Thanks Dan. I think I found the biggest problem. The sid is incorrect. Web_dirs is set up for our different web directories such as /usr/apache, etc. The rule numbers were mis-translated quotes, but thanks for pointing it out. I will look at the decoder.xml file. I was pointing it to MySql and not Apache.
Barry Walker

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Friday, April 01, 2011 3:59 PM
To: [email protected]
Subject: Re: [ossec-list] Ossec Rules

Hi Barry,
Without looking at the documentation....

On Fri, Apr 1, 2011 at 11:13 AM, Walker, Barry <[email protected]> wrote:
> I am in the process of creating rules for social security number detection
> and credit cards. I created the following file, customer_data with the
> contents of:
>
> 123-45-6789
>
> I then modified /var/ossec/etc/shared/system_audit_rcl.txt with the following:
>
> [Possible Unencrypted Social Security Number Detected] [any] []
> d:$web_dirs -> r:^\. -> r:\d\d\d-\d\d-\d\d\d\d;

What is $web_dirs?

> Next I modified /var/ossec/rules/local_rules.xml with the following:
>
> <!-- This will check social security plain text. -->
> <!--

Do you have the above characters in the local_rules.xml in this position above the rule? If so, they will make the rule a "comment" and it will not be live.

> <rule id=.100024. level=.12.>

I'm guessing the "."s above are "mis-translated" quotations.

> <if_sid>516</if_sid>
> <match>Unencrypted Social Security Number</match>
> <description>Possible Unencrypted Social Security Number
> Detected</description>
> </rule>
> -->
>
> Next I restarted OSSEC with: /var/ossec/bin/ossec-control restart
>
> Next I initiated a scan on the local system: /var/ossec/bin/agent_control -r
> -u 000
>
> The problem that I have is that I do not get any results back detecting the
> customer_data file has what appears to be a social security number.
>
> Does anybody see where I may have gone wrong?
>
> Barry Walker
>
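One way to catch the two local_rules.xml problems Dan spotted (a rule wrapped in an XML comment, and attribute values delimited by "." instead of quotes) before restarting OSSEC, as an added example that is not from the thread or the OSSEC project; it assumes Python 3.8+ and lints a constructed fragment that mirrors Barry's snippet:

```python
"""Lint an OSSEC local_rules.xml fragment for rules that will never be live.

Added example (not OSSEC code). local_rules.xml holds several top-level
<group> elements, so the text is wrapped in a synthetic root before parsing,
and comments are kept so a <rule> hidden inside one can be reported.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first rule sits inside <!-- -->, the second is live.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <!-- This will check social security plain text. -->
  <!--
  <rule id=.100024. level=.12.>
    <if_sid>516</if_sid>
    <match>Unencrypted Social Security Number</match>
    <description>Possible Unencrypted Social Security Number Detected</description>
  </rule>
  -->
  <rule id="100025" level="7">
    <if_sid>516</if_sid>
    <match>Credit Card</match>
    <description>Live rule for comparison (constructed)</description>
  </rule>
</group>
"""

RULE_OPEN = re.compile(r"<rule\b([^>]*)>")          # opening tag of a rule
BAD_ATTR = re.compile(r"\b(id|level)=\.(\w+)\.")     # id=.100024. style quoting


def lint_local_rules(xml_text):
    """Return (rule_id, problem) tuples for rules that will not load as written."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring("<root>" + xml_text + "</root>", parser=parser)
    findings = []
    for node in root.iter():
        if node.tag is ET.Comment:
            # Anything inside a comment is ignored by ossec-analysisd.
            for m in RULE_OPEN.finditer(node.text or ""):
                attrs = m.group(1)
                rid = re.search(r"id=[\"'.]?(\d+)", attrs)
                rid = rid.group(1) if rid else "?"
                findings.append((rid, "rule is inside an XML comment and will not load"))
                if BAD_ATTR.search(attrs):
                    findings.append((rid, "attributes use '.' instead of quotes"))
        elif node.tag == "rule" and ("id" not in node.attrib or "level" not in node.attrib):
            findings.append((node.get("id", "?"), "missing id or level attribute"))
    return findings
```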
