Hi,

I forgot to mention it: you have to enable the output to archives.log. So, in the 
global section of your ossec.conf add:
<logall>yes</logall>

You will see all the events that OSSEC is receiving in archives.log and the 
alerts in alerts.log (only some events generate alerts). It is a good way 
to debug what is happening.

Anyway, the problem is with your rules.

Events:
ossec: output: 'curl http\\//siteA.com/ | grep title | 
sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709  -
ossec: output: 'curl http\\//siteB.com/ | grep title | 
sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252  -

Rules:
<match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
<match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>

You want to capture the pipe (|) of your command with the match expression, 
but inside <match> a pipe means "OR". So, you are saying: match "ossec: 
output: 'curl http://siteA.com/" or "grep title" or "sha1sum". That is the 
reason that the siteB event matches the rule for siteA.

Simplify your match:
<rule id="100001" level="10">
  <if_sid>530</if_sid>
  <match>siteA.com</match>
  <check_diff />
  <description>Change detected on http://siteA.com/.</description>
</rule>
<rule id="100002" level="10">
  <if_sid>530</if_sid>
  <match>siteB.com</match>
  <check_diff />
  <description>Change detected on http://siteB.com/.</description>
</rule>

It should work.

Regards.
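As an added example (not OSSEC's own code and not part of this thread), the Python below models the <match> semantics explained above plus <check_diff />, then replays the two archives.log events quoted in this thread against the original rules and the simplified ones. Assumptions in the model: '^'/'$' act as start/end anchors, the first rule whose <match> hits is the one consulted, the first sighting of a command's output is stored without alerting, and EV_A2 is a constructed later event for siteA.

```python
# Added example (not OSSEC's code, not from the thread): a model of OSSEC
# <match> and <check_diff /> used to replay the two events quoted above.

def ossec_match(pattern: str, event: str) -> bool:
    """<match> model: '|' = OR between plain-substring alternatives; '^'/'$' anchor."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if start else 0:len(alt) - (1 if end else 0)]
        if start and end:
            hit = event == body
        else:
            hit = (event.startswith(body) if start else
                   event.endswith(body) if end else body in event)
        if hit:
            return True
    return False

def full_command_event(command: str, output: str) -> str:
    """Shape of a full_command event as it appears in archives.log."""
    return f"ossec: output: '{command}':\n{output}"

def replay(rules, events):
    """rules: ordered (rule_id, match) pairs. Returns per event the rule id that
    fired, or None. Assumed: the first rule whose <match> hits is the one
    consulted; <check_diff /> fires only when the command output differs from
    the output last stored for that rule (first sighting is stored silently)."""
    last_output = {rule_id: None for rule_id, _ in rules}
    fired = []
    for event in events:
        fired.append(None)
        for rule_id, pattern in rules:
            if ossec_match(pattern, event):
                output = event.split("\n", 1)[1]  # text after "':\n"
                if last_output[rule_id] not in (None, output):
                    fired[-1] = rule_id
                last_output[rule_id] = output
                break
    return fired

# Constructed from the archives.log lines quoted in the thread (same hashes); EV_A2 is invented.
CMD_A = r"curl http\\//siteA.com/ | grep title | sha1sum"
CMD_B = r"curl http\\//siteB.com/ | grep title | sha1sum"
EV_A = full_command_event(CMD_A, "da39a3ee5e6b4b0d3255bfef95601890afd80709  -")
EV_B = full_command_event(CMD_B, "4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252  -")
EV_A2 = full_command_event(CMD_A, "ffffffffffffffffffffffffffffffffffffffff  -")
SCHEDULE = [EV_A, EV_B, EV_A, EV_B, EV_A2]  # the agent alternates the two commands
ORIGINAL_RULES = [(100001, "ossec: output: 'curl http://siteA.com/ | grep title | sha1sum"),
                  (100002, "ossec: output: 'curl http://siteB.com/ | grep title | sha1sum")]
SIMPLIFIED_RULES = [(100001, "siteA.com"), (100002, "siteB.com")]
```

With the original rules, replay() reports 100001 firing on every event after the first, because the stored output keeps flipping between the siteA and siteB hashes; with the simplified rules only the constructed siteA change fires. Note that da39a3ee5e6b4b0d3255bfef95601890afd80709 is the SHA-1 of empty input, so "grep title" printed nothing for siteA and that check would only notice the page starting to contain "title".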

On Friday, August 12, 2016 at 11:41:21 AM UTC+2, Trần Khoa wrote:
>
> Hi Jesus Linares,
>
> Thank you for responding to my stack :). I've checked 
> /var/ossec/logs/archives/archives.log 
> and there is nothing in there, I mean there is no character in the log. 
> I've also reviewed my rules, and there aren't any errors :(.
>
> I've read documents about Localfile using full_command and found this
>
> full_command
>>
>> This format will be the output from the command (as run by root) defined 
>> by command 
>> <http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/index.html#command>.
>>  
>> The entire output will be treated as a *single log*.
>>
>  
> So, do the second results of full_command overwrite the first 
> command results? Or are my rules logically wrong?
>
> Here is my log generated in alert.jsons:
>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":7,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709  -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http\\//siteA.com/ | grep title | sha1sum"}
>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":8,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252  -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http\\//siteB.com | grep title | sha1sum"}
>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":9,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709  -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http\\//siteA.com/ | grep title | sha1sum"}
>
>> {"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":10,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http\\//siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252  -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http\\//siteB.com | grep title | sha1sum"}
>
>  
> Thank you 
> - Have a good day -
>
> On Wednesday, August 10, 2016 at 15:51:49 UTC+7, Jesus Linares wrote:
>>
>> Hi,
>>
>> Review the event generated with the command in 
>> /var/ossec/logs/archives/archives.log. Then, use the binary 
>> /var/ossec/bin/ossec-logtest to review your rules.
>>
>> Regards.
>>
>> On Tuesday, August 9, 2016 at 11:18:10 AM UTC+2, Trần Khoa wrote:
>>>
>>> Hi everyone, 
>>> I have followed the defaced-website detection technique from 
>>> blog.rootshell.be 
>>> <https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/>.
>>> I have used this technique for 2 different domains, but the first rule 
>>> is always triggered. 
>>> I don't know if I'm wrong in the rule configuration or whether there cannot 
>>> be any solution to check 2 sites at the same time?
>>>
>>> Here is my OSSEC configuration:
>>>
>>> In my ossec.conf, I've added 2 <localfile> entries with 2 different domains:
>>>
>>>>   <localfile>
>>>>     <log_format>full_command</log_format>
>>>>     <command>curl http://siteA.com/ | grep title | sha1sum</command>
>>>>     <frequency>5</frequency>
>>>>   </localfile>
>>>
>>>
>>>>   <localfile>
>>>>     <log_format>full_command</log_format>
>>>>     <command>curl http://siteB.com/ | grep title | sha1sum</command>
>>>>     <frequency>5</frequency>
>>>>   </localfile>
>>>
>>>
>>> And in Local_rules, I've defined 2 rules in one group:
>>>
>>>>   <rule id="100001" level="10">
>>>>     <if_sid>530</if_sid>
>>>>     <match>ossec: output: 'curl http://siteA.com/ | grep title | 
>>>> sha1sum</match>
>>>>     <check_diff /> 
>>>>     <description>Change detected on http://siteA.com/.</description>
>>>>   </rule>
>>>>   <rule id="100002" level="10">
>>>>     <if_sid>530</if_sid>
>>>>     <match>ossec: output: 'curl http://siteB.com/ | grep title | 
>>>> sha1sum</match>
>>>>     <check_diff /> 
>>>>     <description>Change detected on http://siteB.com/.</description>
>>>>   </rule>  
>>>
>>>
>>> Thank you
>>>
>>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.