from:"Antonio Querubin"

[ossec-list] Re: How to remove die box/duplicate ip box from OSSEC Manager without interactive commands.

2018-03-15 Thread Antonio Querubin



On Wednesday, March 14, 2018 at 5:04:40 PM UTC-10, Arvind Lavania wrote:
>
> Hello,
>
> During release i need to remove 50 boxes(Lin/Win) from OSSEC manager on 
> every month and than need to enroll 50 nex boxes. Is there any command so i 
> can remove those 50 agent before enrolling new one so IP duplicate or 
> hostname duplicate related error not come in production.
>
>  I am using Ansible to enroll the server in ossec manager.
>

Depending on what you're trying to do and whether preserving keys/history 
are important, the rename_agent.sh and renumber_agent.sh scripts in the 
contrib directory might be useful.  Note that these scripts need to be run 
on both the agent and the server.  YMMV.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Antonio Querubin


On Tue, 14 Jun 2016, Doug Burks wrote:


Perhaps related to the Active Response bug mentioned in the comments here?

https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135


No that's a bug in the host-deny.sh script.  It has nothing to do with 
iptables.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Antonio Querubin


On Tue, 14 Jun 2016, Zeal Vora wrote:


We installed OSSEC in our production machines yesterday and today we saw
that all the iptables rules in all the machines were flushed. Something
similar to iptables -F

Any idea on what can cause this ? I am aware that OSSEC active-response can
add or remove entries from iptables but have never knew about flushing
entire iptables rules.

Any help will be appreciated.!


Normally, if an ossec client is stopped, it will remove all active 
response entries added to the firewall rules and /etc/hosts.deny from the 
time ossec was started before exiting.  Is this what you're seeing or are 
the entire iptables rules completely gone?


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Nagios needs to sudo to read syslog causing unnecessary alerts

2016-06-14 Thread Antonio Querubin


On Mon, Jun 13, 2016 at 9:48 AM, Tahir Hafiz <tahir...@gmail.com > 
wrote:

We have a situation in which nagios, to do it's nrpe checks, has to
constantly read the /var/log/syslog.
Therefore, we constantly have alerts at level 3 such as:

Rule: 5502 (level 3) -> 'Login session closed.'
Rule: 5501 (level 3) -> 'Login session opened.'

which involve sessions opening and closing for user root (as the nagios user
sudo's to read the syslog file).


We don't want to have to whitelist these types of alerts as we want to have
warning if someone escalates their privileges. Therefore, is it acceptable
to have nagios user added to the adm group as the adm group can read the
syslog file? What are the right ways to solve this?


On one particular server I have both Nagios and OSSEC (as a manager) 
installed but I don't see the same issue you see.  Is SELinux enabled on 
your system?  You may need to add a SELinux policy to enable Nagios access 
to the logs without having to sudo.  Here's a TE file I use to generate a 
Nagios plugin SELinux policy:


module nagios_plugin 1.0;

require {
 type nagios_t;
 type nagios_log_t;
 type var_t;
 type ping_t;
 type httpd_t;
 type httpd_sys_content_t;
 type httpd_nagios_script_t;
 type httpd_sys_script_t;
 type usr_t;
 type procmail_t;
 type system_mail_t;
 class process { signal sigkill ptrace };
 class dir { read write search add_name remove_name };
# class file manage_file_perms;
 class file write;
 class fifo_file { read write create open getattr };
type dhcpd_port_t;
type nagios_services_plugin_t;
class udp_socket name_bind;
type nagios_system_plugin_t;
type nagios_services_plugin_exec_t;
class file getattr;
}

#= httpd_nagios_script_t =
allow httpd_nagios_script_t var_t:file { getattr };
allow httpd_nagios_script_t var_t:fifo_file { write getattr };

#= httpd_t ==
allow httpd_t var_t:file { getattr };

#= nagios_t ==
#allow nagios_t self:process ptrace;
allow nagios_t system_mail_t:process { signal sigkill };
allow nagios_t httpd_sys_content_t:file { write getattr };
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
#allow nagios_t var_t:file manage_file_perms;

#= ping_t ==
allow ping_t var_t:file { write };
allow ping_t usr_t:file write;

#= httpd_sys_script_t ==
allow httpd_sys_script_t usr_t:fifo_file { getattr write open };

#= procmail_t ==
allow procmail_t nagios_log_t:dir search;

#= nagios_services_plugin_t ==
# This avc can be allowed using the boolean 'allow_ypbind'
allow nagios_services_plugin_t dhcpd_port_t:udp_socket name_bind;

#= nagios_system_plugin_t ==
allow nagios_system_plugin_t nagios_services_plugin_exec_t:file getattr;


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] OSSEC-abnormal-behavior-active-repsonse

2016-05-20 Thread Antonio Querubin

How are you configuring those white listed subnets in the config - as a series 
of individual addresses?

