On Fri, Sep 7, 2012 at 10:20 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Aug 28, 2012 at 11:26 PM, JJ Yu <[email protected]> wrote:
>> Dear Dan
>> I want to alert on some anti-malware files that I already know about. So I
>> added a rule to local_rules.xml as below.
>> After changing local_rules.xml, I re-started the OSSEC
>> processes every time.
>
> $(grep keylog.exe /var/ossec/queue/syscheck/* | more)
>
> If the file exists in one of the syscheck db files then it won't show
> up on a new file alert (554).
>
>> Would you please tell me how to alert on a specific file when a new_entry
>> is being added?
>> Many thanks!
>> <rule id="554" level="9" overwrite="yes">
>> <category>ossec</category>
>> <decoded_as>syscheck_new_entry</decoded_as>
>> <match>keylog.exe</match>
>> <description>File added to the system.(Intrusion)</description>
>> <group>syscheck,</group>
>> </rule>
>>
>
> No idea how to do it, I haven't tried it. I wouldn't go about it like
> that though.
> Instead of overwriting the generic rule 554, I would try creating a child
> rule.
> Something like this (untested):
>
> <rule id="SOMETHING" level="12">
> <if_sid>1002</if_sid>

Oops, that should be 554, not 1002. Instead of doing an if_sid, I think you could do an if_group of syscheck.

> <match>keylog.exe</match>
> <description>keylog.exe found</description>
> </rule>
>
> Then restart OSSEC of course.
>
>> 2012/8/28 dan (ddp) <[email protected]>
>>
>>> On Sun, Aug 26, 2012 at 11:15 PM, JJ Yu <[email protected]> wrote:
>>> > I wrote a rule in ossec_rules.xml, but it has no effect. Please
>>> > help~~~
>>> > as :
>>> > <rule id="554" level="9">
>>> >
>>>
>>> The above looks wrong. Did you change it? Where did you change it? Why
>>> did you change it?
>>>
>>> > <category>ossec</category>
>>> >
>>> > <decoded_as>syscheck_new_entry</decoded_as>
>>> >
>>> > <description>File added to the system.</description>
>>> >
>>> > <group>syscheck,</group>
>>> >
>>> > </rule>
>>> >
>>> >
>>>
>>> Where did you put the following rule? Did you restart the OSSEC
>>> processes after adding the rule?
>>>
>>> > <rule id="554" level="9" overwrite="yes">
>>> >
>>> > <category>ossec</category>
>>> >
>>> > <decoded_as>syscheck_new_entry</decoded_as>
>>> >
>>> > <match>^keylog.exe^</match>
>>> >
>>>
>>> Having a ^ at the end is just going to confuse things. I don't think
>>> it means what you think it means. Take out both ^.
>>>
>>> > <description>File added to the system.(Intrusion)</description>
>>> >
>>> > <group>syscheck,</group>
>>> >
>>> > </rule>
>>
>>

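The child rule Dan sketches, assembled with his correction (parent rule 554 rather than 1002) and his if_group alternative, as an added example that is not code from the thread; the rule ids 100001 and 100002 are assumed values from the range OSSEC reserves for local rules, and only one of the two variants should be kept in a real deployment.

```xml
<!-- Added example, not from the thread. Intended for /var/ossec/rules/local_rules.xml.
     Rule ids 100001/100002 are assumed values from the 100000-119999 local-rules range. -->
<group name="local,syscheck,">

  <!-- Variant 1: child of the generic "new file" rule 554, as Dan corrected it.
       Fires only after 554 matched, i.e. syscheck reported a file it had not seen
       before, so a path already present in the syscheck db never reaches this rule. -->
  <rule id="100001" level="12">
    <if_sid>554</if_sid>
    <match>keylog.exe</match>
    <description>keylog.exe reported as a new file by syscheck</description>
    <group>syscheck,</group>
  </rule>

  <!-- Variant 2: Dan's alternative, anchored on the syscheck rule group instead of
       one rule id. Broader: any syscheck alert (new, modified, deleted file) whose
       message contains the path triggers it. Keep this one OR 100001, not both. -->
  <rule id="100002" level="12">
    <if_group>syscheck</if_group>
    <match>keylog.exe</match>
    <description>keylog.exe referenced in a syscheck alert</description>
  </rule>

</group>
```

Rule 554, and therefore variant 1, only exists as an event when syscheck is configured to report new files (alert_new_files in the syscheck section of ossec.conf); Dan's grep against /var/ossec/queue/syscheck/ is the quick way to confirm the path is not already in the database before concluding the rule is broken.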