Hi all! I have installed and configured OSSEC HIDS 2.6, but it still doesn't work fine. More details: I edited ossec.conf like this, <alert_new_files>yes</alert_new_files>, and added the following lines to local_rules.xml:

<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

I also configured OSSEC for e-mail alerting; it works with the other alert types. The server side runs on Debian Squeeze and the agent on Windows 7. I looked at the syscheck integrity text database and did not find a special mark for new files. New files were marked just like the other files, +++ (first column in var\ossec\queue\syscheck\"your client"). Does anybody else have this problem? I have tried this http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/ but didn't get any results.
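As an added example (not from the original post), here is how the two pieces are usually laid out on the manager side, which is the side that decides whether a syscheck_new_entry event is alerted on: the alert_new_files option goes inside the <syscheck> section of the manager's ossec.conf (it is read by ossec-analysisd, so setting it only in the agent's configuration has no effect), and the rule 554 override in local_rules.xml has to sit inside a <group name="syscheck,"> element, the same way the stock rule does in syscheck_rules.xml. A rule placed at the top level of local_rules.xml is not loaded. The paths and the e-mail address are placeholders.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (relevant sections only) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.invalid</email_to>   <!-- placeholder -->
    <smtp_server>127.0.0.1</smtp_server>         <!-- placeholder -->
    <email_from>ossec@example.invalid</email_from>
  </global>

  <syscheck>
    <!-- Manager-side switch: without it, syscheck_new_entry events
         are decoded but rule 554 is never matched. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>

  <alerts>
    <!-- 554 is raised at level 7 below, so e-mail must be at 7 or lower. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: the override must be wrapped in the
     same group the original rule lives in, otherwise it is ignored. -->
<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After editing either file, restart the manager (/var/ossec/bin/ossec-control restart) so ossec-analysisd reloads the rules. Two caveats worth knowing when testing: a file is only reported as "new" once the agent's first full scan has completed and built its baseline, so files created before that first scan produce no alert, and the next scan on the Windows agent has to run (or be forced from the manager with agent_control -r) before the new entry is sent at all.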
