Re: [ossec-list] Can't filter rule by IP

2016-02-18 Thread dan (ddp)
On Feb 18, 2016 5:44 PM, "Jane Doe" wrote:
>
> Hey guys!
>
> I'm trying to filter rule 18154 by not sending email alerts for certain
hosts. I've tried several ways to filter this in the local_rules.xml file.
>
> 1)
>
> 6
>
> 
>   
> 18103
>  ip_address//I've also replaced this with srcip
>  ip_address//I've also replaced this with srcip
>  no_email_alerts
> Multiple Windows error events.
>   
> 
>
> 2) I've created my own rule
>
> 6
>
> 
>   
> 18103
>  ip_address//I've also replaced this with srcip
>  ip_address//I've also replaced this with srcip
> Multiple Windows error events.
>   
> 
>
> 3)
>
> 
>   
> 18154
>  ip_address//I've also replaced this with srcip
>  ip_address//I've also replaced this with srcip
> Multiple Windows error events.
>   
> 
>
>
> Does the group name matter? Do I need to decode srcip? I have the general
idea on how to filter rules in general for all hosts, but I can't seem to
get it to work for specific hosts.
>

I think multiple matches not separated by a "|" will be ANDed together. Try
it with 1 match option.
Also, providing a log sample helps us test, and makes helping a lot easier.

> Thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



[ossec-list] Can't filter rule by IP

2016-02-18 Thread Jane Doe
Hey guys! 

I'm trying to filter rule 18154 by not sending email alerts for certain 
hosts. I've tried several ways to filter this in the local_rules.xml file.

*1) *

6  


  
18103
 *ip_address*//I've also replaced this with srcip
 *ip_address*//I've also replaced this with srcip
 no_email_alerts
Multiple Windows error events.
  


*2)* I've created my own rule

6  


  
18103
 *ip_address*//I've also replaced this with srcip
 *ip_address*//I've also replaced this with srcip
Multiple Windows error events.
  


*3) *


  
18154
 *ip_address*//I've also replaced this with srcip
 *ip_address*//I've also replaced this with srcip
Multiple Windows error events.
  



Does the group name matter? Do I need to decode srcip? I have the general 
idea on how to filter rules in general for all hosts, but I can't seem to 
get it to work for specific hosts.

Thanks!

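An added example of the arrangement the reply suggests, written for this page rather than taken from Jane's or dan's post: one source condition per rule, each rule its own child of 18154 in local_rules.xml. The rule ids, the 192.0.2.x addresses and the agent name win-app-01 are placeholders. The first two rules assume the event carries a decoded srcip; Windows event-log records forwarded by an agent usually have none, which is why the third rule keys on the reporting agent's location string instead. The option that keeps an alert out of e-mail is spelled no_email_alert (singular), which is the name the rule parser accepts.

```xml
<!-- local_rules.xml (added example; ids, addresses and agent name are placeholders) -->
<group name="local,windows,">

  <!-- One source condition per rule: a separate child of 18154 for each host to
       silence. The child only fires when 18154 would have fired, and no_email_alert
       keeps the alert out of e-mail while it is still written to alerts.log. -->
  <rule id="100100" level="6">
    <if_sid>18154</if_sid>
    <srcip>192.0.2.10</srcip>
    <options>no_email_alert</options>
    <description>Multiple Windows error events (no e-mail for 192.0.2.10).</description>
  </rule>

  <!-- Second silenced host: a sibling rule with its own id and the same parent.
       <srcip> also accepts a CIDR block such as 192.0.2.0/24. -->
  <rule id="100101" level="6">
    <if_sid>18154</if_sid>
    <srcip>192.0.2.11</srcip>
    <options>no_email_alert</options>
    <description>Multiple Windows error events (no e-mail for 192.0.2.11).</description>
  </rule>

  <!-- Agent-forwarded Windows event-log records normally have no decoded srcip, so
       <srcip> can never match them. Their location string has the form
       "(agent-name) agent-ip->WinEvtLog", so match the agent name there instead. -->
  <rule id="100102" level="6">
    <if_sid>18154</if_sid>
    <location>(win-app-01)</location>
    <options>no_email_alert</options>
    <description>Multiple Windows error events (no e-mail for agent win-app-01).</description>
  </rule>

</group>
```

Feed one of the offending events to /var/ossec/bin/ossec-logtest: Phase 3 should name one of the local ids rather than 18154. If it still reports 18154, the condition did not match, and the fields listed in Phase 2 show whether a srcip was decoded at all, which decides between the <srcip> and <location> forms.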


[ossec-list] Re: IISv7.5 decoder attempt

2016-02-18 Thread Fredrik
Hi again :)


Looking at your previous example I put this together while looking in the 
book where rule hierarchies are discussed. As an example, if I wanted to 
make an exception to web rule 31108 and say to ignore 2xx and 3xx codes 
unless a specific URL is requested (GET). I placed the below in my 
local_rules.xml, but as expected from a noob - it won't fire ;)


  
31108
access_allowed
alert_by_email
/images/logo2.png/
URL requested -- images/logo2.png
  



One more specific question, in this example what does the  and 
especially the last ',' instruct OSSEC to do?

Best regards,
Fredrik 

On Monday, February 15, 2016 at 11:58:13 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> user-created rules are defined in *local_rules.xml* and the range is from 
> 10 to 11. If you want to change the behaviour of a rule you have to 
> use the option *overwrite*. Using the *overwrite* option instructs the rule 
> engine to use the local rule definition instead of the one found in the 
> */var/ossec/rules/* directory.
>
> Example: Change message in ssh authentication. local_rules.xml:
> 
> 
> 5700
> ^Accepted|authenticated.$
> SSHD authentication success LOCAL RULES TEST.
> 
> authentication_success,pci_dss_10.2.5,
> 
> 
>
> It would be very interesting if you shared the stuff about tracking connecting 
> devices ;)
>
> Regards.
> Jesus Linares.
>
> On Sunday, February 14, 2016 at 8:26:49 PM UTC+1, Fredrik wrote:
>>
>> Good example! Definitely helpful! Thanks!
>>
>> One thing, I know I read about it somewhere, but how do I group my 
>> entries in the local_rules file to make them fire. Say for example that I 
>> would like to change the behavior of the 31008 rule with an exception? Will 
>> go back through the collection of links to see if I can figure it out :) 
>> Also, saw some interesting stuff on how to  track connecting devices (dhcp) 
>> through MAC-addresses -- obviously unrelated to IIS logs though ;)
>>
>> Best regards,
>> Fredrik
>>
>> On Thursday, February 11, 2016 at 12:25:33 AM UTC+1, Brent Morris wrote:
>>>
>>> eesh... hotkeys got away from me and I posted too fast.
>>>
>>> Sure..
>>>
>>> You can do some active response stuff on ID 400... That's fun to do!
>>>
>>> For me personally, I took a fingerprint of all the web vulnerability 
>>> scanners and made it into a CDB list.  This was from Nexpose, OpenVAS, and 
>>> I pilfered some extras from old logs...  put those all in a CDB list and 
>>> added a rule.
>>>
>>> Local_rules.xml
>>>
>>> 
>>>   31100
>>>   lists/urlblacklist
>>> Web Vulnerability Scanner Detected
>>> 
>>> ---
>>> ossec.config
>>>
>>> 
>>>   
>>>   lists/urlblacklist
>>> 
>>>
>>> then 
>>>   
>>> firewall-drop
>>> server
>>> 31100
>>> 300
>>>  
>>>
>>> ---
>>>
>>> sample content of urlblacklist (it's a long file)
>>>
>>> /bblog/xmlrpc.php -:17
>>> /scripts/root.exe -:17
>>> /msadc/msadcs.dll -:17
>>> /cgi-bin/test-cgi -:17
>>> /cgi-bin/htsearch -:17
>>> /CFIDE/adminiapi/ -:17
>>> /cgi-bin/faxquery -:17
>>> /CFIDE/scheduler/ -:17
>>> /CFIDE/websocket/ -:17
>>> /common/index.jsf -:17
>>> /cgi-bin/home.tcl -:17
>>> /bblog/xmlrpc.php -:17
>>> /cfdocs/index.htm -:17
>>>
>>> -
>>>
>>> Now you can detect and block those pesky web vulnerability scanners. 
>>> You'll have to connect the active response to your actual firewall and 
>>> configure the script accordingly.  And you'll likely have some samples of 
>>> web scanners if you have a web server connected to the net.  We get scanned 
>>> all the time...
>>>
>>> And you could block repeat 404 errors too...
>>>
>>> This isn't a complete tutorial; you'll need to read up on creating CDB 
>>> lists, and compiling them.  You'll also need to get active response 
>>> working.  And, ALWAYS test it when you're done so you can be sure you're 
>>> blocking those pesky scanners but not blocking valid traffic.  One wrong 
>>> URL in that CDB list and OSSEC suddenly turns on you and bites.  And one 
>>> wrong character on a line can be the difference between a hit and a miss.
>>>
>>> HTH!!!
>>>
>>>
>>>
>>>
>>> On Wednesday, February 10, 2016 at 3:15:49 PM UTC-8, Brent Morris wrote:

 Sure..

 You can do some active response stuff on ID 400... That's fun to do!

 For me personally, I took a fingerprint of all the web vulnerability 
 scanners and made it into a CDB list.  This was from Nexpose, OpenVAS, and 
 I pilfered some extras from old logs...  put those all in a CDB list and 
 added a rule.

 Local_rules.xml

 
   31100
   lists/urlblacklist
 Web Vulnerability Scanner Detected
 

 ossec.config

 




 On Tuesday, February 9, 2016 at 1:24:24 PM UTC-8, Fredrik wrote:
>
> Hi Brent,
>
>
> Just mentioned in post to Jesus that I have been (still am) learning 
> as I go :) Your recommendation to stick with the three fields url, 
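An added example that ties the rule shapes from this thread together: Fredrik's exception hung off 31108, and Brent's CDB list with an active response. It is not configuration from any of the posts above. The rule ids 100200 and 100210, the list path lists/urlblacklist and the two list entries are placeholders or constructed; it assumes the web access-log decoder fills the url field, which it does for Apache and IIS access logs.

```xml
<!-- local_rules.xml (added example; ids and list path are placeholders) -->
<group name="local,web,">

  <!-- Exception on top of 31108 (the level-0 rule for 2xx/3xx responses): a child
       rule that fires for one URL only and raises the level there. <url> is tested
       against the decoded url field; ^ and $ anchor it, so a path that merely
       contains /images/logo2.png does not match. Every other 2xx/3xx request still
       ends at the level-0 parent. -->
  <rule id="100200" level="6">
    <if_sid>31108</if_sid>
    <url>^/images/logo2.png$</url>
    <options>alert_by_email</options>
    <description>URL requested: /images/logo2.png</description>
    <group>access_allowed,watched_url,</group>
  </rule>

  <!-- CDB list lookup: the decoded url is the key into the compiled list.
       lookup="match_key" (the default) fires when the key is present. -->
  <rule id="100210" level="10">
    <if_sid>31100</if_sid>
    <list field="url" lookup="match_key">lists/urlblacklist</list>
    <description>Web vulnerability scanner detected (URL on CDB list).</description>
    <group>attack,</group>
  </rule>

</group>

<!-- ossec.conf: add the <list> line to the existing <rules> block, then bind rule
     100210 to the stock firewall-drop command. "local" runs the command on the agent
     that reported the event; timeout is in seconds and the drop is undone when it
     expires. -->
<ossec_config>
  <rules>
    <list>lists/urlblacklist</list>
  </rules>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100210</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- /var/ossec/lists/urlblacklist: one "key:value" per line; only the key is looked
     up, the value is free text. Compile with /var/ossec/bin/ossec-makelists after
     every edit. Two constructed entries: -->
<!--
/cgi-bin/test-cgi:probe
/CFIDE/adminiapi/:probe
-->
```

On the <group> question: the names in <group> are appended to the alert's group string as one comma-separated list, and <if_group> tests are substring matches against that string, so the trailing comma lets `access_allowed,` match the whole name rather than a longer name that starts with the same letters. To change 31108 itself instead of hanging a child off it, redefine it under the same id with overwrite="yes", as the reply in this thread describes. Run the list rule for a while without the <active-response> block first: a wrong key in the list then shows up as an alert rather than a dropped client.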

Re: [ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Daniel Cid
Yes, I use the hybrid mode quite a bit too. It basically automates the
process of installing the local + agent without having to do both
separately.

thanks,

On Thu, Feb 18, 2016 at 2:10 PM, Kat wrote:

> I use Hybrid modes for 1000s of agents and mixed managers. It allows me to
> distribute managers, and still  have centralized collection. If I lose the
> WAN, the hybrids continue to process alerts,  and once the WANs are
> restored the data resumes to the central host. They have proven to be
> extremely reliable and I have had no issues. I do run with as high as
> 20,000 agents in some cases with no issues.
>
> Cheers
> Kat
>
>
> On Thursday, February 18, 2016 at 7:36:10 AM UTC-8, James Dough wrote:
>>
>> Looking at the hybrid install type; it installs two versions of ossec,
>> that have been reduced. One server role and one agent role.
>>
>> Is the hybrid as reliable? I don't see nearly as much documentation on
>> it. Is it a safer bet to go with dual install?
>>



[ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Kat
I use Hybrid modes for 1000s of agents and mixed managers. It allows me to 
distribute managers, and still  have centralized collection. If I lose the 
WAN, the hybrids continue to process alerts,  and once the WANs are 
restored the data resumes to the central host. They have proven to be 
extremely reliable and I have had no issues. I do run with as high as 
20,000 agents in some cases with no issues.

Cheers
Kat

On Thursday, February 18, 2016 at 7:36:10 AM UTC-8, James Dough wrote:
>
> Looking at the hybrid install type; it installs two versions of ossec, 
> that have been reduced. One server role and one agent role. 
>
> Is the hybrid as reliable? I don't see nearly as much documentation on it. 
> Is it a safer bet to go with dual install?
>
>



[ossec-list] Hybrid or dual install?

2016-02-18 Thread James Dough
Looking at the hybrid install type; it installs two versions of ossec, that 
have been reduced. One server role and one agent role. 

Is the hybrid as reliable? I don't see nearly as much documentation on it. 
Is it a safer bet to go with dual install?



[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Regarding cpanel users... I don't know cpanel, but it seems to be part 
of the chkservd service (info).
 
Anyway, you can ignore them using rules.

Regards.
Jesus Linares

On Thursday, February 18, 2016 at 12:35:56 PM UTC+1, Jesus Linares wrote:
>
> Hi Maxim,
>
> First, you have to activate policy_rules: ossec.conf: 
> policy_rules.xml
>
> I guess the problem with your rule is that the decoder is not extracting 
> the field *user*.
>
> For example, if I switch from user root to homer ("root@LinMV:~# su 
> homer"), this log is generated: "Feb 18 11:23:17 LinMV su[1202]: 
> pam_unix(su:session): session opened for user homer by root(uid=0)". If you 
> use /var/ossec/bin/logtest you will see that the decoder doesn't extract 
> any field:
> Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for 
> user homer by root(uid=0)
> **Phase 2: Completed decoding.
>decoder: 'pam'
>
> So, you have 2 options: change the decoder to extract the user field, or 
> change your rules. Here is an example:
>
> local_rules.xml:
> 
> 
> authentication_success
> 00:00 am - 11:59 pm
> Successful login during non-business hours. TEST
> 
> login_time,pci_dss_10.2.5,pci_dss_10.6.1,
> 
> 
> 
>   17101
>   user homer
>   Ignore USERNAME
> 
> 
>
> In rule 12, I match with "user homer": "Feb 18 11:23:17 LinMV 
> su[1202]: pam_unix(su:session): session opened for user homer by 
> root(uid=0)". You could use the regex tag for regular expressions.
> *Remember to change the . This is an example.
>
> Output:
> Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for 
> user homer by root(uid=0)
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): 
> session opened for user homer by root(uid=0)'
>hostname: 'LinMV'
>program_name: 'su'
>log: 'pam_unix(su:session): session opened for user homer by 
> root(uid=0)'
>
>
> **Phase 2: Completed decoding.
>decoder: 'pam'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '12'
>Level: '0'
>Description: 'Ignore USERNAME'
>
> Regards.
>
>
> On Thursday, February 18, 2016 at 10:29:27 AM UTC+1, Maxim Surdu wrote:
>>
>> Hi dear community,
>>
>> I installed and configured about 10 agents, and of course I have a lot of 
>> users; some of these users are service users.
>>
>> in policy-rules.xml 
>>
>> I have the following rules:
>>
>> 
>>   
>> authentication_success
>> 4 pm -  7 am
>> Successful login during non-business hours.
>> login_time,
>>   
>>
>>   
>> authentication_success
>> weekends
>> Successful login during weekend.
>> login_day,
>>   
>>
>>
>> and I added a rule to ignore user www-data:
>>
>> 
>>   17101
>>   www-data
>>   Ignore USERNAME
>> 
>>
>> but it is not working.
>>
>> I also have a lot of users that begin with 
>> __cpanel__service__auth__ftpd**
>>
>> Some examples:
>>
>> __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
>>
>> __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
>>  
>>
>> __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
>>  
>>
>> and OSSEC mails me about these service users logging in successfully 
>> during non-business hours. I know that, but I don't need that data in my 
>> mailbox.
>>
>> How can I exclude all these service users from the policy rules?
>>
>> I appreciate your help, and a lot of respect for the developers and community!
>>
>



[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Hi Maxim,

First, you have to activate policy_rules: ossec.conf: 
policy_rules.xml

I guess the problem with your rule is that the decoder is not extracting 
the field *user*.

For example, if I switch from user root to homer ("root@LinMV:~# su 
homer"), this log is generated: "Feb 18 11:23:17 LinMV su[1202]: 
pam_unix(su:session): session opened for user homer by root(uid=0)". If you 
use /var/ossec/bin/logtest you will see that the decoder doesn't extract 
any field:
Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for 
user homer by root(uid=0)
**Phase 2: Completed decoding.
   decoder: 'pam'

So, you have 2 options: change the decoder to extract the user field, or 
change your rules. Here is an example:

local_rules.xml:


authentication_success
00:00 am - 11:59 pm
Successful login during non-business hours. TEST

login_time,pci_dss_10.2.5,pci_dss_10.6.1,



  17101
  user homer
  Ignore USERNAME



In rule 12, I match with "user homer": "Feb 18 11:23:17 LinMV su[1202]: 
pam_unix(su:session): session opened for user homer by root(uid=0)". You 
could use the regex tag for regular expressions.
*Remember to change the . This is an example.

Output:
Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for 
user homer by root(uid=0)




**Phase 1: Completed pre-decoding.
   full event: 'Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): 
session opened for user homer by root(uid=0)'
   hostname: 'LinMV'
   program_name: 'su'
   log: 'pam_unix(su:session): session opened for user homer by 
root(uid=0)'


**Phase 2: Completed decoding.
   decoder: 'pam'


**Phase 3: Completed filtering (rules).
   Rule id: '12'
   Level: '0'
   Description: 'Ignore USERNAME'

Regards.


On Thursday, February 18, 2016 at 10:29:27 AM UTC+1, Maxim Surdu wrote:
>
> Hi dear community,
>
> I installed and configured about 10 agents, and of course I have a lot of 
> users; some of these users are service users.
>
> in policy-rules.xml 
>
> I have the following rules:
>
> 
>   
> authentication_success
> 4 pm -  7 am
> Successful login during non-business hours.
> login_time,
>   
>
>   
> authentication_success
> weekends
> Successful login during weekend.
> login_day,
>   
>
>
> and I added a rule to ignore user www-data:
>
> 
>   17101
>   www-data
>   Ignore USERNAME
> 
>
> but it is not working.
>
> I also have a lot of users that begin with 
> __cpanel__service__auth__ftpd**
>
> Some examples:
>
> __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
>
> __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
>  
>
> __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
>  
>
> and OSSEC mails me about these service users logging in successfully 
> during non-business hours. I know that, but I don't need that data in my 
> mailbox.
>
> How can I exclude all these service users from the policy rules?
>
> I appreciate your help, and a lot of respect for the developers and community!
>



[ossec-list] Re: the length of time the user logged in

2016-02-18 Thread Jesus Linares
Hi Maxim,

What is the OS of your agents?

What kind of login do you want to alert on? ssh, ftp, normal login?

Regards.

On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote:
>
> Hi dear community,
>
> I installed and configured about 10 agents, and of course I have a lot of 
> users. I have logs of when they log in and log out. Can I create a rule to 
> show me the length of time the user was logged in, and have the rule send 
> me mail when they log out?
>
> I appreciate your help and a lot of respect for the developers and community!
>



[ossec-list] exclude service-users

2016-02-18 Thread Maxim Surdu
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of 
users; some of these users are service users.

in policy-rules.xml 

I have the following rules:


  
authentication_success
4 pm -  7 am
Successful login during non-business hours.
login_time,
  

  
authentication_success
weekends
Successful login during weekend.
login_day,
  


and I added a rule to ignore user www-data:


  17101
  www-data
  Ignore USERNAME


but it is not working.

I also have a lot of users that begin with 
__cpanel__service__auth__ftpd**

Some examples:
__cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
__cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
 
__cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
 

and OSSEC mails me about these service users logging in successfully during 
non-business hours. I know that, but I don't need that data in my mailbox.

How can I exclude all these service users from the policy rules?

I appreciate your help, and a lot of respect for the developers and community!

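An added example for Maxim's question and the two replies from Jesus in this thread: a local_rules.xml block that silences the policy rules for service accounts without switching the policy off for everyone else. It is not configuration from either post. Rule ids 100300-100302 are placeholders; 17101 is the non-business-hours policy rule used in the replies, and 17102 is assumed to be the weekend rule next to it (check the id in your policy_rules.xml). The first two rules match the raw log text, as the rule in the reply does, so they work even when the decoder leaves the user field empty; the third assumes a decoder that fills it.

```xml
<!-- local_rules.xml (added example; ids 100300-100302 are placeholders, 17102 is an
     assumed id for the weekend policy rule) -->
<group name="local,policy_exception,">

  <!-- A level-0 child of the policy rule becomes the final match for that event, so
       no alert and no e-mail. <match> is a plain substring test on the raw log line,
       which is why it works even when the decoder exports no user field (the pam
       case shown by the logtest output in the replies). -->
  <rule id="100300" level="0">
    <if_sid>17101, 17102</if_sid>
    <match>user www-data</match>
    <description>www-data service account login outside business hours (ignored).</description>
  </rule>

  <!-- cPanel service accounts share a fixed prefix and carry a random suffix. A
       <match> on the prefix alone would also do; <regex> is the form to use when the
       suffix shape matters. OSSEC's regex dialect is its own: \w covers A-Z, a-z,
       0-9, '_', '-' and '@', and + means one or more. -->
  <rule id="100301" level="0">
    <if_sid>17101, 17102</if_sid>
    <regex>user __cpanel__service__auth__ftpd__\w+</regex>
    <description>cPanel ftpd service account login (ignored).</description>
  </rule>

  <!-- When the decoder does fill the user field (sshd does; the pam decoder above
       does not), <user> tests that field directly. ^ and $ anchor the whole value,
       so "www-data" does not also silence a "www-data2" account the way the
       substring test in rule 100300 would. -->
  <rule id="100302" level="0">
    <if_sid>17101, 17102</if_sid>
    <user>^www-data$</user>
    <description>Service account login via decoded user field (ignored).</description>
  </rule>

</group>
```

Verify with /var/ossec/bin/ossec-logtest: for a service-account line Phase 3 should report one of the 100300-100302 ids at level 0, and for a human account it should still report 17101 at its original level. Because the exceptions key on the user rather than on the time window, the login-time policy keeps alerting for everyone else, which is the point: the noise goes, the control stays.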