On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng <daiyuew...@gmail.com> wrote: > Could you elaborate the steps you went through? How does it work? >
Make sure active response is enabled. run: /var/ossec/bin/agent_control -r -u 000 Wait. > On 6 September 2016 at 12:12, dan (ddp) <ddp...@gmail.com> wrote: >> >> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <ddp...@gmail.com> wrote: >> > On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <ddp...@gmail.com> wrote: >> >> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <daiyuew...@gmail.com> wrote: >> >>> >> >>> since I am running local-ossec, so agent_control doesn't do any good >> >>> here? >> >>> >> >> >> >> I'll install a local instance and try it out for you. I'll report back >> >> shortly. >> >> >> > >> > Not positive, but it doesn't look like it's working. I'm not keeping >> > it around for another try. >> > You may just have to restart the syscheckd process. >> > >> >> It does look like this might be working, just had to have execd >> running and have a bit more patience. >> >> >>> On 5 September 2016 at 17:43, dan (ddp) <ddp...@gmail.com> wrote: >> >>>> >> >>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <daiyuew...@gmail.com> >> >>>> wrote: >> >>>> > Hi, ideally we like ossec to check file integrity in real time, if >> >>>> > not, >> >>>> > what >> >>>> > are the other options ossec can offer in that aspect? >> >>>> > >> >>>> >> >>>> It will do some things in real time, not all. I think it should be a >> >>>> fairly simple code change to add new files to the realtime options, >> >>>> but I've never really looked into it. >> >>>> >> >>>> > Is there a Syscheck cmd in ossec? >> >>>> > >> >>>> >> >>>> # /var/ossec/bin/agent_control -h >> >>>> >> >>>> OSSEC HIDS agent_control: Control remote agents. >> >>>> Available options: >> >>>> -h This help message. >> >>>> -l List available (active or not) agents. >> >>>> -lc List active agents. >> >>>> -i <id> Extracts information from an agent. >> >>>> -R <id> Restarts agent. >> >>>> -r -a Runs the integrity/rootkit checking on all agents >> >>>> now. >> >>>> -r -u <id> Runs the integrity/rootkit checking on one agent >> >>>> now. >> >>>> >> >>>> -b <ip> Blocks the specified ip address. >> >>>> -f <ar> Used with -b, specifies which response to run. >> >>>> -L List available active responses. >> >>>> -s Changes the output to CSV (comma delimited). >> >>>> >> >>>> >> >>>> > On 5 September 2016 at 17:23, dan (ddp) <ddp...@gmail.com> wrote: >> >>>> >> >> >>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng >> >>>> >> <daiyuew...@gmail.com> >> >>>> >> wrote: >> >>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition >> >>>> >> > of >> >>>> >> > the >> >>>> >> > file, >> >>>> >> > no alerts fired after adding a file to /home/user_name, which is >> >>>> >> > monitored >> >>>> >> > by ossec. what's the possible problems? >> >>>> >> > >> >>>> >> >> >>>> >> A syscheck scan probably hasn't run since the file was added (I >> >>>> >> don't >> >>>> >> think it works with realtime). >> >>>> >> Try running a syscheck scan to see if an alert is created. >> >>>> >> >> >>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote: >> >>>> >> >> >> >>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng >> >>>> >> >> <daiyu...