[ossec-list] Local decoder help
Hello: I am attempting to write a local decoder for Asterisk and cannot get the syntax correct. The log line appears as:

[Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from '' (NNN.NNN.NNN.NNN:9202) to extension 'N' rejected because extension not found in context 'XXX'.

and I have tried the following decoder:

<decoder name="local-asterisk-registration">
  <prematch>NOTICE[\d+] \S+: Call from \S+ \((\d+.\d+.\d+.\d+):\d+\) </prematch>
  <regex offset="after_prematch">to extension \S+ rejected because extension not found in context</regex>
  <order>srcip</order>
</decoder>

This never matches and I am wondering whether it is due to the '(' around the source IP? Any help appreciated.
Re: [ossec-list] Re: Problem with active response in 2.7
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org wrote:
> On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com wrote:
>> Hi, I had the same issue with Ossec 2.7 even with a server / agent fresh install, i confirm. Regards, Guilhem
>
> Weird, it's working fine in 2.7 for me.
>
> OSSEC HIDS agent_control. Available active responses:
> Response name: host-deny2400, command: host-deny.sh
> Response name: firewall-drop600, command: firewall-drop.sh
>
> and ossec.conf
>
> <active-response>
>   <!-- This response is going to execute the host-deny
>      - command for every event that fires a rule with
>      - level (severity) >= 6.
>      - The IP is going to be blocked for 600 seconds.
>   -->
>   <command>host-deny</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>2400</timeout>
> </active-response>
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>

Uhmm I have found another problem, well two problems:

a) I have defined another active response:

<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>

<active-response>
  <command>restart-ossec</command>
  <location>all</location>
  <rules_id>12</rules_id>
</active-response>

... and it doesn't appear:

[root@ossectst etc]# agent_control -L
OSSEC HIDS agent_control. Available active responses:
Response name: firewall-drop86400, command: firewall-drop.sh

b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3 system (using version 2.6 for server and agent works)

Please, any idea??
[ossec-list] log-format auditd
Hi ALL. After upgrading ossec to the 2.7 release I try to check auditd logs. Server side ossec.conf changes:

<localfile>
  <log_format>auditd</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>

# service ossec restart
Stopping OSSEC: [ OK ]
Starting OSSEC:
2012/12/11 12:48:35 ossec-config(1235): ERROR: Invalid value for element 'log_format': auditd.
2012/12/11 12:48:35 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2012/12/11 12:48:35 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

Does OSSEC really support the auditd log format? What's wrong?
[ossec-list] Re: can use 2.7 replace ossim 's ossec ?
Yes -- I did it. Works fine. Just install it normally and select Upgrade as it will find the previous version.

On Monday, December 10, 2012 9:13:07 PM UTC-8, peng lin wrote:
> Can 2.7 be used to replace OSSIM's ossec? Does everyone do it?
Re: [ossec-list] Monitoring command output check_diff is getting mixed up.
Hi Brenden,

In your initial rule, the match syntax was wrong:

<match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum'</match>

OSSEC was actually looking for the string sha1sum OR the command output name (the | in "| sha1sum" we treat as a separator). As for the key, we use the rule id as the storage key, so you would need a different rule for each one of those sites.

thanks,

-- Daniel B. Cid http://dcid.me

On Fri, Dec 7, 2012 at 2:47 PM, Brenden Walker bren...@unruleable.org wrote:
> On Fri, 7 Dec 2012 13:18:33 -0500 dan (ddp) ddp...@gmail.com wrote:
>> On Fri, Dec 7, 2012 at 12:47 PM, Brenden Walker bren...@unruleable.org wrote:
>>> On Fri, 7 Dec 2012 12:31:24 -0500 dan (ddp) ddp...@gmail.com wrote:
>>>> On Fri, Dec 7, 2012 at 12:22 PM, Brenden Walker bren...@unruleable.org wrote:
>>>>> I'm trying to monitor a few websites for changes. I followed some examples online, other than needing to change http:\\ to http/\\ in the match (that's how it appears in archives.log). Added to ossec.conf:
>>>>>
>>>>> <localfile>
>>>>>   <log_format>full_command</log_format>
>>>>>   <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
>>>>>   <frequency>7200</frequency>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>>   <log_format>full_command</log_format>
>>>>>   <command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
>>>>>   <frequency>7200</frequency>
>>>>> </localfile>
>>>>
>>>> Use aliases to better differentiate between these commands.
>>>
>>> Figures I was missing something simple. Any idea how ossec differentiates these?
>>> When I changed my config to a call to checksites.sh I got this:
>>>
>>> Received From: goonsquad->/opt/ossec/checksites.sh
>>> Rule: 150013 fired (level 10) -> "Website change detected"
>>> Portion of the log(s):
>>>
>>> ossec: output: '/opt/ossec/checksites.sh':
>>> www.poxodd.com 9506ac8e36f9727c2567d7ee90d117cb557b24d9 -
>>> www.unruleable.org/blog/ 81ddc99e3c2ee60518a3b219f561117185284bf0 -
>>> www.diablops.com 83626f4b502af0e55329cc6634078b6bf7ca2443 -
>>> gta.diablps.com 68e498cf5f10bef32d8fc0a0b4e9ffbc79832861 -
>>> Previous output:
>>> ossec: output: 'wget -o /dev/null -O - http\//gta.diablops.com | sha1sum': 58aaa26e0e263ced83260b07abba280b84d3df39 -
>>>
>>> Which leads me to believe that an alias is required for command output entries, otherwise they'd all get muddled up?? I'm fighting a horrible headache at the moment, so I'm probably missing something simple here.
>>
>> Originally you had 3 commands, all of them the same except for a small bit. Since the differences were deep enough into the command the output was getting mixed up. So did adding an alias to each of those commands help?
>>
>> When the commands aren't basically the same they don't get mixed up. I personally think aliases make things easier, so I always use them.
>
> I changed the discrete command checks into a single call to a shell script. AND aliased it (I agree, good idea there). I figured that it would be better this way as I can simply add a site to the check script (sure it'll give me an initial alert when I change, but that's good). What I find weird is that it compared the previous output from this no longer existing localfile section:
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
>   <frequency>7200</frequency>
> </localfile>
>
> With this new and completely unrelated localfile section:
>
> <localfile>
>   <alias>web_modifications</alias>
>   <log_format>full_command</log_format>
>   <command>/opt/ossec/checksites.sh</command>
>   <frequency>7200</frequency>
> </localfile>
>
> I removed the per site localfile sections.
> What I can't figure out is what ossec is using as a key to previous command output? It's certainly using nothing in the command section as these two have nothing in common there. Which is why I suspect that alias is really required, or this is a simple bug.
Re: [ossec-list] Local decoder help
You missed something: after 'NOTICE[23927]' there is '[C-013] chan_sip.c:' which is not in your prematch.

In my Guide to gooder grammer, I had a rule: Proofread your writing to see if you any words out.

On Dec 11, 2012, at 12:12 AM, Phil Daws wrote:
> Hello: I am attempting to write a local decoder for Asterisk and cannot get the syntax correct. The log line appears as:
>
> [Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from '' (NNN.NNN.NNN.NNN:9202) to extension 'N' rejected because extension not found in context 'XXX'.
>
> and I have tried the following decoder:
>
> <decoder name="local-asterisk-registration">
>   <prematch>NOTICE[\d+] \S+: Call from \S+ \((\d+.\d+.\d+.\d+):\d+\) </prematch>
>   <regex offset="after_prematch">to extension \S+ rejected because extension not found in context</regex>
>   <order>srcip</order>
> </decoder>
>
> This never matches and I am wondering whether it is due to the '(' around the source IP? Any help appreciated.
Re: [ossec-list] Monitoring command output check_diff is getting mixed up.
On Tue, 11 Dec 2012 10:39:19 -0400 Daniel Cid daniel@gmail.com wrote:
> Hi Brenden,
>
> In your initial rule, the match syntax was wrong:
>
> <match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum'</match>
>
> OSSEC was actually looking for the string sha1sum OR the command output name (the | in "| sha1sum" we treat as a separator).

Ah, I see...

> As for the key, we use the rule id as the storage key, so you would need a different rule for each one of those sites.

Thanks, I believe I based my work off an article you wrote. One thing for sure, http:// is not right as it ends up logging as http\//

Thanks for the details, I think I'm in business now.. aliases really help with this as it makes the match simpler I think.
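Two points from this thread shape how a consolidated site-check command should be written: OSSEC's check_diff stores the previous output under the rule id, so one aliased command with one rule is the simplest arrangement, and the command's own output is what gets compared, so it should be one stable line per site. The script below is an added example written for this page; it is not Brenden's /opt/ossec/checksites.sh and not OSSEC code. It assumes Python's urllib in place of wget, the site list is constructed, and the fetcher is injectable so the behaviour can be exercised without network access. The one design choice beyond the thread is that a fetch failure is reported as its own token instead of being hashed, so an outage does not look like a content change that later flips back.

```python
import hashlib
import urllib.error
import urllib.request

# Constructed watch list (example values, not the poster's sites).
SITES = [
    "http://www.example.com/",
    "http://www.example.org/blog/",
]


def fetch(url, timeout=20):
    """Return the response body as bytes; raises URLError/OSError on failure."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def site_digest(url, fetcher=fetch):
    """One output line per site: '<url> <sha1>' or '<url> FETCH_FAILED'.

    The failure token is deliberately not a hash: a transient outage then
    shows up as a distinct, readable line in the check_diff alert instead of
    masquerading as new page content.
    """
    try:
        body = fetcher(url)
    except (urllib.error.URLError, OSError, ValueError):
        return f"{url} FETCH_FAILED"
    return f"{url} {hashlib.sha1(body).hexdigest()}"


def report(sites=SITES, fetcher=fetch):
    """Whole command output, sorted so list order never counts as a change."""
    return "\n".join(site_digest(u, fetcher) for u in sorted(sites))


if __name__ == "__main__":
    # This is the text OSSEC stores and diffs for the aliased command.
    print(report())
```

Wired in the way the thread ends up, the script is the `<command>` of a single `<localfile>` with `<log_format>full_command</log_format>` and an `<alias>` (web_modifications in the thread), and the rule that carries `<check_diff />` matches on `ossec: output: 'web_modifications'` rather than on the command text, which avoids the `|`-as-OR problem Daniel describes. Adding a site changes the output once and raises one alert, which the thread accepts as expected.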
[ossec-list] Re: ossec-agent: INFO: Event count after '20000'
Hi, did anyone solve this issue in a managed environment? Y.

On Monday, 3 December 2012 09:30:53 UTC+1, YatZeck wrote:
> Hi OSSec guys! I've read a little about people's problems with Event count after '2', but I think none found a solution. My problem is the ossec agent is filling network bandwidth to its limit. What kind of troubleshooting can I do? Regards, Y.
Re: [ossec-list] Re: SSH authentication failures not resulting in active responses by firewall blocking
On Sun, Dec 9, 2012 at 11:10 AM, Guilmxm guilhem.march...@gmail.com wrote:
> Ok, the error in log:
>
> 2012/12/09 12:47:44 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop14400' provided.
>
> Came from the fact i wanted to increase the default 600 seconds banish time to 14400 (4 hours), there came the new error. Still i don't have active response for this rule matched...
>
> Example i've tested today (before time modification for banish time):
>
> Active response traces:
>
> Sun Dec 9 12:47:44 CET 2012 /var/ossec/active-response/bin/host-deny.sh add - 37.160.44.146 1355053664.338773 31151
> Sun Dec 9 12:58:14 CET 2012 /var/ossec/active-response/bin/host-deny.sh delete - 37.160.44.146 1355053664.338773 31151
>
> And relevant log in server:
>
> ** Alert 1355053664.338773: mail - web,accesslog,web_scan,recon,
> 2012 Dec 09 12:47:44 (XX) XXX.XXX.XXX.XXX->/var/log/nginx/index.access.log
> Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
> Src IP: 37.160.44.146
> 37.160.44.146 - - [09/Dec/2012:12:47:42 +0100] "GET /index.asp HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:41 +0100] "GET /index.pl HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:40 +0100] "GET /index.cgi HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:39 +0100] "GET /index.cfm HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:38 +0100] "GET /index.shtml HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:37 +0100] "GET /index.htm HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
>
> So active response works fine but not the SSH connection attempt...
>
> Regards, Guilhem

Please provide your active response configuration.
>> On Sunday, 9 December 2012 13:19:58 UTC+1, Guilmxm wrote:
>>> Hi, my SSH server has been attacked for a few days; ossec detects it but does not initiate an active response resulting in blocking the remote host. Therefore, any other types of attacks result in ossec active responses; for example, if i try to attack myself from an external connection, ssh authentication failures result in an ossec active response (authentication failures). Could anyone explain to me why? If i'm not wrong the host does not supply any password; is that the reason why there is active response?
>>>
>>> Here is the alert log generated by ossec in relation to this connection attempt:
>>>
>>> ** Alert 1355053924.344329: mail - syslog,access_control,authentication_failed,
>>> 2012 Dec 09 12:52:04 (X) XXX.XXX.XXX.XXX->/var/log/auth.log
>>> Rule: 2502 (level 10) -> 'User missed the password more than one time'
>>> Dec 9 12:52:03 XXX sshd[4676]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=174-143-56-97.static.cloud-ips.com user=root
>>>
>>> The same host is detected with another rule because it's trying to connect using a non-existing or non-authorized user:
>>>
>>> ** Alert 1355053924.343978: - syslog,sshd,invalid_login,authentication_failed,
>>> 2012 Dec 09 12:52:04 (X) XXX.XXX.XXX.XXX->/var/log/auth.log
>>> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
>>> Src IP: 174.143.56.97
>>> Dec 9 12:52:03 XXX sshd[4676]: Failed password for invalid user root from 174.143.56.97 port 53770 ssh2
>>>
>>> Thanks! Regards, Guilhem
Re: [ossec-list] Local decoder help
On Tue, Dec 11, 2012 at 1:12 AM, Phil Daws ux...@splatnix.net wrote:
> Hello: I am attempting to write a local decoder for Asterisk and cannot get the syntax correct. The log line appears as:
>
> [Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from '' (NNN.NNN.NNN.NNN:9202) to extension 'N' rejected because extension not found in context 'XXX'.
>
> and I have tried the following decoder:
>
> <decoder name="local-asterisk-registration">
>   <prematch>NOTICE[\d+] \S+: Call from \S+ \((\d+.\d+.\d+.\d+):\d+\) </prematch>
>   <regex offset="after_prematch">to extension \S+ rejected because extension not found in context</regex>
>   <order>srcip</order>
> </decoder>
>
> This never matches and I am wondering whether it is due to the '(' around the source IP? Any help appreciated.

<decoder name="stuff">
  <prematch>^[\S+ \d\d \d\d:\d\d:\d\d] NOTICE[\d+][\S+] chan_sip.c: </prematch>
  <regex offset="after_prematch">^Call from '' \((\S+):(\d+)\) to extension '(\S+)' </regex>
  <order>srcip, srcport, extra_data</order>
</decoder>
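To see concretely why the first prematch never fires and the corrected one does, here is an added example (written for this page; not Dan's code and not part of OSSEC): a small Python simulator that translates OSSEC's regex dialect (\d, \S, \w, \s, \., \(, \), literal [ ] { }, and . as any character) into a Python regex, applies the prematch, and then applies the regex from offset="after_prematch". It approximates OSSEC's matcher with Python's backtracking engine; the authoritative check is ossec-logtest on the server. The sample line is constructed: 192.0.2.10, extension 100 and context 'default' stand in for the masked values in the post.

```python
import re

# OSSEC character classes and their Python equivalents (\w and \p are approximations).
OSSEC_CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9@_-]",
    "s": " ",
    "S": "[^ ]",
    "t": "\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \d \w \s \S \t \p are classes; any other escaped char (\. \( \) \|) is a literal
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "()+*|^$.":
            out.append(c)             # same meaning in both dialects
        else:
            out.append(re.escape(c))  # [ ] { } ? and everything else are literal in OSSEC
        i += 1
    return "".join(out)


def run_decoder(line, prematch, regex, order):
    """Apply prematch, then regex at offset="after_prematch"; return the decoded fields or None."""
    pm = re.compile(ossec_to_python(prematch)).search(line)
    if pm is None:
        return None                   # prematch failed: the regex is never tried
    rest = line[pm.end():]            # offset="after_prematch"
    rm = re.compile(ossec_to_python(regex)).search(rest)
    if rm is None:
        return None
    return dict(zip(order, rm.groups()))


# Constructed sample line (values replace the NNN/N/XXX placeholders in the post).
SAMPLE_LINE = (
    "[Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from '' "
    "(192.0.2.10:9202) to extension '100' rejected because extension not found "
    "in context 'default'."
)

# The poster's decoder: after NOTICE[23927] the line continues '[C-0013] chan_sip.c:', not a space.
ORIGINAL_PREMATCH = r"NOTICE[\d+] \S+: Call from \S+ \((\d+.\d+.\d+.\d+):\d+\) "
ORIGINAL_REGEX = r"to extension \S+ rejected because extension not found in context"
ORIGINAL_ORDER = ["srcip"]

# The corrected decoder from the reply: timestamp, call-id and source file are consumed by the prematch.
FIXED_PREMATCH = r"^[\S+ \d\d \d\d:\d\d:\d\d] NOTICE[\d+][\S+] chan_sip.c: "
FIXED_REGEX = r"^Call from '' \((\S+):(\d+)\) to extension '(\S+)' "
FIXED_ORDER = ["srcip", "srcport", "extra_data"]


if __name__ == "__main__":
    print("original:", run_decoder(SAMPLE_LINE, ORIGINAL_PREMATCH, ORIGINAL_REGEX, ORIGINAL_ORDER))
    print("fixed:   ", run_decoder(SAMPLE_LINE, FIXED_PREMATCH, FIXED_REGEX, FIXED_ORDER))
```

Running it prints None for the original decoder and a dict with srcip, srcport and extra_data for the corrected one, which is exactly what the reply points at: the '(' around the IP was never the problem, the unmatched '[C-0013] chan_sip.c:' in the prematch was. Because the prematch is evaluated first, a decoder whose prematch fails produces no decoded fields at all, so srcip never reaches the rules or active response.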
Re: [ossec-list] Help to eliminate false positive
On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
> I'm having trouble making a rule to eliminate this false positive, rule 1002 is kicking in:
>
> sendmail[24167]: qBAHj1gY023631: to=<fatal-err...@example.com>, delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705, relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as 4D47E343E84D)
>
> This e-mail was successful, even though it is sent to a mailbox for errors.

<rule id="100103" level="1">
  <if_sid>1002</if_sid>
  <match>fatal-err...@example.com</match>
  <description>Not an error</description>
</rule>
Re: [ossec-list] Notifications of the System audit events.
On Mon, Dec 10, 2012 at 10:12 AM, orfan a.ula...@gmail.com wrote:
> I have ossec-hids-server-2.6_2.
>
> <rule id="509" level="0">
>   <category>ossec</category>
>   <decoded_as>rootcheck</decoded_as>
>   <description>Rootcheck event.</description>
>   <group>rootcheck,</group>
> </rule>
>
> Decoded as rootcheck, but i can't find a rootcheck decoder in decoder.xml. Is it normal?

I believe that decoder is actually coded inside of rootcheck for speed reasons.
Re: [ossec-list] log-format auditd
On Tue, Dec 11, 2012 at 6:20 AM, Roman K mf.f...@gmail.com wrote:
> Hi ALL. After upgrading ossec to the 2.7 release I try to check auditd logs. Server side ossec.conf changes:
>
> <localfile>
>   <log_format>auditd</log_format>
>   <location>/var/log/audit/audit.log</location>
> </localfile>
>
> # service ossec restart
> Stopping OSSEC: [ OK ]
> Starting OSSEC:
> 2012/12/11 12:48:35 ossec-config(1235): ERROR: Invalid value for element 'log_format': auditd.
> 2012/12/11 12:48:35 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> 2012/12/11 12:48:35 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>
> Does OSSEC really support the auditd log format? What's wrong?

Sorry, I thought I had removed all references to that after the commit was reverted. Use syslog, the auditd stuff didn't work.
Re: [ossec-list] Help to eliminate false positive
On Tue, Dec 11, 2012 at 5:03 PM, Scott Nelson wa6...@gmail.com wrote:
> On Dec 11, 2012, at 3:55 PM, dan (ddp) wrote:
>> On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
>>> I'm having trouble making a rule to eliminate this false positive, rule 1002 is kicking in:
>>>
>>> sendmail[24167]: qBAHj1gY023631: to=<fatal-err...@example.com>, delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705, relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as 4D47E343E84D)
>>>
>>> This e-mail was successful, even though it is sent to a mailbox for errors.
>>
>> <rule id="100103" level="1">
>>   <if_sid>1002</if_sid>
>>   <match>fatal-err...@example.com</match>
>>   <description>Not an error</description>
>> </rule>
>
> I would have tried that, but doesn't that mean I'd have to add in additional rules to catch failed messages?

Only if they contain that email address. Change the match to:

<match>Ok: queued as </match>

And you won't 1002 on any messages that are supposed to be queued. You could match on the fatal-errors@blahblah as above, but set the level higher. Then create a child rule matching the Ok: queued bit.
Re: [ossec-list] Help to eliminate false positive
On Dec 11, 2012, at 4:16 PM, dan (ddp) wrote:
> You could match on the fatal-errors@blahblah as above, but set the level higher. Then create a child rule matching the Ok: queued bit.

Sure. Thanks a lot for your help, Dan.

Scott
[ossec-list] Re: can use 2.7 replace ossim 's ossec ?
I have tried updating ossec in the current copy (2.7) and giving it (www-data) the right permissions, as in the original. But when I update, I can't see any logs in the SIEM dashboard.

On Tuesday, December 11, 2012 10:48:14 PM UTC+8, Kat wrote:
> Yes -- I did it. Works fine. Just install it normally and select Upgrade as it will find the previous version.
>
> On Monday, December 10, 2012 9:13:07 PM UTC-8, peng lin wrote:
>> Can 2.7 be used to replace OSSIM's ossec? Does everyone do it?
Re: [ossec-list] Re: Problem with active response in 2.7
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com wrote:
> On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org wrote:
>> On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com wrote:
>>> Hi, I had the same issue with Ossec 2.7 even with a server / agent fresh install, i confirm. Regards, Guilhem
>>
>> Weird, it's working fine in 2.7 for me.
>>
>> OSSEC HIDS agent_control. Available active responses:
>> Response name: host-deny2400, command: host-deny.sh
>> Response name: firewall-drop600, command: firewall-drop.sh
>>
>> and ossec.conf
>>
>> <active-response>
>>   <!-- This response is going to execute the host-deny
>>      - command for every event that fires a rule with
>>      - level (severity) >= 6.
>>      - The IP is going to be blocked for 600 seconds.
>>   -->
>>   <command>host-deny</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>2400</timeout>
>> </active-response>
>>
>> <active-response>
>>   <!-- Firewall Drop response. Block the IP for
>>      - 600 seconds on the firewall (iptables,
>>      - ipfilter, etc).
>>   -->
>>   <command>firewall-drop</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>
>
> Uhmm I have found another problem, well two problems:
>
> a) I have defined another active response:
>
> <command>
>   <name>restart-ossec</name>
>   <executable>restart-ossec.sh</executable>
>   <expect></expect>
> </command>
>
> <active-response>
>   <command>restart-ossec</command>
>   <location>all</location>
>   <rules_id>12</rules_id>
> </active-response>
>
> ... and it doesn't appear:
>
> [root@ossectst etc]# agent_control -L
> OSSEC HIDS agent_control. Available active responses:
> Response name: firewall-drop86400, command: firewall-drop.sh
>
> b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3 system (using version 2.6 for server and agent works)
>
> Please, any idea??

Any idea please?? This problem is really strange
Re: [ossec-list] Re: Problem with active response in 2.7
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
> On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com wrote:
>> On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org wrote:
>>> On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com wrote:
>>>> Hi, I had the same issue with Ossec 2.7 even with a server / agent fresh install, i confirm. Regards, Guilhem
>>>
>>> Weird, it's working fine in 2.7 for me.
>>>
>>> OSSEC HIDS agent_control. Available active responses:
>>> Response name: host-deny2400, command: host-deny.sh
>>> Response name: firewall-drop600, command: firewall-drop.sh
>>>
>>> and ossec.conf
>>>
>>> <active-response>
>>>   <!-- This response is going to execute the host-deny
>>>      - command for every event that fires a rule with
>>>      - level (severity) >= 6.
>>>      - The IP is going to be blocked for 600 seconds.
>>>   -->
>>>   <command>host-deny</command>
>>>   <location>local</location>
>>>   <level>6</level>
>>>   <timeout>2400</timeout>
>>> </active-response>
>>>
>>> <active-response>
>>>   <!-- Firewall Drop response. Block the IP for
>>>      - 600 seconds on the firewall (iptables,
>>>      - ipfilter, etc).
>>>   -->
>>>   <command>firewall-drop</command>
>>>   <location>local</location>
>>>   <level>6</level>
>>>   <timeout>600</timeout>
>>> </active-response>
>>
>> Uhmm I have found another problem, well two problems:
>>
>> a) I have defined another active response:
>>
>> <command>
>>   <name>restart-ossec</name>
>>   <executable>restart-ossec.sh</executable>
>>   <expect></expect>
>> </command>
>>
>> <active-response>
>>   <command>restart-ossec</command>
>>   <location>all</location>
>>   <rules_id>12</rules_id>
>> </active-response>
>>
>> ... and it doesn't appear:
>>
>> [root@ossectst etc]# agent_control -L
>> OSSEC HIDS agent_control. Available active responses:
>> Response name: firewall-drop86400, command: firewall-drop.sh
>>
>> b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3 system (using version 2.6 for server and agent works)
>>
>> Please, any idea??
>
> Any idea please?? This problem is really strange

Run it manually, how does it fail? Please give us enough info to help, I'm not installing FreeBSD.
[ossec-list] Immutable rotated logs - chattr + CAP_LINUX_IMMUTABLE removing
Hello, is there any chance to configure OSSEC to make every log only appendable? E.g. automatically set chattr -a for active logs and chattr -i for archives? Because then, if I remove the CAP_LINUX_IMMUTABLE right for root (until reboot), maybe I could cover more items in PCI scope. Thanks for any advice/suggestions. Vasek