On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R. <[email protected]> wrote:
> Hi,
>
> Can you please help me with what I'm doing wrong in modifying the severity of
> the rules that I'm trying in local_rules.xml.
>
> OS: Kali-Linux
>
> OSSEC version: 2.8.1
>
> Please find the local_rules.xml file entries below for the overwrite:
>
> Everything else works, but I need to change the severity of certain rules
> for meaningful alerts and fine-tune the frequency they are executed.
>
> Appreciate your help.
Are all of these rules commented out in the local_rules.xml file as well? Did you restart the OSSEC processes after making the changes? Do you have log samples that can be tested with ossec-logtest?

> <rule id="100102" level="12" overwrite="yes">
>   <if_sid>18104</if_sid>
>   <id>^513$|^4609$</id>
>   <description>Windows is shutting down.</description>
>   <group>system_shutdown,</group>
> </rule>
> -->
>
> <!--
> <rule id="100103" level="13" overwrite="yes">
>   <if_sid>18103</if_sid>
>   <id>^13570$</id>
>   <description>Windows file system full.</description>
>   <group>low_diskspace,</group>
> </rule>
> -->
>
> <!--
> <rule id="100104" level="12" overwrite="yes">
>   <if_sid>18100,18103</if_sid>
>   <status>^ERROR</status>
>   <description>Windows error event.</description>
>   <group>system_error,</group>
> </rule>
> -->
>
> <!--
> <rule id="100105" level="12" overwrite="yes">
>   <if_sid>18100,18105</if_sid>
>   <status>^AUDIT_FAILURE|^failure</status>
>   <description>Windows audit failure event.</description>
> </rule>
> -->
>
> </group> <!-- SYSLOG,LOCAL -->
>
> Regards,
> Khoshal AR
> Sonata Software Limited
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
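To check the first question in the reply (whether a rule sits inside an XML comment that OSSEC will skip), here is an added Python example that is not part of the thread: it parses a constructed local_rules.xml fragment modelled on the posted rules and reports which overwrite rules are live and which are commented out.

```python
import xml.etree.ElementTree as ET  # insert_comments needs Python 3.8+

# Constructed sample modelled on the thread's rules (not the poster's actual file):
# one overwrite rule is live, the other is wrapped in an XML comment.
SAMPLE_LOCAL_RULES = """<group name="syslog,local,">
  <rule id="100102" level="12" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^513$|^4609$</id>
    <description>Windows is shutting down.</description>
    <group>system_shutdown,</group>
  </rule>
  <!--
  <rule id="100103" level="13" overwrite="yes">
    <if_sid>18103</if_sid>
    <id>^13570$</id>
    <description>Windows file system full.</description>
    <group>low_diskspace,</group>
  </rule>
  -->
</group>
"""

def _overwrite_rules(elem):
    """Yield (rule id, level, if_sid) for every overwrite="yes" rule under elem."""
    for rule in elem.iter("rule"):
        if rule.get("overwrite") == "yes":
            yield rule.get("id"), int(rule.get("level")), (rule.findtext("if_sid") or "").strip()

def audit_overwrite_rules(xml_text):
    """Split overwrite rules into those OSSEC will load and those sitting inside <!-- -->."""
    # Keep comments in the tree so commented-out rules are reported instead of vanishing.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active = list(_overwrite_rules(root))
    commented = []
    for comment in root.iter(ET.Comment):
        try:
            # Re-parse the comment body as XML; one comment may hold several rule blocks.
            inner = ET.fromstring("<wrap>" + (comment.text or "") + "</wrap>")
        except ET.ParseError:
            continue  # an ordinary prose comment, not a disabled rule
        commented.extend(_overwrite_rules(inner))
    return active, commented

if __name__ == "__main__":
    live, disabled = audit_overwrite_rules(SAMPLE_LOCAL_RULES)
    print("active:", live)
    print("commented out (ignored by OSSEC):", disabled)
```

Run it against your real local_rules.xml by reading the file into `audit_overwrite_rules`; a rule listed under "commented out" can never change an alert level, whatever its `level` attribute says.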
