Updated OSSEC Windows rules, hope this may help:
https://github.com/zoldners/ossec-hids
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to
1) Install Sysmon 5 (Sysinternals)
2) Configure registry monitoring in Sysmon configuration (xml file):
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
3) Configure OSSEC agents to parse Sysmon eventlog:
You can enable syslog on ESXi, but I don't know about vSphere on Windows.
Allow syslog on ESXi hosts (firewall):
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-1083C791-83A1-4442-AE25-3BA454FC0444.html
Configure syslog on ESXi hosts:
Thanks!
Starting point - Windows 8 and Windows Server 2012 Security Event Details:
http://www.microsoft.com/en-us/download/details.aspx?id=35753
For example, Windows process tracking:
1) Enable Advanced Audit Policy Configuration - Detailed Tracking - Audit
Process Creation (Success)
2) Create test
On Thursday, January 22, 2015 at 4:07:47 PM UTC+2, ZaNN wrote:
Did not test, but this match instead of a regex should do the trick:
<match>Account Name: SM_</match>
Sorry, match failed.
On Thursday, January 22, 2015 at 4:06:01 PM UTC+2, dan (ddpbsd) wrote:
<regex>Account Name:\s+SM_\S+</regex>
Thanks, Dan, it works!
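Putting that regex to use: an added example (not from the thread) of a local OSSEC rule that drops the alert for these accounts by matching on the child rule at level 0. The rule id 100100 and the parent id 18100 (OSSEC's generic Windows event group rule) are assumptions; in practice the if_sid should be the id shown as "Rule:" in the alert being suppressed.

```xml
<!-- local_rules.xml: added example, not from the thread.
     A level-0 child of the Windows group rule is matched but never alerted on. -->
<group name="local,windows,">
  <rule id="100100" level="0">
    <!-- 18100 is assumed here; replace it with the "Rule:" id of the alert
         you want to silence so the override stays narrow. -->
    <if_sid>18100</if_sid>
    <!-- Whitespace after the colon, then "SM_" followed by non-space characters
         (OSSEC's own regex syntax, where \s and \S are supported). -->
    <regex>Account Name:\s+SM_\S+</regex>
    <description>Ignore Windows audit events for SM_ accounts.</description>
  </rule>
</group>
```

Feed a copy of one of the noisy events through ossec-logtest after restarting OSSEC to confirm the event now lands on rule 100100 at level 0.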
Hello,
I don't know how to filter out unneeded alerts when an alert contains 'Account
Name: SM_randomstring', for example SM_f9295f8bdec14ffe9.
Tried:
<regex>Account Name:\s+SM+\.+\w</regex>
How to filter out such alerts?
Thank you!