Hi there,

Following up on my own question, I am trying to build my own ClamAV
rules, but am having mixed results.  

I've tested all my rules with ossec-logtest, and all seem to be firing
fine on the server.

However, logs from my agent are another thing.  The only rules firing
from logs from my agent are 25507 and 25508.  The others never fire.
Does anyone see any issues with the below setup?


I've added two decoders on the OSSEC server:


<decoder name="clamd">
  <program_name>^clamd</program_name>
</decoder>

<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>



Created the following configuration file:


<!-- 
  -  Unofficial Clamd rules for OSSEC.
  -->


<group name="clamd,freshclam,">
  <rule id="25500" level="0" noalert="1">
    <decoded_as>clamd</decoded_as>
    <description>Grouping of the clamd rules.</description>
  </rule>
  
  <rule id="25506" level="0" noalert="1">
    <decoded_as>freshclam</decoded_as>
    <description>ClamAV database update</description>
  </rule>

  <rule id="25501" level="8">
    <if_sid>25500</if_sid>
    <match>FOUND$</match>
    <description>Virus detected</description>
    <group>virus</group>
  </rule>
  
  <rule id="25502" level="10">
    <if_sid>25500</if_sid>
    <match>^ERROR: </match>
    <description>Clamd error</description>
    <group>virus</group>
  </rule>
  
  <rule id="25503" level="7">
    <if_sid>25500</if_sid>
    <match>^WARNING: </match>
    <description>Clamd warning</description>
    <group>virus</group>
  </rule>
  
  <rule id="25504" level="3">
    <if_sid>25500</if_sid>
    <match>clamd daemon</match>
    <description>Clamd restarted</description>
    <group>virus</group>
  </rule>

  <rule id="25505" level="3">
    <if_sid>25500</if_sid>
    <match>Database modification detected</match>
    <description>Clamd database updated</description>
    <group>virus</group>
  </rule>
  
  <rule id="25507" level="3">
    <if_sid>25506</if_sid>
    <match>ClamAV update process started </match>
    <description>ClamAV database update</description>
    <group>virus</group>
  </rule>

  <rule id="25508" level="3">
    <if_sid>25506</if_sid>
    <match>Database updated </match>
    <description>ClamAV database updated</description>
    <group>virus</group>
  </rule>

</group> <!-- clamd, freshclam -->

<!-- EOF -->

And included the clamd.xml file in the ossec.conf file.


Any tips?

Thanks,

Mike



Mon, 2009-03-16 at 17:35 -0300, Michael Caplan wrote:
> Hi,
> 
> Does OSSEC have a bundled rule(s) that covers clamd logs entries as
> found here http://www.ossec.net/wiki/index.php/ClamAV ?  I'm just not
> finding anything in the OSSEC 2.0 rules.  If not, does anyone know of any
> user contributed rules that covers clamd?
> 
> Thanks,
> 
> Mike
> 
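Added below (example code, not part of the original messages or of OSSEC itself): a small Python model of how the decoders and rules posted above classify syslog lines. The syslog layout, host names and sample lines are constructed, and each rule's match pattern is evaluated with Python's re.search, which behaves the same as OSSEC's match for the simple anchored and literal patterns used in these rules.

```python
import re

# Constructed syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
# The program name is what the decoders' <program_name> patterns are tested against.
SYSLOG_LINE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# decoder name -> <program_name> pattern, as in the post
DECODERS = {"clamd": r"^clamd", "freshclam": r"^freshclam"}

# rule id -> (level, decoded_as, if_sid, match), as in the post; None = not set
RULES = {
    25500: (0, "clamd", None, None),
    25506: (0, "freshclam", None, None),
    25501: (8, None, 25500, r"FOUND$"),
    25502: (10, None, 25500, r"^ERROR: "),
    25503: (7, None, 25500, r"^WARNING: "),
    25504: (3, None, 25500, r"clamd daemon"),
    25505: (3, None, 25500, r"Database modification detected"),
    25507: (3, None, 25506, r"ClamAV update process started "),
    25508: (3, None, 25506, r"Database updated "),
}


def decode(line):
    """Return (decoder_name, message); decoder_name is None when no decoder matches."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None, line
    prog, msg = m.group("prog"), m.group("msg")
    for name, pattern in DECODERS.items():
        if re.search(pattern, prog):
            return name, msg
    return None, msg


def classify(line):
    """Return (rule_id, level) of the most specific rule that fires, or None."""
    decoder, msg = decode(line)
    if decoder is None:
        return None
    # The grouping rule whose <decoded_as> matches fires first; a child rule
    # replaces it when its <if_sid> points at that parent and its <match> hits.
    parent = next(rid for rid, (_, dec, _, _) in RULES.items() if dec == decoder)
    fired = (parent, RULES[parent][0])
    for rid, (level, _, if_sid, pattern) in RULES.items():
        if if_sid == parent and pattern and re.search(pattern, msg):
            fired = (rid, level)
    return fired
```

A line whose program name is not picked up by either decoder fires nothing at all, so comparing the program_name the agent actually forwards against the two <program_name> patterns is a useful first check.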


