Hi list,
I'm writing rules for the Windows Firewall but have a problem using the first-time cache.
I want to get an email alert the first time a program is blocked. With the rules below, rule 8502 was never triggered.
BTW, are there any docs on rule syntax?
Rgds.
Martin
===============================================================
<group name="windows,event_log">
<rule id="8308" level="4" >
<if_sid>8005</if_sid>
<id>^861</id>
<group>fw_blocked</group>
<description>The Windows Firewall has detected an application
listening for incoming traffic.</description>
</rule>
</group>
<group name="windows,eventlog,fts">
<rule id="8502" level="4">
<if_group>fw_blocked</if_group>
<options>alert_by_email</options>
<if_fts></if_fts>
<description>First time application blocked by Windows
Firewall.</description>
</rule>
</group>
===============================================================
** Alert 1155281253.43328: 2006 Aug 11 15:27:33
(MYHOST) 192.168.10.25->WinEvtLog
Rule: 8308 (level 4) -> 'The Windows Firewall has detected an application listening for incoming traffic.'
Src IP: (none)
User: admin
WinEvtLog: Security: AUDIT_FAILURE(861): Security: admin: MYHOST: MYHOST: nc C:\utils\nc.exe 2912 amdin MYHOST No No IPv4 TCP 28384 No No

** Alert 1155282533.44825: 2006 Aug 11 15:48:53
(MYHOST) 192.168.10.25->WinEvtLog
Rule: 8308 (level 4) -> 'The Windows Firewall has detected an application listening for incoming traffic.'
Src IP: (none)
User: admin
WinEvtLog: Security: AUDIT_FAILURE(861): Security: admin: MYHOST: MYHOST: - C:\WINDOWS\system32\nslookup.exe 2876 admin MYHOST No No IPv4 UDP 1731 No No
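To make the wanted behaviour concrete (alert only the first time a given program is blocked, then stay quiet for repeats), here is an added illustration that is not from the original post and not OSSEC's own first-time-seen code: a small persistent first-time-seen cache run over the two WinEvtLog lines above. The field layout of event 861 and the cache key (host plus lowercased program path) are assumptions taken from those two samples only.

```python
import json
import os
import re
import tempfile

# Field layout assumed from the two event-861 samples in the post:
# "AUDIT_FAILURE(861): Security: <user>: <host>: <host>: <name> <path> <pid> ..."
WINEVT_RE = re.compile(
    r"AUDIT_FAILURE\((?P<id>\d+)\):\s*Security:\s*(?P<user>[^:]+):\s*"
    r"(?P<host>[^:]+):\s*[^:]+:\s*(?P<name>\S+)\s+(?P<path>[A-Za-z]:\\\S+)"
)

# Constructed samples, copied from the alert lines above (raw strings: the
# paths contain backslash sequences such as "\n" and "\u").
SAMPLE_NC = r"WinEvtLog: Security: AUDIT_FAILURE(861): Security: admin: MYHOST: MYHOST: nc C:\utils\nc.exe 2912 amdin MYHOST No No IPv4 TCP 28384 No No"
SAMPLE_NSLOOKUP = r"WinEvtLog: Security: AUDIT_FAILURE(861): Security: admin: MYHOST: MYHOST: - C:\WINDOWS\system32\nslookup.exe 2876 admin MYHOST No No IPv4 UDP 1731 No No"


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not a 861 record."""
    m = WINEVT_RE.search(line)
    if not m:
        return None
    return {k: m.group(k).strip() for k in ("id", "user", "host", "name", "path")}


class FirstTimeSeen:
    """First-time-seen cache persisted to a JSON file so a restart does not
    re-alert on programs that were already seen."""

    def __init__(self, state_path):
        self.state_path = state_path
        self.seen = set()
        if os.path.exists(state_path):
            with open(state_path) as f:
                self.seen = set(json.load(f))

    def check(self, line):
        """True = first time this host/program pair was blocked (alert),
        False = seen before (suppress), None = not a blocked-program event."""
        ev = parse_event(line)
        if ev is None or ev["id"] != "861":
            return None
        key = f"{ev['host']}|{ev['path'].lower()}"
        if key in self.seen:
            return False
        self.seen.add(key)
        with open(self.state_path, "w") as f:
            json.dump(sorted(self.seen), f)
        return True


def demo(state_path=None):
    """Replay the two sample events; the fourth result uses a fresh cache
    instance to show that the state survives a restart."""
    state_path = state_path or os.path.join(tempfile.mkdtemp(), "fts.json")
    fts = FirstTimeSeen(state_path)
    results = [fts.check(SAMPLE_NC), fts.check(SAMPLE_NC), fts.check(SAMPLE_NSLOOKUP)]
    results.append(FirstTimeSeen(state_path).check(SAMPLE_NC))
    return results  # [True, False, True, False]
```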
