IDS mailing list archives

RE: Re: OSSEC and Windows messages


From: "Josh Little" <josh () zombietango com>
Date: Tue, 11 May 2010 09:58:19 -0400


Can you post an example of a rule you are writing? One thing I have found is
that, especially on Windows system messages, I have to explicitly mark
whitespace as \s+ instead of just leaving it as is. Though, to be fair, this
is typically when monitoring messages received through SNARE/syslog and not
the OSSEC agent. Also, are you looking to warn on a specific string/match or
filter out false positives?

ZT
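The suggestion above (use \s+ rather than literal spaces, and decide whether the rule is meant to alert or to suppress) as a local_rules.xml fragment. This is an added example written for this archive page, not a rule posted by either participant; the rule IDs 100100/100101, the "Logon Type: 10" event text and the "AdminSvcAcct" account name are assumptions, as is the use of 18100 as the parent rule, which is OSSEC's generic Windows rule for events delivered by the agent's event-log reader.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (IDs 100000-119999
     are reserved for local rules). Rule IDs, event text and account name
     below are assumptions, not taken from the thread. -->
<group name="local,windows,">

  <!-- Alert case: match on text inside a Windows event message.
       if_sid 18100 = OSSEC's parent rule for agent-delivered Windows events
       (assumed here; events relayed via SNARE/syslog are decoded differently
       and would need a different parent).
       <regex> uses OSSEC's own engine, not PCRE: \s+ means "one or more
       spaces", \d+ "one or more digits", \. "any character". A literal
       single space in the pattern will not match the runs of spaces that
       Windows puts between field names and values, which is why \s+ is used.
       <match> is only a literal substring test, so \s+ has no meaning there. -->
  <rule id="100100" level="10">
    <if_sid>18100</if_sid>
    <regex>Logon\s+Type:\s+10\s</regex>
    <description>Windows: remote interactive (type 10) logon seen in event text</description>
  </rule>

  <!-- Filter case: a level-0 child of the rule above drops the alert when
       the message also names an expected account. Same \s+ treatment. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <regex>Account\s+Name:\s+AdminSvcAcct\s</regex>
    <description>Windows: type 10 logon by an expected service account, ignored</description>
  </rule>

</group>
```

To check the pattern rather than guess, feed a captured copy of the event line to /var/ossec/bin/ossec-logtest; it reports which decoder and which rule ID fired, so a rule that never matches shows up immediately as the parent (18100) firing with no child.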

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of evilwon12 () yahoo com
Sent: Monday, May 10, 2010 4:01 PM
To: focus-ids () securityfocus com
Subject: Re: Re: OSSEC and Windows messages

Sorry if I was not clear in my original post.  When I said I have not been
able to filter on anything in the message string, I thought that implied
that I have already done a custom rule in the local rules file.  Sorry if
that was not clear, but it is not working.

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you can
securely collect sensitive information online, and increase business by
giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
