There's no way to check if a file got smaller using syscheck. What you can do though is create an active response script that checks if a file got smaller that fires whenever rule 550 fires (syscheck file changes).
Here's my script (in this case it sends an e-mail but you can also make it do something else):

#!/bin/sh
# E-mails an alert - /var/ossec/active-response/bin/mail-smaller.sh
# This script will mail if it detects that a syschecked file got smaller.
# This script also requires you to have the default "custom AV alerts"

MAILADDRESS="[email protected]"

# Arguments handed to the script by the active-response framework
ACTION=$1
ALERTID=$2
RULEID=$5

LOCAL=$(dirname "$0")
cd "$LOCAL"
cd ../
PWD=$(pwd)

# Logging the call of this AR script
echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log"

# Filtering out of the alert
FILENAME=$(grep "$ALERTID" /var/ossec/logs/alerts/alerts.log | cut -d \; -f9 | cut -d \' -f2) # get path + filename
SIZE1=$(grep "$ALERTID" /var/ossec/logs/alerts/alerts.log | cut -d \; -f9 | cut -d \' -f4)    # size 1
SIZE2=$(grep "$ALERTID" /var/ossec/logs/alerts/alerts.log | cut -d \; -f9 | cut -d \' -f6)    # size 2
ALERT=$(grep "$ALERTID" /var/ossec/logs/alerts/alerts.log)
DATE=$(date)

if [ "$SIZE1" -gt "$SIZE2" ] # check if file got smaller
then
    # printf instead of echo: not every /bin/sh echo interprets \t and \n
    printf 'DATE:\t\t\t\t%s\nFILENAME:\t\t\t%s\nFILESIZE BEFORE:\t\t%s\nFILESIZE AFTER:\t\t%s\n\n FULL ALERT : %s\n' \
        "$DATE" "$FILENAME" "$SIZE1" "$SIZE2" "$ALERT" | mail -s "OSSEC: Filesize of $FILENAME Decreased!" "$MAILADDRESS"
fi

Hope this helps ;)

On Friday, 3 September 2010 00:27:41 UTC+2, jplee3 wrote:
>
> Hey all,
>
> I need syscheck to monitor for if a log file was tampered with (zeroed
> out or modified/edited). Right now it seems that if you have syscheck
> monitor a log file for this purpose, it will generate tons of 'false
> positives' because log files are pretty dynamically changed/rotated.
>
> Any way to have OSSEC check if someone was trying to edit the file
> though?
>
> Thanks!
> jeremy

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
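As an added example (not from the post above, and not OSSEC's own code), the size comparison the script performs, applied to a single alert line passed as an argument rather than grepped out of alerts.log. It assumes the same field layout the script's cut pipeline relies on (path, old size and new size as the second, fourth and sixth '-delimited tokens of the ninth ';'-separated field) and refuses to compare anything that is not a plain integer, so an alert in an unexpected format cannot make the "[ -gt ]" test error out the way it does in the script; the sample alert lines are constructed.

```shell
#!/bin/sh
# Added example: decide from one syscheck alert line whether the file shrank.
# The field layout is an assumption matching the cut/cut pipeline in
# mail-smaller.sh; the sample lines below are constructed, not real OSSEC output.

# N-th '-delimited token of the ninth ';'-separated field of an alert line.
# "-s" makes cut print nothing (instead of the whole line) when a delimiter is absent.
alert_token() {
    printf '%s\n' "$1" | cut -s -d ';' -f9 | cut -s -d "'" -f"$2"
}

# Succeed only for a non-empty string of digits.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Exit status: 0 = file got smaller, 1 = it did not, 2 = line not parseable.
file_got_smaller() {
    _old=$(alert_token "$1" 4)
    _new=$(alert_token "$1" 6)
    is_number "$_old" && is_number "$_new" || return 2
    [ "$_old" -gt "$_new" ]
}

# Constructed sample alert lines; field 9 carries the syscheck "Size changed"
# text in the assumed layout, the other fields are filler.
SHRUNK="f1;f2;f3;f4;f5;f6;f7;f8;Integrity checksum changed for: '/var/log/auth.log' Size changed from '52310' to '0';f10"
GREW="f1;f2;f3;f4;f5;f6;f7;f8;Integrity checksum changed for: '/var/log/auth.log' Size changed from '52310' to '52899';f10"
NOSIZE="f1;f2;f3;f4;f5;f6;f7;f8;Integrity checksum changed for: '/etc/passwd';f10"

for line in "$SHRUNK" "$GREW" "$NOSIZE"; do
    rc=0
    file_got_smaller "$line" || rc=$?
    case $rc in
        0) printf 'SMALLER   %s (%s -> %s)\n' "$(alert_token "$line" 2)" "$(alert_token "$line" 4)" "$(alert_token "$line" 6)" ;;
        1) printf 'ok        %s\n' "$(alert_token "$line" 2)" ;;
        *) printf 'unparsed  %s\n' "$line" ;;
    esac
done
```

Only the "SMALLER" case would be wired to the mail call; the "unparsed" case is the one the original script silently turns into a shell error.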
