[ossec-list] Re: syscheck logs alters randomly

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Thomas,

Please take a look at this post for more information:

http://marc.info/?l=ossec-list&m=117806536420713&w=2

thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/1/07, Mo, Ze Tao (Thomas) <zmo@xxxxxxxxx> wrote:
> Hi,
>
>
>
> I have installed ossec-hids-1.0 on a linux box. It starts up fine. However,
> the syscheck doesn't seem to work as expected. I have configured the
> frequency to one minute, but no matter what I did on those directories and
> files that were listed in the configuration file, it didn't log anything
> into the log files /etc/ossec/logs/ossec.log and
> /etc/ossec/logs/alters/alters.log.
>
>
>
> The strange thing is it logged some alters when I waited for about ten
> minutes:
>
>
>
> ** Alert 1177985540.93407: mail  - syscheck,
>
> 2007 May 01 12:12:20 trinity->syscheck
>
> Rule: 13 (level 8) -> 'Integrity checksum of file '/root/hello' has
> changed.'
>
> Src IP: (none)
>
> User: (none)
>
> Integrity checksum changed for: '/root/hello'
>
> Size changed from '46' to '15'
>
> Old md5sum was: '7afbe5791fddb5b295f66ea512a887a8'
>
> New md5sum is : '032447899e6c18dd3e30388764c0ff21'
>
> Old sha1sum was: '0e989997e46d66e5732bf7326311e9afd3e65494'
>
> New sha1sum is : 'f9340a4bddb9f2783ab37f26012cbd273e64d2f2'
>
>
>
> However, I made some modification to those files /root/hello and
> /etc/init.d/tomcat5 again, but nothing was logged until I waited for more
> than 13 mins. >.<!
>
>
>
> ** Alert 1177986931.98177: mail  - syscheck,
>
> 2007 May 01 12:35:31 trinity->syscheck
>
> Rule: 13 (level 8) -> 'Integrity checksum of file '/etc/init.d/tomcat5' has
> changed again (third time or more).Ignoring it.'
>
> Src IP: (none)
>
> User: (none)
>
> Integrity checksum changed for: '/etc/init.d/tomcat5'
>
> Size changed from '1437' to '1391'
>
> Permissions changed from 'rwxrwxrwx' to 'rwxr-xr-x'
>
> Old md5sum was: 'f6799e9c5a364cc24040f568b647de94'
>
> New md5sum is : '988214a24373a1f5907aecf2758e502a'
>
> Old sha1sum was: 'f6fae1c88f7542ef330ec964edba65bf3098963d'
>
> New sha1sum is : '254a8e54c6690daddcc46ef10100b02a9558d8cc'
>
>
>
>
>
> I have few questions here:
>
> 1. Is there a minimum value I need to set for frequency?
>
> 2. Why syscheck is not checking files "PERIODICALLY"?
>
>
>
> The ossec.conf I am using is:
>
>
>
> <!-- OSSEC config -->
>
>
>
> <ossec_config>
>
>   <global>
>
>     <email_notification>no</email_notification>
>
>     <white_list>127.0.0.1</white_list>
>
>   </global>
>
>
>
>   <rules>
>
>     <include>rules_config.xml</include>
>
>     <include>sshd_rules.xml</include>
>
>     <include>syslog_rules.xml</include>
>
>     <include>pix_rules.xml</include>
>
>     <include>named_rules.xml</include>
>
>     <include>pure-ftpd_rules.xml</include>
>
>     <include>proftpd_rules.xml</include>
>
>     <include>web_rules.xml</include>
>
>     <include>apache_rules.xml</include>
>
>     <include>ids_rules.xml</include>
>
>     <include>squid_rules.xml</include>
>
>     <include>firewall_rules.xml</include>
>
>     <include>postfix_rules.xml</include>
>
>     <include>sendmail_rules.xml</include>
>
>     <include>spamd_rules.xml</include>
>
>     <include>msauth_rules.xml</include>
>
>     <include>attack_rules.xml</include>
>
>   </rules>
>
>
>
>   <syscheck>
>
>     <!-- Frequency that syscheck is executed -- default every 2 hours -->
>
>     <frequency>60</frequency>
>
>     <directories check_all="yes">/root/hello</directories>
>
>     <directories
> check_all="yes">/etc/init.d/tomcat5</directories>
>
>   </syscheck>
>
>
>
>
>
>   <rootcheck>
>
>
> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>
>
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>
>   </rootcheck>
>
>
>
>   <alerts>
>
>     <log_alert_level>1</log_alert_level>
>
>     <email_alert_level>7</email_alert_level>
>
>   </alerts>
>
>
>
>   <command>
>
>     <name>host-deny</name>
>
>     <executable>host-deny.sh</executable>
>
>     <expect>srcip</expect>
>
>     <timeout_allowed>yes</timeout_allowed>
>
>   </command>
>
>
>
>   <command>
>
>     <name>firewall-drop</name>
>
>     <executable>firewall-drop.sh</executable>
>
>     <expect>srcip</expect>
>
>     <timeout_allowed>yes</timeout_allowed>
>
>   </command>
>
>
>
>   <command>
>
>     <name>disable-account</name>
>
>     <executable>disable-account.sh</executable>
>
>     <expect>user</expect>
>
>     <timeout_allowed>yes</timeout_allowed>
>
>   </command>
>
>
>
>
>
>   <!-- Active Response Config -->
>
>   <active-response>
>
>     <!-- This response is going to execute the host-deny
>
>        - command for every event that fires a rule with
>
>        - level (severity) >= 6.
>
>        - The IP is going to be blocked for  600 seconds.
>
>       -->
>
>     <command>host-deny</command>
>
>     <location>local</location>
>
>     <level>6</level>
>
>     <timeout>600</timeout>
>
>   </active-response>
>
>
>
>   <active-response>
>
>     <!-- Firewall Drop response. Block the IP for
>
>        - 600 seconds on the firewall (iptables,
>
>        - ipfilter, etc).
>
>       -->
>
>     <command>firewall-drop</command>
>
>     <location>local</location>
>
>     <level>6</level>
>
>     <timeout>600</timeout>
>
>   </active-response>
>
>
>
>   <!-- Files to monitor (localfiles) -->
>
>
>
>   <localfile>
>
>     <log_format>syslog</log_format>
>
>     <location>/var/log/messages</location>
>
>   </localfile>
>
>
>
>   <localfile>
>
>     <log_format>syslog</log_format>
>
>     <location>/var/log/secure</location>
>
>   </localfile>
>
>
>
>   <localfile>
>
>     <log_format>syslog</log_format>
>
>     <location>/var/log/maillog</location>
>
>   </localfile>
>
>
>
> </ossec_config>
>
>
>
>
>
>
>
>
>
> Any help will be appreciated.
>
>
>
> Thanks
>
> Thomas