[ossec-list] Re: custom decoder kernelmon syslog-ng
Here is what I have created so far. Logtest works; waiting for the real world (I have a disk on a Buffalo NAS that is dying). Thought it may help others. But I will post real-world results.

*Decoders:*
errormon ^Error situation detected! \w+ \d+ \d+:\d+\d+:\d+ \w+ \w+ \d+\p\p \w+ \w+ \w+\p (\w+) \w+ \w+ \w+ \w+ status
iptables true ^cmd= ^cmd=\S+\s(\S+)\s\w+\s\d+\s(\d) extra_data,status

*Rules:*
TS5400R33A nas-101-sector Buffalo NAS - Bad Sector Count!
810001 Buffalo NAS - Repeated Bad Sector Count!
TS5400R33A nas-101-broken Buffalo NAS - Disk Failure!
810003 Buffalo NAS - Repeated Disk Failure!

Logtest Out:

Jun 21 03:27:36 TS5400R33A errormon[2761]: Error situation detected! HD4 Broken E30Replace the DISK

**Phase 1: Completed pre-decoding.
       full event: 'Jun 21 03:27:36 TS5400R33A errormon[2761]: Error situation detected! HD4 Broken E30Replace the DISK'
       hostname: 'TS5400R33A'
       program_name: 'errormon'
       log: 'Error situation detected! HD4 Broken E30Replace the DISK'

**Phase 2: Completed decoding.
       decoder: 'nas-101-broken'

**Phase 3: Completed filtering (rules).
       Rule id: '810004'
       Level: '16'
       Description: 'Buffalo NAS - Repeated Disk Failure!'
**Alert to be generated.

Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1

**Phase 1: Completed pre-decoding.
       full event: 'Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1'
       hostname: 'TS5400R33A'
       program_name: 'kernelmon'
       log: 'cmd=ioerr sdc READ 33661712 1'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       extra_data: 'sdc'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '810002'
       Level: '16'
       Description: 'Buffalo NAS - Repeated Bad Sector Count!'
**Alert to be generated.

On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>
> If I run through logtest I get iptables as the final decoder:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>        hostname: 'TS5400R33A'
>        program_name: 'kernelmon'
>        log: 'cmd=ioerr sdc READ 50030496 1'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log but it always decodes the same.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: custom decoder kernelmon syslog-ng
Here is what I have created so far. Logtest works; waiting for the real world (I have a disk on a Buffalo NAS that is dying). Thought it may help others. But I will post real-world results.

*Decoders:*
errormon ^Error situation detected! \w+ \d+ \d+:\d+\d+:\d+ \w+ \w+ \d+\p\p \w+ \w+ \w+\p (\w+) \w+ \w+ \w+ \w+ status
iptables true ^cmd= ^cmd=\S+\s(\S+)\s\w+\s\d+\s(\d) extra_data,status

*Rules:*
TS5400R33A nas-101-sector Buffalo NAS - Bad Sector Count!
810001 Buffalo NAS - Repeated Bad Sector Count!
TS5400R33A nas-101-broken Buffalo NAS - Disk Failure!
810003 Buffalo NAS - Repeated Disk Failure!

Logtest Out:

Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1

**Phase 1: Completed pre-decoding.
       full event: 'Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1'
       hostname: 'TS5400R33A'
       program_name: 'kernelmon'
       log: 'cmd=ioerr sdc READ 33661712 1'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       extra_data: 'sdc'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '810001'
       Level: '10'
       Description: 'Buffalo NAS - Bad Sector Count!'
**Alert to be generated.

Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1

**Phase 1: Completed pre-decoding.
       full event: 'Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1'
       hostname: 'TS5400R33A'
       program_name: 'kernelmon'
       log: 'cmd=ioerr sdc READ 33661712 1'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       extra_data: 'sdc'
       status: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '810002'
       Level: '16'
       Description: 'Buffalo NAS - Repeated Bad Sector Count!'
**Alert to be generated.

On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>
> If I run through logtest I get iptables as the final decoder:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>        hostname: 'TS5400R33A'
>        program_name: 'kernelmon'
>        log: 'cmd=ioerr sdc READ 50030496 1'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log but it always decodes the same.
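An added example, not code from the post or from OSSEC, of the escalation the logtest run above shows: the first kernelmon event fires 810001 at level 10 and the identical repeat fires 810002 at level 16. It models a base rule plus an if_matched_sid rule with a per-host frequency/timeframe window. The levels are the ones logtest printed; the decoded_as value, the frequency and the timeframe are assumed, because the rule attributes did not survive the archive. OSSEC's own counting differs in detail (its documentation notes the trigger point sits above the literal frequency value), so this shows the mechanism rather than the exact arithmetic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule table modelled on the 810001/810002 pair above. Levels are the ones
# logtest printed; decoded_as, frequency and timeframe are assumed values,
# since the rule attributes were stripped when the post was archived.
RULES = {
    810001: {"level": 10, "decoded_as": "nas-101-sector",
             "description": "Buffalo NAS - Bad Sector Count!"},
    810002: {"level": 16, "if_matched_sid": 810001, "frequency": 2, "timeframe": 300,
             "description": "Buffalo NAS - Repeated Bad Sector Count!"},
}


class Correlator:
    """Per-host sliding window: the base rule fires on every event, and a rule
    with if_matched_sid takes over once `frequency` base hits fall inside
    `timeframe` seconds for the same hostname."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)  # (base sid, hostname) -> hit times

    def evaluate(self, ts, hostname, decoder):
        """Return (rule id, level, description) for one decoded event, or None."""
        base = next((sid for sid, r in self.rules.items()
                     if r.get("decoded_as") == decoder), None)
        if base is None:
            return None
        window = self.history[(base, hostname)]
        window.append(ts)
        for sid, r in self.rules.items():
            if r.get("if_matched_sid") != base:
                continue
            cutoff = ts - timedelta(seconds=r["timeframe"])
            while window and window[0] < cutoff:  # drop hits outside the window
                window.popleft()
            if len(window) >= r["frequency"]:
                window.clear()  # escalate once, then start counting afresh
                return sid, r["level"], r["description"]
        b = self.rules[base]
        return base, b["level"], b["description"]


def replay(events, rules=RULES):
    """Feed ("YYYY-mm-dd HH:MM:SS", hostname, decoder) tuples through a fresh
    Correlator and return the rule id fired for each event (None = no rule)."""
    c = Correlator(rules)
    fired = []
    for ts, host, decoder in events:
        hit = c.evaluate(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, decoder)
        fired.append(hit[0] if hit else None)
    return fired


if __name__ == "__main__":
    # Constructed replay of the two identical kernelmon events from the post
    sample = [("2018-06-13 09:40:56", "TS5400R33A", "nas-101-sector"),
              ("2018-06-13 09:40:56", "TS5400R33A", "nas-101-sector")]
    for event, sid in zip(sample, replay(sample)):
        print(event, "->", sid)
```

The window is keyed on (rule, hostname), so a second NAS reporting one bad sector does not inherit the first NAS's count, and a hit that arrives after the timeframe has elapsed starts a new window instead of escalating.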
[ossec-list] Re: custom decoder kernelmon syslog-ng
Do agent-less syslogs for ossec change on their delivery to the ossec server? These are syslogs being sent to ossec.

On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>
> If I run through logtest I get iptables as the final decoder:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>        hostname: 'TS5400R33A'
>        program_name: 'kernelmon'
>        log: 'cmd=ioerr sdc READ 50030496 1'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log but it always decodes the same.
[ossec-list] Re: custom decoder kernelmon syslog-ng
Tried these with no result:

kernelmon ^TS5400R33A
iptables ^TS5400R33A

On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
>
> If I run through logtest I get iptables as the final decoder:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
>        hostname: 'TS5400R33A'
>        program_name: 'kernelmon'
>        log: 'cmd=ioerr sdc READ 50030496 1'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log but it always decodes the same.
[ossec-list] custom decoder kernelmon syslog-ng
This is the log sent to ossec:

Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1

If I run through logtest I get iptables as the final decoder:

**Phase 1: Completed pre-decoding.
       full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
       hostname: 'TS5400R33A'
       program_name: 'kernelmon'
       log: 'cmd=ioerr sdc READ 50030496 1'

**Phase 2: Completed decoding.
       decoder: 'iptables'

I tried to make other custom decoders using iptables as the parent and/or totally new decoders for this log but it always decodes the same.
[ossec-list] Re: Is a local_decoder.xml needed for USB detection ?
I have not tested on AD-controlled Windows 10 as of yet. Here is mine; it's script based and tails from the sid 530:
https://groups.google.com/forum/#!searchin/ossec-list/usb$20detection%7Csort:date/ossec-list/9P1wZM78jj4/CvibL-afAgAJ

You would need this in the Windows agent config:

full_command C:\ossec-tools\usb\usb-audit.bat 30 USBDevices
[ossec-list] agent_control all agents
Wondering if there is a way to use agent_control via the command line to send an active response to all agents manually. What I use for the single-agent commands:

/var/ossec/bin/agent_control -b 74.34.56.78 -f win_nullroute120 001
[ossec-list] Windows 10 Enterprise Ossec agent
I have an SO install and am deploying Ossec agents to my Active Directory Windows 7 PCs without many issues. Now I am attempting to set up for Win 10 Enterprise, but these can never connect to the Ossec server. Has anyone done this before in regards to Windows 10? I do have 2012 and 2016 servers to play with after this lol. Let me know.

2018/04/03 08:56:02 ossec-syscheckd: INFO: Started (pid: 4472).
2018/04/03 08:56:12 ossec-agent: WARN: Process locked. Waiting for permission...
2018/04/03 08:56:23 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.20.199.250'.
2018/04/03 08:56:25 ossec-agentd: INFO: Trying to connect to server 10.20.199.250, port 1514.
2018/04/03 08:56:25 INFO: Connected to 10.20.199.250 at address 10.20.199.250:1514, port 1514
2018/04/03 08:56:46 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.20.199.250'.
2018/04/03 08:57:06 ossec-agentd: INFO: Trying to connect to server 10.20.199.250, port 1514.
2018/04/03 08:57:06 INFO: Connected to 10.20.199.250 at address 10.20.199.250:1514, port 1514
[ossec-list] Re: Teamviewer logs not consistent
Will try, ty. I think my regex foo was off a bit.

On Tuesday, October 11, 2016 at 6:41:56 PM UTC-5, Jacob Mcgrath wrote:
>
> I am looking at logging Teamviewer logs on a Windows agent. The issue is the irregular output, like so.
>
> 673915615 Support Team20-05-2016 19:37:51 20-05-2016 20:04:29 userRemoteControl {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
> 151856824 01-06-2016 19:30:36 01-06-2016 20:00:44 user RemoteControl {38164985-5201-4BFE-BF6E-32F2E770954E}
> 151856824 02-06-2016 18:29:32 02-06-2016 18:47:33 user RemoteControl {22D28696-95C0-4AF8-9EBE-440580B85D65}
> 172856590 PCMust 16-08-2016 15:15:21 16-08-2016 15:22:54 user RemoteControl {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
> 891956027 Afterworld 18-08-2016 18:13:27 18-08-2016 18:26:37 userRemoteControl {E4555287-A198-4D54-8851-67C2DF8EA5DD}
>
> How would one go about regexing this type of output?
>
> The stuff in blue would be the required data to pass to rulesets.
[ossec-list] Teamviewer logs not consistent
I am looking at logging Teamviewer logs on a Windows agent. The issue is the irregular output, like so.

673915615 Support Team20-05-2016 19:37:51 20-05-2016 20:04:29 userRemoteControl {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
151856824 01-06-2016 19:30:36 01-06-2016 20:00:44 user RemoteControl {38164985-5201-4BFE-BF6E-32F2E770954E}
151856824 02-06-2016 18:29:32 02-06-2016 18:47:33 user RemoteControl {22D28696-95C0-4AF8-9EBE-440580B85D65}
172856590 PCMust 16-08-2016 15:15:21 16-08-2016 15:22:54 user RemoteControl {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
891956027 Afterworld 18-08-2016 18:13:27 18-08-2016 18:26:37 userRemoteControl {E4555287-A198-4D54-8851-67C2DF8EA5DD}

How would one go about regexing this type of output?

The stuff in blue would be the required data to pass to rulesets.
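An added example, not from the thread, of a parser for the connection-log lines posted above. The sample lines are the ones in the post; the two timestamps and the {GUID} are the only rigid landmarks, so the regex anchors on them and lets the partner name (which may be empty) and the local user float with whatever whitespace survived. The session mode names other than RemoteControl are assumed, and the duration field is computed here rather than present in the log.

```python
import re
from datetime import datetime

# Connection-log lines as posted in the thread (the tabs between fields were
# partly lost in the archive, which is exactly the irregularity to absorb).
SAMPLE_LINES = [
    "673915615 Support Team20-05-2016 19:37:51 20-05-2016 20:04:29 userRemoteControl {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}",
    "151856824 01-06-2016 19:30:36 01-06-2016 20:00:44 user RemoteControl {38164985-5201-4BFE-BF6E-32F2E770954E}",
    "151856824 02-06-2016 18:29:32 02-06-2016 18:47:33 user RemoteControl {22D28696-95C0-4AF8-9EBE-440580B85D65}",
    "172856590 PCMust 16-08-2016 15:15:21 16-08-2016 15:22:54 user RemoteControl {934B2BDF-DB82-4113-9C60-9250A6E47A7A}",
    "891956027 Afterworld 18-08-2016 18:13:27 18-08-2016 18:26:37 userRemoteControl {E4555287-A198-4D54-8851-67C2DF8EA5DD}",
]

_TS = r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"

# Partner name is lazy so it stops right where the first timestamp begins;
# the user name is lazy so "userRemoteControl" still splits into user + mode.
# FileTransfer is an assumed second mode name; only RemoteControl is on the page.
_LINE = re.compile(
    r"^(?P<tv_id>\d+)\s+"
    r"(?P<name>.*?)\s*"
    rf"(?P<start>{_TS})\s+"
    rf"(?P<end>{_TS})\s+"
    r"(?P<user>\S+?)\s*"
    r"(?P<mode>RemoteControl|FileTransfer)\s+"
    r"\{(?P<session>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s*$"
)


def parse_line(line):
    """Return the fields a rule would want (id, partner name, user, mode,
    session GUID, start/end and a computed duration), or None if the line
    does not fit the layout."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fmt = "%d-%m-%Y %H:%M:%S"
    start = datetime.strptime(rec["start"], fmt)
    end = datetime.strptime(rec["end"], fmt)
    rec["duration_s"] = int((end - start).total_seconds())
    return rec


def parse_log(lines):
    """Parse every line, silently dropping ones that do not match."""
    return [rec for rec in map(parse_line, lines) if rec]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LINES):
        print(rec["tv_id"], repr(rec["name"]), rec["user"], rec["mode"],
              rec["duration_s"], "s", rec["session"])
```

Rules can then key on the TeamViewer ID, the (possibly empty) partner name and the session length instead of on raw text, which is what makes the irregular spacing harmless downstream.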
[ossec-list] Re: ossec local logfile ignored
I ended up moving this bash script to the Security Onion server, then with help here wrote basic decoders and rules to trigger alerts. Still going to play with the agent custom log file issue off and on.

On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
>
> Any have an issue like this? The Ossec server says it's not available and ignores it. But it is there... weird?
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-domain.log
> System Check Domain Cluster - A appears to be down 06092016 09:50:01
> System Check Domain Cluster - A appears to be down 06092016 09:52:01
> System Check Domain Cluster - A appears to be down 06092016 09:54:01
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-game.log
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:52:01
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:54:01
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:56:01
>
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-domain.log '.
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-games.log'.
>
> root@alamo:/var/ossec/logs/alerts# ls -la /home/mis/admin-tools/logs/
> total 76
> drwxrwxr-x 2 mis  mis   4096 Jun  8 13:10 .
> drwxrwxr-x 4 mis  mis   4096 Jun  8 08:13 ..
> -rw-r--r-- 1 root root  7337 Jun  9 10:08 ping-domain.log
> -rw-r--r-- 1 root root 52452 Jun 10 10:52 ping-game.log
[ossec-list] Re: Ossec - ping servers with alert on failure
ty, that did it, ty.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. Every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
Sorry, from what I see I do have that timestamp header in my logging from Elsa...

ServPing Game DeezNutZ down
2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down

And from my /var/log/messages:

2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Domain testing123 down
2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Game DeezNutZ down

Current Decoders are:
ServPing servping (\w+) (\w+) (\w+) id,dstip,action

Rules are:
servping PingServ Rules Group
75 Domain Domain Server Down 5 Minutes!
75 Game Gaming Server Down 5 Minutes!
76 Domain Server Down 10 Minutes! authentication_failures,
77 Gaming Server Down 10 Minutes! authentication_failures,

bash is:

#!/bin/bash
# Program name: ping-domain-serv.sh
# */5 * * * * /home/mis/admin-tools/ping-domain-serv.sh   (crontab runs ping-domain-serv every 5 min)
logpath=/var/log/
pingtext=/home/mis/admin-tools/cfg/ping-domain.txt
# prune only this script's own log once it is older than 7 days
find "$logpath" -name "ping-domain.log" -type f -mtime +7 -print -delete
# no space between directory and file name, otherwise a file called " ping-domain.log" is created
touch "${logpath}ping-domain.log"
while read -r output
do
  # one probe per host; a failure is pushed to syslog so Ossec picks it up
  if ping -c 1 "$output" > /dev/null 2>&1; then
    echo "Server $output is up"
  else
    logger -t logger ServPing Domain "$output" down
  fi
done < "$pingtext"

Just not seeing any alerts as of yet??

Now with this log entry or entries:

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down
alamo logger: ServPing Game DeezNutZ down
ServPing Game DeezNutZ down

*I get a result of:*

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down

**Phase 1: Completed pre-decoding.
       full event: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'
       hostname: 'alamo'
       program_name: '(null)'
       log: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'

**Phase 2: Completed decoding.
       decoder: 'servping'
       id: 'Game'
       dstip: 'DeezNutZ'
       action: 'down'

**Phase 3: Completed filtering (rules).
       Rule id: '700009'
       Level: '12'
       Description: 'Gaming Server Down 10 Minutes!'
**Alert to be generated.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. Every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
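An added example, not code from this thread or from OSSEC, that replays what ossec-logtest's phase 1 and phase 2 do for the ServPing decoder in this post and for the kernelmon decoder from the "custom decoder kernelmon syslog-ng" thread above. It pre-decodes a plain syslog line (the form that lands in /var/log/messages; the archive form with the "2016 Jun 14 ... alamo->/var/log/messages" prefix that was pasted into logtest above carries no recognisable syslog header, which is consistent with logtest reporting program_name '(null)' for it), then translates the OSSEC regex dialect into Python regexes and maps the captured groups onto the order fields. The decoder names, the program_name conditions, the ^ServPing prefix inside the ServPing regex and the translation table itself are assumptions; OSSEC's own matcher is not a backtracking engine, so results agree only for simple left-to-right patterns like these.

```python
import re

# Approximate translation table for the regex dialect OSSEC decoders use
# (\w, \d, \s, \S, \p, \W, \D, \t and the \. wildcard; an unescaped "." is
# a literal dot in that dialect). This is an emulation, not OSSEC's engine.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "S": r"[^ ]",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "t": r"\t",
    ".": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into a Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        # anchors, alternation, groups and the + / * modifiers keep their
        # meaning; every other character is literal in OSSEC syntax
        out.append(c if c in "^$|()+*" else re.escape(c))
        i += 1
    return "".join(out)


_SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d "        # "Jun 13 09:40:56"
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^ :\[]+)(?:\[\d+\])?: "   # "kernelmon" or "errormon[2761]"
    r"(?P<log>.*)$"
)


def predecode(event):
    """Phase 1: split the syslog header into hostname, program_name and log."""
    m = _SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return m.groupdict()


# (name, program_name, prematch, regex, order). The regexes are the ones
# posted in the two threads; names and program_name conditions are assumed.
# The ServPing regex carries the ^ServPing prefix so its groups line up with
# id/dstip/action the way the logtest output above shows.
DECODERS = [
    ("nas-101-sector", "kernelmon", r"^cmd=",
     r"^cmd=\S+\s(\S+)\s\w+\s\d+\s(\d)", ["extra_data", "status"]),
    ("servping", "logger", r"^ServPing",
     r"^ServPing (\w+) (\w+) (\w+)", ["id", "dstip", "action"]),
]


def decode(event, decoders=DECODERS):
    """Phase 2: first decoder whose program_name and prematch fit wins; the
    regex groups are then assigned to the order fields. A matching prematch
    selects the decoder even if the regex extracts nothing, mirroring the
    errormon logtest output above (decoder named, no fields)."""
    pre = predecode(event)
    for name, prog, prematch, regex, order in decoders:
        if prog and pre["program_name"] != prog:
            continue
        if not re.search(ossec_to_python(prematch), pre["log"]):
            continue
        result = dict(pre, decoder=name)
        m = re.search(ossec_to_python(regex), pre["log"])
        if m:
            result.update(zip(order, m.groups()))
        return result
    return dict(pre, decoder=None)


if __name__ == "__main__":
    for line in ("Jun 13 09:40:56 TS5400R33A kernelmon: cmd=ioerr sdc READ 33661712 1",
                 "Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down"):
        print(decode(line))
```

Folding the prematch text into the regex is a stand-in for OSSEC's offset="after_prematch" attribute on <regex>, which starts the field regex where the prematch ended; without either, a bare (\w+) (\w+) (\w+) would capture "ServPing" as the first field.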
[ossec-list] Re: Ossec - ping servers with alert on failure
I have tried something different and used logger to push server ping failures to /var/log/messages. I do see this when I grep the Ossec archive:

2016 Jun 13 23:30:22 alamo->/var/log/messages alamo logger: ServPing Domain DC01 down

So this works, but I cannot seem to get past phase one pre-decoding:

hostname 'alamo'
program_name 'logger'
log 'ServPing Domain DC01 down'

Tried to adjust these decoders as so but still no phase two.. thought maybe this log is already a child of another, but debug didn't yield much of anything.

^ServPing servping (\w+) (\w+) (\w+) id,dstip,action,

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. Every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
ServPing Domain A down 06092016 08:48:01
ServPing Game A down 06092016 08:48:01

^ServPing servping (\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d) id,dstip,action,extra_data

servping-all PingServ Rules Group
75 Domain Domain Server Down!
75 Game Game Server Down!
76 Domain Server Down 10 Minutes! syslog,
77 Gaming Server Down 10 Minutes! syslog,

I will have to wait till Monday, and I will post the bash and/or batch script and the setting up of it. Still having the issue of log monitoring of this alert from the native Ossec server... but I will have a solution either way.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. Every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: IIS 7 + 404/200 error decoders/rules..
windows-date-format
true
^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
url,srcip,id

On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
>
> Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
>
> server 1:
>
> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
>
> Server 2:
>
> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
>
> Right now I am just attempting to work with logs from Server 1: to alert on 200 & 4040 errors for web scans and alike, but it's a beginning.
>
> Entry in local_decoder.xml:
>
> windows-date-format
> true
> ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
> (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
> url,srcip,id
>
> Entry in local_rules.xml:
>
> kronos-web
> Grouping for Kronos web rules.
>
> 17
> 404
> IIS 7 Web Server 404 Error.
> connection attempt,
>
> 17
> 200
> IIS 7 Web Server 200 Error.
> connection attempt,
>
> 18,19
> Possible Kronos Web Scan/Attack Detected.
> attacks,
>
> When I run the logtest I get this output: I am getting the url, srcip and id.. but it is not getting to the rules I have created above...
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>        hostname: 'alamo'
>        program_name: '(null)'
>        log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        url: '/wfc/portal -'
>        srcip: '10.18.100.24'
>        id: '200'
>
> Am I missing something, like a base idea behind this or a syntax thing? I really do not know...
[ossec-list] Re: ossec local logfile ignored
The script will write each line as the check fails. This log is deleted if its first creation is older than 7 days (since the record would remain in the Ossec archive). I thought it may be already accessed by the script as it runs every 3-5 mins, but I do not think this is the cause (I removed the cron job in control of it and the problem continues). Wonder if it is an issue with adding additional logs to monitor on the server itself. Was trying to run route checks and other serving core ping checks from the Ossec server itself instead of firing up other VMs to run these lesser checks.

On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
>
> Any have an issue like this? The Ossec server says it's not available and ignores it. But it is there... weird?
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-domain.log
> System Check Domain Cluster - A appears to be down 06092016 09:50:01
> System Check Domain Cluster - A appears to be down 06092016 09:52:01
> System Check Domain Cluster - A appears to be down 06092016 09:54:01
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-game.log
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:52:01
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:54:01
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:56:01
>
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-domain.log '.
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-games.log'.
>
> root@alamo:/var/ossec/logs/alerts# ls -la /home/mis/admin-tools/logs/
> total 76
> drwxrwxr-x 2 mis  mis   4096 Jun  8 13:10 .
> drwxrwxr-x 4 mis  mis   4096 Jun  8 08:13 ..
> -rw-r--r-- 1 root root  7337 Jun  9 10:08 ping-domain.log
> -rw-r--r-- 1 root root 52452 Jun 10 10:52 ping-game.log
[ossec-list] Re: ossec local logfile ignored
On restart, end of log.

On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
>
> Any have an issue like this? The Ossec server says it's not available and ignores it. But it is there... weird?
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-domain.log
> System Check Domain Cluster - A appears to be down 06092016 09:50:01
> System Check Domain Cluster - A appears to be down 06092016 09:52:01
> System Check Domain Cluster - A appears to be down 06092016 09:54:01
>
> root@alamo:/home/mis/admin-tools/logs# tail \ ping-game.log
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:52:01
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:54:01
> System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:56:01
>
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-domain.log '.
> 2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-games.log'.
>
> root@alamo:/var/ossec/logs/alerts# ls -la /home/mis/admin-tools/logs/
> total 76
> drwxrwxr-x 2 mis  mis   4096 Jun  8 13:10 .
> drwxrwxr-x 4 mis  mis   4096 Jun  8 08:13 ..
> -rw-r--r-- 1 root root  7337 Jun  9 10:08 ping-domain.log
> -rw-r--r-- 1 root root 52452 Jun 10 10:52 ping-game.log
[ossec-list] ossec local logfile ignored
Any have an issue like this? The Ossec server says it's not available and ignores it. But it is there... weird?

root@alamo:/home/mis/admin-tools/logs# tail \ ping-domain.log
System Check Domain Cluster - A appears to be down 06092016 09:50:01
System Check Domain Cluster - A appears to be down 06092016 09:52:01
System Check Domain Cluster - A appears to be down 06092016 09:54:01

root@alamo:/home/mis/admin-tools/logs# tail \ ping-game.log
System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:52:01
System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:54:01
System Check Gaming Cluster - appears to be down for 5 minutes 06102016 10:56:01

2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-domain.log '.
2016/06/10 10:49:06 ossec-logcollector(1904): INFO: File not available, ignoring it: '/home/mis/admin-tools/logs/ping-games.log'.

root@alamo:/var/ossec/logs/alerts# ls -la /home/mis/admin-tools/logs/
total 76
drwxrwxr-x 2 mis  mis   4096 Jun  8 13:10 .
drwxrwxr-x 4 mis  mis   4096 Jun  8 08:13 ..
-rw-r--r-- 1 root root  7337 Jun  9 10:08 ping-domain.log
-rw-r--r-- 1 root root 52452 Jun 10 10:52 ping-game.log
[ossec-list] Re: Ossec - ping servers with alert on failure
np

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. Every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
Ok ok, I see what you are talking about.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
I think I am going to reinstall my Security Onion; had off-the-wall issues with other things as well. Will try on my test server when I get home. Might have a semi-borked install.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
Weird issue, any have insights :)

My local log output:

ServPing Domain A down 06092016 08:48:01
ServPing Game A down 06092016 08:48:01

Decoders & rules:

servping
(\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d)
id,dstip,action,extra_data

servping-all
PingServ Rules Group

75
Domain
Domain Server Down!

75
Game
Game Server Down!

Now the decoders process fine, but the initial rule will not fire; might be my use of the option. Any thoughts?

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
^PINGSERV PING
pingserv
(\w+) (\d\d/\d\d/\d\d\d\d \d:\d\d:\d\d.\d\d) (\w+)
action,extra_data,dstip

pingserv
Grouping For Server Ping Group

100010
FAILURE
Server Ping Failure

100011
Server Unreachable For Over 6 Minutes
attacks,

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
I'll post my final decoders & rules + script soon.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
It works on my test system at home, which is the same install as at the shop, so WTF. Sorry for the crazy &(^*(^%

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Re: Ossec - ping servers with alert on failure
With this it still hits the 1002 rule:

pingserv
Grouping For Server Ping Group

100010
FAILURE
FAILURE

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
Re: [ossec-list] ISS 7 + 404/200 error decoders/rules..
working with the decoders at the moment

On Thursday, June 2, 2016 at 6:37:02 AM UTC-5, Jacob Mcgrath wrote:
> Ok, think I got it. Waiting till server log level is tuned up a bit then I will go for it again.
>
> On Friday, May 27, 2016 at 7:12:41 AM UTC-5, dan (ddpbsd) wrote:
>> On Thu, May 26, 2016 at 4:33 PM, Jacob Mcgrath wrote:
>> > Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
>> >
>> > server 1:
>> >
>> > 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
>> > 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
>> >
>> > Server 2:
>> >
>> > 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
>> > 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
>> >
>> > Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for web scans and alike but a beginning.
>> >
>> > Entry in local_decoder.xml:
>> >
>> > windows-date-format
>> > true
>> > ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
>> > (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
>> > url,srcip,id
>> >
>> > Entry in local_rules.xml
>> >
>> > kronos-web
>>
>> This rule is assuming the events are decoded as "kronos-web," but as you see in the logtest output they fall under "decoder: 'windows-date-format'."
>>
>> > Grouping for Kronos web rules.
>> >
>> > 17
>> > 404
>> > IIS 7 Web Server 404 Error.
>> > connection attempt,
>> >
>> > 17
>> > 200
>> > IIS 7 Web Server 200 Error.
>> > connection attempt,
>> >
>> > 18,19
>> > Possible Kronos Web Scan/Attack Detected.
>> > attacks,
>> >
>> > When I run the logtest I get this output that I am getting the url,srcip and id.. but is not getting to the rules I have created above...
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>> > hostname: 'alamo'
>> > program_name: '(null)'
>> > log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'windows-date-format'
>> > url: '/wfc/portal -'
>> > srcip: '10.18.100.24'
>> > id: '200'
>> >
>> > Am I missing something like a base idea behind this or a syntax thing I really do not know...
[ossec-list] Re: Ossec - ping servers with alert on failure
I got a script at timed intervals pinging out a server list and only writing failures to a log like so (this is a test run using an unknown machine name):

PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1

Now I have set up decoders like so:

^PINGSERV PING
pingserv
(\w+) (\d\d/\d\d/\d\d\d\d \d:\d\d:\d\d.\d\d) (\w+)
action,extra_data,dstip

The output is as such (more or less what I want):

PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1

**Phase 1: Completed pre-decoding.
full event: 'PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1 '
hostname: 'alamo'
program_name: '(null)'
log: 'PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1 '

**Phase 2: Completed decoding.
decoder: 'pingserv'
action: 'FAILURE'
extra_data: '06/03/2016 8:40:48.35'
dstip: 'fail1'

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

The issue is that I am not able to trigger the rule below:

pingserv
Grouping For Server Ping Group

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
[ossec-list] Ossec - ping servers with alert on failure
Was wondering on the best route/option to accomplish this?

(similar to the USB storage detection)

Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minute this file would be overwritten with the new results.

If the results "differ" from the last log the alert would be triggered.

(other option)

Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.

Curious if any had tried and found either way better?
Re: [ossec-list] ISS 7 + 404/200 error decoders/rules..
Ok, think I got it. Waiting till server log level is tuned up a bit then I will go for it again.

On Friday, May 27, 2016 at 7:12:41 AM UTC-5, dan (ddpbsd) wrote:
> On Thu, May 26, 2016 at 4:33 PM, Jacob Mcgrath wrote:
> > Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
> >
> > server 1:
> >
> > 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
> > 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
> >
> > Server 2:
> >
> > 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
> > 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
> >
> > Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for web scans and alike but a beginning.
> >
> > Entry in local_decoder.xml:
> >
> > windows-date-format
> > true
> > ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
> > (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
> > url,srcip,id
> >
> > Entry in local_rules.xml
> >
> > kronos-web
>
> This rule is assuming the events are decoded as "kronos-web," but as you see in the logtest output they fall under "decoder: 'windows-date-format'."
>
> > Grouping for Kronos web rules.
> >
> > 17
> > 404
> > IIS 7 Web Server 404 Error.
> > connection attempt,
> >
> > 17
> > 200
> > IIS 7 Web Server 200 Error.
> > connection attempt,
> >
> > 18,19
> > Possible Kronos Web Scan/Attack Detected.
> > attacks,
> >
> > When I run the logtest I get this output that I am getting the url,srcip and id.. but is not getting to the rules I have created above...
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> > hostname: 'alamo'
> > program_name: '(null)'
> > log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'windows-date-format'
> > url: '/wfc/portal -'
> > srcip: '10.18.100.24'
> > id: '200'
> >
> > Am I missing something like a base idea behind this or a syntax thing I really do not know...
[ossec-list] Re: ISS 7 + 404/200 error decoders/rules..
v2.8

On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
> Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
>
> server 1:
>
> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
>
> Server 2:
>
> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
>
> Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for web scans and alike but a beginning.
>
> Entry in local_decoder.xml:
>
> windows-date-format
> true
> ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
> (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
> url,srcip,id
>
> Entry in local_rules.xml
>
> kronos-web
> Grouping for Kronos web rules.
>
> 17
> 404
> IIS 7 Web Server 404 Error.
> connection attempt,
>
> 17
> 200
> IIS 7 Web Server 200 Error.
> connection attempt,
>
> 18,19
> Possible Kronos Web Scan/Attack Detected.
> attacks,
>
> When I run the logtest I get this output that I am getting the url,srcip and id.. but is not getting to the rules I have created above...
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> hostname: 'alamo'
> program_name: '(null)'
> log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> url: '/wfc/portal -'
> srcip: '10.18.100.24'
> id: '200'
>
> Am I missing something like a base idea behind this or a syntax thing I really do not know...
[ossec-list] Re: ISS 7 + 404/200 error decoders/rules..
My phase 3 is the same..

**Phase 1: Completed pre-decoding.
full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
hostname: 'alamo'
program_name: '(null)'
log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
url: '/wfc/portal -'
srcip: '10.18.100.24'
id: '200'

**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'

On Thursday, May 26, 2016 at 4:05:55 PM UTC-5, Brent Morris wrote:
> Hi Jacob,
>
> What version of OSSEC are you on?
>
> It doesn't look like you've configured your IIS servers logging to meet the OSSEC 2.8 decoder expectations. But even having said that, I'd submitted some "IIS default" decodes to the github repository some time back.
>
> So when I test your log against my OSSEC, I get a different result.
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> hostname: 'lott-ossec'
> program_name: '(null)'
> log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> dstip: '172.18.2.247'
> action: 'POST'
> url: '/wfc/portal'
> dstport: '443'
> srcip: '10.18.100.24'
> id: '200'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '31108'
> Level: '0'
> Description: 'Ignored URLs (simple queries).'
>
> But it looks like you have a decoder that is working. And having said that, I can't see what "**Phase 3" of your logtest shows for the output of the rule id. I only see Phase 1 and Phase 2... so there's no way for us to know what rule it is matching to compare against your local_rules.xml entries.
>
> On Thursday, May 26, 2016 at 1:35:30 PM UTC-7, Jacob Mcgrath wrote:
>> I am still struggling with the general syntax of regex...
>>
>> On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
>>> Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
>>>
>>> server 1:
>>>
>>> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
>>> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
>>>
>>> Server 2:
>>>
>>> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
>>> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
>>>
>>> Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for web scans and alike but a beginning.
>>>
>>> Entry in local_decoder.xml:
>>>
>>> windows-date-format
>>> true
>>> ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
>>> (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
>>> url,srcip,id
[ossec-list] Re: ISS 7 + 404/200 error decoders/rules..
I am still struggling with the general syntax of regex...

On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
> Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.
>
> server 1:
>
> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
>
> Server 2:
>
> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2
>
> Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for web scans and alike but a beginning.
>
> Entry in local_decoder.xml:
>
> windows-date-format
> true
> ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
> (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
> url,srcip,id
>
> Entry in local_rules.xml
>
> kronos-web
> Grouping for Kronos web rules.
>
> 17
> 404
> IIS 7 Web Server 404 Error.
> connection attempt,
>
> 17
> 200
> IIS 7 Web Server 200 Error.
> connection attempt,
>
> 18,19
> Possible Kronos Web Scan/Attack Detected.
> attacks,
>
> When I run the logtest I get this output that I am getting the url,srcip and id.. but is not getting to the rules I have created above...
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
> hostname: 'alamo'
> program_name: '(null)'
> log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> url: '/wfc/portal -'
> srcip: '10.18.100.24'
> id: '200'
>
> Am I missing something like a base idea behind this or a syntax thing I really do not know...
[ossec-list] ISS 7 + 404/200 error decoders/rules..
Looking to take these logs from two separate server applications and perform alerts and possibly responses to them.

server 1:

2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203

Server 2:

2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2

Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for web scans and alike but a beginning.

Entry in local_decoder.xml:

windows-date-format
true
^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
url,srcip,id

Entry in local_rules.xml

kronos-web
Grouping for Kronos web rules.

17
404
IIS 7 Web Server 404 Error.
connection attempt,

17
200
IIS 7 Web Server 200 Error.
connection attempt,

18,19
Possible Kronos Web Scan/Attack Detected.
attacks,

When I run the logtest I get this output that I am getting the url,srcip and id.. but is not getting to the rules I have created above...

**Phase 1: Completed pre-decoding.
full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
hostname: 'alamo'
program_name: '(null)'
log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
url: '/wfc/portal -'
srcip: '10.18.100.24'
id: '200'

Am I missing something like a base idea behind this or a syntax thing I really do not know...
[ossec-list] Re: IIS 8 FTP log monitor & alert
*Started the decoder/rules from scratch since the test ossec system at home worked ok...*

*This sees the FTP log attempts + the elevation of "Brute Force" to an active response through route-null.cmd. But the route-null.cmd should be the latest updated release of this script from github...*

*But it is working, little more tuning but it works*

*Enable active response on Windows FTP IIS agent:*

C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
iis
no

*Add to server ossec.conf:*

win_nullroute
route-null.cmd
srcip
yes

win_nullroute
all
10006
6
60

*Server local_decoder.xml:*

windows-date-format
true
^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC4
^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)
srcip,user,action,id

*Server local_rules.xml:*

msftp8
Grouping for the Microsoft ftp 8 rules.

14
PASS
530
FTP Authentication failed.
authentication_failed,

15
FTP brute force (multiple failed logins).
authentication_failures,

On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
> Here is what I have so far...
>
> *Agent config*
>
> C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
> iis
>
> *Server local_decoder.xml*
>
> windows-date-format
> true
> ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC
> ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)
> srcip,user,action,id
>
> *Server local_rules.xml*
>
> msftp8
> Grouping for the Microsoft ftp 8 rules.
>
> 14
> PASS
> 530
> FTP Authentication failed.
> authentication_failed,
>
> 15
> FTP brute force (multiple failed logins).
> authentication_failures,
>
> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
>
> The plan is to check the IIS 8 FTP server log looking for brute force attempts and in addition drop the IP that is offending to agents.
>
> I have set these up and restarted both server and agent and run 10+ rapid ftp login attempts but do not see any real alerts as designed.
>
> Any direction would be welcomed...
[ossec-list] Re: IIS 8 FTP log monitor & alert
As far as alert.log

** Alert 1464116536.2709526: mail - syslog,errors,
2016 May 24 19:02:16 (spmedia1) 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ex160524.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: 10.18.100.24
User: -
2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+occurred+during+the+authentication+process.

On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
[ossec-list] Re: IIS 8 FTP log monitor & alert
ossec v2.8 & local_rules included...

On Tuesday, May 24, 2016 at 11:39:06 AM UTC-5, Jesus Linares wrote:
> Hi,
>
> you are right, the problem should be with your rule. Do you have local_rules.xml included in ossec.conf? What OSSEC version are you running?
>
> In my version it is working (Wazuh <https://github.com/wazuh>):
>
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
> hostname: 'LinMV'
> program_name: '(null)'
> log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> srcip: '10.18.100.24'
> dstuser: '-'
> action: 'PASS'
> id: '530'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '15'
> Level: '5'
> Description: 'FTP Authentication failed.'
> **Alert to be generated.
>
> On Tuesday, May 24, 2016 at 5:39:55 PM UTC+2, Jacob Mcgrath wrote:
[ossec-list] Re: IIS 8 FTP log monitor & alert
I can run 8-10 failed logins and do get email alerts for them so I believe the decoder is working but the rules are not being applied and the fall back is rule:1002 for some reason

OSSEC HIDS Notification.
2016 May 24 15:32:13

Received From: (spmedia1) 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ex160524.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

2016-05-24 15:31:20 10.18.100.24 46986 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 10 16 ffbd0e67-ff45-4c49-b29f-26692a1975da - An+error+occurred+during+the+authentication+process.

--END OF NOTIFICATION

On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
[ossec-list] Re: IIS 8 FTP log monitor & alert
I can run 8-10 failed logins and do get email alerts for them so I believe the decoder is working but the rules are not being applied and the fall back is rule:1002 for some reason

On Tuesday, May 24, 2016 at 10:24:24 AM UTC-5, Jacob Mcgrath wrote:
[ossec-list] Re: IIS 8 FTP log monitor & alert
Weird I run the logtest and I get this:

2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process.

**Phase 1: Completed pre-decoding.
full event: '2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process.'
hostname: 'alamo'
program_name: '(null)'
log: '2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process.'

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
srcip: '10.18.100.24'
dstuser: '-'
action: 'PASS'
id: '530'

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

On Tuesday, May 24, 2016 at 7:10:10 AM UTC-5, Jesus Linares wrote:
> Hi Jacob,
>
> the rule 16 will be fired when rule 15 fires 8 times (6+2). It seems to work:
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
> hostname: 'LinMV'
> program_name: '(null)'
> log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> srcip: '10.18.100.24'
> dstuser: '-'
> action: 'PASS'
> id: '530'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '16'
> Level: '10'
> Description: 'FTP brute force (multiple failed logins).'
> **Alert to be generated.
>
> So, your rules are fine. Maybe the problem is that you are receiving a different log (with other format) or just you are not receiving anything. Configure ossec to log all events:
>
> yes
>
> Then, review archives/archives.log. In case you are receiving the ftp logs, paste here some examples and we can help a little more.
>
> Regards.
>
> On Monday, May 23, 2016 at 10:51:28 PM UTC+2, Jacob Mcgrath wrote:
[ossec-list] IIS 8 FTP log monitor & alert
Here is what I have so far...

*Agent config*
C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
iis

*Server local_decoder.xml*
windows-date-format
true
^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC
^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)
srcip,user,action,id

*Server local_rules.xml*
msftp8
Grouping for the Microsoft ftp 8 rules.
14
PASS
530
FTP Authentication failed.
authentication_failed,
15
FTP brute force (multiple failed logins).
authentication_failures,

*Now my IIS 8 ftp server log looks like this for the 530 error:*

2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.

The plan is to check the IIS 8 FTP server log looking for brute force attempts and in addition drop the IP that is offending to agents.

I have set these up and restarted both server and agent and run 10+ rapid ftp login attempts but do not see any real alerts as designed.

Any direction would be welcomed...
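As an added example (not code from the thread, from OSSEC or from the poster), the decoder regex and the rule-15/rule-16 pair posted above are replayed in Python over constructed IIS 8 FTP log lines, using the frequency-plus-two firing behaviour Jesus describes later in the thread ("8 times (6+2)"). The sample lines, the 120 s timeframe, the counter reset after firing and the W3SVC line used to show the prematch filter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python rendering of the posted local_decoder.xml. Assumption: the
# windows-date-format parent consumes the leading "YYYY-MM-DD HH:MM:SS ", so
# the child <regex> starts at the client IP, as in the post. Captures follow
# the posted <order>: srcip, user, action, id.
FTP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) \d+ (?P<user>\S+) "
    r"FTPSVC\S* \S+ \S+ \S+ \d+ "        # <prematch>: site field starts with FTPSVC
    r"(?P<action>\S+) \S+ (?P<id>\d+)"
)


def decode(line):
    """Run the decoder over one log line; None means no decoder matched."""
    m = FTP_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
    return fields


def rule_auth_failed(fields):
    """Rule 15 in the thread: a PASS command answered with FTP status 530."""
    return fields["action"] == "PASS" and fields["id"] == "530"


class BruteForceRule:
    """Composite rule 16: if_matched_sid 15, same_source_ip, frequency/timeframe.

    Assumption, following Jesus's note: OSSEC 2.x fires a frequency-N rule on
    the (N+2)th match inside the timeframe, and the per-source counter restarts
    once the rule has fired.
    """

    def __init__(self, frequency=6, timeframe=120):
        self.needed = frequency + 2
        self.window = timedelta(seconds=timeframe)
        self.seen = defaultdict(deque)   # srcip -> timestamps of rule-15 hits

    def feed(self, fields):
        """Record one rule-15 hit; True when rule 16 fires for this source."""
        hits = self.seen[fields["srcip"]]
        hits.append(fields["ts"])
        while hits and fields["ts"] - hits[0] > self.window:
            hits.popleft()               # drop hits outside the timeframe
        if len(hits) >= self.needed:
            hits.clear()
            return True
        return False


def run(lines, frequency=6, timeframe=120):
    """Replay log lines through decoder and rules; report what fired."""
    brute = BruteForceRule(frequency, timeframe)
    result = {"undecoded": 0, "rule15": 0, "bruteforce": []}
    for line in lines:
        fields = decode(line)
        if fields is None:
            result["undecoded"] += 1     # would fall back to a generic rule
            continue
        if rule_auth_failed(fields):
            result["rule15"] += 1
            if brute.feed(fields):
                result["bruteforce"].append(
                    (fields["srcip"], fields["ts"].strftime("%Y-%m-%d %H:%M:%S")))
    return result


def _ftp_line(ts, srcip, cport, user, action, status):
    """Constructed sample in the layout of the IIS 8 FTP log quoted above."""
    return (f"{ts} {srcip} {cport} {user} FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 "
            f"{action} *** {status} 1326 41 101 16 0 "
            "00000000-0000-0000-0000-000000000000 - "
            "An+error+occurred+during+the+authentication+process.")


# Constructed sample: eight failed logins from one client within 21 seconds,
# one USER command, one failure from a second client, and an HTTP (W3SVC-style)
# line that the FTPSVC prematch must skip.
SAMPLE_LOG = sorted(
    [_ftp_line(f"2016-05-23 20:03:{38 + 3 * i:02d}", "10.18.100.24", 23138 + i,
               "-", "PASS", 530) for i in range(8)]
    + [_ftp_line("2016-05-23 20:03:40", "10.18.100.24", 23138, "jacob", "USER", 331),
       _ftp_line("2016-05-23 20:03:45", "10.18.100.99", 40001, "-", "PASS", 530),
       "2016-05-23 20:03:50 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 "
       "Mozilla/5.0 200 0 0 15"]
)

if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```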
[ossec-list] Re: Have Snort signature trigger Ossec active response...?
I am thinking of monitoring the sguild.logs for snort alerts such as the below that decoders would have to be made for (which I am weak on):

2016-05-12 16:08:58 pid(2410) Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 901 0 8 8 1}

On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
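Added example (not code from the thread, from Sguil or from OSSEC): a Python parser for the sguild InsertEvent line quoted above, pulling out the fields an OSSEC decoder for it would need (source, destination, signature, gid:sid), plus a check that only the scan SIDs listed in the original post's local.rules should drive a null-route. The Tcl-list field order and the never-block address list are assumptions.

```python
import re

# Constructed copy of the sguild line quoted in the thread.
SAMPLE_LINE = ("2016-05-12 16:08:58 pid(2410) Sending sock222f690: InsertEvent "
               "{0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} "
               "10.40.2.75 10.40.3.253 6 56496 10247 1 901 0 8 8 1}")

# Assumption: sguild hands events to clients as a Tcl list whose first 16
# elements are laid out like this (values after sig_rev are not needed here).
EVENT_FIELDS = ["status", "priority", "class", "sensor", "timestamp", "sensor_id",
                "cid", "signature", "srcip", "dstip", "proto", "srcport", "dstport",
                "sig_gen", "sig_id", "sig_rev"]

INSERT_EVENT = re.compile(r"InsertEvent \{(.*)\}\s*$")

# SIDs from the local.rules quoted in the original post (stealth scan rules).
SCAN_SIDS = {str(s) for s in range(900, 910)}

# Assumption (constructed): addresses that must never be null-routed on every
# agent, e.g. the OSSEC server and the default gateway.
NEVER_BLOCK = {"10.40.3.1", "10.40.3.10"}


def tcl_words(text):
    """Split a Tcl list body on whitespace, keeping brace-quoted words intact."""
    words, cur, depth = [], [], 0
    for ch in text:
        if ch == "{":
            if depth:
                cur.append(ch)            # nested brace stays literal
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
            if depth:
                cur.append(ch)
            else:
                words.append("".join(cur))  # braced word ends, may be empty
                cur = []
        elif ch.isspace() and depth == 0:
            if cur:
                words.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError("unbalanced braces")
    if cur:
        words.append("".join(cur))
    return words


def decode_sguild_event(line):
    """Return the decoded alert fields, or None if the line is not an InsertEvent."""
    m = INSERT_EVENT.search(line)
    if m is None:
        return None
    words = tcl_words(m.group(1))
    if len(words) < len(EVENT_FIELDS):
        return None
    ev = dict(zip(EVENT_FIELDS, words))
    ev["rule"] = f"{ev['sig_gen']}:{ev['sig_id']}"   # gid:sid as Snort prints it
    return ev


def active_response_target(ev):
    """Source IP to null-route for this event, or None when no response is due.

    Only Snort's own rule engine (gid 1) and the poster's scan SIDs qualify,
    and infrastructure addresses are never blocked.
    """
    if ev is None or ev["sig_gen"] != "1" or ev["sig_id"] not in SCAN_SIDS:
        return None
    if ev["srcip"] in NEVER_BLOCK:
        return None
    return ev["srcip"]


if __name__ == "__main__":
    event = decode_sguild_event(SAMPLE_LINE)
    print(event["rule"], event["signature"], "->", active_response_target(event))
```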
[ossec-list] Re: Have Snort signature trigger Ossec active response...?
I had to re-purpose my VM playground PE R900 until I get a replacement motherboard for my signage server, so it may take a bit until I can start playing with this. But it looks like there is a way to use Barnyard to decode alerts to a readable log format. At least from what I read.

I am referencing this: log alerts <http://commons.oreilly.com/wiki/index.php/Snort_Cookbook/Logging,_Alerts,_and_Output_Plug-ins#Logging_Only_Alerts>

On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
[ossec-list] Have Snort signature trigger Ossec active response...?
Is it possible to have Ossec monitor Snort logs for certain SIDs and then trigger the active response on all agents when an event occurs.

Looking at reacting to Nmap and Nessus type scans on my internal network.

I guess I would have to monitor the Security Onion server's snort log for SIDs for port scans.

In the Security Onion server I have /etc/nsm/rules/local.rules

# look for stealth port scans/sweeps
alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF;sid:900;)
alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:901;)
alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:902;)
alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:903;)
alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:904;)
alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:905;)
alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:906;)
alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:907;)
alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:908;)
alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:909;)

How would one write the local local.rules for the Ossec server to trigger active responses route-null function on agents.

1. Snort sees port scans and writes alert to log
2. Ossec sees Snort's port scan alerts in log and triggers route-null on all agents.

Is there a guide to setting something like this up?
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
I have win 8, 10, Server 2003/2008/2012 I will test on when I get a moment at work.

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
> Hi
>
> I cannot get active response to work
>
> how can I debug why active response on Windows agents is not working ?
>
> linux agents are fine - i.e drop/active response is working
>
> I have followed - http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command : - /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 002
>
> it doesn't block / add a route on the windows agent
>
> tried on Windows 2012/2008 both os's same result.
>
> How can I find out why ?
>
> regards
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Ok on Win7 Ent it seems to be working ok... ty

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Ok, let me know when it's time for my guinea pigging to start lol.

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Is this a patch to Ossec or to the script?

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Thank you Antonio

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
The script works locally at work

If I invoke an active response from the ossec server like so

/var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007

I see that the C:\Program Files (x86)\ossec-agent\active-response\active-responses.log is generated... with this input...

Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"

route print on my windows agent does not show this route added and in turn removed...

From what I can tell the script should work if the proper args are received. But the ip to be routed from ossec never gets seen in the windows agent... could be the script or the way the arg is passed down from server to agent.

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Not at work yet but the new one from git repo works "locally". I will test in a couple hours at work :)

:: Script to null route an ip address.
@ECHO OFF
ECHO.

:: Set some variables
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DAT=%%A %%B
FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIM=%%A:%%B:%%C

:: Check for required arguments
IF /I "%1"=="" GOTO ERROR
IF /I "%2"=="" GOTO ERROR

:: Check for a valid IP (a dot means IPv4, otherwise treat it as IPv6)
ECHO "%2" | %WINDIR%\system32\findstr.exe /R "\." >nul || GOTO ipv6
set prefixlength=32
set gateway=0.0.0.0
goto x
:ipv6
set prefixlength=128
set gateway=::
:x

IF /I "%1"=="add" GOTO ADD
IF /I "%1"=="delete" GOTO DEL

:ERROR
ECHO Invalid argument(s).
ECHO Usage: route-null.cmd ^(ADD^|DELETE^) IP Address
ECHO Example: route-null.cmd ADD 1.2.3.4
EXIT /B 1

:: Adding IP to be null-routed.
:ADD
%WINDIR%\system32\route.exe ADD %2/%prefixlength% %gateway%
:: Log it
ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"
GOTO EXIT

:DEL
%WINDIR%\system32\route.exe DELETE %2/%prefixlength%
ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"

:EXIT
EXIT /B 0

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Yes, I have no life, "but" since I am dropping routes on my internal network I can check the first octet, or chain checks in this style for other subnets...

    ECHO "%2" | %WINDIR%\system32\findstr.exe /R "10\." >nul || ECHO Invalid IP && EXIT /B 2
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
For me it was the IP checking part of the script on Windows 7 Enterprise... I commented it out for now until I have a little time to rework the checking function... I will post it later when this happens.

    :: Check for a valid IP
    ::ECHO "%2" | %WINDIR%\system32\findstr.exe /R "[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*" >nul || ECHO Invalid IP && EXIT /B 2

    :: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1
    FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
    %WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%
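An added example, not code from the posts above nor from the OSSEC repository: the same add/delete null-route script as route-null.cmd, rewritten in PowerShell with a strict check of the IP argument. The findstr checks in this thread only test whether the argument contains a dot, or the substring "10.", and whatever passes that test is expanded straight into the route.exe command line; parsing the argument with [System.Net.IPAddress] first means only a literal, canonical address ever reaches route.exe, and loopback or all-zero targets (a null route that would cut the host off from itself) are refused. Assumed, because they are not in the thread: the file name route-null.ps1, the helper name Test-NullRouteTarget, and that a one-line .cmd wrapper (powershell.exe -NoProfile -ExecutionPolicy Bypass -File ...\route-null.ps1 %1 %2) is what the agent's active response actually calls, since OSSEC on Windows runs .cmd executables. The route.exe arguments (destination/prefix with gateway 0.0.0.0 or ::) and the OSSECPATH variable are copied from the posted .cmd.

```powershell
# route-null.ps1 -- added example, not the posted route-null.cmd nor the OSSEC repository script.
# Same contract as the .cmd: route-null.ps1 <add|delete> <ip>, called from OSSEC active response.
# The difference is that the IP is parsed into an address object before anything reaches route.exe.
param(
    [Parameter(Mandatory = $true)][string]$Action,
    [Parameter(Mandatory = $true)][string]$Ip
)

# Assumes OSSECPATH is set for the agent, as the posted .cmd assumes.
$logFile = Join-Path $env:OSSECPATH 'active-response\active-responses.log'

function Test-NullRouteTarget {
    # Returns a [System.Net.IPAddress] for a usable literal address, or $null (hypothetical helper).
    param([string]$Candidate)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Candidate, [ref]$parsed)) { return $null }
    # TryParse is lenient ("10.1" parses as 10.0.0.1, "1.2.3" as 1.2.0.3); require the canonical dotted quad.
    if ($parsed.AddressFamily -eq 'InterNetwork' -and $parsed.ToString() -ne $Candidate) { return $null }
    # Refuse targets whose null route would hit the host itself or match everything.
    if ([System.Net.IPAddress]::IsLoopback($parsed)) { return $null }
    if ($parsed.Equals([System.Net.IPAddress]::Any) -or $parsed.Equals([System.Net.IPAddress]::IPv6Any)) { return $null }
    return $parsed
}

$target = Test-NullRouteTarget $Ip
if ($null -eq $target) {
    Write-Error "Refusing to act on '$Ip': not a usable literal IP address"
    exit 2
}

# Prefix length and gateway exactly as the posted .cmd chooses them.
if ($target.AddressFamily -eq 'InterNetworkV6') { $prefix = 128; $gateway = '::' }
else                                              { $prefix = 32;  $gateway = '0.0.0.0' }

$routeExe = Join-Path $env:windir 'system32\route.exe'
switch ($Action.ToLowerInvariant()) {
    'add'    { & $routeExe ADD    "$target/$prefix" $gateway | Out-Null }
    'delete' { & $routeExe DELETE "$target/$prefix"          | Out-Null }
    default  { Write-Error 'Usage: route-null.ps1 (add|delete) <ip>'; exit 1 }
}
$rc = $LASTEXITCODE

# Log the action together with route.exe's exit code, so a failed ADD is visible in active-responses.log.
"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $PSCommandPath $Action $target rc=$rc" | Add-Content -Path $logFile
exit $rc
```

Logging route.exe's exit code is the point of the last lines: the posted .cmd writes the same log line whether or not route.exe succeeded, so a refused or failed route add leaves nothing behind to debug with, which is the situation the original question describes. With the exit code in active-responses.log, "the route was never added" and "the script never ran" become distinguishable on the agent.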
[ossec-list] Re: Ossec & Windows mass deployment and server based agent config?
Thanks, peeps, for the info; digging into it as we speak.
[ossec-list] Re: USB storage detection & content logging ( Reworked from earlier post )
<https://lh3.googleusercontent.com/-77P49OfgEuI/VyOAW-JH46I/CYQ/rWZvCMTOkl0240wJOUI5DtIt46YXC5xfQCLcB/s1600/squert.PNG>
[ossec-list] Re: Ossec & Windows mass deployment and server based agent config?
I am having an issue getting my server's agent.conf pushed to a test Windows agent. As in a prior post, USB Detection <https://groups.google.com/forum/#!topic/ossec-list/9P1wZM78jj4>, I wish to use /var/ossec/etc/shared/agent.conf to push USB detection and possibly other deployment-wide logging, etc. My server-side agent.conf is as follows:

    -rw-r--r-- 1 root ossec 237 Apr 28 19:49 /var/ossec/etc/shared/agent.conf

    <agent_config>
      <localfile>
        <log_format>full_command</log_format>
        <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
        <frequency>30</frequency>
        <alias>USBDevices</alias>
      </localfile>
    </agent_config>

I restarted the OSSEC manager and the Windows client, but after much time I still do not see any alteration to the Windows client-side agent.conf... I ran an md5sum check with this output:

    02e124cb20c0a982fa571edcf5ecfce3  /var/ossec/etc/shared/agent.conf
    root@alamo:/home/mis# /var/ossec/bin/agent_control -i 007

    OSSEC HIDS agent_control. Agent information:
       Agent ID:   007
       Agent Name: mis41
       IP address: any/any
       Status:     Active

       Operating system:    Microsoft Windows 7 Enterprise Edition Professional ..
       Client version:      OSSEC HIDS v2.8.3 / d41d8cd98f00b204e9800998ecf8427e
       Last keep alive:     Fri Apr 29 15:29:04 2016

       Syscheck last started  at: Fri Apr 29 15:13:54 2016
       Rootcheck last started at: Fri Apr 29 15:14:26 2016

Wondering if the Active Directory permission structure is causing issues with OSSEC config pushes??
[ossec-list] USB storage detection & content logging ( Reworked from earlier post )
Ok, here is my .bat script I use to check for and list files contained within the USB drive. If no drive is detected the output file does not change, therefore not causing an alarm when the drive is removed. If no drive is present the script exits, causing no change to usbstor.txt and thus no alarm either.

    @echo off
    set host=%COMPUTERNAME%

    for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
      for %%c in (%%b) do (
        for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
          if %%d equ Removable (
            rem Inner loop variable renamed from %%a so it does not shadow the outer one.
            rem %USERNAME% assumed for the undefined %user% of the original; when the OSSEC agent
            rem service runs this script it is the service account, not the logged-on user.
            for /f "skip=4 usebackq tokens=2" %%e in (`nslookup %host%`) do echo %host% %%e %USERNAME% > C:\temp\usbstor.txt
            echo Drive %%c is Removable (USB^)
            dir /s %%c >> C:\temp\usbstor.txt
            type C:\temp\usbstor.txt
          )
        )
      )
    )

Now in the Windows agent config I have the entry that runs the .bat script every so many minutes or seconds (I have mine set to 30 seconds for testing, but 60 seconds would be more realistic).

    <localfile>
      <log_format>full_command</log_format>
      <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
      <frequency>30</frequency>
      <alias>USBDevices</alias>
    </localfile>

On the OSSEC server side I have this entry in local_rules.xml:

    <rule id="503002" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'USBDevices'</match>
      <check_diff />   <!-- assumed: the alert below carries a "Previous output" section -->
      <description>Mounted Device change detected</description>
    </rule>

After this I restart the OSSEC server and agent, wait a minute, then insert a USB drive. I get an email alert similar to this... I have shortened the output after the "Previous output" since this would include the differences between the current and last alert.

    OSSEC HIDS Notification.
    2016 Apr 28 15:11:29

    Received From: (mis41) any->USBDevices
    Rule: 503002 fired (level 7) -> "Mounted Device change detected"
    Portion of the log(s):

    ossec: output: 'USBDevices':
    Drive F:\ is Removable (USB)
    MIS41 10.18.100.24
     Volume in drive F is OS
     Volume Serial Number is 642E-1FF6

     Directory of F:\

    11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
    12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
                   2 File(s)    420,707,840 bytes

     Directory of F:\System Volume Information

    11/05/2015  08:56 AM    <DIR>          .
    11/05/2015  08:56 AM    <DIR>          ..
    11/05/2015  08:56 AM                76 IndexerVolumeGuid
    01/13/2016  02:41 PM                12 WPSettings.dat
                   2 File(s)             88 bytes

         Total Files Listed:
                   4 File(s)    420,707,928 bytes
                   2 Dir(s)   3,328,983,040 bytes free

    Previous output:
    ossec: output: 'USBDevices':

    --END OF NOTIFICATION

I do see similar logging in Squert for these events. I do see the alerts for the events in ELSA, but no output like there is in the above in the OSSEC alerts category.
[ossec-list] Re: USB storage detect & recursive file list
And I get this in Squert on my Security Onion...

<https://lh3.googleusercontent.com/-s8bBhwqjuDc/VyIsbVMoMaI/CWM/ntYZ5QQQYYYJM1rxu8gFSPyP2B-LN3-nACLcB/s1600/squert.PNG>
[ossec-list] Re: USB storage detect & recursive file list
Now in Squert I can see this report and/or alert...

<https://lh3.googleusercontent.com/-Ooskcm7_A2U/VyIrGUcx9iI/CWA/CsSu3vRW83Y8kbU89cVAGTV7PgWqSVk8QCLcB/s1600/squert.PNG>
[ossec-list] Re: USB storage detect & recursive file list
Ok, here is my .bat script I use to check for and list files contained within the USB drive. If no drive is detected the output file does not change, therefore not causing an alarm when the drive is removed.

    @echo off
    set host=%COMPUTERNAME%

    for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
      for %%c in (%%b) do (
        for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
          if %%d equ Removable (
            rem Inner loop variable renamed from %%a so it does not shadow the outer one.
            rem %USERNAME% assumed for the undefined %user% of the original; when the OSSEC agent
            rem service runs this script it is the service account, not the logged-on user.
            for /f "skip=4 usebackq tokens=2" %%e in (`nslookup %host%`) do echo %host% %%e %USERNAME% > C:\temp\usbstor.txt
            echo Drive %%c is Removable (USB^)
            dir /s %%c >> C:\temp\usbstor.txt
            type C:\temp\usbstor.txt
          )
        )
      )
    )

Now in the Windows agent config I have the entry that runs the .bat script every so many minutes or seconds (I have mine set to 30 seconds for testing, but 60 seconds would be more realistic).

    <localfile>
      <log_format>full_command</log_format>
      <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
      <frequency>30</frequency>
      <alias>USBDevices</alias>
    </localfile>

On the OSSEC server side I have this entry in local_rules.xml:

    <rule id="503002" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'USBDevices'</match>
      <check_diff />   <!-- assumed: the alert below carries a "Previous output" section -->
      <description>Mounted Device change detected</description>
    </rule>

After this I restart the OSSEC server and agent, wait a minute, then insert a USB drive. I get an email alert similar to this:

    OSSEC HIDS Notification.
    2016 Apr 28 15:11:29

    Received From: (mis41) any->USBDevices
    Rule: 503002 fired (level 7) -> "Mounted Device change detected"
    Portion of the log(s):

    ossec: output: 'USBDevices':
    Drive F:\ is Removable (USB)
    MIS41 10.18.100.24
     Volume in drive F is OS
     Volume Serial Number is 642E-1FF6

     Directory of F:\

    11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
    12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
                   2 File(s)    420,707,840 bytes

     Directory of F:\System Volume Information

    11/05/2015  08:56 AM    <DIR>          .
    11/05/2015  08:56 AM    <DIR>          ..
    11/05/2015  08:56 AM                76 IndexerVolumeGuid
    01/13/2016  02:41 PM                12 WPSettings.dat
                   2 File(s)             88 bytes

         Total Files Listed:
                   4 File(s)    420,707,928 bytes
                   2 Dir(s)   3,328,983,040 bytes free

    Previous output:
    ossec: output: 'USBDevices':

    --END OF NOTIFICATION

In Squert I can see this:
[ossec-list] Ossec & Windows mass deployment and server based agent config?
I have a 200-300 workstation network and roughly 60-80 servers in either heavy metal or virtual clusters.

From what I read I can use a .csv file with hostnames to assign Ossec keys to agents in large volumes. Has anyone done this, or had issues with this method?

Passing down Windows agent configs from the Ossec server: is this a real-world possibility?
[ossec-list] Re: USB storage detect & recursive file list
I have a "working" solution, not as elegant as I wanted, but it does work. When I get to work I will post!

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
>
>     <localfile>
>       <log_format>full_command</log_format>
>       <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>       <frequency>300</frequency>
>       <alias>USBDevices</alias>
>     </localfile>
>
> with the following rule in local_rules.xml
>
>     <rule id="503002" level="7">
>       <if_sid>530</if_sid>
>       <match>ossec: output: 'USBDevices'</match>
>       <check_diff />   <!-- assumed: the later alerts in this thread carry a "Previous output" section -->
>       <description>Mounted Device change detected</description>
>     </rule>
>
> Of course I get this alert, which is nice for basic logging..
>
>     OSSEC HIDS Notification.
>     2016 Apr 19 18:35:31
>
>     Received From: (mis41) any->USBDevices
>     Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>     Portion of the log(s):
>
>     ossec: output: 'USBDevices':
>     Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>     InterfaceType          : IDE
>     serialnumber           : 359ZMW6MS
>     Size                   : 1000202273280
>     MediaType              : Fixed hard disk media
>     CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>
>     Model                  : Verbatim STORE N GO USB Device
>     InterfaceType          : USB
>     serialnumber           : AA000489
>     Size                   : 16022845440
>     MediaType              : Removable Media
>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>
>     Model                  : Verbatim STORE N GO USB Device
>     InterfaceType          : USB
>     serialnumber           : AA000489
>     Size                   : 16022845440
>     MediaType              : Removable Media
>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>
>     --END OF NOTIFICATION
>
> I was playing around with PowerShell and have an optional command to print
> out USB storage device files recursively...
>
>     powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
> This gives me this output in a tmp.txt if run from a PowerShell window or
> the run line.
>
>         Directory: F:\
>
>     Mode                LastWriteTime     Length Name
>     ----                -------------     ------ ----
>     -a---        11/06/2015 12:38 PM       2290 mbam-setup-2.2.0.1024.exe
>     -a---        12/21/2014  9:27 AM  397798952 sp66051_driver-pack.exe
>
>         Directory: E:\
>
>     Mode                LastWriteTime     Length Name
>     ----                -------------     ------ ----
>     -a---        12/06/2011  9:51 AM     388608 HijackThis.exe
>     -a---        03/04/2016  2:44 PM       2290 mbam-setup-2.2.0.1024.exe
>     -a---        03/04/2016  2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists into a USB
> detection report, but have not had any success as of yet using the above
> command instead of the first, like below.
>
>     <localfile>
>       <log_format>full_command</log_format>
>       <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>       <frequency>300</frequency>
>       <alias>USBDevices</alias>
>     </localfile>
>
> This gives me an empty C:\temp\test.txt file...
>
> Any suggestions would be appreciated...
>
[ossec-list] Re: USB storage detect & recursive file list
Not as of yet, I am still working out some issues with reporting while removable drives are not present.

On Friday, April 22, 2016 at 12:05:13 PM UTC-5, namobud...@gmail.com wrote:
>
> Can I just throw this into my local rules and it will detect plugged-in
> USB devices?
>
>     <rule id="503002" level="7">
>       <if_sid>530</if_sid>
>       <match>ossec: output: 'USB-Audit'</match>
>       <check_diff />
>       <description>USB Connected - Current Session Information</description>
>     </rule>
>
[ossec-list] Re: USB storage detect & recursive file list
Ok, this seems to work better on the AD network with the PowerShell lockdown we have at work at the moment..

<rule id="503002" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'USB-Audit'</match>
  <description>USB Connected - Current Session Information</description>
</rule>

<localfile>
  <log_format>full_command</log_format>
  <command>C:\Admin_Tools\USB_Audit\ps-usb.bat</command>
  <frequency>60</frequency>
  <alias>USB-Audit</alias>
</localfile>

ps-usb.bat

@echo off
rem Drive letter of the removable (drivetype=2) logical disk, via WMI;
rem if more than one is present only the last one found is kept.
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
  set var=%%d
)
echo
rem Recursive listing of the removable drive, written to a file and then
rem printed so the OSSEC agent captures it as the command output
dir /s %var% > C:\temp\usb.txt
type C:\temp\usb.txt

The output I get from this in email alerts is this

OSSEC HIDS Notification.
2016 Apr 21 19:47:54

Received From: (mis41) any->USB-Audit
Rule: 503002 fired (level 7) -> "USB Connected - Current Session Information"
Portion of the log(s):

ossec: output: 'USB-Audit':
ECHO is off.
 Volume in drive E is 2_4_2-32-I5
 Volume Serial Number is 4086-B0A1

 Directory of E:\

12/06/2011  10:51 AM           388,608 HijackThis.exe
03/04/2016  03:44 PM        22,908,888 mbam-setup-2.2.0.1024.exe
03/04/2016  03:46 PM             9,524 hijackthis.log
04/11/2016  03:08 PM               139 report.txt
03/30/2016  10:34 AM           545,957 Screenshot - 03302016 - 03%3A34%3A52 PM.png
02/10/2016  09:16 AM            72,176 Signage-Server.docx
11/14/2013  12:26 PM               557 add-printer.bat
02/29/2016  04:12 PM               406 ChatLog Meet Now 2016_02_29 15_12.rtf
04/18/2016  12:50 PM               319 dsafsadf
04/14/2016  04:02 PM            11,990 Management Interface10.docx
04/14/2016  04:01 PM            50,589 netscan.xml
11/03/2015  03:56 PM            10,846 Old Equipmentlist.xlsx
02/29/2016  03:01 PM            26,112 OneLink_Server_IP Schema all in one.xls
              13 File(s)     24,026,111 bytes

 Directory of E:\System Volume Information

--END OF NOTIFICATION

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
> [...]
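A PowerShell equivalent of the batch file above, added here as an example rather than taken from this thread or from OSSEC itself. It enumerates removable (DriveType=2) volumes through WMI the same way the batch file does, then writes one single-line record per volume and per file, which stays readable whether the whole listing arrives as one full_command event (as in the alert above) or each line becomes its own event under log_format command. It also emits an explicit marker when no removable volume is mounted instead of producing empty output. The report path and the USB-Audit prefix are assumptions.

```powershell
# ps-usb.ps1: added example, not the script from this thread. Enumerates
# removable (DriveType=2) volumes through WMI, as the batch file does, and
# emits one single-line record per volume and per file. Paths are assumptions.
param(
    [string]$OutFile = 'C:\temp\usb.txt'   # assumed report location
)

$ErrorActionPreference = 'Continue'
$records = @()

# Win32_Volume DriveType 2 = removable disk; skip volumes without a letter
$volumes = @(Get-WmiObject -Class Win32_Volume -Filter "DriveType=2" |
    Where-Object { $_.DriveLetter })

if ($volumes.Count -eq 0) {
    # Record the absence explicitly instead of producing empty output
    $records += 'USB-Audit: no removable volume mounted'
}

foreach ($v in $volumes) {
    $letter = $v.DriveLetter
    $records += ('USB-Audit volume={0} label="{1}" serial={2} fs={3} capacity={4}' -f
        $letter, $v.Label, $v.SerialNumber, $v.FileSystem, $v.Capacity)

    # -Force includes hidden files; unreadable folders such as
    # "System Volume Information" are skipped rather than aborting the run
    $files = @(Get-ChildItem -LiteralPath "$letter\" -Recurse -Force -File -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        $records += ('USB-Audit volume={0} file="{1}" size={2} mtime={3}' -f
            $letter, $f.FullName, $f.Length, $f.LastWriteTime.ToString('yyyy-MM-ddTHH:mm:ss'))
    }
    $records += ('USB-Audit volume={0} files={1}' -f $letter, $files.Count)
}

# Keep a copy on disk and print the records for the agent to collect
$records | Set-Content -Path $OutFile -Encoding ASCII
$records
```

Run it from the agent as a file rather than as an inline one-liner, for example with `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\ps-usb.ps1` as the `<command>` of the full_command localfile (the location is an assumption). Because the script writes its own report file, the command string needs no shell redirection and none of the nested quoting that the one-liner variants in this thread struggle with.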
[ossec-list] Re: USB storage detect & recursive file list
I have a batch script I wrote that could be used in place of PowerShell...

@echo off
rem Drive letter of the removable (drivetype=2) logical disk, via WMI
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
  set var=%%d
)
echo
rem Recursive listing of the removable drive, captured to a file and printed
dir /s %var% > C:\temp\test.txt
type C:\temp\test.txt
pause

The output is this when USB drives are available

 Volume in drive F is F
 Volume Serial Number is 2971-7DFC

 Directory of F:\

08/11/2015  09:21 PM        12,836,794 38 Special - Caught Up In You.mp4
08/11/2015  09:21 PM        13,973,320 38 Special - Hold On Loosely.mp4
08/11/2015  09:14 PM        10,296,703 Alanis Morissette - Hand In My Pocket.mp4
08/11/2015  09:15 PM        19,490,518 Alanis Morissette - Ironic OFFICIAL VIDEO.mp4
08/11/2015  07:46 PM        10,015,763 All That Remains - Hold On.mp4
08/11/2015  07:46 PM        14,173,662 All That Remains - What If I Was Nothing.mp4
08/11/2015  07:20 PM        14,071,850 Andy Grammer - Honey Im Good Official Music Video.mp4

And this when none are inserted (this being run from my user's Desktop directory... (was looking at running this .bat from the ossec agent side bin) or a subfolder of that..

 Volume in drive C has no label.
 Volume Serial Number is 84F7-A037

 Directory of C:\Program Files\ossec-agent\active-response\bin

04/20/2016  05:14 PM    <DIR>          .
04/20/2016  05:14 PM    <DIR>          ..
04/19/2016  05:30 PM               515 restart-ossec.cmd
04/19/2016  05:30 PM             1,520 route-null.cmd
04/20/2016  05:04 PM               215 usb.bat
               3 File(s)          2,250 bytes

     Total Files Listed:
               3 File(s)          2,250 bytes
               2 Dir(s)  860,057,559,040 bytes free

One of my concerns is that of getting this script's info into the email alerts as well as into OSSEC's host logs in order to search via a keyword, say "usb", in ELSA... I am still not totally up to speed on how this works..

On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
> Wonder if I could wrap it into a test.ps1 and execute through
> powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell..
>> [...]
[ossec-list] Re: USB storage detect & recursive file list
Wonder if I could wrap it into a test.ps1 and execute through

powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
> [...]
[ossec-list] Re: USB storage detect & recursive file list
Will try dropping the | select -Skip 2 from the Get-Content, see if that works, or maybe a -Raw output arg

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
> [...]
[ossec-list] Re: USB storage detect & recursive file list
I have nominal success with this ..

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
  <frequency>60</frequency>
  <alias>USBDevices</alias>
</localfile>

OSSEC HIDS Notification.
2016 Apr 19 19:46:53

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
    Directory: F:\

--END OF NOTIFICATION

It is missing the remaining content of that C:\temp\tmp.txt ... But I am close :)

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
> [...]
[ossec-list] USB storage detect & recursive file list
I have a basic Windows agent setting to alert me when a storage device is detected using PowerShell..

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
  <frequency>300</frequency>
  <alias>USBDevices</alias>
</localfile>

with the following rule in local_rules.xml

<rule id="503002" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'USBDevices'</match>
  <description>Mounted Device change detected</description>
</rule>

Of course I get this alert which is nice for basic logging..

OSSEC HIDS Notification.
2016 Apr 19 18:35:31

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':

Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
InterfaceType          : IDE
serialnumber           : 359ZMW6MS
Size                   : 1000202273280
MediaType              : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M

--END OF NOTIFICATION

I was playing around with PowerShell and have an optional command to print out USB storage device files recursively...

powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)

this gives me this output in a tmp.txt if run from a PowerShell window and/or the Run line.

    Directory: F:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/06/2015  12:38 PM       2290 mbam-setup-2.2.0.1024.exe
-a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe

    Directory: E:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        12/06/2011   9:51 AM     388608 HijackThis.exe
-a---        03/04/2016   2:44 PM       2290 mbam-setup-2.2.0.1024.exe
-a---        03/04/2016   2:46 PM       9524 hijackthis.log

I have been attempting to get the above USB recursive file lists into a USB detection report but have not had any success as of yet using the above command instead of the first, like below.

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
  <frequency>300</frequency>
  <alias>USBDevices</alias>
</localfile>

This gives me an empty C:\temp\test.txt file...

Any suggestions would be appreciated...

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
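The unfiltered gwmi win32_diskdrive query above lists every disk, including the fixed TOSHIBA drive, and reports the same state on every 300-second run. The script below is an added example, not the poster's command or anything shipped with OSSEC: it keeps only disks whose InterfaceType is USB and compares their serial numbers with a snapshot saved by the previous run, so the printed lines describe only what was inserted or removed since then. The snapshot path and the USBDevices line prefix are assumptions.

```powershell
# usbdetect.ps1: added example, not the poster's command. Lists only
# USB-attached disks and reports which appeared or disappeared since the
# previous run, so a rule can fire on the change rather than every interval.
# The snapshot path is an assumption; adjust to your environment.
param(
    [string]$SnapshotFile = 'C:\temp\usbdetect.snapshot'   # assumed location
)

function Get-UsbDiskRecord {
    # Win32_DiskDrive.InterfaceType is 'USB' for USB-attached disks; the fixed
    # SATA/IDE disks that the unfiltered query also returns are left out here.
    Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType='USB'" |
        ForEach-Object {
            [pscustomobject]@{
                Serial = ([string]$_.SerialNumber).Trim()
                Model  = $_.Model
                Size   = $_.Size
                Media  = $_.MediaType
            }
        }
}

$current        = @(Get-UsbDiskRecord)
$currentSerials = @($current | ForEach-Object { $_.Serial })

# Serials recorded by the previous run, one per line, if a snapshot exists
$previousSerials = @()
if (Test-Path -LiteralPath $SnapshotFile) {
    $previousSerials = @(Get-Content -LiteralPath $SnapshotFile | Where-Object { $_ })
}

$lines = @()
foreach ($d in $current) {
    if ($previousSerials -notcontains $d.Serial) {
        $lines += ('USBDevices: added serial={0} model="{1}" size={2} media="{3}"' -f
            $d.Serial, $d.Model, $d.Size, $d.Media)
    }
}
foreach ($s in $previousSerials) {
    if ($currentSerials -notcontains $s) {
        $lines += ('USBDevices: removed serial={0}' -f $s)
    }
}

# Persist the current state for the next run and print only the changes
Set-Content -LiteralPath $SnapshotFile -Value $currentSerials -Encoding ASCII
$lines
```

Registered as a full_command localfile with a command such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\temp\usbdetect.ps1` (path assumed), this produces output only when the set of USB disks changes, so a local rule whose `<match>` is `USBDevices: added` alerts on insertion alone, and the serial number in the line is what to pivot on when correlating the same device across several agents.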
[ossec-list] Re: windows active response logic
Forgot that part before bed. Question is: is it possible for a Windows agent to have an active response, let's say to network scans?

On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote:
> Hello Folks,
>
> Could someone help me wrap my head around the windows active response
> mechanism?
>
> If I understand correctly, the active response / bin folder on the server
> will house my .CMD file containing my windows response actions?
>
> What I would like to do is have active response fire on an event such as:
>
> 18100
>
> Which would then run my .cmd file, where I want to run an executable that
> I have already packaged.
>
> My question here is: what is the logic to run my packaged executable from
> the .cmd file? Where do I store my packaged executable, how does it get to
> the client agent to fire? Where will it fire from, so that I may have the
> correct syntax in my .cmd file? Can the package be pushed from the server
> to all windows agents once they refresh somehow?
>
> I do understand the basics as to how to set up active response in the .conf
> file on the server ossec.conf file and where to turn it ON in the agent
> side .conf file. How can I turn ON all the agents' active response from the
> server? (Currently I only know how to manually update the file at each
> client.)
>
> Any pointers from the Gurus would be greatly appreciated. =)
>
> Thanks much Guys!!
>
> Rob
[ossec-list] Re: windows active response logic
I am as well interested in this process in regards to OSSEC and Windows active response. I am considering a deployment on an AD-controlled business environment. Was considering active response for Windows clients when network scans are detected, nmap, Nessus, MBSA, etc., as well as logging any time, past or future, when an external storage device (USB) is detected on a Windows client. Any insight on how OSSEC governs its active response on Windows agents would be helpful.

On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote:
> Hello Folks,
>
> Could someone help me wrap my head around the windows active response
> mechanism?
> [...]

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.