Hi Dan,
          OK, thank you for the confirmation. I think I will yum uninstall
the older one and replace it with the new rpm.

On Tue, Nov 17, 2015 at 9:41 PM, dan (ddp) <[email protected]> wrote:

> On Sat, Nov 14, 2015 at 12:15 AM, frwa onto <[email protected]> wrote:
> > Hi Dan,
> >            Regarding this.
> >
> > "Unless you removed the files in /var/ossec/rules, that rule should be
> > there. It should be in the web_rules.xml file."
> >
> > No, I did not remove anything. The 2.8.1 is installed on a new machine, in fact.
> >
> >
> > "You should download the source (if you installed via source) and run
> > the install.sh script. It should detect your current installation and
> > offer to upgrade. NOTE: It will overwrite the rules files (except
> > local_rules.xml or any you've added), as well as decoder.xml (but not
> > local_decoder.xml)."
> >
> > In my case I just downloaded these two files,
> > ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm and
> > ossec-hids-2.8.1-48.el6.art.x86_64.rpm, from the atomicorp site and just ran
> > the yum command on them, and it installed ossec. So now, on my old machine,
> > what is the correct method to replace the older 2.7.1 with 2.8.1? Should I
> > keep it and just copy the rules folder from 2.8.1 into 2.7.1? Please advise,
> > I might be doing it wrong.
> >
>
> I don't know much about the RPMs, but I do know that just copying the
> rules from 2.8.1 to a 2.7.1 machine is the wrong way to upgrade. You
> should upgrade OSSEC, not just the rules. I am guessing your package
> manager should be able to help you with that.
>
>
> > On Fri, Nov 13, 2015 at 9:38 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Thu, Nov 12, 2015 at 11:20 PM, frwa onto <[email protected]> wrote:
> >> > Hi Dan,
> >> >            Yes, you are right, the 31106 rule does not exist even in my
> >> > current 2.8.1. In my 2.8.1 I see the rules are starting with 50100; is
> >> > there any specific reason why the older rules have been removed? I guess
> >>
> >> Unless you removed the files in /var/ossec/rules, that rule should be
> >> there. It should be in the web_rules.xml file.
> >>
> >> > that I should upgrade the older machine with the new 2.8.1? Just for
> >> > knowledge's sake, must I always uninstall and install a new version of
> >> > Ossec or
> >>
> >> You should download the source (if you installed via source) and run
> >> the install.sh script. It should detect your current installation and
> >> offer to upgrade. NOTE: It will overwrite the rules files (except
> >> local_rules.xml or any you've added), as well as decoder.xml (but not
> >> local_decoder.xml).
> >>
> >> > just replace the rules xml file? Also, why in 2.7.1, when the AR is
> >> > activated, don't I see which rule is triggered in the ossec log file itself?
> >> >
> >>
> >> The ossec.log does not log this information.
> >>
> >> > On Fri, Nov 13, 2015 at 1:05 AM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Mon, Nov 9, 2015 at 11:11 PM, frwa onto <[email protected]> wrote:
> >> >> > Hi Santiago,
> >> >> >                    I am just running as standalone, so it's not a
> >> >> > manager or agent. I have another machine, for instance, where I am
> >> >> > using the older ossec 2.7.1
> >> >>
> >> >>
> >> >> 2.7.1 is way too old to provide much support for.
> >> >>
> >> >> > in that one I have tried, say, I've got my phpmyadmin, and when I start
> >> >> > browsing huge data ossec will block me, and only after some time can I
> >> >> > log in. Here is the active response log, as below.
> >> >> >
> >> >> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
> >> >>
> >> >> So rule 31106 is triggering the AR.
> >> >>   <rule id="31106" level="6">
> >> >>     <if_sid>31103, 31104, 31105</if_sid>
> >> >>     <id>^200</id>
> >> >>     <description>A web attack returned code 200 (success).</description>
> >> >>     <group>attack,</group>
> >> >>   </rule>
> >> >>
> >> >> You'll have to go through 31103-31105 to try and get a more specific
> >> >> understanding of what is triggering the alert.
> >> >> (All of this is taken from a 2.8.3+ system, so details may be
> >> >> different from 2.7.1)
> >> >>
> >> >> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
> >> >> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
> >> >> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
> >> >> >
> >> >> > I don't know what triggers it exactly, but I know it is due to my
> >> >> > browsing of huge data; also, how do I overcome this issue? In my older
> >> >> > version I saw this error too:
> >> >> > ossec-execd: INFO: Active response command not present:
> >> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on
> >> >> > this system.
> >> >> >
> >> >> > This is my worry: on the new machine using 2.8.1 the app might get
> >> >> > blocked from accessing the data.
> >> >> >
> >> >> > On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:
> >> >> >>
> >> >> >> Are you running an agent or the manager? I don't think OSSEC would
> >> >> >> block access to your mysql db.
> >> >> >>
> >> >> >> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <[email protected]> wrote:
> >> >> >>>
> >> >> >>> Hi,
> >> >> >>>     I have a centos server. I have managed to install ossec 2.8.1. It
> >> >> >>> mainly runs a socket programming app. For every instance of a
> >> >> >>> connection it will receive data and insert it into a mysql db. What I
> >> >> >>> worry about is in what scenario it will block access to this local
> >> >> >>> mysql db, as I can see there are some rules for mysql? Sorry, very new
> >> >> >>> to this.
> >> >> >>>
> >> >> >>
> >> >> >>
> >> >>
> >> >
> >> >
> >>
> >
> >
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
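An added example, not code from the thread or from the OSSEC project: a small parser for the active-responses.log lines quoted in the thread. As Dan points out, ossec.log does not record which rule fired an active response, but the AR log does: the last column is the rule id (31106 here), and pairing each "add" with the later "delete" for the same script, address and alert id shows how long the block lasted and which blocks are still in force. The line layout is taken from the lines quoted above; the sample lines embedded in the script are constructed (the first four copy the thread's lines, the 192.0.2.44 entry is invented to show a block that has not been lifted yet), and the function and field names are my own.

```python
"""Parse OSSEC active-responses.log lines to recover which rule fired an active
response, which address it blocked, and how long the block lasted.

Added example, not OSSEC project code. The line layout follows the log lines
quoted in the thread; the sample lines below are constructed (the 192.0.2.44
entry is invented to show a block that has not been removed yet).
"""
import re
from datetime import datetime

# One active-responses.log line, as quoted in the thread:
#   <ctime timestamp> <script> <add|delete> <user> <srcip> <alert id> <rule id>
# The "-" in the user column means the response was keyed on an IP, not a user.
LINE_RE = re.compile(
    r"^(?P<dow>\w{3}) (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<tz>\S+) (?P<year>\d{4}) (?P<script>\S+) (?P<action>add|delete) "
    r"(?P<user>\S+) (?P<srcip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)\s*$"
)

# Constructed sample input; the first four lines are the ones quoted in the thread.
SAMPLE_LOG = """\
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 12:03:07 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.44 1447128187.20014 31106
""".splitlines()


def parse_line(line):
    """Return the fields of one AR log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
    )
    return {
        "time": when,                          # naive; zone name kept separately
        "tz": m["tz"],
        "script": m["script"].rsplit("/", 1)[-1],
        "action": m["action"],
        "srcip": m["srcip"],
        "alert_id": m["alert_id"],
        "rule_id": m["rule_id"],
    }


def pair_actions(lines):
    """Match each 'add' with the later 'delete' for the same script, IP and alert.

    Returns one dict per block: script, srcip, rule_id, added, deleted (None if
    the block is still active) and seconds (None while still active). Completed
    blocks come first, in the order their 'delete' was seen, then the open ones.
    """
    open_blocks = {}
    blocks = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue            # skip lines in any other format
        key = (ev["script"], ev["srcip"], ev["alert_id"])
        if ev["action"] == "add":
            open_blocks[key] = ev
        elif key in open_blocks:
            start = open_blocks.pop(key)
            blocks.append({
                "script": start["script"],
                "srcip": start["srcip"],
                "rule_id": start["rule_id"],
                "added": start["time"],
                "deleted": ev["time"],
                "seconds": (ev["time"] - start["time"]).total_seconds(),
            })
        # a 'delete' with no matching 'add' (e.g. log rotated mid-block) is ignored
    for start in open_blocks.values():
        blocks.append({
            "script": start["script"],
            "srcip": start["srcip"],
            "rule_id": start["rule_id"],
            "added": start["time"],
            "deleted": None,
            "seconds": None,
        })
    return blocks


def adds_per_rule(lines):
    """Count 'add' actions per rule id: the answer to 'which rule is blocking me?'."""
    counts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["action"] == "add":
            counts[ev["rule_id"]] = counts.get(ev["rule_id"], 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    # Pass the real log path as the first argument; otherwise use the sample above.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for b in pair_actions(lines):
        state = f"{b['seconds']:.0f}s" if b["seconds"] is not None else "still active"
        print(f"rule {b['rule_id']} via {b['script']}: {b['srcip']} {state}")
    print("adds per rule:", adds_per_rule(lines))
```

Run it with the path to /var/ossec/logs/active-responses.log on the 2.7.1 machine to see every rule id that has fired an active response and which addresses are currently held by firewall-drop.sh or host-deny.sh. Once the rule and the source address are known, the usual OSSEC remedies are to add a trusted address to `<white_list>` under `<global>` in ossec.conf, or to override the rule in local_rules.xml so it stays below the level that triggers the active response; both survive the rule-file overwrite that an upgrade performs.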
