On Fri, Dec 7, 2012 at 12:22 PM, Brenden Walker <[email protected]> wrote:
> I'm trying to monitor a few websites for changes, I followed some examples
> online other than needing to change http:\\ to http/\\ in the match (that's
> how it appears in archives.log):
>
> Added to ossec.conf
>
> <localfile>
> <log_format>full_command</log_format>
> <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
> <frequency>7200</frequency>
> </localfile>
> <localfile>
> <log_format>full_command</log_format>
> <command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
> <frequency>7200</frequency>
> </localfile>
Use <alias>es to better differentiate between these commands.

> Added to local_rules.xml
> <rule id="150013" level="10">
> <if_sid>530</if_sid>
> <match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum'</match>
> <check_diff />
> <description>Unruleable blog changed</description>
> </rule>
>
> <rule id="150014" level="10">
> <if_sid>530</if_sid>
> <match>ossec: output: 'wget -o /dev/null -O - http\//www.poxodd.com | sha1sum'</match>
> <check_diff />
> <description>Poxodd changed</description>
> </rule>
>
> It sorta works, however ossec intermixes the command outputs, I'm getting
> several alerts for rule 150013 and none for any others. Here's an example
> alert where it's comparing two different command outputs:
>
> OSSEC HIDS Notification.
> 2012 Dec 07 09:07:00SSEC HIDS Notification.
> 2012 Dec 07 09:07:01
>
> Received From: goonsquad->wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum
> Rule: 150013 fired (level 10) -> "Unruleable blog changed"
> Portion of the log(s):
>
> ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum':
> 0175271bf205f54ca1caa09a9b9182146def31a5 -
> Previous output:
> ossec: output: 'wget -o /dev/null -O - http\//www.poxodd.com | sha1sum':
> 9506ac8e36f9727c2567d7ee90d117cb557b24d9 -
>
> Perhaps I'm not fully understanding this (from the manual): Note that we use
> the <check_diff /> option. The first time it receives the event, it will
> store in an internal database. Every time it receives the same event, it will
> compare against what we have stored and only alert if the output changes.
>
> Maybe I'm not getting what it meant by an 'event'?
>
> I think I'll try to work around this for now by creating a shell script to
> do all of my checks in one call. I would like to know what's up though as
> this feature is very powerful.
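To make the <alias> suggestion concrete, here is the same configuration rewritten with aliases. This is an added example, not configuration from the thread; the alias names `poxodd_site` and `unruleable_blog` are chosen here, and it assumes (per the OSSEC localfile documentation for the alias option) that the command output is then logged as `ossec: output: 'alias':` rather than with the full command string, so the <match> in each rule must be changed to the alias as well.

```xml
<!-- ossec.conf: one <localfile> per site, each with a distinct <alias>.
     The alias becomes the identifier OSSEC logs for the output, so the two
     commands no longer share a near-identical, shell-character-laden name. -->
<localfile>
  <log_format>full_command</log_format>
  <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
  <alias>poxodd_site</alias>
  <frequency>7200</frequency>
</localfile>
<localfile>
  <log_format>full_command</log_format>
  <command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
  <alias>unruleable_blog</alias>
  <frequency>7200</frequency>
</localfile>

<!-- local_rules.xml: match on the alias instead of the command text.
     Rule 530 is the OSSEC base rule for command output, as in the thread.
     The colon after the closing quote keeps 'poxodd_site' from matching a
     hypothetical future alias such as 'poxodd_site_staging'. -->
<group name="local,site_monitoring,">
  <rule id="150013" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: 'unruleable_blog':</match>
    <check_diff />
    <description>Unruleable blog changed</description>
  </rule>

  <rule id="150014" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: 'poxodd_site':</match>
    <check_diff />
    <description>Poxodd changed</description>
  </rule>
</group>
```

Two things worth checking after the change: run the agent once and confirm in archives.log that the line really reads `ossec: output: 'poxodd_site':` before trusting the rules, and expect the first cycle with the new match strings to establish a fresh baseline for <check_diff />. Hashing a full page with sha1sum will also fire on every fetch if the page embeds anything dynamic (timestamps, session tokens, rotating ads), so a page that alerts on every run is usually a noisy page rather than a broken rule.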
