Hi, I'm receiving this alert:

OSSEC HIDS Notification.
2010 Jan 12 07:53:45

Received From: server->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '*/tmp/home_nfs/*.snapshot/hourly.5/home/xxx/file.txt' is owned by root and has written permissions to anyone.

--END OF NOTIFICATION

and I want to exclude the directory .snapshot for all agents. Is it possible, as you said, by adding a rule in local_rules.xml?

Thanks,
Albert.

2009/12/24 Wim Remes <[email protected]>

> Hi,
>
> can you provide me with the exact alert you are receiving?
> We can possibly put a specific rule in local_rules.xml to ignore this
> event.
>
> Kind Regards,
>
> Wim
>
> On 24 Dec 2009, at 09:21, Albert Ros wrote:
>
> Dear Wim,
>
> But if I have a filesystem with directory .snapshot, I must add an exception
> for this, or constantly I am receiving alerts about a possible rootkit:
>
> '*/opt/*.snapshot/hourly.5/.... ...../format'. Hidden from stats, but
> showing up on readdir. Possible kernel level rootkit.
>
> I think there should be a method for not checking for rootkits in
> /opt/.snapshot.
>
> Thanks for your response,
> Albert.
>
> 2009/12/21 Wim Remes <[email protected]>
>
>> Hi,
>>
>> rootcheck doesn't discriminate, as its goal is to look for files and
>> configuration that would be consistent with the presence of a rootkit.
>> The ignore setting is only valid in the <syscheck> directive, like this:
>>
>> <syscheck>
>>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>
>>   <ignore>/tmp/</ignore>
>> </syscheck>
>>
>> however, the ignore would only make sense if you want to ignore a
>> directory deeper in the hierarchy, like this:
>>
>> <syscheck>
>>   <directories check_all="yes">/tmp</directories>
>>   ...
>>   <ignore>/tmp/dir1/dir2/dir3</ignore>
>> </syscheck>
>>
>> because you don't care about file changes in that specific location, but
>> you do in all other subfolders of /tmp.
>>
>> Hope this helps,
>>
>> Kind Regards,
>>
>> Wim
>>
>> On 21 Dec 2009, at 09:58, rosgos wrote:
>>
>> > Hi everyone,
>> >
>> > I am using ossec v2.3 on the server and I have an exception in the module
>> > rootcheck:
>> >
>> > <rootcheck>
>> >   ..............
>> >   <ignore>/tmp/</ignore>
>> > </rootcheck>
>> >
>> > I have restarted the daemon, but I am receiving alerts about changes in
>> > directory /tmp.
>> > Isn't this syntax incorrect in ossec.conf?
>> >
>> > Thanks.
>> > Albert.
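One way to do what Albert asks, as an added example that is not part of this thread: a child rule of rule 510 in local_rules.xml that matches the `.snapshot/` path fragment carried in the rootcheck message and drops it at level 0, so the parent rule keeps alerting on every other rootcheck finding. The rule id 100010 and the group name are assumptions.

```xml
<!-- local_rules.xml: added example, not from the thread. Rule id 100010 and
     the group name are assumptions; use any free id in the 100000-119999
     range that OSSEC reserves for local rules. -->
<group name="local,rootcheck,">

  <!-- Child of rule 510 ("Host-based anomaly detection event (rootcheck)").
       <match> is tested against the rootcheck message itself, so both alerts
       quoted in the thread (the world-writable file and the "hidden from
       stats, but showing up on readdir" finding) match on ".snapshot/".
       Level 0 tells OSSEC to discard the event instead of logging or mailing
       it; rootcheck findings outside .snapshot directories still reach 510
       unchanged at level 7. -->
  <rule id="100010" level="0">
    <if_sid>510</if_sid>
    <match>.snapshot/</match>
    <description>Rootcheck finding inside a .snapshot directory, ignored.</description>
  </rule>

</group>
```

Because the override is a rule rather than a `<rootcheck>` ignore, it applies on the server to every agent's events, and rootcheck itself keeps scanning the snapshot trees; only the resulting alert is suppressed.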
