Dear Dan
I want to alert on some anti-malware files that I already know about, so I
added the rule to local_rules.xml as below.
Every time after changing local_rules.xml, I restarted the OSSEC
processes.
Would you please tell me how to alert on a specific file being added
when a new_entry occurs?
Many thanks!
<rule id="554" level="9" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<match>keylog.exe</match>
<description>File added to the system.(Intrusion)</description>
<group>syscheck,</group>
</rule>
2012/8/28 dan (ddp) <[email protected]>
> On Sun, Aug 26, 2012 at 11:15 PM, JJ Yu <[email protected]> wrote:
> > I wrote the rule in ossec_rules.xml, but it has no effect. Please help~~~
> > as :
> > <rule id="554" level="9">
> >
>
> The above looks wrong. Did you change it? Where did you change it? Why
> did you change it?
>
> > <category>ossec</category>
> > <decoded_as>syscheck_new_entry</decoded_as>
> > <description>File added to the system.</description>
> > <group>syscheck,</group>
> > </rule>
> >
>
> Where did you put the following rule? Did you restart the OSSEC
> processes after adding the rule?
>
> > <rule id="554" level="9" overwrite="yes">
> > <category>ossec</category>
> > <decoded_as>syscheck_new_entry</decoded_as>
> > <match>^keylog.exe^</match>
> >
>
> Having a ^ at the end is just going to confuse things. I don't think
> it means what you think it means. Take out both ^.
>
> > <description>File added to the system.(Intrusion)</description>
> > <group>syscheck,</group>
> > </rule>
>
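An added example, not from either poster in this thread, of how a practitioner would usually express "alert when a specific known-bad filename is added". Overwriting stock rule 554 with a `<match>` narrows it so that every other new file stops alerting; the alternative below leaves 554 alone and hangs a child rule off it with `<if_sid>`. The rule id 100554, the level 12 and the `malware` group are assumptions; any free id in the local range works.

```xml
<!-- Added example (not OSSEC's shipped rules): goes in local_rules.xml.
     Stock rule 554 ("File added to the system.") stays untouched; this child
     rule fires only when 554 already matched and the event text contains
     keylog.exe. Rule id 100554 and level 12 are assumptions. -->
<group name="local,syscheck,">

  <!-- <match> is a plain substring test against the alert message
       ("New file '/path/keylog.exe' added to the file system."), so no
       anchors or regex metacharacters are needed. -->
  <rule id="100554" level="12">
    <if_sid>554</if_sid>
    <match>keylog.exe</match>
    <description>Known malicious filename added to the system (keylog.exe).</description>
    <group>syscheck,malware,</group>
  </rule>

</group>
```

Two checks worth doing before blaming the rule: the child rule can only fire if rule 554 fires first, and in the stock ossec_rules.xml rule 554 is level 0 and syscheck only generates new-file events when `<alert_new_files>yes</alert_new_files>` is set inside the `<syscheck>` section of ossec.conf. The directory the file lands in must also be listed in a `<directories>` entry of that section, and OSSEC has to be restarted after either file changes.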