Hi Mike,

On Thu, Jan 20, 2011 at 12:50 PM, Mike Smith <ranger....@gmail.com> wrote:
> Hello,
>
> I would like to know how I can get ossec to alert me any time a find with
> the extension of .asp is placed with the c:\inetpub directory running
> Windows Server 2003.
>
> <directories check_all="yes">c:\inetpub/*.asp</directories> or how do you do
> it with a file ext like .asp can you do *.asp or ,asp$

New topic, new thread. Don't re-use threads. ;)

Anyhow, your directories statement won't work. There isn't much globbing
support in OSSEC. Your best option might be turning on the alert on new files
option, and creating a rule to alert on asp files in inetpub. Something like:

    <rule id="100000" level="10">
      <if_sid>554</if_sid>
      <match>c:\inetpub</match>
      <regex>inetpub/\.+.asp</regex>
      <description>New asp file</description>
    </rule>

I haven't tested this at all, so I don't know if it's exactly right. You may
have to make adjustments.

>
> Also, what frequency can I set, can you set it to 1 min / 60 secs, or is
> there a better way using the realtime option.
>
> Thanks,
>
> Mike

http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html

You can set the frequency to whatever you want (in seconds). If you have
syscheck checking a lot of directories, it may not finish in 60 seconds
though. The realtime option may be best on the platforms that support it.
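
How the pieces suggested in the reply fit together, as an added example that is not part of the original thread. The split between manager and agent configuration files, the frequency value of 300 and the group name are assumptions made for illustration; the rule body is the untested one from the reply, unchanged.

```xml
<!-- Manager ossec.conf: turn on the "alert on new files" option.
     Without it, syscheck records new files but does not report them. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Agent ossec.conf on the Windows host: monitor the directory itself.
     No wildcard in the path; filtering by extension is left to the rule. -->
<ossec_config>
  <syscheck>
    <!-- Sample value in seconds (assumption). A scan of a large tree may
         take longer than a very short interval. -->
    <frequency>300</frequency>
    <directories check_all="yes">c:\inetpub</directories>
  </syscheck>
</ossec_config>

<!-- Manager rules/local_rules.xml: rule 554 is the stock "File added to the
     system" rule and is level 0, so it never alerts by itself. This child
     rule raises the level when the new file matches the pattern.
     Rule body as posted in the reply (untested there); group name is an
     assumption. -->
<group name="local,syscheck,">
  <rule id="100000" level="10">
    <if_sid>554</if_sid>
    <match>c:\inetpub</match>
    <regex>inetpub/\.+.asp</regex>
    <description>New asp file</description>
  </rule>
</group>
```

After editing, restart OSSEC on both sides and confirm the rule fires by running a captured new-file alert line through `ossec-logtest` on the manager.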