Look at the realtime option for syscheck: http://www.ossec.net/doc/manual/syscheck/

I also recommend turning auto_ignore off, so you will continue to be notified after the 3rd change detection. Stick <auto_ignore>no</auto_ignore> into the syscheck portion of your ossec.conf.

You might also wish to look at the do_not_delay email option: http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html

No idea about OSSIM. I don't use it.

From: [email protected] [mailto:[email protected]] On Behalf Of Ruwan Geeganage
Sent: Wednesday, May 01, 2013 9:33 AM
To: [email protected]
Subject: Re: [ossec-list] OSSEC windows agent - Registry modification alerts

Hi,

Thanks for the quick reply. I want to get informed as soon as the registry modification has been done. Can I get these notifications by applying your modification? How can I do this in OSSIM? What correlation directive should I use?

Thank you so much

On Wednesday, May 1, 2013 9:03:14 PM UTC+5:30, lostinthetubez wrote:

The last OSSEC release made all registry changes drop below the default email threshold, even useful ones like this. Add something to local_rules.xml to selectively elevate the level, like this:

<rule id="110000" level="10">
  <if_sid>594</if_sid>
  <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
  <description>A change has been made to the software that automatically runs at startup.</description>
</rule>

From: [email protected] [mailto:[email protected]] On Behalf Of Ruwan Geeganage
Sent: Wednesday, May 01, 2013 8:05 AM
To: [email protected]
Subject: [ossec-list] OSSEC windows agent - Registry modification alerts

I have installed the OSSEC agent on my Windows PC. I want to get alerts when any program or person adds new entries to the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I checked the ossec.conf in the Windows agent. It has the particular entry. But I'm not getting any real time alerts. Please help.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
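As an added example (not from the thread and not the OSSEC project's own shipped configuration), here are the three pieces the replies above point at, split by where each one lives: the syscheck section on the Windows agent, the elevated rule on the manager, and the granular email setting on the manager. It assumes OSSEC 2.x syntax; the frequency value, the StartUp folder path, the rule group name and the email address are assumptions or placeholders, while rule 594 and the match pattern are the ones lostinthetubez posted. One caveat a practitioner will want: realtime is an attribute of <directories>, so it covers the on-disk startup folder below, but <windows_registry> entries are only evaluated on each scheduled scan, which means <frequency> is what governs how quickly a Run-key change surfaces.

```xml
<!-- Agent side: ossec.conf on the Windows PC (added example, OSSEC 2.x syntax assumed) -->
<ossec_config>
  <syscheck>
    <!-- Registry keys are checked on this schedule (seconds); value is illustrative -->
    <frequency>3600</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Keep alerting after the third change to the same item instead of silencing it -->
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>

    <!-- The key from the original question -->
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</windows_registry>

    <!-- realtime applies to directories only; this StartUp folder path is an assumption -->
    <directories realtime="yes" check_all="yes">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</directories>
  </syscheck>
</ossec_config>

<!-- Manager side: rules/local_rules.xml. Rule 594 and the match pattern are from the thread;
     the group name is an assumption. Level 10 is above the default email threshold of 7. -->
<group name="local,syscheck,">
  <rule id="110000" level="10">
    <if_sid>594</if_sid>
    <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
    <description>A change has been made to the software that automatically runs at startup.</description>
  </rule>
</group>

<!-- Manager side: ossec.conf. Send this rule's alerts immediately instead of batching them. -->
<ossec_config>
  <email_alerts>
    <!-- placeholder recipient -->
    <email_to>soc@example.com</email_to>
    <rule_id>110000</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

After changing the rule on the manager, restart OSSEC there and watch /var/ossec/logs/alerts/alerts.log for a rule 110000 hit the next time the agent's scan runs; if the alert never appears at all, the problem is on the agent side (key not scanned or scan interval too long), and if it appears in the log but not in mail, it is the email threshold or the email_alerts block.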
