On Thu, Nov 12, 2015 at 11:20 PM, frwa onto <[email protected]> wrote:
> Hi Dan,
> Hi Dan,
>            Yes, you are right, the 31106 rule does not exist even in my
> current 2.8.1. In my 2.8.1 I see the rules start at 50100; is there
> any specific reason why the older rules have been removed? I guess

Unless you removed the files in /var/ossec/rules, that rule should be
there. It should be in the web_rules.xml file.

> that I should upgrade the older machine to the new 2.8.1? Just for
> knowledge's sake, must I always uninstall and install a new version of OSSEC, or

You should download the source (if you installed via source) and run
the install.sh script. It should detect your current installation and
offer to upgrade. NOTE: It will overwrite the rules files (except
local_rules.xml or any you've added), as well as decoder.xml (but not
local_decoder.xml).

> just replace the rules XML file? Also, why in 2.7.1, when the AR is
> activated, don't I see which rule is triggered in the ossec.log file itself?
>

The ossec.log does not log this information.

> On Fri, Nov 13, 2015 at 1:05 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Nov 9, 2015 at 11:11 PM, frwa onto <[email protected]> wrote:
>> > Hi Santiago,
>> >                    I am just running as standalone so its not a manager
>> > or
>> > agent. I have another machine for instance I am using the older ossec
>> > 2.7.1
>>
>>
>> 2.7.1 is way too old to provide much support for.
>>
>> > in that one I have tried, say, phpMyAdmin, and when I start browsing
>> > huge data OSSEC will block me, and only after some time can I log in. Here
>> > is the active response log, as below.
>> >
>> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
>>
>> So rule 31106 is triggering the AR.
>>   <rule id="31106" level="6">
>>     <if_sid>31103, 31104, 31105</if_sid>
>>     <id>^200</id>
>>     <description>A web attack returned code 200 (success).</description>
>>     <group>attack,</group>
>>   </rule>
>>
>> You'll have to go through 31103-31105 to try and get a more specific
>> understanding of what is triggering the alert.
>> (All of this is taken from a 2.8.3+ system, so details may be
>> different from 2.7.1)
>>
>> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
>> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
>> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
>> >
>> > I don't know what the trigger is exactly, but I know it is due to my browsing of
>> > huge data. Also, how do I overcome this issue? In my older version I saw this
>> > error too:
>> > ossec-execd: INFO: Active response command not present:
>> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
>> > system.
>> >
>> > This is my worry: on the new machine using 2.8.1, the app might get blocked
>> > from accessing the data.
>> >
>> > On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
>> > wrote:
>> >>
>> >> Are you running an agent or the manager? I don't think OSSEC would
>> >> block access to your MySQL db.
>> >>
>> >> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <[email protected]> wrote:
>> >>>
>> >>> Hi,
>> >>>     I have centos server. I have managed to install ossec 2.8.1. It
>> >>> mainly runs a socket programming app. For every instance of a
>> >>> connection it
>> >>> will receive data and insert into mysql db. What I worried in what
>> >>> scenario
>> >>> will it block the access to this local mysql db as I can see there
>> >>> some
>> >>> rules for mysql? Sorry very new to these.
>> >>>
>> >>> --
>> >>>
>> >>> ---
>> >>> You received this message because you are subscribed to the Google
>> >>> Groups
>> >>> "ossec-list" group.
>> >>> To unsubscribe from this group and stop receiving emails from it, send
>> >>> an
>> >>> email to [email protected].
>> >>> For more options, visit https://groups.google.com/d/optout.
>>

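The active-response log lines quoted in this thread carry the rule id as their last field, and as dan notes, ossec.log itself does not record which rule fired the block. The following is an added example, not OSSEC's own code and not something posted in the thread: a small Python parser for that line layout. It pairs each `add` with the matching `delete` for the same script and source IP (which gives the real block duration; the posted lines work out to 630 seconds) and counts distinct alerts per rule id, so you know which rule to look at. The `10.212.134.200` lines in the sample are the ones posted above; the `10.212.134.77` line and its alert id are constructed to show an entry that is still blocked. All function names are mine.

```python
"""Summarise OSSEC active-response activity from active-responses.log.

Added example, not OSSEC's own code. It assumes the line layout posted in
the thread:
  <weekday month day HH:MM:SS> <TZ> <year> <script> <add|delete> <user> <srcip> <alert-id> <rule-id>
"""
import re
import sys
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>\S+) (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert>\S+) (?P<rule>\d+)$"
)

# Constructed sample: the 10.212.134.200 lines are the ones posted in the
# thread; the 10.212.134.77 line (still blocked, no delete yet) is made up.
SAMPLE_LOG = """\
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 12:03:05 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.77 1447128185.44210 31106
"""


def parse_line(line):
    """Return a dict for one AR log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The zone abbreviation (MYT here) is dropped: strptime cannot parse
    # arbitrary zone names, and the file is written in local time anyway.
    rec["when"] = datetime.strptime(
        " ".join(rec["ts"].split()) + " " + rec["year"], "%a %b %d %H:%M:%S %Y"
    )
    return rec


def rules_triggering_ar(text):
    """Count distinct alerts per rule id that caused an 'add' (a block)."""
    seen = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "add":
            seen.add((rec["rule"], rec["alert"]))
    return Counter(rule for rule, _ in seen)


def block_intervals(text):
    """Pair each 'add' with the matching 'delete' for the same script and IP.

    Returns a list of dicts; 'end' and 'seconds' are None while still blocked.
    A 'delete' with no preceding 'add' is ignored.
    """
    open_blocks = {}
    intervals = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["script"].rsplit("/", 1)[-1], rec["ip"])
        if rec["action"] == "add":
            open_blocks[key] = rec
        elif key in open_blocks:
            start = open_blocks.pop(key)
            intervals.append({
                "ip": rec["ip"], "rule": start["rule"], "script": key[0],
                "start": start["when"], "end": rec["when"],
                "seconds": int((rec["when"] - start["when"]).total_seconds()),
            })
    for (script, ip), start in open_blocks.items():
        intervals.append({"ip": ip, "rule": start["rule"], "script": script,
                          "start": start["when"], "end": None, "seconds": None})
    return intervals


def report(text):
    """Human-readable summary, returned as lines so callers can inspect it."""
    lines = []
    for rule, n in sorted(rules_triggering_ar(text).items()):
        lines.append(f"rule {rule}: {n} distinct alert(s) triggered a block")
    for iv in block_intervals(text):
        status = "still blocked" if iv["end"] is None else f"{iv['seconds']} s"
        lines.append(f"{iv['ip']:<16} {iv['script']:<18} rule {iv['rule']}  {status}")
    return lines


if __name__ == "__main__":
    # Pass the real log (default install: /var/ossec/logs/active-responses.log)
    # as the first argument; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it against /var/ossec/logs/active-responses.log on the 2.7.1 box to see, per source IP, which rule id is behind each block and how long the block actually lasted; the rule id is then what you trace through the rule chain (31103-31105 feeding 31106 in the rules dan quoted) before deciding whether to tune it in local_rules.xml.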
