On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog <g...@montoux.com> wrote:
> Hi Jesus,
>
> I'm having the same problem, and the triggering of this rule causes so much
> noise that it's drowning out other alerts. I have added a rule like you
> suggested to my local rules:
>
> <rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
>   <if_matched_sid>510</if_matched_sid>
>   <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
>   <description>Ignore rootcheck warning on world-writable docker volumes</description>
> </rule>
>
> But it doesn't seem to have an effect. I've played with the regex,
> simplifying it and even deleting it altogether, but I still can't seem to
> get it working. Logtest shows the following output:
>
>     File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.
>

Is this the log message you get from the agent? You can turn on the logall option and check archives.log for the exact message from the agent.

>     **Phase 1: Completed pre-decoding.
>            full event: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
>            hostname: 'ec2-12-34-56-78'
>            program_name: '(null)'
>            log: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
>
>     **Phase 2: Completed decoding.
>            No decoder matched.
>
> I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is there
> anything obvious that I'm doing wrong?
>
> Cheers!
> Gert
>
> On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares wrote:
>> Hi Rob,
>>
>> you need to add the conditions to trigger that rule only for your specific
>> files. Use match or regex:
>>
>> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>>   <if_matched_sid>510</if_matched_sid>
>>   <!--
>>   conditions:
>>   option 1:
>>   <match>YOUR_FILE1|YOUR_FILE2|...</match>
>>   option 2:
>>   <regex>YOUR_FILE\.+</regex>
>>   -->
>>   <description>Ignore rule 510 for 600 seconds for some files.</description>
>> </rule>
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
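One part of the rule that can be checked without a running manager is whether the <regex> or <match> text itself matches the rootcheck line, using OSSEC's own pattern syntax rather than PCRE: in OSSEC `\.` means "any character" and a bare `.` is a literal dot, so a PCRE-style `.*` silently never matches. The script below is an added example, not code from this thread or from OSSEC/Wazuh. It translates the character classes documented in the OSSEC regex syntax reference into Python `re` as an approximation of os_regex (an assumption: it is a pre-check of the pattern text, not a replacement for ossec-logtest), and the second sample message and the overlay2 path in the match list are constructed for illustration. The caveat the thread already shows still applies: a line pasted into logtest ends in "No decoder matched", so whether rule 510 fires at all depends on the event being decoded as rootcheck, which is what the logall/archives.log suggestion above is meant to confirm.

```python
"""Offline pre-check for OSSEC/Wazuh <regex> and <match> conditions.

Added example, not code from the ossec-list thread or from OSSEC/Wazuh.
Assumption: the classes below follow the OSSEC regex syntax reference
(\\w \\d \\s \\t \\p \\W \\D \\S \\. plus the + * ^ $ | metacharacters);
Python's re engine stands in for os_regex, so treat a result as a
pre-check of the pattern text, not as proof of what analysisd will do.
"""
import re

# OSSEC class -> equivalent Python re fragment.
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",        # \w: letters, digits, '-', '@', '_'
    "d": r"[0-9]",                  # \d: digits
    "s": r" ",                      # \s: a single space
    "t": r"\t",                     # \t: a tab
    "p": r"[()*+,\-.:;<=>?\[\]]",   # \p: punctuation
    "W": r"[^A-Za-z0-9@_\-]",       # \W: anything not \w
    "D": r"[^0-9]",                 # \D: anything not \d
    "S": r"[^ ]",                   # \S: anything not a space
    ".": r".",                      # \.: ANY character (a bare '.' is a literal dot)
}
_META = set("+*^$|()")              # passed through to Python unchanged


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into a Python re pattern string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known class, or an escaped metacharacter taken literally (e.g. "\$").
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            # Metacharacters keep their meaning; everything else is literal.
            out.append(ch if ch in _META else re.escape(ch))
            i += 1
    return "".join(out)


def ossec_regex_matches(pattern, text):
    """<regex>: unanchored search through the text unless ^ or $ anchor it."""
    return re.search(ossec_regex_to_python(pattern), text, re.DOTALL) is not None


def ossec_match_matches(pattern, text):
    """<match>: plain substring test; only '|', '^' and '$' are special."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$") and len(alt) > 1
        lit = alt[1 if at_start else 0:len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = text == lit
        elif at_start:
            hit = text.startswith(lit)
        elif at_end:
            hit = text.endswith(lit)
        else:
            hit = lit in text
        if hit:
            return True
    return False


# The rootcheck line from the thread (volume id and path as Gert posted them).
GERT_MSG = (
    "File '/var/lib/docker/volumes/"
    "81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e"
    "/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' "
    "is owned by root and has written permissions to anyone."
)
# Constructed message for a file outside the docker volumes; the ignore rule must not match it.
OTHER_MSG = "File '/srv/upload/report.csv' is owned by root and has written permissions to anyone."

# The <regex> from Gert's rule 100510, verbatim.
GERT_REGEX = r"/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone"
# The same intent written with PCRE habits: '.' is a literal dot in OSSEC, so this never matches.
PCRE_STYLE = r"/var/lib/docker/volumes/.*/_data/"
# Jesus' "option 1": a <match> list of literal prefixes (overlay2 entry is constructed).
MATCH_LIST = "/var/lib/docker/volumes/|/var/lib/docker/overlay2/"


def report():
    """Evaluate every condition against every sample; returns (kind, pattern, message, hit)."""
    rows = []
    for kind, fn, pat in (("regex", ossec_regex_matches, GERT_REGEX),
                          ("regex", ossec_regex_matches, PCRE_STYLE),
                          ("match", ossec_match_matches, MATCH_LIST)):
        for msg in (GERT_MSG, OTHER_MSG):
            rows.append((kind, pat, msg, fn(pat, msg)))
    return rows


if __name__ == "__main__":
    for kind, pat, msg, hit in report():
        print(f"{kind:5} {pat[:42]!r:46} {msg[6:34]!r:32} -> {hit}")
```

Run it once and the output shows Gert's regex matching the posted line and not the unrelated file, while the PCRE-style pattern matches nothing; if a pattern fails here, fix the syntax before looking anywhere else, and if it passes, the remaining question is the decoder path, not the regex.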