Hi, there are rules for that in https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0215-policy_rules.xml. They are included by default, but not enabled.
Regards.

On Thursday, March 30, 2017 at 12:20:39 AM UTC+2, jose wrote:
>
> Hi mscrano, yes you can do that,
>
> example:
>
> <rule id="100127" level="10">
>   <if_sid>100125</if_sid>
>   <time>6 pm - 8:30 am</time>
>   <description>Login outside business hours.</description>
>   <group>policy_violation</group>
> </rule>
>
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> [email protected]
>
> On March 29, 2017 at 6:17:37 PM, [email protected] wrote:
>
> Hi Ossec-list,
> I am wondering if anyone else has run into this issue. I have a cron that
> runs at the same time every day and it always triggers the promiscuous mode
> rule (per expected behavior). Is it possible to have a time-based
> exclusion for a rule such that it will not trigger between specific times?
> For example I would like to disable this rule for 2 minutes at midnight. I
> have not seen such a configuration option in the documentation. Anyone have
> any advice?
> Thanks,
> Mark Scrano
