If you want to create alerts when a log or the output of a command changes, take a look at the new <check_diff /> option in the rules (available on the latest snapshot).
To demonstrate with an example, we will create a rule to alert when there is a new port opens in listening mode on our server.
First, we configure OSSEC to run the ‘netstat -tan |grep LISTEN’ command by adding the following to ossec.conf:
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>
After that, I add a rule to alert when its output changes:
<rule id="140123" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan |grep LISTEN</match>
<check_diff />
<description>Listened ports have changed.</description>
</rule>
Note that we use the "check_diff" option. The first time it receives the event, it will store in an internal database. Every time it receives the same event, it will compare against what we have store and only alert if the output changes.
In our example, after configuring OSSEC, I started netcat to listen on port 23456 and that’s the alert I got:
OSSEC HIDS Notification.
2010 Mar 11 19:56:30
Rule: 140123 fired (level 7) -> "Listened ports have changed."
Portion of the log(s):
ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4 0 0 *.23456 *.* LISTEN
tcp4 0 0 *.3306 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4 0 0 *.3306 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
What do you think? We can probably extend this idea to create very interesting rules…