Sent from my iPad

> On May 19, 2016, at 06:42, James Siegel  wrote:
> 
> I have a set of subnets that are whitelisted.
> The server and agents were installed quite some time ago and are on 2.81.
> 
> The server and the agents have been restarted at various times over the past 
> months as part of update/patching processes.
> 
> The conf file was not changed during those time periods.
> 
> My boss was locked out by active response, after successfully logging in, 
> then trying to su up to root, that occurred last Thursday.
> 
> The CEO was locked out of a device last night.
> 
> In both those instance, the devices they were originating from were part of 
> whitelisted subnets.
> 
> Somehow, suddenly random occurrences of locking out whitelisted devices?
> 
> 
> -- 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-07 Thread Antonio Querubin


On Sat, 7 May 2016, Jacob Mcgrath wrote:


Ok, let me know when it time for my guinea piging to start  lol.


The patched script should be useable now.  Just download straight from 
github.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-06 Thread Antonio Querubin


On Fri, 6 May 2016, Michael Starks wrote:

Good catch and thank you. I don't think the script ever worked, even before 
the commit.


You're right.  I vaguely recall (and my recollection is known to be flawed 
:)) that when I was working on the various IPv6 updates and turned my 
attention to this script, I noticed it wasn't working locally at all. 
Windows didn't like setting a gateway of 127.0.0.1 for an IPv4 route and I 
think there was some kind of synxtax issue as well.  I 'fixed' things by 
using a null address as the next hop for both IPv4 and IPv6.  However, I 
never 'verified' the script from OSSEC manager's point of view (ie. run 
agent_control on the manager) and assumed that once the script started 
working locally everything was ok.  The other bug was still lurking in the 
script.  Reminds me of the TV series "Seconds from Disaster" - where 
chains of 'errors' are not detected in time, sometimes some of the errors 
masking subsequent errors from being detected.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-06 Thread Antonio Querubin

Yes.  :)

Sent from my iPad

> On May 5, 2016, at 16:25, Jacob Mcgrath  wrote:
> 
> Is this a patch to Ossec or tot eh script?
> 
>> On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>> Hi
>> 
>> I cannot get active response to work 
>> 
>>  how can I debug why active response on Windows agents is not working ?
>> 
>> linux agents are fine - i.e drop/active response is working
>> 
>> I have followed - 
>> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>> 
>> when I use the command : -  /var/ossec/bin/agent_control -b 2.3.4.5 -f 
>> win_nullroute600 -u 002 
>> 
>> it doesn''t block / add a route on the windows agent
>> 
>> tried on Windows 2012/2008 both os's same result.
>> 
>> How can I find out why ?
>> 
>> regards
>> 
> 
> -- 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-04 Thread Antonio Querubin


On Wed, 4 May 2016, Antonio Querubin wrote:

Actually the script did break and assumed one of parameters was dropped in 
commit 168cb2f.  And the mistake wasn't caught until now.  I'll submit a 
patch shortly.


PR #828.

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-04 Thread Antonio Querubin


On Wed, 4 May 2016, Antonio Querubin wrote:

I've been doing some testing and the script itself is ok.  It seems the 
windows agent is receiving the IP address and since the agent doesn't attempt 
to run a duplicate request I think it's reasonable to assume it's because the 
agent has already cached the IP address.  So the mystery is how the agent is 
losing the IP address info before calling route-null..


Actually the script did break and assumed one of parameters was dropped 
in commit 168cb2f.  And the mistake wasn't caught until now.  I'll submit 
a patch shortly.


--
Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-04 Thread Antonio Querubin


On Wed, 4 May 2016, Jacob Mcgrath wrote:


The script works locally at work

If I invoke a active response from the ossec server like so

/var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007


I see that the  C:\Program Files
(x86)\ossec-agent\active-response\active-responses.log  is generated...with
this input...

Wed 05/04/2016 13:27:16.81 C:\Program Files
(x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd"
add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files
(x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd"
delete - "-"

route print on my windows agent does not show this route added and in turn
removed...

From what I can tell the script should work if the proper args are
received.  But the ip to be routed from ossec never get seen in the windows
agent...could be the script or the way the arg is passed down from server
to agent.


I've been doing some testing and the script itself is ok.  It seems the 
windows agent is receiving the IP address and since the agent doesn't 
attempt to run a duplicate request I think it's reasonable to assume it's 
because the agent has already cached the IP address.  So the mystery is 
how the agent is losing the IP address info before calling route-null..


--
Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-04 Thread Antonio Querubin


On Tue, 3 May 2016, Jacob Mcgrath wrote:


For me it was the IP checking part of the script on Windows 7 Enterprise...
I commented it out for now until I have a little time to rework the
checking function...  I will post it later when this happens.

