Here's how I do it:

  <rule id="101510" level="1">
    <if_sid>510</if_sid>
    <options>no_email_alert</options>
    <match>/dev/oracleasm/iid|/dev/oracleasm/.check_iid|/dev/oracleasm/.get_iid|/dev/oracleasm/.query_disk|/dev/oracleasm/.query_version</match>
    <description>Ignore alerts for OracleASM files</description>
  </rule>


On Tue, Aug 30, 2016 at 10:16 AM, dan (ddp) <[email protected]> wrote:

> On Tue, Aug 30, 2016 at 10:00 AM, Stephen LuShing <[email protected]>
> wrote:
> > I have been getting this notification which I am trying to fix. This is a
> > normal occurrence since this is an Oracle database using ASM disks. The
> > notification is the same but the files change. Here is what we received
> >
> > OSSEC HIDS Notification.
> > 2016 Aug 30 08:33:48
> >
> > Received From: (lxbanrdt2) 147.4.146.155->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> > Portion of the log(s):
> >
> > File '/dev/oracleasm/iid/00000000000019BE' present on /dev. Possible hidden file.
> >
> >  --END OF NOTIFICATION
> >
> > OSSEC HIDS Notification.
> > 2016 Aug 30 08:33:48
> >
> > I want to have this notification ignored, so any ideas on how to do this?
> >
>
> Untested:
>
> <rule id="123456" level="0">
>   <if_sid>510</if_sid>
>   <match>/dev/oracleasm/iid</match>
>   <description>Ignore oracleasm</description>
> </rule>
>
> >
> > Stephen LuShing
> >
> > Hofstra University
> >
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>

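To see what each of the two rules posted in this thread would actually silence, here is an added example (not from the thread and not OSSEC's own code) that emulates OSSEC's `<match>` semantics in Python and runs both rules over a few rootcheck messages constructed in the format of the alert quoted above. It assumes the default `log_alert_level` of 1 and `email_alert_level` of 7, treats `<match>` as a literal substring test where `|` separates alternatives and `^`/`$` anchor to the start/end of the event, and tries child rules in file order; the sample paths other than the one quoted above are made up for the demonstration.

```python
"""Added example: which rootcheck (rule 510) alerts would the two local rules
from this thread suppress?  Emulates OSSEC's <match> semantics in Python."""
import xml.etree.ElementTree as ET

PARENT_RULE = 510       # "Host-based anomaly detection event (rootcheck)."
PARENT_LEVEL = 7
LOG_ALERT_LEVEL = 1     # assumed ossec.conf defaults: alerts below 1 are dropped,
EMAIL_ALERT_LEVEL = 7   # alerts at 7 or above are mailed unless no_email_alert

# Constructed local_rules.xml content, wrapped in <group> so it parses on its own.
RULES_MULTI = """<group name="local,">
  <rule id="101510" level="1">
    <if_sid>510</if_sid>
    <options>no_email_alert</options>
    <match>/dev/oracleasm/iid|/dev/oracleasm/.check_iid|/dev/oracleasm/.get_iid|/dev/oracleasm/.query_disk|/dev/oracleasm/.query_version</match>
    <description>Ignore alerts for OracleASM files</description>
  </rule>
</group>"""

RULES_SINGLE = """<group name="local,">
  <rule id="123456" level="0">
    <if_sid>510</if_sid>
    <match>/dev/oracleasm/iid</match>
    <description>Ignore oracleasm</description>
  </rule>
</group>"""

# Constructed rootcheck messages in the format of the alert quoted in the thread.
MSG_IID = "File '/dev/oracleasm/iid/00000000000019BE' present on /dev. Possible hidden file."
MSG_QUERY = "File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden file."
MSG_OTHER = "File '/dev/.x/backdoor' present on /dev. Possible hidden file."
MSG_NESTED = "File '/dev/.x/dev/oracleasm/iid' present on /dev. Possible hidden file."


def compile_match(pattern):
    """Approximate OSSEC <match> (OS_Match): '|' separates alternatives, each a
    literal substring ('.' is not special); a leading '^' anchors to the start
    and a trailing '$' to the end of the event text."""
    alts = []
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        alts.append((start, end, body))

    def matches(text):
        for start, end, body in alts:
            if start and end:
                hit = text == body
            elif start:
                hit = text.startswith(body)
            elif end:
                hit = text.endswith(body)
            else:
                hit = body in text
            if hit:
                return True
        return False
    return matches


def load_children(rules_xml, parent=PARENT_RULE):
    """Child rules (id, level, no_email, matcher) whose <if_sid> names parent."""
    children = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        raw = (rule.findtext("if_sid") or "").replace(" ", "")
        sids = {int(s) for s in raw.split(",") if s}
        if parent not in sids:
            continue
        no_email = "no_email_alert" in (rule.findtext("options") or "")
        children.append((int(rule.get("id")), int(rule.get("level")),
                         no_email, compile_match(rule.findtext("match") or "")))
    return children


def evaluate(rules_xml, message):
    """Return (rule_id, level, logged, emailed) for a message that fired rule 510.
    Simplification: children are tried in file order; the first <match> hit wins."""
    for rid, level, no_email, matcher in load_children(rules_xml):
        if matcher(message):
            return (rid, level, level >= LOG_ALERT_LEVEL,
                    level >= EMAIL_ALERT_LEVEL and not no_email)
    return PARENT_RULE, PARENT_LEVEL, True, True


if __name__ == "__main__":
    for name, rules in (("multi-pattern", RULES_MULTI), ("single-pattern", RULES_SINGLE)):
        print(name)
        for msg in (MSG_IID, MSG_QUERY, MSG_OTHER, MSG_NESTED):
            print("  %-60s -> %s" % (msg[:60], evaluate(rules, msg)))
```

Two things the run makes visible. First, the level-0 rule discards the event entirely, while the level-1 rule with `no_email_alert` still writes it to alerts.log and only stops the mail, so choose by whether you want an audit trail of the ASM files. Second, `<match>` is an unanchored substring test: any rootcheck message containing one of those strings anywhere in the path is suppressed too, which is what MSG_NESTED shows; a pattern such as `^File '/dev/oracleasm/` narrows the exception to files directly under that directory.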