Re: [ossec-list] How to Query OSSEC for certain events (Hunting Techniques)

2015-11-03 Thread Daniil Svetlov
I'm using LightSIEM, an ELK-based system that can break all OSSEC and Snort
messages into semantic pieces which you can use in search queries later.

Tue, 22 Sep 2015 at 17:53, :

> Hello Group!
>
> I'm using the Logstash / Kibana (as well as the OSSEC basic web interface).
>
> In Kibana I use a table view to sort OSSEC events by number and this helps
> zero in on suspicious events. While the basic web interface is fairly
> featureless I found that going to the search screen and searching for
> events of level 2 (lowest level) and then attack / misuse all sometimes
> nets an event worth investigating.
>
> My question is how do folks use these tools (Kibana and the basic OSSEC
> interface) to hunt for IOCs and other events of interest? Are there other
> tools I could be running against our OSSEC server?
>
> Any info or suggested queries are appreciated.
>
> Thanks,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
-- 
Kind regards, Daniil Svetlov.

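The stacking technique the original poster describes (count alerts per rule, then look at the rare ones and filter by level and rule group) can be done straight from the manager's alerts.log without Kibana. The following is an added example written for this digest, not code from the thread, from LightSIEM or from the OSSEC project. It assumes the standard alerts.log record layout (a `** Alert` header with rule groups, a date/agent/location line, a `Rule:` line, optional `Src IP:` and `User:` lines, then the raw event) and runs over a constructed sample of five records embedded in the block; the hostnames and addresses in that sample are made up.

```python
import re
from collections import Counter

# Constructed sample in alerts.log format; not alerts taken from the thread.
SAMPLE_ALERTS = """\
** Alert 1446547200.1001: - syslog,sshd,authentication_failed,
2015 Nov 03 10:40:00 (web01) 172.20.21.50->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Nov  3 10:40:00 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 4444 ssh2

** Alert 1446547260.1002: - syslog,sshd,authentication_failed,
2015 Nov 03 10:41:00 (web01) 172.20.21.50->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: admin
Nov  3 10:41:00 web01 sshd[2240]: Failed password for admin from 203.0.113.7 port 4460 ssh2

** Alert 1446547320.1003: - syslog,sshd,authentication_failed,
2015 Nov 03 10:42:00 (web01) 172.20.21.50->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
User: oracle
Nov  3 10:42:00 web01 sshd[2251]: Failed password for oracle from 198.51.100.9 port 5010 ssh2

** Alert 1446547380.1004: - ossec,syscheck,
2015 Nov 03 10:43:00 (web01) 172.20.21.50->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1446547440.1005: - syslog,sshd,authentication_success,
2015 Nov 03 10:44:00 (web01) 172.20.21.50->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.7
User: oracle
Nov  3 10:44:00 web01 sshd[2270]: Accepted password for oracle from 203.0.113.7 port 5100 ssh2
"""

# '** Alert <epoch>.<seq>: [mail ]- <group,group,...>'
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): ([^-]*)- (.*)$")
# '<date> (<agent>) <ip>-><location>' for agents, '<date> <host>-><location>' for the manager
LOCATION_RE = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\(([^)]+)\) (\S+)|(\S+))->(.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue  # truncated record or stray text, skip it
        alert = {"epoch": int(head.group(1)),
                 "groups": [g for g in head.group(4).split(",") if g],
                 "agent": None, "src_ip": None, "user": None, "log": []}
        for line in lines[1:]:
            loc, rule = LOCATION_RE.match(line), RULE_RE.match(line)
            if loc:
                alert["time"] = loc.group(1)
                alert["agent"] = loc.group(2) or loc.group(4)
                alert["location"] = loc.group(5)
            elif rule:
                alert["rule"] = int(rule.group(1))
                alert["level"] = int(rule.group(2))
                alert["description"] = rule.group(3)
            elif line.startswith("Src IP: "):
                alert["src_ip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):]
            else:
                alert["log"].append(line)  # the raw event line(s)
        if "rule" in alert:
            alerts.append(alert)
    return alerts

def stack(alerts, field):
    """Count alerts by one field, like a Kibana table sorted by count."""
    return Counter(a.get(field) for a in alerts)

def rare_rules(alerts, max_hits=1):
    """Rules that fired at most max_hits times: the long tail worth a look."""
    return sorted((rid, n) for rid, n in stack(alerts, "rule").items() if n <= max_hits)

def search(alerts, min_level=0, group=None, src_ip=None):
    """Filter like the web UI search: minimum level, rule group, source IP."""
    return [a for a in alerts if a["level"] >= min_level
            and (group is None or group in a["groups"])
            and (src_ip is None or a["src_ip"] == src_ip)]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("alerts per rule:", stack(alerts, "rule").most_common())
    print("rare rules:", rare_rules(alerts))
    print("failed-login sources:", stack(search(alerts, group="authentication_failed"), "src_ip"))
```

On a real manager, read `/var/ossec/logs/alerts/alerts.log` (root-only by default, so run it with sudo) into `parse_alerts` and stack on `rule`, `src_ip` or `user`; the rules at the bottom of the count table and any source that shows up under both `authentication_failed` and `authentication_success` are the places to start.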


Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Eero Volotinen
sudo tail -f /path/to/filename

Eero
3.11.2015 6:26 pm "Reinaldo Fernandes" wrote:

>
> Can you provide me with the correct command to run?
> Thank you
>


Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Reinaldo Fernandes

Can you provide me with the correct command to run?
Thank you



Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Eero Volotinen
Are you trying to execute the log file?

You need to run sudo tail filename, not sudo filename.

Eero
3.11.2015 5:40 pm "Reinaldo Fernandes" wrote:

> Hi dan,
> I have now done:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entries in the logs as before:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>


Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread dan (ddp)
On Tue, Nov 3, 2015 at 10:40 AM, Reinaldo Fernandes wrote:
> Hi dan,
> I have now done:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entries in the logs as before:
>


Those are really weird. Do you have any stray "(" in your ossec.conf file?

> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>
>


Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Reinaldo Fernandes
Hi dan,
I have now done:
sudo /var/ossec/logs/ossec.log

and I got exactly the same entries in the logs as before:

[root@ossec user]# /var/ossec/logs/ossec.log

/var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('

/var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 
ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'




Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread dan (ddp)
On Nov 3, 2015 10:28 AM, "Reinaldo Fernandes" wrote:
>
> Hi dan,
>
> Sorry but I'm getting an access denied when I try to run the following
> command:
> tail -F /var/ossec/logs/ossec.log
>

You may need to use sudo to access the file. And a `tail -f` will only show
new entries (which will be fine if you restart the processes while tailing
the file).

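Once the log can actually be read (with sudo, as above), the next step in the thread is to look at the lines before the one that looks odd. The following is an added example written for this digest, not code from the thread or from the OSSEC project. It assumes the standard ossec.log line layout, `yyyy/mm/dd hh:mm:ss daemon(code): SEVERITY: message`, where the number in parentheses is OSSEC's message id rather than a pid (4101 is the agent's "Waiting for server reply" warning quoted in the thread). The sample it runs over is constructed: the agent and monitord lines are the ones quoted in the thread, the ossec-remoted lines are made up to show what a manager-side failure would look like, and the last line is deliberately malformed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the lines quoted in the thread plus made-up manager-side lines.
SAMPLE_LOG = """\
2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
2015/11/03 10:45:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/11/03 10:30:01 ossec-remoted: INFO: Started (pid: 1301).
2015/11/03 10:30:01 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2015/11/03 10:30:01 ossec-remoted(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
not an ossec.log record at all
"""

# '<yyyy/mm/dd hh:mm:ss> <daemon>[(<message id>)]: <SEVERITY>: <text>'
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w.-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<severity>[A-Z]+): (?P<message>.*)$")
TRIED_RE = re.compile(r"Tried: '([^']+)'")

def parse_ossec_log(text):
    """Return (entries, unparsed): one dict per well-formed line, plus the leftovers."""
    entries, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)  # garbage in the log is itself a clue
            continue
        entry = m.groupdict()
        entry["code"] = int(entry["code"]) if entry["code"] else None
        entries.append(entry)
    return entries, unparsed

def severity_counts(entries):
    """How many INFO/WARN/ERROR lines there are, as a first sanity check."""
    return Counter(e["severity"] for e in entries)

def problems(entries):
    """Everything that is not routine (INFO/DEBUG), in file order."""
    return [e for e in entries if e["severity"] not in ("INFO", "DEBUG")]

def problems_by_daemon(entries):
    """Group the non-routine lines by the daemon that wrote them."""
    grouped = defaultdict(list)
    for e in problems(entries):
        grouped[e["daemon"]].append(e)
    return dict(grouped)

def unanswered_servers(entries):
    """Manager addresses the agent tried without getting a reply (message id 4101)."""
    servers = set()
    for e in entries:
        if e["code"] == 4101:
            servers.update(TRIED_RE.findall(e["message"]))
    return servers

if __name__ == "__main__":
    import sys
    # Real use: sudo python3 this.py /var/ossec/logs/ossec.log; with no argument the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    entries, unparsed = parse_ossec_log(text)
    print("severity counts:", dict(severity_counts(entries)))
    for daemon, items in problems_by_daemon(entries).items():
        for e in items:
            print(f"{daemon}: [{e['severity']}] {e['message']}")
    if unanswered_servers(entries):
        print("agent got no reply from:", ", ".join(sorted(unanswered_servers(entries))))
    if unparsed:
        print(f"{len(unparsed)} line(s) did not match the ossec.log format")
```

Run it against the manager's log first: a remoted ERROR shortly before the agent's 4101 warnings explains the symptom far better than the agent side does, and a CRITICAL or ERROR mentioning ossec.conf is the "issue with the ossec.conf on the manager" that the replies in this thread are pointing at.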


Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Reinaldo Fernandes
Hi dan,

Sorry but I'm getting an access denied when I try to run the following
command:
tail -F /var/ossec/logs/ossec.log



Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread dan (ddp)
On Nov 3, 2015 10:13 AM, "Reinaldo Fernandes" wrote:
>
> Hi Eero,
>
> Thank you for your reply but no joy.
>
> All the hosts have the firewall deactivated.
>

Any luck finding any more info in the ossec.log file? Maybe just look for
stray parentheses in the ossec.conf.

>
> Best regards,
>
> Reinaldo
>
> Tuesday, 3 November 2015 at 12:11:10 UTC, Reinaldo Fernandes wrote:
>>
>> Hello,
>>
>> My name is Reinaldo Fernandes and I'm contacting you regarding the OSSEC
>> solution.
>>
>> I have been trying to deploy this in our environment (Windows mainly)
>> but the agent is not able to communicate with the OSSEC server (they are
>> both on the same VLAN, no firewall in between).
>>
>> This is the error:
>>
>> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>>
>> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>>
>> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>>
>> When I try to look at the logs on the OSSEC server this is the only
>> info that I get:
>>
>> [root@ossec user]# /var/ossec/logs/ossec.log
>>
>> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>>
>> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>>
>> Any clue or tip on how to solve this situation?
>>
>> Reinaldo Fernandes
>



[ossec-list] Re: Ossec agent error

2015-11-03 Thread Reinaldo Fernandes
Hi Eero,

Thank you for your reply but no joy.

All the hosts have the firewall deactivated.

Best regards,

Reinaldo


Tuesday, 3 November 2015 at 12:11:10 UTC, Reinaldo Fernandes wrote:
>
> Hello,
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the OSSEC
> solution.
>
> I have been trying to deploy this in our environment (Windows mainly) but
> the agent is not able to communicate with the OSSEC server (they are both
> on the same VLAN, no firewall in between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look at the logs on the OSSEC server this is the only
> info that I get:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>
> Reinaldo Fernandes
>



[ossec-list] /var/log/messages filling up

2015-11-03 Thread info36273
Struggling with the /var/log/messages file filling up with OSSEC alert
messages on a fresh install of the appliance.
My struggles are not helped by being a Linux and OSSEC novice.
lsof shows the following processes using the messages file: rsyslogd,
abrt-dump and ossec-log.
I have tried commenting out the syslog_output and local file entries in
ossec.conf and restarting OSSEC.
Looking through the history here I did manage to get the localtime file set
correctly :-)

And that's about me done, any pointers please?
Thanks
Tim



Re: [ossec-list] Re: agentless frequency/start time

2015-11-03 Thread dan (ddp)
On Tue, Nov 3, 2015 at 8:53 AM, Dimitris wrote:
> Hi Dan,
>
> Thank you for your answer. Indeed, using the 2 separate <agentless> blocks
> worked and I can use 2 or more different frequencies.
>
> What remains is the specific time to run the agentless scan. The time based
> scan seems only available for syscheck, which I understand is local for the
> ossec server and not the remote scanned hosts.
>

If you want to add this functionality, you can submit a pull request
to https://github.com/ossec/ossec-hids
I don't think there would be any objections to having this.

> Thanks again.
> Dimitris.
>


Re: [ossec-list] Ossec agent error

2015-11-03 Thread Eero Volotinen
This is a firewall issue. Disable the local firewall on the OSSEC server.

eero

Tuesday 3 November 2015, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> Hello,
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the OSSEC
> solution.
>
> I have been trying to deploy this in our environment (Windows mainly) but
> the agent is not able to communicate with the OSSEC server (they are both
> on the same VLAN, no firewall in between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look at the logs on the OSSEC server this is the only
> info that I get:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>
> Reinaldo Fernandes
>



Re: [ossec-list] Re: agentless frequency/start time

2015-11-03 Thread Dimitris
Hi Dan,

Thank you for your answer. Indeed, using the 2 separate <agentless> blocks
worked and I can use 2 or more different frequencies.

What remains is the specific time to run the agentless scan. The time based
scan seems only available for syscheck, which I understand is local for the
ossec server and not the remote scanned hosts.

Thanks again.
Dimitris.



Re: [ossec-list] Re: agentless frequency/start time

2015-11-03 Thread dan (ddp)
On Tue, Nov 3, 2015 at 8:28 AM, Dimitris wrote:
> Hello,
>
> This is the only thread about agentless frequency and start time. What I
> have seen is that start time is not available, you receive an error when you
> try to set it in ossec.conf in ssh_integrity_check_linux. What
> I observe though is the following:
>
> I have 2-3 hosts to run agentless ssh_integrity_check_linux. I need to run
> the scan at different times. One needs to run at 1:30 every night, another
> needs to run every 30 seconds. My current configuration in ossec.conf:
>
> <agentless>
>   <type>ssh_integrity_check_linux</type>
>   <frequency>30</frequency>

That's super ambitious.

>   <host>ossec@172.x.x.4</host>
>   <state>periodic</state>
>   <arguments>/bin /etc /sbin</arguments>
>
>   <type>ssh_integrity_check_linux</type>
>   <frequency>86400</frequency>
>   <host>ossec@172.x.x.5</host>
>   <state>periodic</state>
>   <arguments>/bin</arguments>
> </agentless>
>
> Is there a way to run the second scan at a specific time? I have thought of
> a workaround to restart ossec at 1:30, but I will later add another system
> that I need to scan daily at 4:00. How can this be done?
>

I'm not aware of a way to run the commands at a specified time. If
it's not in the documentation, it probably doesn't exist.

> Additionally, if you set different frequencies per host, only the longest
> one works, i.e. 86400 above. Is this a bug, or do you see something wrong?
>

I don't use the agentless stuff, so I don't know how much help I can
be. But have you tried using 2 <agentless> blocks instead of 1? It
could be a stupid idea, but again I don't use it.

> I would appreciate your answer.
>
> Thank you,
> Dimitris.
>
>
>
> On Tuesday, July 9, 2013 at 5:27:15 PM UTC+3, Adam wrote:
>>
>> Hello,
>>
>> When setting a frequency for agentless scanning, does this work as 18600
>> seconds say from the last time the agentless script was started, or from
>> when it was finished and analysed?
>>
>> Also is there an equivalent to the <scan_time> for syscheck for
>> kicking off agentless scripts? (If not, could I suggest it for a future
>> feature).
>>
>> Cheers
>> Adam
>


Re: [ossec-list] Ossec agent error

2015-11-03 Thread dan (ddp)
On Tue, Nov 3, 2015 at 7:09 AM, Reinaldo Fernandes wrote:
> Hello,
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the OSSEC
> solution.
>
> I have been trying to deploy this in our environment (Windows mainly) but
> the agent is not able to communicate with the OSSEC server (they are both
> on the same VLAN, no firewall in between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look at the logs on the OSSEC server this is the only info
> that I get:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>

The ossec.log lines don't look familiar. Are there any lines preceding
those that might provide more of a clue? It kind of looks like there
is an issue with the ossec.conf on the manager.

>
> Reinaldo Fernandes
>


[ossec-list] Re: agentless frequency/start time

2015-11-03 Thread Dimitris
Hello,

This is the only thread about agentless frequency and start time. What I
have seen is that start time is not available, you receive an error when
you try to set it in ossec.conf in ssh_integrity_check_linux.
What I observe though is the following:

I have 2-3 hosts to run agentless ssh_integrity_check_linux. I need to run
the scan at different times. One needs to run at 1:30 every night, another
needs to run every 30 seconds. My current configuration in ossec.conf:

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>30</frequency>
  <host>ossec@172.x.x.4</host>
  <state>periodic</state>
  <arguments>/bin /etc /sbin</arguments>

  <type>ssh_integrity_check_linux</type>
  <frequency>86400</frequency>
  <host>ossec@172.x.x.5</host>
  <state>periodic</state>
  <arguments>/bin</arguments>
</agentless>

Is there a way to run the second scan at a specific time? I have thought of
a workaround to restart ossec at 1:30, but I will later add another system
that I need to scan daily at 4:00. How can this be done?

Additionally, if you set different frequencies per host, only the longest
one works, i.e. 86400 above. Is this a bug, or do you see something wrong?

I would appreciate your answer.

Thank you,
Dimitris.



On Tuesday, July 9, 2013 at 5:27:15 PM UTC+3, Adam wrote:
>
> Hello,
>
> When setting a frequency for agentless scanning, does this work as 18600
> seconds say from the last time the agentless script was started, or from
> when it was finished and analysed?
>
> Also is there an equivalent to the <scan_time> for syscheck for
> kicking off agentless scripts? (If not, could I suggest it for a future
> feature).
>
> Cheers
> Adam
>



[ossec-list] Ossec agent error

2015-11-03 Thread Reinaldo Fernandes
Hello,

My name is Reinaldo Fernandes and I'm contacting you regarding the OSSEC
solution.

I have been trying to deploy this in our environment (Windows mainly) but
the agent is not able to communicate with the OSSEC server (they are both
on the same VLAN, no firewall in between).

This is the error:

2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).

2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .

2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.

When I try to look at the logs on the OSSEC server this is the only
info that I get:

[root@ossec user]# /var/ossec/logs/ossec.log

/var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('

/var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'

Any clue or tip on how to solve this situation?

Reinaldo Fernandes
