On Wed, Jul 24, 2013 at 8:34 AM, Macaulay Dias Souza <[email protected]> wrote:
> Hi Dan,
>
>> I talked to my client and he told me that the machine generating the alert
>> Rule: 18152 fired (level 10) is an AD and everyone is logging in to it, so
>> it will generate many alerts depending on the number of people who must log
>> in there. I noticed that I receive emails with rule 1002 in the same
>> proportion as rule 18152. Could they be related? Can I add a rule like
>> this to ignore rule 18152 on the AD?
>>
>> <rule id="100xxx" level="0">
>> <if_sid> 18152 </ if_sid>
>> <hostname> SSP001001-006 </ hostname>
>> <options> no_email_alert </ options>
>> <description> ignores multiple login errors </ description>
>> </ rule>
>
> Do I need a decoder?
>
For what? Is that a guess? Take out the extra spaces in your rule, does it work (you can probably remove the <options> as well, level 0 alerts shouldn't trigger emails by default)?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
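The "extra spaces" point from the reply, as an added example that is not part of the thread: a pre-deployment check that runs the posted rule through a standard XML parser and then strips the padding. Python's `xml.etree` stands in for a strict parser here (an assumption; OSSEC's own rule loader may behave differently), and the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# The rule exactly as posted in the thread (the "100xxx" id placeholder is the poster's).
POSTED = """<rule id="100xxx" level="0">
<if_sid> 18152 </ if_sid>
<hostname> SSP001001-006 </ hostname>
<options> no_email_alert </ options>
<description> ignores multiple login errors </ description>
</ rule>"""


def well_formed(xml_text):
    """Return (True, None) if a standard XML parser accepts the text, else (False, error)."""
    try:
        ET.fromstring(xml_text)
        return True, None
    except ET.ParseError as exc:
        return False, str(exc)


def strip_extra_spaces(xml_text):
    """Remove the space after '</' and the padding around element values."""
    text = re.sub(r"</\s+", "</", xml_text)              # '</ rule>'  -> '</rule>'
    text = re.sub(r">[ \t]+(?=[^<\s])", ">", text)       # '> 18152'   -> '>18152'
    text = re.sub(r"(?<=[^>\s])[ \t]+</", "</", text)    # '18152 </'  -> '18152</'
    return text


def padded_fields(xml_text):
    """List child elements whose value still carries leading or trailing whitespace.

    Padding matters because it becomes part of the value: ' 18152 ' is not
    the same string as '18152'. The input must already be well-formed.
    """
    root = ET.fromstring(xml_text)
    return [el.tag for el in root if el.text and el.text != el.text.strip()]


if __name__ == "__main__":
    print("posted rule:", well_formed(POSTED))   # rejected: '</ if_sid>' is not a valid end tag
    cleaned = strip_extra_spaces(POSTED)
    print("cleaned rule:", well_formed(cleaned), padded_fields(cleaned))
    print(cleaned)
```
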
