[ossec-list] Active Response - Skip Email

2015-09-25 Thread BP9906
Am I able to trigger an active response without having an email alert 
generated? 

In previous versions, I noticed that if I put the level too low (like 5) it won't 
trigger an active response because an email was not generated. 

Is there a way to do this?

Thank you,
Brian

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


RE: [ossec-list] Checkpoint OPSEC Certification

2015-09-25 Thread Jason Dean
I'm not sure if I can run an agent on it or push logs to syslog. I will have to 
contact CP Support to find out if it affects how logs are processed in CP 
Smartview Tracker because we use that extensively. Thanks for the assistance. 
One workaround I discovered is to use Splunk to connect since it is OPSEC 
certified and then use the OSSEC add-in for Splunk to get all my logs to the 
same application.

 

Thanks,

Jason Dean

IT Administrator

PRO Consulting Services, Inc.

 


From: eero.t.voloti...@gmail.com [mailto:eero.t.voloti...@gmail.com] On Behalf 
Of Eero Volotinen
Sent: Thursday, September 24, 2015 11:48 PM
To: ossec-list; jd...@proconsrv.com
Subject: Re: [ossec-list] Checkpoint OPSEC Certification

 

Hi,

Are there any problems with setting Checkpoint to log to syslog and then using an 
ossec agent on the box to forward logs to the ossec server? This is the usual way 
to do this.

--

Eero

 

2015-09-25 0:37 GMT+03:00 :

Hello, I'm trying to get my Checkpoint firewall, ips, vpn, etc. logs into 
OSSEC, but Checkpoint is telling me that it has to be OPSEC certified in order 
to make a connection. If you are pulling your CheckPoint Gaia R77.20 firewall 
logs into OSSEC, how did you do it? I have seen the articles on forwarding 
syslog, but those are only the OS log files. I have also seen THIS article on 
using an 'agent in the middle' to create a secure connection, but there has to 
be a better way. Any help would be greatly appreciated!

 

Thanks!



RE: FW: [ossec-list] Re: Log Rotation issues - Resolved

2015-09-25 Thread Farnsworth, Robert
Thought I would let you know that I have resolved this. I believe the problem 
stemmed from my alerts.log getting way too large, and the Log Rotation could not 
handle the size of the file. 

So I filtered a bunch of Windows event alerts to get the logs to a manageable 
level, and the rotation is doing its job again.

The OSSEC Log Rotation routine must have some limitations on file size.

Thanks for all your help.

Robert

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of dan (ddp)
Sent: Wednesday, September 16, 2015 12:36 PM
To: ossec-list@googlegroups.com
Subject: Re: FW: [ossec-list] Re: Log Rotation issues

On Wed, Sep 16, 2015 at 12:18 PM, Farnsworth, Robert 
 wrote:
> No it did not.
> I made the change and restarted OSSEC I don’t remember us talking about a 
> recompiling.
>

Sorry if I forgot to mention it, I meant to. When you change the source code 
you'll have to recompile and install the new binaries. Then restart the 
processes. Running the install.sh script should accomplish this (it will 
"upgrade" over itself).

>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] 
> On Behalf Of dan (ddp)
> Sent: Wednesday, September 16, 2015 12:17 PM
> To: ossec-list@googlegroups.com
> Subject: Re: FW: [ossec-list] Re: Log Rotation issues
>
> On Wed, Sep 16, 2015 at 8:50 AM, Farnsworth, Robert 
>  wrote:
>> The only error I see from analysisd is the read errors. One of them is the 
>> Ossec Manager.
>>
>> Here is a sample.
>>
>> 2015/09/16 08:34:09 ossec-analysisd: ERROR: read error on 
>> /queue/diff/hostname/533/last-entry
>> 2015/09/16 08:34:09 ossec-analysisd: ERROR: read error on 
>> /queue/diff/ hostname/535/last-entry
>> 2015/09/16 08:37:56 ossec-analysisd: ERROR: read error on 
>> /queue/diff/ hostname/535/last-entry
>> 2015/09/16 08:40:11 ossec-analysisd: ERROR: read error on 
>> /queue/diff/ hostname/533/last-entry
>> 2015/09/16 08:40:11 ossec-analysisd: ERROR: read error on 
>> /queue/diff/ hostname/535/last-entry
>>
>
> That was after making the change, recompiling, and restarting OSSEC?
> Did the logfile rotate properly?
>



Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-25 Thread DefensiveDepth
Sounds great, thanks!

Let me know how I can help.

-Josh

On Thursday, September 24, 2015 at 9:59:22 PM UTC-4, SoulAuctioneer wrote:
>
> Was talking to Dan today. Will try to put together some merge requests to 
> his branch and 2.8.3 that will hopefully fix these things. Hopefully will 
> find some time in the next few days to make that happen.
>



Re: [ossec-list] Re: Solaris 10 compile error

2015-09-25 Thread theresa mic-snare
Hi Dan,

I managed to fix the problem.
Yesterday I used the gcc provided by the OpenCSW repository.
Today I tried it with the original gcc from the SUNW packages. I don't know 
what the difference between the two is, but somehow it only works with this 
one (located in /usr/sfw/bin/gcc).

I've managed to successfully compile them both on Solaris 11 and Solaris 10, 
and I will soon provide the packages that I built for the community. If 
anyone else can use them, then it was at least worth the sweat and tears :)

Dan, thanks *VERY* much for bearing with me :)

best,
theresa

On Thursday, 24 September 2015 16:21:02 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 24, 2015 10:05 AM, "theresa mic-snare"  > wrote:
> >
> > where shall I put this?
> >
>
> src/os_crypto/blowfish/Makefile maybe? 
>
> >
> > On Thursday, 24 September 2015 15:34:07 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Sep 24, 2015 at 9:24 AM, theresa mic-snare 
> >>  wrote: 
> >> > of course you were right, Dan! 
> >> > I had to export CC to point to where GCC is installed (in my case in 
> >> > /opt/csw/bin/gcc) 
> >> > 
> >> > worked perfectly, until I ran into yet another problem. but this time I 
> >> > think something's wrong with my ssl.h in /usr/include/openssl/ssl.h 
> >> > 
> >> >  *** Making os_auth *** 
> >> > 
> >> > /opt/csw/bin/gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" 
> >> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-authd\" 
> >> > -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c 
> >> > ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a 
> >> > ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a 
> >> > ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd 
> >>
> >> I'm guessing you're missing some -I (capital i) and -L magic in here. 
> >> Maybe: 
> >> "-I/usr/sfw/include -L/usr/sfw/lib" 
> >>
> >> I don't remember anyone else reporting these types of issues with this 
> >> release. 
> >> I wish I knew what they did differently than you (maybe not upgrade?). 
> >> It would make working with Solaris a little easier in the next 
> >> release. 
> >>
> >> > main-server.c: In function 'ssl_error': 
> >> > main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error' 
> >> > discards 'const' qualifier from pointer target type 
> >> >  switch (SSL_get_error(ssl, ret)) 
> >> >^ 
> >> > In file included from auth.h:45:0, 
> >> >  from main-server.c:29: 
> >> > /usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but 
> >> > argument is of type 'const struct SSL *' 
> >> >  int SSL_get_error(SSL *s,int ret_code); 
> >> >  ^ 
> >> > ld: fatal: library -lssl: not found 
> >> > ld: fatal: library -lcrypto: not found 
> >> > ld: fatal: file processing errors. No output written to ossec-authd 
> >> > *** Error code 1 
> >> > make: Fatal error: Command failed for target `auth1' 
> >> > Current working directory /root/ossec-hids-2.8.2/src/os_auth 
> >> > 
> >> > 
> >> > 
> >> > On Thursday, 24 September 2015 14:57:08 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> 
> >> >> On Sep 24, 2015 8:46 AM, "theresa mic-snare"  wrote: 
> >> >> > 
> >> >> > it was indeed in a different location :) 
> >> >> > I symlinked it to the other location where it should supposedly be 
> >> >> > /usr/include/openssl/opensslconf.h 
> >> >> > 
> >> >> > and ran the installation script again. 
> >> >> > but now I'm running into a different error 
> >> >> > 
> >> >> >  *** Making os_crypto *** 
> >> >> > 
> >> >> > cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" 
> >> >> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"blowfish_op\" 
> >> >> > -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> >> > cc: -W option with unknown program all 
> >> >> 
> >> >> That right there makes me think it isn't using gcc as the compiler 
> >> >> (-Wall has been around for a while now). 
> >> >> 
> >> >> > *** Error code 1 
> >> >> > make: Fatal error: Command failed for target `bf' 
> >> >> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> >> >> > *** Error code 1 
> >> >> > The following command caused the error: 
> >> >> > cd blowfish; make 
> >> >> > make: Fatal error: Command failed for target `os_crypto' 
> >> >> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >> >> > 
> >> >> > Error Making os_crypto 
> >> >> > *** Error code 1 
> >> >> > The following command caused the error: 
> >> >> > /bin/bash ./Makeall all 
> >> >> > make: Fatal error: Command failed for target `all' 
> >> >> > 
> >> >> >  Error 0x5. 
> >> >> >  Building error. Unable to finish the installation. 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > On Thursday, 24 September 2015 14:28:14 UTC+2, dan (ddpbsd) wrote: 
> >> >> >> 
> >> >> >> 
> >> >> >> On Sep 24, 2015 8:23 AM, "theresa mic-snare"  wrote: 
> >> >> >> > 

[ossec-list] Re: Splunk for OSSEC a

2015-09-25 Thread Edward
Hello James,

Thank you for your reply.
I have installed the OSSEC server and the Splunk software on the same 
server.
For the time spans of 7 and 30 days I do get the same issue.
With a lesser time span I still see them, but not so much.

The problem is that I don't know what these alerts are.
If I click on these alerts, Splunk shows me no records found.
Which is a bit odd and completely messes up the reporting, because there 
are a lot of these alerts.
Could it be it counts the total number of alerts?

With my splunk configuration, it just reads the ossec log directory.
Is this configuration correct?

Cheers



On Thursday, September 24, 2015 at 7:32:55 PM UTC+2, Jamey B wrote:
>
> Hi,
>
> Do you get the same result if you set the time span to 7 days? 30 days?
> Have you set OSSEC to log these alerts or change the alert levels?
> Do you have one OSSEC server, or multiple OSSEC Servers?
>
> I would also ensure you're sending via SYSLOG to the appropriate Splunk 
> instance (some installs might only listen to 514). What may be happening is 
> the server is reporting the stats as it should, but it isn't forwarding 
> SYSLOG to Splunk correctly.
>
>
>
> On Wednesday, September 23, 2015 at 10:07:13 AM UTC-4, Edward wrote:
>>
>> Hello people,
>>
>> On my Ossec server I have installed splunk and also the ossec app for 
>> splunk.
>> I see now a nice dashboard, but if I look at the figures :
>>
>> if you look at signatures, you see numbers with no description.
>>
>> When you click on it, it shows zero data.
>>
>> Have you seen this before?
>> This is very annoying, because there is 100 times more of this sort and 
>> the reports will get very messy.
>>
>



Re: [ossec-list] Checkpoint OPSEC Certification

2015-09-25 Thread C. L. Martinez
On Thu, Sep 24, 2015 at 9:37 PM,   wrote:
> Hello, I'm trying to get my Checkpoint firewall, ips, vpn, etc. logs into
> OSSEC, but Checkpoint is telling me that it has to be OPSEC certified in
> order to make a connection. If you are pulling your CheckPoint Gaia R77.20
> firewall logs into OSSEC, how did you do it? I have seen the articles on
> forwarding syslog, but those are only the OS log files. I have also seen
> THIS article on using an 'agent in the middle' to create a secure
> connection, but there has to be a better way. Any help would be greatly
> appreciated!
>

Use syslog from the Management Server and redirect them to ossec. I use
this solution for over 50 chkp's fws.



[ossec-list] Lots of new errors in the log

2015-09-25 Thread Valentin Yefimov
2015/09/25 08:44:59 ossec-analysisd: No sid search!! XXX
2015/09/25 08:44:59 ossec-logcollector: socketerr (not available).
2015/09/25 08:44:59 ossec-logcollector(1224): ERROR: Error sending message 
to queue.
2015/09/25 08:45:00 ossec-syscheckd: socketerr (not available).
2015/09/25 08:45:00 ossec-syscheckd(1224): ERROR: Error sending message to 
queue.
2015/09/25 08:45:02 ossec-logcollector(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/25 08:45:02 ossec-logcollector(1211): ERROR: Unable to access 
queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/09/25 08:45:03 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/25 08:45:03 ossec-syscheckd(1211): ERROR: Unable to access queue: 
'/var/ossec/queue/ossec/queue'. Giving up..





Re: [ossec-list] Wrong time on osserver /var/ossec/logs/ossec.log

2015-09-25 Thread Valentin Yefimov
Thank you. I did the following:

[root@srv-ossec ~]# file /etc/localtime 
/etc/localtime: symbolic link to `/usr/share/zoneinfo/Europe/Moscow'
[root@srv-ossec ~]# file /var/ossec/etc/localtime
/var/ossec/etc/localtime: timezone data, version 2, 4 gmt time flags, 4 std 
time flags, no leap seconds, 185 transition times, 4 abbreviation chars
[root@srv-ossec ~]# file /usr/share/zoneinfo/Europe/Moscow
/usr/share/zoneinfo/Europe/Moscow: timezone data, version 2, 13 gmt time 
flags, 13 std time flags, no leap seconds, 77 transition times, 13 
abbreviation chars
[root@srv-ossec ~]# /etc/init.d/ossec stop
Stopping OSSEC:[  OK  ]
[root@srv-ossec ~]# mv /var/ossec/etc/localtime /root/
[root@srv-ossec ~]# cp /etc/localtime /var/ossec/etc/localtime
[root@srv-ossec ~]# file /var/ossec/etc/localtime
/var/ossec/etc/localtime: timezone data, version 2, 13 gmt time flags, 13 
std time flags, no leap seconds, 77 transition times, 13 abbreviation chars
[root@srv-ossec ~]# /etc/init.d/ossec start
Starting OSSEC: 2015/09/25 08:38:39 ossec-maild: INFO: E-Mail notification 
disabled. Clean Exit.
   [  OK  ]
And my problem is solved.

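The fix above works because the OSSEC daemons run chrooted and read /var/ossec/etc/localtime instead of /etc/localtime, so the two files must be byte-identical or log and alert timestamps drift. The following check automates that comparison and repair; it is an added example, not code from the thread or from OSSEC, and OSSEC_DIR and OSSEC_INIT are assumed overrides so it can be exercised on scratch copies.

```shell
#!/bin/sh
# Added example: verify that the zone file inside the OSSEC chroot matches
# the system zone file, and repair it with the same stop/copy/start sequence
# the thread uses. OSSEC_DIR and OSSEC_INIT are assumed overrides.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
OSSEC_INIT="${OSSEC_INIT:-/etc/init.d/ossec}"

# Returns 0 when the chroot copy is identical to the system zone file,
# 1 when the contents differ (the wrong-timestamp case from the thread),
# 2 when the chroot copy is missing altogether.
check_chroot_localtime() {
    sys="${1:-/etc/localtime}"
    chroot_copy="${2:-$OSSEC_DIR/etc/localtime}"
    [ -f "$chroot_copy" ] || return 2
    # cmp reads through the /etc/localtime symlink, so a link to
    # /usr/share/zoneinfo/... is compared by content, not by path.
    cmp -s "$sys" "$chroot_copy"
}

# Replaces a stale chroot copy with the system zone file, keeping a backup
# (the thread moved the old file to /root/). OSSEC is only stopped and
# started when the init script exists, so the repair can be tested on
# scratch files without touching a running manager.
sync_chroot_localtime() {
    sys="${1:-/etc/localtime}"
    chroot_copy="${2:-$OSSEC_DIR/etc/localtime}"
    backup="${3:-$chroot_copy.bak}"
    check_chroot_localtime "$sys" "$chroot_copy" && return 0
    [ -x "$OSSEC_INIT" ] && "$OSSEC_INIT" stop
    [ -f "$chroot_copy" ] && cp -p "$chroot_copy" "$backup"
    # A plain cp copies the symlink target's contents, which is what the
    # chroot needs: a link into /usr/share would dangle inside it.
    cp "$sys" "$chroot_copy" || return 1
    [ -x "$OSSEC_INIT" ] && "$OSSEC_INIT" start
    check_chroot_localtime "$sys" "$chroot_copy"
}

# Usage on a manager (as root): call check_chroot_localtime with no
# arguments to audit, sync_chroot_localtime to repair.
```

Run the check from cron or a configuration-management job after any tzdata update, since a package upgrade of /usr/share/zoneinfo silently reintroduces the mismatch.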


Re: [ossec-list] Checkpoint OPSEC Certification

2015-09-25 Thread Eero Volotinen
Hi,

Are there any problems with setting Checkpoint to log to syslog and then using an
ossec agent on the box to forward logs to the ossec server? This is the usual way
to do this.

--
Eero

2015-09-25 0:37 GMT+03:00 :

> Hello, I'm trying to get my Checkpoint firewall, ips, vpn, etc. logs into
> OSSEC, but Checkpoint is telling me that it has to be OPSEC certified in
> order to make a connection. If you are pulling your CheckPoint Gaia R77.20
> firewall logs into OSSEC, how did you do it? I have seen the articles on
> forwarding syslog, but those are only the OS log files. I have also seen THIS
>
> article
> on using an 'agent in the middle' to create a secure connection, but there
> has to be a better way. Any help would be greatly appreciated!
>
> Thanks!
>
>
