[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
I have a batch script I wrote that could be used in place of
PowerShell...

@echo off
REM Ask WMI for every removable logical disk (drivetype=2) and keep the last
REM drive letter it returns in %var% (with several drives only the last is listed)
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
    set var=%%d
)
echo.
REM With no removable drive present %var% is empty and dir lists the current directory
dir /s %var% > C:\temp\test.txt
type C:\temp\test.txt

pause


The output is this when USB drives are available:

 Volume in drive F is F
 Volume Serial Number is 2971-7DFC

 Directory of F:\

08/11/2015  09:21 PM        12,836,794 38 Special - Caught Up In You.mp4
08/11/2015  09:21 PM        13,973,320 38 Special - Hold On Loosely.mp4
08/11/2015  09:14 PM        10,296,703 Alanis Morissette - Hand In My Pocket.mp4
08/11/2015  09:15 PM        19,490,518 Alanis Morissette - Ironic OFFICIAL VIDEO.mp4
08/11/2015  07:46 PM        10,015,763 All That Remains - Hold On.mp4
08/11/2015  07:46 PM        14,173,662 All That Remains - What If I Was Nothing.mp4
08/11/2015  07:20 PM        14,071,850 Andy Grammer - Honey Im Good Official Music Video.mp4

And this when none are inserted (this being run from my user's Desktop
directory... (I was looking at running this .bat from the OSSEC agent side
bin) or a subfolder of that..

 Volume in drive C has no label.
 Volume Serial Number is 84F7-A037

 Directory of C:\Program Files\ossec-agent\active-response\bin

04/20/2016  05:14 PM    <DIR>          .
04/20/2016  05:14 PM    <DIR>          ..
04/19/2016  05:30 PM               515 restart-ossec.cmd
04/19/2016  05:30 PM             1,520 route-null.cmd
04/20/2016  05:04 PM               215 usb.bat
               3 File(s)          2,250 bytes

     Total Files Listed:
               3 File(s)          2,250 bytes
               2 Dir(s)  860,057,559,040 bytes free

One of my concerns is that of getting this script info into the email
alerts as well as into OSSEC's host logs, in order to search via a keyword,
say "usb", in ELSA... I am still not
totally up to speed on how this works..

On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
>
> Wonder if I could wrap it into a test.ps1 and execute through
> powershell.exe
> -noprofile -executionpolicy bypass -file .\test.ps1
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:

[ossec-list] postfix-reject decoder not working with port in log entry

2016-04-20 Thread Tobias Margiani
Hi,

Trying to configure OSSEC for our mail server I noticed that our postfix log 
format is different from what ossec expects with the default rules.

The postfix-reject decoder reads the source ip and an error id, but in our 
logs there is also a port present (instead of "[x.x.x.x]: id" we have 
"[ip]:port: id"). Here is a (shortened) example log entry:

Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from 
[x.x.x.x]:9011: 550 5.7.1 Service unavailable; client [ip] blocked using ...

I now tried to overwrite the "postfix-reject" decoder locally (I hesitated to 
modify it directly because I thought updates would overwrite the decoder file). 
The problem is that decoders can't have the same name and there is no 
"overwrite" option as there is for rules.
Adding another decoder and overwriting rule 3300 (Grouping of the postfix 
reject rules.) also showed no effect, probably because the old decoder matches 
before any decoder in "local-decoders.xml" has a chance to match the log 
entry.

Is it correct that I should try not to change the shipped decoders/rules but 
create my own ones?
And is there a way to overwrite a decoder (or have I completely missed some 
different way to solve this problem)?

I hope this is the correct list to ask this question and thank you for any 
ideas.

Regards,
Tobias Margiani

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
Wonder if I could wrap it into a test.ps1 and execute through
powershell.exe 
-noprofile -executionpolicy bypass -file .\test.ps1

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is 
> detected using Power shell..
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
>
> with the following rule in local_rules.xml
> <rule id="503002" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'USBDevices'</match>
>   <check_diff />
>   <description>Mounted Device change detected</description>
> </rule>
>
>
>
>
> Of course I get this alert which is nice for basic logging..
>
> OSSEC HIDS Notification.
>
>  
>
> 2016 Apr 19 18:35:31 
>
>   
>
> Received From: (mis41) any->USBDevices 
>
> Rule: 503002 fired (level 7) -> "Mounted Device change detected" 
>
> Portion of the log(s): 
>
>   
>
> ossec: output: 'USBDevices': 
>
> Model  : TOSHIBA DT01ACA100 SCSI Disk Device 
>
> InterfaceType  : IDE 
>
> serialnumber   :359ZMW6MS 
>
> Size   : 1000202273280 
>
> MediaType  : Fixed hard disk media 
>
> CapabilityDescriptions : {Random Access, Supports Writing, SMART 
> Notification} 
>
> Model  : Verbatim STORE N GO USB Device 
>
> InterfaceType  : USB 
>
> serialnumber   : AA000489 
>
> Size   : 16022845440 
>
> MediaType  : Removable Media 
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports 
> Removable M 
>
>  edia} 
>
> Model  : Verbatim STORE N GO USB Device 
>
> InterfaceType  : USB 
>
> serialnumber   : AA000489 
>
> Size   : 16022845440 
>
> MediaType  : Removable Media 
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports 
> Removable M 
>
>   
>
>   
>
>   
>
>  --END OF NOTIFICATION
>
>
>
> I was playing around with Powershell and have an optional command to print 
> out USB storage device files recursively...
>
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
>
> this gives me this output in a tmp.txt if run from a powershell window and 
> or run line.
>
>
>     Directory: F:\
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        11/06/2015  12:38 PM       2290 mbam-setup-2.2.0.1024.exe
> -a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe
>
>     Directory: E:\
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        12/06/2011   9:51 AM     388608 HijackThis.exe
> -a---        03/04/2016   2:44 PM       2290 mbam-setup-2.2.0.1024.exe
> -a---        03/04/2016   2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists 
> into a USB detection report but have not had any success as of yet using 
> the above command instead of the first like below.
>
>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
>
> This gives me an empty C:\temp\test.txt file...
>
>
> Any suggestions would be appreciated...
>
>
>



Re: [ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Pedro Sanchez
I think  has a character limitation; try to remove empty spaces or
make the test.txt content shorter.

On Wed, Apr 20, 2016 at 12:39 AM, Jacob Mcgrath  wrote:

> Will try dropping the | select -Skip 2 from the Get-Content to see if that
> works, or maybe a -Raw output arg
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
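Both collectors in this thread round-trip through a temp file and skip Format-Table header lines, and the second form ends up with an empty test.txt while Pedro suspects a length limit on the command output. The script below is an added example, not code from the thread or from the OSSEC project: it enumerates every removable volume, writes one plain line per file straight to stdout (no temp file, nothing to `-Skip`), prints a fixed line when no stick is present so `check_diff` stays quiet, and caps the output at an assumed line budget. The script path in the comment and the `$MaxLines` default are assumptions.

```powershell
# usb-inventory.ps1 -- added example for this thread, not code from the
# original posts or from the OSSEC project. Meant to be the <command> of a
# full_command localfile, e.g. (script path is an assumption):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\ossec-agent\usb-inventory.ps1"
# A rule on the alias with <check_diff /> then fires only when this output changes.
param(
    # Assumed cap on emitted lines, so a large stick does not produce more
    # output than the agent will carry in one command result.
    [int]$MaxLines = 200
)

# DriveType 2 = removable media. Volumes with no drive letter (empty card
# readers) are dropped here so Get-ChildItem never receives an empty path.
$removable = Get-WmiObject Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

$lines = New-Object System.Collections.Generic.List[string]

if (-not $removable) {
    # Fixed text when nothing is inserted: check_diff compares runs verbatim,
    # so an unchanging line here means no alert until a stick shows up.
    $lines.Add('USB: none')
}

foreach ($vol in $removable) {
    $root = $vol.DriveLetter + '\'
    $header = 'USB: {0} label="{1}" serial={2:X8} capacity={3}' -f $root, $vol.Label, [uint32]$vol.SerialNumber, $vol.Capacity
    $lines.Add($header)

    # Files only, hidden ones included, stable order; unreadable entries are
    # skipped rather than aborting the whole inventory.
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Sort-Object FullName |
        ForEach-Object {
            $lines.Add(('  {0,12} {1:yyyy-MM-dd HH:mm} {2}' -f $_.Length, $_.LastWriteTime, $_.FullName))
        }
}

if ($lines.Count -gt $MaxLines) {
    # Truncate deterministically and say so, instead of letting the agent
    # cut the output at an unknown point.
    $omitted = $lines.Count - $MaxLines
    $lines = $lines.GetRange(0, $MaxLines)
    $lines.Add(('  ... {0} more line(s) omitted' -f $omitted))
}

# Plain strings go straight to stdout: no Format-Table header to skip and no
# temp file to read back.
$lines
```

Because every line carries size and last-write time, a file added to or changed on an already-known stick also changes the output and so trips the same `check_diff` rule.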



Re: [ossec-list] Re: Rule 1002 continues to fire after creating local overwriting rule

2016-04-20 Thread James Stallings
Service restarts did not clear the defunct process. I ended up killing them 
off and restarting. The server is healthy now and processing rules 
correctly. Thanks for all the help.

On Wednesday, April 20, 2016 at 8:46:21 AM UTC-4, dan (ddpbsd) wrote:



Re: [ossec-list] Re: Rule 1002 continues to fire after creating local overwriting rule

2016-04-20 Thread dan (ddp)
On Mon, Apr 18, 2016 at 5:46 PM, James Stallings  wrote:
> I believe root cause here was a bunch of old OSSEC processes that were still
> holding an older config in memory even after I had cycled the daemons on
> several occasions. I no longer see the issue. Has anyone seen this sort of
> behavior before?
>

It's not common, but it does happen. You can probably find several
instances of it on the mailing list.



[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Diego Arranz
Ok, I reviewed all permissions inside the folder for the system account and now
everything runs ok.

Thanks so much for the help

On Wednesday, April 20, 2016 at 10:02:07 (UTC+2), Victor Fernandez 
wrote:



Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread Robert Micallef
Sure. Current rule:

  <rule id="531" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -h': /dev/</match>
    <regex>100%</regex>
    <description>Partition usage reached 100% (disk space monitor).</description>
    <group>low_diskspace,</group>
  </rule>

Leave that rule for 100% (so you don't modify the original rules).

In local_rules add:

  <rule id="..." level="...">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -h': /dev/</match>
    <regex>9\d%</regex>
    <description>Partition usage over 90% (disk space monitor).</description>
    <group>low_diskspace,</group>
  </rule>

On 20 April 2016 at 10:17, theresa mic-snare  wrote:




Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread theresa mic-snare
cool, would you mind sharing those custom rules with us? the threshold 
(over 90%) one is specifically appealing to me :)

On Wednesday, April 20, 2016 at 09:12:29 UTC+2, Robert Micallef wrote:



[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Victor Fernandez
I had Error 5 when the file "ossec-agent.exe" had no permissions for 
"SYSTEM".

Unfortunately, when we change the IP in the UI, the file "ossec.conf" is 
re-created without SYSTEM permissions, so the service starts and exits 
suddenly, but it prints the access error in the "ossec.log".

So, make sure that SYSTEM has permissions for the executable files inside the 
"ossec-agent" directory and for "ossec.conf".

Kind regards.



[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Diego Arranz
Hi

  To install OSSEC,

   First I create an Administrators group and add the users to this 
group (this user belongs to the local Administrator group too), then install it 
without error in, for example, "d:\ossec\ossec-agent". 

To configure the agent (OSSEC server and key) I use the GUI and try to start it 
from there, with this error: "Unable to start agent(check config)". 

If I try to start it as a service the error is "windows cannot start OSSEC 
HIDS in local computer. Error 5: Access Deny".

If I set up the OssecSvc service with the administrator account instead 
of the local system account, all is ok.

   The permissions for the folder d:\ossec\ossec-agent are: full control to 
system, local service, network service, administradores group, usuarios 
group and Administrators group.

   When I try to start it with the local system account in Services, nothing is 
printed into ossec.log.

  I tried to uninstall and install again in another folder and change 
permissions, but nothing.. it only runs when I change the service account to 
a user, not for the local system account.

Best Regards

On Tuesday, April 19, 2016 at 20:41:00 (UTC+2), Victor Fernandez wrote:
>
> Hi Diego.
>
> How do you start the service, with the UI or from Services?
>
> Does OSSEC print something into the file "ossec.log"?
>
> Best regards.
>
> Victor Fernandez.
>
>
>
> On Tuesday, April 19, 2016 at 12:15:49 PM UTC+2, Diego Arranz wrote:
>>
>> Hi all,
>>
>>I'm testing Wazuh server on CentOS and OSSEC 2.8.3 as agent on Windows 
>> 10 Professional (Spanish language). The problem is when I try to start the 
>> OSSEC service as the local account: the service doesn't run, with error 5: access 
>> denied. If I set up any administrator account to run the service, all is 
>> ok.
>>
>>   I tried to give full permissions to the network service account and local 
>> service account over the folder but the error is the same (error 5: access 
>> denied)
>>
>>   
>>
>>   Does somebody have any idea about this problem??
>>
>> Thanks in advance.
>>
>



[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Victor Fernandez
P.S.: I detected that sometimes, if I had already created the group 
"Administrators" (for non-English Windows versions), OSSEC grants file 
permissions only to the group "Administrators".

In order to start a service, executable files must have execute 
permissions for "SYSTEM". So, please make sure that "ossec-agent.exe" and 
every ".exe" file has permissions for SYSTEM. I did the following steps:

   1. Open properties for directory "C:\Program Files\ossec-agent" (or 
   "C:\Program Files (x86)\ossec-agent")
   2. Go to tab "Security". Make sure there are permissions for "SYSTEM".
   3. Now click on button "Advanced".
   4. On tab "Permissions", you may have to click "Change permissions".
   5. Mark box "Replace all child object permission entries with 
   inheritable permission entries from this object". (In Spanish: "Reemplazar 
   todas las entradas de permisos secundarios por entradas de permisos 
   heredables de este objeto".)
   6. Click "Accept" and confirm the dialog box that will appear.
   7. Try to start the agent.

I hope this will be useful for you.
Best regards.

Victor Fernandez.
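The seven GUI steps above check and reset the SYSTEM permissions by hand. The script below is an added example, not code from the thread or from OSSEC, that does the audit part from PowerShell: it reports every .exe under the agent directory, plus ossec.conf, that has no Allow entry granting SYSTEM read-and-execute. It matches SYSTEM by its well-known SID rather than the display name, which differs between English and Spanish Windows. The install directory is an assumption; the commented icacls line is the scripted equivalent of step 5.

```powershell
# check-ossec-system-acl.ps1 -- added example, not from the original posts or
# from OSSEC. Reports every .exe under the agent directory, plus ossec.conf,
# on which SYSTEM has no Allow entry carrying ReadAndExecute. Run from an
# elevated prompt so Get-Acl can read each security descriptor.
param(
    # Assumed install location; adjust for "C:\Program Files (x86)\ossec-agent"
    # or a custom path such as the d:\ossec\ossec-agent used in this thread.
    [string]$AgentDir = 'C:\Program Files\ossec-agent'
)

# Match SYSTEM by its well-known SID, which is the same on every Windows
# language; the display name is localized (NT AUTHORITY\SYSTEM, SISTEMA, ...).
$systemSid = 'S-1-5-18'
$needed    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-SystemCanExecute {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited entries both count; inherited ones are what the
    # GUI step "replace all child object permission entries" pushes down.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $systemSid -and
            $r.AccessControlType -eq 'Allow' -and
            (($r.FileSystemRights -band $needed) -eq $needed)) {
            return $true
        }
    }
    # Entries expressed as generic rights (negative FileSystemRights values)
    # are not expanded here and would be reported as missing.
    return $false
}

$exes = @(Get-ChildItem -LiteralPath $AgentDir -Recurse -File -Filter '*.exe')
$conf = @(Get-Item -LiteralPath (Join-Path $AgentDir 'ossec.conf') -ErrorAction SilentlyContinue)
$targets = $exes + $conf

$missing = @($targets | Where-Object { $_ -and -not (Test-SystemCanExecute $_.FullName) })

if ($missing.Count -gt 0) {
    "SYSTEM lacks read/execute on $($missing.Count) file(s) under ${AgentDir}:"
    $missing | ForEach-Object { '  ' + $_.FullName }
    # Scripted equivalent of the GUI "replace child entries" step: grant an
    # inheritable SYSTEM read/execute entry on the directory and propagate it.
    #   icacls "$AgentDir" /grant "*S-1-5-18:(OI)(CI)RX" /T
} else {
    "SYSTEM has read/execute on every .exe and on ossec.conf under $AgentDir"
}
```

Re-run the check after the GUI steps or the icacls line; an empty "lacks" list is the state in which the service can start under the local system account.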



[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-20 Thread theresa mic-snare
awesome, thanks for sharing your experience with us Alexandre.
I'm sure this could be beneficial to others as well!

On Tuesday, April 19, 2016 at 21:13:00 UTC+2, Alexandre Laquerre wrote:
>
> So the final result was as follows: the first step, I exported the agent 
> list and updated the list (I basically erased 1000 agents that were no 
> longer used (#***) and then saved it in csv format. Following that I used 
> the script manage_agents -f to reimport the whole agent list with new IDs. 
> It basically took a good hour. Once done I created a script that would 
> uninstall + install the Ossec Agent (2.8.3) and then attribute its key to 
> the installation, which basically takes 5 seconds and then it is up and 
> running. 
>
> So all is now good. 
>
> Hopefully this can help anyone that has a similar issue as well.
>
> Cheers,
>
>
> On Wednesday, April 13, 2016 at 11:23:28 AM UTC-4, Alexandre Laquerre 
> wrote:
>>
>> I have added my ossec.conf and agent.conf , Is it possible to have  a 
>> look to see if there is something that is off ? ( i have removed the IP 
>> adress for the agentless section)
>>
>> Thank you,
>>
>> Alex
>>
>> On Wednesday, April 13, 2016 at 10:40:00 AM UTC-4, Kat wrote:
>>>
>>> You should disable RIDS:
>>>
>>> remoted.verify_msg_id=0
>>>
>>> The errors should go away. The problem is, RIDS must be removed on both 
>>> agent and server, that may be causing issues.
>>>
>>> Kat
>>>
>>> On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:

 Hi,

  

 I have been using Ossec for quite a while and we decided to upgrade the 
 version (2.7.1) to 2.8.3 and that was relatively successful except for the 
 fact that it pulled a number on my Ossec.conf by creating indent problems 
 and adding open brackets in the wrong area, but anyway it works. My issue is 
 that for the moment our client will not update the OSSEC agents and wishes to 
 keep the 2.7.1. I have not seen any documentation that would indicate a 
 compatibility issue; however, I noticed that no matter what I do, the agents 
 will end up disconnecting. They will start out all active and then after 20 
 minutes or so they will all be disconnected except for a small minority. 

  

 When I performed the install I set the maximum number of agents to 
 4096 because the client has about … I would say close to 3000 agents; 
 furthermore, the installation did go well, however I suspect that the 
 agent.conf file in the shared folder got messed up due to this update being 
 very significant. I have been working on this issue for at least three days 
 and I am no longer certain where to look.

  

 I would like to specify that I have already tried to erase the RIDS 
 while OSSEC is stopped (server) and when I start it back up again the same 
 issue occurs. Now I am hoping the solution will not be to erase the rids 
 from the client as it would be a long process for our customer.

  

 Thank you,

  






Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread Robert Micallef
I added custom rules to alert if space is over 90%.

On 20 April 2016 at 02:16, Santiago Bassett 
wrote:

> Out of curiosity, what is the rule supposed to trigger the alert?  The one
> I see by default looks for full partitions...
>
>
> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>
> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef 
> wrote:
>
>> I tested it on CentOS 5 and the output of df is as expected (Single line).
>>
>> We don't have a lot of RHEL5 but this happens on every 1 I tried so far
>> (I tried 7).
>>
>> Here is the output of df -h on RHEL5:
>>
>> FilesystemSize  Used Avail Use% Mounted on
>> /dev/mapper/VolGroup00-LogVol00
>>23G   16G  5.4G  75% /
>> /dev/hda1  99M   13M   82M  14% /boot
>> tmpfs 4.9G 0  4.9G   0% /dev/shm
>>
>> Here is the output of a CentOS 5 machine:
>>
>> FilesystemSize  Used Avail Use% Mounted on
>> /dev/sda3 1.9T  1.7T  104G  95% /
>> /dev/sda1  99M   36M   58M  39% /boot
>> tmpfs 3.9G 0  3.9G   0% /dev/shm
>>
>> So the CentOS is a single line and OSSEC picks that log perfectly. But
>> RHEL5 it will see 2 logs:
>>
>> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>> ossec: output: 'df -h':23G   16G  5.4G  75% /
>>
>> And doesn't work. Tested in RHEL 5.8 and 5.11.
>>
