A tip of cooking OSSEC rules

How to config OSSEC rules to ignore something?
I have the logs like this

Mar 30 17:50:20 192.168.x.201 192.168.xx.104 - - [30/Mar/2009:17:50:43 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:21 192.168.x.201 192.168.xx.104 - root [30/Mar/2009:17:50:44 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:22 192.168.x.201 192.168.xx.104 - svn [30/Mar/2009:17:50:45 +0800] "OPTIONS /svn HTTP/1.1" 401 401
Mar 30 17:50:24 192.168.x.201 192.168.xx.104 - user [30/Mar/2009:17:50:46 +0800] "OPTIONS /svn HTTP/1.1" 401 401

I just want alert,when somebody make 4xx errors in a short time. but I want to ignore the "-",in the user field.

first, I add the user field in etc/decoder.xml

web-log ^\d+.\d+.\d+.\d+ ^(\d+.\d+.\d+.\d+) \S+ (\S+) [\S+ \S\d+] "\w+ (\S+) HTTP\S+ (\d+) srcip, user, url, id the add new rules 31101 ^- 31101 Multiple web server 4XX error code. from same source ip. alert_by_email attack,


You can ignore the user field is "-",by let the level=0,in front rule 31166.