On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng <[email protected]> wrote:
> could you show me your ossec.conf and local_rules.xml?
>

This is for one of my servers. Probably not what I'll be testing with though.
ossec.conf:
<ossec_config>
  <!-- Manager/local configuration. In order: mail delivery, database output,
       syscheck (file integrity), rootcheck, active-response whitelist, agent
       listener, alert thresholds, active-response command definitions and
       the local log sources. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <!-- Alerts at or above email_alert_level (7, set in <alerts> below) are
         handed to this SMTP relay. -->
    <smtp_server>192.168.17.9</smtp_server>
    <!-- NOTE(review): the commented-out alternative below contains a literal
         double hyphen inside an XML comment, which strict XML parsers reject.
         Presumably tolerated by OSSEC's own parser since this file is in use,
         but reword it before handing the file to a standard XML tool. -->
    <!--<smtp_server>/usr/bin/msmtp -v --timeout 20 -f
"[email protected]" -t</smtp_server>-->
    <!-- NOTE(review): the sender has no routable domain; some relays reject
         such envelope senders. Confirm the relay above accepts it. -->
    <email_from>ossecm@earth</email_from>
  </global>

  <!-- Database output (ossec-dbd). NOTE(review): this password was pasted
       into a public mailing-list post; treat it as exposed and rotate it,
       and redact this section in future pastes. -->
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossecuser</username>
    <password>TGmmxNsh5TNrKTy8</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <!-- Keep alerting on files that change repeatedly rather than
         auto-suppressing them after a few changes. -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Only this path is watched in realtime; the others are covered by the
         scheduled scan alone. NOTE(review): alert_new_files is not set in
         this block, so with the default (no) newly created files are not
         reported at all; whether realtime mode reports new files is exactly
         what the thread below is trying to establish, so confirm it on the
         version in use. -->
    <directories check_all="yes" realtime="yes">/var/test</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <!-- Presumably carried over from the stock template; harmless on a
         Linux host since none of these paths exist. -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <!-- Rootcheck reference files: the first two are known rootkit and trojan
       signatures, the system_audit entries are policy/CIS checks. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- Second <global> block: addresses that active response must never
       block. Presumably includes the SMTP relay (192.168.17.9) so that a
       triggered response cannot cut off alert mail. -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.17.17</white_list>
    <white_list>192.168.17.9</white_list>
    <white_list>192.168.18.1</white_list>
  </global>

  <!-- Listen for encrypted (secure) agent traffic. -->
  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <!-- Level 1 and above goes to alerts.log; level 7 and above is also
         e-mailed. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Active-response command definitions. NOTE(review): no <active-response>
       block binds any of these to a rule, group or level in this file, so as
       pasted they are declared but never triggered, unless bound in a file
       not shown here. timeout_allowed="yes" lets a binding set a timeout
       after which the action is reverted. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <!-- Empty: this command takes no argument from the alert. -->
    <expect></expect>
  </command>


  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <!-- NOTE(review): nginx logs are read with the apache log_format; confirm
       the stock web decoders match the log format nginx is configured with. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

  <!-- Periodic command output. command: each output line is a separate
       event; full_command: the whole output is one event, typically paired
       with check_diff rules so that only changes (new listening sockets,
       new logins) raise an alert. -->
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</ossec_config>

<ossec_config>  <!-- rules global entry -->
  <rules>
    <!-- Decoders and rules are loaded from directories; the long per-file
         include list is kept commented out for reference only. -->
    <!--<decoder>etc/decoder.xml</decoder>-->
    <decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
    <include>rules_config.xml</include>
    <!--
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>apparmor_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>sysmon_rules.xml</include>
    <include>opensmtpd_rules.xml</include>
    -->
    <!-- NOTE(review): rule_dir loads every file matching the pattern, so
         local_rules.xml is only picked up if it lives in rules/rules.d (its
         explicit include below is commented out). Its overwrite="yes" and
         if_sid rules depend on the stock rule files being loaded first;
         confirm the load order puts local_rules.xml after them. -->
    <rule_dir pattern=".xml$">rules/rules.d</rule_dir>
    <!--<include>local_rules.xml</include>-->
</rules>
</ossec_config>  <!-- rules global entry -->

local_rules.xml:
<!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $

  -  Example of local rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->


<!-- Modify it at your will. -->

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>


  <!-- This example will ignore ssh failed logins for the user name XYZABC.
    -->
  <!--
  <rule id="100020" level="0">
    <if_sid>5711</if_sid>
    <user>XYZABC</user>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins for user XYZABC.</description>
  </rule>
  -->


