Re: [ossec-list] Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Fri, Mar 13, 2020 at 2:28 PM Olivier Ragain wrote:
>
> Hi,
> I've created a custom decoder:
> 
> ^sshd
> 
>
> 
> sshd-custom
> ^Bad protocol version
> ^\S+ from (\S+) port (\S+)$
> srcip,srcport
> 
>
> When I restart the engine to load it, I end up with the following error:
> 2020/03/13 18:21:54 ossec-testrule: INFO: Reading decoder file decoders/ssh_decoder.xml.
> 2020/03/13 18:21:54 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> 2020/03/13 18:21:54 ossec-testrule: INFO: Reading the lists file: 'lists/approved_scanners_list'
> 2020/03/13 18:21:54 ossec-analysisd: Invalid decoder name: 'pam'.
> 2020/03/13 18:21:54 ossec-testrule(1220): ERROR: Error loading the rules: 'pam_rules.xml'.
>
> Where is the error in my decoder?
>

I don't receive an error when I add the decoders to local_decoders.xml.
Which version of OSSEC are you using?

> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/9e0d792c-1b50-43fb-86e9-71d229dd17bd%40googlegroups.com.



[ossec-list] Re: Custom decoder failing to load

2020-03-16 Thread Olivier Ragain
Hi,
So, I've created the local_decoder.xml file in the etc folder and put my 
decoder code in it and it is working. I am using version 3.6.0
Thanks



[ossec-list] Re: Custom decoder failing to load

2020-03-16 Thread Olivier Ragain
Hi,
So now the question is, why does it not work when I use:
decoders configuration in the ossec.conf file?
I see that it is loading the file from the logs, but it fails to log the
decoder information itself and then OSSEC won't start.
Can anyone explain how to use the decoder_dir configuration element?
I want to put all custom rules / decoders / lists in their own folder so
that when updates happen, I don't get wiped or impacted for some update
reasons.
Thanks



Re: [ossec-list] Re: Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain wrote:
>
> Hi,
> So now the question is, why does it not work when I use:
> decoders configuration in the ossec.conf file? I
> see that it is loading the file from the logs, but it fails to log the
> decoder information itself and then OSSEC won't start.
> Can anyone explain how to use the decoder_dir configuration element?
> I want to put all custom rules / decoders / lists in their own folder so that
> when updates happen, I don't get wiped or impacted for some update reasons.
> Thanks
>

Can you provide the configuration you tried?
I haven't used decoder_dir in a while, but it always worked in the past for me.



Re: [ossec-list] Re: Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 8:43 AM dan (ddp) wrote:
>
> On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain wrote:
> >
> > Hi,
> > So now the question is, why does it not work when I use:
> > decoders configuration in the ossec.conf file?
> > I see that it is loading the file from the logs, but it fails to log the
> > decoder information itself and then OSSEC won't start.
> > Can anyone explain how to use the decoder_dir configuration element?
> > I want to put all custom rules / decoders / lists in their own folder so
> > that when updates happen, I don't get wiped or impacted for some update
> > reasons.
> > Thanks
> >
>
> Can you provide the configuration you tried?
> I haven't used decoder_dir in a while, but it always worked in the past for 
> me.
>

Using this allowed `ossec-logtest -t` to work for me:
  
etc/decoder.xml
etc/local_decoder.xml
etc/decoders.d

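As an added example (not code from this thread or from OSSEC itself), a small Python pre-flight check that walks decoder files and then rule files in the order ossec.conf would load them and reports the two failure modes visible in the posted log: a decoder whose parent was never loaded, and a rule whose decoded_as names a decoder that did not load. The sample decoder and rule strings are constructed; the XML tags wrapped around the posted decoder are an assumption, as is the rule that each capture group in a regex needs a field in order.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the decoder posted in the thread, with its XML tags
# restored as an assumption, plus a rule that names a decoder that is never loaded.
SAMPLE_DECODERS = r"""
<decoder name="sshd"><prematch>^sshd</prematch></decoder>
<decoder name="sshd-custom"><parent>sshd</parent>
  <prematch>^Bad protocol version</prematch>
  <regex>^\S+ from (\S+) port (\S+)$</regex><order>srcip,srcport</order>
</decoder>
"""
SAMPLE_RULES = r"""
<group name="pam"><rule id="100010" level="3"><decoded_as>pam</decoded_as></rule></group>
"""
# An unescaped "(" opens a capture group in an OSSEC regex; "\(" is a literal.
CAPTURE_GROUP = re.compile(r"(?<!\\)\(")


def parse_decoders(xml_text):
    """Yield the <decoder> elements of one decoder file as plain dicts."""
    # Decoder files are several top-level <decoder> elements with no root; wrap them.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for d in root.iter("decoder"):
        yield {"name": d.get("name"),
               "parent": (d.findtext("parent") or "").strip() or None,
               "regex": d.findtext("regex"),
               "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()]}


def lint(decoder_files, rule_files):
    """Walk decoder files, then rule files, in load order; return the problems found."""
    problems, loaded = [], set()
    for text in decoder_files:
        for d in parse_decoders(text):
            # A <parent> must already be loaded by an earlier file or entry.
            if d["parent"] and d["parent"] not in loaded:
                problems.append(f"{d['name']}: parent '{d['parent']}' not loaded yet")
            # Every capture group in <regex> needs a field name in <order>.
            if d["regex"] and d["order"]:
                groups = len(CAPTURE_GROUP.findall(d["regex"]))
                if groups != len(d["order"]):
                    problems.append(f"{d['name']}: {groups} capture groups but {len(d['order'])} order fields")
            loaded.add(d["name"])
    for text in rule_files:
        root = ET.fromstring("<root>" + text + "</root>")
        for r in root.iter("rule"):
            ref = (r.findtext("decoded_as") or "").strip()
            if ref and ref not in loaded:  # the 'Invalid decoder name' case from the log
                problems.append(f"rule {r.get('id')}: Invalid decoder name: '{ref}'")
    return problems
```

Run it over the files named in your decoder and decoder_dir entries (in that order) plus the rules files; an empty list means the cross-check passed.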


[ossec-list] Host-based anomaly detection event (rootcheck)

2020-03-16 Thread llehirgen
I use dokku in a Ubuntu 18.04 LTS machine.
I received the following alerts concerning files hidden in a long list of 
directories:

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'. Link count does not match number of files (26,1).

Then again:
Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'. Link count does not match number of files (2,1).

And so on for a list of 104 directories, like '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin' or '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin' etc etc

How am I expected to interpret these alerts? What am I expected to do?




Re: [ossec-list] Host-based anomaly detection event (rootcheck)

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 12:33 PM llehirgen  wrote:
>
> I use dokku in a Ubuntu 18.04 LTS machine.
> I received the following alerts concerning files hidden in a long list of 
> directories:
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Files hidden inside directory 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'.
>  Link count does not match number of files (26,1).
>
> Then again:
> Files hidden inside directory 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'.
>  Link count does not match number of files (2,1).
>
> And so on for a list of 104 directories, like 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin'
>  or 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin'
>  etc etc
>
> How am I expected to interpret these alerts? What am I expected to do?
>

rootcheck doesn't understand overlay filesystem stuff yet. There is at
least 1 issue open on the topic (at
https://github.com/ossec/ossec-hids/issues).


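An added example, not from the thread or from the rootcheck source: a Python triage helper that reproduces the link-count rule behind the "Files hidden inside directory" message as I understand it (a directory's st_nlink should equal 2 plus its number of subdirectories, which matches the (26,1) and (2,1) pairs above) and separates a real mismatch from a filesystem such as overlayfs that reports st_nlink 1 for every directory. The temporary tree it builds is constructed sample input.

```python
import os
import tempfile


def directory_link_count(path):
    """Return (expected, actual) for one directory, rootcheck style.

    'expected' is the classic UNIX directory link count: one link for ".",
    one for "..", and one for each subdirectory's ".." entry. 'actual' is
    what the filesystem reports in st_nlink.
    """
    expected = 2
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                expected += 1
    return expected, os.lstat(path).st_nlink


def classify(expected, actual):
    """Triage verdict for an (expected, actual) pair such as the (26,1) in the alert."""
    if expected == actual:
        return "ok"
    if actual == 1:
        # overlayfs (Docker overlay2 'merged' trees), btrfs and similar report
        # st_nlink == 1 for every directory, so the comparison says nothing there.
        return "link-count-not-tracked"
    return "mismatch"  # the condition rootcheck reports as files hidden inside a directory


def triage(path):
    return classify(*directory_link_count(path))


def demo():
    """Constructed sample tree: three subdirectories and one regular file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("man1", "man5", "man8"):
            os.mkdir(os.path.join(tmp, name))
        with open(os.path.join(tmp, "index.db"), "w"):
            pass
        expected, actual = directory_link_count(tmp)
        # On ext4 or tmpfs expected == actual == 5; inside a container whose
        # /tmp is overlayfs, actual is 1 and the verdict is link-count-not-tracked.
        return expected, classify(expected, actual)
```

Running triage() over the 104 paths from the alert separates directories that deserve a closer look from those where the filesystem simply does not maintain directory link counts.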