Useful links, though a bit outdated:
http://perezbox.com/2013/03/ossec-for-website-security-part-i/
https://hackertarget.com/defending-wordpress-ossec/
How to add an access log to the OSSEC monitor:
# /var/ossec/bin/util.sh addfile /var/log/httpd/somesite.access_log
How to start/stop OSSEC:
service ossec start
service ossec stop
service ossec restart
service ossec status
You might find it useful to change the syscheck section of this file:
nano /var/ossec/etc/ossec.conf
<!-- Frequency that syscheck is executed - set to every 4 hours -->
<frequency>14400</frequency>

<!-- Directories to check (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">[path to the root of your site]</directories>

<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>
This reduces the syscheck frequency to 14400 seconds (every 4 hours), adds monitoring of the site root path, and enables alerts for new files.
To enable alerting for new files, edit
/var/ossec/rules/ossec_rules.xml
Go to rule 554 and change its level to 7, like this:
<rule id="554" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
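As an added check (not from the original post, nor part of OSSEC itself), this Python script parses the two fragments above and confirms that new-file alerting is actually wired up: syscheck has alert_new_files enabled and watches the site root with report_changes, and rule 554 has a level at or above the alert threshold (OSSEC's default log_alert_level is 1). The site root /var/www/html is an assumed placeholder; point the functions at your real ossec.conf and ossec_rules.xml contents to audit a live install.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring this page's ossec.conf fragment; /var/www/html is an assumed site root.
SYSCHECK_FRAGMENT = """<syscheck>
  <frequency>14400</frequency>
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
  <directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html</directories>
  <alert_new_files>yes</alert_new_files>
</syscheck>"""

# Constructed sample mirroring the edited rule 554 from ossec_rules.xml.
RULES_FRAGMENT = """<group name="syscheck,">
  <rule id="554" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

def parse_fragment(text):
    # A dummy root lets fragments (and a real ossec.conf, which may hold several <ossec_config> roots) parse.
    return ET.fromstring("<root>" + text + "</root>")

def monitored_dirs(syscheck_xml):
    """Map each watched path to the attributes of its <directories> entry."""
    dirs = {}
    for d in parse_fragment(syscheck_xml).iter("directories"):
        for path in (d.text or "").split(","):
            dirs[path.strip()] = dict(d.attrib)
    return dirs

def audit(syscheck_xml, rules_xml, site_root, alert_level=1):
    """Return findings; an empty list means new-file alerting is wired up."""
    findings = []
    sc = parse_fragment(syscheck_xml).find(".//syscheck")
    if sc is None or sc.findtext("alert_new_files") != "yes":
        findings.append("alert_new_files is not 'yes'")
    site = monitored_dirs(syscheck_xml).get(site_root)
    if site is None:
        findings.append("site root %s is not monitored" % site_root)
    elif site.get("report_changes") != "yes":
        findings.append("site root %s lacks report_changes" % site_root)
    rule = next((r for r in parse_fragment(rules_xml).iter("rule") if r.get("id") == "554"), None)
    if rule is None:
        findings.append("rule 554 not found")
    elif int(rule.get("level", "0")) < alert_level:
        findings.append(f"rule 554 level {rule.get('level')} is below alert threshold {alert_level}")
    return findings
```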