[ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread kay kay
I would like to disable alert.log and use only the database. Is it possible to
implement this in default ossec, or should I modify the source code?


[ossec-list] Syscheck Windows Agent

2012-09-25 Thread Alejandro
Hi.

I'm using ossec to monitor some windows agents on 2003 server.

The server is running centos and saving the information in a mysql database.

When I receive a syscheck event from windows (file modified, deleted or 
added) the username is empty. 

Is it possible to modify some rule to have that username logged on the
event?

Thanks a lot.

Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread dan (ddp)
Start warming up emacs.
On Sep 25, 2012 6:07 AM, kay kay kay.d...@gmail.com wrote:

 I would like to disable alert.log and use only the database. Is it possible to
 implement this in default ossec, or should I modify the source code?



Re: [ossec-list] Syscheck Windows Agent

2012-09-25 Thread Alejandro Martinez
OK,
thanks.

2012/9/25 dan (ddp) ddp...@gmail.com

 If we could magically associate a username with a file modification it
 would be the default.
 On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:

 Hi.

 I'm using ossec to monitor some windows agents on 2003 server.

 The server is running centos and saving the information in a mysql
 database.

 When I receive a syscheck event from windows (file modified, deleted or
 added) the username is empty.

 Is it possible to modify some rule to have that username logged on the
 event ?

 Thanks a lot.




Re: [ossec-list] Syscheck Windows Agent

2012-09-25 Thread Alejandro Martinez
Thanks Dan.

I'll try.

My idea is to register the user logged on a computer that deletes or
modifies a file (like the Windows security log).

maybe some mix between them...

2012/9/25 dan (ddp) ddp...@gmail.com

 On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:
  OK,
  thanks.
 

 If you know a good way to get that info, let us know. We can try to
 get it in after 2.7.

  2012/9/25 dan (ddp) ddp...@gmail.com
 
  If we could magically associate a username with a file modification it
  would be the default.
 
  On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:
 
  Hi.
 
  I'm using ossec to monitor some windows agents on 2003 server.
 
  The server is running centos and saving the information in a mysql
  database.
 
  When I receive a syscheck event from windows (file modified, deleted or
  added) the username is empty.
 
  Is it possible to modify some rule to have that username logged on the
  event ?
 
  Thanks a lot.
 
 



Re: [ossec-list] Syscheck Windows Agent

2012-09-25 Thread dan (ddp)
On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
ajm.marti...@gmail.com wrote:
 Thanks Dan.

 I'll try.

 My idea is to register the user logged on a computer that deletes or
 modifies a file (like the Windows security log).

 maybe some mix between them...


There's too much of a chance for false positives. Many systems are
multi-user these days. I was hoping for a file attribute that possibly
tracked the last user to modify the file.

 2012/9/25 dan (ddp) ddp...@gmail.com

 On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:
  OK,
  thanks.
 

 If you know a good way to get that info, let us know. We can try to
 get it in after 2.7.

  2012/9/25 dan (ddp) ddp...@gmail.com
 
  If we could magically associate a username with a file modification it
  would be the default.
 
  On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:
 
  Hi.
 
  I'm using ossec to monitor some windows agents on 2003 server.
 
  The server is running centos and saving the information in a mysql
  database.
 
  When I receive a syscheck event from windows (file modified, deleted
  or
  added) the username is empty.
 
  Is it possible to modify some rule to have that username logged on the
  event ?
 
  Thanks a lot.
 
 




Re: [ossec-list] Re: ignore alerts specify ip in apache logs

2012-09-25 Thread Leonardo Bacha Abrantes
Guys,

I created a rule and inserted it into local_rules.xml, but it is not
working.

<group name="web,accesslog,">
  <rule id="100201" level="5">
    <if_sid>31100</if_sid>  <!-- I also tried to put the specific rule number (30119, 30118, etc.) -->
    <match>^client 192.168.21.18</match>
    <options>no_email_alert</options>
  </rule>
</group>

what is wrong on it ?

thanks!


On Mon, Sep 24, 2012 at 9:13 AM, Leonardo Bacha Abrantes 
leona...@lbasolutions.com wrote:

 yes! exactly this! :)





 On Sun, Sep 23, 2012 at 11:30 AM, JB jjoob...@gmail.com wrote:

 Do you mean NOT to trigger alerts when the Location is
 'your.reverse.proxy.ip - /var/log/httpd/access_log'?


 On Friday, September 21, 2012 10:58:17 AM UTC-7, Leonardo Bacha Abrantes
 wrote:

 Hey guys!

 I have a machine working as a reverse proxy that redirects requests to
 another machine, which is my webserver, and I am receiving a lot of alerts from
 my webserver that have the IP of my reverse proxy.
 I don't want to receive alerts from my webserver that have the IP of my
 reverse proxy.

 I found a rule below to ignore any alert but how can I specify to ignore
 alerts only in access.log and error.log from reverse proxy ?

 <rule id="100123" level="0">
   <if_level>8</if_level>
   <srcip>Ip of my reverse proxy</srcip>
   <description>Ignoring any alert above level 8 that has MYIP decoded.</description>
 </rule>

 many thanks!







Re: [ossec-list] Re: ignore alerts specify ip in apache logs

2012-09-25 Thread dan (ddp)
On Tue, Sep 25, 2012 at 10:04 AM, Leonardo Bacha Abrantes
leona...@lbasolutions.com wrote:
 Guys,

 I created a rule and inserted it into local_rules.xml, but it is not
 working.

 <group name="web,accesslog,">
   <rule id="100201" level="5">
     <if_sid>31100</if_sid>  <!-- I also tried to put the specific rule number (30119, 30118, etc.) -->
     <match>^client 192.168.21.18</match>
     <options>no_email_alert</options>
   </rule>
 </group>

 what is wrong on it ?

 thanks!


Your log sample didn't come through, or I missed it. Can you resend?



 On Mon, Sep 24, 2012 at 9:13 AM, Leonardo Bacha Abrantes
 leona...@lbasolutions.com wrote:

 yes! exactly this! :)





 On Sun, Sep 23, 2012 at 11:30 AM, JB jjoob...@gmail.com wrote:

 Do you mean NOT to trigger alerts when the Location is
 'your.reverse.proxy.ip - /var/log/httpd/access_log'?


 On Friday, September 21, 2012 10:58:17 AM UTC-7, Leonardo Bacha Abrantes
 wrote:

 Hey guys!

 I have a machine working as a reverse proxy that redirects requests to
 another machine, which is my webserver, and I am receiving a lot of alerts from
 my webserver that have the IP of my reverse proxy.
 I don't want to receive alerts from my webserver that have the IP of my
 reverse proxy.

 I found a rule below to ignore any alert but how can I specify to ignore
 alerts only in access.log and error.log from reverse proxy ?

 <rule id="100123" level="0">
   <if_level>8</if_level>
   <srcip>Ip of my reverse proxy</srcip>
   <description>Ignoring any alert above level 8 that has MYIP decoded.</description>
 </rule>

 many thanks!







Re: [ossec-list] Re: ignore alerts specify ip in apache logs

2012-09-25 Thread Leonardo Bacha Abrantes
Hi Dan,


The apache log is:


[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity:
Access denied with code 403 (phase 2). Pattern match
(?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
... at REQUEST_COOKIES:__utmz. [file
/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
[line 235] [id 981245] [msg Detects basic SQL authentication bypass
attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL] [tag
WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
/sites/all/themes/mysite/img/btlai.jpg] [unique_id
UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern
match
(?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
... at REQUEST_COOKIES:__utmz. [file
/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
[line 235] [id 981245] [msg Detects basic SQL authentication bypass
attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL] [tag
WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
/sites/all/themes/mysite/img/logo-brasil.jpg] [unique_id
UGG5xn8AAAEAAByF90UP]



thanks!!



On Tue, Sep 25, 2012 at 11:08 AM, dan (ddp) ddp...@gmail.com wrote:

 On Tue, Sep 25, 2012 at 10:04 AM, Leonardo Bacha Abrantes
 leona...@lbasolutions.com wrote:
  Guys,
 
  I created a rule and inserted it into local_rules.xml, but it is not
  working.
 
  <group name="web,accesslog,">
    <rule id="100201" level="5">
      <if_sid>31100</if_sid>  <!-- I also tried to put the specific rule number (30119, 30118, etc.) -->
      <match>^client 192.168.21.18</match>
      <options>no_email_alert</options>
    </rule>
  </group>
 
  what is wrong on it ?
 
  thanks!
 

 Your log sample didn't come through, or I missed it. Can you resend?

 
 
  On Mon, Sep 24, 2012 at 9:13 AM, Leonardo Bacha Abrantes
  leona...@lbasolutions.com wrote:
 
  yes! exactly this! :)
 
 
 
 
 
  On Sun, Sep 23, 2012 at 11:30 AM, JB jjoob...@gmail.com wrote:
 
  Do you mean NOT to trigger alerts when the Location is
  'your.reverse.proxy.ip - /var/log/httpd/access_log'?
 
 
  On Friday, September 21, 2012 10:58:17 AM UTC-7, Leonardo Bacha
 Abrantes
  wrote:
 
  Hey guys!
 
  I have a machine working as a reverse proxy that redirects requests to
  another machine, which is my webserver, and I am receiving a lot of alerts from
  my webserver that have the IP of my reverse proxy.
  I don't want to receive alerts from my webserver that have the IP of my
  reverse proxy.
 
  I found a rule below to ignore any alert but how can I specify to
 ignore
  alerts only in access.log and error.log from reverse proxy ?
 
  <rule id="100123" level="0">
    <if_level>8</if_level>
    <srcip>Ip of my reverse proxy</srcip>
    <description>Ignoring any alert above level 8 that has MYIP decoded.</description>
  </rule>
 
  many thanks!
 
 
 
 
 



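An added example in Python, not code from the thread or from OSSEC itself. It takes the log field as ossec-logtest printed it for the ModSecurity entry above (the long SQLi regex text shortened, the sample otherwise built from the thread's line), pulls out the client address the way the apache error-log decoder yields srcip, collects the ModSecurity bracket fields, and suppresses by decoded source IP, which is what rule 100123 in the thread does, rather than by literal text. It also shows that an OSSEC match beginning with ^ is a prefix test on that log field, which starts with "[error]". The 203.0.113.7 address and the regex names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample: the "log" field ossec-logtest printed for the ModSecurity
# error-log entry in the thread, with the long SQLi regex text shortened to
# keep the sample readable.
SAMPLE_LOG = (
    "[error] [client 192.168.21.18] ModSecurity: Access denied with code 403 "
    "(phase 2). Pattern match \"(?i:... shortened ...)\" at REQUEST_COOKIES:__utmz. "
    "[file /etc/httpd/conf.d/modsecurity/base_rules/"
    "modsecurity_crs_41_sql_injection_attacks.conf] [line 235] [id 981245] "
    "[msg Detects basic SQL authentication bypass attempts 2/3] "
    "[data \\xc2\\xba49 d] [severity CRITICAL] [tag WEB_ATTACK/SQLI] "
    "[hostname www.mysite.com] [uri /sites/all/themes/mysite/img/btlai.jpg] "
    "[unique_id UGG5xn8AAAEAABzuFRgS]"
)
# Same shape with a constructed, non-proxy client address (203.0.113.7 is a
# documentation range, not a real host).
SAMPLE_LOG_OTHER = SAMPLE_LOG.replace("192.168.21.18", "203.0.113.7")

# What the apache error-log decoder keys on: "[level] [client X] " at the
# start of the log field.
CLIENT_RE = re.compile(r"^\[(?:error|warn|notice)\] \[client ([^\]]+)\] ")
# ModSecurity's bracketed key/value fields that are worth rule-matching on.
FIELD_RE = re.compile(r"\[(id|msg|severity|uri|hostname) ([^\]]*)\]")


@dataclass
class Decoded:
    srcip: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)


def decode(log: str) -> Decoded:
    """Extract srcip from '[client X]' plus the ModSecurity bracket fields."""
    m = CLIENT_RE.match(log)
    srcip = m.group(1) if m else None
    return Decoded(srcip=srcip, fields=dict(FIELD_RE.findall(log)))


def match_anchored(log: str, pattern: str) -> bool:
    """An OSSEC <match> that starts with '^' is anchored at the start of the log
    field, so it behaves as a prefix test; without '^' it is a substring test."""
    if pattern.startswith("^"):
        return log.startswith(pattern[1:])
    return pattern in log


def should_suppress(log: str, proxy_ips: Set[str]) -> bool:
    """Suppress by decoded srcip, the approach rule 100123 in the thread takes,
    instead of by literal text: the decision keys on the decoded field."""
    return decode(log).srcip in proxy_ips


if __name__ == "__main__":
    d = decode(SAMPLE_LOG)
    print(d.srcip, d.fields["id"], d.fields["severity"])
    print(match_anchored(SAMPLE_LOG, "^client 192.168.21.18"))  # False: log starts with "[error]"
    print(should_suppress(SAMPLE_LOG, {"192.168.21.18"}))       # True
```

Keying the suppression on the decoded address has a cost in this setup: the webserver only ever sees the proxy's address, so every event relayed through the proxy carries that srcip and is silenced together with the noise, which is why the thread's rule is scoped with if_level rather than applied to everything.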
Re: [ossec-list] Re: ignore alerts specify ip in apache logs

2012-09-25 Thread dan (ddp)
On Tue, Sep 25, 2012 at 10:14 AM, Leonardo Bacha Abrantes
leona...@lbasolutions.com wrote:
 Hi Dan,


 The apache log is:


 [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity:
 Access denied with code 403 (phase 2). Pattern match
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
 ... at REQUEST_COOKIES:__utmz. [file
 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
 [line 235] [id 981245] [msg Detects basic SQL authentication bypass
 attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL] [tag
 WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
 /sites/all/themes/mysite/img/btlai.jpg] [unique_id
 UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern
 match
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
 ... at REQUEST_COOKIES:__utmz. [file
 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
 [line 235] [id 981245] [msg Detects basic SQL authentication bypass
 attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL] [tag
 WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
 /sites/all/themes/mysite/img/logo-brasil.jpg] [unique_id
 UGG5xn8AAAEAAByF90UP]



 thanks!!


Running it through ossec-logtest I see:

**Phase 1: Completed pre-decoding.
   full event: '[Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match 
(?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
... at REQUEST_COOKIES:__utmz. [file
/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
[line 235] [id 981245] [msg Detects basic SQL authentication
bypass attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL]
[tag WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
/sites/all/themes/mysite/img/btlai.jpg] [unique_id
UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match 
(?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
... at REQUEST_COOKIES:__utmz. [file
/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
[line 235] [id 981245] [msg Detects basic SQL authentication
bypass attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL]
[tag WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
/sites/all/themes/mysite/img/logo-brasil.jpg] [unique_id
UGG5xn8AAAEAAByF90UP]'
   hostname: 'arrakis'
   program_name: '(null)'
   log: '[error] [client 192.168.21.18] ModSecurity: Access denied
with code 403 (phase 2). Pattern match
(?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
... at REQUEST_COOKIES:__utmz. [file
/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
[line 235] [id 981245] [msg Detects basic SQL authentication
bypass attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL]
[tag WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
/sites/all/themes/mysite/img/btlai.jpg] [unique_id
UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match 
(?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
... at REQUEST_COOKIES:__utmz. [file
/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
[line 235] [id 981245] [msg Detects basic SQL authentication
bypass attempts 2/3] [data \\xc2\\xba49 d] [severity 

Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread kay kay
Any sane response?

On Tuesday, September 25, 2012, 14:12:45 UTC+4, user dan (ddpbsd)
wrote:

 Start warming up emacs.
 On Sep 25, 2012 6:07 AM, kay kay kay@gmail.com
 wrote:

 I would like to disable alert.log and use only database. Is it possible 
 to implement in default ossec or I should modify source code?



Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread dan (ddp)
On Tue, Sep 25, 2012 at 10:21 AM, kay kay kay.d...@gmail.com wrote:
 Any sane response?


Use vi?

 On Tuesday, September 25, 2012, 14:12:45 UTC+4, user dan (ddpbsd)
 wrote:

 Start warming up emacs.

 On Sep 25, 2012 6:07 AM, kay kay kay@gmail.com wrote:

 I would like to disable alert.log and use only database. Is it possible
 to implement in default ossec or I should modify source code?


Re: [ossec-list] Re: ignore alerts specify ip in apache logs

2012-09-25 Thread Leonardo Bacha Abrantes
thanks a lot Dan!


On Tue, Sep 25, 2012 at 11:25 AM, dan (ddp) ddp...@gmail.com wrote:

 On Tue, Sep 25, 2012 at 10:14 AM, Leonardo Bacha Abrantes
 leona...@lbasolutions.com wrote:
  Hi Dan,
 
 
  The apache log is:
 
 
  [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity:
  Access denied with code 403 (phase 2). Pattern match
 
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
  ... at REQUEST_COOKIES:__utmz. [file
 
 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
  [line 235] [id 981245] [msg Detects basic SQL authentication bypass
  attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL] [tag
  WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
  /sites/all/themes/mysite/img/btlai.jpg] [unique_id
  UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
  192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
 Pattern
  match
 
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
  ... at REQUEST_COOKIES:__utmz. [file
 
 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
  [line 235] [id 981245] [msg Detects basic SQL authentication bypass
  attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL] [tag
  WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
  /sites/all/themes/mysite/img/logo-brasil.jpg] [unique_id
  UGG5xn8AAAEAAByF90UP]
 
 
 
  thanks!!
 

 Running it through ossec-logtest I see:

 **Phase 1: Completed pre-decoding.
full event: '[Tue Sep 25 11:03:50 2012] [error] [client
 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
 Pattern match
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
 ... at REQUEST_COOKIES:__utmz. [file

 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
 [line 235] [id 981245] [msg Detects basic SQL authentication
 bypass attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL]
 [tag WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
 /sites/all/themes/mysite/img/btlai.jpg] [unique_id
 UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
 Pattern match
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
 ... at REQUEST_COOKIES:__utmz. [file

 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
 [line 235] [id 981245] [msg Detects basic SQL authentication
 bypass attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL]
 [tag WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
 /sites/all/themes/mysite/img/logo-brasil.jpg] [unique_id
 UGG5xn8AAAEAAByF90UP]'
hostname: 'arrakis'
program_name: '(null)'
log: '[error] [client 192.168.21.18] ModSecurity: Access denied
 with code 403 (phase 2). Pattern match

 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
 ... at REQUEST_COOKIES:__utmz. [file

 /etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf]
 [line 235] [id 981245] [msg Detects basic SQL authentication
 bypass attempts 2/3] [data \\xc2\\xba49 d] [severity CRITICAL]
 [tag WEB_ATTACK/SQLI] [hostname www.mysite.com] [uri
 /sites/all/themes/mysite/img/btlai.jpg] [unique_id
 UGG5xn8AAAEAABzuFRgS] [Tue Sep 25 11:03:50 2012] [error] [client
 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
 Pattern match
 (?i:(?:unions*?(?:all|distinct|[(!@]*?)?s*?[([]*?s*?select)|(?:w+s+likes+[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:likes*?[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]%)|(?:[\\'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]s*?likeW*?[\\'`\\xc2\\xb4\\xe2
 ... at REQUEST_COOKIES:__utmz. [file

 

Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread kay kay
I didn't ask which tool to use, I asked which file to modify, and
what exactly. And is it possible at all?

On Tuesday, September 25, 2012, 18:26:58 UTC+4, user dan (ddpbsd)
wrote:

 On Tue, Sep 25, 2012 at 10:21 AM, kay kay kay@gmail.com
 wrote: 
  Any sane response? 
  

 Use vi? 

  On Tuesday, September 25, 2012, 14:12:45 UTC+4, user dan (ddpbsd)
  wrote:
  
  Start warming up emacs. 
  
  On Sep 25, 2012 6:07 AM, kay kay kay@gmail.com wrote: 
  
  I would like to disable alert.log and use only database. Is it 
 possible 
  to implement in default ossec or I should modify source code? 



Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread dan (ddp)
On Tue, Sep 25, 2012 at 10:41 AM, kay kay kay.d...@gmail.com wrote:
 I didn't ask which tool to use, I asked which file to modify, and what
 exactly. And is it possible at all?


Yes it's possible, but you'll have to modify the source code to do it.
That feature isn't implemented. If I took the time to tell you what
to modify and how to do it exactly I might as well do it myself.

 On Tuesday, September 25, 2012, 18:26:58 UTC+4, user dan (ddpbsd)
 wrote:

 On Tue, Sep 25, 2012 at 10:21 AM, kay kay kay@gmail.com wrote:
  Any sane response?
 

 Use vi?

  On Tuesday, September 25, 2012, 14:12:45 UTC+4, user dan (ddpbsd)
  wrote:
 
  Start warming up emacs.
 
  On Sep 25, 2012 6:07 AM, kay kay kay@gmail.com wrote:
 
  I would like to disable alert.log and use only database. Is it
  possible
  to implement in default ossec or I should modify source code?


Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread kay kay
Thank you for sane answer.

So why didn't you tell me at once that it is impossible to implement in
default ossec, instead of "use vi"?

On Tuesday, September 25, 2012, 18:45:30 UTC+4, user dan (ddpbsd)
wrote:

 On Tue, Sep 25, 2012 at 10:41 AM, kay kay kay@gmail.com
 wrote: 
  I didn't ask about which tool to use, I ask about which file to modify, 
 what 
  exactly. And is it possible at all. 
  

 Yes it's possible, but you'll have to modify the source code to do it. 
 That feature isn't implemented. If I took the time to tell you what 
 to modify and how to do it exactly I might as well do it myself. 

  On Tuesday, September 25, 2012, 18:26:58 UTC+4, user dan (ddpbsd)
  wrote:
  
  On Tue, Sep 25, 2012 at 10:21 AM, kay kay kay@gmail.com wrote: 
   Any sane response? 
   
  
  Use vi? 
  
   On Tuesday, September 25, 2012, 14:12:45 UTC+4, user dan (ddpbsd)
   wrote:
   
   Start warming up emacs. 
   
   On Sep 25, 2012 6:07 AM, kay kay kay@gmail.com wrote: 
   
   I would like to disable alert.log and use only database. Is it 
   possible 
   to implement in default ossec or I should modify source code? 



Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread dan (ddp)
On Tue, Sep 25, 2012 at 10:56 AM, kay kay kay.d...@gmail.com wrote:
 Thank you for sane answer.

 So why didn't you tell me at once that it is impossible to implement in
 default ossec, instead of "use vi"?


Because you offered to modify the source code to implement the
feature, and I thought you would get it. It was a failed attempt at a
humorous way of answering the question.

 On Tuesday, September 25, 2012, 18:45:30 UTC+4, user dan (ddpbsd)
 wrote:

 On Tue, Sep 25, 2012 at 10:41 AM, kay kay kay@gmail.com wrote:
  I didn't ask about which tool to use, I ask about which file to modify,
  what
  exactly. And is it possible at all.
 

 Yes it's possible, but you'll have to modify the source code to do it.
 That feature isn't implemented. If I took the time to tell you what
 to modify and how to do it exactly I might as well do it myself.

  On Tuesday, September 25, 2012, 18:26:58 UTC+4, user dan (ddpbsd)
  wrote:
 
  On Tue, Sep 25, 2012 at 10:21 AM, kay kay kay@gmail.com wrote:
   Any sane response?
  
 
  Use vi?
 
   On Tuesday, September 25, 2012, 14:12:45 UTC+4, user dan (ddpbsd)
   wrote:
  
   Start warming up emacs.
  
   On Sep 25, 2012 6:07 AM, kay kay kay@gmail.com wrote:
  
   I would like to disable alert.log and use only database. Is it
   possible
   to implement in default ossec or I should modify source code?


Re: [ossec-list] Syscheck Windows Agent

2012-09-25 Thread Alejandro Martinez
Thanks for the info Scott.


2012/9/25 Scott Klauminzer sklaumin...@gmail.com

 This may help in building rules to monitor. Also the Event IDs change
 based on OS Version (Vista+)

 http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx

 Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+
 are all relevant, and not currently within ossec rule sets.

 This depends on having Windows Auditing set to audit object access, which
 is difficult to make sure works according to plan, see this:


 http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

 I know this info is Windows 7 and 2008 based, but the concepts are the
 same, Windows has evolved, and with Domain, Local and auditpol.exe access
 to Policy settings, that all have different refresh times and overrides,
 this can get clustered quickly.

 Net result is auditpol.exe /get /category:* is the best resource for
 actual up-to-the-minute Audit Policy settings, but this will change if you
 have competing policies!


 On Sep 25, 2012, at 7:01 AM, dan (ddp) ddp...@gmail.com wrote:

 On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:

 Thanks Dan.

 I'll try.

 My idea is to register the user logged on a computer that deletes or
 modifies a file (like the Windows security log).

 maybe some mix between them...


 There's too much of a chance for false positives. Many systems are
 multi-user these days. I was hoping for a file attribute that possibly
 tracked the last user to modify the file.

 2012/9/25 dan (ddp) ddp...@gmail.com

 On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:

 OK,
 thanks.


 If you know a good way to get that info, let us know. We can try to
 get it in after 2.7.

 2012/9/25 dan (ddp) ddp...@gmail.com

 If we could magically associate a username with a file modification it
 would be the default.

 On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:


 Hi.

 I'm using ossec to monitor some windows agents on 2003 server.

 The server is running centos and saving the information in a mysql
 database.

 When I receive a syscheck event from windows (file modified, deleted
 or
 added) the username is empty.

 Is it possible to modify some rule to have that username logged on the
 event ?

 Thanks a lot.









Re: [ossec-list] Syscheck Windows Agent

2012-09-25 Thread dan (ddp)
Very nice info. Unfortunately, if I understand this correctly, syscheck
would not have access to this data.
On Sep 25, 2012 1:43 PM, Scott Klauminzer sklaumin...@gmail.com wrote:

 This may help in building rules to monitor. Also the Event IDs change
 based on OS Version (Vista+)

 http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx

 Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+
 are all relevant, and not currently within ossec rule sets.

 This depends on having Windows Auditing set to audit object access, which
 is difficult to make sure works according to plan, see this:


 http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

 I know this info is Windows 7 and 2008 based, but the concepts are the
 same, Windows has evolved, and with Domain, Local and auditpol.exe access
 to Policy settings, that all have different refresh times and overrides,
 this can get clustered quickly.

 Net result is auditpol.exe /get /category:* is the best resource for
 actual up-to-the-minute Audit Policy settings, but this will change if you
 have competing policies!


 On Sep 25, 2012, at 7:01 AM, dan (ddp) ddp...@gmail.com wrote:

 On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:

 Thanks Dan.

 I'll try.

 My idea is to register the user logged on a computer that deletes or
 modifies a file (like the Windows security log).

 maybe some mix between them...


 There's too much of a chance for false positives. Many systems are
 multi-user these days. I was hoping for a file attribute that possibly
 tracked the last user to modify the file.

 2012/9/25 dan (ddp) ddp...@gmail.com

 On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:

 OK,
 thanks.


 If you know a good way to get that info, let us know. We can try to
 get it in after 2.7.

 2012/9/25 dan (ddp) ddp...@gmail.com

 If we could magically associate a username with a file modification it
 would be the default.

 On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:


 Hi.

 I'm using ossec to monitor some windows agents on 2003 server.

 The server is running centos and saving the information in a mysql
 database.

 When I receive a syscheck event from windows (file modified, deleted
 or
 added) the username is empty.

 Is it possible to modify some rule to have that username logged on the
 event ?

 Thanks a lot.









Re: [ossec-list] Syscheck Windows Agent

2012-09-25 Thread Scott Klauminzer
Correct, but if auditing is set up to specify the same directories, you would 
have additional audit events to correlate.

On Sep 25, 2012, at 10:48 AM, dan (ddp) ddp...@gmail.com wrote:

 Very nice info. Unfortunately, if I understand this correctly, syscheck would 
 not have access to this data.
 
 On Sep 25, 2012 1:43 PM, Scott Klauminzer sklaumin...@gmail.com wrote:
 This may help in building rules to monitor. Also the Event IDs change based 
 on OS Version (Vista+)
 
 http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx
 
 Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+ are 
 all relevant, and not currently within ossec rule sets.
 
 This depends on having Windows Auditing set to audit object access, which is 
 difficult to make sure works according to plan, see this:
 
 http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
 
 I know this info is Windows 7 and 2008 based, but the concepts are the same, 
 Windows has evolved, and with Domain, Local and auditpol.exe access to Policy 
 settings, that all have different refresh times and overrides, this can get 
 clustered quickly.
 
 Net result is auditpol.exe /get /category:* is the best resource for actual 
 up-to-the-minute Audit Policy settings, but this will change if you have 
 competing policies!
 
 
 On Sep 25, 2012, at 7:01 AM, dan (ddp) ddp...@gmail.com wrote:
 
 On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:
 Thanks Dan.
 
 I'll try.
 
 My idea is to register the user logged on a computer that deletes or
 modifies a file (like windows security log).
 
 maybe some mix between them...
 
 
 There's too much of a chance for false positives. Many systems are
 multi-user these days. I was hoping for a file attribute that possibly
 tracked the last user to modify the file.
 
 2012/9/25 dan (ddp) ddp...@gmail.com
 
 On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
 ajm.marti...@gmail.com wrote:
 OK,
 thanks.
 
 
 If you know a good way to get that info, let us know. We can try to
 get it in after 2.7.
 
 2012/9/25 dan (ddp) ddp...@gmail.com
 
 If we could magically associate a username with a file modification it
 would be the default.
 
 On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:
 
 Hi.
 
 I'm using ossec to monitor some windows agents on 2003 server.
 
 The server is running centos and saving the information in a mysql
 database.
 
 When I receive a syscheck event from windows (file modified, deleted
 or
 added) the username is empty.
 
 Is it possible to modify some rule to have that username logged on the
 event ?
 
 Thanks a lot.
 


Re: [ossec-list] Is it possible to disable alert.log and use only database?

2012-09-25 Thread Michael Starks

On 25.09.2012 10:00, dan (ddp) wrote:


Because you offered to modify the source code to implement the
feature, and I thought you would get it. It was a failed attempt at a
humorous way of answering the question.


That's nothing. I was about to suggest an ossec command that kept 
cat'ing /dev/null into the alerts.log.


I wouldn't turn off alerts.log, though. Databases crash, lock, don't 
get restarted, etc. It's much less reliable than flat files, IMHO. Maybe 
just delete the archived logs after a certain period of time...


[ossec-list] Re: Is it possible to disable alert.log and use only database?

2012-09-25 Thread JB
May I ask why you want to disable alert.log? 

On Monday, September 24, 2012 11:37:10 PM UTC-7, kay kay wrote:

 I would like to disable alert.log and use only database. Is it possible to 
 implement in default ossec or I should modify source code?



Re: [ossec-list] OSSEC 2.7-beta0. Logcollector segfaults dirty fix

2012-09-25 Thread dan (ddp)
On Wed, Sep 19, 2012 at 5:40 AM, PAL p...@pal.dp.ua wrote:
 I tried to install OSSEC 2.7 in my environment.
 Unfortunately, logcollector has a serious problem.
 I defined the config like:

 <localfile>
 <log_format timeout="2">linux_auditd</log_format>
 <location>/var/log/audit/audit.log</location>
 </localfile>


 I got a logcollector segfault in a short time.
 I did some exploring. The file was successfully accessed at start but access
 was lost within a few minutes (it looks like because audit.log is updated frequently),
 and after that logcollector segfaulted.

 Ok, let's debug. As I found, when the file is not available, it's marked by setting
 logff[i].ign to 999 and logff[i].fp to null.
 BUT! In the next cycle logcollector will try to interpret this file as command
 type! This will incorrectly set size and position and when the read function
 is called, we get a segfault


It sees the entry as a command because of the change to a union in
struct logreader. When anything in that union is set, every check for
one of those possible variables will match, even if that variable
isn't set. Then trying to access that unset variable will cause
issues.

I'm wondering if removing the union or working with it a bit better will help.

BTW, I used a similar fix as the one you posted, and it seemed to
recognize commands. I haven't double checked the output or anything
yet, but I'm pretty confident it'll work.

 For example, debug session:

 gdb ./client-logcollector -f
 [New process 11610]
 [New process 11611]

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to process 11611]
 0x2ad2bb1c in fgetpos64@@GLIBC_2.2.5 () from /lib64/libc.so.6
 (gdb) bt
 #0  0x2ad2bb1c in fgetpos64@@GLIBC_2.2.5 () from /lib64/libc.so.6
 #1  0x00405d6a in read_linux_audit (pos=3, drop_it=0) at
 read_linux_audit.c:157
 #2  0x004033f0 in LogCollectorStart () at logcollector.c:349
 #3  0x00404992 in main (argc=1, argv=0x7fffc658) at main.c:184
 (gdb)


 The same happened (but not always, strange, hm) when I added a
 nonexistent file to the config

 I made a patch (in attachment), which allows avoiding this problem
 After a day of testing logcollector works fine

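The union aliasing that dan describes, as an added C illustration that is not OSSEC's code: the struct names, the two reader kinds and the command string are constructed to show the pitfall (a presence check on one union member fires when another member was set) beside one fix, an explicit tag field that records which member is live; it is not a copy of struct logreader.

```c
#include <stdio.h>

/* Constructed model of a log reader entry (not OSSEC's struct logreader).
 * Buggy layout: fp and command share one storage slot. */
struct reader_union {
    union {
        FILE *fp;             /* live for file readers */
        const char *command;  /* live for command readers */
    } u;
};

/* A non-NULL fp is read back through command, so this is true for files too. */
static int buggy_is_command(const struct reader_union *lf)
{
    return lf->u.command != NULL;
}

/* Hardened layout: an explicit tag says which union member is valid. */
enum reader_kind { READER_FILE, READER_COMMAND };

struct reader_tagged {
    enum reader_kind kind;
    union { FILE *fp; const char *command; } u;
};

static int tagged_is_command(const struct reader_tagged *lf)
{
    return lf->kind == READER_COMMAND && lf->u.command != NULL;
}

/* File reader (fp set, command never assigned) is misclassified: returns 1. */
int buggy_misclassifies_file_reader(void)
{
    struct reader_union lf = { .u.fp = stdout };  /* stdout stands in for fopen() */
    return buggy_is_command(&lf);
}

/* The same file reader, once tagged, is classified correctly: returns 0. */
int tagged_classifies_file_reader(void)
{
    struct reader_tagged lf = { .kind = READER_FILE, .u.fp = stdout };
    return tagged_is_command(&lf);
}

/* A real command reader is still recognised with the tag: returns 1. */
int tagged_classifies_command_reader(void)
{
    struct reader_tagged lf = { .kind = READER_COMMAND, .u.command = "df -P" };
    return tagged_is_command(&lf);
}
```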


[ossec-list] Re: Large scale deployment

2012-09-25 Thread JB
I know there are deployments of more than 3000 agents on one OSSEC server. 
You need to keep an eye on the amount of network traffic though. 
Overloading can result in lost events. 
Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium Day 
2.

On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote:

 Dears,
 Does anyone know about large scale deployment? I want to 
 implement over 1 set. There is an issue with how to deploy client keys 
 and management.
 Could you share any experience?
 Many thanks.

 Br. JJ



[ossec-list] Re: Large scale deployment

2012-09-25 Thread Kat
with the new Hybrid feature, why would you want to deploy 1 to a 
single manager? As someone who has had 3000-4000 dedicated to single 
managers, I would strongly suggest a tiered approach. It just makes more 
sense. Yes, you would have to wait for 2.7 to finish the beta cycle, but to 
me, I would think this is the way to go.  

1 on a manager trying to maintain all the connections - just think of 
the load on the NIC(s) and the biggest problem being that the analysisd 
process is single threaded, so you are pumping all that data through one 
engine. 

I will say that yes, others are correct - management through a 
configuration system such as puppet or cfengine is the only way to go, and 
not trying to use the agent management directly within OSSEC.

Just my 2 cents
Kat

On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote:

 I know there are deployments of more than 3000 agents on one OSSEC server. 
 You need to keep an eye on the amount of network traffic though. 
 Overloading can result in lost events. 
 Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium 
 Day 2.

 On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote:

 Dears,
 Does anyone know about large scale deployment? I want to 
 implement over 1 set. There is an issue with how to deploy client keys 
 and management.
 Could you share any experience?
 Many thanks.

 Br. JJ