Hi Jesus, the first rule is what I am trying. You said I can match the file
in <match> but can I do that when the file changes as is not one file I
want to ignore. Can I use regex syntax in rules? I used it in decoders as I
thought I wasn't able to. Thanks!
<rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
<if_matched_sid>510</if_matched_sid>
<same_id />
<description>Ignore rule 510 for 600 seconds if the same ID is matched.
</description>
</rule>
On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
>
> What rule did you use?. Please, share here the rule and the alerts that
> you want to ignore.
>
> I'd need the ID from the decoder to do so
>
> There are no xml decoders for rootcheck. What you want to extract in the
> id field is the file, right?. You can do a *match* in the rule for the
> file.
>
> Regards.
>
> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>
>> Hi Jesus,
>>
>> Thanks for the reply. I have noticed when I activate this rule, it blocks
>> all events and does not alert on the first event. Also note, I am trying to
>> use the ID field from my decoder to match against. I can't just use a
>> static match as the ID continuously changes so I'd need the ID from the
>> decoder to do so. Any ideas? Thanks!
>>
>> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>>
>>> Hi all,
>>>
>>> I'm running into an issue where rule 510 is triggering and I'm getting
>>> spammed with alerts but I can't seem to tune it correctly. What's weird is
>>> that I am still getting alerted for rule 510 for this log, but I can't
>>> figure out how to get that to show in logtest. Basically, I am getting
>>> spammed with rule 510 and trying to filter it down more and here is what
>>> happens when I enter the log in logtest: .... any ideas on how to fix
>>> this?
>>>
>>> **Phase 1: Completed pre-decoding.
>>>
>>> full event: 'File '/filepath/' is owned by root and has written
>>> permissions to anyone.'
>>>
>>> hostname: 'hostname'
>>>
>>> program_name: '(null)'
>>>
>>> log: 'File '/filepath/' is owned by root and has written
>>> permissions to anyone.'
>>>
>>>
>>> **Phase 2: Completed decoding.
>>>
>>> decoder: 'sample_decoder_setup'
>>>
>>> id: '/filepath/'
>>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
