How do I find files that do not contain a given string pattern?

grep -riL "foo" .

This is the explanation of the grep options used:

     -L, --files-without-match
             each file processed.
     -R, -r, --recursive
             Recursively search subdirectories listed.

     -i, --ignore-case
             Perform case insensitive matching.

OSSEC – Custom rules examples

Silencing certain rules

<rule id="100030" level="0">
  <if_sid>503,502</if_sid>
  <description>List of rules to be ignored.</description>
</rule>

OSSEC will not produce any alert when rule 502 or 503 is triggered: level="0" suppresses the alert.


Ignore alert if rules triggered by certain IP

<rule id="100225" level="0">
  <if_sid>40101</if_sid>
  <srcip>127.0.0.1</srcip>
  <description>Ignore this</description>
</rule>

If rule 40101 is triggered by 127.0.0.1, no alert is produced.


Ignore alert if contains certain strings

<rule id="100223" level="0">
  <if_sid>1002</if_sid>
  <match>terrorist|terror|femmefatale|heart-attack</match>
  <description>Ignore 1002 false positive</description>
</rule>

OSSEC uses OS_match (sregex) syntax inside <match>.


Ignore alert if contains certain strings (using regex)

<rule id="100207" level="4">
  <if_sid>1002,1003</if_sid>
  <regex>^WordPress database error You have an error in your SQL syntax(\.*)functionName$</regex>
  <description>Unescaped SQL query, known issue</description>
</rule>

OSSEC uses OS_regex (regex) syntax inside <regex>.


Trigger a custom rule when a field matches a value in a CDB list

<rule id="100215" level="5">
  <if_sid>31101</if_sid>
  <list lookup="match_key" field="url">rules/badurl</list>
  <description>URL is in badurl</description>
</rule>

Trigger a custom rule when a rule fires x times within n seconds from the same source IP

<rule id="100216" level="10" frequency="4" timeframe="90">
  <if_matched_sid>100215</if_matched_sid>
  <same_source_ip />
  <description>Multiple badurl access </description>
  <description>from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>

Overriding rules

<rule id="1003" level="13" overwrite="yes" maxsize="2000">
  <description>Non standard syslog message (size too large).</description>
</rule>

The original rule 1003 has 10245 as its maxsize. Using overwrite="yes" makes OSSEC overwrite the given fields of the original rule.


Custom rule group

<group name="app_error">
  <rule id="100207" level="4">
    <if_sid>1002,1003</if_sid>
    <regex>^WordPress database error You have an error in your SQL syntax(\.*)functionName$</regex>
    <description>Unescaped SQL query, known issue</description>
  </rule>

  <rule id="100218" level="0">
    <if_sid>1003</if_sid>
    <match>WUID | WTB</match>
    <description>ignorance is bliss</description>
  </rule>
</group>
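Before loading a file of rules like the ones above into OSSEC, it is worth checking it for the errors that produce no error message but leave a rule silently inactive: a duplicated id, a frequency with no timeframe, or an if_matched_sid pointing at a local rule that does not exist. The following checker is an added example, not OSSEC code; the sample rules file is constructed inline, and the range 100000-109999 for user-defined ids is an assumption to verify against your OSSEC version.

```python
"""Lint an OSSEC local_rules.xml for mistakes that silently break custom rules."""
import xml.etree.ElementTree as ET

# Assumed range reserved for user-defined rule ids; check it against your OSSEC version.
LOCAL_LO, LOCAL_HI = 100000, 109999

# Constructed sample modelled on the rules above; the last rule is deliberately faulty.
SAMPLE_RULES = """
<group name="local,">
  <rule id="100215" level="5">
    <if_sid>31101</if_sid>
    <list lookup="match_key" field="url">rules/badurl</list>
    <description>URL is in badurl</description>
  </rule>
  <rule id="100216" level="10" frequency="4" timeframe="90">
    <if_matched_sid>100215</if_matched_sid>
    <same_source_ip />
    <description>Multiple badurl access from same source ip.</description>
  </rule>
  <rule id="100216" level="10" frequency="4">
    <if_matched_sid>100999</if_matched_sid>
    <description>duplicate id, no timeframe, dangling reference</description>
  </rule>
</group>
"""

def check_rules(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    # A rules file may hold several top-level <group> elements, which is not
    # well-formed XML by itself, so wrap it in a synthetic root before parsing.
    rules = list(ET.fromstring("<rules>" + xml_text + "</rules>").iter("rule"))
    ids = [int(r.get("id", "-1")) for r in rules]
    findings = [f"{i}: duplicate rule id" for i in sorted(set(ids)) if ids.count(i) > 1]
    for r, rid in zip(rules, ids):
        # Ids outside the local range are only legitimate when overwriting a stock rule.
        if not LOCAL_LO <= rid <= LOCAL_HI and r.get("overwrite") != "yes":
            findings.append(f'{rid}: id outside local range without overwrite="yes"')
        # frequency only has an effect together with a timeframe (in seconds).
        if "frequency" in r.attrib and "timeframe" not in r.attrib:
            findings.append(f"{rid}: frequency set without timeframe")
        for tag in ("if_sid", "if_matched_sid"):
            for el in r.findall(tag):
                for sid in (int(s) for s in el.text.split(",") if s.strip()):
                    # Stock rules live below the local range; only local references are checked.
                    if LOCAL_LO <= sid <= LOCAL_HI and sid not in ids:
                        findings.append(f"{rid}: <{tag}> references undefined local rule {sid}")
    return findings
```

Running check_rules(SAMPLE_RULES) reports the duplicate id 100216, the missing timeframe, and the dangling reference to 100999, while the correct rules pass without a finding.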

Why does xargs strip quotes from input?

Why does xargs strip quotes from input text?

Here is a simplified example:

echo "/Place/='http://www.google.com'" | xargs echo

outputs

/Place/=http://www.google.com

Solution 1:

From the xargs manual:

If you want an input argument to contain blanks or horizontal tabs, enclose it in double quotes or apostrophes. If the argument contains a double quote character ("), you must enclose the argument in apostrophes. Conversely, if the argument contains an apostrophe ('), you must enclose the argument in double quotes. You can also put a backslash (\) in front of a character to tell xargs to ignore any special meaning the character may have (for example, white space characters, or quotes).

This means you can escape quotes if the quotes are quoted themselves:

$ echo "/Place/=\'http://www.google.com\'" | xargs echo
/Place/='http://www.google.com'


Solution 2:

If you want xargs to ignore quotes, one good solution is to use the xargs flag -0.

Directly from the man page, OPTIONS:

-0, --null

Input items are terminated by a null character instead of by whitespace, and the quotes and backslash are not special (every character is taken literally). Disables the end of file string, which is treated like any other argument. Useful when input items might contain white space, quote marks, or backslashes. The GNU find -print0 option produces input suitable for this mode.

I've checked on a GNU system that setting the delimiter to a specific value (like a newline) with the -d option (and not just -0) would also cause xargs not to treat the quotes etc. specially.

Git: Your local changes to the following files would be overwritten by merge

If all local changes can be discarded, you can simply run git checkout . to do so. After that you can run git pull or similar commands to pull. To ignore certain files (that are not already committed) you can add the filenames/directories to .gitignore.