On Wednesday, June 19, 2013 3:25:46 PM UTC+2, dan (ddpbsd) wrote:
> On Tue, Jun 18, 2013 at 4:24 AM, <[email protected]> wrote:
> > I tried creating this in local_rules.xml:
> >
> > <rule id="100341" level="8">
> >   <decoded_as>iptables</decoded_as>
> >   <program_name>kernel</program_name>
> >   <regex>^usb \S* new</regex>
> >   <description>Unknown USB device attached</description>
> > </rule>
>
> I got this to work with ossec-logtest:
> <rule id="500007" level="10">
>   <decoded_as>iptables</decoded_as>
>   <match>^usb</match>
>   <regex>^usb \S+: New</regex>
>   <description>XXX</description>
> </rule>

My example above also works with ossec-logtest, but not when inserting a USB-device in a server. It doesn't generate any alert. Does yours?
