I'm trying to monitor a few websites for changes. I followed some examples
online, other than needing to change http:// to http\// in the match (that's how
it appears in archives.log):
Added to ossec.conf
<localfile>
<log_format>full_command</log_format>
<command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
<frequency>7200</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
<frequency>7200</frequency>
</localfile>
Added to local_rules.xml
<rule id="150013" level="10">
<if_sid>530</if_sid>
<match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum'</match>
<check_diff />
<description>Unruleable blog changed</description>
</rule>
<rule id="150014" level="10">
<if_sid>530</if_sid>
<match>ossec: output: 'wget -o /dev/null -O - http\//www.poxodd.com | sha1sum'</match>
<check_diff />
<description>Poxodd changed</description>
</rule>
It sorta works; however, OSSEC intermixes the command outputs: I'm getting
several alerts for rule 150013 and none for any others. Here's an example
alert where it's comparing two different command outputs:
OSSEC HIDS Notification.
2012 Dec 07 09:07:01
Received From: goonsquad->wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum
Rule: 150013 fired (level 10) -> "Unruleable blog changed"
Portion of the log(s):
ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum':
0175271bf205f54ca1caa09a9b9182146def31a5 -
Previous output:
ossec: output: 'wget -o /dev/null -O - http\//www.poxodd.com | sha1sum':
9506ac8e36f9727c2567d7ee90d117cb557b24d9 -
Perhaps I'm not fully understanding this (from the manual): "Note that we use
the <check_diff /> option. The first time it receives the event, it will store
it in an internal database. Every time it receives the same event, it will compare
against what we have stored and only alert if the output changes."
Maybe I'm not getting what it means by an 'event'?
I think I'll try to work around this for now by creating a shell script to do
all of my checks in one call. I would like to know what's up though, as this
feature is very powerful.
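The single-script workaround mentioned at the end, as an added example that is not part of the original post: one full_command that fetches every site, prints one labelled "URL sha1" line per site, and flags fetch failures explicitly so a network hiccup is not silently hashed as an empty page. It assumes wget and sha1sum are installed; the install path, the script name and the FETCH override variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one command that hashes each
# site and prints "URL <sha1>" on its own line, so OSSEC's full_command gets
# a single combined output per run. Assumed ossec.conf usage:
#   <command>/usr/local/bin/check_sites.sh http://www.poxodd.com http://www.unruleable.org/blog/</command>
# Assumptions: wget and sha1sum are installed; FETCH is a hypothetical override.

# fetch_url URL -> page body on stdout. The default mirrors the wget call in
# the post; FETCH may be set to another command (e.g. FETCH=cat for a local
# file) to run the script offline.
fetch_url() {
    ${FETCH:-wget -o /dev/null -O -} "$1"
}

# site_hash URL -> prints "URL <sha1>" and returns 0; on a fetch failure
# prints "URL FETCH_ERROR" and returns 1, so a transient network error looks
# different from a real content change instead of hashing an empty body.
site_hash() {
    url=$1
    tmp=$(mktemp) || return 1
    if fetch_url "$url" > "$tmp" 2>/dev/null; then
        sum=$(sha1sum < "$tmp" | cut -d' ' -f1)
        printf '%s %s\n' "$url" "$sum"
        rc=0
    else
        printf '%s FETCH_ERROR\n' "$url"
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# monitor URL... -> one line per site; the exit status is the number of
# sites that could not be fetched (0 when every site was hashed).
monitor() {
    failures=0
    for url in "$@"; do
        site_hash "$url" || failures=$((failures + 1))
    done
    return "$failures"
}

# Only run when sites are given on the command line (e.g. from ossec.conf).
[ $# -gt 0 ] && monitor "$@"
```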