Hi,
I have some experience with the OSSEC server but little with OSSIM.
My goal is to replace ossim-server with ossim.
But OSSIM comes with this configuration (with active response disabled) — here is the
ossec.conf on OSSIM:
<ossec_config>
<global>
<!-- No e-mail alerting; alerts are emitted through the custom line format below -->
<email_notification>no</email_notification>
<!-- Single-line alert template. Presumably the format the OSSIM collector parses
- (field order and quoting look significant) - confirm before changing it. -->
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
"$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER";
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
"[INIT]$FULLLOG[END]"; </custom_alert_output>
</global>
<syscheck>
<!-- Raise an alert when a file appears in a monitored directory -->
<alert_new_files>yes</alert_new_files>
<!-- Frequency that syscheck is executed - default to every 6 hours
-->
<frequency>21600</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- OSSIM's own log tree is monitored too; parts of it are excluded below -->
<directories check_all="yes">/var/ossim/logs</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/var/ossim/logs/last</ignore>
<ignore>/var/ossim/logs/searches</ignore>
<!-- Pattern-based ignore for rotating/derived files.
- NOTE(review): in OSSEC regex syntax an unescaped "." matches any character,
- so ".log$" also matches names such as "catalog"; if only the extension is
- meant, "\.log$" (and likewise for the other suffixes) narrows the exclusion
- so fewer files silently drop out of integrity checking. -->
<ignore
type="sregex">.log$|.count$|.total$|.total_events|.csv_total_events|.stats$|.index$|.inx$|.inx.gz$|/tmp.</ignore>
<!-- Windows files to ignore -->
<!-- NOTE(review): these Windows paths sit in a Linux server's ossec.conf; they look
- like stock defaults carried over - verify whether agent.conf is the intended place -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<rootcheck>
<!-- Rootkit signature lists and CIS benchmark policy checks shipped under /var/ossec/etc/shared -->
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<!-- Active response is switched off for the whole server as shipped. Setting this
- to "no" only enables the mechanism; the <command> and <active-response>
- definitions themselves are not present anywhere in this file. -->
<active-response>
<disabled>yes</disabled>
</active-response>
<remote>
<!-- Accept agent connections over the encrypted agent protocol ("secure"), not plain syslog -->
<connection>secure</connection>
</remote>
<alerts>
<!-- Log every alert of level 1 and above -->
<log_alert_level>1</log_alert_level>
</alerts>
<!-- Files to monitor (localfiles) -->
<!-- Logs read locally on the server itself -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.info</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
</ossec_config>
<!-- Empty configuration root: contains nothing but a comment, so it has no effect -->
<ossec_config>
<!-- rules global entry -->
</ossec_config>
<!-- rules global entry -->
<ossec_config>
<!-- rules global entry -->
<rules>
<!-- Decoder definitions used by the alienvault rule set below (path relative to the OSSEC install) -->
<decoder>alienvault/decoders/decoder.xml</decoder>
</rules>
</ossec_config>
<!-- rules global entry -->
<ossec_config>
<!-- rules global entry -->
<!-- Rule files are loaded in the order listed; rules_config.xml comes first and
- local_rules.xml last so local overrides win -->
<rules>
<include>alienvault/rules/rules_config.xml</include>
<include>alienvault/rules/pam_rules.xml</include>
<include>alienvault/rules/sshd_rules.xml</include>
<include>alienvault/rules/telnetd_rules.xml</include>
<include>alienvault/rules/syslog_rules.xml</include>
<include>alienvault/rules/arpwatch_rules.xml</include>
<include>alienvault/rules/symantec-av_rules.xml</include>
<include>alienvault/rules/symantec-ws_rules.xml</include>
<include>alienvault/rules/pix_rules.xml</include>
<include>alienvault/rules/named_rules.xml</include>
<include>alienvault/rules/smbd_rules.xml</include>
<include>alienvault/rules/vsftpd_rules.xml</include>
<include>alienvault/rules/pure-ftpd_rules.xml</include>
<include>alienvault/rules/proftpd_rules.xml</include>
<include>alienvault/rules/ms_ftpd_rules.xml</include>
<include>alienvault/rules/ftpd_rules.xml</include>
<include>alienvault/rules/hordeimp_rules.xml</include>
<include>alienvault/rules/vpopmail_rules.xml</include>
<include>alienvault/rules/vmpop3d_rules.xml</include>
<include>alienvault/rules/courier_rules.xml</include>
<include>alienvault/rules/web_rules.xml</include>
<include>alienvault/rules/apache_rules.xml</include>
<include>alienvault/rules/mysql_rules.xml</include>
<include>alienvault/rules/postgresql_rules.xml</include>
<include>alienvault/rules/ids_rules.xml</include>
<include>alienvault/rules/squid_rules.xml</include>
<include>alienvault/rules/firewall_rules.xml</include>
