You can't use ossec-logtest for rootcheck events. For example, if I get the
full_log of a real alert: "File
'/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is
owned by root and has written permissions to anyone." and I paste it in
logtest:
**Phase 1: Completed pre-decoding.
full event: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language
files/Valencian.nlf' is owned by root and has written permissions to
anyone.'
hostname: 'ip-10-0-0-10'
program_name: '(null)'
log: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/
Valencian.nlf' is owned by root and has written permissions to anyone.'
**Phase 2: Completed decoding.
No decoder matched.
So, ossec-logtest doesn't show anything, but the alert is properly
generated. This is because rootcheck has its decoders at C level.
Your rule looks right, just restart OSSEC and test it manually. Sometimes,
OSSEC has problems with \.* so if that part doesn't have spaces, it is
better to use \S*.
Let me know if it works.
Regards.
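Since ossec-logtest cannot exercise rootcheck events, the rule's `<regex>` or `<match>` condition has to be checked some other way before restarting OSSEC. The script below is an added example, not code from this thread or from the OSSEC project: it emulates the OSSEC `<regex>` escapes (`\.`, `\w`, `\d`, `\s`, `\S`, `\p` and friends, as I read the OSSEC regex syntax) and the simpler `<match>` syntax (`|`, `^`, `$`, leading `!`), then runs a rule fragment against the two rootcheck messages quoted in this thread. It does not model `if_matched_sid`, frequency or timeframe; it only answers "would this condition match this full_log". The rule names `GERT_RULE`, `NOSPACE_RULE` and `MATCH_RULE` are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# OSSEC <regex> escapes mapped to Python re syntax. Assumption: this is the
# documented OSSEC regex escape set; anything else is a literal character.
_OSSEC_ESCAPES = {
    ".": ".",                    # \.  any character
    "w": r"[A-Za-z0-9@_\-]",     # \w  alphanumerics plus @ - _
    "d": r"[0-9]",               # \d  digit
    "s": r" ",                   # \s  a space
    "t": r"\t",                  # \t  a tab
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p  punctuation
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",                # \S  anything that is not a space
    "\\": r"\\",
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into a Python re pattern.
    Only ^ $ | + * are special in OSSEC; '.', '(', '[' etc. are literals."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in "^$|+*" else re.escape(ch))
        i += 1
    return "".join(out)


def ossec_regex_search(pattern: str, text: str) -> bool:
    return re.search(ossec_regex_to_python(pattern), text) is not None


def ossec_match(pattern: str, text: str) -> bool:
    """Emulate <match>: '|' separates alternatives, '^' anchors the start,
    '$' anchors the end, a leading '!' negates the whole pattern."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = False
    for alt in pattern.split("|"):
        if alt.startswith("^") and alt.endswith("$"):
            ok = text == alt[1:-1]
        elif alt.startswith("^"):
            ok = text.startswith(alt[1:])
        elif alt.endswith("$"):
            ok = text.endswith(alt[:-1])
        else:
            ok = alt in text
        if ok:
            hit = True
            break
    return not hit if negate else hit


def rule_matches(rule_xml: str, full_log: str) -> bool:
    """True if every <match>/<regex> in the rule fragment matches full_log.
    A rule with neither condition applies to every event that reaches it."""
    rule = ET.fromstring(rule_xml)
    checks = [ossec_match(m.text or "", full_log) for m in rule.findall("match")]
    checks += [ossec_regex_search(r.text or "", full_log) for r in rule.findall("regex")]
    return all(checks)


# Sample rootcheck messages, taken from the thread above.
DOCKER_LOG = ("File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e"
              "/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'"
              " is owned by root and has written permissions to anyone.")
NSIS_LOG = ("File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf'"
            " is owned by root and has written permissions to anyone.")

# Constructed rule fragments: the thread's \.* version and a \S* variant.
GERT_RULE = r"""<rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
  <if_matched_sid>510</if_matched_sid>
  <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
  <description>Ignore rootcheck warning on world-writable docker volumes</description>
</rule>"""
NOSPACE_RULE = GERT_RULE.replace(r"\.*", r"\S*")
MATCH_RULE = r"""<rule id="100511" level="0">
  <if_matched_sid>510</if_matched_sid>
  <match>/var/lib/docker/volumes/|/usr/local/nsis/</match>
  <description>Ignore rule 510 for two path prefixes</description>
</rule>"""


def main() -> None:
    for name, rule in (("GERT_RULE", GERT_RULE), ("NOSPACE_RULE", NOSPACE_RULE), ("MATCH_RULE", MATCH_RULE)):
        for log_name, log in (("docker", DOCKER_LOG), ("nsis", NSIS_LOG)):
            print(f"{name:13s} vs {log_name:6s}: {rule_matches(rule, log)}")
    # \S* stops at the space in 'Language files', \.* does not.
    print("nsis with \\S*:", ossec_regex_search(r"/usr/local/nsis/\S* is owned", NSIS_LOG))
    print("nsis with \\.*:", ossec_regex_search(r"/usr/local/nsis/\.* is owned", NSIS_LOG))


if __name__ == "__main__":
    main()
```

Running it shows both the `\.*` and `\S*` forms of the docker rule matching the docker message and not the nsis one, while a `\S*` pattern fails on a path containing a space, which is the caveat above about choosing `\S*` only for the part of the path that has no spaces.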
On Saturday, May 20, 2017 at 3:04:44 AM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog <[email protected]> wrote:
> > Hi Jesus,
> >
> > I'm having the same problem, and the triggering of this rule causes so
> > much noise that it's drowning out other alerts. I have added a rule like
> > you suggested to my local rules:
> >
> > <rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
> > <if_matched_sid>510</if_matched_sid>
> > <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has
> > written permissions to anyone</regex>
> > <description>Ignore rootcheck warning on world-writable docker
> > volumes</description>
> > </rule>
> >
> > But it doesn't seem to have an effect. I've played with the regex,
> > simplifying it and even deleting it altogether, but I still can't seem
> > to get it working. Logtest shows the following output:
> >
> > File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.
> >
>
> Is this the log message you get from the agent? You can turn on the
> logall option and check archives.log for the exact message from the
> agent.
>
> > **Phase 1: Completed pre-decoding.
> > full event: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
> > hostname: 'ec2-12-34-56-78'
> > program_name: '(null)'
> > log: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
> >
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is
> > there anything obvious that I'm doing wrong?
> >
> > Cheers!
> > Gert
> >
> >
> >
> > On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares wrote:
> >>
> >> Hi Rob,
> >>
> >> you need to add the conditions to trigger that rule only for your
> >> specific files. Use match or regex:
> >>
> >> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
> >> <if_matched_sid>510</if_matched_sid>
> >> <!--
> >> conditions:
> >> option 1:
> >> <match>YOUR_FILE1|YOUR_FILE2|...</match>
> >> option 2:
> >> <regex>YOUR_FILE\.+</regex>
> >> -->
> >> <description>Ignore rule 510 for 600 seconds for some
> >> files.</description>
> >> </rule>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.