[ossec-list] Re: How to remove die box/duplicate ip box from OSSEC Manager without interactive commands.
On Wednesday, March 14, 2018 at 5:04:40 PM UTC-10, Arvind Lavania wrote: > > Hello, > > During release i need to remove 50 boxes(Lin/Win) from OSSEC manager on > every month and than need to enroll 50 nex boxes. Is there any command so i > can remove those 50 agent before enrolling new one so IP duplicate or > hostname duplicate related error not come in production. > > I am using Ansible to enroll the server in ossec manager. > Depending on what you're trying to do and whether preserving keys/history are important, the rename_agent.sh and renumber_agent.sh scripts in the contrib directory might be useful. Note that these scripts need to be run on both the agent and the server. YMMV. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] OSSEC flushed all the iptables rules
On Tue, 14 Jun 2016, Doug Burks wrote: Perhaps related to the Active Response bug mentioned in the comments here? https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135 No that's a bug in the host-deny.sh script. It has nothing to do with iptables. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] OSSEC flushed all the iptables rules
On Tue, 14 Jun 2016, Zeal Vora wrote: We installed OSSEC in our production machines yesterday and today we saw that all the iptables rules in all the machines were flushed. Something similar to iptables -F Any idea on what can cause this ? I am aware that OSSEC active-response can add or remove entries from iptables but have never knew about flushing entire iptables rules. Any help will be appreciated.! Normally, if an ossec client is stopped, it will remove all active response entries added to the firewall rules and /etc/hosts.deny from the time ossec was started before exiting. Is this what you're seeing or are the entire iptables rules completely gone? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Nagios needs to sudo to read syslog causing unnecessary alerts
On Mon, Jun 13, 2016 at 9:48 AM, Tahir Hafiz <tahir...@gmail.com > wrote: We have a situation in which nagios, to do it's nrpe checks, has to constantly read the /var/log/syslog. Therefore, we constantly have alerts at level 3 such as: Rule: 5502 (level 3) -> 'Login session closed.' Rule: 5501 (level 3) -> 'Login session opened.' which involve sessions opening and closing for user root (as the nagios user sudo's to read the syslog file). We don't want to have to whitelist these types of alerts as we want to have warning if someone escalates their privileges. Therefore, is it acceptable to have nagios user added to the adm group as the adm group can read the syslog file? What are the right ways to solve this? On one particular server I have both Nagios and OSSEC (as a manager) installed but I don't see the same issue you see. Is SELinux enabled on your system? You may need to add a SELinux policy to enable Nagios access to the logs without having to sudo. Here's a TE file I use to generate a Nagios plugin SELinux policy: module nagios_plugin 1.0; require { type nagios_t; type nagios_log_t; type var_t; type ping_t; type httpd_t; type httpd_sys_content_t; type httpd_nagios_script_t; type httpd_sys_script_t; type usr_t; type procmail_t; type system_mail_t; class process { signal sigkill ptrace }; class dir { read write search add_name remove_name }; # class file manage_file_perms; class file write; class fifo_file { read write create open getattr }; type dhcpd_port_t; type nagios_services_plugin_t; class udp_socket name_bind; type nagios_system_plugin_t; type nagios_services_plugin_exec_t; class file getattr; } #= httpd_nagios_script_t = allow httpd_nagios_script_t var_t:file { getattr }; allow httpd_nagios_script_t var_t:fifo_file { write getattr }; #= httpd_t == allow httpd_t var_t:file { getattr }; #= nagios_t == #allow nagios_t self:process ptrace; allow nagios_t system_mail_t:process { signal sigkill }; allow nagios_t httpd_sys_content_t:file { write getattr }; allow nagios_t var_t:dir { read write add_name remove_name }; allow nagios_t var_t:fifo_file { read write create open getattr }; #allow nagios_t var_t:file manage_file_perms; #= ping_t == allow ping_t var_t:file { write }; allow ping_t usr_t:file write; #= httpd_sys_script_t == allow httpd_sys_script_t usr_t:fifo_file { getattr write open }; #= procmail_t == allow procmail_t nagios_log_t:dir search; #= nagios_services_plugin_t == # This avc can be allowed using the boolean 'allow_ypbind' allow nagios_services_plugin_t dhcpd_port_t:udp_socket name_bind; #= nagios_system_plugin_t == allow nagios_system_plugin_t nagios_services_plugin_exec_t:file getattr; Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] OSSEC-abnormal-behavior-active-repsonse
How are you configuring those white listed subnets in the config - as a series of individual addresses? Sent from my iPad > On May 19, 2016, at 06:42, James Siegelwrote: > > I have a set of subnets that are whitelisted. > The server and agents were installed quite some time ago and are on 2.81. > > The server and the agents have been restarted at various times over the past > months as part of update/patching processes. > > The conf file was not changed during those time periods. > > My boss was locked out by active response, after successfully logging in, > then trying to su up to root, that occurred last Thursday. > > The CEO was locked out of a device last night. > > In both those instance, the devices they were originating from were part of > whitelisted subnets. > > Somehow, suddenly random occurrences of locking out whitelisted devices? > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Sat, 7 May 2016, Jacob Mcgrath wrote: Ok, let me know when it time for my guinea piging to start lol. The patched script should be useable now. Just download straight from github. