You can also use restrict=".asp" to only monitor those files...

<directories check_all="yes" restrict=".asp">c:\inetpub/</directories>

Thanks,

On Thu, Jan 20, 2011 at 3:13 PM, dan (ddp) <[email protected]> wrote:
> Hi Mike,
>
> On Thu, Jan 20, 2011 at 12:50 PM, Mike Smith <[email protected]> wrote:
>> Hello,
>>
>> I would like to know how I can get ossec to alert me any time a file with
>> the extension of .asp is placed with the c:\inetpub directory running
>> windows server 2003.
>>
>> <directories check_all="yes">c:\inetpub/*.asp</directories> or how do you do
>> it with a file ext like .asp can you do *.asp or ,asp$
>
>
> New topic, new thread. Don't re-use threads. ;)
>
> Anyhow, your directories statement won't work. There isn't much
> globbing support in OSSEC.
>
> Your best option might be turning on the alert on new files option,
> and creating a rule to alert on asp files in inetpub. Something like:
>
> <rule id="100000" level="10">
>   <if_sid>554</if_sid>
>   <match>c:\inetpub</match>
>   <regex>inetpub/\.+.asp</regex>
>   <description>New asp file</description>
> </rule>
>
> I haven't tested this at all, so I don't know if it's exactly right.
> You may have to make adjustments.
>
>>
>> Also, what frequency can I set, can you set it to 1 min / 60 secs, or is
>> there a better way using the realtime option.
>>
>> Thanks,
>>
>> Mike
>
> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
> You can set the frequency to whatever you want (in seconds). If you
> have syscheck checking a lot of directories, it may not finish in 60
> seconds though. The realtime option may be best on the platforms that
> support it.
>
