From 35cd825164c7be31e91a5bd011f0c815b3a539d6 Mon Sep 17 00:00:00 2001
From: Pablo Navarro <pablo.navarro@wazuh.com>
Date: Mon, 3 Sep 2018 10:00:12 +0200
Subject: [PATCH] Silence 100% of use in snap disks

---
 rules/0015-ossec_rules.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/0015-ossec_rules.xml b/rules/0015-ossec_rules.xml
index a4e263771..b3f5b7d3c 100755
--- a/rules/0015-ossec_rules.xml
+++ b/rules/0015-ossec_rules.xml
@@ -183,6 +183,13 @@
     <description>List of the last logged in users.</description>
   </rule>
 
+  <rule id="536" level="0">
+    <if_sid>531</if_sid>
+      <regex>'df -P':\s+/dev/loop\d+\s+\d+\s+\d+\s+0\s+100%\s+/snap/\w+/\d+</regex>
+      <description>Ignore snap disks because are always 100% of capacity</description>
+  </rule>
+
+
   <rule id="550" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_integrity_changed</decoded_as>