[ossec-list] Microsoft Azure Multi-Factor Decode and Rules.

2014-12-05 Thread Brent Morris
Not exactly sure if this is the right place to post this, but it took me 
some time to get working decodes for Microsoft's Azure Multi-Factor 
Authentication (PhoneFactor.net).

It's pretty cool multifactor authentication for on-prem RDP Gateway and OWA 
using your phone as the second factor.

This was my first attempt to create my own decodes for an app that wasn't 
supported by OSSEC.  OSSEC is so cool that I wanted to share these with 
others in case there might be one or two of you out there that could 
benefit.  We're not using the APP or voice calls, but it shouldn't be too 
hard with the info below to set up the rest of the options for those.

You could have the agent monitor the log files, or set up syslog inside the 
PhoneFactor app.  I opted for syslog messages. 

And let me know if I'm posting in the wrong place, have an error in my 
decodes, or anything else helpful.

Thanks!

---



add the following to local_decoder.xml

<!-- PLACEHOLDER name: the child decoder's name attribute was stripped from the archived post -->
<decoder name="pfsvc-auth-sms">
  <parent>pfsvc-auth</parent>
  <regex>Pfauth \w+ for user '(\S+)'.  Call status: (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.".</regex>
  <order>srcuser, status</order>
</decoder>

then add the following to local_rules.xml (tailor to your specific needs).

<!-- PLACEHOLDER group name: stripped from the archived post -->
<group name="pfsvc-auth,">
  <!-- level attribute stripped from the archived post; 0 assumed for a grouping rule -->
  <rule id="100140" level="0">
    <decoded_as>pfsvc-auth</decoded_as>
    <description>Phone Factor Authentication app group.</description>
  </rule>

  <!-- PLACEHOLDER id and level: stripped from the archived post; pick values that suit you -->
  <rule id="100141" level="5">
    <if_sid>100140</if_sid>
    <match>FAILED_SMS_OTP_INCORRECT</match>
    <description>User Failed SMS Challenge/Response</description>
  </rule>
</group>

--end local_rules.xml

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Microsoft Azure Multi-Factor Decode and Rules.

2014-12-05 Thread Brent Morris
Wish I could edit that last post!  

I forgot a few lines.  The complete local_decoder.xml is below.

add the following to local_decoder.xml

<decoder name="pfsvc-auth">
  <program_name>^pfsvc</program_name>
</decoder>

<!-- PLACEHOLDER name: the child decoder's name attribute was stripped from the archived post -->
<decoder name="pfsvc-auth-sms">
  <parent>pfsvc-auth</parent>
  <regex>Pfauth \w+ for user '(\S+)'.  Call status: (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.".</regex>
  <order>srcuser, status</order>
</decoder>



On Friday, December 5, 2014 11:51:18 AM UTC-8, Brent Morris wrote:

> Not exactly sure if this is the right place to post this, but it took me 
> some time to get working decodes for Microsoft's Azure Multi-Factor 
> Authentication (PhoneFactor.net).
>
> It's pretty cool multifactor authentication for on-prem RDP Gateway and 
> OWA using your phone as the second factor.
>
> This was my first attempt to create my own decodes for an app that wasn't 
> supported by OSSEC.  OSSEC is so cool that I wanted to share these with 
> others incase there might be one or two of you out there that could 
> benefit.  We're not using the APP or voice calls, but it shouldn't be to 
> hard with the info below to setup the rest of the options for those.
>
> You could have the agent monitor the log files, or setup syslog inside the 
> PhoneFactor app.  I opted for syslog messages. 
>
> And let me know if I'm posting in the wrong place, have an error in my 
> decodes, or anything else helpful.
>
> Thanks!
>
> ---
>
>
>
> add the following to local_decoder.xml
>
>   
>pfsvc-auth
>   Pfauth \w+ for user '(\S+)'.  Call status: 
> (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.".
>   srcuser, status
>   
>
> then add the following to local_rules.xml (tailor to your specific needs).
>
> 
>   
>   pfsvc-auth
>   Phone Factor Authentication app group.
>   
> 
>   100140
>   FAILED_SMS_OTP_INCORRECT
>   User Failed SMS Challenge/Response
>   
> 
>
> --end local_rules.xml
>



Re: [ossec-list] Re: Microsoft Azure Multi-Factor Decode and Rules.

2014-12-08 Thread Brent Morris
I can.

Are you interested in just the important bits as they relate to the decodes 
(authentication success/failure), or did you want to see the entire log 
file?  It's a fairly verbose application, so with the logging level that I 
set up on it, it only reports application errors, administrator 
functions, and authentications (so far anyway).  In our case, we're using 
SMS text message only at the moment.  

I tested the voice call and the local_rules would need to be updated for 
failures on that.  Looks like it follows a similar format.

Sanitized logs below from syslog:

2014 Dec 08 13:04:05 pfserver->1.2.3.4 Dec  8 13:04:05 pfserver pfsvc: Pfauth succeeded for user 'DOMAIN\username'.  Call status: SUCCESS_SMS_AUTHENTICATED - "SMS Authenticated".
2014 Dec 08 13:04:43 pfserver->1.2.3.4 Dec  8 13:04:43 pfserver pfsvc: Pfauth succeeded for user 'DOMAIN\username'.  Call status: SUCCESS_SMS_AUTHENTICATED - "SMS Authenticated".
2014 Dec 08 13:06:32 pfserver->1.2.3.4 Dec  8 13:06:32 pfserver pfsvc: Pfauth failed for user 'DOMAIN\username'.  Call status: FAILED_SMS_OTP_INCORRECT - "SMS OTP Incorrect".
2014 Dec 08 13:33:23 pfserver->1.2.3.4 Dec  8 13:33:23 pfserver pfsvc: User "DOMAIN\domainadmin" changed user "DOMAIN\username" value mode3 from 3 to 2.
2014 Dec 08 13:33:50 pfserver->1.2.3.4 Dec  8 13:33:50 pfserver pfsvc: Pfauth succeeded for user 'DOMAIN\username'.  Call status: SUCCESS_NO_PIN - "Only # Entered".
2014 Dec 08 13:35:23 pfserver->1.2.3.4 Dec  8 13:35:23 pfserver pfsvc: Pfauth failed for user 'DOMAIN\username'.  Call status: SUCCESS_NO_PIN_BUT_TIMEOUT - "No Phone Input - Timed Out".


On Monday, December 8, 2014 5:03:57 AM UTC-8, dan (ddpbsd) wrote:

> On Fri, Dec 5, 2014 at 3:19 PM, Brent Morris  > wrote: 
> > Wish I could edit that last post! 
> > 
> > I forgot a few lines   complete local_decoder.xml below. 
> > 
> > add the following to local_decoder.xml 
> > 
> > 
> >
> > ^pfsvc 
> >
> > 
> >
> >pfsvc-auth 
> >   Pfauth \w+ for user '(\S+)'.  Call 
> status: 
> > (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.". 
> >   srcuser, status 
> >
> > 
>
> Awesome stuff! Can you provide some log samples? 
>
> > 
> > 
> > On Friday, December 5, 2014 11:51:18 AM UTC-8, Brent Morris wrote: 
> >> 
> >> Not exactly sure if this is the right place to post this, but it took 
> me 
> >> some time to get working decodes for Microsoft's Azure Multi-Factor 
> >> Authentication (PhoneFactor.net). 
> >> 
> >> It's pretty cool multifactor authentication for on-prem RDP Gateway and 
> >> OWA using your phone as the second factor. 
> >> 
> >> This was my first attempt to create my own decodes for an app that 
> wasn't 
> >> supported by OSSEC.  OSSEC is so cool that I wanted to share these with 
> >> others incase there might be one or two of you out there that could 
> benefit. 
> >> We're not using the APP or voice calls, but it shouldn't be to hard 
> with the 
> >> info below to setup the rest of the options for those. 
> >> 
> >> You could have the agent monitor the log files, or setup syslog inside 
> the 
> >> PhoneFactor app.  I opted for syslog messages. 
> >> 
> >> And let me know if I'm posting in the wrong place, have an error in my 
> >> decodes, or anything else helpful. 
> >> 
> >> Thanks! 
> >> 
> >> --- 
> >> 
> >> 
> >> 
> >> add the following to local_decoder.xml 
> >> 
> >>
> >>pfsvc-auth 
> >>   Pfauth \w+ for user '(\S+)'.  Call 
> status: 
> >> (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.". 
> >>   srcuser, status 
> >>
> >> 
> >> then add the following to local_rules.xml (tailor to your specific 
> needs). 
> >> 
> >>  
> >>
> >>   pfsvc-auth 
> >>   Phone Factor Authentication app group. 
> >>
> >>  
> >>   100140 
> >>   FAILED_SMS_OTP_INCORRECT 
> >>   User Failed SMS Challenge/Response 
> >>
> >>  
> >> 
> >> --end local_rules.xml 
> > 
>

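The posted decoder and rules, re-implemented as an added example (not code from the thread or from OSSEC itself) and run over syslog lines shaped like the sanitised samples above. It translates OSSEC's regex dialect to Python's only approximately, and the failure rule's id 100141 and level 5 are assumptions, since those attributes did not survive the archive.

```python
import re

# Constructed inputs shaped like the sanitised syslog samples in the thread;
# hostnames, users and the sshd line are placeholders.
SAMPLE_SYSLOG = [
    "Dec  8 13:04:05 pfserver pfsvc: Pfauth succeeded for user 'DOMAIN\\username'."
    "  Call status: SUCCESS_SMS_AUTHENTICATED - \"SMS Authenticated\".",
    "Dec  8 13:06:32 pfserver pfsvc: Pfauth failed for user 'DOMAIN\\username'."
    "  Call status: FAILED_SMS_OTP_INCORRECT - \"SMS OTP Incorrect\".",
    "Dec  8 13:33:23 pfserver pfsvc: User \"DOMAIN\\domainadmin\" changed user"
    " \"DOMAIN\\username\" value mode3 from 3 to 2.",
    "Dec  8 13:40:00 pfserver sshd[4242]: Accepted publickey for ops from 10.0.0.5",
]

# OSSEC's regex dialect is not PCRE: \w covers letters, digits, '@', '-' and '_',
# and '|' is a top-level OR. This translation is an approximation (assumption)
# that is good enough for the posted pattern; it is not OSSEC's engine.
OSSEC_WORD = r"[A-Za-z0-9@_-]"


def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "w":
                out.append(OSSEC_WORD)
            elif nxt in "sSdD":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))   # \. and similar literal escapes
            i += 2
        else:
            out.append(c if c in "()|+*?^$." else re.escape(c))
            i += 1
    return "".join(out)


# The decoder as posted: the parent matches on program name, the child extracts fields.
PARENT_NAME = "pfsvc-auth"
PROGRAM_NAME = re.compile(ossec_to_python("^pfsvc"))
CHILD_REGEX = re.compile(ossec_to_python(
    r'''Pfauth \w+ for user '(\S+)'.  Call status: (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.".'''))
ORDER = ("srcuser", "status")

# Minimal syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")


def decode(line):
    """Return the decoded event (decoder name plus extracted fields) or None."""
    m = SYSLOG.match(line)
    if not m or not PROGRAM_NAME.search(m["prog"]):
        return None                      # not a pfsvc message: no decoder matched
    event = {"decoder": PARENT_NAME, "log": m["log"]}
    cm = CHILD_REGEX.search(m["log"])
    if cm:                               # child regex hit: fill srcuser/status
        event.update((k, v) for k, v in zip(ORDER, cm.groups()) if v is not None)
    return event


# Rules as posted. The failure rule's id and level were stripped from the
# archived post, so 100141 / level 5 here are assumptions.
RULES = [
    {"id": 100140, "level": 0, "decoded_as": PARENT_NAME,
     "description": "Phone Factor Authentication app group."},
    {"id": 100141, "level": 5, "if_sid": 100140, "match": "FAILED_SMS_OTP_INCORRECT",
     "description": "User Failed SMS Challenge/Response"},
]


def evaluate(event):
    """Walk the rule tree the way OSSEC does: the deepest matching rule wins."""
    fired, matched = None, set()
    for rule in RULES:
        if rule.get("decoded_as") and event["decoder"] != rule["decoded_as"]:
            continue
        if "if_sid" in rule and rule["if_sid"] not in matched:
            continue
        if "match" in rule and rule["match"] not in event["log"]:
            continue
        matched.add(rule["id"])
        fired = rule
    return fired


def analyze(line):
    """Decode one syslog line and return (event, rule id, level), or None if undecoded."""
    event = decode(line)
    if event is None:
        return None
    rule = evaluate(event)
    return event, rule["id"], rule["level"]


if __name__ == "__main__":
    for sample in SAMPLE_SYSLOG:
        print(analyze(sample))
```

The admin "changed user" line is decoded by the parent only (program name), so it lands in the level-0 group rule without srcuser/status, which is what you would see in ossec-logtest too.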


[ossec-list] Re: Monitoring ASA - Agentless

2014-12-08 Thread Brent Morris
I think dan mentioned it all - but basically... 

Run the register_host.sh and plug in your username@host password 
enablepassword

Step 1 e.g.  ./register_host.sh ciscouser@1.2.3.4 password enablepassword

Steps 2 and 3 in your list are incorrect.  Delete those...

Edit the ossec.conf and add/edit the agentless section

e.g.

<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>36000</frequency>
  <host>ciscouser@1.2.3.4</host>
  <state>periodic_diff</state>
</agentless>

Then restart ossec.

/var/ossec/bin/ossec-control restart

Someone also mentioned syslog to capture all the setup and teardowns... 
along with other useful information.  I highly recommend configuring that 
as well!!!

Good luck!  Let us know how you are doing!!


On Monday, December 8, 2014 8:55:30 AM UTC-8, Semperfi wrote:

> Hello;
>
> I would like to monitor our ASA 5510.  Is there any documentation or 
> tutorial on monitoring an ASA ?
>
> I have found limited information  and my understanding.
>
>   
>
> 1)I have to edit the register_host.sh,  add the host.:  if 
> so,  Where?
>
> 2)edit ssh_asa-fwsmconfig_diff, with the password:  is this 
> the SNMP pwd ?
>
> 3)Run ssh_asa-fwsmconfig_diff within  \ossec
>
>  
>
> Is this basically all there is to be done?
>
>  
>
> Thank you for your help
>
>  
>




Re: [ossec-list] MS Windows server DHCP logs

2014-12-10 Thread Brent Morris
I believe this is Windows Server 2012 R2.

The header for that CDF is...

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.

HTH!

On Wednesday, December 10, 2014 4:35:45 AM UTC-8, dan (ddpbsd) wrote:

> On Wed, Dec 10, 2014 at 5:06 AM, Martynas Buožis  > wrote: 
> > Hello 
> > 
> > But I am using OSSEC agent that downloaded from OSSEC. And configured it 
> to send dhcp logs, so my assumption was that this shall somehow stick 
> together on OSSEC server ? Or maybe there is a mistake in configuration for 
> DHCP logs and different format shall be selected ? 
> > 
>
> Logs stored to archives.log have a header added to them. This header 
> is not present when the log message is decoded. The fact that the log 
> message has made it to the archives.log means that the manager is 
> receiving the log message. If you run the provided log message 
> (everything from "30," to the end), it should decode properly. Give it 
> a shot. 
> If it turns out like it did for me when I did this, it'll trigger a 
> rule. The rule is level 0 though, so no real alert. You'd have to add 
> an alert for this. 
>
> > Now I have in ossec.conf for agent : 
> > 
> >  
> >   C:\Windows\sysnative\dhcp\DhcpSrvLog-%a.log 
> > syslog  
> > 
> > If I do not want change decoder.xml and have permanent solution not 
> affected by updates - what could be a proposal ? Copy chapter for ms-dhcp 
> from decoder.xml to local_decoder.xml, rename it in some way and add right 
> prematch ?  Current is : 
> > 
>
> I don't know what problem you are trying to solve here, so I cannot 
> provide any help. 
>
> >  
> >   ^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,| 
> >   ^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+, 
> >   
> ^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\.+),(\d+.\d+.\d+.\d+) 
> >   id,extra_data,srcip 
> >  
> > 
> > Many thanks, 
> > Martynas 
> > 
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> > Sent: Tuesday, December 9, 2014 5:49 PM 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] MS Windows server DHCP logs 
> > 
> > On Tue, Dec 9, 2014 at 10:19 AM, Martynas Buožis  > wrote: 
> >> Hello 
> >> 
> >> Yes, message is from archives.log as it was sent by ossec-agent from 
> server. But I never got it parsed into alerts.log. 
> >> 
> >> If I will change decoder.xml - will it be overwritten with a next 
> update ? 
> > 
> > Yes. 
> > 
> >> 
> >> I was expecting that  standard logs as sent by OSSEC agent should be 
> handled by default OSSEC server definitions  
> >> 
> > 
> > According to my tests it is. It is decoded by ms-dhcp-ipv4, and triggers 
> rule 6300 (Grouping for the MS-DHCP rules). 
> > Try running the log message through ossec-logtest without the header 
> that OSSEC adds. 
> > 
> >> Many thanks for an advice, 
> >> Martynas 
> >> 
> >> 
> >>> On 09 Dec 2014, at 14:53, dan (ddp) > 
> wrote: 
> >>> 
>  On Tue, Dec 9, 2014 at 7:44 AM, dan (ddp)  > wrote: 
> > On Tue, Dec 9, 2014 at 6:59 AM, Martynas Buožis  > wrote: 
> > Hello 
> > 
> > I have following in my ossec.conf file on Windows server : 
> > 
> >  
> > 
>  C:\Windows\sysnative\dhcp\DhcpSrvLog-%a.log 
> >  syslog  
> > 
> > Messages are coming as enabled in full log (command : logs/archives# 
> tail -f archives.log | grep dhcp) and look like : 
> > 
> > 2014 Dec 09 13:49:45 (PDC) 
> > 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> > 30,12/09/14,13:48:57,DNS Update 
> > Request,192.168.101.71,host.domain.local,,,0,6,0 
> > 
> > PDC is server name, 192.168.100.1 is server IP. 
> > 
> > But above message is not recognized by decoder and is not handled by 
> ms_dhcp_rules.xml. 
> > 
> > ossec-testrule: Type one log per line. 
> > 
> > 2014 Dec 09 13:49:45 (PDC) 
> > 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> > 30,12/09/14,13:48:57,DNS Update 
> > Request,192.168.101.71,host.domain.local,,,0,6,0 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >   full event: '2014 Dec 09 13:49:45 (PDC) 
> 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> 30,12/09/14,13:48:57,DNS Update 
> Request,192.168.101.71,host.domain.local,,,0,6,0' 
> >   hostname: 'ossec' 
> >   program_name: '(null)' 
> >   log: '2014 Dec 09 13:49:45 (PDC) 
> 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> 30,12/09/14,13:48:57,DNS Update 
> Request,192.168.101.71,host.domain.local,,,0,6,0' 
> > 
> > **Phase 2: Completed decoding. 
> >   No decoder matched 
> > 
> > 
> > How I can fix that so OSSEC will recognize above message for DHCP ? 
>  
>  What version of Windows is this? T

Re: [ossec-list] MS Windows server DHCP logs

2014-12-10 Thread Brent Morris
Testing the OP's logs, I get an expected response.  It should be noted that 
the log message needs to be truncated from archives.log prior to passing it 
to ossec-logtest.  Even with the additional available fields in Windows 
2012, the OSSEC decoder does recognize it as an MS DHCP log file.


**Phase 1: Completed pre-decoding.
   full event: '30,12/09/14,13:48:57,DNS Update Request,192.168.101.71,host.domain.local,,,0,6,0 '
   hostname: 'ossec'
   program_name: '(null)'
   log: '30,12/09/14,13:48:57,DNS Update Request,192.168.101.71,host.domain.local,,,0,6,0 '
**Phase 2: Completed decoding.
   decoder: 'ms-dhcp-ipv4'
**Phase 3: Completed filtering (rules).
   Rule id: '6300'
   Level: '0'
   Description: 'Grouping for the MS-DHCP rules.'


On Wednesday, December 10, 2014 4:35:45 AM UTC-8, dan (ddpbsd) wrote:

> On Wed, Dec 10, 2014 at 5:06 AM, Martynas Buožis  > wrote: 
> > Hello 
> > 
> > But I am using OSSEC agent that downloaded from OSSEC. And configured it 
> to send dhcp logs, so my assumption was that this shall somehow stick 
> together on OSSEC server ? Or maybe there is a mistake in configuration for 
> DHCP logs and different format shall be selected ? 
> > 
>
> Logs stored to archives.log have a header added to them. This header 
> is not present when the log message is decoded. The fact that the log 
> message has made it to the archives.log means that the manager is 
> receiving the log message. If you run the provided log message 
> (everything from "30," to the end), it should decode properly. Give it 
> a shot. 
> If it turns out like it did for me when I did this, it'll trigger a 
> rule. The rule is level 0 though, so no real alert. You'd have to add 
> an alert for this. 
>
> > Now I have in ossec.conf for agent : 
> > 
> >  
> >   C:\Windows\sysnative\dhcp\DhcpSrvLog-%a.log 
> > syslog  
> > 
> > If I do not want change decoder.xml and have permanent solution not 
> affected by updates - what could be a proposal ? Copy chapter for ms-dhcp 
> from decoder.xml to local_decoder.xml, rename it in some way and add right 
> prematch ?  Current is : 
> > 
>
> I don't know what problem you are trying to solve here, so I cannot 
> provide any help. 
>
> >  
> >   ^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,| 
> >   ^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+, 
> >   
> ^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\.+),(\d+.\d+.\d+.\d+) 
> >   id,extra_data,srcip 
> >  
> > 
> > Many thanks, 
> > Martynas 
> > 
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> > Sent: Tuesday, December 9, 2014 5:49 PM 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] MS Windows server DHCP logs 
> > 
> > On Tue, Dec 9, 2014 at 10:19 AM, Martynas Buožis  > wrote: 
> >> Hello 
> >> 
> >> Yes, message is from archives.log as it was sent by ossec-agent from 
> server. But I never got it parsed into alerts.log. 
> >> 
> >> If I will change decoder.xml - will it be overwritten with a next 
> update ? 
> > 
> > Yes. 
> > 
> >> 
> >> I was expecting that  standard logs as sent by OSSEC agent should be 
> handled by default OSSEC server definitions  
> >> 
> > 
> > According to my tests it is. It is decoded by ms-dhcp-ipv4, and triggers 
> rule 6300 (Grouping for the MS-DHCP rules). 
> > Try running the log message through ossec-logtest without the header 
> that OSSEC adds. 
> > 
> >> Many thanks for an advice, 
> >> Martynas 
> >> 
> >> 
> >>> On 09 Dec 2014, at 14:53, dan (ddp) > 
> wrote: 
> >>> 
>  On Tue, Dec 9, 2014 at 7:44 AM, dan (ddp)  > wrote: 
> > On Tue, Dec 9, 2014 at 6:59 AM, Martynas Buožis  > wrote: 
> > Hello 
> > 
> > I have following in my ossec.conf file on Windows server : 
> > 
> >  
> > 
>  C:\Windows\sysnative\dhcp\DhcpSrvLog-%a.log 
> >  syslog  
> > 
> > Messages are coming as enabled in full log (command : logs/archives# 
> tail -f archives.log | grep dhcp) and look like : 
> > 
> > 2014 Dec 09 13:49:45 (PDC) 
> > 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> > 30,12/09/14,13:48:57,DNS Update 
> > Request,192.168.101.71,host.domain.local,,,0,6,0 
> > 
> > PDC is server name, 192.168.100.1 is server IP. 
> > 
> > But above message is not recognized by decoder and is not handled by 
> ms_dhcp_rules.xml. 
> > 
> > ossec-testrule: Type one log per line. 
> > 
> > 2014 Dec 09 13:49:45 (PDC) 
> > 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> > 30,12/09/14,13:48:57,DNS Update 
> > Request,192.168.101.71,host.domain.local,,,0,6,0 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >   full event: '2014 Dec 09 13:49:45 (PDC) 
> 192.168.100.1->\Windows\sysnative\dhcp\DhcpSrvLog-Tue.log 
> 30,12/09/14,13:48:57,DNS Update 
> Request,192.168.101.71,host.domain.local,,,0,6,0' 
> >   h
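An added example (not from the thread or from OSSEC): it strips the archives.log header that dan describes, checks the ms-dhcp-ipv4 prematch quoted earlier, and maps the remaining CSV fields onto the 2012 R2 column list Brent posted. Inputs are the sanitised line from the thread plus a constructed 19-column row.

```python
import csv
import re

# The archived line as the original poster sanitised it.
ARCHIVED_LINE = (
    "2014 Dec 09 13:49:45 (PDC) 192.168.100.1->\\Windows\\sysnative\\dhcp\\DhcpSrvLog-Tue.log "
    "30,12/09/14,13:48:57,DNS Update Request,192.168.101.71,host.domain.local,,,0,6,0"
)

# Constructed 19-column row of the kind a 2012 R2 server writes (placeholder values).
FULL_ROW = ",".join(["10", "12/09/14", "13:50:01", "Assign", "192.168.101.80",
                     "laptop.domain.local", "001122334455", "", "1234", "0",
                     "", "", "", "", "", "", "", "", "0"])

# Column list for Windows Server 2012 R2 as given in the thread.
DHCP_COLUMNS = ("ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,"
                "TransactionID,QResult,Probationtime,CorrelationID,Dhcid,"
                "VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),"
                "RelayAgentInformation,DnsRegError").split(",")

# archives.log prefixes every event with "YYYY Mon DD HH:MM:SS (agent) ip->location ".
ARCHIVE_PREFIX = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \(\S+\) \S+->\S+ ")

# Python form of the ms-dhcp-ipv4 prematch quoted in the thread: a two-digit id,
# an m/d/yyyy or m/d/yy date, then a time.
PREMATCH = re.compile(r"^\d\d,\d+/\d+/(?:\d{4}|\d{2}),\d+:\d+:\d+,")


def strip_archive_header(line):
    """Remove the manager-added header so the line looks as the agent sent it."""
    return ARCHIVE_PREFIX.sub("", line, count=1)


def would_prematch(line):
    """True when the ms-dhcp-ipv4 prematch would accept the line exactly as given."""
    return PREMATCH.match(line) is not None


def parse_dhcp_event(line):
    """Decode one DHCP audit line (archived or raw) into the fields the decoder
    extracts (id, extra_data, srcip) plus the full column map, or None."""
    raw = strip_archive_header(line).rstrip()
    if not would_prematch(raw):
        return None
    values = next(csv.reader([raw]))
    # zip() stops at the shorter side, so older rows with fewer columns simply
    # leave the trailing 2012-only columns unset.
    columns = dict(zip(DHCP_COLUMNS, values))
    return {"id": columns["ID"], "extra_data": columns["Description"],
            "srcip": columns["IP Address"], "hostname": columns["Host Name"],
            "column_count": len(values), "columns": columns}


if __name__ == "__main__":
    print("archived line prematches as-is:", would_prematch(ARCHIVED_LINE))
    print(parse_dhcp_event(ARCHIVED_LINE))
    print(parse_dhcp_event(FULL_ROW)["column_count"])
```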

[ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
Interesting...

I hadn't realized my IIS log files were being completely ignored.

If I put my IIS server in IIS or NCSA logging mode, they are decoded as 
PureFTPD logs using ossec-logtest.

In W3C format, they come out like this:

**Phase 3: Completed filtering (rules).
   Rule id: '31100'
   Level: '0'
   Description: 'Access log messages grouped.'

Sample used:

2014-12-12 18:23:44 W3SVC1 SERVER-NAME 1.2.3.4 GET /Scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+\ 443 - 1.2.3.4 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 404 11 0 0

Then some of the longer ActiveSync logs are just lost on the decoder, with:

**Phase 2: Completed decoding.
   No decoder matched.

It would be great to resolve this issue.  IIS keeps me up at night since 
it's probably our biggest liability.  Let me know how I can help.  I can 
provide logs (would prefer not to post them here though).

On Friday, December 12, 2014 7:37:15 AM UTC-8, James Whittington wrote:

> I was just curious if anyone knew the status of the issue where IIS logs 
> are not able to trigger on web_rules.xml?
>
> Basically even with a correct IIS decoder in place the web rules will 
> never trigger.
>
>  
>
> I came across some pretty obvious SQL Injection Attacks against IIS 
> websites and was trying to determine why OSSEC didn’t catch those events.
>
>  
>
> So really there is no point to running IIS logs through OSSEC if you can’t 
> trigger against rules.
>
>  
>
> I see the issue was raised here 
> https://github.com/ossec/ossec-hids/issues/164 
>
> With possible fix here https://github.com/ossec/ossec-hids/pull/434
>
>  
>
> James Whittington
>
>  
>



[ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
OK - on another system I'm able to get the web_rules.xml to trigger.

I set up IIS logging on this system in W3C format and selected all the 
fields:

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

OSSEC config on the monitored system looks like this.

<localfile>
  <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

Restarted the OSSEC agent, and did an iisreset too...

hammered on it for cmd.exe

and zoop zoop!

OSSEC HIDS Notification.
2014 Dec 12 13:01:50
Received From: (IIS8-5Server) 
1.2.3.4->\inetpub\logs\LogFiles\W3SVC1\u_ex141212.log
Rule: 31153 fired (level 10) -> "Multiple common web attacks from same 
souce ip."
Portion of the log(s):
2014-12-12 21:00:55 W3SVC1 IIS8-5Server 1.2.3.4 GET /cmd.exe - 443 - 2.3.4.5 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - IIS8-5Server 404 0 2 1477 256 0





On Friday, December 12, 2014 7:37:15 AM UTC-8, James Whittington wrote:

> I was just curious if anyone knew the status of the issue where IIS logs 
> are not able to trigger on web_rules.xml?
>
> Basically even with a correct IIS decoder in place the web rules will 
> never trigger.
>
>  
>
> I came across some pretty obvious SQL Injection Attacks against IIS 
> websites and was trying to determine why OSSEC didn’t catch those events.
>
>  
>
> So really there is no point to running IIS logs through OSSEC if you can’t 
> trigger against rules.
>
>  
>
> I see the issue was raised here 
> https://github.com/ossec/ossec-hids/issues/164 
>
> With possible fix here https://github.com/ossec/ossec-hids/pull/434
>
>  
>
> James Whittington
>
>  
>



Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
Thanks for the tip!  I'll definitely check that out!  

On Friday, December 12, 2014 2:28:41 PM UTC-8, Nathaniel Bentzinger wrote:
>
>  Just a side note since you mention IIS is your biggest liability for 
> some reason consider running the free version of dotDefender on your 
> Windows server then monitor with OSSEC the Event logs for dotDefender. That 
> way you can create active-responses against what dotDefender finds and it 
> finds everything. Just be sure to update your agent’s OSSEC config to look 
> at dotdefender event logs.
>
>  
>
> here are my local_rules for dotdefender:
>
>   
>
> 18100
>
> Applicure|dotDefender
>
> dotDefender Alert
>
> system_error, Applicure
>
>   
>
>  
>
>   
>
> 100015
>
> Multiple dotDefender Alerts
>
> system_error, Applicure
>
>   
>
>  
>
>   
>
> 100015
>
> Session Protection
>
> dotDefender Alert: Session Protection
>
> system_error, Applicure, Session_Protection
>
>   
>
>  
>
>   
>
> 100015
>
> SQL Injection|Classic SQL
>
> dotDefender Alert: SQL Injection Attempt
>
> system_error, Applicure, SQL_Injection_attempt
>
>   
>
>  
>
>   
>
> 100015
>
> Compromised/Hacked Servers
>
> dotDefender Alert: Compromised/Hacked 
> Servers
>
> system_error, Applicure, Hacked_Servers
>
>   
>
>  
>
>
>
> 100015
>
> Anti-Proxy Protection|Generic Anti-proxy Protection
>
> dotDefender Alert: Anti-proxy Protection
>
>     system_error, Applicure, Anti-proxy_Protection
>
>   
>
>  
>
> IIS will just give you 4xx/5xx ins OSSEC you’d have to adjust the rules to 
> capture everything else.
>
>  
>
>  
>
> *From:* ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] *On Behalf Of *Brent Morris
> *Sent:* Friday, December 12, 2014 4:07 PM
> *To:* ossec...@googlegroups.com 
> *Subject:* [ossec-list] Re: anyone know the status of the issue where IIS 
> logs are not able to trigger on web_rules.xml
>
>  
>  
> OK - on another system I'm able to get the web_rules.xml to trigger.
>  
>  
>  
> I setup IIS logging on this system... in W3C format.  selected all the 
> fields..
>  
> #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem 
> cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) 
> cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes 
> cs-bytes time-taken
>  
>  
>  
> OSSEC config on the monitored system looks like this.
>  
>  
>  
> 
> C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log
> iis
> 
>  
>  
>  
> restarted the ossec agent  and iisreset too...
>  
>  
>  
> hammered on it for cmd.exe
>  
>  
>  
> and zoop zoop!
>  
> OSSEC HIDS Notification.
> 2014 Dec 12 13:01:50
>  
> Received From: (IIS8-5Server) 
> 1.2.3.4->\inetpub\logs\LogFiles\W3SVC1\u_ex141212.log
> Rule: 31153 fired (level 10) -> "Multiple common web attacks from same 
> souce ip."
> Portion of the log(s):
>  
> 2014-12-12 21:00:55 W3SVC1 IIS8-5Server 1.2.3.4 GET /cmd.exe - 443 - 
> 2.3.4.5 HTTP/1.1 
> Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - 
> IIS8-5Server 404 0 2 1477 256 0
>  
>  
>  
>  
>  
>  
>  
>  
>  
>
> On Friday, December 12, 2014 7:37:15 AM UTC-8, James Whittington wrote:
>  
>  I was just curious if anyone knew the status of the issue where IIS logs 
> are not able to trigger on web_rules.xml?
>
> Basically even with a correct IIS decoder in place the web rules will 
> never trigger.
>
>  
>
> I came across some pretty obvious SQL Injection Attacks against IIS 
> websites and was trying to determine why OSSEC didn’t catch those events.
>
>  
>
> So really there is no point to running IIS logs through OSSEC if you can’t 
> trigger against rules.
>
>  
>
> I see the issue was raised here 
> https://github.com/ossec/ossec-hids/issues/164 
>
> With possible fix here https://github.com/ossec/ossec-hids/pull/434
>
>  
>
> James Whittington
>
>  
>  
>  



Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
It should be noted that the decoders seem fine for me (and I suspect 
everyone else).  I think that github issue is bogus.  

Follow what I posted above...  basically, IIS Manager > Default Web Site > 
Logging > Log File Format:  W3C - select fields.  *Check all the boxes that 
are not checked*!  I think there were 4 that weren't checked.

Edit your OSSEC config on that box...  

<localfile>
  <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

I've tested on IIS 7.5 and IIS 8.5, and both systems work flawlessly for 
the built-in decoders in OSSEC.  I even tested with Nexpose and they both 
work.

I think there may be confusion on the net on how to set this up... and with 
the out-of-the-box settings for W3C formatted logs, the decoders will not 
work.  Need to check all the boxes in the "Select Fields" dialog.

Also, thank you for bringing the IIS log file issue to my attention.  I 
thought OSSEC was working on the logs too!!!  I should have known they were 
too quiet! :)

HTH!


On Friday, December 12, 2014 3:02:52 PM UTC-8, James Whittington wrote:

> “Just a side note since you mention IIS is your biggest liability for 
> some reason consider running the free version of dotDefender on your 
> Windows server then monitor with OSSEC the Event logs for dotDefender.”
>
> Wow that’s a heck of a good idea, I haven’t heard of that product before 
> but I am looking over it now.
>
> OSSEC doesn’t really have an automated for rules to be updated, so using a 
> product that can do that then feed the results to OSSEC sounds like a good 
> idea.
>
>  
>
> I like the freedom OSSEC gives you for customization but it has been 
> frustrating that some of the out of the box things that didn’t work 
> especially on Windows newer than like Windows 2003.  You would think a IIS 
> 7 decoder would have been included with the default decoders but it wasn’t 
> last couple of times I tested it.
>
>  
>
> Luckily folks had posted samples of decoders for it and eventually I 
> learned how to create one but that can be daunting learning curve for 
> something I would have expected to just work.
>
> Then to discover that you have been happily scanning IIS logs and it 
> appears web rules were being ignored just adds to the frustration.
>
>  
>
> I understand some of the latest versions do offer eventchannel support so 
> I keep meaning to check that out.
>
>  
>
> I will have to check out dotDefender however…
>
>  
>
> James Whittington
>
>  
>
>  
>
> *From:* ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] *On Behalf Of *Nathaniel 
> Bentzinger
> *Sent:* Friday, December 12, 2014 16:45
> *To:* ossec...@googlegroups.com 
> *Subject:* RE: [ossec-list] Re: anyone know the status of the issue where 
> IIS logs are not able to trigger on web_rules.xml
>
>  
>
> Just a side note since you mention IIS is your biggest liability for some 
> reason consider running the free version of dotDefender on your Windows 
> server then monitor with OSSEC the Event logs for dotDefender. That way you 
> can create active-responses against what dotDefender finds and it finds 
> everything. Just be sure to update your agent’s OSSEC config to look at 
> dotdefender event logs.
>
>  
>
> here are my local_rules for dotdefender:
>
>   <!-- the rule tags were stripped in transit; element names are
>        reconstructed from OSSEC's rule syntax. Only the 100015 id survived:
>        every other id, level, frequency and timeframe below is a placeholder
>        to replace with local values, and <if_matched_sid> on the "Multiple"
>        rule is assumed from its description -->
>   <rule id="100015" level="5">
>     <if_sid>18100</if_sid>
>     <match>Applicure|dotDefender</match>
>     <description>dotDefender Alert</description>
>     <group>system_error, Applicure</group>
>   </rule>
>
>   <rule id="100016" level="10" frequency="8" timeframe="120">
>     <if_matched_sid>100015</if_matched_sid>
>     <description>Multiple dotDefender Alerts</description>
>     <group>system_error, Applicure</group>
>   </rule>
>
>   <rule id="100017" level="8">
>     <if_sid>100015</if_sid>
>     <match>Session Protection</match>
>     <description>dotDefender Alert: Session Protection</description>
>     <group>system_error, Applicure, Session_Protection</group>
>   </rule>
>
>   <rule id="100018" level="8">
>     <if_sid>100015</if_sid>
>     <match>SQL Injection|Classic SQL</match>
>     <description>dotDefender Alert: SQL Injection Attempt</description>
>     <group>system_error, Applicure, SQL_Injection_attempt</group>
>   </rule>
>
>   <rule id="100019" level="8">
>     <if_sid>100015</if_sid>
>     <match>Compromised/Hacked Servers</match>
>     <description>dotDefender Alert: Compromised/Hacked Servers</description>
>     <group>system_error, Applicure, Hacked_Servers</group>
>   </rule>
>
>   <rule id="100020" level="8">
>     <if_sid>100015</if_sid>
>     <match>Anti-Proxy Protection|Generic Anti-proxy Protection</match>
>     <description>dotDefender Alert: Anti-proxy Protection</description>
>     <group>system_error, Applicure, Anti-proxy_Protection</group>
>   </rule>
>
>  
>
> IIS will just give you 4xx/5xx in OSSEC; you’d have to adjust the rules to 
> capture everything else.
>
>  
>
>  
>
> *From:* ossec...@googlegroups.com  [
> mailto:o...@googlegroups.com ] *On Behalf Of *Brent Morris
> *Sent:* Friday, December 12, 2014 4:07 PM
> *To:* ossec...@googlegroups.

[ossec-list] Re: How to bypassing need "fully-qualified address"

2014-12-16 Thread Brent Morris
what's your <email_from> address?  It should be fully 
qualified if you're sending to gmail and the like...

On Tuesday, December 16, 2014 8:23:16 AM UTC-8, finid wrote:
>
> In further troubleshooting email issues I have with a couple of servers 
> not being able to send emails to certain email providers, I have found 
> that OSSEC is actually sending emails, but the other end is rejecting 
> them. 
>
> So after installing a local SMTP app for OSSEC to send emails, any 
> emails destined to Fastmail and Google are rejected with this type of 
> message: 
>
> < snip > 
> Sender address rejected: need fully-qualified address 
>  (in reply to RCPT TO command) 
> < /snip > 
>
> Obviously some email providers are not that picky, but is there a way to 
> bypass this without actually setting up a FQDM? 
>
> TIA, 
>
>
> -- 
> finid 
>
>



Re: [ossec-list] Re: How to bypassing need "fully-qualified address"

2014-12-16 Thread Brent Morris
I'm not sure what Google's requirements are to send email.  Perhaps a bit 
out of scope for this discussion group?

I can send non-fully qualified emails on servers I own! :) 

Can you change it to send as yourself to yourself on gmail.com ???  seems 
like an easy enough test.



On Tuesday, December 16, 2014 12:56:29 PM UTC-8, finid wrote:

> The <email_from> address is the generic one set by OSSEC (the server 
> does not have a FQDN). 
>
> Just to clarify some points about the email credentials: 
>
> 1. If the <email_to> address is, for example, myname@gmail, and the 
> <smtp_server> points to a Google SMTP server, can I have the 
> <email_from> address be any arbitrary email address? 
>
> 2. Must the <email_from> address have to be a valid address? 
>
> TIA 
>
>
> -- 
> finid 
>



Re: [ossec-list] What to make of ossec-hosts.* files

2014-12-16 Thread Brent Morris
I think what you're seeing is what is described in CVE-2014-5284 
- http://www.ossec.net/?p=1135

Basically, they were in /tmp, and then a vulnerability was disclosed... so 
those files were moved from /tmp to /var/ossec in 2.8.1

On Tuesday, December 16, 2014 1:19:15 PM UTC-8, finid wrote:
>
> On 2014-12-16 14:59, fi...@vivaldi.net  wrote: 
> > Hi, 
> > 
> > I see a bunch of files in /var/ossec with names of the form 
> > ossec-hosts.*. what are they and how can I stop the system from 
> > creating them? 
> > 
> > Here are a few examples. 
> > 
> > ossec-hosts.1i6uugNQB3 
> > ossec-hosts.BFHjPh9dwg 
> > ossec-hosts.i4EvjkDXUh 
> > ossec-hosts.U3thtpzm6b 
> > ossec-hosts.1MeJfr9MGt 
> > 
> > 
>
> So those files appear to be temporary files. Shouldn't they be in /tmp, 
> instead of /var/ossec? 
>
>
> -- 
> finid 
>
>



[ossec-list] Re: want to exclude (rem) rules in ossec.conf and just use syscheck

2014-12-16 Thread Brent Morris
Personally, I wouldn't relegate OSSEC to run the syscheck components only.  
I would encourage you to keep the rules...

OSSEC is noisy at first...  but the goal is simple.  Find ways to quiet 
OSSEC without inhibiting its ability to detect and alert you of malicious 
activity.  That second part of the statement is the key.

http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf

There are folks here that can help if you want to configure your ossec to 
be a little more quiet... and you'll learn a little about Linux in the 
process.  And a little noise is comforting also...  I worry when OSSEC is 
quiet...





On Tuesday, December 16, 2014 7:28:29 AM UTC-8, Jacob W wrote:

> The rules we have right now are generating way too much traffic. My boss 
> has asked that we rem or comment out the rules so we just have the syscheck 
> running. 
>
> **I am no Linux guru**
>
> I went into and made  in each rule line. 
> EXAMPLE -  
>
> When I restart the ossec-control then run the start I get:  OSSEC 
> analysisd: Testing rules failed. Configuration error. Exiting.
>
>
> Thoughts?
>
> Thanks!!!
>
>
>
>



[ossec-list] Re: Help creating rules

2014-12-22 Thread Brent Morris
As Dan mentioned, turning the "log all" option on in your ossec.conf is a 
good idea.  That might satisfy the PCI requirements to "log" those 
transactions so long as Active Directory auditing is turned up.  It looks 
like you have Active Directory running... so system time changes will 
likely come from AD.

When I went through my logs, I found two events that occur on a time 
change.  The Windows System log records Event ID 37 - "The time provider 
NtpClient is currently receiving valid time data from"  If it's not 
turned on, turn on Security Auditing - Audit Privilege Use - Success and 
Failure. You'll also see another corresponding event in the Windows 
Security Log - Event 4616 - Audit Success - The system time was changed. 
These Event IDs vary among Windows versions; a Google search will lead 
you to the correct event id if this isn't a match.

OSSEC already has a rule for System time changed.  Its default level is 5 
- Let's say you have <email_alert_level>7</email_alert_level> set in your 
ossec.conf - so anything that is a level 7 sends an email to your group.

Edit your /var/ossec/rules/local_rules.xml and add this..

  <!-- the rule tags were stripped in transit and are reconstructed here;
       the rule id was lost, so 100100 is a placeholder (pick a free local
       id), and level 7 follows the email_alert_level used in the text -->
  <rule id="100100" level="7">
    <if_sid>18104</if_sid>
    <id>^520$|^4616$</id>
    <description>System time changed.</description>
    <group>time_changed,</group>
  </rule>

As for your MS AntiMalware definition updates you'll want to run 
through the process I've done to determine where you need to tune your 
local_rules.xml file.

Here's some info I found on events corresponding to MS Antimalware.  To get 
those alerting, I would use /var/ossec/bin/ossec-logtest and paste the 
events as they come into ossec into log test...  be sure to truncate the 
log message from archives.log as it prepends some stuff to the beginning of 
the log entry which throws ossec-logtest off.  For instance...


2014 Dec 03 17:06:52 (source-server) 1.2.3.4->WinEvtLog 2014 Dec 03 
17:06:49 WinEvtLog: Security: AUDIT_SUCCESS(4616):...actual 
log entry removed

becomes

2014 Dec 03 17:06:49 WinEvtLog: Security: 
AUDIT_SUCCESS(4616):...actual log entry 
removed

When I pasted some of my WinDefend events into ossec-logtest... it returns 
the following...

**Phase 3: Completed filtering (rules).
   Rule id: '18101'
   Level: '0'
   Description: 'Windows informational event.'

You'll want to tweak your local_rules.xml and use some creative <match> 
criteria to capture and alert on those logs and ignore the other noise...

Here’s a list of the Microsoft Antimalware Events in my System Event Log:

1000 – Scan started
1001 – Scan completed
1002 – Scan stopped (canceled)
1005 – Scan terminated due to error
1011 – Item deleted from quarantine
1013 – History removed
1116 – Malware detection
1117 – Malware remediation
1119 – Remediation error (not found)
2000 – Successful update
2001 – Failed update
2002 – Engine update
2010 – Dynamic Signature Service retrieved additional signatures
2011 – Dynamic Signature Service discarded obsolete signatures
3002 – Real-time protection failure: behavior monitoring
5000 – Real-time protection enabled
5001 – Real-time protection disabled
5004 – Real-time protection configuration changed
5007 – Configuration changed
5100 – Entered grace period: validation failed (bogus)

Source: 
 
http://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/can-i-get-a-full-list-of-all-event-ids-generated/40a57d82-db36-4a2b-9ddb-5ce35b0de473


HTH!




On Friday, December 19, 2014 3:27:22 PM UTC-8, moe hans wrote:
>
>
> Hi All,
>
>
> I am new to OSSEC  so struggling to create some new rules. We are 
> monitoring our few windows servers because of PCI compliance. One of the 
>  requirement is to log time change  on the server and AV update. I am not 
> sure how to create the rule to get those logs imported to the ossec server. 
>
>
>
> Our AV logs  under system logs and looks like this.
>
> [image: Inline image 1]  
>
>
> How to create a rule for this.
>
> Thanks for the help
>
> -- 
> Moe Hans
>  
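The archives.log trimming and the rule's Event ID test described in the reply above, as an added example that is not OSSEC's code or the poster's. The sample lines are constructed to follow the shape shown in the post (the elided tail of the 4616 entry is filled with placeholder text), the Antimalware IDs come from the list in the post, and the script assumes OSSEC's 18104 parent is the Windows audit-success rule.

```python
import re

# archives.log stores each event as "<date> (<agent>) <ip>-><location> <event>";
# that leading part is what throws ossec-logtest off and has to be removed.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+->\S+ "
)

# A Windows event as the OSSEC agent forwards it:
#   "<date> WinEvtLog: <channel>: <audit type>(<event id>): <source>: <rest>"
WINEVT = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<kind>[A-Z_]+)\((?P<id>\d+)\): (?P<rest>.*)$"
)

# The <id> criterion of the rule in the post. Each alternative is anchored,
# so only an Event ID that is exactly 520 or 4616 qualifies (45200 does not).
TIME_CHANGE_ID = re.compile(r"^520$|^4616$")

# Microsoft Antimalware System-log events from the post's list that a PCI
# "log AV updates" requirement would care about.
ANTIMALWARE_IDS = {
    2000: "Successful update",
    2001: "Failed update",
    2002: "Engine update",
    1116: "Malware detection",
    5001: "Real-time protection disabled",
}


def strip_archive_prefix(line):
    """Return the raw event text, ready to paste into ossec-logtest."""
    return ARCHIVE_PREFIX.sub("", line, count=1)


def parse_winevt(line):
    """Parse an archived or raw Windows event into its fields (None if not one)."""
    m = WINEVT.match(strip_archive_prefix(line))
    return m.groupdict() if m else None


def is_time_change(line):
    """True when the event would reach the rule: an audit-success event (the
    18104 parent, assumed to cover AUDIT_SUCCESS) whose ID passes the <id> test."""
    ev = parse_winevt(line)
    return (bool(ev) and ev["kind"] == "AUDIT_SUCCESS"
            and TIME_CHANGE_ID.search(ev["id"]) is not None)


def antimalware_event(line):
    """Description of a listed Antimalware event from the System log, else None."""
    ev = parse_winevt(line)
    if not ev or ev["channel"] != "System":
        return None
    if not ev["rest"].startswith("Microsoft Antimalware"):
        return None
    return ANTIMALWARE_IDS.get(int(ev["id"]))


# Constructed samples: the post elides the tail of the real 4616 entry, and
# the Antimalware line is modelled on the same layout with placeholder text.
ARCHIVED_4616 = (
    "2014 Dec 03 17:06:52 (source-server) 1.2.3.4->WinEvtLog 2014 Dec 03 17:06:49 "
    "WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: "
    "SYSTEM: NT AUTHORITY: HOST1: The system time was changed."
)
ARCHIVED_AV_UPDATE_FAILED = (
    "2014 Dec 03 18:00:00 (source-server) 1.2.3.4->WinEvtLog 2014 Dec 03 17:59:58 "
    "WinEvtLog: System: ERROR(2001): Microsoft Antimalware: (no user): no domain: "
    "HOST1: Microsoft Antimalware has encountered an error trying to update signatures."
)

if __name__ == "__main__":
    for line in (ARCHIVED_4616, ARCHIVED_AV_UPDATE_FAILED):
        print("logtest input:", strip_archive_prefix(line))
        print("  time change:", is_time_change(line),
              "| antimalware:", antimalware_event(line))
```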



Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-23 Thread Brent Morris
What does ossec-logtest respond with on the sample below?

2014-12-12 21:00:55 W3SVC1 IIS8-5Server 1.2.3.4 GET /cmd.exe - 443 - 
2.3.4.5 HTTP/1.1 
Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - 
IIS8-5Server 404 0 2 1477 256 0

There's either an issue with the IIS logs, or an issue with OSSEC.

Can you provide a sample of the log with the SQL injection that isn't 
picked up by web rules?  Also, could you provide the relevant portion of a 
URL you use to test a SQL injection attack?  I'll try it on my systems and 
perhaps we can compare the logs to figure out where the issue is.  

On Monday, December 22, 2014 11:40:30 AM UTC-8, James Whittington wrote:

> >> I've tested on IIS 7.5 and IIS 8.5, and both systems work flawlessly 
> >> for the built-in decoders in OSSEC.  I even tested with Nexpose and 
> >> they both work. 
>
> >Can you please post a log sample that you know decodes properly and for 
> which the rules hit as they should? It would be nice to get to the bottom 
> of >this. 
>
> I haven't seen a log sample of IIS 7.5 and IIS 8.5 "flawlessly" decoding 
> and triggering on default web rules so I was hoping someone would step up 
> and show a decoded IIS log  triggering on a web rule. 
>
> From what I can tell on a logtest only the parent decoder displays so I 
> think it would be tricky to know for sure which decoder was used last. 
>
> I checked log samples from IIS 7, IIS 8, ISS 8 in the azure cloud and they 
> all extract URL at least, but none seem to trigger on a simple SQL 
> injection rule 
> I had been previously advised that the documentation says all log fields 
> must be checked (Yep did that a couple of years ago but I double checked 
> anyway). 
> I have also heard to just use something else to analyze IIS log events 
> (and this is likely the best path for me at this point). 
>
> I like the flexibility OSSEC gives me but I am pretty darn sure IIS logs 
> will not trigger on web rules which is a shame. 
>
> I guess I must be in the minority with using OSSEC to monitor IIS logs, or 
> something in my setup is wrong, or folks just assume OSSEC is helping them 
> watch IIS logs. 
>
> I am just putting this topic back out there in case anything new had 
> happened with it. 
>
> James Whittington 
>
>
>
> -Original Message- 
> From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of Michael Starks 
> Sent: Saturday, December 13, 2014 11:50 
> To: ossec...@googlegroups.com  
> Subject: Re: [ossec-list] Re: anyone know the status of the issue where 
> IIS logs are not able to trigger on web_rules.xml 
>
> On 12/12/2014 06:02 PM, Brent Morris wrote: 
> > It should be noted that the decoders seem fine for me (and I suspect 
> > everyone else).  I think that github issue is bogus. 
>
> I think it is correct, but of course I could have made a mistake. 
>
> > Follow what I posted above...  basically, IIS Manager > Default Web 
> > Site 
> >> Logging > Log File Format:  W3C - select fields.  *Check all the 
> >> boxes 
> > that are not checked*!  I think there were 4 that weren't checked. 
> > 
> > Edit your OSSEC config on that box... 
> > 
> >  <localfile>
> >    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
> >    <log_format>iis</log_format>
> >  </localfile>
> > 
> > I've tested on IIS 7.5 and IIS 8.5, and both systems work flawlessly 
> > for the built-in decoders in OSSEC.  I even tested with Nexpose and 
> > they both work. 
>
> Can you please post a log sample that you know decodes properly and for 
> which the rules hit as they should? It would be nice to get to the bottom 
> of this. 
>
>
>



Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-24 Thread Brent Morris
le queries).'
>
>  
>
> *The URL is decoding but should be triggering on this rule?*
>
>  
>
>   <!-- the rule tags were stripped in transit; this is OSSEC's stock rule
>        31103 from web_rules.xml, with element names and attributes restored
>        from there -->
>   <rule id="31103" level="6">
>     <if_sid>31100</if_sid>
>     <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
>     <url>union+|where+|null,null|xp_cmdshell</url>
>     <description>SQL injection attempt.</description>
>     <group>attack,sql_injection,</group>
>   </rule>
>
>
>



[ossec-list] Re: Monitor installations and uninstallations on Windows machines

2015-01-14 Thread Brent Morris
There are a couple approaches you could take.

Turn on Audit Process Tracking Success/Failure - and use some creative 
<match> filters in the local_rules.xml to alert on setup.exe, msiexec, 
uninst.exe and other possible keywords.  MSIExec is an easy one, but there 
are plenty of portable apps that would bypass normal install routines.

Another approach would be to remove local admin (I'm making an assumption 
here that they have local admin), and setup a separate local admin account 
that the users would use to escalate to local admin to install/uninstall 
applications.  This would be easier to track as you would only check for 
use of this account.


On Wednesday, January 14, 2015 at 12:01:09 PM UTC-8, XMS967 wrote:

> Setup: server is on the CentOs virtual appliance provided by them, and I 
> have the agent installed on my Windows machine.
>
> Among other things, I'd like to use OSSEC to monitor when I install or 
> uninstall an application. This *sometimes* is tracked in the event log; 
> however, not all installations are tracked there. (For an example, there's 
> Acrylic Wifi.) I'd monitor the Uninstall area in the registry, except 
> apparently OSSEC only monitors changes to existing values, not new or 
> removed ones. Monitoring the Program Files directory is an exercise in 
> futility.
>
> What would be the best way to monitor when a user installs or uninstalls 
> an application?
>



[ossec-list] Re: Monitor installations and uninstallations on Windows machines

2015-01-14 Thread Brent Morris
Also, "Applications and Services Logs > Microsoft > Application-Experience > 
Program-Inventory" might also be a place to set up monitoring.  There is a 
value for "Number of installed programs".




[ossec-list] Re: Windows Event Channels of Interest

2015-01-16 Thread Brent Morris
You have a great list here!

I would add the following...

DHCP logs.
IIS logs.
Microsoft-Windows-TerminalServices-Gateway/Operational - if applicable.

Turn up auditing via gpo on process tracking, policy change, privilege use, 
directory service access, account management, (success and failures), and 
account logons.

Grab your centralized antivirus management logs also if possible.

Network Policy Server accounting (radius server).

It gets a little noisy in here with all that on...

-Brent

On Thursday, January 15, 2015 at 9:16:44 AM UTC-8, Chris Decker wrote:

> All,
>
> I'm a long-time OSSEC user, but I rarely use OSSEC with Windows machines.  
> Recently I had the "opportunity" to monitor a significant number of Windows 
> machines, and I've been learning where security-relevant logs are stored on 
> the system.
>
> In addition to the standard Application/Security/System logs I'm 
> monitoring the following Event Channels, but wanted to see if others had 
> suggestions on additions:
> Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
> Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
> Microsoft-TaskScheduler/Operational
>
>
> Does anyone have any recommendations that I should add to my 
> configuration?  Of course the function of the machine will drive which 
> channels are valuable.  I'm currently considering the following:
> - WinRM
> - WinNAT
> - Exchange
> - SMBServer
> - PrintService
> - NTLM
> - IIS_Logging
>
> What do you use in your configuration?
>
>
>
> Thanks,
> Chris
>



[ossec-list] Need help testing decodes for Cisco Prime Security Manager (PRSM)

2015-01-27 Thread Brent Morris
Hi...

I am curious if anyone is using a Cisco NGFW with Cisco PRSM...  I'd love 
to get a little input on these and perhaps see what logs look like from 
other Cisco NGFW devices with PRSM.

And if you are using this firewall, would you help in testing the syslog 
feature of PRSM to OSSEC?

Here are the decodes to add to your local_decoder.xml - it's not complete 
yet...

  <!-- the decoder tags were stripped in transit and are reconstructed here;
       the child decoder's name was lost, so cisco-cx-flow is a placeholder -->
  <decoder name="cisco-cx">
    <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch>
  </decoder>

  <decoder name="cisco-cx-flow">
    <parent>cisco-cx</parent>
    <prematch offset="after_parent">^1|2|3|4</prematch>
    <regex offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"\.+Url="(\.+)"\.*</regex>
    <!-- the regex captures four values; the trailing "action" has no group -->
    <order>dstip,srcip,extra_data,url,action</order>
  </decoder>


The second sample below throws a Rule: 1002 fired (level 2) -> "Unknown 
problem somewhere in the system." - bad words are all over that one... I am 
not sure how to work around it right now and there are too many 
interruptions to wrap my head around it.

Cisco won't give me their secret formula for the logs, so I'm forced to try 
to figure it out on my own.  Near as I can tell... the number X 
in "CiscoNGFW 2827 X" is significant as to what type of log it is.  You can 
see where I've tried to prematch that number   6 seems to be denied 
transactions... while 1-5 are setup, complete, and teardown flows.

sample logs:

1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 
Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="317" 
Flow_Bytes_Received="36718" Event_Type="0" Count="1" 
Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" Url_Category_Name="Software 
Updates" Flow_Bytes="37035" Web_Reputation_Threat_Type="" Avc_Tag_Name="" 
Ev_SrcLabel="CX-CX" Response_Magic_Type="application/x-ms-cab" 
Event_Type_Name="HTTP Complete" User_Realm="1.1.1.47" Policy_Name="Implicit 
Allow" Flow_Transaction_Id="3" Url="
http://download.windowsupdate.com/d/msdownload/update/software/updt/2013/12/windows6.1-kb2891804-x64-express_9d70ffa853afa5f559c42d552c7626a47cb3e3da.cab";
 
Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
Flow_ConnId="27397591" Flow_DstHostName="download.windowsupdate.com" 
Flow_Transaction_Count="1" Ev_Id="43239" Web_Reputation_Score="9.2" 
Event_Type_Action="Info" Ev_GenTime="1421968494449" Flow_DstPort="80" 
Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Na


1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 
Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="388" Event_Type="0" 
Flow_DstIp="199.27.79.129" Flow_SrcIp="1.1.1.32" Count="1" 
Url_Category_Name="Business and Industry" Flow_Bytes="388" 
Web_Reputation_Threat_Type="Adware" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" 
Event_Type_Name="HTTP Deny" User_Realm="1.1.1.32" Policy_Name="Implicit 
Allow" Flow_Transaction_Id="0" Url="
http://s.skimresources.com/js/23176X817180.skimlinks.js"; 
Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
Flow_ConnId="27947284" Flow_DstHostName="s.skimresources.com" 
Flow_Transaction_Count="1" Ev_Id="679530" Web_Reputation_Score="-9.1" 
Event_Type_Action="Deny" Ev_GenTime="1422291064092" Flow_DstPort="80" 
Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" 
Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" 
Ev_SrcHwType="ASA-CX" Flow_SrcPort="44750" Smx_Config_Version="56" 
Flow_Requests_Denied="1" Avc_App_Type="Infrastructure


Thanks!  Let me know if anyone has any interest.



[ossec-list] Re: Need help testing decodes for Cisco Prime Security Manager (PRSM)

2015-01-28 Thread Brent Morris
Here's the entire thing...

local_rules.xml -  adjust rule ids accordingly...

  <!-- the rule tags were stripped in transit; 100198 is the id the second
       rule points at, the other id/level values are placeholders. The element
       holding "Deny" was lost, and <match> is assumed -->
  <rule id="100198" level="0">
    <decoded_as>cisco-cx</decoded_as>
    <description>Cisco CX Flows.</description>
  </rule>

  <rule id="100199" level="5">
    <if_sid>100198</if_sid>
    <match>Deny</match>
    <description>Flow Denied</description>
  </rule>


local_decoder.xml -

  <!-- decoder tags reconstructed; the child decoder names were lost, so
       cisco-cx-flow and cisco-cx-deny are placeholders -->
  <decoder name="cisco-cx">
    <prematch>^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s</prematch>
  </decoder>

  <decoder name="cisco-cx-flow">
    <parent>cisco-cx</parent>
    <prematch offset="after_parent">^1|^2|^3|^4|^5</prematch>
    <regex offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"\.+Url="(\.+)"\.*</regex>
    <!-- the regex captures four values; the trailing "action" has no group -->
    <order>dstip,srcip,extra_data,url,action</order>
  </decoder>

  <decoder name="cisco-cx-deny">
    <parent>cisco-cx</parent>
    <prematch offset="after_parent">^6|^7|^8|^9|^10</prematch>
    <regex offset="after_parent">^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)" User_Realm="(\w+\p*\w*\p*\w*\p*\w*)"\.+Event_Type_Action="\w+"\.*Policy_Deny_Reason_Name="(\w+\s*\w*)"\.*</regex>
    <order>status,action,user,extra_data</order>
  </decoder>

it still needs some tweaking... if anyone out there (*listens for 
crickets*) has a Cisco CX product and wants to test its syslog 
abilities. 
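A parser for the CiscoNGFW syslog events shown in these two posts, added here as an example (not Cisco's, OSSEC's or the poster's code). It reproduces what the two child decoders' order lists would extract, assumes the "Flow Denied" rule keys on "Deny" in the decoded action, and its two samples are abridged, constructed versions of the post's events; it also shows what changed between the first and second prematch versions.

```python
import re

# Header as in the post's samples:
#   "<ver> <timestamp> <host> CiscoNGFW <pid> <type> [ngfwEvent@9 key="value" ...]"
HEADER = re.compile(
    r"^(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) CiscoNGFW (?P<pid>\d+) "
    r"(?P<type>\d+) \[ngfwEvent@9 (?P<body>.*)$"
)
# key="value" pairs inside the structured-data element
KV = re.compile(r'(\w+)="([^"]*)"')

# Per the post, type 6 is a denied transaction and 1-5 are setup/complete/
# teardown flows. The two <order> lists map onto these event keys.
FLOW_ORDER = {"dstip": "Flow_DstIp", "srcip": "Flow_SrcIp",
              "extra_data": "Url_Category_Name", "url": "Url"}
DENY_ORDER = {"status": "Web_Reputation_Threat_Type", "action": "Event_Type_Name",
              "user": "User_Realm", "extra_data": "Policy_Deny_Reason_Name"}


def parse_event(line):
    """Split a CiscoNGFW line into header fields plus a dict of its key="value" pairs."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["type"] = int(ev["type"])
    ev["fields"] = dict(KV.findall(ev.pop("body")))
    return ev


def decode(line):
    """Emulate the post's two child decoders: pick the <order> list by event type."""
    ev = parse_event(line)
    if ev is None:
        return None
    order = DENY_ORDER if ev["type"] >= 6 else FLOW_ORDER
    decoded = {name: ev["fields"].get(key, "") for name, key in order.items()}
    decoded["type"] = ev["type"]
    return decoded


def is_denied(decoded):
    """Mirror the 'Flow Denied' rule, assumed to key on Deny in the decoded action."""
    return "Deny" in decoded.get("action", "")


def prematch_hits(pattern, line):
    """Apply a child prematch the way offset="after_parent" does: against the text
    that follows the parent's prematch, i.e. from the type number onwards."""
    after_parent = line.split(" CiscoNGFW ", 1)[1].split(" ", 1)[1]
    return re.search(pattern, after_parent) is not None


# Constructed samples, abridged from the two events in the post (the post's own
# lines are wrapped and cut off, so these carry only the keys the decoders use).
FLOW_SAMPLE = (
    '1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 '
    'Http_Response_Status="200" Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" '
    'Url_Category_Name="Software Updates" Event_Type_Name="HTTP Complete" '
    'User_Realm="1.1.1.47" Url="http://download.windowsupdate.com/example.cab" '
    'Event_Type_Action="Info"]'
)
DENY_SAMPLE = (
    '1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
    'Flow_DstIp="199.27.79.129" Flow_SrcIp="1.1.1.32" '
    'Url_Category_Name="Business and Industry" Web_Reputation_Threat_Type="Adware" '
    'Event_Type_Name="HTTP Deny" User_Realm="1.1.1.32" '
    'Url="http://s.skimresources.com/js/example.js" Event_Type_Action="Deny" '
    'Policy_Deny_Reason_Name="Web Reputation"]'
)

if __name__ == "__main__":
    for line in (FLOW_SAMPLE, DENY_SAMPLE):
        fields = decode(line)
        print(fields, "-> denied" if is_denied(fields) else "-> flow")
    # The difference between the two prematch versions in the posts: in "^1|2|3|4"
    # only the first alternative is anchored, so a bare "2" anywhere after the
    # parent match (here inside 199.27.79.129) lets the flow decoder claim a
    # type-6 deny event; "^1|^2|^3|^4|^5" anchors every alternative.
    print(prematch_hits(r"^1|2|3|4", DENY_SAMPLE))        # True (wrong decoder)
    print(prematch_hits(r"^1|^2|^3|^4|^5", DENY_SAMPLE))  # False
    # Caveat: "^1" also matches a type 10, which the deny decoder lists as ^10.
```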


On Tuesday, January 27, 2015 at 4:18:38 PM UTC-8, Brent Morris wrote:

> Hi...
>
> I am curious if anyone is using a Cisco NGFW with Cisco PRSM   I'd 
> love to get a little input on these and perhaps see what logs look like 
> from other Cisco NFGW devices with PRSM.
>
> And if you are using this firewall, would you help in testing the syslog 
> feature of PRSM to OSSEC?
>
> Here are the decodes to add to your local_decode.xml - it's not complete 
> yet...
>
>   
> 
> ^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s
>   
>
>
>   
>cisco-cx
>^1|2|3|4
> offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"
>  
> \.+Url="(\.+)"\.*
>dstip,srcip,extra_data,url,action
>   
>
>
> The second sample below throws an Rule: 1002 fired (level 2) -> "Unknown 
> problem somewhere in the system." - Bad words are all over that one... I am 
> not sure how to work around it right now and there are too many 
> interruptions to wrap my head around it.
>
> Cisco won't give me their secret formula for the logs, so I'm forced to 
> try to figure it out on my own.  Near as I can tell... the number X 
> in "CiscoNGFW 2827 X" is significant as to what type of log it is.  You can 
> see where I've tried to prematch that number... 6 seems to be denied 
> transactions... while 1-5 are setup, complete, and teardown flows.
>
> sample logs:
>
> 1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 
> Http_Response_Status="200" Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="317" 
> Flow_Bytes_Received="36718" Event_Type="0" Count="1" 
> Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" Url_Category_Name="Software 
> Updates" Flow_Bytes="37035" Web_Reputation_Threat_Type="" Avc_Tag_Name="" 
> Ev_SrcLabel="CX-CX" Response_Magic_Type="application/x-ms-cab" 
> Event_Type_Name="HTTP Complete" User_Realm="1.1.1.47" Policy_Name="Implicit 
> Allow" Flow_Transaction_Id="3" Url="
> http://download.windowsupdate.com/d/msdownload/update/software/updt/2013/12/windows6.1-kb2891804-x64-express_9d70ffa853afa5f559c42d552c7626a47cb3e3da.cab";
>  
> Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
> Flow_ConnId="27397591" Flow_DstHostName="download.windowsupdate.com" 
> Flow_Transaction_Count="1" Ev_Id="43239" Web_Reputation_Score="9.2" 
> Event_Type_Action="Info" Ev_GenTime="1421968494449" Flow_DstPort="80" 
> Flow_DstIfc="outside" Ev_SrcId="2147484710" Avc_App_Na
>
>
> 1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 
> Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="388" Event_Type="0" 
> Flow_DstIp="199.27.79.129" Flow_SrcIp="1.1.1.32" Count="1" 
> Url_Category_Name="Business and Industry" Flow_Bytes="388" 
> Web_Reputation_Threat_Type="Adware" Avc_Tag_Name="" Ev_SrcLabel="CX-CX" 
> Event_Type_Name="HTTP Deny" User_Realm="1.1.1.32" Policy_Name="Implicit 
> Allow" Flow_Transaction_Id="0" Url="
> http://s.skimresources.com/js/23176X817180.skimlinks.js"; 
> Identity_Source_Name="None" Auth_Policy_Name="Default" Flow_SrcIfc="inside" 
> Flow_ConnId="27947284" Flow_DstHostName="s.skimresources.com" 
> Flow_Transaction_Count="1" Ev_Id="679530" Web_Reputation_Score="-9.1" 
> Event_Type_Action="Deny" Ev_GenTime="1422291064092" Flow_DstPort="80" 
> Policy_Deny_Reason_Name="Web Reputation" Flow_DstIfc="outside" 
> Ev_SrcId="2147484710" Avc_App_Name="HyperText Transfer Protocol" 
> Ev_SrcHwType="ASA-CX" Flow_SrcPort="44750" Smx_Config_Version="56" 
> Flow_Requests_Denied="1" Avc_App_Type="Infrastructure
>
>
> Thanks!  Let me know if anyone has any interest.
>
>



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-09 Thread Brent Morris
It'd also help to see the commands you sent to the ASA for syslogging.

sh run log
or sh run | inc log



On Friday, February 6, 2015 at 8:34:12 AM UTC-8, dan (ddpbsd) wrote:
>
> On Fri, Feb 6, 2015 at 11:28 AM, Network Infrastructure 
> > wrote: 
> > In the folder: 
> > /var/ossec/logs/archives/archives.log 
> > /var/ossec/logs/alerts/alerts.log. 
> > 
> > I cannot see any changes. So what's wrong? 
> > 
>
> I have to assume this means you are not seeing log messages from the 
> cisco device in /var/ossec/logs/archives/archives.log. If that's the 
> case: 
> Use tcpdump to make sure the logs are being sent from the cisco device: 
> `tcpdump -i NETWORK_INTERFACE_NAME -nn port 514 and host 
> IP_OF_CISCO_DEVICE` 
> You should see traffic from the cisco device to the OSSEC manager. If 
> not, you'll have to look at the settings on your Cisco device to 
> determine why it isn't sending logs. 
>
> If you do see traffic, make sure ossec-remoted is running. 
> Make sure it's listening on port 514. 
>
>
> > On Friday, February 6, 2015 at 9:11:33 AM UTC+7, Network Infrastructure 
> > wrote: 
> >> 
> >> I have configured OSSEC to monitor my ASA 5520 but I cannot see 
> anything 
> >> 
> >> In ASA 5520, I enable syslog server to send syslog to my OSSEC 
> >> 
> >> 
> >> In OSSEC, in /var/ossec/etc/ossec.conf, I configured: 
> >> 
> >>  
> >> 
> >>  
> >>   syslog 
> >>   IP_OF_CISCO_DEVICE 
> >>  
> >>  
> >>   yes 
> >>  
> >> 
> >>  
> >> 
> >> Then I restart ossec services but I cannot see anything. 
> >> 
> >> 
> >> Help me please ... 
> > 
>



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-11 Thread Brent Morris
Bingo!  Your ASA is not configured properly for logging.

ssh to the device and login
enable
(enter password)
config t
logging trap debugging
exit
write mem
exit

If debugging is too much info, you can lower it to notifications as in 
Eero's example.  

But you're never going to see your ASA logging if you don't configure it to 
send to an external server.

Documentation from Cisco.
Using ASDM - 
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113053-asa82-syslog-config-00.html#loggsyslogserv

Using CLI
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#wp1552182




On Wednesday, February 11, 2015 at 2:26:46 AM UTC-8, Eero Volotinen wrote:
>
>
> You need to enable logging to syslog server first. command is like logging 
> trap 
> example:
>
> conf t
> logging trap notifications
> wr
>
> br,
> Eero
> --
>
> 2015-02-11 8:50 GMT+02:00 Network Infrastructure  >:
>
>> This is the message when I use the command:
>>
>> but it doesn't work
>>
>> ASA5520# sh run log
>> logging enable
>> logging asdm informational
>> logging host inside 192.168.10.11
>> ASA5520# sh run | inc log
>>  service-object tcp eq klogin
>>  service-object tcp eq login
>>  service-object udp eq syslog
>>  service-object udp eq syslog
>>  service-object udp eq syslog
>> logging enable
>> logging asdm informational
>> logging host inside 192.168.10.11
>>
>>
>> On Friday, February 6, 2015 at 9:11:33 AM UTC+7, Network Infrastructure 
>> wrote:
>>
>>> I have configured OSSEC to monitor my ASA 5520 but I cannot see anything 
>>>
>>> In ASA 5520, I enable syslog server to send syslog to my OSSEC
>>>
>>>
>>> In OSSEC, in /var/ossec/etc/ossec.conf, I configured:
>>>
>>> 
>>>
>>>  
>>>   syslog 
>>>   IP_OF_CISCO_DEVICE 
>>> 
>>> 
>>>   yes
>>> 
>>>
>>> 
>>>
>>> Then I restart ossec services but I cannot see anything.
>>>
>>>
>>> Help me please ...
>>>
>>
>
>



[ossec-list] Re: Windows DNS log monitoring

2015-02-25 Thread Brent Morris
That DNS.log file doesn't get populated until you stop the DNS service.

It looks like it's zero bytes until you stop the DNS service, at which 
point it fills up the file with data for review...

You'd probably be better off grabbing one of the event channels for 
DNS-Server > Audit.

On Tuesday, February 24, 2015 at 10:42:20 AM UTC-8, scott.koontz wrote:
>
>  I am attempting to monitor the Windows DNS debug log with the ossec 
> agent in the following configuration:
>
>  
>
>   
>
> %windir%\System32\dns\dns.log
>
> syslog
>
>   
>
>  
>
> But I receive these errors in the agent log:
>
> 2015/02/23 15:36:11 ossec-agent(1103): ERROR: Unable to open file 
> 'C:\Windows\System32\dns\dns.log'.
>
> 2015/02/23 15:36:11 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\Windows\System32\dns\dns.log'.
>
> 2015/02/23 15:40:33 ossec-agent(1904): INFO: File not available, ignoring 
> it: 'C:\Windows\System32\dns\dns.log'.
>
>  
>
> In case it’s relevant, the DNS log level is set to 0x8000E121 and I’ve 
> also tried 0xE121.  
>
>  
>
> Thanks,
>
>  
>
> Scott
>
>   
>  



Re: [ossec-list] OSSEC Decodes for Cisco ASA CX - Context-Aware Firewall - PRSM

2015-03-10 Thread Brent Morris
Well, I think it worked. I stumbled my way through Git but managed to 
push my changes back to the project.

I chose some rule id numbers close to the Cisco VPN concentrator - it 
looked like there was a gap in numbers in that rule section to the next.

I can also submit the decodes for the on-prem Microsoft Azure 2FA if that 
would help (I posted earlier on this).

Thanks for your help!

On Tuesday, February 3, 2015 at 7:54:48 AM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Feb 3, 2015 at 8:44 AM, Brent Morris  > wrote: 
> > Greetings all. 
> > 
> > Would it be better to submit a pull request on github to get these 
> included 
> > in the next release of OSSEC?  I'm not github aware... never used it 
> other 
> > than to download stuff. 
> > 
>
> Submitting a pull request is the best way to get these included. I can 
> do it if you really need me to. 
> The basic process is: 
> create an account/login to your account 
> Fork the ossec-hids project 
> Clone your repo on your local system 
> Apply your changes 
> `git add` changed files 
> `git commit` and add a useful commit message 
> `git push` your changes to your repository 
> Go to https://github.com/ossec/ossec-hids and click the new link at 
> the top asking if you want to compare changes/submit a pull request. 
>
> > Here are my final decodes for ASA CX - These are coming off a Cisco 
> > ASA-5515X with PRSM "on-box".  The advantage to sending these to a 
> syslog 
> > server is that you can keep the logs from the "on-box" PRSM as long as 
> you 
> > like.  "On-Box" PRSM only allows 30 days of rolling logs, and the 
> reporting 
> > feature leaves much to be desired.  Off-box PRSM is a separate 
> license/cost 
> > item, and does a little more but still leaves much to be desired in 
> > reporting.  It also supports Syslog.  Downside to syslog is that the 
> > messages sometimes hit the limit of syslog size and are truncated.  I've 
> > accommodated for this by picking out the interesting bits usually 
> included 
> > toward the beginning of the message.  The URL= portion of the log can 
> > sometimes be extremely long in today's world.  After speaking to Cisco 
> TAC - 
> > they said 1024 bytes was the max they could send - referencing 
> > http://tools.ietf.org/html/rfc3164#section-4 - So without further 
> ado 
> > 
> > 
> > 
> > local_rules.xml 
> > 
> > 
> > 
> >  
> >
> >   cisco-cx 
> >   Cisco CX Flows. 
> >
> > 
> >  
> >   100210 
> >   Deny 
> >   Flow Denied 
> >
> > 
> >  
> > 
> > local_decoder.xml 
> > 
> >
> > 
> > 
> ^\d\s\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d\d\dZ\s\d+.\d+.\d+.\d+\sCiscoNGFW\s\d\d\d\d\s
>  
>
> >
> > 
> >
> >cisco-cx 
> >^1|^2|^3|^4|^5 
> > > 
> offset="after_parent">\.+Flow_DstIp=\p(\d+.\d+.\d+.\d+)\p\.+Flow_SrcIp="(\d+.\d+.\d+.\d+)"\.+Url_Category_Name="(\w+\s*\w*\s*\w*\s*\w*)"
>  
>
> > \.+Url="(\.+)"\.* 
> >dstip,srcip,extra_data,url,action 
> >
> > 
> >
> >cisco-cx 
> >^6|^7|^8|^9|^10 
> >> 
> offset="after_parent">^\.+Web_Reputation_Threat_Type="(\w+\s*\w*\s*\w*\s*\w*)"\.*Event_Type_Name="(\w+\s*\w*\s*\w*\s*\w*)"
>  
>
> > User_Realm="(\w+\p*\w*\p*\w*\p*\w*)"\.+Url="(\.+)"\.* 
> >   status,action,user,url 
> >
> > 
> > 
> > Sample Logs. 
> > 
> > Flow Denied 
> > 
> > 1 2015-02-02T23:09:03.733Z 1.1.1.23 CiscoNGFW 2827 6 [ngfwEvent@9 
> > Flow_Dst_Service="tcp/80" Flow_Bytes_Sent="396" Event_Type="0" 
> > Flow_DstIp="162.255.119.254" Flow_SrcIp="1.2.3.32" Count="1" 
> > Url_Category_Name="Uncategorized" Flow_Bytes="396" 
> > Web_Reputation_Threat_Type="Related to Phishing" Avc_Tag_Name="" 
> > Ev_SrcLabel="CX-CX" Event_Type_Name="HTTP Deny" User_Realm="1.2.3.32" 
> > Policy_Name="Implicit Allow" Flow_Transaction_Id="0" 
> > Url="http://image2.seethenewscan-updates.us/"; 
> Identity_Source_Name="None" 
> > Auth_Policy_Name="Default" Flow_SrcIfc="inside" Flow_ConnId="29106287" 
> > Flow_DstHostName="image2.seethenewscan-updates.us" 
> > Flow_Transaction_Count="1" Ev_Id="2281992" Web_Re
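Added example (Python; not code from this thread or from OSSEC) that parses the CiscoNGFW messages posted above the way the two child decoders do and applies the "Deny" test of rule 100210 in code. The sample lines are shortened from the posted ones, the deny URL is made up, and alert() stands in for the OSSEC rule engine.

```python
"""Parse Cisco ASA CX / PRSM ("CiscoNGFW") syslog events and flag denied flows.

Added example, not code from the thread or from OSSEC. It extracts the same
fields the two child decoders posted above capture and applies the same
test as rule 100210 (Event_Type_Action of "Deny"); alert() stands in for
the OSSEC rule engine.
"""
import re

# RFC 5424-style header that the parent decoder prematches:
#   "1 <timestamp> <reporter> CiscoNGFW <procid> <msgid> [ngfwEvent@9 k="v" ...]"
# The msgid (5, 6, ...) is what the two child decoders prematch on.
HEADER_RE = re.compile(
    r"^(?P<version>\d)\s(?P<timestamp>\S+)\s(?P<reporter>\S+)\sCiscoNGFW\s"
    r"(?P<procid>\d+)\s(?P<msgid>\d+)\s\[ngfwEvent@9\s(?P<sd>.*)$"
)
# One complete key="value" pair. A pair cut off by the 1024-byte syslog
# limit has no closing quote, so it never matches and is simply dropped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_cx_event(line):
    """Return header fields, the key/value pairs and a truncation flag,
    or None if the line is not a CiscoNGFW event."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    sd = m.group("sd")
    return {
        "timestamp": m.group("timestamp"),
        "reporter": m.group("reporter"),
        "msgid": int(m.group("msgid")),
        "fields": dict(KV_RE.findall(sd)),
        # A complete message closes the structured-data element with ']';
        # one clipped at the syslog size limit does not.
        "truncated": not sd.rstrip().endswith("]"),
    }


def alert(event):
    """Stand-in for rule 100210 ("Flow Denied").

    The thread observed that msgid 1-5 are flow setup/complete/teardown
    and 6 is a denied transaction; Event_Type_Action="Deny" confirms it.
    Returns the alert text, or None when no alert applies."""
    if event is None:
        return None
    f = event["fields"]
    if event["msgid"] >= 6 and f.get("Event_Type_Action") == "Deny":
        # The deny details sit near the front of the message, so they
        # survive truncation even when Url or the Avc_* fields do not.
        return "Flow Denied: {} -> {} ({}; {})".format(
            f.get("Flow_SrcIp", "?"),
            f.get("Flow_DstIp", "?"),
            f.get("Policy_Deny_Reason_Name", "no reason"),
            f.get("Web_Reputation_Threat_Type") or "no threat type",
        )
    return None


# Constructed samples, shortened from the two posted in the thread (the
# deny URL is made up). Both are cut mid-field, as the posted ones were.
SAMPLE_COMPLETE = (
    '1 2015-01-22T23:16:02.783Z 1.2.3.23 CiscoNGFW 2827 5 [ngfwEvent@9 '
    'Http_Response_Status="200" Flow_Dst_Service="tcp/80" Event_Type="0" '
    'Flow_DstIp="184.25.57.9" Flow_SrcIp="1.1.1.47" '
    'Url_Category_Name="Software Updates" Event_Type_Name="HTTP Complete" '
    'User_Realm="1.1.1.47" Policy_Name="Implicit Allow" '
    'Url="http://download.windowsupdate.com/d/msdownload/update/x.cab" '
    'Event_Type_Action="Info" Flow_DstPort="80" Avc_App_Na'
)
SAMPLE_DENY = (
    '1 2015-01-26T16:51:13.515Z 1.2.3.23 CiscoNGFW 2827 6 [ngfwEvent@9 '
    'Flow_Dst_Service="tcp/80" Event_Type="0" Flow_DstIp="199.27.79.129" '
    'Flow_SrcIp="1.1.1.32" Url_Category_Name="Business and Industry" '
    'Web_Reputation_Threat_Type="Adware" Event_Type_Name="HTTP Deny" '
    'User_Realm="1.1.1.32" Policy_Name="Implicit Allow" '
    'Url="http://ads.example.net/tracker.js" Event_Type_Action="Deny" '
    'Policy_Deny_Reason_Name="Web Reputation" Avc_App_Type="Infrastructure'
)

if __name__ == "__main__":
    for line in (SAMPLE_COMPLETE, SAMPLE_DENY):
        event = parse_cx_event(line)
        state = "truncated" if event["truncated"] else "complete"
        print("msgid", event["msgid"], state, "->", alert(event) or "no alert")
```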

Re: [ossec-list] OSSEC Decodes for Cisco ASA CX - Context-Aware Firewall - PRSM

2015-03-10 Thread Brent Morris
Thanks for the tip.  I submitted it as a pull request...

-Brent

On Tuesday, March 10, 2015 at 1:29:51 PM UTC-7, ChristianB wrote:
>
> Here is the commit: 
>
> https://github.com/score1more4me/ossec-hids/commit/ed45c6fc6fe02a9016e1e709f17a1960fcf42c40
>  
>
> It's not a pull request yet. 
>
> Regards 
> Christian 
>
>

[ossec-list] Re: Bypassing Asterisk rules

2015-03-10 Thread Brent Morris
You might need to flesh out the rules for asterisk.  I didn't see anything 
based on INVITE in the asterisk section of the decodes or the built-in 
rules.  

Sometimes it's necessary to add what you want to watch for in the 
local_rules.xml - it shouldn't be too tough to add a  for 
what you're looking for.

On Monday, March 9, 2015 at 10:04:02 AM UTC-7, Van Nistelroot wrote:
>
> Hi list, 
>
> When you attack PBX by enumerating users, you can do it via INVITE, 
> REGISTER and OPTIONS. 
>
> ossec is only able to detect REGISTER requests, but nothing happens 
> when I successfully try to enumerate via INVITE (tried myself). 
>
> Am I doing something wrong, or does ossec have to be tweaked? 
>
> Kind Regards, 
>
> Daniel 
>



[ossec-list] Re: nmap

2015-03-11 Thread Brent Morris
I haven't done it, but the documentation is here:

https://github.com/ossec/ossec-hids/blob/master/doc/nmap.txt


On Wednesday, March 11, 2015 at 7:39:30 AM UTC-7, alex petrov wrote:
>
> How do I configure ossec to monitor nmap logs and raise an alert when the 
> state of a port or host changes? Help please.
>



[ossec-list] Re: OSSEC Agent Version shows 2.8 when 2.8.1 is installed.

2015-03-11 Thread Brent Morris
I'd check to see if your host-deny.sh script includes the following.  I 
believe the only change from 2.8 to 2.8.1 was a workaround for 
CVE-2014-5284.

https://github.com/ossec/ossec-hids/commit/b4c42b1b0053d16e69e4581d2a52286ab2a248ff


On Wednesday, March 11, 2015 at 6:52:10 PM UTC-7, D-Dub wrote:
>
> test:/var/agent/bin# ./manage_agents
>
> *
> * OSSEC HIDS v2.8 Agent manager.*
>
>
> Is this expected when 2.8.1 is installed?  Also is there a way to verify 
> that 2.8.1 is installed?
>
> Thanks!
>



Re: [ossec-list] OSSEC Agentless script not passing commands

2015-03-17 Thread Brent Morris
The permissions on .passlist on my system are 744.



On Tuesday, March 17, 2015 at 5:37:46 AM UTC-7, Gaetan Noel wrote:
>
> Thanks for your answer, you were right, the script waits for a ">" and our 
> switches give us a "#", so I've changed the script accordingly and it works 
> now.
>
> Only problem is, when ossec runs that script it doesn't find the passwords. 
> I'm thinking it's a rights issue on the .passlist. Would you mind giving me 
> the rights you have on the file in your environment?
>
> Thanks,
> Gaetan
>
> On Monday, March 16, 2015 at 10:23:29 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 13, 2015 at 4:04 PM, Gaetan Noel  wrote: 
>> > Hello, 
>> > 
>> > I'm trying to setup agentless on our system but when I run the test 
>> command 
>> > the script successfully connects to my switch but it looks like the 
>> command 
>> > isn't run on it so it times out : 
>> > 
>> > [root@xxx:/var/ossec]# ./agentless/ssh_pixconfig_diff 
>> > switch_fim@xx 
>> > spawn ssh -c des switch_fim@x 
>> > No valid ciphers for protocol version 2 given, using defaults. 
>> > C 
>> > 
>>
>> I don't know for sure, but I'd bet this output is confusing the script. 
>>
>> > SWITCH_HOSTNAME# 
>> > ERROR: Timeout while running on host (too long to finish): 
>> > switch_fim@xx . 
>> > 
>> > All the config seems fine I've added the host using the correct command 
>> and 
>> > the ossec.conf looks like this : 
>> > 
>> >  
>> > ssh_pixconfig_diff 
>> > 60 
>> > switch_fim@ 
>> > periodic_diff 
>> > show conf 
>> >  
>> > 
>> > Thanks in advance :-) 
>> > 
>>
>



[ossec-list] Trying to create an application whitelist for Windows

2015-03-24 Thread Brent Morris
I'd like to create an application white list from Windows audit logs.

I have some systems that are fairly static in nature.  They only do one 
thing, and I want to be alerted when they deviate from this behavior.  An 
example use case could be a Windows Embedded POS (no cheeky acronym 
intended).  Alerts would be generated when the system is creating processes 
outside of its normal defined behavior.

Here's the issue.  I can't match the system_name from the completed decode. 
 It doesn't look like system_name is included in the rules syntax.

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

My thought was that I could modify the decoder.xml to parse out the 
executable name from the event log and stuff that in program_name.  Then 
perform a CDB lookup based on matching system_name.

But since that isn't possible, my second thought was to just do some 
creative matching from the local_rules.xml - however, these local_rules 
screw up all the other "audit success" rules.


  
  18104
  ^SYSTEM-NAME|Allowed1.exe|Allowed2.exe
  SYSTEM-NAME Application Whitelist


  
  18104
  ^SYSTEM-NAME|exe
  SYSTEM-NAME Application Blacklist



How can I positively match a single string "SYSTEM-NAME" and a long list of 
"or" strings?

Thank you!






[ossec-list] Re: Trying to create an application whitelist for Windows

2015-03-24 Thread Brent Morris
Never mind - I am going to try this... and adapt it for Windows audit 
process logs.

http://blog.rootshell.be/2014/02/10/tracking-processesmalwares-using-ossec/






[ossec-list] Re: Trying to create an application whitelist for Windows

2015-03-27 Thread Brent Morris
Josh - Thanks for the link and the information!  I took a quick peek at 
your work and it looks very thorough!  I will give it my full attention 
next week when I have more time.

Here's my quick and dirty approach for this...

It was clear to me that the windows decoder is a good start.  Which is a 
nice way of saying that it could use some fleshing out.  I took my approach 
for this from the following site: 
 http://www.richardosgood.com/blog/fixing-ossec-windows-logon-failure-events/

My use case is pretty interesting.  I have a Windows 2003 server that is in 
a gray area slightly outside of my control.  I am, however, allowed to run 
an OSSEC agent on this computer.  It is a one trick pony computer, and has 
very predictable behavior.  Given that this computer is connected to some 
sensitive networks, I wanted to be sure that anytime anyone runs anything 
other than the executables they need to do their job, I would receive an 
alert.

Other use cases might be that you want to enable GPO application 
whitelisting or applocker, but you don't want to break anything.  You could 
use this approach prior to implementing the GPOs and be assured that there 
are no other applications missing from your list.  There's another link in 
a previous post that has the applocker whitelist approach.  It looks to be 
quite good.  Unfortunately I'm still dealing with Windows 2003 here at 
least for the next 9 months. Windows XP Embedded would be another use case. 
 Plenty of POS computers running that software right now...  AUDIT_SUCCESS 
events will fly right under the OSSEC radar.

I suspect this approach would work for any system where process auditing is 
enabled.  Just check to see what event ID you need to trap and change the 
XML below to match.

Hope this helps someone out there!





 windows
 ^WinEvtLog: 





 windows
 windows
 ^\.+: (\w+)\((592)\):
 ^\.+: (\w+)\((592)\): \.+: (\S+): \.+: (\S+): 
\.+: \.+: \.+ \.+:\s+(\S+) 

 status, id, system_name, user, url
 name, location, user, system_name





 windows
 windows
 ^\.+: (\w+)\((\d+)\): (\.+): 
 (\.+): \.+: (\S+): 
 status, id, extra_data, user, system_name
 name, location, user, system_name






  
  18104
  ^592$

  SYSTEM-NAME
  
explorer.exe|rdpclip.exe|scrnsave.scr|your_executable_name_here.exe
  SYSTEM-NAME Application Whitelist



 18104
  ^592$

 SYSTEM-NAME
 SYSTEM-NAME Application Blacklist






[ossec-list] Re: Sysmon & OSSEC (Security Onion Integration)

2015-03-28 Thread Brent Morris
Thanks Josh!  Great stuff here...  For my particular use case, sysmon will 
log to the SYSTEM eventlog and enable me to capture more in-depth 
information beyond the image name of the executables being launched on the 
system.

I'll implement this next week!

-Brent

On Friday, March 27, 2015 at 6:29:03 AM UTC-7, DefensiveDepth wrote:
>
> Newly published paper: Using Sysmon to Enrich Security Onion's Host-Level 
> Capabilities 
> 
>
> Of particular note, I wrote an OSSEC decoder and a number of rules for 
> Sysmon Event ID 1: Process Created... 
>
> They can be found on Github 
> ... Feel free to tweak, 
> contribute back, send feedback, etc
>
> Keep in mind that there may be issues with the current stable release 
> (2.8) as the  bug is unfixed--
>
> I believe the bug fix is slated to be released with 2.9...(
> https://github.com/ossec/ossec-hids/issues/224)
>
> -Josh
>



[ossec-list] Please help with CDB lists....

2015-03-31 Thread Brent Morris
*Raw Log...*

2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: 
SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 
06:37:27.465 PM  ProcessGuid: {7531FA7E-E967-551A--0010D2A58706}   
   ProcessId: 5868  Image: C:\Folder\Folder\file.exe  CommandLine: 
C:\Folder\Folder\file.exe   User: DOMAIN\Username  LogonGuid: 
{7531FA7E-E963-551A--0020EB238706}  LogonId: 0x68723eb 
 TerminalSessionId: 1  IntegrityLevel: no level  HashType: SHA1 
 Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38  ParentProcessGuid: 
{7531FA7E-E965-551A--0010038F8706}  ParentProcessId: 476 
 ParentImage: C:\Folder\Folder\Parent.exe  ParentCommandLine: 
"C:\Folder\Folder\Parent.exe"

*Decoded...*

**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'C:\Folder\Folder\file.exe'
   dstuser: 'DOMAIN\Username'
   url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
   extra_data: 'C:\Folder\Folder\Parent.exe'

**Phase 3: Completed filtering (rules).
   Rule id: '100242'
   Level: '12'
   Description: 'Unauthorized Process Detected'
**Alert to be generated.


*Rules...*


  18100
  rules/lists/filelist
  Authorized Process



  18100
  rules/lists/filelist
  Unauthorized Process


*CDB file contents...*

19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe

*Goal:*

I would like to monitor a system for expected behavior and receive alerts 
when unexpected behavior occurs.  I have a list of SHA1 hashes of the 
executables as in the CDB file contents above.  I simply want an alert when 
there are processes executed from this system outside of its baseline.

*Issue:*  

I cannot get a MATCH to work in the CDB.  Maybe it's something simple and 
I've just been looking at this too long.  I've commented out the 100242 
rule and I cannot get 100241 to work.  

Much of the documentation supports no file extensions on the cdb lists in 
the ossec.conf and in the rules.xml - although I can find examples where 
people have included extensions...

Maybe something silly I've overlooked?  Please... someone slap some sense 
into me!!! 

Thank you!





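Added example (Python; not code from this thread or from OSSEC) that decodes the Sysmon "Process Create" line posted above into the same fields the poster's decoder produces and performs the hash lookup that the two CDB rules express. The CDB source line and the first sample event are the ones posted; the second event and its SHA1 are constructed, and the level of rule 100241 is not shown in the thread, so 0 (ignore) is assumed. The same baseline idea applies to the event-592 whitelist post above, which carries no raw log line to parse.

```python
"""Baseline check for Sysmon "Process Create" events as OSSEC receives them.

Added example, not code from the thread or from OSSEC. Image -> status,
User -> dstuser, SHA1 -> url and ParentImage -> extra_data mirror the
poster's decoder; evaluate() mirrors the two CDB rules: SHA1 found in the
list -> 100241, not found -> 100242.
"""
import re

# OSSEC agent framing for a Windows event:
#   "<ts> WinEvtLog: <log>: <type>(<id>): <source>: <user>: <domain>: <computer>: <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) WinEvtLog: (?P<log>[^:]+): "
    r"(?P<type>\w+)\((?P<eid>\d+)\): (?P<source>[^:]+): (?P<user>[^:]+): "
    r"(?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$"
)

# Rule ids and the level 12 come from the thread; level 0 for 100241 is
# an assumption (the thread does not show it).
RULES = {
    "authorized": ("100241", 0, "Authorized Process"),
    "unauthorized": ("100242", 12, "Unauthorized Process Detected"),
}


def parse_sysmon_event(line):
    """Return the decoded fields of a Sysmon event ID 1 line, or None for
    any other Windows event."""
    m = HEADER_RE.match(line.strip())
    if m is None or m.group("source") != "Sysmon" or m.group("eid") != "1":
        return None
    # Sysmon separates its fields with runs of two or more spaces; the
    # first token is the event name ("Process Create:") and has no value.
    fields = {}
    for token in re.split(r"\s{2,}", m.group("message").strip()):
        key, sep, value = token.partition(": ")
        if sep:
            fields[key] = value.strip()
    return {
        "computer": m.group("computer"),
        "status": fields.get("Image"),            # decoder field: status
        "dstuser": fields.get("User"),            # decoder field: dstuser
        "url": fields.get("Hash"),                # decoder field: url (SHA1)
        "extra_data": fields.get("ParentImage"),  # decoder field: extra_data
        "fields": fields,
    }


def load_cdb_source(text):
    """Parse the key:value source of a CDB list (what ossec-makelists
    compiles): the key is everything up to the first ':'."""
    baseline = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            key, _, value = line.partition(":")
            baseline[key] = value
    return baseline


def evaluate(event, baseline):
    """Return (rule_id, level, description) as the two CDB rules would.

    A Sysmon event without a Hash field (hashing disabled) cannot be
    matched against a hash list and is reported as unauthorized rather
    than silently passed."""
    sha1 = event["url"]
    if sha1 and sha1 in baseline:  # key lookup on the decoded url field
        return RULES["authorized"]
    return RULES["unauthorized"]


# CDB source exactly as posted in the thread (one key:value line).
CDB_SOURCE = "19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe\n"

# The raw log posted in the thread, joined onto one line.
SAMPLE_BASELINE_EVENT = (
    "2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: "
    "SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 06:37:27.465 PM  "
    "ProcessGuid: {7531FA7E-E967-551A--0010D2A58706}  ProcessId: 5868  "
    r"Image: C:\Folder\Folder\file.exe  CommandLine: C:\Folder\Folder\file.exe   "
    r"User: DOMAIN\Username  LogonGuid: {7531FA7E-E963-551A--0020EB238706}  "
    "LogonId: 0x68723eb  TerminalSessionId: 1  IntegrityLevel: no level  "
    "HashType: SHA1  Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38  "
    "ParentProcessGuid: {7531FA7E-E965-551A--0010038F8706}  ParentProcessId: 476  "
    r"ParentImage: C:\Folder\Folder\Parent.exe  "
    r'ParentCommandLine: "C:\Folder\Folder\Parent.exe"'
)
# Constructed: same host, a binary outside the baseline, made-up SHA1.
SAMPLE_UNKNOWN_EVENT = (
    "2015 Mar 31 11:41:09 WinEvtLog: System: INFORMATION(1): Sysmon: Username: "
    "SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 06:41:09.102 PM  "
    r"ProcessId: 6012  Image: C:\Users\Public\tool.exe  "
    r"CommandLine: C:\Users\Public\tool.exe  User: DOMAIN\Username  "
    "HashType: SHA1  Hash: 0123456789ABCDEF0123456789ABCDEF01234567  "
    r"ParentProcessId: 476  ParentImage: C:\Folder\Folder\Parent.exe"
)

if __name__ == "__main__":
    baseline = load_cdb_source(CDB_SOURCE)
    for line in (SAMPLE_BASELINE_EVENT, SAMPLE_UNKNOWN_EVENT):
        event = parse_sysmon_event(line)
        rule_id, level, text = evaluate(event, baseline)
        print(f"rule {rule_id} level {level}: {text} ({event['status']})")
```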

[ossec-list] Re: Please help with CDB lists....

2015-04-01 Thread Brent Morris
I found it...

The issue was that I prepended a / in ossec.conf.

bad:
/lists/filename

good!
lists/filename


Thanks for your help!

On Tuesday, March 31, 2015 at 3:05:32 PM UTC-7, DefensiveDepth wrote:

> 1) Confirm that you have the list referenced in ossec.conf  ie 
> lists/psexec
>
> 2) Create the cdb file with no extension ie vi /var/ossec/lists/psexec
> 3) Run: /var/ossec/bin/ossec-makelists, it should create a file named 
> psexec.cdb in the lists folder
>
> When doing my first CDB list a couple months back I ran into some weird 
> issues with the ossec-makelists & file extensions...  The above are my raw 
> notes that eventually worked
>
> -Josh
>
>
>
> On Tuesday, March 31, 2015 at 4:52:51 PM UTC-4, Brent Morris wrote:
>>
>> *Raw Log...*
>>
>> 2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: 
>> SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 
>> 06:37:27.465 PM  ProcessGuid: {7531FA7E-E967-551A--0010D2A58706}   
>>ProcessId: 5868  Image: C:\Folder\Folder\file.exe  CommandLine: 
>> C:\Folder\Folder\file.exe   User: DOMAIN\Username  LogonGuid: 
>> {7531FA7E-E963-551A--0020EB238706}  LogonId: 0x68723eb 
>>  TerminalSessionId: 1  IntegrityLevel: no level  HashType: SHA1 
>>  Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38  ParentProcessGuid: 
>> {7531FA7E-E965-551A--0010038F8706}  ParentProcessId: 476 
>>  ParentImage: C:\Folder\Folder\Parent.exe  ParentCommandLine: 
>> "C:\Folder\Folder\Parent.exe"

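
The allowlist check this thread is building, written out as an added example in Python (not OSSEC's own code and not posted by anyone in the thread): it pulls the same fields out of the Sysmon Process Create line that the windows decoder exposes (status, dstuser, url, extra_data), looks the SHA1 up in a key:value list in the format the thread feeds to ossec-makelists, and raises the thread's "Unauthorized Process Detected" alert when the hash is absent. The first sample event mirrors the line quoted in the thread; the second event, its hash and path, the regexes and the alert dict layout are my own constructions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events. The first mirrors the Sysmon "Process Create"
# line quoted in this thread (same field layout and SHA1); the second is a
# made-up event for a binary that is not on the allowlist.
SAMPLE_EVENTS = [
    "2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: "
    "SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 06:37:27.465 PM  "
    "ProcessGuid: {7531FA7E-E967-551A--0010D2A58706}  ProcessId: 5868  "
    "Image: C:\\Folder\\Folder\\file.exe  CommandLine: C:\\Folder\\Folder\\file.exe  "
    "User: DOMAIN\\Username  LogonGuid: {7531FA7E-E963-551A--0020EB238706}  "
    "LogonId: 0x68723eb  TerminalSessionId: 1  IntegrityLevel: no level  "
    "HashType: SHA1  Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38  "
    "ParentProcessGuid: {7531FA7E-E965-551A--0010038F8706}  ParentProcessId: 476  "
    "ParentImage: C:\\Folder\\Folder\\Parent.exe  ParentCommandLine: \"C:\\Folder\\Folder\\Parent.exe\"",
    "2015 Mar 31 11:40:02 WinEvtLog: System: INFORMATION(1): Sysmon: Username: "
    "SYSTEM-NAME: SYSTEM-NAME: Process Create:  UtcTime: 3/31/2015 06:40:02.118 PM  "
    "ProcessGuid: {7531FA7E-E9A2-551A--0010AA118706}  ProcessId: 6120  "
    "Image: C:\\Users\\Public\\dropper.exe  CommandLine: C:\\Users\\Public\\dropper.exe  "
    "User: DOMAIN\\Username  LogonGuid: {7531FA7E-E963-551A--0020EB238706}  "
    "LogonId: 0x68723eb  TerminalSessionId: 1  IntegrityLevel: Medium  "
    "HashType: SHA1  Hash: 0000000000000000000000000000000000000001  "
    "ParentProcessGuid: {7531FA7E-E965-551A--0010038F8706}  ParentProcessId: 476  "
    "ParentImage: C:\\Folder\\Folder\\Parent.exe  ParentCommandLine: \"C:\\Folder\\Folder\\Parent.exe\"",
]

# Constructed allowlist in the key:value source format the thread feeds to
# ossec-makelists (the SHA1 is the key, the file name is the value).
ALLOWLIST_CDB = "19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe\n"

# Sysmon fields are "Name: value" pairs separated by runs of spaces.
# \bImage: deliberately does not match ParentImage:, and \bHash: does not
# match HashType:.
_FIELDS = {
    "image": re.compile(r"\bImage:\s+(.+?)\s{2,}"),
    "user": re.compile(r"\bUser:\s+(\S+)"),
    "hash": re.compile(r"\bHash:\s+([0-9A-Fa-f]{40})\b"),
    "parent_image": re.compile(r"\bParentImage:\s+(.+?)\s{2,}"),
}


def load_cdb(text: str) -> Dict[str, str]:
    """Parse key:value lines into a dict. Keys are kept verbatim: the CDB
    lookup is a plain key match, so the list must use the same hex case
    that Sysmon writes (uppercase here)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        entries[key] = value
    return entries


def parse_process_create(line: str) -> Optional[Dict[str, str]]:
    """Extract image, user, hash and parent image from a Sysmon Process Create
    event; return None for any other log line."""
    if "Sysmon:" not in line or "Process Create:" not in line:
        return None
    fields: Dict[str, str] = {}
    for name, pattern in _FIELDS.items():
        m = pattern.search(line)
        if not m:
            return None
        fields[name] = m.group(1)
    return fields


def evaluate(line: str, allowlist: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Equivalent of the thread's rule pair: a hash found in the list is the
    authorized case (no alert); anything else is an unauthorized process."""
    event = parse_process_create(line)
    if event is None or event["hash"] in allowlist:
        return None
    return {"level": 12, "description": "Unauthorized Process Detected", **event}


def run(lines: List[str], cdb_text: str) -> List[Dict[str, object]]:
    """Evaluate every line against the list and return the alerts raised."""
    allowlist = load_cdb(cdb_text)
    return [a for a in (evaluate(l, allowlist) for l in lines) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, ALLOWLIST_CDB):
        print(f"[{alert['level']}] {alert['description']}: {alert['image']} "
              f"({alert['hash']}) by {alert['user']} from {alert['parent_image']}")
```

Running it prints one alert, for the second (constructed) event only. The same exact-match behaviour is why a hash list built from a tool that emits lowercase hex would never match Sysmon's uppercase output, which is worth checking before suspecting the list path.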


[ossec-list] Re: Agentless not writing what changes are detected

2015-04-08 Thread Brent Morris
Thanks for the question.  Mine's apparently been broken for quite some time!

Are you just grepping the alerts.log or are you being alerted via email?  
You look like you're posting out of the alerts.log... you might add grep -A 
10 agentless alerts.log 

Here's the example I'm seeing via email now that I've fixed mine..

Also, do you really have a PIX?  If you have an ASA, the 
ssh_asa-fwsmconfig_diff might be the way to go.  I know the PIX script has 
an issue with the expect password.


*OSSEC HIDS Notification. 2015 Apr 08 11:37:39*
*Received From: (ssh_asa-fwsmconfig_diff) user@1.2.3.4->agentless*

*Rule: 555 fired (level 7) -> "Integrity checksum for agentless device 
changed."*
*Portion of the log(s):*

ossec: agentless: Change detected:
56c56
< Botnet Traffic Filter : Enabled 458 days
---
> Botnet Traffic Filter : Enabled 457 days
375c375
< ssh timeout 59
---
> ssh timeout 51
More changes..

 --END OF NOTIFICATION

 



[ossec-list] Re: Agentless not writing what changes are detected

2015-04-08 Thread Brent Morris
Yeah, I realized I'm going to get an alert every day for the botnet filter 
license counter too.

Which command are you referring to?

On Wednesday, April 8, 2015 at 12:16:22 PM UTC-7, Gaetan Noel wrote:

> Thanks for your help guys.
>
> You are right Brett, the alert.log has all the info. The issue I have is 
> with Splunk, everything gets sent via syslog and the event is as I pasted 
> above. For the alert.log here's what I get :
>
> *** Alert 1428518183.14013429: - syslog,sshd,recon,*
> *--*
> *Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'*
> *ossec: agentless: Change detected:*
> *1404c1404*
> *< ntp clock-period 22519145*
> *---*
> *> ntp clock-period 22519163*
> *2806a2807*
> *> Connection to x.x.x.x closed by remote host.*
>
> That script doesn't give me any problem , it seems to work fine. Although 
> I should probably change something so it doesn't alert me for the NTP 
> change. May I ask what command you are running ?
>
> Thanks,
> Gaetan
>



Re: [ossec-list] Re: Agentless not writing what changes are detected

2015-04-08 Thread Brent Morris
Oh, the script uses basic sh run and sh ver - If you want to filter out the 
ntp offset, you may consider changing the following in your 
ssh_pixconfig_diff

send "show running-config\r"

change to:

send "show running-config | grep -v ntp clock-period\r"

then test..  but I do think the ossec alert log is showing all the changes.  
I would have to test with more changes to verify that.



On Wednesday, April 8, 2015 at 3:34:26 PM UTC-7, Gaetan Noel wrote:

> The one you are running on your switches. I m using "show config". 
> Actually it might be easier to filter out ntp results. 
>
> Any idea why the syslog output is not showing the full changes ?
> On Wed. 8 Apr. 2015 at 15:36 Brent Morris wrote:
>
>> Yeah, I realized I'm going to get an alert every day for the botnet 
>> filter license counter too.
>>
>> Which command are you referring to?
>>
>



[ossec-list] Re: whitelist and logging

2015-04-14 Thread Brent Morris
Do you have the <logall>yes</logall> option set in your ossec.conf?

When I scan my ossec box, I see plenty of attempts in the archive.log...  

On Monday, April 13, 2015 at 5:26:15 PM UTC-7, ri...@amcoonline.net wrote:
>
> Hi gang:
>
> I've been working hard to get up-to-date on OSSEC but as you all know, 
> there's a lot to cover.  I've read the docs on the website and have a copy 
> of Brad Lhotsky's guide but am running into an issue in setup that I 
> haven't quite figured out.
>
> I have a test setup with a server named 'ossec' and an agent named 
> 'logserver'.  With the default install, if I run a brute force ssh password 
> attack against 'logserver' I will get locked out of both machines after 
> about 16 bad password attempts using medusa.  Great!  That's what I want it 
> to do.  Except that I don't want to be locked out from my own machine.
>
> I added my local subnet to the conf file on 'ossec'.
>
> root@ossec:/var/ossec/etc# head ossec.conf 
> 
>
>  
>
>
>
> yes 
>
> root@localhost 
>
> 127.0.0.1 
>
> ossecm@ossec 
>
> 192.168.2.0/24 
>
>   
>
>
>
>
> Once I did that I restarted both server and agent.
>
> Now when I run a password crack attempt from my machine I no longer get 
> locked out, which is what I wanted, but I also don't see the attempt logged 
> anywhere.  I was under the impression that OSSEC would still log any rules 
> that are violated by a whitelisted server.
>
> What am I missing?  How can I log bad behavior from whitelisted systems 
> without locking myself out?
>
> Thanks,
>
> Rick Chatham
> amco.me
>
>



[ossec-list] Re: whitelist and logging

2015-04-15 Thread Brent Morris
Add that logall option right in the <global> section and restart ossec.

On Wednesday, April 15, 2015 at 2:07:02 AM UTC-7, ri...@amcoonline.net 
wrote:
>
> @brent Morris
>
> I don't have the <logall> option set on either the server or agent.  Which 
> section does it go in?
>
> Here is the local_rules.xml from the server.
> -
> 
>
>   
>   
> 5711
> 1.1.1.1
> Example of rule that will ignore sshd 
> failed logins from IP 1.1.1.1.
>   
>
>
>   
>   
>
>
>   
>   
>
>  
>
>
> 
> ------
>
> Thanks in advance,
>
> Rick
>



[ossec-list] Re: How Long Will It Take Me To Get OSSEC Up & Running?

2015-04-20 Thread Brent Morris
I'll take a shot at answering this...

*1. How long do you think it will take to run up the OSSEC installation on 
1 VM and get 15-20 network components configured?*

This depends entirely on your approach.  Installing a Linux distribution and 
installing OSSEC won't take you very long at all.  There's also an OVA virtual 
appliance download as well if you use VirtualBox.  If you use VMWare or 
other... it will require some conversion and cost you more time than just 
installing Linux and OSSEC separately.  Installing Linux would be maybe an 
hour?  The OSSEC install is pretty fast!!!  Maybe several minutes for that 
piece... :) 

I would take it one step at a time.  Get OSSEC installed and running.. then 
add a client or two.

*2. How skilled does somebody need to be to do the work, do they need 
specialist knowledge or is it all pretty standard stuff?*

It looks like you have some Linux already running.  General knowledge of 
Linux is very helpful...  editing text files, running binaries and scripts, 
basic understanding of IP protocols, syslog, etc.  Critical thinking, 
general troubleshooting, and Internet research skills are also very helpful 
as well...  If you have Windows in your environment, then Active Directory 
and/or Group Policy knowledge is also desirable.

*3. If we got in a pro who had setup tools like OSSEC before, how long 
should it take them?*

That entirely depends on your environment and what you want to monitor.  If 
you could take a moment to describe your general environment and goals, 
then someone could take a better shot at answering this question.

*4. Do you know how many threat signatures are provided out of the box? 
Like how many scenarios are pre-packaged for event monitoring?*

Threat signatures would be a somewhat inaccurate term here...  OSSEC uses 
log decodes and rules as its basis for decision making.  It does have 
"rootkit" detection and does monitor clients for changes to key areas of a 
given operating system.  But basically, there are two primary ways OSSEC 
uses to monitor systems.  Client/Manager or syslog.  So if your device 
can't run the OSSEC client but can send logs via syslog, then OSSEC has the 
ability to monitor those logs (caveat: you might have to write your own 
decodes and rules if they don't already exist).  OSSEC does have the 
ability built-in to analyze many popular platforms.

HTH!


On Sunday, April 19, 2015 at 4:23:14 PM UTC-7, gaucmuxb wrote:
>
> Hello,
>
> I am currently looking at my options for log management and event 
> monitoring. OSSEC seems like a great open source option but I don't know 
> how long it's going to get up and running.
>
> The environment is comprised of 15-20 network components, including 
> Linux VMs and firewalls. The team is technically skilled but we haven't 
> worked with log management and event monitoring tools before, so if we did 
> it ourselves there would be some learning on the job.
>
> Questions:
> 1. How long do you think it will take to run up the OSSEC installation on 
> 1 VM and get 15-20 network components configured?
> 2. How skilled does somebody need to be to do the work, do they need 
> specialist knowledge or is it all pretty standard stuff?
> 3. If we got in a pro who had setup tools like OSSEC before, how long 
> should it take them?
> 4. Do you know how many threat signatures are provided out of the box? 
> Like how many scenarios are pre-packaged for event monitoring?
>
> I appreciate that I have given only general information about the 
> environment and asked questions that relate to your individual experience, 
> but any thoughts and experiences would be really helpful.
>
> Thanks for your help, GM
>
>



[ossec-list] Re: Process monitoring and alert is missing.

2015-04-21 Thread Brent Morris
Yeah, it looks like you solved it... the 500 alerts are for OSSEC.

OSSEC will automatically alert you when an agent goes on or offline... what 
are your intentions with that rule?  I'm not sure you need the regular 
expression line if you just want to rewrite the alert level of a 530 rule.

On Tuesday, April 21, 2015 at 11:34:04 AM UTC-7, Graeme Stewart wrote:
>
> Ok, looks like I was able to answer my own question :-)
>
> First issue was my understanding of the archive.log syntax. The actual log 
> record is:
>
> ossec: output: 'host_list':ID: 000, Name: main_server.blahdomain.com 
> (server), IP: 127.0.0.1, Active/Local
>
> This yields the following output when tested:
>
> # /var/ossec/bin/ossec-logtest 
> 2015/04/21 11:10:50 ossec-testrule: INFO: Reading local decoder file.
> 2015/04/21 11:10:50 ossec-testrule: INFO: Started (pid: 1732).
> ossec-testrule: Type one log per line.
>
> ossec: output: 'host_list':ID: 000, Name: main_server.blahdomain.com 
> (server), IP: 127.0.0.1, Active/Local
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'ossec: output: 'host_list':ID: 000, Name: 
> main_server.blahdomain.com (server), IP: 127.0.0.1, Active/Local'
>hostname: 'server.blahdomain.com'
>program_name: '(null)'
>log: 'ossec: output: 'host_list':ID: 000, Name: 
> main_server.blahdomain.com (server), IP: 127.0.0.1, Active/Local'
>
> **Phase 2: Completed decoding.
>decoder: 'ossec'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '530'
>Level: '0'
>Description: 'OSSEC process monitoring rules.'
>
> So for my own understanding the decoder hits as an "ossec" type record, 
> but my rule didn't include that as a check. Fixing my rule to:
>
>   
> 530
> \s+ID:\s+\d+,\s+Name:\.+IP:
> OSSEC agent status
>   
>
> Leads to the alerts being generated correctly. Yay!
>
> tl;dr the sid check is important, and if it hits it will ignore rules 
> where that is not set.
>
>
> On Tuesday, April 21, 2015 at 10:31:49 AM UTC-7, Graeme Stewart wrote:
>>
>> Hi all,
>>
>> Hopefully someone can offer some insight :-) I'm very new to OSSEC.
>>
>> I've enabled full log archiving on the server itself:
>>
>> 
>> no
>> yes
>> 
>>
>> I've also setup a process monitor on the OSSEC server:
>>
>> 
>>   command
>>   host_list
>>   600
>>   /var/ossec/bin/agent_control -l
>> 
>>
>> I can see log entries in the archive.log corresponding to this actually 
>> running:
>>
>> 2015 Apr 21 10:03:21 some_sexy_hostname_here->host_list ossec: output: 
>> 'host_list': OSSEC HIDS agent_control. List of available agents:
>> 2015 Apr 21 10:03:21 some_sexy_hostname_here->host_list ossec: output: 
>> 'host_list':ID: 000, Name: main_server.blahdomain.com (server), IP: 
>> 127.0.0.1, Active/Local
>> 2015 Apr 21 10:03:21 some_sexy_hostname_here->host_list ossec: output: 
>> 'host_list':ID: 001, Name: a_client_at.blahdomain.com, IP: 
>> 400.300.200.1, Active
>> 2015 Apr 21 10:03:21 some_sexy_hostname_here->host_list ossec: output: 
>> 'host_list':ID: 002, Name: another_client_at.blahdomain.com, IP: 
>> 400.300.200.2, Active
>>
>> ...and I've written an alert  to fire on this 
>> within: /var/ossec/rules/local_rules.xml
>>
>> 
>>   \s+ID:\s+\d+,\s+Name:\.+IP:
>>   OSSEC agent status
>> 
>>
>> When I test this rule, I get:
>>
>> # /var/ossec/bin/ossec-logtest 
>> 2015/04/21 10:26:48 ossec-testrule: INFO: Reading local decoder file.
>> 2015/04/21 10:26:48 ossec-testrule: INFO: Started (pid: 1477).
>> ossec-testrule: Type one log per line.
>>
>> 2015 Apr 21 10:03:21 some_sexy_hostname_here->host_list ossec: output: 
>> 'host_list':ID: 001, Name: a_client_at.blahdomain.com, IP: 
>> 400.300.200.1, Active
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '2015 Apr 21 10:03:21 
>> some_sexy_hostname_here->host_list ossec: output: 'host_list':ID: 001, 
>> Name: a_client_at.blahdomain.com, IP: 400.300.200.1, Active'
>>hostname: 'main_server.blahdomain.com'
>>program_name: '(null)'
>>log: '2015 Apr 21 10:03:21 some_sexy_hostname_here->host_list 
>> ossec: output: 'host_list':ID: 001, Name: a_client_at.blahdomain.com, 
>> IP: 400.300.200.1, Active'
>>
>> **Phase 2: Completed decoding.
>>No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '100040'
>>Level: '5'
>>Description: 'OSSEC agent status'
>> **Alert to be generated.
>>
>> Unfortunately I never see this alert show up in 
>> /var/ossec/logs/alerts/alerts.log. 
>>
>> I'm running out of ideas why this might be the case. Can anyone offer 
>> some info on how I might best troubleshoot this issue to identify the root 
>> cause? (secretly hoping it's something obvious that I'm missing!)
>>
>> Thank you,
>>
>> Graeme
>>
>>

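
The agent-status check this thread ends up with (a rule on top of sid 530 matching the agent_control output), as an added example in Python rather than OSSEC rule syntax; it is not code from the thread or from OSSEC. It parses the host_list lines the way the thread's regex does and returns the agents whose status is not Active, which is what a level-5 alert on those lines is really after. The archive.log lines are constructed in the shape quoted above; the hostnames, addresses and the Disconnected / Never connected entries are made up.

```python
import re
from typing import Dict, List

# Constructed sample archive.log lines in the shape quoted in this thread: the
# output of "/var/ossec/bin/agent_control -l" collected through a command
# localfile named host_list. Hostnames and addresses are made up, and an
# unrelated sshd line is included to show it is ignored.
SAMPLE_ARCHIVE_LINES = [
    "2015 Apr 21 10:03:21 manager->host_list ossec: output: 'host_list': "
    "OSSEC HIDS agent_control. List of available agents:",
    "2015 Apr 21 10:03:21 manager->host_list ossec: output: 'host_list':"
    "ID: 000, Name: main_server.blahdomain.com (server), IP: 127.0.0.1, Active/Local",
    "2015 Apr 21 10:03:21 manager->host_list ossec: output: 'host_list':"
    "ID: 001, Name: a_client_at.blahdomain.com, IP: 192.0.2.1, Active",
    "2015 Apr 21 10:03:21 manager->host_list ossec: output: 'host_list':"
    "ID: 002, Name: another_client_at.blahdomain.com, IP: 192.0.2.2, Disconnected",
    "2015 Apr 21 10:03:21 manager->host_list ossec: output: 'host_list':"
    "ID: 003, Name: new_box.blahdomain.com, IP: any, Never connected",
    "2015 Apr 21 10:03:25 manager->/var/log/auth.log sshd[1234]: "
    "Failed password for root from 192.0.2.9 port 4242 ssh2",
]

# Python counterpart of the thread's OSSEC regex \s+ID:\s+\d+,\s+Name:\.+IP:
# (in OSSEC syntax \.+ means "any characters"). The named groups also pull
# out the trailing status, which the OSSEC rule does not capture.
AGENT_LINE = re.compile(
    r"ossec: output: 'host_list':ID:\s+(?P<id>\d+),\s+Name:\s+(?P<name>.+?),"
    r"\s+IP:\s+(?P<ip>\S+),\s+(?P<status>.+?)\s*$"
)


def parse_agent_lines(lines: List[str]) -> List[Dict[str, str]]:
    """One dict per agent line; the agent_control banner and unrelated
    events (no 'host_list':ID: prefix) are skipped."""
    agents: List[Dict[str, str]] = []
    for line in lines:
        m = AGENT_LINE.search(line)
        if m:
            agents.append(m.groupdict())
    return agents


def not_active(lines: List[str]) -> List[Dict[str, str]]:
    """Agents worth alerting on: any status that does not start with
    'Active' (Disconnected, Never connected)."""
    return [a for a in parse_agent_lines(lines)
            if not a["status"].startswith("Active")]


if __name__ == "__main__":
    for agent in not_active(SAMPLE_ARCHIVE_LINES):
        print(f"agent {agent['id']} {agent['name']} ({agent['ip']}): {agent['status']}")
```

On the sample input this reports agents 002 and 003. In OSSEC terms the equivalent is a child of sid 530 whose regex includes the status word, so the Active lines stay at level 0 and only the others raise an alert.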

[ossec-list] Re: Agents Not Connecting

2015-04-21 Thread Brent Morris
What's your process for adding agents?  From the manager:  Add the agent, 
extract the key... From the agent:  paste the key on the agent - plug in IP 
address.  Save and restart agent ?

What do you see in your /var/ossec/logs/ossec.log

No issues with IP connectivity?  And active response is disabled??



On Tuesday, April 21, 2015 at 12:52:58 PM UTC-7, Dan Mackin wrote:
>
> I'm having a super hard time working to get some agents back connected to 
> my OSSEC server. I'm not really sure where to start so I'll show you what 
> I've got so far:
>
> All of the hosts shown when I run ossec_control -l show Disconnected or 
> Never Connected. However, I'm able to restart agents using the 
> ossec_control -R  command AND my logs on my agents show that they're 
> connected to my server. Why won't they show as connected? I've tried 
> removing agents and re-adding them. Restarting services on both server and 
> guest doesn't help and doesn't show any errors. Debug mode doesn't give me 
> anything good either. What am I missing?
>
> Requisite details:
>
> $ uname -ar; cat /etc/*release
> Linux 3.13.0-29-generic #53-Ubuntu SMP Wed Jun 4 21:00:20 UTC 2014 x86_64 
> x86_64 x86_64 GNU/Linux
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
> NAME="Ubuntu"
> VERSION="14.04.1 LTS, Trusty Tahr"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 14.04.1 LTS"
> VERSION_ID="14.04"
> HOME_URL="http://www.ubuntu.com/";
> SUPPORT_URL="http://help.ubuntu.com/";
> BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/";
>
> $ sudo /var/ossec/bin/ossec-logtest -V
>  
> OSSEC HIDS v2.8 - Trend Micro Inc.
>  
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 2) as 
> published by the Free Software Foundation. For more details, go to 
> http://www.ossec.net/main/license/
>
>
>



[ossec-list] Re: Active-Response and Fortinet firewall?

2015-05-08 Thread Brent Morris
https://groups.google.com/forum/#!topic/ossec-list/_0fqn9fU8WA

I've done something similar in the past with an ASA.  I have no experience 
with a Fortinet firewall, but if you can manage it via SSH, you should be 
able to crawl into the ASA's example fairly easily.


On Monday, May 4, 2015 at 4:40:36 AM UTC-7, Xme wrote:
>
> Hi *,
>
> I was just wondering if somebody has already interconnected a Fortinet 
> firewall with an Active-Response script? (to block offender's IP addresses)
> Just to not re-invent the wheel...
>
> This is not directly related to OSSEC but if you've some ideas to share, 
> ping me off list... Tx!
>
> KR,
> /x
>
>



Re: [ossec-list] Agentless Network Devices

2015-05-12 Thread Brent Morris
You might need to tune the agentless script.  Not sure if you're running 
PIX or the ASA script  but the script is in /var/ossec/agentless

look for the send "show running-config" or send "show version".  With the 
Cisco CLI, you can omit information using the grep -v... it should be in 
there as an example.

you might need to change the command to..

*send "show running-config | grep -v ntp\r"* or something similar to omit 
that line.

then test it...

*cd /var/ossec && ./agentless/ssh_asa-fwsmconfig_diff youru...@host.ip.addie*

HTH!

On Tuesday, May 12, 2015 at 10:08:11 AM UTC-7, Adam Whelan wrote:
>
> I manually edited the password in the .passlist file and all is well now. 
> The only remaining issue is now I get an alert every time the check runs 
> because of ntp clock-period always changes. Not sure if there is a way to 
> set Ossec to ignore this type of difference. 
>
> _ 
> Adam Whelan 
> Senior Systems Analyst 
> http://www.blueprintmedicines.com 
> O: 617-714-6761 
> M: 508-364-2118 
> Skype: Adam.Whelan4 
>
>
>
> -Original Message- 
> From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> Sent: Tuesday, May 12, 2015 11:41 AM 
> To: ossec...@googlegroups.com  
> Subject: Re: [ossec-list] Agentless Network Devices 
>
> On Tue, May 12, 2015 at 11:38 AM, Adam Whelan <
> awh...@blueprintmedicines.com > wrote: 
> > OK further update and root cause. My enable password uses the "$" which 
> after that character the rest of the password is cutoff. Not sure if there 
> is a way around this, I am seeing if I can just edit the .passlist file 
> manually to fix though I still believe it will fail with that character 
> being in the enable password. Any thoughts? 
> > 
>
> Perhaps you can escape it with a "\" or something (I don't know much about 
> expect). 
>
> > _ 
> > Adam Whelan 
> > Senior Systems Analyst 
> > http://www.blueprintmedicines.com 
> > O: 617-714-6761 
> > M: 508-364-2118 
> > Skype: Adam.Whelan4 
> > 
> > 
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] 
> > On Behalf Of Adam Whelan 
> > Sent: Tuesday, May 12, 2015 11:28 AM 
> > To: ossec...@googlegroups.com  
> > Subject: RE: [ossec-list] Agentless Network Devices 
> > 
> > Here it is from two different Cisco switches. SW-01 and SW-02 
> > 
> > [root@srv-security-01 ossec]# agentless/ssh_pixconfig_diff user@sw-01 
> password enable_password spawn ssh -c des user@sw-01 No valid ciphers for 
> protocol version 2 given, using defaults. 
> > Password: 
> > 
> > SW-01>INFO: Starting. 
> > enable 
> > Password: 
> > % Access denied 
> > 
> > SW-01>ERROR: Timeout while going to enable mode on host: netadmin@sw-01 
> . 
> > 
> > -- 
> > -- 
> > 
> > [root@srv-security-01 ossec]# agentless/ssh_pixconfig_diff user@sw-02 
> password enable_password spawn ssh -c des user@sw-02 No valid ciphers for 
> protocol version 2 given, using defaults. 
> > Password: 
> > 
> > SW-02>INFO: Starting. 
> > enable 
> > Password: 
> > Password: ERROR: Incorrect enable password to remote host: user@sw-02 . 
> > 
> > 
> > Thanks! 
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] 
> > On Behalf Of dan (ddp) 
> > Sent: Tuesday, May 12, 2015 11:22 AM 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] Agentless Network Devices 
> > 
> > On Tue, May 12, 2015 at 11:18 AM, Adam Whelan <
> awh...@blueprintmedicines.com > wrote: 
> >> So at this point I have established that for some reason the script it 
> not passing my enable password correctly and or I have some other 
> configuration issue on my devices that may be causing confusion to the 
> script. If anyone else has any input or ideas please let me know.  I can 
> use any other ssh client such as putty and issue the enable command with 
> the password and everything is fine via that route. 
> >> 
> > 
> > Can you provide a transcript of the session when you run the script 
> manually? Obviously remove all IPs/passwords/usernames (replace them with 
> generics or whatever so we know something was there). 
> > 
> >> Thank You 
> >> 
> >> 
> >> 
> >> -Original Message- 
> >> From: ossec...@googlegroups.com  
> >> [mailto:ossec...@googlegroups.com ] 
> >> On Behalf Of dan (ddp) 
> >> Sent: Tuesday, May 12, 2015 11:11 AM 
> >> To: ossec...@googlegroups.com  
> >> Subject: Re: [ossec-list] Agentless Network Devices 
> >> 
> >> On Tue, May 12, 2015 at 11:04 AM, Adam Whelan <
> awh...@blueprintmedicines.com > wrote: 
> >>> Hi, 
> >>>This is my config below, pretty standard per the manual. 
> >>> 
> >>>  
> >>> ssh_pixconfig_diff 
> >>> 300 
> >>> user@switch-02 
> >>> periodic_diff 
> >>>  
> >>> 
> >>>I did just try to run the test manually vi

Re: [ossec-list] Agentless network diff not showing correct info

2015-05-12 Thread Brent Morris
Although it would be nice to see the entire list of changes in an alert 
email, I think the agentless alert has performed its duty of providing an 
alert that the configuration of your device has changed.

You can go into /var/ossec/queue/diff and find the entire captures of the 
device in question and do some manual comparisons of files to see what 
changes were made.  Although if you have a lot of Cisco devices to manage 
configurations on, you might consider a product like SolarWinds 
CatTools or ManageEngine Network Configuration Manager.  I don't consider 
OSSEC robust enough for configuration management of these devices, although 
it might be possible to use it as such.  Personally, I just want to know 
when something gets changed.



On Tuesday, May 12, 2015 at 10:55:14 AM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, May 12, 2015 at 1:47 PM, Adam Whelan 
> > wrote: 
> > I checked the alert log and it is truncated in there as well. I do see 
> the changed listed though inside the diff file as shown below. The permit 
> host line is what I am looking for that isn't showing up in the alert log 
> and or the email notification. As you can see it is just the one extra line 
> that gets chopped off. I can understand possibly the details not making it 
> into the email message but I would expect it to be fully logged in the log 
> file... 
> > 
> > 
>
> Like I said, the buffer for that data might be too small. 
> You could possibly add a `| grep -v 'Last configuration change'` to 
> the diff_cmd (if that's less useful data), but I'd be worried about it 
> overflowing that buffer. 
>
> https://github.com/ossec/ossec-hids/blob/master/src/agentlessd/agentlessd.c#L231
>  
>
> I'm guessing that the size of these buffers is something that should 
> be revisited after 2.9 is released. 
>
> > Diff File Information--- 
> > 17c17 
> > < Current configuration : 16328 bytes 
> > --- 
> >> Current configuration : 16360 bytes 
> > 19c19 
> > < ! Last configuration change at 09:53:33 EST Tue May 12 2015 by 
> netadmin 
> > --- 
> >> ! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin 
> > 248a249 
> >>  permit host .. any 
> > 
> > -Alert Log Information--- 
> > Rule: 555 (level 7) -> 'Integrity checksum for agentless device 
> changed.' 
> > ossec: agentless: Change detected: 
> > 17c17 
> > < Current configuration : 16328 bytes 
> > --- 
> >> Current configuration : 16360 bytes 
> > 19c19 
> > < ! Last configuration change at 09:53:33 EST Tue May 12 2015 by 
> netadmin 
> > --- 
> >> ! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin 
> > More changes.. 
> > 
> > _ 
> > 
> > 
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> > Sent: Tuesday, May 12, 2015 1:40 PM 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] Agentless network diff not showing correct 
> info 
> > 
> > On Tue, May 12, 2015 at 1:28 PM, Adam Whelan <
> awh...@blueprintmedicines.com > wrote: 
> >> Interesting, I changed an ACL which has maybe 75-100 existing entries 
> but only added a single entry. I would expect it to show me that single 
> addition unless it is trying to show me the difference of the entire ACL. 
> So besides a notice something has changed I won't be able to tell what has 
> actually changed which makes this a bit pointless unless I dump the config 
> a number of times a day so I have files to diff via another program? 
> >> 
> > 
> > Inside the OSSEC binaries there are buffers that hold the data. These 
> buffers are only so big (I don't know how big off hand), and it's possible 
> your data is being truncated because of these buffer sizes. 
> > 
> > You can check the alerts.log file to see if the missing data is present 
> in the actual alert. If so, it's the buffers in ossec-maild that are too 
> small. 
> > 
> >> 
> >> 
> >> -Original Message- 
> >> From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] 
> >> On Behalf Of dan (ddp) 
> >> Sent: Tuesday, May 12, 2015 1:22 PM 
> >> To: ossec...@googlegroups.com  
> >> Subject: Re: [ossec-list] Agentless network diff not showing correct 
> >> info 
> >> 
> >> On Tue, May 12, 2015 at 1:18 PM, Adam Whelan <
> awh...@blueprintmedicines.com > wrote: 
> >>> 
> >>> Hi, 
> >>> 
> >>> I have the agentless working with my cisco switches. It appears to 
> notice that a change was made to an access control list but does not 
> display the change via the alert email or the alert log. Below is what I 
> receive. I would expect to see the new ACL entry that was added? Any 
> thoughts? 
> >>> 
> >>> 
> >>> 
> >>> OSSEC HIDS Notification. 
> >>> 
> >>> 2015 May 12 13:13:31 
> >>> 
> >>> 
> >>> 
> >>> Received From: (ssh_pixconfig_diff) user@sw-01->agentless 
> >>> 
> >>> Rule: 555 fired (level 7) -> "Integrity checksum for
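To make the manual comparison of captures in /var/ossec/queue/diff less tedious, here is an added Python example (not part of this thread and not OSSEC code) that diffs two saved captures after dropping the banner lines dan suggested filtering with `grep -v`, so the alert body only carries the lines an operator actually changed. The two captures, the hostname and the 192.0.2.x addresses are constructed for the example.

```python
import difflib
import re

# Lines that change on every capture and say nothing about what an operator
# actually altered.  The first two appear in the diff quoted in this thread;
# the third is another IOS banner line of the same kind.
NOISE = [
    re.compile(r"^Current configuration : \d+ bytes"),
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
]


def config_changes(old_text, new_text, noise=NOISE):
    """Return (added, removed) config lines, with noise lines filtered out first."""
    def keep(line):
        return not any(p.match(line) for p in noise)

    old = [ln for ln in old_text.splitlines() if keep(ln)]
    new = [ln for ln in new_text.splitlines() if keep(ln)]
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new[j1:j2])
    return added, removed


def alert_body(old_text, new_text):
    """Render only the real changes, the way an analyst wants them in an alert.

    Returns an empty string when nothing but banner lines moved, so a caller
    can decide not to page anyone for a capture that merely changed timestamp.
    """
    added, removed = config_changes(old_text, new_text)
    if not added and not removed:
        return ""
    return "\n".join(["- " + ln for ln in removed] + ["+ " + ln for ln in added])


# Constructed captures mimicking the thread's diff: one new ACL entry plus
# the banner lines that differ on every capture.
OLD_CFG = """\
Current configuration : 16328 bytes
!
! Last configuration change at 09:53:33 EST Tue May 12 2015 by netadmin
!
hostname sw-01
!
ip access-list extended MGMT-ACL
 permit ip host 192.0.2.10 any
 deny ip any any
!
end
"""

NEW_CFG = """\
Current configuration : 16360 bytes
!
! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin
!
hostname sw-01
!
ip access-list extended MGMT-ACL
 permit ip host 192.0.2.10 any
 permit ip host 192.0.2.11 any
 deny ip any any
!
end
"""

if __name__ == "__main__":
    print(alert_body(OLD_CFG, NEW_CFG) or "no meaningful change")
```

Run it against two files pulled from the diff queue and the output is the single ACL line that was added; a capture that differs only in the byte count and the change timestamp yields no body at all, which is the case the thread's truncated alerts were hiding.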

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
You'll want to test this yourself

But you can manage what files are monitored and what registry entries are 
monitored in the host's config file for the Syscheck.  Run the Agent Manager 
on the host and go to view > config.  Then you can just change the 
configuration file and save it, restart the agent and wait for results.

It seems like it would be possible to put a rule for alerts to changes to 
HKLM\System.  But quite frankly, you're going to be inundated with many 
alerts that may not be valuable.  I've seen evidence of this when 
performing system comparisons for MSI creation of before/after an 
installation.  Windows makes lots of tiny changes to the registry and the 
file system, even when it's idle.

As for file system monitoring, I think you would be better served by 
turning on auditing and applying an audit policy to the file system.  Set 
the server to "log all" and then only pull alerts on sensitive areas of 
your computer.  You may find historical value in archiving all the changes 
to the OSSEC system for future review.

You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. 
 This can help you monitor executable processes on your Windows system. 
Good stuff!



On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
>
> Hey Everyone,
>
> Huge fan of OSSEC, just got my first implementation up and operational.  I 
> have a few rules that I want to write, just for testing's sake.
>
> What we are looking to do, is to write two separate rules that achieve 
> similar results, and more specifically we want to know when any change is 
> created to the registry, or when any file is created/deleted on the host.
>
> I was looking at what is being monitored currently, and wondering if I put 
> a rule in place that says notify me when "HKLM\System" changes, ALERT.
>
> Is this possible?
>
> I know it seems like a lot of information that would be rolling in, but we 
> are just trying to see all of what we can do with OSSEC.
>
> Please let me know if you can assist.
>
> V/R,
>
> Justin
>



[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
Syscheck only runs on intervals, and will have some limitations in a 64 bit 
environment.  Please see the issue below.

https://github.com/ossec/ossec-hids/issues/301

Another way to accomplish your goal would be to turn on auditing on the 
Windows computer.  This is either done through Group Policy or Local 
Policy.  Enable "Audit Object Access" for success and failure.  Then open 
the properties of the folder you want to monitor, Security tab, Advanced, 
Advanced Security Settings, Auditing tab and add the users/groups you want 
to audit.  The OSSEC agent will pass the audit logs to the manager in 
real-time.

You can try those syscheck settings you mentioned.  I'd be interested to 
hear your results!




On Friday, May 15, 2015 at 1:04:23 PM UTC-7, Justin Hazard wrote:
>
> Hi Brent,
>
> I appreciate the response, and it seems like the way forward for the 
> Registry Monitoring portion.  I will test it out, and let you know how it 
> works.  I understand it is going to generate a lot of stuff, but I am just 
> testing it right now, and need to figure out a few things, and it will 
> help.  Once full blown implementation is upon us, I will adjust as needed.
>
> As for the Auditing portion, I like the idea, but not sure where to turn 
> on that function.  Just so you are aware, I am running OSSEC OVF against 
> Windows hosts currently.
>
> Could I do something like this:
>
> 
> C:,D:
> 
>
>
> Or, are you talking about another feature I have yet to stumble across 
> yet?  I also am not sure, if this is the correct syntax, or if I need to 
> put in special characters like you would for something like a PCRE rule or 
> something.
>
> Thanks again for the help, I really appreciate it.
>
> Justin
>
> On Friday, May 15, 2015 at 12:20:51 PM UTC-4, Brent Morris wrote:
>>
>> You'll want to test this yourself
>>
>> But you can manage what files are monitored and what registry entries are 
>> monitored in the host's config file for the Syscheck.  Run the Agent Manager 
>> on the host and go to view > config.  Then you can just change the 
>> configuration file and save it, restart the agent and wait for results.
>>
>> It seems like it would be possible to put a rule for alerts to changes to 
>> HKLM\System.  But quite frankly, you're going to be inundated with many 
>> alerts that may not be valuable.  I've seen evidence of this when 
>> performing system comparisons for MSI creation of before/after an 
>> installation.  Windows makes lots of tiny changes to the registry and the 
>> file system, even when it's idle.
>>
>> As for file system monitoring, I think you would be better served by 
>> turning on auditing and applying an audit policy to the file system.  Set 
>> the server to "log all" and then only pull alerts on sensitive areas of 
>> your computer.  You may find historical value in archiving all the changes 
>> to the OSSEC system for future review.
>>
>> You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. 
>>  This can help you monitor executable processes on your Windows system. 
>> Good stuff!
>>
>>
>>
>> On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
>>>
>>> Hey Everyone,
>>>
>>> Huge fan of OSSEC, just got my first implementation up and operational. 
>>>  I have a few rules that I want to write, just for testing's sake.
>>>
>>> What we are looking to do, is to write two separate rules that achieve 
>>> similar results, and more specifically we want to know when any change is 
>>> created to the registry, or when any file is created/deleted on the host.
>>>
>>> I was looking at what is being monitored currently, and wondering if I 
>>> put a rule in place that says notify me when "HKLM\System" changes, ALERT.
>>>
>>> Is this possible?
>>>
>>> I know it seems like a lot of information that would be rolling in, but 
>>> we are just trying to see all of what we can do with OSSEC.
>>>
>>> Please let me know if you can assist.
>>>
>>> V/R,
>>>
>>> Justin
>>>
>>



[ossec-list] Re: Ossec iis log recognize problem

2015-05-20 Thread Brent Morris
So to get IIS to work right, I had to go into IIS Manager, click on Default 
Web Site (or the appropriate site) and open the properties window for Logging. 
 Select the W3C format.  Click "Select Fields" and check every box on that 
list.

I also chose to roll over logs on a daily schedule, and use local time for 
naming and rollover.

Then you should get usable logs from IIS that you can feed OSSEC with.

HTH

On Tuesday, May 19, 2015 at 2:49:43 PM UTC-7, Ahmet Yılmaz wrote:
>
> I am using ossec for forensic log analysis. My usage is almost the same as 
> example 2 in this link: 
> https://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html 
> 
>  
> I use ossec all the time and it works perfectly. But this time the logtest -a 
> command didn't recognize the log lines and made no alert, even for 404 errors. 
> What should I do so that ossec recognizes the logs? Anonymized log lines are below. 
>
> First log file: 
> 2011-02-11 12:44:34 W3SVC1 10.16.0.10 GET /cmd.exe - 80 - 111.11.1.123 
> Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 
> 404 0 2 
> 2011-12-11 12:23:08 W3SVC1 10.16.0.10 GET /cmd.exe.aspx - 80 - 
> 111.11.1.123 
> Mozilla/5.0(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 
> 404 0 0   
>
> Second log file: 
>
> 2011-11-11 15:19:40 10.10.10.10 GET /zboard.php 
> id=union_schdule&year='%3E%3Cscript%3Ealert(1908)%3C/script%3E 80 - 
> 10.0.2.22 
> Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Win64;+x64;+Trident/4.0;+.NET+CLR+2.0.50727;+SLCC2;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+Tablet+PC+2.0)
>  
> - 404 0 2 0 
> 2011-11-09 22:23:31  10.10.10.10 GET /WebResource.axd - 80 - 10.0.0.2 
> Mozilla/5.0 
> (compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0)";+waitfor+delay+'0:0:4'+--
>  
> - 404 0 0 0 
>
> Third log file: 
>
> 2011-11-22 00:51:27 10.1.0.1 GET /index.aspx - 80 - 11.11.11.111 
> Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 
> 0 0 59 
> 2011-11-27 02:53:17 10.1.0.1 GET /stores.aspx - 80 - 11.11.11.111 
> Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 
> 0 0 45 
>
> All of the log files are iis logs. 
>
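An added example, not from this thread and not OSSEC code, showing why a fixed-column decoder struggles with these files: an IIS W3C log carries a `#Fields:` directive naming its columns, and the three files in the post use three different field sets. The parser below keys each request on the most recent `#Fields:` line and then runs a small defender-side triage over the thread's anonymised lines. The `#Fields:` headers are assumed (the post omitted them) and the second line's user-agent is shortened.

```python
import urllib.parse

# Constructed sample in IIS W3C extended format.  The request lines are the
# anonymised lines from this thread; the "#Fields:" directives are assumed,
# because the post omitted the header IIS writes at the top of every file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-02-11 12:44:34 W3SVC1 10.16.0.10 GET /cmd.exe - 80 - 111.11.1.123 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 404 0 2
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2011-11-11 15:19:40 10.10.10.10 GET /zboard.php id=union_schdule&year='%3E%3Cscript%3Ealert(1908)%3C/script%3E 80 - 10.0.2.22 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Win64;+x64;+Trident/4.0) - 404 0 2 0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-11-22 00:51:27 10.1.0.1 GET /index.aspx - 80 - 11.11.11.111 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 59
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no request data
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")          # W3C values never contain spaces; '+' stands in
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def triage(record):
    """Return the reasons (possibly none) an analyst should look at this request."""
    reasons = []
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "-")
    query = urllib.parse.unquote(query.replace("+", " ")).lower()
    if "cmd.exe" in stem:
        reasons.append("request for cmd.exe")
    if "<script" in query:
        reasons.append("script tag in query string")
    if record.get("sc-status") == "404":
        reasons.append("404 not found")
    return reasons


def scan(text):
    """Return (client ip, uri stem, reasons) for every flagged request."""
    flagged = []
    for rec in parse_w3c(text):
        reasons = triage(rec)
        if reasons:
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The strict field-count check is deliberate: when a file's `#Fields:` set changes (as it does after "check every box" in IIS Manager), a decoder built for the old column layout silently assigns values to the wrong names, and a hard failure is easier to notice than a quietly wrong `srcip`.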



[ossec-list] Re: OSSEC Agent Install - Windows

2015-05-21 Thread Brent Morris
Bryan,

Do you need help compiling the source code for the Windows agent?

I was able to muddle my way through the process of this and can offer some 
assistance if that was your question.

Looking through my .bash_history - it looks like the following commands got 
me there.  This is on the virtual appliance download of OSSEC (CentOS 6.5)

# the mingw32-* packages come from EPEL, so enable that repository first
yum install epel-release
yum install mingw32-pkg-config
yum install mingw32-binutils
yum install mingw32-gcc

cd /etc/yum.repos.d
wget http://download.lbs.solidcharity.com/repos/tpokorra/nsis/centos/6/lbs-tpokorra-nsis.repo
yum install nsis.x86_64

export PATH=/usr/local/nsis:$PATH

make TARGET=winagent    # from the source code dir

The above steps might be incomplete or inaccurate, but this should get you 
in the neighborhood.



On Wednesday, May 20, 2015 at 2:59:57 PM UTC-7, Bryan Carter wrote:
>
> I am finally to a point where I can do testing on the agent-auth bit for 
> Windows. 
> I am not real keen on the windows compilation process, and have very 
> little experience taking code to the executable level. 
> I see that some things have been done on this since it was discussed last, 
> but can someone tell me the actual steps to be able to test it? 
>
> Thanks 
> --- 
> Bryan K. Carter 
>
>



Re: [ossec-list] Re: Ossec iis log recognize problem

2015-05-27 Thread Brent Morris
Dan,

That shouldn't be too hard to do..  I can take a swipe at it if you like.


On Friday, May 22, 2015 at 5:25:28 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, May 20, 2015 at 5:36 PM, Brent Morris  > wrote: 
> > So to get IIS to work right, I had to go into IIS Manager, click on 
> Default 
> > Web Site (or appropriate site) open the properties window for Logging. 
> > Select the W3C format.  Click "Select Fields" and check every box on 
> that 
> > list. 
> > 
> > I also choose to roll over logs on a daily schedule, and use local time 
> for 
> > naming and rollover. 
> > 
> > Then you should get usable logs from IIS that you can feed OSSEC with. 
> > 
>
> If the default log format for IIS isn't supported by OSSEC, it'd be 
> great if someone could try to write a decoder to include it. 
>
> > HTH 
> > 
> > 
> > On Tuesday, May 19, 2015 at 2:49:43 PM UTC-7, Ahmet Yılmaz wrote: 
> >> 
> >> I am using ossec for forensic log analysis. My usage almost same as 
> >> example 2 in this link: 
> >> 
> https://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html 
> >> I use ossec all the time and it works perfect. But this time logtest-a 
> >> command didn't recognize log lines and make no alert even 404 errors. 
> What 
> >> should I do to ossec recognize logs? Anonymized log lines are at the 
> below. 
> >> 
> >> First log file: 
> >> 2011-02-11 12:44:34 W3SVC1 10.16.0.10 GET /cmd.exe - 80 - 111.11.1.123 
> >> 
> Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 
>
> >> 404 0 2 
> >> 2011-12-11 12:23:08 W3SVC1 10.16.0.10 GET /cmd.exe.aspx - 80 - 
> >> 111.11.1.123 
> >> 
> Mozilla/5.0(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 
> >> 404 0 0 
> >> 
> >> Second log file: 
> >> 
> >> 2011-11-11 15:19:40 10.10.10.10 GET /zboard.php 
> >> id=union_schdule&year='%3E%3Cscript%3Ealert(1908)%3C/script%3E 80 - 
> >> 10.0.2.22 
> >> 
> Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Win64;+x64;+Trident/4.0;+.NET+CLR+2.0.50727;+SLCC2;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+Tablet+PC+2.0)
>  
>
> >> - 404 0 2 0 
> >> 2011-11-09 22:23:31  10.10.10.10 GET /WebResource.axd - 80 - 10.0.0.2 
> >> Mozilla/5.0 
> >> 
> (compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0)";+waitfor+delay+'0:0:4'+--
>  
>
> >> - 404 0 0 0 
> >> 
> >> Third log file: 
> >> 
> >> 2011-11-22 00:51:27 10.1.0.1 GET /index.aspx - 80 - 11.11.11.111 
> >> Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 
> 200 0 
> >> 0 59 
> >> 2011-11-27 02:53:17 10.1.0.1 GET /stores.aspx - 80 - 11.11.11.111 
> >> Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 
> 200 0 
> >> 0 45 
> >> 
> >> All of the log files are iis logs. 
> > 
>



[ossec-list] Re: [OSSEC] How to write decoder for Java process

2015-06-02 Thread Brent Morris
The best way to get help from us would be to post a sample log from OSSEC.

You're going to want to move your custom decoder from decoder.xml to 
local_decoder.xml so it won't be overwritten during an upgrade.

My process for writing custom decoders is to open two shells to your ossec 
server.  One with your text editor editing local_decoder.xml and one ready 
to re-launch ossec-logtest.  And then pull up these reference pages:

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html
http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/create-custom.html

Start small and build from there.  Get the logtest working on Phase 2 
of the decoding and pull out one attribute.  Right now you don't have a 
matching number of attributes (items listed in the <order> section vs what 
you have in parentheses) for your decoder.  It should look something like 
this assuming srcip in your log is an IPv4 address..  (untested!)

Once you can pull out an attribute, such as srcip, then build on the next 
one and test..


  logger
  ^#~#~#LOGGER
  
^#~#~#(\d+.\d+.\d+.\d+)#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#\.+#~#~#
  srcip


Remember to use the wildcards referenced in the OSSEC implementation of 
regex: \. vs \.* vs \.+ all mean different things to OSSEC.

I'd be happy to help if you post a sample log.  Sanitize it, but don't 
censor it with ellipses please.






On Monday, June 1, 2015 at 2:21:26 AM UTC-7, Chandrakant Solanki wrote:
>
> Hello All,
>
> I have one Java process which is running as daemon, on some TCP/IP port.
> Now I would like to find out particular line (which is pre-formatted) from 
> application's log file.
> e.g. #~#~#LOGGER#~#~##~#~#..#~#~#
>
> When above line will found into log, it should mail me and execute one 
> shell script.
>
> I have tried with below configuration on client side. (ossec agent)
>
> ossec.conf
> ...
>   
> syslog
> /var/log/application/processor.log
>   
> ...
>
> decoder.xml
> ...
> 
>   java
> 
>
> 
>   logger
>   ^#~#~#LOGGER
>   
> ^#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#(\.)#~#~#
>   srcip
> 
> ...
>
> local_rules.xml
>
> 
>  
>   logger
>   Custom LOGGER Found
>  
> 
>
> Please help me out.
>
> Thanks,
>
> Chandrakant Solanki
>
>



[ossec-list] Re: OSSEC.NET site down?

2015-06-03 Thread Brent Morris
it works for me...

http://downforeveryoneorjustme.com/


On Wednesday, June 3, 2015 at 12:29:13 PM UTC-7, Juan Aguilar wrote:
>
> Is it me or has the ossec.net site been down all day?
>



[ossec-list] Re: OSSEC root login detect configuration

2015-06-30 Thread Brent Morris
Best way to do this is to check out what logs are being generated when you 
login as root.

On my system, I see the following:

Jun 30 08:42:26 ossec sshd[26600]: pam_unix(sshd:session): session opened 
for user root by (uid=0)

I usually just paste the actual log into ossec-logtest to see what rule is 
triggered.

Run /var/ossec/bin/ossec-logtest and paste the log entry from your system 
when root login occurs.

On my system, I see the following.

**Phase 3: Completed filtering (rules).
   Rule id: '5501'
   Level: '3'
   Description: 'Login session opened.'
**Alert to be generated.

To accomplish your goal of being alerted when root logs into the server, 
you'll want to edit the local_rules.xml file and rewrite that rule and 
change it to both root and also change the level to one that 
will generate an alert on your specific configuration.

Test this by making the changes in local_rules.xml and restarting 
ossec-logtest to verify the results - and then once you're satisfied with 
the results, restart ossec.

HTH!

On Monday, June 29, 2015 at 6:10:24 PM UTC-7, 長谷川真 wrote:
>
> Hi there.
>  
> I have two questions about OSSEC configuration.
>  
>
> 1. I want to be notified when there is a root login to the server. Can OSSEC 
> notice a root login?
> 2. If OSSEC can notice a root login to the server, how do I configure OSSEC?
>  
> Best Regards.
>
> Shin
>



[ossec-list] Re: ossec-analysisd: Invalid decoder name

2015-07-10 Thread Brent Morris
I don't see that you closed the <decoder> section of your XML 
with a </decoder>.

That might be it!


On Friday, July 10, 2015 at 12:51:03 PM UTC-7, repquota wrote:
>
> Hi,
> I have another problem. I added a new file to my ossec rules and after 
> reloading ossec I have something like this in the ossec logs:
>
> 2015/07/10 21:35:28 ossec-testrule: INFO: Reading local decoder file.
>
> 2015/07/10 21:35:28 ossec-analysisd: Invalid decoder name: 'usermod'.
>
> 2015/07/10 21:35:28 ossec-testrule(1220): ERROR: Error loading the rules: 
> 'usermod_rules.xml'.
>
>
> my decoder on decoder.xml below:
>
>
> 
>
>   ^usermod
>
> 
>
>
> 
>
>   usermod
>
>   ^lock \S+ 
>
>   ^user (\S+) password$
>
>   user, srcip
>
> 
>
>
> and my usermod_rules.xml below:
>
>
> 
>
> 
>
>  usermod
>
>  USERMOD messages grouped.
>
> 
>
>
> 
>
>  100020
>
>  lock user
>
>  Usser account locked
>
>  
>
>
>  of course I added file name in /var/ossec/etc/ossec in  block
>
>
> Where is a mistake ? What am I doing wrong ?
>
>
>



[ossec-list] Re: can i use !root

2015-07-29 Thread Brent Morris
That won't work...  

I typically will overwrite an alert level if I want to ignore certain 
users.  

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html


On Wednesday, July 29, 2015 at 3:09:43 AM UTC-7, Ashley Drees wrote:

> Can I use !root in a rule to NOT match user root?
>



[ossec-list] Re: can i use !root

2015-07-29 Thread Brent Morris
Ashley, 

Can you provide more details about what you're trying to accomplish?  It 
appears that you'd like to use active-response with repeated_offenders - 
but I'm not quite sure.

If the above is correct, then you'd want to set your active-response up to 
match the rules for the alerts you're receiving on invalid logons or 
root

-Brent

On Wednesday, July 29, 2015 at 9:06:41 AM UTC-7, Ashley Drees wrote:
>
> Ok, not so much ignore, I am looking for a way to ban permanently any IP 
> that tries to log in as root, but have a short ban for anyone just 
> forgetting the password, fail more than 3 times and they get an increasing 
> delay.
>
> Ashley Drees
> 07956726775
>
>
> On 29 Jul 2015, at 13:31, Brent Morris > 
> wrote:
>
> That won't work...  
>
> I typically will overwrite an alert level if I want to ignore certain 
> users.  
>
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
>
>
> On Wednesday, July 29, 2015 at 3:09:43 AM UTC-7, Ashley Drees wrote:
>
>> Can I use !root in a rule to NOT match user root?
>>
>



Re: [ossec-list] Can't acess to CENTOs OSSEC server via putty - after login the connection drops

2015-08-03 Thread Brent Morris
You look like you may have misconfigured your IP addresses.

eth0 has 3 IP addresses.  10.80.1.100 is configured twice: once for a 
class A and once for a class C subnet.

Can you show the contents of the following?

ifconfig -a

and

nm-tool

I suspect you just need to configure your network addresses correctly.



On Monday, August 3, 2015 at 4:45:41 AM UTC-7, Jorge Neves wrote:
>
> Hi Theresa,
>
> Thank you for pointing me to the obvious. 
>
> I have made the change but I am still getting the error after login via putty.
>
> I changed:
> BOOTPROTO=static 
> and added
> NETWORK=10.80.1.0
> NETMASK=255.255.255.0
> IPADDR=10.80.1.100
>
> Regards
> Jorge
>
> sábado, 1 de Agosto de 2015 às 09:10:11 UTC+1, theresa mic-snare escreveu:
>>
>> Hi Jorge,
>>
>> You have a typo in your eth0 interface config: "BOOTPROTO=satic" 
>> should read "static".
>> Why do you have 3 different IPs on your eth0 interface? The same IP with 
>> different netmasks?! You probably only want the /24 subnet.
>>
>> can you even connect through SSH to the server or do you use some kind of 
>> console-access to the server?
>>
>> best,
>> theresa
>>
>> Am Freitag, 31. Juli 2015 13:59:24 UTC+2 schrieb Jorge Neves:
>>>
>>>
>>>
>>> quinta-feira, 30 de Julho de 2015 às 17:22:19 UTC+1, Jorge Neves 
>>> escreveu:

 Thank you,

 I am getting this:

 quinta-feira, 30 de Julho de 2015 às 16:49:55 UTC+1, dan (ddpbsd) 
 escreveu:
>
>
> On Jul 30, 2015 11:42 AM, "Jorge Neves"  wrote:
> >
> > Hi,
> >
> > I am new with OSSEC and basic with linux.
> >
> >
> > I am having an issue where when I login to the server using putty it 
> drops the connection.
> >
> >
> > I have already whitelisted it in the ossec-server.conf file.
> >
> > The version I am using is 2.8.2.
> >
> > Can someone help me please.
> >
>
> If you have physical access to the system, check /var/log/messages 
> (and/or authlog) for relevant log messages. You can also check 
> /var/ossec/logs/alerts/alerts.log for ossec alerts that may be related.
>
> > thank you
> >
> > Regards
> > J
> >
>




[ossec-list] Re: Exclude a event based on the log message

2015-08-03 Thread Brent Morris
**Phase 1: Completed pre-decoding.
   full event: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 
3562 40 A 1283761885 1189402707 7504 - - - RECEIVE'
   hostname: 'ossec'
   program_name: '(null)'
   log: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 
A 1283761885 1189402707 7504 - - - RECEIVE'

**Phase 2: Completed decoding.
   decoder: 'windows-date-format'
   action: 'DROP'
   proto: 'TCP'
   srcip: '10.13.1.6'
   dstip: '10.13.16.7'
   srcport: '443'
   dstport: '3562'

**Phase 3: Completed filtering (rules).
   Rule id: '4101'
   Level: '5'
   Description: 'Firewall drop event.

Against rule.

 
 4151
 10.13.16.7
 10.13.1.6
 #100882
 


Looks like the srcip is incorrect, as is the rule you're looking for. 
 Also, depending on your alert level, level 10 may still generate emails. 
 You may want to rewrite that as 0.  Something like this.

 
 4101
 10.13.1.6
 Quiet 10.13.1.6 noise
 



On Monday, August 3, 2015 at 8:41:20 AM UTC-7, Björn wrote:
>
> Hello,
>
> I try to exclude this event: 
>
>
> OSSEC HIDS Notification.
> 2015 Jul 02 12:12:14
>
> Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same 
> source."
> Portion of the log(s):
>
> 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 
> 2078887944 7504 - - - RECEIVE
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 
> 1862563536 7504 - - - RECEIVE
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 
> 1862563535 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 
> 660455107 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 
> 660455106 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 
> 1715023945 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 
> 1715023944 7504 - - - RECEIVE
> 2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 
> 121698030 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 
> 2382348392 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 
> 2382348391 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 
> 1189402708 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 
> 1189402707 7504 - - - RECEIVE
>
>
>
>  --END OF NOTIFICATION
>
>
> with this rule without success:
>
>  
>  4151
>  10.13.16.7
>  10.13.1.6
>  #100882
>  
>
>
> But we are still receiving mails for these events. Do you have an idea what's 
> wrong? 
>
> Thanks! 
>
>
>
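Several replies in this archive turn on the same two mechanics: how an OSSEC decoder pulls fields out of a line with the OSSEC flavour of regex (Brent's decoder-writing process in the "How to write decoder for Java process" thread, including the point that the number of capture groups must equal the number of `<order>` fields), and how a child rule with `<if_sid>` and a field match changes the alert level of a parent rule (the root-login answer around rule 5501, the reply to "can i use !root", and the level-0 suppression of rule 4101 suggested above). The following is an added Python example, not code from this list or from OSSEC, that models both so a decoder and its rules can be sanity-checked offline before a round trip through ossec-logtest. It assumes: the decoders are constructed for the example and are not OSSEC's shipped `pam` or `windows-date-format` decoders; rule ids 100100 and 100010 and their levels are made up (100882 is the id from this thread); the `#~#~#` sample line is constructed; and Python's `re` only approximates OSSEC's matcher, so greediness and backtracking can differ on pathological patterns.

```python
import re

# OSSEC regex atoms (per the OSSEC regex syntax docs) mapped onto Python re.
# An unescaped "." is a literal dot in OSSEC, which is why "\d+.\d+.\d+.\d+"
# matches an IPv4 address there; "\." is OSSEC's "anything".
_ATOMS = {
    r"\w": r"[A-Za-z0-9@_\-]", r"\d": r"[0-9]", r"\s": r" ", r"\t": r"\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]", r"\W": r"[^A-Za-z0-9@_\-]",
    r"\D": r"[^0-9]", r"\S": r"[^ ]", r"\.": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC regex into an equivalent Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            # \w, \d, \. ... or an escaped literal such as \( or \$
            out.append(_ATOMS.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
        else:
            c = pattern[i]
            out.append(c if c in "^$|()+*" else re.escape(c))
            i += 1
    return "".join(out)


class Decoder:
    def __init__(self, name, prematch=None, regex=None, order=(), parent=None):
        self.name, self.parent, self.order = name, parent, tuple(order)
        self.prematch = ossec_to_python(prematch) if prematch else None
        self.regex = ossec_to_python(regex) if regex else None


def decode(decoders, log):
    """Phase 2: run the decoder chain, return (decoder name, extracted fields)."""
    name, fields = None, {}
    for d in decoders:
        if d.parent and d.parent != name:
            continue                      # a child only runs after its parent matched
        if d.prematch and not re.search(d.prematch, log):
            continue
        if d.regex:
            m = re.search(d.regex, log)
            if not m:
                continue
            if len(m.groups()) != len(d.order):   # the mismatch Brent points out
                raise ValueError(f"{d.name}: {len(m.groups())} capture groups "
                                 f"but {len(d.order)} <order> fields")
            fields.update(zip(d.order, m.groups()))
        name = d.name
    return name, fields


class Rule:
    def __init__(self, rid, level, description, decoded_as=None, if_sid=None, **fields):
        self.id, self.level, self.description = rid, level, description
        self.decoded_as, self.if_sid, self.fields = decoded_as, if_sid, fields


def evaluate(rules, decoder_name, fields):
    """Phase 3: walk the rule tree; the deepest matching rule decides the level."""
    matched, winner = set(), None
    for r in rules:
        if r.if_sid is not None and r.if_sid not in matched:
            continue
        if r.decoded_as and r.decoded_as != decoder_name:
            continue
        if any(fields.get(k) != v for k, v in r.fields.items()):
            continue
        matched.add(r.id)
        winner = r
    return winner


# Decoders constructed for this example; they are not OSSEC's shipped ones.
DECODERS = [
    Decoder("pam", prematch=r"^pam_unix\("),
    Decoder("pam", parent="pam", prematch=r"session opened for user ",
            regex=r"session opened for user (\S+) by", order=["user"]),
    Decoder("windows-date-format", prematch=r"^\d+-\d+-\d+ \d+:\d+:\d+ ",
            regex=r"^\d+-\d+-\d+ \d+:\d+:\d+ (\w+) (\w+) (\d+.\d+.\d+.\d+) "
                  r"(\d+.\d+.\d+.\d+) (\d+) (\d+)",
            order=["action", "proto", "srcip", "dstip", "srcport", "dstport"]),
    Decoder("logger", prematch=r"^#~#~#LOGGER",
            regex=r"^#~#~#LOGGER#~#~#(\d+.\d+.\d+.\d+)#~#~#\.+#~#~#", order=["srcip"]),
]

# 5501 and 4101 are stock OSSEC rules named in these threads; the 1000xx rules
# are the local rules the replies describe, with assumed ids and levels.
RULES = [
    Rule(5501, 3, "Login session opened.", decoded_as="pam"),
    Rule(100100, 10, "Root login session opened.", if_sid=5501, user="root"),
    Rule(4101, 5, "Firewall drop event.", decoded_as="windows-date-format"),
    Rule(100882, 0, "Quiet 10.13.1.6 noise", if_sid=4101, srcip="10.13.1.6"),
    Rule(100010, 7, "Custom LOGGER found", decoded_as="logger"),
]


def classify(log):
    """Return (rule id, level, decoded fields) for one already pre-decoded log."""
    name, fields = decode(DECODERS, log)
    rule = evaluate(RULES, name, fields)
    return (rule.id, rule.level, fields) if rule else (None, 0, fields)
```

Feed `classify()` the message part of a line (what ossec-logtest shows as `log:` after Phase 1): the thread's `pam_unix(sshd:session): session opened for user root by (uid=0)` lands on the root child rule, the same line for any other user stays at 5501 level 3, and the firewall drop from 10.13.1.6 ends at level 0 because the child rule with the matching `srcip` is the deepest match. That is also why `!root` is not needed: the parent rule matches everyone and the child rule carries the `user` condition and the level you want.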



[ossec-list] Re: Windows Agent No active Response

2015-09-14 Thread Brent Morris
Sean,

I don't have a Terminal Server any longer to test on...  Are you using the 
more granular Advanced Auditing policies on your 2012 boxes?  In my Remote 
Desktop testing, I see two events that correlate.  There's an AUDIT_FAILURE 
for 4768 and 4625 - both of these together reveal the IP address of the 
incoming connection.

Remember, OSSEC is only going to be as good as the information you're 
sending it.  Can you run 'auditpol.exe /get /category:*' on your terminal 
server and paste this information into a response here?

If possible, consider a migration to Remote Desktop Gateway - then set up 
MultiFactor with Azure.  I have OSSEC decodes for those if you need them 
(they're here in the Google archives too).  And please ensure your 
administrator account has been renamed and there are no common account 
names.  Open 3389 scares me! 
 
http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/



On Monday, September 14, 2015 at 5:47:11 AM UTC-7, Sean.Haynes - SCH.570 
wrote:
>
>
> Hello All;
>
>
> I'm trying to figure out how the windows agent works - it seems to be a 
> bit hit and miss.
>
>
> If I manually monitor our RDP box I can see regular brute force attacks. 
> Now for whatever reason MS Server 2012 R2 does not seem to log IPs anymore 
> in the event logs. So I'm assuming from that the OSSEC software is then 
> unable to function correctly as there is no active response.
>
>
> OSSEC does report on failed logons, or some of the failed logons generated 
> by these attacks, but that's it.
>
>
> Am I missing something?
>
>
> Many thanks
>
>
>
>



[ossec-list] Re: Log Rotation issues

2015-09-15 Thread Brent Morris
Hi Robert,

Is ossec-monitord running?  This process takes care of the log rotations.  
I would restart it with the -d option to run it in debug mode to see if it 
can give you more info.


On Tuesday, September 15, 2015 at 6:53:42 AM UTC-7, Farnsworth, Robert 
wrote:

> Nobody has had an issue like this?  Any help would be appreciated.
>
>  
>
> *From:* Farnsworth, Robert 
> *Sent:* Monday, September 14, 2015 11:10 AM
> *To:* ossec...@googlegroups.com 
> *Subject:* Log Rotation issues
>
>  
>
> It is my understanding that the alerts.log file should get zeroed out 
> after the log rotation process has occurred each night; any idea why this 
> may not be occurring on my managers?
>
>  
>
> This worked fine for about 6 months after implementing OSSEC but now has 
> stopped working and causes a fill up of the file system most every night.
>
>  
>
> I have even requested an additional 5 GB and the problem still exists.
>
>  
>
> -rw-r-. 2 ossec ossec 28918093 Sep 14 09:35 alerts.log
>
>  
>
> *Thanks*
>
>  
>
> Robert
>
>  
>



Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-21 Thread Brent Morris
Would it be easier to host a compiled version of the fixed client?  I think 
that might solve some of the challenges here...

On Monday, September 21, 2015 at 5:41:46 AM UTC-7, dan (ddpbsd) wrote:
>
> I'm afraid it will fall to the same issues 2.9 is having right now, but I 
> will give it a shot.
> On Sep 18, 2015 1:55 PM, "DefensiveDepth"  > wrote:
>
>> Is it possible to merge the EventChannel bug fix 
>> into 2.8 so that stable 
>> binaries with this issue fixed could be released?
>>
>> Thanks,
>>
>> -Josh
>>
>>
>



[ossec-list] Firewall rules grouped

2015-09-21 Thread Brent Morris
I'm curious how "Firewall rules grouped" lands in the firewall log.

Consider the log 

Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56323 
dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0]

Returns the following.


**Phase 1: Completed pre-decoding.
   full event: 'Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src 
outside:3.1.33.7/56323 dst inside:1.1.1.1/8891 by access-group 
"outside_access_inside" [0x0, 0x0]'
   hostname: 'lott-ossec'
   program_name: '(null)'
   log: 'Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src 
outside:3.1.33.7/56323 dst inside:1.1.1.1/8891 by access-group 
"outside_access_inside" [0x0, 0x0]'

**Phase 2: Completed decoding.
   decoder: 'pix'
   id: '4-106023'
   action: 'Deny'
   proto: 'tcp'
   srcip: '3.1.33.7'
   srcport: '56323'
   dstip: '1.1.1.1'
   dstport: '8891'

**Phase 3: Completed filtering (rules).
   Rule id: '4100'
   Level: '0'
   Description: 'Firewall rules grouped.'


How do these connections make it into the firewall.log file???  

I'm trying to tune ossec and could use some guidance.

Thank you!



Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-21 Thread Brent Morris
(I'm assuming it is fixed in 2.9) - sure!  Compile and post the 2.9 client 
binaries on ossec.net with checksums, etc.

Or would this create other issues?



On Monday, September 21, 2015 at 2:19:58 PM UTC-7, DefensiveDepth wrote:

> @Brent, the 2.9 beta that has it fixed?
> -Josh 
>



Re: FW: [ossec-list] Re: Log Rotation issues - Resolved

2015-09-28 Thread Brent Morris
This sounds like it should be reported as an issue/bug on Github.

On Friday, September 25, 2015 at 6:55:39 AM UTC-7, Farnsworth, Robert wrote:
>
> Thought I would let you know I have resolved this, I believe the problem 
> stemmed from my alerts.log getting way too large and the Log Rotation could 
> not handle the size of the file. 
>
> So I filtered a bunch of windows event alerts to get the logs to a 
> manageable level and the rotation is doing its job again. 
>
> The OSSEC Log Rotation routine must have some limitations on file size. 
>
> Thanks for all your help. 
>
> Robert 
>
> -Original Message- 
> From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> Sent: Wednesday, September 16, 2015 12:36 PM 
> To: ossec...@googlegroups.com  
> Subject: Re: FW: [ossec-list] Re: Log Rotation issues 
>
> On Wed, Sep 16, 2015 at 12:18 PM, Farnsworth, Robert  > wrote: 
> > No it did not. 
> > I made the change and restarted OSSEC I don’t remember us talking about 
> a recompiling. 
> > 
>
> Sorry if I forgot to mention it, I meant to. When you change the 
> sourcecode you'll have to recompile and install the new binaries. Then 
> restart the processes. Running the install.sh script should accomplish this 
> (it will "upgrade" over itself). 
>
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] 
> > On Behalf Of dan (ddp) 
> > Sent: Wednesday, September 16, 2015 12:17 PM 
> > To: ossec...@googlegroups.com  
> > Subject: Re: FW: [ossec-list] Re: Log Rotation issues 
> > 
> > On Wed, Sep 16, 2015 at 8:50 AM, Farnsworth, Robert  > wrote: 
> >> The only error I see from analysisd is the read error's. One of them is 
> the Ossec Manager. 
> >> 
> >> Here is a sample. 
> >> 
> >> 2015/09/16 08:34:09 ossec-analysisd: ERROR: read error on 
> >> /queue/diff/hostname/533/last-entry 
> >> 2015/09/16 08:34:09 ossec-analysisd: ERROR: read error on 
> >> /queue/diff/ hostname/535/last-entry 
> >> 2015/09/16 08:37:56 ossec-analysisd: ERROR: read error on 
> >> /queue/diff/ hostname/535/last-entry 
> >> 2015/09/16 08:40:11 ossec-analysisd: ERROR: read error on 
> >> /queue/diff/ hostname/533/last-entry 
> >> 2015/09/16 08:40:11 ossec-analysisd: ERROR: read error on 
> >> /queue/diff/ hostname/535/last-entry 
> >> 
> > 
> > That was after making the change, recompiling, and restarting OSSEC? 
> > Did the logfile rotate properly? 
> > 
>



Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Brent Morris
It's easier for us to test if you can post it from your archives.log on 
ossec :)

On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote:
>
> - http://schemas.microsoft.com/win/2004/08/events/event 
> *">
> - 
>
>   1100 
>   0 
>   4 
>   103 
>   0 
>   0x4020 
>
>   2719810 
>
>
>   Security 
>   Security-Test 
>
>   
> - 
>xmlns="*http://manifests.microsoft.com/win/2004/08/windows/eventlog 
> *" /> 
>   
>   
>
> On Monday, October 5, 2015 at 10:25:48 AM UTC-6, dan (ddpbsd) wrote:
>>
>>
>> On Oct 5, 2015 12:23 PM, "Daniel Baker"  wrote:
>> >
>> >
>> >
>> > On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote:
>> >>
>> >> I'm looking for a way to have OSSEC trigger on Event ID 1100 Service 
>> Shutdown in Windows.
>> >
>> >
>> > This is what I'm trying to add to the local_rules.xml file:
>> >
>> > 
>> > 18104
>> > ^1100$
>> > Windows Service Stopped
>> >  
>> >
>>
>> Do you have a log we can test with?
>>
>>
>



[ossec-list] Re: (possible) webserver attack

2015-10-05 Thread Brent Morris
I'm not familiar with apache logs... but it looks like you are being 
scanned with a web vulnerability scanner from an attacker in China.  The 
youtube string you see, I believe, is the user-agent string supplied by the 
scanning host.

Compile all the URL requests and set up a cdb list in OSSEC.  Then set up an 
active response based on the URL requested to block the offending IP 
address.  The rule will look something like the following.


  31100
  lists/urlblacklist
Web Vulnerability Scanner Detected


and active response... assumes firewall-drop command will actually block 
the attacker at your perimeter.

firewall-drop
server
184780
300
2,10,60,120,1440
  

Now all you need is the list and testing :)





On Monday, October 5, 2015 at 4:25:18 AM UTC-7, theresa mic-snare wrote:
>
> Hi all,
>
> it's my weekly ossec question post ;)
>
> maybe you can help shed some light onto this one, as I'm not really good 
> with HTTP/Apache return codes.
> I have tons of these types of requests in my current Apache webserver log
>
> 125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi 
> HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { 
> goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
>  7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET 
> /catalog/index.cgi HTTP/1.0" 403 5 
> "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 
> "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 
> "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 
> "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 
> 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php 
> HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { 
> goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
>  7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET 
> /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 
> "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 
> 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 
> "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
> 125.122.211.198
>  - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi 
> HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { 
> goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
>  7`"
> 125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi
>  HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { 
> goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
>  7`"
>
> what are these doing except trying to call a youtube video?
> I was once told that the GET requests are not as harmful as the POST 
> requests...
>
> I suppose it's just some script kiddie running a webserver attack script.
> should I worry?
>
> how to block these?
>
> I have a couple of other request types as well, but they all follow the 
> same pattern.
>
> best,
> theresa
>



[ossec-list] Re: (possible) webserver attack

2015-10-05 Thread Brent Morris
Yeah, you're in the neighborhood.

First - can you post some content from your archives.log with those Apache 
logs?  I can help better if I can see what you're seeing.

You need to see exactly what you're passing to the URL field using 
ossec-logtest in order to make your cdb list correctly.  Sometimes the 
decoder puts extra characters in the URL field, such as a space and a 
hyphen.  At least that was my case.

Here's a blurb from my cdb list; nexpose makes the following requests 
during a web audit.

/spiffymcgee.cfm -:16
/spiffymcgee.jsp -:16
/jbossmq-httpil/ -:16
/spiffymcgee.nsf -:16
/spiffymcgee.jsp -:16
/spiffymcgee.nsf -:16

The important bits are on the left side of the colon.  I think I used excel 
to autonumber and populate the right side of the colon.  But you're 
basically going to compare whatever is being passed to the URL field with 
exactly the content on the left side of the colon.  So you can see you'll 
need to be creative in your ability to separate out the URLs from the rest 
of the junk in your logs along with checking and removing valid URLs that 
might be in the list.  In your example #1, I would only use 
"/pub/english.cgi -:16".  There is a space and a hyphen in my case when 
running the logs against ossec-logtest.  I can't emphasize enough that it 
needs to be EXACT.  Partial matches will not trigger the rule.

The list will reside in /var/ossec/lists/urlblacklist

then run ./ossec-makelists

In your ossec.conf - add lists/urlblacklist inside 
 

Add the rule to local_rules.xml

Use ossec-logtest to verify new rule is working properly.

Add the active response to ossec.conf

restart ossec and test with a real request to a URL in the list.  Verify 
active response has done its deed.

HTH!
-Brent

On Monday, October 5, 2015 at 10:36:35 AM UTC-7, theresa mic-snare wrote:
>
> Hi Brent,
>
> thank you very much for your help and your explanations.
>
> I'm just getting started with OSSEC, most of this is all new to me, but 
> I'm learning quickly ;)
> what does CDB stand for? I looked it up in the OSSEC docs and also googled 
> it? does it stand for common database?
> according to the Docs I need to compile the CDB list with ossec-makelists, 
> right?
>
> I want to understand this properly, and thus I want to document it for my 
> thesis project -- so please correct me if I misunderstood you:
>
>
>1. I will create a list with the HTTP request strings, e.g.: GET 
>/pub/english.cgi HTTP/1.0" 403 5 "
>https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
>Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7` and put 
> it 
>into a list/txt file, i.e. urlblacklist.txt
>2. then I will run ossec-makelists on this
>3. then I will setup a rule to block those requests  where does 
>this go?! Is it a rule inside the rules directory??!
>
> 
>   31151
> 
>   lists/urlblacklist
> Web Vulnerability Scanner Detected
> 
>
> the rule that fired for me (according to my OSSEC WUI) was rule ID: 31151
>
>1. finally I will create an AR in my ossec.conf
>
> firewall-drop
>      server
>  184780
>  300
> 2,10,60,120,1440
>  
>
> Hopefully I'm not too far off
>
> thanks,
> theresa
>
> Am Montag, 5. Oktober 2015 18:55:16 UTC+2 schrieb Brent Morris:
>>
>> I'm not familiar with apache logs... but it looks like you are being 
>> scanned with a web vulnerability scanner from an attacker in China.  The 
>> youtube string you see, I believe, is the user-agent string supplied by the 
>> scanning host.
>>
>> Compile all the URL requests and setup a cdb list in OSSEC.  Then setup 
>> an active response based on the URL requested to block the offending IP 
>> address.  The rule will look something like the following.
>>
>> 
>>   31100
>>   lists/urlblacklist
>> Web Vulnerability Scanner Detected
>> 
>>
>> and active response... assumes firewall-drop command will actually block 
>> the attacker at your perimeter.
>>
>> firewall-drop
>> server
>> 184780
>> 300
>> 2,10,60,120,1440
>>   
>>
>> Now all you need is the list and testing :)
>>
>>
>>
>>
>>
>> On Monday, October 5, 2015 at 4:25:18 AM UTC-7, theresa mic-snare wrote:
>>>
>>> Hi all,
>>>
>>> it's my weekly ossec question post ;)
>>>
>>> maybe you can help shed some light onto this one, as I'm not really g
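As an added Python example (not code from this thread or from OSSEC), the list-building and exact-match steps Brent walks through above, also covering the rule and active-response sketch in his first reply: it pulls the refused request paths out of constructed Apache lines laid out like theresa's, writes them as the key:value lines a cdb list is made of, and shows that the lookup is whole-key, so a key that omits the decoder's trailing " -" never fires. The log lines, the KNOWN_GOOD set, the " -" suffix and the value 16 are assumptions.

```python
import re

# Constructed Apache access-log lines laid out like the ones in theresa's
# post (scanner User-Agent replaced by a neutral placeholder). Not a capture.
ACCESS_LOG = """\
203.0.113.9 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "-" "scanner-ua"
203.0.113.9 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "-" "scanner-ua"
203.0.113.9 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "-" "scanner-ua"
198.51.100.4 - - [15/Sep/2015:00:51:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Sep/2015:00:51:10 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "-" "scanner-ua"
198.51.100.4 - - [15/Sep/2015:00:51:20 +0200] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Client address, request line and status of the common/combined log format.
REQUEST_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Paths this site legitimately serves (constructed). Strip them before the
# list is built, or a 404 on a real page would block a visitor.
KNOWN_GOOD = {"/index.html", "/favicon.ico"}


def scanner_urls(log_text, known_good=KNOWN_GOOD, min_status=400):
    """Request paths the server refused (status >= min_status) that are not
    known-good pages, in first-seen order without duplicates: the raw
    material for the list."""
    urls = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or int(m["status"]) < min_status:
            continue
        url = m["url"]
        if url not in known_good and url not in urls:
            urls.append(url)
    return urls


def render_cdb_list(urls, url_suffix="", value="16"):
    """Text of lists/urlblacklist: one 'key:value' line per URL. url_suffix
    reproduces whatever trailing text YOUR decoder leaves in the url field
    (Brent saw '/path -' in ossec-logtest); the key has to equal that field
    exactly, so read the ossec-logtest output before choosing it."""
    return "".join(f"{url}{url_suffix}:{value}\n" for url in urls)


def load_keys(list_text):
    """Keys of a key:value list, the set a compiled list is checked against
    (keys here contain no colon, so the split is unambiguous)."""
    return {line.partition(":")[0]
            for line in list_text.splitlines() if line.strip()}


def list_field_matches(url_field, keys):
    """Mimic <list field="url">: the whole decoded field must equal a key;
    a prefix, a missing suffix or an added query string never matches."""
    return url_field in keys


def build_blacklist(log_text, url_suffix=""):
    """Log text -> key set, as the list looks after ossec-makelists."""
    return load_keys(render_cdb_list(scanner_urls(log_text), url_suffix))


if __name__ == "__main__":
    print(render_cdb_list(scanner_urls(ACCESS_LOG), url_suffix=" -"), end="")
```

The compiled list is declared in ossec.conf inside the rules section as <list>lists/urlblacklist</list> before a rule's <list field="url"> can refer to it.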

Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Brent Morris
If you have the OSSEC manager installed and running, along with an agent on 
your Windows computer, then the agent should be sending all the event logs 
to the manager and storing them in /var/ossec/logs/archives/archives.log 

This is typically where OSSEC learns about events, and triggers alerts such 
as the one you're describing.  So if you can paste the event as OSSEC sees 
and stores it from archives.log - we can add your rule to our 
local_rules.xml and use tools, such as ossec-logtest to help you with 
writing your rule.

Unless I'm missing something... in which case I apologize :)

On Monday, October 5, 2015 at 10:11:02 AM UTC-7, Daniel Baker wrote:
>
> More Information:  PCI 10.2.6 Initialization, stopping, or pausing of the 
> audit logs
> My focus is on Windows Services Stop events
>
> I do not have any logs in archives.log
>
>
> On Monday, October 5, 2015 at 10:59:25 AM UTC-6, Brent Morris wrote:
>>
>> It's easier for us to test if you can post it from your archives.log on 
>> ossec :)
>>
>> On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote:
>>>
>>> - http://schemas.microsoft.com/win/2004/08/events/event 
>>> <http://schemas.microsoft.com/win/2004/08/events/event>*">
>>> - 
>>>
>>>   1100 
>>>   0 
>>>   4 
>>>   103 
>>>   0 
>>>   0x4020 
>>>
>>>   2719810 
>>>
>>>
>>>   Security 
>>>   Security-Test 
>>>
>>>   
>>> - 
>>>   >> xmlns="*http://manifests.microsoft.com/win/2004/08/windows/eventlog 
>>> <http://manifests.microsoft.com/win/2004/08/windows/eventlog>*" /> 
>>>   
>>>   
>>>
>>> On Monday, October 5, 2015 at 10:25:48 AM UTC-6, dan (ddpbsd) wrote:
>>>>
>>>>
>>>> On Oct 5, 2015 12:23 PM, "Daniel Baker"  wrote:
>>>> >
>>>> >
>>>> >
>>>> > On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote:
>>>> >>
>>>> >> I'm looking for a way to have OSSEC trigger on Event ID 1100 Service 
>>>> Shutdown in Windows.
>>>> >
>>>> >
>>>> > This is what I'm trying to add to the local_rules.xml file:
>>>> >
>>>> > 
>>>> > 18104
>>>> > ^1100$
>>>> > Windows Service Stopped
>>>> >  
>>>> >
>>>>
>>>> Do you have a log we can test with?
>>>>
>>>>
>>>



[ossec-list] Re: (possible) webserver attack

2015-10-06 Thread Brent Morris
Well, an empty log is an unhappy one.  Do you have the "log all" option in 
your ossec.conf?

For testing purposes, take one of the requests from your log and browse to 
your apache server with that request.

for instance - http://1.2.3.4/admin.cgi

Then check the archives.log for the log entry.  Run it through 
ossec-logtest...


-Brent





On Tuesday, October 6, 2015 at 3:10:12 AM UTC-7, theresa mic-snare wrote:
>
> Hi Brent,
>
> thanks for the perfect explanations.
>
> I just checked, my archives.log is 0 bytes, seems like it was log-rotated 
> during the night.
> and in the monthly folder, e.g. Oct or Sep, are only checksum logs, e.g. 
> ossec-archive-01.log.sum
>
> But I've seen multiple requests from 1 IP address and put those requests 
> into a txt file (I've attached it to this post)
>
> no idea why my archives.log is empty :(
>
> regards,
> theresa
>
> Am Montag, 5. Oktober 2015 20:02:29 UTC+2 schrieb Brent Morris:
>>
>> Yeah, you're in the neighborhood.
>>
>> First - can you post some content from your archives.log with those 
>> Apache logs?  I can help better if I can see what you're seeing.
>>
>> You need to see exactly what you're passing to the URL field using 
>> ossec-logtest in order to make your cdb list correctly.  Sometimes the 
>> decoder puts extra characters in the URL field, such as a space and a 
>> hyphen.  At least that was my case.
>>
>> Here's a blurb from my cdb list nexpose makes the following requests 
>> during a web audit.
>>
>> /spiffymcgee.cfm -:16
>> /spiffymcgee.jsp -:16
>> /jbossmq-httpil/ -:16
>> /spiffymcgee.nsf -:16
>> /spiffymcgee.jsp -:16
>> /spiffymcgee.nsf -:16
>>
>> The important bits are on the left side of the colon.  I think I used 
>> excel to autonumber and populate the right side of the colon.  But you're 
>> basically going to compare whatever is being passed to the URL field with 
>> exactly the content on the left side of the colon.  So you can see you'll 
>> need to be creative in your ability to separate out the URLs from the rest 
>> of the junk in your logs along with checking and removing valid URLs that 
>> might be in the list.  In your example #1 example, I would only use 
>> "/pub/english.cgi 
>> -:16" . there is a space and a hypen in my case when running the logs 
>> against ossec-logtest.  I can't emphasis enough that it needs to be EXACT. 
>>  Partial matches will not trigger the rule.
>>
>> The list will reside in /var/ossec/lists/urlblacklist
>>
>> then run ./ossec-makelists
>>
>> In your ossec.conf - add lists/urlblacklist inside 
>>  
>>
>> Add the rule to local_rules.xml
>>
>> Use ossec-logtest to verify new rule is working properly.
>>
>> Add the active response to ossec.conf
>>
>> restart ossec and test with a real request to a URL in the list.  Verify 
>> active response has done its deed.
>>
>> HTH!
>> -Brent
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Monday, October 5, 2015 at 10:36:35 AM UTC-7, theresa mic-snare wrote:
>>>
>>> Hi Brent,
>>>
>>> thank you very much for your help and your explanations.
>>>
>>> I'm just getting started with OSSEC, most of this is all new to me, but 
>>> I'm learning quickly ;)
>>> what does CDB stand for? I looked it up in the OSSEC docs and also 
>>> googled it? does it stand for common database?
>>> according to the Docs I need to complile the CDB list with 
>>> ossec-makelists , right?
>>>
>>> I want to understand this properly, and thus I want to document it for 
>>> my thesis project -- so please correct me if I misunderstood you:
>>>
>>>
>>>1. i will create a list with the HTTP request strings, e.g: GET 
>>>/pub/english.cgi HTTP/1.0" 403 5 "
>>>https://www.youtube.com/watch?v=FoUWHfh733Y"; "() { goo;}; echo 
>>>Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7` and put 
>>> it 
>>>into a list/txt file. i.e urlblacklist.txt
>>>2. then I will run ossec-makelists on this
>>>3. then I will setup a rule to block those requests  where does 
>>>this go?! Is it a rule inside the rules directory??!
>>>
>>> 
>>>   31151 <http://www.ossec.net/doc/search.html?q=rule-id-31151>
>>> 
>>>   lists/urlblacklist
>>> Web Vulnerability Scanner Detected
&g

[ossec-list] Re: alert to monitor my system admins

2015-10-07 Thread Brent Morris
(I'm assuming you're referencing Microsoft products)

check out the msauth_rules.xml - that has all the rules that you're looking 
for.   For instance, 18111 for user account changes.  Group changes are in 
there also.  You might have to change the levels on some of them in your 
local_rules.xml depending on your alert threshold set in your ossec.conf

-Brent

On Wednesday, October 7, 2015 at 11:58:24 AM UTC-7, Farnsworth, Robert 
wrote:
>
> How would I go about writing a rule to capture my system administrators 
> when they make a change to any user related function such as adding users, 
> changing groups and so on, either on domains or locally?
>
>  
>
> I would assume the rule would need to be ID specific.
>
>  
>
> So if admin_A and/or admin_B adds a user I need to get an alert for that.  
>
>  
>
> Thanks
>
>  
>
> Robert
>



[ossec-list] Re: Windows time changes Alert

2015-10-19 Thread Brent Morris
Hi Moe,

Edit your /var/ossec/rules/local_rules.xml and add this:

  
18104
^520$|^4616$
System time changed.
time_changed,
  

That should do the trick so long as alert level 7 meets the alert level 
threshold set in your ossec.conf

On Friday, October 9, 2015 at 11:15:41 AM UTC-7, moe hans wrote:
>
> Hi, I would like to receive alerts when someone changes the time on a 
> Windows server. I can see that logs are being sent to the OSSEC server but 
> it does not alert me. 
>
> 2015 Oct 09 11:02:08 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct 
> 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: 
> The system time was changed. Subject:  Security ID: 
>  S-1-5-21-4177568406-2897204066-3252460601-500  Account Name: 
>  Administrator  Account Domain:  BOOKADMIN-SRY  Logon ID:  0x3bb6d17 
>  Process Information:  Process ID: (null)  Name:Previous Time: 
>  2015-10-09T07:02:06.0Z 2015-10-09T18:02:07.279218900Z New Time: 
>  C:\Windows\System32\rundll32.exe 0x2954  This event is generated when the 
> system time is changed. It is normal for the Windows Time Service, which 
> runs with System privilege, to change the system time on a regular basis. 
> Other system time changes may be indicative of attempts to tamper with the 
> computer.
>
>
> In the Windows event log it shows up as event id 1.
>
> -- 
> Moe Hans
>
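An added Python model (not OSSEC's decoder or rule engine, and not code from the thread) of what the rule above relies on, also covering the 1100 rule from the "Monitor Windows Services Shutdown" thread and the 4625 source address Brent mentions in the "Windows Agent No active Response" thread: the archives.log line is split into the fields the windows decoder exposes, the ^520$|^4616$ regex is tested against the decoded id, and the hit is kept only if the rule level clears log_alert_level. The decoder regex is an approximation, and the 1100 and 4625 lines and the 1100 level are constructed.

```python
import re

# Fields the OSSEC "windows" decoder exposes for a WinEvtLog line, modelled
# on Moe's sample. This regex is an approximation written for the example,
# not OSSEC's own decoder definition.
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<location>\S+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<source>\S+): (?P<user>.+?): (?P<domain>.+?): (?P<hostname>\S+): "
    r"(?P<message>.*)$"
)

# A 4625 body carries the client address as "Source Network Address" when
# the audit policy supplies it (Brent's point about 4768/4625 revealing it).
SRCIP_RE = re.compile(r"Source Network Address:\s+(\S+)")

# The local rules from the threads. <id> is an OSSEC regex tested against
# the decoded event id; the anchors matter (4616 must not hit 46160).
# Rule ids are omitted and the 1100 level is assumed; the posts show neither.
LOCAL_RULES = [
    {"name": "System time changed.", "id_regex": r"^520$|^4616$", "level": 7},
    {"name": "Windows Service Stopped", "id_regex": r"^1100$", "level": 7},
]

# Sample 1: the archives.log line from Moe's post, message trimmed.
TIME_CHANGE = (
    "2015 Oct 09 11:02:08 (Bookadmin-sry) 192.168.161.149->WinEvtLog "
    "2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: "
    "The system time was changed. Subject:  Security ID:  "
    "S-1-5-21-4177568406-2897204066-3252460601-500  Account Name:  Administrator"
)

# Sample 2: a constructed 1100 line in the same layout (the poster only had
# the raw XML; this is an assumed rendering of what the agent forwards).
SERVICE_STOP = (
    "2015 Oct 09 11:05:00 (Bookadmin-sry) 192.168.161.149->WinEvtLog "
    "2015 Oct 09 00:04:57 WinEvtLog: Security: AUDIT_SUCCESS(1100): "
    "Microsoft-Windows-Eventlog: (no user): no domain: bookadmin-sry: "
    "The event logging service has shut down."
)

# Sample 3: a constructed 4625 failed logon from an RDP host, with the
# network information block that advanced auditing fills in.
FAILED_LOGON = (
    "2015 Oct 09 11:06:00 (rdp-gw) 192.168.161.150->WinEvtLog "
    "2015 Oct 09 00:05:58 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: rdp-gw: "
    "An account failed to log on. Subject:  Security ID:  S-1-0-0  "
    "Logon Type:  10  Account For Which Logon Failed:  Account Name:  "
    "backup  Network Information:  Source Network Address:  203.0.113.77  "
    "Source Port:  51234"
)


def decode_winevt(line):
    """Decode an archives.log WinEvtLog line into its fields, or return None
    for anything else. srcip is set only when the body carries one."""
    m = WINEVT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    ip = SRCIP_RE.search(fields["message"])
    fields["srcip"] = ip.group(1) if ip else None
    return fields


def evaluate(line, rules=LOCAL_RULES, log_alert_level=7):
    """The first rule whose <id> regex hits the decoded id wins. The event
    reaches alerts.log only if that rule's level clears log_alert_level,
    the ossec.conf threshold Brent mentions. Returns (name, level, fields)
    or None."""
    fields = decode_winevt(line)
    if fields is None:
        return None
    for rule in rules:
        if re.search(rule["id_regex"], fields["id"]):
            if rule["level"] >= log_alert_level:
                return rule["name"], rule["level"], fields
            return None
    return None


if __name__ == "__main__":
    for sample in (TIME_CHANGE, SERVICE_STOP, FAILED_LOGON):
        print(evaluate(sample) or ("no alert", decode_winevt(sample)["id"]))
```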



[ossec-list] Re: Outlook Web Access (2003) logs

2015-12-10 Thread Brent Morris
I added a "default IIS" decoder to the github repository, but I don't 
suppose it will release until the next major version.

For now, I think you need to reconfigure IIS logging to match what OSSEC is 
looking for.  Go into IIS Manager, click on Default Web Site (or 
appropriate site) open the properties window for Logging.  Select the W3C 
format.  Click "Select Fields" and check every box on that list.

You'll also choose to roll over logs on a daily schedule, and use local 
time for naming and rollover.

On Wednesday, December 9, 2015 at 10:10:06 AM UTC-8, Chris H wrote:
>
> Hi. I'm trying, unsuccessfully, to create a decoder for Outlook Web Access 
> (OWA) 2003 access logs.  These are a slightly different format to regular 
> IIS access logs, so aren't getting matched:
>
> 2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 
> Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5
>
> I've added a local decoder as below, but it's not getting matched:
>
> 
> windows-date-format
> web-log
> true
> ^W3SVC\d+ \S+ 
> (\S+) (\S+ \S+) \d+ \S+ 
> (\d+.\d+.\d+.\d+) \S+ (\d+)
> action, url, srcip, id
> 
>
> Any ideas?  I've based this on the tweaks for IIS7 logs, which seem to 
> work.  Testing my regex elsewhere, e.g. regex101.com, it seems to work 
> and I don't get any errors.  Testing in ossec-logtest, I get the following:
>
> **Phase 1: Completed pre-decoding.
>full event: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php 
> - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
>hostname: 'ossec'
>program_name: '(null)'
>log: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 
> 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
>
> **Phase 2: Completed decoding.
>decoder: 'windows-date-format'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '31100'
>Level: '0'
>Description: 'Access log messages grouped.'
>
> I'm trying to detect scans via multiple 400 errors, but they're not 
> getting picked up because the decoder is failing.
>
> Thanks
>



[ossec-list] Re: Custom OSSEC decoders - Windows rules not firing

2016-01-13 Thread Brent Morris
You should try these for Sysmon events.

https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml

I'm not familiar with wazuh, if it's a fork of OSSEC decoders/rules or what?

I can tell you that the ones I've linked will work without breaking other 
things... 

On Wednesday, January 13, 2016 at 7:24:40 AM UTC-8, techb...@gmail.com 
wrote:
>
> Hello,
>
> I incorporated wazuh's custom OSSEC decoders for sysmon events (
> https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml)
>  
> by placing these decoders into /var/ossec/etc/local_decoder.xml. However, 
> when I did this, the normal windows rules in 
> /var/ossec/rules/msauth_rules.xml would no longer fire. Obviously I created 
> a conflict of some sort, but I'm not certain where.
>
> To expound, here is a sample log line:
>
> 2016 Jan 13 08:19:04 WinEvtLog: Security: AUDIT_SUCCESS(4733): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: foo.local: A 
> member was removed from a security-enabled local group. Subject:  Security 
> ID:  S-1-5-18  Account Name:  foo-machine$  Account Domain:  FOO  Logon 
> ID:  0x3e7  Member:  Security ID:  
> S-1-5-21-xx-x-xx-  Account Name:  -  Group:  
> Security ID:  S-1-5-32-544  Group Name:  Administrators  Group Domain:  
> Builtin  Additional Information:  Privileges:  -
>
>
> Before adding a local_decoder.xml, this log line would be parsed as 
> follows:
>
> **Phase 2: Completed decoding.
>decoder: 'windows'
>status: 'AUDIT_SUCCESS'
>id: '4733'
>extra_data: 'Microsoft-Windows-Security-Auditing'
>dstuser: '(no user)'
>system_name: 'foo-machine'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '18217'
>Level: '12'
>Description: 'Administrators Group Changed'
>Info - Text: 'http://support.microsoft.com/kb/243330'
> **Alert to be generated.
>
>
> Now, it's parsed as such:
>
> **Phase 2: Completed decoding.
>decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '18100'
>Level: '0'
>Description: 'Group of windows rules.'
>
> Why!?!
>
> Thanks!
>



Re: [ossec-list] Re: Custom OSSEC decoders - Windows rules not firing

2016-01-13 Thread Brent Morris
Thanks Santiago.

My apologies if my message was curt.  I haven't seen Wazuh and I knew the 
existing Sysmon decoders work fairly well.  When I looked at the ones on 
Wazuh, they looked fairly different than the ones I know to work.  I spent 
a bit of time contributing back to Josh's Github repository for them and 
hit the wall with some of the variations of Sysmon logs.

Thanks for the explanation!  I'll take a look at Wazuh.

On Wednesday, January 13, 2016 at 12:25:36 PM UTC-8, Santiago Bassett wrote:
>
> Hi, 
>
> Wazuh ruleset includes more than 200 new rules and mapping with PCI DSS 
> controls (tagging also out-of-the box OSSEC rules). We started this effort 
> for some of the OSSEC deployments we are working on, and decided it was a 
> good idea to put together a ruleset (especially for cases where OSSEC is 
> used for PCI DSS or in Amazon AWS environments). Currently our team is 
> maintaining these rules and actively developing new ones.
>
> Regarding Sysmon decoders, we recently modified them (
> http://defensivedepth.com/2015/12/19/new-sysmon-ossec-decoders/), fixing 
> a few issues and of course contributing back to ossec-hids repository.
>
> Info on how to install the ruleset can be found here: 
> http://documentation.wazuh.com/en/latest/ossec_ruleset.html
>
> If you decide to use the automatic installation (
> http://documentation.wazuh.com/en/latest/ossec_ruleset.html#automatic-installation),
>  
> you can run:
>
> ossec_ruleset.py -a -u -s
>
> That will create a backup of your existing rules and decoders, install new 
> ones, and modify your ossec.conf to include these lines:
>
> etc/ossec_decoders
>
> etc/wazuh_decoders
>
> Hope that helps,
>
> Santiago.
>



[ossec-list] Re: Windows Malware Detection

2016-01-14 Thread Brent Morris
http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html

Another option would be to glean the SHA1 values of malware, and create and 
use the Sysmon blacklist.  But automating a blacklist of SHA1 values for 
malware, using Sysmon and a CDB list in OSSEC would be a method worth 
considering.  This wouldn't work with the win_malware_rcl.txt and using 
IOCs from that angle.

On Friday, January 8, 2016 at 4:05:40 AM UTC-8, 林威任 wrote:
>
> Hello, I have installed the OSSEC server and agent.
> I want to use OSSEC to detect malware on Windows systems,
> so I must add some code to the win_malware_rcl.txt.
> Then, I can analyse the log files produced.
> PS: this is used for research.
> Please give me some ideas.
> Thank you very much.
>



Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Brent Morris
Xavier,

I'm collecting logs from my ASA and I do see ICMP traffic in my 
firewall.log - 

2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 
1.2.3.4:10254->external.addr:10254
2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 
1.2.3.4:10510->external.addr:10510
2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 
1.2.3.4:10766->external.addr:10766
2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 
1.2.3.4:11278->external.addr:11278

I'm not sure what the issue might be.  

Also, thank you for the ossec2dshield script!!!  I heard about it on the 
Internet Storm Center Stormcast, but it might be worth plugging to the list 
here too :)

On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>
> I'm collecting firewall logs from many Ubuntu servers (basically the 
> /var/log/ufw.log).
> In this log, I can see events about TCP, UDP and ICMP traffic (allowed or 
> dropped).
> But, on my OSSEC server, in my firewall.log, I don't see any event related 
> to the ICMP protocol...
>
> /x
>
> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett  > wrote:
>
>> I am afraid I don't understand the problem or question, maybe if you 
>> explain it a little bit more we can help better.
>>
>> Best
>>
>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens > > wrote:
>>
>>> Hi *,
>>>
>>> Maybe a stupid question but I'm investigating an issue and I've to 
>>> browse my history of firewall.log files. Problem: I find only TCP/UDP 
>>> events and nothing regarding ICMP packets?
>>>
>>> I tested via ossec-logtest and events are correctly parsed... 
>>>
>>> I never paid attention to this in the past... :-(
>>> Any idea?
>>>
>>> /x



Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Brent Morris
Good catch!  

I think the ASA provides ports just as part of internal processing of the 
IP translation.  Perhaps they're a sequence number or provide some internal 
function for IOS.  They seem completely random.  They change to the real 
port in the logs when using TCP or UDP.  Here are the logs as seen from the 
ASA

ICMP
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: 
Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18125 
laddr external.addr/18125(any)
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302020: 
Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 
external.addr/18126 laddr external.addr/18126(any)
2016 Jan 26 02:00:49 ossec->1.2.3.4 Jan 26 2016 02:00:49: %ASA-6-302021: 
Teardown ICMP connection for faddr 8.8.8.8/0 gaddr external.addr/18126 
laddr external.addr/18126(any)

In the case of a TCP or UDP connection, you'd see   Built outbound TCP 
connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to 
inside:1.2.3.4/11515 (external.ip.addr/11515)



On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote:
>
> Hi Brent,
> I think that I found the problem! Here is an sample of my ossec-logtest 
> output:
>
> **Phase 2: Completed decoding.
>decoder: 'iptables'
>action: 'AUDIT'
>srcip: '92.222.185.1'
>dstip: '51.254.36.238'
>proto: 'ICMP'
>
> But, while diving into the source code (in analysisd/alert/log.c):
>
> /* FW_Log: v0.1, 2005/12/30 */
> int FW_Log(Eventinfo *lf)
> {
> /* If we don't have the srcip or the
>  * action, there is no point in going
>  * forward over here
>  */
> if(!lf->action || !lf->srcip || !lf->dstip || !lf->srcport ||
>!lf->dstport || !lf->protocol)
> {
> return(0);
> }
>
> I don't have srcport & dstport filled in so no log! I think I'll patch the 
> code and 
>
> I'm wondering why your ASA firewall provides ports!?
>
> About ossec2dshield, I wrote this tool a long time ago to share my logs 
> with DShield.org.
> Ping me if you want details!
>
> /x
>
>

Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Brent Morris
Is this worth submitting as an issue to github?

https://github.com/ossec/ossec-hids/issues


On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>
> I'll patch my analysisd to provide srcport and dstport with a value of "0" 
> if the protocol is "ICMP"... I need to keep traces of such events...
>
> /x
>

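Added example (mine; neither OSSEC's code nor Xavier's patch): a Python stand-in for the FW_Log gate quoted in this thread, so the effect on ufw and ASA events can be seen side by side. fw_log_line keeps the same six-field check as the C code and returns the firewall.log line in the layout of the lines Brent posted (hostname->location action protocol src:port->dst:port, an assumption taken from those samples). Passing icmp_port_default="0" models the fix Xavier describes: ICMP events get "0" for the ports they cannot have and are logged instead of dropped. The three events are constructed from the decoder output quoted in this thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Eventinfo:
    """Python stand-in for the Eventinfo fields that FW_Log reads. None plays
    the role of a NULL pointer: the decoder never filled that field."""
    year: str
    mon: str
    day: str
    hour: str
    hostname: str
    location: str
    action: Optional[str] = None
    protocol: Optional[str] = None
    srcip: Optional[str] = None
    srcport: Optional[str] = None
    dstip: Optional[str] = None
    dstport: Optional[str] = None


def fw_log_line(lf, icmp_port_default=None):
    """Return the firewall.log line for one decoded event, or None if the event
    is dropped. With icmp_port_default=None this is the unpatched gate quoted
    in the thread: a missing srcport or dstport discards the event, ICMP
    included. Passing "0" models the fix Xavier describes: ICMP events get "0"
    for the ports they cannot have and are kept."""
    srcport, dstport = lf.srcport, lf.dstport
    if icmp_port_default is not None and (lf.protocol or "").upper() == "ICMP":
        srcport = srcport or icmp_port_default
        dstport = dstport or icmp_port_default
    # Same six-field check as the C code: any missing piece means no log entry.
    if not all((lf.action, lf.srcip, lf.dstip, srcport, dstport, lf.protocol)):
        return None
    # Layout assumed from the firewall.log lines Brent posted.
    return (f"{lf.year} {lf.mon} {lf.day} {lf.hour} {lf.hostname}->{lf.location} "
            f"{lf.action} {lf.protocol} {lf.srcip}:{srcport}->{lf.dstip}:{dstport}")


def firewall_log(events, icmp_port_default=None):
    """Everything that would reach firewall.log for a batch of decoded events."""
    lines = (fw_log_line(e, icmp_port_default) for e in events)
    return [line for line in lines if line is not None]


# Constructed events, modelled on the decoder output quoted in this thread.
# ufw/iptables ICMP: the decoder fills no ports, so the stock gate drops it.
UFW_ICMP = Eventinfo("2016", "Jan", "26", "12:00:50", "ossec", "ubuntu-host",
                     action="AUDIT", protocol="ICMP",
                     srcip="92.222.185.1", dstip="51.254.36.238")
# ASA ICMP: the ASA log carries port-like numbers, so it passes unpatched.
ASA_ICMP = Eventinfo("2016", "Jan", "26", "12:00:50", "ossec", "192.168.168.168",
                     action="CLOSED", protocol="ICMP", srcip="1.2.3.4",
                     srcport="10254", dstip="external.addr", dstport="10254")
# TCP with ports missing: still dropped either way, the fix is ICMP-only.
BROKEN_TCP = Eventinfo("2016", "Jan", "26", "12:01:05", "ossec", "ubuntu-host",
                       action="DROP", protocol="TCP",
                       srcip="1.2.3.4", dstip="5.6.7.8")
```

Running firewall_log over the three events with and without the default shows the trade-off plainly: the patched gate keeps the ufw ICMP event (logged with :0 on both sides) while a TCP event with genuinely missing ports is still discarded, so the relaxation stays scoped to the one protocol that has no ports to report.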
[ossec-list] Re: IISv7.5 decoder attempt

2016-02-04 Thread Brent Morris
In order to get OSSEC to work with IIS logs, you have to basically enable 
all the Extended logging options...  Be sure to check the "use local time 
for file naming and rollover" - otherwise your OSSEC will be dark for a few 
hours while it catches up with IIS's GMT time.

http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html
 
- scroll down from there to see the screen shots.

Jesus' recommendation is a change committed for the next release of OSSEC.  
You could add that to your local_decoder.xml if you wanted.  We put that in 
there as a catch-all for the IIS logs still in default mode.  But it can't 
hurt to turn up the logging in IIS, methinks.


On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote:
>
> Hi All,
>
>
>
> Gone through a few threads about decoders for IIS. I'm just getting 
> started and, so far, have only managed easy stuff. I'm trying to extract 
> the fields mentioned in the decoder from the log entry using the decoder below, 
> but the log tester still gives the result below. What am I missing this time 
> :)
>
> FULL LOG ENTRY:
> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 
> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0)
>  
> 200 0 0 15
>
> LOGTEST RESULTS:
> **Phase 1: Completed pre-decoding.
>full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png 
> - 80 - 10.46.5.145 
> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0)
>  
> 200 0 0 15'
>hostname: 'sto-lab99'
>program_name: '(null)'
>log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 
> 10.46.5.145 
> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0)
>  
> 200 0 0 15'
>
> **Phase 2: Completed decoding.
>decoder: 'windows-date-format'
>
> DECODER:
>  
>   windows-date-format 
>   web-log 
>   true 
>^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - 
> (\S+) - (\d+.\d+.\d+.\d+)  
>srcip, action, url, srcip, dstport 
>  
>
> Best,
> Fredrik 
>
>



[ossec-list] Re: IISv7.5 decoder attempt

2016-02-08 Thread Brent Morris
Fredrik,

The stuff you cooked up has some issues.  If you want those fields 
extracted and were going to use them for alerts, I'd go with Jesus' 2nd 
recommendation.  It's a good expansion of the default IIS logging decoders 
from the OSSEC git repository.

If you change your logging per the OSSEC instructions, I don't believe that 
his recommended decoder will work and the built-in decoder will trigger 
instead, which by default only pulls out the url, srcip and ID.  It doesn't 
get the destip, port and action.  I've found the srcip, URL, and ID to be the 
most valuable.  If you had a large farm of servers with multiple addresses, 
I can see why destip would be useful, or the action (IIS verb).  Give us 
a little more background as to what problem you're trying to solve and I'm 
sure we can help you further :)

-Brent





On Saturday, February 6, 2016 at 12:04:53 PM UTC-8, Fredrik wrote:
>
> Guys! Thanks both for taking the time to respond! So, if I understand this 
> correctly I could use default IIS logging and go with Jesus' suggestion - 
> this would require updating the OSSEC binaries though, correct? As you 
> suggest, Brent, having a look at the logging settings in IIS makes sense 
> regardless. Provided I'm able to update the logging, what decoder settings 
> should I use? Go with Jesus', or is the stuff I cooked up worth pursuing? 
>
> Thanks again!
>
> Best regards,
> Fredrik 
>

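Added example, written for this archive rather than taken from either thread or from OSSEC: a small Python harness that runs a decoder's regex/order pair against a log line the way ossec-logtest's Phase 2 would, so both Chris H's OWA 2003 decoder (earlier in this archive) and Fredrik's IIS 7.5 decoder above can be checked offline. It translates the OS_Regex subset used in decoders to Python re (the two dialects agree except for \p and the characters ? [ ] { }, which are literals in OSSEC), lints the order list against the regex, and models offset="after_parent" by trying the pattern on the text left after the windows-date-format parent's prematch. The parent's prematch pattern, the set of order field names and the corrected IIS 7.5 pattern are mine (the pattern follows the default W3C field order); Fredrik's user-agent string is shortened.

```python
import re

# Punctuation that OSSEC's \p class stands for (per the OS_Regex syntax docs).
OSSEC_PUNCT = r"""()*+,-.:;<=>?[]!"'#$%&|{}"""

# Field names an <order> may use (OSSEC's fixed set, written from memory; only
# used for linting here).
ORDER_FIELDS = {"location", "srcuser", "dstuser", "user", "srcip", "dstip",
                "srcport", "dstport", "protocol", "action", "id", "url", "data",
                "extra_data", "status", "system_name"}

# Stand-in for the windows-date-format parent's <prematch>. Assumption: written
# from memory of decoder.xml; all it has to do is consume the leading date/time.
WINDOWS_DATE_PREMATCH = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "


def ossec_to_python(pattern):
    """Translate the OS_Regex subset used in <regex>/<prematch> to Python re.
    \\w \\d \\s \\S \\W \\D and escaped literals mean the same in both dialects;
    \\p becomes a punctuation class; ? [ ] { } are literals in OSSEC but
    operators in re, so they are escaped."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("[" + re.escape(OSSEC_PUNCT) + "]" if nxt == "p" else c + nxt)
            i += 2
            continue
        out.append("\\" + c if c in "?[]{}" else c)
        i += 1
    return "".join(out)


def lint_order(regex, order):
    """Problems ossec-logtest stays silent about: capture-group/field count
    mismatch, a field listed twice, a field name OSSEC does not know."""
    fields = [f.strip() for f in order.split(",")]
    groups = re.compile(ossec_to_python(regex)).groups
    problems = []
    if groups != len(fields):
        problems.append(f"regex has {groups} groups but order lists {len(fields)} fields")
    for f in sorted(set(fields)):
        if fields.count(f) > 1:
            problems.append(f"field {f!r} listed more than once")
        if f not in ORDER_FIELDS:
            problems.append(f"unknown order field {f!r}")
    return problems


def decode_child(regex, order, log, after_parent):
    """Apply a child decoder of windows-date-format to one line, the way
    ossec-logtest's Phase 2 would. after_parent=True models
    <regex offset="after_parent">: the pattern is tried on the text left after
    the parent's prematch, so ^ anchors there rather than at the start of the
    line. Returns field -> captured text, or None when the regex does not match."""
    target = log
    if after_parent:
        m = re.search(ossec_to_python(WINDOWS_DATE_PREMATCH), log)
        if not m:
            return None
        target = log[m.end():]
    m = re.search(ossec_to_python(regex), target)
    if not m:
        return None
    fields = [f.strip() for f in order.split(",")]
    return dict(zip(fields, m.groups()))


# The decoders and lines quoted in this archive: Chris H's OWA 2003 decoder and
# Fredrik's IIS 7.5 decoder (user-agent string shortened).
CHRIS_LOG = ("2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - "
             "79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5")
CHRIS_REGEX = r"^W3SVC\d+ \S+ (\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ (\d+)"
CHRIS_ORDER = "action, url, srcip, id"

FREDRIK_LOG = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - "
               "10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 15")
FREDRIK_REGEX = r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+)"
FREDRIK_ORDER = "srcip, action, url, srcip, dstport"

# Corrected pattern (mine, not from the thread) following the default IIS 7.5
# W3C field order: s-ip method uri-stem uri-query s-port username c-ip
# user-agent sc-status. The server address lands in dstip, the client in srcip.
FIXED_REGEX = (r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) (\S+) \S+ (\d+) \S+ "
               r"(\d+.\d+.\d+.\d+) \S+ (\d+) ")
FIXED_ORDER = "dstip, action, url, dstport, srcip, id"
```

Two things fall out of running it. Chris's pattern only matches once ^ is anchored after the parent's date/time, so the regex needs offset="after_parent" (without it, ^W3SVC is tried against a line that begins with the date and can never match). Fredrik's order names five fields for four groups and lists srcip twice, and the literal " - " his pattern expects right after the method is where the URI stem actually sits, so the pattern never matches at all and the parent windows-date-format is all ossec-logtest can report.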


[ossec-list] Re: IISv7.5 decoder attempt

2016-02-10 Thread Brent Morris
Sure..

You can do some active response stuff on ID 400... That's fun to do!

For me personally, I took a fingerprint of all the web vulnerability 
scanners and made it into a CDB list.  This was from Nexpose, OpenVAS, and 
I pilfered some extras from old logs...  I put those all in a CDB list and 
added a rule.

Local_rules.xml


  31100
  lists/urlblacklist
Web Vulnerability Scanner Detected


ossec.config






On Tuesday, February 9, 2016 at 1:24:24 PM UTC-8, Fredrik wrote:
>
> Hi Brent,
>
>
> Just mentioned in post to Jesus that I have been (still am) learning as I 
> go :) Your recommendation to stick with the three fields url, srcip and ID 
> makes sense in my case as well. I noticed that the logging settings in 
> IIS 7.5 look somewhat different, but as expected all options were not 
> checked in this server's configuration. 
>
> Regarding the alerts, I'm more trying to set up a few samples to see what 
> I can catch. Do you have any recommendations of things to try? Maybe one 
> for requests resulting in ID 400?
>
> Best regards,
> Fredrik 
>

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-10 Thread Brent Morris
eesh... hotkeys got away from me and I posted too fast.

Sure..

You can do some active response stuff on ID 400... That's fun to do!

For me personally, I took a fingerprint of all the web vulnerability 
scanners and made it into a CDB list.  This was from Nexpose, OpenVAS, and 
I pilfered some extras from old logs...  put those all in a CDB list and 
added a rule.

Local_rules.xml


  31100
  lists/urlblacklist
Web Vulnerability Scanner Detected

---
ossec.config


  
  lists/urlblacklist


then 
  
firewall-drop
server
31100
300
 

---

sample content of urlblacklist (it's a long file)

/bblog/xmlrpc.php -:17
/scripts/root.exe -:17
/msadc/msadcs.dll -:17
/cgi-bin/test-cgi -:17
/cgi-bin/htsearch -:17
/CFIDE/adminiapi/ -:17
/cgi-bin/faxquery -:17
/CFIDE/scheduler/ -:17
/CFIDE/websocket/ -:17
/common/index.jsf -:17
/cgi-bin/home.tcl -:17
/bblog/xmlrpc.php -:17
/cfdocs/index.htm -:17

-

Now you can detect and block those pesky web vulnerability scanners. 
You'll have to connect the active response to your actual firewall and 
configure the script accordingly.  And you'll likely have some samples of 
web scanners if you have a web server connected to the net.  We get scanned 
all the time...

And you could block repeat 404 errors too...

This isn't a complete tutorial; you'll need to read up on creating CDB 
lists, and compiling them.  You'll also need to get active response 
working.  And, ALWAYS test it when you're done so you can be sure you're 
blocking those pesky scanners but not blocking valid traffic.  One wrong 
URL in that CDB list and OSSEC suddenly turns on you and bites.  And one 
wrong character on a line can be the difference between a hit and a miss.

HTH!!!




On Wednesday, February 10, 2016 at 3:15:49 PM UTC-8, Brent Morris wrote:
>
> On Tuesday, February 9, 2016 at 1:24:24 PM UTC-8, Fredrik wrote:
>>
>> Hi Brent,
>>
>>
>> Just mentioned in post to Jesus that I have been (still am) learning as I 
>> go :) Your recommendation to stick with the three fields url, srcip and ID 
>> makes sense in my case as well. I noticed that the logging settings in 
>> IIS7.5 looks somewhat different, but as expected all options were not 
>> checked in this server's configuration. 
>>
>> Regarding the alerts, I'm more trying to set up a few samples to see what 
>> I can catch. Do you have any recommendations of things to try? Maybe one 
>> for requests resulting in ID 400?
>>
>> Best regards,
>> Fredrik 
>>
>> On Monday, February 8, 2016 at 9:24:18 PM UTC+1, Brent Morris wrote:
>>>
>>> Fredrik,
>>>
>>> The stuff you cooked up has some issues.  If you want those fields 
>>> extracted and are going to use them for alerts, I'd go with Jesus' 2nd 
>>> recommendation.  It's a good expansion of the default IIS logging decoders 
>>> from the OSSEC git repository.
>>>
>>> If you change your logging per the OSSEC instructions, I don't believe 
>>> that his recommended decoder will work and the built-in decoder will 
>>> trigger, which by default only pulls out the url, srcip and ID.  It 
>>> doesn't get the destip, port and action.  I've found the srcip, URL, and ID 
>>> to be the most valuable.  If you had a large farm of servers with multiple 
>>> addresses, I can see why destip would be useful, or the action (IIS 
>>> verb).  Give us a little more background as to what problem you're trying 
>>> to solve and I'm sure we can help you further :)
>>>
>>> -Brent
>>>
>>>
>>>
>>>
>>>

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-16 Thread Brent Morris
There are a couple of ways to track connected devices.

It depends on where DHCP lives.  If it's on a Windows computer, add DHCP 
logs to your OSSEC configuration.

  
%windir%\sysnative\Dhcp\DhcpSrvLog-%a.log
syslog
  

Then inside your DHCP MMC, right click on the IPV4 scope and go to 
properties.  General tab and check "Enable DHCP audit logging".

If you have Cisco switches, you could do a couple of tricks to do some 
tracking of MACs to IP addresses, but it would require some scripting 
through OSSEC.  Not impossible, but it hasn't been written yet.



On Sunday, February 14, 2016 at 11:26:49 AM UTC-8, Fredrik wrote:
>
> Good example! Definitely helpful! Thanks!
>
> One thing, I know I read about it somewhere, but how do I group my entries 
> in the local_rules file to make them fire? Say for example that I would 
> like to change the behavior of the 31008 rule with an exception. Will go 
> back through the collection of links to see if I can figure it out :) Also, 
> saw some interesting stuff on how to track connecting devices (dhcp) 
> through MAC-addresses -- obviously unrelated to IIS logs though ;)
>
> Best regards,
> Fredrik
>

[ossec-list] Cryptolocker, Windows file system auditing

2016-02-29 Thread Brent Morris
I turned on file system auditing on our Windows shares quite a long time 
ago, it's just handy to have running for those times when you want to find 
out specifics when users get paranoid.

This isn't an original thought but it seems like we have almost all the 
ingredients to come up with a detection rule for cryptolocker outbreaks. 
When you zip a file on the network, it creates a 4663 AUDIT_SUCCESS rule 
along with Accesses %%4417 in the "Access Request Information".

Has anyone looked into creating a trip wire for an OSSEC rule in such a use 
case?  Does Cryptolocker (or variants) go wild on the network drives 
encrypting all the files (read file, write encrypted version, delete 
encrypted version) or do they throttle?

Just in a base test... it doesn't look like OSSEC pulls enough information 
from the audit log to be precision accurate.  We should pull out the *user 
name* and fire an alert on X number of these in a 15 minute period along 
with the *Accesses:* code.

**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'AUDIT_SUCCESS'
   id: '4663'
   extra_data: 'Microsoft-Windows-Security-Auditing'
   dstuser: '(no user)'
   system_name: 'server'

**Phase 3: Completed filtering (rules).
   Rule id: '18104'
   Level: '0'
   Description: 'Windows audit success event.'


*List of access codes from Microsoft*
https://social.technet.microsoft.com/Forums/windows/en-US/0ec39516-5dcc-4453-9761-c1f94439a1cc/windows-7-security-audit-logs-how-do-i-translate-4421-1537-and-other--data-fields?forum=w7itprosecurity

I suppose to make it a valid alert, it'd be good to run cryptolocker in a 
test lab and check that the audit logs do trigger the desired alerts.

Has anyone done this yet?  If not, would you be interested in something 
like this?
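The detector sketched above (pull the user name out of the event body, count successful 4663 events carrying the %%4417 access per user inside a 15 minute window), written out as an added example. This is my Python, not code from the post or from OSSEC; the event lines, their timestamp prefix, the account names and the share paths are all constructed for the example.

```python
"""Added example (not from the ossec-list post or OSSEC itself): the detector
Brent sketches, as Python over constructed Windows event lines in the
'WinEvtLog: Security: AUDIT_SUCCESS(4663): ...' layout the agent forwards.
The timestamp prefix and the account/file names are invented for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"WinEvtLog: Security: (?P<status>AUDIT_\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<msg>.*)$"
)
# The account that did the write lives in the message body, not in the
# dstuser field (which is '(no user)' in Brent's logtest output), so dig it out.
ACCOUNT_RE = re.compile(r"Account Name:\s+(\S+)")
ACCESSES_RE = re.compile(r"Accesses:\s+((?:%%\d+\s*)+)")


def parse_event(line: str) -> Optional[Dict]:
    """Split one constructed event line into its fields, or None if it does not fit."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    acct = ACCOUNT_RE.search(ev["msg"])
    ev["account"] = acct.group(1) if acct else None
    acc = ACCESSES_RE.search(ev["msg"])
    ev["accesses"] = acc.group(1).split() if acc else []
    return ev


def detect_bursts(lines: List[str], access_code: str = "%%4417",
                  threshold: int = 20,
                  window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Alert once per account each time `threshold` successful 4663 events
    carrying `access_code` fall inside a sliding `window` (the OSSEC
    frequency/timeframe idea, keyed on the account from the message body)."""
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict] = []
    for ev in events:
        if ev["id"] != "4663" or ev["status"] != "AUDIT_SUCCESS":
            continue
        if access_code not in ev["accesses"] or not ev["account"]:
            continue
        q = recent[ev["account"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"account": ev["account"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
            q.clear()   # one alert per burst; the next burst starts counting afresh
    return alerts


def _event(ts: datetime, account: str, access: str, name: str,
           status: str = "AUDIT_SUCCESS") -> str:
    """Build one constructed 4663 line; the 'Object Name' is a fake share path."""
    return (f"{ts:%Y-%m-%d %H:%M:%S} WinEvtLog: Security: {status}(4663): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: server: "
            "An attempt was made to access an object. Subject: Security ID: "
            f"S-1-5-21-0-0-0-1001 Account Name: {account} Account Domain: CORP "
            f"Object: Object Type: File Object Name: D:\\share\\{name} "
            f"Access Request Information: Accesses: {access} Access Mask: 0x2")


def make_sample_lines() -> List[str]:
    """Constructed sample: alice writes 25 files in four minutes, bob writes 3,
    alice also reads one file (%%4416) and one of bob's writes is an audit failure."""
    base = datetime(2016, 2, 29, 10, 0, 0)
    lines = [_event(base + timedelta(seconds=10 * i), "alice", "%%4417", f"report{i}.docx")
             for i in range(25)]
    lines += [_event(base + timedelta(seconds=7 * i + 5), "bob", "%%4417", f"notes{i}.txt")
              for i in range(3)]
    lines.append(_event(base + timedelta(seconds=300), "alice", "%%4416", "budget.xlsx"))
    lines.append(_event(base + timedelta(seconds=301), "bob", "%%4417", "secret.txt",
                        status="AUDIT_FAILURE"))
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(make_sample_lines()):
        print(f"possible ransomware activity: {alert['account']} wrote "
              f"{alert['count']} files between {alert['first']:%H:%M:%S} "
              f"and {alert['last']:%H:%M:%S}")
```

The threshold and window are the tuning knobs the post says still need lab testing; the burst reset mirrors how a frequency rule fires once per timeframe rather than on every event past the threshold.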



[ossec-list] Re: Disable Email Alerts from a particular source ip

2016-03-01 Thread Brent Morris
You also might try using a pipe (or).  I use this for  to omit 
alerts from certain addresses.


7
192.168.2.1|192.168.2.2
Ignoring rule any level above 7 from ip X.


On Tuesday, March 1, 2016 at 8:12:13 AM UTC-8, Jesus Linares wrote:
>
> Hi,
>
> I think your rule is proper. You can add another srcip field if you want:
>
> 
> 7
> 192.168.2.1
> 192.168.2.2
> Ignoring rule any level above 7 from ip X.
> 
>
> If you want to send emails for severities above X level, you can use this 
> configuration:
>
> 
> 
> X
> 
> 
>
> Level 7 is the minimum alert level to send e-mail notifications.
>
> Documentation: 
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
>
> Also, check out this: 
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-level
>
> The *level* element overrides granular email alert levels. Individual rules can 
> override this with the *alert_by_email* option.
>
> Regards.
> Jesus Linares.
>
>
>
> On Tuesday, March 1, 2016 at 3:02:19 PM UTC+1, calvin ratti wrote:
>>
>> Hi,
>>
>> I have a VA scanner which I have added in the Whitelist to prevent Active 
>> Response from blocking the scans. What I also understand from here is that 
>> to prevent email alerts, I should create a custom rule. Is the following 
>> syntax proper or am i missing something:
>>
>> 
>> 7
>> 1.2.3.4/24
>> Ignoring rule any level above 7 from Whitelisted 
>> IPs
>> 
>>
>> rule id is unique, we have configured to send email alerts only for level 
>> 7 & above. 
>>
>> -Cal
>>
>



[ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-19 Thread Brent Morris
Hi Yurii,

Did you use the register_host.sh script as documented at 
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html 
? If so, there should be a file called .passlist in the 
/var/ossec/agentless folder.  Open that file and ensure the information is 
correct.

You can test your agentless with this method.

Be sure your current working directory is /var/ossec

pwd
/var/ossec

from there..

./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1

Check the output and see where the trouble is.

Hope this helps!!!

-Brent





On Wednesday, March 16, 2016 at 8:24:29 AM UTC-7, Yurii Shatylo wrote:
>
> Dear Colleagues,
>
> Could you give me a hand with my issue?
> I've put credentials into *ssh_asa-fwsmconfig_diff* and as a result 
> I got (2016/03/16 11:29:13 ossec-agentlessd: INFO: Test passed for 
> 'ssh_asa-fwsmconfig_diff). After that I deleted an ACL on the Cisco ASA but 
> nothing happened. It seems like the script which produces the difference is not 
> working. 
> *Here is my general config file:*
>
> 
>   ssh_asa-fwsmconfig_diff
>   300
>   user...@192.168.0.1 
>   periodic_diff
>  
>
> *Thank you in advance.*
> *Yurii*
>



Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Brent Morris
When you use a standard SSH client and go into enable mode, does it have an 
uppercase P on "Password"?

I vaguely recall an issue with the case sensitivity of that script. 

send "enable\r"
expect {
"Password:" {
send "$addpass\r"
expect {


I believe that should be

send "enable\r"
expect {
"*assword:" {
send "$addpass\r"

expect {


I've seen PIX and ASAs go both ways with upper and lower case P's.

Let me know!


On Monday, March 28, 2016 at 7:00:29 AM UTC-7, Yurii Shatylo wrote:
>
> I have done it when I added host (ASA). 
> In my file called *.passlist* I have the following record: 
> *user...@192.168.0.1 
> |password|enablepass*
> When I start checking I got error only with enable authentication, the 
> first authentication is OK.
> Also I tried to put enable password to ssh_asa... but without successful 
> result.
>
> KR,
> Yurii 
>
> 2016-03-28 15:46 GMT+03:00 dan (ddp) >:
>
>> On Mon, Mar 28, 2016 at 8:07 AM, Yurii Shatylo > > wrote:
>> > I have read ossec-docs but nothing found about how to set user 
>> credentials
>> > for enables mode. If you know, please send me the doc.
>> > Thank you in advance.
>> >
>>
>>
>> http://ossec.github.io/docs/manual/agent/agentless-monitoring.html?highlight=agentless#getting-started-with-agentless
>> I haven't tested it or anything, but the above link mentions
>> enablepass being added when you add the agentless host.
>>
>> > KR, Yurii
>> >
>> > 2016-03-28 14:32 GMT+03:00 Eero Volotinen > >:
>> >>
>> >> Please read docs and scripts used for this functionality. You need to
>> >> supply enable password too.
>> >>
>> >> 28.3.2016 2.15 ip. "Yurii Shatylo" > 
>> kirjoitti:
>> >>>
>> >>> Did you mean I need to add a second line to .passlist with the same 
>> credentials
>> >>> for ENABLE mode?
>> >>>
>> >>> KR, Yurii
>> >>>
>> >>> 2016-03-28 14:10 GMT+03:00 Eero Volotinen > >:
>> >>>>
>> >>>> you need to supply both passwords to register_host.sh
>> >>>>
>> >>>> --
>> >>>> Eero
>> >>>>
>> >>>> 2016-03-28 14:04 GMT+03:00 Yurii Shatylo > >:
>> >>>>>
>> >>>>> Hello,
>> >>>>>
>> >>>>> Cisco settings are set up correctly because I manually log on to the ASA
>> >>>>> without any issues and run the command "show run conf".
>> >>>>> Do you know which line has to be configured in the script? In the password list I
>> >>>>> have registered login and password by "register_host.sh" and I 
>> successfully
>> >>>>> authenticate (without ENABLE mode) when I start checking the 
>> script. I have
>> >>>>> only issue with ENABLE mode password.
>> >>>>>
>> >>>>> KR, Yurii
>> >>>>>
>> >>>>> 2016-03-28 13:57 GMT+03:00 Eero Volotinen > >:
>> >>>>>>
>> >>>>>> You need to configure correct enable password in cisco and script 
>> too.
>> >>>>>> (or to password list)
>> >>>>>>
>> >>>>>> --
>> >>>>>> Eero
>> >>>>>>
>> >>>>>> 2016-03-28 13:46 GMT+03:00 Yurii Shatylo > >:
>> >>>>>>>
>> >>>>>>> Dear Colleagues,
>> >>>>>>>
>> >>>>>>> Some time ago I setup Cisco ASA agentless monitoring. After 
>> Brent’s
>> >>>>>>> clarification I found out that I have missed some settings which I
>> >>>>>>> successfully setup. When the settings were implemented I tried to 
>> check by
>> >>>>>>> “./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1” 
>> command but result
>> >>>>>>> was unsuccessful. The first authentication level is OK but when 
>> the script
>> >>>>>>> pushed “enable” command I got error:
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> “enable
>> >>>>>>>
>> >>>>>>> Pa

[ossec-list] Re: Windows Defender Decoder ?

2016-05-16 Thread Brent Morris
Rob - can you post your OSSEC version of the log?  I can check my rules. 
These are a culmination of gleaned rules that I updated some time back 
with new event IDs.  Yours is covered in there, but I would like to 
test it against a valid OSSEC log.  So if you can post it from the OSSEC 
logs, that'd be great.

Here they are..





  
windows
18101,18102,18103
^Microsoft Antimalware
Grouping of Microsoft Security Essentials 
rules.
  

  
720001
^1118$|^1119$
virus,
Microsoft Security Essentials - Virus detected, but unable 
to remove.
  
  
720001
^1117$
virus,
Microsoft Security Essentials - Virus detected and 
properly removed.
  

  
720001
^1119$|^1118$|^1117$|^1116$
virus,
Microsoft Security Essentials - Virus 
detected.
  

  
720001
^1015$
virus,
Microsoft Security Essentials - Suspicious activity 
detected.
  

   
  
720001
^5007$
Microsoft Security Essentials - Configuration 
changed.
policy_changed,
  
  
720001
^5008$
Microsoft Security Essentials - Service 
failed.
  
  
720001
^3002$
Microsoft Security Essentials - Real time protection 
failed.
  
  
720001
^2012$
Microsoft Security Essentials - Cannot use Dynamic 
Signature Service.
  
  
720001
^2004$
Microsoft Security Essentials - Loading definitions 
failed. Using last good set.
  
  
720001
^2003$
Microsoft Security Essentials - Engine update 
failed.
  
  
720001
^2001$
Microsoft Security Essentials - Definitions update 
failed.
  
  
720001
^1005$
Microsoft Security Essentials - Scan error. Scan has 
stopped.
  
  
720001
^1002$
Microsoft Security Essentials - Scan stopped before 
completion.
  

  
  
  
720012
Virus:DOS/EICAR_Test_File
alert_by_email
Microsoft Security Essentials - EICAR test file 
detected.
  
  
720011
Virus:DOS/EICAR_Test_File
alert_by_email
Microsoft Security Essentials - EICAR test file 
removed.
  
  
720010
Virus:DOS/EICAR_Test_File
alert_by_email
Microsoft Security Essentials - EICAR test file detected, 
but removal failed.
  

  
  
720001
^2000$
Microsoft Security Essentials - Signature database 
updated.
  
  
720001
^2002$
Microsoft Security Essentials - Scan engine 
updated.
  
  
720001
^1000$|^1001$
Microsoft Security Essentials - Scan started or 
stopped.
  
  
720001
^1013$
Microsoft Security Essentials - History 
cleared.
  

  
  
720011
Multiple Microsoft Security Essentials AV warnings 
detected.
  
  
720012
Multiple Microsoft Security Essentials AV warnings 
detected.
  

 


On Friday, April 22, 2016 at 1:16:22 PM UTC-7, Rob B wrote:
>
> Hello All,
>
> Does anyone have a decoder for Windows Defender floating around out 
> there?
>
> I'm having a heck of a time...   Here is the event channel event example if 
> anyone is curious or can help:  (Win10 box)
>
> Log Name:  Microsoft-Windows-Windows Defender/Operational
> Source:Microsoft-Windows-Windows Defender
> Date:  4/22/2016 4:05:17 PM
> Event ID:  1116
> Task Category: None
> Level: Warning
> Keywords:  
> User:  SYSTEM
> Computer:  VICTIM0
> Description:
> Windows Defender has detected malware or other potentially unwanted 
> software.
>  For more information please see the following:
>
> http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0
>   Name: Trojan:Win32/Bagsu!rfn
>   ID: 2147694406
>   Severity: Severe
>   Category: Trojan
>   Path: 
> containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)
>   Detection Origin: Network share
>   Detection Type: Concrete
>   Detection Source: Real-Time Protection
>   User: frog
>   Process Name: C:\Windows\explorer.exe
>   Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0
>   Engine Version: AM: 1.1.12603.0, NIS: 2.1.11804.0
>
> Event Xml:
> http://schemas.microsoft.com/win/2004/08/events/event";>
>   
>  Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" />
> 1116
> 0
> 3
> 0
> 0
> 0x8000
> 
> 95
> 
> 
> Microsoft-Windows-Windows Defender/Operational
> VICTIM0
> 
>   
>   
> %%827
> 4.9.10586.0
> {CAADD684-36C9-444B-8A6D-8CE537A93E40}
> 2016-04-22T20:04:40.369Z
> 
> 
> 
> 
> 2147694406
> Trojan:Win32/Bagsu!rfn
> 5
> Severe
> 8
> Trojan
> 
> http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0
> 
> 1
> 
> 
> 1
> 3
> %%818
> C:\Windows\explorer.exe
> frog
> 
> 
>  Name="Path">containerf

[ossec-list] Re: Windows Defender Decoder ?

2016-05-20 Thread Brent Morris
Hi Jesus,

Yeah, I think I submitted a pull request into OSSEC some time back on 
this...  If memory serves, the other IDs are because I used the existing MS 
ID schema for OSSEC.  The odd IDs are just because these live in my 
local_rules.xml in production.  Sadly, I haven't had the time to update 
OSSEC or try any of the new distributions lately.



On Thursday, May 19, 2016 at 12:25:09 AM UTC-7, Jesus Linares wrote:
>
> Hi Brent,
>
> Your rules are in OSSEC by default (with other ID, why?) but you added a 
> few new rules. 
>
> Could you send a PR to OSSEC or Wazuh 
> <https://github.com/wazuh/ossec-rules/tree/development> with your new 
> rules?
>
> Thanks.
>
>
> On Wednesday, May 18, 2016 at 8:38:16 PM UTC+2, Rob B wrote:
>>
>> Nice!  Thanks Pedro!  I've got it now..
>>
>> Cheers.
>>
>>
>> On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote:
>>>
>>> Hi Rob,
>>>
>>> *extra_data* is another allowed field used by OSSEC decoders to extract 
>>> information from the event; once it is extracted you can match the field 
>>> content in order to create a rule.
>>> The content of extra_data depends on the decoder which extracted it; in 
>>> Windows decoders 
>>> <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L350> 
>>> it could be, for example: Win source, Parent Image, Protocol, Signature, Start 
>>> function...
>>>
>>> Best regards,
>>>
>>> Pedro S.
>>>
>>> On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote:
>>>>
>>>> Thanks Brent! Funny enough, that day I figured it out and built a 
>>>> whole bunch very similar to your list.  Seems to be working very nicely, 
>>>> as now I find myself leaning to creating some downright creative 
>>>> composites (finally)
>>>>
>>>> I've been looking for some reference material on the  tag? 
>>>> How is this used properly?
>>>>
>>>>
>>>>
>>>> Cheers!   Rob
>>>>
>>>>

[ossec-list] Re: ISS 7 + 404/200 error decoders/rules..

2016-05-26 Thread Brent Morris
Hi Jacob,

What version of OSSEC are you on?

It doesn't look like you've configured your IIS server's logging to meet the 
OSSEC 2.8 decoder expectations.  But even having said that, I'd submitted 
some "IIS default" decodes to the github repository some time back.

So when I test your log against my OSSEC, I get a different result.  

**Phase 1: Completed pre-decoding.
   full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 
- 10.18.100.24 
Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 
200 0 0 15'
   hostname: 'lott-ossec'
   program_name: '(null)'
   log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 
10.18.100.24 
Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 
200 0 0 15'

**Phase 2: Completed decoding.
   decoder: 'windows-date-format'
   dstip: '172.18.2.247'
   action: 'POST'
   url: '/wfc/portal'
   dstport: '443'
   srcip: '10.18.100.24'
   id: '200'

**Phase 3: Completed filtering (rules).
   Rule id: '31108'
   Level: '0'
   Description: 'Ignored URLs (simple queries).'

But it looks like you have a decoder that is working.  And having said 
that, I can't see what "**Phase 3" of your logtest shows for the output of 
the rule id.  I only see Phase 1 and Phase 2... so there's no way for us to 
know what rule it is matching to compare against your local_rules.xml 
entries.


On Thursday, May 26, 2016 at 1:35:30 PM UTC-7, Jacob Mcgrath wrote:
>
> I am still struggling with the general syntax of regex...
>
> On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
>>
>>
>>
>> Looking to take these logs from two separate server applications and 
>> perform alerts and possibly responses to them.
>>
>> server 1:
>>
>> 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 
>> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 
>> 200 0 0 15
>> 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 
>> Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36
>>  
>> 404 0 2 203
>>
>> Server 2:
>>
>> 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST 
>> /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 
>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3)
>>  
>> 200 0 0
>> 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET 
>> /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 
>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3)
>>  
>> 404 0 2
>>
>>
>> Right now I am just attempting to work with logs from Server 1: to alert 
>> on 200 & 404 errors for web scans and the like, but it's a beginning.
>>
>>
>> Entry in local_decoder.xml:
>>
>> 
>>   windows-date-format
>>   true
>>   ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ 
>> POST 
>>   (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* 
>> (\d\d\d) \S+ \S+ \S+
>>   url,srcip,id
>> 
>>
>>
>>
>> Entry in local_rules.xml
>>
>>
>> 
>>   
>> kronos-web
>> Grouping for Kronos web rules.
>>   
>>
>>   
>> 17
>> 404
>> IIS 7 Web Server 404 Error.
>> connection attempt,
>>   
>>
>>   
>> 17
>> 200
>> IIS 7 Web Server 200 Error.
>> connection attempt,
>>   
>>
>>   
>> 18,19
>> Possible Kronos Web Scan/Attack Detected.
>> attacks,
>>   
>> 
>>
>>
>>
>>
>> When I run the logtest I get this output, which shows that I am getting the 
>> url, srcip and id, but it is not getting to the rules I have created above...
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 
>> 443 - 10.18.100.24 
>> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 
>> 200 0 0 15'
>>hostname: 'alamo'
>>program_name: '(null)'
>>log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 
>> 10.18.100.24 
>> Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 
>> 200 0 0 15'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'windows-date-format'
>>url: '/wfc/portal -'
>>srcip: '10.18.100.24'
>>id: '200'
>>
>>
>>
>> Am I missing something like a base idea behind this or a syntax thing  I 
>> really do not know...
>>
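Brent's CDB-list rule in the Feb 10 post above and the decoder exchange in this thread both come down to pulling url, srcip and id out of an IIS W3C line and checking them. The following added example (my Python, not code from the posts or from OSSEC) does that with a regex of its own, loads a CDB-style key:value list with the sanity checks Brent warns about, and counts repeat 404s per source; the log lines and list entries are constructed.

```python
"""Added example (not from the ossec-list posts or OSSEC itself): extract the
fields the thread cares about (url, srcip, id) from IIS W3C log lines, look
the URL up in a CDB-style key:value list like Brent's urlblacklist, and
count repeat 404s per source.  The regex below is Python's, not OSSEC's."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# IIS default W3C fields as they appear in the thread, with an optional
# s-sitename (Server 2 logs W3SVC..., Server 1 does not) and a variable
# number of trailing numeric fields (sc-substatus, sc-win32-status, time-taken).
# IPv4 only, like the log lines quoted in the thread.
IIS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<site>W3SVC\d+) )?"
    r"(?P<dstip>\d+\.\d+\.\d+\.\d+) (?P<action>[A-Z]+) (?P<url>\S+) (?P<query>\S+) "
    r"(?P<dstport>\d+) (?P<user>\S+) (?P<srcip>\d+\.\d+\.\d+\.\d+) (?P<agent>\S+) "
    r"(?P<id>\d{3})(?: \d+)*$"
)

# Constructed sample log, modelled on the lines quoted in the thread
# (203.0.113.9 is a documentation address; the scanner-style requests are invented).
SAMPLE_IIS_LOG = """\
2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203
2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1) 200 0 0
2016-05-26 15:39:01 172.18.2.247 GET /scripts/root.exe - 443 - 203.0.113.9 curl/7.47.0 404 0 2 5
2016-05-26 15:39:02 172.18.2.247 GET /cgi-bin/test-cgi - 443 - 203.0.113.9 curl/7.47.0 404 0 2 4
"""

# Constructed CDB list in the documented key:value form (the archive shows
# Brent's entries mangled).  The duplicate key and the line without a ':'
# are deliberate, to show what load_cdb_list reports.
SAMPLE_CDB = """\
/bblog/xmlrpc.php:-
/scripts/root.exe:-
/msadc/msadcs.dll:-
/cgi-bin/test-cgi:-
/CFIDE/adminiapi/
/bblog/xmlrpc.php:-
"""


def decode_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields for one IIS line, or None if it does not fit.
    Unlike the decoder quoted in the thread, url never swallows the '-' query."""
    m = IIS_LINE.match(line.strip())
    return m.groupdict() if m else None


def load_cdb_list(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse key:value lines into a dict and report anything that would make a
    compiled list silently miss: missing separator, stray whitespace, duplicates."""
    keys: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw != raw.strip():
            problems.append(f"line {lineno}: surrounding whitespace in {raw!r}")
        line = raw.strip()
        if ":" not in line:
            problems.append(f"line {lineno}: no ':' separator in {line!r}")
            continue
        key, value = line.split(":", 1)
        if key in keys:
            problems.append(f"line {lineno}: duplicate key {key!r}")
        keys[key] = value
    return keys, problems


def scan_log(log_text: str, cdb_keys: Dict[str, str]) -> List[Dict[str, str]]:
    """Equivalent of a rule that fires when the decoded url is a key in the list."""
    hits = []
    for line in log_text.splitlines():
        ev = decode_iis_line(line)
        if ev and ev["url"] in cdb_keys:
            hits.append({"srcip": ev["srcip"], "url": ev["url"], "id": ev["id"]})
    return hits


def repeat_404_sources(log_text: str, threshold: int) -> Dict[str, int]:
    """Sources with at least `threshold` 404s: the 'repeat 404' idea from the thread."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = decode_iis_line(line)
        if ev and ev["id"] == "404":
            counts[ev["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    keys, problems = load_cdb_list(SAMPLE_CDB)
    for p in problems:
        print("CDB list problem:", p)
    for hit in scan_log(SAMPLE_IIS_LOG, keys):
        print("scanner fingerprint hit:", hit)
    print("repeat 404 sources:", repeat_404_sources(SAMPLE_IIS_LOG, 2))
```

Running load_cdb_list over a list before compiling it is the cheap way to catch the "one wrong character" problem Brent describes before an active response acts on it.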



Re: [ossec-list] Ransomware.

2016-06-14 Thread Brent Morris
I thought about doing this too.  You could look for file extensions as 
mentioned before.

But I struggled on how to make it effective, and then how to test it.  To 
be realistic, I think you'd need a lab with a mirror of your environment 
(file share, ossec, etc) and actually run a variant of cryptolocker to see 
the results.  I wasn't convinced that simply alerting on X number of files 
written within X number of seconds would be effective enough without some 
tuning and testing.

It's a good idea!!!  But I think a proper implementation would require lots 
of time and testing... and I realized it was the last thing on my list to 
do after employing all the other "best" (good) practices in cryptolocker 
prevention.

In the end, I thought application whitelisting alone would yield a better 
return. :/

-Brent



On Thursday, June 9, 2016 at 3:27:50 AM UTC-7, Nate wrote:
>
> Couldn't pass be used to monitor the frequency of files accessed or 
> rewritten on a share via the logs generated from those operations?  It 
> might not be foolproof, but if the log shows a single account accessing 
> several files faster than a human might be able to, it could alert, or even 
> block. Maybe I'm missing something.  
> On Jun 7, 2016 13:58, "Kevin Wilcox" wrote:
>
>> On 7 June 2016 at 13:29, Eero Volotinen wrote:
>>
>> > Well. This is impossible. There is no way to see difference between 
>> normal
>> > file access and virus crypting all your files..
>>
>> There are some common extensions for very common ransomware/crypto
>> stuff that you can look for but be prepared for false positives, to
>> add to the extensions list and for the list to change with new
>> iterations of the malware.
>>
>> For example:
>>
>>
>> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
>>
>> You can also do things like script checking the entropy level of files
>> in a directory and generate alerts based on that output. Now, though,
>> we're talking about doing stuff well outside of OSSEC and just having
>> OSSEC send alerts if  is or isn't present.
>>
>> One quick-and-easy thing to do is to have a canary directory or file
>> that nobody should ever access. If you see the access time change on
>> the directory, write a file that triggers an alert. If a new file
>> shows in the directory, trigger an alert. If anything in the directory
>> changes, trigger an alert.
>>
>> As you said, the hard part of identifying virus behaviour is that it
>> mimics things we do every day.
>>
>> kmw
>>
>

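The canary directory, known-extension and "many files in a short window" ideas from Kevin's and Brent's messages above, as an added OSSEC example that is not from either poster: the share path, the canary path, the 100xxx rule ids, the thresholds and the two extensions are assumptions to tune for your environment; the stock syscheck rule ids 550, 553 and 554 are the ones shipped in ossec_rules.xml.

```xml
<!-- ossec.conf on the file-server agent (paths are assumptions): watch the
     share in realtime plus a canary directory that nobody legitimately uses -->
<syscheck>
  <directories realtime="yes" check_all="yes">/srv/share</directories>
  <directories realtime="yes" check_all="yes" report_changes="yes">/srv/share/.canary</directories>
  <!-- without this, "file added" events (stock rule 554) are never raised -->
  <alert_new_files>yes</alert_new_files>
</syscheck>

<!-- local_rules.xml on the manager; stock syscheck ids: 550 = checksum
     changed, 553 = file deleted, 554 = file added -->
<group name="local,syscheck,ransomware,">

  <!-- Canary: any add, change or delete under it is suspicious by definition -->
  <rule id="100201" level="13">
    <if_sid>550,553,554</if_sid>
    <match>/srv/share/.canary/</match>
    <description>Canary directory touched: possible ransomware activity</description>
  </rule>

  <!-- Known ransomware extensions (two illustrative entries; maintain the
       list from outside sources and expect it to change). The syscheck log
       quotes the path, so match the extension followed by the closing quote -->
  <rule id="100202" level="12">
    <if_sid>554</if_sid>
    <regex>\.locky'|\.cerber'</regex>
    <description>New file with a known ransomware extension</description>
  </rule>

  <!-- Low-level base event: any new file under the share -->
  <rule id="100203" level="3">
    <if_sid>554</if_sid>
    <match>/srv/share/</match>
    <description>New file on share</description>
  </rule>

  <!-- Burst: 30 new files within 60 s. Backups, builds and bulk copies will
       trip this too, so tune frequency/timeframe in a lab before acting on it -->
  <rule id="100204" level="10" frequency="30" timeframe="60" ignore="300">
    <if_matched_sid>100203</if_matched_sid>
    <description>Burst of new files on share: possible mass encryption</description>
  </rule>

</group>
```

Realtime monitoring needs an agent built with inotify support; without it the canary rule only fires on the next scheduled scan.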


[ossec-list] Android's Outlook app causing crazy logs in IIS/Exchange

2016-07-26 Thread Brent Morris
Microsoft's Android app for Outlook is making my OSSEC unhappy. :(   These 
logs are coming in via IIS.

> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too 
> large)."
> Portion of the log(s):
>
> 4947_Fid:126_St:S_Sk:1758347863_Fid:127_St:S_Sk:11921995_Fid:128_St:S_Sk:1934396847_Fid:129_St:S_Sk:630117934_Fid:13_St:S_Sk:1754505034_Fid:130_St:S_Sk:748505773_Fid:131_St:S_Sk:309540663_Fid:132_St:S_Sk:1772191869_Fid:133_St:S_Sk:565377033_Fid:134_St:S_Sk:281226952_Fid:135_St:S_Sk:62187726_Fid:136_St:S_Sk:1567895604_Fid:137_St:S_Sk:1356942230_Fid:138_St:S_Sk:1515475935_Fid:139_St:S_Sk:1412175845_Fid:14_St:S_Sk:768085750_Fid:140_St:S_Sk:1708529117_Fid:141_St:S_Sk:743126850_Fid:142_St:S_Sk:397094829_Fid:143_St:S_Sk:1815464751_Fid:144_St:S_Sk:2130767954_Fid:145_St:S_Sk:611310625_Fid:146_St:S_Sk:131106572_Fid:147_St:S_Sk:1642314164_Fid:148_St:S_Sk:1204748926_Fid:149_St:S_Sk:1851235748_Fid:15_St:S_Sk:1885412375_Fid:150_St:S_Sk:1181980656_Fid:151_St:S_Sk:137658458_Fid:152_St:S_Sk:2072150418_Fid:153_St:S_Sk:2051081829_Fid:154_St:S_Sk:1944889060_Fid:155_St:S_Sk:2132772168_Fid:156_St:S_Sk:1350885012_Fid:157_St:S_Sk:1335572306_Fid:158_St:S_Sk:707491986_Fid:159_St:S_Sk:384868235_Fid:16_St:S_Sk:1590622507_Fid:160_St:S_Sk:1241069710_Fid:161_St:S_Sk:1161064540_Fid:162_St:S_Sk:1650111764_Fid:163_St:S_Sk:729076120_Fid:164_St:S_Sk:44905471_Fid:165_St:S_Sk:987209269_Fid:166_St:S_Sk:1882339622_Fid:167_St:S_Sk:1745980924_Fid:168_St:S_Sk:80824038_Fid:169_S
>
> --END OF NOTIFICATION


This is all part of one log entry.


I can add a rule to suppress these alerts, but it seems to me that in agent 
communications (not syslog comm) to OSSEC, it ought to be allowed to have 
an extremely large message.


Is there a fundamental reason the agent has the same limitation as syslog 
for communication?


Thanks for any responses!!!


-Brent




[ossec-list] Re: OSSEC rule to detect new run keys added to the registry

2016-12-16 Thread Brent Morris
AFAIK - OSSEC already checks those run locations.  I've wondered about the 
Wow6432Node Run location, but I believe it checks those too.

Check your ossec.conf on the clients and you'll see those Run locations are 
in there by default.

On Wednesday, December 14, 2016 at 11:27:10 AM UTC-8, namobud...@gmail.com 
wrote:
>
> I'm wondering if anyone has created (or could help me) create an OSSEC 
> rule to detect new additions to the "run" keys in the registry.
>
> The goal is to detect malware and fileless malware adding run keys to the 
> registry.
>
> If anyone has started creating rules for fileless malware detection that 
> would be great too.
>
> Thanks.
>

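To make Brent's point concrete, an added example (not from either poster) of the Run/RunOnce entries the Windows agent monitors through syscheck, including the Wow6432Node locations, plus a local rule that raises the level when one of those keys changes. The 100xxx rule id is an assumption, and the stock registry ids 594 (checksum changed) and 597 (entry added) should be verified against your own ossec_rules.xml.

```xml
<!-- Windows agent ossec.conf: the Run/RunOnce autostart keys. Check the
     stock file first; these are normally already present. Per-user hives
     (HKEY_CURRENT_USER) are not covered by this configuration. -->
<syscheck>
  <frequency>3600</frequency>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
</syscheck>

<!-- local_rules.xml on the manager: the stock registry alerts are level 5,
     below the default email threshold; raise them for the autostart keys.
     "." in OSSEC regex matches any character, so this avoids escaping the
     backslash and covers both Run and RunOnce. -->
<group name="local,syscheck,registry,">
  <rule id="100301" level="12">
    <if_sid>594,597</if_sid>
    <regex>CurrentVersion.Run</regex>
    <description>Autostart (Run/RunOnce) registry key changed or added</description>
  </rule>
</group>
```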


[ossec-list] Re: multiple ip brute force Wordpress attack

2018-03-07 Thread Brent Morris
Can you lock down your wp-admin folder using an .htaccess file or your 
hosting provider's control panel?


On Friday, February 23, 2018 at 5:36:57 AM UTC-8, Martin West wrote:

> Hi, I run a minor website http://socct.org, unfortunately the acronym 
> coincides with https://www.wikileaks.org/wiki/SOCCT_(military).  For the 
> last two days the site is taking a multiple site brute force attacks. Apart 
> from changing our name, any suggestions?  I have added an extension rule to 
> rule 31510 so that if I get multiple 31510 alerts in short period from 
> the same ip I block for longer which stopped getting alerts every ten 
> minutes.
>
> Thanks
>
>



[ossec-list] Migration to 2.9.2

2018-05-01 Thread Brent Morris
Hi Gang!

I've been on 2.8x for some time, and it's time to upgrade.  The in place 
upgrade failed miserably; mostly due to ipv6 issues.  I do wish the 
install.sh script would check for ipv6 support and soft fail if it's not 
found.  I recompiled with the ipv4 workaround, and was able to get 
ossec-remoted partially working with syslog, but agents weren't able to 
communicate with it.  And I'm not going to monkey around with that Linux 
install any longer.  Stick a fork in it, I'm done.

So what's the process to migrate logs, agent keys (I can probably look that 
one up, but if you have a minute) to a new installation?  Is it possible to 
bring over the logs from our old installation and the chain of immutable 
archive authentication from day to day?  It'd help with records compliance 
if I could just carry them forward.

Thanks!



[ossec-list] Re: Modification to Correct IP Connectivity Issues on BSD Servers

2018-05-03 Thread Brent Morris
Dave - first, thank you very much for such a detailed explanation and 
submitting this back to OSSEC for the community!

I just attempted an upgrade from 2.8.3 to 2.9.3 and had, what sounds like, 
similar issues.  Our CentOS 6.5 server didn't have ipv6 support installed 
or enabled.  I recompiled with a workaround noted in this github issue 
- https://github.com/ossec/ossec-hids/pull/1259 - and was able to get 
syslog clients working, but my agents would still not connect.

My agent logs contained the same errors... trying to connect.  Connected, 
and then waiting for reply.  I ended up restoring my old server.

Have you looked at the pull request I linked above?  Are the issues related?

Thanks again!

On Wednesday, May 2, 2018 at 6:25:18 PM UTC-7, Dave Stoddard wrote:
>
> I just submitted a pull request to correct a connectivity issue I was 
> having with OSSEC servers running on FreeBSD 11.1. I mentioned this on the 
> email list a few weeks ago, but it took some time to do the work to 
> identify and correct the problem. I encountered a significant issue in 
> OSSEC 2.9.3 and the current OSSEC beta (GitHub repository) release that 
> affects the ability of OSSEC clients to be able to connect to FreeBSD 
> servers. The issue did not exist for OSSEC 2.8.3 possibly due to the fact 
> that it was IPv4 only. This connectivity issue probably affects all current 
> BSD derivatives and possibly some of the more obscure releases of Linux as 
> well. I have identified and resolved the issue in OSSEC by rewriting some 
> of the networking code, however, before I describe the solution, I wanted 
> to provide some background information on the problem first.
>
> *Problem Symptoms*
>
> The server is running FreeBSD 11.1 with all of the current updates. This 
> is a standard OSSEC server installation with all standard options enabled 
> and no bells and whistles (no MySQL and no MQ). After correcting for some 
> BSD-specific issues for header files and libraries, OSSEC installs normally 
> on the server with the install.sh script and the compilation completes 
> without any fatal errors (GCC does generate a few warnings on 
> analysisd/decoders/syscheck.c and analysisd/decoders/syscheck-test.c, but 
> these are not show stoppers). The server has an assigned IP address of 
> 192.168.1.80 (IPv4 private IP space) and all of the clients it associates 
> with are on the local 192.168.1.0/24 network.
>
> The OSSEC 2.9.3 client software is installed on each Windows workstation 
> and valid client keys are obtained for each client system. Everything 
> appears fine, except that there are no alerts logged on the server for any 
> of the configured clients. In short, the problem manifests itself as an 
> inability for the client systems to connect to the OSSEC server. In the 
> ossec.log file on each client there are messages like this that repeat over 
> and over:
>
> 2018/03/08 12:11:06 ossec-agentd: INFO: Trying to connect to server 192.168.1.80, port 1514.
> 2018/03/08 12:11:06 INFO: Connected to 192.168.1.80 at address 192.168.1.80:1514, port 1514
> 2018/03/08 12:11:27 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.80'.
>
>
> 2018/03/08 12:12:41 ossec-agentd: INFO: Trying to connect to server 192.168.1.80, port 1514.
> 2018/03/08 12:12:41 INFO: Connected to 192.168.1.80 at address 192.168.1.80:1514, port 1514
> 2018/03/08 12:13:02 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.80'.
>
>
> Because the clients use UDP, and UDP is a connectionless protocol, there 
> is no protocol handshake to ensure a connection has actually been 
> established like there would be with TCP. As long as the sendto() function 
> returns a positive integer (the number of bytes sent), the call is deemed 
> successful. This is true even when packets are not received on the 
> destination host. To compensate for this, the server is supposed to return 
> a control message to indicate the packet was received. Because the client 
> never receives this confirmation, a warning is generated in the client log 
> "Waiting for server reply (not started)".
>
> On the server, remoted starts fine. It displays the maximum number of 
> agents allowed (2048) and logs the fact that it successfully read the 
> authentication keys file. However, the server logs hint that there is an 
> issue when remoted starts because each client in the client.keys file 
> results in a message stating "Assigning counter for agent Workstation01: 
> '0:0'", or "Assigning sender counter: 0:0". These messages are generated 
> when a client is defined in the etc/client.keys file, but no initial 
> connection has ever occurred. This is normal for a first time start of 
> OSSEC, but if this happens every time you restart OSSEC for every client 
> defined in the system, your clients are not communicating.
>
> To identify whether remoted was listening on UDP port 1514, I used the 
> "netstat -an" c

[ossec-list] Re: remoted crashing (too many agents?)

2018-05-03 Thread Brent Morris
What version of OSSEC are you running?  Also, can you check your 
/var/ossec/logs/ossec.log to see if it's unable to listen on port 1514?  
You can run ossec-remoted from command line with -f and/or -d to get more 
details.

On Thursday, May 3, 2018 at 11:01:55 AM UTC-7, Cooper wrote:
>
> Hey all (Dan),
>
> I pushed out the new version of the ossec agent to about 1,000 servers 
> last night.   However, remoted on port 1514 crashes on start, without 
> logging an error message as to why.  Is there something that I need to 
> tweak for this many agents?  It was working just fine with the trial run of 
> ~300.
>
> Thanks!
>


