Week of OSSEC Day 2: Detecting New Files

Yesterday, I posted a tip on how OSSEC can alert you to world-writable files. That is worth knowing, since world-writable files are a common route to a compromised system.

Today, I’m going to show you how you can use OSSEC to detect, and optionally alert on, new files. You might be surprised to learn that OSSEC does not alert on new files by default. I recently found out why: imagine my surprise when I opened my e-mail inbox to find over 2,000 alerts from OSSEC, all about new files.

Even so, getting alerts on new files can be useful. Here’s how you do it:

1. Add <alert_new_files>yes</alert_new_files> to the <syscheck> block of etc/ossec.conf.
2. Restart OSSEC (for example, /var/ossec/bin/ossec-control restart).
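As an added example (not the post's own configuration), here is what the two steps above look like as complete <syscheck> blocks, split the way a manager/agent deployment splits them: <alert_new_files> is read on the manager (or a single-host local install), while the <directories> list belongs in the ossec.conf of the host actually being scanned. The directory paths, the <ignore> entries and the frequency of 3600 seconds are assumptions chosen for illustration; OSSEC's shipped default <frequency> is 79200 seconds (22 hours), which is why a new file can take most of a day to show up without realtime monitoring.

```xml
<!-- Added example, not the original post's config. Two fragments, one per file;
     OSSEC's parser accepts more than one <ossec_config> element in a file. -->

<!-- 1) Manager (or local install): /var/ossec/etc/ossec.conf -->
<ossec_config>
  <syscheck>
    <!-- Report files syscheck has never seen before (default is no) -->
    <alert_new_files>yes</alert_new_files>

    <!-- Full-scan interval in seconds. Assumed value; shipped default is 79200 (22 h) -->
    <frequency>3600</frequency>

    <!-- OS binaries and libraries: patched often, but new files here are rare -->
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>

<!-- 2) Windows agent: ossec.conf in the agent's install directory -->
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>

    <!-- realtime="yes" reports adds and changes as they happen instead of
         waiting for the next scheduled scan -->
    <directories check_all="yes" realtime="yes">C:\Windows\System32</directories>

    <!-- Assumed noisy subtrees that churn constantly and would flood a new-file rule -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore>C:\Windows\System32\config</ignore>
  </syscheck>
</ossec_config>
```

After editing, restart the manager and the agent; the manager only learns about new files in the agent's monitored directories once the agent has sent its next syscheck scan (or a realtime event).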

OSSEC is now configured to alert on new files, but you still won’t get alerts. Why? It’s because of this rule in rules/ossec_rules.xml:

<rule id="554" level="0">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

A level 0 rule tells OSSEC to match the event and then discard it: no log entry, no alert. To make new file alerting work, we need to do something about this rule. Rather than editing ossec_rules.xml (which an upgrade will replace), add this to rules/local_rules.xml, where overwrite="yes" replaces the stock rule with the same id:

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

That’s all you have to do. The next time syscheck runs (the default <frequency> is 79200 seconds, about 22 hours), OSSEC will begin alerting on anything new that is added to a directory you have told it to monitor. But what if temporary files are constantly being added to one of those directories? Or what if you simply copy in a tarball and extract it, and there were several hundred files in the tarball? You’ll get flooded with alerts.

The key to making this useful is to take a positive security approach. That is, rather than being alerted on every new file in all the directories you have defined, decide where files should rarely be added but where an addition is critical to know about. OS system directories are a good choice: they change often due to patching, but patches mostly modify existing files, so new files are comparatively rare.

We can make this distinction by further tweaking the rule above. The Windows system32 directory is a good example of a place to monitor for new files. Malware is often installed there, but patches generally change existing files rather than add new ones. To be alerted only for the system32 directory, we can either write a dependent rule using <if_sid>, or use the overwrite="yes" option with a <match> (a plain substring test, so the backslashes are literal). The following example uses the latter:

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<match>\system32\</match>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

Of course, this can be as granular as you need it to be. Perhaps you don’t need to be e-mailed about new files, but just want them logged. Add <options>no_email_alert</options> to the rule, or lower its level below your configured email_alert_level.
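As an added example (not the post's own rules), here is a rules/local_rules.xml that implements the <if_sid> alternative mentioned above together with the log-only option from the previous paragraph. The stock rule 554 is left at level 0 and untouched; a child rule raises new files under system32 to level 7, and a second child logs every other new file at level 3 without sending e-mail. The rule ids 100554 and 100555 are assumptions (OSSEC reserves ids from 100000 upward for local rules); the <match> strings are plain substring tests, so the backslashes are literal, and OSSEC stops at the first child rule that matches, which is why the specific rule is listed first.

```xml
<!-- Added example, not the original post's rules: /var/ossec/rules/local_rules.xml -->
<group name="local,syscheck,">

  <!-- Fires only for new files whose path contains \system32\.
       Parent 554 (level 0) still matches first; this child raises the level.
       Rule id 100554 is an assumed local id. -->
  <rule id="100554" level="7">
    <if_sid>554</if_sid>
    <match>\system32\</match>
    <description>New file under Windows system32 (syscheck).</description>
    <group>syscheck,</group>
  </rule>

  <!-- Catch-all for every other new file: written to alerts.log (level 3 is
       above the default log_alert_level of 1) but never e-mailed.
       Rule id 100555 is an assumed local id. -->
  <rule id="100555" level="3">
    <if_sid>554</if_sid>
    <options>no_email_alert</options>
    <description>File added to the system (logged only).</description>
    <group>syscheck,</group>
  </rule>

</group>
```

Because the stock rule 554 is not overwritten, this version survives an OSSEC upgrade that replaces ossec_rules.xml, and the e-mail behaviour of the two children can be tuned independently.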

Knowing about files being added to the system is important in case of a compromise. However, effective tuning of this feature is critical to making it useful. Do what works best for you.

Posted in Intrusion Detection, Log Analysis

8 comments on “Week of OSSEC Day 2: Detecting New Files”
  1. Devendra says:

    Are the changes in ossec_rules.xml & local_rules.xml required on the agent host or the manager host to alert on new files ?

    Thanks.

  2. Devendra says:

    Please ignore my question. I realized those xml’s are only manager.

  3. Devendra says:

    Another question… will the new file alert get generated only during the next scheduled scan, or can it be fired in real time if the “real time” option is set? It doesn’t seem to be working in real time for me.

  4. mstarks says:

    Devendra :

    Another question… will the new file alert get generated only during the next scheduled scan, or can it be fired in real time if the “real time” option is set? It doesn’t seem to be working in real time for me.

    Hello Devendra,

    I could be wrong, but I believe you will get a new file alert in a currently monitored directory upon restarting OSSEC, or in a newly added directory after the next syscheck scan runs.

    Regards,
    Mike

  5. FlaBon says:

    Hello Mike,

    I’m having trouble receiving alerts for new files created under the C:\Windows\System32 directory on a Windows 2008 R2 (64-bit) OS. Everywhere else is working, but not with files or directories created in that very directory!
    Has anyone experienced this type of problem before?
    Kind regards,

  6. Troy says:

    Hi Mike;

    Thank you for these guides. I am having general success with my new implementation of OSSEC, also being new to the monitoring world. Quite cool so far.

    My need at present is to be able to configure Ossec to not only monitor adds or removals of files but also changes to files. (don’t want to necessarily monitor individual files just essentially any changes within a folder structure alerted on).

    Any pointers for this newbie appreciated.

    Regards,

    Troy

  7. Troy says:

    Oh, sorry to leave out…I want to monitor files on the client system – a Windows box.

    -Troy
