[ossec-list] OSSEC HA settings

2014-02-11 Thread Dolph Rocks
Hi ,

Can anyone please tell me the exact steps to set up a High Availability 
server for an already running ossec server?


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [ossec-list] Netstat port alerts

2014-02-11 Thread Brad Lhotsky
You can use active response to verify an alert,

local_rules.xml

<!-- DEMOTE the netstat rule and make it STFU -->
<!-- rule ids kept as posted; OSSEC reserves 100000-119999 for local rules -->
<rule id="10" level="1">
  <match>ossec: output: 'netstat'</match>
  <options>no_email_alert</options>
  <description>Netstat Listening Ports Changed, verify</description>
</rule>

<!-- Escalate if we verify -->
<rule id="11" level="12">
  <!-- fires only on syslog lines tagged ossec-ar-verify (decoder below) -->
  <decoded_as>ossec-ar-verify</decoded_as>
  <match>^netstat</match>
  <description>Netstat Verified Listening Ports Changed</description>
</rule>

ossec.conf

  <command>
    <name>ossec-ar-verify-netstat</name>
    <executable>ossec-ar-verify-netstat.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>ossec-ar-verify-netstat</command>
    <location>local</location>
    <rules_id>10</rules_id>
  </active-response>

<!-- OSSEC ActiveResponse to Verify Alerts (local decoders) -->

<decoder name="ossec-ar-verify">
    <program_name>ossec-ar-verify</program_name>
</decoder>


<!--
    Crontab Verify Sample:
     - Aug 30 16:33:13 puppet-03 ossec-ar-verify: crontab root control:puppet - puppet:2012-05-23T10:39:36 file:2012-08-30T14:33:13
-->
<decoder name="ossec-ar-verify-crontab">
    <parent>ossec-ar-verify</parent>
    <prematch>^crontab </prematch>
    <regex offset="after_prematch">^(\S+)</regex>
    <order>user</order>
</decoder>

<decoder name="ossec-ar-verify-file">
    <parent>ossec-ar-verify</parent>
    <prematch>^file </prematch>
    <regex offset="after_prematch">^(\S+)</regex>
    <order>action</order>
</decoder>

<!-- first token after "netstat " is the port, stored in srcport -->
<decoder name="ossec-ar-verify-netstat">
    <parent>ossec-ar-verify</parent>
    <prematch>^netstat </prematch>
    <regex offset="after_prematch">^(\S+)</regex>
    <order>srcport</order>
</decoder>

Then have your script run netstat with your wrapper and compare it to the 
previous run, though you'll need to baseline it either via your config 
management system or by looking at the OSSEC history in /var/ossec/queue/diff/, 
though I don't remember off-hand where those are stored.  If there's a new 
port, then:
     logger -t ossec-ar-verify netstat $PORT new/missing/whatever

And if there are no results, just don’t syslog anything.  Really easy way to 
abuse ActiveResponse to work for you.

-- 
Brad Lhotsky

On 10 Feb 2014 at 04:49:35, scoobydooxp (ajprow...@gmail.com) wrote:

I'd really like to run the netstat check on our FTP server. Whenever an FTP 
Data connection opens on a random high port, OSSEC alerts about netstat 
changing. Is there a way to run a custom netstat wrapper? I wrote a netstat 
wrapper that uses -p to exclude vsftpd high ports but OSSEC does not seem to 
like the command. Any tips please?

Thanks in advance,
Scooby

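The verify script Brad's reply leaves to the reader, written out as an added example. It is not code from the list post or from the OSSEC project. It does the three things the reply asks for: runs netstat and keeps only non-loopback TCP listeners, drops the passive-FTP port range (the filtering Scooby's -p wrapper was doing), diffs the result against a stored baseline, and logs one `netstat PORT new` or `netstat PORT missing` line per change with the `ossec-ar-verify` tag so the decoder's srcport capture and rule 11 pick it up. Nothing is logged when the lists match. The baseline path, the vsftpd passive range and the logger tag are assumed placeholders to adjust per host.

```shell
#!/bin/sh
# ossec-ar-verify-netstat.sh
# Added example of the verify script the reply describes; not code from the
# list post or from the OSSEC project. Assumed (placeholder) values: the
# baseline path, the vsftpd passive port range and the logger tag.

BASELINE="${BASELINE:-/var/ossec/etc/netstat.baseline}"  # assumed location
PASV_MIN="${PASV_MIN:-40000}"   # assumed vsftpd pasv_min_port
PASV_MAX="${PASV_MAX:-40100}"   # assumed vsftpd pasv_max_port
TAG="ossec-ar-verify"           # program_name the decoders above key on

# Print one port number per non-loopback TCP listener, lexically sorted and
# unique (comm below needs both lists sorted the same way).
current_listeners() {
    netstat -tan 2>/dev/null \
      | awk '$6 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^::1:/ {
                n = split($4, a, ":"); print a[n] }' \
      | sort -u
}

# Drop ports inside the passive-FTP range (stdin -> stdout): vsftpd data
# connections on those ports are expected and never count as a change.
filter_pasv() {
    while IFS= read -r port; do
        if [ "$port" -ge "$PASV_MIN" ] && [ "$port" -le "$PASV_MAX" ]; then
            continue
        fi
        printf '%s\n' "$port"
    done
}

# Compare a baseline list with a current list (both sorted, one port per line).
# Prints "PORT new" / "PORT missing", so after the "netstat " prefix the port
# is the first token and lands in the decoder's srcport field. Prints nothing
# when the lists match, which is what keeps rule 11 quiet.
diff_listeners() {
    comm -13 "$1" "$2" | sed 's/$/ new/'
    comm -23 "$1" "$2" | sed 's/$/ missing/'
}

# Entry point called by ossec-execd. The first argument is the action; with
# timeout_allowed set to "no" only "add" is ever passed, anything else is ignored.
run_verify() {
    [ "${1:-add}" = "add" ] || return 0
    current=$(mktemp) || return 1
    current_listeners | filter_pasv > "$current"
    if [ ! -f "$BASELINE" ]; then
        # First run on a host: record the baseline instead of alerting.
        cp "$current" "$BASELINE"
    else
        diff_listeners "$BASELINE" "$current" | while IFS= read -r change; do
            logger -t "$TAG" "netstat $change"
        done
    fi
    rm -f "$current"
}

# Run only when executed as the script itself, so the functions can be sourced.
case "$0" in
    */ossec-ar-verify-netstat.sh|ossec-ar-verify-netstat.sh) run_verify "$@" ;;
esac
```

Drop it into /var/ossec/active-response/bin/ as an executable and let the first alert seed the baseline; if you would rather ship the baseline from configuration management, as the reply suggests, write the expected port list (sorted, one per line) to the BASELINE path instead. The script takes a fresh snapshot rather than reusing the OSSEC diff history, which keeps it independent of where that history lives.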


[ossec-list] How to install without prompts

2014-02-11 Thread David Montgomery
Hi,

Newbie trying to install agent and server.  Will build my own chef recipes.

Wowee... If I were a prompt I would love ossec.  Where are the docs to 
bypass all of the prompts?  Or do people use expect to install agents?

I am on Ubuntu 12.04

Thanks




[ossec-list] minor ossec issue

2014-02-11 Thread Eero Volotinen
Hi List,

I have some issues with ossec. My ossec server was down for about a week and
after starting the ossec server, all clients started to flood the server and they
also eat disk I/O on the client servers.

How do I resolve this issue, i.e. reset all clients to a fresh state as of today?



--
Eero
