Hi there,
is it possible to create an alert only if specific filetypes hit a
directory?
I am testing with an upload directory and I want to generate an alert only
if a PHP file gets uploaded.
My idea was to realize this with custom rules:

<rule id="554" level="5" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

<rule id="100554" level="10">
  <if_sid>554</if_sid>
  <match>/root/upload/\w+.php</match>
  <description>New php file in upload folder.</description>
</rule>

<rule id="100555" level="0">
  <if_sid>554</if_sid>
  <match>/root/upload</match>
  <description>New file in upload folder.</description>
</rule>

Is there a better, suggested way to achieve this, or should my solution
work?
Thanks for your help in advance, regards Georg.
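
An added example, not part of the original post and not OSSEC's shipped rules: one arrangement of the rules above that accounts for two documented OSSEC behaviours, namely that <match> takes sregex (only ^, $ and | are special, so \w+ is not a wildcard there) and that level 0 rules are scanned before all others, so a level 0 sibling can match first. It assumes the syscheck message has the form "New file '/root/upload/name.php' added to the file system.", so the path is closed by a single quote; the group name "local" is also an assumption.

```xml
<group name="local,syscheck,">

  <!-- Overwrite of rule 554 exactly as in the post. -->
  <rule id="554" level="5" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

  <!-- Any new file below the upload directory: level 0, no alert.
       The trailing slash keeps paths such as /root/upload2 out. -->
  <rule id="100555" level="0">
    <if_sid>554</if_sid>
    <match>/root/upload/</match>
    <description>New file in upload folder.</description>
  </rule>

  <!-- Child of the level 0 rule instead of its sibling, so it is only
       evaluated after 100555 has matched and then raises the level.
       sregex treats ".php'" literally: the name must end in .php
       (assumption: the path is followed by a single quote in the log). -->
  <rule id="100554" level="10">
    <if_sid>100555</if_sid>
    <match>.php'</match>
    <description>New php file in upload folder.</description>
    <group>syscheck,</group>
  </rule>

</group>
```

The arrangement can be checked offline by pasting a constructed syscheck line into ossec-logtest and confirming that a .php path ends at rule 100554 while any other file in the directory stops at 100555.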