Hi Jesus, the first rule is what I am trying. You said I can match the file in <match>, but can I do that when the file changes, as it is not one file I want to ignore? Can I use regex syntax in rules? I used it in decoders as I thought I wasn't able to. Thanks!
<rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
  <if_matched_sid>510</if_matched_sid>
  <same_id />
  <description>Ignore rule 510 for 600 seconds if the same ID is matched.</description>
</rule>

On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
> What rule did you use? Please share here the rule and the alerts that you want to ignore.
>
> I'd need the ID from the decoder to do so
>
> There are no xml decoders for rootcheck. What you want to extract in the id field is the file, right? You can do a *match* in the rule for the file.
>
> Regards.
>
> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
> > Hi Jesus,
> >
> > Thanks for the reply. I have noticed when I activate this rule, it blocks all events and does not alert on the first event. Also note, I am trying to use the ID field from my decoder to match against. I can't just use a static match as the ID continuously changes, so I'd need the ID from the decoder to do so. Any ideas? Thanks!
> >
> > On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
> > > Hi all,
> > >
> > > I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts, but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am getting spammed with rule 510 and trying to filter it down more, and here is what happens when I enter the log in logtest: .... any ideas on how to fix this?
> > >
> > > **Phase 1: Completed pre-decoding.
> > >        full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
> > >        hostname: 'hostname'
> > >        program_name: '(null)'
> > >        log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
> > >
> > > **Phase 2: Completed decoding.
> > >        decoder: 'sample_decoder_setup'
> > >        id: '/filepath/'
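As an added example (not part of this thread and not OSSEC's own shipped rules), the following local rules show the three ways a child rule of 510 can silence the rootcheck "owned by root and has written permissions to anyone" alert for a set of files: a literal `<match>`, an OS_Regex `<regex>`, and an `<id>` test against the field a custom decoder fills. The paths, rule IDs and group name are hypothetical; the decoder name `sample_decoder_setup` is the one from the logtest output above.

```xml
<!-- Added example for local_rules.xml; not from the thread. Paths and IDs are hypothetical. -->
<group name="local,rootcheck,">

  <!-- Literal substring match: <match> uses OSSEC's simple pattern (sregex) syntax,
       where | separates alternatives and ^ / $ anchor to the start / end of the log.
       Quoting the whole "File '...' is owned by root" prefix keeps the match narrow. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <match>File '/var/tmp/scratch/' is owned by root|File '/opt/app/spool/' is owned by root</match>
    <description>Ignore world-writable warnings for known scratch directories (hypothetical paths).</description>
  </rule>

  <!-- Pattern match: <regex> uses OS_Regex syntax (\w, \d, \s, \p, \. for any char, +, *),
       not PCRE. \w+ here covers one directory name (letters, digits, -, _) under /srv/exports/. -->
  <rule id="100511" level="0">
    <if_sid>510</if_sid>
    <regex>^File '/srv/exports/\w+/' is owned by root and has written permissions to anyone</regex>
    <description>Ignore world-writable warnings for per-tenant export dirs (hypothetical path).</description>
  </rule>

  <!-- Field match: when a custom decoder (here sample_decoder_setup) stores the path in the
       id field, <id> tests that decoded field alone, again in sregex syntax. -->
  <rule id="100512" level="0">
    <if_sid>510</if_sid>
    <decoded_as>sample_decoder_setup</decoded_as>
    <id>^/var/lib/build-cache/</id>
    <description>Ignore world-writable warnings for the build cache (hypothetical path) via the decoded id field.</description>
  </rule>

</group>
```

Level 0 discards the event entirely, so anchor the pattern to the full path rather than a bare directory name, and verify each rule by pasting the rootcheck line into `/var/ossec/bin/ossec-logtest`: Phase 3 should report the new rule ID with level 0, while any other path still ends in rule 510. `<if_sid>510</if_sid>` means these rules are only evaluated after 510 has matched, so the parent rule keeps firing for everything else; the `<match>` and `<regex>` variants do not need the custom decoder at all.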