+++949728:33261:0:0:4d0c26d748241dd469466b303317c43b:f0ab007d37cf65a28db32c8e6fbd79b2448dd2cc !1439965988 /usr/sbin/tcpdump
четверг, 20 августа 2015 г., 15:26:53 UTC+3 пользователь dan (ddpbsd) написал: > > > On Aug 20, 2015 5:08 AM, "Oleg Makarov" <theoleg...@gmail.com > <javascript:>> wrote: > > > > I see this > > -rw-r----- 1 ossec ossec 350K Aug 19 09:33 (logstashnode1) > 192.168.198.211->syscheck > > > > > > That file is a text file, see if the file you created is listed in it. > > > > > среда, 19 августа 2015 г., 16:31:31 UTC+3 пользователь dan (ddpbsd) > написал: > >> > >> On Wed, Aug 19, 2015 at 2:43 AM, Oleg Makarov <theoleg...@gmail.com> > wrote: > >> > Yes, i restart ossec. > >> > For example! > >> > My server has 192.168.190.20 ip address, my client(logstashnode1) has > >> > 192.168.198.211 ip address. > >> > Look by timestamp. > >> > On client: > >> > root@logstash-node1:~# apt-get install tcpdump > >> > > >> > On server: > >> > http://prntscr.com/86bv2u > >> > And there is no email alert. > >> > Next I change a file and > >> > root@logstash-node1:~# tcpdump host 192.168.190.20 > >> > tcpdump: verbose output suppressed, use -v or -vv for full protocol > decode > >> > listening on eth1, link-type EN10MB (Ethernet), capture size 65535 > bytes > >> > 09:23:22.302340 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 329 > >> > 09:25:28.437477 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 361 > >> > 09:25:28.439484 IP 192.168.190.20.1514 > 192.168.198.211.46259: UDP, > length > >> > 73 > >> > 09:25:32.396813 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 89 > >> > w09:27:42.527598 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 569 > >> > 09:28:08.271268 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 89 > >> > 09:29:25.883934 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 129 > >> > 09:29:52.660490 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 513 > >> > 09:30:56.247744 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 137 > >> > 09:31:16.422701 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 137 > >> > 09:32:02.785489 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 217 > >> > w09:33:08.820036 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 137 > >> > 09:34:12.913942 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 185 > >> > 09:34:14.284525 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 145 > >> > 09:34:16.627091 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 137 > >> > 09:34:38.638144 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 89 > >> > 09:34:38.638292 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 81 > >> > 09:35:28.690221 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 281 > >> > 09:35:28.692716 IP 192.168.190.20.1514 > 192.168.198.211.46259: UDP, > length > >> > 73 > >> > 09:36:23.042208 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 185 > >> > 09:38:33.163604 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 441 > >> > 09:40:43.291763 IP 192.168.198.211.46259 > 192.168.190.20.1514: UDP, > length > >> > 409 > >> > > >> > on client: > >> > w2015/08/19 09:28:08 ossec-syscheckd: INFO: Starting syscheck scan. > >> > 2015/08/19 09:34:38 ossec-syscheckd: INFO: Ending syscheck scan. > >> > > >> > and no alert on email! > >> > > >> > What is going on? :( > >> > > >> > >> Is the new file in the syscheck db > (/var/ossec/queue/syscheck/SOMETHING)? > >> > >> > вторник, 18 августа 2015 г., 15:36:43 UTC+3 пользователь dan (ddpbsd) > >> > написал: > >> >> > >> >> On Tue, Aug 18, 2015 at 4:15 AM, Oleg Makarov <theoleg...@gmail.com> > > >> >> wrote: > >> >> > In local_rules > >> >> > <rule id="554" level="10" overwrite="yes"> > >> >> > <category>ossec</category> > >> >> > <decoded_as>syscheck_new_entry</decoded_as> > >> >> > <description>File added to the system.