Not receiving alerts for deleted files


Ameya Bhatkal
Aug 6, 2014, 6:16:29 AM
to ossec...@googlegroups.com
Hi Everyone,

I have set up an OSSEC 2.8 Manager using Security Onion 12.04 LTS. The OSSEC client agents have been installed on 6 Windows machines.

I receive alerts for file additions and modifications but not when the monitored files are deleted.

I face the following issues:

Issue 1

The Ossec agent has been configured to monitor folders. If a file within the folder is deleted, then I do not receive any alert. Moreover the client ossec log does not mention that the file is missing or deleted and there is no entry in the alert.log file present in the Ossec Manager.

Issue 2

The OSSEC agent has been configured to monitor specific files. If a file has been deleted, the client ossec log has the following entry:

"2014/08/06 15:31:58 ossec-agent: WARN: Error opening directory: 'C:\Delete check 2/Delete2.conf/': No such file or directory "

But I do not receive any alert that a file has been deleted. The alert.log file present in the Ossec Server does not reflect any such event.

Rule 553 is present in the ossec_rules.xml and has not been tampered with.

Could you kindly help me out with the issue? Any help will be greatly appreciated!

Thanks in advance...

dan (ddp)
Aug 6, 2014, 7:43:00 AM
to ossec...@googlegroups.com
I think there was an issue with deleted files not being reported if you weren't using the realtime option. I also think that was corrected post 2.8.


Michael Starks
Aug 6, 2014, 10:04:23 AM
to ossec...@googlegroups.com
On 2014-08-06 5:16, Ameya Bhatkal wrote:
> Hi Everyone,
>
> I have setup OSSEC 2.8 Manager using Security Onion 12.04 LTS. The
> Ossec Client agents have been installed on 6 Windows machines.
>
> I receive alerts for file additions and modifications but not when the
> monitored files are deleted.

Have you waited for a full syscheck scan to complete before deleting a file?

Ameya Bhatkal
Aug 6, 2014, 11:09:20 AM
to ossec...@googlegroups.com
Hi Dan,

Yes I am using the realtime="yes" option for both the folder as well as specific files.

Hi Michael,

I waited for 3 syscheck scans to complete before attempting to delete files, but the problem still persists!

Ameya Bhatkal
Aug 7, 2014, 6:41:08 AM
to ossec...@googlegroups.com
Hi,

I enabled debug mode on the OSSEC client machine. When I clear the Windows System and Security event logs, the following lines appear in the ossec.log file of the OSSEC client:

2014/08/07 16:00:07 ossec-agent: WARN: Event log cleared: 'System'

2014/08/07 16:00:07 ossec-agent: DEBUG: Attempting to send message to server.

2014/08/07 16:00:07 ossec-agent: DEBUG: Sending message to server: 'ossec: Event log cleared: 'System''

2014/08/07 16:00:11 ossec-agent: DEBUG: Attempting to send message to server.

But when files that are being monitored are deleted, I see the following in the ossec.log of the OSSEC client machine:

15:57:58 ossec-agent: INFO: Starting syscheck scan.

2014/08/07 15:57:58 ossec-agent: DEBUG: Attempting to send message to server.

2014/08/07 15:57:58 ossec-agent: DEBUG: Sending message to server: 'Starting syscheck scan.'

2014/08/07 15:57:58 ossec-agent: DEBUG: Starting os_winreg_check

2014/08/07 15:57:58 ossec-agent: WARN: Error opening directory: 'D:\Delete Check.xls': No such file or directory 

2014/08/07 15:58:18 ossec-agent: INFO: Ending syscheck scan.

2014/08/07 15:58:18 ossec-agent: DEBUG: Attempting to send message to server.

2014/08/07 15:58:18 ossec-agent: DEBUG: Sending info to server (ctime2)...

2014/08/07 15:58:18 ossec-agent: DEBUG: Sending keep alive message.

Hope this helps.

On Wednesday, August 6, 2014 3:46:29 PM UTC+5:30, Ameya Bhatkal wrote:
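
To make the gap visible in the agent log above concrete, here is an added Python example (not part of this thread and not OSSEC code) that parses agent ossec.log lines and lists monitored paths the agent warned were missing without any corresponding message being sent to the manager; that is why nothing reaches alerts.log and rule 553 never fires. The sample log is constructed from the lines quoted in this thread; the function names are my own.

```python
import re

# Constructed sample log, modelled on the agent ossec.log lines quoted in the thread
# (raw string so the Windows path is kept literally).
SAMPLE_LOG = r"""
2014/08/07 15:57:58 ossec-agent: INFO: Starting syscheck scan.
2014/08/07 15:57:58 ossec-agent: DEBUG: Sending message to server: 'Starting syscheck scan.'
2014/08/07 15:57:58 ossec-agent: DEBUG: Starting os_winreg_check
2014/08/07 15:57:58 ossec-agent: WARN: Error opening directory: 'D:\Delete Check.xls': No such file or directory
2014/08/07 15:58:18 ossec-agent: INFO: Ending syscheck scan.
2014/08/07 15:58:18 ossec-agent: DEBUG: Sending info to server (ctime2)...
2014/08/07 16:00:07 ossec-agent: WARN: Event log cleared: 'System'
2014/08/07 16:00:07 ossec-agent: DEBUG: Sending message to server: 'ossec: Event log cleared: 'System''
"""

# Generic agent log line: optional date, time, level, free-text message.
LINE_RE = re.compile(r"^(?:\d{4}/\d{2}/\d{2} )?(\d{2}:\d{2}:\d{2}) ossec-agent: (\w+): (.*)$")
# Syscheck noticing that a monitored path no longer exists (logged locally only).
MISSING_RE = re.compile(r"^Error opening directory: '(.+)': No such file or directory$")
# Debug trace of a payload actually forwarded to the manager.
SENT_RE = re.compile(r"^Sending message to server: '(.*)'$")


def parse(log_text):
    """Yield (time, level, message) for every well-formed agent log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def sent_payloads(log_text):
    """Payloads the agent really sent to the manager, in log order."""
    return [m.group(1) for _, _, msg in parse(log_text) if (m := SENT_RE.match(msg))]


def silent_missing_paths(log_text):
    """Monitored paths warned as missing that never appear in any forwarded payload."""
    sent = sent_payloads(log_text)
    missing = [m.group(1) for _, _, msg in parse(log_text) if (m := MISSING_RE.match(msg))]
    return [p for p in missing if not any(p in s for s in sent)]


if __name__ == "__main__":
    print("sent to manager:", sent_payloads(SAMPLE_LOG))
    print("missing but never reported:", silent_missing_paths(SAMPLE_LOG))
```

Running this over a collected agent log gives a quick check for whether a deletion was at least noticed by syscheck, independent of whether the manager ever produced an alert.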

dan (ddp)
Aug 7, 2014, 1:41:10 PM
to ossec...@googlegroups.com
Look at the commits made after 2.8, see if there was something dealing with this committed. If there was, try that code, see if it helps.


Ameya Bhatkal
Aug 14, 2014, 3:34:26 AM
to ossec...@googlegroups.com
Hi Dan,

Didn't get what you were saying in regards to the "commit" thing! Is it possible for you to elaborate?


On Wednesday, August 6, 2014 3:46:29 PM UTC+5:30, Ameya Bhatkal wrote:

dan (ddp)
Aug 14, 2014, 9:25:05 AM
to ossec...@googlegroups.com
On Thu, Aug 14, 2014 at 3:34 AM, Ameya Bhatkal <ame...@gmail.com> wrote:
> Hi Dan,
>
> Didn't get what you were saying in regards to the "commit" thing! Is it
> possible for you to elaborate?
>

Go here: https://github.com/ossec/ossec-hids/commits/master
Look for something about the topic.

I'm guessing the fixes didn't make it into the code though based on this: https://github.com/ossec/ossec-hids/pull/5