Re: [ossec-list] Issues with not being able to start OSSEC-REMOTED

2012-03-22 Thread dan (ddp)
On Wed, Mar 21, 2012 at 3:39 PM, MDACC-Luckie  wrote:
> We have had a very successful deployment of OSSEC so I got really
> gung-ho and decided to add the final handful of servers and generate
> keys for them.  I generated keys for about 60 extra servers
> consecutively.  Since that happened and I restarted the OSSEC
> processes, ossec-remoted is dying.  In my digging around, I noticed
> the following:
>
> - When I "(L)ist already added agents" using manage_agents, my full
> list of devices I generated keys for appears
>
> BUT
>
> - When I do a ./agent_control -l, only the OSSEC server using ID: 000
> is listed and no others.
>
> As well, when I look in my ossec.log file, I see entries for
> ossec-remoted starting but never any other info about issues.  Is
> there some enhanced logging that I can turn on to see why it is
> failing?  Or any suggestions for troubleshooting this issue?
>
> Thanks
> Luckie

You can run it in debug mode (`/var/ossec/bin/ossec-control enable
debug && /var/ossec/bin/ossec-control restart`).
You can run remoted under gdb.
gdb /var/ossec/bin/ossec-remoted
set follow-fork-mode child
run

How many agents is the system configured to handle?


Re: [ossec-list] How to Set up a Sonicwall in OSSEC

2012-03-22 Thread Kat
FYI - running TCPDUMP is not a good test to verify the firewall block or 
not, since tcpdump puts the NIC in promiscuous AND intercepts the packets 
BEFORE the firewall sees them. So even if you are seeing the packets, you 
don't know they are being blocked or not without reviewing your firewall 
settings, turning it off/on, etc. (Which is what you did)



On Wednesday, March 21, 2012 2:26:30 PM UTC-5, Michael Scott wrote:
>
> Thanks again for the help and reply Dan.
>
> Just for fun, I disabled the firewall, and it started working. I ended up 
> removing the exception, applying changes, and then recreating it and 
> applying changes. After that, it ended up working.
>
> Sorry for the false alarm, and thanks!
>
> - Mike Scott
>
>

[ossec-list] Re: Issues with not being able to start OSSEC-REMOTED

2012-03-22 Thread MDACC-Luckie
Thanks for the info Dan.  Your question about agents configured
triggered the thought in my mind that even though I had bumped up the
number of agents it was configured to handle, I had actually not
increased it to accommodate as many as I had configured.  I bumped up
the number of agents again and it is all working well now.  Thanks!


[ossec-list] Problems with ossec-maild

2012-03-22 Thread MDACC-Luckie
I increased the number of agents my installation was capable of
supporting, reinstalled and then copied my saved ossec.conf file and
internal_options.conf into the ossec/etc directory and restarted
ossec.  My ossec-maild daemon starts, runs for a few seconds and then
dies.

I ran the following based on a previous email thread I saw and have
attached the results.  Please let me know if anyone has ideas on why
it is happening:

[root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /opt/ossec/bin/ossec-maild...done.
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /opt/ossec/bin/ossec-maild
[New process 2615]
[New process 2616]

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 2616]
0x00387c879b60 in strlen () from /lib64/libc.so.6
(gdb) bt
#0  0x00387c879b60 in strlen () from /lib64/libc.so.6
#1  0x00387c846cb9 in vfprintf () from /lib64/libc.so.6
#2  0x00387c8699da in vsnprintf () from /lib64/libc.so.6
#3  0x00387c84d5e3 in snprintf () from /lib64/libc.so.6
#4  0x00402d66 in OS_RecvMailQ (fileq=0x635640,
p=0x387cb56cc0, Mail=0x7fffe870, msg_sms=0x7fffe7e0)
at os_maild_client.c:96
#5  0x00402848 in OS_Run (mail=0x7fffe870) at maild.c:381
#6  0x004023d0 in main (argc=1, argv=0x7fffe9f8) at
maild.c:171
(gdb)
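Frame #4 shows the crash reaching strlen() through snprintf() in OS_RecvMailQ; the thread does not show that line of os_maild_client.c, but a strlen() fault beneath a %s conversion is the classic symptom of a NULL string argument, which a copied-over ossec.conf that no longer supplies a field could produce (an assumption, not something the thread confirms). The block below is an added example, not OSSEC's code: a bounded formatter with hypothetical names (mail_fields, format_mail_line, str_or_missing) that substitutes a constructed "(missing)" placeholder for NULL fields and reports truncation from snprintf's return value instead of clipping silently.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder written when a queue field is absent (constructed value). */
#define MISSING_FIELD "(missing)"

/* Hypothetical stand-in for the fields ossec-maild pulls from its queue;
 * any of them may be NULL when the queue entry or config is incomplete. */
struct mail_fields {
    const char *hostname;
    const char *location;
    const char *message;
};

/* Return s, or a placeholder when s is NULL, so "%s" never hands a NULL
 * pointer to strlen() inside vsnprintf(). */
static const char *str_or_missing(const char *s)
{
    return s ? s : MISSING_FIELD;
}

/* Format one alert line into out (size outlen).
 * Returns 0 on success, 1 if the result was truncated to fit, -1 if the
 * inputs are unusable. out is NUL-terminated whenever the return is >= 0. */
int format_mail_line(const struct mail_fields *f, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    if (f == NULL) {
        out[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it wanted to write; comparing that with
     * the buffer size detects truncation instead of trusting the buffer. */
    int needed = snprintf(out, outlen, "%s->%s: %s",
                          str_or_missing(f->hostname),
                          str_or_missing(f->location),
                          str_or_missing(f->message));
    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)needed >= outlen ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: the location field is absent, as a stale config
     * could leave it. The guarded formatter still produces a line. */
    struct mail_fields f = { "dbhost", NULL, "syscheck: file modified" };
    char line[64];
    int rc = format_mail_line(&f, line, sizeof line);
    printf("rc=%d line=%s\n", rc, line);
    return rc < 0;
}
```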


Re: [ossec-list] How to Set up a Sonicwall in OSSEC

2012-03-22 Thread Michael Scott
Thanks Kat! I was thinking of firewalls between the OSSEC server and the
SonicWall; it wasn't until after Dan emailed that I figured I had better
double check the firewall on the OSSEC server itself. Next time I'll have
to check that a little earlier :-)

Mike Scott



[ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
Hello,

I'm doing a paper for a university study (Federal University of Lavras -
UFLA - www.ufla.br), comparing four tools for checking the integrity of
files (Tripwire, OSSEC, AIDE and Samhain).
I need some information about the tool OSSEC.
Is the generated database (snapshot) encrypted? Is the rules file encrypted?


Sorry for my English, I cannot write correctly.
I await your response.
Thank you!

-- 
Att,

*Michel Henrique Aquino Santos*
Bacharelado em Ciência da Computação
Universidade Federal de Lavras - UFLA
Skype: michel_has
Gtalk: michel.has
michel@gmail.com

Linux User # 496756

http://resolvidoslinux.blogspot.com/


Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread dan (ddp)
Neither are encrypted in OSSEC.



[ossec-list] JBoss Logs

2012-03-22 Thread octomeow
Hi

I'm very new to OSSEC.  Does anyone have a good rules file for JBoss
logs I could look at?


Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
Thanks for the reply. This is not good because it creates a
vulnerability in the system.

Att.

Em 22-03-2012 17:33, dan (ddp) escreveu:
> Neither are encrypted in OSSEC.


RE: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Castle, Shane
Just what is this vulnerability, specifically?

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH



RE: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Nelson, James
The vast majority of log data is not encrypted to begin with, so how do you
figure it's a vulnerability?  At most, transmission between agent and master
could be considered vulnerable but you can set it up to use secure
transmission which would be encrypted.

James





Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
Hi,
an attacker can read the rules file and use any directory or file that is
not monitored to carry out the attack.

Em 22-03-2012 18:04, Castle, Shane escreveu:
> Just what is this vulnerability, specifically?
>



Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
If an attacker managed to enter the machine and gain privileged access,
they can read the configuration files if OSSEC is installed as local.
Thus, they can use a directory or file that is not monitored to carry out
the attack, or even modify the rules file.

Em 22-03-2012 18:16, Nelson, James escreveu:
>
> The vast majority of log data is not encrypted to begin with, so how
> do you figure it's a vulnerability?  At most, transmission between
> agent and master could be considered vulnerable but you can set it up
> to use secure transmission which would be encrypted.


RE: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Castle, Shane
If this happened then it's game over. Encrypting the files/filesystem will do 
no good if your system is compromised.

Sorry, I don't buy it. Try again.
