Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-02-26 Thread Андрей Шевченко
It looks like this feature was not included in ossec-hids/src/win32/. I have not found any changes in the win32 sources.

Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
>
> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко 
> > 
> wrote: 
> > I tried to add a bad option and I see that it is not being picked up... 
> > Like in my example, I don't see anything related to options in the specific 
> > agent profile. 
> > 
>
> You could check the code repository to see if the commits enabling 
> this functionality for unixy systems also enabled it for Windows. 
>
> > Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко  
> >> wrote: 
> >> > osssec.conf(agent test_PC): 
> >> > 
> >> >>  
> >> >> 
> >> >> 
> >> >>  
> >> >> 
> >> >> test1 
> >> >> 
> >> >>  1.1.1.1 
> >> >> 
> >> >>  
> >> >> 
> >> >> 
> >> >>  
> >> >> 
> >> >> no 
> >> >> 
> >> >>  
> >> >> 
> >> >> 
> >> >>  
> >> > 
> >> > 
> >> > 
> >> > agent.conf(server): 
> >> > 
> >> >>  
> >> >> 
> >> >>  
> >> >> 
> >> >> D:/ 
> >> >> 
> >> >>  
> >> >> 
> >> >>  
> >> >> 
> >> >> 
> >> >>  
> >> >> 
> >> >>  
> >> >> 
> >> >>   F:/ 
> >> >> 
> >> >>  
> >> >> 
> >> >>  
> >> >> 
> >> >> 
> >> >>  
> >> >> 
> >> >>  
> >> >> 
> >> >>   C:/ 
> >> >> 
> >> >>  
> >> >> 
> >> >>  
> >> > 
> >> > 
> >> > ossec.log(agent): 
> >> > 
> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'. 
> >> >> 
> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'. 
> >> > 
> >> > 
> >> > Disk F is not monitored. 
> >> > 
> >> > Equal configuration for agent under FreeBSD works fine. 
> >> > 
> >> > -- 
> >> > 
> >> 
> >> You could add a bad option under that profile to see if it's being 
> >> picked up, like monitoring a syslog file that doesn't actually exist. 
> >> 
> >> Other than that, I'd try something like: 
> >> 
> >>  
> >>  
> >>   F:\.  
> >>  
> >>  
> >> 
> >> I can't test this at the moment, so I don't know for sure that it will 
> >> work. 
> >> 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an 
> >> > email to ossec-list+...@googlegroups.com. 
> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> >> > 
> >> > 
> > 
>





Re: [ossec-list] After upgrade to 2.7, ossec-remoted not started by "ossec-control start"

2013-02-26 Thread dan (ddp)
On Tue, Feb 26, 2013 at 4:20 PM, Michael Namaiandeh
 wrote:
> Unsubscribe. I have already sent an email to 
> ossec-list+unsubscr...@googlegroups.com and I'm still on the mailing list.
>

Have you tried going to the ossec google groups page and unsubscribing?

>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
> Behalf Of p...@biciunas.com
> Sent: Tuesday, February 26, 2013 3:59 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] After upgrade to 2.7, ossec-remoted not started by 
> "ossec-control start"
>
> I agree. So the question remains, why doesn't it? The script is unchanged - 
> ossec-remoted (and the others) are listed as they were in 2.6.
>
> - Original Message -
>> It doesn't even look like it attempted to start ossec-remoted. grep
>> ossec-remoted /var/ossec/bin/ossec-control
>





Re: [ossec-list] After upgrade to 2.7, ossec-remoted not started by "ossec-control start"

2013-02-26 Thread dan (ddp)
On Tue, Feb 26, 2013 at 3:58 PM, p...@biciunas.com
 wrote:
> I agree. So the question remains, why doesn't it? The script is unchanged - 
> ossec-remoted (and the others) are listed as they were in 2.6.
>

Walk through the script, see what happens. Does it try to start the daemon?

> - Original Message -
>> It doesn't even look like it attempted to start ossec-remoted. grep
>> ossec-remoted /var/ossec/bin/ossec-control
>





RE: [ossec-list] After upgrade to 2.7, ossec-remoted not started by "ossec-control start"

2013-02-26 Thread Michael Namaiandeh
Unsubscribe. I have already sent an email to 
ossec-list+unsubscr...@googlegroups.com and I'm still on the mailing list.


-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of p...@biciunas.com
Sent: Tuesday, February 26, 2013 3:59 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] After upgrade to 2.7, ossec-remoted not started by 
"ossec-control start"

I agree. So the question remains, why doesn't it? The script is unchanged - 
ossec-remoted (and the others) are listed as they were in 2.6.

- Original Message -
> It doesn't even look like it attempted to start ossec-remoted. grep 
> ossec-remoted /var/ossec/bin/ossec-control





Re: [ossec-list] After upgrade to 2.7, ossec-remoted not started by "ossec-control start"

2013-02-26 Thread p...@biciunas.com
I agree. So the question remains, why doesn't it? The script is unchanged - 
ossec-remoted (and the others) are listed as they were in 2.6.

- Original Message -
> It doesn't even look like it attempted to start ossec-remoted. grep
> ossec-remoted /var/ossec/bin/ossec-control





RE: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to generate an alert never generates the alert

2013-02-26 Thread Nathaniel Bentzinger


> -Original Message-
> From: Nathaniel Bentzinger
> Sent: Tuesday, February 26, 2013 4:02 PM
> To: ossec-list@googlegroups.com
> Subject: RE: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to
> generate an alert never generates the alert
> 
> 
> 
> > -Original Message-
> > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> > On Behalf Of dan (ddp)
> > Sent: Tuesday, February 26, 2013 3:29 PM
> > To: ossec-list@googlegroups.com
> > Subject: Re: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event
> > to generate an alert never generates the alert
> >
> > On Tue, Feb 26, 2013 at 12:43 PM, Nathaniel Bentzinger
> >  wrote:
> > > I've written a powershell script to install windows updates and
> > > report back status to the Application Event log so OSSEC can scrap
> > > them up and generate alerts however I'm not getting the email generated.
> > >
> > >
> > >
> > > My rule:
> > >
> > >
> > >
> > > 
> > >
> > >   
> > >
> > >   1
> > >
> > >   WindowsUpdateScript
> > >
> > >   Windows Update Script
> > >
> > >   
> > >
> > > 
> > >
> > >
> > >
> > > LogAll is enabled on my ossec.conf & the email alert level is 8.
> > >
> > >
> > >
> > > The logging results in the archives.log:
> > >
> > >
> > >
> > > # tail -f archives/archives.log | grep WindowsUpdate
> > >
> > > 2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog:
> > > Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain:
> > > TESTWIN2008.archergroup.local: Starting Automated Windows Update
> > > Installation: 2/26/2013 12:35:29 PM
> > >
> > >
> > >
> > >
> > >
> > > Ossec-Logtest output:
> > >
> > >
> > >
> > > [root@secserv bin]# ./ossec-logtest -f
> > >
> > > 2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
> > >
> > > 2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
> > >
> > > ossec-testrule: Type one log per line.
> > >
> > >
> > >
> > > Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain:
> > > TESTWIN2008.archergroup.local: Automated Windows Update Installation:
> > > Completed: 2/26/2013 12:28:44 PM Windows Update Results:  Security
> > > Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable
> > > Package
> > > (KB2565063)
> > >
> > >
> > >
> > >
> > >
> > > **Phase 1: Completed pre-decoding.
> > >
> > >   full event: ' Application: INFORMATION(105):
> > > WindowsUpdateScript: (no
> > > user): no domain: TESTWIN2008.archergroup.local: Automated Windows
> > > Update
> > > Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> > > Security Update for Microsoft Visual C++ 2010 Service Pack 1
> > > Redistributable Package (KB2565063)'
> > >
> > >hostname: 'secserv'
> > >
> > >program_name: '(null)'
> > >
> > >log: ' Application: INFORMATION(105): WindowsUpdateScript: (no 
> > > user):
> > > no domain: TESTWIN2008.archergroup.local: Automated Windows Update
> > > Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> > > Security Update for Microsoft Visual C++ 2010 Service Pack 1
> > > Redistributable Package (KB2565063)'
> > >
> > >
> > >
> > > **Phase 2: Completed decoding.
> > >
> > >No decoder matched.
> > >
> > >
> > >
> > > **Rule debugging:
> > >
> > > Trying rule: 1 - Generic template for all syslog rules.
> > >
> > >*Rule 1 matched.
> > >
> > >*Trying child rules.
> > >
> > > Trying rule: 5500 - Grouping of the pam_unix rules.
> > >
> > > Trying rule: 5700 - SSHD messages grouped.
> > >
> > > Trying rule: 5600 - Grouping for the telnetd rules
> > >
> > > Trying rule: 2100 - NFS rules grouped.
> > >
> > > Trying rule: 2507 - OpenLDAP group.
> > >
> > > Trying rule: 2550 - rshd messages grouped.
> > >
> > > Trying rule: 2701 - Ignoring procmail messages.
> > >
> > > Trying rule: 2800 - Pre-match rule for smartd.
> > >
> > > Trying rule: 5100 - Pre-match rule for kernel messages
> > >
> > > Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> > >
> > > Trying rule: 2830 - Crontab rule group.
> > >
> > > Trying rule: 5300 - Initial grouping for su messages.
> > >
> > > Trying rule: 5400 - Initial group for sudo messages
> > >
> > > Trying rule: 9100 - PPTPD messages grouped
> > >
> > > Trying rule: 9200 - Squid syslog messages grouped
> > >
> > > Trying rule: 2900 - Dpkg (Debian Package) log.
> > >
> > > Trying rule: 2930 - Yum logs.
> > >
> > > Trying rule: 2931 - Yum logs.
> > >
> > > Trying rule: 7200 - Grouping of the arpwatch rules.
> > >
> > > Trying rule: 7300 - Grouping of Symantec AV rules.
> > >
> > > Trying rule: 7400 - Grouping of Symantec Web Security rules.
> > >
> > > Trying rule: 4300 - Grouping of PIX rules
> > >
> > > Trying rule: 12100 - Grouping of the named rules
> > >
> > > Trying rule: 13100 - Grouping for the smbd rules.
> > >
> > > Trying rule: 13106 - (null)
> > >

RE: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to generate an alert never generates the alert

2013-02-26 Thread Nathaniel Bentzinger


> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of dan (ddp)
> Sent: Tuesday, February 26, 2013 3:29 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to
> generate an alert never generates the alert
> 
> On Tue, Feb 26, 2013 at 12:43 PM, Nathaniel Bentzinger  group.com> wrote:
> > I've written a powershell script to install windows updates and report
> > back status to the Application Event log so OSSEC can scrap them up
> > and generate alerts however I'm not getting the email generated.
> >
> >
> >
> > My rule:
> >
> >
> >
> > 
> >
> >   
> >
> >   1
> >
> >   WindowsUpdateScript
> >
> >   Windows Update Script
> >
> >   
> >
> > 
> >
> >
> >
> > LogAll is enabled on my ossec.conf & the email alert level is 8.
> >
> >
> >
> > The logging results in the archives.log:
> >
> >
> >
> > # tail -f archives/archives.log | grep WindowsUpdate
> >
> > 2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog:
> > Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain:
> > TESTWIN2008.archergroup.local: Starting Automated Windows Update
> > Installation: 2/26/2013 12:35:29 PM
> >
> >
> >
> >
> >
> > Ossec-Logtest output:
> >
> >
> >
> > [root@secserv bin]# ./ossec-logtest -f
> >
> > 2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
> >
> > 2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
> >
> > ossec-testrule: Type one log per line.
> >
> >
> >
> > Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain:
> > TESTWIN2008.archergroup.local: Automated Windows Update Installation:
> > Completed: 2/26/2013 12:28:44 PM Windows Update Results:  Security
> > Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable
> > Package
> > (KB2565063)
> >
> >
> >
> >
> >
> > **Phase 1: Completed pre-decoding.
> >
> >   full event: ' Application: INFORMATION(105):
> > WindowsUpdateScript: (no
> > user): no domain: TESTWIN2008.archergroup.local: Automated Windows
> > Update
> > Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> > Security Update for Microsoft Visual C++ 2010 Service Pack 1
> > Redistributable Package (KB2565063)'
> >
> >hostname: 'secserv'
> >
> >program_name: '(null)'
> >
> >log: ' Application: INFORMATION(105): WindowsUpdateScript: (no user):
> > no domain: TESTWIN2008.archergroup.local: Automated Windows Update
> > Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> > Security Update for Microsoft Visual C++ 2010 Service Pack 1
> > Redistributable Package (KB2565063)'
> >
> >
> >
> > **Phase 2: Completed decoding.
> >
> >No decoder matched.
> >
> >
> >
> > **Rule debugging:
> >
> > Trying rule: 1 - Generic template for all syslog rules.
> >
> >*Rule 1 matched.
> >
> >*Trying child rules.
> >
> > Trying rule: 5500 - Grouping of the pam_unix rules.
> >
> > Trying rule: 5700 - SSHD messages grouped.
> >
> > Trying rule: 5600 - Grouping for the telnetd rules
> >
> > Trying rule: 2100 - NFS rules grouped.
> >
> > Trying rule: 2507 - OpenLDAP group.
> >
> > Trying rule: 2550 - rshd messages grouped.
> >
> > Trying rule: 2701 - Ignoring procmail messages.
> >
> > Trying rule: 2800 - Pre-match rule for smartd.
> >
> > Trying rule: 5100 - Pre-match rule for kernel messages
> >
> > Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> >
> > Trying rule: 2830 - Crontab rule group.
> >
> > Trying rule: 5300 - Initial grouping for su messages.
> >
> > Trying rule: 5400 - Initial group for sudo messages
> >
> > Trying rule: 9100 - PPTPD messages grouped
> >
> > Trying rule: 9200 - Squid syslog messages grouped
> >
> > Trying rule: 2900 - Dpkg (Debian Package) log.
> >
> > Trying rule: 2930 - Yum logs.
> >
> > Trying rule: 2931 - Yum logs.
> >
> > Trying rule: 7200 - Grouping of the arpwatch rules.
> >
> > Trying rule: 7300 - Grouping of Symantec AV rules.
> >
> > Trying rule: 7400 - Grouping of Symantec Web Security rules.
> >
> > Trying rule: 4300 - Grouping of PIX rules
> >
> > Trying rule: 12100 - Grouping of the named rules
> >
> > Trying rule: 13100 - Grouping for the smbd rules.
> >
> > Trying rule: 13106 - (null)
> >
> > Trying rule: 11400 - Grouping for the vsftpd rules.
> >
> > Trying rule: 11300 - Grouping for the pure-ftpd rules.
> >
> > Trying rule: 11200 - Grouping for the proftpd rules.
> >
> > Trying rule: 11500 - Grouping for the Microsoft ftp rules.
> >
> > Trying rule: 11100 - Grouping for the ftpd rules.
> >
> > Trying rule: 9300 - Grouping for the Horde imp rules.
> >
> > Trying rule: 9400 - Roundcube messages groupe.d
> >
> > Trying rule: 9500 - Wordpress messages grouped.
> >
> > Trying rule: 9600 - cimserver messages grouped.
> >
> > Trying rule

Re: [ossec-list] After upgrading to 2.7, one agent does not finish server handshake

2013-02-26 Thread p...@biciunas.com
There is nothing in any log on the server that sheds any light.
Using a hand-grenade approach, I deleted the agent on the server and added a 
new agent ID, deleted and reinstalled the agent on the Windows box, restarted 
and rebooted everything I could get my hands on.
The agent successfully contacted the server.

- Original Message -
> There really should be log messages on the server explaining the
> problem. Make sure the IP the server sees from the agent matches the
> IP in the client.keys file for that agent. Make sure the IP is unique
> in the client.keys file. Delete the agent and re-add it if necessary.





[ossec-list] Re: Cannot get agentless script ssh_asa-fwsmconfig_diff to connect to ASA

2013-02-26 Thread csprague . cissp
Actually the hashes are me obscuring my password for this post.  Where you 
see hashes is the script displaying my password in plain text.  I have 
agentless working for my Cisco switches and routers and a successful test 
of the ssh_pixconfig_diff script grabs the password for the device from the 
var/ossec/agentless/.passlist file, logs into the device, runs the script 
then logs out of the device without requiring me to enter in a password 
(because again, the script grabs the pwd for the device from the .passlist 
file).  So I'm assuming, perhaps unwisely, that when the 
ssh_asa-fwsmconfig_diff script runs correctly, it also will grab the pwd 
from the .passlist file, run through the script and finish without ever 
stopping to prompt me for a pwd.

As for how I configured agentless system I am trying to test, I ran the 
/var/ossec/agentless/register_host.sh 
add p...@pix.fw.local pixpass enablepass and did indeed enter a value for 
pixpass and enablepass, that I confirmed was correct by opening the 
.passlist file.

On Monday, February 25, 2013 5:23:46 PM UTC-7, cspragu...@gmail.com wrote:
>
> I am trying to test agentless connection to one of my ASAs.  I have 
> enabled agentless, I have added the device with register_host.sh and have 
> added a ssh_asa-fwsmconfig_diff agentless config for the ASA in 
> ossec.config.  I am now just trying to test the script by running:
>
> /var/ossec$ sudo ./agentless/ssh_asa-fwsmconfig_diff account@10.10.10.10
>
> Here is the output from that command:
> ___
> ossec@OSSEC:/var/ossec$ sudo ./agentless/ssh_asa-fwsmconfig_diff 
> account@10.10.10.10
> [sudo] password for ossec: 
> spawn ssh -c des account@10.10.10.10
>
>
> No valid ciphers for protocol version 2 given, using defaults.
>
>
> account@10.10.10.10's password: 
>
> This is a privately owned computing system.Access is permitted only by 
> authorized employees or agents of the company.The system may be used only 
> for authorized company business.Company management approval is required for 
> all access privileges.This system is equipped with a security system 
> intended to prevent and record unauthorized access attempts. Unauthorized 
> access or use is a crime under the law.
>
> Type help or '?' for a list of available commands.
>
>
> 10ASA> INFO: Starting.
> enable
>
> Password: 
> ERROR: Timeout while running enable on host: account@10.10.10.10
> ossec@OSSEC:/var/ossec$ #
> -bash: ###: event not found
> _
>
> The spot where you see the first series of hashes is where the script 
> stops and prompts me for a password.  I'm assuming that it is asking me for 
> the enable password.  I enter the correct enable password and, as you see, 
> I get a timeout.
>
> I did modify the ssh_asa-fwsmconfig_diff script a bit after an issue I 
> encountered with the ssh_pixconfig_diff script.  I was having troubles 
> making the pix script work then came across this post:  
> http://www.mail-archive.com/ossec-list@googlegroups.com/msg15464.html
> After reading that post and correcting the *password:* bugs, the script 
> started working perfectly.  I opened the ssh_asa-fwsmconfig_diff script and 
> also found spacing issues everywhere "*password:*" is referenced.  After 
> doing so I was at least able to get as far as you see above but am now 
> stuck again.
>
> Here is my ssh_asafwsmconfig_diff script with the "*password:*" 
> corrections.  I have made no other changes.  Any script geniuses out there 
> that can identify any other problems that could be causing this issue for 
> me? 
>
> #!/usr/bin/env expect
>
> # @(#) $Id$
> # Agentless monitoring
> #
> # Copyright (C) 2009 Trend Micro Inc.
> # All rights reserved.
> # 
> # This program is a free software; you can redistribute it
> # and/or modify it under the terms of the GNU General Public
> # License (version 2) as published by the FSF - Free Software
> # Foundation.
>
>
> if {$argc < 1} {
> send_user "ERROR: ssh_pixconfig_diff  \n";
> exit 1;
> }
>
>
> # NOTE: this script must be called from within /var/ossec for it to work.
> set passlist "agentless/.passlist"
> set hostname [lindex $argv 0]
> set commands [lrange $argv 1 end]
> set pass "x"
> set addpass "x"
> set timeout 20
>
> if {[string compare $hostname "test"] == 0} {
>     if {[string compare $commands "test"] == 0} {
>         exit 0;
>     }
> }
>
> # Reading the password list.
> if [catch {
>     set in [open "$passlist" r]
> } loc_error] {
>     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
>     exit 1;
> }
>
> while {[gets $in line] != -1} {
>     set me [strin

Re: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to generate an alert never generates the alert

2013-02-26 Thread dan (ddp)
On Tue, Feb 26, 2013 at 12:43 PM, Nathaniel Bentzinger
 wrote:
> I’ve written a powershell script to install windows updates and report back
> status to the Application Event log so OSSEC can scrap them up and generate
> alerts however I’m not getting the email generated.
>
>
>
> My rule:
>
>
>
> 
>
>   
>
>   1
>
>   WindowsUpdateScript
>
>   Windows Update Script
>
>   
>
> 
>
>
>
> LogAll is enabled on my ossec.conf & the email alert level is 8.
>
>
>
> The logging results in the archives.log:
>
>
>
> # tail -f archives/archives.log | grep WindowsUpdate
>
> 2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog:
> Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain:
> TESTWIN2008.archergroup.local: Starting Automated Windows Update
> Installation: 2/26/2013 12:35:29 PM
>
>
>
>
>
> Ossec-Logtest output:
>
>
>
> [root@secserv bin]# ./ossec-logtest -f
>
> 2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
>
> 2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
>
> ossec-testrule: Type one log per line.
>
>
>
> Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain:
> TESTWIN2008.archergroup.local: Automated Windows Update Installation:
> Completed: 2/26/2013 12:28:44 PM Windows Update Results:  Security Update
> for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package
> (KB2565063)
>
>
>
>
>
> **Phase 1: Completed pre-decoding.
>
>   full event: ' Application: INFORMATION(105): WindowsUpdateScript: (no
> user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update
> Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable
> Package (KB2565063)'
>
>hostname: 'secserv'
>
>program_name: '(null)'
>
>log: ' Application: INFORMATION(105): WindowsUpdateScript: (no user):
> no domain: TESTWIN2008.archergroup.local: Automated Windows Update
> Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
> Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable
> Package (KB2565063)'
>
>
>
> **Phase 2: Completed decoding.
>
>No decoder matched.
>
>
>
> **Rule debugging:
>
> Trying rule: 1 - Generic template for all syslog rules.
>
>*Rule 1 matched.
>
>*Trying child rules.
>
> Trying rule: 5500 - Grouping of the pam_unix rules.
>
> Trying rule: 5700 - SSHD messages grouped.
>
> Trying rule: 5600 - Grouping for the telnetd rules
>
> Trying rule: 2100 - NFS rules grouped.
>
> Trying rule: 2507 - OpenLDAP group.
>
> Trying rule: 2550 - rshd messages grouped.
>
> Trying rule: 2701 - Ignoring procmail messages.
>
> Trying rule: 2800 - Pre-match rule for smartd.
>
> Trying rule: 5100 - Pre-match rule for kernel messages
>
> Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>
> Trying rule: 2830 - Crontab rule group.
>
> Trying rule: 5300 - Initial grouping for su messages.
>
> Trying rule: 5400 - Initial group for sudo messages
>
> Trying rule: 9100 - PPTPD messages grouped
>
> Trying rule: 9200 - Squid syslog messages grouped
>
> Trying rule: 2900 - Dpkg (Debian Package) log.
>
> Trying rule: 2930 - Yum logs.
>
> Trying rule: 2931 - Yum logs.
>
> Trying rule: 7200 - Grouping of the arpwatch rules.
>
> Trying rule: 7300 - Grouping of Symantec AV rules.
>
> Trying rule: 7400 - Grouping of Symantec Web Security rules.
>
> Trying rule: 4300 - Grouping of PIX rules
>
> Trying rule: 12100 - Grouping of the named rules
>
> Trying rule: 13100 - Grouping for the smbd rules.
>
> Trying rule: 13106 - (null)
>
> Trying rule: 11400 - Grouping for the vsftpd rules.
>
> Trying rule: 11300 - Grouping for the pure-ftpd rules.
>
> Trying rule: 11200 - Grouping for the proftpd rules.
>
> Trying rule: 11500 - Grouping for the Microsoft ftp rules.
>
> Trying rule: 11100 - Grouping for the ftpd rules.
>
> Trying rule: 9300 - Grouping for the Horde imp rules.
>
> Trying rule: 9400 - Roundcube messages groupe.d
>
> Trying rule: 9500 - Wordpress messages grouped.
>
> Trying rule: 9600 - cimserver messages grouped.
>
> Trying rule: 9900 - Grouping for the vpopmail rules.
>
> Trying rule: 9800 - Grouping for the vm-pop3d rules.
>
> Trying rule: 3900 - Grouping for the courier rules.
>
> Trying rule: 30100 - Apache messages grouped.
>
> Trying rule: 31300 - Nginx messages grouped.
>
> Trying rule: 31404 - PHP Warning message.
>
> Trying rule: 31405 - PHP Fatal error.
>
> Trying rule: 31406 - PHP Parse error.
>
> Trying rule: 50100 - MySQL messages grouped.
>
> Trying rule: 50500 - PostgreSQL messages grouped.
>
> Trying rule: 4700 - Grouping of Cisco IOS rules.
>
> Trying rule: 4500 - Grouping for the Netscreen Firewall rules
>
> Trying rule: 4800 - SonicWall messages gro

Re: [ossec-list] Has anyone successfully set up agentless monitoring of SonicWALL firewalls?

2013-02-26 Thread dan (ddp)
On Tue, Feb 26, 2013 at 11:44 AM,   wrote:
> If so, did you use one of the scripts within /var/ossec/agentless or did you
> create your own script?
>

Not that I have a script or anything, but what do you want to monitor
with the agentless functionality? What command line tools are
available on the sonicwall?






Re: [ossec-list] After upgrading to 2.7, one agent does not finish server handshake

2013-02-26 Thread dan (ddp)
On Mon, Feb 25, 2013 at 2:38 PM, biciunas  wrote:
> I upgraded a CentOS 5.9 server from OSSEC 2.6 to 2.7
> After restarting OSSEC server, all the 2.6 agents (both Windows and Linux)
> resumed their connections except for 1 Windows agent. The ossec.log showed:
>
> 2013/02/25 18:18:24 ossec-agent: INFO: Started (pid: 3580).
> 2013/02/25 18:18:34 ossec-agent: WARN: Process locked. Waiting for
> permission...
> 2013/02/25 18:18:45 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '10.xxx.xxx.xxx'.
> 2013/02/25 18:18:47 ossec-agent: INFO: Trying to connect to server
> (10.xxx.xxx.xxx:1514).
> 2013/02/25 18:18:47 ossec-agent: INFO: Using IPv4 for: 10.xxx.xxx.xxx .
> 2013/02/25 18:19:08 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '10.xxx.xxx.xxx'.
> 2013/02/25 18:19:28 ossec-agent: INFO: Trying to connect to server
> (10.xxx.xxx.xxx:1514).
> 2013/02/25 18:19:28 ossec-agent: INFO: Using IPv4 for: 10.xxx.xxx.xxx .
> < etc.>
>
> Wireshark on the windows agent box shows UDP messages going to the correct
> IP address.
>
> The strangest part is that running tethereal on the OSSEC server shows the
> requests coming in, but unlike any of the agent conversations, there are no
> outbound messages from the OSSEC server. I can't find anything that remotely
> looks like a log entry that may shed any relevant information as to why the
> agent request is ignored.
>
> Starting OSSEC in debug mode does not shed any light on this.
>
> Anyone have any ideas?
>
>
>

There really should be log messages on the server explaining the
problem. Make sure the IP the server sees from the agent matches the
IP in the client.keys file for that agent. Make sure the IP is unique
in the client.keys file. Delete the agent and re-add it if necessary.


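One way to run the two checks described in the reply above (the address the server sees from the agent matches the client.keys entry, and that address is unique in the file) before deleting and re-adding the agent. This is an added example, not OSSEC's own code; it assumes the client.keys line layout `ID NAME IP KEY`, with `any` or a CIDR block allowed in the IP field, and the sample file and observed source address are constructed.

```python
"""Consistency checks for an OSSEC client.keys file.

Added example, not OSSEC project code. It assumes the client.keys line
layout "ID NAME IP KEY" (one agent per line), where the IP field may
also be "any" or a CIDR block (assumption). The sample file and the
observed source address below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: two agents share an IP, and the Windows agent's
# entry does not match the address seen on the wire in the checks below.
SAMPLE_CLIENT_KEYS = """\
001 linux-web 10.0.0.11 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 win-agent 10.0.0.20 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
003 linux-db 10.0.0.11 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
004 dhcp-lab 10.0.1.0/24 ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""


def parse_client_keys(text):
    """Return ([(id, name, ip, key), ...], [(lineno, raw_line), ...]).

    Lines without exactly four whitespace-separated fields are reported
    as malformed instead of being silently dropped: a damaged entry is
    one reason remoted may ignore an agent that is clearly sending.
    """
    agents, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            malformed.append((lineno, line))
        else:
            agents.append(tuple(fields))
    return agents, malformed


def duplicate_ips(agents):
    """Map every IP field used by more than one agent to those agent ids."""
    by_ip = defaultdict(list)
    for agent_id, _name, ip, _key in agents:
        by_ip[ip].append(agent_id)
    return {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}


def ip_field_covers(ip_field, observed_ip):
    """True if the client.keys IP field admits the observed source address."""
    if ip_field == "any":
        return True
    if "/" in ip_field:
        network = ipaddress.ip_network(ip_field, strict=False)
        return ipaddress.ip_address(observed_ip) in network
    return ip_field == observed_ip


def check_observed_source(agents, agent_name, observed_ip):
    """Compare the address the server saw (tethereal/tcpdump) with the
    entry for that agent. Returns "ok", "mismatch" or "unknown-agent"."""
    for _id, name, ip_field, _key in agents:
        if name == agent_name:
            return "ok" if ip_field_covers(ip_field, observed_ip) else "mismatch"
    return "unknown-agent"


def report(text, agent_name, observed_ip):
    """Run all checks and return the findings as a list of strings."""
    agents, malformed = parse_client_keys(text)
    findings = [f"line {n}: malformed entry: {raw!r}" for n, raw in malformed]
    for ip, ids in duplicate_ips(agents).items():
        findings.append(f"ip {ip} is shared by agents {', '.join(ids)}")
    verdict = check_observed_source(agents, agent_name, observed_ip)
    if verdict != "ok":
        findings.append(f"agent {agent_name}: {verdict} for observed source {observed_ip}")
    return findings


if __name__ == "__main__":
    # The server saw 10.0.0.21 from "win-agent", but client.keys says 10.0.0.20.
    for finding in report(SAMPLE_CLIENT_KEYS, "win-agent", "10.0.0.21"):
        print(finding)
```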




Re: [ossec-list] Rule creation to suppress email alert

2013-02-26 Thread dan (ddp)
On Tue, Feb 26, 2013 at 3:46 AM, Fredrik  wrote:
> Hi Stephane,
>
>
> Thanks for your post! Sorry, my bad - the example I sent was generic and not
> an exact message from the logs :( Please find a "real" sample below.
>
> Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316:
> %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
> Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34
>

# /var/ossec/bin/ossec-logtest
2013/02/26 15:23:05 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 15:23:06 ossec-testrule: INFO: Started (pid: 32596).
ossec-testrule: Type one log per line.

Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316:
%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
Register IP Add on MSCB. MSCB still in init state.
Address:98:03:d8:ae:b2:34


**Phase 1: Completed pre-decoding.
   full event: 'Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26
08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED:
apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in
init state. Address:98:03:d8:ae:b2:34'
   hostname: '192.168.x.y'
   program_name: 'Cisco-WAC'
   log: '*Feb 26 08:38:36.316:
%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
Register IP Add on MSCB. MSCB still in init state.
Address:98:03:d8:ae:b2:34'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '2'
   Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

There is no srcip, so of course the rule won't match.


> ossec-logtest doesn't seem to accept the -f switch (in my install), did you
> mean -d for debug? Attached the output I got with -d.
>
> Best,
> Fredrik
>
> On Tuesday, February 26, 2013 12:07:51 AM UTC+1, srossan wrote:
>>
>> I don't see how your log is related to rule 1002 ( 1002).
>> I suggest you remove this line as well. You can test your new rule with
>> ossec-logtest -f, it will give you insight on your rules hierarchy.
>>
>> -Stephane
>>
>> On Feb 25, 2013 2:56 PM, "Kevin Kelly"  wrote:
>> >
>> > I believe the problem is: 192.168.x.y
>> >
>> > There is no IP address in the log entry, so the source IP will never
>> > match.  Maybe you could use  instead?
>> >
>> > --
>> > Kevin Kelly
>> > Director, Network Technology
>> > Whitman College
>> >
>> > 
>> > From: "Fredrik" 
>> > To: ossec...@googlegroups.com
>>
>> > Sent: Monday, February 25, 2013 1:49:14 AM
>> > Subject: [ossec-list] Rule creation to suppress email alert
>> >
>> >
>> > Hello!
>> >
>> > I have read some of the similar posts, but can't seem to get it to work.
>> > I'm trying to stop the following (syslog) message from generating an alert -
>> > while the underlying cause is being dealt with:
>> >
>> > Feb 25 09:40:31.464 apf_foreignap.c:1281
>> > APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB
>> > still in init state. Address:00:40:96:a7:50:c6
>> >
>> > I have added a rule to local_rules.xml:
>> >
>> >  
>> >   
>> > 1002
>> > 192.168.x.y
>> > %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: 
>> > no_email_alert
>> >   
>> >
>> > I have tried different match-strings, with/without ip-address, but I
>> > can't seem to get a hit on my custom filter when using the ossec-logtest
>> > binary, and the message keeps generating email alerts.
>> >
>> > What have I got wrong?!
>> >
>> > Fredrik
>> >

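To show why the rule as posted can never fire, here is an added example (not OSSEC code) that models ossec-logtest's Phase 1 pre-decoding of the Cisco-WAC line and then checks the posted rule's srcip condition against the hostname variant Kevin suggested. The rule ids are constructed placeholders, and hostname and match are treated as plain substring tests, a simplification of OSSEC's own regex dialect.

```python
"""Why the posted <srcip> rule never fires on the Cisco-WAC message.

Added example, not OSSEC code: a small model of ossec-logtest's Phase 1
pre-decoding for "Mon DD HH:MM:SS host program: text" syslog lines and of
how a rule's srcip / hostname / match conditions are checked against the
decoded fields. The rule ids are constructed placeholders, and hostname
and match are treated as plain substring tests (a simplification of the
OSSEC regex dialect).
"""
import re

# Constructed copy of the log line from the thread.
SAMPLE_LOG = (
    "Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: "
    "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not "
    "Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34"
)

# Shape reported by ossec-logtest: hostname '192.168.x.y', program_name 'Cisco-WAC'.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\s]+): (?P<log>.*)$"
)


def predecode(line):
    """Phase 1: split a syslog line into hostname, program_name and log.

    Nothing here sets srcip. That field is only filled by a decoder in
    Phase 2, and the thread shows "No decoder matched" for this line, so
    the token 192.168.x.y exists only as the hostname.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line, "srcip": None}
    fields = m.groupdict()
    del fields["ts"]
    fields["srcip"] = None
    return fields


def rule_matches(rule, event):
    """Check the conditions used in the thread; every present one must hold.

    A condition on a field the event does not carry (srcip is None) fails,
    which is exactly why the posted rule never matches in Phase 3.
    """
    if "srcip" in rule and event["srcip"] != rule["srcip"]:
        return False
    if "hostname" in rule:
        if event["hostname"] is None or rule["hostname"] not in event["hostname"]:
            return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    return True


# The rule as posted (keyed on srcip) and the variant Kevin suggested
# (keyed on hostname); both keep the match string and no_email_alert.
RULE_AS_POSTED = {
    "id": "100001", "if_sid": "1002", "srcip": "192.168.x.y",
    "match": "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: ", "options": "no_email_alert",
}
RULE_WITH_HOSTNAME = {
    "id": "100001", "if_sid": "1002", "hostname": "192.168.x.y",
    "match": "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: ", "options": "no_email_alert",
}


def which_rule_fires(line):
    """Return {rule name: matched?} for the two candidate rules."""
    event = predecode(line)
    return {
        "as_posted": rule_matches(RULE_AS_POSTED, event),
        "with_hostname": rule_matches(RULE_WITH_HOSTNAME, event),
    }


if __name__ == "__main__":
    print(predecode(SAMPLE_LOG))
    print(which_rule_fires(SAMPLE_LOG))
```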




Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-02-26 Thread dan (ddp)
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко  wrote:
> I tried to add a bad option and I see that it is not being picked up...
> Like in my example, I don't see anything related to options in the specific
> agent profile.
>

You could check the code repository to see if the commits enabling
this functionality for unixy systems also enabled it for Windows.

> On Tuesday, 19 February 2013 23:15:44 UTC+6, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко 
>> wrote:
>> > ossec.conf(agent test_PC):
>> >
>> >> 
>> >>
>> >>
>> >> 
>> >>
>> >> test1
>> >>
>> >>  1.1.1.1
>> >>
>> >> 
>> >>
>> >>
>> >> 
>> >>
>> >> no
>> >>
>> >> 
>> >>
>> >>
>> >> 
>> >
>> >
>> >
>> > agent.conf(server):
>> >
>> >> 
>> >>
>> >> 
>> >>
>> >> D:/
>> >>
>> >> 
>> >>
>> >> 
>> >>
>> >>
>> >> 
>> >>
>> >> 
>> >>
>> >>   F:/
>> >>
>> >> 
>> >>
>> >> 
>> >>
>> >>
>> >> 
>> >>
>> >> 
>> >>
>> >>   C:/
>> >>
>> >> 
>> >>
>> >> 
>> >
>> >
>> > ossec.log(agent):
>> >
>> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>> >>
>> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>> >
>> >
>> > Disk F is not monitored.
>> >
>> > The same configuration for an agent under FreeBSD works fine.
>> >
>> > --
>> >
>>
>> You could add a bad option under that profile to see if it's being
>> picked up, like monitoring a syslog file that doesn't actually exist.
>>
>> Other than that, I'd try something like:
>>
>> 
>> 
>>   F:\. 
>> 
>> 
>>
>> I can't test this at the moment, so I don't know for sure that it will
>> work.
>>





Re: [ossec-list] Cannot get agentless script ssh_asa-fwsmconfig_diff to connect to ASA

2013-02-26 Thread dan (ddp)
On Mon, Feb 25, 2013 at 7:23 PM,   wrote:
> I am trying to test agentless connection to one of my ASAs.  I have enabled
> agentless, I have added the device with register_host.sh and have added a
> ssh_asa-fwsmconfig_diff agentless config for the ASA in ossec.config.  I am
> now just trying to test the script by running:
>
> /var/ossec$ sudo ./agentless/ssh_asa-fwsmconfig_diff account@10.10.10.10
>
> Here is the output from that command:
> ___
> ossec@OSSEC:/var/ossec$ sudo ./agentless/ssh_asa-fwsmconfig_diff
> account@10.10.10.10
> [sudo] password for ossec:
> spawn ssh -c des account@10.10.10.10
>
>
> No valid ciphers for protocol version 2 given, using defaults.
>
>
> account@10.10.10.10's password:
>
> This is a privately owned computing system.Access is permitted only by
> authorized employees or agents of the company.The system may be used only
> for authorized company business.Company management approval is required for
> all access privileges.This system is equipped with a security system
> intended to prevent and record unauthorized access attempts. Unauthorized
> access or use is a crime under the law.
>
> Type help or '?' for a list of available commands.
>
>
> 10ASA> INFO: Starting.
> enable
>
> Password: 
> ERROR: Timeout while running enable on host: account@10.10.10.10
> ossec@OSSEC:/var/ossec$ #
> -bash: ###: event not found
> _
>

It looks like the script is expecting a password, but doesn't receive
one, and a bunch of hashes are passed to the OSSEC server's shell.

How did you configure the agentless system? Did it ask for an enable
password? (I don't use agentless, especially with Cisco products)

> The spot where you see the first series of hashes is where the script stops
> and prompts me for a password.  I'm assuming that it is asking me for the
> enable password.  I enter the correct enable password and, as you see, I get
> a timeout.
>
> I did modify the ssh_asa-fwsmconfig_diff script a bit after an issue I
> encountered with the ssh_pixconfig_diff script.  I was having troubles
> making the pix script work then came across this post:
> http://www.mail-archive.com/ossec-list@googlegroups.com/msg15464.html
> After reading that post and correcting the *password:* bugs, the script
> started working perfectly.  I opened the ssh_asa-fwsmconfig_diff script and
> also found spacing issues everywhere "*password:*" is referenced.  After
> doing so I was at least able to get as far as you see above but am now stuck
> again.
>
> Here is my ssh_asa-fwsmconfig_diff script with the "*password:*" corrections.
> I have made no other changes.  Any script geniuses out there that can
> identify any other problems that could be causing this issue for me?
>
> #!/usr/bin/env expect
>
> # @(#) $Id$
> # Agentless monitoring
> #
> # Copyright (C) 2009 Trend Micro Inc.
> # All rights reserved.
> #
> # This program is a free software; you can redistribute it
> # and/or modify it under the terms of the GNU General Public
> # License (version 2) as published by the FSF - Free Software
> # Foundation.
>
>
> if {$argc < 1} {
>     send_user "ERROR: ssh_pixconfig_diff  \n";
>     exit 1;
> }
>
>
> # NOTE: this script must be called from within /var/ossec for it to work.
> set passlist "agentless/.passlist"
> set hostname [lindex $argv 0]
> set commands [lrange $argv 1 end]
> set pass "x"
> set addpass "x"
> set timeout 20
>
> if {[string compare $hostname "test"] == 0} {
>     if {[string compare $commands "test"] == 0} {
>         exit 0;
>     }
> }
>
> # Reading the password list.
> if [catch {
>     set in [open "$passlist" r]
> } loc_error] {
>     send_user "ERROR: Password list not present (use \"register_host\" first).\n"
>     exit 1;
> }
>
> # Each line is split on its first and last "|": host, password, additional
> # (enable) password. Lines without two separators are skipped.
> while {[gets $in line] != -1} {
>     set me [string first "|" $line]
>     set me2 [string last "|" $line]
>     set length [string length $line]
>
>     if {$me == -1} {
>         continue;
>     }
>     if {$me2 == -1} {
>         continue;
>     }
>     if {$me == $me2} {
>         continue;
>     }
>
>     set me [expr $me-1]
>     set me2 [expr $me2-1]
>
>     set host_list [string range $line 0 $me]
>     set me [expr $me+2]
>     set pass_list [string range $line $me $me2]
>     set me2 [expr $me2+2]
>     set addpass_list [string range $line $me2 $length]
>
>     if {[string compare $host_list $hostname] == 0} {
>         set pass "$pass_list"
>         set addpass "$addpass_list"
>         break
>     }
> }
> close $in
>
>
> if

Re: [ossec-list] Best approach to use IP based rules

2013-02-26 Thread dan (ddp)
On Tue, Feb 26, 2013 at 4:39 AM, C. L. Martinez  wrote:
> Hi all,
>
>  I have defined several rules to monitor firewall logs. These rules
> send an alert if srcip or dstip match several cdb IP blacklists
> (from dshield, RBN, shadowserver, etc) ... but the cost is too
> high: ossec-analysisd spends a lot of CPU resources processing the
> firewall logs received (over 7 million every day).
>
>  Is there a better approach to accomplish this task using OSSEC?
>
> --
>

cdb is probably the best we have. If this is affecting the performance
of the ossec server to the point it isn't analyzing other log
messages, you may need to run an additional ossec server for the
firewall logs (use hybrid to forward the alerts to the main server if
necessary).






Re: [ossec-list] After upgrade to 2.7, ossec-remoted not started by "ossec-control start"

2013-02-26 Thread dan (ddp)
On Mon, Feb 25, 2013 at 11:23 AM, biciunas  wrote:
> I upgraded a CentOS 5.9 server from 2.6 to 2.7 using yum.
>
> After the upgrade, running "ossec-control start" results in:
>
> [root@foobar bin]# ./ossec-control start
> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...

It doesn't even look like it attempted to start ossec-remoted. grep
ossec-remoted /var/ossec/bin/ossec-control

> [root@foobar bin]# ./ossec-control status
> ossec-monitord not running...
> ossec-logcollector not running...
> ossec-remoted not running...
> ossec-syscheckd not running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
>
> However, running ossec-remoted will work just fine:
>
> [root@foobar bin]# ./ossec-remoted
> [root@foobar bin]# ossec-control status
> ossec-monitord not running...
> ossec-logcollector not running...
> ossec-remoted is running...
> ossec-syscheckd not running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
>
> The log shows nothing interesting, even when using ossec-control enable
> debug. The ossec-server.sh script was not touched. Any ideas?
>
>




Re: [ossec-list] Hybrid Killed Me?

2013-02-26 Thread dan (ddp)
On Wed, Feb 20, 2013 at 9:28 PM, TWAD  wrote:
> Dan,
> I changed the permissions for merged.mg to rwrwr and it is updating as I
> write this. Group is ossec, owner is ossec.
> I no longer run the hybrid; I have only the server installed to reduce
> troubleshooting efforts.
>
> Here is what I recently noticed and changed. Upon start-up tonight,
> ossec-remoted was not starting. I noticed an error that I did not have an IP
> for syslog, so I edited ossec.conf and noticed that I have two remote
> elements, one for syslog and one for secure. I removed the syslog element,
> added port 1514 (since I cannot see it through tcpdump), and allowed IPs.
>
> 
>
> 127.0.0.1
>
> ^localhost.localdomain$
>
> 10.10.1.1
>
> 10.10.2.8
>
> 10.10.2.100
>
> 10.10.1.100
>
> 
>
>
>
> 
>
> secure
>
> 1514
>
> 10.10.1.100
>
> 10.10.1.1
>
> 10.10.2.100
>
> 10.10.2.8
>
> 10.10.2.10
>
> 
>
>
>
>   # 
>
>   # secure
>
>   # 
>

I know this problem has been solved, but I wanted to toss this into
the archives: The hashes at the beginning of these lines will probably
break the configuration. Commenting lines out should be done via  at the end.

>
>
> I saved the configuration and ran ossec-control restart
>
> Now I get:
>
> [root@rhelx bin]# ./ossec-control status
> ossec-monitord is running...
>
> ossec-logcollector is running...
>
> ossec-remoted: Process 24878 not used by ossec, removing ..
>
> ossec-remoted not running...
>
> ossec-syscheckd is running...
>
> ossec-analysisd is running...
>
> ossec-maild not running...
>
> ossec-execd is running...
>
>
> The agent still gets:
> 2013/02/20 19:54:35 ossec-agent: INFO: Started (pid: 6364).
> 2013/02/20 19:54:45 ossec-agent: WARN: Process locked. Waiting for
> permission...
> 2013/02/20 19:54:55 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '10.10.2.8'.
> 2013/02/20 19:54:57 ossec-agent: INFO: Trying to connect to server
> (10.10.2.8:1514).
> 2013/02/20 19:54:57 ossec-agent: INFO: Using IPv4 for: 10.10.2.8 .
>
> and when I grep for ossec-remoted in the ossec log, I get this:
>
> 2013/02/20 19:53:10 ossec-remoted: DEBUG: Starting ...
>
> 2013/02/20 19:53:10 ossec-remoted: INFO: Started (pid: 24876).
>
> 2013/02/20 19:53:10 ossec-remoted: DEBUG: Forking remoted: '1'.
>
> 2013/02/20 19:53:10 ossec-remoted: DEBUG: Forking remoted: '0'.
>
> 2013/02/20 19:53:10 ossec-remoted: INFO: Started (pid: 24878).
>
> 2013/02/20 19:53:10 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>
> 2013/02/20 19:53:11 ossec-remoted: DEBUG: Running manager_init
>
> 2013/02/20 19:53:11 ossec-remoted: INFO: (unix_domain) Maximum send buffer
> set to: '229376'.
>
> 2013/02/20 19:53:11 ossec-remoted(4111): INFO: Maximum number of agents
>
> allowed: '256'.
>
> 2013/02/20 19:53:11 ossec-remoted(1410): INFO: Reading authentication keys
> file.
>
> 2013/02/20 19:53:11 ossec-remoted: DEBUG: OS_StartCounter.
>
> 2013/02/20 19:53:11 ossec-remoted: OS_StartCounter: keysize: 2
>
>
> I searched for hours today looking through old posts to find an answer and I
> noticed a guy (Eric Hansen) had the same issue, but the thread stopped
> before the solve.
> https://groups.google.com/forum/?fromgroups#!topic/ossec-list/gDbBjD6r-DQ
>
> Thanks
> Will
>
>
>
> On Wednesday, February 20, 2013 9:10:47 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Tue, Feb 19, 2013 at 11:55 PM, TWAD  wrote:
>> > Bottom line: No clients will connect after I installed Hybrid, uninstalled
>> > Hybrid, and reinstalled Server. What am I doing/have I done wrong?
>> >
>>
>> Hybrid just installs a server installation in /var/ossec, and an agent
>> in /var/ossec/ossec-agent (for forwarding alerts to other OSSEC
>> servers). So setup should be the same.
>>
>> > Details
>> >
>> > 1.  So I had v2.7 installed as a server on RHEL 6.4
>> >
>> > 2.  I had agents on 10 hosts in the lab
>> >
>> > 3.  All agents were monitored with no issues
>> >
>> > 4.  I wanted an agent on the server, So I installed Hybrid
>> >
>> > 5.  Then none of the agents would connect
>> >
>> > 6.  Every agent log shows ossec-agent (4101): WARN: Waiting for server
>> > reply (not started). Tried 10.10.2.8, trying to connect to server
>> > (10.10.2.8:1514)
>> >
>> > 7.  So from here I uninstalled and reinstalled over and over again keys,
>> > clients, and finally the server using the script below AND removing the
>> > /var/ossec directory
>> >
>> > 8.  Today I reinstalled the server (not hybrid) and uninstalled/reinstalled
>> > clients on two hosts. I am getting the same error no matter what
>> >
>> > 9.  I have the firewall completely disabled
>> >
>> > [root@rhelx uninstall-ossec]# iptables --list
>> > Chain INPUT (policy ACCEPT)
>> >
>> > target prot opt source   destination
>> >
>> >
>> >
>> > Chain FORWARD (policy ACCEPT)
>> >
>> > target prot opt source   destination
>> >
>> >
>> >
>> > Chain OUTPUT (policy ACCEPT)
>> >
>> > target prot opt source   destination
>> >
>> >
>> >
>> > 10.The ag

[ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to generate an alert never generates the alert

2013-02-26 Thread Nathaniel Bentzinger
I've written a PowerShell script to install Windows updates and report back
status to the Application event log so OSSEC can scrape them up and generate
alerts; however, I'm not getting the email generated.

My rule:


  
  1
  WindowsUpdateScript
  Windows Update Script
  


LogAll is enabled on my ossec.conf & the email alert level is 8.

The logging results in the archives.log:

# tail -f archives/archives.log | grep WindowsUpdate
2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog: 
Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain: 
TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation: 
2/26/2013 12:35:29 PM


Ossec-Logtest output:

[root@secserv bin]# ./ossec-logtest -f
2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
ossec-testrule: Type one log per line.

Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: 
TESTWIN2008.archergroup.local: Automated Windows Update Installation: 
Completed: 2/26/2013 12:28:44 PM Windows Update Results:  Security Update for 
Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)


**Phase 1: Completed pre-decoding.
  full event: ' Application: INFORMATION(105): WindowsUpdateScript: (no 
user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update 
Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:  
Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable 
Package (KB2565063)'
   hostname: 'secserv'
   program_name: '(null)'
   log: ' Application: INFORMATION(105): WindowsUpdateScript: (no user): no 
domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: 
Completed: 2/26/2013 12:28:44 PM Windows Update Results:  Security Update for 
Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)'

**Phase 2: Completed decoding.
   No decoder matched.

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
   *Rule 1 matched.
   *Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5400 - Initial group for sudo messages
Trying rule: 9100 - PPTPD messages grouped
Trying rule: 9200 - Squid syslog messages grouped
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 7200 - Grouping of the arpwatch rules.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - (null)
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages groupe.d
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 30100 - Apache messages grouped.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 4700 - Grouping of Cisco IOS rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying

[ossec-list] Has anyone successfully set up agentless monitoring of SonicWALL firewalls?

2013-02-26 Thread csprague . cissp
If so, did you use one of the scripts within /var/ossec/agentless or did 
you create your own script?





Re: [ossec-list] Rule creation to suppress email alert

2013-02-26 Thread Stephane Rossan
Hi Fredrik,

I really meant ossec-logtest -f.
Here is my example with your log:
# /apps/ossec/bin/ossec-logtest -f
2013/02/26 14:54:43 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 14:54:43 ossec-testrule: INFO: Started (pid: 3245).
ossec-testrule: Type one log per line.

Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316:
%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34


**Phase 1: Completed pre-decoding.
   full event: 'Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26
08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281
Could not Register IP Add on MSCB. MSCB still in init state.
Address:98:03:d8:ae:b2:34'
   hostname: '192.168.x.y'
   program_name: 'Cisco-WAC'
   log: '*Feb 26 08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED:
apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in init
state. Address:98:03:d8:ae:b2:34'

**Phase 2: Completed decoding.
   No decoder matched.

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
   *Rule 1 matched.
   *Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5400 - Initial group for sudo messages
Trying rule: 9100 - PPTPD messages grouped
Trying rule: 9200 - Squid syslog messages grouped
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 7200 - Grouping of the arpwatch rules.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - (null)
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages groupe.d
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 30100 - Apache messages grouped.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 4700 - Grouping of Cisco IOS rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP rules.
Trying rule: 6350 - Grouping for the MS-DHCP rules.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 100210 - (null)
Trying rule: 100460 - (null)
Trying rule: 100600 - Puppet alerts
Trying rule: 100825 - (null)
Trying rule: 100900 - (null)
Trying rule: 10111

Re: [ossec-list] After upgrading to 2.7, one agent does not finish server handshake

2013-02-26 Thread biciunas
More information:
This morning, in order to continue troubleshooting this problem, I started 
the Windows 2.7 agent, and the agent log showed that there was a connection 
to the OSSEC server. The tethereal trace that was running on the server 
when the agent started showed a handshake, followed by a multitude of UDP 
packets from the agent. All well and good; it looks like all the other agent 
actions. However, when I looked at the agent from the server, I get:

[root@foobar bin]# ./agent_control -i NaN

OSSEC HIDS agent_control. Agent information:
   Agent ID:   NaN
   Agent Name: Agent-Name-01
   IP address: 192.168.xxx.xxx
   Status: Never connected

   Operating system:Unknown
   Client version:  Unknown
   Last keep alive: Unknown

   Syscheck last started  at: Tue Feb 26 14:19:01 2013
   Rootcheck last started at: Tue Feb 26 14:19:35 2013


Yet there's continuing traffic from the agent to the server.
Can anyone explain this behavior, and is this what I can expect when I 
upgrade the other agents from 2.6 to 2.7?


On Monday, February 25, 2013 3:43:07 PM UTC-5, biciunas wrote:
>
> Additional information: 
>
> 1) I deleted the 2.6 Windows agent, installed a 2.7 agent, and used the 
> same key - same result. 
> 2) I deleted the agent key on the server, created a new key, re-installed 
> the 2.7 agent - same result. 
>
> - Original Message - 
> > I upgraded a CentOS 5.9 server from OSSEC 2.6 to 2.7 
> > After restarting OSSEC server, all the 2.6 agents (both Windows and 
> > Linux) resumed their connections except for 1 Windows agent. The 
> > ossec.log showed: 
> > 
> > 2013/02/25 18:18:24 ossec-agent: INFO: Started (pid: 3580). 
> > 2013/02/25 18:18:34 ossec-agent: WARN: Process locked. Waiting for 
> > permission... 
> > 2013/02/25 18:18:45 ossec-agent(4101): WARN: Waiting for server reply 
> > (not started). Tried: '10.xxx.xxx.xxx'. 
> > 2013/02/25 18:18:47 ossec-agent: INFO: Trying to connect to server 
> > (10.xxx.xxx.xxx:1514). 
> > 2013/02/25 18:18:47 ossec-agent: INFO: Using IPv4 for: 10.xxx.xxx.xxx 
> > . 
> > 2013/02/25 18:19:08 ossec-agent(4101): WARN: Waiting for server reply 
> > (not started). Tried: '10.xxx.xxx.xxx'. 
> > 2013/02/25 18:19:28 ossec-agent: INFO: Trying to connect to server 
> > (10.xxx.xxx.xxx:1514). 
> > 2013/02/25 18:19:28 ossec-agent: INFO: Using IPv4 for: 10.xxx.xxx.xxx 
> > . 
> > < etc.> 
> > 
> > Wireshark on the windows agent box shows UDP messages going to the 
> > correct IP address. 
> > 
> > The strangest part is that running tethereal on the OSSEC server shows 
> > the requests coming in, but unlike any of the agent conversations, 
> > there's no outbound messages from the OSSEC server. I can't find 
> > anything that remotely looks like a log entry that may shed any 
> > relevant information as to why the agent request is ignored. 
> > 
> > Starting OSSEC in debug mode does not shed any light on this. 
> > 
> > Anyone have any ideas? 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
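
The block quoted above is the one piece of server-side state the thread shows, and it contradicts itself: the agent is "Never connected" yet has syscheck and rootcheck start times. The following is an added example, not code from the thread or from OSSEC, that parses what `agent_control -i` prints and flags that contradiction so it can be checked across many agents instead of by eye. The sample is the quoted block with its masked values (NaN, 192.168.xxx.xxx) kept as they were; the field names are taken from that block and nothing else is assumed about the tool.

```python
"""Parse `agent_control -i` output and flag the state described above.

Added example, not part of the thread or of OSSEC: it reads the text that
agent_control prints for one agent (the block quoted above) and reports
when the status is still "Never connected" although a syscheck or rootcheck
run already has a timestamp, which is the contradiction the poster saw.
The sample is the quoted block with its masked values kept as they were.
"""
import re
from typing import Dict, Iterable

SAMPLE = """\
OSSEC HIDS agent_control. Agent information:
   Agent ID:   NaN
   Agent Name: Agent-Name-01
   IP address: 192.168.xxx.xxx
   Status: Never connected

   Operating system:Unknown
   Client version:  Unknown
   Last keep alive: Unknown

   Syscheck last started  at: Tue Feb 26 14:19:01 2013
   Rootcheck last started at: Tue Feb 26 14:19:35 2013
"""

# Field lines are indented and split at the first colon; values may
# themselves contain colons (timestamps), so only the first one counts.
FIELD = re.compile(r"^\s+(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

RUN_FIELDS = ("Syscheck last started at", "Rootcheck last started at")


def parse_agent_info(text: str) -> Dict[str, str]:
    """Return {field name: value}; runs of spaces inside names are collapsed."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = " ".join(m.group("key").split())
            info[key] = m.group("value")
    return info


def never_connected_but_active(info: Dict[str, str]) -> bool:
    """True when the server says the agent never connected yet records a
    syscheck or rootcheck start time: the two views of the agent disagree."""
    if info.get("Status") != "Never connected":
        return False
    return any(info.get(field, "Unknown") not in ("Unknown", "")
               for field in RUN_FIELDS)


def flag_agents(blocks: Iterable[str]) -> Dict[str, bool]:
    """Map agent name to the flag for several pasted agent_control blocks."""
    result: Dict[str, bool] = {}
    for block in blocks:
        info = parse_agent_info(block)
        result[info.get("Agent Name", "?")] = never_connected_but_active(info)
    return result


if __name__ == "__main__":
    for name, flagged in flag_agents([SAMPLE]).items():
        print(name, "INCONSISTENT" if flagged else "ok")
```

Run it over one block per agent (for example, the output of `agent_control -i` for each ID in turn) and it prints INCONSISTENT for agents in the state the poster describes; agents that are genuinely fresh show "Unknown" in the run fields and are not flagged.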




[ossec-list] Cannot get agentless script ssh_asa-fwsmconfig_diff to connect to ASA

2013-02-26 Thread csprague . cissp
I am trying to test agentless connection to one of my ASAs.  I have enabled 
agentless, I have added the device with register_host.sh and have added a 
ssh_asa-fwsmconfig_diff agentless config for the ASA in ossec.config.  I am 
now just trying to test the script by running:

/var/ossec$ sudo ./agentless/ssh_asa-fwsmconfig_diff account@10.10.10.10

Here is the output from that command:
___
ossec@OSSEC:/var/ossec$ sudo ./agentless/ssh_asa-fwsmconfig_diff 
account@10.10.10.10
[sudo] password for ossec: 
spawn ssh -c des account@10.10.10.10


No valid ciphers for protocol version 2 given, using defaults.


account@10.10.10.10's password: 

This is a privately owned computing system. Access is permitted only by 
authorized employees or agents of the company. The system may be used only 
for authorized company business. Company management approval is required for 
all access privileges. This system is equipped with a security system 
intended to prevent and record unauthorized access attempts. Unauthorized 
access or use is a crime under the law.

Type help or '?' for a list of available commands.


10ASA> INFO: Starting.
enable

Password: 
ERROR: Timeout while running enable on host: account@10.10.10.10
ossec@OSSEC:/var/ossec$ #
-bash: ###: event not found
_

The spot where you see the first series of hashes is where the script stops 
and prompts me for a password.  I'm assuming that it is asking me for the 
enable password.  I enter the correct enable password and, as you see, I 
get a timeout.

I did modify the ssh_asa-fwsmconfig_diff script a bit after an issue I 
encountered with the ssh_pixconfig_diff script.  I was having troubles 
making the pix script work then came across this post: 
 http://www.mail-archive.com/ossec-list@googlegroups.com/msg15464.html
After reading that post and correcting the *password:* bugs, the script 
started working perfectly.  I opened the ssh_asa-fwsmconfig_diff script and 
also found spacing issues everywhere "*password:*" is referenced.  After 
doing so I was at least able to get as far as you see above but am now 
stuck again.

Here is my ssh_asa-fwsmconfig_diff script with the "*password:*" 
corrections.  I have made no other changes.  Any script geniuses out there 
that can identify any other problems that could be causing this issue for 
me? 

#!/usr/bin/env expect

# @(#) $Id$
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
# All rights reserved.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.


if {$argc < 1} {
    send_user "ERROR: ssh_pixconfig_diff  \n";
    exit 1;
}


# NOTE: this script must be called from within /var/ossec for it to work.
set passlist "agentless/.passlist"
set hostname [lindex $argv 0]
set commands [lrange $argv 1 end]
set pass "x"
set addpass "x"
set timeout 20

if {[string compare $hostname "test"] == 0} {
    if {[string compare $commands "test"] == 0} {
        exit 0;
    }
}

# Reading the password list.
if [catch {
    set in [open "$passlist" r]
} loc_error] {
    send_user "ERROR: Password list not present (use \"register_host\" first).\n"
    exit 1;
}

while {[gets $in line] != -1} {
    set me [string first "|" $line]
    set me2 [string last "|" $line]
    set length [string length $line]

    if {$me == -1} {
        continue;
    }
    if {$me2 == -1} {
        continue;
    }
    if {$me == $me2} {
        continue;
    }

    set me [expr $me-1]
    set me2 [expr $me2-1]

    set host_list [string range $line 0 $me]
    set me [expr $me+2]
    set pass_list [string range $line $me $me2]
    set me2 [expr $me2+2]
    set addpass_list [string range $line $me2 $length]

    if {[string compare $host_list $hostname] == 0} {
        set pass "$pass_list"
        set addpass "$addpass_list"
        break
    }
}
close $in


if {[string compare $pass "x"] == 0} {
    send_user "ERROR: Password for '$hostname' not found.\n"
    exit 1;
}


# SSHing to the box and passing the directories to check.
if [catch {
    spawn ssh -c des $hostname
} loc_error] {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1;
}

expect {
    "WARNING: REMOTE HOST" {
        send_user "ERROR: RSA host key for '$hostname' has changed. Unable to acccess.
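
The part of the script that survives above is the password-list lookup, and it is worth checking on its own before suspecting the SSH or enable dialogue: the script only ever reaches `spawn ssh` if a record whose host field is byte-for-byte equal to the command-line argument (here `account@10.10.10.10`) is found in `agentless/.passlist`, and the field boundaries are the first and last `|` on the line. The following is an added example, not OSSEC's code, that re-implements that loop in Python so the delimiter rules and the "x" not-found sentinel can be exercised without an ASA. The record layout host|password|enable-password is what the Tcl loop parses; the sample records, hosts and passwords below are constructed for the example.

```python
"""Re-implementation of the .passlist lookup from the expect script above.

Added example, not OSSEC's own code: it mirrors the loop that reads
agentless/.passlist so the delimiter rules can be checked without an ASA.
The record layout host|password|enable-password is what that loop parses;
the sample records below are constructed and the hosts and passwords in
them are made up.
"""
from typing import Optional, Tuple

NOT_FOUND = "x"  # sentinel the expect script initialises pass/addpass with

# Constructed password list in the format the script reads.
SAMPLE_PASSLIST = """\
# a comment line has no pipe characters, so the loop skips it
account@10.10.10.10|l0gin|en@ble
asa2.example.net|pa|ss|enable2
bad|host|name|pw|en
x-host|x|enable
"""


def lookup_passlist(text: str, hostname: str) -> Tuple[str, str]:
    """Return (password, enable_password) for hostname as the Tcl loop would.

    Rules copied from the script: skip lines with fewer than two '|';
    host is everything before the first '|', the enable password everything
    after the last '|', and the login password whatever lies between; the
    first exact host match wins; "x" in both slots means no record.
    """
    for line in text.splitlines():
        first = line.find("|")
        last = line.rfind("|")
        if first == -1 or last == -1 or first == last:
            continue
        host = line[:first]
        password = line[first + 1:last]
        addpass = line[last + 1:]
        if host == hostname:
            return password, addpass
    return NOT_FOUND, NOT_FOUND


def script_rejects(text: str, hostname: str) -> bool:
    """True when the script would print "Password for '<host>' not found".

    It tests only the login password against the sentinel "x", so a host
    whose real password is the single letter x is indistinguishable from a
    missing record.
    """
    password, _ = lookup_passlist(text, hostname)
    return password == NOT_FOUND


def check_record(host: str, password: str, addpass: str) -> Optional[str]:
    """Explain why a record would be misread when written host|pass|addpass,
    or return None when it is safe.  Only the login password may contain '|'."""
    if "|" in host:
        return "host contains '|': the part after it is read as the password"
    if "|" in addpass:
        return "enable password contains '|': its leading part is read into the login password"
    if password == NOT_FOUND:
        return "login password 'x' collides with the script's not-found sentinel"
    return None


if __name__ == "__main__":
    for host in ("account@10.10.10.10", "asa2.example.net", "10.10.10.10", "x-host"):
        verdict = "rejected" if script_rejects(SAMPLE_PASSLIST, host) else "ok"
        print(host, lookup_passlist(SAMPLE_PASSLIST, host), verdict)
```

Two things this shows that matter for the post: looking up `10.10.10.10` finds nothing when the record was registered as `account@10.10.10.10`, because the match is on the whole first field, and a `|` inside the enable password silently moves the boundary. The rest of the script is cut off above, so how the enable prompt is matched is not visible; note that expect's glob patterns are case-sensitive unless written with `-nocase`, and the ASA output above shows the enable prompt as `Password:` with a capital P, which a lowercase `*password:*` pattern would not match.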

[ossec-list] Best approach to use IP based rules

2013-02-26 Thread C. L. Martinez
HI all,

 I have defined several rules to monitor firewall logs. These rules
send an alert if srcip or dstip match one of several cdb IP blacklists
(from dshield, RBN, shadowserver, etc) ... but the cost is too
high: ossec-analysisd spends a lot of CPU resources processing the
firewall logs received (over 7 million every day).

 Is there a better approach to accomplish this task using ossec?

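
The thread gets no answer here, but one obvious way to cut the work per event is to stop consulting several lists per firewall line. The following is an added example, not OSSEC code: it merges several feed files into one CDB list source, keeping which feed listed each entry as the value, so a single list lookup per field (srcip, dstip) replaces one lookup per feed. Two assumptions are made and labelled in the code: that the CDB source format is one `key:value` line per entry, the text file `ossec-makelists` compiles, and that an `address_match_key` lookup also matches a dotted prefix such as `203.0.113.` in addition to a full address. The three feeds are constructed stand-ins with documentation addresses; real dshield, shadowserver or RBN downloads have their own layouts and need their own readers.

```python
"""Merge several IP blocklist feeds into one OSSEC CDB list source.

Added example for the thread above; it is not OSSEC code.  Assumptions:
the CDB source format is one "key:value" line per entry (the text file
ossec-makelists compiles) and an address_match_key lookup matches a dotted
prefix such as "203.0.113." as well as a full address.  The three feeds are
constructed stand-ins; real feeds differ in layout.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?$")

# Constructed feed bodies: one "ip" or "ip/prefix" per line, '#' comments.
FEEDS: Dict[str, str] = {
    "dshield": "# constructed: attacking /24s\n203.0.113.0/24\n198.51.100.7\n",
    "shadowserver": "198.51.100.7\n192.0.2.55\n10.0.0.0/8\n",
    "rbn": "192.0.2.55\nnot-an-ip\n192.0.2.0/23\n",
}


def to_cdb_key(entry: str) -> Tuple[Optional[str], str]:
    """Map 'a.b.c.d' or 'a.b.c.d/n' to a CDB key plus a reason string.

    A host becomes its address; /8, /16 and /24 become the dotted prefix
    the address_match_key lookup is assumed to use; any other mask cannot
    be written as a prefix and is returned as None so the caller reports it.
    """
    m = IPV4.match(entry.strip())
    if not m:
        return None, "unparsable"
    addr, bits = m.group(1), m.group(2)
    try:
        net = ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)
    except ValueError:
        return None, "invalid address or mask"
    if net.prefixlen == 32:
        return str(net.network_address), "host"
    if net.prefixlen in (8, 16, 24):
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(octets) + ".", "prefix"
    return None, f"/{net.prefixlen} is not an octet boundary"


def merge_feeds(feeds: Dict[str, str]) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str, str]]]:
    """Return {cdb_key: {feed names}} and the (feed, entry, reason) skipped."""
    merged: Dict[str, Set[str]] = {}
    skipped: List[Tuple[str, str, str]] = []
    for name, body in feeds.items():
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            key, why = to_cdb_key(line)
            if key is None:
                skipped.append((name, line, why))
                continue
            merged.setdefault(key, set()).add(name)
    return merged, skipped


def render_cdb(merged: Dict[str, Set[str]]) -> str:
    """Produce the key:value text for ossec-makelists; the value records
    which feeds listed the key, so one list still tells you the source."""
    return "".join(f"{key}:{','.join(sorted(srcs))}\n"
                   for key, srcs in sorted(merged.items()))


if __name__ == "__main__":
    merged, skipped = merge_feeds(FEEDS)
    print(render_cdb(merged), end="")
    for name, entry, why in skipped:
        print(f"skipped {entry!r} from {name}: {why}")
```

Write the output to `lists/blocklist`, declare it under `<rules>` in ossec.conf as `<list>lists/blocklist</list>`, and compile it with `ossec-makelists`; one rule per field using `<list field="srcip" lookup="address_match_key">lists/blocklist</list>` (and the same for dstip) then does the work that one rule per feed did before. Entries the script skips (masks that are not octet-aligned, malformed lines) are reported rather than silently dropped, so the merged list is not quietly narrower than its sources.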




Re: [ossec-list] Rule creation to suppress email alert

2013-02-26 Thread Fredrik
Hi Kevin,

Thanks for your post! I included a bad sample string that, as you point out, 
didn't include an IP; see below for an example of an actual alert.

Best,
Fredrik

On Monday, February 25, 2013 11:55:46 PM UTC+1, Kevin Kelly wrote:
>
> I believe the problem is: 192.168.x.y
>
> There is no IP address in the log entry, so the source IP will never 
> match.  Maybe you could use  instead?
>
> --
> Kevin Kelly
> Director, Network Technology
> Whitman College
>
> --
> *From: *"Fredrik" >
> *To: *ossec...@googlegroups.com 
> *Sent: *Monday, February 25, 2013 1:49:14 AM
> *Subject: *[ossec-list] Rule creation to suppress email alert
>
> Hello!
>
> I have read some of the similar posts, but can't seem to get it to work. 
> I'm trying to stop the following (syslog) message from generating an alert 
> - while the underlying cause is being dealt with:
>
> Feb 25 09:40:31.464 apf_foreignap.c:1281 
> APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. 
> MSCB still in init state. Address:00:40:96:a7:50:c6
>
> I have added a rule to local_rules.xml:
>
>  
>   
> 1002
> 192.168.x.y
> %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: 
> no_email_alert
>   
>
> I have tried different match-strings, with/without ip-address but I can't 
> seem to get a hit on my custom filter when using the ossec-logtest binary 
> and the message keeps generating email alerts, 
>
> What have I got wrong?!
>
> Fredrik  
>

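
Kevin's point is that a rule condition on a source IP is evaluated against the field a decoder extracted, never against the raw text, so for a line that contains no IP address it can never hold. The following is an added example, not OSSEC code, that makes that visible by checking a candidate rule against a sample line before it is loaded. It models only what the thread needs: every condition in a rule must hold, `<srcip>` compares against the decoded source IP, and `<match>` is treated as a plain substring test. The decoder is a stand-in that takes the first IPv4 address in the line and nothing when there is none; the "posted" rule reproduces the three conditions visible in the thread, assuming the bare `1002` is an if_sid, with a made-up address in place of 192.168.x.y; the second log line is constructed.

```python
"""Check a candidate suppression rule against a sample log line.

Added example for the thread above, not OSSEC code.  It models only the
conditions in play: all conditions must hold, <srcip> compares against the
source IP a decoder extracted (never the raw text), and <match> is treated
as a substring test.  The decoder is a stand-in; the rule values and the
second log line are assumptions for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The WLC line quoted in the thread: it carries a MAC address, no IP.
LOG_FROM_THREAD = (
    "Feb 25 09:40:31.464 apf_foreignap.c:1281 "
    "APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. "
    "MSCB still in init state. Address:00:40:96:a7:50:c6"
)
# Constructed variant with a source IP and the '%' the posted match expects.
LOG_WITH_IP = ("Feb 25 09:41:02.001 192.168.0.2 "
               "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB.")

# The posted rule's three conditions (1002 assumed to be an if_sid).
RULE_AS_POSTED = {
    "if_sid": "1002",
    "srcip": "192.168.0.2",                        # stands in for 192.168.x.y
    "match": "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: ",
}
# Same rule with the srcip condition dropped and the match string taken
# from the sample line as quoted (no leading '%').
RULE_MATCH_ONLY = {"if_sid": "1002", "match": "APF-4-REGISTER_IPADD_ON_MSCB_FAILED:"}


def decode(log: str, parent_sid: str = "1002") -> Dict[str, Optional[str]]:
    """Stand-in decoder: the fields a rule can test.  parent_sid is the id
    of the generic rule assumed to have matched first (1002 in the thread)."""
    m = IPV4.search(log)
    return {"srcip": m.group(0) if m else None, "full_log": log, "sid": parent_sid}


def rule_matches(rule: Dict[str, str],
                 fields: Dict[str, Optional[str]]) -> Tuple[bool, List[str]]:
    """Evaluate the rule; returns (matched, names of the conditions that failed)."""
    failed: List[str] = []
    if "if_sid" in rule and fields.get("sid") != rule["if_sid"]:
        failed.append("if_sid")
    if "srcip" in rule and fields.get("srcip") != rule["srcip"]:
        failed.append("srcip")  # no decoded IP: this can never be satisfied
    if "match" in rule and rule["match"] not in (fields.get("full_log") or ""):
        failed.append("match")
    return not failed, failed


if __name__ == "__main__":
    for label, log in (("thread sample", LOG_FROM_THREAD), ("with IP", LOG_WITH_IP)):
        fields = decode(log)
        for name, rule in (("posted", RULE_AS_POSTED), ("match only", RULE_MATCH_ONLY)):
            print(label, name, rule_matches(rule, fields))
```

On the line quoted in the thread the posted rule fails on two counts: no IP was decoded, so the srcip condition cannot hold, and the match string carries a leading `%` that the sample does not contain. Whether the real alert line, which the reply says differs from the sample, has the `%` is not visible in the thread, so the match string should be taken from an actual alert as logged, and `ossec-logtest` run on that same line.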