[ossec-list] Do CDB lists require ossec to be restarted?

2015-02-10 Thread Jose Moreno
Hi,

We are using CDB lists for a number of tasks; they work fine, but when a 
list is updated, just running ossec-makelists won't make ossec-analysisd 
take the new information into account; we need to restart OSSEC.

Is that the expected behaviour or is there a way to use a CDB list as a 
dynamic list that can get data added or stripped and OSSEC using it without 
restarting?

Thanks very much in advance.
Kind regards,
Jose Moreno


PS I've searched in the list to see if this same question has been asked 
before but didn't find it; sorry if I missed anything.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Centralize Logging

2015-02-10 Thread Mehul gajjar
Hi,

Installed and configured OSSEC 2.8.1 with 4 agents; it works fine. I need to 
know how to enable OSSEC as a central logging system, so agent logs are stored 
on the server. 

I have configured logall but no luck. 



[ossec-list] OSSEC profile by regex

2015-02-10 Thread Ricardo Perre
Hello,

Is it possible to define a profile based on "name" filtered by regex?
In documentation we have:




/var/log/my.log
syslog



/var/log/my.log2
syslog



C:\myapp\my.log
syslog




Can I use something like this?




/var/log/my.log
syslog





/var/log/my.log2
syslog



C:\myapp\my.log
syslog



Thanks for your time.



Re: [ossec-list] Centralize Logging

2015-02-10 Thread David Lang

On Tue, 10 Feb 2015, Mehul gajjar wrote:


Installed and configured OSSEC 2.8.1 with 4 agents; it works fine. I need to
know how to enable OSSEC as a central logging system, so agent logs are stored
on the server.

I have configured logall but no luck.


you have a hammer, so everything looks like a nail.

Ossec is not the right tool for your centralized logging solution. Yes, it can 
gather logs, but it's very limited in what it can do with them. There are a lot 
of things that you need to take into account. Ossec uses the syslog protocol (in 
its simplest forms), but take a look at the article below for info on the wider 
set of things you need to consider when planning a centralized logging system 
(later articles in the series go into more depth on particular tools and issues).


https://www.usenix.org/publications/login/august-2013-volume-38-number-4/enterprise-logging

David Lang


Re: [ossec-list] Do CDB lists require ossec to be restarted?

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 4:36 AM, Jose Moreno  wrote:
> Hi,
>
> We are using CDB lists for a number of tasks; they work fine, but when a list
> is updated, just running ossec-makelists won't make ossec-analysisd take
> the new information into account; we need to restart OSSEC.
>
> Is that the expected behaviour or is there a way to use a CDB list as a
> dynamic list that can get data added or stripped and OSSEC using it without
> restarting?
>

cdb isn't really meant to change that often, that's why there's no
real delete or add. But it shouldn't require a restart to see changes.

> Thanks very much in advance.
> Kind regards,
> Jose Moreno
>
>
> PS I've searched in the list to see if this same question has been asked
> before but didn't find it; sorry if I missed anything.
>
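The thread above is about whether a rebuilt CDB list is seen without a restart. As an added illustration (not OSSEC's code, and not a statement about how ossec-makelists or ossec-analysisd handle the file), the following Python builds a CDB file from the one-`key:value`-per-line list format OSSEC uses, looks keys up the way a CDB reader does, and then rebuilds the list by writing a temporary file and renaming it over the old one. A reader that keeps the old descriptor open continues to read the old inode and never sees the new key; a reader that reopens the path does. The list contents and file name are constructed for the example.

```python
import os
import struct
import tempfile


def cdb_hash(key: bytes) -> int:
    """D. J. Bernstein's CDB hash: h = ((h << 5) + h) ^ c, starting from 5381."""
    h = 5381
    for byte in key:
        h = (((h << 5) + h) ^ byte) & 0xFFFFFFFF
    return h


def parse_list(text: str):
    """Parse OSSEC's list format (one 'key:value' per line) into byte pairs."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        yield key.encode(), value.encode()


def write_cdb(path: str, records) -> None:
    """Write a CDB file: 256-entry pointer table, records, then 256 hash tables.
    The file is written under a temporary name and renamed into place (an assumed
    rebuild strategy for this example, not a claim about ossec-makelists)."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(b"\0" * 2048)                      # pointer table, filled in at the end
        tables = [[] for _ in range(256)]
        for key, value in records:
            pos = f.tell()
            f.write(struct.pack("<II", len(key), len(value)) + key + value)
            h = cdb_hash(key)
            tables[h & 0xFF].append((h, pos))
        header = b""
        for entries in tables:
            tlen = 2 * len(entries)                # half-empty tables keep probe chains short
            tpos = f.tell()
            slots = [(0, 0)] * tlen
            for h, pos in entries:
                i = (h >> 8) % tlen
                while slots[i][1] != 0:            # linear probing on collision
                    i = (i + 1) % tlen
                slots[i] = (h, pos)
            for h, pos in slots:
                f.write(struct.pack("<II", h, pos))
            header += struct.pack("<II", tpos, tlen)
        f.seek(0)
        f.write(header)
    os.replace(tmp, path)


class CdbReader:
    """Minimal CDB lookup that holds the file open, as a long-running daemon would."""

    def __init__(self, path: str):
        self.f = open(path, "rb")

    def close(self) -> None:
        self.f.close()

    def _read(self, pos: int, n: int) -> bytes:
        self.f.seek(pos)
        return self.f.read(n)

    def get(self, key: bytes):
        h = cdb_hash(key)
        tpos, tlen = struct.unpack("<II", self._read((h & 0xFF) * 8, 8))
        if tlen == 0:
            return None
        i = (h >> 8) % tlen
        for _ in range(tlen):
            slot_hash, rec_pos = struct.unpack("<II", self._read(tpos + i * 8, 8))
            if rec_pos == 0:                       # empty slot ends the probe chain
                return None
            if slot_hash == h:
                klen, vlen = struct.unpack("<II", self._read(rec_pos, 8))
                if self.f.read(klen) == key:
                    return self.f.read(vlen)
            i = (i + 1) % tlen
        return None


def demo():
    """Rebuild a list while one reader keeps the old file open; return what each reader sees."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "blocked.cdb")       # constructed file name
        write_cdb(path, parse_list("10.0.0.5:blocked\n203.0.113.9:scanner\n"))
        stale = CdbReader(path)
        before = stale.get(b"198.51.100.7")
        write_cdb(path, parse_list("10.0.0.5:blocked\n203.0.113.9:scanner\n198.51.100.7:blocked\n"))
        seen_by_stale = stale.get(b"198.51.100.7")  # old inode: still None
        fresh = CdbReader(path)
        seen_by_fresh = fresh.get(b"198.51.100.7")  # reopened path: b"blocked"
        stale.close()
        fresh.close()
        return before, seen_by_stale, seen_by_fresh
```

`demo()` returns `(None, None, b"blocked")`: the new key is invisible to whoever still holds the old file, which is the behaviour to check for in any daemon that is expected to follow list updates without a restart.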


Re: [ossec-list] Active response srcip changes whether response is executed

2015-02-10 Thread dan (ddp)
On Mon, Feb 9, 2015 at 5:13 PM, Glen Leeder  wrote:
> Thanks Dan,
>
> I've changed my rsyslog format to IP addresses instead of hosts and all is
> good.
>

I can't be sure, but it seems like you're confused. The log message:
Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
does not contain a srcip. This one does not either:
Feb  9 19:19:53 192.168.1.1 gleeder: OSSEC-TESTER-RULE

So if your AR expects a srcip, these log messages will not trigger it.


> Do you know whether the  directive requires that
> srcip is specified or will it work without that?
>

If there is no srcip in the log message, there is nothing that would
be affected by the whitelist.

> Glen
>
> On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder  wrote:
>> > Hi,
>> >
>> > I using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I
>> > have
>> > the following local_rules.xml defined to exercise syslog monitoring :
>> > $ sudo more /var/ossec/rules/local_rules.xml
>> > 
>> >   
>> > OSSEC-TESTER-RULE
>> > OSSEC Test Alert
>> >   
>> > 
>> >
>> > When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"), an
>> > active
>> > response is executed due to this ossec.conf:
>> > 
>> > post2slack
>> > ar_slack.sh
>> > 
>> > no
>> > 
>> >
>> > 
>> > post2slack
>> > local
>> > 4
>> > 
>> >
>> > This works as expected provided I do not populate the command 
>> > field. If I specify srcip the alert still triggers,
>> > however, the active response is no longer executed. the syslog entry
>> > ends up
>> > as something like:
>> > Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
>> >
>>
>> There is no IP in this log message to be decoded, so it makes sense
>> that AR won't be triggered if it expects there to be a source ip.
>>
>> > I can't determine from the documentation whether this should work or
>> > not.
>> > myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs
>> > specified anyway (my end goal is a to have some white_listing which is
>> > why I
>> > specified srcip).
>> >
>> > Is there an implicit white_list default or another reason why specifying
>> > srcip causes the response to no longer execute?
>> > Is srcip required for white_list to work?
>> >
>> > Best regards,
>> > Glen
>> >
>


Re: [ossec-list] OSSEC profile by regex

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 7:00 AM, Ricardo Perre  wrote:
> Hello,
>
> Is it possible to define a profile based on "name" filtered by regex?
> In documentation we have:
>
>
> 
> 
> /var/log/my.log
> syslog
> 
> 
>
> 
> 
> /var/log/my.log2
> syslog
> 
> 
>
> 
> 
> C:\myapp\my.log
> syslog
> 
> 
>
>
>
> Can i use something like this?
>
>
> 
> 
> /var/log/my.log
> syslog
> 
> 
>
>
> 
> 
> /var/log/my.log2
> syslog
> 
> 
>
> 
> 
> C:\myapp\my.log
> syslog
> 
> 
>

Try it and report back.

>
> Thanks for your time.
>

Thank you for yours.



Re: [ossec-list] Ossec's active response doesn't work

2015-02-10 Thread dan (ddp)
On Mon, Feb 9, 2015 at 3:42 PM, Ricardo Galossi  wrote:
> Hi Dan,
> I installed ossec as "local". Yeah, the AR configuration is default. The
> daemon ossec-execd is running normally and the firewall is enabled. I made
> tests with both versions of ossec, 2.7 and 2.8.1, within the same VPS.
> However, only version 2.7 blocks the attacker based on the rule ID 31151.
>
> If you want I can send you the logs of ossec 2.8.1.
>
> Thank you for your attention.
>

Run ossec-logtest, and paste the log message I used in it multiple
times. Let's see if 31151 or whatever fires (and see if the output
differs from what I saw with post 2.8.1).
I'm hoping to have a chance to try active responses tonight.


> Em segunda-feira, 9 de fevereiro de 2015 18:23:09 UTC-2, dan (ddpbsd)
> escreveu:
>>
>> On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi 
>> wrote:
>> > Hi Dan,
>> > The logs are in attach.
>> >
>>
>> Ok, it looks like active response is being triggered by rule 31151:
>> Mon Feb  9 15:10:03 BRST 2015
>> /var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87
>> 1423501803.36643 31151
>>
>> Using ossec-logtest, and pasting the log message in a few times, does
>> trigger 31151:
>> 172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET
>> /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00
>> (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET
>> /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00
>> (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
>>hostname: 'arrakis'
>>program_name: '(null)'
>>log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET
>> /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00
>> (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'web-accesslog'
>>srcip: '172.16.10.87'
>>url: '/wordpress/KwJ55hQv.asmx'
>>id: '403'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '31151'
>>Level: '10'
>>Description: 'Multiple web server 400 error codes from same source
>> ip.'
>> **Alert to be generated.
>>
>> Since you didn't provide your AR configuration I'll have to assume
>> it's the default. Based on that, we get back to earlier questions:
>> Is ossec-execd running on the agent?
>> Is the firewall enabled on the system?
>>
>> > Em segunda-feira, 9 de fevereiro de 2015 17:20:05 UTC-2, dan (ddpbsd)
>> > escreveu:
>> >>
>> >> On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi 
>> >> wrote:
>> >> > Hi Dan,
>> >> > I see. As soon as I get home I'll send the log files. Do you want
>> >> > only
>> >> > the
>> >> > alert.log or something else?
>> >> >
>> >>
>> >> I'd love to see the apache log messages that work in OSSEC 2.7 but not
>> >> in
>> >> 2.8.
>> >>
>> >> > Em segunda-feira, 9 de fevereiro de 2015 17:00:38 UTC-2, dan (ddpbsd)
>> >> > escreveu:
>> >> >>
>> >> >> On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi
>> >> >> 
>> >> >> wrote:
>> >> >> > Hi guys,
>> >> >> > I made some tests here with ossec 2.7. When I try to scan the
>> >> >> > target, modsec delivers a 403 error page, so ossec reads the apache
>> >> >> > access.log file, matches the rule with ID 31151 from web_rules.xml
>> >> >> > and blocks the attacker's IP on iptables. See the rule below:
>> >> >> >
>> >> >> > 
>> >> >> > 31101
>> >> >> > 
>> >> >> > Multiple web server 400 error codes 
>> >> >> > from same source ip.
>> >> >> > web_scan,recon,
>> >> >> > 
>> >> >> >
>> >> >> > The question is, why doesn't the same thing happen on ossec 2.8.1?
>> >> >> > Is there some problem if I use version 2.7?
>> >> >> >
>> >> >>
>> >> >> It's hard to tell without log samples.
>> >> >>
>> >> >> > Em segunda-feira, 9 de fevereiro de 2015 15:47:31 UTC-2, Ricardo
>> >> >> > Galossi
>> >> >> > escreveu:
>> >> >> >>
>> >> >> >> Hi Dan,
>> >> >> >> Thank you for your attention. I'm at work now, and I'm not able
>> >> >> >> to
>> >> >> >> access
>> >> >> >> my VPS from here, but tonight when I leave the company I'll send
>> >> >> >> you
>> >> >> >> the log
>> >> >> >> file.
>> >> >> >>
>> >> >> >> Em segunda-feira, 9 de fevereiro de 2015 15:42:46 UTC-2, dan
>> >> >> >> (ddpbsd)
>> >> >> >> escreveu:
>> >> >> >>>
>> >> >> >>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi
>> >> >> >>>  wrote:
>> >> >> >>> > Hi Rodrigo,
>> >> >> >>> > I've seen the file syslog_rules.xml to see the rule with ID
>> >> >> >>> > 1002,
>> >> >> >>> > I
>> >> >> >>> > understood the rule perfectly. As you said I've changed the
>> >> >> >>> > field
>> >> >> >>> >  of
>> >> >> >>> > rules with ID 30200 and 30201 for "ModSecurity: Access
>> >> >> >>> > denied".
>> >> >> >>> > I've
>> >> >> >>> > also
>> >> >> >>> > changed the level of drop in my ossec.conf to level 2.
>> >> >> >>> > Although,
>> >> >> >>> > unfortunately it doesn't solve my problem
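Two of the threads above come down to the same mechanics: rule 31151 fires only after repeated 4xx responses from one decoded srcip, and an active response that expects srcip is skipped when the alert carries none, with the white_list only ever consulted against that srcip. As an added illustration (not OSSEC's code; the decoder mirrors the fields ossec-logtest printed above, the frequency of 12 within 90 seconds is assumed from the stock web_rules.xml and should be checked against your copy, the model fires at exactly `frequency` hits whereas OSSEC's own counter is off by a couple, and the rule ID 100001 for the OSSEC-TESTER-RULE local rule is a placeholder because the original ID was not shown), the Python below pushes both constructed log lines through decode, rules and the AR gate and returns the host-deny style arguments a script would receive.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines, modelled on the thread rather than captured from a host.
ACCESS_LINE = ('172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx '
               'HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"')
SYSLOG_LINE = "Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE"

# Fields the web-accesslog decoder exposes (srcip, url, id), per the ossec-logtest output above.
ACCESS_RE = re.compile(r'^(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
                       r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<id>\d{3})')


def decode(line: str) -> dict:
    """Assumed decoder front end: access-log lines get srcip/url/id, anything else has no srcip."""
    m = ACCESS_RE.match(line)
    if m:
        return {"decoder": "web-accesslog", "srcip": m["srcip"], "url": m["url"], "id": m["id"]}
    return {"decoder": None, "srcip": None}


class FrequencyRule:
    """Model of a frequency/timeframe/same_source_ip rule such as 31151: fires when
    `frequency` 4xx events from one srcip fall inside `timeframe` seconds (simplified)."""

    def __init__(self, rule_id: str, frequency: int, timeframe: int):
        self.rule_id, self.frequency, self.timeframe = rule_id, frequency, timeframe
        self.window = defaultdict(deque)      # srcip -> timestamps of recent 4xx hits

    def feed(self, event: dict, now: int):
        if event["decoder"] != "web-accesslog" or not event["id"].startswith("4"):
            return None
        hits = self.window[event["srcip"]]
        hits.append(now)
        while hits and now - hits[0] > self.timeframe:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.frequency:
            hits.clear()
            return {"rule_id": self.rule_id, "srcip": event["srcip"]}
        return None


class MatchRule:
    """Model of Glen's local rule: a plain match on the message text, no srcip decoded."""

    def __init__(self, rule_id: str, needle: str):
        self.rule_id, self.needle = rule_id, needle

    def feed(self, line: str, event: dict):
        if self.needle in line:
            return {"rule_id": self.rule_id, "srcip": event["srcip"]}
        return None


def active_response(alert, expect=("srcip",), white_list=()):
    """Assumed AR gate: every expected field must be present, and a srcip on the
    white_list is never acted on. Returns host-deny style arguments or None."""
    if alert is None:
        return None
    if any(alert.get(field) is None for field in expect):
        return None                           # e.g. srcip expected but not decoded
    if alert.get("srcip") in white_list:
        return None
    return ["add", "-", alert.get("srcip") or "-", alert["rule_id"]]


def run_pipeline(timed_lines, expect=("srcip",), white_list=()):
    """Feed (line, unix_time) pairs through decode -> rules -> AR; return the AR calls made."""
    web_scan = FrequencyRule("31151", frequency=12, timeframe=90)   # assumed stock values
    tester = MatchRule("100001", "OSSEC-TESTER-RULE")               # placeholder local rule id
    calls = []
    for line, now in timed_lines:
        event = decode(line)
        alert = web_scan.feed(event, now) or tester.feed(line, event)
        args = active_response(alert, expect, white_list)
        if args:
            calls.append(args)
    return calls
```

Twelve copies of the access-log line inside 90 seconds yield one `["add", "-", "172.16.10.87", "31151"]`; the same twelve spread ten seconds apart yield nothing; putting 172.16.10.87 on the white_list suppresses the call; and the syslog test line produces an alert but no call while srcip is expected, which is the behaviour Glen observed.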

[ossec-list] Fwd: Unable to add agents from different netblocks

2015-02-10 Thread narendra reddy
Hi Team,

I have configured Ossec-hids-2.7 on one of my AWS instance which has 10.5
series ip, I am able to add 25+ agents from 10.5 series and tried adding
10.9 series agents however I am unable to see them on gui and not even
getting mails from 10.9 series.

I am able to ping or ssh to 10.9 series from 10.5 and vice versa, all the
ports are open between 10.9 and 10.5 netblock.

Any possible reason for not able to get details from 10.9 series, please
help me.

-- 
Thanks and Regards,
Narendra Reddy .Alla
91-9620525522





Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread dan (ddp)
On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
 wrote:
> Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
> working with an asterisk box. I've followed this link [1], and trying to
> enumerate users I'm able to correlate and fire mails correctly with OSSIM,
> but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure post-actions
> like DROP $SRCIP.
>
> Taking a look at the link provided, his log appears only to contain src IP,
> like that:
>
> May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
> handle_request_register: Registration from ‘”355″’
> failed for ‘[[[192.168.210.48]]]’ – No matching peer found
>
> You can see "failed for 'x.x.x.x' only
>
> But it seems that in recent versions like mine (stable Elastix and ossec 2.8),
> the log says "failed for 'x.x.x.x:UDPPORT'", so I figured it could be some regexp
> issue, time to check.
>
> - The log from the post provided and the default regexp in decoder.xml "\d+.\d+.\d+.\d+"
> in regexpr.com correctly matches SRCIP but it fails, you can try yourself:
>
> May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
> chan_sip.c:15889 in handle_request_register: Registration from
> ‘”355″’ failed for ‘192.168.210.48’ – No
> matching peer found
>

Are these brackets really in the log message, or are they there for emphasis?

> - Escaping dot characters solves the problem, \d+\.\d+\.\d+\.\d+ correctly

\. matches any single character.

> matches IP address, and for IP:UDPPORT you can use \d+\.\d+\.\d+\.\d+\:\d+.
>
> But placing all these tweaks in the decoder and restarting the ossec server did
> not work, OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
> ossec rule, as it is the event seen in the OSSIM UI when I run svwar:
>

For some reason I can't get the regex to work with the single quotes
around the IP address.

> 
> 6201
> No matching peer found
> Login session failed (invalid extension).
> invalid_login,
> 
>
>
> I'll keep trying tomorrow, keep in touch please!
>
> Kind Regards,
>
> Daniel
>
> [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
>
> 2015-02-09 20:21 GMT+01:00 dan (ddp) :
>>
>> On Mon, Feb 9, 2015 at 2:10 PM, Security 
>> wrote:
>> > Could be.
>> > I don't know if I have to write to the dev mailing list to have it fixed
>> > in
>> > the next release.
>> > I'm running my modified version on 3 asterisk instances and I'm very
>> > happy
>> > with the results.
>> >
>>
>> Your best option is to open an issue on the github.
>> https://github.com/ossec/ossec-hids
>> If I remember I'll try to come up with a rule that covers both the old
>> and new log samples we have.
>>
>> > Regards,
>> >
>> > Simon Gillet
>> >
>> > Le 9 févr. 2015 à 14:08, dan (ddp)  a écrit :
>> >
>> > On Sun, Feb 8, 2015 at 5:26 PM, Security 
>> > wrote:
>> >
>> > Hello,
>> >
>> > I think the Asterisk rules could be wrong. Or at least for Ubuntu.
>> > OSSEC always failed blocking brute force attempt on Asterisk.
>> > A standard log entry for a brute force attempt looks like:
>> >
>> > Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
>> > handle_request_register: Registration from '"6100" '
>> > failed for '85.25.110.243:5188' - Wrong password
>> >
>> >
>> > This log sample is different than the one we were provided previously.
>> >
>> > I changed the rules in the decoder.xml files and I have now much better
>> > results.
>> >
>> > Let me know if I'm wrong, I'm not an OSSEC expert, but now I block the
>> > brute
>> > force attempts.
>> >
>> > Regards,
>> >
>> > Simon Gillet
>> >
>> > I changed this rule:
>> >
>> > 
>> >  asterisk
>> >  ^NOTICE[\d+]: \S+ in \S+: Registration from 
>> >  ^\S+ failed for
>> > '(\d+.\d+.\d+.\d+)'
>> >  srcip
>> > 
>> >
>> > To this one:
>> >
>> > 
>> >  asterisk
>> >  ^NOTICE[\d+]: \S+ in \S+: Registration from \S+
>> > \S+
>> >  ^failed for '(\S+):(\d+)'
>> >  srcip,srcport
>> > 
>> >
>> > And this rule:
>> >
>> > 
>> >  asterisk
>> >  Registration from 
>> >  failed for '(\d+.\d+.\d+.\d+)'
>> >  srcip
>> > 
>> >
>> > To this one:
>> >
>> > 
>> >  asterisk
>> >  Registration from 
>> >  failed for '(\S+):(\d+)'
>> >  srcip,srcport
>> > 
>> >

Re: [ossec-list] Fwd: Unable to add agents from different netblocks

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 7:09 AM, narendra reddy
 wrote:
>
> Hi Team,
>
> I have configured Ossec-hids-2.7 on one of my AWS instance which has 10.5
> series ip, I am able to add 25+ agents from 10.5 series and tried adding
> 10.9 series agents however I am unable to see them on gui and not even
> getting mails from 10.9 series.
>
> I am able to ping or ssh to 10.9 series from 10.5 and vice versa, all the
> ports are open between 10.9 and 10.5 netblock.
>
> Any possible reason for not able to get details from 10.9 series, please
> help me.
>

Are the 10.9 agents connecting?

> --
> Thanks and Regards,
> Narendra Reddy .Alla
> 91-9620525522
>
>
>
> --
> Thanks and Regards,
> Narendra Reddy .Alla
> 91-9620525522
>


Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread Daniel Calvo Castro
Hi again

These brackets are for emphasis, sorry for not clarifying this, but it
clearly looks like it is a regexp issue. I'm going to deal with it now
and I'll post if I'm able to solve it. Maybe some other people are
dealing with this, any help would be really appreciated. Is there a ticket
opened on github as suggested? I'll do that in that case.

Kind Regards


Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread dan (ddp)
On Feb 10, 2015 7:57 AM, "Daniel Calvo Castro" <daniel.ca...@kernelsecurity.es> wrote:
>
> Hi again
>
> These brackets are for emphasis, sorry for not clarifying this, but it
> clearly looks like it is a regexp issue. I'm going to deal with it now
> and I'll post if I'm able to solve it. Maybe some other people are
> dealing with this, any help would be really appreciated. Is there a ticket
> opened on github as suggested? I'll do that in that case.
>

I opened one about the regex issue I'm seeing with this.


[ossec-list] Re: Unable to add agents from different netblocks

2015-02-10 Thread narendra reddy
Yes, when I installed the agent on 10.9 series machines I am able to import 
the key and start ossec, but the server UI is not showing them.

On Tuesday, 10 February 2015 17:54:15 UTC+5:30, narendra reddy wrote:
>
>
> Hi Team, 
>
> I have configured Ossec-hids-2.7 on one of my AWS instances, which has a 10.5 
> series IP. I am able to add 25+ agents from the 10.5 series, and tried adding 
> 10.9 series agents; however, I am unable to see them in the GUI and am not even 
> getting mails from the 10.9 series.
>
> I am able to ping or ssh to 10.9 series from 10.5 and vice versa, all the 
> ports are open between 10.9 and 10.5 netblock. 
>
> Any possible reason for not being able to get details from the 10.9 series? 
> Please help me.
>
> -- 
> Thanks and Regards,
> Narendra Reddy .Alla
> 91-9620525522



Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 8:01 AM, dan (ddp)  wrote:
>
> On Feb 10, 2015 7:57 AM, "Daniel Calvo Castro"
>  wrote:
>>
>> Hi again
>>
>> These brackets are for emphasis, sorry for not clarifying this, but it
>> clearly looks like it is a regexp issue. I'm going to deal with it now
>> and I'll post if I'm able to solve it. Maybe some other people are
>> dealing with this; any help would be really appreciated. Is there a ticket
>> opened on GitHub as suggested? I'll do that in that case.
>>
>
> I opened one about the regex issue I'm seeing with this.
>

Which was ultimately not an issue. Somehow utf-8 characters polluted
the log message I was testing with.

>> Kind Regards
>>
>> 2015-02-10 13:31 GMT+01:00 dan (ddp) :
>> > On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
>> >  wrote:
>> >> Just today I've been experiencing the same issues trying to get OSSIM +
>> >> OSSEC working with an asterisk box. I've followed this link [1], and trying
>> >> to enumerate users I'm able to correlate and fire mails correctly with
>> >> OSSIM, but the UI always shows $SRCIP 0.0.0.0, so it seems useless to
>> >> configure post-actions like DROP $SRCIP.
>> >>
>> >> Taking a look at the link provided, his log appears only to contain the src
>> >> IP, like this:
>> >>
>> >> May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
>> >> handle_request_register: Registration from '"355"'
>> >> failed for '[[[192.168.210.48]]]' - No matching peer found
>> >>
>> >> You can see "failed for 'x.x.x.x'" only
>> >>
>> >> But it seems like in recent versions, like mine (stable Elastix and OSSEC
>> >> 2.8), the log says "failed for 'x.x.x.x:UDPPORT'", so I figured it could be
>> >> some regexp issue; time to check.
>> >>
>> >> - The log from the post provided and the default regexp in decoder.xml,
>> >> "\d+.\d+.\d+.\d+", correctly matches SRCIP in regexpr.com but it fails; you
>> >> can try yourself:
>> >>
>> >> May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
>> >> chan_sip.c:15889 in handle_request_register: Registration from
>> >> '"355"' failed for '192.168.210.48' - No
>> >> matching peer found
>> >>
>> >>
>> >
>> > Are these brackets really in the log message, or are they there for
>> > emphasis?
>> >
>> >> - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+
>> >> correctly
>> >
>> > \. matches any single character.
>> >
>> >> matches the IP address, and for IP:UDPPORT you can use
>> >> \d+\.\d+\.\d+\.\d+\:\d+.
>> >>
>> >> But placing all these tweaks in the decoder and restarting the OSSEC server
>> >> did not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified
>> >> this OSSEC rule, as this is the event seen in the OSSIM UI when I run svwar:
>> >>
>> >>
>> >
>> > For some reason I can't get the regex to work with the single quotes
>> > around the IP address.
>> >
>> >> 
>> >> 6201
>> >> No matching peer found
>> >> Login session failed (invalid extension).
>> >> invalid_login,
>> >> 
>> >>
>> >>
>> >> I´ll keep trying tomorrow, keep in touch please!
>> >>
>> >> Kind Regards,
>> >>
>> >> Daniel
>> >>
>> >> [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
>> >>
>> >> 2015-02-09 20:21 GMT+01:00 dan (ddp) :
>> >>>
>> >>> On Mon, Feb 9, 2015 at 2:10 PM, Security 
>> >>> wrote:
>> >>> > Could be.
>> >>> > I don't know if I have to write to the dev mailing list to have it
>> >>> > fixed
>> >>> > in
>> >>> > the next release.
>> >>> > I'm running my modified version on 3 asterisk instances and I'm very
>> >>> > happy
>> >>> > with the results.
>> >>> >
>> >>>
>> >>> Your best option is to open an issue on the github.
>> >>> https://github.com/ossec/ossec-hids
>> >>> If I remember I'll try to come up with a rule that covers both the old
>> >>> and new log samples we have.
>> >>>
>> >>> > Regards,
>> >>> >
>> >>> > Simon Gillet
>> >>> >
>> >>> > Le 9 févr. 2015 à 14:08, dan (ddp)  a écrit :
>> >>> >
>> >>> > On Sun, Feb 8, 2015 at 5:26 PM, Security
>> >>> > wrote:
>> >>> >
>> >>> > Hello,
>> >>> >
>> >>> > I think the Asterisk rules could be wrong. Or at least for Ubuntu.
>> >>> > OSSEC always failed blocking brute force attempts on Asterisk.
>> >>> > A standard log entry for a brute force attempt looks like:
>> >>> >
>> >>> > Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030
>> >>> > in
>> >>> > handle_request_register: Registration from '"6100"
>> >>> > '
>> >>> > failed for '85.25.110.243:5188' - Wrong password
>> >>> >
>> >>> >
>> >>> > This log sample is different than the one we were provided
>> >>> > previously.
>> >>> >
>> >>> > I changed the rules in the decoder.xml files and I have no much
>> >>> > better
>> >>> > results.
>> >>> >
>> >>> > Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
>> >>> > brute
>> >>> > force attempts.
>> >>> >
>> >>> > Regards,
>> >>> >
>> >>> > Simon Gillet
>> >>> >
>> >>> > I changed this rule:
>> >>> >
>> >>> > 
>> >>> >  asterisk
>> >>> >  ^NOTICE[\d+]: \S+ in \S+: Registration fro
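
The two Asterisk log formats discussed in this thread (the older `failed for 'x.x.x.x'` and the newer `failed for 'x.x.x.x:port'`) can be handled by one pattern that makes the port optional. The following is an added example of mine, not an OSSEC decoder or anyone's code from this list: it is written in Python's regex syntax, which differs from OSSEC's own dialect (as dan notes, in OSSEC `\.` matches any single character, so the pattern is not a drop-in decoder), and the sample lines, the `192.0.2.0/24`-style addresses, the `<sip:...>` user part, and the five-in-120-seconds threshold are all constructed assumptions rather than OSSEC defaults. It decodes `srcip`, `srcport` and the failure reason from both formats and then applies a simple per-source frequency count of the kind a brute-force rule would use.

```python
"""Decode Asterisk registration failures (old and new formats) and count them per source IP."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog header as seen by the full line: timestamp, host, "asterisk[pid]: " and the message.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"asterisk\[\d+\]: (?P<msg>.*)$"
)

# Registration-failure message; the ":port" group is optional so that both the
# older bare-IP format and the newer IP:port format decode with one pattern.
# Hypothetical pattern in Python syntax, not OSSEC's regex dialect.
REG_FAIL = re.compile(
    r"^NOTICE\[\d+\]: \S+ in \S+: Registration from '(?P<user>[^']*)' "
    r"failed for '(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<srcport>\d{1,5}))?' "
    r"- (?P<reason>.+)$"
)


def decode(line):
    """Return the decoded fields of an Asterisk registration failure, or None."""
    head = SYSLOG_PREFIX.match(line)
    if not head:
        return None
    body = REG_FAIL.match(head.group("msg"))
    if not body:
        return None
    event = body.groupdict()
    event["srcport"] = int(event["srcport"]) if event["srcport"] else None
    event["host"] = head.group("host")
    event["ts"] = head.group("ts")
    return event


def count_failures(lines, window_seconds=120, threshold=5):
    """Return {srcip: count} for sources with >= threshold failures inside a sliding window.

    The window/threshold values are assumptions for this example, not OSSEC's
    rule settings; syslog timestamps carry no year, which is fine for deltas.
    """
    recent = defaultdict(list)
    offenders = {}
    for line in lines:
        event = decode(line)
        if event is None:
            continue
        when = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
        queue = recent[event["srcip"]]
        queue.append(when)
        # Drop events that fell out of the window.
        while queue and (when - queue[0]).total_seconds() > window_seconds:
            queue.pop(0)
        if len(queue) >= threshold:
            offenders[event["srcip"]] = len(queue)
    return offenders


# Constructed samples modelled on the two formats quoted in the thread
# (documentation addresses, made-up users).
SAMPLE_LOG = [
    # Newer format: IP:port and "Wrong password".
    "Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in "
    "handle_request_register: Registration from '\"6100\" <sip:6100@192.0.2.10>' "
    "failed for '192.0.2.10:5188' - Wrong password",
    # Older format: bare IP and "No matching peer found".
    "May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in "
    "handle_request_register: Registration from '\"355\" <sip:355@198.51.100.7>' "
    "failed for '198.51.100.7' - No matching peer found",
]


def brute_force_burst(n=6):
    """Construct n failures from one source, one second apart (sample data)."""
    return [
        f"Dec 17 22:37:{20 + i:02d} new asterisk[1]: NOTICE[2]: chan_sip.c:1 in "
        f"handle_request_register: Registration from '\"x\"' "
        f"failed for '203.0.113.5:5060' - Wrong password"
        for i in range(n)
    ]


if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(decode(sample))
    print(count_failures(brute_force_burst()))
```

Running it prints both decoded events (port `5188` for the new format, `None` for the old) and flags `203.0.113.5` once six failures arrive within the window, which is the behaviour the thread's active-response setup depends on the decoder getting right.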

Re: [ossec-list] Re: Unable to add agents from different netblocks

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 8:06 AM, narendra reddy
 wrote:
> Yes, when I installed the agent on 10.9 series machines, I am able to import
> the key and start OSSEC, but the server UI is not showing them.
>

But do the agents actually connect? You can use tcpdump on the manager
to see the traffic going back and forth.
Also, check the ossec.log on the manager. Maybe the manager is seeing
the 10.9 agents as coming from a different IP than what you were
expecting.
Lastly, check your firewalls. Maybe a firewall is blocking something.

>
> On Tuesday, 10 February 2015 17:54:15 UTC+5:30, narendra reddy wrote:
>>
>>
>> Hi Team,
>>
>> I have configured Ossec-hids-2.7 on one of my AWS instances, which has a 10.5
>> series IP. I am able to add 25+ agents from the 10.5 series, and tried adding
>> 10.9 series agents; however, I am unable to see them in the GUI and am not even
>> getting mails from the 10.9 series.
>>
>> I am able to ping or ssh to 10.9 series from 10.5 and vice versa, all the
>> ports are open between 10.9 and 10.5 netblock.
>>
>> Any possible reason for not being able to get details from the 10.9 series?
>> Please help me.
>>
>> --
>> Thanks and Regards,
>> Narendra Reddy .Alla
>> 91-9620525522
>


Re: [ossec-list] check_diff

2015-02-10 Thread alex petrov
help me please

On Monday, 9 February 2015 at 16:53:37 UTC+3, user dan (ddpbsd) wrote:
>
> On Mon, Feb 9, 2015 at 8:13 AM, alex petrov wrote: 
> >  
> > 530 
> > ossec: output: 'for /f "tokens=3*" 
> >  
> > new soft install 
> >  
> > 
> > 
> >  
> > full_command 
> > 10 
> > for /f "tokens=3*" %a in ('reg query 
> > "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s ^| find /i 
> > "DisplayName"') do @echo %a%b 
> >  
> > 
> > 
> > but there is only a single file in the directory /var/ossec/queue/diff/tes 
> > /700086/, only one file 'last-entry', not what it compares with. How do I 
> > get files like "state.1412050724", for example? 
> > 
>
> Looks like I was confused, I was thinking syscheck. Sorry about that. 
>
> Does the last-entry file contain the current output from the command? 
>
>
> > On Monday, 9 February 2015 at 16:08:11 UTC+3, user dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Feb 9, 2015 at 6:07 AM, alex petrov wrote: 
> >> > Help please. Why, when I use check_diff, is there only one file 
> >> > 'last-entry' created in the directory /var/ossec/queue/diff/tes /700086/ 
> >> > instead of multiple files with changes? 
> >> > 
> >> 
> >> Are all of these files text files? 
> >> Has a syscheck scan been run since they were changed? 
> >> 


Re: [ossec-list] OSSEC profile by regex

2015-02-10 Thread Rodrigo Montoro(Sp0oKeR)
Hi there!

I'm interested in this test too. Anyway, maybe profiles could fit your
needs?

http://ossec-docs.readthedocs.org/en/latest/syntax/head_agent_config.html#options

Good read
https://groups.google.com/forum/#!topic/ossec-list/KKdsgYDiiks
https://groups.google.com/forum/#!topic/ossec-list/L32Fbdz1AiU

Thanks

On Tue, Feb 10, 2015 at 10:23 AM, dan (ddp)  wrote:

> On Tue, Feb 10, 2015 at 7:00 AM, Ricardo Perre  wrote:
> > Hello,
> >
> > Is it possible to define a profile based on "name" filtered by regex?
> > In documentation we have:
> >
> >
> > 
> > 
> > /var/log/my.log
> > syslog
> > 
> > 
> >
> > 
> > 
> > /var/log/my.log2
> > syslog
> > 
> > 
> >
> > 
> > 
> > C:\myapp\my.log
> > syslog
> > 
> > 
> >
> >
> >
> > Can i use something like this?
> >
> >
> > 
> > 
> > /var/log/my.log
> > syslog
> > 
> > 
> >
> >
> > 
> > 
> > /var/log/my.log2
> > syslog
> > 
> > 
> >
> > 
> > 
> > C:\myapp\my.log
> > syslog
> > 
> > 
> >
>
> Try it and report back.
>
> >
> > Thanks for your time.
> >
>
> Thank you for yours.
>
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker



Re: [ossec-list] check_diff

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 8:43 AM, alex petrov  wrote:
> help me please
>

Make sure there are changes between runs? Maybe increase the frequency
(10 is very small)?

I don't really have any ideas of what to look at, and I don't have any
systems to test this on.

> On Monday, 9 February 2015 at 16:53:37 UTC+3, user dan (ddpbsd) wrote:
>>
>> On Mon, Feb 9, 2015 at 8:13 AM, alex petrov  wrote:
>> > 
>> > 530
>> > ossec: output: 'for /f "tokens=3*"
>> > 
>> > new soft install
>> > 
>> >
>> >
>> > 
>> > full_command
>> > 10
>> > for /f "tokens=3*" %a in ('reg query
>> > "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s ^| find /i
>> > "DisplayName"') do @echo %a%b
>> > 
>> >
>> >
>> > but there is only a single file in the directory /var/ossec/queue/diff/tes
>> > /700086/, only one file 'last-entry', not what it compares with. How do I
>> > get files like "state.1412050724", for example?
>> >
>>
>> Looks like I was confused, I was thinking syscheck. Sorry about that.
>>
>> Does the last-entry file contain the current output from the command?
>>
>>
>> > On Monday, 9 February 2015 at 16:08:11 UTC+3, user dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Feb 9, 2015 at 6:07 AM, alex petrov wrote:
>> >> > Help please. Why, when I use check_diff, is there only one file
>> >> > 'last-entry' created in the directory /var/ossec/queue/diff/tes /700086/
>> >> > instead of multiple files with changes?
>> >> >
>> >>
>> >> Are all of these files text files?
>> >> Has a syscheck scan been run since they were changed?
>> >>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
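
The confusion in this thread is between two different OSSEC mechanisms: syscheck keeps `state.<timestamp>` copies of changed files, while a `full_command` entry with `check_diff` only keeps the previous command output in `queue/diff/<name>/last-entry` and reports the difference in the alert. The block below is an added example of mine, not OSSEC's code, that emulates that bookkeeping so the `last-entry`-only layout alex sees makes sense; the behaviour on the very first run (seed the file, alert nothing), the diff format, and the sample Windows "installed programs" output are assumptions, not verified OSSEC internals.

```python
"""Emulate the bookkeeping behind check_diff for a full_command entry (added example, not OSSEC code)."""
import difflib
import os
import tempfile

LAST_ENTRY = "last-entry"  # the only file OSSEC keeps per check_diff command (assumption)


def check_diff(state_dir, name, output):
    """Compare `output` with the stored last-entry for `name`.

    Returns None when nothing changed (including the first run, which only
    seeds last-entry); otherwise a unified diff between the previous and the
    current output. last-entry is always overwritten with `output`, so there
    is never more than one state file per command.
    """
    entry_dir = os.path.join(state_dir, name)
    os.makedirs(entry_dir, exist_ok=True)
    path = os.path.join(entry_dir, LAST_ENTRY)

    previous = None
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            previous = fh.read()

    with open(path, "w", encoding="utf-8") as fh:
        fh.write(output)

    if previous is None or previous == output:
        return None
    return "\n".join(difflib.unified_diff(
        previous.splitlines(), output.splitlines(),
        fromfile=LAST_ENTRY, tofile="current", lineterm=""))


# Constructed output of the page's `reg query ... DisplayName` loop, i.e. the
# installed-programs list on a Windows agent (sample values, not real data).
RUN_1 = "7-Zip 9.20\nGoogle Chrome\nMicrosoft Visual C++ 2010 Redistributable\n"
RUN_2 = RUN_1                                    # nothing installed or removed
RUN_3 = RUN_1 + "Example Backup Agent 1.0\n"     # a new program appears


def demo():
    """Run three successive command outputs through check_diff in a scratch directory.

    Returns (first, second, third, files): None for the seeding run, None for
    the unchanged run, the diff text for the run with a new program, and the
    file names left in the state directory (only last-entry).
    """
    with tempfile.TemporaryDirectory() as tmp:
        first = check_diff(tmp, "installed_software", RUN_1)
        second = check_diff(tmp, "installed_software", RUN_2)
        third = check_diff(tmp, "installed_software", RUN_3)
        files = sorted(os.listdir(os.path.join(tmp, "installed_software")))
    return first, second, third, files


if __name__ == "__main__":
    first, second, third, files = demo()
    print("state files:", files)
    print("first run:", first, "| second run:", second)
    print("third run diff:\n" + third)
```

The diff that `demo()` returns on the third run is what would end up in the alert body (the rule on the page matches on `ossec: output: 'for /f "tokens=3*"` to describe it as a new software install); the state directory still contains only `last-entry`, which matches what alex reports.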


[ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread shankey
Hi Team,

Can I use OSSEC as a FIM solution to clear my PCI audit? If yes, then help 
me with the hardware requirements and installation procedure.

Regards
Shankey 



Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread Kevin Wilcox
On 10 February 2015 at 11:42, shankey  wrote:
> Hi Team,
>
> Can I use OSSEC as a FIM solution to clear my PCI audit? If yes, then help
> me with the hardware requirements and installation procedure.
>
> Regards
> Shankey
>


Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 11:42 AM, shankey  wrote:
> Hi Team,
>
> Can I use OSSEC as a FIM solution to clear my PCI audit? If yes, then help
> me with the hardware requirements and installation procedure.
>

OSSEC's syscheck functionality provides some file integrity monitoring
capabilities: 
http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/index.html

> Regards
> Shankey
>


Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread Kevin Wilcox
On 10 February 2015 at 11:44, Kevin Wilcox  wrote:

> On 10 February 2015 at 11:42, shankey  wrote:

>> Can I use OSSEC as a FIM solution to clear my PCI audit? If yes, then help
>> me with the hardware requirements and installation procedure.

Sorry about the blank reply, folks, the "..." and the "Send" in Gmail
are too close together on my laptop screen.

Shankey - yes, there are people who are successfully using OSSEC to
meet the FIM requirements in PCI.

Your hardware requirements and the installation process will depend on
the number of clients you're deploying. You will need to tune it to
your environment by modifying the directories and files to be
monitored (and whether you need that monitoring to happen in
real-time).

kmw
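
As a concrete illustration of the tuning Kevin describes (choosing the directories to watch and deciding where real-time monitoring is worth it), here is an added example of a syscheck configuration fragment. It is mine, not from this thread or from the OSSEC project's shipped defaults; the paths, the 6-hour scan interval and the ignore entries are assumptions for a generic Linux server and need adjusting to the system being audited.

```xml
<ossec_config>
  <syscheck>
    <!-- Full scheduled scan interval in seconds (6 hours here; an assumption, tune to your environment) -->
    <frequency>21600</frequency>

    <!-- check_all hashes and records permissions/ownership; realtime reports changes
         as they happen instead of waiting for the next scheduled scan. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- report_changes adds a diff of text files to the alert, useful for web content
         and scripts where you want to see *what* changed, not just that it changed. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/www/html</directories>

    <!-- Files that change constantly and would otherwise bury real alerts in noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">^/var/www/html/cache</ignore>
  </syscheck>
</ossec_config>
```

Real-time monitoring on a few hundred agents multiplies inotify watches and alert volume, so keep it to the directories that matter for the audit scope and leave the rest to the scheduled scan.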



Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread shankey
Hi Team,

There are around 500 servers which need to be monitored through the (manager) 
OSSEC server; we would require all system and application logs for the 
audit and compliance.
Based on that, can you suggest how I should go ahead?

It would be great if you can share the step-by-step process and hardware 
spec to implement the same in our environment.

FYI: I am not very familiar with Linux.


On Tuesday, February 10, 2015 at 10:18:44 PM UTC+5:30, thefergus wrote:

> On 10 February 2015 at 11:44, Kevin Wilcox wrote: 
>
> > On 10 February 2015 at 11:42, shankey wrote: 
>
> >> Can I use OSSEC as a FIM solution to clear my PCI audit? If yes, then help 
> >> me with the hardware requirements and installation procedure. 
>
> Sorry about the blank reply, folks, the "..." and the "Send" in Gmail 
> are too close together on my laptop screen. 
>
> Shankey - yes, there are people who are successfully using OSSEC to 
> meet the FIM requirements in PCI. 
>
> Your hardware requirements and the installation process will depend on 
> the number of clients you're deploying. You will need to tune it to 
> your environment by modifying the directories and files to be 
> monitored (and whether you need that monitoring to happen in 
> real-time). 
>
> kmw 
>



Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread Eero Volotinen
2015-02-10 18:42 GMT+02:00 shankey :

> Hi Team,
>
> Can I use OSSEC as a FIM solution to clear my PCI audit? If yes,
>

Yes, it can act as fim.


> then help me with the hardware requirements and installation procedure.
>

Err. Maybe you need to hire a consultant..

--
Eero



[ossec-list] Re: Do CDB lists require ossec to be restarted?

2015-02-10 Thread Jose Moreno
Hi Dan,

Thanks very much for the reply.

I'll go on trying to figure out why we need to restart OSSEC. I hope to bring 
the findings soon.

Kind regards,
Jose Moreno

El martes, 10 de febrero de 2015, 9:36:21 (UTC), Jose Moreno escribió:
>
> Hi,
>
> We are using CDB lists for a number of tasks. They work fine, but when a 
> list is updated, just running ossec-makelists won't make ossec-analysisd 
> take the new information into account; we need to restart OSSEC.
>
> Is that the expected behaviour or is there a way to use a CDB list as a 
> dynamic list that can get data added or stripped and OSSEC using it without 
> restarting?
>
> Thanks very much in advance.
> Kind regards,
> Jose Moreno
>
>
> PS I've searched in the list to see if this same question has been asked 
> before but didn't find it; sorry if I missed anything.
>



Re: [ossec-list] Re: Do CDB lists require ossec to be restarted?

2015-02-10 Thread Michael Starks

On 2015-02-10 11:45, Jose Moreno wrote:

> Hi Dan,
>
> Thanks very much for the reply.
>
> I'll go on trying to figure out why we need to restart OSSEC. I hope to
> bring the findings soon.
>
> Kind regards,
> Jose Moreno


I have observed this behavior in the past as well. CDB is supposed to 
not require a restart, but I have observed that updates did not become 
effective until OSSEC was restarted.

