Quieten OSSEC alerts


Andi Morris

Jun 30, 2015, 7:16:15 AM
to securit...@googlegroups.com
Hi,
how do I go about quieting certain OSSEC alerts? I don't necessarily want to disable them all, but just ones I don't care about, e.g. Multiple IDS events from same source ip.

That particular alert has a generator ID of 10001 and a signature ID of 20151, but putting 10001:20151 in my disablesid.conf file doesn't stop the alert firing.

Cheers,
Andi

Kevin Branch

Jun 30, 2015, 7:24:28 AM
to securit...@googlegroups.com
Hi Andi,

To completely disable certain OSSEC rules, you can add the rule's number to the existing "ignore rules" rule in /var/ossec/rules/local_rules.xml and then restart OSSEC with "service ossec-hids-server restart". You can also write other kinds of whitelisting rules to disable other rules just for given hosts or given string matches in the log lines. For that, you need to learn to write OSSEC rules. Start here: http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf

<!-- ignore rules
        502     Ossec server started - boring
        503     Ossec agent started - boring
        504     Ossec agent disconnected - boring
       1003     Non standard syslog message (size too large)
  -->
  <rule id="100010" level="0">
        <if_sid>502,503,504,1003</if_sid>
        <description>List of rules to be ignored.</description>
  </rule>


Kevin


--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
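As an added example (not from Kevin's reply or from the OSSEC project), here is how Andi's rule 20151 could be handled in /var/ossec/rules/local_rules.xml: either appended to the existing ignore rule, or dropped to level 0 only for a known scanner address. The `<group>` wrapper and the `<srcip>` child are standard OSSEC rule syntax; the address 192.0.2.10 is a constructed placeholder, and disablesid.conf applies to the Snort/Suricata ruleset rather than to OSSEC rules.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not the thread's or OSSEC's own file).
     Local rules live inside a <group> element; ids 100000-109999 are reserved for user rules.
     Apply with: service ossec-hids-server restart -->
<group name="local,syslog,">

  <!-- Option A: silence rule 20151 everywhere by appending it to the existing
       "ignore rules" rule. Edit rule 100010 in place; do not define the id twice. -->
  <rule id="100010" level="0">
    <if_sid>502,503,504,1003,20151</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>

  <!-- Option B: keep 20151 alerting in general, but override it to level 0 only when
       the source address is an authorised internal scanner. 192.0.2.10 is a constructed
       placeholder (RFC 5737 documentation range). Use one option, not both. -->
  <rule id="100011" level="0">
    <if_sid>20151</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Multiple IDS events from authorised scanner - ignored.</description>
  </rule>

</group>
```

Option B is the safer default for a detection team: the alert still fires for every other source, so a compromised host generating bursts of IDS events is not hidden along with the scanner noise.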

Andi Morris

Jun 30, 2015, 7:29:48 AM
to securit...@googlegroups.com
Perfect, thanks Kevin.