  <!-- Specify here a list of rules to ignore. -->
  <!--
  <rule id="100030" level="0">
    <if_sid>12345, 23456, xyz, abc</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>
  -->

  <!-- Test rule: any log line beginning with "TEST TEST TEST" fires at
       level 10. That is above the email_alert_level of 7 in the ossec.conf
       above, so it also produces an e-mail, which makes it a convenient
       end-to-end check of the mail path. Remove or lower it once that is
       confirmed. -->
  <rule id="700007" level="10">
    <match>^TEST TEST TEST</match>
    <description>test test test</description>
    <group>test,</group>
  </rule>


  <!-- collectd noise. 710001 matches every collectd message at level 0
       (ignore). The two children below are also level 0, so as written they
       do not change the outcome; everything from collectd is already
       silenced by the parent. They only record which messages prompted the
       rule. The nsd (7110xx) and ngircd (7120xx) rules follow the same
       pattern. -->
  <rule id="710001" level="0">
    <program_name>^collectd</program_name>
    <description>collectd collected.</description>
  </rule>

  <rule id="710002" level="0">
    <if_sid>710001</if_sid>
    <match>illegal attempt to update using time</match>
    <description>Ignore collectd time issues.</description>
  </rule>

  <rule id="710003" level="0">
    <if_sid>710001</if_sid>
    <match>uc_update: Value too old: name</match>
    <description>ignore collectd valu eerror.</description>
  </rule>

  <rule id="711001" level="0">
    <program_name>^nsd</program_name>
    <description>nsd grouping.</description>
  </rule>

  <rule id="711002" level="0">
    <if_sid>711001</if_sid>
    <match>failed reading from </match>
    <description>nsd connection failed.</description>
  </rule>

  <rule id="712001" level="0">
    <program_name>^ngircd</program_name>
    <description>ngircd grouping.</description>
  </rule>

  <rule id="712002" level="0">
    <if_sid>712001</if_sid>
    <match>Shutting down connection</match>
    <description>ngircd shutting down connection.</description>
  </rule>

  <rule id="712003" level="0">
    <if_sid>712001</if_sid>
    <match>Client unregistered</match>
    <description>ngircd client unregistered.</description>
  </rule>

  <!-- Overrides stock rule 1003: changes (presumably raises) the maximum
       accepted syslog line length to 4096 bytes before the level 13
       "size too large" alert fires. overwrite="yes" requires the file that
       defines 1003 to have been loaded before this one. -->
  <rule id="1003" level="13" maxsize="4096" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->



