Hi Derek,

As Dan said, the best practice is to use the file *local_rules.xml*. But if you are improving or creating new rules, it would be great if you shared them with OSSEC <https://github.com/ossec/ossec-hids> or with the Wazuh ruleset repository <https://github.com/wazuh/ossec-rules>. On the other hand, if you just want to adapt the rules to your environment (overwrite, levels, descriptions), just use the *local_rules* file.

Thanks.
Regards.

On Friday, August 26, 2016 at 3:46:05 PM UTC+2, dan (ddpbsd) wrote:
> On Fri, Aug 26, 2016 at 9:39 AM, Derek Day wrote:
> > I have hopefully an easily answered question regarding modifying some of the
> > rules.xml files that come with ossec. I guess my question centers around,
> > what is the best practice for doing something like that? I want to give
> > certain Windows event IDs higher levels and lower certain other ones.
> > Should I just modify the msauth_rules.xml files as required or is there a
> > different best practice?
>
> Usually what we recommend is to add the rules with your changes to
> local_rules.xml and add the overwrite option.
>
> > Thanks
> >
> > Derek

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
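
An added illustration of the overwrite approach recommended in this thread (not part of the original messages and not code from the OSSEC or Wazuh projects). The rule IDs, parent rule ID and event IDs are labelled placeholders, not values from the shipped ruleset; take the real ones from the rule you are changing in msauth_rules.xml.

```xml
<!-- local_rules.xml: added illustration.
     ORIGINAL_RULE_ID_A/B, PARENT_RULE_ID and EVENT_ID_A/B are placeholders. -->
<group name="local,windows,">

  <!-- Raise the level of a shipped rule. overwrite="yes" replaces the shipped
       definition, so copy the rule's full body from msauth_rules.xml and
       change only the level (and the description, if wanted). -->
  <rule id="ORIGINAL_RULE_ID_A" level="10" overwrite="yes">
    <if_sid>PARENT_RULE_ID</if_sid>
    <id>^EVENT_ID_A$</id>
    <description>Copied description (raised locally to level 10).</description>
  </rule>

  <!-- Lower another shipped rule the same way. Leaving out a condition that
       the shipped rule had would widen what the overwritten rule matches. -->
  <rule id="ORIGINAL_RULE_ID_B" level="2" overwrite="yes">
    <if_sid>PARENT_RULE_ID</if_sid>
    <id>^EVENT_ID_B$</id>
    <description>Copied description (lowered locally to level 2).</description>
  </rule>

</group>
```

Keeping the changes in local_rules.xml means they are not lost when the shipped rule files are replaced on upgrade. Run a sample event through ossec-logtest to confirm the new level before relying on it.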
