Hi, ideally we would like ossec to check file integrity in real time; if not,
what other options can ossec offer in that respect?

Is there a Syscheck cmd in ossec?

On 5 September 2016 at 17:23, dan (ddp) <[email protected]> wrote:

> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <[email protected]> wrote:
> > > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file,
> > > no alerts fired after adding a file to /home/user_name, which is monitored
> > > by ossec. What are the possible problems?
> >
>
> A syscheck scan probably hasn't run since the file was added (I don't
> think it works with realtime).
> Try running a syscheck scan to see if an alert is created.
>
> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <[email protected]> wrote:
> >> > Using the above cmd, adding a file on a monitored directory, i.e.
> >> > /home/user_name,
> >> >
> >> > nothing is shown on tcpdump,
> >> >
> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
> >> >
> >> >
> >>
> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
> >> So make sure you're listening to the interface the emails should be sent
> >> from.
> >> Did any alerts fire while you were using tcpdump (check
> >> /var/ossec/logs/alerts/alerts.log)?
> >> If not, that'll be a problem.
> >>
> >> >
> >> >
> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected]>
> >> >> wrote:
> >> >> > Hi, could you give me an example of using tcpdump in this case?
> >> >> >
> >> >>
> >> >> tcpdump -nnXxevvs 0 port 25
> >> >>
> >> >> > cheers
> >> >> >
> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]>
> >> >> >> wrote:
> >> >> >> > Hi, since it is a fresh install of ossec, I didn't get any emails.
> >> >> >> > The notification is turned on as
> >> >> >> >
> >> >> >>
> >> >> >> Try using tcpdump (looking for connections to the email server from
> >> >> >> the OSSEC system) or check the maillogs on the email server to
> >> >> >> determine if there is an error when sending.
> >> >> >>
> >> >> >> > <alert_new_files>yes</alert_new_files>
> >> >> >> >
> >> >> >> > in ossec.conf
> >> >> >> >
> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
> >> >> >> >> > Hi, I installed ossec locally on my cloud server, and configured
> >> >> >> >> > ossec.conf as follows. I tried to detect new additions using
> >> >> >> >> > <alert_new_files>yes</alert_new_files>.
> >> >> >> >> >
> >> >> >> >> > <global>
> >> >> >> >> >      <email_notification>yes</email_notification>
> >> >> >> >> >      <email_to>[email protected]</email_to>
> >> >> >> >> >      <smtp_server>ns0.bt.net.</smtp_server>
> >> >> >> >> >      <email_from>[email protected]</email_from>
> >> >> >> >> >    </global>
> >> >> >> >> > <syscheck>
> >> >> >> >> >      <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >> >> >> >      <frequency>79200</frequency>
> >> >> >> >> >      <alert_new_files>yes</alert_new_files>
> >> >> >> >> >
> >> >> >> >> >      <!-- Directories to check  (perform all possible verifications) -->
> >> >> >> >> >      <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >> >> >> >      <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
> >> >> >> >> >      <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
> >> >> >> >> >  </syscheck>
> >> >> >> >> >
> >> >> >> >> > The local_rules.xml is like,
> >> >> >> >> >
> >> >> >> >> >  <group name="local,syslog,">
> >> >> >> >> >
> >> >> >> >> >     <!-- Note that rule id 5711 is defined at the ssh_rules file
> >> >> >> >> >       -  as a ssh failed login. This is just an example
> >> >> >> >> >       -  since ip 1.1.1.1 shouldn't be used anywhere.
> >> >> >> >> >       -  Level 0 means ignore.
> >> >> >> >> >       -->
> >> >> >> >> >     <rule id="100001" level="0">
> >> >> >> >> >       <if_sid>5711</if_sid>
> >> >> >> >> >       <srcip>1.1.1.1</srcip>
> >> >> >> >> >       <description>Example of rule that will ignore sshd </description>
> >> >> >> >> >       <description>failed logins from IP 1.1.1.1.</description>
> >> >> >> >> >     </rule>
> >> >> >> >> >
> >> >> >> >> >     <rule id="554" level="7" overwrite="yes">
> >> >> >> >> >       <category>ossec</category>
> >> >> >> >> >       <decoded_as>syscheck_new_entry</decoded_as>
> >> >> >> >> >       <description>File added to the system.</description>
> >> >> >> >> >       <group>syscheck,</group>
> >> >> >> >> >     </rule>
> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
> >> >> >> >> >
> >> >> >> >> > Now, if I add a file in /home/user_name, there is no email notification
> >> >> >> >> > coming through the SMTP server. I am using smtp.bt.net, using
> >> >> >> >> >
> >> >> >> >> > dig -t mx smtp.bt.net
> >> >> >> >> >
> >> >> >> >> > to get the SMTP server. What are the possible reasons that I am not
> >> >> >> >> > getting the email?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Are you getting emails for other alerts?
> >> >> >> >> Are alerts being triggered for these new files?
> >> >> >> >>
> >> >> >> >> > Many thanks
> >> >> >> >> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
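As an added example that is not part of the thread, a small POSIX shell script that reads an OSSEC alerts.log and separates the three situations the replies above circle around: no alert at all (syscheck has not scanned the file yet), an alert that fired but was not flagged for mail, and an alert that was queued for mail (so the problem is on the SMTP side). The sample log is constructed; the alert block layout and the "mail" header tag are OSSEC's own, and rule 554 is the overridden new-file rule from the ossec.conf/local_rules.xml quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: given an OSSEC alerts.log, report
# whether the rule-554 "new file" alert fired for a path and whether the alert
# header carried the "mail" tag, which shows OSSEC passed it to its mailer.
# Constructed sample alerts.log, two blank-line-separated alert blocks in the
# layout OSSEC writes. Only the first is a new-file alert flagged for mail.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1473092400.1234: mail - ossec,syscheck,
2016 Sep 05 17:40:00 server->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/user_name/newfile.txt' added to the file system.

** Alert 1473092460.5678: - pam,syslog,authentication_success,
2016 Sep 05 17:41:00 server->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  5 17:41:00 server sshd[1234]: pam_unix(sshd:session): session opened for user user_name by (uid=0)
EOF

# check_syscheck_alert LOG PATH: prints "yes"/"no" (alert flagged for mail)
# and returns 0 if a rule-554 alert for PATH exists; otherwise returns 1.
check_syscheck_alert() {
    awk -v p="$2" -v q="'" '
        BEGIN { RS = ""; FS = "\n"; found = 0 }   # one record per alert block
        $0 ~ /Rule: 554 / && index($0, "New file " q p q " added") {
            found = 1
            # Header reads "** Alert <id>: mail - <groups>" when queued for mail
            mail = ($1 ~ /^\*\* Alert [0-9.]+: mail /) ? "yes" : "no"
            print mail
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# diagnose LOG PATH: map the result onto the three cases from the thread.
diagnose() {
    if flag=$(check_syscheck_alert "$1" "$2"); then
        if [ "$flag" = yes ]; then
            echo "alert fired and was queued for mail: check the SMTP path (tcpdump port 25, mail server logs)"
        else
            echo "alert fired but was not flagged for mail: check email_notification and alert level"
        fi
    else
        echo "no syscheck alert for $2: syscheck has not scanned it yet, run a scan"
    fi
}

diagnose "$SAMPLE_LOG" /home/user_name/newfile.txt
diagnose "$SAMPLE_LOG" /home/user_name/other.txt
```

Point it at the real /var/ossec/logs/alerts/alerts.log and the path you added to see which of the three cases applies before looking at the mail server.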
