Hello again,
I followed the steps to configure a rule that will generate a higher
severity alert for specific files and noticed that it works for the
first change detected but not for the second and beyond. For example,
the rule triggers successfully for the first syscheck:
** Alert 1328264466.58561: mail - local,syslog,
2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
Rule: 100109 (level 10) -> 'Important Unix Services configuration file changed'
Integrity checksum changed for: '/etc/services'
but for the second (and beyond) it does not. Instead:
** Alert 1328269285.160591: mail - ossec,syscheck,
2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/services'
I presume that if someone wants to get higher severity alerts for
specific files, he would want this to happen at each occurrence. This
is the way it should work, but in this case it doesn't.
I tried to work around it by creating the following rule, but with no
luck:
<rule id="100118" level="10">
<if_sid>551</if_sid>
<match>for: '/etc/hosts|for: '/etc/services</match>
<description>Important Unix file changed again</description>
</rule>
Any suggestions?
Thank you
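As an added example (not part of the original post or of OSSEC itself), the following script shows the behaviour the poster is after applied downstream of OSSEC: it parses alert records in the mail format quoted above and raises the effective level for a watched file on every occurrence, whether the original rule was the first-change rule or the "changed again" rules 551/552. The alert records are constructed sample input modelled on the two alerts in the post; the third record and the watched-file table are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the alerts quoted in the post.
# The third record (rule 552, an unwatched file) is added for contrast.
SAMPLE_ALERTS = """\
** Alert 1328264466.58561: mail - local,syslog,
2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
Rule: 100109 (level 10) -> 'Important Unix Services configuration file changed'
Integrity checksum changed for: '/etc/services'

** Alert 1328269285.160591: mail - ossec,syscheck,
2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/services'

** Alert 1328270000.170000: mail - ossec,syscheck,
2012 Feb 03 13:53:20 (centos) 10.10.10.6->syscheck
Rule: 552 (level 7) -> 'Integrity checksum changed again (3rd time).'
Integrity checksum changed for: '/var/log/lastlog'
"""

# Assumed policy: files whose every integrity change should be reported at level 10.
WATCHED = {"/etc/hosts": 10, "/etc/services": 10}

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
FILE_RE = re.compile(r"^Integrity checksum changed for: '([^']+)'", re.M)


@dataclass
class Alert:
    rule_id: int
    level: int
    path: str


def parse_alerts(text):
    """Split the mail-format alert log on blank lines and pull out rule id, level and path."""
    alerts = []
    for block in text.strip().split("\n\n"):
        m_rule, m_file = RULE_RE.search(block), FILE_RE.search(block)
        if m_rule and m_file:  # skip non-syscheck alerts that lack a file line
            alerts.append(Alert(int(m_rule.group(1)), int(m_rule.group(2)), m_file.group(1)))
    return alerts


def escalate(alerts, watched=WATCHED):
    """Return (path, rule id, original level, effective level) for each alert.

    A watched file gets its policy level on every change, so the 2nd/3rd-time
    rules (551, 552) no longer drop it back to level 7."""
    return [(a.path, a.rule_id, a.level, max(a.level, watched.get(a.path, a.level)))
            for a in alerts]
```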