On Fri, Feb 3, 2012 at 9:19 AM, alsdks <[email protected]> wrote:
> Hello again,
>
> I followed the steps to configure a rule that will generate a higher
> severity alert for specific files and noticed that it works for the
> first change detected but not for the second and beyond. For example,
> the rule triggers successfully for the first syscheck:
>
>       ** Alert 1328264466.58561: mail  - local,syslog,
>       2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
>       Rule: 100109 (level 10) -> 'Important Unix Services

What is rule 100109?

> configuration file changed '
>       Integrity checksum changed for: '/etc/services'
>
> but for the second (and beyond) it does not. Instead:
>
>      ** Alert 1328269285.160591: mail  - ossec,syscheck,
>      2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
>      Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd
> time).'
>      Integrity checksum changed for: '/etc/services'
>
> I presume that if someone wants to get higher severity alerts for
> specific files, he would want this to happen at each occurrence. This
> is the way it should work, but in this case it doesn't.
>
>
> I tried to work around it by creating the following rule, but with no
> luck:
>
> <rule id="100118" level="10">
>   <if_sid>551</if_sid>
>   <match>for: '/etc/hosts|for: '/etc/services</match>
>   <description>Important Unix file changed again</description>
> </rule>
>
> Any suggestions ?
>
> Thank you
