On Tuesday, 17 December 2013 10:17:37 UTC+1, Georg Schönberger wrote:
>
> Hi there,
>
> is it possible to create an alert only if specific filetypes hit a 
> directory?
> I am testing with an upload directory and I want to generate an alert only 
> if a PHP file is uploaded.
>
> My idea was to realize this with custom rules:
>     <rule id="554" level="5" overwrite="yes">
>         <category>ossec</category>
>         <decoded_as>syscheck_new_entry</decoded_as>
>         <description>File added to the system.</description>
>         <group>syscheck,</group>
>     </rule>
>     <rule id="100554" level="10">
>         <if_sid>554</if_sid>
>         <match>/root/upload/\w+.php</match>
>         <description>New php file in upload folder.</description>
>     </rule>
>     <rule id="100555" level="0">
>         <if_sid>554</if_sid>
>         <match>/root/upload</match>
>         <description>New file in upload folder.</description>
>     </rule>
>
> Is there a better, suggested way to achieve this, or should my solution 
> work?
> Thanks for your help in advance, regards Georg.
>

After testing for a while I have found a working configuration:
</group> <!-- SYSLOG,LOCAL -->
<group name="ossec">
    <!-- Stock rule 554 ships at level 0, i.e. it matches but never alerts.
         Overwriting it with level 5 makes every new file an alert and gives
         the two child rules below something to hook into via if_sid. -->
    <rule id="554" level="5" overwrite="yes">
        <category>ossec</category>
        <decoded_as>syscheck_new_entry</decoded_as>
        <description>File added to the system.</description>
        <group>syscheck,</group>
    </rule>
    <!-- <regex> understands \w and . (<match> does not, which is why the
         first attempt never fired). \. keeps the dot literal and the closing
         quote of the syscheck message ("New file '<path>' added ...") keeps
         names like test.php.bak from matching this rule. -->
    <rule id="100554" level="10">
        <if_sid>554</if_sid>
        <regex>/root/upload/\w+\.php'</regex>
        <description>New php file in upload folder.</description>
    </rule>
    <!-- Child rules are tried in order; anything in the folder that did not
         match the PHP rule lands here. Level 0 would be matched but never
         alerted, so level 1 is the lowest setting that still shows up. -->
    <rule id="100555" level="1">
        <if_sid>554</if_sid>
        <match>/root/upload</match>
        <description>New file in upload folder.</description>
    </rule>
</group>

The alerts are generated as expected:
** Alert 1387276571.4962: mail  - ossec
2013 Dec 17 11:36:11 snoopy->syscheck
Rule: 100554 (level 10) -> 'New php file in upload folder.'
New file '/root/upload/test5.php' added to the file system.

** Alert 1387276573.5161: - ossec
2013 Dec 17 11:36:13 snoopy->syscheck
Rule: 100555 (level 1) -> 'New file in upload folder.'
New file '/root/upload/test6.deb' added to the file system.
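To see why the rule tree above behaves as the alerts show, and where the posted pattern is looser than intended, here is a small emulation of the matching logic. This is an added example written for this page, not OSSEC code or anything from the thread: it models only the pieces the rules use (`<decoded_as>`, `<if_sid>`, `<match>` as a literal substring test, `<regex>` as an OSSEC-style pattern, first matching child wins) and approximates OSSEC's OS_Regex with Python's `re`. The syscheck events, the `TIGHT_RULES` variant and the helper names are constructed for illustration.

```python
"""Emulation of how OSSEC picks a rule for a syscheck 'new file' event.

Added example, not OSSEC's own code.  Only the subset of rule syntax used
in the thread is modelled, and OS_Regex is approximated with Python's re.
"""
import re

# Translate the OS_Regex subset used here into Python re.  In OSSEC, \w is
# A-Z a-z 0-9 '-' '@' '_', \d digits, \s whitespace, an unescaped '.' is any
# character, and ^ $ + * ( | ) keep their usual meaning.
def ossec_regex_to_python(pattern: str) -> str:
    classes = {"w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r"\s"}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(classes.get(nxt, re.escape(nxt)))  # \. -> literal dot
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

# The rules as posted in the working configuration (child order matters).
RULES = [
    {"id": 554, "level": 5, "decoded_as": "syscheck_new_entry"},
    {"id": 100554, "level": 10, "if_sid": 554, "regex": r"/root/upload/\w+.php"},
    {"id": 100555, "level": 1, "if_sid": 554, "match": "/root/upload"},
]

# Same tree with the PHP rule tightened: literal dot, and the closing quote
# of the syscheck message marks the end of the filename (hypothetical variant).
TIGHT_RULES = [
    dict(r, regex=r"/root/upload/\w+\.php'") if r["id"] == 100554 else r
    for r in RULES
]

def rule_matches(rule: dict, event: dict) -> bool:
    if "decoded_as" in rule and event["decoder"] != rule["decoded_as"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:  # literal substring
        return False
    if "regex" in rule and not re.search(ossec_regex_to_python(rule["regex"]), event["log"]):
        return False
    return True

def evaluate(event: dict, rules=RULES):
    """Return (rule_id, level) of the winning rule, or None if nothing matches.

    Parents are tried first; the first child whose if_sid points at a matching
    parent and whose own conditions hold wins, otherwise the parent itself does.
    """
    for parent in (r for r in rules if "if_sid" not in r):
        if not rule_matches(parent, event):
            continue
        for child in (r for r in rules if r.get("if_sid") == parent["id"]):
            if rule_matches(child, event):
                return child["id"], child["level"]
        return parent["id"], parent["level"]
    return None

def syscheck_new_file(path: str) -> dict:
    # Constructed event in the shape of the syscheck message seen in the alerts.
    return {"decoder": "syscheck_new_entry",
            "log": f"New file '{path}' added to the file system."}

if __name__ == "__main__":
    for p in ["/root/upload/test5.php", "/root/upload/test6.deb",
              "/root/upload/test.php.bak", "/etc/passwd"]:
        ev = syscheck_new_file(p)
        print(f"{p:28} posted={evaluate(ev)} tightened={evaluate(ev, TIGHT_RULES)}")
```

Running it reproduces the two alerts from the post (`test5.php` hits 100554 at level 10, `test6.deb` falls through to 100555 at level 1) and shows the gap: because the `.` in `\w+.php` matches any character, a name like `test.php.bak` also fires the level-10 rule under the posted pattern, while the tightened variant sends it to the generic level-1 rule. A file outside the upload folder only matches the overwritten parent 554 at level 5.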
