Hi, review the event generated with the command in /var/ossec/logs/archives/archives.log. Then, use the binary /var/ossec/bin/ossec-logtest to review your rules.
Regards.

On Tuesday, August 9, 2016 at 11:18:10 AM UTC+2, Trần Khoa wrote:
>
> Hi everyone,
> I have followed the detecting defaced websites technique from blog.rootshell.be
> <https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/>.
> I have used this technique for 2 different domains, but the first rule is
> always triggered.
> I don't know if I'm wrong in the rule configuration or whether there cannot be any
> solution to check 2 sites at the same time?
>
> Here is my configuration of OSSEC:
>
> In my ossec.conf, I've added 2 *<localfile>* with 2 different domains:
>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>curl http://siteA.com/ | grep title | sha1sum</command>
>>   <frequency>5</frequency>
>> </localfile>
>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>curl http://siteB.com/ | grep title | sha1sum</command>
>>   <frequency>5</frequency>
>> </localfile>
>
> And in Local_rules, I've defined 2 rules in one group:
>
>> <rule id="100001" level="10">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
>>   <check_diff />
>>   <description>Change detected on http://siteA.com/.</description>
>> </rule>
>> <rule id="100002" level="10">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>
>>   <check_diff />
>>   <description>Change detected on http://siteB.com/.</description>
>> </rule>
>
> Thank you
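Added example (not from this thread, not OSSEC's own code): a small Python model of how an OSSEC `<match>` pattern is evaluated, used to show why rule 100001 can fire for both sites. It assumes OSSEC's pattern syntax, in which `|` inside `<match>` separates alternatives (OR), and that sibling rules under the same `<if_sid>` are tried in id order with the first match winning. The event lines are constructed in the shape a `full_command` localfile produces in archives.log (`ossec: output: '<command>': <output>`); the hash values are made up. The posted match strings contain `|`, so each of them also matches the ` sha1sum` fragment of the other site's event; a match string cut before the first pipe keeps the two rules apart.

```python
# Model of OSSEC <match> semantics (assumption: '|' separates OR alternatives,
# each alternative is a plain substring test). This is illustrative code,
# not the OSSEC implementation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    rule_id: int
    match: str
    description: str


def ossec_match(pattern: str, log_line: str) -> bool:
    """True if any '|'-separated alternative of the pattern occurs in the line."""
    return any(alt in log_line for alt in pattern.split("|"))


def first_matching_rule(rules: List[Rule], log_line: str) -> Optional[Rule]:
    """Sibling rules are evaluated in id order; the first match is the one that fires."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if ossec_match(rule.match, log_line):
            return rule
    return None


def which_rule_fires(rules: List[Rule], log_line: str) -> Optional[int]:
    rule = first_matching_rule(rules, log_line)
    return rule.rule_id if rule else None


# Match strings exactly as posted: they contain '|' and so become OR patterns.
RULES_AS_POSTED = [
    Rule(100001, "ossec: output: 'curl http://siteA.com/ | grep title | sha1sum",
         "Change detected on http://siteA.com/."),
    Rule(100002, "ossec: output: 'curl http://siteB.com/ | grep title | sha1sum",
         "Change detected on http://siteB.com/."),
]

# Same rules, but matching only the part of the command before the first pipe,
# so no OR alternatives are introduced and each rule is specific to one site.
RULES_FIXED = [
    Rule(100001, "ossec: output: 'curl http://siteA.com/",
         "Change detected on http://siteA.com/."),
    Rule(100002, "ossec: output: 'curl http://siteB.com/",
         "Change detected on http://siteB.com/."),
]

# Constructed events in the full_command log shape; hashes are placeholders.
EVENT_A = ("ossec: output: 'curl http://siteA.com/ | grep title | sha1sum': "
           "0123456789abcdef0123456789abcdef01234567  -")
EVENT_B = ("ossec: output: 'curl http://siteB.com/ | grep title | sha1sum': "
           "89abcdef0123456789abcdef0123456789abcdef  -")


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        for name, event in (("siteA event", EVENT_A), ("siteB event", EVENT_B)):
            print(f"{label:9s} {name}: rule {which_rule_fires(rules, event)} fires")
```

With the rules as posted the model reports rule 100001 for both events, which is the behaviour described in the thread; with the shortened match strings each event selects its own rule. On a real installation the same check is done the way the reply suggests: take the event line from /var/ossec/logs/archives/archives.log and feed it to /var/ossec/bin/ossec-logtest, which prints the rule id that fires.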