On Sun, Jul 7, 2013 at 3:02 PM, Janelle <[email protected]> wrote:
> Hello,
>
> Being somewhat new to OSSEC (about 8 months now), one feature I used a lot
> was the ability to silence a noisy rule. A typical example is 1002, which in
> some environments can be very noisy. The method I read about was to
> duplicate the rule in local_rules.xml but change the level to "0". This has
> worked fine with dozens of rules that were false positives in the past all

That's a bad way to do it. I generally create a new rule, <if_sid> the
old rule, and make sure the new rule is a low level.

> the way through v 2.7.  Now, however, with 2.7.1 I keep getting duplicate rule
> errors and ossec fails to start. Even if I add overwrite="yes" to the rule
> (which I did not have to do before just to change the level).
>

This is working fine for me. Are you using the beta tarball or source
direct from the repo?

> Am I missing something? Is there a new way to disable a false positive that
> I can't find?  I have tried all possible combinations, but my 2.7 config to
> 2.7.1 simply fails on the duplicates. For now I have rolled back to 2.7
> until I can understand how this feature is meant to work and the purpose. I
> could not find much in the release notes on any configuration options for
> the dups.
>
> Help?
>
> ~J
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
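
The two approaches discussed in this message, side by side as a local_rules.xml fragment. This is an added example, not part of the original e-mail or of OSSEC's shipped rules; the rule id 100100, the group name, the match string and the choice of level 0 as the "low level" are assumptions made for illustration.

```xml
<!-- local_rules.xml (constructed example) -->
<group name="local,syslog,">

  <!-- Approach from the quoted question: redefine rule 1002 under the same id
       at level 0. A redefinition replaces the original rule, so every event
       that rule 1002 would have flagged is silenced, including real problems.

  <rule id="1002" level="0" overwrite="yes">
    ... full body of the original rule copied here ...
  </rule>
  -->

  <!-- Approach from the reply: leave rule 1002 untouched and add a child rule.
       The child is evaluated only when 1002 has already matched (if_sid), and
       its own match limits it to the one message known to be benign.
       Events matching 1002 but not this string still alert as before. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>constructed-benign-app: error count reset</match>
    <description>Known-benign message that trips rule 1002; ignored.</description>
  </rule>

</group>
```

Pasting a sample log line into ossec-logtest shows which rule fires last, which confirms that only the intended message is silenced and that other rule 1002 matches still alert.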
