Re: [ossec-list] Nginx access.log not processing

2016-04-07 Thread Gesiel Bernardes
Running ossec-logtest I received this info:

**Phase 2: Completed decoding.
   decoder: 'pure-transfer'
2016/04/07 15:39:11 ossec-testrule: Rules in an inconsistent state. Exiting.

How do I find the inconsistent rule?

Gesiel

On Thursday, April 7, 2016 at 14:24:47 UTC-3, dan (ddpbsd) wrote:
>
> On Thu, Apr 7, 2016 at 1:18 PM, Gesiel Bernardes 
>  wrote: 
> > Hi, 
> > 
> >   I have a problem with OSSEC and Nginx. OSSEC is not generating alerts for 
> > /var/log/nginx/access.log, generated by Nginx, but /var/log/nginx/error.log 
> > is fine. My OSSEC version is 2.8.2 and I use all default rules (including 
> > nginx_rules.xml). Below is my configuration: 
> > 
> > ossec.conf 
> >  
> > [...] 
> >
> > apache 
> > /var/log/nginx/access.log 
> >
> > 
> >
> > apache 
> > /var/log/nginx/error.log 
> >
> > [...] 
> > --- 
> > 
> >   In theory, the traffic below should generate an alert (rule id 31103, 
> > right?), but no alerts are generated. (Below is the ossec-logcollector debug 
> > log): 
> > 
> > 2016/04/07 14:13:15 ossec-logcollector: DEBUG: Reading syslog message: 
> > 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET 
> > /index.php?a=union=select HTTP/1.1" 200 45346 "-" "Wget/1.15 
> (linux-gnu)"' 
> > 
> > Can someone help me? Any ideas? 
> > 
>
>
> I don't have 2.8.2 available at the moment, but here's what I'm 
> currently seeing in ossec-logtest: 
> xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET 
> /index.php?a=union=select HTTP/1.1" 200 45346 "-" "Wget/1.15 
> (linux-gnu)" 
>
>
> **Phase 1: Completed pre-decoding. 
>full event: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET 
> /index.php?a=union=select HTTP/1.1" 200 45346 "-" "Wget/1.15 
> (linux-gnu)"' 
>hostname: 'ix' 
>program_name: '(null)' 
>log: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET 
> /index.php?a=union=select HTTP/1.1" 200 45346 "-" "Wget/1.15 
> (linux-gnu)"' 
>
> **Phase 2: Completed decoding. 
>decoder: 'web-accesslog' 
>srcip: 'xx.xx.xx.xx' 
>url: '/index.php?a=union=select' 
>id: '200' 
>
> **Phase 3: Completed filtering (rules). 
>Rule id: '31511' 
>Level: '0' 
>Description: 'Blacklisted user agent (wget).' 
>
> What does your ossec-logtest output look like? 
>
>
> > 
> > Gesiel 
> > 
>
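Gesiel asks how to locate the rule that makes ossec-logtest exit with "Rules in an inconsistent state". The script below is an added example, not OSSEC's own rule loader: it runs a few static checks over a set of rule files that are assumptions about common causes of that error (a rule id defined twice without overwrite="yes", an if_sid or if_matched_sid pointing at an id no loaded file defines, a rule without id/level attributes, and a file that is not well-formed XML). The sample files, their descriptions and the function names are constructed for this example; only the rule ids echo the thread.

```python
"""Static consistency check for OSSEC rule files (added example, not OSSEC code).

Rule files hold several top-level <group> elements, so each file is wrapped in
a dummy root before parsing.  The checks are assumptions about what commonly
leaves the rule set "in an inconsistent state"; ossec-logtest remains the
authority on whether a file actually loads.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

REF_TAGS = ("if_sid", "if_matched_sid")   # tags whose text lists other rule ids


def parse_rule_file(name, text):
    """Return ([(rule_id, refs, overwrite, file)], [problems]) for one file."""
    rules, problems = [], []
    try:
        root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    except ET.ParseError as exc:
        return rules, [f"{name}: not well-formed XML: {exc}"]
    for rule in root.iter("rule"):
        rid, level = rule.get("id"), rule.get("level")
        if rid is None or level is None:
            problems.append(f"{name}: <rule> without id or level attribute")
            continue
        refs = []
        for tag in REF_TAGS:
            for el in rule.findall(tag):
                # <if_sid>100,200</if_sid> or whitespace-separated lists
                refs += [r for r in re.split(r"[,\s]+", el.text or "") if r]
        overwrite = rule.get("overwrite", "no").lower() == "yes"
        rules.append((rid, refs, overwrite, name))
    return rules, problems


def check_rules(files):
    """files: {file name: XML text} in load order.  Returns sorted problem strings."""
    all_rules, problems = [], []
    for name, text in files.items():
        rules, probs = parse_rule_file(name, text)
        all_rules += rules
        problems += probs
    definitions = defaultdict(list)          # rule id -> files defining it (no overwrite)
    for rid, _, overwrite, name in all_rules:
        if not overwrite:
            definitions[rid].append(name)
    for rid, names in definitions.items():
        if len(names) > 1:
            problems.append(f"duplicate rule id {rid} in {', '.join(names)}")
    known = {rid for rid, _, _, _ in all_rules}
    for rid, refs, _, name in all_rules:
        for ref in refs:
            if ref not in known:
                problems.append(f"{name}: rule {rid} references undefined id {ref}")
    return sorted(problems)


# Constructed sample: one clean base file and a local file with two defects.
SAMPLE_FILES = {
    "web_rules.xml": """
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31103" level="6">
    <if_sid>31100</if_sid>
    <description>SQL injection attempt in URL.</description>
  </rule>
</group>
""",
    "local_rules.xml": """
<group name="local,">
  <!-- points at an id that no loaded file defines -->
  <rule id="100001" level="5">
    <if_sid>31999</if_sid>
    <description>Custom web rule.</description>
  </rule>
  <!-- redefines 31103 without overwrite="yes" -->
  <rule id="31103" level="10">
    <if_sid>31100</if_sid>
    <description>Clashing rule id.</description>
  </rule>
</group>
""",
}

if __name__ == "__main__":
    paths = sys.argv[1:]
    files = {p: open(p, encoding="utf-8").read() for p in paths} if paths else SAMPLE_FILES
    for problem in check_rules(files):
        print(problem)
```

Run it against the real rule files in the order the `<include>` entries in ossec.conf list them, so that an if_sid reference is judged against what is loaded before it. A clean report only narrows the search: a file that passes these checks can still be rejected by the loader, so the last word stays with ossec-logtest.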

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: When new ossec build is planning ?

2016-04-07 Thread Pedro S
If you are talking about this commit: 
https://github.com/ossec/ossec-hids/commit/dbf841c595a4b6a5a0203b04651b5efb14d95e7d#diff-45abb2823a60f0163e56942090cdb53f

You do not need to reinstall OSSEC or install new packages to include it; 
just add the following rule to your /var/ossec/rules/proftpd_rules.xml:


 
11200 
unable to open incoming connection 
Couldn't open the incoming connection.  
Check log message for reason. 
 

Regards,

Pedro S.

On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote:
>
> Hello!
> I am very interested in this commit for proftpd log support.
>
> Are there any plans for new ossec deb packages that will include this 
> commit?
> Or is it better to build ossec myself?
>
> Thank you!
>



[ossec-list] Re: When new ossec build is planning ?

2016-04-07 Thread Jesus Linares
What commit do you mean?

On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote:
>
> Hello!
> I am very interested in this commit for proftpd log support.
>
> Are there any plans for new ossec deb packages that will include this 
> commit?
> Or is it better to build ossec myself?
>
> Thank you!
>



Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Pedro S
Jesus is totally right.

The timeout he is talking about is 3*NOTIFY_TIME+30, and NOTIFY_TIME by 
default is 600 seconds.

Check the last modification date of every agent-info/* file and wait 
until more than 30'30'' have passed since then.

Best regards,

Pedro S.


On Thursday, April 7, 2016 at 8:08:02 PM UTC+2, Jesus Linares wrote:
>
> Hi,
>
> in order to know if an agent is connected, disconnected or never connected, 
> OSSEC reads the modification date of the files in 
> /var/ossec/queue/agent-info/:
>
>- if there is no file for the agent, the status is *never connected*
>- if the modification time of the file is less than a defined timeout, 
>the status is *active*. If it is greater, then the status is 
>*disconnected*.
>
> I guess those files are updated by the Manager each time that the agents 
> send a "keep-alive".
>
> I'm not sure, but I think the timeout is around 30 minutes.
>
> Regards,
> Jesus Linares.
>
> On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>>
>> Hello Dan,
>>
>> Thanks for the reply. Yeah, it's the old data. I ran ./agent_control 
>> -lc|grep ID:|wc -l to list the count of active agents and it shows as 3k 
>> even though the manager's ossec process is stopped. I am trying to figure 
>> out where the cache is stored. I need to remove that data before starting 
>> the manager's OSSEC process back.
>>
>> Without removing that data, if I start back the manager's ossec process 
>> the 3k count remains the same and the remaining agents do not show up as 
>> active.
>>
>> Thanks,
>> Sandeep.
>>
>



Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Jesus Linares
Hi,

in order to know if an agent is connected, disconnected or never connected, 
OSSEC reads the modification date of the files in 
/var/ossec/queue/agent-info/:

   - if there is no file for the agent, the status is *never connected*
   - if the modification time of the file is less than a defined timeout, 
   the status is *active*. If it is greater, then the status is 
   *disconnected*.

I guess those files are updated by the Manager each time that the agents 
send a "keep-alive".

I'm not sure, but I think the timeout is around 30 minutes.

Regards,
Jesus Linares.

On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>
> Hello Dan,
>
> Thanks for the reply. Yeah, it's the old data. I ran ./agent_control 
> -lc|grep ID:|wc -l to list the count of active agents and it shows as 3k 
> even though the manager's ossec process is stopped. I am trying to figure 
> out where the cache is stored. I need to remove that data before starting 
> the manager's OSSEC process back.
>
> Without removing that data, if I start back the manager's ossec process 
> the 3k count remains the same and the remaining agents do not show up as 
> active.
>
> Thanks,
> Sandeep.
>
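The status logic Jesus describes (no agent-info file, file younger than the timeout, file older than the timeout) combined with the timeout Pedro gives (3*NOTIFY_TIME+30 with NOTIFY_TIME = 600 s) is small enough to reproduce, which also makes sandeep's observation easy to see: a stopped manager leaves the file mtimes untouched, so every agent still reads as active until its file ages past 30'30''. The script below is an added example, not OSSEC's agent_control; the "name-ip" file naming, the agent list and the temporary directory are constructed for it.

```python
"""Derive OSSEC agent status from agent-info file ages (added example, not OSSEC code).

Rule from the thread: no agent-info file -> "never connected"; file modified
less than the timeout ago -> "active"; otherwise "disconnected".  The
timeout 3*NOTIFY_TIME + 30 with NOTIFY_TIME = 600 s comes from Pedro's reply.
File names of the form name-ip and the agents themselves are constructed.
"""
import os
import tempfile
import time

NOTIFY_TIME = 600                    # seconds, default per the thread
TIMEOUT = 3 * NOTIFY_TIME + 30       # 1830 s, i.e. 30'30''


def agent_status(agent_info_dir, agent_file, now=None, timeout=TIMEOUT):
    """Classify one agent from the mtime of its agent-info file."""
    path = os.path.join(agent_info_dir, agent_file)
    if not os.path.exists(path):
        return "never connected"
    now = time.time() if now is None else now
    age = now - os.path.getmtime(path)
    return "active" if age < timeout else "disconnected"


def summarize(agent_info_dir, agent_files, now=None, timeout=TIMEOUT):
    """Return {agent_file: status} for every agent the manager knows about."""
    return {name: agent_status(agent_info_dir, name, now, timeout)
            for name in agent_files}


def _touch(path, mtime):
    """Create an empty file and back-date its modification time (constructed data)."""
    open(path, "w").close()
    os.utime(path, (mtime, mtime))


def demo():
    """Constructed agent-info directory: one fresh, one stale and one missing agent."""
    with tempfile.TemporaryDirectory() as agent_info_dir:
        now = time.time()
        _touch(os.path.join(agent_info_dir, "web01-10.0.0.5"), now - 120)   # keep-alive 2 min ago
        _touch(os.path.join(agent_info_dir, "db01-10.0.0.6"), now - 3600)   # keep-alive 1 h ago
        agents = ["web01-10.0.0.5", "db01-10.0.0.6", "new02-10.0.0.7"]     # new02 never checked in
        return summarize(agent_info_dir, agents, now=now)


if __name__ == "__main__":
    for agent, status in demo().items():
        print(f"{agent:16} {status}")
```

Pointing `summarize` at the real /var/ossec/queue/agent-info/ with `os.listdir` as the agent list gives the same picture agent_control -lc would, and shows why the 3k count in sandeep's case only drops once each file is older than 1830 seconds: the files are the state, and nothing rewrites them while the manager is down.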



[ossec-list] Re: new files does not creating alert at all

2016-04-07 Thread Pedro S
Hi,

That decoder is hardcoded into the OSSEC code, so you won't find any decoder 
file with that name.

Best regards,

Pedro S.



On Monday, April 4, 2016 at 8:06:58 PM UTC+2, jingxu...@bettercloud.com 
wrote:
>
> Yes, I noticed the difference: adding a new file entry will not be real-time. 
> But what if I restart the agent and manager? Will it rescan and then 
> generate that event right after I restart everything? 
>
> And also, my issue is that I waited for the interval; however, I still would 
> not be able to get a log event even when I create some new files and 
> directories. 
>
> My last question is: within that rule, the decoder name is 
> syscheck_new_entry. Where is the decoder file? I can not find this decoder 
> in the decoders folder.
> Thank you.
>
> On Friday, April 1, 2016 at 6:49:42 AM UTC-4, Jesus Linares wrote:
>>
>> Check out this blog: 
>> http://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/
>>
>> Pay attention to the part: "REAL TIME VS ALERT ON NEW".
>>
>> Regards,
>> Jesus Linares.
>>
>> On Thursday, March 31, 2016 at 9:08:37 PM UTC+2, 
>> jingxu...@bettercloud.com wrote:
>>>
>>> I followed the instructions on how to set up an alert for a new file as 
>>> follows:
>>>
>>> 
>>>   ossec
>>>   syscheck_new_entry
>>>   File added to the system.
>>>   syscheck,
>>>
>>>
>>> and 
>>>
>>> 
>>>   7200
>>>   yes
>>>   /etc,/bin,/sbin
>>>
>>>
>>> But it never works. I can not get alerts even when I restart the agent and 
>>> manager. Could anyone help me with this? Thanks 
>>>
>>>



[ossec-list] Re: How are the best test to ossec rules

2016-04-07 Thread Pedro S
Testing the OSSEC installation or the OSSEC rules? I am with Dan: define "test", 
hehe. What do you want exactly?

On Tuesday, April 5, 2016 at 4:58:46 PM UTC+2, tchello2008br wrote:
>
> Hi all 
> I want to test my installation , what is the best method ? 
>
> Tks 
>



Re: [ossec-list] How are the best test to ossec rules

2016-04-07 Thread Jesus Linares
Hi,

Define exactly what you want to test. 

Some generic tests that you can do:

   - Review ossec.log
   - Review connectivity with agents
   - Check host performance with command 'top'.
   - Review most common alerts

Regards,
Jesus Linares.


On Tuesday, April 5, 2016 at 5:20:22 PM UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Apr 5, 2016 at 10:57 AM, Marcelo Rosa  > wrote: 
> > Hi all 
> > I want to test my installation , what is the best method ? 
> > 
>
> Define "test." 
>
> > Tks 
> > 
>



[ossec-list] Re: List of logged in users AND List of the last logged in users

2016-04-07 Thread Maxim Surdu
OK, who can tell me about the rest of the Linux machines?
Why is it working just for one? 

On Wednesday, April 6, 2016 at 23:57:16 UTC+3, Kat wrote:
>
> The Windows systems do not have the same commands for looking at users. 
> Your commands for looking at both logged-in and last users will only work on 
> *nix platforms.
>
> Kat
>
> On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote:
>>
>> Hi dear community,
>>
>> I installed and configured about 10 agents, and of course I have a lot of 
>> users; I need to monitor when they are working or drinking coffee 
>>
>> In ossec_rules.xml I have the following rules:
>>
>>  
>> 530
>> ossec: output: 'w'
>> 
>> alert_by_email
>> List of logged in users. It will not be alerted by 
>> default.
>>   
>>
>>   
>> 530
>> ossec: output: 'last -n 
>> 
>> alert_by_email
>> List of the last logged in users.
>>   
>>
>> I have Linux and Windows machines but mail is coming just from one 
>> machine (Linux). What about the rest? 
>> What did I do wrong?
>>
>> I appreciate your help, and a lot of respect for the developers and community!
>>
>>
>>
>>
