Honestly...because I guess I don't have a clue about how to write a rule 
exception.

I found something on a post about preventing another type of message, and the rule 
didn't match what I thought it should be, but it worked.

So, I guess I should change that 18106 to 18154, huh? 


Randy Dover 
Vice President / Information Technology Officer
Cornerstone Community Bank
6401 Lee Highway, Suite 119 
Chattanooga, TN 37421
Telephone: 423-385-3010 
[email protected] 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Friday, May 13, 2011 2:10 PM
To: [email protected]
Subject: Re: [ossec-list] OSSEC Notification - (ServerName) 192.168.x.x - Alert 
level 10

Hi Randy,

On Fri, May 13, 2011 at 1:50 PM, Randy Dover <[email protected]> wrote:
> I'm getting the email below about every 5 minutes.
>
> I went into the local_rules.xml file and added this section:
>  <rule id="100002" level="0">
>    <if_sid>18106</if_sid>
>    <id>52</id>
>    <description>Ignore ID 52 alerts</description>
>  </rule>
>
> But I'm still getting the alerts. Do I need to change the if_sid 
> number to 18154?
>

If you don't want to see alerts from rule sid 18154, why would you match on 
rule sid 18106?

> Complete rules section is:
>  <!-- Specify here a list of rules to ignore. -->
>  <!--
>  <rule id="100030" level="0">
>    <if_sid>12345, 23456, xyz, abc</if_sid>
>    <description>List of rules to be ignored.</description>
>  </rule>
>  -->
>  <rule id="100001" level="0">
>    <if_sid>18106</if_sid>
>    <id>529</id>
>    <description>Ignore ID 529 alerts</description>
>  </rule>
>  <rule id="100002" level="0">
>    <if_sid>18106</if_sid>
>    <id>52</id>
>    <description>Ignore ID 52 alerts</description>
>  </rule>
>
> Randy Dover
> To: DL_ITStaff
> Subject: OSSEC Notification - (ServerName) 192.168.x.x - Alert level 
> 10
>
> OSSEC HIDS Notification.
> 2011 May 13 13:35:55
>
> Received From: (ServerName) 192.168.x.x->WinEvtLog
> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> Portion of the log(s):
>
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain:
> ServerName: Internal error in the TCP Server (null reply). Please 
> contact Support.
>
>
>
>  --END OF NOTIFICATION
>
>
>
>
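
A small pre-flight check, added here as an example and not part of the thread or of OSSEC itself, that parses the notification and the local_rules.xml section quoted above and reports which override rules OSSEC would even evaluate for that alert. It models only the two conditions the thread relies on, the `<if_sid>` gate (a child rule is tested only when one of the listed parent rules fired) and the Windows event `<id>`, which is enough to show why an override gated on 18106 never sees an alert raised by 18154 and why the same rule gated on 18154 does. Real OSSEC matching has many more options and walks the whole rule tree, so this is a sanity check, not a reimplementation of analysisd; the rule fragment and alert text are constructed from the messages above.

```python
"""Would an OSSEC local_rules.xml override catch a given alert?

Added example (not OSSEC code). Models <if_sid> gating and the Windows
event <id> only, the two conditions used in the mailing-list thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed from the notification quoted in the thread (log line unwrapped).
ALERT = """\
Rule: 18154 fired (level 10) -> "Multiple Windows error events."
Portion of the log(s):

WinEvtLog: Application: ERROR(52): SXS: (no user): no domain: ServerName: Internal error in the TCP Server (null reply). Please contact Support.
"""

# The "Complete rules section" as posted, gated on 18106.
LOCAL_RULES_ORIGINAL = """\
<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="100030" level="0">
  <if_sid>12345, 23456, xyz, abc</if_sid>
  <description>List of rules to be ignored.</description>
</rule>
-->
<rule id="100001" level="0">
  <if_sid>18106</if_sid>
  <id>529</id>
  <description>Ignore ID 529 alerts</description>
</rule>
<rule id="100002" level="0">
  <if_sid>18106</if_sid>
  <id>52</id>
  <description>Ignore ID 52 alerts</description>
</rule>
"""
# The same section gated on the rule that actually fired.
LOCAL_RULES_FIXED = LOCAL_RULES_ORIGINAL.replace("18106", "18154")

RULE_FIRED = re.compile(r"^Rule:\s*(\d+)\s+fired\s+\(level\s+(\d+)\)", re.M)
WIN_EVENT = re.compile(r"WinEvtLog:\s*\w+:\s*[A-Z_]+\((\d+)\)")


def parse_alert(text):
    """Return (fired_sid, level, set of Windows event IDs) from a notification."""
    m = RULE_FIRED.search(text)
    if not m:
        raise ValueError("no 'Rule: N fired' line in alert")
    event_ids = set(WIN_EVENT.findall(text))
    return int(m.group(1)), int(m.group(2)), event_ids


def parse_local_rules(fragment):
    """Parse <rule> elements from a local_rules.xml fragment.

    The fragment has no single root, so it is wrapped; XML comments
    (like the commented-out 100030 template) are dropped by the parser.
    """
    root = ET.fromstring("<group>" + fragment + "</group>")
    rules = []
    for r in root.iter("rule"):
        if_sid = r.findtext("if_sid", "")
        sids = {int(s) for s in (x.strip() for x in if_sid.split(",")) if s.isdigit()}
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": sids,
            "event_id": r.findtext("id"),  # Windows event ID, or None
        })
    return rules


def overrides_for(rules, fired_sid, event_ids):
    """IDs of override rules that are both evaluated for this alert and match it."""
    hits = []
    for rule in rules:
        if fired_sid not in rule["if_sid"]:
            continue  # never evaluated: none of its parents fired
        if rule["event_id"] is not None and rule["event_id"] not in event_ids:
            continue  # evaluated, but the event ID does not match
        hits.append(rule["id"])
    return hits


def would_be_silenced(fragment, alert_text):
    """True if some matching override has level 0 (i.e. the alert is suppressed)."""
    fired, _level, event_ids = parse_alert(alert_text)
    rules = parse_local_rules(fragment)
    hits = overrides_for(rules, fired, event_ids)
    return any(r["level"] == 0 for r in rules if r["id"] in hits)


if __name__ == "__main__":
    for name, frag in (("original", LOCAL_RULES_ORIGINAL), ("fixed", LOCAL_RULES_FIXED)):
        print(name, "silenced:", would_be_silenced(frag, ALERT))
```

Running it prints `original silenced: False` and `fixed silenced: True`: with `<if_sid>18106</if_sid>` neither override is ever evaluated for an alert raised by 18154, so the `<id>52</id>` condition never gets a chance to match; once the gate names 18154, rule 100002 matches the event ID and its level 0 suppresses the notification. The point to take away is that the `<if_sid>` value must be the rule ID shown on the `Rule: N fired` line of the alert you are trying to silence.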
