Hi Rob,

you need to add the conditions to trigger that rule only for your specific 
files. Use match or regex:

<rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
    <if_matched_sid>510</if_matched_sid>
    <!--
    conditions (the rule fires only when every condition in it matches):
    option 1 - plain substring(s), '|' separates alternatives:
    <match>YOUR_FILE1|YOUR_FILE2|...</match>
    option 2 - OSSEC regex syntax ('\.' is "any character"):
    <regex>YOUR_FILE\.+</regex>
    -->
    <description>Ignore rule 510 for 600 seconds for some files.</description>
</rule>

I think you can't use *same_id* because the decoders are not extracting any 
ID.

Regards.

On Monday, April 17, 2017 at 6:55:19 PM UTC+2, Rob Williams wrote:
>
> Hi Jesus, the first rule is what I am trying. You said I can match the 
> file in <match>, but can I do that when the file changes, as it is not one 
> file I want to ignore? Can I use regex syntax in rules? I used it in 
> decoders as I thought I wasn't able to. Thanks!
>
> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>     <if_matched_sid>510</if_matched_sid>
>     <same_id />
>     <description>Ignore rule 510 for 600 seconds if the same ID is 
> matched.</description>
> </rule>
>
> On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
>>
>> What rule did you use? Please share here the rule and the alerts that 
>> you want to ignore.
>>
>> I'd need the ID from the decoder to do so
>>
>> There are no xml decoders for rootcheck. What you want to extract in the 
>> id field is the file, right? You can do a *match* in the rule for the 
>> file.
>>
>> Regards.
>>
>> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>>
>>> Hi Jesus,
>>>
>>> Thanks for the reply. I have noticed when I activate this rule, it 
>>> blocks all events and does not alert on the first event. Also note, I am 
>>> trying to use the ID field from my decoder to match against. I can't just 
>>> use a static match as the ID continuously changes so I'd need the ID from 
>>> the decoder to do so. Any ideas? Thanks!
>>>
>>> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I'm running into an issue where rule 510 is triggering and I'm getting 
>>>> spammed with alerts but I can't seem to tune it correctly. What's weird is 
>>>> that I am still getting alerted for rule 510 for this log, but I can't 
>>>> figure out how to get that to show in logtest. Basically, I am getting 
>>>> spammed with rule 510 and trying to filter it down more and here is what 
>>>> happens when I enter the log in logtest:    .... any ideas on how to fix 
>>>> this?
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>
>>>>        full event: 'File '/filepath/' is owned by root and has written 
>>>> permissions to anyone.'
>>>>
>>>>        hostname: 'hostname'
>>>>
>>>>        program_name: '(null)'
>>>>
>>>>        log: 'File '/filepath/' is owned by root and has written 
>>>> permissions to anyone.'
>>>>
>>>>
>>>> **Phase 2: Completed decoding.
>>>>
>>>>        decoder: 'sample_decoder_setup'
>>>>
>>>>        id: '/filepath/'
>>>>
>>>
