Hi All,
As I continue to understand the proper use of rules, I still have a few
questions.
Given this list of files/directories that need to be monitored:
/opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p
/opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/adjmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p
/opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/adjmnt_cntpay_p
/opt/JBoss/jboss-4.2.1.GA/server/ach_cntpay_p01/deploy/
/opt/JBoss/jboss-4.2.1.GA/server/ach_cntpay_p01/lib/
/opt/JBoss/jboss-4.2.1.GA/server/ach_cntpay_p01/conf/
/opt/JBoss/jboss-4.2.1.GA/server/adjmnt_cntpay_p01/deploy/
/opt/JBoss/jboss-4.2.1.GA/server/adjmnt_cntpay_p01/lib/
/opt/JBoss/jboss-4.2.1.GA/server/adjmnt_cntpay_p01/conf/
/opt/JBoss/jboss-4.2.1.GA/server/sprt_cntpay_p01/deploy/
/opt/JBoss/jboss-4.2.1.GA/server/sprt_cntpay_p01/lib/
/opt/JBoss/jboss-4.2.1.GA/server/sprt_cntpay_p01/conf/
Will this rule/match work?
<rule id="100502" level="0">
<if_group>syscheck</if_group>
<if_sid>550, 551, 552</if_sid>
<match>cntpay</match>
<description>Ignoring file changes</description>
</rule>
<rule id="100503" level="7">
<if_sid>100502</if_sid>
<hostname>nopirap1|nopirap2|nocirap1|nocirap2|nopintr1|ncbirap1</hostname>
<description>Changes to Application</description>
</rule>
Or do I need to specify more of the path, something like
<match>$sprt_cntpay_p01/conf/</match> ?
Thanks,
Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell