Michael Starks, kasper creates its own log called Kaspersky Event Log dan (ddpbsd), yes, they are there
*2013 Sep 19 11:12:31 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Kaspersky Event Log: WARNING(4660): avp: (no user): no domain: adminpk: File C:\Users\Admin\Desktop\crack.exe is virus * next i create /var/ossec/rules/kasper_rules.xml *<group name="kasper">* * * * <rule id="100101" level="0">* * <category>windows</category>* * <description>Group of windows rules.</description>* * </rule>* * * * <rule id="100102" level="10">* * <if_sid>100101</if_sid>* * <status>^Kaspersky</status>* * <description>Any Kasper Activity</description>* * </rule>* * * * <rule id="100103" level="10">* * <if_sid>100102</if_sid>* * <id>^4660$</id>* * <description>Kaspersky Alarm</description>* * </rule>* * * *</group>* and it doesn't create alerts i try to check rules using tool ossec-logtest, but it doesn't generate any alerts even with native windows log: *2013 Sep 19 11:42:27 (W7Dell) 0.0.0.0->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: adminpk: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-713843645-4102711683-1688150638-1000 Account Name: Admin Account Domain: adminpk Logon ID: 0xbedad Member: Security ID: S-1-5-21-713843645-4102711683-1688150638-1002 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: admins Group Domain: Builtin Additional Information: Privileges: * so i'm stuck, pls help -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
