Re: [ossec-list] Re: Hacker or configuration error ?

2015-11-30 Thread James Le Cuirot
I don't know what's going on here but /proc is not a real directory and 
does not take up space on the disk. It is a virtual directory, maintained 
by the operating system, and the numbered directories directly within it 
will frequently change as they map to processes running on the system.

On Sunday, 29 November 2015 17:33:03 UTC, Antoine wrote:
>
> I searched only 5 mins on the hard drive I found full Friday (my 120GB 
> SSD); /proc was empty but Dolphin indicated 0 free bytes.
> I usually split my drives in 3 partitions, 1 for / with 20GB, 1 for the 
> swap (except on SSD), remaining space for /home.
> Each time the / partition was full.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 9:59 AM, Daniel Bray  wrote:
> On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote:
>>
>> And strangely enough, this works just fine for me (ignored when fed
>> through logger).
>>
>> Can you update to the latest OSSEC source from github and try that?
>
>
> Updated to latest github update, and issue remains. Logtest shows Level 0,
> alerts come to email as level 2.
>

Last idea at the moment:
Copy archives.log. Open the copy in a text editor. Find an entry you
want to test against and delete everything else.
Delete the archives.log header from your chosen entry.
Run that through ossec-logtest:
`cat copy-of-archives.log | /var/ossec/bin/ossec-logtest`

See if it still gets reported as a 0. Maybe there's some odd spacing
issue that isn't maintained when copy/pasting it.


>
> Side note: Kudos to the developers, the upgrade was VERY easy over top the
> existing RPM install:
> git clone https://github.com/ossec/ossec-hids.git
> cd ossec-hids
> ./install
>  - You already have OSSEC installed. Do you want to update it? (y/n): y
>  - Do you want to update the rules? (y/n): y
> done! Nice and quick.
>

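The procedure dan describes (copy archives.log, keep one entry, strip the archives header, pipe the rest into ossec-logtest) as an added example in Python; this is not OSSEC's own code. It assumes the header layout visible in the entries posted in these threads, "YYYY Mon DD HH:MM:SS [(agent) ip]->location raw_log", and the default /var/ossec/bin/ossec-logtest path. The sample archive text is constructed from those entries plus one invented local syslog line.

```python
"""Pull raw log records out of a copy of OSSEC's archives.log so they can be
replayed through ossec-logtest exactly as analysisd received them.

Added example, not OSSEC's own code. Assumes the archives.log header layout
"YYYY Mon DD HH:MM:SS [(agent) ip]->location raw_log" and the default
ossec-logtest path. SAMPLE_ARCHIVE below is constructed for the demo.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Header analysisd prepends to every archived event. "(agent) ip" is present
# only for events relayed from agents; local events read "host->/var/log/x".
HEADER_RE = re.compile(
    r"^\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "  # 2015 Nov 30 10:07:57
    r"(?:\([^)]+\) )?"                                  # optional "(HOSTNAME) "
    r"\S+->(?P<location>\S+) "                           # "HOSTIP->WinEvtLog "
    r"(?P<raw>.*)$"
)


def split_archive_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (location, raw_log) for one archives.log line, or None when the
    line has no archives header (a wrapped continuation line, for example)."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("location"), m.group("raw")


def select_raw_logs(archive_text: str, needle: str) -> List[str]:
    """Raw logs (header stripped) of every archived event containing `needle`.
    Whitespace inside the raw log is preserved byte for byte, which is the
    point of going through a file instead of copy/paste."""
    selected = []
    for line in archive_text.splitlines():
        parsed = split_archive_line(line)
        if parsed is not None and needle in parsed[1]:
            selected.append(parsed[1])
    return selected


def run_logtest(raw_logs: List[str],
                binary: str = "/var/ossec/bin/ossec-logtest") -> str:
    """Feed raw logs to ossec-logtest on stdin (same as
    `cat file | ossec-logtest`) and return its combined output."""
    proc = subprocess.run([binary], input="\n".join(raw_logs) + "\n",
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Constructed sample: the two Windows entries from the thread (the 4688
# message abridged) plus an invented local syslog entry, which shows the
# agent-less header variant, and one line without a header.
SAMPLE_ARCHIVE = (
    "2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 "
    "WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOSTNAME_FQDN: A new process has been created.  New Process Name:  "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe  Creator Process ID: 0x2068\n"
    "2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 "
    "WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: "
    "HOSTNAME_FQDN: Command \"Get-Host\" is Started. Details:   CommandName=Get-Host  "
    "CommandType=Cmdlet  ScriptName=  CommandLine=Get-Host\n"
    "2015 Nov 30 13:05:01 ossec-server->/var/log/secure Nov 30 13:05:01 ossec-server "
    "sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2\n"
    "this line has no archives header and is skipped\n"
)

if __name__ == "__main__":
    import os
    import sys
    needle = sys.argv[1] if len(sys.argv) > 1 else "powershell"
    raws = select_raw_logs(SAMPLE_ARCHIVE, needle)
    for raw in raws:
        print(raw)
    if os.path.exists("/var/ossec/bin/ossec-logtest"):
        print(run_logtest(raws))
```

Point `select_raw_logs` at the contents of your archives.log copy instead of the sample, redirect the printed raw lines to a file and feed that file to ossec-logtest. Because the header is removed programmatically, every run of spaces inside the event survives exactly as analysisd saw it, which is what the copy/paste route can lose.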


[ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible (again)

2015-11-30 Thread Greg Nowicki
Thanks for the reply. Yes, I had thought of the permissions, should have 
mentioned that in the original post. Here they are:
[root@ossec ossec]# ls -ld queue
dr-xr-x--- 11 root ossec 4096 Nov  3  2011 queue
[root@ossec ossec]# ls -ld queue/ossec 
drwxrwx--- 2 ossec ossec 4096 Nov 23 16:11 queue/ossec
[root@ossec ossec]# ls -ld queue/ossec/queue 
srw-rw 1 ossec ossec 0 Nov 23 16:11 queue/ossec/queue
They look correct.

However, your SELinux suggestion I hadn't verified or thought of. But it is 
off:
[root@ossec ossec]# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#enforcing - SELinux security policy is enforced.
#permissive - SELinux prints warnings instead of enforcing.
#disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#targeted - Only targeted network daemons are protected.
#strict - Full SELinux protection.
SELINUXTYPE=targeted

Anything else I can try?

Thanks,

Greg

On Monday, November 23, 2015 at 4:35:09 PM UTC-5, Greg Nowicki wrote:
>
> Hello,
>
> Hoping someone can help me.
>
> New server install on RHEL 6 using source file ossec-hids-2.8.3.tar.gz, it 
> appears the very important daemon, ossec-analysisd, does not fully start, 
> thus preventing other processes from running. The log pasted below shows no 
> smoking gun. Debug has been turned on for all processes (and performing a 
> '/var/ossec/bin/ossec-control enable debug' command). I've cut out my 
> local rules and pared down the config file to a bare minimum with no 
> resolution. What am I missing here?
>
> Thanks,
>
> Greg
>
> uname -a:
> Linux ossec.example.com 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 
> 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> /var/ossec/logs/ossec.log:
> 2015/11/23 15:53:49 ossec-testrule: INFO: Reading local decoder file.
> 2015/11/23 15:53:50 ossec-testrule: INFO: Started (pid: 10488).
> 2015/11/23 15:53:50 ossec-maild: DEBUG: Starting ...
> 2015/11/23 15:53:50 ossec-execd(1350): INFO: Active response disabled. 
> Exiting.
> 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Starting ...
> 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Found user/group ...
> 2015/11/23 15:53:50 ossec-analysisd: DEBUG: Active response initialized ...
> 2015/11/23 15:53:50 adding rule: rules_config.xml
> 2015/11/23 15:53:50 adding rule: pam_rules.xml
> 2015/11/23 15:53:50 adding rule: sshd_rules.xml
> 2015/11/23 15:53:50 adding rule: telnetd_rules.xml
> 2015/11/23 15:53:50 adding rule: syslog_rules.xml
> 2015/11/23 15:53:50 adding rule: arpwatch_rules.xml
> 2015/11/23 15:53:50 adding rule: symantec-av_rules.xml
> 2015/11/23 15:53:50 adding rule: symantec-ws_rules.xml
> 2015/11/23 15:53:50 adding rule: pix_rules.xml
> 2015/11/23 15:53:50 adding rule: named_rules.xml
> 2015/11/23 15:53:50 adding rule: smbd_rules.xml
> 2015/11/23 15:53:50 adding rule: vsftpd_rules.xml
> 2015/11/23 15:53:50 adding rule: pure-ftpd_rules.xml
> 2015/11/23 15:53:50 adding rule: proftpd_rules.xml
> 2015/11/23 15:53:50 adding rule: ms_ftpd_rules.xml
> 2015/11/23 15:53:50 adding rule: ftpd_rules.xml
> 2015/11/23 15:53:50 adding rule: hordeimp_rules.xml
> 2015/11/23 15:53:50 adding rule: roundcube_rules.xml
> 2015/11/23 15:53:50 adding rule: wordpress_rules.xml
> 2015/11/23 15:53:50 adding rule: cimserver_rules.xml
> 2015/11/23 15:53:50 adding rule: vpopmail_rules.xml
> 2015/11/23 15:53:50 adding rule: vmpop3d_rules.xml
> 2015/11/23 15:53:50 adding rule: courier_rules.xml
> 2015/11/23 15:53:50 adding rule: web_rules.xml
> 2015/11/23 15:53:50 adding rule: web_appsec_rules.xml
> 2015/11/23 15:53:50 adding rule: apache_rules.xml
> 2015/11/23 15:53:50 adding rule: nginx_rules.xml
> 2015/11/23 15:53:50 adding rule: php_rules.xml
> 2015/11/23 15:53:50 adding rule: mysql_rules.xml
> 2015/11/23 15:53:50 adding rule: postgresql_rules.xml
> 2015/11/23 15:53:50 adding rule: ids_rules.xml
> 2015/11/23 15:53:50 adding rule: squid_rules.xml
> 2015/11/23 15:53:50 adding rule: firewall_rules.xml
> 2015/11/23 15:53:50 adding rule: cisco-ios_rules.xml
> 2015/11/23 15:53:50 adding rule: netscreenfw_rules.xml
> 2015/11/23 15:53:50 adding rule: sonicwall_rules.xml
> 2015/11/23 15:53:50 adding rule: postfix_rules.xml
> 2015/11/23 15:53:50 adding rule: sendmail_rules.xml
> 2015/11/23 15:53:50 adding rule: imapd_rules.xml
> 2015/11/23 15:53:50 adding rule: mailscanner_rules.xml
> 2015/11/23 15:53:50 adding rule: dovecot_rules.xml
> 2015/11/23 15:53:50 adding rule: ms-exchange_rules.xml
> 2015/11/23 15:53:50 adding rule: racoon_rules.xml
> 2015/11/23 15:53:50 adding rule: vpn_concentrator_rules.xml
> 2015/11/23 15:53:50 adding rule: spamd_rules.xml
> 2015/11/23 15:53:50 adding rule: msauth_rules.xml
> 2015/11/23 15:53:50 adding rule: mcafee_av_rules.xml
> 2015/11/23 15:53:50 adding rule: trend-osce_rules.xml
> 2015/11/23 15:53:50 adding rule: ms-se_rules.xml
> 2015/11/23 15:53:50 adding rule: zeus_rules.xml
> 
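A scripted version of the checks Greg did by hand, as an added example that is not part of OSSEC: it verifies that the queue path is a socket with the expected owner, group and group rw bits, that every directory up to the OSSEC root is searchable by the group, and then connects to it as a client, which separates "permissions wrong" from "file present but nothing bound to it". It also reads the runtime SELinux mode from selinuxfs, since /etc/selinux/config only describes the state at the next boot. The user and group names, the datagram socket type and the /var/ossec root are assumptions taken from the listing above.

```python
"""Checks for the analysisd queue socket behind
"Queue '/var/ossec/queue/ossec/queue' not accessible".

Added example, not part of OSSEC. Assumes analysisd binds a Unix datagram
socket at <ossec_dir>/queue/ossec/queue and that the other daemons reach it
as user and group "ossec" (both assumptions taken from the thread's listing).
"""
import grp
import os
import pwd
import socket
import stat
from typing import List, Optional


def check_queue_socket(path: str, owner: Optional[str] = None,
                       group: Optional[str] = None,
                       stop_at: str = "/var/ossec") -> List[str]:
    """Return the problems found; an empty list means the socket looks usable."""
    problems: List[str] = []
    if not os.path.lexists(path):
        return [f"missing: {path} (analysisd has not created its queue)"]
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"not a socket: {path} is {stat.filemode(st.st_mode)}")
    if owner is not None and st.st_uid != pwd.getpwnam(owner).pw_uid:
        problems.append(f"owner is uid {st.st_uid}, expected {owner}")
    if group is not None and st.st_gid != grp.getgrnam(group).gr_gid:
        problems.append(f"group is gid {st.st_gid}, expected {group}")
    if (st.st_mode & (stat.S_IRGRP | stat.S_IWGRP)) != (stat.S_IRGRP | stat.S_IWGRP):
        problems.append(f"group lacks rw on {path} ({stat.filemode(st.st_mode)})")

    # Every directory from the socket up to stop_at must be searchable (x) by
    # the group, or the path cannot be resolved even if the socket's own mode
    # is fine. "dr-xr-x--- root ossec" on queue/ passes this check.
    d = os.path.dirname(path)
    while True:
        mode = os.stat(d).st_mode
        if not mode & (stat.S_IXGRP | stat.S_IXOTH):
            problems.append(f"not traversable by group: {d} ({stat.filemode(mode)})")
        at_stop = os.path.exists(stop_at) and os.path.samefile(d, stop_at)
        if at_stop or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)

    # Final proof: connect like a client would. connect() on a datagram socket
    # sends nothing, but fails with ECONNREFUSED when the file exists and no
    # process is bound to it (stale socket, analysisd died) and with EACCES
    # when mode/ownership or an LSM policy blocks us.
    if stat.S_ISSOCK(st.st_mode):
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            client.connect(path)
        except OSError as exc:
            problems.append(f"connect failed: {exc.strerror}")
        finally:
            client.close()
    return problems


def selinux_runtime_mode() -> str:
    """'enforcing', 'permissive', 'disabled' or 'unknown', read from selinuxfs
    rather than /etc/selinux/config (which only describes the next boot)."""
    try:
        with open("/sys/fs/selinux/enforce") as fh:
            return "enforcing" if fh.read().strip() == "1" else "permissive"
    except FileNotFoundError:
        return "disabled"
    except OSError:
        return "unknown"


if __name__ == "__main__":
    import sys
    ossec_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec"
    sock = os.path.join(ossec_dir, "queue", "ossec", "queue")
    try:
        issues = check_queue_socket(sock, owner="ossec", group="ossec", stop_at=ossec_dir)
    except KeyError as exc:  # no such user/group on this host
        issues = [f"user or group missing: {exc}"]
    print(f"SELinux runtime: {selinux_runtime_mode()}")
    print("\n".join(issues) if issues else f"{sock}: OK")
```

Run it as root on the manager (`python3 queuecheck.py /var/ossec`). A clean listing plus "connect failed: Connection refused" means the file is a leftover and analysisd is not actually holding the socket, which points back at analysisd's own startup rather than at permissions.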

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Hi Dan!  Here's a log from my archives.log file

2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject:  Security ID:  S-1-5-21-1292428093-1078145449-842925246-500  Account Name:  Administrator  Account Domain:  DOMAIN  Logon ID:  0x6b008a65  Process Information:  New Process ID:  0xeac  New Process Name:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Token Elevation Type: %%1936  Creator Process ID: 0x2068

I also get other similar powershell event logs with this type of unique 
message info:
handle to an object was closed
a process has exited
handle to an object was requested
privileges used for access check

in addition to the log above which has the message "a new process has been 
created"

On Monday, November 30, 2015 at 7:52:14 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea wrote:
> > If anybody knows what I am doing wrong, any help would be great.  Even
> > just a documentation link or something or a question of clarification?  I
> > have posted this issue in the AlienVault forums as well.  I've been keeping
> > both forums updated.
> >
>
> Can you post an entry from the archives.log after the eventchannel change?
>
> > I think a lot of people will want to monitor any scripts from the command
> > line and from PowerShell that run on one of their servers or workstations.
> > If bad malware gets onto a device, it usually runs scripts, so this is part
> > of my detection technique to alert me if a script is run.  I'm still working
> > on the rules.
> >
> > This is my current rule setup in the local_rules.xml file:
> >
> >
> > ^400$|^403$|^500$|^501$|^600$
> > Powershell Event.
> >
> >
> > CommandType=Cmdlet
> > Powershell Command.
> >
> >
> > PowerShell
> > Powershell Log.
> >
> >
> >
> > I'm not sure if the group name matters or needs to be something specific?
> >
>
> The group names shouldn't affect much.
>
>



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote:
>
> And strangely enough, this works just fine for me (ignored when fed 
> through logger). 
>
> Can you update to the latest OSSEC source from github and try that? 
>

Updated to latest github update, and issue remains. Logtest shows Level 0, 
alerts come to email as level 2.


Side note: Kudos to the developers, the upgrade was VERY easy over top the 
existing RPM install:
git clone https://github.com/ossec/ossec-hids.git
cd ossec-hids
./install
 - You already have OSSEC installed. Do you want to update it? (y/n): y
 - Do you want to update the rules? (y/n): y
done! Nice and quick.



Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Also, thanks for the information about the groups


Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Here's another example of a log file in which I'm actually interested in:

2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started. Details:   NewCommandState=Started   SequenceNumber=41   HostName=ConsoleHost  HostVersion=2.0  HostId=9579f128-903c-463c-80fa-7eaa4a80dc54  EngineVersion=2.0  RunspaceId=c07bf134-24b9-47f7-9dfe-9732dc3e675d  PipelineId=5  CommandName=Get-Host  CommandType=Cmdlet  ScriptName=  CommandPath=  CommandLine=Get-Host

This log actually shows the name of the command that was run: "Get-Host" was my 
test PowerShell command.  If there was a script, then the ScriptName would 
be populated.


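The two archives.log records Phillipa posted (Security 4688 for powershell.exe, and Windows PowerShell 500 for Get-Host) run through detection logic of the kind the thread's rules are reaching for, as an added example in Python; this is not OSSEC's decoder or ruleset. It assumes the flattened eventchannel layout shown above, "WinEvtLog: <channel>: <type>(<id>): <source>: <user>: <domain>: <computer>: <message>". The records are constructed from the posts, plus one invented 500 event with ScriptName populated and one 4688 for notepad.exe that must not fire.

```python
"""Parse single-line WinEvtLog records as OSSEC's eventchannel reader emits
them and apply two detections: PowerShell process creation (Security 4688)
and PowerShell engine/command events (channel "Windows PowerShell",
ids 400/403/500/501/600), flagging a run with a ScriptName separately.

Added example, not OSSEC's decoder or rules. Sample records are constructed
from the thread's posts plus two invented variants.
"""
import ntpath
import re
from typing import Dict, List, Optional

WINEVT_RE = re.compile(
    r"^(?:\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} )?"   # agent-side timestamp
    r"WinEvtLog: (?P<channel>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]*): (?P<domain>[^:]*): "
    r"(?P<computer>[^:]+): (?P<message>.*)$"
)
# "Key=Value" pairs in PowerShell event details; values may be empty and may
# contain spaces, so a value ends where the next "  Key=" begins.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

POWERSHELL_EVENT_IDS = {400, 403, 500, 501, 600}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}


def parse_winevt(record: str) -> Optional[dict]:
    """Split one flattened WinEvtLog record into its fixed fields."""
    m = WINEVT_RE.match(record.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["id"] = int(fields["id"])
    return fields


def powershell_details(message: str) -> Dict[str, str]:
    """Key=Value fields after 'Details:' in a Windows PowerShell event."""
    _, sep, details = message.partition("Details:")
    if not sep:
        return {}
    return {k: v.strip() for k, v in KV_RE.findall(details)}


def detect(record: str) -> List[dict]:
    """Return zero or more alert dicts for one record."""
    ev = parse_winevt(record)
    if ev is None:
        return []
    alerts: List[dict] = []
    if ev["channel"] == "Security" and ev["id"] == 4688:
        # 4688 uses "Label:  value" pairs; the image is bounded by the next label.
        image = re.search(r"New Process Name:\s+(.+?)\s+Token Elevation Type:", ev["message"])
        account = re.search(r"Account Name:\s+(\S+)", ev["message"])
        if image and ntpath.basename(image.group(1)).lower() in POWERSHELL_IMAGES:
            alerts.append({"rule": "powershell_process", "event_id": 4688,
                           "account": account.group(1) if account else "",
                           "image": image.group(1)})
    elif ev["channel"] == "Windows PowerShell" and ev["id"] in POWERSHELL_EVENT_IDS:
        kv = powershell_details(ev["message"])
        alert = {"rule": "powershell_engine", "event_id": ev["id"],
                 "command": kv.get("CommandName", ""),
                 "command_line": kv.get("CommandLine", ""),
                 "script": kv.get("ScriptName", "")}
        if ev["id"] == 500:  # "Command ... is Started"
            alert["rule"] = "powershell_script" if alert["script"] else "powershell_command"
        alerts.append(alert)
    return alerts


# Constructed from the thread's two archives.log entries (header removed).
EV_4688 = (
    "2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: "
    "A new process has been created. Subject:  Security ID:  "
    "S-1-5-21-1292428093-1078145449-842925246-500  Account Name:  Administrator  "
    "Account Domain:  DOMAIN  Logon ID:  0x6b008a65  Process Information:  "
    "New Process ID:  0xeac  New Process Name:  "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe  "
    "Token Elevation Type: %%1936  Creator Process ID: 0x2068"
)
EV_500 = (
    "2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: "
    "(no user): no domain: HOSTNAME_FQDN: Command \"Get-Host\" is Started. Details:   "
    "NewCommandState=Started   SequenceNumber=41   HostName=ConsoleHost  HostVersion=2.0  "
    "HostId=9579f128-903c-463c-80fa-7eaa4a80dc54  EngineVersion=2.0  "
    "RunspaceId=c07bf134-24b9-47f7-9dfe-9732dc3e675d  PipelineId=5  CommandName=Get-Host  "
    "CommandType=Cmdlet  ScriptName=  CommandPath=  CommandLine=Get-Host"
)
# Invented: same event shape, but a script file was executed.
EV_500_SCRIPT = EV_500.replace("ScriptName=", "ScriptName=C:\\Temp\\update.ps1").replace(
    "CommandLine=Get-Host", "CommandLine=C:\\Temp\\update.ps1 -Mode quiet")
# Invented: a 4688 for notepad.exe, which must not fire.
EV_4688_NOTEPAD = EV_4688.replace(
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\System32\\notepad.exe")

if __name__ == "__main__":
    for rec in (EV_4688, EV_500, EV_500_SCRIPT, EV_4688_NOTEPAD):
        print(detect(rec))
```

The "handle closed", "process exited" and "privileges used" events Phillipa mentions are other Security event ids and fall through `detect` untouched; only 4688 is tied to the process image. The Key=Value splitter stops a value at the next whitespace-then-Key= boundary, so a CommandLine that itself contains " name=value" text will be cut short; if that matters, match ScriptName and CommandLine with anchored expressions instead.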

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp)  wrote:
>
>
> Last idea at the moment:
> Copy archives.log. Open the copy in a text editor. Find an entry you
> want to test against and delete everything else.
> Delete the archives.log header from your chosen entry.
> Run that through ossec-logtest:
> `cat copy-of-archives.log | /var/ossec/bin/ossec-logtest`
>
> See if it still gets reported as a 0. Maybe there's some odd spacing
> issue that isn't maintained when copy/pasting it.
>
>
Still gets reported as 0, but email is Level 2.



Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Ryan Schulze

On 11/30/2015 12:21 PM, Daniel Bray wrote:
> On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote:
> >
> > Last idea at the moment:
> > Copy archives.log. Open the copy in a text editor. Find an entry you
> > want to test against and delete everything else.
> > Delete the archives.log header from your chosen entry.
> > Run that through ossec-logtest:
> > `cat copy-of-archives.log | /var/ossec/bin/ossec-logtest`
> >
> > See if it still gets reported as a 0. Maybe there's some odd spacing
> > issue that isn't maintained when copy/pasting it.
> >
> Still gets reported as 0, but email is Level 2.


Is this the only rule in your local_rules.xml that isn't working, or are 
all rules in your local_rules.xml not working?




[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
If anybody knows what I am doing wrong, any help would be great.  Even just 
a documentation link or something or a question of clarification?  I have 
posted this issue in the AlienVault forums as well.  I've been keeping both 
forums updated.

I think a lot of people will want to monitor any scripts from the command 
line and from PowerShell that run on one of their servers or workstations. 
If bad malware gets onto a device, it usually runs scripts, so this is 
part of my detection technique to alert me if a script is run.  I'm still 
working on the rules.

This is my current rule setup in the local_rules.xml file:


  
^400$|^403$|^500$|^501$|^600$
Powershell Event.
  
  
CommandType=Cmdlet
Powershell Command.
  
  
PowerShell
Powershell Log.
  


I'm not sure if the group name matters or needs to be something specific?

On Friday, November 27, 2015 at 9:06:21 AM UTC-6, Phillipa Moorea wrote:
>
> A little further, I changed the logformat from eventlog to eventchannel, 
> and now the archive.log has taken out all of the multiple lines.  I still 
> do not have a generated alert yet even though ossec-logtest says it 
> generates an alert and it matches my custom rule.  I set the level to level 
> 6.
>
> On Friday, November 27, 2015 at 8:41:48 AM UTC-6, Phillipa Moorea wrote:
>>
>> Well, I updated both the server and client OSSEC HIDS to 2.8.3, but still 
>> no luck.  The PowerShell logs in archive.log are still multi-line logs, and 
>> I am getting the same results.
>>
>> On Wednesday, November 25, 2015 at 8:45:18 AM UTC-6, Phillipa Moorea 
>> wrote:
>>>
>>> Ok, I think I know what's going on now.  I do not have the latest stable 
>>> release of 2.8.3.  I think I might have 2.8.2 or 2.8.1 or something.
>>>
>>> I found this issue which resembled my issue because the logs have 
>>> multiple lines in powershell.  
>>> https://github.com/ossec/ossec-hids/issues/224
>>> Then I saw that a fix was implemented in 2.9 from here: 
>>> https://github.com/ossec/ossec-hids/pull/457
>>> Then from this forum I now see that perhaps it is implemented in 2.8.3 
>>> on Nov 5th which is probably the day after I had made my OSSEC updates, 
>>> lol: https://groups.google.com/forum/#!topic/ossec-list/JA9x4uzDg1g
>>>
>>> I'll try updating to the latest version again and see if that helps.
>>>
>>> On Monday, November 9, 2015 at 9:17:28 AM UTC-6, Phillipa Moorea wrote:

 I have restarted OSSEC using the OSSEC Agent Manager on the ossec 
 client computer.  I have also restarted the OSSEC service on the OSSEC 
 server.  I'm not sure why I can't reply to your response, so I had to 
 reply 
 to mine @dan(ddpbsd)

 Also I am using OSSEC HIDS v2.8 on the client & server.

>>>



Re: [ossec-list] Re: Hacker or configuration error ?

2015-11-30 Thread Antoine
Ok, are the directories in /proc erased by the system when shutting down 
the computer ?


I was watching the content of my SSD that filled up on Friday, and it 
confirmed it's not due to OSSEC's config.
I found that data from my /home/antoine directory were copied to 
/var/ossec/queue/diff/local/home/antoine/
I never launched this copy, and the time it started is "fun". Friday I 
was connected to IRC; at 17h32 (5:32pm) I said on IRC that I was leaving to buy food,
and the copy started at 17h38 (5:38pm)... It's the time indicated by the 
earliest directory.


So I think this sh*t comes from a M*therf*cker who reads my IRC 
conversations, or introduced a keylogger on my system, and understands 
French; I'm French and only connected to French IRC channels...


I'll watch the content of the other disks which were filled up during 
August as soon as possible.


Thanks :)

Antoine.


On 30/11/2015 10:54, James Le Cuirot wrote:
> I don't know what's going on here but /proc is not a real directory 
> and does not take up space on the disk. It is a virtual directory, 
> maintained by the operating system, and the numbered directories 
> directly within it will frequently change as they map to processes 
> running on the system.
>
> On Sunday, 29 November 2015 17:33:03 UTC, Antoine wrote:
>
>> I searched only 5 mins on the hard drive I found full Friday (my
>> 120GB SSD); /proc was empty but Dolphin indicated 0 free bytes.
>> I usually split my drives in 3 partitions, 1 for / with 20GB, 1
>> for the swap (except on SSD), remaining space for /home.
>> Each time the / partition was full.



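What Antoine did by hand (finding which directory filled / and reading the start time off the earliest entry), as an added Python example that is not part of OSSEC. It only walks the filesystem the root lives on, so /proc and other virtual mounts, which James points out hold no disk blocks, are never counted. For context: in OSSEC, queue/diff/local/ under the install directory is where syscheck keeps copies of files monitored with report_changes="yes" so it can emit a diff when they change. The directory tree the demo builds is constructed; its sizes and timestamps are invented.

```python
"""Find what is filling a partition and when it started: total size and the
earliest file modification time per directory under a root, staying on one
filesystem so virtual mounts such as /proc are never counted.

Added example, not OSSEC's own tooling. build_sample_tree() creates a
constructed stand-in for a / partition with an OSSEC diff directory that has
been mirroring a home directory since a given moment.
"""
import os
import stat
import sys
import time
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DirUsage:
    path: str
    size: int           # sum of st_size of regular files below path (du counts blocks)
    files: int
    first_mtime: float  # earliest mtime below path: when the growth began


def usage_by_subdir(root: str, depth: int = 1) -> List[DirUsage]:
    """Aggregate usage per directory `depth` levels below root, largest first.
    Files closer to root than `depth` are credited to their nearest ancestor."""
    root = os.path.abspath(root)
    root_dev = os.lstat(root).st_dev
    agg: Dict[str, DirUsage] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune mount points: anything on another device is not this partition.
        keep = []
        for name in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, name)).st_dev == root_dev:
                    keep.append(name)
            except OSError:
                pass
        dirnames[:] = keep
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        key = os.path.join(root, *parts[:depth])
        for name in filenames:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, devices
                continue
            entry = agg.get(key)
            if entry is None:
                entry = agg[key] = DirUsage(key, 0, 0, st.st_mtime)
            entry.size += st.st_size
            entry.files += 1
            entry.first_mtime = min(entry.first_mtime, st.st_mtime)
    return sorted(agg.values(), key=lambda u: u.size, reverse=True)


def format_report(usages: List[DirUsage], top: int = 10) -> str:
    lines = [f"{'bytes':>12}  {'files':>7}  {'first write':16}  path"]
    for u in usages[:top]:
        started = time.strftime("%Y-%m-%d %H:%M", time.localtime(u.first_mtime))
        lines.append(f"{u.size:>12,}  {u.files:>7,}  {started:16}  {u.path}")
    return "\n".join(lines)


def build_sample_tree(base: str) -> None:
    """Constructed demo tree; sizes and timestamps are invented."""
    spec = {  # relative path -> (size in bytes, mtime as epoch seconds)
        "etc/ossec.conf": (4_000, 1_448_000_000),
        "var/ossec/queue/diff/local/home/antoine/video.mkv": (3_000_000, 1_448_645_880),
        "var/ossec/queue/diff/local/home/antoine/photos/a.jpg": (500_000, 1_448_645_900),
        "var/log/messages": (20_000, 1_448_700_000),
    }
    for rel, (size, mtime) in spec.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.truncate(size)  # sparse file: st_size is what usage_by_subdir sums
        os.utime(full, (mtime, mtime))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    depth = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    print(format_report(usage_by_subdir(root, depth)))
```

Run it as `python3 diskfill.py / 2`, then rerun with a larger depth to drill into the biggest entry; the "first write" column is the timestamp to line up against the timeline (the 17h38 directory in this thread). Sizes are file lengths, not allocated blocks, so sparse or heavily fragmented files will differ from `du`.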


Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea  wrote:
> If anybody knows what I am doing wrong, any help would be great.  Even just
> a documentation link or something or a question of clarification?  I have
> posted this issue in the AlienVault forums as well.  I've been keeping both
> forums updated.
>

Can you post an entry from the archives.log after the eventchannel change?

> I think a lot of people will want to monitor any scripts from the command
> line and from PowerShell that run on one of their servers or workstations.
> If bad malware gets onto a device, it usually runs scripts, so this is part
> of my detection technique to alert me if a script is run.  I'm still working
> on the rules.
>
> This is my current rule setup in the local_rules.xml file:
>
> 
>   
> ^400$|^403$|^500$|^501$|^600$
> Powershell Event.
>   
>   
> CommandType=Cmdlet
> Powershell Command.
>   
>   
> PowerShell
> Powershell Log.
>   
> 
>
> I'm not sure if the group name matters or needs to be something specific?
>

The group names shouldn't affect much.

