What's the OSSEC version that you tested with, and how did you configure
ossec.conf and local.xml?

I don't know which bit I missed in the configuration.

On 6 September 2016 at 14:40, dan (ddp) <[email protected]> wrote:

> On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng <[email protected]> wrote:
> > could you show me your ossec.conf and local_rules.xml?
> >
>
> This is for one of my servers. Probably not what I'll be testing with
> though.
> ossec.conf:
> <ossec_config>
>   <!-- Listing as posted to the list. Several long lines further down
>        were re-wrapped by the mail client (the rootcheck paths, one
>        syscheck comment); re-join them before reusing this file. -->
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <smtp_server>192.168.17.9</smtp_server>
>     <!-- NOTE(review): the commented-out msmtp line below contains a
>          double hyphen inside an XML comment, which is not well-formed
>          XML; whether OSSEC's own parser tolerates it is not verifiable
>          from this listing. -->
>     <!--<smtp_server>/usr/bin/msmtp -v --timeout 20 -f
> "[email protected]" -t</smtp_server>-->
>     <email_from>ossecm@earth</email_from>
>   </global>
>
>   <!-- NOTE(review): this block holds a live database credential in
>        clear text, and it has now been posted to a public mailing list.
>        Rotate the password, and scrub secrets before sharing ossec.conf. -->
>   <database_output>
>     <hostname>127.0.0.1</hostname>
>     <username>ossecuser</username>
>     <password>TGmmxNsh5TNrKTy8</password>
>     <database>ossec</database>
>     <type>mysql</type>
>   </database_output>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours
> -->
>     <frequency>79200</frequency>
>     <auto_ignore>no</auto_ignore>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>     <!-- realtime="yes" is set only for /var/test; the other trees are
>          covered by the scheduled scan above. Per the thread, a newly
>          created file may still only alert once a scan actually runs. -->
>     <directories check_all="yes" realtime="yes">/var/test</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <!-- Rootkit and system-audit lists shipped under etc/shared. The
>        path lines below are split by mail wrapping, not in the file. -->
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.
> txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</
> system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.
> txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt<
> /system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.
> txt</system_audit>
>   </rootcheck>
>
>   <!-- Second <global> section; this layout relies on repeated sections
>        being merged. The white_list entries presumably exempt these
>        addresses from the active-response commands defined below;
>        confirm against the OSSEC documentation for the version in use. -->
>   <global>
>     <white_list>127.0.0.1</white_list>
>     <white_list>^localhost.localdomain$</white_list>
>     <white_list>192.168.17.17</white_list>
>     <white_list>192.168.17.9</white_list>
>     <white_list>192.168.18.1</white_list>
>   </global>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <!-- Alerts of level 1 and up are written to alerts.log; only level 7
>        and up are mailed. -->
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <!-- Active-response command definitions. No <active-response>
>        element appears anywhere in this listing, so nothing here binds
>        these commands to a rule or level; as posted they are inert. -->
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>firewall-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>disable-account</name>
>     <executable>disable-account.sh</executable>
>     <expect>user</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <!-- Takes no argument and, unlike the others, has no timeout. -->
>   <command>
>     <name>restart-ossec</name>
>     <executable>restart-ossec.sh</executable>
>     <expect></expect>
>   </command>
>
>
>   <command>
>     <name>route-null</name>
>     <executable>route-null.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/auth.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/dpkg.log</location>
>   </localfile>
>
>   <!-- nginx logs are read with the apache log_format. -->
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/nginx/access.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/nginx/error.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/error.log</location>
