syscheck granular alerting


Ross Lawrie

Jan 6, 2012, 5:51:55 PM
to ossec...@googlegroups.com
Hi,

I've been trying to get this to work, but I'm obviously missing
something or not understanding something. What I'd like to do is issue an
alert to an alternate email address should a file change occur within a
particular directory.

From my reading, it seemed like the method to do this would be to create
a custom rule, and then have an alert based on it in the ossec.conf.
Unfortunately nothing seems to be happening...

In local_rules.xml I've created a custom rule:

<group name="syscheck,">
...
  <rule id="100023" level="10">
    <description>Change to a custom directory</description>
    <match>/home/ross</match>
  </rule>
...
</group>

(I've also tried <regex> rather than <match>)

In ossec.conf, I've set this up:

<ossec_config>
...
  <email_alerts>
    <email_to>ro...@riverstyx.net</email_to>
    <rule_id>100023</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
...
</ossec_config>

Now, alerting to the email address defined globally is working, and I'm
seeing alerts on file changes/creation/deletion that I make within the
directory I'm watching (/home/ross for example), but I'm not seeing
alerts going to the email address shown above - nor alerts to either
address with the description set in the custom rule.

Perhaps I'm going about this the wrong way, or there's an easier way to
do this, but my search engine results haven't helped me, so hopefully
someone here can point me in the right direction.

Ross.

dan (ddp)

Jan 6, 2012, 6:09:08 PM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <ro...@riverstyx.net> wrote:
> Hi,
>
> I've been trying to get this to work, but I'm obviously missing
> something or not understanding something. What I'd like to do is issue an
> alert to an alternate email address should a file change occur within a
> particular directory.
>
> From my reading, it seemed like the method to do this would be to create
> a custom rule, and then have an alert based on it in the ossec.conf.
> Unfortunately nothing seems to be happening...
>
> In local_rules.xml I've created a custom rule:
>
> <group name="syscheck,">
> ...
>   <rule id="100023" level="10">
>      <description>Change to a custom directory</description>
>      <match>/home/ross</match>
>   </rule>

Does this rule get triggered?

> ...
> </group>
>
> (I've also tried <regex> rather than <match>)
>
> In ossec.conf, I've set this up:
>
> <ossec_config>
> ...
>   <email_alerts>
>      <email_to>ro...@riverstyx.net</email_to>
>      <rule_id>100023</rule_id>
>      <do_not_delay />
>      <do_not_group />
>   </email_alerts>
> ...
> </ossec_config>
>
> Now, alerting to the email address defined globally is working, and I'm
> seeing alerts on file changes/creation/deletion that I make within the
> directory I'm watching (/home/ross for example), but I'm not seeing
> alerts going to the email address shown above - nor alerts to either
> address with the description set in the custom rule.
>
> Perhaps I'm going about this the wrong way, or there's an easier way to
> do this, but my search engine results haven't helped me, so hopefully
> someone here can point me in the right direction.
>
> Ross.

Is the working address also an @riverstyx.net email address? Have you
checked your maillogs to see if they provide a hint?

Ross Lawrie

Jan 6, 2012, 7:07:04 PM
to ossec...@googlegroups.com
On 12-01-06 03:09 PM, dan (ddp) wrote:
> On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <ro...@riverstyx.net> wrote:
>> Hi,
>>
>> I've been trying to get this to work, but I'm obviously missing
>> something or not understanding something. What I'd like to do is issue an
>> alert to an alternate email address should a file change occur within a
>> particular directory.
>>
>> From my reading, it seemed like the method to do this would be to create
>> a custom rule, and then have an alert based on it in the ossec.conf.
>> Unfortunately nothing seems to be happening...
>>
>> In local_rules.xml I've created a custom rule:
>>
>> <group name="syscheck,">
>> ...
>>   <rule id="100023" level="10">
>>     <description>Change to a custom directory</description>
>>     <match>/home/ross</match>
>>   </rule>
> Does this rule get triggered?

Good question, I hadn't thought to track down the appropriate log file
(alerts.log, right?). It doesn't appear to be triggered; I'm only seeing
the usual (550/554) ids being triggered, for example:

** Alert 1325894109.26688: mail - ossec,syscheck,
2012 Jan 06 15:55:09 myhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/ross/ross-test'
Size changed from '47' to '13'
Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'

Does the match/regex not work against the line containing the file name?
I have other custom rules that seem to work (and that I've disabled as
part of my efforts to get this one to work, just in case they were
conflicting somehow) so I think I've got it in the right place. I've
changed the match/regex to only be against the word 'ross', just to try
and increase my chances, but still no luck.

The working address is also a riverstyx.net address, I've even tried the
same address (since the description identifier and rule-id ought to make
it distinguishable). As noted above though, I'm not seeing it trigger in
the alerts.log, so obviously I've done something wrong with the actual
rule at this point, and the email address isn't even getting a chance to
be an issue at this point.

dan (ddp)

Jan 6, 2012, 7:52:08 PM
to ossec...@googlegroups.com


Crud, I should have mentioned this in the previous email (but I just saw it).

Try:

<rule id="100023" level="10">
  <if_sid>550</if_sid> <!-- This means if rule 550 matches, but the file
                            has /home/ross in it, this rule should be
                            triggered instead -->
  <description>Change to a custom directory</description>
  <match>/home/ross</match>
</rule>

Give that a shot.
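The point in Dan's fix is structural: OSSEC only evaluates a rule once the rule (or group) named in its if_sid/if_group has already matched, so a rule sitting at the top of the tree with only a `<match>` never sees the syscheck event that rule 550 claimed. The script below is an added example, not OSSEC code and not from anyone in this thread: it embeds the first (parent-less) version of rule 100023 and the corrected child version as constructed local_rules.xml fragments, flags any rule in a syscheck group that lacks a parent condition, and cross-checks that every `<rule_id>` listed in an `<email_alerts>` block actually exists in the rules file. The email address in the embedded ossec.conf fragment is a constructed placeholder; ids 550/551/552 are the stock syscheck rules mentioned in this thread.

```python
"""Lint an OSSEC local_rules.xml fragment for rules that can never fire.

Added example for the ossec-list thread on syscheck granular alerting;
not part of OSSEC. Runs offline on the constructed fragments below.
"""
import xml.etree.ElementTree as ET

# Tags that make a rule a child in the OSSEC rule tree; the rule is only
# evaluated after the referenced parent rule/group/level has matched.
PARENT_TAGS = ("if_sid", "if_group", "if_level", "if_matched_sid",
               "if_matched_group", "if_matched_level")
NO_PARENT_MSG = ("syscheck rule has no parent condition; it is never "
                 "evaluated against syscheck events")
DUPLICATE_MSG = "duplicate rule id"

# Constructed fragment: the original, parent-less attempt from the thread.
BROKEN_RULES = """
<group name="syscheck,">
  <rule id="100023" level="10">
    <description>Change to a custom directory</description>
    <match>/home/ross</match>
  </rule>
</group>
"""

# Constructed fragment: the corrected rule, a child of the stock syscheck
# rules 550/551/552 (changed/added/deleted), so it overrides them only when
# the reported path contains /home/ross.
FIXED_RULES = """
<group name="syscheck,">
  <rule id="100023" level="10">
    <if_sid>550,551,552</if_sid>
    <match>/home/ross</match>
    <description>Change to a custom directory</description>
  </rule>
</group>
"""

# Constructed ossec.conf fragment; the address is a placeholder.
OSSEC_CONF = """
<ossec_config>
  <email_alerts>
    <email_to>alerts@example.invalid</email_to>
    <rule_id>100023</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
"""


def _parse_fragment(text):
    # A rules file may carry several top-level <group> elements, so wrap the
    # fragment in a throwaway root to get one well-formed XML document.
    return ET.fromstring("<root>" + text + "</root>")


def lint_rules(rules_xml):
    """Return [(rule_id, message), ...] findings for a rules fragment."""
    findings = []
    seen_ids = set()
    for group in _parse_fragment(rules_xml).iter("group"):
        names = {n.strip() for n in group.get("name", "").split(",") if n.strip()}
        for rule in group.findall("rule"):
            rid = rule.get("id", "?")
            if rid in seen_ids:
                findings.append((rid, DUPLICATE_MSG))
            seen_ids.add(rid)
            has_parent = any(child.tag in PARENT_TAGS for child in rule)
            if "syscheck" in names and not has_parent:
                findings.append((rid, NO_PARENT_MSG))
    return findings


def lint_email_alerts(conf_xml, rules_xml):
    """Return rule ids named in <email_alerts> that no rule in rules_xml defines."""
    defined = {r.get("id") for r in _parse_fragment(rules_xml).iter("rule")}
    missing = []
    for block in _parse_fragment(conf_xml).iter("email_alerts"):
        for rid_el in block.findall("rule_id"):
            for rid in (rid_el.text or "").split(","):
                rid = rid.strip()
                if rid and rid not in defined:
                    missing.append(rid)
    return missing


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, lint_rules(text) or "OK")
    print("email_alerts rule ids not defined:",
          lint_email_alerts(OSSEC_CONF, FIXED_RULES) or "none")
```

Running it reports the parent-less rule as never reachable and passes the corrected one; pointing lint_email_alerts at a rules fragment that lacks 100023 returns that id, which is the other silent failure mode when an `<email_alerts>` block targets a rule that was renumbered or never loaded.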

Ross Lawrie

Jan 7, 2012, 2:13:00 PM
to ossec...@googlegroups.com

Fantastic! I was sure I'd tried this, but obviously I missed something if I did. Works great, thanks very much Dan.


BP9906

Jan 9, 2012, 5:12:04 PM
to ossec-list
I'd recommend using

<if_group>syscheck</if_group>

instead of

<if_sid>550, 551, 552</if_sid>

only to get all your syscheck stuff, but your choice.



On Jan 7, 11:13 am, Ross Lawrie <r...@riverstyx.net> wrote:
> On 2012-01-06, at 4:52 PM, dan (ddp) wrote:
> > On Fri, Jan 6, 2012 at 7:07 PM, Ross Lawrie <r...@riverstyx.net> wrote:
> >> On 12-01-06 03:09 PM, dan (ddp) wrote:

Ross Lawrie

Jan 13, 2012, 6:34:16 PM
to ossec...@googlegroups.com
On 12-01-09 02:12 PM, BP9906 wrote:
> I'd recommend using
>
> <if_group>syscheck</if_group>
>
> instead of
>
> <if_sid>550, 551, 552</if_sid>
>
> only to get all your syscheck stuff, but your choice.

Thanks, the group stuff is great (and I use it) for the overall file
changes, but I was looking to send alerts to another department for only
the files they're concerned with.

Everything is working great now, thanks for everyone's help.
