On Feb 15, 2016 8:31 PM, "Leo G" <[email protected]> wrote:
>
> Thanks Jesus Linares,
>
> Yes, I noticed the typo, was using <ignore type="sregex">
>
> I can't use '.jpg$' because I want to only exclude directory_one/directory_two/*.jpg
>
> Therefore I tried config like this:
>
> <ignore type="sregex">/home/leo/testing/\.+.jpg</ignore>
> <ignore type="sregex">/home/leo/testing/\S+.jpg</ignore>
>
> Unfortunately no luck with regular expression matching for me
>

Because those are invalid sregex.

> On Friday, 12 February 2016 01:08:11 UTC+11, Jesus Linares wrote:
>>
>> Hi Leo,
>>
>> I'm glad you can solve your issue with the rules, but ignore should work.
>>
>> The symbol ^ in "<ignore type="^sregex">.jpg$</ignore>" is a typo. You could try with <ignore type="sregex">.jpg$</ignore>.
>>
>> Check the documentation out: http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/
>>
>> Regards.
>> Jesus Linares.
>>
>> On Wednesday, February 10, 2016 at 11:42:52 PM UTC+1, Leo G wrote:
>>>
>>> Thank you!!
>>>
>>> add match and regex in rules worked for me.
>>>
>>> no luck with ignore="sregex" :(
>>>
>>> On Wednesday, 10 February 2016 10:16:08 UTC+11, Leo G wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Can someone please help with the regex? I want to exclude all the .jpg files in xxx/xxx/,
>>>>
>>>> I have config in ossec.conf below:
>>>>
>>>> <alert_new_files>yes</alert_new_files>
>>>> <directories check_all="yes">/home/xxx</directories>
>>>> <ignore>/home/xxx/xxx/\S*\.jpg</ignore>
>>>> </syscheck>
>>>>
>>>> However it seems it's still not ignoring all the jpg files, still getting alerts for all the new jpg files.
>>>>
>>>> Also used 'ossec-regex' for testing,
>>>>
>>>> > /var/ossec/bin/ossec-regex '/home/xxx/xxx/\S*\.jpg'
>>>> > New file '/home/xxx/xxx/yyy.jpg' added to the file system.
>>>>
>>>> +OSRegex_Execute: New file '/home/xxx/xxx/yyy.jpg' added to the file system.
>>>> +OS_Regex : New file '/home/xxx/xxx/yyy.jpg' added to the file system.
>>>> ^C
>>>>
>>>> Seems to be matching.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
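Added example, not part of the original thread and not OSSEC code: a small Python lint that runs over the `<ignore>` entries quoted above and flags the ones that will not behave as a pattern. It assumes, per the OSSEC syscheck documentation linked in the thread, that `sregex` is the only accepted `type`, that sregex treats only `^`, `$` and `|` as special, and that an `<ignore>` without a type is a plain path; the function names and the wrapping `<syscheck>` element are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ignore> entries quoted in the thread, wrapped in a
# minimal <syscheck> element so the fragment parses as XML.
SAMPLE_CONF = r"""
<syscheck>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">/home/xxx</directories>
  <ignore>/home/xxx/xxx/\S*\.jpg</ignore>
  <ignore type="^sregex">.jpg$</ignore>
  <ignore type="sregex">/home/leo/testing/\.+.jpg</ignore>
  <ignore type="sregex">/home/leo/testing/\S+.jpg</ignore>
  <ignore type="sregex">.jpg$</ignore>
</syscheck>
"""

# Assumption (from the OSSEC docs): sregex only gives meaning to ^, $ and |.
ESCAPE = re.compile(r"\\.")       # \S, \. and similar belong to the full regex syntax
QUANTIFIER = re.compile(r"[+*]")  # plain characters in sregex, not repetition

def lint_ignore(type_attr, pattern):
    """Return a list of findings for one <ignore> entry."""
    if type_attr is None:
        # Assumption: an untyped <ignore> is a literal file or directory path.
        if ESCAPE.search(pattern) or QUANTIFIER.search(pattern):
            return ["no type attribute: entry is a plain path, not a pattern"]
        return []
    if type_attr != "sregex":
        return ["unknown type %r (expected 'sregex')" % type_attr]
    findings = []
    if ESCAPE.search(pattern):
        findings.append("backslash escape is not sregex syntax")
    if QUANTIFIER.search(pattern):
        findings.append("'+' or '*' is not a quantifier in sregex")
    return findings

def lint_syscheck(conf_text):
    """Map each flagged (type, pattern) pair to its list of findings."""
    report = {}
    for node in ET.fromstring(conf_text).iter("ignore"):
        pattern = (node.text or "").strip()
        findings = lint_ignore(node.get("type"), pattern)
        if findings:
            report[(node.get("type"), pattern)] = findings
    return report

if __name__ == "__main__":
    for (type_attr, pattern), findings in lint_syscheck(SAMPLE_CONF).items():
        print("%s [type=%s]: %s" % (pattern, type_attr, "; ".join(findings)))
```
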