>   </localfile>
>
>   <!-- The command/full_command entries ingest the output of a shell
>        command instead of a file; the listening-socket snapshot below
>        gives a baseline to alert on when a new port appears. -->
>   <localfile>
>     <log_format>command</log_format>
>     <command>df -h</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>last -n 5</command>
>   </localfile>
> </ossec_config>
>
> <ossec_config>  <!-- rules global entry -->
>   <rules>
>     <!--<decoder>etc/decoder.xml</decoder>-->
>     <!-- Decoders and rules are loaded by directory pattern rather than
>          by the explicit include list, which is kept below commented out. -->
>     <decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
>     <include>rules_config.xml</include>
>     <!--
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>symantec-ws_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>roundcube_rules.xml</include>
>     <include>wordpress_rules.xml</include>
>     <include>cimserver_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>vmpop3d_rules.xml</include>
>     <include>courier_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>web_appsec_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>nginx_rules.xml</include>
>     <include>php_rules.xml</include>
>     <include>mysql_rules.xml</include>
>     <include>postgresql_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>apparmor_rules.xml</include>
>     <include>cisco-ios_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>sonicwall_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>dovecot_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <include>mcafee_av_rules.xml</include>
>     <include>trend-osce_rules.xml</include>
>     <include>ms-se_rules.xml</include>
>     <include>zeus_rules.xml</include>
>     <include>solaris_bsm_rules.xml</include>
>     <include>vmware_rules.xml</include>
>     <include>ms_dhcp_rules.xml</include>
>     <include>asterisk_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>attack_rules.xml</include>
>     <include>openbsd_rules.xml</include>
>     <include>clam_av_rules.xml</include>
>     <include>dropbear_rules.xml</include>
>     <include>sysmon_rules.xml</include>
>     <include>opensmtpd_rules.xml</include>
>     -->
>     <rule_dir pattern=".xml$">rules/rules.d</rule_dir>
>     <!-- local_rules.xml is not included explicitly; it is only loaded
>          if it lives under rules/rules.d and matches the pattern above,
>          which cannot be verified from this listing. A rule file that
>          silently fails to load is a common reason expected alerts
>          never appear. -->
>     <!--<include>local_rules.xml</include>-->
> </rules>
> </ossec_config>  <!-- rules global entry -->
>
> local_rules.xml:
> <!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $
>
>   -  Example of local rules for OSSEC.
>   -
>   -  Copyright (C) 2009 Trend Micro Inc.
>   -  All rights reserved.
>   -
>   -  This program is a free software; you can redistribute it
>   -  and/or modify it under the terms of the GNU General Public
>   -  License (version 2) as published by the FSF - Free Software
>   -  Foundation.
>   -
>   -  License details: http://www.ossec.net/en/licensing.html
>   -->
>
>
> <!-- Modify it at your will. -->
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     -  as a ssh failed login. This is just an example
>     -  since ip 1.1.1.1 shouldn't be used anywhere.
>     -  Level 0 means ignore.
>     -->
>   <rule id="100001" level="0">
>     <if_sid>5711</if_sid>
>     <srcip>1.1.1.1</srcip>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins from IP 1.1.1.1.</description>
>   </rule>
>
>
>   <!-- This example will ignore ssh failed logins for the user name XYZABC.
>     -->
>   <!--
>   <rule id="100020" level="0">
>     <if_sid>5711</if_sid>
>     <user>XYZABC</user>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins for user XYZABC.</description>
>   </rule>
>   -->
>
>
>   <!-- Specify here a list of rules to ignore. -->
>   <!--
>   <rule id="100030" level="0">
>     <if_sid>12345, 23456, xyz, abc</if_sid>
>     <description>List of rules to be ignored.</description>
>   </rule>
>   -->
>
>   <!-- Level-10 test rule keyed on a literal line prefix. Any log source
>        that can write a line starting with this text raises an alert
>        above the mail threshold set in ossec.conf (email_alert_level 7).
