I am in the process of creating rules for social security number detection and
credit cards. I created the following file, customer_data, with the contents:

    123-45-6789
I then modified /var/ossec/etc/shared/system_audit_rcl.txt with the following:

    [Possible Unencrypted Social Security Number Detected] [any] []
    d:$web_dirs -> r:^\. -> r:\d\d\d-\d\d-\d\d\d\d;
Next I modified /var/ossec/rules/local_rules.xml with the following:

    <!-- This will check social security plain text. -->
    <!--
    <rule id="100024" level="12">
      <if_sid>516</if_sid>
      <match>Unencrypted Social Security Number</match>
      <description>Possible Unencrypted Social Security Number Detected</description>
    </rule>
    -->
Next I restarted OSSEC with: /var/ossec/bin/ossec-control restart
Next I initiated a scan on the local system: /var/ossec/bin/agent_ctonrol -r -u 000
The problem that I have is that I do not get any results back detecting that the
customer_data file contains what appears to be a social security number.
Does anybody see where I may have gone wrong?
Barry Walker
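As an added example (not part of Barry's post and not OSSEC code), the Python script below does two things a practitioner would want when debugging a rule like this: it runs the post's digit pattern over constructed sample file contents, optionally discarding numbers the SSA never issues (area 000, 666 or 900-999, group 00, serial 0000) to cut false positives, and it parses a local_rules.xml fragment with a standard XML parser to list which rule ids are actually visible, since a rule wrapped in `<!-- -->` is a comment to the parser and will never fire. The file names, contents and XML fragments are constructed here for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The post's rootcheck pattern \d\d\d-\d\d-\d\d\d\d, as a Python regex
# with word boundaries and capture groups for area/group/serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never assigns: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as plausible."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text, strict=True):
    """Return (line_number, match) tuples for SSN-shaped strings in text.
    With strict=True, implausible numbers are dropped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if strict and not is_plausible_ssn(*m.groups()):
                continue
            hits.append((lineno, m.group(0)))
    return hits


def scan_files(files, strict=True):
    """files: mapping of file name -> contents (constructed sample data).
    Returns only the files that produced at least one hit."""
    report = {}
    for name, body in files.items():
        hits = find_ssns(body, strict)
        if hits:
            report[name] = hits
    return report


def active_rule_ids(xml_fragment):
    """Return the rule ids an XML parser sees in a local_rules.xml fragment.
    Rules inside <!-- --> are comments and are not returned, which is the
    same reason they are never loaded as rules."""
    root = ET.fromstring("<root>" + xml_fragment + "</root>")
    return [r.get("id") for r in root.iter("rule")]


# Constructed sample files, including one false-positive candidate.
SAMPLE_FILES = {
    "customer_data": "123-45-6789\n",
    "notes.txt": "ticket 000-12-3456 was closed\n",
    "README": "no numbers in this file\n",
}

# The rule as posted (commented out) and the same rule with the comment removed.
RULE_COMMENTED = """
<!-- This will check social security plain text. -->
<!--
<rule id="100024" level="12">
  <if_sid>516</if_sid>
  <match>Unencrypted Social Security Number</match>
  <description>Possible Unencrypted Social Security Number Detected</description>
</rule>
-->
"""
RULE_ACTIVE = RULE_COMMENTED.replace("<!--\n", "").replace("\n-->", "")


if __name__ == "__main__":
    print("strict scan:", scan_files(SAMPLE_FILES))
    print("loose scan: ", scan_files(SAMPLE_FILES, strict=False))
    print("rule ids seen in commented fragment:", active_rule_ids(RULE_COMMENTED))
    print("rule ids seen in active fragment:   ", active_rule_ids(RULE_ACTIVE))
```

Running it shows that the strict scan flags only customer_data, the loose scan also flags the 000-prefixed number, and the parser reports no rule id for the commented-out fragment but 100024 once the comment markers are gone.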