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Fri, 6 May 2016, Michael Starks wrote: Good catch and thank you. I don't think the script ever worked, even before the commit. You're right. I vaguely recall (and my recollection is known to be flawed :)) that when I was working on the various IPv6 updates and turned my attention to this script, I noticed it wasn't working locally at all. Windows didn't like setting a gateway of 127.0.0.1 for an IPv4 route and I think there was some kind of synxtax issue as well. I 'fixed' things by using a null address as the next hop for both IPv4 and IPv6. However, I never 'verified' the script from OSSEC manager's point of view (ie. run agent_control on the manager) and assumed that once the script started working locally everything was ok. The other bug was still lurking in the script. Reminds me of the TV series "Seconds from Disaster" - where chains of 'errors' are not detected in time, sometimes some of the errors masking subsequent errors from being detected. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Yes. :) Sent from my iPad > On May 5, 2016, at 16:25, Jacob Mcgrathwrote: > > Is this a patch to Ossec or tot eh script? > >> On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote: >> Hi >> >> I cannot get active response to work >> >> how can I debug why active response on Windows agents is not working ? >> >> linux agents are fine - i.e drop/active response is working >> >> I have followed - >> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html >> >> when I use the command : - /var/ossec/bin/agent_control -b 2.3.4.5 -f >> win_nullroute600 -u 002 >> >> it doesn''t block / add a route on the windows agent >> >> tried on Windows 2012/2008 both os's same result. >> >> How can I find out why ? >> >> regards >> > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Wed, 4 May 2016, Antonio Querubin wrote: Actually the script did break and assumed one of parameters was dropped in commit 168cb2f. And the mistake wasn't caught until now. I'll submit a patch shortly. PR #828. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Wed, 4 May 2016, Antonio Querubin wrote: I've been doing some testing and the script itself is ok. It seems the windows agent is receiving the IP address and since the agent doesn't attempt to run a duplicate request I think it's reasonable to assume it's because the agent has already cached the IP address. So the mystery is how the agent is losing the IP address info before calling route-null.. Actually the script did break and assumed one of parameters was dropped in commit 168cb2f. And the mistake wasn't caught until now. I'll submit a patch shortly. -- Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Wed, 4 May 2016, Jacob Mcgrath wrote: The script works locally at work If I invoke a active response from the ossec server like so /var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007 I see that the C:\Program Files (x86)\ossec-agent\active-response\active-responses.log is generated...with this input... Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-" Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-" route print on my windows agent does not show this route added and in turn removed... From what I can tell the script should work if the proper args are received. But the ip to be routed from ossec never get seen in the windows agent...could be the script or the way the arg is passed down from server to agent. I've been doing some testing and the script itself is ok. It seems the windows agent is receiving the IP address and since the agent doesn't attempt to run a duplicate request I think it's reasonable to assume it's because the agent has already cached the IP address. So the mystery is how the agent is losing the IP address info before calling route-null.. -- Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Tue, 3 May 2016, Jacob Mcgrath wrote: For me it was the IP checking part of the script on Windows 7 Enterprise... I commented it out for now until I have a little time to rework the checking function... I will post it later when this happens. :: Check for a valid IP ::ECHO "%2" | %WINDIR%\system32\findstr.exe /R "[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*" nul || ECHO Invalid IP && EXIT /B 2 :: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1 FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B %WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR% That looks like an older version of route-null.cmd. Can you try installing the current version from the git repo and see if that works any better for you? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: Decoding long messages - multiple regex statements
On Fri, 15 Apr 2016, Fredrik wrote: Thanks for getting back to me. Again :) :) I'm trying out your enhancement to the first decoder and trying to combine it with child-decoders from our previous posts. I currently have this (which obviously doesn't work), but how do I best create the parent-child tree to handle the slight variations in messages? One per action (e.g. block, prevent) and where needed use two child-decoders with same name to capture all field of interest - as you have instructed previously (i.e. one for fields action,srcip,dstip , the second for url, extra_data fields? Checkpoint-test (\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+) action,srcip,dstip If you plan on detecting IPv6 activity on your network you may want to change \d+.\d+.\d+.\d+ to \S+ Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] new postfix rule doesn't fire....
