On Fri, Mar 28, 2014 at 12:19 PM, Ryan <[email protected]> wrote:
> Have you done a whole directory match? Do the specific file checks look
> like the example below?
>

I think so, can't remember off hand though. I don't currently use any.

> > <rule id="100021" level="13">
> > <if_matched_group>syscheck</if_matched_group>
> > <match>DIRECTORY</match>
> > <description>Integrity checksum changed.</description>
> > </rule>
> >
> > On Friday, March 28, 2014 11:05:33 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 28, 2014 at 12:02 PM, Ryan <[email protected]> wrote:
>> > Has anyone else tried to create specific rules like this before? Since
>> > the email works for some of the rules, I think I need to fix the local
>> > rules.
>> >
>>
>> I've used custom rules to look for changes to specific files. I think
>> my rules checked for the syscheck group and <match> on the file name.
>>
>> > On Friday, March 28, 2014 10:55:55 AM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Mar 28, 2014 at 11:33 AM, Ryan <[email protected]> wrote:
>> >> > The log search the rules should perform to trigger the email. The
>> >> > rules are in the same group, they are in-between the below entries.
>> >> > I have had two emails trigger from the below rules, but I have tested
>> >> > modifications that should have triggered all rules to email.
>> >> >
>> >>
>> >> Make sure the modifications trigger an alert. If the (correct) alert
>> >> is triggered, check for an email.
>> >> If an alert is not triggered, you have 1 problem. If the (correct)
>> >> alert is triggered, but you have no email you have a second problem.
>> >> It's important to find out which problem you are having.
>> >>
>> >> Beyond that, I don't think I have anything else to offer. I feel like
>> >> getting to this point (basically the beginning) has been enough work.
>> >>
>> >> > <group name="group-all-the-new-rules-are-in,">
>> >> > </group>
>> >> >
>> >> > On Friday, March 28, 2014 10:22:51 AM UTC-5, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Fri, Mar 28, 2014 at 11:19 AM, Ryan <[email protected]> wrote:
>> >> >> > Some of the email notifications work, but I think my issue is more
>> >> >> > with the rule search. Below is the email notification:
>> >> >>
>> >> >> What rule search?
>> >> >>
>> >> >> > <email_alerts>
>> >> >> > <email_to>myemail@mydomain</email_to>
>> >> >> > <group>group-all-the-new-rules-are-in</group>
>> >> >>
>> >> >> Are you sure they're all in this group? Are any of the rules
>> >> >> triggering these emails?
>> >> >>
>> >> >> > <do_not_delay />
>> >> >> > <do_not_group />
>> >> >> > </email_alerts>
>> >> >> >
>> >> >> >
>> >> >> > On Friday, March 28, 2014 10:11:38 AM UTC-5, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Fri, Mar 28, 2014 at 11:08 AM, Ryan <[email protected]> wrote:
>> >> >> >> > In the logs I see that some are triggering.
>> >> >> >> >
>> >> >> >>
>> >> >> >> So, doesn't it seem like the problem is with the email
>> >> >> >> configuration and not the rules?
>> >> >> >>
>> >> >> >> > On Friday, March 28, 2014 9:58:29 AM UTC-5, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Fri, Mar 28, 2014 at 10:53 AM, Ryan <[email protected]> wrote:
>> >> >> >> >> > Hello,
>> >> >> >> >> > I am working on creating rules to email specific groups when a
>> >> >> >> >> > file changes in a specific directory on a client. I am trying
>> >> >> >> >> > to copy the below rules, but for a specific directory. I added
>> >> >> >> >> > the specific directories into the syscheck notation on the
>> >> >> >> >> > client side. I also found and changed the default setting that
>> >> >> >> >> > the ossec server will ignore file changes after 3 changes. I
>> >> >> >> >> > did not clear any counters after applying this change. I think
>> >> >> >> >> > I have the email to the specific group figured out, but I am
>> >> >> >> >> > not getting the emails on the changes. The logs are showing
>> >> >> >> >> > some of the changes.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Are your rules triggering?
>> >> >> >> >>
>> >> >> >> >> > Rules I am trying to copy:
>> >> >> >> >> > <rule id="550" level="7">
>> >> >> >> >> > <category>ossec</category>
>> >> >> >> >> > <decoded_as>syscheck_integrity_changed</decoded_as>
>> >> >> >> >> > <description>Integrity checksum changed.</description>
>> >> >> >> >> > <group>syscheck,</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="551" level="7">
>> >> >> >> >> > <category>ossec</category>
>> >> >> >> >> > <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
>> >> >> >> >> > <description>Integrity checksum changed again (2nd time).</description>
>> >> >> >> >> > <group>syscheck,</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="552" level="7">
>> >> >> >> >> > <category>ossec</category>
>> >> >> >> >> > <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
>> >> >> >> >> > <description>Integrity checksum changed again (3rd time).</description>
>> >> >> >> >> > <group>syscheck,</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="553" level="7">
>> >> >> >> >> > <category>ossec</category>
>> >> >> >> >> > <decoded_as>syscheck_deleted</decoded_as>
>> >> >> >> >> > <description>File deleted. Unable to retrieve checksum.</description>
>> >> >> >> >> > <group>syscheck,</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="554" level="0">
>> >> >> >> >> > <category>ossec</category>
>> >> >> >> >> > <decoded_as>syscheck_new_entry</decoded_as>
>> >> >> >> >> > <description>File added to the system.</description>
>> >> >> >> >> > <group>syscheck,</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="555" level="7">
>> >> >> >> >> > <if_sid>500</if_sid>
>> >> >> >> >> > <match>^ossec: agentless: </match>
>> >> >> >> >> > <description>Integrity checksum for agentless device changed.</description>
>> >> >> >> >> > <group>syscheck,agentless</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > Different trial rules:
>> >> >> >> >> > <rule id="100001" level="13">
>> >> >> >> >> > <if_sid>550</if_sid>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>A file has changed in DIRECTORY</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100002" level="13">
>> >> >> >> >> > <if_sid>551</if_sid>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>A file has changed (2nd time) in DIRECTORY</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100003" level="13">
>> >> >> >> >> > <if_sid>552</if_sid>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>A file has changed (3rd time) in DIRECTORY</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100004" level="13">
>> >> >> >> >> > <if_sid>553</if_sid>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>A file was deleted in DIRECTORY</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100005" level="13">
>> >> >> >> >> > <if_sid>554</if_sid>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>A file was added in DIRECTORY</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100006" level="13">
>> >> >> >> >> > <if_sid>555</if_sid>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum of a file was changed in DIRECTORY</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100011" level="13">
>> >> >> >> >> > <decoded_as>syscheck_integrity_changed</decoded_as>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum changed.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100012" level="13">
>> >> >> >> >> > <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum changed again (2nd time).</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100013" level="13">
>> >> >> >> >> > <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum changed again (3rd time).</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100014" level="13">
>> >> >> >> >> > <decoded_as>syscheck_deleted</decoded_as>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>File deleted. Unable to retrieve checksum.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100015" level="13">
>> >> >> >> >> > <decoded_as>syscheck_new_entry</decoded_as>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>File added to the system.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100021" level="13">
>> >> >> >> >> > <if_matched_group>syscheck</if_matched_group>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum changed.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100022" level="13">
>> >> >> >> >> > <if_matched_group>syscheck</if_matched_group>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum changed again (2nd time).</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100023" level="13">
>> >> >> >> >> > <if_matched_group>syscheck</if_matched_group>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>Integrity checksum changed again (3rd time).</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100024" level="13">
>> >> >> >> >> > <if_matched_group>syscheck</if_matched_group>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>File deleted. Unable to retrieve checksum.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="100025" level="13">
>> >> >> >> >> > <if_matched_group>syscheck</if_matched_group>
>> >> >> >> >> > <match>DIRECTORY</match>
>> >> >> >> >> > <description>File added to the system.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
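The advice in the thread is to first establish which of two problems you have: no (correct) alert fired, or an alert fired without an email. As an added example (not code from the thread or from OSSEC), the Python script below reads alerts.log entries and answers that per watched directory; the sample entries, the rule id 100001, the group name critical-files and the host names are constructed, and the entry layout assumes the classic OSSEC alerts.log format.

```python
import re
# Header of one alerts.log entry, e.g. "** Alert 1396023000.1001: mail  - ossec,syscheck,"
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<ts>[\d.]+):(?P<mail> mail)?\s+-\s+(?P<groups>\S+)$", re.M)
RULE_LINE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)", re.M)
PATH_LINE = re.compile(r"'(/[^']*)'")  # first quoted absolute path in the entry body

# Constructed sample alerts.log excerpt (not a real log); layout follows the classic OSSEC format.
SAMPLE_ALERTS = """\
** Alert 1396023000.1001: - ossec,syscheck,
2014 Mar 28 12:00:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1396023010.1002: mail  - local,syscheck,critical-files,
2014 Mar 28 12:00:10 (web01) 10.0.0.5->syscheck
Rule: 100001 (level 13) -> 'A file has changed in /var/www'
Integrity checksum changed for: '/var/www/index.php'

** Alert 1396023020.1003: - ossec,syscheck,
2014 Mar 28 12:00:20 (web01) 10.0.0.5->syscheck
Rule: 554 (level 0) -> 'File added to the system.'
New file '/var/www/new.php' added to the file system.
"""

def parse_alerts(text):
    """Split alerts.log text into dicts with rule id, level, groups, mail flag and file path."""
    alerts = []
    for chunk in re.split(r"\n(?=\*\* Alert )", text.strip()):
        head, rule, path = ALERT_HEADER.search(chunk), RULE_LINE.search(chunk), PATH_LINE.search(chunk)
        if not (head and rule):
            continue  # not a complete alert entry
        alerts.append({"rule": int(rule["rule"]), "level": int(rule["level"]),
                       "groups": [g for g in head["groups"].split(",") if g],
                       "mail": head["mail"] is not None,  # server flagged this alert for email
                       "path": path.group(1) if path else None})
    return alerts

def triage(text, watched_dir, email_group, custom_rules):
    """Tell the two problems apart for one watched directory: no (correct) alert vs. no email."""
    hits = [a for a in parse_alerts(text) if a["path"] and a["path"].startswith(watched_dir)]
    if not hits:
        return "problem 1: no syscheck alert at all for this directory", hits
    if not any(a["rule"] in custom_rules for a in hits):
        return "problem 1: only the stock rules fired; the custom <match> never matched", hits
    good = [a for a in hits if a["rule"] in custom_rules and email_group in a["groups"]]
    if not good:
        return "problem 2: custom rule fired but its alert is not in the email_alerts group", hits
    if not any(a["mail"] for a in good):
        return "problem 2: alert is in the email group but was not flagged for mail (check email_alert_level)", hits
    return "ok: custom rule fired, is in the email group and was flagged for mail", hits
```

Run it against a copy of /var/ossec/logs/alerts/alerts.log with the directory, the email_alerts group and the custom rule ids from local_rules.xml to see which problem applies.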
