Re: [ossec-list] AnaLogi login page?

2013-10-11 Thread Dimitri Yioulos
On Friday 11 October 2013 12:53:21 pm Richard McAlexander 
wrote:
 I have AnaLogi installed and one thing that seems odd is
 that there's no login page. I haven't had much time spend
 researching, but there also doesn't seem to be much in
 the way of documentation. Is there a way to enable a
 login page? Or am I just wrong in the assumption that
 there should be a login page? Thank you very much!

 --

 ---
 You received this message because you are subscribed to
 the Google Groups ossec-list group. To unsubscribe from
 this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com. For
 more options, visit
 https://groups.google.com/groups/opt_out.


I have Analogi installed, too, and to the best of my 
knowledge, there's no login page.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: [ossec-list] repeated_offenders not working

2013-03-12 Thread Dimitri Yioulos
On Tuesday 12 March 2013 11:22:24 am Martin Gottlieb wrote:
 Hello,

 I have added the repeated_offenders configuration block
 to all of my agents and the server as follows:

 <active-response>
   <repeated_offenders>120,180,240</repeated_offenders>
 </active-response>

 When I restart OSSEC on the agent, I do see the messages
 indicating that it recognizes the settings:

 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
 timeout: 120 (for #1)
 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
 timeout: 180 (for #2)
 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders
 timeout: 240 (for #3)

 However, I continue to see repeated attacks where the
 blocking is deleted after the default 60 minutes each
 time:

 Tue Mar 12 04:02:23 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh add -
 209.190.64.19 1363075343.32232753 5720
 Tue Mar 12 05:02:55 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh delete -
 209.190.64.19 1363075343.32232753 5720
 Tue Mar 12 05:45:03 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh add -
 209.190.64.19 1363081503.103380375 5712
 Tue Mar 12 06:46:19 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh delete -
 209.190.64.19 1363081503.103380375 5712
 Tue Mar 12 06:47:26 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh add -
 209.190.64.19 1363085246.126982032 5712
 Tue Mar 12 07:48:42 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh delete -
 209.190.64.19 1363085246.126982032 5712
 Tue Mar 12 08:02:53 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh add -
 209.190.64.19 1363089773.151565087 5712
 Tue Mar 12 09:04:16 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh delete -
 209.190.64.19 1363089773.151565087 5712
 Tue Mar 12 09:05:23 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh add -
 209.190.64.19 1363093523.180046077 5712
 Tue Mar 12 10:06:19 EDT 2013
 /var/ossec/active-response/bin/firewall-drop.sh delete -
 209.190.64.19 1363093523.180046077 5712

 The only solution I've seen to this issue is to make sure
 this is configured on the agent side, not the server.  As
 I mentioned, I have done this.
 I am running OSSEC 2.6 on the server and all agents.

 Am I missing something?

 thanks.

 Martin

 PS.  Sorry if this is a duplicate posting, I tried
 posting through the web interface and it didn't show up.



For what it's worth, I have the same problem

Dimitri

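The symptom in this thread (every block removed after the default timeout, with no escalation) is easiest to confirm by pairing the add/delete lines in active-responses.log and comparing each block's length with the sequence OSSEC should apply: the <timeout> of the active-response first, then each repeated_offenders value in turn. The script below is an added example, not part of the thread or of OSSEC; the log lines are constructed in the one-line format the thread shows (TEST-NET addresses), and it assumes the last repeated_offenders value is kept once the list is exhausted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of active-responses.log: one line per event, in the order
# date, script, action, user, srcip, alert id, rule id. Made-up values.
SAMPLE_LOG = """\
Tue Mar 12 04:02:23 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1363085246.126982032 5712
Tue Mar 12 01:00:00 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1363064400.1 5712
Tue Mar 12 02:00:10 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.9 1363064400.1 5712
Tue Mar 12 03:00:00 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1363071600.2 5712
Tue Mar 12 05:00:20 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.9 1363071600.2 5712
Tue Mar 12 06:00:00 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1363082400.3 5712
Tue Mar 12 09:00:15 EDT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.9 1363082400.3 5712
"""

# The timezone token (EDT) is skipped on purpose: strptime's %Z only knows a
# few names, and the offset does not matter for durations within one file.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) \S+ (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


def parse_line(line):
    """Parse one active-responses.log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"when": when, "script": m["script"], "action": m["action"],
            "ip": m["ip"], "alert_id": m["alert_id"]}


def block_durations(log_text):
    """Pair each 'add' with the 'delete' carrying the same script, ip and
    alert id; return {ip: [minutes blocked, ...]} in log order."""
    open_blocks = {}
    durations = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["script"], ev["ip"], ev["alert_id"])
        if ev["action"] == "add":
            open_blocks[key] = ev["when"]
        elif key in open_blocks:
            started = open_blocks.pop(key)
            durations[ev["ip"]].append(
                round((ev["when"] - started).total_seconds() / 60, 1))
    return dict(durations)


def expected_timeouts(n, default_timeout, repeated_offenders):
    """Timeouts (minutes) the 1st..nth block of one IP should get: the
    active-response <timeout> first, then the repeated_offenders values.
    Assumption: after the list is exhausted the last value is kept."""
    seq = [default_timeout] + list(repeated_offenders)
    return [seq[min(i, len(seq) - 1)] for i in range(n)]


def check_escalation(log_text, default_timeout=60,
                     repeated_offenders=(120, 180, 240), tolerance=5):
    """{ip: [(observed_minutes, expected_minutes, ok), ...]}; a block that
    is shorter than its expected timeout (the thread's symptom) gets ok=False."""
    report = {}
    for ip, observed in block_durations(log_text).items():
        expected = expected_timeouts(len(observed), default_timeout,
                                     repeated_offenders)
        report[ip] = [(o, e, abs(o - e) <= tolerance)
                      for o, e in zip(observed, expected)]
    return report


def not_escalating(log_text, **kwargs):
    """IPs for which at least one block did not get its expected timeout."""
    return sorted(ip for ip, rows in check_escalation(log_text, **kwargs).items()
                  if not all(ok for _, _, ok in rows))


if __name__ == "__main__":
    for ip, rows in check_escalation(SAMPLE_LOG).items():
        for n, (observed, expected, ok) in enumerate(rows, 1):
            print(f"{ip} block #{n}: {observed:6.1f} min, expected {expected:3d}"
                  f" -> {'ok' if ok else 'NOT ESCALATING'}")
```

Run it against a copy of /var/ossec/active-response/active-responses.log with the default_timeout and repeated_offenders values from your ossec.conf; an IP that only ever gets default-length blocks is the sign the setting was not picked up on the host running the response.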




Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Dimitri Yioulos
On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
 On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
  Anyone have any ideas on this?
 
  All,
 
  Back at the end of last year, I asked about using the repeated-offenders
  feature
  in OH.  I added the following directives to ossec.conf on the host that
  I want this to work in:
 
   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>
  
   <active-response>
     <!-- This response is going to execute the host-deny
        - command for every event that fires a rule with
        - level (severity) >= 6.
        - The IP is going to be blocked for 600 seconds.
       -->
     <command>host-deny</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>
 
  Despite that, it's not working.  Ossec reports the following:
 
  OSSEC HIDS Notification.
  2012 Mar 07 09:08:16
 
  Received From: (plymouth) 192.168.1.2-/var/log/messages
  Rule: 40111 fired (level 10) - Multiple authentication failures.
  Portion of the log(s):
 
  Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod
  host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
  ...
 
  However, rather than OH invoking repeated-offenders, and blocking the
  offender for 600 seconds, I continue to see the offender make attempts
  on the host.
 
  What am I missing here?

 Can you get onto the server when the block should be in effect?

 If so, what do you see in /etc/hosts.deny and from iptables -L?

 At the time the blocks should be taking place, do you see anything in
 /var/log/messages or /var/ossec/logs/active-responses.log?

 Are you running SELinux in enforcing mode?


 --
 -- Steve


Steve,

Thanks for your response.  By grepping for the offending IP addy 
in /var/ossec/logs/active-responses.log, I saw that host-deny.sh add 
and firewall-drop.sh  add were fired.  Ten minutes later, host-deny.sh 
delete and firewall-drop.sh  delete were fired.  So, it appears that 
repeated-offenders is working.  I just didn't know where to look.  I guess I'd 
like an email notification when the blocks/unblocks are fired.  How/where do I 
enable that?

Again, thanks.

Dimitri




[ossec-list] Repeated-offenders still not working

2012-03-07 Thread Dimitri Yioulos
All,

Back at the end of last year, I asked about using the repeated-offenders 
feature 
in OH.  I added the following directives to ossec.conf on the host that I want 
this to work in:

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

Despite that, it's not working.  Ossec reports the following:

OSSEC HIDS Notification.
2012 Mar 07 09:08:16

Received From: (plymouth) 192.168.1.2-/var/log/messages
Rule: 40111 fired (level 10) - Multiple authentication failures.
Portion of the log(s):

Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod 
host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
...

However, rather than OH invoking repeated-offenders, and blocking the offender 
for 600 seconds, I continue to see the offender make attempts on the host.

What am I missing here?

Thanks.

Dimitri




Re: [ossec-list] ossec 2.6 repeated offenders not working

2011-12-30 Thread Dimitri Yioulos
On Thursday 29 December 2011 5:35:44 pm Rainer wrote:
   Does the repeated offenders option get recognized? (you
   should see messages about it in ossec.log)
  
   No, nothing about repeated offenders in ossec.log
 
  Then it didn't get picked up when you restarted the ossec
  processes.
 
  You should see something like this (from another thread):
  ossec-execd: INFO: Adding offenders timeout: 30 (for #1)

 hm, nothing. I'll try to play around with the place of the
 statement like you suggested below.

  The first time an IP is blocked it should be blocked for the
  default timeout period (you have 900 set). After this time
  period the IP will be unblocked. The next time it is blocked
  it will be blocked for the first repeated offenders timeout
  (30 minutes in your example).

 So the next time is whenever an attack comes from this IP
 again? My understanding of you is that there is no timeout. If
 the next attack from that IP would be in 4 weeks, repeated
 offenders would be triggered. right?

  I don't know if the order matters in this case, but you could
  try moving the repeated_offenders configuration to after the
  default timeout.

I'm now jumping into this thread because I realize that repeat 
offenders isn't working for me either.  I see the pertinent 
directives for repeat offenders in ossec.conf on the ossec 
server, but not on the box where the offense is taking place.  
Does the directive belong there?

Thanks.

Dimitri




Re: [ossec-list] ossec 2.6 repeated offenders not working

2011-12-30 Thread Dimitri Yioulos
Thanks, Dan.  Is anything else required other than to add the 
directives to ossec.conf on the agent?

Dimitri


On Friday 30 December 2011 8:48:15 am dan (ddp) wrote:
 It belongs on the system that does the AR, most likely the
 agent.

 On Dec 30, 2011 8:42 AM, Dimitri Yioulos 
dyiou...@onpointfc.com wrote:
  On Thursday 29 December 2011 5:35:44 pm Rainer wrote:
 Does the repeated offenders option get recognized?
 (you should see messages about it in ossec.log)

 No, nothing about repeated offenders in ossec.log
   
Then it didn't get picked up when you restarted the ossec
processes.
   
You should see something like this (from another thread):
ossec-execd: INFO: Adding offenders timeout: 30 (for
#1)
  
   hm, nothing. I'll try to play around with the place of the
   statement like you suggested below.
  
The first time an IP is blocked it should be blocked for
the default timeout period (you have 900 set). After this
time period the IP will be unblocked. The next time it is
blocked it will be blocked for the first repeated
offenders timeout (30 minutes in your example).
  
   So the next time is whenever an attack comes from this
   IP again? My understanding of you is that there is no
   timeout. If the next attack from that IP would be in 4
   weeks, repeated offenders would be triggered. right?
  
I don't know if the order matters in this case, but you
could try moving the repeated_offenders configuration to
after the default timeout.
 
  I'm now jumping into this thread because I realize that
  repeat offenders isn't working for me either.  I see the
  pertinent directives for repeat offenders in ossec.conf on
  the ossec server, but not on the box where the offense is
  taking place. Does the directive belong there?
 
  Thanks.
 
  Dimitri
 






Re: [ossec-list] ossec 2.6 repeated offenders not working

2011-12-30 Thread Dimitri Yioulos
Thanks much, and to you and all have a very happy new year!


On Friday 30 December 2011 4:49:51 pm dan (ddp) wrote:
 On Fri, Dec 30, 2011 at 12:54 PM, Dimitri Yioulos

 dyiou...@onpointfc.com wrote:
  Thanks, Dan.  Is anything else required other than to add the
  directives to ossec.conf on the agent?
 
  Dimitri

 Not that I'm aware of, but I don't do much with
 repeated_offenders

  On Friday 30 December 2011 8:48:15 am dan (ddp) wrote:
  It belongs on the system that does the AR, most likely the
  agent.
 
  On Dec 30, 2011 8:42 AM, Dimitri Yioulos
 
  dyiou...@onpointfc.com wrote:
   On Thursday 29 December 2011 5:35:44 pm Rainer wrote:
  Does the repeated offenders option get recognized?
  (you should see messages about it in ossec.log)
 
  No, nothing about repeated offenders in ossec.log

 Then it didn't get picked up when you restarted the
 ossec processes.

 You should see something like this (from another
 thread): ossec-execd: INFO: Adding offenders timeout:
 30 (for #1)
   
hm, nothing. I'll try to play around with the place of
the statement like you suggested below.
   
 The first time an IP is blocked it should be blocked
 for the default timeout period (you have 900 set).
 After this time period the IP will be unblocked. The
 next time it is blocked it will be blocked for the
 first repeated offenders timeout (30 minutes in your
 example).
   
So the next time is whenever an attack comes from
this IP again? My understanding of you is that there is
no timeout. If the next attack from that IP would be in
4 weeks, repeated offenders would be triggered. right?
   
 I don't know if the order matters in this case, but
 you could try moving the repeated_offenders
 configuration to after the default timeout.
  
   I'm now jumping into this thread because I realize that
   repeat offenders isn't working for me either.  I see the
   pertinent directives for repeat offenders in ossec.conf
   on the ossec server, but not on the box where the offense
   is taking place. Does the directive belong there?
  
   Thanks.
  
   Dimitri
  
 






[ossec-list] Stop particular alert

2011-10-19 Thread Dimitri Yioulos
All,

It's a bit embarrassing that I can't figure out how to stop this 
particular alert, but I don't know how.  Here's the situation:

I have Sophos anti-virus installed on some of my Linux boxes.  I 
keep getting Ossec alerts like the following:

2011 Oct 19 11:21:59 Rule Id: 1002 level: 2
Location: (plymouth) 192.168.1.2-/var/log/messages
Unknown problem somewhere in the system.
Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan 
details: master boot records scanned: 0, boot records scanned: 0, 
files scanned: 3, scan errors: 0, viruses detected: 0, infected 
files detected: 0

Obviously, I don't want this event to alert.  What do I have to do 
in Ossec to prevent this specific alert?

Many thanks.

Dimitri




Re: [ossec-list] Stop particular alert

2011-10-19 Thread Dimitri Yioulos
Dan,

I fixed the fatal flaws, and it does work.  Many thanks!

Dimitri


On Wednesday 19 October 2011 2:46:24 pm dan (ddp) wrote:
 Write a rule.

   <rule id="SET_AN_ID" level="O">
     <if_sid>1002</if_sid>
     <match>scan errors: 0, viruses detected: 0, infected files
     detected: 0</match>
     <description>All is well.</description>
   </rule>

 This one has fatal flaws, but if fixed it works.

 On Wed, Oct 19, 2011 at 2:34 PM, Dimitri Yioulos 
dyiou...@onpointfc.com wrote:
  All,
 
  It's a bit embarrassing that I can't figure out how to stop
  this particular alert, but I don't know how.  Here's the
  situation:
 
  I have Sophos anti-virus installed on some of my Linux boxes.
   I keep getting Ossec alerts like the following:
 
  2011 Oct 19 11:21:59 Rule Id: 1002 level: 2
  Location: (plymouth) 192.168.1.2-/var/log/messages
  Unknown problem somewhere in the system.
  Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan
  details: master boot records scanned: 0, boot records
  scanned: 0, files scanned: 3, scan errors: 0, viruses
  detected: 0, infected files detected: 0
 
  Obviously, I don't want this event to alert.  What do I have
  to do in Ossec to prevent this specific alert?
 
  Many thanks.
 
  Dimitri
 



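Dan's rule is posted with its flaws left in as an exercise. The added example below (not from the thread or from OSSEC) is a small checker for the three things I would look for before loading a local rule like this: a numeric id in the local rule range, an integer level (a letter O is not a zero), and a <match> that does not span lines. It also shows, with the savd line from the alert, why a level 0 child of rule 1002 silences the clean-scan message but not a line reporting a detection. The fixed rule's id is a constructed value; <match> is treated as a plain substring, a simplification of OSSEC's pattern syntax that holds for this pattern.

```python
import xml.etree.ElementTree as ET

# The rule as posted in the thread, flaws included.
FLAWED_RULE = """\
<rule id="SET_AN_ID" level="O">
  <if_sid>1002</if_sid>
  <match>scan errors: 0, viruses detected: 0, infected files
  detected: 0</match>
  <description>All is well.</description>
</rule>
"""

# The same rule with the flaws fixed. 100100 is a constructed id inside the
# range OSSEC reserves for local rules (100000-119999).
FIXED_RULE = """\
<rule id="100100" level="0">
  <if_sid>1002</if_sid>
  <match>scan errors: 0, viruses detected: 0, infected files detected: 0</match>
  <description>Sophos savd on-demand scan finished clean.</description>
</rule>
"""

# The log line from the alert in the thread, and a constructed variant
# reporting a detection that must still alert.
SAVD_CLEAN = ("Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan details: "
              "master boot records scanned: 0, boot records scanned: 0, files "
              "scanned: 3, scan errors: 0, viruses detected: 0, infected files detected: 0")
SAVD_INFECTED = SAVD_CLEAN.replace("viruses detected: 0, infected files detected: 0",
                                   "viruses detected: 1, infected files detected: 1")

LOCAL_RULE_IDS = range(100000, 120000)


def lint_rule(xml_text):
    """Return the list of problems found in one <rule> element (empty = clean)."""
    rule = ET.fromstring(xml_text)
    if rule.tag != "rule":
        return [f"root element is <{rule.tag}>, expected <rule>"]
    problems = []
    rid = rule.get("id", "")
    if not rid.isdigit():
        problems.append(f"id {rid!r} is not numeric")
    elif int(rid) not in LOCAL_RULE_IDS:
        problems.append(f"id {rid} is outside the local rule range 100000-119999")
    level = rule.get("level", "")
    if not level.isdigit() or not 0 <= int(level) <= 16:
        problems.append(f"level {level!r} must be an integer 0-16 (letter O is not zero)")
    for sid in rule.findall("if_sid"):
        if not all(p.strip().isdigit() for p in (sid.text or "").split(",")):
            problems.append(f"if_sid {sid.text!r} must be comma-separated rule ids")
    for m in rule.findall("match"):
        if "\n" in (m.text or ""):
            problems.append("match pattern contains a line break, which no single log line has")
    if rule.find("description") is None:
        problems.append("missing <description>")
    return problems


def suppresses(xml_text, log_line):
    """Runtime view of the rule: the child of 1002 fires when its <match>
    text occurs in the log line, and firing at level 0 silences the alert."""
    rule = ET.fromstring(xml_text)
    pattern = rule.findtext("match") or ""
    return pattern in log_line and rule.get("level") == "0"


if __name__ == "__main__":
    for name, text in (("flawed", FLAWED_RULE), ("fixed", FIXED_RULE)):
        print(name, lint_rule(text) or "ok")
    print("clean scan suppressed:", suppresses(FIXED_RULE, SAVD_CLEAN))
    print("infected scan suppressed:", suppresses(FIXED_RULE, SAVD_INFECTED))
```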



[ossec-list] Re: Preventing locally triggered rule

2009-01-08 Thread Dimitri Yioulos

Hi, Rick.

Much to my chagrin, I noticed that my version of OH was 1.4.  I think (that 
being the operative word) that accepting CIDR notations other than 8, 16, 24, 
and 32 wasn't implemented in OH until a later version.  Anyway, I upgraded 
to version 1.6, used <srcip>192.168.100.0/22</srcip>, my users are pinging 
away, and I'm not getting any more notifications!

Thanks so much for your help and patience.

Dimitri


On Wednesday 07 January 2009 4:48 pm, McClinton, Rick wrote:
 Hi Dmitri.

 Source diving in the snapshot release,
 ossec-hids-081212/src/shared/validate_op.c shows it understands a /22 as:

 _netmasks[22] = 0xFC00;

 Which should be OK, but I guess there could still be bugs. I didn't do the
 CVS diving to see when this was added so I don't know that your source code
 is the same.

 How about using chunks, you can have multiple srcip tags in the rule.

 <srcip>192.168.100.0/24</srcip>
 <srcip>192.168.100.1/24</srcip>
 <srcip>192.168.100.2/24</srcip>
 <srcip>192.168.100.3/24</srcip>

 Also, have you tried your rule against ossec-logtest -f?

 c.f. http://www.ossec.net/dcid/?p=136

 Rick



 -Original Message-
 From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
 Behalf Of Dimitri Yioulos Sent: Wednesday, January 07, 2009 3:53 PM
 To: ossec-list@googlegroups.com
 Subject: [ossec-list] Re: Preventing locally triggered rule
 Importance: Low


 Thanks very much, Rick!

 I checked the docs for any information on srcip, and also googled, but came
 up relatively empty.  So, I took the rule you so kindly provided, and
 included:

 <srcip>192.168.100.0/22</srcip>

 But, that didn't work.  I read somewhere (regarding whitelisting, I think)
 that OH doesn't like CIDR notations other than 8, 16, 24, and 32.  Nowhere
 have I seen that I can use the actual subnet mask (in our case,
 255.255.252.0).

 It would be a PITA to have to enter all of the workstations I want to filter
 out and, of course, there's DHCP to deal with.

 Any idea how I might be able to deal with this?

 Dimitri




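Two things in this thread (and in the 2006 white_list thread further down, which hit the same /8, /16, /24, /32 restriction) are easy to get wrong by hand: what netmask a /22 actually is, and which /24 chunks cover it when only those prefix lengths are accepted. The added example below, not from the thread or from OSSEC, computes the mask the way a table like _netmasks[] would hold it, tests a source address against a CIDR block the way an <srcip> match does, and splits a block into the smallest supported chunks with the boundaries computed rather than typed (the four /24s inside 192.168.100.0/22 are .100.0, .101.0, .102.0 and .103.0).

```python
import ipaddress

# Prefix lengths the OSSEC versions discussed in the thread accepted.
OSSEC_LEGACY_PREFIXES = (8, 16, 24, 32)


def prefix_to_mask(prefix):
    """Netmask for a prefix length as a 32-bit integer (the value a lookup
    table indexed by prefix length holds), e.g. 22 -> 0xFFFFFC00."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_dotted(mask):
    """0xFFFFFC00 -> '255.255.252.0', the form the thread quotes."""
    return str(ipaddress.IPv4Address(mask))


def ip_in_cidr(ip, cidr):
    """<srcip>-style test: is ip inside cidr once the mask is applied to both?"""
    net_str, _, plen = cidr.partition("/")
    mask = prefix_to_mask(int(plen) if plen else 32)
    return (int(ipaddress.IPv4Address(ip)) & mask) == \
           (int(ipaddress.IPv4Address(net_str)) & mask)


def split_to_supported(cidr, supported=OSSEC_LEGACY_PREFIXES):
    """Rewrite one block as the list of blocks whose prefix length is the
    smallest supported length >= the original: a /22 becomes four /24s,
    a /30 becomes four /32s. strict=False accepts a host address as input."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    target = min(p for p in supported if p >= net.prefixlen)
    return [str(sub) for sub in net.subnets(new_prefix=target)]


def srcip_entries(cidr):
    """The <srcip> lines to paste into a rule for a block that cannot be
    expressed directly."""
    return [f"<srcip>{chunk}</srcip>" for chunk in split_to_supported(cidr)]


if __name__ == "__main__":
    print(hex(prefix_to_mask(22)), mask_to_dotted(prefix_to_mask(22)))
    print("\n".join(srcip_entries("192.168.100.0/22")))
```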



[ossec-list] Preventing locally triggered rule

2009-01-07 Thread Dimitri Yioulos

Hello to all, and a most Happy New Year!

I'm not sure if the subject of my post is accurate, but here's what I'm after.

Our Web server has been set up as a conduit by which to ping GPS devices via 
our business application.  When any of our LAN hosts do a ping, I get the 
following notification from OH:

OSSEC HIDS Notification.
2009 Jan 06 16:04:36

Received From: (hingham) 192.168.1.3-/etc/httpd/logs/access_log
Rule: 31151 fired (level 10) - Mutiple web server 400 error codes from same 
source ip.
Portion of the log(s):

72.93.103.87 - - [06/Jan/2009:16:04:34 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:04:34 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:04:17 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:04:17 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:04:01 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:04:01 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:03:34 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:03:34 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:03:10 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder
72.93.103.87 - - [06/Jan/2009:16:03:10 -0500] GET /rci/rci_command_563.txt 
HTTP/1.1 404 8611 - PowerBuilder



 --END OF NOTIFICATION

I'd like to prevent the rule being triggered by our LAN hosts (or, at least, 
stop the notifications).  I whitelisted various hosts in ossec.conf, but that 
didn't work (and I probably don't really get the true purpose of 
whitelisting, to boot).   Can someone help me out?

Thanks.

Dimitri




[ossec-list] Re: OSSEC Web Interface

2008-06-26 Thread Dimitri Yioulos

Agreed.

On Wednesday 25 June 2008 4:05 pm, Herb Steck wrote:
 MySQL.

 But there is already a web interface, so why not work off of that and make
 it better?

 -Original Message-
 From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On
 Behalf Of Adriel Desautels
 Sent: Wednesday, June 25, 2008 3:00 PM
 To: ossec-list@googlegroups.com
 Subject: [ossec-list] Re: OSSEC Web Interface

 I don't see why not. I'm not much of a developer myself, so I'd most
 probably need some help heading this off. First I need to understand how
 OSSEC interfaces with what database. Anyone know?

 Regards,
   Adriel T. Desautels
   Chief Technology Officer
   Netragard, LLC.
   Office : 617-934-0269
   Mobile : 617-633-3821
   http://www.linkedin.com/pub/1/118/a45

   Join the Netragard, LLC. Linked In Group:
   http://www.linkedin.com/e/gis/48683/0B98E1705142

 ---
 Netragard, LLC - http://www.netragard.com  -  We make IT Safe
 Penetration Testing, Vulnerability Assessments, Website Security

 Netragard Whitepaper Downloads:
 ---
 Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you
 must know  : http://tinyurl.com/26pjsn

 Derek J. Morris wrote:
  That would be great, are you going to make it open to the ossec
  community?
 
  -Derek
 
  Greetings,
 I am interested in possibly creating a new OSSEC web interface. What
 
  sort of back-end database does OSSEC use today? I thought it was
  mysql, but I think I'm wrong.
 
  Regards,
 Adriel T. Desautels
 Chief Technology Officer
 Netragard, LLC.
 Office : 617-934-0269
 Mobile : 617-633-3821
 http://www.linkedin.com/pub/1/118/a45
 
 Join the Netragard, LLC. Linked In Group:
 http://www.linkedin.com/e/gis/48683/0B98E1705142
 
  ---
  Netragard, LLC - http://www.netragard.com  -  We make IT Safe
  Penetration Testing, Vulnerability Assessments, Website Security
 
  Netragard Whitepaper Downloads:
  ---
  Choosing the right provider : http://tinyurl.com/2ahk3j Three Things
  you must know  : http://tinyurl.com/26pjsn
 
  - Derek




[ossec-list] Firewall active response

2007-05-09 Thread Dimitri Yioulos

Hi, folks.

Even though I've been using O-H for a while now, I still think I have this 
screwed up:  I want to use the firewall active response.  However, it doesn't 
seem to be working.  My firewall is on a different box from the O-H server.  
Here's the directive I have in my ossec.conf file:

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>004</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

Would someone be kind enough to give me a hand to make this work?

Many thanks.

Dimitri




[ossec-list] Re: Agent not responding

2007-04-03 Thread Dimitri Yioulos

Hi, Daniel.

You know, I've been doing IT long enough to know that I should provide as much 
information as possible when I ask for help.  Please accept my apologies.

As it turns out, I decided to completely uninstall/reinstall the O-H agent on 
the problem machine.  Now, it works just fine.  I must have had a bit of 
cruft creep into the original installation/upgrade.

Thanks for your response.

Regards,

Dimitri


On Monday 02 April 2007 8:28 pm, you wrote:
 Hi Dimitri,

 We would need more information to help you out. The following information
 can be helpful:

 http://www.ossec.net/en/faq.html#a2.2

 Also, make sure the ip addresses are correctly configured and there is no
 error on the ossec.log of your agent.

 Thanks,

 daniel

 On 3/29/07, Dimitri Yioulos [EMAIL PROTECTED] wrote:
  Hello to all.
 
  First, to the ossec development team, great job on the program and on the
  Web gui!  Much appreciated here.
 
  I'm currently monitoring about 10 machines.  Nine of them respond just
  fine. One, however, doesn't send any mail notifications, and doesn't
  appear in the Web gui.  I've removed this machine from the list of
  agents, then added it back.  No joy.  What to do?
 
  Thanks.
 
  Dimitri
 




[ossec-list] Agent not responding

2007-03-29 Thread Dimitri Yioulos

Hello to all.

First, to the ossec development team, great job on the program and on the Web 
gui!  Much appreciated here.

I'm currently monitoring about 10 machines.  Nine of them respond just fine.  
One, however, doesn't send any mail notifications, and doesn't appear in the 
Web gui.  I've removed this machine from the list of agents, then added it 
back.  No joy.  What to do?

Thanks.

Dimitri




[ossec-list] Re: {Spam?} [ossec-list] Ossec Web UI

2007-03-20 Thread Dimitri Yioulos

On Tuesday 20 March 2007 3:11 pm, Rob wrote:
 Hey all,

Finally got ossec installed on our windows servers and everything looks
 good.  I have 1 question however.  I had test servers that I've deleted the
 agent from the ossec server but I still see them in the ossec web ui.  An
 example is below.  How can I delete these?

 Thanks!
 Robert


 SERVERNAME  (IP-ADDRESS) - INACTIVE

You must delete them from the server - /var/ossec/bin/manage_agents.  Use 
the R option to remove agents.

Dimitri




[ossec-list] Trying again - Filtering out specific alert

2006-10-24 Thread Dimitri Yioulos

Hello to all.

A few weeks ago I mentioned that I'd upgraded to O-H-0.9-2 (now at 
O-H-0.9-3).  Since then, I've been getting the following alerts from 
my mail server:

OSSEC HIDS Notification.
2006 Sep 27 15:32:22

Received From: (plymouth) 192.168.1.2-/var/log/messages
Rule: 40101 fired (level 12) - System user sucessfully logged on the 
system.
Portion of the log(s):

su(pam_unix)[8027]: session opened for user nobody by (uid=0)

 --END OF NOTIFICATION

Hope no one minds, but I didn't get a reply to my original post, and 
thought I'd ask again - How would I filter out that specific alert?  
I'd greatly appreciate your help.

Thanks.

Dimitri




[ossec-list] Re: Trying again - Filtering out specific alert

2006-10-24 Thread Dimitri Yioulos

Hey, Daniel.

You did reply indeed. Apologies for my not being more observant.

Is there a way to filter out the nobody user alert coming from that 
one server only?

As always, thanks.

Dimitri


On Tuesday October 24 2006 2:09 pm, Daniel Cid wrote:
 Hi Dimitri,

 I did reply to your first post. Take a look at:

 http://www.ossec.net/ossec-list/2006-September/msg00342.html

 Hope it helps,

 --
 Daniel B. Cid
 dcid ( at ) ossec.net

 On 10/24/06, Dimitri Yioulos [EMAIL PROTECTED] wrote:
  Hello to all.
 
  A few weeks ago I mentioned that I'd upgraded to O-H-0.9-2 (now
  at O-H-0.9-3). Since then, I've been getting the following alerts
  from my mail server:
 
  OSSEC HIDS Notification.
  2006 Sep 27 15:32:22
 
  Received From: (plymouth) 192.168.1.2-/var/log/messages
  Rule: 40101 fired (level 12) - System user sucessfully logged
  on the system.
  Portion of the log(s):
 
  su(pam_unix)[8027]: session opened for user nobody by (uid=0)
 
  --END OF NOTIFICATION
 
  Hope noone minds, but I didn't get a reply to my original post,
  and thought I'd ask again - How would I filter out that specific
  alert? I'd greatly appreciate your help.
 
  Thanks.
 
  Dimitri
 




[ossec-list] Filtering out specific alert

2006-09-27 Thread Dimitri Yioulos

Hello to all.

I recently upgraded to O-H-0.9-2.  Since then, I've been getting the 
following alerts from my mail server:

OSSEC HIDS Notification.
2006 Sep 27 15:32:22

Received From: (plymouth) 192.168.1.2-/var/log/messages
Rule: 40101 fired (level 12) - System user sucessfully logged on the 
system.
Portion of the log(s):

su(pam_unix)[8027]: session opened for user nobody by (uid=0)

 --END OF NOTIFICATION

I've not yet figured out which service is firing via the user nobody, but 
would like to filter these alerts out.  How would I do that?

Thanks.

Dimitri




[ossec-list] Re: Email Alerts Seem to have just stopped

2006-09-25 Thread Dimitri Yioulos

On Monday September 25 2006 3:43 pm, Terry Warner wrote:
 Hi All,

 We have OSSEC installed on 2 machines. We have the 0.9 version not
 0.9-2. Recently, email messages have just stopped coming. It seems
 as though ossec might not be sending them anymore or what not.
 Either way, all the configuration options look fine, I don't see
 any errors anywhere. So I am a bit stumped as to what the problem
 could be.

 Any info or help would be great!

 Thanks!
 Terry

 --

 //Terry Warner//
 [EMAIL PROTECTED]
 Internet Labs
 732-264-3111 ext: 169

There was a bug, at least in version 0.9.1, that affected emailing from 
September on.  That was fixed in version 0.9-1, which I believe was 
an interim version.  You should probably upgrade to the latest 0.9-2.

Dimitri




[ossec-list] Re: Whitelisting questions

2006-08-09 Thread Dimitri Yioulos

Ahmet.

Um, actually, why would I need a Windows agent?  I'm not monitoring a 
Windows box, just using it to do tasks on an OSSEC_HIDS box, like 
upload files via sftp (again, using WinSCP3) or run commands via ssh 
(Putty).  That notwithstanding, I'll send along the conf and logs.  
I've done nothing special to the conf file, though, except whitelist 
a few addresses.

Dimitri


On Wednesday August 09 2006 9:33 am, Ahmet Ozturk wrote:
 Hi again,

 I'll test windows agent at home tonight.
 Can you send us your ossec.conf file and related alert logs?

 Regards,

 Ahmet Ozturk.

 Dimitri Yioulos wrote:
  Thanks, Ahmet.
 
  Might you have any idea why my WinXP box keeps getting blocked
  when using the ssh and ftp tools, even though it's whitelisted?
 
  Dimitri
 
  On Wednesday August 09 2006 9:12 am, Ahmet Ozturk wrote:
  Hi Dimitri,
 
  OSSEC-HIDS configuration only accepts CIDRs /8 /16 /24 /32.
 
  Please see Rafael Capovilla's solution.
  (http://www.ossec.net/ossec-list/2006-August/msg00063.html)
 
  I think Meir Michanie will correct this issue soon.
 
  Since you have only two agent boxes, you may define them
  separately in config file like:
  <white_list>192.168.100.xx/32</white_list>
  <white_list>192.168.100.yyy/32</white_list>
 
  Regards,
 
  Ahmet Ozturk.
 
  Dimitri Yioulos wrote:
  Hello list members.
 
  In order to use various tools on my OSSEC-HIDS server and agent
  boxes, I've whitelisted my two  desktop boxes - WinXP and
  SimplyMepis Linux.
 
  From the Linux desktop, using cli ssh and sftp tools, I have no
  trouble getting into the OSSEC-HIDS server or agents.  From the
  Windows desktop, however, I keep getting added to hosts.deny
  when using either Putty (ssh) or WinSCP3 (sftp).  I then have
  to remove the entry for the WinXP desktop from hosts.deny and
  restart the OSSEC-HIDS server (merely removing the entry from
  hosts.deny doesn't work).  I have, as per instruction, added a
  separate entry in ossec.conf for each LAN address I want to
  whitelist.  Is this a possible bug, or am I doing something
  wrong?
 
  I tried whitelisting my entire LAN by adding
  <white_list>192.168.100.0/22</white_list>, but that didn't seem
  to work.  If this isn't something I'm doing wrong, might I
  suggest adding this ability in a future release?
 
  Regards,
 
  Dimitri




[ossec-list] Re: Whitelisting questions

2006-08-09 Thread Dimitri Yioulos
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/radius/radius.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/error_log</location>
  </localfile>
</ossec_config>


Dimitri


On Wednesday August 09 2006 9:49 am, Ahmet Ozturk wrote:
 Hi Dimitri,

 If it's not a problem for you, please send them to list.
 It would be good for list members to see them.
 Someone may have different ideas than mine. :)

 Regards,

 Ahmet Ozturk.

 Dimitri Yioulos wrote:
  Yes.  May I send these to you OL?
 
  Dimitri
 
  On Wednesday August 09 2006 9:33 am, Ahmet Ozturk wrote:
  Hi again,
 
  I'll test windows agent at home tonight.
  Can you send us your ossec.conf file and related alert logs?
 
  Regards,
 
  Ahmet Ozturk.
 
  Dimitri Yioulos wrote:
  Thanks, Ahmet.
 
  Might you have any idea why my WinXP box keeps getting blocked
  when using the ssh and ftp tools, even though it's whitelisted?
 
  Dimitri
 
  On Wednesday August 09 2006 9:12 am, Ahmet Ozturk wrote:
  Hi Dimitri,
 
  OSSEC-HIDS configuration only accepts CIDRs /8 /16 /24 /32.
 
  Please see Rafael Capovilla's solution.
  (http://www.ossec.net/ossec-list/2006-August/msg00063.html)
 
  I think Meir Michanie will correct this issue soon.
 
  Since you have only two agent boxes, you may define them
  separately in config file like:
  <white_list>192.168.100.xx/32</white_list>
  <white_list>192.168.100.yyy/32</white_list>
 
  Regards,
 
  Ahmet Ozturk.
 
  Dimitri Yioulos wrote:
  Hello list members.
 
  In order to use various tools on my OSSEC-HIDS server and
  agent boxes, I've whitelisted my two  desktop boxes - WinXP
  and SimplyMepis Linux.
 
  From the Linux desktop, using cli ssh and sftp tools, I have no
  trouble getting into the OSSEC-HIDS server or agents.  From
  the Windows desktop, however, I keep getting added to
  hosts.deny when using either Putty (ssh) or WinSCP3 (sftp). 
  I then have to remove the entry for the WinXP desktop from
  hosts.deny and restart the OSSEC-HIDS server (merely removing
  the entry from hosts.deny doesn't work).  I have, as per
  instruction, added a separate entry in ossec.conf for each
  LAN address I want to whitelist.  Is this a possible bug, or
  am I doing something wrong?
 
  I tried whitelisting my entire LAN by adding
  <white_list>192.168.100.0/22</white_list>, but that didn't
  seem to work.  If this isn't something I'm doing wrong, might
  I suggest adding this ability in a future release?
 
  Regards,
 
  Dimitri
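Given the restriction quoted in this thread (only /8, /16, /24 and /32 are accepted), the 192.168.100.0/22 LAN can still be covered by listing its four /24 networks. This is an added ossec.conf fragment, not from the original post; the /32 host address in the comment is a placeholder.

```xml
<ossec_config>
  <global>
    <!-- 192.168.100.0/22 spans 192.168.100.0 - 192.168.103.255, which
         is exactly four /24 networks, so list each one. -->
    <white_list>192.168.100.0/24</white_list>
    <white_list>192.168.101.0/24</white_list>
    <white_list>192.168.102.0/24</white_list>
    <white_list>192.168.103.0/24</white_list>
    <!-- Caveat: every host in a whitelisted range is exempt from
         host-deny / firewall-drop, so a compromised machine inside it
         will never be blocked. Where only the two admin desktops need
         access, the /32 form quoted above is the safer choice, e.g.
         <white_list>192.168.100.10/32</white_list>  (placeholder). -->
  </global>
</ossec_config>
```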




[ossec-list] Active response - firewall

2006-08-08 Thread Dimitri Yioulos

Hello to all.

First, congratulations to the development team on an excellent piece of 
software (recognized by SANS, no less)!  It was easy to install, and 
tweaking to one's own specifications is straightforward.  I very much 
look forward to future releases.

Apologies if this is completely lame, but one tweak that I'd like some 
help on is firewalling.  I have installed ossec-hids on a separate 
server, and added the agent piece to other servers, which mainly sit in 
a DMZ.  I have iptables/router on yet another box that has been 
serving my organization admirably (I'd also like to monitor this box 
with ossec-hids).

What I'd like to do is have the iptables/router box be the recipient of 
ip addresses added to the deny list, rather than the ossec-hids 
server.  I'm thinking that this should be possible, but don't know 
how to do it.  Can someone help?

Many thanks, and best wishes.

Dimitri




[ossec-list] Re: Active response - firewall

2006-08-08 Thread Dimitri Yioulos

On Tuesday August 08 2006 5:17 pm, Lars Scheithauer wrote:
 Eya, Dimitri!

 This eMail from the list should give you the idea on how to do it.

 Regards,
 Lars


 Hi Kayvan,

 In order to make active-response work on agents, you should
 configure the
 server with active-response I think.
 Then you may specify the active-response location (i.e., local,
 analysis-server,
 defined-agent or all)

 I'm adding related parts of my configuration file to give idea:

 /var/ossec/etc/ossec.conf on server:
 
 <command>
   <name>host-deny</name>
   <executable>host-deny.sh</executable>
   <expect>srcip</expect>
   <timeout_allowed>yes</timeout_allowed>
 </command>

 <command>
   <name>firewall-drop</name>
   <executable>firewall-drop.sh</executable>
   <expect>srcip</expect>
   <timeout_allowed>yes</timeout_allowed>
 </command>

 <command>
   <name>disable-account</name>
   <executable>disable-account.sh</executable>
   <expect>user</expect>
   <timeout_allowed>yes</timeout_allowed>
 </command>


 <!-- Active Response Config -->
 <active-response>
   <!-- This response is going to execute the host-deny
      - command for every event that fires a rule with
      - level (severity) >= 6.
      - The IP is going to be blocked for  600 seconds.
     -->
   <command>host-deny</command>
   <location>local</location>
   <level>6</level>
   <timeout>600</timeout>
 </active-response>

 <active-response>
   <!-- Firewall Drop response. Block the IP for
      - 600 seconds on the firewall (iptables,
      - ipfilter, etc).
     -->
   <command>firewall-drop</command>
   <location>local</location>
   <level>6</level>
   <timeout>600</timeout>
 </active-response>

 

 I have no configuration for active-response on agent,
 however, I answered Yes to the active-response questions on
 both server and agent installation.

 You can find detailed information about active-response
 configuration at http://www.ossec.net/en/manual.html - 7.1.2
 Responses Configuration.

 Best Regards,

 Ahmet Ozturk.

 Kayvan A. Sylvan wrote:
  I have one outward-facing host, let's call it ssh-host, with an
  ssh port accessible to the WAN.
 
  I have another host inside my firewall, called engserver.
 
  I installed OSSEC on engserver as a server install, but
  without active response.
 
  I installed the client install on ssh-host, answering Yes to
  the active response questions. ssh-host is an OSSEC agent of
  engserver and I see email alerts, so I know things are working
  correctly.
 
  However, looking at /var/ossec/active-response/ on ssh-host, it
  seems that
  the active response stuff is not activated. I *know* this host
  gets a lot of scans and brute force attempts to login.
 
  Does anyone know what's going on? The /var/ossec/etc/ossec.conf
  on ssh-host seems very minimal and does not mention any of the
  stuff for host-deny or firewall-deny.
 
  Thanks!
  ---Kayvan

 Am 08.08.2006 um 22:52 schrieb Dimitri Yioulos:
  Hello to all.
 
  First, congratulations to the development team on an excellent
  piece of software (recognized by SANS, no less)!  It was easy to
  install, and tweaking to one's own specifications is
  straightforward.  I very much look forward to future releases.
 
  Apologies if this is completely lame, but one tweak that I'd like
  some help on is firewalling.  I have installed ossec-hids on a
  separate server, and added the agent piece to other servers, which
  mainly sit in a DMZ.  I have iptables/router on yet another box
  that has been serving my organization admirably (I'd also like
  to monitor this box with ossec-hids).
 
  What I'd like to do is have the iptables/router box be the
  recipient of ip addresses added to the deny list, rather than the
  ossec-hids server.  I'm thinking that this should be possible,
  but don't know how to do it.  Can someone help?
 
  Many thanks, and best wishes.
 
  Dimitri
 
  --

Lars,

Thanks for your response.  I'm bottom-posting here as I don't know the 
etiquette of the list.

So, in the following directive, I should use defined-agent (the 
agent_id of the iptables/router box, of course) as the location!

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>defined-agent id</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

Ok, clear enough.  I guess I didn't grasp a simple concept.

Are there any firewall rules I need to add to the iptables/router box 
in order for this to work?

Dimitri
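The server-side form that sends the firewall-drop response to one particular agent, written out in full as an added example (not from the original message): in OSSEC the target agent is named in a separate <agent_id> element rather than inside <location>. The agent id 003 is a placeholder for whatever id manage_agents assigned to the iptables/router box.

```xml
<ossec_config>
  <!-- Command definition on the server (/var/ossec/etc/ossec.conf).
       "srcip" is the only argument the script receives, so rules that
       fire this response must carry a source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <!-- defined-agent: run the script only on the agent listed in
         <agent_id> (the router), not on the server itself.
         "003" is a placeholder for the router's real agent id. -->
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <!-- Any rule of level 6 or higher triggers it; the block is
         lifted again after 600 seconds. -->
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

As the quoted reply notes, the router must have been installed as an agent with active response enabled, since the server only sends the instruction and the agent's own firewall-drop.sh does the iptables work.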
