[ossec-list] PSAD rule include error

2018-08-30 Thread Fredrik Hilmersson
Hello,

The ruleset psad_rules.xml which is included in the 3.0.0 version is not by 
default included in the ossec.conf file. When I add the include: 
psad_rules.xml within the  I get the following error:

ossec-testrule: INFO: Reading local decoder file.
rules_list: Category '1' not found. Invalid 'category'.

It works by adding the rules to local_rules.xml, so that's no issue, but 
for convenience and also to learn if I've done something incorrect I would 
appreciate some help with the above issue.

Kind regards,
Fredrik

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] E-mail alert for login

2018-08-30 Thread dan (ddp)
On Wed, Aug 22, 2018 at 6:32 AM Dzenis Aslani  wrote:
>
> Thanks Dan, issue is solved :). Any idea why OSSEC can't be installed through 
> APT in Ubuntu? I tried both manually and automatically and I got the same error 
> "unable to correct problems you have held broken packages"
>

No clue, I don't deal with the packages.




Re: [ossec-list] Windows Active Response not firing

2018-08-30 Thread dan (ddp)
On Wed, Aug 22, 2018 at 8:35 PM  wrote:
>
> Hello,
>
> I am trying a very basic active response which would terminate a powershell 
> process when it is created on a host (Windows 10) machine.
>
> I have a standalone SO configuration, with 3 OSSEC agents (V2.9) connected, 
> all Windows machines.
>
> I have verified that the script shutdown_powershell.cmd works, independent of 
> OSSEC active response.
>
> My ossec.conf file looks like this:
>
> 
>  shutdown_powershell
>  shutdown_powershell.cmd
>  
> 
>
> 
>  shutdown_powershell
>  100051
>  defined-agent
>  003
> 
>
> I have verified that my rule 100051 (powershell_process_creation) works, it 
> populates in Sguil every time I open Powershell on any agent. I have 
> restarted OSSEC on my server and agent several times and opening Powershell 
> on agent 003.
>
> I have followed the tutorial at 
> https://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-custom.html and 
> everything works to a T.
> Problem is when I run this on the manager:
> ./agent_control -b 2.2.3.3 -f win_nullroute600 -u 003
> ...the active-response.log file on the agent is generating these kinds of 
> feedback:
> Wed 08/22/2018 16:56:19.28 C:\Program Files 
> (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" 
> add "-" "2.2.3.3"
> (This makes me think the file path used by active-response is corrupted)
>
> Whereas when I run:
> ./agent_control -b 2.3.2.3 -f shutdown_powershell0 -u 003
> ...the command does not appear in the log at all. Changing the script code 
> and adding "srcip" in the manager's ossec.conf file does not fix this 
> problem. We have also determined file permissions to not be a problem.
>

Does your script log to that file?
I don't mess with the Windows stuff much, so not sure how helpful I'll
actually be.

> Could you give some pointers to this problem?
>
> Thanks,
>
> Clark
>



Re: [ossec-list] OSSEC Upgrade to 3.0.0

2018-08-30 Thread dan (ddp)
On Wed, Aug 29, 2018 at 6:06 AM Chris  wrote:
>
> Hi,
>
> I have upgraded OSSEC from 2.8.3 to 3.0.0 on my Ubuntu server, using the 
> install.sh from the expanded tar.gz. From what I can see this was successful 
> in running the upgrade, but as this was not an upgrade using the repo, as 
> version 3.0.0 isn't available on it. I cannot see how to get the current 
> version number as I will need this for evidence.
>
> dpkg -l shows the old version
> manage_agents -V shows 2.9.0??
>

Running one of the binaries with `-V` should give a version.
Unfortunately that doesn't always get bumped properly...

> Thanks
>
> Chris
>



Re: [ossec-list] PSAD rule include error

2018-08-30 Thread dan (ddp)
On Thu, Aug 30, 2018 at 4:11 AM Fredrik Hilmersson
 wrote:
>
> Hello,
>
> The ruleset psad_rules.xml which is included in the 3.0.0 version is not by 
> default included in the ossec.conf file. When I add the include: 
> psad_rules.xml within the  I get the following error:
>
> ossec-testrule: INFO: Reading local decoder file.
> rules_list: Category '1' not found. Invalid 'category'.
>
> It works by adding the rules to local_rules.xml, so that's no issue, but for 
> convenience and also to learn if I've done something incorrect I would 
> appreciate some help with the above issue.
>

I'm not having any issues.
  
  
rules_config.xml
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
arpwatch_rules.xml
symantec-av_rules.xml
symantec-ws_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
ms_ftpd_rules.xml
ftpd_rules.xml
hordeimp_rules.xml
roundcube_rules.xml
wordpress_rules.xml
cimserver_rules.xml
vpopmail_rules.xml
vmpop3d_rules.xml
courier_rules.xml
web_rules.xml
web_appsec_rules.xml
apache_rules.xml
nginx_rules.xml
php_rules.xml
mysql_rules.xml
postgresql_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
apparmor_rules.xml
cisco-ios_rules.xml
netscreenfw_rules.xml
sonicwall_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
mailscanner_rules.xml
dovecot_rules.xml
ms-exchange_rules.xml
racoon_rules.xml
vpn_concentrator_rules.xml
spamd_rules.xml
msauth_rules.xml
mcafee_av_rules.xml
trend-osce_rules.xml
ms-se_rules.xml

zeus_rules.xml
solaris_bsm_rules.xml
vmware_rules.xml
ms_dhcp_rules.xml
asterisk_rules.xml
ossec_rules.xml
attack_rules.xml
openbsd_rules.xml
clam_av_rules.xml
dropbear_rules.xml
sysmon_rules.xml
opensmtpd_rules.xml
exim_rules.xml
openbsd-dhcpd_rules.xml
dnsmasq_rules.xml
psad_rules.xml 
local_rules.xml

  

[root@rossak ossec]# /var/ossec/bin/ossec-logtest -t
2018/08/30 07:18:54 ossec-testrule: INFO: Reading local decoder file.
[root@rossak ossec]#


> Kind regards,
> Fredrik
>



Re: [ossec-list] OSSEC Upgrade to 3.0.0

2018-08-30 Thread Chris
I found today that running ossec-control (any option) displays the version 
number at the top.

I have also been on to Wazuh about getting their public repo updated with 
version 3.0.0 to eliminate this issue.

On Thursday, 30 August 2018 12:14:34 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Aug 29, 2018 at 6:06 AM Chris  > wrote: 
> > 
> > Hi, 
> > 
> > I have upgraded OSSEC from 2.8.3 to 3.0.0 on my Ubuntu server, using the 
> install.sh from the expanded tar.gz. From what I can see this was 
> successful in running the upgrade, but as this was not an upgrade using the 
> repo, as version 3.0.0 isn't available on it. I cannot see how to get the 
> current version number as I will need this for evidence. 
> > 
> > dpkg -l shows the old version 
> > manage_agents -V shows 2.9.0?? 
> > 
>
> Running one of the binaries with `-V` should give a version. 
> Unfortunately that doesn't always get bumped properly... 
>
> > Thanks 
> > 
> > Chris 
> > 



[ossec-list] Getting emails for level 2 alerts

2018-08-30 Thread SternData
I get a lot of emails for level 2 alerts, though I'm set for 7 as the cutoff

etc/ossec.conf:7

Ideas?

-- 
-- Steve



Re: [ossec-list] Getting emails for level 2 alerts

2018-08-30 Thread dan (ddp)
On Thu, Aug 30, 2018 at 1:05 PM SternData
 wrote:
>
> I get a lot of emails for level 2 alerts, though I'm set for 7 as the cutoff
>
> etc/ossec.conf:7
>
> Ideas?
>

Do these rules have the email option set in the rule definition?

> --
> -- Steve
>

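Dan's question points at the usual cause: a rule's own `<options>` can force an email regardless of the global `email_alert_level`. The following is an added example, not code from the thread or from OSSEC itself; it assumes OSSEC's documented rule options `alert_by_email` (always email) and `no_email_alert` (never email), and scans a constructed rule file for low-level rules that would still be mailed.

```python
"""Find OSSEC rules that would be emailed despite sitting below email_alert_level."""
import xml.etree.ElementTree as ET

# Constructed sample rule file in OSSEC rule-file format (not from the original thread).
SAMPLE_RULES = """
<group name="syslog,">
  <rule id="100200" level="2">
    <match>session opened</match>
    <description>PAM session opened</description>
    <options>alert_by_email</options>
  </rule>
  <rule id="100201" level="2">
    <match>session closed</match>
    <description>PAM session closed</description>
  </rule>
  <rule id="100202" level="8">
    <match>authentication failure</match>
    <description>Authentication failure</description>
    <options>no_email_alert</options>
  </rule>
</group>
"""


def parse_rules(xml_text):
    # Rule files may hold several top-level <group> elements, so wrap them in one root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for rule in root.iter("rule"):
        opts = [o.text.strip() for o in rule.findall("options") if o.text]
        rules.append({"id": rule.get("id"), "level": int(rule.get("level", "0")), "options": opts})
    return rules


def will_email(rule, email_alert_level):
    """True if an alert from this rule is mailed.
    Assumed OSSEC behaviour: no_email_alert suppresses mail even above the threshold,
    alert_by_email forces mail even below it; otherwise the global level decides."""
    if "no_email_alert" in rule["options"]:
        return False
    if "alert_by_email" in rule["options"]:
        return True
    return rule["level"] >= email_alert_level


def below_threshold_emailers(xml_text, email_alert_level):
    """IDs of rules under the threshold that still generate email: the level-2 culprits."""
    return [r["id"] for r in parse_rules(xml_text)
            if r["level"] < email_alert_level and will_email(r, email_alert_level)]


if __name__ == "__main__":
    print("rules emailing below level 7:", below_threshold_emailers(SAMPLE_RULES, 7))
```

Point it at the real `rules/*.xml` contents (read each file and pass the text) to list which rule definitions override the threshold from ossec.conf.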


[ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'. On Solaris 10

2018-08-30 Thread Rob Shinn

On Wednesday, February 26, 2014 at 1:04:14 PM UTC-5, OsO Roñoso wrote:
>
> root@lenga # ls -las
> total 4
>2 drwxrwx---   2 root root 512 Feb 26 14:31 .
>2 dr-xr-x---   7 root root 512 Feb 25 18:26 ..
>0 -rw-r--r--   1 root root   0 Feb 25 18:34 .agent_info 
> < I changed owner for ossec and root, same problem
>0 srw-rw   1 ossecossec  0 Feb 25 18:34 queue
>

Four years too late, but, in case someone else needs to find the answer, 
what fixed it for me was that /var/ossec/queue/rids didn't seem to exist. 
Creating it with an ownership of ossec:ossec and 750 permissions did the 
trick.
