
[ossec-list] OSSEC-- File integrity check??



I installed the server on Fedora and an agent on a Windows XP SP2 system.
Everything is working fine except that when I test the file integrity
checking, it is not reporting any newly created files.
It reports content changes to existing files, but not new
files. Can anyone look at the config files and let me know what is
wrong?


Below are the ossec.conf file from the server and the ossec.conf file
contents of the XP client agent.
______________________________Linux Server ossec.conf file___________________
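<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>EMAIL</email_to>
    <smtp_server>SERVER NAME</smtp_server>
    <email_from>ossecm@SERVERNAME</email_from>
    <!-- NOTE(review): integrity_checking is not an option I can find documented
         for <global>; it looks like the install-time setting of the same name.
         The parser may ignore or reject it. Check ossec.log for a warning. -->
    <integrity_checking>6</integrity_checking>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
    <include>zeus_rules.xml</include>
    <include>ossec_rules.xml</include>
    <!-- NOTE(review): syscheck "new file" events are matched by rule 554
         ("File added to the system"), which ships at level 0 in ossec_rules.xml,
         so they are dropped before they become alerts even when the agent sends
         them. To see them, override rule 554 in local_rules.xml with a non-zero
         level (7 or higher if it should also reach email_alert_level below).
         Confirm the rule id and level against the ossec_rules.xml installed here. -->
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Full scan interval in seconds: 600 = every 10 minutes.
         New files are only discovered by these scheduled scans, so allow at
         least one interval before expecting a newly created file to show up. -->
    <frequency>600</frequency>

    <!-- Directories to check (perform all possible verifications).
         This section configures syscheck on the server host itself; it does
         not push settings to agents. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- NOTE(review): this is a Linux host, so a C:\WINDOWS entry here has no
         effect. The XP agent's monitored paths come from the agent's own
         ossec.conf. Harmless, but misleading. -->
    <directories check_all="yes">C:\WINDOWS</directories>
    <!-- Emit an event for files that appear after the baseline scan. The event
         still has to pass the server's rules before it turns into an alert. -->
    <alert_new_files>yes</alert_new_files>
    <!-- Keep alerting on files that change often instead of silently
         auto-ignoring them after repeated changes. -->
    <auto_ignore>no</auto_ignore>

    <!-- Files/directories to ignore. Each entry is a blind spot for anything
         placed under it, so keep the list to paths that genuinely churn. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>

    <!-- Windows files to ignore (same remark as above: these only matter on a
         Windows host, not on this server) -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <alerts>
    <!-- Everything at level 1 and above is logged; level 7 and above is also
         mailed. A rule left at level 0 (see the rule 554 note above) reaches
         neither. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
<!-- NOTE(review): the posted copy opened <ossec_config> twice and never closed
     it; one opening tag dropped and the closing tag restored so the document
     is well-formed. The original file presumably ends this way. -->
</ossec_config>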
________________________--END _________________________________

Below are the XP client agent's ossec.conf file contents.

__________________________________XP_client config____________________
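<ossec_config>
  <client>
    <!-- IP address of the OSSEC HIDS server -->
    <server-ip>serverIP</server-ip>
  </client>
<!-- NOTE(review): closing tag added. The posted copy opened a second
     <ossec_config> below without closing this one; the stock Windows ossec.conf
     uses several <ossec_config> blocks in one file, but each must be closed
     or the parser will reject the file. -->
</ossec_config>

<!-- Updated syscheck config -->
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds: 600 = every 10 minutes. New files are
         only found by these scans, so allow at least one interval before
         expecting a report. Scanning all of C:\WINDOWS this often is
         noticeable on an XP box; raise it once testing is done. -->
    <frequency>600</frequency>
    <!-- Report files that appear after the baseline. This only makes the agent
         send the event; whether it becomes an alert is decided by the rules on
         the server (the new-file rule is level 0 unless overridden there). -->
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">C:\WINDOWS</directories>
    <!-- Paths excluded from monitoring. Each entry is a blind spot for anything
         written under it, so keep the list to paths that genuinely churn. -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/LastGood.Tmp</ignore>
    <ignore>C:\WINDOWS/LastGood</ignore>
    <ignore>C:\WINDOWS/Help</ignore>
    <ignore>C:\WINDOWS/Fonts</ignore>
    <ignore>C:\WINDOWS/PCHEALTH</ignore>
    <ignore>C:\WINDOWS/system32/dllcache</ignore>
    <!-- Name-pattern exclusions: any file in the tree whose name ends in one of
         these extensions is skipped regardless of directory. If a test file is
         created with one of these extensions, no new-file event will be sent. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
  </syscheck>
</ossec_config>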
_______________________END_______END_______

Any help is appreciated.




