[ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-03 Thread Jesus Linares
Hi

> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': 
> XMLERR: File 'shared/agent.conf' not found. (line 147).


What is in line 147?

More information about the agent.conf and the process to synchronize it: 
https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
 

I hope it helps.
Regards.

On Sunday, July 2, 2017 at 3:30:07 AM UTC+2, Ricardo Galossi wrote:
>
> Hi guys,
>
> I'd like to ask for some help here..
>
> My Windows agents are not synchronizing shared/agent.conf; within the 
> C:\Program Files (x86)\ossec-agent\shared directory there is no 
> agent.conf even after restarting the Windows agent. My agent.conf is below:
>
> 
> 
>  check_all="yes">C:\labtest
> 
> 
>
> In the agent log file I receive the following message:
>
> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': 
> XMLERR: File 'shared/agent.conf' not found. (line 147).
>
> If I create the file agent.conf manually the configuration works (which 
> proves that the configuration is ok), but it also doesn't synchronize if I 
> try to change it.
>
> Am I making some mistake? Please, help me!!
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Rule fired but active-response didn't work

2017-07-03 Thread Tunguyen
My rule fired and I received alert emails too, but active-response doesn't 
work. 

Here is my active-response config in ossec.conf:


firewall-drop
all
100101
600


Here is my email alert:

Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired 
(level 9) -> “Multiple access in a short time from same IP” Portion of the 
log(s):

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”


After receiving this alert message, my IP hasn't been blocked and I can 
still send a bunch of requests to the server. And when I checked 
/var/ossec/logs/active-responses.log, it was empty. No IP has been blocked. 
Can someone explain please?



[ossec-list] OSSEC rule match time and timeframe

2017-07-03 Thread Fredrik Hilmersson
Hello,

Let's say I have a script which runs once every half an hour, with a latency 
difference of about 10-20 seconds.
Would it be possible to match the following:

1. Time
2. Hostname
3. Username

The reason I prefer more than a single match (i.e. not only time) is to avoid 
missing an actual event by mistake.



 5501
 **:30

 agent-hostname
 ssh-user

 no_email_alert

 Ignore rule 5501 for host 



Kind regards,
Fredrik



[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
Hey, I had a similar issue with the active response not working as 
intended. The way I solved it was to add the following to the ossec.conf 



 

   ossec-server

 



 30,60,120,240,480





 no



kind regards,
Fredrik

On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>
> My rule fired, i received alert emails too. But active-response doesn't 
> work. 
>
> Here is my active-response config in ossec.conf:
>
> 
> firewall-drop
> all
> 100101
> 600
> 
>
> Here is my email alert:
>
> Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired 
> (level 9) -> “Multiple access in a short time from same IP” Portion of the 
> log(s):
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>
> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”
>
>
> After receiving this alert message, my IP hasn't been blocked and I still 
> can send bunch of requests to the server. And when i checked 
> /var/ossec/logs/active-responses.log, it was empty. No IP has been block. 
> Can someone explain please?
>



[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
ossec.conf on the AGENT side, forgot to mention!

On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote:
>
> Hey, I had a similar issue with the active response not working as 
> intended. The way I solved it was to add the following to the ossec.conf 
>
> 
>
>  
>
>ossec-server
>
>  
>
> 
>
>  30,60,120,240,480
>
> 
>
> 
>
>  no
>
> 
>
> kind regards,
> Fredrik
>
> On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>>
>> My rule fired, i received alert emails too. But active-response doesn't 
>> work. 
>>
>> Here is my active-response config in ossec.conf:
>>
>> 
>> firewall-drop
>> all
>> 100101
>> 600
>> 
>>
>> Here is my email alert:
>>
>> Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 
>> fired (level 9) -> “Multiple access in a short time from same IP” Portion 
>> of the log(s):
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>
>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / HTTP/1.1” 
>> 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
>> (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”
>>
>>
>> After receiving this alert message, my IP hasn't been blocked and I still 
>> can send bunch of requests to the server. And when i checked 
>> /var/ossec/logs/active-responses.log, it was empty. No IP has been block. 
>> Can someone explain please?
>>
>



