Hi all,

I have configured a checksum alert in real time that triggers an e-mail 
alert each time a file is modified. This file is the output of an 
iptables command executed on all agents every hour:

  <localfile>
    <log_format>full_command</log_format>
    <command>iptables -S > /var/ossec/active-response/iptables_diff.txt</command>
    <alias>iptables_status</alias>
    <frequency>3600</frequency>
  </localfile>

The problem is that a lot of times false positives are received due to the size 
changing *to 0 or from 0*. Not every hour definitely. 

Integrity checksum changed for: 
'/var/ossec/active-response/iptables_diff.txt'*Size changed from '1089' to '0'*
What changed:
1,20d0
< -P INPUT DROP
< -P FORWARD DROP
< -P OUTPUT ACCEPT
< -N LOGGING
< -N OUTPUT-NOLOG
< -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
< -A INPUT -p icmp -j ACCEPT 
< -A INPUT -i lo -j ACCEPT 
< -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
< -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
< -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
< -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG 
< -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG 
< -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG 
< -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state NEW -j OUTPUT-NOLOG 
< -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state NEW -j OUTPUT-NOLOG 
Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'


Integrity checksum changed for: 
'/var/ossec/active-response/iptables_diff.txt'*Size changed from '0' to '1089'*
What changed:
0a1,20

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LOGGING
-N OUTPUT-NOLOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 

I suspect that this behaviour is related to real time (inotify) and the rewriting 
of the file each time the command is executed ( > ). Is there any best practice to 
avoid these false positives? Maybe a delay in the real time check? 

Thanks in advance
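One way to avoid the zero-size intermediate state that the alerts above report, as an added example that is not code from the original post or from OSSEC: the command writes to a temporary file which is then renamed over the monitored path, and the file is only replaced when its content actually differs. The target path and `iptables -S` are taken from the post; the helper name `atomic_capture` and the "changed"/"unchanged" output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OSSEC itself.
# Capture a command's output into a syscheck-monitored file without the
# truncate-then-write window that real-time (inotify) monitoring reports as
# "Size changed ... to '0'". Output goes to a temporary file in the same
# directory, is compared with the current file, and only then is renamed
# into place. rename(2) replaces the target in a single step, so the
# monitored path is never observed empty, and an unchanged ruleset never
# touches it at all.
#
# Usage: atomic_capture TARGET COMMAND [ARGS...]
#   e.g. atomic_capture /var/ossec/active-response/iptables_diff.txt iptables -S
# Prints "changed" or "unchanged"; returns non-zero if COMMAND fails, in which
# case TARGET is left untouched (assumed interface of this example).
atomic_capture() {
    target=$1
    shift
    dir=$(dirname "$target")
    # The temp file must live on the same filesystem as the target: a
    # cross-device mv degrades to copy+truncate and would reintroduce the
    # zero-size intermediate state.
    tmp=$(mktemp "$dir/.$(basename "$target").XXXXXX") || return 1
    if ! "$@" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    # Same content as before: discard the temp file, no event on the target.
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f -- "$tmp"
        echo unchanged
        return 0
    fi
    # Content differs: atomic replace, syscheck sees one complete new file.
    mv -f -- "$tmp" "$target" || { rm -f -- "$tmp"; return 1; }
    echo changed
}
```

Because the existing `<command>` already relies on shell redirection, the same `<localfile>` entry can invoke a script built around this function instead of the bare `>`; the only alerts left are then real rule changes, shown with their diff as in the first alert above.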
