Hi Rob,

I guess your decoder is working in ossec-logtest. But, in the real world, 
the events from rootcheck don't use XML decoders, they use C 
decoders: 
https://github.com/wazuh/wazuh/blob/master/src/analysisd/analysisd.c#L772

Regards.

On Tuesday, April 18, 2017 at 7:45:13 PM UTC+2, Rob Williams wrote:
>
> Hi Jesus,
>
> I'll try this and let you know. The decoder is extracting the ID 
> effectively, however, it is just not matching the log with any rule it 
> seems.
>
> On Tuesday, April 18, 2017 at 5:14:28 AM UTC-7, Jesus Linares wrote:
>>
>> Hi Rob,
>>
>> You need to add the conditions to trigger that rule only for your 
>> specific files. Use match or regex:
>>
>> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>>     <if_matched_sid>510</if_matched_sid>
>>     <!--
>>     conditions:
>>     option 1:
>>     <match>YOUR_FILE1|YOUR_FILE2|...</match>
>>     option 2:
>>     <regex>YOUR_FILE\.+</regex>
>>     -->
>>     <description>Ignore rule 510 for 600 seconds for some files.</description>
>> </rule>
>>
>> I think you can't use *same_id* because the decoders are not extracting 
>> any ID.
>>
>> Regards.
>>
>> On Monday, April 17, 2017 at 6:55:19 PM UTC+2, Rob Williams wrote:
>>>
>>> Hi Jesus, the first rule is what I am trying. You said I can match the 
>>> file in <match>, but can I do that when the file changes, as it is not one file 
>>> I want to ignore? Can I use regex syntax in rules? I used it in decoders as 
>>> I thought I wasn't able to. Thanks!
>>>
>>> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>>>     <if_matched_sid>510</if_matched_sid>
>>>     <same_id />
>>>     <description>Ignore rule 510 for 600 seconds if the same ID is 
>>> matched.</description>
>>> </rule>
>>>
>>> On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
>>>>
>>>> What rule did you use? Please share here the rule and the alerts that 
>>>> you want to ignore.
>>>>
>>>> I'd need the ID from the decoder to do so
>>>>
>>>> There are no XML decoders for rootcheck. What you want to extract in 
>>>> the id field is the file, right? You can do a *match* in the rule for 
>>>> the file.
>>>>
>>>> Regards.
>>>>
>>>> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>>>>
>>>>> Hi Jesus,
>>>>>
>>>>> Thanks for the reply. I have noticed when I activate this rule, it 
>>>>> blocks all events and does not alert on the first event. Also note, I am 
>>>>> trying to use the ID field from my decoder to match against. I can't just 
>>>>> use a static match as the ID continuously changes so I'd need the ID from 
>>>>> the decoder to do so. Any ideas? Thanks!
>>>>>
>>>>> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm running into an issue where rule 510 is triggering and I'm 
>>>>>> getting spammed with alerts, but I can't seem to tune it correctly. 
>>>>>> What's weird is that I am still getting alerted for rule 510 for this 
>>>>>> log, but I can't figure out how to get that to show in logtest. 
>>>>>> Basically, I am getting spammed with rule 510 and trying to filter it 
>>>>>> down more, and here is what happens when I enter the log in logtest: 
>>>>>> .... any ideas on how to fix this?
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>
>>>>>>        full event: 'File '/filepath/' is owned by root and has 
>>>>>> written permissions to anyone.'
>>>>>>
>>>>>>        hostname: 'hostname'
>>>>>>
>>>>>>        program_name: '(null)'
>>>>>>
>>>>>>        log: 'File '/filepath/' is owned by root and has written 
>>>>>> permissions to anyone.'
>>>>>>
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>>
>>>>>>        decoder: 'sample_decoder_setup'
>>>>>>
>>>>>>        id: '/filepath/'
>>>>>>
>>>>>

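A complete local rule that puts the advice in this thread into practice, written here as an added example rather than anything posted by the participants: it fires only when rule 510 matches one of the chosen paths, keeps the parent's level so the first event still alerts, and uses the rule-level `ignore` attribute to suppress repeats. The rule id 100510, the group name and the two paths are assumptions; rule 510 is the stock rootcheck rule the thread is about.

```xml
<!-- Added example for local_rules.xml; id, group and paths are assumptions. -->
<group name="local,rootcheck,">

  <!--
    Child of rule 510 (rootcheck anomaly). Level 7 mirrors the parent, so the
    first matching event is still alerted; ignore="600" then silences this
    rule for 600 seconds. No <same_id /> here: rootcheck events are decoded
    in C, not by an XML decoder, so there is no id field to compare.
  -->
  <rule id="100510" level="7" ignore="600">
    <if_sid>510</if_sid>
    <!-- <match> is OSSEC's simple regex: '|' separates alternatives. -->
    <match>/filepath/|/another/path/</match>
    <description>Rootcheck file alert for selected paths, one alert per 600 seconds.</description>
  </rule>

</group>
```

Restart analysisd after adding the rule and confirm with ossec-logtest that the world-writable-file message now lands on rule 100510 instead of 510. Note that `ignore` is counted per rule, not per file: once any of the listed paths triggers an alert, all of them are quiet for the 600-second window, which is the trade-off for not having a decoded id to key on.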