Daniel,

Your solution seems to work great. Thanks.

Aaron
On Mon, Mar 16, 2009 at 1:34 PM, Daniel Cid <[email protected]> wrote:
>
> Hi Aaron,
>
> This rule should work well without affecting other alerts. However, it
> will only ignore the 3rd change (see rule 552 for the 2nd and rule 551
> for the first). Because of that, I would change the if_sid to if_group:
>
> <rule id="100128" level="0">
>   <if_group>syscheck</if_group>
>   <match>'/etc/prelink.cache'</match>
>   <description>expected file change</description>
> </rule>
>
> You can also restrict to a few agents using
> <hostname>servername1|server2|etc</hostname>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Mon, Mar 16, 2009 at 10:37 AM, Aaron Bliss <[email protected]> wrote:
> > Hi all,
> >
> > We are running ossec 2.0. Most (all) of our linux clients report daily of
> > /etc/prelink.cache checksum changes. According to this RedHat post
> > http://www.redhat.com/archives/fedora-list/2007-October/msg04408.html this
> > is expected behavior. I know how to modify the local rules file on the
> > ossec server to ignore certain events, however in this case I wasn't sure
> > how to write the rule without affecting other checksum alerts. Would this
> > be a safe way to exclude notifications of /etc/prelink.cache changes?
> >
> > Here is the event:
> >
> > Received From: (servername1) 137.21.9.81->syscheck
> > Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
> > Portion of the log(s):
> >
> > Integrity checksum changed for: '/etc/prelink.cache'
> > Old md5sum was: '7649b16e6cc72ce2b6e989bab337b38f'
> > New md5sum is : 'e2c4858227aa021e9a52c96d87a2dcbc'
> > Old sha1sum was: 'f29f4b8d55fd09334d6dc4e7c94fbda6d2c67225'
> > New sha1sum is : 'f07051aa0ec779869f7e976e597cbe245d953bc2'
> >
> > Here is the rule I was thinking:
> >
> > <rule id="100128" level="0">
> >   <if_sid>552</if_sid>
> >   <match>'/etc/prelink.cache'</match>
> >   <description>expected file change</description>
> > </rule>
> >
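For reference, here is the complete local_rules.xml fragment that the thread's suggestion amounts to, with the if_group and hostname restriction combined. This is an added example, not the rule file either poster used; it assumes the file is /var/ossec/rules/local_rules.xml on the OSSEC server, that rule id 100128 is otherwise unused, and that "servername1" and "servername2" are hypothetical agent names.

```xml
<!--
  Added illustration of the rule discussed in the thread (not the
  original poster's file). Assumed path: /var/ossec/rules/local_rules.xml.
  Agent names below are hypothetical.
-->
<group name="local,syscheck,">

  <!-- Level 0 silences the alert. if_group matches every rule in the
       syscheck group (550 first change, 551 second, 552 third), whereas
       if_sid 552 would only have silenced the third change.
       <match> is a plain substring match against the alert text, so the
       single quotes are literal and line up with the quoted path in
       "Integrity checksum changed for: '/etc/prelink.cache'". -->
  <rule id="100128" level="0">
    <if_group>syscheck</if_group>
    <match>'/etc/prelink.cache'</match>
    <!-- Optional: only suppress on these agents; drop this line to
         apply the rule to every agent. -->
    <hostname>servername1|servername2</hostname>
    <description>Expected change: prelink rewrites /etc/prelink.cache daily.</description>
  </rule>

</group>
```

After editing the file, restart the server (/var/ossec/bin/ossec-control restart) and confirm with /var/ossec/bin/ossec-logtest by pasting the "Integrity checksum changed for: '/etc/prelink.cache'" line: the output should show rule 100128 firing at level 0 rather than 55x at level 7. Two caveats: the rule suppresses all checksum changes to that file, including a tampered one, so if that matters more than the daily noise, the alternative is an agent-side <ignore>/etc/prelink.cache</ignore> entry inside <syscheck> in ossec.conf, which keeps the rest of syscheck untouched but likewise stops monitoring that file. Also keep in mind that prelink rewrites the binaries it processes, not just its cache, so hosts running prelink will generate checksum changes on other files as well.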
