On Sun, Dec 16, 2012 at 2:20 PM, orfan <a.ula...@gmail.com> wrote:
> Where does ossec store rootcheck's base?
>

What do you mean by rootcheck's base?

> Thursday, December 13, 2012, 22:18:04 UTC+4, user orfan wrote:
>>
>> ./rootcheck_control -i 004
>>
>> Policy and auditing events for agent 'venus (004) - 10.0.0.3':
>>
>> Resolved events:
>> 2012 Dec 08 03:14:03 (first time detected: 2012 Dec 08 03:14:03)
>> System Audit: System Audit: Possible backdoor. File:
>> /usr/home/www/mysite/htdocs/dumper.php.
>>
>> Outstanding events:
>>
>> 2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)
>> System Audit: System Audit: Web exploits (uncommon file name inside
>> htdocs) - Possible compromise. File: /usr/home/www/mysite/git/.ssh.
>> Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links .
>>
>> 2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
>> System Audit: System Audit: Possible backdoor.
>> File: /usr/home/www/mysite/htdocs/cfg/main.php.
>>
>> 2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
>> System Audit: System Audit: Possible backdoor. File:
>> /usr/home/www/mysite/htdocs/shopz.php.
>>
>> 2012 Dec 13 05:28:53 (first time detected: 2012 Dec 08 03:14:32)
>> System Audit: System Audit: Possible redirector. File:
>> /usr/home/www/mysite/htdocs/.htaccess.
>>
>> 2012 Dec 13 05:34:21 (first time detected: 2012 Dec 08 03:20:37)
>> System Audit: Interface 'igb1' in promiscuous mode.
>>
>> Yes, dates are correct in the alert.log.
>>
>> Version: ossec-hids-server-2.6_2
>>
>>
>> Make sure you have rules for these (I don't have any installations of 2.6 left, and 2.6_2 makes no sense to me).
>>
>>
>> Thursday, December 13, 2012, 18:45:38 UTC+4, user dan (ddpbsd) wrote:
>>>
>>> On Wed, Dec 12, 2012 at 10:07 AM, orfan <a.ul...@gmail.com> wrote:
>>> > Ossec doesn't send messages about system audit events. But I can see the
>>> > events when I run 'rootcheck_control -i XXX'. And there are no records
>>> > about those events in the alert.log file.
>>> > It worked before, I received the email about system audit events from
>>> > ossec. I don't know why it doesn't work now.
>>> >
>>>
>>> Are these entries recent? (I don't have any entries, so I have no idea
>>> what they look like)
>>>
>>> Are you checking the correct dates in the alert.log files?
>>>
>>> What version of OSSEC?
>>>
>>> > Wednesday, December 12, 2012, 1:56:26 UTC+4, user dan (ddpbsd) wrote:
>>> >>
>>> >> On Mon, Dec 10, 2012 at 10:12 AM, orfan <a.ul...@gmail.com> wrote:
>>> >> > I have ossec-hids-server-2.6_2.
>>> >> >
>>> >> > <rule id="509" level="0">
>>> >> >   <category>ossec</category>
>>> >> >   <decoded_as>rootcheck</decoded_as>
>>> >> >   <description>Rootcheck event.</description>
>>> >> >   <group>rootcheck,</group>
>>> >> > </rule>
>>> >> >
>>> >> > Decoded as "rootcheck", but I can't find the rootcheck decoder in
>>> >> > decoder.xml.
>>> >> > Is it normal?
>>> >> >
>>> >> >
>>> >>
>>> >> I believe that decoder is actually coded inside of rootcheck for speed
>>> >> reasons.
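As an added illustration, not part of the thread, here is a small Python parser for the `rootcheck_control -i` output quoted above. It maps each event's first and latest detection timestamps to the daily alert file OSSEC writes them into, which is the practical form of dan's "are you checking the correct dates in the alert.log files?" question. The sample output is constructed from the thread's listing; the `/var/ossec` install base is an assumption.

```python
"""Parse `rootcheck_control -i <id>` output and name the daily alert logs to grep.
The sample text below is constructed from the mailing-list thread, not captured live."""
import re
from datetime import datetime

SAMPLE = """\
Policy and auditing events for agent 'venus (004) - 10.0.0.3':

Resolved events:
2012 Dec 08 03:14:03 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor. File:
/usr/home/www/mysite/htdocs/dumper.php.

Outstanding events:

2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)
System Audit: System Audit: Web exploits (uncommon file name inside
htdocs) - Possible compromise. File: /usr/home/www/mysite/git/.ssh.
Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links .

2012 Dec 13 05:34:21 (first time detected: 2012 Dec 08 03:20:37)
System Audit: Interface 'igb1' in promiscuous mode.
"""

# "2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)"
TS_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                   r"\(first time detected: (\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})\)$")
TS_FMT = "%Y %b %d %H:%M:%S"

def parse_rootcheck(text):
    """Return one dict per event: status, last_seen, first_seen, message (wrapped lines joined)."""
    events, status, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("events:"):                 # "Resolved events:" / "Outstanding events:"
            status, cur = line[:-len(" events:")].lower(), None
            continue
        m = TS_RE.match(line)
        if m:
            cur = {"status": status,
                   "last_seen": datetime.strptime(m.group(1), TS_FMT),
                   "first_seen": datetime.strptime(m.group(2), TS_FMT),
                   "message": ""}
            events.append(cur)
        elif line and cur is not None:
            cur["message"] = (cur["message"] + " " + line).strip()
    return events

def alert_log_path(ts, base="/var/ossec"):
    """Daily alert file OSSEC rotates to, e.g. .../logs/alerts/2012/Dec/ossec-alerts-13.log.
    The base directory is an assumption (default install location)."""
    return f"{base}/logs/alerts/{ts:%Y}/{ts:%b}/ossec-alerts-{ts:%d}.log"

def files_to_check(events):
    """Sorted, de-duplicated alert files covering every first and latest detection."""
    return sorted({alert_log_path(e[k]) for e in events for k in ("first_seen", "last_seen")})
```

Run `files_to_check(parse_rootcheck(SAMPLE))` and grep those files for the rule 509 group to confirm whether the rootcheck events ever reached the alert pipeline.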