Actually, I think it's going to be this because the sid is 509.

  <rule id="100002" level="0">
    <if_sid>509</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore /dev/.blkid.tab.old</description>
  </rule>


Will try to test this today. I have other whitelisting (level 0) stuff to 
do as well. 



On Wednesday, 1 June 2016 13:36:53 UTC+1, Tahir Hafiz wrote:
>
> Thanks will give it a try in the local_rules.xml
>
> Am I right in thinking that Level 0 still keeps a log in 
> /var/ossec/logs/ossec.log, and it's just the alerts file that the log is kept 
> out of?
>
>
>
> On Wednesday, 1 June 2016 12:59:42 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 1, 2016 at 5:17 AM, Tahir Hafiz <[email protected]> wrote: 
>> > Creating a child rule like that looks for "/dev/.blkid.tab.old" and 
>> ignores 
>> > it, okay, I am trying to find examples of such things. 
>> > Do you have a link or any examples of such a thing? 
>> > 
>>
>> The rules files are full of examples. 
>>
>> > I don't need to create such a rule in local_rules.xml do I? 
>> > 
>> > I think I should create such a rule in ossec_rules.xml where the 510 
>> rule 
>> > exist. 
>> > Is that correct? 
>> > 
>>
>> Using local_rules.xml is the best option. The other rule files will 
>> get overwritten during an upgrade, and your changes would be lost. 
>>
>> Something like (and I haven't tested this or anything): 
>> <rule id="800001" level="0"> 
>>   <if_sid>510</if_sid> 
>>   <match>/dev/.blkid.tab.old</match> 
>>   <description>Ignore /dev/.blkid.tab.old</description> 
>> </rule> 
>>
>> > 
>> >   <rule id="510" level="7"> 
>> >     <if_sid>509</if_sid> 
>> >     <description>Host-based anomaly detection event 
>> > (rootcheck).</description> 
>> >     <group>rootcheck,</group> 
>> >     <if_fts /> 
>> >   </rule> 
>> > 
>> > Above is the stanza, I will try to add to it by reading this pdf about 
>> > rules: 
>> > http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf 
>> > 
>> > 
>> > 
>> > 
>> > On Tuesday, 31 May 2016 17:42:10 UTC+1, dan (ddpbsd) wrote: 
>> >> 
>> >> On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <[email protected]> 
>> wrote: 
>> >> > How do I get OSSEC to ignore a specific textual alert and not show 
>> it in 
>> >> > the 
>> >> > alerts file? 
>> >> > I know I can create a local_rules.xml file and get it to ignore a 
>> >> > specific 
>> >> > rule but I need something more specific than that. 
>> >> > 
>> >> > This is the alert that I see in the alerts file 
>> >> > (/var/ossec/logs/alerts/alerts.log): 
>> >> > 
>> >> > ** Alert 1464690578.111537: mail  - ossec,rootcheck, 
>> >> > 2016 May 31 11:29:38 (XYZabc02) any->rootcheck 
>> >> > Rule: 510 (level 7) -> 'Host-based anomaly detection event 
>> (rootcheck).' 
>> >> > File '/dev/.blkid.tab.old' present on /dev. Possible hidden file. 
>> >> > 
>> >> > 
>> >> > So I would like OSSEC to not show the above alert in the alerts 
>> file. 
>> >> > Is there a way to do that? 
>> >> > 
>> >> > More generally is there a way to whitelist specific alerts so they 
>> don't 
>> >> > show up in the alerts file. 
>> >> > 
>> >> 
>> >> 
>> >> Have you tried creating a child rule that looks for 
>> "/dev/.blkid.tab.old"? 
>> >> 
>> >> > I see that the guy here has the same problem but his solution does 
>> not 
>> >> > work: 
>> >> > https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles 
>> >> > 
>> >> > Cheers, 
>> >> > Tahir 
>> >> > 
>> >> > -- 
>> >> > 
>> >> > --- 
>> >> > You received this message because you are subscribed to the Google 
>> >> > Groups 
>> >> > "ossec-list" group. 
>> >> > To unsubscribe from this group and stop receiving emails from it, 
>> send 
>> >> > an 
>> >> > email to [email protected]. 
>> >> > For more options, visit https://groups.google.com/d/optout. 
>> > 
>>
>


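For reference, here is what the suppression rule looks like as a complete local_rules.xml fragment. This is an added example written for this page, not something posted in the thread or shipped with OSSEC. It follows dan's variant and chains to 510, because the alert quoted above reports "Rule: 510 (level 7)" and a level-0 child is evaluated only after its parent has matched. The rule id 100002 is taken from the thread (the 100000-119999 range is the one OSSEC reserves for local rules); the tighter match string and the group name are assumptions (the group name is the default wrapper in a stock local_rules.xml, and every rule must sit inside a group element or the file will not load).

```xml
<!-- /var/ossec/etc/local_rules.xml  (added example, not from the thread) -->
<group name="local,syslog,">

  <!-- Suppress the rootcheck "possible hidden file" alert for /dev/.blkid.tab.old.
       if_sid 510 makes this a child of the rule that actually fired; when a
       level-0 child matches, the event is dropped and nothing is written to
       alerts.log or sent by e-mail.
       <match> is OSSEC's literal substring pattern, not a regex, so the dots
       in the path match themselves and need no escaping. The full message text
       is used here instead of the bare path so that other rootcheck findings
       mentioning the same file are not silenced by accident. -->
  <rule id="100002" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/.blkid.tab.old' present on /dev</match>
    <description>Ignore rootcheck hidden-file alert for /dev/.blkid.tab.old</description>
  </rule>

</group>
```

Restart the manager (`/var/ossec/bin/ossec-control restart`) for the rules to be reloaded. Note that level 0 does not "keep a copy somewhere else": the event is simply not alerted. If you want every event retained regardless of alert level, set `<logall>yes</logall>` in the `<global>` section of ossec.conf, which writes them to logs/archives/ instead; ossec.log is the daemon's own log and never receives event data either way.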