OSSEC syscheck ignore rule


Josh Albright

Sep 17, 2009, 1:03:36 PM
to ossec...@googlegroups.com

Hi,

Is it possible to ignore files that match a regex pattern in specific directories while continuing to monitor in others? I'm trying to monitor the /var/spool/mqueue base directory and ignore all the mail related files within the directory as they change/move frequently.

I put the following ignore type rule in place to ignore the mail related files:

<directories check_all="yes">/var/spool</directories>
<ignore type="sregex">^Qf|^df|^qf|^xf</ignore>

I think this works ok for ignoring the mail related files, but the rule will also cause files in other directories to be ignored that I don't want such as /etc/dfs/dfstab.

Is there a way to apply the ignore rule only to a specific directory? Thanks for your help!

Thanks,

Josh



Daniel Cid

Sep 18, 2009, 1:46:20 PM
to ossec...@googlegroups.com
Hi Josh,

If you know the file names you want to monitor inside the /var/spool
directory you can use
regular expressions in there:

<directories check_all="yes">/var/spool/*filesX</directories>


Otherwise you would need to use rules for that, since our <ignore>
option is very simple.
In the rule you can do:

<!-- rule ids must be numeric; 100000-119999 are reserved for local rules -->
<rule id="100001" level="0">
  <if_group>syscheck</if_group>
  <regex>/var/spool/QF|/var/spool/df</regex>
  <description>Ignoring QF and DF files inside /var/spool</description>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

Joshua Albright

Nov 4, 2009, 12:53:42 PM
to ossec-list
Hi Daniel,

Thanks for your reply. Is it possible to monitor only the base
directory without monitoring any of the files located in the
directory?

For example I want to make sure permissions don't change on
/var/spool/mqueue, but don't care about any files inside that directory.

Thanks,

Josh

On Sep 18, 9:46 am, Daniel Cid <daniel....@gmail.com> wrote:
> Hi Josh,
>
> If you know the file names you want to monitor inside the /var/spool
> directory you can use
> regular expressions in there:
>
> <directories check_all="yes">/var/spool/*filesX</directories>
>
> Otherwise you would need to use rules for that, since our <ignore>
> option is very simple.
> In the rule you can do:
>
> <rule id="abc" level="0">
>   <if_group>syscheck</if_group>
>   <regex>/var/spool/QF|/var/spool/df</regex>
>   <description>Ignoring QF and DF files inside /var/spool</description>
> </rule>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>

jplee3

Nov 4, 2009, 2:08:11 PM
to ossec-list
Hi,

I was also interested in this.

"Otherwise you would need to use rules for that, since our <ignore>
option is very simple.
In the rule you can do:

<rule id="abc" level="0">
<if_group>syscheck</if_group>
<regex>/var/spool/QF|/var/spool/df</regex>
<description>Ignoring QF and DF files inside /var/spool</description>
</rule>"

Where would you specifically put the rule mentioned above? Is that in
the local_rules.xml? Also, what is the syntax explicitly used with the
<ignore type="sregex"> parameter? I'm trying to monitor a directory
but ignore a specific file (or possibly more in the future) that has
the following naming convention: "apache.log.11042009" where the
appended date is being rotated on a daily basis and constantly
changing.


Thanks,
Jeremy
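An added example, not taken from any post in this thread, that puts both approaches together: an ossec.conf syscheck fragment whose sregex ignores carry the directory prefix, so they apply only under /var/spool/mqueue (Josh's case) or under a log directory (Jeremy's rotated apache.log.DATE case), plus a local_rules.xml rule with a numeric id for the rule-based approach Daniel describes. The /var/log/apache path and the rule id 100010 are assumptions.

```xml
<!-- ossec.conf fragment (added example). /var/log/apache is an assumed path. -->
<syscheck>
  <!-- Keep walking the whole spool tree, so /var/spool/mqueue itself and
       everything else under /var/spool stays monitored. -->
  <directories check_all="yes">/var/spool</directories>

  <!-- Each alternative carries the directory, so the pattern cannot match
       a file elsewhere (e.g. /etc/dfs/dfstab). sregex is OSSEC's own
       syntax: ^ anchors the full path and | separates alternatives.
       Upper- and lower-case names are listed explicitly. -->
  <ignore type="sregex">^/var/spool/mqueue/Qf|^/var/spool/mqueue/qf|^/var/spool/mqueue/df|^/var/spool/mqueue/xf</ignore>

  <!-- Rotated log apache.log.11042009: \d+ matches the date suffix and $
       stops the pattern from also matching apache.log.11042009.bak. -->
  <ignore type="sregex">^/var/log/apache/apache.log.\d+$</ignore>
</syscheck>

<!-- local_rules.xml: rule-based alternative (added example). OSSEC rule
     ids are integers and 100000-119999 are reserved for local rules;
     100010 is assumed to be free. level="0" suppresses the alert; syscheck
     still scans the files, so this costs more than an <ignore>. -->
<group name="local,syscheck,">
  <rule id="100010" level="0">
    <if_group>syscheck</if_group>
    <regex>/var/spool/mqueue/Qf|/var/spool/mqueue/qf|/var/spool/mqueue/df|/var/spool/mqueue/xf</regex>
    <description>Ignoring sendmail queue files inside /var/spool/mqueue</description>
  </rule>
</group>
```

After editing either file, restart OSSEC and check ossec.log for syscheck or rule parsing errors, and confirm a change to /etc/dfs/dfstab still alerts.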

John A. Sullivan III

Nov 4, 2009, 5:35:56 PM
to ossec...@googlegroups.com
Hmmm . . .just a thought - haven't tried it - what if you
included /var/spool/mqueue and ignored /var/spool/mqueue/*? - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsul...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Jeremy Lee

Nov 5, 2009, 10:11:08 AM
to ossec...@googlegroups.com
I've tried this and the "*" regex wildcard does not work with the <ignore> directive.

jplee3

Nov 17, 2009, 2:42:41 PM
to ossec-list
Anyone have any insight on how to exclude files/directories with the
proper regex?

On Nov 5, 7:11 am, Jeremy Lee <jpl...@gmail.com> wrote:
> I've tried this and the "*" regex wildcard does not work with the <ignore>
> directive.
>
> On Wed, Nov 4, 2009 at 2:35 PM, John A. Sullivan III <
>
> > jsulli...@opensourcedevel.com