[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
Sorry for the 'spam', hehe. I just checked my configuration once more: is the 
active response section you refer to the original response setting? 
Make sure to have the following within your ossec.conf (server side):





firewall-drop

 all

 6

 600

 30,60,120,240,480





 firewall-drop

 all

 100101






On Monday, 3 July 2017 at 12:15:08 UTC+2, Fredrik Hilmersson wrote:
>
> ossec.conf on the AGENT side, forgot to mention!
>
> On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote:
>>
>> Hey, I had a similar issue with the active response not working as 
>> intended. The way I solved it was to add the following to the ossec.conf 
>>
>> 
>>
>>  
>>
>>ossec-server
>>
>>  
>>
>> 
>>
>>  30,60,120,240,480
>>
>> 
>>
>> 
>>
>>  no
>>
>> 
>>
>> kind regards,
>> Fredrik
>>
>> On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>>>
>>> My rule fired, i received alert emails too. But active-response doesn't 
>>> work. 
>>>
>>> Here is my active-response config in ossec.conf:
>>>
>>> 
>>> firewall-drop
>>> all
>>> 100101
>>> 600
>>> 
>>>
>>> Here is my email alert:
>>>
>>> Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 
>>> fired (level 9) -> “Multiple access in a short time from same IP” Portion 
>>> of the log(s):
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 
>>>
>>> 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / 
>>> HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”
>>>
>>>
>>> After receiving this alert message, my IP hasn't been blocked and I 
>>> still can send bunch of requests to the server. And when i checked 
>>> /var/ossec/logs/active-responses.log, it was empty. No IP has been block. 
>>> Can someone explain please?
>>>
>>



[ossec-list] I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
I've got this event log in windows:

2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13

I'd like to ignore entries that contain the broadcast address 192.168.1.255.

If I fire up "ossec-logtest -v" and feed that log line into the app, I see 
that it matches against the sid 18105:

Trying rule: 18105 - Windows audit failure event.
*Rule 18105 matched.
*Trying child rules.
 Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
 Trying rule: 18153 - Multiple Windows audit failure events.
 Trying rule: 18106 - Windows Logon Failure.
 Trying rule: 18139 - Windows DC Logon Failure.
 Trying rule: 18180 - MS SQL Server Logon Failure.
 Trying rule: 18108 - Failed attempt to perform a privileged operation.
 **Phase 3: Completed filtering (rules).
Rule id: '18105'
Level: '4'
Description: 'Windows audit failure event.'
 **Alert to be generated.


So I've added this rule to my local_rules.xml file:

  
  18105
  192.168.1.255
  Ignore firewall dropped packets for broadcast address


However, after restarting ossec-hids-server and re-running "ossec-logtest 
-v", I see that it tries my rule but somehow doesn't match -- what have I 
done wrong?

Trying rule: 18105 - Windows audit failure event.
*Rule 18105 matched.
*Trying child rules.
 Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
 Trying rule: 14 -  Ignore firewall dropped packets for broadcast address
 Trying rule: 18153 - Multiple Windows audit failure events.
 Trying rule: 18106 - Windows Logon Failure.
 Trying rule: 18139 - Windows DC Logon Failure.
 Trying rule: 18180 - MS SQL Server Logon Failure.
 Trying rule: 18108 - Failed attempt to perform a privileged operation.
 **Phase 3: Completed filtering (rules).
Rule id: '18105'
Level: '4'
Description: 'Windows audit failure event.'
 **Alert to be generated.




[ossec-list] NTFS Alternative data stream false positives under Windows 10 using OSSEC rootkit detector

2017-07-03 Thread Ian Brown
It looks like the rootkit detector is going nuts over alternative data 
streams that Windows is creating by default.  See: 
https://superuser.com/questions/1199464/alternate-data-stream-win32app-1-attached-to-a-large-number-of-folders

Apparently in Windows 10 the "Storage Service" is creating these streams.

Is it possible to modify the rootkit detector to ignore alternative data 
streams named "Win32App_1" that have no data?



[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Fredrik Hilmersson
What happens if you change  using 192.168.1.255?

Den måndag 3 juli 2017 kl. 14:29:48 UTC+2 skrev Ian Brown:
>
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
> Windows Filtering Platform blocked a packet. Application Information: 
> Process ID: 0 Application Name: - Network Information: Direction: %%14592 
> Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
> 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
> Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>
> I'd like to ignore entries that contain the broadcast address 
> 192.168.1.255.
>
> If I fire up "ossec-logtest -v" and feed that log line into the app, I see 
> that it matches against the sid 18105:
>
> Trying rule: 18105 - Windows audit failure event.
>>*Rule 18105 matched.
>>*Trying child rules.
>> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>> Trying rule: 18153 - Multiple Windows audit failure events.
>> Trying rule: 18106 - Windows Logon Failure.
>> Trying rule: 18139 - Windows DC Logon Failure.
>> Trying rule: 18180 - MS SQL Server Logon Failure.
>> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>> **Phase 3: Completed filtering (rules).
>>Rule id: '18105'
>>Level: '4'
>>Description: 'Windows audit failure event.'
>> **Alert to be generated.
>
>
> So I've added this rule to my local_rules.xml file:
>
>   
>> 18105
>> 192.168.1.255
>>  Ignore firewall dropped packets for broadcast 
>> address
>>   
>
>
> However, after restarting the ossec-hids-server and re-run "ossec-logtest 
> -v", I see that it tries my rule but somehow doesn't match -- what have I 
> done wrong?
>
> Trying rule: 18105 - Windows audit failure event.
>>*Rule 18105 matched.
>>*Trying child rules.
>> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>> Trying rule: 14 -  Ignore firewall dropped packets for broadcast 
>> address
>> Trying rule: 18153 - Multiple Windows audit failure events.
>> Trying rule: 18106 - Windows Logon Failure.
>> Trying rule: 18139 - Windows DC Logon Failure.
>> Trying rule: 18180 - MS SQL Server Logon Failure.
>> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>> **Phase 3: Completed filtering (rules).
>>Rule id: '18105'
>>Level: '4'
>>Description: 'Windows audit failure event.'
>> **Alert to be generated.
>
>
>



