[ossec-list] Re: Create custom rule for OSSEC 2.8.3, to capture specific phrase in application log

2017-01-31 Thread Jesus Linares
Hi,

you should create decoders and rules for that event. Check out the 
documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/analysis.html

Also, you can use the binary /var/ossec/bin/ossec-logtest to test your own 
decoders/rules.

On Monday, January 30, 2017 at 7:04:34 AM UTC-8, Eli Tunkel wrote:
>
> 2016-07-24 11:43:22,707 INFO  [main-EventThread  ] 
> [.m.async.facade.Bootstrap] Became Leader!!!  |TAGS|
> 2016-07-24 11:43:22,707 INFO  [main-EventThread  ] 
> [.m.async.facade.Bootstrap] ## Leader election: Server is leader and 
> starting ##  |TAGS|
>
> I have added the custom path for this log to the ossec.conf. This is a 
> sample log I want to capture; the phrase I want to make a rule for is 
> "Server is leader and start".
>
> Thanks friend,
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] need help with a rule

2017-01-31 Thread dan (ddp)
On Tue, Jan 31, 2017 at 11:15 AM, SternData wrote:
> I'm getting hammered by probes for non-existent PHP files.
>
> Received From: sugaree->/var/log/httpd/xxx.com_error_log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> [Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client
> 46.28.110.136:51282] AH01071: Got error 'Primary script unknown\n'
>
> What's the best way to make a rule to throw an active deny response for
> these after two attempts within 1 minute?
>

Running this through ossec-logtest gives me the following information:
**Phase 1: Completed pre-decoding.
   full event: '[Tue Jan 31 09:57:35.809951 2017]
[proxy_fcgi:error] [pid 25770] [client 46.28.110.136:51282] AH01071:
Got error 'Primary script unknown\n''
   hostname: 'ossec-test'
   program_name: '(null)'
   log: '[Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid
25770] [client 46.28.110.136:51282] AH01071: Got error 'Primary script
unknown\n''

**Phase 2: Completed decoding.
   decoder: 'apache-errorlog'
   srcip: '46.28.110.136'
   srcport: '51282'
   id: 'AH01071'

**Phase 3: Completed filtering (rules).
   Rule id: '30301'
   Level: '0'
   Description: 'Apache error messages grouped.'

So creating a rule should be fairly straightforward.
Something like this (mostly untested):

  <!-- the level values shown here are assumed; pick what fits your alerting threshold -->
  <rule id="400017" level="5">
    <if_sid>30301</if_sid>
    <match>Primary script unknown</match>
    <description>Primary script unknown</description>
  </rule>

  <rule id="400018" level="10" frequency="2" timeframe="60">
    <if_matched_sid>400017</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to Primary script unknown</description>
  </rule>

Then setup the active response to block based on sid 400018.



[ossec-list] need help with a rule

2017-01-31 Thread SternData
I'm getting hammered by probes for non-existent PHP files.

Received From: sugaree->/var/log/httpd/xxx.com_error_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

[Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client
46.28.110.136:51282] AH01071: Got error 'Primary script unknown\n'

What's the best way to make a rule to throw an active deny response for
these after two attempts within 1 minute?

-- 
-- Steve



Re: [ossec-list] Unable to capture file integrity changes more than 3 times with auto_ignore

2017-01-31 Thread dan (ddp)
On Tue, Jan 31, 2017 at 7:06 AM, Abhijit Tikekar wrote:
> Hi,
>
> I am unable to make <auto_ignore> work on our OSSEC instance for a few
> directories which are set for Real Time monitoring. OSSEC Agent version is
> 2.8.3 and server is currently on 2.8.1.
>

Start by correcting this issue.

> I have tried to set <auto_ignore>no</auto_ignore> on both server and the
> agent, but OSSEC still keeps ignoring the checksum change after the 3rd time.
>

This setting does nothing on the agent, AFAIK.

> Here is the directory monitoring configuration:
> <syscheck>
>   <frequency>79200</frequency>
>   <directories>/usr/bin,/usr/sbin</directories>
>   <directories>/bin,/sbin</directories>
>   <directories>/root,/etc</directories>
>   <auto_ignore>no</auto_ignore>
> </syscheck>

Make sure you restart the OSSEC processes on the server after making
these changes.

>
> And the file we are trying to monitor is /etc/odbcnew.ini
>
> When I check for the file changes, OSSEC always stops after 3rd change. I
> can reset it manually but it'll stop again eventually after next 3 changes.
>
> 2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini
> File changed. - 1st time modified.
> Integrity checking values:
>Size: >682
>Perm: rw---
>Uid:  0
>Gid:  0
>Md5:  >bc47acc61dd3ac8f88d8a1197e3e9b1a
>Sha1: >02d20920310be144261d897d90d906e86a90225f
>
> 2017 Jan 31 06:47:15,2 - /etc/odbcnew.ini
> File changed. - 2nd time modified.
> Integrity checking values:
>Size: >770
>Perm: rw---
>Uid:  0
>Gid:  0
>Md5:  >087e76a102721db3c7218acb978720b2
>Sha1: >f5437d9ede1d2bb41cafbefce922d1c5997a3c13
>
> 2017 Jan 31 06:47:16,3 - /etc/odbcnew.ini
> File changed. - 3rd time modified.
> Integrity checking values:
>Size: >792
>Perm: rw---
>Uid:  0
>Gid:  0
>Md5:  >0ba151babde2a5adf64fb25b67628e9b
>Sha1: >266ff0c7ae1b19897046041da3df2beb598a1663
>
> I found an old thread referring to making a source code change for
> temporarily resolve this issue. Is that change still needed in the latest
> versions?
> https://groups.google.com/forum/#!topic/ossec-list/qk8Ch6DEIqk
>

Not that I'm aware of.

> On another thread, one example shows that OSSEC still records the fact that
> a file is being ignored.
> https://groups.google.com/forum/#!topic/ossec-list/qNnjYZGsWCs
>
> 2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
> File changed. - Being ignored (3 or more changes).
>
>
> We do not get this message. Does that mean agent itself is not sending the
> changes after 3rd time?
>

The agent doesn't care how many times it's changed. It doesn't even
really know the file has changed (unless there's an inotify event blah
blah).

I haven't noticed any issues with it, but I'll test it out a bit.

>
> Kindly assist
>
> Thanks,
>
> ~ Abhi
>
>
>
>
>
>



Re: [ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-31 Thread dan (ddp)
On Fri, Jan 27, 2017 at 11:00 AM, Daniel B. wrote:
>
> Yes, via ./ossec-control -r
>

root@ossec-test:/var/ossec/etc# /var/ossec/bin/ossec-control -r

Usage: /var/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}

Try `/var/ossec/bin/ossec-control restart`

>
> On Thursday, January 26, 2017 at 4:41:20 PM UTC-5, Daniel B. wrote:
>>
>>
>>
>> full_log:
>>
>> Files hidden inside directory 
>> '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'.
>>  Link count does not match number of files (54,70).
>>
>> I have a rule setup to ignore this, and it's actually being hit when I test 
>> the above line via ./ossec-logtest -v (see image)
>>
>> When I check the alerts, I see this as a level 7 alert.
>>

At some point was 76 level 7? Or are you seeing a different level 7 alert?

>> The rules are defined on the server. Any idea on why an alert would be 
>> generated despite the level 0 rule being hit?
>>
>> Decoder:
>>
>> <decoder name="ignore_docker_mismatch">
>>   <prematch>Files hidden inside directory</prematch>
>>   <regex>(\p/var/lib/docker\.+)</regex>
>>   <order>extra_data</order>
>> </decoder>
>>
>> Rule:
>>
>> <rule id="76" level="0">
>>   <decoded_as>ignore_docker_mismatch</decoded_as>
>>   <description>Level 0 Alert -- Ignoring Docker Files Mismatch</description>
>> </rule>
>>
>>
>>



Re: [ossec-list] OSSEC 2.8.3 create custom rule

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel wrote:
> Hi Guys
>
>
> I am looking to create a new custom ossec rule to capture a specific phrase in
> a log.
> I have added the required directory to the ossec.conf for monitoring.
>
> LOG Sample:
>
> 2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
> [.m.async.facade.Bootstrap] Became Leader!!!  |TAGS|
> 2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
> [.m.async.facade.Bootstrap] ## Leader election:
> Server is leader and starting ##  |TAGS|
>
> Looking to find
>
>
> Leader election: Server is leader and starting
>

I'm assuming you haven't tried, so here's a basic run down.

Start with ossec-logtest:
# echo '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ## Leader
election: Server is leader and starting ##
 |TAGS|' | /var/ossec/bin/ossec-logtest

**Phase 1: Completed pre-decoding.
   full event: '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ## Leader
election: Server is leader and starting ##
 |TAGS|'
   hostname: 'INFO'
   program_name: '(null)'
   log: ' [main-EventThread  ] [.m.async.facade.Bootstrap]
## Leader election: Server is leader and
starting ##  |TAGS|'

**Phase 2: Completed decoding.
   No decoder matched.

The "log" field is what we'll be working with mostly. So let's add a
basic rule to local_rules.xml:
  <rule id="41" level="1">
    <match>m.async.facade.Bootstrap</match>
    <description>Stuff</description>
  </rule>

Re-run logtest:
**Phase 1: Completed pre-decoding.
   full event: '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ## Leader
election: Server is leader and starting ##
 |TAGS|'
   hostname: 'INFO'
   program_name: '(null)'
   log: ' [main-EventThread  ] [.m.async.facade.Bootstrap]
## Leader election: Server is leader and
starting ##  |TAGS|'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '41'
   Level: '1'
   Description: 'Stuff'
**Alert to be generated.

As we can see our new rule is matched. So let's look at more specific
details to get exactly what you want:
  <rule id="42" level="1">
    <if_sid>41</if_sid>
    <match>Leader election: Server is leader and starting</match>
    <description>Leader election.</description>
  </rule>

More logtest:
**Phase 1: Completed pre-decoding.
   full event: '2016-07-24 11:43:22,707 INFO  [main-EventThread  ]
[.m.async.facade.Bootstrap] ## Leader
election: Server is leader and starting ##
 |TAGS|'
   hostname: 'INFO'
   program_name: '(null)'
   log: ' [main-EventThread  ] [.m.async.facade.Bootstrap]
## Leader election: Server is leader and
starting ##  |TAGS|'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '42'
   Level: '1'
   Description: 'Leader election.'
**Alert to be generated.

Final rules:
  <rule id="41" level="1">
    <match>m.async.facade.Bootstrap</match>
    <description>m.async.facade.Bootstrap group</description>
  </rule>

  <rule id="42" level="1">
    <if_sid>41</if_sid>
    <match>Leader election: Server is leader and starting</match>
    <description>Leader election.</description>
  </rule>

Add those and restart the ossec processes on the master.

> Thanks ahead!!
>
>

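The two replies above (the AH01071 "Primary script unknown" chain with its frequency/timeframe composite, and the rule 41/42 pair for the Bootstrap leader-election line) lean on the same three OSSEC rule features: a substring <match>, a child rule selected with <if_sid>, and a composite rule built from <if_matched_sid> with frequency, timeframe and <same_source_ip/>. The Python below is an added example, not OSSEC's own code and not anything posted in either thread: a small evaluator that walks a rule table in that order over constructed Apache error-log and Bootstrap lines. The decoder regex, the levels chosen for 400017/400018 and the client addresses are assumptions. One caveat before wiring this into active response: this evaluator fires the composite rule on exactly `frequency` events inside `timeframe`, whereas the OSSEC rules documentation states that the count which actually triggers a rule is two more than the frequency value, so confirm the XML values with ossec-logtest before pointing a block at sid 400018.

```python
"""Added example, not OSSEC code: a small evaluator for the rule features the
two replies above rely on -- <match>, <if_sid>, and a composite rule using
<if_matched_sid> with frequency, timeframe and <same_source_ip/>."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the client addresses are documentation ranges,
# not the hosts from the thread.
APACHE_LINES = [
    "[Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] "
    "[client 203.0.113.7:51282] AH01071: Got error 'Primary script unknown\\n'",
    "[Tue Jan 31 09:57:50.100000 2017] [proxy_fcgi:error] [pid 25770] "
    "[client 203.0.113.7:51290] AH01071: Got error 'Primary script unknown\\n'",
    "[Tue Jan 31 09:59:10.000000 2017] [proxy_fcgi:error] [pid 25771] "
    "[client 198.51.100.9:40000] AH01071: Got error 'Primary script unknown\\n'",
]
BOOTSTRAP_LINE = ("2016-07-24 11:43:22,707 INFO  [main-EventThread  ] "
                  "[.m.async.facade.Bootstrap] ## Leader election: "
                  "Server is leader and starting ##  |TAGS|")

APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid \d+\] "
    r"\[client (?P<srcip>[^:\]]+):(?P<srcport>\d+)\] (?P<id>AH\d+): ")

def decode(line):
    """Phase 2 stand-in for the stock apache-errorlog decoder. Anything else
    stays undecoded, which is what ossec-logtest reported for the Bootstrap line."""
    m = APACHE_RE.match(line)
    return ("apache-errorlog", m.groupdict()) if m else (None, {})

# Rule table mirroring the XML in the two replies. The levels given for
# 400017 and 400018 are assumptions; the thread does not state them.
RULES = [
    dict(id=30301, level=0, decoded_as="apache-errorlog",
         desc="Apache error messages grouped."),
    dict(id=400017, level=5, if_sid=30301, match="Primary script unknown",
         desc="Primary script unknown"),
    dict(id=400018, level=10, if_matched_sid=400017, frequency=2, timeframe=60,
         same_source_ip=True, desc="Multiple attempts to Primary script unknown"),
    dict(id=41, level=1, match="m.async.facade.Bootstrap",
         desc="m.async.facade.Bootstrap group"),
    dict(id=42, level=1, if_sid=41, match="Leader election: Server is leader and starting",
         desc="Leader election."),
]

class Evaluator:
    def __init__(self, rules):
        self.rules = rules
        # (parent rule id, srcip or None) -> timestamps of recent parent matches
        self.windows = defaultdict(deque)

    def evaluate(self, line, when):
        """Return the most specific rule that fired for one event, or None.
        Rules are tried in table order; a child needs its parent to have fired
        on the same event, and the last one to fire wins."""
        decoder, fields = decode(line)
        fired = {}
        for r in self.rules:
            if "decoded_as" in r and r["decoded_as"] != decoder:
                continue
            if "if_sid" in r and r["if_sid"] not in fired:
                continue
            if "match" in r and r["match"] not in line:
                continue
            if "if_matched_sid" in r:
                if r["if_matched_sid"] not in fired:
                    continue
                src = fields.get("srcip") if r.get("same_source_ip") else None
                window = self.windows[(r["if_matched_sid"], src)]
                window.append(when)
                cutoff = when - timedelta(seconds=r["timeframe"])
                while window and window[0] < cutoff:
                    window.popleft()
                if len(window) < r["frequency"]:
                    continue
                window.clear()  # count the next burst from zero
            fired[r["id"]] = r
        return list(fired.values())[-1] if fired else None

def apache_timestamp(line):
    return datetime.strptime(APACHE_RE.match(line)["ts"], "%a %b %d %H:%M:%S.%f %Y")

def run_samples():
    """Feed the constructed lines through in order; return (rule id, level) per event."""
    ev = Evaluator(RULES)
    results = [ev.evaluate(l, apache_timestamp(l)) for l in APACHE_LINES]
    results.append(ev.evaluate(BOOTSTRAP_LINE, datetime(2016, 7, 24, 11, 43, 22)))
    return [(r["id"], r["level"]) for r in results]

if __name__ == "__main__":
    for (rid, level), line in zip(run_samples(), APACHE_LINES + [BOOTSTRAP_LINE]):
        print(f"rule {rid} (level {level}) <- {line[:70]}")
```

Running it shows the second probe from the same client inside 60 seconds escalating to 400018 while a third probe from a different client only reaches 400017, and the Bootstrap line landing on 42 because 41 fired first on the same event.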


Re: [ossec-list] Create rules for custom decoder (netasq/stomshield firewall)

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 10:46 AM, Bertrand Danos wrote:
> Hello,
>
> I still have some problems with my custom rules.
> How do I generate three different alerts depending on the message?
>
>
> Here are my steps :
>
> 1) Add log file to monitor
> * Edit the file etc/ossec.conf and add the following lines:
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/firewall.log</location>
>   </localfile>
>
>
> 2) Create a decoder
> * Add in file etc/local_decoder.xml the following lines:
>
> <decoder name="netasq">
>   <prematch>^id=</prematch>
> </decoder>
>
> <decoder name="netasq-auth">
>   <parent>netasq</parent>
>   <prematch>logtype="auth"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
>   <order>id, extra_data, user, srcip</order>
> </decoder>
>
> <decoder name="netasq-filter">
>   <parent>netasq</parent>
>   <prematch>logtype="filter"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ logtype="(\S+)"</regex>
>   <order>id, extra_data, extra_data, protocol, protocol, srcip, srcport, dstip, dstport</order>

I think you have too many entries in  here. There's a limit,
apparently you reached it.
I segfaulted with this decoder, but removing the srcifname entry fixed
it for me.

> </decoder>
>
> <decoder name="netasq-alarm">
>   <parent>netasq</parent>
>   <prematch>logtype="alarm"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ msg="(\.+)" \.+ logtype="alarm"</regex>
>   <order>id, extra_data, extra_data, action</order>
> </decoder>
>
>
> 3) Write custom rules :
> * Edit the file etc/ossec.conf and add in <rules> the line:
> <include>netasq.xml</include>
>
> * Create file rules/netasq.xml
>
> 
>
>   

These IDs appear to be too large. Remove a 0.

> netasq-auth

All of the log messages decode as "netasq."

> Authentication failure on firewall
>   
>
>   
> netasq-filter
> Firewall has filtered some data
>   
>
>   
> netasq-alarm
> Firewall has generated an alarm
>   
>
> 
>
>
> For each sample I'd like to receive one of the 3 alerts :
>
> Dec  2 15:42:29 192.168.200.1 id=firewall time="2016-12-02 15:42:28"
> fw="test-fw" tz=+ startime="2016-12-02 15:42:28" user="admin"
> src=10.0.0.1 ruleid=0 method="PLAIN" error=4 msg="Authentication request
> invalid" logtype="auth"#015
>
> Dec  2 14:37:42 192.168.200.1 id=firewall time="2016-12-02 14:37:41"
> fw="test-fw" tz=+ startime="2016-12-02 14:37:40" pri=5 confid=01
> slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp
> proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=admin dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw
> action=pass logtype="filter"#015
>
> Jan  9 14:54:32 192.168.200.1 id=firewall time="2017-01-09 14:53:49"
> fw="test-fw" tz=+ startime="2017-01-09 14:53:48" pri=4 confid=01
> slotlevel=2 ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp
> icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 dstname=fw
> action=block msg="Filter alarm" class=filter classification=0
> logtype="alarm"#015
>

logtest output:
**Phase 1: Completed pre-decoding.
   full event: 'Dec  2 15:42:29 192.168.200.1 id=firewall
time="2016-12-02 15:42:28" fw="test-fw" tz=+ startime="2016-12-02
15:42:28" user="admin" src=10.0.0.1 ruleid=0 method="PLAIN" error=4
msg="Authentication request invalid"
logtype="auth"#015'
   hostname: '192.168.200.1'
   program_name: '(null)'
   log: 'id=firewall time="2016-12-02 15:42:28" fw="test-fw"
tz=+ startime="2016-12-02 15:42:28" user="admin" src=10.0.0.1
ruleid=0 method="PLAIN" error=4 msg="Authentication request invalid"
logtype="auth"#015'

**Phase 2: Completed decoding.
   decoder: 'netasq'
   id: 'firewall'
   extra_data: 'test-fw'
   dstuser: 'admin'
   srcip: '10.0.0.1'

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '2'
   Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
   full event: 'Dec  2 14:37:42 192.168.200.1 id=firewall
time="2016-12-02 14:37:41" fw="test-fw" tz=+ startime="2016-12-02
14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
srcifname="eth2" ipproto=tcp proto=ssh src=10.0.0.2 srcport=33659
srcportname=ephemeral_fw_tcp srcname=admin dst=192.168.1.1 dstport=22
dstportname=ssh dstname=fw action=pass logtype="filter"#015'
   hostname: '192.168.200.1'
   program_name: '(null)'
   log: 'id=firewall time="2016-12-02 14:37:41" fw="test-fw"
tz=+ startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2
ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp proto=ssh
src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=admin
dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw action=pass
logtype="filter"#015'

**Phase 2: Completed decoding.
   decoder: 'netasq'
   id: 'firewall'
   extra_data: 'test-fw'
   proto: 'tcp'
   proto: 'ssh'
   srcip: '10.0.0.2'
   srcport: '33659'
   dstip: '192.168.1.1'
   dstport: '22'


**Phase 1: Completed pre-decoding.
   full event: 'Jan  9 14:54:32 192.168.200.1 id=firewall
time="2017-01-09 14:53:49" fw="test-fw" tz=+ startime="2017-01-09
14:53:48" pri=4 confid=01 slotlevel=2 ruleid=13 srcif="Ethernet2"
srcifna
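Three hand-written regexes for one key=value format are fragile, and, as the reply above notes, ossec-logtest crashed on the nine-field <order> for the filter decoder and worked once one field was removed. An alternative to compare against, as an added example and not code from the thread or from OSSEC: tokenise the whole payload into key=value pairs once, then pick the fields and the alert per logtype. The three payloads are the thread's own samples with the syslog header removed; the rule levels and the field mapping are this example's assumptions, and the `user` to `dstuser` naming mirrors what ossec-logtest printed for the auth sample.

```python
"""Added example (not OSSEC or Stormshield code): tokenise a NETASQ key=value
payload once, then select fields and an alert per logtype."""
import re

# The three payloads from the thread (syslog header stripped), so this runs
# offline; the trailing #015 is rsyslog's rendering of a carriage return.
SAMPLES = [
    'id=firewall time="2016-12-02 15:42:28" fw="test-fw" tz=+ startime="2016-12-02 15:42:28" '
    'user="admin" src=10.0.0.1 ruleid=0 method="PLAIN" error=4 '
    'msg="Authentication request invalid" logtype="auth"#015',
    'id=firewall time="2016-12-02 14:37:41" fw="test-fw" tz=+ startime="2016-12-02 14:37:40" '
    'pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2" srcifname="eth2" ipproto=tcp '
    'proto=ssh src=10.0.0.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=admin '
    'dst=192.168.1.1 dstport=22 dstportname=ssh dstname=fw action=pass logtype="filter"#015',
    'id=firewall time="2017-01-09 14:53:49" fw="test-fw" tz=+ startime="2017-01-09 14:53:48" '
    'pri=4 confid=01 slotlevel=2 ruleid=13 srcif="Ethernet2" srcifname="eth2" ipproto=icmp '
    'icmptype=8 icmpcode=0 proto=icmp src=10.0.0.2 dst=192.168.1.1 dstname=fw action=block '
    'msg="Filter alarm" class=filter classification=0 logtype="alarm"#015',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_kv(payload):
    """Split key=value pairs; quoted values may contain spaces."""
    if payload.endswith("#015"):
        payload = payload[:-4]
    return {key: quoted or bare for key, quoted, bare in KV.findall(payload)}

# OSSEC-style field name -> NETASQ key, per logtype. The mapping is this
# example's choice; an <order> entry of "user" shows up as dstuser in ossec-logtest.
FIELDS = {
    "auth":   {"id": "id", "extra_data": "fw", "dstuser": "user", "srcip": "src"},
    "filter": {"id": "id", "extra_data": "fw", "protocol": "proto", "srcip": "src",
               "srcport": "srcport", "dstip": "dst", "dstport": "dstport", "action": "action"},
    "alarm":  {"id": "id", "extra_data": "fw", "srcip": "src", "dstip": "dst",
               "action": "action", "msg": "msg"},
}

# One alert per logtype, using the descriptions from the thread; the levels
# are assumed values.
RULES = {
    "auth":   (5, "Authentication failure on firewall"),
    "filter": (3, "Firewall has filtered some data"),
    "alarm":  (8, "Firewall has generated an alarm"),
}

def decode_netasq(payload):
    """Return the field dict for a firewall payload, or None if it is not one."""
    kv = parse_kv(payload)
    logtype = kv.get("logtype")
    if kv.get("id") != "firewall" or logtype not in FIELDS:
        return None
    fields = {name: kv[key] for name, key in FIELDS[logtype].items() if key in kv}
    fields["logtype"] = logtype
    return fields

def alert_for(payload):
    """Return (level, description, fields), or None when no rule applies."""
    fields = decode_netasq(payload)
    if fields is None:
        return None
    level, description = RULES[fields["logtype"]]
    return level, description, fields

def run_samples():
    return [alert_for(s) for s in SAMPLES]

if __name__ == "__main__":
    for level, description, fields in run_samples():
        print(f"level {level}: {description} ({fields['srcip']} -> {fields.get('dstip', '-')})")
```

Each sample produces a different alert, and adding a fourth logtype is a dictionary entry rather than a new regex with its own field count.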

Re: [ossec-list] how to modify the apache log decoder to accept dash in time

2017-01-31 Thread dan (ddp)
On Sun, Jan 29, 2017 at 2:54 PM, Gil Vidals wrote:
> My web servers' logs are being decoded as 'pure-transfer' instead of as an
> apache log due to the time format, which includes a dash '-'. If I remove
> the dash, then the logs are decoded as apache logs. I believe I have two
> options: 1) change the precedence of the decoders, giving priority to apache
> or 2) update the format of the logs in my apache config. Please explain how
> I would change the precedence, or perhaps there is a better solution?
>
> My OSSEC server is running OSSEC HIDS v2.8.3.
>
> SAMPLE LOG FILE:
> 46.229.168.71 - - [29/Jan/2017:06:34:13 -0800] "GET
> /web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D
> HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl;
> +http://www.semrush.com/bot.html)"
>

On post-2.8 installs this seems to be picked up by the web-accesslog decoder:
**Phase 1: Completed pre-decoding.
   full event: '46.229.168.71 - - [29/Jan/2017:06:34:13 -0800]
"GET 
/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D
HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl;
http://www.semrush.com/bot.html)"'
   hostname: 'ossec-test'
   program_name: '(null)'
   log: '46.229.168.71 - - [29/Jan/2017:06:34:13 -0800] "GET
/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D
HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl;
http://www.semrush.com/bot.html)"'

**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '46.229.168.71'
   url: 
'/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D'
   id: '404'

**Phase 3: Completed filtering (rules).
   Rule id: '31101'
   Level: '5'
   Description: 'Web server 400 error code.'
**Alert to be generated.


> Thank you,
>
> Gil Vidals
> Etica, Inc.
>



Re: [ossec-list] Monitoring syslog activity/traffic

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 9:14 AM, Tibor Luth  wrote:
> Hi all!
>
> I have a few datasources sending remote syslog to an OSSIM appliance running
> Rsyslog (udp or tcp/514) and OSSEC server and local agent. First I would
> like to generate alerts or see in logs if a datasource (ossec-agents also)
> lost connection or stopped logging... (e.g. misconfiguration happened, new
> firewall rule is blocking.. etc). Is it possible somehow? I thought to
> monitor a command with OSSEC like tcpdump, tshark, netstat or something like
> that for the standard syslog protocol and write a custom ossim plugin for local
> ossec.log.
> Ideas are welcomed! :)
> Thank you!
>

Do you have any logs that indicate the system is no longer logging to
the intended destination?

> T.
>

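The question above is about absence: when a source stops sending, no line ever arrives for a rule to match, so the check has to live outside the match-on-event model. One way to do it, as an added example that is not OSSEC code (the hosts, timestamps and line contents are constructed): record the newest timestamp seen per syslog source, report every source quiet for longer than a threshold, and also report any expected source that never appeared at all, which catches a sender blocked before its first line reached you. The report could itself be written to a file that OSSEC monitors, or run as a <command> log source.

```python
"""Added example (not OSSEC code): flag syslog sources that have gone quiet."""
import re
from datetime import datetime, timedelta

# Constructed sample lines: fw01 stops logging at 14:38, web01 keeps going,
# and db01 (expected below) never shows up at all.
LINES = [
    "Jan 31 14:37:01 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.20",
    "Jan 31 14:37:05 web01 sshd[1201]: Accepted publickey for ops from 203.0.113.4",
    "Jan 31 14:38:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.77",
    "Jan 31 14:45:30 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 31 14:49:12 web01 sshd[1310]: Connection closed by 203.0.113.4",
]
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")

def last_seen(lines, year):
    """Map each source host to the newest timestamp it produced. Classic
    syslog lines carry no year, so the caller supplies one."""
    seen = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["host"] not in seen or ts > seen[m["host"]]:
            seen[m["host"]] = ts
    return seen

def silent_sources(lines, now, max_silence, expected=()):
    """Return {host: seconds_silent} for hosts quiet longer than max_silence.
    Hosts listed in `expected` that never appeared map to None."""
    seen = last_seen(lines, now.year)
    quiet = {}
    for host, ts in seen.items():
        gap = now - ts
        if gap > max_silence:
            quiet[host] = int(gap.total_seconds())
    for host in expected:
        if host not in seen:
            quiet[host] = None
    return quiet

def demo():
    """Run the check over the constructed lines at a fixed 'now'."""
    now = datetime(2017, 1, 31, 14, 50, 0)
    return silent_sources(LINES, now, timedelta(minutes=10),
                          expected=("fw01", "web01", "db01"))

if __name__ == "__main__":
    for host, gap in demo().items():
        print(f"{host}: {'never seen' if gap is None else f'silent for {gap}s'}")
```

With a ten-minute threshold at 14:50, fw01 is reported as silent for 720 seconds and db01 as never seen, while web01 stays out of the report.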


Re: [ossec-list] How to automate configuration of OSSEC Agent on Windows?

2017-01-31 Thread Igor Gatis
I'm using 2.8.3.

I managed to add agent key using the command below:

echo y | "D:\Program Files (x86)\ossec-agent\manage_agents.exe" -i <agent-key>

As for server IP, I used the following PowerShell snippet (it would be nice 
if manage_agents.exe handled that as well):

param([Parameter(Mandatory)][string]$ip)   # manager address to write into <server-ip>

$ossec_config_file = "${env:ProgramFiles(x86)}\ossec-agent\ossec.conf"
# Wrap the file in a throwaway root so that a config with more than one
# top-level <ossec_config> block still parses as XML.
[xml]$xml = "<fake>$(Get-Content $ossec_config_file -Raw)</fake>"
foreach ($ossec_config in $xml.fake.SelectNodes('//ossec_config')) {
    $clients = $ossec_config.SelectNodes('client')
    if ($clients.Count -eq 0) {
        $client = $ossec_config.AppendChild($xml.CreateElement('client'))
        $clients = $ossec_config.SelectNodes('client')
    }
    foreach ($client in $clients) {
        $server_ips = $client.SelectNodes('server-ip')
        if ($server_ips.Count -eq 0) {
            $server_ip = $client.AppendChild($xml.CreateElement('server-ip'))
            $server_ips = $client.SelectNodes('server-ip')
        }
        foreach ($server_ip in $server_ips) {
            $server_ip.set_InnerText($ip)
        }
    }
    # Write back only the first <ossec_config> block, without the fake root.
    $xml2 = New-Object System.Xml.XmlDocument
    $node = $xml2.AppendChild($xml2.ImportNode($ossec_config, $true))
    $xml2.Save($ossec_config_file)
    break
}



On Monday, January 30, 2017 at 7:05:43 PM UTC-3, jose wrote:
>
> Hi Igor,
>
>
> It's not possible in a windows package to set the Server IP and Key with 
> command line.
>
>
> Which version is your Ossec Manager?
>
>
> If by chance you are using wazuh, you can follow this article:
>
>
>
> https://blog.wazuh.com/automatically-deploying-ossec-to-windows-using-wazuh-api/
>
>
> i hope it helps.
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On January 27, 2017 at 1:11:04 AM, Igor Gatis (ig...@esfera5.com.br) wrote:
>
> I need to make OSSEC install fully automatic. Installation can be easily 
> done with /S flag to make it silent (
> https://chocolatey.org/packages/ossec-agent) 
>
> My question now is: how do I set server IP and agent key using command 
> line?
>
>
>
>



[ossec-list] Unable to capture file integrity changes more than 3 times with auto_ignore

2017-01-31 Thread Abhijit Tikekar
Hi,

I am unable to make <auto_ignore> work on our OSSEC instance for a few
directories which are set for Real Time monitoring. OSSEC Agent version is
2.8.3 and server is currently on 2.8.1.

I have tried to set <auto_ignore>no</auto_ignore> on both server and the
agent, but OSSEC still keeps ignoring the checksum change after the 3rd time.

Here is the directory monitoring configuration:

<syscheck>
  <frequency>79200</frequency>
  <directories>/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin</directories>
  <directories>/root,/etc</directories>
  <auto_ignore>no</auto_ignore>
</syscheck>

And the file we are trying to monitor is /etc/odbcnew.ini

When I check for the file changes, OSSEC always stops after 3rd change. I
can reset it manually but it'll stop again eventually after next 3 changes.

2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini
File changed. - 1st time modified.
Integrity checking values:
   Size: >682
   Perm: rw---
   Uid:  0
   Gid:  0
   Md5:  >bc47acc61dd3ac8f88d8a1197e3e9b1a
   Sha1: >02d20920310be144261d897d90d906e86a90225f

2017 Jan 31 06:47:15,2 - /etc/odbcnew.ini
File changed. - 2nd time modified.
Integrity checking values:
   Size: >770
   Perm: rw---
   Uid:  0
   Gid:  0
   Md5:  >087e76a102721db3c7218acb978720b2
   Sha1: >f5437d9ede1d2bb41cafbefce922d1c5997a3c13

2017 Jan 31 06:47:16,3 - /etc/odbcnew.ini
File changed. - 3rd time modified.
Integrity checking values:
   Size: >792
   Perm: rw---
   Uid:  0
   Gid:  0
   Md5:  >0ba151babde2a5adf64fb25b67628e9b
   Sha1: >266ff0c7ae1b19897046041da3df2beb598a1663

I found an old thread referring to making a source code change for
temporarily resolve this issue. Is that change still needed in the latest
versions?
https://groups.google.com/forum/#!topic/ossec-list/qk8Ch6DEIqk

On another thread, one example shows that OSSEC still records the fact that
a file is being ignored.
https://groups.google.com/forum/#!topic/ossec-list/qNnjYZGsWCs



2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
File changed. - Being ignored (3 or more changes).

We do not get this message. Does that mean agent itself is not sending the
changes after 3rd time?


Kindly assist

Thanks,

~ Abhi



Re: [ossec-list] Regular OSSEC vs OSSEC Wazuh

2017-01-31 Thread secucatcher
hi
Wazuh has rules updates and a nice integration of PCI DSS compliance.
More and more Wazuh is different from ossec, but I think they contribute to it 
too.

I'm still using ossec with our ELK, but ELK is a pain in the ass to upgrade, so I 
think graylog is better for searching logs.

There is siemonster that integrates ossec/wazuh too, great job but still a bit 
disappointing.

I really hope Ossec will still have improvements, this is a great tool, but I 
can only debug for helping.

The problem we face now is botnets using a different ip each for brute forcing.. 
that is a limit of the decoder checking only url/ip/etc..

There is a big step between HIDS and SIEM and the cost.

For us, Ossec needs better reporting and correlation.

- Original Message -
From: "Philip Alexander" 
To: "ossec-list" 
Sent: Monday, 30 January 2017 19:05:50
Subject: [ossec-list] Regular OSSEC vs OSSEC Wazuh


I intend to set up OSSEC and noticed there seem to be two main flavours: 
regular OSSEC and Wazuh fork. 

From what I've been able to gather, the main advantages of Wazuh are: 

* its ability to integrate with ELK 
* an improved ruleset 
* restful API 

I have no interest in using ELK for this project, but we already have a 
preexisting graylog instance that I'd like to hook up with OSSEC, which should 
be possible in regular OSSEC using syslog cef format, according to this: 
https://github.com/Graylog2/graylog-guide-ossec . 

I assume I can still use the improved ruleset even if I run regular OSSEC, 
at least I haven't seen anything that indicates otherwise. 

As for the restful API, I'm still very inexperienced and I've only recently 
heard about REST - I don't even know how I would begin putting it to use - so 
I'm not sure if I should use the Wazuh fork just for that. 

The objective is to run OSSEC agents on the machines in our cloud environment 
and point them to an OSSEC Server in a machine that's already being used for 
log management and monitoring on the same network . 

Are there any other advantages to running Wazuh instead of regular OSSEC? Is 
there much of a performance difference? Anything else I should take into 
consideration? 


