Just tried this. Cool. And of course, it raises another question.
Here's my first hit from it. It gives the source IP as a.b.c.0. How do I tell which of my (so far, two) test workstations running the agent on DHCP addresses fired the rule?
Thanks.
OSSEC HIDS Notification.
2009 Dec 13 13:32:17
Received From: (dhcp) a.b.c.0->rootcheck
Rule: 513 fired (level 9) -> "Windows malware detected."
Portion of the log(s):
Windows Malware: Anti-virus site on the hosts file. File: C:\WINDOWS\System32\Drivers\etc\HOSTS.