OSSEC监控有新建文件时报警。

from:http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/

 Even so, getting alerts on new files can be useful. Here’s how you do it:

   1. Add to the <syscheck> block of etc/ossec.conf: 

  
  
  
  
  1. <alert_new_files>yes</alert_new_files
    2. Restart OSSEC.

OSSEC is now configured to alert on new files, but you won’t get alerts. Why? It’s because of this rule in etc/ossec_rules.xml:

  
  
  
  
  1. <rule id=”554″ level=”0″> 
  2. <category>ossec</category> 
  3. <decoded_as>syscheck_new_entry</decoded_as> 
  4. <description>File added to the system.</description> 
  5. <group>syscheck,</group> 
  6. </rule> 

This rule says, “don’t log and don’t alert on new files.” To make new file alerting work, we need to do something about this rule. Add this to local_rules.xml:

  
  
  
  
  1. <rule id=”554″ level=”7″ overwrite=”yes”> 
  2. <category>ossec</category> 
  3. <decoded_as>syscheck_new_entry</decoded_as> 
  4. <description>File added to the system.</description> 
  5. <group>syscheck,</group> 
  6. </rule> 

That’s all you have to do. The next time syscheck runs (which could be a few hours), ossec will begin alerting on anything new that is added to a directory you have told OSSEC to monitor. But what if temporary files are constantly being added to one of those directories? Or what if you simply add a tarball, extract it, and there were several hundred files in the tarball? You’ll get flooded with alerts.

 

你可能感兴趣的:(职场,休闲,ossec)