Ok.  Apologies in advance for the length of this.

First the main log (ossec.log) from the point of a recent OSSEC-HIDS 
server restart:

2006/08/09 10:06:12 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-remoted(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-analysisd(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-maild(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:12 ossec-execd(1225): SIGNAL Received. Exit Cleaning...
2006/08/09 10:06:17 ossec-maild: Started (pid: 3377).
2006/08/09 10:06:17 ossec-execd: Started (pid: 3381).
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'named_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'web_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2006/08/09 10:06:17 ossec-remoted: Started (pid: 3393).
2006/08/09 10:06:17 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2006/08/09 10:06:17 ossec-remoted: Started (pid: 3395).
2006/08/09 10:06:17 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2006/08/09 10:06:17 ossec-analysisd: Total rules enabled: '338'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/mtab'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/mnttab'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/random-seed'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/adjtime'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/utmpx'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution/DataStore'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution/ReportingEvents.log'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config/systemprofile/Local Settings'
2006/08/09 10:06:17 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
2006/08/09 10:06:17 ossec-analysisd: 9 IPs in the white list for active response.
2006/08/09 10:06:17 ossec-analysisd: Started (pid: 3385).
2006/08/09 10:06:17 ossec-remoted: Assigning counter for agent HINGHAM: '1:2153'.
2006/08/09 10:06:17 ossec-remoted: Assigning sender counter: 0:4
2006/08/09 10:06:20 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue)
2006/08/09 10:06:20 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/08/09 10:06:20 ossec-syscheckd: Started (pid: 3401).
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/radius/radius.log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/access_log'.
2006/08/09 10:06:23 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/error_log'.
2006/08/09 10:06:23 ossec-logcollector: Started (pid: 3389).


Next, a snippet from ossec-alerts-09.log:

** Alert 1155132717.132107:
2006 Aug 09 10:11:57 (HINGHAM) 192.168.1.3->/var/log/httpd/access_log
Rule: 3101 (level 5) -> 'Web server 400 error code.'
Src IP: 192.168.100.53
User: (none)
192.168.100.53 - - [09/Aug/2006:10:11:54 -0400] "GET / HTTP/1.1" 400 311 "-" "-"

** Alert 1155132717.132376:
2006 Aug 09 10:11:57 (HINGHAM) 192.168.1.3->/etc/httpd/logs/access_log
Rule: 3101 (level 5) -> 'Web server 400 error code.'
Src IP: 192.168.100.53
User: (none)
192.168.100.53 - - [09/Aug/2006:10:11:54 -0400] "GET / HTTP/1.1" 400 311 "-" "-"

My note - this alert, which is repeated many times, regards the only 
box on which I have the OSSEC-HIDS agent.  It's our Web server.  The 
IP address referenced is that of my WinXP desktop.  This looks 
unrelated to my original question but, well, there it is.


Finally, ossec.conf:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[EMAIL PROTECTED]</email_to>
    <smtp_server>192.168.1.2</smtp_server>
    <email_from>[EMAIL PROTECTED]</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed - default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.100.2</white_list>
    <white_list>192.168.100.3</white_list>
    <white_list>192.168.100.4</white_list>
    <white_list>192.168.100.6</white_list>
    <white_list>192.168.100.9</white_list>
    <white_list>192.168.100.10</white_list>
    <white_list>192.168.100.52</white_list>
    <white_list>192.168.100.53</white_list>
  </global>

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/radius/radius.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/error_log</location>
  </localfile>
</ossec_config>


Dimitri


On Wednesday August 09 2006 9:49 am, Ahmet Ozturk wrote:
> Hi Dimitri,
>
> If it's not a problem for you, please send them to list.
> It would be good for list members to see them.
> Someone may have different ideas then mine. :)
>
> Regards,
>
> Ahmet Ozturk.
>
> Dimitri Yioulos wrote:
> > Yes.  May I send these to you OL?
> >
> > Dimitri
> >
> > On Wednesday August 09 2006 9:33 am, Ahmet Ozturk wrote:
> >> Hi again,
> >>
> >> I'll test windows agent at home tonight.
> >> Can you send us your ossec.conf file and related alert logs?
> >>
> >> Regards,
> >>
> >> Ahmet Ozturk.
> >>
> >> Dimitri Yioulos wrote:
> >>> Thanks, Ahmet.
> >>>
> >>> Might you have any idea why my WinXP box keeps getting blocked
> >>> when using the ssh and ftp tools, even though it's whitelisted?
> >>>
> >>> Dimitri
> >>>
> >>> On Wednesday August 09 2006 9:12 am, Ahmet Ozturk wrote:
> >>>> Hi Dimitri,
> >>>>
> >>>> OSSEC-HIDS configuration only accepts CIDRs /8 /16 /24 /32.
> >>>>
> >>>> Please see Rafael Capovilla's solution.
> >>>> (http://www.ossec.net/ossec-list/2006-August/msg00063.html)
> >>>>
> >>>> I think Meir Michanie will correct this issue soon.
> >>>>
> >>>> Since you have only two agent boxes, you may define them
> >>>> separately in config file like:
> >>>> <white_list>192.168.100.xx/32</white_list>
> >>>> <white_list>192.168.100.yyy/32</white_list>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Ahmet Ozturk.
> >>>>
> >>>> Dimitri Yioulos wrote:
> >>>>> Hello list members.
> >>>>>
> >>>>> In order to use various tools on my OSSEC-HIDS server and
> >>>>> agent boxes, I've whitelisted my two desktop boxes - WinXP
> >>>>> and SimplyMepis Linux.
> >>>>>
> >>>>> From the Linux desktop, using cli ssh and sftp tools, I have no
> >>>>> trouble getting into the OSSEC-HIDS server or agents.  From
> >>>>> the Windows desktop, however, I keep getting added to
> >>>>> hosts.deny when using either Putty (ssh) or WinSCP3 (sftp).
> >>>>> I then have to remove the entry for the WinXP desktop from
> >>>>> hosts.deny and restart the OSSEC-HIDS server (merely removing
> >>>>> the entry from hosts.deny doesn't work).  I have, as per
> >>>>> instruction, added a separate entry in ossec.conf for each
> >>>>> LAN address I want to whitelist.  Is this a possible bug, or
> >>>>> am I doing something wrong?
> >>>>>
> >>>>> I tried whitelisting my entire LAN by adding
> >>>>> <white_list>192.168.100.0/22</white_list>, but that didn't
> >>>>> seem to work.  If this isn't something I'm doing wrong, might
> >>>>> I suggest adding this ability in a future release?
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Dimitri
