Dan, I fixed the fatal flaws, and it does work. Many thanks!

Dimitri

On Wednesday 19 October 2011 2:46:24 pm dan (ddp) wrote:
> Write a rule.
>
> <rule id="SET_AN_ID" level="O">
> <if_sid>1002</if_sid>
> <match>scan errors: 0, viruses detected: 0, infected files
> detected: 0</match>
> <description>All is well.</description>
> </rule>
>
> This one has fatal flaws, but if fixed it works.
>
> On Wed, Oct 19, 2011 at 2:34 PM, Dimitri Yioulos <dyiou...@onpointfc.com> wrote:
> > All,
> >
> > It's a bit embarrassing that I can't figure out how to stop
> > this particular alert, but I don't know how. Here's the
> > situation:
> >
> > I have Sophos anti-virus installed on some of my Linux boxes.
> > I keep getting Ossec alerts like the following:
> >
> > 2011 Oct 19 11:21:59 Rule Id: 1002 level: 2
> > Location: (plymouth) 192.168.1.2->/var/log/messages
> > Unknown problem somewhere in the system.
> > Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan
> > details: master boot records scanned: 0, boot records
> > scanned: 0, files scanned: 3, scan errors: 0, viruses
> > detected: 0, infected files detected: 0
> >
> > Obviously, I don't want this event to alert. What do I have
> > to do in Ossec to prevent this specific alert?
> >
> > Many thanks.
> >
> > Dimitri
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
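
One way the quoted rule might look once corrected, as an added example that is not part of the original thread. The thread does not say which flaws were meant, so this assumes they are the placeholder id and the level written as the letter O instead of the digit 0; the id 100100, the group name and the description text are made-up values.

```xml
<!-- local_rules.xml on the OSSEC server (added example, not from the thread) -->
<group name="local,syslog,">

  <!-- id must be numeric; 100100 is an arbitrary pick from the
       100000-119999 range set aside for user-defined rules.
       level must be a number; 0 means "ignore, never alert". -->
  <rule id="100100" level="0">
    <!-- Only evaluated for events that already matched rule 1002. -->
    <if_sid>1002</if_sid>
    <!-- Kept on one line because the log event is a single line.
         Only the all-zero summary is silenced; a scan that reports
         errors or detections does not match and still alerts
         through rule 1002. -->
    <match>scan errors: 0, viruses detected: 0, infected files detected: 0</match>
    <description>Sophos on-demand scan finished clean.</description>
  </rule>

</group>
```

Pasting the log line from the alert into ossec-logtest shows whether it now resolves to the new rule at level 0; OSSEC has to be restarted on the server before the rule takes effect.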