On 12-01-09 02:12 PM, BP9906 wrote:
> I'd recommend using
>
> <if_group>syscheck</if_group>
>
> instead of
>
> <if_sid>550, 551, 552</if_sid>
>
> only to get all your syscheck stuff, but your choice.

Thanks, the group stuff is great (and I use it) for the overall file changes, but I was looking to send alerts to another department for only the files they're concerned with. Everything is working great now, thanks for everyone's help.

> On Jan 7, 11:13 am, Ross Lawrie <[email protected]> wrote:
>> On 2012-01-06, at 4:52 PM, dan (ddp) wrote:
>>
>>> On Fri, Jan 6, 2012 at 7:07 PM, Ross Lawrie <[email protected]> wrote:
>>>> On 12-01-06 03:09 PM, dan (ddp) wrote:
>>>>> On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <[email protected]> wrote:
>>>>>> Hi,
>>>>>> I've been trying to get this to work, but I'm obviously missing
>>>>>> something or not understanding something. What I'd like to do is issue an
>>>>>> alert to an alternate email address should a file change occur within a
>>>>>> particular directory.
>>>>>>
>>>>>> From my reading, it seemed like the method to do this would be to create
>>>>>> a custom rule, and then have an alert based on it in the ossec.conf.
>>>>>> Unfortunately nothing seems to be happening...
>>>>>>
>>>>>> In local_rules.xml I've created a custom rule:
>>>>>>
>>>>>> <group name="syscheck,">
>>>>>> ...
>>>>>> <rule id="100023" level="10">
>>>>>> <description>Change to a custom directory</description>
>>>>>> <match>/home/ross</match>
>>>>>> </rule>
>>>>>
>>>>> Does this rule get triggered?
>>>>
>>>> Good question, I hadn't thought to track down the appropriate log file
>>>> (alerts.log right?). It doesn't appear to be triggered, I'm only seeing
>>>> the usual (550/554) ids being triggered, for example:
>>>>
>>>> ** Alert 1325894109.26688: mail - ossec,syscheck,
>>>> 2012 Jan 06 15:55:09 myhost->syscheck
>>>> Rule: 550 (level 7) -> 'Integrity checksum changed.'
>>>> Integrity checksum changed for: '/home/ross/ross-test'
>>>> Size changed from '47' to '13'
>>>> Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
>>>> New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
>>>> Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
>>>> New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'
>>>>
>>>> Does the match/regex not work against the line containing the file name?
>>>> I have other custom rules that seem to work (and that I've disabled as
>>>> part of my efforts to get this one to work, just in case they were
>>>> conflicting somehow) so I think I've got it in the right place. I've
>>>> changed the match/regex to only be against the word 'ross', just to try
>>>> and increase my chances, but still no luck.
>>>
>>> Crud, I should have mentioned this in the previous email (but I just saw
>>> it).
>>>
>>> Try:
>>>
>>> <rule id="100023" level="10">
>>> <if_sid>550</if_sid> <!-- This means if the rule 550 matches, but
>>> the file has /home/ross in it this rule should be triggered instead -->
>>> <description>Change to a custom directory</description>
>>> <match>/home/ross</match>
>>> </rule>
>>>
>>> Give that a shot.
>>
>> Fantastic! I was sure I'd tried this, but obviously I missed something if I
>> did. Works great, thanks very much Dan.
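Putting the thread's two halves together, as an added example (not code from the thread or from the OSSEC project): the child rule in local_rules.xml, chained to the syscheck rules as BP9906 suggested, plus the granular <email_alerts> block in ossec.conf that sends only that rule to the other department. The recipient address and the trailing slash in the match are my assumptions.

```xml
<!-- local_rules.xml (added example, not from the thread). A rule with only
     <match> and no parent is never reached for syscheck events; it has to be
     a child of the syscheck rules so it fires instead of the generic 550. -->
<group name="local,syscheck,">
  <rule id="100023" level="10">
    <!-- 550/551/552 = checksum changed (1st/2nd/3rd time); 554 (file added)
         could be listed too if the other department wants new files. -->
    <if_sid>550, 551, 552</if_sid>
    <!-- <match> is a substring test on the whole alert text. The trailing
         slash (assumption) keeps /home/rossi/... from matching as well. -->
    <match>/home/ross/</match>
    <description>Change to a custom directory</description>
    <group>custom_dir,</group>
  </rule>
</group>

<!-- ossec.conf (added example). The global <email_notification> / <email_to>
     in <global> still receive every alert at or above the default email
     level; this block only adds an extra recipient for rule 100023.
     The address is a placeholder. -->
<ossec_config>
  <email_alerts>
    <email_to>other-department@example.com</email_to>
    <rule_id>100023</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

After restarting OSSEC, a change under /home/ross/ should appear in alerts.log as Rule 100023 rather than 550, and the extra recipient receives it while the general syscheck stream is unchanged.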
