On Tue, Feb 7, 2012 at 5:50 AM, alsdks <[email protected]> wrote:
> Hi Dan,
>
> rule 100109 is the rule to raise the severity for certain files.
>
> For example (I haven't got my configuration available right now but it
> looks like this):
>
> <rule id="100109" level="10">
>   <if_sid>550</if_sid>

Instead of making new rules for each sid, why not use the syscheck group?
Something like:

<rule id="SOMETHING" level="LOTS">
  <if_group>syscheck</if_group>
  <match>/etc/services</match>
  <description>/etc/services modified</description>
</rule>

>   <match>for: '/etc/hosts|for: '/etc/services</match>
>   <description>Important Unix file changed</description>
> </rule>
>
>
> Thank you
>
> On Feb 6, 1:57 pm, "dan (ddp)" <[email protected]> wrote:
>> On Fri, Feb 3, 2012 at 9:19 AM, alsdks <[email protected]> wrote:
>> > Hello again,
>>
>> > I followed the steps to configure a rule that will generate a higher
>> > severity alert for specific files and noticed that it works for the
>> > first change detected but not for the second and beyond. For example
>> > the rule triggers successfully for the first syscheck:
>>
>> > ** Alert 1328264466.58561: mail - local,syslog,
>> > 2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
>> > Rule: 100109 (level 10) -> 'Important Unix Services
>>
>> What is rule 100109?
>>
>> > configuration file changed '
>> > Integrity checksum changed for: '/etc/services'
>>
>> > but for the second (and beyond) it does not. Instead:
>>
>> > ** Alert 1328269285.160591: mail - ossec,syscheck,
>> > 2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
>> > Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd
>> > time).'
>> > Integrity checksum changed for: '/etc/services'
>>
>> > I presume that if someone wants to get higher severity alerts for
>> > specific files, he would want this to happen at each occurrence. This
>> > is the way it should work but in this case it doesn't.
>>
>> > I tried to work around it by creating the following rule but with no
>> > luck:
>>
>> > <rule id="100118" level="10">
>> >   <if_sid>551</if_sid>
>> >   <match>for: '/etc/hosts|for: '/etc/services</match>
>> >   <description>Important Unix file changed again</description>
>> > </rule>
>>
>> > Any suggestions?
>>
>> > Thank you
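Dan's suggestion written out as a complete local_rules.xml fragment, as an added example that is not code from either poster: one rule keyed on the syscheck group instead of on rule 550, so it also overrides rule 551 and the later repeat-change rules. The rule id 100109, level 10 and the two file paths are taken from the thread; the wrapping group name "local,syslog," is assumed to be the one already used in the local rules file (the first alert in the thread shows those groups).

```xml
<!-- local_rules.xml: raise the severity for a few critical files on every
     syscheck event, not only on the first change. -->
<group name="local,syslog,">

  <!-- The original rule used <if_sid>550</if_sid>, so it could only fire
       for the first checksum change: later changes are reported by rule
       551 (2nd time), 552 (3rd time) and so on, none of which is rule 550.
       All of those rules carry the "syscheck" group (the second alert in
       the thread shows "ossec,syscheck"), so matching on the group covers
       every one of them with a single rule. -->
  <rule id="100109" level="10">
    <if_group>syscheck</if_group>
    <!-- '|' is OR inside an OSSEC <match>; the "for: '" prefix anchors on
         the "Integrity checksum changed for: '/etc/...'" line of the alert -->
    <match>for: '/etc/hosts|for: '/etc/services</match>
    <description>Important Unix file changed</description>
  </rule>

</group>
```

Restart the manager with /var/ossec/bin/ossec-control restart after editing the rules so the new definition is loaded.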
