On Sat, Nov 14, 2015 at 12:15 AM, frwa onto <[email protected]> wrote:
> Hi Dan,
> Regarding this.
>
> "Unless you removed the files in /var/ossec/rules, that rule should be
> there. It should be in the web_rules.xml file."
>
> No, I did not remove anything. 2.8.1 is installed on a new machine, in fact.
>
> "You should download the source (if you installed via source) and run
> the install.sh script. It should detect your current installation and
> offer to upgrade. NOTE: It will overwrite the rules files (except
> local_rules.xml or any you've added), as well as decoder.xml (but not
> local_decoder.xml)."
>
> In my case I just downloaded these two files,
> ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm and
> ossec-hids-2.8.1-48.el6.art.x86_64.rpm, from the atomicorp site and just ran
> the yum command on them, and it installed ossec. So now, on my old machine, what
> is the correct method to replace the older 2.7.1 with 2.8.1? Should I keep it and
> just copy the rules folder from 2.8.1 into 2.7.1? Please advise; I might be
> doing it wrong.
>
I don't know much about the RPMs, but I do know that just copying the rules
from 2.8.1 to a 2.7.1 machine is the wrong way to upgrade. You should upgrade
OSSEC, not just the rules. I am guessing your package manager should be able
to help you with that.

> On Fri, Nov 13, 2015 at 9:38 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Nov 12, 2015 at 11:20 PM, frwa onto <[email protected]> wrote:
>> > Hi Dan,
>> > Yes, you are right, the 31106 rule doesn't exist even in my
>> > current 2.8.1. In my 2.8.1 I see the rules are starting with 50100, and
>> > is there any specific reason why the older rules have been removed? I guess
>>
>> Unless you removed the files in /var/ossec/rules, that rule should be
>> there. It should be in the web_rules.xml file.
>>
>> > that I should upgrade the older machine with the new 2.8.1? Just for
>> > knowledge's sake, must I always uninstall and install a new version of
>> > Ossec, or
>>
>> You should download the source (if you installed via source) and run
>> the install.sh script. It should detect your current installation and
>> offer to upgrade. NOTE: It will overwrite the rules files (except
>> local_rules.xml or any you've added), as well as decoder.xml (but not
>> local_decoder.xml).
>>
>> > just replace the rules xml file? Also, why in 2.7.1, when the AR is
>> > activated, don't I see which rule is triggered in the ossec log file itself?
>> >
>>
>> The ossec.log does not log this information.
>>
>> > On Fri, Nov 13, 2015 at 1:05 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Mon, Nov 9, 2015 at 11:11 PM, frwa onto <[email protected]> wrote:
>> >> > Hi Santiago,
>> >> > I am just running as standalone, so it's not a manager or
>> >> > agent. I have another machine, for instance, where I am using the older
>> >> > ossec 2.7.1;
>> >>
>> >>
>> >> 2.7.1 is way too old to provide much support for.
>> >>
>> >> > in that one I have tried, say, I got my phpMyAdmin, and when I start
>> >> > browsing huge data ossec will block me, and only after some time I can
>> >> > log in. Here is the active response log below.
>> >> >
>> >> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
>> >>
>> >> So rule 31106 is triggering the AR.
>> >> <rule id="31106" level="6">
>> >>   <if_sid>31103, 31104, 31105</if_sid>
>> >>   <id>^200</id>
>> >>   <description>A web attack returned code 200 (success).</description>
>> >>   <group>attack,</group>
>> >> </rule>
>> >>
>> >> You'll have to go through 31103-31105 to try and get a more specific
>> >> understanding of what is triggering the alert.
>> >> (All of this is taken from a 2.8.3+ system, so details may be
>> >> different from 2.7.1)
>> >>
>> >> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
>> >> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
>> >> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
>> >> >
>> >> > I don't know what the trigger is exactly, but I know it is due to my
>> >> > browsing of huge data; also, how do I overcome this issue? In my older
>> >> > version I saw this error too:
>> >> > ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >
>> >> > This is my worry on the new machine using 2.8.1: the app might get
>> >> > blocked from accessing the data.
>> >> >
>> >> > On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:
>> >> >>
>> >> >> Are you running an agent or the manager? I don't think OSSEC would
>> >> >> block access to your mysql db.
>> >> >>
>> >> >> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <[email protected]> wrote:
>> >> >>>
>> >> >>> Hi,
>> >> >>> I have a centos server. I have managed to install ossec 2.8.1. It
>> >> >>> mainly runs a socket programming app. For every instance of a
>> >> >>> connection it will receive data and insert it into a mysql db. What I
>> >> >>> worry about is in what scenario it will block the access to this local
>> >> >>> mysql db, as I can see there are some rules for mysql. Sorry, very new
>> >> >>> to these.
>> >> >>>
>> >> >>> --
>> >> >>>
>> >> >>> ---
>> >> >>> You received this message because you are subscribed to the Google
>> >> >>> Groups "ossec-list" group.
>> >> >>> To unsubscribe from this group and stop receiving emails from it, send
>> >> >>> an email to [email protected].
>> >> >>> For more options, visit https://groups.google.com/d/optout.
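An added example, not from the thread or from OSSEC itself: a small Python parser for the active-response.log lines quoted above. It extracts the rule id behind each block (what Dan reads off the line by eye) and pairs each add with its delete to show how long the source IP stayed blocked. The sample lines are constructed from the ones in the thread, and the line layout (date, timezone, year, script, action, user, srcip, alert id, rule id) is assumed to match what the thread shows.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the active-response.log lines quoted in the thread.
SAMPLE_AR_LOG = """\
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
"""

# Assumed layout: date, timezone (ignored), year, script, action, user, srcip, alert id, rule id.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$"
)

def parse_ar_log(text):
    """One dict per well-formed line; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # The timezone token is dropped on purpose: strptime's %Z is not portable.
        ev["time"] = datetime.strptime(f"{ev['date']} {ev['year']}", "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events

def rules_triggering_ar(events):
    """Count 'add' actions per rule id: which rule is actually firing the active response."""
    return Counter(ev["rule_id"] for ev in events if ev["action"] == "add")

def pair_blocks(events):
    """Pair each 'add' with the next 'delete' for the same script and IP; unmatched adds get duration None."""
    open_adds, blocks = {}, []
    for ev in events:
        key = (ev["script"].rsplit("/", 1)[-1], ev["srcip"])
        if ev["action"] == "add":
            open_adds[key] = ev
        elif key in open_adds:
            start = open_adds.pop(key)
            secs = int((ev["time"] - start["time"]).total_seconds())
            blocks.append((key[0], key[1], start["rule_id"], secs))
    for key, ev in open_adds.items():  # blocks still in force when the log ends
        blocks.append((key[0], key[1], ev["rule_id"], None))
    return blocks
```

On the sample, both scripts report 630 seconds blocked for 10.212.134.200 by rule 31106, which is the number to compare against the timeout configured for that active-response command.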
