Hi Randy,

On Fri, May 13, 2011 at 1:50 PM, Randy Dover <[email protected]> wrote:
> I'm getting the email below about every 5 minutes.
>
> I went into the local_rules.xml file and added this section:
>  <rule id="100002" level="0">
>    <if_sid>18106</if_sid>
>    <id>52</id>
>    <description>Ignore ID 52 alerts</description>
>  </rule>
>
> But I'm still getting the alerts. Do I need to change the if_sid number
> to 18154?
>

If you don't want to see alerts from rule sid 18154, why would you
match on rule sid 18106?

> Complete rules section is:
>  <!-- Specify here a list of rules to ignore. -->
>  <!--
>  <rule id="100030" level="0">
>    <if_sid>12345, 23456, xyz, abc</if_sid>
>    <description>List of rules to be ignored.</description>
>  </rule>
>  -->
>  <rule id="100001" level="0">
>    <if_sid>18106</if_sid>
>    <id>529</id>
>    <description>Ignore ID 529 alerts</description>
>  </rule>
>  <rule id="100002" level="0">
>    <if_sid>18106</if_sid>
>    <id>52</id>
>    <description>Ignore ID 52 alerts</description>
>  </rule>
>
> Randy Dover
> To: DL_ITStaff
> Subject: OSSEC Notification - (ServerName) 192.168.x.x - Alert level 10
>
> OSSEC HIDS Notification.
> 2011 May 13 13:35:55
>
> Received From: (ServerName) 192.168.x.x->WinEvtLog
> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> Portion of the log(s):
>
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please
> contact Support.
>
>
>
>  --END OF NOTIFICATION
>
>
>
>
