On Tue, Sep 6, 2016 at 9:47 AM, Daiyue Weng <[email protected]> wrote:
> what's the ossec version that you tested with, and how did you configure ossec.conf and local.xml?
>

All I've tested (in relation to this) is that agent_control did something. I have in the past tested alert_new_files and realtime, but I can't say I've tested them recently. I'm working on this as fast as I can.

> I don't know which bit that I missed in the configuration.
>
> On 6 September 2016 at 14:40, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng <[email protected]> wrote:
>> > could you show me your ossec.conf and local_rules.xml?
>> >
>>
>> This is for one of my servers. Probably not what I'll be testing with though.
>>
>> ossec.conf:
>>
>> <ossec_config>
>>   <global>
>>     <email_notification>yes</email_notification>
>>     <email_to>[email protected]</email_to>
>>     <smtp_server>192.168.17.9</smtp_server>
>>     <!--<smtp_server>/usr/bin/msmtp -v --timeout 20 -f "[email protected]" -t</smtp_server>-->
>>     <email_from>ossecm@earth</email_from>
>>   </global>
>>
>>   <database_output>
>>     <hostname>127.0.0.1</hostname>
>>     <username>ossecuser</username>
>>     <password>TGmmxNsh5TNrKTy8</password>
>>     <database>ossec</database>
>>     <type>mysql</type>
>>   </database_output>
>>
>>   <syscheck>
>>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>     <frequency>79200</frequency>
>>     <auto_ignore>no</auto_ignore>
>>
>>     <!-- Directories to check (perform all possible verifications) -->
>>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>     <directories check_all="yes">/bin,/sbin</directories>
>>     <directories check_all="yes" realtime="yes">/var/test</directories>
>>
>>     <!-- Files/directories to ignore -->
>>     <ignore>/etc/mtab</ignore>
>>     <ignore>/etc/mnttab</ignore>
>>     <ignore>/etc/hosts.deny</ignore>
>>     <ignore>/etc/mail/statistics</ignore>
>>     <ignore>/etc/random-seed</ignore>
>>     <ignore>/etc/adjtime</ignore>
>>     <ignore>/etc/httpd/logs</ignore>
>>     <ignore>/etc/utmpx</ignore>
>>     <ignore>/etc/wtmpx</ignore>
>>     <ignore>/etc/cups/certs</ignore>
>>     <ignore>/etc/dumpdates</ignore>
>>     <ignore>/etc/svc/volatile</ignore>
>>
>>     <!-- Windows files to ignore -->
>>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>     <ignore>C:\WINDOWS/Debug</ignore>
>>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>     <ignore>C:\WINDOWS/iis6.log</ignore>
>>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>     <ignore>C:\WINDOWS/Prefetch</ignore>
>>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>     <ignore>C:\WINDOWS/Temp</ignore>
>>     <ignore>C:\WINDOWS/system32/config</ignore>
>>     <ignore>C:\WINDOWS/system32/spool</ignore>
>>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>   </syscheck>
>>
>>   <rootcheck>
>>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>   </rootcheck>
>>
>>   <global>
>>     <white_list>127.0.0.1</white_list>
>>     <white_list>^localhost.localdomain$</white_list>
>>     <white_list>192.168.17.17</white_list>
>>     <white_list>192.168.17.9</white_list>
>>     <white_list>192.168.18.1</white_list>
>>   </global>
>>
>>   <remote>
>>     <connection>secure</connection>
>>   </remote>
>>
>>   <alerts>
>>     <log_alert_level>1</log_alert_level>
>>     <email_alert_level>7</email_alert_level>
>>   </alerts>
>>
>>   <command>
>>     <name>host-deny</name>
>>     <executable>host-deny.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <command>
>>     <name>firewall-drop</name>
>>     <executable>firewall-drop.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <command>
>>     <name>disable-account</name>
>>     <executable>disable-account.sh</executable>
>>     <expect>user</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <command>
>>     <name>restart-ossec</name>
>>     <executable>restart-ossec.sh</executable>
>>     <expect></expect>
>>   </command>
>>
>>   <command>
>>     <name>route-null</name>
>>     <executable>route-null.sh</executable>
>>     <expect>srcip</expect>
>>     <timeout_allowed>yes</timeout_allowed>
>>   </command>
>>
