Thanks, let me give this a shot. One question though -

Why use "$" in <match>/tmp$</match>?

>> Perhaps the block of config that I would put in ossec.conf on the agent
>> side.
>
> I'm not sure what this comment is in regards to.

Never mind about this. I understand your suggestion needs to go into the file local_rules.xml on the server side.

AJ

On Monday, March 3, 2014 12:38:00 PM UTC-8, dan (ddpbsd) wrote:
>
> On Mon, Mar 3, 2014 at 3:23 PM, Anuj AJ wrote:
> > Sorry for the late response ...
> >
> > Could you give me an example .. I have been struggling to implement the
> > hierarchy you mentioned, where one rule would check for
> > "/home/smartbiz/releases" and the other child looks for "/tmp$".
> >
>
> These are completely untested, solving the puzzle is the fun part. I
> don't want to take that away from anyone. :)
>
> <rule id="900001" level="1">
>   <if_group>syscheck</if_group> <!-- if_group_match? I can never remember -->
>   <match>/home/smartbiz/releases/</match>
>   <description>Smartbiz has strange habits</description>
> </rule>
> <rule id="900002" level="10">
>   <if_sid>900001</if_sid>
>   <match>/tmp$</match>
>   <description>tmp something or other.</description>
> </rule>
>
> > Perhaps the block of config that I would put in ossec.conf on the agent
> > side.
> >
>
> I'm not sure what this comment is in regards to.
>
> > Hoping for the best.
> >
> > Thanks
> > AJ
> >
> >
> > On Tuesday, February 18, 2014 11:19:06 AM UTC-8, dan (ddpbsd) wrote:
> >>
> >> On Tue, Feb 18, 2014 at 2:15 PM, Anuj AJ wrote:
> >> > Oh .. sorry .. I wasn't clear ... the directories denoted by * get
> >> > dynamically added frequently (as you can see, like releases).
> >> >
> >> > <ignore type="sregex">^/home/smartbiz/releases/DIR1/tmp</ignore>
> >> > <ignore type="sregex">^/home/smartbiz/releases/DIR2/tmp</ignore>
> >> > ..
> >> > ..
> >> >
> >> > So is there any way that OSSEC can skip just the 'tmp' directories
> >> > under those directories?
> >> >
> >>
> >> Eh, probably.
> >> Maybe try chaining rules. First one does a match for
> >> "/home/smartbiz/releases" and the child looks for "/tmp$" or
> >> something.
> >>
> >> >
> >> > On Tuesday, February 18, 2014 11:08:34 AM UTC-8, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Feb 18, 2014 at 2:06 PM, Anuj AJ wrote:
> >> >> > Was thinking the same, since some other permutations of '*' weren't
> >> >> > working either.
> >> >> >
> >> >> > Is there any other way I can accomplish what I seek??
> >> >> > Would really appreciate the help.
> >> >> >
> >> >>
> >> >> <ignore type="sregex">^/home/smartbiz/releases/DIR1/tmp</ignore>
> >> >> <ignore type="sregex">^/home/smartbiz/releases/DIR2/tmp</ignore>
> >> >> <ignore type="sregex">^/home/smartbiz/releases/DIR3/tmp</ignore>
> >> >>
> >> >> > Thanks
> >> >> >
> >> >> > Anuj
> >> >> >
> >> >> >
> >> >> > On Tuesday, February 18, 2014 10:29:04 AM UTC-8, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Tue, Feb 18, 2014 at 1:27 PM, Anuj AJ wrote:
> >> >> >> > Greetings
> >> >> >> >
> >> >> >> > I have an OSSEC 2.7 server/agent setup and have been trying to have
> >> >> >> > the agent ignore some specific directories.
> >> >> >> > So far the test cases have been successful, but I'm stuck on this
> >> >> >> > one in particular -
> >> >> >> >
> >> >> >> > Trying to ignore the directories -
> >> >> >> >
> >> >> >> > /home/foo/foofoo/*/tmp
> >> >> >> >
> >> >> >> > By * I mean all the directories underneath 'foofoo' have a
> >> >> >> > subdirectory 'tmp' that I want to ignore/exclude.
> >> >> >> >
> >> >> >> > Currently I have this under the agent config:
> >> >> >> >
> >> >> >> > <ignore type="sregex">^/home/smartbiz/releases/*/tmp</ignore>
> >> >> >> >
> >> >> >>
> >> >> >> I don't believe "*" is valid sregex.
> >> >> >>
> >> >> >> > Doesn't seem to work :(
> >> >> >> >
> >> >> >> > Please help.
> >> >> >> >
> >> >> >> > Thanks
> >> >> >> > AJ

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to the list's unsubscribe address.
For more options, visit https://groups.google.com/groups/opt_out.
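To make the "why $" question concrete, here is an added example that is not part of the thread and not OSSEC's own code: a small Python emulation of how the two chained rules posted above (parent on `<if_group>syscheck</if_group>`, child on `<if_sid>900001</if_sid>`) apply their `<match>` patterns. It assumes that OSSEC's `<match>` is a plain substring test in which a leading `^` anchors to the start of the event text, a trailing `$` anchors to the end, and `|` separates alternatives; the rule set, the paths and the evaluation order are constructed here for illustration. Fed bare paths, it shows that `/tmp$` fires only when the text ends in `/tmp`, so a file changed inside a tmp directory stays on the level-1 parent. Whether a real syscheck alert line ends with the path at all is something to verify against your own `alerts.log` before relying on the `$`; the level you give the child is also up to you (the posted rule uses 10, and a level-0 child would instead silence the match, which is what the original question asked for).

```python
# Emulation of OSSEC rule chaining and <match> anchoring (added example).
# Assumption: <match> is substring matching with optional ^ / $ anchors and
# "|" alternatives, and a child rule (if_sid) is only evaluated after its
# parent (if_group) matched, the deepest match winning.

# The two rules from the thread, expressed as data (constructed).
RULES = [
    {"id": 900001, "level": 1, "if_group": "syscheck",
     "match": "/home/smartbiz/releases/"},
    {"id": 900002, "level": 10, "if_sid": 900001,
     "match": "/tmp$"},
]

# Constructed sample event texts (bare paths) with the expected outcome.
# Real syscheck alerts wrap the path in other text, which is exactly what a
# trailing "$" is sensitive to; check your own alerts.log.
SAMPLES = {
    "/home/smartbiz/releases/DIR1/tmp": (900002, 10),          # ends in /tmp
    "/home/smartbiz/releases/DIR1/tmp/cache.db": (900001, 1),  # "$" stops the child
    "/home/smartbiz/releases/DIR2/app/config.yml": (900001, 1),
    "/home/smartbiz/releases/DIR3/tmp": (900002, 10),
    "/var/tmp": None,  # parent never matched, so the child is never tested
}


def ossec_match(pattern: str, text: str) -> bool:
    """Emulate <match>: substring test with optional ^ and $ anchors and |."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$")
        core = alt[1:] if start else alt
        core = core[:-1] if end else core
        if start and end:
            hit = text == core
        elif start:
            hit = text.startswith(core)
        elif end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def evaluate(text: str, group: str = "syscheck"):
    """Return (rule_id, level) of the deepest matching rule, or None.

    Parents are the rules carrying if_group; a child is tested only after its
    parent matched, and a matching child replaces the parent as the result.
    """
    result = None
    for rule in RULES:
        if rule.get("if_group") != group:
            continue
        if not ossec_match(rule["match"], text):
            continue
        result = (rule["id"], rule["level"])
        for child in RULES:
            if child.get("if_sid") == rule["id"] and ossec_match(child["match"], text):
                result = (child["id"], child["level"])
    return result


def run_samples() -> dict:
    """Evaluate every constructed sample path; equals SAMPLES when the emulation agrees."""
    return {path: evaluate(path) for path in SAMPLES}


if __name__ == "__main__":
    for path, outcome in run_samples().items():
        print(f"{path:50s} -> {outcome}")
```

Dropping the `$` (i.e. `<match>/tmp/</match>` or `<match>/tmp</match>`) would make the child fire for files underneath a tmp directory as well, but also for any path that merely contains `/tmp`, so anchor or not is a choice between precision and coverage that only real alert text can settle.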
