from:http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/

 Even so, getting alerts on new files can be useful. Here’s how you do it:

1. Add the following to the <syscheck> block of etc/ossec.conf:

       <alert_new_files>yes</alert_new_files>

2. Restart OSSEC.

OSSEC is now configured to alert on new files, but you won’t get alerts. Why? It’s because of this rule in etc/ossec_rules.xml:

    <rule id="554" level="0">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>

This rule says, “don’t log and don’t alert on new files” (level 0 is OSSEC’s ignore level). To make new file alerting work, we need to do something about this rule. Add this to local_rules.xml:

    <rule id="554" level="7" overwrite="yes">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>

That’s all you have to do. The next time syscheck runs (which could be a few hours away), OSSEC will begin alerting on anything new that is added to a directory you have told it to monitor. But what if temporary files are constantly being added to one of those directories? Or what if you simply add a tarball, extract it, and there were several hundred files in it? You’ll get flooded with alerts.
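As an added example (not from the original post), here is a small Python model of how the two rule snippets above combine: the stock rule 554 at level 0 silences new-file events, and the local copy restores them only because it carries overwrite="yes". The group names in the embedded XML and the duplicate-id check are assumptions about OSSEC’s loader, not text from the post.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two rule snippets on this page: the stock rule 554
# from ossec_rules.xml and the level-7 override placed in local_rules.xml.
OSSEC_RULES = """<group name="ossec,">
  <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""


def load_rules(xml_text):
    """Map rule id -> <rule> element for every rule in one rules file."""
    return {r.get("id"): r for r in ET.fromstring(xml_text).iter("rule")}


def effective_rules(rule_files):
    """Merge rule files in load order with overwrite semantics (assumed here to
    mirror OSSEC): a later <rule> reusing an id replaces the earlier one only if
    it carries overwrite="yes"; a bare duplicate id is a configuration error."""
    merged = {}
    for xml_text in rule_files:
        for rid, rule in load_rules(xml_text).items():
            if rid in merged and rule.get("overwrite") != "yes":
                raise ValueError(f'duplicate rule id {rid} without overwrite="yes"')
            merged[rid] = rule
    return merged


def alert_level(rule_files, rule_id):
    """Effective level of rule_id once all files are loaded.
    Level 0 is the ignore level: the event is neither logged nor alerted."""
    return int(effective_rules(rule_files)[rule_id].get("level"))


if __name__ == "__main__":
    print("stock rule 554 level:", alert_level([OSSEC_RULES], "554"))
    print("with local override: ", alert_level([OSSEC_RULES, LOCAL_RULES], "554"))
```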