Hi,

I forgot it: you have to enable the output to archives.log. So, in the global section of your ossec.conf add:

    <logall>yes</logall>

You will see all the events that OSSEC is receiving in archives.log and the alerts in alerts.log (only some events generate alerts). It is a good way to debug what is happening.

Anyway, the problem is with your rules.

Events:

    ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -
    ossec: output: 'curl http\\//siteB.com/ | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -

Rules:

    <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
    <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>

You want to capture the pipe (|) of your command with the match expression, but inside <match> a pipe means "OR". So, you are saying: match "ossec: output: 'curl http://siteA.com/" or "grep title" or "sha1sum". That is the reason that the siteB event matches the rule for siteA.

Simplify your match:

    <rule id="100001" level="10">
      <if_sid>530</if_sid>
      <match>siteA.com</match>
      <check_diff />
      <description>Change detected on http://siteA.com/.</description>
    </rule>

    <rule id="100002" level="10">
      <if_sid>530</if_sid>
      <match>siteB.com</match>
      <check_diff />
      <description>Change detected on http://siteB.com/.</description>
    </rule>

It should work.

Regards.

On Friday, August 12, 2016 at 11:41:21 AM UTC+2, Trần Khoa wrote:
>
> Hi Jesus Linares,
>
> Thank you for responding to my stack :). I've checked
> /var/ossec/logs/archives/archives.log and there is nothing in there, I mean
> there is no character in the log.
> I've also reviewed my rules, and there aren't any errors :(.
>
> I've read the documents about Localfile using full_command and found this:
>
>> full_command
>>
>> This format will be the output from the command (as run by root) defined
>> by command
>> <http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/index.html#command>.
>>
>> The entire output will be treated as a single log.
>
> So, do the second results of full_command overwrite the first command's
> results? Or are my rules wrong in logic?
>
> Here is my log generated in alerts.json:
>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":7,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http\\//siteA.com/ | grep title | sha1sum"}
>>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":8,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http\\//siteB.com | grep title | sha1sum"}
>>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":9,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http\\//siteA.com/ | grep title | sha1sum"}
>>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":10,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http\\//siteB.com | grep title | sha1sum"}
>
> Thank you
> - Have a good day -
>
> At 15:51:49 UTC+7 on Wednesday, 10 August 2016, Jesus Linares wrote:
>>
>> Hi,
>>
>> review the event generated with the command in
>> /var/ossec/logs/archives/archives.log. Then, use the binary
>> /var/ossec/bin/ossec-logtest to review your rules.
>>
>> Regards.
>>
>> On Tuesday, August 9, 2016 at 11:18:10 AM UTC+2, Trần Khoa wrote:
>>>
>>> Hi everyone,
>>> I have followed the detecting defaced websites technique from
>>> blog.rootshell.be
>>> <https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/>.
>>> I have used this technique for 2 different domains, but the first rule
>>> is always triggered.
>>> I don't know if I'm wrong in the rule configuration or if there can't be any
>>> solution to check 2 sites at the same time?
>>>
>>> Here is my configuration of OSSEC:
>>>
>>> In my ossec.conf, I've added 2 <localfile> entries with 2 different domains:
>>>
>>>> <localfile>
>>>>   <log_format>full_command</log_format>
>>>>   <command>curl http://siteA.com/ | grep title | sha1sum</command>
>>>>   <frequency>5</frequency>
>>>> </localfile>
>>>
>>>> <localfile>
>>>>   <log_format>full_command</log_format>
>>>>   <command>curl http://siteB.com/ | grep title | sha1sum</command>
>>>>   <frequency>5</frequency>
>>>> </localfile>
>>>
>>> And in Local_rules, I've defined 2 rules in the one group:
>>>
>>>> <rule id="100001" level="10">
>>>>   <if_sid>530</if_sid>
>>>>   <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
>>>>   <check_diff />
>>>>   <description>Change detected on http://siteA.com/.</description>
>>>> </rule>
>>>> <rule id="100002" level="10">
>>>>   <if_sid>530</if_sid>
>>>>   <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>
>>>>   <check_diff />
>>>>   <description>Change detected on http://siteB.com/.</description>
>>>> </rule>
>>>
>>> Thank you
>>>
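An added example (not code from the thread or from OSSEC itself) that models the pipe-as-OR behaviour Jesus describes: it splits each <match> pattern into alternatives the way OSSEC's simple-regex syntax does and runs both the original and the simplified rules against the two events quoted above. The matcher is a deliberately reduced re-implementation; if_sid, check_diff, escaping and OSSEC's first-match ordering are not modelled.

```python
import xml.etree.ElementTree as ET


def alternatives(pattern: str) -> list[str]:
    """What an OSSEC <match> pattern really ORs together: the pieces between '|'."""
    return [alt.strip() for alt in pattern.split("|") if alt.strip()]


def ossec_match(pattern: str, log: str) -> bool:
    """Simplified model of <match>: any '|'-separated alternative matching as a
    substring fires the rule; '^' and '$' anchor to start and end of the event."""
    for alt in alternatives(pattern):
        body = alt.lstrip("^").rstrip("$")
        if alt.startswith("^") and alt.endswith("$"):
            hit = log == body
        elif alt.startswith("^"):
            hit = log.startswith(body)
        elif alt.endswith("$"):
            hit = log.endswith(body)
        else:
            hit = body in log
        if hit:
            return True
    return False


def firing_rules(rules_xml: str, log: str) -> list[str]:
    """Ids of every rule whose <match> hits the event, in file order.
    Real OSSEC would act on the first of these, which is why the siteB event
    in the thread was reported under rule 100001."""
    root = ET.fromstring(f"<group>{rules_xml}</group>")
    return [r.get("id") for r in root.findall("rule")
            if ossec_match(r.findtext("match", ""), log)]


# Constructed sample events, shaped like the archives.log lines quoted in the thread.
EVENT_A = r"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -"
EVENT_B = r"ossec: output: 'curl http\\//siteB.com/ | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -"

# The original rules: the pipes inside <match> are read as OR, not as the shell pipe.
ORIGINAL_RULES = """
<rule id="100001" level="10"><if_sid>530</if_sid>
  <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match><check_diff /></rule>
<rule id="100002" level="10"><if_sid>530</if_sid>
  <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match><check_diff /></rule>
"""

# The simplified rules from the reply: one distinctive substring per site, no pipe.
FIXED_RULES = """
<rule id="100001" level="10"><if_sid>530</if_sid><match>siteA.com</match><check_diff /></rule>
<rule id="100002" level="10"><if_sid>530</if_sid><match>siteB.com</match><check_diff /></rule>
"""
```

With the original rules both ids fire on either event because the alternative "grep title" is present in every command output; with the simplified rules each event fires exactly one rule.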
