Hi all,
I have configured a checksum alert in real time that triggers and e-mail alert each time a file is being modified. This file is an output of an iptables command executed in all agents every hour:
<localfile>
<log_format>full_command</log_format>
<command>iptables -S > /var/ossec/active-response/iptables_diff.txt</command>
<alias>iptables_status</alias>
<frequency>3600</frequency>
</localfile>
The problem is that lot of times false positives are received due to size changed
to 0 or from 0. Not every hour definitely.
Integrity checksum changed for: '/var/ossec/active-response/iptables_diff.txt'
Size changed from '1089' to '0'
What changed:
1,20d0
< -P INPUT DROP
< -P FORWARD DROP
< -P OUTPUT ACCEPT
< -N LOGGING
< -N OUTPUT-NOLOG
< -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
< -A INPUT -p icmp -j ACCEPT
< -A INPUT -i lo -j ACCEPT
< -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
< -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
< -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG
< -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG
< -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG
< -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state NEW -j OUTPUT-NOLOG
< -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state NEW -j OUTPUT-NOLOG
Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
Integrity checksum changed for: '/var/ossec/active-response/iptables_diff.txt'
Size changed from '0' to '1089'
What changed:
0a1,20
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LOGGING
-N OUTPUT-NOLOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
I suspect that this behaviour is related to real time (inotify) and rewrite the file each time the command is executed ( > ). Is there any best practice to avoid this false
positives? maybe a delay in real time check?
Thanks in advance