>>   <!-- Files to monitor (localfiles) -->
>>
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/var/log/auth.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/var/log/syslog</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/var/log/dpkg.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>apache</log_format>
>>     <location>/var/log/nginx/access.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>apache</log_format>
>>     <location>/var/log/nginx/error.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>apache</log_format>
>>     <location>/var/log/apache2/error.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>command</log_format>
>>     <command>df -h</command>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>full_command</log_format>
>>     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>full_command</log_format>
>>     <command>last -n 5</command>
>>   </localfile>
>> </ossec_config>
>>
>> <ossec_config> <!-- rules global entry -->
>>   <rules>
>>     <!--<decoder>etc/decoder.xml</decoder>-->
>>     <decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
>>     <include>rules_config.xml</include>
>>     <!--
>>     <include>pam_rules.xml</include>
>>     <include>sshd_rules.xml</include>
>>     <include>telnetd_rules.xml</include>
>>     <include>syslog_rules.xml</include>
>>     <include>arpwatch_rules.xml</include>
>>     <include>symantec-av_rules.xml</include>
>>     <include>symantec-ws_rules.xml</include>
>>     <include>pix_rules.xml</include>
>>     <include>named_rules.xml</include>
>>     <include>smbd_rules.xml</include>
>>     <include>vsftpd_rules.xml</include>
>>     <include>pure-ftpd_rules.xml</include>
>>     <include>proftpd_rules.xml</include>
>>     <include>ms_ftpd_rules.xml</include>
>>     <include>ftpd_rules.xml</include>
>>     <include>hordeimp_rules.xml</include>
>>     <include>roundcube_rules.xml</include>
>>     <include>wordpress_rules.xml</include>
>>     <include>cimserver_rules.xml</include>
>>     <include>vpopmail_rules.xml</include>
>>     <include>vmpop3d_rules.xml</include>
>>     <include>courier_rules.xml</include>
>>     <include>web_rules.xml</include>
>>     <include>web_appsec_rules.xml</include>
>>     <include>apache_rules.xml</include>
>>     <include>nginx_rules.xml</include>
>>     <include>php_rules.xml</include>
>>     <include>mysql_rules.xml</include>
>>     <include>postgresql_rules.xml</include>
>>     <include>ids_rules.xml</include>
>>     <include>squid_rules.xml</include>
>>     <include>firewall_rules.xml</include>
>>     <include>apparmor_rules.xml</include>
>>     <include>cisco-ios_rules.xml</include>
>>     <include>netscreenfw_rules.xml</include>
>>     <include>sonicwall_rules.xml</include>
>>     <include>postfix_rules.xml</include>
>>     <include>sendmail_rules.xml</include>
>>     <include>imapd_rules.xml</include>
>>     <include>mailscanner_rules.xml</include>
>>     <include>dovecot_rules.xml</include>
>>     <include>ms-exchange_rules.xml</include>
>>     <include>racoon_rules.xml</include>
>>     <include>vpn_concentrator_rules.xml</include>
>>     <include>spamd_rules.xml</include>
>>     <include>msauth_rules.xml</include>
>>     <include>mcafee_av_rules.xml</include>
>>     <include>trend-osce_rules.xml</include>
>>     <include>ms-se_rules.xml</include>
>>     <include>zeus_rules.xml</include>
>>     <include>solaris_bsm_rules.xml</include>
>>     <include>vmware_rules.xml</include>
>>     <include>ms_dhcp_rules.xml</include>
>>     <include>asterisk_rules.xml</include>
>>     <include>ossec_rules.xml</include>
>>     <include>attack_rules.xml</include>
>>     <include>openbsd_rules.xml</include>
>>     <include>clam_av_rules.xml</include>
>>     <include>dropbear_rules.xml</include>
>>     <include>sysmon_rules.xml</include>
>>     <include>opensmtpd_rules.xml</include>
>>     -->
>>     <rule_dir pattern=".xml$">rules/rules.d</rule_dir>
>>     <!--<include>local_rules.xml</include>-->
>>   </rules>
>> </ossec_config> <!-- rules global entry -->
>>
>> local_rules.xml:
>>
>> <!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $
>>
>>   - Example of local rules for OSSEC.
