Hello!
I want to control new txt files in a directory. The agent works under Windows 7.
So I created these rules:
<rule id="100003" level="7">
  <if_sid>554</if_sid>
  <description>Some file was created</description>
</rule>
<rule id="100004" level="10">
  <if_sid>100003</if_sid>
  <match> .txt' added to the file system.</match>
  <description>New txt file added</description>
</rule>
Rule 100003 works and I receive alerts. But rule 100004 doesn't work, I mean I don't receive alerts.
You see, I added 2 files, an exe and a txt, and I receive the following alerts:
OSSEC HIDS Notification.
2011 Nov 28 12:08:21
Received From: (My_Win7_Machine) 172.19.42.123->syscheck
Rule: 100003 fired (level 7) -> "Some file was created"
Portion of the log(s):
New file 'C:\Test/setup_7.exe' added to the file system.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2011 Nov 28 12:08:21
Received From: (My_Win7_Machine) 172.19.42.123->syscheck
Rule: 100003 fired (level 7) -> "Some file was created"
Portion of the log(s):
New file 'C:\Test/Test7.txt' added to the file system.
--END OF NOTIFICATION
But everywhere, both in books and on the Internet, I read that this rule must work.
Please help me eliminate my mistake.
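As an added illustration, not part of the original post or of OSSEC's own code: a small Python emulation of the if_sid/match chain, run over the two syscheck lines from the alerts above. OSSEC's <match> is a plain-text pattern, not a regex, so the leading space in ` .txt'` is part of what must appear in the log line, and `Test7.txt'` has no space before the dot. The prefix-check stand-in for built-in rule 554 and the FIXED_XML variant are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The two custom rules exactly as posted in the message above.
RULES_XML = """<group>
<rule id="100003" level="7">
<if_sid>554</if_sid>
<description>Some file was created</description>
</rule>
<rule id="100004" level="10">
<if_sid>100003</if_sid>
<match> .txt' added to the file system.</match>
<description>New txt file added</description>
</rule>
</group>"""
# Same rules with the leading space removed from <match> (the hypothetical fix).
FIXED_XML = RULES_XML.replace("<match> .txt'", "<match>.txt'")
# Syscheck log lines copied from the alerts above.
LOG_LINES = [
    "New file 'C:\\Test/setup_7.exe' added to the file system.",
    "New file 'C:\\Test/Test7.txt' added to the file system.",
]

def ossec_match(pattern, line):
    """Emulate OSSEC <match>: plain text, not regex ('.' and ' ' are literal);
    '|' separates alternatives and a leading '^' anchors at the start."""
    return any(line.startswith(alt[1:]) if alt.startswith("^") else alt in line
               for alt in pattern.split("|"))

def load_rules(xml_text):
    """Parse id, if_sid and match of each rule; the match text is kept verbatim."""
    return {r.get("id"): {"if_sid": r.findtext("if_sid"), "match": r.findtext("match")}
            for r in ET.fromstring(xml_text).iter("rule")}

def evaluate(rules, line):
    """Return the id of the deepest rule that fires. Built-in syscheck rule 554 is
    stood in for by a prefix check; a child is tried only after its if_sid parent fired."""
    if not line.startswith("New file '"):
        return None
    fired = "554"
    while True:
        child = next((rid for rid, r in rules.items() if r["if_sid"] == fired
                      and (r["match"] is None or ossec_match(r["match"], line))), None)
        if child is None:
            return fired
        fired = child

def fired_rules(xml_text=RULES_XML):
    """Deepest firing rule per log line: as posted -> ['100003', '100003'],
    with the space removed -> ['100003', '100004']."""
    return [evaluate(load_rules(xml_text), line) for line in LOG_LINES]
```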