On Mon, Dec 26, 2011 at 1:02 AM, Daniel Shreterford <[email protected]> wrote:
> Hi all! I have installed and configured OSSEC HIDS 2.6, but it still
> doesn't work fine.
> More details: I edited ossec.conf like that - <alert_new_files>yes</alert_new_files> - and added the next lines into local.rules.xml
Which ossec.conf? You needed to add this to the manager's ossec.conf.

> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>

Did you restart the manager's ossec processes after making these changes?

> Also I configured OSSEC for e-mail alerting - it works with other
> alert types.
> Server side works on Debian Squeeze and the agent on Windows 7.
> I looked at the integrity syscheck text database and did not find a special
> mark for new files. New files were marked just like the other files: +++
> (first column in var\ossec\queue\syscheck-"your client").
> Does somebody have this problem?
> I have tried this
> http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/
> but don't get any results.

Did a syscheck scan run after you made the changes? Are you sure there were new files in the appropriate directories?
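As an added example (not part of this thread and not OSSEC's own tooling): a small POSIX shell script that checks the two manager-side pieces the reply above asks about, namely that alert_new_files is enabled inside the syscheck block of the manager's ossec.conf and that rule 554 is overwritten with a level that actually alerts (the stock rule in syscheck_rules.xml is level 0). It runs against constructed sample files so it works offline; the /var/ossec layout, the `ossec-control restart` and `agent_control -r -u <agent_id>` commands and the 79200-second default scan frequency are stated as assumptions about a default OSSEC 2.x install.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OSSEC project.
# Checks the two manager-side settings needed before rule 554 can fire:
#   1. <alert_new_files>yes</alert_new_files> inside <syscheck> in the MANAGER's ossec.conf
#   2. a local rule that overwrites 554 with a level >= 1 (stock level is 0, i.e. no alert)
# Assumed default install layout: $OSSEC_DIR defaults to /var/ossec.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# 0 if alert_new_files is enabled inside a <syscheck> block of the given ossec.conf.
has_alert_new_files() {
    sed -n '/<syscheck>/,/<\/syscheck>/p' "$1" |
        grep -q '<alert_new_files>[[:space:]]*yes[[:space:]]*</alert_new_files>'
}

# Prints the level of the first <rule id="554" ...> in the given rules file, or nothing.
rule554_level() {
    tr -d '\n' < "$1" | grep -o '<rule[^>]*id="554"[^>]*>' | head -n 1 |
        grep -o 'level="[0-9]*"' | tr -dc '0-9'
}

# 0 if the rules file overwrites 554 with a level that produces an alert (>= 1).
rule554_alerts() {
    tr -d '\n' < "$1" | grep -q '<rule[^>]*id="554"[^>]*overwrite="yes"' || return 1
    lvl=$(rule554_level "$1")
    [ -n "$lvl" ] && [ "$lvl" -ge 1 ]
}

# Constructed sample files (not real configs from any host) so the checks run offline.
write_samples() {
    dir="$1"
    cat > "$dir/manager.conf" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
EOF
    # An agent-side config: enabling alert_new_files here (or not at all) does nothing on the manager.
    cat > "$dir/agent.conf" <<'EOF'
<ossec_config>
  <syscheck>
    <directories check_all="yes">C:\Windows\System32</directories>
  </syscheck>
</ossec_config>
EOF
    cat > "$dir/local_rules.xml" <<'EOF'
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
EOF
    cat > "$dir/stock_rules.xml" <<'EOF'
<group name="syscheck,">
  <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
  </rule>
</group>
EOF
}

# Print ok/FAIL lines for one ossec.conf and one rules file.
report() {
    conf="$1"; rules="$2"
    if has_alert_new_files "$conf"; then echo "ok:   $conf enables alert_new_files"
    else echo "FAIL: $conf lacks <alert_new_files>yes</alert_new_files> inside <syscheck>"; fi
    if rule554_alerts "$rules"; then echo "ok:   $rules overwrites rule 554 at level $(rule554_level "$rules")"
    else echo "FAIL: $rules does not overwrite 554 with a level >= 1 (found level '$(rule554_level "$rules")')"; fi
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "--- constructed samples ---"
report "$tmp/manager.conf" "$tmp/local_rules.xml"
report "$tmp/agent.conf"   "$tmp/stock_rules.xml"
rm -rf "$tmp"

# Same checks against a real manager, if this host has one (assumed default paths).
if [ -f "$OSSEC_DIR/etc/ossec.conf" ]; then
    echo "--- $OSSEC_DIR ---"
    report "$OSSEC_DIR/etc/ossec.conf" "$OSSEC_DIR/rules/local_rules.xml"
    echo "After fixing: $OSSEC_DIR/bin/ossec-control restart, then force a scan with"
    echo "$OSSEC_DIR/bin/agent_control -r -u <agent_id> instead of waiting for the next scheduled one."
fi
```

Two things this is meant to surface: the setting must be in the manager's ossec.conf (the agent copy in the sample fails the check on purpose), and a level-0 overwrite or no overwrite at all is silently the same as no rule. Once both checks pass, the remaining variable is whether a scan has run since the change; with the assumed default frequency of 79200 seconds (22 hours) that can be most of a day, which is why forcing one with agent_control is worth doing before concluding that alerting is broken.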
