I know they work 0-15, but is there any advice when writing new rules? I'm just writing one or two with a view to submit some back to the community and wondered if there was any informal guide as to which level? I've skimmed the OSSEC book but can't find anything.
I've always mentally worked on: 1-3 - don't really care, just want for an audit 4-6 - a little odd, but nothing to cause alarm 7-9 - no action needed, but permanent visibility advised 10-13 - this shouldn't be happening, lightly investigate then chose course of action 14-15 - investigate/remedy now Sound ok?