That regex looks IPv4 specific. Can you make it allow IPv6 addresses? Sent from my iPad > On Mar 28, 2016, at 05:35, theresa mic-snarewrote: > > Thanks, Dan! > I now almost got it fully working your advice was really good! > Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the > postfixmaybe I'd need to rearrange the order in the ossec.conf to load > the postfix decoders last. > because it also triggers this > > > smtpd > > > However, when I uncomment this, my new postfix decoder works just fine > here's my postfix decoder: > > true > postfix > ^warning: > \d+.\d+\d+\d+.\w+.\w+.\w+: > srcip > > > Here are my postfix rules: > > postfix-rbl > Grouping of the postfix RBL rules. > > > > 3395 > RBL lookup error: > Host or domain name not found. Name service > error > spam,pci_dss_10.6.1,pci_dss_11.4, > > > ossec-logtest is now able to detect it: > **Phase 2: Completed decoding. >decoder: 'postfix' > > **Phase 3: Completed filtering (rules). >Rule id: '3396' >Level: '6' >Description: 'Host or domain name not found. Name service error' > **Alert to be generated. > > At the moment I really don't know how to prevent the clash with the openbsd > decoder...hmm > > > > > > Am Montag, 28. März 2016 16:22:57 UTC+2 schrieb dan (ddpbsd): >> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare >> wrote: >> > hmm, well I have this decoder in my ossec decoder set, >> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml >> > >> > ^warning: >> > ^(\S+): hostname (\s+) verification >> > failed >> > srcip >> > >> > >> > don't remember if I have added this myself, or if it came with the wazuh >> > decoders >> > then this decoder is used, by ossec-logtest >> > but unfortunately my rule isn't triggering...hmm >> > >> > **Phase 1: Completed pre-decoding. >> >full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup >> > error: >> > Host or domain name not found. Name service error for >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' >> >hostname: 'tron' >> >program_name: '(null)' >> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host >> > or domain name not found. Name service error for >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' >> > >> > **Phase 2: Completed decoding. >> >decoder: 'postfix-failed' >> > >> > **Phase 3: Completed filtering (rules). >> >Rule id: '1002' >> >Level: '2' >> >Description: 'Unknown problem somewhere in the system.' >> > **Alert to be generated. >> > >> > I've now had a look in my maillog and found the exact log message as >> > postfix >> > logged it: >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: >> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not >> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A: >> > Host >> > not found, try again >> > >> > after running this message now through ossec-logtest, I can see that >> > another >> > decoder matches, namely the smtpd decoder (openbsd_decoders.xml) >> > >> > **Phase 1: Completed pre-decoding. >> >full event: '2016-03-23T01:09:28.962188+01:00 tron >> > postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup >> > error: >> > Host or domain name not found. Name service error for >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' >> >hostname: 'tron' >> >program_name: 'postfix/smtpd' >> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host >> > or domain name not found. Name service error for >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' >> > >> > **Phase 2: Completed decoding. >> >decoder: 'smtpd' >> > >> > **Phase 3: Completed filtering (rules). >> >Rule id: '1002' >> >Level: '2' >> >Description: 'Unknown problem somewhere in the system.' >> > **Alert to be generated. >> > >> > However, what am I doing wrong here? Why is this rule not triggering? >> > >> > 3300 >> > RBL lookup error: >> > Host or domain name not found. Name service >> > error >> > spam,pci_dss_10.6.1,pci_dss_11.4, >> > >> > >> > Am I missing something here? >> > >> >> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed: >> >> postfix-reject >> Grouping of the postfix reject rules. >> >> >> >> > Am Montag, 28. März 2016 14:44:51 UTC+2 schrieb dan (ddpbsd): >> >> >> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare >> >> wrote: >> >> > Hi, >> >> > >> >> > i'm trying to write my first rules, by extending the existing postfix >> >> > rules. >> >> > >> >> > here's what i'm