>>   -
>>   - Copyright (C) 2009 Trend Micro Inc.
>>   - All rights reserved.
>>   -
>>   - This program is a free software; you can redistribute it
>>   - and/or modify it under the terms of the GNU General Public
>>   - License (version 2) as published by the FSF - Free Software
>>   - Foundation.
>>   -
>>   - License details: http://www.ossec.net/en/licensing.html
>> -->
>>
>> <!-- Modify it at your will. -->
>>
>> <group name="local,syslog,">
>>
>>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>>     - as a ssh failed login. This is just an example
>>     - since ip 1.1.1.1 shouldn't be used anywhere.
>>     - Level 0 means ignore.
>>   -->
>>   <rule id="100001" level="0">
>>     <if_sid>5711</if_sid>
>>     <srcip>1.1.1.1</srcip>
>>     <description>Example of rule that will ignore sshd </description>
>>     <description>failed logins from IP 1.1.1.1.</description>
>>   </rule>
>>
>>   <!-- This example will ignore ssh failed logins for the user name XYZABC. -->
>>   <!--
>>   <rule id="100020" level="0">
>>     <if_sid>5711</if_sid>
>>     <user>XYZABC</user>
>>     <description>Example of rule that will ignore sshd </description>
>>     <description>failed logins for user XYZABC.</description>
>>   </rule>
>>   -->
>>
>>   <!-- Specify here a list of rules to ignore. -->
>>   <!--
>>   <rule id="100030" level="0">
>>     <if_sid>12345, 23456, xyz, abc</if_sid>
>>     <description>List of rules to be ignored.</description>
>>   </rule>
>>   -->
>>
>>   <rule id="700007" level="10">
>>     <match>^TEST TEST TEST</match>
>>     <description>test test test</description>
>>     <group>test,</group>
>>   </rule>
>>
>>   <rule id="710001" level="0">
>>     <program_name>^collectd</program_name>
>>     <description>collectd collected.</description>
>>   </rule>
>>
>>   <rule id="710002" level="0">
>>     <if_sid>710001</if_sid>
>>     <match>illegal attempt to update using time</match>
>>     <description>Ignore collectd time issues.</description>
>>   </rule>
>>
>>   <rule id="710003" level="0">
>>     <if_sid>710001</if_sid>
>>     <match>uc_update: Value too old: name</match>
>>     <description>ignore collectd valu eerror.</description>
>>   </rule>
>>
>>   <rule id="711001" level="0">
>>     <program_name>^nsd</program_name>
>>     <description>nsd grouping.</description>
>>   </rule>
>>
>>   <rule id="711002" level="0">
>>     <if_sid>711001</if_sid>
>>     <match>failed reading from </match>
>>     <description>nsd connection failed.</description>
>>   </rule>
>>
>>   <rule id="712001" level="0">
>>     <program_name>^ngircd</program_name>
>>     <description>ngircd grouping.</description>
>>   </rule>
>>
>>   <rule id="712002" level="0">
>>     <if_sid>712001</if_sid>
>>     <match>Shutting down connection</match>
>>     <description>ngircd shutting down connection.</description>
>>   </rule>
>>
>>   <rule id="712003" level="0">
>>     <if_sid>712001</if_sid>
>>     <match>Client unregistered</match>
>>     <description>ngircd client unregistered.</description>
>>   </rule>
>>
>>   <rule id="1003" level="13" maxsize="4096" overwrite="yes">
>>     <description>Non standard syslog message (size too large).</description>
>>   </rule>
>>
>> </group> <!-- SYSLOG,LOCAL -->
>>
>> > On 6 September 2016 at 14:17, Daiyue Weng <[email protected]> wrote:
>> >>
>> >> This is what I did,
>> >>
>> >> 1. restart ossec
>> >>
>> >> 2. running `ps auxww | grep ossec-execd`, execd is already running.