</description> > >> >> > <group>syscheck,</group> > >> >> > </rule> > >> >> > > >> >> > >> >> After making this change, did you restart the OSSEC processes? > >> >> Did syscheck complete a scan after creating the file you wanted it > to > >> >> detect? > >> >> > >> >> > > >> >> > понедельник, 17 августа 2015 г., 18:31:14 UTC+3 пользователь dan > >> >> > (ddpbsd) > >> >> > написал: > >> >> >> > >> >> >> On Mon, Aug 17, 2015 at 9:20 AM, Oleg Makarov < > theoleg...@gmail.com> > >> >> >> wrote: > >> >> >> > I'm trying to touch some file, but there is no alert about new > file ( > >> >> >> > > >> >> >> > >> >> >> Did you set rule 554 to a higher level than 0? > >> >> >> > >> >> >> > понедельник, 17 августа 2015 г., 13:06:12 UTC+3 пользователь > Oleg > >> >> >> > Makarov > >> >> >> > написал: > >> >> >> >> > >> >> >> >> I have agent.conf > >> >> >> >> <agent_config> > >> >> >> >> <syscheck> > >> >> >> >> <frequency>600</frequency> > >> >> >> >> <alert_new_files>yes</alert_new_files> > >> >> >> >> <scan_on_start>no</scan_on_start> > >> >> >> >> <auto_ignore>no</auto_ignore> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/etc,/usr/bin,/usr/sbin</directories> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/bin,/sbin</directories> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/usr/local/sbin</directories> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/usr/local/bin</directories> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/var/www</directories> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/boot,/root</directories> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/opt/</directories> > >> >> >> >> </syscheck> > >> >> >> >> <rootcheck> > >> >> >> >> > >> >> >> >> > >> >> >> >> > <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> > >> >> >> >> > >> >> >> >> > >> >> >> >> > >> >> >> >> > <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> > > >> >> >> >> </rootcheck> > >> >> >> >> </agent_config> > >> >> >> >> > >> >> >> >> I see that md5sum on agent and master are matched. > >> >> >> >> And in alerts.log I see that something changing like: > >> >> >> >> ** Alert 1439801053.7257075: mail - ossec,syscheck, > >> >> >> >> 2015 Aug 17 11:44:13 (***) 192.168.95.11->syscheck > >> >> >> >> Rule: 552 (level 7) -> 'Integrity checksum changed again (3rd > >> >> >> >> time).' > >> >> >> >> Integrity checksum changed for: '/etc/resolv.conf' > >> >> >> >> Size changed from '69' to '282' > >> >> >> >> Old md5sum was: '92afcc2863f403d86fe4befc8c54a0be' > >> >> >> >> New md5sum is : '71bc9f207c1f1a427d130647c1c608fb' > >> >> >> >> Old sha1sum was: '54dfdd362b1f2c060b2f250e15052078f1670af7' > >> >> >> >> New sha1sum is : 'e7a70a9a56d5f120cb4286ff416089e8f3bccf83' > >> >> >> >> But there is no email for this alert. Sometime I received it, > >> >> >> >> sometimes > >> >> >> >> not. > >> >> >> >> What I 'm doing wrong? > >> >> >> >> Master config: > >> >> >> >> <ossec_config> > >> >> >> >> <global> > >> >> >> >> <email_notification>yes</email_notification> > >> >> >> >> <email_to>it2@*.com</email_to> > >> >> >> >> <smtp_server>mail2.*.com</smtp_server> > >> >> >> >> <email_from>ossecmail@*.com</email_from> > >> >> >> >> </global> > >> >> >> >> > >> >> >> >> > >> >> >> >> <rules> > >> >> >> >> <include>rules_config.xml</include> > >> >> >> >> <include>pam_rules.xml</include> > >> >> >> >> <include>sshd_rules.xml</include> > >> >> >> >> <include>telnetd_rules.xml</include> > >> >> >> >> <include>syslog_rules.xml</include> > >> >> >> >> <include>arpwatch_rules.xml</include> > >> >> >> >> <include>symantec-av_rules.xml</include> > >> >> >> >> <include>symantec-ws_rules.xml</include> > >> >> >> >> <include>pix_rules.xml</include> > >> >> >> >> <include>named_rules.xml</include> > >> >> >> >> <include>smbd_rules.xml</include> > >> >> >> >> <include>vsftpd_rules.xml</include> > >> >> >> >> <include>pure-ftpd_rules.xml</include> > >> >> >> >> <include>proftpd_rules.xml</include> > >> >> >> >> <include>ms