Hi Albert,

A rule would be better for this:

<rule id="100201" level="0">
  <if_sid>510</if_sid>
  <match>File '/tmp/home_nfs/.snapshot</match>
  <description>Ignoring .snapshot dir..</description>
</rule>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Jan 12, 2010 at 4:08 AM, Albert Ros <[email protected]> wrote:
> I also have other alerts such as this:
>
> Received From: xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> File '/dev/cpuset/x...@575792/memory_spread_slab' present on /dev. Possible hidden file.
>
> Received From: xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> File '/dev/cpuset/x...@575792/memory_spread_page' present on /dev. Possible hidden file.
>
> 2010/1/12 Albert Ros <[email protected]>
>>
>> Hi,
>>
>> I'm receiving this alert:
>>
>> OSSEC HIDS Notification.
>> 2010 Jan 12 07:53:45
>>
>> Received From: server->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>>
>> Portion of the log(s):
>>
>> File '/tmp/home_nfs/.snapshot/hourly.5/home/xxx/file.txt' is owned by root and has written permissions to anyone.
>>
>> --END OF NOTIFICATION
>>
>> and I want to exclude the directory .snapshot for all agents. Is it possible, as you said, by adding a rule in local_rules.xml?
>>
>> Thanks,
>> Albert.
>>
>> 2009/12/24 Wim Remes <[email protected]>
>>>
>>> Hi,
>>> can you provide me with the exact alert you are receiving?
>>> We can possibly put a specific rule in local_rules.xml to ignore this event.
>>> Kind Regards,
>>> Wim
>>>
>>> On 24 Dec 2009, at 09:21, Albert Ros wrote:
>>>
>>> Dear Wim,
>>>
>>> But if I have a filesystem with a directory .snapshot, I must add an exception for this, or I am constantly receiving alerts about a possible rootkit:
>>>
>>> '/opt/.snapshot/hourly.5/.... ...../format'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>>>
>>> I think there should be a method for not checking for rootkits in /opt/.snapshot.
>>>
>>> Thanks for your response,
>>> Albert.
>>>
>>> 2009/12/21 Wim Remes <[email protected]>
>>>>
>>>> Hi,
>>>>
>>>> rootcheck doesn't discriminate, as its goal is to look for files and configuration that would be consistent with the presence of a rootkit.
>>>> The ignore setting is only valid in the <syscheck> directive, like this:
>>>>
>>>> <syscheck>
>>>>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>   <ignore>/tmp/</ignore>
>>>> </syscheck>
>>>>
>>>> however, the ignore would only make sense if you want to ignore a directory deeper in the hierarchy, like this:
>>>>
>>>> <syscheck>
>>>>   <directories check_all="yes">/tmp</directories>
>>>>   ...
>>>>   <ignore>/tmp/dir1/dir2/dir3</ignore>
>>>> </syscheck>
>>>>
>>>> because you don't care about file changes in that specific location, but you do in all other subfolders of /tmp.
>>>>
>>>> Hope this helps,
>>>>
>>>> Kind Regards,
>>>>
>>>> Wim
>>>>
>>>> On 21 Dec 2009, at 09:58, rosgos wrote:
>>>>
>>>> > Hi everyone,
>>>> >
>>>> > I am using ossec v2.3 on the server and I have an exception in the module rootcheck:
>>>> >
>>>> > <rootcheck>
>>>> >   ..............
>>>> >   <ignore>/tmp/</ignore>
>>>> > </rootcheck>
>>>> >
>>>> > I have restarted the daemon, but I am receiving alerts about changes in directory /tmp.
>>>> > Isn't this syntax in ossec.conf incorrect?
>>>> >
>>>> > Thanks.
>>>> > Albert.
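The thread settles on a child rule in local_rules.xml: a rule with `<if_sid>510</if_sid>`, a `<match>` on the .snapshot path prefix and `level="0"` replaces the level 7 rootcheck alert for matching events only, while unrelated rule 510 events (such as the /dev/cpuset ones quoted above) still alert. The following is an added example, not code from the thread or from OSSEC itself: it parses a constructed local_rules.xml fragment with Python's standard XML parser, which also catches the unclosed `<if_sid>` tag that can sneak into a hand-typed rule, and then models OSSEC's parent/child evaluation over the alert texts quoted in the thread. It assumes rule 510 is level 7 (as the alerts state) and treats a plain `<match>` string as a substring test, which is how OSSEC's `<match>` behaves for a pattern without special characters.

```python
"""Model how a level-0 child rule in local_rules.xml silences only matching events.

Added example for the OSSEC thread above; not OSSEC's own code.
Assumptions: rule 510 is level 7 (as the quoted alerts say) and a plain
<match> string is matched as a substring of the log text.
"""
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment, following the rule proposed in the thread.
LOCAL_RULES_XML = """<group name="local,">
  <rule id="100201" level="0">
    <if_sid>510</if_sid>
    <match>File '/tmp/home_nfs/.snapshot</match>
    <description>Ignoring .snapshot dir..</description>
  </rule>
</group>
"""

# Constructed broken variant: the closing slash on </if_sid> is missing.
BROKEN_RULES_XML = LOCAL_RULES_XML.replace("</if_sid>", "<if_sid>")

# Parent rule as the thread describes it (id 510, level 7); assumption, not OSSEC's rule file.
PARENT_RULES = {
    "510": {"level": 7,
            "description": "Host-based anomaly detection event (rootcheck)."},
}

# Alert texts quoted in the thread, used as sample input.
SAMPLE_LOGS = [
    "File '/tmp/home_nfs/.snapshot/hourly.5/home/xxx/file.txt' is owned by root "
    "and has written permissions to anyone.",
    "File '/dev/cpuset/x...@575792/memory_spread_slab' present on /dev. "
    "Possible hidden file.",
    "File '/dev/cpuset/x...@575792/memory_spread_page' present on /dev. "
    "Possible hidden file.",
]


def is_well_formed(xml_text):
    """True if the rules XML parses; a mismatched tag like <if_sid>510<if_sid> fails."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_rules(xml_text):
    """Parse <rule> elements into dicts; raises ET.ParseError on malformed XML."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        if_sid = r.findtext("if_sid") or ""
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            # <if_sid> may list several parent ids separated by commas.
            "if_sid": [s.strip() for s in if_sid.split(",") if s.strip()],
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        })
    return rules


def evaluate(log, child_rules, parent_id="510"):
    """Return (rule_id, level) for one log line already matched by the parent rule.

    The first child rule whose <if_sid> names the parent and whose <match>
    string occurs in the log replaces the parent; otherwise the parent stands.
    A level of 0 means OSSEC drops the event from alerts.
    """
    for rule in child_rules:
        if parent_id in rule["if_sid"] and rule["match"] and rule["match"] in log:
            return rule["id"], rule["level"]
    return parent_id, PARENT_RULES[parent_id]["level"]


def remaining_alerts(logs, child_rules):
    """Log lines that would still produce an alert (level > 0) after the child rules."""
    return [log for log in logs if evaluate(log, child_rules)[1] > 0]


if __name__ == "__main__":
    print("well-formed:", is_well_formed(LOCAL_RULES_XML),
          "broken variant:", is_well_formed(BROKEN_RULES_XML))
    rules = load_rules(LOCAL_RULES_XML)
    for log in SAMPLE_LOGS:
        print(evaluate(log, rules), log[:60])
```

Only the .snapshot event is downgraded to rule 100201 at level 0; the two /dev/cpuset events still fire rule 510 at level 7, so silencing them would need their own child rule with a `<match>` on that path rather than widening the existing one. The `is_well_formed` check is worth running over local_rules.xml before restarting OSSEC, since a malformed rules file keeps the analysis daemon from starting.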
