Hi,

I just started using OSSEC a few days ago, and Google isn't helping me 
on this. I'm trying to exclude a list of files from OSSEC's syschecks, 
and I'm running into problems with both the regex engine and variables.

The documentation at http://www.ossec.net/wiki/Know_How:Regex_Readme 
says that you have to escape parentheses, which suggests to me that 
unescaped parentheses are interpreted in the way that egrep interprets 
them. For example, "<regex>asdf(foo|bar)</regex>" would match "asdffoo" 
or "asdfbar". Is that the case? If not, is there some other way to 
specify that regex (other than "asdffoo|asdfbar")?

Secondly, when using variables defined by the <var> tag, how do you 
protect them from surrounding text? I was trying to set up a rule (which 
I later realized was invalid for other reasons) that had the form 
"<match>blah blah ($VARIABLE_NAME)</match>", and when trying to restart 
OSSEC, I got an "Unknown variable: $VARIABLE_NAME)" error. Is there some 
way to prevent this?

If the above questions have simple answers, you can disregard the rest 
of this message. For the full context of what I'm trying to accomplish, 
read on.

What I want to do is to exclude a list of files from syschecks. To 
accomplish this, I first defined this variable in my local_rules.xml:

    <var name="IGNORE_FILE_CHANGE">/etc/prelink.cache|/etc/Master_backup</var>

The OSSEC Book suggests excluding these files by matching the string 
"for: '/path/to/file'". In order to try to accomplish this, I added the 
rule:

    <rule id="105001" level="0">
        <if_group>syscheck</if_group>
        <regex>for: '($IGNORE_FILE_CHANGE)'</regex>
        <description>Excluding expected file changes</description>
    </rule>

What I'm expecting to happen is for the regex tag to expand in this 
sequence:
  "for: '($IGNORE_FILE_CHANGE)'"
  "for: '(/etc/prelink.cache|/etc/Master_backup)'"
  "for: '/etc/prelink.cache'" OR "for: '/etc/Master_backup'"

What happens instead is that I get a syntax error when trying to restart 
OSSEC. Could someone point out the various erroneous assumptions I'm 
making?

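As an added illustration (not part of the original post, and not OSSEC's own code), the script below walks through the three-stage expansion the poster expects, using Python's `re` and `xml.etree` rather than OSSEC's regex engine, so it shows the intended semantics of the rule, not how OSSEC actually parses it. The `local_rules.xml` fragment and the syscheck-style alert lines are constructed sample input. The variable reference is read with `\$([A-Za-z_][A-Za-z0-9_]*)`, which stops at the first character that cannot belong to a name, so `$IGNORE_FILE_CHANGE)` resolves to the variable without the trailing `)` that caused the poster's "Unknown variable" error. Matching is done on the enumerated literal strings, so `.` in a path is treated as a literal dot and `/etc/prelink.cache.old` is not suppressed by the `/etc/prelink.cache` entry.

```python
import itertools
import re
import xml.etree.ElementTree as ET

# Constructed rules fragment modelled on the poster's local_rules.xml; not a real file.
RULES_XML = """<group name="local">
  <var name="IGNORE_FILE_CHANGE">/etc/prelink.cache|/etc/Master_backup</var>
  <rule id="105001" level="0">
    <if_group>syscheck</if_group>
    <regex>for: '($IGNORE_FILE_CHANGE)'</regex>
    <description>Excluding expected file changes</description>
  </rule>
</group>"""

# Constructed syscheck-style alert lines used as sample input.
SAMPLE_ALERTS = [
    "Integrity checksum changed for: '/etc/prelink.cache'",
    "Integrity checksum changed for: '/etc/Master_backup'",
    "Integrity checksum changed for: '/etc/passwd'",
    "Integrity checksum changed for: '/etc/prelink.cache.old'",
]

# A variable name is read up to the first character that cannot belong to it,
# so "$IGNORE_FILE_CHANGE)" yields IGNORE_FILE_CHANGE and leaves the ")" alone.
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# A single parenthesised group whose body is a "|"-separated list of literals.
GROUP = re.compile(r"\(([^()]*)\)")


def load_vars(xml_text):
    """Collect <var name="...">value</var> definitions into a dict."""
    root = ET.fromstring(xml_text)
    return {v.get("name"): v.text.strip() for v in root.iter("var")}


def load_rules(xml_text):
    """Collect the fields of each <rule> that the matcher below needs."""
    root = ET.fromstring(xml_text)
    return [
        {"id": r.get("id"), "level": int(r.get("level")),
         "if_group": r.findtext("if_group"), "regex": r.findtext("regex")}
        for r in root.iter("rule")
    ]


def expand_vars(pattern, variables):
    """Stage 2 of the poster's sequence: replace $NAME with the variable's value."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("Unknown variable: $" + name)
        return variables[name]
    return VAR_REF.sub(sub, pattern)


def enumerate_literals(expanded):
    """Stage 3: turn "a(x|y)b" into the literal strings "axb" and "ayb".
    Each group is split on "|"; nested groups are not handled."""
    parts, pos = [], 0
    for m in GROUP.finditer(expanded):
        parts.append([expanded[pos:m.start()]])
        parts.append(m.group(1).split("|"))
        pos = m.end()
    parts.append([expanded[pos:]])
    return ["".join(p) for p in itertools.product(*parts)]


def classify(alerts, rules, variables):
    """Map each alert line to the id of the first syscheck rule whose literal
    strings occur in it, or None when no rule applies."""
    compiled = [(r["id"], enumerate_literals(expand_vars(r["regex"], variables)))
                for r in rules if r["if_group"] == "syscheck"]
    verdict = {}
    for line in alerts:
        hit = next((rid for rid, lits in compiled if any(l in line for l in lits)), None)
        verdict[line] = hit
    return verdict


if __name__ == "__main__":
    variables = load_vars(RULES_XML)
    rules = load_rules(RULES_XML)
    for rule in rules:
        expanded = expand_vars(rule["regex"], variables)
        print(rule["regex"], "->", expanded, "->", enumerate_literals(expanded))
    for line, rid in classify(SAMPLE_ALERTS, rules, variables).items():
        print(("suppressed by " + rid) if rid else "not matched", "|", line)
```

Running it prints the two expansion stages for rule 105001 and then shows the first two alerts suppressed (level 0) while `/etc/passwd` and `/etc/prelink.cache.old` fall through, which is the behaviour the poster describes wanting.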