>        Fine for a lab; remove it in production. -->
>   <rule id="700007" level="10">
>     <match>^TEST TEST TEST</match>
>     <description>test test test</description>
>     <group>test,</group>
>   </rule>
>
>
>   <!-- The three program_name parents below (collectd, nsd, ngircd) are
>        level 0 and so are their children, so every message from those
>        daemons is silenced, not just the noisy ones matched by the
>        children. Anything else these daemons log is invisible to alerting. -->
>   <rule id="710001" level="0">
>     <program_name>^collectd</program_name>
>     <description>collectd collected.</description>
>   </rule>
>
>   <rule id="710002" level="0">
>     <if_sid>710001</if_sid>
>     <match>illegal attempt to update using time</match>
>     <description>Ignore collectd time issues.</description>
>   </rule>
>
>   <rule id="710003" level="0">
>     <if_sid>710001</if_sid>
>     <match>uc_update: Value too old: name</match>
>     <description>ignore collectd valu eerror.</description>
>   </rule>
>
>   <rule id="711001" level="0">
>     <program_name>^nsd</program_name>
>     <description>nsd grouping.</description>
>   </rule>
>
>   <rule id="711002" level="0">
>     <if_sid>711001</if_sid>
>     <match>failed reading from </match>
>     <description>nsd connection failed.</description>
>   </rule>
>
>   <rule id="712001" level="0">
>     <program_name>^ngircd</program_name>
>     <description>ngircd grouping.</description>
>   </rule>
>
>   <rule id="712002" level="0">
>     <if_sid>712001</if_sid>
>     <match>Shutting down connection</match>
>     <description>ngircd shutting down connection.</description>
>   </rule>
>
>   <rule id="712003" level="0">
>     <if_sid>712001</if_sid>
>     <match>Client unregistered</match>
>     <description>ngircd client unregistered.</description>
>   </rule>
>
>   <!-- Overrides the stock rule 1003 (oversized syslog message):
>        raises the size limit to 4096 bytes and the level to 13. The
>        description line is split here by mail wrapping, not in the file. -->
>   <rule id="1003" level="13" maxsize="4096" overwrite="yes">
>     <description>Non standard syslog message (size too
> large).</description>
>   </rule>
>
> </group> <!-- SYSLOG,LOCAL -->
>
>
>
> > On 6 September 2016 at 14:17, Daiyue Weng <[email protected]> wrote:
> >>
> >> This is what I did,
> >>
> >> 1. restart ossec
> >>
> >> 2. running `ps auxww | grep ossec-execd`, execd is already running.
> >>
> >> 3. add an empty file in /home/user_name
> >>
> >> 4. running /var/ossec/bin/agent_control -r -u 000
> >>
> >> 5. checking alerts.log, no file addition log was shown.
> >>
> >> I am using Arch Linux.
> >>
> >> On 6 September 2016 at 12:23, dan (ddp) <[email protected]> wrote:
> >>>
> >>> On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng <[email protected]>
> wrote:
> >>> > thanks, how to enable active response in ossec.conf?
> >>> >
> >>>
> >>> If it's disabled, delete that block. If it's not disabled, it should
> >>> be running (`ps auxww | grep ossec-execd`)
> >>>
> >>> > On 6 September 2016 at 12:15, dan (ddp) <[email protected]> wrote:
> >>> >>
> >>> >> On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng <[email protected]>
> >>> >> wrote:
> >>> >> > Could you elaborate the steps you went through? How does it work?
> >>> >> >
> >>> >>
> >>> >> Make sure active response is enabled.
> >>> >> run:
> >>> >> /var/ossec/bin/agent_control -r -u 000
> >>> >>
> >>> >> Wait.
> >>> >>
> >>> >> > On 6 September 2016 at 12:12, dan (ddp) <[email protected]> wrote:
> >>> >> >>
> >>> >> >> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <[email protected]>
> wrote:
> >>> >> >> > On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <[email protected]>
> >>> >> >> > wrote:
> >>> >> >> >> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <[email protected]>
> >>> >> >> >> wrote:
> >>> >> >> >>>
> >>> >> >> >>> since I am running local-ossec, so agent_control doesn't do
> any
> >>> >> >> >>> good
> >>> >> >> >>> here?
> >>> >> >> >>>
> >>> >> >> >>
> >>> >> >> >> I'll install a local instance and try it out for you. I'll
> >>> >> >> >> report
> >>> >> >> >> back
> >>> >> >> >> shortly.
> >>> >> >> >>
> >>> >> >> >
> >>> >> >> > Not positive, but it doesn't look like it's working. I'm not
> >>> >> >> > keeping
> >>> >> >> > it around for another try.
> >>> >> >> > You may just have to restart the syscheckd process.
> >>> >> >> >
> >>> >> >>
> >>> >> >> It does look like this might be working, just had to have execd
> >>> >> >> running and have a bit more patience.
> >>> >> >>
> >>> >> >> >>> On 5 September 2016 at 17:43, dan (ddp) <[email protected]>
> >>> >> >> >>> wrote:
> >>> >> >> >>>>
> >>> >> >> >>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng
> >>> >> >> >>>> <[email protected]>
> >>> >> >> >>>> wrote:
> >>> >> >> >>>> > Hi, ideally we like ossec to check file integrity in real
> >>> >> >> >>>> > time,
> >>> >> >> >>>> > if
> >>> >> >> >>>> > not,
> >>> >> >> >>>> > what
> >>> >> >> >>>> > are the other options ossec can offer in that aspect?
