[ossec-list] Reporting all actions that comes from firewall logs
Hi all,

I am trying to report all actions made by some CheckPoint firewalls. After adjusting my decoder, I am trying to write some rules to match all logged firewall actions like: Drop, Accept, Session Auth, etc. For example, to report all drops, I have written this rule:

    <group name="cpfirewall,">
      <rule id="100100" level="0">
        <description>CheckPoint Firewall-1 rules grouped.</description>
      </rule>
      <rule id="100101" level="5">
        <if_sid>100100</if_sid>
        <action>Drop</action>
        <description>CheckPoint Firewall-1 drop action event.</description>
        <group>cpfirewall,drop,</group>
      </rule>
    </group>

Testing one rule:

    **Phase 1: Completed pre-decoding.
           full event: '294 28Feb2012 23:59:14 Lan2 CHCKPNT1 Log Drop nbname nbname 192.168.1.5 192.168.1.255 udp message_info: Address spoofing VPN-1 Power/UTM '
           hostname: 'cosclunode02'
           program_name: '(null)'
           log: '294 28Feb2012 23:59:14 Lan2 FW-INT-CHCKPNT1 Log Drop nbname nbname 192.168.1.5 192.168.1.255 udp message_info: Address spoofing VPN-1 Power/UTM '

    **Phase 2: Completed decoding.
           decoder: 'custom-checkpoint-fw'
           action: 'Drop'
           srcip: '192.168.1.5'
           dstip: '192.168.1.255'
           proto: 'udp'
           extra_data: 'message_info: Address spoofing'

    **Phase 3: Completed filtering (rules).
           Rule id: '100100'
           Level: '0'
           Description: 'CheckPoint Firewall-1 rules grouped.'

After this, I have run ossec-reportd test:

    [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f level 5
    2012/03/05 09:11:08 ossec-reportd: INFO: Started (pid: 25097).
    2012/03/05 09:11:15 ossec-reportd: INFO: Report completed and zero alerts post-filter ...

and:

    [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f group cpfirewall
    2012/03/05 09:12:10 ossec-reportd: INFO: Started (pid: 25097).
    2012/03/05 09:12:50 ossec-reportd: INFO: Report completed and zero alerts post-filter ...

and:

    [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f group cpfirewall_drop
    2012/03/05 09:13:45 ossec-reportd: INFO: Started (pid: 25097).
    2012/03/05 09:14:10 ossec-reportd: INFO: Report completed and zero alerts post-filter ...

but it doesn't work ... What am I doing wrong??
Re: [ossec-list] Reporting all actions that comes from firewall logs
On Mon, Mar 5, 2012 at 4:26 AM, C. L. Martinez carlopm...@gmail.com wrote:
> After this, I have run ossec-reportd test:
>
> [root@ossecsrv rules]# cat /data/config/logs/cp.logs |

Is cp.logs the firewall logs or OSSEC alert logs? ossec-reportd looks through OSSEC alert logs.
Re: [ossec-list] Reporting all actions that comes from firewall logs
I should probably mention that I think the -a flag for ossec-logtest will give you OSSEC alert log output. Redirect that to a file or possibly to ossec-reportd, and you should probably get what you're after.
Re: [ossec-list] Reporting all actions that comes from firewall logs
On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) ddp...@gmail.com wrote:
> I should probably mention that I think the -a flag for ossec-logtest will give you OSSEC alert log output. Redirect that to a file or possibly to ossec-reportd, and you should probably get what you're after.

Thanks Dan. It is correct, cp.logs is in ossec alert format. For example:

    ** Alert 1330945041.114: - firewall,
    2012 Mar 05 10:57:21 ossecsrv->stdin
    Rule: 100100 (level 2) -> 'CheckPoint Firewall-1 rules grouped.'
    Src IP: 192.168.1.7
    Dst IP: 192.168.2.3
    Dst Port: domain-udp
    113 26Feb2012 23:59:04 bond0.30 CHCKPNT1 Log Drop domain-udp 47082 192.168.1.7 192.168.2.3 udp 82 82-Standard inzone: Internal; outzone: Internal; service_id: domain-udp VPN-1 Power/UTM

doesn't trigger alert 100101 instead of 100100 ...
Re: [ossec-list] Reporting all actions that comes from firewall logs
On Mon, Mar 5, 2012 at 6:09 AM, C. L. Martinez carlopm...@gmail.com wrote:
> doesn't trigger alert 100101 instead of 100100 ...

It doesn't trigger 100101 because action isn't decoded.
Re: [ossec-list] Reporting all actions that comes from firewall logs
On Mon, Mar 5, 2012 at 1:04 PM, dan (ddp) ddp...@gmail.com wrote:
> It doesn't trigger 100101 because action isn't decoded.

Uhhmmm .. wait a minute. Action is decoded using these decoders:

    <decoder name="custom-checkpoint-fw">
      <prematch>\d+ \d+\w+\d+ \d+:\d+:\d+ (\S+) FW-INT-CHCKPNT1</prematch>
    </decoder>

    <decoder name="custom-checkpoint-fw-tcp-udp-icmp">
      <parent>custom-checkpoint-fw</parent>
      <regex offset="after_parent">\w+ (\w+) (\S+) \S+ (\S+) (\S+) (\w+) \S+ (\S+)</regex>
      <order>action,dstport,srcip,dstip,protocol,extra_data</order>
    </decoder>

    <decoder name="custom-checkpoint-fw-tcp-udp-icmp">
      <parent>custom-checkpoint-fw</parent>
      <regex offset="after_regex">\w+ (\w+) (\S+) (\S+) (\w+) (\.+)</regex>
      <order>action,srcip,dstip,protocol,extra_data</order>
    </decoder>

    <decoder name="custom-checkpoint-fw-tcp-udp-icmp">
      <parent>custom-checkpoint-fw</parent>
      <regex offset="after_regex">\w+ (\w+) \S+ \S+ (\S+) (\S+) (\w+) (\.+)</regex>
      <order>action,srcip,dstip,protocol,extra_data</order>
    </decoder>

for example:

    **Phase 1: Completed pre-decoding.
           full event: '629 26Feb2012 23:59:21 bond0.30 CHCKPNT1 Log Drop http 4419 192.168.1.15 trafficconverter-sinkhole.sie.isc.org tcp 106 106-Standard service_id: http VPN-1 Power/UTM '
           hostname: 'ossecsrv'
           program_name: '(null)'
           log: '629 26Feb2012 23:59:21 bond0.30 CHCKPNT1 Log Drop http 4419 192.168.1.15 trafficconverter-sinkhole.sie.isc.org tcp 106 106-Standard service_id: http VPN-1 Power/UTM '

    **Phase 2: Completed decoding.
           decoder: 'custom-checkpoint-fw'
           action: 'Drop'
           dstport: 'http'
           srcip: '192.168.1.15'
           dstip: 'trafficconverter-sinkhole.sie.isc.org'
           proto: 'tcp'
           extra_data: '106-Standard'

    **Rule debugging:
        Trying rule: 1 - Generic template for all syslog rules.
           *Rule 1 matched.
           *Trying child rules.
        Trying rule: 100100 - CheckPoint Firewall-1 rules grouped.
           *Rule 100100 matched.
           *Trying child rules.
        Trying rule: 100101 - CheckPoint Firewall-1 action event.

    **Phase 3: Completed filtering (rules).
           Rule id: '100100'
           Level: '0'
           Description: 'CheckPoint Firewall-1 rules grouped.'

Or do I need to decode log in rules file too??
Re: [ossec-list] Reporting all actions that comes from firewall logs
On Mon, Mar 5, 2012 at 1:18 PM, C. L. Martinez carlopm...@gmail.com wrote:
> Or do I need to decode log in rules file too??

Ok, I have found the problem .. It is in my rules file. I have defined a var option like in syslog rules appears, and it seems it is wrong ... Thanks for your help.
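An added example, not written by anyone in this thread: a small Python reader for the OSSEC alert-log layout posted above that inventories rule id, level and groups, then applies simplified level and group filters, showing why filtering the posted alert by level 5 or group cpfirewall finds nothing. The filter semantics (minimum level, exact group name), the function names and the second sample alert are assumptions; the log lines are shortened.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):\s*(mail)?\s*- (.*)$")
# "->?" because list archives often strip the ">" from pasted alert dumps.
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) ->? '(.*)'$")

# First alert: the one posted in the thread. Second alert: constructed, showing
# what child rule 100101 would log once it fires.
SAMPLE_ALERTS = """\
** Alert 1330945041.114: - firewall,
2012 Mar 05 10:57:21 ossecsrv->stdin
Rule: 100100 (level 2) -> 'CheckPoint Firewall-1 rules grouped.'
Src IP: 192.168.1.7
Dst IP: 192.168.2.3
Dst Port: domain-udp
113 26Feb2012 23:59:04 bond0.30 CHCKPNT1 Log Drop domain-udp 47082 192.168.1.7 192.168.2.3 udp

** Alert 1330945042.115: - cpfirewall,drop,
2012 Mar 05 10:57:22 ossecsrv->stdin
Rule: 100101 (level 5) -> 'CheckPoint Firewall-1 drop action event.'
Src IP: 192.168.1.5
Dst IP: 192.168.1.255
294 28Feb2012 23:59:14 Lan2 FW-INT-CHCKPNT1 Log Drop nbname nbname 192.168.1.5 192.168.1.255 udp
"""

# Raw firewall line (not alert format): there is nothing here to report on.
SAMPLE_RAW = "294 28Feb2012 23:59:14 Lan2 FW-INT-CHCKPNT1 Log Drop nbname nbname 192.168.1.5 192.168.1.255 udp\n"


def parse_alerts(text):
    """Split an alert-log dump into dicts: id, groups, rule, level, description, body."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            groups = [g.strip() for g in m.group(3).split(",") if g.strip()]
            current = {"id": m.group(1), "groups": groups, "rule": None,
                       "level": None, "description": None, "body": []}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before any "** Alert" header, e.g. raw firewall logs
        m = RULE.match(line)
        if m and current["rule"] is None:
            current.update(rule=int(m.group(1)), level=int(m.group(2)),
                           description=m.group(3))
        elif line.strip():
            current["body"].append(line)
    return alerts


def select(alerts, level=None, group=None):
    """Simplified stand-in for report filters: minimum level, exact group name."""
    return [a for a in alerts
            if a["rule"] is not None
            and (level is None or a["level"] >= level)
            and (group is None or group in a["groups"])]


def inventory(alerts):
    """Count alerts per (rule id, level, groups): the first thing to check on zero results."""
    return Counter((a["rule"], a["level"], ",".join(a["groups"]))
                   for a in alerts if a["rule"] is not None)


if __name__ == "__main__":
    for key, count in inventory(parse_alerts(SAMPLE_ALERTS)).items():
        print(count, key)
```
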
[ossec-list] Ossec Windows rules 18111
Dear community,

I do have a mail each time a user connects to a Windows server. I get an alert with regards to:

    Rule: 18111 fired (level 8) - User account changed.

The alert is related to 642 is reporting that the account was changed. But in fact, I do have an event like this at each login. I am using pgina for LDAP authentication. Does anyone encounter this kind of issue?

Regards,
Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd
Thanks Andreas. I've got valgrind running on both binaries and it looks like there might be some interesting leak results. Any suggestions on how to get this fixed? Sorry, relative newbie to OSSEC and I'm not sure how to get this into the bug fix process.

Cheers,
Steve

On Fri, Mar 2, 2012 at 4:52 PM, Andreas Piesk a.pi...@gmx.net wrote:
> On 02.03.2012 22:17, Steve wrote:
>> Thanks for any suggestions or help!
>
> you could use valgrind (http://valgrind.org) to report memleaks, for instance
>
>     valgrind binary args
>
> or more detailed
>
>     valgrind --leak-check=yes binary args
>
> regards,
> -ap
[ossec-list] two interfaces
I have a RH 5 box with two interfaces on different subnets. The interface that the key is on works fine, but the other interface is trying to connect to the ossec server and I get a reject error. Is there any way to configure the agent to use only one interface?

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
Re: [ossec-list] two interfaces
Michael,

You could try static routing. Something like:

    # route add -host ossec-server-ip-addr dev ethernet-interface

I can't really try this, but something similar may give you the intended results. You will probably have to add this to a startup file, perhaps for the interface when it is configured.

Steve

On Mon, Mar 5, 2012 at 1:29 PM, Michael Barrett michael_barr...@mgic.com wrote:
> Is there any way to configure the agent to use only one interface?
Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd
On 05.03.2012 19:28, Steve Lodin wrote:
> I've got valgrind running on both binaries and it looks like there might be some interesting leak results. Any suggestions on how to get this fixed? Sorry, relative newbie to OSSEC and I'm not sure how to get this into the bug fix process.

you could open an issue at bitbucket (https://bitbucket.org/dcid/ossec-hids/) and upload your findings there, so others can take a look, verify and hopefully fix some leaks.

or you post your findings with an explanation how you got them on the mailing list. but if the data is multi-megabytes in size, bitbucket is the better choice.

regards,
-ap
[ossec-list]
Hi All,

I need a second set of eyes. For some reason I can't seem to get Ossec to generate alerts for syscheck rules any longer. I can use syscheck_control to see the files are being recognized as changed, but no actual alerts are being generated. I'm using Ossec 2.6 on Linux for the collector server and testing using a variety of clients. I'm including all of the standard rules. Here is part of my ossec.conf on the collector server:

    <syscheck>
      <frequency>300</frequency>
      <auto_ignore>no</auto_ignore>
      <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
    </syscheck>

    <alerts>
      <log_alert_level>3</log_alert_level>
      <email_alert_level>3</email_alert_level>
    </alerts>

I'm sure I'm just missing something, but I simply can't find it so any help would be greatly appreciated.

Patrick Swartz
Re: [ossec-list]
Hi!

Maybe these help you:
http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
http://www.ossec.net/wiki/Know_How:Syscheck

Best regards
woodspeed

On March 5, 2012 at 22:33, Swartz, Patrick H patrick.swa...@firstdata.com wrote:
> For some reason I can't seem to get Ossec to generate alerts for syscheck rules any longer. I can use syscheck_control to see the files are being recognized as changed, but no actual alerts are being generated.
[ossec-list] syscheck update
Hello, I would like to update the internal syscheck database, used in my OSSEC local deployment. What is the best way? I use the same system image everywhere, and would like to get a new syscheck database generated once, on a reference machine, and use it everywhere else. Will it be possible? Let me know. Thanks, -Stephane R.
[ossec-list] convert local linux to server install
is there a standard method to make a local install into a server install? i've added remote settings to the ossec.conf, added agents correctly, but that didn't seem to be enough. there is nothing listening to port 1514. I tried re-installing, but that only prompted an update that didn't seem to offer an install type.