Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-28 Thread Gert Verhoog
That works like a charm, thank you for your help!

Cheers,
gert

On Thursday, May 25, 2017 at 1:21:52 AM UTC+12, Jesus Linares wrote:
>
> I don't know what is happening. Both *regex* and *match* look in the 
> *full_log* field, so it should work with regex (escaping reserved 
> characters) and with match. It looks like the full_log doesn't contain 
> that information, only the filename. 
>
> Anyway, if you are using Wazuh 2.0, the "title" and the "file" are 
> extracted as dynamic fields.
>  
> Example:
>
> *local_rules.xml* (change the level to 0)
>
> <rule id="100510" level="15">
>   <if_sid>510</if_sid>
>   <field name="title">File is owned by root and has written permissions to anyone</field>  <!-- tag restored from context; the archive stripped it -->
>   <description>Ignore this rule</description>
>   <group>rootcheck,</group>
> </rule>
>
> *alerts.log*
> Rule: 100510 (level 15) -> 'Ignore this rule'
> File '/var/lib/test' is owned by root and has written permissions to anyone.
> title: File is owned by root and has written permissions to anyone.
> file: /var/lib/test
>
> You can use both fields to ignore only some files:
> <field name="title">File is owned by root and has written permissions to anyone</field>
> <field name="file">good_file.txt</field>
>
> The <field> tag is a regex, so you can use wildcards (\.+ \.*), or (|), 
> expressions (\w, \S), etc.
>
> I hope it helps.
>
>
>
> On Wednesday, May 24, 2017 at 5:32:48 AM UTC+2, Gert Verhoog wrote:
>>
>> I think I'm just really confused as to what "regex" and "match" are 
>> actually matching against. Given the following log event:
>>
>> 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck 
>> File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.
>>
>> This rule successfully ignores it:
>>
>>   <rule id="100510" level="0">  <!-- id and level not preserved in the archive; assumed -->
>>     <if_sid>510</if_sid>
>>     <regex>/var/lib/docker/volumes/\S+/_data</regex>
>>     <description>Ignore this rule</description>
>>     <group>rootcheck,</group>
>>   </rule>
>>
>>
>> But this one doesn't:
>>
>>   <rule id="100510" level="0">  <!-- id and level not preserved in the archive; assumed -->
>>     <if_sid>510</if_sid>
>>     <regex>is owned by root and has written permissions to anyone</regex>
>>     <description>Ignore this rule</description>
>>     <group>rootcheck,</group>
>>   </rule>
>>
>>
>> What string does regex match against? The docs say "Any regex to match 
>> against the log event"; that should include more than just the file path, 
>> right?
>>
>> Cheers,
>> Gert
>>
>>
>>
>> On Wednesday, May 24, 2017 at 1:02:24 PM UTC+12, Gert Verhoog wrote:
>>>
>>> Unfortunately, it's still not working, and I'm not sure what else I can 
>>> try... This is what I'm doing:
>>>
>>> The log entries that I want to ignore all look like this (from 
>>> archives.log):
>>>
>>> 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck 
>>> File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.
>>>
>>> Inspired by rule 511 from the Wazuh ruleset, I have the following rule in 
>>> /var/ossec/etc/rules/local_rules.xml:
>>>
>>>   <rule id="100510" level="0">  <!-- id and level not preserved in the archive; assumed -->
>>>     <if_sid>510</if_sid>
>>>     <regex>is owned by root and has written permissions to anyone</regex>
>>>     <description>Ignore this rule</description>
>>>     <group>rootcheck,</group>
>>>   </rule>
>>>
>>> After editing the local rules file, I execute a 
>>> "/var/ossec/bin/ossec-control restart" on the server, and after that also 
>>> on the client. I wait for rootcheck to execute, which generates many 
>>> entries such as the one above in the archives.log. Unfortunately, they 
>>> still show up as a level 7 event in the kibana dashboard:
>>>
>>> rule.id: 510
>>> agent.name: ci-runner__development_12.34.56.78
>>> agent.id: 009
>>> manager.name: ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.com
>>> rule.firedtimes: 1,700
>>> rule.level: 7
>>> rule.description: Host-based anomaly detection event (rootcheck).
>>> rule.groups: ossec, rootcheck
>>> decoder.name: rootcheck
>>> title: File is owned by root and has written permissions to anyone.
>>> full_log: File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.
>>> @timestamp: May 24th 2017, 12:38:16.000
>>> file: /var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt
>>> host: ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.com
>>> location: rootcheck
>>>
>>>
>>> Unfortunately, we can't just change the permissions of these without 
>>> breaking our CI. I'm not very concerned about the world-writable files 
>>> under /var/lib/docker/volumes, since only root can traverse this path 
>>> anyway, so I would love to just ignore them, as they are about 90% of what 
>>> shows up in the dashboards, so it drowns out other events. 
>>>
>>> Do you have any ideas what I could try next? 
>>>
>>> Many thanks for your help so far!
>>>
>>>
>>> On Tuesday, May 23, 2017 at 1:35:58 AM UTC+12, Jesus Linares wrote:

 You can'

Re: [ossec-list] Re: OSSEC Agent not works

2017-05-28 Thread Руслан Аминджанов
Still nothing.
https://0bin.net/paste/7rMT6xDrnBLdjAZd#HIJmfdpKt4bnGmgsV30SdbywkXSi0-pnzZ7UXZBDffw

On Saturday, May 27, 2017 at 22:38:13 UTC+5, dan (ddpbsd) wrote:
>
> On Sat, May 27, 2017 at 5:39 PM, Руслан Аминджанов wrote: 
> > Fully reinstalled the system and got a new problem: the agents are still 
> > not connecting, but now even if I send messages to ossec-remoted via netcat 
> > there are no entries in the log. Checked via netstat, and ossec-remoted is 
> > listening. 
> > 
>
> Turn on debug mode on the manager (`/var/ossec/bin/ossec-control 
> enable debug`), restart OSSEC (`/var/ossec/bin/ossec-control 
> restart`), and try again. 
>
> > On Monday, April 17, 2017 at 18:01:44 UTC+5:45, Руслан Аминджанов wrote: 
> >> 
> >> I am reinstalling the system right now, but it looks like this was the 
> >> issue. 
> >> Thank you very much! 
> >> 
> >> On Monday, April 17, 2017 at 7:01:29 UTC+5:45, Victor Fernandez wrote: 
> >>> 
> >>> Hi, 
> >>> 
> >>> Do you have more than one network interface on your manager? I see your 
> >>> tcpdump log is a bit unusual: 
> >>> 
> >>> 00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73 
> >>> 00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 
> >>> 
> >>> 
> >>> It seems that the manager is responding (probably an ACK message) but it 
> >>> is doing it from a different IP (10.2.2.13 instead of 10.2.2.12). 
> >>> 
> >>> Do you see any error at /var/ossec/log/ossec.log at the agent? 
> >>> 
> >>> Best regards. 
> >>> 
> >>> On Sat, Apr 15, 2017 at 11:59 PM, Kat wrote: 
>  
>  It really sounds like you are missing a step -- perhaps post the steps 
>  you do for the install, adding an agent etc., showing the commands and 
>  results. We need something more to help you. 
>  
>  Kat 
>  
>  
>  On Thursday, April 13, 2017 at 5:24:32 PM UTC-5, Руслан Аминджанов wrote: 
> > 
> > Hello! 
> > I installed OSSEC server and client on 2 hosts, however the agent showed as 
> > "Never connected". There is no firewall between these hosts, and if I use 
> > netcat to connect to the server, its log shows that the message is not 
> > properly formatted. 
> > Output of tcpdump: 
> > 
> > 00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73 
> > 00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 
> > 00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73 
> > 00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 
> > 00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73 
> > 00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 
> > 00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73 
> > 00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 
>  
>  -- 
>  
>  --- 
>  You received this message because you are subscribed to the Google 
>  Groups "ossec-list" group. 
>  To unsubscribe from this group and stop receiving emails from it, 
> send 
>  an email to ossec-list+...@googlegroups.com. 
>  For more options, visit https://groups.google.com/d/optout. 
> >>> 
> >>> 
> >>> 
> >>> 
> >>> -- 
> >>> Victor M. Fernandez-Castro 
> >>> IT Security Engineer 
> >>> Wazuh Inc. 
> > 
>

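Victor's diagnosis in the thread above (the agent sends to 10.2.2.12, the answer comes back from 10.2.2.13) is the kind of thing worth checking mechanically whenever a multi-homed manager is involved. The block below is an added example written by the editor; it is not code from OSSEC or from anyone in the thread. It parses tcpdump lines of the shape quoted above and reports replies to the agent that do not come from the address the agent last sent to. The capture embedded in it is constructed to mirror the thread's lines (agent 10.2.2.3, manager 10.2.2.12/10.2.2.13, UDP 1514 shown by tcpdump under its /etc/services name fujitsu-dtcns), plus a second, symmetric capture for contrast.

```python
import re

# Added example (editor's code, not OSSEC code). Parses tcpdump output like the
# capture in the thread and flags replies that reach the agent from an address
# other than the manager address the agent sent to. Both samples below are
# constructed; the first copies the shape of the thread's capture.
TCPDUMP_SAMPLE = """\
00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
"""
HEALTHY_SAMPLE = """\
00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.12.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
"""

# tcpdump substitutes the /etc/services name for a port; fujitsu-dtcns is 1514,
# the default OSSEC agent-to-manager UDP port.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\S+): UDP, length (?P<len>\d+)$")


def parse_tcpdump(text):
    """Yield (ts, src, sport, dst, dport, length) for every UDP line; skip others."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], m["sport"], m["dst"], m["dport"], int(m["len"]))


def reply_source_mismatches(text, agent_ip):
    """Return sorted (sent_to, replied_from) pairs for replies to the agent that
    did not come from the address the agent last sent to. An empty list means
    the capture looks symmetric."""
    last_dst, mismatches = None, set()
    for _ts, src, _sport, dst, _dport, _len in parse_tcpdump(text):
        if src == agent_ip:
            last_dst = dst                      # datagram from the agent: remember where it went
        elif dst == agent_ip and last_dst is not None and src != last_dst:
            mismatches.add((last_dst, src))     # reply from somewhere the agent did not talk to
    return sorted(mismatches)


if __name__ == "__main__":
    for label, sample in (("thread capture", TCPDUMP_SAMPLE), ("healthy capture", HEALTHY_SAMPLE)):
        found = reply_source_mismatches(sample, "10.2.2.3")
        print(label, "->", found or "replies come from the address the agent sent to")
```

On the thread's capture this reports `('10.2.2.12', '10.2.2.13')`: the agent is waiting on a socket connected to 10.2.2.12, so an answer sourced from 10.2.2.13 is dropped before the agent ever sees it, and the manager can look perfectly alive in tcpdump while the agent stays "Never connected". The fix belongs on the manager side (reply from the address the agents are configured to use, by routing or by binding to a single interface), not in the agent configuration.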


[ossec-list] Re: Help with decoder

2017-05-28 Thread RWagner
Ooops!

Correcting the decoder parent and my decoder:

Decoder parent:

<decoder name="fortigate-firewall-v5">
  <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
  <type>syslog</type>
</decoder>


My decoder:

<decoder name="fortigate-vpn">  <!-- decoder name not preserved in the archive; assumed -->
  <parent>fortigate-firewall-v5</parent>
  <prematch>type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg=</prematch>
  <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"</regex>
  <order>extra_data,action,dstip,srcip,status</order>
</decoder>


On Sunday, May 28, 2017 at 11:38:16 UTC-3, RWagner wrote:
>
>
> 
> Hi Guys!
>
> I'm making a decoder for problems with vpn phase_2 for the fortigate.
>
> Sample log:
> date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 
> devid=FGT60D00 logid=01016745858 type=event subtype=vpn 
> level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec 
> phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 
> remport=500 locport=500 outintf="wan2" 
> cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" 
> xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" 
> phase2_name=VPN_XPTO
>
>
> Decoder parent:
>
> <decoder name="fortigate-firewall-v5">
>   <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+</prematch>
>   <type>syslog</type>
> </decoder>
>
>
> My decoder:
>
> <decoder name="fortigate-vpn">  <!-- decoder name not preserved in the archive; assumed -->
>   <parent>fortigate-firewall-v5</parent>
>   <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=</regex>
>   <order>extra_data,action,dstip,srcip,status</order>
> </decoder>
>
> In the image of the test done with logtest, the data extra_data, action, 
> dstip, srcip, status does not show up.
>
> I wonder what's wrong with my decoder.
>



[ossec-list] Help with decoder

2017-05-28 Thread RWagner



Hi Guys!

I'm making a decoder for problems with vpn phase_2 for the fortigate.

Sample log:
date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 
devid=FGT60D00 logid=01016745858 type=event subtype=vpn 
level=notice vd=root logdesc="IPsec phase 2 status changed" msg="IPsec 
phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 
remport=500 locport=500 outintf="wan2" 
cookies="dfaf555664477957/b55566998873c6f9" user="N/A" group="N/A" 
xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN_XPTO" 
phase2_name=VPN_XPTO


Decoder parent:

<decoder name="fortigate-firewall-v5">
  <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+</prematch>
  <type>syslog</type>
</decoder>


My decoder:

<decoder name="fortigate-vpn">  <!-- decoder name not preserved in the archive; assumed -->
  <parent>fortigate-firewall-v5</parent>
  <regex>logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=</regex>
  <order>extra_data,action,dstip,srcip,status</order>
</decoder>


In the image of the test done with logtest, the data extra_data, action, 
dstip, srcip, status does not show up.

I wonder what's wrong with my decoder.

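Two of the questions on this page come down to how OSSEC's own regex dialect is evaluated: the rule 510 ignore rule in the first thread (`<regex>`/`<match>` against full_log versus `<field name="title">`/`<field name="file">` against the decoded fields) and the Fortigate `<prematch>`/`<regex>`/`<order>` decoder in this one. The block below is an added example written by the editor; it is not code from OSSEC, Wazuh or any poster. It translates the OS_Regex escapes used in the posts (`\.`, `\S`, `\w`, `\d`, `+`, `*`) into Python and runs the posted patterns over the rootcheck event and the Fortigate sample log quoted above. Everything in it is a stated simplification or assumption: the escape table and the lazy-quantifier model of `+`/`*` approximate OS_Regex, `<match>` is reduced to a substring test, `decode_rootcheck` is a stand-in that only reproduces the `title` and `file` fields visible in the Kibana event (not Wazuh's rootcheck decoder), the rule and decoder dictionaries mirror the XML in the posts, and the `vd=\S+` prematch is the editor's fix for the posted `vd="\.+"`, which cannot match the sample log because that log carries `vd=root` without quotes.

```python
import re

# Added example (editor's code, not OSSEC/Wazuh code): translates the OS_Regex
# dialect of <regex>, <prematch> and <field> into Python re syntax. Assumptions:
# the escape classes below; '+' and '*' stop as soon as the rest of the pattern
# fits (modelled as lazy quantifiers); any other character, '.' and '?' included,
# is literal.
OSSEC_CLASSES = {"w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]", "d": r"[0-9]",
                 "D": r"[^0-9]", "s": r" ", "S": r"[^ ]", ".": r".", "t": r"\t"}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(c + "?" if c in "+*" else c if c in "()|^$" else re.escape(c))
        i += 1
    return "".join(out)

def run_decoder(decoder, log):
    """<prematch> gates the decoder, <regex> captures are named by <order>.
    None = prematch failed, {} = nothing captured."""
    if "prematch" in decoder and not re.search(ossec_to_python(decoder["prematch"]), log):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), log) if "regex" in decoder else None
    return dict(zip(decoder["order"], m.groups())) if m else {}

def rule_ignores(rule, full_log, fields):
    """<match> (reduced to a substring test) and <regex> check full_log;
    each <field name="..."> checks the decoded field of that name."""
    if "match" in rule and rule["match"] not in full_log:
        return False
    if "regex" in rule and not re.search(ossec_to_python(rule["regex"]), full_log):
        return False
    return all(name in fields and re.search(ossec_to_python(pat), fields[name])
               for name, pat in rule.get("fields", {}).items())

# --- First thread: rootcheck event, constructed from the quoted message -------
ROOTCHECK_LOG = ("File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293"
                 "/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.")
OTHER_LOG = "File '/etc/passwd' is owned by root and has written permissions to anyone."

# Stand-in for Wazuh's rootcheck decoding (assumption: it only reproduces the
# 'title' and 'file' fields visible in the Kibana event, not Wazuh's own logic).
ROOTCHECK_DECODER = {"regex": r"^File '(\.+)' (\.+)$", "order": ["file", "rest"]}

def decode_rootcheck(log):
    f = run_decoder(ROOTCHECK_DECODER, log)
    return {"file": f["file"], "title": "File " + f["rest"]}

# The poster's full_log <regex>, and an ignore rule built from the two <field>
# tags suggested in the reply, scoped to the docker volume _data directories.
FULL_LOG_REGEX_RULE = {"if_sid": 510, "regex": r"is owned by root and has written permissions to anyone"}
IGNORE_DOCKER_VOLUMES = {"if_sid": 510, "fields": {
    "title": r"File is owned by root and has written permissions to anyone",
    "file": r"^/var/lib/docker/volumes/\S+/_data/"}}

# --- Last thread: Fortigate decoders as posted in the correction --------------
FORTIGATE_LOG = ('date=2017-05-20 time=07:31:20 devname=Fw1-sa-dc2d-g56 devid=FGT60D00 logid=01016745858 '
                 'type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 status changed" '
                 'msg="IPsec phase 2 status change" action=phase2-down remip=1.1.1.1 locip=2.2.2.2 '
                 'remport=500 locport=500 outintf="wan2" cookies="dfaf555664477957/b55566998873c6f9" '
                 'user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A '
                 'vpntunnel="VPN_XPTO" phase2_name=VPN_XPTO')
FORTIGATE_PARENT = {"prematch": r"date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ "}
VPN_CHILD_AS_POSTED = {
    "prematch": r'type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg=',
    "regex": r'logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"',
    "order": ["extra_data", "action", "dstip", "srcip", "status"]}
# The sample log has vd=root without quotes, so the posted prematch never fires;
# relaxing it to vd=\S+ is the editor's suggested fix.
VPN_CHILD_FIXED = dict(VPN_CHILD_AS_POSTED,
                       prematch=r'type=event subtype=vpn level=\S+ vd=\S+ logdesc="\.+" msg=')

if __name__ == "__main__":
    fields = decode_rootcheck(ROOTCHECK_LOG)
    print("rootcheck fields:", fields)
    print("full_log <regex> matches:", rule_ignores(FULL_LOG_REGEX_RULE, ROOTCHECK_LOG, fields))
    print("<field> rule ignores docker file:", rule_ignores(IGNORE_DOCKER_VOLUMES, ROOTCHECK_LOG, fields))
    print("<field> rule ignores /etc/passwd:",
          rule_ignores(IGNORE_DOCKER_VOLUMES, OTHER_LOG, decode_rootcheck(OTHER_LOG)))
    print("parent prematch:", run_decoder(FORTIGATE_PARENT, FORTIGATE_LOG))
    print("child as posted:", run_decoder(VPN_CHILD_AS_POSTED, FORTIGATE_LOG))
    print("child with vd=\\S+:", run_decoder(VPN_CHILD_FIXED, FORTIGATE_LOG))
```

Under this model the poster's full_log `<regex>` does match the rootcheck event, which is what Jesus expected; the thread never establishes why it did not fire in that deployment, so the example only confirms the pattern itself is not the problem. The two `<field>` tags ignore the docker-volume file and leave `/etc/passwd` alone, which is the scoping the poster wanted. For the Fortigate side, the parent prematch fires, the child decoder as posted returns None because `vd="\.+"` demands a quote the sample log does not have, and the relaxed prematch yields the five `<order>` fields that logtest was not showing.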