Multiple windows audit events


Roch

Jul 4, 2008, 5:38:55 AM7/4/08
to ossec...@googlegroups.com
Hi. Is there any way to suppress or stop the checking of a specific
alert? Namely the one that alerts me when Windows Firewall has
detected an application is listening for incoming traffic. Rule 18153
gets called, but it doesn't seem to work if I disable it. Also having
problems with multiple Windows 2003 systems where the CPU is pegging
at 100%, but I haven't checked the object access audit setting yet to
see if that's the cause. I am running version 1.5.1.

Thanks. Roch

--
Sent from Gmail for mobile | mobile.google.com

List Subscriptions

Jul 4, 2008, 9:05:40 AM7/4/08
to ossec...@googlegroups.com
Suppression is easily accomplished using local rules:

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

basically you'll want something like this:

<rule id="100001" level="0">
  <!-- if_sid makes this a child rule of 18153 that overrides it at level 0.
       if_matched_sid is for composite rules with frequency/timeframe and
       does not act as an override on its own. -->
  <if_sid>18153</if_sid>
  <description>Ignore Multiple Windows audit failure events</description>
</rule>

I would suggest only ignoring for noisy hosts by adding <srcip> tags
to the local rule. This way you don't miss something new down the
road. Check local_rules.xml for more examples.

Cheers
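As an added example, not part of the original reply, here is a complete local_rules.xml fragment that applies the override only to named agents rather than globally. The agent names win2003-a and win2003-b and the rule ID 100001 are assumed placeholders; 18153 is the rule named in the question. It scopes the override with the hostname tag (which matches the agent name) instead of srcip, which only matches when the decoder has extracted a source IP from the event; either is a valid scoping tag in OSSEC rule syntax.

```xml
<!-- local_rules.xml: added example, not the original reply's text.
     Rule IDs 100000 and above are reserved for local rules; the agent
     names below are assumed placeholders for the noisy hosts. -->
<group name="local,syslog,">

  <!-- Level 0 child of 18153: the event is still decoded and matched,
       but no alert is generated. The hostname tag is an OSSEC regex,
       anchored with ^ and $ so that "win2003-a" does not also silence
       a host named "win2003-a2"; | is OSSEC's OR operator. Every other
       agent keeps firing 18153, so a new noisy host is still noticed. -->
  <rule id="100001" level="0">
    <if_sid>18153</if_sid>
    <hostname>^win2003-a$|^win2003-b$</hostname>
    <description>Ignore Multiple Windows audit failure events on known-noisy hosts</description>
  </rule>

</group>
```

After editing the file, restart the server with /var/ossec/bin/ossec-control restart so the rule is loaded, then paste one of the offending Windows event lines into /var/ossec/bin/ossec-logtest: it prints the rule that matched, and for the listed hosts it should now report rule 100001 at level 0 instead of 18153.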

Roch

Jul 4, 2008, 10:36:23 AM7/4/08
to ossec...@googlegroups.com
Thank you, I'll try this out.