<include>alienvault/rules/cisco-ios_rules.xml</include>
<include>alienvault/rules/netscreenfw_rules.xml</include>
<include>alienvault/rules/sonicwall_rules.xml</include>
<include>alienvault/rules/postfix_rules.xml</include>
<include>alienvault/rules/sendmail_rules.xml</include>
<include>alienvault/rules/imapd_rules.xml</include>
<include>alienvault/rules/mailscanner_rules.xml</include>
<include>alienvault/rules/ms-exchange_rules.xml</include>
<include>alienvault/rules/racoon_rules.xml</include>
<include>alienvault/rules/vpn_concentrator_rules.xml</include>
<include>alienvault/rules/spamd_rules.xml</include>
<include>alienvault/rules/msauth_rules.xml</include>
<include>alienvault/rules/mcafee_av_rules.xml</include>
<include>alienvault/rules/ms_dhcp_rules.xml</include>
<include>alienvault/rules/attack_rules.xml</include>
<include>alienvault/rules/vmware_rules.xml</include>
<include>alienvault/rules/ossec_rules.xml</include>
<include>alienvault/rules/zeus_rules.xml</include>
<include>alienvault/rules/solaris_bsm_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>alienvault/rules/alienvault-directory-service_rules.xml</include>
<include>alienvault/rules/alienvault-windows-FIM_rules.xml</include>
<include>alienvault/rules/alienvault-windows-logon-logoff_rules.xml</include>
<include>alienvault/rules/alienvault-windows-workstation-logon-logoff_rules.xml</include>
<include>alienvault/rules/alienvault-windows-USB_rules.xml</include>
<include>alienvault/rules/alienvault-domain_rules.xml</include>
<include>alienvault/rules/local_rules.xml</include>
</rules>
<!-- Agentless integrity checks over SSH, run hourly against the listed paths.
- The <host> value appears to have been masked by the list archive; OSSEC
- expects user@hostname here, and the SSH credentials are kept outside
- this file (register them with the agentless tooling), not in ossec.conf. -->
<agentless>
<type>ssh_integrity_check_bsd</type>
<frequency>3600</frequency>
<host>[email protected]</host>
<state>periodic</state>
<arguments>/etc /usr/bin /usr/sbin /bin /sbin</arguments>
</agentless>
<agentless>
<type>ssh_integrity_check_linux</type>
<frequency>3600</frequency>
<host>[email protected]</host>
<state>periodic</state>
<arguments>/etc /usr/bin /usr/sbin /bin /sbin</arguments>
</agentless>
</ossec_config>
<!-- rules global entry -->
**********************
But I want AR enabled, so I added the following to the configuration and set
`<disabled>no</disabled>` in the active-response section:
**********************
<!-- NOTE(review): <command> and <active-response> entries are only read when they
- sit inside an <ossec_config> root, like every other section of this file. Pasted
- at top level as shown here they are likely what makes startup fail; ossec.log
- normally names the offending line. -->
<!-- Response scripts; each runs from the active-response/bin directory and
- receives the value named in <expect> (srcip or user) from the triggering alert -->
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Defined but not bound to any <active-response> below; takes no argument -->
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<!-- Defined but not bound to any <active-response> below -->
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<!-- NOTE(review): with <location>all</location> and <level>6</level> the two
- blocking responses below run on every agent and the server for any level>=6
- alert that carries a source IP, so a single mis-decoded or forged address in a
- log line can lock out legitimate hosts. Before enabling, list the OSSIM server,
- management networks, DNS and gateway addresses in <global><white_list>, and
- consider starting with <location>local</location> or a higher <level> until
- the rule set is tuned. -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
<!-- Escalating block durations (in minutes) for addresses that trigger the response again -->
<repeated_offenders>60,120,480</repeated_offenders>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>60,120,480</repeated_offenders>
</active-response>
<!-- Windows counterpart of route-null (a .cmd script) -->
<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- NOTE(review): presumably only meaningful on Windows agents, yet
- <location>all</location> dispatches it to every host; restricting it with
- <location>defined-agent</location> plus <agent_id> avoids failed runs elsewhere - verify -->
<active-response>
<command>win_nullroute</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
With this modification, OSSEC on OSSIM does not start, and the error I mentioned earlier
is written to ossec.log.
Thanks for your time.
gb
Il giorno domenica 13 gennaio 2019 17:48:44 UTC+1, Brian Candler ha scritto:
>
> Well, I'd guess you have a configuration error - maybe some missing
> options in the active response configuration.
>
> Would you care to post any configuration files you have created or
> changed, e.g. ossec.conf and local_internal_options.conf ?
>