> >>> >> >> >>>> >
> >>> >> >> >>>>
> >>> >> >> >>>> It will do some things in real time, not all. I think it
> >>> >> >> >>>> should be
> >>> >> >> >>>> a
> >>> >> >> >>>> fairly simple code change to add new files to the realtime
> >>> >> >> >>>> options,
> >>> >> >> >>>> but I've never really looked into it.
> >>> >> >> >>>>
> >>> >> >> >>>> > Is there a Syscheck cmd in ossec?
> >>> >> >> >>>> >
> >>> >> >> >>>>
> >>> >> >> >>>> # /var/ossec/bin/agent_control -h
> >>> >> >> >>>>
> >>> >> >> >>>> OSSEC HIDS agent_control: Control remote agents.
> >>> >> >> >>>> Available options:
> >>> >> >> >>>>         -h          This help message.
> >>> >> >> >>>>         -l          List available (active or not) agents.
> >>> >> >> >>>>         -lc         List active agents.
> >>> >> >> >>>>         -i <id>     Extracts information from an agent.
> >>> >> >> >>>>         -R <id>     Restarts agent.
> >>> >> >> >>>>         -r -a       Runs the integrity/rootkit checking on
> all
> >>> >> >> >>>> agents
> >>> >> >> >>>> now.
> >>> >> >> >>>>         -r -u <id>  Runs the integrity/rootkit checking on
> one
> >>> >> >> >>>> agent
> >>> >> >> >>>> now.
> >>> >> >> >>>>
> >>> >> >> >>>>         -b <ip>     Blocks the specified ip address.
> >>> >> >> >>>>         -f <ar>     Used with -b, specifies which response
> to
> >>> >> >> >>>> run.
> >>> >> >> >>>>         -L          List available active responses.
> >>> >> >> >>>>         -s          Changes the output to CSV (comma
> >>> >> >> >>>> delimited).
> >>> >> >> >>>>
> >>> >> >> >>>>
> >>> >> >> >>>> > On 5 September 2016 at 17:23, dan (ddp) <[email protected]
> >
> >>> >> >> >>>> > wrote:
> >>> >> >> >>>> >>
> >>> >> >> >>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng
> >>> >> >> >>>> >> <[email protected]>
> >>> >> >> >>>> >> wrote:
> >>> >> >> >>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the
> >>> >> >> >>>> >> > addition
> >>> >> >> >>>> >> > of
> >>> >> >> >>>> >> > the
> >>> >> >> >>>> >> > file,
> >>> >> >> >>>> >> > no alerts fired after adding a file to /home/user_name,
> >>> >> >> >>>> >> > which
> >>> >> >> >>>> >> > is
> >>> >> >> >>>> >> > monitored
> >>> >> >> >>>> >> > by ossec. what's the possible problems?
> >>> >> >> >>>> >> >
> >>> >> >> >>>> >>
> >>> >> >> >>>> >> A syscheck scan probably hasn't run since the file was
> >>> >> >> >>>> >> added (I
> >>> >> >> >>>> >> don't
> >>> >> >> >>>> >> think it works with realtime).
> >>> >> >> >>>> >> Try running a syscheck scan to see if an alert is
> created.
> >>> >> >> >>>> >>
> >>> >> >> >>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan
> (ddpbsd)
> >>> >> >> >>>> >> > wrote:
> >>> >> >> >>>> >> >>
> >>> >> >> >>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng
> >>> >> >> >>>> >> >> <[email protected]>
> >>> >> >> >>>> >> >> wrote:
> >>> >> >> >>>> >> >> > Using the above cmd, adding a file on a monitored
> >>> >> >> >>>> >> >> > directory,
> >>> >> >> >>>> >> >> > i.e.
> >>> >> >> >>>> >> >> > /home/user_name,
> >>> >> >> >>>> >> >> >
> >>> >> >> >>>> >> >> > nothing is shown on tcpdump,
> >>> >> >> >>>> >> >> >
> >>> >> >> >>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB
> >>> >> >> >>>> >> >> > (Ethernet),
> >>> >> >> >>>> >> >> > capture
> >>> >> >> >>>> >> >> > size
> >>> >> >> >>>> >> >> > 262144 bytes
> >>> >> >> >>>> >> >> >
> >>> >> >> >>>> >> >> >
> >>> >> >> >>>> >> >>
> >>> >> >> >>>> >> >> You can use "-i INTERFACE_NAME" to change the
> interface
> >>> >> >> >>>> >> >> it
> >>> >> >> >>>> >> >> listens
> >>> >> >> >>>> >> >> on.
