Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread frwa onto
Hi Ryan,
I can see something like this in my OSSEC alerts log,
/var/ossec/logs/alerts/alerts.log:

** Alert 1447389519.1118: mail  - web,accesslog,attack,
2015 Nov 13 12:38:39 ->/var/log/httpd/access_log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.212.*
10.212.*** - - [13/Nov/2015:12:37:49 +0800] "POST
/*/.php?..."


In my active-responses.log I can see this.

Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
add - 10.212.*1447389519.1118 31106
Fri Nov 13 12:38:40 MYT 2015
/var/ossec/active-response/bin/firewall-drop.sh add - 10.212.**
1447389519.1118 31106


So is the only way to relate both logs via the rule number 31106? So does
this rule also relate to POST activity?



On Fri, Nov 13, 2015 at 1:09 AM, Ryan Schulze  wrote:

> That depends on how you set up your active response. IIRC the default is
> to trigger for any rule 7 or higher. So just check which rules level 7 or
> higher were triggered by you (e.g. by checking the alert logs or your
> emails).
>
> Since you mentioned phpmyadmin I'd guess maybe one of the SQL injection
> rules if phpmyadmin transfers certain requests as a GET (making it show up
> in the webserver logs).
>
>
> On 11/10/2015 7:31 PM, frwa onto wrote:
>
> Hi Santiago,
>   This will just block the active response, right? But in my case, why
> is it that when I try to get huge data the active response comes into
> effect? I can't see which rule is fired to activate the active response.
> Is there any workaround that works together with the active response
> being active?
>
> On Wed, Nov 11, 2015 at 2:04 AM, Santiago Bassett <
> santiago.bass...@gmail.com> wrote:
>
>> You can find info here:
>>
>>
>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
>>
>>
>> If unsure I suggest to disable it at /var/ossec/etc/ossec.conf
>>
>>   
>>
>> yes
>>
>>   
>>
>> On Tue, Nov 10, 2015 at 1:22 AM, frwa onto < 
>> frwao...@gmail.com> wrote:
>>
>>> Hi Ryan,
>>>  I am not too good at tuning my active response or rules.
>>> Any tips on how to go about it?
>>>
>>>
>>> On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze < 
>>> r...@dopefish.de> wrote:
>>>
 Sounds like you may want to look into fine tuning your active response
 and/or rules.

 On 11/9/2015 10:11 PM, frwa onto wrote:

 Hi Santiago,
   I am just running as standalone, so it's not a manager or agent. On
 another machine, for instance, I am using the older ossec 2.7.1. On that
 one I have tried, say, my phpmyadmin, and when I start browsing huge data
 ossec will block me, and only after some time can I log in. Here is the
 active response log as below.

 Tue Nov 10 11:48:12 MYT 2015
 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200
 1447127292.12356 31106
 Tue Nov 10 11:48:12 MYT 2015
 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200
 1447127292.12356 31106
 Tue Nov 10 11:58:42 MYT 2015
 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200
 1447127292.12356 31106
 Tue Nov 10 11:58:42 MYT 2015
 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200
 1447127292.12356 31106

 I don't know what the trigger is exactly, but I know it is due to my
 browsing of huge data. Also, how do I overcome this issue? In my older
 version I saw this error too:
 ossec-execd: INFO: Active response command not present:
 '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
 system.

 This is my worry: on the new machine using 2.8.1 the app might get blocked
 from accessing the data.

 On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
 wrote:
>
> Are you running an agent or the manager? I don't think OSSEC would
> block access to your mysql db.
>
> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto  wrote:
>
>> Hi,
>> I have a CentOS server. I have managed to install ossec 2.8.1. It
>> mainly runs a socket programming app. For every instance of a connection
>> it will receive data and insert it into a mysql db. What I am worried
>> about is in what scenario it will block access to this local mysql db,
>> as I can see there are some rules for mysql? Sorry, I am very new to these.
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to ossec-list+...@googlegroups.com.
>> For more options, visit 
>> https://groups.google.com/d/optout.
>>
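The two logs frwa is trying to relate share more than the rule id: every active-responses.log line written by ossec-execd carries the alert id (the `<epoch>.<counter>` value after the IP) and the rule id, and the same alert id heads the matching block in alerts.log. The following Python script, added here as an example and not code from this thread or from OSSEC itself, parses both formats, joins them on the alert id, and measures how long each block lasted from the add/delete pairs. The alerts.log block for alert 1447127292.12356 is constructed to match the four 2.7.1 lines quoted above; its request path is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample data modelled on the entries quoted in this thread. The
# active-responses.log lines are the four 2.7.1 entries shown above; the alerts.log
# block for alert 1447127292.12356 is made up to match them (placeholder request path).
ALERTS_LOG = """\
** Alert 1447127292.12356: - web,accesslog,attack,
2015 Nov 10 11:48:12 ->/var/log/httpd/access_log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.212.134.200
10.212.134.200 - - [10/Nov/2015:11:48:11 +0800] "GET /phpmyadmin/sql.php?db=example HTTP/1.1" 200 51234

** Alert 1447127300.12401: - syslog,sshd,authentication_success,
2015 Nov 10 11:48:20 ->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.212.134.201
Nov 10 11:48:19 web01 sshd[2201]: Accepted publickey for admin from 10.212.134.201 port 50213 ssh2
"""

AR_LOG = """\
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
"""

# alerts.log block header: "** Alert <epoch>.<counter>: [flags] - <groups>"
ALERT_HDR = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<flags>.*?)\s*- (?P<groups>\S*)$")
LOCATION = re.compile(r"^\d{4} \w{3} +\d+ \d\d:\d\d:\d\d (?P<agent>.*?)->(?P<loc>.*)$")
RULE_LINE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_LINE = re.compile(r"^Src IP: (?P<ip>\S+)$")
# active-responses.log: "<date> <tz> <year> <script> <add|delete> <user> <ip> <alert id> <rule id>"
AR_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>\S+) (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\d+\.\d+) (?P<rule>\d+)$")


def parse_alerts(text):
    """Split alerts.log into blocks keyed by alert id; keep rule, level, source IP and raw log lines."""
    alerts, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # a blank line terminates an alert block
            continue
        m = ALERT_HDR.match(line)
        if m:
            current = {"id": m["id"], "groups": m["groups"], "rule": None, "level": None,
                       "desc": None, "src_ip": None, "location": None, "log": []}
            alerts[current["id"]] = current
        elif current is not None:
            loc, rule, src = LOCATION.match(line), RULE_LINE.match(line), SRC_LINE.match(line)
            if loc:
                current["location"] = loc["loc"]
            elif rule:
                current["rule"], current["level"], current["desc"] = int(rule["rule"]), int(rule["level"]), rule["desc"]
            elif src:
                current["src_ip"] = src["ip"]
            else:
                current["log"].append(line)     # the event text that matched the rule
    return alerts


def parse_active_responses(text):
    """Parse active-responses.log; unrecognised (e.g. truncated) lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AR_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(f"{ev['ts']} {ev['year']}", "%a %b %d %H:%M:%S %Y")
        ev["rule"] = int(ev["rule"])
        events.append(ev)
    return events


def correlate(alerts, events):
    """Join each active-response action to its originating alert on the alert id, which both
    logs carry; the rule id alone cannot tell two alerts of the same rule apart."""
    rows = []
    for ev in events:
        alert = alerts.get(ev["alert_id"])
        rows.append({
            "when": ev["when"], "script": ev["script"].rsplit("/", 1)[-1], "action": ev["action"],
            "ip": ev["ip"], "alert_id": ev["alert_id"], "rule": ev["rule"],
            "matched": alert is not None,
            "level": alert["level"] if alert else None,
            "description": alert["desc"] if alert else None,
            "trigger": alert["log"][0] if alert and alert["log"] else None,
            # sanity check: rule id and source IP recorded by execd must agree with the alert
            "consistent": bool(alert) and alert["rule"] == ev["rule"] and alert["src_ip"] == ev["ip"],
        })
    return rows


def block_durations(events):
    """Seconds each (script, ip, alert id) stayed active: from its 'add' to the matching 'delete'."""
    added, durations = {}, {}
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["script"], ev["ip"], ev["alert_id"])
        if ev["action"] == "add":
            added[key] = ev["when"]
        elif key in added:
            durations[key] = int((ev["when"] - added.pop(key)).total_seconds())
    return durations


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS_LOG)
    events = parse_active_responses(AR_LOG)
    for r in correlate(alerts, events):
        print(f"{r['when']:%Y-%m-%d %H:%M:%S} {r['script']:<17} {r['action']:<6} {r['ip']:<15} "
              f"rule {r['rule']} level {r['level']}: {r['description']}")
        if r["trigger"]:
            print(f"    triggered by: {r['trigger']}")
    for (script, ip, alert_id), secs in block_durations(events).items():
        print(f"{script.rsplit('/', 1)[-1]} kept {ip} blocked for {secs} s (alert {alert_id})")
```

Run against the real files (`/var/ossec/logs/alerts/alerts.log` and `/var/ossec/logs/active-responses.log`) the same join shows, for every block, which rule and which log line caused it; the 630 s between add and delete in the sample is the block timeout configured for that active response.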

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread frwa onto
Hi Dan,
   Yes, you are right, the 31106 rule does not exist even in my
current 2.8.1. In my 2.8.1 I see the rules are starting with 50100; is
there any specific reason why the older rules have been removed? I guess
that I should upgrade the older machine to the new 2.8.1? Just for
knowledge's sake, must I always uninstall and install a new version of Ossec,
or just replace the rules xml file? Also, why in 2.7.1, when the AR is
activated, don't I see which rule is triggered in the ossec log file itself?

On Fri, Nov 13, 2015 at 1:05 AM, dan (ddp)  wrote:

> On Mon, Nov 9, 2015 at 11:11 PM, frwa onto  wrote:
> > Hi Santiago,
> > I am just running as standalone, so it's not a manager or agent. On
> > another machine, for instance, I am using the older ossec 2.7.1
>
>
> 2.7.1 is way too old to provide much support for.
>
> > On that one I have tried, say, my phpmyadmin, and when I start browsing
> > huge data ossec will block me, and only after some time can I log in. Here
> > is the active response log as below.
> >
> > Tue Nov 10 11:48:12 MYT 2015
> /var/ossec/active-response/bin/firewall-drop.sh
> > add - 10.212.134.200 1447127292.12356 31106
>
> So rule 31106 is triggering the AR.
>   
> 31103, 31104, 31105
> ^200
> A web attack returned code 200 (success).
> attack,
>   
>
> You'll have to go through 31103-31105 to try and get a more specific
> understanding of what is triggering the alert.
> (All of this is taken from a 2.8.3+ system, so details may be
> different from 2.7.1)
>
> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
> add
> > - 10.212.134.200 1447127292.12356 31106
> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
> > delete - 10.212.134.200 1447127292.12356 31106
> > Tue Nov 10 11:58:42 MYT 2015
> /var/ossec/active-response/bin/firewall-drop.sh
> > delete - 10.212.134.200 1447127292.12356 31106
> >
> > I don't know what the trigger is exactly, but I know it is due to my
> > browsing of huge data. Also, how do I overcome this issue? In my older
> > version I saw this error too:
> > ossec-execd: INFO: Active response command not present:
> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
> > system.
> >
> > This is my worry: on the new machine using 2.8.1 the app might get blocked
> > from accessing the data.
> >
> > On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
> wrote:
> >>
> >> Are you running an agent or the manager? I don't think OSSEC would block
> >> access to your mysql db.
> >>
> >> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto  wrote:
> >>>
> >>> Hi,
> >>> I have a CentOS server. I have managed to install ossec 2.8.1. It
> >>> mainly runs a socket programming app. For every instance of a
> >>> connection it will receive data and insert it into a mysql db. What I
> >>> am worried about is in what scenario it will block access to this local
> >>> mysql db, as I can see there are some rules for mysql? Sorry, I am very
> >>> new to these.
> >>>


Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-12 Thread Santiago Bassett
Just uploaded the new packages. The issues should be fixed now.

On Mon, Nov 9, 2015 at 5:04 PM, Santiago Bassett  wrote:

> Thank you Regis for the feedback. Really appreciate it.
>
> Will work on those issues and generate new packages as soon as I can, most
> likely sometime in the next couple of days.
>
>
>
> On Mon, Nov 9, 2015 at 3:24 AM, Régis Houssin 
> wrote:
>
>> Another recurring problem that has not been corrected concerns the
>> file:
>>
>> /var/ossec/active-response/bin/host-deny.sh
>>
>> you must remove the spaces around the equal sign (a problem with Debian):
>>
>> replace:
>>
>> TMP_FILE = `mktemp /var/ossec/ossec-hosts.XX`
>>
>> by
>>
>> TMP_FILE=`mktemp /var/ossec/ossec-hosts.XX`
>>
>>
>>
>> and replace:
>>
>> TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9'
>> | fold -w 32 | head -1 `"
>>
>> by
>>
>> TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9'
>> | fold -w 32 | head -1 `"
>>
>>
>> Best
>>
>> On 08/11/2015 18:33, Santiago Bassett wrote:
>>
>> Compiling packages, should be up in the repo in about an hour. Those will
>> be version 2.8.3-2.
>>
>> Please don't hesitate to let me know if you still find issues.
>>
>> Best
>>
>> On Sun, Nov 8, 2015 at 7:50 AM, Santiago Bassett <
>> santiago.bass...@gmail.com> wrote:
>>
>>> Hi Regis,
>>>
>>> yes, this version of the deb packages has not been compiled with mysql
>>> support.
>>>
>>> I am actually working on a new one right now, to include systemd
>>> support. Will look to include mysql support too. Hopefully I can publish it
>>> today.
>>>
>>> Best
>>>
>>> On Sun, Nov 8, 2015 at 5:57 AM, Régis Houssin <
>>> regis.hous...@gmail.com> wrote:
>>>
 Hello

 I installed the 2.8.3 package on Debian Jessie and I have this error
 message when I want to activate Mysql:

 ossec-dbd(5207): ERROR: OSSEC not compiled with support for 'mysql'


>> Regards,
>> --
>> Régis Houssin
>> -
>> iNodbox (Cap-Networks)
>> 5, rue Corneille
>> 01000 BOURG EN BRESSE
>> FRANCE
>> VoIP: +33 1 83 62 40 03
>> GSM: +33 6 33 02 07 97
>> Email: regis.hous...@inodbox.com
>>
>> Web: https://www.inodbox.com/
>> Development: https://git.framasoft.org/u/inodbox/
>> Translation: https://www.transifex.com/inodbox/
>> -
>>
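Why the spacing Régis points out matters, and a check for it, as an added example (not part of the OSSEC sources or of this thread): in sh, `TMP_FILE = ...` is parsed as a command named TMP_FILE with two arguments, so the variable stays empty and everything the script later writes to `$TMP_FILE` goes astray. The script below flags such lines in an active-response script, rewrites them, and runs both spellings through /bin/sh to show the difference; the host-deny.sh excerpt it scans is constructed from the two lines quoted above, not the shipped file.

```python
import re
import subprocess
import sys

# A shell assignment must have no whitespace around '='. "TMP_FILE = `mktemp ...`"
# is parsed as the command TMP_FILE with the arguments "=" and the mktemp output,
# so the script then runs with TMP_FILE empty. "X= value" is wrong for the same reason.
SPACED_ASSIGNMENT = re.compile(r"^(?P<indent>\s*)(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?:\s+=\s*|\s*=\s+)")

# Constructed excerpt modelled on the two host-deny.sh lines quoted in the thread.
# Line 5 is a correctly written test command and must not be flagged.
SAMPLE = """\
#!/bin/sh
# constructed excerpt, not the shipped host-deny.sh
IP=$3
TMP_FILE = `mktemp /var/ossec/ossec-hosts.XX`
if [ "X$TMP_FILE" = "X" ]; then
    TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
fi
echo "$IP" >> "$TMP_FILE"
"""


def find_spaced_assignments(script_text):
    """Return [(line_no, line)] for every assignment written with spaces around '='.
    Assignments prefixed by a keyword such as 'export' or 'local' are not covered."""
    return [(n, line) for n, line in enumerate(script_text.splitlines(), 1)
            if SPACED_ASSIGNMENT.match(line)]


def fix_spaced_assignments(script_text):
    """Rewrite 'NAME = value', 'NAME= value' and 'NAME =value' to 'NAME=value', keeping indentation."""
    fixed = [SPACED_ASSIGNMENT.sub(lambda m: f"{m['indent']}{m['name']}=", line)
             for line in script_text.splitlines()]
    return "\n".join(fixed) + "\n"


def shell_value_after(assignment):
    """Run one assignment line in /bin/sh and return what $TMP_FILE holds afterwards
    (the 'command not found' message of the broken spelling is discarded)."""
    script = f'{assignment} 2>/dev/null; printf "%s" "$TMP_FILE"'
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True).stdout


if __name__ == "__main__":
    paths = sys.argv[1:]          # e.g. /var/ossec/active-response/bin/*.sh
    texts = {p: open(p).read() for p in paths} if paths else {"<constructed sample>": SAMPLE}
    for name, text in texts.items():
        for n, line in find_spaced_assignments(text):
            print(f"{name}:{n}: {line.strip()}")
    print("spaced:  $TMP_FILE =", repr(shell_value_after("TMP_FILE = /tmp/x")))
    print("correct: $TMP_FILE =", repr(shell_value_after("TMP_FILE=/tmp/x")))
```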


Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2015-11-12 Thread Santiago Bassett
Are you using the scan_on_start option? Remember realtime won't work until
the first syscheck is done.

I also recommend using alert_new_files and setting auto_ignore to "no" (this
goes on the manager).

A useful troubleshooting tip is to enable debug for syscheck on the agent
(internal_options.conf file).

Best

On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia  wrote:

> I've checked, I have the /usr/include/linux/inotify.h and I have
> -DUSEINOTIFY.
>
> I do have the "Real time file monitoring started.", which I simply didn't
> notice.
>
> However, the problem is that it looks like real time notifications are
> working inconsistently, i.e. if I, let's say, "apt-get install ...some
> package", I get the notification right away; also when I restart OSSEC I get
> the email immediately, BUT when I modify /etc/hosts or some other file that
> is listed in "directories" with the "realtime" parameter, then I only get a
> notification when ossec-syscheckd runs as scheduled.
>
> Any ideas?
>
>
>
>
> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>>
>> Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file
>> checks for the existence of a header file. Please see if your Ubuntu system
>> has one of the following:
>>
>> # Checking for inotify
>> if [ "X$OS" = "XLinux" ]; then
>>     if [ -e /usr/include/sys/inotify.h ]; then
>>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>     elif [ -e /usr/include/linux/inotify.h ]; then
>>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>     fi
>>     LUA_PLAT="posix"
>> fi
>>
>> If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation
>> directive. Please check it.
>>
>> Documentation is available at:
>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>>
>> Good luck!
>>
>> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>>
>> Hi Guys!
>>> I've installed and configured OSSEC to get real time notifications, but
>>> when I modify for instance /etc/passwd or /etc/hosts I don't get a real
>>> time notification.
>>> Scheduled notifications are working; I receive events by email.
>>>
>>> In addition, the documentation says that in ossec.log there should be a
>>> line "Real time file monitoring started.", which I never get.
>>>
>>> Please advise
>>>
>>>  
>>> yes
>>> jen...@gmail.com
>>> mx.yandex.net.
>>> ossecm@myserver
>>>   
>>>   
>>>   
>>> jen...@gmail.com
>>> 550, 553, 554
>>> 
>>>   
>>>
>>>   
>>> >> check_all="yes">/etc,/usr/bin,/usr/sbin
>>>
>>> yes
>>> no
>>> no
>>>


Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-12 Thread Santiago Bassett
Hi Daniel,

Not sure if that matters, but is your local rule in the same , as rule 1002 is? Are you sure you restarted the manager?

Best

On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray  wrote:

> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>
> I've updated /var/ossec/rules/local_rules.xml with the following rule:
>
>   
> 1002
> testserver1|testserver2
> mip
> HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP
> segment frame
> Ignore MIP Alerts
>   
>
>
> I've tested the rule with:
> ossec-testrule: Type one log per line.
>
> Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay
> protection check failed
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING
>   : 2 : Replay protection check failed '
>hostname: 'testserver1'
>program_name: 'mip'
>log: ' : HAEngine : WARNING   : 2 : Replay protection check
> failed '
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '17'
>Level: '0'
>Description: 'Ignore MIP Alerts'
>
>
>
> I've restarted everything, but the servers are still generating alerts:
>
> OSSEC HIDS Notification.
> 2015 Nov 12 14:58:37
>
> Received From: (testserver1)
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Nov 12 14:58:36 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay
> protection check failed
>
>  --END OF NOTIFICATION
>
>
>
> Can anybody shed some light on what's going on, or what I should try next?
>


Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread Ryan Schulze
That depends on how you set up your active response. IIRC the default is 
to trigger for any rule 7 or higher. So just check which rules level 7 
or higher were triggered by you (e.g. by checking the alert logs or 
your emails).


Since you mentioned phpmyadmin I'd guess maybe one of the SQL injection 
rules if phpmyadmin transfers certain requests as a GET (making it show 
up in the webserver logs).


On 11/10/2015 7:31 PM, frwa onto wrote:

Hi Santiago,
  This will just block the active response, right? But in my case, why
is it that when I try to get huge data the active response comes into
effect? I can't see which rule is fired to activate the active response.
Is there any workaround that works together with the active response
being active?


On Wed, Nov 11, 2015 at 2:04 AM, Santiago Bassett 
mailto:santiago.bass...@gmail.com>> wrote:


You can find info here:


http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html


If unsure I suggest to disable it at /var/ossec/etc/ossec.conf

  

yes

  


On Tue, Nov 10, 2015 at 1:22 AM, frwa onto mailto:frwao...@gmail.com>> wrote:

Hi Ryan,
 I am not too good at tuning my active response or rules. Any tips
on how to go about it?


On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze
mailto:r...@dopefish.de>> wrote:

Sounds like you may want to look into fine tuning your
active response and/or rules.

On 11/9/2015 10:11 PM, frwa onto wrote:

Hi Santiago,
   I am just running as standalone, so it's not a manager or agent. On
another machine, for instance, I am using the older ossec 2.7.1. On that
one I have tried, say, my phpmyadmin, and when I start browsing huge data
ossec will block me, and only after some time can I log in. Here is the
active response log as below.

Tue Nov 10 11:48:12 MYT 2015
/var/ossec/active-response/bin/firewall-drop.sh add -
10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015
/var/ossec/active-response/bin/host-deny.sh add -
10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015
/var/ossec/active-response/bin/host-deny.sh delete -
10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015
/var/ossec/active-response/bin/firewall-drop.sh delete -
10.212.134.200 1447127292.12356 31106

I don't know what the trigger is exactly, but I know it is due to my
browsing of huge data. Also, how do I overcome this issue? In my older
version I saw this error too:
ossec-execd: INFO: Active response command not present:
'/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
system.

This is my worry: on the new machine using 2.8.1 the app might get blocked
from accessing the data.

On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8,
Santiago Bassett wrote:

Are you running an agent or the manager? I don't
think OSSEC would block access to your mysql db.

On Mon, Nov 9, 2015 at 8:19 AM, frwa onto
 wrote:

Hi,
I have a CentOS server. I have managed to install ossec 2.8.1. It
mainly runs a socket programming app. For every instance of a connection
it will receive data and insert it into a mysql db. What I am worried
about is in what scenario it will block access to this local mysql db,
as I can see there are some rules for mysql? Sorry, I am very new to these.

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread dan (ddp)
On Mon, Nov 9, 2015 at 11:11 PM, frwa onto  wrote:
> Hi Santiago,
> I am just running as standalone, so it's not a manager or agent. On
> another machine, for instance, I am using the older ossec 2.7.1


2.7.1 is way too old to provide much support for.

> On that one I have tried, say, my phpmyadmin, and when I start browsing
> huge data ossec will block me, and only after some time can I log in. Here
> is the active response log as below.
>
> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> add - 10.212.134.200 1447127292.12356 31106

So rule 31106 is triggering the AR.
  
31103, 31104, 31105
^200
A web attack returned code 200 (success).
attack,
  

You'll have to go through 31103-31105 to try and get a more specific
understanding of what is triggering the alert.
(All of this is taken from a 2.8.3+ system, so details may be
different from 2.7.1)

> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add
> - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
> delete - 10.212.134.200 1447127292.12356 31106
> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> delete - 10.212.134.200 1447127292.12356 31106
>
> I don't know what the trigger is exactly, but I know it is due to my
> browsing of huge data. Also, how do I overcome this issue? In my older
> version I saw this error too:
> ossec-execd: INFO: Active response command not present:
> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
> system.
>
> This is my worry: on the new machine using 2.8.1 the app might get blocked
> from accessing the data.
>
> On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:
>>
>> Are you running an agent or the manager? I don't think OSSEC would block
>> access to your mysql db.
>>
>> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto  wrote:
>>>
>>> Hi,
>>> I have a CentOS server. I have managed to install ossec 2.8.1. It
>>> mainly runs a socket programming app. For every instance of a connection
>>> it will receive data and insert it into a mysql db. What I am worried
>>> about is in what scenario it will block access to this local mysql db,
>>> as I can see there are some rules for mysql? Sorry, I am very new to these.
>>>


Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread frwa onto
Hi All,
 Any solution to my issue with regards to mysql? I can't see which
rule is triggered to generate the active response. Or is it that active
response can't work in my scenario?

On Wed, Nov 11, 2015 at 9:31 AM, frwa onto  wrote:

> Hi Santiago,
>   This will just block the active response, right? But in my case, why
> is it that when I try to get huge data the active response comes into
> effect? I can't see which rule is fired to activate the active response.
> Is there any workaround that works together with the active response
> being active?
>
> On Wed, Nov 11, 2015 at 2:04 AM, Santiago Bassett <
> santiago.bass...@gmail.com> wrote:
>
>> You can find info here:
>>
>>
>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
>>
>>
>> If unsure I suggest to disable it at /var/ossec/etc/ossec.conf
>>
>>   
>>
>> yes
>>
>>   
>>
>> On Tue, Nov 10, 2015 at 1:22 AM, frwa onto  wrote:
>>
>>> Hi Ryan,
>>>  I am not too good at tuning my active response or rules.
>>> Any tips on how to go about it?
>>>
>>>
>>> On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze  wrote:
>>>
 Sounds like you may want to look into fine tuning your active response
 and/or rules.

 On 11/9/2015 10:11 PM, frwa onto wrote:

 Hi Santiago,
   I am just running as standalone, so it's not a manager or agent. On
 another machine, for instance, I am using the older ossec 2.7.1. On that
 one I have tried, say, my phpmyadmin, and when I start browsing huge data
 ossec will block me, and only after some time can I log in. Here is the
 active response log as below.

 Tue Nov 10 11:48:12 MYT 2015
 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200
 1447127292.12356 31106
 Tue Nov 10 11:48:12 MYT 2015
 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200
 1447127292.12356 31106
 Tue Nov 10 11:58:42 MYT 2015
 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200
 1447127292.12356 31106
 Tue Nov 10 11:58:42 MYT 2015
 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200
 1447127292.12356 31106

 I don't know what the trigger is exactly, but I know it is due to my
 browsing of huge data. Also, how do I overcome this issue? In my older
 version I saw this error too:
 ossec-execd: INFO: Active response command not present:
 '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
 system.

 This is my worry: on the new machine using 2.8.1 the app might get blocked
 from accessing the data.

 On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
 wrote:
>
> Are you running an agent or the manager? I don't think OSSEC would
> block access to your mysql db.
>
> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto  wrote:
>
>> Hi,
>> I have a CentOS server. I have managed to install ossec 2.8.1. It
>> mainly runs a socket programming app. For every instance of a connection
>> it will receive data and insert it into a mysql db. What I am worried
>> about is in what scenario it will block access to this local mysql db,
>> as I can see there are some rules for mysql? Sorry, I am very new to these.

Re: [ossec-list] ERROR: Timeout while connecting to host:

2015-11-12 Thread dan (ddp)
On Nov 12, 2015 10:35 AM, "Dimitris"  wrote:
>
> Hi Dan,
>
> Thanks for the reply. So, the only solution would be to remove the
> banner? For cases where we need the banner, is there a way for the script to
> ignore it and work?

You should be able to modify the script to get it to work. I don't know the
details though; it's been a while since I've looked at the scripts. I
usually use agents.

> --> Do you know the exact spot where the problem occurs, so I could modify
> the script or create a new one to run for the specific host?
> --> Or maybe, could we modify the banner somehow so that the script receives
> its input as commented out and ignores it?
>
> Any idea would be appreciated.
>
> Thanks again,
> Dimitris.
>


Re: [ossec-list] ERROR: Timeout while connecting to host:

2015-11-12 Thread Dimitris
Hi Dan,

Thanks for the reply. So, the only solution would be to remove the banner?
For cases where we need the banner, is there a way for the script to ignore it
and work?
--> Do you know the exact spot where the problem occurs, so I could modify
the script or create a new one to run for the specific host?
--> Or maybe, could we modify the banner somehow so that the script receives
its input as commented out and ignores it?

Any idea would be appreciated.

Thanks again,
Dimitris.



Re: [ossec-list] ERROR: Timeout while connecting to host:

2015-11-12 Thread dan (ddp)
On Thu, Nov 12, 2015 at 10:19 AM, Dimitris  wrote:
> Hello,
>
> Has this topic been resolved?
> I have the same problem running an agentless ossec scan on a server. I try to
> test it manually with the command:
>
> sudo -u ossec ./agentless/ssh_integrity_check_linux os...@172.xx.xx.xx /tmp
>
> and I get the following after 20 seconds:
> [...AFTER SHOWING DESTINATION SERVER BANNER...]
> ERROR: Timeout while connecting to host: os...@172.xx.xx.xx .
>
> It seems that ssh_integrity_check_linux calls main.exp, main.exp sets
> timeout 20 and times out somewhere after that...
> ===
> ...
> set use_sudo " "
> set addpass "x"
> set timeout 20
> ...
>
> ==
>
> And then reads ssh.exp and sends the message:
>
> }
> timeout {
> send_user "\nERROR: Timeout while connecting to host: $hostname .
> \n"
> exit 1;
> }
> ===
>
> ossec.conf relevant entry:
> <agentless>
>   <type>ssh_integrity_check_linux</type>
>   <frequency>86400</frequency>
>   <host>os...@172.xx.xx.xx</host>
>   <state>periodic</state>
>   <arguments>/bin /etc /sbin</arguments>
> </agentless>
> ==
>
> Is it possible that the login banner used on the Red Hat target server feeds
> expect with some argument not expected?
> Any suggestions?
>

Yes, that is most likely what is happening.


> Thank you in advance,
> Dimitris.
>



Re: [ossec-list] ERROR: Timeout while connecting to host:

2015-11-12 Thread Dimitris
Hello,

Has this topic been resolved?
I have the same problem running agentless ossec scan on a server. I try to 
test it manually with the command:

sudo -u ossec ./agentless/ssh_integrity_check_linux os...@172.xx.xx.xx /tmp

and I get the following after 20 seconds:
[...AFTER SHOWING DESTINATION SERVER BANNER...]
ERROR: Timeout while connecting to host: os...@172.xx.xx.xx .

It seems that ssh_integrity_check_linux calls main.exp, main.exp sets 
timeout 20 and times out somewhere after that... 
===
...
set use_sudo " "
set addpass "x"
set timeout 20
...

==

And then reads ssh.exp and sends the message:

}
timeout {
send_user "\nERROR: Timeout while connecting to host: $hostname . 
\n"
exit 1;
}
===

ossec.conf relevant entry:

  ssh_integrity_check_linux
  86400
  os...@172.xx.xx.xx
  periodic
  /bin /etc /sbin

  
==  

Is it possible that the login banner used on the Red Hat target server 
feeds expect with some argument not expected?  
Any suggestions?

Thank you in advance,
Dimitris.



[ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-12 Thread Daniel Bray
I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)

I've updated /var/ossec/rules/local_rules.xml with the following rule:

  
1002
testserver1|testserver2
mip
HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP
segment frame
Ignore MIP Alerts
  


I've tested the rule with:
ossec-testrule: Type one log per line.

Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay
protection check failed


**Phase 1: Completed pre-decoding.
   full event: 'Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING
  : 2 : Replay protection check failed '
   hostname: 'testserver1'
   program_name: 'mip'
   log: ' : HAEngine : WARNING   : 2 : Replay protection check
failed '

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '17'
   Level: '0'
   Description: 'Ignore MIP Alerts'



I've restarted everything, but the servers are still generating alerts:

OSSEC HIDS Notification.
2015 Nov 12 14:58:37

Received From: (testserver1)
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Nov 12 14:58:36 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay
protection check failed

 --END OF NOTIFICATION



Can anybody shed some light on what's going on, or what I should try next?

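A small helper for checking this kind of mismatch, added here as an example and not part of the thread or of OSSEC itself: it parses the Phase 3 verdict that ossec-logtest prints, parses the "Rule: N fired (level L)" line of a notification, and reports whether the two agree. The sample strings are constructed from the output quoted above; the path /var/ossec/bin/ossec-logtest is assumed and only used if the binary is present.

```python
"""Compare the ossec-logtest verdict for a log line with the alert that was actually sent."""
import re
import shutil
import subprocess

RULE_RE = re.compile(r"Rule id: '(\d+)'")
LEVEL_RE = re.compile(r"Level: '(\d+)'")
FIRED_RE = re.compile(r"Rule: (\d+) fired \(level (\d+)\)")

# Constructed samples, taken from the message above.
LOGTEST_OUTPUT = """**Phase 3: Completed filtering (rules).
   Rule id: '17'
   Level: '0'
   Description: 'Ignore MIP Alerts'
"""
NOTIFICATION = """Received From: (testserver1)
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
"""


def parse_logtest(output):
    """Return (rule_id, level) from the Phase 3 block, or None if no rule was reported."""
    parts = output.split("**Phase 3:", 1)
    if len(parts) < 2:
        return None
    rid = RULE_RE.search(parts[1])
    lvl = LEVEL_RE.search(parts[1])
    if not (rid and lvl):
        return None
    return int(rid.group(1)), int(lvl.group(1))


def parse_alert(notification):
    """Return (rule_id, level) from an OSSEC e-mail notification, or None."""
    m = FIRED_RE.search(notification)
    return (int(m.group(1)), int(m.group(2))) if m else None


def verdicts_agree(logtest_output, notification):
    """True when logtest and the delivered alert name the same rule and level."""
    return parse_logtest(logtest_output) == parse_alert(notification)


def run_logtest(log_line, binary="/var/ossec/bin/ossec-logtest"):
    """Feed one line to ossec-logtest (assumed path) and parse its verdict; None if absent."""
    if shutil.which(binary) is None:
        return None
    proc = subprocess.run([binary], input=log_line + "\n", capture_output=True, text=True)
    return parse_logtest(proc.stdout + proc.stderr)
```

With the sample above the function reports disagreement: logtest says rule 17 at level 0, the notification says rule 1002 at level 2, which is the situation the post describes.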