On Tue, Aug 28, 2012 at 11:26 PM, JJ Yu <[email protected]> wrote:
> Dear Dan
> I want to alert on some anti-malware file that I already know about. So I
> added a rule to local_rules.xml as below.
> Every time after changing local_rules.xml, I restarted the OSSEC
> processes.

$(grep keylog.exe /var/ossec/queue/syscheck/* | more)

If the file exists in one of the syscheck db files then it won't show up on a new file alert (554).

> Would you please tell me how to alert on a specific file when a new_entry
> is being added.
> Many thanks!
> <rule id="554" level="9" overwrite="yes">
> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <match>keylog.exe</match>
> <description>File added to the system.(Intrusion)</description>
> <group>syscheck,</group>
> </rule>
>

No idea how to do it, I haven't tried it. I wouldn't go about it like that though. Instead of overwriting the generic rule 554, I would try creating a child rule. Something like this (untested):

<rule id="SOMETHING" level="12">
<if_sid>1002</if_sid>
<match>keylog.exe</match>
<description>keylog.exe found</description>
</rule>

Then restart OSSEC of course.

> 2012/8/28 dan (ddp) <[email protected]>
>
>> On Sun, Aug 26, 2012 at 11:15 PM, JJ Yu <[email protected]> wrote:
>> > I wrote a rule in ossec_rules.xml, but it has no effect. Please
>> > help~~~
>> > As:
>> > <rule id="554" level="9">
>> >
>>
>> The above looks wrong. Did you change it? Where did you change it? Why
>> did you change it?
>>
>> > <category>ossec</category>
>> >
>> > <decoded_as>syscheck_new_entry</decoded_as>
>> >
>> > <description>File added to the system.</description>
>> >
>> > <group>syscheck,</group>
>> >
>> > </rule>
>> >
>> >
>>
>> Where did you put the following rule? Did you restart the OSSEC
>> processes after adding the rule?
>>
>> > <rule id="554" level="9" overwrite="yes">
>> >
>> > <category>ossec</category>
>> >
>> > <decoded_as>syscheck_new_entry</decoded_as>
>> >
>> > <match>^keylog.exe^</match>
>> >
>>
>> Having a ^ at the end is just going to confuse things. I don't think
>> it means what you think it means. Take out both ^.
>>
>> > <description>File added to the system.(Intrusion)</description>
>> >
>> > <group>syscheck,</group>
>> >
>> > </rule>
>
>
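Added example, not code from this thread or from the OSSEC project: a local_rules.xml fragment that follows the child-rule approach suggested above instead of overwriting rule 554. It assumes, as the rule text quoted in the thread shows, that 554 is the stock "File added to the system." rule, and it additionally assumes that 550 is the stock "Integrity checksum changed." rule, which covers the failure mode described above (a file already recorded in the syscheck db is reported as a change, not as an addition). The rule ids 100100 and 100101 are placeholders chosen from the range OSSEC reserves for local rules.

```xml
<!-- Added example, not part of the thread. Goes in local_rules.xml, which
     upgrades leave alone, rather than ossec_rules.xml. Rule ids 100100 and
     100101 are placeholders in the local-rule range (assumption). -->
<group name="syscheck,">

  <!-- Child of the stock new-file rule 554 (id taken from the thread).
       It only fires when 554 has already matched, i.e. for a new file
       whose event text contains the name below. <match> is an unanchored
       substring test, so no ^ is needed. -->
  <rule id="100100" level="12">
    <if_sid>554</if_sid>
    <match>keylog.exe</match>
    <description>Known-bad file name keylog.exe added to the system.</description>
    <group>syscheck,malware,</group>
  </rule>

  <!-- Same name, but for a file that is already in the syscheck db:
       syscheck reports it as a checksum change (rule 550, assumption),
       never as a new entry, so 554 and its children never see it. -->
  <rule id="100101" level="12">
    <if_sid>550</if_sid>
    <match>keylog.exe</match>
    <description>Known-bad file name keylog.exe modified on the system.</description>
    <group>syscheck,malware,</group>
  </rule>

</group>
```

Two things to check before expecting the first rule to fire: syscheck only generates new-file events when `<alert_new_files>yes</alert_new_files>` is set in the syscheck section of ossec.conf, and, as noted above, a path that the grep against /var/ossec/queue/syscheck/ already finds will never arrive as a new entry, which is what the second rule is for. Restart OSSEC after editing local_rules.xml.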
