Hello,

Being somewhat new to OSSEC (about 8 months now), one feature I used a lot was the ability to silence a noisy rule. A typical example is 1002, which in some environments can be very noisy. The method I read about was to duplicate the rule in local_rules.xml but change the level to "0". This has worked fine with dozens of rules that were false positives in the past, all the way through v 2.7. Now, however, with 2.7.1 I keep getting duplicate rule errors and OSSEC fails to start, even if I add overwrite="yes" to the rule (which I did not have to do before just to change the level).

Am I missing something? Is there a new way to disable a false positive that I can't find? I have tried all possible combinations, but my 2.7 config on 2.7.1 simply fails on the duplicates. For now I have rolled back to 2.7 until I can understand how this feature is meant to work and its purpose. I could not find much in the release notes on any configuration options for the dups.

Help?

~J

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
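As an added example (not from the post above and not part of OSSEC itself), the following Python script shows the local_rules.xml shape the poster describes for silencing rule 1002 (same id, level 0, overwrite="yes") and a small pre-start check that flags rule ids defined in both the stock rules and local_rules.xml without overwrite="yes", i.e. the duplicates that would stop the daemon from loading. Both rule fragments are constructed samples; the stock body of rule 1002 is shortened to a placeholder match, and restating the `<match>` in the override rests on my understanding that overwrite="yes" replaces the whole rule rather than merging with it.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a stock rule file (assumption: the real rule 1002
# in syslog_rules.xml has a longer match list; only id/level matter here).
STOCK_RULES = """
<group name="syslog,">
  <rule id="1002" level="2">
    <match>error|failed</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="1003" level="13" maxsize="1025">
    <description>Non standard syslog message (size too large).</description>
  </rule>
</group>
"""

# Constructed local_rules.xml: 1002 is silenced the way the post describes
# (same id, level 0, overwrite="yes", match restated because the override
# replaces the original rule); 1003 is a bare duplicate with no overwrite
# attribute, which is the shape that produces a duplicate-rule error.
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="1002" level="0" overwrite="yes">
    <match>error|failed</match>
    <description>Silenced locally: too noisy in this environment.</description>
  </rule>
  <rule id="1003" level="0">
    <description>Non standard syslog message (size too large).</description>
  </rule>
</group>
"""


def parse_rules(fragment):
    """Map rule id -> {level, overwrite} for one OSSEC rule file.

    OSSEC rule files carry several top-level <group> elements and no single
    root, so the fragment is wrapped before ElementTree parses it.
    """
    root = ET.fromstring("<rules>" + fragment + "</rules>")
    rules = {}
    for rule in root.iter("rule"):
        rules[rule.get("id")] = {
            "level": int(rule.get("level", "0")),
            "overwrite": rule.get("overwrite", "no").lower() == "yes",
        }
    return rules


def find_conflicts(stock, local):
    """Ids present in both files that local does NOT mark overwrite="yes"."""
    return sorted(rid for rid in local
                  if rid in stock and not local[rid]["overwrite"])


def find_silenced(stock, local):
    """Ids that local cleanly overrides down to level 0 (the intended silence)."""
    return sorted(rid for rid, r in local.items()
                  if rid in stock and r["overwrite"] and r["level"] == 0)


def check_files(stock_xml, local_xml):
    """Convenience entry point: returns (conflicts, silenced) for two fragments."""
    stock = parse_rules(stock_xml)
    local = parse_rules(local_xml)
    return find_conflicts(stock, local), find_silenced(stock, local)


if __name__ == "__main__":
    conflicts, silenced = check_files(STOCK_RULES, LOCAL_RULES)
    for rid in silenced:
        print(f"rule {rid}: overridden to level 0 (ok)")
    for rid in conflicts:
        print(f"rule {rid}: duplicate id without overwrite=\"yes\" (will fail to load)")
```

To run it against a real installation, read the stock rule files and local_rules.xml from the rules directory and pass their contents to `check_files` instead of the embedded samples; anything listed under conflicts is a rule to either drop from local_rules.xml or mark with overwrite="yes" before restarting the daemon.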
