On Sun, Aug 26, 2012 at 11:15 PM, JJ Yu <[email protected]> wrote:
> I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~
> as:
> <rule id="554" level="9">

The above looks wrong. Did you change it? Where did you change it? Why did you change it?

>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>

Where did you put the following rule? Did you restart the OSSEC processes after adding the rule?

> <rule id="554" level="9" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <match>^keylog.exe^</match>

Having a ^ at the end is just going to confuse things. I don't think it means what you think it means. Take out both ^.

>   <description>File added to the system.(Intrusion)</description>
>   <group>syscheck,</group>
> </rule>
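
To see why both ^ characters have to go, here is an added example (not from the thread and not OSSEC's own code): a small Python approximation of how an OSSEC `<match>` pattern is applied. It assumes the semantics of OSSEC's match compiler as I understand them, namely that `^` is an anchor only as the first character of a pattern, `$` only as the last, `|` separates alternatives, and everything else is a literal substring test (case handling is not modelled). The syscheck log line is a constructed sample; the exact wording OSSEC produces for a new file may differ. The script parses the poster's second rule, then the same rule with the two ^ removed, and runs each `<match>` against the sample line.

```python
"""Why '^keylog.exe^' never fires in an OSSEC <match> (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of a syscheck "new file" event; wording is illustrative.
NEW_FILE_LOG = (
    "New file 'C:\\Users\\test\\Downloads\\keylog.exe' added to the file system."
)

# The rule as posted in the thread, and the same rule with both ^ removed.
BROKEN_RULE = """<rule id="554" level="9" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <match>^keylog.exe^</match>
  <description>File added to the system.(Intrusion)</description>
  <group>syscheck,</group>
</rule>"""

FIXED_RULE = BROKEN_RULE.replace(
    "<match>^keylog.exe^</match>", "<match>keylog.exe</match>"
)


def ossec_match(pattern: str, text: str) -> bool:
    """Approximation (assumption) of OSSEC <match> semantics.

    '^' anchors only when it is the first character of an alternative,
    '$' only when it is the last; anything else, including a trailing '^',
    is part of the literal being searched for.
    """
    for alt in pattern.split("|"):
        begin = alt.startswith("^")
        end = alt.endswith("$")
        start = 1 if begin else 0
        stop = len(alt) - 1 if end else len(alt)
        literal = alt[start:stop]
        if begin and end:
            hit = text == literal
        elif begin:
            hit = text.startswith(literal)
        elif end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def rule_fires(rule_xml: str, log_line: str) -> bool:
    """True if the rule's <match> (if present) matches the log line."""
    rule = ET.fromstring(rule_xml)
    pattern = rule.findtext("match")
    if pattern is None:
        return True  # no <match>: the decoder alone decides
    return ossec_match(pattern, log_line)


def effective_literal(pattern: str) -> str:
    """Show what OSSEC would actually search for after stripping anchors."""
    alt = pattern
    if alt.startswith("^"):
        alt = alt[1:]
    if alt.endswith("$"):
        alt = alt[:-1]
    return alt


if __name__ == "__main__":
    for name, rule in (("posted", BROKEN_RULE), ("fixed", FIXED_RULE)):
        pat = ET.fromstring(rule).findtext("match")
        print(f"{name}: match={pat!r} searches for {effective_literal(pat)!r} "
              f"-> fires={rule_fires(rule, NEW_FILE_LOG)}")
```

The posted pattern is anchored to the start of the line by the first ^ and then looks for the literal text `keylog.exe^`, which never appears, so the rule stays silent; dropping both characters turns it into a plain substring test that does fire on the sample line.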
