Hi there.
I'm still getting only one type of alert e-mail, even though I modified/created
some files under /etc. Am I missing something else in the configuration?
This is the server configuration.

<!-- OSSEC example config -->

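<ossec_config>
  <!-- Server (manager) configuration. All global settings, including the
       active-response white_list, are kept in a single <global> block. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>m...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>oss...@server.com</email_from>
    <!-- Cap on alert e-mails per hour. What gets mailed at all is decided
         by <email_alert_level> in the <alerts> block below. -->
    <email_maxperhour>100</email_maxperhour>
    <!-- logall keeps every log line the server receives (not only the ones
         that raise alerts) under logs/archives/. Useful for forensics, but
         budget disk space and rotation for it. -->
    <logall>yes</logall>
    <memory_size>4096</memory_size>
    <!-- Source addresses that active-response must never block. Only the
         loopback address is listed, so any level>=6 alert that carries the
         srcip of an administrator's host (a mistyped SSH password is enough)
         bans that host for 600 s via hosts.deny and the firewall. Add your
         management / jump-host addresses here before relying on the
         automatic blocking configured further down. -->
    <white_list>127.0.0.1</white_list>
  </global>


  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- policy_rules.xml is intentionally disabled. -->
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <!-- local_rules.xml must stay last: a rule with overwrite="yes" only
         replaces a stock rule that was loaded before it. -->
    <include>local_rules.xml</include>
  </rules>


  <syscheck>
    <!-- Interval between scheduled full scans, in seconds. The shipped
         default is 79200 (22 hours). NOTE: new files are only picked up by
         these scheduled scans, not by realtime monitoring, so with
         alert_new_files=yes a file created under /etc is reported within the
         hour, not immediately. A modified file is reported in realtime only
         once a full scan has put it into the syscheck database. -->
    <frequency>3600</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- One <directories> entry per option set; never list a path in two
         entries (syscheck misbehaves on duplicates).
         check_all  = hashes, owner and permissions.
         realtime   = inotify-driven change detection on Linux.
         report_changes = keep a copy of changed text files so the alert
         (and therefore the alert e-mail) contains a diff. Restricted to
         /etc on purpose: enabling it on /root and /home would copy and
         mail the contents of private keys and other secrets. Even under
         /etc, consider excluding /etc/shadow and friends from diffs with
         <nodiff> if your OSSEC version supports it. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
    <directories check_all="yes" realtime="yes">/boot,/root,/home,/bin,/sbin,/usr/bin,/usr/sbin</directories>

    <!-- Files/directories to ignore. /etc/hosts.deny is rewritten by the
         host-deny active response, so monitoring it would raise a syscheck
         alert on every automatic block. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <!-- Hourly rootkit / trojan signature checks (the documented default
         is 36000 s). Fine on a small host; raise if load becomes an issue. -->
    <frequency>3600</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <remote>
    <!-- Agent channel, authenticated and encrypted with the per-agent keys
         issued by manage_agents. -->
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- Only alerts at or above this level are e-mailed, and this is the
         most likely reason that only one alert type arrives by mail: in the
         stock ossec_rules.xml the syscheck rules "Integrity checksum
         changed" (550/551/552) and "File deleted" (553) are level 7, but
         "File added to the system" (554) is level 5, so new files never
         reach this threshold (check the level in your installed
         ossec_rules.xml). Rather than lowering the threshold and mailing
         every level-5 event, raise that one rule in local_rules.xml:
           <rule id="554" level="7" overwrite="yes">
             <category>ossec</category>
             <decoded_as>syscheck_new_entry</decoded_as>
             <description>File added to the system.</description>
             <group>syscheck,</group>
           </rule>
         or add <options>alert_by_email</options> to the override. -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Active-response command definitions. Each <expect> names the alert
       field the script receives; a response is skipped when the alert does
       not carry it. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Defined but not bound to any <active-response> below, so it never
       runs. Harmless; remove it or wire it up deliberately. -->
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- Runs host-deny on the host that raised the alert whenever a rule
         of level 6 or higher fires and the event carries a srcip; syscheck
         and rootcheck alerts have none and should therefore be skipped.
         The IP is blocked for 600 seconds. Level 6 is low enough to include
         ordinary failed-login rules, which is why <white_list> in <global>
         must contain your own management addresses. -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Same trigger as above, blocking at the packet filter (iptables,
         ipfilter, etc.) for 600 seconds. Both responses fire on the same
         alert, so a whitelisting mistake locks the host out twice over. -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles). A missing file is logged as a warning
       and skipped, not treated as an error, so verify each path exists.
       NOTE(review): on EL6 the auth log is /var/log/secure (there is no
       /var/log/authlog) and Apache writes to /var/log/httpd/, not
       /var/www/logs/; confirm which of these paths are real on this host. -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>

  <!-- Daily report. NOTE(review): a <reports> entry with only a <title>
       selects nothing and has no recipient; OSSEC reports normally need a
       <category>, <group> or <rule> filter plus <email_to>. Confirm against
       the docs for your version, or drop the block until it is needed. -->
  <reports>
    <title>ZEBRA OSSEC Security Report For The Masses</title>
  </reports>


</ossec_config>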



Thank for your patience.

El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) escribió:
>
> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com 
> <javascript:>> wrote: 
> > Hi 
> > Does this still apply? 
> > I have this option enabled: <alert_new_files>yes</alert_new_files> along 
> > with the realtime=yes. 
> > 
> > From another post on the list: 
> >>In the past new files were not alerted in real time. I'm not sure if 
> >>this has changed. Any of the developers know? 
> > 
>
> Was there a response to this post? I don't think it's changed, but I'm 
> sure I miss commits here and there. 
>
> > 
> > Another question , by reading this 
> > 
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
>  
> > I can see that there are values that can be adjusted, for example host 
> > information, by default 8, how do I interpret that, the greater the 
> > number the more verbose? I just made some modification under /etc, 
> > created some file 
>
> That would be the alert level. It does not change verbosity, just the 
> level of the alert. 
>
> > modified other just to test, but still have no e-mail, I'm only getting 
> an 
> > e-mail regarding a service log and nothing else, which is the parameter 
> to 
> > tell ossec to send all the issues? 
> > 
>
> For the new file, you probably need a full syscheck scan for it to be 
> picked up. 
> For the modified file, if it's already in the syscheck db, you should 
> be alerted relatively quickly (if realtime is enabled and currently 
> running). 
>
> Other than that, OSSEC should send all alerts. 
>
> > Last question: 
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database 
> > (pre-scan). 
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file 
> > monitoring (not started). 
> > 
> > Which service is not started?  the doc says the package inotify should 
> be 
> > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 
> > 
>
> That doesn't indicate that a service hasn't started, just that the 
> realtime feature hasn't started working yet. 
> There's a delay for realtime to start. 
>
> > Thank you very much!! 
> > Regards 
> > 
> > 
> > 
> > 
> > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) 
> escribió: 
> >> 
> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> 
> wrote: 
> >> > 
> >> > Hi 
> >> > Let's see, shouldn't I have to configure on each tag to which 
> directory 
> >> > I 
> >> > want to apply it? as in check_all , directories,  realtime and which 
> >> > directories, or are they global parameters? that's why I included 
> home 
> >> > and 
> >> > root on both of them. 
> >> > 
> >> 
> >> 
> >> Each option applies to the directories configured in it. 
> >> 
> >> > <directories 
> >> > 
> >> > 
> check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories> 
>
> >> > 
> >> 
> >> This checks all of the hashes, owner, and permissions. 
> >> 
> >> >  <directories realtime="yes" 
> >> > check_all="yes">/root,/home,/etc</directories> 
> >> > 
> >> 
> >> This does realtime checks of all of the above, and should produce an 
> >> error because the "/root," "/home," and "/etc" directories are 
> >> duplicated. 
> >> Duplication of directories can cause issues, so it's best not to do 
> >> it. The way to solve this is not to duplicate these directories in the 
> >> second configuration by not including them in the first. 
> >> For example: 
> >> 
> >> <directories 
> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> <directories check_all="yes" 
> realtime="yes">/root,/home,/etc</directories> 
> >> 
> >> Now, if you want to add "report_changes" to /etc, you'll have to 
> >> remove it from the above configuration. You'll end up with: 
> >> 
> >> <directories 
> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> <directories check_all="yes" realtime="yes">/root,/home</directories> 
> >> <directories check_all="yes" realtime="yes" 
> >> report_changes="yes">/etc</directories> 
> >> 
> >> > 
> >> > Thank you very much 
> >> > Best Regards 
> >> > 
> > 
>
