On Mon, Dec 30, 2013 at 9:45 AM, Rich Rumble <[email protected]> wrote:
> I want to ignore some Windows alerts from one or two particular hosts,
> but I'm still getting alerted despite my efforts. I've placed rules in
> the /var/ossec/rules/local_rules.xml file on the Ossec Server, but
> they don't have any effect.
> The hosts all use a 10.0.0.0/8 as their IP and have capitalized
> hostnames; my rules are like this:
> <rule id="1000321" level="0">
> <if_level>2</if_level>
> <hostname>pcname*|PCNAME*</hostname>

Try with 1 hostname, and remove the asterisks.

> <options>no_email_alert</options>
> </rule>
>
> I want to catch PCNAME202 and PCNAME302, and others that may come
> along later with the same naming convention, and have alerts over
> level 2 ignored.
> Here is the basic alert from email:
>
> Subject: OSSEC Notification - (PCNAME202) 10.0.0.0 - Alert level 10
>
> OSSEC HIDS Notification.
> 2013 Dec 20 19:25:48
>
> Received From: (PCNAME202) 10.0.0.0->WinEvtLog
> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
> Portion of the log(s):
> etc....
> ------------
> Am I placing the rules in the right location? Is the hostname case sensitive?
> -rich
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
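A way to dry-run the pattern forms discussed in this thread (the posted `pcname*|PCNAME*`, the single hostname without asterisks that the reply suggests, and an anchored prefix for hosts that follow the same naming convention), added here as an example; it is not OSSEC's own code. It assumes OSSEC's `<hostname>` field is an OS_Match pattern (`|` alternation, optional `^`/`$` anchors, everything else literal, so `*` is not a wildcard), that the match is case-sensitive, and that it is made against the agent name shown in parentheses in the alert header. Those are assumptions to confirm on a real server with `/var/ossec/bin/ossec-logtest` before relying on a rule.

```python
"""Dry-run check of OSSEC <hostname> patterns before editing local_rules.xml.

Added example, not OSSEC code. Assumptions modelled here:
  * <hostname> is an OS_Match pattern: '|' separates alternatives, '^' and
    '$' anchor, and every other character is literal ('*' is not a wildcard).
  * Matching is case-sensitive.
  * The pattern is compared against the agent name in the alert header,
    e.g. "PCNAME202" from "(PCNAME202) 10.0.0.0->WinEvtLog".
Confirm on a real install with /var/ossec/bin/ossec-logtest.
"""
import xml.etree.ElementTree as ET

# Constructed sample alert, taken from the notification quoted in the thread.
ALERT = {"agent": "PCNAME202", "level": 10, "rule_id": "18152"}

# The rule as posted (asterisks in the hostname pattern).
RULES_AS_POSTED = """
<group name="local,">
  <rule id="1000321" level="0">
    <if_level>2</if_level>
    <hostname>pcname*|PCNAME*</hostname>
    <options>no_email_alert</options>
  </rule>
</group>
"""

# The reply's suggestion: one hostname, no asterisks.
RULES_ONE_HOST = RULES_AS_POSTED.replace("pcname*|PCNAME*", "PCNAME202")

# Assumed extension for "others that may come along later": an anchored
# prefix, so any agent name starting with PCNAME is covered.
RULES_PREFIX = RULES_AS_POSTED.replace("pcname*|PCNAME*", "^PCNAME")


def os_match(pattern: str, text: str) -> bool:
    """Simplified OS_Match: alternation on '|', optional '^'/'$' anchors,
    literal substring search otherwise. Case-sensitive by assumption."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        lit = alt
        anchored_start = lit.startswith("^")
        if anchored_start:
            lit = lit[1:]
        anchored_end = lit.endswith("$")
        if anchored_end:
            lit = lit[:-1]
        if anchored_start and anchored_end:
            hit = text == lit
        elif anchored_start:
            hit = text.startswith(lit)
        elif anchored_end:
            hit = text.endswith(lit)
        else:
            hit = lit in text
        if hit:
            return True
    return False


def parse_rules(xml_text: str) -> list:
    """Pull id, level, if_level and hostname out of a local_rules.xml group."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        if_level = r.findtext("if_level")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level", "0")),
            "if_level": int(if_level) if if_level else None,
            "hostname": r.findtext("hostname") or "",
        })
    return rules


def rule_applies(rule: dict, alert: dict) -> bool:
    """A rule fires when the alert reaches if_level and, if a <hostname>
    pattern is present, that pattern matches the agent name."""
    if rule["if_level"] is not None and alert["level"] < rule["if_level"]:
        return False
    if rule["hostname"] and not os_match(rule["hostname"], alert["agent"]):
        return False
    return True


def evaluate(xml_text: str, alert: dict) -> dict:
    """Return which local rule (if any) overrides the alert and the resulting
    level; level 0 means the alert is dropped."""
    for rule in parse_rules(xml_text):
        if rule_applies(rule, alert):
            return {"matched": rule["id"], "level": rule["level"]}
    return {"matched": None, "level": alert["level"]}


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED),
                        ("one host", RULES_ONE_HOST),
                        ("prefix", RULES_PREFIX)):
        print(f"{name:10s} -> {evaluate(rules, ALERT)}")
```

Running it shows the posted pattern never matching (the asterisks are compared literally, so the alert keeps level 10), while the single hostname and the anchored prefix both reduce the alert to level 0.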
