Creating a child rule like that, which looks for "/dev/.blkid.tab.old" and ignores
it, okay. I am trying to find examples of such things.
Do you have a link or any examples of such a thing?
I don't need to create such a rule in local_rules.xml do I?
I think I should create such a rule in ossec_rules.xml where the 510 rule
exists.
Is that correct?
<rule id="510" level="7">
  <if_sid>509</if_sid>
  <description>Host-based anomaly detection event (rootcheck).</description>
  <group>rootcheck,</group>
  <if_fts />
</rule>
Above is the stanza. I will try to add to it by reading this PDF about
rules:
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
On Tuesday, 31 May 2016 17:42:10 UTC+1, dan (ddpbsd) wrote:
>
> On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <[email protected]> wrote:
> > How do I get OSSEC to ignore a specific textual alert and not show it in
> > the alerts file?
> > I know I can create a local_rules.xml file and get it to ignore a
> > specific rule but I need something more specific than that.
> >
> > This is the alert that I see in the alerts file
> > (/var/ossec/logs/alerts/alerts.log):
> >
> > ** Alert 1464690578.111537: mail - ossec,rootcheck,
> > 2016 May 31 11:29:38 (XYZabc02) any->rootcheck
> > Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> > File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.
> >
> >
> > So I would like OSSEC to not show the above alert in the alerts file.
> > Is there a way to do that?
> >
> > More generally is there a way to whitelist specific alerts so they don't
> > show up in the alerts file.
> >
>
>
> Have you tried creating a child rule that looks for "/dev/.blkid.tab.old"?
>
> > I see that the guy here has the same problem but his solution does not
> > work:
> > https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles
>
> >
> > Cheers,
> > Tahir
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
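The child rule dan suggests, written out as an added example (this is not code from the thread or from the OSSEC project's shipped rule set). It goes in /var/ossec/rules/local_rules.xml, not in ossec_rules.xml, so that it survives upgrades. The rule id 100010 is an assumption; any id in the 100000-119999 range reserved for local rules will do. The matched string is taken from the alert quoted in the thread:

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the thread).
     Rule id 100010 is an assumption: custom rule ids must fall in the
     100000-119999 range reserved for local rules. -->
<group name="local,rootcheck,">

  <!-- Child of rule 510. It is evaluated on the same rootcheck events as its
       parent, but only matches when the event text contains the path below.
       <match> is a literal substring test (not a regex), so the dots in the
       path need no escaping. Level 0 means the event is never written to
       alerts.log; because the more specific child rule wins over its parent,
       the level-7 alert from 510 is suppressed for this one file only.
       Every other rootcheck finding still alerts at level 7. -->
  <rule id="100010" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/.blkid.tab.old' present on /dev.</match>
    <description>Known file /dev/.blkid.tab.old; rootcheck hidden-file warning suppressed.</description>
  </rule>

</group>
```

After saving the file, restart the manager (`/var/ossec/bin/ossec-control restart`) so the rules are reloaded; local_rules.xml is already listed in the `<rules>` section of ossec.conf on a default install, so no other change is needed. Keeping the full path in `<match>` is deliberate: matching on just `present on /dev` would silence every hidden-file finding under /dev, including ones you would want to see.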