Re: Re: [ossec-list] Invalid 'if_sid' problem
Hi,

2013/03/04 13:06:27 rules_list: Signature ID '1050001' not found. Invalid 'if_sid'.

Thanks
Best Regards

From: dan (ddp)
Date: 2013-03-01 22:52
To: ossec-list
Subject: Re: [ossec-list] Invalid 'if_sid' problem

On Fri, Mar 1, 2013 at 3:14 AM, root r...@cnmoker.org wrote:

Hi all, my rules are this:

<group name="local,rsyslog,">
  <rule id="1050001" level="0">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>0</extra_data>
    <description>rsyslog is right</description>
  </rule>
  <rule id="1050002" level="1">
    <if_sid>1050001</if_sid>
    <extra_data>1</extra_data>
    <description>Rsyslog Alert</description>
  </rule>
</group>

But when I test it, log-test says this:

2013/03/01 15:57:47 ossec-testrule: INFO: Reading local decoder file.
2013/03/01 15:57:47 rules_list: Signature ID '1050001' not found. Invalid 'if_sid'.

Try using smaller numbers. 105001, 105002, etc.

I referenced the official example rules, like this:

<group name="zeus,">
  <rule id="31200" level="0">
    <decoded_as>zeus</decoded_as>
    <description>Grouping of Zeus rules.</description>
  </rule>
  <rule id="31201" level="0">
    <if_sid>31200</if_sid>
    <regex>^[\S+ \S+] INFO:|^[\S+ \S+] SSL:</regex>
    <description>Grouping of Zeus informational logs.</description>
  </rule>
</group>

Why is this OK?

Thanks
Best Regards

--
--- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
[ossec-list] Ossec agents are not appearing in Ossec Server
I installed the OSSEC server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with the OSSEC server and 3 are not.

This is the OSSEC server information:

DIRECTORY=/var/ossec
VERSION=v2.5.1
DATE=Thu Jan 13 17:03:30 AST 2011
TYPE=server

And this is the log which I collected from the newly installed agent:

2013/03/04 06:22:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 06:32:31 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 06:32:31 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 06:32:52 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 07:49:27 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 07:49:27 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 07:49:48 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 07:59:54 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 07:59:54 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 08:00:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 09:17:08 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 09:17:08 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 09:17:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.
2013/03/04 09:27:35 ossec-agentd: INFO: Trying to connect to server (192.168.9.1:1514).
2013/03/04 09:27:35 ossec-agentd: INFO: Using IPv4 for: 192.168.9.1 .
2013/03/04 09:27:56 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.9.1'.

Agent info:

[root@pdbosl02 etc]# cat ossec-init.conf
DIRECTORY=/var/ossec
VERSION=v2.6
DATE=Sat Aug 25 13:56:49 AST 2012
TYPE=agent
[ossec-list] how can i match nonzero in rules?
Hi, now I have matched the discarded value in rsyslog-stats. I want to monitor this: if the value is 0, no alert, and if it is not, alert on it! So how can I do this?

Thanks
Best Regards
[ossec-list] Email alerts grouping
Hello. I am running OSSEC 2.6. I am pushing logs from Windows Domain Controllers. I only want certain level alerts to generate emails, and different alerts to go to different groups. For example, all network alerts above 8 go to the network team, Linux alerts above 8 go to the Linux team, and ALL alerts above 11 come to me. I have emails set to go through a local sendmail instance, with emails by default going to a blackhole address.

<global>
  <email_notification>yes</email_notification>
  <email_to>blackhole@localhost</email_to>
  <smtp_server>localhost</smtp_server>
  <email_from>ossec@...</email_from>
  <logall>yes</logall>
</global>

<alerts>
  <log_alert_level>4</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>

<email_alerts>
  <email_to>network@...</email_to>
  <group>syslog,cisco_ios</group>
  <level>10</level>
  <do_not_delay />
</email_alerts>

<email_alerts>
  <email_to>chris@...</email_to>
  <level>11</level>
  <do_not_delay/>
  <do_not_group />
</email_alerts>

If a change is made to the Domain Admin group, this triggers a level 12 alert. However, the email comes through as "OSSEC Notification - (ADS1) 10.10.10.10 - Alert level 10", and somewhere in this extremely long email is the actual alert I'm interested in. I thought do_not_group was supposed to stop this, or have I misunderstood that? Is it because too many emails are going to the blackhole address? How can I achieve what I'm trying to do?

Thanks.
Chris
Re: Re: [ossec-list] Invalid 'if_sid' problem
OK, I know why this problem happens: because the local group does not have 1050001, so if_sid cannot find it.

Thanks
Best Regards

From: root
Date: 2013-03-04 13:07
To: ossec-list
Subject: Re: Re: [ossec-list] Invalid 'if_sid' problem

Hi,

2013/03/04 13:06:27 rules_list: Signature ID '1050001' not found. Invalid 'if_sid'.

Thanks
Best Regards
[ossec-list] Re: how can i match nonzero in rules?
Hi, I wrote a rule like this:

<group name="rsyslog,">
  <rule id="105001" level="0">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>^0</extra_data>
    <description>rsyslog is right</description>
  </rule>
  <rule id="105002" level="13">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>^1</extra_data>
    <description>rsyslog is wrong</description>
  </rule>
</group>

But the problem is, if the extra_data value is something like 21, it cannot match it.

Thanks
Best Regards

From: root
Date: 2013-03-04 17:08
To: ossec-list
Subject: how can i match nonzero in rules?

Hi, now I have matched the discarded value in rsyslog-stats. I want to monitor this: if the value is 0, no alert, and if it is not, alert on it! So how can I do this?

Thanks
Best Regards
[ossec-list] Re: Invalid 'if_sid' problem
I just tried your rules:

<group name="local,rsyslog,">
  <rule id="150001" level="0">
    <!-- <decoded_as>rsyslog-pstats</decoded_as> -->
    <extra_data>0</extra_data>
    <description>rsyslog is right</description>
  </rule>
  <rule id="150002" level="1">
    <if_sid>150001</if_sid>
    <extra_data>1</extra_data>
    <description>Rsyslog Alert</description>
  </rule>
</group>

and, as Dan wrote, reducing the ID number fixes your error.
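The check below is an added example (my code, not OSSEC's and not from anyone in this thread). It lints a rules file for the two things that bit this thread before you get as far as ossec-logtest: every <if_sid> or <if_matched_sid> must resolve to a rule defined in the same file or in the set of already-loaded IDs you pass in, and rule IDs should sit in the range reserved for local rules. The sample rules are the ones posted above plus one constructed rule chained to the stock sshd grouping rule 5700; the 100000-119999 range is the one OSSEC's documentation recommends for local rules and is an assumption to adjust for your version.

```python
"""Lint an OSSEC rules file for unresolved <if_sid> references and rule IDs
outside the local-rule range. Added example, not OSSEC code."""
import xml.etree.ElementTree as ET

# Assumption: OSSEC's documentation reserves 100000-119999 for local rules;
# change this if your version documents a different range.
LOCAL_ID_RANGE = (100000, 119999)
REF_TAGS = ("if_sid", "if_matched_sid")  # elements that reference other rule IDs


def parse_rules(xml_text):
    """OSSEC rules files hold several top-level <group> elements, so they are
    not one XML document; wrap them in a root element before parsing."""
    return ET.fromstring("<rules>" + xml_text + "</rules>")


def lint_rules(xml_text, known_ids=frozenset(), id_range=LOCAL_ID_RANGE):
    """Return a list of findings; an empty list means the file is clean.

    known_ids: IDs defined in rules files loaded before this one (for example
    the stock OSSEC rules), so references to them are considered valid."""
    findings = []
    defined = {}
    lo, hi = id_range
    for rule in parse_rules(xml_text).iter("rule"):
        raw = (rule.get("id") or "").strip()
        if not raw.isdigit():
            findings.append(f"rule with non-numeric id {raw!r}")
            continue
        rid = int(raw)
        if rid in defined:
            findings.append(f"rule {rid}: duplicate id")
        defined[rid] = rule
        if not lo <= rid <= hi:
            findings.append(f"rule {rid}: id outside local range {lo}-{hi}")

    resolvable = set(defined) | set(known_ids)
    for rid, rule in defined.items():
        for tag in REF_TAGS:
            for el in rule.findall(tag):
                for ref in (el.text or "").split(","):
                    ref = ref.strip()
                    if not ref:
                        continue
                    if not ref.isdigit():
                        findings.append(f"rule {rid}: <{tag}> has non-numeric id {ref!r}")
                    elif int(ref) not in resolvable:
                        findings.append(f"rule {rid}: <{tag}> references unknown rule {ref}")
    return findings


# The rules as first posted in the thread (7-digit IDs).
THREAD_RULES = """<group name="local,rsyslog,">
  <rule id="1050001" level="0">
    <decoded_as>rsyslog-pstats</decoded_as>
    <extra_data>0</extra_data>
    <description>rsyslog is right</description>
  </rule>
  <rule id="1050002" level="1">
    <if_sid>1050001</if_sid>
    <extra_data>1</extra_data>
    <description>Rsyslog Alert</description>
  </rule>
</group>"""

# The same rules with the smaller IDs suggested in the thread.
FIXED_RULES = THREAD_RULES.replace("1050001", "105001").replace("1050002", "105002")

# Constructed: a hypothetical local rule chained to stock sshd rule 5700,
# which lives in another rules file and must be passed in via known_ids.
EXTERNAL_RULES = """<group name="local,syslog,">
  <rule id="100001" level="10">
    <if_sid>5700</if_sid>
    <match>Accepted password</match>
    <description>Constructed example: password login via sshd.</description>
  </rule>
</group>"""

if __name__ == "__main__":
    for label, text in (("thread", THREAD_RULES), ("fixed", FIXED_RULES)):
        print(label, lint_rules(text) or "clean")
    print("external", lint_rules(EXTERNAL_RULES, known_ids={5700}) or "clean")
```

Run it against local_rules.xml with known_ids filled from the rule files your ossec.conf loads first; a reference the linter cannot resolve is exactly the case that produces "Signature ID ... not found. Invalid 'if_sid'" at load time.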
[ossec-list] Re: Has anyone successfully set up agentless monitoring of SonicWALL firewalls?
bump

On Tuesday, February 26, 2013 9:44:59 AM UTC-7, cspragu...@gmail.com wrote:

If so, did you use one of the scripts within /var/ossec/agentless or did you create your own script?
[ossec-list] syscheck on agent - space? Missing something?
Just wondering if I am missing something. I have an agent that has used too much space for syscheck changes. I want to re-init with new rules. If I run syscheck_control with -u it says it will INIT the database, but the old stuff is still there. So I have to get on every system to clear the old junk and wasted space? Am I missing something here?

Thanks
[ossec-list] Re: Ossec agents are not appearing in Ossec Server
Update to 2.7 on both manager and client ...

On Sunday, March 3, 2013 11:46:51 PM UTC-8, Umair Mustafa wrote:

I installed the OSSEC server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with the OSSEC server and 3 are not.
[ossec-list] Whitelist instead of blacklist
Hey everybody,

I have a task that I'm struggling with; could you help?

*Task*: I need to have a blacklist capability on all of my agents (to alert, not block).

*Issue 1*: The blacklist contains over 700 IPs (currently), so creating a rule for each would (to me) seem taxing on the agent and server.

*Issue 2*: The whitelist will contain over 200 IPs or 10 domains/subnets.

*Questions*:
- Should I use a whitelist instead of the blacklist?
- Has anybody on this list done this?
- What is the most practical method?

*Research*:
- I found an excellent example written by Anthony Kasza (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents will be running nc.
- I looked on this list and other great resources but do not have a good answer.

Thank you in advance for your time!
[ossec-list] Re: multiple OSSEC decoders on the same event has some problem
Now I wrote it like this:

<decoder name="rsyslog-pstats-main">
  <parent>rsyslog-pstats</parent>
  <prematch>^main\sQ</prematch>
</decoder>

<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-main</parent>
  <regex offset="after_parent">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-main</parent>
  <regex offset="after_parent">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

but the server says:

2013/03/05 12:27:03 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'rsyslog-pstats-main'.
2013/03/05 12:27:03 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
2013/03/05 12:27:03 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
2013/03/05 12:28:13 ossec-syscheckd: INFO: Starting syscheck scan.

Thanks
Best Regards

From: root
Date: 2013-03-04 12:43
To: ossec-list
Subject: multiple OSSEC decoders on the same event has some problem

Hi all, now I want to match these events:

2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
2013-03-04T12:39:54.901163+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0
2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441
2013-03-04T12:40:04.906896+08:00 localhost rsyslogd-pstats: imuxsock: submitted=1568 ratelimit.discarded=0 ratelimit.numratelimiters=0
2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0
2013-03-04T12:40:04.906921+08:00 localhost rsyslogd-pstats: action 2: processed=2393 failed=0
2013-03-04T12:40:04.906923+08:00 localhost rsyslogd-pstats: action 3: processed=35 failed=0
2013-03-04T12:40:04.906925+08:00 localhost rsyslogd-pstats: action 4: processed=2 failed=0
2013-03-04T12:40:04.906926+08:00 localhost rsyslogd-pstats: action 5: processed=32 failed=0
2013-03-04T12:40:04.906928+08:00 localhost rsyslogd-pstats: action 6: processed=0 failed=0
2013-03-04T12:40:04.906930+08:00 localhost rsyslogd-pstats: action 7: processed=0 failed=0
2013-03-04T12:40:04.906931+08:00 localhost rsyslogd-pstats: action 8: processed=0 failed=0

I want to match all of the failed or discarded values. My decoder is like this:

<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

<!-- failed -->
<decoder name="rsyslog-pstats-failed">
  <parent>rsyslog-pstats</parent>
  <prematch>^action\s\d+</prematch>
  <regex offset="after_prematch">^\.*failed=(\d+)</regex>
  <order>extra_data</order>
</decoder>

<!-- main Q -->
<decoder name="rsyslog-pstats-discarded">
  <parent>rsyslog-pstats</parent>
  <prematch>^main\sQ</prematch>
</decoder>

<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>
<!-- the end of rsyslog -->

But OSSEC says:

2013/03/04 12:35:47 ossec-analysisd(2107): ERROR: Decoder configuration error: 'rsyslog-pstats-discarded-full'.
2013/03/04 12:35:47 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

I think this part has the problem, but I do not know why and how:

<decoder name="rsyslog-pstats-discarded-full">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pfull=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

<decoder name="rsyslog-pstats-discarded-nf">
  <parent>rsyslog-pstats-discarded</parent>
  <regex offset="after_prematch">^\.*discarded\pnf=(\d+)\.*</regex>
  <order>extra_data</order>
</decoder>

Thanks
Best Regards
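The script below is an added example (my code, not OSSEC's and not from anyone in this thread). It serves two posts: the decoder post above, by running the posted rsyslog-pstats prematch and regex pairs over the posted log lines, and the earlier "how can i match nonzero in rules?" post, by checking candidate <extra_data> patterns against the captured counter, including the "21" case that ^1 misses. It does this by translating the OSSEC regex subset these patterns use (\d, \s, \p, \., ^, $, |, +, *) into Python re, following the OSSEC regex syntax documentation; that translation only approximates OS_Regex (the \w and \s classes in particular are assumptions), it does not model how OSSEC picks between sibling decoders, and it says nothing about the "Parent decoder name invalid" error, so ossec-logtest remains the authority. The last sample line, with nonzero counters, is constructed.

```python
"""Offline check of OSSEC decoder regexes and <extra_data> patterns by
translating the OSSEC regex subset into Python re. Added example, not OSSEC
code; an approximation of OS_Regex, not a replacement for ossec-logtest."""
import re

# OSSEC escapes -> Python re, per the OSSEC regex syntax documentation.
# \w and \s are approximations (assumption); the patterns tested here do not
# depend on the difference.
OSSEC_ESCAPES = {
    "d": "[0-9]", "D": "[^0-9]",
    "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]",
    "s": " ", "S": "[^ ]",
    "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",  # OSSEC \p: punctuation ()*+,-.:;<=>?[]
    ".": ".",                      # OSSEC \. matches any character
}
PASSTHROUGH = set("^$|()*+")       # same meaning in both syntaxes


def ossec_to_python(pattern):
    """Translate an OSSEC regex (OS_Regex subset) into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in PASSTHROUGH else re.escape(ch))
        i += 1
    return "".join(out)


def ossec_search(pattern, text):
    """OSSEC patterns without a leading ^ match anywhere, like re.search."""
    return re.search(ossec_to_python(pattern), text)


# (decoder name, prematch, regex with offset="after_prematch", field), taken
# from the decoder.xml posted in the thread. Only the regexes are modelled.
PSTATS_DECODERS = [
    ("rsyslog-pstats-failed", r"^action\s\d+", r"^\.*failed=(\d+)", "failed"),
    ("rsyslog-pstats-discarded-full", r"^main\sQ",
     r"^\.*discarded\pfull=(\d+)\.*", "discarded.full"),
    ("rsyslog-pstats-discarded-nf", r"^main\sQ",
     r"^\.*discarded\pnf=(\d+)\.*", "discarded.nf"),
]


def decode_pstats(line):
    """Return {field: int} for an rsyslogd-pstats syslog line, {} otherwise."""
    try:
        _ts, _host, rest = line.split(" ", 2)
    except ValueError:
        return {}
    program, sep, message = rest.partition(": ")
    if not sep or not ossec_search(r"^rsyslogd-pstats", program):  # parent decoder
        return {}
    found = {}
    for _name, prematch, regex, field in PSTATS_DECODERS:
        pm = ossec_search(prematch, message)
        if pm is None:
            continue
        m = ossec_search(regex, message[pm.end():])  # offset="after_prematch"
        if m is not None:
            found[field] = int(m.group(1))
    return found


# Candidate <extra_data> patterns for the captured counter. OS_Regex has no
# [1-9] class, so "nonzero" is spelled out as an alternation; that is exact
# because the capture is \d+ and never carries a leading zero.
RULE_PATTERNS = {
    "zero": r"^0$",                              # exactly 0: the level-0 rule
    "starts_with_1": r"^1",                      # what the post tried; misses 21
    "nonzero": r"^1|^2|^3|^4|^5|^6|^7|^8|^9",    # any count other than 0
}


def rule_hits(value):
    """Names of the patterns that match the decoded extra_data string."""
    return [name for name, pat in RULE_PATTERNS.items() if ossec_search(pat, value)]


# Lines from the thread, plus one constructed line with nonzero counters.
SAMPLE_LINES = [
    "2013-03-04T12:39:54.901160+08:00 localhost rsyslogd-pstats: imudp(*:514): submitted=0",
    "2013-03-04T12:39:54.901167+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=0 discarded.nf=0 maxqsize=1441",
    "2013-03-04T12:40:04.906918+08:00 localhost rsyslogd-pstats: action 1: processed=10116 failed=0",
    "2013-03-04T12:41:04.000000+08:00 localhost rsyslogd-pstats: main Q: size=11 enqueued=13130 full=0 discarded.full=3 discarded.nf=21 maxqsize=1441",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = decode_pstats(line)
        print(fields, {f: rule_hits(str(v)) for f, v in fields.items()})
```

The useful output is the last line: discarded.nf=21 hits only the "nonzero" alternation, which is the <extra_data> pattern to pair with a level-0 ^0$ rule; once a pattern passes here, confirm it with ossec-logtest, which applies the real OS_Regex.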
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
Is it possible to add this functionality in a future version of ossec-agent for Windows?

On Wednesday, February 27, 2013 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in ossec-hids/src/win32/. I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013 2:01:56 UTC+6, dan (ddpbsd) wrote:

On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:

I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in the specific agent profile.

You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.

On Tuesday, February 19, 2013 23:15:44 UTC+6, dan (ddpbsd) wrote:

On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:

ossec.conf (agent test_PC):

<ossec_config>
  <client>
    <config-profile>test1</config-profile>
    <server-ip>1.1.1.1</server-ip>
  </client>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

agent.conf (server):

<agent_config name="test_PC">
  <syscheck>
    <directories check_all="yes">D:/</directories>
  </syscheck>
</agent_config>

<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:/</directories>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">C:/</directories>
  </syscheck>
</agent_config>

ossec.log (agent):

2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.

Disk F is not monitored. The same configuration for an agent under FreeBSD works fine.

--

You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:

<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:\.</directories>  <!-- Notice the . -->
  </syscheck>
</agent_config>

I can't test this at the moment, so I don't know for sure that it will work.