Here is a solution. One thing I was not sure about was that sometimes you get on a third event "ignoring"; I wasn't sure how to defeat this.
How to add an active response to OSSEC to get diffs when the Integrity checksum changed rules 550/1/2 fire.

To install, create diff-alert.sh and diff-alert-filename.awk in /var/ossec/active-response/bin. Add the ossec.conf fragments to /var/ossec/etc/ossec.conf.

This implementation uses a simple directory structure under /var/ossec/etc/diff-checks to determine whether a file should be diff'ed. Create /var/ossec/etc/diff-checks. Under this directory create full paths of files to be checked, i.e.

mkdir -p /var/ossec/etc/diff-checks/etc/awstats
touch /var/ossec/etc/diff-checks/etc/awstats/awstats.objectgizmos.com.conf

Using touch means you get a full diff on first change; alternatively you can just copy the file of interest into diff-checks.

Restart ossec:

/var/ossec/bin/ossec-control restart

----
Main script /var/ossec/active-response/bin/diff-alert.sh

#!/bin/bash
# E-mails an alert - showing diff of selected files
#
# Author: Martin West based on Daniel Cid's mail-test.sh

# Set to root and use /etc/aliases to redirect root as needed.
MAILADDRESS="root"

# Arguments as passed by ossec-execd to an active-response script
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

BINDIR=`dirname "$0"`
cd "$BINDIR"
BINDIR=`pwd`
cd ../..
OSSEC_DIR=`pwd`

# Example of the alert block this script parses in alerts.log:
#** Alert 1257620885.280781: mail - ossec,syscheck,
#2009 Nov 07 19:08:05 lenovo2->syscheck
#Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
#Src IP: (none)
#User: (none)
#Integrity checksum changed for: '/etc/awstats/awstats.objectgizmos.com.conf'

if [ "$ACTION" = TEST ]; then
    # Test mode: use a fixed alert id and a local test.log next to the script
    ALERTID="1257620885.280781"
    LOGFILE="${BINDIR}/test.log"
else
    LOGFILE="${OSSEC_DIR}/logs/alerts/alerts.log"
fi

# Get alert prefix
ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
# Get alert suffix
ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`

# Getting full alert (escape the dot so grep matches it literally)
GREPARG="$ALERTTIME\.$ALERTLAST"

# Put awk program in file to avoid complications of single quote
FILENAME=`grep -A 10 "$GREPARG" "$LOGFILE" | grep "Integrity checksum changed for:" | awk -f "${BINDIR}/diff-alert-filename.awk"`

if [ "$ACTION" = TEST ]; then
    echo "$FILENAME"
fi

DIFF_ROOT_DIR="${OSSEC_DIR}/etc/diff-checks"

# ${FILENAME:1} strips the leading slash so the path lands under diff-checks
if [ -f "${DIFF_ROOT_DIR}/${FILENAME:1}" ]; then
    # Logging the call
    echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8 $FILENAME" >> "${OSSEC_DIR}/logs/active-responses.log"

    DIFF_CMD="diff -s $FILENAME ${DIFF_ROOT_DIR}/${FILENAME:1}"
    if [ "$ACTION" = TEST ]; then
        DIFF_OUTPUT=`${DIFF_CMD}`
        echo "$DIFF_OUTPUT"
    fi

    SUBJECT="OSSEC Alert ${FILENAME} diff"
    $DIFF_CMD | mail "$MAILADDRESS" -s "$SUBJECT"

    # Store the new version as the reference copy; the previous copy is kept as a numbered backup
    cp --backup=t "$FILENAME" "${DIFF_ROOT_DIR}/${FILENAME:1}"
else
    logger "$0 $FILENAME not found in ${DIFF_ROOT_DIR}/${FILENAME:1}"
    if [ "$ACTION" = TEST ]; then
        echo "not found ${DIFF_ROOT_DIR}/${FILENAME:1}"
    fi
fi

----
awk script /var/ossec/active-response/bin/diff-alert-filename.awk

# Split on runs of spaces, colons and single quotes; the path is the 5th field
BEGIN { FS = "[ :']+" } ; { print $5 }

----
/var/ossec/etc/ossec.conf

<command>
  <name>diff-alert</name>
  <executable>diff-alert.sh</executable>
  <expect/>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>diff-alert</command>
  <location>server</location>
  <rules_id>550,551,552</rules_id>
</active-response>

Martin West
skype:amartinwest

On 7 Nov 2009, at 17:43, Martin West wrote:
> Thanks, that's a good lead, I'll investigate and if I get anywhere I'll
> post the results
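The alert-parsing step in the script above (grep -A 10 on the alert id, then awk field 5) is the part that misbehaves on a path containing a space or colon. As an added example that is not part of the original post, this POSIX shell function reads only the block belonging to the exact alert id and takes the whole quoted path; the second alert in the constructed log below uses a hypothetical id and path chosen to show the difference, and the post's own pipeline is kept alongside for comparison.

```shell
#!/bin/sh
# Added example, not code from the original post: pull the changed-file path
# for one exact alert ID out of an OSSEC alerts.log, reading only that alert's
# block and keeping paths that contain spaces or colons intact.

# Constructed sample alerts.log: the first alert is the one quoted in the post,
# the second (hypothetical ID and path) has a path the post's awk would split.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1257620885.280781: mail - ossec,syscheck,
2009 Nov 07 19:08:05 lenovo2->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/awstats/awstats.objectgizmos.com.conf'

** Alert 1257620999.280781: mail - ossec,syscheck,
2009 Nov 07 19:10:12 lenovo2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/cron.d/My Job: backup'
EOF

# extract_changed_file ALERTID LOGFILE
# Prints the quoted path from the alert whose header is "** Alert ALERTID:",
# or nothing when no such alert (or no syscheck line in it) exists.
extract_changed_file() {
    awk -v id="$1" -v q="'" '
        # a block starts at its header line and ends at the next blank line
        /^\*\* Alert / { inblock = (index($0, "** Alert " id ":") == 1) }
        /^$/           { inblock = 0 }
        inblock && index($0, "Integrity checksum changed for: " q) == 1 {
            line = $0
            sub("^[^" q "]*" q, "", line)   # drop text up to the opening quote
            sub(q "$", "", line)             # drop the closing quote
            print line
            exit
        }' "$2"
}

# The post's pipeline (grep -A 10 plus awk field 5), kept for comparison:
# it returns only "/etc/cron.d/My" for the second alert.
original_extract() {
    grep -A 10 "$1" "$2" | grep "Integrity checksum changed for:" \
        | awk 'BEGIN { FS = "[ :'"'"']+" } { print $5 }'
}
```

Both functions take the alert id and the log path as arguments, so the first can be dropped into the script in place of the grep/awk pipeline without changing how diff-alert.sh is invoked.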