Updated OSSEC Windows rules, hope this may help:
https://github.com/zoldners/ossec-hids
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr.
1) Install Sysmon 5 (Sysinternals)
2) Configure registry monitoring in Sysmon configuration (xml file):
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
3) Configure OSSEC agents to parse Sysmon eventlog:
You can enable syslog on ESXi, but I don't know about vSphere on Windows.
Allow syslog on ESXi hosts (firewall):
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-1083C791-83A1-4442-AE25-3BA454FC0444.html
Configure syslog on ESXi hosts:
https://pubs.vmware.com/vsphe
Thanks!
Starting point - Windows 8 and Windows Server 2012 Security Event Details:
http://www.microsoft.com/en-us/download/details.aspx?id=35753
For example, Windows process tracking:
1) Enable Advanced Audit Policy Configuration -> Detailed Tracking -> Audit
Process Creation (Success)
2) Create test O
On Thursday, January 22, 2015 at 4:06:01 PM UTC+2, dan (ddpbsd) wrote:
>
> Account Name:\s+SM_\S+
>
Thanks, Dan, it works!
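For anyone landing on this thread later, here is how the regex Dan gave fits into an OSSEC rule that silences the alerts for SM_ service accounts. This is an added example, not something posted in the thread: the local rule ID 100100 and the parent ID in `<if_sid>` are assumptions. 18100 is the generic Windows event rule in the stock OSSEC ruleset; replace it with the ID of the rule that actually fires for these events (run the event through `ossec-logtest` to see which one that is). OSSEC uses its own regex dialect, where `\s` is whitespace and `\S` is any non-whitespace character, which is why the `\S+` form matches the random suffix after `SM_`.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the thread).
     A level-0 child rule that matches first suppresses the alert entirely. -->
<group name="local,windows,">

  <!-- 100100: local rule IDs must be in the 100000-119999 range (assumed free here) -->
  <rule id="100100" level="0">
    <!-- 18100 is assumed to be the parent Windows event rule; adjust to the rule
         ID that ossec-logtest reports for the noisy event -->
    <if_sid>18100</if_sid>
    <!-- OSSEC regex dialect: \s+ = one or more whitespace, \S+ = one or more
         non-whitespace; matches e.g. "Account Name: SM_f9295f8bdec14ffe9" -->
    <regex>Account Name:\s+SM_\S+</regex>
    <description>Ignore Windows events for SM_ service accounts</description>
  </rule>

</group>
```

After editing local_rules.xml, restart OSSEC on the manager and verify with `ossec-logtest` that the sample event now ends in rule 100100 at level 0; if it still lands on the original rule, the `<if_sid>` value does not match the rule that is actually firing.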
On Thursday, January 22, 2015 at 4:07:47 PM UTC+2, ZaNN wrote:
>
> Did not test, but this match instead of a regex should do the trick:
>
> Account Name: SM_
>
Sorry, match failed.
Hello,
I don't know how to filter out unneeded alerts if an alert contains 'Account
Name: SM_randomstring', for example, SM_f9295f8bdec14ffe9
Tried:
Account Name:\s+SM+\.+\w
How to filter out such alerts?
Thank you!