I have set up a rule where one only has the <if_group> and the other only has the <if_sid>, and still neither fires. I have removed all rules except rules_config.xml, ossec_rules.xml, and local_rules.xml to remove all non-syscheck alerts, and guess what ... syscheck isn't alerting on anything! Period. No changes from the standard /etc, /bin, /sbin (for example) are alerting.

Where do I go to figure this issue out? Is there a way to test syscheck other than just making changes to a file and waiting? Please help.

Thanks,
Patrick Swartz

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Cid
Sent: Saturday, August 27, 2011 6:50 AM
To: [email protected]
Subject: Re: [ossec-list] Rule help please

Hi Patrick,

Try using only <if_group> or only <if_sid>, not both. I think that's what is causing the issue.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Aug 26, 2011 at 11:35 AM, Swartz, Patrick H <[email protected]> wrote:
> Hi All,
> I apologize for troubling the list with what I thought was a simple rule, but for the life of me I can't figure out why my rule isn't firing.
>
> I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a Windows client.
> Here is part of my ossec.conf:
>
> <directories realtime="yes" check_all="yes">E:\BlueScreendev_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\EFTPSRefDev</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\BlueScreen_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\ISTS_root</directories>
> <directories realtime="yes" check_all="yes">E:\OLRSDev_Root\MyRT</directories>
> <directories realtime="yes" check_all="yes">E:\OURSDev_Root</directories>
> <directories realtime="yes" check_all="yes">E:\PRSDev_root</directories>
> <directories realtime="yes" check_all="yes">E:\VLRSdev_Root</directories>
>
> And here is the rule that I'm trying to get to work...
>
> <rule id="100724" level="0">
>   <if_group>syscheck</if_group>
>   <if_sid>550, 551, 552, 553, 554</if_sid>
>   <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
>   <description>Testing rule 100724</description>
> </rule>
> <rule id="100725" level="7">
>   <if_sid>100724</if_sid>
>   <description>Changes to Web Files</description>
> </rule>
>
> Using ./syscheck_control -i ### does show that the changes are being noticed, but I am not getting any alerts.
>
> I have another testing rule as suggested from here -- http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/ -- and that works.
>
> Any help would be greatly appreciated as I only dive into OSSEC about every two years and it takes me a while to relearn all that I did previously.
>
> Thanks to all in the group,
>
> Patrick Swartz
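Added example, not from the thread or the OSSEC project: a small Python check that parses a local_rules.xml snippet (constructed here to mirror the rule quoted above), flags any rule that combines <if_group> with <if_sid> (the combination Daniel suggests dropping), and tests the <match> alternatives as plain substrings against sample syscheck lines. The case-sensitive substring behaviour of <match> is an assumption of this script.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the rule from the thread; not the file on the poster's server.
LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="100724" level="0">
    <if_group>syscheck</if_group>
    <if_sid>550, 551, 552, 553, 554</if_sid>
    <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
    <description>Testing rule 100724</description>
  </rule>
  <rule id="100725" level="7">
    <if_sid>100724</if_sid>
    <description>Changes to Web Files</description>
  </rule>
</group>"""

# Parent-selection tags; a rule should normally use one of them, not several.
PARENT_TAGS = ("if_group", "if_sid", "if_level", "if_matched_sid", "if_matched_group")


def lint_rules(xml_text):
    """Return [(rule_id, problem)] for rules that mix several parent selectors."""
    # OSSEC rule files may hold several top-level <group> elements, which is not
    # well-formed XML on its own, so wrap the text in a synthetic root first.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    problems = []
    for rule in root.iter("rule"):
        used = [tag for tag in PARENT_TAGS if rule.find(tag) is not None]
        if len(used) > 1:
            problems.append((rule.get("id"), "mixes " + " and ".join(used)))
    return problems


def match_alternatives(xml_text, rule_id):
    """Split the <match> text of one rule on '|' into its alternatives."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id and rule.find("match") is not None:
            return [alt for alt in rule.find("match").text.split("|") if alt]
    return []


def would_match(alternatives, log_line):
    """Assumed <match> semantics: any alternative present as a plain substring."""
    return any(alt in log_line for alt in alternatives)


if __name__ == "__main__":
    print(lint_rules(LOCAL_RULES))
    alts = match_alternatives(LOCAL_RULES, "100724")
    print(would_match(alts, r"Integrity checksum changed for: 'E:\InetPub\wwwroot\EFTPSRefDev\default.htm'"))
    print(would_match(alts, "Integrity checksum changed for: '/etc/hosts'"))
```

For the real event path, the same match text can be confirmed against a captured syscheck alert line with /var/ossec/bin/ossec-logtest, which prints the rule chain without waiting for a file change.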
