On Jul 19, 2010, at 12:57 PM, dan (ddp) wrote:
> On Fri, Jul 16, 2010 at 5:22 AM, Bob Sauvage <[email protected]> wrote:
>> Ok, thanks for these tips ;) !
>> 
>> I changed it like this:
>> 
>>   <rule id="100001" level="0">
>>     <if_group>syscheck,</if_group>
>>     <hostname>**|**</hostname>
>>     <regex>'\\S+/.svn</regex>
>>     <description>Directories to exclude</description>
>>   </rule>
>> 
>>   <rule id="100002" level="0">
>>     <if_group>syscheck,</if_group>
>>     <hostname>**|**</hostname>
>>     <regex>'/etc/logrotate\\S+</regex>
>>     <description>Directories to exclude</description>
>>   </rule>
>> 
>>   <rule id="100003" level="0">
>>     <if_group>syscheck,</if_group>
>>     <hostname>**|**</hostname>
>>     <regex>'/etc/tinydns-dns\\d+/log</regex>
>>     <description>Directories to exclude</description>
>>   </rule>
>> 
>> What do you think of this?
>> 
> 
> I'm not so sure of the double backslashes (\\). I think that may not
> be quite what you want.


Double backslash escapes a backslash. I think he ultimately wants this:


  <rule id="100001" level="0">
    <if_group>syscheck,</if_group>
    <hostname>**|**</hostname>
    <regex>\S+/\.svn</regex>
    <description>Directories to exclude</description>
  </rule>

  <rule id="100002" level="0">
    <if_group>syscheck,</if_group>
    <hostname>**|**</hostname>
    <regex>/etc/logrotate\S+</regex>
    <description>Directories to exclude</description>
  </rule>

  <rule id="100003" level="0">
    <if_group>syscheck,</if_group>
    <hostname>**|**</hostname>
    <regex>/etc/tinydns-dns\d+/log</regex>
    <description>Directories to exclude</description>
  </rule>

Though I'm not sure I'd agree with using rules for this. I'm also curious what
in /etc/logrotate is changing that you need to ignore that directory. Those
files should be pretty static, no?

Just use ignore rules for these:

<ignore type="sregex">/\/.svn/</ignore>

<ignore type="sregex">^/etc/logrotate</ignore>

<ignore type="sregex">^/etc/tinydns-dns\d+/log</ignore>

(This is a weird directory structure for tinydns. Can you provide an ls as an
example?)



---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
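
Added example, not part of the original message: it runs the double-backslash patterns and the single-backslash patterns from the thread over constructed syscheck alert texts to show which changes each set of level-0 rules would silence. Python's `re` stands in for OSSEC's regex engine (an assumption that covers only the backslash escaping discussed here), and the alert message layout and sample paths are assumptions.

```python
import re

# Constructed syscheck alert texts (not from the thread). The layout
# "Integrity checksum changed for: '<path>'" is an assumption about the
# message a syscheck rule's <regex> is matched against.
PREFIX = "Integrity checksum changed for: "
MESSAGES = [PREFIX + "'" + p + "'" for p in (
    "/var/www/app/.svn/entries",
    "/etc/logrotate.d/apache2",
    "/etc/logrotate.conf",
    "/etc/tinydns-dns1/log/main/current",
    "/etc/passwd",
)]

# Patterns exactly as posted in the thread, keyed by rule id.
DOUBLE_BACKSLASH = {
    "100001": r"'\\S+/.svn",
    "100002": r"'/etc/logrotate\\S+",
    "100003": r"'/etc/tinydns-dns\\d+/log",
}
SINGLE_BACKSLASH = {
    "100001": r"\S+/\.svn",
    "100002": r"/etc/logrotate\S+",
    "100003": r"/etc/tinydns-dns\d+/log",
}

def silenced_by(rules, messages):
    """Return {message: rule id of the first matching pattern, or None}."""
    compiled = [(rid, re.compile(pat)) for rid, pat in rules.items()]
    return {
        msg: next((rid for rid, rx in compiled if rx.search(msg)), None)
        for msg in messages
    }

def still_alerting(rules, messages):
    """Messages that no level-0 rule matches, i.e. that would still alert."""
    return [m for m, rid in silenced_by(rules, messages).items() if rid is None]

if __name__ == "__main__":
    for name, rules in (("double", DOUBLE_BACKSLASH), ("single", SINGLE_BACKSLASH)):
        print(name + " backslash:")
        for msg, rid in silenced_by(rules, MESSAGES).items():
            print(f"  {rid or 'alert':>6}  {msg}")
```

With the doubled backslashes every sample still alerts, because each pattern then requires a literal backslash in the path; the single-backslash `/etc/logrotate\S+` also silences `/etc/logrotate.conf`, not only files under `logrotate.d`.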


