Hi, you can select file extensions easily using wildcards, for example:

    <syscheck>
      <directories realtime="no">C:\Windows\*.exe,C:\Windows\*.dll</directories>
    </syscheck>

This method works only with files that already exist. If you want to scan files that are created after OSSEC starts, you may use <ignore> and create a regular expression that matches any path except those that end with ".exe" or ".dll". To do this more easily, the new OSSEC 2.9 and Wazuh 1.2 will bring a new feature that negates a regex with a "!" symbol, and you may use it in the following way:

    <syscheck>
      <directories realtime="no">C:\Windows</directories>
      <ignore type="sregex">!.exe$</ignore>
    </syscheck>

Hope it helps.

Best regards.

On Thursday, August 4, 2016 at 6:19:42 AM UTC-7, [email protected] wrote:
> Hello!
>
> I want to check on integrity files with selected extensions - .exe, .dll.
> But in documentation I find only example with ignore function which use
> sregex or regex. I try this configuration but it does not work:
>
> <syscheck>
>   <directories realtime="no" report_changes="yes" check_all="yes" type="sregex">C:\Windows\,exe|.dll</directories>
> </syscheck>
>
> Is there any way to check files with selected extensions in OSSEC?
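
A simplified Python model of the negated sregex ignore rule described in the reply, added here as an example; it is not OSSEC or Wazuh code and not part of the original messages. The matching rules in the comments, the combined pattern `!.exe$|.dll$`, and the sample paths are assumptions constructed for illustration.

```python
# Simplified model of a syscheck <ignore type="sregex"> rule with "!" negation.
# Assumed semantics (not taken from OSSEC source):
#   - "|" separates alternatives, "^" anchors at start, "$" anchors at end
#   - every other character, including ".", is literal; matching ignores case
#   - a leading "!" inverts the result of the whole pattern
#   - a path is ignored if ANY ignore entry matches it

def sregex_match(pattern: str, text: str) -> bool:
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    text = text.lower()
    hit = False
    for alt in pattern.lower().split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if start else alt
        lit = lit[:-1] if end else lit
        if start and end:
            ok = text == lit
        elif start:
            ok = text.startswith(lit)
        elif end:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        hit = hit or ok
    return hit != negate

def monitored(paths, ignore_patterns):
    """Return the paths that survive every ignore entry."""
    return [p for p in paths
            if not any(sregex_match(pat, p) for pat in ignore_patterns)]

# Constructed sample paths
SAMPLE_PATHS = [
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System32\kernel32.DLL",
    r"C:\Windows\win.ini",
    r"C:\Windows\notepad.exe.bak",
]

if __name__ == "__main__":
    for pats in (["!.exe$"], ["!.exe$|.dll$"], ["!.exe$", "!.dll$"]):
        print(pats, "->", monitored(SAMPLE_PATHS, pats))
```

Under these assumptions, one negated pattern with both suffixes keeps .exe and .dll files, while two separate negated entries ignore every path, because each file fails at least one of them.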