@gmail.com> >> >>>> >> >> wrote: >> >>>> >> >> > Using the above cmd, adding a file on a monitored directory, >> >>>> >> >> > i.e. >> >>>> >> >> > /home/user_name, >> >>>> >> >> > >> >>>> >> >> > nothing is shown on tcpdump, >> >>>> >> >> > >> >>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), >> >>>> >> >> > capture >> >>>> >> >> > size >> >>>> >> >> > 262144 bytes >> >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> >> >>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it >> >>>> >> >> listens >> >>>> >> >> on. >> >>>> >> >> So make sure you're listening to the interface the emails >> >>>> >> >> should be >> >>>> >> >> sent >> >>>> >> >> from. >> >>>> >> >> Did any alerts fire while you were using tcpdump (check >> >>>> >> >> /var/ossec/logs/alerts/alerts.log). >> >>>> >> >> If not, that'll be a problem. >> >>>> >> >> >> >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) >> >>>> >> >> > wrote: >> >>>> >> >> >> >> >>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng >> >>>> >> >> >> <daiyu...@gmail.com> >> >>>> >> >> >> wrote: >> >>>> >> >> >> > Hi, could you give me an example of using tcpdump in this >> >>>> >> >> >> > case? >> >>>> >> >> >> > >> >>>> >> >> >> >> >>>> >> >> >> tcpdump -nnXxevvs 0 port 25 >> >>>> >> >> >> >> >>>> >> >> >> > cheers >> >>>> >> >> >> > >> >>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) >> >>>> >> >> >> > wrote: >> >>>> >> >> >> >> >> >>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng >> >>>> >> >> >> >> <daiyu...@gmail.com> >> >>>> >> >> >> >> wrote: >> >>>> >> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't >> >>>> >> >> >> >> > get >> >>>> >> >> >> >> > any >> >>>> >> >> >> >> > emails. >> >>>> >> >> >> >> > The >> >>>> >> >> >> >> > notification is turn on as >> >>>> >> >> >> >> > >> >>>> >> >> >> >> >> >>>> >> >> >> >> Try using tcpdump (looking for connections to the email >> >>>> >> >> >> >> server >> >>>> >> >> >> >> from >> >>>> >> >> >> >> the OSSEC system) >> >>>> >> >> >> >> or check the maillogs on the email server to determine >> >>>> >> >> >> >> if >> >>>> >> >> >> >> there >> >>>> >> >> >> >> is >> >>>> >> >> >> >> an >> >>>> >> >> >> >> error when sending. >> >>>> >> >> >> >> >> >>>> >> >> >> >> > <alert_new_files>yes</alert_new_files> >> >>>> >> >> >> >> > >> >>>> >> >> >> >> > in ossec.conf >> >>>> >> >> >> >> > >> >>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan >> >>>> >> >> >> >> > (ddpbsd) >> >>>> >> >> >> >> > wrote: >> >>>> >> >> >> >> >> >> >>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng >> >>>> >> >> >> >> >> <daiyu...@gmail.com> >> >>>> >> >> >> >> >> wrote: >> >>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and >> >>>> >> >> >> >> >> > configure >> >>>> >> >> >> >> >> > ossec.conf >> >>>> >> >> >> >> >> > as >> >>>> >> >> >> >> >> > follows, I tried to detect new additions using >> >>>> >> >> >> >> >> > <alert_new_files>yes</alert_new_files>. >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > <global> >> >>>> >> >> >> >> >> > <email_notification>yes</email_notification> >> >>>> >> >> >> >> >> > <email_to>my_e...@example.com</email_to> >> >>>> >> >> >> >> >> > <smtp_server>ns0.bt.net.</smtp_server> >> >>>> >> >> >> >> >> > <email_from>my_e...@example.com</email_from> >> >>>> >> >> >> >> >> > </global> >> >>>> >> >> >> >> >> > <syscheck> >> >>>> >> >> >> >> >> > <!-- Frequency that syscheck is executed - >> >>>> >> >> >> >> >> > default >> >>>> >> >> >> >> >> > to >> >>>> >> >> >> >> >> > every >> >>>> >> >> >> >> >> > 22 >> >>>> >> >> >> >> >> > hours >> >>>> >> >> >> >> >> > --> >> >>>> >> >> >> >> >> > <frequency>79200</frequency> >> >>>> >> >> >> >> >> > <alert_new_files>yes</alert_new_files> >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > <!-- Directories to check (perform all >> >>>> >> >> >> >> >> > possible >> >>>> >> >> >> >> >> > verifications) >> >>>> >> >> >> >> >> > --> >> >>>> >> >> >> >> >> > <directories report_changes="yes" >> >>>> >> >> >> >> >> > realtime="yes" >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin</directories> >> >>>> >> >> >> >> >> > <directories report_changes="yes" >> >>>> >> >> >> >> >> > realtime="yes" >> >>>> >> >> >> >> >> > check_all="yes">/bin,/sbin</directories> >> >>>> >> >> >> >> >> > <directories report_changes="yes" >> >>>> >> >> >> >> >> > realtime="yes" >> >>>> >> >> >> >> >> > check_all="yes">/home/user_name</directories> >> >>>> >> >> >> >> >> > </syscheck> >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > The local_rules.xml is like, >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > <group name="local,syslog,"> >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > <!