Hi,
how can I tell ossec to ignore certain files when checking for rootkit? I have a virtual server running on a real host, and the virtual server root is /var/lib/vz/root/2001. Then I got alerts like

,--------
| Files hidden inside directory '/var/lib/vz/root/2001/proc'. Link count does not match
| number of files (8,75).
`--------

I tried to ignore those alerts by adding a local rule as follows:

<rule id="12001" level="0">
  <!-- <if_sid>14</if_sid> -->
  <!-- <if_group>rootcheck</if_group> -->
  <regex>/var/lib/vz/root/\d+/proc</regex>
  <description>Ignore false positives from rootcheck</description>
  <description>on files under virtual servers</description>
</rule>

but it doesn't have any effect.

Thanh

On Tue, Mar 20, 2007 at 10:52:11AM +0100, The Thanh Han wrote:
Hi, I did some testing and it seems that anytime a log file changes, the analysis engine is triggered. So monitoring log files seems a rather expensive operation (and very useful of course). In the scenario of several virtual servers running on a real host, I would set up an ossec server installation on the real host. On the virtual servers there will be only an ossec agent for rootkit checking and nothing more. This way, I hope I don't miss anything that ossec offers while the performance cost is reasonable. Any comments/suggestions please? Thanks, Thanh
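As an added illustration (not part of the thread, and not an official OSSEC example), here is the shape of a local rule that suppresses only the rootcheck "Files hidden inside directory" alert for /proc under a container root, while leaving every other rootcheck finding at its normal level. It assumes the stock OSSEC rule set, where rule 510 is the generic rootcheck alert that the local rule chains from, that local rules live in rules/local_rules.xml, and that user rule ids are taken from the 100000-119999 range reserved for local rules. The container root path /var/lib/vz/root/\d+ is taken from the alert above; everything else is an assumption.

```xml
<!-- rules/local_rules.xml: added example, not the poster's rule or OSSEC's own -->
<group name="local,rootcheck,">

  <!--
    Chain from the stock rootcheck alert (rule id 510, assumption: default
    ossec_rules.xml) so this rule is only considered for rootcheck events.
    <match> is a plain substring test on the rootcheck message, so it is
    anchored on the exact finding text first; <regex> then restricts the
    match to the container root directories (\d+ is supported by OS_Regex).
    Level 0 means "seen, but do not alert". A rule carries one <description>.
  -->
  <rule id="100001" level="0">
    <if_sid>510</if_sid>
    <match>Files hidden inside directory</match>
    <regex>/var/lib/vz/root/\d+/proc</regex>
    <description>Rootcheck link-count false positive on a container's /proc</description>
  </rule>

</group>
```

Two practical checks before relying on such a rule: paste the alert line into ossec-logtest (run on the server) to confirm the event now terminates at the level-0 rule rather than at 510, and restart the OSSEC server afterwards, since rules are only loaded at start. Keeping the <match> on the specific finding text, rather than matching the whole path in isolation, means that other rootcheck results about the same container (for example a trojaned binary or a hidden process) are still reported.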
