Re: [ossec-list] OSSEC MSSQL Audit log

2016-01-27 Thread Santiago Bassett
If you have not done it already, try enabling the "logall" option in the ossec
manager configuration file (global section). Then check your
/var/ossec/logs/archives/archives.log and see if those are getting there.

If that is the case, then the agent is forwarding the logs but they are just
not triggering alerts. If events don't get there, there might be some
configuration issue on the agent side (you could try enabling debug for the
agent in internal_options.conf)

Best


On Wed, Jan 27, 2016 at 5:04 AM, Fayax  wrote:

> I have enabled auditing on MSSQL Server 2014 and audit logs are sent to
> Windows Application Log.
> I can see the audit logs from event viewer. But I'm unable to see the
> audit logs from OSSEC server.
> OSSEC agent is configured to analyze Application event log.
>
> Any help would be greatly appreciated.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] syscheck not working with restrict option

2016-01-27 Thread Santiago Bassett
Are you sure your config is not working?

I just tested this and it works for me:

/root

I created three test files:

root@vpc-ossec-manager:~# ls test.txt*

test.txt1  test.txt2  test.txt3

And this is what I get in my syscheck file:

root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep
test.txt

+++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73
!1453933436 /root/test.txt1

+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
!1453933436 /root/test.txt2

There is nothing for test.txt3

I am using 2.9 version (development branch)

Best

On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey 
wrote:

> If I use:
>
> <directories restrict=".php|.js">/var/www/vhosts/</directories>
>
> syscheck logs no changes to any file.
>
> If I use:
>
> <directories>/var/www/vhosts/</directories>
>
> Works fine and logs changes to any file.
>
> Am I missing something when using the *restrict *option?
>
>

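Added example (editor's code, not from the thread and not OSSEC's own): a parser for the syscheck database lines Santiago quoted above, plus a snapshot comparison that reports changes in the wording OSSEC's integrity alerts use, and a `restrict`-style path filter. Reading the first numeric field as the file size and the `+++` prefix as check flags is an assumption drawn from the sample; the "after" snapshot is constructed so that test.txt1 has been emptied (its md5/sha1 are those of the empty file) and test.txt3 has appeared.

```python
"""Parse OSSEC syscheck database lines and report what changed between two
snapshots. Added example, not OSSEC code. Line layout is taken from the
/var/ossec/queue/syscheck/syscheck sample in the thread:

    +++<size>:<perms>:<uid>:<gid>:<md5>:<sha1>!<mtime> <path>

Reading the first field as the file size is an assumption; NEW_SNAPSHOT is
constructed for the demo."""
import re
import stat
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(
    r"^[+-]{3}(?P<size>\d+):(?P<perms>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})!(?P<mtime>\d+) (?P<path>.+)$"
)

# The two entries quoted in the thread.
OLD_SNAPSHOT = """\
+++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73!1453933436 /root/test.txt1
+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83!1453933436 /root/test.txt2
"""
# Constructed: test.txt1 emptied (empty-file md5/sha1), test.txt3 created.
NEW_SNAPSHOT = """\
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709!1453940000 /root/test.txt1
+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83!1453933436 /root/test.txt2
+++7:33261:0:0:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef01234567!1453940000 /root/test.txt3
"""


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    perms: int
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a syscheck entry: {line!r}")
    g = m.groupdict()
    return Entry(g["path"], int(g["size"]), int(g["perms"]), int(g["uid"]),
                 int(g["gid"]), g["md5"], g["sha1"], int(g["mtime"]))


def perms_text(mode: int) -> str:
    """The perms field is a decimal st_mode: 33188 == 0o100644 -> '-rw-r--r--'."""
    return stat.filemode(mode)


def load_snapshot(text: str) -> Dict[str, Entry]:
    return {e.path: e for e in (parse_line(l) for l in text.splitlines() if l.strip())}


def restrict_filter(entries: Dict[str, Entry], pattern: str) -> List[str]:
    """Keep only paths matching `pattern`. This is a Python regex; the restrict
    attribute in ossec.conf uses OSSEC's own pattern syntax, so translate."""
    rx = re.compile(pattern)
    return sorted(p for p in entries if rx.search(p))


def diff_snapshots(old: Dict[str, Entry], new: Dict[str, Entry]) -> List[str]:
    """Describe changes in the wording OSSEC's integrity alerts use."""
    out = []
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a is None:
            out.append(f"New file added to the system: '{path}'")
        elif b is None:
            out.append(f"File deleted: '{path}'")
        elif a != b:
            msg = [f"Integrity checksum changed for: '{path}'"]
            if a.size != b.size:
                msg.append(f"Size changed from '{a.size}' to '{b.size}'")
            if a.perms != b.perms:
                msg.append(f"Permissions changed from '{perms_text(a.perms)}' to '{perms_text(b.perms)}'")
            if a.md5 != b.md5:
                msg += [f"Old md5sum was: '{a.md5}'", f"New md5sum is : '{b.md5}'"]
            if a.sha1 != b.sha1:
                msg += [f"Old sha1sum was: '{a.sha1}'", f"New sha1sum is : '{b.sha1}'"]
            out.append("\n".join(msg))
    return out


if __name__ == "__main__":
    for change in diff_snapshots(load_snapshot(OLD_SNAPSHOT), load_snapshot(NEW_SNAPSHOT)):
        print(change, end="\n\n")
```

Running it on a real `/var/ossec/queue/syscheck/syscheck` copy taken before and after a change is a quick way to confirm whether syscheck recorded the files you expect under a `restrict` pattern before you start doubting the alerting side.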


Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Santiago Bassett
Agree with Dan, also double check the regexes, as it looks like there are
some inconsistencies at the end. I don't think that \D+ is in the right
place.

Best

On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp)  wrote:

>
> On Jan 27, 2016 10:06 AM, "Fredrik"  wrote:
> >
> > HI All,
> >
> >
> > Been working on a regex to match highlighted part of the (event) string
> below:
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **;
> app_desc: **; app_id: 10063753; app_category: **; matched_category:
> **; app_properties: **; app_risk: **; app_rule_id: **;
> app_rule_name: **; web_client_type: Chrome; web_server_type:
> Microsoft-IIS; app_sig_id: 10063753:5; resource:
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
> Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > ... but I just can't get it to match the string I'm hoping to catch. I
> have tried different additions to the regex below, please note that it is
> not complete as I have not got past this point without failure - yet ;) I
> would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+
> >
> > I'm sure I'm missing something obvious, any hints would be greatly
> appreciated. One example of a string that won't work is (I have included
> ossec-logtest output for reference):
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+
> st4600fw01n/d*
> >
> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
> > ossec-testrule: Type one log per line.
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **;
> app_desc: **; app_id: 10063753; app_category: **; matched_category:
> **; app_properties: **; app_risk: **; app_rule_id: **;
> app_rule_name: **; web_client_type: Chrome; web_server_type:
> Microsoft-IIS; app_sig_id: 10063753:5; resource:
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
> Application Control; service: http; s_port: 58579; product_family: Network;
> >
> >
> > **Phase 1: Completed pre-decoding.
> >full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28
> st4600fw01n1 allow  tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category:
> **; matched_category: **; app_properties: **; app_risk: **;
> app_rule_id: **; app_rule_name: **; web_client_type: Chrome;
> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource:
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
> Application Control; service: http; s_port: 58579; product_family: Network;'
> >hostname: '127.0.0.1'
> >program_name: '(null)'
> >log: 'Jan 27 9:32:28 st4600fw01n1 allow  192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc:
> **; app_id: 10063753; app_category: **; matched_category: **;
> app_properties: **; app_risk: **; app_rule_id: **;
> app_rule_name: **; web_client_type: Chrome; web_server_type:
> Microsoft-IIS; app_sig_id: 10063753:5; resource:
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product:
> Application Control; service: http; s_port: 58579; product_family: Network;'
> >
>
> Notice that in the "log:" entry part of what you highlighted has been
> removed. It's a transport header, and ossec generally tries to remove those
> from processing.
>
> > **Phase 2: Completed decoding.
> >No decoder matched.
> >
> >
> > Best,
> > Fredrik
> >
>
>

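Added example (editor's code, not from the thread and not OSSEC's own): a small reimplementation of the pre-decoding step Dan describes, followed by a prematch run on what is left, to show why a regex that starts at the outer syslog header can never match. The header stripping is a simplified model of analysisd's, and both patterns are Python `re`, not the OSSEC regex dialect, so translate them when you move them into a decoder. EVENT is the line from the thread (shortened); SSHD_EVENT is constructed to show the program_name case.

```python
"""Simulate OSSEC pre-decoding and then apply a prematch to the 'log' part,
as analysisd does. Added example, not OSSEC code; the header regex is a
simplified model, and the patterns are Python re, not the OSSEC dialect."""
import re
from typing import Dict, Optional

EVENT = ("Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  src: 192.168.1.15; "
         "dst: 89.208.212.2; proto: tcp; app_id: 10063753; service: http; s_port: 58579;")
# Constructed: a line that does carry a program name and pid.
SSHD_EVENT = ("Jan 27 09:41:02 127.0.0.1 sshd[2231]: Accepted publickey for admin "
              "from 192.168.1.15 port 51202 ssh2")

# Syslog transport header: "<Mon> <day> <HH:MM:SS> <host> " then optionally "<prog>[pid]: ".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<prog>[^\s:\[]+)(?:\[\d+\])?: )?(?P<log>.*)$"
)

# What the poster tried: it expects an IP right after the time, but that IP
# belongs to the transport header, which pre-decoding has already removed.
ORIGINAL_PREMATCH = r"^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+"
# What is actually left starts at the inner timestamp.
FIXED_PREMATCH = r"^\w+ \d+ \d+:\d+:\d+ (?P<fw>\S+) (?P<action>\w+) "


def pre_decode(event: str) -> Dict[str, Optional[str]]:
    """Return the fields ossec-logtest prints under Phase 1."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"full_event": event, "hostname": None, "program_name": None, "log": event}
    return {"full_event": event, "hostname": m.group("host"),
            "program_name": m.group("prog"), "log": m.group("log")}


def prematch(pattern: str, event: str) -> Optional[Dict[str, str]]:
    """Apply a decoder prematch to the pre-decoded 'log' part, not the full event."""
    m = re.match(pattern, pre_decode(event)["log"])
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(pre_decode(EVENT))
    print(prematch(ORIGINAL_PREMATCH, EVENT))  # None
    print(prematch(FIXED_PREMATCH, EVENT))     # {'fw': 'st4600fw01n1', 'action': 'allow'}
```

The habit this encourages: always write the prematch against the `log:` line that ossec-logtest prints, never against the `full event:` line.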


[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-27 Thread ZaNN
Hola Daniel,

Yes, that was my first try. The problem was that the output of the iptables 
command was too large and the content was truncated most of the time. 
Therefore, it was triggering false positives.

Can you think of another way of performing an iptables -S check diff in real 
time? 


El miércoles, 27 de enero de 2016, 6:44:03 (UTC+1), Daniel Cid escribió:
>
> Yes, that would be an issue. Have you tried not sending the output to a 
> file and using the check_diff option on the rules itself?
>
> You could do:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>iptables -S</command>
>     <alias>iptables_status</alias>
>     <frequency>3600</frequency>
>   </localfile>
>
> And then write a rule to alert on changes:
>
>   
> 530
> ossec: output: 'iptables_status
> 
> Iptables changed
>   
>
> See if that works.
>
> thanks,
>
>
> On Monday, January 25, 2016 at 8:51:31 AM UTC-4, ZaNN wrote:
>>
>> Hi all,
>>
>> I have configured a checksum alert in real time that triggers an e-mail 
>> alert each time a file is being modified. This file is an output of an 
>> iptables command executed in all agents every hour:
>>
>>   <localfile>
>>     <log_format>full_command</log_format>
>>     <command>iptables -S > /var/ossec/active-response/iptables_diff.txt</command>
>>     <alias>iptables_status</alias>
>>     <frequency>3600</frequency>
>>   </localfile>
>>
>> The problem is that a lot of the time false positives are received because the 
>> size changed *to 0 or from 0*. Definitely not every hour. 
>>
>> Integrity checksum changed for: 
>> '/var/ossec/active-response/iptables_diff.txt'*Size changed from '1089' to 
>> '0'*
>> What changed:
>> 1,20d0
>> < -P INPUT DROP
>> < -P FORWARD DROP
>> < -P OUTPUT ACCEPT
>> < -N LOGGING
>> < -N OUTPUT-NOLOG
>> < -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
>> < -A INPUT -p icmp -j ACCEPT 
>> < -A INPUT -i lo -j ACCEPT 
>> < -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j 
>> ACCEPT 
>> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
>> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
>> < -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j 
>> OUTPUT-NOLOG 
>> < -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j 
>> OUTPUT-NOLOG 
>> < -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG 
>> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state 
>> NEW -j OUTPUT-NOLOG 
>> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state 
>> NEW -j OUTPUT-NOLOG 
>> Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
>> New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
>> Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
>> New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
>>
>>
>> Integrity checksum changed for: 
>> '/var/ossec/active-response/iptables_diff.txt'*Size changed from '0' to 
>> '1089'*
>> What changed:
>> 0a1,20
>>
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT ACCEPT
>> -N LOGGING
>> -N OUTPUT-NOLOG
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
>> -A INPUT -p icmp -j ACCEPT 
>> -A INPUT -i lo -j ACCEPT 
>>
>>
>>
>>  
>>
>>
>> I suspect that this behaviour is related to real time (inotify) and rewriting 
>> the file each time the command is executed ( > ). Is there any best practice 
>> to avoid these false 
>> positives? Maybe a delay in the real time check? 
>>
>> Thanks in advance
>>
>>
>>

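Added example (editor's code, not from the thread and not OSSEC's own): an emulation of what Daniel's `check_diff` suggestion does, keeping the last output of the command per alias in memory and, when it changes, printing the change in the `diff` normal format that the "What changed:" section above uses (the `1,20d0` and `0a1,20` headers). The point of doing it this way is that nothing ever touches a file, so the empty-file state that `iptables -S > file` produces while the shell has truncated the file but iptables has not yet written (the `d41d8cd9...` md5 in the alert is the md5 of an empty file) cannot be observed by a realtime watcher. The "before" rules are taken from the alert in the thread; the "after" rule set is constructed with one rule swapped.

```python
"""Emulate <check_diff /> on a full_command localfile. Added example, not
OSSEC code. Output mimics 'diff' normal format, which is what OSSEC shows
under "What changed:". AFTER_LINES is constructed."""
from difflib import SequenceMatcher
from typing import Dict, Optional

BEFORE_LINES = [
    "-P INPUT DROP",
    "-P FORWARD DROP",
    "-P OUTPUT ACCEPT",
    "-N LOGGING",
    "-N OUTPUT-NOLOG",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
]
# Constructed change: the SSH rule is replaced by one opening 3389 to everyone.
AFTER_LINES = BEFORE_LINES[:-1] + [
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT",
]
BEFORE = "\n".join(BEFORE_LINES) + "\n"
AFTER = "\n".join(AFTER_LINES) + "\n"


def _rng(start: int, end: int) -> str:
    """Render a 0-based half-open line range the way diff prints it: '4' or '1,20'."""
    first = start + 1
    return f"{first}" if end <= first else f"{first},{end}"


def normal_diff(old: str, new: str) -> str:
    """Classic 'diff old new' output (normal format, no context lines)."""
    a, b = old.splitlines(), new.splitlines()
    out = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag == "delete":
            out.append(f"{_rng(i1, i2)}d{j1}")
            out += [f"< {line}" for line in a[i1:i2]]
        elif tag == "insert":
            out.append(f"{i1}a{_rng(j1, j2)}")
            out += [f"> {line}" for line in b[j1:j2]]
        elif tag == "replace":
            out.append(f"{_rng(i1, i2)}c{_rng(j1, j2)}")
            out += [f"< {line}" for line in a[i1:i2]] + ["---"] + [f"> {line}" for line in b[j1:j2]]
    return "\n".join(out)


class CheckDiff:
    """State kept per <alias>; feed() returns None unless the output changed."""

    def __init__(self) -> None:
        self._last: Dict[str, str] = {}

    def feed(self, alias: str, output: str) -> Optional[str]:
        previous = self._last.get(alias)
        self._last[alias] = output
        if previous is None or previous == output:
            return None  # first run, or nothing changed: no alert
        return f"ossec: output: '{alias}' changed\nWhat changed:\n{normal_diff(previous, output)}"


if __name__ == "__main__":
    cd = CheckDiff()
    cd.feed("iptables_status", BEFORE)
    print(cd.feed("iptables_status", AFTER))
```

If you do keep writing to a file for some other consumer, write to a temporary name in the same directory and rename it over the old file, so the watcher only ever sees complete content; `>` redirection truncates first and writes second.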


Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Xavier Mertens
I'll patch my analysisd to provide srcport and dstport with a value of "0"
if the protocol is "ICMP"... I need to keep traces of such events...

/x

On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris 
wrote:

> Good catch!
>
> I think the ASA provides ports just as part of internal processing of the
> IP translation.  Perhaps they're a sequence number or provide some internal
> function for IOS.  They seem completely random.  They change to the real
> port in the logs when using TCP or UDP.  Here are the logs as seen from the
> ASA
>
> ICMP
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125
> laddr external.addr/18125(any)
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020:
> Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr
> external.addr/18126 laddr external.addr/18126(any)
> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021:
> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126
> laddr external.addr/18126(any)
>
> In the case of a TCP or UDP connection, you'd see   Built outbound TCP
> connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to
> inside:1.2.3.4/11515 (external.ip.addr/11515)
>
>
>
> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>>
>> Hi Brent,
>> I think that I found the problem! Here is an sample of my ossec-logtest
>> output:
>>
>> **Phase 2: Completed decoding.
>>decoder: 'iptables'
>>action: 'AUDIT'
>>srcip: '92.222.185.1'
>>dstip: '51.254.36.238'
>>proto: 'ICMP'
>>
>> But, while diving into the source code (in analysisd/alert/log.c):
>>
>> /* FW_Log: v0.1, 2005/12/30 */
>> int FW_Log(Eventinfo *lf)
>> {
>> /* If we don't have the srcip or the
>>  * action, there is no point in going
>>  * forward over here
>>  */
>> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>>!lf->dstport || !lf->protocol)
>> {
>> return(0);
>> }
>>
>> I don't have srcport & dstport filled in so no log! I think I'll patch
>> the code and
>>
>> I'm wondering why your ASA firewall provides ports!?
>>
>> About ossec2dshield, I wrote this tool a long time ago to share my logs
>> with DShield.org.
>> Ping me if you want details!
>>
>> /x
>>
>>
>> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris 
>> wrote:
>>
>>> Xavier,
>>>
>>> I'm collecting logs from my ASA and I do see ICMP traffic in my
>>> firewall.log -
>>>
>>> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254
>>> ->external.addr:10254
>>> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510
>>> ->external.addr:10510
>>> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766
>>> ->external.addr:10766
>>> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278
>>> ->external.addr:11278
>>>
>>> I'm not sure what the issue might be.
>>>
>>> Also, thank you for the ossec2dshield script!!!  I heard about it on the
>>> Internet Storm Center Stormcast, but it might be worth plugging to the list
>>> here too :)
>>>
>>> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:

 I'm collecting firewall logs from many Ubuntu servers (basically the
 /var/log/ufw.log).
 In this log, I can see events about TCP, UDP and ICMP traffic (allowed
 or dropped).
 But, on my OSSEC server, in my firewall.log, I don't see any event
 related to the ICMP protocol...

 /x

 On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <
 santiago...@gmail.com> wrote:

> I am afraid I don't understand the problem or question, maybe if you
> explain it a little bit more we can help better.
>
> Best
>
> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens 
> wrote:
>
>> Hi *,
>>
>> Maybe a stupid question but I'm investigating an issue and I've to
>> browse my history of firewall.log files. Problem: I find only TCP/UDP
>> events and nothing regarding ICMP packets?
>>
>> I tested via ossec-logtest and events are correctly parsed...
>>
>> I never paid attention to this in the past... :-(
>> Any idea?
>>
>> /x
>>
>>
>
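Added example (editor's code, not from the thread and not OSSEC's own): the decision taken by the FW_Log gate Xavier quoted from analysisd/alert/log.c, rendered in Python next to the relaxed variant he describes, where an ICMP event with no ports gets "0" in both port fields instead of being dropped. The event dicts, their field names and the firewall.log line layout are modelled on the ossec-logtest and firewall.log excerpts in this thread; they are assumptions, not the real analysisd structures.

```python
"""Python rendering of the FW_Log guard and of a relaxed version for ICMP.
Added example, not OSSEC code. Events are constructed from the thread."""
from typing import Dict, Optional

REQUIRED = ("action", "srcip", "dstip", "srcport", "dstport", "protocol")

# From the ufw ossec-logtest output: no ports are decoded for ICMP.
ICMP_EVENT = {"timestamp": "2016 Jan 26 12:00:50", "location": "ossec->192.168.168.168",
              "action": "AUDIT", "srcip": "92.222.185.1", "dstip": "51.254.36.238",
              "protocol": "ICMP"}
# Constructed TCP event in the same shape.
TCP_EVENT = {"timestamp": "2016 Jan 26 12:00:54", "location": "ossec->192.168.168.168",
             "action": "CLOSED", "srcip": "1.2.3.4", "srcport": "11515",
             "dstip": "137.135.12.16", "dstport": "443", "protocol": "TCP"}


def format_fw_line(ev: Dict[str, str]) -> str:
    """'<time> <location> <ACTION> <PROTO> <src>:<sport>-><dst>:<dport>' as in firewall.log."""
    return (f"{ev['timestamp']} {ev['location']} {ev['action']} {ev['protocol']} "
            f"{ev['srcip']}:{ev['srcport']}->{ev['dstip']}:{ev['dstport']}")


def fw_log_original(ev: Dict[str, str]) -> Optional[str]:
    """Same decision as the C guard: any missing field and nothing is written."""
    if any(not ev.get(field) for field in REQUIRED):
        return None
    return format_fw_line(ev)


def fw_log_patched(ev: Dict[str, str]) -> Optional[str]:
    """ICMP carries no ports, so fill in "0" before the guard instead of dropping the event."""
    ev = dict(ev)
    if ev.get("protocol", "").upper() == "ICMP":
        for field in ("srcport", "dstport"):
            if not ev.get(field):
                ev[field] = "0"
    return fw_log_original(ev)


if __name__ == "__main__":
    print(fw_log_original(ICMP_EVENT))  # None: the event never reaches firewall.log
    print(fw_log_patched(ICMP_EVENT))
    print(fw_log_patched(TCP_EVENT))
```

Note that the relaxed guard still refuses events with no action, source or destination, which is the part of the original check that actually protects the log format; only the port requirement is lifted, and only for ICMP. This also explains why the ASA logs pass: the ASA messages carry a port-like number even for ICMP, so both fields are populated by the decoder.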

Re: [ossec-list] Log file not triggering alert

2016-01-27 Thread Greg Burns
Because now the problem is we have new log files created daily. Is this 
something OSSEC is not capable of?

On Wednesday, January 27, 2016 at 10:43:52 AM UTC-5, Greg Burns wrote:
>
> That worked! I think I was not testing it properly. I used the tail -f as 
> you said and added the line with the alert. I really appreciate your help. 
>
> I have one more question. Is there any way to monitor new log files as they 
> appear? 
>
> This is the naming convention:
> BatchLog_LT_01192016203220
>
> In the config file could I put something like  ? Would that look at all 
> files with that name convention? It seems the last 6 numbers may change 
>  
> <localfile>
>   <location>C:\logs\Batch_Log_LT_%m%d%y</location>
>   <log_format>syslog</log_format>
> </localfile>
>
>
> On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
>>
>> Great, so we know OSSEC is matching against your custom rule. Next step 
>> would be to make sure the alert is showing up in 
>> /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double check you’ve 
>> restarted the manager since you made the edit to local_rules.xml. If your 
>> OSSEC manager isn’t too busy, I find the easiest way to do a live test of a 
>> rule is to tail –f the alerts.log on the server so you can watch as new 
>> logs are written to it. Then, on the agent, copy/paste your test log line 
>> into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should 
>> see it show up in the tailed alerts.log file on the manager. In that alert 
>> entry it will indicate whether an email was generated or not. The header 
>> for the alert will look something like this: “** Alert 1453814129.49577: 
>> mail  - local,syslog,”. “mail” being the keyword you’re looking for.
>>
>>  
>>
>> If you see a mail was generated, you know you are dealing with an email 
>> delivery problem and not an OSSEC detection problem.
>>
>>  
>>
>>  
>>
>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
>> Behalf Of *Greg Burns
>> *Sent:* Tuesday, January 26, 2016 8:28 AM
>> *To:* ossec-list 
>> *Subject:* Re: [ossec-list] Log file not triggering alert
>>
>>  
>>
>> Thanks for the response.
>>
>>  
>>
>> I ran log test with the following output:
>>
>>  
>>
>> ossec-testrule: Type one log per line.
>>
>>  
>>
>> 2016-01-20T17:49:19Error validating xml data against the 
>> schema on line 272
>>
>> Content of element "litleTxnId" is incomplete
>>
>>  
>>
>> **Phase 1: Completed pre-decoding.
>>
>>full event: '2016-01-20T17:49:19   Error validating xml 
>> data against the schema on line 272'
>>
>>hostname: 'kali'
>>
>>program_name: '(null)'
>>
>>log: '2016-01-20T17:49:19 Error validating xml data 
>> against the schema on line 272'
>>
>>  
>>
>> **Phase 2: Completed decoding.
>>
>>No decoder matched.
>>
>>  
>>
>> **Phase 3: Completed filtering (rules).
>>
>>Rule id: ''
>>
>>Level: '12'
>>
>>Description: 'An error was found in an order'
>>
>> **Alert to be generated.
>>
>>  
>>
>>
>> On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>>
>> Have you run your log entry through ossec-logtest on the server? This 
>> will tell you if an alert should be generated or not. It is always possible 
>> that another rule is matching first or perhaps your rule isn’t working as 
>> expected. There are a couple potential issues with your rule, but I would 
>> suggest checking ossec-logtest and reporting back before you get too far 
>> into the nitty gritty.
>>
>>  
>>
>> You can use %Y, %m, and %d in your filenames to represent the year, month 
>> and day, respectively. The file has to exist before the agent starts, 
>> otherwise it won’t be monitored. IIRC, wildcards (asterisks) do not work 
>> with the Windows agent for some strange reason.
>>
>>  
>>
>>  
>>
>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
>> Behalf Of *Greg Burns
>> *Sent:* Friday, January 22, 2016 1:08 PM
>> *To:* ossec-list 
>> *Subject:* [ossec-list] Log file not triggering alert
>>
>>  
>>
>> I wrote a rule in OSSEC to send an email alert anytime the following 
>> string appears in a log (its a flat log file with no extension):
>>
>>  
>>
>> 2016-01-20T17:49:19Error validating xml data against the 
>> schema on line 272 Content of element "litleTxnId" is incomplete 
>>
>>  
>>
>> the rule should be triggered anytime the word "error validating" appear. 
>> Below is the rule:
>>
>>  
>>
>> 
>>
>> 
>>
>>   
>>
>> error validating
>>
>> alert_by_email
>>
>> An error was found in an order
>>
>>   
>>
>>  
>>
>>  
>>
>> For testing purposes placed a log file in C:\logs and set the 
>> configuration file to look in that directory- its the fourth one down
>>
>>  
>>
>> 
>>
>>  
>>
>>   
>>
>>   
>>
>> Application
>>
>> eventlog
>>
>>   
>>
>>  
>>
>>   
>>
>> Security
>>
>> eventlog
>>
>>   
>>
>>  
>>
>>   
>>
>> System
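Added example (editor's code, not from the thread and not OSSEC's own): what a strftime-style `<location>` expands to for a given moment, and whether that can ever name files like `BatchLog_LT_01192016203220`. It assumes, as the thread says for %Y/%m/%d, that the agent expands %-placeholders in `<location>` with strftime, and it assumes the suffix is MMDDYYYYHHMMSS (19 Jan 2016, 20:32:20); the directory listing is constructed.

```python
"""Check whether a strftime-style <location> can name the daily batch logs.
Added example, not OSSEC code. Assumptions: %-placeholders are expanded
with strftime; the suffix is MMDDYYYYHHMMSS. LISTING is constructed."""
from datetime import date, datetime
from typing import List, Optional

LISTING = [
    "BatchLog_LT_01182016195902",
    "BatchLog_LT_01192016203220",
    "BatchLog_LT_01192016231007",
    "BatchLog_LT_01202016081544",
    "readme.txt",
]


def expand_location(template: str, when: datetime) -> str:
    """What a <location> with %-placeholders becomes at a given moment."""
    return when.strftime(template)


def parse_batch_suffix(name: str, prefix: str = "BatchLog_LT_") -> Optional[datetime]:
    """Recover the timestamp from BatchLog_LT_<MMDDYYYYHHMMSS>, or None if it does not fit."""
    if not name.startswith(prefix):
        return None
    try:
        return datetime.strptime(name[len(prefix):], "%m%d%Y%H%M%S")
    except ValueError:
        return None


def files_for_day(names: List[str], day: date) -> List[str]:
    """All batch logs written on `day`, oldest first: what a wildcard would have to select."""
    picked = []
    for name in names:
        ts = parse_batch_suffix(name)
        if ts is not None and ts.date() == day:
            picked.append((ts, name))
    return [name for _, name in sorted(picked)]


def location_matches(template: str, names: List[str], when: datetime) -> bool:
    """True only if the expanded <location> names an existing file in the listing."""
    return expand_location(template, when).rsplit("\\", 1)[-1] in names


if __name__ == "__main__":
    when = datetime(2016, 1, 19, 20, 32, 20)
    print(expand_location(r"C:\logs\Batch_Log_LT_%m%d%y", when))
    print(files_for_day(LISTING, when.date()))
```

Two things fall out of running it: `Batch_Log_LT_%m%d%y` expands to `Batch_Log_LT_011916`, which differs from the real names in the prefix, in the four-digit year and in the trailing time; and even a template with `%H%M%S` only names the file if the expansion happens at the exact second the batch job created it. A per-day name can be expressed with placeholders; a name that embeds an arbitrary time of day cannot, which is why the question comes down to wildcard support in the agent rather than to the date format.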
>>

Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Brent Morris
Is this worth submitting as an issue to github?

https://github.com/ossec/ossec-hids/issues


On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>
> I'll patch my analysisd to provide srcport and dstport with a value of "0" 
> if the protocol is "ICMP"... I need to keep traces of such events...
>
> /x
>
> On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris  > wrote:
>
>> Good catch!  
>>
>> I think the ASA provides ports just as part of internal processing of the 
>> IP translation.  Perhaps they're a sequence number or provide some internal 
>> function for IOS.  They seem completely random.  They change to the real 
>> port in the logs when using TCP or UDP.  Here are the logs as seen from the 
>> ASA
>>
>> ICMP
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: 
>> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 
>> laddr external.addr/18125(any)
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: 
>> Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 
>> external.addr/18126 laddr external.addr/18126(any)
>> 2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: 
>> Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 
>> laddr external.addr/18126(any)
>>
>> In the case of a TCP or UDP connection, you'd see   Built outbound 
>> TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) 
>> to inside:1.2.3.4/11515 (external.ip.addr/11515)
>>
>>
>>
>> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>>>
>>> Hi Brent,
>>> I think that I found the problem! Here is an sample of my ossec-logtest 
>>> output:
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'iptables'
>>>action: 'AUDIT'
>>>srcip: '92.222.185.1'
>>>dstip: '51.254.36.238'
>>>proto: 'ICMP'
>>>
>>> But, while diving into the source code (in analysisd/alert/log.c):
>>>
>>> /* FW_Log: v0.1, 2005/12/30 */
>>> int FW_Log(Eventinfo *lf)
>>> {
>>> /* If we don't have the srcip or the
>>>  * action, there is no point in going
>>>  * forward over here
>>>  */
>>> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>>>!lf->dstport || !lf->protocol)
>>> {
>>> return(0);
>>> }
>>>
>>> I don't have srcport & dstport filled in so no log! I think I'll patch 
>>> the code and 
>>>
>>> I'm wondering why your ASA firewall provides ports!?
>>>
>>> About ossec2dshield, I wrote this tool a long time ago to share my logs 
>>> with DShield.org.
>>> Ping me if you want details!
>>>
>>> /x
>>>
>>>
>>> On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris  
>>> wrote:
>>>
 Xavier,

 I'm collecting logs from my ASA and I do see ICMP traffic in my 
 firewall.log - 

 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 
 1.2.3.4:10254->external.addr:10254
 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 
 1.2.3.4:10510->external.addr:10510
 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 
 1.2.3.4:10766->external.addr:10766
 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 
 1.2.3.4:11278->external.addr:11278

 I'm not sure what the issue might be.  

 Also, thank you for the ossec2dshield script!!!  I heard about it on 
 the Internet Storm Center Stormcast, but it might be worth plugging to the 
 list here too :)

 On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>
> I'm collecting firewall logs from many Ubuntu servers (basically the 
> /var/log/ufw.log).
> In this log, I can see events about TCP, UDP and ICMP traffic (allowed 
> or dropped).
> But, on my OSSEC server, in my firewall.log, I don't see any event 
> related to the ICMP protocol...
>
> /x
>
> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <
> santiago...@gmail.com> wrote:
>
>> I am afraid I don't understand the problem or question, maybe if you 
>> explain it a little bit more we can help better.
>>
>> Best
>>
>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens  
>> wrote:
>>
>>> Hi *,
>>>
>>> Maybe a stupid question but I'm investigating an issue and I've to 
>>> browse my history of firewall.log files. Problem: I find only TCP/UDP 
>>> events and nothing regarding ICMP packets?
>>>
>>> I tested via ossec-logtest and events are correctly parsed... 
>>>
>>> I never paid attention to this in the past... :-(
>>> Any idea?
>>>
>>> /x
>>>

Re: [ossec-list] Log file not triggering alert

2016-01-27 Thread Greg Burns
That worked! I think I was not testing it properly. I used the tail -f as 
you said and added the line with the alert. I really appreciate your help. 

I have one more question. Is there any way to monitor new log files as they 
appear? 

This is the naming convention:
BatchLog_LT_01192016203220

In the config file could I put something like  ? Would that look at all 
files with that name convention? It seems the last 6 numbers may change 
 
 
<localfile>
  <location>C:\logs\Batch_Log_LT_%m%d%y</location>
  <log_format>syslog</log_format>
</localfile>


On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
>
> Great, so we know OSSEC is matching against your custom rule. Next step 
> would be to make sure the alert is showing up in 
> /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double check you’ve 
> restarted the manager since you made the edit to local_rules.xml. If your 
> OSSEC manager isn’t too busy, I find the easiest way to do a live test of a 
> rule is to tail –f the alerts.log on the server so you can watch as new 
> logs are written to it. Then, on the agent, copy/paste your test log line 
> into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should 
> see it show up in the tailed alerts.log file on the manager. In that alert 
> entry it will indicate whether an email was generated or not. The header 
> for the alert will look something like this: “** Alert 1453814129.49577: 
> mail  - local,syslog,”. “mail” being the keyword you’re looking for.
>
>  
>
> If you see a mail was generated, you know you are dealing with an email 
> delivery problem and not an OSSEC detection problem.
>
>  
>
>  
>
> *From:* ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] *On Behalf Of *Greg Burns
> *Sent:* Tuesday, January 26, 2016 8:28 AM
> *To:* ossec-list 
> *Subject:* Re: [ossec-list] Log file not triggering alert
>
>  
>
> Thanks for the response.
>
>  
>
> I ran log test with the following output:
>
>  
>
> ossec-testrule: Type one log per line.
>
>  
>
> 2016-01-20T17:49:19Error validating xml data against the 
> schema on line 272
>
> Content of element "litleTxnId" is incomplete
>
>  
>
> **Phase 1: Completed pre-decoding.
>
>full event: '2016-01-20T17:49:19   Error validating xml 
> data against the schema on line 272'
>
>hostname: 'kali'
>
>program_name: '(null)'
>
>log: '2016-01-20T17:49:19 Error validating xml data 
> against the schema on line 272'
>
>  
>
> **Phase 2: Completed decoding.
>
>No decoder matched.
>
>  
>
> **Phase 3: Completed filtering (rules).
>
>Rule id: ''
>
>Level: '12'
>
>Description: 'An error was found in an order'
>
> **Alert to be generated.
>
>  
>
>
> On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>
> Have you run your log entry through ossec-logtest on the server? This will 
> tell you if an alert should be generated or not. It is always possible that 
> another rule is matching first or perhaps your rule isn’t working as 
> expected. There are a couple potential issues with your rule, but I would 
> suggest checking ossec-logtest and reporting back before you get too far 
> into the nitty gritty.
>
>  
>
> You can use %Y, %m, and %d in your filenames to represent the year, month 
> and day, respectively. The file has to exist before the agent starts, 
> otherwise it won’t be monitored. IIRC, wildcards (asterisks) do not work 
> with the Windows agent for some strange reason.
>
>  
>
>  
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
> Behalf Of *Greg Burns
> *Sent:* Friday, January 22, 2016 1:08 PM
> *To:* ossec-list 
> *Subject:* [ossec-list] Log file not triggering alert
>
>  
>
> I wrote a rule in OSSEC to send an email alert anytime the following 
> string appears in a log (its a flat log file with no extension):
>
>  
>
> 2016-01-20T17:49:19Error validating xml data against the 
> schema on line 272 Content of element "litleTxnId" is incomplete 
>
>  
>
> the rule should be triggered anytime the word "error validating" appear. 
> Below is the rule:
>
>  
>
> 
>
> 
>
>   
>
> error validating
>
> alert_by_email
>
> An error was found in an order
>
>   
>
>  
>
>  
>
> For testing purposes placed a log file in C:\logs and set the 
> configuration file to look in that directory- its the fourth one down
>
>  
>
> 
>
>  
>
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>C:\logs\BatchLog_LT_01192016203220</location>
>     <log_format>syslog</log_format>
>   </localfile>
>
>
> However it does not seem to be working. When I go in and restart the agent 
> it appears to successfully analyze the logs except it does not trigger an 
> alert. below is the ossec.log after restarting:
>
>  
>
> 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
>
>  
>

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Thanks Dan! I obviously didn't realize that this was the case :( This means 
that I should create a regex that takes the missing entry part into account 
and hence matches: Jan 27 9:32:28 st4600fw01n1, not the full string I 
was aiming for? This would then explain the, from my point of view, 
somewhat erratic behavior where things matched that I believed wouldn't ;)  

Best,
Fredrik 

On Wednesday, January 27, 2016 at 4:09:38 PM UTC+1, dan (ddpbsd) wrote:
>
>
> On Jan 27, 2016 10:06 AM, "Fredrik"  
> wrote:
> >
> > HI All,
> >
> >
> > Been working on a regex to match highlighted part of the (event) string 
> below:
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; 
> app_desc: **; app_id: 10063753; app_category: **; matched_category: 
> **; app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
> Application Control; service: http; s_port: 58579; product_family: Network;
> >
> > ... but I just can't get it to match the string I'm hoping to catch. I 
> have tried different additions to the regex below, please note that it is 
> not complete as I have not got past this point without failure - yet ;) I 
> would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+ 
> >
> > I'm sure I'm missing something obvious; any hints would be greatly 
> appreciated. One example of a string that won't work is (I have included 
> ossec_logtest output for reference):
> >
> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ 
> st4600fw01n/d*
> >
> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
> > ossec-testrule: Type one log per line.
> >
> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; 
> app_desc: **; app_id: 10063753; app_category: **; matched_category: 
> **; app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
> Application Control; service: http; s_port: 58579; product_family: Network;
> >
> >
> > **Phase 1: Completed pre-decoding.
> >full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 
> st4600fw01n1 allow  tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: 
> **; matched_category: **; app_properties: **; app_risk: **; 
> app_rule_id: **; app_rule_name: **; web_client_type: Chrome; 
> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
> Application Control; service: http; s_port: 58579; product_family: Network;'
> >hostname: '127.0.0.1'
> >program_name: '(null)'
> >log: 'Jan 27 9:32:28 st4600fw01n1 allow  192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: 
> **; app_id: 10063753; app_category: **; matched_category: **; 
> app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
> Application Control; service: http; s_port: 58579; product_family: Network;'
> >
>
> Notice that in the "log:" entry part of what you highlighted has been 
> removed. It's a transport header, and ossec generally tries to remove those 
> from processing.
>
> > **Phase 2: Completed decoding.
> >No decoder matched.
> >
> >
> > Best,
> > Fredrik 
> >
>



Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Hi Santiago!


Thanks for your input. As you pointed out, the \D+ is out of place, and I 
couldn't figure out why that would match whereas the latter regex, which I 
believed to be more complete, wouldn't. With input from Dan and yourself, I 
realize that OSSEC is offering a helping hand in stripping the transport 
header. If I got this right, I should match against what logtest outputs 
after "log:" and not the full string?

Best regards,
Fredrik 

On Thursday, January 28, 2016 at 12:12:53 AM UTC+1, Santiago Bassett wrote:
>
> Agree with Dan, also double check the regexes, as it looks like there are 
> some inconsistencies at the end. I don't think that \D+ is in the right 
> place.
>
> Best
>
> On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp)  > wrote:
>
>>
>> On Jan 27, 2016 10:06 AM, "Fredrik"  
>> wrote:
>> >
>> > HI All,
>> >
>> >
>> > Been working on a regex to match the highlighted part of the (event) string 
>> below:
>> >
>> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow > src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; 
>> app_desc: **; app_id: 10063753; app_category: **; matched_category: 
>> **; app_properties: **; app_risk: **; app_rule_id: **; 
>> app_rule_name: **; web_client_type: Chrome; web_server_type: 
>> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;
>> >
>> > ... but I just can't get it to match the string I'm hoping to catch. I 
>> have tried different additions to the regex below, please note that it is 
>> not complete as I have not got past this point without failure - yet ;) I 
>> would like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
>> >
>> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+ 
>> >
>> > I'm sure I'm missing something obvious; any hints would be greatly 
>> appreciated. One example of a string that won't work is (I have included 
>> ossec_logtest output for reference):
>> >
>> > ^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ 
>> st4600fw01n/d*
>> >
>> > admin@lab-host99:/var/ossec/bin# ./ossec-logtest
>> > 2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
>> > 2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
>> > ossec-testrule: Type one log per line.
>> >
>> > Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow > src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; 
>> app_desc: **; app_id: 10063753; app_category: **; matched_category: 
>> **; app_properties: **; app_risk: **; app_rule_id: **; 
>> app_rule_name: **; web_client_type: Chrome; web_server_type: 
>> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 
>> st4600fw01n1 allow > tcp; appi_name: **; app_desc: **; app_id: 10063753; app_category: 
>> **; matched_category: **; app_properties: **; app_risk: **; 
>> app_rule_id: **; app_rule_name: **; web_client_type: Chrome; 
>> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;'
>> >hostname: '127.0.0.1'
>> >program_name: '(null)'
>> >log: 'Jan 27 9:32:28 st4600fw01n1 allow > 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: 
>> **; app_id: 10063753; app_category: **; matched_category: **; 
>> app_properties: **; app_risk: **; app_rule_id: **; 
>> app_rule_name: **; web_client_type: Chrome; web_server_type: 
>> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
>> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
>> Application Control; service: http; s_port: 58579; product_family: Network;'
>> >
>>
>> Notice that in the "log:" entry part of what you highlighted has been 
>> removed. It's a transport header, and ossec generally tries to remove those 
>> from processing.
>>
>> > **Phase 2: Completed decoding.
>> >No decoder matched.
>> >
>> >
>> > Best,
>> > Fredrik 
>> >
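
The pre-decoding step Dan describes, reproduced here as an added example in Python (it is not OSSEC's code and not Fredrik's decoder): it strips the syslog relay header the way Phase 1 of ossec-logtest does, translates OSSEC regex syntax into Python's (per the classes listed in the OSSEC regex documentation: \. is any character, \w also covers @, _ and -, a bare dot is literal), and then tries a decoder prematch against the "log:" part only, which is what Phase 2 sees. The sample event is constructed from the thread's line with most fields trimmed; FULL_LINE_PREMATCH, LOG_PART_PREMATCH, FIELD_REGEX and FIELD_ORDER are assumptions of this example, and the translation approximates os_regex rather than reproducing it.

```python
"""Simulate what ossec-logtest does with a decoder: pre-decode the syslog
transport header (Phase 1), then apply <prematch>/<regex> to the 'log' part
(Phase 2). Added example, not OSSEC's own code; the OSSEC->Python regex
translation follows the classes in the OSSEC regex docs but approximates
os_regex, so confirm results with /var/ossec/bin/ossec-logtest."""
import re

# Constructed sample modelled on the thread's event (fields trimmed): a syslog
# relay header "Jan 27 09:41:01 127.0.0.1" precedes the firewall's own header.
SAMPLE_EVENT = (
    "Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow src: 192.168.1.15; "
    "dst: 89.208.212.2; proto: tcp; service: http; s_port: 58579; product_family: Network;"
)

# OSSEC regex classes -> Python re.  \. is ANY character; \w also covers @ _ -
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",           "D": r"[^0-9]",
    "s": r" ",               "S": r"[^ ]",
    "t": r"\t",              "p": r"[()*+,\-.:;<=>?\[\]]",
    ".": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> string into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \( etc. stay literal
            i += 2
            continue
        # ^ $ ( ) | + * keep their meaning; everything else, a bare '.' included, is literal
        out.append(c if c in "^$()|+*" else re.escape(c))
        i += 1
    return "".join(out)


def matches(ossec_regex, text):
    """True when the OSSEC-style regex matches somewhere in text."""
    return re.search(ossec_to_python(ossec_regex), text) is not None


# Simplified syslog pre-decoding: "Mon DD HH:MM:SS hostname [prog[pid]:] log".
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2} (\S+) (.*)$")
PROGRAM_NAME = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: (.*)$")


def predecode(event):
    """Return hostname / program_name / log as Phase 1 of ossec-logtest prints them."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    hostname, rest = m.groups()
    pm = PROGRAM_NAME.match(rest)
    if pm:
        return {"hostname": hostname, "program_name": pm.group(1), "log": pm.group(2)}
    return {"hostname": hostname, "program_name": None, "log": rest}


def decode(event, prematch, regex=None, order=()):
    """Phase 2: the prematch is tried against the 'log' part only. On success the
    <regex> groups are stored under the <order> names; None means 'No decoder matched'."""
    pre = predecode(event)
    if not matches(prematch, pre["log"]):
        return None
    fields = {"hostname": pre["hostname"], "program_name": pre["program_name"]}
    if regex:
        m = re.search(ossec_to_python(regex), pre["log"])
        if m:
            fields.update(zip(order, m.groups()))
    return fields


# Prematch written against the FULL line, relay header included (the approach in
# the thread, with the day field added so that it really does match the raw line).
FULL_LINE_PREMATCH = r"^\w+ \d+ \d+:\d+:\d+ \d+.\d+.\d+.\d+ \w+ \d+ \d+:\d+:\d+ st4600fw01n\d+"
# Prematch written against what survives pre-decoding, i.e. the 'log:' part.
LOG_PART_PREMATCH = r"^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d+ \w+ src: "
# Hypothetical <regex>/<order> pair for the same decoder.
FIELD_REGEX = r"src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); proto: (\w+);"
FIELD_ORDER = ("srcip", "dstip", "protocol")

if __name__ == "__main__":
    print("Phase 1:", predecode(SAMPLE_EVENT))
    print("raw line matches full-line prematch:", matches(FULL_LINE_PREMATCH, SAMPLE_EVENT))
    print("decoder with full-line prematch:", decode(SAMPLE_EVENT, FULL_LINE_PREMATCH))
    print("decoder with log-part prematch:",
          decode(SAMPLE_EVENT, LOG_PART_PREMATCH, FIELD_REGEX, FIELD_ORDER))
```

The full-line prematch does match the raw line, yet the decoder returns nothing with it, because the decoder is only ever handed the text after "Jan 27 09:41:01 127.0.0.1": that is the "No decoder matched" in the post. The log-part prematch, FIELD_REGEX and FIELD_ORDER would go into a decoder's <prematch>, <regex> and <order> respectively. Since os_regex is neither PCRE nor Python's re, verify the final decoder with ossec-logtest rather than with this script alone.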

[ossec-list] Testing integratord

2016-01-27 Thread Daniel Cid
I have been working on the integrator daemon (ossec-integratord) to allow
OSSEC
to easily integrate with external APIs to send alerts & notifications.

I have pushed it to my personal fork and I am looking for testers, and
people interested to try it out to help flush out any bugs/issues.

So far, we added support for Slack & PagerDuty.

Latest code for it here:
https://bitbucket.org/dcid/ossec-hids/src/3ed5ef68d33be4c36edba32e3893d30f7bbbc4e9/src/os_integrator/?at=default

And setup instructions:
https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html

*you should be able to safely upgrade directly to:
https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz if that makes it
easier.


Also, if you have suggestions for more integrations, let me know.

thanks!



Re: [ossec-list] Testing integratord

2016-01-27 Thread Santiago Bassett
Thanks Daniel! I'll definitely try the integration with Slack. Cool stuff.

On Wed, Jan 27, 2016 at 10:57 AM, Daniel Cid  wrote:

> I have been working on the integrator daemon (ossec-integratord) to allow
> OSSEC
> to easily integrate with external APIs to send alerts & notifications.
>
> I have pushed it to my personal fork and I am looking for testers, and
> people interested to try it out to help flush out any bugs/issues.
>
> So far, we added support for Slack & PagerDuty.
>
> Latest code for it here:
>
> https://bitbucket.org/dcid/ossec-hids/src/3ed5ef68d33be4c36edba32e3893d30f7bbbc4e9/src/os_integrator/?at=default
>
> And setup instructions:
>
> https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html
>
> *you should be able to safely upgrade directly to:
> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz if that makes it
> easier.
>
>
> Also, if you have suggestions for more integrations, let me know.
>
> thanks!
>
>



Re: [ossec-list] Testing integratord

2016-01-27 Thread Alberto Mijares
Hi Daniel,

This is great! I don't have time right now for testing but I have a
suggestion: the next step should be the integration with RT and RTIR.

Thank you for this work.

Best regards,


Alberto Mijares



On Wed, Jan 27, 2016 at 2:27 PM, Daniel Cid  wrote:
> I have been working on the integrator daemon (ossec-integratord) to allow
> OSSEC
> to easily integrate with external APIs to send alerts & notifications.
>
> I have pushed it to my personal fork and I am looking for testers, and
> people interested to try it out to help flush out any bugs/issues.
>
> So far, we added support for Slack & PagerDuty.
>
> Latest code for it here:
> https://bitbucket.org/dcid/ossec-hids/src/3ed5ef68d33be4c36edba32e3893d30f7bbbc4e9/src/os_integrator/?at=default
>
> And setup instructions:
> https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html
>
> *you should be able to safely upgrade directly to:
> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz if that makes it
> easier.
>
>
> Also, if you have suggestions for more integrations, let me know.
>
> thanks!
>



[ossec-list] How to ignore mail alerts for Alert Logic security servers which are testing the infrastructure for vulnerabilities

2016-01-27 Thread narendra reddy
Hi Team, 

I have an ossec server running in my infrastructure. We have two Alert Logic 
servers which test our infrastructure by doing brute-force attacks and all 
kinds of attacks, and ossec is sending a lot of mail alerts. I want to drop 
those alert mails if the attack is from those two servers; how can I set a 
rule for it?

I tried to mention those  in the local rules file:

 
5711
ALERT_LOGIC-IPADDDR1
ALERT_LOGIC-IPADDDR2
IALERT_LOGIC-IPADDDR3
failed logins from Alert Logic server.
  

However, it's not working; I still get many alert emails stating multiple 
login failures. I have created similar alerts for 5551, 5712 and 5720, but I 
am still getting mail alerts for rule 5551.

Is there a way where I can drop the alerts if the attack is from Alertlogic 
servers on my network?



Re: [ossec-list] OSSEC and Postgres Install Error

2016-01-27 Thread Jason Aleksi
I had some time last night to work on this more.  I found another library 
that I didn't have installed.  When I installed the libpq-dev package, I 
was able to run the setdb and install with Postgres support.

When installing OSSEC with Postgres support, one needs to make sure this 
library is installed.

sudo apt-get -y install libpq-dev

-JA-


On Tuesday, January 26, 2016 at 9:24:11 AM UTC-6, dan (ddpbsd) wrote:
>
>
> On Jan 26, 2016 7:02 AM, "Jason Aleksi"  
> wrote:
> >
> > OSSEC seems to be ignoring Postgres during the install.  This is running 
> on Ubuntu 14.04 LTS.
> >
> > I already have Postgres and postgres-client installed.
> > sudo apt-get -y install postgresql postgresql-client postgresql-contrib
> >
> > I get an error when I run setdb (notice it doesn't say anything about 
> postgres)
> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
> > Error: MySQL client libraries not installed.
> > Error: DB libraries not installed.
> >
> > Even though I do not use/need MySQL, I installed them anyway just to 
> test.
> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo apt-get -y install 
> libmysqlclient-d  mysql-client
> >
> > I rerun the setdb and everything looks good, but it's missing the 
> postgres support
> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
> > Info: Compiled with MySQL support.
> > service@apps:/opt/ossec-hids-2.8.1/src$ 
> >
> > When I go to start OSSEC, I get an error saying OSSEC is not compiled 
> with support for postgresql.
> > service@apps:/opt/ossec-hids-2.8.1$ sudo /var/ossec/bin/ossec-control 
> start
> > Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
> > 2016/01/26 00:33:19 ossec-dbd(5207): ERROR: OSSEC not compiled with 
> support for  'postgresql'.
> > 2016/01/26 00:33:19 ossec-dbd(1202): ERROR: Configuration error at 
> '/var/ossec/e 
> tc/ossec.conf'. Exiting.
> > ossec-dbd did not start correctly.
> > service@apps:/opt/ossec-hids-2.8.1$
> >
> >
> > I've looked in the docs and search the forums, but I cannot find what am 
> I doing wrong.  Suggestions?  
> >
>
> I'm not sure of the status of the postgresql support, I don't even know if 
> it works.
> First thing I'd do is look for dev or devel packages of the packages 
> you've installed. 
>
>



[ossec-list] Re: How to ignore mail alerts for Alert Logic security servers which are testing the infrastructure for vulnerabilities

2016-01-27 Thread ZaNN
Instead of using  I'd recommend using  

My configuration for that kind of periodic security assessment:


  
6
10.32.0.9
10.32.0.8
IP address of the automatic scan - Security 
team
Automatic Scan IP from pentesting network whitelisted 
- 01.07.2015
  


On Wednesday, January 27, 2016 at 10:14:00 AM UTC+1, narendra reddy 
wrote:
>
> Hi Team, 
>
> I have an ossec server running in my infrastructure. We have two Alert Logic 
> servers which test our infrastructure by doing brute-force attacks and all 
> kinds of attacks, and ossec is sending a lot of mail alerts. I want to drop 
> those alert mails if the attack is from those two servers; how can I set a 
> rule for it?
>
> I tried to mention those  in the local rules file:
>
>  
> 5711
> ALERT_LOGIC-IPADDDR1
> ALERT_LOGIC-IPADDDR2
> IALERT_LOGIC-IPADDDR3
> failed logins from Alert Logic server.
>   
>
> However, it's not working; I still get many alert emails stating multiple 
> login failures. I have created similar alerts for 5551, 5712 and 5720, but I 
> am still getting mail alerts for rule 5551.
>
> Is there a way where I can drop the alerts if the attack is from 
> Alertlogic servers on my network?
>
>

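
The mechanism ZaNN's rule above relies on, as an added example in Python (not OSSEC code, and not a reconstruction of the tag names the archive stripped from either post): a child rule that names its parent in <if_sid>, restricts itself with <srcip> entries (single hosts or CIDR ranges) and carries level 0 takes the parent's place for events from those sources, and a level-0 event is neither logged nor mailed. Rule id 100100, the addresses, the thresholds and the description strings are assumptions of this example; frequency-based composite rules such as 5712, 5720 and 5551 from the question are not modelled.

```python
"""Model of the OSSEC rule chaining behind a srcip whitelist rule: a level-0
child rule carrying <if_sid> and <srcip> replaces its parent for the listed
addresses, so the manager neither logs nor mails those events. Added example,
not OSSEC code; rule id 100100, the addresses and the thresholds are
assumptions, and composite (frequency) rules are not modelled."""
import ipaddress

# Constructed rule set. 5711 is OSSEC's "SSHD authentication failed" rule;
# 100100 is the local override (id, level and addresses chosen for this example).
RULES = [
    {"id": 5711, "level": 5, "if_sid": None, "srcip": [],
     "description": "SSHD authentication failed."},
    {"id": 100100, "level": 0, "if_sid": 5711,
     "srcip": ["10.32.0.9", "10.32.0.8", "192.0.2.0/24"],  # hosts or CIDR, as <srcip> accepts
     "description": "Failed logins from the authorised scanner hosts (ignored)."},
]

LOG_ALERT_LEVEL = 1    # ossec.conf <alerts><log_alert_level> default
EMAIL_ALERT_LEVEL = 7  # ossec.conf <alerts><email_alert_level> default


def srcip_matches(patterns, srcip):
    """Any <srcip> entry (single host or CIDR network) containing srcip is a hit."""
    addr = ipaddress.ip_address(srcip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)


def final_rule(matched_id, srcip):
    """After a rule matches, its <if_sid> children are tried in order; the first
    child whose conditions hold becomes the event's rule, and its own children
    are tried next. Without a matching child the parent stands."""
    rule = next(r for r in RULES if r["id"] == matched_id)
    for child in RULES:
        if child["if_sid"] != rule["id"]:
            continue
        if child["srcip"] and not srcip_matches(child["srcip"], srcip):
            continue
        return final_rule(child["id"], srcip)
    return rule


def disposition(matched_id, srcip, email_level=EMAIL_ALERT_LEVEL, log_level=LOG_ALERT_LEVEL):
    """'email', 'log' or 'ignore' for an event first matched by rule matched_id."""
    level = final_rule(matched_id, srcip)["level"]
    if level >= email_level:
        return "email"
    if level >= log_level:
        return "log"
    return "ignore"


if __name__ == "__main__":
    for ip in ("10.32.0.9", "192.0.2.40", "203.0.113.7"):
        rule = final_rule(5711, ip)
        print(f"{ip:>12} -> rule {rule['id']} level {rule['level']}: {disposition(5711, ip)}")
```

In local_rules.xml the override is a <rule> with level="0", an <if_sid> naming the parent, one <srcip> per scanner address or range and a <description>; the parent must be the rule that actually produced the alert, which is why a whitelist hung under one rule does nothing for mails raised by a different one.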


[ossec-list] OSSEC MSSQL audit log

2016-01-27 Thread Fayax
I have enabled audit on MS SQL Server 2014, logs are sent to Windows 
Application log.
I can see the audit logs from Event Viewer, but I'm unable to see the logs 
on OSSEC server.
OSSEC agent is configured to monitor Windows Application logs.

Any help would be greatly appreciated.



[ossec-list] OSSEC MSSQL Audit log

2016-01-27 Thread Fayax
I have enabled audit on MSSQL Server 2014 and audit logs are sent to 
Windows Application Log.
I can see the audit logs from event viewer. But I'm unable to see the audit 
logs from OSSEC server.
OSSEC agent is configured to analyze Application event log.

Any help would be greatly appreciated.




[ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
HI All,


Been working on a regex to match the highlighted part of the (event) string 
below:

*Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;

... but I just can't get it to match the string I'm hoping to catch. I have 
tried different additions to the regex below, please note that it is not 
complete as I have not got past this point without failure - yet ;) I would 
like to match Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 

^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \D+ 

I'm sure I'm missing something obvious; any hints would be greatly 
appreciated. One example of a string that won't work is (I have included 
ossec_logtest output for reference):

^\w+ \d+ \d+:\d+:\d+ \w+\.\w+\.\w+\.\w+ \w+ \d+:\d+:\d+ 
st4600fw01n/d*

admin@lab-host99:/var/ossec/bin# ./ossec-logtest
2016/01/27 14:13:53 ossec-testrule: INFO: Reading local decoder file.
2016/01/27 14:13:53 ossec-testrule: INFO: Started (pid: 22710).
ossec-testrule: Type one log per line.

Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;


**Phase 1: Completed pre-decoding.
   full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;'
   hostname: '127.0.0.1'
   program_name: '(null)'
   log: 'Jan 27 9:32:28 st4600fw01n1 allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;'

**Phase 2: Completed decoding.
   No decoder matched.


Best,
Fredrik 



Re: [ossec-list] OSSEC MSSQL audit log

2016-01-27 Thread dan (ddp)
On Jan 27, 2016 10:06 AM, "Fayax"  wrote:
>
> I have enabled audit on MS SQL Server 2014, logs are sent to Windows
Application log.
> I can see the audit logs from Event Viewer, but I'm unable to see the
logs on OSSEC server.
> OSSEC agent is configured to monitor Windows Application logs.
>
> Any help would be greatly appreciated.
>

Turn on the logall option on the ossec server, and check to see if those
logs are present in the archives.log file.




Re: [ossec-list] OSSEC and Postgres Install Error

2016-01-27 Thread dan (ddp)
On Jan 27, 2016 9:21 AM, "Jason Aleksi"  wrote:
>
> I had some time last night to work on this more.  I found another library
that I didn't have installed.  When I installed the libpq-dev package, I
was able to run the setdb and install with Postgres support.
>
> When installing OSSEC with Postgres support, one needs to make sure this
library is installed.
>
> sudo apt-get -y install libpq-dev
>

Can you open an issue at https://github.com/ossec/ossec-docs for this?

> -JA-
>
>
> On Tuesday, January 26, 2016 at 9:24:11 AM UTC-6, dan (ddpbsd) wrote:
>>
>>
>> On Jan 26, 2016 7:02 AM, "Jason Aleksi"  wrote:
>> >
>> > OSSEC seems to be ignoring Postgres during the install.  This is
running on Ubuntu 14.04 LTS.
>> >
>> > I already have Postgres and postgres-client installed.
>> > sudo apt-get -y install postgresql postgresql-client postgresql-contrib
>> >
>> > I get an error when I run setdb (notice it doesn't say anything about
postgres)
>> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
>> > Error: MySQL client libraries not installed.
>> > Error: DB libraries not installed.
>> >
>> > Even though I do not use/need MySQL, I installed them anyway just to
test.
>> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo apt-get -y install
libmysqlclient-d  mysql-client
>> >
>> > I rerun the setdb and everything looks good, but it's missing the
postgres support
>> > service@apps:/opt/ossec-hids-2.8.1/src$ sudo make setdb
>> > Info: Compiled with MySQL support.
>> > service@apps:/opt/ossec-hids-2.8.1/src$
>> >
>> > When I go to start OSSEC, I get an error saying OSSEC is not compiled
with support for postgresql.
>> > service@apps:/opt/ossec-hids-2.8.1$ sudo /var/ossec/bin/ossec-control
start
>> > Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
>> > 2016/01/26 00:33:19 ossec-dbd(5207): ERROR: OSSEC not compiled with
support for  'postgresql'.
>> > 2016/01/26 00:33:19 ossec-dbd(1202): ERROR: Configuration error at
'/var/ossec/e
tc/ossec.conf'. Exiting.
>> > ossec-dbd did not start correctly.
>> > service@apps:/opt/ossec-hids-2.8.1$
>> >
>> >
>> > I've looked in the docs and search the forums, but I cannot find what
am I doing wrong.  Suggestions?
>> >
>>
>> I'm not sure of the status of the postgresql support, I don't even know
if it works.
>> First thing I'd do is look for dev or devel packages of the packages
you've installed.
>>
