I am trying to follow this setup to scan tmp for files that have perl
or php in them but for the life of me I can't seem to get it to work.
Any ideas on what I need to get this to work so that when files are
found I am sent emails about them?

http://groups.google.com/group/ossec-list/browse_thread/thread/b555f6ed0ef4839d

Server - system_audit_rcl.txt
##Added to look for perl and php in /tmp
[File found in /tmp that is perl or php code - Possible compromise] [any] []
d:/tmp -> -> r:<?|^#!;
##Added to look for perl and php in /var/tmp
[File found in /tmp that is perl or php code - Possible compromise] [any] []
d:/var/tmp -> -> r:<?|^#!;

Agent - merged.mg
##Added to look for perl and php in /tmp
[File found in /tmp that is perl or php code - Possible compromise] [any] []
d:/tmp -> -> r:<?|^#!;
##Added to look for perl and php in /var/tmp
[File found in /var/tmp that is perl or php code - Possible compromise] [any] []
d:/var/tmp -> -> r:<?|^#!;
# EOF #