[ossec-list] windows active response logic

2016-04-12 Thread Rob B
Hello Folks,

  Could someone help me wrap my head around the windows active response 
mechanism?

If I understand correctly, the active-response/bin folder on the server 
will house my .CMD file containing my windows response actions?

What I would like to do is have active response fire on an event such as:

  18100

Which would then run my .cmd file, where I want to run an executable that I 
have already packaged. 

My question here is: what is the logic to run my packaged executable from 
the .cmd file?  Where do I store my packaged executable, how does it get to 
the client agent to fire?  Where will it fire from, so that I may have the 
correct syntax in my .cmd file? Can the package be pushed from the server 
to all windows agents once they refresh somehow?

I do understand the basics of how to set up active response in the 
server's ossec.conf file and where to turn it ON in the agent-side .conf 
file. How can I turn ON active response on all the agents from the 
server? (Currently I only know how to manually update the file at each 
client.)

Any pointers from the Gurus would be greatly appreciated.  =)

Thanks much Guys!!


Rob




-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread dan (ddp)
On Tue, Apr 12, 2016 at 2:15 PM,   wrote:
>> What repo are you using to build ossec?
> Heh, it seems your ossec build is near master, right? :)
>

I try to stay up to date. It's hard to do development type work on it
using an old version.

> Thank you for your answers!
>



Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread bazz
> What repo are you using to build ossec?
Heh, it seems your ossec build is near master, right? :)

Thank you for your answers!



Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread dan (ddp)
On Tue, Apr 12, 2016 at 1:58 PM,   wrote:
> Yeah, 2.8.3 from the wazuh apt ubuntu repository.
> Let's look at this commit in master and in the 2.8.3 tag:
> https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
> As I understand the code, this type of log was added in the file
> src/analysisd/cleanevent.c
> Master branch: the code is there, on line 106.
> https://github.com/ddpbsd/ossec-hids/blob/master/src/analysisd/cleanevent.c#L106
> 2.8.3 tag: the code is not there
> https://github.com/ddpbsd/ossec-hids/blob/2.8.3/src/analysisd/cleanevent.c#L116
>

So somewhere between 2.8.3 and today code was added. Which makes
sense, development is ongoing.

> Unfortunately, the wazuh repo doesn't have deb-src packages, so I can't look
> at its code.
> I've also just tried the atomic stable repo for centos 6.7.
> Rules are still not recognized.
>
> What repo are you using to build ossec?
>

The main one: https://github.com/ossec/ossec-hids

> Btw: my question was "Is there any plan for a new release?"
> If a new release is coming soon, I'll wait for it.
> If not, I will try to build debian packages for my private repo.
>

Define "soon." I've asked the other devs what their opinion is on 2.9,
but haven't heard back from most.

The main choices (as I see them) are:
* Prep and release the current 2.9 beta branch.
* Rebranch 2.9 from the current MASTER, and hope that real life
doesn't get in the way of prepping and releasing.
* Skip 2.9, branch 3.0 from the current MASTER (possibly looking at
semver in the process), and hoping that real life doesn't get in the
way of this little hobby.

Unfortunately this isn't a decision I feel comfortable making for everyone.



Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread bazz
Yeah, 2.8.3 from the wazuh apt ubuntu repository.
Let's look at this commit in master and in the 2.8.3 
tag: 
https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
As I understand the code, this type of log was added in the file 
src/analysisd/cleanevent.c
Master branch: the code is there, on line 106.
https://github.com/ddpbsd/ossec-hids/blob/master/src/analysisd/cleanevent.c#L106
2.8.3 tag: the code is not there
https://github.com/ddpbsd/ossec-hids/blob/2.8.3/src/analysisd/cleanevent.c#L116

Unfortunately, the wazuh repo doesn't have deb-src packages, so I can't look 
at its code.
I've also just tried the atomic stable repo for centos 6.7.
Rules are still not recognized.

What repo are you using to build ossec?

Btw: my question was "Is there any plan for a new release?"
If a new release is coming soon, I'll wait for it.
If not, I will try to build debian packages for my private repo.

On Tuesday, April 12, 2016 at 19:08:41 UTC+4, dan (ddpbsd) wrote:
>
> On Tue, Apr 12, 2016 at 10:23 AM,   
> wrote: 
> > 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com 
> > (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect 
> > password. 
> > 2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com 
> > (hostname.com[78.131.92.4]): USER testnext: Login successful. 
> > 
>
> I forgot to ask which version you're using. 2.8.3? My logtests were on 
> the current code. 
>
> > root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest 
> > 2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file. 
> > 2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992). 
> > ossec-testrule: Type one log per line. 
> > 
> > 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com 
> > (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect 
> > password. 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >full event: '2016-04-12 10:15:11,756 next-test.com 
> proftpd[29403] 
> > next-test.com (hostname.com[78.131.92.4]): USER testnext (Login 
> failed): 
> > Incorrect password.' 
> >hostname: 'next-test' 
> >program_name: '(null)' 
> >log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] 
> > next-test.com (hostname.com[78.131.92.4]): USER testnext (Login 
> failed): 
> > Incorrect password.' 
> > 
> > **Phase 2: Completed decoding. 
> >No decoder matched. 
> > 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '2501' 
> >Level: '5' 
> >Description: 'User authentication failure.' 
> > **Alert to be generated. 
> > 
> > 
> > 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com 
> > (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect 
> > password. 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >full event: '2016-04-12 10:15:11,756 next-test.com 
> proftpd[29403] 
> > next-test.com (hostname.com[78.131.92.4]): USER testnext (Login 
> failed): 
> > Incorrect password.' 
> >hostname: 'next-test' 
> >program_name: '(null)' 
> >log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] 
> > next-test.com (hostname.com[78.131.92.4]): USER testnext (Login 
> failed): 
> > Incorrect password.' 
> > 
> > **Phase 2: Completed decoding. 
> >No decoder matched. 
> > 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '2501' 
> >Level: '5' 
> >Description: 'User authentication failure.' 
> > **Alert to be generated. 
> > 
> > On Tuesday, April 12, 2016 at 15:31:34 UTC+4, dan (ddpbsd) wrote:
> >> 
> >> On Tue, Apr 12, 2016 at 7:17 AM,   wrote: 
> >> > Sorry, I missed the commit 
> >> > 
> >> > 
> https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
>  
> >> > Now my proftpd logs are not processed by ossec. 
> >> > 
> >> 
> >> Can you provide log samples? 
> >> 
> >> > Also, if possible, please add to apt-repo deb-src packages to help 
> >> > recompile 
> >> > ossec. 
> >> > I tried to rebuild deb packages, but failed. 
> >> > 
> >> > On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares wrote:
> >> >> 
> >> >> What commit do you mean? 
> >> >> 
> >> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com 
> wrote: 
> >> >>> 
> >> >>> Hello! 
> >> >>> I'm very interested in this commit for proftpd log support. 
> >> >>> 
> >> >>> Are there any plans for new ossec deb packages that will include 
> >> >>> this 
> >> >>> commit? 
> >> >>> Or is the better way to build ossec myself? 
> >> >>> 
> >> >>> Thank you! 

Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread dan (ddp)
On Tue, Apr 12, 2016 at 10:23 AM,   wrote:
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
> 2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com
> (hostname.com[78.131.92.4]): USER testnext: Login successful.
>
> root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest
> 2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file.
> 2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992).
> ossec-testrule: Type one log per line.
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
>full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>hostname: 'next-test'
>program_name: '(null)'
>log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
>full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>hostname: 'next-test'
>program_name: '(null)'
>log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>

And strangely enough, this is what I get:
**Phase 1: Completed pre-decoding.
   full event: '2016-04-12 10:15:11,756 next-test.com
proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER
testnext (Login failed): Incorrect password.'
   hostname: 'next-test.com'
   program_name: 'proftpd'
   log: 'next-test.com (hostname.com[78.131.92.4]): USER testnext
(Login failed): Incorrect password.'

**Phase 2: Completed decoding.
   decoder: 'proftpd'
   srcip: '78.131.92.4'

**Phase 3: Completed filtering (rules).
   Rule id: '11204'
   Level: '5'
   Description: 'Login failed accessing the FTP server'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
   full event: '2016-04-12 10:15:30,894 next-test.com
proftpd[29431] next-test.com (hostname.com[78.131.92.4]): USER
testnext: Login successful.'
   hostname: 'next-test.com'
   program_name: 'proftpd'
   log: 'next-test.com (hostname.com[78.131.92.4]): USER testnext:
Login successful.'

**Phase 2: Completed decoding.
   decoder: 'proftpd'
   srcip: '78.131.92.4'
   dstuser: 'testnext'

**Phase 3: Completed filtering (rules).
   Rule id: '11205'
   Level: '3'
   Description: 'FTP Authentication success.'
**Alert to be generated.


It must be time to remove my installation and start over for testing.

> On Tuesday, April 12, 2016 at 15:31:34 UTC+4, dan (ddpbsd) wrote:
>>
>> On Tue, Apr 12, 2016 at 7:17 AM,   wrote:
>> > Sorry, I missed the commit
>> >
>> > https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
>> > Now my proftpd logs are not processed by ossec.
>> >
>>
>> Can you provide log samples?
>>
>> > Also, if possible, please add to apt-repo deb-src packages to help
>> > recompile
>> > ossec.
>> > I tried to rebuild deb packages, but failed.
>> >
>> > On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares wrote:
>> >>
>> >> What commit do you mean?
>> >>
>> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote:
>> >>>
>> >>> Hello!
>> >>> I'm very interested in this commit for proftpd log support.
>> >>>
>> >>> Are there any plans for new ossec deb packages that will include
>> >>> this
>> >>> commit?
>> >>> Or is the better way to build ossec myself?
>> >>>
>> >>> Thank you!
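The two ossec-logtest runs above differ in Phase 1. On 2.8.3 the proftpd header (ISO date with comma milliseconds, host, program[pid], and no colon after the pid) is not recognised, so program_name stays '(null)', the whole line is kept as the log, the proftpd decoder never fires, and only the generic rule 2501 matches. The following Python is an added example, not OSSEC's code, that re-implements the three logtest phases in miniature for the thread's own two sample lines; the header and body regexes, the rule conditions and the local host name "next-test" are my simplified stand-ins, and the rule IDs and descriptions are copied from the output quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The thread's own two proftpd sample lines (constructed test input here,
# not live log data).
SAMPLE_EVENTS = [
    "2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com "
    "(hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.",
    "2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com "
    "(hostname.com[78.131.92.4]): USER testnext: Login successful.",
]

# Phase 1 header formats (simplified stand-ins for OSSEC's cleanevent.c logic).
# [0]: proftpd style, ISO date with comma milliseconds, host, program[pid],
#      no colon after the pid.
# [1]: classic syslog header, "Apr 12 10:15:11 host program[pid]: message".
PREDECODE_FORMATS = [
    re.compile(
        r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (?P<host>\S+) "
        r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:? (?P<log>.*)$"
    ),
    re.compile(
        r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
        r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
    ),
]

# Phase 2 pattern for the proftpd message body (assumed, simplified decoder).
PROFTPD_RE = re.compile(
    r"^\S+ \((?P<srchost>[^\[]+)\[(?P<srcip>[^\]]+)\]\): USER (?P<user>\S+?)(?::| \()"
)


@dataclass
class Event:
    full: str
    hostname: str
    program_name: Optional[str]
    log: str
    decoder: Optional[str] = None
    fields: dict = field(default_factory=dict)
    rule_id: Optional[str] = None
    level: Optional[int] = None
    description: Optional[str] = None


def predecode(line: str, local_host: str = "next-test", formats=None) -> Event:
    """Phase 1: split the syslog-style header off the message. If no header
    format matches, do what the old build did: keep the whole line as the log,
    leave program_name unset and fall back to the local host name."""
    for fmt in PREDECODE_FORMATS if formats is None else formats:
        m = fmt.match(line)
        if m:
            return Event(line, m.group("host"), m.group("prog"), m.group("log"))
    return Event(line, local_host, None, line)


def decode(ev: Event) -> Event:
    """Phase 2: decoders are keyed on program_name, so an event whose header
    did not pre-decode can never reach the proftpd decoder."""
    if ev.program_name == "proftpd":
        m = PROFTPD_RE.match(ev.log)
        if m:
            ev.decoder = "proftpd"
            ev.fields = {"srcip": m.group("srcip"), "dstuser": m.group("user")}
    return ev


def match_rules(ev: Event) -> Event:
    """Phase 3: rule IDs and descriptions mirror those printed in the thread;
    the matching conditions are simplified stand-ins for the real rule set."""
    if ev.decoder == "proftpd":
        if "Login failed" in ev.log:
            ev.rule_id, ev.level = "11204", 5
            ev.description = "Login failed accessing the FTP server"
        elif "Login successful" in ev.log:
            ev.rule_id, ev.level = "11205", 3
            ev.description = "FTP Authentication success."
    elif re.search(r"login failed|incorrect password", ev.log, re.IGNORECASE):
        # Generic catch-all: without a decoder only a keyword rule can fire.
        ev.rule_id, ev.level = "2501", 5
        ev.description = "User authentication failure."
    return ev


def logtest(line: str, local_host: str = "next-test", formats=None) -> Event:
    """Run all three phases, like ossec-logtest does for one line."""
    return match_rules(decode(predecode(line, local_host, formats)))


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        for label, fmts in (("current", None), ("old pre-decoder", PREDECODE_FORMATS[1:])):
            ev = logtest(line, formats=fmts)
            print(f"[{label:15}] program_name={ev.program_name!r} decoder={ev.decoder!r} "
                  f"rule={ev.rule_id} level={ev.level} fields={ev.fields}")
```

Passing only the classic syslog pattern (formats=PREDECODE_FORMATS[1:]) reproduces the 2.8.3 output; with both patterns the result matches what dan sees on master. This is the check to run first when a decoder "stops matching" after an upgrade: if program_name is (null) in Phase 1, the decoder is not the problem, the header parsing is.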

Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread dan (ddp)
On Tue, Apr 12, 2016 at 10:23 AM,   wrote:
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
> 2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com
> (hostname.com[78.131.92.4]): USER testnext: Login successful.
>

I forgot to ask which version you're using. 2.8.3? My logtests were on
the current code.

> root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest
> 2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file.
> 2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992).
> ossec-testrule: Type one log per line.
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
>full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>hostname: 'next-test'
>program_name: '(null)'
>log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
>full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>hostname: 'next-test'
>program_name: '(null)'
>log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
> On Tuesday, April 12, 2016 at 15:31:34 UTC+4, dan (ddpbsd) wrote:
>>
>> On Tue, Apr 12, 2016 at 7:17 AM,   wrote:
>> > Sorry, I missed the commit
>> >
>> > https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
>> > Now my proftpd logs are not processed by ossec.
>> >
>>
>> Can you provide log samples?
>>
>> > Also, if possible, please add to apt-repo deb-src packages to help
>> > recompile
>> > ossec.
>> > I tried to rebuild deb packages, but failed.
>> >
>> > On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares wrote:
>> >>
>> >> What commit do you mean?
>> >>
>> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote:
>> >>>
>> >>> Hello!
>> >>> I'm very interested in this commit for proftpd log support.
>> >>>
>> >>> Are there any plans for new ossec deb packages that will include
>> >>> this
>> >>> commit?
>> >>> Or is the better way to build ossec myself?
>> >>>
>> >>> Thank you!



Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread bazz
2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com 
(hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect 
password.
2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com 
(hostname.com[78.131.92.4]): USER testnext: Login successful.

root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest 
2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file.
2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992).
ossec-testrule: Type one log per line.

2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com 
(hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect 
password.


**Phase 1: Completed pre-decoding.
   full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] 
next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): 
Incorrect password.'
   hostname: 'next-test'
   program_name: '(null)'
   log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] 
next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): 
Incorrect password.'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.


2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com 
(hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect 
password.


**Phase 1: Completed pre-decoding.
   full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] 
next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): 
Incorrect password.'
   hostname: 'next-test'
   program_name: '(null)'
   log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] 
next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): 
Incorrect password.'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

On Tuesday, April 12, 2016 at 15:31:34 UTC+4, dan (ddpbsd) wrote:
>
> On Tue, Apr 12, 2016 at 7:17 AM,   wrote: 
> > Sorry, I missed the commit 
> > 
> https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
>  
> > Now my proftpd logs are not processed by ossec. 
> > 
>
> Can you provide log samples? 
>
> > Also, if possible, please add to apt-repo deb-src packages to help 
> recompile 
> > ossec. 
> > I tried to rebuild deb packages, but failed. 
> > 
> > On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares wrote:
> >> 
> >> What commit do you mean? 
> >> 
> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote: 
> >>> 
> >>> Hello! 
> >>> I'm very interested in this commit for proftpd log support. 
> >>> 
> >>> Are there any plans for new ossec deb packages that will include 
> this 
> >>> commit? 
> >>> Or is the better way to build ossec myself? 
> >>> 
> >>> Thank you! 



Re: [ossec-list] Re: Integrity of the OSSEC agent

2016-04-12 Thread Darin Perusich
If your primary concern is ensuring the integrity of a firewall, or
any system for that matter, perhaps the simpler approach of
limiting local access to the system and further limiting who has elevated
privileges to install/patch/update the system, in addition to file-level
integrity checking, would be a place to start to ensure a strong
security posture.

In addition to OSSEC, you can also use AIDE to check file integrity,
and you can layer FreeBSD's TrustedBSD MAC framework on top of that.
While auditd(8) is the Linux Audit Daemon, I'm sure there's an
equivalent in FreeBSD, which you can use to audit any file access, and
bring the system to a grinding halt w/the amount of logs generated,
and alert locally with SEC, and ship those logs off to
splunk/graylog2/syslog to ensure they're not fiddled with in the event
of local compromise. Since this is FreeBSD I'd also run ZFS for the
file systems and use a snapper(8)-like tool to create a file system
snapshot for rollback purposes after updates.

I'm not trying to be an ass, I'm simply pointing out that one needs to
have a layered and methodical approach to securing one's systems and
there is no silver bullet. At some point you need to trust whoever is
managing said systems, and the vendors you're getting your software from,
which is easier when they're based on open source code and you can
review the source code.

--
Later,
Darin


On Tue, Apr 12, 2016 at 7:33 AM, dan (ddp)  wrote:
> On Mon, Apr 11, 2016 at 2:57 PM, John Jenkins  
> wrote:
>> Good point Dan.
>>
>> So here's a thought that maybe getting into the realms of silliness - how
>> about mounting (read-only) the entire filesystem of the "untrusted" machine
>> (via SSHFS) onto a "trusted" machine, and running OSSEC locally on the trusted
>> machine?
>>
>
> Scale that out to 30,000 hosts of varying architectures, operating
> systems, and versions.
> At multiple locations with varying internet connection qualities.
>
>> On Monday, April 11, 2016 at 6:23:09 PM UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Mon, Apr 11, 2016 at 1:07 PM, John Jenkins 
>>> wrote:
>>> > Yeah I did read up on samhain but I prefer the simplicity of OSSEC.
>>> >
>>> > For me, the main goal is to have integrity checking on a FreeBSD based
>>> > firewall/router.
>>> >
>>> > I'm thinking the best option is to use rkhunter and/or chkrootkit on the
>>> > router, and then use a remote OSSEC in agentless mode to verify file
>>> > integrity of the entire system - unless there is a simpler way to do
>>> > this :)
>>> >
>>>
>>> The agentless support will probably have the same problems, because I
>>> believe it uses the system's hashing programs.
>>>
>>> > On Monday, April 11, 2016 at 5:26:28 PM UTC+1, Darin Perusich wrote:
>>> >>
>>> >> One mechanism would be to recreate what samhain, another OSSEC type
>>> >> tool, does and add a compiled-in key that is used to verify the
>>> >> integrity of the binary. In the case where it was being packaged by an
>>> >> outside source, i.e. some distribution repo, you could add additional
>>> >> key material to verify the integrity for a site's deployment.
>>> >>
>>> >> http://www.la-samhna.de/samhain/manual/keypad.html
>>> >> --
>>> >> Later,
>>> >> Darin
>>> >>
>>> >>
>>> >> On Mon, Apr 11, 2016 at 10:47 AM, John Jenkins 
>>> >> wrote:
>>> >> > .. I forgot to mention that if anyone did go down this route of
>>> >> > static
>>> >> > linking it would have disadvantages as well such as not getting any
>>> >> > security
>>> >> > updates in the libraries until the next time you re-compile.
>>> >> >
>>> >> >
>>> >> > On Monday, April 11, 2016 at 3:15:36 PM UTC+1, John Jenkins wrote:
>>> >> >>
>>> >> >> Thanks for the info.
>>> >> >>
>>> >> >> I did think one way round this would be to verify the integrity of
>>> >> >> the
>>> >> >> ossec binaries before the check is run. This could be done remotely
>>> >> >> by
>>> >> >> comparing the hashes of some locally stashed known good binaries
>>> >> >> against
>>> >> >> what is on the agent machine.
>>> >> >>
>>> >> >> However, just checking some of the binaries on FreeBSD from the
>>> >> >> ossec-client pkg, a lot of them are dynamically linked for some
>>> >> >> reason.
>>> >> >>
>>> >> >> This would mean if you wanted to be absolutely sure you'd need to
>>> >> >> compare
>>> >> >> the hashes of all the linked libraries as well. It starts to become
>>> >> >> a
>>> >> >> headache.
>>> >> >>
>>> >> >> On Monday, April 11, 2016 at 9:58:54 AM UTC+1, John Jenkins wrote:
>>> >> >>>
>>> >> >>> Apologies if this has been answered before but I couldn't find any
>>> >> >>> information about this. I'm also new to OSSEC.
>>> >> >>>
>>> >> >>> How does an agent based install of OSSEC detect or prevent the
>>> >> >>> modification of the agent itself?
>>> >> >>>
>>> >> >>> For example, what's to stop someone replacing the agent with their
>>> >> >>> own
>>> >> >>> custom binary to do god-knows 
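For the file-level integrity checking Darin mentions, and the approach John describes of comparing hashes of locally stashed known-good binaries (and, on a dynamically linked build, the libraries they load) against what is on the agent, here is an added Python example that is not OSSEC's, AIDE's or samhain's code: it records a SHA-256 baseline with permission bits, then reports added, removed and modified paths, treating a permission-only change such as a new setuid bit as a modification. The directory tree, file contents and the baseline.json location are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size of every regular file under root,
    keyed by path relative to root. Symlinks are skipped rather than followed,
    so a link pointing outside the tree cannot smuggle content into the baseline."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines. A permission-only change
    (e.g. a setuid bit added to an otherwise unchanged binary) is reported as
    modified, not ignored."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, dest: Path) -> None:
    """Store the baseline as JSON; keep this copy off the monitored host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it in
    four different ways and report what the comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "agentd").write_bytes(b"original agent binary")
        (root / "bin" / "helper").write_bytes(b"helper")
        os.chmod(root / "bin" / "helper", 0o755)
        (root / "etc").mkdir()
        (root / "etc" / "agent.conf").write_text("<ossec_config/>\n")

        store = Path(tmp) / "baseline.json"   # outside the monitored tree
        save_baseline(build_baseline(root), store)

        (root / "bin" / "agentd").write_bytes(b"replaced agent binary")  # content swapped
        os.chmod(root / "bin" / "helper", 0o4755)                        # setuid added
        (root / "etc" / "agent.conf").unlink()                           # file removed
        (root / "bin" / "extra").write_bytes(b"dropped in")              # file added

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To apply this to the problem in the thread, the baseline would be built once from the known-good package on a trusted machine, stored there, and compared against a fresh scan of the agent host; as John notes, for a dynamically linked agent the scanned set has to include the shared libraries the binaries load, not just the binaries themselves.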

[ossec-list] RE: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-12 Thread Alexandre LAQUERRE
Thank you very much for the information,

I was able to convince our customer to deploy the new version update in order 
to limit the downtime and well he is going to install 10 or 20 machines in 
order to see if it works or not.


Thank you,

Alexandre Laquerre
Security Analyst
LINKBYNET
Performance | Innovation | Quality

Follow us on social media!

1255 Place Phillips, Suite 700, Montréal, QC H3B 3G1
Switchboard: +1 800 258 0820
Security Division: +1 514 667 0554
Web: www.linkbynet.com
Before printing this e-mail, think of the environment.
LINKBYNET, the #1 hosting provider for high-availability environments (source: 01net|IPLabel)


From: Kat [mailto:uncommon...@gmail.com]
Sent: Tuesday, April 12, 2016 9:52 AM
To: ossec-list 
Cc: Alexandre LAQUERRE 
Subject: Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

I have seen this as well, and what I found seemed to be related to encryption 
being used on 2.8.3 vs the 2.7 packages.  As Santi suggested, also removing the 
rids for the agents allows them to connect. I would, however, strongly suggest 
keeping them within the same release, as it avoids many of the problems 
observed.

Kat

On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
Hi,

I have been using Ossec for quite a while and we decided to upgrade the version 
(2.7.1) to 2.8.3, and that was relatively successful except for the fact that it 
pulled a number on my ossec.conf by creating indent problems and adding open 
brackets in the wrong area; but anyway, it works. My issue is that for the moment 
our client will not update the OSSEC agents and wishes to keep 2.7.1. I have 
not seen any documentation that would indicate a compatibility issue; however, I 
noticed that no matter what I do, the agents will end up disconnecting. They 
will start out all active and then after 20 minutes or so they will all be 
disconnected except for a small minority.

When I performed the install I set the maximum number of agents to 4096 
because the client has about … I would say close to 3000 agents. Furthermore, 
the installation did go well; however, I suspect that the agent.conf file in the 
shared folder got messed up due to this update being very significant. I have 
been working on this issue for at least three days and I am no longer certain 
where to look.

I would like to specify that I have already tried to erase the RIDS while OSSEC 
is stopped (server), and when I start it back up again the same issue occurs. Now I 
am hoping the solution will not be to erase the rids from the client as it 
would be a long process for our customer.

Thank you,

Alexandre Laquerre
Security Analyst
LINKBYNET




[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-12 Thread Kat
I have seen this as well, and what I found seemed to be related to 
encryption being used on 2.8.3 vs the 2.7 packages.  As Santi suggested, 
also removing the rids for the agents allows them to connect. I would, 
however, strongly suggest keeping them within the same release, as it 
avoids many of the problems observed.

Kat

On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>
> Hi,
>
>  
>
> I have been using Ossec for quite a while and we decided to upgrade the 
> version (2.7.1) to 2.8.3, and that was relatively successful except for the 
> fact that it did a number on my Ossec.conf by creating indent problems 
> and adding open brackets in the wrong area, but anyway it works. My issue is 
> that for the moment our client will not update the OSSEC agents and wishes to 
> keep 2.7.1. I have not seen any documentation that would indicate a 
> compatibility issue; however, I noticed that no matter what I do, the agents 
> will end up disconnecting. They will start out all active and then after 20 
> minutes or so they will all be disconnected except for a small minority. 
>
>  
>
> When I performed the install I set the maximum number of agents to 
> 4096 because the client has about … I would say close to 3000 agents. 
> Furthermore, the installation did go well; however, I suspect that the 
> agent.conf file in the shared folder got messed up due to this update being 
> very significant. I have been working on this issue for at least three days 
> and I am no longer certain where to look.
>
>  
>
> I would like to specify that I have already tried to erase the RIDS while 
> OSSEC is stopped (server), and when I start it back up again the same issue 
> occurs. Now I am hoping the solution will not be to erase the rids from the 
> client, as it would be a long process for our customer.
>
>  
>
> Thank you,
>
>  
>
> Alexandre Laquerre
>
> Security Analyst
>
> 
> *LINKBYNET *
>
> Performance | Innovation | Quality
>
>
> 
>
> Follow us on social media!
>
> 
> *1255 Place Phillips, Suite 700, **Montréal, QC H3B 3G1*
> *Standard : +1 800 258 0820*
>
> *Security Division : +1 514 667 0554*
>
> Web : www.linkbynet.com
>
>
> *Before printing this e-mail, think about the environment.*
>
> LINKBYNET, *leading hosting provider* for high-availability environments (source: 
> 01net|IPLabel) 
> 
>
>  
>
>  
>



Re: [ossec-list] Re: Integrity of the OSSEC agent

2016-04-12 Thread dan (ddp)
On Mon, Apr 11, 2016 at 2:57 PM, John Jenkins  wrote:
> Good point Dan.
>
> So here's a thought that may be getting into the realms of silliness - how
> about mounting (read-only) the entire filesystem of the "untrusted" machine
> (via SSHFS) onto a "trusted" machine, and run OSSEC locally on the trusted
> machine?
>

Scale that out to 30,000 hosts of varying architectures, operating
systems, and versions.
At multiple locations with varying internet connection qualities.

> On Monday, April 11, 2016 at 6:23:09 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Apr 11, 2016 at 1:07 PM, John Jenkins 
>> wrote:
>> > Yeah I did read up on samhain but I prefer the simplicity of OSSEC.
>> >
>> > For me, the main goal is to have integrity checking on a FreeBSD based
>> > firewall/router.
>> >
>> > I'm thinking the best option is to use rkhunter and/or chkrootkit on the
>> > router, and then use a remote OSSEC in agentless mode to verify file
>> > integrity of the entire system - unless there is a simpler way to do
>> > this :)
>> >
>>
>> The agentless support will probably have the same problems, because I
>> believe it uses the system's hashing programs.
>>
>> > On Monday, April 11, 2016 at 5:26:28 PM UTC+1, Darin Perusich wrote:
>> >>
>> >> One mechanism would be to recreate what samhain, another OSSEC type
>> >> tool, does and add a compiled-in key that is used to verify the
>> >> integrity of the binary. In the case where it was being packaged by an
>> >> outside source, i.e. some distribution repo, you could add additional
>> >> key material to verify the integrity for a site's deployment.
>> >>
>> >> http://www.la-samhna.de/samhain/manual/keypad.html
>> >> --
>> >> Later,
>> >> Darin
>> >>
>> >>
>> >> On Mon, Apr 11, 2016 at 10:47 AM, John Jenkins 
>> >> wrote:
>> >> > .. I forgot to mention that if anyone did go down this route of static
>> >> > linking it would have disadvantages as well, such as not getting any
>> >> > security updates in the libraries until the next time you re-compile.
>> >> >
>> >> >
>> >> > On Monday, April 11, 2016 at 3:15:36 PM UTC+1, John Jenkins wrote:
>> >> >>
>> >> >> Thanks for the info.
>> >> >>
>> >> >> I did think one way round this would be to verify the integrity of the
>> >> >> ossec binaries before the check is run. This could be done remotely by
>> >> >> comparing the hashes of some locally stashed known good binaries
>> >> >> against what is on the agent machine.
>> >> >>
>> >> >> However, just checking some of the binaries on FreeBSD from the
>> >> >> ossec-client pkg, a lot of them are dynamically linked for some reason.
>> >> >>
>> >> >> This would mean if you wanted to be absolutely sure you'd need to
>> >> >> compare the hashes of all the linked libraries as well. It starts to
>> >> >> become a headache.
>> >> >>
>> >> >> On Monday, April 11, 2016 at 9:58:54 AM UTC+1, John Jenkins wrote:
>> >> >>>
>> >> >>> Apologies if this has been answered before but I couldn't find any
>> >> >>> information about this. I'm also new to OSSEC.
>> >> >>>
>> >> >>> How does an agent based install of OSSEC detect or prevent the
>> >> >>> modification of the agent itself?
>> >> >>>
>> >> >>> For example, what's to stop someone replacing the agent with their own
>> >> >>> custom binary to do god-knows what?
>> >> >>>
>> >> >>> Are there any best practices to prevent this?
>> >> >>>
>> >> >>> I'm aware that an agentless install can help mitigate this, however
>> >> >>> the sshd binary would possibly be a weak point there. Also you lose
>> >> >>> some of the nicer features of the agent based install.
>> >> >>>
>> >> >>> Also am I right in thinking the file integrity database is also stored
>> >> >>> locally and open to modification in a local only install?
>> >> >>>
>> >> >>> John.
>> >> >

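The thread circles around two ideas: John's plan to compare hashes of known-good agent binaries (and, because the FreeBSD packages are dynamically linked, every library they load) against what is on the agent host, and his follow-up of running the check from a trusted machine over a read-only mount. The Python below is an added example written for this page, not code from OSSEC or from anyone in the thread. It builds a manifest from ldd(1) output, verifies it, and accepts a mount-point prefix so the verification can run from the trusted side. The function names, the manifest layout and the sample files in demo() are the example's own assumptions; the constructed "binaries" are plain files, not real ELF objects.

```python
import hashlib
import os
import re
import subprocess
import tempfile

# ldd(1) lines look like "libc.so.7 => /lib/libc.so.7 (0x800a00000)".
# Lines without a "=> /path" part (vdso entries, "not found", "not a dynamic
# executable") are skipped. Note that the dynamic loader itself is printed
# without "=>", so add it to the manifest by hand if you want it covered.
_LDD_LINE = re.compile(r"^\s*\S+\s*=>\s*(/\S+)")


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_ldd(text):
    """Absolute library paths from ldd-style output (duplicates removed, order kept)."""
    libs = []
    for line in text.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1) not in libs:
            libs.append(m.group(1))
    return libs


def linked_libraries(binary):
    """Run ldd on a binary; returns [] if ldd is unavailable or the file is static."""
    try:
        proc = subprocess.run(["ldd", binary], capture_output=True, text=True, check=False)
    except OSError:
        return []
    return parse_ldd(proc.stdout)


def build_manifest(binaries):
    """Known-good manifest {path: sha256} covering each binary and every library it loads.

    Run this on a trusted build of the agent and keep the result off the agent host;
    a manifest stored next to the binaries can be rewritten by whoever replaced them.
    """
    manifest = {}
    for b in binaries:
        for path in [b] + linked_libraries(b):
            if path not in manifest and os.path.isfile(path):
                manifest[path] = sha256_of(path)
    return manifest


def verify_manifest(manifest, root=""):
    """Check every file named in the manifest against what is on disk.

    root lets the check run from a trusted host over a read-only mount of the
    untrusted filesystem (assumed layout, e.g. root="/mnt/agent1"), so the
    hashing code itself is never the thing being verified.
    Returns {path: "ok" | "modified" | "missing"}.
    """
    result = {}
    for path, expected in manifest.items():
        target = root + path if root else path
        if not os.path.isfile(target):
            result[path] = "missing"
        elif sha256_of(target) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo():
    """Constructed scenario: a fake agent binary and library, then a tampered library."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = os.path.join(tmp, "ossec-agentd")      # constructed sample file
        lib = os.path.join(tmp, "libcrypto.so.8")       # constructed sample file
        with open(binary, "wb") as f:
            f.write(b"\x7fELF agent binary (constructed sample)")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF shared library (constructed sample)")
        # In practice this manifest comes from build_manifest() on the trusted box.
        manifest = {binary: sha256_of(binary), lib: sha256_of(lib)}
        before = verify_manifest(manifest)
        with open(lib, "ab") as f:                      # simulate a swapped-in library
            f.write(b"tampered")
        after = verify_manifest(manifest)
        os.remove(binary)                               # simulate a deleted agent
        gone = verify_manifest(manifest)
        return (sorted(before.values()), after[binary], after[lib], gone[binary])


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the host running it: hashing from the agent itself is exactly the case the original question worries about, which is why verify_manifest takes a root prefix so the comparison can be done from a separate machine over a read-only mount. As Dan notes, that does not scale to tens of thousands of hosts, so in practice this is a spot check rather than a replacement for a signed, vendor-built agent.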

Re: [ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread dan (ddp)
On Tue, Apr 12, 2016 at 7:17 AM,   wrote:
> Sorry, i missed  the commit
> https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
> Now my proftpd logs are not processed by ossec.
>

Can you provide log samples?

> Also, if possible, please add to apt-repo deb-src packages to help recompile
> ossec.
> I tried to rebuild deb packages, but failed.
>
> On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares
> wrote:
>>
>> What commit do you mean?
>>
>> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote:
>>>
>>> Hello!
>>> I'm very interested in this commit for supporting proftpd logs.
>>>
>>> Are there any plans for new ossec deb packages that will include this
>>> commit?
>>> Or is the better way to build ossec myself?
>>>
>>> Thank you!
>



[ossec-list] Re: When new ossec build is planning ?

2016-04-12 Thread bazz
Sorry, i missed the commit 
https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
Now my proftpd logs are not processed by ossec.

Also, if possible, please add to apt-repo deb-src packages to help 
recompile ossec.
I tried to rebuild deb packages, but failed.

On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares 
wrote:
>
> What commit do you mean?
>
> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote:
>>
>> Hello!
>> I'm very interested in this commit for supporting proftpd logs.
>>
>> Are there any plans for new ossec deb packages that will include this 
>> commit?
>> Or is the better way to build ossec myself?
>>
>> Thank you!
>>
>
