[ossec-list] Re: Logtest behaves differently than analysisd with compiled rules
Thank you for your reply,

On 15 Jun, 14:31, Daniel Cid daniel@gmail.com wrote:

Hi Stefano,

Can you send some of the logs you are trying to parse?

Yes, sure:

    WinEvtLog: Security: AUDIT_SUCCESS(538): Security: my.username: AOSS: AS2SA: User Logoff: User Name: my.username Domain: AOVV Logon ID: (0x0,0x85A659B) Logon Type: 3

The result of the match should change depending on whether the line my.username exists in the file /var/ossec/adslist or not.

Also, your code has some serious security issues in there. I recommend that you double check it before putting it in production (e.g. strcpy should not be used).

Thank you for the information. Sure, I'll check it again.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 28, 2010 at 10:16 AM, Stefano Pedretti stefano.pedre...@gmail.com wrote:

Here is the code of the compiled rule:

    #include "shared.h"
    #include "eventinfo.h"
    #include "config.h"
    #include <stdio.h>
    #include <string.h>
    #include <strings.h>

    /* Compiled rule: returns the event if lf->dstuser appears (case-insensitively)
     * as a line of the list file, NULL otherwise.
     * NOTE: ossec-analysisd runs chrooted to the OSSEC directory as an
     * unprivileged user, so an absolute path is resolved inside that chroot
     * and the file must be reachable and readable there. */
    void *logman(Eventinfo *lf)
    {
        static const char filename[] = "/var/ossec/adslist";
        char user[128];
        char line[128];
        Eventinfo *lfr = NULL;
        FILE *file;

        if (!lf->dstuser || lf->dstuser[0] == '\0') {
            return NULL;
        }

        /* Bounded copy instead of strcpy: a dstuser longer than the buffer
         * would otherwise overflow the stack. Reject it rather than truncate,
         * since a truncated name could match the wrong list entry. */
        if (strlen(lf->dstuser) >= sizeof user) {
            return NULL;
        }
        strncpy(user, lf->dstuser, sizeof user - 1);
        user[sizeof user - 1] = '\0';

        file = fopen(filename, "r");
        if (file == NULL) {
            perror(filename);
            return NULL;
        }

        while (fgets(line, sizeof line, file) != NULL) {
            /* Strip the line terminator; this also handles CRLF and a last
             * line without a trailing newline, which the old
             * strlen(line)-1 test did not. */
            line[strcspn(line, "\r\n")] = '\0';

            /* Case-insensitive compare replaces the manual tolower() loop. */
            if (strcasecmp(user, line) == 0) {
                lfr = lf;
                break;
            }
        }
        fclose(file);

        return lfr;
    }

On 26 May, 11:00, Stefano Pedretti stefano.pedre...@gmail.com wrote:

Hi all,

Using OSSEC I found a limitation on the length of a regexp, so I'm writing my own compiled rule for my purpose. This code simply compares the dstuser field with a list of users in a file. I tested my C rule with ossec-logtest and it works fine, but no match appears at all when events come from agents. Every time I modify the rule's C source I reinstall everything, using the install.sh script. Has someone found a similar behaviour? Is there a trick to avoid that?

Thank you!

--
- Pedretti Stefano
stefano.pedre...@gmail.com
PGP Fingerprint: 5B00129E
http://paroledisilicio.wordpress.com
Skype: ste.pedro83
mobile: +393292348186
-
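The list-lookup logic at the heart of the compiled rule above, rewritten as a stand-alone C program so it can be exercised against the edge cases the posted version mishandled: an overlong dstuser (the strcpy overflow Daniel points at), a CRLF-terminated list, a last line with no trailing newline, and a list line longer than the read buffer. This is an added example, not OSSEC code and not the poster's rule; the list contents and user names are constructed, and the function names (user_in_list, user_in_list_str) and the 128-byte USER_MAX are this example's own choices, the size chosen to match the buffers in the original rule.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 128              /* same buffer size as the posted rule */

/* Strip "\n" or "\r\n" so the last line of a file without a trailing
 * newline compares the same way as the others. */
static void chomp(char *s)
{
    s[strcspn(s, "\r\n")] = '\0';
}

static void lowercase(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Return 1 if `user` matches a line of the stream (case-insensitive),
 * 0 if it matches none, and -1 on a malformed input: an empty/NULL or
 * overlong user, or a list line longer than the buffer (which fgets would
 * otherwise silently split into two "lines"). */
int user_in_list(const char *user, FILE *fp)
{
    char want[USER_MAX], line[USER_MAX];

    if (user == NULL || *user == '\0' || strlen(user) >= sizeof want)
        return -1;
    /* Bounded copy; strcpy in the original had no such limit. */
    snprintf(want, sizeof want, "%s", user);
    lowercase(want);

    while (fgets(line, sizeof line, fp) != NULL) {
        if (strchr(line, '\n') == NULL) {
            /* No newline: either the final unterminated line (fine) or a
             * line that did not fit the buffer (reject). */
            if (getc(fp) != EOF)
                return -1;
        }
        chomp(line);
        lowercase(line);
        if (strcmp(want, line) == 0)
            return 1;
    }
    return 0;
}

/* Same check over an in-memory list, for testing without a file. */
int user_in_list_str(const char *user, const char *list)
{
    FILE *fp = fmemopen((void *)list, strlen(list), "r");
    int rc;

    if (fp == NULL)
        return -1;
    rc = user_in_list(user, fp);
    fclose(fp);
    return rc;
}

int main(void)
{
    /* Constructed list: a CRLF line, a mixed-case entry and an unterminated
     * last line, the three shapes the strlen(line)-1 test got wrong. */
    static const char list[] = "admin\r\nMy.Username\nsvc_backup";

    printf("my.username -> %d\n", user_in_list_str("my.username", list));
    printf("svc_backup  -> %d\n", user_in_list_str("svc_backup", list));
    printf("nobody      -> %d\n", user_in_list_str("nobody", list));
    return 0;
}
```

Build with `gcc -Wall -o userlist userlist.c` and run it; the three lookups print 1, 1 and 0. When the same logic is compiled into a rule, remember that ossec-analysisd runs chrooted to the OSSEC directory as an unprivileged user (the maild log further down this page shows the same chroot for ossec-maild), so the list's absolute path is resolved inside that chroot and must be readable by that user; a rule that opens the file fine under one tool and never matches under another is worth checking for that first.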
Re: [ossec-list] Intermittent e-mail notifications. How to set up e-mail notifications properly?
Yes, there are plenty, but all the same. It's a message that states "ERROR: Error Sending email to 74.125.43.27 (smtp server)", nothing else, even with debug mode turned on.

    2010/06/25 06:18:21 ossec-maild: DEBUG: Starting ...
    2010/06/25 06:18:21 ossec-maild: INFO: Chrooted to directory: /var/ossec, using user: ossecm
    2010/06/25 06:18:21 ossec-maild: INFO: Started (pid: 3266).
    2010/06/25 06:18:40 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
    2010/06/25 06:19:46 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
    2010/06/25 06:21:46 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
    2010/06/25 06:22:17 ossec-maild(1223): ERROR: Error Sending email to 74.125.43.27 (smtp server)
    2010/06/25 06:22:27 ossec-maild(1223): ERROR: Error Sending email to 74.125.43.27 (smtp server)
    2010/06/25 06:25:10 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
    2010/06/25 06:25:30 ossec-rootcheck: INFO: Starting rootcheck scan.
    2010/06/25 06:28:58 ossec-rootcheck: INFO: Ending rootcheck scan.

I'm wondering what causes the error. The error message itself isn't really helpful.

On Thursday 24 June 2010 16:52:00 dan (ddp) wrote:

Are there any errors in ossec.log regarding email? Have you tried running the daemon in debug mode? OSSEC's email daemon is pretty bare bones, so it might be worthwhile to route it through the system's smtpd.

On Tue, Jun 22, 2010 at 3:19 AM, Ivan Lezhnjov Jr. ivan.lezhnjov...@gmail.com wrote:

Hey guys!

I've been using OSSEC for a while on two Linux-based routers and I noticed that e-mail notifications on one of them are working almost perfectly, meaning that e-mail notifications are sent out and OSSEC can connect to GMail's SMTP server, but there's a problem. At irregular intervals OSSEC fails to connect to GMail's SMTP. The second machine wasn't able to send out even a single e-mail notification.

Both machines use identical configuration (my e-mail address was mangled to spam-protect myself):

    <global>
      <email_notification>yes</email_notification>
      <email_to>1v4n.l3zhnj0v...@gm4il.com</email_to>
      <smtp_server>gmail-smtp-in.l.google.com</smtp_server>
      <email_from>sega.security.gu...@gmail.com</email_from>
    </global>

Each machine is located in a different network (autonomous systems/ISPs). I have trouble seeing why one machine would send out e-mail notifications successfully, albeit sometimes failing due to its inability to connect to the specified SMTP server, so I thought I'd ask here. Also, why the other machine never succeeded at sending even a single e-mail notification remains a complete mystery to me. It simply doesn't make sense when I try to approach and understand this issue with traditional knowledge of the e-mail infrastructure workflow. Identical configurations.

My goal is to have robust and working e-mail notifications. So, I've been wondering for a while why OSSEC works so unreliably with GMail's SMTP and whether it's the same story with any other SMTP (I never tried any other). Also, I've been thinking about setting up my own SMTP server on these two routers, but I'm not really sure what kind of setup I should aim for and/or if this will help at all. I'd appreciate it if someone gave a hint on this.

--
Ivan Lezhnjov Jr.
Europe, Ukraine, Simferopol
+--+
Key ID 0x5811D90C
Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C
Use GPG Exercise Your Right To Privacy
Re: [ossec-list] ossec-maild version 2.4.1 dies frequently
Anything in the logs around the time of the crash?

On Thu, Jun 24, 2010 at 2:05 PM, Gil Vidals gvid...@gmail.com wrote:

After upgrading my server to OSSEC Version 2.4.1, the ossec-maild daemon dies frequently each day. Nothing else I am aware of in my system has changed. Is anyone else experiencing ossec-maild dying? Is there a solution to this problem you are aware of?

Thanks,
Gil Vidals
VM Racks - ESX Hosting
[ossec-list] Centralized agent configuration: How to overwrite complete local configuration?
Hi,

I tried out the centralized agent configuration today. I saw that the local and the centralized configuration are merged. Is there an option to completely ignore/overwrite the local configuration? In my case I want to remove a locally configured localfile option.

Best Regards,
Thomas
[ossec-list] Active responses timing out earlier than configured
Hello,

We have our active responses set to time out at 86,400 seconds (24 hours). However, I notice that they are timing out after only 20 hours. Can OSSEC only handle a fixed number of current active responses at one time, so that it immediately expires current active responses in order to make room for new ones? Or is this a bug?

Cheers!
Trevor
[ossec-list] Moving OSSEC to another location?
Hi *,

I've been running an OSSEC instance for a while. Installation has been done in /usr/local/ossec/. Now, for performance reasons, I'd like to move the whole thing to another filesystem. The easy way is to move the ossec/ directory and symlink it. But is there a procedure to really reconfigure it with the new location?

Tx,
Xavier

--
My server is comscript src=http://owned.cn/js.jspletely secure.