Hi Jesus Linares,

Thank you for your help. It really works now :). Besides, thanks to your guide on enabling output to archives.log (<logall>yes</logall>), I can understand the output events clearly :). I've found a command that gets the <title> tag more exactly; I hope it can help others who run into the same problem:

<localfile>
  <log_format>full_command</log_format>
  <command>wget -qO- 'http://siteA.com/' | perl -l -0777 -ne 'print $1 if /\<title.*?>\s*(.*?)\s*\<\/title/si' | sha1sum</command>
  <frequency>300</frequency>
</localfile>

Anyway, my problem is already solved. Thank you, Jesus Linares :D.

- Have a good day -

On Friday, 12 August 2016 at 18:37:18 UTC+7, Jesus Linares wrote:
>
> Hi,
>
> I forgot it, you have to enable the output to archives.log. So, in the global
> section of your ossec.conf add:
> <logall>yes</logall>
>
> You will see all the events that OSSEC is receiving in archives.log and
> the alerts in alerts.log (only some events generate alerts). It is a good
> way to debug what is happening.
>
> Anyway, the problem is with your rules.
>
> Events:
> ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -
> ossec: output: 'curl http\\//siteB.com/ | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -
>
> Rules:
> <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
> <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>
>
> You want to capture the pipe (|) of your command with the match
> expression, but inside <match> a pipe means "OR". So, you are saying: match
> "ossec: output: 'curl http://siteA.com/ or grep title or sha1sum". That
> is the reason that the siteB event matches the rule for siteA.
>
> Simplify your match:
> <rule id="100001" level="10">
>   <if_sid>530</if_sid>
>   <match>siteA.com</match>
>   <check_diff />
>   <description>Change detected on http://siteA.com/.</description>
> </rule>
> <rule id="100002" level="10">
>   <if_sid>530</if_sid>
>   <match>siteB.com</match>
>   <check_diff />
>   <description>Change detected on http://siteB.com/.</description>
> </rule>
>
> It should work.
>
> Regards.
>
> On Friday, August 12, 2016 at 11:41:21 AM UTC+2, Trần Khoa wrote:
>>
>> Hi Jesus Linares,
>>
>> Thank you for responding to my post :). I've checked
>> /var/ossec/logs/archives/archives.log and there is nothing in there, I mean
>> there are no characters in the log. I've also reviewed my rules, and there
>> aren't any errors :(.
>>
>> I've read the documentation about Localfile using full_command and found this:
>>
>>> full_command
>>>
>>> This format will be the output from the command (as run by root) defined
>>> by command
>>> <http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/index.html#command>.
>>>
>>> The entire output will be treated as a single log.
>>
>> So, do the second results of full_command overwrite the first command's
>> results? Or are my rules logically wrong?
>>
>> Here is my log generated in alert.jsons:
>>
>>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":7,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http\\//siteA.com/ | grep title | sha1sum"}
>>>
>>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":8,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http\\//siteB.com | grep title | sha1sum"}
>>>
>>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":9,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http\\//siteA.com/ | grep title | sha1sum"}
>>>
>>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":10,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http\\//siteB.com | grep title | sha1sum"}
>>
>> Thank you
>> - Have a good day -
>>
>> On Wednesday, 10 August 2016 at 15:51:49 UTC+7, Jesus Linares wrote:
>>>
>>> Hi,
>>>
>>> review the event generated with the command in
>>> /var/ossec/logs/archives/archives.log. Then, use the binary
>>> /var/ossec/bin/ossec-logtest to review your rules.
>>>
>>> Regards.
>>>
>>> On Tuesday, August 9, 2016 at 11:18:10 AM UTC+2, Trần Khoa wrote:
>>>>
>>>> Hi everyone,
>>>> I have followed the technique for detecting defaced websites from
>>>> blog.rootshell.be
>>>> <https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/>.
>>>> I have used this technique for 2 different domains, but the first rule
>>>> is always triggered.
>>>> I don't know if I'm wrong in my rule configuration, or if there is no
>>>> way to check 2 sites at the same time?
>>>>
>>>> Here is my OSSEC configuration:
>>>>
>>>> In my ossec.conf, I've added 2 <localfile> entries with 2 different domains:
>>>>
>>>>> <localfile>
>>>>>   <log_format>full_command</log_format>
>>>>>   <command>curl http://siteA.com/ | grep title | sha1sum</command>
>>>>>   <frequency>5</frequency>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>>   <log_format>full_command</log_format>
>>>>>   <command>curl http://siteB.com/ | grep title | sha1sum</command>
>>>>>   <frequency>5</frequency>
>>>>> </localfile>
>>>>
>>>> And in Local_rules, I've defined 2 rules in one group:
>>>>
>>>>> <rule id="100001" level="10">
>>>>>   <if_sid>530</if_sid>
>>>>>   <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
>>>>>   <check_diff />
>>>>>   <description>Change detected on http://siteA.com/.</description>
>>>>> </rule>
>>>>> <rule id="100002" level="10">
>>>>>   <if_sid>530</if_sid>
>>>>>   <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>
>>>>>   <check_diff />
>>>>>   <description>Change detected on http://siteB.com/.</description>
>>>>> </rule>
>>>>
>>>> Thank you
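Jesus's point that a pipe inside <match> is an OR, and why <check_diff /> then fires on every cycle as the siteA and siteB hashes alternate under one rule, as an added Python model that is not OSSEC's code. It assumes a plain substring test per alternative with no ^/$ anchors, first-matching-rule-wins evaluation, and a check_diff that fires when a rule's event differs from the one last stored for it (the first sighting counting as a change); the fifth event's hash is a constructed placeholder.

```python
"""Simplified model of OSSEC <match> and <check_diff /> (added example, not
OSSEC code). Assumptions: <match> splits its pattern on '|' and tests each
piece as a plain substring (no ^/$ anchors); <check_diff /> fires when a
rule's event differs from the last one stored for that rule, the first
sighting counting as a change; the first rule whose pattern matches wins."""

HASH_A = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # from the thread
HASH_B = "4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252"  # from the thread
HASH_A_CHANGED = "0" * 40                             # constructed placeholder


def event(site, digest):
    """Constructed full_command event in the shape seen in the thread (real
    OSSEC escapes the URL differently, which does not change the outcome)."""
    return (f"ossec: output: 'curl http://{site}/ | grep title | sha1sum':\n"
            f"{digest}  -")


# siteA and siteB outputs alternate each cycle; then siteA's title changes.
EVENTS = [event("siteA.com", HASH_A), event("siteB.com", HASH_B),
          event("siteA.com", HASH_A), event("siteB.com", HASH_B),
          event("siteA.com", HASH_A_CHANGED)]

# Original rules: each '|' is an OR, so ' grep title ' alone matches both
# sites' events and rule 100001, evaluated first, always wins.
BROKEN_RULES = [
    (100001, "ossec: output: 'curl http://siteA.com/ | grep title | sha1sum"),
    (100002, "ossec: output: 'curl http://siteB.com/ | grep title | sha1sum"),
]
# Rules from the reply: one distinctive substring per site, no pipes.
FIXED_RULES = [(100001, "siteA.com"), (100002, "siteB.com")]


def ossec_match(pattern, text):
    """'|' inside <match> means OR: any alternative found as a substring hits."""
    return any(alt in text for alt in pattern.split("|"))


def run_rules(rules, events):
    """Run events through the rules in order, keeping check_diff state per
    rule. Returns one (matched_rule_id, alert_fired) tuple per event."""
    last_seen, results = {}, []
    for ev in events:
        hit = next((rid for rid, pat in rules if ossec_match(pat, ev)), None)
        if hit is None:
            results.append((None, False))
            continue
        fired = last_seen.get(hit) != ev  # check_diff: alert only on change
        last_seen[hit] = ev
        results.append((hit, fired))
    return results
```

With the broken rules every event lands on 100001 and the stored output flips between the two hashes, so an alert fires every cycle; with the fixed rules each site keeps its own state and only a real change fires.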