Thanks, I'll try those options. Thanks a lot.
On Thursday, May 2, 2013 5:45:31 AM UTC+5:30, lostinthetubez wrote:

> Look at the realtime option for syscheck:
> http://www.ossec.net/doc/manual/syscheck/
>
> I also recommend turning auto_ignore off, so you will continue to be
> notified after the 3rd change detection. Stick
> <auto_ignore>no</auto_ignore> into the syscheck portion of your ossec.conf.
>
> You might also wish to look at the do_not_delay email option:
> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
>
> No idea about OSSIM. I don't use it.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ruwan Geeganage
> *Sent:* Wednesday, May 01, 2013 9:33 AM
> *To:* [email protected]
> *Subject:* Re: [ossec-list] OSSEC windows agent - Registry modification alerts
>
> Hi
>
> Thanks for the quick reply.
>
> I want to get informed as soon as the registry modification has been done.
>
> Can I get these notifications by applying your modification?
>
> How can I do this in OSSIM?
> What correlation directive should I use?
>
> Thank you so much
>
> On Wednesday, May 1, 2013 9:03:14 PM UTC+5:30, lostinthetubez wrote:
>
> The last OSSEC release made all registry changes drop below the default
> email threshold, even useful ones like this. Add something to
> local_rules.xml to selectively elevate the Level, like this:
>
>   <rule id="110000" level="10">
>     <if_sid>594</if_sid>
>     <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
>     <description>A change has been made to the software that
>     automatically runs at startup.</description>
>   </rule>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ruwan Geeganage
> *Sent:* Wednesday, May 01, 2013 8:05 AM
> *To:* [email protected]
> *Subject:* [ossec-list] OSSEC windows agent - Registry modification alerts
>
> I have installed the OSSEC agent on my Windows PC.
>
> I want to get alerts when any program or person adds new entries to the
> following registry entry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> I checked the ossec.conf in the Windows agent. It has the particular entry. But
> I'm not getting any real-time alerts.
>
> Please help
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
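Putting the three suggestions in this thread together, as an added example that is not from the original posts or from the OSSEC project: a local_rules.xml child rule of 594 that covers the HKLM Run and RunOnce keys, the agent-side syscheck entries with a shorter scan interval, and the manager-side auto_ignore and do_not_delay settings. Rule id 110000 and parent id 594 come from the thread; the sibling registry rule ids 595-598 (2nd/3rd change, deleted, added), the 300-second frequency and the e-mail address are my assumptions and should be checked against the ossec_rules.xml and ossec.conf on your own manager. One caveat a practitioner would want: realtime="yes" is an attribute of <directories>, so windows_registry entries are only examined on the syscheck schedule, and lowering frequency is what actually shortens the time between the change and the alert.

```xml
<!-- 1. Manager: /var/ossec/rules/local_rules.xml
     Child of 594 (Registry Integrity Checksum Changed, the id used in the thread).
     595-598 are ASSUMED to be the 2nd/3rd-change, deleted and added variants in the
     stock ossec_rules.xml; drop any id that is not present in yours.
     The match string deliberately starts after "Software" so it does not depend on
     whether the path is echoed as SOFTWARE or Software, and it covers Run and RunOnce. -->
<group name="local,syscheck,">
  <rule id="110000" level="10">
    <if_sid>594,595,596,597,598</if_sid>
    <match>\Microsoft\Windows\CurrentVersion\Run</match>
    <!-- alert_by_email forces an e-mail even if the global email level is raised later -->
    <options>alert_by_email</options>
    <description>Autostart registry key (Run/RunOnce) modified.</description>
    <group>autostart,</group>
  </rule>
</group>

<!-- 2. Windows agent: C:\Program Files\ossec-agent\ossec.conf
     Registry keys are scanned on the frequency interval only; the stock default is
     79200 s (22 h), which is why changes seem to produce no "real time" alert.
     300 s is an ASSUMED value; raise it if the scan load on the host is too high.
     HKEY_CURRENT_USER is not listed on purpose: the agent runs as LocalSystem, so
     HKCU would resolve to the SYSTEM account's hive, not the logged-on user's. -->
<ossec_config>
  <syscheck>
    <frequency>300</frequency>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</ossec_config>

<!-- 3. Manager: /var/ossec/etc/ossec.conf
     auto_ignore lives in the manager's syscheck block (it controls alert suppression,
     not what the agent scans). The granular email block sends rule 110000 immediately
     instead of waiting for the normal batching delay. The address is a placeholder. -->
<ossec_config>
  <syscheck>
    <!-- keep alerting after the 3rd change to the same key -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <rule_id>110000</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

After editing the manager files, restart it (`/var/ossec/bin/ossec-control restart`) and then add a throwaway value under the Run key on the agent; the alert should arrive within one frequency interval plus the agent's report time, and it will keep arriving on every later change now that auto_ignore is off.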
