[ossec-list] Updated OSSEC Windows rules

2018-03-26 Thread Janis Zoldners
Updated OSSEC Windows rules, hope this may help: https://github.com/zoldners/ossec-hids -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to

[ossec-list] Re: OSSEC rule to detect new run keys added to the registry

2016-12-20 Thread Janis Zoldners
1) Install Sysmon 5 (Sysinternals)
2) Configure registry monitoring in Sysmon configuration (xml file):
   Software\Microsoft\Windows\CurrentVersion\Run
   Software\Microsoft\Windows\CurrentVersion\RunOnce
3) Configure OSSEC agents to parse Sysmon eventlog:
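The three steps in the reply, written out as an added example (my configuration, not Janis Zoldners' or the OSSEC project's own). It assumes Sysmon's schemaversion 3.30, OSSEC 2.8 or later on the Windows agent, rule ids 100100 and 100101 in local_rules.xml, and OSSEC's generic Windows parent rule 18100; adjust those to your Sysmon version and ruleset.

```xml
<!-- (a) sysmon.xml for step 2. Load with "sysmon -accepteula -i sysmon.xml", or
     "sysmon -c sysmon.xml" to reload a running install. schemaversion="3.30" is an
     assumption for Sysmon 5; "sysmon -s" prints the schema your binary expects. -->
<Sysmon schemaversion="3.30">
  <EventFiltering>
    <!-- Sysmon 5 registry events: 12 (key/value created or deleted), 13 (value set),
         14 (rename). "include" with a "contains" test keeps only writes under
         ...\CurrentVersion\Run* in every hive (HKLM and each HKU\<SID>); the same
         line therefore also covers RunOnce. -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Run</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>

<!-- (b) ossec.conf on the Windows agent for step 3: read the Sysmon channel with the
     eventchannel reader (OSSEC 2.8 or later). Restart the agent service afterwards. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- (c) local_rules.xml on the manager. The agent forwards each event as a line like
     "WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(13): ... Registry value set:
      ... TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<name> ...".
     18100 is OSSEC's "Group of windows rules" parent (assumed here). <match> is a literal
     substring test (only ^, $ and | are special), so the backslash needs no escaping. -->
<group name="local,sysmon,">
  <rule id="100100" level="0">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-Sysmon/Operational</match>
    <description>Sysmon event.</description>
  </rule>

  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>CurrentVersion\Run</match>
    <description>Sysmon: registry write under a Run/RunOnce autostart key.</description>
  </rule>
</group>
```

Both <match> strings are deliberately broad: 100100 also swallows every other Sysmon event at level 0 so nothing fires for them, and CurrentVersion\Run matches RunOnce and RunServices as well, which is what you want for autostart monitoring. After editing, restart the agent and the manager, then feed a captured Sysmon line to ossec-logtest to confirm the chain 18100 -> 100100 -> 100101 resolves before trusting it in production.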

[ossec-list] Re: OSSEC - vSphere

2015-07-14 Thread Janis Zoldners
You can enable syslog on ESXi, but I don't know about vSphere on Windows.
Allow syslog on ESXi hosts (firewall): http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-1083C791-83A1-4442-AE25-3BA454FC0444.html
Configure syslog on ESXi hosts:

[ossec-list] Re: Updated decoder for Sysmon v3

2015-07-14 Thread Janis Zoldners
Thanks!

[ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-31 Thread Janis Zoldners
Starting point - Windows 8 and Windows Server 2012 Security Event Details: http://www.microsoft.com/en-us/download/details.aspx?id=35753
For example, Windows process tracking:
1) Enable Advanced Audit Policy Configuration - Detailed Tracking - Audit Process Creation (Success)
2) Create test

[ossec-list] Re: Rules: regex filter (underscore)

2015-01-23 Thread Janis Zoldners
On Thursday, January 22, 2015 at 4:07:47 PM UTC+2, ZaNN wrote:
> Did not test, but this match instead of a regex should do the trick: <match>Account Name: SM_</match>

Sorry, match failed.

Re: [ossec-list] Rules: regex filter (underscore)

2015-01-23 Thread Janis Zoldners
On Thursday, January 22, 2015 at 4:06:01 PM UTC+2, dan (ddpbsd) wrote:
> <regex>Account Name:\s+SM_\S+</regex>

Thanks, Dan, it works!

[ossec-list] Rules: regex filter (underscore)

2015-01-22 Thread Janis Zoldners
Hello, I don't know how to filter out unneeded alerts if an alert contains 'Account Name: SM_randomstring', for example, SM_f9295f8bdec14ffe9.
Tried: <regex>Account Name:\s+SM+\.+\w</regex>
How to filter out such alerts? Thank you!
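Tying the two Windows threads together (the 2015-03-31 process-tracking reply and this SM_ filtering question), here is an added example of my own, not from any post in this list and not from the OSSEC ruleset. It assumes OSSEC's generic Windows parent rule 18100, rule ids 100200 and 100201 in local_rules.xml, and that the noisy alert is Security event 4688, which is what Advanced Audit Policy > Detailed Tracking > Audit Process Creation (Success) produces; if your noisy alert comes from a different rule, put that rule's id in the child rule's <if_sid> and keep the rest.

```xml
<!-- local_rules.xml on the OSSEC manager (ids 100200/100201 and parent 18100 are assumptions).
     Event 4688 arrives from the eventchannel reader as a line like
     "WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: ...
      A new process has been created. Subject: Security ID: S-1-5-21-... Account Name: SM_f9295f8bdec14ffe9
      ... New Process Name: C:\Windows\System32\cmd.exe ..." (constructed sample, field order as in 4688). -->
<group name="local,windows,">
  <!-- Parent: every process creation recorded by Audit Process Creation (Success).
       <match> is a plain substring test, so the message text pins the event type. -->
  <rule id="100200" level="5">
    <if_sid>18100</if_sid>
    <match>A new process has been created</match>
    <description>Windows: new process created (Security 4688).</description>
  </rule>

  <!-- Child: the same event, but the account is SM_ followed by a random suffix.
       Level 0 suppresses the alert. OSSEC regex: \s+ is one or more whitespace
       characters, \S+ one or more non-whitespace, so this matches
       "Account Name: SM_f9295f8bdec14ffe9" whatever the suffix length and stops at
       the next field. -->
  <rule id="100201" level="0">
    <if_sid>100200</if_sid>
    <regex>Account Name:\s+SM_\S+</regex>
    <description>Windows: process created by an SM_ account, not alerted.</description>
  </rule>
</group>
```

The child rule wins because OSSEC tries the children of a matched rule before settling on its level, and level 0 means no alert is written. One caveat: 4688 carries an Account Name for the subject and, on newer Windows versions, a second one for the target subject (the account the new process runs as), and this regex fires if either of them begins with SM_; run a captured 4688 line through ossec-logtest and check which rule id comes out before relying on it.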