<https://lh3.googleusercontent.com/-PjI5QG1OEt4/WIpsiYbmInI/AAAAAAAAAP8/XaaQ35illHgeh_zq_oAtMKNU6giFsek7QCLcB/s1600/2017-01-26_1638.png>
full_log:
Files hidden inside directory
'/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'.
Link count does not match number of files (54,70).
I have a rule set up to ignore this, and it's actually being hit when I test
the above line via ./ossec-logtest -v (see image).
When I check the alerts, I see this as a level 7 alert.
The rules are defined on the server. Any idea on why an alert would be
generated despite the level 0 rule being hit?
Decoder:

<decoder name="ignore_docker_mismatch">
  <prematch>Files hidden inside directory </prematch>
  <regex>(\p/var/lib/docker\.+)</regex>
  <order>extra_data</order>
</decoder>

Rule:

<rule id="700006" level="0">
  <decoded_as>ignore_docker_mismatch</decoded_as>
  <description>Level 0 Alert -- Ignoring Docker Files Mismatch</description>
</rule>
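The "Files hidden inside directory" message is a rootcheck finding, and analysisd passes rootcheck events through its built-in rootcheck decoder rather than the syslog decoder chain, so a custom <decoder> that matches when the line is pasted into ossec-logtest never sees the live event, which instead fires the stock rootcheck rule 510 at level 7. A level 0 child of rule 510 is the usual way to silence one specific finding. The snippet below is an added example, not the poster's configuration; it assumes the stock rootcheck_rules.xml (rule 510) is loaded and that the snippet goes in local_rules.xml on the server.

```xml
<!-- Added example: suppress the Docker aufs link-count mismatch finding
     without touching the decoders. Assumes stock rule 510
     ("Host-based anomaly detection event (rootcheck)") is present. -->
<group name="local,rootcheck,">

  <!-- Child of the generic rootcheck rule: only events that already
       matched 510 reach this rule, so it cannot catch anything else. -->
  <rule id="700006" level="0">
    <if_sid>510</if_sid>
    <!-- <match> is a literal (sregex) match, so the quote and slashes
         need no escaping. Keep the path prefix specific to the Docker
         aufs layer directory so hidden files elsewhere still alert. -->
    <match>Files hidden inside directory '/var/lib/docker/aufs/mnt/</match>
    <description>Ignoring Docker aufs layer link-count mismatch (rootcheck).</description>
  </rule>

</group>
```

Verify with ossec-logtest -v by pasting the full_log line; the output should now show the event decoded as rootcheck and ending at rule 700006, level 0, rather than rule 510.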