Peter M. Abraham
Nov 27, 2007, 5:07:38 PM
to ossec-list
Greetings Aaron:
Yes, just copy the rule elements to /var/ossec/rules/local_rules.xml
and use the overwrite="yes" feature to overwrite the rule.
Or if the rule would be a subset, then copy the main rule which
triggers alerts to local_rules.xml, set the level low enough or email
to ignore, and then create separate rules for what you need
notifications on.
The Windows login rules are in /var/ossec/rules/msauth_rules.xml
Based on the information you provided, rule 18107 was triggered. That
is in the msauth_rules.xml file as
<rule id="18107" level="3">
<if_sid>18104</if_sid>
<id>^528|^540|^672|^673</id>
<description>Windows Logon Success.</description>
<group>authentication_success,</group>
</rule>
Daniel might be able to answer if you could do the equivalent of an if
then else (i.e. if <match>Logon Type: 3</match> then ignore, else
report), but the above may be a starting point for you.
Thank you.
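As an added illustration (not part of Peter's post or of the stock OSSEC rule set) of the two approaches he describes, the following local_rules.xml overwrites rule 18107 to stop it emailing, then adds a child rule that silences "Logon Type: 3" (network) logons and a second child that keeps alerting on every other successful logon. The rule ids 100100/100101, the level 7 chosen for the alerting rule, the `no_email_alert` option and the use of a leading `!` in `<match>` to negate the pattern are my assumptions about how to express the "if Logon Type 3 then ignore, else report" idea in OSSEC rule syntax; the exact spacing of "Logon Type: 3" must match how the event text arrives from your agent.

```xml
<group name="local,windows,">

  <!-- Copy of the stock rule with overwrite="yes": keep it at level 3
       but suppress the email so every successful logon no longer mails. -->
  <rule id="18107" level="3" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^528|^540|^672|^673</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
    <options>no_email_alert</options>
  </rule>

  <!-- "if Logon Type: 3 then ignore": network logons (file shares, etc.)
       are matched here and dropped to level 0, so nothing is logged. -->
  <rule id="100100" level="0">
    <if_sid>18107</if_sid>
    <match>Logon Type: 3</match>
    <description>Windows network logon (type 3) - ignored.</description>
  </rule>

  <!-- "else report": any successful logon that is NOT type 3 (console,
       RDP, service, batch) is raised to level 7 so it alerts and emails. -->
  <rule id="100101" level="7">
    <if_sid>18107</if_sid>
    <match>!Logon Type: 3</match>
    <description>Windows Logon Success (non-network logon).</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

After editing local_rules.xml, restart OSSEC and replay a type 3 and a non-type 3 logon through /var/ossec/bin/ossec-logtest to confirm which of the two child rules fires before relying on the alerts.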