Hi Patrick,

Try using only <if_group> or only <if_sid>, not both. I think that's what is causing the issue.
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Aug 26, 2011 at 11:35 AM, Swartz, Patrick H <[email protected]> wrote:
> Hi All,
> I apologize for troubling the list with what I thought was a simple
> rule, but for the life of me I can't figure out why my rule isn't
> firing.
>
> I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a
> Windows client.
> Here is part of my ossec.conf
>
> <directories realtime="yes" check_all="yes">E:\BlueScreendev_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\EFTPSRefDev</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\BlueScreen_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\ISTS_root</directories>
> <directories realtime="yes" check_all="yes">E:\OLRSDev_Root\MyRT</directories>
> <directories realtime="yes" check_all="yes">E:\OURSDev_Root</directories>
> <directories realtime="yes" check_all="yes">E:\PRSDev_root</directories>
> <directories realtime="yes" check_all="yes">E:\VLRSdev_Root</directories>
>
> And here is the rule that I'm trying to get to work...
>
> <rule id="100724" level="0">
>   <if_group>syscheck</if_group>
>   <if_sid>550, 551, 552, 553, 554</if_sid>
>   <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
>   <description>Testing rule 100724</description>
> </rule>
> <rule id="100725" level="7">
>   <if_sid>100724</if_sid>
>   <description>Changes to Web Files</description>
> </rule>
>
> Using ./syscheck_control -i ### does show that the changes are being
> noticed, but I am not getting any alerts.
>
> I have another testing rule as suggested from here --
> http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/
> -- and that works.
>
> Any help would be greatly appreciated as I only dive into OSSEC about
> every two years and it takes me a while to relearn all that I did
> previously.
>
> Thanks to all in the group,
>
> Patrick Swartz
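A small lint pass over a local rules file, added here as an example (it is not OSSEC's own tooling and not code from either poster). It assumes the two rules from the thread sit in a `<group>` element as they would in local_rules.xml, and that the stock syscheck rule ids 550-554 are the only builtin ids of interest. It flags a rule that carries both `<if_group>` and `<if_sid>`, the combination the reply suggests dropping, and any `<if_sid>` that points at an id defined neither locally nor in the builtin set, which is the other common reason a chained rule never fires.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two rules from the thread, with a shortened <match>.
SAMPLE_RULES = """<group name="local,syscheck,">
  <rule id="100724" level="0">
    <if_group>syscheck</if_group>
    <if_sid>550, 551, 552, 553, 554</if_sid>
    <match>EFTPSREF|ISTSREF|MYRT</match>
    <description>Testing rule 100724</description>
  </rule>
  <rule id="100725" level="7">
    <if_sid>100724</if_sid>
    <description>Changes to Web Files</description>
  </rule>
</group>"""

# Constructed: the stock syscheck rule ids the thread chains on.
BUILTIN_IDS = {"550", "551", "552", "553", "554"}


def lint_rules(xml_text, builtin_ids):
    """Return (rule_id, message) pairs for rules that combine <if_group> with
    <if_sid>, or whose <if_sid> references an id that is neither local nor builtin."""
    root = ET.fromstring(xml_text)
    local_ids = {r.get("id") for r in root.iter("rule")}
    findings = []
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if_sid = rule.find("if_sid")
        if rule.find("if_group") is not None and if_sid is not None:
            findings.append((rid, "has both <if_group> and <if_sid>; keep only one"))
        if if_sid is not None:
            for ref in if_sid.text.split(","):
                ref = ref.strip()
                if ref and ref not in local_ids and ref not in builtin_ids:
                    findings.append((rid, "<if_sid> refers to unknown rule %s" % ref))
    return findings


def fixed_sample():
    """SAMPLE_RULES with <if_group> removed from any rule that also has <if_sid>."""
    root = ET.fromstring(SAMPLE_RULES)
    for rule in root.iter("rule"):
        grp = rule.find("if_group")
        if grp is not None and rule.find("if_sid") is not None:
            rule.remove(grp)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for rid, msg in lint_rules(SAMPLE_RULES, BUILTIN_IDS):
        print("rule %s: %s" % (rid, msg))
```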
