Snort mailing list archives
Overriding securityonion_rules.xml
From: "GRSmith" <grsmith () dakelake com>
Date: Sun, 13 Aug 2017 14:04:28 -0500
Should it be possible to override/modify rules in securityonion_rules.xml
using entries in local_rules.xml? If not, is it possible in some other way,
and if so how?
For example: I would like to temporarily force rule 111112 to ignore eth1,
perhaps with something like the following. The syntax here may be wrong (or
non-optimal), but I cannot test because the OSSEC server restart first
complains: ossec-analysisd: Overwrite rule '111112' not found.
<group name="local,syslog,">
  <rule id="111112" level="7" overwrite="yes">
    <if_sid>111111</if_sid>
    <match>eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets in designated time interval (defined in ossec.conf). Please check interface, cabling, and tap/span!</description>
  </rule>
</group>
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
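An added example (mine, not from the poster or from OSSEC/Security Onion) that models the load-order rule behind the error quoted above: ossec-analysisd accepts overwrite="yes" only for a rule id that a rule file included earlier in ossec.conf has already defined. Both rule file contents are constructed samples, and the duplicate-id message is the checker's own wording, not an OSSEC log line.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for securityonion_rules.xml (not the real file):
# 111111 matches the interface statistics line, 111112 fires on zero packets.
SECURITYONION_RULES = """<group name="local,syslog,">
  <rule id="111111" level="0">
    <match>sostat-quick</match>
    <description>Interface packet counts (constructed sample)</description>
  </rule>
  <rule id="111112" level="7">
    <if_sid>111111</if_sid>
    <match>eth1: 0|eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets in designated time interval</description>
  </rule>
</group>"""

# The local_rules.xml override from the post, with the overwrite="yes"
# attribute OSSEC needs to replace an already-loaded id; eth1 is dropped.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="111112" level="7" overwrite="yes">
    <if_sid>111111</if_sid>
    <match>eth2: 0|eth3: 0|eth4: 0</match>
    <description>Received 0 packets (eth1 temporarily ignored)</description>
  </rule>
</group>"""


def check_overrides(rule_files):
    """rule_files: (filename, xml_text) pairs in ossec.conf include order.
    Returns problem strings; empty means every overwrite="yes" rule refers to
    an id an earlier file defined, and no id is redefined without it."""
    problems, seen = [], set()
    for name, text in rule_files:
        for rule in ET.fromstring(text).iter("rule"):
            rid = rule.get("id")
            if rule.get("overwrite") == "yes":
                if rid not in seen:
                    # Same condition that produces the message in the post.
                    problems.append(f"{name}: Overwrite rule '{rid}' not found")
            elif rid in seen:
                problems.append(f"{name}: duplicate rule id '{rid}' without overwrite")
            seen.add(rid)
    return problems
```

Feeding the two files in the order securityonion_rules.xml, then local_rules.xml returns no problems; reversing that order reproduces the "Overwrite rule '111112' not found" condition.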
Current thread:
- Overriding securityonion_rules.xml GRSmith (Aug 13)
- Re: Overriding securityonion_rules.xml Doug Burks via Snort-users (Aug 13)
