[ossec-list] Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-25 Thread Barry Kaplan
I am trying to harden up our instances, but I find that after applying 
these controls the agent can no longer contact the agent via UDP.

I'm still trying to figure out exactly which bit is to blame. Has anybody 
else used the CIS controls on the same instance as OSSEC?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Syscheck Database names?

2016-02-25 Thread Santiago Bassett
.(agent_name) agent_ip->syscheck.cpt

If I remember it correctly this is a hidden file that OSSEC uses to
identify when it has finished writing into the syscheck database file.

"cpt" file extension stands for completed, meaning that syscheck scan has
finished.

This is off the top of my head, so I might be wrong (although I don't think by
far).

On Thu, Feb 25, 2016 at 11:18 AM, dan (ddp)  wrote:

> On Thu, Feb 25, 2016 at 6:28 AM, Joao T.  wrote:
> > Hi team,
> >
> > Agents are named like '(agent_name) agent_ip->syscheck', right?
> >
> > Sometimes I come across these files in my syscheck folder:
> >
> >> (agent_name) agent_ip->syscheck-registry
>
> This is for the registry checks. Sometimes ossec makes it for
> non-windows systems. I don't know why.
>
> >> .(agent_name) agent_ip->syscheck.cpt
> >
>
> Not sure what this is off hand.
>
> >
> > What are they exactly? Are they just internal temporary files? Should I
> > ignore them?
> >
> > And could someone confirm what name the syscheck database for
> > the server (or manager) should have?
> >
>
> Mine is called "syscheck" (/var/ossec/queue/syscheck/syscheck).
>
> > Thanks team!
> >
> >


Re: [ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Santiago Bassett
Agree with Daniel. Just want to add another clarification:

When you choose server profile, it will install the OSSEC manager and agent
components, meaning that you can also monitor your local system. No need to
choose hybrid mode unless you plan to forward data to another OSSEC manager.

On Thu, Feb 25, 2016 at 10:54 AM, Daniel Cid  wrote:

> I personally use it mostly on very busy servers to limit the amount of
> events being sent by the agent
> to the manager.
>
> Say a very busy web server that generates thousands of logs per second.
> Instead of sending all events centrally, I use the hybrid mode to do the
> initial analysis locally and only send the real alerts centrally (which is
> just a few per minute).
>
> thanks,
>
> On Thu, Feb 25, 2016 at 1:33 PM, Manoveg Saxena  wrote:
>
>> Hi,
>>
>> I am not able to understand when I should use hybrid mode.
>>
>> I have one server and 4 agents.
>> My server also has many applications and a web server which I want to
>> monitor, along with the web servers and other applications on agents.
>> Therefore should I go for
>> 1)  hybrid on server and agent on other servers
>> 2)  or server and agent setup
>>
>> Thanks,
>> Manoveg
>>


Re: [ossec-list] Server not responding to agent messages (1218/4101)

2016-02-25 Thread dan (ddp)
On Feb 25, 2016 9:27 PM, "James Stallard"  wrote:
>
> All:
>
> 1st time on board, and I know this sounds like a rookie question, but...I
> did have ossec running ok in another AWS environment; now with the upgrade to
> 2.7-2.8.2 in a new env, I am having problems
>
> I've just installed 2.8.3 agent & server on CentOS 6.7 (market place
> version, hardened).
> Configured keys on both via manage_agent & restarted.

Make sure the IP the manager sees the packets coming from is the IP that
was added in manage_agents.
> I know I have UDP connectivity since I have tcpdump -v -o eth0 1514
> running on server and receive this from client:
> tpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
>   ip-10-.ec2.internal.51508 >
> ip-.ec2.internal.fujitsu-dtcns: UDP, length 73
> ...

Does the server respond?

> These messages correspond with the "Waiting for server to reply..."
> messages sent by the client below.
>
> These errors on client:
> 016/02/25 21:16:02 ossec-agentd: INFO: Using IPv4 for: 1 .
> 016/02/25 21:16:12 ossec-agentd(1218): ERROR: Unable to send message to
> server.
> 016/02/25 21:16:24 ossec-agentd(1218): ERROR: Unable to send message to
> server.
> 016/02/25 21:16:25 ossec-agentd(4101): WARN: Waiting for server reply
> (not started). Tried: ''.
>
> Nothing in the server logs indicates a message was received.
>

Turn on debugging and restart the ossec processes on the manager
(`/var/ossec/bin/ossec_control enable debug && /var/ossec/bin/ossec_control
restart`)

> on client, list_clients -a I get
> *No agent available.
>
> And I don't see anything more when turning on debug mode.
>
> Not sure what else to try.
> I have turned off iptables on both client/server to debug this.
>
> Any ideas would be greatly appreciated.
>
> jms.
>
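dan's first check, worked through as an added example that is not from the thread: parse a constructed client.keys and a constructed `tcpdump -n` capture taken on the manager, and report which sources sending to udp/1514 match no registered agent address. Agent names, addresses and keys are made up for the example.

```python
"""Added example (not from the thread): cross-check the source addresses a
manager sees on udp/1514 against client.keys, the mismatch dan asks about."""
import ipaddress
import re

# Constructed stand-in for /var/ossec/etc/client.keys on the manager:
# "<id> <name> <ip|cidr|any> <key>". The keys are placeholders, not real ones.
CLIENT_KEYS = """\
001 web-01 10.0.1.23 PLACEHOLDER_KEY_001
002 web-02 10.0.1.0/24 PLACEHOLDER_KEY_002
"""

# Constructed output of 'tcpdump -n -i eth0 udp port 1514' on the manager.
TCPDUMP_LINES = [
    "21:16:12.000001 IP 10.0.1.23.51508 > 10.0.2.10.1514: UDP, length 73",
    "21:16:24.000002 IP 10.0.1.77.40001 > 10.0.2.10.1514: UDP, length 73",
    "21:16:25.000003 IP 192.168.50.9.55555 > 10.0.2.10.1514: UDP, length 73",
    "21:16:26.000004 IP 10.0.2.10.1514 > 10.0.1.23.51508: UDP, length 41",
]

PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP"
)


def parse_client_keys(text):
    """Return [(id, name, addr)] for each well-formed line; the key itself is
    never needed for this check, so it is dropped immediately."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 3)
        if len(parts) == 4 and not parts[0].startswith("#"):
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def addr_allows(addr, ip):
    """client.keys accepts a single IP, a CIDR block or the word 'any'."""
    if addr == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False


def find_agent(entries, src_ip):
    """First entry whose address field covers src_ip, or None."""
    for entry in entries:
        if addr_allows(entry[2], src_ip):
            return entry
    return None


def audit_capture(keys_text, tcpdump_lines, manager_port="1514"):
    """Map each source IP sending to the manager port to the agent name it
    resolves to, or None when no client.keys entry covers it. Replies the
    manager sends out are skipped, since only inbound sources are checked."""
    entries = parse_client_keys(keys_text)
    seen = {}
    for line in tcpdump_lines:
        m = PKT_RE.search(line)
        if not m or m.group(4) != manager_port:
            continue
        src = m.group(1)
        hit = find_agent(entries, src)
        seen[src] = hit[1] if hit else None
    return seen


def unknown_sources(keys_text, tcpdump_lines):
    """Sources that reached the manager but match no key: an agent sending from
    an address other than the one registered in manage_agents (NAT, a second
    interface, a re-created cloud instance) lands here, and the agent keeps
    waiting for a reply that never comes."""
    seen = audit_capture(keys_text, tcpdump_lines)
    return sorted(ip for ip, name in seen.items() if name is None)


if __name__ == "__main__":
    for ip, name in audit_capture(CLIENT_KEYS, TCPDUMP_LINES).items():
        print(ip, "->", name or "NO MATCHING client.keys ENTRY")
```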


[ossec-list] Server not responding to agent messages (1218/4101)

2016-02-25 Thread James Stallard
All:

1st time on board, and I know this sounds like a rookie question, but...I 
did have ossec running ok in another AWS environment; now with the upgrade to 
2.7-2.8.2 in a new env, I am having problems

I've just installed 2.8.3 agent & server on CentOS 6.7 (market place 
version, hardened).
Configured keys on both via manage_agent & restarted.
I know I have UDP connectivity since I have tcpdump -v -o eth0 1514 running 
on server and receive this from client:
tpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 
bytes
  ip-10-.ec2.internal.51508 > 
ip-.ec2.internal.fujitsu-dtcns: UDP, length 73
...
These messages correspond with the "Waiting for server to reply..." 
messages sent by the client below.

These errors on client:
016/02/25 21:16:02 ossec-agentd: INFO: Using IPv4 for: 1 .
016/02/25 21:16:12 ossec-agentd(1218): ERROR: Unable to send message to 
server.
016/02/25 21:16:24 ossec-agentd(1218): ERROR: Unable to send message to 
server.
016/02/25 21:16:25 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: ''.

Nothing in the server logs indicates a message was received.

on client, list_clients -a I get
*No agent available.

And I don't see anything more when turning on debug mode.

Not sure what else to try.
I have turned off iptables on both client/server to debug this.

Any ideas would be greatly appreciated.

jms.



Re: [ossec-list] Re: DNS caching for ?

2016-02-25 Thread dan (ddp)
On Thu, Feb 25, 2016 at 9:37 AM, Barry Kaplan  wrote:
> Ok, is this something that would be considered for change? In our
> environment there is no guarantee that nodes will remain on the same IP. For
> this we use consul and dnsmasq to look up DNS names.
>

Sure, we would consider accepting a pull request for this. Remember
that the ossec processes generally chroot to /var/ossec, and the
resolution should finish before the chroot (or everything needed to
resolve the name copied to /var/ossec?).

> For now I will hard code server_hostname to the DNS of the ossec server. At
> least that value exists when the agent starts. But when the ossec server
> dies (AWS nodes die all the time) I will have to update and restart every
> agent.
>


Re: [ossec-list] rules files as symlinks

2016-02-25 Thread dan (ddp)
On Tue, Feb 23, 2016 at 11:57 AM, Rui Zhang  wrote:
> It is interesting that a symlink works for ossec.conf under the etc folder, but
> doesn't work for client.keys under the etc folder for the agent type.
>

It all depends on when the file is read. Perhaps ossec.conf is opened
before the chroot?

> On Wednesday, February 17, 2016 at 10:13:46 AM UTC-8, Santiago Bassett
> wrote:
>>
>> Yes, if it is inside the jail then that should be ok. Also check that your
>> ossec.conf is configured to look for the rules where you want. As well,
>> symbolic links inside the jail should work.
>>
>> I hope that helps
>>
>> On Wed, Feb 17, 2016 at 7:49 AM, Rui Zhang  wrote:
>>>
>>> Thank you, Santiago! Other than remounting a partition inside the jail,
>>> can we configure the folder for rules files? If we can configure the folder,
>>> would this also be inside the same jail too? I am thinking of configuring
>>> the rules folder to /opt/ossec/rules, but I guess it will be looking for
>>> rules under /var/ossec/opt/ossec/rules instead of /opt/ossec/rules.
>>>
>>> On Tuesday, February 16, 2016 at 6:24:46 PM UTC-8, Santiago Bassett
>>> wrote:

 This is because ossec-analysisd process runs in a chroot environment, so
 it can't reach anything out of the jail (/var/ossec).

 In some scenarios, when really necessary, what we do is remount a
 partition inside the jail (mount -o bind). I don't recommend this, but it
 is a workaround that should work.

 Best

 On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang  wrote:
>
> Hi,
>
> I am trying to use a symlink for local_rules.xml. Here is what I did
>
> cd /var/ossec/rules
> cp local_rules.xml /opt/ossec/rules
> mv local_rules.xml local_rules.xml.bak
> ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
>
> But I couldn't start OSSEC after this change, and when I check the log
> file, it indicates that it couldn't read the XML file local_rules.xml.
> 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML
> file '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not
> found. (line 88).
> 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the
> rules: 'local_rules.xml'.
> 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> I checked the user/group and permission of those files, and they seem
> to be identical. So OSSEC won't take a symlink for the rules XML file?
> ll /opt/ossec/rules/local_rules.xml
> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21
> /opt/ossec/rules/local_rules.xml*
>
> ll local_rules.xml.bak
> -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak
>


Re: [ossec-list] agent unable to forward diff data for report_changes

2016-02-25 Thread dan (ddp)
On Mon, Feb 22, 2016 at 6:09 PM, Abhi  wrote:
> Hi,
>
> I am trying to get report_changes working for the /etc directory. After
> enabling it, along with the real time option, the agent correctly logs all the
> changes immediately under
> "/var/ossec/queue/diff/local/etc/". All changes are recorded into their
> respective folders. Each time an edit is done, a new diff file is generated.
>
> For enabling, I added the following under ossec.conf on the agent:
> <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
>
> But these "diff.XXX" files never make it to OSSEC server. Are they
> supposed to?
> When I check for this specific agent under
> "/var/ossec/queue/diff/AgentName", the only files listed are
> "state.".
>
> Apart from setting , is there any other configuration that I
> missed?
>

Do you get the diffs in the alerts?

> Agent Version - 2.8.1 ( Also tested with 2.8.3)
> Agent OS - CentOS 6.6
>
> Server OS - CentOS 6.6
>
> Many Thanks,
>
> ~ Abhi
>


Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread thak
Interesting. We maintain a few compliance standards (not PCI) so I will 
look into it for sure. 

On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote:
>
> You are welcome! I'll upload it into some website or repository folder.
>
> It is quite simple but works; in the future I will also extract the PCI 
> compliance requirement of every rule. If you need the rules with PCI 
> requirement groups, try out the Wazuh Ruleset.
>
> Regards,
>
> Pedro S.
>
> On Thu, Feb 25, 2016 at 7:42 PM, thak  
> wrote:
>
>> Whoa, that's awesome! Thanks sir. 
>>
>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>
>>> Hi thak,
>>>
>>> I made a quick Python script that can help you out. It lists all the 
>>> rules on /var/ossec/rules. Output example:
>>>
>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp 
>>> rules.
>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational 
>>> message.
>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>>
>>>
>>> Working with Python 2.7.6
>>>
>>> #!/usr/bin/python
>>> # Rules list
>>> # pe...@wazuh.com
>>>
>>> import re
>>> import os
>>>
>>> rules_directory = "/var/ossec/rules/"
>>>
>>> def GetRulesList(fulldir, filename):
>>>     rule_detected = 0
>>>     rule_description = 0
>>>     level = ""
>>>     sidid = ""
>>>     description = ""
>>>     # Stock rules files keep the <rule> header, its <description> and the
>>>     # closing </rule> on separate lines, which is what this scanner relies on.
>>>     pattern_idlevel = re.compile(r'<rule id="(\d+)" level="(\d+)"')
>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>     pattern_endrule = re.compile(r'</rule>')
>>>     try:
>>>         with open(fulldir) as f:
>>>             lines = f.readlines()
>>>         for line in lines:
>>>             if rule_detected == 0:
>>>                 match = re.findall(pattern_idlevel, line)
>>>                 if match:
>>>                     rule_detected = 1
>>>                     sidid = match[0][0]
>>>                     level = match[0][1]
>>>             else:
>>>                 if rule_description == 0:
>>>                     match = re.findall(pattern_description, line)
>>>                     if match:
>>>                         rule_description = 1
>>>                         description = match[0]
>>>                 if rule_description == 1:
>>>                     match = re.findall(pattern_endrule, line)
>>>                     if match:
>>>                         print("%s - Rule %s - Level %s -> %s" %
>>>                               (filename, sidid, level, description))
>>>                         rule_detected = 0
>>>                         rule_description = 0
>>>                         level = ""
>>>                         sidid = ""
>>>                         description = ""
>>>     except EnvironmentError:
>>>         print("Error: OSSEC rules directory does not appear to exist")
>>>
>>> if __name__ == "__main__":
>>>     print("Reading rules from directory %s" % rules_directory)
>>>     for root, directories, filenames in os.walk(rules_directory):
>>>         for filename in filenames:
>>>             if filename[-4:] == ".xml":
>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>
>>>
>>>
>>> Hope it helps, regards,
>>>
>>> Pedro S.
>>>
>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:

 Thanks!

 On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>
>
> On Feb 22, 2016 10:22 AM, "thak"  wrote:
> >
> > What's the best way to get a list of the rules, ideally by rule # 
> and short descriptive name (e.g., like the alerts..."Rule: 5403 fired 
> (level 4) -> "First time user executed sudo."). I need a list to update 
> some security and compliance documentation prior to an upcoming audit. 
> >
>
> All of the rules are available in the /var/ossec/rules directory. I 
> don't think it would be too difficult to write a script to grab the names 
> and ids.
>

Re: [ossec-list] Custom rule to disable 1002 email alerts

2016-02-25 Thread dan (ddp)
On Thu, Feb 25, 2016 at 1:50 PM, thak  wrote:
> I've seen similar topics, so apologies if this has been answered several
> times but I want to make sure I get guidance for the most recent version!
>
> Loving OSSEC so far having set it up in our environment a few days ago.
> However, rule 1002 is particularly chatty given our Apache error logs.
> Basically, our application's identity API has a ping function that runs
> every 5 seconds to check for an authenticated session. It will do this even
> once the user's session has timed out, so long as that browser or tab is
> open. We have a lot of customers who time out but don't close the tab
> (understandably). So when the ping.json function runs, it generates a few
> log entries with the term "error", specifically
> https://app-identity.thak.com/idm/error/...
>
> In our application this is obviously expected, and we can purge error_log
> when it gets too big filling with this stuff, but OSSEC is piling up alerts
> multiple times per minute, and from our security perspective it's really
> just noise.
>
> Can I set up a local rule to
> https://app-identity.thak.com/idm/error/ without an email
> alert that will trump the default "Unknown problem somewhere in the system"
> alert for logs containing "error" terminology? I'm really new to writing
> custom rules but it seems like that wouldn't be too difficult, and throwing
> that local rules file on our proxies would solve this problem.
>

Depending on the actual log, that should work. Add an
"<if_sid>1002</if_sid>" to your custom rule to make sure it overrides
the 1002 alerts.
So something like this:

<rule id="100001" level="0"> <!-- rule id lost in extraction; 100001 is a placeholder in the local-rule range -->
  <if_sid>1002</if_sid>
  <match>https://app-identity.thak.com/idm/error/</match>
  <description>Ignore blah blah</description>
</rule>

Put that in place and use ossec-logtest to make sure it works.

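The override dan sketches, worked through as an added example that is not part of the thread: a small evaluator for the `<match>`/`<if_sid>` subset of OSSEC rules, run over constructed Apache error_log lines. Rule 1002 below is a simplified stand-in for the stock one (its real keyword list is longer) and 100001 is an assumed local-rule id.

```python
"""Added example (not from the thread): a small OSSEC-style rule evaluator run on
constructed Apache error_log lines, showing how a level-0 child hung under 1002
with <if_sid> swallows the identity-API pings while other errors still alert."""
import xml.etree.ElementTree as ET

# Constructed rules. 1002 is a simplified stand-in for the stock rule (its real
# keyword list is longer); 100001 is a local-rule id picked for this example.
RULES_XML = """<group name="local,">
  <rule id="1002" level="2">
    <match>error|failure|failed|fatal|denied|refused|unauthorized|attack</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match>https://app-identity.thak.com/idm/error/</match>
    <description>Expected identity-API ping; not an error.</description>
  </rule>
</group>
"""

# Constructed error_log lines in the shape the thread describes.
SAMPLE_LOGS = [
    "[Thu Feb 25 21:16:02 2016] [error] [client 10.0.0.5] GET "
    "https://app-identity.thak.com/idm/error/session-expired (ping.json)",
    "[Thu Feb 25 21:16:09 2016] [error] [client 10.0.0.7] PHP Fatal error: "
    "Allowed memory size exhausted",
    "[Thu Feb 25 21:16:11 2016] [notice] Apache/2.2.15 configured "
    "-- resuming normal operations",
]


def ossec_match(pattern, text):
    """Subset of OSSEC <match>: '|'-separated alternatives, each a plain
    substring test; a leading '^' anchors that alternative to the line start."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt and alt in text:
            return True
    return False


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by id, preserving file order."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = r.findtext("if_sid") or ""
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": [s.strip() for s in sids.split(",") if s.strip()],
            "match": r.findtext("match"),
            "description": (r.findtext("description") or "").strip(),
            "options": [o.text.strip() for o in r.findall("options")],
        }
    return rules


def _matches(rule, log):
    return rule["match"] is None or ossec_match(rule["match"], log)


def _descend(rules, rule, log):
    # A child that matches replaces its parent as the result; recurse so
    # grandchildren get the same treatment.
    for child in rules.values():
        if rule["id"] in child["if_sid"] and _matches(child, log):
            return _descend(rules, child, log)
    return rule


def evaluate(rules, log):
    """Return the winning rule dict, or None. Only rules without <if_sid> are
    tried directly; children are consulted once their parent has matched."""
    for rule in rules.values():
        if not rule["if_sid"] and _matches(rule, log):
            return _descend(rules, rule, log)
    return None


def classify(rules, log):
    """Summarise the outcome as (disposition, rule id). Level 0 means OSSEC
    raises no alert at all, which is what silences the 1002 e-mails here."""
    rule = evaluate(rules, log)
    if rule is None:
        return ("none", None)
    if rule["level"] == 0:
        return ("ignored", rule["id"])
    if "alert_by_email" in rule["options"]:
        return ("alert+email", rule["id"])
    return ("alert", rule["id"])


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for line in SAMPLE_LOGS:
        print(classify(rules, line), line[:60])
```

Feed the same lines to ossec-logtest on a real manager to confirm the loaded ruleset agrees with this simplified model.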


Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread dan (ddp)
On Thu, Feb 25, 2016 at 1:53 PM, Pedro Sanchez  wrote:
> You are welcome! I'll upload it into some website or repository folder.
>
> It is quite simple but works; in the future I will also extract the PCI
> compliance requirement of every rule. If you need the rules with PCI
> requirement groups, try out the Wazuh Ruleset.
>

You can add it to the ossec repo in the contrib directory, then submit
a pull request.

> Regards,
>
> Pedro S.
>
> On Thu, Feb 25, 2016 at 7:42 PM, thak  wrote:
>>
>> Whoa, that's awesome! Thanks sir.
>>
>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>
>>> Hi thak,
>>>
>>> I made a quick Python script that can help you out. It lists all the
>>> rules on /var/ossec/rules. Output example:
>>>
>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp
>>> rules.
>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational
>>> message.
>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>>
>>>
>>> Working with Python 2.7.6
>>>
>>> #!/usr/bin/python
>>> # Rules list
>>> # pe...@wazuh.com
>>>
>>> import re
>>> import os
>>>
>>> rules_directory = "/var/ossec/rules/"
>>>
>>> def GetRulesList(fulldir, filename):
>>>     rule_detected = 0
>>>     rule_description = 0
>>>     level = ""
>>>     sidid = ""
>>>     description = ""
>>>     # Stock rules files keep the <rule> header, its <description> and the
>>>     # closing </rule> on separate lines, which is what this scanner relies on.
>>>     pattern_idlevel = re.compile(r'<rule id="(\d+)" level="(\d+)"')
>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>     pattern_endrule = re.compile(r'</rule>')
>>>     try:
>>>         with open(fulldir) as f:
>>>             lines = f.readlines()
>>>         for line in lines:
>>>             if rule_detected == 0:
>>>                 match = re.findall(pattern_idlevel, line)
>>>                 if match:
>>>                     rule_detected = 1
>>>                     sidid = match[0][0]
>>>                     level = match[0][1]
>>>             else:
>>>                 if rule_description == 0:
>>>                     match = re.findall(pattern_description, line)
>>>                     if match:
>>>                         rule_description = 1
>>>                         description = match[0]
>>>                 if rule_description == 1:
>>>                     match = re.findall(pattern_endrule, line)
>>>                     if match:
>>>                         print("%s - Rule %s - Level %s -> %s" %
>>>                               (filename, sidid, level, description))
>>>                         rule_detected = 0
>>>                         rule_description = 0
>>>                         level = ""
>>>                         sidid = ""
>>>                         description = ""
>>>     except EnvironmentError:
>>>         print("Error: OSSEC rules directory does not appear to exist")
>>>
>>> if __name__ == "__main__":
>>>     print("Reading rules from directory %s" % rules_directory)
>>>     for root, directories, filenames in os.walk(rules_directory):
>>>         for filename in filenames:
>>>             if filename[-4:] == ".xml":
>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>
>>>
>>>
>>> Hope it helps, regards,
>>>
>>> Pedro S.
>>>
>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:

 Thanks!

 On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>
>
> On Feb 22, 2016 10:22 AM, "thak"  wrote:
> >
> > What's the best way to get a list of the rules, ideally by rule # and
> > short descriptive name (e.g., like the alerts..."Rule: 5403 fired 
> > (level 4)
> > -> "First time user executed sudo."). I need a list to update some 
> > security
> > and compliance documentation prior to an upcoming audit.
> >
>
> All of the rules are available in the /var/ossec/rules directory. I
> don't think it would be too difficult to write a script to grab the names
> and ids.
>

Re: [ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Daniel Cid
I personally use it mostly on very busy servers to limit the amount of
events being sent by the agent
to the manager.

Say a very busy web server that generates thousands of logs per second.
Instead of sending all events centrally, I use the hybrid mode to do the
initial analysis locally and only send the real alerts centrally (which is
just a few per minute).

thanks,

On Thu, Feb 25, 2016 at 1:33 PM, Manoveg Saxena  wrote:

> Hi,
>
> I am not able to understand when I should use hybrid mode.
>
> I have one server and 4 agents.
> My server also has many applications and a web server which I want to
> monitor, along with the web servers and other applications on agents.
> Therefore should I go for
> 1)  hybrid on server and agent on other servers
> 2)  or server and agent setup
>
> Thanks,
> Manoveg
>


Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread Pedro Sanchez
You are welcome! I'll upload it into some website or repository folder.

It is quite simple but works; in the future I will also extract the PCI
compliance requirement of every rule. If you need the rules with PCI
requirement groups, try out the Wazuh Ruleset.

Regards,

Pedro S.

On Thu, Feb 25, 2016 at 7:42 PM, thak  wrote:

> Whoa, that's awesome! Thanks sir.
>
> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>
>> Hi thak,
>>
>> I made a quick Python script that can help you out. It lists all the
>> rules on /var/ossec/rules. Output example:
>>
>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp
>> rules.
>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational
>> message.
>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>
>>
>> Working with Python 2.7.6
>>
>> #!/usr/bin/python
>> # Rules list
>> # pe...@wazuh.com
>>
>> import re
>> import os
>>
>> rules_directory = "/var/ossec/rules/"
>>
>> def GetRulesList(fulldir, filename):
>>     rule_detected = 0
>>     rule_description = 0
>>     level = ""
>>     sidid = ""
>>     description = ""
>>     # Stock rules files keep the <rule> header, its <description> and the
>>     # closing </rule> on separate lines, which is what this scanner relies on.
>>     pattern_idlevel = re.compile(r'<rule id="(\d+)" level="(\d+)"')
>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>     pattern_endrule = re.compile(r'</rule>')
>>     try:
>>         with open(fulldir) as f:
>>             lines = f.readlines()
>>         for line in lines:
>>             if rule_detected == 0:
>>                 match = re.findall(pattern_idlevel, line)
>>                 if match:
>>                     rule_detected = 1
>>                     sidid = match[0][0]
>>                     level = match[0][1]
>>             else:
>>                 if rule_description == 0:
>>                     match = re.findall(pattern_description, line)
>>                     if match:
>>                         rule_description = 1
>>                         description = match[0]
>>                 if rule_description == 1:
>>                     match = re.findall(pattern_endrule, line)
>>                     if match:
>>                         print("%s - Rule %s - Level %s -> %s" %
>>                               (filename, sidid, level, description))
>>                         rule_detected = 0
>>                         rule_description = 0
>>                         level = ""
>>                         sidid = ""
>>                         description = ""
>>     except EnvironmentError:
>>         print("Error: OSSEC rules directory does not appear to exist")
>>
>> if __name__ == "__main__":
>>     print("Reading rules from directory %s" % rules_directory)
>>     for root, directories, filenames in os.walk(rules_directory):
>>         for filename in filenames:
>>             if filename[-4:] == ".xml":
>>                 GetRulesList(os.path.join(root, filename), filename)
>>
>>
>>
>> Hope it helps, regards,
>>
>> Pedro S.
>>
>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>
>>> Thanks!
>>>
>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:


 On Feb 22, 2016 10:22 AM, "thak"  wrote:
 >
 > What's the best way to get a list of the rules, ideally by rule # and
 short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4)
 -> "First time user executed sudo."). I need a list to update some security
 and compliance documentation prior to an upcoming audit.
 >

 All of the rules are available in the /var/ossec/rules directory. I
 don't think it would be too difficult to write a script to grab the names
 and ids.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Custom rule to disable 1002 email alerts

2016-02-25 Thread thak
I've seen similar topics, so apologies if this has been answered several 
times but I want to make sure I get guidance for the most recent version! 

Loving OSSEC so far having set it up in our environment a few days ago. 
However, rule 1002 is particularly chatty given our Apache error logs. 
Basically, our application's identity API has a ping function that runs 
every 5 seconds to check for an authenticated session. It will do this even 
once the user's session has timed out, so long as that browser or tab is 
open. We have a lot of customers who time out but don't close the tab 
(understandably). So when the ping.json function runs, it generates a few 
log entries with the term "error", specifically 
https://app-identity.thak.com/idm/error/... 

In our application this is obviously expected, and we can purge error_log 
when it gets too big filling with this stuff, but OSSEC is piling up alerts 
multiple times per minute, and from our security perspective it's really 
just noise. 

Can I set up a local rule to 
https://app-identity.thak.com/idm/error/ without an email 
alert that will trump the default "Unknown problem somewhere in the system" 
alert for logs containing "error" terminology? I'm really new to writing 
custom rules but it seems like that wouldn't be too difficult, and throwing 
that local rules file on our proxies would solve this problem. 



Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread thak
Whoa, that's awesome! Thanks sir. 




[ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Manoveg Saxena
Hi,

I am not able to understand when I should use hybrid mode.

I have one server and 4 agents.
My server also has many applications and a web server which I want to 
monitor, along with the web servers and other applications on the agents.
Therefore should I go for
1)  hybrid on the server and agents on the other servers, or
2)  a server and agent setup?

Thanks,
Manoveg



[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
Well, I guess you can change the apache log format or improve/overwrite the 
decoders.

Regards.
Jesus Linares.




[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread James Culver
Thank you, this is helpful. Now it works with and without GET parameters. 
However, it only works if Apache records a hostname and not just "-" in the 
hostname position. And Apache doesn't always do that (in fact, in our logs, 
it never does it).




[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
Keep in mind that rule 31108 is for http codes 2xx and 3xx. If you want to 
log that request with 4xx or 5xx codes you should add these rules (31101, 
31120...).

It's working, but I'm thinking on a better way to do this.

Regards.
Jesus Linares.





[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
That is because with GET parameters it is not a simple query (rule 31108):

**Phase 1: Completed pre-decoding.
   full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'
   hostname: 'LinMV'
   program_name: '(null)'
   log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...'


**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '10.10.10.10'
   url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
   id: '200'


**Rule debugging:
Trying rule: 4 - Generic template for all web rules.
   *Rule 4 matched.
   *Trying child rules.
Trying rule: 31100 - Access log messages grouped.
   *Rule 31100 matched.
   *Trying child rules.

Trying rule: 31108 - Ignored URLs (simple queries).
Trying rule: 31511 - Blacklisted user agent (wget).


This is working:

  
  
31100,31108
requeststringtest.php
request string test 2
  


Regards.
Jesus Linares.



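The rule-tree behaviour behind this thread (31108 rejecting a URL with GET parameters, and the fix of listing 31100 as a second parent), as an added example that is not OSSEC's code or anything Jesus or James posted: a small Python model of analysisd's parent/child evaluation. The decoder regex, the 31100/31108 stand-ins, the custom rule's level 10 and the two sample log lines are assumptions constructed for this example, and the names decode, evaluate, alert_for and custom_rule are mine.

```python
import re

# Added example, not OSSEC's code: a model of how analysisd walks the rule tree.
# A parent rule matches first, then its children are tried from the highest level
# down and the first child that matches wins; a custom rule whose only parent is
# 31108 is therefore never reached when 31108 itself rejects the URL.

# Simplified stand-in for the web-accesslog decoder (an assumption, not the real
# one); it yields the fields ossec-logtest shows above and does not reproduce the
# hostname quirk James reports for "-" in the second field.
DECODER = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" (?P<id>\d{3})')

def decode(event):
    """Decoded fields, or None when the line is not an access-log record."""
    m = DECODER.search(event)
    return m.groupdict() if m else None

class Rule(object):
    def __init__(self, rid, level, description, if_sid=(), url=None, status=None):
        self.id, self.level, self.description = rid, level, description
        self.if_sid = tuple(if_sid)                           # <if_sid> parents
        self.url = re.compile(url) if url else None           # <url>
        self.status = re.compile(status) if status else None  # <id> (HTTP code)

    def matches(self, fields):
        if self.url and not self.url.search(fields["url"]):
            return False
        return not self.status or bool(self.status.search(fields["id"]))

def build_children(rules):
    """Children keyed by parent id, highest level first, as analysisd orders them."""
    children = {}
    for r in rules:
        for parent in r.if_sid:
            children.setdefault(parent, []).append(r)
    for siblings in children.values():
        siblings.sort(key=lambda r: -r.level)
    return children

def evaluate(rules, event):
    """Walk the tree and return the deepest matching Rule, or None."""
    fields = decode(event)
    if fields is None:
        return None
    children = build_children(rules)
    frontier = sorted((r for r in rules if not r.if_sid), key=lambda r: -r.level)
    matched = None
    while frontier:
        for r in frontier:
            if r.matches(fields):
                matched, frontier = r, children.get(r.id, [])
                break
        else:
            break  # no child matched: the parent stays the final rule
    return matched

def alert_for(rules, event):
    """(id, description) of the alert, or None when the winning rule is level 0;
    a level-0 match such as 31108 is how OSSEC silently ignores an event."""
    r = evaluate(rules, event)
    return None if r is None or r.level == 0 else (r.id, r.description)

# Assumed, simplified stand-ins for the stock rules named in the thread; the real
# ones in apache_rules.xml / web_rules.xml use different regexes.
STOCK = [
    Rule(31100, 0, "Access log messages grouped."),
    Rule(31108, 0, "Ignored URLs (simple queries).", if_sid=[31100],
         url=r'^/[A-Za-z0-9._/-]*$', status=r'^[23]'),
]

def custom_rule(if_sid):
    """James's rule as the thread shows it; level 10 is an assumption."""
    return Rule(100060, 10, "request string test 2", if_sid=if_sid,
                url=r'requeststringtest\.php')

# Constructed sample events modelled on the two requests in the thread.
PLAIN = ('1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] '
         '"GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 68393')
QUERY = ('1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] '
         '"GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 200 68393')

if __name__ == "__main__":
    for if_sid in ([31108], [31100, 31108]):
        rules = STOCK + [custom_rule(if_sid)]
        print(if_sid, alert_for(rules, PLAIN), alert_for(rules, QUERY))
```

With if_sid 31108 alone the query URL ends at 31100 (no alert, since nothing below it matches), while with 31100,31108 the level-10 custom rule is tried under 31100 before 31108 and fires for both URLs.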


[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread James Culver
Thanks. I have tested your version of the rule, and it works *so long as* 
there aren't GET parameters in the requested URI.

For example, the following request triggers an alert:
1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah

However, this request is ignored:
1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 blahblahblah

Any ideas why that is?



[ossec-list] Re: DNS caching for ?

2016-02-25 Thread Barry Kaplan
Ok, is this something that would be considered for change? In our 
environment there is no guarantee that nodes will remain on the same IP. 
For this we use consul and dnsmasq to look up DNS names. 

For now I will hard code server_hostname to the DNS name of the ossec server. At 
least that value exists when the agent starts. But when the ossec server 
dies (AWS nodes die all the time) I will have to update and restart every 
agent. 



[ossec-list] Why don't my rules do anything?

2016-02-25 Thread James Culver
I have added the following rules to local_rules.conf:
  
31100
requeststringtest.php
request string test 2
alert_by_email
  

  
100060

request string test 2
alert_by_email
  
but OSSEC doesn't care at all. It counts the rules as being enabled, but no 
matter how many times or how fast I go to http : // 
server.ip/whatever?X=requeststringtest.php (or any URL that includes the 
string), OSSEC completely ignores it. The out of the box rules work fine. 
If I port scan, ssh or HTTP brute-force, or pull too many 400 or 500 
errors, then the appropriate rules fire. But this rule doesn't do anything. 
What am I doing wrong?

OSSEC 2.8.2
CentOS 6
Apache



Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread Pedro S
Hi thak,

I made a quick Python script that can help you out. It lists all the rules 
on /var/ossec/rules. Output example:

mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d


Working with Python 2.7.6

#!/usr/bin/python
# Rules list
# pe...@wazuh.com

from __future__ import print_function

import re
import os

rules_directory = "/var/ossec/rules/"


def GetRulesList(fulldir, filename):
    rule_detected = 0
    rule_description = 0
    level = ""
    sidid = ""
    description = ""
    # <rule id="NNN" level="N" ...> opens a rule: capture its id and level
    pattern_idlevel = re.compile(r'<rule id="(\d+)" level="(\d+)"')
    # <description>...</description> carries the short descriptive name
    pattern_description = re.compile(r'<description>(.+?)</description>')
    # </rule> closes the rule: print the line and reset the state
    pattern_endrule = re.compile(r'</rule>')
    try:
        with open(fulldir) as f:
            lines = f.readlines()
        for line in lines:
            if rule_detected == 0:
                match = re.findall(pattern_idlevel, line)
                if match:
                    rule_detected = 1
                    sidid = match[0][0]
                    level = match[0][1]
            else:
                if rule_description == 0:
                    match = re.findall(pattern_description, line)
                    if match:
                        rule_description = 1
                        description = match[0]
                if rule_description == 1:
                    match = re.findall(pattern_endrule, line)
                    if match:
                        print("%s - Rule %s - Level %s -> %s" %
                              (filename, sidid, level, description))
                        rule_detected = 0
                        rule_description = 0
                        level = ""
                        sidid = ""
                        description = ""
    except EnvironmentError:
        print("Error: OSSEC rules directory does not appear to exist")


if __name__ == "__main__":
    print("Reading rules from directory %s" % rules_directory)
    for root, directories, filenames in os.walk(rules_directory):
        for filename in filenames:
            if filename[-4:] == ".xml":
                GetRulesList(os.path.join(root, filename), filename)



Hope it helps, regards,

Pedro S.

On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>
> Thanks!
>
> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>
>>
>> On Feb 22, 2016 10:22 AM, "thak"  wrote:
>> >
>> > What's the best way to get a list of the rules, ideally by rule # and 
>> short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4) 
>> -> "First time user executed sudo."). I need a list to update some security 
>> and compliance documentation prior to an upcoming audit. 
>> >
>>
>> All of the rules are available in the /var/ossec/rules directory. I don't 
>> think it would be too difficult to write a script to grab the names and ids.
>>
>>
>



Re: [ossec-list] ERROR: Incorrectly formated message

2016-02-25 Thread Robert
Hi,

I tried, nothing changed.
But after a few hours the client started to work... weird.
And now three other clients have stopped working; they are in "Disconnected" 
state.
It is strange because the agent's log says: ossec-agentd(4102): INFO: 
Connected to the server (192.168.7.212:1514)
No error message, and also no error message on the server side.
tcpdump shows correct communication between the agent and the server.
I am getting fed up with this :)

Any thoughts? 

Robert


On Wednesday, February 3, 2016 at 8:57:59 PM UTC+1, Pedro S wrote:
>
> Hi,
>
> Try to add the agent with the "any" parameter in the IP field (./manage_agents); 
> when the "ip" question prompts, write "any", just for testing; maybe the agent 
> IP when reaching OSSEC is not the IP you are writing.
>
>
>



[ossec-list] Syscheck Database names?

2016-02-25 Thread Joao T.
Hi team, 

Agents are named like '(agent_name) agent_ip->syscheck', right?

Sometimes I come across these files in my syscheck folder:

(agent_name) agent_ip->syscheck-registry
.(agent_name) agent_ip->syscheck.cpt


What are they exactly? Are they just internal temporary files? Should I 
ignore them?

And could someone confirm what name the syscheck database for the server 
(or manager) should have?

Thanks team!




[ossec-list] Re: DNS caching for ?

2016-02-25 Thread Pedro S
Hi Barry,

If I understood correctly, you need to resolve the DNS name to an IP address more 
than once; unfortunately, it seems OSSEC won't do it. 

At the very first start, OSSEC reads the file ossec.conf, and when it detects a 

setting, the OS_GetHost function is called to get the IP address; that 
function won't be called again until you restart OSSEC.

Regards,

Pedro S.



On Thursday, February 25, 2016 at 10:57:14 AM UTC+1, Barry Kaplan wrote:
>
> I have a situation where ossec.conf is set with  before 
> the DNS entry is set. From what I can tell so far the result of the initial 
> dns lookup is kept forever, requiring the agent to be restarted. Is it the 
> case that a failed DNS will never be retried?
>
> BTW, I'm pretty sure it's not any caching outside of ossec, because the 
> dns server in this case is consul.
>



Re: [ossec-list] OSSEC Server Backup & Restore Procedure

2016-02-25 Thread Jesus Linares
Hi,

I don't know if it is what you need, but Wazuh has a script to update the 
ruleset (rules, decoders and rootchecks). This script also allows you to do a 
backup of /var/ossec/etc and /var/ossec/rules, and you can restore from 
the script.

Ruleset repository.
Script documentation.

Regards.
Jesus Linares.


On Thursday, February 25, 2016 at 7:37:30 AM UTC+1, Eero Volotinen wrote:
>
> Just shut down the server and pack the /var/ossec directory and init scripts into 
> a tarball? Restore works by just unpacking the tarball to the correct directory.
>
> --
> Eero
>
> 2016-02-25 7:56 GMT+02:00 :
>
>> Hi Team,
>>
>> Can someone tell me how to take a backup and restore of OSSEC 2.8.3?
>>
>>
>> Regards
>> Vipin Hooda
>>
>>
>
>



[ossec-list] DNS caching for ?

2016-02-25 Thread Barry Kaplan
I have a situation where ossec.conf is set with  before 
the DNS entry is set. From what I can tell so far the result of the initial 
dns lookup is kept forever, requiring the agent to be restarted. Is it the 
case that a failed DNS will never be retried?

BTW, I'm pretty sure it's not any caching outside of ossec, because the dns 
server in this case is consul.