_ftpd_rules.xml</include> > >> >> >> >> <include>ftpd_rules.xml</include> > >> >> >> >> <include>hordeimp_rules.xml</include> > >> >> >> >> <include>roundcube_rules.xml</include> > >> >> >> >> <include>wordpress_rules.xml</include> > >> >> >> >> <include>cimserver_rules.xml</include> > >> >> >> >> <include>vpopmail_rules.xml</include> > >> >> >> >> <include>vmpop3d_rules.xml</include> > >> >> >> >> <include>courier_rules.xml</include> > >> >> >> >> <include>web_rules.xml</include> > >> >> >> >> <include>web_appsec_rules.xml</include> > >> >> >> >> <include>apache_rules.xml</include> > >> >> >> >> <include>nginx_rules.xml</include> > >> >> >> >> <include>php_rules.xml</include> > >> >> >> >> <include>mysql_rules.xml</include> > >> >> >> >> <include>postgresql_rules.xml</include> > >> >> >> >> <include>ids_rules.xml</include> > >> >> >> >> <include>squid_rules.xml</include> > >> >> >> >> <include>firewall_rules.xml</include> > >> >> >> >> <include>cisco-ios_rules.xml</include> > >> >> >> >> <include>netscreenfw_rules.xml</include> > >> >> >> >> <include>sonicwall_rules.xml</include> > >> >> >> >> <include>postfix_rules.xml</include> > >> >> >> >> <include>sendmail_rules.xml</include> > >> >> >> >> <include>imapd_rules.xml</include> > >> >> >> >> <include>mailscanner_rules.xml</include> > >> >> >> >> <include>dovecot_rules.xml</include> > >> >> >> >> <include>ms-exchange_rules.xml</include> > >> >> >> >> <include>racoon_rules.xml</include> > >> >> >> >> <include>vpn_concentrator_rules.xml</include> > >> >> >> >> <include>spamd_rules.xml</include> > >> >> >> >> <include>msauth_rules.xml</include> > >> >> >> >> <include>mcafee_av_rules.xml</include> > >> >> >> >> <include>trend-osce_rules.xml</include> > >> >> >> >> <include>ms-se_rules.xml</include> > >> >> >> >> <!-- <include>policy_rules.xml</include> --> > >> >> >> >> <include>zeus_rules.xml</include> > >> >> >> >> <include>solaris_bsm_rules.xml</include> > >> >> >> >> <include>vmware_rules.xml</include> > >> >> >> >> <include>ms_dhcp_rules.xml</include> > >> >> >> >> <include>asterisk_rules.xml</include> > >> >> >> >> <include>ossec_rules.xml</include> > >> >> >> >> <include>attack_rules.xml</include> > >> >> >> >> <include>openbsd_rules.xml</include> > >> >> >> >> <include>clam_av_rules.xml</include> > >> >> >> >> <include>dropbear_rules.xml</include> > >> >> >> >> <include>local_rules.xml</include> > >> >> >> >> </rules> > >> >> >> >> > >> >> >> >> > >> >> >> >> <syscheck> > >> >> >> >> <!-- Frequency that syscheck is executed - default to > every 22 > >> >> >> >> hours > >> >> >> >> --> > >> >> >> >> <frequency>300</frequency> > >> >> >> >> > >> >> >> >> > >> >> >> >> <!-- Directories to check (perform all possible > verifications) > >> >> >> >> --> > >> >> >> >> <directories report_changes="yes" check_all="yes" > >> >> >> >> realtime="yes">/etc,/usr/bin,/usr/sbin</directories> > >> >> >> >> > >> >> >> >> ... > >> >> >> > > >> >> >> > -- > >> >> >> > > >> >> >> > --- > >> >> >> > You received this message because you are subscribed to the > Google > >> >> >> > Groups > >> >> >> > "ossec-list" group. > >> >> >> > To unsubscribe from this group and stop receiving emails from > it, > >> >> >> > send > >> >> >> > an > >> >> >> > email to ossec-list+...@googlegroups.com. > >> >> >> > For more options, visit https://groups.google.com/d/optout. > >> >> > > >> >> > -- > >> >> > > >> >> > --- > >> >> > You received this message because you are subscribed to the Google > >> >> > Groups > >> >> > "ossec-list" group. > >> >> > To unsubscribe from this group and stop receiving emails from it, > send > >> >> > an > >> >> > email to ossec-list+...@googlegroups.com. > >> >> > For more options, visit https://groups.google.com/d/optout. > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send an > >> > email to ossec-list+...@googlegroups.com. > >> > For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
