OSSEC Alert On New Files

idps ids intrusion detection intrusion prevention ips linux monitoring ossec ossim

A colleague came to me today complaining that tons of malicious .php files keep showing up in his Apache document root. After talking to him about vulnerability testing of his website, I suggested he take a look at OSSEC for its system and file integrity checks. OSSEC can alert you when the contents of a system file change, when permissions on a user file change, when SSH brute-force attempts are made, and when a new file shows up on your file system.

Installation

Installing OSSEC on Linux machines is a breeze. You can also deploy OSSEC agents on Windows machines to invite those to the party :) Follow the official OSSEC installation documentation here.

Enable Active Response

If you did not enable active response during installation, do so now. Open /var/ossec/etc/ossec.conf in your favorite text editor and either remove the active-response section entirely (active response is on unless it is explicitly disabled) or set it as I have written below:

<active-response>
  <disabled>no</disabled>
</active-response>

Check out the official documentation here to learn about the available active response options and add the ones you want to your configuration.

Enable Email Notifications
Add the following near the top of your ossec.conf file to enable email notifications:

<global>
  <email_notification>yes</email_notification>
  <email_maxperhour>14</email_maxperhour>
  <email_to>[email protected]</email_to>
  <smtp_server>mysmtpserver.host.com</smtp_server>
  <email_from>[email protected]</email_from>
</global>

Enable Alerts On New Files

To enable alerts on new files, open ossec.conf, find the <syscheck> section, and add the following inside it. Syscheck only notices a file inside a directory it is told to scan, so your web root (here /var/www) must also appear in a <directories> entry of that section; and since it only compares against its database during a scan, with the default <frequency> of 79200 seconds (22 hours) a new file can go unreported until the next run. Setting <auto_ignore> to no keeps syscheck from silently dropping files that change more than three times.

<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>

In addition to enabling alerts on new files, you need to make sure these alerts aren't being suppressed. By default, /var/ossec/rules/ossec_rules.xml defines rule 554 ("File added to the system.") at level 0, so it is neither logged nor alerted. We can override this from /var/ossec/rules/local_rules.xml, which unlike ossec_rules.xml is not replaced on upgrade. So open local_rules.xml in your favorite text editor and add the following between the <group> and </group> tags:

<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck</group>
</rule>

You can further narrow the rule to alert only on new files in a specific directory by adding a <match> tag inside it; <match> is a substring test against the alert text, which contains the full path of the new file. For example, I add the following to alert on new files in my web server directory:

<match>/var/www/</match>

Because this overwrites rule 554, new files anywhere else no longer match it and stay silent, just as they do by default.

Apply Changes
Apply the changes by restarting OSSEC. You can use the following command for this purpose:

/var/ossec/bin/ossec-control restart

If you run into issues, look at /var/ossec/logs/ossec.log for errors. Alerts themselves, including the rule 554 hits you are after, land in /var/ossec/logs/alerts/alerts.log.
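Before restarting, it is worth confirming that all three pieces line up, since any one of them missing leaves new files silent: syscheck must be told to alert on new files, the directory must be under a <directories> entry, and rule 554 must be raised above level 0 (and its <match>, if any, must cover the directory). The following Python script is an added example, not code from the original post or from the OSSEC project. It parses the text of ossec.conf and local_rules.xml offline and reports why a new file under a given directory would not alert. The two sample configuration pairs inside it are constructed for the demonstration; the /var/www directory and the rule 554 settings are the ones from this post.

```python
"""Offline check of the settings this post changes (added example, not code
from the post or the OSSEC project). Given ossec.conf and local_rules.xml text
it lists every reason a new file under watched_dir would still be silent.
The configuration pairs at the bottom are constructed for the demo."""
import xml.etree.ElementTree as ET


def parse_fragments(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is
    not well-formed XML, so wrap the file text in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def covers(dir_entry, path):
    """True if a syscheck <directories> entry such as /var/www contains path."""
    base = dir_entry.rstrip("/") or "/"
    path = path.rstrip("/") or "/"
    return path == base or path.startswith(base.rstrip("/") + "/")


def syscheck_settings(conf_text, watched_dir):
    """Return (alert_new_files value or None, whether watched_dir is scanned)."""
    alert_new, covered = None, False
    for sc in parse_fragments(conf_text).iter("syscheck"):
        value = sc.findtext("alert_new_files")
        if value is not None:
            alert_new = value.strip().lower()
        for d in sc.findall("directories"):
            # one <directories> tag may list several comma-separated paths
            entries = [e.strip() for e in (d.text or "").split(",") if e.strip()]
            covered = covered or any(covers(e, watched_dir) for e in entries)
    return alert_new, covered


def rule_554(rules_text):
    """Return (level, match) of a local overwrite of rule 554; OSSEC ships it at level 0."""
    level, match = 0, None
    for rule in parse_fragments(rules_text).iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            level = int(rule.get("level", "0"))
            match = rule.findtext("match")
    return level, match


def check_new_file_alerting(conf_text, rules_text, watched_dir):
    """Reasons a new file under watched_dir would not alert; empty list = OK."""
    problems = []
    alert_new, covered = syscheck_settings(conf_text, watched_dir)
    if alert_new != "yes":
        problems.append("syscheck: <alert_new_files> is not 'yes'")
    if not covered:
        problems.append(f"syscheck: {watched_dir} is under no <directories> entry")
    level, match = rule_554(rules_text)
    if level < 1:
        problems.append("rules: rule 554 is still level 0, new files stay silent")
    elif match and match not in watched_dir.rstrip("/") + "/":
        # <match> is a substring test against the "New file '...' added" log line
        problems.append(f"rules: rule 554 <match>{match}</match> excludes {watched_dir}")
    return problems


# Constructed sample: roughly what a fresh install leaves behind.
WEAK_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>"""
WEAK_RULES = """<group name="local,syslog,"></group>"""

# Constructed sample: the post's settings, with /var/www added to syscheck.
FIXED_CONF = """<ossec_config>
  <global><email_notification>yes</email_notification></global>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/www</directories>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>"""
FIXED_RULES = """<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>/var/www/</match>
    <description>File added to the system.</description>
    <group>syscheck</group>
  </rule>
</group>"""

if __name__ == "__main__":
    for name, conf, rules in ("weak", WEAK_CONF, WEAK_RULES), ("fixed", FIXED_CONF, FIXED_RULES):
        print(name, check_new_file_alerting(conf, rules, "/var/www/html") or ["OK"])
```

Run as-is, the "weak" pair fails all three checks and the "fixed" pair passes; to lint a real host, pass the contents of /var/ossec/etc/ossec.conf and /var/ossec/rules/local_rules.xml instead of the constructed strings. Level 7 for the rule is not arbitrary: it is OSSEC's default <email_alert_level>, so anything lower would be logged but never mailed. The script cannot tell you when the next syscheck scan runs, so a clean result still means waiting up to one <frequency> interval for the first alert.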

The author would love to hear your comments. Let us discuss at Twitter @hashtaginfosec.