Incredibly basic rule(s), as follows, to get a match on the Software Restriction Policies on an MS PC.

  <rule id="100037" level="11">
    <match>WARNING(865)</match>
    <description>Tried to run something from the wrong area</description>
  </rule>

Also tried

  <rule id="100036" level="11">
    <match>SoftwareRestrictionPolicies</match>
    <description>Tried to run something from the wrong area</description>
  </rule>

and

  <rule id="100035" level="11">
    <match>Microsoft-Windows-SoftwareRestrictionPolicies</match>
    <description>Tried to run something from the wrong area</description>
  </rule>

Log test produces the following

ossec-testrule: Type one log per line.

015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog 2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): Microsoft-Windows-SoftwareRestrictionPolicies:

**Phase 1: Completed pre-decoding.
       full event: '015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog 2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): Microsoft-Windows-SoftwareRestrictionPolicies:'
       hostname: 'ossec'
       program_name: '(null)'
       log: '015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog 2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): Microsoft-Windows-SoftwareRestrictionPolicies:'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100037'
       Level: '11'
       Description: 'Tried to run something from the wrong area'
**Alert to be generated.

So it looks good, all three have matched under logtest (the test line is copied from the archive file after logall was applied...).
But I get no alerts after restarting. It's so basic, I can't see what can possibly be wrong, but I've been looking at it for over a day now and starting to go a bit mad ;-)
Any ideas? Please?

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
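The following is an added example, not code from the post or from the OSSEC project: a small Python simulator of how an OSSEC `<match>` pattern is applied to a log line, run over the three rules from the post and the exact line that was fed to ossec-logtest. It wraps the rules in a `<group>` element (the group name is a constructed example) because an OSSEC local rules file requires one, and it models `<match>` as OSSEC's own pattern syntax rather than a regex: `|`-separated alternatives, each a plain substring, with `^` anchoring the start and `$` the end of the log (case handling is not modelled). Note that the test line carries the archives.log prefix (`015 Nov 25 ... 192.168.10.71->WinEvtLog`) in front of the event text, which is visible in the `log:` field of the logtest output; the example keeps the line exactly as posted, so a `^`-anchored pattern would not hit it.

```python
"""Added example (not from the ossec-list post or OSSEC itself): simulate
OSSEC <match> evaluation for the three rules in the post."""
import xml.etree.ElementTree as ET

# The three rules from the post, wrapped in the <group> element that an
# OSSEC local rules file requires.  The group name is a constructed example.
RULES_XML = """
<group name="local,windows,">
  <rule id="100037" level="11">
    <match>WARNING(865)</match>
    <description>Tried to run something from the wrong area</description>
  </rule>
  <rule id="100036" level="11">
    <match>SoftwareRestrictionPolicies</match>
    <description>Tried to run something from the wrong area</description>
  </rule>
  <rule id="100035" level="11">
    <match>Microsoft-Windows-SoftwareRestrictionPolicies</match>
    <description>Tried to run something from the wrong area</description>
  </rule>
</group>
"""

# The line exactly as it was fed to ossec-logtest in the post (it still
# carries the archives.log prefix in front of the "WinEvtLog: ..." text).
LOGTEST_LINE = ("015 Nov 25 13:19:08 (seuk-d15) 192.168.10.71->WinEvtLog "
                "2015 Nov 25 13:19:06 WinEvtLog: Application: WARNING(865): "
                "Microsoft-Windows-SoftwareRestrictionPolicies:")


def parse_rules(xml_text):
    """Parse a rules file body into a list of dicts; rejects rules that are
    not enclosed in <group>, which OSSEC requires in a rules file."""
    root = ET.fromstring(xml_text)
    if root.tag != "group":
        raise ValueError("rules must be enclosed in a <group> element")
    rules = []
    for r in root.findall("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "match": (r.findtext("match") or "").strip(),
            "description": (r.findtext("description") or "").strip(),
        })
    return rules


def ossec_match(pattern, log):
    """Approximation of OSSEC <match> semantics (assumption: this is the
    subset the post's rules use): '|' separates alternatives, each alternative
    is a plain substring (not a regex), a leading '^' anchors it at the start
    of the log and a trailing '$' at the end.  Case-folding is not modelled."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt.lstrip("^").rstrip("$")
        if anchored_start and anchored_end:
            hit = log == core
        elif anchored_start:
            hit = log.startswith(core)
        elif anchored_end:
            hit = log.endswith(core)
        else:
            hit = core in log
        if hit:
            return True
    return False


def matching_rules(rules, log, min_level=1):
    """Return the ids of every rule whose <match> hits `log` and whose level
    is at least `min_level` (OSSEC's default alert threshold is level 1).
    Unlike OSSEC's rule tree this checks every rule independently, which is
    what makes all three rules in the post show up."""
    return [r["id"] for r in rules
            if r["level"] >= min_level and ossec_match(r["match"], log)]


if __name__ == "__main__":
    for rule_id in matching_rules(parse_rules(RULES_XML), LOGTEST_LINE):
        print("rule", rule_id, "matches the logtest line")
```

Running the block lists all three rule ids, which reproduces what logtest reported for each rule individually. The `parse_rules` check is the kind of sanity test worth keeping around: a rule pasted into a local rules file outside a `<group>` element parses as valid XML on its own but is not a valid OSSEC rules file.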