In the scope of the OSSEC Week, here is a quick contribution which can greatly help you monitor suspicious changes on a website. Today, your corporate website is the very first contact you have with your customers, partners, press, etc. It’s your window to the world. Nobody can claim to be fully protected against defacement or intrusions, so it’s important to be alerted as soon as possible when something “suspicious” occurs. It’s never a good story to be alerted by a third party that you’ve been hacked…
OSSEC integrates by default a FIM (“File Integrity Monitoring“) feature which can be used to detect changes in files on your web servers. But sometimes those servers are outsourced or not fully controlled from A to Z by you or your team. Even then, OSSEC can detect changes in remote files via another feature called “full_command“. How?
In your ossec.conf, define a new “file” entry like this:
<localfile>
  <log_format>full_command</log_format>
  <command>wget -o /dev/null -O - http://www.company.com | sha1sum</command>
</localfile>
This command grabs the homepage of www.company.com (wget’s own log output is discarded with “-o /dev/null”, the page body is written to stdout with “-O -”) and computes its SHA1 digest. Now, define a new alert in local_rules.xml:
<rule id="123456" level="8">
  <if_sid>530</if_sid>
  <match>ossec: output: 'wget -o /dev/null -O - http://www.company.com</match>
  <check_diff />
  <description>Change detected on www.company.com.</description>
</rule>
Of course, you can detect changes on specific files:
<command>wget -o /dev/null -O - http://www.company.com/file.xml | sha1sum</command>
Or on a group of files whose names are read from another file:
<command>for I in `cat files.tmp`; do wget -O - -o /dev/null http://site.be/$I | sha1sum; done</command>
Do you need to track changes related to your BGP Autonomous System? Use this one:
<command>whois -h whois.ripe.net as12345 | sha1sum</command>
Use your imagination! There are tons of other examples with the “full_command” OSSEC feature. Remember: the sooner you detect a problem, the sooner you can fix it! Just one last remark: most websites integrate dynamic content like banners or news feeds. Select carefully which changes you need to track, otherwise you will be flooded by false positive alerts!
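One way to keep the dynamic parts out of the digest is to normalise the page before hashing it. The script below is an added example, not part of the original post or of OSSEC: it drops lines carrying assumed volatile markers (banner comments, a news feed div, a generated timestamp, a CSRF token) and hashes what is left, with constructed sample pages to show that two fetches differing only in dynamic content give the same digest while a real content change does not. The install path /usr/local/bin/normalize-hash.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or OSSEC). Normalise a fetched
# page so dynamic fragments do not change the digest seen by check_diff.
# Assumed ossec.conf usage:
#   wget -o /dev/null -O - http://www.company.com | /usr/local/bin/normalize-hash.sh -
set -eu

# Basic regular expressions identifying volatile lines (constructed for this
# example; keep them free of whitespace, they are split on $IFS below).
# Note: a matching line is dropped whole, so keep volatile markup on its own line.
VOLATILE_PATTERNS='<!--banner id="newsfeed" name="generated" csrf_token'

# SHA1 of stdin, using coreutils sha1sum or shasum as a fallback.
digest() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum; fi | cut -d' ' -f1
}

# Read a page on stdin, delete volatile lines, strip trailing whitespace
# and print the SHA1 digest of the remainder.
normalized_hash() {
    script=''
    for pattern in $VOLATILE_PATTERNS; do
        script="$script -e /$pattern/d"
    done
    sed $script -e 's/[[:space:]]*$//' | digest
}

# Constructed sample fetches: A and B are the same page served twice with a
# rotating banner, fresh news item, new timestamp and new CSRF token; C is A
# with one static line modified (the change we actually want to catch).
PAGE_A='<html><head>
<meta name="generated" content="2024-01-01T10:00:00">
<title>Company</title></head><body>
<!--banner 17--><img src="/ads/17.png">
<div id="newsfeed">Latest: item 17</div>
<input type="hidden" name="csrf_token" value="a1b2c3">
<p>Welcome to Company.</p>
</body></html>'
PAGE_B=$(printf '%s\n' "$PAGE_A" | sed -e 's/17/18/g' -e 's/10:00:00/10:05:00/' -e 's/a1b2c3/d4e5f6/')
PAGE_C=$(printf '%s\n' "$PAGE_A" | sed 's/Welcome to Company\./Welcome to Company (modified)./')

# Returns 0 when A and B hash alike (noise ignored) and C differs (change seen).
self_check() {
    a=$(printf '%s\n' "$PAGE_A" | normalized_hash)
    b=$(printf '%s\n' "$PAGE_B" | normalized_hash)
    c=$(printf '%s\n' "$PAGE_C" | normalized_hash)
    [ "$a" = "$b" ] && [ "$a" != "$c" ]
}

case "${1:-}" in
    -)            normalized_hash ;;                      # hash the page on stdin
    --self-check) self_check && echo "self-check passed" ;;
    *)            echo "usage: $0 - | --self-check" >&2 ;;
esac
```

With this in place, the rule’s match string must start with the new command line (wget … | /usr/local/bin/normalize-hash.sh -), since check_diff compares the output of that exact command.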