Modifying default OSSEC rules
Latest revision as of 16:05, 24 March 2022
Disable email alerts
To stop a rule from sending email alerts, use one of the following three ways:
- Remove (or comment out) the rule's <options>alert_by_email</options> line, if it has one; that option forces email for rules below the email threshold.
- Lower the rule's level below email_alert_level (7 by default, set under <alerts> in ossec.conf), so it no longer emails by default.
- Explicitly add <options>no_email_alert</options> to the rule.
Note that the element is <options>, not <option>; OSSEC silently ignores unknown elements, so a misspelled option changes nothing. This is typically needed for the very generic syslog rules 1002 and 1003, which otherwise generate too many email alerts. Rather than editing the shipped rule files, which an upgrade will overwrite, apply the change from '/var/ossec/rules/local_rules.xml' as a child rule of the rule you want to change.
More rule syntax at http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
Disable a particular rule using local_rules.xml
To disable a particular rule, add an override to '/var/ossec/rules/local_rules.xml' with the following definition:
    <rule id="100002" level="0">
      <if_sid>40111</if_sid>
      <description>Ignoring authentication failures from radius server</description>
    </rule>
A child rule (one with <if_sid>) that matches takes precedence over its parent, and level 0 means the event is dropped without an alert. Custom rule ids must be in the 100000-119999 range reserved for local rules. As written this silences rule 40111 from every host; to limit it to the radius server, add a <hostname> condition to the child rule. Restart OSSEC (/var/ossec/bin/ossec-control restart) after editing and confirm the result by feeding a sample log line to /var/ossec/bin/ossec-logtest.
Ignore the VPN server's LDAP "No such object" notifications
To ignore one particular kind of message that otherwise lands in the catch-all rule 1002 ("Unknown problem somewhere in the system"), add a level-0 child rule of 1002 that matches the message text:
    <rule id="100031" level="0">
      <if_sid>1002</if_sid>
      <match>LDAP search failed: No such object</match>
      <description>Ignored LDAP search failed on VPN server</description>
    </rule>
Only lines containing the <match> text are dropped; everything else that rule 1002 catches still alerts as before.
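The three sections above all depend on the same two pieces of OSSEC behaviour: a matching child rule wins over its parent (level 0 drops the event), and the email decision is made from the winning rule's level and its <options>. The following is an added example, not OSSEC code and not from the original page: a small Python model of that evaluation, run over the two overrides from this page plus two hypothetical rules (ids 100040 and 100041) and constructed log lines. Rule 1002 is a cut-down stand-in for the real catch-all, and the email_alert_level default of 7 is the ossec.conf default.

```python
"""Simplified model of how OSSEC picks a rule for a log line and decides
whether to e-mail the alert.  Added example for this page, not OSSEC's
own code; it models only the behaviour the page relies on:
  * a rule with <if_sid> is a child of the named rule; when the parent
    matches, children are tried in file order and the first child that
    also matches takes over;
  * level 0 means the event is dropped (no alert, no e-mail);
  * an alert is mailed when level >= email_alert_level (7 by default),
    <options>alert_by_email</options> forces mail below that level and
    <options>no_email_alert</options> suppresses it.
Rule 1002 is a cut-down stand-in for the real catch-all, rules 100040
and 100041 are hypothetical, and the log lines are constructed.
"""
import xml.etree.ElementTree as ET

EMAIL_ALERT_LEVEL = 7  # ossec.conf <alerts><email_alert_level> default

RULES_XML = """
<group name="local,syslog,">
  <rule id="1002" level="2">
    <match>failed|error|denied</match>
    <description>Unknown problem somewhere in the system (stand-in).</description>
  </rule>
  <rule id="100031" level="0">
    <if_sid>1002</if_sid>
    <match>LDAP search failed: No such object</match>
    <description>Ignored LDAP search failed on VPN server</description>
  </rule>
  <rule id="100040" level="8">
    <if_sid>1002</if_sid>
    <match>disk error</match>
    <options>no_email_alert</options>
    <description>Hypothetical: high level, but explicitly not mailed</description>
  </rule>
  <rule id="100041" level="3">
    <if_sid>1002</if_sid>
    <match>denied</match>
    <options>alert_by_email</options>
    <description>Hypothetical: low level, but mailed anyway</description>
  </rule>
</group>
"""


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by id, preserving file order."""
    rules = {}
    for el in ET.fromstring(xml_text).iter("rule"):
        rid = int(el.get("id"))
        rules[rid] = {
            "id": rid,
            "level": int(el.get("level")),
            "if_sid": [int(s) for s in (el.findtext("if_sid") or "").split(",") if s.strip()],
            # OSSEC <match> is a substring test; '|' separates alternatives.
            "match": [p for p in (el.findtext("match") or "").split("|") if p],
            "options": {o.text.strip() for o in el.findall("options") if o.text},
            "description": el.findtext("description") or "",
        }
    return rules


def _matches(rule, line):
    """A rule with no <match> accepts everything its parent passed down."""
    return not rule["match"] or any(p in line for p in rule["match"])


def _descend(rule, line, children):
    """Follow the first matching child at each step; return the deepest match."""
    for child in children.get(rule["id"], []):
        if _matches(child, line):
            return _descend(child, line, children)
    return rule


def select_rule(rules, line):
    """Return the id of the rule that wins for this line, or None."""
    children = {}
    for r in rules.values():
        for parent in r["if_sid"]:
            children.setdefault(parent, []).append(r)
    for r in rules.values():
        if not r["if_sid"] and _matches(r, line):
            return _descend(r, line, children)["id"]
    return None


def decide(rules, line, email_alert_level=EMAIL_ALERT_LEVEL):
    """Return (rule_id, alerts, emails) for one log line."""
    rid = select_rule(rules, line)
    if rid is None:
        return (None, False, False)
    rule = rules[rid]
    if rule["level"] == 0:  # level 0: silently ignored
        return (rid, False, False)
    opts = rule["options"]
    emails = "no_email_alert" not in opts and (
        rule["level"] >= email_alert_level or "alert_by_email" in opts)
    return (rid, True, emails)


SAMPLE_LINES = [  # constructed syslog lines
    "Mar 24 16:05:01 vpn1 openvpn[812]: LDAP search failed: No such object",
    "Mar 24 16:05:02 web1 app[44]: connection to db failed",
    "Mar 24 16:05:03 web1 kernel: disk error on /dev/sdb",
    "Mar 24 16:05:04 fw1 sshd[99]: access denied for user bob",
]

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for line in SAMPLE_LINES:
        print(decide(rules, line), line)
```

Running it shows the LDAP line dropped by 100031, the plain "failed" line alerting at level 2 without mail, the "disk error" line alerting at level 8 but not mailed because of no_email_alert, and the "denied" line mailed despite level 3 because of alert_by_email; lowering email_alert_level (the second of the three ways above) flips the level-2 alert to mailed. The real engine also applies decoders, regex, frequency and timeframe, which this model leaves out, so always confirm a new override with ossec-logtest.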
Steps learned from http://www.linuxbsdos.com/2015/02/26/configure-ossec-to-not-email-alerts-on-iptables-denied-messages/
Refer to http://osdir.com/ml/ossec-list/2010-03/msg00215.html and the examples in the local_rules.xml file. More syntax at http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html