ASL 2.2.11 updates, twitter, and more
Written by Scott Shinn
Monday, 13 September 2010 15:22
A few random project updates:
The larger project update going on right now is OSSEC version 2.5 (beta). As ASL 3.0 is being developed, a number of our support packages need to be either updated or modified to support our new APIs and features. This is a big one, since OSSEC supports both event recording in MySQL and our enterprise client/server components. The latest build, 2.5-0.2, added a new rule set called exclude_rules.xml, which we use in ASL to generate rule customizations. Currently ASL 2.2.11-0.2 allows you to modify either the level (used to select shunning, shunning plus reporting, or ignoring) or the email policy for each alert via the file /etc/asl/rules, whose lines follow this layout:
# Rule ID, Email, Level
When asl -s -f is run, this generates the corresponding rule-exclude data to customize the policy. For example, to disable email alerting on specific OSSEC rule IDs like 60118 (mod_security), you would use:
Internally we've already seen the shortcomings of this file based approach to managing the rule configuration and prototyped past this, so this is just going to be an interim solution. Don't get too attached!
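As an added illustration of the file format described above (this is not ASL's own generator, which the post does not publish), the following Python parses a constructed /etc/asl/rules sample with the "Rule ID, Email, Level" columns and renders each entry as an OSSEC local rule override. The value vocabulary (yes/no for Email, an integer or the word ignore for Level), the "ignore means level 0" mapping, and the use of child rules with if_sid in the user-rule ID range starting at 100000 are assumptions chosen to match standard OSSEC rule syntax rather than anything stated on the page.

```python
"""Parse an ASL-style rules file and emit OSSEC override rules.

Added example, not ASL project code. Column semantics (Rule ID, Email,
Level) come from the post; the accepted values and the XML mapping are
assumptions made here for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the "# Rule ID, Email, Level" layout from the post.
SAMPLE_RULES = """\
# Rule ID, Email, Level
60118, no, 7        # mod_security event: keep alerting, stop emailing
5712, yes, ignore   # silence this rule entirely (level 0)

# trailing comment line
"""

LEVEL_IGNORE = 0          # assumption: "ignore" maps to OSSEC level 0 (never alerts)
LOCAL_RULE_BASE = 100000  # OSSEC reserves 100000-119999 for user-defined rules
MAX_OSSEC_LEVEL = 16


def parse_rules(text):
    """Return a list of {"id", "email", "level"} dicts, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        rule_id, email, level = parts
        if not rule_id.isdigit():
            raise ValueError(f"line {lineno}: rule id must be numeric: {rule_id!r}")
        email = email.lower()
        if email not in ("yes", "no"):
            raise ValueError(f"line {lineno}: email must be yes/no: {email!r}")
        if level.lower() == "ignore":
            level_n = LEVEL_IGNORE
        elif level.isdigit() and 0 <= int(level) <= MAX_OSSEC_LEVEL:
            level_n = int(level)
        else:
            raise ValueError(f"line {lineno}: level must be 0-16 or 'ignore': {level!r}")
        entries.append({"id": int(rule_id), "email": email == "yes", "level": level_n})
    return entries


def render_overrides(entries):
    """Render entries as an OSSEC <group> of child rules that override the parent.

    Each child rule matches the original via <if_sid>, sets the requested level,
    and adds <options>no_email_alert</options> when email is switched off.
    """
    group = ET.Element("group", name="asl_overrides,")
    for offset, e in enumerate(entries):
        rule = ET.SubElement(group, "rule",
                             id=str(LOCAL_RULE_BASE + offset),
                             level=str(e["level"]))
        ET.SubElement(rule, "if_sid").text = str(e["id"])
        ET.SubElement(rule, "description").text = f"ASL override for rule {e['id']}"
        if not e["email"]:
            ET.SubElement(rule, "options").text = "no_email_alert"
    return ET.tostring(group, encoding="unicode")


if __name__ == "__main__":
    print(render_overrides(parse_rules(SAMPLE_RULES)))
```

Because child rules in OSSEC take precedence over the rule named in if_sid, this approach changes level and email behaviour without copying the parent's match conditions, which is why a dedicated override file such as exclude_rules.xml can stay small and be regenerated from the three-column file on every run.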