> On 6 September 2016 at 14:17, Daiyue Weng <[email protected]> wrote:
>>
>> This is what I did,
>>
>> 1. restart ossec
>>
>> 2. running `ps auxww | grep ossec-execd`, execd is already running.
>>
>> 3. add an empty file in /home/user_name
>>
>> 4. running /var/ossec/bin/agent_control -r -u 000
>>
>> 5. checking alerts.log, no file addition log was shown.
>>
>> I am using Arch Linux.
>>
>> On 6 September 2016 at 12:23, dan (ddp) <[email protected]> wrote:
>>>
>>> On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng <[email protected]> wrote:
>>> > thanks, how to enable active response in ossec.conf?
>>> >
>>>
>>> If it's disabled, delete that block. If it's not disabled, it should
>>> be running (`ps auxww | grep ossec-execd`)
>>>
>>> > On 6 September 2016 at 12:15, dan (ddp) <[email protected]> wrote:
>>> >>
>>> >> On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng <[email protected]>
>>> >> wrote:
>>> >> > Could you elaborate the steps you went through? How does it work?
>>> >> >
>>> >>
>>> >> Make sure active response is enabled.
>>> >> run:
>>> >> /var/ossec/bin/agent_control -r -u 000
>>> >>
>>> >> Wait.
>>> >>
>>> >> > On 6 September 2016 at 12:12, dan (ddp) <[email protected]> wrote:
>>> >> >>
>>> >> >> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <[email protected]> wrote:
>>> >> >> > On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <[email protected]>
>>> >> >> > wrote:
>>> >> >> >> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <[email protected]>
>>> >> >> >> wrote:
>>> >> >> >>>
>>> >> >> >>> since I am running local-ossec, so agent_control doesn't do any
>>> >> >> >>> good
>>> >> >> >>> here?
>>> >> >> >>>
>>> >> >> >>
>>> >> >> >> I'll install a local instance and try it out for you. I'll
>>> >> >> >> report
>>> >> >> >> back
>>> >> >> >> shortly.
>>> >> >> >>
>>> >> >> >
>>> >> >> > Not positive, but it doesn't look like it's working. I'm not
>>> >> >> > keeping
>>> >> >> > it around for another try.
>>> >> >> > You may just have to restart the syscheckd process.
>>> >> >> >
>>> >> >>
>>> >> >> It does look like this might be working, just had to have execd
>>> >> >> running and have a bit more patience.
>>> >> >>
>>> >> >> >>> On 5 September 2016 at 17:43, dan (ddp) <[email protected]>
>>> >> >> >>> wrote:
>>> >> >> >>>>
>>> >> >> >>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng
>>> >> >> >>>> <[email protected]>
>>> >> >> >>>> wrote:
>>> >> >> >>>> > Hi, ideally we like ossec to check file integrity in real
>>> >> >> >>>> > time,
>>> >> >> >>>> > if
>>> >> >> >>>> > not,
>>> >> >> >>>> > what
>>> >> >> >>>> > are the other options ossec can offer in that aspect?
>>> >> >> >>>> >
>>> >> >> >>>>
>>> >> >> >>>> It will do some things in real time, not all. I think it
>>> >> >> >>>> should be
>>> >> >> >>>> a
>>> >> >> >>>> fairly simple code change to add new files to the realtime
>>> >> >> >>>> options,
>>> >> >> >>>> but I've never really looked into it.
>>> >> >> >>>>
>>> >> >> >>>> > Is there a Syscheck cmd in ossec?
>>> >> >> >>>> >
>>> >> >> >>>>
>>> >> >> >>>> # /var/ossec/bin/agent_control -h
>>> >> >> >>>>
>>> >> >> >>>> OSSEC HIDS agent_control: Control remote agents.
>>> >> >> >>>> Available options:
>>> >> >> >>>>         -h          This help message.
>>> >> >> >>>>         -l          List available (active or not) agents.
>>> >> >> >>>>         -lc         List active agents.
>>> >> >> >>>>         -i <id>     Extracts information from an agent.
>>> >> >> >>>>         -R <id>     Restarts agent.
