On 06/23/2013 11:01 AM, vanhien771354 wrote:
> When you install a source application .msi, OSSEC gets an alert like this:
>
> ** Alert 1372002658.41135: mail - Install_MSI
> 2013 Jun 23 22:50:58 (win7) 192.168.2.1->WinEvtLog
> Rule: 100007 (level 7) -> 'Detected Software Install'
> User: MrHien
> WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien:
> MrHien-PC: MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation
> (NULL)
We already have a rule for this, but it looks like maybe there is
another event log ID which needs to be added. Try this:
<!-- Overrides the stock rule 18147 so it also fires on MsiInstaller event 1035 -->
<rule id="18147" level="5" overwrite="yes">
  <if_sid>18101</if_sid>
  <!-- Windows event IDs to match: 11707 (install completed) or 1035 -->
  <id>^11707$|^1035$</id>
  <options>alert_by_email</options>
  <description>Application Installed.</description>
</rule>
You received this message because you are subscribed to the Google Groups "ossec-list" group.
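To see why the stock rule misses this alert and the overwritten one catches it, the following added example (not part of the thread and not OSSEC's own code) parses the WinEvtLog line quoted above into the fields OSSEC's Windows decoder exposes, then applies the two `<id>` patterns from the reply to the extracted event ID. Python's `re` module stands in for OSSEC's own OS_Regex engine; for the anchored alternations used here the two behave the same. The sample line is reconstructed from the alert in the thread.

```python
import re

# Constructed sample: the WinEvtLog line from the alert quoted in the thread,
# joined back onto a single line as OSSEC emits it.
SAMPLE_1035 = (
    "WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien: "
    "MrHien-PC: MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation (NULL)"
)

# Constructed sample: the event ID the stock rule already matches (11707).
SAMPLE_11707 = (
    "WinEvtLog: Application: INFORMATION(11707): MsiInstaller: MrHien: "
    "MrHien-PC: MrHien-PC: Product: Log Parser 2.2 -- Installation completed successfully. (NULL)"
)

# Layout of an OSSEC WinEvtLog line:
#   WinEvtLog: <log>: <LEVEL>(<event id>): <source>: <user>: <domain>: <computer>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<level>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]*): (?P<domain>[^:]*): "
    r"(?P<computer>[^:]*): (?P<message>.*)$"
)

# The two <id> patterns from the thread: the stock rule 18147 and the overwrite.
RULE_18147_STOCK = r"^11707$"
RULE_18147_PATCHED = r"^11707$|^1035$"


def parse_winevtlog(line):
    """Split a WinEvtLog line into the decoder fields; None if it is not one."""
    m = WINEVT_RE.match(line)
    if m is None:
        return None
    return m.groupdict()


def id_matches(id_regex, line):
    """Apply a rule's <id> regex to the decoded event ID only, as OSSEC does.

    The regex is anchored to the id field, so numbers that merely appear in the
    message body (here '1033' and '2.2.10') can never satisfy it.
    """
    event = parse_winevtlog(line)
    if event is None:
        return False
    return re.search(id_regex, event["id"]) is not None


def would_alert(line):
    """Return which version of rule 18147 fires for the line, for comparison."""
    return {
        "stock": id_matches(RULE_18147_STOCK, line),
        "patched": id_matches(RULE_18147_PATCHED, line),
    }


if __name__ == "__main__":
    for name, line in (("1035", SAMPLE_1035), ("11707", SAMPLE_11707)):
        ev = parse_winevtlog(line)
        print(name, ev["source"], ev["id"], would_alert(line))
```

The `stock` result is False for the quoted event and True only after the overwrite, which is the gap the reply closes. One operational caveat: MsiInstaller event 1035 is logged when Windows Installer reconfigures an already installed product (repairs and feature changes included), so the widened rule will also fire on maintenance runs, not only on new installs; if that proves noisy, the `<description>` or a child rule keyed on the message text can distinguish the two.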