I have a little problem with my OSSEC. I am currently creating a personal project to detect the PHP files in the /var/www/html folder that were created, but the active-response system does not want to detect this. My decoder looks like this.
Fri 15 Jan 2021 08:13:09 PM INFO: /var/www/html/[aasfgdgd.php g.php test.php ]
<decoder name="php-check-log">
  <!-- Match the fixed prefix up to and including "INFO: ". The original prematch ended
       in "\S+", which also consumed the first file name ("/var/www/html/[aasfgdgd.php"),
       so the after_prematch regex only ever saw " g.php test.php ]". -->
  <prematch>^\S+ \S+ \S+ \S+ \S+ \S+ INFO: </prematch>
  <!-- In OSSEC's regex dialect an unescaped "." is a literal dot and "\." matches any
       character, so the original "(.+\.php)" required the text to start with dots and
       never matched. Capture the whole bracketed list that follows the path instead. -->
  <regex offset="after_prematch">^/var/www/html/(\.+)$</regex>
  <order>extra_data</order>
</decoder>
<rule id="100002" level="5">
<decoded_as>php-check-log</decoded_as>
<description>New php file added</description>
</rule>
<command>
  <name>check-php</name>
  <!-- The script must live in /var/ossec/active-response/bin/ and be executable by the ossec user. -->
  <executable>check-php.sh</executable>
  <timeout_allowed>no</timeout_allowed>
  <!-- <expect> only accepts alert fields such as srcip and user; "extra_data" is not one
       of them, so the decoded file list cannot be handed to the command this way. With no
       <expect>, the script still receives the standard arguments (action, user, srcip,
       alert id, rule id, agent name) and can look the alert up by its id. -->
</command>

<active-response>
  <command>check-php</command>
  <location>server</location>
  <rules_id>100002</rules_id>
</active-response>

<localfile>
  <log_format>syslog</log_format>
  <!-- The original listed this <location> twice and had no closing </localfile>. -->
  <location>/var/www/html/test.log</location>
</localfile>
#!/bin/sh
# Log the .php files in /var/www/html in the layout the php-check-log decoder expects.
# The timestamp now comes from date (same token layout as the hardcoded one) and the
# grep pattern is anchored, so "grep .php" no longer matches names such as "xphp".
WEBROOT=/var/www/html
files=$(ls "$WEBROOT" | grep '\.php$')
if [ -n "$files" ]; then
    list=$(printf '%s\n' "$files" | tr '\n' ' ')   # "a.php b.php " (trailing space)
    echo "$(date '+%a %d %b %Y %I:%M:%S %p') INFO: $WEBROOT/[$list]" >> "$WEBROOT/test.log"
else
    echo "Nothing"
fi
Thanks!
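To see why the decoder as posted never yields a usable `extra_data` field, the following added example (not from the post and not OSSEC code) emulates an OSSEC decoder's `prematch` plus `offset="after_prematch"` regex in Python. It assumes that OSSEC's `\.` ("any character") corresponds to Python's `.` and OSSEC's unescaped `.` (a literal dot) to Python's `\.`; OSSEC's own engine differs in details, so treat this as an approximation of the pattern semantics. The sample line is constructed in the same layout the poster's script writes. It also shows the corrected patterns, a round-trip builder for the line format, and a snapshot comparison that reports only newly created `.php` names, which is what the rule should really fire on.

```python
import re

# Constructed sample line in the layout the poster's script writes (not a real log).
SAMPLE_LINE = "Fri 15 Jan 2021 08:13:09 PM INFO: /var/www/html/[aasfgdgd.php g.php test.php ]"

# Python approximations of the OSSEC patterns (assumption: OSSEC "\." -> Python ".",
# OSSEC unescaped "." -> Python "\."). First the patterns exactly as posted:
ORIGINAL_PREMATCH = re.compile(r"^\S+ \S+ \S+ \S+ \S+ \S+ \S+: \S+")
ORIGINAL_REGEX = re.compile(r"^(\.+.php)")  # OSSEC "(.+\.php)": literal dots, any char, "php"
# Then the corrected patterns:
FIXED_PREMATCH = re.compile(r"^\S+ \S+ \S+ \S+ \S+ \S+ INFO: ")
FIXED_REGEX = re.compile(r"^/var/www/html/(.+)$")  # OSSEC "^/var/www/html/(\.+)$"


def after_prematch(line, prematch):
    """Text the after_prematch regex gets to see, or None if the prematch fails."""
    pm = prematch.match(line)
    return None if pm is None else line[pm.end():]


def decode(line, prematch, regex):
    """Emulate <regex offset="after_prematch">: run the regex on the text that follows
    the prematch hit. Returns the captured group, or None when either pattern fails."""
    rest = after_prematch(line, prematch)
    if rest is None:
        return None
    match = regex.match(rest)
    return match.group(1) if match else None


def original_extra_data(line):
    """What the posted decoder extracts in this emulation: the prematch's trailing "\\S+"
    swallows "/var/www/html/[aasfgdgd.php" and the literal-dot regex then fails."""
    return decode(line, ORIGINAL_PREMATCH, ORIGINAL_REGEX)


def php_files(line):
    """Corrected decoding: capture the bracketed list whole, then split it into names."""
    data = decode(line, FIXED_PREMATCH, FIXED_REGEX)
    if data is None:
        return None
    return data.strip("[]").split()


def build_line(files, stamp="Fri 15 Jan 2021 08:13:09 PM"):
    """Produce a line in the poster's layout (each name followed by one space)."""
    return f"{stamp} INFO: /var/www/html/[{''.join(f + ' ' for f in files)}]"


def newly_created(current, seen):
    """Names in `current` ending in .php that were absent from the earlier snapshot `seen`,
    so a rule can fire once per new file rather than on every directory listing."""
    return sorted(f for f in current if f.endswith(".php") and f not in seen)


if __name__ == "__main__":
    print("text left for the posted regex:", repr(after_prematch(SAMPLE_LINE, ORIGINAL_PREMATCH)))
    print("posted decoder extra_data:     ", repr(original_extra_data(SAMPLE_LINE)))
    print("corrected decoder files:       ", php_files(SAMPLE_LINE))
    print("new since last snapshot:       ", newly_created(php_files(SAMPLE_LINE), {"test.php"}))
```

On a real installation the authoritative check is `/var/ossec/bin/ossec-logtest`: paste the log line into it and confirm that the `php-check-log` decoder and rule 100002 both appear in its output before looking at the active-response side.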