On Mon, Nov 28, 2011 at 3:25 AM, Dmitry <[email protected]> wrote:
> Hello!
> I'm going to control new txt files in the directory. Agent works under
> Windows7.
> So I created rule:
> <rule id="100003" level="7">
> <if_sid>554</if_sid>
> <description>Some file was created</description>
> </rule>
>
> <rule id="100004" level="10">
> <if_sid>100003</if_sid>
> <match> .txt' added to the file system.</match>

I'm guessing the text above comes from an actual syslog alert. The alert descriptions are not fed back through OSSEC, so this won't match. You could possibly use <match>.txt$</match> to get a match, but I haven't tried it.

> <description>New txt file added</description>
> </rule>
>
> The rule 100003 works and I receive alerts. But the rule 100004
> doesn't work. I mean I don't receive alerts.
> You see, I add 2 files: exe & txt. And I receive the following alert:
>
> OSSEC HIDS Notification.
> 2011 Nov 28 12:08:21
> Received From: (My_Win7_Machine) 172.19.42.123->syscheck
> Rule: 100003 fired (level 7) -> "Some file was created"
> Portion of the log(s):
> New file 'C:\Test/setup_7.exe' added to the file system.
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2011 Nov 28 12:08:21
> Received From: (My_Win7_Machine) 172.19.42.123->syscheck
> Rule: 100003 fired (level 7) -> "Some file was created"
> Portion of the log(s):
> New file 'C:\Test/Test7.txt' added to the file system.
> --END OF NOTIFICATION
>
> But everywhere, both in books and on the Internet, I read that this rule must
> work.
> Please help me to eliminate my mistake.
>
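As an added example (not part of the thread), a small Python helper that parses the notifications quoted above and tests candidate <match> strings against the "Portion of the log(s)" line rather than the rule description, since the log line is what the rule engine sees. Matching is approximated here as a plain substring search, not OSSEC's own matcher, and the notification text is constructed from the two alerts quoted in the thread.

```python
import re

# Constructed from the two notifications quoted in the thread.
NOTIFICATIONS = """\
OSSEC HIDS Notification.
2011 Nov 28 12:08:21
Received From: (My_Win7_Machine) 172.19.42.123->syscheck
Rule: 100003 fired (level 7) -> "Some file was created"
Portion of the log(s):
New file 'C:\\Test/setup_7.exe' added to the file system.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2011 Nov 28 12:08:21
Received From: (My_Win7_Machine) 172.19.42.123->syscheck
Rule: 100003 fired (level 7) -> "Some file was created"
Portion of the log(s):
New file 'C:\\Test/Test7.txt' added to the file system.
--END OF NOTIFICATION
"""


def parse_notifications(text):
    """Split a mail body into notifications and extract the two fields a
    rule author should keep apart: the description (what the alert says)
    and the log portion (the text the rule engine actually matched)."""
    events = []
    for block in text.split("--END OF NOTIFICATION"):
        if "OSSEC HIDS Notification." not in block:
            continue
        rule = re.search(r'Rule: (\d+) fired \(level (\d+)\) -> "(.*)"', block)
        log = re.search(r"Portion of the log\(s\):\n(.*)", block)
        events.append({
            "rule": rule.group(1),
            "level": int(rule.group(2)),
            "description": rule.group(3),
            "log": log.group(1).strip(),
        })
    return events


def match_candidates(events, patterns):
    """Plain substring test of each <match> candidate against the log
    portion only (an approximation of OSSEC's matcher, not the real one).
    Returns, per pattern, the log lines it would have matched."""
    return {p: [e["log"] for e in events if p in e["log"]] for p in patterns}
```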
