Actually, I'm a bit embarrassed, but all I did was add this to decoder.xml:

  <decoder name="snoopy-logger">
    <program_name>^snoopy</program_name>
  </decoder>
Then in local_rules I added the following:

  <rule id="100040" level="0">
    <decoded_as>snoopy-logger</decoded_as>
    <description>Ignore Snoopy logger events</description>
  </rule>

  <rule id="100041" level="15">
    <if_sid>100040</if_sid>
    <match>whatever</match>
    <description>file access (snoopy)</description>
  </rule>
A bit simplistic but it works.
On Thu, Jun 23, 2011 at 7:16 PM, Michael Starks <[email protected]> wrote:
> On 06/23/2011 08:59 PM, Jeremy Lee wrote:
>
>> Thanks Michael,
>>
>> I have FIM on so I'll have to get that set for alerting. However, I
>> realized we have Snoopy installed on this box, so I'm basically just
>> pointing OSSEC to watch the Snoopy log locally. I already created a
>> decoder for Snoopy and just had to create some rules to filter based on
>> certain matches.
>>
>
> I'm glad you mentioned this. I was just looking at Snoopy and planned on
> adding support. :) Care to share what you have developed so we can add it to
> OSSEC?
>
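Worked example (added here; not code from the thread or from OSSEC itself): a small Python simulation of how the decoder and the two rules in Jeremy's reply classify Snoopy events. The syslog lines, hostname and commands are constructed, and `<match>` is modelled as a substring test, which is how OSSEC treats a plain pattern like `whatever`.

```python
import re

# Constructed syslog lines in the shape OSSEC reads from a Snoopy log (not real captures).
SAMPLE_LOG = [
    "Jun 23 19:16:01 web1 snoopy[2314]: [uid:0 sid:891 tty:/dev/pts/0 "
    "cwd:/root filename:/usr/bin/whatever]: whatever --check",
    "Jun 23 19:16:02 web1 snoopy[2315]: [uid:1000 sid:892 tty:/dev/pts/1 "
    "cwd:/home/jl filename:/bin/ls]: ls -la",
    "Jun 23 19:16:03 web1 sshd[2300]: Accepted publickey for jl from 10.0.0.5 port 51234 ssh2",
]

# Assumed syslog header: "Mon DD HH:MM:SS host program[pid]: message" (pid bracket optional).
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<program>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def decode(line):
    """Mimic the snoopy-logger decoder: <program_name>^snoopy</program_name>
    is an anchored match on the syslog program name, so "snoopy" and
    "snoopy-ng" both decode, "sshd" does not. Returns the decoder name or None."""
    m = SYSLOG_RE.match(line)
    if m and m.group("program").startswith("snoopy"):
        return "snoopy-logger"
    return None


def classify(line, pattern="whatever"):
    """Walk the rule chain: 100040 (level 0) claims every snoopy-logger event,
    then child rule 100041 (level 15) fires only if the <match> pattern occurs
    in the log. Returns (rule id, level) of the last matching rule, or None
    when the line was not decoded as snoopy-logger (no rule applies)."""
    if decode(line) != "snoopy-logger":
        return None
    rule_id, level = 100040, 0
    if pattern in line:  # plain <match> text behaves as a substring test
        rule_id, level = 100041, 15
    return rule_id, level


def alerts(lines, pattern="whatever"):
    """Return only the lines that would reach alert level > 0."""
    return [ln for ln in lines if (classify(ln, pattern) or (0, 0))[1] > 0]


if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        print(classify(ln), ln[:60])
```

Running it shows the first line raised to level 15, the second held at level 0 by rule 100040, and the sshd line left to other decoders.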