Hi. We use Trend Micro AV, but the current rules don't match properly.
I'm not sure what they're looking at, but our version of Trend writes
alerts to the Windows Event Log.
Here's a sample.
2015 Apr 29 17:57:52 WinEvtLog: Application: WARNING(500): Trend Micro
OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware:
Eicar_test_1 Computer: LAPTOP1 Domain: domain.co.uk File:
C:\Users\username\AppData\Roaming\Notepad++\backup\new
3@2015-04-29_174606 Date/Time: 29/04/2015 17:57:48 Result: Virus
successfully detected, cannot perform the Clean action (Quarantine)
I'm trying to overwrite the current rules 7610 and 7611, relating to virus
detection, using the Windows decoder:
trend-osce_rules.xml:
<group name="trend_micro,ocse">
  <rule id="7610" level="5">
    <if_sid>7600</if_sid>
    <id>^0|$|^1$|^2$|^33|^10$|^11$|^12$</id>
    <group>virus</group>
    <description>Virus detected and cleaned/quarantined/removed</description>
  </rule>
</group>
local_rules.xml:
<group name="trend_micro,ocse,">
  <rule id="7610" level="5" overwrite="yes">
    <if_sid>18102</if_sid>
    <id>^500</id>
    <group>virus</group>
    <description>Virus detected and cleaned/quarantined/removed</description>
  </rule>
</group>
However, when I run ossec-logtest it's picking up as 18102, not 7610. If I
remove the overwrite and change the rule ID to something unique, like
97610, the rule fires. How can I overwrite the existing Trend rule, but
keep the same IDs so that other monitoring systems (specifically OSSIM)
work?
Thanks.
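An added example, not part of the post above: a small check over the two rule fragments shown in the post. It assumes what OSSEC's overwrite handling does in analysisd (the overwriting rule replaces the original in place and so keeps the original parent, here 7600), which is why a different <if_sid> such as 18102 is never honoured; the script flags exactly that mismatch.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two rule fragments quoted in the post.
STOCK_RULES = """<group name="trend_micro,ocse">
  <rule id="7610" level="5">
    <if_sid>7600</if_sid>
    <id>^0|$|^1$|^2$|^33|^10$|^11$|^12$</id>
    <group>virus</group>
    <description>Virus detected and cleaned/quarantined/removed</description>
  </rule>
</group>"""

LOCAL_RULES = """<group name="trend_micro,ocse,">
  <rule id="7610" level="5" overwrite="yes">
    <if_sid>18102</if_sid>
    <id>^500</id>
    <group>virus</group>
    <description>Virus detected and cleaned/quarantined/removed</description>
  </rule>
</group>"""


def parent_sids(rule):
    """Set of parent rule ids declared by a <rule>'s <if_sid> tags (comma-separated)."""
    sids = set()
    for tag in rule.findall("if_sid"):
        sids.update(s.strip() for s in (tag.text or "").split(",") if s.strip())
    return sids


def index_rules(xml_text):
    """Map rule id -> <rule> element; a rules file may contain several <group>s."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return {r.get("id"): r for r in root.iter("rule")}


def check_overwrites(stock_xml, local_xml):
    """List overwrite="yes" rules whose <if_sid> differs from the stock rule's.

    Assumption (OSSEC overwrite semantics): the overwritten rule stays attached
    to its original parent, so a changed <if_sid> is silently ignored and the
    rule never sees events decoded under the new parent.
    """
    stock, problems = index_rules(stock_xml), []
    for rid, rule in index_rules(local_xml).items():
        if rule.get("overwrite") != "yes":
            continue
        if rid not in stock:
            problems.append((rid, "overwrites a rule id that does not exist"))
            continue
        orig, new = parent_sids(stock[rid]), parent_sids(rule)
        if orig != new:
            problems.append((rid, f"if_sid {sorted(new)} differs from original {sorted(orig)}"))
    return problems


if __name__ == "__main__":
    for rid, msg in check_overwrites(STOCK_RULES, LOCAL_RULES):
        print(f"rule {rid}: {msg}")
```

Run against a real deployment by reading the stock rules file and local_rules.xml into the two string arguments; an empty result means every overwrite keeps its original parent.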