On Fri, Jan 6, 2012 at 7:07 PM, Ross Lawrie <[email protected]> wrote:
> On 12-01-06 03:09 PM, dan (ddp) wrote:
>> On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <[email protected]> wrote:
>>> Hi,
>>>
>>> I've been trying to get this to work, but I'm obviously missing
>>> something or not understanding something. What I'd like to do is issue an
>>> alert to an alternate email address should a file change occur within a
>>> particular directory.
>>>
>>> From my reading, it seemed like the method to do this would be to create
>>> a custom rule, and then have an alert based on it in the ossec.conf.
>>> Unfortunately nothing seems to be happening...
>>>
>>> In local_rules.xml I've created a custom rule:
>>>
>>> <group name="syscheck,">
>>> ...
>>> <rule id="100023" level="10">
>>>   <description>Change to a custom directory</description>
>>>   <match>/home/ross</match>
>>> </rule>
>> Does this rule get triggered?
>
> Good question, I hadn't thought to track down the appropriate log file
> (alerts.log right?). It doesn't appear to be triggered, I'm only seeing
> the usual (550/554) ids being triggered, for example:
>
> ** Alert 1325894109.26688: mail - ossec,syscheck,
> 2012 Jan 06 15:55:09 myhost->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Integrity checksum changed for: '/home/ross/ross-test'
> Size changed from '47' to '13'
> Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
> New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
> Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
> New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'
>
> Does the match/regex not work against the line containing the file name?
> I have other custom rules that seem to work (and that I've disabled as
> part of my efforts to get this one to work, just in case they were
> conflicting somehow), so I think I've got it in the right place. I've
> changed the match/regex to only be against the word 'ross', just to try
> and increase my chances, but still no luck.
>
Crud, I should have mentioned this in the previous email (but I just saw it).
Try:

    <rule id="100023" level="10">
      <if_sid>550</if_sid>
      <!-- This means if rule 550 matches, but the file has /home/ross in it,
           this rule should be triggered instead -->
      <description>Change to a custom directory</description>
      <match>/home/ross</match>
    </rule>

Give that a shot.

>>
>>> ...
>>> </group>
>>>
>>> (I've also tried <regex> rather than <match>)
>>>
>>> In ossec.conf, I've set this up:
>>>
>>> <ossec_config>
>>> ...
>>> <email_alerts>
>>>   <email_to>[email protected]</email_to>
>>>   <rule_id>100023</rule_id>
>>>   <do_not_delay />
>>>   <do_not_group />
>>> </email_alerts>
>>> ...
>>> </ossec_config>
>>>
>>> Now, alerting to the email address defined globally is working, and I'm
>>> seeing alerts on file changes/creation/deletion that I make within the
>>> directory I'm watching (/home/ross for example), but I'm not seeing
>>> alerts going to the email address shown above - nor alerts to either
>>> address with the description set in the custom rule.
>>>
>>> Perhaps I'm going about this the wrong way, or there's an easier way to
>>> do this, but my search engine results haven't helped me, so hopefully
>>> someone here can point me in the right direction.
>>>
>>> Ross.
>> Is the working address also an @riverstyx.net email address? Have you
>> checked your maillogs to see if they provide a hint?
>
> The working address is also a riverstyx.net address, I've even tried the
> same address (since the description identifier and rule-id ought to make
> it distinguishable). As noted above though, I'm not seeing it trigger in
> the alerts.log, so obviously I've done something wrong with the actual
> rule at this point, and the email address isn't even getting a chance to
> be an issue at this point.
>
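The question dan raises ("does this rule get triggered?") is answered by reading alerts.log, and the block format quoted above is easy to parse. The following is an added example, not code from the thread or from the OSSEC project: a small Python parser for that alerts.log block format which reports which rule ids fired for files under a given directory, so you can confirm whether 100023 (with the if_sid fix) or only 550 is firing for /home/ross. The sample log text is constructed: the first block is the alert quoted in the thread, the second is a made-up block showing what the child rule would produce once it chains off 550 (its alert id, timestamp and sizes are invented). The path extraction assumes the changed file is the first single-quoted absolute path in the alert body, which holds for the syscheck lines shown here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample alerts.log content (not a real log). Block 1 is the
# rule 550 alert quoted in the thread; block 2 is a hypothetical alert from
# child rule 100023 after it gets <if_sid>550</if_sid>.
SAMPLE_ALERTS_LOG = """\
** Alert 1325894109.26688: mail - ossec,syscheck,
2012 Jan 06 15:55:09 myhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/ross/ross-test'
Size changed from '47' to '13'
Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'

** Alert 1325894200.27001: mail - syscheck,
2012 Jan 06 15:56:40 myhost->syscheck
Rule: 100023 (level 10) -> 'Change to a custom directory'
Integrity checksum changed for: '/home/ross/ross-test'
Size changed from '13' to '20'
"""

# Line shapes taken from the alert quoted in the thread.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?P<flags>\S+) - (?P<groups>.*)$")
ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
PATH_RE = re.compile(r"'(/[^']*)'")  # first single-quoted absolute path in the body


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    timestamp: str
    host: str
    location: str
    rule_id: int
    level: int
    description: str
    path: Optional[str]
    body: List[str] = field(default_factory=list)


def first_path(body: List[str]) -> Optional[str]:
    """Return the first quoted absolute path in the alert body, if any."""
    for line in body:
        m = PATH_RE.search(line)
        if m:
            return m.group(1)
    return None


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into '** Alert' blocks and parse each one."""
    alerts: List[Alert] = []
    for chunk in text.split("** Alert ")[1:]:
        lines = ("** Alert " + chunk).strip().splitlines()
        hdr = HEADER_RE.match(lines[0])
        org = ORIGIN_RE.match(lines[1]) if len(lines) > 1 else None
        rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
        if not (hdr and org and rule):
            continue  # skip a malformed block instead of aborting the whole scan
        body = lines[3:]
        alerts.append(Alert(
            alert_id=hdr["id"],
            groups=[g for g in hdr["groups"].split(",") if g],
            timestamp=org["ts"], host=org["host"], location=org["location"],
            rule_id=int(rule["rule"]), level=int(rule["level"]),
            description=rule["desc"], path=first_path(body), body=body))
    return alerts


def rules_fired_for(alerts: List[Alert], path_prefix: str) -> Set[int]:
    """Rule ids that fired for files under path_prefix."""
    return {a.rule_id for a in alerts if a.path and a.path.startswith(path_prefix)}


def rule_triggered(alerts: List[Alert], rule_id: int, path_prefix: str) -> bool:
    """True if the given rule id produced at least one alert under path_prefix."""
    return rule_id in rules_fired_for(alerts, path_prefix)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS_LOG)
    for a in parsed:
        print(f"{a.timestamp} {a.host} rule {a.rule_id} (level {a.level}) {a.path}")
    print("rules fired under /home/ross:", sorted(rules_fired_for(parsed, "/home/ross")))
    print("100023 triggered:", rule_triggered(parsed, 100023, "/home/ross"))
```

To use it on a live box, replace SAMPLE_ALERTS_LOG with the contents of your alerts.log. If only 550 shows up for the watched directory, the child rule never matched (the situation in the thread); once 100023 appears for that path, the email_alerts block in ossec.conf keyed on rule_id 100023 has something to act on, and the maillog is the next place to look.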
