[ossec-list] Re: Prerequisites Installation OSSEC

2016-04-26 Thread Pedro S
Hi,

Regarding the hardware requirements, it depends on your environment and how 
many agents you want to deploy.

Disk: Depends on the traffic load of your agents; if we knew that, we could 
calculate the EPS... How long do you want to store the logs? I think 300 GB 
or 500 GB should be enough.
RAM: Again, depends on your traffic (for the analysisd daemon and the remoted 
daemon); 4 GB should be enough.
Processor: I would say any dual-core processor greater than 2.5 GHz... 
since OSSEC is not multi-threaded I am not sure you will need more than 
that.
OS: OSSEC Manager needs to run on a Linux platform, Redhat/Debian.


Maybe someone can bring us some light here, but those would be the 
requirements in my opinion!

Best regards,

Pedro S.

On Tuesday, April 26, 2016 at 1:08:15 AM UTC+2, Adiel Navarro wrote:
>
>  
>
> What are the hardware prerequisites to install OSSEC?
>
>  
>
> I need information about disk, memory, processor, operating system, etc.
>
>  
>
> Thanks, regards.
>
>  
>
>  
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Jesus Linares
Interesting thread.

Lately I'm using the Amazon EC2 Rules; I find them really useful, and you 
can find more rules for Amazon in the linked repository. Also, this script 
to update your rules automatically may be of interest.

I would like to know what rules you are missing in OSSEC.


Regards.
Jesus Linares.

On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote:
>
> 1002 ;))
>
> On Friday, 22 April 2016 19:07:32 UTC+2, namobud...@gmail.com wrote:
>>
>> These worked great, just wondering if you have any updates.
>>
>> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>>
>>> Good thread idea. I’ve copied a few Windows-centric rules below. Some of 
>>> the rules that lean heavily on  could no doubt be improved, but they 
>>> don’t bother me with false positives or performance issues in my small 
>>> environment, so I don’t worry about it. YMMV. I also have some decoders and 
>>> rules for Cowrie honeypots, but intend to polish those up and submit a pull 
>>> request for those one of these days. If anyone is interested in testing 
>>> them though, I could send those off list.
>>>
>>>  
>>>
>>> 
>>>
>>> 594
>>>
>>> \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>>
>>> A change has been made to the software that 
>>> automatically runs at startup.
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18103
>>>
>>> Length specified in network packet
>>>
>>> Somebody is sending malformed data to your SQL 
>>> Server. You should probably investigate.
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18101
>>>
>>> PSEXESVC|PsExec
>>>
>>> Remote access via PSEXEC. If this wasn't initiated 
>>> by you, then you've got a problem.
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18102
>>>
>>> ^2004$
>>>
>>> diagnosed
>>>
>>> There's a problem with abnormal memory usage on 
>>> this system! Please investigate the indicated processes.
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18104
>>>
>>> 4698
>>>
>>> A scheduled task has been created on this machine. 
>>> Please review.
>>>
>>> Requires group policy modification to the Advanced 
>>> Security Audit policy/Audit Other Object Access Events. See: 
>>> https://technet.microsoft.com/en-us/library/dn319119.aspx
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18103
>>>
>>> 36874|36888
>>>
>>> recon_ssl,
>>>
>>> Add Schannel errors to the custom recon_ssl 
>>> group
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> recon_ssl
>>>
>>> There have been over 40 SSL cipher suite probes in 
>>> the last two minutes. Someone may be performing reconnaissance on your 
>>> servers, assessing whether one of your SSL-enabled services is vulnerable 
>>> to exploits.
>>>
>>> Unfortunately, Schannel errors are of limited usefulness. 
>>> They occur without any indication of which IP address caused them, so 
>>> consulting contextual log info or firewall logs is the only way to track 
>>> down who is responsible.
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18103
>>>
>>> ^1000$|^1002$|^7023$|^7034$
>>>
>>> 
>>>
>>> A program or service has crashed. Investigate as 
>>> appropriate.
>>>
>>> 
>>>
>>>  
>>>
>>> 
>>>
>>> 18101
>>>
>>> ^7045$
>>>
>>> A new service has been installed on this 
>>> computer.
>>>
>>> 
>>>
>>>  
>>>
>>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
>>> Behalf Of *namobud...@gmail.com
>>> *Sent:* Thursday, March 3, 2016 6:35 AM
>>> *To:* ossec-list 
>>> *Subject:* [ossec-list] What's your favorite rules?
>>>
>>>  
>>>
>>> I'm wondering what everyone's favorite rules are.
>>>
>>>  
>>>
>>> I'm trying to come up with some new rules to tighten security, so I 
>>> would like to hear (and see code snippets) of folks' favorites, and what 
>>> they are designed to detect, i.e. detect commands run, look for certain 
>>> IOCs and so on. I'm impressed with how much OSSEC does out of the box too!
>>>
>>>  
>>>
>>> Thanks!
>>>
>>>  
>>>
>>



Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
I woke up this morning with a notification on my phone that the following 
rule fired again:


31108
"\(\)\s*{\s*:;\s*}\s*;
Shellshock attack detected
attack,pci_dss_11.4,


Just as I thought that the Shellshock hype was over... someone from China 
tried to penetrate my server again...
Harmless since I patch my server frequently, but still interesting to see 
what's going on.

Good to see that OSSEC is capable of detecting recent/modern threats :)

On Tuesday, 26 April 2016 13:44:42 UTC+2, Jesus Linares wrote:
>
> Interesting thread.
>
> Lately I'm using the Amazon EC2 Rules; I find them really useful, and you 
> can find more rules for Amazon in the linked repository. Also, this script 
> to update your rules automatically may be of interest.
>
> I would like to know what rules you are missing in OSSEC.
>
>
> Regards.
> Jesus Linares.
>
Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
Also, I should explain why I first wrote 1002.
I often check for this rule (2 - Unknown problem somewhere in the system.) 
just to see if there are any false positives that haven't been covered by 
an existing rule yet.
Then I would see which log event needs a new rule or decoder, so that it 
would be covered the next time it occurs :)


On Tuesday, 26 April 2016 14:08:29 UTC+2, theresa mic-snare wrote:
>
> I woke up this morning with a notification on my phone that the following 
> rule fired again:
>
> 
> 31108
> "\(\)\s*{\s*:;\s*}\s*;
> Shellshock attack detected
> attack,pci_dss_11.4,
> 
>
> Just as I thought that the Shellshock hype was over... someone from 
> China tried to penetrate my server again...
> Harmless since I patch my server frequently, but still interesting to see 
> what's going on.
>
> Good to see that OSSEC is capable of detecting recent/modern threats :)
>

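One way to turn the rule 1002 habit described above into a routine, as an added example that is neither from the post nor from OSSEC: a Python script that parses alerts.log, keeps the rule 1002 alerts and groups them by syslog program, keeping one sample log per program to build the next decoder or rule from. The alert records are constructed for the example; the layout the parser assumes (a `** Alert` header line, a location line, a `Rule:` line, then the raw log, blocks separated by a blank line) follows what OSSEC writes to alerts.log and is an assumption about the installation it is run against.

```python
"""Triage of rule 1002 alerts from alerts.log.

Added example, not OSSEC's own code. The alert text is constructed; the
block layout it assumes follows the alerts.log format.
"""
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

SAMPLE_ALERTS = """\
** Alert 1461672509.1201: - syslog,errors,
2016 Apr 26 14:08:29 web01->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 26 14:08:29 web01 backup-agent[2231]: fatal: snapshot upload failed (code 17)

** Alert 1461672540.1202: - syslog,sshd,authentication_failed,
2016 Apr 26 14:09:00 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Apr 26 14:09:00 web01 sshd[2300]: Failed password for invalid user test from 10.0.0.7 port 5022 ssh2

** Alert 1461672601.1203: - syslog,errors,
2016 Apr 26 14:10:01 web01->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 26 14:10:01 web01 backup-agent[2231]: fatal: snapshot upload failed (code 17)

** Alert 1461672660.1204: - syslog,errors,
2016 Apr 26 14:11:00 db01->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 26 14:11:00 db01 kernel: [12345.678] EXT4-fs error (device sda1): bad block bitmap
"""

RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
# "Mon DD hh:mm:ss host program[pid]:" - program name runs up to the colon/bracket
SYSLOG_PROGRAM = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ([^\s:\[]+)(?:\[\d+\])?:")


def parse_alerts(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per alert block: rule id, level, location and raw log."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 4 or not lines[0].startswith("** Alert "):
            continue                       # not an alert block, skip it
        m = RULE_LINE.match(lines[2])
        if m is None:
            continue
        yield {
            "rule": int(m.group(1)),
            "level": int(m.group(2)),
            "description": m.group(3),
            "location": lines[1],
            "log": "\n".join(lines[3:]),   # multi-line logs keep every line
        }


def triage(text: str, rule_id: int = 1002) -> Tuple[Counter, Dict[str, str]]:
    """Count rule_id alerts per syslog program and keep one sample log each."""
    counts: Counter = Counter()
    samples: Dict[str, str] = {}
    for alert in parse_alerts(text):
        if alert["rule"] != rule_id:
            continue
        m = SYSLOG_PROGRAM.match(str(alert["log"]))
        program = m.group(1) if m else "<no program field>"
        counts[program] += 1
        samples.setdefault(program, str(alert["log"]))
    return counts, samples


if __name__ == "__main__":
    counts, samples = triage(SAMPLE_ALERTS)
    for program, n in counts.most_common():
        print(f"{n:>4}  {program:<16} e.g. {samples[program]}")
```

The sshd alert is ignored because it already hit a specific rule; the two backup-agent lines and the kernel line are the ones still landing on 1002, so they are the candidates for a new decoder (or a rule under the existing syslog decoder) so that they are classified next time.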
Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
In what _rules.xml file is 1002 located? I wish I had some kind of rules 
legend to reference. Thanks. ;-)



On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, theresa mic-snare wrote:
>
> Also, I should explain why I first wrote 1002
> I often check for this rule (2 - Unknown problem somewhere in the 
> system.) just to see if there are any false-positives that haven't been 
> covered by an existing rule yet.
> Then I would see which log event needs a new rule or decoder, so that it 
> would be covered the next time it occurs :)
>
>

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread dan (ddp)
On Tue, Apr 26, 2016 at 10:15 AM, Rob B  wrote:
> what _rules.xml file is 1002 located?   I wish I had some kind of rules
> legend to reference.  Thanks.  ;-)
>

[ddp@ix] :; grep '"1002"' /var/ossec/rules/*_rules.xml
/var/ossec/rules/syslog_rules.xml:  



Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
NM, found it!  ;-)   syslog  duh.

On Tuesday, April 26, 2016 at 10:15:03 AM UTC-4, Rob B wrote:
>
> In what _rules.xml file is 1002 located? I wish I had some kind of rules 
> legend to reference. Thanks. ;-)
>
>
>

[ossec-list] A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread namobuddhaonion
Hello group,

Here is an interesting article on how Regsvr32.exe can use .com script files 
to execute code. I didn’t see a remediation, but it’s good to at least be 
aware of it.

http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html

My question is can we write a rule to detect that Regsvr32.exe has been run?

Thanks,



Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
I find this a very interesting set of rule(s)


  18100
  /services.exe
  Sysmon - Suspicious Process - services.exe
  pci_dss_10.6.1,pci_dss_11.4,



  184746
  wininit.exe
  Sysmon - Legitimate Parent Image - services.exe




On Tuesday, April 26, 2016 at 10:17:17 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Apr 26, 2016 at 10:15 AM, Rob B wrote: 
> > In what _rules.xml file is 1002 located? I wish I had some kind of rules 
> > legend to reference. Thanks. ;-) 
> > 
>
> [ddp@ix] :; grep '"1002"' /var/ossec/rules/*_rules.xml 
> /var/ossec/rules/syslog_rules.xml:   
>
>

[ossec-list] Change alert level for changes to system configuration files and system binaries

2016-04-26 Thread Tahir Hafiz
Guys I am staring at this:

   
/etc,/usr/bin,/usr/sbin
/bin,/sbin


Does anyone know where I can change the default alert level for the 
directories above? I want to modify changes to the above to Alert Level 14.
Basically, I am hooking OSSEC into Nagios alerting with a shell script, but 
I only want to be alerted (hook into Nagios) at Level 14 or above.

Is there a way I can do it in the standard config file, 
/var/ossec/etc/ossec.conf?

I would prefer not to modify anything in the rules directory but just have 
any mods in the same place in the standard config file. 

Cheers,
Tahir
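
One way to get the level-14 alert Tahir is after, as an added example that is not from this thread or from the OSSEC project: a local rule that re-scores the stock syscheck alerts when the changed path lies under one of the monitored system directories. It assumes the stock parent rule ids 550 (checksum changed), 553 (file deleted) and 554 (file added); 100200 is a placeholder id in the local-rule range (100000 and up), and /var/ossec/rules/local_rules.xml is the usual file for it. The `<directories>` lines in ossec.conf only decide what syscheck watches; alert levels are not set there, so this is the one place the rules directory has to be touched.

```xml
<!-- Added example, not from the thread or from OSSEC's shipped rules.
     File: /var/ossec/rules/local_rules.xml (already included by ossec.conf).
     Assumed parent ids from the stock syscheck rules:
       550 = integrity checksum changed, 553 = file deleted, 554 = file added.
     100200 is a placeholder id in the local range. -->
<group name="syscheck,local,">

  <!-- Re-score any syscheck alert whose reported path is under the
       directories the syscheck block in ossec.conf monitors. '|' is OR in
       an OSSEC <match>; the pattern is a substring search, so "/bin/" also
       covers "/usr/bin/". -->
  <rule id="100200" level="14">
    <if_sid>550, 553, 554</if_sid>
    <match>/etc/|/usr/bin/|/usr/sbin/|/bin/|/sbin/</match>
    <description>Integrity change to a system configuration file or system binary.</description>
  </rule>

</group>
```

After adding it, restart the manager with /var/ossec/bin/ossec-control restart and modify a throw-away file under /etc on a test host at the next syscheck run; the entry in /var/ossec/logs/alerts/alerts.log should now carry rule 100200 at level 14, which is what the Nagios hook can key on.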




[ossec-list] Re: A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread Rob B
Interesting..   thanks for that blog post.   COM+   lol, classic!

anyhow, here is a crude one but it works..  ;-)


  18100
  Regsvr32.exe
  Suspicious - "Regsvr32" Capable of application whitelisting 
bypass.




On Tuesday, April 26, 2016 at 11:37:07 AM UTC-4, namobud...@gmail.com wrote:
>
> Hello group,
>
> Here is an interesting article on how Regsvr32.exe can use .com script files 
> to execute code. I didn’t see a remediation, but it’s good to at least be 
> aware of it. 
>
>
> http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
>
> My question is can we write a rule to detect that Regsvr32.exe has been 
> run?
>
> Thanks,
>
>



Re: [ossec-list] A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread J. Craig
Remediations include:
- restricting permissions to the binary
- windows firewall blocking network access to binary

If a user has admin or a path to admin, these are just speed bumps.

Sysmon would be useful here for instrumentation: e.g. look for regsvr32.exe
executing and/or making any network connections.


On Tue, Apr 26, 2016 at 8:37 AM,  wrote:

> Hello group,
>
> Here is an interesting article on how Regsvr32.exe can use .com script files
> to execute code. I didn’t see a remediation, but it’s good to at least be
> aware of it.
>
>
> http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
>
> My question is can we write a rule to detect that Regsvr32.exe has been
> run?
>
> Thanks,
>

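Putting Rob B's crude rule and J. Craig's Sysmon suggestion together, as an added example that is neither Rob's rule nor anything shipped by OSSEC or Sysmon: an agent `<localfile>` stanza that forwards the Sysmon channel, and two local rules that score regsvr32.exe being executed (Sysmon event 1) and regsvr32.exe opening a network connection (Sysmon event 3) separately, since the second is the rarer and more telling of the two. Assumptions: 18100 is the stock "Group of windows rules" parent that Rob's rule also hangs off; Sysmon's event text begins with `Process Create:` and `Network connection detected:` respectively and carries an `Image:` field; ids 100210 and 100211 are placeholders in the local range; the levels are illustrative.

```xml
<!-- Added example, not from the thread or from OSSEC/Sysmon. -->

<!-- 1) Agent side, ossec.conf on the Windows host (assumes Sysmon is
        installed): forward the Sysmon operational channel. -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<!-- 2) Manager side, /var/ossec/rules/local_rules.xml.
        18100 is assumed to be the stock "Group of windows rules" parent.
        100210 / 100211 are placeholder ids in the local range.
        In OS_Regex a literal backslash is written "\\", so the pattern
        below matches the tail of the Image path. Both <match> and <regex>
        must hit for the rule to fire. -->
<group name="windows,sysmon,local,">

  <!-- Sysmon event 1: regsvr32.exe started. The substring search also
       fires when regsvr32.exe is the ParentImage, which is worth a look. -->
  <rule id="100210" level="7">
    <if_sid>18100</if_sid>
    <match>Process Create:</match>
    <regex>\\regsvr32.exe</regex>
    <description>Sysmon: regsvr32.exe executed. Review command line and parent process.</description>
  </rule>

  <!-- Sysmon event 3: regsvr32.exe made a network connection. Registering
       a local DLL never needs the network, so score this higher. -->
  <rule id="100211" level="12">
    <if_sid>18100</if_sid>
    <match>Network connection detected:</match>
    <regex>\\regsvr32.exe</regex>
    <description>Sysmon: regsvr32.exe opened a network connection.</description>
  </rule>

</group>
```

Rule 100211 is the one to wire into paging; 100210 will fire on every legitimate DLL registration (installers do it constantly), so keep it at a level you log but do not page on, and tune from what shows up in alerts.log on a few representative hosts. J. Craig's firewall point complements this: a Windows Firewall outbound block for regsvr32.exe turns the event-3 alert into a blocked-connection event rather than a completed one.
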


[ossec-list] ossec users and group should be in system groups

2016-04-26 Thread Dennis Golden
Over the past several years, I have submitted diffs for 
InstallServer.sh and InstallAgent.sh to make the users and group be in 
the range for system users/groups.


I use openSUSE that has always supported the '-r' flag in the "groupadd" 
and "useradd" commands. Even though I don't use other distributions, I 
have been unable to find a distribution that does not support system 
users/groups.


I can continue to patch my installations to do this; however, since my 
checks for support and use of the flag would work on any system that 
doesn't support it, I would really like to have it included.


I am also planning on switching to wazuh for ossec-hid; would I submit a 
get request to ossec or wazuh?


Regards,

Dennis
--
Dennis Golden
Golden Consulting Services, Inc.
