Hi,
you can use this rule:
<rule id="100004" level="0">
<if_group>syscheck</if_group>
<match>for: '/var/lib/tomcat7/OFFLINE/</match>
<regex>for: '\.+.pdf'</regex>
<description>NO PDF Alert</description>
</rule>
I think if_group is better than if_matched_group. Also your regex is wrong
because the event doesn't begin (^) with "/var.." and end ($) with "pdf".
The event is something like this: Integrity checksum changed for:
'/path1/path2/path3/file.ext'. So the path begins with "'/path1..." and
ends with ".ext'".
I guess you could use the ignore tag:
<ignore type="sregex">/var/lib/tomcat7/OFFLINE/\.+.pdf</ignore>
It's up to you. ;)
On Wednesday, January 20, 2016 at 11:11:44 AM UTC+1, ono-sendai wrote:
>
> Hi, I'm monitoring my /var dir
>
> <directories realtime="yes"
> check_all="yes">/etc,/root,/var,/home,/tmp,/bin,/sbin,/usr</directories>
>
> and I can use the <ignore> statement to ignore subfolders/files without
> problems.
>
> Now I'm trying to ignore all .pdf|.odt|.jpg etc. etc. in a specific folder
> and
> relative subfolders. So I wrote this rule:
>
> <rule id="100004" level="0">
> <if_matched_group>syscheck</if_matched_group>
> <regex>^/var/lib/tomcat7/OFFLINE/\.*pdf$</regex>
> <description>Ignore OFFLINE documents</description>
> </rule>
>
> but I still receive alerts like these:
>
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Integrity checksum changed for: '/var/lib/tomcat7/OFFLINE/test.pdf'
> Size changed from '54' to '94'
> Old md5sum was: '9b26b668284325b02520b0f34281d63b'
> New md5sum is : '22edde5ccec5fb0120b63cae421d013e'
>
> or alerts for new file creations (I have overwritten rule 554 according
> to this
> faq [0]).
> How can I achieve my goal? And, is this approach (rule creation)
> efficient (I want to add some ORs to specify multiple file extensions in
> this rule)?
>
> I'm using ossec version 2.8.3-3jessie (from
> http://ossec.wazuh.com/repos/apt/debian) and the wazuh's ruleset [1]
>
> Thank you :)
>
>
> [0]
>
> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#why-aren-t-new-files-creating-an-alert
>
> [1] https://github.com/wazuh/ossec-rules
>
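As an added illustration (not code from the thread or from OSSEC itself), here is a small Python model of how a syscheck rule's <match> (sregex: only ^, $ and | are special) and <regex> (OSSEC regex, where "\." is the any-character wildcard and a bare "." is literal) fields are evaluated, run over the quoted alert plus a few constructed events. It assumes the rule 554 "New file ... added to the file system." wording and translates only the regex classes used in this thread.

```python
import re

# Constructed sample syscheck events: the first is the alert quoted in the
# thread; the "New file" line follows the wording of OSSEC 2.8 rule 554
# (an assumption here) to show that matching on "for: '" does not cover it.
EVENTS = [
    "Integrity checksum changed for: '/var/lib/tomcat7/OFFLINE/test.pdf'",
    "Integrity checksum changed for: '/var/lib/tomcat7/OFFLINE/notes.txt'",
    "Integrity checksum changed for: '/etc/passwd'",
    "New file '/var/lib/tomcat7/OFFLINE/reports/q1.pdf' added to the file system.",
]
# OSSEC <regex> classes: "\." is the any-character wildcard (a bare "." is a
# literal dot); \w \d \s are character classes; any other "\x" is a literal x.
_CLASSES = {".": ".", "w": "[A-Za-z0-9_@-]", "d": "[0-9]", "s": " "}

def ossec_regex_to_python(pattern):
    """Translate the OSSEC regex subset used in the thread into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:  # ^ $ + * ( ) | keep their meaning; everything else is literal
            out.append(c if c in "^$+*()|" else re.escape(c))
            i += 1
    return "".join(out)

def sregex_match(pattern, text):
    """OSSEC <match> (sregex): only ^, $ and | are special; the rest is a literal substring."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        lit = alt[int(head):len(alt) - int(tail)]  # strip the anchors
        if ((head and tail and text == lit) or (head and not tail and text.startswith(lit))
                or (tail and not head and text.endswith(lit)) or (not head and not tail and lit in text)):
            return True
    return False

def rule_matches(rule, event):
    """A rule fires only when every field it declares matches (fields are ANDed)."""
    if "match" in rule and not sregex_match(rule["match"], event):
        return False
    return "regex" not in rule or re.search(ossec_regex_to_python(rule["regex"]), event) is not None

def silenced(rule):
    """Events a level-0 rule with these fields would swallow."""
    return [e for e in EVENTS if rule_matches(rule, e)]

ORIGINAL_RULE = {"regex": r"^/var/lib/tomcat7/OFFLINE/\.*pdf$"}                        # from the question
SUGGESTED_RULE = {"match": "for: '/var/lib/tomcat7/OFFLINE/", "regex": r"for: '\.+.pdf'"}  # from the reply
```

silenced(ORIGINAL_RULE) is empty because no event starts with "/var"; silenced(SUGGESTED_RULE) contains only the test.pdf alert, and the "New file" event slips through because its text has no "for: '".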