:: Check for a valid IP
::ECHO "%2" | %WINDIR%\system32\findstr.exe /R
"[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*"

nul || ECHO Invalid IP && EXIT /B 2

:: Extracts last ip address from ipconfig and routes to this address.
Windows will not allow routing to 127.0.0.1
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^|
%WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A)
DO SET IPADDR=%%B
%WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%


That looks like an older version of route-null.cmd.  Can you try 
installing the current version from the git repo and see if that works any 
better for you?



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: Decoding long messages - multiple regex statements

2016-04-15 Thread Antonio Querubin


On Fri, 15 Apr 2016, Fredrik wrote:


Thanks for getting back to me. Again :) :) I'm trying out your enhancement
to the first decoder and trying to combine it with child-decoders from our
previous posts. I currently have this (which obviously doesn't work), but
how do I best create the parent-child tree to handle the slight variations
in messages? One per action (e.g. block, prevent) and where needed use two
child-decoders with same name to capture all field of interest - as you
have instructed previously (i.e. one for fields action,srcip,dstip , the
second for url, extra_data fields?




 Checkpoint-test
 (\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst:
(\d+.\d+.\d+.\d+)
 action,srcip,dstip



If you plan on detecting IPv6 activity on your network you may want to 
change \d+.\d+.\d+.\d+ to \S+



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread Antonio Querubin

That regex looks IPv4 specific.  Can you make it allow IPv6 addresses?

Sent from my iPad

> On Mar 28, 2016, at 05:35, theresa mic-snare  wrote:
> 
> Thanks, Dan!
> I now almost got it fully working your advice was really good!
> Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the 
> postfixmaybe I'd need to rearrange the order in the ossec.conf to load 
> the postfix decoders last.
> because it also triggers this
> 
> 
>   smtpd
> 
> 
> However, when I uncomment this, my new postfix decoder works just fine
> here's my postfix decoder:
> 
>   true
>   postfix
>   ^warning: 
>   \d+.\d+\d+\d+.\w+.\w+.\w+: 
>   srcip
> 
> 
> Here are my postfix rules:
>   
> postfix-rbl
> Grouping of the postfix RBL rules.
>   
> 
>   
> 3395
>  RBL lookup error: 
> Host or domain name not found. Name service 
> error
> spam,pci_dss_10.6.1,pci_dss_11.4,
>   
> 
> ossec-logtest is now able to detect it:
> **Phase 2: Completed decoding.
>decoder: 'postfix'
> 
> **Phase 3: Completed filtering (rules).
>Rule id: '3396'
>Level: '6'
>Description: 'Host or domain name not found. Name service error'
> **Alert to be generated.
> 
> At the moment I really don't know how to prevent the clash with the openbsd 
> decoder...hmm
> 
> 
> 
> 
> 
> Am Montag, 28. März 2016 16:22:57 UTC+2 schrieb dan (ddpbsd):
>> 
>> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare 
>>  wrote: 
>> > hmm, well I have this decoder in my ossec decoder set, 
>> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml 
>> >  
>> >   ^warning:  
>> >   ^(\S+): hostname (\s+) verification 
>> > failed 
>> >   srcip 
>> >  
>> > 
>> > don't remember if I have added this myself, or if it came with the wazuh 
>> > decoders 
>> > then this decoder is used, by ossec-logtest 
>> > but unfortunately my rule isn't triggering...hmm 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup 
>> > error: 
>> > Host or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >hostname: 'tron' 
>> >program_name: '(null)' 
>> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host 
>> > or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >decoder: 'postfix-failed' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >Rule id: '1002' 
>> >Level: '2' 
>> >Description: 'Unknown problem somewhere in the system.' 
>> > **Alert to be generated. 
>> > 
>> > I've now had a look in my maillog and found the exact log message as 
>> > postfix 
>> > logged it: 
>> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 
>> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not 
>> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A: 
>> > Host 
>> > not found, try again 
>> > 
>> > after running this message now through ossec-logtest, I can see that 
>> > another 
>> > decoder matches, namely the smtpd decoder (openbsd_decoders.xml) 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >full event: '2016-03-23T01:09:28.962188+01:00 tron 
>> > postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup 
>> > error: 
>> > Host or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >hostname: 'tron' 
>> >program_name: 'postfix/smtpd' 
>> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host 
>> > or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >decoder: 'smtpd' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >Rule id: '1002' 
>> >Level: '2' 
>> >Description: 'Unknown problem somewhere in the system.' 
>> > **Alert to be generated. 
>> > 
>> > However, what am I doing wrong here? Why is this rule not triggering? 
>> >
>> > 3300 
>> > RBL lookup error: 
>> > Host or domain name not found. Name service 
>> > error 
>> > spam,pci_dss_10.6.1,pci_dss_11.4, 
>> >
>> > 
>> > Am I missing something here? 
>> > 
>> 
>> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed: 
>>
>> postfix-reject 
>> Grouping of the postfix reject rules. 
>>
>> 
>> 
>> > Am Montag, 28. März 2016 14:44:51 UTC+2 schrieb dan (ddpbsd): 
>> >> 
>> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare 
>> >>  wrote: 
>> >> > Hi, 
>> >> > 
>> >> > i'm trying to write my first rules, by extending the existing postfix 
>> >> > rules. 
>> >> > 
>> >> > here's what i'm

