ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Ossec monitor multiple process #1451

Open politicasemmedo opened 6 years ago

politicasemmedo commented 6 years ago

If I create a rule to monitor processes via ossec, I create several rules on the server for multiple processes. How do I configure the agent to choose only one process, and another agent another process?

Ex: Agent 1: (Monit wordpad.exe)

    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>

Ex: Agent 2: (Monit explorer.exe)

    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>

Server:

    <rule id="100050" level="7">
      <if_sid>530</if_sid>
      <match>^ossec: output: 'tasklist'</match>
      <description>Critical process not found.</description>
      <group>process_monitor,</group>
    </rule>
    <rule id="100051" level="0">
      <if_sid>100050</if_sid>
      <match>wordpad.exe</match>
      <description>Processes running as expected</description>
      <group>process_monitor,</group>
    </rule>

    <rule id="100052" level="7">
      <if_sid>530</if_sid>
      <match>^ossec: output: 'tasklist'</match>
      <description>Critical process not found.</description>
      <group>process_monitor,</group>
    </rule>
    <rule id="100053" level="0">
      <if_sid>100052</if_sid>
      <match>explorer.exe</match>
      <description>Processes running as expected</description>
      <group>process_monitor,</group>
    </rule>

how???

ddpbsd commented 6 years ago

Add the first full_command entry to the first agent's ossec.conf and the second to the second agent's ossec.conf, or use agent.conf.
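An added configuration example (not from either commenter) of the agent.conf route the reply mentions: one shared file on the server with a per-agent block selected by agent name, plus server rules keyed on a distinct `<alias>` per command so that each agent's process list only reaches its own check. Agent names and alias strings are placeholders.

```xml
<!-- Server: /var/ossec/etc/shared/agent.conf, pushed to every agent.
     Agent names "win-agent-1"/"win-agent-2" are placeholders; each block
     is applied only by the agent whose registered name matches. -->
<agent_config name="win-agent-1">
  <localfile>
    <log_format>full_command</log_format>
    <command>tasklist</command>
    <!-- alias replaces the command text in the log header, so the server
         sees "ossec: output: 'tasklist-wordpad':" instead of 'tasklist' -->
    <alias>tasklist-wordpad</alias>
    <frequency>60</frequency>
  </localfile>
</agent_config>

<agent_config name="win-agent-2">
  <localfile>
    <log_format>full_command</log_format>
    <command>tasklist</command>
    <alias>tasklist-explorer</alias>
    <frequency>60</frequency>
  </localfile>
</agent_config>

<!-- Server: rules/local_rules.xml. Each parent rule keys on its own alias,
     so agent 2's process list can never fall into the wordpad.exe check
     (with identical 'tasklist' headers, rule 100050 would match both). -->
<group name="process_monitor,">
  <rule id="100050" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist-wordpad'</match>
    <description>Critical process wordpad.exe not found.</description>
  </rule>
  <rule id="100051" level="0">
    <if_sid>100050</if_sid>
    <match>wordpad.exe</match>
    <description>wordpad.exe running as expected.</description>
  </rule>
  <rule id="100052" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'tasklist-explorer'</match>
    <description>Critical process explorer.exe not found.</description>
  </rule>
  <rule id="100053" level="0">
    <if_sid>100052</if_sid>
    <match>explorer.exe</match>
    <description>explorer.exe running as expected.</description>
  </rule>
</group>
```

The `name` attribute is matched against the agent's registered name (the one shown by manage_agents); agents pick up the new agent.conf the next time they sync shared files with the server.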