Re: [ossec-list] in solaris - does realtime check work?
I think that realtime monitoring is not supported under solaris.

eero

8.9.2016 9.40 PM "Stephen LuShing" wrote:
> I installed ossec on solaris and am trying to check some directories, so I set up
> the following in ossec.conf
>
> check_all="yes">/etc,/usr/bin,/usr/sbin,/usr/sfw/bin
> check_all="yes">/bin,/sbin,/usr/ccs/bin
> yes
>
> When I started I get the WARN message - will ossec check for it? It will be
> ignored.
>
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/sfw/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/ccs/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/etc'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/sfw/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/ccs/bin'.
>
> Stephen LuShing

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] in solaris - does realtime check work?
I installed ossec on solaris and am trying to check some directories, so I set up the following in ossec.conf

/etc,/usr/bin,/usr/sbin,/usr/sfw/bin
/bin,/sbin,/usr/ccs/bin
yes

When I started I get the WARN message - will ossec check for it? It will be ignored.

2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/sfw/bin'.
2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/usr/ccs/bin'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/etc'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/bin'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/sbin'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/sfw/bin'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/bin'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/sbin'.
2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/ccs/bin'.

Stephen LuShing
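Added example, not part of the thread or of OSSEC's own code: OSSEC's realtime syscheck is built on inotify (Linux) and the Windows directory-change API, so on other platforms the flag is logged as ignored and the directory is only covered by the scheduled scan. The script below cross-references the syscheck section of ossec.conf with the start-up lines ossec-syscheckd writes to ossec.log and reports, per directory, whether it is watched in real time, only scanned on the `frequency` interval, or not monitored at all. The configuration and log lines are constructed after the post; `realtime="yes"` in the sample config is an assumption about the poster's setup, and `/opt/app/bin` is a made-up directory added to show the "not monitored" case.

```python
"""Report what OSSEC syscheck actually covers after start-up.

Added example (my own code, not OSSEC's). Input: the <syscheck> section of
ossec.conf plus the INFO/WARN lines syscheckd logs at start-up.
"""
import re
import xml.etree.ElementTree as ET

# syscheck's default scan interval when <frequency> is absent: 79200 s (22 h).
DEFAULT_FREQUENCY = 79200

MONITOR_RE = re.compile(
    r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'\.")
IGNORE_RE = re.compile(
    r"ossec-syscheckd: WARN: Ignoring flag for real time monitoring "
    r"on directory: '([^']+)'\.")

# Constructed config; realtime="yes" is assumed, /opt/app/bin is made up.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/usr/sfw/bin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/ccs/bin</directories>
    <directories check_all="yes">/opt/app/bin</directories>
  </syscheck>
</ossec_config>"""

# Constructed after the lines in the post.
_DIRS = ["/etc", "/usr/bin", "/usr/sbin", "/usr/sfw/bin", "/bin", "/sbin", "/usr/ccs/bin"]
SAMPLE_LOG = "\n".join(
    [f"2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '{d}'." for d in _DIRS]
    + [f"2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time "
       f"monitoring on directory: '{d}'." for d in _DIRS]
)


def requested_realtime(conf_xml):
    """Return ({directory: realtime_requested}, scan_frequency_seconds)."""
    root = ET.fromstring(conf_xml)
    sc = root.find("syscheck")
    freq = DEFAULT_FREQUENCY
    dirs = {}
    if sc is None:
        return dirs, freq
    if sc.findtext("frequency"):
        freq = int(sc.findtext("frequency"))
    for d in sc.findall("directories"):
        realtime = (d.get("realtime") or "no").strip().lower() == "yes"
        for path in (d.text or "").split(","):
            path = path.strip()
            if path:
                dirs[path] = realtime
    return dirs, freq


def coverage(conf_xml, log_text):
    """Map each configured directory to how syscheck actually covers it."""
    dirs, freq = requested_realtime(conf_xml)
    monitored, ignored = set(), set()
    for line in log_text.splitlines():
        m = MONITOR_RE.search(line)
        if m:
            monitored.add(m.group(1))
        m = IGNORE_RE.search(line)
        if m:
            ignored.add(m.group(1))

    report = {}
    for path, realtime in dirs.items():
        if path not in monitored:
            report[path] = "not monitored"
        elif realtime and path in ignored:
            report[path] = f"scheduled only (every {freq}s); realtime flag ignored"
        elif realtime:
            report[path] = "realtime"
        else:
            report[path] = f"scheduled only (every {freq}s)"
    return report


if __name__ == "__main__":
    for path, status in coverage(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"{path:15s} {status}")
```

Run it against the real files with `coverage(open("/var/ossec/etc/ossec.conf").read(), open("/var/ossec/logs/ossec.log").read())` after a restart; a directory reported as "scheduled only" with the 22-hour default is the one to give an explicit, shorter `frequency`, since no realtime fallback exists on that platform.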
Re: [ossec-list] Not getting Active Response to work - reducing number of messages with integrity sum changes upon package update
Getting back to this old issue I finally found time to do some more testing. My own script was apparently not called because the active-response was disabled for the commands "host-deny" and "firewall-drop" (or maybe one of them - I did not check). After enabling the two, it works. Not sure why ossec behaves this way.

On Friday, 29 July 2016 16:45:49 UTC+2, Dominik wrote:
> On Friday, 29 July 2016 14:20:41 UTC+2, dan (ddpbsd) wrote:
> > On Fri, Jul 29, 2016 at 2:50 AM, Dominik wrote:
> > > On Thursday, 28 July 2016 17:51:23 UTC+2, dan (ddpbsd) wrote:
> > > > On Thu, Jul 28, 2016 at 11:25 AM, Dominik wrote:
> > > > > Dear all
> > > > > somehow I'm missing something fundamental on Active Response - it just
> > > > > does not work for me.
> > > > >
> > > > > I'm working on an ubuntu ossec server V2.8.3
> > > > >
> > > > > I want to run an active response on rule 2902. So I changed the
> > > > > configuration the following way:
> > > > >
> > > > > purge-integrity
> > > > > purge-integrity.sh
> > > > >
> > > > > no
> > > > >
> > > > > no
> > > > > purge-integrity
> > > > > server
> > > > > 2902
> > > > >
> > > > > Since I want to run the script on the server, I just modified the ossec
> > > > > server.
> > > > >
> > > > > I created a script with exec rights:
> > > > > $ ls -l active-response/bin/purge-integrity.sh
> > > > > -rwxr-xr-x 1 root ossec 363 Jul 28 16:31 active-response/bin/purge-integrity.sh
> > > > >
> > > > > The script creates a simple entry in logs/active-responses.log:
> > > > > $ active-response/bin/purge-integrity.sh
> > > > > $ cat logs/active-responses.log
> > > > > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
> > > > >
> > > > > After restarting ossec, the active response appears to be available:
> > > > > $ bin/agent_control -L
> > > > >
> > > > > OSSEC HIDS agent_control. Available active responses:
> > > > >
> > > > >    Response name: purge-integrity0, command: purge-integrity.sh
> > > > >
> > > > > (why is there a 0 after purge-integrity?)
> > > > >
> > > > > It also appears possible to start the response:
> > > > > $ bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity
> > > > >
> > > > > OSSEC HIDS agent_control: Running active response 'purge-integrity' on: 000
> > > > >
> > > > > $ bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity0
> > > > >
> > > > > OSSEC HIDS agent_control: Running active response 'purge-integrity0' on: 000
> > > > >
> > > > > However, the script is not called and the active-responses.log remains
> > > > > unchanged (similarly, nothing happens if rule 2902 fires):
> > > > > $ cat logs/active-responses.log
> > > > > Thu Jul 28 16:42:47 CEST 2016 active-response/bin/purge-integrity.sh
> > > > >
> > > > > I set the agent to run in debug mode (agent.debug=2 in
> > > > > internal_options.conf) but do not see related messages in logs/ossec.log
> > > > >
> > > > > At this point, I'm out of ideas on how to further track this down. So, how
> > > > > do I go about further debugging this?
> > > >
> > > > Is ossec-execd running?
> > >
> > > Yes, it is:
> > > $ ps -A | grep ossec
> > > 64637 ?        00:00:00 ossec-maild
> > > 64641 ?        00:00:00 ossec-execd
> > > 64645 ?        00:00:21 ossec-analysisd
> > > 64649 ?        00:00:01 ossec-logcollec
> > > 64654 ?        00:00:18 ossec-remoted
> > > 64660 ?        00:00:10 ossec-syscheckd
> > > 64663 ?        00:00:06 ossec-monitord
> > >
> > > > Do you use the full paths for files in the script?
> > >
> > > Not for the binaries - but otherwise yes:
> >
> > Try using the full paths. I don't know what the PATH is for the execd
> > process.
>
> Still no success with the following script:
>
> #!/bin/bash
> # Deletes the checksum table for the integrity upon installs
> # Author: Dominik Reusser
>
> # Arguments passed by ossec-execd, in this order
> ACTION=$1
> USER=$2
> IP=$3
> ALERTID=$4
> RULEID=$5
> AGENT=$6
> FILENAME=$7
>
> # Directory containing this script (active-response/bin); step up one
> # level so logs/ can be reached relative to it. Full paths only.
> LOCAL=$(/usr/bin/dirname "$0")
> cd "$LOCAL/.." || exit 1
> ARDIR=$(/bin/pwd)
>
> /bin/echo "Hello world" >> /var/ossec/test.log
>
> # Logging the call
> /bin/echo "$(/bin/date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${ARDIR}/../logs/active-responses.log"
>
> $ bin/agent_control -u 000 -b 1.2.3.4 -f purge-integrity
>
> does not create the expected output.
>
> Can I debug the communication between agent_control and the local process
> receiving the commands (ossec-execd? are messages created? where?)
> Are active-response calls logged?
> Can I run a service in foreground-mode to receive more messages?
>
> How could I go more basic than this?
>
> Greetings
> Dominik
>
> > > #!/bin/bash
> > > # Deletes the checksum table for the integrity upon installs
> > > # Author: Dominik Reusser
> > >
> > > ACTION=$1
> > > USER=$2
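Added example, my own code rather than anything from the thread or from OSSEC: a small lint for the server-side active-response configuration that checks the things this thread went back and forth on. It reads every `<command>` and `<active-response>` block from ossec.conf, verifies that each response refers to a defined command, that the command's executable exists in active-response/bin with the execute bit set, and flags responses switched off with `<disabled>yes</disabled>`. It also builds the name `agent_control -L` prints, which is the command name followed by the configured timeout (0 when none is set), the reason the post's "purge-integrity" is listed as "purge-integrity0". The configuration is constructed after the post; `no-such-command` and `host-deny` with a 600-second timeout are added to show the failure cases, and `demo()` uses a temporary directory in place of /var/ossec/active-response/bin.

```python
"""Lint OSSEC server active-response configuration.

Added example (my own code, not OSSEC's). Checks <command>/<active-response>
blocks against the active-response/bin directory.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed config: purge-integrity as in the post, plus a disabled
# host-deny with a timeout and a response pointing at an undefined command.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>purge-integrity</name>
    <executable>purge-integrity.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>purge-integrity</command>
    <location>server</location>
    <rules_id>2902</rules_id>
  </active-response>
  <active-response>
    <disabled>yes</disabled>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>no-such-command</command>
    <location>server</location>
    <rules_id>2902</rules_id>
  </active-response>
</ossec_config>"""


def parse_active_response(conf_xml):
    """Return ({command_name: executable}, [response dicts]) from ossec.conf."""
    root = ET.fromstring(conf_xml)
    commands = {c.findtext("name"): c.findtext("executable")
                for c in root.findall("command")}
    responses = []
    for ar in root.findall("active-response"):
        responses.append({
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "").strip(),
            "disabled": (ar.findtext("disabled") or "no").strip().lower() == "yes",
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return commands, responses


def response_name(command, timeout):
    """Name agent_control -L shows: command name followed by the timeout."""
    return f"{command}{timeout}"


def lint(conf_xml, ar_bin_dir):
    """Return a list of (response_name, problem) findings."""
    commands, responses = parse_active_response(conf_xml)
    findings = []
    for r in responses:
        name = response_name(r["command"], r["timeout"])
        if r["command"] not in commands:
            findings.append((name, "references undefined <command>"))
            continue
        if r["disabled"]:
            findings.append((name, "disabled in ossec.conf"))
        exe = os.path.join(ar_bin_dir, commands[r["command"]])
        if not os.path.isfile(exe):
            findings.append((name, f"executable missing: {exe}"))
        elif not (os.stat(exe).st_mode & stat.S_IXUSR):
            findings.append((name, f"executable not executable: {exe}"))
    return findings


def demo():
    """Run the lint against a throw-away bin directory standing in for
    /var/ossec/active-response/bin: purge-integrity.sh exists but has no
    exec bit, host-deny.sh is absent."""
    with tempfile.TemporaryDirectory() as bin_dir:
        with open(os.path.join(bin_dir, "purge-integrity.sh"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        return lint(SAMPLE_CONF, bin_dir)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

On a real server call `lint(open("/var/ossec/etc/ossec.conf").read(), "/var/ossec/active-response/bin")`; an empty list means the static side is in order and what remains is checking that ossec-execd is running and what it logs.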
[ossec-list] Active responses stopped working
Hi,

Having fiddled perhaps a bit too much with the setup of OSSEC, my active responses on my server stopped working last night, and I'm unable to pinpoint the problem. I unfortunately don't, even with debug enabled, see any errors in ossec.log, and I'm quite unsure how to go about debugging this.

If I, on the server, look at the available active responses I get this:

$ agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: notify-pushbullet0, command: notify-pushbullet.py
   Response name: firewall-honeypot0, command: firewall-honeypot.sh
   Response name: firewall-permaban0, command: firewall-permaban.sh

So far, so good. Looking at my list of active agents I get:

$ agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ShadowBUNT (server), IP: 127.0.0.1, Active/Local
   ...
   ...

Now, if I try to trigger an active response on the server, everything looks fine:

$ agent_control -u 000 -f notify-pushbullet0 -b 192.168.1.1

OSSEC HIDS agent_control: Running active response 'notify-pushbullet0' on: 000

However, nothing shows up in /var/ossec/logs/active-responses.log. And when I look at ossec.log, I find this one:

2016/09/08 16:25:02 ossec-remoted(1320): ERROR: Agent '000' not found.

One possible explanation is that I reinstalled OSSEC and copied over my old config, but I suspect I didn't do it 100%, as I had to re-add all the agents. Since the server/agent doesn't have the option to remove/add/insert key/get key however, I didn't do anything with it.

As far as I can tell, all other functionality is fine, including alerts. Though I notice that alerts on the server are listed with location "localhost" instead of "ShadowBUNT", which is the server name. I don't know if that's important.

Since I'd rather not do another complete reinstall, I was hoping someone might know how I can fix this...

OJ
Re: [ossec-list] Problem with ossec-maild after upgrade from 2.8.3 to 2.9.0rc3
On Thursday, 8 September 2016 14:45:44 UTC+2, dan (ddpbsd) wrote:
> On Thu, Sep 8, 2016 at 8:34 AM, Dominik wrote:
> > Hi there,
> > I just upgraded from OSSEC 2.8.3 to 2.9.0rc3. Since then, I'm getting the
> > following error:
> >
> > 2016/09/08 14:04:46 getaddrinfo: Name or service not known
> > 2016/09/08 14:04:46 ossec-maild(1223): ERROR: Error Sending email to
> > localhost (smtp server)
> >
> > The relevant configuration:
> >
> > yes
> > l...@xyz.de
> > localhost
> > l...@xyz.de
> > yes
> >
> > Any idea why this could happen?
>
> The name lookup is failing for some reason. You can try tracking it
> down or change it to 127.0.0.1.

Solution A: It's working with the change to 127.0.0.1.

Solution B: I suspect that maild runs in a chroot environment (would this be /var/ossec - the installation dir?). If the file /etc/hosts is not present in this chroot environment, localhost can not be resolved. In any case, it also works with the localhost entry if I copy /etc/hosts to /var/ossec/etc/hosts

Copying /etc/hosts during installation would avoid similar problems.

Greetings
Dominik

> > Thanks
> > Dominik
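Added example, my own code and not part of the thread or of OSSEC: ossec-maild does chroot into the installation directory, so a hostname in `<smtp_server>` is resolved with whatever resolver files exist under /var/ossec, not with the host's /etc/hosts. The script below parses a hosts file the way a resolver reads it (first field the address, the remaining fields names, `#` starting a comment), extracts `<smtp_server>` from the `<global>` section of ossec.conf and reports whether the value is an IP literal, is resolvable from the chroot's hosts file, or is neither and would have to come from DNS. The configuration and hosts-file contents are constructed; the e-mail addresses in it are placeholders.

```python
"""Check whether ossec-maild can resolve <smtp_server> from inside its chroot.

Added example (my own code, not OSSEC's). Verdicts:
  ip-literal     no lookup needed
  hosts-file     name found in <chroot>/etc/hosts
  not-in-hosts   only DNS could resolve it from inside the chroot
"""
import ipaddress
import os
import xml.etree.ElementTree as ET

# Constructed after the post; addresses are placeholders.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>"""

# Constructed hosts file, as it would look after copying /etc/hosts into the chroot.
SAMPLE_HOSTS = """\
127.0.0.1   localhost          # loopback
::1         localhost ip6-localhost ip6-loopback
192.0.2.25  mail.example.com mail
"""


def parse_hosts(text):
    """Map each name (lower-cased) to the list of addresses declared for it."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def smtp_server(conf_xml):
    """Return the configured <smtp_server>, or None if absent."""
    value = ET.fromstring(conf_xml).findtext("global/smtp_server")
    return value.strip() if value else None


def classify(server, hosts_text):
    """Say how 'server' would be resolved with only 'hosts_text' available."""
    try:
        ipaddress.ip_address(server)
        return "ip-literal"
    except ValueError:
        pass
    return "hosts-file" if parse_hosts(hosts_text).get(server.lower()) else "not-in-hosts"


def check_chroot(conf_xml, chroot="/var/ossec"):
    """Classify the configured server against <chroot>/etc/hosts on this box.
    A missing file is treated as empty, which is what a resolver sees too."""
    hosts_path = os.path.join(chroot, "etc", "hosts")
    hosts_text = ""
    if os.path.isfile(hosts_path):
        with open(hosts_path) as f:
            hosts_text = f.read()
    server = smtp_server(conf_xml)
    return server, classify(server, hosts_text)


if __name__ == "__main__":
    server = smtp_server(SAMPLE_CONF)
    print(server, "without hosts file:", classify(server, ""))
    print(server, "with hosts file:   ", classify(server, SAMPLE_HOSTS))
```

`check_chroot(open("/var/ossec/etc/ossec.conf").read())` reproduces Dominik's two fixes: an IP literal needs no lookup at all, and a name only works once it appears in a hosts file that is visible from inside the chroot.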
Re: [ossec-list] Problem with ossec-maild after upgrade from 2.8.3 to 2.9.0rc3
On Thu, Sep 8, 2016 at 8:34 AM, Dominik wrote:
> Hi there,
> I just upgraded from OSSEC 2.8.3 to 2.9.0rc3. Since then, I'm getting the
> following error:
>
> 2016/09/08 14:04:46 getaddrinfo: Name or service not known
> 2016/09/08 14:04:46 ossec-maild(1223): ERROR: Error Sending email to
> localhost (smtp server)
>
> The relevant configuration:
>
> yes
> l...@xyz.de
> localhost
> l...@xyz.de
> yes
>
> Any idea why this could happen?

The name lookup is failing for some reason. You can try tracking it down or change it to 127.0.0.1.

> Thanks
> Dominik
[ossec-list] Problem with ossec-maild after upgrade from 2.8.3 to 2.9.0rc3
Hi there,
I just upgraded from OSSEC 2.8.3 to 2.9.0rc3. Since then, I'm getting the following error:

2016/09/08 14:04:46 getaddrinfo: Name or service not known
2016/09/08 14:04:46 ossec-maild(1223): ERROR: Error Sending email to localhost (smtp server)

The relevant configuration:

yes
l...@xyz.de
localhost
l...@xyz.de
yes

Any idea why this could happen?

Thanks
Dominik
[ossec-list] Edit eventlog format
Hi everyone!

I've installed an ossec agent on a windows server. The server produces audit success events that look like this in the eventviewer:

user      info1
ip        info2
domain    info3
access    important

The installed ossec agent parses the events to the archives.log where they look something like this:

2016 Sep 06 15:20:02 (Host-xxx-16-11-96) xxx.16.11.96->WinEvtLog 2016 Sep 06 15:21:38 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: *info1: info2: info3: important:*

but what I want the archives.log entry to look like is:

2016 Sep 06 15:20:02 (Host-xxx-16-11-96) xxx.16.11.96->WinEvtLog 2016 Sep 06 15:21:38 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: *important:* *info1: info2: info3:*

Is it even possible to do this? If yes, where are the things I have to edit?

Thanks in advance.
[ossec-list] Re: Rule based on specific interval time
This is exactly what I was looking for! And I'm really sorry to have wasted your time, I should have read the documentation more carefully, since it's clearly explained there.

Thanks!

On Wednesday, 7 September 2016 20:02:11 UTC+2, Jesus Linares wrote:
> Hi,
>
> you could overwrite the rule and use *time*. It would be something like:
>
> *local_rules.xml*
>
> 500
> 03:00 am - 05:00 pm
> alert_by_email
> Agent disconnected
> Ossec agent disconnected.
> pci_dss_10.6.1,
>
> Regards.
>
> On Wednesday, September 7, 2016 at 4:12:37 PM UTC+2, Francesco Raimondi wrote:
> > Greetings everyone,
> >
> > I wonder if it's possible to create a new rule or fire an existing one
> > based on a specific time period. More specifically, I need to modify the
> > rule for the agent disconnection and I need to be alerted only if it's
> > fired in between 10:00 - 12:00 AM and 03:00 - 05:00 PM.
> >
> > Any help would be greatly appreciated.
> >
> > Frank
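Added example, my own code and not OSSEC's rule engine: a matcher for time windows written in the format the `<time>` rule option accepts (`hh:mm-hh:mm`, with optional `am`/`pm` and optional minutes, spaces allowed around the dash), so the two windows from the question can be tested against sample event times before they go into local_rules.xml. Treating the start as inclusive and the end as exclusive, and wrapping a window whose end is earlier than its start across midnight, are my own choices; the page does not say how OSSEC handles those edges. The last case in the usage note shows why "10:00 - 12:00 AM" is a trap: 12:00 am is midnight, so that window runs from 10:00 to 24:00 rather than to noon.

```python
"""Evaluate OSSEC-style <time> windows against clock times.

Added example (my own code, not OSSEC's). Window spec format:
  "03:00 am - 05:00 pm", "10:00-12:00", "6 pm - 8 pm", "22-2"
Start is inclusive, end exclusive; end < start wraps past midnight.
"""
import re
from datetime import time

_CLOCK = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.IGNORECASE)


def parse_clock(value):
    """Turn '03:00 am', '17:30' or '6 pm' into minutes since midnight."""
    m = _CLOCK.match(value)
    if not m:
        raise ValueError(f"bad clock value: {value!r}")
    hour, minute = int(m.group(1)), int(m.group(2) or 0)
    ampm = (m.group(3) or "").lower()
    if ampm:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour clock out of range: {value!r}")
        hour = hour % 12 + (12 if ampm == "pm" else 0)   # 12 am -> 0, 12 pm -> 12
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"clock out of range: {value!r}")
    return hour * 60 + minute


def parse_window(spec):
    """Split 'start - end' into (start_minutes, end_minutes)."""
    if "-" not in spec:
        raise ValueError(f"window needs a '-': {spec!r}")
    start, end = spec.split("-", 1)
    return parse_clock(start), parse_clock(end)


def _minutes(at):
    """Accept a datetime.time or a clock string such as '16:00'."""
    if isinstance(at, time):
        return at.hour * 60 + at.minute
    return parse_clock(at)


def in_window(at, spec):
    """True if 'at' falls inside the window; handles windows crossing midnight."""
    now = _minutes(at)
    start, end = parse_window(spec)
    if start <= end:
        return start <= now < end
    return now >= start or now < end        # e.g. "10 pm - 2 am"


def in_any_window(at, specs):
    """True if 'at' is inside at least one of the windows (one rule per window)."""
    return any(in_window(at, spec) for spec in specs)


if __name__ == "__main__":
    windows = ["10:00 - 12:00 pm", "03:00 pm - 05:00 pm"]
    for sample in ["09:59", "10:00", "11:30", "12:00", "13:00", "16:59", "17:00"]:
        print(sample, in_any_window(sample, windows))
    print("23:00 in '10:00 - 12:00 am':", in_window("23:00", "10:00 - 12:00 am"))
```

Since each rule carries a single `<time>` range, the two windows in the question map to two rules; `in_any_window` is the check that an alert time hits at least one of them. Note the mid-day window must be written with `12:00 pm` (noon).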