Hi Nate,

On Wed, Feb 2, 2011 at 5:22 PM, Nate Woodward <nate.woodw...@the-connection.com> wrote:
> Hi,
>
> I just started using OSSEC a few days ago, and Google isn't helping me
> on this. I'm trying to exclude a list of files from OSSEC's syschecks,
> and I'm running into problems with both the regex engine and variables.
>
> The documentation at http://www.ossec.net/wiki/Know_How:Regex_Readme
> says that you have to escape parentheses, which suggests to me that
> unescaped parentheses are interpreted in the way that egrep interprets
> them. For example, "<regex>asdf(foo|bar)</regex>" would match "asdffoo"
> or "asdfbar". Is that the case? If not, is there some other way to
> specify that regex (other than "asdffoo|asdfbar")?
>

Not that I'm aware of.

> Secondly, when using variables defined by the <var> tag, how do you
> protect them from surrounding text? I was trying to set up a rule (which
> I later realized was invalid for other reasons) that had the form
> "<match>blah blah ($VARIABLE_NAME)</match>", and when trying to restart
> OSSEC, I got an "Unknown variable: $VARIABLE_NAME)" error. Is there some
> way to prevent this?

Just use $VARIABLE_NAME

> If the above questions have simple answers, you can disregard the rest
> of this message. For the full context of what I'm trying to accomplish,
> read on.
>
> What I want to do is to exclude a list of files from syschecks. To
> accomplish this, I first defined this variable in my local_rules.xml:
>
> <var name="IGNORE_FILE_CHANGE">/etc/prelink.cache|/etc/Master_backup</var>
>
> The OSSEC Book suggests excluding these files by matching the string
> "for: '/path/to/file'". In order to try to accomplish this, I added the
> rule:
>
> <rule id="105001" level="0">
>   <if_group>syscheck</if_group>
>   <regex>for: '($IGNORE_FILE_CHANGE)'</regex>
>   <description>Excluding expected file changes</description>
> </rule>
>
> What I'm expecting to happen is for the regex tag to expand in this
> sequence:
> "for: '($IGNORE_FILE_CHANGE)'"
> "for: '(/etc/prelink.cache|/etc/Master_backup)'"
> "for: '/etc/prelink.cache'" OR "for: '/etc/Master_backup'"
>
> What happens instead is that I get a syntax error when trying to restart
> OSSEC. Could someone point out the various erroneous assumptions I'm
> making?
>

Seems complicated. Why not:

  <syscheck>
    <ignore type="sregex">^/etc/prelink.cache</ignore>
    <ignore type="sregex">^/etc/Master_backup</ignore>
  </syscheck>

Or:

  <rule id="105002" level="0">
    <if_group>syscheck</if_group>
    <match>/etc/prelink.cache|/etc/Master_backup</match>
    <description>Ignore this stuff.</description>
  </rule>
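To see what the suggested <ignore type="sregex"> entries actually exclude, here is an added example (not from this thread or from the OSSEC code base) that reads a constructed ossec.conf fragment and evaluates its ignore entries against sample changed-file paths. It assumes a simplified model of OSSEC's sregex (OSMatch) syntax: only the ^, $ and | operators are handled, everything else is literal, and an unanchored pattern matches anywhere in the path; the trailing $ on the second entry is added here to show end anchoring.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment (assumption: mirrors the reply's suggestion,
# with a trailing $ added to the second entry to anchor the end of the path).
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <ignore type="sregex">^/etc/prelink.cache</ignore>
    <ignore type="sregex">^/etc/Master_backup$</ignore>
  </syscheck>
</ossec_config>"""


def sregex_match(pattern, text):
    """Model of OSSEC sregex (OSMatch): '^' anchors the start, '$' the end,
    '|' separates alternatives; all other characters are literal
    (so '.' in prelink.cache is a plain dot). Assumption, not OSSEC's code."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$")
        literal = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        if start and end:
            ok = text == literal
        elif start:
            ok = text.startswith(literal)
        elif end:
            ok = text.endswith(literal)
        else:
            ok = literal in text          # unanchored: substring match
        if ok:
            return True
    return False


def load_ignores(conf_xml):
    """Return (type, pattern) pairs for every <ignore> under <syscheck>."""
    root = ET.fromstring(conf_xml)
    return [(e.get("type"), e.text.strip()) for e in root.iter("ignore")]


def is_ignored(path, ignores):
    for kind, pat in ignores:
        if kind == "sregex":
            if sregex_match(pat, path):
                return True
        elif path.startswith(pat):        # plain <ignore>: path prefix (assumption)
            return True
    return False


def classify(paths, conf_xml=OSSEC_CONF):
    """Map each changed path to True if syscheck would ignore it."""
    ignores = load_ignores(conf_xml)
    return {p: is_ignored(p, ignores) for p in paths}
```

Note that the first entry, having no trailing $, also ignores /etc/prelink.cache.bak under this model; add $ when an exact path is intended.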