On 1/3/2014 10:15 AM, Rich Rumble wrote:
> On Thursday, January 2, 2014 6:13:55 PM UTC-5, dan (ddpbsd) wrote:
>> On Thu, Jan 2, 2014 at 6:10 PM, dan (ddp) <[email protected]> wrote:
>>> I'll have to jump on a computer later to test. Rules still do not belong on
>>> the agents. Never have, never will. I'll try to add a faq entry on that.
>>> Oops, I can't seem to find the log sample.
>
> I've got it working now, I had duplicated the rules in the file because my VI skillz are like that :)
> I am using the names without wild cards separated with pipe "|", and once I restarted the whole server, not just ossec, it began working/ignoring.
> I am using lowercase names in the rule even though the names are uppercase when I entered them as agents.
> I have not tried with wildcards and I don't think I will since I only have a handful to ignore on.
> Basically OSSEC is duplicating the effort with that alert and it's a chatty/large alert for us.
> Thanks for the tips nonetheless!
> -rich
I've never tried it out with hostnames but using a CDB list in the rule might make things easier to maintain if you end up needing to add more hostnames.
http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
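As an added sketch of that CDB-list approach (my own example, not from the thread or the OSSEC docs): a server-side child rule that drops the chatty alert to level 0 only for hosts named in a list file. The parent rule id 100200, the list path and the lowercase host names are placeholders, and `field="hostname"` is assumed to be an accepted lookup field for the decoded hostname.

```xml
<!-- ossec.conf on the server (rules and lists live there, never on agents):
     register the list so analysisd loads the compiled .cdb -->
<ossec_config>
  <rules>
    <list>lists/ignored_hosts.txt</list>
  </rules>
</ossec_config>

<!-- lists/ignored_hosts.txt (plain text, one "key:value" per line; value may be
     empty). Use lowercase names, matching what the decoder puts in hostname.
     Placeholder entries:
       host01:
       host02:
       buildbox:
     Compile with: ossec-makelists   (produces lists/ignored_hosts.txt.cdb)
-->

<!-- rules/local_rules.xml: level-0 child of the noisy rule (100200 is a placeholder) -->
<group name="local,">
  <rule id="100201" level="0">
    <if_sid>100200</if_sid>
    <list field="hostname" lookup="match_key">lists/ignored_hosts.txt</list>
    <description>Ignore alert 100200 for hosts in ignored_hosts list</description>
  </rule>
</group>
```

After every edit to the list, rerun ossec-makelists and restart OSSEC so the new .cdb is picked up; adding a host is then a one-line change instead of editing the rule's pipe-separated pattern.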
