Re: [ossec-list] Send to different email

2010-06-24 Thread Mathieu D
Thank you, the tutorial is unfortunately very small.
Do you know in which file I have to configure this? (It's not mentioned.)
And what is the command to filter per host? (In the tutorial only rule_id,
format and level are mentioned as filters.)
Thank you again! :)

On 24 June 2010 00:56, Nerijus Krukauskas  wrote:

> Hi,
>
> On Wed, June 23, 2010 11:56, Mathieu D wrote:
> > Hello all,
> >
> > We are using OSSEC in our company and I would like to know how to send
> > notifications to different people according to the machine name.
> >
> > For example:
> > the notifications for the host myexchange.mycompany.com are sent to
> > t...@gmail.com and
> > the notifications concerning the host myactivedirectory.mycompany.com
> > are sent to geo...@hotmail.com
> > etc...
> >
> > Is it possible? If yes, could you tell me the procedure to do so?
> >
> > Thanks a lot to all the community!
>
> Read here: http://www.ossec.net/dcid/?p=75. It should answer your
> question. :)
>
> --
> http://nk99.org/
>
>
>


[ossec-list] Re: Ignore Rule for Server/Client Setup

2010-06-24 Thread
Great, thanks for the advice, the ignore rules seem to be working now.


Re: [ossec-list] Re: email alert level question

2010-06-24 Thread Assaf Flatto


Since your email is the one in the global <email_to> setting,
you will get all emails being sent out by ossec.

Change that setting to a different email and then you will only get the
emails for the level you specified in the second definition.



Assaf

Vlad wrote:

Thanks, but have set the level to 3 and still get level 2 alerts.

Cheers,

Leo


  


--

Assaf Flatto 
Linux System Administrator


Re: [ossec-list] ossec.conf

2010-06-24 Thread dan (ddp)
sudo generally logs in syslog format. You'd probably want:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/sudo.log</location>
  </localfile>

If that doesn't seem to work, post a couple of entries from sudo.log.
You can also run the log entries from sudo.log through ossec-logtest
to see how they are decoded.

On Tue, Jun 22, 2010 at 3:38 PM, dasselin  wrote:
> Hi list
>
> I'm new to OSSEC. I installed it on a Solaris 10 server with several Sun
> clients and some Windows also. I have a simple question and I did not
> find it in the documentation.
>
> It pertains to ossec.conf and the log format. What are the formats that
> are accepted by ossec, example below. Can syslog be replaced by sudo?
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>sudo</log_format>
>     <location>/var/adm/sudo.log</location>
>   </localfile>
>
> Thank you for any help
> Dan
>


Re: [ossec-list] File integrity checking on the log files

2010-06-24 Thread dan (ddp)
On Tue, Jun 22, 2010 at 2:46 PM, Richard Geddes  wrote:
> Hello,
>
> The "OSSEC PCI Solution" pdf says that ossec can help with, among other
> sections, section 10.5.
>
> From PCI:
> "10.5.5 Use file-integrity monitoring or change-detection software on logs
> to ensure that existing log data cannot be changed without generating alerts
> (although new data being added should not cause an alert). "
>
>
> the syscheck section of my test host:
>
>   <syscheck>
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>     <directories check_all="yes">/var/log</directories>
> ...
>   </syscheck>
>
>
> After restarting ossec, I'm getting ossec alerts about files changing in
> /var/log/.
>
> Question: Does ossec take into account the changing nature of logs?  It
> looks like a flat hash check.  If so, how would ossec help with monitoring
> log file integrity(PCI 10.5.5)?
>
> Also, about an hour ago I modified /bin/login with hexedit, verified that
> the hash had changed, and ossec did not generate an alert. Any ideas?
>
> Thanks
>
> --
> Richard Geddes
> BlueGolf - www.BlueGolf.com
> rged...@bluegolf.com | 610-293-0998 | 610-293-0987 (fax)
>

It looks to me (and I don't deal with PCI) that 10.5.5 is not exactly
covered by OSSEC.
OSSEC does not hash the entries in the log files or anything, so if
you add /var/log to syscheck, you will get alerts every time an event
is written to the log file. If the inode of the log file changes,
OSSEC may re-open the log file from the beginning (thinking the old
one was rotated away). Not all editors will write the file to a new
inode though (there was a thread about this a while back).

Do you have syscheck set up to ignore files after 3 changes? If so,
login may be in that ignored state. syscheck_control might be able to
give you more information.
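
An added example, not OSSEC code, that illustrates dan's point that syscheck is a whole-file hash and what PCI 10.5.5 actually asks for: an append-aware check that records a log file's size and the SHA-256 of its first SIZE bytes, then on re-check treats growth with an unchanged prefix as a legitimate append, a shrink as truncation, and a changed prefix as modification of existing data. It is POSIX shell relying on GNU coreutils (head -c, sha256sum); the state path and the sample log lines are constructed for illustration. (For the /bin/login question, the OSSEC-side knob dan hints at is syscheck's <auto_ignore> option, which by default stops reporting a file after three changes.)

```shell
#!/bin/sh
# Added example, not OSSEC code. Append-aware integrity check for a log file.
# OSSEC syscheck compares a hash of the whole file, so every appended line is
# a "change". PCI 10.5.5 wants an alert when existing log data is altered, but
# not when new data is appended. Record the size and the SHA-256 of the first
# SIZE bytes; later, hash the same byte range again:
#   size shrank            -> TRUNCATED    (rotation or tampering; alert)
#   prefix hash differs    -> MODIFIED     (existing data altered; alert)
#   prefix same, file grew -> OK-APPEND    (normal logging)
#   prefix same, same size -> OK-UNCHANGED
# Assumes GNU coreutils (head -c, sha256sum) on the monitored host.

# prefix_hash FILE NBYTES  -- SHA-256 of the first NBYTES bytes of FILE
prefix_hash() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# logcheck_baseline FILE  -- prints "SIZE HASH" to store for the next check
logcheck_baseline() {
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s %s\n' "$size" "$(prefix_hash "$1" "$size")"
}

# logcheck_verify FILE SAVED_SIZE SAVED_HASH  -- prints a verdict; exit 1 on alert
logcheck_verify() {
    f=$1
    saved_size=$2
    saved_hash=$3
    cur_size=$(wc -c < "$f" | tr -d ' ')
    if [ "$cur_size" -lt "$saved_size" ]; then
        echo TRUNCATED
        return 1
    fi
    # re-hash only the byte range that existed at baseline time
    if [ "$(prefix_hash "$f" "$saved_size")" != "$saved_hash" ]; then
        echo MODIFIED
        return 1
    fi
    if [ "$cur_size" -gt "$saved_size" ]; then
        echo OK-APPEND
    else
        echo OK-UNCHANGED
    fi
    return 0
}

# Typical cron use (assumed paths): after each clean check, refresh the
# baseline so the protected prefix follows the file as it grows.
#   state=/var/lib/logcheck/auth.log.state
#   set -- $(cat "$state")
#   logcheck_verify /var/log/auth.log "$1" "$2" && \
#       logcheck_baseline /var/log/auth.log > "$state"
```

Rotation shows up as TRUNCATED, so the cron job should reset the baseline right after logrotate runs (or key the state on the inode) rather than treat every rotation as an incident.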


Re: [ossec-list] Re: email alert level question

2010-06-24 Thread dan (ddp)
Do you get all level 2 alerts, or only the ones where the rule
specifies that it will send an email?

On Wed, Jun 23, 2010 at 9:33 AM, Vlad  wrote:
> Thanks, but have set the level to 3 and still get level 2 alerts.
>
> Cheers,
>
> Leo
>
>


Re: [ossec-list] Send to different email

2010-06-24 Thread dan (ddp)
Configuration for the ossec server is generally done in ossec.conf.
Try:
<event_location>qwerty</event_location>
where qwerty is the agent name of the system sending the alert.

On Thu, Jun 24, 2010 at 4:01 AM, Mathieu D  wrote:
> Thank you, the tutorial is unfortunately very small.
> Do you know in which file I have to configure this? (It's not mentioned.)
> And what is the command to filter per host? (In the tutorial only rule_id,
> format and level are mentioned as filters.)
> Thank you again! :)
>
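
An added example (not from this thread and not OSSEC's own code) that puts dan's answer, and the earlier "email alert level" exchange, into runnable form: a POSIX shell helper that emits granular <email_alerts> blocks keyed on <event_location> (the agent name, hostname or IP the alert came from), optionally restricted with <level>, and appends them to ossec.conf in front of the closing </ossec_config>. The agent names and addresses follow the thread; the routes-file format and all paths are assumptions. Assaf's point above still applies: whatever address sits in the global <email_to> receives every alert at or above <email_alert_level>, so a recipient who should only see a subset must not also be the global address.

```shell
#!/bin/sh
# Added example, not from the ossec-list thread or the OSSEC project.
# Emits OSSEC granular <email_alerts> blocks that route alerts by the agent
# (or hostname/IP) they originated from, optionally restricted to a minimum
# level, and appends them to an ossec.conf before the closing </ossec_config>.
# Routes file format (assumption): one "AGENT EMAIL [LEVEL]" per line,
# '#' starts a comment line.

# route_block AGENT EMAIL [LEVEL]  -- print one granular block on stdout
route_block() {
    agent=$1
    email=$2
    level=$3
    printf '  <email_alerts>\n'
    printf '    <email_to>%s</email_to>\n' "$email"
    # event_location matches where the alert came from:
    # the agent name, the hostname or the IP address
    printf '    <event_location>%s</event_location>\n' "$agent"
    if [ -n "$level" ]; then
        # only alerts at this level or higher reach this recipient
        printf '    <level>%s</level>\n' "$level"
    fi
    printf '  </email_alerts>\n'
}

# append_routes CONF ROUTES  -- rewrite CONF with the new blocks inserted
append_routes() {
    conf=$1
    routes=$2
    tmp="$conf.tmp.$$"
    # keep everything except the closing tag, add the blocks, close again
    grep -v '</ossec_config>' "$conf" > "$tmp"
    while read -r agent email level; do
        case $agent in
            ''|'#'*) continue ;;
        esac
        route_block "$agent" "$email" "$level"
    done < "$routes" >> "$tmp"
    printf '</ossec_config>\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Example run against the thread's two hosts (constructed input, assumed path):
#   printf 'myexchange t@example.com\nmyactivedirectory geo@example.com 7\n' > routes
#   append_routes /var/ossec/etc/ossec.conf routes
```

Restart the server afterwards (/var/ossec/bin/ossec-control restart) so ossec-maild rereads the configuration; each block adds a recipient on top of the global one rather than replacing it.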


Re: [ossec-list] Intermittent e-mail notifications. How to set up e-mail notifications properly?

2010-06-24 Thread dan (ddp)
Are there any errors in ossec.log regarding email? Have you tried
running the daemon in debug mode?

OSSEC's email daemon is pretty bare bones, so it might be worthwhile
to route it through the system's smtpd.

On Tue, Jun 22, 2010 at 3:19 AM, Ivan Lezhnjov Jr.
 wrote:
> Hey guys!
>
> I've been using OSSEC for a while on two Linux based routers and I noticed
> that e-mail notifications on one of them are working almost perfectly, meaning
> that e-mail notifications are sent out and OSSEC can connect to GMail's
> SMTP server, but there's a problem. At irregular intervals OSSEC fails to
> connect to GMail's SMTP.
>
> The second machine wasn't able to send out even a single e-mail notification.
>
> Both machines use identical configuration (my e-mail address was mangled to
> spam-protect myself):
>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>1v4n.l3zhnj0v...@gm4il.com</email_to>
>     <smtp_server>gmail-smtp-in.l.google.com</smtp_server>
>     <email_from>sega.security.gu...@gmail.com</email_from>
>   </global>
>
> Each machine is located in a different network (autonomous systems/ISPs).
>
> I have trouble seeing why one machine would send out e-mail notifications
> successfully, albeit sometimes it fails to, due to its inability to connect to
> the specified SMTP server, so I thought I'd ask this here.
>
> Also, why another machine never succeeded at sending at least a single e-mail
> notification remains a complete mystery to me. It simply doesn't make sense
> when I try to approach and understand this issue with the "traditional"
> knowledge of e-mail infrastructure workflow. Identical configurations
>
> My goal is to have robust and working e-mail notifications. So, I've been
> wondering for a while why OSSEC works so unreliably with GMail's SMTP and if
> it's the same story with any other SMTP (I never tried any other).
>
> Also, I've been thinking about setting up my own SMTP server on these two
> routers but I'm not really sure what kind of setup I should aim for and/or if
> this will help at all. I'd appreciate it if someone gave a hint on this.
>
> --
>
>  Ivan Lezhnjov Jr.
>
>  Europe, Ukraine, Simferopol
>
> +--+
>
>           Key ID 0x5811D90C
>  Key Fingerprint 2A52 5C8C 38BE C04F D8DE  A169 19E2 E49A 5811 D90C
>          Use GPG Exercise Your Right To Privacy
>


[ossec-list] Re: OSSEC & Splunk integration

2010-06-24 Thread Jim Harris
On Apr 11, 7:31 pm, Paul Southerington  wrote:
>
> I've actually been considering making it do that out-of-the-box.  If other
> people want that, please let me know.
>
> Right now, you can search on 'reporting_host' instead, or you can try the
> following. I haven't really tested this yet, so let me know if you have
> issues:
>

To Paul, first, I wanted to thank you for your work!  I specifically
wanted to provide feedback that yes, I would personally love to see
this configured out of the box - or even better yet, a feature that
can simply be "switched on".   While your out-of-box configuration is
arguably more "to spec", in practice within my own environment, I find
this way to be more useful.  I am running OSSEC and Splunk on the same
machine, so I followed your instructions with the plug-in to do direct
parsing of the log files, along with your instructions below, and
everything is working perfectly.  I did modify the transform names
from *syslog* to *locallog* for my own tracking, but other than that,
your instructions worked perfectly.

Again, thank you very much for your work on this project!
-Jim


[ossec-list] ossec-maild version 2.4.1 dies frequently

2010-06-24 Thread Gil Vidals
After upgrading my server to OSSEC Version 2.4.1, the ossec-maild daemon
dies frequently each day. Nothing else I am aware of in my system has
changed. Is anyone else experiencing ossec-maild dying? Is there a solution
to this problem you are aware of?

Thanks,

Gil Vidals
VM Racks - ESX Hosting


[ossec-list] firewall-drop.sh and iptables

2010-06-24 Thread tm
Hello,

My organization is currently under an ssh brute force attack (over a
week in duration, so far).  We are encountering a problem with the
firewall-drop.sh script and iptables under RHE and SuSE.

First, we have increased the active response duration from 10 minutes
to 24 hours because the attacker is re-using IP addresses.  We are
seeing something like a memory leak in a program.  If we shut down the
OSSEC agent on a RHE or SuSE host, we are seeing a lot of rules still
in the iptables filter table when there should be none since the agent
terminates all active responses when it shuts down.  We are seeing
something similar on our OSSEC server which runs on a RHE host.

Meanwhile, this problem does not appear on our Solaris hosts running
OSSEC agents.

I investigated the firewall-drop.sh script and found that when the OS
is Linux, the script retries 5 times both for adding a rule to the
input and forward chains and for removing a rule from the input and
forward chains.  Under Solaris and AIX no such retry or error
detection scheme is used.

During the brute force attack, I monitored the active-response logs on
agents running under SuSE and RHE.  There were frequent times when
this retry mechanism was activated, sometimes running out of the 5
retry attempts on one or both chains.

Is iptables not synchronous?  Is that why the retry logic exists in
firewall-drop.sh?

Is ipf (Solaris equivalent) synchronous?  Is that why there is no
retry logic or even error checking logic in firewall-drop.sh?

I have tried to remedy the situation by wrapping a flock() around the
Linux part of firewall-drop.sh.  So far, this fix seems to be working.

Does anyone else have similar experiences with iptables in a busy
environment such as an ssh brute force attack?

Thanks,
Trevor
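
An added example (not OSSEC's firewall-drop.sh) of the flock approach Trevor describes, with one further hardening: the add and delete are made idempotent with iptables -C, so two copies of the response racing each other cannot leave a duplicate DROP rule that a single later delete would miss. Whether that race is the real cause of the leftover rules in this thread is not established; it is one explanation consistent with what is described. The lock file path and the IPTABLES variable are assumptions, and iptables -C requires iptables 1.4.11 or later (older RHEL/SuSE builds have to test for the rule by parsing iptables -L -n instead).

```shell
#!/bin/sh
# Added example, not OSSEC's firewall-drop.sh. Serializes the iptables calls
# of an active response with flock(1) and makes add/delete idempotent, so
# copies of the response that ossec-execd starts concurrently cannot race
# each other into duplicate DROP rules (a duplicate survives a single later
# delete). Offered as one consistent explanation of leftover rules, not as a
# confirmed cause. IPTABLES and LOCKFILE are assumptions and may be overridden.
# Note: "iptables -C" needs iptables >= 1.4.11; older builds must detect the
# rule by parsing "iptables -L -n" output instead.

IPTABLES=${IPTABLES:-/sbin/iptables}
LOCKFILE=${LOCKFILE:-/var/lock/ossec-firewall-drop.lock}

# rule_present CHAIN IP  -- true if "CHAIN -s IP -j DROP" already exists
rule_present() {
    "$IPTABLES" -C "$1" -s "$2" -j DROP 2>/dev/null
}

# fw_rule add|delete IP  -- returns 0 when the requested state holds afterwards
fw_rule() {
    action=$1
    ip=$2
    (
        # fd 9 is the lock; block until any other running copy has finished
        flock -x 9 || exit 2
        for chain in INPUT FORWARD; do
            case $action in
                add)
                    # insert only if absent, so re-running the response is harmless
                    rule_present "$chain" "$ip" || \
                        "$IPTABLES" -I "$chain" -s "$ip" -j DROP || exit 1
                    ;;
                delete)
                    # remove every copy, so rules duplicated by an earlier race go too
                    while rule_present "$chain" "$ip"; do
                        "$IPTABLES" -D "$chain" -s "$ip" -j DROP || exit 1
                    done
                    ;;
                *)
                    echo "usage: fw_rule add|delete IP" >&2
                    exit 64
                    ;;
            esac
        done
    ) 9>"$LOCKFILE"
}

# OSSEC calls active-response scripts as: SCRIPT ACTION USER SRCIP
# so the Linux branch of firewall-drop.sh would reduce to:
#   case $1 in add|delete) fw_rule "$1" "$3" ;; esac
```

The lock is per host, so it also covers the agent's own shutdown cleanup running at the same time as a late response; with the 24-hour timeout in the thread, the delete path above is the one that has to be reliable.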


[ossec-list] Silent Windows agent install

2010-06-24 Thread Kovac
Please, I need to install the Windows agent on hundreds of XP clients that don't
have a real desktop. Is there any non-GUI install out there, or examples of a
way to copy the files, make the reg change, and create and start the service? Thanks
Christian