Ignore specific files in directories


ono-sendai

Jan 20, 2016, 5:11:44 AM1/20/16
to ossec...@googlegroups.com
Hi,

I'm monitoring my /var dir

<directories realtime="yes"
check_all="yes">/etc,/root,/var,/home,/tmp,/bin,/sbin,/usr</directories>

and I can use the <ignore> statement to ignore subfolders/files without problems.

Now I'm trying to ignore all .pdf|.odt|.jpg etc. in a specific folder and
its subfolders. So I wrote this rule:

<rule id="100004" level="0">
<if_matched_group>syscheck</if_matched_group>
<regex>^/var/lib/tomcat7/OFFLINE/\.*pdf$</regex>
<description>Ignore OFFLINE documents</description>
</rule>

but I still receive alerts like these:

Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/lib/tomcat7/OFFLINE/test.pdf'
Size changed from '54' to '94'
Old md5sum was: '9b26b668284325b02520b0f34281d63b'
New md5sum is : '22edde5ccec5fb0120b63cae421d013e'

or alerts for new file creations (I have overridden rule 554 according to this
FAQ [0]).
How can I achieve my goal? And is this approach (rule creation)
efficient (I want to add some OR alternatives to specify multiple file extensions in this rule)?

I'm using OSSEC version 2.8.3-3jessie (from
http://ossec.wazuh.com/repos/apt/debian) and Wazuh's ruleset [1]

Thank you :)


[0]
http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#why-aren-t-new-files-creating-an-alert
[1] https://github.com/wazuh/ossec-rules

Jesus Linares

Jan 20, 2016, 11:53:14 AM1/20/16
to ossec-list
Hi,

you can use this rule:

<rule id="100004" level="0">
    <if_group>syscheck</if_group>
    <match>for: '/var/lib/tomcat7/OFFLINE/</match>
    <regex>for: '\.+.pdf'</regex>
    <description>NO PDF Alert</description>
</rule>

I think if_group is better than if_matched_group. Also your regex is wrong because the event doesn't begin (^) with "/var.." and end ($) with "pdf". The event is something like this: Integrity checksum changed for: '/path1/path2/path3/file.ext'. So the path begins with "'/path1..." and ends with ".ext'".

I guess you could use the ignore tag: 
<ignore type="sregex">/var/lib/tomcat7/OFFLINE/\.+.pdf</ignore>

It's up to you. ;)

ono-sendai

Jan 21, 2016, 7:19:11 AM1/21/16
to ossec...@googlegroups.com
On 20/01/2016 17:53, Jesus Linares wrote:

> you can use this rule:
>
> <rule id="100004" level="0">
> <if_group>syscheck</if_group>
> <match>for: '/var/lib/tomcat7/OFFLINE/</match>
> <regex>for: '\.+.pdf'</regex>
> <description>NO PDF Alert</description>
> </rule>

Thank you!! It works! I've modified that rule so now it also matches rule 554
and other file types.

<rule id="100004" level="0">
<if_group>syscheck</if_group>
<match> '/var/lib/tomcat7/OFFLINE/</match>
<regex> '\.+.pdf'| '\.+.odt'</regex>
<description>Ignore OFFLINE documents</description>
</rule>

> I guess you could use the ignore tag:
> <ignore type="sregex">/var/lib/tomcat7/OFFLINE/\.+.pdf</ignore>

Before trying the rule, I tried this <ignore> statement without success:

<ignore type="^sregex">/var/lib/tomcat7/OFFLINE/\.*.pdf</ignore>

but then I realized that only three special characters (^ $ |) are usable in
sregex according to [0]... is that correct?

Thank you again :)

[0]
https://ossec-docs.readthedocs.org/en/latest/syntax/regex.html#os-match-sregex-syntax


Jesus Linares

Jan 22, 2016, 11:57:43 AM1/22/16
to ossec-list
You are right, ignore is an OS_Match/sregex.

You could use: <ignore type="^sregex">.pdf$|.odt$</ignore>

I hope you find it useful ;)
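
To make the two answers above concrete (why the first rule, anchored with ^ and $ as if the event were only a path, never fires, while the match/regex pair does, and what the sregex ignore suggested above actually matches), here is an added worked example. It is not code from this thread or from OSSEC: it is an approximate Python emulation of the three matchers discussed, OS_Regex for <regex>, OS_Match for <match> and <ignore type="sregex">, and the plain <ignore> entry. The sample alert texts are constructed to look like the rule 550 and rule 554 events; the character-class table, the underscore in \w, the punctuation set for \p and the assumption that a plain <ignore> is a prefix match on the path are my assumptions about OSSEC 2.8, not facts stated on this page.

```python
import re

# Added example, not OSSEC's own engine: an approximate emulation of the
# OS_Regex (<regex>), OS_Match (<match>, sregex) and plain <ignore> matchers.
# The class table below is an assumption about OSSEC 2.8's syntax.
_OSSEC_CLASS = {
    '.': '.',             # \.  any character (a bare '.' is a literal dot)
    'w': '[A-Za-z0-9_]',  # \w  alphanumeric (underscore assumed included)
    'd': '[0-9]',         # \d  digit
    's': ' ',             # \s  space
    't': '\t',            # \t  tab
    'p': r'[()*+,\-.:;<=>?\[\]!"\'#$%&]',  # \p  punctuation (assumed set)
    'W': '[^A-Za-z0-9_]',
    'D': '[^0-9]',
    'S': '[^ ]',
}
_PY_SPECIAL = set('.^$?[]{}\\')  # characters that must be escaped for Python re


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into a Python re pattern.

    Supports the escapes above, the + and * modifiers, ( ) groups, ^ at the
    start and $ at the end of each |-separated alternative; anything else is
    literal. A rule's regex runs against the whole decoded event text."""
    alts = []
    for alt in pattern.split('|'):
        at_start, at_end = alt.startswith('^'), alt.endswith('$')
        body = alt[1:] if at_start else alt
        body = body[:-1] if at_end else body
        py, i = [], 0
        while i < len(body):
            c = body[i]
            if c == '\\' and i + 1 < len(body):
                nxt = body[i + 1]
                py.append(_OSSEC_CLASS.get(nxt, '\\' + nxt if nxt in _PY_SPECIAL else nxt))
                i += 2
                continue
            py.append('\\' + c if c in _PY_SPECIAL else c)
            i += 1
        alts.append(('^' if at_start else '') + ''.join(py) + ('$' if at_end else ''))
    return '|'.join(alts)


def sregex_matches(text, pattern):
    """Emulate OS_Match, the sregex syntax used by <match> and by
    <ignore type="sregex">: every character is literal except ^ (prefix),
    $ (suffix) and | (alternatives). The ! negation is not modelled."""
    for alt in pattern.split('|'):
        at_start, at_end = alt.startswith('^'), alt.endswith('$')
        body = alt[1:] if at_start else alt
        body = body[:-1] if at_end else body
        if at_start and at_end:
            hit = text == body
        elif at_start:
            hit = text.startswith(body)
        elif at_end:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def rule_matches(event, match=None, regex=None):
    """A rule fires only if every condition it carries holds against the
    whole event text: <match> is OS_Match, <regex> is OS_Regex."""
    if match is not None and not sregex_matches(event, match):
        return False
    if regex is not None and not re.search(ossec_regex_to_python(regex), event):
        return False
    return True


def syscheck_ignored(path, ignores):
    """Emulate the syscheck <ignore> list on one path. Entries are
    (pattern, is_sregex): an sregex entry is OS_Match on the full path, a
    plain entry is a prefix match (assumed, so it also covers subdirectories)."""
    for entry, is_sregex in ignores:
        if is_sregex and sregex_matches(path, entry):
            return True
        if not is_sregex and path.startswith(entry):
            return True
    return False


# Constructed events shaped like the rule 550 and rule 554 alerts in the thread.
SAMPLE_EVENTS = [
    "Integrity checksum changed for: '/var/lib/tomcat7/OFFLINE/test.pdf'",
    "New file '/var/lib/tomcat7/OFFLINE/report.odt' added to the file system.",
    "Integrity checksum changed for: '/var/lib/tomcat7/OFFLINE/notes.txt'",
    "Integrity checksum changed for: '/etc/passwd'",
]
# The first attempt (anchored as if the event were only the path) and the
# match/regex pair the thread settled on for rule 100004.
FIRST_ATTEMPT_REGEX = r"^/var/lib/tomcat7/OFFLINE/\.*pdf$"
THREAD_RULE = {"match": " '/var/lib/tomcat7/OFFLINE/",
               "regex": r" '\.+.pdf'| '\.+.odt'"}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("first attempt:", rule_matches(ev, regex=FIRST_ATTEMPT_REGEX),
              "| rule 100004:", rule_matches(ev, **THREAD_RULE), "|", ev)
    for p in ("/var/lib/tomcat7/OFFLINE/test.pdf", "/var/lib/tomcat7/OFFLINE/notes.txt"):
        print("sregex ignore .pdf$|.odt$ ->", syscheck_ignored(p, [(".pdf$|.odt$", True)]), p)
```

Running it shows the two points made in this thread: the first attempt matches none of the events because the event text starts with "Integrity checksum changed" and ends with a closing quote, while the match/regex pair matches the .pdf and .odt events, including the rule 554 "New file" form, and leaves the .txt and /etc/passwd events to alert normally. On the ignore side, a sregex entry of "/var/lib/tomcat7/OFFLINE/\.+.pdf" never matches because in sregex the backslash, dot and plus are literal characters, whereas ".pdf$|.odt$" matches the path by suffix.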

ono-sendai

Jan 23, 2016, 6:31:29 AM1/23/16
to ossec...@googlegroups.com
On 22/01/2016 17:57, Jesus Linares wrote:

> You could use: <ignore type="^sregex">.pdf$|.odt$</ignore>
>
> I hope you find it useful ;)

Yes really useful! Thank you again :)

Leo G

Feb 10, 2016, 5:41:50 PM2/10/16
to ossec-list
Thank you :)

Setting up match and regex in rules worked for me:

<rule id="100004" level="0">
    <if_group>syscheck</if_group>
    <match> '/var/lib/tomcat7/OFFLINE/</match>
    <regex> '\.+.pdf'| '\.+.odt'</regex>
    <description>Ignore OFFLINE documents</description>
</rule>

No luck with ignore with type="sregex".