> >>> >> >> >>>> >> >> So make sure you're listening to the interface the
> >>> >> >> >>>> >> >> emails
> >>> >> >> >>>> >> >> should be
> >>> >> >> >>>> >> >> sent
> >>> >> >> >>>> >> >> from.
> >>> >> >> >>>> >> >> Did any alerts fire while you were using tcpdump
> (check
> >>> >> >> >>>> >> >> /var/ossec/logs/alerts/alerts.log).
> >>> >> >> >>>> >> >> If not, that'll be a problem.
> >>> >> >> >>>> >> >>
> >>> >> >> >>>> >> >> >
> >>> >> >> >>>> >> >> >
> >>> >> >> >>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan
> >>> >> >> >>>> >> >> > (ddpbsd)
> >>> >> >> >>>> >> >> > wrote:
> >>> >> >> >>>> >> >> >>
> >>> >> >> >>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng
> >>> >> >> >>>> >> >> >> <[email protected]>
> >>> >> >> >>>> >> >> >> wrote:
> >>> >> >> >>>> >> >> >> > Hi, could you give me an example of using tcpdump
> >>> >> >> >>>> >> >> >> > in
> >>> >> >> >>>> >> >> >> > this
> >>> >> >> >>>> >> >> >> > case?
> >>> >> >> >>>> >> >> >> >
> >>> >> >> >>>> >> >> >>
> >>> >> >> >>>> >> >> >> tcpdump -nnXxevvs 0 port 25
> >>> >> >> >>>> >> >> >>
> >>> >> >> >>>> >> >> >> > cheers
> >>> >> >> >>>> >> >> >> >
> >>> >> >> >>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan
> >>> >> >> >>>> >> >> >> > (ddpbsd)
> >>> >> >> >>>> >> >> >> > wrote:
> >>> >> >> >>>> >> >> >> >>
> >>> >> >> >>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng
> >>> >> >> >>>> >> >> >> >> <[email protected]>
> >>> >> >> >>>> >> >> >> >> wrote:
> >>> >> >> >>>> >> >> >> >> > Hi, since it is a fresh install of ossec, so I
> >>> >> >> >>>> >> >> >> >> > didn't
> >>> >> >> >>>> >> >> >> >> > get
> >>> >> >> >>>> >> >> >> >> > any
> >>> >> >> >>>> >> >> >> >> > emails.
> >>> >> >> >>>> >> >> >> >> > The
> >>> >> >> >>>> >> >> >> >> > notification is turn on as
> >>> >> >> >>>> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >>
> >>> >> >> >>>> >> >> >> >> Try using tcpdump (looking for connections to
> the
> >>> >> >> >>>> >> >> >> >> email
> >>> >> >> >>>> >> >> >> >> server
> >>> >> >> >>>> >> >> >> >> from
> >>> >> >> >>>> >> >> >> >> the OSSEC system)
> >>> >> >> >>>> >> >> >> >>  or check the maillogs on the email server to
> >>> >> >> >>>> >> >> >> >> determine
> >>> >> >> >>>> >> >> >> >> if
> >>> >> >> >>>> >> >> >> >> there
> >>> >> >> >>>> >> >> >> >> is
> >>> >> >> >>>> >> >> >> >> an
> >>> >> >> >>>> >> >> >> >> error when sending.
> >>> >> >> >>>> >> >> >> >>
> >>> >> >> >>>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
> >>> >> >> >>>> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> > in ossec.conf
> >>> >> >> >>>> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1,
> dan
> >>> >> >> >>>> >> >> >> >> > (ddpbsd)
> >>> >> >> >>>> >> >> >> >> > wrote:
> >>> >> >> >>>> >> >> >> >> >>
> >>> >> >> >>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng
> >>> >> >> >>>> >> >> >> >> >> <[email protected]>
> >>> >> >> >>>> >> >> >> >> >> wrote:
> >>> >> >> >>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud
> >>> >> >> >>>> >> >> >> >> >> > server,
> >>> >> >> >>>> >> >> >> >> >> > and
> >>> >> >> >>>> >> >> >> >> >> > configure
> >>> >> >> >>>> >> >> >> >> >> > ossec.conf
> >>> >> >> >>>> >> >> >> >> >> > as
> >>> >> >> >>>> >> >> >> >> >> > follows, I tried to detect new additions
> >>> >> >> >>>> >> >> >> >> >> > using
> >>> >> >> >>>> >> >> >> >> >> > <alert_new_files>yes</alert_new_files>.
