[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

Tue, 26 Jan 2016 21:44:42 -0800 

Yes, that would be an issue. Have you tried not sending the output to a 
file and using the check_diff option on the rules itself?

You could do:

  <localfile>
    <log_format>full_command</log_format>
    <command>iptables -S</command>
    <alias>iptables_status</alias>
    <frequency>3600</frequency>
  </localfile>

And then write a rule to alert on changes:

  <rule id="1001001" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'iptables_status</match>
    <check_diff />
    <description>Iptables changed</description>
  </rule>

See if that works.

thanks,


On Monday, January 25, 2016 at 8:51:31 AM UTC-4, ZaNN wrote:
>
> Hi all,
>
> I have configured a checksum alert in real time that triggers and e-mail 
> alert each time a file is being modified. This file is an output of an 
> iptables command executed in all agents every hour:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>iptables -S  > 
> /var/ossec/active-response/iptables_diff.txt</command>
>     <alias>iptables_status</alias>
>     <frequency>3600</frequency>
>   </localfile>
>
> The problem is that lot of times false positives are received due to size 
> changed *to 0 or from 0*. Not every hour definitely. 
>
> Integrity checksum changed for: 
> '/var/ossec/active-response/iptables_diff.txt'*Size changed from '1089' to 
> '0'*
> What changed:
> 1,20d0
> < -P INPUT DROP
> < -P FORWARD DROP
> < -P OUTPUT ACCEPT
> < -N LOGGING
> < -N OUTPUT-NOLOG
> < -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> < -A INPUT -p icmp -j ACCEPT 
> < -A INPUT -i lo -j ACCEPT 
> < -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j 
> ACCEPT 
> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
> < -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j 
> OUTPUT-NOLOG 
> < -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j 
> OUTPUT-NOLOG 
> < -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG 
> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state 
> NEW -j OUTPUT-NOLOG 
> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state 
> NEW -j OUTPUT-NOLOG 
> Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
> New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
> Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
> New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
>
>
> Integrity checksum changed for: 
> '/var/ossec/active-response/iptables_diff.txt'*Size changed from '0' to 
> '1089'*
> What changed:
> 0a1,20
>
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -N LOGGING
> -N OUTPUT-NOLOG
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A INPUT -p icmp -j ACCEPT 
> -A INPUT -i lo -j ACCEPT 
>
>
>
>  
>
>
> I suspect that this behaviour is related to real time (inotify) and rewrite 
> the file each time the command is executed ( > ). Is there any best practice 
> to avoid this false 
> positives? maybe a delay in real time check? 
>
> Thanks in advance
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to