On Thu, Jun 20, 2013 at 7:33 AM, <[email protected]> wrote:
>
> On Wednesday, June 19, 2013 3:25:46 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 18, 2013 at 4:24 AM, <[email protected]> wrote:
>> > I tried creating this in local_rules.xml:
>> >
>> > <rule id="100341" level="8">
>> >   <decoded_as>iptables</decoded_as>
>> >   <program_name>kernel</program_name>
>> >   <regex>^usb \S* new</regex>
>> >   <description>Unknown USB device attached</description>
>> > </rule>
>> >
>>
>> I got this to work with ossec-logtest:
>>
>> <rule id="500007" level="10">
>>   <decoded_as>iptables</decoded_as>
>>   <match>^usb</match>
>>   <regex>^usb \S+: New</regex>
>>   <description>XXX</description>
>> </rule>
>>
>
> My example above also works with ossec-logtest, but not when inserting a
> USB-device in a server. It doesn't generate any alert. Does yours?
>
No idea, did you test it? I don't have a linux system handy.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
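An added example (not from the thread or the OSSEC project) for checking the two `<regex>` patterns above offline, before feeding them to ossec-logtest: it translates the small OSSEC regex subset the rules use (`^`, `\S`, `\s`, `\d`, `\w`, `+`, `*`, literal text) into a Python pattern and runs it over constructed kernel message bodies. It assumes OSSEC matching is case-insensitive and that the rule regex sees only the message after the `kernel:` program name, both treated here as assumptions.

```python
import re

# OSSEC character classes used by the rules in this thread, mapped to Python.
# Assumption: OSSEC's \w covers letters, digits, '-', '@' and '_'.
_OSSEC_CLASSES = {"S": r"\S", "s": r"\s", "d": r"\d", "w": r"[A-Za-z0-9@_\-]"}


def ossec_to_python(expr: str) -> str:
    """Translate an OSSEC-dialect regex into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr) and expr[i + 1] in _OSSEC_CLASSES:
            out.append(_OSSEC_CLASSES[expr[i + 1]])
            i += 2
        elif c in "^$+*":          # anchors and quantifiers pass through
            out.append(c)
            i += 1
        else:                      # everything else is literal text
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(ossec_regex: str, message: str) -> bool:
    """True if the OSSEC regex matches the decoded message body.
    Assumption: OSSEC regex matching is case-insensitive."""
    return re.search(ossec_to_python(ossec_regex), message, re.IGNORECASE) is not None


# Rules from the thread, keyed by rule id.
RULES = {"100341": r"^usb \S* new", "500007": r"^usb \S+: New"}


def matching_rules(message: str) -> list:
    """Return the ids of the thread's rules that fire on a message body."""
    return [rid for rid, rx in RULES.items() if rule_matches(rx, message)]


if __name__ == "__main__":
    # Constructed sample message bodies (text after "kernel: "), not real logs.
    for msg in ["usb 1-1: new high-speed USB device number 4 using ehci_hcd",
                "usb 1-1: USB disconnect, device number 4"]:
        print(f"{msg!r} -> {matching_rules(msg)}")
```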
