Re: [ossec-list] ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

2017-11-03 Thread dan (ddp) 
On Nov 3, 2017 18:33,  wrote:

I am receiving the error: ossec-maild(1223): ERROR: Error Sending email to
127.0.0.1 (smtp server)

postfix is working on my client. `echo 'message' | mail -s 'subject'
recipi...@email.com` works as expected.

I have changed smtp_relay in my global config to localhost and 127.0.0.1
but neither worked.

Not sure what to try next.


Look at your postfix logs



-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

2017-11-03 Thread this . iz . not . a . drill 
I am receiving the error: ossec-maild(1223): ERROR: Error Sending email to 
127.0.0.1 (smtp server)

postfix is working on my client. `echo 'message' | mail -s 'subject' 
recipi...@email.com` works as expected.

I have changed smtp_relay in my global config to localhost and 127.0.0.1 
but neither worked.

Not sure what to try next. 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Ossec and information about delete Files and Folders

2017-11-03 Thread L R 
Hi All,

I have problem with my ossec - on website ossec-wui I don't see any 
information about delete files or folders ( on Windows machines) 

Ossec SRV is on Centos 6.7 , ossec ver is 2.9.2.
When I delete folder from Windows 7 ( File Auditing is on and I see in 
EventLog information about delete files ID 4663) I don't see info in ossec 
about delete folder and I don't know why? :( Anyone Can help me?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Centralized agent.conf

2017-11-03 Thread mark van de giessen 
Hi Eddi Bento,

I'm experiencing the same issue, i assume.
In windows, there currently is a bug that prevents a 'client-server' model 
as the md5 checksum fails due to End-Of-Line conversion errors. See 
(https://github.com/ossec/ossec-hids/pull/1207)
To resolve this, either wait for the fix mentioned in issue 1207, or 
compile it yourself with the fix included.

Coincidentally, i myself am also waiting for a new release, mainly for this 
issue.

Hopefully i've provided some help.

Sincerely,

Mark

Op donderdag 2 november 2017 22:01:23 UTC+1 schreef Eddi Bento:
>
> Hello.
>
> I'm trying to set up a proof of concept for OSSEC.  It's all set up and 
> monitoring a few computers, but I can't seem to get the agent.conf file to 
> push.  Originally, I was told to copy the ossec.conf file on the Manager 
> and remove the Global entries on it.  Since then, I've completely killed 
> the file and created an empty agent.conf that has the following:
>
> 
> 
> C:\OSSEC-Test\something.log
> syslog
> 
> 
>
> This is only line as I want to get this one file monitored first before I 
> continue.  I save this file and restart OSSEC.
>
> When I run:
>
> agent_control -i 002
>
> (where 002 is the AgentID for agent01)
>
> ..it never updates the MD5 Checksum of this file next to Client Version: 
> OSSEC HIDS v2.9.2
>
> Does anyone have an idea on what I'm doing wrong?  Is there an place where 
> I can see in the log that the agent.conf push fails?
>
> Regards,
> Eddi
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Need to whitelist a message from message file

2017-11-03 Thread Stephen LuShing 
It looks good with the statement as we not getting large amount of email
alerts

Thanks for the help

Steve lushing

On Thu, Nov 2, 2017 at 11:18 AM, Branch Family 
wrote:

