OSSEC rules: Remove alert when Tor guard is overloaded

freedomofpress · Aug 23, 2017 · 32b18ad · 32b18ad
1 parent dd40158
commit 32b18ad
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
@@ -128,3 +128,16 @@
     <options>no_email_alert</options>
   </rule>
 </group>
+
+<!--
+  Do not send an email alert on overloaded Tor guard events.
+  These are purely informational notifications, but would be
+  a candidate for sending up to FPF for analysis in aggregate.
+-->
+<group name="tor guard overloaded">
+  <rule id="200002" level="0">
+    <if_sid>1002</if_sid>
+    <match>this means the Tor network is overloaded</match>
+    <options>no_email_alert</options>
+  </rule>
+</group>