Ok, thanks for these tips ;) ! I changed it like this:

  <rule id="100001" level="0">
    <if_group>syscheck,</if_group>
    <hostname>**|**</hostname>
    <regex>'\S+/.svn</regex>
    <description>Directories to exclude</description>
  </rule>

  <rule id="100002" level="0">
    <if_group>syscheck,</if_group>
    <hostname>**|**</hostname>
    <regex>'/etc/logrotate\S+</regex>
    <description>Directories to exclude</description>
  </rule>

  <rule id="100003" level="0">
    <if_group>syscheck,</if_group>
    <hostname>**|**</hostname>
    <regex>'/etc/tinydns-dns\d+/log</regex>
    <description>Directories to exclude</description>
  </rule>

What do you think of this?

----- Original message -----
From: dan (ddp)
Sent: 15.07.10 18:09
To: [email protected]
Subject: Re: [ossec-list] Rule for syscheck

Your regex is wrong.
http://www.ossec.net/wiki/Know_How:Regex_Readme

You could also look at the syscheck ignore options:
http://www.ossec.net/main/manual/manual-syscheck/#examples

On Thu, Jul 15, 2010 at 6:54 AM, Bob Sauvage <[email protected]> wrote:
> Hello people!
>
> I want to make a rule to ignore some directories for the syscheck.
> I need regex because I have a lot of directories...
>
> I made this:
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     - as a ssh failed login. This is just an example
>     - since ip 1.1.1.1 shouldn't be used anywhere.
>     - Level 0 means ignore.
>   -->
>   <rule id="100001" level="0">
>     <if_group>syscheck</if_group>
>     <hostname>***|***</hostname>
>     <regex>*/.svn*|/etc/logrotate*|/etc/tinydns-dns*/log/*</regex>
>     <description>Directories to exclude</description>
>   </rule>
>
> But I always get an alert for the logfile of tinydns...
>
> Thanks a lot!
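A way to check rules like these before loading them into OSSEC, as an added example that is not part of this thread and not OSSEC's own code: the script below translates the OSSEC regex dialect (the escapes listed in the Regex README linked above, with the exact character sets of \w and \p approximated, which is an assumption of this example) into Python's re syntax, rejects the one error OSSEC also rejects (a quantifier such as * with nothing before it, as in the original */.svn* pattern), and runs a set of constructed level-0 rules against constructed syscheck paths to show which paths would be silenced and which would still alert. It also shows the difference between an unescaped dot (any character) and \. (a literal dot) in front of svn.

```python
import re

# Simplified translation table for the OSSEC regex dialect (escapes from the
# Regex README). The character sets for \w and \p are approximations; that is
# an assumption of this example, not OSSEC's source.
_ESCAPES = {
    "w": r"[A-Za-z0-9_@\-]",
    "W": r"[^A-Za-z0-9_@\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r" ",
    "S": r"[^ ]",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    ".": r"\.",          # escaped dot: a literal '.'
    "\\": r"\\",
}
_QUANTIFIERS = set("+*?")
_PASS_THROUGH = set("^$|.()")   # unescaped '.' matches any character


def ossec_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern.

    Raises ValueError for a quantifier with nothing in front of it, which is
    what is wrong with the thread's original '*/.svn*'.
    """
    out = []
    prev_atom = False        # is there something for a quantifier to repeat?
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash at end of pattern")
            esc = pattern[i + 1]
            if esc not in _ESCAPES:
                raise ValueError(f"unknown escape \\{esc} at position {i}")
            out.append(_ESCAPES[esc])
            prev_atom = True
            i += 2
        elif c in _QUANTIFIERS:
            if not prev_atom:
                raise ValueError(f"quantifier {c!r} at position {i} has nothing to repeat")
            out.append(c)
            prev_atom = False
            i += 1
        elif c in _PASS_THROUGH:
            out.append(c)
            prev_atom = c in ".)"
            i += 1
        else:
            out.append(re.escape(c))
            prev_atom = True
            i += 1
    return "".join(out)


def ossec_match(pattern, text):
    """True if the OSSEC pattern matches anywhere in text (unanchored unless ^/$ are used)."""
    return re.search(ossec_to_python(pattern), text) is not None


# Constructed sample rules in the shape of the thread's level-0 syscheck rules,
# with the dot before 'svn' escaped so only a literal '.svn' directory matches.
RULES = [
    ("100001", r"\S+/\.svn"),
    ("100002", r"/etc/logrotate\S+"),
    ("100003", r"/etc/tinydns-dns\d+/log"),
]

# Constructed sample paths as syscheck would report them.
SAMPLE_PATHS = [
    "/var/www/app/.svn/entries",
    "/etc/logrotate.d/nginx",
    "/etc/tinydns-dns1/log/current",
    "/etc/tinydns-dns/log/current",   # no digit after 'dns': must NOT be ignored
    "/etc/passwd",
]


def classify(paths=SAMPLE_PATHS, rules=RULES):
    """Map each path to the ids of the level-0 rules whose regex matches it.

    An empty list means no ignore rule fires and the syscheck alert goes through.
    """
    return {p: [rid for rid, rx in rules if ossec_match(rx, p)] for p in paths}


if __name__ == "__main__":
    for path, hits in classify().items():
        print(f"{path:32} -> {'ignored by ' + ','.join(hits) if hits else 'ALERT'}")
    try:
        ossec_to_python("*/.svn*")
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see the table; anything printed as ALERT is a path none of the level-0 rules silence, which is the quickest way to find out why a tinydns log line still alerts before touching the live rules file.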
