Re: [ossec-list] Can't Overwrite Rule 554

2012-09-07 Thread dan (ddp)
On Tue, Aug 28, 2012 at 11:26 PM, JJ Yu x86x...@gmail.com wrote: Dear Dan, I want to alert on some anti-malware files that I know of. So I added a rule to local_rules.xml as below. Every time after changing local_rules.xml, I re-started the OSSEC processes. $(grep keylog.exe

Re: [ossec-list] Can't Overwrite Rule 554

2012-09-05 Thread Mobile Testing
Dear Dan, I want to alert on some anti-malware files that I know of. So I added a rule to local_rules.xml as below. Every time after changing local_rules.xml, I re-started the OSSEC processes. Would you please tell me, when new_entry, how to alert when a specific file is be

Re: [ossec-list] Can't Overwrite Rule 554

2012-08-28 Thread JJ Yu
Dear Frank, Thanks for your support. I tried to add it to local_rules.xml, but it still has no effect. local_rules.xml as below: <group name="local,syslog,"> <rule id="51" level="7"> <if_sid>530</if_sid> <match>ossec: output: 'netstat -an |grep LISTEN</match> <check_diff />

Re: [ossec-list] Can't Overwrite Rule 554

2012-08-28 Thread dan (ddp)
On Sun, Aug 26, 2012 at 11:15 PM, JJ Yu x86x...@gmail.com wrote: I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~ as: <rule id="554" level="9"> The above looks wrong. Did you change it? Where did you change it? Why did you change it? <category>ossec</category>

Re: [ossec-list] Can't Overwrite Rule 554

2012-08-28 Thread dan (ddp)
On Mon, Aug 27, 2012 at 9:22 PM, JJ Yu x86x...@gmail.com wrote: Dear Frank, Thanks for your support. I tried to add it to local_rules.xml, but it still has no effect. Did you restart the OSSEC processes? How did you test? local_rules.xml as below: <group name="local,syslog,"> <rule

Re: [ossec-list] Can't Overwrite Rule 554

2012-08-28 Thread JJ Yu
Dear Dan, I want to alert on some anti-malware files that I know of. So I added a rule to local_rules.xml as below. Every time after changing local_rules.xml, I re-started the OSSEC processes. Would you please tell me, when new_entry, how to alert when a specific file is being added. Many

Re: [ossec-list] Can't Overwrite Rule 554

2012-08-27 Thread Frank Stefan Sundberg Solli
You need to add it to local_rules.xml. On Mon, Aug 27, 2012 at 5:15 AM, JJ Yu x86x...@gmail.com wrote: I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~ as: <rule id="554" level="9"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as>

[ossec-list] Can't Overwrite Rule 554

2012-08-26 Thread JJ Yu
I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~ as: <rule id="554" level="9"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule> <rule id="554" level="9"