OSSEC Alert On New Files
A colleague came to me today complaining about how tons of malicious .php files are showing up in his Apache directory. After talking to him about vulnerability testing against his website, I suggested he take a look at OSSEC for its system and file integrity checks. OSSEC has the ability to alert you if contents of a system file change, permissions on a user file change, SSH brute-force attempts are made, and when a new file shows up on your file-system.
Installing OSSEC on Linux machines is a breeze. You can also deploy OSSEC agents on Windows machines to invite those to the party Proceed by following official OSSEC installation documentation here.
Enable Active Response
If you did not enable active response during installation, do so now. Open
<code class="EnlighterJSRAW" data-enlighter-language="null">/var/ossec/etc/ossec.conf file in your favorite text editor and either take this section out or replicate as I have written below:
Check out official documentation here to learn and add some active response options to your configuration.
Enable Email Notifications
Replicate following on top of your ossec.conf file to enable email notifications:
<global><br></br> <email_notification>yes</email_notification><br></br> <email_maxperhour>14</email_maxperhour><br></br> <email_to>[email protected]</email_to><br></br> <smtp_server>mysmtpserver.host.com</smtp_server><br></br> <email_from>[email protected]</email_from><br></br> </global>
Enable Alerts On New Files
In order to enable alerts on new files, open up your ossec.conf file and navigate to syscheck section. Now replicate following:
<alert_new_files>yes</alert_new_files><br></br> <scan_on_start>no</scan_on_start><br></br> <auto_ignore>no</auto_ignore>
In addition to enable alert on new files, you need to make sure these alerts aren’t being suppressed. By default, ossec_rules.xml file is configured to neither log nor alert on new files. We can override this by editing local_rules.xml file. So open up local_rules.xml in your favorite text editor and add following between tags:
<rule id="554" level="7" overwrite="yes"><br></br> <category>ossec</category><br></br> <decoded_as>syscheck_new_entry</decoded_as><br></br> <description>File added to the system.</description><br></br> <group>syscheck</group><br></br> </rule>
You can further tweak to alert only check for new files in a specific directory. For this purpose, use tags. For example, I will add following to alert on new files in my web server directory:
Apply changes by restarted OSSEC. You can use following command for this purpose:
If you run into issues, look at /var/ossec/logs/ossec.log for any errors.