Hi Dimitri,
If you look at /var/ossec/rules/local_rules.xml it will have some examples on how to filter specific rules. For your case, the following rule would help:

  <rule id="100001" level="0">
    <if_sid>40101</if_sid>
    <user>nobody</user>
    <description>Ignoring user nobody.</description>
  </rule>

Our wiki also has some information about it:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

*Remember to restart ossec after making these changes.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/27/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
> Hello to all.
>
> I recently upgraded to O-H-0.9-2. Since then, I've been getting the following alerts from my mail server:
>
> OSSEC HIDS Notification.
> 2006 Sep 27 15:32:22
>
> Received From: (plymouth) 192.168.1.2->/var/log/messages
> Rule: 40101 fired (level 12) -> "System user sucessfully logged on the system."
> Portion of the log(s):
>
> su(pam_unix)[8027]: session opened for user nobody by (uid=0)
>
> --END OF NOTIFICATION
>
> I've not yet figured out which service is firing via the user nobody, but would like to filter these alerts out. How would I do that?
>
> Thanks.
>
> Dimitri
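The mechanism Daniel describes, a level-0 child rule chained to the parent with if_sid, is modelled below as an added example; it is not OSSEC's own code and not part of the thread. It parses the rule from the reply, checks the properties that make such an override work (level 0, if_sid pointing at 40101, id in the 100000-119999 range OSSEC reserves for local rules), and runs two constructed pam log lines through a reduced matcher so you can see that the "nobody" session is silenced while a login by another user still fires 40101 at level 12. The pam regex is a stand-in for OSSEC's decoder and the <user> comparison is an exact string match, whereas OSSEC's <user> field uses its own pattern syntax; both are simplifications.

```python
"""Model of how a level-0 child rule in local_rules.xml suppresses a parent alert.

Added example, not OSSEC code: it re-implements only the small part of the
analysisd matching logic needed to show why rule 100001 silences rule 40101
for user "nobody" while other users still alert.
"""
import re
import xml.etree.ElementTree as ET

# The rule from the reply, wrapped in a <group> as the real file does
# (constructed wrapper).
LOCAL_RULES_XML = """<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>40101</if_sid>
    <user>nobody</user>
    <description>Ignoring user nobody.</description>
  </rule>
</group>"""

# Parent rule as reported in the alert in the thread.
PARENT_RULE = {
    "id": "40101",
    "level": 12,
    "description": "System user sucessfully logged on the system.",
}

# Reduced stand-in for OSSEC's pam decoder (assumption, not the real decoder):
# "session opened for user X by Y(uid=N)", where Y may be empty.
PAM_SESSION_RE = re.compile(
    r"session opened for user (?P<dstuser>\S+) by (?P<srcuser>\S*)\(uid=(?P<uid>\d+)\)"
)


def load_local_rules(xml_text):
    """Parse <rule> elements into dicts; if_sid may be a comma-separated list."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.iter("rule"):
        if_sid = node.findtext("if_sid") or ""
        rules.append({
            "id": node.get("id"),
            "level": int(node.get("level", "0")),
            "if_sid": {s.strip() for s in if_sid.split(",") if s.strip()},
            "user": node.findtext("user"),
            "description": node.findtext("description"),
        })
    return rules


def check_ignore_rule(rule, parent_id):
    """Return the problems that would stop this rule from silencing parent_id."""
    problems = []
    if rule["level"] != 0:
        problems.append("level must be 0 to suppress the alert")
    if parent_id not in rule["if_sid"]:
        problems.append("if_sid does not reference %s" % parent_id)
    if not 100000 <= int(rule["id"]) <= 119999:
        problems.append("id is outside the local-rules range 100000-119999")
    return problems


def decode_pam(log_line):
    """Extract the user fields the way the pam decoder would (reduced model)."""
    m = PAM_SESSION_RE.search(log_line)
    if not m:
        return None
    return {"dstuser": m.group("dstuser"), "srcuser": m.group("srcuser") or None}


def evaluate(log_line, parent, children):
    """Return (rule_id, level) of the rule that ends up firing, or None if no match.

    Children chained via if_sid are tried once the parent matches; the first
    matching child replaces the parent's id and level.
    """
    fields = decode_pam(log_line)
    if fields is None:
        return None
    for child in children:
        if parent["id"] not in child["if_sid"]:
            continue
        if child["user"] is not None:
            # Compare <user> against dstuser, falling back to srcuser.
            user = fields["dstuser"] or fields["srcuser"]
            if user != child["user"]:
                continue
        return (child["id"], child["level"])
    return (parent["id"], parent["level"])


def would_alert(log_line, min_level=1):
    """True if the line still produces an alert once local_rules.xml is loaded."""
    result = evaluate(log_line, PARENT_RULE, load_local_rules(LOCAL_RULES_XML))
    return result is not None and result[1] >= min_level


if __name__ == "__main__":
    # Constructed sample lines; the first is the one quoted in the thread.
    for line in (
        "su(pam_unix)[8027]: session opened for user nobody by (uid=0)",
        "su(pam_unix)[8031]: session opened for user root by dimitri(uid=500)",
    ):
        print(evaluate(line, PARENT_RULE, load_local_rules(LOCAL_RULES_XML)),
              "alert" if would_alert(line) else "suppressed", "<-", line)
```

Running it prints ('100001', 0) suppressed for the "nobody" line and ('40101', 12) alert for the root login, which is the behaviour the override is meant to give: the noisy service account is quiet, everything else on rule 40101 keeps alerting.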
