Re: [ossec-list] How to test OSSEC using a linux dataset containing raw system call traces?

2015-08-27 Thread 'Miroslav S' via ossec-list
Well, from what I gathered from the dataset documentation, the contents of 
these datasets are system call traces. They have been generated on a test 
system during normal activities of the host which ranged from web browsing 
to LaTeX document preparation, and there are approximately 800 traces used 
for training data and approximately 4000 used for validation data, and 
there are the attack traces too, representing 6 different methods of attack.

However, while reading up on the documentation of the dataset just now I came 
across the following:

"The ADFA-LD12 is designed for anomaly based systems, not signature 
recognition IDS"

And since OSSEC is based on signatures, it looks to me that this dataset 
is in fact useless for my task. Am I correct in that assumption?

On Wednesday, August 26, 2015 at 9:31:28 PM UTC+2, Santiago Bassett wrote:
>
> Miroslav, could you briefly explain what the contents of the datasets are? 
> OSSEC is a log analysis based HIDS based on signatures (rules). It also has 
> a module to detect malware/rootkits that looks for hidden processes, 
> suspicious files, registry keys etc.
>
> On Wed, Aug 26, 2015 at 9:03 AM, dan (ddp) wrote:
>
>> On Wed, Aug 26, 2015 at 11:35 AM, 'Miroslav S' via ossec-list wrote:
>> > Hello everyone.
>> >
>> > I have been tasked to test effectiveness of OSSEC HIDS (by effectiveness I
>> > mean detection rate it achieves as well as false positives rate) when a
>> > dataset of raw system call traces is used.
>> >
>> > The dataset itself is the ADFA-LD dataset which can be found here
>> > http://www.cybersecurity.unsw.adfa.edu.au/ADFA%20IDS%20Datasets/
>> >
>> > This dataset consists of 3 groups of raw system call traces generated with
>> > the auditd UNIX program:
>> >
>> > 1. Normal training data
>> > 2. Normal validation data
>> > 3. Attack data.
>> >
>> > The method used to perform this task is irrelevant as long as I manage to
>> > use this particular dataset with OSSEC.
>> >
>> > So far I have the latest version of OSSEC installed on Ubuntu 14.04. I
>> > suppose that in order to perform my task, OSSEC should first be trained
>> > using the normal training data of the dataset and then tested for false
>> > positives using the normal validation data and for attack detection using
>> > the attack data. I am however quite new when it comes to OSSEC and IDS in
>> > general so I could very easily be wrong when it comes to that assumption.
>> >
>> > So my question is - Can OSSEC be trained and tested with raw system call
>> > traces in the first place, and if yes, how? If not, can the data from this
>> > particular dataset be used in any other way in order to test effectiveness
>> > of OSSEC?
>> >
>>
>> I don't see anything in the data that would be all that useful to OSSEC.
>>
>> >
>> > Thank you
>> >
>> > Miroslav
>> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
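The documentation line Miroslav quotes is the crux: an anomaly-based detector learns a profile of normal system-call sequences from the training traces and scores new traces by how far they deviate from it, which is a different mechanism from matching log lines against rules. The following is an added example, not code from the thread or from OSSEC, that implements a minimal sliding-window (STIDE-style) detector over constructed syscall-number sequences shaped like ADFA-LD trace files, with a signature match beside it for contrast; the traces and the 0.2 threshold are assumptions for illustration.

```python
"""Added example (not from the thread, not OSSEC code): a minimal
anomaly-based detector of the kind ADFA-LD targets, beside a signature
match for contrast. Traces are sequences of system-call numbers, the
shape of ADFA-LD files; the ones below are constructed sample data."""

# Constructed "normal" training traces: a steady open/read/write/close loop.
NORMAL_TRAINING = [
    [5, 3, 4, 6, 5, 3, 4, 6, 5, 3, 4, 6],
    [5, 3, 3, 4, 6, 5, 3, 4, 4, 6],
    [5, 3, 4, 6, 5, 3, 3, 4, 6],
]
# Constructed validation trace: same behaviour, never seen verbatim in training.
NORMAL_VALIDATION = [5, 3, 4, 4, 6, 5, 3, 3, 4, 6]
# Constructed attack trace: the loop is interrupted by a burst of calls
# (2, 11) that never occur in the normal profile.
ATTACK_TRACE = [5, 3, 4, 6, 2, 11, 2, 11, 5, 3]


def ngrams(trace, n):
    """All length-n windows of a syscall sequence, in order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=3):
    """Profile of normal behaviour: every n-gram seen in the training traces.
    No attack data is involved; that is what makes the method anomaly-based."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(profile, trace, n=3):
    """Fraction of the trace's n-grams that are absent from the profile.
    0.0 means every window was already seen during training."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    novel = sum(1 for g in grams if g not in profile)
    return novel / len(grams)


def is_anomalous(profile, trace, threshold=0.2, n=3):
    """Flag a trace whose novel-window fraction exceeds the threshold.
    The threshold is what the validation split is for: raise it until
    normal traces stop firing, then measure what attack traces still score."""
    return anomaly_score(profile, trace, n) > threshold


def signature_match(trace, signature):
    """What a signature engine does instead: fire only when a known bad
    pattern is present, with no notion of what 'normal' looks like."""
    return tuple(signature) in set(ngrams(trace, len(signature)))


if __name__ == "__main__":
    profile = train(NORMAL_TRAINING)
    for name, trace in (("validation", NORMAL_VALIDATION), ("attack", ATTACK_TRACE)):
        print(name, anomaly_score(profile, trace), is_anomalous(profile, trace))
```

On the constructed data the validation trace scores 0.0 and the attack trace 0.75; on real ADFA-LD traces the detection rate and false-positive rate are exactly the two numbers that come out of sweeping the threshold over the validation and attack splits.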


[ossec-list] Re: api or syscheck database question

2015-08-27 Thread Jon Zeolla
Great stuff, thank you.  



[ossec-list] Glibc 2.14 dependency

2015-08-27 Thread Onion Guy
Hello all,

It appears the latest version of OSSEC requires glibc 2.14.  Are there any 
versions that require a lower version, specifically 2.12?  I am running 
CentOS 6 so this is posing an issue.

Thanks.



Re: [ossec-list] Glibc 2.14 dependency

2015-08-27 Thread Eero Volotinen
Just install it from sources or from the atomic repo.

Eero

On 27.8.2015 3.02 PM, "Onion Guy" wrote:

> Hello all,
>
> It appears the latest version of OSSEC requires glibc 2.14.  Are there any
> versions that require a lower version, specifically 2.12?  I am running
> CentOS 6 so this is posing an issue.
>
> Thanks.
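Eero's answer leaves the admin to choose between a prebuilt package and a source build; the check below, added here and not from the thread, reads the GLIBC_x.y symbol versions a binary imports from `objdump -T` output and compares the highest one with the host libc numerically (so 2.14 ranks above 2.2.5, which a plain string comparison gets wrong). It assumes binutils is installed; the objdump output is a constructed sample and the binary path in the usage is a placeholder.

```python
"""Added example, not part of the thread: find the highest glibc symbol
version a prebuilt binary imports and compare it with the host's libc.
Assumes binutils (objdump) for the live check; the sample output below
is constructed in objdump's real format."""
import platform
import re
import subprocess

GLIBC_RE = re.compile(r"GLIBC_(\d+(?:\.\d+)+)")


def version_key(version):
    """'2.14' -> (2, 14): compare versions numerically, not as text
    (as strings, '2.3.4' would wrongly sort above '2.14')."""
    return tuple(int(part) for part in version.split("."))


def required_glibc(objdump_output):
    """Highest GLIBC_x.y symbol version referenced in `objdump -T` output,
    or None when the binary imports no versioned glibc symbols."""
    versions = set(GLIBC_RE.findall(objdump_output))
    return max(versions, key=version_key) if versions else None


def binary_requirement(path):
    """Live check on a real file (needs binutils installed)."""
    result = subprocess.run(["objdump", "-T", path],
                            capture_output=True, text=True, check=True)
    return required_glibc(result.stdout)


def host_glibc():
    """Version of the C library this interpreter runs against, or None
    if it is not glibc."""
    lib, version = platform.libc_ver()
    return version if lib == "glibc" else None


def compatible(required, host):
    """True when the host libc satisfies the binary's requirement."""
    if required is None:
        return True
    return host is not None and version_key(host) >= version_key(required)


# Constructed sample of `objdump -T` output (versioned undefined symbols).
SAMPLE_OBJDUMP = """\
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.3.4 __printf_chk
"""

if __name__ == "__main__":
    need = required_glibc(SAMPLE_OBJDUMP)
    # CentOS 6 ships glibc 2.12, the version the thread is asking about.
    print("sample binary needs glibc", need, "; ok on 2.12:", compatible(need, "2.12"))
    # Placeholder path: point this at the actual OSSEC binary to test.
    # print(binary_requirement("/var/ossec/bin/ossec-analysisd"))
```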


Re: [ossec-list] How to test OSSEC using a linux dataset containing raw system call traces?

2015-08-27 Thread dan (ddp)
On Thu, Aug 27, 2015 at 4:44 AM, 'Miroslav S' via ossec-list wrote:
> Well from what I gathered from the dataset documentation, the contents of
> these datasets are system call traces. They have been generated on a test
> system during normal activities of the host which ranged from web browsing
> to latex document preparation, and there's approximately 800 traces used for
> training data and approximately 4000 used for validation data, and there's
> the attack traces too representing 6 different methods of attacks
>
> However, while reading up the documentation of the dataset just now I came
> across the following:
>
>  "The ADFA-LD12 is designed for anomaly based systems, not signature
> recognition IDS"
>
>  And since OSSEC is based on signatures, it looks to me that this dataset is
> in fact useless for my task. Am I correct in that assumption?
>

OSSEC currently has no facilities to interpret that data.



Re: [ossec-list] How to test OSSEC using a linux dataset containing raw system call traces?

2015-08-27 Thread Santiago Bassett
Correct, that dataset won't work in this case.

On Thu, Aug 27, 2015 at 7:07 AM, dan (ddp) wrote:

> On Thu, Aug 27, 2015 at 4:44 AM, 'Miroslav S' via ossec-list wrote:
> > Well from what I gathered from the dataset documentation, the contents of
> > these datasets are system call traces. They have been generated on a test
> > system during normal activities of the host which ranged from web browsing
> > to latex document preparation, and there's approximately 800 traces used for
> > training data and approximately 4000 used for validation data, and there's
> > the attack traces too representing 6 different methods of attacks
> >
> > However, while reading up the documentation of the dataset just now I came
> > across the following:
> >
> >  "The ADFA-LD12 is designed for anomaly based systems, not signature
> > recognition IDS"
> >
> >  And since OSSEC is based on signatures, it looks to me that this dataset is
> > in fact useless for my task. Am I correct in that assumption?
> >
>
> OSSEC currently has no facilities to interpret that data.


Re: [ossec-list] How to test OSSEC using a linux dataset containing raw system call traces?

2015-08-27 Thread 'Miroslav S' via ossec-list
I was afraid of that. Anyway, thank you both Dan & Santiago for your 
answers. I now know that my task will be impossible to perform as it's 
currently defined, so I guess it will have to be redefined. 

On Thursday, August 27, 2015 at 4:27:49 PM UTC+2, Santiago Bassett wrote:
>
> Correct, that dataset won't work in this case.
>
> On Thu, Aug 27, 2015 at 7:07 AM, dan (ddp) wrote:
>
>> On Thu, Aug 27, 2015 at 4:44 AM, 'Miroslav S' via ossec-list wrote:
>> > Well from what I gathered from the dataset documentation, the contents of
>> > these datasets are system call traces. They have been generated on a test
>> > system during normal activities of the host which ranged from web browsing
>> > to latex document preparation, and there's approximately 800 traces used for
>> > training data and approximately 4000 used for validation data, and there's
>> > the attack traces too representing 6 different methods of attacks
>> >
>> > However, while reading up the documentation of the dataset just now I came
>> > across the following:
>> >
>> >  "The ADFA-LD12 is designed for anomaly based systems, not signature
>> > recognition IDS"
>> >
>> >  And since OSSEC is based on signatures, it looks to me that this dataset is
>> > in fact useless for my task. Am I correct in that assumption?
>> >
>>
>> OSSEC currently has no facilities to interpret that data.
>>

Re: [ossec-list] Combining centralized and local agent.conf files

2015-08-27 Thread notify . sina
Problem is, I have some agent_configs that I moved from the general 
(puppet-managed) ossec.conf file into the shared agent.conf file.
When the configs were in the ossec.conf file, they used to generate a lot 
of email (monitoring errors that appear in log files mostly).
Now that they are in the agent.conf file, there is no more activity.
How can I force (or make) ossec-hids read the agent.conf file?


On Wednesday, August 26, 2015 at 2:40:13 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Aug 26, 2015 at 9:20 AM,  wrote:
> > I suppose you are correct, but I have both ossec.conf and shared/agent.conf
> > on each server, and they both have different configuration (the agent.conf
> > has  values inside of it?
> > Which one of them does ossec depend on?
>
> ossec.conf is required, agent.conf is optional. Both configurations are
> used.
>
> > I must note that I installed these from the atomic repo onto RHEL and
> > CentOS machines.
> >
> > I am grateful for any illumination.
> >
> > On Wednesday, August 26, 2015 at 1:20:53 PM UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Wed, Aug 26, 2015 at 7:38 AM,  wrote:
> >> > Hi!
> >> >
> >> > Is it a good idea to use shared agent.conf and local agent.confs?
> >> > I have puppet managing an agent.conf file for all my client machines
> >> > before I discovered using the shared agent.conf.
> >> > Can they be used together, and if so, how?
> >> >
> >>
> >> Isn't ossec.conf basically the local agent.conf?
> >>