Re: [ossec-list] Scaling OSSEC (presentation from OpenNSM project / scripts / rules)

2016-03-19 Thread Antonio Querubin

Nice work!

Sent from my iPad

> On Mar 18, 2016, at 03:36, Rodrigo Montoro(Sp0oKeR)  wrote:
> 
> Presentation here: https://www.youtube.com/watch?v=TllGa-POslQ
> 
> Nice content here  https://github.com/ncsa/ossec-tools
> Custom AR scripts
> 
> active-response/virustotal_lookup.sh/virus_total.py - Look up hash from 
> syscheck alerts in VT database
> active-response/cymru_lookup.sh - Look up hash from sysheck alerts in Team 
> Cymru Malware Hash Registery
> active-response/puppetdb_lookup.sh - Look up managed files in PuppetDB
> active-response/rpm_lookup.sh - Look up files that changed from RPM install 
> (must be present on agents)
> active-response/deb_lookup.sh - Lookup file that changes from DEB install 
> (must be present on agents)
> active-response/time_lookup.sh - Check if system clock is off or time zone 
> differs for analyzed logs
> active-response/command_search.sh - Search for malicious commands across logs
> active-response/cif.sh - Create intelligence feed from alerts
> active-response/bhr.sh - Block hosts at perimeter using Black Hole Router by 
> Justin Azoff
> active-response/add_to_cdb.sh - Add entries from alerts to system database 
> e.g. system users
> active-response/rule-all.sh - Run many of the above scripts
> active-response/syscheck-all.sh - Run many of the syscheck scripts
> And more rules and tips there.
> 
> Regards,
> -- 
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
> -- 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Antonio Querubin


On Fri, 26 Feb 2016, dan (ddp) wrote:


IIRC, there was some talk previously about adding a dns daemon that
could be queried from inside the chroot.
I can't remember exactly what I had found, but it related to libasr
(https://github.com/OpenSMTPD/libasr). Maybe a dnsd of some sort built
into opensmtpd?


Oh wait I get what you're saying.  Disregard my last :)


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Antonio Querubin


On Fri, 26 Feb 2016, dan (ddp) wrote:


IIRC, there was some talk previously about adding a dns daemon that
could be queried from inside the chroot.
I can't remember exactly what I had found, but it related to libasr
(https://github.com/OpenSMTPD/libasr). Maybe a dnsd of some sort built
into opensmtpd?


Not sure how that addresses the OP's problem.  If you accept that the 
server's IP address will change then you still need to find a way to both 
detect the change on the agent and then trigger some kind of 
restart/reload on same.


Unless you're willing to run the whole detection/restart show from a 
separate monitoring system.  This assumes the hosting provider provides 
some automated means for restarting systems that can be scripted.


Far simpler to use a secondary stable IP address for the server <-> agent 
communication.  The stable address does not need to be the NIC primary 
address nor public.



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] OSSEC IIS LOG being cutted after alert is created

2016-02-02 Thread Antonio Querubin


On Tue, 2 Feb 2016, Santiago Bassett wrote:


From src/headers/defs.h, here are some interesting constants

#define OS_MAXSTR   OS_SIZE_6144/* Size for logs, sockets, etc  */

#define OS_BUFFER_SIZE  OS_SIZE_2048/* Size of general buffers  */

#define OS_FLSIZE   OS_SIZE_256 /* Maximum file size*/

#define OS_HEADER_SIZE  OS_SIZE_128 /* Maximum header size  */

#define OS_LOG_HEADER   OS_SIZE_256 /* Maximum log header size  */

#define IPSIZE  16  /* IP Address size  */


Might want to update your source with the master branch.  IPSIZE was 
updated to agree with the current socket API RFC-3493.



