Hi Rob,

It is not possible to create decoders for rootcheck because they are at C level:
https://github.com/wazuh/wazuh/blob/master/src/analysisd/analysisd.c#L772

Also, you don't need them, just create a rule like:

<rule id="70908" level="0" frequency="0" timeframe="45" ignore="300">
    <if_matched_sid>510</if_matched_sid>
    <match>your conditions (match the file?)</match>
    <description>Ignore rule 510 during 300 seconds.</description>
</rule>


Example of completely ignoring a rootcheck event:
https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63

Also, you can disable the check in the *ossec.conf*.

I hope it helps.
Regards.

On Thursday, April 6, 2017 at 7:44:57 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams <[email protected]> wrote: 
> > Hi, 
> > 
> > I tried to do this, but I'm getting: 
> > 
> > ERROR: Parent decoder name invalid: 'rootcheck' 
> > ERROR: Error adding decoder plugin 
> > 
> > I don't see the rootcheck decoder within decoder.xml as well, any ideas? 
> > 
>
> It must be one of the built in decoders, and I guess those can't be 
> used for child decoders. 
> No other ideas at the moment, but I'll keep thinking about it. 
>
> > Thanks again for the help! 
> > 
> > 
> > On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote: 
> >> 
> >> Hi all, 
> >> 
> >> I'm running into an issue where rule 510 is triggering and I'm getting 
> >> spammed with alerts but I can't seem to tune it correctly. What's weird is 
> >> that I am still getting alerted for rule 510 for this log, but I can't 
> >> figure out how to get that to show in logtest. Basically, I am getting 
> >> spammed with rule 510 and trying to filter it down more and here is what 
> >> happens when I enter the log in logtest:    .... any ideas on how to fix 
> >> this? 
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >> 
> >>        full event: 'File '/filepath/' is owned by root and has written 
> >> permissions to anyone.' 
> >> 
> >>        hostname: 'hostname' 
> >> 
> >>        program_name: '(null)' 
> >> 
> >>        log: 'File '/filepath/' is owned by root and has written 
> >> permissions to anyone.' 
> >> 
> >> 
> >> **Phase 2: Completed decoding. 
> >> 
> >>        decoder: 'sample_decoder_setup' 
> >> 
> >>        id: '/filepath/' 
> > 

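A complete local_rules.xml version of the child-rule approach suggested in the reply above, added here as an example and not taken from the thread or from the Wazuh ruleset. The path /opt/example/scratch/ stands in for the redacted '/filepath/' and the rule ids 100510 and 100511 are assumed values in the local-rule range; the rule text to match is the rootcheck message shown in the logtest output.

```xml
<!-- local_rules.xml: silence rootcheck rule 510 for one known-noisy path
     while every other "owned by root and has written permissions to anyone"
     finding keeps alerting. Added example; path and rule ids are constructed. -->
<group name="local,rootcheck,">

  <!-- Child of the built-in rule 510. A level 0 match means the event is
       consumed here, so 510 itself no longer fires for it and no alert is
       written. <match> is a plain substring test; '^' anchors it to the
       start of the rootcheck message. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <match>^File '/opt/example/scratch/' is owned by root and has written permissions to anyone.</match>
    <description>Rootcheck: known world-writable scratch dir, ignored.</description>
  </rule>

  <!-- Same mechanism in the other direction: keep 510 for everything else,
       but raise the level when the world-writable file lives under /etc. -->
  <rule id="100511" level="10">
    <if_sid>510</if_sid>
    <regex>^File '/etc/</regex>
    <description>Rootcheck: world-writable file under /etc.</description>
    <group>rootcheck,</group>
  </rule>

</group>
```

Because rootcheck events arrive through the rootcheck queue rather than a log file, verify the tuning by watching alerts.log after restarting the manager rather than relying on ossec-logtest alone.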