[ossec-list] Regular expressions

2019-12-20 Thread Diego S
Hi all!

I was wondering about the best way to represent a digit within a range, and
whether it is possible to indicate that a digit is going to be repeated a
given number of times.

For example, a digit between 0 and 3 (I mean 0, 1, 2 or 3); that's the
first question.

For the second part, for example, a digit between 0 and 3 repeated 14
times. In a common regular expression this would be represented as
(0-3){14}

Thanks and Regards.

Diego.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/d87e366a-a9ff-4c10-bd6c-592b744f7599%40googlegroups.com.


[ossec-list] SIEM is not displaying my alert

2019-10-21 Thread Diego S
Hi everyone!

I'm not getting the alerts generated on the server reflected on the SIEM
dashboard.
I followed these steps to take data from the logs of an agent:
https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm

I'm getting the alert in alerts.log but I'm not able to find it on the SIEM
dashboard.

I don't know if this is a policy or event correlation thing, but I'm not
clear what the process is from receiving an alert to getting it reflected on
the SIEM.

Thanks and regards!
Diego.



Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
Thanks Juan! It's working now.

I entered the wrong forum!

Regards,

On Mon, 14 Oct 2019 at 11:48, Juan Carlos Tello (<juancarlos.te...@wazuh.com>) wrote:

> Hi Diego,
> The issue seems to be the regular expression.
>
> It seems the correct syntax would be:
> 
>   Brocade-format
>   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+),
>   user,second
> 
> Note that the /, [ and ] characters are not escaped, and that the criteria
> for extracting fields have been optimized.
>
> Although the issue was with the regular expression, which uses the same
> interpreter as OSSEC, it is true that the behavior is not the same as
> with OSSEC, so I do recommend using the Wazuh mailing list for queries
> related to Wazuh.
>
> Best Regards,
> Juan Carlos Tello
>
> On Monday, October 14, 2019 at 4:11:15 PM UTC+2, Diego S wrote:
>>
>> Sorry, my bad Dan, thanks anyway, I have a starting point now.
>>
>> Regards!
>>
>> On Mon, 14 Oct 2019 at 10:56, dan (ddp) () wrote:
>>
>>> On Mon, Oct 14, 2019 at 9:54 AM Diego S  wrote:
>>> >
>>> > Hi!
>>> >
>>> > I tried with an updated version and I'm still getting the same error :S
>>> >
>>>
>>> That's Wazuh. I don't know enough about their project to help.
>>>
>>> >
>>> >
>>> > On Sat, 12 Oct 2019 at 9:12, dan (ddp) () wrote:
>>> >>
>>> >>
>>> >>
>>> >> On Fri, Oct 11, 2019 at 2:03 PM Diego S  wrote:
>>> >>>
>>> >>> I'm using version 2.0.
>>> >>
>>> >>
>>> >> 2.0 is ancient. Not much I can do to help with that.
>>> >>
>>> >>>
>>> >>> I'm not able to find the syntax error.
>>> >>>
>>> >>> Thanks!
>>> >>>
>>> >>> On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote:
>>> >>>>
>>> >>>> On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
>>> >>>> >
>>> >>>> > Thank you very much for your response.
>>> >>>> > Let me know if I am wrong. The decoder will be like this:
>>> >>>> >
>>> >>>> > 
>>> >>>> >   ^\d+\s\w\w\w\w\w, 
>>> >>>> > 
>>> >>>> >
>>> >>>> > 
>>> >>>> >   Brocade-format
>>> >>>> >   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),
>>> >>>> >   user,second
>>> >>>> > 
>>> >>>> >
>>> >>>> > 
>>> >>>> >   squid
>>> >>>> >   ^\d+ \S+ 
>>> >>>> >   ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
>>> >>>> >   srcip,action,id,url
>>> >>>> > 
>>> >>>> >
>>> >>>> > But I'm getting a syntax error and I don't know why or where.
>>> >>>> >
>>> >>>> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on
>>> regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+,
>>> (\S+)/\S+(/\w+/\S+)': 6.
>>> >>>> >
>>> >>>>
>>> >>>> I'm not sure what's wrong there. Which version of OSSEC are you
>>> using?
>>> >>>>
>>> >>>> > Thanks and regards!
>>> >>>> >
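A way to check the corrected Brocade decoder offline, added here as an example that is not code from this thread or from OSSEC/Wazuh: it maps the OS_Regex dialect Juan describes (unescaped `/`, `[`, `]`; escaped `\(` and `\)`; `\.` meaning any character) onto Python's `re`. It assumes `+`/`*` behave non-greedily and that the decoder's regex uses `offset="after_prematch"`; the sample log line, user and host names are constructed.

```python
import re

# Added example, not code from this thread or from OSSEC/Wazuh. It maps the
# OSSEC/Wazuh "regex" (OS_Regex) dialect onto Python's re so a decoder can be
# sanity-checked offline. Assumptions: + and * are rendered non-greedy, an
# approximation of OS_Regex ending a repetition as soon as the next element
# matches; the <regex> is taken to carry offset="after_prematch".
# ossec-logtest on the real server remains the authority.

OSSEC_CLASSES = {                       # OS_Regex classes per the Wazuh docs
    "w": r"[A-Za-z0-9@_\-]",            # \w: letters, digits, '-', '@', '_'
    "d": r"[0-9]",                      # \d
    "s": r" ",                          # \s: one space, not any whitespace
    "t": r"\t",                         # \t
    "p": r"[()*+,\-.:;<=>?\[\]]",       # \p: punctuation
    "W": r"[^A-Za-z0-9@_\-]",           # \W: anything not \w
    "D": r"[^0-9]",                     # \D
    "S": r"[^ ]",                       # \S: anything not a space
    ".": r".",                          # \.: any character at all
}
LITERAL_ESCAPES = set("$()\\|<")        # the only characters OS_Regex escapes


def ossec_regex_to_python(pattern):
    """Translate an OS_Regex pattern; ValueError on an escape OS_Regex rejects."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            nxt = pattern[i] if i < len(pattern) else ""
            if nxt in OSSEC_CLASSES:
                out.append(OSSEC_CLASSES[nxt])
            elif nxt in LITERAL_ESCAPES:
                out.append(re.escape(nxt))
            else:  # e.g. the \[ and \] that produced "Syntax error on regex"
                raise ValueError("invalid escape in OS_Regex pattern: \\" + nxt)
        elif c in "^$|()":
            out.append(c)               # anchors, OR and capture groups line up
        elif c in "+*":
            out.append(c + "?")         # non-greedy approximation (see above)
        else:
            out.append(re.escape(c))    # / [ ] . , are plain literals in OS_Regex
        i += 1
    return "".join(out)


def compiles(pattern):
    """True when OS_Regex, as modelled here, accepts the pattern."""
    try:
        ossec_regex_to_python(pattern)
        return True
    except ValueError:
        return False


def decode(log, prematch, regex, order):
    """Apply a prematch/regex/order decoder to one line; None when it does not fit."""
    pm = re.match(ossec_regex_to_python(prematch), log)
    if not pm:
        return None
    m = re.match(ossec_regex_to_python(regex), log[pm.end():])  # after_prematch
    return dict(zip(order, m.groups())) if m else None


# Constructed sample in the Brocade AUDIT format from the thread (placeholder names).
SAMPLE_LOG = ("1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
              "jdoe/user/mgmt.example.com/ssh/CLI, ad_0/SW-FC-2/FID 128, , "
              "Event: login, Status: success, Info: Successful login attempt via "
              "REMOTE, IP Addr: mgmt.example.com.")
PREMATCH = r"^\d+\s\w\w\w\w\w, "
BROKEN_REGEX = (r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, "
                r"(\S+)/\S+(/\w+/\S+),")                       # Diego's version
FIXED_REGEX = (r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), [\S+], \S+, \S+, "
               r"(\.+)/\S+/(\.+),")                            # Juan's version
ORDER = ["user", "second"]
```

Calling `compiles(BROKEN_REGEX)` reproduces the rejection of the escaped brackets, and `decode(SAMPLE_LOG, PREMATCH, FIXED_REGEX, ORDER)` shows which substrings land in `user` and `second` before the decoder is deployed.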

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
Sorry, my bad Dan, thanks anyway, I have a starting point now.

Regards!

On Mon, 14 Oct 2019 at 10:56, dan (ddp) () wrote:

> On Mon, Oct 14, 2019 at 9:54 AM Diego S  wrote:
> >
> > Hi!
> >
> > I tried with an updated version and I'm still getting the same error :S
> >
>
> That's Wazuh. I don't know enough about their project to help.
>
> >
> >
> > On Sat, 12 Oct 2019 at 9:12, dan (ddp) () wrote:
> >>
> >>
> >>
> >> On Fri, Oct 11, 2019 at 2:03 PM Diego S  wrote:
> >>>
> >>> I'm using version 2.0.
> >>
> >>
> >> 2.0 is ancient. Not much I can do to help with that.
> >>
> >>>
> >>> I'm not able to find the syntax error.
> >>>
> >>> Thanks!
> >>>
> >>> On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote:
> >>>>
> >>>> On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
> >>>> >
> >>>> > Thank you very much for your response.
> >>>> > Let me know if I am wrong. The decoder will be like this:
> >>>> >
> >>>> > 
> >>>> >   ^\d+\s\w\w\w\w\w, 
> >>>> > 
> >>>> >
> >>>> > 
> >>>> >   Brocade-format
> >>>> >   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),
> >>>> >   user,second
> >>>> > 
> >>>> >
> >>>> > 
> >>>> >   squid
> >>>> >   ^\d+ \S+ 
> >>>> >   ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
> >>>> >   srcip,action,id,url
> >>>> > 
> >>>> >
> >>>> > But I'm getting a syntax error and I don't know why or where.
> >>>> >
> >>>> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on
> regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+,
> (\S+)/\S+(/\w+/\S+)': 6.
> >>>> >
> >>>>
> >>>> I'm not sure what's wrong there. Which version of OSSEC are you using?
> >>>>
> >>>> > Thanks and regards!
> >>>> >


Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
I'm using version 2.0.

I'm not able to find the syntax error.

Thanks!

On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote:

> On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
> >
> > Thank you very much for your response.
> > Let me know if I am wrong. The decoder will be like this:
> >
> > 
> >   ^\d+\s\w\w\w\w\w, 
> > 
> >
> > 
> >   Brocade-format
> >   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),
> >   user,second
> > 
> >
> > 
> >   squid
> >   ^\d+ \S+ 
> >   ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
> >   srcip,action,id,url
> > 
> >
> > But I'm getting a syntax error and I don't know why or where.
> >
> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex:
> '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+,
> (\S+)/\S+(/\w+/\S+)': 6.
> >
>
> I'm not sure what's wrong there. Which version of OSSEC are you using?
>
> > Thanks and regards!
> >


Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Thank you very much for your response.
Let me know if I am wrong. The decoder will be like this:


  ^\d+\s\w\w\w\w\w, 



  Brocade-format
  ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),
  user,second



  squid
  ^\d+ \S+ 
  ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
  srcip,action,id,url


But I'm getting a syntax error and I don't know why or where.

2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex:
'^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+,
(\S+)/\S+(/\w+/\S+)': 6.

Thanks and regards!



[ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Hi everyone!

I was wondering if we already have on OSSEC a custom decoder for this kind
of log, to get the red values.

1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.


I tried to do a custom one, but without success.


Here is what I've done.



This one matches the "1022 Audit" to discriminate the one I need from the
rest.




  ^\d+\s\w\w\w\w






And here is where I'm trying to get the underlined red values at the
beginning of the text, but I'm not sure about:


-The type of the log I have to use, or whether it is necessary

-The "order" value I have to use to take both red values.

-The structure of the decoder.




  Brocade-format

  -

  ^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*

  -





Thanks and Regards!



Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-27 Thread Diego S
Javier, would you confirm whether this rule works on Wazuh V2.0?

Because when I moved the rule from my laboratory (V3.9) to the target
server (V2.0), it is not working.

Thanks!

On Thu, 19 Sep 2019 at 15:55, Javier Castro () wrote:

> No problem Diego, glad it is working for you.
>
> Regards,
> Javier.
>


Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-19 Thread Diego S
Oh man, you saved my day! It works perfectly for my scenario.

I'm understanding how it works now.

Thanks a lot Javier, and congrats on the product and the community you all
have.

On Thu, 19 Sep 2019 at 15:00, Javier Castro () wrote:

> Hi Diego,
> the correct syntax would be: * restrict="!.msg$|.sql$|.rar$">/var/zimbra/ *
>
> Let me know how that works.
> Regards,
> Javier.
>
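To see why the `!.msg$|.sql$|.rar$` restrict works while an ignore entry written as `\.+.msg` never matches (Javier's point that `\.+` is not sregex syntax), here is a small model of the sregex (OS_Match) dialect, added as an example that is not code from this thread or from OSSEC/Wazuh. It assumes the dialect has only `^`, `$`, `|` and a leading `!` that negates the whole expression; the file paths are constructed.

```python
# Added example, not code from this thread or from OSSEC/Wazuh: a small model
# of the syscheck "sregex" (OS_Match) dialect used by <ignore type="sregex">
# and restrict="...". Assumption, taken from the thread and the Wazuh sregex
# page it links: the only special characters are ^ (start), $ (end), | (OR)
# and a leading ! that negates the whole expression; everything else,
# including '.', is literal text.


def sregex_match(pattern, text):
    """True when an OS_Match (sregex) pattern matches text."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]           # ! applies to the whole alternation
    hit = False
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if at_start else alt
        lit = lit[:-1] if at_end else lit
        if at_start and at_end:
            ok = text == lit
        elif at_start:
            ok = text.startswith(lit)
        elif at_end:
            ok = text.endswith(lit)
        else:
            ok = lit in text            # no wildcards: \.+ is literal characters
        if ok:
            hit = True
            break
    return (not hit) if negate else hit


def files_checked(restrict, paths):
    """Paths syscheck still examines under a <directories restrict="..."> pattern."""
    return [p for p in paths if sregex_match(restrict, p)]


def files_ignored(ignore_patterns, paths):
    """Paths dropped by a list of <ignore type="sregex"> entries."""
    return [p for p in paths if any(sregex_match(pat, p) for pat in ignore_patterns)]


# Constructed file names under the directory discussed in the thread.
PATHS = [
    "/var/zimbra/store/mail1.msg",
    "/var/zimbra/backup/dump.sql",
    "/var/zimbra/backup/archive.rar",
    "/var/zimbra/notes.txt",
    "/var/zimbra/report.log",
]

if __name__ == "__main__":
    # Javier's restrict: everything except .msg/.sql/.rar files is checked
    print(files_checked("!.msg$|.sql$|.rar$", PATHS))
    # the ignore attempt '\.+.msg' is literal text and never matches
    print(sregex_match(r"\.+.msg", PATHS[0]))          # False
    print(files_ignored([".log$|.swp$", ".msg$"], PATHS))
```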


Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
Hello Javier!

I have another problem. If I want to exclude a group of extensions, how
would I do it? Because if I use */var/zimbra/ *

this is not working. I guess it is because I'm using an OR comparator, or
because of the way I'm using the expression. Any idea?

Thanks again!
Diego.

On Wed, 18 Sep 2019 at 11:35, Javier Castro () wrote:

> Then you can try with restrict:
>
> */var/zimbra/*
>
> The folder you are monitoring will ignore files ending in .msg. You don't
> need ignore for that.
> Regards,
> Javier.
>


Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
Thanks a lot Javier, that option works perfectly!

Regards,
Diego

On Wed, 18 Sep 2019 at 11:35, Javier Castro () wrote:

> Then you can try with restrict:
>
> */var/zimbra/*
>
> The folder you are monitoring will ignore files ending in .msg. You don't
> need ignore for that.
> Regards,
> Javier.
>


Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
But I need to enforce both conditions at the same time. I need to skip all
the .msg files from /var/zimbra.

If that is the case, is it OK to express it as */var/zimbra/.msg$*?

Sorry if I didn't express myself well enough. But my question is about how to
express the directory before the extension, and whether it is correctly
expressed like the example.

Thanks again, this really helped me a lot.

Diego.



Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-16 Thread Diego S
Hello Javier! Thanks a lot for your answer, it was really helpful.

I have another question, if you don't mind.
If I want to specify a path before the extension to exclude, like
"/var/zimbra/.msg$", do I have to do something special, or just put it
like the example?

*/var/zimbra/.msg$*

Thanks again!
Diego.

On Sun, 15 Sep 2019 at 7:46, Javier Castro () wrote:

> Hello Diego,
> you don't need to specify *\.+* inside the ignore tag (it is actually not
> part of sregex syntax).
> Something like this should work:  *.msg$*
>
> You can read more about sregex here:
> https://documentation.wazuh.com/3.9/user-manual/ruleset/ruleset-xml-syntax/regex.html#sregex-os-match-syntax
>
> Regards,
> Javier.
>


[ossec-list] Using rules by escaping certain file extensions.

2019-09-13 Thread Diego S
Hello everyone,

First of all, sorry for my English.

I'm having a problem when I try to use the "Ignore_type" parameter on syscheck
to escape the ".msg" file extension.

I'm on Wazuh v3.9.3 (CentOS 7).

Agent: Ubuntu 18.04.3 LTS

I have a rule set to detect possible credit card numbers in files in a 
certain directory. This is working fine, but I need to discriminate by file 
extension.

rule:


  
516
Visa Credit Card
Visa Credit Card
rootcheck,
  


Ossec.conf on the Agent:

 

no


43200

yes


/home/PCI
/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot



/etc/mtab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/random.seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx
/etc/cups/certs
/etc/dumpdates
/etc/svc/volatile
/sys/kernel/security
/sys/kernel/debug
/dev/core


^/proc
.log$|.swp$
   '\.+.msg'   ---> I guess here is the problem.


/etc/ssl/private.key

yes


Then on /var/ossec/etc/shared/system_audit_rcl.txt

$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www,
/home/PCI; ->> the last directory is where all the files I want to scan are
(/home/PCI)

# Visa Credit Card
[VISA Credit Card] [any] []
d:$web_dirs -> r:^\. -> r:\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d;


ATM this rule is reporting all kinds of file extensions on /home/PCI with
VISA credit card numbers.

I appreciate any kind of help!

Thanks and regards.