Re: [ossec-list] Scaling OSSEC (presentation from OpenNSM project / scripts / rules)
Nice work! Sent from my iPad > On Mar 18, 2016, at 03:36, Rodrigo Montoro(Sp0oKeR)wrote: > > Presentation here: https://www.youtube.com/watch?v=TllGa-POslQ > > Nice content here https://github.com/ncsa/ossec-tools > Custom AR scripts > > active-response/virustotal_lookup.sh/virus_total.py - Look up hash from > syscheck alerts in VT database > active-response/cymru_lookup.sh - Look up hash from sysheck alerts in Team > Cymru Malware Hash Registery > active-response/puppetdb_lookup.sh - Look up managed files in PuppetDB > active-response/rpm_lookup.sh - Look up files that changed from RPM install > (must be present on agents) > active-response/deb_lookup.sh - Lookup file that changes from DEB install > (must be present on agents) > active-response/time_lookup.sh - Check if system clock is off or time zone > differs for analyzed logs > active-response/command_search.sh - Search for malicious commands across logs > active-response/cif.sh - Create intelligence feed from alerts > active-response/bhr.sh - Block hosts at perimeter using Black Hole Router by > Justin Azoff > active-response/add_to_cdb.sh - Add entries from alerts to system database > e.g. system users > active-response/rule-all.sh - Run many of the above scripts > active-response/syscheck-all.sh - Run many of the syscheck scripts > And more rules and tips there. > > Regards, > -- > Rodrigo Montoro (Sp0oKeR) > http://spookerlabs.blogspot.com > http://www.twitter.com/spookerlabs > http://www.linkedin.com/in/spooker > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: DNS caching for ?
On Fri, 26 Feb 2016, dan (ddp) wrote: IIRC, there was some talk previously about adding a dns daemon that could be queried from inside the chroot. I can't remember exactly what I had found, but it related to libasr (https://github.com/OpenSMTPD/libasr). Maybe a dnsd of some sort built into opensmtpd? Oh wait I get what you're saying. Disregard my last :) Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: DNS caching for ?
On Fri, 26 Feb 2016, dan (ddp) wrote: IIRC, there was some talk previously about adding a dns daemon that could be queried from inside the chroot. I can't remember exactly what I had found, but it related to libasr (https://github.com/OpenSMTPD/libasr). Maybe a dnsd of some sort built into opensmtpd? Not sure how that addresses the OP's problem. If you accept that the server's IP address will change then you still need to find a way to both detect the change on the agent and then trigger some kind of restart/reload on same. Unless you're willing to run the whole detection/restart show from a separate monitoring system. This assumes the hosting provider provides some automated means for restarting systems that can be scripted. Far simpler to use a secondary stable IP address for the server <-> agent communication. The stable address does not need to be the NIC primary address nor public. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] OSSEC IIS LOG being cutted after alert is created
On Tue, 2 Feb 2016, Santiago Bassett wrote: From src/headers/defs.h, here are some interesting constants #define OS_MAXSTR OS_SIZE_6144/* Size for logs, sockets, etc */ #define OS_BUFFER_SIZE OS_SIZE_2048/* Size of general buffers */ #define OS_FLSIZE OS_SIZE_256 /* Maximum file size*/ #define OS_HEADER_SIZE OS_SIZE_128 /* Maximum header size */ #define OS_LOG_HEADER OS_SIZE_256 /* Maximum log header size */ #define IPSIZE 16 /* IP Address size */ Might want to update your source with the master branch. IPSIZE was updated to agree with the current socket API RFC-3493. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Very high load on stop ossec on Centos
On Fri, 22 Jan 2016, Giorgio Biondi wrote: I have some linuxbox running with Centos but only box ha this strange behaviur.. All work fine but if I stop the service load on this linuxbox go to impossible value.. today have reached 700 (is true.. 700) After some minutes load goes down to normal value.. 0,40 If I get processlist I see many 'firewall-drop.sh'.. Other bad thing is.. I see many (today about 11000) file in /var/ossec like this: -rw--- 1 root ossec0 22 gen 09:50 ossec-hosts.8zU2h1Ie1K -rw--- 1 root ossec0 22 gen 09:51 ossec-hosts.XUtatiQkNR It's a known problem with the current release running on exposed busy servers, but it's mitigated in the current master branch. You'll need to remove the stale ossec-hosts.xx files manually. See the following for more info: https://github.com/ossec/ossec-hids/issues/609 https://github.com/ossec/ossec-hids/pull/618 https://github.com/ossec/ossec-hids/pull/624 Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] SELinux context for ossec.log to allow log rotation