>> >>
>> >> 3. add an empty file in /home/user_name
>> >>
>> >> 4. running /var/ossec/bin/agent_control -r -u 000
>> >>
>> >> 5. checking alerts.log, no file addition log was shown.
>> >>
>> >> I am using Arch Linux.
>> >>
>> >> On 6 September 2016 at 12:23, dan (ddp) <[email protected]> wrote:
>> >>>
>> >>> On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng <[email protected]> wrote:
>> >>> > thanks, how to enable active response in ossec.conf?
>> >>> >
>> >>>
>> >>> If it's disabled, delete that block. If it's not disabled, it should be running (`ps auxww | grep ossec-execd`)
>> >>>
>> >>> > On 6 September 2016 at 12:15, dan (ddp) <[email protected]> wrote:
>> >>> >>
>> >>> >> On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng <[email protected]> wrote:
>> >>> >> > Could you elaborate on the steps you went through? How does it work?
>> >>> >> >
>> >>> >>
>> >>> >> Make sure active response is enabled.
>> >>> >> run:
>> >>> >> /var/ossec/bin/agent_control -r -u 000
>> >>> >>
>> >>> >> Wait.
>> >>> >>
>> >>> >> > On 6 September 2016 at 12:12, dan (ddp) <[email protected]> wrote:
>> >>> >> >>
>> >>> >> >> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <[email protected]> wrote:
>> >>> >> >> > On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <[email protected]> wrote:
>> >>> >> >> >> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <[email protected]> wrote:
>> >>> >> >> >>>
>> >>> >> >> >>> since I am running local-ossec, agent_control doesn't do any good here?
>> >>> >> >> >>>
>> >>> >> >> >>
>> >>> >> >> >> I'll install a local instance and try it out for you. I'll report back shortly.
>> >>> >> >> >>
>> >>> >> >> >
>> >>> >> >> > Not positive, but it doesn't look like it's working. I'm not keeping it around for another try.
>> >>> >> >> > You may just have to restart the syscheckd process.
>> >>> >> >> >
>> >>> >> >>
>> >>> >> >> It does look like this might be working, just had to have execd running and have a bit more patience.
>> >>> >> >>
>> >>> >> >> >>> On 5 September 2016 at 17:43, dan (ddp) <[email protected]> wrote:
>> >>> >> >> >>>>
>> >>> >> >> >>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <[email protected]> wrote:
>> >>> >> >> >>>> > Hi, ideally we'd like ossec to check file integrity in real time; if not, what are the other options ossec can offer in that aspect?
>> >>> >> >> >>>> >
>> >>> >> >> >>>>
>> >>> >> >> >>>> It will do some things in real time, not all. I think it should be a fairly simple code change to add new files to the realtime options, but I've never really looked into it.
>> >>> >> >> >>>>
>> >>> >> >> >>>> > Is there a Syscheck cmd in ossec?
>> >>> >> >> >>>> >
>> >>> >> >> >>>>
>> >>> >> >> >>>> # /var/ossec/bin/agent_control -h
>> >>> >> >> >>>>
>> >>> >> >> >>>> OSSEC HIDS agent_control: Control remote agents.
>> >>> >> >> >>>> Available options:
>> >>> >> >> >>>>   -h          This help message.
>> >>> >> >> >>>>   -l          List available (active or not) agents.
>> >>> >> >> >>>>   -lc         List active agents.
>> >>> >> >> >>>>   -i <id>     Extracts information from an agent.
>> >>> >> >> >>>>   -R <id>     Restarts agent.
>> >>> >> >> >>>>   -r -a       Runs the integrity/rootkit checking on all agents now.
