Daniel, thanks for your response. We wouldn't include this line inside the rule? <group>rootcheck,</group>
2010/1/15 Daniel Cid <[email protected]>

> Hi Albert,
>
> A rule would be better for this:
>
> <rule id="100201" level="0">
>   <if_sid>510</if_sid>
>   <match>File '/tmp/home_nfs/.snapshot</match>
>   <description>Ignoring .snapshot dir..</description>
> </rule>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Jan 12, 2010 at 4:08 AM, Albert Ros <[email protected]> wrote:
> > I also have other alerts like this:
> >
> > Received From: xxx->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> > (rootcheck)."
> > Portion of the log(s):
> >
> > File '/dev/cpuset/x...@575792/memory_spread_slab' present on /dev. Possible
> > hidden file.
> >
> > Received From: xxx->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> > (rootcheck)."
> > Portion of the log(s):
> >
> > File '/dev/cpuset/x...@575792/memory_spread_page' present on /dev. Possible
> > hidden file.
> >
> > 2010/1/12 Albert Ros <[email protected]>
> >>
> >> Hi,
> >>
> >> I'm receiving this alert:
> >>
> >> OSSEC HIDS Notification.
> >> 2010 Jan 12 07:53:45
> >>
> >> Received From: server->rootcheck
> >> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> >> (rootcheck)."
> >>
> >> Portion of the log(s):
> >>
> >> File '/tmp/home_nfs/.snapshot/hourly.5/home/xxx/file.txt' is owned by root
> >> and has written permissions to anyone.
> >>
> >> --END OF NOTIFICATION
> >>
> >> and I want to exclude the directory .snapshot for all agents. Is it
> >> possible, as you said, by adding a rule in local_rules.xml?
> >>
> >> Thanks,
> >> Albert.
> >>
> >> 2009/12/24 Wim Remes <[email protected]>
> >>>
> >>> Hi,
> >>> can you provide me with the exact alert you are receiving?
> >>> We can possibly put a specific rule in local_rules.xml to ignore this
> >>> event.
> >>> Kind Regards,
> >>> Wim
> >>>
> >>> On 24 Dec 2009, at 09:21, Albert Ros wrote:
> >>>
> >>> Dear Wim,
> >>>
> >>> But if I have a filesystem with a directory .snapshot, I must add an
> >>> exception for this, or I am constantly receiving alerts about a possible
> >>> rootkit:
> >>>
> >>> '/opt/.snapshot/hourly.5/.... ...../format'. Hidden from stats, but
> >>> showing up on readdir. Possible kernel level rootkit.
> >>>
> >>> I think there would be a method to not check for rootkits in
> >>> /opt/.snapshot.
> >>>
> >>> Thanks for your response,
> >>> Albert.
> >>>
> >>> 2009/12/21 Wim Remes <[email protected]>
> >>>>
> >>>> Hi,
> >>>>
> >>>> rootcheck doesn't discriminate, as its goal is to look for files and
> >>>> configuration that would be consistent with the presence of a rootkit.
> >>>> The ignore setting is only valid in the <syscheck> directive, like this:
> >>>>
> >>>> <syscheck>
> >>>>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >>>>
> >>>>   <ignore>/tmp/</ignore>
> >>>> </syscheck>
> >>>>
> >>>> However, the ignore would only make sense if you want to ignore a
> >>>> directory deeper in the hierarchy, like this:
> >>>>
> >>>> <syscheck>
> >>>>   <directories check_all="yes">/tmp</directories>
> >>>>   ...
> >>>>   <ignore>/tmp/dir1/dir2/dir3</ignore>
> >>>> </syscheck>
> >>>>
> >>>> because you don't care about file changes in that specific location, but
> >>>> you do in all other subfolders of /tmp.
> >>>>
> >>>> Hope this helps,
> >>>>
> >>>> Kind Regards,
> >>>>
> >>>> Wim
> >>>>
> >>>> On 21 Dec 2009, at 09:58, rosgos wrote:
> >>>>
> >>>> > Hi everyone,
> >>>> >
> >>>> > I am using ossec v2.3 on the server and I have an exception in the
> >>>> > rootcheck module:
> >>>> >
> >>>> > <rootcheck>
> >>>> >   ..............
> >>>> >   <ignore>/tmp/</ignore>
> >>>> > </rootcheck>
> >>>> >
> >>>> > I have restarted the daemon, but I am still receiving alerts about
> >>>> > changes in directory /tmp.
> >>>> > Isn't this syntax incorrect in ossec.conf?
> >>>> >
> >>>> > Thanks.
> >>>> > Albert.
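The thread leaves the rule Daniel proposed as a bare fragment (and with an unclosed `<if_sid>` tag). The following is an added example of what the complete local_rules.xml entry looks like; it is the editor's reconstruction, not code from Daniel, Albert, or the OSSEC project. It assumes rule IDs 100201 and 100202 are unused in your local range (OSSEC reserves 100000 and up for user rules) and that you have verified the /dev/cpuset entries are a cpuset mount on that host before silencing them; the second rule is an assumption on the editor's part, not something the thread concludes.

```xml
<!-- Added example: a complete local_rules.xml fragment for the two alert
     families quoted in the thread. Editor's reconstruction, not code from
     the original posts or from the OSSEC project. Rule IDs 100201/100202
     are assumed to be free in the user-defined range (100000 and up). -->
<group name="local,rootcheck,">

  <!-- Child of rule 510 (the generic rootcheck event). level="0" means the
       event is dropped: nothing is written to alerts.log and no e-mail goes
       out. <match> is a substring test against the event text, so the path
       prefix alone is enough; no <group> element inside the rule is needed
       for it to fire, because <if_sid> is what ties it to 510. -->
  <rule id="100201" level="0">
    <if_sid>510</if_sid>
    <match>File '/tmp/home_nfs/.snapshot</match>
    <description>Ignoring rootcheck findings under the NFS .snapshot directory.</description>
  </rule>

  <!-- Assumed second exception for the "present on /dev. Possible hidden
       file" reports. Only add this once you have confirmed that /dev/cpuset
       on that host is an expected cpuset (cgroup) mount; otherwise leave it
       out and keep the alert, since hidden entries under /dev are exactly
       what rootcheck is there to catch. -->
  <rule id="100202" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/cpuset/</match>
    <description>Ignoring rootcheck hidden-file reports under /dev/cpuset.</description>
  </rule>

</group>
```

The `<group name="...">` wrapper is required at the file level of local_rules.xml; a `<group>` element inside an individual `<rule>` only adds tags to the resulting alert and does not affect whether the rule matches. Rules live on the OSSEC manager, so one entry covers every agent that reports to it. After editing, restart with `/var/ossec/bin/ossec-control restart` and confirm that new .snapshot events no longer appear in /var/ossec/logs/alerts/alerts.log while unrelated rule 510 alerts (for example a genuinely world-writable root-owned file outside the snapshot tree) still do.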
