I want to ignore some Windows alerts from one or two particular hosts,
but I'm still getting alerted despite my efforts. I've placed rules in
the /var/ossec/rules/local_rules.xml file on the OSSEC server, but
they don't have any effect.
The hosts all use 10.0.0.0/8 addresses and have capitalized
hostnames; my rules are like this:
<rule id="1000321" level="0">
  <if_level>2</if_level>
  <hostname>pcname*|PCNAME*</hostname>
  <options>no_email_alert</options>
</rule>
I want to catch PCNAME202 and PCNAME302, and others that may come
along later with the same naming convention, and have alerts over
level 2 ignored.
Here is the basic alert from email:
Subject: OSSEC Notification - (PCNAME202) 10.0.0.0 - Alert level 10
OSSEC HIDS Notification.
2013 Dec 20 19:25:48
Received From: (PCNAME202) 10.0.0.0->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):
etc....
------------
Am I placing the rules in the right location? Is the hostname case sensitive?
-rich
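An added example (not from the original post) of how a host-specific suppression rule is usually laid out in /var/ossec/rules/local_rules.xml: rules there must sit inside a <group> element, carry a <description>, and chain off the rules that actually fire via <if_sid> or <if_group>; the hostname pattern uses the leading ^ anchor of OSSEC's sregex syntax to match any hostname beginning with PCNAME. The rule id 100321, the choice of the windows group as the parent (the rule 18152 named in the alert above belongs to that group), and the assumption that <hostname> is compared against the agent name shown in the alert header are mine.

```xml
<!-- Added example; not the poster's rule. Assumes the agent name in the
     alert header ("(PCNAME202) ...") is what <hostname> is compared against. -->
<group name="local,">
  <!-- Ids 100000-119999 are reserved for local rules. level="0" means the
       event is discarded, so no alert (and no email) is ever produced. -->
  <rule id="100321" level="0">
    <!-- Chain off the Windows rule group (rule 18152 from the email belongs
         to it); use <if_sid>18152</if_sid> instead to silence only that rule. -->
    <if_group>windows</if_group>
    <!-- sregex: ^ anchors to the start of the hostname, so PCNAME202,
         PCNAME302 and any later PCNAME* agent match; no trailing * needed. -->
    <hostname>^PCNAME</hostname>
    <description>Ignore Windows alerts from PCNAME* hosts.</description>
  </rule>
</group>
```

Because a level-0 rule suppresses the event entirely, the <options>no_email_alert</options> line is not needed. After editing local_rules.xml, restart OSSEC so the rules are reloaded, and feed a sample line to /var/ossec/bin/ossec-logtest to confirm which rule wins.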