Snort mailing list archives
Re: Overriding securityonion_rules.xml
From: Doug Burks via Snort-users <snort-users () lists snort org>
Date: Sun, 13 Aug 2017 16:29:09 -0400
Hi GRSmith,

Please send Security Onion questions to the Security Onion mailing list:
https://securityonion.net/wiki/MailingLists

Thanks!

On Sun, Aug 13, 2017 at 3:04 PM, GRSmith <grsmith () dakelake com> wrote:
> Should it be possible to override/modify rules in securityonion_rules.xml
> using entries in local_rules.xml? If not, is it possible in some other way,
> and if so how?
>
> For example: I would like to temporarily force rule 111112 to ignore eth1,
> perhaps with something like the following. The syntax here may be wrong (or
> non-optimal), but I cannot test because OSSEC server restart first complains:
>
> ossec-analysisd: Overwrite rule '111112' not found.
>
> <group name="local,syslog,">
>   <!-- overwrite="yes" is the attribute OSSEC uses to replace an existing rule id -->
>   <rule id="111112" level="7" overwrite="yes">
>     <if_sid>111111</if_sid>
>     <match>eth2: 0|eth3: 0|eth4: 0</match>
>     <description>Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!</description>
>   </rule>
> </group>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Doug Burks
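The "Overwrite rule '111112' not found" error discussed in the quoted question depends on load order: OSSEC can only overwrite a rule id that an earlier-loaded file already defined. The following is an added example, not code from this thread, from OSSEC or from Security Onion; it replays that ordering check over constructed stand-in rule files (rule 111111's body and the include orders are assumptions) and reports overwrite rules whose target id has not been seen yet.

```python
"""Checks that every rule marked overwrite="yes" targets an id already defined
by an earlier-loaded file, the ordering condition behind ossec-analysisd's
"Overwrite rule 'N' not found" error. Rule files and load orders are constructed."""
import xml.etree.ElementTree as ET
# Constructed stand-ins for the real files (rule 111111's body is invented);
# OSSEC rule files may hold several top-level <group>s, hence the synthetic root.
RULE_FILES = {
    "securityonion_rules.xml": """
<group name="local,syslog,">
  <rule id="111111" level="0">
    <match>packets in designated time interval</match>
    <description>Interface packet-count report</description>
  </rule>
  <rule id="111112" level="7">
    <if_sid>111111</if_sid>
    <match>: 0</match>
    <description>Received 0 packets in designated time interval</description>
  </rule>
</group>""",
    "local_rules.xml": """
<group name="local,syslog,">
  <rule id="111112" level="7" overwrite="yes">
    <if_sid>111111</if_sid>
    <match>eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets; eth1 temporarily ignored</description>
  </rule>
</group>""",
}

def rules_in(text):
    """Yield (rule id, is_overwrite) for each <rule> in one rule file."""
    root = ET.fromstring("<root>" + text + "</root>")
    for rule in root.iter("rule"):
        yield rule.get("id"), rule.get("overwrite", "no").lower() == "yes"

def check_overwrites(load_order, files=RULE_FILES):
    """Return [(file, rule_id)] for overwrite rules whose target id was not
    defined by a file earlier in load_order (the ossec.conf <include> order)."""
    seen, unresolved = set(), []
    for name in load_order:
        for rule_id, overwrite in rules_in(files[name]):
            if overwrite and rule_id not in seen:
                unresolved.append((name, rule_id))
            seen.add(rule_id)
    return unresolved

if __name__ == "__main__":
    for order in (["securityonion_rules.xml", "local_rules.xml"],
                  ["local_rules.xml", "securityonion_rules.xml"]):
        print(order, "->", check_overwrites(order) or "all overwrites resolve")
```

Run it against the real include list from ossec.conf to see whether local_rules.xml is loaded after the file that defines the rule you are trying to overwrite.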
Current thread:
- Overriding securityonion_rules.xml GRSmith (Aug 13)
- Re: Overriding securityonion_rules.xml Doug Burks via Snort-users (Aug 13)