Have you done a whole directory match? Do the specific file checks look like the example below?

<rule id="100021" level="13">
  <if_matched_group>syscheck</if_matched_group>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed.</description>
</rule>

On Friday, March 28, 2014 11:05:33 AM UTC-5, dan (ddpbsd) wrote:
> On Fri, Mar 28, 2014 at 12:02 PM, Ryan <[email protected]> wrote:
> > Has anyone else tried to create specific rules like this before? Since the
> > email works for some of the rules, I think I need to fix the local rules.
>
> I've used custom rules to look for changes to specific files. I think
> my rules checked for the syscheck group and <match> on the file name.
>
> > On Friday, March 28, 2014 10:55:55 AM UTC-5, dan (ddpbsd) wrote:
> > > On Fri, Mar 28, 2014 at 11:33 AM, Ryan <[email protected]> wrote:
> > > > The log search the rules should perform to trigger the email. The rules
> > > > are in the same group; they are in between the below entries. I have had
> > > > two emails trigger from the below rules, but I have tested modifications
> > > > that should have triggered all rules to email.
> > >
> > > Make sure the modifications trigger an alert. If the (correct) alert
> > > is triggered, check for an email.
> > > If an alert is not triggered, you have 1 problem. If the (correct)
> > > alert is triggered, but you have no email, you have a second problem.
> > > It's important to find out which problem you are having.
> > >
> > > Beyond that, I don't think I have anything else to offer. I feel like
> > > getting to this point (basically the beginning) has been enough work.
> > >
> > > > <group name="group-all-the-new-rules-are-in,">
> > > > </group>
> > > >
> > > > On Friday, March 28, 2014 10:22:51 AM UTC-5, dan (ddpbsd) wrote:
> > > > > On Fri, Mar 28, 2014 at 11:19 AM, Ryan <[email protected]> wrote:
> > > > > > Some of the email notifications work, but I think my issue is more
> > > > > > with the rule search. Below is the email notification:
> > > > >
> > > > > What rule search?
> > > > >
> > > > > > <email_alerts>
> > > > > >   <email_to>myemail@mydomain</email_to>
> > > > > >   <group>group-all-the-new-rules-are-in</group>
> > > > >
> > > > > Are you sure they're all in this group? Are any of the rules
> > > > > triggering these emails?
> > > > >
> > > > > >   <do_not_delay />
> > > > > >   <do_not_group />
> > > > > > </email_alerts>
> > > > > >
> > > > > > On Friday, March 28, 2014 10:11:38 AM UTC-5, dan (ddpbsd) wrote:
> > > > > > > On Fri, Mar 28, 2014 at 11:08 AM, Ryan <[email protected]> wrote:
> > > > > > > > In the logs I see that some are triggering.
> > > > > > >
> > > > > > > So, doesn't it seem like the problem is with the email configuration
> > > > > > > and not the rules?
> > > > > > >
> > > > > > > > On Friday, March 28, 2014 9:58:29 AM UTC-5, dan (ddpbsd) wrote:
> > > > > > > > > On Fri, Mar 28, 2014 at 10:53 AM, Ryan <[email protected]> wrote:
> > > > > > > > > > Hello,
> > > > > > > > > > I am working on creating rules to email specific groups when a
> > > > > > > > > > file changes in a specific directory on a client. I am trying to
> > > > > > > > > > copy the below rules, but for a specific directory. I added the
> > > > > > > > > > specific directories into the syscheck notation on the client
> > > > > > > > > > side. I also found and changed the default setting that the
> > > > > > > > > > ossec server will ignore file changes after 3 changes. I did not
> > > > > > > > > > clear any counters after applying this change. I think I have
> > > > > > > > > > the email to the specific group figured out, but I am not
> > > > > > > > > > getting the emails on the changes. The logs are showing some of
> > > > > > > > > > the changes.
> > > > > > > > >
> > > > > > > > > Are your rules triggering?
> > > > > > > > >
> > > > > > > > > > Rules I am trying to copy:
> > > > > > > > > > <rule id="550" level="7">
> > > > > > > > > >   <category>ossec</category>
> > > > > > > > > >   <decoded_as>syscheck_integrity_changed</decoded_as>
> > > > > > > > > >   <description>Integrity checksum changed.</description>
> > > > > > > > > >   <group>syscheck,</group>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="551" level="7">
> > > > > > > > > >   <category>ossec</category>
> > > > > > > > > >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> > > > > > > > > >   <description>Integrity checksum changed again (2nd time).</description>
> > > > > > > > > >   <group>syscheck,</group>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="552" level="7">
> > > > > > > > > >   <category>ossec</category>
> > > > > > > > > >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> > > > > > > > > >   <description>Integrity checksum changed again (3rd time).</description>
> > > > > > > > > >   <group>syscheck,</group>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="553" level="7">
> > > > > > > > > >   <category>ossec</category>
> > > > > > > > > >   <decoded_as>syscheck_deleted</decoded_as>
> > > > > > > > > >   <description>File deleted. Unable to retrieve checksum.</description>
> > > > > > > > > >   <group>syscheck,</group>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="554" level="0">
> > > > > > > > > >   <category>ossec</category>
> > > > > > > > > >   <decoded_as>syscheck_new_entry</decoded_as>
> > > > > > > > > >   <description>File added to the system.</description>
> > > > > > > > > >   <group>syscheck,</group>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="555" level="7">
> > > > > > > > > >   <if_sid>500</if_sid>
> > > > > > > > > >   <match>^ossec: agentless: </match>
> > > > > > > > > >   <description>Integrity checksum for agentless device changed.</description>
> > > > > > > > > >   <group>syscheck,agentless</group>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > Different trial rules:
> > > > > > > > > > <rule id="100001" level="13">
> > > > > > > > > >   <if_sid>550</if_sid>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>A file has changed in DIRECTORY</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100002" level="13">
> > > > > > > > > >   <if_sid>551</if_sid>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>A file has changed (2nd time) in DIRECTORY</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100003" level="13">
> > > > > > > > > >   <if_sid>552</if_sid>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>A file has changed (3rd time) in DIRECTORY</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100004" level="13">
> > > > > > > > > >   <if_sid>553</if_sid>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>A file was deleted in DIRECTORY</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100005" level="13">
> > > > > > > > > >   <if_sid>554</if_sid>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>A file was added in DIRECTORY</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100006" level="13">
> > > > > > > > > >   <if_sid>555</if_sid>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum of a file was changed in DIRECTORY</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100011" level="13">
> > > > > > > > > >   <decoded_as>syscheck_integrity_changed</decoded_as>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum changed.</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100012" level="13">
> > > > > > > > > >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum changed again (2nd time).</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100013" level="13">
> > > > > > > > > >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum changed again (3rd time).</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100014" level="13">
> > > > > > > > > >   <decoded_as>syscheck_deleted</decoded_as>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>File deleted. Unable to retrieve checksum.</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100015" level="13">
> > > > > > > > > >   <decoded_as>syscheck_new_entry</decoded_as>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>File added to the system.</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100021" level="13">
> > > > > > > > > >   <if_matched_group>syscheck</if_matched_group>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum changed.</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100022" level="13">
> > > > > > > > > >   <if_matched_group>syscheck</if_matched_group>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum changed again (2nd time).</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100023" level="13">
> > > > > > > > > >   <if_matched_group>syscheck</if_matched_group>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>Integrity checksum changed again (3rd time).</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100024" level="13">
> > > > > > > > > >   <if_matched_group>syscheck</if_matched_group>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>File deleted. Unable to retrieve checksum.</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > <rule id="100025" level="13">
> > > > > > > > > >   <if_matched_group>syscheck</if_matched_group>
> > > > > > > > > >   <match>DIRECTORY</match>
> > > > > > > > > >   <description>File added to the system.</description>
> > > > > > > > > > </rule>
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > >
> > > > > > > > > > ---
> > > > > > > > > > You received this message because you are subscribed to the Google
> > > > > > > > > > Groups "ossec-list" group.
> > > > > > > > > > To unsubscribe from this group and stop receiving emails from it,
> > > > > > > > > > send an email to [email protected].
> > > > > > > > > > For more options, visit https://groups.google.com/d/optout.
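A small Python checker, added here and not part of the thread, that applies dan's split (does each custom rule fire at all, and is it in the group that `<email_alerts>` mails?) to a constructed local_rules.xml fragment in the thread's pattern and a constructed alerts.log excerpt. The path /etc/myapp, the agent name and the addresses are made up; the `mail` marker read from the alert header is the one OSSEC writes when an alert is queued for email.

```python
import re
import xml.etree.ElementTree as ET
# Constructed local_rules.xml fragment in the thread's pattern; the hypothetical
# path /etc/myapp stands in for DIRECTORY.
RULES_XML = """
<group name="group-all-the-new-rules-are-in,">
  <rule id="100021" level="13">
    <if_matched_group>syscheck</if_matched_group>
    <match>/etc/myapp</match>
    <description>Integrity checksum changed.</description>
  </rule>
  <rule id="100024" level="13">
    <if_matched_group>syscheck</if_matched_group>
    <match>/etc/myapp</match>
    <description>File deleted. Unable to retrieve checksum.</description>
  </rule>
</group>"""

# Constructed alerts.log excerpt: stock rule 550 fired and carries the "mail"
# flag; custom rule 100021 fired without it; custom rule 100024 never fired.
ALERTS_LOG = """\
** Alert 1396022533.1001: mail - ossec,syscheck,
2014 Mar 28 11:02:13 (client01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/myapp/app.conf'

** Alert 1396022540.1102: - group-all-the-new-rules-are-in,
2014 Mar 28 11:02:20 (client01) 10.0.0.5->syscheck
Rule: 100021 (level 13) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/myapp/app.conf'
"""

# Alert header, then the location line, then "Rule: <id> (level <n>)".
ALERT_RE = re.compile(r"^\*\* Alert \S+: (mail )?- \S*\n[^\n]*\nRule: (\d+) \(", re.M)
def custom_rules(xml_text):
    # rule id -> groups it is declared in (container name plus its own <group>)
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = {}
    for grp in root.findall("group"):
        inherited = {g for g in grp.get("name", "").split(",") if g}
        for rule in grp.findall("rule"):
            own = {g for g in rule.findtext("group", "").split(",") if g}
            rules[rule.get("id")] = inherited | own
    return rules
def diagnose(xml_text, log_text, email_group):
    # dan's split: did the rule fire at all, and would its alert be mailed?
    fired = {m.group(2): m.group(1) is not None for m in ALERT_RE.finditer(log_text)}
    return {rid: {"fired": rid in fired, "in_email_group": email_group in groups,
                  "mail_flagged": fired.get(rid, False)}
            for rid, groups in custom_rules(xml_text).items()}
```

The checker reads only declared groups and the log; it does not evaluate `<if_sid>` or `<if_matched_group>` conditions, so a rule it reports as never fired (100024 here) still needs its condition checked separately.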
