Dear Frank
Thanks for your support.
I tried adding it to local_rules.xml, but it still has no effect.
local_rules.xml is as below:
<group name="local,syslog,">
  <rule id="510000" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -an |grep LISTEN</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>keylog.exe7</match>
    <description>File added to the system.(Intrusion)</description>
    <group>syscheck,</group>
  </rule>
</group>
2012/8/27 Frank Stefan Sundberg Solli <[email protected]>
> You need to add it to local_rules.xml
>
>
> On Mon, Aug 27, 2012 at 5:15 AM, JJ Yu <[email protected]> wrote:
>
>> I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~
>> as:
>> <rule id="554" level="9">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_new_entry</decoded_as>
>>   <description>File added to the system.</description>
>>   <group>syscheck,</group>
>> </rule>
>>
>> <rule id="554" level="9" overwrite="yes">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_new_entry</decoded_as>
>>   <match>^keylog.exe^</match>
>>   <description>File added to the system.(Intrusion)</description>
>>   <group>syscheck,</group>
>> </rule>
>>
>
>
>
> --
> MVH/With regards
>
> Frank
> --
> Name: Frank Stefan Sundberg Solli
> E-mail: [email protected]
> Web: http://0x41.me
> GPG: 684119F4
>
>
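As an added illustration (not part of the thread or of OSSEC itself), the Python script below approximates OSSEC's `<match>` semantics (a leading `^` anchors to the start, a trailing `$` to the end, `|` separates alternatives, anything else is a literal substring) and runs the rule 554 override posted above against a constructed syscheck new-file event; the event text and the file path are assumptions.

```python
import xml.etree.ElementTree as ET

# Rule 554 override as posted in the thread, embedded so this runs offline.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>^keylog.exe^</match>
    <description>File added to the system.(Intrusion)</description>
    <group>syscheck,</group>
  </rule>
</group>"""

# Constructed sample event, shaped like the text syscheck emits for a new
# file; the path is made up for this example.
NEW_FILE_EVENT = "File 'c:\\users\\jj\\keylog.exe' added to the file system."

def os_match(pattern, text):
    """Approximation of OSSEC <match> (sregex): '|' separates alternatives,
    a leading '^' anchors to the start, a trailing '$' anchors to the end,
    anything else (including a '^' that is not first) is literal text.
    An empty pattern matches everything. Illustration, not OSSEC's code."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = len(alt) > 1 and alt.endswith("$")
        lit = alt[(1 if start else 0):(len(alt) - 1 if end else len(alt))]
        if start and end:
            hit = text == lit
        elif start:
            hit = text.startswith(lit)  # '^keylog.exe^' needs "keylog.exe^" at offset 0
        elif end:
            hit = text.endswith(lit)
        else:
            hit = lit in text           # plain substring test
        if hit:
            return True
    return False

def match_patterns(xml_text):
    """Map rule id -> <match> pattern for every <rule> in a rule file."""
    root = ET.fromstring(xml_text)
    return {r.get("id"): (r.findtext("match") or "") for r in root.iter("rule")}

def rules_hitting(xml_text, event):
    """IDs of the rules whose <match> fires on the event text."""
    return [rid for rid, pat in match_patterns(xml_text).items() if os_match(pat, event)]
```

Under these assumptions the posted pattern fires on nothing, because the event starts with `File '`, while the unanchored substring `keylog.exe` fires rule 554; the same check applies to any pattern placed in local_rules.xml.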