Ok. Apologies in advance for the length of this. First the main log (ossec.log) from the point of a recent OSSEC-HIDS server restart:
2006/08/09 10:06:12 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-remoted(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-analysisd(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-maild(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-execd(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:17 ossec-maild: Started (pid: 3377).
2006/08/09 10:06:17 ossec-execd: Started (pid: 3381).
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'named_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'web_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2006/08/09 10:06:17 ossec-remoted: Started (pid: 3393).
2006/08/09 10:06:17 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2006/08/09 10:06:17 ossec-remoted: Started (pid: 3395).
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Total rules enabled: '338'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/mtab'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/mnttab'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/random-seed'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/adjtime'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/utmpx'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution/DataStore'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution/ReportingEvents.log'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config/systemprofile/Local Settings'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
2006/08/09 10:06:17 ossec-analysisd: 9 IPs in the white list for active response.
2006/08/09 10:06:17 ossec-analysisd: Started (pid: 3385).
2006/08/09 10:06:17 ossec-remoted: Assigning counter for agent HINGHAM: '1:2153'.
2006/08/09 10:06:17 ossec-remoted: Assigning sender counter: 0:4
2006/08/09 10:06:20 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/08/09 10:06:20 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/08/09 10:06:20 ossec-syscheckd: Started (pid: 3401).
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/radius/radius.log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/access_log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/error_log'.
2006/08/09 10:06:23 ossec-logcollector: Started (pid: 3389).

Next, a snippet from ossec-alerts-09.log:

** Alert 1155132717.132107: 2006 Aug 09 10:11:57 (HINGHAM) 192.168.1.3->/var/log/httpd/access_log
Rule: 3101 (level 5) -> 'Web server 400 error code.'
Src IP: 192.168.100.53
User: (none)
192.168.100.53 - - [09/Aug/2006:10:11:54 -0400] "GET / HTTP/1.1" 400 311 "-" "-"

** Alert 1155132717.132376: 2006 Aug 09 10:11:57 (HINGHAM) 192.168.1.3->/etc/httpd/logs/access_log
Rule: 3101 (level 5) -> 'Web server 400 error code.'
Src IP: 192.168.100.53
User: (none)
192.168.100.53 - - [09/Aug/2006:10:11:54 -0400] "GET / HTTP/1.1" 400 311 "-" "-"

My note - this alert, which is repeated many times, regards the only box on which I have the OSSEC-HIDS agent. It's our Web server. The IP address referenced is that of my WinXP desktop. This looks unrelated to my original question but, well, there it is.

Finally, ossec.conf:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[EMAIL PROTECTED]</email_to>
    <smtp_server>192.168.1.2</smtp_server>
    <email_from>[EMAIL PROTECTED]</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed - default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.100.2</white_list>
    <white_list>192.168.100.3</white_list>
    <white_list>192.168.100.4</white_list>
    <white_list>192.168.100.6</white_list>
    <white_list>192.168.100.9</white_list>
    <white_list>192.168.100.10</white_list>
    <white_list>192.168.100.52</white_list>
    <white_list>192.168.100.53</white_list>
  </global>

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds. -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc). -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/radius/radius.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/error_log</location>
  </localfile>
</ossec_config>

Dimitri

On Wednesday August 09 2006 9:49 am, Ahmet Ozturk wrote:
> Hi Dimitri,
>
> If it's not a problem for you, please send them to list.
> It would be good for list members to see them.
> Someone may have different ideas than mine. :)
>
> Regards,
>
> Ahmet Ozturk.
>
> Dimitri Yioulos wrote:
> > Yes. May I send these to you OL?
> >
> > Dimitri
> >
> > On Wednesday August 09 2006 9:33 am, Ahmet Ozturk wrote:
> >> Hi again,
> >>
> >> I'll test windows agent at home tonight.
> >> Can you send us your ossec.conf file and related alert logs?
> >>
> >> Regards,
> >>
> >> Ahmet Ozturk.
> >>
> >> Dimitri Yioulos wrote:
> >>> Thanks, Ahmet.
> >>>
> >>> Might you have any idea why my WinXP box keeps getting blocked
> >>> when using the ssh and ftp tools, even though it's whitelisted?
> >>>
> >>> Dimitri
> >>>
> >>> On Wednesday August 09 2006 9:12 am, Ahmet Ozturk wrote:
> >>>> Hi Dimitri,
> >>>>
> >>>> OSSEC-HIDS configuration only accepts CIDRs /8 /16 /24 /32.
> >>>>
> >>>> Please see Rafael Capovilla's solution.
> >>>> (http://www.ossec.net/ossec-list/2006-August/msg00063.html)
> >>>>
> >>>> I think Meir Michanie will correct this issue soon.
> >>>>
> >>>> Since you have only two agent boxes, you may define them
> >>>> separately in config file like:
> >>>> <white_list>192.168.100.xx/32</white_list>
> >>>> <white_list>192.168.100.yyy/32</white_list>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Ahmet Ozturk.
> >>>>
> >>>> Dimitri Yioulos wrote:
> >>>>> Hello list members.
> >>>>>
> >>>>> In order to use various tools on my OSSEC-HIDS server and
> >>>>> agent boxes, I've whitelisted my two desktop boxes - WinXP
> >>>>> and SimplyMepis Linux.
> >>>>>
> >>>>> From the Linux desktop, using cli ssh and sftp tools, I have no
> >>>>> trouble getting into the OSSEC-HIDS server or agents. From
> >>>>> the Windows desktop, however, I keep getting added to
> >>>>> hosts.deny when using either Putty (ssh) or WinSCP3 (sftp).
> >>>>> I then have to remove the entry for the WinXP desktop from
> >>>>> hosts.deny and restart the OSSEC-HIDS server (merely removing
> >>>>> the entry from hosts.deny doesn't work). I have, as per
> >>>>> instruction, added a separate entry in ossec.conf for each
> >>>>> LAN address I want to whitelist. Is this a possible bug, or
> >>>>> am I doing something wrong?
> >>>>>
> >>>>> I tried whitelisting my entire LAN by adding
> >>>>> <white_list>192.168.100.0/22</white_list>, but that didn't
> >>>>> seem to work. If this isn't something I'm doing wrong, might
> >>>>> I suggest adding this ability in a future release?
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Dimitri
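As an added example (not code from this thread or from OSSEC itself), the check below models the whitelist behaviour Ahmet describes: only /8, /16, /24 and /32 prefixes are honoured, so the /22 entry Dimitri tried is assumed to match nothing, and a bare address is assumed to act as a /32 host entry. It also applies the level-6 active-response threshold from the ossec.conf above, and rewrites an unsupported prefix into the supported entries that cover the same range.

```python
import ipaddress

# Prefix lengths the thread says this OSSEC build accepts in <white_list>
# (per Ahmet's reply). Treating any other prefix as "matches nothing" is an
# assumption made for this example, not verified OSSEC behaviour.
SUPPORTED_PREFIXES = (8, 16, 24, 32)


def parse_white_list(entries):
    """Split <white_list> values into usable networks and rejected entries.

    A bare address such as '192.168.100.53' is assumed to behave as a /32
    host entry, as the entries in the ossec.conf above are written.
    """
    usable, rejected = [], []
    for entry in entries:
        spec = entry if "/" in entry else entry + "/32"
        net = ipaddress.ip_network(spec, strict=False)
        if net.prefixlen in SUPPORTED_PREFIXES:
            usable.append(net)
        else:
            rejected.append(entry)
    return usable, rejected


def expand_to_supported(entry):
    """Rewrite an unsupported prefix (e.g. a /22) as the smallest supported
    prefix that fits, e.g. four /24 networks covering the same range."""
    net = ipaddress.ip_network(entry, strict=False)
    target = min(p for p in SUPPORTED_PREFIXES if p >= net.prefixlen)
    return [str(sub) for sub in net.subnets(new_prefix=target)]


def would_block(src_ip, alert_level, white_list, ar_level=6):
    """True if an alert at alert_level from src_ip would fire the host-deny
    and firewall-drop responses configured with <level>6</level> above."""
    if alert_level < ar_level:
        return False  # e.g. rule 3101 is level 5: no active response
    usable, _ = parse_white_list(white_list)
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in usable)


if __name__ == "__main__":
    lan = "192.168.100.0/22"  # the entry Dimitri tried
    print("rejected:", parse_white_list([lan])[1])
    print("use instead:", expand_to_supported(lan))
    print("WinXP box blocked at level 6 with the /22?",
          would_block("192.168.100.53", 6, [lan]))
    print("... with the expanded entries?",
          would_block("192.168.100.53", 6, expand_to_supported(lan)))
```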