On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <daiyuew...@gmail.com> wrote:
>>
>> since I am running local-ossec, so agent_control doesn't do any good here?
>>
>
> I'll install a local instance and try it out for you. I'll report back
> shortly.
>
Not positive, but it doesn't look like it's working. I'm not keeping it
around for another try. You may just have to restart the syscheckd process.

>> On 5 September 2016 at 17:43, dan (ddp) <ddp...@gmail.com> wrote:
>>>
>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <daiyuew...@gmail.com> wrote:
>>> > Hi, ideally we'd like ossec to check file integrity in real time; if not,
>>> > what are the other options ossec can offer in that aspect?
>>> >
>>>
>>> It will do some things in real time, not all. I think it should be a
>>> fairly simple code change to add new files to the realtime options,
>>> but I've never really looked into it.
>>>
>>> > Is there a Syscheck cmd in ossec?
>>> >
>>>
>>> # /var/ossec/bin/agent_control -h
>>>
>>> OSSEC HIDS agent_control: Control remote agents.
>>> Available options:
>>>   -h          This help message.
>>>   -l          List available (active or not) agents.
>>>   -lc         List active agents.
>>>   -i <id>     Extracts information from an agent.
>>>   -R <id>     Restarts agent.
>>>   -r -a       Runs the integrity/rootkit checking on all agents now.
>>>   -r -u <id>  Runs the integrity/rootkit checking on one agent now.
>>>
>>>   -b <ip>     Blocks the specified ip address.
>>>   -f <ar>     Used with -b, specifies which response to run.
>>>   -L          List available active responses.
>>>   -s          Changes the output to CSV (comma delimited).
>>>
>>>
>>> > On 5 September 2016 at 17:23, dan (ddp) <ddp...@gmail.com> wrote:
>>> >>
>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <daiyuew...@gmail.com> wrote:
>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of
>>> >> > the file; no alerts fired after adding a file to /home/user_name,
>>> >> > which is monitored by ossec. What are the possible problems?
>>> >> >
>>> >>
>>> >> A syscheck scan probably hasn't run since the file was added (I don't
>>> >> think it works with realtime).
>>> >> Try running a syscheck scan to see if an alert is created.
>>> >>
>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>>> >> >> > Using the above cmd, adding a file in a monitored directory, i.e.
>>> >> >> > /home/user_name,
>>> >> >> >
>>> >> >> > nothing is shown on tcpdump,
>>> >> >> >
>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>> >> >> >
>>> >> >> >
>>> >> >>
>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>>> >> >> So make sure you're listening to the interface the emails should be
>>> >> >> sent from.
>>> >> >> Did any alerts fire while you were using tcpdump (check
>>> >> >> /var/ossec/logs/alerts/alerts.log)?
>>> >> >> If not, that'll be a problem.
>>> >> >>
>>> >> >> >
>>> >> >> >
>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>>> >> >> >>
>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>>> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
>>> >> >> >> >
>>> >> >> >>
>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>>> >> >> >>
>>> >> >> >> > cheers
>>> >> >> >> >
>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>>> >> >> >> >>
>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>>> >> >> >> >> > Hi, since it is a fresh install of ossec, I didn't get any
>>> >> >> >> >> > emails.
>>> >> >> >> >> > The notification is turned on as
>>> >> >> >> >> >
>>> >> >> >> >>
>>> >> >> >> >> Try using tcpdump (looking for connections to the email server
>>> >> >> >> >> from the OSSEC system)
>>> >> >> >> >> or check the maillogs on the email server to determine if there
>>> >> >> >> >> is an error when sending.
>>> >> >> >> >>
>>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
>>> >> >> >> >> >
>>> >> >> >> >> > in ossec.conf
>>> >> >> >> >> >
>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>>> >> >> >> >> >>
>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configured
>>> >> >> >> >> >> > ossec.conf as follows. I tried to detect new additions using
>>> >> >> >> >> >> > <alert_new_files>yes</alert_new_files>.
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > <global>
>>> >> >> >> >> >> >   <email_notification>yes</email_notification>
>>> >> >> >> >> >> >   <email_to>my_e...@example.com</email_to>
>>> >> >> >> >> >> >   <smtp_server>ns0.bt.net.</smtp_server>
>>> >> >> >> >> >> >   <email_from>my_e...@example.com</email_from>
>>> >> >> >> >> >> > </global>
>>> >> >> >> >> >> > <syscheck>
>>> >> >> >> >> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>> >> >> >> >> >> >   <frequency>79200</frequency>
>>> >> >> >> >> >> >   <alert_new_files>yes</alert_new_files>
>>> >> >> >> >> >> >
>>> >> >> >> >> >> >   <!-- Directories to check (perform all possible verifications) -->
>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>>> >> >> >> >> >> > </syscheck>
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > The local_rules.xml is like,
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > <group name="local,syslog,">
>>> >> >> >> >> >> >
>>> >> >> >> >> >> >   <!-- Note that rule id 5711 is defined at the ssh_rules file
>>> >> >> >> >> >> >      - as a ssh failed login. This is just an example
>>> >> >> >> >> >> >      - since ip 1.1.1.1 shouldn't be used anywhere.
>>> >> >> >> >> >> >      - Level 0 means ignore.
>>> >> >> >> >> >> >   -->
>>> >> >> >> >> >> >   <rule id="100001" level="0">
>>> >> >> >> >> >> >     <if_sid>5711</if_sid>
>>> >> >> >> >> >> >     <srcip>1.1.1.1</srcip>
>>> >> >> >> >> >> >     <description>Example of rule that will ignore sshd </description>
>>> >> >> >> >> >> >     <description>failed logins from IP 1.1.1.1.</description>
>>> >> >> >> >> >> >   </rule>
>>> >> >> >> >> >> >
>>> >> >> >> >> >> >   <rule id="554" level="7" overwrite="yes">
>>> >> >> >> >> >> >     <category>ossec</category>
>>> >> >> >> >> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>>> >> >> >> >> >> >     <description>File added to the system.</description>
>>> >> >> >> >> >> >     <group>syscheck,</group>
>>> >> >> >> >> >> >   </rule>
>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > Now, if I added a file in home/user_name, there is no email
>>> >> >> >> >> >> > notification coming through the SMTP server. I am using smtp.bt.net,
>>> >> >> >> >> >> > using
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > dig -t mx smtp.bt.net
>>> >> >> >> >> >> >
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > to get the SMTP server. What are the possible reasons that I am
>>> >> >> >> >> >> > not getting the email?
>>> >> >> >> >> >> >
>>> >> >> >> >> >>
>>> >> >> >> >> >> Are you getting emails for other alerts?
>>> >> >> >> >> >> Are alerts being triggered for these new files?
>>> >> >> >> >> >>
>>> >> >> >> >> >> > Many thanks
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > --
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > ---
>>> >> >> >> >> >> > You received this message because you are subscribed to the
>>> >> >> >> >> >> > Google Groups "ossec-list" group.
>>> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails
>>> >> >> >> >> >> > from it, send an email to ossec-list+...@googlegroups.com.
>>> >> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
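The thread leaves Daiyue's question only partly answered: a file created under /home/user_name raised no alert and no e-mail. As an added example (not OSSEC code and not from anyone on this list), the Python below reads the ossec.conf fragment and the local_rules.xml posted above (embedded as constructed samples; the ossec.conf fragment is wrapped in the <ossec_config> root element a real file has) and lists the reasons the thread raises: per dan's reply, a new file is reported by the next scheduled syscheck scan rather than by realtime; rule 554 ships at level 0 and must be overwritten to at least email_alert_level (OSSEC's default is 7) before it is mailed; and email_notification must be on. The function names parse_syscheck, rule_554_level and diagnose are this example's own.

```python
"""Explain why a new file in a syscheck-monitored directory may not be e-mailed.

Added example for this thread, not OSSEC code. It parses the posted ossec.conf
fragment and local_rules.xml (constructed samples below) with the standard
library only, so it runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed sample: Daiyue's ossec.conf fragment, wrapped in the
# <ossec_config> root element that a real ossec.conf has.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>my_e...@example.com</email_to>
    <smtp_server>ns0.bt.net.</smtp_server>
    <email_from>my_e...@example.com</email_from>
  </global>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: the rule 554 overwrite from Daiyue's local_rules.xml.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

EMAIL_ALERT_LEVEL_DEFAULT = 7  # OSSEC's default <alerts><email_alert_level>
RULE_554_STOCK_LEVEL = 0       # stock syscheck_rules.xml defines rule 554 at level 0


def parse_syscheck(conf_xml):
    """Pull the settings that decide whether a new file gets an alert and an e-mail."""
    root = ET.fromstring(conf_xml)
    sc = root.find("syscheck")
    dirs = []  # (path, realtime?) for every comma-separated <directories> entry
    for d in sc.findall("directories"):
        for path in d.text.split(","):
            dirs.append((path.strip(), d.get("realtime") == "yes"))
    return {
        "frequency": int(sc.findtext("frequency", "79200")),
        "alert_new_files": sc.findtext("alert_new_files", "no") == "yes",
        "directories": dirs,
        "email_notification": root.findtext("global/email_notification", "no") == "yes",
        "email_alert_level": int(root.findtext("alerts/email_alert_level",
                                               str(EMAIL_ALERT_LEVEL_DEFAULT))),
    }


def rule_554_level(rules_xml):
    """Effective level of rule 554: the local overwrite if present, else the stock level 0."""
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return int(rule.get("level"))
    return RULE_554_STOCK_LEVEL


def diagnose(conf_xml, rules_xml, new_file):
    """Return the findings that explain why creating `new_file` may not produce an e-mail."""
    cfg = parse_syscheck(conf_xml)
    findings = []
    watched = [d for d, _ in cfg["directories"]
               if new_file.startswith(d.rstrip("/") + "/")]
    if not watched:
        return [f"{new_file} is not under any monitored directory"]
    if not cfg["alert_new_files"]:
        findings.append("alert_new_files is not enabled, so new files are never reported")
    # As reported in the thread, realtime covers changes to files syscheck already
    # knows about; a new file is only picked up by the next scheduled scan.
    hours = cfg["frequency"] / 3600
    findings.append(f"a new file is reported by the next scheduled scan "
                    f"(up to {hours:g} h away), not by realtime")
    level = rule_554_level(rules_xml)
    if level < cfg["email_alert_level"]:
        findings.append(f"rule 554 is level {level}, below email_alert_level "
                        f"{cfg['email_alert_level']}: the alert is logged but not e-mailed")
    if not cfg["email_notification"]:
        findings.append("email_notification is off")
    return findings


if __name__ == "__main__":
    for line in diagnose(OSSEC_CONF, LOCAL_RULES, "/home/user_name/new.txt"):
        print("-", line)
```

With the posted configuration the only finding is the scan interval: the 79200-second frequency means a file created just after a scan waits up to 22 hours for its rule 554 alert, which matches what Daiyue saw in alerts.log. Dropping the rule 554 overwrite from local_rules.xml adds a second finding, the stock level 0 being below email_alert_level, which is the other common reason a new-file alert appears in the log but never reaches the mailbox.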