>>> >> >> >>>>         -r -a       Runs the integrity/rootkit checking on all
>>> >> >> >>>> agents
>>> >> >> >>>> now.
>>> >> >> >>>>         -r -u <id>  Runs the integrity/rootkit checking on one
>>> >> >> >>>> agent
>>> >> >> >>>> now.
>>> >> >> >>>>
>>> >> >> >>>>         -b <ip>     Blocks the specified ip address.
>>> >> >> >>>>         -f <ar>     Used with -b, specifies which response to
>>> >> >> >>>> run.
>>> >> >> >>>>         -L          List available active responses.
>>> >> >> >>>>         -s          Changes the output to CSV (comma
>>> >> >> >>>> delimited).
>>> >> >> >>>>
>>> >> >> >>>>
>>> >> >> >>>> > On 5 September 2016 at 17:23, dan (ddp) <[email protected]>
>>> >> >> >>>> > wrote:
>>> >> >> >>>> >>
>>> >> >> >>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng
>>> >> >> >>>> >> <[email protected]>
>>> >> >> >>>> >> wrote:
>>> >> >> >>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the
>>> >> >> >>>> >> > addition
>>> >> >> >>>> >> > of
>>> >> >> >>>> >> > the
>>> >> >> >>>> >> > file,
>>> >> >> >>>> >> > no alerts fired after adding a file to /home/user_name,
>>> >> >> >>>> >> > which
>>> >> >> >>>> >> > is
>>> >> >> >>>> >> > monitored
>>> >> >> >>>> >> > by ossec. What are the possible problems?
>>> >> >> >>>> >> >
>>> >> >> >>>> >>
>>> >> >> >>>> >> A syscheck scan probably hasn't run since the file was
>>> >> >> >>>> >> added (I
>>> >> >> >>>> >> don't
>>> >> >> >>>> >> think it works with realtime).
>>> >> >> >>>> >> Try running a syscheck scan to see if an alert is created.
>>> >> >> >>>> >>
>>> >> >> >>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd)
>>> >> >> >>>> >> > wrote:
>>> >> >> >>>> >> >>
>>> >> >> >>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng
>>> >> >> >>>> >> >> <[email protected]>
>>> >> >> >>>> >> >> wrote:
>>> >> >> >>>> >> >> > Using the above cmd, adding a file on a monitored
>>> >> >> >>>> >> >> > directory,
>>> >> >> >>>> >> >> > i.e.
>>> >> >> >>>> >> >> > /home/user_name,
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >> > nothing is shown on tcpdump,
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB
>>> >> >> >>>> >> >> > (Ethernet),
>>> >> >> >>>> >> >> > capture
>>> >> >> >>>> >> >> > size
>>> >> >> >>>> >> >> > 262144 bytes
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >>
>>> >> >> >>>> >> >> You can use "-i INTERFACE_NAME" to change the interface
>>> >> >> >>>> >> >> it
>>> >> >> >>>> >> >> listens
>>> >> >> >>>> >> >> on.
>>> >> >> >>>> >> >> So make sure you're listening to the interface the
>>> >> >> >>>> >> >> emails
>>> >> >> >>>> >> >> should be
>>> >> >> >>>> >> >> sent
>>> >> >> >>>> >> >> from.
>>> >> >> >>>> >> >> Did any alerts fire while you were using tcpdump (check
>>> >> >> >>>> >> >> /var/ossec/logs/alerts/alerts.log).
>>> >> >> >>>> >> >> If not, that'll be a problem.
>>> >> >> >>>> >> >>
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan
>>> >> >> >>>> >> >> > (ddpbsd)
>>> >> >> >>>> >> >> > wrote:
>>> >> >> >>>> >> >> >>
>>> >> >> >>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng
>>> >> >> >>>> >> >> >> <[email protected]>
>>> >> >> >>>> >> >> >> wrote:
>>> >> >> >>>> >> >> >> > Hi, could you give me an example of using tcpdump
>>> >> >> >>>> >> >> >> > in
>>> >> >> >>>> >> >> >> > this
>>> >> >> >>>> >> >> >> > case?
>>> >> >> >>>> >> >> >> >
>>> >> >> >>>> >> >> >>
>>> >> >> >>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>>> >> >> >>>> >> >> >>
>>> >> >> >>>> >> >> >> > cheers
>>> >> >> >>>> >> >> >> >
>>> >> >> >>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan
>>> >> >> >>>> >> >> >> > (ddpbsd)
