Re: [ossec-list] Alerts generated despite level '0' rule being hit

2017-01-27 Thread dan (ddp)
On Thu, Jan 26, 2017 at 4:41 PM, Daniel B.  wrote:
>
> full_log:
>
> Files hidden inside directory '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'. Link count does not match number of files (54,70).
>
> I have a rule set up to ignore this, and it's actually being hit when I test
> the above line via ./ossec-logtest -v (see image)
>
> When I check the alerts, I see this as a level 7 alert.
>
> The rules are defined on the server. Any idea on why an alert would be
> generated despite the level 0 rule being hit?
>

Did you restart the OSSEC processes on the server after adding your rule?

> Decoder:
>
>   Files hidden inside directory
>   (\p/var/lib/docker\.+)
>   extra_data
>
> Rule:
>
>   ignore_docker_mismatch
>   Level 0 Alert -- Ignoring Docker Files Mismatch

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Alerts generated despite level '0' rule being hit

2017-01-26 Thread Daniel B.

full_log:
Files hidden inside directory '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'. Link count does not match number of files (54,70).

I have a rule set up to ignore this, and it's actually being hit when I test 
the above line via ./ossec-logtest -v (see image)

When I check the alerts, I see this as a level 7 alert. 

The rules are defined on the server. Any idea on why an alert would be 
generated despite the level 0 rule being hit? 

Decoder: 

  Files hidden inside directory
  (\p/var/lib/docker\.+)
  extra_data

Rule: 

  ignore_docker_mismatch
  Level 0 Alert -- Ignoring Docker Files Mismatch



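The following is an added example and not code from the thread or from the OSSEC project. It is a toy model of what the poster's decoder and level-0 rule do to the full_log line above, and of why ossec-logtest and the running server can disagree: the script evaluates the same rule set once with the new decoder loaded and once without it. The decoder's name attribute is not visible in the thread and is assumed to be ignore_docker_mismatch (the value the rule matches on); the level-7 parent rule, the rule ids and the if_sid link are constructed stand-ins. The regex translation covers only the documented OSSEC escapes used here.

```python
"""Toy model of an OSSEC decoder/rule pass (added example, not OSSEC's own code)."""
from __future__ import annotations
import re

# Subset of OSSEC's regex dialect mapped onto Python's re, following the
# documented meanings: \. = any character, \p = punctuation, \w = A-Za-z0-9@_,
# \d = digit, \s = space. A bare '.' is a literal dot in OSSEC, so it is escaped.
_OSSEC_CLASSES = {
    ".": ".",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    "w": r"[A-Za-z0-9@_]",
    "d": r"[0-9]",
    "s": r" ",
}
_PASSTHROUGH = set("()+*^$|")  # metacharacters that mean the same in both dialects


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex>/<prematch> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(c if c in _PASSTHROUGH else re.escape(c))
        i += 1
    return "".join(out)


def run_decoder(decoder: dict, log: str) -> dict | None:
    """Apply prematch, then regex; map captured groups onto the <order> fields."""
    if not re.search(ossec_regex_to_python(decoder["prematch"]), log):
        return None
    m = re.search(ossec_regex_to_python(decoder["regex"]), log)
    if not m:
        return None
    fields = dict(zip(decoder["order"], m.groups()))
    fields["decoder"] = decoder["name"]
    return fields


def evaluate_rules(rules: list[dict], log: str, decoded: dict | None) -> dict | None:
    """Top-level rules hit on <match>; if_sid children refine them and the most
    specific hit wins, which is how a level-0 child silences its parent."""
    winner = None
    for rule in rules:
        if "if_sid" in rule:
            continue
        if rule.get("match") and rule["match"] not in log:
            continue
        winner = rule
        for child in rules:
            if child.get("if_sid") != rule["id"]:
                continue
            want = child.get("decoded_as")
            if want and (decoded is None or decoded["decoder"] != want):
                continue
            winner = child
    return winner


# The poster's decoder. Its name is not visible in the thread; it is assumed to
# be ignore_docker_mismatch because that is the value the rule matches on.
DOCKER_DECODER = {
    "name": "ignore_docker_mismatch",
    "prematch": "Files hidden inside directory",
    "regex": r"(\p/var/lib/docker\.+)",
    "order": ["extra_data"],
}

# Constructed stand-in for the stock level-7 rule the poster is seeing, plus the
# poster's level-0 child. Rule ids and the if_sid link are assumptions.
RULES = [
    {"id": 100900, "level": 7, "match": "Files hidden inside directory",
     "description": "Files hidden inside a directory (constructed stand-in)"},
    {"id": 100901, "level": 0, "if_sid": 100900,
     "decoded_as": "ignore_docker_mismatch",
     "description": "Level 0 Alert -- Ignoring Docker Files Mismatch"},
]

# The full_log line from the thread.
SAMPLE_LOG = ("Files hidden inside directory '/var/lib/docker/aufs/mnt/"
              "545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b"
              "/usr/share/locale'. Link count does not match number of files (54,70).")


def alert_level(log: str, loaded_decoders: list[dict]) -> int:
    """Level the rule set assigns to one line, given the decoders actually loaded.
    An empty list models an analysisd that has not been restarted since the
    decoder file was edited."""
    decoded = None
    for decoder in loaded_decoders:
        decoded = run_decoder(decoder, log)
        if decoded:
            break
    rule = evaluate_rules(RULES, log, decoded)
    return rule["level"] if rule else -1


if __name__ == "__main__":
    print("fresh config:", alert_level(SAMPLE_LOG, [DOCKER_DECODER]))  # what logtest shows
    print("stale config:", alert_level(SAMPLE_LOG, []))                # what the alerts show
```

ossec-logtest parses the decoder and rule files from disk on every run, whereas a running analysisd keeps the set it parsed when it started; the "stale config" case above is that second situation, and it is what a missing restart looks like. The same model also makes the decoder's weak spot visible: its regex only fires on paths under /var/lib/docker, so a hidden-files finding elsewhere still reaches the level-7 rule.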