Security - We will get there

1. Some fine tune examples:

   <rule id="120101" level="9">
      <if_sid>20101</if_sid>
      <match>httpodbc.dll</match>
      <description>Monitoring packet</description>
   </rule>

  <rule id="120102" level="0">
    <if_sid>20100, 20101</if_sid>
    <decoded_as>snort</decoded_as>
    <!-- 119:4 - (http_inspect) BARE BYTE UNICODE ENCODING
       -->
    <id>^119:4:</id>
    <srcip>1.1.1.1</srcip>
    <srcip>1.1.1.2</srcip>
    <srcip>1.1.1.3</srcip>
    <description>Ignored snort ids.- Bare byte from servers</description>
  </rule>

  <rule id="120103" level="0">
    <if_sid>20100, 20101</if_sid>
    <decoded_as>snort</decoded_as>
    <!-- (snort_decoder): Experimental Tcp Options found
       -->
    <id>^116:58:</id>
    <match>Experimental Tcp Options found</match>
    <description>Ignored snort ids.- Experimental Tcp Options found</description>
  </rule>

  <rule id="120104" level="0">
    <if_sid>20100, 20101</if_sid>
    <decoded_as>snort</decoded_as>
    <!-- _vti_bin/owssvr.dll
       -->
    <id>^1:1288:</id>
    <description>Ignored snort ids.- _vti_bin/owssvr.dll etc</description>
  </rule>

   <rule id="101002" level="9" ignore="10">
      <if_sid>1002</if_sid>
      <match>ossecmysql</match>
      <description>ossec2mysql lost db connection</description>
   </rule>

 2. How to disable "Excessive number of event " alert for specific event types.

OSSEC will generate this type of alert even after you use local rule and level 0 to ignore the events. Need to find a way to disable this type of alert for some specific event.

3. Sometimes by tuning the snort rules can be more effective and specific, for example:

note the ! "/vti_bin/owssrv.dll" in the urlcontent keyword.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-FRONTPAGE /_vti_bin/ access";flow:to_server,established; \
uricontent:"/_vti_bin/"; uricontent: ! "/vti_bin/owssrv.dll"; nocase; \
classtype:web-application-activity; sid:1288;  rev:5;)

Try to use match in ossec to ignore it but could not just ignore the event triggered by owssrv.dll because this content will not be carried in the snort log.