You are right, *ignore* is an *OS_Match/sregex*. You could use:

    <ignore type="^sregex">.pdf$|.odt$</ignore>

I hope you find it useful ;)

On Thursday, January 21, 2016 at 1:19:11 PM UTC+1, ono-sendai wrote:
>
> On 20/01/2016 17:53, Jesus Linares wrote:
>
> > you can use this rule:
> >
> > <rule id="100004" level="0">
> >   <if_group>syscheck</if_group>
> >   <match>for: '/var/lib/tomcat7/OFFLINE/</match>
> >   <regex>for: '\.+.pdf'</regex>
> >   <description>NO PDF Alert</description>
> > </rule>
>
> Thank you!! It works! I've modified that rule so now it can also match
> rule 554 and other filetypes.
>
> <rule id="100004" level="0">
>   <if_group>syscheck</if_group>
>   <match> '/var/lib/tomcat7/OFFLINE/</match>
>   <regex> '\.+.pdf'| '\.+.odt'</regex>
>   <description>Ignore OFFLINE documents</description>
> </rule>
>
> > I guess you could use the ignore tag:
> >
> > <ignore type="sregex">/var/lib/tomcat7/OFFLINE/\.+.pdf</ignore>
>
> Before trying with the rule I tried without success with this <ignore>
> statement
>
> <ignore type="^sregex">/var/lib/tomcat7/OFFLINE/\.*.pdf</ignore>
>
> but then I realized that only three special characters (^ $ |) are usable
> in sregex according to [0]... is it correct?
>
> Thank you again :)
>
> [0] https://ossec-docs.readthedocs.org/en/latest/syntax/regex.html#os-match-sregex-syntax
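
The sregex behaviour discussed in this thread, as an added example that is not part of the original messages and not OSSEC's own code: a simplified Python model of the OS_Match syntax in [0], where only ^, $ and | are special, run over constructed paths. The function names and sample paths are assumptions, and case handling is not modelled.

```python
# Simplified model of OS_Match/sregex as documented in [0]: only ^, $ and |
# are special; every other character is compared literally.
# Illustration only, not OSSEC's implementation.

def sregex_match(pattern: str, text: str) -> bool:
    """Return True if any |-separated alternative matches text."""
    for alt in pattern.split("|"):
        if not alt:
            continue  # ignore empty alternatives in this model
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False

def ignored_paths(pattern: str, paths: list[str]) -> list[str]:
    """Paths that an <ignore> with this sregex pattern would skip (per the model)."""
    return [p for p in paths if sregex_match(pattern, p)]

# Patterns taken from the thread.
SUFFIX_PATTERN = ".pdf$|.odt$"
REGEX_STYLE_PATTERN = r"/var/lib/tomcat7/OFFLINE/\.*.pdf"  # \.* is literal text in sregex

# Constructed sample paths (not from the thread).
SAMPLE_PATHS = [
    "/var/lib/tomcat7/OFFLINE/report.pdf",
    "/var/lib/tomcat7/OFFLINE/notes.odt",
    "/var/lib/tomcat7/OFFLINE/app.war",
    "/var/lib/tomcat7/OFFLINE/report.pdf.sh",
    "/etc/cron.d/job.pdf",
]

if __name__ == "__main__":
    print("suffix pattern ignores:", ignored_paths(SUFFIX_PATTERN, SAMPLE_PATHS))
    print("regex-style pattern ignores:", ignored_paths(REGEX_STYLE_PATTERN, SAMPLE_PATHS))
```

Under this model the suffix pattern also matches .pdf and .odt files outside /var/lib/tomcat7/OFFLINE/, so it is worth checking which monitored directories the ignore entry affects.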
