{"id":22,"date":"2011-10-25T23:08:00","date_gmt":"2011-10-25T23:08:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=22"},"modified":"2020-06-29T23:11:11","modified_gmt":"2020-06-29T23:11:11","slug":"3woo-alerting-on-dns-ip-address-changes","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2011\/10\/3woo-alerting-on-dns-ip-address-changes\/","title":{"rendered":"3WoO: Alerting on DNS (IP Address) changes"},"content":{"rendered":"\n

If you keep your DNS outside and you can\u2019t monitor the zone files directly, a nice way to make sure the integrity of your DNS is intact is by checking remotely that it hasn\u2019t been changed.<\/p>\n\n\n\n

With OSSEC, you can do it using the command monitoring output.<\/p>\n\n\n\n

First, download the latest version from here<\/a> and install it.<\/p>\n\n\n\n

You will see a new tool in the \/var\/ossec\/bin directory:<\/p>\n\n\n\n

# \/var\/ossec\/bin\/util.sh\n\/var\/ossec\/bin\/util.sh: addfile <filename> [<format>]\n\/var\/ossec\/bin\/util.sh: addsite <domain>\n\/var\/ossec\/bin\/util.sh: adddns <domain>\n\nExample: \/var\/ossec\/bin\/util.sh adddns ossec.net\nExample: \/var\/ossec\/bin\/util.sh addsite dcid.me<\/code><\/pre>\n\n\n\n
So, you can just run the command \u201cutil.sh adddns\u201d and it will add the domain specified to be monitored:<\/p>\n\n\n\n
# \/var\/ossec\/bin\/util.sh adddns ossec.net<\/code><\/pre>\n\n\n\n
In this case, we added the domain ossec.net. In the backend, it will add those new entries:<\/p>\n\n\n\n
<ossec_config>\n   <localfile>\n     <log_format>full_command<\/log_format>\n     <command>host -W 5 -t NS ossec.net; host -W 5 -t A ossec.net | sort<\/command>\n   <\/localfile>\n   <\/ossec_config>\n\n   <group name=\"local,dnschanges,\">\n   <rule id=\"150013\" level=\"10\">\n     <if_sid>530<\/if_sid>\n     <check_diff \/>\n     <match>^ossec: output: \u2019host -W 5 -t NS ossec.net<\/match>\n     <description>DNS Changed for ossec.net<\/description>\n   <\/rule>\n   <\/group><\/code><\/pre>\n\n\n\n
So you get a nice alert when your IP address changes.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you keep your DNS outside and you can\u2019t monitor the zone files directly, a nice way to make sure the integrity of your DNS is intact is by checking remotely that it hasn\u2019t been changed. With OSSEC, you can do it using the command monitoring output. First, download the latest version from here and install it. […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/22"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":23,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/22\/revisions\/23"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}