Hi dear community, I installed and configured about 10 agents, and of course I have a lot of users; some of these users are FTP clients.
In policy-rules.xml I have the following rules:

    <group name="policy_violation,">
      <rule id="17101" level="9">
        <if_group>authentication_success</if_group>
        <time>4 pm - 7 am</time>
        <description>Successful login during non-business hours.</description>
        <group>login_time,</group>
      </rule>
      <rule id="17102" level="9">
        <if_group>authentication_success</if_group>
        <weekday>weekends</weekday>
        <description>Successful login during weekend.</description>
        <group>login_day,</group>
      </rule>

And I get this notification:

    OSSEC HIDS Notification.
    2016 Mar 02 19:05:41

    Received From: (host.xxxxxx.xx) xxx.xxx.xxx.xxx->/var/log/messages
    Rule: 17101 fired (level 9) -> "Successful login during non-business hours."
    Portion of the log(s):

    Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now logged in

    --END OF NOTIFICATION

"transpor" is the username of my client, and I added a rule to ignore alerts for these users because they are clients. In local_rules I created the following rules to ignore "Successful login during non-business hours" and "Successful login during weekend" for FTP clients:

    <group name="policy_violation_overwrite,">
      <rule id="17101" level="9" overwrite="yes">
        <if_group>authentication_success</if_group>
        <time>4 pm - 7 am</time>
        <description>Successful login during non-business hours.</description>
        <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
      </rule>
      <rule id="17102" level="9" overwrite="yes">
        <if_group>authentication_success</if_group>
        <weekday>weekends</weekday>
        <description>Successful login during weekend.</description>
        <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
      </rule>
      <rule id="100002" level="3">
        <if_sid>17101</if_sid>
        <match> transpor | client1 | client2 | client3 | ....... | client 50 </match>
        <description>Sesion open by Client</description>
      </rule>
      <rule id="100003" level="3">
        <if_sid>17102</if_sid>
        <match> transpor | client1 | client2 | client3 | ....... | client 50 </match>
        <description>Sesion open by Client</description>
      </rule>

Because I have a lot of clients, OSSEC gives me an error and does not start. How can I manage or edit this rule? I appreciate your help, and a lot of respect for the developers and community!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
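One way to keep 50 client usernames out of a single `<match>` is an OSSEC CDB list, which the rule consults with `<list>` and which is compiled with `/var/ossec/bin/ossec-makelists`. The script below is an added example, not the poster's or the OSSEC project's code; it assumes OSSEC 2.7 or later (list support), the rule ids 17101/17102 from the post, a decoder that fills the `user` field for the pure-ftpd login line, and placeholder paths under `$OSSEC_DIR`.

```shell
#!/bin/sh
# Added example: maintain FTP client usernames in an OSSEC CDB list instead of a
# 50-way <match> alternation. Assumptions: OSSEC >= 2.7, rules 17101/17102 exist,
# the pure-ftpd decoder sets the "user" field. OSSEC_DIR is a placeholder path.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Write the list source file: one "key:value" line per client. OSSEC looks up the
# key (text before the colon); the value is a free-text label.
write_client_list() {          # usage: write_client_list OUTFILE user1 user2 ...
    out="$1"; shift
    : > "$out"
    for u in "$@"; do
        printf '%s:ftp-client\n' "$u" >> "$out"
    done
    wc -l < "$out" | tr -d ' '  # returns the number of entries written
}

# Write override rules: when 17101/17102 fire and the user is in the list, the
# alert is downgraded to level 3. LISTPATH is relative to OSSEC_DIR, e.g. lists/ftp-clients.
write_client_rules() {         # usage: write_client_rules OUTFILE LISTPATH
    cat > "$1" <<EOF
<group name="local,ftp,">
  <rule id="100002" level="3">
    <if_sid>17101</if_sid>
    <list field="user" lookup="match_key">$2</list>
    <description>Session opened by FTP client outside business hours.</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>17102</if_sid>
    <list field="user" lookup="match_key">$2</list>
    <description>Session opened by FTP client at the weekend.</description>
  </rule>
</group>
EOF
}

# Check a username against the list the way match_key does: exact key, so
# "transpor" does not cover "transport". Returns 0 if present.
list_has_user() {              # usage: list_has_user LISTFILE user
    grep -q "^$2:" "$1"
}

# Remaining manual steps (run as root on the manager):
#   add  <list>lists/ftp-clients</list>  inside <rules> in $OSSEC_DIR/etc/ossec.conf
#   $OSSEC_DIR/bin/ossec-makelists        # compiles lists/ftp-clients -> lists/ftp-clients.cdb
#   $OSSEC_DIR/bin/ossec-control restart
```

Adding or removing a client is then one line in the list file plus a rerun of ossec-makelists, with no change to the rules.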