Re: [ossec-list] separate notifications
On 29.06.2016 at 20:30, dan (ddp) wrote:
> On Wed, Jun 29, 2016 at 1:59 PM, Andreas Piesk <a.pi...@gmx.net> wrote:
>> Hello list, is it possible to use OSSEC as FIM to check system files and application files with separate notifications? Changed system files should be reported to email address 1, changed application files to email address 2. Any ideas are appreciated.
> You can probably create child rules to alert on system files, and then use the granular email options to send those alerts to a different email. A lot of it would probably revolve around how you define system vs application files.

I define it by location: /etc, /usr/, etc. belongs to system, /app would be application.

I tried something like that:

    syscheck /etc System object has changed! syscheck_system
    syscheck /app App object has changed! syscheck_app1
    ma...@foo.bar syscheck_system
    ma...@foo.bar syscheck_app1

But it doesn't seem to work, i don't get any alerts, hmmpf.

Regards.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] separate notifications
Hello list,

is it possible to use OSSEC as FIM to check system files and application files with separate notifications? Changed system files should be reported to email address 1, changed application files to email address 2. Any ideas are appreciated.

Best regards
Re: [ossec-list] Problems with ossec-maild
On 22.03.2012 18:47, MDACC-Luckie wrote:
> I ran the following based on a previous email thread I saw and have attached the results. Please let me know if anyone has ideas on why it is happening:

not quite sure. do you know how to reproduce it? i tried but wasn't able to.

please set a breakpoint at os_maild_client.c:94:

    snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT,

and print out the contents of mail and al_data.

regards,
-ap
Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd
On 20.03.2012 20:52, Steve Lodin wrote:
> I've had this patch running for the past two days and all indications are this eliminated the memory leak in read-alert.c that affects ossec-csyslogd.

good to hear. committed the patch in my fork https://bitbucket.org/pieska/ossec-hids along with another memleak fix. you're welcome to try my fork (it contains only bugfixes).

regards,
-ap
Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd
On 05.03.2012 19:28, Steve Lodin wrote:
> I've got valgrind running on both binaries and it looks like there might be some interesting leak results. Any suggestions on how to get this fixed? Sorry, relative newbie to OSSEC and I'm not sure how to get this into the bug fix process.

while fixing memleaks in other ossec parts i took a look at your issue and uploaded a patch (ossec-memleaks.patch) to bitbucket. please let me know if the patch fixes your problem.

regards,
-ap
Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd
On 05.03.2012 19:28, Steve Lodin wrote:
> I've got valgrind running on both binaries and it looks like there might be some interesting leak results. Any suggestions on how to get this fixed? Sorry, relative newbie to OSSEC and I'm not sure how to get this into the bug fix process.

you could open an issue at bitbucket (https://bitbucket.org/dcid/ossec-hids/) and upload your findings there, so others can take a look, verify and hopefully fix some leaks. or you post your findings with an explanation how you got them on the mailing list. but if the data is multi-megabytes in size, bitbucket is the better choice.

regards,
-ap
Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd
On 02.03.2012 22:17, Steve wrote:
> Thanks for any suggestions or help!

you could use valgrind (http://valgrind.org) to report memleaks, for instance

    valgrind binary args

or more detailed

    valgrind --leak-check=yes binary args

regards,
-ap
Re: [ossec-list] Segfaults with overwrite
On 04.02.2012 10:01, Oliver Müller wrote:
> I definitely get a segfault though and I clear out my local rules. There was nothing in there except of this group with one rule. Is it an Ubuntu problem then?

i would say, yes. maybe a backtrace of the core dump (compiled with debug info) gives a hint where exactly the segfault occurs.

regards,
-ap
Re: [ossec-list] Segfaults with overwrite
On 03.02.2012 16:09, Oliver Müller wrote:
> You have to paste in this as ONE line (ends with /myapp/):
>
>     [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

that's what i did. testing the above line up to /myapp/ doesn't produce a segfault on my system.

regards,
-ap
Re: [ossec-list] Segfaults with overwrite
On 02.02.2012 10:06, Oliver Mueller wrote:
> If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):
> ..
> Is there any update planned to ossec soon?

works for me (RHEL 5.7 64bit):

    $ /var/ossec/bin/ossec-logtest -V
    OSSEC HIDS v2.6 - Trend Micro Inc.

    $ /var/ossec/bin/ossec-logtest
    ossec-testrule: Type one log per line.

    [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

    **Phase 1: Completed pre-decoding.
           full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
           hostname: 'myhost'
           program_name: '(null)'
           log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'

    **Phase 2: Completed decoding.
           decoder: 'apache-errorlog'
           srcip: '192.168.0.123'

    **Phase 3: Completed filtering (rules).
           Rule id: '30109'
           Level: '9'
           Description: 'Attempt to login using a non-existent user.'
    **Alert to be generated.

Regards,
-ap
Re: [ossec-list] Re: Latest ossec builds not building
On 08.12.2011 15:12, Peter M Abraham wrote:
> 2. How do I install inotify?

on Centos5 the header files are in package kernel-headers:

    # yum provides /usr/include/linux/inotify.h
    kernel-headers-2.6.18-274.12.1.el5.x86_64 : Header files for the Linux kernel for use by glibc
    Repo: installed
    Matched from:
    Other : Provides-match: /usr/include/linux/inotify.h

regards,
-ap
Re: [ossec-list] split decoder.xml into separate files
On 06.12.2011 23:01, dan (ddp) wrote:
> There are no specific plans to do it, but it's been thought about.

what can i do to push it in the right (separate decoder files) direction? create a hg clone, do the work and hope it gets merged?

regards,
-ap
Re: [ossec-list] Multiple cores?
On 07.12.2011 15:25, Kat wrote:
> Just wondering if there is any trick either at build time or runtime to convince ossec-analysisd to use more than a single core in a large CPU rich system. I have 8 cores and no matter what it just doesn't want to use more than one. I guess I could look at the code, not sure if it is able to use more than one.

from what i saw the code is very much single-threaded. you could set up multiple ossec to spread the load but i wonder, do you have performance problems cpu-wise? if yes, do you have some figures (message rate, number of rules, etc.)?

regards,
-ap
Re: [ossec-list] Rule 553 syscheck_deleted failing
On 07.12.2011 21:41, Nick Green wrote:
> Is anyone having trouble with getting alerts to fire on deletion of a file?

same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does. i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?

regards,
-ap
[ossec-list] split decoder.xml into separate files
Hello,

i'm currently building a rpm package and decided to use etc/rules.d/ and etc/decoders.d/ as locations for rules and decoders. are there plans to split up decoder.xml into one file per decoder as well? i think it would be a good idea because then you would have the choice of using separate files or a single combined file which could be created by 'cat *_decoder.xml decoder.xml'.

regards,
-ap
Re: [ossec-list] Re: Latest ossec builds not building
On 06.12.2011 22:17, Peter M Abraham wrote:
> run_realtime.c:40:25: sys/inotify.h: No such file or directory

are the inotify header files installed on that machine?

regards,
-ap
Re: [ossec-list] check for missing messages
On 28.11.2011 21:01, dan (ddp) wrote:
> There isn't really a way at the moment. It's a problem I'm interested in, and I'm slowly coming up with a plan. I'm open to ideas if anyone has a good one.

may not be a good one, but i'm thinking of something like:

    <rule id="1" level="7">
      <if_sid>...</if_sid>
      <match>something</match>
      <description>something found</description>
    </rule>

    <rule id="2" level="5" frequency="1" timeframe="300" frequency_interval="60">
      <reset_if_matched_sid>1</reset_if_matched_sid>
      <same_source_ip/>
      <description>something missed for the last 300s</description>
    </rule>

frequency of rule 2 will be increased every frequency_interval seconds by 1. if it has frequency hits in timeframe seconds, it will fire. rule 1 is a standard rule and will reset frequency of the specified rule if it fires. reset_if_matched_sid is just an example, there should also be reset_if_matched_group, etc.

i don't know if OSSEC already has an internal timer routine which could be used for incrementing frequency based on frequency_interval, i admit, i haven't looked at the code in detail yet. but maybe the whole idea is stupid and has flaws i'm not aware of.

aside from that: is there a reason why frequency must actually be +2 to fire (frequency = 2 requires 4 hits)? the lowest possible value is 1 which means the rule needs 3 hits to fire, what if i want only 2 hits?

regards,
-ap
[ossec-list] check for missing messages
Hello list,

i'm trying to figure out how OSSEC could check for missing messages, unsuccessful so far.

syslogd on my servers is sending MARK messages every 600s and i would like to get an alert if OSSEC hasn't seen a MARK message from a host in the last 1800s. all syslog messages are fed to OSSEC so it gets everything syslog sends. is this possible?

creating a rule set to alert if OSSEC has seen MARK messages in the last 1800s was easy but to alert if it has NOT seen these messages seems hard, at least for me :) any hints? maybe i'm missing something totally obvious.

regards,
-ap
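The two posts above (the MARK question and the reset_if_matched_sid/frequency_interval proposal in the reply) describe the same detection problem: alerting on the absence of an expected message, which a match-based rule cannot express because nothing arrives to match. The following is an added example, not code from the thread or from OSSEC, showing the shape of such a watchdog in Python: every MARK line resets a per-host timer (the "reset if rule 1 matched" part), and a periodic check reports hosts whose timer has run past the threshold (the "fire after timeframe seconds without a hit" part). The syslog lines, host names and the 2011 year used for parsing are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the thread). web1 and web2 send MARK every
# 600 s; web2 goes silent after 12:10, db1 never reports at all.
SAMPLE_LINES = [
    "Nov 28 12:00:00 web1 -- MARK --",
    "Nov 28 12:00:00 web2 -- MARK --",
    "Nov 28 12:10:00 web1 -- MARK --",
    "Nov 28 12:10:00 web2 -- MARK --",
    "Nov 28 12:20:00 web1 -- MARK --",
    "Nov 28 12:30:00 web1 -- MARK --",
    "Nov 28 12:40:00 web1 -- MARK --",
    "Nov 28 12:40:05 web1 sshd[1234]: Accepted publickey for itsme from 192.0.2.10 port 50000 ssh2",
]

# BSD syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
MARK_RE = re.compile(r"^-- MARK --$")


def parse_ts(ts, year=2011):
    """syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class MarkWatchdog:
    """Tracks the last MARK seen per host and reports hosts that went quiet."""

    def __init__(self, timeout_s=1800, expected_hosts=()):
        self.timeout = timedelta(seconds=timeout_s)
        self.expected = tuple(expected_hosts)   # hosts that must report even if never seen
        self.last_mark = {}                     # host -> datetime of the most recent MARK

    def feed(self, line):
        """Consume one syslog line; a MARK resets that host's timer. Returns the line's timestamp."""
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = parse_ts(m.group("ts"))
        if MARK_RE.match(m.group("msg")):
            self.last_mark[m.group("host")] = ts
        return ts

    def check(self, now):
        """The 'absence' alert: hosts whose last MARK is older than the timeout,
        plus expected hosts that have never sent one."""
        stale = {h for h, t in self.last_mark.items() if now - t > self.timeout}
        stale |= set(self.expected) - set(self.last_mark)
        return sorted(stale)


def run(lines, timeout_s=1800, expected_hosts=()):
    """Feed all lines, then evaluate the watchdog at the time of the last line seen."""
    wd = MarkWatchdog(timeout_s, expected_hosts)
    latest = None
    for line in lines:
        ts = wd.feed(line)
        if ts:
            latest = ts
    return wd.check(latest)


if __name__ == "__main__":
    print("silent hosts:", run(SAMPLE_LINES, expected_hosts=("web1", "web2", "db1")))
```

The check needs a clock tick that is independent of incoming events, which is exactly what the frequency_interval idea in the reply supplies; without it, a host that stops sending can only be noticed when some other event happens to trigger an evaluation. Running the check from a timer (or cron) rather than from the log stream is what makes the alert reliable.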
Re: [ossec-list] issue with file integrity check
On 26.09.2011 20:54, dan (ddp) wrote:
> On Sat, Sep 24, 2011 at 3:17 AM, Andreas Piesk a.pi...@gmx.net wrote:
>> On 24.09.2011 02:42, dan (ddp) wrote:
>>> OS? Distro? OS/Distro Version? OSSEC version?
>> sorry, forgot that vital piece of information. OS is Red Hat 5.7 64bit, OSSEC 2.6.0 (we tried both ASL RPM and compiled from sources).
>>> You should get emails about deleted files. I'm not sure why 554 is firing instead of the integrity change rule, that's kinda strange.
>> any guess what it could possibly be?
> Not really, it's working fine on a lot of CentOS boxes. What does your rule 554 look like?

OK, i fixed the problem with the strange message, my overwrite rule was wrong. but the main issue, no alerts about deleted files, remains. and this is a show stopper for me. i hoped to replace OSIRIS by OSSEC because OSIRIS is no longer active/maintained and i really like OSSEC's rule engine, but if i can't get OSSEC working properly it's no use.

i have no clue why OSSEC doesn't report deleted files. it's a standard setup, no fancy stuff, and reporting deleted files is a very basic function of a file integrity checker, IMHO. the only change i made to the default setup is

    <directories check_all="yes">/home/itsme/OSSECTEST</directories>

this is the directory i use for tests. if i put a file in it, no alert because alert_new_files is not set in the default config. if i change the file i get a proper alert. if i delete the file i get nothing.

does anybody have a setup with OSSEC on RHEL5/CentOS5 without inotify where deleted files are reported? i highly assume the answer is yes, but i have to ask. i enabled debug to get a hint but there's not much debug info.

any ideas what i could try to solve the problem because i'm stuck and out of ideas.

regards,
-ap
Re: [ossec-list] issue with file integrity check
On 24.09.2011 02:42, dan (ddp) wrote:
> OS? Distro? OS/Distro Version? OSSEC version?

sorry, forgot that vital piece of information. OS is Red Hat 5.7 64bit, OSSEC 2.6.0 (we tried both ASL RPM and compiled from sources).

> You should get emails about deleted files. I'm not sure why 554 is firing instead of the integrity change rule, that's kinda strange.

any guess what it could possibly be?

> On Tue, Sep 20, 2011 at 4:38 PM, Andreas Piesk a.pi...@gmx.net wrote:
>> Hello list,
>>
>> the file integrity checking acts a little strange on my testsystem. i enabled alert_new_files because i need to know if there are new files. the first time the scan runs it reports a new file but 'syscheck_control -i' doesn't show the file. if i delete the file and run syscheck again, i get no alert about the deleted file.
>>
>> if i run the sequence create file, syscheck, change file permissions, syscheck, delete file, syscheck i get an alert for the new file:
>>
>>     Rule: 554 fired (level 7) - File added to the system.
>>     Portion of the log(s):
>>     New file '/home/itsme/OSSECTEST/BLA' added to the file system.
>>
>> a second alert which looks wrong because the file was not added nor changed (checksum wise):
>>
>>     Rule: 554 fired (level 7) - File added to the system.
>>     Portion of the log(s):
>>     Integrity checksum changed for: '/home/itsme/OSSECTEST/BLA'
>>     Permissions changed from 'rw-r--r--' to 'rw---'
>>
>> and again no alert for the file deletion. according to syscheck the file wasn't deleted:
>>
>>     # /var/ossec/bin/syscheck_control -i 000 -f /home/itsme/OSSECTEST/BLA
>>     Integrity checking changes for local system 'server - 127.0.0.1':
>>     Detailed information for entries matching: '/home/itsme/OSSECTEST/BLA'
>>
>>     2011 Sep 20 21:17:36,0 - /home/itsme/OSSECTEST/BLA
>>     File added to the database.
>>     Integrity checking values:
>>        Size: 0
>>        Perm: rw-r--r--
>>        Uid: 500
>>        Gid: 100
>>        Md5: d41d8cd98f00b204e9800998ecf8427e
>>        Sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
>>
>>     2011 Sep 20 21:30:47,0 - /home/itsme/OSSECTEST/BLA
>>     File changed. - 1st time modified.
>>     Integrity checking values:
>>        Size: 0
>>        Perm: rw---
>>        Uid: 500
>>        Gid: 100
>>        Md5: d41d8cd98f00b204e9800998ecf8427e
>>        Sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
>>
>> does OSSEC only care about file changes or do i miss something? according to the rules it should report file deletions but it didn't on my testserver and i would like to know why. i don't use real-time monitoring.
>>
>> regards,
>> -ap
[ossec-list] issue with file integrity check
Hello list,

the file integrity checking acts a little strange on my testsystem. i enabled alert_new_files because i need to know if there are new files. the first time the scan runs it reports a new file but 'syscheck_control -i' doesn't show the file. if i delete the file and run syscheck again, i get no alert about the deleted file.

if i run the sequence create file, syscheck, change file permissions, syscheck, delete file, syscheck i get an alert for the new file:

    Rule: 554 fired (level 7) - File added to the system.
    Portion of the log(s):
    New file '/home/itsme/OSSECTEST/BLA' added to the file system.

a second alert which looks wrong because the file was not added nor changed (checksum wise):

    Rule: 554 fired (level 7) - File added to the system.
    Portion of the log(s):
    Integrity checksum changed for: '/home/itsme/OSSECTEST/BLA'
    Permissions changed from 'rw-r--r--' to 'rw---'

and again no alert for the file deletion. according to syscheck the file wasn't deleted:

    # /var/ossec/bin/syscheck_control -i 000 -f /home/itsme/OSSECTEST/BLA
    Integrity checking changes for local system 'server - 127.0.0.1':
    Detailed information for entries matching: '/home/itsme/OSSECTEST/BLA'

    2011 Sep 20 21:17:36,0 - /home/itsme/OSSECTEST/BLA
    File added to the database.
    Integrity checking values:
       Size: 0
       Perm: rw-r--r--
       Uid: 500
       Gid: 100
       Md5: d41d8cd98f00b204e9800998ecf8427e
       Sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709

    2011 Sep 20 21:30:47,0 - /home/itsme/OSSECTEST/BLA
    File changed. - 1st time modified.
    Integrity checking values:
       Size: 0
       Perm: rw---
       Uid: 500
       Gid: 100
       Md5: d41d8cd98f00b204e9800998ecf8427e
       Sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709

does OSSEC only care about file changes or do i miss something? according to the rules it should report file deletions but it didn't on my testserver and i would like to know why. i don't use real-time monitoring.

regards,
-ap
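The create / chmod / delete sequence in this thread is the basic test of any file integrity checker, and the point the poster is chasing is that a deletion can only be noticed by comparing the stored baseline against what is currently on disk: nothing about a missing file shows up in a fresh scan on its own. The following added example (not OSSEC's syscheck code, and not from the thread) implements that comparison in Python with the same attributes syscheck records (size, perm, uid, gid, md5, sha1), runs the poster's sequence in a temporary directory, and emits added / changed / deleted events. Directory, file name and the permission values are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile


def file_entry(path):
    """Integrity values for one regular file, in the spirit of syscheck's database entries."""
    st = os.lstat(path)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "size": st.st_size,
        "perm": stat.filemode(st.st_mode)[1:],   # "rw-r--r--" without the leading type char
        "uid": st.st_uid,
        "gid": st.st_gid,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def scan(directory):
    """Walk a directory tree and return {path: entry} for every regular file."""
    db = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                db[path] = file_entry(path)
    return db


def diff(old, new):
    """Compare two scans. A path present in the stored baseline but absent from the
    fresh scan is the only evidence of a deletion, so the union of both key sets
    is walked rather than just the new scan."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append(("added", path, []))
        elif path not in new:
            events.append(("deleted", path, []))
        elif old[path] != new[path]:
            changed = [k for k in old[path] if old[path][k] != new[path][k]]
            events.append(("changed", path, changed))
    return events


def demo():
    """Run the thread's sequence: create file, scan, chmod, scan, delete, scan.
    Returns the event kinds in order, the attributes reported as changed by the
    chmod step, and the md5 recorded for the empty file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "BLA")          # constructed, mirrors the thread's test file
        baseline = scan(d)
        open(target, "w").close()
        os.chmod(target, 0o644)                  # pin the mode so the result is umask-independent
        scan1 = scan(d)
        e1 = diff(baseline, scan1)
        os.chmod(target, 0o600)
        scan2 = scan(d)
        e2 = diff(scan1, scan2)
        os.remove(target)
        scan3 = scan(d)
        e3 = diff(scan2, scan3)
        return [e[0] for e in e1 + e2 + e3], e2[0][2], scan1[target]["md5"]


if __name__ == "__main__":
    kinds, changed_attrs, md5 = demo()
    print(kinds, changed_attrs, md5)
```

The md5 returned for the empty file is d41d8cd98f00b204e9800998ecf8427e, the same value in the syscheck_control listing above, which is simply the MD5 of zero bytes; it is why the permission change in the thread shows identical checksums and only the Perm field differing. If a checker reports no deletion, the place to look is whether its old-versus-new comparison walks the stored entries at all, or only the files it just found.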
[ossec-list] decoded fields and rules
i would like to suppress some rules for some users, especially rule 5501,5502. first i had to change the pam decoder because it didn't decode the user field. this is my version:

    <decoder name="pam-user">
      <parent>pam</parent>
      <prematch>session \w+ </prematch>
      <regex offset="after_prematch">^for user (\S+)</regex>
      <order>user</order>
    </decoder>

but i'm also interested in the username requesting the session. the decoder was quickly adapted and decodes the fields correctly:

    **Phase 2: Completed decoding.
           decoder: 'pam'
           dstuser: 'root'
           srcuser: '(uid=0)'

but then i realized that i cannot use all decoded fields in rules. this is the rule:

    <rule id="12" level="0">
      <if_sid>5501,5502</if_sid>
      <user>itsme</user>
      <srcuser>notyou</srcuser>
      <description>ignore login sessions by notyou</description>
    </rule>

    $ /var/ossec/bin/ossec-logtest -f
    2011/09/15 21:01:58 ossec-testrule: INFO: Reading local decoder file.
    2011/09/15 21:01:58 ossec-analysisd: Invalid option 'srcuser' for rule '12'.
    2011/09/15 21:01:58 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

what's the reason behind this? why decode fields if you cannot use them in rules?

-ap
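The decoder in this post relies on three pieces of OSSEC decoder semantics: a prematch that must be found somewhere in the line, a regex applied to the text after that prematch, and an order list that names the capture groups. The following added example (not OSSEC's analysisd code, and not from the post) models those three steps in Python for the pam "session opened for user X by Y" lines, then evaluates a small rule tree in which a child rule may test any decoded field, which is the behaviour the poster wanted. The log lines are constructed; rule 5501 stands in for the stock "login session opened" rule and rule 12 for the poster's child rule; the mapping of a rule's <user> tag onto the decoded dstuser field is an assumption of the example.

```python
import re

# Decoder model: <prematch>, <regex offset="after_prematch">, <order>.
PAM_PREMATCH = re.compile(r"session \w+ ")
# Two capture groups; the "by ..." part is optional so "session closed" lines still decode.
PAM_REGEX = re.compile(r"^for user (\S+)(?: by (\S*?)\(uid=\d+\))?")
PAM_ORDER = ("dstuser", "srcuser")   # assumption: a rule's <user> compares against dstuser


def decode_pam(log):
    """Return decoded fields, or None when the prematch or regex does not apply."""
    pm = PAM_PREMATCH.search(log)
    if not pm:
        return None
    m = PAM_REGEX.match(log[pm.end():])    # offset="after_prematch"
    if not m:
        return None
    return dict(zip(PAM_ORDER, m.groups()))


# Constructed rule set mirroring the post. Rule 5501 is the parent that matches on raw
# text; rule 12 is a level-0 child that filters on decoded fields.
RULES = [
    {"id": 5501, "level": 3, "match": "session opened",
     "description": "Login session opened."},
    {"id": 12, "level": 0, "if_sid": 5501,
     "fields": {"dstuser": "itsme", "srcuser": "notyou"},
     "description": "ignore login sessions by notyou"},
]


def evaluate(log):
    """Run the rule tree: a parent rule fires on <match>, then the first child whose
    if_sid points at it and whose field conditions all hold replaces it.
    Returns (rule id, level, decoded fields) or None when nothing fires."""
    fields = decode_pam(log) or {}
    fired = None
    for rule in RULES:
        if "match" in rule and rule["match"] in log:
            fired = rule
    if fired is None:
        return None
    for rule in RULES:
        if rule.get("if_sid") != fired["id"]:
            continue
        if all(fields.get(k) == v for k, v in rule["fields"].items()):
            fired = rule
            break
    return fired["id"], fired["level"], fields


if __name__ == "__main__":
    # Constructed sample lines (program-name prefix already stripped, as the decoder sees them).
    for line in (
        "pam_unix(sshd:session): session opened for user itsme by notyou(uid=0)",
        "pam_unix(sshd:session): session opened for user root by (uid=0)",
        "pam_unix(sshd:session): session closed for user root",
    ):
        print(line, "->", evaluate(line))
```

With the field check in the child rule, the itsme-by-notyou session is downgraded to level 0 while a root session opened by the system itself still raises rule 5501 at level 3; a "session closed" line decodes a dstuser but fires nothing, since the parent rule's match text is absent.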