I'd recommend using <if_group>syscheck</if_group> instead of <if_sid>550, 551, 552</if_sid> only to get all your syscheck stuff, but your choice.

On Jan 7, 11:13 am, Ross Lawrie <[email protected]> wrote:
> On 2012-01-06, at 4:52 PM, dan (ddp) wrote:
>> On Fri, Jan 6, 2012 at 7:07 PM, Ross Lawrie <[email protected]> wrote:
>>> On 12-01-06 03:09 PM, dan (ddp) wrote:
>>>> On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> I've been trying to get this to work, but I'm obviously missing
>>>>> something or not understanding something. What I'd like to do is issue an
>>>>> alert to an alternate email address should a file change occur within a
>>>>> particular directory.
>>>>>
>>>>> From my reading, it seemed like the method to do this would be to create
>>>>> a custom rule, and then have an alert based on it in the ossec.conf.
>>>>> Unfortunately nothing seems to be happening...
>>>>>
>>>>> In local_rules.xml I've created a custom rule:
>>>>>
>>>>> <group name="syscheck,">
>>>>> ...
>>>>>   <rule id="100023" level="10">
>>>>>     <description>Change to a custom directory</description>
>>>>>     <match>/home/ross</match>
>>>>>   </rule>
>>>>
>>>> Does this rule get triggered?
>>>
>>> Good question, I hadn't thought to track down the appropriate log file
>>> (alerts.log right?). It doesn't appear to be triggered, I'm only seeing
>>> the usual (550/554) ids being triggered, for example:
>>>
>>> ** Alert 1325894109.26688: mail - ossec,syscheck,
>>> 2012 Jan 06 15:55:09 myhost->syscheck
>>> Rule: 550 (level 7) -> 'Integrity checksum changed.'
>>> Integrity checksum changed for: '/home/ross/ross-test'
>>> Size changed from '47' to '13'
>>> Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
>>> New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
>>> Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
>>> New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'
>>>
>>> Does the match/regex not work against the line containing the file name?
>>> I have other custom rules that seem to work (and that I've disabled as
>>> part of my efforts to get this one to work, just in case they were
>>> conflicting somehow) so I think I've got it in the right place. I've
>>> changed the match/regex to only be against the word 'ross', just to try
>>> and increase my chances, but still no luck.
>>
>> Crud, I should have mentioned this in the previous email (but I just saw
>> it).
>>
>> Try:
>>
>> <rule id="100023" level="10">
>>   <if_sid>550</if_sid> <!-- This means if the rule 550 matches, but
>>                             the file has /home/ross in it this rule should be triggered instead -->
>>   <description>Change to a custom directory</description>
>>   <match>/home/ross</match>
>> </rule>
>>
>> Give that a shot.
>
> Fantastic! I was sure I'd tried this, but obviously I missed something if I
> did. Works great, thanks very much Dan.
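A worked version of both halves of what the thread asks for, as an added example that is not from the thread or from the OSSEC project's own shipped config: the custom rule written as a child of the syscheck rules with <if_group>, as Dan suggests, beside the root-rule form that Ross reported never fired, plus the <email_alerts> block in ossec.conf that routes just that rule to the alternate address. The rule id 100023, the directory /home/ross and the group name are the thread's; the e-mail addresses and SMTP server are assumed placeholders. The reason the root-rule form stays silent is, in my reading of analysisd, that a rule with no <if_sid>/<if_group> and no <category> is only tried against syslog-type events, so a syscheck event (decoder type ossec) never reaches it; as a child of the syscheck rules it is tried once 550 and friends match and replaces them for that path. Treat that explanation as an assumption to verify on your version; the observable fact from the thread is simply that the child form fires and the root form does not.

```xml
<!-- /var/ossec/rules/local_rules.xml  (added example, not the thread's file) -->
<group name="local,syscheck,">

  <!-- Root-rule form from the original post: as reported in the thread, this
       never fires for syscheck events, which keep matching rule 550 instead. -->
  <!--
  <rule id="100023" level="10">
    <description>Change to a custom directory</description>
    <match>/home/ross</match>
  </rule>
  -->

  <!-- Working form: a child of every syscheck rule (550 changed, 551/552
       changed again, 553 deleted, 554 added, ...). if_sid 550,551,552 would
       only cover the "checksum changed" cases and miss the 554 "file added"
       alerts Ross also sees. match is a plain substring test against the
       alert text, i.e. the "Integrity checksum changed for: '...'" line. -->
  <rule id="100023" level="10">
    <if_group>syscheck</if_group>
    <match>/home/ross</match>
    <description>Change to a custom directory</description>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf  (added example; addresses and server assumed) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-alerts@example.org</email_to>   <!-- assumed: the usual recipient -->
    <smtp_server>localhost</smtp_server>            <!-- assumed -->
    <email_from>ossec@example.org</email_from>      <!-- assumed -->
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- rule 100023 is level 10, at or above this threshold, so it is queued
         for mail at all; a lower custom level would need this lowered too -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular alert: a copy of this one rule's alerts goes to the alternate
       address, in addition to the global recipient above -->
  <email_alerts>
    <email_to>ross-files@example.org</email_to>     <!-- assumed: the alternate address -->
    <rule_id>100023</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

Apply with /var/ossec/bin/ossec-control restart, change a file under /home/ross, and grep /var/ossec/logs/alerts/alerts.log for "Rule: 100023" rather than "Rule: 550" for that path; unchanged paths elsewhere should still show 550. Two caveats: local_rules.xml has to be listed in the <rules> section (it is in the stock config, and Ross's other custom rules working confirms it here), and unless the <directories> entry covering /home/ross has realtime="yes", syscheck only notices the change on its next scheduled scan (default <frequency> is 79200 seconds), so an alert that "never comes" may just not have arrived yet.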
