[ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged
Hi OSSEC users and Dan,

High-level background of my current setup:

- Several OSSEC servers are running on Solaris
- OSSEC agents are running on Solaris and reporting to the above OSSEC servers
- Running /opt/ossec/bin/agent_control -lc shows the agents are connecting to the server
- File integrity check is enabled and several configuration files are being monitored. One of the files being monitored is syslog-ng.conf

My problem:

Recently I find that more than one OSSEC server detects changes on this syslog-ng.conf file (this file is installed on all OSSEC clients). However, when I run the command below, it doesn't tell me what exactly is changed. I have also checked the file integrity myself and I also don't see anything wrong.

* Output from the OSSEC server *

    [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f /opt/syslog-ng/conf/syslog-ng.conf

    Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
    Detailed information for entries matching: '/opt/syslog-ng/conf/syslog-ng.conf'

    2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf
    2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
    File changed.
    [root@myserver ~]#

* Output from the OSSEC agent *

    root@myagent% pwd
    /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
    root@spewgp2c35% ls -arlt
    total 8
    -rw-rw-r--   1 root     other       1488 Jun 28  2011 last-entry
    drwxrwx---   3 root     other        512 Jun 28  2011 ..
    drwxrwx---   2 root     other        512 Jun 28  2011 .
    root@myagent%

My question: Why is there no integrity change detected, but the OSSEC servers report the file is changed?

Regards,
Marcos
[ossec-list] Decoding log
I have tried for a few weeks to decode one Magento log with no luck. I have searched for more than 2 weeks for a solution to this problem. If anyone can help, I appreciate it.

The log is:

    2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml

I have made several decoders but none worked for this log.

    <decoder name="magentoCRIT">
      <!-- <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d\.*</prematch> -->
      <!-- <prematch>^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+ CRIT</prematch> -->
      <!-- <prematch>CRIT</prematch> -->
      <prematch>\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. CRIT</prematch>
    </decoder>

My guess is that the date format is making some sort of error, because if I try a format like this

    2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml

it finds the modified decoder without \w.

Thank you all!
[ossec-list] Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)
Here are the alerts I get from OSSEC, so I know it sees the attacks, and the level is 10, so it should be taking action. I have the active-response set for anything over level 8, I think:

    Rule: 40111 fired (level 10) - Multiple authentication failures.
    Portion of the log(s):

    Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[12.36.252.93]
    Feb  1 06:39:30 server1 ipop3d[33068]: Login failed user=info auth=info host=[12.36.252.93]
    Feb  1 06:39:27 server1 ipop3d[33067]: Login failed user=info auth=info host=[12.36.252.93]
    Feb  1 06:39:20 server1 ipop3d[33065]: Login failed user=info auth=info host=[12.36.252.93]
    Feb  1 06:39:17 server1 ipop3d[33064]: Login failed user=info auth=info host=[12.36.252.93]
    Feb  1 06:39:14 server1 ipop3d[33063]: Login failed user=info auth=info host=[12.36.252.93]

    Rule: 5712 fired (level 10) - SSHD brute force trying to get access to the system.
    Portion of the log(s):

    Feb  1 02:57:18 server1 sshd[21791]: Invalid user mbrown from 222.87.204.13
    Feb  1 02:56:40 server1 sshd[21720]: Invalid user f1astra from 222.87.204.13
    Feb  1 02:56:34 server1 sshd[21703]: Invalid user dan from 222.87.204.13
    Feb  1 02:56:04 server1 sshd[21668]: Invalid user janab from 222.87.204.13
    Feb  1 02:55:58 server1 sshd[21633]: Invalid user r00t from 222.87.204.13

The sshd brute force one sometimes results in the host-deny and firewall-drop active-response rules firing, and the active-response works fine. Maybe I need to adjust the frequency or timing for these rules somehow? Thanks for any help you can give.
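An added example, not taken from the poster's configuration, of binding the two responses to the two rule ids in these alerts rather than to a level threshold. The command definitions are the stock ones that ship in ossec.conf; they are repeated here because their <expect>srcip</expect> element is the point a defender should check first: a response declared this way only runs when the alert carries a decoded source IP, so a rule can fire at level 10 and still produce no block if the decoder did not extract an address from that log format. The timeout value and the local location are assumptions for a server reading these logs itself.

```xml
<ossec_config>
  <!-- Stock command definitions (as shipped in ossec.conf), shown so the
       <expect>srcip</expect> requirement is visible: no decoded srcip, no response. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Added example: trigger on the two rule ids from the alerts above instead of
       (or in addition to) a level threshold. Timeout (seconds) is an assumption. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>40111,5712</rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>40111,5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before changing frequency or timing, paste one of the ipop3d lines into /opt/ossec/bin/ossec-logtest: the Phase 2 output lists the decoded fields, and if srcip is not among them for the ipop3d format, neither command can act on rule 40111 whatever level or rule id is configured, whereas the sshd lines (which do decode a srcip) will keep working as observed.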
[ossec-list] ossec server migration to VM
I will be migrating our ossec server to a new data center and the powers that be are offering me a VM instead of a physical server like it is on now. I was wondering if anyone here has had any performance issues with ossec server running on a VM? We will have 2500+ ossec clients connecting to the server and need to know if it would be in my best interest to push back for physical hardware instead of virtual?
RE: [ossec-list] ossec server migration to VM
I have two Ossec servers running on VMs for over a couple of years now. They each have 200+ agents connected. Have not had any problems.

Christian L. Kovac
Senior Network Support Analyst
MTA Metro-North Railroad
212-499-4642
ko...@mnr.org

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of OssecNoob
Sent: Wednesday, February 01, 2012 1:14 PM
To: ossec-list
Subject: [ossec-list] ossec server migration to VM

I will be migrating our ossec server to a new data center and the powers that be are offering me a VM instead of a physical server like it is on now. I was wondering if anyone here has had any performance issues with ossec server running on a VM? We will have 2500+ ossec clients connecting to the server and need to know if it would be in my best interest to push back for physical hardware instead of virtual?
[ossec-list] WinEventLog:Security events
I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've installed Universal SplunkForwarder 4.3, collecting Application, Security, and System events. I don't want to see Security Success Audit events, since there are anywhere from 1000-3500 per minute. (And I need to have the Audit Success flags turned on on the server since we need to be CIS server compliant.)

On the server, I have defined:

props.conf

    [WinEventLog:Security]
    TRANSFORMS-set=dropevents

transforms.conf

    [dropevents]
    REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
    DEST_KEY = queue
    FORMAT = nullQueue

I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?
[ossec-list] day of decoder problems
What am I missing? It just keeps firing on the windows-date-format -- so frustrating, it must be simple, I am just blind today:

Log entry:

    2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator

decoder:

    <decoder name="fw-private">
      <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
    </decoder>

    <decoder name="fw-private-alert">
      <parent>fw-private</parent>
      <regex offset="after_parent">^Package: (\.+):\.+</regex>
      <order>data</order>
    </decoder>

And I want to store the attack.vector in 'data', but it just keeps triggering:

    **Phase 1: Completed pre-decoding.
           full event: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'
           hostname: 'ossex'
           program_name: '(null)'
           log: '2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator'

    **Phase 2: Completed decoding.
           decoder: 'windows-date-format'

    **Phase 3: Completed filtering (rules).
           Rule id: '1002'
           Level: '0'
           Description: 'Unknown problem somewhere in the system.'
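An added example, not the poster's decoder, of the usual way around this. decoder.xml is loaded before local_decoder.xml, and the first decoder whose prematch hits claims the event, so the stock windows-date-format decoder will keep winning on any line that opens with that timestamp; a second top-level decoder with the same prematch never gets a turn. Rather than competing with it, hang the extraction off it as a child, which ossec-analysisd tries only after the parent has matched. The parent name comes from the Phase 2 output above; that the stock parent has no regex of its own is an assumption, which is why the child's prematch is left unanchored so it does not depend on where the parent's match ends.

```xml
<!-- local_decoder.xml (added example, not the poster's file).
     Child of the stock decoder that already claims the event; assumed parent name
     taken from the ossec-logtest output. -->
<decoder name="fw-private-alert">
  <parent>windows-date-format</parent>
  <!-- Unanchored: matched anywhere in the line, so the parent's match length does not matter. -->
  <prematch>Package: </prematch>
  <!-- Capture everything up to the next ": " (here "attack.vector") into the data field. -->
  <regex offset="after_prematch">^(\.+): </regex>
  <order>data</order>
</decoder>
```

Paste the log line into /opt/ossec/bin/ossec-logtest again: Phase 2 should now list data: 'attack.vector' among the decoded fields, and a local rule can then key on it with <field name="data">, or on the event via <decoded_as>, instead of falling through to 1002.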
Re: [ossec-list] WinEventLog:Security events
I think you have the wrong mailing list. :-) This is for OSSEC - if you have Splunk questions, try http://splunk-base.splunk.com/answers/

On Wed, Feb 1, 2012 at 3:04 PM, biciunas <p...@biciunas.com> wrote:

> I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've installed Universal SplunkForwarder 4.3, collecting Application, Security, and System events. I don't want to see Security Success Audit events, since there are anywhere from 1000-3500 per minute. (And I need to have the Audit Success flags turned on on the server since we need to be CIS server compliant.)
>
> On the server, I have defined:
>
> props.conf
>
>     [WinEventLog:Security]
>     TRANSFORMS-set=dropevents
>
> transforms.conf
>
>     [dropevents]
>     REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
>     DEST_KEY = queue
>     FORMAT = nullQueue
>
> I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?
[ossec-list] Re: WinEventLog:Security events
In fact, I do have the wrong list. My apologies. My only (weak) defense is that I'm using OSSEC agents to feed data to Splunk. Please disregard this post (unless you can help with my problem).

On Feb 1, 3:17 pm, Paul Southerington <sout...@gmail.com> wrote:

> I think you have the wrong mailing list. :-) This is for OSSEC - if you have Splunk questions, try http://splunk-base.splunk.com/answers/
>
> On Wed, Feb 1, 2012 at 3:04 PM, biciunas <p...@biciunas.com> wrote:
>
>> I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've installed Universal SplunkForwarder 4.3, collecting Application, Security, and System events. I don't want to see Security Success Audit events, since there are anywhere from 1000-3500 per minute. (And I need to have the Audit Success flags turned on on the server since we need to be CIS server compliant.)
>>
>> On the server, I have defined:
>>
>> props.conf
>>
>>     [WinEventLog:Security]
>>     TRANSFORMS-set=dropevents
>>
>> transforms.conf
>>
>>     [dropevents]
>>     REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
>>     DEST_KEY = queue
>>     FORMAT = nullQueue
>>
>> I've tried various forms of the REGEX, including just the EventCodes, one EventCode, etc. Nothing seems to work; no events are dropped. I read that this was a known issue before 4.2.1, but it is not listed in the 4.3 known issues. Can anyone enlighten me as to what I may be doing wrong?
[ossec-list] Overriding composite rule (18152)
I want to be notified if there are 10 failed logon attempts within 2 minutes from the same user. I know that rule 18152 sends an alert when there are 10 (8) failed attempts within 2 minutes.

From msauth_rules.xml:

    <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <description>Multiple Windows Logon Failures.</description>
      <group>authentication_failures,</group>
    </rule>

I have tried adding the following to my local_rules.xml:

    <rule id="100300" level="10" frequency="8" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <same_user />
      <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
      <group>authentication_failures,</group>
    </rule>

When I use ossec_logtest, rule 18152 is fired, but never 100300.

FYI: I have a file ossec_test with 10 lines of the same bad login for testing.

    WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10

---

I also tried the following in my local_rules.xml in the hope that it would override the one previously defined.

    <rule id="18152" level="10" frequency="8" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <same_user />
      <description>Multiple Windows Logon Failures. (Same User Test)</description>
      <group>authentication_failures,</group>
    </rule>

When I use ossec_logtest the old rule is fired; it does not have (Same User Test) in the description.

---

After some playing around I went back to my first try but modified the frequency.

    <rule id="100300" level="10" frequency="5" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <same_user />
      <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
      <group>authentication_failures,</group>
    </rule>

This would trigger the rule. If I increased the frequency to 6, then rule 18152 would be triggered.

Any idea what I am doing wrong, or pointers on how to do this correctly? Thanks
[ossec-list] Question - Crafting a rule to send a separate email to a paging device
Good day:

Given the following rule

    <rule id="18" level="11">
      <if_sid>18107</if_sid>
      <match>Logon Type: 10</match>
      <description>Windows RDP Login.</description>
      <group>authentication_success,</group>
    </rule>

What could we add so that if the User Name is not a specific value AND the Source Network Address is not a specific value, an email is triggered to a specific email address?

Thank you.
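An added example, not from the poster, of one way to express both conditions and route the result to a dedicated address. It keeps the poster's rule as given (its id is used in <if_sid> exactly as it appears above) and adds a child rule that only fires when the decoded user AND the decoded source address each differ from an expected value; the rule id, the user name, the address and the recipient are all placeholders. Two things are assumed and worth confirming with ossec-logtest on a real logon-type-10 event: that the Windows decoder populates user from "User Name" and srcip from "Source Network Address" (if srcip is not decoded, the <srcip> clause can never match and the rule stays silent), and that "!" negation applies to <user> the way it is documented for <srcip>.

```xml
<!-- local_rules.xml (added example; rule id, user name and address are placeholders).
     Fires only when an RDP logon comes from a user other than the expected one AND
     from an address other than the expected one, and marks the alert for e-mail. -->
<group name="local,windows,">

  <rule id="100200" level="12">
    <if_sid>18</if_sid>                      <!-- the poster's RDP rule, id as given above -->
    <user>!svc_rdp_expected</user>           <!-- assumed: "!" negation on the decoded user -->
    <srcip>!192.0.2.10</srcip>               <!-- "!" negation on the decoded srcip -->
    <description>Windows RDP login by an unexpected user from an unexpected address.</description>
    <group>authentication_success,</group>
    <options>alert_by_email</options>        <!-- e-mail regardless of the global email_alert_level -->
  </rule>

</group>
```

The recipient is then set in ossec.conf with OSSEC's granular e-mail options, so only this rule reaches the pager while everything else keeps its normal routing (address is a placeholder):

```xml
<ossec_config>
  <email_alerts>
    <email_to>pager-placeholder@example.com</email_to>
    <rule_id>100200</rule_id>
    <format>sms</format>       <!-- short body suited to a paging device -->
    <do_not_delay />           <!-- send immediately rather than batching -->
    <do_not_group />
  </email_alerts>
</ossec_config>
```

Because both clauses sit in one rule they are ANDed, which is what was asked for; if either an unexpected user or an unexpected address should page on its own, that needs two rules, each carrying one clause.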
[ossec-list] Re: Overriding composite rule (18152)
Try that 18152 rule again in your local rules with the overwrite="yes" option, to overwrite the original rule, and see how it goes.

On Feb 1, 11:20 pm, tao_zhyn <taoz...@gmail.com> wrote:

> I want to be notified if there are 10 failed logon attempts within 2 minutes from the same user. I know that rule 18152 sends an alert when there are 10 (8) failed attempts within 2 minutes.
>
> From msauth_rules.xml:
>
>     <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
>       <if_matched_group>win_authentication_failed</if_matched_group>
>       <description>Multiple Windows Logon Failures.</description>
>       <group>authentication_failures,</group>
>     </rule>
>
> I have tried adding the following to my local_rules.xml:
>
>     <rule id="100300" level="10" frequency="8" timeframe="240">
>       <if_matched_group>win_authentication_failed</if_matched_group>
>       <same_user />
>       <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
>       <group>authentication_failures,</group>
>     </rule>
>
> When I use ossec_logtest, rule 18152 is fired, but never 100300.
>
> FYI: I have a file ossec_test with 10 lines of the same bad login for testing.
>
>     WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
>
> ---
>
> I also tried the following in my local_rules.xml in the hope that it would override the one previously defined.
>
>     <rule id="18152" level="10" frequency="8" timeframe="240">
>       <if_matched_group>win_authentication_failed</if_matched_group>
>       <same_user />
>       <description>Multiple Windows Logon Failures. (Same User Test)</description>
>       <group>authentication_failures,</group>
>     </rule>
>
> When I use ossec_logtest the old rule is fired; it does not have (Same User Test) in the description.
>
> ---
>
> After some playing around I went back to my first try but modified the frequency.
>
>     <rule id="100300" level="10" frequency="5" timeframe="240">
>       <if_matched_group>win_authentication_failed</if_matched_group>
>       <same_user />
>       <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
>       <group>authentication_failures,</group>
>     </rule>
>
> This would trigger the rule. If I increased the frequency to 6, then rule 18152 would be triggered.
>
> Any idea what I am doing wrong, or pointers on how to do this correctly? Thanks
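Following the suggestion in that reply, an added example (not from either poster) of the overwrite form in local_rules.xml. Simply redefining id 18152 without the attribute leaves the copy from msauth_rules.xml in force, which is what the original poster saw; with overwrite="yes" ossec-analysisd replaces that definition with this one, so the same trigger is not competing against itself and <same_user /> becomes part of the only rule on that group. Rules in local_rules.xml must sit inside a <group> element; the frequency is kept at 8, matching the stock $MS_FREQ value the poster reported, and whether that fires on exactly the tenth event is for ossec_logtest on the ten-line test file to confirm.

```xml
<!-- local_rules.xml (added example): replace the stock 18152 instead of adding a
     competing rule with the same trigger. overwrite="yes" tells ossec-analysisd
     to use this definition in place of the one loaded from msauth_rules.xml. -->
<group name="windows,authentication_failures,">

  <rule id="18152" level="10" frequency="8" timeframe="240" overwrite="yes">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <same_user />
    <description>Multiple Windows Logon Failures from the same user (local overwrite).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Once this is in place the earlier rule 100300 should be removed, otherwise two rules with the same group, frequency and timeframe are still racing for the same events; and since the stock rule has no <same_user />, ten failures spread across different accounts will no longer alert at level 10, which is the intended trade-off of the change.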
[ossec-list] Maild not sending message data
Hi all,

I have finally tracked down why I am not getting any emails from ossec at all, by enabling debugging in sendmail.c and recompiling maild as suggested here: http://www.ossec.net/wiki/Tweaking_OSSEC#How_to_trace_sending_mail

The debug info I have is:

    2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
    2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
    2012/02/02 10:50:44 DEBUG: Received banner: '220 (smtpserver) ESMTP ready. '
    2012/02/02 10:50:44 DEBUG: Sent 'Helo notify.ossec.net ', received: '250 (smtpserver) Hello notify.ossec.net [172.16.0.154] '
    2012/02/02 10:50:44 DEBUG: Sent 'Mail From: (root@ossecserver) ', received: '250 OK '
    2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: (valid_email) ', received: '250 Accepted '
    2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: (valid_email) ', received: '250 Accepted '
    2012/02/02 10:50:44 DEBUG: Sent 'DATA ', received: '354 Enter message, ending with . on a line by itself '
    2012/02/02 10:54:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
    2012/02/02 10:54:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

It looks to me like ossec simply doesn't send a message at all, and doesn't end the message sending properly either.

I am running ossec-hids-2.6 on Debian 6.0.3 32-bit (server; the 1 client so far is the same OS).

Any advice appreciated. Thank you.
[ossec-list] Re: Maild not sending message data
This problem seems to have been resolved now. The email address used in the From field in the configs for some reason halted the emails from sending. Changing it to some other email address worked. Not sure why yet, but it is not an Ossec problem.

Sorry for wasting anyone's time.

---
Regards
David Ward
m: 0410 472 531
skype: DaveQB
twitter: DaveQB14
www: www.dward.us

On 02.02.2012 11:27, David wrote:

> Hi all,
>
> I have finally tracked down why I am not getting any emails from ossec at all, by enabling debugging in sendmail.c and recompiling maild as suggested here: http://www.ossec.net/wiki/Tweaking_OSSEC#How_to_trace_sending_mail [1]
>
> The debug info I have is:
>
>     2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>     2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>     2012/02/02 10:50:44 DEBUG: Received banner: '220 (smtpserver) ESMTP ready. '
>     2012/02/02 10:50:44 DEBUG: Sent 'Helo notify.ossec.net ', received: '250 (smtpserver) Hello notify.ossec.net [172.16.0.154] '
>     2012/02/02 10:50:44 DEBUG: Sent 'Mail From: (root@ossecserver) ', received: '250 OK '
>     2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: (valid_email) ', received: '250 Accepted '
>     2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: (valid_email) ', received: '250 Accepted '
>     2012/02/02 10:50:44 DEBUG: Sent 'DATA ', received: '354 Enter message, ending with . on a line by itself '
>     2012/02/02 10:54:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>     2012/02/02 10:54:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>
> It looks to me like ossec simply doesn't send a message at all, and doesn't end the message sending properly either.
>
> I am running ossec-hids-2.6 on Debian 6.0.3 32-bit (server; the 1 client so far is the same OS).
>
> Any advice appreciated. Thank you.

Links:
--
[1] http://www.ossec.net/wiki/Tweaking_OSSEC#How_to_trace_sending_mail