On Wed, 2 Dec 2015, Santiago Bassett wrote: I'll actually add this to the Debian/Ubuntu packages as well. What is weird is that I don't see any logrotate configuration file added when using install.sh script. Wouldn't it make sense to add it there as well? I've only seen the logrotate script in RPMs. It's currently not in the master branch but probably should be added, and as you say, also integrated into install.sh. On top of that, if SELINUX is enabled, either a policy would need to be added (say logrotate-ossec to keep it separate from any existing logrotate policy which by the way exists in RHEL 7 but not in RHEL 6 derivatives), or add a chcon to the startup scripts. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] SELinux context for ossec.log to allow log rotation
On Tue, 1 Dec 2015, Santiago Bassett wrote: OSSEC log files are rotated by ossec-monitord process every day at midnight. I don't think you would need to use logrotate for this. Did you check ossec-monitord process is running? Monitord only touches the alerts, archives, and firewall logs. The active-responses.log and ossec.log are handled by a logrotate job (which is found in the RPM packages). If selinux is enabled, the context of the /var/ossec/logs directory would need to be changed for logrotate to operate on those files (or a targeted selinux policy created). This info should be captured somewhere in the documentation or integrated into the install scripts. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] ossec-authd client authentication
On Fri, 18 Sep 2015, dan (ddp) wrote: Unfortunately I don't know. We want to push a new release, but finding the personal time to do so has been quite difficult. It's an unavoidable part of volunteer-only projects, and something we will definitely try to remedy in the future (more automation, better testing, etc.). The current development code is pretty close (if not spot on) to what will be released though. I do recommend that everyone download it and give it a spin. More testing might help us get it out. There is no mention of 2.9 alpha/beta/RC/whatever on the ossec.net website in any of the obvious places. Ie. Chances are few people other than developers who follow the github site know about it. If you want to encourage everyone to download and test it, then a note added to the News and/or Download menus on the ossec website might be in order. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: Bug
On Fri, 14 Aug 2015, Winn Johnston wrote: You can also see via netstat the IP it is trying to use is definitely not valid root# netstat -lntp udp | grep 1514 udp4 0 0 10.20.80.89.51990 255.255.255.255.1514 Independent of ossec, does the server hostname actually resolve to an IP address? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: ossec-wui search broken?
On Fri, 10 Jul 2015, theresa mic-snare wrote: i've just found this in my httpd_error log PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods You should set this in your /etc/php.ini file so that all your PHP apps (not just ossec-wui) know what timezone to use. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Upgrade from 2.8 to 2.8.2
On Tue, 23 Jun 2015, secucatc...@free.fr wrote: thanks for your answer i don't use host-deny bur only AR, and i was talking about: CVE-2015-3222 http://www.ossec.net/?p=1198 i read This issue does not affect agents and for me it was not clear if you can go for root escalation via sys check only on the server or if you don't need to upgrade the agent. That doesn't seem right. syscheck and corresponding diffs are run by agents so they're directly affected. http://osdir.com/ml/opensource-software-security/2015-06/msg00089.html 1. A vulnerable version is in use. 2. The OSSEC agent is configured to use syscheck to monitor the file system for changes. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] force ossec-authd to use 0.0.0.0/0 and not any when using without the -i flag?