-- Note that rule id 5711 is defined at the >> >>>> >> >> >> >> >> > ssh_rules >> >>>> >> >> >> >> >> > file >> >>>> >> >> >> >> >> > - as a ssh failed login. This is just an >> >>>> >> >> >> >> >> > example >> >>>> >> >> >> >> >> > - since ip 1.1.1.1 shouldn't be used >> >>>> >> >> >> >> >> > anywhere. >> >>>> >> >> >> >> >> > - Level 0 means ignore. >> >>>> >> >> >> >> >> > --> >> >>>> >> >> >> >> >> > <rule id="100001" level="0"> >> >>>> >> >> >> >> >> > <if_sid>5711</if_sid> >> >>>> >> >> >> >> >> > <srcip>1.1.1.1</srcip> >> >>>> >> >> >> >> >> > <description>Example of rule that will ignore >> >>>> >> >> >> >> >> > sshd >> >>>> >> >> >> >> >> > </description> >> >>>> >> >> >> >> >> > <description>failed logins from IP >> >>>> >> >> >> >> >> > 1.1.1.1.</description> >> >>>> >> >> >> >> >> > </rule> >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > <rule id="554" level="7" overwrite="yes"> >> >>>> >> >> >> >> >> > <category>ossec</category> >> >>>> >> >> >> >> >> > <decoded_as>syscheck_new_entry</decoded_as> >> >>>> >> >> >> >> >> > <description>File added to the >> >>>> >> >> >> >> >> > system.</description> >> >>>> >> >> >> >> >> > <group>syscheck,</group> >> >>>> >> >> >> >> >> > </rule> >> >>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL --> >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > Now, if I added a file in home/user_name, there is >> >>>> >> >> >> >> >> > no >> >>>> >> >> >> >> >> > email >> >>>> >> >> >> >> >> > notification >> >>>> >> >> >> >> >> > coming through the SMTP server. I am using >> >>>> >> >> >> >> >> > smtp.bt.net, >> >>>> >> >> >> >> >> > using >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > dig -t mx smtp.bt.net >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > to get the SMTP server. Whats the possible reasons >> >>>> >> >> >> >> >> > that >> >>>> >> >> >> >> >> > I am >> >>>> >> >> >> >> >> > not >> >>>> >> >> >> >> >> > getting >> >>>> >> >> >> >> >> > the >> >>>> >> >> >> >> >> > email? >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> >> >>>> >> >> >> >> >> Are you getting emails for other alerts? >> >>>> >> >> >> >> >> Are alerts being triggered for these new files? >> >>>> >> >> >> >> >> >> >>>> >> >> >> >> >> > Many thanks >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > -- >> >>>> >> >> >> >> >> > >> >>>> >> >> >> >> >> > --- >> >>>> >> >> >> >> >> > You received this message because you are subscribed >> >>>> >> >> >> >> >> > to >> >>>> >> >> >> >> >> > the >> >>>> >> >> >> >> >> > Google >> >>>> >> >> >> >> >> > Groups >> >>>> >> >> >> >> >> > "ossec-list" group. >> >>>> >> >> >> >> >> > To unsubscribe from this group and stop receiving >> >>>> >> >> >> >> >> > emails >> >>>> >> >> >> >> >> > from >> >>>> >> >> >> >> >> > it, >> >>>> >> >> >> >> >> > send >> >>>> >> >> >> >> >> > an >> >>>> >> >> >> >> >> > email to ossec-list+...@googlegroups.com. >> >>>> >> >> >> >> >> > For more options, visit >> >>>> >> >> >> >> >> > https://groups.google.com/d/optout. >> >>>> >> >> >> >> > >> >>>> >> >> >> >> > -- >> >>>> >> >> >> >> > >> >>>> >> >> >> >> > --- >> >>>> >> >> >> >> > You received this message because you are subscribed to >> >>>> >> >> >> >> > the >> >>>> >> >> >> >> > Google >> >>>> >> >> >> >> > Groups >> >>>> >> >> >> >> > "ossec-list" group. >> >>>> >> >> >> >> > To unsubscribe from this group and stop receiving >> >>>> >> >> >> >> > emails >> >>>> >> >> >> >> > from >> >>>> >> >> >> >> > it, >> >>>> >> >> >> >> > send >> >>>> >> >> >> >> > an >> >>>> >> >> >> >> > email to ossec-list+...