Re: [ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-03 Thread Victor Fernandez
Hi,

It is strange that the log indicates line 147 when it was not able to read
the file. Maybe the agent.conf file is not arriving at the agent, or it is
being discarded due to a checksum error.

First, please remove the file *merged.mg* from the *shared* folder on both
the agent and the manager. Then enable debug logging in order to find out
where the problem is.

   - On the manager:

/var/ossec/bin/ossec-control enable debug
/var/ossec/bin/ossec-control restart



   - On the agent, add this line to file *local_internal_options.conf*:

windows.debug=1


and restart the agent. When it gets connected, the manager should log a
message like:

ossec-remoted: Sending file 'merged.mg' to agent.


and that file should appear immediately in the agent's *shared* folder.
After a few seconds, when the file is completely delivered, it should be
unmerged into every file that exists in the manager's shared folder.

A common issue is that the file doesn't arrive properly (e.g. some packets
were lost or corrupted); in that case the file *merged.mg* will disappear
suddenly and the Windows agent should log:

ossec-agent: Failed md5 for: merged.mg -- deleting.


In this case, the manager will retry sending the file every 10 minutes.

But as I mentioned before, an error message about reading a file that
indicates a line other than 0 makes no sense. However, I hope this helps
you.

Best regards.



On Mon, Jul 3, 2017 at 11:44 AM, Jesus Linares  wrote:

> Hi
>
> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf':
>> XMLERR: File 'shared/agent.conf' not found. (line 147).
>
>
> what is in the line 147?.
>
> More information about the agent.conf and the process to synchronize it:
> https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
>
> I hope it helps.
> Regards.
>
> On Sunday, July 2, 2017 at 3:30:07 AM UTC+2, Ricardo Galossi wrote:
>>
>> Hi guys,
>>
>> I'd like to ask for some help here..
>>
>> My windows agents are not synchronizing shared/agent.conf,
>> within C:\Program Files (x86)\ossec-agent\shared directory there is no
>> agent.conf even after restarting windows agent. My agent.conf is below:
>>
>> 
>> 
>> C:\labtest> rectories>
>> 
>> 
>>
>> In the agent log file I receive the following message:
>>
>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf':
>> XMLERR: File 'shared/agent.conf' not found. (line 147).
>>
>> If I create the file agent.conf manually the configuration works (what
>> proof that the configuration is ok), but also doesn't synchronize if i try
>> to change it.
>>
>> Am I making some mistake? Please, help me!!
>>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.



[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
No effect.  I tried dstip too, but I don't think either of those tags 
contain data due to the decoder used?


  windows
  ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: 

  ^\.+: (\w+)\((\d+)\): (\.+): 
  (\.+): \.+: (\S+): 
  status, id, extra_data, user, system_name
  name, location, user, system_name


This means the only tags that contain data are status, id, extra_data, user, 
and system_name, right?

Is there a way to dump the data that my rule would have processed? Is the 
decoder stripping what I'm trying to search for?

On Monday, July 3, 2017 at 5:43:39 AM UTC-7, Fredrik Hilmersson wrote:
>
> What happens if you change  using 192.168.1.255?
>
>>
>>



[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
I believe I've figured it out -- I think the decoder isn't matching the 
full log string and is thus stripping the ip address information.  Also 
after looking at the regex in the decoder, I've discovered that it doesn't 
even match against the first three example strings provided:

Here's an example from the comments (After prematch):
Security: AUDIT_FAILURE(0x02A9): Security: SYSTEM: NT AUTHORITY: The 
logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from 
workstation: la failed. The error code was: 3221225572

yet, the regex is:
^\.+: (\w+)\((\d+)\): (\.+): 

The second (\d+) will only match against numbers, so (0x02A9) will 
never match.  It should be ([0-9A-Fx]+)

Also, why is it escaping the period at the beginning and at the end? 
 shouldn't the regex be:
^.+: (\w+)\((\d+)\): (.+):



[ossec-list] What is the best method to augment an existing decoder?

