
[ossec-list] Re: OSSEC-- File integrity check??



Hi Robert,

Did you restart the server after adding the
"<alert_new_files>yes</alert_new_files>"
entry? Syscheck on the agent is driven by the agent's own ossec.conf
<syscheck> section, so the agent needs a restart as well after that file
changes. Also, take a look at this post that explains a bit more about
the alert_new_files
option:

http://www.ossec.net/ossec-list/2007-May/msg00005.html

Two other things in the configs you pasted are worth checking. The server
file opens <ossec_config> twice in a row and no closing </ossec_config> is
shown, and the agent file opens a second <ossec_config> before the first
one is closed; make sure both files are well-formed as the daemons actually
read them. Also, with <email_alert_level>7</email_alert_level> and
<log_alert_level>1</log_alert_level>, an alert for an added file that fires
below level 7 will show up in the alert log but will not be emailed, so
check the alert log before concluding that new files are not being
detected.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/1/07, Robert5156 <gidituri_ravi1@xxxxxxxxxxx> wrote:
>
> I installed server on fedora and an agent on windows XP sp2 system.
> Everything is working fine except when i test the file integrity
> checking, it is not reporting any new files created.
> It is reporting any content changes of existing files ,but not new
> files. Can any one look at the config files and let me know what is
> wrong.
>
>
> Below is the ossec.conf file on the server and ossec.conf file
> contents of XP client agent.
> ______________________________Linux Server ossec.conf
> file___________________
> <ossec_config>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>EMAIL</email_to>
>     <smtp_server>SERVER NAME</smtp_server>
>     <email_from>ossecm@SERVERNAME</email_from>
>     <integrity_checking>6</integrity_checking>
>  </global>
>
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>attack_rules.xml</include>
>     <include>zeus_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
>
>  <syscheck>
>     <!-- Frequency, in seconds, that syscheck is executed. 600 here is
> every 10 minutes; the comment shipped with the stock file refers to a
> 6-hour default, which does not match this value. -->
>     <frequency>600</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) --
> >
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>     <directories check_all="yes">C:\WINDOWS</directories>
>    <alert_new_files>yes</alert_new_files>
>    <auto_ignore>no</auto_ignore>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</
> rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</
> rootkit_trojans>
>   </rootcheck>
>
>  <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
> ________________________--END _________________________________
>
> Below is the XP-client agent's ossec.conf file contents.
>
> __________________________________XP_client config____________________
> <ossec_config>
>   <client>
>     <!-- IP address of the Ossec HIDS server -->
>     <server-ip>serverIP</server-ip>
>   </client>
>
> <!-- Updated syscheck config -->
> <ossec_config>
>   <syscheck>
>     <frequency>600</frequency>
>     <alert_new_files>yes</alert_new_files>
>     <directories check_all="yes">C:\WINDOWS</directories>
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/LastGood.Tmp</ignore>
>     <ignore>C:\WINDOWS/LastGood</ignore>
>     <ignore>C:\WINDOWS/Help</ignore>
>     <ignore>C:\WINDOWS/Fonts</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH</ignore>
>     <ignore>C:\WINDOWS/system32/dllcache</ignore>
>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
>   </syscheck>
> </ossec_config>
> _______________________END_______END_______
>
> Any help is appreciated.
>
>




OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.