Hi Rob, you need to add the conditions to trigger that rule only for your specific files. Use match or regex:

    <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
      <if_matched_sid>510</if_matched_sid>
      <!-- conditions:
           option 1: <match>YOUR_FILE1|YOUR_FILE2|...</match>
           option 2: <regex>YOUR_FILE\.+</regex> -->
      <description>Ignore rule 510 for 600 seconds for some files.</description>
    </rule>

I think you can't use *same_id* because the decoders are not extracting any ID.

Regards.

On Monday, April 17, 2017 at 6:55:19 PM UTC+2, Rob Williams wrote:
>
> Hi Jesus, the first rule is what I am trying. You said I can match the
> file in <match> but can I do that when the file changes, as it is not one file
> I want to ignore. Can I use regex syntax in rules? I used it in decoders as
> I thought I wasn't able to. Thanks!
>
>     <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>       <if_matched_sid>510</if_matched_sid>
>       <same_id />
>       <description>Ignore rule 510 for 600 seconds if the same ID is matched.</description>
>     </rule>
>
> On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
>>
>> What rule did you use? Please share here the rule and the alerts that
>> you want to ignore.
>>
>> I'd need the ID from the decoder to do so
>>
>> There are no xml decoders for rootcheck. What you want to extract in the
>> id field is the file, right? You can do a *match* in the rule for the
>> file.
>>
>> Regards.
>>
>> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>>
>>> Hi Jesus,
>>>
>>> Thanks for the reply. I have noticed when I activate this rule, it
>>> blocks all events and does not alert on the first event. Also note, I am
>>> trying to use the ID field from my decoder to match against. I can't just
>>> use a static match as the ID continuously changes, so I'd need the ID from
>>> the decoder to do so. Any ideas? Thanks!
>>>
>>> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I'm running into an issue where rule 510 is triggering and I'm getting
>>>> spammed with alerts but I can't seem to tune it correctly. What's weird is
>>>> that I am still getting alerted for rule 510 for this log, but I can't
>>>> figure out how to get that to show in logtest. Basically, I am getting
>>>> spammed with rule 510 and trying to filter it down more, and here is what
>>>> happens when I enter the log in logtest: .... any ideas on how to fix
>>>> this?
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>>>>        hostname: 'hostname'
>>>>        program_name: '(null)'
>>>>        log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        decoder: 'sample_decoder_setup'
>>>>        id: '/filepath/'
>>>>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
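To check a candidate <match> or <regex> condition against the rootcheck line from the logtest output before putting it into the rule, here is a small emulator of the two rule options from the reply above (an added example, not OSSEC's own code and not from anyone in the thread). It assumes the documented OSSEC syntax: in <regex>, '\.' is "any character", a bare '.' is a literal dot, '+' and '*' are the only quantifiers and '|', '^', '$' are alternation and anchors; <match> is a substring test where only '^', '$' and '|' are special; the sample log lines and the `\w` / `\p` member sets are constructed from the thread and the documentation, not checked against the OSSEC source.

```python
import re

# Constructed samples: the rootcheck line from the logtest output in the thread,
# plus one with a changing file name, which is the case Rob asked about.
SAMPLE_LOG = "File '/filepath/' is owned by root and has written permissions to anyone."
CHANGING_LOG = "File '/filepath/session_8213.tmp' is owned by root and has written permissions to anyone."

# OSSEC regex character classes as documented (assumption: exact member sets of \w and \p).
_CLASSES = {
    "w": r"[A-Za-z0-9_@\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&]""",
    "W": r"[^A-Za-z0-9_@\-]", "D": r"[^0-9]", "S": r"[^ ]",
    ".": r".",  # '\.' is "any character" in OSSEC syntax; a bare '.' is a literal dot
}

def ossec_regex_to_python(pattern):
    """Translate a <regex> expression (OSSEC syntax) into an equivalent Python regex.

    Only '+', '*', '|', '^' and '$' pass through unchanged; a backslash sequence is
    either a class from _CLASSES or an escaped literal; everything else is literal.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "+*|^$" else re.escape(c))
            i += 1
    return "".join(out)

def ossec_regex_match(pattern, log):
    """Emulate <regex>: the pattern may match anywhere in the log unless anchored."""
    return re.search(ossec_regex_to_python(pattern), log) is not None

def ossec_match(pattern, log):
    """Emulate <match> (sregex): a substring test where only '^', '$' and '|' are special."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if at_start else 0: len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            ok = log == body
        elif at_start:
            ok = log.startswith(body)
        elif at_end:
            ok = log.endswith(body)
        else:
            ok = body in log
        if ok:
            return True
    return False

def rule_70908_catches(log, match=None, regex=None):
    """Would the level-0 child rule from the reply take this event away from rule 510?

    Assumes rule 510 already matched; every condition in a rule is ANDed, so a
    <match> and a <regex> given together must both hold.
    """
    if match is not None and not ossec_match(match, log):
        return False
    if regex is not None and not ossec_regex_match(regex, log):
        return False
    return True

if __name__ == "__main__":
    # Option 1 from the reply: <match> listing the files to silence, '|' separated.
    print(rule_70908_catches(SAMPLE_LOG, match="/filepath/|/other/path/"))
    # Option 2: <regex> for a changing name under a fixed directory ('.' is literal here).
    print(rule_70908_catches(CHANGING_LOG, regex=r"^File '/filepath/\w+.tmp' is owned"))
    # A file outside those conditions still reaches rule 510 unchanged.
    print(rule_70908_catches(CHANGING_LOG, match="/filepath/session_1.tmp"))
```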