Hi All,
I apologize for troubling the list with what I thought was a simple
rule, but for the life of me I can't figure out why my rule isn't
firing.
I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a
Windows client.
Here is part of my ossec.conf
<directories realtime="yes" check_all="yes">E:\BlueScreendev_root</directories>
<directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\EFTPSRefDev</directories>
<directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\BlueScreen_root</directories>
<directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\ISTS_root</directories>
<directories realtime="yes" check_all="yes">E:\OLRSDev_Root\MyRT</directories>
<directories realtime="yes" check_all="yes">E:\OURSDev_Root</directories>
<directories realtime="yes" check_all="yes">E:\PRSDev_root</directories>
<directories realtime="yes" check_all="yes">E:\VLRSdev_Root</directories>
And here is the rule that I'm trying to get to work...
<rule id="100724" level="0">
  <if_group>syscheck</if_group>
  <if_sid>550, 551, 552, 553, 554</if_sid>
  <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
  <description>Testing rule 100724</description>
</rule>
<rule id="100725" level="7">
  <if_sid>100724</if_sid>
  <description>Changes to Web Files</description>
</rule>
Using ./syscheck_control -i ### does show that the changes are being
noticed, but I am not getting any alerts.
I have another testing rule as suggested from here --
http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/
-- and that works.
Any help would be greatly appreciated as I only dive into OSSEC about
every two years and it takes me a while to relearn all that I did
previously.
Thanks to all in the group,
Patrick Swartz
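As an added example (not part of the original post or of the OSSEC project), here is a small Python script that takes the two rules above, with the mail-wrapped <match> joined back onto one line, and checks the pattern against a few constructed syscheck messages the way OSSEC's <match> evaluates it: a case-sensitive substring test in which '|' separates alternatives. That simplified semantics is an assumption of the example (anchors and other pattern features are not modelled), and the sample messages and the file names in them are constructed, not taken from any real agent.

```python
"""Check an OSSEC <match> pattern against sample syscheck messages.

Added example, not from the original post or the OSSEC project. It models
only the part of OSSEC's <match> semantics needed here (assumption): a
case-sensitive substring test in which '|' separates alternatives. The
rules below are the ones from the post, with the wrapped <match> joined
onto one line; the sample messages are constructed.
"""
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

# Rules from the post, wrapped in a <group> so the XML has a single root.
RULES_XML = """<group name="local,syscheck,">
  <rule id="100724" level="0">
    <if_group>syscheck</if_group>
    <if_sid>550, 551, 552, 553, 554</if_sid>
    <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
    <description>Testing rule 100724</description>
  </rule>
  <rule id="100725" level="7">
    <if_sid>100724</if_sid>
    <description>Changes to Web Files</description>
  </rule>
</group>
"""

# Constructed syscheck messages in the shape a Windows agent reports them
# (file names are made up for the example).
SAMPLE_MESSAGES = [
    "Integrity checksum changed for: 'E:\\InetPub\\wwwroot\\EFTPSRefDev\\default.aspx'",
    "File added to the system. 'E:\\PRSDev_root\\web.config'",
    "Integrity checksum changed for: 'C:\\Windows\\System32\\drivers\\etc\\hosts'",
]


def load_match(rules_xml: str, rule_id: str) -> str:
    """Return the <match> text of the rule with the given id."""
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id:
            text = rule.findtext("match")
            if text is None:
                raise ValueError(f"rule {rule_id} has no <match>")
            return text
    raise KeyError(f"rule {rule_id} not found")


def ossec_match(pattern: str, message: str) -> Optional[str]:
    """Emulate OSSEC <match>: return the first '|' alternative that occurs
    in message as a case-sensitive substring, or None if none does."""
    for alternative in pattern.split("|"):
        if alternative and alternative in message:
            return alternative
    return None


def classify(rules_xml: str, rule_id: str,
             messages: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair each message with the alternative that would make rule_id fire."""
    pattern = load_match(rules_xml, rule_id)
    return [(msg, ossec_match(pattern, msg)) for msg in messages]


if __name__ == "__main__":
    for msg, hit in classify(RULES_XML, "100724", SAMPLE_MESSAGES):
        label = "MATCH " + hit if hit else "no match"
        print(f"{label:<20} {msg}")
```

The script only answers the narrow question of whether the pattern text can ever hit a given message (for instance that "EFTPSREF" in upper case does not match a path containing "EFTPSRefDev", while the later "EFTPSRefDev" alternative does). To see what the OSSEC analysis engine itself does with the full rule chain, including the if_sid and if_group conditions, feed the same message to /var/ossec/bin/ossec-logtest on the server, which prints the rule that finally matched.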