I have a question about local rule configuration.
I need to set up a custom rule to send a level 12 alert on changes to any
files in the c:\$WINDIR$\system32\drivers\etc folder.
I've tried multiple configurations of this rule and none have seemed to
work; any advice would be much appreciated at this point.
I tried it below the group configs with the setup below; please note
that I'm hard-coding my $WINDIR$ directory in the match portion in order
to eliminate possible problems (i.e. dumbing it down to make sure that
is not a possible issue).
<group name="local">
<rule id="100999" level="12">
<if_matched_group>syscheck</if_matched_group>
<description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
<match>c:\windows\System32\drivers\etc</match>
</rule>
</group>
That didn't work.
I've also tried it with the configs below, in the default groups in
local_rules.xml:
<rule id="100999" level="12">
<if_matched_group>syscheck</if_matched_group>
<description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
<match>c:\windows\System32\drivers\etc</match>
</rule>
<rule id="100999" level="12">
<if_sid>551</if_sid>
<description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
<match>for: 'C:\Windows\System32\drivers\etc'</match>
</rule>
I even tried this final one, since for whatever reason OSSEC reports the
directory paths exactly as input in the <match> section below.
<rule id="100999" level="12">
<if_sid>551</if_sid>
<description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
<match>for: 'C:\Windows/System32/drivers/etc'</match>
</rule>
None of these seem to work; any advice would be much appreciated.
-ted
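The rule below is an added example for local_rules.xml, not code from the post above. It targets the two things in the attempts that would stop a syscheck alert from ever reaching the rule: `<if_matched_group>` only takes effect in composite rules that also declare `frequency` and `timeframe`, so a plain child rule needs `<if_group>` (or `<if_sid>` listing the syscheck rules), and `<if_sid>551</if_sid>` alone only covers the "changed again (2nd time)" alert, not the first change, a deletion or an addition (rules 550, 553 and 554). The match string assumes the agent reports the path in the forward-slash form seen in the last attempt (`C:\Windows/System32/drivers/etc/hosts`); if the alert text shows backslashes instead, copy that separator. Matching only the path segment after the drive letter avoids having to match or escape a backslash at all. The rule ID is taken from the post; the group name and the exact alert wording are assumptions.

```xml
<group name="local,syscheck,">
  <!-- Added example (not from the original post). Assumes the stock
       syscheck rules 550-554 and a Windows agent that reports the file as
       "Integrity checksum changed for: 'C:\Windows/System32/drivers/etc/hosts'"
       (forward slashes after the drive letter, as in the post's last attempt). -->
  <rule id="100999" level="12">
    <!-- if_group (not if_matched_group) makes this a child of every
         syscheck alert: first change, repeated change, deletion, addition.
         <if_sid>550,551,553,554</if_sid> is the equivalent by ID. -->
    <if_group>syscheck</if_group>
    <!-- Substring match on the part of the path that carries no backslash,
         so no escaping question arises; the trailing slash keeps it from
         matching a sibling directory such as ...\drivers\etc2. -->
    <match>/System32/drivers/etc/</match>
    <description>Change to a file under %WINDIR%\System32\drivers\etc (hosts, services, ...)</description>
  </rule>
</group>
```

After adding it, restart the server side (`/var/ossec/bin/ossec-control restart`) and check `/var/ossec/logs/ossec.log` for a rule-load error; a duplicated rule ID from an earlier attempt left in the file will be reported there and will stop the new rule from loading.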