Re: [ossec-list] Re: Location of OSSEC-WUI

2015-12-22 Thread Vic Hargrave
Hi Maxim.

I'm the developer of the OSSEC virtual appliance. I think what you need to
do might involve dipping into the Kibana code. However, I can take a look
at this and see what I can come up with.

-- vic

On Mon, Dec 14, 2015 at 11:36 PM, Maxim Surdu  wrote:

> I found it:
>
> /opt/lampp/htdocs/ossec-wui
>
> /usr/share/kibana
>
> Who can help me with this topic?
> https://groups.google.com/forum/#!topic/ossec-list/-IbGTSrBwIQ
>
> I already did it for ossec-wui,
> but how do I do it for Kibana?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] Tuning OSSEC

2015-12-22 Thread Santiago Bassett
Hi,

in case you are interested, we have done some work integrating OSSEC with
ELK (especially for those using them to be compliant with PCI DSS, not sure
if this is the case), including the creation of Kibana dashboards.

We have also created a RESTful API for OSSEC that we plan to use with the new
Kibana plugin functionality (added in version 4.2), to be able to
monitor/control your OSSEC deployments from Kibana (e.g. agent status,
syscheck or rootcheck settings, agent keys, loaded rules...)

See more info in our website at:
http://documentation.wazuh.com/en/latest/ossec_elk.html

Best regards,

Santiago.

On Thu, Dec 17, 2015 at 8:24 AM,  wrote:

> I've been tasked with tuning OSSEC.
>
> I've been wondering if there is a general guideline or process. We have OSSEC
> feeding into the ELK stack. What are folks' thoughts on tuning vs. coming up
> with better Kibana hunting searches?
>
> Thanks!
>


Re: [ossec-list] File Integrity Monitoring through OSSEC

2015-12-22 Thread Santiago Bassett
You can probably do that using Rootcheck rules.

For example, to alert if the "Server: 1.2.3.4" line has been modified, you
could use a rule like this:

[Memory configuration check - Server different than 1.2.3.4] [any]
f:/etc/memory.cfg -> !r:^# && r:^Server && !r::1.2.3.4;

You would need to create rules for those lines you want to monitor.

I hope that helps,

Santiago.

On Mon, Dec 21, 2015 at 4:49 AM, dan (ddp)  wrote:

> On Fri, Dec 18, 2015 at 8:36 AM, Nishant Porwal
>  wrote:
> > Hi Santiago/Dan,
> >
> > Thanks for the inputs, I am able to track the changes.
> > One more suggestion is needed:
> >
> > I want to track the file changes and need to alert only on specific
> > changes.
> > Example:
> >
> > File: memory.cfg
> >
> > Content:
> >
> > *
> >
> > Server : 1.2.3.4
> > Port : 8080,80,9090,28443,23
> > Services : Telnet,SSH, FTPD,
> > log_alert : Yes
> > log_memory : Yes
> > log_system : Yes
> > log_application : Yes
> > log_tomcat : Yes
> >
> > *
> >
> > Requirement is:
> >
> > If any changes have been done to the parameters Server, Port, Services,
> > log_tomcat, notify a certain email; else if log_alert, log_memory,
> > log_application, log_system have been changed, don't notify.
> >
>
> I don't know of a way to watch for changes in certain parts of a file.
>
> > On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett
> >  wrote:
> >>
> >> More comments:
> >>
> >> 1. When has the file been changed?
> >> Use the realtime option (the kernel needs to support inotify, most recent
> >> ones do)
> >>
> >> 2. Who has changed it?
> >> No easy way to do this. I would use audit tools and parse their output
> >> with an OSSEC decoder/rules (I think those would need to be created).
> >>
> >> 3. What has been changed?
> >>
> >> As Dan mentioned, report_changes. Only works on text files (doesn't make
> >> sense for binaries).
> >>
> >> 4. Notify on certain changes.
> >>
> >> What do you mean? Permission changes and ownership changes are reported by
> >> syscheck too.
> >>
> >> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp)  wrote:
> >>>
> >>>
> >>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" 
> >>> wrote:
> >>> >
> >>> > Hi Guys,
> >>> >
> >>> > I need to monitor approx. 50 config and flat files on 20 servers, meaning
> >>> > 1000 files.
> >>> >
> >>> > My requirement is below.
> >>> >
> >>> > 1. When has the file been changed?
> >>> > 2. Who has changed it?
> >>>
> >>> No one has come up with a way to do this through syscheck yet.
> >>>
> >>> > 3. What has been changed?
> >>> > 4. Notify on certain changes.
> >>> >
> >>> > The most important part is "What has been changed".
> >>> >
> >>>
> >>> report_changes I think is the option you want.
> >>>
> >>> > All are Linux servers.
> >>> >
> >>> > Can OSSEC help here?
> >>> > I couldn't find anything in the documentation specifying "what has
> >>> > been changed".
> >>> >
> >>> >
> >>> > Thanks
> >>> > Nishant
> >>> >
> >
> > --
> > Thanks n Regards
> > Nishant Porwal
> > 09527916969
> >
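Santiago's rootcheck suggestion above needs one rule per monitored line. Another way to meet the stated requirement (notify on Server/Port/Services/log_tomcat, stay silent on the log_* toggles) is to keep syscheck's report_changes alert and classify it afterwards. The following is an added example, not code from the thread or from OSSEC: a Python post-processor that parses the posted memory.cfg layout, lists which keys changed between two versions, and decides whether to notify. `keys_in_diff` assumes the "What changed" section of a report_changes alert carries diff(1) normal-format output (`<`/`>` lines); the key sets, file contents and the diff text are constructed from the post. Keys nobody listed are treated as monitored, so an unexpected edit is never silenced.

```python
import re
from typing import Dict, Set, Tuple

# Keys from the requirement in the thread: changes to these must be notified...
NOTIFY_KEYS = {"server", "port", "services", "log_tomcat"}
# ...while changes limited to these are to be accepted silently.
IGNORE_KEYS = {"log_alert", "log_memory", "log_system", "log_application"}

# One "Key : value" line, tolerant of spaces around the colon as in the posted memory.cfg.
KEY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_cfg(text: str) -> Dict[str, str]:
    """Map lower-cased keys to values; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def changed_keys(old: str, new: str) -> Dict[str, Tuple[str, str]]:
    """Keys added, removed or altered between two versions of the file, with (old, new) values."""
    a, b = parse_cfg(old), parse_cfg(new)
    return {k: (a.get(k, ""), b.get(k, "")) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def keys_in_diff(diff_text: str) -> Set[str]:
    """Keys named on the '< ' / '> ' lines of a diff(1) normal-format listing.

    Assumption: the "What changed" part of a report_changes alert carries that format,
    so an alert can be classified without re-reading the file on the agent."""
    keys: Set[str] = set()
    for line in diff_text.splitlines():
        if line.startswith(("< ", "> ")):
            m = KEY_RE.match(line[2:])
            if m:
                keys.add(m.group(1).lower())
    return keys


def classify(changed: Set[str]) -> Dict[str, Set[str]]:
    """Split changed keys into the three buckets the requirement implies."""
    return {
        "notify": changed & NOTIFY_KEYS,
        "ignore": changed & IGNORE_KEYS,
        "unexpected": changed - NOTIFY_KEYS - IGNORE_KEYS,
    }


def should_notify(changed: Set[str]) -> bool:
    """True when any key outside IGNORE_KEYS changed: a monitored key, or a key nobody
    listed (fail closed: an edit that was not anticipated must not be silenced)."""
    return bool(changed - IGNORE_KEYS)


# Constructed sample data, copied from the memory.cfg content in the post.
BASELINE = """\
Server : 1.2.3.4
Port : 8080,80,9090,28443,23
Services : Telnet,SSH, FTPD,
log_alert : Yes
log_memory : Yes
log_system : Yes
log_application : Yes
log_tomcat : Yes
"""
EDIT_IGNORED = BASELINE.replace("log_memory : Yes", "log_memory : No")      # silent
EDIT_SERVER = BASELINE.replace("Server : 1.2.3.4", "Server : 10.0.0.9")     # notify
EDIT_NEW_KEY = BASELINE + "debug_shell : Yes\n"                             # unexpected -> notify

# Constructed diff(1) normal-format output for EDIT_SERVER, as assumed in keys_in_diff.
SAMPLE_DIFF = """\
1c1
< Server : 1.2.3.4
---
> Server : 10.0.0.9
"""

if __name__ == "__main__":
    for label, new in (("ignored", EDIT_IGNORED), ("server", EDIT_SERVER), ("new key", EDIT_NEW_KEY)):
        changed = set(changed_keys(BASELINE, new))
        print(f"{label:8s} changed={sorted(changed)} -> {'NOTIFY' if should_notify(changed) else 'suppress'}")
    print("from diff:", sorted(keys_in_diff(SAMPLE_DIFF)))
```

Run it against the alert text (or against the agent's before/after copies of the file) from whatever delivers the syscheck alert to you; an alert whose changed keys fall entirely inside IGNORE_KEYS is dropped, everything else is forwarded.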

Re: [ossec-list] ossec for apache access log on ubuntu - not generating alerts

2015-12-22 Thread Venkata Venamma
Thanks!! That helped me proceed in the right direction and solve the issue.


On Monday, December 21, 2015 at 9:39:55 PM UTC+5:30, LostInThe Tubez wrote:
>
> You may very well have to download the latest rule files from the github 
> repository in order to recognize the latest apache log format. You can 
> verify by copy/pasting a line from your apache log into ossec-logtest and 
> seeing if it knows how to decode it. 
>
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] 
> > On Behalf Of dan (ddp) 
> > Sent: Monday, December 21, 2015 5:52 AM 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] ossec for apache access log on ubuntu - not 
> > generating alerts 
> > 
> > On Mon, Dec 21, 2015 at 7:40 AM, Venkata Venamma 
> >  wrote: 
> > > Hello experts, 
> > > 
> > > I want to monitor the Apache access.log on Ubuntu using OSSEC. I have 
> > > configured local_rules.xml as below, in addition to adding the log file 
> > > /var/log/apache2/acces.log to the ossec.conf file. 
> > > 
> > > Entry in local_rules.xml: 
> > > 
> > > apache, 
> > >  
> > >
> > > 31100 
> > > Web server 400 error code. 
> > >
> > >  
> > > 
> > 
> > You're missing the "^4" from the rule. 
> > 
> > 
> > > 
> > > When I hit the Apache server with too many non-existent URLs (thus 
> > > forcing too many 404s into access.log), I was expecting to receive email 
> > > and generate alerts. I don't see any activity in the ossec log or alert log. 
> > > Can you please provide some pointers on how to solve this? 
> > > 
> > > Thanks in advance, 
> > > 
> > > -R 
> > > 
> > > 
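Two separate things had to hold for the alert above to fire: the access-log line must be decodable at all (LostInTheTubez's point about the log format), and the rule must match on the status code (dan's point about the missing `^4`). The block below is an added example, not code from the thread or from OSSEC's own decoders: a Python model of that chain, with a combined-format decoder, the `<id>^4</id>` match, and a frequency/timeframe counter like the one OSSEC rules use for "too many 404s". The regex assumes Apache's stock combined LogFormat, the threshold numbers are assumptions, and the log lines are constructed; the last constructed line is in vhost_combined format, which this decoder does not recognise, to show that an undecodable line never reaches any rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

# Apache "combined" LogFormat (assumption: the server writes the stock combined format).
# The named groups mirror the fields an OSSEC web-accesslog decoder exposes: srcip, url, id.
COMBINED_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<id>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields, or None when the line is not in the expected format.

    None is the failure mode the thread hit: a line the decoder does not recognise never
    reaches any rule, so no alert is possible however the rule is written."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split(" ")
    fields["url"] = parts[1] if len(parts) > 1 else fields["request"]
    return fields


def is_4xx(fields: Dict[str, str]) -> bool:
    """The '<id>^4</id>' condition: status anchored at the start, so 404 matches and 200 does not."""
    return fields["id"].startswith("4")


class FrequencyRule:
    """Fire once `frequency` matching events from one srcip fall within `timeframe` seconds
    (the same idea as OSSEC's frequency/timeframe rule attributes; the defaults are assumptions)."""

    def __init__(self, frequency: int = 10, timeframe: int = 120) -> None:
        self.frequency = frequency
        self.timeframe = timeframe
        self.seen: Dict[str, Deque[datetime]] = defaultdict(deque)

    def feed(self, fields: Dict[str, str]) -> bool:
        ts = datetime.strptime(fields["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = self.seen[fields["srcip"]]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.timeframe:
            window.popleft()           # drop events that fell out of the timeframe
        return len(window) >= self.frequency


def run(lines: List[str], frequency: int = 10, timeframe: int = 120) -> dict:
    """Push lines through decode -> 4xx match -> frequency rule and report what happened."""
    rule = FrequencyRule(frequency, timeframe)
    stats = {"decoded": 0, "undecodable": 0, "4xx": 0, "alerted": []}
    for line in lines:
        fields = decode(line)
        if fields is None:
            stats["undecodable"] += 1
            continue
        stats["decoded"] += 1
        if is_4xx(fields):
            stats["4xx"] += 1
            if rule.feed(fields) and fields["srcip"] not in stats["alerted"]:
                stats["alerted"].append(fields["srcip"])
    return stats


def _line(ip: str, sec: int, status: int, path: str) -> str:
    return (f'{ip} - - [21/Dec/2015:13:05:{sec:02d} +0530] "GET {path} HTTP/1.1" '
            f'{status} 209 "-" "curl/7.47.0"')


# Constructed sample: one client hammering non-existent URLs, one normal request, and one
# line in vhost_combined format (leading "host:port" field) that this decoder does not know.
SAMPLE_LOG = [_line("203.0.113.7", s, 404, f"/nope{s}") for s in range(12)]
SAMPLE_LOG.append(_line("198.51.100.4", 30, 200, "/index.html"))
SAMPLE_LOG.append("www.example.com:80 " + _line("203.0.113.7", 45, 404, "/nope99"))

if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

The same check is what ossec-logtest gives you for real: paste one line from the live access.log and confirm it decodes before touching the rules; if it does not, no amount of rule editing will produce an alert.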


Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-22 Thread theresa mic-snare
Hmm, it looks as though ossec-maild has a problem with my ssmtp.
ssmtp works fine, because it sent me an automated/generated email at 2:43
in the morning.
I've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more
info to debug.

What surprises me is that in netstat ssmtp isn't showing any open
connections.
To me it looks like it only opens a connection when it wants to send an
email; there's no permanent open connection.

here's my ssmtp.conf
AuthUser=xx...@gmail.com
AuthPass=x
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
Debug=YES

and my open connections:
netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address  State   User  Inode  PID/Program name
tcp   0      0      0.0.0.0:3306                0.0.0.0:*        LISTEN  27    37255941313/mysqld
tcp   0      0      0.0.0.0:22                  0.0.0.0:*        LISTEN  0     11227  1216/sshd
tcp   0      0      :::22                       :::*             LISTEN  0     11232  1216/sshd
tcp   0      0      :::8080                     :::*             LISTEN  0     11642  1550/httpd
tcp   0      0      :::80                       :::*             LISTEN  0     11638  1550/httpd
udp   0      0      0.0.0.0:1514                0.0.0.0:*                0     13181  1926/ossec-remoted
udp   0      0      78.41.116.116:123           0.0.0.0:*                0     11350  1256/ntpd
udp   0      0      127.0.0.1:123               0.0.0.0:*                0     11346  1256/ntpd
udp   0      0      0.0.0.0:123                 0.0.0.0:*                0     11339  1256/ntpd
udp   0      0      ::1:123                     :::*                     0     11352  1256/ntpd
udp   0      0      fe80::5054:ff:fef6:4b74:123 :::*                     0     11351  1256/ntpd
udp   0      0      :::123                      :::*                     0     11340  1256/ntpd

I'm happy to do a tcpdump but at the moment I don't really know what to
filter for...
Is ossec-maild listening on a specific port or on the default SMTP port 25?

thanks,
theresa

On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>
> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare 
>  wrote: 
> > Hi everyone, 
> > 
> > today I've noticed a problem with the ossec-maild process. 
> > The ossec.log keeps saying 
> > 
> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server) 
> > 
> > Of course I started troubleshooting the problem and tried to send several 
> > test emails from the ossec master. 
> > I'm using ssmtp through my Google Mail account, by the way. 
> > All test mails that I sent arrived immediately, so sending mails through my 
> > MTA seems to work as usual. 
> > 
> > Then I checked the mail log /var/log/maillog-20151220, 
> > which to my surprise has the latest mail entry from yesterday 19:30: 
> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0 
> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache 
> > outbytes=1898 
> > 
> > (I changed the email address to b...@bla.org for demonstration purposes...) 
> > 
> > At least the two test emails that I just sent should appear in this log, 
> > right? 
> > 
> > I know that the root cause of this problem is NOT an ossec problem... but 
> > maybe you have an idea what the problem might be? 
> > I've checked the quota settings in my gmail account (so far only 10% 
> > used...). 
> > I've also checked the disk space on my ossec master, still 21GB left on / 
> > (where /var is also mounted), 
> > so I doubt it's a quota or diskspace problem. 
> > I've also restarted (stopped and started) ossec, to see if any zombie 
> > processes still allocated the filesystem, and it therefore showed that 
> > plenty of diskspace was available. 
> > But even after the restart of ossec it still shows that it has plenty of 
> > diskspace available. 
> > 
> > Any other ideas how I could troubleshoot this problem? 
> > 
> > 
>
> Make sure ssmtp is still listening on 127.0.0.1. 
> Use tcpdump or something similar to sniff the traffic between 
> ossec-maild and ssmtp. 
> Turn on debugging on ssmtp? 
>
> > thanks, 
> > theresa 
> > 

Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-22 Thread theresa mic-snare
*FACEPALM*

problem solved. This is too embarrassing :(((
epic fail!

On Tuesday, 22 December 2015 10:54:45 UTC+1, theresa mic-snare wrote:

Re: [ossec-list] how to add user to web UI?

2015-12-22 Thread dan (ddp)
On Tue, Dec 22, 2015 at 7:25 AM, Maxim Surdu  wrote:
> Hi everyone,
>
> I am new to OSSEC; I configured the ossec-server and ossec agent, and all is
> working formidably!
> I changed the password for the user in ossec-wui. Can I add another user, and
> can I make it an admin or a simple user? If I can, how can I do it?
>
>

I don't believe the users have any bearing on the application itself;
they just do basic auth to the web server. You should be able to add a
second user by following the same procedure you did when setting up
the wui, http-password maybe?

NOTE: I don't use the wui, especially since it's unmaintained.

> Any help would be greatly appreciated
>
> Thanks,
> Maxim
>


Re: [ossec-list] how to add user to web UI?

2015-12-22 Thread Maxim Surdu
What web interface do you recommend me to use, in which I can create users for
authentication to see logs, because Kibana does not have that :(

On Tuesday, 22 December 2015, 15:04:55 UTC+2, dan (ddpbsd) wrote:


[ossec-list] how to add user to web UI?

2015-12-22 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC; I configured the ossec-server and ossec agent, and all is
working formidably!
I changed the password for the user in ossec-wui. Can I add another user, and
can I make it an admin or a simple user? If I can, how can I do it?

Any help would be greatly appreciated
 
Thanks,
Maxim



Re: [ossec-list] how to add user to web UI?

2015-12-22 Thread dan (ddp)
On Tue, Dec 22, 2015 at 8:16 AM, Maxim Surdu  wrote:
> What web interface do you recommend me to use, in which I can create users for
> authentication to see logs, because Kibana does not have that :(
>

I don't have any recommendations because it's been a long time since
I've looked into them.
But there are a number of options, depending on budget (no
recommendations here, just offering some options):
* Shield for Elasticsearch looks like it offers some security for the ELK stack.
* Splunk offers a number of authentication options.
* graylog2 I believe allows you to create users with different roles.
* ArcSight has more options than anyone could ever need.
* AlienVault's offerings seem to be popular.

I'd be interested in hearing what users actually use, and how it works
for them (but not necessarily in this thread). Looking into various
front ends is something I'm definitely interested in doing, just
haven't had the time.

> On Tuesday, 22 December 2015, 15:04:55 UTC+2, dan (ddpbsd) wrote:


Re: [ossec-list] How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

2015-12-22 Thread dan (ddp)
On Mon, Dec 21, 2015 at 4:34 PM, Chris  wrote:
> I have successfully configured an OSSEC server running on Ubuntu in AWS.
>
>
> I have also successfully automated Ubuntu AWS instances automatically
> installing the OSSEC agent and connecting to the OSSEC server via this
> command /var/ossec/bin/agent-auth -m ossec.myprivatedomain.local -p 1515
>
>
> I am working on automating the installation of the OSSEC agent for Windows
> instances including automating the Windows instances connecting to the OSSEC
> server. I understand that the OSSEC agent for Windows can be downloaded from
> the OSSEC site's "Downloads" page and that it can be silently installed
> using this command line: ossec-agent-win32-2.8.3.exe /S
>
>
> Despite much research, I cannot find out how to get a version of the OSSEC
> agent-auth executable that will run on Windows to allow me to automate the
> Windows instances connecting to the OSSEC server.
>
>
> The closest thing I can find to any mention of the agent-auth application
> being available for Windows is from this blog:
> https://github.com/ossec/ossec-hids/issues/166#issuecomment-41461642 ...
> where a comment states ...
>
> The Windows version of agent-auth was compiled on Linux (Fedora 20) and
> tested on Windows 7 Home Premium 64-bit.
>
> None of the tutorials that talk about compiling the OSSEC agent for Windows
> on Linux address how to compile the agent-auth application for Windows.
>
>
> How/where does one get a version of the OSSEC agent-auth application that
> will run on Windows?
>

I have a currently untested branch for this at
https://github.com/ddpbsd/ossec-hids/tree/winauthd

It's using the current development master as its base. I haven't had
the time or motivation to actually test it yet.



Re: [ossec-list] Clients authenticate, but don't connect (Corp env)

2015-12-22 Thread dan (ddp)
On Mon, Dec 21, 2015 at 9:26 AM, Jamey B  wrote:
> Hi Dan,
>
> When we use manage_agents and export the key to the agent, the agent works
> fine. We've had success this way, but obviously it's tedious for over 5000
> servers. Isn't this similar to how authd works? I'm wondering if there's
> something we're not executing after the agent gets a key.
>
> I've regenerated the SSL key on the server (somehow it was missing), so
> agents no longer have issues connecting for their key -- this is what caused
> all the agent alerts a few posts ago. We are following the guide below, but
> the agents just don't connect after getting their key:
>
> http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/
>


That was just part of the troubleshooting process. We now know that
agents CAN connect and work. So we have eliminated one issue. Only a
million more to go!

I might have missed it in the thread, but what version of OSSEC are you using?
When you run ossec-authd, what options are you using?



[ossec-list] Re: how to add user to web UI?

2015-12-22 Thread Abdulvehhab Agin
Hi,

Welcome to OSSEC. I am sorry to say that the OSSEC WUI has no native support
for role management, but you can easily develop it with PHP knowledge.


On Tuesday, 22 December 2015 14:25:09 UTC+2, Maxim Surdu wrote:


Re: [ossec-list] How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

2015-12-22 Thread dan (ddp)
On Tue, Dec 22, 2015 at 11:48 AM, Chris  wrote:
> Thanks for letting me know. I'll keep an eye on the project to see if future
> releases add support for the agent-auth application for Windows.
>
> The use case is a hybrid environment hosted by Amazon Web Services (AWS)
> where auto-scaling groups cause instances (servers) to come and go.
> Automation technology, such as AWS CloudFormation, allows fully automated
> configuration of the entire server without any manual interaction. The Linux
> version of agent-auth allows this to work well for Linux agents. Not having
> the Windows version prevents OSSEC from being viable in a large-scale cloud
> environment where automation is required. Use of third-party tools such as
> Chef, Puppet, Ansible, etc. can overcome this limitation, but add additional
> considerations.
>

That's a space I'm kinda sorta playing with (although less windows).
If you get the chance to test the windows agent-auth stuff (even in
non-prod stuff), let me know how it works out.

> Thanks,
> Chris
>
>
> On Tuesday, December 22, 2015 at 7:04:55 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 21, 2015 at 4:34 PM, Chris  wrote:
>> > I have successfully configured an OSSEC server running on Ubuntu in AWS.
>> >
>> >
>> > I have also successfully automated Ubuntu AWS instances automatically
>> > installing the OSSEC agent and connecting to the OSSEC server via this
>> > command /var/ossec/bin/agent-auth -m ossec.myprivatedomain.local -p 1515
>> >
>> >
>> > I am working on automating the installation of the OSSEC agent for
>> > Windows
>> > instances including automating the Windows instances connecting to the
>> > OSSEC
>> > server. I understand that the OSSEC agent for Windows can be downloaded
>> > from
>> > the OSSEC site's "Downloads" page and that it can be silently installed
>> > using this command line: ossec-agent-win32-2.8.3.exe /S
>> >
>> >
>> > Despite much research, I cannot find out how to get a version of the
>> > OSSEC
>> > agent-auth executable that will run on Windows to allow me to automate
>> > the
>> > Windows instances connecting to the OSSEC server.
>> >
>> >
>> > The closest thing I can find to any mention of the agent-auth
>> > application
>> > being available for Windows is from this blog:
>> > https://github.com/ossec/ossec-hids/issues/166#issuecomment-41461642 ...
>> > where a comment states ...
>> >
>> > The Windows version of agent-auth was compiled on Linux (Fedora 20) and
>> > tested on Windows 7 Home Premium 64-bit.
>> >
>> > None of the tutorials that talk about compiling the OSSEC agent for
>> > Windows
>> > on Linux address how to compile the agent-auth application for Windows.
>> >
>> >
>> > How/where does one get a version of the OSSEC agent-auth application
>> > that
>> > will run on Windows?
>> >
>>
>> I have a currently untested branch for this at
>> https://github.com/ddpbsd/ossec-hids/tree/winauthd
>>
>> It's using the current development master as its base. I haven't had
>> the time or motivation to actually test it yet.
>>



Re: [ossec-list] How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

2015-12-22 Thread Chris
Thanks for letting me know. I'll keep an eye on the project to see if 
future releases add support for the agent-auth application for Windows.

The use case is a hybrid environment hosted by Amazon Web Services (AWS) 
where auto-scaling groups cause instances (servers) to come and go. 
Automation technology, such as AWS CloudFormation, allow fully automated 
configuration of the entire server without any manual interaction. The 
Linux version of agent-auth allows this to work well for Linux agents. Not 
having the Windows version prevents OSSEC from being viable in a 
large-scale cloud environment where automation is required. Use of 
third-party tools such as Chef, Puppet, Ansible, etc. can overcome this 
limitation, but add additional considerations.

Thanks,
Chris


On Tuesday, December 22, 2015 at 7:04:55 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Dec 21, 2015 at 4:34 PM, Chris  
> wrote: 
> > I have successfully configured an OSSEC server running on Ubuntu in AWS. 
> > 
> > 
> > I have also successfully automated Ubuntu AWS instances automatically 
> > installing the OSSEC agent and connecting to the OSSEC server via this 
> > command /var/ossec/bin/agent-auth -m ossec.myprivatedomain.local -p 1515 
> > 
> > 
> > I am working on automating the installation of the OSSEC agent for 
> Windows 
> > instances including automating the Windows instances connecting to the 
> OSSEC 
> > server. I understand that the OSSEC agent for Windows can be downloaded 
> from 
> > the OSSEC site's "Downloads" page and that it can be silently installed 
> > using this command line: ossec-agent-win32-2.8.3.exe /S 
> > 
> > 
> > Despite much research, I cannot find out how to get a version of the 
> OSSEC 
> > agent-auth executable that will run on Windows to allow me to automate 
> the 
> > Windows instances connecting to the OSSEC server. 
> > 
> > 
> > The closest thing I can find to any mention of the agent-auth 
> application 
> > being available for Windows is from this blog: 
> > https://github.com/ossec/ossec-hids/issues/166#issuecomment-41461642 
> ... 
> > where a comment states ... 
> > 
> > The Windows version of agent-auth was compiled on Linux (Fedora 20) and 
> > tested on Windows 7 Home Premium 64-bit. 
> > 
> > None of the tutorials that talk about compiling the OSSEC agent for 
> Windows 
> > on Linux address how to compile the agent-auth application for Windows. 
> > 
> > 
> > How/where does one get a version of the OSSEC agent-auth application 
> that 
> > will run on Windows? 
> > 
>
> I have a currently untested branch for this at 
> https://github.com/ddpbsd/ossec-hids/tree/winauthd 
>
> It's using the current development master as its base. I haven't had 
> the time or motivation to actually test it yet. 
>



Re: [ossec-list] Clients authenticate, but don't connect (Corp env)

2015-12-22 Thread Jamey B
Hi Dan,

When we add agents, this is what we run on the agents:

/var/ossec/bin/agent-auth -m  -p 1515
/etc/init.d/ossec/ossec-hids restart

I've confirmed via tcpdump that the agents are connecting over 1514.  We also
tried 'A ' at the end of the first command above, but have the
same result.


Here's what the agents are running:

*root@testlabex2* ./ossec-control status

ossec-logcollector is running...

ossec-syscheckd is running...

ossec-agentd is running...
ossec-execd is running...


We are running version 2.8.2-49

On Tue, Dec 22, 2015 at 8:09 AM, dan (ddp)  wrote:

> On Mon, Dec 21, 2015 at 9:26 AM, Jamey B  wrote:
> > Hi Dan,
> >
> > When we use manage_agents and export the key to the agent, the agent
> works
> > fine. We've had success this way, but obviously it's tedious for over
> 5000
> > > servers. Isn't this similar to how authd works? I'm wondering if there's
> > something we're not executing after the agent gets a key.
> >
> > I've regenerated the SSL key on the server (somehow it was missing), so
> > agents no longer have issues connecting for their key -- this is what
> caused
> > all the agent alerts a few posts ago. We are following the guide below,
> but
> > the agents just don't connect after getting their key:
> >
> >
> http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/
> >
>
>
> That was just part of the troubleshooting process. We now know that
> agents CAN connect and work. So we have eliminated one issue. Only a
> million more to go!
>
> I might have missed it in the thread, but what version of OSSEC are you
> using?
> When you run ossec-authd, what options are you using?
>



-- 
Sincerely,

James Bearden III

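The two enrollment threads above (Chris's unattended agent-auth bootstrap on auto-scaled AWS instances, and the agents here that obtain a key but never connect) share one practical check: after agent-auth runs, confirm that /var/ossec/etc/client.keys actually holds an entry under the name the agent will use before restarting it. The following is an added example written for this archive, not OSSEC's own tooling or a script from either poster. It assumes the standard install paths under /var/ossec, the real agent-auth options -m, -p and -A (agent name), and the client.keys line format `ID NAME ADDRESS KEY` as manage_agents exports it; the SAMPLE_CLIENT_KEYS content is constructed.

```python
"""Unattended OSSEC agent enrollment with a post-enrollment key check.

Added example for the ossec-list archive; constructed, not OSSEC's own code.
"""
import socket
import subprocess
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Standard OSSEC agent install paths (assumption: default /var/ossec prefix).
AGENT_AUTH = Path("/var/ossec/bin/agent-auth")
OSSEC_CONTROL = Path("/var/ossec/bin/ossec-control")
CLIENT_KEYS = Path("/var/ossec/etc/client.keys")   # written by agent-auth on success

# Constructed sample of what client.keys looks like after two enrollments.
SAMPLE_CLIENT_KEYS = """\
001 web-01 any 0123456789abcdef0123456789abcdef
# comment lines are ignored

002 web-02 10.0.0.5 fedcba9876543210fedcba9876543210
"""


@dataclass
class AgentKey:
    agent_id: str
    name: str
    address: str
    key: str


def parse_client_keys(text: str) -> List[AgentKey]:
    """Parse client.keys: one 'ID NAME ADDRESS KEY' line per agent (assumed format,
    matching manage_agents exports); blank lines and '#' comments are skipped."""
    entries: List[AgentKey] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line: {raw!r}")
        entries.append(AgentKey(*parts))
    return entries


def has_key_for(text: str, name: str) -> bool:
    """True when client.keys already carries an entry registered under `name`."""
    return any(k.name == name for k in parse_client_keys(text))


def enroll(manager: str, name: Optional[str] = None, port: int = 1515,
           attempts: int = 5, delay: float = 10.0) -> bool:
    """Run agent-auth until client.keys holds our entry, then restart the agent.

    The key on disk, not the exit status alone, is treated as the success signal:
    an agent that 'authenticated' but has no usable key entry will never connect
    on 1514, which is exactly the symptom worth catching at bootstrap time.
    """
    name = name or socket.gethostname()
    for _ in range(attempts):
        subprocess.run([str(AGENT_AUTH), "-m", manager, "-p", str(port), "-A", name],
                       check=False)
        if CLIENT_KEYS.exists() and has_key_for(CLIENT_KEYS.read_text(), name):
            subprocess.run([str(OSSEC_CONTROL), "restart"], check=False)
            return True
        time.sleep(delay)   # authd may not be reachable yet on a fresh instance
    return False


if __name__ == "__main__":
    import sys
    # Usage: python enroll.py ossec.myprivatedomain.local  (manager name assumed)
    ok = enroll(sys.argv[1]) if len(sys.argv) > 1 else False
    sys.exit(0 if ok else 1)
```

When run from cloud-init or CloudFormation user data, the script exits non-zero if no key appears after the retries, so the instance bootstrap can fail loudly instead of leaving a silently unmonitored host.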


Re: [ossec-list] Trouble matching hash from 550 alert for CDB lookup

2015-12-22 Thread Santiago Bassett
Not sure why that is not working but, why did you create new decoders? You
could probably use syscheck fields (as Dan mentioned), a good list can be
found here:

http://ossec-docs.readthedocs.org/en/latest/formats/json.html

On Mon, Dec 21, 2015 at 4:59 AM, dan (ddp)  wrote:

> On Thu, Dec 17, 2015 at 3:36 PM, Jon Schipp  wrote:
> > Hey all, my goal is to lookup the sha1 hash from the 550 syscheck alert
> in a
> > CDB database but I'm not having any luck.
> > I've tried the following things to get an alert to happen on a hash from
> the
> > 550 alert
> >
> > 1. Wrote a simple decoder to decode the sha1sum as the id field and then
> > look up the key in a CDB (see bottom of e-mail). I rebuilt the CDB files
> > after each change
> >
> > 2. Match the sha1sum from a 550 alert using <match>
> >
> >   <rule id="RULE_ID" level="LEVEL">
> >     <if_sid>550</if_sid>
> >     <match>b493df1da32686b27ec147987882c805d3ff6263</match>
> >     <options>no_email_alert</options>
> >     <description>Hash found</description>
> >   </rule>
> >
> > 3. Match the sha1sum from a 550 alert using <id> (decoder is shown at
> > bottom of e-mail)
> >
> >   <rule id="RULE_ID" level="LEVEL">
> >     <if_sid>550</if_sid>
> >     <match>New sha1sum</match>
> >     <decoded_as>integrity_new_hash</decoded_as>
> >     <id>b493df1da32686b27ec147987882c805d3ff6263</id>
> >     <options>no_email_alert</options>
> >     <description>Hash found</description>
> >   </rule>
> >
> > Regarding number 2.) I can <match> on the changed file (e.g.
> > /etc/shadow) from a 550 alert without problem so this leads
> > me to believe that it's not possible to match on hash from the alert
> > (hopefully instead I'm making a mistake)
> >
> > Here's an example alert that contains the hash in the rules above that
> > I'm trying to work with.
> >
> > ** Alert 1450383324.3842774: - ossec,syscheck,
> > 2015 Dec 17 20:15:24 (server2) 1.1.1.2 ->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: '/etc/sysconfig/sshd'
> > Size changed from '438' to '0'
> > Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
> > New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'   # <---
> this is
> > the hash I'm trying to match on in the rules above
> >
> >
> > I have a simple decoder that will put the sha1sum in the id field.
> >
> > <decoder name="integrity_new_hash">
> >   <prematch>New sha1sum is : |New md5sum is : </prematch>
> > </decoder>
> >
> > <decoder name="integrity_new_hash">
> >   <parent>integrity_new_hash</parent>
> >   <regex>'(\w+)'</regex>
> >   <order>id</order>
> > </decoder>
> >
> >   <rule id="RULE_ID" level="LEVEL">
> >     <if_sid>550</if_sid>
> >     <match>sha1sum</match>
> >
> >     <options>no_email_alert</options>
> >     <description>Hash found in malware database!</description>
> >   </rule>
> >
> > ossec-testrule: Type one log per line.
> >
> > New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'   # <--
> pasted
> > hash line
> >
> >
> > **Phase 1: Completed pre-decoding.
> >full event: 'New sha1sum is :
> > 'b493df1da32686b27ec147987882c805d3ff6263''
> >hostname: 'ossec-sec'
> >program_name: '(null)'
> >log: 'New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263''
> >
> > **Phase 2: Completed decoding.
> >decoder: 'integrity_new_hash'
> >id: 'b493df1da32686b27ec147987882c805d3ff6263'  # <--- yay, it's
> now
> > referenced as id.
> >
> > Any help is appreciated
> >
>
> I think syscheck entries are decoded differently than most log
> messages. Check src/analysisd/decoders/syscheck.c.
>

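Dan's point is that syscheck events never pass through the generic decoder path, so a custom decoder on "New sha1sum is :" only fires in ossec-logtest, where the pasted line is treated as an ordinary log. One way to get the hash lookup the thread is after without depending on that path is to do it outside the rule engine, over the alert text itself. The following is an added example written for this archive, not OSSEC's code and not the poster's rule set: it parses a rule 550 alert block, pulls out the path and the before/after checksums, and checks the new SHA-1 against a known-bad set that stands in for the CDB. The alert text is reconstructed from the one quoted above and the "malware" list is constructed; a 550 alert with an unlisted hash, or any alert from another rule, yields no match.

```python
"""Look up the new checksum from an OSSEC syscheck (rule 550) alert in a hash list.

Added example for the ossec-list archive; constructed, not OSSEC's own code.
"""
import re
from typing import Dict, Optional

# Sample alert reconstructed from the thread's quoted alert (hash values as posted).
SAMPLE_ALERT = """\
** Alert 1450383324.3842774: - ossec,syscheck,
2015 Dec 17 20:15:24 (server2) 1.1.1.2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sysconfig/sshd'
Size changed from '438' to '0'
Old sha1sum was: '95bb6b667f597ac3a9146c184865b2a3efe50047'
New sha1sum is : 'b493df1da32686b27ec147987882c805d3ff6263'
"""

# Constructed stand-in for the CDB: lowercase hex SHA-1 -> description.
KNOWN_BAD_SHA1: Dict[str, str] = {
    "b493df1da32686b27ec147987882c805d3ff6263": "test entry taken from the thread",
}

SYSCHECK_CHANGE_RULES = {550}   # rule ids whose alert text carries before/after hashes

_RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)
_FILE_RE = re.compile(r"^Integrity checksum changed for: '([^']+)'", re.MULTILINE)
# Matches both "Old sha1sum was: '...'" and "New sha1sum is : '...'" (note the
# stray space before the colon in the 'New' line), for sha1 and md5 alike.
_HASH_RE = re.compile(
    r"^(Old|New) (sha1|md5)sum (?:was|is) ?: '([0-9a-fA-F]+)'", re.MULTILINE
)


def parse_syscheck_alert(text: str) -> Optional[Dict[str, object]]:
    """Extract rule id, level, path and checksums from one alert block.

    Returns None for alerts that are not checksum-change syscheck alerts, so a
    consumer can feed it every block from alerts.log and only react to 550s.
    """
    m = _RULE_RE.search(text)
    if not m:
        return None
    rule_id, level = int(m.group(1)), int(m.group(2))
    if rule_id not in SYSCHECK_CHANGE_RULES:
        return None
    info: Dict[str, object] = {"rule_id": rule_id, "level": level, "path": None}
    f = _FILE_RE.search(text)
    if f:
        info["path"] = f.group(1)
    for when, algo, digest in _HASH_RE.findall(text):
        key = f"{algo}_{'before' if when == 'Old' else 'after'}"
        info[key] = digest.lower()   # list keys are compared literally, so normalise case
    return info


def check_alert(text: str, bad_hashes: Dict[str, str] = KNOWN_BAD_SHA1
                ) -> Optional[Dict[str, object]]:
    """Return a hit record when the alert's new SHA-1 is in `bad_hashes`, else None."""
    info = parse_syscheck_alert(text)
    if not info:
        return None
    new_hash = info.get("sha1_after")
    if not isinstance(new_hash, str) or len(new_hash) != 40:
        return None   # no usable SHA-1 in this alert (e.g. md5-only or truncated)
    reason = bad_hashes.get(new_hash)
    if reason is None:
        return None
    return {"path": info["path"], "sha1": new_hash, "reason": reason}


if __name__ == "__main__":
    print(check_alert(SAMPLE_ALERT))
```

Splitting alerts.log on the `** Alert` marker gives one block per call; the parser ignores everything except the lines it needs, so extra lines added by other OSSEC versions do not break it.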