[ossec-list] Re: OSSEC Agent not works

2017-04-15 Thread Kat
It really sounds like you are missing a step -- perhaps post the steps you 
do for the install, adding an agent etc, showing the commands and results. 
We need something more to help you. 

Kat

On Thursday, April 13, 2017 at 5:24:32 PM UTC-5, Руслан Аминджанов wrote:
>
> Hello!
> I installed OSSEC server and client on 2 hosts, however the agent showed as 
> "Never connected". There is no firewall between these hosts, and if I use 
> netcat to connect to the server its log shows that the message is not properly 
> formatted.
> Output of tcpdump:
>
> 00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
>
> 00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
>
> 00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
>
> 00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
>
> 00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
>
> 00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
>
> 00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
>
> 00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Real time monitoring hidden files or hidden folder

2017-03-23 Thread Kat
I actually monitor

 /home/*.ssh,/root/.ssh

And have AR set that if a new directory appears in /home, it restarts the 
agent so it adds it to the wildcard.

On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com 
wrote:
>
> Recently, we have been trying to use OSSEC to monitor ~/.ssh/authorized_key in 
> real time. But it seems it only works for the periodic system integrity check, 
> not in real time. I checked the /var/ossec/queue/diff 
> folder; it recorded all the changes under that folder, but since .ssh is a 
> hidden folder, I cannot get real-time file change alerts from the ossec 
> manager. Does anyone know how to fix this?
>



[ossec-list] Re: Agentless ssh monitoring fails to connect every time

2017-03-21 Thread Kat
Hi,

Could you post the log entries? Also, an ssh -vvv output would help to see 
what is going on. It is clearly a connection problem, but hard to diagnose 
based on what you have posted.

Kat

On Friday, March 17, 2017 at 10:20:58 PM UTC-5, Marcin Gołębiowski wrote:
>
> I can't seem to make the agentless monitoring work. I added two remote 
> boxes with /var/ossec/agentless/register_host.sh and configured a 
> passwordless connection, generating ssh keys for user ossec. However, after 
> restarting ossec the connection to the remote server fails every time. 
> Ossec.log shows: ossec-agentlessd: ERROR: ssh_integrity_check_linux: 
> us...@remote.server.pl : Public key authentication failed to 
> host: us...@remote.server.pl . I tried to connect with a 
> password but this time I got a timeout: ERROR: ssh_integrity_check_linux: 
> u...@remote.server.pl : Timeout while connecting to host: 
> us...@remote.server.pl . I checked the .passlist file and the 
> passwords are correct. What is more - I am able to ssh to the remote server 
> using the id_rsa generated for the ossec user, so theoretically ossec should connect 
> with the NOPASS option. But it doesn't. I am in the dark. Server is Ubuntu 
> Server 16.04, OSSEC version 2.8.3, expect installed, firewall disabled. Any 
> ideas?
>



[ossec-list] Re: Need information about Application installation via OSSEC

2017-03-21 Thread Kat
You could set the appropriate folders, assuming a *nix system, such as 
/bin,/usr/bin,/sbin,/usr/sbin for realtime monitoring and new file alerts. 
Then if a package is installed, regardless of whether via YUM or dpkg/apt, or 
even by just copying it into place, you would still get an alert.

Kat

On Monday, March 20, 2017 at 7:04:18 AM UTC-5, Jayalaxmi K wrote:
>
> Hi Team,
>
> Could you please let me know if application installation can be 
> monitored using OSSEC?
> Please let me know the rule for the same.
>
> Thanks in advance
> Jaya
>

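A worked ossec.conf fragment tying together the two questions above: the realtime watch on the per-user .ssh directories from the hidden-folder thread, and the watch on the binary directories Kat suggests here for catching installs. This is an added example, not configuration from any of the posts. The paths are the ones named on the page, except that the home-directory pattern is written /home/*/.ssh (one level deeper than Kat's line); it assumes a Linux agent whose OSSEC build has inotify support, which realtime="yes" needs.

```xml
<!-- Added example: syscheck section for an agent's ossec.conf (not from the list posts) -->
<ossec_config>
  <syscheck>
    <!-- Periodic full scan in seconds; the realtime watches fire between scans -->
    <frequency>7200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- A leading dot hides a name from a plain ls, not from inotify, so .ssh is
         watched like any other directory. The wildcard covers each user's home. -->
    <directories realtime="yes" check_all="yes">/root/.ssh,/home/*/.ssh</directories>

    <!-- Binary directories: a new file here is a new program, however it arrived
         (yum, dpkg/apt, or a plain copy into place) -->
    <directories realtime="yes" check_all="yes">/bin,/usr/bin,/sbin,/usr/sbin</directories>

    <!-- Without this, a newly created file is recorded in the database but never alerted on -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

Two caveats follow from the threads themselves. The wildcard is expanded when syscheck starts, so a home directory created afterwards is not watched until the agent restarts (Kat's active-response restart trick exists for exactly this). And the stock rule that fires for a new file (rule 554) is level 0 in the shipped rule set, so <alert_new_files> produces nothing visible until that rule's level is raised in local_rules.xml.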


[ossec-list] Re: Modify rules

2017-03-21 Thread Kat
One other bit of information - the "read only" error has nothing to do with 
OSSEC itself. It is simply a warning based on Linux saying that the file is 
marked without the "W" attribute. You can resolve this from "vi" by simply 
using a "w" upon exit. For example, after you edit the sshd_rules.xml, 
enter 

 :wq!

That will overwrite the file. However, any changes to the built-in files 
will be overwritten next time you upgrade, so Victor's comment about using 
local_rules.xml is actually more correct.

Kat

On Monday, March 20, 2017 at 1:56:29 PM UTC-5, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to 
> change a rule.  In the ossec.conf it says this
>
>
>   <active-response>
>     <command>host-deny</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> I am assuming the level it is referring to is the level set in the 
> rule.xml. So the sshd_rules.xml has this line.
>
>
>>     5700
>>     ^Failed|^error: PAM: Authentication
>>     SSHD authentication failed.
>>     authentication_failed,
>
>
> When testing failed ssh logins I see the alert in the alert.log for the 
> rule above. How should I go about changing the level to 6 so it will get 
> blocked? I tried editing the sshd_rules.xml but get the read only warning. 
>



[ossec-list] Re: OSSEC real-time monitoring with hidden files

2017-03-21 Thread Kat
Good morning,

You seem to have posted this question twice, so I will just answer this 
one. I have this running on all my systems and it easily works without an 
issue. You have to make sure the right packages are installed for Realtime. 
Hidden files do not bother OSSEC - a hidden file is simply a file named 
with a leading "." dot, but that does not alter the fact that it has an 
inode and a directory entry.  Make sure you have the "inotify" package 
installed. Also, you might want to post your config file. One other issue 
is that if the file did not exist prior to starting OSSEC and you do not 
have alerting on new files setup, then you may not see the alerts either.

I use this feature for monitoring in realtime if users put SSH private keys 
on a public server, rather than their laptop. I have AR setup to remove any 
private keys immediately upon alert generation.

Cheers
Kat

On Monday, March 20, 2017 at 10:47:15 PM UTC-5, jingxu...@bettercloud.com 
wrote:
>
> Recently, we have been trying to use OSSEC to monitor the files 
> ~/.ssh/authorized_key in real time, but it seems it can only detect them via 
> syscheck, not in real time. I checked the /var/ossec/queue/diff folder; it 
> recorded all the changes, but because the .ssh folder is hidden I cannot 
> get real-time alerts from the OSSEC manager. Does anyone know how to fix 
> this, or has OSSEC ever considered this function before? 
>

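An added example of the local_rules.xml approach Kat recommends in the rule-modification thread above, combined with the new-file alerting she mentions here. OSSEC's overwrite="yes" attribute lets a local copy of a stock rule replace it, so the change is not lost on upgrade, which editing sshd_rules.xml with :wq! would be. This is example configuration, not text from any post; the rule ids come from the stock OSSEC rule set (5716 is the sshd "authentication failed" rule whose body is quoted above with its opening tag lost, 554 is the syscheck "file added" rule), and the overwriting rule must repeat the original's conditions because it replaces the rule rather than amending it.

```xml
<!-- Added example: /var/ossec/rules/local_rules.xml (not from the list posts) -->
<group name="local,syslog,sshd,">

  <!-- Same id and conditions as the stock rule in sshd_rules.xml, with the level
       raised to 6 so the level-6 active response in ossec.conf runs host-deny.
       overwrite="yes" replaces the stock rule instead of adding a duplicate. -->
  <rule id="5716" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Stock rule 554 (a file added, reported by syscheck) ships at level 0, so
       alert_new_files produces nothing visible until it is raised. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

</group>
```

One design caveat on the first override: at level 6 a single mistyped password now blocks the source address for the 600 seconds configured in the active response, including your own. Many deployments leave the single-failure rule where it is and let the stock "multiple authentication failures" correlation rule, which already sits above level 6, carry the block.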


[ossec-list] Is OSSEC 2.9.0 officially released?

2017-03-06 Thread Kat
Hi all,

It seems to me that 2.9.0 is released - at least no more RC# after the last 
one. My question is, is this the case, and if so, could the website be 
updated to reflect it? According to GitHub the release was 25 days ago, 
but the website still indicates 2.8.3?

Thanks
Kat



[ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-26 Thread Kat
I'll write something up and submit it. 
Kat

On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not having a good day.
>
> I was starting to run out of space on my / volume as a result of ossec 
> logs piling up.   i need to keep the logs, so i added a new drive (to the 
> ossec VMW vm) mounted it and then moved the logs/ directory to the new 
> mount.
>
> now, when starting ossec, ossec-analysisd won't start.  I think it's 
> trying to chroot and can't cross the filesystem boundary...?
>
> 2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
>> not accessible: 'Connection refused'.
>> 2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue 
>> '/queue/alerts/execq' not accessible: 'Connection refused'.
>> 2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init 
>> completed.
>> 2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create 
>> directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].
>
>
> and
>
> [root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
>> drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
>> [root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
>> total 24
>> dr-xr-x---  16 root  ossec 4096 Jan 13 18:55 .
>> drwxr-xr-x. 20 root  root  4096 Jan 13 19:21 ..
>> dr-xr-x---   3 root  ossec   16 Jan 12 22:05 active-response
>> dr-xr-x---   2 root  ossec 4096 Oct  6 13:37 agentless
>> drwxr-x---   3 root  ossec   19 Oct  6 13:37 backup
>> dr-xr-x---   2 root  root  4096 Jan 12 18:43 bin
>> dr-xr-x---   5 root  ossec 4096 Jan 13 16:34 etc
>> drwxr-x---   2 root  ossec   34 Oct  6 13:37 integrations
>> lrwxrwxrwx   1 root  root16 Jan 13 18:55 logs -> /data/logs/ossec
>> dr-xr-x---   4 root  root34 Oct  6 13:37 lua
>> dr-xr-x---  11 root  ossec  150 Oct  6 13:38 queue
>> dr-xr-x---   2 root  ossec 4096 Oct 17 13:36 rules
>> drwx--   2 root  ossec6 Oct  6 13:37 .ssh
>> drwxr-x---   5 ossec ossec   61 Oct  6 13:57 stats
>> dr-xr-x--T   2 root  ossec6 Oct  6 13:37 tmp
>> dr-xr-x---   3 root  root20 Oct  6 13:37 update
>> dr-xr-x---   3 root  ossec   16 Jan 13 19:24 var
>
>
> do I need to keep it all on the same volume?
>
> thanks!
>
> Joel
>



[ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-25 Thread Kat
My bad - I should have explained "bind" a bit more.  This is actually part 
of the FUSE filesystem (http://bindfs.org)
You will need to install fuse utils and Userspace programs -- example:

# yum search fuse

fuse.x86_64 : File System in Userspace (FUSE) utilities

I could write it all up -- perhaps I will do a quick userguide doc that can 
be added to OSSEC.  I specifically use this method with sshfs to mount a 
larger file store on the backend of my OSSEC managers.

Kat

On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not having a good day.
>
> I was starting to run out of space on my / volume as a result of ossec 
> logs piling up.   i need to keep the logs, so i added a new drive (to the 
> ossec VMW vm) mounted it and then moved the logs/ directory to the new 
> mount.
>
> now, when starting ossec, ossec-analysisd won't start.  I think it's 
> trying to chroot and can't cross the filesystem boundary...?
>
> 2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
>> not accessible: 'Connection refused'.
>> 2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue 
>> '/queue/alerts/execq' not accessible: 'Connection refused'.
>> 2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init 
>> completed.
>> 2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create 
>> directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].
>
>
> and
>
> [root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
>> drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
>> [root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
>> total 24
>> dr-xr-x---  16 root  ossec 4096 Jan 13 18:55 .
>> drwxr-xr-x. 20 root  root  4096 Jan 13 19:21 ..
>> dr-xr-x---   3 root  ossec   16 Jan 12 22:05 active-response
>> dr-xr-x---   2 root  ossec 4096 Oct  6 13:37 agentless
>> drwxr-x---   3 root  ossec   19 Oct  6 13:37 backup
>> dr-xr-x---   2 root  root  4096 Jan 12 18:43 bin
>> dr-xr-x---   5 root  ossec 4096 Jan 13 16:34 etc
>> drwxr-x---   2 root  ossec   34 Oct  6 13:37 integrations
>> lrwxrwxrwx   1 root  root16 Jan 13 18:55 logs -> /data/logs/ossec
>> dr-xr-x---   4 root  root34 Oct  6 13:37 lua
>> dr-xr-x---  11 root  ossec  150 Oct  6 13:38 queue
>> dr-xr-x---   2 root  ossec 4096 Oct 17 13:36 rules
>> drwx--   2 root  ossec6 Oct  6 13:37 .ssh
>> drwxr-x---   5 ossec ossec   61 Oct  6 13:57 stats
>> dr-xr-x--T   2 root  ossec6 Oct  6 13:37 tmp
>> dr-xr-x---   3 root  root20 Oct  6 13:37 update
>> dr-xr-x---   3 root  ossec   16 Jan 13 19:24 var
>
>
> do I need to keep it all on the same volume?
>
> thanks!
>
> Joel
>



[ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-24 Thread Kat
There is a work-around which I have used. 
Dan is correct - you can't get to the folder outside of the chroot-ed jail. 
You can however, bring the folder in via:

mount --bind /var/ossec/logs /data/logs/ossec

The trick is to bind the directory so the system still thinks it is part of 
the jail.

Cheers
Kat

On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not having a good day.
>
> I was starting to run out of space on my / volume as a result of ossec 
> logs piling up.   i need to keep the logs, so i added a new drive (to the 
> ossec VMW vm) mounted it and then moved the logs/ directory to the new 
> mount.
>
> now, when starting ossec, ossec-analysisd won't start.  I think it's 
> trying to chroot and can't cross the filesystem boundary...?
>
> 2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
>> not accessible: 'Connection refused'.
>> 2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue 
>> '/queue/alerts/execq' not accessible: 'Connection refused'.
>> 2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to 
>> active response queue.
>> 2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init 
>> completed.
>> 2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create 
>> directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].
>
>
> and
>
> [root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
>> drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
>> [root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
>> total 24
>> dr-xr-x---  16 root  ossec 4096 Jan 13 18:55 .
>> drwxr-xr-x. 20 root  root  4096 Jan 13 19:21 ..
>> dr-xr-x---   3 root  ossec   16 Jan 12 22:05 active-response
>> dr-xr-x---   2 root  ossec 4096 Oct  6 13:37 agentless
>> drwxr-x---   3 root  ossec   19 Oct  6 13:37 backup
>> dr-xr-x---   2 root  root  4096 Jan 12 18:43 bin
>> dr-xr-x---   5 root  ossec 4096 Jan 13 16:34 etc
>> drwxr-x---   2 root  ossec   34 Oct  6 13:37 integrations
>> lrwxrwxrwx   1 root  root16 Jan 13 18:55 logs -> /data/logs/ossec
>> dr-xr-x---   4 root  root34 Oct  6 13:37 lua
>> dr-xr-x---  11 root  ossec  150 Oct  6 13:38 queue
>> dr-xr-x---   2 root  ossec 4096 Oct 17 13:36 rules
>> drwx--   2 root  ossec6 Oct  6 13:37 .ssh
>> drwxr-x---   5 ossec ossec   61 Oct  6 13:57 stats
>> dr-xr-x--T   2 root  ossec6 Oct  6 13:37 tmp
>> dr-xr-x---   3 root  root20 Oct  6 13:37 update
>> dr-xr-x---   3 root  ossec   16 Jan 13 19:24 var
>
>
> do I need to keep it all on the same volume?
>
> thanks!
>
> Joel
>

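The three replies above on the relocated logs directory come down to one question: does a path OSSEC reaches from inside its chroot still resolve inside /var/ossec? A symlink such as logs -> /data/logs/ossec does not, because the link is followed after the chroot and its target does not exist inside the jail; a bind mount does, because the kernel attaches the outside directory at the jail path. The script below is an added example, not code from any post: it checks a path against a jail root the way the kernel would resolve it, and prints the bind mount and the /etc/fstab line that make the relocation survive a reboot. Note that mount --bind takes the directory holding the data first and the mount point inside the jail second.

```shell
#!/bin/sh
# Added example (not from the list posts): tell whether a path stays inside an
# OSSEC-style chroot, and print the bind mount that brings outside storage in.
# Assumes GNU coreutils (readlink -f) and Linux mount(8) semantics.

# check_inside_chroot ROOT PATH
# Resolves both arguments, following symlinks as the kernel does, and prints
# "inside" if PATH ends up under ROOT, "outside" otherwise.
# Exit status: 0 = inside, 1 = outside, 2 = PATH cannot be resolved.
check_inside_chroot() {
    ci_root=$(readlink -f "$1") || return 2
    ci_target=$(readlink -f "$2") || return 2
    [ -e "$ci_target" ] || return 2
    case "$ci_target" in
        "$ci_root"|"$ci_root"/*) echo "inside";  return 0 ;;
        *)                       echo "outside"; return 1 ;;
    esac
}

# bind_mount_cmd OUTSIDE JAIL_PATH
# The directory that actually holds the data comes first, the path inside the
# jail second; after this, processes in the chroot see the outside directory.
bind_mount_cmd() {
    printf 'mount --bind %s %s\n' "$1" "$2"
}

# fstab_line OUTSIDE JAIL_PATH
# Equivalent /etc/fstab entry so the bind is re-established at boot.
fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Demo with the paths from the thread. Nothing is mounted; the commands are
# only printed, and the live check runs only where /var/ossec exists.
bind_mount_cmd /data/logs/ossec /var/ossec/logs
fstab_line /data/logs/ossec /var/ossec/logs
if [ -d /var/ossec ]; then
    check_inside_chroot /var/ossec /var/ossec/logs || true
fi
```

Run it on the manager before restarting OSSEC: "outside" for /var/ossec/logs means analysisd will hit the same "Could not create directory" error shown in the thread, since from inside the jail the symlink target is simply missing. A bind mount (or bindfs, as Kat's second reply describes) turns that result into "inside" without moving the data back onto the root volume.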


[ossec-list] Re: OSSEC watching SQL

2017-01-24 Thread Kat
Sort of.
One of the things I did with OSSEC and mySQL - as I had critical tables 
that I wanted to know when they were being accessed - was to create a mySQL 
trigger that would write a logfile entry anytime the table was accessed, with 
all the information needed. OSSEC of course picked this up and alerted me. 

Take a look here - 
http://www.mysqltutorial.org/create-the-first-trigger-in-mysql.aspx

And they have a good example showing an "Employees" table that they want 
to keep track of. It is not that hard, and the performance hit is negligible. 
Obviously if you tried to do a trigger on each insert for the entire 
database, that would kill it, but you can do a lot of creative things 
with OSSEC. 

Cheers
Kat

On Sunday, January 8, 2017 at 7:19:34 AM UTC-6, Mike Hammett wrote:
>
> My current centralized logging environment stores syslog in MySQL. Can 
> OSSEC watch a SQL database instead of a file?
>



[ossec-list] Re: Maximum Number of Agents Allowed

2017-01-22 Thread Kat
In case anyone is curious - with proper server sizing, I have run OSSEC 
Managers with 20-30,000 agents connected.

:-)
Kat

On Thursday, August 18, 2011 at 4:49:26 AM UTC-5, PJG wrote:
>
> Dear All, 
>
> We are planning on ramping up our OSSEC deployment. 
>
> There's a warning which is seen in the log files which states: 
>
> INFO: Maximum number of agents allowed: '256'. 
>
> Does anyone know if this is an actual limit, or simply recommended? 
>
> Also if it is breached, does this have any impact on the service? 
>
> If so, is there anyway to increase this amount? 
>
> Thanks 
>
> Pip



[ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-22 Thread Kat
The Wazuh fork is actually newer, but regardless there should never be a 
conflict from 2.x to 2.x with agent and server. When you say "conflict" - 
can you be more specific on the error you are seeing?

Kat

On Friday, January 20, 2017 at 5:14:09 PM UTC-6, Alejandro M wrote:
>
> Hello all. I just installed the Wazuh fork on a server but after a bit of 
> tinkering, I realized there were issues between a previously installed 
> agent and this server. 
>
> After searching for information, it seems the error is that the agent 
> version (2.8.3) is newer than what comes with Wazuh, which apparently is 
> 2.8, and it causes a conflict. 
>
> Could I update Wazuh's OSSEC with the official ossec files so the server 
> matches the agent, without risk of losing my configurations (logstash, etc.), 
> or should I just use the Wazuh files for agent installation?
>



Re: [ossec-list] Re: Profiles and agents

2017-01-20 Thread Kat
I already did. :-) 
#1027

On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote:
>
> On Tue, Jan 17, 2017 at 3:06 PM, Kat <uncom...@gmail.com > 
> wrote: 
> > The problem is simple - the install.sh is where this is taken care of, 
> but 
> > no one ever bothered to add the code when they added the variable of 
> > USER_AGENT_CONFIG_PROFILE. 
> > 
>
> If you submit a pull request I'll bother with it right now. 
>
> > Take a look at install.sh and find the top bit of code here -- and you 
> will 
> > see the part I added to fix the PROFILE: 
> > 
> > echo "" > $NEWCONFIG 
> > 
> > echo "  " >> $NEWCONFIG 
> > 
> > if [ "X${IP}" != "X" ]; then 
> > 
> > echo "$IP" >> $NEWCONFIG 
> > 
> > elif [ "X${HNAME}" != "X" ]; then 
> > 
> > echo "$HNAME" >> 
> $NEWCONFIG 
> > 
> > fi 
> > 
> > # add this block to check for and add a preset profile name for the 
> > agent (from preloaded-vars.conf) 
> > 
> > if [ "$X{USER_AGENT_CONFIG_PROFILE}" != "X" ]; then 
> > 
> >  PROFILE=${USER_AGENT_CONFIG_PROFILE} 
> > 
> >  echo "$PROFILE" >> 
> $NEWCONFIG 
> > 
> > fi 
> > 
> > # end of added PROFILE block 
> > 
> > echo "  " >> $NEWCONFIG 
> > 
> > echo "" >> $NEWCONFIG 
> > 
> > 
> > Cheers 
> > Kat 
> > 
> > On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić 
> wrote: 
> >> 
> >> Hello list, 
> >> 
> >> I am having trouble setting up agent's ossec.conf by the install.sh 
> >> script correctly. 
> >> Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to 
> >> something, doesn't create a  setting in ossec.conf .. 
> >> 
> >> Another thing: How to get a minimal ossec.conf on agents autmatically. 
> >> So that only server and profile settings are kept in ossec.conf and all 
> >> the rest only in agent.conf ? 
> >> 
> >> Thanks in advance 
> >> 
> >> 
> >> -- 
> >> Slobodan 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>



[ossec-list] Re: Profiles and agents

2017-01-17 Thread Kat
minor typo on this line:
 echo "$PROFILE" >> $NEWCONFIG

that should read  

echo "$PROFILE" >> $NEWCONFIG



On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić wrote:
>
> Hello list, 
>
> I am having trouble setting up the agent's ossec.conf by the install.sh 
> script correctly. 
> Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to 
> something doesn't create a setting in ossec.conf .. 
>
> Another thing: how to get a minimal ossec.conf on agents automatically, 
> so that only server and profile settings are kept in ossec.conf and all 
> the rest only in agent.conf? 
>
> Thanks in advance 
>
>
> -- 
> Slobodan 
>



[ossec-list] Re: Profiles and agents

2017-01-17 Thread Kat
The problem is simple - the install.sh is where this is taken care of, but 
no one ever bothered to add the code when they added the variable of 
USER_AGENT_CONFIG_PROFILE.

Take a look at install.sh and find the top bit of code here -- and you will 
see the part I added to fix the PROFILE:

# (The XML tags inside the echo strings were stripped when this post was
# archived; they are restored here from the OSSEC install.sh.)
echo "<ossec_config>" > $NEWCONFIG
echo "  <client>" >> $NEWCONFIG

if [ "X${IP}" != "X" ]; then
    echo "    <server-ip>$IP</server-ip>" >> $NEWCONFIG
elif [ "X${HNAME}" != "X" ]; then
    echo "    <server-hostname>$HNAME</server-hostname>" >> $NEWCONFIG
fi

# add this block to check for and add a preset profile name for the
# agent (from preloaded-vars.conf); the X prefix keeps the test valid
# when the variable is unset
if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then
    PROFILE=${USER_AGENT_CONFIG_PROFILE}
    echo "    <config-profile>$PROFILE</config-profile>" >> $NEWCONFIG
fi
# end of added PROFILE block

echo "  </client>" >> $NEWCONFIG
echo "</ossec_config>" >> $NEWCONFIG


Cheers
Kat

On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić wrote:
>
> Hello list, 
>
> I am having trouble setting up the agent's ossec.conf by the install.sh 
> script correctly. 
> Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to 
> something doesn't create a setting in ossec.conf .. 
>
> Another thing: how to get a minimal ossec.conf on agents automatically, 
> so that only server and profile settings are kept in ossec.conf and all 
> the rest only in agent.conf? 
>
> Thanks in advance 
>
>
> -- 
> Slobodan 
>



[ossec-list] Different branches?

2016-09-05 Thread Kat
Hi all,

Trying to figure out the different branches right now and what has been 
integrated and what has not. Right now there seems to be the main branch, 
then there is Dan's - (is that the main branch too?) and then there is 
Wazuh, and of course Atomic. 

Can someone summarize the different branches and make my brain stop 
contorting please :-)  I want to get all the best parts of all the 
enhancements from all the teams, but I am not quite sure there is one 
branch that incorporates them all? Then again, I could be completely wrong? 

Kat



[ossec-list] Re: Getting this OSSEC Notification of an Alert Level 7

2016-08-31 Thread Kat
Wouldn't it be easier rather than to modify the rule - simply add these to 
the ignores with -

/dev/oracleasm

?? 
Just a thought.
Kat

On Tuesday, August 30, 2016 at 9:12:33 AM UTC-5, Stephen LuShing wrote:
>
> I have been getting this notification which I am trying to fix. This is a 
> normal occurrence since this is an oracle database using ASM disks. The 
> notification is the same but the file changes. Here is what we received
>
> OSSEC HIDS Notification.
>
> 2016 Aug 30 08:33:48
>
>  
>
> Received From: (lxbanrdt2) 147.4.146.155->rootcheck
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event 
> (rootcheck)."
>
> Portion of the log(s):
>
> File '/dev/oracleasm/iid/19BE' present on /dev. Possible 
> hidden file.
>
>  --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
>
> 2016 Aug 30 08:33:48
>
> I want to have this notification ignored so any ideas on how to do this.
>
>
> Stephen LuShing
>
> Hofstra University
>
>
>



[ossec-list] 2.9 track?

2016-08-31 Thread Kat
Hi all --

Just wondering on the status of 2.9 RC2? Been several weeks now. Any 
updates on the final release?

Thanks
Kat



[ossec-list] Re: Help with Stand alone implementation on Red Hat Enterprise 6

2016-08-23 Thread Kat
Shawn,

ossec-hids is the base package containing, what you might call, the 
"building blocks" -- things like the username configs, folders, scripts to 
setup permissions, etc.  However, you have not set the "function" of the 
box, so yes, you do need the "server" package.  You don't need to add the 
client as well, since the server will do just fine on its own.  So install 
ossec-hids and ossec-hids-server.  

That should get you going just fine.
Cheers
Kat

On Monday, August 22, 2016 at 12:59:28 PM UTC-5, Shawn Wiley wrote:
>
> I have a pair of Red Hat 6 servers which will be deployed "high risk" 
> internet facing. I'd like to install the OSSEC software to monitor for 
> changes to the server, root kits, and compliance checking.  I have 
> successfully deployed OSSEC before as an agent talking back to an OSSEC 
> server, but I would like to do this install as a stand alone device so I do 
> not have to open up communications into my internal LAN. I see on Red Hat's 
> yum server there is an "ossec-hids.x86_64 2.8.3-53.el6.art" but when I 
> install this file many of the required binaries seem to be missing. Can I 
> install only this package and configure it to run OSSEC, or do I need to 
> also install the ossec-hids-server.x86_64 or ossec-hids-client.x86_64 to 
> make ossec run as a stand alone? The server file has a few additional 
> dependencies which I'd rather not install unless I have to. Has anyone 
> written up exactly which files are required to build a stand alone OSSEC 
> instance? I know I can build and install OSSEC on my server and that works, 
> but I need to be able to deploy via an RPM. Otherwise it will be too much 
> manual work to build OSSEC on all of my servers. Any advice on how to 
> install OSSEC as a stand alone device via YUM or RPM packages would be 
> greatly appreciated. Even advice as to which RPMs need to be installed 
> would be helpful: is it only hids, or is it hids client or hids server?
>
> Thanks,
>
> Shawn 
>
>
>
>
>
>
> ossec-hids.x86_64             2.8.3-53.el6.art
> ossec-hids-server.x86_64      2.8.3-53.el6.art
> ossec-hids-client.x86_64      2.8.3-53.el6.art
> ossec-hids-debuginfo.x86_64   2.8.3-53.el6.art
> ossec-hids-mysql.x86_64       2.8.3-53.el6.art
> ossec-hids-server.x86_64      2.8.3-53.el6.art
> ossec-wui.noarch              0.8-4.el6.art
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: ERROR: Unable to send file 'merged.mg' to agent.

2016-08-03 Thread Kat
One thing to also check is permissions and ownership on "merged.mg" - many 
times I see it get mucked up and OSSEC can't read it. I have found that if 
I delete it, then restart OSSEC it will be re-created and it no longer has 
issues sending the file after that.  (Not sure WHY it happens though)

Cheers
Kat

(PS - Hi Graeme!)

On Thursday, July 28, 2016 at 11:43:32 AM UTC-5, Graeme Stewart wrote:
>
> Seeing a lot of errors in the logfiles like this:
>
> 2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg' 
> to agent.
> 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted 
> message.
> 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg' 
> to agent.
> 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted 
> message.
> 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg' 
> to agent.
> 2016/07/28 16:41:52 ossec-remoted(1217): ERROR: Error creating encrypted 
> message.
> 2016/07/28 16:41:52 ossec-remoted: ERROR: Unable to send file 'merged.mg' 
> to agent.
> 2016/07/28 16:41:52 ossec-remoted(1217): ERROR: Error creating encrypted 
> message.
> 2016/07/28 16:41:52 ossec-remoted: ERROR: Unable to send file 'merged.mg' 
> to agent.
> 2016/07/28 16:41:54 ossec-remoted(1217): ERROR: Error creating encrypted 
> message.
> 2016/07/28 16:41:54 ossec-remoted: ERROR: Unable to send file 'merged.mg' 
> to agent.
> 2016/07/28 16:41:56 ossec-remoted(1217): ERROR: Error creating encrypted 
> message.
>
> Any guidance on troubleshooting? Search hasn't turned up much other than 
> delete merged.mg and restart (which we've tried to no success)...
>



[ossec-list] Re: can we re-use agentID's

2016-08-03 Thread Kat
Hmm -- I re-use IDs all the time. Did it when I had 30,000+ agents, and now 
with only 10,000.  You just have to delete the key (I don't like that they 
are commented out) and make sure you remove the rids agent files in 
/var/ossec/queue/ossec/rids - find the number of the agent you removed and 
remove that file. Then you are free to re-use agent IDs all the time.  

Cheers
Kat

On Thursday, July 28, 2016 at 2:03:34 PM UTC-5, Chanti Naani wrote:
>
> Hi,
> We have a pretty decent implementation of the ossec with max clients set 
> to 3000. 
> So far we have generated close to 2900 client keys  with in the past 1 
> year. 
> But at the same time , a lot of people moved out and almost 500 endpoints 
> are not in use. 
>
> If we delete those 500 endpoints (using /var/ossec/bin/manage_agents -r 
> $id) , will we be able to add 500 new clients to the ossec server? 
> without re-compiling the ossec authd server with increased set MAX_AGENTS)
>
> we are running:
>
> OSSEC HIDS v2.8 
>
> Thanks.
>



[ossec-list] Re: Too much noise in alerts

2016-07-11 Thread Kat
Hi Brad,

My guess is you have extended auditing enabled. Both of these alerts are 
typical of access requests (file handles) or successful use of privs - in 
both cases, I would be more interested in failed use of privs and/or 
blocked access. However, you have to judge for your environment.  Without 
knowing everything about your setup, I would say you could probably safely 
ignore these for now, then focus on the rest of the alerts to try to get a 
clear understanding of what "normal" is.

Cheers
Kat

On Friday, July 8, 2016 at 2:34:20 PM UTC-5, Brad Carey wrote:
>
> We have deployed OSSEC company wide to probably 60-80 PCs and servers. 
> Problem is our hourly emails are 4-5MB, way too much to wade through. The 
> vast majority of the events are Event ID 4656, with a good number of Event 
> ID 4673 too. How do I determine whether or not I can suppress all of these 
> from the alert emails? I don't mean in the technical sense, but security 
> sense. Might these particular events ever be thrown when there is malicious 
> activity?
>
> Thanks!
>



[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-13 Thread Kat
You should disable RIDS:

remoted.verify_msg_id=0

The errors should go away. The problem is, RIDS must be removed on both 
agent and server, that may be causing issues.

Kat

On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>
> Hi,
>
>  
>
> I have been using Ossec for quite a while and we decided to upgrade the 
> version (2.7.1) to 2.8.3 and that was relatively successful except for the 
> fact that it pulled a number on my Ossec.conf by creating indent problems 
> and adding open brackets in the wrong area but anyway it works. My issue is 
> that for the moment our client will not update the OSSEC agents and wish to 
> keep the 2.7.1 , I have not seen any documentation that would indicate a 
> compatibility issue however I noticed that no matter what I do , the agents 
> will end up disconnecting. They will start out all active and then after 20 
> minutes or so they will all be disconnected except for a small minority. 
>
>  
>
> When I performed the install I have set the maximum number of agents to 
> 4096 because the client has about … I would say close to 3000 agents, 
> furthermore the installation did go well however I suspect that the 
> agent.conf file in the shared folder got messed up due to this update being 
> very significant. I have been working on this issue for at least three days 
> and I am no longer certain where to look.
>
>  
>
> I would like to specify that I have already tried to erase the RIDS while 
> OSSEC is stopped (server) and when I start it back up again the same issue 
> occurs. Now I am hoping the solution will not be to erase the rids from the 
> client as it would be a long process for our customer.
>
>  
>
> Thank you,
>
>  
>
> Alexandre Laquerre
>
> Security Analyst, LINKBYNET
>



[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-12 Thread Kat
I have seen this as well, and what I  found seemed to be related to 
encryption being used on 2.8.3 vs the 2.7 packages.  As Santi suggested, 
also removing the rids for the agents allows it to connect. I would, 
however, strongly suggest keeping them within the same release, and it 
avoids many of the problems observed.

Kat

On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>
> Hi,
>
>  
>
> I have been using Ossec for quite a while and we decided to upgrade the 
> version (2.7.1) to 2.8.3 and that was relatively successful except for the 
> fact that it pulled a number on my Ossec.conf by creating indent problems 
> and adding open brackets in the wrong area but anyway it works. My issue is 
> that for the moment our client will not update the OSSEC agents and wish to 
> keep the 2.7.1 , I have not seen any documentation that would indicate a 
> compatibility issue however I noticed that no matter what I do , the agents 
> will end up disconnecting. They will start out all active and then after 20 
> minutes or so they will all be disconnected except for a small minority. 
>
>  
>
> When I performed the install I have set the maximum number of agents to 
> 4096 because the client has about … I would say close to 3000 agents, 
> furthermore the installation did go well however I suspect that the 
> agent.conf file in the shared folder got messed up due to this update being 
> very significant. I have been working on this issue for at least three days 
> and I am no longer certain where to look.
>
>  
>
> I would like to specify that I have already tried to erase the RIDS while 
> OSSEC is stopped (server) and when I start it back up again the same issue 
> occurs. Now I am hoping the solution will not be to erase the rids from the 
> client as it would be a long process for our customer.
>
>  
>
> Thank you,
>
>  
>
> Alexandre Laquerre
>
> Security Analyst, LINKBYNET
>



[ossec-list] Re: List of logged in users AND List of the last logged in users

2016-04-06 Thread Kat
The windows systems do not have the same commands for looking at users. 
Your commands for looking at both logged in and last, will only work on 
*nix  platforms.

Kat

On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote:
>
> Hi dear community,
>
> I installed and configured about 10 agents, and of course I have a lot of 
> users; I need to monitor when they are working or drinking coffee.
>
> In ossec_rules.xml I have the following rules:
>
>   <rule id="534" level="1">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'w'</match>
>     <check_diff />
>     <options>alert_by_email</options>
>     <description>List of logged in users. It will not be alerted by 
>     default.</description>
>   </rule>
>
>   <rule id="535" level="1">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'last -n </match>
>     <check_diff />
>     <options>alert_by_email</options>
>     <description>List of the last logged in users.</description>
>   </rule>
>
> I have Linux and Windows machines but mail is coming just from one 
> machine (Linux). How about the rest?
> What did I do wrong?
>
> i appreciate your help, and a lot of respect for developers and community!
>
>
>
>



[ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Kat
I use Hybrid modes for 1000s of agents and mixed managers. It allows me to 
distribute managers, and still  have centralized collection. If I lose the 
WAN, the hybrids continue to process alerts,  and once the WANs are 
restored the data resumes to the central host. They have proven to be 
extremely reliable and I have had no issues. I do run with as high as 
20,000 agents in some cases with no issues.

Cheers
Kat

On Thursday, February 18, 2016 at 7:36:10 AM UTC-8, James Dough wrote:
>
> Looking at the hybrid install type; it installs two versions of ossec, 
> that have been reduced. One server role and one agent role. 
>
> Is the hybrid as reliable? I don't see nearly as much documentation on it. 
> Is it a safer bet to go with dual install?
>
>



Re: [ossec-list] Port 1514 Not Listening

2015-09-16 Thread Kat
Just a  silly question I don't see in this thread -- do you have ANY 
clients defined on the server itself??

What is currently in /var/ossec/etc/clients.keys?

-Kat



[ossec-list] Re: OSSEC is making AWS EC2 instance w/ Centos 7 become unresponsive

2015-07-03 Thread Kat
I have seen many issues with CentOS 7 becoming unresponsive. Kernel issues. 
 Try removing OSSEC, but my guess, it will still hang. Are you current on 
all patches?

-K

On Thursday, July 2, 2015 at 6:47:53 PM UTC-7, Caleb P wrote:

 If I start OSSEC, my Centos 7 AWS instance becomes unresponsive after a 
 short while (under 30 mins usually). httpd and ssh do not respond ever 
 until I go into the AWS console to reboot it. 

 I've looked through various logs, but half the stuff I don't know what it 
 is. What logs should I examine for problems, and anything in particular I 
 should look for?  Has anyone had this happen before?

 While running top, the last process to show was ossec-syscheckd when the 
 system crashed. It was at 30.2% CPU usage and 0.2% memory. 
  PID USER    PR  NI    VIRT    RES    SHR S %CPU %MEM   TIME+ COMMAND
 1009 root    20   0    5388   1624    672 R 30.2  0.2 0:05.91 ossec-syscheckd
 1290 apache  20   0  561900  15720   4984 S  6.3  1.5 0:00.39 httpd
   25 root    20   0       0      0      0 R  0.7  0.0 0:00.14 rcuos/0
  299 root     0 -20       0      0      0 S  0.3  0.0 0:00.03 kworker/0:1H
 1276 centos  20   0  130024   1816   1276 R  0.3  0.2 0:00.42 top
    1 root    20   0   56636   6724   3940 S  0.0  0.7 0:02.14 systemd



 Appreciate any suggestions or ideas! Thanks
 Caleb






[ossec-list] Re: OSSEC opens lots of files and keeps them open

2013-05-14 Thread Kat
How many folders/files are you monitoring for changes?

On Friday, May 10, 2013 1:32:33 AM UTC-7, Winni Neessen wrote:

 Hi,

 I am running OSSEC 2.7 on FreeBSD 8.4. Recently I received a kernel 
 warning, that maxfiles was exceeded. 
 I was wondering how this could be, as kern.maxfiles was configured to 32k. 
 A run of lsof quickly showed that
 OSSEC was the bad guy. 30k files were currently open through OSSEC. After 
 a restart the count was back to
 1k. A week later I can see that the kern.openfiles is again at 18k and 
 constantly growing. 16k are again used
 by OSSEC.

 My question... is this normal behaviour by OSSEC, so that I need to adjust 
 my kern.maxfiles settings? Or could
 this be some kind of misbehaviour?

 Any advice is greatly appreciated.


 Thanks
 Winni






[ossec-list] listening ports command / diff (possible improvement?)

2013-04-11 Thread Kat
I know some people have asked about the listen ports changed command that 
they offered as a default/example in OSSEC install.. 
I too find it useful, but got tired of a lot of alerts for ports over 1024. 

This still handles IPv4 and v6 ports:

netstat -tan | awk '$NF != "LISTEN" || $4 ~ /^127\.0\.0\./ { next } \
{ n = split($4, wk, ":") } wk[n] <= 1024 \
{ in_use[wk[n]] = 1 } END \
{ for ( port in in_use ) \
{ printf("%d\n", port) } }'

replaces:  netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort

and since it only forks the single awk instead of the original grep, grep 
and sort - it is a tiny bit quicker. Also, the output is limited to just 
the port numbers and nothing more..

if anyone finds it useful, there you go.
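As an added example (not code from the original post), the same awk filter wrapped in a function that reads `netstat -tan` output from stdin and is run over a constructed sample, so the IPv4/IPv6 handling and the 1024 cut-off can be checked without touching the network. It goes one step beyond the post by also skipping the IPv6 loopback address (::1), which neither the original grep nor the awk version excludes.

```shell
#!/bin/sh
# Added example, not from the original post: the post's awk filter as a
# function reading netstat -tan output from stdin. Keeps only LISTEN rows,
# drops IPv4 loopback (127.0.0.0/8) and, as an addition, IPv6 loopback (::1),
# and reports only ports <= 1024. The last ':'-separated field of the local
# address is the port for both "0.0.0.0:22" and ":::443".
listening_ports() {
    awk '$NF != "LISTEN" || $4 ~ /^127\.0\.0\./ || $4 ~ /^::1:/ { next }
         { n = split($4, wk, ":") }
         wk[n] <= 1024 { in_use[wk[n]] = 1 }
         END { for (port in in_use) printf("%d\n", port) }'
}

# Constructed sample of `netstat -tan` output (Linux layout, IPv4 and IPv6).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# Sorted port list, one per line; this is the text the OSSEC command monitor
# would diff between runs. Expected for the sample: 22 and 443 only
# (25 is loopback, 631 is IPv6 loopback, 8080 is above 1024, 22/51514 is not LISTEN).
sample_ports() {
    printf '%s\n' "$SAMPLE" | listening_ports | sort -n
}

sample_ports
```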





[ossec-list] multiple analysisd ???

2013-03-29 Thread Kat
Ok, I am thinking off the cuff here -- but was starting to wonder how 
OSSEC could scale more easily to large infrastructures. One of the primary 
issues is analysisd being single threaded. BUT -- since analysisd does not 
trap the port - 1514 for anything - that is left up to remoted - then why 
couldn't you run multiple versions of analysisd but have them tied to a 
specific keys file somehow?

In other words, have a way to mark the client.keys file with a field that 
perhaps had a 1,2,3 or 4 or something like that, and it would indicate 
which analysisd instance you are going to talk to?

I guess I need to go look at the code to see who is doing the evaluation on 
the client.keys for processing. I am guessing it is remoted, so maybe this 
would not work too easily if that is the case.

The whole point here is to NOT try to make analysisd multi-threaded, but 
instead have some way to decide how many daemons you want to run and which 
one processes which clients.  

Thoughts/comments?? 

-K





[ossec-list] Re: aix 6.1 install failure

2013-03-23 Thread Kat
I have compiled OSSEC all the way thru AIX 6.1 and JB is right. gcc has issues, 
native C compiler always works. I did get it to work with gcc but only after 
fighting it.  I will go back through my notes and see what I can find.  If you 
happen to have IBMs c, it should work fine however.





[ossec-list] Re: Basic OSSEC Configuration for Web Servers / Website Security

2013-03-13 Thread Kat
There are a couple of typos thanks to HTML formatting you might want to fix 
-- things like &lt; instead of <

But thanks for the write up -- very nice.

-K

On Wednesday, March 13, 2013 10:20:29 AM UTC-7, perezbox wrote:

 Hey Folks

 I put together this little post to better help those that are using OSSEC 
 on their web servers: 
 http://tonyonsecurity.com/2013/03/13/ossec-for-website-security-part-i/

 It's nothing too complicated but a little something that many seem to 
 forget or not think about. Hope it helps someone. 

 Cheers.

 Tony








[ossec-list] Re: 13% CPU oad generated by ossec-authd

2013-03-13 Thread Kat
Still seeing high CPU usage for authd. Hmmm...

On Tuesday, March 12, 2013 1:06:18 PM UTC-7, Kat wrote:

 Been seeing that a lot too -- going to try the repo update and see how 
 that works.

 Perhaps it is time for a 2.7.1 release - I think we have enough general 
 fixes to warrant it.

 cheers
 -K








[ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent

2013-03-13 Thread Kat
are you checking the right logs and do you have the ARs set for the right 
place? Sometimes people forget the log entries will be in agents log files, 
not the SERVER.


On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote:

 Hello,
 I recently upgraded my ossec server to 2.7 and everything is working 
 great. The weird issue I'm having is that the active responses sometimes 
 don't fire. 
 It's very intermittent because I get email spam for my Rule that is 
 supposed to trigger a null-route. I check the server's active-responses.log 
 and it shows no entries, though previously in the same day (couple hours 
 ago) I see entries for the same rule number. 

 Any suggestions on helping determine why the ossec server couldn't spawn my 
 active response for the rule? 

 Thank you,
 Brian








[ossec-list] Re: 13% CPU oad generated by ossec-authd

2013-03-12 Thread Kat
Been seeing that a lot too -- going to try the repo update and see how that 
works.

Perhaps it is time for a 2.7.1 release - I think we have enough general 
fixes to warrant it.

cheers
-K








[ossec-list] syscheck on agent - space? Missing something?

2013-03-04 Thread Kat
Just wondering if I am missing something. I have an agent that has used too 
much space for syscheck changes. I want to re-init with new rules. If I run 
syscheck_control with -u it says it will INIT the database, but the old 
stuff is still there. So I have to get on every system to clear the old 
junk and wasted space? Am I missing something here?

thanks





[ossec-list] Re: Ossec agents are not appearing in Ossec Server

2013-03-04 Thread Kat
Update to 2.7 on both Manager and client  ...

On Sunday, March 3, 2013 11:46:51 PM UTC-8, Umair Mustafa wrote:

 I installed Ossec Server and some agents on other servers. But the thing 
 is that out of 10 agents only 7 servers are able to communicate with Ossec 
 Server and 3 are not. 

 This is the Ossec Server information 

 DIRECTORY=/var/ossec
 VERSION=v2.5.1
 DATE=Thu Jan 13 17:03:30 AST 2011
 TYPE=server

  
 And this is the Log which i collected from newly installed Agent 

 2013/03/04 06:22:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
 2013/03/04 06:32:31 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
 2013/03/04 06:32:31 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
 2013/03/04 06:32:52 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
 2013/03/04 07:49:27 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
 2013/03/04 07:49:27 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
 2013/03/04 07:49:48 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
 2013/03/04 07:59:54 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
 2013/03/04 07:59:54 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
 2013/03/04 08:00:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
 2013/03/04 09:17:08 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
 2013/03/04 09:17:08 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
 2013/03/04 09:17:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
 2013/03/04 09:27:35 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
 2013/03/04 09:27:35 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
 2013/03/04 09:27:56 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.


  
 Agent Info

 [root@pdbosl02 etc]# cat ossec-init.conf 
 DIRECTORY=/var/ossec
 VERSION=v2.6
 DATE=Sat Aug 25 13:56:49 AST 2012
 TYPE=agent




  






Re: [ossec-list] Maximum number of agents allowed:

2013-02-28 Thread Kat
The only issues you have to keep in mind are the maxagents - pretty simple 
- but there is another hidden setting in the client keys creation that is 
in the code. 
Set to 4000 by default. Have to edit that and set it to whatever.  I fixed 
the makefile to do it when you change the setmaxagents. 

The value is -- in validate.c in ~/src/addagent folder. 

in the Makeall you will find this code: 

# Increasing maximum number of agents
if [ "X$1" = "Xsetmaxagents" ]; then
    echo -n "Specify maximum number of agents: ";
    read AGMAX
    echo "HEXTRA=-DMAX_AGENTS=$AGMAX" >> ./Config.OS
    echo "Maximum number of agents set to $AGMAX."
    exit 0;
fi


and I updated mine to change the value in validate.c as well.

# Increasing maximum number of agents
if [ "X$1" = "Xsetmaxagents" ]; then
    echo -n "Specify maximum number of agents: ";
    read AGMAX
    echo "HEXTRA=-DMAX_AGENTS=$AGMAX" >> ./Config.OS
    # double quotes so $AGMAX is expanded; the pattern is the literal C check
    sed -i "s/if(i >= 4000)/if(i >= $AGMAX)/" addagent/validate.c
    echo "Maximum number of agents set to $AGMAX."
    exit 0;
fi





[ossec-list] recover SERVER keys?

2013-02-14 Thread Kat
Well - it happened - I lost a server (hardware raid failure and corrupted 
drives). 
So here is the question - all the agents have keys, but I lost the other 
end - is there ANY way to rebuild a server from this sort of thing and 
recover?

I can't think of anything, since it is all built around the original server 
key (lost), but it never hurts to ask..

And before you all yell at me about backups -- yes, I know. All my other 
systems are backed up, just not this one. :-(





Re: Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-31 Thread Kat
Upgrade your agents to 2.7 -- problems should be resolved.

On Wednesday, January 30, 2013 6:52:49 PM UTC-8, root wrote:

  
 hi

 thank you for the reply.

 yes, my ossec server is ossec 2.7 and my ossec-agent is ossec 2.6, but my 
 other agent is also ossec 2.6 and works normally. I don't know why this is.

 thanks, Best Regards

 *From:* Kat
 *Date:* 2013-01-31 03:18
 *To:* ossec-list
 *Subject:* Re: [ossec-list] splunk+ossec ossec-agent Disconnected?
 Has nothing to do with splunk or not -- and my guess is this is not 
 ossec 2.7?  
 You can check if you have a tool like netcat (default installed on Linux) 
 by doing
 nc -u server-address 1514

 then type a few lines to see if on the server you are seeing errors in the 
 log file (incorrectly formatted or not allowed messages).
 However, most of the connection related problems were resolved in 2.7. 
 Make sure you are on the newest.








Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread Kat
Has nothing to do with splunk or not -- and my guess is this is not ossec 
2.7? 
You can check if you have a tool like netcat (default installed on Linux) 
by doing
nc -u server-address 1514

then type a few lines to see if on the server you are seeing errors in the 
log file (incorrectly formatted or not allowed messages).
However, most of the connection related problems were resolved in 2.7. Make 
sure you are on the newest.








Re: [ossec-list] Trying to install on Solaris 10

2013-01-30 Thread Kat
Having built/installed on numerous Solaris systems, even as recently as 
last week - it does work. But yes, it can be a little touchy. Most of it, I 
have found, is related to the appropriate build environment and libraries. 
Double-check the pre-reqs for things like openssl libraries, and all the 
correct build tools - gcc, make and more.

It can be done. :-) 





[ossec-list] authd - agent

2013-01-29 Thread Kat
Just wondering if there is some reason why agent-auth has to use an IP 
when requesting a client key rather than a hostname? Kind of messy when 
trying to build automated installs into RPMs and puppet across multiple 
datacenters.

Is there some logical reason I am missing?

thanks
K





Re: [ossec-list] authd - agent

2013-01-29 Thread Kat
If you happen to find a patch lying around... :-)


On Tuesday, January 29, 2013 10:14:53 AM UTC-8, dan (ddpbsd) wrote:

 On Tue, Jan 29, 2013 at 12:44 PM, Kat uncom...@gmail.com wrote: 
  Just wondering if there is some reason with the agent-auth has to use IP 
  when requesting a client key rather than a hostname? Kind of messy when 
  trying to build in automated installs into RPMs and puppet across 
 multiple 
  datacenters. 
  
  Is there some logical reason I am missing? 
  

 No one has written the code. I thought I had mailed a patch to use 
 hostnames to the list a while back, but I can't remember for sure. 


  thanks 
  K 
  






[ossec-list] Re: updating ossec on centos 6: libmysqlclient.so.18(libmysqlclient_16)

2013-01-02 Thread Kat
Firstly - you probably want to get the 2.7 package and build that, rather 
than the rpm of the 2.6.  If you do the source build, which is pretty 
simple based on the install.sh script - it should find the pre-reqs based 
on libraries. If it does not, then the Percona version does not contain the 
proper dependencies...

At least give it a try with the source build and see if that resolves it. 
Download from the ossec.net website.




[ossec-list] Re: Agent reporting to multiple servers

2013-01-02 Thread Kat
If you install as Local then it turns off the ability to communicate 
outside of the configuration. If you convert these to hybrid, then you 
could do what you want. I did that with a few servers during testing - 
wanted to see if a local installation would be viable as making it hybrid. 
Then at least it keeps running even if it loses connection to the central 
server.




[ossec-list] Re: Rule Frequency problem

2012-12-17 Thread Kat
You should take a look at this patch:

https://groups.google.com/forum/?fromgroups=#!search/accumulator/ossec-dev/NfQaFREyCHI/ycoRVq6YD_gJ



On Thursday, December 13, 2012 8:21:51 AM UTC-8, Mike Hubbard wrote:

 Hello -
 I am trying to construct a set of rules that cause a change in behavior if 
 a certain thing happens.
 My first rule catches a particular line from a log file and has an ID of 
 100500.
 Then I have a set of rules that look something like this:
   <rule id="100524" level="3" frequency="1" timeframe="300">
     <if_matched_sid>100500</if_matched_sid>
     <if_sid>550</if_sid>
     <match>/a/file/im/interested/in</match>
     <description>Acceptable update of /a/file/im/interested/in</description>
   </rule>
   <rule id="100525" level="3" frequency="1" timeframe="300">
     <if_matched_sid>100500</if_matched_sid>
     <if_sid>550</if_sid>
     <match>/a/differentfile/im/interested/in</match>
     <description>Acceptable update of /a/differentfile/im/interested/in</description>
   </rule>

 This works just great - the first time through.  If, within the 5 minute 
 period, one of the files is modified, then either rule 100524 or 100525 
 triggers. 
 But that is the end of my show.  I've been interpreting frequency and 
 timeframe as count of alerts within the time period - but it appears to me 
 that my count of alerts is being reset after the first composite rule 
 fires.  Is it not legal to have multiple rules watching the frequency of 
 some other rule?  Is there some other simpler problem here with my rules?

 Thank you



[ossec-list] Re: snort+ossec email

2012-12-12 Thread Kat
Take a look at Security-Onion

This combines tools like Snort and OSSEC and brings it into a single 
platform. There is also a SecurityOnion for Splunk that expands on this 
idea.

-K

On Wednesday, December 12, 2012 10:56:49 AM UTC-8, Leonardo Pezente wrote:

 I'm a noob in ossec, but I think it was a good idea to have it on my NIDS 
 machine.
 It is already running, and now I want it to send an e-mail about possible 
 problems that it and my NIDS (snort) detect, but I don't have any idea how to 
 do that.
 I have snort send alerts to my syslog, and I put the syscheck at 1 hour.
 I have created an e-mail just for that, and I have changed the global for 
 sending e-mail.
 So, will it send e-mail every one hour or do I have to do something more?



[ossec-list] Re: can use 2.7 replace ossim 's ossec ?

2012-12-11 Thread Kat
Yes -- I did it. Works fine. Just install it normally and select Upgrade 
as it will find the previous version.

On Monday, December 10, 2012 9:13:07 PM UTC-8, peng lin wrote:

 Can 2.7 replace ossim's ossec?
 Does everyone do it?



Re: [ossec-list] Agent configuration management via central server

2012-11-28 Thread Kat
If I am reading your problem - you are saying ossec.conf on the AGENT is 
not being overwritten -- if this is correct - then yes, it is not - it 
won't. Only agent.conf gets pushed to the agents. ossec.conf is set 
manually on agents, so if you expect it to get changes - you need to use 
puppet or some other method.

cheers
K


On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote:

 On Tue, Nov 27, 2012 at 7:29 PM, funwithossec ho...@donobi.net 
 wrote: 
  All, 
Apologies if this has been covered, but I sure couldn't find it 
 :-) 
  
  In my lab I have a central ossec 2.6 server on Ubuntu and one client on 
  Centos, set them up with active response and followed procedure here: 
  http://www.ossec.net/doc/manual/agent/agent-configuration.html 
  
  agent.conf is written to the client upon restart of server and client 
  
  ossec.conf is not overwritten 
  
  This feels like a permissions error, agent.conf is owned by ossec:ossec 
 and 
  ossec.conf is owned by root:root and is not writable by other than root, 
  this is default as far as I can tell and I don't want to muck with it 
 unless 
  I have to. 
  
  Any help would be...helpful :-) 
  
  -Thanks 
  
  

 What's the problem? You haven't identified it at all. 



Re: [ossec-list] Identifying user that made change to file as part of File Integrity/Syscheck monitoring?

2012-11-12 Thread Kat
I see this topic come up a lot and I have dealt with the question from 
auditors too. Unless you have full auditing enabled, the simple answer is 
no.

Think about this -- a file is writable by the owner and a group - the group 
contains 1000 users. Auditd is NOT enabled. One of those 1000 users that 
has the ability to modify the file and indeed they do. Unix checks the 
perms and verifies that the uid or gid has permission to modify the file. 
It does, it is allowed.

No place in the inode or the directory entry is any information kept on who 
modified the file. Why? Because it has to be someone that is authorized to 
do it. Therefore the only way to track this data is to have another process 
monitor everything users are doing - i.e. auditd running, in order to 
track this.

At one point I had an auditor tell me "But tripwire does this." Um, no, it 
does not. Tripwire shows that the file was changed and who the owner of the 
file is. Based on this, auditors sometimes assume that it was the owner 
changing the folder, which is not the case.

Additionally, if a user has sudo privs to one of the UIDs or GIDs - well, 
that pretty much throws it all out the window.

Take a look at auditd and if you are willing to accept the load it may 
present on your system, then this will solve the question you are asking. 
Otherwise, you are not going to be able to do it.  It is all about 
understanding what information is stored in an inode and the directory 
entry. (And the directory entry is minimal -- filename, inode #)

cheers
Kat
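
As an added illustration of the point above (not from the thread): a small Python parser over constructed auditd records. The SYSCALL record's auid is the login uid, which sudo and su do not change, so it names the person even when the write ran as root or as a shared group account; the owner uid in the PATH record is all a checksum-based monitor could ever tell you. The watch key, uids, paths and timestamps are constructed.

```python
"""Who changed the file? Pull the answer out of Linux audit (auditd) records.

A checksum monitor sees that a file changed and who owns it; the inode holds
nothing about the writer. auditd does: a watch rule such as
    -w /opt/conf -p wa -k shared-config
emits, per write, one SYSCALL record (auid = login uid, uid = effective
account, exe) plus PATH records naming the files touched, all sharing one
serial in msg=audit(timestamp:serial).
"""
import re
from collections import defaultdict

# Constructed audit.log excerpt (invented uids/paths, not from a real host).
# Event 4567: login uid 1001 edits a file as root (sudo vim).
# Event 4570: a denied write (success=no) -- must not be reported.
# Event 4581: a group member (login uid 1003) edits the same file directly.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1352736000.123:4567): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2001 pid=2002 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="shared-config"
type=CWD msg=audit(1352736000.123:4567):  cwd="/home/alice"
type=PATH msg=audit(1352736000.123:4567): item=0 name="/opt/conf/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1352736000.123:4567): item=1 name="/opt/conf/team_config" inode=1337 dev=fd:01 mode=0100664 ouid=1000 ogid=500 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1352736100.456:4570): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3001 pid=3002 auid=1002 uid=1002 gid=500 euid=1002 suid=1002 fsuid=1002 egid=500 sgid=500 fsgid=500 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="shared-config"
type=PATH msg=audit(1352736100.456:4570): item=0 name="/opt/conf/other_config" inode=1338 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1352736200.789:4581): arch=c000003e syscall=2 success=yes exit=4 items=2 ppid=4001 pid=4002 auid=1003 uid=1003 gid=500 euid=1003 suid=1003 fsuid=1003 egid=500 sgid=500 fsgid=500 tty=pts2 ses=5 comm="vi" exe="/usr/bin/vi" key="shared-config"
type=PATH msg=audit(1352736200.789:4581): item=0 name="/opt/conf/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1352736200.789:4581): item=1 name="/opt/conf/team_config" inode=1337 dev=fd:01 mode=0100664 ouid=1000 ogid=500 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'} (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_events(text):
    """Group records by audit serial; all records of one syscall share it."""
    events = defaultdict(lambda: {"records": [], "time": None})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line or a truncated tail, not an audit record
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        ev["records"].append((rtype, parse_fields(body)))
    return events


def who_changed(text, watch_key):
    """One dict per successful write under the watch key, oldest first.

    auid: who logged in (survives sudo/su); uid: account the process ran as;
    owner_uid: the file's owner, the only one syscheck could have reported.
    """
    results = []
    events = group_events(text)
    for serial in sorted(events):
        ev = events[serial]
        syscalls = [f for t, f in ev["records"] if t == "SYSCALL"]
        if not syscalls:
            continue
        sc = syscalls[0]
        if sc.get("key") != watch_key or sc.get("success") != "yes":
            continue
        # The object actually opened is the PATH item that is not the parent dir.
        for rtype, f in ev["records"]:
            if rtype == "PATH" and f.get("nametype") != "PARENT":
                results.append({
                    "time": ev["time"], "serial": serial,
                    "file": f["name"], "owner_uid": int(f["ouid"]),
                    "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                    "exe": sc.get("exe", "?"),
                })
    return results


def report(text, watch_key):
    """Human-readable lines for the ticket or the auditor."""
    fmt = ("{file}: changed by login uid {auid} (running as uid {uid}, {exe});"
           " file owner uid {owner_uid}")
    return [fmt.format(**r) for r in who_changed(text, watch_key)]


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT_LOG, "shared-config"):
        print(line)
```

Feed it the real audit.log and the key from your own watch rule; the denied write is dropped on purpose so the list only contains changes a checksum monitor would also have flagged.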


Re: [ossec-list] Identifying user that made change to file as part of File Integrity/Syscheck monitoring?

2012-11-12 Thread Kat
auditd is a Unix-centric process. Kind of like ACLs though. They all have 
it, but they all have slightly different ways of enabling and managing.




[ossec-list] Re: add logfile to ossec

2012-10-10 Thread Kat
when you exit vi/vim - just do :wq! - if you are root while editing - it 
will over-write it and you don't have to change perms.


On Wednesday, October 10, 2012 2:36:41 PM UTC-7, Adam wrote:

 I set up rsyslog to get messages from a remote network device and put the 
 messages in /var/log/IP/syslog.log. How do I add that file to ossec so it 
 parses it and stuff? I attempted to edit ossec.conf but it's read only. Do I 
 need to change the perms on that, make my changes, change the perms back, 
 then restart ossec? Thank you. 



Re: [ossec-list] am i doing this wrong

2012-10-02 Thread Kat
Scanning does not necessarily provide a blip. Do you have any kind of 
tool logging scans, or are you doing something beyond an nmap scan, such as 
brute force login attempts? Something has to create a log entry for OSSEC to 
see. Based on what you are saying - is there any kind of entry in any of 
the event logs showing that a scan was happening? OSSEC would see that.




[ossec-list] puppet rules (not for deployment but alerting)

2012-09-28 Thread Kat
I know a lot of us use puppet to deploy OSSEC..

Just wondering if anyone has bothered to put together rules for puppet 
alerts? 
Things like when a file changes -- can be useful if you are not using 
syscheck on that file, or if you want a correlation with the file change 
and what changed it.

Lots of other things come to mind and I have begun this process, but if 
someone else has already done it - well, I just thought I would ask.

cheers
Kat


[ossec-list] Re: Large scale deployment

2012-09-25 Thread Kat
with the new Hybrid feature, why would you want to deploy 1 to a 
single manager? As someone who has had 3000-4000 dedicated to single 
managers, I would strongly suggest a tiered approach. It just makes more 
sense. Yes, you would have to wait for 2.7 to finish the beta cycle, but to 
me, I would think this is the way to go.  

1 on a manager trying to maintain all the connections - just think of 
the load on the NIC(s) and the biggest problem being that the analysisd 
process is single threaded, so you are pumping all that data through one 
engine. 

I will say that yes, others are correct - management through a 
configuration system such as puppet or cfengine is the only way to go, and 
not trying to use the agent management directly within OSSEC.

Just my 2 cents
Kat

On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote:

 I know there are deployments of more than 3000 agents on one OSSEC server. 
 You need to keep an eye on the amount of network traffic though. 
 Overloading can result in lost events. 
 Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium 
 Day 2..

 On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote:

 Dears,
 Does anyone know about large scale development? I want to 
 implement over 1 set. There is an issue on how to deploy client keys 
 and management.
 Could you share any experience?
 Many thanks.

 Br. JJ



Re: [ossec-list] linux_auditd log_format and configuration error in OSSEC 2.7 beta

2012-09-19 Thread Kat
I ran into the same problem - *IF* you try updating a 2.6 install with the 
beta - you must REPLACE it. So say "no" to upgrade and then delete the existing 
folder (when it asks) and install new 2.7. Otherwise it keeps some files 
(have not verified which) that cause this.



On Wednesday, September 19, 2012 9:21:09 AM UTC-7, dan (ddpbsd) wrote:

 On Wed, Sep 19, 2012 at 12:15 PM, PAL p...@pal.dp.ua 
 wrote: 
  In ossec 2.7 a new log_format appeared: linux_auditd 
  I got a strange error. 
  
  When I configure for read audit.log on agent side: 
  
   <localfile>
     <log_format timeout="5">linux_auditd</log_format>
     <location>/var/log/audit/audit.log</location>
   </localfile>
  
  
   all work ok. 
  
  But, when I wrote same lines on server host - I got error: 
  
  2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute 
  'log_format' in the configuration: 'linux_auditd'. 
  2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at 
  '/var/ossec/etc/ossec.conf'. Exiting. 
  2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error 
 at 
  '/var/ossec/etc/ossec.conf'. Exiting. 
  
  When I set log_format to syslog OR comment out all rules, I have no 
 errors. 
  
  Is any way to fix it? 
  
  

 Are you sure your OSSEC server is running version 2.7? 



[ossec-list] Re: WARN: Problem receiving message from

2012-09-14 Thread Kat
new v4 of Alienvault has 2.6 - so simply upgrade your appliance.

-K



[ossec-list] Simplest question ever (?) - timestamp

2012-08-15 Thread Kat
Is there a way to tell OSSEC to use the timestamp of the actual logfile 
entry rather than its own internal timestamp of when it sees the alert?

This should be a configuration option - *hint hint* 

Unless there is already a way to do this. 

thanks
K


Re: [ossec-list] ignore interval but...

2012-08-10 Thread Kat
JB & Michael - good thoughts - only one problem, I have 4000 hosts. Gonna 
make for a very lonnngg rules file.

My thought on this is simple - more so for alerting on attacks/issues as 
they move around. Or for the audit rules - another reason for this. Here is 
the situation - let's say an audit rule kicks off, so I create a ticket for 
a team to fix that problem, but I want to give them 7 days (or some 
arbitrary number, maybe only a day) to fix the problem - I want to ignore 
that rule for a period of time. Now this is simple in the world of a few 
dozen hosts, but when we are in the hundreds or thousands, not so much. AND 
if it triggers on each of those 4000 hosts, then yes, I have a problem, but 
even if it only triggers on 2000, I need a way to acknowledge the alert 
for a certain amount of time. 

If this capability existed in OSSEC it could go a long way to making it 
that much better. Think how NAGIOS allows you to acknowledge a host/service 
down forever or just for a certain period of time.

I was thinking of setting an active response that adds to a CDB list and 
reloads the list. If the host is in that list, ignore the alert. However 
the list is cleared once a week and if the alert is still there, you have a 
way to show them.

Some people could say just lengthen the frequency on the running of the 
audit - but I don't want to do that, I want them to run daily, but not 
alert daily if I already know about something.

Does that make sense?

-Kat


[ossec-list] ignore interval but...

2012-08-07 Thread Kat
Ok, here is a tricky one I can't figure out..

I have a simple rule with an ignore=7200 so it does not fire too much. BUT, 
what if I only want to set the ignore PER HOST? In other words, if it 
triggers on another host it should alert then set the ignore timer. Yeah, I 
am not aware of a clean/simple way to do this..

Any ideas?


Re: [ossec-list] Can nto have centralized agent config working

2012-07-31 Thread Kat
If you restart the client, it will get pushed within a minute - assuming 
you had restarted the manager so it knows there was a change. 
I had this problem with a large install of 4000+ agents in the beginning, 
but in general, if the agent is restarted shortly after the manager, the files 
were pushed within a minute. 
This was on 2.6 of course - NOT the AtomiCorp rpms, since I had nothing but 
problems with those and keys and all sorts of things.
My suggestion: rebuild the manager from source and see if that fixes it.

~K

On Tuesday, July 31, 2012 4:40:02 AM UTC-7, dan (ddpbsd) wrote:

 On Tue, Jul 31, 2012 at 7:31 AM, Steve Kieu  wrote: 
  I did it and restart the server first and the client later. Should it be 
  picked up right away ? 
  

 It could take a while for it to be pushed. I think if you run the 
 processes in debug mode the transfer will be logged. Running in debug 
 mode might be a good idea to see if it logs information on why the 
 agent.conf isn't being pushed. 




[ossec-list] Simple(?) - Forensics (historical?) but live

2012-06-29 Thread Kat
Here's hoping there is a simple answer to this. I know of the technique to 
run the forensics into ossec-logtest. And that is a fabulous tool/method. 
But, I want to take a previous years data - BO - (before ossec) and run it 
through and have ossec actually process it into the appropriate log files 
(and perhaps mysql or splunk) just as if it was live data. In other words, 
process it like live data so it is logged and saved in the database/splunk. 
The reason for this is simple - to build up the past couple of years of raw 
data into a searchable/historical reference.

I know ossec-logtest can be piped into anything, but before I start trying 
it, I am wondering if you could use the same method of catting the files 
but into live ossec?

Off to try some tests - if I find anything, I will let you know. If anyone 
else can think of a way to do it, would love to hear.

thanks
~k


[ossec-list] audit alerts / root kit

2012-06-26 Thread Kat
Here is a problem I am trying to figure out a work-around. 
Looking for files that might be unauthorized copies of files. For example, 
/etc/passwd. But, if you add that to the rootkit_files in etc/shared - you 
would want to list it as */passwd -- but how could you get it to only 
trigger if it finds copies of passwd in anyplace other than /etc?

scratching head,
~k


[ossec-list] rootcheck/rootkit rules

2012-06-07 Thread Kat
Just wondering where to find docs on writing/updating rules for
rootkit/rootcheck? Format and all that is what I am looking for. I am
looking through the various root check files under etc/shared, but
can't seem to find the syntax for these files in the docs. :-(

Any help/suggestions?

-K


[ossec-list] Re: Large installs.

2012-04-06 Thread Kat
4 installs --
1700 hosts
1200 hosts
1340 hosts
and 900 (oops, that is not over 1000, but close)

Use puppet to manage deployments rather than OSSEC itself. Also,
puppet maintains more than just agent.conf. Splunk on the backend with
the Splunk for OSSEC app handling all the details. Also, because
this was a large mixed platform of Linux, Hp-UX, AIX, Solaris and
Windoze, puppet made things much easier.

Biggest problem was the constant alerts of disconnected agents, when
they really weren't. This was caused mostly by the load and short
check times in the agent/server codes. I found some patches to bump
that up, but in the beginning I just disabled the Agent disconnected
rules, which also worked.

** Maybe a note to developers -- as the agent count goes up - set up
check-in timers that go up with the agent count. It would avoid a lot
of false-positives on these alerts.

My biggest issue was with reporting, which is why Splunk was added to
the mix. This gives the flexibility needed to support both SOC type
engineers as well as auditors requests, and once the reports are
defined, they can modify them easily enough for their needs with just
a little training.

Hope this helps - if you have questions, just ask and I will try to
answer.

~K


Re: [ossec-list] How to Set up a Sonicwall in OSSEC

2012-03-22 Thread Kat
FYI - running TCPDUMP is not a good test to verify whether the firewall blocks 
or not, since tcpdump puts the NIC in promiscuous mode AND intercepts the packets 
BEFORE the firewall sees them. So even if you are seeing the packets, you 
don't know whether they are being blocked or not without reviewing your firewall 
settings, turning it off/on, etc. (Which is what you did.)



On Wednesday, March 21, 2012 2:26:30 PM UTC-5, Michael Scott wrote:

 Thanks again for the help and reply Dan.

 Just for fun, I disabled the firewall, and it started working. I ended up 
 removing the exception, applying changes, and then recreating it and 
 applying changes. After that, it ended up working.

 Sorry for the false alarm, and thanks!

 - Mike Scott



[ossec-list] report_changes - odd results

2012-02-13 Thread Kat
Hi all..

Here is an odd one. I have a folder with a few dozen subfolders. I
want to set up report_changes on all the subfolders with a specific
file in it - for example:

/opt/conf/*/*act_config

And it seems to work fine - but here is the odd part. The *sh_config
is a txt file in every folder, and this is verified. Sometimes the
report changes actually works and other times it only shows the
checksums changing, which I know if the checksum changes the contents
had to change.

So the question is simple -- any idea what might cause the
report_changes to work most of the time, but sometimes it only reports
checksum? How would you debug this?

Basically I have a system with 50-60 users and they each have one of
the config files and they change them from time to time. So I want to
know which user changed it and what they changed (so when they say "I
didn't change anything" I can tell them and show them). But the
baffling part is this works 90% of the time, but every now and then,
as mentioned, it does not show the actual changes.

signed,
confused...


[ossec-list] Re: report_changes - odd results

2012-02-13 Thread Kat
That first paragraph should read the *act_config - not
*sh_config...
Sorry if that was confusing.

On Feb 13, 8:05 am, Kat uncommon...@gmail.com wrote:
 Hi all..

 Here is an odd one. I have a folder with a few dozen subfolders. I
 want to set up report_changes on all the subfolders with a specific
 file in it - for example:

 /opt/conf/*/*act_config

 And it seems to work fine - but here is the odd part. The *sh_config
 is a txt file in every folder, and this is verified. Sometimes the
 report changes actually works and other times it only shows the
 checksums changing, which I know if the checksum changes the contents
 had to change.


[ossec-list] Re: day of decoder problems

2012-02-02 Thread Kat
I always wondered about that - shouldn't anything in Local... get
processed before the built-in?
I did have a feeling it was order dependent, and I took the route of
making the rules decoded_as - windows_date_format and everything
works, and this now confirms my thoughts that local did NOT get
processed first, but maybe this could be something for the future - a
switch for processing local BEFORE or AFTER builtin? Let the
organization decide on an install basis? I could see this fixing a
lot of ambiguity.

thanks for the clarification..




[ossec-list] day of decoder problems

2012-02-01 Thread Kat
What am I missing - it just keeps firing on the windows-date-format --
so frustrating, it must be simple, I am just blind today:

Logentry:

2012-01-12 15:19:58 Package: attack.vector:
removing(string1,string2,string3) by administrator

decoder:

<decoder name="fw-private">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
</decoder>

<decoder name="fw-private-alert">
  <parent>fw-private</parent>
  <regex offset="after_parent">^Package: (\.+):\.+</regex>
  <order>data</order>
</decoder>
</decoder>

And I want to store the attack.vector in 'data', but it just keeps
triggering:

**Phase 1: Completed pre-decoding.
   full event: '2012-01-12 15:19:58 Package: attack.vector:
removing(string1,string2,string3) by administrator'
   hostname: 'ossex'
   program_name: '(null)'
   log: '2012-01-12 15:19:58 Package: attack.vector:
removing(string1,string2,string3) by administrator'

**Phase 2: Completed decoding.
   decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '0'
   Description: 'Unknown problem somewhere in the system.'
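
The decoder chain posted above and the ordering question from the follow-up ("Re: day of decoder problems"), replayed as an added Python example that is not from the thread or from OSSEC itself: parent decoders are tried in load order and the first prematch hit owns the event, so a built-in decoder with the same timestamp prematch claims the line before local_decoder.xml is ever consulted. The built-in windows-date-format pattern is reproduced here from decoder.xml as an assumption, and the OSSEC-to-Python regex translation is an approximation of OSSEC's own matcher (enough for \d, \., \s, \w and the anchors used here).

```python
"""Replay the OSSEC decoder chain from the thread in Python.

ossec-analysisd walks the parent decoders in load order; the first whose
prematch matches owns the event, and only that decoder's children are tried.
decoder.xml (built-ins) loads before local_decoder.xml, which is why the
event below ends up as 'windows-date-format' with no data field.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# OSSEC regex classes -> Python regex. Approximation: OSSEC "\." is "anything".
OSSEC_CLASSES = {
    "d": r"\d", "D": r"\D", "s": r"\s", "S": r"\S", "t": r"\t",
    "w": r"[A-Za-z0-9@_-]", "W": r"[^A-Za-z0-9@_-]", ".": r".",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC prematch/regex into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \( etc. stay literal
            i += 2
        else:
            # ^ $ + * | ( ) keep their meaning; everything else is a literal.
            out.append(c if c in "^$+*|()" else re.escape(c))
            i += 1
    return "".join(out)


@dataclass
class Decoder:
    name: str
    prematch: Optional[str] = None
    parent: Optional[str] = None
    regex: Optional[str] = None
    offset: Optional[str] = None          # only "after_parent" is modelled
    order: Tuple[str, ...] = ()


# Built-in decoder (assumed from decoder.xml): same timestamp shape as below.
WINDOWS_DATE_FORMAT = Decoder("windows-date-format",
                              prematch=r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")

# The two decoders posted in the thread.
FW_PRIVATE = Decoder("fw-private",
                     prematch=r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")
FW_PRIVATE_ALERT = Decoder("fw-private-alert", parent="fw-private",
                           regex=r"^Package: (\.+):\.+",
                           offset="after_parent", order=("data",))

# The log entry from the thread.
LOG = ("2012-01-12 15:19:58 Package: attack.vector: "
       "removing(string1,string2,string3) by administrator")


def decode(log, decoders):
    """Return (decoder name, extracted fields) the way analysisd would.

    Parents are tried in the order given; the first whose prematch matches
    owns the event, then its children are tried in order.
    """
    for parent in (d for d in decoders if d.parent is None and d.prematch):
        m = re.search(ossec_to_python(parent.prematch), log)
        if not m:
            continue
        for child in (d for d in decoders if d.parent == parent.name):
            if child.regex is None:
                continue
            text = log[m.end():] if child.offset == "after_parent" else log
            cm = re.search(ossec_to_python(child.regex), text)
            if cm:
                return child.name, dict(zip(child.order, cm.groups()))
        return parent.name, {}
    return None, {}


if __name__ == "__main__":
    # Default load order: decoder.xml first, then local_decoder.xml.
    print(decode(LOG, [WINDOWS_DATE_FORMAT, FW_PRIVATE, FW_PRIVATE_ALERT]))
    # -> ('windows-date-format', {})   exactly what ossec-logtest reported
    # Local decoder first: the data field is filled as intended.
    print(decode(LOG, [FW_PRIVATE, FW_PRIVATE_ALERT, WINDOWS_DATE_FORMAT]))
    # -> ('fw-private-alert', {'data': 'attack.vector'})
```

The second call shows what a rule using decoded_as on the built-in decoder has to work around: the local decoder would extract the field, but it never gets asked.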


[ossec-list] Best way to add rules to EXISTING products/decoders.

2012-01-26 Thread Kat
I am working on a bunch of updated rules for PIX/ASA firewall
messaging - my question is since these use an existing decoder and
group of rules, what is the best way to add them. Should I be using
local_rules or how could I contribute them to update the pix_rules
set?

thanks
k


[ossec-list] Re: Agents cannot connect to server

2012-01-26 Thread Kat
I keep seeing these from more than one person - with over 6000 agents
in 3 DC's I can tell you I have found the quickest solution:

1. Although this is frowned upon - on the agents - wipe /var/ossec/queue/rids/
on each of the offending agents
2. Find the agent ID in the same folder on the server and rm it
3. Restart the agent. (restart the server if you feel like it)

Poof - connections made - everyone happy.
I constantly get the Trying... errors, normally after a new install.
I have a mix of Solaris, AIX, HP-UX, Linux and Windoze.. The uni*
boxes are the ones that do this and I can find no rhyme or reason in
why they do it. The funny thing is, sniffing it shows the traffic, but
the server simply refuses to make the connection until I wipe the RIDS
folders/identities.

This works every time - with a couple of very rare times when I have
to do this AND re-create the key.

Try this and see if it helps.


[ossec-list] any ideas - syslog and secure

2012-01-23 Thread Kat
Any ideas why this won't work if udp 1513 is not bound:

<remote>
   <connection>syslog</connection>
   <port>1513</port>
</remote>

<remote>
   <connection>secure</connection>
</remote>

It only listens on 1514 - and here is the kicker - even if I remove
the secure option, it still won't listen on any other port - no matter
what.
Has me baffled and if I turn on debug level 2 on remote, I still
don't see anything in the logs.

ideas?


[ossec-list] Re: any ideas - syslog and secure

2012-01-23 Thread Kat
Never mind --
You can't use syslog WITHOUT allowed-ips of some sort.

ERROR: No IP or network allowed in the access list for syslog. No
reason for running it. Exiting.



[ossec-list] Re: Now on to AIX .. error compiling 2.6

2012-01-19 Thread Kat
You don't have all the pieces to the gcc compiler installed fully.
You need the compiler and the supporting libraries, etc. That is where
you are getting the cc1 errors.

On Jan 19, 10:02 am, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
    Hi All,
 Well, with RH, SuSE, and Solaris10 out of the way.. now on to AIX5.3...

 I tried compiling the OSSEC package on a AIX 5.3 system
   and I get these errors
   5- Installing the system
  - Running the Makefile

  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
         gcc -c -g -Wall -I../../ -I../../headers
 -DDEFAULTDIR=\/opt/ossec\ -DCLIENT -DUSE_OPENSSL -DAIX -DHIGHFIRST
 -DARGV0=\zlib\ -DXML_VAR=\var\ -DOSSECHIDS *.c
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 gcc: error trying to exec 'cc1': execvp: No such file or directory
 make: 1254-004 The error code from the last command is 1.


[ossec-list] another AR question..

2011-12-23 Thread Kat
Just wondering if there is a simple way that saying in a 5 minute
period - an alert triggers an active response 20 times, I only want
the AR to activate ONCE? I know how to set counters on the alert, but
I don't want to do that. I want the alert to keep logging - but I
don't want the response to run 20 times if the alert triggers.

Thoughts? Comments

Thanks


[ossec-list] Active response arguments - clarification

2011-12-20 Thread Kat
I am baffled --

Below is an alert - which triggered an active response. It should have
executed a block on my pix, but for some reason the IP was lost in
translation so to speak. The Src IP shows up correctly in the alert,
and in the script, it is set via $3, but if I output the string with a
simple echo $0 $1 $2 $3 etc, it shows $3 as being -. Any idea what
might cause this? What am I missing.. The active response triggered
but because it tried to block an IP of - of course the command
choked. Hmm...


--

** Alert 172472951.705506: mail  -
syslog,sshd,authentication_failures,
2011 Nov 17 21:23:39 (myhost.xyzzy.com) 192.168.10.2-/var/log/secure
Rule: 5720 (level 10) - 'Multiple SSHD authentication failures.'
Src IP: 140.215.10.133
User: root
Nov 17 21:23:20 myhost sshd[21204]: Failed password for root from
140.215.10.133 port 54076 ssh2
Nov 17 21:23:04 myhost sshd[21180]: Failed password for root from
140.215.10.133 port 51929 ssh2
Nov 17 21:21:31 myhost sshd[25927]: Failed password for root from
140.215.10.133 port 44496 ssh2
Nov 17 21:20:52 myhost sshd[25882]: Failed password for root from
140.215.10.133 port 39281 ssh2
Nov 17 21:20:22 myhost sshd[20922]: Failed password for games from
140.215.10.133 port 58637 ssh2
Nov 17 21:19:22 myhost sshd[25729]: Failed password for root from
140.215.10.133 port 50943 ssh2
Nov 17 21:17:57 myhost sshd[20693]: Failed password for bin from
140.215.10.133 port 41115 ssh2
Nov 17 21:17:53 myhost sshd[25611]: Failed password for bin from
140.215.10.133 port 39299 ssh2


/var/ossec/active-response/bin/fw-shun.sh add - - 1324351419.705506
5720 (myhost.xyzzy.com) 192.168.10.2-/var/log/secure

The argument settings in the script --

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5


[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
A! ... um, No. :-(

On Dec 20, 10:14 am, dan (ddp) ddp...@gmail.com wrote:
 Is <expect>srcip</expect> set in the command definition?


[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
Something to ponder however -- I thought it was in there - instead
there was an unmatched </expect> on a line within the command
definition - and no error was generated, that is how I missed it.

A bug perhaps?

On Dec 20, 10:21 am, Kat uncommon...@gmail.com wrote:
 A! ... um, No. :-(

 On Dec 20, 10:14 am, dan (ddp) ddp...@gmail.com wrote:

  Is <expect>srcip</expect> set in the command definition?


[ossec-list] odd error on server only

2011-12-16 Thread Kat
Anyone have any idea why a server would ignore the localfiles for
monitoring? I have some alerts that SHOULD be triggering, but they do
not trigger on the server, only on agents. Yes, the config file is the
same. This is as simple as /var/log/secure being monitored for logins/
failures/etc and they never trigger on the server.

?
-K


[ossec-list] Re: odd error on server only

2011-12-16 Thread Kat
3 identical servers ---
  2 work, 1 does not.
  all same OS, built from source.

logtest works on all - so it MUST be something with the config. Going
to enable logging and see what I can find. One question - this
particular server was configured for logging to DB, but then I decided
to not use it so I took the db config out of ossec.conf -- but did NOT
rebuild ossec binaries. Hmm, Perhaps something odd here.

Time to enable_all for logging and see...

On Dec 16, 1:24 pm, dan (ddp) ddp...@gmail.com wrote:
 Are the log messages being pulled in? (enable log_all, and make sure)
 Using ossec-logtest, do the log messages get decoded properly?


[ossec-list] Re: Multiple cores?

2011-12-08 Thread Kat
Yep -- sending 1800 agents to a single server so it has a lot to
analyze. I am finding that this causes many of the agents to show
disconnected because they can't get to the server while it is
processing very busy nodes. So rather than throw additional servers at
it, I have all the cores, but I am maxing out a single core and the
others just sit there. :-(

On Dec 8, 9:09 am, dan (ddp) ddp...@gmail.com wrote:
 OSSEC isn't really built for multiple cores. Are you pushing enough
 data through it to consume a whole core? How many eps?


[ossec-list] Re: help with a filesystem_check rule?

2011-11-30 Thread Kat
You know, I was thinking it was that simple - then I thought - But
wait, it can't be that simple.. And yet sometimes it is.
DOH!

On Nov 28, 2:16 pm, dan (ddp) ddp...@gmail.com wrote:
 <directories>/home/*/.ssh</directories> ?
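
The one-liner above as a complete syscheck fragment, added here as an
example rather than configuration taken from the thread. The attribute
names are OSSEC's own syscheck options; the paths are assumptions. Two
caveats a practitioner will want: the glob is expanded when the agent
starts, so a home directory created later is not watched until
ossec-agentd is restarted, and `report_changes="yes"` is deliberately left
out, because it keeps copies of changed files under /var/ossec/queue/diff
and would duplicate private keys there.

```xml
<ossec_config>
  <syscheck>
    <!-- Only the .ssh directories under /home (plus root's), nothing else
         in /home. Assumed paths; adjust to your layout.
         /home/* is expanded at agent start: restart the agent when a new
         home directory appears, or it is not covered.
         realtime needs inotify support on the agent; without it the
         directory is still checked on the normal syscheck frequency.
         report_changes is intentionally omitted for key material. -->
    <directories check_all="yes" realtime="yes">/home/*/.ssh,/root/.ssh</directories>
  </syscheck>
</ossec_config>
```

Check the result with `grep -i ssh /var/ossec/queue/syscheck/syscheck` on the
agent after a restart: every expanded .ssh path should appear there.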


[ossec-list] help with a filesystem_check rule?

2011-11-21 Thread Kat
Hi all..

Just trying to come up with a way to monitor all .ssh folders in /
home, but NOT monitor anything else in home. I want to keep an eye on
the key files and if they get altered/replaced. I have to think that
someone else has wanted to do this before and already has a regex or
something?

-k


[ossec-list] decoder fails simple test?

2011-11-21 Thread Kat
What am I missing here?

here is the log entry and my very simple decoder just to start and it
fails:

Oct 31 11:22:05 127.0.0.1 W 5219816637.934 elo_581 213.126.45.119 GET /
L/2284/58299/7d/origin-www.freeport.org.adns.net/night.jpg 200
188362153 1 097903 0 ASP/JSP%20source%20code%20leakage LEAKAGE/
SOURCE_CODE - RESPONSE_BODY


<decoder name="WAF1">
  <prematch>^\d\d\d \d\d \d\d:\d\d:\d\d \w+ LEAKAGE/SOURCE_CODE</prematch>
</decoder>


[ossec-list] Re: decoder fails simple test?

2011-11-21 Thread Kat
why is there no way to delete a post you put up when you realize you
made stupid mistakes? Can someone delete this please. Moderators?
Yeah, I guess it would help if I realized some obvious things like my
fields and characters, etc. DOH!

On Nov 21, 1:38 pm, Kat uncommon...@gmail.com wrote:
 What am I missing here?

 here is the log entry and my very simple decoder just to start and it
 fails:

 Oct 31 11:22:05 127.0.0.1 W 5219816637.934 elo_581 213.126.45.119 GET /
 L/2284/58299/7d/origin-www.freeport.org.adns.net/night.jpg 200
 188362153 1 097903 0 ASP/JSP%20source%20code%20leakage LEAKAGE/
 SOURCE_CODE - RESPONSE_BODY

 <decoder name="WAF1">
   <prematch>^\d\d\d \d\d \d\d:\d\d:\d\d \w+ LEAKAGE/SOURCE_CODE</prematch>
 </decoder>


[ossec-list] issue not an issue (agent disconnect)

2011-11-09 Thread Kat
This is more annoying than a real issue, but thought I would ask
anyway.

What would cause agents to show as disconnected after weeks of
working flawlessly with no issues?
I understand it has to do with keep-alive and NOT activity - although
ALL the agents are still sending data and we are not losing anything,
with the exception of the keep-alive. I am trying to understand what
would cause the keep alive from being sent. Is there a setting in the
config some place and maybe I deleted it? (I did update the agent.conf
file when this appeared to start happening) - and yes, the agent.conf
is being copied to all the agents with no issues. This is AIX and
Linux and Solaris - so nothing specific about the OS.

But we are not losing anything, so I am baffled with this...
I think I am just going to quiet the alert and not worry about it.


[ossec-list] Re: AIX 5.3: ossec agent installation problem

2011-11-08 Thread Kat
You need to add /bin/false to the /etc/security/login.cfg
There is a line in the file that says SHELLS and has a list of all
valid shells.


I created a script to run from my nim server to push it out - I do
this, just to have a backup if needed (not the cleanest, but it
works):

# keep a copy, then append /bin/false to the shells list
# (assumes the list currently ends in /bin/bash)
cp /etc/security/login.cfg /etc/security/login.cfg_save
sed 's?/bin/bash$?/bin/bash,/bin/false?g' /etc/security/login.cfg > /etc/security/login.cfg_new
cp -f /etc/security/login.cfg_new /etc/security/login.cfg
rm -f /etc/security/login.cfg_new

cheers
K


[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-31 Thread Kat
I am taking this up on my own to resolve this... Pretty good at RPMs -
working on a solution and a new SPEC file..

More to follow
-K


[ossec-list] Day 2 - my comments..

2011-10-25 Thread Kat
I thought I would share this..

OSSEC has been a huge help not to mention savings. In 2 very large
cases - over 3000 nodes - OSSEC has replaced Tripwire as the
Filesystem check, and because of all the fantastic features it adds,
it brings even more ROI to the teams involved.

In several instances, Tripwire was core dumping and sucking up CPU for
reasons TW was never able to resolve, and as OSSEC rolled out to
replace it - not only did the audit teams like it, but so did Sys
Admins, as they now had a tool to bring sense to log files of over
3000 systems. Using it with the 500 meg version of licensed Splunk and
the OSSEC app, the reporting tools provide everything we need to meet
compliance requirements. I especially find the command as a logfile
ability of OSSEC being able to also replace some of the monitoring
tools so we can remove a bit more overhead.

Although the DB integration is also a plus, because the feeds go into
Splunk, that was not a huge requirement, HOWEVER, in testing up front,
I worked with the Logzilla team to provide the same OSSEC App
features that Splunk provides in the Logzilla project. So if you are
looking for a cheaper solution rather than Splunk, you should take a
look at Logzilla (logzilla.pro) to bring the collection portion of all
the syslog data into a very neat and powerful interface.

Bottom line - with OSSEC spread out in the enterprise, and some of the
other tools on the server end to provide the reporting and searching
for historical information - this is a WIN-WIN situation all around.

I am sure some folks have wondered about the load that OSSEC Manager
can handle - well, my largest instance is handling just over 3000
nodes and the smaller one around 1700 nodes. Just scale the hardware.
The biggest issue is fine-tuning all the false positives, and I am
looking to build a tool for a more simple rule tuning method.
Specifically something that pulls out the specific rule that is firing
into a web interface, then opens a screen and allows you to move the
specific parts into another rule, which is then placed in the proper
location of the local_rules file.  When you have 3000 nodes, managing
false positives and fine tuning rules can be a bit cumbersome having
to edit files and reload, etc.  Of course when I finish this tool
I will be contributing back to the project and offer it out for
others...

That's my 3 cents (I hate even numbers) for how OSSEC has helped me
during the week of OSSEC.

cheers
~K


[ossec-list] Best way to alert all sudo su

2011-10-25 Thread Kat
Simple(?) question...

Looking for the best way to log all sudo su - someuser.
Obviously, it already flags sudo root, but I am looking to track all
the users who are authorized to sudo to other accounts and when they
do it. I could modify the syslog_rules - which worked, but since that
is a bad thing to do, I was wondering if someone has the best
local_rule format to do this without making changes to syslog_rules.

thanks
~K


[ossec-list] mysql connect

2011-10-20 Thread Kat
Hmm, if you can do

mysql -u ossecuser -p
and login to mysql

then why can't ossec connect with the same info?
ossec-dbd(5202): ERROR: Error connecting to database

??


[ossec-list] Re: mysql connect

2011-10-20 Thread Kat
it gets weirder - it connects, drops, connects, gens an error, then
does it again

I have found some of these around the net. Others have reported it,
but have not found definitive fixes - anyone else seeing this?

2011/10/20 10:46:58 ossec-dbd: Connected to database 'ossec' at
'localhost'.
2011/10/20 10:46:59 ossec-dbd: INFO: Started (pid: 10527).
2011/10/20 10:47:00 ossec-dbd(5210): INFO: Attempting to reconnect to
database.
2011/10/20 10:47:00 ossec-dbd(5202): ERROR: Error connecting to
database 'localhost'(ossec): ERROR: Unknown MySQL server host
'localhost' (0).

On Oct 20, 9:36 am, Kat uncommon...@gmail.com wrote:
 Hmm, if you can do

 mysql -u ossecuser -p
 and login to mysql

 then why can't ossec connect with the same info?
 ossec-dbd(5202): ERROR: Error connecting to database

 ??


[ossec-list] Re: Multiple instances of OSSEC running on a single system

2011-10-19 Thread Kat
did something similar using the smaller version of splunk (500 meg) -
stuck with a single server, but created dashboards inside splunk to
split the appropriate alerts.
Something to think about.

On Oct 19, 9:27 am, Sherman Butler sbut...@cequint.com wrote:
 I'm wondering if it's possible to have multiple instances of server or client 
 running on the same host?  Systems are x86 intel running x86 Solaris, no 
 windows systems involved.

 We have two different groups of people using OSSEC for different issues.  One 
 group are the system admins and just want to see the basic system alerts and 
 errors that are logged through syslog, the other group is the application 
 admins and they want to see the error messages from their applications which 
 also log to syslog.  The problem is the number of application messages making 
 it into syslog and therefore to OSSEC make it very difficult to pick out the 
 relevant alerts the system admins would like to see.

 We thought if we could set up two instances of server and client we could 
 separate the differing requirements.  Anyone know if this is possible?

 Sherman Butler


[ossec-list] Re: re-create queue folders..

2011-10-19 Thread Kat
it sucked up over 2G and was still running!

On Oct 19, 8:49 pm, dan (ddp) ddp...@gmail.com wrote:
 # ls -l /var/ossec/queue
 total 36
 drwxr-xr-x   2 ossecr  ossec   512 Oct 18 18:56 agent-info
 drwxr-xr-x   2 ossec   ossec   512 Feb 14  2011 agentless
 drwxrwx---   2 ossec   ossec   512 Oct 17 10:22 alerts
 drwxr-x---  10 ossec   ossec   512 Oct 11 09:53 diff
 drwxr-x---   2 ossec   ossec   512 Feb 14  2011 fts
 drwxrwx---   2 ossec   ossec   512 Oct 17 10:22 ossec
 drwxr-xr-x   2 ossecr  ossec   512 Oct 18 18:55 rids
 drwxr-x---   2 ossec   ossec   512 Oct 18 18:57 rootcheck
 drwxr-x---   2 ossec   ossec  1024 Oct 19 17:07 syscheck

 I'm not sure why a large syscheck would have necessitated destroying
 the entire directory. An in place upgrade (rerun install.sh and let it
 upgrade the system) might also work.


[ossec-list] Re: re-create queue folders..

2011-10-19 Thread Kat
Oh and re-install with Update does not fix it - it won't re-create
the folders, it only copies what it needs to - i.e. UPDATE. And of
course if you tell it NOT to update, you lose your client keys..
*sigh*


[ossec-list] Re: latest spec file - 2.6?

2011-10-14 Thread Kat
Very glad I seemed to spark some interest in getting the SPEC files
updated. It just makes for a much nicer/cleaner release for 2.6 since
the SPEC is very old there and missing compiles of a lot of the newer
features.

Thanks to all and if I can help, just let me know.

-K

