I've tried both of the following and neither seems to trigger a level 12
alert when I modify files in c:\windows\system32\drivers\etc
<rule id="100999" level="12">
<if_group>syscheck</if_group>
<description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
<match>for: 'C:\Windows/System32/drivers/etc'</match>
</rule>
<rule id="100998" level="12">
<if_group>syscheck</if_group>
<description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
<match>for: 'C:\Windows\System32\drivers\etc'</match>
</rule>
I have both rules nested in the syslog,local group in the config file.
Any idea why this will not trigger?
-=t
On Thu, 2010-04-29 at 15:09 -0400, dan (ddp) wrote:
> Try <if_group> instead of <if_matched_group>
>
> On Thu, Apr 29, 2010 at 1:40 PM, ted beezy <[email protected]> wrote:
> > I have a question about local rule configuration.
> >
> > I need to set up a custom rule to send a level 12 alert on changes to any
> > files in the c:\$WINDIR$\system32\drivers\etc folder.
> >
> > I've tried multiple configurations of this rule and none have seemed to
> > work. Any advice would be much appreciated at this point.
> >
> > I tried it below the group configs with the below setup. Please note
> > that I'm hard-coding my $WINDIR$ directory in the match portion in order
> > to eliminate possible problems (i.e. dumbing it down to make sure that
> > is not a possible issue).
> >
> > <group name="local">
> > <rule id="100999" level="12">
> > <if_matched_group>syscheck</if_matched_group>
> > <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
> > <match>c:\windows\System32\drivers\etc</match>
> > </rule>
> > </group>
> >
> > That didn't work.
> >
> > I've also tried it with the below configs as well in the default groups
> > in local_rules.xml
> >
> >
> > <rule id="100999" level="12">
> > <if_matched_group>syscheck</if_matched_group>
> > <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
> > <match>c:\windows\System32\drivers\etc</match>
> > </rule>
> >
> >
> > <rule id="100999" level="12">
> > <if_sid>551</if_sid>
> > <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
> > <match>for: 'C:\Windows\System32\drivers\etc'</match>
> > </rule>
> >
> > I even tried this final one since for whatever reason ossec reports the
> > directory paths exactly as input in the <match> section below.
> >
> > <rule id="100999" level="12">
> > <if_sid>551</if_sid>
> > <description>Changes to files in c:\%WINDIR%\System32\drivers\etc</description>
> > <match>for: 'C:\Windows/System32/drivers/etc'</match>
> > </rule>
> >
> > None of these seem to work. Any advice would be much appreciated.
> >
> > -ted
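A quick check worth running before digging into rule semantics, added here as an example and not part of this thread or of OSSEC itself: the script treats `<match>` as a plain, case-sensitive substring test (an assumption about OSSEC's matcher) and runs the strings tried in the thread against a constructed alert line in the mixed-separator form ted reports for a file inside the directory, then contrasts that with a Windows-aware directory test that ignores slash direction and case. The shorter candidate without the closing quote is added for comparison and is not from the thread.

```python
from pathlib import PureWindowsPath

# Constructed sample of the alert text for one changed file, written in the
# mixed-separator form the Windows agent reports; not real OSSEC output.
SAMPLE_ALERT = (
    "Integrity checksum changed for: 'C:\\Windows/System32/drivers/etc/hosts'"
)

# The <match> strings tried in the thread, plus one added variant (last entry)
# that drops the closing quote so a file *inside* the directory can match.
CANDIDATES = [
    r"c:\windows\System32\drivers\etc",
    r"for: 'C:\Windows\System32\drivers\etc'",
    r"for: 'C:\Windows/System32/drivers/etc'",
    r"for: 'C:\Windows/System32/drivers/etc",
]


def literal_hits(alert, candidates):
    """Plain, case-sensitive substring test for each candidate string.

    Assumption: OSSEC's <match> behaves as a literal (non-regex) substring
    match on the event text; this is a simplified stand-in, not its matcher.
    """
    return {c: (c in alert) for c in candidates}


def reported_path(alert):
    """Pull the single-quoted path out of the constructed alert text."""
    start = alert.index("'") + 1
    end = alert.index("'", start)
    return alert[start:end]


def under_directory(path, directory):
    """True when path lies inside directory under Windows path semantics
    (separators normalised, comparison case-insensitive), so neither the
    slash style nor the casing of a hard-coded string can cause a miss."""
    return PureWindowsPath(directory) in PureWindowsPath(path).parents


if __name__ == "__main__":
    for cand, hit in literal_hits(SAMPLE_ALERT, CANDIDATES).items():
        print(f"{'hit ' if hit else 'miss'}  {cand}")
    path = reported_path(SAMPLE_ALERT)
    print(under_directory(path, r"c:\windows\system32\drivers\etc"))
```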