[ossec-list] Re: OSSEC is making AWS EC2 instance w/ Centos 7 become unresponsive

2015-07-03 Thread Kat
I have seen many issues with CentOS 7 becoming unresponsive. Kernel issues. 
 Try removing OSSEC, but my guess, it will still hang. Are you current on 
all patches?

-K

On Thursday, July 2, 2015 at 6:47:53 PM UTC-7, Caleb P wrote:

 If I start OSSEC, my Centos 7 AWS instance becomes unresponsive after a 
 short while (under 30 mins usually). httpd and ssh do not respond ever 
 until I go into the AWS console to reboot it. 

 I've looked through various logs, but half the stuff I don't know what it 
 is. What logs should I examine for problems, and anything in particular I 
 should look for?  Has anyone had this happen before?

 While running top, the last process to show was ossec-syscheckd when the 
 system crashed. It was at 30.2% CPU usage and 0.2% memory. 
  PID USER     PR  NI    VIRT    RES    SHR S %CPU %MEM   TIME+ COMMAND
 1009 root     20   0    5388   1624    672 R 30.2  0.2 0:05.91 ossec-syscheckd
 1290 apache   20   0  561900  15720   4984 S  6.3  1.5 0:00.39 httpd
   25 root     20   0       0      0      0 R  0.7  0.0 0:00.14 rcuos/0
  299 root      0 -20       0      0      0 S  0.3  0.0 0:00.03 kworker/0:1H
 1276 centos   20   0  130024   1816   1276 R  0.3  0.2 0:00.42 top
    1 root     20   0   56636   6724   3940 S  0.0  0.7 0:02.14 systemd



 Appreciate any suggestions or ideas! Thanks
 Caleb




-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
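Added example (not from this thread and not OSSEC code): a small Python triage script for the "what logs should I examine, and what should I look for" question above. It scans /var/log/messages (or `journalctl -k` output) for the kernel messages that usually accompany a box going unresponsive (OOM kills, soft lockups, hung tasks, RCU stalls) and ties them to a process name such as ossec-syscheckd. The marker patterns follow the kernel's own wording; the embedded log lines are constructed for the demo, not taken from Caleb's instance.

```python
"""Triage helper for a host that goes unresponsive while OSSEC runs. Added
example, not from this thread or from OSSEC. It scans /var/log/messages (or
`journalctl -k` output) for the kernel messages that usually accompany a hang
and ties them to a process name such as ossec-syscheckd. The sample lines are
constructed for the demo, not taken from Caleb's instance."""
import re
import sys
from collections import Counter

# Kernel message shapes worth looking for; the regexes follow the kernel's own
# wording, nothing here is OSSEC-specific.
MARKERS = {
    "oom_kill": re.compile(
        r"Out of memory: Kill process (?P<pid>\d+) \((?P<proc>[^)]+)\)"),
    "soft_lockup": re.compile(
        r"BUG: soft lockup - CPU#\d+ stuck for \d+s! \[(?P<proc>[^:\]]+):(?P<pid>\d+)\]"),
    "hung_task": re.compile(
        r"INFO: task (?P<proc>\S+):(?P<pid>\d+) blocked for more than \d+ seconds"),
    "rcu_stall": re.compile(r"rcu_sched detected stalls on CPUs"),
}

# Constructed sample of /var/log/messages around a hang (not real data).
SAMPLE_LOG = """\
Jul  2 18:20:01 ip-10-0-0-5 systemd: Started OSSEC HIDS.
Jul  2 18:31:12 ip-10-0-0-5 kernel: BUG: soft lockup - CPU#0 stuck for 23s! [ossec-syscheckd:1009]
Jul  2 18:33:40 ip-10-0-0-5 kernel: Out of memory: Kill process 1290 (httpd) score 412 or sacrifice child
Jul  2 18:35:05 ip-10-0-0-5 kernel: INFO: task ossec-syscheckd:1009 blocked for more than 120 seconds.
Jul  2 18:35:06 ip-10-0-0-5 kernel: INFO: rcu_sched detected stalls on CPUs/tasks: { 0} (detected by 0, t=60002 jiffies)
"""


def scan(lines):
    """Return (marker, process, pid, line) for every line matching a marker, in log order."""
    hits = []
    for line in lines:
        for name, rx in MARKERS.items():
            m = rx.search(line)
            if m:
                gd = m.groupdict()
                hits.append((name, gd.get("proc"), gd.get("pid"), line.rstrip()))
                break
    return hits


def summarize(hits, suspect="ossec-syscheckd"):
    """Count hits per marker and pull out the ones naming the suspect process.
    The first hit matters most: whatever was logged first is the lead, the rest
    is usually fallout."""
    return {
        "per_marker": dict(Counter(h[0] for h in hits)),
        "suspect_hits": [h for h in hits if h[1] == suspect],
        "first_event": hits[0][3] if hits else None,
    }


if __name__ == "__main__":
    # usage: python hang_triage.py /var/log/messages [process-name]
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    suspect = sys.argv[2] if len(sys.argv) > 2 else "ossec-syscheckd"
    report = summarize(scan(lines), suspect)
    print("markers seen:", report["per_marker"])
    print("first event: ", report["first_event"])
    for marker, proc, pid, line in report["suspect_hits"]:
        print(f"{suspect} ({pid}) in {marker}: {line}")
```

On the OSSEC side, /var/ossec/logs/ossec.log records when syscheckd starts its scan, so the timestamp of the first kernel marker can be lined up against it. Whether the marker names ossec-syscheckd or something else (an OOM kill of httpd, for instance) is what decides where to look next.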


Re: [ossec-list] ossec-authd disable SSLv3

2015-07-03 Thread Björn


On Tuesday, June 23, 2015 16:29:44 UTC+2, dan (ddpbsd) wrote:

 On Tue, Jun 23, 2015 at 10:22 AM, Björn in...@bb-it.biz 
 wrote: 
  Hello, 
  
  is there any way to disable SSLv3 in ossec-authd actually? 
  

 I could be misunderstanding it, but this commit should force tls 1.2: 

 https://github.com/ossec/ossec-hids/commit/9e47258b712b66673ebbc0e475e4da899e30ab4c
  


Yes, this is working fine for me! 
Thanks! 
 


  Best Regards, 
  Bjoern 
  
  


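Added example, not OSSEC code and not part of the thread: a Python probe that reports which protocol versions a TLS listener will actually negotiate, which is the check to run after rebuilding ossec-authd from the commit dan linked, rather than trusting the build. It assumes authd on its default port 1515 (an assumption about your deployment; pass another port if needed) and a client-side OpenSSL that can still offer the legacy versions; where it cannot, the probe reports "not offerable" instead of guessing.

```python
"""Probe which protocol versions a TLS listener will negotiate, to confirm that
an ossec-authd built from the commit above really refuses SSLv3 and TLS 1.0/1.1.
Added example, not OSSEC code. Assumes authd on its default port 1515 (an
assumption; adjust for your deployment)."""
import socket
import ssl
import sys

# Oldest first. ssl.TLSVersion.SSLv3 exists, but practically every current OpenSSL
# build refuses to enable it, which shows up below as "not offerable".
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
]


def context_for(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # testing version policy, not the cert
    ctx.set_ciphers("ALL:@SECLEVEL=0")       # let OpenSSL offer legacy suites
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, timeout=3.0):
    """Return {label: 'accepted' | 'rejected' | 'not offerable' | 'error: ...'}."""
    results = {}
    for label, version in VERSIONS:
        try:
            ctx = context_for(version)
        except (ssl.SSLError, ValueError):
            results[label] = "not offerable"   # local OpenSSL will not speak it
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[label] = "accepted"    # full handshake completed
        except ssl.SSLError as exc:
            # NO_PROTOCOLS_AVAILABLE means our side could not offer it at all;
            # anything else is the server alerting or refusing the version.
            results[label] = ("not offerable" if exc.reason == "NO_PROTOCOLS_AVAILABLE"
                              else "rejected")
        except OSError as exc:                     # reset, timeout, closed port
            results[label] = f"error: {exc}"
    return results


def meets_policy(results, allowed=("TLS 1.2",)):
    """True only if no version outside `allowed` was accepted and at least one
    allowed version was. 'not offerable' is neutral: it proves nothing either way."""
    accepted_allowed = any(results.get(v) == "accepted" for v in allowed)
    legacy_refused = all(status != "accepted"
                         for label, status in results.items() if label not in allowed)
    return accepted_allowed and legacy_refused


if __name__ == "__main__":
    # usage: python tls_version_probe.py <host> [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1515   # assumed authd default
    res = probe(host, port)
    for label, status in res.items():
        print(f"{label:8} {status}")
    print("TLS 1.2-only policy holds:", meets_policy(res))
```

A rebuilt authd should show "rejected" for TLS 1.0 and 1.1 and "accepted" only for TLS 1.2; a "not offerable" row says nothing about the server, only that the machine running the probe cannot speak that version any more, so run it from a host with an older OpenSSL if you need a definitive answer for SSLv3.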


[ossec-list] Re: New opensource SIEM (LightSIEM) with OSSEC support

2015-07-03 Thread theresa mic-snare
sounds awesome, great work Daniil!

just out of curiosity, why did you decide to go with snort instead of 
suricata?
http://suricata-ids.org

keep up the good work!

On Saturday, March 28, 2015 17:29:54 UTC+1, Daniil Svetlov wrote:

 Hi, community!

 I have suffered from lacking a SIEM system for OSSEC for several years. I tried 
 Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted 
 it after a few hours. For a long time I sent OSSEC alerts to Prelude IDS and 
 used Prewikka as the web interface, but it had some bugs and was not actively 
 developed.

 I saw several articles about parsing OSSEC in Logstash and Elasticsearch. 
 That inspired me to create a batch of configs for parsing OSSEC and Snort 
 logs.
 I created some patterns for parsing OSSEC and Snort alerts and now I plan 
 to add more possible event sources. I wrote configs for Elasticsearch and 
 Logstash, and made a few dashboards for Kibana as the main part of the WebUI.
 Kibana hasn't got built-in authentication, so I found another project, 
 Kibana Authentication Proxy, and added it to my configuration too.
 I have also created a common model for SIEM messages based on the IDMEF 
 class hierarchy. I hope it will help to normalize events from different 
 sources into one format, and that will help to analyze and visualize them.

 At the end of all that work I made an Ansible playbook for easy and fast 
 deployment of all the stuff and configs. So, my playbook takes all those things 
 together and runs them. 

 Try the LightSIEM project on GitHub https://github.com/dsvetlov/lightsiem

 Hope it will help somebody to deploy a free and open-source SIEM. 

 I will be thankful for all your comments, advice and suggestions.




[ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-03 Thread theresa mic-snare
 

hi ossec'ers,


my problem is I can't send out any emails/alert notifications with the 
ossec-maild process. I'm relaying my emails through ssmtp; the 
configuration is valid because I'm able to send out mails to external 
addresses through mailx, for instance. But for some reason OSSEC just won't 
send any emails out.

I have the following in my global ossec.conf


  <global>
    <email_notification>yes</email_notification>
    <email_to>x...@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>x...@gmail.com</email_from>
  </global>

So with localhost or 127.0.0.1 it should use ssmtp to send out emails, right?


Does the email_from field need to be ossecm@realdomain? Or can this be 
a gmail address as well? So does it mean the ossecm user needs to send out 
these alerts?

Again, tests to send out emails through ssmtp via mailx have been 
successful, so I doubt it's an ssmtp issue here.

Also, what I find a little odd is that when I restart ossec through 
ossec-control, all the services/processes should be restarted in a specific 
order, right? However, when I look at the ossec.log in 
/var/ossec/logs/ossec.log, ossec-maild isn't mentioned at all. The 
process itself runs though, when I do a ps -ef |grep ossec-maild.

my question now: how can I get the email notification in ossec to work?!


thanks!

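Added example, not OSSEC code and not part of the thread above: a Python check of the mail path ossec-maild actually uses. maild does not exec a local sendmail-style binary; it opens a TCP connection to the configured smtp_server (port 25) and speaks plain SMTP (HELO, MAIL FROM, RCPT TO, DATA). ssmtp is a sendmail-compatible command, not a daemon, so it never listens on a port, which is why mailx works while maild has nothing to connect to. The script probes the listener, runs the same SMTP dialogue, and embeds a tiny fake SMTP listener (constructed for the demo) so the exchange can be exercised offline; the addresses used are placeholders.

```python
"""Check the mail path that ossec-maild uses: a TCP SMTP listener on
<smtp_server>:25. Added example, not OSSEC code. The fake listener and the
addresses below are constructed for the offline demo."""
import smtplib
import socket
import socketserver
import threading


def port_open(host, port, timeout=2.0):
    """True if something accepts a TCP connection at host:port (what maild needs)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_alert(host, port, sender, recipient):
    """Run the dialogue maild runs and return the reply code to DATA (250 = accepted)."""
    body = (f"From: OSSEC HIDS <{sender}>\r\nTo: {recipient}\r\n"
            "Subject: OSSEC Notification - mail path test\r\n\r\n"
            "Constructed test message, not a real alert.\r\n")
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.helo("ossec-mailcheck")            # maild sends a plain HELO, not EHLO
        code, msg = smtp.mail(sender)
        if code != 250:
            raise smtplib.SMTPResponseException(code, msg)
        code, msg = smtp.rcpt(recipient)
        if code != 250:
            raise smtplib.SMTPResponseException(code, msg)
        code, _ = smtp.data(body)
        return code


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder for the offline demo (constructed): accepts any
    envelope and stores the message text on the server object."""

    def handle(self):
        try:
            self._dialogue()
        except OSError:
            pass                                  # client went away (e.g. bare probe)

    def _dialogue(self):
        self.wfile.write(b"220 fake.localhost ESMTP ready\r\n")
        in_data, lines = False, []
        while True:
            line = self.rfile.readline()
            if not line:
                return
            if in_data:
                if line.rstrip(b"\r\n") == b".":  # end of DATA
                    self.server.messages.append(b"".join(lines).decode())
                    in_data, lines = False, []
                    self.wfile.write(b"250 OK queued\r\n")
                else:
                    lines.append(line)
                continue
            verb = line.split(b" ", 1)[0].rstrip(b"\r\n").upper()
            if verb in (b"HELO", b"EHLO"):
                self.wfile.write(b"250 fake.localhost\r\n")
            elif verb in (b"MAIL", b"RCPT"):
                self.wfile.write(b"250 OK\r\n")
            elif verb == b"DATA":
                in_data = True
                self.wfile.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 unrecognised command\r\n")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)   # port 0 = ephemeral
        self.messages = []


def demo():
    """Probe and send through the embedded fake listener; returns (reachable, code, messages)."""
    srv = FakeSMTPServer()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    try:
        reachable = port_open(host, port)
        code = send_test_alert(host, port, "ossecm@example.com", "admin@example.com")
        return reachable, code, list(srv.messages)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # python check_mail_path.py localhost 25
        h, p = sys.argv[1], int(sys.argv[2])
        print(f"listener on {h}:{p}:", port_open(h, p))
        if port_open(h, p):
            print("DATA reply:", send_test_alert(h, p, "ossecm@example.com", "root@example.com"))
    else:
        print(demo())
```

Run it with the host and port from smtp_server: on a box where only ssmtp is installed, port_open() returns False and that is the whole story; once a real MTA listens on 25 (or smtp_server points at one that relays for you), the DATA reply of 250 is what maild needs to see.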


Re: [ossec-list] Re: New opensource SIEM (LightSIEM) with OSSEC support

2015-07-03 Thread Daniil Svetlov
Hello, Theresa!

I did not go with Snort instead of Suricata. I have a production Snort
deployment at my work. It provides access to a big amount of log samples and
user experience for LightSIEM.

Anyway, Suricata supports all relevant Snort log formats. So you can use
all types of Snort input in LightSIEM with Suricata. If you find some
errors, feel free to report them - I will try to help and fix them.

On Fri, Jul 3, 2015 at 20:14, theresa mic-snare rockprinz...@gmail.com wrote:

 sounds awesome, great work Daniil!

 just out of curiosity, why did you decide to go with snort instead of
 suricata?
 http://suricata-ids.org

 keep up the good work!


 On Saturday, March 28, 2015 17:29:54 UTC+1, Daniil Svetlov wrote:

 Hi, community!

 I have suffered from lacking a SIEM system for OSSEC for several years. I tried
 Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted
 it after a few hours. For a long time I sent OSSEC alerts to Prelude IDS and
 used Prewikka as the web interface, but it had some bugs and was not actively
 developed.

 I saw several articles about parsing OSSEC in Logstash and Elasticsearch.
 That inspired me to create a batch of configs for parsing OSSEC and Snort
 logs.
 I created some patterns for parsing OSSEC and Snort alerts and now I plan
 to add more possible event sources. I wrote configs for Elasticsearch and
 Logstash, and made a few dashboards for Kibana as the main part of the WebUI.
 Kibana hasn't got built-in authentication, so I found another project,
 Kibana Authentication Proxy, and added it to my configuration too.
 I have also created a common model for SIEM messages based on the IDMEF
 class hierarchy. I hope it will help to normalize events from different
 sources into one format, and that will help to analyze and visualize them.

 At the end of all that work I made an Ansible playbook for easy and
 fast deployment of all the stuff and configs. So, my playbook takes all those things
 together and runs them.

 Try the LightSIEM project on GitHub https://github.com/dsvetlov/lightsiem

 Hope it will help somebody to deploy a free and open-source SIEM.

 I will be thankful for all your comments, advice and suggestions.


-- 

--
Sincerely, Daniil Svetlov.

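Added example for the LightSIEM announcement quoted in this thread and in the one above, not LightSIEM's own Logstash patterns and not OSSEC code: the same idea in Python, parsing OSSEC alerts.log records into an event shaped after the IDMEF Alert class (Classification, Source, Target, Assessment, CreateTime), which is the normalization Daniil describes. The two alert records embedded below are constructed in the format OSSEC writes to /var/ossec/logs/alerts/alerts.log; the level-to-severity mapping is my own choice, not an OSSEC or IDMEF rule.

```python
"""Parse OSSEC alerts.log records into IDMEF-shaped events. Added example, not
LightSIEM's Logstash patterns and not OSSEC code. SAMPLE_ALERTS is constructed
in the layout OSSEC writes to /var/ossec/logs/alerts/alerts.log."""
import re

SAMPLE_ALERTS = """\
** Alert 1435957200.12345: - syslog,sshd,authentication_failed,
2015 Jul 03 17:00:00 (web01) 10.0.0.5->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Jul  3 17:00:00 web01 sshd[1234]: Failed password for root from 192.0.2.10 port 52331 ssh2

** Alert 1435957260.12400: mail - ossec,syscheck,
2015 Jul 03 17:01:00 web01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'
"""

# One regex per line type in an alert block.
HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<id>\d+): (?P<flags>.*?)- (?P<groups>.*)$")
LOCATION = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>[\d.]+)|(?P<local>\S+))->(?P<location>.*)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_IP = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER = re.compile(r"^User: (?P<user>\S+)$")


def split_records(text):
    """Yield one alert block (list of non-blank lines) per '** Alert' header."""
    block = []
    for line in text.splitlines():
        if line.startswith("** Alert"):
            if block:
                yield block
            block = [line]
        elif block and line.strip():
            block.append(line)
    if block:
        yield block


def severity(level):
    """OSSEC level (0-15) to an IDMEF-style severity; this mapping is my own."""
    level = int(level)
    if level >= 12:
        return "high"
    if level >= 8:
        return "medium"
    if level >= 4:
        return "low"
    return "info"


def to_idmef(block):
    """Map one alert block onto a dict shaped after IDMEF's Alert class."""
    m = HEADER.match(block[0])
    if not m:
        raise ValueError(f"not an OSSEC alert header: {block[0]!r}")
    event = {
        "ident": f"{m['ts']}.{m['id']}",
        "CreateTime": int(m["ts"]),                       # epoch seconds from the header
        "Analyzer": {"name": "OSSEC HIDS"},
        "Classification": {"text": None,
                           "groups": [g for g in m["groups"].split(",") if g]},
        "Assessment": {"severity": None},
        "Source": {},
        "Target": {},
        "AdditionalData": {"rule_id": None, "level": None, "location": None,
                           "flags": m["flags"].split()},   # e.g. ['mail']
        "raw": [],                                         # the original log line(s)
    }
    for line in block[1:]:
        if (lm := LOCATION.match(line)):
            event["Target"]["node"] = lm["agent"] or lm["local"]
            if lm["agent_ip"]:
                event["Target"]["address"] = lm["agent_ip"]
            event["AdditionalData"]["location"] = lm["location"]
        elif (rm := RULE.match(line)):
            event["Classification"]["text"] = rm["desc"]
            event["AdditionalData"]["rule_id"] = int(rm["rule"])
            event["AdditionalData"]["level"] = int(rm["level"])
            event["Assessment"]["severity"] = severity(rm["level"])
        elif (sm := SRC_IP.match(line)):
            event["Source"]["address"] = sm["ip"]
        elif (um := USER.match(line)):
            event["Target"]["user"] = um["user"]
        else:
            event["raw"].append(line)       # decoder output or the raw log line
    return event


def parse_alerts(text):
    """All alert records in `text`, as IDMEF-shaped dicts."""
    return [to_idmef(b) for b in split_records(text)]


if __name__ == "__main__":
    for ev in parse_alerts(SAMPLE_ALERTS):
        print(ev["ident"], ev["Assessment"]["severity"], ev["Classification"]["text"],
              "src=", ev["Source"].get("address"), "target=", ev["Target"])
```

Keeping the unparsed lines under "raw" matters for a SIEM: the rule description and groups give the normalized classification, but the original log line is what an analyst reads when the classification turns out to be wrong.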