<h1>Alerting when a log or output of a command changes</h1>

<p>Posted 2010-03-11 at <a href="https://defragged.org/ossec/2010/03/alerting-when-a-log-or-output-of-a-command-changes/">defragged.org/ossec</a>.</p>

<p>If you want to create alerts when a log or the output of a command changes, take a look at the new &lt;check_diff /&gt; option in the rules (available in the latest snapshot).</p>

<p>To demonstrate with an example, we will create a rule to alert when a new port is opened in listening mode on our server.</p>

<p>First, we configure OSSEC to run the ‘netstat -tan |grep LISTEN’ command by adding the following to ossec.conf (the full_command log format delivers the whole command output as a single event, which is what check_diff compares):</p>

<pre class="wp-block-code"><code>&lt;localfile&gt;
  &lt;log_format&gt;full_command&lt;/log_format&gt;
  &lt;command&gt;netstat -tan |grep LISTEN|grep -v 127.0.0.1&lt;/command&gt;
&lt;/localfile&gt;</code></pre>

<p>After that, I add a rule to alert when its output changes:</p>

<pre class="wp-block-code"><code>&lt;rule id="140123" level="7"&gt;
  &lt;if_sid&gt;530&lt;/if_sid&gt;
  &lt;match&gt;ossec: output: 'netstat -tan |grep LISTEN&lt;/match&gt;
  &lt;check_diff /&gt;
  &lt;description&gt;Listened ports have changed.&lt;/description&gt;
&lt;/rule&gt;</code></pre>

<p>Note that we use the &lt;check_diff /&gt; option. The first time it receives the event, it stores the output in an internal database. Every time it receives the same event afterwards, it compares the new output against what was stored and only alerts if the output has changed.</p>

<p>In our example, after configuring OSSEC, I started netcat listening on port 23456, and this is the alert I got:</p>

<pre class="wp-block-code"><code>OSSEC HIDS Notification.
2010 Mar 11 19:56:30

Received From: XYZ->netstat -tan |grep LISTEN|grep -v 127.0.0.1
Rule: 140123 fired (level 7) -> "Listened ports have changed."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.23456           *.*               LISTEN
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN
</code></pre>

<p>What do you think? We can probably extend this idea to create very interesting rules…</p>