Hi,
Can you please help me with what I'm doing wrong in modifying the severity of the rules that I'm trying in local_rules.xml?
OS: Kali Linux
OSSEC version: 2.8.1

Please find the local_rules.xml file entries below for the overwrite:
Everything else works, but I need to change the severity of certain rules for meaningful alerts and fine-tune the frequency at which they are executed.
Appreciate your help.

<group name="local,syslog,">

  <!--
  <rule id="100102" level="12" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^513$|^4609$</id>
    <description>Windows is shutting down.</description>
    <group>system_shutdown,</group>
  </rule>
  -->

  <!--
  <rule id="100103" level="13" overwrite="yes">
    <if_sid>18103</if_sid>
    <id>^13570$</id>
    <description>Windows file system full.</description>
    <group>low_diskspace,</group>
  </rule>
  -->

  <!--
  <rule id="100104" level="12" overwrite="yes">
    <if_sid>18100,18103</if_sid>
    <status>^ERROR</status>
    <description>Windows error event.</description>
    <group>system_error,</group>
  </rule>
  -->

  <!--
  <rule id="100105" level="12" overwrite="yes">
    <if_sid>18100,18105</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>
  -->

</group> <!-- SYSLOG,LOCAL -->

Regards,
Khoshal AR
Sonata Software Limited


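Added example, written for this thread and not code from the poster or from the OSSEC project: a small Python lint that reads a local_rules.xml fragment and reports the two conditions that make an overwrite silently do nothing. The first is a rule wrapped in an XML comment (or a stray "-->" left over from one), which ossec-analysisd never loads. The second is overwrite="yes" on a fresh local id: OSSEC's overwrite attribute replaces the stock rule that carries the same id, so a rule with id 100102 does not change the level of 18104 even when it references it through if_sid. The sample file and the set of stock rule ids are constructed here in the shape of the rules quoted above (SAMPLE_LOCAL_RULES and STOCK_IDS are assumptions, not the poster's real file).

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the post's rules (not the poster's real file):
# the first rule is commented out, the second is live, and a stray "-->" follows it.
SAMPLE_LOCAL_RULES = """<group name="local,syslog,">
  <!--
  <rule id="100102" level="12" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^513$|^4609$</id>
    <description>Windows is shutting down.</description>
  </rule>
  -->

  <rule id="100105" level="12" overwrite="yes">
    <if_sid>18100,18105</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>
  -->
</group> <!-- SYSLOG,LOCAL -->
"""

# Constructed subset of stock rule ids, taken from the if_sid references in the post.
STOCK_IDS = {"18100", "18103", "18104", "18105"}

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
RULE_RE = re.compile(r"<rule\b([^>]*)>(.*?)</rule>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
IF_SID_RE = re.compile(r"<if_sid>\s*([^<]*?)\s*</if_sid>")


@dataclass
class RuleInfo:
    rule_id: str
    level: int
    overwrite: bool
    if_sid: list
    active: bool  # False when the rule sits inside <!-- ... -->


def parse_rules(text):
    """Return every <rule> in the fragment, noting whether it is commented out."""
    comment_spans = [m.span() for m in COMMENT_RE.finditer(text)]
    rules = []
    for m in RULE_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        inside_comment = any(a <= m.start() < b for a, b in comment_spans)
        sid_match = IF_SID_RE.search(m.group(2))
        if_sid = [s.strip() for s in sid_match.group(1).split(",") if s.strip()] if sid_match else []
        rules.append(RuleInfo(
            rule_id=attrs.get("id", "?"),
            level=int(attrs.get("level", "0")),
            overwrite=attrs.get("overwrite", "no").lower() == "yes",
            if_sid=if_sid,
            active=not inside_comment,
        ))
    return rules


def find_problems(text, stock_ids):
    """Checks worth running before restarting ossec-analysisd with a new local_rules.xml."""
    problems = []
    # A "-->" that closes no comment: the opening marker was lost, as in the post.
    if "-->" in COMMENT_RE.sub("", text):
        problems.append("stray '-->' with no matching '<!--'")
    for r in parse_rules(text):
        if not r.active:
            problems.append(f"rule {r.rule_id} is inside an XML comment and is never loaded")
        # overwrite="yes" replaces the stock rule with the SAME id; a new local id
        # leaves the referenced stock rule (and its level) untouched.
        if r.overwrite and r.rule_id not in stock_ids:
            refs = ",".join(r.if_sid) or "none"
            problems.append(
                f"rule {r.rule_id} sets overwrite=\"yes\" but no stock rule has that id "
                f"(it references {refs} via if_sid); overwrite replaces the rule with the same id"
            )
    return problems


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_LOCAL_RULES, STOCK_IDS):
        print("WARNING:", problem)
```

Run against a real file, pass the ids from the stock rule set you intend to change (for example the ids in msauth_rules.xml) as stock_ids; an overwrite of rule 18104 keeps id="18104" and its original if_sid, and only the level and description change.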
