[ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged

2012-02-01 Thread Marcos Tang
Hi OSSEC users and Dan


High-level background of my current setup:

- Several OSSEC servers are running on Solaris
- OSSEC agents are running on Solaris and reporting to the above OSSEC servers
- Running /opt/ossec/bin/agent_control -lc shows the agents are connecting to the server
- File integrity check is enabled and several configuration files are being monitored. One of the files being monitored is syslog-ng.conf


My problem:

Recently I have found that more than one OSSEC server detects changes on this 
syslog-ng.conf file (this file is installed on all OSSEC clients). However, 
when I run the command below, it doesn't tell me what exactly has changed. I 
have also checked the file integrity myself and I also don't see anything wrong.

Output from the OSSEC server:

[root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f /opt/syslog-ng/conf/syslog-ng.conf

Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
Detailed information for entries matching: '/opt/syslog-ng/conf/syslog-ng.conf'

2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf

2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
File changed. [root@myserver ~]#



Output from the OSSEC agent:

root@myagent% pwd
/opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
root@spewgp2c35% ls -arlt
total 8
-rw-rw-r--   1 root other   1488 Jun 28  2011 last-entry
drwxrwx---   3 root other    512 Jun 28  2011 ..
drwxrwx---   2 root other    512 Jun 28  2011 .
root@myagent%


 
My question:

Why is there no integrity change detected, yet the OSSEC servers report the 
file as changed?


Regards,
Marcos
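A configuration example added here by the editor, not part of Marcos's post, showing the syscheck settings that decide what the server can later tell you about a change. It assumes a stock OSSEC 2.x agent ossec.conf; the directory is the one from the post and the scan interval is a constructed value.

```xml
<ossec_config>
  <syscheck>
    <!-- Scan interval in seconds (constructed value: every 6 hours) -->
    <frequency>21600</frequency>

    <!-- check_all: compare size, permissions, owner, group, md5 and sha1.
         A difference in any one of these produces "File changed" for the
         entry even when the file content is byte-for-byte identical.
         report_changes: keep a copy of the file under queue/diff/ on the
         agent and include a diff of the content in the alert. The diff
         directory is only written when the content itself differs. -->
    <directories check_all="yes" report_changes="yes">/opt/syslog-ng/conf</directories>
  </syscheck>
</ossec_config>
```

syscheck_control -i only lists the timestamps of the entries. The alert raised for the same event in the server's alerts.log names the attribute that differed (size, permissions, ownership, or the md5/sha1 checksum), so that is the place to look first. An old last-entry in queue/diff beside a new "File changed" verdict is consistent with an attribute-only change rather than a change in content.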

[ossec-list] Decoding log

2012-02-01 Thread kumaig
I have tried for a few weeks to decode one Magento log with no luck. I
have searched for more than 2 weeks for a solution to this problem. If
anyone can help I'd appreciate it.
The log is:
2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml

I have made several decoders but none worked for this log.

<decoder name="magentoCRIT">
  <!-- <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d\.*</prematch> -->
  <!-- <prematch>^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+ CRIT</prematch> -->
  <!-- <prematch>CRIT</prematch> -->
  <prematch>\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. CRIT</prematch>
</decoder>

My guess is that the date format is causing some sort of error, because if
I try a format like this

2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/default/template/exacttarget/top_sub.phtml

it finds the modified decoder without \w.

Thank you all!
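An added decoder, written for this page rather than taken from kumaig's post, based on two things about how OSSEC hands a line to decoders. First, the pre-decoder runs before any decoder and may consume a leading timestamp and hostname when the line looks like a syslog header; ossec-logtest's Phase 1 prints the resulting log: field, which is the text a prematch is actually tested against. Second, a prematch is unanchored unless it starts with ^. The decoder below therefore does not anchor on the date at all; the decoder name and the captured field are my choices.

```xml
<!-- local_decoder.xml: added example for the Magento CRIT line, not from the post.
     Assumption: whether or not the pre-decoder strips the ISO 8601 timestamp,
     the text from "Not valid template file:" onward reaches the decoder unchanged
     (confirm in ossec-logtest Phase 1, the "log:" line). -->
<decoder name="magento-crit">
  <!-- Unanchored: matches wherever the phrase sits in the remaining text -->
  <prematch>Not valid template file:</prematch>
  <!-- Capture the template path that follows the colon (no spaces in it) -->
  <regex offset="after_prematch">^(\S+)</regex>
  <order>extra_data</order>
</decoder>
```

Run ossec-logtest, paste the line, and check that Phase 2 reports decoder 'magento-crit' with extra_data holding the .phtml path. If Phase 1 shows the log: field beginning somewhere other than the original start of the line, adjust the prematch to the text that is actually there; the same Phase 1 output is also the quickest way to see why a date-anchored prematch never matches.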


[ossec-list] Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-01 Thread Jon Bayless
Here are the alerts I get from ossec, so I know it sees the attacks and the 
level is 10 so it should be taking action. I have the active-response set for 
anything over level 8 I think:

Rule: 40111 fired (level 10) - Multiple authentication failures.
Portion of the log(s):

Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:30 server1 ipop3d[33068]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:27 server1 ipop3d[33067]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:20 server1 ipop3d[33065]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:17 server1 ipop3d[33064]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:14 server1 ipop3d[33063]: Login failed user=info auth=info host=[12.36.252.93]

Rule: 5712 fired (level 10) - SSHD brute force trying to get access to the 
system.
Portion of the log(s):

Feb  1 02:57:18 server1 sshd[21791]: Invalid user mbrown from 222.87.204.13
Feb  1 02:56:40 server1 sshd[21720]: Invalid user f1astra from 222.87.204.13
Feb  1 02:56:34 server1 sshd[21703]: Invalid user dan from 222.87.204.13
Feb  1 02:56:04 server1 sshd[21668]: Invalid user janab from 222.87.204.13
Feb  1 02:55:58 server1 sshd[21633]: Invalid user r00t from 222.87.204.13

The sshd brute force one sometimes results in the host-deny and firewall-drop 
active response rules firing and the active-response works fine. Maybe I need 
to adjust the frequency or timing for these rules somehow?

Thanks for any help you can give.
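An added configuration example with a check, not from Jon's post. Each active-response command declares in <expect> the decoded fields its script needs; firewall-drop and host-deny expect srcip. When an alert reaches the configured level but the decoder for that log did not populate srcip, the command is skipped, nothing appears in logs/active-responses.log, and the alert itself carries no error. The stock decoders fill srcip for the sshd "Invalid user ... from <ip>" lines, which fits the observation that only those sometimes produce a block; whether the ipop3d line yields srcip is something to confirm with ossec-logtest. The values below are constructed.

```xml
<ossec_config>
  <!-- Command definition (stock shape). <expect> lists the alert fields the
       script needs; an alert without srcip never runs this command. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Trigger on every alert of level 8 or higher, on the host that raised
       it, and release the block after 600 seconds (constructed values).
       <rules_id>40111,5712</rules_id> can replace <level> when only
       specific rules should block. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

To test the missing-field explanation, paste one of the ipop3d lines into ossec-logtest and look at Phase 2: if no srcip line is printed, the fix is a decoder that extracts the address from host=[...], not a change to frequency or timing. Executions that did happen are recorded in logs/active-responses.log.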


[ossec-list] ossec server migration to VM

2012-02-01 Thread OssecNoob
I will be migrating our ossec server to a new data center and the
powers that be are offering me a VM instead of a physical server like
it is on now. I was wondering if anyone here has had any performance
issues with ossec server running on a VM? We will have 2500+ ossec
clients connecting to the server and need to know if it would be in my
best interest to push back for physical hardware instead of virtual?


RE: [ossec-list] ossec server migration to VM

2012-02-01 Thread Kovac, Christian
I have had two OSSEC servers running on VMs for over a couple of years now. They each 
have 200+ agents connected. I have not had any problems. 

Christian L. Kovac
Senior Network Support Analyst
MTA Metro-North Railroad
212-499-4642
ko...@mnr.org 



-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of OssecNoob
Sent: Wednesday, February 01, 2012 1:14 PM
To: ossec-list
Subject: [ossec-list] ossec server migration to VM

I will be migrating our ossec server to a new data center and the powers that 
be are offering me a VM instead of a physical server like it is on now. I was 
wondering if anyone here has had any performance issues with ossec server 
running on a VM? We will have 2500+ ossec clients connecting to the server and 
need to know if it would be in my best interest to push back for physical 
hardware instead of virtual?


[ossec-list] WinEventLog:Security events

2012-02-01 Thread biciunas
I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've
installed Universal SplunkForwarder 4.3, collecting Application,
Security, and System events. I don't want to see Security Success
Audit events, since there are anywhere from 1000 to 3500 per
minute. (And I need to have the Audit Success flags turned on on the
server since we need to be CIS server compliant.)

On the server, I have defined

props.conf
[WinEventLog:Security]
TRANSFORMS-set=dropevents

transforms.conf
[dropevents]
REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

I've tried various forms of the REGEX, including just the EventCodes,
one EventCode, etc. Nothing seems to work; no events are dropped. I
read that this was a known issue before 4.2.1, but it is not listed in
the 4.3 known issues. Can anyone enlighten me as to what I may be
doing wrong?


[ossec-list] day of decoder problems

2012-02-01 Thread Kat
What am I missing? It just keeps firing on the windows-date-format --
so frustrating. It must be simple; I am just blind today:

Logentry:

2012-01-12 15:19:58 Package: attack.vector:
removing(string1,string2,string3) by administrator

decoder:

<decoder name="fw-private">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
</decoder>

<decoder name="fw-private-alert">
  <parent>fw-private</parent>
  <regex offset="after_parent">^Package: (\.+):\.+</regex>
  <order>data</order>
</decoder>

And I want to store the attack.vector in 'data', but it just keeps
triggering:

**Phase 1: Completed pre-decoding.
   full event: '2012-01-12 15:19:58 Package: attack.vector:
removing(string1,string2,string3) by administrator'
   hostname: 'ossex'
   program_name: '(null)'
   log: '2012-01-12 15:19:58 Package: attack.vector:
removing(string1,string2,string3) by administrator'

**Phase 2: Completed decoding.
   decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '0'
   Description: 'Unknown problem somewhere in the system.'
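An added example, not Kat's decoder. The ossec-logtest output above is the answer: the stock decoder named windows-date-format, shipped in decoder.xml, already matches the line, and OSSEC keeps the first parent decoder whose prematch matches, so a second parent decoder with the same date prefix is never consulted. Attaching the custom decoder as a child of the stock one reuses that match instead of competing with it. The unanchored prematch and the \S+ capture are my choices.

```xml
<!-- local_decoder.xml: added example, not Kat's decoder -->
<decoder name="fw-private-alert">
  <!-- Hang off the stock decoder that ossec-logtest showed winning -->
  <parent>windows-date-format</parent>
  <!-- Unanchored, so it does not depend on where the parent's match ended -->
  <prematch>Package: </prematch>
  <!-- attack.vector contains no spaces, so \S+ up to the next colon captures it -->
  <regex offset="after_prematch">^(\S+): </regex>
  <order>data</order>
</decoder>
```

In ossec-logtest, Phase 2 will still print decoder: 'windows-date-format' (the parent's name is what is shown), now followed by data: 'attack.vector'. Rules select the event with <decoded_as>windows-date-format</decoded_as> plus a <match>, or by <if_sid> from a rule that already does.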


Re: [ossec-list] WinEventLog:Security events

2012-02-01 Thread Paul Southerington
I think you have the wrong mailing list.  :-)

This is for OSSEC - if you have Splunk questions, try
http://splunk-base.splunk.com/answers/



On Wed, Feb 1, 2012 at 3:04 PM, biciunas p...@biciunas.com wrote:

 I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've
 installed Universal SplunkForwarder 4.3, collecting Application,
 Security, and System events. I don't want to see Security Success
 Audit events, since there are anywhere from 1000 to 3500 per
 minute. (And I need to have the Audit Success flags turned on on the
 server since we need to be CIS server compliant.)

 On the server, I have defined

 props.conf
 [WinEventLog:Security]
 TRANSFORMS-set=dropevents

 transforms.conf
 [dropevents]
 REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
 DEST_KEY = queue
 FORMAT = nullQueue

 I've tried various forms of the REGEX, including just the EventCodes,
 one EventCode, etc. Nothing seems to work; no events are dropped. I
 read that this was a known issue before 4.2.1, but it is not listed in
 the 4.3 known issues. Can anyone enlighten me as to what I may be
 doing wrong?



[ossec-list] Re: WinEventLog:Security events

2012-02-01 Thread biciunas
In fact, I do have the wrong list. My apologies. My only (weak)
defense is that I'm using OSSEC agents to feed data to Splunk.
Please disregard this post (unless you can help with my problem).

On Feb 1, 3:17 pm, Paul Southerington sout...@gmail.com wrote:
 I think you have the wrong mailing list.  :-)

 This is for OSSEC - if you have Splunk questions, try
 http://splunk-base.splunk.com/answers/

 On Wed, Feb 1, 2012 at 3:04 PM, biciunas p...@biciunas.com wrote:
  I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've
  installed Universal SplunkForwarder 4.3, collecting Application,
  Security, and System events. I don't want to see Security Success
  Audit events, since there are anywhere from 1000 to 3500 per
  minute. (And I need to have the Audit Success flags turned on on the
  server since we need to be CIS server compliant.)

  On the server, I have defined

  props.conf
  [WinEventLog:Security]
  TRANSFORMS-set=dropevents

  transforms.conf
  [dropevents]
  REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
  DEST_KEY = queue
  FORMAT = nullQueue

  I've tried various forms of the REGEX, including just the EventCodes,
  one EventCode, etc. Nothing seems to work; no events are dropped. I
  read that this was a known issue before 4.2.1, but it is not listed in
  the 4.3 known issues. Can anyone enlighten me as to what I may be
  doing wrong?


[ossec-list] Overriding composite rule (18152)

2012-02-01 Thread tao_zhyn
I want to be notified if there are 10 failed logon attempts within 2
minutes from the same user.

I know that rule 18152 sends an alert when there are 10 (8) failed
attempts within 2 minutes.

From msauth_rules.xml

<rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_matched_group>win_authentication_failed</if_matched_group>
  <description>Multiple Windows Logon Failures.</description>
  <group>authentication_failures,</group>
</rule>


I have tried adding the following to my local_rules.xml

<rule id="100300" level="10" frequency="8" timeframe="240">
  <if_matched_group>win_authentication_failed</if_matched_group>
  <same_user />
  <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
  <group>authentication_failures,</group>
</rule>


When I use ossec_logtest the rule 18152 is fired, but never 100300.

FYI: I have an ossec_test file with 10 lines of the same bad login
for testing.

WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed:  User Name: user1  User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19  Client Address: 10.0.0.10


---

I also tried the following in my local_rules.xml in the hope that it
would override the one previously defined.

<rule id="18152" level="10" frequency="8" timeframe="240">
  <if_matched_group>win_authentication_failed</if_matched_group>
  <same_user />
  <description>Multiple Windows Logon Failures. (Same User Test)</description>
  <group>authentication_failures,</group>
</rule>

When I use ossec_logtest the old rule is fired; it does not have (Same
User Test) in the description.


--

After some playing around I went back to my first try but modified the
frequency.

<rule id="100300" level="10" frequency="5" timeframe="240">
  <if_matched_group>win_authentication_failed</if_matched_group>
  <same_user />
  <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
  <group>authentication_failures,</group>
</rule>

This would trigger the rule.  If I increased the frequency to 6 then
the rule 18152 would be triggered.


Any idea of what I am doing wrong, or pointers on how to do this
correctly?

Thanks


[ossec-list] Question - Crafting a rule to send a separate email to a paging device

2012-02-01 Thread Peter M Abraham
Good day:

Given the following rule

<rule id="18" level="11">
  <if_sid>18107</if_sid>
  <match>Logon Type: 10</match>
  <description>Windows RDP Login.</description>
  <group>authentication_success,</group>
</rule>

What could we add so that if the User Name is not a specific value
AND the Source Network Address is not a specific value, that an
email is triggered to a specific email address?

Thank you.
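An added example, not Peter's rule, of one way to express "alert only when the User Name is not X and the Source Network Address is not Y", with that alert routed to a pager by a dedicated email block. Rather than negating fields inside a single rule, it uses the fact that a child rule with level 0 downgrades its parent: a catch-all child of rule 18 alerts, and two level-0 grandchildren suppress it when either the expected user or the expected address matches, which leaves exactly NOT user AND NOT address. rdpadmin, 10.0.0.5 and pager@example.com are constructed placeholders, and the rules assume the Windows decoder fills user and srcip for this event (ossec-logtest Phase 2 shows whether it does; if not, a <match> on the literal "User Name:" or "Source Network Address:" text works in place of <user> and <srcip>).

```xml
<!-- local_rules.xml (added example; rule 18 is the poster's RDP rule) -->
<group name="local,windows,">
  <!-- Every RDP logon that matched rule 18 lands here first. -->
  <rule id="100400" level="12">
    <if_sid>18</if_sid>
    <description>Windows RDP logon by an unexpected user from an unexpected address.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Expected user: the parent is downgraded to level 0 and nothing is sent. -->
  <rule id="100401" level="0">
    <if_sid>100400</if_sid>
    <user>^rdpadmin$</user>
    <description>Expected RDP user; not paged.</description>
  </rule>

  <!-- Expected source address: same downgrade. Either suppressor matching
       is enough, so the alert survives only when neither matches. -->
  <rule id="100402" level="0">
    <if_sid>100400</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>Expected RDP source address; not paged.</description>
  </rule>
</group>

<!-- ossec.conf (added example): send rule 100400 to the pager address as a
     short SMS-style message, without waiting for the grouping interval. -->
<ossec_config>
  <email_alerts>
    <email_to>pager@example.com</email_to>
    <rule_id>100400</rule_id>
    <format>sms</format>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

Global email notification must already be enabled for the granular <email_alerts> block to do anything; it adds the pager recipient for that rule id on top of the normal recipients configured in <global>. Feed a success event with "Logon Type: 10" through ossec-logtest and vary the user name and address to confirm that Phase 3 reports level 12 only for the unexpected combination.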


[ossec-list] Re: Overriding composite rule (18152)

2012-02-01 Thread alsdks
Try that 18152 rule again in your local rules with the overwrite="yes"
option, to overwrite the original rule, and see how it goes.

On Feb 1, 11:20 pm, tao_zhyn taoz...@gmail.com wrote:
 I want to be notified if there are 10 failed logon attempts within 2
 minutes from the same user.

 I know that rule 18152 sends an alert when there are 10 (8) failed
 attempts within 2 minutes.

 From msauth_rules.xml

 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
   <if_matched_group>win_authentication_failed</if_matched_group>
   <description>Multiple Windows Logon Failures.</description>
   <group>authentication_failures,</group>
 </rule>

 I have tried adding the following to my local_rules.xml

 <rule id="100300" level="10" frequency="8" timeframe="240">
   <if_matched_group>win_authentication_failed</if_matched_group>
   <same_user />
   <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
   <group>authentication_failures,</group>
 </rule>

 When I use ossec_logtest the rule 18152 is fired, but never 100300.

 FYI: I have an ossec_test file with 10 lines of the same bad login
 for testing.

 WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed:  User Name: user1  User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19  Client Address: 10.0.0.10

 ---

 I also tried the following in my local_rules.xml in the hope that it
 would override the one previously defined.

 <rule id="18152" level="10" frequency="8" timeframe="240">
   <if_matched_group>win_authentication_failed</if_matched_group>
   <same_user />
   <description>Multiple Windows Logon Failures. (Same User Test)</description>
   <group>authentication_failures,</group>
 </rule>

 When I use ossec_logtest the old rule is fired; it does not have (Same
 User Test) in the description.

 --

 After some playing around I went back to my first try but modified the
 frequency.

 <rule id="100300" level="10" frequency="5" timeframe="240">
   <if_matched_group>win_authentication_failed</if_matched_group>
   <same_user />
   <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
   <group>authentication_failures,</group>
 </rule>

 This would trigger the rule.  If I increased the frequency to 6 then
 the rule 18152 would be triggered.

 Any idea of what I am doing wrong, or pointers on how to do this
 correctly?

 Thanks
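A worked version of alsdks's suggestion, added here as an example rather than taken from either post. Two points from the OSSEC rule syntax documentation matter for the original question: a composite rule fires after frequency + 2 matching events, so frequency="8" is the value for 10 failures, and timeframe is in seconds, so the stock 240 is four minutes and two minutes is 120. overwrite="yes" replaces stock rule 18152 in place, so there is no longer a second rule with identical conditions consuming the same events before the local one reaches its count. The group name is my choice.

```xml
<!-- local_rules.xml: added example, not the text of either post -->
<group name="local,windows,">
  <!-- Same id as the stock rule plus overwrite="yes": this definition
       replaces the one from msauth_rules.xml instead of competing with it. -->
  <rule id="18152" level="10" frequency="8" timeframe="120" overwrite="yes">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <!-- Count only failures that share the decoded user field -->
    <same_user />
    <!-- frequency 8 fires on the 10th match; timeframe is in seconds -->
    <description>Multiple Windows Logon Failures for the same user (10 in 2 minutes).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Test it with ossec-logtest by pasting the failure line ten times; the description printed in Phase 3 shows whether the overwritten copy is the one in use. same_user depends on the Windows decoder having filled the user field for event 675, which Phase 2 of the same run makes visible.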


[ossec-list] Maild not sending message data

2012-02-01 Thread David
Hi all,

I have finally tracked down why I am not getting any emails from ossec
at all by enabling debugging in sendmail.c and recompiling maild as
suggested here:

http://www.ossec.net/wiki/Tweaking_OSSEC#How_to_trace_sending_mail

The debug info I have is:

2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/02/02 10:50:44 DEBUG: Received banner: '220 (smtpserver) ESMTP ready.
'
2012/02/02 10:50:44 DEBUG: Sent 'Helo notify.ossec.net
', received: '250 (smtpserver) Hello notify.ossec.net [172.16.0.154]
'
2012/02/02 10:50:44 DEBUG: Sent 'Mail From: (root@ossecserver)
', received: '250 OK
'
2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: (valid_email)
', received: '250 Accepted
'
2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: (valid_email)
', received: '250 Accepted
'
2012/02/02 10:50:44 DEBUG: Sent 'DATA
', received: '354 Enter message, ending with . on a line by itself
'
2012/02/02 10:54:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/02/02 10:54:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

It looks to me that ossec simply doesn't send a message at all and
doesn't end the message sending properly either.

I am running ossec-hids-2.6 on Debian 6.0.3 32-bit (server, the 1
client so far is the same OS)

Any advice appreciated.
Thank you.



[ossec-list] Re: Maild not sending message data

2012-02-01 Thread David Ward
  

This problem seems to have been resolved now.

The email address used in the From field in the configs for some reason halted the emails from sending. Changing it to some other email address worked.

Not sure why yet, but it is not an OSSEC problem.

Sorry for wasting anyone's time.

---
Regards
David Ward
m: 0410 472 531
skype: DaveQB
twitter: DaveQB14
www: www.dward.us

On 02.02.2012 11:27, David wrote:

 Hi all,

 I have finally tracked down why I am not getting any emails from ossec
 at all by enabling debugging in sendmail.c and recompiling maild as
 suggested here:

 http://www.ossec.net/wiki/Tweaking_OSSEC#How_to_trace_sending_mail

 The debug info I have is:

 2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
 2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
 2012/02/02 10:50:44 DEBUG: Received banner: '220 (smtpserver) ESMTP ready.
 '
 2012/02/02 10:50:44 DEBUG: Sent 'Helo notify.ossec.net
 ', received: '250 (smtpserver) Hello notify.ossec.net [172.16.0.154]
 '
 2012/02/02 10:50:44 DEBUG: Sent 'Mail From: 
 ', received: '250 OK
 '
 2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: 
 ', received: '250 Accepted
 '
 2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: 
 ', received: '250 Accepted
 '
 2012/02/02 10:50:44 DEBUG: Sent 'DATA
 ', received: '354 Enter message, ending with . on a line by itself
 '
 2012/02/02 10:54:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
 2012/02/02 10:54:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

 It looks to me that ossec simply doesn't send a message at all and
 doesn't end the message sending properly either.

 I am running ossec-hids-2.6 on Debian 6.0.3 32-bit (server, the 1
 client so far is the same OS)

 Any advice appreciated.
 Thank you.