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Very high load on stop ossec on Centos

2016-01-22 Thread Antonio Querubin


On Fri, 22 Jan 2016, Giorgio Biondi wrote:


I have some linuxbox running with Centos but only box ha this strange
behaviur..
All work fine but if I stop the service load on this linuxbox go to
impossible value.. today have reached 700 (is true.. 700)
After some minutes load goes down to normal value.. 0,40
If I get processlist I see many 'firewall-drop.sh'..
Other bad thing is.. I see many (today about 11000) file in /var/ossec like
this:

-rw---  1 root  ossec0 22 gen 09:50 ossec-hosts.8zU2h1Ie1K
-rw---  1 root  ossec0 22 gen 09:51 ossec-hosts.XUtatiQkNR


It's a known problem with the current release running on exposed busy 
servers, but it's mitigated in the current master branch.  You'll need to 
remove the stale ossec-hosts.xx files manually.  See the following 
for more info:


https://github.com/ossec/ossec-hids/issues/609
https://github.com/ossec/ossec-hids/pull/618
https://github.com/ossec/ossec-hids/pull/624


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] SELinux context for ossec.log to allow log rotation

2015-12-03 Thread Antonio Querubin


On Wed, 2 Dec 2015, Santiago Bassett wrote:


I'll actually add this to the Debian/Ubuntu packages as well. What is weird
is that I don't see any logrotate configuration file added when using
install.sh script. Wouldn't it make sense to add it there as well?


I've only seen the logrotate script in RPMs.  It's currently not in the 
master branch but probably should be added, and as you say, also 
integrated into install.sh.  On top of that, if SELINUX is enabled, either 
a policy would need to be added (say logrotate-ossec to keep it separate 
from any existing logrotate policy which by the way exists in RHEL 7 but 
not in RHEL 6 derivatives), or add a chcon to the startup scripts.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] SELinux context for ossec.log to allow log rotation

2015-12-01 Thread Antonio Querubin


On Tue, 1 Dec 2015, Santiago Bassett wrote:


OSSEC log files are rotated by ossec-monitord process every day at
midnight. I don't think you would need to use logrotate for this. Did you
check ossec-monitord process is running?


Monitord only touches the alerts, archives, and firewall logs.  The 
active-responses.log and ossec.log are handled by a logrotate job (which 
is found in the RPM packages).  If selinux is enabled, the context of the 
/var/ossec/logs directory would need to be changed for logrotate to 
operate on those files (or a targeted selinux policy created).  This info 
should be captured somewhere in the documentation or integrated into the 
install scripts.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] ossec-authd client authentication

2015-09-19 Thread Antonio Querubin


On Fri, 18 Sep 2015, dan (ddp) wrote:


Unfortunately I don't know. We want to push a new release, but finding
the personal time to do so has been quite difficult. It's an
unavoidable part of volunteer-only projects, and something we will
definitely try to remedy in the future (more automation, better
testing, etc.).
The current development code is pretty close (if not spot on) to what
will be released though. I do recommend that everyone download it and
give it a spin. More testing might help us get it out.


There is no mention of 2.9 alpha/beta/RC/whatever on the ossec.net website 
in any of the obvious places.  Ie. Chances are few people other than 
developers who follow the github site know about it.  If you want to 
encourage everyone to download and test it, then a note added to the News 
and/or Download menus on the ossec website might be in order.



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: Bug

2015-08-14 Thread Antonio Querubin


On Fri, 14 Aug 2015, Winn Johnston wrote:


You can also see via netstat the IP it is trying to use is definitely not
valid

root# netstat -lntp udp | grep 1514
udp4   0  0  10.20.80.89.51990  255.255.255.255.1514


Independent of ossec, does the server hostname actually resolve to an IP 
address?



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: ossec-wui search broken?

2015-07-10 Thread Antonio Querubin


On Fri, 10 Jul 2015, theresa mic-snare wrote:


i've just found this in my httpd_error log


PHP Warning:  date(): It is not safe to rely on the system's timezone
settings. You are *required* to use the date.timezone setting or the
date_default_timezone_set() function. In case you used any of those methods


You should set this in your /etc/php.ini file so that all your PHP apps 
(not just ossec-wui) know what timezone to use.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Upgrade from 2.8 to 2.8.2

2015-06-23 Thread Antonio Querubin


On Tue, 23 Jun 2015, secucatc...@free.fr wrote:


thanks for your answer
i don't use host-deny bur only AR, and i was talking about:
CVE-2015-3222
http://www.ossec.net/?p=1198

i read This issue does not affect agents and for me it was not clear 
if you can go for root escalation via sys check only on the server or if 
you don't need to upgrade the agent.


That doesn't seem right.  syscheck and corresponding diffs are run by 
agents so they're directly affected.



http://osdir.com/ml/opensource-software-security/2015-06/msg00089.html

1. A vulnerable version is in use.
2. The OSSEC agent is configured to use syscheck to monitor the file
system for changes.



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] force ossec-authd to use 0.0.0.0/0 and not any when using without the -i flag?

