[ossec-list] Outlook Web Access (2003) logs

2015-12-09 Thread Chris H
Hi. I'm trying, unsuccessfully, to create a decoder for Outlook Web Access 
(OWA) 2003 access logs.  These are a slightly different format to regular 
IIS access logs, so aren't getting matched:

2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 
Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5

I've added a local decoder as below, but it's not getting matched:


windows-date-format
web-log
true
^W3SVC\d+ \S+ 
(\S+) (\S+ \S+) \d+ \S+ 
(\d+.\d+.\d+.\d+) \S+ (\d+)
action, url, srcip, id


Any ideas?  I've based this on the tweaks for IIS7 logs, which seem to 
work.  Testing my regex elsewhere, e.g. regex101.com, it seems to work and 
I don't get any errors.  Testing in ossec-logtest, I get the following:

**Phase 1: Completed pre-decoding.
   full event: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 
80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
   hostname: 'ossec'
   program_name: '(null)'
   log: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 
79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'

**Phase 2: Completed decoding.
   decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
   Rule id: '31100'
   Level: '0'
   Description: 'Access log messages grouped.'

I'm trying to detect scans via multiple 400 errors, but they're not getting 
picked up because the decoder is failing.

Thanks

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
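As an added example (not from the post and not OSSEC's own decoder code), the Python below parses lines in the layout shown above into the same four fields the decoder names (action, url, srcip, id) and runs a sliding-window count of 4xx responses per source IP, which is the scan signal the post wants to alert on. The extra sample lines are constructed around the one in the post; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the IIS/OWA W3C line layout in the post. It captures the same
# four fields the post's decoder names (action, url, srcip, id) plus the
# timestamp, which the scan detector needs for time bucketing.
OWA_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"W3SVC\d+ \S+ "                        # site name, server IP
    r"(?P<action>\S+) (?P<url>\S+ \S+) "    # method, uri-stem and uri-query
    r"\d+ \S+ "                             # server port, username
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ "   # client IP, '+'-joined user agent
    r"(?P<id>\d+)"                          # HTTP status code
)


def parse_owa_line(line):
    """Return a dict with timestamp, action, url, srcip and id, or None
    when the line does not follow the expected layout."""
    m = OWA_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return {"timestamp": ts, "action": m["action"], "url": m["url"],
            "srcip": m["srcip"], "id": int(m["id"])}


class ClientErrorScanDetector:
    """Sliding-window counter: emits one alert per source IP each time it
    produces at least `threshold` 4xx responses within `window` seconds
    (assumed defaults: 5 hits in 60 seconds)."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self._hits = defaultdict(deque)  # srcip -> timestamps of 4xx hits

    def feed(self, event):
        """Feed one parsed event; return the srcip when it crosses the
        threshold, otherwise None. Non-4xx and unparsed lines are ignored."""
        if event is None or not 400 <= event["id"] < 500:
            return None
        q = self._hits[event["srcip"]]
        q.append(event["timestamp"])
        # Drop hits that have fallen out of the window.
        while q and event["timestamp"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # reset so one burst yields a single alert
            return event["srcip"]
        return None


def detect_scans(lines, threshold=5, window=60):
    """Run the detector over raw log lines; return the alerted source IPs
    in the order they crossed the threshold."""
    det = ClientErrorScanDetector(threshold, window)
    alerts = []
    for line in lines:
        hit = det.feed(parse_owa_line(line))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample: the line from the post, a burst of further 4xx
# responses from the same client, one unrelated 200, and a late 404 that
# falls outside the burst window.
UA = "Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5)"
SAMPLE_LINES = [
    "2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 " + UA + " 403 4 5",
    "2015-12-09 14:03:50 W3SVC1 10.10.10.10 GET /owa/ - 80 - 79.141.160.57 " + UA + " 403 4 5",
    "2015-12-09 14:03:52 W3SVC1 10.10.10.10 GET /exchange/ - 80 - 10.0.0.5 Mozilla/5.0 200 0 0",
    "2015-12-09 14:03:55 W3SVC1 10.10.10.10 GET /exchweb/ - 80 - 79.141.160.57 " + UA + " 404 0 2",
    "2015-12-09 14:04:02 W3SVC1 10.10.10.10 GET /public/ - 80 - 79.141.160.57 " + UA + " 403 4 5",
    "2015-12-09 14:04:10 W3SVC1 10.10.10.10 GET /cgi-bin/ - 80 - 79.141.160.57 " + UA + " 404 0 2",
    "2015-12-09 14:10:00 W3SVC1 10.10.10.10 GET /test.php - 80 - 79.141.160.57 " + UA + " 404 0 2",
]

if __name__ == "__main__":
    for ip in detect_scans(SAMPLE_LINES):
        print("possible scan from", ip)
```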


[ossec-list] Overwriting Trend AV Rule

2015-04-30 Thread Chris H
Hi.  We use Trend Micro AV, but the current rules don't match properly.  
I'm not sure what they're looking at, but our version of Trend writes 
alerts to the Windows Event Log.  

Here's a sample.

2015 Apr 29 17:57:52 WinEvtLog: Application: WARNING(500): Trend Micro 
OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: 
Eicar_test_1  Computer: LAPTOP1  Domain: domain.co.uk  File: 
C:\Users\username\AppData\Roaming\Notepad++\backup\new  
3@2015-04-29_174606  Date/Time: 29/04/2015 17:57:48  Result: Virus 
successfully detected, cannot perform the Clean action (Quarantine)

I'm trying to overwrite the current rules 7610 and 7611, relating to virus 
detection, using the Windows decoder:

trend-osce_rules.xml:

  
7600
^0|$|^1$|^2$|^33|^10$|^11$|^12$
virus
Virus detected and cleaned/quarantined/remved
  


local_rules.xml:

  
18102
^500
virus
Virus detected and 
cleaned/quarantined/removed
  


However, when I run ossec-logtest it's picking up as 18102, not 7610.  If I 
remove the overwrite and change the rule ID to something unique, like 
97610, the rule fires.  How can I overwrite the existing Trend rule, but 
keep the same IDs so that other monitoring systems (specifically OSSIM) 
work?

Thanks.



Re: [ossec-list] Syslog forwarding doesn't work with custom_alert_output

2015-01-06 Thread Chris H
It's the default OSSEC install in OSSIM, rather than one I installed 
myself.  It's 2.8 though.

Thanks

On Monday, January 5, 2015 3:17:09 PM UTC, dan (ddpbsd) wrote:
>
> On Mon, Jan 5, 2015 at 10:14 AM, Chris H  > wrote: 
> > Hi. 
> > 
> > The OSSEC deployment within OSSIM uses custom_alert_output, rather than 
> the 
> > default log format.  I was trying to get these alerts sent to another 
> > server, and enabled syslog_output, as I have done on other OSSEC 
> > deployments.  On the OSSIM deployment, the logs do not get forwarded.  I 
> > removed the custom_alert_output setting in ossec.conf and the logs get 
> > forwarded as expected. 
> > 
> > Is this a known issue?  If not, I can raise a bug on github. 
> > 
>
> Which version of OSSEC did you install? 
>
> > Thanks 
> > 
>



[ossec-list] Syslog forwarding doesn't work with custom_alert_output

2015-01-05 Thread Chris H
Hi. 

The OSSEC deployment within OSSIM uses custom_alert_output, rather than the 
default log format.  I was trying to get these alerts sent to another 
server, and enabled syslog_output, as I have done on other OSSEC 
deployments.  On the OSSIM deployment, the logs do not get forwarded.  I 
removed the custom_alert_output setting in ossec.conf and the logs get 
forwarded as expected.

Is this a known issue?  If not, I can raise a bug on github.

Thanks



Re: [ossec-list] OSSEC with OSSIM

2014-11-14 Thread Chris H
This is exactly what I'm trying to get working with my issue where the 
hybrid agent stops parsing the alerts log file :(

On Wednesday, November 12, 2014 2:09:36 PM UTC, dan (ddpbsd) wrote:
>
> On Wed, Nov 12, 2014 at 5:47 AM, Teddy Jayasaputra 
> > wrote: 
> > Dear all, 
> > 
> > Have any of you got an ossec server talking to ossec in OSSIM? 
> > 
> > I send ossec alerts via syslog to the OSSIM rsyslog but it is not working, 
> because 
> > OSSIM uses a custom log format with the tag AV in front of each log, so alerts from 
> the ossec 
> > server are not recognised by OSSIM. 
> > 
> > I heard about ossec in hybrid mode. 
> > Can someone describe it?  Or point me to the manual for it? Can hybrid 
> mode 
> > solve deploying ossec to ossec in OSSIM? 
> > 
>
> Hybrid mode allows an OSSEC manager to report alerts to another OSSEC 
> manager. 
>
> > Thanks. 
> > 
> > Best Regards, 
> > 
> > -Teddy- 
> > 
>



Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-13 Thread Chris H
Hi.  It means nothing to me, but here's a section from strace -f as it 
fails again.

20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = 
-1 ENOENT (No such file or directory)
20128 sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 666, 0, NULL, 0) = 
666
20128 read(6, "", 4096) = 0
20128 read(7, "", 4096) = 0
20128 read(8, "", 4096) = 0
20128 read(9, 0x7f328630, 4096) = -1 EISDIR (Is a directory)
20128 select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = 
-1 ENOENT (No such file or directory)
20128 sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 378, 0, NULL, 0) = 
378
20128 read(6, "", 4096) = 0
20128 read(7, "", 4096) = 0
20128 read(8, "", 4096) = 0
20128 read(9, 0x7f328630, 4096) = -1 EISDIR (Is a directory)
20128 select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
20128 read(5, "104->WinEvtLog\nRule: 18149 (leve"..., 4096) = 4096
20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a998c90) = 
-1 ENOENT (No such file or directory)
20128 sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 381, 0, NULL, 0) = 
381
20128 read(6, "", 4096) = 0
20128 read(7, "", 4096) = 0
20128 read(8, "", 4096) = 0
20128 read(9, 0x7f328630, 4096) = -1 EISDIR (Is a directory)
20128 stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fff0a999720) = 
-1 ENOENT (No such file or directory)
20128 sendto(4, "1:ossec-keepalive:--MARK--: c$L/"..., 111, 0, NULL, 0) = 
111
20128 stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, 
st_size=1216888277, ...}) = 0
20128 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
20128 open("/logs/ossec/ossec-agent/logs/ossec.log", 
O_WRONLY|O_CREAT|O_APPEND, 0666) = 10
20128 fstat(10, {st_mode=S_IFREG|0770, st_size=41256, ...}) = 0
20128 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0x7f32862ff000
20128 fstat(10, {st_mode=S_IFREG|0770, st_size=41256, ...}) = 0
20128 lseek(10, 41256, SEEK_SET)= 41256
20128 write(10, "2014/11/13 15:13:11 ossec-logcol"..., 123) = 123
20128 close(10) = 0
20128 munmap(0x7f32862ff000, 4096)  = 0
20128 close(5)  = 0
20128 munmap(0x7f3286304000, 4096)  = 0
20128 stat("/var/log/userhistory.log", {st_mode=S_IFREG|0600, st_size=0, 
...}) = 0
20128 stat("/var/log/messages", {st_mode=S_IFREG|0600, st_size=1282, ...}) 
= 0
20128 stat("/var/log/secure", {st_mode=S_IFREG|0600, st_size=3183, ...}) = 0
20128 stat("/var/log/audit", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0


On Thursday, November 13, 2014 1:53:16 PM UTC, Jeremy Rossi wrote:
>
> Can we try to get an strace with threads: strace -f   
>
> > On Nov 12, 2014, at 12:52 PM, dan (ddp) > 
> wrote: 
> > 
> >> On Wed, Nov 12, 2014 at 11:49 AM, dan (ddp)  > wrote: 
> >>> On Mon, Nov 10, 2014 at 4:02 AM, Chris H  > wrote: 
> >>> The only calls in the strace to alerts.log are these: 
> >>> 
> >>> sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 
> 673 
> >> 
> >> Are you sure 4 is a log file, and not the connection to the 
> >> ossec-remoted on the other end? I don't think there's enough of the 
> >> logs to really get an idea of what's going on (maybe the developers 
> >> would have more of a clue). 
> >> 
> >> I did setup a hybrid system on Centos 7 and the latest OSSEC sources, 
> >> but I'm not seeing the same issues you are. 
> > 
> > Spoke too soon, just saw it happen after about an hour of running. 
> > 
> >>> It's definitely reading it though, as it forwards the logs for a bit. 
> >>> 
> >>>> On Friday, November 7, 2014 1:00:31 PM UTC, dan (ddpbsd) wrote: 
> >>>> 
> >>>>> On Thu, Nov 6, 2014 at 9:40 AM, Chris H  
> wrote: 
> >>>>> Hi. 
> >>>>> 
> >>>>> I'm running on CentOS 6.6. 
> >>>>> 
> >>>>> I enabled debug in internal_options.conf - nothing new in the logs. 
> >>>>> strace 
> >>>>> gives this at the time that it stops reading the file.  It means 
> nothing 
> >>>>> to 
> >>>>> me, though. 
> >>>>> 
> >>>>> stat("/logs/ossec/ossec-agent/queu

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-10 Thread Chris H
The only calls in the strace to alerts.log are these:

sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673

It's definitely reading it though, as it forwards the logs for a bit.

On Friday, November 7, 2014 1:00:31 PM UTC, dan (ddpbsd) wrote:
>
> On Thu, Nov 6, 2014 at 9:40 AM, Chris H > 
> wrote: 
> > Hi. 
> > 
> > I'm running on CentOS 6.6. 
> > 
> > I enabled debug in internal_options.conf - nothing new in the logs. 
>  strace 
> > gives this at the time that it stops reading the file.  It means nothing 
> to 
> > me, though. 
> > 
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
> > ENOENT (No such file or directory) 
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641 
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout) 
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
> > ENOENT (No such file or directory) 
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 639, 0, NULL, 0) = 639 
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout) 
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
> > ENOENT (No such file or directory) 
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 634, 0, NULL, 0) = 634 
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60c0390) = -1 
> > ENOENT (No such file or directory) 
> > sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673 
> > stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, 
> > st_size=2608807647, ...}) = 0 
> > stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0 
> > open("/logs/ossec/ossec-agent/logs/ossec.log", 
> O_WRONLY|O_CREAT|O_APPEND, 
> > 0666) = 6 
> > fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0 
> > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
> = 
> > 0x7f718bba4000 
> > fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0 
> > lseek(6, 6467, SEEK_SET)= 6467 
> > write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123 
> > close(6)= 0 
> > munmap(0x7f718bba4000, 4096)= 0 
> > close(5)= 0 
> > munmap(0x7f718bba5000, 4096)= 0 
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout) 
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout) 
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout) 
> > select(0, NULL, NULL, NULL, {2, 0}^C  
> > 
>
> I don't actually see an open of the alerts.log, or any failures (or 
> I'm missing them). 
>
> > 
> > It seems to fail after the keepalive every time. 
> > 
> > On Thursday, November 6, 2014 12:53:32 PM UTC, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Nov 6, 2014 at 6:44 AM, Chris H  wrote: 
> >> > Has anyone got Hybrid working? 
> >> > 
> >> 
> >> I have agents that work and I have managers that work. So basically 
> yes. 
> >> What distro/version are you using? 
> >> Can you try strace to see if that gives you more information on what's 
> >> going on? 
> >> Looking at the code, I think better information should be logged, 
> >> maybe try turning on debug? 
> >> 
> >> > according to lsof, nothing else seems to be accessing the files at 
> the 
> >> > time 
> >> > that the agent stops processing them. 
> >> > 
> >> > I've figured out why it's looking at additional files/directories, 
> it's 
> >> > pulled in the shared agent config; I'd forgotten I'd configured that 
> :) 
> >> > 
> >> > 
> >> > 
> >> > On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote: 
> >> >> 
> >> >> Hi. I've set selinux to Permissive, no difference.  It sends some 
> logs 
> >> >> out, in the 2 minutes before it stops processing the file. 
> >> >> 
> >> >> Thanks. 
> >> >> 
> >> >> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote: 
> >> >>> 
> >> >>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H  
> wrote: 
> >> >>> > Hi.  I'm trying to get a hybrid server working, and seeing some 
> odd 
> >> >>> > behaviour.  I'm running 2.8.1. 
>

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread Chris H
Same thing, unfortunately.

2014/11/06 15:26:33 ossec-logcollector: DEBUG: Starting ...
2014/11/06 15:26:33 ossec-logcollector: DEBUG: Waiting main daemons to 
settle.
2014/11/06 15:26:39 ossec-logcollector: INFO: (unix_domain) Maximum send 
buffer set to: '229376'.
2014/11/06 15:26:39 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2014/11/06 15:26:39 ossec-logcollector(1950): INFO: Analyzing file: 
'/logs/ossec/logs/alerts/alerts.log'.
2014/11/06 15:26:39 ossec-logcollector: INFO: Started (pid: 7004).
2014/11/06 15:28:49 ossec-logcollector(1904): INFO: File not available, 
ignoring it: '/logs/ossec/logs/alerts/alerts.log'.

it's failing immediately after the first keepalive:
sendto(4, "1:ossec-keepalive:--MARK--: X;]^"..., 485, 0, NULL, 0) = 485

On Thursday, November 6, 2014 3:15:35 PM UTC, dan (ddpbsd) wrote:
>
>
> On Nov 6, 2014 9:41 AM, "Chris H" > 
> wrote:
> >
> > Hi.
> >
> > I'm running on CentOS 6.6.
> >
> > I enabled debug in internal_options.conf - nothing new in the logs.  
> strace gives this at the time that it stops reading the file.  It means 
> nothing to me, though.
> >
>
> Try killing the daemon and restarting it with the -d flag. 
> `/var/ossec/ossec-agent/bin/ossec-logcollector -d` (typed on my phone, so 
> tyops are likely)
>
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
> ENOENT (No such file or directory)
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
> ENOENT (No such file or directory)
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 639, 0, NULL, 0) = 639
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
> ENOENT (No such file or directory)
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 634, 0, NULL, 0) = 634
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60c0390) = -1 
> ENOENT (No such file or directory)
> > sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
> > stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, 
> st_size=2608807647, ...}) = 0
> > stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
> > open("/logs/ossec/ossec-agent/logs/ossec.log", 
> O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
> > fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
> > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
> = 0x7f718bba4000
> > fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
> > lseek(6, 6467, SEEK_SET)= 6467
> > write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123
> > close(6)= 0
> > munmap(0x7f718bba4000, 4096)= 0
> > close(5)= 0
> > munmap(0x7f718bba5000, 4096)    = 0
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > select(0, NULL, NULL, NULL, {2, 0}^C 
> >
> >
> > It seems to fail after the keepalive every time.
> >
> > On Thursday, November 6, 2014 12:53:32 PM UTC, dan (ddpbsd) wrote:
> >>
> >> On Thu, Nov 6, 2014 at 6:44 AM, Chris H  wrote: 
> >> > Has anyone got Hybrid working? 
> >> > 
> >>
> >> I have agents that work and I have managers that work. So basically 
> yes. 
> >> What distro/version are you using? 
> >> Can you try strace to see if that gives you more information on what's 
> going on? 
> >> Looking at the code, I think better information should be logged, 
> >> maybe try turning on debug? 
> >>
> >> > according to lsof, nothing else seems to be accessing the files at 
> the time 
> >> > that the agent stops processing them. 
> >> > 
> >> > I've figured out why it's looking at additional files/directories, 
> it's 
> >> > pulled in the shared agent config; I'd forgotten I'd configured that 
> :) 
> >> > 
> >> > 
> >> > 
> >> > On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote: 
> >> >> 
> >> >> Hi. I've set selinux to Permissive, no difference.  It sends some 
> logs 
> >> >

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread Chris H
Hi.

I'm running on CentOS 6.6.

I enabled debug in internal_options.conf - nothing new in the logs.  strace 
gives this at the time that it stops reading the file.  It means nothing to 
me, though.

stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
ENOENT (No such file or directory)
sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
ENOENT (No such file or directory)
sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 639, 0, NULL, 0) = 639
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 
ENOENT (No such file or directory)
sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 634, 0, NULL, 0) = 634
stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60c0390) = -1 
ENOENT (No such file or directory)
sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, 
st_size=2608807647, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 
0666) = 6
fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f718bba4000
fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
lseek(6, 6467, SEEK_SET)= 6467
write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123
close(6)= 0
munmap(0x7f718bba4000, 4096)= 0
close(5)= 0
munmap(0x7f718bba5000, 4096)= 0
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {2, 0}^C 


It seems to fail after the keepalive every time.

On Thursday, November 6, 2014 12:53:32 PM UTC, dan (ddpbsd) wrote:
>
> On Thu, Nov 6, 2014 at 6:44 AM, Chris H > 
> wrote: 
> > Has anyone got Hybrid working? 
> > 
>
> I have agents that work and I have managers that work. So basically yes. 
> What distro/version are you using? 
> Can you try strace to see if that gives you more information on what's 
> going on? 
> Looking at the code, I think better information should be logged, 
> maybe try turning on debug? 
>
> > according to lsof, nothing else seems to be accessing the files at the 
> time 
> > that the agent stops processing them. 
> > 
> > I've figured out why it's looking at additional files/directories, it's 
> > pulled in the shared agent config; I'd forgotten I'd configured that :) 
> > 
> > 
> > 
> > On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote: 
> >> 
> >> Hi. I've set selinux to Permissive, no difference.  It sends some logs 
> >> out, in the 2 minutes before it stops processing the file. 
> >> 
> >> Thanks. 
> >> 
> >> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote: 
> >>> 
> >>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H  wrote: 
> >>> > Hi.  I'm trying to get a hybrid server working, and seeing some odd 
> >>> > behaviour.  I'm running 2.8.1. 
> >>> > 
> >>> > When the agent component starts, the logs state: 
> >>> > 
> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197). 
> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 
> 192.168.1.1 
> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server 
> >>> > (192.168.1.1:1514). 
> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 
> . 
> >>> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting. 
> >>> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module 
> disabled. 
> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205). 
> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> >>> > '/etc'. 
> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> >>> > '/usr/bin'. 
> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> >>> > '/usr/sbin'. 
> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> >>>

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread Chris H
Has anyone got Hybrid working?

according to lsof, nothing else seems to be accessing the files at the time 
that the agent stops processing them.  

I've figured out why it's looking at additional files/directories, it's 
pulled in the shared agent config; I'd forgotten I'd configured that :)


On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote:
>
> Hi. I've set selinux to Permissive, no difference.  It sends some logs 
> out, in the 2 minutes before it stops processing the file.
>
> Thanks.
>
> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
>>
>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H  wrote: 
>> > Hi.  I'm trying to get a hybrid server working, and seeing some odd 
>> > behaviour.  I'm running 2.8.1. 
>> > 
>> > When the agent component starts, the logs state: 
>> > 
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197). 
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1 
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server 
>> > (192.168.1.1:1514). 
>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 . 
>> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting. 
>> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled. 
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205). 
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
>> '/etc'. 
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
>> '/usr/bin'. 
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
>> > '/usr/sbin'. 
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
>> '/bin'. 
>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
>> '/sbin'. 
>> > 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue 
>> '/queue/alerts/execq' 
>> > not accessible: 'Queue not found'. 
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/logs/ossec/logs/alerts/alerts.log'. 
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/log/userhistory.log'. 
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/log/messages'. 
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/log/secure'. 
>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/log/audit'. 
>> > 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201). 
>> > 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active 
>> > response queue (disabled). 
>> > 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server 
>> > (192.168.1.1:1514). 
>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan 
>> > (forwarding database). 
>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database 
>> > (pre-scan). 
>> > 
>> > I don't know why it's monitoring most of those, as the ossec.conf for 
>> the 
>> > agent only specifies '/logs/ossec/logs/alerts/alerts.log'.  A couple of 
>> > minutes later, it stops parsing the alerts.log, with: 
>> > 
>> > 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, 
>> > ignoring it: '/logs/ossec/logs/alerts/alerts.log'. 
>> > 
>> > Any idea why it's stopping parsing the log file?  I do have logstash 
>> > consuming the logs too, and thought it might be that, but it happens 
>> even if 
>> > I disable logstash.  It's happening almost exactly 2 minutes after the 
>> > process starts.  I've tried setting the permissions on the log file to 
>> 644, 
>> > too, but that makes no difference. 
>> > 
>>
>> Is SELinux or something blocking access to it? 
>>
>>
>



Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-04 Thread Chris H
Hi. I've set selinux to Permissive, no difference.  It sends some logs out, 
in the 2 minutes before it stops processing the file.

Thanks.

On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
>
> On Mon, Nov 3, 2014 at 12:39 PM, Chris H  > wrote: 
> > Hi.  I'm trying to get a hybrid server working, and seeing some odd 
> > behaviour.  I'm running 2.8.1. 
> > 
> > When the agent component starts, the logs state: 
> > 
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197). 
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1 
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server 
> > (192.168.1.1:1514). 
> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 . 
> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting. 
> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled. 
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205). 
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'. 
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/bin'. 
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> > '/usr/sbin'. 
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'. 
> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: 
> '/sbin'. 
> > 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue 
> '/queue/alerts/execq' 
> > not accessible: 'Queue not found'. 
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/logs/ossec/logs/alerts/alerts.log'. 
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/log/userhistory.log'. 
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/log/messages'. 
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/log/secure'. 
> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/log/audit'. 
> > 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201). 
> > 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active 
> > response queue (disabled). 
> > 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server 
> > (192.168.1.1:1514). 
> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database 
> > (pre-scan). 
> > 
> > I don't know why it's monitoring most of those, as the ossec.conf for 
> the 
> > agent only specifies '/logs/ossec/logs/alerts/alerts.log'.  A couple of 
> > minutes later, it stops parsing the alerts.log, with: 
> > 
> > 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, 
> > ignoring it: '/logs/ossec/logs/alerts/alerts.log'. 
> > 
> > Any idea why it's stopping parsing the log file?  I do have logstash 
> > consuming the logs too, and thought it might be that, but it happens 
> even if 
> > I disable logstash.  It's happening almost exactly 2 minutes after the 
> > process starts.  I've tried setting the permissions on the log file to 
> 644, 
> > too, but that makes no difference. 
> > 
>
> Is SELinux or something blocking access to it? 
>
>



[ossec-list] Hybrid issues - stops forwarding logs

2014-11-03 Thread Chris H
Hi.  I'm trying to get a hybrid server working, and seeing some odd 
behaviour.  I'm running 2.8.1.

When the agent component starts, the logs state:

2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).

I don't know why it's monitoring most of those, as the ossec.conf for the 
agent only specifies '/logs/ossec/logs/alerts/alerts.log'.  A couple of 
minutes later, it stops parsing the alerts.log, with:

2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.

Any idea why it stops parsing the log file?  I do have logstash 
consuming the logs too, and thought it might be that, but it happens even 
if I disable logstash.  It's happening almost exactly 2 minutes after the 
process starts.  I've tried setting the permissions on the log file to 644, 
too, but that makes no difference.


Re: [ossec-list] Re: OSSEC & Logstash

2014-03-20 Thread Chris H
Thanks, I'll have a look.  For me the default template created each field 
as a multi-field, with the regular, analysed field and an additional "raw" 
un-analysed field.  I'm extracting quite a lot of fields from the different 
log types, which is something I was doing in Splunk before trying 
elasticsearch.

"Alert_Level" : {
  "type" : "multi_field",
  "fields" : {
    "Alert_Level" : {
      "type" : "string",
      "omit_norms" : true
    },
    "raw" : {
      "type" : "string",
      "index" : "not_analyzed",
      "omit_norms" : true,
      "index_options" : "docs",
      "include_in_all" : false,
      "ignore_above" : 256
    }
  }
},

I created a new default template in elasticsearch:

curl -XPUT 'http://localhost:9200/_template/template_logstash/' -d '{
  "template": "logstash-*",
  "settings": {
    "index.store.compress.stored": true
  },
  "mappings": {
    "_default_": {
      "_source": { "compress": "true" },
      "_all" : {
        "enabled" : false
      }
    }
  }
}'

This has applied, but the compression doesn't seem to do much.  I'm at the 
point where I might only be able to store a limited amount of data in 
elasticsearch :(

Chris


On Wednesday, March 19, 2014 7:37:41 PM UTC, Joshua Garnett wrote:
>
> Chris,
>
> Yeah digging into the templates was another big win for me.  For instance, 
> if you try to do a topN query on signature with the default template, you 
> end up with words like "the" and "and" as your top hits.  Setting signature 
> to not_analyzed ensures the field isn't tokenized.  Below is my template.
>
> --Josh
>
> Logstash settings:
>
> output {
>   elasticsearch {
>     host => "10.0.0.1"
>     cluster => "mycluster"
>     index => "logstash-ossec-%{+.MM.dd}"
>     index_type => "ossec"
>     template_name => "template-ossec"
>     template => "/etc/logstash/elasticsearch_template.json"
>     template_overwrite => true
>   }
> }
>
> elasticsearch_template.json
>
> {
>   "template":"logstash-ossec-*",
>   "settings":{
>     "index.analysis.analyzer.default.stopwords":"_none_",
>     "index.refresh_interval":"5s",
>     "index.analysis.analyzer.default.type":"standard"
>   },
>   "mappings":{
>     "ossec":{
>       "properties":{
>         "@fields.hostname":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "@fields.product":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "@message":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "@timestamp":{
>           "type":"date"
>         },
>         "@version":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "acct":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "ossec_group":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "ossec_server":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "raw_message":{
>           "type":"string",
>           "index":"analyzed"
>         },
>         "reporting_ip":{
>           "type":"string",
>           "index":"not_analyzed"
>         },
>         "reporting_source":{
>           "type":"string",
>           "index":"analyzed"
>         },
>         "rule_number":{
>           "type":"integer"
>         },
>         "severity":{
>           "type":"integer"
>         },
>         "signatu

[ossec-list] Re: OSSEC & Logstash

2014-03-19 Thread Chris H
Hi, Joshua.  

I'm using a very similar technique.  Are you applying a mapping template, 
or using the default?  I'm using the default automatic templates, because 
frankly I don't fully understand templates.  What this means though is that 
my daily indexes are larger than the uncompressed alerts.log, between 2-4GB 
per day, and I'm rapidly running out of disk space.  I gather that this can 
be optimised by enabling compression and excluding the _source and _all 
fields through the mapping template, but I'm not sure exactly how this 
works.  Just wondered if you've come across the same problem.

Thanks.

On Saturday, March 8, 2014 10:02:35 PM UTC, Joshua Garnett wrote:
>
> All,
>
> I'll probably write a blog post on this, but I wanted to share some work 
> I've done today.  
> http://vichargrave.com/ossec-log-management-with-elasticsearch/ shows how 
> to use OSSEC's syslog output to route messages to Elasticsearch.  The 
> problem with this method is it uses UDP.  Even when sending packets to a 
> local process UDP by definition is unreliable.  Garbage collections and 
> other system events can cause packets to be lost.  I've found it tends to 
> cap out at around 1,500 messages per minute. 
>
> To address this issue I've put together a logstash config that will read 
> the alerts from /var/ossec/logs/alerts/alerts.log.  On top of solving the 
> reliability issue, it also fixes issues with multi-lines being lost, and 
> adds geoip lookups for the src_ip.  I tested it against approximately 1GB 
> of alerts (3M events).
>
> input {
>   file {
>     type => "ossec"
>     path => "/var/ossec/logs/alerts/alerts.log"
>     sincedb_path => "/opt/logstash/"
>     codec => multiline {
>       pattern => "^\*\*"
>       negate => true
>       what => "previous"
>     }
>   }
> }
>
> filter {
>   if [type] == "ossec" {
>     # Parse the header of the alert
>     grok {
>       # Matches  2014 Mar 08 00:57:49 (some.server.com) 10.1.2.3->ossec
>       # (?m) fixes issues with multi-lines see https://logstash.jira.com/browse/LOGSTASH-509
>       match => ["message", "(?m)\*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} \(%{DATA:reporting_host}\) %{IP:reporting_ip}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
>
>       # Matches  2014 Mar 08 00:00:00 ossec-server01->/var/log/auth.log
>       match => ["message", "(?m)\*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
>     }
>
>     # Attempt to parse additional data from the alert
>     grok {
>       match => ["remaining_message", "(?m)(Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{USER:acct}%{SPACE})?%{GREEDYDATA:real_message}"]
>     }
>
>     geoip {
>       source => "src_ip"
>     }
>
>     mutate {
>       convert      => [ "severity", "integer"]
>       replace      => [ "@message", "%{real_message}" ]
>       replace      => [ "@fields.hostname", "%{reporting_host}"]
>       add_field    => [ "@fields.product", "ossec"]
>       add_field    => [ "raw_message", "%{message}"]
>       add_field    => [ "ossec_server", "%{host}"]
>       remove_field => [ "type", "syslog_program", "syslog_timestamp", "reporting_host", "message", "timestamp_seconds", "real_message", "remaining_message", "path", "host", "tags"]
>     }
>   }
> }
>
> output {
>   elasticsearch {
>     host => "10.0.0.1"
>     cluster => "mycluster"
>   }
> }
>
> Here are a few examples of the output this generates.
>
> {
>    "@timestamp":"2014-03-08T20:34:08.847Z",
>    "@version":"1",
>    "ossec_group":"syslog,sshd,invalid_login,authentication_failed,",
>    "reporting_ip":"10.1.2.3",
>    "reporting_source":"/var/log/auth.log",
>    "rule_number":"5710",
>    "severity":5,
>    "signature":"Attempt to login using a non-existent user",
>    "src_ip":"112.65.211.164",
>    "geoip":{
>       "ip":"112.65.211.164",
>       "country_code2":"CN",
>       "country_code3":"CHN",
>       "country_name":"China",
>       "continent_code":"AS",
>       "region_name":"23",
>       "city_name":"Shanghai",
>       "latitude":31.0456007,
>       "longitude":121.3997,
>       "timezone":"Asia/Shanghai",
>       "real_region_name":"Shanghai",
>       "location":[
>          121.3997,
>          31.0456007
>       ]
>    },
>    "@message":"Mar  8 01:00:59 someserver sshd[22874]: Invalid user oracle from 112.65.211.164\n",
>    "@fields.hostname":"someserver.somedomain.com",
>    "@fields.product"

[ossec-list] help with regex for decoder

2014-02-13 Thread Chris H
Hi.  I'm having real problems with a regex for a decoder, and hope someone 
can help.  I'm trying to extract some details from Windows Event Logs from 
a file server, for Object Access.  Here's a sample of the logs:

WinEvtLog: Security: AUDIT_SUCCESS(560): Security: user.name: MYDOMAIN: WIN-FS2: Object Open:  Object Server: Security Object Type: File   Object Name: D:\Shares\Recruitment\Head Office\Ops Vacancies Tracker.xlsxHandle ID: 27948Operation ID: {3,166460974} Process ID: 4   Image File Name:Primary User Name: WIN-FS2$ Primary Domain: 4UCORE  Primary Logon ID: (0x0,0x3E7)   Client User Name: user.name Client Domain: MYDOMAIN   Client Logon ID: (0x3,0x9D2FBB5)Accesses: %%1539%%4423  Privileges: -   Restricted Sid Count: 0 Access Mask: 0x40080

The fields I'm interested in, and that I want to use with FTS to trigger an 
alert, are the user.name and Object Name.  I'm good with extracting the 
former with the following decoders:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
</decoder>

<!-- the name attribute was not preserved by the list archive; placeholder name below -->
<decoder name="DECODER-NAME-NOT-PRESERVED">
  <type>windows</type>
  <parent>windows</parent>
  <prematch>^\.+: (\w+)\((560)\):</prematch>
  <regex>^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):</regex>
  <order>status, id, user, system_name</order>
</decoder>

But I can't extract the Object Name.  I've tried various permutations 
along the lines of:

<!-- the name attribute was not preserved by the list archive; placeholder name below -->
<decoder name="DECODER-NAME-NOT-PRESERVED">
  <type>windows</type>
  <parent>windows</parent>
  <prematch>^\.+: (\w+)\((560)\):</prematch>
  <regex>^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):</regex>
  <regex>\.*Object Type: File\s+Object Name: (\.*) +Handle</regex>
  <order>status, id, user, system_name</order>
</decoder>


I also have to deal with files with spaces in the name.  With a fuller 
regex library I'd do something like this, which works nicely because of the 
non-greedy matching:
^.+: (\w+)\((560)\): \w+: (\S+): \S+: (\S+): .*Object Type: File\s+Object Name: (.+?)\s+Handle

But I can't even get OSSEC to match on something as simple as:
\.*Name: (\S+)

Any help would be gratefully received.


Re: [ossec-list] OSSEC and syslog messages

2014-02-06 Thread Chris H


On Thursday, February 6, 2014 1:06:35 PM UTC, dan (ddpbsd) wrote:
>
> On Wed, Feb 5, 2014 at 9:14 AM, Chris H wrote: 
> > Hi.  I'm trying this setup, after seeing the blog post on ossec.net 
> > recently, and regularly exceeding the 500mb limit on Splunk free.  I'm 
> > sending alerts level 3+ to logstash and 5+ to splunk still.  I spent a 
> > while tweaking the logstash.conf to work with splunk format syslog output, 
> > as it includes the groups. Was going to share when it was fully working, 
> > but... 
> > 
> > Not all the logs are going into logstash (or at least not going in to 
> > elasticsearch.) 
> > 
> > For example, we just had a bunch of alerts from our anti-virus server. 
> > In the space of 30 seconds we had 29 events from one workstation: 
> > 
> > ** Alert 1391605348.1873086525: - trend_micro,osce,virus 
> > 2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog 
> > Rule: 110003 (level 5) -> 'Virus detected and Quarantined' 
> > WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14  Computer: D13800  Domain: Client pcs and laptops  File: C:\Documents and Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe  Date/Time: 05/02/2014 13:02:21  Result: Quarantine 
> > 
> > The only difference was the timestamp and the filename.  All 29 events 
> > went into Splunk, but only 1 made it into elasticsearch (not the first event, 
> > either.)  Could this be because of the syslog size limit?  There are a lot 
> > more events going into logstash because of the lower alert threshold. 
> > How does OSSEC group alerts when sending them by syslog? 
> > 
>
> When you come across an instance like this, do all (or at least > 1) 
> of the alerts get sent to logstash by ossec-csyslogd? 
>

Hi Dan. I don't know whether they're being dropped by logstash, or not being 
posted.  There's nothing in the logstash logs to indicate them being 
dropped.  Is there a log file to indicate when a message is posted by 
ossec-csyslogd?  My alerts.log is 2.2gb so far today, there's too much 
going through to be able to readily compare what's going through to what's 
being received.

Thanks


> > Thanks. 
> > 
> > On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es wrote: 
> >> > Hi, 
> >> > 
> >> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup? 
> >> > We found out that the netstat -tan diff ran by syscheck gives only the 
> >> > first line of the diff: 
> >> > 
> >> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 
> >> > - Listened ports status (netstat) 
> >> > 
> >> > changed (new port opened or closed).; Location: local-machine-001->netstat 
> >> > -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 
> >> > 
> >> > 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort' and it does not 
> >> > show the diff output (the 2 netstat -tan outputs). 
> >> > 
> >> > Does anyone else have this issue and if so, how did you fix it with 
> >> > (r)syslog? 
> >> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and 
> >> > Logstash/Kibana run on 2 separate machines. 
> >> > 
> >> 
> >> I haven't looked into this really, but I think the syslog output is 
> >> limited to 1024(?)k (an old syslog limit). diffs wouldn't really 
> >> transfer via syslog very well anyways, so I'm not sure they'd be worth 
> >> it. 
> >> 
> >> > Michiel 
>


Re: [ossec-list] OSSEC and syslog messages

2014-02-06 Thread Chris H
Just as an FYI, after posting this I thought about my setup a bit and I've 
now got logstash consuming the alerts.log directly.  I'll see if this works 
a bit better; at first glance it seems to.  I've attached my logstash.conf.


On Wednesday, February 5, 2014 2:14:36 PM UTC, Chris H wrote:
>
> Hi.  I'm trying this setup, after seeing the blog post on ossec.net 
> recently, and regularly exceeding the 500mb limit on Splunk free.  I'm 
> sending alerts level 3+ to logstash and 5+ to splunk still.  I spent a 
> while tweaking the logstash.conf to work with splunk format syslog output, 
> as it includes the groups. Was going to share when it was fully working, 
> but...
>
> Not all the logs are going into logstash (or at least not going in to 
> elasticsearch.)  
>
> For example, we just had a bunch of alerts from our anti-virus server.  In 
> the space of 30 seconds we had 29 events from one workstation:
>
> ** Alert 1391605348.1873086525: - trend_micro,osce,virus
> 2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
> Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
> WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: 
> SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14  
> Computer: D13800  Domain: Client pcs and laptops  File: C:\Documents and 
> Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe  Date/Time: 
> 05/02/2014 13:02:21  Result: Quarantine
>
> The only difference was the timestamp and the filename.  All 29 events 
> went into Splunk, but only 1 made it into elasticsearch (not the first 
> event, either.)  Could this be because of the syslog size limit?  There are 
> a lot more events going into logstash because of the lower alert threshold. 
> How does OSSEC group alerts when sending them by syslog?
>
> Thanks.
>
> On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote:
>>
>> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es wrote: 
>> > Hi, 
>> > 
>> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup? 
>> > We found out that the netstat -tan diff ran by syscheck gives only the 
>> > first line of the diff: 
>> > 
>> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 
>> > - Listened ports status (netstat) 
>> > 
>> > changed (new port opened or closed).; Location: local-machine-001->netstat 
>> > -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 
>> > 
>> > 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort' and it does not 
>> > show the diff output (the 2 netstat -tan outputs). 
>> > 
>> > Does anyone else have this issue and if so, how did you fix it with 
>> > (r)syslog? 
>> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and 
>> > Logstash/Kibana run on 2 separate machines. 
>> > 
>>
>> I haven't looked into this really, but I think the syslog output is 
>> limited to 1024(?)k (an old syslog limit). diffs wouldn't really 
>> transfer via syslog very well anyways, so I'm not sure they'd be worth 
>> it. 
>>
>> > Michiel 
>>
>

input {
  file {
    path => "/logs/ossec/logs/alerts/alerts.log"
    type => "ossec_alerts"
  }
}

filter {
  if [type] == "ossec_alerts" {

    multiline {
      # the asterisks must be escaped: a bare "^**" is not a valid pattern
      pattern => "^\*\* Alert"
      what => "previous"
      negate => "true"
    }

    grok {
      match => { "message" => "\nRule: (?\d+) \(level (?\d+)\) \-> '(%{DATA:Description})'\n" }
    }
    grok {
      match => { "message" => "\n(?%{YEAR} +%{MONTH} +%{MONTHDAY} %{TIME}) \((?.*?)\) (?\d+\.\d+\.\d+\.\d+)->(?.*?)\n" }
    }
    grok {
      match => { "message" =&
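
Added example, not code from this thread or from OSSEC or Logstash: a Python parser for the alerts.log block format that the grok patterns in these threads pick apart. It handles both location-line shapes (agent-reported "(host) ip->source" and server-local "host->source"), the optional "mail" flag after the alert id, the "Src IP:"/"User:" lines OSSEC prints before the original log text, multi-line log text, and the trailing comma in the group list; output field names follow the logstash output quoted above. The sample alerts are constructed from the formats shown in these threads.

```python
import re
from typing import Dict, Iterator, List

# "** Alert <epoch>.<counter>: [mail] - <comma-separated groups>"
ALERT_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?: (?P<flag>\w+))? - (?P<groups>\S*)$")
# Agent-reported event: "2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog"
LOC_AGENT_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<host>[^)]+)\) "
                          r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})->(?P<source>.+)$")
# Server-local event: "2014 Mar 08 00:00:00 ossec-server01->/var/log/auth.log"
LOC_LOCAL_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)->(?P<source>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Decoded-field lines OSSEC prints between the header and the original log text
EXTRA_RE = re.compile(r"^(?P<key>Src IP|Src Port|Dst IP|Dst Port|User): (?P<value>\S+)$")
EXTRA_NAMES = {"Src IP": "src_ip", "Src Port": "src_port", "Dst IP": "dst_ip",
               "Dst Port": "dst_port", "User": "acct"}   # names the logstash configs above use

Document = Dict[str, object]


def split_blocks(text: str) -> Iterator[List[str]]:
    """Yield each alert's lines; a block runs until the next '** Alert' line."""
    block: List[str] = []
    for line in text.splitlines():
        if line.startswith("** Alert"):
            if block:
                yield block
            block = [line]
        elif block:                 # anything before the first header is skipped
            block.append(line)
    if block:
        yield block


def parse_block(lines: List[str]) -> Document:
    """Turn one block into a flat document keyed like the logstash output in this thread."""
    while lines and not lines[-1].strip():   # separator blank lines are not message text
        lines.pop()
    if len(lines) < 3:
        raise ValueError("alert block too short: %r" % lines[:1])
    head = ALERT_RE.match(lines[0])
    loc = LOC_AGENT_RE.match(lines[1]) or LOC_LOCAL_RE.match(lines[1])
    rule = RULE_RE.match(lines[2])
    if not (head and loc and rule):
        raise ValueError("unrecognised alert header: %r" % lines[:3])
    doc: Document = {
        "timestamp_seconds": head.group("ts"),
        "mail": head.group("flag") == "mail",
        "ossec_group": [g for g in head.group("groups").split(",") if g],  # drops trailing comma
        "syslog_timestamp": loc.group("date"),
        "@fields.hostname": loc.group("host"),
        "reporting_ip": loc.groupdict().get("ip"),      # None for server-local events
        "reporting_source": loc.group("source"),
        "rule_number": int(rule.group("rule")),
        "severity": int(rule.group("level")),
        "signature": rule.group("desc"),
    }
    body_start = 3
    for i in range(3, len(lines)):
        m = EXTRA_RE.match(lines[i])
        if not m:
            break
        doc[EXTRA_NAMES[m.group("key")]] = m.group("value")
        body_start = i + 1
    doc["@message"] = "\n".join(lines[body_start:])  # original log text, may be multi-line
    return doc


def parse_alerts(text: str) -> List[Document]:
    return [parse_block(block) for block in split_blocks(text)]


# Constructed sample: the Trend Micro alert quoted in this thread plus a server-local
# sshd alert in the shape Joshua's second grok pattern handles.
SAMPLE = (
    "** Alert 1391605348.1873086525: - trend_micro,osce,virus\n"
    "2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog\n"
    "Rule: 110003 (level 5) -> 'Virus detected and Quarantined'\n"
    "WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: "
    "AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14  Computer: D13800  File: "
    "C:\\Documents and Settings\\bob.smith\\Local Settings\\Temp\\tmp0de3e9e7.exe  Result: Quarantine\n"
    "\n"
    "** Alert 1394240459.12345: mail - syslog,sshd,invalid_login,authentication_failed,\n"
    "2014 Mar 08 01:00:59 ossec-server01->/var/log/auth.log\n"
    "Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'\n"
    "Src IP: 112.65.211.164\n"
    "User: oracle\n"
    "Mar  8 01:00:59 someserver sshd[22874]: Invalid user oracle from 112.65.211.164\n")

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
```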

Re: [ossec-list] OSSEC and Nagios integration

2014-02-06 Thread Chris H
Could you do something with the syslog output?  Send the alerts you're 
interested in to syslog on the Nagios host and tail the logs from that?  
Might allow you to be a bit more selective, too.

On Wednesday, February 5, 2014 1:53:38 PM UTC, Michiel van Es wrote:
>
> To be more precise: this is the most valuable link I found: 
> http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html
> I am still interested in other peoples' implementations.
>
> Op woensdag 5 februari 2014 14:45:26 UTC+1 schreef Michiel van Es:
>>
>> Yes, First 3 hits about mail scripts (nagios exchange) and 'swatch alike 
>> scripts' but not a lot of specific setup information.
>> That is why I ask it here what people use nowadays and how their setup 
>> looks like.
>>
>> Michiel
>>
>> Op woensdag 5 februari 2014 14:32:47 UTC+1 schreef Darin Perusich:
>>>
>>> Have you asked Google? 
>>> -- 
>>> Later, 
>>> Darin 
>>>
>>>
>>> On Wed, Feb 5, 2014 at 6:47 AM, Michiel van Es wrote: 
>>> > Hello, 
>>> > 
>>> > I was wondering if someone already used the OSSEC and Nagios to 
>>> > generate alerts ? 
>>> > I have the following idea in my head: alert of level 11+ will be seen 
>>> > by a monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log 
>>> > logfile and generates an alert/trigger and sends it to Nagios. 
>>> > Nagios generates an alert, shows it on a dashboard. 
>>> > Engineer fixes the issue or filters the alert (in case of a false 
>>> > positive) and OK/ACK the alert in Nagios. 
>>> > 
>>> > Or has someone else a better idea how to integrate these 2 together? 
>>> > 
>>> > All tips are more than welcome! 
>>> > 
>>> > Michiel 
>>>
>>


Re: [ossec-list] OSSEC and syslog messages

2014-02-05 Thread Chris H
Hi.  I'm trying this setup, after seeing the blog post on ossec.net 
recently, and regularly exceeding the 500mb limit on Splunk free.  I'm 
sending alerts level 3+ to logstash and 5+ to splunk still.  I spent a 
while tweaking the logstash.conf to work with splunk format syslog output, 
as it includes the groups. Was going to share when it was fully working, 
but...

Not all the logs are going into logstash (or at least not going in to 
elasticsearch.)  

For example, we just had a bunch of alerts from our anti-virus server.  In 
the space of 30 seconds we had 29 events from one workstation:

** Alert 1391605348.1873086525: - trend_micro,osce,virus
2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: 
SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14  
Computer: D13800  Domain: Client pcs and laptops  File: C:\Documents and 
Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe  Date/Time: 
05/02/2014 13:02:21  Result: Quarantine

The only difference was the timestamp and the filename.  All 29 events went 
into Splunk, but only 1 made it into elasticsearch (not the first event, 
either.)  Could this be because of the syslog size limit?  There are a lot 
more events going into logstash because of the lower alert threshold. How 
does OSSEC group alerts when sending them by syslog?

Thanks.

On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote:
>
> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es wrote: 
> > Hi, 
> > 
> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup? 
> > We found out that the netstat -tan diff ran by syscheck gives only the 
> > first line of the diff: 
> > 
> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 
> > - Listened ports status (netstat) 
> > 
> > changed (new port opened or closed).; Location: local-machine-001->netstat 
> > -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 
> > 
> > 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort' and it does not 
> > show the diff output (the 2 netstat -tan outputs). 
> > 
> > Does anyone else have this issue and if so, how did you fix it with 
> > (r)syslog? 
> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and 
> > Logstash/Kibana run on 2 separate machines. 
> > 
>
> I haven't looked into this really, but I think the syslog output is 
> limited to 1024(?)k (an old syslog limit). diffs wouldn't really 
> transfer via syslog very well anyways, so I'm not sure they'd be worth 
> it. 
>
> > Michiel 
>


Re: [ossec-list] Alerting on mass phishing attacks

2013-12-18 Thread Chris H
Thank you.  I wasn't aware of that site.  I've raised an enhancement, 
https://bitbucket.org/jbcheng/ossec-hids/issue/64/ Hopefully there's enough 
information in there.

On Wednesday, December 18, 2013 3:53:57 PM UTC, dan (ddpbsd) wrote:
>
> On Wed, Dec 18, 2013 at 10:29 AM, Michael Starks wrote: 
> > On 2013-12-18 9:21, Chris H wrote: 
> >> 
> >> Thanks, that's kind of what I was expecting. Even same_user, or any of 
> >> the other standard decoder fields might help, as they could be misused 
> >> somewhat. 
> >> 
> >> Thanks for clarifying 
> > 
> > 
> > I think this would be pretty useful. I'll keep it in mind as we work on 
> > v3. 
> > 
>
> You should create an enhancement ticket: 
> https://bitbucket.org/jbcheng/ossec-hids/issues?status=new&status=open 
>
> I think this is a really good idea, and would love to see it in 3.0. 
>
>


Re: [ossec-list] Alerting on mass phishing attacks

2013-12-18 Thread Chris H
Thanks, that's kind of what I was expecting.  Even same_user, or any of the 
other standard decoder fields might help, as they could be misused somewhat.

Thanks for clarifying

On Wednesday, December 18, 2013 3:13:17 PM UTC, Michael Starks wrote:
>
> On 2013-12-18 2:46, Chris H wrote: 
> > Hi, Michael. Exchange 2003. I've got the Message Tracking logs. 
>
> Ok, I guess the question of the MTA was sort of irrelevant, but I was 
> curious since I have done some work for the Barracuda S&VF. 
>
> If we had options like same_subject or same_sender, like we do with 
> same_source_ip, then this would be possible, but without code changes, I 
> can't think of a way to do it in advance of knowing what the phishing 
> email is about. 
>


Re: [ossec-list] Alerting on mass phishing attacks

2013-12-18 Thread Chris H
Hi, Michael.  Exchange 2003.  I've got the Message Tracking logs.

Thanks

On Tuesday, December 17, 2013 5:32:53 PM UTC, Michael Starks wrote:
>
> On 2013-12-17 10:24, Chris H wrote: 
> > Hi. We recently experienced a mass phishing attack, and I wondered if 
> > this was something that could be detected using OSSEC. I know that I 
> > can trigger an alert based off a number of events occurring within an 
> > allotted time period, but can this be "grouped" somehow? For example, 
> > 100 emails with the same subject and sender received in 30 minutes. Is 
> > this possible in the rules? 
> > 
> > Thanks. 
>
> What MTA are you using? 
>


[ossec-list] Alerting on mass phishing attacks

2013-12-17 Thread Chris H
Hi.  We recently experienced a mass phishing attack, and I wondered if this 
was something that could be detected using OSSEC.  I know that I can 
trigger an alert based off a number of events occurring within an allotted 
time period, but can this be "grouped" somehow?  For example, 100 emails 
with the same subject and sender received in 30 minutes.  Is this possible 
in the rules?

Thanks.
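
The (sender, subject) grouping asked for here is not an OSSEC rule option, as the replies in this thread confirm, but the counting it would need is small. As an added example (not OSSEC code) here is that logic in Python: the same frequency-within-timeframe idea as an OSSEC rule, keyed on two extracted fields, with the 100 messages / 30 minutes from the question. The records it reads are a constructed tab-separated format, not the real Exchange 2003 message-tracking layout; only parse_record would need changing for that.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str]               # (sender, subject), normalised
Hit = Tuple[str, str, datetime]     # (sender, subject, time the threshold was reached)


class BurstDetector:
    """Fire when `threshold` messages with the same (sender, subject) arrive within `window`.

    Same frequency/timeframe idea as an OSSEC rule, but keyed on two extracted fields,
    which is what this thread notes OSSEC cannot do without a same_subject-style option.
    """

    def __init__(self, threshold: int = 100, window: timedelta = timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self._seen: Dict[Key, Deque[datetime]] = defaultdict(deque)

    def observe(self, when: datetime, sender: str, subject: str) -> Optional[Hit]:
        """Record one message (input must be time-ordered); return a Hit when the rule fires."""
        key = (sender.lower(), " ".join(subject.split()).lower())  # ignore case/whitespace tweaks
        q = self._seen[key]
        while q and when - q[0] > self.window:   # drop messages that fell out of the window
            q.popleft()
        q.append(when)
        if len(q) >= self.threshold:
            q.clear()                            # like OSSEC, count afresh after firing
            return (key[0], key[1], when)
        return None


def parse_record(line: str) -> Tuple[datetime, str, str]:
    """Split a constructed record '<YYYY-mm-dd HH:MM:SS>\\t<sender>\\t<recipient>\\t<subject>'.

    This is NOT the Exchange 2003 message-tracking column layout; adapt the split for it.
    """
    stamp, sender, _recipient, subject = line.rstrip("\n").split("\t", 3)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), sender, subject


def scan(lines: Iterable[str], threshold: int = 100,
         window: timedelta = timedelta(minutes=30)) -> List[Hit]:
    """Run the detector over tracking records and return every firing."""
    detector = BurstDetector(threshold, window)
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        hit = detector.observe(*parse_record(line))
        if hit:
            hits.append(hit)
    return hits


def make_sample() -> List[str]:
    """Constructed records: a 100-message phish burst inside 10 minutes, plus a newsletter
    that sends one message a minute for two hours under three rotating subjects."""
    start = datetime(2013, 12, 17, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = ["%s\tpayroll@evil.example\tuser%d@corp.example\tUrgent: Verify Your Account"
             % ((start + timedelta(seconds=6 * i)).strftime(fmt), i) for i in range(100)]
    lines += ["%s\tnews@vendor.example\tuser%d@corp.example\tWeekly digest #%d"
              % ((start + timedelta(minutes=i)).strftime(fmt), i, i % 3) for i in range(120)]
    lines.sort()   # ISO timestamps sort chronologically, which observe() relies on
    return lines


if __name__ == "__main__":
    for sender, subject, when in scan(make_sample()):
        print("%s: burst from %s with subject %r" % (when, sender, subject))
```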

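The grouping asked for in this thread (N messages with the same sender and subject inside a timeframe) is what OSSEC's frequency/timeframe options count, but the stock rule engine can only key that counter on fields such as same_source_ip, same_user or same_id, not on a decoded sender/subject pair. The script below is an added example, not code from the thread or from OSSEC: it runs the same sliding-window logic over a constructed, simplified message-tracking extract (tab-separated date, time, sender, recipient, subject; the real Exchange 2003 tracking log has many more columns) and raises one alert per burst. The column layout, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified tab-separated layout (assumption):
# date, time, sender, recipient, subject.  A real Exchange 2003 tracking log
# has many more columns; only these five matter for the grouping.
_events = [
    ("2013-12-16 09:%02d:00" % m, "payroll@example.net",
     "user%d@corp.example" % m, "Urgent: update your password")
    for m in range(12)
]
_events += [
    ("2013-12-16 09:05:00", "alice@corp.example", "bob@corp.example", "Lunch?"),
    ("2013-12-16 11:30:00", "payroll@example.net", "user99@corp.example",
     "Urgent: update your password"),
]
SAMPLE_LOG = "\n".join(
    "\t".join(e[0].split(" ", 1) + list(e[1:])) for e in sorted(_events)
)


def parse_line(line):
    """Split one tracking-log line into (timestamp, sender, recipient, subject)."""
    date, time, sender, recipient, subject = line.split("\t")
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts, sender, recipient, subject


class MassMailDetector:
    """Count messages per (sender, subject) inside a sliding timeframe.

    This is OSSEC's frequency/timeframe idea with the counter keyed on decoded
    fields that the stock same_* rule options do not offer.
    """

    def __init__(self, frequency=10, timeframe=timedelta(minutes=30)):
        self.frequency = frequency
        self.timeframe = timeframe
        self.windows = defaultdict(deque)  # key -> timestamps still inside the timeframe
        self.alerted = set()               # keys already reported for the current burst

    def feed(self, ts, sender, subject):
        """Record one message; return an alert string when the threshold is crossed."""
        key = (sender.lower(), " ".join(subject.split()).lower())
        window = self.windows[key]
        window.append(ts)
        # Expire timestamps older than the timeframe (lines are fed in time order).
        while ts - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            if key in self.alerted:
                return None  # same burst, already reported
            self.alerted.add(key)
            return "%d messages from %s with subject %r within %s" % (
                len(window), sender, subject, self.timeframe)
        self.alerted.discard(key)  # burst is over; the next one may alert again
        return None


def scan(log_text, frequency=10, timeframe_minutes=30):
    """Run the detector over a whole log and return the alerts raised, in order."""
    detector = MassMailDetector(frequency, timedelta(minutes=timeframe_minutes))
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, _recipient, subject = parse_line(line)
        alert = detector.feed(ts, sender, subject)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run against a real tracking log, the same sliding window would be fed from the decoded fields in time order; the subject is whitespace-normalised and lower-cased so that trivial variations by the sender do not split the count, and the detector reports a burst once rather than on every message past the threshold.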


[ossec-list] Re: release 2.7.1, Windows agents and profiles, and Server 2012

2013-11-15 Thread Chris H
Hi. I'll have a go at setting up a build environment following that guide, and see 
what I can come up with. 

I've installed the agent on Windows 2012; it works, but doesn't detect the OS, never 
mind the profile. I had a poke through the code, and it looked like the OS 
detection routine was just missing the reference to 2012.



[ossec-list] release 2.7.1, Windows agents and profiles, and Server 2012

2013-11-12 Thread Chris H
Hi, 

I was wondering whether the 2.7.1 release is scheduled to include a fix to 
support centralised agent profiles on Windows servers, or support to 
recognise Windows 2012?

I spent a bit of time a short while ago trying to get to the bottom of it, 
but I couldn't get it to compile.  If anyone has instructions on getting 
the build environment working under Win 7 (or Fedora) I'll have another go.

Thanks



[ossec-list] Re: OSSEC manager redundancy

2013-11-01 Thread Chris H
Hi Michiel.  Do you have any current load-balancers that you could set up a 
Virtual IP on, and point the agents to the VIP?  Or use something like 
heartbeat?  

I'm not sure how you'd sync the config, maybe store them on a mount from a 
SAN or even something like rsync to keep the secondary server up to date?

Chris

On Thursday, October 31, 2013 2:19:40 PM UTC, Michiel van Es wrote:
>
> Hello,
>
> I am planning to setup OSSEC 2.7 for my company for about 500+ servers and 
> some appliances.
> It will be running on Red Hat 5 + 6 agents mainly.
>
> There is a company policy that one server is the same as no server at all 
> (redundancy is a must in my company).
>
> Is it possible to create a redundant setup of 2 OSSEC managers, having the 
> port 1514 UDP load balanced and both servers store their entries and 
> databases/keys on a NAS or single (redundant) storage platform?
>
> Has anyone else created such a setup?
> I want to use rsync/bash scripting as little as possible to make the setup 
> easy to maintain :)
>
> Michiel
>



Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-10-23 Thread Chris H


On Friday, September 27, 2013 3:39:38 PM UTC+1, Chris H wrote:
>
>
>
> On Thursday, September 26, 2013 5:25:10 PM UTC+1, Chris H wrote:
>>
>>
>>
>> On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Thu, Sep 26, 2013 at 10:29 AM, Chris H  wrote: 
>>> > 
>>> > 
>>> > On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote: 
>>> >> 
>>> >> On Wed, Sep 25, 2013 at 8:18 AM, Chris H  
>>> wrote: 
>>> >> > An update to this.  It appears that on Windows Server 2012 the 
>>> >> > agent.conf doesn't work with OS either.  I get this in the log files, 
>>> >> > and it's not monitoring anything: 
>>> >> > 
>>> >> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided 
>>> for 
>>> >> > syscheck to monitor. 
>>> >> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled. 
>>> >> > 
>>> >> > Thanks 
>>> >> > 
>>> >> 
>>> >> 
>>> >> Look to see how OSSEC gets the OS information, and find out what 2012 
>>> >> gives. With that info we might be able to get it working. 
>>> > 
>>> > 
>>> > Thanks Dan.  I presume I'm looking for something in the logs? I've 
>>> enabled 
>>> > debug, but not seeing anything: 
>>> > 
>>>
>>> You'd have to look in the code. 
>>>
>>
>> Took a while to find the code :)
>> OK, I've not done much C dev, and not for a long time, but I think it 
>> uses GetVersionEx.  It identifies first based on major version; Vista and 
>> onwards are v6.  Then it checks for the minor version, but only 0 or 1.  2012, 
>> and presumably Win8, return minor version 2; mine shows a Version of 
>> 6.2.9200, and a Name of "Microsoft Windows Server 2012 Standard".
>>
>> Also, the code to read the agent profile seems to be in there, but I'm 
>> not sure why it's failing and showing the profile as NULL.  I'll try and 
>> add some more debug code.
>>
>
> OK, not sure whether it's me, or I've got a funny version of the code, but 
> I can't get it to compile either under Fedora or on Windows with mingw :(
>
>>
>> Thanks
>>  
>>

Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-09-27 Thread Chris H


On Thursday, September 26, 2013 5:25:10 PM UTC+1, Chris H wrote:
>
>
>
> On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Sep 26, 2013 at 10:29 AM, Chris H  wrote: 
>> > 
>> > 
>> > On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote: 
>> >> 
>> >> On Wed, Sep 25, 2013 at 8:18 AM, Chris H  wrote: 
>> >> > An update to this.  It appears that on Windows Server 2012 the 
>> >> > agent.conf doesn't work with OS either.  I get this in the log files, 
>> >> > and it's not monitoring anything: 
>> >> > 
>> >> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided 
>> for 
>> >> > syscheck to monitor. 
>> >> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled. 
>> >> > 
>> >> > Thanks 
>> >> > 
>> >> 
>> >> 
>> >> Look to see how OSSEC gets the OS information, and find out what 2012 
>> >> gives. With that info we might be able to get it working. 
>> > 
>> > 
>> > Thanks Dan.  I presume I'm looking for something in the logs? I've 
>> enabled 
>> > debug, but not seeing anything: 
>> > 
>>
>> You'd have to look in the code. 
>>
>
> Took a while to find the code :)
> OK, I've not done much C dev, and not for a long time, but I think it uses 
> GetVersionEx.  It identifies first based on major version; Vista and onwards 
> are v6.  Then it checks for the minor version, but only 0 or 1.  2012, and 
> presumably Win8, return minor version 2; mine shows a Version of 6.2.9200, 
> and a Name of "Microsoft Windows Server 2012 Standard".
>
> Also, the code to read the agent profile seems to be in there, but I'm not 
> sure why it's failing and showing the profile as NULL.  I'll try and add 
> some more debug code.
>

OK, not sure whether it's me, or I've got a funny version of the code, but 
I can't get it to compile either under Fedora or on Windows with mingw :(

>
> Thanks
>  
>

Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-09-26 Thread Chris H


On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Sep 26, 2013 at 10:29 AM, Chris H > 
> wrote: 
> > 
> > 
> > On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Sep 25, 2013 at 8:18 AM, Chris H  wrote: 
> >> > An update to this.  It appears that on Windows Server 2012 the 
> >> > agent.conf doesn't work with OS either.  I get this in the log files, 
> >> > and it's not monitoring anything: 
> >> > 
> >> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided 
> for 
> >> > syscheck to monitor. 
> >> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled. 
> >> > 
> >> > Thanks 
> >> > 
> >> 
> >> 
> >> Look to see how OSSEC gets the OS information, and find out what 2012 
> >> gives. With that info we might be able to get it working. 
> > 
> > 
> > Thanks Dan.  I presume I'm looking for something in the logs? I've 
> enabled 
> > debug, but not seeing anything: 
> > 
>
> You'd have to look in the code. 
>

Took a while to find the code :)
OK, I've not done much C dev, and not for a long time, but I think it uses 
GetVersionEx.  It identifies first based on major version; Vista and onwards 
are v6.  Then it checks for the minor version, but only 0 or 1.  2012, and 
presumably Win8, return minor version 2; mine shows a Version of 6.2.9200, 
and a Name of "Microsoft Windows Server 2012 Standard".

Also, the code to read the agent profile seems to be in there, but I'm not 
sure why it's failing and showing the profile as NULL.  I'll try and add 
some more debug code.

Thanks
 


Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-09-26 Thread Chris H


On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Sep 25, 2013 at 8:18 AM, Chris H > 
> wrote: 
> > An update to this.  It appears that on Windows Server 2012 the agent.conf 
> > doesn't work with OS either.  I get this in the log files, and it's not 
> > monitoring anything: 
> > 
> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for 
> > syscheck to monitor. 
> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled. 
> > 
> > Thanks 
> > 
>
>
> Look to see how OSSEC gets the OS information, and find out what 2012 
> gives. With that info we might be able to get it working. 
>

Thanks Dan.  I presume I'm looking for something in the logs? I've enabled 
debug, but not seeing anything:

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to 
reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.



Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-09-25 Thread Chris H
An update to this.  It appears that on Windows Server 2012 the agent.conf 
doesn't work with OS either.  I get this in the log files, and it's not 
monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for 
syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
>
> Sorry to resurrect an old thread, but is there any update to this?  I'm 
> just moving towards a centralised config, and experiencing this issue.  
> Referencing by OS or name works, but by config-profile doesn't on 
> Windows.  I've also tried the 2.7.1 beta agent, and I'm seeing the same issue.
>
> I don't know if it's relevant, but I'm seeing entries like this in the 
> agent logs if I enable debug logging:
>
> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
>
> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
>
> Thanks
>
>

Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-09-25 Thread Chris H
Sorry to resurrect an old thread, but is there any update to this?  I'm 
just moving towards a centralised config, and experiencing this issue.  
Referencing by OS or name works, but by config-profile doesn't on 
Windows.  I've also tried the 2.7.1 beta agent, and I'm seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the 
agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks


On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко 
> > 
> wrote: 
> > Is it possible to add this functionality in a future version of 
> ossec-agent 
> > for win? 
> > 
>
> Definitely. 
>
> > 
> > On Wednesday, February 27, 2013 at 10:11:21 UTC+6, Андрей Шевченко wrote: 
> >> 
> >> It looks like this feature was not included in the 
> ossec-hids/src/win32/ 
> >> I have not found any changes in the win32 sources. 
> >> 
> >> On Wednesday, February 27, 2013 at 2:01:56 UTC+6, dan (ddpbsd) wrote: 
> >>> 
> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко  
> >>> wrote: 
> >>> > I tried to add a bad option and i see that it is not being picked 
> up... 
> >>> > Like in my example, i don't see anything related to options in 
> specific 
> >>> > agent profile. 
> >>> > 
> >>> 
> >>> You could check the code repository to see if the commits enabling 
> >>> this functionality for unixy systems also enabled it for Windows. 
> >>> 
> >>> > On Tuesday, February 19, 2013 at 23:15:44 UTC+6, dan (ddpbsd) wrote: 
> >>> >> 
> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <
> dioer...@gmail.com> 
> >>> >> wrote: 
> >>> >> > osssec.conf(agent test_PC): 
> >>> >> > 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> test1 
> >>> >> >> 
> >>> >> >>  1.1.1.1 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> no 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> 
> >>> >> >>  
> >>> >> > 
> >>> >> > 
> >>> >> > 
> >>> >> > agent.conf(server): 
> >>> >> > 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> D:/ 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>   F:/ 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>   C:/ 
> >>> >> >> 
> >>> >> >>  
> >>> >> >> 
> >>> >> >>  
> >>> >> > 
> >>> >> > 
> >>> >> > ossec.log(agent): 
> >>> >> > 
> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 
> 'D:/'. 
> >>> >> >> 
> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 
> 'C:/'. 
> >>> >> > 
> >>> >> > 
> >>> >> > Disk F is not monitored. 
> >>> >> > 
> >>> >> > Equal configuration for agent under FreeBSD works fine. 
> >>> >> > 
> >>> >> > -- 
> >>> >> > 
> >>> >> 
> >>> >> You could add a bad option under that profile to see if it's being 
> >>> >> picked up, like monitoring a syslog file that doesn't actually 
> exist. 
> >>> >> 
> >>> >> Other than that, I'd try something like: 
> >>> >> 
> >>> >>  
> >>> >>  
> >>> >>   F:\.  
> >>> >>  
> >>> >>  
> >>> >> 
> >>> >> I can't test this at the moment, so I don't know for sure that it 
> will 
> >>> >> work. 
> >>> >> 
>


[ossec-list] Re: OSSEC integration into Alienvault SIEM webinar

2013-09-23 Thread Chris H
Hi Santiago.  I was doing a bit of research into this exact topic myself 
already, so perfect timing :) I've registered, but do you know if the 
presentation/video will be made available afterwards, in case I am unable 
to attend?

Thanks,
Chris

On Saturday, September 21, 2013 2:06:22 AM UTC+1, Santiago Bassett wrote:
>
> Hello everybody,
>
> I am preparing a webinar for next Tuesday (8:00am-9:00am PDT) where I plan 
> to explain how OSSEC has been integrated into AlienVault/OSSIM SIEM.
>
> My idea is to show how OSSEC can be configured and managed from 
> AlienVault GUI, as well as a few examples of OSSEC alerts correlation, 
> including automatic reliability and risk assessment.
>
> Please feel free to register for the webinar if interested, it will be a 
> pleasure for me also to answer questions by the end of the webinar. Here is 
> the link for the registration: 
> http://www.alienvault.com/marketing/ossec-webinar
>
> All the best,
>
> Santiago.
>
>



Re: [ossec-list] Daily First Time Seen

2013-06-21 Thread Chris H
Hi.  There aren't any suitable unique fields, as the same AP might appear 
multiple times.  But I can classify them in the Cisco controller, so I'm 
only alerting on unclassified rogues.  I've also added ignore="60" to the 
rule to keep the noise down somewhat.  This is what I've ended up with:


> <rule id="108999" level="8">
>   <description>Rogue Wireless Access Point discovered</description>
>   <decoded_as>snmptrap-wlc-rogue</decoded_as>
>   <match>CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress</match>
>   <group>rogue,</group>
> </rule>
>
> <!-- the archive stripped the XML tags; the element names, the levels and the
>      ignore attribute are taken from the description below, and the id of
>      this second rule is not shown in the original -->
> <rule id="..." level="10" ignore="60">
>   <description>Unclassified Rogue Wireless Access Point discovered</description>
>   <if_sid>108999</if_sid>
>   <match>cLApRogueClassType.0 = unclassified,</match>
>   <group>rogue,</group>
> </rule>

My understanding is that when the level 10 rule is ignored, the level 8 
rule should still fire; I'm only sending an email on the level 10.

Thanks

On Thursday, June 20, 2013 4:01:40 PM UTC+1, Chris H wrote:
>
> Thanks Michael, I might be able to work something out with regards to the unique 
> fts field.  Can you match on date in OSSEC?  Will have a test.
>
> Thanks.
>
> On Thursday, June 20, 2013 3:54:54 PM UTC+1, Michael Starks wrote:
>>
>> On 20.06.2013 03:10, Chris H wrote: 
>> > Hi. 
>> > 
>> > I am passing the logs from my Cisco Wireless Lan Controllers through 
>> > to OSSEC. One of the events that I am interested in is when rogue 
>> > wireless access points are detected. Unfortunately, the events are 
>> > issued for each wireless access point that detects the rogue, not 
>> > just 
>> > the controller. 
>> > 
>> > I tried using FTS, which works partially in that I can trigger an 
>> > alert just once. What I would like to be able to do is trigger an 
>> > alert just once per day, so if the same device appears the next day I 
>> > still get an alert. Is this possible? 
>> > 
>> > Thanks 
>>
>> You can change the fts criteria so that it is matching on something 
>> that is decoded and unique each time (MAC address?), or you can try 
>> deleting the entry in queue/fts/fts-queue on a daily basis. Not sure if 
>> the manager needs a restart after that, though. 
>>
>

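OSSEC's fts remembers a key for good (its state lives in queue/fts/fts-queue), which is why the thread above gets one alert per rogue and then silence. The script below is an added example, not code from the thread or from OSSEC: it shows the difference between a once-ever first-time-seen check and one keyed on (rogue MAC, calendar day), run over a constructed set of decoded trap fields (timestamp, rogue MAC, classification, detecting AP). The field names and sample values are assumptions; the real trap carries them as MIB varbinds that the decoder would have to extract.

```python
from datetime import datetime

# Constructed sample of the fields a decoder would extract from the WLC rogue
# traps (assumption): timestamp, rogue AP MAC, classification, detecting AP.
# Several APs report the same rogue within seconds, and it comes back next day.
SAMPLE_EVENTS = [
    ("2013-06-20 08:00:00", "00:11:22:33:44:55", "unclassified", "ap-floor1"),
    ("2013-06-20 08:00:01", "00:11:22:33:44:55", "unclassified", "ap-floor2"),
    ("2013-06-20 08:00:02", "00:11:22:33:44:55", "unclassified", "ap-floor3"),
    ("2013-06-20 09:15:00", "66:77:88:99:aa:bb", "friendly", "ap-floor1"),
    ("2013-06-20 17:45:00", "00:11:22:33:44:55", "unclassified", "ap-floor2"),
    ("2013-06-21 08:00:00", "00:11:22:33:44:55", "unclassified", "ap-floor1"),
    ("2013-06-21 08:00:01", "00:11:22:33:44:55", "unclassified", "ap-floor2"),
]


class FirstTimeSeen:
    """Alert the first time a key is seen.

    With the default bucket the key is remembered for good, which is how
    OSSEC's fts behaves.  Passing bucket=lambda ts: ts.date() widens the key
    with the calendar day, so the same rogue alerts again the next day.
    """

    def __init__(self, bucket=lambda ts: None):
        self.bucket = bucket
        self.seen = set()

    def check(self, key, ts):
        """Return True exactly once per (key, bucket(ts))."""
        full_key = (key, self.bucket(ts))
        if full_key in self.seen:
            return False
        self.seen.add(full_key)
        return True


def rogue_alerts(events, per_day):
    """Reduce per-AP rogue reports to one alert per rogue MAC (ever, or per day)."""
    bucket = (lambda ts: ts.date()) if per_day else (lambda ts: None)
    fts = FirstTimeSeen(bucket=bucket)
    alerts = []
    for when, mac, classification, detector in events:
        if classification != "unclassified":  # only unclassified rogues, as the thread's second rule does
            continue
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if fts.check(mac.lower(), ts):
            alerts.append((ts.date().isoformat(), mac.lower(), detector))
    return alerts


if __name__ == "__main__":
    print("once ever :", rogue_alerts(SAMPLE_EVENTS, per_day=False))
    print("once a day:", rogue_alerts(SAMPLE_EVENTS, per_day=True))
```

The once-ever variant yields a single alert for the whole sample; the per-day variant yields one on each day the rogue was seen while still collapsing the reports from the individual access points, which is the behaviour the original question asked for. Keying on the decoded MAC rather than the detecting AP is what makes the collapse work.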




Re: [ossec-list] Daily First Time Seen

2013-06-20 Thread Chris H
Thanks Michael, I might be able to work something out with regards to the unique 
fts field.  Can you match on date in OSSEC?  Will have a test.

Thanks.

On Thursday, June 20, 2013 3:54:54 PM UTC+1, Michael Starks wrote:
>
> On 20.06.2013 03:10, Chris H wrote: 
> > Hi. 
> > 
> > I am passing the logs from my Cisco Wireless Lan Controllers through 
> > to OSSEC. One of the events that I am interested in is when rogue 
> > wireless access points are detected. Unfortunately, the events are 
> > issued for each wireless access point that detects the rogue, not 
> > just 
> > the controller. 
> > 
> > I tried using FTS, which works partially in that I can trigger an 
> > alert just once. What I would like to be able to do is trigger an 
> > alert just once per day, so if the same device appears the next day I 
> > still get an alert. Is this possible? 
> > 
> > Thanks 
>
> You can change the fts criteria so that it is matching on something 
> that is decoded and unique each time (MAC address?), or you can try 
> deleting the entry in queue/fts/fts-queue on a daily basis. Not sure if 
> the manager needs a restart after that, though. 
>





[ossec-list] Daily First Time Seen

2013-06-20 Thread Chris H
Hi.

I am passing the logs from my Cisco Wireless Lan Controllers through to 
OSSEC.  One of the events that I am interested in is when rogue wireless 
access points are detected.  Unfortunately, the events are issued for each 
wireless access point that detects the rogue, not just the controller.

I tried using FTS, which works partially in that I can trigger an alert 
just once.  What I would like to be able to do is trigger an alert just 
once per day, so if the same device appears the next day I still get an 
alert.  Is this possible?

Thanks

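Added example, not code from this thread or from OSSEC: the "once per day per rogue" logic Chris is asking for, written out in Python so the behaviour is explicit. It keys on the rogue MAC (Michael's suggestion for the FTS field) plus the calendar date, which is what a nightly reset of the FTS queue approximates. The log line layout, WLC and AP names and MAC addresses below are constructed assumptions; only the cLApRogueApMacAddress and cLApRogueClassType names come from the rule fragment quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed WLC-style rogue AP lines (not from the thread). Three APs hear the
# same rogue within seconds on day one, a second rogue appears later that day,
# and the first rogue is heard again the next morning.
SAMPLE_LINES = [
    "2013-06-20T08:15:02 WLC01 AP-Floor1 CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress = 00:11:22:33:44:55 cLApRogueClassType.0 = unclassified",
    "2013-06-20T08:15:03 WLC01 AP-Floor2 CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress = 00:11:22:33:44:55 cLApRogueClassType.0 = unclassified",
    "2013-06-20T08:15:05 WLC01 AP-Floor3 CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress = 00:11:22:33:44:55 cLApRogueClassType.0 = unclassified",
    "2013-06-20T11:40:10 WLC01 AP-Floor1 CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress = aa:bb:cc:dd:ee:ff cLApRogueClassType.0 = unclassified",
    "2013-06-21T07:02:44 WLC01 AP-Floor2 CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress = 00:11:22:33:44:55 cLApRogueClassType.0 = unclassified",
]

# Assumed layout: ISO timestamp, controller, detecting AP, then the trap varbinds.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<wlc>\S+) (?P<ap>\S+) .*?cLApRogueApMacAddress = "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (timestamp, detecting AP, rogue MAC) or None if the line is not a rogue event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ap"], m["mac"].lower()


class DailyFirstSeen:
    """Alert on the first sighting of a key per calendar day (FTS with a daily reset)."""

    def __init__(self, retain_days=2):
        self._seen = set()  # {(key, date)}
        self._retain = timedelta(days=retain_days)

    def first_today(self, key, when):
        day = when.date()
        if (key, day) in self._seen:
            return False
        self._seen.add((key, day))
        # Forget entries older than the retention window so the set stays small;
        # keeping two days tolerates events that arrive slightly out of order
        # around midnight without re-alerting on them.
        cutoff = day - self._retain
        self._seen = {e for e in self._seen if e[1] >= cutoff}
        return True


def rogue_alerts(lines):
    """Return one (date, mac, first detecting AP) per rogue per day."""
    tracker = DailyFirstSeen()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ap, mac = parsed
        if tracker.first_today(mac, ts):
            alerts.append((ts.date(), mac, ap))
    return alerts


if __name__ == "__main__":
    for alert in rogue_alerts(SAMPLE_LINES):
        print(alert)
```

Run against the constructed lines this yields three alerts: the first rogue once on 2013-06-20 (the Floor2 and Floor3 sightings are suppressed), the second rogue once, and the first rogue again on 2013-06-21. Keying on the MAC rather than on the detecting AP is what collapses the per-AP duplicates.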




[ossec-list] Re: MS DHCP Logs?

2013-05-10 Thread Chris H
Adding this to an old thread in case it helps anyone else...  Instead of 
referencing each file individually, this works for me:

  
%windir%\System32\Dhcp\DhcpSrvLog-%a.log
syslog
  

From http://linux.die.net/man/3/strftime:

%a   The abbreviated weekday name according to the current locale.

HTH


On Monday, November 5, 2012 2:02:05 PM UTC, Brian Sims wrote:
>
> Unfortunately, that doesn't seem to have helped. The problem isn't when 
> initially reading the logs when the agent starts, but rather when the 
> weekly rotation for dayX takes place.
>
> Started the agent after moving the files on Friday, all are opened OK, 
> logs are being received for DHCP on the ossec server.
>
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Tue.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Wed.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Thu.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Fri.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
> 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
>
> The previous Saturday's log is rotated out for current, OSSEC agent can't 
> open it:
>
> 2012/11/03 00:01:54 ossec-agent(1117): ERROR: Error handling file 
> 'C:\DHCPLOGS\DhcpSrvLog-Sat.log' (date).
> 2012/11/03 00:01:54 ossec-agent(1103): ERROR: Unable to open file 
> 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
> 2012/11/03 00:06:22 ossec-agent(1904): INFO: File not available, ignoring 
> it: 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
>
> Same with Sunday:
>
> 2012/11/04 00:02:24 ossec-agent(1117): ERROR: Error handling file 
> 'C:\DHCPLOGS\DhcpSrvLog-Sun.log' (date).
> 2012/11/04 00:02:24 ossec-agent(1103): ERROR: Unable to open file 
> 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
> 2012/11/04 00:06:52 ossec-agent(1904): INFO: File not available, ignoring 
> it: 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
>
> And today's:
>
> 2012/11/05 00:00:13 ossec-agent(1117): ERROR: Error handling file 
> 'C:\DHCPLOGS\DhcpSrvLog-Mon.log' (date).
> 2012/11/05 00:00:13 ossec-agent(1103): ERROR: Unable to open file 
> 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
> 2012/11/05 00:04:44 ossec-agent(1904): INFO: File not available, ignoring 
> it: 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
>
> I supposed a scheduled task to restart the agent every midnight might 
> work, but that seems rather kludgey - and I'm not sure if it might miss 
> reporting events.
>
> Any other ideas?   Given that the parser is bundled into the package, can 
> only think a number of people have gotten this working...
>
>
>
> On Tuesday, October 23, 2012 3:34:47 PM UTC-4, Brian Sims wrote:
>>
>> I see there is an MS DHCP parser, but I'm not having much success in 
>> getting it to work in a stable fashion. The log file names are 
>> DhcpSrvLog-Sun.log, DhcpSrvLog-Mon.log, etc and so rotate on a weekly basis 
>> - the naming convention is not configurable.   
>>
>> The first agent config sample my google-fu turned up the following:
>>
>> 
>>   
>> %windir%\system32\dhcp\*.log
>> syslog
>>   
>> 
>>
>> That did not work as MS logs can't be wildcarded. I then added the 
>> individual log files:
>>
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Sun.log
>> syslog
>>   
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Mon.log
>> syslog
>>   
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Tue.log
>> syslog
>>   
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Wed.log
>> syslog
>>   
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Thu.log
>> syslog
>>   
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Fri.log
>> syslog
>>   
>>   
>> %windir%\system32\dhcp\Audit\DhcpSrvLog-Sat.log
>> syslog
>>   
>>
>> This seemed to work at first... but it doesn't seem to handle the 
>> rotation and dies when the next log day up is rotated.   That's the current 
>> log - and so the important one.   This occurs shortly after the nightly 
>> rotation:
>>
>> 2012/10/19 00:02:07 ossec-agent(1117): ERROR: Error handling file 
>> 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log' (date).
>> 2012/10/19 00:02:07 ossec-agent(1103): ERROR: Unable to open file 
>> 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
>> 2012/10/19 00:06:36 ossec-agent(1904): INFO: File not available, ignoring 
>> it: 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
>>
>> OSSEC seems to handle other log rotation gracefully, so not sure why this 
>> is problematic. Given there's a bundled MS DHCP parser, it'd seem that 
>> someone must have gotten this successfully working...
>>
>> TIA,
>> Brian
>>
>>
>>
>>


[ossec-list] Email alerts grouping

2013-03-04 Thread Chris H
Hello.  I am running OSSEC 2.6.  I am pushing logs from Windows Domain 
Controllers.

I only want certain level alerts to generate emails, and different alerts 
to go to different groups.  For example, all network alerts above 8 go to 
the network team, Linux alerts above 8 go to the Linux team, and ALL alerts 
above 11 come to me.  I have emails set to go through a local sendmail 
instance, with emails by default going to a "blackhole" address.  


  
> yes
> blackhole@localhost
> localhost
> ossec@...
> yes
>   
>
>   
> 4
> 6
>   
>
>   
> network@...
> syslog,cisco_ios
> 10
> 
>   
>
>   
> chris@...
> 11
> 
> 
>   
>

If a change is made to the Domain Admin group, this triggers a level 12 
alert.  However, the email comes through as "OSSEC Notification - (ADS1) 
10.10.10.10 - Alert level 10", and somewhere in this extremely long email 
is the actual alert I'm interested in.

I thought do_not_group was supposed to stop this, or have I misunderstood 
that?  Is it because too many emails are going to the "blackhole" address?  
How can I achieve what I'm trying to do?

Thanks.

Chris
 
 
 





Re: [ossec-list] Re: msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H


On Tuesday, November 6, 2012 4:58:24 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Nov 6, 2012 at 11:19 AM, Chris H > 
> wrote: 
> > 
> > 
> > On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Nov 6, 2012 at 8:17 AM, Chris H  wrote: 
> >> > OK, in further digging, it doesn't work.  It seemed to work under 
> >> > ossec-logtest, but no alerts were firing in the real world. 
> >> > 
> >> > The issue I'm having is the multiple attempts alerts are firing if 10 
> >> > logins 
> >> > fail, regardless of the user, because they all show as the SYSTEM 
> user. 
> >> > 
> >> > Thanks 
> >> > 
> >> 
> >> Which alert is firing? 
> > 
> > 
> > The alert is 18152 (Multiple Windows Logon Failures), which triggers 
> after 6 
> > events.  I've got one example email alert with 5 separate users in it! 
> > 
>
> 18152 does not require the username to be the same: 
>
>
> win_authentication_failed 
> Multiple Windows Logon Failures. 
> authentication_failures, 
>
>

I appreciate that, but based on the way it extracts the username I can't 
turn it on.  What I'd really like is 2 separate alerts, one for multiples 
of the same user, and one for different users from the same IP.  I need to 
extract the fields to be able to do this. 

>
> > Also, sometimes it will send an email over a dozen level 3 events at the 
> > top, then the level 10 event at the bottom. 
> > 
>
> That's normal. 
>
> OK 

> >> 
> >> 
> >> > 
> >> > On Tuesday, November 6, 2012 11:13:24 AM UTC, Chris H wrote: 
> >> >> 
> >> >> Hi, 
> >> >> 
> >> >> I'm passing log files from Domain Controllers via the OSSEC agent, 
> and 
> >> >> trying to refine the decoders for logon events.  As standard, the 
> event 
> >> >> logs 
> >> >> the User as SYSTEM, as this is what raises the event.  The event 
> logs 
> >> >> contain the User Name and Client IP.  I've added a new decoder to 
> >> >> local_decoder.xml, and can extract the proper username, but I'm 
> >> >> struggling 
> >> >> to capture the IP address: 
> >> >> 
> >> >> This works to extract the user name for events 672, 673 or 675 
> (which 
> >> >> seem 
> >> >> the relevant ones): 
> >> >> 
> >> >>  
> >> >> windows 
> >> >> windows 
> >> >> \((672)|(673)|(675)\) 
> >> >> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> >> >> (\S+):\.*:\s+User Name:\s+(\S+)\s+ 
> >> >> status,id,extra_data,system_name,user 
> >> >>  
> >> >> 
> >> >> 
> >> >> but this regex fails: 
> >> >> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> >> >> (\S+):\.*:\s+User 
> >> >> Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+) 
> >> >> 
> >> >> 
> >> >> 
> >> >> Any ideas?  Here are some sample logs: 
> >> >> 
> >> >> WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT 
> >> >> AUTHORITY: 
> >> >> DC04: Authentication Ticket Request:  User Name: 
>  tony.hodgson 
> >> >> Supplied Realm Name: domain.co.uk   User ID: - 
> >> >> Service Name:   krbtgt/4ucore.4ultd.co.uk   Service ID: - 
> >> >> Ticket Options: 0x40810010  Result Code:0x6 
> Ticket 
> >> >> Encryption Type: -   Pre-Authentication Type: -  Client 
> >> >> Address: 
> >> >> 10.250.0.12Certificate Issuer Name:Certificate Serial 
> >> >> Number: 
> >> >> Certificate Thumbprint: 
> >> >> 
> >> >> WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT 
> >> >> AUTHORITY: 
> >> >> DC04: Authentication Ticket Request:   User Name: 
> >> >> pas.components  Supplied Realm Name: DOMAIN   User ID: 
> >> >> %{S-1-5-21-1577433185-774302318-2220402944-3242}   Service Name: 
> >> >> krbtgt  Service ID: 
> >> >> %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket 
> Options: 
> >

Re: [ossec-list] msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H


On Tuesday, November 6, 2012 4:58:14 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Nov 6, 2012 at 11:39 AM, Chris H > 
> wrote: 
> > 
> > 
> > On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Nov 6, 2012 at 6:13 AM, Chris H  wrote: 
> >> > Hi, 
> >> > 
> >> > I'm passing log files from Domain Controllers via the OSSEC agent, 
> and 
> >> > trying to refine the decoders for logon events.  As standard, the 
> event 
> >> > logs 
> >> > the User as SYSTEM, as this is what raises the event.  The event logs 
> >> > contain the User Name and Client IP.  I've added a new decoder to 
> >> > local_decoder.xml, and can extract the proper username, but I'm 
> >> > struggling 
> >> > to capture the IP address: 
> >> > 
> >> > This works to extract the user name for events 672, 673 or 675 (which 
> >> > seem 
> >> > the relevant ones): 
> >> > 
> >> >  
> >> > windows 
> >> > windows 
> >> > \((672)|(673)|(675)\) 
> >> > ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> >> > (\S+):\.*:\s+User Name:\s+(\S+)\s+ 
> >> > status,id,extra_data,system_name,user 
> >> >  
> >> > 
> >> > 
> >> > but this regex fails: 
> >> > ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> >> > (\S+):\.*:\s+User 
> >> > Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+) 
> >> > 
> >> > 
> >> > 
> >> > Any ideas?  Here are some sample logs: 
> >> > 
> >> > WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT 
> AUTHORITY: 
> >> > DC04: Authentication Ticket Request:  User Name: 
>  tony.hodgson 
> >> > Supplied Realm Name: domain.co.uk   User ID: - 
> >> > Service Name:   krbtgt/4ucore.4ultd.co.uk   Service ID: - 
> >> > Ticket Options: 0x40810010  Result Code:0x6 
> Ticket 
> >> > Encryption Type: -   Pre-Authentication Type: -  Client 
> Address: 
> >> > 10.250.0.12Certificate Issuer Name:Certificate Serial 
> >> > Number: 
> >> > Certificate Thumbprint: 
> >> > 
> >> > WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT 
> AUTHORITY: 
> >> > DC04: Authentication Ticket Request:   User Name: 
> >> > pas.components  Supplied Realm Name: DOMAIN   User ID: 
> >> > %{S-1-5-21-1577433185-774302318-2220402944-3242}   Service Name: 
> >> > krbtgt  Service ID: 
> >> > %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket 
> Options: 
> >> > 0x40810010  Result Code:-   Ticket Encryption Type: 0x17 
> >> > Pre-Authentication Type: 2  Client Address:   172.19.83.24 
> >> > Certificate Issuer Name:Certificate Serial Number: 
> >> > Certificate 
> >> > Thumbprint: 
> >> > 
> >> > WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT 
> AUTHORITY: 
> >> > DC04: Service Ticket Request:  User Name: 
> >> > Geoff.Fisher@DOMAIN 
> >> > User Domain:DOMAIN.CO.UK  Service Name:   LSG-CBP-DC03$ 
> >> > Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611} 
> >> > Ticket Options: 0x4080  Ticket Encryption Type: 0x17 
> >> > Client Address: 172.19.84.46Failure Code:   - 
> >> > Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}   
>  Transited 
> >> > Services: - 
> >> > 
> >> > WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT 
> AUTHORITY: 
> >> > DC04: Pre-authentication failed:   User Name: W-NMAPP-01$ 
>  User 
> >> > ID: 
> >> > %{S-1-5-21-1577433185-774302318-2220402944-40192}   Service Name: 
> >> > krbtgt/DOMAIN.CO.UK   Pre-Authentication Type: 0x0 Failure 
> Code: 
> >> > 0x19  Client Address: 172.19.93.6 
> >> > 
> >> > 
> >> > Thanks. 
> >> 
> >>  
> >> windows 
> >> windows 
> >> \((672)|(673)|(675)\) 
> >> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> >> (\S+):\.*:\s+Us 
> >> er Name:\s+(\S+)\s+ 
> >> status,id,extra_data,system_name,user 
> >>  
> >> 
> >>  
> >>   windows 
> >>   windows 
> >>   Client Address:\s*(\S+) 
> >>   srcip 
> >>  
> > 
> > 
> > Thanks, that works, sort of.  It works under ossec-logtest, but when I 
> > enable these in local_decoder.xml it stops logging any events.  Without 
> it 
> > I'm getting lots logged, but without the username being calculated 
> properly. 
> > 
>
> What do you mean it "stops logging any events?"  Are you sure the 
> processes are still running? Are you getting any errors in ossec.log? 
>

I've got logall turned on.  Without those decoders added to local_decoder 
it generates alerts from Windows events, and they also appear in the 
archive log.  With them, the events only appear in the archive log.  There 
are no errors, it's just like the rules stop matching.


Re: [ossec-list] msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H


On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Nov 6, 2012 at 6:13 AM, Chris H > 
> wrote: 
> > Hi, 
> > 
> > I'm passing log files from Domain Controllers via the OSSEC agent, and 
> > trying to refine the decoders for logon events.  As standard, the event 
> logs 
> > the User as SYSTEM, as this is what raises the event.  The event logs 
> > contain the User Name and Client IP.  I've added a new decoder to 
> > local_decoder.xml, and can extract the proper username, but I'm 
> struggling 
> > to capture the IP address: 
> > 
> > This works to extract the user name for events 672, 673 or 675 (which 
> seem 
> > the relevant ones): 
> > 
> >  
> > windows 
> > windows 
> > \((672)|(673)|(675)\) 
> > ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> > (\S+):\.*:\s+User Name:\s+(\S+)\s+ 
> > status,id,extra_data,system_name,user 
> >  
> > 
> > 
> > but this regex fails: 
> > ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> (\S+):\.*:\s+User 
> > Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+) 
> > 
> > 
> > 
> > Any ideas?  Here are some sample logs: 
> > 
> > WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: 
> > DC04: Authentication Ticket Request:  User Name:  tony.hodgson 
> > Supplied Realm Name: domain.co.uk   User ID: - 
> > Service Name:   krbtgt/4ucore.4ultd.co.uk   Service ID: - 
> > Ticket Options: 0x40810010  Result Code:0x6 Ticket 
> > Encryption Type: -   Pre-Authentication Type: -  Client Address: 
> > 10.250.0.12Certificate Issuer Name:Certificate Serial 
> Number: 
> > Certificate Thumbprint: 
> > 
> > WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: 
> > DC04: Authentication Ticket Request:   User Name: 
> > pas.components  Supplied Realm Name: DOMAIN   User ID: 
> > %{S-1-5-21-1577433185-774302318-2220402944-3242}   Service Name: 
> > krbtgt  Service ID: 
> > %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 
> > 0x40810010  Result Code:-   Ticket Encryption Type: 0x17 
> > Pre-Authentication Type: 2  Client Address:   172.19.83.24 
> > Certificate Issuer Name:Certificate Serial Number: 
>  Certificate 
> > Thumbprint: 
> > 
> > WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: 
> > DC04: Service Ticket Request:  User Name: 
>  Geoff.Fisher@DOMAIN 
> > User Domain:DOMAIN.CO.UK  Service Name:   LSG-CBP-DC03$ 
> > Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611} 
> > Ticket Options: 0x4080  Ticket Encryption Type: 0x17 
> > Client Address: 172.19.84.46Failure Code:   - 
> > Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}Transited 
> > Services: - 
> > 
> > WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
> > DC04: Pre-authentication failed:   User Name: W-NMAPP-01$  User 
> ID: 
> > %{S-1-5-21-1577433185-774302318-2220402944-40192}   Service Name: 
> > krbtgt/DOMAIN.CO.UK   Pre-Authentication Type: 0x0 Failure 
> Code: 
> > 0x19  Client Address: 172.19.93.6 
> > 
> > 
> > Thanks. 
>
>  
> windows 
> windows 
> \((672)|(673)|(675)\) 
> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> (\S+):\.*:\s+Us 
> er Name:\s+(\S+)\s+ 
> status,id,extra_data,system_name,user 
>  
>
>  
>   windows 
>   windows 
>   Client Address:\s*(\S+) 
>   srcip 
>  
>

Thanks, that works, sort of.  It works under ossec-logtest, but when I 
enable these in local_decoder.xml it stops logging any events.  Without it 
I'm getting lots logged, but without the username being calculated properly.
 


Re: [ossec-list] Re: msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H


On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Nov 6, 2012 at 8:17 AM, Chris H > 
> wrote: 
> > OK, in further digging, it doesn't work.  It seemed to work under 
> > ossec-logtest, but no alerts were firing in the real world. 
> > 
> > The issue I'm having is the multiple attempts alerts are firing if 10 
> logins 
> > fail, regardless of the user, because they all show as the SYSTEM user. 
> > 
> > Thanks 
> > 
>
> Which alert is firing? 
>

The alert is 18152 (Multiple Windows Logon Failures), which triggers after 
6 events.  I've got one example email alert with 5 separate users in it!

Also, sometimes it will send an email over a dozen level 3 events at the 
top, then the level 10 event at the bottom.
 

>
> > 
> > On Tuesday, November 6, 2012 11:13:24 AM UTC, Chris H wrote: 
> >> 
> >> Hi, 
> >> 
> >> I'm passing log files from Domain Controllers via the OSSEC agent, and 
> >> trying to refine the decoders for logon events.  As standard, the event 
> logs 
> >> the User as SYSTEM, as this is what raises the event.  The event logs 
> >> contain the User Name and Client IP.  I've added a new decoder to 
> >> local_decoder.xml, and can extract the proper username, but I'm 
> struggling 
> >> to capture the IP address: 
> >> 
> >> This works to extract the user name for events 672, 673 or 675 (which 
> seem 
> >> the relevant ones): 
> >> 
> >>  
> >> windows 
> >> windows 
> >> \((672)|(673)|(675)\) 
> >> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> >> (\S+):\.*:\s+User Name:\s+(\S+)\s+ 
> >> status,id,extra_data,system_name,user 
> >>  
> >> 
> >> 
> >> but this regex fails: 
> >> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> (\S+):\.*:\s+User 
> >> Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+) 
> >> 
> >> 
> >> 
> >> Any ideas?  Here are some sample logs: 
> >> 
> >> WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT 
> AUTHORITY: 
> >> DC04: Authentication Ticket Request:  User Name:  tony.hodgson 
> >> Supplied Realm Name: domain.co.uk   User ID: - 
> >> Service Name:   krbtgt/4ucore.4ultd.co.uk   Service ID: - 
> >> Ticket Options: 0x40810010  Result Code:0x6 Ticket 
> >> Encryption Type: -   Pre-Authentication Type: -  Client 
> Address: 
> >> 10.250.0.12Certificate Issuer Name:Certificate Serial 
> Number: 
> >> Certificate Thumbprint: 
> >> 
> >> WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT 
> AUTHORITY: 
> >> DC04: Authentication Ticket Request:   User Name: 
> >> pas.components  Supplied Realm Name: DOMAIN   User ID: 
> >> %{S-1-5-21-1577433185-774302318-2220402944-3242}   Service Name: 
> >> krbtgt  Service ID: 
> >> %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 
> >> 0x40810010  Result Code:-   Ticket Encryption Type: 0x17 
> >> Pre-Authentication Type: 2  Client Address:   172.19.83.24 
> >> Certificate Issuer Name:Certificate Serial Number: 
>  Certificate 
> >> Thumbprint: 
> >> 
> >> WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT 
> AUTHORITY: 
> >> DC04: Service Ticket Request:  User Name: 
>  Geoff.Fisher@DOMAIN 
> >> User Domain:DOMAIN.CO.UK  Service Name:   LSG-CBP-DC03$ 
> >> Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611} 
> >> Ticket Options: 0x4080  Ticket Encryption Type: 0x17 
> >> Client Address: 172.19.84.46Failure Code:   - 
> >> Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}Transited 
> >> Services: - 
> >> 
> >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT 
> AUTHORITY: 
> >> DC04: Pre-authentication failed:   User Name: W-NMAPP-01$  User 
> ID: 
> >> %{S-1-5-21-1577433185-774302318-2220402944-40192}   Service Name: 
> >> krbtgt/DOMAIN.CO.UK   Pre-Authentication Type: 0x0 Failure 
> Code: 
> >> 0x19  Client Address: 172.19.93.6 
> >> 
> >> 
> >> Thanks. 
>


[ossec-list] Re: msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
OK, in further digging, it doesn't work.  It seemed to work under 
ossec-logtest, but no alerts were firing in the real world.

The issue I'm having is the multiple attempts alerts are firing if 10 
logins fail, regardless of the user, because they all show as the SYSTEM 
user.

Thanks

On Tuesday, November 6, 2012 11:13:24 AM UTC, Chris H wrote:
>
> Hi,
>
> I'm passing log files from Domain Controllers via the OSSEC agent, and 
> trying to refine the decoders for logon events.  As standard, the event 
> logs the User as SYSTEM, as this is what raises the event.  The event logs 
> contain the User Name and Client IP.  I've added a new decoder to 
> local_decoder.xml, and can extract the proper username, but I'm struggling 
> to capture the IP address:
>
> This works to extract the user name for events 672, 673 or 675 (which seem 
> the relevant ones):
>
> 
> windows
> windows
> \((672)|(673)|(675)\)
> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
> (\S+):\.*:\s+User Name:\s+(\S+)\s+
> status,id,extra_data,system_name,user
> 
>
>
> but this regex fails:
> ^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User 
> Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+)
>
>
>
> Any ideas?  Here are some sample logs:
>
> WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: 
> DC04: Authentication Ticket Request:  *User Name:  tony.hodgson*  
>  Supplied Realm Name: 
> domain.co.uk   User ID: -   Service Name:   
> krbtgt/4ucore.4ultd.co.uk   Service ID: -   Ticket Options:   
>   0x40810010  Result Code:0x6 Ticket Encryption Type: - 
>   Pre-Authentication Type: -  *Client Address: 10.250.0.12*   
>  Certificate Issuer Name:Certificate Serial Number: 
>  Certificate Thumbprint:
>
> WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: 
> DC04: Authentication Ticket Request:   *User Name: 
>  pas.components*  Supplied Realm Name: DOMAIN   User ID: 
>%{S-1-5-21-1577433185-774302318-2220402944-3242}   Service 
> Name:   krbtgt  Service ID: 
> %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 
> 0x40810010  Result Code:-   Ticket Encryption Type: 0x17   
>  Pre-Authentication Type: 2  *Client Address:   
> 172.19.83.24* Certificate Issuer Name:Certificate Serial 
> Number:  Certificate Thumbprint:
>
> WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: 
> DC04: Service Ticket Request:  User Name:  *
> Geoff.Fisher@DOMAIN*User Domain:DOMAIN.CO.UK  Service 
> Name:   LSG-CBP-DC03$   Service ID:   
> %{S-1-5-21-1577433185-774302318-2220402944-36611}Ticket Options:   
>   0x4080  Ticket Encryption Type: 0x17*Client 
> Address: 172.19.84.46*Failure Code:   -   Logon 
> GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}Transited Services: 
> -
>
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
> DC04: Pre-authentication failed:   User Name: *W-NMAPP-01$*  User 
> ID:%{S-1-5-21-1577433185-774302318-2220402944-40192}   Service 
> Name: krbtgt/DOMAIN.CO.UK   Pre-Authentication Type: 0x0 Failure 
> Code: 0x19  *Client Address: 172.19.93.6*
>
>
> Thanks.
>


[ossec-list] msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
Hi,

I'm passing log files from Domain Controllers via the OSSEC agent, and 
trying to refine the decoders for logon events.  As standard, the event 
logs the User as SYSTEM, as this is what raises the event.  The event logs 
contain the User Name and Client IP.  I've added a new decoder to 
local_decoder.xml, and can extract the proper username, but I'm struggling 
to capture the IP address:

This works to extract the user name for events 672, 673 or 675 (which seem 
the relevant ones):


windows
windows
\((672)|(673)|(675)\)
^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: 
(\S+):\.*:\s+User Name:\s+(\S+)\s+
status,id,extra_data,system_name,user



but this regex fails:
^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User 
Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+)



Any ideas?  Here are some sample logs:

WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: 
DC04: Authentication Ticket Request:  *User Name:  tony.hodgson*   
 Supplied Realm Name: domain.co.uk   User ID: - 
  Service Name:   krbtgt/4ucore.4ultd.co.uk   Service ID: -   
Ticket Options: 0x40810010  Result Code:0x6 Ticket 
Encryption Type: -   Pre-Authentication Type: -  *Client Address:   
  10.250.0.12*Certificate Issuer Name:Certificate Serial 
Number:  Certificate Thumbprint:

WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: 
DC04: Authentication Ticket Request:   *User Name: 
 pas.components*  Supplied Realm Name: DOMAIN   User ID:   
 %{S-1-5-21-1577433185-774302318-2220402944-3242}   Service 
Name:   krbtgt  Service ID: 
%{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 
0x40810010  Result Code:-   Ticket Encryption Type: 0x17   
 Pre-Authentication Type: 2  *Client Address:   172.19.83.24
* Certificate Issuer Name:Certificate Serial Number: 
 Certificate Thumbprint:

WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: 
DC04: Service Ticket Request:  User Name:  *Geoff.Fisher@DOMAIN*
   User Domain:DOMAIN.CO.UK  Service Name:   LSG-CBP-DC03$ 
  Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611}   
 Ticket Options: 0x4080  Ticket Encryption Type: 0x17   
 *Client Address: 172.19.84.46*Failure Code:   -   
Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}Transited 
Services: -

WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
DC04: Pre-authentication failed:   User Name: *W-NMAPP-01$*  User 
ID:%{S-1-5-21-1577433185-774302318-2220402944-40192}   Service 
Name: krbtgt/DOMAIN.CO.UK   Pre-Authentication Type: 0x0 Failure 
Code: 0x19  *Client Address: 172.19.93.6*


Thanks.
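Added example, not code from this thread or from OSSEC: a Python re-implementation of what the thread's two decoders end up doing (pull the real User Name and Client Address out of the message body instead of the SYSTEM account in the event header), followed by the two correlations Chris asks for later in the thread: repeated failures for one user, and several distinct users failing from one source IP. The two sample events are the thread's own with the run-on whitespace collapsed; `make_failure()` builds constructed events to exercise the correlation, and the thresholds are assumptions rather than OSSEC's `frequency` semantics. It also skips 675 events whose Failure Code is 0x19 (KDC_ERR_PREAUTH_REQUIRED), which is the normal first leg of a Kerberos AS exchange rather than a bad password and otherwise inflates failure counts.

```python
import re
from collections import defaultdict

# Two sample events from the thread, whitespace collapsed to single spaces.
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Authentication Ticket Request: User Name: tony.hodgson Supplied Realm Name: domain.co.uk "
    "User ID: - Service Name: krbtgt/4ucore.4ultd.co.uk Service ID: - Ticket Options: 0x40810010 "
    "Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.250.0.12 "
    "Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:",
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Pre-authentication failed: User Name: W-NMAPP-01$ User ID: "
    "%{S-1-5-21-1577433185-774302318-2220402944-40192} Service Name: krbtgt/DOMAIN.CO.UK "
    "Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 172.19.93.6",
]

# Header: log, status(id), source, account, domain, system name, then the message body.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): (?P<source>[^:]+): "
    r"(?P<account>[^:]+): (?P<domain>[^:]+): (?P<system_name>\S+): (?P<message>.*)$"
)
# Body fields, searched separately so the order of the fields does not matter
# (this is why the thread's single combined regex was fragile).
USER_RE = re.compile(r"User Name:\s+(\S+)")
CLIENT_RE = re.compile(r"Client Address:\s*(\S+)")
CODE_RE = re.compile(r"(?:Failure|Result) Code:\s*(\S+)")

# KDC_ERR_PREAUTH_REQUIRED: the KDC asking for pre-auth data, not a failed password.
BENIGN_CODES = {"0x19"}


def parse_event(line):
    """Return the decoded fields, or None if the line is not a WinEvtLog event."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    body = ev["message"]
    for key, rx in (("user", USER_RE), ("srcip", CLIENT_RE), ("code", CODE_RE)):
        found = rx.search(body)
        ev[key] = found.group(1) if found else None
    return ev


def make_failure(user, ip, event_id="675", code="0x18"):
    """Constructed 675-style event in the same layout, for exercising the correlation."""
    return (
        f"WinEvtLog: Security: AUDIT_FAILURE({event_id}): Security: SYSTEM: NT AUTHORITY: DC04: "
        f"Pre-authentication failed: User Name: {user} User ID: - Service Name: krbtgt/DOMAIN.CO.UK "
        f"Pre-Authentication Type: 0x0 Failure Code: {code} Client Address: {ip}"
    )


def correlate(events, same_user_threshold=6, distinct_user_threshold=3):
    """Two separate alerts: many failures for one user, and many users from one IP.

    Thresholds are assumptions chosen for the example, not OSSEC rule values."""
    per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    for ev in events:
        if ev is None or ev["status"] != "AUDIT_FAILURE" or ev["code"] in BENIGN_CODES:
            continue
        per_user[ev["user"]] += 1
        users_per_ip[ev["srcip"]].add(ev["user"])
    alerts = []
    for user, n in sorted(per_user.items()):
        if n >= same_user_threshold:
            alerts.append(("repeated_failures_same_user", user, n))
    for ip, users in sorted(users_per_ip.items()):
        if len(users) >= distinct_user_threshold:
            alerts.append(("many_users_from_one_ip", ip, len(users)))
    return alerts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["id"], ev["status"], ev["user"], ev["srcip"], ev["code"])
    # Constructed traffic: four different users failing from one host, six
    # failures for one user, and ten benign 0x19 events that must not count.
    constructed = [make_failure(f"user{i}", "172.19.80.13") for i in range(4)]
    constructed += [make_failure("tony.hodgson", "10.250.0.12") for _ in range(6)]
    constructed += [SAMPLE_EVENTS[1]] * 10
    print(correlate([parse_event(l) for l in constructed]))
```

Separating the header match from the body searches is the same shape as Dan's answer (a parent decoder plus a child for Client Address): each body field is located independently, so a field that is missing or moved in one event type does not break extraction of the others. Filtering on the Kerberos result code before counting is the caveat a practitioner would want before turning on a rule like 18152 against 675 events.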


Re: [ossec-list] email alerts - alert levels

2012-10-24 Thread Chris H
Many thanks Ryan, that sounds like it will achieve exactly what I'm after.  

Chris

On Wednesday, October 24, 2012 2:40:57 PM UTC+1, Ryan Schulze wrote:
>
>  Hi Chris,
>
> the email notification works like this: emails always get sent to the 
> global , and any granular email config is added as an additional 
> recipient of the email. 
> Our solution was to just set the global  to a email address that 
> discards mail (like blackhole or devnull). And then set up the granular 
> email notifications for the levels,groups,location, ... you want. that 
> makes the whole system behave more like you would expect (we use it so that 
> different departments get mails for their own services). 
> if you are expecting a lot of emails, you may want to set the global 
>  to a higher number to avoid grouping of multiple alerts 
> into one email.
>  
> Set up this way your config could look somewhat like this (although alerts 
> >= level 12 would go to both accounts):
>
>
>  
>  yes
> devnull@localhost
> server
> ossec@domain
>  
> ...snip...
> 
>   3
>   6
> 
> ...snip...
> 
>   account2@domain
>   cisco-ios
>   9
> 
> 
>   account1@domain
>   cisco-ios
>   12
> 
>
>  
> On 10/24/2012 8:17 AM, Chris H wrote: 
>
> Hi Dan, 
>
>  I've since realised that the cisco alerts get classified in the grouping 
> as "syslog,cisco-ios,authentication_failed,"; I initially took this as that 
> it was in multiple groups, not that it was hierarchical.  Using the 
> following config means that the alerts are being sent to account2, as well 
> as account1:
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>account1@domain</email_to>
>   <smtp_server>server</smtp_server>
>   <email_from>ossec@domain</email_from>
> </global>
> ...snip...
> <alerts>
>   <log_alert_level>3</log_alert_level>
>   <email_alert_level>6</email_alert_level>
> </alerts>
> ...snip...
> <email_alerts>
>   <email_to>account2@domain</email_to>
>   <group>syslog,cisco-ios</group>
>   <level>9</level>
> </email_alerts>
>
>  However, I'm getting all alerts above 6 going to account1@, and cisco 
> alerts above 9 going to account1@ & account2@;  what I really want is only 
> cisco alerts being emailed, and only to account2@ (although I would settle 
> for them going to both accounts).  Is there a way to have email alerts off 
> by default and only on for selected alert types?
>
>  Here is a sample from alerts.log:
>
>  2012 Oct 24 12:04:52 LOG-01->172.19.80.143
> Rule: 4724 (level 9) -> 'Failed login to the router.'
> 886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: Login 
> failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: Login 
> Authentication Failed] at 12:04:51 BST Wed Oct 24 2012
>  
>  Thanks.
>
> On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote: 
>>
>> On Wed, Oct 24, 2012 at 6:09 AM, Chris H wrote: 
>> > Hi, 
>> > 
>> > I'm trying to configure email alerts.  I want to use granular alerting, 
>> > so that specific alerts (i.e. Cisco) go to specific teams.  I only want 
>> > specific alert groups generating emails, not everything.  I've enabled 
>> > the global alerts, and tested that it works globally by adding 
>> > <email_alert_level>9</email_alert_level>.  This works fine. 
>> > 
>> > What I'm trying to do now is change it to only send alerts that match a 
>> > single group and level, and no others.  I have email_notification, 
>> > email_to and smtp_server set in the global.  I have removed 
>> > email_alert_level, and added a new email_alert 
>> > 
>> > <global>
>> >   <email_notification>yes</email_notification>
>> >   <email_to>account1@domain</email_to>
>> >   <smtp_server>server</smtp_server>
>> >   <email_from>ossec@domain</email_from>
>> > </global>
>> > ...snip... 
>> > <alerts>
>> >   <log_alert_level>3</log_alert_level>
>> > </alerts>
>> > ...snip... 
>> > <email_alerts>
>> >   <email_to>account2@domain</email_to>
>> >   <group>cisco-ios</group>
>>
>> Are you sure you have rules in a cisco-ios group? Can you provide 
>> samples of the alerts you are expecting to go to this email address? 
>>
>> >   <level>9</level>
>> > </email_alerts>
>> > 
>> > emails are being generated, but they are going to account1@domain, 
>> > rather than account2@domain. 
>> > 
>> > What am I missing? 
>> > 
>> > Thanks, 
>> > 
>> > C 
>>
>  
>  
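
The routing rule Ryan describes above (every alert at or above the global <email_alert_level> is sent to the global <email_to>; each <email_alerts> block only adds recipients, which is why a sink address is needed) worked through as an added example. This is not code from the thread or from OSSEC itself: it parses a constructed ossec.conf fragment that uses the blackhole trick and computes who is mailed for a few constructed alerts. The config values, the alert group strings and the group-matching rule (every group named in <group> must appear in the alert's group list) are this example's assumptions, not a reading of OSSEC's source.

```python
"""Model of the OSSEC e-mail routing described in this thread.

Added example, not code from the thread or from OSSEC. It reproduces the
behaviour Ryan describes on a constructed ossec.conf fragment; the config
values and the group-matching rule are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed config (assumption): the global recipient is a sink address, so
# the only mail anyone reads comes from the granular blocks below it.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>devnull@localhost</email_to>
    <smtp_server>server</smtp_server>
    <email_from>ossec@domain</email_from>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>account2@domain</email_to>
    <group>cisco-ios</group>
    <level>9</level>
  </email_alerts>
  <email_alerts>
    <email_to>account1@domain</email_to>
    <level>12</level>
  </email_alerts>
</ossec_config>
"""

SINK = "devnull@localhost"


def _groups(s):
    # OSSEC group strings look like "syslog,cisco-ios,authentication_failed,"
    # (trailing comma), so split on commas and drop empty pieces.
    return {g.strip() for g in s.split(",") if g.strip()}


def group_matches(pattern, alert_groups):
    """Assumed rule: every group named in <group> must be one of the alert's
    groups, so <group>syslog,cisco-ios</group> matches the Cisco alert."""
    return _groups(pattern) <= _groups(alert_groups)


def recipients(conf_xml, level, groups):
    """Addresses an alert with this level and group string is mailed to."""
    root = ET.fromstring(conf_xml)
    if root.findtext("global/email_notification", "no").strip() != "yes":
        return set()
    to = set()
    # 1. Global recipients: unconditional at or above <email_alert_level>
    #    (assumed 0 when the element is absent).
    if level >= int(root.findtext("alerts/email_alert_level", "0")):
        to.update(e.text.strip() for e in root.findall("global/email_to"))
    # 2. Granular blocks add recipients; they never remove the global one.
    for block in root.findall("email_alerts"):
        if level < int(block.findtext("level", "0")):
            continue
        pattern = block.findtext("group")
        if pattern and not group_matches(pattern, groups):
            continue
        to.update(e.text.strip() for e in block.findall("email_to"))
    return to


def real_recipients(conf_xml, level, groups):
    """Same, minus the sink address: who actually reads the mail."""
    return recipients(conf_xml, level, groups) - {SINK}


if __name__ == "__main__":
    # Constructed alerts; the first mirrors rule 4724 (level 9) from the thread.
    samples = [
        (9, "syslog,cisco-ios,authentication_failed,"),   # Cisco login failure
        (12, "syslog,cisco-ios,"),                         # high-severity Cisco
        (7, "syslog,sshd,authentication_failed,"),         # non-Cisco, level 7
        (5, "syslog,cisco-ios,"),                          # below every level
    ]
    for level, groups in samples:
        print(level, groups, "->", sorted(real_recipients(OSSEC_CONF, level, groups)))
```

The sink address ends up on every message at or above the global level, so it must be one the SMTP server accepts and discards rather than rejects; the level-7 sshd alert shows the cost of the trick (a message is still generated, it just goes nowhere).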

Re: [ossec-list] syslog and pfsense - logs not getting stored

2012-10-24 Thread Chris H
I've enabled debug in the config file, and nothing shows in the ossec.log. 
 Running it from the command line with ./bin/ossec-remoted -df shows 
slightly more before it drops to the background (despite -f), but nothing 
in the logs when a syslog connection comes in.  syslog definitely works, 
testing with netcat shows results coming through and going in to the 
archive log:

echo "`date`" | nc -uvvv log-01 514

Thanks.

On Wednesday, October 24, 2012 2:18:23 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 24, 2012 at 9:08 AM, Chris H wrote: 
> > I've also tried putting the IP ranges in allowed-ips, in the form 
> > 192.168.0.0/16, with the same effect.  It is definitely listening, as 
> > I've sent apache logs to it via syslog. 
> > 
> > Thanks 
> > 
>
> You could try putting the IP address of the firewall into an 
> <allowed-ips>. Possibly run ossec-remoted in debug mode to see if it 
> adds any useful logs. You could also add some logging into the 
> program, see how far the log messages make it. 
>
> > On Wednesday, October 24, 2012 1:42:48 PM UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Oct 24, 2012 at 5:48 AM, Chris H wrote: 
> >> > Hi Dan. 
> >> > 
> >> > my ossec.conf allows remote connections from any: 
> >> > <remote>
> >> >   <connection>syslog</connection>
> >> >   <allowed-ips>any</allowed-ips>
> >> > </remote>
> >> > 
> >> 
> >> I didn't know that was valid... My only advice is making sure 
> >> ossec-remoted is listening to udp/514, and actually specifying the 
> >> firewall's IP in allowed-ips. 
> >> 
> >> > I've also tried with IP ranges (192.168.0.0/16). My firewall IP is 
> >> > 192.168.1.254, and this shows up in tcpdump: 
> >> > 
> >> > 10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], 
> >> > proto UDP (17), length 226) 
> >> > 192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, 
> >> > length: 198 
> >> > Facility local0 (16), Severity info (6) 
> >> > Msg: Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags 
> >> > [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 
> >> > 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0 
> >> > 
> >> > Thanks 
> >> > 
> >> > On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Sat, Oct 20, 2012 at 6:46 AM, Chris H wrote: 
> >> >> > Hi. 
> >> >> > 
> >> >> > I've just deployed OSSEC for testing on a VM, and I'm looking to 
> >> >> > use it for log retention, as well as alerting.  I've enabled syslog 
> >> >> > and logall, and successfully got it alerting and logging from apache 
> >> >> > logs sent by syslog. 
> >> >> > But I'm having issues with pfsense. 
> >> >> > 
> >> >> > I've enabled syslog in pfsense, pointing at my ossec installation, 
> >> >> > but nothing is showing up in the archive logs.  tcpdump shows the 
> >> >> > traffic coming through to the server, as it does with any other 
> >> >> > syslog traffic, but the logs don't get stored in ossec.  Any thoughts? 
> >> >> > 
> >> >> > I know of the OSSEC for pfsense module, but I'm installing this as 
> >> >> > a proof-of-concept and want to make sure that I can get syslog 
> >> >> > working in case I have a similar issue elsewhere on something other 
> >> >> > than pfsense. 
> >> >> > 
> >> >> > Thanks. 
> >> >> 
> >> >> Did you set the correct PFSense IP in the allowed ips configuration? 
>


Re: [ossec-list] email alerts - alert levels

2012-10-24 Thread Chris H
Hi Dan,

I've since realised that the cisco alerts get classified in the grouping as 
"syslog,cisco-ios,authentication_failed,"; I initially took this as that it 
was in multiple groups, not that it was hierarchical.  Using the following 
config means that the alerts are being sent to account2, as well as 
account1:


<global>
  <email_notification>yes</email_notification>
  <email_to>account1@domain</email_to>
  <smtp_server>server</smtp_server>
  <email_from>ossec@domain</email_from>
</global>
...snip...
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>syslog,cisco-ios</group>
  <level>9</level>
</email_alerts>

However, I'm getting all alerts above 6 going to account1@, and cisco 
alerts above 9 going to account1@ & account2@;  what I really want is only 
cisco alerts being emailed, and only to account2@ (although I would settle 
for them going to both accounts).  Is there a way to have email alerts off 
by default and only on for selected alert types?

Here is a sample from alerts.log:

2012 Oct 24 12:04:52 LOG-01->172.19.80.143
Rule: 4724 (level 9) -> 'Failed login to the router.'
886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: Login 
failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: Login 
Authentication Failed] at 12:04:51 BST Wed Oct 24 2012

Thanks.

On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 24, 2012 at 6:09 AM, Chris H wrote: 
> > Hi, 
> > 
> > I'm trying to configure email alerts.  I want to use granular alerting, 
> > so that specific alerts (i.e. Cisco) go to specific teams.  I only want 
> > specific alert groups generating emails, not everything.  I've enabled 
> > the global alerts, and tested that it works globally by adding 
> > <email_alert_level>9</email_alert_level>.  This works fine. 
> > 
> > What I'm trying to do now is change it to only send alerts that match a 
> > single group and level, and no others.  I have email_notification, 
> > email_to and smtp_server set in the global.  I have removed 
> > email_alert_level, and added a new email_alert 
> > 
> > <global>
> >   <email_notification>yes</email_notification>
> >   <email_to>account1@domain</email_to>
> >   <smtp_server>server</smtp_server>
> >   <email_from>ossec@domain</email_from>
> > </global>
> > ...snip... 
> > <alerts>
> >   <log_alert_level>3</log_alert_level>
> > </alerts>
> > ...snip... 
> > <email_alerts>
> >   <email_to>account2@domain</email_to>
> >   <group>cisco-ios</group>
>
> Are you sure you have rules in a cisco-ios group? Can you provide 
> samples of the alerts you are expecting to go to this email address? 
>
> >   <level>9</level>
> > </email_alerts>
> > 
> > emails are being generated, but they are going to account1@domain, 
> > rather than account2@domain. 
> > 
> > What am I missing? 
> > 
> > Thanks, 
> > 
> > C 
>


Re: [ossec-list] syslog and pfsense - logs not getting stored

2012-10-24 Thread Chris H
I've also tried putting the IP ranges in allowed-ips, in the form 
192.168.0.0/16, with the same effect.  It is definitely listening, as I've 
sent apache logs to it via syslog.

Thanks

On Wednesday, October 24, 2012 1:42:48 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 24, 2012 at 5:48 AM, Chris H wrote: 
> > Hi Dan. 
> > 
> > my ossec.conf allows remote connections from any: 
> > <remote>
> >   <connection>syslog</connection>
> >   <allowed-ips>any</allowed-ips>
> > </remote>
> > 
>
> I didn't know that was valid... My only advice is making sure 
> ossec-remoted is listening to udp/514, and actually specifying the 
> firewall's IP in allowed-ips. 
>
> > I've also tried with IP ranges (192.168.0.0/16). My firewall IP is 
> > 192.168.1.254, and this shows up in tcpdump: 
> > 
> > 10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], 
> > proto UDP (17), length 226) 
> > 192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, 
> > length: 198 
> > Facility local0 (16), Severity info (6) 
> > Msg: Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags 
> > [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 
> > 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0 
> > 
> > Thanks 
> > 
> > On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Sat, Oct 20, 2012 at 6:46 AM, Chris H wrote: 
> >> > Hi. 
> >> > 
> >> > I've just deployed OSSEC for testing on a VM, and I'm looking to use 
> >> > it for log retention, as well as alerting.  I've enabled syslog and 
> >> > logall, and successfully got it alerting and logging from apache logs 
> >> > sent by syslog. 
> >> > But I'm having issues with pfsense. 
> >> > 
> >> > I've enabled syslog in pfsense, pointing at my ossec installation, but 
> >> > nothing is showing up in the archive logs.  tcpdump shows the traffic 
> >> > coming through to the server, as it does with any other syslog traffic, 
> >> > but the logs don't get stored in ossec.  Any thoughts? 
> >> > 
> >> > I know of the OSSEC for pfsense module, but I'm installing this as a 
> >> > proof-of-concept and want to make sure that I can get syslog working 
> >> > in case I have a similar issue elsewhere on something other than 
> >> > pfsense. 
> >> > 
> >> > Thanks. 
> >> 
> >> Did you set the correct PFSense IP in the allowed ips configuration? 
>


[ossec-list] Re: email alerts - alert levels

2012-10-24 Thread Chris H
to elaborate, ultimately what I am trying to do is send all emails from 
cisco above level 9 to one address, and all emails in general above level 
12 to another address.

Thanks

On Wednesday, October 24, 2012 11:09:58 AM UTC+1, Chris H wrote:
>
> Hi,
>
> I'm trying to configure email alerts.  I want to use granular alerting, so 
> that specific alerts (i.e. Cisco) go to specific teams.  I only want 
> specific alert groups generating emails, not everything.  I've enabled the 
> global alerts, and tested that it works globally by 
> adding 9.  This works fine.
>
> What I'm trying to do now is change it to only send alerts that match a 
> single group and level, and no others.  I have email_notification, email_to 
> and smtp_server set in the global.  I have removed email_alert_level, and 
> added a new email_alert
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>account1@domain</email_to>
>   <smtp_server>server</smtp_server>
>   <email_from>ossec@domain</email_from>
> </global>
> ...snip...
> <alerts>
>   <log_alert_level>3</log_alert_level>
> </alerts>
> ...snip...
> <email_alerts>
>   <email_to>account2@domain</email_to>
>   <group>cisco-ios</group>
>   <level>9</level>
> </email_alerts>
>
> emails are being generated, but they are going to account1@domain, rather 
> than account2@domain.
>
> What am I missing?
>
> Thanks,
>
> C
>


[ossec-list] email alerts - alert levels

2012-10-24 Thread Chris H
Hi,

I'm trying to configure email alerts.  I want to use granular alerting, so 
that specific alerts (i.e. Cisco) go to specific teams.  I only want 
specific alert groups generating emails, not everything.  I've enabled the 
global alerts, and tested that it works globally by 
adding 9.  This works fine.

What I'm trying to do now is change it to only send alerts that match a 
single group and level, and no others.  I have email_notification, email_to 
and smtp_server set in the global.  I have removed email_alert_level, and 
added a new email_alert


<global>
  <email_notification>yes</email_notification>
  <email_to>account1@domain</email_to>
  <smtp_server>server</smtp_server>
  <email_from>ossec@domain</email_from>
</global>
...snip...
<alerts>
  <log_alert_level>3</log_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>cisco-ios</group>
  <level>9</level>
</email_alerts>

emails are being generated, but they are going to account1@domain, rather 
than account2@domain.

What am I missing?

Thanks,

C


Re: [ossec-list] syslog and pfsense - logs not getting stored

2012-10-24 Thread Chris H
Hi Dan.

my ossec.conf allows remote connections from any:
  
<remote>
  <connection>syslog</connection>
  <allowed-ips>any</allowed-ips>
</remote>

I've also tried with IP ranges (192.168.0.0/16). My firewall IP is 
192.168.1.254, and this shows up in tcpdump:

10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], 
proto UDP (17), length 226)
192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, length: 
198
Facility local0 (16), Severity info (6)
Msg: Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags 
[S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 
1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0

Thanks

On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote:
>
> On Sat, Oct 20, 2012 at 6:46 AM, Chris H wrote: 
> > Hi. 
> > 
> > I've just deployed OSSEC for testing on a VM, and I'm looking to use it 
> > for log retention, as well as alerting.  I've enabled syslog and logall, 
> > and successfully got it alerting and logging from apache logs sent by 
> > syslog. 
> > But I'm having issues with pfsense. 
> > 
> > I've enabled syslog in pfsense, pointing at my ossec installation, but 
> > nothing is showing up in the archive logs.  tcpdump shows the traffic 
> > coming through to the server, as it does with any other syslog traffic, 
> > but the logs don't get stored in ossec.  Any thoughts? 
> > 
> > I know of the OSSEC for pfsense module, but I'm installing this as a 
> > proof-of-concept and want to make sure that I can get syslog working in 
> > case I have a similar issue elsewhere on something other than pfsense. 
> > 
> > Thanks. 
>
> Did you set the correct PFSense IP in the allowed ips configuration? 
>
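
Two things the exchange above turns on, whether the firewall's address passes the <allowed-ips> policy and what the pfSense datagram in the tcpdump output actually carries, as an added example. This is not OSSEC's or pfSense's code: the datagram is constructed from the tcpdump lines in the thread (facility local0 = 16 and severity info = 6 give PRI 134, and there is no hostname between the timestamp and the "pf:" tag); the <allowed-ips> forms handled ("any", a CIDR, a single host) are the ones tried in the thread, and the parsing heuristics (RFC 3164 layout, a missing hostname when the first word after the timestamp ends in a colon, a missing <PRI> as in the netcat test) are this example's own assumptions.

```python
"""Added example, not OSSEC or pfSense code: model the <allowed-ips> check
and parse the pfSense syslog datagram seen in the thread's tcpdump output."""
import ipaddress
import re

# Constructed from the tcpdump output in the thread: local0 (16) and
# info (6) give PRI = 16*8 + 6 = 134. Note the missing hostname field.
PF_DATAGRAM = (
    b"<134>Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], "
    b"cksum 0x9be1 (correct), seq 565473896, win 14600, options "
    b"[mss 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0"
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 timestamp: "Mmm dd hh:mm:ss", day space-padded, 15 characters.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d$")


def sender_allowed(src_ip, allowed_ips):
    """Model of <allowed-ips>: 'any', a CIDR (192.168.0.0/16) or one host."""
    ip = ipaddress.ip_address(src_ip)
    for entry in allowed_ips:
        entry = entry.strip()
        if entry == "any":
            return True
        # ip_network() turns a bare host address into a /32 (or /128).
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def parse_syslog(datagram):
    """Split an RFC 3164 style datagram into the fields a decoder would see.
    Tolerates a missing <PRI> (the netcat test in the thread sends none) and
    a missing hostname (what pfSense sends here)."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    out = {"facility": None, "severity": None, "timestamp": None,
           "hostname": None, "program": None, "message": text}
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        out["facility"], out["severity"] = pri // 8, pri % 8
        text = text[m.end():]
    if len(text) > 16 and TS_RE.match(text[:15]) and text[15] == " ":
        out["timestamp"] = text[:15]
        rest = text[16:]
        first, _, remainder = rest.partition(" ")
        if first.endswith(":"):
            # Heuristic: "pf: ..." straight after the timestamp means the
            # sender omitted its hostname and this word is the tag.
            out["program"] = first[:-1]
            out["message"] = remainder
        else:
            out["hostname"] = first
            tag, _, msg = remainder.partition(" ")
            out["program"] = tag.rstrip(":")
            out["message"] = msg
    else:
        # No recognisable header: keep the whole payload as the message.
        out["message"] = text
    return out


def inspect(src_ip, datagram, allowed_ips):
    """What a receiver applying <allowed-ips> would make of this datagram."""
    result = parse_syslog(datagram)
    result["accepted"] = sender_allowed(src_ip, allowed_ips)
    return result


if __name__ == "__main__":
    for policy in (["any"], ["192.168.0.0/16"], ["192.168.1.8"]):
        r = inspect("192.168.1.254", PF_DATAGRAM, policy)
        print(policy, "accepted" if r["accepted"] else "DROPPED",
              "facility", r["facility"], "host", r["hostname"], "tag", r["program"])
```

With the firewall at 192.168.1.254, both "any" and 192.168.0.0/16 accept the sender, so the policy alone does not explain the missing archive entries; the one structural oddity the parse exposes is that the pfSense message has no hostname field, which is worth checking against whatever the receiving decoder expects.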


[ossec-list] syslog and pfsense - logs not getting stored

2012-10-20 Thread Chris H
Hi.

I've just deployed OSSEC for testing on a VM, and I'm looking to use it for 
log retention, as well as alerting.  I've enabled syslog and logall, and 
successfully got it alerting and logging from apache logs sent by syslog. 
 But I'm having issues with pfsense.

I've enabled syslog in pfsense, pointing at my ossec installation, but 
nothing is showing up in the archive logs.  tcpdump shows the traffic 
coming through to the server, as it does with any other syslog traffic, but 
the logs don't get stored in ossec.  Any thoughts?

I know of the OSSEC for pfsense module, but I'm installing this as a 
proof-of-concept and want to make sure that I can get syslog working in 
case I have a similar issue elsewhere on something other than pfsense.

Thanks.