How can you use OSSEC to detect, and optionally alert on, new files?

Here is how you do it:

1. Add to the <syscheck> block of etc/ossec.conf: <alert_new_files>yes</alert_new_files>
2. Restart OSSEC.

OSSEC is now configured to detect new files, but you still won't get any alerts. Why? Because of this rule in rules/ossec_rules.xml (OSSEC keeps its rules under rules/, not etc/):

<rule id="554" level="0">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

Level 0 means "ignore this event": nothing is written to alerts.log and no alert or email is sent. To make new file alerting work, we need to do something about this rule. Add this to rules/local_rules.xml (it is loaded after ossec_rules.xml, so the overwrite takes effect):

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

Note:

The next time syscheck performs a full scan (by default every 22 hours, so this could take a while), OSSEC will begin alerting on anything new that is added to a directory you have told it to monitor. But what if temporary files are constantly being added to one of those directories? Or what if you simply copy in a tarball and extract it, and there were several hundred files inside? You'll get flooded with alerts.

The key to making this useful is to take a positive security approach. That is, rather than being alerted on every new file in every directory you have defined, consider where files should rarely be added but where an addition is critical to know about. OS system directories are a good choice: their contents change often because of patching, but patches mostly modify existing files, so a genuinely new file there is rare and worth a look.

Tweak the Rule

We can make this distinction by further tweaking the rule above. The Windows system32 directory is a good example of a place to monitor for new files: malware is often dropped there, while patches generally change existing files rather than add new ones. To be alerted only for the system32 directory, we can either write a dependent rule using <if_sid> or use the overwrite="yes" option. The following example uses the latter:

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<match>\system32\</match>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

This can be as granular as you need it to be. Perhaps you don't need to be alerted to new files and just want them logged. Simply add <options>no_email_alert</options> to the rule, or lower the level below your email_alert_level (7 by default) while keeping it at or above log_alert_level (1 by default) so the event still lands in alerts.log.
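As an added example (not configuration from the original post), here is the <if_sid> alternative mentioned above, combined with the syscheck settings that keep the noise down. The stock rule 554 is left at level 0 and two child rules decide what is worth an alert: new files under system32 trigger an email-level alert, new files anywhere else that syscheck monitors are only logged. The monitored directory, the ignore entries, and the local rule ids 100554/100555 are assumptions chosen for illustration; adjust them to your own environment.

```xml
<!-- etc/ossec.conf on a Windows agent (assumed paths) -->
<ossec_config>
  <syscheck>
    <!-- full scan interval in seconds; new files are reported by this scan -->
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">C:\Windows\System32</directories>
    <!-- keep noisy subtrees and temporary files out of the scan (assumed examples) -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore type="sregex">\.tmp$</ignore>
  </syscheck>
</ossec_config>

<!-- rules/local_rules.xml: leave stock rule 554 at level 0, refine with children -->
<group name="local,syscheck,">
  <!-- Level 7 (default email threshold): a new file under system32 is mailed out. -->
  <rule id="100554" level="7">
    <if_sid>554</if_sid>
    <match>\system32\</match>
    <description>New file added under System32.</description>
    <group>syscheck,</group>
  </rule>

  <!-- Everything else syscheck sees as new is logged to alerts.log but never emailed. -->
  <rule id="100555" level="3">
    <if_sid>554</if_sid>
    <options>no_email_alert</options>
    <description>File added to a monitored directory (logged only).</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Restart OSSEC after editing either file. Because the parent rule 554 is untouched, a future upgrade of ossec_rules.xml will not silently undo your tuning, which is the main practical advantage of <if_sid> children over overwrite="yes".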
