Yes, that would be an issue. Have you tried not sending the output to a
file and using the check_diff option on the rules itself?
You could do:
<localfile>
<log_format>full_command</log_format>
<command>iptables -S</command>
<alias>iptables_status</alias>
<frequency>3600</frequency>
</localfile>
And then write a rule to alert on changes:
<rule id="1001001" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'iptables_status</match>
<check_diff />
<description>Iptables changed</description>
</rule>
See if that works.
thanks,
On Monday, January 25, 2016 at 8:51:31 AM UTC-4, ZaNN wrote:
>
> Hi all,
>
> I have configured a checksum alert in real time that triggers and e-mail
> alert each time a file is being modified. This file is an output of an
> iptables command executed in all agents every hour:
>
> <localfile>
> <log_format>full_command</log_format>
> <command>iptables -S >
> /var/ossec/active-response/iptables_diff.txt</command>
> <alias>iptables_status</alias>
> <frequency>3600</frequency>
> </localfile>
>
> The problem is that lot of times false positives are received due to size
> changed *to 0 or from 0*. Not every hour definitely.
>
> Integrity checksum changed for:
> '/var/ossec/active-response/iptables_diff.txt'*Size changed from '1089' to
> '0'*
> What changed:
> 1,20d0
> < -P INPUT DROP
> < -P FORWARD DROP
> < -P OUTPUT ACCEPT
> < -N LOGGING
> < -N OUTPUT-NOLOG
> < -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> < -A INPUT -p icmp -j ACCEPT
> < -A INPUT -i lo -j ACCEPT
> < -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT
> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> < -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j
> OUTPUT-NOLOG
> < -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j
> OUTPUT-NOLOG
> < -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG
> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state
> NEW -j OUTPUT-NOLOG
> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state
> NEW -j OUTPUT-NOLOG
> Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
> New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
> Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
> New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
>
>
> Integrity checksum changed for:
> '/var/ossec/active-response/iptables_diff.txt'*Size changed from '0' to
> '1089'*
> What changed:
> 0a1,20
>
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -N LOGGING
> -N OUTPUT-NOLOG
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
>
>
>
>
>
> I suspect that this behaviour is related to real time (inotify) and rewrite
> the file each time the command is executed ( > ). Is there any best practice
> to avoid this false
> positives? maybe a delay in real time check?
>
> Thanks in advance
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
