OSECモニタに新規ファイルがあるとアラームが発生します。

from:http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/
 Even so、getting alerts on new files can be useful.Here’s how you it：
   1.Add to the block of etc/ossec.com nf： 

 
    
 
     
<alert_new_files>yesalert_new_files
 
    
 
    
    2. Restart OSSEC.
OSEC is now configred to alert on new files，but you’t get alerts.Why？It’s because of this rule in etc/ossec_rules.xml:
＜rule id=「554」 level="0">  
osseccategory>  
＜decoded_as>sysscheck_new_entrydecoded_as>  
＜description＞File added ト the system.description>  
＜group＞sysscheck、group＞  
 rule>  
This rule says，“don’t log and don’t alert on new files.”To make new file alerting work，we need to do something about this rule.Add this to local_。rules.xml:
＜rule id=「554」 level="7" overwrite="yes"  
osseccategory>  
＜decoded_as>sysscheck_new_entrydecoded_as>  
＜description＞File added ト the system.description>  
＜group＞sysscheck、group＞  
 rule>  
That’s all You have to do.The next time syschheck runs(which could be a few houss)、ossec will begin alerting on anything new that is added to a directory you have to monitor.But what if temporement？Or what if you simply add a tall，extract it，and there were several hndred files in the taball？You’ll get flook ded with alerts.
  
転載先:https://blog.51cto.com/xikder/670658