Hi Dan, rule 100109 is the rule to raise the severity for certain files.

For example (I haven't got my configuration available right now but it looks like this):

  <rule id="100109" level="10">
    <if_sid>550</if_sid>
    <match>for: '/etc/hosts|for: '/etc/services</match>
    <description>Important Unix file changed</description>
  </rule>

Thank you

On Feb 6, 1:57 pm, "dan (ddp)" <[email protected]> wrote:
> On Fri, Feb 3, 2012 at 9:19 AM, alsdks <[email protected]> wrote:
> > Hello again,
> >
> > I followed the steps to configure a rule that will generate a higher
> > severity alert for specific files and noticed that it works for the
> > first change detected but not for the second and beyond. For example
> > the rule triggers successfully for the first syscheck:
> >
> > ** Alert 1328264466.58561: mail - local,syslog,
> > 2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
> > Rule: 100109 (level 10) -> 'Important Unix Services
>
> What is rule 100109?
>
> > configuration file changed '
> > Integrity checksum changed for: '/etc/services'
> >
> > but for the second (and beyond) it does not. Instead:
> >
> > ** Alert 1328269285.160591: mail - ossec,syscheck,
> > 2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
> > Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd
> > time).'
> > Integrity checksum changed for: '/etc/services'
> >
> > I presume that if someone wants to get higher severity alerts for
> > specific files, he would want this to happen at each occurrence. This
> > is the way it should work but in this case it doesn't.
> >
> > I tried to work around it by creating the following rule but with no
> > luck:
> >
> > <rule id="100118" level="10">
> > <if_sid>551</if_sid>
> > <match>for: '/etc/hosts|for: '/etc/services</match>
> > <description>Important Unix file changed again</description>
> > </rule>
> >
> > Any suggestions?
> >
> > Thank you
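As an added example (not code from this thread or from OSSEC itself), here is a small Python parser over the two alert blocks quoted above, plus a constructed third block for an unwatched file, that escalates any syscheck alert on the listed files to level 10 whichever rule (550, 551 or 100109) produced it. The watch list and target level are assumptions mirroring the <match> and level of rule 100109.

```python
import re

# Constructed sample in alerts.log layout: the two blocks quoted in the thread
# plus a third, made-up one for a file outside the watch list.
SAMPLE_ALERTS = """\
** Alert 1328264466.58561: mail - local,syslog,
2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
Rule: 100109 (level 10) -> 'Important Unix Services configuration file changed '
Integrity checksum changed for: '/etc/services'

** Alert 1328269285.160591: mail - ossec,syscheck,
2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/services'

** Alert 1328270000.170001: mail - ossec,syscheck,
2012 Feb 03 13:53:20 (centos) 10.10.10.6->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/log/lastlog'
"""

# Assumed watch list and target level, mirroring the <match> and level="10"
# of the poster's rule 100109.
CRITICAL_FILES = {"/etc/hosts", "/etc/services"}
ESCALATED_LEVEL = 10

RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FILE_RE = re.compile(r"^Integrity checksum changed for: '(?P<path>[^']+)'$")


def parse_alerts(text):
    """Split alerts.log text on blank lines; return one dict per alert with
    rule id, level, description and the changed path (if a syscheck line)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in block.splitlines():
            m = RULE_RE.match(line) or FILE_RE.match(line)
            if m:
                alert.update(m.groupdict())
        if "id" in alert:
            alert["id"], alert["level"] = int(alert["id"]), int(alert["level"])
            alerts.append(alert)
    return alerts


def escalate_critical(alerts):
    """Return (effective_level, alert) for every syscheck alert on a watched
    file, whether rule 550, 551 or the custom 100109 produced it."""
    return [(max(a["level"], ESCALATED_LEVEL), a)
            for a in alerts if a.get("path") in CRITICAL_FILES]
```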
