Direct copy from the blog https://akmalhisyam.my/blog/ossec-creating-custom-rules for my reference – thanks Akmal!

When parsing log, OSSEC will look at level 0 first, and then highest level -> lowest levelOSSEC will not produce alert for rules with level 0It is best to put custom rules in local_rules.xml or other file to avoid being overwritten during upgradeossec-logtest is a very useful tool to test your rules & decoder

Example

Silencing certain rules

<pre class="wp-block-code">```
<rule id="100030" level="0">
  <if_sid>503,502</if_sid>
  <description>List of rules to be ignored.</description>
</rule>


OSSEC will not produce any alert when rule 502 and 503 is triggered

- - - - - -

#### Ignore alert if rules triggered by certain IP


```

  40101
  127.0.0.1
  Ignore this

```
```

If rule 40101 triggered by 127.0.0.1, dont produce any alert

- - - - - -

#### Ignore alert if contains certain strings

```

```

  1002
  terrorist|terror|femmefatale|heart-attack
  Ignore 1002 false positive

```
```

OSSEC is using [OS\_match/sregex](https://ossec-docs.readthedocs.io/en/latest/syntax/regex.html) syntax in <match>

- - - - - -

#### Ignore alert if contains certain strings (using regex)

```

```

  1002,1003
  ^WordPress database error You have an error in your SQL syntax(\.*)functionName$
  Unescaped SQL query, known issue

```
```

OSSEC is using [OS\_regex/regex](https://ossec-docs.readthedocs.io/en/latest/syntax/regex.html) syntax in <regex>

- - - - - -

#### Trigger custom rule when certain field match certain value in cdb list

```

```

  31101
  rules/badurl
  URL is in badurl

```
```

- - - - - -

#### Trigger custom rule when certain rules is fired x time within n second from same srcip

```

```

  100215
  
  Multiple badurl access 
  from same source ip.
  web_scan,recon,

```
```

- - - - - -

#### Overriding rules

```

```

  Non standard syslog message (size too large).

```
```

Original rule 1003 have 10245 as its maxsize. Using overwrite=”yes” will make OSSEC overwrite certain field in original rule

- - - - - -

#### Custom rule group

```

```

  
    1002,1003
    ^WordPress database error You have an error in your SQL syntax(\.*)functionName$
    Unescaped SQL query, known issue
  

  
    1003
    WUID | WTB
    ignorance is bliss
  

```
```