On Thu, Dec 1, 2011 at 6:42 PM, alsdks <[email protected]> wrote:
> Hi list,
>
> I have been trying to set up a command to detect files starting with
> dot or double dot (. ..) But whatever I do I do not get an alert for
> it. Here is my configuration:
>
> command at agent's ossec.conf:
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>find /test -name '.*'</command>
>   <alias>find-dots2</alias>
>   <frequency>300</frequency>
> </localfile>
>
>
> rule specification at server local_rules.xml
>
>
> <rule id="100108" level="10">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'find-dots2' </match>

I haven't been able to get it to work just yet, but did notice that you have a space between 'find-dots2' and </match>. It works with logtest, just haven't seen an alert in "production."

>   <check_diff />
>   <description> Suspicious File created </description>
> </rule>
>
> I see the output coming with logall enabled:
>
> # tail -f ../logs/archives/archives.log
> /test/..test1
> /test/.test4
> /test/.test1
> /test/..test5
> /test/.test3
> /test/..test6
> /test/..test2
> /test/..test4
> /test/.test2
> /test/..test3
>
> I added some and ran the agent scans again... Nothing
>
> No alert, no anything!
>
> What am I doing wrong?
>
> Thank you all!
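To make the trailing-space observation above concrete, here is an added example (my own illustration, not code from the original poster or from OSSEC) that emulates the substring semantics of an OSSEC <match> element and runs the posted pattern and a corrected one against a constructed full_command event. The event layout is an assumption: it is shaped as "ossec: output: '<alias>':" followed by the command output on the next lines, so the character right after the closing quote is a colon rather than a space. The rule 530 pattern and the helper names (ossec_match, evaluate) are also assumptions for the example.

```python
# Added example: approximate how an OSSEC <match> is tested against an event,
# to show why whitespace inside <match> changes what the rule matches.
#
# Assumption (not verified against the poster's agent): a full_command event
# is written as "ossec: output: '<alias>':" plus a newline and the output.

def ossec_match(pattern: str, event: str) -> bool:
    """Approximation of OSSEC OSMatch semantics: plain substring search,
    '^' anchors to the start, '$' anchors to the end, '|' separates
    alternatives. Whitespace in the pattern is significant."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        body = alt[1:] if anchored_start else alt
        body = body[:-1] if anchored_end else body
        if anchored_start and anchored_end:
            ok = event == body
        elif anchored_start:
            ok = event.startswith(body)
        elif anchored_end:
            ok = event.endswith(body)
        else:
            ok = body in event
        if ok:
            return True
    return False


# Constructed sample event (not captured from a real agent), shaped as the
# assumed full_command log: header line, then the find output.
SAMPLE_EVENT = "ossec: output: 'find-dots2':\n/test/..test1\n/test/.test4\n"

# Parent rule 530 in ossec_rules.xml keys on the "ossec: output: '" prefix.
RULE_530_MATCH = "^ossec: output: '"
# Pattern as posted: note the trailing space before </match>.
POSTED_MATCH = "ossec: output: 'find-dots2' "
# Same pattern with the trailing space removed.
FIXED_MATCH = "ossec: output: 'find-dots2'"


def evaluate(event: str, child_match: str) -> str:
    """Walk the chain the posted config sets up: rule 530 must fire first
    (if_sid), then the child rule's own <match> is tested on the same event."""
    if not ossec_match(RULE_530_MATCH, event):
        return "no match: rule 530 did not fire"
    if not ossec_match(child_match, event):
        return "no match: child <match> failed"
    return "alert"


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED_MATCH), ("fixed", FIXED_MATCH)):
        print(f"{label:6s} -> {evaluate(SAMPLE_EVENT, pattern)}")
    # A bare output line on its own never reaches the child rule at all,
    # because rule 530 does not match it.
    print("bare   ->", evaluate("/test/.test1", FIXED_MATCH))
```

To check the same thing against a real server, paste the complete event (the "ossec: output: 'find-dots2':" header together with the output lines, not just the bare file paths) into /var/ossec/bin/ossec-logtest; the bare paths seen in archives.log on their own do not carry the prefix that rule 530 keys on.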
