Sure, all the information I used is here: http://www.ossec.net/dcid/?p=198 http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of x509v3
Sent: Sunday, October 31, 2010 11:21 PM
To: ossec-list
Subject: [ossec-list] Re: Checking Open Ports

Hi -- this is an interesting rule and application of OSSEC. Can you post the changes you needed to make this work?

Thanks,
Bill

On Oct 18, 11:42 am, "Jefferson, Shawn" <[email protected]> wrote:
> Hi! I'm making progress. I believe there was a problem with my
> local_rules.xml file. I had a rule for 530 to overwrite and another for the
> output of netstat at the bottom of my local rules file, and these for some
> reason were not getting processed correctly. I've made some changes there
> and I can see files in my diff directory now!!!!
>
> and, success! I am now receiving alerts for port changes.
>
> Thanks for your help in narrowing this down for me.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, October 18, 2010 11:28 AM
> To: [email protected]
> Subject: Re: [ossec-list] Checking Open Ports
>
> On Mon, Oct 18, 2010 at 2:11 PM, Jefferson, Shawn
> <[email protected]> wrote:
> > Hi,
> >
> > Ok! Getting closer to figuring this out. The full_command data is getting
> > from the client to the server (and being logged in the archives.log file
> > after using the global.logall option.) It looks like the message is NOT
> > being decoded as Rule 530 though.
> >
> > This is from my archives.log:
> >
> > 2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN"
> > ossec: output: 'netstat -an | find "LISTEN"':
> >   TCP    0.0.0.0:135      0.0.0.0:0      LISTENING
> >   TCP    0.0.0.0:443      0.0.0.0:0      LISTENING
> >   TCP    0.0.0.0:445      0.0.0.0:0      LISTENING
> >   TCP    0.0.0.0:1025     0.0.0.0:0      LISTENING
> >   TCP    0.0.0.0:1164     0.0.0.0:0      LISTENING
> >   TCP    0.0.0.0:3389     0.0.0.0:0      LISTENING
> >
> > Pasting the first line into the logtest application gives me this output:
> >
> > 2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find "LISTEN"
> > ossec: output: 'netstat -an | find "LISTEN"':
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an |
> > find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
> >        hostname: 'ossecsvr'
> >        program_name: '(null)'
> >        log: '2010 Oct 18 09:14:29 (SERVER01) 172.1.3.1->netstat -an | find
> > "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > And the rule 530 that is in the ossec_rules.xml file:
> >
> >   <!-- Process monitoring rules -->
> >   <rule id="530" level="0">
> >     <if_sid>500</if_sid>
> >     <match>^ossec: output: </match>
> >     <description>OSSEC process monitoring rules.</description>
> >     <group>process_monitor,</group>
> >   </rule>
>
> I can't do it myself right now, but try pasting everything after the
> '->' into ossec-logtest:
>
> netstat -an | find "LISTEN" ossec: output: 'netstat -an | find "LISTEN"':
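For readers who, like Bill, want the two pieces the thread refers to, here is an added example (not code posted in the thread and not the OSSEC project's own configuration): the agent-side full_command entry that produces the "ossec: output:" events, and a local_rules.xml rule that chains off the stock rule 530 and uses check_diff so that an alert fires only when the list of listening ports changes between runs. The command string is the one in Shawn's archives.log; the rule id 100010, the level 7 and the 600-second frequency are assumptions chosen for illustration.

```xml
<!-- Agent side (ossec.conf on the monitored Windows host). full_command
     ships the whole command output as a single event. The command is the
     one from the thread; the frequency is an assumed value for the example. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an | find "LISTEN"</command>
    <frequency>600</frequency>
  </localfile>
</ossec_config>

<!-- Server side (rules/local_rules.xml). Rule 530 is level 0, so nothing
     alerts unless a child rule matches. Rule id 100010 and level 7 are
     assumptions; ids 100000-119999 are the range reserved for local rules. -->
<group name="local,process_monitor,">
  <rule id="100010" level="7">
    <if_sid>530</if_sid>
    <!-- OSSEC's match syntax uses "|" as an OR separator, so the pattern
         stops just before the pipe in the command; the prefix is still
         specific enough to pick out this command's events. -->
    <match>^ossec: output: 'netstat -an </match>
    <!-- Alert only when the output differs from the last stored copy. -->
    <check_diff />
    <description>Listening ports changed on this host.</description>
  </rule>
</group>
```

Two things follow from how the stock pieces fit together. The "ossec" decoder prematches on the start of the log line, which is why pasting the archives.log header (everything up to and including "->") into ossec-logtest yields "No decoder matched": feed it only the part beginning with "ossec: output:", as dan suggests. And because ossec-logtest treats each line it reads as a separate event, it cannot exercise check_diff on the multi-line netstat output; that part is only visible on the running manager, where the stored copies accumulate under queue/diff/ (the "diff directory" Shawn mentions). If the localfile entry is later moved from the agent's ossec.conf into a centrally pushed agent.conf, note that newer OSSEC agents refuse such commands unless logcollector.remote_commands is enabled in their internal options.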