>> >>> >> >> >>>>   -r -u <id>  Runs the integrity/rootkit checking on one agent now.
>> >>> >> >> >>>>
>> >>> >> >> >>>>   -b <ip>     Blocks the specified ip address.
>> >>> >> >> >>>>   -f <ar>     Used with -b, specifies which response to run.
>> >>> >> >> >>>>   -L          List available active responses.
>> >>> >> >> >>>>   -s          Changes the output to CSV (comma delimited).
>> >>> >> >> >>>>
>> >>> >> >> >>>> > On 5 September 2016 at 17:23, dan (ddp) <[email protected]> wrote:
>> >>> >> >> >>>> >>
>> >>> >> >> >>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <[email protected]> wrote:
>> >>> >> >> >>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file, no alerts fired after adding a file to /home/user_name, which is monitored by ossec. What are the possible problems?
>> >>> >> >> >>>> >> >
>> >>> >> >> >>>> >>
>> >>> >> >> >>>> >> A syscheck scan probably hasn't run since the file was added (I don't think it works with realtime).
>> >>> >> >> >>>> >> Try running a syscheck scan to see if an alert is created.
>> >>> >> >> >>>> >>
>> >>> >> >> >>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>> >>> >> >> >>>> >> >>
>> >>> >> >> >>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <[email protected]> wrote:
>> >>> >> >> >>>> >> >> > Using the above cmd, adding a file on a monitored directory, i.e. /home/user_name,
>> >>> >> >> >>>> >> >> >
>> >>> >> >> >>>> >> >> > nothing is shown on tcpdump,
>> >>> >> >> >>>> >> >> >
>> >>> >> >> >>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> >>> >> >> >>>> >> >> >
>> >>> >> >> >>>> >> >>
>> >>> >> >> >>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>> >>> >> >> >>>> >> >> So make sure you're listening to the interface the emails should be sent from.
>> >>> >> >> >>>> >> >> Did any alerts fire while you were using tcpdump (check /var/ossec/logs/alerts/alerts.log)?
>> >>> >> >> >>>> >> >> If not, that'll be a problem.
>> >>> >> >> >>>> >> >>
>> >>> >> >> >>>> >> >> >
>> >>> >> >> >>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>> >>> >> >> >>>> >> >> >>
>> >>> >> >> >>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected]> wrote:
>> >>> >> >> >>>> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
>> >>> >> >> >>>> >> >> >> >
>> >>> >> >> >>>> >> >> >>
>> >>> >> >> >>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>> >>> >> >> >>>> >> >> >>
>> >>> >> >> >>>> >> >> >> > cheers
>> >>> >> >> >>>> >> >> >> >
>> >>> >> >> >>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >>> >> >> >>>> >> >> >> >>
>> >>> >> >> >>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]> wrote:
>> >>> >> >> >>>> >> >> >> >> > Hi, since it is a fresh install of ossec, I didn't get any emails. The notification is turned on as
>> >>> >> >> >>>> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >>
>> >>> >> >> >>>> >> >> >> >> Try using tcpdump (looking for connections to the email server from the OSSEC system)
>> >>> >> >> >>>> >> >> >> >> or check the maillogs on the email server to determine if there is an error when sending.
>> >>> >> >> >>>> >> >> >> >>
>> >>> >> >> >>>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
>> >>> >> >> >>>> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> > in ossec.conf
>> >>> >> >> >>>> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >>> >> >> >>>> >> >> >> >> >>
>> >>> >> >> >>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
>> >>> >> >> >>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configured ossec.conf as follows. I tried to detect new additions using <alert_new_files>yes</alert_new_files>.
