Hi,

*OS_Match/sregex* supports simple string matching and the following special 
characters: ^, $, |. You are using invalid expressions such as \.+ or \S+. The 
*Ignore* option is very useful, but in this case I think there is no choice but 
to use rules:

<rule id="100004" level="0">
    <if_group>syscheck</if_group>
    <!-- match uses OS_Match (sregex): a plain substring test on the alert text;
         the leading quote anchors the start of the path -->
    <match> '/path1/path2</match>
    <!-- regex uses OS_Regex: "\." is any character, "." is a literal dot;
         the closing quote puts the extension at the end of the path -->
    <regex> '\.+.extension'</regex>
    <description>Ignore /path1/path2/*.extension</description>
</rule>

Regards.
Jesus Linares.



On Tuesday, February 16, 2016 at 2:39:52 AM UTC+1, dan (ddpbsd) wrote:
>
>
> On Feb 15, 2016 8:31 PM, "Leo G" <[email protected]> wrote:
> >
> > Thanks Jesus Linares,
> >
> > Yes, I noticed the typo, I was using <ignore type="sregex">
> >
> > I can't use '.jpg$' because I want to only exclude 
> directory_one/directory_two/*.jpg
> >
> > Therefore I tried config like this:
> >
> > <ignore type="sregex">/home/leo/testing/\.+.jpg</ignore>
> > <ignore type="sregex">/home/leo/testing/\S+.jpg</ignore>
> >
> > Unfortunately no luck with regular expression matching for me
> >
>
> Because those are invalid sregex.
>
> > On Friday, 12 February 2016 01:08:11 UTC+11, Jesus Linares wrote:
> >>
> >> Hi Leo,
> >>
> >> I'm glad you could solve your issue with the rules, but ignore should work.
> >>
> >> The symbol ^ in "<ignore type="^sregex">.jpg$</ignore>" is a typo. You 
> could try with <ignore type="sregex">.jpg$</ignore>.
> >>
> >> Check the documentation out: 
> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/
> >>
> >> Regards.
> >> Jesus Linares.
> >>
> >> On Wednesday, February 10, 2016 at 11:42:52 PM UTC+1, Leo G wrote:
> >>>
> >>> Thank you!!
> >>>
> >>> Adding match and regex in rules worked for me.
> >>>
> >>> No luck with ignore="sregex" :(
> >>>
> >>> On Wednesday, 10 February 2016 10:16:08 UTC+11, Leo G wrote:
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> Can someone please help with the regex? I want to exclude all the 
> .jpg files in xxx/xxx/,
> >>>>
> >>>> I have config in ossec.conf below:
> >>>>
> >>>>     <alert_new_files>yes</alert_new_files>
> >>>>     <directories check_all="yes">/home/xxx</directories>
> >>>>     <ignore>/home/xxx/xxx/\S*\.jpg</ignore>
> >>>>   </syscheck>
> >>>>
> >>>> However, it seems it's still not ignoring all the jpg files; I'm still 
> getting alerts for all the new jpg files.
> >>>>
> >>>> I also used 'ossec-regex' for testing:
> >>>>
> >>>> > /var/ossec/bin/ossec-regex '/home/xxx/xxx/\S*\.jpg'
> >>>> > New file '/home/xxx/xxx/yyy.jpg' added to the file system.
> >>>>
> >>>> +OSRegex_Execute: New file '/home/xxx/xxx/yyy.jpg' added to the file 
> system.
> >>>> +OS_Regex       : New file '/home/xxx/xxx/yyy.jpg' added to the file 
> system.
> >>>> ^C
> >>>>
> >>>> Seems to be matching.
> >
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
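As an added example (not OSSEC's own code, and not from anyone in this thread), here is a small Python model of the two pattern engines the thread is about: OS_Match, which `<ignore type="sregex">` and a rule's `<match>` use, and OS_Regex, which a rule's `<regex>` and the `ossec-regex` tool use. It shows why `/home/leo/testing/\.+.jpg` can never match as sregex but does match as OS_Regex, and why the level-0 rule posted at the top of the thread silences the intended alerts. The character classes follow the documented OS_Regex syntax and are assumed to mirror the real engine closely enough for these patterns; the sample path and alert lines are constructed for the example.

```python
import re

# Added example: a model of OSSEC's OS_Match (sregex) and OS_Regex matching.
# Assumption: the class table below mirrors the documented OS_Regex syntax.

# OS_Regex escapes. Note that "\." means ANY character and a bare "." is a
# literal dot, the opposite of PCRE.
_OSREGEX_ESCAPES = {
    "w": r"[A-Za-z0-9\-@_]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": r"[^A-Za-z0-9\-@_]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",
}


def osregex_to_python(pattern):
    """Translate the OS_Regex subset \\w \\d \\s \\t \\p \\W \\D \\S \\. + * ^ $ | ( )
    into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # A known class, or an escaped literal such as "\$"
            out.append(_OSREGEX_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "+*^$|()":
            out.append(c)             # same meaning in both engines
        else:
            out.append(re.escape(c))  # everything else is literal, including "."
        i += 1
    return "".join(out)


def os_regex(pattern, text):
    """What a rule's <regex> and ossec-regex do: an unanchored OS_Regex search."""
    return re.search(osregex_to_python(pattern), text, re.DOTALL) is not None


def os_match(pattern, text):
    """What <ignore type="sregex"> and a rule's <match> do: a substring test
    where only ^, $ and | are special. Backslash, "+" and "." are ordinary
    characters here, so "\\.+" is just four literal bytes that never occur in a path."""
    for alt in pattern.split("|"):
        starts = alt.startswith("^")
        ends = alt.endswith("$") and len(alt) > 1
        lit = alt[1 if starts else 0:]
        if ends:
            lit = lit[:-1]
        if starts and ends:
            ok = text == lit
        elif starts:
            ok = text.startswith(lit)
        elif ends:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        if ok:
            return True
    return False


# Constructed samples: the path that syscheck tests <ignore> against on the
# agent, and the alert text that a rule on the manager is matched against.
SAMPLE_PATH = "/home/leo/testing/photo01.jpg"
SAMPLE_ALERT = "New file '/home/leo/testing/photo01.jpg' added to the file system."


def ignore_sregex_hits(pattern, path=SAMPLE_PATH):
    """<ignore type="sregex">pattern</ignore> applied to a file path."""
    return os_match(pattern, path)


def rule_silences(alert, path_prefix, extension):
    """Model of the level-0 rule from the thread: <match>'prefix</match> plus
    <regex>'\\.+.ext'</regex>. Both fields must hit the alert text for the rule
    (and therefore the level 0) to apply."""
    return (os_match("'" + path_prefix, alert)
            and os_regex("'\\.+." + extension + "'", alert))


if __name__ == "__main__":
    for pat in ("/home/leo/testing/\\.+.jpg", "/home/leo/testing/\\S+.jpg", ".jpg$"):
        print(f"sregex {pat!r:32} on path  -> {ignore_sregex_hits(pat)}")
    print("OS_Regex '/home/leo/testing/\\.+.jpg' on path ->",
          os_regex("/home/leo/testing/\\.+.jpg", SAMPLE_PATH))
    print("level-0 rule silences sample alert ->",
          rule_silences(SAMPLE_ALERT, "/home/leo/testing/", "jpg"))
```

Two points the model makes visible. First, `<ignore>` is tested against the file path on the agent, while a rule's `<match>` and `<regex>` run against the alert text on the manager; that is why `.jpg$` works as an sregex ignore but would not match the alert line, which ends in "system.". Second, when using the rule, put the trailing slash in `<match>` (`'/path1/path2/`) so a sibling directory such as `/path1/path2_old` is not silenced as well, and keep the closing quote in `<regex>` so the extension has to sit at the end of the path rather than anywhere inside it.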