>>> >> >> >>>> >> >> >> > wrote:
>>> >> >> >>>> >> >> >> >>
>>> >> >> >>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng
>>> >> >> >>>> >> >> >> >> <[email protected]>
>>> >> >> >>>> >> >> >> >> wrote:
>>> >> >> >>>> >> >> >> >> > Hi, since it is a fresh install of ossec, so I
>>> >> >> >>>> >> >> >> >> > didn't
>>> >> >> >>>> >> >> >> >> > get
>>> >> >> >>>> >> >> >> >> > any
>>> >> >> >>>> >> >> >> >> > emails.
>>> >> >> >>>> >> >> >> >> > The
>>> >> >> >>>> >> >> >> >> > notification is turned on as
>>> >> >> >>>> >> >> >> >> >
>>> >> >> >>>> >> >> >> >>
>>> >> >> >>>> >> >> >> >> Try using tcpdump (looking for connections to the
>>> >> >> >>>> >> >> >> >> email
>>> >> >> >>>> >> >> >> >> server
>>> >> >> >>>> >> >> >> >> from
>>> >> >> >>>> >> >> >> >> the OSSEC system)
>>> >> >> >>>> >> >> >> >>  or check the maillogs on the email server to
>>> >> >> >>>> >> >> >> >> determine
>>> >> >> >>>> >> >> >> >> if
>>> >> >> >>>> >> >> >> >> there
>>> >> >> >>>> >> >> >> >> is
>>> >> >> >>>> >> >> >> >> an
>>> >> >> >>>> >> >> >> >> error when sending.
>>> >> >> >>>> >> >> >> >>
>>> >> >> >>>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
>>> >> >> >>>> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> > in ossec.conf
>>> >> >> >>>> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan
>>> >> >> >>>> >> >> >> >> > (ddpbsd)
>>> >> >> >>>> >> >> >> >> > wrote:
>>> >> >> >>>> >> >> >> >> >>
>>> >> >> >>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng
>>> >> >> >>>> >> >> >> >> >> <[email protected]>
>>> >> >> >>>> >> >> >> >> >> wrote:
>>> >> >> >>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud
>>> >> >> >>>> >> >> >> >> >> > server,
>>> >> >> >>>> >> >> >> >> >> > and
>>> >> >> >>>> >> >> >> >> >> > configure
>>> >> >> >>>> >> >> >> >> >> > ossec.conf
>>> >> >> >>>> >> >> >> >> >> > as
>>> >> >> >>>> >> >> >> >> >> > follows, I tried to detect new additions
>>> >> >> >>>> >> >> >> >> >> > using
>>> >> >> >>>> >> >> >> >> >> > <alert_new_files>yes</alert_new_files>.
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > <global>
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > <email_notification>yes</email_notification>
>>> >> >> >>>> >> >> >> >> >> >      <email_to>[email protected]</email_to>
>>> >> >> >>>> >> >> >> >> >> >      <smtp_server>ns0.bt.net.</smtp_server>
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > <email_from>[email protected]</email_from>
>>> >> >> >>>> >> >> >> >> >> >    </global>
>>> >> >> >>>> >> >> >> >> >> > <syscheck>
>>> >> >> >>>> >> >> >> >> >> >      <!-- Frequency that syscheck is executed
>>> >> >> >>>> >> >> >> >> >> > -
>>> >> >> >>>> >> >> >> >> >> > default
>>> >> >> >>>> >> >> >> >> >> > to
>>> >> >> >>>> >> >> >> >> >> > every
>>> >> >> >>>> >> >> >> >> >> > 22
>>> >> >> >>>> >> >> >> >> >> > hours
>>> >> >> >>>> >> >> >> >> >> > -->
>>> >> >> >>>> >> >> >> >> >> >      <frequency>79200</frequency>
>>> >> >> >>>> >> >> >> >> >> >      <alert_new_files>yes</alert_new_files>
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >      <!-- Directories to check  (perform all
>>> >> >> >>>> >> >> >> >> >> > possible
>>> >> >> >>>> >> >> >> >> >> > verifications)
>>> >> >> >>>> >> >> >> >> >> > -->
>>> >> >> >>>> >> >> >> >> >> >      <directories report_changes="yes"
>>> >> >> >>>> >> >> >> >> >> > realtime="yes"
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>> >> >> >>>> >> >> >> >> >> >      <directories report_changes="yes"
>>> >> >> >>>> >> >> >> >> >> > realtime="yes"
