Re: [ossec-list] File Integrity Monitoring through OSSEC

2015-12-07 Thread Santiago Bassett
More comments:

1. When has the file been changed?
Use the realtime option (the kernel needs to support inotify; most recent ones do).

2. Who has changed it?
No easy way to do this. I would use audit tools and parse their output with
an OSSEC decoder/rules (I think those would need to be created).

3. What has been changed?

As Dan mentioned, report_changes. Only works on text files (doesn't make
sense for binaries).

4. Notify on certain changes.

What do you mean? Permission changes and ownership changes are reported by
syscheck too.

On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp)  wrote:

>
> On Dec 6, 2015 11:01 AM, "Nishant Porwal" 
> wrote:
> >
> > Hi Guys ,
> >
> > I need to monitor approx 50 config and flat files on 20 servers, meaning
> 1000 files.
> >
> > My requirement is below .
> >
> > 1. When has the file been changed?
> > 2. Who has changed it?
>
> No one has come up with a way to do this through syscheck yet.
>
> > 3. What has been changed?
> > 4. Notify on certain changes.
> >
> > Most important part is "What has been changed"
> >
>
> Report_changes I think is the option you want.
>
> > All are linux servers .
> >
> > OSSEC can help here ?
> > I couldn't find anything in the documentation specifying "what has
> been changed".
> >
> >
> > Thanks
> > Nishant
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>

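A worked configuration for the four requirements discussed above, added here as an example; it is not from the thread and not from the OSSEC project's own sample files. The first part is a syscheck section for ossec.conf with realtime (inotify) monitoring and report_changes enabled; the second is a local rule that escalates any change under a specific directory. The paths /etc/app/conf.d and /usr/local/app/bin, the rule id 100100, the level 12 and the group name are assumptions; rule ids 550 (integrity checksum changed), 553 (file deleted) and 554 (file added) are OSSEC's stock syscheck rules.

```xml
<!-- ossec.conf: syscheck section (paths are assumed, not from the thread) -->
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds; realtime covers the time between scans -->
    <frequency>7200</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Required for rule 554 (file added) to be generated -->
    <alert_new_files>yes</alert_new_files>

    <!-- Text config files: inotify alert when touched, plus a stored diff
         of what changed (report_changes only makes sense for text) -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/app/conf.d</directories>

    <!-- Binaries: checksum, permission and owner changes are still reported,
         but no diff is kept -->
    <directories check_all="yes" realtime="yes">/usr/local/app/bin</directories>

    <!-- Noise that changes on every run of the application (assumed path) -->
    <ignore>/etc/app/conf.d/.cache</ignore>
  </syscheck>
</ossec_config>

<!-- local_rules.xml: "notify on certain changes" - raise the level only for
     the directory that matters (rule id, level and group name are assumed) -->
<group name="local,syscheck,">
  <rule id="100100" level="12">
    <if_sid>550,553,554</if_sid>
    <match>/etc/app/conf.d/</match>
    <description>Monitored application config file changed, deleted or added</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

With report_changes the alert for a text file carries the diff against the previously stored copy, which answers "what"; "when" comes from the realtime alert timestamp; "who" is still outside syscheck, as the reply above says, and needs the audit subsystem and a decoder for its records. The escalation rule fires only for the named directory, so changes elsewhere keep the stock level of rules 550/553/554.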


Re: [ossec-list] I want to hack my ossec-agent by metasploit!

2015-12-07 Thread Santiago Bassett
Yes, what Dan says makes sense.

In addition you can use "logall" option, so not only alerts are logged, but
also every log message. The output goes to
/var/ossec/logs/archives/archives.log

If what you need is to show them in ossec.log at the monitored host, you
can enable agent debug at internal_options.conf




On Fri, Dec 4, 2015 at 5:15 AM, dan (ddp)  wrote:

> On Fri, Dec 4, 2015 at 2:45 AM, 林威任  wrote:
> > I hacked my ossec-agent to get the logs,
> > but the logs do not appear in the ossec.log.
> > Therefore, I want to ask why it does not show up.
> > Thank you!!!
> >
>
> Logs appear in the /var/ossec/logs/alerts/alerts.log file on the OSSEC
> server (or locally for a local installation).
> Without more information (like the logs created by the apps you
> hacked), it's tough to help much more.
>



Re: [ossec-list] Re: OSSEC Alert ways

2015-12-07 Thread Santiago Bassett
Yes, you can either use AlienVault/OSSIM policy/action settings or directly
OSSEC active-response module. More info at:

http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-custom.html

On Fri, Dec 4, 2015 at 1:05 AM,  wrote:

> Thanks Moorea, this is what I want to say!!
>
> On Wednesday, December 2, 2015 at 11:00:51 PM UTC+8, Phillipa Moorea wrote:
>
>> I think I can translate.  Angelina needs to know if she can run a script
>> when an alert is generated.  She does not want to alert with emails because
>> she gets too many emails.
>>
>> This might not help, but what we do is push our OSSIM alerts to an SEIM
>> (Security Event and Incident Management).  I am using AlienVault OSSIM, but
>> there are many others out there that are probably more light weight.  I
>> believe it is from the SEIM that you can chart out the alerts and generate
>> emails within SEIM when you get to a certain threshold of alerts or by some
>> other measurement of your choice.
>>
>> I think a main SEIM vendor is Splunk.
>>
>> Not sure if that helps, hopefully others here can chime in too.
>>
>> On Wednesday, December 2, 2015 at 4:21:09 AM UTC-6, angelw...@gmail.com
>> wrote:
>>>
>>>
>>> hello everyone, OSSEC has some problems bothering me. OSSEC *data is huge*,
>>> and my leader lets me deal with this data artificially... yeah, it means
>>> I will analyse that data by my eyes! Oh my god!!! It's driving me crazy!!
>>> And I think the most crazy person is my leader. There are nearly 17 data,
>>> so help ME...
>>> The *function is*: use another way to *alert admin*. At present, the
>>> OSSEC agent collates logs and gives them to the OSSEC server; the OSSEC
>>> server analyses the logs and uses e-mail to alert the admin through rules,
>>> and the rules have levels. I use e-mail, but there are too many emails,
>>> so some important messages I usually cannot see and deal with the problems.
>>> So I want to ask: can I use another way to alert the admin (not e-mail)?
>>> Can I choose *different ways of alarm* by the degree of emergency of the
>>> content? Can OSSEC *use scripts??*
>>> I am gonna be dead. Help... T_T...
>>>
>>> My English is not very good, please understand~~
>>> Thanks for your reply
>>>
>>> angelina
>>>



Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-07 Thread Santiago Bassett
Thanks Phillipa for sharing. So good to see you actually integrated it with
AlienVault OSSIM too.

On Wed, Dec 2, 2015 at 1:02 PM, Phillipa Moorea 
wrote:

> Thanks for all the help from you (Santiago), from dan, some other posts on
> here, github repository issues, a book I bought on ossec for $10, and the
> work of the OSSEC developers that made the 2.8.3 update, and of course the
> people in the AlienVault Labs!
>
> I was now able to get the alerts working.  I analyzed the PowerShell logs
> and changed my rules a bit.  Here is what I changed it to:
>
> <group name="GROUP_NAME">
>   <rule id="100210" level="LEVEL">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Script</match>
>     <description>Powershell Script.</description>
>   </rule>
>   <rule id="100211" level="LEVEL">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Cmdlet</match>
>     <description>Powershell Command.</description>
>   </rule>
>   <rule id="100212" level="LEVEL">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Function</match>
>     <description>Powershell Function.</description>
>   </rule>
>   <rule id="RULE_ID" level="LEVEL">
>     <if_sid>100210</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Script (500-Started).</description>
>   </rule>
>   <rule id="RULE_ID" level="LEVEL">
>     <if_sid>100210</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Script (501-Stopped).</description>
>   </rule>
>   <rule id="RULE_ID" level="LEVEL">
>     <if_sid>100211</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Command (500-Started).</description>
>   </rule>
>   <rule id="RULE_ID" level="LEVEL">
>     <if_sid>100211</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Command (501-Stopped).</description>
>   </rule>
>   <rule id="RULE_ID" level="LEVEL">
>     <if_sid>100212</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Function (500-Started).</description>
>   </rule>
>   <rule id="RULE_ID" level="LEVEL">
>     <if_sid>100212</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Function (501-Stopped).</description>
>   </rule>
> </group>
>
> I have also created a custom OSSIM plugin for AlienVault to get the alerts
> into the SEIM:
> /etc/ossim/agent/plugins/powershell.cfg: (ATTACHED FILE)
> /etc/ossim/agent/plugins/powershell.sql: (ATTACHED FILE)
>
> It's probably not the best structure, but it works pretty well and is a
> good start!
>
>
>
> On Wednesday, December 2, 2015 at 1:16:09 PM UTC-6, Santiago Bassett wrote:
>>
>> Glad it finally worked Phillipa :-)
>>
>> On Tue, Dec 1, 2015 at 5:28 PM, Phillipa Moorea 
>> wrote:
>>
>>> Yeah, I finally got the alerts working.  This post helped me out a lot:
>>> https://groups.google.com/forum/#!searchin/ossec-list/alert$20to$20be$20generated/ossec-list/SWJe7nm2cbU/pKc8HSfDXCEJ
>>>
>>> It shows exactly a log inside of the archive.log, and what you should
>>> paste into the ossec-logtest.  I also found somewhere to run ossec-logtest
>>> with the "-v" flag option to show the rule matches too.  After I got that,
>>> I found that other rules would match causing the level to be 0.
>>>
>>> Rule 6 matches which was a generic windows rule.
>>> Rule 18100 matched with some logs which is the "Group of windows rules"
>>>
>>> I changed the "" to the 18100 as suggested by Santiago, and then
>>> ran the test again.
>>> It worked.
>>>
>>> So I actually tested it in a real test scenario, and it worked!! Alarms
>>> were generated in the alarms.log file.
>>>
>>>
>>> THANK YOU everyone for all of your help.  After a bunch of fixes,
>>> configuration fixes, OSSEC upgrades, buying an OSSEC book off of amazon,
>>> and these forums, I was finally able to get it to work. :)
>>>
>>> YEAH!!
>>>
>>>
>>>
>>> On Tuesday, December 1, 2015 at 6:43:58 PM UTC-6, Phillipa Moorea wrote:
>>>>
>>>> Thanks Santiago for the information about OSSIM.
>>>>
>>>> I do not have conditions for "if_sid" in the rules.  I'm not sure what
>>>> I would even put there since this is the first rule for PowerShell events.
>>>> I currently have set the alert level on the rule to 2.  I tried other
>>>> values, but nothing was working there.  I'm still trying to debug why an
>>>> alert is not generating, even though when I run the ossec-logtest, it says
>>>> that an alert will be generated
>>>>
>>>>
>>>> On Tuesday, December 1, 2015 at 6:37:03 PM UTC-6, Santiago Bassett
>>>> wrote:
>>>>>
>>>>> I haven't had time to go through the whole email thread, but I don't
>>>>> think using OSSEC in AlienVault OSSIM would cause this. The only
>>>>> modification AlienVault does to OSSEC is the format used for alerts output
>>>>> (at alerts.log), so it can easily be parsed by the AlienVault plugin.
>>>>>
>>>>> Regarding your other question, please check that conditions of
>>>>>  rules are also met, and that ultimately the alert level is
>>>>> different than 0.
>>>>>
>>>>> Hope that helps
>>>>>
>>>>> On Tue, Dec 1, 2015 at 4:32 PM, Phillipa Moorea
>>>>> wrote:
>>>>>
>>>>>> I had before restarted only OSSEC, but now I tried restarting the
>>>>>> server, but no fixes yet.
>>>>>>
>>>>>> Could the issue be caused by the use of OSSEC on an AlienVault OSSIM
>>>>>> server?
>>>>>>
>>>>>>
>>>>>> On Tuesday, December 1, 2015 at 5:40:19 PM UTC-6, Phillipa Moorea
>>>>>> wrote:
>>>>>>>
>>>>>>> Could the problem (of not creating alerts) be caused because
>>>>>>> PowerShell events are INFORMATIONAL?
>>>>>>>
>>>>>>> Informational Event Codes generated by PowerShell: 400, 403, 500,
>>>>>>> 501, 600
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, November 30, 2015 at 1:05:35 PM UTC-6, Phillipa Moorea
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Here's another example of a log file in which I'm actually
>>>>>>>> interested in:
>>>>>>>>
>>>>>>>> 2015 Nov 30 13:0

Re: [ossec-list] 2.8.3 Installation

2015-12-07 Thread dan (ddp)
On Mon, Dec 7, 2015 at 10:25 AM, sandeep ganti  wrote:
>
> What was the previous version that was tested for these platforms, and also
> when do you think we might expect a release for a newer version of OSSEC?
> The reason for this question is to make sure I am having the better version
> of OSSEC running in my environment, as I won't be doing any changes to it for a
> couple of years from now.
>

I don't think anyone on the dev team has access to these niche systems
for testing, so all testing is done by users. Generally we don't see
reports for these systems until after release, so I have no clue when
the last version was tested with them.

I don't expect 2.9 to be released this year.




Re: [ossec-list] 2.8.3 Installation

2015-12-07 Thread sandeep ganti

What was the previous version that was tested for these platforms, and also 
when do you think we might expect a release for a newer version of OSSEC? 
The reason for this question is to make sure I am having the better version 
of OSSEC running in my environment, as I won't be doing any changes to it for a 
couple of years from now.



Re: [ossec-list] 2.8.3 Installation

2015-12-07 Thread dan (ddp)
On Mon, Dec 7, 2015 at 10:13 AM, sandeep ganti  wrote:
>
> Thanks Dan,
>
> Is the 2.8.3 Source file good for AIX and Solaris agent installations too?
>
> I have AIX 5.1,5.2,5.3,6.1,& 7.1 and Solaris 5.6, 5.7, 5.8, 5.9, 5.10 &
> 5.11.
>

It should be, but I don't know if it's been tested on those platforms.

>



Re: [ossec-list] 2.8.3 Installation

2015-12-07 Thread sandeep ganti

Thanks Dan,

Is the 2.8.3 Source file good for AIX and Solaris agent installations too? 

I have AIX 5.1,5.2,5.3,6.1,& 7.1 and Solaris 5.6, 5.7, 5.8, 5.9, 5.10 & 
5.11.
 



Re: [ossec-list] alert for logging outside working hours

2015-12-07 Thread dan (ddp)
On Mon, Dec 7, 2015 at 4:06 AM, Maxim Surdu  wrote:
> Hi everyone,
>
> I am new to OSSEC; I configured ossec-server and ossec-agent, and all is working
> formidably!
> But I need to create an alert to show me people who are logging in outside
> working hours on my system server or agent.
> For example, my company's working hours are Monday-Friday from 09.00 until
> 18.00, and I need to know who from my employers is working after work hours!
>
> Any help would be greatly appreciated
>


You should be able to use the <time> option:
http://ossec.github.io/docs/syntax/head_rules.html#element-time

So something like (totally untested):

<rule id="RULE_ID" level="LEVEL">
  <if_group>authentication</if_group>
  <time>6 pm - 9 am</time>
  <description>Login after hours</description>
</rule>

> Thanks,
> Maxim
>

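A complete local_rules.xml fragment for the Monday-Friday 09.00-18.00 schedule asked about above, added here as an example; it is not Dan's rule and not from the OSSEC project. It pairs <time> with <weekday>, so that weekday evenings and whole weekends are covered by two separate rules. The rule ids 100200 and 100201, the level 10 and the group name are assumptions; "authentication_success" is the group OSSEC's stock login rules (for example sshd rule 5715) carry, and "weekdays" and "weekends" are the documented <weekday> keywords.

```xml
<!-- local_rules.xml: constructed example, ids/level/group name are assumed -->
<group name="local,authentication_success,">

  <!-- Monday-Friday: a successful login between 18:00 and 09:00.
       The time range spans midnight, so Friday 18:00-24:00 and
       Monday 00:00-09:00 are both inside it. -->
  <rule id="100200" level="10">
    <if_group>authentication_success</if_group>
    <weekday>weekdays</weekday>
    <time>6 pm - 9 am</time>
    <description>Successful login outside working hours (weekday, 18:00-09:00)</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Saturday and Sunday: any successful login, whatever the hour -->
  <rule id="100201" level="10">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <description>Successful login on a weekend</description>
    <options>alert_by_email</options>
  </rule>

</group>
```

Two caveats for anyone deploying this: <if_group>authentication_success</if_group> is narrower than Dan's "authentication" and deliberately excludes failed-login groups, so brute-force noise stays on its own rules; and <time>/<weekday> are evaluated against the OSSEC server's clock at the moment the event is analysed, so logs that arrive late (an agent that was offline, or a batch-forwarded file) are judged by arrival time, not by the timestamp inside the log line. Feed a stored login line through /var/ossec/bin/ossec-logtest at different times of day to confirm which rule fires.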


[ossec-list] alert for logging outside working hours

2015-12-07 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC; I configured ossec-server and ossec-agent, and all is working 
formidably!
But I need to create an alert to show me people who are logging in outside 
working hours on my system server or agent.
For example, my company's working hours are Monday-Friday from 09.00 until 
18.00, and I need to know who from my employers is working after work hours!

Any help would be greatly appreciated
 
Thanks,
Maxim
