Re: [ossec-list] How to Query OSSEC for certain events (Hunting Techniques)
I'm using LightSIEM, based on the ELK stack, which can break all OSSEC and Snort messages into semantic pieces that you can use in search queries later.

Tue, 22 Sep 2015 at 17:53, :
> Hello Group!
>
> I'm using Logstash / Kibana (as well as the OSSEC basic web interface).
>
> In Kibana I use a table view to sort OSSEC events by number and this helps zero in on suspicious events. While the basic web interface is fairly featureless, I found that going to the search screen and searching for events of level 2 (lowest level) and then attack / misuse sometimes nets an event worth investigating.
>
> My question is how do folks use these tools (Kibana and the basic OSSEC interface) to hunt for IOCs and other events of interest? Are there other tools I could be running against our OSSEC server?
>
> Any info or suggested queries are appreciated.
>
> Thanks,

--
Best regards, Daniil Svetlov.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: Ossec agent error
sudo tail -f /path/to/filename

Eero

3.11.2015 6.26 pm, "Reinaldo Fernandes" wrote:
>
> Can you provide me the correct command to run?
> Thank you
Re: [ossec-list] Re: Ossec agent error
Can you provide me the correct command to run?
Thank you
Re: [ossec-list] Re: Ossec agent error
Are you trying to execute the log file? You need to run sudo tail filename, not sudo filename

Eero

3.11.2015 5.40 pm, "Reinaldo Fernandes" wrote:
> Hi dan,
> I did now:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entries in the logs as before:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
Re: [ossec-list] Re: Ossec agent error
On Tue, Nov 3, 2015 at 10:40 AM, Reinaldo Fernandes wrote:
> Hi dan,
> I did now:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entries in the logs as before:
>

Those are really weird. Do you have any stray "(" in your ossec.conf file?

> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
Re: [ossec-list] Re: Ossec agent error
Hi dan,
I did now:
sudo /var/ossec/logs/ossec.log

and I got exactly the same entries in the logs as before:

[root@ossec user]# /var/ossec/logs/ossec.log

/var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('

/var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
Re: [ossec-list] Re: Ossec agent error
On Nov 3, 2015 10:28 AM, "Reinaldo Fernandes" wrote:
>
> Hi dan,
>
> Sorry but I'm getting an access denied when I try to run the following command:
> tail -F /var/ossec/logs/ossec.log
>

You may need to use sudo to access the file. And a `tail -f` will only show new entries (which will be fine if you restart the processes while tailing the file).
Re: [ossec-list] Re: Ossec agent error
Hi dan,

Sorry but I'm getting an access denied when I try to run the following command:
tail -F /var/ossec/logs/ossec.log
Re: [ossec-list] Re: Ossec agent error
On Nov 3, 2015 10:13 AM, "Reinaldo Fernandes" wrote:
>
> Hi Eero,
>
> Thank you for your reply but no joy.
>
> All the hosts have the firewall deactivated.
>

Any luck finding any more info in the ossec.log file? Maybe just look for stray parentheses in the ossec.conf.

>
> Best regards,
>
> Reinaldo
>
> Tuesday, 3 November 2015 at 12:11:10 UTC, Reinaldo Fernandes wrote:
>>
>> Hello,
>>
>> My name is Reinaldo Fernandes and I'm contacting you regarding the Ossec solution.
>>
>> I have been trying to deploy this on our environment (Windows mainly) but the agent is not able to communicate with the Ossec server (they are both on the same VLAN, no firewall between).
>>
>> This is the error:
>>
>> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>>
>> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>>
>> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>>
>> When I try to look up the logs on the Ossec server this is the only info that I got:
>>
>> [root@ossec user]# /var/ossec/logs/ossec.log
>>
>> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>>
>> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>>
>> Any clue or tip on how to solve this situation?
>>
>> Reinaldo Fernandes
[ossec-list] Re: Ossec agent error
Hi Eero,

Thank you for your reply but no joy.

All the hosts have the firewall deactivated.

Best regards,

Reinaldo

Tuesday, 3 November 2015 at 12:11:10 UTC, Reinaldo Fernandes wrote:
>
> Hello,
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the Ossec solution.
>
> I have been trying to deploy this on our environment (Windows mainly) but the agent is not able to communicate with the Ossec server (they are both on the same VLAN, no firewall between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look up the logs on the Ossec server this is the only info that I got:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>
> Reinaldo Fernandes
[ossec-list] /var/log/messages filling up
Struggling with the /var/log/messages file filling up with ossec alert messages on a fresh install of the appliance. My struggles are not helped by being a Linux and ossec novice.

lsof shows the following processes using the messages file: rsyslogd, abrt-dump and ossec-log. I have tried to comment out the syslog_output and local file entries in ossec.conf and restarting ossec.

Looking through the history here I did manage to get the localtime file set correctly :-)

And that's about me done, any pointers please?

Thanks
Tim
Re: [ossec-list] Re: agentless frequency/start time
On Tue, Nov 3, 2015 at 8:53 AM, Dimitris wrote:
> Hi Dan,
>
> Thank you for your answer. Indeed, using the 2 separate blocks worked and I can use 2 or more different frequencies.
>
> What remains is the specific time to run the agentless scan. The time based scan seems only available for syscheck, which I understand is local for the ossec server and not the remote scanned hosts.
>

If you want to add this functionality, you can submit a pull request to https://github.com/ossec/ossec-hids I don't think there would be any objections to having this.

> Thanks again.
> Dimitris.
Re: [ossec-list] Ossec agent error
This is a firewall issue. Disable the local firewall on the ossec server.

eero

Tuesday 3 November 2015, Reinaldo Fernandes <fernandes.jreina...@gmail.com> wrote:
> Hello,
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the Ossec solution.
>
> I have been trying to deploy this on our environment (Windows mainly) but the agent is not able to communicate with the Ossec server (they are both on the same VLAN, no firewall between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look up the logs on the Ossec server this is the only info that I got:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>
> Reinaldo Fernandes
Re: [ossec-list] Re: agentless frequency/start time
Hi Dan,

Thank you for your answer. Indeed, using the 2 separate blocks worked and I can use 2 or more different frequencies.

What remains is the specific time to run the agentless scan. The time based scan seems only available for syscheck, which I understand is local for the ossec server and not the remote scanned hosts.

Thanks again.
Dimitris.
Re: [ossec-list] Re: agentless frequency/start time
On Tue, Nov 3, 2015 at 8:28 AM, Dimitris wrote:
> Hello,
>
> This is the only thread about agentless frequency and start time. What I have seen is that start time is not available, you receive an error when you try to set it in ossec.conf in ssh_integrity_check_linux. What I observe though is the following:
>
> I have 2-3 hosts to run agentless ssh_integrity_check_linux. I need to run the scan at different times. One needs to run at 1:30 every night, another needs to run every 30 seconds. My current configuration in ossec.conf:
>
> ssh_integrity_check_linux
> 30

That's super ambitious.

> ossec@172.x.x.4
> periodic
> /bin /etc /sbin
>
> ssh_integrity_check_linux
> 86400
> ossec@172.x.x.5
> periodic
> /bin
>
> Is there a way to run the second scan at a specific time? I have thought of a workaround to restart ossec at 1:30, but I will later add another system that I need to scan daily at 4:00. How can this be done?
>

I'm not aware of a way to run the commands at a specified time. If it's not in the documentation, it probably doesn't exist.

> Additionally, if you set different frequencies per host, only the longest one works, i.e. 86400 above. Is this a bug, or do you see something wrong?
>

I don't use the agentless stuff, so I don't know how much help I can be. But have you tried using 2 blocks instead of 1? It could be a stupid idea, but again I don't use it.

> I would appreciate your answer.
>
> Thank you,
> Dimitris.
>
> On Tuesday, July 9, 2013 at 5:27:15 PM UTC+3, Adam wrote:
>>
>> Hello,
>>
>> When setting a frequency for agentless scanning, does this work as 18600 seconds say from the last time the agentless script was started, or from when it was finished and analysed?
>>
>> Also is there an equivalent to the for syscheck for kicking off agentless scripts? (If not, could I suggest it for a future feature).
>>
>> Cheers
>> Adam
Re: [ossec-list] Ossec agent error
On Tue, Nov 3, 2015 at 7:09 AM, Reinaldo Fernandes wrote:
> Hello,
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the Ossec solution.
>
> I have been trying to deploy this on our environment (Windows mainly) but the agent is not able to communicate with the Ossec server (they are both on the same VLAN, no firewall between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look up the logs on the Ossec server this is the only info that I got:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>

The ossec.log lines don't look familiar. Are there any lines preceding those that might provide more of a clue? It kind of looks like there is an issue with the ossec.conf on the manager.

> Reinaldo Fernandes
[ossec-list] Re: agentless frequency/start time
Hello,

This is the only thread about agentless frequency and start time. What I have seen is that start time is not available, you receive an error when you try to set it in ossec.conf in ssh_integrity_check_linux. What I observe though is the following:

I have 2-3 hosts to run agentless ssh_integrity_check_linux. I need to run the scan at different times. One needs to run at 1:30 every night, another needs to run every 30 seconds. My current configuration in ossec.conf:

ssh_integrity_check_linux
30
ossec@172.x.x.4
periodic
/bin /etc /sbin

ssh_integrity_check_linux
86400
ossec@172.x.x.5
periodic
/bin

Is there a way to run the second scan at a specific time? I have thought of a workaround to restart ossec at 1:30, but I will later add another system that I need to scan daily at 4:00. How can this be done?

Additionally, if you set different frequencies per host, only the longest one works, i.e. 86400 above. Is this a bug, or do you see something wrong?

I would appreciate your answer.

Thank you,
Dimitris.

On Tuesday, July 9, 2013 at 5:27:15 PM UTC+3, Adam wrote:
>
> Hello,
>
> When setting a frequency for agentless scanning, does this work as 18600 seconds say from the last time the agentless script was started, or from when it was finished and analysed?
>
> Also is there an equivalent to the for syscheck for kicking off agentless scripts? (If not, could I suggest it for a future feature).
>
> Cheers
> Adam
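Two questions in this digest come down to what is actually in ossec.conf: Dan's advice in the agentless thread to use two separate `<agentless>` blocks (which Dimitris confirmed gives two independent frequencies), and his guess in the agent-error thread that the manager's ossec.conf is broken. The checker below is an added example, not code from either thread or from the OSSEC project. It parses ossec.conf with the standard library (wrapping the text in a synthetic root, since ossec.conf may contain several top-level `<ossec_config>` elements and no XML declaration), reports well-formedness errors with their line and column, lists every `<agentless>` block, and flags a block that carries more than one `<frequency>`, `<type>` or `<state>`. The three configurations are constructed; the hosts, paths and frequencies mirror the thread's, and the 60-second warning threshold is this example's own choice.

```python
"""Check an ossec.conf for XML well-formedness and list its <agentless> blocks.

Added example, not code from the thread or from the OSSEC project. ossec.conf
can contain several top-level <ossec_config> elements, so the text is wrapped
in a synthetic root before parsing (this assumes no <?xml ...?> declaration,
which ossec.conf normally lacks). The three configurations are constructed.
"""
import xml.etree.ElementTree as ET

# A single <agentless> block holding two hosts and two frequencies (presumably
# the shape the thread started with; separate blocks are what worked).
ONE_BLOCK_CONF = """\
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>30</frequency>
    <host>ossec@172.x.x.4</host>
    <state>periodic</state>
    <arguments>/bin /etc /sbin</arguments>
    <frequency>86400</frequency>
    <host>ossec@172.x.x.5</host>
  </agentless>
</ossec_config>
"""

# One <agentless> block per schedule, as Dan suggested.
TWO_BLOCK_CONF = """\
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>30</frequency>
    <host>ossec@172.x.x.4</host>
    <state>periodic</state>
    <arguments>/bin /etc /sbin</arguments>
  </agentless>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>86400</frequency>
    <host>ossec@172.x.x.5</host>
    <state>periodic</state>
    <arguments>/bin</arguments>
  </agentless>
</ossec_config>
"""

# Missing </agentless>: the kind of editing slip that stops the manager loading.
MALFORMED_CONF = """\
<ossec_config>
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>86400</frequency>
    <host>ossec@172.x.x.5</host>
    <state>periodic</state>
    <arguments>/bin</arguments>
</ossec_config>
"""


def parse_conf(text):
    """Parse ossec.conf text; raises ET.ParseError carrying line:column."""
    # No newline after the synthetic root, so reported line numbers match the file.
    return ET.fromstring("<ossec_conf_check>" + text + "</ossec_conf_check>")


def check_conf(text):
    """Return {"errors": [...], "warnings": [...], "blocks": [...]}."""
    report = {"errors": [], "warnings": [], "blocks": []}
    try:
        root = parse_conf(text)
    except ET.ParseError as exc:
        report["errors"].append(f"xml: {exc}")
        return report
    for n, block in enumerate(root.iter("agentless"), start=1):
        b = {tag: [e.text.strip() for e in block.findall(tag) if e.text]
             for tag in ("type", "frequency", "host", "state", "arguments")}
        for tag in ("type", "frequency", "state"):
            if len(b[tag]) != 1:
                report["errors"].append(
                    f"agentless block {n}: expected exactly one <{tag}>, found "
                    f"{len(b[tag])}; use one <agentless> block per schedule")
        if not b["host"]:
            report["errors"].append(f"agentless block {n}: no <host>")
        for f in b["frequency"]:
            if f.isdigit() and int(f) < 60:  # threshold is this example's own
                report["warnings"].append(
                    f"agentless block {n}: frequency {f}s means an ssh login and "
                    f"a checksum pass over the listed paths every {f} seconds")
        report["blocks"].append(b)
    return report


if __name__ == "__main__":
    import sys
    # Pass the real file (it is root-owned, so run under sudo) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TWO_BLOCK_CONF
    for key, items in check_conf(text).items():
        for item in items:
            print(f"{key}: {item}")
```

A stray "(" inside element text, the thing Dan asked about, is not an XML error and will not be reported here; an unclosed or mismatched tag will, with the exact position, which is usually faster than reading the file by eye.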
[ossec-list] Ossec agent error
Hello,

My name is Reinaldo Fernandes and I'm contacting you regarding the Ossec solution.

I have been trying to deploy this on our environment (Windows mainly) but the agent is not able to communicate with the Ossec server (they are both on the same VLAN, no firewall between).

This is the error:

2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).

2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .

2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.

When I try to look up the logs on the Ossec server this is the only info that I got:

[root@ossec user]# /var/ossec/logs/ossec.log

/var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('

/var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'

Any clue or tip on how to solve this situation?

Reinaldo Fernandes
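The agent lines quoted in this thread follow OSSEC's own log layout (`date time process(code): LEVEL: message`), and the "syntax error near unexpected token" lines are not OSSEC output at all but bash complaining because the log file was executed rather than read. The script below is an added example, not code from the thread or from the OSSEC project: it parses ossec.log lines, drops anything that is not one, and summarises whether the agent ever heard back from the manager. The sample lines are constructed after the ones quoted above; the "Connected to the server" text the agent logs on success is an assumption, as is the exact wording of the verdicts.

```python
"""Parse OSSEC's own log (/var/ossec/logs/ossec.log) and triage an agent that
never hears back from the manager.

Added example, not code from the thread or from the OSSEC project. The lines in
SAMPLE_AGENT_LOG are constructed after the ones quoted in the thread; the
"Connected to the server" text that the agent logs on success is an assumption.
"""
import re

# date time process(code): LEVEL: message   -- the (code) part is optional
LOG_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<process>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<message>.*)$"
)
SERVER_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?")

SAMPLE_AGENT_LOG = """\
2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
2015/11/03 10:45:30 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
2015/11/03 10:45:52 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
/var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
"""


def parse_line(line):
    """Return a dict for an OSSEC log line, or None for anything else (for
    example the bash error produced by executing the log file instead of
    reading it with tail, as happened in the thread)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def triage_agent_connection(records):
    """Summarise the agent's attempts to reach the manager.

    verdict:
      connected             the manager answered at least once
      no_reply_from_manager attempts were made but only 4101 warnings came
                            back: nothing answered on the manager's UDP/1514,
                            so on the manager check that ossec-remoted is
                            running, that ossec.conf loads, and that no host
                            firewall drops 1514/udp
      no_attempts           the agent never tried (no server configured?)
    """
    summary = {"attempts": 0, "waiting_warnings": 0, "connected": False,
               "servers": set(), "ports": set()}
    for r in records:
        if not r["process"].startswith("ossec-agent"):
            continue
        msg = r["message"]
        if msg.startswith("Trying to connect to server"):
            summary["attempts"] += 1
            m = SERVER_RE.search(msg)
            if m:
                summary["servers"].add(m["ip"])
                if m["port"]:
                    summary["ports"].add(int(m["port"]))
        elif r["code"] == 4101 or msg.startswith("Waiting for server reply"):
            summary["waiting_warnings"] += 1
        elif msg.startswith("Connected to the server"):  # assumed success text
            summary["connected"] = True
    if summary["connected"]:
        summary["verdict"] = "connected"
    elif summary["attempts"] == 0:
        summary["verdict"] = "no_attempts"
    else:
        summary["verdict"] = "no_reply_from_manager"
    return summary


if __name__ == "__main__":
    import sys
    # Pass the agent's ossec.log (root-owned, so run under sudo) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AGENT_LOG
    recs = parse_log(text)
    for r in recs:
        print(r["process"], r["code"], r["level"], r["message"])
    print(triage_agent_connection(recs))
```

On the manager side the same `parse_line` works on `sudo tail -f /var/ossec/logs/ossec.log` output (as Dan and Eero advised, the file must be read with tail under sudo, not executed); the lines to look for there are whatever the daemons log while `ossec-control restart` runs, since a manager that cannot load its ossec.conf says so in this file rather than answering the agent.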