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > <global>
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > <email_notification>yes</
> email_notification>
> >>> >> >> >>>> >> >> >> >> >> >      <email_to>[email protected]<
> /email_to>
> >>> >> >> >>>> >> >> >> >> >> >      <smtp_server>ns0.bt.net.</
> smtp_server>
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > <email_from>[email protected]
> </email_from>
> >>> >> >> >>>> >> >> >> >> >> >    </global>
> >>> >> >> >>>> >> >> >> >> >> > <syscheck>
> >>> >> >> >>>> >> >> >> >> >> >      <!-- Frequency that syscheck is
> executed
> >>> >> >> >>>> >> >> >> >> >> > -
> >>> >> >> >>>> >> >> >> >> >> > default
> >>> >> >> >>>> >> >> >> >> >> > to
> >>> >> >> >>>> >> >> >> >> >> > every
> >>> >> >> >>>> >> >> >> >> >> > 22
> >>> >> >> >>>> >> >> >> >> >> > hours
> >>> >> >> >>>> >> >> >> >> >> > -->
> >>> >> >> >>>> >> >> >> >> >> >      <frequency>79200</frequency>
> >>> >> >> >>>> >> >> >> >> >> >      <alert_new_files>yes</alert_
> new_files>
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >      <!-- Directories to check  (perform
> all
> >>> >> >> >>>> >> >> >> >> >> > possible
> >>> >> >> >>>> >> >> >> >> >> > verifications)
> >>> >> >> >>>> >> >> >> >> >> > -->
> >>> >> >> >>>> >> >> >> >> >> >      <directories report_changes="yes"
> >>> >> >> >>>> >> >> >> >> >> > realtime="yes"
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > check_all="yes">/etc,/usr/bin,
> /usr/sbin</directories>
> >>> >> >> >>>> >> >> >> >> >> >      <directories report_changes="yes"
> >>> >> >> >>>> >> >> >> >> >> > realtime="yes"
> >>> >> >> >>>> >> >> >> >> >> > check_all="yes">/bin,/sbin</directories>
> >>> >> >> >>>> >> >> >> >> >> >      <directories report_changes="yes"
> >>> >> >> >>>> >> >> >> >> >> > realtime="yes"
> >>> >> >> >>>> >> >> >> >> >> > check_all="yes">/home/user_
> name</directories>
> >>> >> >> >>>> >> >> >> >> >> >  </syscheck>
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > The local_rules.xml is like,
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >  <group name="local,syslog,">
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >     <!-- Note that rule id 5711 is defined
> at
> >>> >> >> >>>> >> >> >> >> >> > the
> >>> >> >> >>>> >> >> >> >> >> > ssh_rules
> >>> >> >> >>>> >> >> >> >> >> > file
> >>> >> >> >>>> >> >> >> >> >> >       -  as a ssh failed login. This is
> just
> >>> >> >> >>>> >> >> >> >> >> > an
> >>> >> >> >>>> >> >> >> >> >> > example
> >>> >> >> >>>> >> >> >> >> >> >       -  since ip 1.1.1.1 shouldn't be used
> >>> >> >> >>>> >> >> >> >> >> > anywhere.
> >>> >> >> >>>> >> >> >> >> >> >       -  Level 0 means ignore.
