Yes sorry, this is the way I have it, just could not remember it now. So this triggers for the 1st time correctly, but when the same file changes a 2nd and 3rd time, the syscheck rules 551 and 552 trigger.
On Tue, Feb 7, 2012 at 1:24 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Feb 7, 2012 at 5:50 AM, alsdks <[email protected]> wrote:
> > Hi Dan,
> >
> > rule 100109 is the rule to raise the severity for certain files.
> >
> > For example (I haven't got my configuration available right now but it
> > looks like this):
> >
> > <rule id="100109" level="10">
> > <if_sid>550</if_sid>
>
> Instead of making new rules for each sid, why not use the syscheck group?
> Something like:
>
> <rule id="SOMETHING" level="LOTS">
> <if_group>syscheck</if_group>
> <match>/etc/services</match>
> <description>/etc/services modified</description>
> </rule>
>
> > <match>for: '/etc/hosts|for: '/etc/services</match>
> > <description>Important Unix file changed</description>
> > </rule>
> >
> >
> > Thank you
> >
> > On Feb 6, 1:57 pm, "dan (ddp)" <[email protected]> wrote:
> >> On Fri, Feb 3, 2012 at 9:19 AM, alsdks <[email protected]> wrote:
> >> > Hello again,
> >>
> >> > I followed the steps to configure a rule that will generate a higher
> >> > severity alert for specific files and noticed that it works for the
> >> > first change detected but not for the second and beyond. For example
> >> > the rule triggers successfully for the first syscheck:
> >>
> >> > ** Alert 1328264466.58561: mail - local,syslog,
> >> > 2012 Feb 03 12:21:06 (centos) 10.10.10.6->syscheck
> >> > Rule: 100109 (level 10) -> 'Important Unix Services
> >>
> >> What is rule 100109?
> >>
> >> > configuration file changed '
> >> > Integrity checksum changed for: '/etc/services'
> >>
> >> > but for the second (and beyond) it does not. Instead:
> >>
> >> > ** Alert 1328269285.160591: mail - ossec,syscheck,
> >> > 2012 Feb 03 13:41:25 (centos) 10.10.10.6->syscheck
> >> > Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd
> >> > time).'
> >> > Integrity checksum changed for: '/etc/services'
> >>
> >> > I presume that if someone wants to get higher severity alerts for
> >> > specific files, he would want this to happen at each occurrence. This
> >> > is the way it should work but in this case it doesn't.
> >>
> >> > I tried to work around it by creating the following rule but with no
> >> > luck:
> >>
> >> > <rule id="100118" level="10">
> >> > <if_sid>551</if_sid>
> >> > <match>for: '/etc/hosts|for: '/etc/services</match>
> >> > <description>Important Unix file changed again</description>
> >> > </rule>
> >>
> >> > Any suggestions?
> >>
> >> > Thank you
>
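As an added illustration (not part of the thread, and not code from either poster), this is what Dan's suggestion looks like written out as a complete local_rules.xml fragment. Keying the rule on the syscheck group instead of on rule 550 makes it fire for the 2nd and 3rd change as well, because rules 551 and 552 carry the same syscheck group, whereas an if_sid on 550 only ever sees the first change. The rule id 100109, level 10 and the two file paths are taken from the thread; the group name and description text are assumptions.

```xml
<!-- /var/ossec/rules/local_rules.xml (assumed location) -->
<group name="local,syscheck,">

  <!-- One rule for all three syscheck change events (550, 551, 552):
       if_group matches on the "syscheck" group they all belong to,
       so the escalation no longer depends on which of the three fired. -->
  <rule id="100109" level="10">
    <if_group>syscheck</if_group>
    <!-- OSSEC <match> is a substring match; '|' separates alternatives.
         The closing quote is kept so '/etc/services' does not also match
         longer paths such as '/etc/services.d/...'. -->
    <match>for: '/etc/hosts'|for: '/etc/services'</match>
    <description>Important Unix file changed (any occurrence)</description>
  </rule>

</group>
```

After restarting OSSEC, the next change to /etc/services should produce an alert for rule 100109 at level 10 rather than the level-7 551/552 alert shown above; the separate if_sid 551 rule (100118) from the thread is then no longer needed.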
