Hi everyone,

I have followed the technique for detecting defaced websites from blog.rootshell.be <https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/>. I have used this technique for 2 different domains, but the first rule is always triggered. I don't know if I'm wrong in the rule configuration, or if there cannot be any solution to check 2 sites at the same time?

Here is my OSSEC configuration:

In my ossec.conf, I've added 2 <localfile> entries with 2 different domains:

> <localfile>
>   <log_format>full_command</log_format>
>   <command>curl http://siteA.com/ | grep title | sha1sum</command>
>   <frequency>5</frequency>
> </localfile>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>curl http://siteB.com/ | grep title | sha1sum</command>
>   <frequency>5</frequency>
> </localfile>

And in Local_rules, I've defined 2 rules in one group:

> <rule id="100001" level="10">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
>   <check_diff />
>   <description>Change detected on http://siteA.com/.</description>
> </rule>
> <rule id="100002" level="10">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>
>   <check_diff />
>   <description>Change detected on http://siteB.com/.</description>
> </rule>

Thank you
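Added example, not part of the original post and not OSSEC's own code: OSSEC's `<match>` uses the OS_Match syntax, in which `|` is a logical OR between patterns, so each rule above is really three alternatives and the shared ` grep title ` alternative matches both commands' output. The Python below is a simplified model of that matching run against constructed events; the `siteA-title` / `siteB-title` names are assumed values for the `<alias>` option of `<localfile>`, which replaces the command text in the logged event.

```python
import hashlib

def os_match(pattern, text):
    """Simplified model of OS_Match: '|' separates OR-ed alternatives,
    '^' and '$' anchor an alternative, the rest is a literal substring."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        core = alt[1:] if at_start else alt
        core = core[:-1] if at_end else core
        if at_start and at_end:
            hit = text == core
        elif at_start:
            hit = text.startswith(core)
        elif at_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False

def command_event(label, page_title):
    """Event shaped like full_command output; the title is constructed data."""
    digest = hashlib.sha1(page_title.encode()).hexdigest()
    return f"ossec: output: '{label}':\n{digest}  -"

def matching_rules(rules, event):
    """Return the ids of all rules whose <match> pattern hits the event."""
    return [rule_id for rule_id, pattern in rules.items() if os_match(pattern, event)]

CMD_A = "curl http://siteA.com/ | grep title | sha1sum"
CMD_B = "curl http://siteB.com/ | grep title | sha1sum"

# Patterns exactly as posted: the pipes split each one into three alternatives.
ORIGINAL_RULES = {100001: "ossec: output: '" + CMD_A,
                  100002: "ossec: output: '" + CMD_B}
# Pipe-free patterns, assuming <alias>siteA-title</alias> / <alias>siteB-title</alias>.
ALIAS_RULES = {100001: "ossec: output: 'siteA-title'",
               100002: "ossec: output: 'siteB-title'"}

if __name__ == "__main__":
    title_b = "<title>Site B</title>"  # constructed sample page title
    print("as posted :", matching_rules(ORIGINAL_RULES, command_event(CMD_B, title_b)))
    print("with alias:", matching_rules(ALIAS_RULES, command_event("siteB-title", title_b)))
```

Because rule 100001 matches site B's output as well as site A's, its `check_diff` state sees two different hashes alternating, which is consistent with the first rule firing every time.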
