Can ossec-logtest be used for syscheck rule testing? If so, how?
For example, if I use "../bin/syscheck_control -i 031" and get a listing of
changes like this:
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1c.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1a.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1d.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt
Can I use ossec-logtest on one of those entries?
ossec-testrule: Type one log per line.
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt
**Phase 1: Completed pre-decoding.
full event: '2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt'
hostname: 'sles10ossec'
program_name: '(null)'
log: '2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt'
**Phase 2: Completed decoding.
No decoder matched.
This would lead me to believe that ossec-logtest cannot be used, but I don't
know.
Thank you for any input,
Patrick Swartz
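As an added illustration (not code from the thread or from the OSSEC project), the script below parses the syscheck_control -i listing format quoted above and checks each reported path against the alternatives of rule 100724's <match> value, treating <match> as a plain case-sensitive substring test with '|' as OR; that simplification of OSSEC's matcher, the constructed listing lines and the meaning of the number after the comma are assumptions.

```python
import re

# Constructed sample in the format shown by syscheck_control -i in the thread.
SYSCHECK_LISTING = """\
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1c.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1a.txt
2011 Aug 29 09:13:00,4 - /etc/passwd
"""

# The <match> value from rule 100724 in the thread; '|' separates alternatives.
MATCH_VALUE = ("EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev"
               "|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT"
               "|OURSDev_Root|PRSDev_root|VLRSdev_Root")

# "<timestamp>,<number> - <path>"; the number's meaning is not stated in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}),(?P<n>\d+) - (?P<path>.+)$")


def parse_listing(text):
    """Return (timestamp, number, path) tuples for every well-formed listing line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("ts"), int(m.group("n")), m.group("path")))
    return entries


def match_alternatives(match_value):
    """Split a <match> value on '|' into its non-empty alternatives."""
    return [alt for alt in match_value.split("|") if alt]


def first_hit(path, alternatives):
    """Assumption: <match> is a case-sensitive substring test; return the first hit or None."""
    for alt in alternatives:
        if alt in path:
            return alt
    return None


def classify(text, match_value):
    """Pair each listed path with the <match> alternative that would catch it (or None)."""
    alts = match_alternatives(match_value)
    return [(path, first_hit(path, alts)) for _, _, path in parse_listing(text)]


if __name__ == "__main__":
    for path, hit in classify(SYSCHECK_LISTING, MATCH_VALUE):
        print(f"{path}: {'matched ' + hit if hit else 'no match'}")
```

A path that reports "no match" would not pass the <match> filter even if syscheck recorded the change, which separates a rule-filter problem from a syscheck problem.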
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Swartz, Patrick H
Sent: Sunday, August 28, 2011 8:47 AM
To: [email protected]
Subject: RE: [ossec-list] Rule help please
Update. I removed my local_rules.xml and now am getting syscheck alerts. So,
now I need to figure out what changed from 2.0 to 2.6 in how local_rules are
processed.
I see a long day ahead rewriting my local_rules once I figure out how they work
again.
Patrick Swartz
-----Original Message-----
From: Swartz, Patrick H
Sent: Sunday, August 28, 2011 8:19 AM
To: [email protected]
Subject: RE: [ossec-list] Rule help please
I have set up a rule where one only has the <if_group> and the other only has
the <if_sid> and still neither fire. I have removed all rules except
rules_config.xml, ossec_rules.xml, and local_rules.xml to remove all
non-syscheck alerts, and guess what ... syscheck isn't alerting on anything!
Period. No changes from the standard /etc,/bin,/sbin (for example) are
alerting.
Where do I go to figure this issue out? Is there a way to test syscheck other
than just making changes to a file and waiting?
Please help.
Thanks,
Patrick Swartz
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Daniel Cid
Sent: Saturday, August 27, 2011 6:50 AM
To: [email protected]
Subject: Re: [ossec-list] Rule help please
Hi Patrick,
Try using only <if_group> or only <if_sid>, not both. I think that's
what is causing the issue.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Aug 26, 2011 at 11:35 AM, Swartz, Patrick H
<[email protected]> wrote:
> Hi All,
> I apologize for troubling the list with what I thought was a simple
> rule, but for the life of me I can't figure out why my rule isn't
> firing.
>
> I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a
> Windows client.
> Here is part of my ossec.conf
> <directories realtime="yes" check_all="yes">E:\BlueScreendev_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\EFTPSRefDev</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\BlueScreen_root</directories>
> <directories realtime="yes" check_all="yes">E:\InetPub\wwwroot\ISTS_root</directories>
> <directories realtime="yes" check_all="yes">E:\OLRSDev_Root\MyRT</directories>
> <directories realtime="yes" check_all="yes">E:\OURSDev_Root</directories>
> <directories realtime="yes" check_all="yes">E:\PRSDev_root</directories>
> <directories realtime="yes" check_all="yes">E:\VLRSdev_Root</directories>
>
> And here is the rule that I'm trying to get to work...
> <rule id="100724" level="0">
> <if_group>syscheck</if_group>
> <if_sid>550, 551, 552, 553, 554</if_sid>
> <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
> <description>Testing rule 100724</description>
> </rule>
> <rule id="100725" level="7">
> <if_sid>100724</if_sid>
> <description>Changes to Web Files</description>
> </rule>
>
> Using ./syscheck_control -i ### does show that the changes are being
> noticed, but I am not getting any alerts.
>
> I have another testing rule as suggested from here --
> http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/
> -- and that works.
>
> Any help would be greatly appreciated as I only dive into OSSEC about
> every two years and it takes me a while to relearn all that I did
> previously.
>
> Thanks to all in the group,
>
> Patrick Swartz