Re: [ossec-list] OSSEC MSSQL Audit log
If you have not done it already, try enabling the "logall" option in the OSSEC manager configuration file (global section). Then check your /var/ossec/logs/archives/archives.log and see if those events are getting there. If that is the case, then the agent is forwarding the logs but they are just not triggering alerts. If events don't get there, there might be some configuration issue on the agent side (you could try enabling debug for the agent in internal_options.conf).

Best

On Wed, Jan 27, 2016 at 5:04 AM, Fayax wrote:
> I have enabled audit on MSSQL Server 2014 and audit logs are sent to Windows Application Log.
> I can see the audit logs from event viewer. But I'm unable to see the audit logs from OSSEC server.
> OSSEC agent is configured to analyze Application event log.
>
> Any help would be greatly appreciated.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
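The check Santiago describes (turn on logall, then look in archives.log) is easier to read off a summary than by eyeballing the raw file. The script below is an added example, not code from this thread or from the OSSEC project: it counts what the manager actually received per agent, log source and Windows event channel, so "the Application log never arrives from the agent" can be told apart from "the events arrive but no rule fires". It assumes archive records have the layout `YYYY Mon DD HH:MM:SS (agent_name) ip->location message`; the sample lines are constructed for the example.

```python
"""Summarise an OSSEC archives.log to confirm which agents/log sources are arriving.

Added example (not from the ossec-list thread or the OSSEC project).
ASSUMPTION: each archive record reads
    YYYY Mon DD HH:MM:SS (agent_name) ip->location message
The sample below is constructed, not real data.
"""
import re
from collections import Counter

# Constructed sample of archives.log content.
SAMPLE_ARCHIVE = """\
2016 Jan 27 05:10:01 (sqlbox) 10.0.0.15->WinEvtLog 2016 Jan 27 05:10:00 WinEvtLog: Application: AUDIT_SUCCESS(33205): MSSQLSERVER: audit_event_time:2016-01-27 05:09:59 action_id:LGIS
2016 Jan 27 05:10:02 (sqlbox) 10.0.0.15->WinEvtLog 2016 Jan 27 05:10:01 WinEvtLog: System: INFORMATION(7036): Service Control Manager: The Windows Update service entered the running state.
2016 Jan 27 05:10:03 (webbox) 10.0.0.20->/var/log/auth.log Jan 27 05:10:03 webbox sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 51234 ssh2
2016 Jan 27 05:10:04 (sqlbox) 10.0.0.15->WinEvtLog 2016 Jan 27 05:10:03 WinEvtLog: Application: AUDIT_SUCCESS(33205): MSSQLSERVER: audit_event_time:2016-01-27 05:10:02 action_id:SL
"""

ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<msg>.*)$"
)
# For Windows event log records the channel name follows "WinEvtLog: ".
WINEVT_CHANNEL_RE = re.compile(r"WinEvtLog: (?P<channel>[^:]+):")


def parse_archive_line(line):
    """Return the header fields of one record, or None if the line is not a record."""
    m = ARCHIVE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ch = WINEVT_CHANNEL_RE.search(rec["msg"])
    rec["channel"] = ch.group("channel") if ch else None
    return rec


def summarise(text):
    """Count received events per (agent, location, channel)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_archive_line(line)
        if rec:
            counts[(rec["agent"], rec["location"], rec["channel"])] += 1
    return counts


def received_from(text, agent, needle):
    """Records from one agent whose message contains `needle` (e.g. 'MSSQLSERVER')."""
    return [rec for rec in map(parse_archive_line, text.splitlines())
            if rec and rec["agent"] == agent and needle in rec["msg"]]


if __name__ == "__main__":
    # Real use: summarise(open("/var/ossec/logs/archives/archives.log").read())
    for key, n in sorted(summarise(SAMPLE_ARCHIVE).items(), key=str):
        print(f"{key[0]:10} {key[1]:20} {str(key[2]):12} {n}")
    print(len(received_from(SAMPLE_ARCHIVE, "sqlbox", "MSSQLSERVER")), "MSSQL audit records")
```

If the agent's name shows up with a `WinEvtLog` / `Application` count of zero while other channels arrive, the agent-side eventlog configuration is the place to look; if the MSSQL records are present, the missing piece is a decoder or rule.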
Re: [ossec-list] syscheck not working with restrict option
Are you sure your config is not working? I just tested this and it works for me:

/root

I created three test files:

root@vpc-ossec-manager:~# ls test.txt*
test.txt1 test.txt2 test.txt3

And this is what I get in my syscheck file:

root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep test.txt
+++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73 !1453933436 /root/test.txt1
+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 !1453933436 /root/test.txt2

There is nothing for test.txt3

I am using 2.9 version (development branch)

Best

On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey wrote:
> If I use:
>
> restrict=".php|.js">/var/www/vhosts/
>
> syscheck logs no changes to any file.
>
> If I use:
>
> /var/www/vhosts/
>
> Works fine and logs changes to any file.
>
> Am I missing something when using the *restrict* option?
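The two syscheck database lines Santiago pasted carry everything the manager knows about a monitored file. The script below is an added example (not from this thread or the OSSEC project) that parses such lines into typed fields and emulates what Luke's `restrict` attribute does, i.e. keeps only the paths the pattern matches. It assumes the line layout `<3-char flags><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>` with `+++` meaning a never-changed entry, and uses Python's `re` as a stand-in for OSSEC's own regex dialect; the third database line is constructed.

```python
"""Parse OSSEC 2.x syscheck DB lines and apply a `restrict` filter.

Added example, not OSSEC code. ASSUMPTIONS: a DB line reads
    <3-char flags><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>
('+++' = entry never seen changing), and `restrict` is a regex tested
against the full path (Python `re` stands in for OSSEC's regex engine).
"""
import hashlib
import re
import stat
from datetime import datetime, timezone

# Two lines from the thread plus one constructed web-root entry.
SAMPLE_DB = """\
+++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73 !1453933436 /root/test.txt1
+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 !1453933436 /root/test.txt2
+++42:33188:33:33:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef01234567 !1453933500 /var/www/vhosts/site/index.php
"""

LINE_RE = re.compile(
    r"^(?P<flags>.{3})(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<mtime>\d+) (?P<path>.+)$"
)


def parse_db_line(line):
    """Split one syscheck DB line into typed fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "flags": d["flags"],
        "size": int(d["size"]),
        "mode": stat.filemode(int(d["mode"])),   # 33188 -> '-rw-r--r--'
        "uid": int(d["uid"]),
        "gid": int(d["gid"]),
        "md5": d["md5"],
        "sha1": d["sha1"],
        "mtime": datetime.fromtimestamp(int(d["mtime"]), tz=timezone.utc),
        "path": d["path"],
    }


def restrict_matches(path, restrict):
    """Emulate restrict="...": the path is tracked only if the regex matches it."""
    return re.search(restrict, path) is not None


def select(db_text, restrict=None):
    """Entries that would be tracked under the given restrict (None = no filter)."""
    out = []
    for line in db_text.splitlines():
        rec = parse_db_line(line)
        if rec and (restrict is None or restrict_matches(rec["path"], restrict)):
            out.append(rec)
    return out


def verify_content(rec, content: bytes):
    """Compare candidate content with the stored checksums (both must agree)."""
    return (hashlib.md5(content).hexdigest() == rec["md5"]
            and hashlib.sha1(content).hexdigest() == rec["sha1"])


if __name__ == "__main__":
    for rec in select(SAMPLE_DB):
        print(rec["path"], rec["size"], rec["mode"], rec["mtime"].isoformat())
    print("restricted:", [r["path"] for r in select(SAMPLE_DB, r".php|.js")])
```

Against this sample, `restrict=".php|.js"` keeps only the `index.php` entry and drops both `/root/test.txt*` files, which is the behaviour Luke saw as "no changes logged" for a directory holding no such files.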
Re: [ossec-list] decoder prematch (regex) issue
Agree with Dan, also double check the regexes, as it looks like there are some inconsistencies at the end. I don't think that \D+ is in the right place.

Best

On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) wrote:
>
> On Jan 27, 2016 10:06 AM, "Fredrik" wrote:
> >
> > HI All,
> >
> > Been working on a regex to match the highlighted part of the (event) string below:
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > ... but I just can't get it to match the string I'm hoping to catch. I have tried different additions to the regex below; please note that it is not complete as I have not got past this point without failure - yet ;) I would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+
> >
> > I'm sure I'm missing something obvious, any hints would be greatly appreciated. One example of a string that won't work is (I have included ossec_logtest output for reference):
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n/d*
> >
> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
> > ossec-testrule: Type one log per line.
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> > hostname: '127.0.0.1'
> > program_name: '(null)'
> > log: 'Jan 27 9:32:28 st4600fw01n1 allow 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
>
> Notice that in the "log:" entry part of what you highlighted has been removed. It's a transport header, and ossec generally tries to remove those from processing.
>
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > Best,
> > Fredrik
[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive
Hello Daniel,

Yes, that was my first try. The problem was that the result of an iptables command was too large and the content was truncated most of the time. Therefore, it was triggering false positives.

Do you think of another way of performing an iptables -S check diff in real time?

On Wednesday, January 27, 2016, 6:44:03 (UTC+1), Daniel Cid wrote:
>
> Yes, that would be an issue. Have you tried not sending the output to a file and using the check_diff option on the rules itself?
>
> You could do:
>
> full_command
> iptables -S
> iptables_status
> 3600
>
> And then write a rule to alert on changes:
>
> 530
> ossec: output: 'iptables_status
> Iptables changed
>
> See if that works.
>
> thanks,
>
> On Monday, January 25, 2016 at 8:51:31 AM UTC-4, ZaNN wrote:
> >
> > Hi all,
> >
> > I have configured a checksum alert in real time that triggers an e-mail alert each time a file is being modified. This file is an output of an iptables command executed in all agents every hour:
> >
> > full_command
> > iptables -S > /var/ossec/active-response/iptables_diff.txt
> > iptables_status
> > 3600
> >
> > The problem is that lots of times false positives are received due to size changed *to 0 or from 0*. Not every hour definitely.
> >
> > Integrity checksum changed for: '/var/ossec/active-response/iptables_diff.txt'
> > *Size changed from '1089' to '0'*
> > What changed:
> > 1,20d0
> > < -P INPUT DROP
> > < -P FORWARD DROP
> > < -P OUTPUT ACCEPT
> > < -N LOGGING
> > < -N OUTPUT-NOLOG
> > < -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > < -A INPUT -p icmp -j ACCEPT
> > < -A INPUT -i lo -j ACCEPT
> > < -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > < -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> > < -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> > < -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG
> > < -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG
> > < -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG
> > < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state NEW -j OUTPUT-NOLOG
> > < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state NEW -j OUTPUT-NOLOG
> > Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
> > New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
> > Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
> > New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
> >
> > Integrity checksum changed for: '/var/ossec/active-response/iptables_diff.txt'
> > *Size changed from '0' to '1089'*
> > What changed:
> > 0a1,20
> > -P INPUT DROP
> > -P FORWARD DROP
> > -P OUTPUT ACCEPT
> > -N LOGGING
> > -N OUTPUT-NOLOG
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> >
> > I suspect that this behaviour is related to real time (inotify) and rewriting the file each time the command is executed ( > ). Is there any best practice to avoid these false positives? Maybe a delay in real time check?
> >
> > Thanks in advance
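The alerts ZaNN pasted show the file going to size 0 and back: `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of empty input, so the realtime watcher caught the moment after `>` truncated the file and before `iptables -S` had written into it. The script below is an added example, not code from this thread or from OSSEC: it writes the command output to a temporary file in the same directory and renames it over the target, so the watched path only ever changes from one complete snapshot to the next, and a failing command leaves the previous snapshot in place. It assumes the target directory is on a single filesystem (rename is atomic only within one); the paths and the stand-in command used for the demo are placeholders.

```python
"""Write a command's output atomically so realtime syscheck never sees an empty file.

Added example, not from the ossec-list thread or the OSSEC project.
ASSUMPTION: target directory is on one filesystem, so os.replace() is atomic.
"""
import os
import subprocess
import sys
import tempfile


def capture_atomically(argv, dest):
    """Run `argv`, then atomically replace `dest` with its stdout.

    Returns the command's exit status. On non-zero status `dest` is left untouched.
    """
    dest_dir = os.path.dirname(os.path.abspath(dest)) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".snapshot-", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as tmp:
            proc = subprocess.run(argv, stdout=tmp, stderr=subprocess.PIPE)
            tmp.flush()
            os.fsync(tmp.fileno())      # data on disk before the rename makes it visible
        if proc.returncode != 0:
            os.unlink(tmp_path)         # keep the last good snapshot in place
            return proc.returncode
        os.chmod(tmp_path, 0o600)       # a ruleset dump need not be world-readable
        os.replace(tmp_path, dest)      # atomic: readers see the old or the new file, never an empty one
        return 0
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def read_snapshot(dest):
    """Current snapshot content, or None if it has never been written."""
    try:
        with open(dest, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


# --- stand-ins used for the offline demo (constructed, not real iptables output) ---

def snapshot_command(text):
    """A python one-liner printing `text`; stands in for ['iptables', '-S']."""
    return [sys.executable, "-c", f"import sys; sys.stdout.write({text!r})"]


def failing_command(status=3):
    """A command that exits non-zero, to show the old snapshot survives."""
    return [sys.executable, "-c", f"import sys; sys.exit({status})"]


def scratch_path(name):
    """A fresh temporary directory plus file name for the demo."""
    return os.path.join(tempfile.mkdtemp(prefix="ossec-snap-"), name)


if __name__ == "__main__":
    # Real use: capture_atomically(["iptables", "-S"], "/var/ossec/active-response/iptables_diff.txt")
    target = scratch_path("iptables_diff.txt")
    capture_atomically(snapshot_command("-P INPUT DROP\n-P FORWARD DROP\n"), target)
    print(read_snapshot(target).decode(), end="")
```

Because the temporary file lives beside the target, a syscheck `directories` entry with realtime on that directory will observe the temporary name too; keep the snapshot in its own directory, or monitor the final file alone, so only the completed rename is reported.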
Re: [ossec-list] firewall.log and ICMP?
I'll patch my analysisd to provide srcport and dstport with a value of "0" if the protocol is "ICMP"... I need to keep traces of such events...

/x

On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris wrote:
> Good catch!
>
> I think the ASA provides ports just as part of internal processing of the IP translation. Perhaps they're a sequence number or provide some internal function for IOS. They seem completely random. They change to the real port in the logs when using TCP or UDP. Here are the logs as seen from the ASA
>
> ICMP
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 laddr external.addr/18125(any)
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
>
> In the case of a TCP or UDP connection, you'd see Built outbound TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to inside:1.2.3.4/11515 (external.ip.addr/11515)
>
> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
> >
> > Hi Brent,
> > I think that I found the problem! Here is a sample of my ossec-logtest output:
> >
> > **Phase 2: Completed decoding.
> > decoder: 'iptables'
> > action: 'AUDIT'
> > srcip: '92.222.185.1'
> > dstip: '51.254.36.238'
> > proto: 'ICMP'
> >
> > But, while diving into the source code (in analysisd/alert/log.c):
> >
> > /* FW_Log: v0.1, 2005/12/30 */
> > int FW_Log(Eventinfo *lf)
> > {
> >     /* If we don't have the srcip or the
> >      * action, there is no point in going
> >      * forward over here
> >      */
> >     if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
> >        !lf->dstport || !lf->protocol)
> >     {
> >         return(0);
> >     }
> >
> > I don't have srcport & dstport filled in so no log! I think I'll patch the code and
> >
> > I'm wondering why your ASA firewall provides ports!?
> >
> > About ossec2dshield, I wrote this tool a long time ago to share my logs with DShield.org.
> > Ping me if you want details!
> >
> > /x
> >
> > On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris wrote:
> > >
> > > Xavier,
> > >
> > > I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log -
> > >
> > > 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
> > > 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
> > > 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766
> > > 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278
> > >
> > > I'm not sure what the issue might be.
> > >
> > > Also, thank you for the ossec2dshield script!!! I heard about it on the Internet Storm Center Stormcast, but it might be worth plugging to the list here too :)
> > >
> > > On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
> > > > I'm collecting firewall logs from many Ubuntu servers (basically the /var/log/ufw.log). In this log, I can see events about TCP, UDP and ICMP traffic (allowed or dropped). But, on my OSSEC server, in my firewall.log, I don't see any event related to the ICMP protocol...
> > > >
> > > > /x
> > > >
> > > > On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <santiago...@gmail.com> wrote:
> > > > > I am afraid I don't understand the problem or question, maybe if you explain it a little bit more we can help better.
> > > > >
> > > > > Best
> > > > >
> > > > > On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens wrote:
> > > > > > Hi *,
> > > > > >
> > > > > > Maybe a stupid question but I'm investigating an issue and I've to browse my history of firewall.log files. Problem: I find only TCP/UDP events and nothing regarding ICMP packets?
> > > > > >
> > > > > > I tested via ossec-logstest and events are correctly parsed...
> > > > > >
> > > > > > I never paid attention to this in the past... :-(
> > > > > > Any idea?
> > > > > >
> > > > > > /x
Re: [ossec-list] Log file not triggering alert
Because now the problem is we have new log files created daily. Is this something OSSEC is not capable of?

On Wednesday, January 27, 2016 at 10:43:52 AM UTC-5, Greg Burns wrote:
>
> That worked! I think I was not testing it properly. I used the tail -f as you said and added the line with the alert. I really appreciate your help.
>
> I have one more question. Is there any way to monitor new log files as they appear?
>
> This is the naming convention:
> BatchLog_LT_01192016203220
>
> In the config file could I put something like ? Would that look at all files with that name convention? It seems the last 6 numbers may change
>
> C:\logs\Batch_Log_LT_%m%d%y
> syslog
>
> On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
> >
> > Great, so we know OSSEC is matching against your custom rule. Next step would be to make sure the alert is showing up in /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double check you've restarted the manager since you made the edit to local_rules.xml. If your OSSEC manager isn't too busy, I find the easiest way to do a live test of a rule is to tail -f the alerts.log on the server so you can watch as new logs are written to it. Then, on the agent, copy/paste your test log line into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should see it show up in the tailed alerts.log file on the manager. In that alert entry it will indicate whether an email was generated or not. The header for the alert will look something like this: "** Alert 1453814129.49577: mail - local,syslog,". "mail" being the keyword you're looking for.
> >
> > If you see a mail was generated, you know you are dealing with an email delivery problem and not an OSSEC detection problem.
> >
> > *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *Greg Burns
> > *Sent:* Tuesday, January 26, 2016 8:28 AM
> > *To:* ossec-list
> > *Subject:* Re: [ossec-list] Log file not triggering alert
> >
> > Thanks for the response.
> >
> > I ran log test with the following output:
> >
> > ossec-testrule: Type one log per line.
> >
> > 2016-01-20T17:49:19Error validating xml data against the schema on line 272
> > Content of element "litleTxnId" is incomplete
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
> > hostname: 'kali'
> > program_name: '(null)'
> > log: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
> >
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: ''
> > Level: '12'
> > Description: 'An error was found in an order'
> > **Alert to be generated.
> >
> > On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
> > >
> > > Have you run your log entry through ossec-logtest on the server? This will tell you if an alert should be generated or not. It is always possible that another rule is matching first or perhaps your rule isn't working as expected. There are a couple potential issues with your rule, but I would suggest checking ossec-logtest and reporting back before you get too far into the nitty gritty.
> > >
> > > You can use %Y, %m, and %d in your filenames to represent the year, month and day, respectively. The file has to exist before the agent starts, otherwise it won't be monitored. IIRC, wildcards (asterisks) do not work with the Windows agent for some strange reason.
> > >
> > > *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *Greg Burns
> > > *Sent:* Friday, January 22, 2016 1:08 PM
> > > *To:* ossec-list
> > > *Subject:* [ossec-list] Log file not triggering alert
> > >
> > > I wrote a rule in OSSEC to send an email alert anytime the following string appears in a log (it's a flat log file with no extension):
> > >
> > > 2016-01-20T17:49:19Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete
> > >
> > > The rule should be triggered anytime the words "error validating" appear. Below is the rule:
> > >
> > > error validating
> > > alert_by_email
> > > An error was found in an order
> > >
> > > For testing purposes I placed a log file in C:\logs and set the configuration file to look in that directory - it's the fourth one down
> > >
> > > Application
> > > eventlog
> > >
> > > Security
> > > eventlog
> > >
> > > System
Re: [ossec-list] firewall.log and ICMP?
Is this worth submitting as an issue to github? https://github.com/ossec/ossec-hids/issues

On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>
> I'll patch my analysisd to provide srcport and dstport with a value of "0" if the protocol is "ICMP"... I need to keep traces of such events...
>
> /x
>
> On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris wrote:
> >
> > Good catch!
> >
> > I think the ASA provides ports just as part of internal processing of the IP translation. Perhaps they're a sequence number or provide some internal function for IOS. They seem completely random. They change to the real port in the logs when using TCP or UDP. Here are the logs as seen from the ASA
> >
> > ICMP
> > 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 laddr external.addr/18125(any)
> > 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
> > 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 laddr external.addr/18126(any)
> >
> > In the case of a TCP or UDP connection, you'd see Built outbound TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to inside:1.2.3.4/11515 (external.ip.addr/11515)
> >
> > On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
> > >
> > > Hi Brent,
> > > I think that I found the problem! Here is a sample of my ossec-logtest output:
> > >
> > > **Phase 2: Completed decoding.
> > > decoder: 'iptables'
> > > action: 'AUDIT'
> > > srcip: '92.222.185.1'
> > > dstip: '51.254.36.238'
> > > proto: 'ICMP'
> > >
> > > But, while diving into the source code (in analysisd/alert/log.c):
> > >
> > > /* FW_Log: v0.1, 2005/12/30 */
> > > int FW_Log(Eventinfo *lf)
> > > {
> > >     /* If we don't have the srcip or the
> > >      * action, there is no point in going
> > >      * forward over here
> > >      */
> > >     if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
> > >        !lf->dstport || !lf->protocol)
> > >     {
> > >         return(0);
> > >     }
> > >
> > > I don't have srcport & dstport filled in so no log! I think I'll patch the code and
> > >
> > > I'm wondering why your ASA firewall provides ports!?
> > >
> > > About ossec2dshield, I wrote this tool a long time ago to share my logs with DShield.org.
> > > Ping me if you want details!
> > >
> > > /x
> > >
> > > On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris wrote:
> > > >
> > > > Xavier,
> > > >
> > > > I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log -
> > > >
> > > > 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
> > > > 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
> > > > 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766
> > > > 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278
> > > >
> > > > I'm not sure what the issue might be.
> > > >
> > > > Also, thank you for the ossec2dshield script!!! I heard about it on the Internet Storm Center Stormcast, but it might be worth plugging to the list here too :)
> > > >
> > > > On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
> > > > >
> > > > > I'm collecting firewall logs from many Ubuntu servers (basically the /var/log/ufw.log).
> > > > > In this log, I can see events about TCP, UDP and ICMP traffic (allowed or dropped).
> > > > > But, on my OSSEC server, in my firewall.log, I don't see any event related to the ICMP protocol...
> > > > >
> > > > > /x
> > > > >
> > > > > On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <santiago...@gmail.com> wrote:
> > > > > > I am afraid I don't understand the problem or question, maybe if you explain it a little bit more we can help better.
> > > > > >
> > > > > > Best
> > > > > >
> > > > > > On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens wrote:
> > > > > > > Hi *,
> > > > > > >
> > > > > > > Maybe a stupid question but I'm investigating an issue and I've to browse my history of firewall.log files. Problem: I find only TCP/UDP events and nothing regarding ICMP packets?
> > > > > > >
> > > > > > > I tested via ossec-logstest and events are correctly parsed...
> > > > > > >
> > > > > > > I never paid attention to this in the past... :-(
> > > > > > > Any idea?
> > > > > > >
> > > > > > > /x
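The guard Xavier quoted from analysisd/alert/log.c returns 0 as soon as srcport or dstport is unset, and a decoded ICMP event (as his logtest output shows) has no ports, so it never reaches firewall.log. The block below is an added example in Python, not OSSEC's code and not from this thread: it models that guard next to a variant that treats ports as optional for ICMP and substitutes 0, which is what Xavier says he will patch in. It assumes the event is a dict of decoder fields and copies the firewall.log line shape from Brent's paste (`<time> <location> <action> <proto> <src>:<sport>-><dst>:<dport>`); time and location for the ICMP event are constructed, and the TCP event is constructed entirely.

```python
"""Model of the FW_Log field guard, original beside an ICMP-tolerant variant.

Added example, not OSSEC code. ASSUMPTIONS: events are dicts of decoded
fields; the output line copies the layout of the firewall.log lines quoted
in the thread. Time/location of ICMP_EVENT and all of TCP_EVENT are constructed.
"""

# Fields from Xavier's ossec-logtest output (decoder 'iptables', no ports).
ICMP_EVENT = {"time": "2016 Jan 26 12:00:50", "location": "ossec->192.168.168.168",
              "action": "AUDIT", "srcip": "92.222.185.1", "dstip": "51.254.36.238",
              "protocol": "ICMP", "srcport": None, "dstport": None}

# Constructed TCP event with the same shape.
TCP_EVENT = {"time": "2016 Jan 26 12:00:51", "location": "ossec->192.168.168.168",
             "action": "DROP", "srcip": "203.0.113.7", "dstip": "192.0.2.10",
             "protocol": "TCP", "srcport": "51234", "dstport": "22"}

REQUIRED_ALWAYS = ("action", "srcip", "dstip", "protocol")


def format_fw_line(lf):
    """Render one firewall.log line in the layout seen in the thread."""
    return (f"{lf['time']} {lf['location']} {lf['action']} {lf['protocol']} "
            f"{lf['srcip']}:{lf['srcport']}->{lf['dstip']}:{lf['dstport']}")


def fw_log_original(lf):
    """Mirror of the quoted guard: any missing field, ports included, drops the event."""
    for field in REQUIRED_ALWAYS + ("srcport", "dstport"):
        if not lf.get(field):
            return None
    return format_fw_line(lf)


def fw_log_patched(lf):
    """Ports are optional for ICMP (logged as 0); every other field is still required."""
    for field in REQUIRED_ALWAYS:
        if not lf.get(field):
            return None
    lf = dict(lf)
    if lf["protocol"].upper() == "ICMP":
        lf["srcport"] = lf["srcport"] or "0"
        lf["dstport"] = lf["dstport"] or "0"
    elif not (lf["srcport"] and lf["dstport"]):
        return None   # TCP/UDP without ports is still an incomplete event
    return format_fw_line(lf)


if __name__ == "__main__":
    for ev in (ICMP_EVENT, TCP_EVENT):
        print("original:", fw_log_original(ev))
        print("patched: ", fw_log_patched(ev))
```

Brent's ASA events pass the original guard only because the ASA decoder fills the port fields with the translation identifiers; the ufw decoder leaves them empty, which is the difference between the two firewall.log outputs in this thread.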
Re: [ossec-list] Log file not triggering alert
That worked! I think I was not testing it properly. I used the tail -f as you said and added the line with the alert. I really appreciate your help.

I have one more question. Is there any way to monitor new log files as they appear?

This is the naming convention:
BatchLog_LT_01192016203220

In the config file could I put something like ? Would that look at all files with that name convention? It seems the last 6 numbers may change

C:\logs\Batch_Log_LT_%m%d%y
syslog

On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
>
> Great, so we know OSSEC is matching against your custom rule. Next step would be to make sure the alert is showing up in /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double check you've restarted the manager since you made the edit to local_rules.xml. If your OSSEC manager isn't too busy, I find the easiest way to do a live test of a rule is to tail -f the alerts.log on the server so you can watch as new logs are written to it. Then, on the agent, copy/paste your test log line into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should see it show up in the tailed alerts.log file on the manager. In that alert entry it will indicate whether an email was generated or not. The header for the alert will look something like this: "** Alert 1453814129.49577: mail - local,syslog,". "mail" being the keyword you're looking for.
>
> If you see a mail was generated, you know you are dealing with an email delivery problem and not an OSSEC detection problem.
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *Greg Burns
> *Sent:* Tuesday, January 26, 2016 8:28 AM
> *To:* ossec-list
> *Subject:* Re: [ossec-list] Log file not triggering alert
>
> Thanks for the response.
>
> I ran log test with the following output:
>
> ossec-testrule: Type one log per line.
>
> 2016-01-20T17:49:19Error validating xml data against the schema on line 272
> Content of element "litleTxnId" is incomplete
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
> hostname: 'kali'
> program_name: '(null)'
> log: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: ''
> Level: '12'
> Description: 'An error was found in an order'
> **Alert to be generated.
>
> On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
> >
> > Have you run your log entry through ossec-logtest on the server? This will tell you if an alert should be generated or not. It is always possible that another rule is matching first or perhaps your rule isn't working as expected. There are a couple potential issues with your rule, but I would suggest checking ossec-logtest and reporting back before you get too far into the nitty gritty.
> >
> > You can use %Y, %m, and %d in your filenames to represent the year, month and day, respectively. The file has to exist before the agent starts, otherwise it won't be monitored. IIRC, wildcards (asterisks) do not work with the Windows agent for some strange reason.
> >
> > *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *Greg Burns
> > *Sent:* Friday, January 22, 2016 1:08 PM
> > *To:* ossec-list
> > *Subject:* [ossec-list] Log file not triggering alert
> >
> > I wrote a rule in OSSEC to send an email alert anytime the following string appears in a log (it's a flat log file with no extension):
> >
> > 2016-01-20T17:49:19Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete
> >
> > The rule should be triggered anytime the words "error validating" appear. Below is the rule:
> >
> > error validating
> > alert_by_email
> > An error was found in an order
> >
> > For testing purposes I placed a log file in C:\logs and set the configuration file to look in that directory - it's the fourth one down
> >
> > Application
> > eventlog
> >
> > Security
> > eventlog
> >
> > System
> > eventlog
> >
> > C:\logs\BatchLog_LT_01192016203220
> > syslog
> >
> > However it does not seem to be working. When I go in and restart the agent it appears to successfully analyze the logs except it does not trigger an alert. Below is the ossec.log after restarting:
> >
> > 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
Re: [ossec-list] decoder prematch (regex) issue
Thanks Dan! I obviously didn't realize that this was the case :( This means that I should create a regex that takes the missing entry part into account and hence matches: Jan 27 9:32:28 st4600fw01n1 not the full string I was aiming for? This would then explain the, from my point of view, somewhat erratic behavior where things matched that I believed wouldn't ;)

Best,
Fredrik

On Wednesday, January 27, 2016 at 4:09:38 PM UTC+1, dan (ddpbsd) wrote:
>
> On Jan 27, 2016 10:06 AM, "Fredrik" wrote:
> >
> > HI All,
> >
> > Been working on a regex to match the highlighted part of the (event) string below:
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > ... but I just can't get it to match the string I'm hoping to catch. I have tried different additions to the regex below; please note that it is not complete as I have not got past this point without failure - yet ;) I would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+
> >
> > I'm sure I'm missing something obvious, any hints would be greatly appreciated. One example of a string that won't work is (I have included ossec_logtest output for reference):
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n/d*
> >
> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
> > ossec-testrule: Type one log per line.
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> > hostname: '127.0.0.1'
> > program_name: '(null)'
> > log: 'Jan 27 9:32:28 st4600fw01n1 allow 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
>
> Notice that in the "log:" entry part of what you highlighted has been removed. It's a transport header, and ossec generally tries to remove those from processing.
>
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > Best,
> > Fredrik
Re: [ossec-list] decoder prematch (regex) issue
Hi Santiago!

Thanks for your input. As you pointed out, the \D+ is out of place, and I couldn't figure out why that would match whereas the latter regex, which I believed to be more complete, wouldn't. With input from Dan and yourself, I realize that OSSEC is offering a helping hand in stripping the transport header. If I got this right, I should match against what logtest outputs after log: and not the full string?

Best regards,
Fredrik

On Thursday, January 28, 2016 at 12:12:53 AM UTC+1, Santiago Bassett wrote:
> Agree with Dan, also double check the regexes, as it looks like there are some inconsistencies at the end. I don't think that \D+ is in the right place.
>
> Best
>
> On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) wrote:
> > On Jan 27, 2016 10:06 AM, "Fredrik" wrote:
> > >
> > > Hi All,
> > >
> > > Been working on a regex to match highlighted part of the (event) string below:
> > >
> > > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> > >
> > > ... but I just can't get it to match the string I'm hoping to catch. I have tried different additions to the regex below, please note that it is not complete as I have not got past this point without failure - yet ;) I would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
> > >
> > > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+
> > >
> > > I'm sure I'm missing something obvious, any hints would be greatly appreciated. One example of a string that won't work is (I have included ossec_logtest output for reference):
> > >
> > > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n/d*
> > >
> > > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
> > > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
> > > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
> > > ossec-testrule: Type one log per line.
> > >
> > > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;
> > >
> > > **Phase 1: Completed pre-decoding.
> > >        full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> > >        hostname: '127.0.0.1'
> > >        program_name: '(null)'
> > >        log: 'Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
> >
> > Notice that in the "log:" entry part of what you highlighted has been removed. It's a transport header, and ossec generally tries to remove those from processing.
> >
> > > **Phase 2: Completed decoding.
> > >        No decoder matched.
> > >
> > > Best,
> > > Fredrik
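As an added example (my own code, not OSSEC's and not posted in this thread), the script below emulates what Dan describes and what Fredrik concludes in the two replies above: the syslog transport header is stripped before any decoder runs, so a <prematch> only ever sees the log: field that ossec-logtest prints, and a regex anchored on the full line cannot match there. It assumes the OSSEC regex classes as documented (\w, \d, \D, and \. meaning any character), a shortened copy of the event from this thread, and function and constant names of my own choosing (predecode, ossec_to_python, prematch, HEADER_REGEX, LOG_REGEX).

```python
"""Emulate OSSEC's syslog pre-decoding and a decoder <prematch> written in
OSSEC's regex dialect, applied to the remaining `log` field.  Added example,
not OSSEC's own code; the dialect translation covers only the subset of
OSSEC regex used in the thread."""
import re

# Constructed copy of the event from the thread, payload shortened.
EVENT = ("Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow "
         "src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; service: http;")

# "Mon DD HH:MM:SS host ..." transport header added by the syslog relay.
_SYSLOG_HDR = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")
# Optional "program: " or "program[pid]: " immediately after the hostname.
_PROGRAM = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ")


def predecode(event):
    """Approximation of ossec-analysisd pre-decoding for one syslog-style line."""
    hdr = _SYSLOG_HDR.match(event)
    if hdr is None:                 # not syslog-shaped: the whole line is the log
        return {"hostname": None, "program_name": None, "log": event}
    rest = event[hdr.end():]
    prog = _PROGRAM.match(rest)
    if prog is not None:
        return {"hostname": hdr["host"], "program_name": prog["prog"],
                "log": rest[prog.end():]}
    # The next token ("Jan") is not followed by ':' or '[pid]:', so
    # program_name stays null and everything after the hostname is the log,
    # which is exactly what ossec-logtest printed in the thread.
    return {"hostname": hdr["host"], "program_name": None, "log": rest}


# OSSEC regex classes as listed in the OSSEC regex syntax documentation
# (assumed subset).  Note that '\.' means "any character" and a bare '.' is a
# literal dot, the reverse of PCRE.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]", "D": r"[^0-9]",
    "s": r" ", "S": r"[^ ]",
    "t": r"\t", ".": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC-dialect regex (thread subset) into a Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_CLASSES:
            out.append(_OSSEC_CLASSES[pattern[i + 1]])
            i += 2
        elif ch in "^$+*()|":       # same meaning in both dialects
            out.append(ch)
            i += 1
        else:                       # everything else is literal in OSSEC
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def prematch(ossec_regex, event):
    """Apply a <prematch> the way the decoder does: to the log field only."""
    return re.search(ossec_to_python(ossec_regex), predecode(event)["log"]) is not None


# The thread's second attempt, written for the full line including the header.
HEADER_REGEX = r"^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n\d*"
# The same intent written for what is left after pre-decoding.
LOG_REGEX = r"^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d+ allow "

if __name__ == "__main__":
    print(predecode(EVENT))
    print("header-style prematch:", prematch(HEADER_REGEX, EVENT))   # False
    print("log-field prematch:   ", prematch(LOG_REGEX, EVENT))      # True
```

Feeding the original event to ossec-logtest and comparing its log: line with predecode(EVENT)["log"] is the quickest way to confirm the emulation before trusting it for a real decoder.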
[ossec-list] Testing integratord
I have been working on the integrator daemon (ossec-integratord) to allow OSSEC to easily integrate with external APIs to send alerts & notifications.

I have pushed it to my personal fork and I am looking for testers, and people interested to try it out to help flush out any bugs/issues.

So far, we added support for Slack & PagerDuty.

Latest code for it here:
https://bitbucket.org/dcid/ossec-hids/src/3ed5ef68d33be4c36edba32e3893d30f7bbbc4e9/src/os_integrator/?at=default

And setup instructions:
https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html

*you should be able to safely upgrade directly to: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz if that makes it easier.

Also, if you have suggestions for more integrations, let me know.

thanks!
Re: [ossec-list] Testing integratord
Thanks Daniel! I'll definitely try the integration with Slack. Cool stuff.

On Wed, Jan 27, 2016 at 10:57 AM, Daniel Cid wrote:
> I have been working on the integrator daemon (ossec-integratord) to allow OSSEC to easily integrate with external APIs to send alerts & notifications.
>
> I have pushed it to my personal fork and I am looking for testers, and people interested to try it out to help flush out any bugs/issues.
>
> So far, we added support for Slack & PagerDuty.
>
> Latest code for it here:
> https://bitbucket.org/dcid/ossec-hids/src/3ed5ef68d33be4c36edba32e3893d30f7bbbc4e9/src/os_integrator/?at=default
>
> And setup instructions:
> https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html
>
> *you should be able to safely upgrade directly to: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz if that makes it easier.
>
> Also, if you have suggestions for more integrations, let me know.
>
> thanks!
Re: [ossec-list] Testing integratord
Hi Daniel,

This is great! I don't have time right now for testing but I have a suggestion: the next step should be the integration with RT and RTIR.

Thank you for this work.

Best regards,
Alberto Mijares

On Wed, Jan 27, 2016 at 2:27 PM, Daniel Cid wrote:
> I have been working on the integrator daemon (ossec-integratord) to allow OSSEC to easily integrate with external APIs to send alerts & notifications.
>
> I have pushed it to my personal fork and I am looking for testers, and people interested to try it out to help flush out any bugs/issues.
>
> So far, we added support for Slack & PagerDuty.
>
> Latest code for it here:
> https://bitbucket.org/dcid/ossec-hids/src/3ed5ef68d33be4c36edba32e3893d30f7bbbc4e9/src/os_integrator/?at=default
>
> And setup instructions:
> https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html
>
> *you should be able to safely upgrade directly to: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz if that makes it easier.
>
> Also, if you have suggestions for more integrations, let me know.
>
> thanks!
[ossec-list] How to ignore mail alerts for Alert Logic security servers which are testing the infrastructure for vulnerabilities
Hi Team,

I have an ossec server running in my infrastructure. We have two Alert Logic servers which test our infrastructure by doing brute force attacks and all kinds of attacks, and ossec is sending a lot of mail alerts. I want to drop those alert mails if the attack is from those two servers; how can I set a rule for it?

I tried to mention those in the local rules file:

5711
ALERT_LOGIC-IPADDDR1
ALERT_LOGIC-IPADDDR2
IALERT_LOGIC-IPADDDR3
failed logins from Alert Logic server.

However, it's not working; I still get many alert emails stating multiple login failures. I have created similar alerts for 5551, 5712, 5720, but I am still getting mail alerts for rule 5551.

Is there a way I can drop the alerts if the attack is from the Alert Logic servers on my network?
Re: [ossec-list] OSSEC and Postgres Install Error
I had some time last night to work on this more. I found another library that I didn't have installed. When I installed the libpq-dev package, I was able to run the setdb and install with Postgres support.

When installing OSSEC with Postgres support, one needs to make sure this library is installed.

sudo apt-get -y install libpq-dev

-JA-

On Tuesday, January 26, 2016 at 9:24:11 AM UTC-6, dan (ddpbsd) wrote:
> On Jan 26, 2016 7:02 AM, "Jason Aleksi" wrote:
> >
> > OSSEC seems to be ignoring Postgres during the install. This is running on Ubuntu 14.04 LTS.
> >
> > I already have Postgres and postgres-client installed.
> > sudo apt-get -y install postgresql postgresql-client postgresql-contrib
> >
> > I get an error when I run setdb (notice it doesn't say anything about postgres)
> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
> > Error: MySQL client libraries not installed.
> > Error: DB libraries not installed.
> >
> > Even though I do not use/need MySQL, I installed them anyway just to test.
> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo apt-get -y install libmysqlclient-d mysql-client
> >
> > I rerun the setdb and everything looks good, but it's missing the postgres support
> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
> > Info: Compiled with MySQL support.
> > service@apps:/opt/ossec-hids-2.8.1/src$
> >
> > When I go to start OSSEC, I get an error saying OSSEC is not compiled with support for postgresql.
> > service@apps:/opt/ossec-hids-2.8.1$ sudo /var/ossec/bin/ossec-control start
> > Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
> > 2016/01/26 00:33:19 ossec-dbd(5207): ERROR: OSSEC not compiled with support for 'postgresql'.
> > 2016/01/26 00:33:19 ossec-dbd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> > ossec-dbd did not start correctly.
> > service@apps:/opt/ossec-hids-2.8.1$
> >
> > I've looked in the docs and searched the forums, but I cannot find what I am doing wrong. Suggestions?
>
> I'm not sure of the status of the postgresql support, I don't even know if it works.
> First thing I'd do is look for dev or devel packages of the packages you've installed.
[ossec-list] Re: How to ignore mail alerts for Alert Logic security servers which are testing the infrastructure for vulnerabilities
Instead of using I'd recommend using. My configuration for that kind of periodic security assessment:

6
10.32.0.9
10.32.0.8
IP address of the automatic scan - Security team
Automatic Scan IP from pentesting network whitelisted - 01.07.2015

On Wednesday, January 27, 2016 at 10:14:00 (UTC+1), narendra reddy wrote:
> Hi Team,
>
> I have an ossec server running in my infrastructure. We have two Alert Logic servers which test our infrastructure by doing brute force attacks and all kinds of attacks, and ossec is sending a lot of mail alerts. I want to drop those alert mails if the attack is from those two servers; how can I set a rule for it?
>
> I tried to mention those in the local rules file:
>
> 5711
> ALERT_LOGIC-IPADDDR1
> ALERT_LOGIC-IPADDDR2
> IALERT_LOGIC-IPADDDR3
> failed logins from Alert Logic server.
>
> However, it's not working; I still get many alert emails stating multiple login failures. I have created similar alerts for 5551, 5712, 5720, but I am still getting mail alerts for rule 5551.
>
> Is there a way I can drop the alerts if the attack is from the Alert Logic servers on my network?
[ossec-list] OSSEC MSSQL audit log
I have enabled audit on MS SQL Server 2014; logs are sent to the Windows Application log. I can see the audit logs from Event Viewer, but I'm unable to see the logs on the OSSEC server. The OSSEC agent is configured to monitor Windows Application logs.

Any help would be greatly appreciated.
[ossec-list] OSSEC MSSQL Audit log
I have enabled audit on MSSQL Server 2014 and audit logs are sent to the Windows Application Log. I can see the audit logs from Event Viewer, but I'm unable to see the audit logs from the OSSEC server. The OSSEC agent is configured to analyze the Application event log.

Any help would be greatly appreciated.
[ossec-list] decoder prematch (regex) issue
Hi All,

Been working on a regex to match highlighted part of the (event) string below:

*Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;

... but I just can't get it to match the string I'm hoping to catch. I have tried different additions to the regex below, please note that it is not complete as I have not got past this point without failure - yet ;) I would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1

^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+

I'm sure I'm missing something obvious, any hints would be greatly appreciated. One example of a string that won't work is (I have included ossec_logtest output for reference):

^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ st4600fw01n/d*

admin@lab-host99:/var/ossec/bin# ./ossec-logtest
2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
ossec-testrule: Type one log per line.

Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;

**Phase 1: Completed pre-decoding.
       full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'
       hostname: '127.0.0.1'
       program_name: '(null)'
       log: 'Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: **; matched_category: **; app_properties: **; app_risk: **; app_rule_id: **; app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network;'

**Phase 2: Completed decoding.
       No decoder matched.

Best,
Fredrik
Re: [ossec-list] OSSEC MSSQL audit log
On Jan 27, 2016 10:06 AM, "Fayax" wrote:
>
> I have enabled audit on MS SQL Server 2014, logs are sent to Windows Application log.
> I can see the audit logs from Event Viewer, but I'm unable to see the logs on OSSEC server.
> OSSEC agent is configured to monitor Windows Application logs.
>
> Any help would be greatly appreciated.
>

Turn on the logall option on the ossec server, and check to see if those logs are present in the archives.log file.
Re: [ossec-list] OSSEC and Postgres Install Error
On Jan 27, 2016 9:21 AM, "Jason Aleksi" wrote:
>
> I had some time last night to work on this more. I found another library that I didn't have installed. When I installed the libpq-dev package, I was able to run the setdb and install with Postgres support.
>
> When installing OSSEC with Postgres support, one needs to make sure this library is installed.
>
> sudo apt-get -y install libpq-dev
>

Can you open an issue at https://github.com/ossec/ossec-docs for this?

> -JA-
>
> On Tuesday, January 26, 2016 at 9:24:11 AM UTC-6, dan (ddpbsd) wrote:
> > On Jan 26, 2016 7:02 AM, "Jason Aleksi" wrote:
> > >
> > > OSSEC seems to be ignoring Postgres during the install. This is running on Ubuntu 14.04 LTS.
> > >
> > > I already have Postgres and postgres-client installed.
> > > sudo apt-get -y install postgresql postgresql-client postgresql-contrib
> > >
> > > I get an error when I run setdb (notice it doesn't say anything about postgres)
> > > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
> > > Error: MySQL client libraries not installed.
> > > Error: DB libraries not installed.
> > >
> > > Even though I do not use/need MySQL, I installed them anyway just to test.
> > > service@apps:/opt/ossec-hids-2.8.1/src$ sudo apt-get -y install libmysqlclient-d mysql-client
> > >
> > > I rerun the setdb and everything looks good, but it's missing the postgres support
> > > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
> > > Info: Compiled with MySQL support.
> > > service@apps:/opt/ossec-hids-2.8.1/src$
> > >
> > > When I go to start OSSEC, I get an error saying OSSEC is not compiled with support for postgresql.
> > > service@apps:/opt/ossec-hids-2.8.1$ sudo /var/ossec/bin/ossec-control start
> > > Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
> > > 2016/01/26 00:33:19 ossec-dbd(5207): ERROR: OSSEC not compiled with support for 'postgresql'.
> > > 2016/01/26 00:33:19 ossec-dbd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> > > ossec-dbd did not start correctly.
> > > service@apps:/opt/ossec-hids-2.8.1$
> > >
> > > I've looked in the docs and searched the forums, but I cannot find what I am doing wrong. Suggestions?
> >
> > I'm not sure of the status of the postgresql support, I don't even know if it works.
> > First thing I'd do is look for dev or devel packages of the packages you've installed.