IDS mailing list archives
RE: Re: OSSEC and Windows messages
From: "Josh Little" <josh () zombietango com>
Date: Tue, 11 May 2010 09:58:19 -0400
Can you post an example of a rule you are writing? One thing I have found is that, especially on Windows system messages, I have to explicitly mark whitespace as \s+ instead of just leaving it as is. Though, to be fair, this is typically when monitoring messages received through SNARE/syslog and not the OSSEC agent. Also, are you looking to warn on a specific string/match or filter out false positives?

ZT

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of evilwon12 () yahoo com
Sent: Monday, May 10, 2010 4:01 PM
To: focus-ids () securityfocus com
Subject: Re: Re: OSSEC and Windows messages

Sorry if I was not clear in my original post. When I said I have not been able to filter on anything in the message string, I thought that implied that I have already done a custom rule in the local rules file. Sorry if that was not clear, but it is not working.

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL. A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
-----------------------------------------------------------------
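Added example (editorial, not code from this thread or from the OSSEC project): a local_rules.xml fragment that applies the \s+ approach Josh describes to a Windows Security event delivered over SNARE/syslog. The rule IDs, level, group names and the sample log line in the comment are assumptions made for the illustration. Two OSSEC-specific points matter here: \s+ is a token of the <regex> element (<match> is plain sregex, where only ^, $ and | are special), and in OSSEC's own regex syntax \s matches spaces only, \t matches tabs, so a message that arrives tab-delimited needs \t (or \.+, which matches any run of characters) rather than \s+.

```xml
<!-- Added example, not from this thread or the OSSEC project.
     Rule IDs 100000-119999 are the range OSSEC reserves for local rules;
     the IDs, level and sample line here are assumptions for illustration. -->
<group name="local,windows,snare,">

  <!-- Parent rule: catch anything carrying the SNARE "MSWinEventLog" header.
       <match> is sregex (only ^ $ | are special), so no \s tokens here. -->
  <rule id="100100" level="0">
    <match>MSWinEventLog</match>
    <description>Windows event received via SNARE/syslog (grouping rule)</description>
  </rule>

  <!-- For comparison, the fragile form (kept commented out): literal single
       spaces match only if the event text carries exactly one space between
       the tokens, which padded or reformatted Windows event text often does not.

  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <regex>Logon Type: 10</regex>
    <description>Remote interactive logon (literal spaces, often fails)</description>
  </rule>
  -->

  <!-- Robust form: \s+ absorbs any run of spaces between the tokens.
       If the agent/syslog path delivers tabs instead, use \t or \.+ here. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <regex>Logon\s+Type:\s+10</regex>
    <description>Remote interactive (RDP, logon type 10) logon reported by SNARE</description>
  </rule>

  <!-- Checking the rule without waiting for live traffic. The line below is a
       constructed SNARE-style record (syslog header, MSWinEventLog, event 528);
       feed it to ossec-logtest and confirm that phase 3 reports rule 100101:

       echo 'May 10 16:01:00 WINHOST MSWinEventLog 1 Security 4711 Mon May 10 16:01:00 2010 528 Security jsmith User Success Audit WINHOST Logon/Logoff Successful Logon: User Name: jsmith Domain: CORP Logon Type:   10 Source Network Address: 10.0.0.5' | /var/ossec/bin/ossec-logtest

       Note the three spaces before "10": the literal-space rule misses it,
       the \s+ rule fires. -->
</group>
```

ossec-logtest loads the same rule set the server uses, so it is the quickest way to see whether a local rule fails because of whitespace in the regex or because it never reaches the rule at all (wrong parent, or a higher-level rule matching first).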
Current thread:
- Re: OSSEC and Windows messages sohil_garg (May 07)
- <Possible follow-ups>
- Re: Re: OSSEC and Windows messages evilwon12 (May 10)
- RE: Re: OSSEC and Windows messages Josh Little (May 11)
- Re: RE: Re: OSSEC and Windows messages evilwon12 (May 17)