[ossec-list] Re: Windows agent - unable to start agent (check config)

2016-03-29 Thread Victor Fernandez
Hi.

Have you added the original administrator and your own account to the 
"Administrators" group?

I followed your steps, added my user account to "Administrators", closed 
and reopened my session, and it did work.

Regards.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Jose Luis Ruiz
Try to add an admin user to this new Administrators group and reinstall OSSEC.


---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

> On Mar 29, 2016, at 4:21 PM, Krzysztof Zaklikiewicz  
> wrote:
> 
> Hi
> 
> I downloaded from http://ossec.wazuh.com/windows/
> 
> In addition, I had to manually add the IP address of the server to ossec.conf 
>   192.168.17.14  
> 
> Logs of ossec.log
> 
> 2016/03/29 21:36:22 ossec-agent: INFO: Service does not exist (OssecSvc) 
> nothing to remove.
> 
> 2016/03/29 21:36:22 ossec-agent: INFO: Successfully added to the service 
> database.
> 
> 2016/03/29 21:36:23 setup-windows: INFO: System is Vista or newer (Microsoft 
> Windows 7 Business Edition Professional Service Pack 1 (Build 7601) - OSSEC 
> HIDS v2.8.3).
> 
> 2016/03/29 22:08:48 ossec-agent: Using notify time: 600 and max time to 
> reconnect: 1800
> 
> 2016/03/29 22:08:48 ossec-agent(1402): ERROR: Authentication key file 
> 'client.keys' not found.
> 
> 2016/03/29 22:08:48 ossec-agent(1750): ERROR: No remote connection 
> configured. Exiting.
> 
> 2016/03/29 22:08:48 ossec-agent: INFO: Received exit signal. 
> 
> 
> On Tuesday, 29 March 2016 at 22:13:58 UTC+2, user jose wrote:
> Hi Krzysztof
> 
> Are you compiling your own Windows agent from sources, or are you downloading 
> it from a website?
> 
>  
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
> 
>> On Mar 29, 2016, at 4:03 PM, Krzysztof Zaklikiewicz wrote:
>> 
>> Hello
>> 
>> I can't start ossec agent for Windows 7 Pro - agent displays error unable to 
>> start agent (check config). My Windows is Polish, I added group 
>> Administrators and nothing changed. Please help.
>> 
>> Best regards
>> Krzysztof Zaklikiewicz
>> 


Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Pedro Sanchez
Did you use the UI (win32ui.exe) to add the key? You need to import the key
extracted from Manager. Open it as Administrator, paste the key on
"Authentication key" and click on "Save" button.

The log is telling us that you didn't add the key, so the file client.keys
is not created.

On Tue, Mar 29, 2016 at 10:21 PM, Krzysztof Zaklikiewicz  wrote:

> Hi
>
> I downloaded from http://ossec.wazuh.com/windows/
>
> In addition, I had to manually add the IP address of the server to
> ossec.conf   192.168.17.14  
>
> Logs of ossec.log
>
> 2016/03/29 21:36:22 ossec-agent: INFO: Service does not exist (OssecSvc)
> nothing to remove.
>
> 2016/03/29 21:36:22 ossec-agent: INFO: Successfully added to the service
> database.
>
> 2016/03/29 21:36:23 setup-windows: INFO: System is Vista or newer
> (Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build
> 7601) - OSSEC HIDS v2.8.3).
>
> 2016/03/29 22:08:48 ossec-agent: Using notify time: 600 and max time to
> reconnect: 1800
>
> 2016/03/29 22:08:48 ossec-agent(1402): ERROR: Authentication key file
> 'client.keys' not found.
>
> 2016/03/29 22:08:48 ossec-agent(1750): ERROR: No remote connection
> configured. Exiting.
>
> 2016/03/29 22:08:48 ossec-agent: INFO: Received exit signal.
>
>
> On Tuesday, 29 March 2016 at 22:13:58 UTC+2, user jose wrote:
>>
>> Hi Krzysztof
>>
>> Are you compiling your own Windows agent from sources, or are you
>> downloading it from a website?
>>
>> 
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On Mar 29, 2016, at 4:03 PM, Krzysztof Zaklikiewicz 
>> wrote:
>>
>> Hello
>>
>> I can't start ossec agent for Windows 7 Pro - agent displays error unable
>> to start agent (check config). My Windows is Polish, I added group
>> Administrators and nothing changed. Please help.
>>
>> Best regards
>> Krzysztof Zaklikiewicz
>>


Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Krzysztof Zaklikiewicz
Hi

I downloaded from http://ossec.wazuh.com/windows/

In addition, I had to manually add the IP address of the server to 
ossec.conf   192.168.17.14  

Logs of ossec.log

2016/03/29 21:36:22 ossec-agent: INFO: Service does not exist (OssecSvc) 
nothing to remove.

2016/03/29 21:36:22 ossec-agent: INFO: Successfully added to the service 
database.

2016/03/29 21:36:23 setup-windows: INFO: System is Vista or newer 
(Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build 
7601) - OSSEC HIDS v2.8.3).

2016/03/29 22:08:48 ossec-agent: Using notify time: 600 and max time to 
reconnect: 1800

2016/03/29 22:08:48 ossec-agent(1402): ERROR: Authentication key file 
'client.keys' not found.

2016/03/29 22:08:48 ossec-agent(1750): ERROR: No remote connection 
configured. Exiting.

2016/03/29 22:08:48 ossec-agent: INFO: Received exit signal. 


On Tuesday, 29 March 2016 at 22:13:58 UTC+2, user jose wrote:
>
> Hi Krzysztof
>
> Are you compiling your own Windows agent from sources, or are you 
> downloading it from a website?
>
>  
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On Mar 29, 2016, at 4:03 PM, Krzysztof Zaklikiewicz wrote:
>
> Hello
>
> I can't start ossec agent for Windows 7 Pro - agent displays error unable 
> to start agent (check config). My Windows is Polish, I added group 
> Administrators and nothing changed. Please help.
>
> Best regards
> Krzysztof Zaklikiewicz
>


Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Jose Luis Ruiz
Hi Krzysztof

Are you compiling your own Windows agent from sources, or are you downloading 
it from a website?

 
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com 

> On Mar 29, 2016, at 4:03 PM, Krzysztof Zaklikiewicz  
> wrote:
> 
> Hello
> 
> I can't start ossec agent for Windows 7 Pro - agent displays error unable to 
> start agent (check config). My Windows is Polish, I added group 
> Administrators and nothing changed. Please help.
> 
> Best regards
> Krzysztof Zaklikiewicz
> 


[ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Krzysztof Zaklikiewicz
Hello

I can't start ossec agent for Windows 7 Pro - agent displays error unable 
to start agent (check config). My Windows is Polish, I added group 
Administrators and nothing changed. Please help.

Best regards
Krzysztof Zaklikiewicz



Re: [ossec-list] How to ignore log ?

2016-03-29 Thread dan (ddp)
On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
 wrote:
> Hi,
>
> I am getting this alert form all the hosts -
>
> Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
> audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
> profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
> denied_mask="trace" peer="unconfined"
>
> to disable this alerts i have written this -
> 
> no_email_alert
> apparmor="DENIED"  profile="docker-default"
> IGNORED RULE
> 
>
> and restarted the ossec master service, still getting same alert
> what am i missing here ?
>

The first step is to run the log message through ossec-logtest:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
   full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
   hostname: 'cmcloud'
   program_name: 'kernel'
   log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
   decoder: 'iptables'
   status: 'DENIED'
   extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
   Rule id: '52002'
   Level: '3'
   Description: 'Apparmor DENIED'
**Alert to be generated.


So the log message is currently triggering rule 52002. We'll use this
in our rule.
The status is DENIED, which can also be useful.
So we'll write a basic rule that tries to match on these:


  DENIED
  profile="docker-default"
  IGNORE RULE


I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
because I don't care about it.
Then I rerun ossec-logtest:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
   full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
   hostname: 'cmcloud'
   program_name: 'kernel'
   log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
   decoder: 'iptables'
   status: 'DENIED'
   extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
   Rule id: '81'
   Level: '0'
   Description: 'IGNORE RULE'

With the custom rule in place the log message is adequately ignored.

> --
> Regards,
> Sandeep
>
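The rule dan adds to /var/ossec/rules/local_rules.xml lost its XML tags in this archive. As an added example (not dan's exact rule, and not shipped with OSSEC), here is a local rule for the same AppArmor line that keeps the scope narrow: it chains off rule 52002 and the decoded status field that ossec-logtest showed, and additionally requires the operation and program from the sample line, so other denials from the docker-default profile still alert. The rule id 100001 is an arbitrary value from the 100000-119999 range reserved for local rules; the group name is likewise a choice made here.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not the rule posted in the thread) -->
<group name="local,apparmor,">
  <rule id="100001" level="0">
    <!-- Chain off the stock rule that currently fires for this line (52002, level 3) -->
    <if_sid>52002</if_sid>
    <!-- The "status" field decoded by the iptables decoder, as shown in Phase 2 of ossec-logtest -->
    <status>DENIED</status>
    <!-- OS_Regex: only silence ptrace denials of ps inside the docker-default profile.
         Other operations from that profile (file opens, execs, ...) still reach rule 52002. -->
    <regex>operation="ptrace" profile="docker-default" pid=\d+ comm="ps"</regex>
    <description>Ignored: AppArmor ptrace denial for ps under docker-default</description>
  </rule>
</group>
```

Re-run the sample line through ossec-logtest as dan did and confirm that Phase 3 now ends in rule 100001 at level 0 before restarting the manager. A level 0 rule produces neither an alert nor an archive entry, so the match should be only as broad as the noise requires; dropping the `<regex>` line would silence every denial from that profile, including ones worth seeing.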


[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
I think it is hard to simulate correlation on OSSEC; it has some tools, as 
you said, like frequency, timeframe, if_matched_sid, if_matched_group... I 
think the best and simplest approach is to create two rules matching the 
IDs, but as far as I know it won't work as you desired.

For example:

   
18103
^4000$|^4001$
Match of Windows Event ID 4000 OR 4001
authentication_success,pci_dss_10.2.5,
  


  
18500
^4001$
Match of Windows Event ID 4000 followed of 4001

authentication_success,pci_dss_10.2.5,
  


The second rule will trigger only if there is a previous match of 4000 or 
4001. I don't know any other approach to solve this.
Maybe we can use active response to execute a script which stores the info 
and at some point triggers an alert.

I hope someone can bring us some light here.

Regards,

Pedro S.

On Tuesday, March 29, 2016 at 4:21:36 PM UTC+2, Rob B wrote:
>
> Thank you for taking the time to answer with examples Pedro!
>
> One last related question if ya don't mind..? I am trying to wrap
> my head around a rule firing off after a simple bit of correlation.
> Is it possible?  I know this is the job of the SIEM, but I am trying
> to get the SIEM to only correlate fired upon alerts that are qualified
> by a mechanism first. So, for example, I would like a rule to fire on
> event 4567 that was followed by 4523 then followed by 4625 between 1
> and 50 times, then a 4624... (when all these things match the rule
> fires)
>
> I see that rules have the ability of setting frequency and time frame,
> which would help me, though I am at a loss for the remainder of my
> needs.  Seems an external script may be needed along with a sort of
> temporary repository. ( I may be over thinking this and mucking it up
> )
>
>
> What could you suggest?
>
>
> V/R,
> Rob B.
>
> On Tuesday, March 29, 2016 at 7:41:21 AM UTC-4, Pedro S wrote:
>>
>> If you need to filter for one specific ID you need to use the *pipe |* 
>> option, I don't think you can use "," inside ** tags to 
>> concatenate anything.
>> "," character will be treated like an string character not a regex one so 
>> it will try to match for *"IDNumber,".*
>>
>> As you know, one example of this kind of rule is used on 
>> *msauth_rules.xml:*
>>
>>   
>>> 18105
>>> 
>>> ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$
>>> Windows Logon Failure.
>>> 
>>> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>>>   
>>
>>
>> This last one will work, and the following one WON'T work:
>>
>>   
>>> 18105
>>> ^529$,^530$,^531$,^532$,^533$
>>> Windows Logon Failure.
>>> 
>>> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>>>   
>>
>>
>>
>> Regards,
>>
>> Pedro S.
>>
>>  
>>
>>
>> On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
>>>
>>> Heya Folks,
>>>
>>>   I've been looking for the docs that explain the difference between the 
>>> use of the '|' and the ',' when specifying the id numbers within a rule. I 
>>> can't find anything that explains the use.
>>>
>>> Could someone explain to me the differences by way of use?  or provide a 
>>> link that I may have missed?
>>>
>>>
>>>
>>> Two arbitrary use case EXAMPLES of what I am after is:
>>>
>>> A.)  Within sid 18103, look for id 12345 followed by 12346, followed by 
>>> 12347
>>> B.)  Within sid 18103, look for id 11234 and 11254
>>>
>>>
>>> Thank you!
>>>
>>> R.B.
>>>
>>

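The two rules Pedro posts above, and the earlier explanation of `|` versus `,` in `<id>`, both lost their tags in the archive. The following is an added example, not Pedro's exact rules and not part of OSSEC's stock rule set, that puts both points into working syntax: the first rule matches either Windows Event ID with `|` alternation (a `,` would be matched literally, as the earlier reply explains), and the second fires only after the first has already fired. Rule ids 100010 and 100011, the level, frequency and timeframe values, and the group names are choices made here; `if_sid` 18103 is the stock Windows parent rule the thread refers to.

```xml
<!-- Added example (not the rules posted in the thread) -->
<group name="local,windows,">

  <!-- Rule A: a single event whose decoded id is 4000 or 4001.
       "|" is alternation in the <id> field; "^4000$,^4001$" would be taken literally. -->
  <rule id="100010" level="3">
    <if_sid>18103</if_sid>
    <id>^4000$|^4001$</id>
    <description>Windows Event ID 4000 or 4001 seen</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>

  <!-- Rule B: composite rule. It needs frequency and timeframe to be evaluated at all;
       it matches a 4001 that arrives after rule A has fired within the last 300 s. -->
  <rule id="100011" level="7" frequency="2" timeframe="300">
    <if_matched_sid>100010</if_matched_sid>
    <id>^4001$</id>
    <description>Windows Event ID 4001 following an earlier 4000/4001 (rule 100010)</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>

</group>
```

A third rule with `<if_matched_sid>100011</if_matched_sid>` extends the chain to "A, then B, then C", and adding `<same_source_ip />` to the composite rules restricts each step to one source (only meaningful if the Windows decoder populates srcip; check Phase 2 of ossec-logtest). What OSSEC cannot express is Rob's "between 1 and 50 times" or a strict order among three different ids in one rule: frequency is a lower bound within the timeframe and has no upper bound, and the exact number of earlier alerts needed before a composite rule fires is worth confirming with ossec-logtest rather than assumed. For the full sequence, Pedro's suggestion of an active-response script that keeps state remains the realistic route, with the SIEM consuming the resulting alert as the qualifier Rob describes.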


[ossec-list] Re: Filter Windows Event Log at client

2016-03-29 Thread Duẩn Phạm
I used *or* and it worked. Thanks very much!

At 17:57:11 UTC+7 on Tuesday, 29 March 2016, Jesus Linares wrote:
>
> Hi, 
>
> try with *and*/*or*:
>
> 
>   Security
>   eventchannel  
>   Event/System[EventID=5140 and EventID=5144]
> 
>
> Regards,
> Jesus Linares.
>
> On Monday, March 28, 2016 at 10:58:57 AM UTC+2, Duẩn Phạm wrote:
>>
>> Hi,
>>
>> I have installed the new version of OSSEC v2.8.3. I have a windows ossec 
>> client. I would like to filter Windows event logs 
>> (Applications/Security/System/Application and Services Log) based on the 
>> event ids at ossec client (in order to reduce the logs forwarded to OSSEC 
>> manager).
>> Ex: EventID=5140 and EventID=5144
>>   I try config: 
>>   
>> Security
>> eventchannel
>> Event/System[EventID=5140 && EventID=5144]
>>   
>>   
>> Security
>> eventchannel
>> Event/System[EventID=5140 || EventID=5144]
>>   
>> *THIS  DOESN'T WORK*
>>
>>
>> *Am I doing something wrong here. Please advice.*
>>
>



[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Rob B
Thank you for taking the time to answer with examples Pedro!

One last related question if ya don't mind..? I am trying to wrap
my head around a rule firing off after a simple bit of correlation.
Is it possible?  I know this is the job of the SIEM, but I am trying
to get the SIEM to only correlate fired upon alerts that are qualified
by a mechanism first. So, for example, I would like a rule to fire on
event 4567 that was followed by 4523 then followed by 4625 between 1
and 50 times, then a 4624... (when all these things match the rule
fires)

I see that rules have the ability of setting frequency and time frame,
which would help me, though I am at a loss for the remainder of my
needs.  Seems an external script may be needed along with a sort of
temporary repository. ( I may be over thinking this and mucking it up
)


What could you suggest?


V/R,
Rob B.

On Tuesday, March 29, 2016 at 7:41:21 AM UTC-4, Pedro S wrote:
>
> If you need to filter for one specific ID you need to use the *pipe |* 
> option, I don't think you can use "," inside ** tags to 
> concatenate anything.
> "," character will be treated like an string character not a regex one so 
> it will try to match for *"IDNumber,".*
>
> As you know, one example of this kind of rule is used on 
> *msauth_rules.xml:*
>
>   
>> 18105
>> 
>> ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$
>> Windows Logon Failure.
>> 
>> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>>   
>
>
> This last one will work, and the following one WON'T work:
>
>   
>> 18105
>> ^529$,^530$,^531$,^532$,^533$
>> Windows Logon Failure.
>> 
>> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>>   
>
>
>
> Regards,
>
> Pedro S.
>
>  
>
>
> On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
>>
>> Heya Folks,
>>
>>   I've been looking for the docs that explain the difference between the 
>> use of the '|' and the ',' when specifying the id numbers within a rule. I 
>> can't find anything that explains the use.
>>
>> Could someone explain to me the differences by way of use?  or provide a 
>> link that I may have missed?
>>
>>
>>
>> Two arbitrary use case EXAMPLES of what I am after is:
>>
>> A.)  Within sid 18103, look for id 12345 followed by 12346, followed by 
>> 12347
>> B.)  Within sid 18103, look for id 11234 and 11254
>>
>>
>> Thank you!
>>
>> R.B.
>>
>



[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
If you need to filter for one specific ID you need to use the *pipe |* 
option, I don't think you can use "," inside ** tags to 
concatenate anything.
"," character will be treated like an string character not a regex one so 
it will try to match for *"IDNumber,".*

As you know, one example of this kind of rule is used on *msauth_rules.xml:*

  
> 18105
> 
> ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$
> Windows Logon Failure.
> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>   


This last one will work, and the following one WON'T work:

  
> 18105
> ^529$,^530$,^531$,^532$,^533$
> Windows Logon Failure.
> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>   



Regards,

Pedro S.

 


On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
>
> Heya Folks,
>
>   I've been looking for the docs that explain the difference between the 
> use of the '|' and the ',' when specifying the id numbers within a rule. I 
> can't find anything that explains the use.
>
> Could someone explain to me the differences by way of use?  or provide a 
> link that I may have missed?
>
>
>
> Two arbitrary use case EXAMPLES of what I am after is:
>
> A.)  Within sid 18103, look for id 12345 followed by 12346, followed by 
> 12347
> B.)  Within sid 18103, look for id 11234 and 11254
>
>
> Thank you!
>
> R.B.
>



[ossec-list] Re: Filter Windows Event Log at client

2016-03-29 Thread Jesus Linares
Hi, 

try with *and*/*or*:


  Security
  eventchannel  
  Event/System[EventID=5140 and EventID=5144]


Regards,
Jesus Linares.

On Monday, March 28, 2016 at 10:58:57 AM UTC+2, Duẩn Phạm wrote:
>
> Hi,
>
> I have installed the new version of OSSEC v2.8.3. I have a windows ossec 
> client. I would like to filter Windows event logs 
> (Applications/Security/System/Application and Services Log) based on the 
> event ids at ossec client (in order to reduce the logs forwarded to OSSEC 
> manager).
> Ex: EventID=5140 and EventID=5144
>   I try config: 
>   
> Security
> eventchannel
> Event/System[EventID=5140 && EventID=5144]
>   
>   
> Security
> eventchannel
> Event/System[EventID=5140 || EventID=5144]
>   
> *THIS  DOESN'T WORK*
>
>
> *Am I doing something wrong here. Please advice.*
>

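The `<localfile>` block in Jesus's reply lost its tags in the archive, and the form that Duẩn later reports as working is the `or` variant. As an added example (not the configuration posted in the thread), here is the complete agent-side block for the Security channel, with a note on why the attempted forms fail. Two facts drive it: the `<query>` is an XPath expression as understood by the Windows event log, which has no `&&` or `||` operators, only `and`/`or`; and a single event carries exactly one EventID, so `EventID=5140 and EventID=5144` can never be true and selects nothing, while `or` selects either id.

```xml
<!-- Added example for the agent's ossec.conf (not the block posted in the thread) -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Rejected by the Windows query parser:  Event/System[EventID=5140 && EventID=5144]
                                                 Event/System[EventID=5140 || EventID=5144]
         Valid XPath but matches no event:       Event/System[EventID=5140 and EventID=5144]
         Forward only 5140 or 5144:                                                          -->
    <query>Event/System[EventID=5140 or EventID=5144]</query>
  </localfile>
</ossec_config>
```

After restarting the agent, check the agent's ossec.log for the Security channel being opened without a query error, then confirm on the manager that only the selected ids arrive; the filter runs on the client, so this is also what reduces the volume forwarded to the manager, which was Duẩn's goal.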


[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-29 Thread Jesus Linares
Hi,

first, I would use the same format for both messages. Two options:

   - Change log format in each device.
     - Choose one:
       - 1Mar2016 15:17:09 redirect st4600fw01n1
       - Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
     - This part could be your parent decoder (using regular expressions).
   - Change the log received with rsyslog, for example, add a string:
     - MyFirewall 1Mar2016 15:17:09 redirect st4600fw01n1
     - So, the parent decoder will be ^MyFirewall 
   
The prematch of each sub-decoder (child decoder) could be the type of log, 
maybe "web_client_type" or "mail".

What firewall are you using? Version?.

Paste here more logs.

Regards,
Jesus Linares

On Thursday, March 24, 2016 at 9:47:28 PM UTC+1, Fredrik wrote:
>
> Hi Jesus,
>
>
> Got sidetracked with other projects, and finally getting back to my 
> questions about handling different messages from the same device 
> (firewall). Also, Jesus your suggestion about placing a prematch in the 
> suggested decoder in this thread - what would be a good prematch here? 
>
> Should I add an OR to the parent decoder to do the first match and then 
> use different subdecoders to extract the useful information from the other 
> type of message? How do you deal with these type of scenarios?
>
> Just so I got that part right. Giving two sections the same 
> Checkpoint-alert in essence means that it is one 
> decoder, but defined in two sections? 
>
>
> Please find the two message-types below for reference.
>
> MESSAGE1:
> 1Mar2016 15:17:09 redirect st4600fw01n1  Chrome; resource: http://
> sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; src: 
> 192.168.1.15; dst: 23.8.4.103; proto: tcp; session_id: 
> {0x56d5a2de,0x4,0xc50d2e0a,0xc001}; Protection name: Check Point - 
> Testing Bot; malware_family: Check Point; Source OS: Windows; Confidence 
> Level: 5; severity: 2; malware_action: Communication with C site; 
> rule_uid: {9AF67731-0D35-4117-AF2B-9A47F9396D26}; Protection Type: URL 
> reputation; malware_rule_id: {00CE-00A4-0046-9658-621EA5468654}; 
> protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 192.168.1.15; scope: 
> 10.46.5.133; product: Anti Malware; service: http; s_port: 61834;
>
> MESSAGE2:
> Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  : 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc
> : **; app_id: 10063753; app_category: **; matched_category: 
> **; app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft
> -IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; 
> proxy_src_ip: 192.168.1.15 product: Application Control; service: http; 
> s_port: 58579; product_family: Network;
>
> On Monday, March 7, 2016 at 12:11:21 PM UTC+1, Jesus Linares wrote:
>
>> Hi Fredrik,
>>
>> The expression "\.+" matches anything. Usually, it is not a good idea 
>> because it is slow and maybe you capture something that you don't want. So, 
>> *when it is possible*, it is better to use something specific.
>>
>> When you have different decoders (different name) with the same parent, 
>> you should use a prematch. If you don't use prematch, the first rule is 
>> fired. In the previous example:
>>
>> Log:
>> Mar  3 12:15:24 LinMV TestDecoder[1963]: TypeB field1: hi; value2: bye; 
>> value3: seeyou
>>
>> Without prematch:
>> **Phase 2: Completed decoding.
>>decoder: 'TestDecoder'
>>extra_data: 'seeyou'
>>
>> With prematch:
>> **Phase 2: Completed decoding.
>>decoder: 'TestDecoder'
>>id: 'bye;'
>>
>>
>> Without prematch, the decoder is TestDecoder-1, but it should be 
>> TestDecoder2 (because it has the string "field1"). In my view, it is good 
>> practice to use prematch, but sometimes it is not necessary.
>>
>> Regarding your last question, could you use the same log format in your 
>> firewall and in the blade? Paste here two logs of each one (firewall and 
>> blade) and your decoders, and we will take a look ;)
>>
>> Regards.
>> Jesus Linares
>>
>> On Friday, March 4, 2016 at 9:08:34 PM UTC+1, Fredrik wrote:
>>>
>>> Hi All,
>>>
>>>
>>> In this context and with your great response. What would you PROs 
>>> suggest I do when decoding another type of message from the same firewall - 
>>> but a different blade (i.e. module). Turns out that the messages look 
>>> somewhat different. This is a sample from the other module and it won't 
>>> match with the current decoder. Should I add an OR to the parent decoder to 
>>> do the first match and then use different subdecoders to extract the useful 
>>> information from the other type of message? How do you deal with these type 
>>> of scenarios?
>>>
>>> MESSAGE:
>>> 1Mar2016 15:17:09 redirect st4600fw01n1 >> Chrome; resource: http://
>>> sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html; 
>>> src: 192.168.1.15; dst: 23.8.4.103; proto: tcp; 

[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."

2016-03-29 Thread Jesus Linares
Hi, 

that alert is related to a *kernel-level check* (anomaly detection checks, 
not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see more details 
in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check if the pid is 
a thread (not showing in /proc".

The code inspects all process IDs (PIDs), and uses the getsid, getpgid, and 
kill system calls to find all running processes. If the PID is being used, 
but the ps command cannot see it, a kernel-level rootkit or a Trojan 
version of ps might be running. It also compares the output of the getsid, 
getpgid, and kill system calls, looking for discrepancies.

So, your process 13380 is not in /proc. Try to find it using ps -e | grep 
892

Regards,
Jesus Linares.



On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>
> Greetings :-)
>
> Just got this alert, and was wondering if you could provide some specific 
> guidance on how to investigate (step 1, 2, etc.).
>
> New to OSSEC.
>
> OSSEC HIDS Notification.
>
> 2016 Mar 24 7:49:39
>
>  
>
> Received From: log->rootcheck
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event 
> (rootcheck)."
>
> Portion of the log(s):
>
>  
>
> Process '13380' hidden from /proc. Possible kernel level rootkit.
>
>  
>
>  
>
>  
>
>  --END OF NOTIFICATION
>



Re: [ossec-list] OSSEC Rule Creation Help

2016-03-29 Thread Jesus Linares
Hi,

The regex for field *same_source_ip* could be *\w+*. But I'm not sure if 
the field *same_source_ip* is OS_Regex or OS_Match. Check out the 
documentation: http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

If you need help creating specific rules, it would be very useful to paste 
here some log samples of what you want to detect.

Regards,
Jesus Linares.

On Thursday, March 24, 2016 at 1:41:47 PM UTC+1, namobud...@gmail.com wrote:
>
> Thanks Santiago,
>
> The logs I would be examining are just standard windows logs, I wonder if 
> it's just a question of building the right Kibana query or rule wise maybe 
> something like below (adding to my existing authentication group).
>
>
> I already have a custom authentication rules group as follows:
>
> 
>  
> authentication 
> 10 pm - 7 am 
> Login after hours 
>  
>
>
>  
>   50 
>   workstation-name 
>   Ignore service accounts 
>  
> 
>
> I'm not really that good with Reg-Ex's, but I think I want to build 
> something similar to below (I'm just not sure on the verbiage). I'm not 
> sure how to say more than one login account from the same IP in OSSEC rule 
> language. Any help would be greatly appreciated.  
>
>  
>   50 
>   workstation-name 
>   a reg-ex expression here that basically says logging 
> into more then one account from the same box  
>  Ignore service accounts *I might want to pull 
> this - not sure -* 
>  
> 
>
> Thanks,
>
>
>
> On Wednesday, March 23, 2016 at 5:54:56 PM UTC-4, Santiago Bassett wrote:
>>
>> For the first use case, I think you should be able to use 
>> "same_source_ip" and "not_same_user" options (I would probably define a 
>> frequency threshold too). 
>>
>> For other cases I guess it all depends on the logs you want to analyze. 
>> Do you have samples?
>>
>>
>>
>> On Wed, Mar 23, 2016 at 5:51 AM,  wrote:
>>
>>> Hello Group,
>>>
>>> Is there a way to create a rule that will filter for login attempts to 
>>> multiple accounts from the same IP? The goal is to find an attacker who's 
>>> gained a foothold attempting password spraying, which would fly under the 
>>> password policy radar if they do it slowly enough.
>>>
>>> I'm also looking for rules for the following if anyone has an idea of 
>>> how to write them.
>>>
>>> -An attacker using Powershell Empire (commonly used to own Active 
>>> Directory network)
>>> -Scanning Activity
>>> -Long Duration Connections (A possible sign of an advanced persistent 
>>> connection)
>>> -Concurrent Logins
>>>
>>>
>>> Thanks,
>>>
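Santiago's suggestion for the first use case (`same_source_ip` plus `not_same_user` with a frequency threshold) is the one that maps directly onto OSSEC's composite rules. As an added example, not a rule from the thread and not shipped with OSSEC, here it is written out for Windows logon failures: `same_source_ip` and `not_same_user` are empty flag elements rather than regex fields, and they compare the srcip and user values decoded from each event, so the rule only works if the Windows decoder populates both for the failure events (verify with ossec-logtest before relying on it). The rule id 100020, level, frequency and timeframe are choices made here; `win_authentication_failed` is the group carried by the stock Windows logon-failure rule quoted elsewhere in this thread.

```xml
<!-- Added example (not a rule from the thread): many different accounts failing
     to log on from one source address within ten minutes, the low-and-slow pattern
     the original question asks about. -->
<group name="local,windows,">
  <rule id="100020" level="10" frequency="8" timeframe="600">
    <!-- Chain off earlier alerts tagged win_authentication_failed -->
    <if_matched_group>win_authentication_failed</if_matched_group>
    <!-- Only count alerts whose decoded srcip is the same ... -->
    <same_source_ip />
    <!-- ... and whose decoded user differs between them -->
    <not_same_user />
    <description>Logon failures for multiple accounts from the same source address (possible password spraying)</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Tuning the threshold is the defender's main lever here: a long timeframe with a moderate frequency catches the slow case the question describes, while a short timeframe only catches noisy brute force. Raising or lowering frequency changes how many distinct-account failures are tolerated from one address before the level 10 alert (and any e-mail or active response tied to that level) fires.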