Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-13 Thread Régis Houssin
Hi,

it's ok !! :-)
thank you very much


On 13/11/2015 03:20, Santiago Bassett wrote:
> Just uploaded the new packages. The issues should be fixed now.
>
> On Mon, Nov 9, 2015 at 5:04 PM, Santiago Bassett
> > wrote:
>
> Thank you Regis for the feedback. Really appreciate it.
>
> Will work on those issues and generate new packages as soon as I
> can, most likely sometime in the next couple of days. 
>

Regards,
-- 
Régis Houssin
-
iNodbox (Cap-Networks)
5, rue Corneille
01000 BOURG EN BRESSE
FRANCE
VoIP: +33 1 83 62 40 03
GSM: +33 6 33 02 07 97
Email: regis.hous...@inodbox.com

Web: https://www.inodbox.com/
Development: https://git.framasoft.org/u/inodbox/
Translation: https://www.transifex.com/inodbox/
-

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 10:44 AM, Daniel Bray  wrote:
> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>>>
>>>  I'm waiting to see if it generates an alert.
>>
>>
>
>
> Nope, issue remains. Very confusing.
>

I think if you start ossec-analysisd in debug mode it outputs the rule
IDs it loads. Is 15 in there?

I've put the rule in /var/ossec/rules/local_rules.xml and changed the
hostnames to match my systems. Then running `echo '  : HAEngine :
WARNING   : 2 : Replay protection check failed' | logger -t mip`
gives me the log in question in /var/log/messages.
And here are the results:
** Alert 1447429935.7071: - local,syslog,
2015 Nov 13 10:52:15 arrakis->/var/log/messages
Rule: 15 (level 4) -> 'Ignore MIP Alerts'
Nov 13 10:52:14 arrakis mip:   : HAEngine : WARNING   : 2 : Replay protection check failed

So it works (I changed the level so it shows up) with more than just
ossec-logtest.





Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
Sorry about that, it is just a simple typo. I didn't want to copy the
actual rule, as it had some semi-private information in it.  I copied and
pasted my actual rule 15 to a test rule 17, so please just ignore
that.  Here is the actual updated test rule I'm trying:

  <rule id="17" level="0">
    <if_sid>1002</if_sid>
    <hostname>testserver</hostname>
    <program_name>mip</program_name>
    <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
    <description>Ignore MIP Alerts</description>
  </rule>

Here is the current log entry I'm testing:
Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   : 2 : Replay
protection check failed

And here is the current results:
**Phase 1: Completed pre-decoding.
   full event: 'Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING
: 2 : Replay protection check failed'
   hostname: 'testserver'
   program_name: 'mip'
   log: ' : HAEngine : WARNING   : 2 : Replay protection check
failed'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '17'
   Level: '0'
   Description: 'Ignore MIP Alerts'


However, the email alerts are still coming in. I'm trying to start some of
this up in debug mode, so I can gather further information.




On Fri, Nov 13, 2015 at 11:27 AM, dan (ddp)  wrote:

> On Fri, Nov 13, 2015 at 11:16 AM, Pedro S.  wrote:
> > My confusion was the rule he wrote here has SID 15 and the logtest
> > result has SID 17, sorry about that.
> >
>
> You're right, I totally missed that. Now I'm wondering what 17 is.
>
> > Still i'll try to create a generic rule to make sure OSSEC is loading new
> > rules.
> >
> > Anyways if Dan already has tested it, the rule is working, it should be
> your
> > OSSEC is not loading the rule properly.
> >
> >
> > On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd)
> wrote:
> >>
> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S.  wrote:
> >> > Hi Daniel,
> >> >
> >> > The alerts you changed to level 0 it isn't the same that you write
> some
> >> > lines before, isn't it?
> >> > You turn to 0 rule SID 15 but the alert you show us has SID 1002.
> >> >
> >>
> >> The log message used in the ossec-logtest example matches the log
> >> message that is in the alert. The problem is that ossec-logtest shows
> >> that the log message should match rule 15, but ossec-analysisd is
> >> matching the log message to 1002.
> >>
> >>
> >> > For testing purposes try to deactivate (change to level 0) rule 1002
> and
> >> > check if it is still generating these alerts.
> >> >
> >>
> >> Don't do this. There's no reason to change that to 0. Even for
> >> testing. I've been using OSSEC for a little while now, and I don't
> >> think that would have ever helped with anything.
> >>
> >> >
> >> >
> >> >
> >> >
> >> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray
> >> > wrote:
> >> >>
> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
> >> 
> >>   I'm waiting to see if it generates an alert.
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >> Nope, issue remains. Very confusing.
> >> >



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
Yes, all my local rules are under the <group name="..."> and yes,
I made sure to stop and restart everything.

On Thursday, November 12, 2015 at 8:37:35 PM UTC-5, Santiago Bassett wrote:
>
> Hi Daniel,
>
> not sure if that matters but is your local rule in the same <group name="syslog,errors,">, as rule 1002 is? You sure you restarted the manager
> right?
>
> Best
>
> On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray wrote:
>
>> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>>
>> I've updated /var/ossec/rules/local_rules.xml with the following rule:
>>
>>   <rule id="15" level="0">
>>     <if_sid>1002</if_sid>
>>     <hostname>testserver1|testserver2</hostname>
>>     <program_name>mip</program_name>
>>     <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
>>     <description>Ignore MIP Alerts</description>
>>   </rule>
>>
>>
>> I've tested the rule with:
>> ossec-testrule: Type one log per line.
>>
>> Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay 
>> protection check failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: 'Nov 12 13:48:50 testserver1 mip:  : HAEngine : 
>> WARNING   : 2 : Replay protection check failed '
>>hostname: 'testserver1'
>>program_name: 'mip'
>>log: ' : HAEngine : WARNING   : 2 : Replay protection check 
>> failed '
>>
>> **Phase 2: Completed decoding.
>>No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '17'
>>Level: '0'
>>Description: 'Ignore MIP Alerts'
>>
>>
>>
>> I've restarted everything, but the servers are still generating alerts:
>>
>> OSSEC HIDS Notification.
>> 2015 Nov 12 14:58:37
>>
>> Received From: (testserver1)
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Nov 12 14:58:36 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay 
>> protection check failed
>>
>>  --END OF NOTIFICATION
>>
>>
>>
>> Can anybody shed some light on what's going on, or what I should try next?
>>



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>
>  I'm waiting to see if it generates an alert.
>>
>
>

Nope, issue remains. Very confusing.  



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
Hi Daniel,

The alert you changed to level 0 isn't the same one that you wrote some
lines before, is it?
You turned rule SID 15 to 0, but the alert you show us has SID 1002.

For testing purposes try to deactivate (change to level 0) rule 1002 and 
check if it is still generating these alerts.





On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray wrote:
>
> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>>
>>  I'm waiting to see if it generates an alert.
>>>
>>
>>
>
> Nope, issue remains. Very confusing.  
>



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 11:40 AM, Daniel Bray  wrote:
> Sorry about that, it is just a simple typo. I didn't want to copy the
> actual rule, as it had some semi-private information in it.  I copied and
> pasted my actual rule 15 to a test rule 17, so please just ignore
> that.  Here is the actual updated test rule I'm trying:
>
>   <rule id="17" level="0">
>     <if_sid>1002</if_sid>
>     <hostname>testserver</hostname>
>     <program_name>mip</program_name>
>     <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
>     <description>Ignore MIP Alerts</description>
>   </rule>
>
> Here is the current log entry I'm testing:
> Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   : 2 : Replay
> protection check failed
>
> And here is the current results:
> **Phase 1: Completed pre-decoding.
>full event: 'Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING
> : 2 : Replay protection check failed'
>hostname: 'testserver'
>program_name: 'mip'
>log: ' : HAEngine : WARNING   : 2 : Replay protection check
> failed'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '17'
>Level: '0'
>Description: 'Ignore MIP Alerts'
>
>
> However, the email alerts are still coming in. I'm trying to start some of
> this up in debug mode, so I can gather further information.
>

Ok, this information is working for me as well. I have tested it on a
local install and an agent/server install (changing the hostname as
appropriate).

Is the agent name testserver? Do the hostname of the system and the
agent name match?

>
>
>
> On Fri, Nov 13, 2015 at 11:27 AM, dan (ddp)  wrote:
>>
>> On Fri, Nov 13, 2015 at 11:16 AM, Pedro S.  wrote:
>> > My confusion was the rule he wrote here has SID 15 and the logtest
>> > result has SID 17, sorry about that.
>> >
>>
>> You're right, I totally missed that. Now I'm wondering what 17 is.
>>
>> > Still i'll try to create a generic rule to make sure OSSEC is loading
>> > new
>> > rules.
>> >
>> > Anyways if Dan already has tested it, the rule is working, it should be
>> > your
>> > OSSEC is not loading the rule properly.
>> >
>> >
>> > On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd)
>> > wrote:
>> >>
>> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S.  wrote:
>> >> > Hi Daniel,
>> >> >
>> >> > The alerts you changed to level 0 it isn't the same that you write
>> >> > some
>> >> > lines before, isn't it?
>> >> > You turn to 0 rule SID 15 but the alert you show us has SID 1002.
>> >> >
>> >>
>> >> The log message used in the ossec-logtest example matches the log
>> >> message that is in the alert. The problem is that ossec-logtest shows
>> >> that the log message should match rule 15, but ossec-analysisd is
>> >> matching the log message to 1002.
>> >>
>> >>
>> >> > For testing purposes try to deactivate (change to level 0) rule 1002
>> >> > and
>> >> > check if it is still generating these alerts.
>> >> >
>> >>
>> >> Don't do this. There's no reason to change that to 0. Even for
>> >> testing. I've been using OSSEC for a little while now, and I don't
>> >> think that would have ever helped with anything.
>> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray
>> >> > wrote:
>> >> >>
>> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray
>> >> >> wrote:
>> >> 
>> >>   I'm waiting to see if it generates an alert.
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >> Nope, issue remains. Very confusing.
>> >> >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro Sánchez de Castro
I'm wondering... maybe you can activate the archives log (logall option) and
check if the alert is working; I mean, if the alert shows up in the archives we
will know that the issue is mail related and not about rule decoding.



2015-11-13 8:40 GMT-08:00 Daniel Bray :

> Sorry about that, it is just a simple typo. I didn't want to copy
> the actual rule, as it had some semi-private information in it.  I copied
> and pasted my actual rule 15 to a test rule 17, so please just
> ignore that.  Here is the actual updated test rule I'm trying:
>
>   <rule id="17" level="0">
>     <if_sid>1002</if_sid>
>     <hostname>testserver</hostname>
>     <program_name>mip</program_name>
>     <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
>     <description>Ignore MIP Alerts</description>
>   </rule>
>
> Here is the current log entry I'm testing:
> Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   : 2 : Replay
> protection check failed
>
> And here is the current results:
> **Phase 1: Completed pre-decoding.
>full event: 'Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING
>   : 2 : Replay protection check failed'
>hostname: 'testserver'
>program_name: 'mip'
>log: ' : HAEngine : WARNING   : 2 : Replay protection check
> failed'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '17'
>Level: '0'
>Description: 'Ignore MIP Alerts'
>
>
> However, the email alerts are still coming in. I'm trying to start some of
> this up in debug mode, so I can gather further information.
>
>
>
>
> On Fri, Nov 13, 2015 at 11:27 AM, dan (ddp)  wrote:
>
>> On Fri, Nov 13, 2015 at 11:16 AM, Pedro S.  wrote:
>> > My confusion was the rule he wrote here has SID 15 and the logtest
>> > result has SID 17, sorry about that.
>> >
>>
>> You're right, I totally missed that. Now I'm wondering what 17 is.
>>
>> > Still i'll try to create a generic rule to make sure OSSEC is loading
>> new
>> > rules.
>> >
>> > Anyways if Dan already has tested it, the rule is working, it should be
>> your
>> > OSSEC is not loading the rule properly.
>> >
>> >
>> > On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd)
>> wrote:
>> >>
>> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S.  wrote:
>> >> > Hi Daniel,
>> >> >
>> >> > The alerts you changed to level 0 it isn't the same that you write
>> some
>> >> > lines before, isn't it?
>> >> > You turn to 0 rule SID 15 but the alert you show us has SID 1002.
>> >> >
>> >>
>> >> The log message used in the ossec-logtest example matches the log
>> >> message that is in the alert. The problem is that ossec-logtest shows
>> >> that the log message should match rule 15, but ossec-analysisd is
>> >> matching the log message to 1002.
>> >>
>> >>
>> >> > For testing purposes try to deactivate (change to level 0) rule 1002
>> and
>> >> > check if it is still generating these alerts.
>> >> >
>> >>
>> >> Don't do this. There's no reason to change that to 0. Even for
>> >> testing. I've been using OSSEC for a little while now, and I don't
>> >> think that would have ever helped with anything.
>> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray
>> >> > wrote:
>> >> >>
>> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray
>> wrote:
>> >> 
>> >>   I'm waiting to see if it generates an alert.
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >> Nope, issue remains. Very confusing.
>> >> >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 11:16 AM, Pedro S.  wrote:
> My confusion was the rule he wrote here has SID 15 and the logtest
> result has SID 17, sorry about that.
>

You're right, I totally missed that. Now I'm wondering what 17 is.

> Still i'll try to create a generic rule to make sure OSSEC is loading new
> rules.
>
> Anyways if Dan already has tested it, the rule is working, it should be your
> OSSEC is not loading the rule properly.
>
>
> On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd) wrote:
>>
>> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S.  wrote:
>> > Hi Daniel,
>> >
>> > The alerts you changed to level 0 it isn't the same that you write some
>> > lines before, isn't it?
>> > You turn to 0 rule SID 15 but the alert you show us has SID 1002.
>> >
>>
>> The log message used in the ossec-logtest example matches the log
>> message that is in the alert. The problem is that ossec-logtest shows
>> that the log message should match rule 15, but ossec-analysisd is
>> matching the log message to 1002.
>>
>>
>> > For testing purposes try to deactivate (change to level 0) rule 1002 and
>> > check if it is still generating these alerts.
>> >
>>
>> Don't do this. There's no reason to change that to 0. Even for
>> testing. I've been using OSSEC for a little while now, and I don't
>> think that would have ever helped with anything.
>>
>> >
>> >
>> >
>> >
>> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray
>> > wrote:
>> >>
>> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>> 
>>   I'm waiting to see if it generates an alert.
>> >>>
>> >>>
>> >>
>> >>
>> >> Nope, issue remains. Very confusing.
>> >



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 8:51:45 AM UTC-5, dan (ddpbsd) wrote:
>
> Or are you sure the manager restarted? Most of the time when I've seen 
> this behavior on the list analysisd did not actually stop, so it 
> didn't pickup the new rules. Running `/var/ossec/bin/ossec-control 
> stop`, then verifying all of the processes are stopped is a prudent 
> course of action. 
>


Hmmm, not sure this would cause it, but this is what I saw:
sudo /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
ossec-execd not running ..
OSSEC HIDS v2.8 Stopped

sudo ps aux| grep ossec
ossecm    4828  0.0  0.0  10508   260 ?        SN   Nov10   0:00 /var/ossec/bin/ossec-maild

So, it stopped everything, except ossec-maild. I missed this the first 
time, because I specifically checked for analysisd instead of just "ossec". 
 So, I manually killed the ossec-maild process and started everything back. 
I'm waiting to see if it generates an alert.
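Scripting the check described above (stop, then look for any surviving OSSEC daemon rather than only analysisd), as an added example that is not code from the thread or from OSSEC itself. It assumes the stock /var/ossec/bin layout and the daemon list ossec-control prints; the ps lines it parses are constructed.

```shell
#!/bin/sh
# Added example: verify that `ossec-control stop` really stopped every daemon
# before starting again. A stale daemon keeps the old rule set, which is one
# way ossec-logtest and the live manager can disagree. Path is an assumption.

OSSEC_BIN="${OSSEC_BIN:-/var/ossec/bin}"
OSSEC_DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd
ossec-analysisd ossec-maild ossec-execd"

# leftover_daemons: read `ps aux` style output on stdin and print the name of
# every OSSEC daemon that still has a process, one per line.
leftover_daemons() {
    ps_out=$(cat)
    for d in $OSSEC_DAEMONS; do
        # Match the full binary path at the end of the COMMAND column; the
        # `grep ossec` process that lists them never matches this pattern.
        if printf '%s\n' "$ps_out" | grep -q "$OSSEC_BIN/$d\$"; then
            echo "$d"
        fi
    done
}

# stopped_cleanly: return 0 when nothing is left over; otherwise print the
# stragglers and return 1. Input is ps output on stdin.
stopped_cleanly() {
    left=$(leftover_daemons)
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# ossec_full_stop: the procedure recommended in the thread, scripted. Refuse
# to report success while any daemon is still running, so a wrapper does not
# go on to `ossec-control start` against a stale process.
ossec_full_stop() {
    "$OSSEC_BIN/ossec-control" stop
    sleep 2
    if ! ps aux | stopped_cleanly; then
        echo "OSSEC daemons still running after stop; kill them before starting" >&2
        return 1
    fi
}

# Constructed sample, modelled on the ps output in the message above: a
# stale ossec-maild plus the grep that listed it.
SAMPLE_PS='USER    PID %CPU %MEM   VSZ  RSS TTY   STAT START TIME COMMAND
ossecm 4828  0.0  0.0 10508  260 ?     SN   Nov10 0:00 /var/ossec/bin/ossec-maild
root   4900  0.0  0.0  4456  700 pts/0 S+   10:33 0:00 grep ossec'

# Demonstration on the constructed sample; does not touch a real install.
printf '%s\n' "$SAMPLE_PS" | stopped_cleanly || echo "stop was not clean" >&2
```

Run `ossec_full_stop` in place of a bare `ossec-control stop` on a real manager; the sample run above prints `ossec-maild` as the straggler.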



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
My confusion was the rule he wrote here has SID 15 and the logtest 
result has SID 17, sorry about that.

Still, I'll try to create a generic rule to make sure OSSEC is loading new
rules.

Anyway, if Dan has already tested it and the rule is working, it should be
that your OSSEC is not loading the rule properly.


On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd) wrote:
>
> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S.  
> wrote: 
> > Hi Daniel, 
> > 
> > The alerts you changed to level 0 it isn't the same that you write some 
> > lines before, isn't it? 
> > You turn to 0 rule SID 15 but the alert you show us has SID 1002. 
> > 
>
> The log message used in the ossec-logtest example matches the log 
> message that is in the alert. The problem is that ossec-logtest shows 
> that the log message should match rule 15, but ossec-analysisd is 
> matching the log message to 1002. 
>
>
> > For testing purposes try to deactivate (change to level 0) rule 1002 and 
> > check if it is still generating these alerts. 
> > 
>
> Don't do this. There's no reason to change that to 0. Even for 
> testing. I've been using OSSEC for a little while now, and I don't 
> think that would have ever helped with anything. 
>
> > 
> > 
> > 
> > 
> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray 
> wrote: 
> >> 
> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: 
>  
>   I'm waiting to see if it generates an alert. 
> >>> 
> >>> 
> >> 
> >> 
> >> Nope, issue remains. Very confusing. 
> > 



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote:
>
> Try setting the rule to level 2
>
>
>
Doing that results in:
**Phase 3: Completed filtering (rules).
   Rule id: '17'
   Level: '2'
   Description: 'Ignore MIP Alerts'
**Alert to be generated.
 



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 2:07 PM, Daniel Bray  wrote:
> On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote:
>>
>> Try setting the rule to level 2
>>
>>
>
> Doing that results in:
> **Phase 3: Completed filtering (rules).
>Rule id: '17'
>Level: '2'
>Description: 'Ignore MIP Alerts'
> **Alert to be generated.
>

I was hoping it would help with the production use, but since it was
working for me I guess that doesn't matter. I'm pretty much stumped at
the moment.




Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-13 Thread Santiago Bassett
Thanks to you for the feedback!

On Fri, Nov 13, 2015 at 12:28 AM, Régis Houssin 
wrote:

> Hi,
>
> it's ok !! :-)
> thank you very much
>
>
> On 13/11/2015 03:20, Santiago Bassett wrote:
>
> Just uploaded the new packages. The issues should be fixed now.
>
> On Mon, Nov 9, 2015 at 5:04 PM, Santiago Bassett <
> santiago.bass...@gmail.com> wrote:
>
>> Thank you Regis for the feedback. Really appreciate it.
>>
>> Will work on those issues and generate new packages as soon as I can,
>> most likely sometime in the next couple of days.
>>
>
> Regards,
> --
> Régis Houssin
> -
> iNodbox (Cap-Networks)
> 5, rue Corneille
> 01000 BOURG EN BRESSE
> FRANCE
> VoIP: +33 1 83 62 40 03
> GSM: +33 6 33 02 07 97
> Email: regis.hous...@inodbox.com
>
> Web: https://www.inodbox.com/
> Development: https://git.framasoft.org/u/inodbox/
> Translation: https://www.transifex.com/inodbox/
> -
>



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 2:20 PM, Daniel Bray  wrote:
> On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp)  wrote:
>>
>> I was hoping it would help with the production use, but since it was
>> working for me I guess that doesn't matter. I'm pretty much stumped at
>> the moment.
>
>
> I'm running this on CentOS 6 with ossec-hids-server-2.8.2-49.el6.art.x86_64
> (Atomic)
> I'm curious if it's an issue with the version I'm using.
>

I've never used the RPMs, and I don't have a centos box handy to try
them out at the moment.




Re: [ossec-list] Windows OSSEC Agent 2.8.3 – cannot install on Windows server 2012 R2

2015-11-13 Thread Jb Cheng
I downloaded the 2.8.3 Windows agent from http://www.ossec.net/?page_id=19 today
(https://bintray.com/artifact/download/ossec/ossec-hids/ossec-agent-win32-2.8.3.exe).
The EXE file size is 1,146 KB. The SHA256 checksum is:

feb135286ed19382cc479b7f035be5296360291900faf01338accad59f910e4a  ossec-agent-win32-2.8.3.exe

I installed it on my Win 7 and Win Server 2012 R2 boxes, and both
installations were successful.

On Monday, November 9, 2015 at 6:51:41 PM UTC-8, Santiago Bassett wrote:
>
> Looks like the Windows agent file in ossec.net is corrupted. The file is 
> only 207K, and Sha256 checksum doesn't match.
>
> We have a pre-compiled Windows agent at http://ossec.wazuh.com/windows/
>
> This one is 1.1MB and works fine for us.
>
> I'll reach Vic so he can upload a new one to ossec.net 
>
> Best regards,
>
> Santiago.
>
> On Mon, Nov 9, 2015 at 11:14 AM, Konrad W  > wrote:
>
>> Same issue here on Windows 7...package doesn't install...asking to 
>> specify the path and no go with the path either...
>>
>>
>> On Monday, November 9, 2015 at 11:24:58 AM UTC-5, SoulAuctioneer wrote:
>>>
>>> I get the feeling this never worked but that is just me. Also, I don't 
>>> think you have to put in a path if doing a silent install or anything and 
>>> it should just work.
>>>



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
Okay, try this:

Temporarily remove "alert_by_email" from rule 1002 in syslog_rules.xml.
Now add "alert_by_email" to your custom rule.
Restart OSSEC and generate the alert.

What I'm trying here is to stop OSSEC from sending the rule 1002 email; I think 
that the "alert_by_email" option forces OSSEC to send an email alert and stops 
it from continuing on to reach rule 17. Just guessing.


Btw, sorry for my English; as you would imagine, it is not my mother 
language.

On Friday, November 13, 2015, 11:20:47 (UTC-8), Daniel Bray wrote:
>
> On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp)  > wrote:
>
>> I was hoping it would help with the production use, but since it was
>> working for me I guess that doesn't matter. I'm pretty much stumped at
>> the moment.
>>
>
> I'm running this on CentOS 6 
> with ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic)
> I'm curious if it's an issue with the version I'm using. 
>



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp)  wrote:

> I was hoping it would help with the production use, but since it was
> working for me I guess that doesn't matter. I'm pretty much stumped at
> the moment.
>

I'm running this on CentOS 6 with ossec-hids-server-2.8.2-49.el6.art.x86_64
(Atomic)
I'm curious if it's an issue with the version I'm using.



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote:
>
> Ok, this information is working for me as well. I have tested it on a 
> local install and an agent/server install (changing the hostname as 
> appropriate). 
>
> Is the agent name testserver? Do the hostname of the system and the 
> agent name match? 
>


Yes, that all matches up. In fact, I've tried with multiple hostnames or 
just one hostname, and each time the logtest catches it as "Level: '0' - 
Description: 'Ignore MIP Alerts'" no matter what I throw at it, but the 
emails/alerts keep coming in as "Rule: 1002 fired (level 2)". 

I'm even waiting for the email to come in, grabbing the "Portion of the 
log(s):" from the email and pasting it into the logtest, and each time it 
comes up as "Level: '0' - Description: 'Ignore MIP Alerts'".



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Nov 13, 2015 1:49 PM, "Daniel Bray"  wrote:
>
> On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote:
>>
>> Ok, this information is working for me as well. I have tested it on a
>> local install and an agent/server install (changing the hostname as
>> appropriate).
>>
>> Is the agent name testserver? Do the hostname of the system and the
>> agent name match?
>
>
>
> Yes, that all matches up. In fact, I've tried with multiple hostnames or
> just one hostname, and each time the logtest catches it as "Level: '0' -
> Description: 'Ignore MIP Alerts'" no matter what I throw at it, but the
> emails/alerts keep coming in as "Rule: 1002 fired (level 2)".
>
> I'm even waiting for the email to come in, grabbing the "Portion of the
> log(s):" from the email and pasting it into the logtest, and each time it
> comes up as "Level: '0' - Description: 'Ignore MIP Alerts'".
>

Try setting the rule to level 2




Re: [ossec-list] Windows OSSEC Agent 2.8.3 – cannot install on Windows server 2012 R2

2015-11-13 Thread Santiago Bassett
Yes, I think it is ok now. This was fixed by Dan a few days ago.

We can close this issue.

On Fri, Nov 13, 2015 at 11:59 AM, Jb Cheng  wrote:

> I downloaded the 2.8.3 Windows agent from http://www.ossec.net/?page_id=19
> today
> (https://bintray.com/artifact/download/ossec/ossec-hids/ossec-agent-win32-2.8.3.exe).
> The EXE file size is 1,146 KB. The SHA256 checksum is:
>
> feb135286ed19382cc479b7f035be5296360291900faf01338accad59f910e4a  ossec-agent-win32-2.8.3.exe
>
> I installed it on my Win 7 and Win Server 2012 R2 boxes, and both
> installations were successful.
>
> On Monday, November 9, 2015 at 6:51:41 PM UTC-8, Santiago Bassett wrote:
>>
>> Looks like the Windows agent file in ossec.net is corrupted. The file is
>> only 207K, and Sha256 checksum doesn't match.
>>
>> We have a pre-compiled Windows agent at http://ossec.wazuh.com/windows/
>>
>> This one is 1.1MB and works fine for us.
>>
>> I'll reach Vic so he can upload a new one to ossec.net
>>
>> Best regards,
>>
>> Santiago.
>>
>> On Mon, Nov 9, 2015 at 11:14 AM, Konrad W  wrote:
>>
>>> Same issue here on Windows 7...package doesn't install...asking to
>>> specify the path and no go with the path either...
>>>
>>>
>>> On Monday, November 9, 2015 at 11:24:58 AM UTC-5, SoulAuctioneer wrote:

 I get the feeling this never worked but that is just me. Also, I don't
 think you have to put in a path if doing a silent install or anything and
 it should just work.




[ossec-list] Re: Windows OSSEC Agent 2.8.3 – cannot install on Windows server 2012 R2

2015-11-13 Thread Mellisa
I have been experiencing the same issue with the agent failing after upgrading 
from 2.4.X to 2.8.3: the agent will not connect to the server. I have the 
server running on CentOS 7 and I have checked my log and I see no error. I 
will attempt this again in the coming week with the newly implies agent 
and see if I have better luck.

If anyone has any ideas, please feel free to make a suggestion.

On Monday, November 9, 2015 at 10:06:40 AM UTC-5, Andrei Duca wrote:
>
> Hi guys,
>
> I downloaded the OSSEC agent 2.8.3 for Windows and when I run it nothing
> happens.
>
> From cmd it asks for a path as parameter and when one is added I get the
> following errors:
>
> C:\ossec-agent-win32-2.8.3.exe C:\Ossec
>
> [SC] OpenService FAILED 1060:
>
> The specified service does not exist as an installed service.
>
> 2015/11/10 00:43:12 setup-windows: INFO: System is Vista or newer (Microsoft Windows Server 2008 R2 Datacenter Edition (full) Service Pack 1 (Build 7601) - OSSEC HIDS v2.8.3).
> The system cannot find the file specified.
> The system cannot find the file specified.
> The system cannot find the file specified.
> The system cannot find the file specified.
> The system cannot find the file specified.
> Are you sure (Y/N)?processed file: C:\Tools\Ossec\ossec.log
> The system cannot find the file specified.
> The system cannot find the file specified.
> The system cannot find the file specified.
> The system cannot find the file specified.
> The system cannot find the file specified.
>
> Is the compiled version for Windows broken or am I doing something wrong?
>
> Thanks for your help.
>
> Andrei
>



Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-13 Thread frwa onto
Hi Dan,
   Regarding this:

"Unless you removed the files in /var/ossec/rules, that rule should be
there. It should be in the web_rules.xml file."

No, I did not remove anything. The 2.8.1 is installed on a new machine, in fact.


"You should download the source (if you installed via source) and run
the install.sh script. It should detect your current installation and
offer to upgrade. NOTE: It will overwrite the rules files (except
local_rules.xml or any you've added), as well as decoder.xml (but not
local_decoder.xml)."

In my case I just downloaded these two
files, ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm
and ossec-hids-2.8.1-48.el6.art.x86_64.rpm, from the atomicorp site and just ran
the yum command on them and it installed ossec. So now on my old machine, what
is the correct method to replace the older 2.7.1 with 2.8.1? Should I retain
it and just copy the rules folder from 2.8.1 into 2.7.1? Please advise, I
might be doing it wrong.

On Fri, Nov 13, 2015 at 9:38 PM, dan (ddp)  wrote:

> On Thu, Nov 12, 2015 at 11:20 PM, frwa onto  wrote:
> > Hi Dan,
> > Yes, you are right, the 31106 rule does not exist even in my
> > current 2.8.1. In my 2.8.1 I see the rules are starting with 50100 and is
> > there any specific reason why the older rules have been removed.  I guess
>
> Unless you removed the files in /var/ossec/rules, that rule should be
> there. It should be in the web_rules.xml file.
>
> > that I should upgrade the older machine with the new 2.8.1 ? Just for
> > knowledge sake must I always uninstall and install a new version of
> Ossec or
>
> You should download the source (if you installed via source) and run
> the install.sh script. It should detect your current installation and
> offer to upgrade. NOTE: It will overwrite the rules files (except
> local_rules.xml or any you've added), as well as decoder.xml (but not
> local_decoder.xml).
>
> > just replace the rules xml file?  Also why in the 2.7.1. when the AR is
> > activated I dont see which rules is trigger in ossec log file itself?
> >
>
> The ossec.log does not log this information.
>
> > On Fri, Nov 13, 2015 at 1:05 AM, dan (ddp)  wrote:
> >>
> >> On Mon, Nov 9, 2015 at 11:11 PM, frwa onto  wrote:
> >> > Hi Santiago,
> >> >I am just running as standalone so its not a
> manager
> >> > or
> >> > agent. I have another machine for instance I am using the older ossec
> >> > 2.7.1
> >>
> >>
> >> 2.7.1 is way too old to provide much support for.
> >>
> >> > in that one I have tried say I got my phpymadmin and when I start
> >> > browsing
> >> > huge data ossec will block me an only after some time I can login here
> >> > is
> >> > the active response log as below.
> >> >
> >> > Tue Nov 10 11:48:12 MYT 2015
> >> > /var/ossec/active-response/bin/firewall-drop.sh
> >> > add - 10.212.134.200 1447127292.12356 31106
> >>
> >> So rule 31106 is triggering the AR.
> >>   <rule id="31106" level="6">
> >>     <if_sid>31103, 31104, 31105</if_sid>
> >>     <id>^200</id>
> >>     <description>A web attack returned code 200 (success).</description>
> >>     <group>attack,</group>
> >>   </rule>
> >>
> >> You'll have to go through 31103-31105 to try and get a more specific
> >> understanding of what is triggering the alert.
> >> (All of this is taken from a 2.8.3+ system, so details may be
> >> different from 2.7.1)
> >>
> >> > Tue Nov 10 11:48:12 MYT 2015
> /var/ossec/active-response/bin/host-deny.sh
> >> > add
> >> > - 10.212.134.200 1447127292.12356 31106
> >> > Tue Nov 10 11:58:42 MYT 2015
> /var/ossec/active-response/bin/host-deny.sh
> >> > delete - 10.212.134.200 1447127292.12356 31106
> >> > Tue Nov 10 11:58:42 MYT 2015
> >> > /var/ossec/active-response/bin/firewall-drop.sh
> >> > delete - 10.212.134.200 1447127292.12356 31106
> >> >
> >> > I dont know what trigger is exactly but I know due to my browsing of
> >> > huge
> >> > data and also how to overcome this issue? In my older version I saw
> this
> >> > error too
> >> > ossec-execd: INFO: Active response command not present:
> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on
> this
> >> > system.
> >> >
> >> > This is my worry on the new machine using 2.8.1 the app might get
> block
> >> > from
> >> > accessing the data.
> >> >
> >> > On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
> >> > wrote:
> >> >>
> >> >> Are you running an agent or the manager? I don't think OSSEC would
> >> >> block
> >> >> access to your mysql db.
> >> >>
> >> >> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto  wrote:
> >> >>>
> >> >>> Hi,
> >> >>> I have centos server. I have managed to install ossec 2.8.1. It
> >> >>> mainly runs a socket programming app. For every instance of a
> >> >>> connection it
> >> >>> will receive data and insert into mysql db. What I worried in what
> >> >>> scenario
> >> >>> will it block the access to this local mysql db as I can see there
> >> >>> some
> >> >>> rules for mysql? Sorry very new to these.
> >> >>>

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Thu, Nov 12, 2015 at 8:37 PM, Santiago Bassett
 wrote:
> Hi Daniel,
>
> not sure if that matters, but is your local rule in the same <group name="syslog,errors,">
> as rule 1002 is? You sure you restarted the manager
> right?
>

Or are you sure the manager restarted? Most of the time when I've seen
this behavior on the list analysisd did not actually stop, so it
didn't pick up the new rules. Running `/var/ossec/bin/ossec-control
stop`, then verifying all of the processes are stopped is a prudent
course of action.

> Best
>
> On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray  wrote:
>>
>> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>>
>> I've updated /var/ossec/rules/local_rules.xml with the following rule:
>>
>>   <rule id="17" level="0">
>>     <if_sid>1002</if_sid>
>>     <hostname>testserver1|testserver2</hostname>
>>     <program_name>mip</program_name>
>>     <match>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP
>> segment frame</match>
>>     <description>Ignore MIP Alerts</description>
>>   </rule>
>>
>>
>> I've tested the rule with:
>> ossec-testrule: Type one log per line.
>>
>> Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay
>> protection check failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: 'Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING
>> : 2 : Replay protection check failed '
>>hostname: 'testserver1'
>>program_name: 'mip'
>>log: ' : HAEngine : WARNING   : 2 : Replay protection check
>> failed '
>>
>> **Phase 2: Completed decoding.
>>No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '17'
>>Level: '0'
>>Description: 'Ignore MIP Alerts'
>>
>>
>>
>> I've restarted everything, but the servers are still generating alerts:
>>
>> OSSEC HIDS Notification.
>> 2015 Nov 12 14:58:37
>>
>> Received From: (testserver1)
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Nov 12 14:58:36 testserver1 mip:  : HAEngine : WARNING   : 2 : Replay
>> protection check failed
>>
>>  --END OF NOTIFICATION
>>
>>
>>
>> Can anybody shed some light on what's going on, or what I should try next?
>>



Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 12:00 AM, frwa onto  wrote:
> Hi Ryan,
> I can see something like this in my ossec /var/ossec/logs/alerts
> alerts.log .
>
> ** Alert 1447389519.1118: mail  - web,accesslog,attack,
> 2015 Nov 13 12:38:39 ->/var/log/httpd/access_log
> Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
> Src IP: 10.212.*
> 10.212.*** - - [13/Nov/2015:12:37:49 +0800] "POST
> /*/.php?..."
>
>
> In my active-responses.log I can see this.
>
> Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add
> - 10.212.*1447389519.1118 31106
> Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> add - 10.212.** 1447389519.1118 31106
>
>
> So the only way to relate both the logs is it via the rule number 31106? So

Yes, you should match up the rule id, the source ip, and the
timestamps (there will probably be a few seconds difference in the
TS).

> this rule also relate to post activity ?
>

No clue. Let's look:
  <rule id="31106" level="6">
    <if_sid>31103, 31104, 31105</if_sid>
    <id>^200</id>
    <description>A web attack returned code 200 (success).</description>
    <group>attack,</group>
  </rule>

So this rule requires a 200 response from the webserver, and traffic
that triggers 31103, 31104, or 31105. What do those rules look for?
Let's find out:
  <rule id="31103" level="6">
    <if_sid>31100,31108</if_sid>
    <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
    <url>union+|where+|null,null|xp_cmdshell</url>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,</group>
  </rule>

So this rule is looking for something sql related, hoping to catch
sqli. Does that apply to the POST you see (it's obfuscated beyond my
ability to decode)?

If not, let's try 31104:
  <rule id="31104" level="6">
    <if_sid>31100</if_sid>
    <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>
    <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|</url>
    <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
    <url>exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C</url>
    <description>Common web attack.</description>
    <group>attack,</group>
  </rule>

Ok, so directory traversal. It's an oldie, but a goodie. Again, the
log sample you posted is too obfuscated for me to be able to tell if
this applies. But you should be able to see if those patterns in the
<url> options are in the POST.

Since it's still not clear, we'll peek at 31105:
  <rule id="31105" level="6">
    <if_sid>31100</if_sid>
    <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
    <url>%20ONLOAD=|INPUT%20|iframe%20</url>
    <description>XSS (Cross Site Scripting) attempt.</description>
    <group>attack,</group>
  </rule>

Ooooh, XSS. Fun stuff. You can look at the <url> options to see if
those apply to your POST.

If none of these apply, we'll need to see the actual log message to
determine what's going on (you can even send it off list to me, but
make sure you tell me that's what you're doing at the beginning of the
email so I don't get too confused.).

Once you've determined why these rules are firing, you can start to
tune your rules to allow this behavior (if it's not malicious).


>
>
> On Fri, Nov 13, 2015 at 1:09 AM, Ryan Schulze  wrote:
>>
>> That depends on how you set up your active response. IIRC the default is
>> to trigger for any rule 7 or higher. So just check which rules level 7 or
>> higher were triggered by you (e.g. by checking the alert logs or your
>> emails).
>>
>> Since you mentioned phpmyadmin I'd guess maybe one of the SQL injection
>> rules if phpmyadmin transfers certain requests as a GET (making it show up
>> in the webserver logs).
>>
>>
>> On 11/10/2015 7:31 PM, frwa onto wrote:
>>
>> Hi Santiago,
>>   This will just block the active response right. But in
>> my case why is it that when I try to get huge data the active response comes
>> into effect. I cant see which rule is fired to activate the active response?
>> Is there any work around together with the active response being active?
>>
>> On Wed, Nov 11, 2015 at 2:04 AM, Santiago Bassett
>>  wrote:
>>>
>>> You can find info here:
>>>
>>>
>>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
>>>
>>>
>>> If unsure I suggest to disable it at /var/ossec/etc/ossec.conf
>>>
>>>   <active-response>
>>>     <disabled>yes</disabled>
>>>   </active-response>
>>>
>>>
>>> On Tue, Nov 10, 2015 at 1:22 AM, frwa onto  wrote:

 Hi Ryan,
  I am not too good in tuning up my active response or rules.
 Any tips on how to go about it?


 On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze  wrote:
>
> Sounds like you may want to look into fine tuning your active response
> and/or rules.
>
> On 11/9/2015 10:11 PM, frwa onto wrote:
>
> Hi Santiago,
>I am just running as standalone so its not a manager
> or agent. I have another machine for instance I am using the older ossec
> 2.7.1 in that one I have tried say I got my phpymadmin and when I start
> browsing huge data ossec will block me an only after some time I can login
> here is the active response log as below.
>
> Tue Nov 10 11:48:12 MYT 2015
> 
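
Both rule chains dissected in this thread (the local "Ignore MIP Alerts" rule 17 hanging off rule 1002, and the web chain 31100 -> 31103/31104/31105 -> 31106) turn on the same OSSEC mechanic: a rule with `<if_sid>` is only tried after its parent matched, and the deepest matching rule decides the level. The toy evaluator below is an added example, not OSSEC's code; it carries the rules quoted above as data and runs constructed log lines through them. Assumptions: rule 1002 is stood in for by a short constructed word list, rule 31100 is modelled as "any line the access-log decoder accepts", the decoders are minimal stand-ins, and pattern matching is a simplified translation of OSSEC match syntax (only `^`, `|` and `\.*` are treated as special) to Python regular expressions.

```python
"""Toy evaluator for the OSSEC-style rule chains quoted in this thread.

Added example, not OSSEC's own code. Assumptions: rule 1002 is stood in
for by a short constructed word list, rule 31100 is modelled as "any line
the access-log decoder accepts", and pattern matching is a simplified
translation of OSSEC match syntax (only ^, | and \\.* are special) to
Python regular expressions. The decoders are minimal stand-ins as well.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def compile_pattern(pat: str) -> "re.Pattern[str]":
    """'|' separates alternatives, a leading '^' anchors, '\\.*' means
    'anything', and every other character is literal (so 'select+' is the
    text select+, not 'selec' followed by one or more t)."""
    alts = []
    for alt in pat.split("|"):
        anchored = alt.startswith("^")
        body = ".*".join(re.escape(p) for p in alt.lstrip("^").split("\\.*"))
        alts.append(("^" if anchored else "") + body)
    return re.compile("|".join(f"(?:{a})" for a in alts))


@dataclass(frozen=True)
class Rule:
    rid: int
    level: int
    description: str
    if_sid: Tuple[int, ...] = ()          # parent rule ids; () = top-level rule
    decoded_as: Optional[str] = None      # decoder that must have produced the event
    hostname: Optional[str] = None        # against the decoded hostname
    program_name: Optional[str] = None    # against the decoded program name
    url: Optional[str] = None             # against the decoded URL (web logs)
    status: Optional[str] = None          # OSSEC <id>: the decoded HTTP status
    match: Optional[str] = None           # against the raw log line

    def matches(self, ev: dict) -> bool:
        if self.decoded_as and ev.get("decoder") != self.decoded_as:
            return False
        for field in ("hostname", "program_name", "url", "status"):
            pat = getattr(self, field)
            if pat is not None and not compile_pattern(pat).search(ev.get(field) or ""):
                return False
        return self.match is None or bool(compile_pattern(self.match).search(ev["full_log"]))


# Minimal stand-ins for the syslog and web-accesslog decoders.
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) "
                       r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: ?(?P<log>.*)$")
ACCESS_RE = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
                       r'(?P<status>\d{3}) ')


def decode(line: str) -> dict:
    ev = {"full_log": line, "decoder": None}
    for name, rx in (("web-accesslog", ACCESS_RE), ("syslog", SYSLOG_RE)):
        m = rx.match(line)
        if m:
            ev.update(m.groupdict(), decoder=name)
            break
    return ev


RULES = [
    # Web chain as quoted in the thread (levels as in OSSEC 2.8 web_rules.xml).
    Rule(31100, 0, "Access log messages grouped.", decoded_as="web-accesslog"),
    Rule(31103, 6, "SQL injection attempt.", if_sid=(31100, 31108),
         url="=select%20|select+|insert%20|%20from%20|%20where%20|union%20|"
             "union+|where+|null,null|xp_cmdshell"),
    Rule(31104, 6, "Common web attack.", if_sid=(31100,),
         url="%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|cmd.exe|root.exe|_mem_bin|"
             "msadc|/winnt/|/boot.ini|/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|"
             "cd%20|exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\\x5C\\x5C"),
    Rule(31105, 6, "XSS (Cross Site Scripting) attempt.", if_sid=(31100,),
         url="%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|"
             "%20ONLOAD=|INPUT%20|iframe%20"),
    Rule(31106, 6, "A web attack returned code 200 (success).",
         if_sid=(31103, 31104, 31105), status="^200"),
    # Syslog chain: constructed stand-in for 1002's word list, plus the local rule.
    Rule(1002, 2, "Unknown problem somewhere in the system.", match="failed|error|denied"),
    Rule(17, 0, "Ignore MIP Alerts", if_sid=(1002,), hostname="testserver1|testserver2",
         program_name="mip",
         match="HAEngine\\.*INFO|HAEngine\\.*WARNING|Failed to send pseudo-TCP segment frame"),
]


def evaluate(line: str, rules=RULES) -> Optional[Rule]:
    """Walk the if_sid tree: a matching rule's children are tried next and the
    deepest match wins, which is how a level-0 child silences its parent."""
    ev = decode(line)
    children: dict = {}
    for r in rules:
        for parent in (r.if_sid or (None,)):
            children.setdefault(parent, []).append(r)

    def descend(parent):
        for r in children.get(parent, []):
            if r.matches(ev):
                return descend(r.rid) or r
        return None

    return descend(None)


def which(line: str) -> Tuple[Optional[int], Optional[int]]:
    r = evaluate(line)
    return (r.rid, r.level) if r else (None, None)


# Constructed sample lines (the first is the one quoted in the thread).
MIP_LINE = ("Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   : 2 : "
            "Replay protection check failed")
SQLI_200 = ('10.0.0.5 - - [13/Nov/2015:12:37:49 +0800] '
            '"GET /app.php?id=1%20union%20select%201 HTTP/1.1" 200 512')
SQLI_404 = SQLI_200.replace(" 200 512", " 404 210")
TRAVERSAL_200 = '10.0.0.5 - - [13/Nov/2015:12:37:50 +0800] "GET /img/../../etc/passwd HTTP/1.1" 200 88'
BENIGN_200 = '10.0.0.5 - - [13/Nov/2015:12:37:51 +0800] "GET /index.php HTTP/1.1" 200 3021'

if __name__ == "__main__":
    for name, line in [("mip on testserver1", MIP_LINE),
                       ("mip on testserver3", MIP_LINE.replace("testserver1", "testserver3")),
                       ("sqli, 200", SQLI_200), ("sqli, 404", SQLI_404),
                       ("traversal, 200", TRAVERSAL_200), ("benign, 200", BENIGN_200)]:
        print(f"{name:20s} -> (rule, level) = {which(line)}")
```

The second sample is the hostname question from earlier in the thread: with the host renamed to testserver3 the `<hostname>` test of rule 17 fails, the walk stops at 1002, and the event comes out at level 2, which is exactly the alert Daniel keeps receiving. The 404 variant shows why 31106 needs both a parent match and a 200 status.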
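
Dan's advice above, to tie an active-responses.log entry back to its alert by rule id, source IP and a timestamp a few seconds apart, can be scripted. The example below is added here and is not OSSEC's tooling. It first joins on the alert id that the manager passes to the response script (the `1447389519.1118` seen in both logs in the thread) and only falls back to the rule/IP/time heuristic when that id does not resolve. Both sample logs are constructed in the formats quoted in the thread; the second alert, its rule id 100100 and the dangling alert id on the last response line are constructed for the example.

```python
"""Correlate OSSEC alerts.log entries with active-responses.log entries.

Added example, not OSSEC's own tooling. Primary join: the alert id that
the manager passes to every response script and that the script writes
into active-responses.log. Fallback: same rule id, same source IP, and
timestamps within a tolerance. Both sample logs are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional

ALERTS_LOG = """\
** Alert 1447389519.1118: mail  - web,accesslog,attack,
2015 Nov 13 12:38:39 ->/var/log/httpd/access_log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.212.134.200
10.212.134.200 - - [13/Nov/2015:12:37:49 +0800] "POST /app/export.php?q=1%20union%20select%201 HTTP/1.1" 200 8123

** Alert 1447389600.1250: mail  - local,constructed,
2015 Nov 13 12:40:00 ->/var/log/messages
Rule: 100100 (level 10) -> 'Constructed local rule for this example.'
Src IP: 198.51.100.7
Nov 13 12:39:59 web1 example: constructed event from 198.51.100.7
"""

# The last line's alert id does not resolve (think: alerts.log rotated away),
# so it can only be tied to its alert through the fallback.
AR_LOG = """\
Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447389519.1118 31106
Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447389519.1118 31106
Fri Nov 13 12:49:10 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447389519.1118 31106
Fri Nov 13 12:49:10 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447389519.1118 31106
Fri Nov 13 12:40:02 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1447389555.0001 100100
"""

ALERT_HDR = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+): (?P<flags>.*)$")
ALERT_TS = re.compile(r"^(?P<ts>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) .*->(?P<location>\S+)$")
ALERT_RULE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
ALERT_SRC = re.compile(r"^Src IP: (?P<srcip>\S+)$")
# date(6 tokens, tz name ignored) script action user srcip alert_id rule_id
AR_LINE = re.compile(r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
                     r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<srcip>\S+) "
                     r"(?P<alert_id>\S+) (?P<rule_id>\d+)$")


def parse_alerts(text: str) -> List[dict]:
    alerts: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        if (m := ALERT_HDR.match(line)):
            cur = {"alert_id": m["alert_id"], "flags": m["flags"], "srcip": None, "log": []}
            alerts.append(cur)
        elif cur is None:
            continue
        elif (m := ALERT_TS.match(line)):
            cur["time"] = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
            cur["location"] = m["location"]
        elif (m := ALERT_RULE.match(line)):
            cur["rule_id"], cur["level"], cur["description"] = int(m["rule_id"]), int(m["level"]), m["desc"]
        elif (m := ALERT_SRC.match(line)):
            cur["srcip"] = m["srcip"]
        elif line.strip():
            cur["log"].append(line)          # the "Portion of the log(s)"
    return alerts


def parse_active_responses(text: str) -> List[dict]:
    out = []
    for line in text.splitlines():
        m = AR_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['year']} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append({"time": ts, "script": m["script"].rsplit("/", 1)[-1], "action": m["action"],
                    "srcip": m["srcip"], "alert_id": m["alert_id"], "rule_id": int(m["rule_id"])})
    return out


def correlate(alerts: List[dict], responses: List[dict],
              tolerance: timedelta = timedelta(seconds=5)) -> List[dict]:
    by_id = {a["alert_id"]: a for a in alerts}
    rows = []
    for r in responses:
        alert, how = by_id.get(r["alert_id"]), "alert_id"
        if alert is None:
            how = None
            if r["action"] == "add":   # a delete happens minutes later; only the add is near the alert
                near = [a for a in alerts if a.get("rule_id") == r["rule_id"]
                        and a["srcip"] == r["srcip"] and abs(a["time"] - r["time"]) <= tolerance]
                alert = min(near, key=lambda a: abs(a["time"] - r["time"]), default=None)
                how = "fallback" if alert else None
        rows.append({"response": r, "alert": alert, "matched_by": how})
    return rows


if __name__ == "__main__":
    for row in correlate(parse_alerts(ALERTS_LOG), parse_active_responses(AR_LOG)):
        r, a = row["response"], row["alert"]
        desc = f"rule {a['rule_id']} (level {a['level']}) {a['description']}" if a else "no alert found"
        print(f"{r['time']:%H:%M:%S} {r['script']:18s} {r['action']:6s} {r['srcip']:15s} "
              f"via {row['matched_by']}: {desc}")
```

Once each block/unblock pair is tied to its alert, the log lines stored under `log` are the evidence to feed into the rule walk above: that is where you decide whether the traffic was benign and the rule needs tuning.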

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-13 Thread dan (ddp)
On Thu, Nov 12, 2015 at 11:20 PM, frwa onto  wrote:
> Hi Dan,
> Yes, you are right, the 31106 rule does not exist even in my
> current 2.8.1. In my 2.8.1 I see the rules are starting with 50100 and is
> there any specific reason why the older rules have been removed.  I guess

Unless you removed the files in /var/ossec/rules, that rule should be
there. It should be in the web_rules.xml file.

> that I should upgrade the older machine with the new 2.8.1 ? Just for
> knowledge sake must I always uninstall and install a new version of Ossec or

You should download the source (if you installed via source) and run
the install.sh script. It should detect your current installation and
offer to upgrade. NOTE: It will overwrite the rules files (except
local_rules.xml or any you've added), as well as decoder.xml (but not
local_decoder.xml).

> just replace the rules xml file?  Also why in the 2.7.1. when the AR is
> activated I dont see which rules is trigger in ossec log file itself?
>

The ossec.log does not log this information.

> On Fri, Nov 13, 2015 at 1:05 AM, dan (ddp)  wrote:
>>
>> On Mon, Nov 9, 2015 at 11:11 PM, frwa onto  wrote:
>> > Hi Santiago,
>> >I am just running as standalone so its not a manager
>> > or
>> > agent. I have another machine for instance I am using the older ossec
>> > 2.7.1
>>
>>
>> 2.7.1 is way too old to provide much support for.
>>
>> > in that one I have tried say I got my phpymadmin and when I start
>> > browsing
>> > huge data ossec will block me an only after some time I can login here
>> > is
>> > the active response log as below.
>> >
>> > Tue Nov 10 11:48:12 MYT 2015
>> > /var/ossec/active-response/bin/firewall-drop.sh
>> > add - 10.212.134.200 1447127292.12356 31106
>>
>> So rule 31106 is triggering the AR.
>>   <rule id="31106" level="6">
>>     <if_sid>31103, 31104, 31105</if_sid>
>>     <id>^200</id>
>>     <description>A web attack returned code 200 (success).</description>
>>     <group>attack,</group>
>>   </rule>
>>
>> You'll have to go through 31103-31105 to try and get a more specific
>> understanding of what is triggering the alert.
>> (All of this is taken from a 2.8.3+ system, so details may be
>> different from 2.7.1)
>>
>> > Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
>> > add
>> > - 10.212.134.200 1447127292.12356 31106
>> > Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
>> > delete - 10.212.134.200 1447127292.12356 31106
>> > Tue Nov 10 11:58:42 MYT 2015
>> > /var/ossec/active-response/bin/firewall-drop.sh
>> > delete - 10.212.134.200 1447127292.12356 31106
>> >
>> > I dont know what trigger is exactly but I know due to my browsing of
>> > huge
>> > data and also how to overcome this issue? In my older version I saw this
>> > error too
>> > ossec-execd: INFO: Active response command not present:
>> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
>> > system.
>> >
>> > This is my worry on the new machine using 2.8.1 the app might get block
>> > from
>> > accessing the data.
>> >
>> > On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
>> > wrote:
>> >>
>> >> Are you running an agent or the manager? I don't think OSSEC would
>> >> block
>> >> access to your mysql db.
>> >>
>> >> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto  wrote:
>> >>>
>> >>> Hi,
>> >>> I have centos server. I have managed to install ossec 2.8.1. It
>> >>> mainly runs a socket programming app. For every instance of a
>> >>> connection it
>> >>> will receive data and insert into mysql db. What I worried in what
>> >>> scenario
>> >>> will it block the access to this local mysql db as I can see there
>> >>> some
>> >>> rules for mysql? Sorry very new to these.
>> >>>