JB & Michael - good thoughts - only one problem, I have 4000 hosts. Gonna make for a very looooonnngggggg rules file.
My thought on this is simple - more so for alerting on attacks/issues as they move around. Or for the audit rules - another reason for this. Here is the situation - let's say an audit rule kicks off, so I create a ticket for a team to fix that problem, but I want to give them 7 days (or some arbitrary number, maybe only a day) to fix the problem - I want to ignore that rule for a period of time. Now this is simple in the world of a few dozen hosts, but when we are in the hundreds or thousands, not so much. AND if it triggers on each of those 4000 hosts, then yes, I have a problem, but even if it only triggers on 2000, I need a way to "acknowledge" the alert for a certain amount of time. If this capability existed in OSSEC it could go a long way to making it that much better. Think how NAGIOS allows you to acknowledge a host/service down forever or just for a certain period of time. I was thinking of setting an active response that adds to a CDB list and reloads the list. If the host is in that list, ignore the alert. However the list is cleared once a week and if the alert is still there, you have a way to show them. Some people could say just lengthen the frequency on the running of the audit - but I don't want to do that, I want them to run daily, but not alert daily if I already know about something. Does that make sense? -Kat
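One way to build the acknowledgement list Kat sketches, as an added example that is not from the post or from the OSSEC project: a hostname:expiry CDB list source that an active response (or an operator opening a ticket) appends to, a daily prune that makes a still-failing audit alert again once its window passes, and a lookup that a level-0 child rule with `<list field="hostname" lookup="match_key">` could use. The list path, the `lists/acked-hosts` name and the rule snippet are assumptions.

```shell
#!/bin/sh
# Added example, not from Kat's post or the OSSEC project: an "acknowledged
# hosts" CDB list with a per-entry expiry, so a daily audit rule keeps
# running while its alert is suppressed for a chosen number of days.
# Assumptions not on the page: the list source is $ACK_LIST with lines of
# the form "hostname:expiry_epoch", ossec-makelists (if installed) rebuilds
# the .cdb, and a child rule of the audit rule uses
#   <list field="hostname" lookup="match_key">lists/acked-hosts</list>
# with <level>0</level> to silence the alert for listed hosts.

ACK_LIST="${ACK_LIST:-/var/ossec/lists/acked-hosts}"
MAKELISTS="${MAKELISTS:-/var/ossec/bin/ossec-makelists}"

rebuild_cdb() {
    # Only rebuild when the OSSEC tool is present (keeps this runnable offline).
    [ -x "$MAKELISTS" ] && "$MAKELISTS" >/dev/null 2>&1
    return 0
}

# ack_host HOST [DAYS]: acknowledge HOST until now + DAYS days (default 7).
ack_host() {
    host="$1"; days="${2:-7}"
    expiry=$(( $(date +%s) + days * 86400 ))
    tmp="$ACK_LIST.tmp"
    if [ -f "$ACK_LIST" ]; then
        awk -F: -v h="$host" '$1 != h' "$ACK_LIST" > "$tmp"   # replace old entry
    else
        : > "$tmp"
    fi
    printf '%s:%s\n' "$host" "$expiry" >> "$tmp"
    mv "$tmp" "$ACK_LIST"
    rebuild_cdb
}

# prune_acks: drop expired entries; run daily from cron so a still-failing
# audit alerts again once its acknowledgement window has passed.
prune_acks() {
    [ -f "$ACK_LIST" ] || return 0
    awk -F: -v now="$(date +%s)" '$2 > now' "$ACK_LIST" > "$ACK_LIST.tmp"
    mv "$ACK_LIST.tmp" "$ACK_LIST"
    rebuild_cdb
}

# is_acked HOST: succeed if HOST has an unexpired acknowledgement.
is_acked() {
    [ -f "$ACK_LIST" ] || return 1
    awk -F: -v h="$1" -v now="$(date +%s)" \
        '$1 == h && $2 > now { f = 1 } END { exit !f }' "$ACK_LIST"
}
```

Calling `ack_host` from the active-response side and `prune_acks` from cron keeps the audit running daily while the ticket is open, and the host reappears in alerts on its own when the window expires.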