> >>> >> >> >>>> >> >> >> >> >> >       -->
> >>> >> >> >>>> >> >> >> >> >> >     <rule id="100001" level="0">
> >>> >> >> >>>> >> >> >> >> >> >       <if_sid>5711</if_sid>
> >>> >> >> >>>> >> >> >> >> >> >       <srcip>1.1.1.1</srcip>
> >>> >> >> >>>> >> >> >> >> >> >       <description>Example of rule that
> will
> >>> >> >> >>>> >> >> >> >> >> > ignore
> >>> >> >> >>>> >> >> >> >> >> > sshd
> >>> >> >> >>>> >> >> >> >> >> > </description>
> >>> >> >> >>>> >> >> >> >> >> >       <description>failed logins from IP
> >>> >> >> >>>> >> >> >> >> >> > 1.1.1.1.</description>
> >>> >> >> >>>> >> >> >> >> >> >     </rule>
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >     <rule id="554" level="7"
> overwrite="yes">
> >>> >> >> >>>> >> >> >> >> >> >       <category>ossec</category>
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > <decoded_as>syscheck_new_
> entry</decoded_as>
> >>> >> >> >>>> >> >> >> >> >> >       <description>File added to the
> >>> >> >> >>>> >> >> >> >> >> > system.</description>
> >>> >> >> >>>> >> >> >> >> >> >       <group>syscheck,</group>
> >>> >> >> >>>> >> >> >> >> >> >     </rule>
> >>> >> >> >>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > Now, if I added a file in home/user_name,
> >>> >> >> >>>> >> >> >> >> >> > there
> >>> >> >> >>>> >> >> >> >> >> > is
> >>> >> >> >>>> >> >> >> >> >> > no
> >>> >> >> >>>> >> >> >> >> >> > email
> >>> >> >> >>>> >> >> >> >> >> > notification
> >>> >> >> >>>> >> >> >> >> >> > coming through the SMTP server. I am using
> >>> >> >> >>>> >> >> >> >> >> > smtp.bt.net,
> >>> >> >> >>>> >> >> >> >> >> > using
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > dig -t mx smtp.bt.net
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >> > to get the SMTP server. Whats the possible
> >>> >> >> >>>> >> >> >> >> >> > reasons
> >>> >> >> >>>> >> >> >> >> >> > that
> >>> >> >> >>>> >> >> >> >> >> > I am
> >>> >> >> >>>> >> >> >> >> >> > not
> >>> >> >> >>>> >> >> >> >> >> > getting
> >>> >> >> >>>> >> >> >> >> >> > the
> >>> >> >> >>>> >> >> >> >> >> > email?
> >>> >> >> >>>> >> >> >> >> >> >
> >>> >> >> >>>> >> >> >> >> >>
> >>> >> >> >>>> >> >> >> >> >> Are you getting emails for other alerts?
> >>> >> >> >>>> >> >> >> >> >> Are alerts being triggered for these new
> files?
> >>> >> >> >>>> >> >> >> >> >>
> >>> >> >> >>>> >> >> >> >> >> > Many thanks
> >>> >> >> >>>> >> >> >> >> >> >
> unsubscribe.
> >>> >> >> To unsubscribe from this group and all its topics, send an email
> to
> >>> >> >> [email protected].
> >>> >> >> For more options, visit https://groups.google.com/d/optout.
> >>> >> >
> >>> >> >
> >>> >> > --
> >>> >> >
> >>> >> > ---
> >>> >> > You received this message because you are subscribed to the Google
> >>> >> > Groups
> >>> >> > "ossec-list" group.
> >>> >> > To unsubscribe from this group and stop receiving emails from it,
> >>> >> > send
> >>> >> > an
> >>> >> > email to [email protected].
> >>> >> > For more options, visit https://groups.google.com/d/optout.
> >>> >>
> >>> >> --
> >>> >>
> >>> >> ---
> >>> >> You received this message because you are subscribed to a topic in
> the
> >>> >> Google Groups "ossec-list" group.
> >>> >> To unsubscribe from this topic, visit
> >>> >> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/
> unsubscribe.
> >>> >> To unsubscribe from this group and all its topics, send an email to
> >>> >> [email protected].
> >>> >> For more options, visit https://groups.google.com/d/optout.
> >>> >
> >>> >
> >>> > --
> >>> >
> >>> > ---
> >>> > You received this message because you are subscribed to the Google
> >>> > Groups
> >>> > "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it,
> send
> >>> > an
> >>> > email to [email protected].
> >>> > For more options, visit https://groups.google.com/d/optout.
> >>>
> >>> --
> >>>
> >>> ---
> >>> You received this message because you are subscribed to a topic in the
> >>> Google Groups "ossec-list" group.
> >>> To unsubscribe from this topic, visit
> >>> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe.
> >>> To unsubscribe from this group and all its topics, send an email to
> >>> [email protected].
> >>> For more options, visit https://groups.google.com/d/optout.
> >>
> >>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/ossec-list/fknE75We_dw/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
