Hi,
I'm trying to ignore the following type of alert:
Time: Mon Apr 17 03:43:59 2017 +0200
File: /tmp/.xcloner-b80c1
Reason: Suspicious directory
Owner: myuser:myuser (563:575)
Action: No action taken
All alerts start with /tmp/.xcloner-
I have added this to csf.fignore but no go:
/tmp/\.^xcloner
any help?
csf.fignore regex issue
Re: csf.fignore regex issue
Why did you add the caret "^" before the "x"?
The line that you wrote:
File: /tmp/.xcloner-b80c1
doesn't show any "^", maybe you should write:
/tmp/.xcloner
or:
\/tmp\/\.xcloner
if you need to escape the characters.
Re: csf.fignore regex issue
The file csf.fignore says you can use perl regular expression pattern. I searched around and I found this website:
https://www.cs.tut.fi/~jkorpela/perl/regexp.html
so I used ^ character as the string starts (but not ends with xcloner).
I will try the suggestions
Re: csf.fignore regex issue
Ok, that character is only for the start of a line, but the start of the line was "/tmp".
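Added example, not part of the thread and not csf/lfd code: it runs the patterns posted above against the path from the alert and a few constructed paths, to show why a caret in the middle of a pattern can never match and how far an unanchored or unescaped pattern reaches. It assumes an unanchored regex search and a lowercase alphanumeric suffix after `.xcloner-`; the constructs used behave the same in Perl and in Python's `re`.

```python
import re

# Path from the alert in the thread, plus constructed paths to probe over-matching.
ALERT_PATH = "/tmp/.xcloner-b80c1"
SAMPLE_PATHS = [
    ALERT_PATH,
    "/tmp/.xcloner-0a1b2",              # constructed: another backup directory
    "/tmp/axcloner-b80c1",              # constructed: no leading dot
    "/home/myuser/tmp/.xcloner-b80c1",  # constructed: not directly under /tmp
]

# The first three patterns are the ones posted in the thread; the last one is
# an added suggestion that assumes a lowercase alphanumeric suffix.
CANDIDATES = {
    "caret mid-pattern": r"/tmp/\.^xcloner",
    "plain path": r"/tmp/.xcloner",
    "escaped path": r"\/tmp\/\.xcloner",
    "anchored (added)": r"^/tmp/\.xcloner-[0-9a-z]+$",
}


def matched_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths the pattern matches anywhere (unanchored search)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def report():
    """Map each candidate label to the list of sample paths it would ignore."""
    return {label: matched_paths(rx) for label, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:18} {CANDIDATES[label]!r}")
        for path in SAMPLE_PATHS:
            print(f"    {'IGNORED' if path in hits else 'alerted'}  {path}")
```

An ignore entry that matches more than the intended directories also silences alerts for everything else it matches, so the tightest pattern that still covers the alert is the safer choice.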