What is your real goal? This thread is a jumbled mess.

On Fri, Aug 26, 2011 at 10:35 AM, Swartz, Patrick H <[email protected]> wrote:
> Hi All,
> I apologize for troubling the list with what I thought was a simple
> rule, but for the life of me I can't figure out why my rule isn't
> firing.
>

Which rule? You include 2. 100724 is a level 0 so nothing will be logged, and I think 100725 is just looking for a level 0 alert so it won't fire. 100725 also looks like it's ONLY looking for 100724, and in that case bump the level of 100724 to 7 and 100725 becomes redundant. Try it with 100724 as a level 1.

> I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a
> Windows client.
> Here is part of my ossec.conf
>
> <directories realtime="yes" check_all="yes">E:\BlueScreendev_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\EFTPSRefDev</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\BlueScreen_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\ISTS_root</directories>
> <directories realtime="yes" check_all="yes">E:\OLRSDev_Root\MyRT</directories>
> <directories realtime="yes" check_all="yes">E:\OURSDev_Root</directories>
> <directories realtime="yes" check_all="yes">E:\PRSDev_root</directories>
> <directories realtime="yes" check_all="yes">E:\VLRSdev_Root</directories>
>
> And here is the rule that I'm trying to get to work...
>
> <rule id="100724" level="0">
>   <if_group>syscheck</if_group>
>   <if_sid>550, 551, 552, 553, 554</if_sid>
>   <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
>   <description>Testing rule 100724</description>
> </rule>
>
> <rule id="100725" level="7">
>   <if_sid>100724</if_sid>
>   <description>Changes to Web Files</description>
> </rule>
>
> Using ./syscheck_control -i ### does show that the changes are being
> noticed, but I am not getting any alerts.
>
> I have another testing rule as suggested from here --
> http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/
> -- and that works.
>
> Any help would be greatly appreciated as I only dive into OSSEC about
> every two years and it takes me a while to relearn all that I did
> previously.
>
> Thanks to all in the group,
>
> Patrick Swartz
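The consolidated rule the reply suggests, written out as an added example (not code from the thread): one rule at level 7 carrying the match directly, with the match pattern joined back onto a single line where the poster's mail client had wrapped it. It assumes the rule is placed in local_rules.xml under the usual local,syscheck, group header.

```xml
<!-- Added example: the two quoted rules collapsed into one, as the reply
     suggests. Assumed to live in /var/ossec/rules/local_rules.xml inside
     the standard local group; this is not the poster's configuration. -->
<group name="local,syscheck,">

  <!-- OSSEC never alerts on level 0, so a level-0 parent whose only job
       is to feed a level-7 child can be replaced by putting the level on
       the matching rule itself. Rules 550-554 are the syscheck events
       (file added / modified / deleted / checksum changes). -->
  <rule id="100724" level="7">
    <if_sid>550,551,552,553,554</if_sid>
    <!-- The quoted pattern was broken across lines by the mail client
         ("EFTPSRefDe > v", "OU > RSDev_Root"); it must be one unbroken
         string, with "|" separating the alternatives. -->
    <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
    <description>Changes to Web Files</description>
  </rule>

</group>
```

Restart ossec-analysisd (or the whole server) after editing local_rules.xml so the rule is reloaded; an alert at level 7 will then appear in alerts.log under the default log_alert_level of 1.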
