2 - Example of local rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
16 <!-- Modify it as you wish. -->
18 <group name="local,syslog,">
<!-- Every rule in this group is level 0: a match discards the event without
     an alert (the note below says "Level 0 means ignore"), so each one is a
     deliberate detection gap and should be kept as narrow as possible. -->
20 <!-- Note that rule id 5711 is defined in the ssh_rules file
21 - as an ssh failed login. This is just an example
22 - since ip 1.1.1.1 shouldn't be used anywhere.
23 - Level 0 means ignore.
25 <rule id="100001" level="0">
<!-- Silences the sshd failed-login rule (5711, per the note above) only for
     source IP 1.1.1.1; the if_sid line itself is not shown in this excerpt. -->
27 <srcip>1.1.1.1</srcip>
28 <description>Example of rule that will ignore sshd </description>
29 <description>failed logins from IP 1.1.1.1.</description>
33 <!-- This example will ignore ssh failed logins for the user name XYZABC.
36 <rule id="100020" level="0">
<!-- The user condition this rule depends on is not shown in this excerpt. -->
39 <description>Example of rule that will ignore sshd </description>
40 <description>failed logins for user XYZABC.</description>
45 <!-- Specify here a list of rules to ignore. -->
47 <rule id="100030" level="0">
<!-- NOTE(review): "xyz" and "abc" are placeholders, not rule ids; if_sid
     presumably expects numeric ids like those used in this file. Replace or
     remove them before enabling this rule, and justify every id listed here,
     since each one silences that rule entirely. -->
48 <if_sid>12345, 23456, xyz, abc</if_sid>
49 <description>List of rules to be ignored.</description>
53 </group> <!-- SYSLOG,LOCAL -->
57 <!-- Begin update by CARNet package ossec-hids-cn -- DO NOT DELETE THIS LINE!-->
<!-- NOTE(review): the marker comments opening and closing this section contain
     a double hyphen, which the XML spec forbids inside a comment; OSSEC's own
     parser may tolerate it, but strict tools such as xmllint will reject the
     file. The enclosing group element for these rules is not shown here. -->
<!-- All rules in this section are level 0 (silent discard). Where a condition
     is visible it is narrowed by program_name and/or match; for 100031, 100033
     and 100034 the condition lines are not shown in this excerpt, and the
     description "Events ignored" does not say what is being dropped. -->
59 <rule id="100031" level="0">
62 <description>Events ignored</description>
65 <rule id="100032" level="0">
<!-- program_name is presumably a regex: an anchored alternation that drops
     events from programs named sophie or smartd. -->
67 <program_name>^sophie|^smartd</program_name>
68 <description>Ignore Sophie/SMARTd</description>
71 <rule id="100033" level="0">
73 <description>Events ignored</description>
76 <rule id="100034" level="0">
78 <description>Ignore blacklisted mail</description>
81 <rule id="100035" level="0">
<!-- Only the program_name condition (BIND) is visible; the match that limits
     this to cache warnings is not in this excerpt. -->
84 <program_name>^named</program_name>
85 <description>Ignore BIND cache warnings</description>
88 <rule id="100036" level="0">
<!-- Drops anacron's "Updated timestamp for job" notices; presumably both the
     match and the program_name condition must hold. -->
90 <match>Updated timestamp for job</match>
91 <program_name>^anacron</program_name>
92 <description>Ignore Anacron warnings</description>
95 <!-- End update by CARNet package ossec-hids-cn -- DO NOT DELETE THIS LINE!-->