2017-07-03 Thread Ian Brown
There is a decoder that isn't quite handling some log entries the way I 
need. I want to augment an existing decoder, but apparently I'm not doing 
this correctly.
Here's an example log entry:
2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: The 
Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 1.2.3.4 Source Port: 143 Destination Address: 5.6.7.8 
Destination Port: 2619 Protocol: 6 Filter Information: Filter Run-Time ID: 
93069 Layer Name: %%14597 Layer Run-Time ID: 13

Using this as a guide:
http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html

I've created a new decoder that inherits from this existing one:


  windows
  ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: 

  ^\.+: (\w+)\((\d+)\): (\.+): 
  (\.+): \.+: (\S+): 
  status, id, extra_data, user, system_name
  name, location, user, system_name


I've tried a number of different versions of this -- below was my last 
attempt:


  windows
  The Windows Filtering Platform
  ^\.+: (\w+)\((\d+)\): (\.+): 
  (\.+): \.+: (\S+): Thee Windows Filtering Platform
  Source Address: (\S+) Source Port: (\d+) Destination Address: 
(\S+) Destination Port: (\d+)
  status, id, extra_data, user, system_name, srcip, srcport, dstip, 
dstport


All I'm trying to do is match for the source and destination information 
that's in these particular log entries.  However, when I added my decoder, 
it "took over" for all the windows decoder matches instead of just for the 
log entries I was hoping to match against -- any log entry that contained 
"The Windows Filtering Platform."

On top of that, my decoder's regex doesn't seem to be matching any of the 
fields -- phase 2 just states:

**Phase 2: Completed decoding.
   decoder: 'windows'

instead of at least:
**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'AUDIT_FAILURE'
   id: '5152'
   extra_data: 'Microsoft-Windows-Security-Auditing'
   dstuser: '(no user)'
   system_name: 'workstation'

How far off the rails am I in achieving the solution I'm looking for?



[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Tunguyen
I've checked the ossec.conf on server side and agent side, those are all 
the same as yours
Here is the agent side:
  
20,40,60
  

And the server side is the same as above, except that I add 
 like this:

   firewall-drop 
   all 
   100101 
   600 
  20,40,60


But the response still doesn't work. 
Hmm active-response used to work well, but after a day without changing 
anything, it doesn't work anymore :(

On Monday, July 3, 2017 at 5:20:35 PM UTC+7, Fredrik Hilmersson wrote:
>
> Sorry for the 'spam' hehe, just checked my configuration once more and the 
> active response section you refer to is that the original response setting? 
> Make sure to have the following within your ossec.conf (server side):
>
> 
>
> 
>
> firewall-drop
>
>  all
>
>  6
>
>  600
>
>  30,60,120,240,480
>
> 
>
> 
>
>  firewall-drop
>
>  all
>
>  100101
>
> 
>
>
>
>
> On Monday, 3 July 2017 at 12:15:08 UTC+2, Fredrik Hilmersson wrote:
>>
>> ossec.conf on the AGENT side, forgot to mention!
>>
>> On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote:
>>>
>>> Hey, I had a similar issue with the active response not working as 
>>> intended. The way I solved it was to add the following to the ossec.conf 
>>>
>>> 
>>>
>>>  
>>>
>>>ossec-server
>>>
>>>  
>>>
>>> 
>>>
>>>  30,60,120,240,480
>>>
>>> 
>>>
>>> 
>>>
>>>  no
>>>
>>> 
>>>
>>> kind regards,
>>> Fredrik
>>>
>>> On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:

 My rule fired, i received alert emails too. But active-response doesn't 
 work. 

 Here is my active-response config in ossec.conf:

 
 firewall-drop
 all
 100101
 600
 

 Here is my email alert:

 Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 
 fired (level 9) -> “Multiple access in a short time from same IP” Portion 
 of the log(s):

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:27 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:26 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:25 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:24 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36” 

 118.70.116.148 – tu_nguyen [03/Jul/2017:16:46:23 +0700] “GET / 
 HTTP/1.1” 200 396 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36”


 After receiving this alert message, my IP hasn't been blocked and I 
 still can send bunch of requests to the server. And when i checked 
 /var/ossec/logs/active-responses.log, it was empty. No IP has been block. 
 Can someone explain please?

>>>
