Hmm ok...so wait i can guarantee any tampering gets detected as the md5sum and sha1sum changes...BUT its not detected in real time. I'll look into this tomorrow if u dont mind. I have a couple of issues with the WUI--- FYI im Gurtaj xD
On Mar 7, 2:48 pm, Gurtaj Singh <gurtaj.si...@esentire.com> wrote: > Yea I know what u mean. > But a couple of days ago i modified a file(I think it was the /etc/group > file)...syscheck fired a lvl 7 alert like 2 min later...it detected a > modified file...havent tried a reduced logfile yet. > also can u tell me what log file did u use? > > On Mon, 2011-03-07 at 13:31 -0600, Nate Woodward wrote: > > > > -----Original Message----- > > > From: gutsy gibbon [mailto:gibbongutsy...@gmail.com] > > > Sent: Monday, March 07, 2011 12:52 PM > > > To: ossec-list > > > Subject: [ossec-list] Re: Deletion of log data > > > > what log file did u open with vim...make sure that the log > > > file u open is included in the ossec.conf file and just to > > > I made sure I was modifying a logfile that is being monitored. > > > > make sure the rule works reduce the 6 hr syscheck thing...get > > > it to run right after u edit the file.. > > > I'll give this a try, but assuming the rule does work (it's one of the > > rules that ships with OSSEC, after all), how do I make sure log > > tampering will be detected no matter what? The OSSEC book says the time > > between syschecks has a minimum frequency of an hour, and I can't > > exactly ask crackers to only tamper with my logs X minutes after the top > > of the hour. > > > > On Mar 6, 10:54 am, "Tanishk Lakhaani" <tanishk2...@gmail.com> wrote: > > > > I think it checks for the same only at the time of running > > > syscheck, bcoz at that time it tries to compare it with the > > > database it has already made during pre-scan mode. > > > > > Regards > > > > Tanishk Lakhaani > > > > Sent from BlackBerry® on Airtel > > > > > -----Original Message----- > > > > From: "Nate Woodward" <nate.woodw...@the-connection.com> > > > > > Sender: ossec-list@googlegroups.com > > > > Date: Fri, 4 Mar 2011 10:08:51 > > > > To: ossec-list<ossec-list@googlegroups.com> > > > > Reply-To: ossec-list@googlegroups.com > > > > Subject: [ossec-list] Deletion of log data > > > > > Hi, > > > > > I'm trying to get OSSEC to detect data deletion in log > > > files. The page > > > > athttp://www.ossec.net/doc/manual/monitoring/index.htmlindicatesthat > > > > log monitoring is done in real time, and ossec_rules.xml has these > > > > rules: > > > > > <!-- File rotation/reducded rules --> > > > > <rule id="591" level="3"> > > > > <if_sid>500</if_sid> > > > > <match>^ossec: File rotated </match> > > > > <description>Log file rotated.</description> > > > > </rule> > > > > > <rule id="592" level="8"> > > > > <if_sid>500</if_sid> > > > > <match>^ossec: File size reduced</match> > > > > <description>Log file size reduced.</description> > > > > <group>attacks,</group> > > > > </rule> > > > > > <rule id="593" level="9"> > > > > <if_sid>500</if_sid> > > > > <match>^ossec: Event log cleared</match> > > > > <description>Microsoft Event log cleared.</description> > > > > <group>logs_cleared,</group> > > > > </rule> > > > > > When I open up a log file in vim, delete a few lines and > > > save it, rule > > > > 592 doesn't trigger. Am I doing something wrong? Does real-time log > > > > monitoring include the rules above, or do those rules only trigger > > > > when syscheck is run (at which time the log would have grown bigger > > > > than what it was before, despite my deletions)? > > > > > How can I ensure log file integrity? > > > > > -Nate