Hi list,
I have been trying to set up a command to detect files starting with
a dot or double dot (. ..), but whatever I do I do not get an alert for
it. Here is my configuration:
command at agent's ossec.conf:
<localfile>
  <log_format>full_command</log_format>
  <command>find /test -name '.*'</command>
  <alias>find-dots2</alias>
  <frequency>300</frequency>
</localfile>
rule specification at server local_rules.xml:
<rule id="100108" level="10">
  <if_sid>530</if_sid>
  <match>ossec: output: 'find-dots2' </match>
  <check_diff />
  <description> Suspicious File created </description>
</rule>
I see the output coming with logall enabled:
# tail -f ../logs/archives/archives.log
/test/..test1
/test/.test4
/test/.test1
/test/..test5
/test/.test3
/test/..test6
/test/..test2
/test/..test4
/test/.test2
/test/..test3
I added some and ran the agent scans again... Nothing.
No alert, no anything!
What am I doing wrong?
Thank you all!
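To reason about why a rule like the one in this post fires or stays silent, here is an added example (not part of the post and not OSSEC's own code) that emulates, in Python, the three conditions the rule chains together: the parent rule 530 prefix test on a full_command event, the `<match>` substring test, and the `<check_diff />` comparison against the output stored from the previous run. The event strings, the `/test/.testN` paths and the `other-cmd` alias are constructed to mirror the archives.log lines above; the assumption that check_diff stores the first output silently without alerting, and the claim that `<match>` is a plain substring test rather than a regex, are this emulation's assumptions. The emulation uses the `<match>` text exactly as written, including the trailing space copied from the post, so it shows what happens if that whitespace is preserved; it does not settle whether OSSEC's config parser actually preserves it.

```python
import re

# Constructed sample events in the shape OSSEC writes for a full_command
# localfile: a header "ossec: output: '<alias>':" followed by the raw command
# output, one path per line (paths mirror the archives.log lines in the post).
SAMPLE_EVENTS = [
    "ossec: output: 'find-dots2':\n/test/.test1\n/test/..test2",
    "ossec: output: 'find-dots2':\n/test/.test1\n/test/..test2",
    "ossec: output: 'find-dots2':\n/test/.test1\n/test/..test2\n/test/.test3",
    "ossec: output: 'find-dots2':\n/test/.test1\n/test/..test2\n/test/.test3",
    "ossec: output: 'other-cmd':\n/var/tmp/x",  # constructed, different alias
]

# Parent rule 530 (ossec_rules.xml) fires on any full_command output event.
RULE_530 = re.compile(r"^ossec: output: '")

# The <match> text from the post, copied exactly (note the trailing space),
# and the same text with the space replaced by the ':' the header carries.
POSTED_MATCH = "ossec: output: 'find-dots2' "
TRIMMED_MATCH = "ossec: output: 'find-dots2':"


def match_substring(event, pattern):
    """Emulate <match>: a plain substring test, not a regular expression (assumption)."""
    return pattern in event


class CheckDiffState:
    """Emulate <check_diff/>: remember the last output per rule id and report a
    change only when a previously stored output differs from the new one.
    Assumption: the very first output is stored silently and raises no alert."""

    def __init__(self):
        self._last = {}

    def changed(self, rule_id, event):
        previous = self._last.get(rule_id)
        self._last[rule_id] = event
        return previous is not None and previous != event


def run_rule(events, match_pattern, rule_id=100108):
    """Return the indices of events that would raise the local rule: the parent
    530 prefix matches, the alias substring matches, and the output changed."""
    state = CheckDiffState()
    alerts = []
    for i, event in enumerate(events):
        if not RULE_530.search(event):
            continue
        if not match_substring(event, match_pattern):
            continue
        if state.changed(rule_id, event):
            alerts.append(i)
    return alerts


def new_dot_entries(previous, current):
    """Dot-prefixed paths present in `current` but not in `previous`, so an
    alert can name the file that appeared rather than just 'output changed'."""
    def paths(event):
        return {p for p in event.split("\n")[1:] if p.rsplit("/", 1)[-1].startswith(".")}
    return sorted(paths(current) - paths(previous))


if __name__ == "__main__":
    print("alerts with posted <match>: ", run_rule(SAMPLE_EVENTS, POSTED_MATCH))
    print("alerts with trimmed <match>:", run_rule(SAMPLE_EVENTS, TRIMMED_MATCH))
    print("new dot entries at event 2: ", new_dot_entries(SAMPLE_EVENTS[1], SAMPLE_EVENTS[2]))
```

Under these assumptions only event 2 alerts (a new dot-file appeared), events 0, 1 and 3 stay quiet because the output is either first-seen or unchanged, and the trailing space in the posted `<match>` text prevents any match at all because the header continues with `:` after the alias, not a space.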