Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread Patrick
The log of apache 2.4.20_1 in FreeBSD is much more complex than what the decoder 
expects; the standard config can't understand it.

I added this instruction in the prematch of the decoder apache-errorlog, and now 
the decoder can understand the log:

^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client \d+.\d+.\d+.\d+:\d+]

^[warn] |^[notice] |^[error] |^[:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client \d+.\d+.\d+.\d+:\d+] 



-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] OSSEC-abnormal-behavior-active-response

2016-05-19 Thread James Siegel
I have a set of subnets that are whitelisted.
The server and agents were installed quite some time ago and are on 2.81.

The server and the agents have been restarted at various times over the 
past months as part of update/patching processes.

The conf file was not changed during those time periods.

My boss was locked out by active response after successfully logging in and 
then trying to su up to root; that occurred last Thursday.

The CEO was locked out of a device last night.

In both of those instances, the devices they were originating from were part of 
whitelisted subnets.

Somehow, there are suddenly random occurrences of locking out whitelisted devices?




[ossec-list] Re: white list specific ip on active response

2016-05-19 Thread James Siegel
Active response is acting up abnormally in 2.8.1

Active response is enabled.
Subnets are whitelisted in ossec.conf on the server.
The server and the agents have all been restarted over the past few months 
during patching cycles.

Last week my boss was locked out by active response while demonstrating 
something during a webex/team call.

Last night, the CEO was locked out of a different box.

Both of their devices were in a whitelisted subnet range. 

In the case of my boss, he was logged in, and tried to su up to root and 
that is when it happened.

The CEO tried logging in to a box and was locked out.

My boss has asked me to reach out and see if anyone else is having issues.



Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread dan (ddp)
On Thu, May 19, 2016 at 9:25 AM, Patrick  wrote:
> Thanks so much Dan.
>
>
> The error was simple, but I couldn't see it. Thanks so much.
>
>
> I edited the decoder and now the action works.
>

What changes did you make to the decoder? They might be able to be put
into the tree.

>
> On Wednesday, May 18, 2016 at 15:49:12 UTC-3, dan (ddpbsd) wrote:
>>
>> On Wed, May 18, 2016 at 2:33 PM, Patrick Müller
>>  wrote:
>> > Hi guys.
>> >
>> >
>> > My configuration is FreeBSD-10.2 with ossec-hids-local-2.8.3 installed via ports.
>> >
>> >
>> > I have this custom configuration for an active response which blocks web
>> > attacks.
>> >
>> >
>> >   
>> >
>> >   ipfw-www
>> >
>> > local
>> >
>> > 43200
>> >
>> > 30202,31151
>> >
>> >   
>> >
>> >
>> > This is my test with logtest
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >
>> >full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid
>> > 1173]
>> > [client ip:54252] [client ip] ModSecurity: Access denied with code 403
>> > (phase 2). Match of "rx
>> >
>> > (^/file?file=/etc/cccam.cfg$|event=update_asl_config|^/etc/(?:js/|?)|^/index.php?module=asl=|^/etc/img/)"
>> > against "REQUEST_URI" required. [file
>> >
>> > "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"]
>> > [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules:
>> > Attempt
>> > to access protected file remotely"] [data "../etc/"] [severity
>> > "CRITICAL"]
>> > [hostname "site-name"] [uri "/home/home.php"] [unique_id
>> > "VzxzJZKkXAIAAASV6VUH"]'
>> >
>> >hostname: 'host'
>> >
>> >program_name: '(null)'
>> >
>> >log: the same as the full event
>> >
>> >
>> > **Phase 2: Completed decoding.
>> >
>> >decoder: 'apache-errorlog'
>> >
>>
>> There is no IP address for your script to block (assuming it needs one).
>>
>> >
>> > **Phase 3: Completed filtering (rules).
>> >
>> >Rule id: '30202'
>> >
>> >Level: '10'
>> >
>> >Description: 'Multiple attempts blocked by Mod Security.'
>> >
>> > **Alert to be generated.
>> >
>> >
>> > My problem is not in the file that executes the block action, because
>> > rule 31151 works.
>> >
>> >
>> > My alert in active-response.
>> > /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
>> > 1463590617.6659091 31151
>> >
>> >
>> > Debug mode of logtest
>> >
>> >
>> > 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
>> >
>> > 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0
>> >
>> >
>> >
>> > If logtest can decode my event log correctly and knows the rule, and the
>> > active response works for other rules, where is my error? Why doesn't the
>> > rule to block this action work?
>> >
>> >
>> > Any idea is welcome. Thanks
>> >

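The root cause Dan points at above (the Apache 2.4 error line carries no srcip the stock decoder extracts, so the blocking script has nothing to act on) and the shape of Patrick's prematch fix, as an added Python example that is not from the thread and not OSSEC's own decoder. It parses the prefix of Apache 2.2 and 2.4 error-log lines and reports whether an IP-blocking response would have a target. Assumptions: the function names, the sample lines and the address 192.0.2.10 (the thread redacted its real IP) are constructed; only IPv4 clients are handled; the pattern is written in Python's re syntax, whereas the decoder on the page uses OSSEC's own dialect, in which a bare `.` is a literal dot and `\.` matches any character.

```python
import re

# Apache 2.2:  [Wed May 18 10:50:29 2016] [error] [client 192.0.2.10] msg
# Apache 2.4:  [Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client 192.0.2.10:54252] msg
# The client bracket is optional so that a line without one still decodes,
# with srcip left empty (the situation the thread ran into).
APACHE_ERROR_RE = re.compile(
    r"^\[(?P<timestamp>\w+ \w+ \d+ \d+:\d+:\d+(?:\.\d+)? \d+)\] "
    r"\[(?:(?P<module>\w*):)?(?P<level>\w+)\] "
    r"(?:\[pid (?P<pid>\d+)(?::tid \d+)?\] )?"
    r"(?:\[client (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<srcport>\d+))?\] )?"
    r"(?P<message>.*)$"
)
# ModSecurity appends bracketed key/value pairs; the rule id is the one most
# often wanted next to srcip when a response fires.
MODSEC_ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')


def decode_apache_error(line):
    """Return the decoded fields of an Apache 2.2 or 2.4 error-log line, or None.

    'srcip' is always present in the result (possibly None): it is the field an
    IP-blocking active response needs, and when the decoder cannot extract it
    the response script has nothing to block.
    """
    m = APACHE_ERROR_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    if fields["module"] == "":
        fields["module"] = None          # "[:error]" names no module
    id_match = MODSEC_ID_RE.search(fields["message"])
    fields["modsec_rule_id"] = id_match.group("id") if id_match else None
    return fields


def active_response_target(line):
    """The address an IP-blocking response would receive for this line, or None."""
    fields = decode_apache_error(line)
    return fields["srcip"] if fields else None


# Constructed sample lines (documentation address 192.0.2.10 in place of the
# redacted one; the 2.4 line mirrors the ModSecurity event quoted in the thread).
SAMPLE_24 = (
    '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
    '[client 192.0.2.10:54252] [client 192.0.2.10] ModSecurity: Access denied '
    'with code 403 (phase 2). [id "390709"] [msg "Atomicorp.com WAF Rules: '
    'Attempt to access protected file remotely"]'
)
SAMPLE_22 = (
    '[Wed May 18 10:50:29 2016] [error] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 403 (phase 2). [id "390709"]'
)
SAMPLE_NO_CLIENT = (
    "[Wed May 18 10:50:29.541536 2016] [mpm_prefork:notice] [pid 1173] "
    "AH00163: Apache/2.4.20 configured"
)

if __name__ == "__main__":
    for sample in (SAMPLE_24, SAMPLE_22, SAMPLE_NO_CLIENT):
        print(active_response_target(sample), decode_apache_error(sample))
```

Running the block prints the target for each sample; the 2.4 and 2.2 lines both yield 192.0.2.10, while the notice line decodes but yields no address, which is exactly the case where an OSSEC response expecting srcip stays silent.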


Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread Patrick


Thanks so much Dan. 


The error was simple, but I couldn't see it. Thanks so much. 


I edited the decoder and now the action works.

On Wednesday, May 18, 2016 at 15:49:12 UTC-3, dan (ddpbsd) wrote:
>
> On Wed, May 18, 2016 at 2:33 PM, Patrick Müller 
>  wrote: 
> > Hi guys. 
> > 
> > 
> > My configuration is FreeBSD-10.2 with ossec-hids-local-2.8.3 installed via ports. 
> > 
> > 
> > I have this custom configuration for an active response which blocks web 
> > attacks. 
> > 
> > 
> >
> > 
> >   ipfw-www 
> > 
> > local 
> > 
> > 43200 
> > 
> > 30202,31151 
> > 
> >
> > 
> > 
> > This is my test with logtest 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> > 
> >full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 
> 1173] 
> > [client ip:54252] [client ip] ModSecurity: Access denied with code 403 
> > (phase 2). Match of "rx 
> > 
> (^/file?file=/etc/cccam.cfg$|event=update_asl_config|^/etc/(?:js/|?)|^/index.php?module=asl=|^/etc/img/)"
> > against "REQUEST_URI" required. [file 
> > 
> "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"]
> > [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: 
> Attempt 
> > to access protected file remotely"] [data "../etc/"] [severity 
> "CRITICAL"] 
> > [hostname "site-name"] [uri "/home/home.php"] [unique_id 
> > "VzxzJZKkXAIAAASV6VUH"]' 
> > 
> >hostname: 'host' 
> > 
> >program_name: '(null)' 
> > 
> >log: the same as the full event 
> > 
> > 
> > **Phase 2: Completed decoding. 
> > 
> >decoder: 'apache-errorlog' 
> > 
>
> There is no IP address for your script to block (assuming it needs one). 
>
> > 
> > **Phase 3: Completed filtering (rules). 
> > 
> >Rule id: '30202' 
> > 
> >Level: '10' 
> > 
> >Description: 'Multiple attempts blocked by Mod Security.' 
> > 
> > **Alert to be generated. 
> > 
> > 
> > My problem is not in the file that executes the block action, because 
> > rule 31151 works. 
> > 
> > 
> > My alert in active-response. 
> > /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip 
> > 1463590617.6659091 31151 
> > 
> > 
> > Debug mode of logtest 
> > 
> > 
> > 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0 
> > 
> > 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0 
> > 
> > 
> > 
> > If logtest can decode my event log correctly and knows the rule, and the 
> > active response works for other rules, where is my error? Why doesn't the 
> > rule to block this action work? 
> > 
> > 
> > Any idea is welcome. Thanks 
> > 



Re: [ossec-list] Re: Repeated offenders?

2016-05-19 Thread Xavier Mertens
Thanks for the tips! I'll test again following your advice...

/x

On Thu, May 19, 2016 at 9:33 AM, Jesus Linares  wrote:

> Hi,
>
> I guess that your command needs an IP, so if your rule xxx doesn't have
> the field srcip extracted (by the proper decoder) the active-response
> will not work.
>
> Also, keep in mind that repeated_offenders must be in ossec.conf of every
> agent (shared/agent.conf or manager/ossec.conf are not valid).
>
> Regards.
>
> On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>>
>> Hi *,
>>
>> I'm trying to implement a new active-response rule for a specific event
>> (1 rule ID).
>> It must be implemented with the  tag.
>>
>> Problem: I've multiple active-response rules matching this event and it
>> seems that OSSEC picks up the wrong one (repeated offenders are not
>> applied).
>>
>> Any idea to debug this? The rule is:
>>
>> 
>> firewall-drop-aggressive
>> local
>> 600
>> xxx
>> 30,60,120,240,480
>>   
>>
>> /x
>>



[ossec-list] Re: Repeated offenders?

2016-05-19 Thread Jesus Linares
Hi,

I guess that your command needs an IP, so if your rule xxx doesn't have 
the field srcip extracted (by the proper decoder) the active-response 
will not work.

Also, keep in mind that repeated_offenders must be in ossec.conf of every 
agent (shared/agent.conf or manager/ossec.conf are not valid).

Regards.

On Thursday, May 19, 2016 at 8:42:29 AM UTC+2, Xme wrote:
>
> Hi *,
>
> I'm trying to implement a new active-response rule for a specific event (1 
> rule ID).
> It must be implemented with the  tag.
>
> Problem: I've multiple active-response rules matching this event and it 
> seems that OSSEC picks up the wrong one (repeated offenders are not 
> applied).
>
> Any idea to debug this? The rule is:
>
> 
> firewall-drop-aggressive
> local
> 600
> xxx
> 30,60,120,240,480
>   
>
> /x
>

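Jesus's two points above (the command's expected field must actually be decoded for the rules that trigger it, and repeated_offenders is only honoured in each agent's own ossec.conf) turned into a configuration check, as an added example that is neither OSSEC's code nor the poster's. It reads the `<command>` and `<active-response>` blocks of an ossec.conf fragment with the standard library XML parser. Assumptions: `<expect>` and `<timeout_allowed>` are real OSSEC `<command>` options, but `check_active_responses`, the sample configuration (rule id 100100 stands in for the id the poster wrote as xxx, 100101 and the disable-account block are invented) and the map of decoded fields per rule are constructed for the example; the map is what `ossec-logtest` shows in phase 2 for a representative event of each rule.

```python
import xml.etree.ElementTree as ET


def check_active_responses(xml_text, decoded_fields_by_rule, in_shared_agent_conf=False):
    """Return (severity, message) findings for the <active-response> blocks in xml_text.

    decoded_fields_by_rule maps a rule id to the set of fields the decoder
    extracts for the events that fire it. in_shared_agent_conf marks a fragment
    taken from the manager's shared agent.conf, where repeated_offenders is
    not honoured.
    """
    root = ET.fromstring(xml_text)
    # <command> definitions sit directly under the root; the <command> inside an
    # <active-response> is only a reference to one of them by name.
    commands = {(c.findtext("name") or "").strip(): c for c in root.findall("command")}
    findings = []
    for ar in root.findall("active-response"):
        name = (ar.findtext("command") or "").strip()
        cmd = commands.get(name)
        if cmd is None:
            findings.append(("error", f"{name}: no <command> block declares this name"))
            continue
        # <expect> lists the decoded fields the script is called with (srcip, user, ...).
        expected = {f.strip() for f in (cmd.findtext("expect") or "").split(",") if f.strip()}
        rule_ids = [r.strip() for r in (ar.findtext("rules_id") or "").split(",") if r.strip()]
        for rule_id in rule_ids:
            missing = expected - decoded_fields_by_rule.get(rule_id, set())
            if missing:
                findings.append(("error", f"{name}: rule {rule_id} does not decode "
                                          f"{','.join(sorted(missing))}, which the command "
                                          "expects; the response will not run"))
        if ar.find("repeated_offenders") is not None:
            if in_shared_agent_conf:
                findings.append(("error", f"{name}: repeated_offenders is ignored in the shared "
                                          "agent.conf; set it in each agent's own ossec.conf"))
            if (cmd.findtext("timeout_allowed") or "").strip().lower() == "no":
                findings.append(("warning", f"{name}: repeated_offenders escalates the block "
                                            "timeout, but the command sets timeout_allowed=no"))
    return findings


# Constructed ossec.conf fragment: command name and timeouts follow the thread,
# rule ids 100100/100101 and the disable-account block are invented.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop-aggressive</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop-aggressive</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
  <active-response>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Constructed phase-2 decoder output per rule: the event behind 100100 is an
# Apache error line whose decoder yields no srcip, as in the other thread.
DECODED = {"100100": {"url", "user"}, "100101": {"user"}}

if __name__ == "__main__":
    for severity, message in check_active_responses(SAMPLE_CONF, DECODED):
        print(f"{severity}: {message}")
```

The first finding reproduces Jesus's diagnosis (srcip expected but never decoded); passing `in_shared_agent_conf=True` adds one finding per block that carries repeated_offenders, which is the mistake of putting that setting in the shared configuration.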


[ossec-list] Re: Windows Defender Decoder ?

2016-05-19 Thread Jesus Linares
Hi Brent,

Your rules are in OSSEC by default (with other IDs, why?) but you added a 
few new rules. 

Could you send a PR to OSSEC or Wazuh with your new rules?

Thanks.


On Wednesday, May 18, 2016 at 8:38:16 PM UTC+2, Rob B wrote:
>
> Nice!  Thanks Pedro!  I've got it now..
>
> Cheers.
>
>
> On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote:
>>
>> Hi Rob,
>>
>> extra_data is another allowed field used by OSSEC decoders to extract 
>> information from the event; once it is extracted you can match the field 
>> content in order to create a rule.
>> The content of extra_data depends on the decoder which extracted it; in 
>> Windows decoders it could be, for example: Win source, Parent Image, Protocol, 
>> Signature, Start function...
>>
>> Best regards,
>>
>> Pedro S.
>>
>> On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote:
>>>
>>> Thanks Brent! Funny enough, that day I figured it out and built a 
>>> whole bunch very similar to your list.  Seems to be working very nicely, as 
>>> now I find myself leaning to creating some downright creative 
>>> composites (finally)
>>>
>>> I've been looking for some reference material on the  tag. 
>>> How is this used properly?
>>>
>>>
>>>
>>> Cheers!   Rob
>>>
>>>
>>> On Monday, May 16, 2016 at 5:22:08 PM UTC-4, Brent Morris wrote:

 Rob - can you post your OSSEC version of the log?  I can check my 
 rules.  These are a culmination of gleaned rules that I updated some time 
 back with new event IDs.  Yours is covered in there but I would like 
 to test it against a valid OSSEC log.  So if you can post it from the 
 OSSEC logs, that'd be great.

 Here they are..

 
 
 
 
   
 windows
 18101,18102,18103
 ^Microsoft Antimalware
 Grouping of Microsoft Security Essentials 
 rules.
   

   
 720001
 ^1118$|^1119$
 virus,
 Microsoft Security Essentials - Virus detected, but 
 unable to remove.
   
   
 720001
 ^1117$
 virus,
 Microsoft Security Essentials - Virus detected and 
 properly removed.
   

   
 720001
 ^1119$|^1118$|^1117$|^1116$
 virus,
 Microsoft Security Essentials - Virus 
 detected.
   

   
 720001
 ^1015$
 virus,
 Microsoft Security Essentials - Suspicious activity 
 detected.
   


   
 720001
 ^5007$
 Microsoft Security Essentials - Configuration 
 changed.
 policy_changed,
   
   
 720001
 ^5008$
 Microsoft Security Essentials - Service 
 failed.
   
   
 720001
 ^3002$
 Microsoft Security Essentials - Real time protection 
 failed.
   
   
 720001
 ^2012$
 Microsoft Security Essentials - Cannot use Dynamic 
 Signature Service.
   
   
 720001
 ^2004$
 Microsoft Security Essentials - Loading definitions 
 failed. Using last good set.
   
   
 720001
 ^2003$
 Microsoft Security Essentials - Engine update 
 failed.
   
   
 720001
 ^2001$
 Microsoft Security Essentials - Definitions update 
 failed.
   
   
 720001
 ^1005$
 Microsoft Security Essentials - Scan error. Scan has 
 stopped.
   
   
 720001
 ^1002$
 Microsoft Security Essentials - Scan stopped before 
 completion.
   

   
   
   
 720012
 Virus:DOS/EICAR_Test_File
 alert_by_email
 Microsoft Security Essentials - EICAR test file 
 detected.
   
   
 720011
 Virus:DOS/EICAR_Test_File
 alert_by_email
 Microsoft Security Essentials - EICAR test file 
 removed.
   
   
 720010
 Virus:DOS/EICAR_Test_File
 alert_by_email
 Microsoft Security Essentials - EICAR test file 
 detected, but removal failed.
   

   
   
 720001
 ^2000$
 Microsoft Security Essentials - Signature database 
 updated.
   
   
 720001
 ^2002$
 Microsoft Security Essentials - Scan engine 
 updated.
   
   
 720001
 ^1000$|^1001$
 Microsoft Security Essentials - Scan started or 
 stopped.
   
   
 720001
 ^1013$
 Microsoft Security Essentials - History 
 cleared.
   

   
   
 720011
 Multiple Microsoft Security Essentials AV warnings 
 detected.
   
   
 720012

[ossec-list] reindexing logs

2016-05-19 Thread Maxim Surdu
Hi dear community,

I had a problem with logstash; after I resolved it I saw that logs are 
missing in Kibana. How can I resolve the problem and reindex all my logs 
to Kibana?
I will be thankful if someone will help me step by step.


I appreciate your help, and a lot of respect for the developers and the community!



[ossec-list] Repeated offenders?

2016-05-19 Thread Xavier Mertens
Hi *,

I'm trying to implement a new active-response rule for a specific event (1
rule ID).
It must be implemented with the  tag.

Problem: I've multiple active-response rules matching this event and it
seems that OSSEC picks up the wrong one (repeated offenders are not
applied).

Any idea to debug this? The rule is:


firewall-drop-aggressive
local
600
xxx
30,60,120,240,480
  

/x
