Try <if_group> instead of <if_matched_group>
On Thu, Apr 29, 2010 at 1:40 PM, ted beezy <[email protected]> wrote:
> I have a question about local rule configuration.
>
> I need to set up a custom rule to send a level 12 alert on changes to any
> files in the c:\$WINDIR$\system32\drivers\etc folder.
>
> I've tried multiple configurations of this rule and none have seemed to
> work; any advice would be much appreciated at this point.
>
> I tried it below the group configs with the setup below. Please note
> that I'm hard-coding my $WINDIR$ directory in the match portion in order
> to eliminate possible problems (i.e. dumbing it down to make sure that
> is not a possible issue).
>
> <group name="local">
>   <rule id="100999" level="12">
>     <if_matched_group>syscheck</if_matched_group>
>     <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
>     <match>c:\windows\System32\drivers\etc</match>
>   </rule>
> </group>
>
> That didn't work.
>
> I've also tried it with the configs below as well, in the default groups
> in local_rules.xml:
>
> <rule id="100999" level="12">
>   <if_matched_group>syscheck</if_matched_group>
>   <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
>   <match>c:\windows\System32\drivers\etc</match>
> </rule>
>
> <rule id="100999" level="12">
>   <if_sid>551</if_sid>
>   <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
>   <match>for: 'C:\Windows\System32\drivers\etc'</match>
> </rule>
>
> I even tried this final one, since for whatever reason OSSEC reports the
> directory paths exactly as input in the <match> section below.
>
> <rule id="100999" level="12">
>   <if_sid>551</if_sid>
>   <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
>   <match>for: 'C:\Windows/System32/drivers/etc'</match>
> </rule>
>
> None of these seem to work; any advice would be much appreciated.
>
> -ted
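For reference, here is what the suggested fix looks like as a complete local rule. This is an added example written for this page, not code posted by either participant. It assumes the Windows agent's ossec.conf monitors the directory in the forward-slash form OSSEC uses on Windows (`<directories check_all="yes">C:\Windows/System32/drivers/etc</directories>`), so that the alert text reads `Integrity checksum changed for: 'C:\Windows/System32/drivers/etc/hosts'` as the poster observed; the rule id 100999 and the group name are taken from the question.

```xml
<!-- Added example (not from the thread): level 12 alert on any syscheck
     (integrity) event whose path is under C:\Windows/System32/drivers/etc.
     Goes in /var/ossec/rules/local_rules.xml on the server. -->
<group name="local,syscheck,">
  <rule id="100999" level="12">
    <!-- if_group: this rule is a child of any rule whose group includes
         "syscheck" (550 changed, 551/552 changed again, 553 deleted).
         if_matched_group is a composite-rule condition that needs
         <frequency> and <timeframe>, which is why the original attempts
         never fired. -->
    <if_group>syscheck</if_group>
    <!-- No drive letter and no backslashes in the pattern: in OSSEC match
         patterns a backslash starts an escape (\w, \s, \d, ...), so the
         literal "C:\Windows" the poster used is not matched as typed.
         Assumes the agent reports the path with forward slashes after the
         drive, e.g. ... for: 'C:\Windows/System32/drivers/etc/hosts'. -->
    <match>Windows/System32/drivers/etc/</match>
    <description>Change to a file under C:\Windows/System32/drivers/etc</description>
  </rule>
</group>
```

To check it, restart the server (`/var/ossec/bin/ossec-control restart`), edit a file under that directory on the agent (for example `hosts`), wait for the next syscheck scan or force one with `agent_control -r`, and confirm that the entry in /var/ossec/logs/alerts/alerts.log carries rule 100999 at level 12 rather than the default 550 at level 7. Note that `if_sid 551` on its own, as in the poster's later attempts, would only match the second change to a file, never the first.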