On Fri, 29 May 2015, Braden Heil wrote: I've tried looking for the source, to see if I could do just that. I'll keep looking, if it wouldn't take you more than 10 seconds to grab me a link / point me in the right direction, would you mind helping me with that? We are using AlienVault at work, when using any I'm not getting trend charts, current IP addresses, file change reports come in as 0.0.0.0... few other things. I manually set some up with 0.0.0.0/0 and everything works fine. The IPv6 branch just changes 'any' to '::/0' internally, which actually has the same meaning to the various socket API functions. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] ossec-hosts files
On Tue, 26 May 2015, fi...@vivaldi.net wrote: I just looked in the root of my OSSEC installation on Ubuntu and noticed dozens of files with names like ossec-hosts.CMvJNMB8af. What could those be and what's the effect, if any, of deleting them? Those are temporary files created by the host-deny.sh script when it flushes an address from /etc/hosts.deny. The temporary file is removed upon normal completion of the script. When you stop (or restart) ossec do you notice your system load skyrocketing for minutes at a time long after the stop? Do you have many addresses listed in /etc/hosts.deny? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Blank /etc/hosts.deny
On Sun, 10 May 2015, fi...@vivaldi.net wrote: This was a clean install of 2.8.1 on a fresh Debian 8 server. Actually you're right - a clean agent install of 2.8.1 would still have the problem with the spaces around the '=' in host-deny.sh since 2.8.1 actually introduced that problem. And if I'm reading the commit log correctly, the patch to adduser.sh did actually make it into 2.9-beta4. Sorry for the confusion. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Blank /etc/hosts.deny
On Sun, 10 May 2015, Doug Burks wrote: Please see the comments here: http://www.ossec.net/?p=1135 Unfortunately, adduser.sh was also broken in 2.8.1 on certain systems resulting in various files not being updated as expected on an agent when install.sh is run. Ie. if you installed 2.8.1 over a previous version, your agent may still be using the older binaries and scripts. Unfortunately, the patch for adduser.sh didn't make it to the stable branch in time for the pending 2.9 release. Two workarounds are to do a clean agent install to ensure your host-deny.sh is the most recent or just install host-deny.sh manually from the source. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] load problem when stopping ossec
On Thu, 7 May 2015, Antonio Querubin wrote: The ossec shutdown also leaves numerous ossec-hosts. temp files in /var/ossec. Uh, ignore that piece - self-inflicted wound... :) Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: Ubuntu 14.10 black screen after installing ossec-wui
On Thu, 30 Apr 2015, Pedro Pereira wrote: webserver: apache directory: pressed enter (it was the default /var/ossec) It's not really the default - it's just an example. And of course many people (including me) miss that distinction and just press enter. And /tmp is clobbered. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: Ubuntu 14.10 black screen after installing ossec-wui
On Wed, 29 Apr 2015, Pedro Pereira wrote: Yup, it did mess up the user accounts... i commented the htpasswd section of the script but it still created 3 new accounts, dunno why. The workaround the logon loop is to restore the /tmp permissions ownership, you where right. Somehow, the ossec-wui script changes the permissions in the /tmp/ folder of ubuntu, not the /var/ossec/tmp permission or even the /var/www/ossec-wui/tmp. I thinks there's a bug in the script, permission changing wise. I followed this : http://ubuntuforums.org/showthread.php?t=2050685 For now, it seems to work. But i still cannot comprehend why did it create the accounts ossec, ossecr and ossecm...Can you guys check out the script and give me a hand? The ossec-hids install.sh adds those users. That's normal. The problem is with the ossec-wui setup.sh clobbering the /tmp permissions. It needs some fixing... Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Ossec server not listening on IPv6
On Fri, 13 Mar 2015, Jeremy Rossi wrote: https://github.com/ossec/ossec-hids/pull/422 This has not been pulled into ossec. But I think he keeps it up to date over at https://bitbucket.org/aquerubin/ossec-hids/wiki/Home This has not been pulled into ossec but should be I think. This leaves me somewhat speechless and appalled. I have been patiently waiting over a year. Of all the OSS projects I've participated in, the dwell time for OSSEC surpasses all others by at least an order of magnitude. Contrast that with other pull requests over the past year which were merged quickly (and promptly broke agent-server communication not once but several times). Many pull requests in general have increased the complexity and code size of OSSEC while the IPv6 bits actually decrease the code size and simplify it. As worldwide IPv6 deployment continues to accelerate rapidly, the lack of fully functioning IPv6 capability in OSSEC presents a major operational security blind spot that needs to be addressed sooner rather than later. I strongly urge the developer team to give this higher priority. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] anyone interested in OSSEC RPMs?