@googlegroups.com. >> >>>> >> >> >> >> > For more options, visit >> >>>> >> >> >> >> > https://groups.google.com/d/optout. >> >>>> >> >> >> > >> >>>> >> >> >> > -- >> >>>> >> >> >> > >> >>>> >> >> >> > --- >> >>>> >> >> >> > You received this message because you are subscribed to >> >>>> >> >> >> > the >> >>>> >> >> >> > Google >> >>>> >> >> >> > Groups >> >>>> >> >> >> > "ossec-list" group. >> >>>> >> >> >> > To unsubscribe from this group and stop receiving emails >> >>>> >> >> >> > from >> >>>> >> >> >> > it, >> >>>> >> >> >> > send >> >>>> >> >> >> > an >> >>>> >> >> >> > email to ossec-list+...@googlegroups.com. >> >>>> >> >> >> > For more options, visit >> >>>> >> >> >> > https://groups.google.com/d/optout. >> >>>> >> >> > >> >>>> >> >> > -- >> >>>> >> >> > >> >>>> >> >> > --- >> >>>> >> >> > You received this message because you are subscribed to the >> >>>> >> >> > Google >> >>>> >> >> > Groups >> >>>> >> >> > "ossec-list" group. >> >>>> >> >> > To unsubscribe from this group and stop receiving emails from >> >>>> >> >> > it, >> >>>> >> >> > send >> >>>> >> >> > an >> >>>> >> >> > email to ossec-list+...@googlegroups.com. >> >>>> >> >> > For more options, visit https://groups.google.com/d/optout. >> >>>> >> > >> >>>> >> > -- >> >>>> >> > >> >>>> >> > --- >> >>>> >> > You received this message because you are subscribed to the >> >>>> >> > Google >> >>>> >> > Groups >> >>>> >> > "ossec-list" group. >> >>>> >> > To unsubscribe from this group and stop receiving emails from >> >>>> >> > it, >> >>>> >> > send >> >>>> >> > an >> >>>> >> > email to ossec-list+unsubscr...@googlegroups.com. >> >>>> >> > For more options, visit https://groups.google.com/d/optout. >> >>>> >> >> >>>> >> -- >> >>>> >> >> >>>> >> --- >> >>>> >> You received this message because you are subscribed to a topic in >> >>>> >> the >> >>>> >> Google Groups "ossec-list" group. >> >>>> >> To unsubscribe from this topic, visit >> >>>> >> >> >>>> >> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> >>>> >> To unsubscribe from this group and all its topics, send an email >> >>>> >> to >> >>>> >> ossec-list+unsubscr...@googlegroups.com. >> >>>> >> For more options, visit https://groups.google.com/d/optout. >> >>>> > >> >>>> > >> >>>> > -- >> >>>> > >> >>>> > --- >> >>>> > You received this message because you are subscribed to the Google >> >>>> > Groups >> >>>> > "ossec-list" group. >> >>>> > To unsubscribe from this group and stop receiving emails from it, >> >>>> > send >> >>>> > an >> >>>> > email to ossec-list+unsubscr...@googlegroups.com. >> >>>> > For more options, visit https://groups.google.com/d/optout. >> >>>> >> >>>> -- >> >>>> >> >>>> --- >> >>>> You received this message because you are subscribed to a topic in >> >>>> the >> >>>> Google Groups "ossec-list" group. >> >>>> To unsubscribe from this topic, visit >> >>>> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> >>>> To unsubscribe from this group and all its topics, send an email to >> >>>> ossec-list+unsubscr...@googlegroups.com. >> >>>> For more options, visit https://groups.google.com/d/optout. >> >>> >> >>> >> >>> -- >> >>> >> >>> --- >> >>> You received this message because you are subscribed to the Google >> >>> Groups >> >>> "ossec-list" group. >> >>> To unsubscribe from this group and stop receiving emails from it, send >> >>> an >> >>> email to ossec-list+unsubscr...@googlegroups.com. >> >>> For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> ossec-list+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.