ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Syscheck--Multiple Alerts for the same event #1096

Open JTSEC opened 7 years ago

JTSEC commented 7 years ago

Hello,

I have been using syscheck (realtime) to monitor a directory. I notice that when modifying a .txt file only one alert per event is generated. However, when modifying other types of files I get more than one alert for the same event. I don't understand why it recomputes the hash values twice for one modification of the file (i.e. adding/removing text).

See below:

OSSEC HIDS Notification. 2017 Mar 15 13:05:36

Received From: (Host-b) 10.10.10.25->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s):

Integrity checksum changed for: '/home/max/Documents/presentation.odp' Size changed from '12094' to '0' Old md5sum was: '53124ae0cd8229725586b5826b60070d' New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' Old sha1sum was: 'c26039d44126b23acc36f08a3d8ec28bef3654c7' New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'

--END OF NOTIFICATION

OSSEC HIDS Notification. 2017 Mar 15 13:05:36

Received From: (Host-b) 10.10.10.25->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s):

Integrity checksum changed for: '/home/max/Documents/presentation.odp' Size changed from '0' to '11840' Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' New md5sum is : '4cc428826d96afcba5961f2375bf50aa' Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' New sha1sum is : '851eb8678646ceb21facd5b01ba6a4abd29555d5'

As I mentioned before, this does not happen with .txt files. I have also tested this with .html files and I get two alerts for the same event, like the example above. Notice that on the first block the "New md5sum" becomes the "Old md5sum" on the second Alert. Yet, I only modified the file once. Even the time-stamps are the same in both notifications.

Any ideas? Thanks

ddpbsd commented 7 years ago

Are you using different programs to do the modifications of different files? You can try monitoring the inotify events to see what's sent to OSSEC.

JTSEC commented 7 years ago

Hello ddpbsd,

I manually opened the files and modified them by either adding or removing a letter, for instance. I thought this was an application issue, but I tested it by adding a line to a .txt file through the terminal and using gedit. In both cases I only get one notification for the event.
I noticed that as soon as I click on "save" in the case of the .odp & .html files, two alerts get generated at the same time (/var/ossec/log/alerts/alerts.log).

I tested this on Windows (thinking that it might be a Linux OS thing) and the same thing happened: two notifications when modifying either an .odp or .html file (I used notepad for making changes to the .html file).

Is it possible that the file system, somehow, writes the changes in a two-step process?

Thanks

ddpbsd commented 7 years ago

I guess it's possible. Watching the inotify events might give you more information on what's going on.
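An added example, not part of this thread or of OSSEC's code, that reproduces the two-step save on a scratch file and sifts the resulting alerts: an editor-style save truncates the file before writing it back, so a realtime watcher can observe a 0-byte intermediate state whose md5 is the empty-file hash d41d8cd98f00b204e9800998ecf8427e (exactly the "New md5sum" of the first alert above), while a terminal append produces one state. The collapse helper folds such a pair back into one net change; the regex and the two sample alert lines are taken from the alerts quoted in this issue, the scratch file and its contents are constructed.

```python
import hashlib
import os
import re
import tempfile
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # md5 of zero bytes, as seen in the alerts
ALERT_RE = re.compile(
    r"changed for: '(?P<path>[^']+)' Size changed from '(?P<old>\d+)' to '(?P<new>\d+)' "
    r"Old md5sum was: '(?P<old_md5>[0-9a-f]{32})' New md5sum is : '(?P<new_md5>[0-9a-f]{32})'")
THREAD_ALERTS = [  # the two alert lines quoted in the issue, verbatim
    "Integrity checksum changed for: '/home/max/Documents/presentation.odp' Size changed from '12094' to '0' Old md5sum was: '53124ae0cd8229725586b5826b60070d' New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'",
    "Integrity checksum changed for: '/home/max/Documents/presentation.odp' Size changed from '0' to '11840' Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' New md5sum is : '4cc428826d96afcba5961f2375bf50aa'",
]

def snapshot(path):
    """(size, md5) of the file as it is on disk right now."""
    with open(path, "rb") as f:
        return (os.path.getsize(path), hashlib.md5(f.read()).hexdigest())

def save_truncate_then_write(path, data):
    """Editor-style save: truncate, then write. A realtime watcher can see two states."""
    with open(path, "wb") as f:      # "wb" truncates to 0 bytes at open time
        states = [snapshot(path)]    # intermediate state: size 0, EMPTY_MD5
        f.write(data)
    states.append(snapshot(path))
    return states

def save_append(path, data):
    """Terminal-style 'echo line >> file': one write, one observable new state."""
    with open(path, "ab") as f:
        f.write(data)
    return [snapshot(path)]

def collapse_truncate_pairs(alert_lines):
    """Fold 'X -> empty' followed by 'empty -> Y' on the same path into one X -> Y."""
    out = []
    for m in filter(None, map(ALERT_RE.search, alert_lines)):
        a = m.groupdict()
        prev = out[-1] if out else None
        if prev and prev["path"] == a["path"] and prev["new_md5"] == EMPTY_MD5 == a["old_md5"]:
            out[-1] = {**prev, "new": a["new"], "new_md5": a["new_md5"]}
        else:
            out.append(a)
    return out

def demo():
    path = os.path.join(tempfile.mkdtemp(), "presentation.odp")  # constructed scratch file
    with open(path, "wb") as f:
        f.write(b"original body")
    two_step = save_truncate_then_write(path, b"edited body")
    one_step = save_append(path, b"\nmore")
    return two_step, one_step, collapse_truncate_pairs(THREAD_ALERTS)
```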