[ossec-list] how to monitor ossec status?

2013-03-12 Thread root
Hi all,

Now I want to monitor OSSEC status. How can I do that?

For example, monitoring OSSEC discarded packets.

  Thanks & best regards

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




[ossec-list] how to set a White List ip for all rules?

2013-03-12 Thread root

  Hi all,


How do I set a whitelisted IP for all rules?



  Thanks & best regards





Re: [ossec-list] how to monitor ossec status?

2013-03-12 Thread dan (ddp)
On Mar 12, 2013 6:49 AM, "root"  wrote:
>
> hi,all
>
> now, i want monitor ossec status,how can i do?
>
> like ossec discarded packet monitor
>
>   thanks&Best Regards
>

/var/ossec/bin/ossec-control status is about all we have.

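Building on dan's answer, here is an added example (mine, not from the list or the OSSEC project) that turns the output of `/var/ossec/bin/ossec-control status` into a check a monitoring system can poll. The sample output is constructed in the "<daemon> is running..." / "<daemon> not running..." shape the script prints, with one daemon deliberately down; the exit-code convention in `probe()` is my choice, not OSSEC's.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `ossec-control status` output (OSSEC 2.x wording);
# ossec-remoted is deliberately shown as stopped.
SAMPLE_STATUS = """\
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
"""

STATUS_RE = re.compile(r"^(?P<daemon>ossec-\S+) (?P<state>is running|not running)\.\.\.$")


def parse_status(output: str) -> Dict[str, bool]:
    """Map every daemon named in the status output to True (running) or False."""
    state: Dict[str, bool] = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            state[m["daemon"]] = m["state"] == "is running"
    return state


def stopped_daemons(output: str) -> List[str]:
    """Sorted list of daemons reported as not running."""
    return sorted(d for d, up in parse_status(output).items() if not up)


def probe(control: str = "/var/ossec/bin/ossec-control") -> int:
    """Run the real command and return a Nagios-style exit code (my convention):
    0 = every reported daemon is running, 2 = at least one is down,
    3 = the output could not be parsed (wrong path, permissions, other version)."""
    proc = subprocess.run([control, "status"], capture_output=True, text=True, check=False)
    if not parse_status(proc.stdout):
        return 3
    return 2 if stopped_daemons(proc.stdout) else 0


if __name__ == "__main__":
    import sys

    down = stopped_daemons(SAMPLE_STATUS)
    print("sample: stopped daemons =", down)   # ['ossec-remoted']
    sys.exit(probe())
```

This only covers process state, which is all `ossec-control status` reports; it says nothing about discarded packets, so a dropped-message counter would have to come from somewhere else.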




Re: [ossec-list] how to set a White List ip for all rules?

2013-03-12 Thread dan (ddp)
On Mar 12, 2013 6:50 AM, "root"  wrote:
>
>
>   hi,all
>
>
> how to set a  White List  ip for all rules?
>
>
>
>   thanks&Best Regards
>

There isn't a way to do that. White lists are only for active response.





[ossec-list] Repeated Offenders not triggering

2013-03-12 Thread Martin G

I am running an agent/server configuration of OSSEC.  I have added the 
repeated offenders configuration block to all of my agents and the server 
as follows:

  <active-response>
    <repeated_offenders>120,180,240</repeated_offenders>
  </active-response>


When I restart OSSEC, I do see the messages indicating that it recognizes 
the settings:

2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 120 (for #1)
2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 180 (for #2)
2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 240 (for #3)

However, I continue to see repeated attacks that are coming back every 
hour, or rather, the blocking is deleted after one hour each time:

Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:29 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363097189.212231955 5712

I am running OSSEC version 2.6 on all machines.

The only answer I've seen to this issue is to make sure it is configured on 
the agent side but, as I mentioned, I am already doing that.

Am I missing something?

Thanks.

Martin





[ossec-list] repeated_offenders not working

2013-03-12 Thread Martin Gottlieb


Hello,

I have added the repeated_offenders configuration block to all of my 
agents and the server as follows:


<active-response>
  <repeated_offenders>120,180,240</repeated_offenders>
</active-response>

When I restart OSSEC on the agent, I do see the messages indicating that 
it recognizes the settings:


2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 (for #1)
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 (for #2)
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 (for #3)


However, I continue to see repeated attacks where the blocking is 
deleted after the default 60 minutes each time:


Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363093523.180046077 5712


The only solution I've seen to this issue is to make sure this is 
configured on the agent side, not the server.  As I mentioned, I have 
done this.

I am running OSSEC 2.6 on the server and all agents.

Am I missing something?

thanks.

Martin

PS.  Sorry if this is a duplicate posting, I tried posting through the 
web interface and it didn't show up.


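Both repeated_offenders posts above show the same symptom: every block lasts about an hour regardless of how many times the address has come back. The following is an added example (mine, not Martin's script or anything from OSSEC) that reads /var/ossec/logs/active-responses.log in the format shown in those posts, pairs each `add` with its `delete`, and compares the observed block lifetimes with the escalation a repeated_offenders list should produce. The sample log is constructed from the timestamps in the post (rejoined onto one line per entry, as the file actually stores them); the 60-minute base timeout and the assumption that the n-th repeat gets the n-th list entry (the last entry for all later repeats) are mine, not taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, built from the timestamps Martin posted, one log entry per line.
SAMPLE_AR_LOG = """\
Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 1363093523.180046077 5712
Tue Mar 12 10:06:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 1363093523.180046077 5712
"""

# "<weekday> <mon> <day> <hh:mm:ss> <tz> <year> <script> <add|delete> - <ip> <alert id> <rule id>"
LINE_RE = re.compile(
    r"^(?P<wday>\w{3}) (?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) - (?P<ip>\S+) (?P<alert_id>\S+) (?P<rule>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, script, action, ip) or None for a line that is not an AR record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S")
    return ts, m["script"], m["action"], m["ip"]


def block_durations(log_text: str) -> Dict[str, List[int]]:
    """Per source IP, the lifetime in seconds of each add -> delete pair, in log order."""
    pending: Dict[Tuple[str, str], datetime] = {}
    durations: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, script, action, ip = rec
        key = (script, ip)
        if action == "add":
            pending[key] = ts
        elif key in pending:  # a delete with no matching add is ignored
            durations[ip].append(int((ts - pending.pop(key)).total_seconds()))
    return dict(durations)


def expected_timeouts(count: int, base_minutes: int, repeated: List[int]) -> List[int]:
    """Assumed schedule: first block uses the command's base timeout, the n-th repeat
    uses the n-th repeated_offenders entry, and the last entry covers later repeats."""
    return [base_minutes if i == 0 else repeated[min(i - 1, len(repeated) - 1)]
            for i in range(count)]


def diagnose(log_text: str, base_minutes: int, repeated: List[int],
             slack_minutes: int = 2) -> Dict[str, List[Tuple[int, int, bool]]]:
    """Per IP, (observed minutes, expected minutes, ok) for each block; ok is False when
    the block was released well before the escalated timeout it should have had."""
    results = {}
    for ip, secs in block_durations(log_text).items():
        expected = expected_timeouts(len(secs), base_minutes, repeated)
        results[ip] = [(s // 60, e, s // 60 >= e - slack_minutes) for s, e in zip(secs, expected)]
    return results


if __name__ == "__main__":
    for ip, rows in diagnose(SAMPLE_AR_LOG, 60, [120, 180, 240]).items():
        for n, (got, want, ok) in enumerate(rows, 1):
            print(f"{ip} block #{n}: {got} min observed, {want} min expected -> {'ok' if ok else 'NOT escalated'}")
```

On Martin's data the first block passes and the next four are released after roughly 61 minutes instead of 120, 180, 240 and 240, which is the signal that the repeated_offenders list is not being applied on the host that runs firewall-drop.sh. Run against a real file with `diagnose(open("/var/ossec/logs/active-responses.log").read(), 60, [120, 180, 240])`, substituting your own command timeout for 60.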




RE: [ossec-list] Newish to Ossec with question

2013-03-12 Thread Rhoads, Robert W.
Thank you!  A few started popping up later, took longer than I thought it would.

Rob

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of dan (ddp)
Sent: Monday, March 11, 2013 4:55 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Newish to Ossec with question

On Mon, Mar 11, 2013 at 4:41 PM, Rhoads, Robert W.
 wrote:
> Here is an example of an alert I would think would be emailed out given its 
> alert level (substitutions made to protect data):
>
> ** Alert 1363025973.366006859: mail  - ids,fts,
> 2013 Mar 11 14:19:33 (SNORTsvr)  ->/var/snort/logs/alerts
> Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
> Src IP: 
> Dst IP: 
> 03/11-13:19:30.519963  [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL 
> Injection closing string plus line comment [**] [Classification: 
> Attempted User Privilege Gain] [Priority: 1] {TCP :63836 
> -> :1433
>
>
> The ossec.conf section for email is:
>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>rhoa...@location.va.us</email_to>
>     <email_to>grav...@location.va.us</email_to>
>     <smtp_server>1.2.3.4</smtp_server>
>     <email_from>oss...@svr.location.tld</email_from>
>   </global>
>

I can't think of a reason offhand that wouldn't send an email. If you have 
access to the maillogs you could try seeing if the mail server rejected the 
messages. If you don't, getting a packet capture when one of these alerts fires 
might be helpful to see if OSSEC tries to send the email.


>
> Rob
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] 
> On Behalf Of dan (ddp)
> Sent: Monday, March 11, 2013 4:06 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Newish to Ossec with question
>
> On Mon, Mar 11, 2013 at 3:48 PM, Rhoads, Robert W.
>  wrote:
>> Hello to everyone.  I am fairly new to OSSEC and need a little 
>> assistance or nudge in the right direction.
>>
>>
>>
>> I have installed the OSSEC agent on a Linux system running SNORT, and 
>> have configured the OSSEC agent to look at and read the SNORT alert 
>> file.  I have confirmed that this does work, and according to the 
>> OSSEC alert log on the server, OSSEC server sees and generates an 
>> alert on IDS events...however, these alerts OSSEC sees and generates in its 
>> log file are not emailed out.
>> The setting for email alerts is set to level 7, and while the 
>> majority are at level six, several level 8 and level 10 alerts do 
>> appear in the log file and email was never generated.  I am receiving 
>> email alerts for other type alerts generated by OSSEC.
>>
>>
>>
>> Do I need to create my own rule to get OSSEC to email the alerts to 
>> me?  If not, where might I go poking around to solve this?
>>
>>
>>
>> Respectfully,
>>
>>
>>
>> Robert Rhoads
>>
>>
>>
>
> What alerts are you seeing in your ossec alerts.log that you expect emails 
> on? How do you have email setup in ossec?
>
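The alert Rob quoted carries the `mail` token in its header line (`** Alert 1363025973.366006859: mail  - ids,fts,`), which is how alerts.log records that analysisd flagged the alert for ossec-maild. Splitting the "not emailed" complaint on that token narrows dan's suggested checks: an alert that is flagged but never arrives points at maild or the SMTP hop (maillogs, packet capture), while an alert at or above `email_alert_level` that is not flagged points at the rule itself (for instance the `no_email_alert` rule option). The following is an added example, not from the thread or from OSSEC, that does this triage over alerts.log; the sample entries are constructed around the alert in the post, with placeholder addresses and two extra alerts made up for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of /var/ossec/logs/alerts.log: the posted level-8 alert (flagged for
# mail), a made-up level-10 alert that is not flagged, and a low-level one for contrast.
SAMPLE_ALERTS = """\
** Alert 1363025973.366006859: mail  - ids,fts,
2013 Mar 11 14:19:33 (SNORTsvr) 192.0.2.10->/var/snort/logs/alerts
Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
Src IP: (none)
Dst IP: (none)
03/11-13:19:30.519963  [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL Injection closing string plus line comment [**] {TCP} 198.51.100.7:63836 -> 192.0.2.20:1433

** Alert 1363026001.366007100: - ids,
2013 Mar 11 14:20:01 (SNORTsvr) 192.0.2.10->/var/snort/logs/alerts
Rule: 20101 (level 10) -> 'Multiple IDS alerts for same id.'
Src IP: (none)
Dst IP: (none)
03/11-13:20:00.000001  [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL Injection closing string plus line comment [**] {TCP} 198.51.100.7:63840 -> 192.0.2.20:1433

** Alert 1363026030.366007200: - syslog,sshd,authentication_success,
2013 Mar 11 14:20:30 (SNORTsvr) 192.0.2.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.50
User: rob
Mar 11 13:20:29 snortsvr sshd[2201]: Accepted publickey for rob from 192.0.2.50 port 50022 ssh2
"""

# "** Alert <id>: mail  - <groups>" when flagged for email, "** Alert <id>: - <groups>" otherwise.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail> mail )? - (?P<groups>\S*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text: str) -> List[Dict]:
    """Extract id, mail flag, groups, rule id and level for every alert in alerts.log text."""
    alerts: List[Dict] = []
    cur = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"id": h["id"], "mail": bool(h["mail"]),
                   "groups": [g for g in h["groups"].split(",") if g],
                   "rule": None, "level": None}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        r = RULE_RE.match(line)
        if r:
            cur["rule"], cur["level"] = int(r["rule"]), int(r["level"])
    return alerts


def triage(text: str, email_alert_level: int) -> List[Tuple[str, int, int, str]]:
    """(id, rule, level, status) per alert:
    queued_for_mail -> analysisd flagged it; if it never arrived, look at maild/SMTP
    not_queued      -> level is high enough but it was not flagged; look at the rule
    below_level     -> no email was ever due"""
    out = []
    for a in parse_alerts(text):
        if a["level"] is None:
            continue
        if a["mail"]:
            status = "queued_for_mail"
        elif a["level"] >= email_alert_level:
            status = "not_queued"
        else:
            status = "below_level"
        out.append((a["id"], a["rule"], a["level"], status))
    return out


if __name__ == "__main__":
    for alert_id, rule, level, status in triage(SAMPLE_ALERTS, email_alert_level=7):
        print(f"{alert_id} rule {rule} level {level}: {status}")
```

Against a live system, read `/var/ossec/logs/alerts/alerts.log` and pass the `email_alert_level` from your `<alerts>` section; Rob's alert lands in `queued_for_mail`, which is exactly the case where the maillogs and a packet capture are the next place to look.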




Re: [ossec-list] repeated_offenders not working

2013-03-12 Thread Dimitri Yioulos
On Tuesday 12 March 2013 11:22:24 am Martin Gottlieb wrote:
> Hello,
>
> I have added the repeated_offenders configuration block
> to all of my agents and the server as follows:
>
> 
>  120180240
> 
>
> When I restart OSSEC on the agent, I do see the messages
> indicating that it recognizes the settings:
>
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
> timeout: 120 (for #1)
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
> timeout: 180 (for #2)
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
> timeout: 240 (for #3)
>
> However, I continue to see repeated attacks where the
> blocking is deleted after the default 60 minutes each
> time:
>
> Tue Mar 12 04:02:23 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363075343.32232753 5720
> Tue Mar 12 05:02:55 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363075343.32232753 5720
> Tue Mar 12 05:45:03 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363081503.103380375 5712
> Tue Mar 12 06:46:19 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363081503.103380375 5712
> Tue Mar 12 06:47:26 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363085246.126982032 5712
> Tue Mar 12 07:48:42 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363085246.126982032 5712
> Tue Mar 12 08:02:53 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363089773.151565087 5712
> Tue Mar 12 09:04:16 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363089773.151565087 5712
> Tue Mar 12 09:05:23 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh add -
> 209.190.64.19 1363093523.180046077 5712
> Tue Mar 12 10:06:19 EDT 2013
> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 209.190.64.19 1363093523.180046077 5712
>
> The only solution I've seen to this issue is to make sure
> this is configured on the agent side, not the server.  As
> I mentioned, I have done this.
> I am running OSSEC 2.6 on the server and all agents.
>
> Am I missing something?
>
> thanks.
>
> Martin
>
> PS.  Sorry if this is a duplicate posting, I tried
> posting through the web interface and it didn't show up.
>


For what it's worth, I have the same problem.

Dimitri





Re: [ossec-list] repeated_offenders not working

2013-03-12 Thread dan (ddp)
On Mar 12, 2013 11:40 AM, "Martin Gottlieb"  wrote:
>
>
> Hello,
>
> I have added the repeated_offenders configuration block to all of my
agents and the server as follows:
>
> 
> 120180240
> 
>
> When I restart OSSEC on the agent, I do see the messages indicating that
it recognizes the settings:
>
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 (for
#1)
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 (for
#2)
> 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 (for
#3)
>
> However, I continue to see repeated attacks where the blocking is deleted
after the default 60 minutes each time:
>
> Tue Mar 12 04:02:23 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19
1363075343.32232753 5720
> Tue Mar 12 05:02:55 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19
1363075343.32232753 5720
> Tue Mar 12 05:45:03 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19
1363081503.103380375 5712
> Tue Mar 12 06:46:19 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19
1363081503.103380375 5712
> Tue Mar 12 06:47:26 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19
1363085246.126982032 5712
> Tue Mar 12 07:48:42 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19
1363085246.126982032 5712
> Tue Mar 12 08:02:53 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19
1363089773.151565087 5712
> Tue Mar 12 09:04:16 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19
1363089773.151565087 5712
> Tue Mar 12 09:05:23 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19
1363093523.180046077 5712
> Tue Mar 12 10:06:19 EDT 2013
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19
1363093523.180046077 5712
>
> The only solution I've seen to this issue is to make sure this is
configured on the agent side, not the server.  As I mentioned, I have done
this.

So this works if you correctly configure this setting on the agent?

> I am running OSSEC 2.6 on the server and all agents.
>
> Am I missing something?
>
> thanks.
>
> Martin
>
> PS.  Sorry if this is a duplicate posting, I tried posting through the
web interface and it didn't show up.
>




Re: [ossec-list] repeated_offenders not working

2013-03-12 Thread Martin G

Not for me, but apparently it does for others.

On Tuesday, March 12, 2013 11:56:56 AM UTC-4, dan (ddpbsd) wrote:
>
>
> On Mar 12, 2013 11:40 AM, "Martin Gottlieb" 
> > 
> wrote:
> >
> >
> > Hello,
> >
> > I have added the repeated_offenders configuration block to all of my 
> agents and the server as follows: 
> >
> >  
> > 120180240 
> >  
> >
> > When I restart OSSEC on the agent, I do see the messages indicating that 
> it recognizes the settings:
> >
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 
> (for #1)
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 
> (for #2)
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 
> (for #3)
> >
> > However, I continue to see repeated attacks where the blocking is 
> deleted after the default 60 minutes each time:
> >
> > Tue Mar 12 04:02:23 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363075343.32232753 5720
> > Tue Mar 12 05:02:55 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363075343.32232753 5720
> > Tue Mar 12 05:45:03 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363081503.103380375 5712
> > Tue Mar 12 06:46:19 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363081503.103380375 5712
> > Tue Mar 12 06:47:26 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363085246.126982032 5712
> > Tue Mar 12 07:48:42 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363085246.126982032 5712
> > Tue Mar 12 08:02:53 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363089773.151565087 5712
> > Tue Mar 12 09:04:16 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363089773.151565087 5712
> > Tue Mar 12 09:05:23 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363093523.180046077 5712
> > Tue Mar 12 10:06:19 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363093523.180046077 5712
> >
> > The only solution I've seen to this issue is to make sure this is 
> configured on the agent side, not the server.  As I mentioned, I have done 
> this.
>
> So this works if you correctly configure this setting on the agent?
>
> > I am running OSSEC 2.6 on the server and all agents.
> >
> > Am I missing something?
> >
> > thanks.
> >
> > Martin
> >
> > PS.  Sorry if this is a duplicate posting, I tried posting through the 
> web interface and it didn't show up.
> >




[ossec-list] Re: 13% CPU load generated by ossec-authd

2013-03-12 Thread Kat
Been seeing that a lot too -- going to try the repo update and see how that 
works.

Perhaps it is time for a 2.7.1 release - I think we have enough general 
fixes to warrant it.

cheers
-K
