Re: [ossec-list] Child rule w/ regex not working - can't figure out why

2018-03-06 Thread Rob Williams
Indeed it does!! Thanks for the help, really appreciate it!

On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams <tsinfo...@gmail.com> wrote: 
> > I am trying to create a child rule to 1002 (which I have silenced) to 
> > alert in certain cases. I can get the rule to work if I remove the regex 
> > portion; however, I don't want that as a permanent solution. My rule is 
> > below, and a sample log entry is below as well. Am I doing something wrong 
> > when it comes to matching based on regex? 
> > 
> > 
> > 
> > 1002 
> > 
> > + ERROR TcpOutputFd - Connection to host=\S+ failed 
> > 
>
> Does it work if you change the above to  instead of ? 
>
> > Unsilence 1002 for failed TcpOutputFd connections 
> > 
> >
> > 
> > 
> > Sample Log: 
> > 
> > 
> > 03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
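Added example for this thread (not code from the list or from OSSEC): a small Python model of a silenced parent rule with a child that re-enables alerting, run against the sample log line above. Python's `re` is used here, not OSSEC's own regex engine, so the pattern syntax is only an approximation; the child rule id 100002, the rule descriptions and the `ERROR` substring condition for the parent are assumptions. It also shows one thing the thread's pattern exposes: a regex that begins with an unescaped `+` is rejected by `re` (the `+` is a quantifier with nothing to repeat), while as a plain substring test the same text is taken literally, `\S+` included, and so never matches the log line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the sample log line from the thread.
SAMPLE_LOG = ("03-06-2018 21:53:42.475 + ERROR TcpOutputFd - "
              "Connection to host=127.0.0.1:9997 failed")

# The poster's pattern as written, and the same pattern with the leading '+' escaped
# (and the host turned into a capture group).
RAW_PATTERN = r"+ ERROR TcpOutputFd - Connection to host=\S+ failed"
ESCAPED_PATTERN = r"\+ ERROR TcpOutputFd - Connection to host=(\S+) failed"


def compiles(pattern: str) -> bool:
    """True if Python's re accepts the pattern (OSSEC's engine is a different dialect)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    match: Optional[str] = None    # plain substring test, in the spirit of <match>
    regex: Optional[str] = None    # regular expression, in the spirit of <regex>
    if_sid: Optional[int] = None   # parent rule that must have matched first


# Assumed rule set: the silenced parent (level 0) and a child that alerts at level 7.
# 100002 is a placeholder id; descriptions are made up.
RULES = [
    Rule(1002, 0, "Generic error line (silenced by the poster)", match="ERROR"),
    Rule(100002, 7, "Unsilence 1002 for failed TcpOutputFd connections",
         if_sid=1002, regex=ESCAPED_PATTERN),
]


def evaluate(log_line: str, rules=RULES):
    """Walk the rules in order. A child is tried only after its if_sid parent matched;
    the last rule to match is the most specific one and decides the alert.
    Returns (rule or None, regex capture groups)."""
    matched_ids = set()
    winner, captures = None, ()
    for rule in rules:
        if rule.if_sid is not None and rule.if_sid not in matched_ids:
            continue
        if rule.match is not None and rule.match not in log_line:
            continue
        if rule.regex is not None:
            m = re.search(rule.regex, log_line)
            if m is None:
                continue
            captures = m.groups()
        matched_ids.add(rule.rule_id)
        winner = rule
    return winner, captures


def alert_level(log_line: str) -> int:
    """Level the line would alert at; 0 means silenced or no rule matched."""
    rule, _ = evaluate(log_line)
    return 0 if rule is None else rule.level


if __name__ == "__main__":
    print("raw pattern accepted as regex:  ", compiles(RAW_PATTERN))
    print("escaped pattern accepted:       ", compiles(ESCAPED_PATTERN))
    print("raw text as plain substring:    ", RAW_PATTERN in SAMPLE_LOG)
    rule, caps = evaluate(SAMPLE_LOG)
    print("winning rule / level / captures:", rule.rule_id, rule.level, caps)
```

Running the block prints that the raw pattern is rejected as a regex, that the same text is never found as a plain substring, and that the escaped regex lets the child rule win at level 7 with the host captured. Whatever dialect the real engine speaks, the practical check is the same: feed the exact sample line through the rule chain before deploying it, as the list suggests with logtest.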


[ossec-list] Child rule w/ regex not working - can't figure out why

2018-03-06 Thread Rob Williams
I am trying to create a child rule to 1002 (which I have silenced) to alert 
in certain cases. I can get the rule to work if I remove the regex portion; 
however, I don't want that as a permanent solution. My rule is below, and a 
sample log entry is below as well. Am I doing something wrong when it comes 
to matching based on regex?



1002

+ ERROR TcpOutputFd - Connection to host=\S+ failed

Unsilence 1002 for failed TcpOutputFd connections


  


Sample Log:


03-06-2018 21:53:42.475 + ERROR TcpOutputFd - Connection to host=127.0.0.1:9997 failed



[ossec-list] Re: What is the best way to make ossec ignore alerts caused by new packages (unatended upgrades)?

2018-01-19 Thread Rob Williams
Hi Jesus,

Can you elaborate a bit more on what you mean here? I'm also trying to 
disable syscheck alerts when unattended upgrades run, but I'm not quite 
sure the best way of doing so.

Thanks!

On Saturday, October 1, 2016 at 2:01:58 AM UTC-7, Jesus Linares wrote:
>
> Hi James,
>
> review the alerts related with packages, and create a rule to ignore the 
> events that you do not need.
>
> Regards.
>
> On Wednesday, September 28, 2016 at 5:40:34 PM UTC+2, James Vernon wrote:
>>
>> As the title says, is there a defined best practice for this?
>>
>> If unattended upgrades runs and upgrades any packages, ossec spams emails 
>> about changed files (as expected). Is there a tried and true method to make 
>> ossec aware that the packages were updated via unattended upgrades so it 
>> doesn't generate alerts or something similar outside of ossec (I 
>> acknowledge that this can be abused, but I would like to see if it's 
>> possible)? I'm quite new to this software so you will have to forgive me.
>>
>



Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Rob Williams
Still no luck. Just to verify, the scripts should be located in 
/var/ossec/active-response/bin/, correct? Unfortunately the logs aren't 
really telling me anything either.

On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote: 
> > Yes test.sh is on the agent. Execd is also running and yep the alert is 
> > firing. 
> > 
>
> Try removing the level option and leave just the rules_id. 
>
> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote: 
> >> > Hello, 
> >> > 
> >> > I'm pretty new to OSSEC and I'm working to get some active responses 
> >> > working. I have tried a number of different active responses but cannot 
> >> > seem to get it to work anywhere (not on the server or agents). I'm now 
> >> > trying a simple AR to just log to active-responses.log but it still does 
> >> > not seem to be triggering. I do receive the email alert, but the AR does 
> >> > not trigger. 
> >> > Here is my config for the test active response: 
> >> > 
> >> >  
> >> > 
> >> >test 
> >> > 
> >> >test.sh 
> >> > 
> >> > 
> >> > 
> >> >no 
> >> > 
> >> >  
> >> > 
> >> > (I've tried the location as local, all, and server but no luck) 
> >> > 
> >> >  
> >> > 
> >> >no 
> >> > 
> >> >test 
> >> > 
> >> >local 
> >> > 
> >> >70999 
> >> > 
> >> >0 
> >> > 
> >> >  
> >> > 
> >> > 
> >> > 
> >> > #!/bin/sh 
> >> > 
> >> > # Arguments passed by ossec-execd to every active-response script 
> >> > ACTION=$1 
> >> > USER=$2 
> >> > IP=$3 
> >> > ALERTID=$4 
> >> > RULEID=$5 
> >> > 
> >> > # Resolve the active-response directory relative to this script 
> >> > # (bin/ -> active-response/), so ../logs is the OSSEC logs directory 
> >> > LOCAL=`dirname "$0"` 
> >> > cd "$LOCAL" 
> >> > cd ../ 
> >> > PWD=`pwd` 
> >> > 
> >> > # Logging the call 
> >> > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log" 
> >> > 
> >> > 
> >> > 
> >> > The permissions on test.sh are correct with execute permission and I 
> >> > added them to ossec group as all other ARs seemed to have that. 
> >> > 
> >> 
> >> Is test.sh on the system you're trying to run the AR on? 
> >> Is execd running on the system you're trying to run the AR on? 
> >> Is 70999 firing? 
> >> With rules_id, I don't think you'll need the level option set. 
> >> 
> >> > 
> >> > Thanks! 
> >> > 


[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Rob Williams
Hi Jesus, the first rule is what I am trying. You said I can match the file 
in  but can I do that when the file changes, as it is not one file I 
want to ignore. Can I use regex syntax in rules? I used it in decoders as I 
thought I wasn't able to. Thanks!


510

Ignore rule 510 for 600 seconds if the same ID is matched.



On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
>
> What rule did you use? Please share here the rule and the alerts that 
> you want to ignore.
>
> I'd need the ID from the decoder to do so
>
> There are no xml decoders for rootcheck. What you want to extract in the 
> id field is the file, right? You can do a *match* in the rule for the 
> file.
>
> Regards.
>
> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>
>> Hi Jesus,
>>
>> Thanks for the reply. I have noticed when I activate this rule, it blocks 
>> all events and does not alert on the first event. Also note, I am trying to 
>> use the ID field from my decoder to match against. I can't just use a 
>> static match as the ID continuously changes so I'd need the ID from the 
>> decoder to do so. Any ideas? Thanks!
>>
>> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>>
>>> Hi all,
>>>
>>> I'm running into an issue where rule 510 is triggering and I'm getting 
>>> spammed with alerts but I can't seem to tune it correctly. What's weird is 
>>> that I am still getting alerted for rule 510 for this log, but I can't 
>>> figure out how to get that to show in logtest. Basically, I am getting 
>>> spammed with rule 510 and trying to filter it down more and here is what 
>>> happens when I enter the log in logtest: any ideas on how to fix 
>>> this?
>>>
>>> **Phase 1: Completed pre-decoding.
>>>
>>>full event: 'File '/filepath/' is owned by root and has written 
>>> permissions to anyone.'
>>>
>>>hostname: 'hostname'
>>>
>>>program_name: '(null)'
>>>
>>>log: 'File '/filepath/' is owned by root and has written 
>>> permissions to anyone.'
>>>
>>>
>>> **Phase 2: Completed decoding.
>>>
>>>decoder: 'sample_decoder_setup'
>>>
>>>id: '/filepath/'
>>>
>>



[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-13 Thread Rob Williams
Hi Jesus,

Thanks for the reply. I have noticed when I activate this rule, it blocks 
all events and does not alert on the first event. Also note, I am trying to 
use the ID field from my decoder to match against. I can't just use a 
static match as the ID continuously changes so I'd need the ID from the 
decoder to do so. Any ideas? Thanks!

On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting 
> spammed with alerts but I can't seem to tune it correctly. What's weird is 
> that I am still getting alerted for rule 510 for this log, but I can't 
> figure out how to get that to show in logtest. Basically, I am getting 
> spammed with rule 510 and trying to filter it down more and here is what 
> happens when I enter the log in logtest: any ideas on how to fix 
> this?
>
> **Phase 1: Completed pre-decoding.
>
>full event: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>hostname: 'hostname'
>
>program_name: '(null)'
>
>log: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>
> **Phase 2: Completed decoding.
>
>decoder: 'sample_decoder_setup'
>
>id: '/filepath/'
>



[ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-12 Thread Rob Williams
Essentially, I want to trigger an active response for a rule that I created 
that has a severity level of 0. I created this rule because I did not want 
to be alerted on the default rule and only wanted to be alerted based on 
the output from my active response. My question is if I have the severity 
level of 0, will it just be completely ignored without the active response 
even triggering? I ask because I'm having trouble setting it up properly 
and want to rule out if this is the cause. Thank you for your help in 
advance.



Re: [ossec-list] Pass active response script to agent

2017-04-09 Thread Rob Williams
Ah ok got it, thanks!!

On Friday, April 7, 2017 at 5:00:11 PM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, Apr 7, 2017 at 7:30 PM, Rob Williams <tsinfo...@gmail.com> wrote: 
> > Hello, 
> > 
> > I assume this should be pretty simple but I've been troubleshooting an 
> > Active Response I setup with a custom script and rules/decoders. 
> > Everything looks like it should be operating correctly, but I could not 
> > get it to work. After checking an agent, I'm realizing the custom script 
> > in active-response/bin/ that I created is not on the agent. How would I 
> > go about passing this? This is the first time I've created a custom 
> > script and I can't seem to find any documentation on this in particular. 
> > 
>
> You have to add it to the agent manually. Anything from scp to 
> puppet/ansible/chef to dragging the script from a file share. 
>
> > Thanks, 
> > Rob 
> > 


[ossec-list] Re: Pass active response script to agent

2017-04-07 Thread Rob Williams
Also, I've gone ahead and restarted, stopped then started, and more several 
times.

On Friday, April 7, 2017 at 4:30:53 PM UTC-7, Rob Williams wrote:
>
> Hello,
>
> I assume this should be pretty simple but I've been troubleshooting an 
> Active Response I setup with a custom script and rules/decoders. Everything 
> looks like it should be operating correctly, but I could not get it to work. 
> After checking an agent, I'm realizing the custom script in 
> active-response/bin/ that I created is not on the agent. How would I go 
> about passing this? This is the first time I've created a custom script and 
> I can't seem to find any documentation on this in particular.
>
> Thanks,
> Rob
>



[ossec-list] Pass active response script to agent

2017-04-07 Thread Rob Williams
Hello,

I assume this should be pretty simple but I've been troubleshooting an 
Active Response I setup with a custom script and rules/decoders. Everything 
looks like it should be operating correctly, but I could not get it to work. 
After checking an agent, I'm realizing the custom script in 
active-response/bin/ that I created is not on the agent. How would I go 
about passing this? This is the first time I've created a custom script and 
I can't seem to find any documentation on this in particular.

Thanks,
Rob



[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Rob Williams
Hi,

I tried to do this, but I'm getting:

ERROR: Parent decoder name invalid: 'rootcheck'
ERROR: Error adding decoder plugin

I don't see the rootcheck decoder within decoder.xml as well, any ideas?

Thanks again for the help!

On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting 
> spammed with alerts but I can't seem to tune it correctly. What's weird is 
> that I am still getting alerted for rule 510 for this log, but I can't 
> figure out how to get that to show in logtest. Basically, I am getting 
> spammed with rule 510 and trying to filter it down more and here is what 
> happens when I enter the log in logtest: any ideas on how to fix 
> this?
>
> **Phase 1: Completed pre-decoding.
>
>full event: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>hostname: 'hostname'
>
>program_name: '(null)'
>
>log: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>
> **Phase 2: Completed decoding.
>
>decoder: 'sample_decoder_setup'
>
>id: '/filepath/'
>



Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
I stopped them all (which appeared to work fine) and started again. Here is 
the rule and decoder I made for this (I want to alert only once if the same 
ID (filepath) has alerted in the past minute):



510



This is meant to reduce noise as these events happen in 
batches with not much difference in meaning.

  


DECODER:




  ^(\.+) (\p/filepath\.+) 

  (/filepath/\.+/mnt/\.+/)

  id




Logtest returns the id I am looking for to match and that part works fine. 
It only gets to the first 2 steps though, and does not match it with a rule 
in logtest.
On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <tsinfo...@gmail.com> wrote: 
> > Yes I have, I've also tried to disable all the relevant changes I've 
> > made, restart, and still have the same issue. 
> > 
>
> Try stopping the ossec processes, verify that ossec-analysisd has 
> stopped (sometimes it doesn't and causes issues), and start it back 
> up. 
> Can you also post the changes you made? 
>
> > On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com> wrote: 
> >> > Hi all, 
> >> > 
> >> > I'm running into an issue where rule 510 is triggering and I'm getting 
> >> > spammed with alerts but I can't seem to tune it correctly. What's weird 
> >> > is that I am still getting alerted for rule 510 for this log, but I 
> >> > can't figure out how to get that to show in logtest. Basically, I am 
> >> > getting spammed with rule 510 and trying to filter it down more and here 
> >> > is what happens when I enter the log in logtest: any ideas on how to fix 
> >> > this? 
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> > 
> >> >    full event: 'File '/filepath/' is owned by root and has written 
> >> > permissions to anyone.' 
> >> > 
> >> >    hostname: 'hostname' 
> >> > 
> >> >    program_name: '(null)' 
> >> > 
> >> >    log: 'File '/filepath/' is owned by root and has written permissions 
> >> > to anyone.' 
> >> > 
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> > 
> >> >    decoder: 'sample_decoder_setup' 
> >> > 
> >> >    id: '/filepath/' 
> >> > 
> >> 
> >> Did you restart the OSSEC processes on the server after making your 
> >> modifications? 
> >> 
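Added example for the rule-510 threads above (not OSSEC's code or the poster's): the poster wants one alert per file path (the decoder's `id` field) and silence for repeats of that path within a window, and reports that the composite rule he tried suppressed everything, including the first event. The Python below, over constructed rootcheck-style lines with made-up paths and timestamps, shows the two shapes side by side: a per-id suppressor that alerts on the first event and drops repeats for `timeframe` seconds, and a count-within-window trigger that only fires on the N-th repeat. The decoder regex, the timestamps and the 60-second window are assumptions, and neither class reproduces OSSEC's internal frequency/timeframe implementation.

```python
import re
from collections import defaultdict, deque

# Constructed rootcheck-style events as (seconds, line); paths and times are made up.
SAMPLE_EVENTS = [
    (0,  "File '/filepath/a' is owned by root and has written permissions to anyone."),
    (5,  "File '/filepath/a' is owned by root and has written permissions to anyone."),
    (10, "File '/filepath/b' is owned by root and has written permissions to anyone."),
    (30, "File '/filepath/a' is owned by root and has written permissions to anyone."),
    (70, "File '/filepath/a' is owned by root and has written permissions to anyone."),
    (75, "Completed rootcheck scan."),   # unrelated line, must be ignored
]

# Stand-in for the poster's decoder: pull the quoted path out as the `id` field.
ID_RE = re.compile(
    r"^File '(?P<id>[^']+)' is owned by root and has written permissions to anyone\.$"
)


def decode_id(line):
    """Return the file path the event is about, or None if the line is not a 510-style event."""
    m = ID_RE.match(line)
    return m.group("id") if m else None


class SameIdSuppressor:
    """Alert on the first event per id; drop repeats for `timeframe` seconds after that alert.
    The window is measured from the last alert, so steady noise cannot postpone the next one."""

    def __init__(self, timeframe):
        self.timeframe = timeframe
        self.last_alert = {}

    def should_alert(self, ts, key):
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.timeframe:
            return False
        self.last_alert[key] = ts
        return True


class FrequencyCounter:
    """Fire only when `frequency` events for the same id fall within `timeframe` seconds.
    Earlier events alone produce nothing, which is why a count-based rule looks as if it
    'does not alert on the first event'."""

    def __init__(self, frequency, timeframe):
        self.frequency = frequency
        self.timeframe = timeframe
        self.seen = defaultdict(deque)

    def should_alert(self, ts, key):
        window = self.seen[key]
        window.append(ts)
        while window and ts - window[0] >= self.timeframe:
            window.popleft()            # forget events older than the window
        if len(window) >= self.frequency:
            window.clear()              # the next burst has to fill the window again
            return True
        return False


def run(events, policy):
    """Feed (ts, line) events through the decoder and the policy; return emitted alerts."""
    alerts = []
    for ts, line in events:
        key = decode_id(line)
        if key is None:
            continue
        if policy.should_alert(ts, key):
            alerts.append((ts, key))
    return alerts


if __name__ == "__main__":
    print("alert first, then suppress:", run(SAMPLE_EVENTS, SameIdSuppressor(60)))
    print("fire on 2nd within window: ", run(SAMPLE_EVENTS, FrequencyCounter(2, 60)))
```

With the constructed events, the suppressor emits path `a` at 0 s, `b` at 10 s and `a` again at 70 s, while the counter emits nothing until the second `a` at 5 s. The second shape is the one to avoid when the goal is "tell me once, then be quiet", because the very first occurrence of a new path is exactly the one worth seeing.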


Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Yes I have, I've also tried to disable all the relevant changes I've made, 
restart, and still have the same issue.

On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com> wrote: 
> > Hi all, 
> > 
> > I'm running into an issue where rule 510 is triggering and I'm getting 
> > spammed with alerts but I can't seem to tune it correctly. What's weird 
> > is that I am still getting alerted for rule 510 for this log, but I can't 
> > figure out how to get that to show in logtest. Basically, I am getting 
> > spammed with rule 510 and trying to filter it down more and here is what 
> > happens when I enter the log in logtest: any ideas on how to fix 
> > this? 
> > 
> > **Phase 1: Completed pre-decoding. 
> > 
> >    full event: 'File '/filepath/' is owned by root and has written 
> > permissions to anyone.' 
> > 
> >    hostname: 'hostname' 
> > 
> >    program_name: '(null)' 
> > 
> >    log: 'File '/filepath/' is owned by root and has written permissions 
> > to anyone.' 
> > 
> > 
> > **Phase 2: Completed decoding. 
> > 
> >    decoder: 'sample_decoder_setup' 
> > 
> >    id: '/filepath/' 
> > 
>
> Did you restart the OSSEC processes on the server after making your 
> modifications? 
>


[ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Hi all,

I'm running into an issue where rule 510 is triggering and I'm getting 
spammed with alerts but I can't seem to tune it correctly. What's weird is 
that I am still getting alerted for rule 510 for this log, but I can't 
figure out how to get that to show in logtest. Basically, I am getting 
spammed with rule 510 and trying to filter it down more and here is what 
happens when I enter the log in logtest: any ideas on how to fix 
this?

**Phase 1: Completed pre-decoding.

   full event: 'File '/filepath/' is owned by root and has written 
permissions to anyone.'

   hostname: 'hostname'

   program_name: '(null)'

   log: 'File '/filepath/' is owned by root and has written permissions 
to anyone.'


**Phase 2: Completed decoding.

   decoder: 'sample_decoder_setup'

   id: '/filepath/'



[ossec-list] Alert for rule 510 is being generated, but logtest is not showing that any alert should be generated.

2017-04-05 Thread Rob Williams
Hi all,

I'm running into an issue where rule 510 is triggering and I'm getting 
spammed with alerts but I can't seem to tune it correctly. What's weird is 
that I am still getting alerted for rule 510 for this log, but I can't 
figure out how to get that to show in logtest. Basically, I am getting 
spammed with rule 510 and trying to filter it down more and here is what 
happens when I enter the log in logtest: any ideas on how to fix 
this?

**Phase 1: Completed pre-decoding.

   full event: 'File '/var/lib/docker/devicemapper/mnt/acbc57824bbcbeae3b511a861c7d4aafc7c4f2351ff2c1125d29f06cdb0e4b84/rootfs/opt/apps-server/.cache/Tradeshift.Offline.css' is owned by root and has written permissions to anyone.'

   hostname: 'hostname'

   program_name: '(null)'

   log: 'File '/filepath/' is owned by root and has written permissions 
to anyone.'


**Phase 2: Completed decoding.

   decoder: 'docker_root'

   id: '/filepath/'
