Hi Steve,

A lot of people have problems finding stuff on our wiki, but we plan to keep
improving it (and any help is welcome). As Michael said, you can send the log
entries to the list so we can help you out, or you can use the following documents
from our FAQ:

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort

Also, my presentation at AusCERT/Confidence can be of help too:

http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net



On 6/21/07, Steve Johnson <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> There is a syslog message that triggers rule 1002 for syslog, which is
> about alerting on certain keywords. The message happens when we try to
> set up an ssh tunnel when the port has already been used by someone else,
> and it has the keyword "error" generated by sshd. I don't want to remove
> the keyword from rule 1002, or even less ignore the rule completely, but
> I was wondering if there was a way to whitelist certain specific syslog
> messages? I could not find the information in the wiki, so I hope I
> didn't just overlook it :-)
>
> Thanks,
> Steve Johnson
>
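One way to whitelist just that sshd message while leaving rule 1002 intact is a child rule at level 0 in local_rules.xml. This is an added example, not code from this thread or from the OSSEC project; the rule id 100010 and the exact text sshd logs ("bind: Address already in use") are assumptions, so replace the `<match>` with the real line from your log.

```xml
<!-- local_rules.xml: ignore one specific sshd message that otherwise fires rule 1002.
     Assumptions: rule id 100010 is free in the local range (100000+), and the
     tunnel failure is logged by sshd as "error: bind: Address already in use". -->
<group name="local,syslog,sshd,">
  <rule id="100010" level="0">
    <!-- Only evaluated after the parent keyword rule has matched. -->
    <if_sid>1002</if_sid>
    <!-- Restrict to sshd so the same words from another daemon still alert. -->
    <program_name>sshd</program_name>
    <!-- <match> is a substring test; keep it as specific as the log line allows
         so other sshd "error" messages are not silenced along with this one. -->
    <match>bind: Address already in use</match>
    <description>sshd could not bind a tunnel port that is already in use; ignored.</description>
  </rule>
</group>
```

Confirm the result by feeding the original log line to /var/ossec/bin/ossec-logtest and checking that it now lands on rule 100010 at level 0 rather than on 1002; if it still hits 1002, the `<match>` text does not appear in the line as logged.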