2015-05-29 Thread Antonio Querubin


On Fri, 29 May 2015, Braden Heil wrote:


I've tried looking for the source, to see if I could do just that.  I'll
keep looking, if it wouldn't take you more than 10 seconds to grab me a
link / point me in the right direction, would you mind helping me with that?

We are using AlienVault at work, when using any I'm not getting trend
charts, current IP addresses, file change reports come in as 0.0.0.0... few
other things.  I manually set some up with 0.0.0.0/0 and everything works
fine.


The IPv6 branch just changes 'any' to '::/0' internally, which actually 
has the same meaning to the various socket API functions.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] ossec-hosts files

2015-05-26 Thread Antonio Querubin


On Tue, 26 May 2015, fi...@vivaldi.net wrote:

I just looked in the root of my OSSEC installation on Ubuntu and noticed 
dozens of files with names like ossec-hosts.CMvJNMB8af.


What could those be and what's the effect, if any, of deleting them?


Those are temporary files created by the host-deny.sh script when it 
flushes an address from /etc/hosts.deny.  The temporary file is removed 
upon normal completion of the script.  When you stop (or restart) ossec do 
you notice your system load skyrocketing for minutes at a time long after 
the stop?  Do you have many addresses listed in /etc/hosts.deny?


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Blank /etc/hosts.deny

2015-05-10 Thread Antonio Querubin


On Sun, 10 May 2015, fi...@vivaldi.net wrote:


This was a clean install of 2.8.1 on a fresh Debian 8 server.


Actually you're right - a clean agent install of 2.8.1 would still have 
the problem with the spaces around the '=' in host-deny.sh since 2.8.1 
actually introduced that problem.


And if I'm reading the commit log correctly, the patch to adduser.sh did 
actually make it into 2.9-beta4.  Sorry for the confusion.



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Blank /etc/hosts.deny

2015-05-10 Thread Antonio Querubin


On Sun, 10 May 2015, Doug Burks wrote:


Please see the comments here:

http://www.ossec.net/?p=1135


Unfortunately, adduser.sh was also broken in 2.8.1 on certain systems 
resulting in various files not being updated as expected on an agent when 
install.sh is run.  Ie. if you installed 2.8.1 over a previous version, 
your agent may still be using the older binaries and scripts.


Unfortunately, the patch for adduser.sh didn't make it to the stable 
branch in time for the pending 2.9 release.


Two workarounds are to do a clean agent install to ensure your 
host-deny.sh is the most recent or just install host-deny.sh manually from 
the source.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] load problem when stopping ossec

2015-05-08 Thread Antonio Querubin


On Thu, 7 May 2015, Antonio Querubin wrote:

The ossec shutdown also leaves numerous ossec-hosts. temp files in 
/var/ossec.


Uh, ignore that piece - self-inflicted wound... :)


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: Ubuntu 14.10 black screen after installing ossec-wui

2015-04-30 Thread Antonio Querubin


On Thu, 30 Apr 2015, Pedro Pereira wrote:


webserver: apache
directory: pressed enter (it was the default /var/ossec)


It's not really the default - it's just an example.  And of course 
many people (including me) miss that distinction and just press enter. 
And /tmp is clobbered.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Re: Ubuntu 14.10 black screen after installing ossec-wui

2015-04-29 Thread Antonio Querubin


On Wed, 29 Apr 2015, Pedro Pereira wrote:


Yup, it did mess up the user accounts... i commented the htpasswd section
of the script but it still created 3 new accounts, dunno why. The
workaround the logon loop is to restore the /tmp permissions ownership, you
where right. Somehow, the ossec-wui script changes the permissions in the
/tmp/ folder of ubuntu, not the /var/ossec/tmp permission or even the
/var/www/ossec-wui/tmp. I thinks there's a bug in the script, permission
changing wise. I followed this :
http://ubuntuforums.org/showthread.php?t=2050685
For now, it seems to work. But i still cannot comprehend why did it create
the accounts ossec, ossecr and ossecm...Can you guys check out the script
and give me a hand?


The ossec-hids install.sh adds those users.  That's normal.

The problem is with the ossec-wui setup.sh clobbering the /tmp 
permissions.  It needs some fixing...


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Ossec server not listening on IPv6

2015-03-13 Thread Antonio Querubin


On Fri, 13 Mar 2015, Jeremy Rossi wrote:


https://github.com/ossec/ossec-hids/pull/422

This has not been pulled into ossec.  But I think he keeps it up to date 
over at https://bitbucket.org/aquerubin/ossec-hids/wiki/Home


This has not been pulled into ossec but should be I think.


This leaves me somewhat speechless and appalled.  I have been patiently 
waiting over a year.  Of all the OSS projects I've participated in, the 
dwell time for OSSEC surpasses all others by at least an order of 
magnitude.  Contrast that with other pull requests over the past year 
which were merged quickly (and promptly broke agent-server communication 
not once but several times).  Many pull requests in general have increased 
the complexity and code size of OSSEC while the IPv6 bits actually 
decrease the code size and simplify it.


