Simple application-level file integrity monitoring & intrusion detection (IDS)

Tags: ids, intrusion-detection, ips, ossec, tripwire

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work at the application level. We are not looking for an OS/network-level IDS, as OSSEC and the others do a pretty good job of that.

We have looked at centralized (OSSEC) and non-centralized (Tripwire Open Source) solutions; however, they each have their limitations with regard to file restrictions and recursively monitoring thousands of files/directories.

Essentially we have thousands of php/cgi/pl files which we would like to monitor for changes/injections. The problem is they are all in directories that might contain other file types and other things that change. Directory integrity checking is not an option, as the directory might change but not the files we are interested in monitoring.

Is there software out there that can take a 'find' command to get a file list, place this file list in a database with an md5 checksum for each file, and then on the next run match the file list file by file and alert on any changes to the md5 checksums and on new files?

Best Answer

Perhaps you can try AIDE (http://aide.sourceforge.net/), and create a rule that will only monitor *php/cgi/pl files.
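The tool the question describes (a `find`-style file selection, a checksum database, and a file-by-file comparison on the next run) is small enough to write directly. The script below is an added example, not code from the question, the answer, or the AIDE project: it selects only `*.php`, `*.cgi` and `*.pl` files under a root, hashes them, stores the baseline as JSON, and reports new, missing and modified files while ignoring everything else in the same directories. It uses sha256 rather than md5; md5 catches accidental edits, but an attacker who can write the file can also craft a replacement with a colliding md5, so sha256 is the safer default for tamper detection. The `demo()` function builds a constructed sample tree in a temporary directory so the script runs offline; the `init`/`check` command-line modes and the file names in the demo are this example's own choices.

```python
#!/usr/bin/env python3
"""Application-level file integrity checker (added example, not from the original page).

    fim.py init  ROOT DB_FILE   # write a baseline of selected files under ROOT
    fim.py check ROOT DB_FILE   # report added/removed/modified files; exit 1 if any
    fim.py                      # run the built-in demo on a constructed sample tree
"""
import hashlib
import json
import os
import shutil
import sys
import tempfile

# Only these source types are monitored; other files in the same directories are ignored.
MONITORED_SUFFIXES = (".php", ".cgi", ".pl")


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def select_files(root, suffixes=MONITORED_SUFFIXES):
    """Equivalent of: find ROOT -type f \\( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \\)
    Symlinks are skipped so a link planted inside the tree cannot make us hash a file outside it."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic walk order gives stable reports
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if name.endswith(suffixes) and os.path.isfile(full) and not os.path.islink(full):
                selected.append(full)
    return selected


def build_baseline(root, algorithm="sha256"):
    """Return {relative_path: {"digest", "size", "mtime"}} for every selected file."""
    baseline = {}
    for full in select_files(root):
        st = os.stat(full)
        baseline[os.path.relpath(full, root)] = {
            "digest": file_digest(full, algorithm),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return baseline


def compare(old, new):
    """Diff two baselines. Only the digest decides 'modified': size and mtime are recorded
    for the report, but an attacker can restore mtime with touch -r, not the content hash."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if old[p]["digest"] != new[p]["digest"]),
    }


def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def demo():
    """Constructed sample: baseline a small tree, then tamper with it and return the report."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "app", "lib"))
        with open(os.path.join(root, "app", "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "app", "lib", "util.pl"), "w") as f:
            f.write("print \"ok\\n\";\n")
        with open(os.path.join(root, "app", "notes.txt"), "w") as f:
            f.write("not monitored\n")
        baseline = build_baseline(root)
        # Simulate an injection, a dropped web shell, a deleted file and noise in an ignored file.
        with open(os.path.join(root, "app", "index.php"), "w") as f:
            f.write("<?php eval($_GET['c']); ?>\n")
        with open(os.path.join(root, "app", "lib", "shell.cgi"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "app", "lib", "util.pl"))
        with open(os.path.join(root, "app", "notes.txt"), "w") as f:
            f.write("changed, but still not monitored\n")
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


def main(argv):
    if len(argv) == 1:
        for kind, paths in demo().items():
            for p in paths:
                print("%s %s" % (kind.upper(), p))
        return 0
    if len(argv) != 4 or argv[1] not in ("init", "check"):
        print(__doc__, file=sys.stderr)
        return 2
    mode, root, db_path = argv[1:]
    current = build_baseline(root)
    if mode == "init":
        save_baseline(current, db_path)
        print("baseline written: %d files" % len(current))
        return 0
    report = compare(load_baseline(db_path), current)
    for kind, paths in report.items():
        for p in paths:
            print("%s %s" % (kind.upper(), p))
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is only as trustworthy as the baseline file: whoever can inject into the php files can also rewrite a JSON database sitting in the same tree, so keep `DB_FILE` root-owned and unreadable/unwritable by the web server user, or copy it off-host after each `init`, for the same reason AIDE's own database is meant to be stored offline or on read-only media. Run `check` from cron and page on a non-zero exit.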
