How do I stop syscheck alerts during app updates?


Mihailo Vicanović

Jul 13, 2016, 6:17:37 AM
to Wazuh mailing list
Hi,

First of all I'd like to thank you for Wazuh! You've polished and enhanced OSSEC really good!

Still, I have an issue when I'd like to ignore 550, 553 & 554 (files changed, deleted, added) alerts during a regular application update. I followed these instructions from "How do I stop syscheck alerts during system updates?":

@manager
# Stop the OSSEC processes on the manager
service ossec stop

# Run /var/ossec/bin/syscheck_control -u AGENT_ID. This will clear the syscheck database for the agent, and the next time syscheck runs it will create a new baseline
/var/ossec/bin/syscheck_control -u AGENT_ID

# Start the OSSEC processes on the manager
service ossec start

@agent
# bohoo.php is updated, bohoo_update.php is created from scratch
echo "update 1" >> /app/data/bohoo.php
echo "update 1" >> /app/data/bohoo_update.php

# Once the system update is complete, run a syscheck scan on that agent. The database will be populated with new values, and should not trigger "file modified" alarms.
@manager
/data/ossec/bin/agent_control -r -u AGENT_ID

It showed no 554 or 550 alerts, which made me think I had won the case, but after running @agent /var/ossec/bin/ossec-control restart a high number of 554 alerts is generated (as if all files in the monitored directories were added again, which is not true), which annulled the benefit of the ignored file changes and creations...

Am I doing something wrong here, what has caused this high number of 554s after agent restart? Is there another way to ignore legitimate file changes/insertions/deletions?

Jesus Linares

Jul 13, 2016, 7:13:20 AM
to Wazuh mailing list
Hi Mihailo,

Thanks for your comments. We are working hard to improve OSSEC!

Could you share your ossec.conf? Especially the syscheck section.

Thanks.

Mihailo Vicanović

Jul 13, 2016, 7:40:30 AM
to Wazuh mailing list
Hi Jesus,

We have two ossec.conf files, one for manager and one for agent.

This is ossec.conf from manager:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-not...@MYCOMPANY.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec-not...@MYCOMPANY.com</email_from>
    <jsonout_output>yes</jsonout_output>
  </global>


  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>3600</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
    
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>


    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.x.x.x</white_list>
    <white_list>10.x.x.x</white_list>
  </global>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>9</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
                  

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>    
  </active-response>  

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</ossec_config>

<ossec_config>  <!-- rules global entry -->
  <rules>
    <decoder_dir>etc/ossec_decoders</decoder_dir>
    <decoder_dir>etc/wazuh_decoders</decoder_dir>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>apparmor_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>sysmon_rules.xml</include>
    <include>auditd_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>  <!-- rules global entry -->

Agent ossec.conf:

<agent_config>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>3600</frequency>


    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/app/config</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/app/data,/app/env</directories>
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>9</email_alert_level>
  </alerts>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>


  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

</agent_config>

Jesus Linares

Jul 13, 2016, 10:37:53 AM
to Wazuh mailing list
Hi Mihailo, 

You can ignore legitimate files/directories with the ignore tag (syscheck will not scan these files).

ossec.conf of your agent:
  <syscheck>
    ...
    <ignore>/app/data/bohoo.php</ignore>
    <ignore>/app/data/bohoo_update.php</ignore>
    ...
  </syscheck>


Also, you can silence the alerts for some files/directories (syscheck will scan the directories, but no alert will be generated):

local_rules.xml (manager):
  <rule id="100002" level="0">
    <if_group>syscheck</if_group>
    <regex>for: '/app/data/bohoo\.*.php</regex>
    <description>NO bohoo alert</description>
  </rule>


Do you need to ignore some files forever or just during a specific system update?

I hope it helps.
Regards.


Jesus Linares

Jul 13, 2016, 11:09:05 AM
to Wazuh mailing list
There is no way to "stop" syscheck during an update. The method specified here is a workaround and clears the syscheck database (deleting useful information about files that may not have changed during the update). So, I recommend ignoring files that are changed very often.

Anyway, if you clean the database and run syscheck again, you should not see any alert because:
  • The database is empty, so alerts 550, 551, 552 (changed) and 553 (deleted) will not be fired.
  • The database will be populated with new values, so alert 554 (added) will be fired only if you changed its level to a level greater than 0 (by default it is 0). Did you change the level?

Regards.

Mihailo Vicanović

Jul 13, 2016, 12:15:47 PM
to Wazuh mailing list
Hi Jesus,

The thing is that I have to monitor bohoo.php on a regular basis but ignore changes made to it only during the update/maintenance window (which is not fixed in time). So, adding it to the <ignore> directive or ignoring it via rules isn't an option.

In my OSSEC installation rule 554 is set to level 7, so the large number of alerts is demystified.

Anyhow, thank you for your help, you've cleared up a lot for me. It would be great to implement a feature in OSSEC-Wazuh to ignore 550-554 alerts for user-defined directories/files while doing an update (e.g. syscheck-control -ignore /app/data/ -u AGENT_ID before the update, syscheck-control -unignore /app/data/ -u AGENT_ID after the update - if possible).

Jesus Linares

Jul 13, 2016, 12:29:31 PM
to Wazuh mailing list
Hi Mihailo,

Thanks for the feedback, we will study the case in order to include it in Wazuh ;).

Well, I guess you can solve your issue if you silence rule 554 (overwrite it in local_rules.xml). Usually, this rule is annoying. Also, you can silence it only for that directory.

Thanks.
Regards.
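The per-directory variant described in the two answers above, as an added example (not code from the thread or from the Wazuh/OSSEC project): a child rule in the manager's local_rules.xml that catches the stock syscheck alerts 550-554 only when the alert text names a path under /app/data and drops them to level 0, so nothing is logged or mailed for that directory while every other monitored path keeps its normal alerts. The rule id 100010 is an assumption; any unused id in the 100000-119999 local range works.

```xml
<!-- local_rules.xml on the manager (added example, not from the thread).
     Rule id 100010 is assumed free; 550-554 are the stock syscheck rule
     ids discussed above. A child rule fires instead of its parent, so a
     level-0 child silences the parent for the matching alerts only. -->
<group name="local,syscheck,">

  <rule id="100010" level="0">
    <!-- 550/551/552 = changed, 553 = deleted, 554 = added -->
    <if_sid>550,551,552,553,554</if_sid>
    <!-- <match> is a literal substring test against the alert text, which
         for syscheck contains the quoted path, e.g.
         Integrity checksum changed for: '/app/data/bohoo.php' -->
    <match>/app/data/</match>
    <description>Syscheck change under /app/data suppressed (maintenance window).</description>
    <group>syscheck,maintenance,</group>
  </rule>

</group>
```

Since OSSEC has no maintenance-window switch (as stated above), the manual equivalent of the toggle asked for is to add this rule before the update and remove it afterwards, restarting the manager each time so the rules are reloaded.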