As worldwide IPv6 deployment continues to accelerate rapidly, the lack of 
fully functioning IPv6 capability in OSSEC presents a major operational 
security blind spot that needs to be addressed sooner rather than later. 
I strongly urge the developer team to give this higher priority.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] anyone interested in OSSEC RPMs?

2015-03-03 Thread Antonio Querubin


On Tue, 3 Mar 2015, autodidactic wrote:


Also, is this something that the broader ossec user community would find
useful? Or, are most content with the Atomicorp RPMs? I'm wondering if the
RPM packaging I'm doing would be worth while to contribute back to the
project or no one cares?


How about making the SPEC file(s) (or SRPM(s)) available in a public 
repository?


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

RE: [ossec-list] Cant Get it Working

2014-11-21 Thread Antonio Querubin


On Fri, 21 Nov 2014, Colin Bruce wrote:

What I wonder is can it be built on one server and run on another. 
Obviously the agent can but what about the server?


Needs to be built for the same OS.  A 32-bit binary will run on a 64-bit 
machine but not the reverse.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

RE: [ossec-list] Cant Get it Working

2014-11-21 Thread Antonio Querubin


On Fri, 21 Nov 2014, Colin Bruce wrote:

Yes they are the same OS and same word size. They are actually both 
built from a standard image we use.


Should be ok then.

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

Re: [ossec-list] Building the Windows Agent

2014-10-24 Thread Antonio Querubin


On Fri, 24 Oct 2014, Colin Bruce wrote:


4.   Shared.h contains a line which reads #include ws2tcpip.h
   which causes several errors when building with version 4.8.1 of
   MinGW. Commenting out the line allows compilation to complete
   although I am not sure if the result is actually correct.


Is it a problem with compiling or with linking?

In make.bat and make.sh you'll need to add '-lws2_32' after '-lwsock32'

--
Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC file integrity tool questions

2014-10-18 Thread Antonio Querubin


On Thu, 16 Oct 2014, Michael Starks wrote:


On 10/16/2014 06:38 AM, jason polachak wrote:



OSSEC supports SHA1 which is listed as approved, but I would expect that
it would be deprecated in the standard soon. I'm not aware of anyone
making efforts to update the hash standard in OSSEC.


SHA1 was deprecated in 2011 and disallowed after 2013 for signature 
generation.  For legacy signature verification and other non-signature 
hash applications it's still acceptable.


Ref:  NIST Special Pub 800-131A Table 9.

--
Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] 1403 Incorrectly formated message - ip address issue

2014-10-14 Thread Antonio Querubin


On Tue, 14 Oct 2014, invi...@gmail.com wrote:


I have just had an issue with agent on Windows XP system.
For some reason we inherited our LAN configured with public IP. All was ok
till now and is ok so far, I think.
Server ip ends 0.4, client ip ends 0.40
I was trying to add/remove client, re-enter client key and etc did not
help. only after I changed IP address to something other i.e. 0.94 only
then it worked.
Looks like there was an issue with this particular IP address ending 0.40
other clients works fine.


Maybe a regex issue.  Have you tried using the hostname instead of 
the address?


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] 1403 Incorrectly formated message - ip address issue

2014-10-14 Thread Antonio Querubin

What am I thinking?  Ignore previous. :)

On Tue, 14 Oct 2014, Antonio Querubin wrote:

Date: Tue, 14 Oct 2014 07:55:58 -1000 (HST)
From: Antonio Querubin t...@lavanauts.org
Reply-To: ossec-list@googlegroups.com
To: invi...@gmail.com
Cc: ossec-list@googlegroups.com
Subject: Re: [ossec-list] 1403 Incorrectly formated message - ip address issue

On Tue, 14 Oct 2014, invi...@gmail.com wrote:

I have just had an issue with agent on Windows XP system.
For some reason we inherited our LAN configured with public IP. All was ok
till now and is ok so far, I think.
Server ip ends 0.4, client ip ends 0.40
I was trying to add/remove client, re-enter client key and etc did not
help. only after I changed IP address to something other i.e. 0.94 only
then it worked.
Looks like there was an issue with this particular IP address ending 0.40
other clients works fine.

Maybe a regex issue.  Have you tried using the hostname instead of the 
address?

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to ossec-list+unsubscr...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Antonio Querubin


On Sun, 12 Oct 2014, David Masters wrote:


Ok...here is the log file from a freshly installed agent (shutdown ossec
server, removed all rid files, no rid files on agent system, manually
entererd key and server address):



This is the log file from same machine after pushing out key
file/ossec.conf file and deleting rid files (no change to any other part of
the machine or configuration):



Verified all information in both files was exactly the same as before and
files in rids directory were deleted before service was restarted.