On Tue, 3 Mar 2015, autodidactic wrote: Also, is this something that the broader ossec user community would find useful? Or, are most content with the Atomicorp RPMs? I'm wondering if the RPM packaging I'm doing would be worth while to contribute back to the project or no one cares? How about making the SPEC file(s) (or SRPM(s)) available in a public repository? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
RE: [ossec-list] Cant Get it Working
On Fri, 21 Nov 2014, Colin Bruce wrote: What I wonder is can it be built on one server and run on another. Obviously the agent can but what about the server? Needs to be built for the same OS. A 32-bit binary will run on a 64-bit machine but not the reverse. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
RE: [ossec-list] Cant Get it Working
On Fri, 21 Nov 2014, Colin Bruce wrote: Yes they are the same OS and same word size. They are actually both built from a standard image we use. Should be ok then. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Building the Windows Agent
On Fri, 24 Oct 2014, Colin Bruce wrote: 4. Shared.h contains a line which reads #include ws2tcpip.h which causes several errors when building with version 4.8.1 of MinGW. Commenting out the line allows compilation to complete although I am not sure if the result is actually correct. Is it a problem with compiling or with linking? In make.bat and make.sh you'll need to add '-lws2_32' after '-lwsock32' -- Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] OSSEC file integrity tool questions
On Thu, 16 Oct 2014, Michael Starks wrote: On 10/16/2014 06:38 AM, jason polachak wrote: OSSEC supports SHA1 which is listed as approved, but I would expect that it would be deprecated in the standard soon. I'm not aware of anyone making efforts to update the hash standard in OSSEC. SHA1 was deprecated in 2011 and disallowed after 2013 for signature generation. For legacy signature verification and other non-signature hash applications it's still acceptable. Ref: NIST Special Pub 800-131A Table 9. -- Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] 1403 Incorrectly formated message - ip address issue
On Tue, 14 Oct 2014, invi...@gmail.com wrote: I have just had an issue with agent on Windows XP system. For some reason we inherited our LAN configured with public IP. All was ok till now and is ok so far, I think. Server ip ends 0.4, client ip ends 0.40 I was trying to add/remove client, re-enter client key and etc did not help. only after I changed IP address to something other i.e. 0.94 only then it worked. Looks like there was an issue with this particular IP address ending 0.40 other clients works fine. Maybe a regex issue. Have you tried using the hostname instead of the address? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] 1403 Incorrectly formated message - ip address issue
What am I thinking? Ignore previous. :) On Tue, 14 Oct 2014, Antonio Querubin wrote: Date: Tue, 14 Oct 2014 07:55:58 -1000 (HST) From: Antonio Querubin t...@lavanauts.org Reply-To: ossec-list@googlegroups.com To: invi...@gmail.com Cc: ossec-list@googlegroups.com Subject: Re: [ossec-list] 1403 Incorrectly formated message - ip address issue On Tue, 14 Oct 2014, invi...@gmail.com wrote: I have just had an issue with agent on Windows XP system. For some reason we inherited our LAN configured with public IP. All was ok till now and is ok so far, I think. Server ip ends 0.4, client ip ends 0.40 I was trying to add/remove client, re-enter client key and etc did not help. only after I changed IP address to something other i.e. 0.94 only then it worked. Looks like there was an issue with this particular IP address ending 0.40 other clients works fine. Maybe a regex issue. Have you tried using the hostname instead of the address? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Windows agents not connecting to OSSEC server
On Sun, 12 Oct 2014, David Masters wrote: Ok...here is the log file from a freshly installed agent (shutdown ossec server, removed all rid files, no rid files on agent system, manually entererd key and server address): This is the log file from same machine after pushing out key file/ossec.conf file and deleting rid files (no change to any other part of the machine or configuration): Verified all information in both files was exactly the same as before and files in rids directory were deleted before service was restarted. Any ideas? Did you remove the corresponding rids file on the server? Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: Issue triggering Active Response on Windows 2012
