On Thu, Jul 26, 2012 at 3:09 AM, bw <[email protected]> wrote:
> By default active response acts on level 6+, but emails are only sent for
> level 7 and up. So if I demote a rule from level, say, 10 to level 6 the
> response will still fire but I won't get an email about it, right?
>
> My question is, how do I do that for a default rule so that it won't be
> overwritten when I update OSSEC?
>
> Example: postfix_rules.xml has this:
>
>   <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
>     <if_matched_sid>3303</if_matched_sid>
>     <same_source_ip />
>     <description>Multiple attempts to send e-mail from </description>
>     <description>invalid/unknown sender domain.</description>
>     <group>multiple_spam,</group>
>   </rule>
>
> Sometimes I get too many of these and I don't care to see them, so demoting
> this rule to level="6" should do the trick, but I don't want to modify
> rules_postfix.xml

Use something like one of the following in local_rules.xml:

<rule id="something_not_taken" level="6">
  <if_sid>3353</if_sid>
  <description>Level 6 yeah!</description>
</rule>

Or

  <rule id="3353" level="6" frequency="$POSTFIX_FREQ" timeframe="120" overwrite="yes">
    <if_matched_sid>3303</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>invalid/unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>
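To see how the two approaches above differ once OSSEC merges local_rules.xml over the shipped rules, and to catch the common mistake of redefining a stock rule id without overwrite="yes", here is an added Python check. It is not part of this thread or of the OSSEC project: the default-rule XML it reads is a constructed stand-in for the postfix rules (the stand-in for rule 3303 is invented and carries no real match text), and the 100000-109999 range for local rule ids is an assumption taken from OSSEC's rule-numbering convention.

```python
"""Sanity-check an OSSEC local_rules.xml against the default rules it touches."""
import xml.etree.ElementTree as ET

# Constructed sample of shipped rules: the rule quoted in the thread plus a
# stand-in for the rule 3303 it correlates on (the real 3303 body is not reproduced).
DEFAULT_RULES = """
<group name="syslog,postfix,">
  <rule id="3303" level="5">
    <description>Constructed stand-in for the postfix rule matched by 3353.</description>
  </rule>
  <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3303</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>invalid/unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>
</group>
"""

# Constructed local_rules.xml using both approaches from the reply, plus one mistake:
# rule 3303 is redefined without overwrite="yes", which OSSEC treats as a duplicate id.
LOCAL_RULES = """
<group name="local,">
  <rule id="100100" level="6">
    <if_sid>3353</if_sid>
    <description>Postfix spam flood, demoted to level 6</description>
  </rule>
  <rule id="3353" level="6" frequency="$POSTFIX_FREQ" timeframe="120" overwrite="yes">
    <if_matched_sid>3303</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>invalid/unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>
  <rule id="3303" level="5">
    <description>Bad redefinition: no overwrite attribute</description>
  </rule>
</group>
"""

# Assumption: OSSEC sets aside ids 100000-109999 for user-defined rules.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 109999


def parse_rules(xml_text):
    """Return {rule_id: element}. Rule files may hold several <group> roots, so wrap them."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return {int(r.get("id")): r for r in root.iter("rule")}


def _overwrites(rule):
    return rule.get("overwrite", "no").lower() == "yes"


def check_local_rules(default_xml, local_xml):
    """Return findings for local rules that OSSEC would reject or that are risky."""
    defaults = parse_rules(default_xml)
    findings = []
    for rid, rule in parse_rules(local_xml).items():
        if rid in defaults and not _overwrites(rule):
            findings.append(f'rule {rid}: duplicates a default rule id without overwrite="yes"')
        elif rid not in defaults and _overwrites(rule):
            findings.append(f'rule {rid}: overwrite="yes" but no default rule has that id')
        elif rid not in defaults and not LOCAL_ID_MIN <= rid <= LOCAL_ID_MAX:
            findings.append(f"rule {rid}: new rule id outside the local range "
                            f"{LOCAL_ID_MIN}-{LOCAL_ID_MAX}")
    return findings


def effective_levels(default_xml, local_xml):
    """Merge local rules over the defaults and return {id: level}.

    A local rule replaces a default only with overwrite="yes"; a new id is added as-is;
    a duplicate id without overwrite is dropped here, since OSSEC refuses to load it.
    """
    merged = parse_rules(default_xml)
    for rid, rule in parse_rules(local_xml).items():
        if rid not in merged or _overwrites(rule):
            merged[rid] = rule
    return {rid: int(r.get("level")) for rid, r in merged.items()}


if __name__ == "__main__":
    for finding in check_local_rules(DEFAULT_RULES, LOCAL_RULES):
        print("WARNING:", finding)
    for rid, level in sorted(effective_levels(DEFAULT_RULES, LOCAL_RULES).items()):
        print(f"rule {rid} -> level {level}")
```

Run against a real install, feed it the contents of /var/ossec/rules/postfix_rules.xml and /var/ossec/rules/local_rules.xml instead of the embedded strings; the merged levels show which variant actually changes what fires active response (level 6+) without producing e-mail (level 7+), and the findings list flags the duplicate-id case before ossec-analysisd does.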
