Re: [ossec-list] Re: %AppData% alert on new file creation proper setup

2017-03-29 Thread Victor Fernandez
Hi,

I tested this configuration in the Windows agent's ossec.conf:

<syscheck>
  <frequency>300</frequency>
  <directories>C:\Users/Administrator/AppData/Local/Temp</directories>
</syscheck>

And I added this new rule to the manager's local_rules.xml:

<rule id="100554" level="10">
  <if_sid>554</if_sid>
  <regex>C:\\Users/\S+/AppData/Local/Temp</regex>
  <description>File added to the system at Temp directory.</description>
  <group>syscheck,pci_dss_11.5,</group>
</rule>

This rule works with temporary files for any user. Unfortunately it seems
that wildcards (C:\Users/*/AppData/Local/Temp) do not work on Windows
agents, so you should add a <directories> entry for each user.

Note that new files are not reported on the first scan, so wait for this
message in the agent's ossec.log:

2017/03/29 11:44:32 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

Now add any file to the Temp directory. When the next scan is performed, an
alert like this one should appear on the manager:

** Alert 1490788534.45426831: - ossec,syscheck,pci_dss_11.5,
2017 Mar 29 04:55:34 (windows-agent) 10.1.2.3->syscheck
Rule: 100554 (level 10) -> 'File added to the system at Temp directory.'
New file 'C:\Users/Administrator/AppData/Local/Temp/Test Document.txt' added to the file system.
File: C:\Users/Administrator/AppData/Local/Temp/Test Document.txt
New size: 0
New permissions: 100666
New user: Administrators (0)
New group:  (0)
New MD5: d41d8cd98f00b204e9800998ecf8427e
New SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

Hope it helps.

Best regards.



On Tue, Mar 28, 2017 at 4:01 AM, dan (ddp)  wrote:

> On Mon, Mar 27, 2017 at 4:26 AM,   wrote:
> > Hello Dan,
> >
> > Thank you for your feedback. I have changed the frequency to 900 sec, and
> > inspected the ossec.log. I noted that inside the log file none of the
> > agent.conf directories were present. Any theories on why the ossec.conf
> > syscheck content is showing up in ossec.log, and the agent.conf syscheck
> > is not?
> >
>
> Can OSSEC read the agent.conf (permissions)?
> Is the updated agent.conf transferred to the agent (you can open the
> file in a text editor to check)?
> Other than that, no real idea.
>
> > cheers,
> > Henry
> >
> > On Saturday, March 25, 2017 at 6:50:03 AM UTC-6, henry.wil...@gmail.com
> > wrote:
> >>
> >> Hello fellow googlers,
> >>
> >> The GOAL:
> >>
> >> For every user on my Windows OSSEC agent, generate an OSSEC alert of
> >> severity 10 when a new file is added to
> >>
> >> C:\Users/*/%AppData%/Local/Temp directory
> >>
> >> Where the star was supposed to be the wildcard placeholder to instruct
> >> OSSEC to mean ANY user
> >>
> >> The Attempt & RESULTS:
> >>
> >> In an effort to get OSSEC to generate an alert upon a new file being
> >> created in %AppData% I have conducted the following steps.
> >>
> >> http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#why-aren-t-new-files-creating-an-alert
> >>
> >> Why aren't new files creating an alert?
> >>
> >> By default OSSEC does not alert on new files. To enable this
> >> functionality, <alert_new_files> must be set to yes inside the <syscheck>
> >> section of the manager's ossec.conf. Also, the rule to alert on new files
> >> (rule 554) is set to level 0 by default. The alert level will need to be
> >> raised in order to see the alert. Alerting on new files does not work in
> >> realtime, a full scan will be necessary to detect them.
> >>
> >> Add the following to local_rules.xml:
> >>
> >> <rule id="554" level="7" overwrite="yes">
> >>   <category>ossec</category>
> >>   <decoded_as>syscheck_new_entry</decoded_as>
> >>   <description>File added to the system.</description>
> >>   <group>syscheck,</group>
> >> </rule>
> >>
> >> The <syscheck> entry should look something like this:
> >>
> >> <syscheck>
> >>   <frequency>7200</frequency>
> >>   <alert_new_files>yes</alert_new_files>
> >>   <directories check_all="yes">/etc,/bin,/sbin</directories>
> >> </syscheck>
> >>
> >> In my OSSEC environment, I have a CentOS (current build) host for my
> >> OSSEC manager. I also have a Windows OS host for my OSSEC agent (agent
> >> id=001). To test the agent.conf setup of OSSEC I have on the OSSEC
> >> Manager host two configuration files, both the original ossec.conf file
> >> located @ directory var/ossec/etc/ as well as the agent.conf file located
> >> @ directory var/ossec/etc/shared. I have made the entry in both these
> >> configuration files, as well as added rule id 554 to local_rules.xml as
> >> depicted above from the OSSEC documentation.
> >>
> >> To confirm settings are correct I ran logtest without error.
> >> Additionally, I performed the following self-checks:
> >>
> >> Confirmed level="10" for rule id 554 in local_rules.xml AND
> >> on the OSSEC Manager inside the ossec.conf file that the setting for
> >> alert threshold was set to alert on level>=1
> >> Md5sum on Manager = on Agent copy of agent.conf
> >> Reduced frequency to 60 for troubleshooting/testing the create new file
> >> feature.
> >> Created a new file in directory %AppData%: 'test.txt'
> >>
> >> No immediate result; additionally let it sit and wait for 24hrs to ensure
> >> syscheck could run multiple times.
> >> Result: new file 'test.txt' was not alerted on.
> >>
> >> To arrive at this conclusion, I inspected the following results:
> >>
> >> nano /var/ossec/logs/alerts/alerts.log
> >>
> >> I can see .nix directories are fir
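As an added example (not code from Victor's post, from Henry's, or from the OSSEC project), the Python below works through the detection side of the exchange above: it parses alert blocks in the alerts.log format quoted in the reply, keeps the syscheck alerts at or above level 10, applies the manager rule's path pattern to a reported file path to show which user profiles it will and will not match, and emits one <directories> line per profile because wildcards are reported not to work on Windows agents. The sample alerts.log text is constructed here (the first block mirrors the alert in the reply, the second is a made-up rule 550 alert), and using Python's re for the OSSEC pattern C:\\Users/\S+/AppData/Local/Temp assumes \S+ means "one or more non-space characters" in both dialects.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample alerts.log text: the first block mirrors the alert quoted
# in the reply, the second is a made-up syscheck alert (rule 550) for the same file.
SAMPLE_ALERTS = r"""
** Alert 1490788534.45426831: - ossec,syscheck,pci_dss_11.5,
2017 Mar 29 04:55:34 (windows-agent) 10.1.2.3->syscheck
Rule: 100554 (level 10) -> 'File added to the system at Temp directory.'
New file 'C:\Users/Administrator/AppData/Local/Temp/Test Document.txt' added to the file system.
File: C:\Users/Administrator/AppData/Local/Temp/Test Document.txt
New size: 0
New permissions: 100666
New user: Administrators (0)
New group:  (0)
New MD5: d41d8cd98f00b204e9800998ecf8427e
New SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

** Alert 1490788900.45427000: - ossec,syscheck,
2017 Mar 29 05:01:40 (windows-agent) 10.1.2.3->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Users/Administrator/AppData/Local/Temp/Test Document.txt'
Size changed from '0' to '5'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?:(?P<flags>\S+) )?- (?P<groups>\S+)$")
SOURCE_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<location>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD_RE = re.compile(r"^(?P<key>File|New \w+): (?P<value>.*)$")
# The manager rule's pattern. Assumption: Python's re agrees with OSSEC's regex
# dialect for this pattern (\S+ = one or more non-space characters).
TEMP_RULE_RE = re.compile(r"C:\\Users/(\S+)/AppData/Local/Temp")


@dataclass
class Alert:
    timestamp: str
    groups: List[str]
    agent: str
    rule_id: int
    level: int
    description: str
    fields: Dict[str, str] = field(default_factory=dict)  # "File", "New MD5", ...
    details: List[str] = field(default_factory=list)      # any other body lines


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into Alert records (header, source, rule, body lines)."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    header: Optional[dict] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            header = {"timestamp": m["ts"],
                      "groups": [g for g in m["groups"].split(",") if g]}
            current = None
            continue
        if header is not None:
            m = SOURCE_RE.match(line)
            if m:
                header["agent"] = m["agent"]
                continue
            m = RULE_RE.match(line)
            if m:
                current = Alert(rule_id=int(m["id"]), level=int(m["level"]),
                                description=m["desc"], **header)
                alerts.append(current)
                header = None
            continue
        if current is not None:
            m = FIELD_RE.match(line)
            if m:
                current.fields[m["key"]] = m["value"].strip()
            else:
                current.details.append(line)
    return alerts


def triage(alerts: List[Alert], min_level: int = 10) -> List[Alert]:
    """Keep syscheck alerts at or above the level the thread is aiming for."""
    return [a for a in alerts if a.level >= min_level and "syscheck" in a.groups]


def temp_dir_user(path: str) -> Optional[str]:
    """User profile the rule's pattern extracts from a path, or None if it would not match."""
    m = TEMP_RULE_RE.search(path)
    return m.group(1) if m else None


def directories_entries(profiles: List[str]) -> str:
    """One <directories> line per profile, since wildcards are reported not to work here."""
    return "\n".join(f"<directories>C:\\Users/{p}/AppData/Local/Temp</directories>"
                     for p in profiles)


if __name__ == "__main__":
    for a in triage(parse_alerts(SAMPLE_ALERTS)):
        print(a.rule_id, a.level, a.fields.get("File"), a.fields.get("New MD5"))
    # A profile name containing a space is not matched by \S+, so rule 100554
    # would not fire for it even with its own <directories> entry.
    print(temp_dir_user(r"C:\Users/John Doe/AppData/Local/Temp/x.txt"))
    print(directories_entries(["Administrator", "svc-backup"]))
```

The profile check is the caveat worth keeping in mind when copying the rule: \S+ stops at the first space, so a profile such as "John Doe" never reaches the level-10 rule and falls through to whatever level rule 554 has on the manager.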

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-29 Thread Eduardo Reichert Figueiredo
Hi Victor,
I validated it, and the IPv6 feature is enabled in my Red Hat 7.3, but
ossec-remoted continues with the same error reported above.

The installation file is the same one used in other installations (rhel6.8).

On Thursday, 23 March 2017 at 15:37:50 UTC-3, Victor Fernandez wrote:
>
> Hi Eduardo,
>
> I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your
> configuration and it worked. But when I disabled IPv6 I got the
> same errors you have.
>
> Please try to enable IPv6 on the running system with:
>
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> sysctl -w net.ipv6.conf.default.disable_ipv6=1
>
> And try to start OSSEC. If it works, consider enabling IPv6 permanently by
> editing file */etc/sysctl.conf*.
>
> Hope it helps. If I find another way to run OSSEC with IPv6 disabled I will
> let you know.
>
> Best regards.
>
> On Thu, Mar 23, 2017 at 11:19 AM, dan (ddp) wrote:
>
>> On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote:
>> > Hi Dan, I don't have IPv6 enabled in my Linux system, so I don't have
>> > inet6 in my ifconfig configuration, only IPv4.
>> >
>> > Can this have caused the problem?
>> >
>>
>> I think having ipv6 support is necessary now. You don't need to have
>> addresses or anything, but the facilities need to be available.
>>
>> > On Wednesday, 22 March 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote:
>> >> > When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address)
>> >> > I have
>> >>
>> >> Is IPv6 totally disabled for your system (support for IPv6 was
>> >> removed)?
>> >>
>> >> > a problem with ossec-remoted and ossec-auth: these services can't bind
>> >> > port 1514, log error below.
>> >> > I generated my certificate with the commands "openssl genrsa -out" and
>> >> > "openssl req -new -x509 -key ".
>> >> >
>> >> > ##Log OSSEC.LOG
>> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
>> >> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
>> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
>> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
>> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
>> >> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
>> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
>> >> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
>> >> >
>> >> > In other cases of being unable to bind port 1514, my error was my
>> >> > client.keys, but now I have a new error, "getaddrinfo".
>> >> >
>> >> > Can you help me?
>> >> >
>> >> > Kind regards
>> >> >
>> >
>>
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-29 Thread Victor Fernandez
Sorry Eduardo, maybe the method that I told you (enabling on the fly) does
not work properly.

If you followed those steps to disable IPv6, it is better to undo what you
did to disable it.

I have done it by editing the file "/etc/sysctl.conf" and adding (to disable)
or removing (to enable it back) these lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

You probably used this method to disable IPv6, so please try to remove (or
comment out) those lines, reboot your system and start OSSEC again.

Best regards.

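As an added example (not code from Victor's message or from the OSSEC project), the Python below covers the two checks this thread turns on: finding and commenting out the sysctl.conf lines that disable IPv6, and probing whether the passive IPv6 wildcard can be resolved and bound the way the quoted ossec.log shows failing. The sysctl.conf text is a constructed sample; the probe uses a UDP socket on an ephemeral port and is an approximation of the getaddrinfo-then-bind sequence in the log, not OSSEC's own listener code, and its result depends on the host it runs on.

```python
import re
import socket
from typing import List, Tuple

# The two sysctl keys from the thread: a value of 1 disables IPv6.
DISABLE_KEYS = ("net.ipv6.conf.all.disable_ipv6", "net.ipv6.conf.default.disable_ipv6")
SETTING_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>\S+)\s*$")

# Constructed sample of an /etc/sysctl.conf edited the way the message describes.
SAMPLE_SYSCTL_CONF = """\
# constructed sample, not copied from a real host
net.ipv4.ip_forward = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
kernel.sysrq = 0
"""


def ipv6_disabling_lines(text: str) -> List[Tuple[int, str]]:
    """(1-based line number, key) for each active line that sets a disable_ipv6 key to 1."""
    hits: List[Tuple[int, str]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = SETTING_RE.match(line)
        if m and m["key"] in DISABLE_KEYS and m["value"] == "1":
            hits.append((no, m["key"]))
    return hits


def reenable_ipv6(text: str) -> str:
    """Comment out the disabling lines (the "remove or comment" step);
    every other line is kept verbatim so the rest of the file is untouched."""
    out: List[str] = []
    for line in text.splitlines(keepends=True):
        m = SETTING_RE.match(line)
        if m and m["key"] in DISABLE_KEYS and m["value"] == "1":
            out.append("# " + line)
        else:
            out.append(line)
    return "".join(out)


def can_bind_ipv6_wildcard(port: int = 0) -> bool:
    """Live, host-dependent probe: resolve the passive IPv6 wildcard with
    getaddrinfo and bind a UDP socket to it. False means a listener doing the
    same thing would fail just like the getaddrinfo/bind errors in the log."""
    try:
        infos = socket.getaddrinfo(None, port, socket.AF_INET6, socket.SOCK_DGRAM,
                                   0, socket.AI_PASSIVE)
    except socket.gaierror:      # "Name or service not known"
        return False
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.bind(sockaddr)
                return True
        except OSError:          # no AF_INET6 support, or address not available
            continue
    return False


if __name__ == "__main__":
    print("disabling lines:", ipv6_disabling_lines(SAMPLE_SYSCTL_CONF))
    print(reenable_ipv6(SAMPLE_SYSCTL_CONF))
    print("IPv6 wildcard bind possible:", can_bind_ipv6_wildcard())
```

Running the probe before and after the sysctl change (and after the reboot the message recommends) tells you whether the fix took effect without starting OSSEC at all.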

Re: [ossec-list] cannot get policy auditing to work

2017-03-29 Thread dan (ddp)
On Tue, Mar 28, 2017 at 5:16 PM, Keith Goodlip  wrote:
> I've been trying to setup policy audit in a lab I've set up to no avail.
>
> My setup is 2 servers (server, client) using CentOS 7.3 and RPMs from the
> atomic repository (selinux, firewalld are disabled) (ipv6 is enabled)
>
> All server processes are up and running:
>
> [root@ossec-server ossec]# bin/ossec-control status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
> ossec-dbd is running...
>
>
> client enrolled via manage_agents and I can see it registered and active:
>
> [root@ossec-server ossec]# bin/agent_control -i 001
> OSSEC HIDS agent_control. Agent information:
>Agent ID:   001
>Agent Name: ossec-client.infosec
>IP address: 172.16.29.6/32
>Status: Active
>
>Operating system:Linux ossec-client.infosec 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64
>Client version:  OSSEC HIDS v2.9.0 / 9fd969bbe7f4a3f52951a3e3acb1953b
>Last keep alive: Tue Mar 28 23:09:30 2017
>
>Syscheck last started  at: Tue Mar 28 23:00:35 2017
>Rootcheck last started at: Tue Mar 28 22:41:41 2017
>
>
> here is my agent.conf:
>
> <agent_config>
>   <syscheck>
>     <frequency>3600</frequency>
>
>     <directories>/etc,/usr/bin,/usr/sbin</directories>
>     <directories>/bin,/sbin</directories>
>
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>   </syscheck>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/yum.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/ossec/logs/active-responses.log</location>
>   </localfile>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
>   </rootcheck>
>
> </agent_config>
>
> MD5 matches between /var/ossec/etc/shared/agent.conf and the client version
> I get from bin/agent_control -i 001
>
> However I'm not getting any results from the system_audit.
>
> What am I doing wrong?
>

Try running ossec-syscheckd in debug mode, and check ossec.log for
messages about it.




[ossec-list] time based exceptions

2017-03-29 Thread mscrano
Hi Ossec-list,
I am wondering if anyone else has run into this issue. I have a cron that
runs at the same time every day and it always triggers the promiscuous mode
rule (per expected behavior). Is it possible to have a time-based
exclusion for a rule such that it will not trigger between specific times?
For example I would like to disable this rule for 2 minutes at midnight. I
have not seen such a configuration option in the documentation. Anyone have
any advice?
Thanks,
Mark Scrano



Re: [ossec-list] time based exceptions

2017-03-29 Thread Jose Luis Ruiz
Hi mscrano, yes you can do that,

example:

<rule id="100125" level="10"> <!-- level="10" assumed -->
  <time>6 pm - 8:30 am</time>
  <description>Login outside business hours.</description>
  <group>policy_violation</group>
</rule>

http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com


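As an added example (not code from this reply or from the OSSEC project), the Python below evaluates a <time> window the way the example rule uses it, so the two-minute midnight window from the question can be tried out before it goes into a rule. It accepts the endpoint forms the linked docs page lists (hh:mm, hh:mm am/pm, hh, h am/pm, h:mm am/pm) and both a hyphen and an en dash as the separator, since mail archives often convert the hyphen. A range whose end is earlier than its start is treated as wrapping past midnight, and both endpoints are treated as inclusive; that boundary behaviour is an assumption to confirm against the OSSEC version in use, not a statement about its implementation. The event times at the bottom are constructed.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Endpoint forms the OSSEC docs list for <time>: hh:mm, hh:mm am/pm, hh, h am/pm, h:mm am/pm.
_ENDPOINT_RE = re.compile(r"^\s*(?P<h>\d{1,2})(?::(?P<m>\d{2}))?\s*(?P<ap>am|pm)?\s*$",
                          re.IGNORECASE)
# Start and end are separated by "-"; an en dash is accepted as well because mail
# clients and archives often convert the hyphen.
_SEPARATOR_RE = re.compile(r"\s*[-\u2013]\s*")


def parse_clock(spec: str) -> int:
    """One endpoint of a <time> range as minutes since midnight (12 am -> 0, 12 pm -> 720)."""
    m = _ENDPOINT_RE.match(spec)
    if not m:
        raise ValueError(f"bad time endpoint: {spec!r}")
    hour, minute = int(m["h"]), int(m["m"] or 0)
    ap = (m["ap"] or "").lower()
    if ap:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour clock needs 1..12: {spec!r}")
        hour = hour % 12 + (12 if ap == "pm" else 0)
    if hour > 23 or minute > 59:
        raise ValueError(f"out of range: {spec!r}")
    return hour * 60 + minute


def parse_time_range(spec: str) -> Tuple[int, int]:
    """'6 pm - 8:30 am' -> (1080, 510)."""
    parts = _SEPARATOR_RE.split(spec.strip())
    if len(parts) != 2:
        raise ValueError(f"expected start-end: {spec!r}")
    return parse_clock(parts[0]), parse_clock(parts[1])


def in_time_range(spec: str, at: str) -> bool:
    """True if the 24-hour clock time `at` ("HH:MM") lies inside the <time> range.
    An end earlier than the start wraps past midnight, which is how '6 pm - 8:30 am'
    covers the night. Both endpoints are inclusive here (assumption; check the
    exact boundary minute against the OSSEC version in use)."""
    start, end = parse_time_range(spec)
    now = parse_clock(at)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def matching_events(spec: str, events: List[str]) -> List[str]:
    """Event times ("HH:MM") inside the window, i.e. the ones a rule carrying
    <time>spec</time> would apply to."""
    return [e for e in events if in_time_range(spec, e)]


if __name__ == "__main__":
    # Constructed event times: the nightly cron around 00:00 plus a daytime event.
    cron_window = "11:59 pm - 12:01 am"   # the two-minute window the question asks about
    print(matching_events(cron_window, ["00:00", "00:01", "00:02", "14:05", "23:59"]))
    print(in_time_range("6 pm - 8:30 am", datetime.now().strftime("%H:%M")))
```

The midnight window is the interesting case: because 23:59 is later than 00:01, the range wraps, and only the events at 23:59, 00:00 and 00:01 fall inside it while the 14:05 event is left alone.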