On Tue, 23 Sep 2014, Eric Johnfelt wrote: - The regular expression for validating IP's is wrong. Findstr's RegExp facility is well... just terrible, so [0-9]*\.[0-9]*\.[0-9]*\.[0-9]* is the best you can do, but its not 100% correct for validating IP addresses either, but it works for the complete subset of valid addresses. I ended up just tossing the regex since it's useless for IPv6 addresses. I wish Windows had a built-in shell util for validating any IP address. - The method used to choose the null-route is a bit flawed. It doesn't take into account any combination of multiple IP's or network interfaces; which is common for people using any kind of virtualization (Virtual Box, VMware, Virtual PC) or servers with multiple IPs or NICS. Technically, it will still work, it is just... not fundamentally correct and your mileage may vary. Lastly, testing the active-response does not seem to work... at least for me... I'm still working on that... however I can say the following for certain. First, when I issue a test, I see the packet received via wireshark, the agent just doesn't seem to respond. However, when a real active-response comes in from the manager, the route-null.cmd script executed; with the fixes mentioned above, the script does work. I wonder if this is something specific to Windows 2012 as I've got it working for windows 7. I haven't gotten around to testing with 2012 yet. I see a few people have replaced the script completely, I am considering that myself using a powershell or VBScript (both of which have a *much* better regex facility for validating strings (and IP addresses)) as well as giving me APIs (particularly WMI) to determine the best IP to null route on from the available interfaces and local addresses, or just use the internal firewall to block via NETSH or the ActiveX control for the firewall facility. Rather than trying to choose the interface IP I found it simpler to just set the gateway to either 0.0.0.0 or :: whichever applies. Anyhow, the point is, you can fix the bundled script or replace it; replacing will give you access to better AND more functionality, IMHO. Either way fixed or replaced, when it works... its a beautiful thing. Indeed. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] decoder rules for Barracuda logs
On Tue, 27 May 2014, Michael Starks wrote: On 2014-05-26 18:03, Antonio Querubin wrote: Wondering if anyone has some decoder rules that work with Barracuda logs. I recently enabled syslogging of a Barracuda Spam/Virus Email Firewall device to an OSSEC server. The server is now sending alert level 2 email notifications complaining of an 'unknown' problem for email that fails the Barracuda's spam/virtus detection tests: I have one. Seems to work OK. I was waiting to write some rules and do some QA before I submitted it. Let me know how it works for you: Thanks - this saves me quite a bit of time. They appear to be IPv4-centric but I'll update them and see how that goes. !-- Barracuda SVF Email Logs -- Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: [ossec-dev] Announcement - OSSEC Moving to Github
On Tue, 28 Jan 2014, Jeremy Rossi wrote: ## Announcement - OSSEC Moving to Github Can we assume this also applies to ossec-wui? ## 3) Port Open Pull Requests ## Contact pull request author to request they move to github and resubmit using github. If no response is received preform the following: Based on the recent github activity, it already looks like you're proceeding with converting the open bitbucket pull requests to github anyway. Should we just wait for the dust to settle before attempting our own conversion? I've got open bitbucket pull requests for both the hids and wui: https://bitbucket.org/jbcheng/ossec-hids/pull-request/39/ipv6-patches https://bitbucket.org/jbcheng/ossec-wui/pull-request/1/enable-ipv6-agents-fix-null-mod-list-add Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [ossec-list] Re: Time wrong on webui beta 8
On Thu, 9 Jan 2014, Carl Hilinski wrote: FIXED. /etc/php.ini has a date.timezone line entry. It was commented out. Changed it to [Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone date.timezone = US/Eastern It now reports the time correctly. And that too! :) Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [ossec-list] Re: Time wrong on webui beta 8
On Thu, 9 Jan 2014, dan (ddp) wrote: I just checked on my system, and I'm seeing the same behavior. Perhaps the wui converts everything to UTC? I don't see that problem here with wui. Might want to check that all of the following make sense on both agents and manager: hwclock /etc/localtime /etc/timezone Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.