
We need file integrity monitoring on our windows servers (a webserver and a database server) and before we drop money on Tripwire, I'm checking out OSSEC. I installed a local installation to test with on my ubuntu laptop, and it appears to be working. I received some email alerts about it being the first time I've logged in with that account, used sudo, etc.

My question now: what are some common tasks I should try next? I would like to go in and change some file that OSSEC is monitoring to see if it alerts on that, but I don't know what the default rules are monitoring.

Chris

1 Answer


My question now: what are some common tasks I should try next?

OSSEC has default rules to perform log analysis, file integrity checking, rootkit detection, ...

You can try some common tasks such as:

  • monitoring the kernel log by adding the config below to ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>
  • Adding some exclude words which you don't want to get alerts for to /var/ossec/rules/local_rules.xml:
RRD_update|getaddrinfo|does not represent a number in line|error.class.php|Bind to port|errorsign.jpg|error.gif|error retrieving information about user

and overwrite some rules:

  <rule id="5703" level="10" frequency="4" timeframe="360" overwrite="yes">
    <if_matched_sid>5702</if_matched_sid>
    <options>no_email_alert</options>
    <description>Possible breakin attempt </description>
    <description>(high number of reverse lookup errors).</description>
  </rule>
  • write several shell scripts for active response
  • integrate OSSEC with Splunk

I would like to go in and change some file that OSSEC is monitoring to see if it alerts on that, but I don't know what the default rules are monitoring.

You can search for the keyword integrity in the rules folder:

# grep -lir "integrity" /var/ossec/rules/
/var/ossec/rules/msauth_rules.xml
/var/ossec/rules/syslog_rules.xml
/var/ossec/rules/ossec_rules.xml

It's rule ID 550:

  <rule id="550" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>
quanta
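Once you have changed a monitored file, the place to confirm that rule 550 fired is /var/ossec/logs/alerts/alerts.log. As an added example (not part of the original answer and not OSSEC's own code), the Python below parses the standard alerts.log layout, picks out the syscheck alerts and reports which host and path changed. The alert entries embedded in it are constructed samples, not real output; the parser assumes the common "** Alert <id>: [mail] - <groups>" header, the "<date> host->location" source line and the "Rule: N (level L) -> 'desc'" rule line.

```python
import re
from collections import Counter

# Constructed sample of three alerts.log entries (not real output): two
# syscheck (rule 550) alerts, one from a local install and one from a Windows
# agent, with a sudo session alert in between.
SAMPLE_ALERTS = r"""** Alert 1459300893.12345: - ossec,syscheck,
2016 Mar 30 10:01:33 web01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: '1b5e0fbb7cef8b0ab26f2c2d3ef2d2a5'
New md5sum is : '7e9b1e6f4d5a8c3b2a1f0e9d8c7b6a5f'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '2fd4e1c67a2d28fced849ee1bb76e7391b93eb12'

** Alert 1459300901.12900: mail  - pam,syslog,authentication_success,
2016 Mar 30 10:01:41 web01->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Mar 30 10:01:40 web01 sudo: pam_unix(sudo:session): session opened for user root by chris(uid=0)

** Alert 1459300950.13310: mail  - ossec,syscheck,
2016 Mar 30 10:02:30 (db01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\inetpub\wwwroot\web.config'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'
"""

# "** Alert <id>: [mail] - <group,group,>"
HEADER_RE = re.compile(r"^\*\* Alert ([\d.]+):(?:\s+mail)?\s+-\s+(.*)$")
# "<yyyy Mon dd hh:mm:ss> host->location" or "(agent) ip->location"
SOURCE_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
PATH_RE = re.compile(r"^Integrity checksum changed for: '(.*)'$")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert."""
    alerts = []
    for chunk in text.split("** Alert ")[1:]:
        lines = ("** Alert " + chunk).strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # unrecognised block, skip it rather than guess
        alert = {
            "id": header.group(1),
            "groups": [g for g in header.group(2).split(",") if g],
            "host": None, "location": None,
            "rule_id": None, "level": None, "description": None,
            "path": None,  # only set for syscheck alerts
        }
        for line in lines[1:]:
            src = SOURCE_RE.match(line)
            rule = RULE_RE.match(line)
            path = PATH_RE.match(line)
            if src and alert["host"] is None:
                alert["host"] = src.group("agent") or src.group("host")
                alert["location"] = src.group("location")
            elif rule and alert["rule_id"] is None:
                alert["rule_id"] = int(rule.group(1))
                alert["level"] = int(rule.group(2))
                alert["description"] = rule.group(3)
            elif path:
                alert["path"] = path.group(1)
        alerts.append(alert)
    return alerts


def integrity_changes(alerts):
    """(host, path, rule_id) for every alert in the syscheck group."""
    return [(a["host"], a["path"], a["rule_id"])
            for a in alerts if "syscheck" in a["groups"]]


def count_by_rule(alerts):
    """How many times each rule ID fired, for a quick sanity check."""
    return Counter(a["rule_id"] for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for host, path, rule_id in integrity_changes(parsed):
        print(f"rule {rule_id}: {host} changed {path}")
    print(dict(count_by_rule(parsed)))
```

To use it against a live install, read the real file instead of the sample (for example `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())`), edit a file under a monitored directory, wait for the next syscheck scan, and check that the path shows up in `integrity_changes`. If the rule 5703 overwrite from the answer above is in place, `count_by_rule` is a simple way to confirm it is still firing even though e-mail for it is suppressed.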