Not what you're asking, but should provide very similar results.

<rule id="ID_NUMBER" level="0">
  <if_sid>510</if_sid>
  <match>/dev/oracleasm/.query_disk</match>
  <description>Ignore alerts for this file.</description>
</rule>
On Fri, Apr 22, 2011 at 8:06 AM, Christopher Laibinis <[email protected]> wrote:

> How can I ignore a file or directory in the rootcheck portion of OSSEC?
>
> For instance I am receiving the following:
>
> OSSEC HIDS Notification.
> 2011 Apr 22 02:48:35
>
> Received From: (nyctpdprd1) 10.186.196.132->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden file.
>
> I would like to ignore this file and have added the
>
> <ignore>/dev/oracleasm</ignore>
>
> directive in the ossec.conf file under the <rootcheck> portion, but it does not work.
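The level-0 child rule suggested in the reply, written out as a complete local_rules.xml entry. This is an added example, not code from the thread: the rule id 100001 is an assumed value from the custom-rule range, the group name is arbitrary, and the match is widened from the single file to the whole /dev/oracleasm/ directory so every ASM device file is covered.

```xml
<!-- Added example (not from the thread). Rule id 100001 is an assumed value
     from the custom-rule range; use any id that is unused on your manager. -->
<group name="local,rootcheck,">
  <!-- Child of the stock rootcheck rule 510. Level 0 means the event is
       still evaluated by the analysis engine but no alert is generated. -->
  <rule id="100001" level="0">
    <if_sid>510</if_sid>
    <!-- <match> is a plain substring test against the alert text, so this
         matches .query_disk and anything else rootcheck reports under
         /dev/oracleasm/, while hidden files elsewhere on /dev still alert. -->
    <match>/dev/oracleasm/</match>
    <description>Oracle ASM device files are expected on /dev; suppress rootcheck hidden-file alerts for them.</description>
  </rule>
</group>
```

After restarting the manager, pasting the quoted "File '/dev/oracleasm/.query_disk' present on /dev." line into /var/ossec/bin/ossec-logtest should show rule 100001 firing at level 0 instead of 510 at level 7.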
