Yes, of course! With this command: service ossec restart

----- Original Message -----
From: dan (ddp)
Sent: 23.07.10 15:24
To: [email protected]
Subject: Re: Re : Re: Re : Re: [ossec-list] Rule for syscheck

On Tue, Jul 20, 2010 at 3:06 AM, Bob Sauvage <[email protected]> wrote:
> About the double backslashes, I saw this here:
> http://www.ossec.net/wiki/Know_How:Regex_Readme
>
> But you are right, it doesn't work. I changed those like this
> (local_rules.xml):
>
> <group name="local,syslog,">
>
> <!-- Note that rule id 5711 is defined at the ssh_rules file
>   - as a ssh failed login. This is just an example
>   - since ip 1.1.1.1 shouldn't be used anywhere.
>   - Level 0 means ignore.
>   -->
> <rule id="100001" level="0">
>   <if_group>syscheck,</if_group>
>   <hostname>***|***</hostname>
>   <regex>'\S+/.svn</regex>
>   <description>Directories to exclude</description>
> </rule>
>
> <rule id="100002" level="0">
>   <if_group>syscheck,</if_group>
>   <hostname>
>   ***|***</hostname>
>   <regex>'/etc/logrotate\S+</regex>
>   <description>Directories to exclude</description>
> </rule>
>
> <rule id="100003" level="0">
>   <if_group>syscheck,</if_group>
>   <hostname>
>   ***|***</hostname>
>   <regex>'/etc/tinydns-dns\d+/log</regex>
>   <description>Directories to exclude</description>
> </rule>
>
> But it doesn't work either :/ !
>
> About the first rule, I want to ignore all the ".svn" subdirectories.
>
> About the second, I want to ignore /etc/logrotate_syslog.d~/mail and
> /etc/logrotate_syslog.d~/local2 for example.
>
> And for the last, I want to ignore /etc/tinydns-dns1/* and
> /etc/tinydns-dns2/* for example.
>
> I think I need help!
>
> Thanks a lot!
>

I don't see anything obviously wrong with the rules, but I haven't tried any
real syscheck rules. Did you restart the ossec server processes after creating
the rules?
