AW: [ossec-list] ossec with nagios
Hi, interesting. But I think it isn't possible. As far as I know, ossec-remoted doesn't return anything, so you can't expect anything from check_udp. In addition, when the daemon runs over UDP you will not receive a return code other than zero. So you can only check whether the daemon is running, and for that case you have many possibilities.

Best Regards,
Bjoern

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of Gaurav Rajput
Sent: Thursday, 13 March 2014 21:38
To: ossec-list@googlegroups.com
Subject: [ossec-list] ossec with nagios

Hi, I have an ossec-server along with a nagios-server. All I want is to monitor ossec-remoted from nagios. But the main problem is that ossec-remoted uses the UDP protocol, so it never echoes back. So how would I ensure that my ossec-server is up and running (with or without using nagios)? Also, I tried the nagios plugin check_udp, but for UDP we must pass the send string and expect string as parameters to this command. I couldn't find any way to do this. I tried netcat too, but it's not giving me the desired result (it was echoing the same thing for all UDP ports [0-65535]). So is there any specific string that I can send and receive some expected string back? (I don't have enough time to open the code right now.) Thanks.

-- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
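Bjoern's point is that the only thing Nagios can usefully check is whether the daemon is up and bound to its port, since ossec-remoted never answers a probe. The script below is an added example of such a check (not from the thread or the OSSEC project). It assumes the OSSEC default agent port 1514/udp and Linux `ss -ulpn` output; the decision logic is separated from the live `ss` call so it can be exercised here against constructed listings.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project: a Nagios-style check
# for ossec-remoted. Because the daemon never answers probes, the check does not
# send anything over UDP; it confirms that a process called ossec-remoted holds
# a bound UDP socket on the agent port (assumed 1514/udp, the OSSEC default).
# The decision logic takes `ss -ulpn` style text as input so it can be run
# offline against the constructed samples below.

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3   # Nagios plugin return codes

# check_remoted_listing PORT LISTING
#   LISTING is text in `ss -ulpn` format, one socket per line.
#   Prints a Nagios status line and returns the matching code.
check_remoted_listing() {
  port="$1"
  listing="$2"
  # A UDP socket bound to :PORT whose owning process is ossec-remoted.
  if printf '%s\n' "$listing" | grep -E "^UNCONN .*:${port} +.*\"ossec-remoted\"" >/dev/null; then
    echo "OK - ossec-remoted is bound to udp/${port}"
    return $OK
  fi
  # The daemon is up but listening elsewhere: config and check disagree.
  if printf '%s\n' "$listing" | grep -E "^UNCONN .*\"ossec-remoted\"" >/dev/null; then
    echo "WARNING - ossec-remoted has a UDP socket, but not on udp/${port}"
    return $WARNING
  fi
  echo "CRITICAL - no UDP socket owned by ossec-remoted"
  return $CRITICAL
}

# check_remoted [PORT]: the live check, reading the real socket table.
check_remoted() {
  port="${1:-1514}"
  if ! listing=$(ss -ulpn 2>/dev/null); then
    echo "UNKNOWN - could not run ss"
    return $UNKNOWN
  fi
  check_remoted_listing "$port" "$listing"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_UP='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:1514      0.0.0.0:*    users:(("ossec-remoted",pid=1234,fd=4))
UNCONN 0      0            0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=321,fd=5))'

SAMPLE_OTHER_PORT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:1515      0.0.0.0:*    users:(("ossec-remoted",pid=1234,fd=4))'

SAMPLE_DOWN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=321,fd=5))'

# Exercise the logic on the samples; a real plugin would instead run: check_remoted "$@"; exit $?
check_remoted_listing 1514 "$SAMPLE_UP"
check_remoted_listing 1514 "$SAMPLE_OTHER_PORT" || true
check_remoted_listing 1514 "$SAMPLE_DOWN" || true
```

Installed as a Nagios plugin, the script would end with `check_remoted "$1"; exit $?` instead of the sample calls. It only proves the socket is bound, not that agents are being processed; for that, watch the manager's own logs or agent keepalives.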
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 4:49 PM, Mike Wisniewski wiz...@gmail.com wrote:
Thanks all for the help. I had another machine lying around, so I installed an 'agent' on the second machine. Once I did that and had it report to the server, everything started working fine and it inserts the blocks in my hosts.deny. I don't know if it's a bug per se, but I believe that the active responses shouldn't make you install an agent if you just have a server running. Then again, if you are just using one machine, you should probably install 'local' anyway.

It's not a bug, you did the wrong installation.

Thanks for the responses and help!

On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote:
Please see below for the answers...

On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wiz...@gmail.com wrote:
Thanks for the quick response. Please see inline for answers.

On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wiz...@gmail.com wrote:
[...]

Are you using active response?

Yes, I am trying to use active response. I'm trying to get it to dump IPs in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add them to the hosts.deny on the server.

Make sure AR isn't disabled. Make sure ossec-execd is running. Make sure AR is configured for the server and not just the agents.

I believe I enabled AR for the 'host-deny' command. Attached is my config file. http://pastebin.com/PY8C10Uc ossec-execd is running as well. The alert shows up in the 'alerts.log' file, but it doesn't add the IP to /etc/hosts.deny or to the active-responses.log. Here's a snip of an alert from me doing a vulnerability scan against that box.

** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy-/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) - 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
[Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

Thanks for your response and help.
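The checklist dan gives (AR not disabled, ossec-execd running, AR configured to run on the server rather than only on agents) can be turned into a small lint over ossec.conf. The script below is an added example, not part of the thread or of OSSEC itself. It assumes the documented `<location>` values local, server, defined-agent and all, and that a response fires when the alert level is at or above the block's `<level>`; the configs are constructed here, not taken from the poster's pastebin. One thing worth noticing from the quoted alert: it is level 5, and a host-deny block bound to level 6 (the value the stock ossec.conf template uses) would not fire on it regardless of installation type, which the last two calls demonstrate.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project: a lint over the
# <active-response> section of an ossec.conf covering the checks dan lists:
# is active response globally disabled, does any block run on the manager
# itself (rather than only on a named agent), and is the block's level low
# enough for the alert in question. Location values local, server,
# defined-agent and all are the ones OSSEC documents. Sample configs below are
# constructed for the example.

# ar_summary CONF_TEXT: one line per <active-response> block: command location level
ar_summary() {
  printf '%s\n' "$1" | awk '
    /<active-response>/ { inblk = 1; cmd = ""; loc = ""; lvl = ""; next }
    inblk && /<command>/  { sub(/.*<command>/, "");  sub(/<\/command>.*/, "");  cmd = $0 }
    inblk && /<location>/ { sub(/.*<location>/, ""); sub(/<\/location>.*/, ""); loc = $0 }
    inblk && /<level>/    { sub(/.*<level>/, "");    sub(/<\/level>.*/, "");    lvl = $0 }
    inblk && /<\/active-response>/ { inblk = 0; if (cmd != "") print cmd, loc, lvl }
  '
}

# ar_disabled CONF_TEXT: succeeds if an <active-response> block carries <disabled>yes</disabled>
ar_disabled() {
  printf '%s\n' "$1" | awk '
    /<active-response>/ { inblk = 1 }
    inblk && /<disabled> *yes *<\/disabled>/ { found = 1 }
    /<\/active-response>/ { inblk = 0 }
    END { exit(found ? 0 : 1) }
  '
}

# ar_would_fire CONF_TEXT ALERT_LEVEL: succeeds if some block that runs on the
# manager (location local, server or all) has level <= ALERT_LEVEL, since a
# response is triggered when the alert level is at or above the block level.
ar_would_fire() {
  ar_summary "$1" | awk -v alert="$2" '
    ($2 == "local" || $2 == "server" || $2 == "all") && ($3 + 0) <= (alert + 0) { ok = 1 }
    END { exit(ok ? 0 : 1) }
  '
}

# Constructed config: host-deny bound to one named agent, so nothing runs on the manager.
CONF_AGENT_ONLY='<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>'

# Same config, but the response runs on the host that raised the alert.
CONF_LOCAL=$(printf '%s\n' "$CONF_AGENT_ONLY" | sed 's#<location>defined-agent</location>#<location>local</location>#; /<agent_id>/d')

# Active response switched off entirely.
CONF_OFF='<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>'

# ar_lint CONF_TEXT ALERT_LEVEL: print a verdict for one config and alert level
ar_lint() {
  if ar_disabled "$1"; then echo "active response is disabled"; return 1; fi
  if ! ar_would_fire "$1" "$2"; then
    echo "no manager-side block fires for a level $2 alert:"; ar_summary "$1"; return 1
  fi
  echo "a manager-side block fires for a level $2 alert"
}

ar_lint "$CONF_OFF" 5 || true
ar_lint "$CONF_AGENT_ONLY" 5 || true
ar_lint "$CONF_LOCAL" 5 || true    # level-5 alert (rule 30115 above) vs a level-6 block
ar_lint "$CONF_LOCAL" 6 || true
```

The awk parsing is deliberately line-oriented and only handles the one-element-per-line layout ossec.conf is normally written in; it is a sanity check, not an XML parser. It also says nothing about whether ossec-execd is running, which remains a separate process check.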
Re: [ossec-list] ossec-maild tags
On Thu, Mar 13, 2014 at 3:01 AM, Gaurav Rajput gx1...@gmail.com wrote:
Hi, I have 3 different infrastructures (Development, Production and Testing), running the same configuration (with the same IP addresses and subnet) and nodes. I have 3 ossec-servers running. Each ossec-server is sending mails to a central gmail account. All I want is to categorize the mails from each infrastructure. In other words, I want to tag the emails with Dev, Prod or Test. Is there any way to do this? I searched a lot in the configuration file.

I think your best bet is to have them sent from different email addresses.

Thanks.
Re: [ossec-list] ossec-maild tags
Or you could change this file: https://github.com/ossec/ossec-hids/blob/master/src/os_maild/sendmail.c on each server and add something to SUBJECT so you can filter on that in gmail. I always have to change this file, as my local mailserver is very strict about the HELOMSG and I have to change it to the server name.

Regards
Christian

On 14.03.2014 13:09, dan (ddp) wrote:
On Thu, Mar 13, 2014 at 3:01 AM, Gaurav Rajput gx1...@gmail.com wrote:
Hi, I have 3 different infrastructures (Development, Production and Testing), running the same configuration (with the same IP addresses and subnet) and nodes. I have 3 ossec-servers running. Each ossec-server is sending mails to a central gmail account. All I want is to categorize the mails from each infrastructure. In other words, I want to tag the emails with Dev, Prod or Test. Is there any way to do this? I searched a lot in the configuration file.

I think your best bet is to have them sent from different email addresses.

Thanks.
[ossec-list] Re: Trend Micro end Commercial Support?
On Thursday, 6 March 2014 04:06:03 UTC+1, mad...@gmail.com wrote:
Hi guys, My company has recently made a commitment to using OSSEC as our HIDS solution, under the assumption that Trend Micro still provide their limited commercial support contracts - I even emailed os...@trendmicro.com and they replied with quotes and everything. 2 weeks later, they've mentioned that Trend Micro has canned this support since the start of the year? Is there anyone using this current support that has alternative solutions lined up to cover support for this? Are there any other vendors who provide support? I'm sure we aren't the only company this will affect, whether we use OSSEC or not for a HIDS solution... Cheers, Dean

This would be very bad for people who have commercial support and are not getting it any more. I hope it's not true. We use OSSEC a lot and are happy with the Google list responses, but we also chose OSSEC because of its commercial support option. Michiel
[ossec-list] OSSEC VM appliance getting errors when trying to install
Just downloaded the OSSEC appliance VM. When importing the OVF file into ESXi 5.1 I get an error that the OVF file is corrupted. This is after three separate downloads of the VM appliance. I tried to convert the OVF to a VMX file; no luck, same error. Then I tried creating a VM pointed at the provided VMDK file and I get the error that there is no manifest file, even though the .mf is in the same storage location. Is there a working version of the OSSEC VM appliance?
[ossec-list] Event ID 560 - Object Access in Windows
Good afternoon. I set up Event ID 560 Object Access on Windows Server 2003. The policy is working, but I don't know how to configure it so that OSSIM identifies this rule for me. Thanks.
Re: [ossec-list] Event ID 560 - Object Access in Windows
For the benefit of everyone, please ask your question in English.

On 2014-03-14 15:36, OSCAR GIOVANNY GONZALEZ GIOVANNY GONZALEZ CRUZ wrote:
Good afternoon. I set up Event ID 560 Object Access on Windows Server 2003. The policy is working, but I don't know how to configure it so that OSSIM identifies this rule for me. Thanks.
Re: [ossec-list] ossec-maild tags
Hi, We had a similar requirement here. I just added an additional option to the ossec.conf that gets added into the mail headers (X-IDS-OSSEC: $value) to be able to use that to sort the emails from the different masters. I currently don't have a patch file with only that change (for stupid reasons all our changes are currently lumped into one big patch file), but if you can wait until next week I'm planning on having a look at git and forks and all that fun. So I should, at the very least, have a patch file or fork with that feature singled out.

Ryan

On 3/13/2014 2:01 AM, Gaurav Rajput wrote:
Hi, I have 3 different infrastructures (Development, Production and Testing), running the same configuration (with the same IP addresses and subnet) and nodes. I have 3 ossec-servers running. Each ossec-server is sending mails to a central gmail account. All I want is to categorize the mails from each infrastructure. In other words, I want to tag the emails with Dev, Prod or Test. Is there any way to do this? I searched a lot in the configuration file. Thanks.