>>> >> >> >>>> >> >> >> >> >> > check_all="yes">/bin,/sbin</directories>
>>> >> >> >>>> >> >> >> >> >> >      <directories report_changes="yes"
>>> >> >> >>>> >> >> >> >> >> > realtime="yes"
>>> >> >> >>>> >> >> >> >> >> > check_all="yes">/home/user_name</directories>
>>> >> >> >>>> >> >> >> >> >> >  </syscheck>
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > The local_rules.xml is like,
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >  <group name="local,syslog,">
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >     <!-- Note that rule id 5711 is defined at
>>> >> >> >>>> >> >> >> >> >> > the
>>> >> >> >>>> >> >> >> >> >> > ssh_rules
>>> >> >> >>>> >> >> >> >> >> > file
>>> >> >> >>>> >> >> >> >> >> >       -  as a ssh failed login. This is just
>>> >> >> >>>> >> >> >> >> >> > an
>>> >> >> >>>> >> >> >> >> >> > example
>>> >> >> >>>> >> >> >> >> >> >       -  since ip 1.1.1.1 shouldn't be used
>>> >> >> >>>> >> >> >> >> >> > anywhere.
>>> >> >> >>>> >> >> >> >> >> >       -  Level 0 means ignore.
>>> >> >> >>>> >> >> >> >> >> >       -->
>>> >> >> >>>> >> >> >> >> >> >     <rule id="100001" level="0">
>>> >> >> >>>> >> >> >> >> >> >       <if_sid>5711</if_sid>
>>> >> >> >>>> >> >> >> >> >> >       <srcip>1.1.1.1</srcip>
>>> >> >> >>>> >> >> >> >> >> >       <description>Example of rule that will
>>> >> >> >>>> >> >> >> >> >> > ignore
>>> >> >> >>>> >> >> >> >> >> > sshd
>>> >> >> >>>> >> >> >> >> >> > </description>
>>> >> >> >>>> >> >> >> >> >> >       <description>failed logins from IP
>>> >> >> >>>> >> >> >> >> >> > 1.1.1.1.</description>
>>> >> >> >>>> >> >> >> >> >> >     </rule>
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >     <rule id="554" level="7" overwrite="yes">
>>> >> >> >>>> >> >> >> >> >> >       <category>ossec</category>
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > <decoded_as>syscheck_new_entry</decoded_as>
>>> >> >> >>>> >> >> >> >> >> >       <description>File added to the
>>> >> >> >>>> >> >> >> >> >> > system.</description>
>>> >> >> >>>> >> >> >> >> >> >       <group>syscheck,</group>
>>> >> >> >>>> >> >> >> >> >> >     </rule>
>>> >> >> >>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > Now, if I added a file in home/user_name,
>>> >> >> >>>> >> >> >> >> >> > there
>>> >> >> >>>> >> >> >> >> >> > is
>>> >> >> >>>> >> >> >> >> >> > no
>>> >> >> >>>> >> >> >> >> >> > email
>>> >> >> >>>> >> >> >> >> >> > notification
>>> >> >> >>>> >> >> >> >> >> > coming through the SMTP server. I am using
>>> >> >> >>>> >> >> >> >> >> > smtp.bt.net,
>>> >> >> >>>> >> >> >> >> >> > using
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > dig -t mx smtp.bt.net
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >> > to get the SMTP server. What are the possible
>>> >> >> >>>> >> >> >> >> >> > reasons
>>> >> >> >>>> >> >> >> >> >> > that
>>> >> >> >>>> >> >> >> >> >> > I am
>>> >> >> >>>> >> >> >> >> >> > not
>>> >> >> >>>> >> >> >> >> >> > getting
>>> >> >> >>>> >> >> >> >> >> > the
>>> >> >> >>>> >> >> >> >> >> > email?
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >>
>>> >> >> >>>> >> >> >> >> >> Are you getting emails for other alerts?
>>> >> >> >>>> >> >> >> >> >> Are alerts being triggered for these new files?
>>> >> >> >>>> >> >> >> >> >>
>>> >> >> >>>> >> >> >> >> >> > Many thanks
>>> >> >> >>>> >> >> >> >> >> >
>>> >> >> >>>> >> >> >> >> >
>>> >> >> >>>> >> >> >> >
>>> >> >> >>>> >> >> >
>>> >> >> >>>> >> >
>>> >> >> >>>> >>
>>> >> >> >>>> >
>>> >> >> >>>> >
>>> >> >> >>>>
>>> >> >> >>>
>>> >> >> >>>
>>> >> >>
>>> >> >
>>> >> >
>>> >>
>>> >
>>> >
>>>
>>
>>
>

