You can't use ossec-logtest for rootcheck events. For example, if I get the full_log of a real alert:

"File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone."

and I paste it in logtest:
**Phase 1: Completed pre-decoding.
       full event: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.'
       hostname: 'ip-10-0-0-10'
       program_name: '(null)'
       log: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.'

**Phase 2: Completed decoding.
       No decoder matched.

So, ossec-logtest doesn't show anything, but the alert is properly generated. This is because rootcheck has its decoders at C level.

Your rule looks right; just restart OSSEC and test it manually. Sometimes OSSEC has problems with \.*, so if that part doesn't have spaces, it is better to use \S*.

Let me know if it works.

Regards.

On Saturday, May 20, 2017 at 3:04:44 AM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog <ge...@montoux.com> wrote:
> > Hi Jesus,
> >
> > I'm having the same problem, and the triggering of this rule causes so much
> > noise that it's drowning out other alerts. I have added a rule like you
> > suggested to my local rules:
> >
> > <rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
> >   <if_matched_sid>510</if_matched_sid>
> >   <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has
> > written permissions to anyone</regex>
> >   <description>Ignore rootcheck warning on world-writable docker
> > volumes</description>
> > </rule>
> >
> > But it doesn't seem to have an effect. I've played with the regex,
> > simplifying it and even deleting it altogether, but I still can't seem to
> > get it working. Logtest shows the following output:
> >
> > > File
> > > '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'
> > > is owned by root and has written permissions to anyone.
> >
>
> Is this the log message you get from the agent?
> You can turn on the logall option and check archives.log for the exact
> message from the agent.
>
> > > **Phase 1: Completed pre-decoding.
> > >        full event: 'File
> > > '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'
> > > is owned by root and has written permissions to anyone.'
> > >        hostname: 'ec2-12-34-56-78'
> > >        program_name: '(null)'
> > >        log: 'File
> > > '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'
> > > is owned by root and has written permissions to anyone.'
> > >
> > > **Phase 2: Completed decoding.
> > >        No decoder matched.
> >
> > I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is there
> > anything obvious that I'm doing wrong?
> >
> > Cheers!
> > Gert
> >
> > On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares wrote:
> >>
> >> Hi Rob,
> >>
> >> you need to add the conditions to trigger that rule only for your specific
> >> files. Use match or regex:
> >>
> >> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
> >>   <if_matched_sid>510</if_matched_sid>
> >>   <!--
> >>   conditions:
> >>   option 1:
> >>   <match>YOUR_FILE1|YOUR_FILE2|...</match>
> >>   option 2:
> >>   <regex>YOUR_FILE\.+</regex>
> >>   -->
> >>   <description>Ignore rule 510 for 600 seconds for some
> >> files.</description>
> >> </rule>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
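Since ossec-logtest cannot exercise rootcheck rules, the only way to check a `<regex>` or `<match>` condition before restarting is to reproduce OSSEC's regex dialect outside the daemon. The script below is an added example, not code from the thread or from OSSEC/Wazuh; its class table is a hand-written approximation of OS_Regex (`\.` = any character, `\S` = anything but a space, `\w`, `\d`, `\p`, and so on), and it only simulates the `<match>`/`<regex>` conditions, not `if_matched_sid`, `frequency` or `ignore`. It runs Gert's rule, and the same rule with `\S*` substituted, against the two full_log strings quoted in the thread, and shows why `\S*` is only safe when the path has no spaces: the "Language files" directory in the nsis message is never matched by `[^ ]*`.

```python
"""Check offline which rootcheck messages a local rule's <regex>/<match> would
hit, using a Python approximation of OSSEC's regex dialect (added example)."""
import re
import xml.etree.ElementTree as ET

# Assumption: hand-written approximation of the OS_Regex character classes.
# OSSEC escape -> Python re fragment.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_@\-]",   # \w: letters, digits, _ @ -
    "d": r"[0-9]",             # \d: a digit
    "s": r" ",                 # \s: a space
    "t": r"\t",                # \t: a tab
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p: punctuation
    "W": r"[^A-Za-z0-9_@\-]",  # \W: anything but \w
    "D": r"[^0-9]",            # \D: anything but a digit
    "S": r"[^ ]",              # \S: anything but a space
    ".": r".",                 # \.: any character at all
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into a Python re pattern.

    In OSSEC a bare '.' is a literal dot and '\\.' means 'any character';
    '*' and '+' quantify the preceding token; '^', '$', '|', '(' and ')'
    keep their usual meaning; everything else is a literal.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(ch if ch in "*+^$|()" else re.escape(ch))
        i += 1
    return "".join(out)


def ossec_regex_search(pattern: str, log: str) -> bool:
    """<regex> is unanchored: it may match anywhere in the log line."""
    return re.search(ossec_regex_to_python(pattern), log, re.DOTALL) is not None


def ossec_match(pattern: str, log: str) -> bool:
    """<match> is a substring test; '|' separates alternatives and a leading
    '^' anchors that alternative to the start of the log line."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if log.startswith(alt[1:]):
                return True
        elif alt in log:
            return True
    return False


def rule_suppresses(rule_xml: str, log: str) -> bool:
    """True when every <match>/<regex> condition of the rule holds for the log.
    Only those two conditions are simulated; if_matched_sid, frequency and
    ignore are not."""
    rule = ET.fromstring(rule_xml)
    match, regex = rule.findtext("match"), rule.findtext("regex")
    if match is not None and not ossec_match(match.strip(), log):
        return False
    if regex is not None and not ossec_regex_search(regex.strip(), log):
        return False
    return True


# The two full_log strings quoted in the thread, copied here as test input.
DOCKER_LOG = (
    "File '/var/lib/docker/volumes/"
    "81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e"
    "/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot'"
    " is owned by root and has written permissions to anyone."
)
NSIS_LOG = (
    "File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf'"
    " is owned by root and has written permissions to anyone."
)

# Gert's rule as posted, and the same rule with \S* in place of \.*.
RULE_DOT = r"""<rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
  <if_matched_sid>510</if_matched_sid>
  <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
  <description>Ignore rootcheck warning on world-writable docker volumes</description>
</rule>"""
RULE_NOSPACE = RULE_DOT.replace(r"\.*", r"\S*")

if __name__ == "__main__":
    for name, rule in (("\\.* rule", RULE_DOT), ("\\S* rule", RULE_NOSPACE)):
        for log in (DOCKER_LOG, NSIS_LOG):
            print(f"{name:10} suppresses {log[6:40]}...: {rule_suppresses(rule, log)}")
    # A path containing a space (the "Language files" directory) defeats \S*:
    print(ossec_regex_search(r"/usr/local/nsis/\.* is owned by root", NSIS_LOG))  # True
    print(ossec_regex_search(r"/usr/local/nsis/\S* is owned by root", NSIS_LOG))  # False
```

Both forms of Gert's rule match the docker volume message, because neither the volume hash nor the font path contains a space; the nsis message is where the two diverge. Use the script to pre-check a candidate `<regex>` against the exact line from archives.log (with logall enabled, as dan suggests), then restart OSSEC and confirm the alert really disappears, since the daemon's own matcher is the final word.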