[Snort-users] Overriding securityonion_rules.xml

GRSmith grsmith at dakelake.com
Sun Aug 13 15:04:28 EDT 2017

Should it be possible to override/modify rules in securityonion_rules.xml
using entries in local_rules.xml?  If not, is it possible in some other way,
and if so how?

For example: I would like to temporarily force rule 111112 to ignore eth1,
perhaps with something like the following. The syntax here may be wrong (or
non-optimal), but I cannot test, because the OSSEC server restart first
complains: ossec-analysisd: Overwrite rule '111112' not found.

<group name="local,syslog,">
  <!-- overwrite="yes" is what tells ossec-analysisd to replace an existing rule id
       rather than define a new one; it is the attribute that triggers the
       "Overwrite rule ... not found" error when the id has not been loaded yet -->
  <rule id="111112" level="7" overwrite="yes">
    <match>eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets in designated time interval (defined in
ossec.conf).  Please check interface, cabling, and tap/span!</description>
  </rule>
</group>
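
The error quoted above comes from the order in which ossec-analysisd loads rule files: a rule with overwrite="yes" can only replace a rule id that an earlier include in ossec.conf has already defined. The following checker, an added example rather than code from the original post or from OSSEC, reproduces that lookup offline so the include order can be validated before restarting the server. Both rule files and the file names are constructed samples standing in for securityonion_rules.xml and local_rules.xml; the real contents of those files are not reproduced.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not the real Security Onion rule files. The first
# stands in for securityonion_rules.xml, the second for local_rules.xml.
SECURITYONION_RULES = """\
<group name="local,syslog,">
  <rule id="111112" level="7">
    <match>eth1: 0|eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets in designated time interval.</description>
  </rule>
</group>
"""

LOCAL_RULES = """\
<group name="local,syslog,">
  <!-- valid override: 111112 exists, eth1 dropped from the match -->
  <rule id="111112" level="7" overwrite="yes">
    <match>eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets (eth1 temporarily ignored).</description>
  </rule>
  <!-- invalid override: no earlier file defines 111119 -->
  <rule id="111119" level="7" overwrite="yes">
    <match>eth5: 0</match>
    <description>Targets a rule that was never loaded.</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """OSSEC rule files contain several top-level <group>/<var> elements and
    no single root, so wrap the text before parsing. Returns the <rule>
    elements in file order, which is the order analysisd adds them."""
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return list(root.iter("rule"))


def check_overwrites(files):
    """files: list of (filename, xml_text) in the order ossec.conf includes
    them. Returns a list of (filename, rule_id, problem) tuples."""
    loaded = set()
    problems = []
    for name, text in files:
        for rule in parse_rules(text):
            rid = rule.get("id")
            wants_overwrite = rule.get("overwrite", "no").lower() == "yes"
            if wants_overwrite and rid not in loaded:
                # analysisd reports this as: Overwrite rule '<id>' not found
                problems.append((name, rid, "overwrite target not loaded yet"))
            elif not wants_overwrite and rid in loaded:
                # a second definition of an id without overwrite="yes";
                # flagged here as ambiguous rather than as an analysisd error
                problems.append((name, rid, "duplicate id without overwrite"))
            loaded.add(rid)
    return problems


if __name__ == "__main__":
    order = [("securityonion_rules.xml", SECURITYONION_RULES),
             ("local_rules.xml", LOCAL_RULES)]
    for finding in check_overwrites(order):
        print("%s: rule %s: %s" % finding)
    # Swapping the include order makes the 111112 override fail as well
    for finding in check_overwrites(order[::-1]):
        print("reversed order: %s: rule %s: %s" % finding)
```

Run it with the file list in the same order as the `<include>` entries in ossec.conf; an override that is reported as "not loaded yet" is exactly the case that produces the restart error, and the fix is either to move local_rules.xml after the file that defines the rule or to define the rule outright without overwrite="yes".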

