**Phase 1: Completed pre-decoding.
full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
hostname: 'hostname'
program_name: '(null)'
log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
**Phase 2: Completed decoding.
decoder: 'sample_decoder_setup'
id: '/filepath/'
<rule id="80100" level="7" frequency="2" timeframe="60" ignore="120">
<if_matched_sid>510</if_matched_sid>
<same_id />
<description>This is meant to reduce noise as these events happen in batches with not much difference in meaning.</description>
</rule>
DECODER:
<decoder name="sample_decoder_setup">
<prematch>^(\.+) (\p/filepath\.+) </prematch>
<regex>(/filepath/\.+/mnt/\.+/)</regex>
<order>id</order>
</decoder>
Logtest returns the id I am looking for to match and that part works fine. It only gets to the first 2 steps though, and does not match it with a rule in logtest.
<rule id="70908" level="0" frequency="0" timeframe="45" ignore="300">
<if_matched_sid>510</if_matched_sid>
<match>your conditions (match the file?)</match>
<description>Ignore rule 510 during 300 seconds.</description>
</rule>
I'd need the ID from the decoder to do so.
<rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
<if_matched_sid>510</if_matched_sid>
<!--
conditions:
option 1:
<match>YOUR_FILE1|YOUR_FILE2|...</match>
option 2:
<regex>YOUR_FILE\.+</regex>
-->
<description>Ignore rule 510 for 600 seconds for some files.</description>
</rule>
<rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
<if_matched_sid>510</if_matched_sid>
<regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
<description>Ignore rootcheck warning on world-writable docker volumes</description>
</rule>
File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.
**Phase 1: Completed pre-decoding.
full event: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
hostname: 'ec2-12-34-56-78'
program_name: '(null)'
log: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.'
hostname: 'ip-10-0-0-10'
program_name: '(null)'
log: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.'
**Phase 2: Completed decoding.
No decoder matched.
2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.
<rule id="100510" level="0">
<if_sid>510</if_sid>
<regex>is owned by root and has written permissions to anyone</regex>
<description>Ignore this rule</description>
<group>rootcheck,</group>
</rule>
rule.id: 510
agent.name: ci-runner__development_12.34.56.78
agent.id: 009
manager.name: ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.com
rule.firedtimes: 1,700
rule.level: 7
rule.description: Host-based anomaly detection event (rootcheck).
rule.groups: ossec, rootcheck
source: decoder.name:rootcheck
title: File is owned by root and has written permissions to anyone.
full_log: File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.
@timestamp: May 24th 2017, 12:38:16.000
file: /var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt
host: ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.com
location: rootcheck
<rule id="100510" level="0">
<if_sid>510</if_sid>
<regex>/var/lib/docker/volumes/\S+/_data</regex>
<description>Ignore this rule</description>
<group>rootcheck,</group>
</rule>
<rule id="100510" level="15">
<if_sid>510</if_sid>
<field name="title">File is owned by root and has written permissions to anyone</field>
<description>Ignore this rule</description>
<group>rootcheck,</group>
</rule>
Rule: 100510 (level 15) -> 'Ignore this rule'
File '/var/lib/test' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /var/lib/test
<field name="title">File is owned by root and has written permissions to anyone</field>
<field name="file">good_file.txt</field>
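The difference between the two approaches in this thread (a `<regex>` on the message text versus a `<field>` on the decoded `file` value) is easy to see when both are run over a few events. The following is an added example, not code from the thread or from Wazuh/OSSEC: a small Python stand-in that decodes the rootcheck message into the `title` and `file` fields that logtest shows, then applies two hypothetical child rules of 510. The first two sample events are the paths quoted in the thread, the third (`/etc/cron.d/backup`) is constructed as a control that must keep alerting. The helper names (`decode_rootcheck`, `evaluate`, `summarize`) and the Python regexes standing in for OSSEC regex syntax are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample rootcheck events: the first two paths are quoted in the
# thread, the third is a made-up control that a sane ruleset must still alert on.
SAMPLE_EVENTS = [
    "File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.",
    "File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.",
    "File '/etc/cron.d/backup' is owned by root and has written permissions to anyone.",
]

# Shape of the message the rootcheck decoder splits into 'title' and 'file'
# (see the logtest output above). Python regex here, not OSSEC regex syntax.
ROOTCHECK_RE = re.compile(
    r"^File '(?P<file>.+)' (?P<tail>is owned by root and has written permissions to anyone)\.$"
)

# Hypothetical child rules of 510, as Python regexes:
#  - BROAD_MATCH mirrors a <regex> on the message text: it matches every
#    world-writable-file finding, whatever the path.
#  - DOCKER_VOLUME_DATA mirrors a <field name="file"> check scoped to data
#    directories of docker volumes (any volume name, hex ID or named volume).
BROAD_MATCH = re.compile(r"is owned by root and has written permissions to anyone")
DOCKER_VOLUME_DATA = re.compile(r"^/var/lib/docker/volumes/[^/]+/_data/")

PARENT_510 = {"id": 510, "level": 7,
              "description": "Host-based anomaly detection event (rootcheck)."}
CHILD_100510 = {"id": 100510, "level": 0,
                "description": "Ignore world-writable files under docker volume data dirs"}


def decode_rootcheck(full_log: str) -> Optional[dict]:
    """Approximate the rootcheck decoder: return {'title', 'file'} or None."""
    m = ROOTCHECK_RE.match(full_log)
    if m is None:
        return None
    return {"title": "File " + m.group("tail") + ".", "file": m.group("file")}


def evaluate(full_log: str, scoped: bool = True) -> dict:
    """Return the rule that ends up firing for one event.

    scoped=True  -> child rule tests the decoded 'file' field
    scoped=False -> child rule tests the message text, like the first
                    100510 posted in the thread
    """
    fields = decode_rootcheck(full_log)
    if fields is None:
        return {"id": None, "level": None, "description": "no decoder matched"}
    if scoped:
        silenced = DOCKER_VOLUME_DATA.match(fields["file"]) is not None
    else:
        silenced = BROAD_MATCH.search(fields["title"]) is not None
    return dict(CHILD_100510) if silenced else dict(PARENT_510)


def summarize(scoped: bool = True) -> list:
    """Rule id that fires for each sample event, in order."""
    return [evaluate(e, scoped)["id"] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for label, scoped in (("field-scoped", True), ("message-text", False)):
        print(label)
        for event in SAMPLE_EVENTS:
            r = evaluate(event, scoped)
            print(f"  rule {r['id']} level {r['level']}: {decode_rootcheck(event)['file']}")
```

With the field-scoped rule only the docker volume event drops to level 0 and the nsis and cron.d files still fire 510 at level 7; with the message-text regex all three are silenced, which is the behaviour a description of "Ignore this rule" hides. Whichever form is used in the real ruleset, a world-writable root-owned file is the kind of finding rootcheck exists to raise, so the exclusion should be as narrow as the path pattern allows and the volumes it covers should be understood before they are excluded.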