Custom rule for deleted files


Ronaldo Silva

Jun 14, 2023, 3:05:45 PM
to Wazuh mailing list
Hi Community!

I need an alert whenever a file is deleted in /CA_test and its subfolders.

I am monitoring files created in the /CA_test folder with the following configuration:

<agent_config>
<!-- Shared agent configuration here -->
<syscheck>
<!-- Frequency that syscheck is executed default every 1 min -->
<frequency>60</frequency>
<directories check_all="yes" realtime="yes" report_changes="yes" whodata="yes">/CA_test</directories>
</syscheck>
</agent_config>


and right after that I created the following rule in local_rules.xml:

<group name="syscheck_entry_modified,">
  <rule id="100025" level="10">
    <if_sid>553</if_sid>
    <field name="file">\\CA_test\\</field>
    <description>file deleted in CA_test</description>
    <group>syscheck,syscheck_entry_modified,syscheck_file</group>
  </rule>
</group>

but when I insert the following log in the ruleset test:

2023 Jun 14 14:32:35 (AGENT-TEST) any->syscheck File '/CA_test/test_file.txt' deleted 

it returns:

**Phase 2: Completed decoding.
        No decoder matched.

What am I doing wrong that rule 100025 is not triggered?
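
As an added example (not taken from either post), here is a local_rules.xml rule that fires on deletions under /CA_test on a Linux agent. It assumes the stock Wazuh ruleset, in which rule 553 is the generic "File deleted" FIM rule and the affected path is exposed in the `file` field; in Wazuh regex syntax `\\` stands for a literal backslash, so the original pattern `\\CA_test\\` describes a backslash-delimited (Windows-style) path and cannot match `/CA_test/...`.

```xml
<!-- local_rules.xml: added example, not from the thread.
     Parent rule 553 is the stock Wazuh "File deleted" FIM rule; FIM
     events expose the affected path in the "file" field. -->
<group name="local,syscheck,syscheck_entry_deleted,">

  <!-- Linux agent: the path is slash-delimited. The pattern is anchored
       at the start and left open at the end, so nested paths such as
       /CA_test/a/b/c.txt match as well (subfolders are covered). -->
  <rule id="100025" level="10">
    <if_sid>553</if_sid>
    <field name="file">^/CA_test/</field>
    <description>FIM: file $(file) deleted under /CA_test</description>
    <group>syscheck_file,</group>
  </rule>

</group>
```

The agent sends FIM events to the manager as JSON, not as the human-readable "File ... deleted" line, which is why the ruleset test reports "No decoder matched" for that text; verify the rule by deleting a file under /CA_test on the agent and checking /var/ossec/logs/alerts/alerts.json on the manager for rule id 100025.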
Marcos Darío Buslaiman

Jun 14, 2023, 4:12:57 PM
to Wazuh mailing list
Hi Ronaldo,
Thanks for using Wazuh!
If you need to get alerts when a file is deleted you only need to edit the ossec.conf on the agent and add the directories for monitoring within the <syscheck> block.
Like below:
<directories check_all="yes" report_changes="yes" realtime="yes">/CA_test</directories>

That configuration will report additions, deletions, and checksum changes of the files inside the path and its subfolders.

Here is an example that I have tested on a Windows agent.
This is the configuration that I have added to my ossec.conf on the agent, in the syscheck block:

<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Marcos\Downloads</directories>

Then I restarted the agent, created files and moved them into different subfolders, and I received the following alerts.

Here you will find a proof of concept that is very useful for your case.
And here you will find more information about the File Integrity Monitoring capability, including how to create custom FIM rules.

Please, let me know if you have any doubts or comments.

Regards,
Marcos.