[Snort-users] Overriding securityonion_rules.xml

Doug Burks doug.burks at gmail.com
Sun Aug 13 16:29:09 EDT 2017


Hi GRSmith,

Please send Security Onion questions to the Security Onion mailing list:
https://securityonion.net/wiki/MailingLists

Thanks!

On Sun, Aug 13, 2017 at 3:04 PM, GRSmith <grsmith at dakelake.com> wrote:
> Should it be possible to override/modify rules in securityonion_rules.xml
> using entries in local_rules.xml?  If not, is it possible in some other way,
> and if so how?
>
> For example: I would like to temporarily force rule 111112 to ignore eth1.
> perhaps with something like the following.  The syntax here may be wrong (or
> non-optimal), but I cannot test because OSSEC server restart first
> complains. ossec-analysisd: Overwrite rule '111112' not found.
>
> <group name="local,syslog,">
>   <rule id="111112" level="7">
>     <if_sid>111111</if_sid>
>     <match>eth2: 0|eth3: 0|eth4: 0</match>
>     <description>Received 0 packets in designated time interval (defined in
> ossec.conf).  Please check interface, cabling, and tap/span!</description>
>   </rule>
> </group>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
Doug Burks



More information about the Snort-users mailing list