Re: [ossec-list] false positive when "netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort" because of Recv-Q

2015-03-31 Thread Philipp Hoferichter
Hi, 

any news about this topic? 
I also have the need to disable the "netstat" part (preferably to disable it 
globally on the management server); is this possible? 

best regards 

philipp 

On Tuesday, January 13, 2015 at 1:43:21 PM UTC+1, Yaniv Ron wrote:
>
> How can I import the agents without this command? (meaning that I do not 
> want my agents to run it at all)
>
>
> On Mon, Jan 12, 2015 at 6:42 PM, Ming wrote:
>
>> Thanks Dan, opened an issue here: 
>> https://github.com/ossec/ossec-hids/issues/495
>>
>>
>>
>> On Thursday, January 8, 2015 at 9:38:32 PM UTC+8, dan (ddpbsd) wrote:
>>>
>>> On Wed, Jan 7, 2015 at 9:39 PM, Ming wrote: 
>>> > Thanks Dan, 
>>> > 
>>> > It works! Do you think it will be included in the coming update of OSSEC? 
>>> > 
>>>
>>> It's never come up before. Please open an issue about it on 
>>> https://github.com/ossec/ossec-hids and it'll get some attention. 
>>>
>>> > 
>>> > 
>>> > On Wednesday, January 7, 2015 at 9:12:29 PM UTC+8, dan (ddpbsd) wrote: 
>>> >> 
>>> >> On Mon, Jan 5, 2015 at 10:56 PM, Ming wrote: 
>>> >> > Hi all, 
>>> >> > 
>>> >> > I received an alert for a port change; however, there is no change except 
>>> >> > in "Recv-Q". How can I correct it to properly detect port changes? 
>>> >> > Thank you all. 
>>> >> > 
>>> >> > OSSEC version: 2.8.1 
>>> >> > 
>>> >> > 
>>> >> > OSSEC HIDS Notification. 
>>> >> > 2015 Jan 06 11:21:11 
>>> >> > 
>>> >> > Received From: www->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort 
>>> >> > Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed 
>>> >> > (new port opened or closed)." 
>>> >> > Portion of the log(s): 
>>> >> > 
>>> >> > ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort': 
>>> >> > tcp    0  0 0.0.0.0:443  0.0.0.0:*  LISTEN 
>>> >> > tcp    0  0 0.0.0.0:80   0.0.0.0:*  LISTEN 
>>> >> > tcp6   0  0 ::1:25       :::*       LISTEN 
>>> >> > tcp6   0  0 :::21        :::*       LISTEN 
>>> >> > Previous output: 
>>> >> > ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort': 
>>> >> > tcp    0  0 0.0.0.0:80   0.0.0.0:*  LISTEN 
>>> >> > tcp    3  0 0.0.0.0:443  0.0.0.0:*  LISTEN 
>>> >> > tcp6   0  0 ::1:25       :::*       LISTEN 
>>> >> > tcp6   0  0 :::21        :::*       LISTEN 
>>> >> > 
>>> >> 
>>> >> Perhaps modify the script to be something like: 
>>> >> `netstat -tan | grep LISTEN |grep -v 127.0.0.1 | awk '{ print $1,$4,$5 }' | sort` 
>>> >> 
>>> >> > -- 
>>> >> > 
>>> >> > --- 
>>> >> > You received this message because you are subscribed to the Google 
>>> >> > Groups 
>>> >> > "ossec-list" group. 
>>> >> > To unsubscribe from this group and stop receiving emails from it, 
>>> send 
>>> >> > an 
>>> >> > email to ossec-list+...@googlegroups.com. 
>>> >> > For more options, visit https://groups.google.com/d/optout. 
>>> > 
> -- 
> Yaniv Ron
> +972-3-7298582
> Security Department | Viber S.a.r.l | www.viber.com | yron@viber.com



Re: [ossec-list] false positive when "netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort" because of Recv-Q

2015-03-31 Thread dan (ddp)
On Tue, Mar 31, 2015 at 9:59 AM, Philipp Hoferichter wrote:
> Hi,
>
> any news about this topic?
> I also have the need to disable the "netstat" part (preferably to disable it
> globally on the management server); is this possible?
>

I haven't seen anything in github (commits, pull requests, or issues)
related to a knob for turning off this check.

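Dan's awk variant, worked through as an added example (a shell script written for this page, not code from the thread or from OSSEC): the stock command hands the full netstat lines to OSSEC, and the output comparison behind rule 533 treats a change in the Recv-Q column (0 versus 3 on port 443 in Ming's alert) as a change in listening ports. Printing only $1, $4 and $5 drops Recv-Q and Send-Q, so two snapshots compare equal unless a listener really appears or disappears. The snapshots below are constructed to mirror the thread's output; note that grep -v 127.0.0.1 filters only IPv4 loopback, so the ::1:25 line stays in the comparison exactly as it does in Ming's alert.

```shell
#!/bin/sh
# Added example (not code from the thread or from the OSSEC project). It shows why
# "netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort" trips rule 533 on a queue
# depth change, and how the awk variant avoids it: columns 2 and 3 (Recv-Q / Send-Q)
# are dropped, so only protocol, local address and foreign address are compared.

# Dan's normalisation: keep $1 (proto), $4 (local addr:port), $5 (foreign addr).
# LC_ALL=C makes the sort order independent of the locale of the box running this.
normalize_listeners() {
    grep LISTEN | grep -v 127.0.0.1 | awk '{ print $1, $4, $5 }' | LC_ALL=C sort
}

# The unmodified command, for comparison.
raw_listeners() {
    grep LISTEN | grep -v 127.0.0.1 | LC_ALL=C sort
}

# Constructed snapshots modelled on the thread: same listeners, but the 443 socket
# has 3 connections waiting in Recv-Q in the first one and 0 in the second.
SNAPSHOT_OLD='tcp        3      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN'

SNAPSHOT_NEW='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN'

# A real change: the FTP listener on port 21 has gone away.
SNAPSHOT_PORT_CLOSED='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN'

# Returns 0 when two snapshots agree after the given filter, 1 when they differ,
# i.e. when OSSEC would see a changed output and raise rule 533.
same_after() {
    filter=$1
    [ "$(printf '%s\n' "$2" | "$filter")" = "$(printf '%s\n' "$3" | "$filter")" ]
}

# Number of listening sockets the normalised view contains.
listener_count() {
    printf '%s\n' "$1" | normalize_listeners | awk 'END { print NR }'
}

if same_after raw_listeners "$SNAPSHOT_OLD" "$SNAPSHOT_NEW"; then
    echo "raw command: no change"
else
    echo "raw command: differs -> rule 533 fires on Recv-Q alone"
fi
if same_after normalize_listeners "$SNAPSHOT_OLD" "$SNAPSHOT_NEW"; then
    echo "awk variant: no change"
fi
if ! same_after normalize_listeners "$SNAPSHOT_OLD" "$SNAPSHOT_PORT_CLOSED"; then
    echo "awk variant: port 21 closed -> still detected"
fi
```

Run it with sh on any host that has awk; the three checks at the bottom print which comparisons differ. If IPv6 loopback should be ignored as well, extend the grep -v step to cover ::1 before the awk step.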


[ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-31 Thread Nhen Panha
Sorry sir!

My skill is Cisco configuration. I don't know how to configure Windows to 
track the information.
Could you help me please?

On Sunday, March 29, 2015 at 6:22:01 PM UTC+7, Nhen Panha wrote:
>
> Hi sir!
>
> Last week I installed OSSEC to monitor my Windows Server and Windows 
> 8.1.
>
> I want to control all the activities that users do in my Windows, for 
> example I want to know when a user opens a browser, copies a document, .
>
> How should I configure the OSSEC manager and my Windows?
>
> Help me please?
>



[ossec-list] Re: send eventlog to ossec

2015-03-31 Thread SoulAuctioneer
I created an issue to investigate this further:

https://github.com/ossec/ossec-hids/issues/568

From what you have shown, it looks like it should work according to the 
examples given in the documentation. I'll have to dig deeper to understand 
more.



Re: [ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-31 Thread Eero Volotinen
How about reading the documentation?

Eero
On 31.3.2015 at 6:17 PM, "Nhen Panha" wrote:



[ossec-list] Please help with CDB lists....

2015-03-31 Thread Brent Morris
*Raw Log...*

2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 06:37:27.465 PM  ProcessGuid: {7531FA7E-E967-551A--0010D2A58706}  ProcessId: 5868  Image: C:\Folder\Folder\file.exe  CommandLine: C:\Folder\Folder\file.exe  User: DOMAIN\Username  LogonGuid: {7531FA7E-E963-551A--0020EB238706}  LogonId: 0x68723eb  TerminalSessionId: 1  IntegrityLevel: no level  HashType: SHA1  Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38  ParentProcessGuid: {7531FA7E-E965-551A--0010038F8706}  ParentProcessId: 476  ParentImage: C:\Folder\Folder\Parent.exe  ParentCommandLine: "C:\Folder\Folder\Parent.exe"

*Decoded...*

**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'C:\Folder\Folder\file.exe'
   dstuser: 'DOMAIN\Username'
   url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
   extra_data: 'C:\Folder\Folder\Parent.exe'

**Phase 3: Completed filtering (rules).
   Rule id: '100242'
   Level: '12'
   Description: 'Unauthorized Process Detected'
**Alert to be generated.


*Rules...*


  18100
  rules/lists/filelist
  Authorized Process



  18100
  rules/lists/filelist
  Unauthorized Process


*CDB file contents...*

19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe

*Goal:*

I would like to monitor a system for expected behavior and receive alerts 
when unexpected behavior occurs.  I have a list of SHA1 hashes of the 
executables as in the CDB file contents above.  I simply want an alert when 
there are processes executed from this system outside of its baseline.

*Issue:*  

I cannot get a MATCH to work in the CDB.  Maybe it's something simple and 
I've just been looking at this too long.  I've commented out the 100242 
rule and I cannot get 100241 to work.  

Much of the documentation supports no file extensions on the cdb lists in 
the ossec.conf and in the rules.xml - although I can find examples where 
people have included extensions...

Maybe something silly I've overlooked?  Please... someone slap some sense 
into me!!! 

Thank you!






[ossec-list] Re: send eventlog to ossec

2015-03-31 Thread zen . xen3


Hello,

Maybe this will be a small hint on how to resolve my problem; I am still stuck on 
this problem.

I noticed that when the agent ossec.conf contains

   
Security
*eventlog*
  

all events are sent to the OSSEC server, but when I change eventlog to 
eventchannel

   
Security
*eventchannel*
  

nothing is sent; it looks like the agent doesn't know what to do.

Besides, I found a small error in the entry

  Event/*System*[EventID=4625]

I changed that to 

  Event/*Security*[EventID=4625]

but it also didn't help much.

regards,



[ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-31 Thread Janis Zoldners
Starting point - Windows 8 and Windows Server 2012 Security Event Details:
http://www.microsoft.com/en-us/download/details.aspx?id=35753 

For example, Windows process tracking:
1) Enable Advanced Audit Policy Configuration -> Detailed Tracking -> Audit 
Process Creation (Success)

2) Create test OSSEC rule (/var/ossec/rules/msauth_rules.xml)
  
18104
^4688$
A new process has been created
  

3) Create rule(s) according to your environment, for example:
  
18160
^4688$
cmd.exe
CMD has been started
  





[ossec-list] Re: Please help with CDB lists....

2015-03-31 Thread DefensiveDepth
1) Confirm that you have the list referenced in ossec.conf, i.e. 
lists/psexec

2) Create the cdb file with no extension, i.e. vi /var/ossec/lists/psexec
3) Run /var/ossec/bin/ossec-makelists; it should create a file named 
psexec.cdb in the lists folder

When doing my first CDB list a couple of months back I ran into some weird 
issues with ossec-makelists & file extensions... The above are my raw 
notes that eventually worked.

-Josh



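An added example for this thread (a shell script written for this page, not code from Brent, Josh or OSSEC) that puts Josh's three steps together with the match Brent is after: it writes the source list in the key:value layout that ossec-makelists compiles, extracts the SHA1 from a Sysmon "Process Create" line like the one in the raw log, and mimics an exact-key lookup so the list contents can be checked before compiling. Assumptions, also labelled in the comments: the list file lives at $LIST_DIR/filelist with no extension, as Josh's notes recommend; a CDB key lookup compares bytes exactly, so the hash in the list must be written in the same case the decoder emits (upper-case, as in the Phase 2 output, which also shows the hash landing in the url field, the field the rule's list lookup would have to name); the event lines and the second hash are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC. It builds a CDB source list
# in the key:value layout ossec-makelists compiles, pulls the SHA1 out of a Sysmon
# "Process Create" line like the one in the thread, and mimics a match_key lookup so
# the list can be sanity-checked before it is compiled.
# Assumptions (not stated on the page): the list lives at $LIST_DIR/filelist with no
# extension, as Josh's notes recommend; a CDB key lookup is an exact byte comparison,
# so the hash must be written exactly as the decoder emits it (upper-case hex here).

LIST_DIR="${LIST_DIR:-$(mktemp -d)}"
LIST_FILE="$LIST_DIR/filelist"

# Baseline: one "<SHA1>:<label>" line per approved executable. Only the key (the
# text before the first ':') takes part in a match_key lookup; the label is for humans.
write_baseline() {
    cat > "$LIST_FILE" <<'EOF'
19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe
0123456789ABCDEF0123456789ABCDEF01234567:Parent.exe
EOF
}

# Pull the "Hash: <40 hex>" value out of a Sysmon event line (empty if absent).
extract_hash() {
    printf '%s\n' "$1" | sed -n 's/.*Hash: \([0-9A-Fa-f]\{40\}\).*/\1/p'
}

# Exact-key lookup: succeed only if a line starts with "<hash>:". A hash is hex
# only, so it is safe to use inside the grep pattern.
hash_in_baseline() {
    [ -n "$1" ] && grep -q "^$1:" "$LIST_FILE"
}

# Classify one event line the way the two rules in the thread are meant to:
# "authorized" when the hash is on the list, "unauthorized" otherwise.
classify_event() {
    if hash_in_baseline "$(extract_hash "$1")"; then
        echo authorized
    else
        echo unauthorized
    fi
}

# Constructed events modelled on the thread's raw log (GUIDs and IDs left out).
KNOWN_EVENT='Sysmon: Process Create:  Image: C:\Folder\Folder\file.exe  User: DOMAIN\Username  HashType: SHA1  Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38  ParentImage: C:\Folder\Folder\Parent.exe'
UNKNOWN_EVENT='Sysmon: Process Create:  Image: C:\Temp\unknown.exe  User: DOMAIN\Username  HashType: SHA1  Hash: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF  ParentImage: C:\Windows\explorer.exe'

write_baseline
echo "file.exe    -> $(classify_event "$KNOWN_EVENT")"
echo "unknown.exe -> $(classify_event "$UNKNOWN_EVENT")"

# Compile the list when an OSSEC install is present; this is step 3 of Josh's notes.
if [ -x /var/ossec/bin/ossec-makelists ]; then
    /var/ossec/bin/ossec-makelists
fi
```

Point LIST_DIR at /var/ossec/lists on a manager to write the real source file; the lookup check is the part worth running first, because a lower-case hash in the list silently fails to match the upper-case value Sysmon and the windows decoder produce.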


[ossec-list] Re: send eventlog to ossec

2015-03-31 Thread SoulAuctioneer
I confirmed in the code that the query is getting passed to EvtSubscribe() 
and an error should get generated and show in the logs if the query is 
malformed in any way. There have been a large number of changes to the 
eventchannel code in 2.9, which is still beta. Let me find a download link 
for that version and have you try it out there. If it still doesn't work we 
can do some deeper-dive troubleshooting.