Any ideas?


Did you remove the corresponding rids file on the server?

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Issue triggering Active Response on Windows 2012

2014-09-24 Thread Antonio Querubin


On Tue, 23 Sep 2014, Eric Johnfelt wrote:


- The regular expression for validating IP's is wrong. Findstr's RegExp
facility is well... just terrible, so [0-9]*\.[0-9]*\.[0-9]*\.[0-9]* is the
best you can do, but its not 100% correct for validating IP addresses
either, but it works for the complete subset of valid addresses.


I ended up just tossing the regex since it's useless for IPv6 addresses. 
I wish Windows had a built-in shell util for validating any IP address.



- The method used to choose the null-route is a bit flawed. It doesn't take
into account any combination of multiple IP's or network interfaces; which
is common for people using any kind of virtualization (Virtual Box, VMware,
Virtual PC) or servers with multiple IPs or NICS. Technically, it will
still work, it is just... not fundamentally correct and your mileage may
vary.



Lastly, testing the active-response does not seem to work... at least for
me... I'm still working on that... however I can say the following for
certain. First, when I issue a test, I see the packet received via
wireshark, the agent just doesn't seem to respond. However, when a real
active-response comes in from the manager, the route-null.cmd script 
executed; with the fixes mentioned above, the script does work.


I wonder if this is something specific to Windows 2012 as I've got it 
working for windows 7.  I haven't gotten around to testing with 2012 
yet.



I see a few people have replaced the script completely, I am considering
that myself using a powershell or VBScript (both of which have a *much*
better regex facility for validating strings (and IP addresses)) as well as
giving me APIs (particularly WMI) to determine the best IP to null route on
from the available interfaces and local addresses, or just use the internal
firewall to block via NETSH or the ActiveX control for the firewall
facility.


Rather than trying to choose the interface IP I found it simpler to just 
set the gateway to either 0.0.0.0 or :: whichever applies.



Anyhow, the point is, you can fix the bundled script or replace it;
replacing will give you access to better AND more functionality, IMHO.
Either way fixed or replaced, when it works... its a beautiful thing.


Indeed.

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] decoder rules for Barracuda logs

2014-05-27 Thread Antonio Querubin


On Tue, 27 May 2014, Michael Starks wrote:


On 2014-05-26 18:03, Antonio Querubin wrote:

Wondering if anyone has some decoder rules that work with Barracuda
logs. I recently enabled syslogging of a Barracuda Spam/Virus Email
Firewall device to an OSSEC server.  The server is now sending alert
level 2 email notifications complaining of an 'unknown' problem for
email that fails the Barracuda's spam/virtus detection tests:


I have one. Seems to work OK. I was waiting to write some rules and do some 
QA before I submitted it. Let me know how it works for you:


Thanks - this saves me quite a bit of time.  They appear to be 
IPv4-centric but I'll update them and see how that goes.



!-- Barracuda SVF Email Logs --



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: [ossec-dev] Announcement - OSSEC Moving to Github

2014-01-29 Thread Antonio Querubin


On Tue, 28 Jan 2014, Jeremy Rossi wrote:


## Announcement - OSSEC Moving to Github


Can we assume this also applies to ossec-wui?



## 3) Port Open Pull Requests ##



Contact pull request author to request they move to github and resubmit
using github.  If no response is received preform the following:


Based on the recent github activity, it already looks like you're 
proceeding with converting the open bitbucket pull requests to github 
anyway.  Should we just wait for the dust to settle before attempting our 
own conversion?


I've got open bitbucket pull requests for both the hids and wui:

https://bitbucket.org/jbcheng/ossec-hids/pull-request/39/ipv6-patches

https://bitbucket.org/jbcheng/ossec-wui/pull-request/1/enable-ipv6-agents-fix-null-mod-list-add


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [ossec-list] Re: Time wrong on webui beta 8

2014-01-09 Thread Antonio Querubin


On Thu, 9 Jan 2014, Carl Hilinski wrote:


FIXED.

/etc/php.ini has a date.timezone line entry. It was commented out. Changed
it to
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = US/Eastern

It now reports the time correctly.


And that too!  :)

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [ossec-list] Re: Time wrong on webui beta 8

2014-01-09 Thread Antonio Querubin


On Thu, 9 Jan 2014, dan (ddp) wrote:


I just checked on my system, and I'm seeing the same behavior. Perhaps
the wui converts everything to UTC?


I don't see that problem here with wui.  Might want to check that all of 
the following make sense on both agents and manager:


hwclock
/etc/localtime
/etc/timezone

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com

--

--- 
You received this message because you are subscribed to the Google Groups ossec-list group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

46 matches

Mail list logo