Re: [ossec-list] ossec-authd disable SSLv3

2015-07-03 Thread Björn


On Tuesday, June 23, 2015 at 16:29:44 UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Jun 23, 2015 at 10:22 AM, Björn wrote:
> > Hello, 
> > 
> > is there any way to disable SSLv3 in ossec-authd actually? 
> > 
>
> I could be misunderstanding it, but this commit should force TLS 1.2:
>
> https://github.com/ossec/ossec-hids/commit/9e47258b712b66673ebbc0e475e4da899e30ab4c
>  
>

Yes, this is working fine for me! 
Thanks! 
 

>
> > Best Regards, 
> > Bjoern 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: OSSEC is making AWS EC2 instance w/ Centos 7 become unresponsive

2015-07-03 Thread Kat
I have seen many issues with CentOS 7 becoming unresponsive. Kernel issues.
Try removing OSSEC, but my guess is it will still hang. Are you current on
all patches?

-K

On Thursday, July 2, 2015 at 6:47:53 PM UTC-7, Caleb P wrote:
>
> If I start OSSEC, my Centos 7 AWS instance becomes unresponsive after a 
> short while (under 30 mins usually). httpd and ssh do not respond ever 
> until I go into the AWS console to reboot it. 
>
> I've looked through various logs, but half the stuff I don't know what it 
> is. What logs should I examine for problems, and anything in particular I 
> should look for?  Has anyone had this happen before?
>
> While running top, the last process to show was ossec-syscheckd when the 
> system crashed. It was at 30.2% CPU usage and 0.2% memory. 
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
>  1009 root      20   0    5388   1624    672 R  30.2  0.2   0:05.91 ossec-syscheckd
>  1290 apache    20   0  561900  15720   4984 S   6.3  1.5   0:00.39 httpd
>    25 root      20   0       0      0      0 R   0.7  0.0   0:00.14 rcuos/0
>   299 root       0 -20       0      0      0 S   0.3  0.0   0:00.03 kworker/0:1H
>  1276 centos    20   0  130024   1816   1276 R   0.3  0.2   0:00.42 top
>     1 root      20   0   56636   6724   3940 S   0.0  0.7   0:02.14 systemd
>
>
>
> Appreciate any suggestions or ideas! Thanks
> Caleb
>
>
>



[ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-03 Thread theresa mic-snare
 

hi ossec'ers,


my problem is I can't send out any emails/alert notifications with the
ossec-maild process. I'm relaying my emails through ssmtp; the
configuration is valid because I'm able to send out mails to external
addresses through mailx, for instance. But for some reason OSSEC just won't
send any emails out.

I have the following in my global ossec.conf:

  <global>
    <email_notification>yes</email_notification>
    <email_to>x...@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>x...@gmail.com</email_from>
  </global>

So by localhost or 127.0.0.1 it should use ssmtp to send out emails, right?


Does the email_from field require an ossecm@realdomain address? Or can this be
a gmail address as well? Does it mean the ossecm user needs to send out
these alerts?

Again, tests to send out emails through ssmtp via mailx have been
successful, so I doubt it's an ssmtp issue here.

Also, what I find a little odd is that when I restart OSSEC through
ossec-control all the services/processes should be restarted in a specific
order, right? However, when I look at the ossec.log in
/var/ossec/logs/ossec.log, ossec-maild isn't mentioned at all. The
process itself runs, though, when I do a ps -ef | grep ossec-maild.

my question now: how can I get the email notification in OSSEC to work?!


thanks!
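An added diagnostic for the question above (not OSSEC's code and not from the poster): ossec-maild does not hand mail to a local sendmail binary, it opens a TCP connection to the configured smtp_server on port 25 and speaks SMTP itself, while ssmtp is a sendmail-compatible client that never listens on a port. The probe below does exactly the opening steps ossec-maild does (connect, read banner, EHLO) so you can see what the manager sees for a given smtp_server; the hostname `ossec-manager`, the port defaults and the in-process fake responder are assumptions/constructed for offline use.

```python
import socket
import threading

SMTP_PORT = 25  # ossec-maild always connects to tcp/25 on <smtp_server>

def read_reply(sock):
    """Read one full SMTP reply (handles 250-... continuation lines)."""
    buf = b""
    while not buf.endswith(b"\r\n") or buf.split(b"\r\n")[-2][3:4] != b" ":
        chunk = sock.recv(4096)
        if not chunk:          # peer closed mid-reply
            break
        buf += chunk
    lines = [l.decode("ascii", "replace") for l in buf.split(b"\r\n") if l]
    code = int(lines[-1][:3]) if lines and lines[-1][:3].isdigit() else None
    return code, lines

def probe_smtp(host, port=SMTP_PORT, helo="ossec-manager", timeout=3.0):
    """Do what ossec-maild does first: connect, read banner, send EHLO."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner, _ = read_reply(s)
            s.sendall(f"EHLO {helo}\r\n".encode("ascii"))
            ehlo, _ = read_reply(s)
            s.sendall(b"QUIT\r\n")
        return {"ok": banner == 220 and ehlo == 250,
                "banner": banner, "ehlo": ehlo, "error": None}
    except OSError as e:
        # "Connection refused": the usual result when only ssmtp (a client) is installed
        return {"ok": False, "banner": None, "ehlo": None, "error": str(e)}

def fake_smtp_server():
    """Constructed in-process responder so the probe can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            for line in rd:
                if line.upper().startswith(b"EHLO"):
                    conn.sendall(b"250-fake.example\r\n250 8BITMIME\r\n")
                elif line.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Running `probe_smtp("localhost")` on the manager shows whether the smtp_server value in ossec.conf points at something that actually answers; a refused connection means a listening MTA (Postfix, sendmail, or a remote relay host) is needed rather than ssmtp.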



[ossec-list] Re: New opensource SIEM (LightSIEM) with OSSEC support

2015-07-03 Thread theresa mic-snare
sounds awesome, great work Daniil!

just out of curiosity, why did you decide to go with snort instead of
suricata?
http://suricata-ids.org

keep up the good work!

On Saturday, March 28, 2015 at 17:29:54 UTC+1, Daniil Svetlov wrote:
>
> Hi, community!
>
> I have suffered from the lack of a SIEM system for OSSEC for several years. I tried
> Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted
> it after a few hours. For a long time I sent OSSEC alerts to Prelude IDS and
> used Prewikka as the web interface, but it had some bugs and was not actively
> developed.
>
> I saw several articles about parsing OSSEC in Logstash and Elasticsearch.
> It inspired me to create a batch of configs for parsing OSSEC and Snort
> logs.
> I created some patterns for parsing OSSEC and Snort alerts and now I plan
> to add more possible event sources. I wrote configs for Elasticsearch and
> Logstash and made a few dashboards for Kibana as the main part of the WebUI.
> Kibana hasn't got built-in authentication, so I found another project,
> Kibana Authentication Proxy, and added it to my configuration too.
> I have also created a common model for SIEM messages based on the IDMEF
> class hierarchy. I hope it will help to normalize events from different
> sources to one format, and that will help to analyze and visualize them.
>
> At the end of all that work I have made an Ansible playbook for easy and fast
> deployment of all the stuff and configs. So, my playbook takes all those things
> together and runs them.
>
> Try the LightSIEM project on GitHub: https://github.com/dsvetlov/lightsiem
>
> Hope it will help somebody to deploy a free and open-source SIEM.
>
> I will be thankful for all your comments, advice and suggestions.
>



Re: [ossec-list] Re: New opensource SIEM (LightSIEM) with OSSEC support

2015-07-03 Thread Daniil Svetlov
Hello, Theresa!

I'm not going with snort instead of suricata. I have a production snort
deployment at my work. It provides access to a big amount of log samples and
user experience for LightSIEM.

Anyway, suricata supports all relevant snort log formats, so you can use
all types of snort input in LightSIEM with suricata. If you find some
errors, feel free to report them; I will try to help and fix them.

On Fri, Jul 3, 2015 at 20:14, theresa mic-snare wrote:

> sounds awesome, great work Daniil!
>
> just out of curiosity, why did you decide to go with snort instead of
> suricata?
> http://suricata-ids.org
>
> keep up the good work!
>
>
-- 
Best regards, Daniil Svetlov.
