On Wed, Jun 1, 2016 at 5:17 AM, Tahir Hafiz <[email protected]> wrote:
> Creating a child rule like that looks for "/dev/.blkid.tab.old" and ignores
> it, okay, I am trying to find examples of such things.
> Do you have a link or any examples of such a thing?
>

The rules files are full of examples.

> I don't need to create such a rule in local_rules.xml do I?
>
> I think I should create such a rule in ossec_rules.xml where the 510 rule
> exists.
> Is that correct?
>

Using local_rules.xml is the best option. The other rule files will get
overwritten during an upgrade, and your changes would be lost.

Something like (and I haven't tested this or anything):

<rule id="800001" level="0">
  <if_sid>510</if_sid>
  <match>/dev/.blkid.tab.old</match>
  <description>Ignore /dev/.blkid.tab.old</description>
</rule>

>
> <rule id="510" level="7">
>   <if_sid>509</if_sid>
>   <description>Host-based anomaly detection event (rootcheck).</description>
>   <group>rootcheck,</group>
>   <if_fts />
> </rule>
>
> Above is the stanza, I will try to add to it by reading this pdf about
> rules:
> http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
>
> On Tuesday, 31 May 2016 17:42:10 UTC+1, dan (ddpbsd) wrote:
>>
>> On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <[email protected]> wrote:
>> > How do I get OSSEC to ignore a specific textual alert and not show it in
>> > the alerts file?
>> > I know I can create a local_rules.xml file and get it to ignore a
>> > specific rule but I need something more specific than that.
>> >
>> > This is the alert that I see in the alerts file
>> > (/var/ossec/logs/alerts/alerts.log):
>> >
>> > ** Alert 1464690578.111537: mail - ossec,rootcheck,
>> > 2016 May 31 11:29:38 (XYZabc02) any->rootcheck
>> > Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
>> > File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.
>> >
>> > So I would like OSSEC to not show the above alert in the alerts file.
>> > Is there a way to do that?
>> >
>> > More generally, is there a way to whitelist specific alerts so they don't
>> > show up in the alerts file?
>> >
>>
>> Have you tried creating a child rule that looks for "/dev/.blkid.tab.old"?
>>
>> > I see that the guy here has the same problem but his solution does not
>> > work:
>> > https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles
>> >
>> > Cheers,
>> > Tahir
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
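A complete local_rules.xml for the case discussed in this thread, added here as an illustration rather than taken from the thread or the OSSEC project; it assumes the usual OSSEC convention that site-local rule ids are taken from the 100000 to 119999 range, and it anchors the match on the full rootcheck message rather than only the path:

```xml
<!-- /var/ossec/rules/local_rules.xml (survives upgrades; ossec_rules.xml does not) -->
<group name="local,">

  <!-- Child of rootcheck rule 510. When an event already matched 510 and its
       text contains the string below, this rule fires instead of the parent.
       level="0" means the event is not written to alerts.log at all.
       <match> in OSSEC is a plain substring test, so the dots in the path
       need no escaping. Rule id 100001 is assumed to be free in the local
       range on this server. -->
  <rule id="100001" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/.blkid.tab.old' present on /dev</match>
    <description>Ignore rootcheck noise for the blkid cache file on /dev.</description>
  </rule>

</group>
```

OSSEC reads rule files at start-up, so restart it (for example with /var/ossec/bin/ossec-control restart) after editing; every other rootcheck finding still reaches alerts.log through rule 510, since only events carrying this exact message text are demoted to level 0.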
