I'm trying to monitor a few websites for changes. I followed some examples 
online, other than needing to change http:// to http\// in the match (that's how 
it appears in archives.log):


Added to ossec.conf

  <localfile>
    <log_format>full_command</log_format>
    <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
    <frequency>7200</frequency>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
    <frequency>7200</frequency>
  </localfile>



Added to local_rules.xml
   <!-- In an OSSEC <match>, '|' is the OR operator, so a pattern that ends in
        " | sha1sum'" also matches on " sha1sum'" alone, i.e. on the output of
        every one of these commands. Match only the part of the command that
        comes before the pipe. -->
   <rule id="150013" level="10">
     <if_sid>530</if_sid>
     <match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/</match>
     <check_diff />
     <description>Unruleable blog changed</description>
   </rule>


   <rule id="150014" level="10">
     <if_sid>530</if_sid>
     <match>ossec: output: 'wget -o /dev/null -O - http\//www.poxodd.com</match>
     <check_diff />
     <description>Poxodd changed</description>
   </rule>


It sort of works; however, OSSEC intermixes the command outputs: I'm getting 
several alerts for rule 150013 and none for any others. Here's an example 
alert where it's comparing two different command outputs:


OSSEC HIDS Notification.
2012 Dec 07 09:07:00

Received From: goonsquad->wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum
Rule: 150013 fired (level 10) -> "Unruleable blog changed"
Portion of the log(s):

ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum':
0175271bf205f54ca1caa09a9b9182146def31a5  -
Previous output:
ossec: output: 'wget -o /dev/null -O - http\//www.poxodd.com | sha1sum':
9506ac8e36f9727c2567d7ee90d117cb557b24d9  -


Perhaps I'm not fully understanding this (from the manual): "Note that we use 
the <check_diff /> option. The first time it receives the event, it will store it 
in an internal database. Every time it receives the same event, it will compare 
against what we have stored and only alert if the output changes."

Maybe I'm not getting what it meant by an 'event'?

I think I'll try to work around this for now by creating a shell script to do 
all of my checks in one call. I would like to know what's up though, as this 
feature is very powerful.

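The "one shell script for all checks" workaround the post proposes, written out as an added example (not code from the original post or from the OSSEC project). It assumes the script is installed as /var/ossec/bin/check_sites.sh and that OSSEC calls it as a single full_command (the ossec.conf and rule fragments in the header comment are assumed, not from the post); the FETCH override and the two URLs' sample bodies used in testing are constructed for the example. With one command whose string contains no '|' (the OR operator in an OSSEC <match>), a single rule with <check_diff /> compares the whole multi-line output, and the alert's diff shows which URL's line changed. A failed fetch is reported with a marker rather than hashed, because the SHA-1 of an empty body would otherwise register as a real "change" and then flap when the site came back.

```shell
#!/bin/sh
# check_sites.sh: hash several web pages in one OSSEC full_command.
# Added example for this thread, not code from the original post or from OSSEC.
# Assumed wiring (not from the post):
#   ossec.conf:
#     <localfile>
#       <log_format>full_command</log_format>
#       <command>/var/ossec/bin/check_sites.sh</command>
#       <frequency>7200</frequency>
#     </localfile>
#   local_rules.xml:
#     <rule id="150013" level="10">
#       <if_sid>530</if_sid>
#       <match>ossec: output: '/var/ossec/bin/check_sites.sh'</match>
#       <check_diff />
#       <description>Monitored web page changed</description>
#     </rule>
# The command string contains no '|', so the <match> above is unambiguous.

# URLs from the post, one per line. The order is fixed so that check_diff
# compares like with like between runs.
SITES="http://www.poxodd.com
http://www.unruleable.org/blog/"

# fetch_page URL: page body on stdout, non-zero exit on failure.
# wget as in the post, plus a timeout and retry cap so a hung site cannot
# stall the logcollector. FETCH (assumed, for offline testing) overrides it.
fetch_page() {
    if [ -n "${FETCH:-}" ]; then
        "$FETCH" "$1"
    else
        wget -q -T 30 -t 2 -O - "$1"
    fi
}

# hash_page URL: print "<sha1>  <url>". The body goes through a temp file so
# the hash covers the exact bytes (a $(...) capture would strip newlines).
# A failed fetch prints a marker instead of the SHA-1 of an empty body.
hash_page() {
    url=$1
    tmp=$(mktemp) || return 1
    if fetch_page "$url" >"$tmp" 2>/dev/null; then
        printf '%s  %s\n' "$(sha1sum <"$tmp" | cut -d' ' -f1)" "$url"
    else
        printf 'FETCH-FAILED  %s\n' "$url"
    fi
    rm -f "$tmp"
}

# check_sites: one line per site; always exit 0 so OSSEC records the output.
check_sites() {
    printf '%s\n' "$SITES" | while IFS= read -r url; do
        [ -n "$url" ] && hash_page "$url"
    done
    return 0
}

# Run only when executed as the script itself, not when sourced for testing.
case "$0" in
    */check_sites.sh|check_sites.sh) check_sites ;;
esac
```

Because check_diff alerts on any byte of difference, this only stays quiet on pages whose body is stable between fetches; a page that embeds a timestamp, session token or rotating advert will alert every run, and the fix for that is to strip the volatile part (for example with sed) before the sha1sum, not to raise the rule level.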