On Wed, Dec 14, 2016 at 7:20 AM, Francesco Raimondi <francesco.raimond...@gmail.com> wrote:
> Greetings,
>
> I have a problem trying to detect a process running on the machine.
> Specifically, I want to detect the process "tor.exe" by using
> win_applications_rcl.txt
> Here's my directive:
>
> [P2P] [any] []
> p:=:tor.exe;
>
> Unfortunately, it's not working... there seems to be a problem with the =
> sign, if I use something like this:
>
> p:r:tor.exe;
>
> it works correctly. But then, since "r:" is used for regular expression, I
> get an alert for everything that contains "tor.exe", which is obviously not
> good.
>
I don't have much experience with this, but what about something like:

p:r:^tor.exe$

> Any idea on how I can improve this?
>
> Thanks,
> Francesco
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
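The difference between the `p:=:` and `p:r:` checks in the thread above, and what anchoring the regex with `^` and `$` changes, as an added worked example. This is not OSSEC's own code and not part of the original thread: it is a small simulation of how a rootcheck rcl block's `p:` lines are compared against a process list. It assumes that `=:` is a case-insensitive comparison of the whole name and that `r:` is a case-insensitive regex searched anywhere in the name; OSSEC uses its own OS_Regex engine, and Python's `re` stands in for it here. The process names are constructed for the example.

```python
import re

# Constructed process list standing in for what rootcheck would enumerate
# on the host. Names are made up for this example.
PROCESSES = [
    "explorer.exe",
    "tor.exe",
    "monitor.exe",      # contains "tor.exe" as a substring
    "TOR.EXE",          # same binary name, different case
    "tor.exe.bak",      # starts with "tor.exe" but is not the running binary
    "tor_exe",          # an unescaped "." in a regex matches the "_" too
]


def parse_rcl_block(text):
    """Parse one rcl block: a [Name] [any|all] [reference] header followed
    by p:<op>:<value>; process checks.

    Only the subset of the rcl format used in the thread is handled:
    process checks with the "=" (exact) or "r" (regex) operator.
    """
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    m = re.match(r"\[(.*?)\]\s*\[(any|all)\]\s*\[(.*?)\]", lines[0])
    if not m:
        raise ValueError("bad rcl header: %r" % lines[0])
    name, mode = m.group(1), m.group(2)
    checks = []
    for line in lines[1:]:
        cm = re.match(r"p:(=|r):(.+);$", line)
        if not cm:
            raise ValueError("unsupported check: %r" % line)
        checks.append((cm.group(1), cm.group(2)))
    return name, mode, checks


def pt_matches(proc_name, op, pattern):
    """Compare one process name against one check value.

    "=": exact, case-insensitive comparison of the whole name (assumed).
    "r": regex searched anywhere in the name, case-insensitive (assumed;
         Python's re is a stand-in for OSSEC's OS_Regex).
    """
    if op == "=":
        return proc_name.lower() == pattern.lower()
    return re.search(pattern, proc_name, re.IGNORECASE) is not None


def evaluate(text, processes=PROCESSES):
    """Return the process names that satisfy the block ("any" = at least
    one check matches, "all" = every check matches)."""
    name, mode, checks = parse_rcl_block(text)
    hits = []
    for proc in processes:
        results = [pt_matches(proc, op, pat) for op, pat in checks]
        if any(results) if mode == "any" else all(results):
            hits.append(proc)
    return hits


# The three variants discussed in the thread, plus the regex with the dot
# escaped so it only matches a literal ".".
EXACT = "[P2P] [any] []\np:=:tor.exe;"
LOOSE = "[P2P] [any] []\np:r:tor.exe;"
ANCHORED = "[P2P] [any] []\np:r:^tor.exe$;"
ANCHORED_ESCAPED = "[P2P] [any] []\np:r:^tor\\.exe$;"

if __name__ == "__main__":
    for label, block in [("=:tor.exe", EXACT),
                         ("r:tor.exe", LOOSE),
                         ("r:^tor.exe$", ANCHORED),
                         ("r:^tor\\.exe$", ANCHORED_ESCAPED)]:
        print("%-14s -> %s" % (label, evaluate(block)))
```

Under these assumptions the unanchored `r:tor.exe` also fires on `monitor.exe` and `tor.exe.bak`, which is the over-alerting Francesco describes; `^tor.exe$` removes both, and escaping the dot (`^tor\.exe$`) additionally stops the pattern from matching names like `tor_exe`. Before relying on any of these in `win_applications_rcl.txt`, check what string the agent actually compares against on the target platform (the bare image name or something longer), since an anchored pattern or an `=:` check only matches the whole of whatever rootcheck records as the process name.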