Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-19 Thread Santiago Bassett
Out of curiosity, which rule is supposed to trigger the alert? The one I see
by default looks for full partitions...

https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137

On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef 
wrote:

> I tested it on CentOS 5 and the output of df is as expected (Single line).
>
> We don't have a lot of RHEL5 but this happens on every one I tried so far (I
> tried 7).
>
> Here is the output of df -h on RHEL5:
>
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00
>                        23G   16G  5.4G  75% /
> /dev/hda1              99M   13M   82M  14% /boot
> tmpfs                 4.9G     0  4.9G   0% /dev/shm
>
> Here is the output of a CentOS 5 machine:
>
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/sda3             1.9T  1.7T  104G  95% /
> /dev/sda1              99M   36M   58M  39% /boot
> tmpfs                 3.9G     0  3.9G   0% /dev/shm
>
> So the CentOS is a single line and OSSEC picks that log perfectly. But
> RHEL5 it will see 2 logs:
>
> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
> ossec: output: 'df -h':23G   16G  5.4G  75% /
>
> And doesn't work. Tested in RHEL 5.8 and 5.11.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] RootCheck disabling

2016-04-19 Thread Santiago Bassett
I was meaning to paste this link before sending the last email:

http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/manual-rootcheck.html

On Tue, Apr 19, 2016 at 5:06 PM, Santiago Bassett <
santiago.bass...@gmail.com> wrote:

> Hi Eyal,
>
> Try setting syscheck.debug=2 in the internal_options.conf file. It looks like
> there are some rootchecks that still run unless you set those to no, like
> check_pids, check_dev, check_ports, ... See more info at:
>
>



Re: [ossec-list] RootCheck disabling

2016-04-19 Thread Santiago Bassett
Hi Eyal,

Try setting syscheck.debug=2 in the internal_options.conf file. It looks like
there are some rootchecks that still run unless you set those to no, like
check_pids, check_dev, check_ports, ... See more info at:


On Mon, Apr 18, 2016 at 12:13 PM,  wrote:

> Interesting... that should be the only config that you need to update in
> order to disable the root check. I tried it in my lab and disabled it
> properly as well.
>
>
> On Sunday, April 17, 2016 at 4:56:15 AM UTC-4, eyal gershon wrote:
>>
>> I checked the logs again -
>>
>> 2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
>> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
>> 2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> The log says the check did run.
>> Is there another configuration file I might be missing?
>>
>> On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
>>>
>>> I have reproduced your configuration in my lab; rootcheck is not
>>> starting again. Could you re-verify that the agent.conf file is right on your
>>> agent?
>>>
>>> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:

 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.

 The start of the scan is right after the ossec-hids restart from the
 original post.

 On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:
>
> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon 
> wrote:
> > Hey,
> >
> > I tried to disable the rootcheck on one of the servers.
> > I added the following to the agent.conf file -
> >
> > <rootcheck>
> >   <disabled>yes</disabled>
> > </rootcheck>
> >
> > and after restarting the service I get the following output -
> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck
> > disabled. Exiting.
> > ossec-syscheckd: WARN: Rootcheck module disabled.
> >
> > and a few minutes later I see in the logs that the rootcheck is running
> > again. Anyone have an idea what I missed?
> >
>
> Which log messages are you seeing specifically?
>
>



[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
Will try dropping the | select -Skip 2 from the Get-Content to see if that
works, or maybe a -Raw output arg.

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:



[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
I have had nominal success with this...

 
<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
  <frequency>60</frequency>
  <alias>USBDevices</alias>
</localfile>





OSSEC HIDS Notification.
2016 Apr 19 19:46:53

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Directory: F:\

 --END OF NOTIFICATION

It is missing the remaining content on that C:\temp\tmp.txt ... But I am 
close  :)

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:



Re: [ossec-list] USB storage detect & recursive file list

2016-04-19 Thread Pedro Sanchez
Hi,

Nice commands, very useful, thanks for sharing.

Both commands are working in my lab; the second one prints the full list
of files at the terminal and writes into the C:\temp\test.txt file (watch out
for the last " quote before ).

I am not sure if you need to merge the two commands' output into the same
alert; in that case, I can only think of combining both and running just
one .


Regards,

Pedro S.


On Tue, Apr 19, 2016 at 9:23 PM, Jacob Mcgrath 
wrote:

> I have a basic Windows agent setting to alert me when a storage device is
> detected using Power shell..
>
> 
> full_command
> powershell.exe -command "gwmi win32_diskdrive | select
> Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions
> >
> C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"
> 
> 300
> USBDevices
>   
>
>
> with the following rule in local_rules.xml
> 
> 530
> ossec: output: 'USBDevices'
> 
> Mounted Device change detected
>   
>
>
>
>
> Of course I get this alert which is nice for basic logging..
>
> OSSEC HIDS Notification.
>
>
>
> 2016 Apr 19 18:35:31
>
>
>
> Received From: (mis41) any->USBDevices
>
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>
> Portion of the log(s):
>
>
>
> ossec: output: 'USBDevices':
>
> Model  : TOSHIBA DT01ACA100 SCSI Disk Device
>
> InterfaceType  : IDE
>
> serialnumber   :359ZMW6MS
>
> Size   : 1000202273280
>
> MediaType  : Fixed hard disk media
>
> CapabilityDescriptions : {Random Access, Supports Writing, SMART
> Notification}
>
> Model  : Verbatim STORE N GO USB Device
>
> InterfaceType  : USB
>
> serialnumber   : AA000489
>
> Size   : 16022845440
>
> MediaType  : Removable Media
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports
> Removable M
>
>  edia}
>
> Model  : Verbatim STORE N GO USB Device
>
> InterfaceType  : USB
>
> serialnumber   : AA000489
>
> Size   : 16022845440
>
> MediaType  : Removable Media
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports
> Removable M
>
>
>
>
>
>
>
>  --END OF NOTIFICATION
>
>
>
> I was playing around with Powershell and have a optional command to print
> out USB storage device files recursively...
>
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
> "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse
> > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
>
> this gives me this output in a tmp.txt if ran from a powershell window and
> or run line.
>
>
> Directory: F:\
>
>
> ModeLastWriteTime Length Name
> - -- 
> -a---11/06/2015  12:38 PM   2290 mbam-setup-2.2.0.1024.exe
> -a---12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe
>
>
> Directory: E:\
>
>
> ModeLastWriteTime Length Name
> - -- 
> -a---12/06/2011   9:51 AM 388608 HijackThis.exe
> -a---03/04/2016   2:44 PM   2290 mbam-setup-2.2.0.1024.exe
> -a---03/04/2016   2:46 PM   9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists
> into a USB detection report but have not had any success as of yet using
> the above command instead of the first like below.
>
>
>
>   
> full_command
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
>  "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -
> recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"
> 
> 300
> USBDevices
>   
>
>
> This gives me a empty C:\temp\test.txt file...
>
>
> Any suggestions would be appreiciated...
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



[ossec-list] USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
I have a basic Windows agent setting to alert me when a storage device is
detected, using PowerShell.


<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
  <frequency>300</frequency>
  <alias>USBDevices</alias>
</localfile>


with the following rule in local_rules.xml

<rule id="503002" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'USBDevices'</match>
  <check_diff />
  <description>Mounted Device change detected</description>
</rule>




Of course I get this alert which is nice for basic logging..

OSSEC HIDS Notification.
2016 Apr 19 18:35:31

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
InterfaceType          : IDE
serialnumber           : 359ZMW6MS
Size                   : 1000202273280
MediaType              : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M

 --END OF NOTIFICATION



I was playing around with PowerShell and have an optional command to print
out USB storage device files recursively...


powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)


This gives me this output in tmp.txt if run from a PowerShell window or the
Run line.


Directory: F:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/06/2015  12:38 PM       2290 mbam-setup-2.2.0.1024.exe
-a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe


Directory: E:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        12/06/2011   9:51 AM     388608 HijackThis.exe
-a---        03/04/2016   2:44 PM       2290 mbam-setup-2.2.0.1024.exe
-a---        03/04/2016   2:46 PM       9524 hijackthis.log

I have been attempting to get the above USB recursive file lists 
into a USB detection report but have not had any success as of yet using 
the above command instead of the first like below.



  
<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
  <frequency>300</frequency>
  <alias>USBDevices</alias>
</localfile>


This gives me an empty C:\temp\test.txt file...


Any suggestions would be appreciated...


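A script-file version of the two commands in this thread, added here as an example rather than code from the thread: it emits the USB disk inventory and the recursive file listing of each removable volume as plain, sorted lines so a check_diff rule only fires on a real change. The script path C:\ossec\usb-report.ps1, the -File invocation, the 60-second frequency and PowerShell 3.0 or later are assumptions.

```powershell
# usb-report.ps1 (assumed path: C:\ossec\usb-report.ps1). Suggested localfile entry
# (the 60-second frequency is an assumption):
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ossec\usb-report.ps1</command>
#     <frequency>60</frequency>
#     <alias>USBDevices</alias>
#   </localfile>
# Running from a file avoids the nested double quotes that broke the one-liner, and the
# output goes straight to stdout, so no C:\temp scratch file and no "select -Skip 2".
# Requires PowerShell 3.0 or later for Get-ChildItem -File.

$ErrorActionPreference = 'SilentlyContinue'   # keep WMI/access errors out of the event text

# Part 1: disk inventory, restricted to USB or removable disks, one fixed-format line per
# disk, sorted so that the output is identical between runs when nothing has changed.
$disks = Get-WmiObject -Class Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq 'USB' -or $_.MediaType -like 'Removable*' } |
    Sort-Object SerialNumber, Model

if ($disks) {
    foreach ($d in $disks) {
        'disk model={0} interface={1} serial={2} size={3} media={4}' -f `
            $d.Model, $d.InterfaceType, ($d.SerialNumber -replace '\s', ''), $d.Size, $d.MediaType
    }
} else {
    # A constant line keeps the output non-empty, so a check_diff rule fires only when a
    # device actually appears or disappears, not on every empty run.
    'disk none'
}

# Part 2: recursive file listing of every removable volume (Win32_Volume DriveType 2),
# the same query the thread's second command used with Get-Childitem -recurse.
$volumes = Get-WmiObject -Class Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

foreach ($v in $volumes) {
    'volume {0} label={1}' -f $v.DriveLetter, $v.Label
    Get-ChildItem -LiteralPath ($v.DriveLetter + '\') -Recurse -File |
        Sort-Object FullName |
        ForEach-Object {
            # Tab-separated, sorted rows: full path, size in bytes, last write time in UTC.
            "file`t{0}`t{1}`t{2}" -f $_.FullName, $_.Length, $_.LastWriteTimeUtc.ToString('u')
        }
}
```

OSSEC stores a full_command's output as a single event of bounded size, so a very large file listing will be cut short, as the truncated alert above shows; keep the listing to what the rule needs.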


[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-19 Thread Alexandre Laquerre
So the final result was as follows: as the first step I exported the agent
list and updated it (I basically erased 1000 agents that were no longer used
(#***) and then saved it in CSV format). Following that I used the script
manage_agents -f to reimport the whole agent list with new IDs. It basically
took a good hour. Once done, I created a script that would uninstall + install
the OSSEC agent (2.8.3) and then attribute its key to the installation, which
basically takes 5 seconds, and then it is up and running.

So all is now good. 

Hopefully this can help anyone that has a similar issue as well.

Cheers,


On Wednesday, April 13, 2016 at 11:23:28 AM UTC-4, Alexandre Laquerre wrote:
>
> I have added my ossec.conf and agent.conf. Is it possible to have a look
> to see if there is something that is off? (I have removed the IP address
> for the agentless section)
>
> Thank you,
>
> Alex
>
> On Wednesday, April 13, 2016 at 10:40:00 AM UTC-4, Kat wrote:
>>
>> You should disable RIDS:
>>
>> remoted.verify_msg_id=0
>>
>> The errors should go away. The problem is, RIDS must be removed on both 
>> agent and server, that may be causing issues.
>>
>> Kat
>>
>> On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>>>
>>> Hi,
>>>
>>> I have been using OSSEC for quite a while and we decided to upgrade the
>>> version (2.7.1) to 2.8.3, and that was relatively successful except for the
>>> fact that it pulled a number on my ossec.conf by creating indent problems
>>> and adding open brackets in the wrong area, but anyway it works. My issue is
>>> that for the moment our client will not update the OSSEC agents and wishes to
>>> keep 2.7.1. I have not seen any documentation that would indicate a
>>> compatibility issue; however, I noticed that no matter what I do, the agents
>>> will end up disconnecting. They will start out all active and then after 20
>>> minutes or so they will all be disconnected except for a small minority.
>>>
>>> When I performed the install I set the maximum number of agents to
>>> 4096 because the client has about … I would say close to 3000 agents.
>>> Furthermore, the installation did go well; however, I suspect that the
>>> agent.conf file in the shared folder got messed up due to this update being
>>> very significant. I have been working on this issue for at least three days
>>> and I am no longer certain where to look.
>>>
>>> I would like to specify that I have already tried to erase the RIDS
>>> while OSSEC is stopped (server), and when I start it back up again the same
>>> issue occurs. Now I am hoping the solution will not be to erase the RIDS
>>> from the client, as it would be a long process for our customer.
>>>
>>> Thank you,
>>>



Re: [ossec-list] Windows Agent Compilation

2016-04-19 Thread Victor Fernandez
Hi Kumar.

As you wrote:

> rc\win-pkg>"C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.8/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -I. -Iheaders/ -lwsock32


It doesn't seem to link the library "shlwapi", which contains the function 
PathFindFileName().


Please review the file "make.bat" and make sure that the option "-lshlwapi"
appears on every line that builds an executable which fails to compile.


As an example:

"C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall  -DARGV0=\"ossec-agent\" 
-DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c 
zlib-1.2.8/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c 
os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c 
os_crypto/shared/*.c rootcheck/*.c *.c -I. -Iheaders/ -lwsock32 -lshlwapi

Best regards.

Victor Fernandez.



[ossec-list] Re: ossec service in windows 10

2016-04-19 Thread Victor Fernandez
Hi Diego.

How do you start the service, with the UI or from Services?

Does OSSEC print something into the file "ossec.log"?

Best regards.

Victor Fernandez.



On Tuesday, April 19, 2016 at 12:15:49 PM UTC+2, Diego Arranz wrote:



[ossec-list] ossec service in windows 10

2016-04-19 Thread Diego Arranz
Hi all,

I'm testing Wazuh server on CentOS and OSSEC 2.8.3 as an agent on Windows 10
Professional (Spanish language). The problem is that when I try to start the
OSSEC service as a local account, the service doesn't run, with error 5: access
denied. If I set up any administrator account to run the service, all is OK.

I tried giving full permissions to the Network Service account and the Local
Service account over the folder, but the error is the same (error 5: access
denied).

Does anybody have any idea about this problem?

Thanks in advance.



[ossec-list] Re: UTF-8/16 support

2016-04-19 Thread Pedro S
Didn't hear about that before.

According to the error, maybe it is because of the UTF-8/16 like you said. We can
find it in the logcollector read_multiline log or at the syslog collector;
I would say OSSEC is not detecting the \n character...


On Sunday, April 17, 2016 at 2:05:53 PM UTC+2, DefensiveDepth wrote:
>
> It appears that OSSEC does not support log files encoded with UTF-8/16? I
> haven't seen any specific documentation on it, so I wanted to confirm. From
> the screenshot below, you can see that once a null char is encountered
> (after the T), it fails to read any further.
>
> http://screencast.com/t/tqozmdlzje
>
> -Josh
>
>
>
