On Mon, Mar 3, 2014 at 3:47 PM, Anuj AJ <[email protected]> wrote:
> Thanks, let me give this a shot.
>
> One question though -
>
> Why use "$" in <match>/tmp$</match>
>

I think "p" will be the last character in the string. You can try it
without as well, like I said, it's untested.

> >> > Perhaps the block of config that I would put in ossec.conf on the agent
> >> > side.
> >>
> >> I'm not sure what this comment is in regards to.
>
> Nevermind ... about this. I understand your suggestion needs to go to the
> file - local_rules.xml on the server side.
>
> AJ
>
> On Monday, March 3, 2014 12:38:00 PM UTC-8, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 3, 2014 at 3:23 PM, Anuj AJ <[email protected]> wrote:
>> > Sorry for the late response ...
>> >
>> > Could you give me an example .. I have been struggling to implement the
>> > hierarchy you mentioned, where one rule would check for -
>> > "/home/smartbiz/releases" and the other child looks for "/tmp$".
>> >
>>
>> These are completely untested, solving the puzzle is the fun part. I
>> don't want to take that away from anyone. :)
>>
>> <rule id="900001" level="1">
>>   <if_group>syscheck</if_group> <!-- if_group_match? I can never remember -->
>>   <match>/home/smartbiz/releases/</match>
>>   <description>Smartbiz has strange habits</description>
>> </rule>
>> <rule id="900002" level="10">
>>   <if_sid>900001</if_sid>
>>   <match>/tmp$</match>
>>   <description>tmp something or other.</description>
>> </rule>
>>
>> > Perhaps the block of config that I would put in ossec.conf on the agent
>> > side.
>> >
>>
>> I'm not sure what this comment is in regards to.
>>
>> > Hoping for best.
>> >
>> > Thanks
>> > AJ
>> >
>> > On Tuesday, February 18, 2014 11:19:06 AM UTC-8, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Feb 18, 2014 at 2:15 PM, Anuj AJ <[email protected]> wrote:
>> >> > Oh .. sorry .. I wasn't clear ... the directories denoted by * get
>> >> > dynamically added frequently (as you can see like releases).
>> >> >
>> >> > <ignore type="sregex">^/home/smartbiz/releases/DIR1/tmp</ignore>
>> >> > <ignore type="sregex">^/home/smartbiz/releases/DIR2/tmp</ignore>
>> >> > ..
>> >> > ..
>> >> >
>> >> > So if there is any way that OSSEC can skip just the 'tmp' directories
>> >> > under those directories ?
>> >> >
>> >>
>> >> Eh, probably.
>> >> Maybe try chaining rules. First one does a match for
>> >> "/home/smartbiz/releases" and the child looks for "/tmp$" or
>> >> something.
>> >>
>> >> > On Tuesday, February 18, 2014 11:08:34 AM UTC-8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Tue, Feb 18, 2014 at 2:06 PM, Anuj AJ <[email protected]> wrote:
>> >> >> > Was thinking the same, since some other permutations of '*' weren't
>> >> >> > working either.
>> >> >> >
>> >> >> > Is there any other way I can accomplish what I seek ??
>> >> >> > Would really appreciate the help.
>> >> >> >
>> >> >>
>> >> >> <ignore type="sregex">^/home/smartbiz/releases/DIR1/tmp</ignore>
>> >> >> <ignore type="sregex">^/home/smartbiz/releases/DIR2/tmp</ignore>
>> >> >> <ignore type="sregex">^/home/smartbiz/releases/DIR3/tmp</ignore>
>> >> >>
>> >> >> > Thanks
>> >> >> >
>> >> >> > Anuj
>> >> >> >
>> >> >> > On Tuesday, February 18, 2014 10:29:04 AM UTC-8, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Tue, Feb 18, 2014 at 1:27 PM, Anuj AJ <[email protected]> wrote:
>> >> >> >> > Greetings
>> >> >> >> >
>> >> >> >> > I have an OSSEC 2.7 server/agent setup and have been trying to
>> >> >> >> > have the agent ignore some specific directories.
>> >> >> >> > So far the test cases have been successful, but I'm stuck on
>> >> >> >> > this in particular -
>> >> >> >> >
>> >> >> >> > Trying to ignore the directories -
>> >> >> >> >
>> >> >> >> > /home/foo/foofoo/*/tmp
>> >> >> >> >
>> >> >> >> > by * I mean all the directories underneath 'foofoo' have a
>> >> >> >> > subdirectory 'tmp' that I want to ignore/exclude.
>> >> >> >> >
>> >> >> >> > Currently I have this under the agent config
>> >> >> >> >
>> >> >> >> > <ignore type="sregex">^/home/smartbiz/releases/*/tmp</ignore>
>> >> >> >> >
>> >> >> >>
>> >> >> >> I don't believe "*" is valid sregex.
>> >> >> >>
>> >> >> >> > Doesn't seem to work :(
>> >> >> >> >
>> >> >> >> > Please help.
>> >> >> >> >
>> >> >> >> > Thanks
>> >> >> >> > AJ

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
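The whole thread turns on how OSSEC's sregex compares a pattern against a file path: `^` anchors the start, `$` anchors the end, `|` separates alternatives, and every other character is a literal, so `*` only ever matches a directory literally named `*`. The following is an added example, not part of the thread and not OSSEC's own code: a small Python model of that documented behaviour, used to check candidate `<ignore type="sregex">` values against sample paths offline before committing them to ossec.conf. The directories `DIR1` and `DIR2` come from the thread; `DIR3`, the file names and the `build_tmp_ignore`/`evaluate_ignore` helpers are constructed for the example, and the matcher is an approximation of OSSEC's real matcher (case-sensitive, no flags).

```python
"""Offline check of OSSEC syscheck <ignore type="sregex"> patterns.

Added example, not OSSEC code. Models the documented sregex syntax:
  ^  anchor at start of string      $  anchor at end of string
  |  separates alternatives         everything else is a literal
There are no wildcards, so '*' only matches a directory literally named '*'.
Assumption: case-sensitive comparison against the full file path that
syscheck reports; OSSEC's real matcher may differ in corner cases.
"""


def sregex_match(pattern: str, text: str) -> bool:
    """Return True if any '|'-separated alternative of pattern matches text."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        start = 1 if anchored_start else 0
        end = len(alt) - 1 if anchored_end else len(alt)
        literal = alt[start:end]          # the bytes that must appear verbatim
        if anchored_start and anchored_end:
            hit = text == literal         # ^...$ is an exact compare
        elif anchored_start:
            hit = text.startswith(literal)
        elif anchored_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text         # plain substring search
        if hit:
            return True
    return False


def build_tmp_ignore(release_root: str, release_dirs) -> str:
    """Join one '^<root>/<dir>/tmp' alternative per known release directory.

    This is the only way to express '<root>/*/tmp' in sregex: enumerate the
    directories. A release created after this value is generated is not
    covered, which is the gap the thread describes.
    """
    root = release_root.rstrip("/")
    return "|".join(f"^{root}/{d}/tmp" for d in release_dirs)


def ignore_element(pattern: str) -> str:
    """Render the pattern as the <syscheck> ignore line for ossec.conf."""
    return f'<ignore type="sregex">{pattern}</ignore>'


def evaluate_ignore(pattern: str, paths):
    """Map each path to whether syscheck would skip it under this pattern."""
    return {p: sregex_match(pattern, p) for p in paths}


# Constructed sample paths. DIR1/DIR2 are the names used in the thread; DIR3
# stands for a release directory created after the ignore line was written.
SAMPLE_PATHS = [
    "/home/smartbiz/releases/DIR1/tmp/cache.bin",
    "/home/smartbiz/releases/DIR2/tmp/session.lock",
    "/home/smartbiz/releases/DIR3/tmp/upload.part",
    "/home/smartbiz/releases/DIR1/config/app.yml",
    "/home/smartbiz/releases/DIR1/tmpfiles/notes.txt",
]

KNOWN_RELEASES = ["DIR1", "DIR2"]


if __name__ == "__main__":
    # The pattern from the original post: '*' is a literal, so nothing matches.
    wildcard = "^/home/smartbiz/releases/*/tmp"
    for p, hit in evaluate_ignore(wildcard, SAMPLE_PATHS).items():
        print(f"{'ignored' if hit else 'scanned'}  {p}   [{wildcard}]")

    # The enumerated form the thread converges on.
    pattern = build_tmp_ignore("/home/smartbiz/releases", KNOWN_RELEASES)
    print(ignore_element(pattern))
    for p, hit in evaluate_ignore(pattern, SAMPLE_PATHS).items():
        print(f"{'ignored' if hit else 'scanned'}  {p}")

    # The '$' question: an end anchor on '/tmp' matches the directory entry
    # itself but never a file path that continues past it.
    print(sregex_match("/tmp$", "/home/smartbiz/releases/DIR1/tmp"))            # True
    print(sregex_match("/tmp$", "/home/smartbiz/releases/DIR1/tmp/cache.bin"))  # False
```

Two things the run makes visible that the thread only hints at: `DIR3/tmp/upload.part` is still scanned because the enumerated list has to be regenerated every time a release is added, and `DIR1/tmpfiles/notes.txt` is skipped too, because `^.../DIR1/tmp` is a prefix match with nothing after `tmp`; appending a `/` narrows it to contents of the `tmp` directory at the cost of no longer matching the directory path itself.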
