Focus on IDS
Re: Re: OSSEC and Windows messages May 10 2010 08:01PM
evilwon12 yahoo com (1 reply)
RE: Re: OSSEC and Windows messages May 11 2010 01:58PM
Josh Little (josh zombietango com)

Can you post an example of a rule you are writing? One thing I have found is
that, especially on Windows system messages, I have to explicitly mark
whitespace as \s+ instead of just leaving it as is. Though, to be fair, this
is typically when monitoring messages received through SNARE/syslog and not
the OSSEC agent. Also, are you looking to warn on a specific string/match or
filter out false positives?

ZT

-----Original Message-----
From: listbounce (at) securityfocus (dot) com On Behalf Of evilwon12 (at) yahoo (dot) com
Sent: Monday, May 10, 2010 4:01 PM
To: focus-ids (at) securityfocus (dot) com
Subject: Re: Re: OSSEC and Windows messages

Sorry if I was not clear in my original post. When I said I have not been
able to filter on anything in the message string, I thought that implied
that I have already done a custom rule in the local rules file. Sorry if
that was not clear, but it is not working.

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you can
securely collect sensitive information online, and increase business by
giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194


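The whitespace point in the reply above, worked through as an added example that is not part of the original thread. Snare for Windows joins event fields with tab characters, so a rule regex written with a literal space between two fields never matches the forwarded event, while `\s+` matches whether the separator is a tab or a space. The sample events are constructed, the event field values are illustrative, and the matching is done with Python's `re` engine; OSSEC's `<regex>` element has its own dialect, so any pattern should still be tested against a real event from the target system before it goes into local_rules.xml.

```python
"""Literal-space versus \\s+ field separators on Snare-forwarded events."""
import re

# Constructed sample: a Windows logon-failure event in the tab-delimited
# shape Snare emits over syslog (field values are illustrative only).
TAB_EVENT = (
    "MSWinEventLog\t1\tSecurity\t42\tMon May 10 16:01:00 2010\t529\t"
    "Security\tAdministrator\tUser\tFailure Audit\tWS01\tLogon/Logoff\t\t"
    "Logon Failure: Unknown user name or bad password\t3"
)
# The same event with the tabs flattened to spaces, which is how it looks
# in many viewers and is what a rule author tends to copy from.
SPACE_EVENT = TAB_EVENT.replace("\t", " ")

# A constructed success event that a logon-failure rule must not flag.
SUCCESS_EVENT = (
    "MSWinEventLog\t1\tSecurity\t43\tMon May 10 16:02:00 2010\t528\t"
    "Security\tjdoe\tUser\tSuccess Audit\tWS01\tLogon/Logoff\t\t"
    "Successful Logon\t2"
)

# Literal space between the "User" field and the "Failure Audit" field:
# this only matches when the separator really is a space.
LITERAL_RE = re.compile(r"User Failure Audit.*Logon Failure")

# \s+ between fields.  The space inside "Failure Audit" is part of one
# field's text, so it stays a literal space.
WS_RE = re.compile(r"User\s+Failure Audit.*Logon Failure")


def matches(pattern: re.Pattern, event: str) -> bool:
    """True if the compiled pattern finds a hit anywhere in the event."""
    return pattern.search(event) is not None


def logon_failures(events, pattern=WS_RE):
    """Return the events the pattern flags as logon failures, in order."""
    return [e for e in events if matches(pattern, e)]


def whitespace_kinds(event: str) -> set:
    """Report which whitespace characters appear in an event.

    A quick check to run on a captured event before deciding whether a
    literal space in the rule is safe or \\s+ is needed.
    """
    return {c for c in event if c in " \t"}


if __name__ == "__main__":
    for name, pat in (("literal space", LITERAL_RE), ("\\s+", WS_RE)):
        for label, ev in (("tab", TAB_EVENT), ("space", SPACE_EVENT)):
            print(f"{name:14} vs {label:5}-separated event: {matches(pat, ev)}")
    print("whitespace in Snare event:", sorted(map(repr, whitespace_kinds(TAB_EVENT))))
```

The practical rule of thumb this shows: copy the pattern from the raw syslog line (or check it with something like `whitespace_kinds` on a captured event), keep literal spaces only inside a field's own text, and use `\s+` wherever the pattern crosses a field boundary.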
Copyright 2010, SecurityFocus