> Actually, you would need this:
>
> MYAGENT|MYAGENT1|MYAGENT2
>
> Kevin
>
> On Thu, Nov 2, 2017 at 10:26 AM, Stephen LuShing 
> wrote:
>
>> Question
>>
>> The rule you provided
>>
>> 
>> 5104
>> MYAGENT
>> Ignore promisc mode events for specific
>> agent(s)
>>   
>>
>> If I have more than 1 server that giving this ,essage will the entry be
>> like
>>
>> MYAGENT, MYAGENT1, MYAGENT2
>>
>> or do I copy the same statement fordifferent servers.
>>
>>
>> Thanks in advance
>>
>> steve lushing
>>
>> On Tue, Oct 31, 2017 at 10:59 AM, dan (ddp)  wrote:
>>
>>> On Tue, Oct 31, 2017 at 10:58 AM, Stephen LuShing 
>>> wrote:
>>> > Does this child rule go on my main ossec server or on the agent side.
>>> - I
>>> > still learning OSSEC.
>>> >
>>>
>>> Rules go on the OSSEC manager.
>>>
>>> > Thanks in advance
>>> >
>>> > Steve Lushing
>>> >
>>> > On Mon, Oct 30, 2017 at 11:43 AM, Branch Family >> >
>>> > wrote:
>>> >>
>>> >> Stephen,
>>> >>
>>> >> If you want to granularly de-escalate or whitelist this alert, then
>>> create
>>> >> a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml
>>> like this,
>>> >> somewhere in the sid range 10-12, with the agent name in
>>> question
>>> >> substituted for MYAGENT.
>>> >>
>>> >>   
>>> >> 5104
>>> >> MYAGENT
>>> >> Ignore promisc mode events for specific
>>> >> agent(s)
>>> >>   
>>> >>
>>> >> This would drop the severity level of the rule down to 5 for promisc
>>> >> events involving MYAGENT, hopefully low enough to be below your
>>> >>  in ossec.conf so you don't get emailed about it.
>>> >> Actually 5104 is only a level 8, which would imply your
>>> 
>>> >> is 8 or lower.  I imagine that would email you about a heap of events
>>> of
>>> >> little alert value.  You might want to consider bumping up that
>>> threshold.
>>> >> I personally would be deluged with emails even with an
>>> 
>>> >> value of 10.
>>> >>
>>> >> Reegards,
>>> >> Kevin
>>> >>
>>> >> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <
>>> smlush...@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> I do not want to block the whole event or this alert. Is there a way
>>> to
>>> >>> block or whitelist a specific message from this alert. On this
>>> server we are
>>> >>> getting the Interface entered in promiscuous(sniffing) mode for one
>>> server
>>> >>> and a specific network interface.
>>> >>>
>>> >>> Can this be done on the agent level. We are basically getting "Oct 27
>>> >>> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode"
>>> message -
>>> >>> we want to stop getting this as a email but still record it on the
>>> logs. Is
>>> >>> there a way to do this.
>>> >>>
>>> >>> Else we may have to filter this email.
>>> >>>
>>> >>> Stephen LuShing
>>> >>>
>>> >>> On Fri, Oct 27, 2017 at 9:09 PM, 
>>> wrote:
>>> 
>>>  Hello Stephen
>>> 
>>>    I do not know if I understood well, but if you want to disable
>>> this
>>>  alert, you only need to add the following block to your file
>>> local_rules.xml
>>> 
>>>    
>>>  5100
>>>  Promiscuous mode enabled|
>>>  device \S+ entered promiscuous mode
>>>  Interface entered in promiscuous(sniffing)
>>>  mode.
>>>  promisc,
>>>    
>>> 
>>>  This block will overwrite the official 5104 rule.
>>>  If you want to do that, you have to be sure, because you are
>>> changing
>>>  the level value of the event in order to dismiss it. Could be
>>> possible that
>>>  other similar events (i.e. a malicious script which change the
>>> network
>>>  interface to promiscuous mode), then the event will no be
>>> registered as an
>>>  alert too.
>>> 
>>>  Hope it helps.
>>>  Best regards,
>>> 
>>> 
>>> 
>>>  On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing
>>> wrote:
>>> >
>>> > We recently been getting the following message from OSSEC:
>>> >
>>> >
>>> >
>>> > OSSEC HIDS Notification.
>>> >
>>> > 2017 Oct 27 09:40:01
>>> >
>>> > Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>> >
>>> > Rule: 5104 fired (level 8) -> "Interface entered in
>>> > promiscuous(sniffing) mode."
>>> >
>>> > Portion of the log(s):
>>> >
>>> > Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous
>>> mode
>>> >
>>> > --END OF NOTIFICATION
>>> >
>>> > Question
>>> >
>>> >
>>> >
>>> > Is there a way to ignore this message (other that are similar) as
>>> we
>>> > determine that this is not a issue for the server (It seems like
>>> Oracle is
>>> > running a process)
>>> >
>>> >
>>> >
>>> > If this is possible to whitelist or somehow have OSSEC ignore this
>>> > specific warning. If so – whe