On Mon, Aug 27, 2012 at 9:22 PM, JJ Yu <[email protected]> wrote:
> Dear Frank,
> Thanks for your support.
> I tried to add it to local_rules.xml, but still it has no effect.

Did you restart the OSSEC processes? How did you test?

> local_rules.xml is as below:
>
> <group name="local,syslog,">
>   <rule id="510000" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'netstat -an |grep LISTEN</match>
>     <check_diff />
>     <description>Listened ports have changed.</description>
>   </rule>
>
>   <rule id="554" level="10" overwrite="yes">
>     <category>ossec</category>
>     <decoded_as>syscheck_new_entry</decoded_as>
>     <match>keylog.exe7</match>
>     <description>File added to the system.(Intrusion)</description>
>     <group>syscheck,</group>
>   </rule>
> </group>
>
> 2012/8/27 Frank Stefan Sundberg Solli <[email protected]>
>>
>> You need to add it to local_rules.xml
>>
>> On Mon, Aug 27, 2012 at 5:15 AM, JJ Yu <[email protected]> wrote:
>>>
>>> I wrote the rule in ossec_rules.xml, but it has no effect. Please help~~~
>>> as:
>>>
>>> <rule id="554" level="9">
>>>   <category>ossec</category>
>>>   <decoded_as>syscheck_new_entry</decoded_as>
>>>   <description>File added to the system.</description>
>>>   <group>syscheck,</group>
>>> </rule>
>>>
>>> <rule id="554" level="9" overwrite="yes">
>>>   <category>ossec</category>
>>>   <decoded_as>syscheck_new_entry</decoded_as>
>>>   <match>^keylog.exe^</match>
>>>   <description>File added to the system.(Intrusion)</description>
>>>   <group>syscheck,</group>
>>> </rule>
>>
>> --
>> MVH/With regards
>>
>> Frank
>> --
>> Name: Frank Stefan Sundberg Solli
>> E-mail: [email protected]
>> Web: http://0x41.me
>> GPG: 684119F4
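Two of the pitfalls in the rules quoted above (a rule id defined twice without overwrite="yes", and a match pattern with a stray `^`) can be caught before the rules are loaded. The linter below is an added example, not code from the OSSEC project or from this thread; the sample fragment is constructed to resemble the posted rules, and the second id 554 deliberately lacks overwrite="yes" so the check fires. It only sees one file, so a rule that overwrites an id defined in another file is not reported.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rules in the thread (not the poster's exact file).
SAMPLE_RULES = """
<group name="local,syslog,">
  <rule id="510000" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -an |grep LISTEN</match>
    <check_diff />
    <description>Listened ports have changed.</description>
  </rule>
  <rule id="554" level="9">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="554" level="9">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>^keylog.exe^</match>
    <description>File added to the system.(Intrusion)</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

def lint_rules(xml_text):
    """Return a list of (rule_id, message) findings for an OSSEC rules fragment."""
    # OSSEC rule files hold several top-level <group> elements with no root,
    # so wrap the text in a synthetic root before parsing.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    findings = []
    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        # A repeated id is only legal when the later rule says overwrite="yes".
        if rid in seen and rule.get("overwrite") != "yes":
            findings.append((rid, 'duplicate rule id without overwrite="yes"'))
        seen.add(rid)
        for tag in ("match", "regex"):
            for pat in rule.findall(tag):
                text = pat.text or ""
                # In OSSEC patterns '^' anchors the start of the string; one in the
                # middle of a pattern is almost always a typo.
                if "^" in text[1:]:
                    findings.append((rid, f"<{tag}> has '^' after pattern start: {text!r}"))
                # An unescaped '.' matches any character; a literal dot needs '\\.'.
                if "." in text.replace("\\.", ""):
                    findings.append((rid, f"<{tag}> has unescaped '.': {text!r}"))
    return findings
```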