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > <global>
>> >>> >> >> >>>> >> >> >> >> >> >   <email_notification>yes</email_notification>
>> >>> >> >> >>>> >> >> >> >> >> >   <email_to>[email protected]</email_to>
>> >>> >> >> >>>> >> >> >> >> >> >   <smtp_server>ns0.bt.net.</smtp_server>
>> >>> >> >> >>>> >> >> >> >> >> >   <email_from>[email protected]</email_from>
>> >>> >> >> >>>> >> >> >> >> >> > </global>
>> >>> >> >> >>>> >> >> >> >> >> > <syscheck>
>> >>> >> >> >>>> >> >> >> >> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >>> >> >> >>>> >> >> >> >> >> >   <frequency>79200</frequency>
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> >   <alert_new_files>yes</alert_new_files>
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> >   <!-- Directories to check (perform all possible verifications) -->
>> >>> >> >> >>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >>> >> >> >>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >>> >> >> >>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>> >>> >> >> >>>> >> >> >> >> >> > </syscheck>
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > The local_rules.xml is like,
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > <group name="local,syslog,">
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> >   <!-- Note that rule id 5711 is defined at the ssh_rules file
>> >>> >> >> >>>> >> >> >> >> >> >     - as a ssh failed login. This is just an example
>> >>> >> >> >>>> >> >> >> >> >> >     - since ip 1.1.1.1 shouldn't be used anywhere.
>> >>> >> >> >>>> >> >> >> >> >> >     - Level 0 means ignore.
>> >>> >> >> >>>> >> >> >> >> >> >   -->
>> >>> >> >> >>>> >> >> >> >> >> >   <rule id="100001" level="0">
>> >>> >> >> >>>> >> >> >> >> >> >     <if_sid>5711</if_sid>
>> >>> >> >> >>>> >> >> >> >> >> >     <srcip>1.1.1.1</srcip>
>> >>> >> >> >>>> >> >> >> >> >> >     <description>Example of rule that will ignore sshd </description>
>> >>> >> >> >>>> >> >> >> >> >> >     <description>failed logins from IP 1.1.1.1.</description>
>> >>> >> >> >>>> >> >> >> >> >> >   </rule>
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> >   <rule id="554" level="7" overwrite="yes">
>> >>> >> >> >>>> >> >> >> >> >> >     <category>ossec</category>
>> >>> >> >> >>>> >> >> >> >> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >>> >> >> >>>> >> >> >> >> >> >     <description>File added to the system.</description>
>> >>> >> >> >>>> >> >> >> >> >> >     <group>syscheck,</group>
>> >>> >> >> >>>> >> >> >> >> >> >   </rule>
>> >>> >> >> >>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > Now, if I add a file in home/user_name, there is no email notification coming through the SMTP server. I am using smtp.bt.net, using
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > dig -t mx smtp.bt.net
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > to get the SMTP server. What are the possible reasons that I am not getting the email?
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >>
>> >>> >> >> >>>> >> >> >> >> >> Are you getting emails for other alerts?
>> >>> >> >> >>>> >> >> >> >> >> Are alerts being triggered for these new files?
>> >>> >> >> >>>> >> >> >> >> >>
>> >>> >> >> >>>> >> >> >> >> >> > Many thanks
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > --
>> >>> >> >> >>>> >> >> >> >> >> >
>> >>> >> >> >>>> >> >> >> >> >> > ---
>> >>> >> >> >>>> >> >> >> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >>> >> >> >>>> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>> >> >> >>>> >> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
>> >>> >> For more options, visit https://groups.google.com/d/optout. >> >>> > >> >>> > >> >>> > -- >> >>> > >> >>> > --- >> >>> > You received this message because you are subscribed to the Google >> >>> > Groups >> >>> > "ossec-list" group. >> >>> > To unsubscribe from this group and stop receiving emails from it, >> >>> > send >> >>> > an >> >>> > email to [email protected]. >> >>> > For more options, visit https://groups.google.com/d/optout. >> >>> >> >>> -- >> >>> >> >>> --- >> >>> You received this message because you are subscribed to a topic in the >> >>> Google Groups "ossec-list" group. >> >>> To unsubscribe from this topic, visit >> >>> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> >>> To unsubscribe from this group and all its topics, send an email to >> >>> [email protected]. >> >>> For more options, visit https://groups.google.com/d/optout. >> >> >> >> >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. 
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
