Hi Charles,
Meir's suggestion to use the monolithic rules is to make your life easier in the future (and also to make them easy to manage). However, to answer your question, the "noalert" attribute does not have the meaning you would expect from the name. It means that if you match this rule, check for any "child" rule. If you don't find any, keep searching for other rules... You will see that we generally use it for the initial rules in each group.

    <rule id="5700" level="0" noalert="1">
      <decoded_as>sshd</decoded_as>
      <description>SSHD messages grouped.</description>
    </rule>

The way you are using the user_defined.xml is correct. You will not have any problem during upgrades. However, to reduce the verbosity of the alerts, I would suggest reducing the severity (level) of these rules (to 1 or 2, for example) and setting the "log_alert_level" to 4, 5 or something higher.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/20/06, kef_list <[EMAIL PROTECTED]> wrote:
Sorry, I don't understand. All I want to do is to create user-defined rules that override some of the built-in options, not create a monolithic rules file....

On Aug 20, 2006, at 15:38 , Meir Michanie wrote:

> I would encourage you to follow the howto:
>
> http://www.ossec.net/wiki/index.php/Monolitic_rules_file

____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
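Added illustration of the two points in Daniel's reply above (a child rule hanging off the noalert grouping rule 5700, and a local override whose level sits below log_alert_level); this is constructed example configuration, not code from the thread or from the OSSEC project files. The rule id 100001, the match strings, the file name and the level values are assumptions; the overwrite attribute is assumed to be supported by the OSSEC release in use, and the 5702 definition is recalled from sshd_rules.xml and should be checked against your copy.

```xml
<!-- Local rules file (the reply calls it user_defined.xml; later releases
     name it local_rules.xml). Constructed example, not an OSSEC file. -->
<group name="local,syslog,sshd,">

  <!-- Rule 5700 (in sshd_rules.xml) matches every sshd line; because it has
       noalert="1" it never alerts itself and only routes the line to the
       child rules below via if_sid. -->

  <!-- Constructed child of 5700. Level 1 keeps the event in the archives but
       below log_alert_level, so it is not written to alerts.log. -->
  <rule id="100001" level="1">
    <if_sid>5700</if_sid>
    <match>Received disconnect from</match>
    <description>sshd: routine client disconnect (local, low priority).</description>
  </rule>

  <!-- Lowering a built-in rule's level without editing sshd_rules.xml.
       overwrite="yes" replaces the stock definition of 5702, so the full
       rule body (if_sid and match) is repeated here. Assumed attribute. -->
  <rule id="5702" level="2" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <description>Reverse lookup error (downgraded locally).</description>
  </rule>

</group>

<!-- Matching ossec.conf setting from the reply: only alerts at level 4 or
     above reach alerts.log, so the level 1 and level 2 rules above stay quiet.
     Placed under <ossec_config> as:
       <alerts>
         <log_alert_level>4</log_alert_level>
       </alerts>
-->
```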
