Hi Barry,

Without looking at the documentation....

On Fri, Apr 1, 2011 at 11:13 AM, Walker, Barry <[email protected]> wrote:
> I am in the process of creating rules for social security number detection
> and credit cards. I created the following file, customer_data with the
> contents of:
>
> 123-45-6789
>
> I then modified /var/ossec/etc/shared/system_audit_rcl.txt with the following:
>
> [Possible Unencrypted Social Security Number Detected] [any] []
> d:$web_dirs -> r:^\. -> r:\d\d\d-\d\d-\d\d\d\d;
>

What is $web_dirs?

> Next I modified /var/ossec/rules/local_rules.xml with the following:
>
> <!-- This will check social security plain text. -->
> <!--

Do you have the above characters in the local_rules.xml in this position above the rule? If so, they will make the rule a "comment" and it will not be live.

> <rule id=.100024. level=.12.>

I'm guessing the "."s above are "mis-translated" quotations.

> <if_sid>516</if_sid>
> <match>Unencrypted Social Security Number</match>
> <description>Possible Unencrypted Social Security Number
> Detected</description>
> </rule>
> -->
>
> Next I restarted OSSEC with: /var/ossec/bin/ossec-control restart
>
> Next I initiated a scan on the local system: /var/ossec/bin/agent_ctonrol -r
> -u 000
>
> The problem that I have is that I do not get any results back detecting the
> customer_data file has what appears to be a social security number.
>
> Does anybody see where I may have gone wrong?
>
> Barry Walker
>

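The two failure points raised in the reply (an unresolved directory variable and a rule wrapped in an XML comment) can be checked outside OSSEC. The script below is an added example, not code from the thread or from OSSEC: it emulates the rcl "directory -> filename regex -> content regex" walk with Python regexes (an approximation, since OSSEC uses its own regex dialect) over a constructed directory, and shows that a `<rule>` placed inside `<!-- -->` is not seen by an XML parser, which is what happens inside OSSEC when the rule is commented out. The quotes in the rule are assumed to be the intended `"` characters.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Python equivalent of the rcl content check r:\d\d\d-\d\d-\d\d\d\d
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")

def scan_dirs_for_ssn(dirs, name_pattern=r"."):
    """Emulate 'd:<dir> -> r:<name> -> r:<content>': list files under dirs whose
    name matches name_pattern and whose contents contain an SSN-like string."""
    name_re = re.compile(name_pattern)
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for fn in files:
                if name_re.search(fn):
                    path = os.path.join(root, fn)
                    with open(path, errors="replace") as fh:
                        if SSN_RE.search(fh.read()):
                            hits.append(path)
    return sorted(hits)

def live_rule_ids(rules_xml):
    """Ids of <rule> elements that are active in a local_rules.xml fragment.
    ElementTree discards <!-- --> comments, so a rule wrapped in one is absent."""
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    return {r.get("id") for r in root.iter("rule")}

# Constructed rule text: the same rule once live, once wrapped in a comment.
RULE = """<rule id="100024" level="12">
  <if_sid>516</if_sid>
  <match>Unencrypted Social Security Number</match>
  <description>Possible Unencrypted Social Security Number Detected</description>
</rule>"""
LIVE_RULES = '<group name="local,">' + RULE + "</group>"
COMMENTED_RULES = '<group name="local,"><!-- ' + RULE + " --></group>"

def build_sample_dir():
    """Constructed stand-in for $web_dirs: one file with an SSN-like value,
    one without. Returns the directory path."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "customer_data"), "w") as fh:
        fh.write("123-45-6789\n")
    with open(os.path.join(d, "index.html"), "w") as fh:
        fh.write("<p>nothing sensitive here</p>\n")
    return d

if __name__ == "__main__":
    web_dir = build_sample_dir()
    print("files with SSN-like content:", scan_dirs_for_ssn([web_dir]))
    print("live rule ids:", live_rule_ids(LIVE_RULES), live_rule_ids(COMMENTED_RULES))
```

If the scan finds the file here but OSSEC stays silent, the remaining suspects are the value of $web_dirs and whether the rule id actually appears when the parser skips the comment.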