Where does ossec store rootcheck's base?
Thursday, December 13, 2012, 22:18:04 UTC+4, user orfan wrote:
>
> ./rootcheck_control -i 004
>
> Policy and auditing events for agent 'venus (004) - 10.0.0.3':
>
> Resolved events:
> 2012 Dec 08 03:14:03 (first time detected: 2012 Dec 08 03:14:03)
> System Audit: System Audit: Possible backdoor. File: /usr/home/www/mysite/htdocs/dumper.php.
>
> Outstanding events:
>
> 2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)
> System Audit: System Audit: Web exploits (uncommon file name inside htdocs) - Possible compromise. File: /usr/home/www/mysite/git/.ssh. Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links .
>
> 2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
> System Audit: System Audit: Possible backdoor. File:/usr/home/www/mysite/htdocs/cfg/main.php.
>
> 2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
> System Audit: System Audit: Possible backdoor. File: /usr/home/www/mysite/htdocs/shopz.php.
>
> 2012 Dec 13 05:28:53 (first time detected: 2012 Dec 08 03:14:32)
> System Audit: System Audit: Possible redirector. File: /usr/home/www/mysite/htdocs/.htaccess.
>
> 2012 Dec 13 05:34:21 (first time detected: 2012 Dec 08 03:20:37)
> System Audit: Interface 'igb1' in promiscuous mode.
>
> Yes, dates are correct in the alert.log.
>
> Version: ossec-hids-server-2.6_2
>
> Thursday, December 13, 2012, 18:45:38 UTC+4, user dan (ddpbsd) wrote:
>>
>> On Wed, Dec 12, 2012 at 10:07 AM, orfan <a.ul...@gmail.com> wrote:
>> > Ossec doesn't send messages about system audit events. But I can see the
>> > events when I run 'rootcheck_control -i XXX'. And there are no records about
>> > those events in the alert.log file. It worked before; I received the email about
>> > system audit events from ossec. I don't know why it does not work now.
>> >
>>
>> Are these entries recent? (I don't have any entries, so I have no idea
>> what they look like)
>>
>> Are you checking the correct dates in the alert.log files?
>>
>> What version of OSSEC?
>>
>> > Wednesday, December 12, 2012, 1:56:26 UTC+4, user dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Dec 10, 2012 at 10:12 AM, orfan <a.ul...@gmail.com> wrote:
>> >> > I have ossec-hids-server-2.6_2.
>> >> >
>> >> > <rule id="509" level="0">
>> >> >   <category>ossec</category>
>> >> >   <decoded_as>rootcheck</decoded_as>
>> >> >   <description>Rootcheck event.</description>
>> >> >   <group>rootcheck,</group>
>> >> > </rule>
>> >> >
>> >> > Decoded as "rootcheck", but I can't find a rootcheck decoder in
>> >> > decoder.xml.
>> >> > Is it normal?
>> >> >
>> >>
>> >> I believe that decoder is actually coded inside of rootcheck for speed
>> >> reasons.
>> >
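The thread's core complaint is that `rootcheck_control -i` lists findings that never show up in alert.log. Below is an added example, not code from the thread or from OSSEC itself: a small Python parser for the `rootcheck_control -i` listing format quoted above, plus two checks a defender would run on it, one for outstanding findings that have been open for longer than a threshold and one for outstanding findings whose timestamp never appears in an alert log. The sample listing and the sample alert-log fragment are constructed for this example (modelled on the poster's output, trimmed to four findings); the alert-log check only relies on the `YYYY Mon DD HH:MM:SS` timestamp string, not on the rest of the alert format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample input, modelled on the rootcheck_control -i listing in the thread
# (the poster's agent name, id, address and paths; trimmed to four findings).
SAMPLE_OUTPUT = """\
Policy and auditing events for agent 'venus (004) - 10.0.0.3':

Resolved events:
2012 Dec 08 03:14:03 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor. File: /usr/home/www/mysite/htdocs/dumper.php.

Outstanding events:

2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)
System Audit: System Audit: Web exploits (uncommon file name inside htdocs) - Possible compromise. File: /usr/home/www/mysite/git/.ssh. Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links .

2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor. File:/usr/home/www/mysite/htdocs/cfg/main.php.

2012 Dec 13 05:34:21 (first time detected: 2012 Dec 08 03:20:37)
System Audit: Interface 'igb1' in promiscuous mode.
"""

# Constructed alert-log fragment: only the promiscuous-mode finding was alerted on.
SAMPLE_ALERT_LOG = """\
** Alert 1355362461.0: - ossec,rootcheck,
2012 Dec 13 05:34:21 (venus) 10.0.0.3->rootcheck
Interface 'igb1' in promiscuous mode.
"""

TS_FORMAT = "%Y %b %d %H:%M:%S"
_TS = r"\d{4} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}"
HEADER_RE = re.compile(rf"^(?P<last>{_TS}) \(first time detected: (?P<first>{_TS})\)$")
AGENT_RE = re.compile(r"^Policy and auditing events for agent '(?P<agent>[^']*)':$")
# Path after "File:" with or without a space, minus the sentence-ending period.
FILE_RE = re.compile(r"File:\s*(?P<path>\S+?)\.?(?=\s|$)")


@dataclass
class RootcheckEvent:
    status: str              # "resolved" or "outstanding"
    last_seen: datetime      # timestamp at the start of the header line
    first_seen: datetime     # the "first time detected" timestamp
    message: str             # text following the header line
    path: Optional[str]      # file named in the message, if any


def parse_rootcheck_control(text: str) -> Tuple[Optional[str], List[RootcheckEvent]]:
    """Parse rootcheck_control -i output into (agent label, list of events)."""
    agent = None
    status = None
    events: List[RootcheckEvent] = []
    pending = None  # (last_seen, first_seen) of a header awaiting its message line

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AGENT_RE.match(line)
        if m:
            agent = m.group("agent")
            continue
        if line == "Resolved events:":
            status = "resolved"
            continue
        if line == "Outstanding events:":
            status = "outstanding"
            continue
        m = HEADER_RE.match(line)
        if m:
            if status is None:
                raise ValueError("event header before any section header")
            pending = (datetime.strptime(m.group("last"), TS_FORMAT),
                       datetime.strptime(m.group("first"), TS_FORMAT))
            continue
        if pending is not None:
            last_seen, first_seen = pending
            fm = FILE_RE.search(line)
            events.append(RootcheckEvent(status, last_seen, first_seen, line,
                                         fm.group("path") if fm else None))
            pending = None
        elif events:
            # Mail-wrapped continuation of the previous message line.
            events[-1].message += " " + line
            if events[-1].path is None:
                fm = FILE_RE.search(line)
                if fm:
                    events[-1].path = fm.group("path")
    return agent, events


def stale_outstanding(events: List[RootcheckEvent], now: datetime,
                      max_age: timedelta) -> List[RootcheckEvent]:
    """Outstanding findings first detected more than max_age before `now`."""
    return [e for e in events
            if e.status == "outstanding" and now - e.first_seen > max_age]


def missing_from_alert_log(events: List[RootcheckEvent],
                           alert_log: str) -> List[RootcheckEvent]:
    """Outstanding findings whose last-seen timestamp never appears in the alert log."""
    return [e for e in events
            if e.status == "outstanding"
            and e.last_seen.strftime(TS_FORMAT) not in alert_log]


if __name__ == "__main__":
    agent, evs = parse_rootcheck_control(SAMPLE_OUTPUT)
    print(f"agent {agent}: {len(evs)} findings")
    for e in missing_from_alert_log(evs, SAMPLE_ALERT_LOG):
        print("no alert for:", e.last_seen.strftime(TS_FORMAT), e.message)
```

Pointing `missing_from_alert_log` at the real alert.log (opened with the retention window you keep) gives the list of findings the thread is asking about: present in the rootcheck database, absent from alerts. `stale_outstanding` is the complementary view, findings that have been open for days and should either be remediated or explicitly resolved.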