to ossec-list
How can I ignore a file or directory in the rootcheck portion of OSSEC?
For instance I am receiving the following:
OSSEC HIDS Notification.
2011 Apr 22 02:48:35
Received From: (nyctpdprd1) 10.186.196.132->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):
File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden
file.
I would like to ignore this file and have added the
<ignore>/dev/oracleasm</ignore>
directive in the ossec.conf file under the <rootcheck> portion, but it
does not work.
sameer nanda
Apr 22, 2011, 12:28:55 PM
to ossec...@googlegroups.com
Hey Doug,
Why don't you increase the time of syscheck?
That is, what I mean to say is: set it at a time gap of around 21600 seconds. I hope this will reduce CPU utilization.
Tanishk Lakhaani
Apr 22, 2011, 3:21:02 PM
to ossec...@googlegroups.com
Hi Chris, the workaround is the same as what you have done; just a few things to check:
a. Put the absolute path of the file in the ossec.conf, in the ignore tag.
b. Restart OSSEC to let the changes take effect.
c. Create a rule in local_rules.xml using the match tag, being applied on this rule.
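The three steps above, written out as configuration. This is an added example and not configuration posted in the thread or shipped with OSSEC; the rule IDs 100100 and 100101 and the group name are my choices (OSSEC reserves 100000-119999 for local rules), and the alert text being matched is the rootcheck line quoted in the original question. Note that the thread reports the agent-side <ignore> entry not taking effect, so the manager-side rule in local_rules.xml is the part the replies actually rely on; it needs a restart of the manager to load.

```xml
<!-- Part 1: /var/ossec/etc/ossec.conf on the agent (step a).
     Absolute path of the file, not just its directory. -->
<ossec_config>
  <rootcheck>
    <ignore>/dev/oracleasm/.query_disk</ignore>
  </rootcheck>
</ossec_config>

<!-- Part 2: /var/ossec/rules/local_rules.xml on the manager (step c).
     Rule IDs and group name are chosen for this example.
     <match> is a plain substring test in OSSEC rules, so the dot in
     ".query_disk" is literal and needs no escaping. -->
<group name="local,rootcheck,">

  <!-- Suppress the level-7 alert from rule 510 for this one file only. -->
  <rule id="100100" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/oracleasm/.query_disk' present on /dev</match>
    <description>Ignore rootcheck hidden-file alert for /dev/oracleasm/.query_disk.</description>
  </rule>

  <!-- Same idea for the whole directory: because <match> is a substring
       test, matching on the directory prefix covers every file under it. -->
  <rule id="100101" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/oracleasm/</match>
    <description>Ignore rootcheck hidden-file alerts for anything under /dev/oracleasm.</description>
  </rule>

</group>
```

After editing, restart the agent (for part 1) and the manager (for part 2), as in step b; ossec-analysisd only reads the rule files at start-up. Keep the directory-wide rule 100101 in mind before copying it: level 0 means the event is dropped silently, so a genuinely unexpected hidden file under /dev/oracleasm would no longer be reported.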
dan (ddp)
Apr 22, 2011, 4:15 PM
to ossec...@googlegroups.com
Not what you're asking, but should provide very similar results.
<rule id="ID_NUMBER" level="0">
  <if_sid>510</if_sid>
  <match>/dev/oracleasm/.query_disk</match>
  <description>Ignore alerts for this file.</description>
</rule>
Christopher Laibinis
Apr 25, 2011, 1:50:45 PM
to ossec-list
I think this will have a rule on the OSSEC server; I am looking to do
this on an agent basis and have the same rule set for all the agents.
On Apr 22, 4:15 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Not what you're asking, but should provide very similar results.
>
> <rule id="ID_NUMBER" level="0">
> <if_sid>510</if_sid>
> <match>/dev/oracleasm/.query_disk</match>
> <description>Ignore alerts for this file.</description>
> </rule>
>
> On Fri, Apr 22, 2011 at 8:06 AM, Christopher Laibinis
>
Christopher Laibinis
Apr 25, 2011, 1:48:14 PM
to ossec-list
Does syscheck control rootcheck?
On Apr 22, 12:28 pm, sameer nanda <sameer.30...@gmail.com> wrote:
> hey doug,
>
> y dont u increase the time of syscheck ..
>
> that is what i mean to say is , set it at a time gap of around 21600
> seconds.
> i hope this will reduce cpu utilization.
>
dan (ddp)
Apr 26, 2011, 4:32:37 PM
to ossec...@googlegroups.com
There is a <frequency> setting for rootcheck.
dan (ddp)
Apr 26, 2011, 4:32:18 PM
to ossec...@googlegroups.com
Yes, this rule would be applied to all agents. Why would you want it to be different for some agents?
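Two follow-ups to the replies above, the <frequency> setting for rootcheck and the point that a local rule on the manager applies to every agent, as an added example that is not configuration from the thread or from OSSEC itself. The 21600-second interval is the value suggested earlier in the thread, not a recommended default; rule ID 100102 is my choice; and the <hostname> rule option is assumed to match the agent name that appears in parentheses in the alert prefix ("(nyctpdprd1) 10.186.196.132->rootcheck" in the original question), which is how a manager-side suppression can be limited to one agent when it should not apply to all of them.

```xml
<!-- Part 1: /var/ossec/etc/ossec.conf on the agent.
     rootcheck has its own interval, separate from syscheck's <frequency>;
     21600 s (6 hours) is the value from the thread, chosen for the example. -->
<ossec_config>
  <rootcheck>
    <frequency>21600</frequency>
  </rootcheck>
</ossec_config>

<!-- Part 2: /var/ossec/rules/local_rules.xml on the manager.
     A level-0 child of rule 510 with no further condition would silence
     this alert for every agent. Adding <hostname> keeps the suppression
     to the one agent that legitimately has Oracle ASM devices; every
     other agent still raises the level-7 alert for a hidden file in /dev.
     Rule ID and agent name are assumptions for this example. -->
<group name="local,rootcheck,">
  <rule id="100102" level="0">
    <if_sid>510</if_sid>
    <hostname>nyctpdprd1</hostname>
    <match>File '/dev/oracleasm/</match>
    <description>Ignore /dev/oracleasm hidden-file alerts on the ASM host only.</description>
  </rule>
</group>
```

Scoping by <hostname> is the practical answer to wanting "the same rule set for all the agents" without also muting the check everywhere: the rule set is still shared, but the exception is tied to the host where the files are expected. Restart the manager after editing local_rules.xml.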