Re: [ossec-list] OSSEC agent 2.9 failing on solaris 10

2018-11-27 Thread Eero Volotinen
Install or compile a newer version of OpenSSL on the machine and try
recompiling OSSEC?

Ire Kourkoumelis wrote on Tue 27 Nov 2018 at 18:31:

> So, what can I do to resolve this and install OSSEC?
>
>
>
> On Tuesday, 27 November 2018, 13:25:10 (UTC-3), dan (ddpbsd) wrote:
>>
>> On Tue, Nov 27, 2018 at 11:08 AM Ire Kourkoumelis wrote:
>> >
>> > Hello!! Thanks for the answer!!
>> >
>> >
>> > On Oracle Linux Server release 5.8
>> >
>> >
>> > This is the version:
>> >
>> >  openssl-0.9.8e-22.el5
>> >  openssl-0.9.8e-22.el5
>> >
>>
>> Yep, that's probably too old to have "TLSv1_2_method"
>>
>> >
>> > I tried to update but it seems it is the latest version
>> >
>> >
>> > # yum install openssl
>> >
>> > Loaded plugins: rhnplugin, security
>> > This system is not registered with ULN.
>> > ULN support will be disabled.
>> > Setting up Install Process
>> > Nothing to do
>> >
>> >
>> >
>> > # uname -a
>> > Linux compilar 2.6.32-300.10.1.el5uek #1 SMP Wed Feb 22 17:37:40 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> >
>> >
>> >
>> >
>> > On Tuesday, 27 November 2018, 13:01:15 (UTC-3), dan (ddpbsd) wrote:
>> >>
>> >>
>> >>
>> >> On Tue, Nov 27, 2018 at 10:43 AM Ire Kourkoumelis wrote:
>> >>>
>> >>> Can you help me with this error in ./install.sh?
>> >>>
>> >>> os_auth/ssl.c: In function ‘get_ssl_context’:
>> >>> os_auth/ssl.c:107: warning: implicit declaration of function ‘TLSv1_2_method’
>> >>> os_auth/ssl.c:107: warning: assignment makes pointer from integer without a cast
>> >>> os_auth/ssl.c:108: warning: passing argument 1 of ‘SSL_CTX_new’ discards qualifiers from pointer target type
>> >>> CC os_auth/check_cert.o
>> >>> CC agent-auth
>> >>> os_auth/ssl.o: In function `get_ssl_context':
>> >>> ssl.c:(.text+0x263): undefined reference to `TLSv1_2_method'
>> >>> collect2: ld returned 1 exit status
>> >>> make: *** [agent-auth] Error 1
>> >>>
>> >>>  Error 0x5.
>> >>>  Building error. Unable to finish the installation.
>> >>>
>> >>>
>> >>
>> >> Old version of OpenSSL?
>> >>
>> >>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Thursday, 21 December 2017, 10:08:59 (UTC-3), dan (ddpbsd) wrote:
>> 
>>  On Tue, Dec 12, 2017 at 4:54 PM, Harish P wrote:
>>  > Hi Dan
>>  >
>>  > We are using
>>  >
>>  > # openssl version
>>  > OpenSSL 1.0.1p 9 Jul 2015
>>  > #
>>  >
>> 
>>  That should be a good version. It sounds like the installation isn't
>>  picking it up for some reason.
>>  You can try compiling with "V=1" to see the actual command output. It
>>  might give you a clue as to where the issue is.
>> 
>>  >
>>  > On Friday, December 8, 2017 at 8:28:34 PM UTC-8, dan (ddpbsd) wrote:
>>  >>
>>  >> On Fri, Dec 8, 2017 at 4:33 PM, Harish P wrote:
>>  >> > Hi
>>  >> >
>>  >> > OSSEC agent installation failed with the following error on Solaris 10.
>>  >> > Please help
>>  >> >
>>  >> > CC agent-auth
>>  >> > Undefined   first referenced
>>  >> >  symbol in file
>>  >> > TLSv1_2_method  os_auth/ssl.o
>>  >> > ld: fatal: symbol referencing errors. No output written to agent-auth
>>  >> > collect2: ld returned 1 exit status
>>  >> > gmake: *** [agent-auth] Error 1
>>  >> >
>>  >> >  Error 0x5.
>>  >> >  Building error. Unable to finish the installation.
>>  >> >
>>  >>
>>  >> What version of the openssl libs do you have installed?
>>  >>
>>  >> > --
>>  >> >
>>  >> > ---
>>  >> > You received this message because you are subscribed to the
>> Google
>>  >> > Groups
>>  >> > "ossec-list" group.
>>  >> > To unsubscribe from this group and stop receiving emails from
>> it, send
>>  >> > an
>>  >> > email to ossec-list+...@googlegroups.com.
>>  >> > For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] [v2.8.3][ossec-maild] ERROR (smtp server)

2018-06-06 Thread Eero Volotinen
Well, does telnet localhost work fine?

Eero

Tue 29 May 2018 at 12:06  wrote:

> Hi,
>
> I am receiving the error:
>
>
>
> 2018/05/28 17:29:54 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
> 2018/05/28 18:00:01 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
> 2018/05/28 18:22:07 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>
> Postfix is already set up and it's working fine. (postfix's log is empty)
>
> I have changed smtp_relay in my global config to localhost and 127.0.0.1
> but neither worked.
>
> I have changed  in my ossec config to localhost and 127.0.0.1
> but neither worked.
>
> Thanks in advance.
>


Re: [ossec-list] Re: PCI 10.5.5 Requirement OSSEC configuration

2018-05-14 Thread Eero Volotinen
Log hashing? Integrity? Try samhain to guard your OSSEC logs?

Eero

On Mon 14 May 2018 at 19:48 Will Duckworth wrote:

> Did you ever find out a method? Or just assume the indexing is enough?
>
>
>
> On Thursday, 9 February 2012 19:57:46 UTC, awhitehatter wrote:
>>
>> Hi There,
>>
>> Can someone assist me with PCI requirement 10.5.5 as it relates to
>> configuring of OSSEC?
>>
>> The requirement says:
>>
>> 10.5.5 -
>> Use file-integrity monitoring or change detection software on logs to
>> ensure that existing log data cannot be changed without generating
>> alerts(although new data being added should not cause an alert).
>>
>> OSSEC says in the .pdf (http://www.ossec.net/ossec-docs/ossec-PCI-Solution.pdf):
>>
>> OSSEC's System Integrity Checking module can be configured to monitor
>> file system changes (such as changes to files, new files getting
>> created, new directories being created, files being removed etc)
>> and ... OSSEC will not alert on new additions to log files but instead
>> would only alert if the new entries indicate malicious behavior. The
>> combination of system integrity and logs inspection can help
>> administrators monitor log files without a lot of false alerts.
>>
>> So how is this configuration created? Can someone provide examples or
>> some sort of starting point?
>>
>> thanks for reading!!
>

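The append-only property 10.5.5 asks for (alert when existing log bytes are changed or removed, no alert when new lines are appended) can be checked with a prefix hash: record the file size and the SHA-256 of the bytes up to that size, then on each check hash only that many bytes of the current file. The following is an added example, not OSSEC's or samhain's code; the log lines it feeds in are constructed and the function names are mine.

```python
import hashlib
import os
import tempfile

CHUNK = 65536

# Verdicts that should raise an alert under PCI DSS 10.5.5; 'appended' must not.
ALERT_STATES = {"modified", "truncated"}


def snapshot(path):
    """Baseline for a log file: its current size and the SHA-256 of all bytes up to that size."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
            size += len(block)
    return {"size": size, "sha256": h.hexdigest()}


def hash_prefix(path, length):
    """SHA-256 of only the first `length` bytes of path, or None if the file is shorter."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                return None
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def check(path, baseline):
    """Compare the file against a baseline taken earlier by snapshot().

    Returns 'ok' (unchanged), 'appended' (old bytes intact, file grew: no alert),
    'truncated' (file shorter than the baseline: alert) or
    'modified' (bytes inside the baselined region changed: alert).
    A rotated log also shows up as 'truncated'; a deployment would pair this
    with inode or creation-time tracking so rotation can be accepted deliberately.
    """
    current_size = os.path.getsize(path)
    if current_size < baseline["size"]:
        return "truncated"
    if hash_prefix(path, baseline["size"]) != baseline["sha256"]:
        return "modified"
    return "appended" if current_size > baseline["size"] else "ok"


def demo():
    """Constructed walkthrough on a temporary file; returns the verdict after each event."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    verdicts = []
    try:
        # Constructed sample log lines, not captured from a real host.
        with open(path, "wb") as f:
            f.write(b"Jan  1 00:00:01 host sshd[101]: Accepted publickey for alice\n")
        base = snapshot(path)
        verdicts.append(check(path, base))  # nothing happened -> 'ok'

        with open(path, "ab") as f:  # the daemon appends a new line
            f.write(b"Jan  1 00:00:02 host sshd[102]: Failed password for root\n")
        verdicts.append(check(path, base))  # -> 'appended', no alert
        base = snapshot(path)  # accept the growth as the new baseline

        with open(path, "rb") as f:  # an existing line is rewritten in place
            data = f.read().replace(b"Failed password", b"Accepted password")
        with open(path, "wb") as f:
            f.write(data)
        verdicts.append(check(path, base))  # -> 'modified', alert

        with open(path, "wb"):  # the log is cleared entirely
            pass
        verdicts.append(check(path, base))  # -> 'truncated', alert
    finally:
        os.remove(path)
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict, "ALERT" if verdict in ALERT_STATES else "")
```

Run the check on a schedule (or from an OSSEC syscheck-triggered script) and re-snapshot only after an 'appended' verdict, so the baseline always covers bytes that were already verified intact.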

Re: [ossec-list] Ossec agent installation issue on AIX Server's

2018-02-12 Thread Eero Volotinen
Well, I don't have access to an AIX system, so I cannot fix or help with the issue.

Eero

On Mon, Feb 12, 2018 at 11:12 AM, Sardar Salim Shaikh wrote:

> Hi Eero,
>
> Thanks for your reply !!!
>
> The gcc version on AIX 6.1 is : gcc-4.8.3-1
>
> Please help me with this issue, I'm stuck at this.
>
> Thanks and best Regards,
> Sardar S.
>


Re: [ossec-list] Ossec agent installation issue on AIX Server's

2018-01-29 Thread Eero Volotinen
Well, are you using gcc on AIX? What is the output of cc --version and gcc
--version?

Eero

2018-01-29 8:55 GMT+02:00 Sardar Salim Shaikh :

> Hello All,
>
> I'm facing some issues installing the OSSEC agent on AIX Server 6.3
> and 7.1. I'm getting the errors below during installation; please find the
> attached screenshots of the errors.
>
> Kindly help me to fix this issue.
>
>
>
> Thanks and Best Regards,
>
> Sardar Shaikh
>


Re: [ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-29 Thread Eero Volotinen
You could also try editing the file src/Makefile:

find line 4:

uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')


and replace it with


uname_S=SunOS


and try again.


Eero

2017-06-30 2:04 GMT+03:00 Eero Volotinen <eero.voloti...@iki.fi>:

> What is the output of:
>
> make --version
>
>
> As you can see from the error message, the problem is in the Makefile.
>
> 2017-06-29 23:39 GMT+03:00 Robert <robert.mille...@gmail.com>:
>
>> I am having issues installing on Solaris 10 (i.e. Solaris 10 8/11
>> s10s_u10wos_17b SPARC) and am getting the error below when it tries to
>> finish the install.
>>
>> 5- Installing the system
>>  - Running the Makefile
>> make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen
>>
>>  Error 0x5.
>>  Building error. Unable to finish the installation.
>>
>>
>> The line in question is "uname_S := $(shell sh -c 'uname -s 2>/dev/null
>> || echo not') ".  The output from that command is below.
>>
>> # sh -c 'uname -s 2>/dev/null || echo not'
>> SunOS
>>
>>
>> I tried changing the first line of the install.sh script to "#!/bin/bash"
>> and that didn't work.  I checked our compilers and we have gcc installed
>> but not cc.  Below is the gcc version.
>>
>> # gcc --version
>> gcc (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
>> Copyright (C) 2004 Free Software Foundation, Inc.
>>
>>
>> Below is the output using the following command: /bin/sh -x ./install.sh.
>>
>> MAKEBIN=make
>> + [ XSunOS = XOpenBSD ]
>> + [ XSunOS = XFreeBSD ]
>> + [ XSunOS = XNetBSD ]
>> + [ XSunOS = XDragonflyBSD ]
>> + [ X%NUNAME = XBitrig ]
>> + echo  - Running the Makefile
>>  - Running the Makefile
>> + cd ./src
>> + [ X = X ]
>> + make PREFIX=/var/ossec TARGET=agent build
>> make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen
>> + [ 1 != 0 ]
>> + cd ../
>> + catError 0x5-build
>> FILE=0x5-build
>> FILE_PATH=./etc/templates/en/errors/0x5-build.txt
>> + isFile ./etc/templates/en/errors/0x5-build.txt
>> FILE=./etc/templates/en/errors/0x5-build.txt
>> + ls ./etc/templates/en/errors/0x5-build.txt
>> + [ 0 = 0 ]
>> + echo true
>> + return 0
>> + [ true = false ]
>> + cat ./etc/templates/en/errors/0x5-build.txt
>>
>>  Error 0x5.
>>  Building error. Unable to finish the installation.
>>
>>
>> I also tried patching our install.sh script using the patch
>> (src_init_update_sh.diff) that was provided in another thread but that
>> patch doesn't work.  Not to mention that thread was back in 2013.
>>
>> Any ideas?
>>


Re: [ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-29 Thread Eero Volotinen
What is the output of:

make --version


As you can see from the error message, the problem is in the Makefile.

2017-06-29 23:39 GMT+03:00 Robert :

> I am having issues installing on Solaris 10 (i.e. Solaris 10 8/11
> s10s_u10wos_17b SPARC) and am getting the error below when it tries to
> finish the install.
>
> 5- Installing the system
>  - Running the Makefile
> make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
> The line in question is "uname_S := $(shell sh -c 'uname -s 2>/dev/null ||
> echo not') ".  The output from that command is below.
>
> # sh -c 'uname -s 2>/dev/null || echo not'
> SunOS
>
>
> I tried changing the first line of the install.sh script to "#!/bin/bash"
> and that didn't work.  I checked our compilers and we have gcc installed
> but not cc.  Below is the gcc version.
>
> # gcc --version
> gcc (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
> Copyright (C) 2004 Free Software Foundation, Inc.
>
>
> Below is the output using the following command: /bin/sh -x ./install.sh.
>
> MAKEBIN=make
> + [ XSunOS = XOpenBSD ]
> + [ XSunOS = XFreeBSD ]
> + [ XSunOS = XNetBSD ]
> + [ XSunOS = XDragonflyBSD ]
> + [ X%NUNAME = XBitrig ]
> + echo  - Running the Makefile
>  - Running the Makefile
> + cd ./src
> + [ X = X ]
> + make PREFIX=/var/ossec TARGET=agent build
> make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen
> + [ 1 != 0 ]
> + cd ../
> + catError 0x5-build
> FILE=0x5-build
> FILE_PATH=./etc/templates/en/errors/0x5-build.txt
> + isFile ./etc/templates/en/errors/0x5-build.txt
> FILE=./etc/templates/en/errors/0x5-build.txt
> + ls ./etc/templates/en/errors/0x5-build.txt
> + [ 0 = 0 ]
> + echo true
> + return 0
> + [ true = false ]
> + cat ./etc/templates/en/errors/0x5-build.txt
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
> I also tried patching our install.sh script using the patch
> (src_init_update_sh.diff) that was provided in another thread but that
> patch doesn't work.  Not to mention that thread was back in 2013.
>
> Any ideas?
>


Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Eero Volotinen
So, you are using the Sun compiler instead of gcc. Just fix that issue.

On 26 Jun 2017 at 10:32 PM, "Mathew Habicht" <mathewhabi...@gmail.com> wrote:

> # gcc --version
> gcc (GCC) 4.7.2
> Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.  There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
>  # cc --version
> /usr/ucb/cc:  language optional software package not installed
>
>
>
> On Monday, June 26, 2017 at 3:25:45 PM UTC-4, Eero Volotinen wrote:
>>
>> Is the cc / gcc command in your path?
>>
>> What is the output of the following commands: cc --version and gcc --version?
>>
>> Eero
>>
>> 2017-06-26 22:12 GMT+03:00 Mathew Habicht <mathew...@gmail.com>:
>>
>>> Yes, I added 4 packages. 1-GCC and 3-LIB
>>>
>>> On Monday, June 26, 2017 at 3:06:33 PM UTC-4, Eero Volotinen wrote:
>>>>
>>>> Do you have a compiler installed on the system?
>>>>
>>>> Eero
>>>>
>>>> On 26 Jun 2017 at 9:37 PM, "Mathew Habicht" <mathew...@gmail.com> wrote:
>>>>
>>>>> Here is one way
>>>>>
>>>>> 5- Installing the system
>>>>>  - Running the Makefile
>>>>> mksh: Fatal error: Cannot load command `/usr/ccs/bin': Bad file number
>>>>> Current working directory /export/ossec-hids-2.8.1/src
>>>>> *** Error code 1
>>>>> make: Fatal error: Command failed for target `all'
>>>>>
>>>>>  Error 0x5.
>>>>>  Building error. Unable to finish the installation.
>>>>>
>>>>> Here is another way.
>>>>> 5- Installing the system
>>>>>  - Running the Makefile
>>>>>
>>>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>>>> cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/
>>>>>
>>>>>
>>>>>  *** Making cJSON (by Dave Gamble)  ***
>>>>> cp -pr cJSON.h ../../headers/
>>>>> cp -pr libcJSON.a ../
>>>>>
>>>>>
>>>>>  *** Making Lua 5.2 (by team at PUC-Rio in Brazi)  ***
>>>>>  Copyright © 1994–2014 Lua.org, PUC-Rio.
>>>>> cd src && make solaris
>>>>> make all SYSCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN" SYSLIBS="-ldl"
>>>>>
>>>>>
>>>>>
>>>>>  *** Making os_xml ***
>>>>>
>>>>> `os_xml.a' is up to date.
>>>>>
>>>>>
>>>>>  *** Making os_regex ***
>>>>>
>>>>> `os_regex.a' is up to date.
>>>>>
>>>>>
>>>>>  *** Making os_net ***
>>>>>
>>>>> `os_net.a' is up to date.
>>>>>
>>>>>
>>>>>  *** Making os_crypto ***
>>>>>
>>>>> cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT  -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
>>>>> /usr/ucb/cc:  language optional software package not installed
>>>>> *** Error code 1
>>>>> make: Fatal error: Command failed for target `bf'
>>>>> Current working directory /export/ossec-hids-2.8.1/src/os_crypto/blowfish
>>>>> *** Error code 1
>>>>> make: Fatal error: Command failed for target `os_crypto'
>>>>> Current working directory /export/ossec-hids-2.8.1/src/os_crypto
>>>>>
>>>>> Error Making os_crypto
>>>>> *** Error code 1
>>>>> make: Fatal error: Command failed for target `all'
>>>>>
>>>>>  Error 0x5.
>>>>>  Building error. Unable to finish the installation.
>>>>>
>>>>>
>>>>> On Monday, June 26, 2017 at 2:16:59 PM UTC-4, Eero Volotinen wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Please give error messages.
>>>>>>
>>>>>> Eero
>>>>>>
>>>>>> 2017-06-26 20:55 GMT+03:00 Mathew Habicht <mathew...@gmail.com>:
>>>>>>
>>>>>>>
>>>>>>> I am attempting to install OSSEC 2.8.1 on a Sparc Solaris 9 server,
>>>

Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Eero Volotinen
Do you have a compiler installed on the system?

Eero

On 26 Jun 2017 at 9:37 PM, "Mathew Habicht" <mathewhabi...@gmail.com> wrote:

> Here is one way
>
> 5- Installing the system
>  - Running the Makefile
> mksh: Fatal error: Cannot load command `/usr/ccs/bin': Bad file number
> Current working directory /export/ossec-hids-2.8.1/src
> *** Error code 1
> make: Fatal error: Command failed for target `all'
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
> Here is another way.
> 5- Installing the system
>  - Running the Makefile
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/
>
>
>  *** Making cJSON (by Dave Gamble)  ***
> cp -pr cJSON.h ../../headers/
> cp -pr libcJSON.a ../
>
>
>  *** Making Lua 5.2 (by team at PUC-Rio in Brazi)  ***
>  Copyright © 1994–2014 Lua.org, PUC-Rio.
> cd src && make solaris
> make all SYSCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN" SYSLIBS="-ldl"
>
>
>
>  *** Making os_xml ***
>
> `os_xml.a' is up to date.
>
>
>  *** Making os_regex ***
>
> `os_regex.a' is up to date.
>
>
>  *** Making os_net ***
>
> `os_net.a' is up to date.
>
>
>  *** Making os_crypto ***
>
> cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT  -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
> /usr/ucb/cc:  language optional software package not installed
> *** Error code 1
> make: Fatal error: Command failed for target `bf'
> Current working directory /export/ossec-hids-2.8.1/src/os_crypto/blowfish
> *** Error code 1
> make: Fatal error: Command failed for target `os_crypto'
> Current working directory /export/ossec-hids-2.8.1/src/os_crypto
>
> Error Making os_crypto
> *** Error code 1
> make: Fatal error: Command failed for target `all'
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
> On Monday, June 26, 2017 at 2:16:59 PM UTC-4, Eero Volotinen wrote:
>>
>> Hi,
>>
>> Please give error messages.
>>
>> Eero
>>
>> 2017-06-26 20:55 GMT+03:00 Mathew Habicht <mathew...@gmail.com>:
>>
>>>
>>> I am attempting to install OSSEC 2.8.1 on a Sparc Solaris 9 server, but
>>> I am having compiler issues and the install will not complete. Are
>>> there instructions that are specific to installing on Solaris 9? I have
>>> found all the errors I am seeing but all the resolutions are for
>>> Solaris 10.
>>>
>>> Thanks for the help.
>>>


Re: [ossec-list] can't access https://www.atomicorp.com/downloads

2017-03-06 Thread Eero Volotinen
Works fine from my browser.

Eero

2017-03-06 9:58 GMT+02:00 :

> I can't access https://www.atomicorp.com/downloads, the website returns
> this error:
>
> Forbidden You do not have permission to access this document.
>
> --
> Web Server at atomicorp.com
>
> Does anyone have this problem?
>


Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread Eero Volotinen
Is something running on port 1514 already? Or is OSSEC already running?

Eero

2017-03-01 13:50 GMT+02:00 Eduardo Reichert Figueiredo <
eduardo.reich...@hotmail.com>:

> Dear All,
> I am installing the OSSEC server on RHEL 6.8, but only ossec-remoted is not
> running. I did troubleshooting with the commands below:
> #gdb /var/ossec-2.9/bin/ossec-remoted
> ###RESULT###
> ...
> Reading symbols from /var/ossec-2.9/bin/ossec-remoted...(no debugging
> symbols found)...done.
> (gdb) set follow-fork-mode child
> (gdb) run -df
> Starting program: /var/ossec-2.9/bin/ossec-remoted -df
> [Thread debugging using libthread_db enabled]
> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Starting ...
> 2017/03/01 08:36:40 ossec-remoted: INFO: Started (pid: 88290).
> [New process 88293]
> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '1'.
> 2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> [Thread debugging using libthread_db enabled]
> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> 2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>
> Program exited with code 01.
> Missing separate debuginfos, use: debuginfo-install
> glibc-2.12-1.192.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64
> krb5-libs-1.10.3-57.el6.x86_64 libcom_err-1.41.12-22.el6.x86_64
> libselinux-2.0.94-7.el6.x86_64 openssl-1.0.1e-48.el6_8.4.x86_64
> zlib-1.2.3-29.el6.x86_64
> (gdb) Q
>
> Can you help me?
>


Re: [ossec-list] Mass monitoring log files in a folder on windows

2017-02-14 Thread Eero Volotinen
Then it might require modifications to the OSSEC source code.

Eero

2017-02-14 14:20 GMT+02:00 Tibor Luth <tibor...@gmail.com>:

> None of them work. Neither *.log, *log nor any regex between the
> <location> tags (on Windows using OSSEC 2.8). ossec-agent(1103): ERROR:
> Unable to open file... Only strftime works but in some of my cases it's not
> enough :(
>
> Regards
>
> T.
>
> On Tuesday, 14 February 2017 at 1:19:41 UTC+1, Eero Volotinen wrote:
>>
>> try *log instead of *.log
>>
>> Eero
>>
>> On 13 Feb 2017 at 6:19 PM, "Tibor Luth" <tibo...@gmail.com> wrote:
>>
>>> Thanks.
>>> Reading this for the second time I've realized what strftime means. So it
>>> can work in most cases and I'll try.
>>> But there is one unique application that appends random
>>> characters/numbers at the end of the filename, like:
>>> log-20160829124854-kibe.1519.22082016.log. The "1519.22" part is
>>> random. That's why I wanted to use *.log. :(
>>>
>>> On Monday, 13 February 2017 at 14:54:32 UTC+1, Eero Volotinen wrote:
>>>>
>>>> Check out this:
>>>>
>>>> Date Based Example
>>>>
>>>> For log files that change according to the date, you can also specify a
>>>> strftime format to replace the day, month, year, etc. For example, to
>>>> monitor the log C:\Windows\app\log-08-12-15.log, where 08 is the year,
>>>> 12 is the month and 15 the day (and it is rolled over every day), do:
>>>>
>>>> <localfile>
>>>> <location>C:\Windows\app\log-%y-%m-%d.log</location>
>>>> <log_format>syslog</log_format>
>>>> </localfile>
>>>>
>>>> Eero
>>>>
>>>> 2017-02-13 15:50 GMT+02:00 Tibor Luth <tibo...@gmail.com>:
>>>>
>>>>> Unfortunately I cannot solve the issue in the subject.
>>>>>
>>>>> I wrote a few rows in the agent.conf (according to ossec-docs), but
>>>>> got an error.
>>>>>
>>>>> <agent_config>
>>>>> <localfile>
>>>>> <location>X:\mylogs\*.log</location>
>>>>> <log_format>syslog</log_format>
>>>>> </localfile>
>>>>> </agent_config>
>>>>>
>>>>> The error is:
>>>>>
>>>>> "ERROR: Glob error. Invalid pattern..."
>>>>>
>>>>>
>>>>>
>>>>> If I skip the * wildcard and use a proper filename it has no errors.
>>>>> How could I solve this? My log file names in that folder are like 
>>>>> logfile_20170202-145321.log.
>>>>>
>>>>> Regards
>>>>>
>>>>> T.
>>>>>
>>>>>
>>>>>
>>>>>


Re: [ossec-list] Mass monitoring log files in a folder on windows

2017-02-13 Thread Eero Volotinen
try *log instead of *.log

Eero

On 13 Feb 2017 at 6:19 PM, "Tibor Luth" <tibor...@gmail.com> wrote:

> Thanks.
> Reading this for the second time I've realized what strftime means. So it can
> work in most cases and I'll try.
> But there is one unique application that appends random
> characters/numbers at the end of the filename, like:
> log-20160829124854-kibe.1519.22082016.log. The "1519.22" part is random.
> That's why I wanted to use *.log. :(
>
> On Monday, 13 February 2017 at 14:54:32 UTC+1, Eero Volotinen wrote:
>>
>> Check out this:
>>
>> Date Based Example
>>
>> For log files that change according to the date, you can also specify a
>> strftime format to replace the day, month, year, etc. For example, to
>> monitor the log C:\Windows\app\log-08-12-15.log, where 08 is the year,
>> 12 is the month and 15 the day (and it is rolled over every day), do:
>>
>> <localfile>
>> <location>C:\Windows\app\log-%y-%m-%d.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>>
>> Eero
>>
>> 2017-02-13 15:50 GMT+02:00 Tibor Luth <tibo...@gmail.com>:
>>
>>> Unfortunately I cannot solve the issue in the subject.
>>>
>>> I wrote a few rows in the agent.conf (according to ossec-docs), but got
>>> an error.
>>>
>>> <agent_config>
>>> <localfile>
>>> <location>X:\mylogs\*.log</location>
>>> <log_format>syslog</log_format>
>>> </localfile>
>>> </agent_config>
>>>
>>> The error is:
>>>
>>> "ERROR: Glob error. Invalid pattern..."
>>>
>>>
>>>
>>> If I skip the * wildcard and use a proper filename it has no errors.
>>> How could I solve this? My log file names in that folder are like 
>>> logfile_20170202-145321.log.
>>>
>>> Regards
>>>
>>> T.
>>>
>>>
>>>
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>



Re: [ossec-list] Mass monitoring log files in a folder on windows

2017-02-13 Thread Eero Volotinen
Check out this:

Date Based Example

For log files that change according to the date, you can also specify a
strftime format to replace the day, month, year, etc. For example, to
monitor the log C:\Windows\app\log-08-12-15.log, where 08 is the year, 12
is the month and 15 the day (and it is rolled over every day), do:


<localfile>
  <location>C:\Windows\app\log-%y-%m-%d.log</location>
  <log_format>syslog</log_format>
</localfile>

Eero

2017-02-13 15:50 GMT+02:00 Tibor Luth :

> Unfortunately I cannot solve the issue in the subject.
>
> I wrote a few rows in the agent.conf (according to ossec-docs), but got an
> error.
>
> <localfile>
>   <location>X:\mylogs\*.log</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> The error is:
>
> "ERROR: Glob error. Invalid pattern..."
>
>
>
> If I skip the * wildcard and use a proper filename it has no errors.
> How could I solve this? My log file names in that folder are like 
> logfile_20170202-145321.log.
>
> Regards
>
> T.
>
>
>
>



Re: [ossec-list] Email Alerts on Google Compute Instances

2016-12-13 Thread Eero Volotinen
How about using local postfix for smarthost and configuring relay with it?

--
Eero

2016-12-13 13:37 GMT+02:00 flippery_fish :

> Hi,
>
> Google Compute Engine does not allow outbound connections on ports 25,
> 465, and 587.
>
> As recommended by GCE, I have set up mailjet on 2525, which works fine for
> outbound mail relay.
>
> Is there a way to send the OSSEC email notifications to send on specific
> port (i.e. in.mailjet.com:2525 in my case)?
>
> If not, is there a workaround?  Of course I could do something like write
> the OSSEC notifications to a json file, parse that and send manually, but was
> hoping to avoid doing that.
>
>
>
>



Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-22 Thread Eero Volotinen
How about modifying the installation package?

Eero

2016-09-22 12:56 GMT+03:00 Victor Fernandez :

> Hi,
>
> when you run the OSSEC installer for Windows, you can choose the location
> where OSSEC will be installed. This shouldn't be a problem.
>
> Since OSSEC registers a background service on Windows, you should first
> install OSSEC into another partition and then create the C:\ drive image.
>
> Hope it helps.
> Best regards.
>
> Victor.
>
>
>
> On Thursday, September 22, 2016 at 10:13:30 AM UTC+2, vikas wrote:
>>
>> Hello all,
>>
>> We have a group of servers where the C:/ drive gets re-imaged daily with
>> a standard image. Since it's going to be the same image that all the servers
>> use, I'm not sure how to make OSSEC part of that image and avoid agent-server
>> registration issues. So we wanted to install it on a different drive to
>> avoid the complications, but couldn't find an option to specify a custom path
>> for installation. Is it possible?
>>
>> Thank you for your help!
>>



Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Eero Volotinen
You can use the IP address 'any' when creating agent keys for roaming devices.

Eero

2016-09-13 10:58 GMT+03:00 Nick Giannoulis :

> Hi all
>  I have an OSSEC server running perfectly, monitoring all my servers. I
> want to expand it to start monitoring my 'normal' clients (win7-10 laptops
> and workstations). Some of these laptops will be outside of the network
> most of the time. Considering that ossec agents shouldn't have the same IP,
> is there any workaround for my situation? I imagine at some point or
> another a few laptops will have the same IP while they are connected to
> various other networks.
>
>



Re: [ossec-list] in solaris - does realtime check work?

2016-09-08 Thread Eero Volotinen
I think that realtime monitoring is not supported under solaris.

eero

On 8.9.2016 at 9:40 p.m., "Stephen LuShing" wrote:

> I installed ossec on Solaris and am trying to check some directories, so I set up
> the following in ossec.conf
>
>
> 
>  check_all="yes">/etc,/usr/bin,/usr/sbin,/usr/sfw/bin
>  check_all="yes">/bin,/sbin,/usr/ccs/bin
> yes
>
> When I started it, I get the WARN message; will ossec check for it, or will it be
> ignored?
>
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory:
> '/usr/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory:
> '/usr/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory:
> '/usr/sfw/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: INFO: Monitoring directory:
> '/usr/ccs/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/etc'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/usr/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/usr/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/usr/sfw/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/bin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/sbin'.
> 2016/09/08 14:36:03 ossec-syscheckd: WARN: Ignoring flag for real time
> monitoring on directory: '/usr/ccs/bin'.
>
>
> Stephen LuShing
>



Re: [ossec-list] trying to install ossec on solaris 10

2016-09-06 Thread Eero Volotinen
try installing gcc and then point cc to gcc binary.

Eero

2016-09-06 22:28 GMT+03:00 Stephen LuShing :

> - I am running bash and fixed some places where there was a /bin/sh to
> ./bin/bash.
> - Since Solaris 10 has no cc, I installed Sun Studio 12.2 and pointed the
> path of cc to ./opt/solstudio12.2/bin.
> I ran sh -x install.sh to see what is going on, and here is the problem: as
> it tried to compile, something is not right when it used the -Wall option.
>
> I am not much of a programmer (some basic), so I was wondering if anyone has
> seen this or maybe it is a simple fix.
>
> Thanks in advance
>
> Steve lushing
>
> FOLLOWING IS PART OF THE COMPILE THAT FAILED
>
>
> + echo 5- Installing the system
> 5- Installing the system
> + echo DIR="/var/ossec"
> + [ X = Xdebug ]
> + echo CEXTRA= -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
> + echo  - Running the Makefile
>  - Running the Makefile
> + cd ./src
> + [ X = X ]
> + make all
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/
>
>
>  *** Making cJSON (by Dave Gamble)  ***
> cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
> -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"cJSON\" -DOSSECHIDS -c
> cJSON.c
> cc: -W option with unknown program all
> *** Error code 1
> make: Fatal error: Command failed for target `libcJSON.a'
> Current working directory /export/home/netsml/ossec-
> hids-2.8.3/src/external/cJSON
>
> Error Making cJSON
> *** Error code 1
> The following command caused the error:
> /bin/bash ./Makeall all
> make: Fatal error: Command failed for target `all'
> + [ 1 != 0 ]
> + cd ../
> + catError 0x5-build
> FILE=0x5-build
> FILE_PATH=./etc/templates/en/errors/0x5-build.txt
> + isFile ./etc/templates/en/errors/0x5-build.txt
> FILE=./etc/templates/en/errors/0x5-build.txt
> + ls ./etc/templates/en/errors/0x5-build.txt
> + [ 0 = 0 ]
> + echo true
> + return 0
> + [ true = false ]
> + cat ./etc/templates/en/errors/0x5-build.txt
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
> + exit 1
>



Re: [ossec-list] cannot connect to ossec server on docker

2016-08-26 Thread Eero Volotinen
Try creating the client key with the correct IP address.

On 27.8.2016 at 12:35 a.m., "Ka-Hing Cheung" wrote:

> I have ossec server and agent running in two different docker images. The
> agent is not able to connect to the server:
>
>
> 2016/08/26 20:56:25 ossec-agentd: INFO: Trying to connect to server (ossec
> .domain/10.0.129.94:1514).
> 2016/08/26 20:56:25 ossec-agentd: INFO: Using IPv4 for: 10.0.129.94 .
> 2016/08/26 20:56:46 ossec-agentd(4101): WARN: Waiting for server reply (
> not started). Tried: 'ossec.domain/10.0.129.94'.
>
>
> There's no log on the server for the connection attempt. However, if I
> execute nc -u 10.0.129.94 1514 and send a random message, I see this in
> the server log:
>
>
> 2016/08/26 19:19:46 ossec-remoted(1213): WARN: Message from 172.17.42.1 not 
> allowed.
>
>
> 172.17.42.1 is the IP from the docker interface. I already have this in my
> server ossec.conf:
>
>
>
>  
>  127.0.0.1
>  10.0.0.0/16
>  172.17.0.0/16
>  
>
>  
>  secure
>  10.0.0.0/16
>  172.17.0.0/16
>  
>
>
> Any ideas?
>
> - Ka-Hing
>



Re: [ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread Eero Volotinen
Are you running out of network or disk speed?

Eero

On 20.7.2016 at 10:39 p.m., "eyal gershon" wrote:

> Hey Jose,
>
> There was no update or upgrade done.
> I performed the procedure you mentioned before but the results stayed the
> same.
>
> I have around 1600 servers and 400 who do not connect.
>
> Do you have any other idea on why this happens?
> Or any thing else I can test?
>
>
> On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz  wrote:
>
>> Hi Eyal,
>>
>>
>> This is a familiar problem that we have come across in the past as well. The
>> counter of the rids file can run out of sync if the manager and the
>> respective agent have trouble exchanging control messages.
>>
>> Have you perhaps reinstalled the manager or one of the agents recently?
>>
>> You can fix your problem by following the steps below:
>>
>>   1. On every agent:
>>      1. Stop ossec.
>>      2. Go to .../ossec/queue/rids (or ossec-agent/rids on Windows) and
>>         remove every file in there.
>>
>>   2. Go to the server:
>>      1. Stop ossec.
>>      2. Remove the rids file with the same name as the agent id that is
>>         reporting errors.
>>
>>   3. Restart the server.
>>
>>   4. Restart the agents.
>>
>> If you have reinstalled one of your machines recently, then we recommend
>> that you use the update option. Do not remove and reinstall the ossec
>> server, unless you plan to do the same for all agents.
>>
>> Just a heads up: please refrain from using the same agent key between
>> multiple agents, or the same agent key after you removed/re-installed an
>> agent.
>>
>>
>> Reference:
>> http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
>>
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> j...@wazuh.com
>>
>> On July 20, 2016 at 11:54:41 AM, eyal gershon (gershon...@gmail.com)
>> wrote:
>>
>> Hey Everyone,
>>
>> I am noticing some irregular activity in some of my OSSEC agents -
>>
>> A little bit about the system:
>>
>> My deployment is on ~2000 servers managed from a dedicated ossec manager.
>> I currently have ~1600 agents connected on a full basis and ~400 servers
>> that connect and disconnect all the time.
>>
>> All the ports are opened (confirmation with NC and telnet)
>>
>> On my management server I see the following error in the logs -
>>
>> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for
>> '**'.
>> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global:
>>
>>
>> I checked the /var/ossec/queue/rids and made sure there is only a single
>> entry in there and that entry is the same on both host and management.
>> I double-checked and also compared client.keys on both servers: same
>> key and same entry on both servers.
>>
>>
>> I did a key exchange manually between both servers just to make sure
>> Nothing was wrong in that section.
>> Same error.
>>
>>
>> Does anyone have an idea on how to continue?
>>



Re: [ossec-list] Solaris Compilation - Visibility

2016-07-20 Thread Eero Volotinen
Tried compiling ossec 2.8.3 under Solaris/x86 5.10 and it worked. None of
these messages are errors; they are just warnings.

Please provide complete output from compiling.

Eero

2016-07-19 22:28 GMT+03:00 Kumar Mg :

> Hi,
>
> We also have the agent compilation issue on the Solaris platform with the
> 2.8.3 version of the code. How can we fix the "Checking for
> attribute(visibility) support... No"?
>
> For the time being we updated the lua* conf to remove the warning
> message; however, the warnings below are still showing up.
>
>
> *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for shared library support...
> Building shared library libz.so.1.2.8 with /usr/sfw/bin/gcc.
> Checking for off64_t... Yes.
> Checking for fseeko... Yes.
> Checking for strerror... Yes.
> Checking for unistd.h... Yes.
> Checking for stdarg.h... Yes.
> Checking whether to use vs[n]printf() or s[n]printf()... using
> vs[n]printf().
> Checking for vsnprintf() in stdio.h... Yes.
> Checking for return value of vsnprintf()... Yes.
> Checking for attribute(visibility) support... No.
>
>
>
> *** Making monitord ***
>
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
> -lnsl -lresolv compress_log.c main.c manage_files.c monitor_agents.c
> monitord.c sign_log.c generate_reports.c ../os_maild/sendcustomemail.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-monitord
> generate_reports.c: In function `generate_reports':
> generate_reports.c:59: warning: int format, pid_t arg (arg 4)
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
> -lnsl -lresolv -UARGV0 -DARGV0=\"ossec-reportd\" report.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-reportd
>
>
> *** Making os_auth ***
>
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
> -lnsl -lresolv main-server.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o ossec-authd
> main-server.c: In function `ssl_error':
> main-server.c:53: warning: passing arg 1 of `SSL_get_error' discards
> qualifiers from pointer target type
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
> -lnsl -lresolv main-client.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o agent-auth
>
>
>
> If anyone can shed some light on this, that will be great.
>
>
> Thanks
> Kumar
>



Re: [ossec-list] Solaris Compilation - Visibility

2016-07-19 Thread Eero Volotinen
what is your solaris version, platform and gcc version?

this might be related to zlib..

Eero

2016-07-19 22:28 GMT+03:00 Kumar Mg :

> Hi,
>
> We also have the agent compilation issue on the Solaris platform with the
> 2.8.3 version of the code. How can we fix the "Checking for
> attribute(visibility) support... No"?
>
> For the time being we updated the lua* conf to remove the warning
> message; however, the warnings below are still showing up.
>
>
> *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for shared library support...
> Building shared library libz.so.1.2.8 with /usr/sfw/bin/gcc.
> Checking for off64_t... Yes.
> Checking for fseeko... Yes.
> Checking for strerror... Yes.
> Checking for unistd.h... Yes.
> Checking for stdarg.h... Yes.
> Checking whether to use vs[n]printf() or s[n]printf()... using
> vs[n]printf().
> Checking for vsnprintf() in stdio.h... Yes.
> Checking for return value of vsnprintf()... Yes.
> Checking for attribute(visibility) support... No.
>
>
>
> *** Making monitord ***
>
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
> -lnsl -lresolv compress_log.c main.c manage_files.c monitor_agents.c
> monitord.c sign_log.c generate_reports.c ../os_maild/sendcustomemail.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-monitord
> generate_reports.c: In function `generate_reports':
> generate_reports.c:59: warning: int format, pid_t arg (arg 4)
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-monitord\" -DOSSECHIDS -lsocket
> -lnsl -lresolv -UARGV0 -DARGV0=\"ossec-reportd\" report.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -o ossec-reportd
>
>
> *** Making os_auth ***
>
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
> -lnsl -lresolv main-server.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o ossec-authd
> main-server.c: In function `ssl_error':
> main-server.c:53: warning: passing arg 1 of `SSL_get_error' discards
> qualifiers from pointer target type
> /usr/sfw/bin/gcc -g -Wall -I../ -I../headers  -DCLIENT -DUSE_OPENSSL
> -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket
> -lnsl -lresolv main-client.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o agent-auth
>
>
>
> If anyone can shed some light on this, that will be great.
>
>
> Thanks
> Kumar
>



Re: [ossec-list] not able to send alert mail

2016-07-04 Thread Eero Volotinen
Use local smtp instead of it.

Eero
On 4.7.2016 at 10:43 a.m., "rvb n" wrote:

> Hi Friends,
>
> I am trying to send alert mail from my ossec server to googleapps mail but
> I could not make it. I'm getting the enclosed error.
>
> my smtp server is googleapp server
>
> os_sendmail(1767): WARN: End of DATA not accepted by server
> 2016/07/04 07:26:37 ossec-maild(1223): ERROR: Error Sending email to
> 74.125.192.27 (smtp server)
>
> Please help.
>
> Thanks
> Nit
>



Re: [ossec-list] Ransomware.

2016-06-07 Thread Eero Volotinen
Well. This is impossible. There is no way to see the difference between normal
file access and a virus encrypting all your files.

Eero
On 7.6.2016 at 6:31 p.m., "Nate" wrote:

> We currently have samba file servers, which of course log access and
> whatnot to the samba logs.
>
> I'm curious if I might be able to leverage ossec as a means to detect if a
> system is attempting to lock up one of our shares due to a ransomware
> infection.
>
> I could picture a rule that either detected a large amount of access from
> a single client, or maybe a file name match on different extensions and
> whatnot.  The idea would be to detect this behavior and then block the
> client before they get a chance to encrypt the share.
>
> Has anyone done something like this?  I'm curious if it might be possible.
>
>
> Thanks!
>



Re: [ossec-list] Ossec Over TCP

2016-05-05 Thread Eero Volotinen
well. tcp is not supported?

Eero

2016-05-05 9:02 GMT+03:00 Vani Paridhyani :

> Hi!
>
> I need to run ossec over tcp. I made below modifications:
>
> In server ossec.conf:
>
>   
>
> syslog
>
> 1515
>
> tcp
>
>   
>
>
> In client ossec.conf:
>
>
>   
>
> x.x.x.x
>
> 1515
>
>   
>
>
> Getting below error in client ossec.log
>
>
> ERROR: Unable to send message to server.
>
>
> PS: I am able to telnet to the server from the client on port 1515. Still
> this error.
>



Re: [ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Eero Volotinen
They are regexp operators: ^ is beginning of line and $ is end of line.

Eero
On 28.3.2016 at 10:11 p.m., "Rob B" wrote:

> PS. Almost forgot to add :
>
>   What  does this mean?   ^1000$|^1002$
>
> The "^" and the "$" before the pipe really have me perplexed.
>
> Thx.
>
>
>
> On Monday, March 28, 2016 at 3:07:30 PM UTC-4, Rob B wrote:
>>
>> Heya Folks,
>>
>>   I've been looking for the docs that explain the difference between the
>> use of the '|' and the ',' when specifying the id numbers within a rule. I
>> can't find anything that explains the use.
>>
>> Could someone explain to me the differences by way of use?  or provide a
>> link that I may have missed?
>>
>>
>>
>> Two arbitrary use case EXAMPLES of what I am after is:
>>
>> A.)  Within sid 18103, look for id 12345 followed by 12346, followed by
>> 12347
>> B.)  Within sid 18103, look for id 11234 and 11254
>>
>>
>> Thank you!
>>
>> R.B.
>>



Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Eero Volotinen
Please read docs and scripts used for this functionality. You need to
supply enable password too.
On 28.3.2016 at 2:15 p.m., "Yurii Shatylo" <yuriishat...@gmail.com> wrote:

> Did you mean I need to add a second line to .passlist with the same
> credentials for ENABLE mode?
>
> KR, Yurii
>
> 2016-03-28 14:10 GMT+03:00 Eero Volotinen <eero.voloti...@iki.fi>:
>
>> you need to supply both passwords to register_host.sh
>>
>> --
>> Eero
>>
>> 2016-03-28 14:04 GMT+03:00 Yurii Shatylo <yuriishat...@gmail.com>:
>>
>>> Hello,
>>>
>>> The Cisco settings are set up correctly because I manually log on to the ASA
>>> without any issues and run the command "show ran conf".
>>> Do you know which line has to be configured in the script? In the password list
>>> I have registered login and password with "register_host.sh" and I
>>> successfully authenticate (without ENABLE mode) when I start checking the
>>> script. I only have an issue with the ENABLE mode password.
>>>
>>> KR, Yurii
>>>
>>> 2016-03-28 13:57 GMT+03:00 Eero Volotinen <eero.voloti...@iki.fi>:
>>>
>>>> You need to configure correct enable password in cisco and script too.
>>>> (or to password list)
>>>>
>>>> --
>>>> Eero
>>>>
>>>> 2016-03-28 13:46 GMT+03:00 Yurii Shatylo <yuriishat...@gmail.com>:
>>>>
>>>>> Dear Colleagues,
>>>>>
>>>>> Some time ago I set up Cisco ASA agentless monitoring. After Brent's
>>>>> clarification I found out that I had missed some settings, which I
>>>>> successfully set up. When the settings were implemented I tried to check with the
>>>>> "./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1" command, but the
>>>>> result was unsuccessful. The first authentication level is OK, but when the
>>>>> script pushed the "enable" command I got an error:
>>>>>
>>>>>
>>>>>
>>>>> “*enable*
>>>>>
>>>>> *Password:*
>>>>>
>>>>> *Invalid password*
>>>>>
>>>>> *Password: ERROR: Incorrect enable password to remote host:
>>>>> ishatylo@192.168.0.1 <ishatylo@192.168.0.1>* “
>>>>>
>>>>>
>>>>>
>>>>> I guess it is connected with some missing information in the script, or
>>>>> maybe something else. Could you please help me?
>>>>>
>>>>> Thank you in advance.
>>>>>
>>>>> KR, Yurii
>>>>>
>>>>> 2016-03-26 18:21 GMT+02:00 Yurii Shatylo <yuriishat...@gmail.com>:
>>>>>
>>>>>> Hi Brent!
>>>>>>
>>>>>> I have provided the authentication information following the document. As
>>>>>> the result I got:
>>>>>>
>>>>>> *Host ishatylo@192.168.1.1 added
>>>>>>
>>>>>> After that I started ./ssh_asa-fwsmconfig_diff ishatylo@192.168.1.1
>>>>>> but got an error:
>>>>>>
>>>>>> ERROR: Password list not present (use "register_host" first)
>>>>>>
>>>>>> Do you know how to fix it?
>>>>>>
>>>>>> Yurii
>>>>>>
>>>>>>
>>>>>> On Thursday, March 17, 2016 at 5:21:35 PM UTC+2, Brent Morris wrote:
>>>>>>
>>>>>>> Hi Yurii,
>>>>>>>
>>>>>>> Did you use the register_host.sh script as documented at
>>>>>>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html
>>>>>>> ?  If so, there should be a file called .passlist in the
>>>>>>> /var/ossec/agentless folder.  Open that file and ensure the information is
>>>>>>> correct.
>>>>>>>
>>>>>>> You can test your agentless with this method.
>>>>>>>
>>>>>>> Be sure your current working directory is /var/ossec:
>>>>>>>
>>>>>>> pwd
>>>>>>> /var/ossec
>>>>>>>
>>>>>>> From there:
>>>>>>>
>>>>>>> ./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1
>>>>>>>
>>>>>>> Check the output and see where the trouble is.
>>

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Eero Volotinen
You need to supply both passwords to register_host.sh.

--
Eero

2016-03-28 14:04 GMT+03:00 Yurii Shatylo <yuriishat...@gmail.com>:

> Hello,
>
> The Cisco settings are set up correctly, because I can log on to the ASA manually
> without any issues and run the command "show ran conf".
> Do you know which line has to be configured in the script? In the password list I
> have registered the login and password with "*register_host.sh*", and I successfully
> authenticate (without ENABLE mode) when I start checking with the script. I only
> have an issue with the ENABLE mode password.
>
> KR, Yurii
>
> 2016-03-28 13:57 GMT+03:00 Eero Volotinen <eero.voloti...@iki.fi>:
>
>> You need to configure the correct enable password in Cisco and in the script too
>> (or in the password list).
>>
>> --
>> Eero
>>
>> 2016-03-28 13:46 GMT+03:00 Yurii Shatylo <yuriishat...@gmail.com>:
>>
>>> Dear Colleagues,
>>>
>>> Some time ago I set up Cisco ASA agentless monitoring. After Brent's
>>> clarification I found out that I had missed some settings, which I then
>>> successfully set up. When the settings were implemented I tried to check with the
>>> "./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1" command, but the
>>> result was unsuccessful. The first authentication level is OK, but when the
>>> script pushed the "enable" command I got this error:
>>>
>>>
>>>
>>> “*enable*
>>>
>>> *Password:*
>>>
>>> *Invalid password*
>>>
>>> *Password: ERROR: Incorrect enable password to remote host:
>>> ishatylo@192.168.0.1 <ishatylo@192.168.0.1>* “
>>>
>>>
>>>
>>> I guess it is connected with some missing information in the script, or maybe
>>> something else. Could you please help me?
>>>
>>> Thank you in advance.
>>>
>>> KR, Yurii
>>>
>>> 2016-03-26 18:21 GMT+02:00 Yurii Shatylo <yuriishat...@gmail.com>:
>>>
>>>> Hi Brent!
>>>>
>>>> I have provided the authentication information following the document. As the
>>>> result I got:
>>>>
>>>> *Host ishatylo@192.168.1.1 added
>>>>
>>>> After that I started ./ssh_asa-fwsmconfig_diff ishatylo@192.168.1.1 but
>>>> got an error:
>>>>
>>>> ERROR: Password list not present (use "register_host" first)
>>>>
>>>> Do you know how to fix it?
>>>>
>>>> Yurii
>>>>
>>>>
>>>> On Thursday, March 17, 2016 at 5:21:35 PM UTC+2, Brent Morris wrote:
>>>>
>>>>> Hi Yurii,
>>>>>
>>>>> Did you use the register_host.sh script as documented at
>>>>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html
>>>>> ?  If so, there should be a file called .passlist in the
>>>>> /var/ossec/agentless folder.  Open that file and ensure the information is
>>>>> correct.
>>>>>
>>>>> You can test your agentless with this method.
>>>>>
>>>>> Be sure your current working directory is /var/ossec:
>>>>>
>>>>> pwd
>>>>> /var/ossec
>>>>>
>>>>> From there:
>>>>>
>>>>> ./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1
>>>>>
>>>>> Check the output and see where the trouble is.
>>>>>
>>>>> Hope this helps!!!
>>>>>
>>>>> -Brent
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, March 16, 2016 at 8:24:29 AM UTC-7, Yurii Shatylo wrote:
>>>>>>
>>>>>> Dear Colleagues,
>>>>>>
>>>>>> Could you give me a hand with my issue?
>>>>>> I've put the credentials into *ssh_asa-fwsmconfig_diff* and as the
>>>>>> result I've got (2016/03/16 11:29:13 ossec-agentlessd: INFO: Test passed
>>>>>> for 'ssh_asa-fwsmconfig_diff'). After that I deleted an ACL on the Cisco ASA,
>>>>>> but nothing happened. It seems like the script which produces the difference is
>>>>>> not working.
>>>>>> *There is my general config file:*
>>>>>>
>>>>>> 
>>>>>>   ssh_asa-fwsmconfig_diff
>>>>>>   300
>>>>>>   user...@192.168.0.1
>>>>>>   periodic_diff

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Eero Volotinen
You need to configure the correct enable password in Cisco and in the script too
(or in the password list).

--
Eero

2016-03-28 13:46 GMT+03:00 Yurii Shatylo :

> Dear Colleagues,
>
> Some time ago I set up Cisco ASA agentless monitoring. After Brent's
> clarification I found out that I had missed some settings, which I then
> successfully set up. When the settings were implemented I tried to check with the
> "./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1" command, but the
> result was unsuccessful. The first authentication level is OK, but when the
> script pushed the "enable" command I got this error:
>
>
>
> “*enable*
>
> *Password:*
>
> *Invalid password*
>
> *Password: ERROR: Incorrect enable password to remote host:
> ishatylo@192.168.0.1 * “
>
>
>
> I guess it is connected with some missing information in the script, or maybe
> something else. Could you please help me?
>
> Thank you in advance.
>
> KR, Yurii
>
> 2016-03-26 18:21 GMT+02:00 Yurii Shatylo :
>
>> Hi Brent!
>>
>> I have provided the authentication information following the document. As the
>> result I got:
>>
>> *Host ishatylo@192.168.1.1 added
>>
>> After that I started ./ssh_asa-fwsmconfig_diff ishatylo@192.168.1.1 but
>> got an error:
>>
>> ERROR: Password list not present (use "register_host" first)
>>
>> Do you know how to fix it?
>>
>> Yurii
>>
>>
>> On Thursday, March 17, 2016 at 5:21:35 PM UTC+2, Brent Morris wrote:
>>
>>> Hi Yurii,
>>>
>>> Did you use the register_host.sh script as documented at
>>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html
>>> ?  If so, there should be a file called .passlist in the
>>> /var/ossec/agentless folder.  Open that file and ensure the information is
>>> correct.
>>>
>>> You can test your agentless with this method.
>>>
>>> Be sure your current working directory is /var/ossec:
>>>
>>> pwd
>>> /var/ossec
>>>
>>> From there:
>>>
>>> ./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1
>>>
>>> Check the output and see where the trouble is.
>>>
>>> Hope this helps!!!
>>>
>>> -Brent
>>>
>>>
>>>
>>>
>>>
>>> On Wednesday, March 16, 2016 at 8:24:29 AM UTC-7, Yurii Shatylo wrote:

 Dear Colleagues,

 Could you give me a hand with my issue?
 I've put the credentials into *ssh_asa-fwsmconfig_diff* and as the
 result I've got (2016/03/16 11:29:13 ossec-agentlessd: INFO: Test passed
 for 'ssh_asa-fwsmconfig_diff'). After that I deleted an ACL on the Cisco ASA,
 but nothing happened. It seems like the script which produces the difference is
 not working.
 *There is my general config file:*

 
   ssh_asa-fwsmconfig_diff
   300
   user...@192.168.0.1
   periodic_diff
 

 *Thank you in advance.*
 *Yurii*

>
>
> --
> Best regards,
> Yurii
>



Re: [ossec-list] Facing error while installing ossec agent in Centos 7

2016-03-19 Thread Eero Volotinen
You need to install gcc on your system.
On 19 Mar 2016 at 2:33 p.m., "ROSHIN SARATH.S" wrote:

> I tried to install the OSSEC agent (OSSEC HIDS v2.8) on CentOS 7 but am getting
> an error in the final stage.
> The error is below:
>
> 5- Installing the system
>  - Running the Makefile
> ./Makeall: line 127: cc: command not found
> ./Makeall: line 128: ./isbigendian: No such file or directory
> INFO: Little endian set.
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> make[1]: Entering directory `/home/admin/ossec-hids-2.8.1/src/external'
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for gcc...
> Compiler error reporting is too harsh for ./configure (perhaps remove
> -Werror).
> ** ./configure aborting.
> make[2]: Entering directory
> `/home/admin/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[2]: *** No rule to make target `libz.a'.  Stop.
> make[2]: Leaving directory
> `/home/admin/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[1]: *** [libz.a] Error 2
> make[1]: Leaving directory `/home/admin/ossec-hids-2.8.1/src/external'
>
> Error Making zlib
> make: *** [all] Error 1
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
> Please help me with this.
>
>



Re: [ossec-list] important questions on CDB lists

2016-03-18 Thread Eero Volotinen
Err, you must be joking? Try googling 'CDB'.

Eero
On 18 Mar 2016 at 9:42 p.m., "theresa mic-snare" wrote:

> ehlo *,
>
> I have an important question about CDB lists, as I'm just researching for
> my thesis on OSSEC.
> Yes, I've read the documentation on readthedocs; maybe I'm too daft to
> understand it.
>
> what I have done so far:
>
> I've created a file called "baddomains" in /var/ossec/lists/
> content is from zeustracker (
> https://zeustracker.abuse.ch/blocklist.php?download=baddomains)
>
> I've added the list in the  section
> lists/baddomains
>
> I've run
>   # bin/ossec-makelists
>
>
> I'm not quite sure what the purpose of the CDB lists is: should a rule
> fire as soon as one of those domains (content of baddomains) is attacking
> me?!
> I don't think I've yet understood the positive/negative key match of it.
>
> can someone please explain it to me with a real-life example?
>
> Also, what does CDB stand for? I haven't found that in the OSSEC docs
> either.
> Common database? Central database?!
>
> thanks,
> theresa
>
>

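Added example (an editor's illustration, not code from the thread and not OSSEC's own code): a small Python model of what a CDB list does inside a rule. CDB here is D. J. Bernstein's constant database, the read-only key/value file that ossec-makelists builds from the plain "key:value" text list. A rule then tests one decoded field of an event against that file, for instance <list field="url" lookup="match_key">lists/baddomains</list>. The list therefore does not watch for domains "attacking" you: it fires only when a decoder has extracted a field (a URL or hostname from a proxy or DNS log, say) whose value is a key in the list. match_key is the positive lookup, not_match_key the negative one, and match_key_value additionally checks the key's stored value against a regex. The sample list, the events and the field name url are constructed for this illustration, and the dict stands in for the real cdb library.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the text form ossec-makelists compiles into a .cdb:
# one "key:value" pair per line, value optional (a blocklist feed is usually keys only).
BADDOMAINS_TXT = """\
# constructed sample, not the real zeustracker feed
evil.example.com:zeus
c2.example.net:zeus
mirror.example.org:
"""

# Constructed decoded events, as a decoder would hand them to the rule engine.
EVENTS = [
    {"id": 1, "url": "evil.example.com"},
    {"id": 2, "url": "www.example.com"},
    {"id": 3, "url": "mirror.example.org"},
    {"id": 4, "srcip": "10.0.0.5"},  # no "url" field extracted at all
]


def load_list(text: str) -> Dict[str, str]:
    """Parse the key:value text list (stand-in for reading the compiled .cdb)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def list_matches(entries: Dict[str, str], field_value: Optional[str],
                 lookup: str = "match_key", check_value: Optional[str] = None) -> bool:
    """One <list field=... lookup=...> test.
    match_key       (positive): fire when the field's value is a key in the list
    not_match_key   (negative): fire when the field is present but NOT a key
    match_key_value           : key present and its stored value matches check_value
    A field the decoder did not extract never matches, in either direction: a rule
    cannot test what it does not have."""
    if field_value is None:
        return False
    present = field_value in entries
    if lookup == "match_key":
        return present
    if lookup == "not_match_key":
        return not present
    if lookup == "match_key_value":
        return (present and check_value is not None
                and re.search(check_value, entries[field_value]) is not None)
    raise ValueError(f"unknown lookup type: {lookup}")


def alert_ids(events: List[dict], entries: Dict[str, str], field: str,
              lookup: str = "match_key", check_value: Optional[str] = None) -> List[int]:
    """IDs of the events a rule carrying this <list> test would fire on."""
    return [e["id"] for e in events
            if list_matches(entries, e.get(field), lookup, check_value)]


if __name__ == "__main__":
    bad = load_list(BADDOMAINS_TXT)
    print("match_key      ->", alert_ids(EVENTS, bad, "url", "match_key"))
    print("not_match_key  ->", alert_ids(EVENTS, bad, "url", "not_match_key"))
    print("match_key_value->", alert_ids(EVENTS, bad, "url", "match_key_value", "^zeus$"))
```

Event 4 shows the part that usually confuses people: a log line that never yields a url field fires neither the positive nor the negative lookup, so a not_match_key rule is not a catch-all for "anything not on my list".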


Re: [ossec-list] Re: OSSEC compilation error on 5.3 AIX

2016-03-15 Thread Eero Volotinen
Well. You must be joking. Get one.

--
Eero

2016-03-15 18:44 GMT+02:00 Aymen Belkhiria <belkhiria.ay...@gmail.com>:

> The issue is that I don't have a test environment.
>
> BR
>
> On Tuesday, March 15, 2016 at 2:15:50 PM UTC+1, Eero Volotinen wrote:
>>
>> Compile on test host and copy binaries to production host..
>>
>> Eero
>> On 15 Mar 2016 at 3:04 p.m., "Aymen Belkhiria" <belkhir...@gmail.com> wrote:
>>
>>> Hi there,
>>>>
>>>
>>> I have to install OSSEC on AIX 5.3. Do you have a precompiled OSSEC
>>> agent version? Were you able to compile it?
>>> The issue is that the server is in production and the client doesn't
>>> accept installing gcc on it.
>>>
>>> Please advise?
>>>



Re: [ossec-list] Re: OSSEC compilation error on 5.3 AIX

2016-03-15 Thread Eero Volotinen
Compile on a test host and copy the binaries to the production host.

Eero
On 15 Mar 2016 at 3:04 p.m., "Aymen Belkhiria" wrote:

> Hi there,
>>
>
> I have to install OSSEC on AIX 5.3. Do you have a precompiled OSSEC agent
> version? Were you able to compile it?
> The issue is that the server is in production and the client doesn't
> accept installing gcc on it.
>
> Please advise?
>



Re: [ossec-list] OSSEC Server Backup & Restore Procedure

2016-02-24 Thread Eero Volotinen
Just shut down the server and pack the /var/ossec directory and the init scripts
into a tarball? Restoring is just unpacking the tarball into the correct directory.

--
Eero

2016-02-25 7:56 GMT+02:00 :

> Hi Team,
>
> Can someone tell me how to take a backup of, and restore, OSSEC 2.8.3?
>
>
> Regards
> Vipin Hooda
>



Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
Is this working on your OSSEC server:

echo foo | mail youremail@yourdomain -s 'test'

Could you give an example of your mail configuration?

Eero

2016-02-24 9:00 GMT+02:00 Fredrik <fredrik.ke...@gmail.com>:

> Thanks Eero!
>
> Anything specific to look for that could conflict with this particular
> alert? Mail alerts seem to be working fine for other rules.
>
> I checked the mail.info for anything obvious, but couldn't see anything
> suspicious at a first glance...
>
> Best regards,
> Fredrik
>
> On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>>
>> Please check your mail server configuration?
>>
>> 2016-02-24 8:28 GMT+02:00 Fredrik <fredri...@gmail.com>:
>>
>>> Thanks Santiago, please find more details below.
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> Yes, I see the alert written to alerts.log (I pulled the alert below out
>>> of the archive from yesterday) and email alerts are working for other
>>> rules. I also restarted OSSEC, but to no avail. Strange!
>>>
>>> ossec-alerts-23.log.gz:
>>> Rule: 100130 (level 12) -> 'SCEP malware alert' Feb 23 20:37:00 ossec-svr
>>> SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-
>>> 1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013
>>> 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\
>>> cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>
>>> ossec.conf:
>>>  
>>>1
>>>7
>>>  
>>>
>>>
>>>
>>>
>>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett
>>> wrote:
>>>>
>>>> Did you say other alerts are triggering emails correctly? Everything
>>>> looks good to me, but here are some questions that might help troubleshoot
>>>> the problem.
>>>>
>>>> Do you see the alert in alerts.log file?
>>>> Have you configured other global email settings?
>>>> What is your email_alerts_level?
>>>>
>>>>
>>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <fredri...@gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Another question for all you OSSEC gurus. I have another rule set up
>>>>> to handle messages in a somewhat strange format (below). I would like this
>>>>> to ultimately trigger an email alert, which is working for other rules.
>>>>>
>>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com
>>>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection
>>>>> time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\
>>>>> LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine
>>>>> Succeeded
>>>>>
>>>>> I see that an alert is written to alerts.log, and ossec-logtest
>>>>> finished processing with **Alert to be generated. However, no email is
>>>>> sent?
>>>>>
>>>>> 
>>>>>
>>>>>MSSCEP
>>>>>alert_by_email
>>>>>SCEP malware alert
>>>>>   
>>>>> 
>>>>>
>>>>> As I wasn't sure how best to extract fields from the message above,
>>>>> the decoder simply matches on ; please feel free to suggest
>>>>> variants to decode the message and make use of the fields available in
>>>>> OSSEC. Perhaps my failure to do so has something to do with the
>>>>> missing email alert?
>>>>>
>>>>> 
>>>>>   SCEP
>>>>>   syslog
>>>>> 
>>>>>
>>>>>
>>>>> Finally, output from ossec-logtest:
>>>>>
>>>>> **Phase 1: Completed pre-decoding.
>>>>>full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware
>>>>> alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of
>>>>> infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM
>>>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>>>> Quarantine Succeeded'
>>>>>hostname: 'ossec-srv'
>>>>>program_name: 'SCEP'
>>>>>log: 'Malware alert: client2.domain.com
>>>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detec

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
Please check your mail server configuration?

2016-02-24 8:28 GMT+02:00 Fredrik :

> Thanks Santiago, please find more details below.
>
> Best regards,
> Fredrik
>
> Yes, I see the alert written to alerts.log (I pulled the alert below out of
> the archive from yesterday) and email alerts are working for other rules. I
> also restarted OSSEC, but to no avail. Strange!
>
> ossec-alerts-23.log.gz:
> Rule: 100130 (level 12) -> 'SCEP malware alert' Feb 23 20:37:00 ossec-svr
> SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar
> Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41
> AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\
> 748789-14f29c54 Quarantine Succeeded
>
> ossec.conf:
>  
>1
>7
>  
>
>
>
>
> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett
> wrote:
>>
>> Did you say other alerts are triggering emails correctly? Everything
>> looks good to me, but here are some questions that might help troubleshoot
>> the problem.
>>
>> Do you see the alert in alerts.log file?
>> Have you configured other global email settings?
>> What is your email_alerts_level?
>>
>>
>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik  wrote:
>>
>>> Hi All,
>>>
>>> Another question for all you OSSEC gurus. I have another rule set up to
>>> handle messages in a somewhat strange format (below). I would like this to
>>> ultimately trigger an email alert, which is working for other rules.
>>>
>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com
>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection
>>> time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\
>>> LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine
>>> Succeeded
>>>
>>> I see that an alert is written to alerts.log, and ossec-logtest finished
>>> processing with **Alert to be generated. However, no email is sent?
>>>
>>> 
>>>
>>>MSSCEP
>>>alert_by_email
>>>SCEP malware alert
>>>   
>>> 
>>>
>>> As I wasn't sure how best to extract fields from the message above, the
>>> decoder simply matches on ; please feel free to suggest
>>> variants to decode the message and make use of the fields available in
>>> OSSEC. Perhaps my failure to do so has something to do with the
>>> missing email alert?
>>>
>>> 
>>>   SCEP
>>>   syslog
>>> 
>>>
>>>
>>> Finally, output from ossec-logtest:
>>>
>>> **Phase 1: Completed pre-decoding.
>>>full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware
>>> alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of
>>> infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM
>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>> Quarantine Succeeded'
>>>hostname: 'ossec-srv'
>>>program_name: 'SCEP'
>>>log: 'Malware alert: client2.domain.com
>>> Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection
>>> time(UTC time): 8/5/2013 10:42:41 AM
>>> file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
>>> Quarantine Succeeded'
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'MSSCEP'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>Rule id: '100130'
>>>Level: '12'
>>>Description: 'SCEP malware alert'
>>> **Alert to be generated.
>>>
>>> Best regards,
>>> Fredrik
>>>
>>

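Added example (an editor's illustration, not code from the thread and not OSSEC's own code): a Python decoder for the SCEP line Fredrik posted, pulling out the fields a proper decoder would carry (client, threat name, infection count, detection time, quarantined path, action) instead of matching on program_name alone, plus a simplified model of the email gating the thread is circling around. The model is an assumption stated here, not OSSEC's code: an alert is mailed when global email notification is on, the rule does not carry no_email_alert, and either its level reaches email_alert_level or it carries alert_by_email. It deliberately ignores email_maxperhour and granular email_alerts blocks, which is exactly the point: under the posted settings (rule 100130 at level 12 with alert_by_email, email_alert_level 7) the rule is expected to mail, so the fault is downstream, in ossec-maild or the MTA, as Eero's mail test probes. The sample line is constructed from the one in the thread with the user name changed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample, modelled on the line posted in the thread (user name changed).
SAMPLE_LINE = (
    "Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 "
    "Last detection time(UTC time): 8/5/2013 10:42:41 AM "
    r"file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 "
    "Quarantine Succeeded"
)

# Pre-decoding, like ossec-logtest's phase 1: timestamp, hostname, program_name[pid]: log
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# Field extraction for the SCEP "Malware alert" body. The Windows path is matched
# greedily so a path containing spaces still works; the action is the final two words.
SCEP_RE = re.compile(
    r"^Malware alert: (?P<client>\S+) (?P<threat>\S+) Number of infections: (?P<count>\d+) "
    r"Last detection time\(UTC time\): (?P<when>.+?) file:_(?P<path>.+) (?P<action>\S+ \S+)$"
)


@dataclass
class ScepEvent:
    hostname: str
    program_name: str
    client: str
    threat: str
    infections: int
    detected: str
    path: str
    action: str


def decode_scep(line: str) -> Optional[ScepEvent]:
    """Decoded fields for a SCEP malware alert, or None when the line is not one.
    A decoder should fail closed on anything it does not fully understand."""
    head = SYSLOG_RE.match(line)
    if head is None or head.group("prog") != "SCEP":
        return None
    body = SCEP_RE.match(head.group("log"))
    if body is None:
        return None
    return ScepEvent(
        hostname=head.group("host"),
        program_name=head.group("prog"),
        client=body.group("client"),
        threat=body.group("threat"),
        infections=int(body.group("count")),
        detected=body.group("when"),
        path=body.group("path"),
        action=body.group("action"),
    )


def would_email(rule_level: int, rule_options: Set[str], email_alert_level: int,
                email_notification: bool = True) -> bool:
    """Simplified model (an assumption for this example, not OSSEC's code) of when an
    alert is handed to ossec-maild: global notification on, no no_email_alert on the
    rule, and either level >= <email_alert_level> or the rule carries alert_by_email.
    email_maxperhour and granular <email_alerts> blocks are intentionally not modelled."""
    if not email_notification or "no_email_alert" in rule_options:
        return False
    return rule_level >= email_alert_level or "alert_by_email" in rule_options


if __name__ == "__main__":
    print(decode_scep(SAMPLE_LINE))
    print("rule 100130 expected to mail:", would_email(12, {"alert_by_email"}, 7))
```

If decode_scep returns the fields and would_email says True for the posted settings, the analysis side is not where the email is lost; check ossec-maild in ossec.log and the MTA's own log next.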


Re: [ossec-list] ERROR: Incorrectly formated message

2016-02-02 Thread Eero Volotinen
Is the key incorrect? Try deleting the old key and re-adding the agent?
On 2 Feb 2016 at 6:41 p.m., "Robert" wrote:

> Hi,
>
> I already removed and re-added one of my agents to the OSSEC server
> (following this guide
> 
> ), but still get *ossec-remoted(1403): ERROR: Incorrectly formated
> message from '192.168.8.43'*.
> I have no clue why this is not working. I am using version 2.8.3 (server
> and agent).
> As far as I checked, the client information on the server and on the client is
> the same.
>
> Do you have any idea what the heck is wrong?
>
> Thanks, Robert
>



Re: [ossec-list] Re: Global Mail limit

2016-01-29 Thread Eero Volotinen
Well, why is there such a low limit without a #define INT_MAX_VALUE YY?

It should be something like (Mail->maxperhour > INT_MAX_VALUE)?




--
Eero

2016-01-28 16:22 GMT+02:00 :

> Hi,
>
> I found that limit, and it's hardcoded in the function Read_Global(), in
> src/config/global-config.c
>
> if ((Mail->maxperhour <= 0) || (Mail->maxperhour > )) {
> merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
> return (OS_INVALID);
> }
>
> You may increase this limit as you need it and recompile your OSSEC
> manager, but there's no way to use a greater number of emails by modifying
> a config file.
>
> I hope this will help you.
>
> Best regards.
>



Re: [ossec-list] Re: Global Mail limit

2016-01-29 Thread Eero Volotinen
Well, how about still using some #define MAX_VALUE for that?

2016-01-29 20:47 GMT+02:00 Daniel Cid <daniel@gmail.com>:

> I added this limit early on to prevent a flood of emails in case of a
> config mistake or an attack.
>
> Plus, operationally speaking, I doubt any team can realistically handle
> and investigate more than 10,000+ emails in an hour :)
>
> thanks,
>
>
>
>
>
> On Fri, Jan 29, 2016 at 1:16 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
>> Well, why is there such a low limit without a #define INT_MAX_VALUE YY?
>>
>> It should be something like (Mail->maxperhour > INT_MAX_VALUE)?
>>
>>
>>
>>
>> --
>> Eero
>>
>> 2016-01-28 16:22 GMT+02:00 <vic...@wazuh.com>:
>>
>>> Hi,
>>>
>>> I found that limit, and it's hardcoded in the function Read_Global(), in
>>> src/config/global-config.c
>>>
>>> if ((Mail->maxperhour <= 0) || (Mail->maxperhour > )) {
>>> merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
>>> return (OS_INVALID);
>>> }
>>>
>>> You may increase this limit as you need it and recompile your OSSEC
>>> manager, but there's no way to use a greater number of emails by modifying
>>> a config file.
>>>
>>> I hope this will help you.
>>>
>>> Best regards.
>>>
>>
>



Re: [ossec-list] Global Mail limit

2016-01-28 Thread Eero Volotinen
So, you are sending over  in one hour?

Changing that requires a patch and recompiling the OSSEC server.

--
Eero

2016-01-28 11:10 GMT+02:00 Lionel Caignec :

> Hi,
>
> I use OSSEC to monitor all server activity in my enterprise, including
> creation/modification of files.
>
> I forward to each sysadmin (configured in ossec.conf) all alerts from their
> servers.
>
> Today I face a problem: I have many servers which generate mail alerts, and
> the global mail restriction (max ) is not enough.
> Is it possible to disable this limit, or is it hardcoded?
>
> Thanks for help.
>



Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-18 Thread Eero Volotinen
The path of the as binary, not /var/ossec.

Eero

On Wed, 18 November 2015 at 19:39, Edward <ecanmas...@gmail.com> wrote:

> rpm -qf /var/ossec
> file /var/ossec is not owned by any package
>
>
>
> On Wednesday, November 18, 2015 at 6:34:44 PM UTC+1, Eero Volotinen wrote:
>
>> What is the output of 'which as' on the server where OSSEC works?
>>
>> What is the output of rpm -qf `which as`, or rpm -qf /path/to/as, on the server
>> where it works?
>>
>> --
>> Eero
>>
>>
>>
>> 2015-11-18 19:15 GMT+02:00 Edward <ecanm...@gmail.com>:
>>
>>> I did install this package and still have the same issue.
>>>
>>>
>>> Might be the compiler is missing critical components.
>>> I am getting lost in this issue.
>>>
>>> On Wednesday, November 18, 2015 at 6:04:17 PM UTC+1, Eero Volotinen
>>> wrote:
>>>>
>>>> Well,
>>>>
>>>> you need to install the C++ development tools.
>>>>
>>>> see url:
>>>> http://serverfault.com/questions/437680/equivalent-development-build-tools-for-suse-professional-11
>>>>
>>>> I think the package name is 'Basis-Devel'
>>>>
>>>> and zypper install --type pattern Basis-Devel
>>>>
>>>> should install the files needed to compile OSSEC.
>>>>
>>>> Note that I have not used SLES for years, so the command might work or not.
>>>>
>>>> --
>>>> Eero
>>>>
>>>>
>>>>
>>>> 2015-11-18 18:39 GMT+02:00 Edward <ecanm...@gmail.com>:
>>>>
>>>>> Hello Eero,
>>>>>
>>>>> Thank you for the effort and sorry for the late reply.
>>>>> How did you manage to get the requirements?
>>>>> I checked this against another server with the same sles11 sp1 and not
>>>>> all were found, but ossec is installed on this one and working.
>>>>> This is getting real frustrating, I need to know what exactly is going
>>>>> wrong.
>>>>> any help would be much appreciated
>>>>>
>>>>>
>>>>>
>>>>> On Monday, November 16, 2015 at 8:52:15 PM UTC+1, Eero Volotinen wrote:
>>>>>>
>>>>>> Well, I extracted buildrequirements from source packages and they
>>>>>> look like this:
>>>>>>
>>>>>> BuildRequires:  coreutils
>>>>>> BuildRequires:  zlib-devel-static
>>>>>> BuildRequires:  zlib-devel
>>>>>> BuildRequires:  glibc-devel
>>>>>> BuildRequires:  openssl-devel
>>>>>> BuildRequires:  mysql-devel
>>>>>> BuildRequires:  postgresql-devel
>>>>>> BuildRequires:  update-alternatives
>>>>>> BuildRequires:  apache2-devel
>>>>>> BuildRequires:  systemd
>>>>>>
>>>>>> So, you should install them and after that you should be able to
>>>>>> compile ossec from sources.
>>>>>>
>>>>>> --
>>>>>> Eero
>>>>>>
>>>>>> 2015-11-16 16:33 GMT+02:00 Edward <ecanm...@gmail.com>:
>>>>>>
>>>>>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>>>>>> running the ./install.sh I get this error:
>>>>>>>
>>>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>>>>
>>>>>>> I did install make and gcc-c++ , but I have the feeling I am missing
>>>>>>> packages
>>>>>>> in /var/log/messages I don't see any logs regarding ossec
>>>>>>>
>>>>>>> here is the complete error:
>>>>>>>
>>>>>>> 5- Installing the system
>>>>>>>  - Running the Makefile
>>>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>>>>>> INFO: Little endian set.
>>>>>>>
>>>>>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>>>>>> make[1]: Entering 

Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-18 Thread Eero Volotinen
well, I extracted it from src.rpm spec file.

--
Eero

2015-11-18 18:39 GMT+02:00 Edward <ecanmas...@gmail.com>:

> Hello Eero,
>
> Thank you for the effort and sorry for the late reply.
> How did you manage to get the requirements?
> I checked this against another server with the same sles11 sp1 and not all
> were found, but ossec is installed on this one and working.
> This is getting real frustrating, I need to know what exactly is going
> wrong.
> any help would be much appreciated
>
>
>
> On Monday, November 16, 2015 at 8:52:15 PM UTC+1, Eero Volotinen wrote:
>>
>> Well, I extracted buildrequirements from source packages and they look
>> like this:
>>
>> BuildRequires:  coreutils
>> BuildRequires:  zlib-devel-static
>> BuildRequires:  zlib-devel
>> BuildRequires:  glibc-devel
>> BuildRequires:  openssl-devel
>> BuildRequires:  mysql-devel
>> BuildRequires:  postgresql-devel
>> BuildRequires:  update-alternatives
>> BuildRequires:  apache2-devel
>> BuildRequires:  systemd
>>
>> So, you should install them and after that you should be able to compile
>> ossec from sources.
>>
>> --
>> Eero
>>
>> 2015-11-16 16:33 GMT+02:00 Edward <ecanm...@gmail.com>:
>>
>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>> running the ./install.sh I get this error:
>>>
>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>
>>> I did install make and gcc-c++ , but I have the feeling I am missing
>>> packages
>>> in /var/log/messages I don't see any logs regarding ossec
>>>
>>> here is the complete error:
>>>
>>> 5- Installing the system
>>>  - Running the Makefile
>>> cc: error trying to exec 'as': execvp: No such file or directory
>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>> INFO: Little endian set.
>>>
>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
>>> cd zlib-1.2.8/; ./configure; make libz.a;
>>> Checking for gcc...
>>> Compiler error reporting is too harsh for ./configure (perhaps remove
>>> -Werror).
>>> ** ./configure aborting.
>>> make[2]: Entering directory
>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>> make[2]: *** No rule to make target `libz.a'.  Stop.
>>> make[2]: Leaving directory
>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>> make[1]: *** [libz.a] Error 2
>>> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>>>
>>> Error Making zlib
>>> make: *** [all] Error 1
>>>
>>>  Error 0x5.
>>>  Building error. Unable to finish the installation.
>>>
>>>
>>>


Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-18 Thread Eero Volotinen
Well,

you need to install c++ development tools.

see url:
http://serverfault.com/questions/437680/equivalent-development-build-tools-for-suse-professional-11

I think package name is 'Basis-Devel'

and zypper install --type pattern Basis-Devel

should install needed files to compile ossec..

Note that I have not used sles for years, so command might work or not..

--
Eero



2015-11-18 18:39 GMT+02:00 Edward <ecanmas...@gmail.com>:

> Hello Eero,
>
> Thank you for the effort and sorry for the late reply.
> How did you manage to get the requirements?
> I checked this against another server with the same sles11 sp1 and not all
> were found, but ossec is installed on this one and working.
> This is getting real frustrating, I need to know what exactly is going
> wrong.
> any help would be much appreciated
>
>
>
> On Monday, November 16, 2015 at 8:52:15 PM UTC+1, Eero Volotinen wrote:
>>
>> Well, I extracted buildrequirements from source packages and they look
>> like this:
>>
>> BuildRequires:  coreutils
>> BuildRequires:  zlib-devel-static
>> BuildRequires:  zlib-devel
>> BuildRequires:  glibc-devel
>> BuildRequires:  openssl-devel
>> BuildRequires:  mysql-devel
>> BuildRequires:  postgresql-devel
>> BuildRequires:  update-alternatives
>> BuildRequires:  apache2-devel
>> BuildRequires:  systemd
>>
>> So, you should install them and after that you should be able to compile
>> ossec from sources.
>>
>> --
>> Eero
>>
>> 2015-11-16 16:33 GMT+02:00 Edward <ecanm...@gmail.com>:
>>
>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>> running the ./install.sh I get this error:
>>>
>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>
>>> I did install make and gcc-c++ , but I have the feeling I am missing
>>> packages
>>> in /var/log/messages I don't see any logs regarding ossec
>>>
>>> here is the complete error:
>>>
>>> 5- Installing the system
>>>  - Running the Makefile
>>> cc: error trying to exec 'as': execvp: No such file or directory
>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>> INFO: Little endian set.
>>>
>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
>>> cd zlib-1.2.8/; ./configure; make libz.a;
>>> Checking for gcc...
>>> Compiler error reporting is too harsh for ./configure (perhaps remove
>>> -Werror).
>>> ** ./configure aborting.
>>> make[2]: Entering directory
>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>> make[2]: *** No rule to make target `libz.a'.  Stop.
>>> make[2]: Leaving directory
>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>> make[1]: *** [libz.a] Error 2
>>> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>>>
>>> Error Making zlib
>>> make: *** [all] Error 1
>>>
>>>  Error 0x5.
>>>  Building error. Unable to finish the installation.
>>>
>>>
>>>


Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-18 Thread Eero Volotinen
what is output of which as on server that ossec works?

what is output of rpm -qf `which as` or rpm -qf /path/to/as on server that
it works.

--
Eero



2015-11-18 19:15 GMT+02:00 Edward <ecanmas...@gmail.com>:

> I did install this package and still the same issue
>
>
> might be the compiler is missing critical components
> I am getting lost in this issue
>
> On Wednesday, November 18, 2015 at 6:04:17 PM UTC+1, Eero Volotinen wrote:
>>
>> Well,
>>
>> you need to install c++ development tools.
>>
>> see url:
>> http://serverfault.com/questions/437680/equivalent-development-build-tools-for-suse-professional-11
>>
>> I think package name is 'Basis-Devel'
>>
>> and zypper install --type pattern Basis-Devel
>>
>> should install needed files to compile ossec..
>>
>> Note that I have not used sles for years, so command might work or not..
>>
>> --
>> Eero
>>
>>
>>
>> 2015-11-18 18:39 GMT+02:00 Edward <ecanm...@gmail.com>:
>>
>>> Hello Eero,
>>>
>>> Thank you for the effort and sorry for the late reply.
>>> How did you manage to get the requirements?
>>> I checked this against another server with the same sles11 sp1 and not
>>> all were found, but ossec is installed on this one and working.
>>> This is getting real frustrating, I need to know what exactly is going
>>> wrong.
>>> any help would be much appreciated
>>>
>>>
>>>
>>> On Monday, November 16, 2015 at 8:52:15 PM UTC+1, Eero Volotinen wrote:
>>>>
>>>> Well, I extracted buildrequirements from source packages and they look
>>>> like this:
>>>>
>>>> BuildRequires:  coreutils
>>>> BuildRequires:  zlib-devel-static
>>>> BuildRequires:  zlib-devel
>>>> BuildRequires:  glibc-devel
>>>> BuildRequires:  openssl-devel
>>>> BuildRequires:  mysql-devel
>>>> BuildRequires:  postgresql-devel
>>>> BuildRequires:  update-alternatives
>>>> BuildRequires:  apache2-devel
>>>> BuildRequires:  systemd
>>>>
>>>> So, you should install them and after that you should be able to
>>>> compile ossec from sources.
>>>>
>>>> --
>>>> Eero
>>>>
>>>> 2015-11-16 16:33 GMT+02:00 Edward <ecanm...@gmail.com>:
>>>>
>>>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>>>> running the ./install.sh I get this error:
>>>>>
>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>>
>>>>> I did install make and gcc-c++ , but I have the feeling I am missing
>>>>> packages
>>>>> in /var/log/messages I don't see any logs regarding ossec
>>>>>
>>>>> here is the complete error:
>>>>>
>>>>> 5- Installing the system
>>>>>  - Running the Makefile
>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>>>> INFO: Little endian set.
>>>>>
>>>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>>>> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
>>>>> cd zlib-1.2.8/; ./configure; make libz.a;
>>>>> Checking for gcc...
>>>>> Compiler error reporting is too harsh for ./configure (perhaps remove
>>>>> -Werror).
>>>>> ** ./configure aborting.
>>>>> make[2]: Entering directory
>>>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>>>> make[2]: *** No rule to make target `libz.a'.  Stop.
>>>>> make[2]: Leaving directory
>>>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>>>> make[1]: *** [libz.a] Error 2
>>>>> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>>>>>
>>>>> Error Making zlib
>>>>> make: *** [all] Error 1
>>>>>
>>>>>  Error 0x5.
>>>>>  Building error. Unable to finish the installation.
>>>>>
>>>>>
>>>>>

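The checks Eero asks for in the message above (`which as`, `rpm -qf \`which as\``) plus the headers implied by the BuildRequires list, gathered into one preflight script you can run before `./install.sh`. This is an added example, not code from OSSEC or from anyone in the thread: the tool list is taken from what `cc` execs (the error shows it failing on `as`), the header list is an assumption drawn from the zlib-devel, openssl-devel and glibc-devel build requirements, and the `-x c` probe assumes GCC.

```shell
#!/bin/sh
# Preflight for building OSSEC from source (added example, not part of OSSEC).
# install.sh delegates to cc, which execs the assembler (`as`) and linker (`ld`);
# "cc: error trying to exec 'as'" means cc is installed but the assembler is not
# on PATH. On SUSE, as and ld ship in the binutils package, not in gcc.

OSSEC_BUILD_TOOLS="cc as ld make"
# Assumed from the BuildRequires list in the thread (glibc-devel, zlib-devel, openssl-devel).
OSSEC_BUILD_HEADERS="stdio.h zlib.h openssl/ssl.h"

# have_tool NAME -> exit 0 if NAME resolves on PATH, 1 otherwise
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# owner_of PATH -> the rpm package owning PATH, or "unpackaged"
# (the `rpm -qf \`which as\`` check suggested in the thread)
owner_of() {
    pkg=$(rpm -qf "$1" 2>/dev/null) && echo "$pkg" || echo "unpackaged"
}

# have_header NAME -> exit 0 if the preprocessor can find <NAME>
# (feeds a one-line probe to cc on stdin; -x c is GCC syntax)
have_header() {
    printf '#include <%s>\n' "$1" | cc -E -x c - >/dev/null 2>&1
}

# missing_tools "a b c" -> prints the names that are not on PATH, one per line
missing_tools() {
    for t in $1; do
        have_tool "$t" || echo "$t"
    done
}

# missing_headers "a.h b.h" -> prints the headers the compiler cannot find
missing_headers() {
    for h in $1; do
        have_header "$h" || echo "$h"
    done
}

# preflight -> prints a report; exit 0 only when nothing is missing
preflight() {
    rc=0
    for t in $OSSEC_BUILD_TOOLS; do
        if have_tool "$t"; then
            p=$(command -v "$t")
            echo "ok       $t -> $p ($(owner_of "$p"))"
        else
            echo "MISSING  $t"        # on SUSE: zypper install binutils for as/ld
            rc=1
        fi
    done
    if have_tool cc; then
        for h in $(missing_headers "$OSSEC_BUILD_HEADERS"); do
            echo "MISSING  <$h>"     # install the matching *-devel package
            rc=1
        done
    fi
    return $rc
}

# Run the report only when invoked as `sh ossec-preflight.sh check`, so the
# functions can also be sourced from another script without side effects.
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it as `sh ossec-preflight.sh check` on the host that fails and on the host where OSSEC already builds; the `owner_of` column tells you which package supplied `as` on the working host, which is the name to install on the broken one.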

Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-16 Thread Eero Volotinen
I think assembler 'as' is missing.
16.11.2015 4.41 pm "Edward"  wrote:

> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when running
> the ./install.sh I get this error:
>
> cc: error trying to exec 'as': execvp: No such file or directory
>
> I did install make and gcc-c++ , but I have the feeling I am missing
> packages
> in /var/log/messages I don't see any logs regarding ossec
>
> here is the complete error:
>
> 5- Installing the system
>  - Running the Makefile
> cc: error trying to exec 'as': execvp: No such file or directory
> ./Makeall: line 128: ./isbigendian: No such file or directory
> INFO: Little endian set.
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for gcc...
> Compiler error reporting is too harsh for ./configure (perhaps remove
> -Werror).
> ** ./configure aborting.
> make[2]: Entering directory `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[2]: *** No rule to make target `libz.a'.  Stop.
> make[2]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[1]: *** [libz.a] Error 2
> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>
> Error Making zlib
> make: *** [all] Error 1
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
>


Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-16 Thread Eero Volotinen
Well, i am not so familiar with suse package manager.

http://software.opensuse.org/package/ossec-hids

Maybe that repo provides the needed packages?

Eero
16.11.2015 6.38 pm "Edward" <ecanmas...@gmail.com> wrote:

> I see what you mean, I already searched for "as" before sending my post.
> There is no "as" package. Probably it is named something else? I really do
> think I am missing a package because I had also issues sometime ago with
> other servers and
> at the end it was installing the correct packages. It seems the ossec
> software from the official website is not made for SLES and that's why I
> have all these issues.
> what is also annoying is that there is nothing in /var/log/messages , is
> there some debug function as to why the installer is not working?
>
>
> On Monday, November 16, 2015 at 5:26:56 PM UTC+1, Eero Volotinen wrote:
>>
>> Well, using package manager? It depends on distribution. Usually you can
>> use package manager search functionality to find out name of package.
>>
>> Eero
>> 16.11.2015 6.23 pm "Edward" <ecanm...@gmail.com> wrote:
>>
>>> and how do I install this assembler ?
>>>
>>> On Monday, November 16, 2015 at 5:00:30 PM UTC+1, Eero Volotinen wrote:
>>>>
>>>> I think assembler 'as' is missing.
>>>> 16.11.2015 4.41 pm "Edward" <ecanm...@gmail.com> wrote:
>>>>
>>>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>>>> running the ./install.sh I get this error:
>>>>>
>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>>
>>>>> I did install make and gcc-c++ , but I have the feeling I am missing
>>>>> packages
>>>>> in /var/log/messages I don't see any logs regarding ossec
>>>>>
>>>>> here is the complete error:
>>>>>
>>>>> 5- Installing the system
>>>>>  - Running the Makefile
>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>>>> INFO: Little endian set.
>>>>>
>>>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>>>> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
>>>>> cd zlib-1.2.8/; ./configure; make libz.a;
>>>>> Checking for gcc...
>>>>> Compiler error reporting is too harsh for ./configure (perhaps remove
>>>>> -Werror).
>>>>> ** ./configure aborting.
>>>>> make[2]: Entering directory
>>>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>>>> make[2]: *** No rule to make target `libz.a'.  Stop.
>>>>> make[2]: Leaving directory
>>>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>>>> make[1]: *** [libz.a] Error 2
>>>>> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>>>>>
>>>>> Error Making zlib
>>>>> make: *** [all] Error 1
>>>>>
>>>>>  Error 0x5.
>>>>>  Building error. Unable to finish the installation.
>>>>>
>>>>>
>>>>>


Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-16 Thread Eero Volotinen
Well, using package manager? It depends on distribution. Usually you can
use package manager search functionality to find out name of package.

Eero
16.11.2015 6.23 pm "Edward" <ecanmas...@gmail.com> wrote:

> and how do I install this assembler ?
>
> On Monday, November 16, 2015 at 5:00:30 PM UTC+1, Eero Volotinen wrote:
>>
>> I think assembler 'as' is missing.
>> 16.11.2015 4.41 pm "Edward" <ecanm...@gmail.com> wrote:
>>
>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>> running the ./install.sh I get this error:
>>>
>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>
>>> I did install make and gcc-c++ , but I have the feeling I am missing
>>> packages
>>> in /var/log/messages I don't see any logs regarding ossec
>>>
>>> here is the complete error:
>>>
>>> 5- Installing the system
>>>  - Running the Makefile
>>> cc: error trying to exec 'as': execvp: No such file or directory
>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>> INFO: Little endian set.
>>>
>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
>>> cd zlib-1.2.8/; ./configure; make libz.a;
>>> Checking for gcc...
>>> Compiler error reporting is too harsh for ./configure (perhaps remove
>>> -Werror).
>>> ** ./configure aborting.
>>> make[2]: Entering directory
>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>> make[2]: *** No rule to make target `libz.a'.  Stop.
>>> make[2]: Leaving directory
>>> `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
>>> make[1]: *** [libz.a] Error 2
>>> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>>>
>>> Error Making zlib
>>> make: *** [all] Error 1
>>>
>>>  Error 0x5.
>>>  Building error. Unable to finish the installation.
>>>
>>>
>>>


Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-16 Thread Eero Volotinen
You installed wrong package. src.rpm is source package.

you need to install correct package:

http://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/i586/ossec-hids-2.8.1-1.1.i586.rpm
is for 32bit architecture
and
http://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/x86_64/ossec-hids-2.8.1-1.1.x86_64.rpm
for 64bit architecture.

please install the correct version..

--
Eero

2015-11-16 19:09 GMT+02:00 Edward <ecanmas...@gmail.com>:

> nevermind, the package has not been installed and probably its not for
> sles11sp1:
>
> rpm -q ossec-hids-2.8.1-1.1.src.rpm
> package ossec-hids-2.8.1-1.1.src.rpm is not installed
>
>
>
>
> On Monday, November 16, 2015 at 6:03:27 PM UTC+1, Edward wrote:
>>
>> Thx for the link, I have already seen that one, but this version is
>> unstable and also for sles 11 sp3 , I have sp1
>> anyway, I did install the rpm package...
>>
>> rpm -Uhv ossec-hids-2.8.1-1.1.src.rpm
>> warning: ossec-hids-2.8.1-1.1.src.rpm: Header V3 DSA signature: NOKEY,
>> key ID ee454f98
>>1:ossec-hids ###
>> [100%]
>>
>>
>> so it has been installed it, but I don't see the installation... don't
>> see the ossec directory being installed
>> package doesn't seem to be working
>>
>>
>>
>> On Monday, November 16, 2015 at 5:42:00 PM UTC+1, Eero Volotinen wrote:
>>>
>>> Well, i am not so familiar with suse package manager.
>>>
>>> http://software.opensuse.org/package/ossec-hids
>>>
>>> Maybe that repo providers needed packages?
>>>
>>> Eero
>>> 16.11.2015 6.38 pm "Edward" <ecanm...@gmail.com> wrote:
>>>
>>>> I see what you mean, I already searched for "as" before sending my post.
>>>> There is no "as" package. Probably it is named something else? I really
>>>> do think I am missing a package because I had also issues sometime ago with
>>>> other servers and
>>>> at the end it was installing the correct packages. It seems the ossec
>>>> software from the official website is not made for SLES and that's why I
>>>> have all these issues.
>>>> what is also annoying is that there is nothing in /var/log/messages ,
>>>> is there some debug function as to why the installer is not working?
>>>>
>>>>
>>>> On Monday, November 16, 2015 at 5:26:56 PM UTC+1, Eero Volotinen wrote:
>>>>>
>>>>> Well, using package manager? It depends on distribution. Usually you
>>>>> can use package manager search functionality to find out name of package.
>>>>>
>>>>> Eero
>>>>> 16.11.2015 6.23 pm "Edward" <ecanm...@gmail.com> wrote:
>>>>>
>>>>>> and how do I install this assembler ?
>>>>>>
>>>>>> On Monday, November 16, 2015 at 5:00:30 PM UTC+1, Eero Volotinen
>>>>>> wrote:
>>>>>>>
>>>>>>> I think assembler 'as' is missing.
>>>>>>> 16.11.2015 4.41 pm "Edward" <ecanm...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when
>>>>>>>> running the ./install.sh I get this error:
>>>>>>>>
>>>>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>>>>>
>>>>>>>> I did install make and gcc-c++ , but I have the feeling I am
>>>>>>>> missing packages
>>>>>>>> in /var/log/messages I don't see any logs regarding ossec
>>>>>>>>
>>>>>>>> here is the complete error:
>>>>>>>>
>>>>>>>> 5- Installing the system
>>>>>>>>  - Running the Makefile
>>>>>>>> cc: error trying to exec 'as': execvp: No such file or directory
>>>>>>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>>>>>>> INFO: Little endian set.
>>>>>>>>
>>>>>>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>>>>>>> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
>>>>>>>> cd zlib-1.2.8/; ./configure; make libz.a;
>>>>>>>> Checking for gcc...
>>>>>>>> Compiler error rep

Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-16 Thread Eero Volotinen
well, package name does not contain 'x86_64.rpm'

rpm -q ossec-hids should be enough. or rpm -qa |grep ossec to find out
package name.

Eero

2015-11-16 19:36 GMT+02:00 Edward <ecanmas...@gmail.com>:

> thx Eero,
>
> I did realize that and did get the correct package:
> rpm -Uhv ossec-hids-2.8.1-1.1.x86_64.rpm
> warning: ossec-hids-2.8.1-1.1.x86_64.rpm: Header V3 DSA signature: NOKEY,
> key ID ee454f98
> Preparing...###
> [100%]
> package ossec-hids-2.8.1-1.1.x86_64 is already installed
>
>
> but when i search for rpm i get:
>
>  rpm -q  ossec-hids-2.8.1-1.1.x86_64.rpm
> package ossec-hids-2.8.1-1.1.x86_64.rpm is not installed
>
> I checked the directories and /var/ossec has not being created
>
> it doesn't look like it has been installed
>
>
>
> On Monday, November 16, 2015 at 6:29:26 PM UTC+1, Eero Volotinen wrote:
>>
>> You installed wrong package. src.rpm is source package.
>>
>> you need to install correct package:
>>
>>
>> http://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/i586/ossec-hids-2.8.1-1.1.i586.rpm
>> is for 32bit architecture
>> and
>> http://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/x86_64/ossec-hids-2.8.1-1.1.x86_64.rpm
>> for 64bit architecture.
>>
>> please install the correct version..
>>
>> --
>> Eero
>>
>> 2015-11-16 19:09 GMT+02:00 Edward <ecanm...@gmail.com>:
>>
>>> nevermind, the package has not been installed and probably its not for
>>> sles11sp1:
>>>
>>> rpm -q ossec-hids-2.8.1-1.1.src.rpm
>>> package ossec-hids-2.8.1-1.1.src.rpm is not installed
>>>
>>>
>>>
>>>
>>> On Monday, November 16, 2015 at 6:03:27 PM UTC+1, Edward wrote:
>>>>
>>>> Thx for the link, I have already seen that one, but this version is
>>>> unstable and also for sles 11 sp3 , I have sp1
>>>> anyway, I did install the rpm package...
>>>>
>>>> rpm -Uhv ossec-hids-2.8.1-1.1.src.rpm
>>>> warning: ossec-hids-2.8.1-1.1.src.rpm: Header V3 DSA signature: NOKEY,
>>>> key ID ee454f98
>>>>1:ossec-hids ###
>>>> [100%]
>>>>
>>>>
>>>> so it has been installed it, but I don't see the installation... don't
>>>> see the ossec directory being installed
>>>> package doesn't seem to be working
>>>>
>>>>
>>>>
>>>> On Monday, November 16, 2015 at 5:42:00 PM UTC+1, Eero Volotinen wrote:
>>>>>
>>>>> Well, i am not so familiar with suse package manager.
>>>>>
>>>>> http://software.opensuse.org/package/ossec-hids
>>>>>
>>>>> Maybe that repo providers needed packages?
>>>>>
>>>>> Eero
>>>>> 16.11.2015 6.38 pm "Edward" <ecanm...@gmail.com> wrote:
>>>>>
>>>>>> I see what you mean, I already searched for "as" before sending my
>>>>>> post.
>>>>>> There is no "as" package. Probably it is named something else? I
>>>>>> really do think I am missing a package because I had also issues sometime
>>>>>> ago with other servers and
>>>>>> at the end it was installing the correct packages. It seems the ossec
>>>>>> software from the official website is not made for SLES and that's why I
>>>>>> have all these issues.
>>>>>> what is also annoying is that there is nothing in /var/log/messages ,
>>>>>> is there some debug function as to why the installer is not working?
>>>>>>
>>>>>>
>>>>>> On Monday, November 16, 2015 at 5:26:56 PM UTC+1, Eero Volotinen
>>>>>> wrote:
>>>>>>>
>>>>>>> Well, using package manager? It depends on distribution. Usually you
>>>>>>> can use package manager search functionality to find out name of 
>>>>>>> package.
>>>>>>>
>>>>>>> Eero
>>>>>>> 16.11.2015 6.23 pm "Edward" <ecanm...@gmail.com> wrote:
>>>>>>>
>>>>>>>> and how do I install this assembler ?
>>>>>>>>
>>>>>>>> On Monday, November 16, 2015 at 5:00:30 PM UTC+1, Eero Volotinen
>>>>>>>

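The `rpm -Uhv` output quoted in the message above carries the warning `Header V3 DSA signature: NOKEY, key ID ee454f98`: rpm could not find the signing key, so it installed the package without verifying the signature and the package contents were never authenticated. The script below is an added example, not part of the thread, of OSSEC or of SUSE tooling; it classifies `rpm -K` output and refuses to install a package whose signature did not verify. The sample `rpm -K` lines are constructed to mirror the rpm 4.x wording and are an assumption to check against the rpm version on your host.

```shell
#!/bin/sh
# Gate an rpm install on a verified signature (added example, not OSSEC/SUSE code).
# A "NOKEY" warning from rpm -Uhv means the signature was skipped, not checked.

# Constructed sample lines in the shape rpm 4.x prints (assumption; verify locally).
SAMPLE_NOKEY='ossec-hids-2.8.1-1.1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#ee454f98)'
SAMPLE_OK='ossec-hids-2.8.1-1.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='ossec-hids-2.8.1-1.1.x86_64.rpm: sha1 md5 OK'
SAMPLE_BAD='ossec-hids-2.8.1-1.1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK'

# sig_verdict LINE -> prints one of: ok, nokey, bad, unsigned
#   ok       a public-key (pgp/gpg) signature verified against an imported key
#   nokey    rpm has no key for the signer, so nothing was verified
#   bad      digest or signature mismatch
#   unsigned only digests were checked; the package carries no signature
sig_verdict() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*)              echo nokey ;;
        *"NOT OK"*)                            echo bad ;;
        *[Pp][Gg][Pp]*OK*|*[Gg][Pp][Gg]*OK*)   echo ok ;;
        *OK*)                                  echo unsigned ;;
        *)                                     echo bad ;;
    esac
}

# verify_rpm FILE -> exit 0 only if rpm -K reports a verified public-key signature
verify_rpm() {
    # rpm -K exits non-zero on NOT OK; we classify its text instead of its status
    line=$(rpm -K "$1" 2>&1) || true
    v=$(sig_verdict "$line")
    echo "$1: $v"
    [ "$v" = ok ]
}

# install_verified FILE -> rpm -Uhv only after verify_rpm passes
install_verified() {
    if verify_rpm "$1"; then
        rpm -Uhv "$1"
    else
        echo "refusing to install $1: import the repository key (rpm --import KEYFILE)," \
             "re-run rpm -K, and install only when it reports OK with a pgp/gpg signature" >&2
        return 1
    fi
}

# Usage: sh rpm-verify-install.sh install PACKAGE.rpm
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    install_verified "$2"
fi
```

The important case is `unsigned`: `rpm -K` prints `OK` for a package that merely has intact digests, so grepping for the word OK is not enough; the verdict is `ok` only when a pgp/gpg signature appears on the line and no NOT OK or MISSING KEYS marker does.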
Re: [ossec-list] OSSEC installation error cc: error trying to exec 'as': execvp

2015-11-16 Thread Eero Volotinen
Well, I extracted buildrequirements from source packages and they look like
this:

BuildRequires:  coreutils
BuildRequires:  zlib-devel-static
BuildRequires:  zlib-devel
BuildRequires:  glibc-devel
BuildRequires:  openssl-devel
BuildRequires:  mysql-devel
BuildRequires:  postgresql-devel
BuildRequires:  update-alternatives
BuildRequires:  apache2-devel
BuildRequires:  systemd

So, you should install them and after that you should be able to compile
ossec from sources.

--
Eero

2015-11-16 16:33 GMT+02:00 Edward :

> I am trying to install ossec agent (2.8.1) on sles 11 sp1 and when running
> the ./install.sh I get this error:
>
> cc: error trying to exec 'as': execvp: No such file or directory
>
> I did install make and gcc-c++, but I have the feeling I am missing
> packages.
> In /var/log/messages I don't see any logs regarding ossec.
>
> here is the complete error:
>
> 5- Installing the system
>  - Running the Makefile
> cc: error trying to exec 'as': execvp: No such file or directory
> ./Makeall: line 128: ./isbigendian: No such file or directory
> INFO: Little endian set.
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> make[1]: Entering directory `/tmp/ossec-hids-2.8.1/src/external'
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for gcc...
> Compiler error reporting is too harsh for ./configure (perhaps remove
> -Werror).
> ** ./configure aborting.
> make[2]: Entering directory `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[2]: *** No rule to make target `libz.a'.  Stop.
> make[2]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[1]: *** [libz.a] Error 2
> make[1]: Leaving directory `/tmp/ossec-hids-2.8.1/src/external'
>
> Error Making zlib
> make: *** [all] Error 1
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Ossec Client 2.8.3 Detect As Malware

2015-11-11 Thread Eero Volotinen
Try using the VirusTotal scanning service. That is possibly a false positive.

Eero
On 11.11.2015 at 2.48 pm,  wrote:

> Guys
>
> I downloaded the ossec client 2.8.3 and received a warning message: The file
> has a malware: BehavesLike.Win32.Dropper.tc
> I use McAfee Web Gateway 7.6.0 in my environment.
> Could it be a false positive? Has anyone had the same behavior?
> sha 256 Hash File: 93CD29B4C676E61304BFBE10E554D1AA011ABF91
>
>
> Regards
>
> Gus
>


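Besides a second opinion from VirusTotal, a practitioner in Gus's position would compare the downloaded installer against the checksum published with the release, which settles the question independently of any AV verdict. The following Python is an added example, not OSSEC's own tooling or code from the thread: it streams a file through hashlib, infers which algorithm a published hex digest came from by its length (32 hex digits for MD5, 40 for SHA-1, 64 for SHA-256, 128 for SHA-512), and reports whether the file matches. The sample file contents are constructed inline; the digest-length table and the placeholder payload are mine.

```python
import hashlib
import os
import tempfile

# Hex digest length -> hashlib algorithm name (assumed table, not from OSSEC).
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def algorithm_for_digest(hexdigest):
    """Infer the hash algorithm from the length of a published hex digest.

    Returns None when the value is not a hex string of a known digest size,
    so a mislabelled or truncated checksum is caught before any comparison.
    """
    value = hexdigest.strip()
    try:
        int(value, 16)
    except ValueError:
        return None
    return DIGEST_LENGTHS.get(len(value))


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large installers never need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest):
    """Compare a downloaded file against a published digest.

    Returns (matches, algorithm, actual_digest). The comparison is
    case-insensitive because vendors publish digests in either case.
    """
    algorithm = algorithm_for_digest(published_digest)
    if algorithm is None:
        raise ValueError("published value is not a recognised hex digest")
    actual = file_digest(path, algorithm)
    return actual == published_digest.strip().lower(), algorithm, actual


def demo():
    """Write a constructed 'installer' to a temp file and verify it both ways."""
    payload = b"constructed sample installer bytes, not a real OSSEC release\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        path = tmp.name
    try:
        good = hashlib.sha256(payload).hexdigest()
        ok, algo, _ = verify_download(path, good.upper())   # upper-case published digest
        bad, _, _ = verify_download(path, "0" * 64)         # wrong digest of the right length
        return ok, algo, bad
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The algorithm inference is the useful part when a checksum is pasted without saying how it was made: the 40-hex-digit value quoted in the thread, for instance, has the length of a SHA-1 digest and would be compared as such rather than silently mismatching a SHA-256 computation.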

Re: [ossec-list] sending email through existing smtp server

2015-11-08 Thread Eero Volotinen
You should use a local postfix to relay mails.

Eero
On 7.11.2015 at 10.55 pm,  wrote:

> Hi all,
>
> I recently installed OSSEC 2.8.1 on a Debian machine, and I really don't
> understand how this email setup works. My config file looks like this:
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>myem...@gmail.com</email_to>
>   <smtp_server>alt2.gmail-smtp-in.l.google.com</smtp_server>
>   <email_from>myem...@gmail.com</email_from>
> </global>
>
> I got the impression that this is all you have to do to get it to work.
> But I get the following errors in the log:
> WARN: End of DATA not accepted by server
> ERROR: Error Sending email to [gmail server ip] (smtp server)
>
> When I look this up, no one has a clear response. For some people, this
> works! For others, they had no choice but to make their own smtp server.
> I'm concerned about all the possible security risks that come with making
> my own smtp server, so I was hoping this would handle it for me. Is this
> possible? Do I need to put in a key somewhere? Or is something like ssmtp
> or postfix the only way to go?
>
> Thanks!
>



Re: [ossec-list] Create an alert for NTP offset

2015-11-04 Thread Eero Volotinen
You should use Nagios for this kind of check.

Eero
On 4.11.2015 at 6.08 pm, "Robert Micallef"  wrote:

> Hi,
>
> I was wondering if anyone can help me configure a decoder and subsequently
> an alert for when the NTP offset becomes too high. For security reasons I
> had to configure a server to retrieve the time from outside and then all
> other servers retrieve the time from this first server. The problem is
> after a couple of months one or two servers will go out of sync by minutes.
> I tried to resolve the issue but can't figure out why NTP sometimes doesn't
> work well on some systems with basically the same configuration. So I am
> close to giving up on NTP.
>
> Anyway I was wondering if I can create an alert then so I can manually fix
> the problem when it happens. The problem is I don't know how to create a
> decoder for this. The command ntpq -pn gives out the output:
>
>  remote   refid  st t when poll reach   delay   offset  jitter
> ==
>  10.55.11.213   91.121.169.203 u  840 102400.765  -1972.3  0.000
>
> Since the values change I don't know how to just get the offset and for
> instance alert us if it is over 1500 like in this case. For instance the
> poll is 840 now so 3 digits but will soon be 2 digits so I don't know how
> to have a decoder for that. And some numbers might have decimal points at
> one point and not have at another point.
>
> Another command which could work is ntpstat which gives the output:
> synchronised to unspecified at stratum 4
>time correct to within 16875 ms
>polling server every 1024 s
>
> This I could create a decoder for but the output is so inaccurate that
> this is useless.
>
> Does anyone know how this can be done please?
>
> Thanks,
> Robert
>


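Robert's difficulty is extracting the offset column when the width of the when/poll columns changes and numbers may or may not carry a decimal point. Whether the check ends up in Nagios or in OSSEC, the parsing step is the same, and the Python below is an added example of it, not OSSEC's decoder or anything posted in the thread. It splits each peer line on whitespace and reads the offset as the second-to-last field, so column widths never matter, and it flags any peer whose absolute offset exceeds the 1500 ms threshold Robert mentions. The sample output is constructed after the line he quoted; the stratum and reach columns were lost from the quote, so the values 4 and 377 are placeholders, as is the second and third peer. Run as a script it executes `ntpq -pn` on the host and prints one alert line per offending peer, which is the kind of output OSSEC's command log format (`<log_format>command</log_format>` inside a `<localfile>` block) can collect and match with an ordinary rule.

```python
import subprocess

# Constructed sample modelled on the `ntpq -pn` line quoted in the thread.
# st=4 and reach=377 are placeholders (those columns were lost from the quote);
# the offset of -1972.3 ms is the thread's. Peers 2 and 3 are made up.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.55.11.213    91.121.169.203   4 u  840 1024  377    0.765  -1972.3   0.000
*10.55.11.214    91.121.169.203   4 u   12   64  377    0.512      3.2   0.100
+10.55.11.215    .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

OFFSET_THRESHOLD_MS = 1500.0          # the limit suggested in the thread
TALLY_CODES = "*+-#x.o"               # ntpq peer-selection marks in column one


def parse_ntpq_peers(text):
    """Return [(remote, tally, offset_ms)] for each peer line of `ntpq -pn` output.

    Fields are split on whitespace and the offset is read as the second-to-last
    field, so the width of when/poll and the presence of decimal points are
    irrelevant. Header, separator and malformed lines are skipped.
    """
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or stripped.startswith("="):
            continue
        tally = stripped[0] if stripped[0] in TALLY_CODES else " "
        fields = (stripped[1:] if tally != " " else stripped).split()
        if len(fields) < 10:
            continue                      # not a peer line in the expected shape
        try:
            offset = float(fields[-2])
        except ValueError:
            continue                      # unparsable offset: skip, do not alert on garbage
        peers.append((fields[0], tally, offset))
    return peers


def offset_alerts(text, threshold_ms=OFFSET_THRESHOLD_MS):
    """One alert string per peer whose absolute offset exceeds threshold_ms."""
    return [
        f"ntp-offset-alert: peer {remote} offset {offset:.1f} ms exceeds {threshold_ms:.0f} ms"
        for remote, _tally, offset in parse_ntpq_peers(text)
        if abs(offset) > threshold_ms
    ]


if __name__ == "__main__":
    # On a real host, feed the live output; fall back to the sample if ntpq is absent.
    try:
        output = subprocess.run(["ntpq", "-pn"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        output = SAMPLE_NTPQ
    for alert in offset_alerts(output):
        print(alert)
```

Because the alert line has a fixed prefix and the peer address and offset as plain fields, it is far easier to decode and threshold than the raw `ntpq` table itself; the variable-width problem is solved in the script, not in a decoder regex.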

Re: [ossec-list] Re: Ossec agent error

2015-11-04 Thread Eero Volotinen
Well, you said that the server is located at .200. It isn't, according to this log.
On 4.11.2015 at 12.58 pm, "Reinaldo Fernandes" 
wrote:

> Shouldn't I receive a "connected successfully" instead of this warning?
>
> I found this and it's says that the agent is having issues to connect to
> the server:
>
> *The following log messages may appear in the ossec.log file on an agent
> when it is having issues connecting to a manager:*
>
> 2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for permission...
> 2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.10.134.241'.
> 2011/11/13 18:05:26 ossec-agent: INFO: Trying to connect to server (10.10.134.241:1514).
> 2011/11/13 18:05:26 ossec-agent: INFO: Using IPv4 for: 10.10.134.241 .
> 2011/11/13 18:05:47 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.10.134.241'.
>
>



Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Eero Volotinen
Are you trying to execute the log file?

You need to run "sudo tail filename", not "sudo filename".

Eero
On 3.11.2015 at 5.40 pm, "Reinaldo Fernandes" 
wrote:

> Hi dan,
> I did now:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entries in the logs as before:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>



Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Eero Volotinen
sudo tail -f /path/to/filename

Eero
On 3.11.2015 at 6.26 pm, "Reinaldo Fernandes" 
wrote:

>
> Can you provide me the correct command to run??
> Thank you
>



Re: [ossec-list] Ossec agent error

2015-11-03 Thread Eero Volotinen
This is a firewall issue. Disable the local firewall on the ossec server.

Eero

On Tuesday 3 November 2015, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> Hello,
>
>
>
> My name is Reinaldo Fernandes and I’m contacting you regarding the Ossec
> solution
>
> I have been trying to deploy this in our environment (Windows mainly) but
> the agent is not able to communicate with the Ossec server (they are both
> on the same VLAN, no firewall between).
>
>
>
> *This is the error: *
>
>
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (
> 172.20.21.43:1514).
>
>
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
>
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '172.20.21.43'.
>
>
>
> *When I try to look up at the logs on the Ossec server this is the only
> info that I got:*
>
>
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>
>
> Any clue or tip on how to solve this situation?
>
>
>
> *Reinaldo Fernandes*
>



Re: [ossec-list] Level: 6 - Attempt to use mail server as relay (client host rejected).

2015-11-02 Thread Eero Volotinen
Your postfix is incorrectly configured. This is not related to ossec in
any way.

Eero
On 2.11.2015 at 11.37 am, "Hak Bun"  wrote:

> Dear All,
>
> I have just installed Postfix, Dovecot, and Squirrelmail.
> When I test sending out through the web mail, my yahoo can receive the
> email.
>
> But I get an error "Recipient address rejected: Access denied" when I telnet
> to SMTP, to an outside or local mail address:
>
> telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 ossec.myossec.com ESMTP Postfix
> ehlo localhost
> 250-ossec.myossec.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> mail from: hak
> 250 2.1.0 Ok
> rcpt to: hak_...@yahoo.com
> 554 5.7.1 : Recipient address rejected: Access denied
> rcpt to: long
> 554 5.7.1 : Recipient address rejected: Access denied
>
>
> And I also get an error with the configuration in OSSEC:
>
> Level: 6 - Attempt to use mail server as relay (client host rejected).
> Rule Id: 3301
> Location: localhost->/var/log/maillog
> Src IP: 192.168.56.101
> Nov 2 16:05:06 localhost postfix/smtpd[7815]: NOQUEUE: reject: RCPT from
> myossec.local[192.168.56.101]: 554 5.7.1 : Recipient address rejected:
> Access denied; from= to= proto=SMTP helo=
>
> Please help if you know
> Thanks
> Hak
>



Re: [ossec-list] OSSEC INSTALLATION ERROR ON AIX 7

2015-10-28 Thread Eero Volotinen
What is the output of the command:

cc --version

Eero

2015-10-28 8:59 GMT+02:00 :

> We are facing difficulties in the installation of Ossec on our AIX 7.1 server.
>
> The error we are getting:
>
> 5- Installing the system
>  - Running the Makefile
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for gcc...
> Compiler error reporting is too harsh for ./configure (perhaps remove
> -Werror).
> ** ./configure aborting.
> make: 1254-004 The error code from the last command is 1.
> Stop.
>
> Error Making zlib
> make: 1254-004 The error code from the last command is 1.
> Stop.
>
> Error 0x5.
> Building error. Unable to finish the installation
>
> With GBM, we have tried to install 3 versions of the GCC compiler and all
> failed.
> gcc-c++-4.8.3-1 is the last version GBM have tried.
>
> It would be very helpful if you could provide us a suitable solution for
> this.
>



Re: [ossec-list] Re: Watchguard Firebox logs

2015-10-27 Thread Eero Volotinen
Did you check out the WatchGuard Dimension appliance?

Eero
On 27.10.2015 at 10.49 am, "Tero Onttonen"  wrote:

> Hi,
>
> I would be interested in finding a solution regarding Watchguard logs. I
> did not find a solution after some searching.
>
> Did this go any further?
>
> Br,
> Tero
>
> On Wednesday, March 11, 2009 at 2:11:44 PM UTC+2, rob.but...@gmail.com
> wrote:
>>
>> Thanks.  I'm also working on AQTRONIX WebKnight logs too.  Here are a few
>> watchguard examples.  I've blanked a few bits of info.  Note that
>> we've adopted a convention of putting wg_ at the start of the system
>> name so we can identify them as watchguard logs, but perhaps this
>> isn't the best way?
>>
>> 2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"
>>
>> 2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xusername@Active Directory"
>>
>> 2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"
>>
>> On Mar 10, 8:35 pm, Daniel Cid  wrote:
>> > Hi Rob,
>> >
>> > I don't think anyone did this yet. Can you share some of your logs
>> > with us? We can certainly
>> > help writing some rules/decoders if we get some samples...
>> >
>> > Thanks,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> > On Mon, Mar 2, 2009 at 10:47 AM,   wrote:
>> >
>> > > Hi,
>> > > Has anyone got OSSEC to parse Watchguard Firebox logs?  I have my
>> > > logs coming in via syslog, and being stored, but if I run them through
>> > > logtest they get recognized as Debian dpkg logs, so I guess ossec is
>> > > pretty much ignoring them.
>> >
>> > > The format seems to be missing a unique key to spot the logs as being
>> > > from the watchguards, sadly.  We are considering using the firebox
>> > > system name to identify them (e.g. adding wg_ at the start of all our
>> > > firewall system names so I can match on a regexp with that string in
>> > > it).  However, before I spend time on this, I wonder whether anyone
>> > > else has already done the hard work?
>> >
>> > > If not, any pointers to instructions on writing new decoders and rules
>> > > would be most welcome.  If I get anything worth sharing, I'll offer it
>> > > back to the project or at least post my findings here.
>> >
>> > > Rob
>>


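Rob's samples show the whole problem: the Firebox format has no fixed keyword, only a hostname (hence the `wg_` prefix convention) followed by `key="value"` pairs in varying order, some with spaces inside the quotes. The Python below is an added example, not an OSSEC decoder from the project or from the thread; it does in code what an OSSEC `<decoder>` does declaratively, with the `wg_` hostname prefix as the prematch and a single `key="value"` regex for field extraction, and then applies a small rule table of my own (the levels and conditions are assumptions, not OSSEC's rules) to the decoded fields. The sample lines are the three from the thread reassembled into single lines as syslog would deliver them, with the OSSEC archive prefix removed, plus one constructed non-Watchguard line to show the prematch rejecting it.

```python
import re

# Constructed sample: the three Firebox lines quoted in the thread, reassembled
# into single lines as syslog would deliver them (ossec archive prefix removed),
# plus one unrelated line so the prematch has something to reject.
SAMPLE_LINES = [
    r'2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"',
    r'2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xusername@Active Directory"',
    r'2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"',
    r'2009-03-11 12:16:50 debian-host dpkg: status installed zlib1g 1:1.2.3',  # constructed, not Firebox
]

# "<timestamp> <hostname> <rest>" as the Firebox syslog lines arrive.
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# One key="value" pair; the value may contain spaces but not a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def decode_firebox(line):
    """Decode one Firebox line into a dict of fields, or None if it is not one.

    The "wg_" hostname prefix plays the role of an OSSEC <prematch>: as the
    thread notes it is the only stable marker in this format. The key="value"
    pairs are then collected regardless of their order.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    timestamp, hostname, body = m.groups()
    if not hostname.startswith("wg_"):
        return None
    fields = dict(KV_RE.findall(body))
    fields["timestamp"] = timestamp
    fields["hostname"] = hostname
    return fields


def rule_level(fields):
    """Assumed rule table in the spirit of OSSEC levels (not the project's rules)."""
    if fields is None:
        return 0
    if fields.get("disp") == "Deny":
        # A deny leaving the trusted side deserves more attention than inbound
        # noise: it usually means a misconfigured or misbehaving internal host.
        if fields.get("src_intf", "").endswith("Trusted"):
            return 6
        return 5
    if fields.get("msg", "").startswith("ProxyStrip"):
        return 3
    return 1


def process(lines):
    """Decode and classify; returns (level, host, src_ip, dst_ip, msg) per decoded line."""
    results = []
    for line in lines:
        f = decode_firebox(line)
        if f is None:
            continue
        results.append((rule_level(f), f["hostname"], f.get("src_ip"), f.get("dst_ip"), f.get("msg")))
    return results


if __name__ == "__main__":
    for row in process(SAMPLE_LINES):
        print(row)
```

Keeping the prematch on the hostname and the field extraction generic means new Firebox message types decode without touching the regex; only the rule table grows.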

Re: [ossec-list] how to set alert for authentication failure attempt in windows

2015-10-22 Thread Eero Volotinen
It's already included in the ossec ruleset; just configure alert levels for
email or SMS.

Eero

2015-10-23 6:48 GMT+03:00 Hak Bun :

> Dear All,
>
> How can I set alert for authentication failure attempt in windows?
>
> Thanks in advance for your comment.
> Hak
>



Re: [ossec-list] OSSEC error log

2015-10-16 Thread Eero Volotinen
How about configuring the IPsec PSK correctly? I don't see much related to
ossec.

--
Eero

2015-10-16 8:30 GMT+03:00 Abdul Adil :

> Hi OSSEC Community,
>
> Could any one please help with this error log from OSSEC ?
> Oct  1 03:17:18 ip-XX-X-X-XX.us-west-2.server 2015:pmthrfw1 pluto[5281]:
> "S_REF_IpsSitPmtToDpIpsec_5" #140687: malformed payload in packet. Probable
> authentication failure (mismatch of preshared secrets?)
>
> And why is this kind of error occurring? The following is the log from the
> server:
> 2015:09:29-00:01:22 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: next payload type of ISAKMP Identification Payload has an unknown
> value: 155
> 2015:09:29-00:01:22 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: malformed payload in packet. Probable authentication failure
> (mismatch of preshared secrets?)
> 2015:09:29-00:01:22 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: sending encrypted notification PAYLOAD_MALFORMED to x.x.x.x:4500
> 2015:09:29-00:01:24 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134142: next payload type of ISAKMP Identification Payload has an unknown
> value: 206
> 2015:09:29-00:01:24 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134142: malformed payload in packet. Probable authentication failure
> (mismatch of preshared secrets?)
> 2015:09:29-00:01:24 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134142: sending encrypted notification PAYLOAD_MALFORMED to x.x.x.x:4500
> 2015:09:29-00:01:32 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: next payload type of ISAKMP Identification Payload has an unknown
> value: 155
> 2015:09:29-00:01:32 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: malformed payload in packet. Probable authentication failure
> (mismatch of preshared secrets?)
>
> Please provide a solution to overcome this issue.
>
> Thank you,
> Abdul Adil.
>



Re: [ossec-list] ossec-remoted(1213): WARN: Message from x.x.x.x not allowed.

2015-10-15 Thread Eero Volotinen
Well, then your agent is coming from the wrong address due to NAT/IPsec.

You need to use "any" for agents coming from NAT, or fix the IPsec/NAT system.

--
Eero

2015-10-15 9:17 GMT+03:00 hari krishna <g2h...@gmail.com>:

> I have used static IP addresses for all agents, instead of wildcards. As I
> described earlier, the agent and clients are communicating, but behind
> the NAT through the site-to-site VPN connections.
>
>
>
> On Thursday, October 15, 2015 at 11:07:51 AM UTC+5:30, Eero Volotinen
> wrote:
>>
>> to client key ip address field ..
>>
>> --
>> Eero
>>
>> 2015-10-15 8:31 GMT+03:00 hari krishna <g2h...@gmail.com>:
>>
>>> Can you explain the solution in detail? Where do I have to add
>>> this ANY?
>>>
>>>
>>>
>>> On Wednesday, October 14, 2015 at 6:54:45 PM UTC+5:30, Eero Volotinen
>>> wrote:
>>>>
>>>> Well, you need to use the correct IP address while creating the client key, or
>>>> use the IP address ANY.
>>>>
>>>> --
>>>> Eero
>>>>
>>>> 2015-10-14 15:49 GMT+03:00 Hari Krishna <harikr...@techaspect.com>:
>>>>
>>>>> Both my clients and servers are behind NAT and connected
>>>>> with a VPN tunnel. Agents within the server's subnet are able to communicate with
>>>>> the server, but agents on a different network are not able to communicate
>>>>> with the server. When I troubleshot the issue I found the following message at the
>>>>> server.
>>>>>
>>>>>  ossec-remoted(1213): WARN: Message from  192.168.5.1 (gateway ip )
>>>>> not allowed.
>>>>>
>>>>>
>>>>> *Disclaimer: *This message and any attachments are solely intended
>>>>> for the addressee(s). It may also be TechAspect confidential, privileged
>>>>> and / or subject to copyright. Access to this email by anyone else is
>>>>> unauthorized. If you are not the intended recipient, any disclosure,
>>>>> copying, distribution or any action taken or omitted to be taken in
>>>>> reliance on it, is prohibited and may be unlawful. If you have received
>>>>> this in error, please notify the sender immediately by return e-mail and
>>>>> delete it from your computer. While all care has been taken, TechAspect
>>>>> management disclaims all liabilities for loss or damages to person(s) or
>>>>> properties arising from misuse of any information provided or the message
>>>>> being infected by computer virus or other contamination.
>>>>>



Re: [ossec-list] ossec-remoted(1213): WARN: Message from x.x.x.x not allowed.

2015-10-14 Thread Eero Volotinen
Well, you need to use the correct IP address while creating the client key, or
use the IP address ANY.

--
Eero

2015-10-14 15:49 GMT+03:00 Hari Krishna :

> Both my clients and servers are behind NAT and connected with a
> VPN tunnel. Agents within the server's subnet are able to communicate with the
> server, but agents on a different network are not able to communicate with
> the server. When I troubleshot the issue I found the following message at the server.
>
>  ossec-remoted(1213): WARN: Message from  192.168.5.1 (gateway ip ) not
> allowed.
>
>


Re: [ossec-list] ossec-remoted(1213): WARN: Message from x.x.x.x not allowed.

2015-10-14 Thread Eero Volotinen
To the client key's IP address field.

--
Eero

2015-10-15 8:31 GMT+03:00 hari krishna <g2h...@gmail.com>:

> Can you explain the solution in detail? Where do I have to add
> this ANY?
>
>
>
> On Wednesday, October 14, 2015 at 6:54:45 PM UTC+5:30, Eero Volotinen
> wrote:
>>
>> Well, you need to use the correct IP address while creating the client key, or
>> use the IP address ANY.
>>
>> --
>> Eero
>>
>> 2015-10-14 15:49 GMT+03:00 Hari Krishna <harikr...@techaspect.com>:
>>
>>> Both my clients and servers are behind NAT and connected with a
>>> VPN tunnel. Agents within the server's subnet are able to communicate with the
>>> server, but agents on a different network are not able to communicate with
>>> the server. When I troubleshot the issue I found the following message at the server.
>>>
>>>  ossec-remoted(1213): WARN: Message from  192.168.5.1 (gateway ip ) not
>>> allowed.
>>>
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Checkpoint OPSEC Certification

2015-09-25 Thread Eero Volotinen
Hi,

Are there any problems with setting Checkpoint to log to syslog and then using the
OSSEC agent on the box to forward the logs to the OSSEC server? This is the usual way to do
this.

--
Eero

2015-09-25 0:37 GMT+03:00 :

> Hello, I'm trying to get my Checkpoint firewall, IPS, VPN, etc. logs into
> OSSEC, but Checkpoint is telling me that it has to be OPSEC certified in
> order to make a connection. If you are pulling your CheckPoint Gaia R77.20
> firewall logs into OSSEC, how did you do it? I have seen the articles on
> forwarding syslog, but those are only the OS log files. I have also seen
> this article on using an 'agent in the middle' to create a secure
> connection, but there has to be a better way. Any help would be greatly
> appreciated!
>
> Thanks!
>


Re: [ossec-list] Glibc 2.14 dependency

2015-08-27 Thread Eero Volotinen
Just install it from source or from the Atomic repo.

Eero
On 27.8.2015 at 3.02 pm, Onion Guy <oni0nytiru...@gmail.com> wrote:

 Hello all,

 It appears the latest version of OSSEC requires glibc 2.14.  Are there any
 versions that require a lower version, specifically 2.12?  I am running
 CentOS 6 so this is posing an issue.

 Thanks.



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Eero Volotinen
Well, you need to give the correct permissions to Apache, as the WUI is running
under the Apache uid.

Eero
On 8.8.2015 at 8.27 pm, Daniel Twardowski <noghrisli...@gmail.com> wrote:


 I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured
 a few domain controllers to send it their logs. When I came in today, the
 WUI is displaying an error of:
 Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open
 stream: Value too large for defined data type in
 /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839

 My alerts.log file is 3.5G. If I delete it and restart ossec services, the
 file is recreated at 3.5G. Is this an issue with file size? If so, can I up
 the log rotation to more than just once a day? And how would I flush
 whatever buffer keeps recreating the 3.5G alerts.log file so I can get back
 to reviewing logs?

 Similar, but unanswered message from 2013:
 https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ

 Thanks.

 Dan



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Eero Volotinen
Well,

Check memory_limit in PHP also.

OSSEC WUI is no longer supported. You should use Kibana + Elasticsearch
instead of it.

Eero

Eero
Thanks for the quick response.

I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the
error.

I then chmod'ed alerts.log from 640 to 666 and still got the error.

Alerts.log is still growing, though. Up to 4.2G.

On Saturday, August 8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote:

 Well, you need to give the correct permissions to Apache, as the WUI is running
 under the Apache uid.

 Eero
 On 8.8.2015 at 8.27 pm, Daniel Twardowski <noghri...@gmail.com> wrote:


 I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I
 configured a few domain controllers to send it their logs. When I came in
 today, the WUI is displaying an error of:
 Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open
 stream: Value too large for defined data type in
 /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839

 My alerts.log file is 3.5G. If I delete it and restart ossec services,
 the file is recreated at 3.5G. Is this an issue with file size? If so, can
 I up the log rotation to more than just once a day? And how would I flush
 whatever buffer keeps recreating the 3.5G alerts.log file so I can get back
 to reviewing logs?

 Similar, but unanswered message from 2013:
 https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ

 Thanks.

 Dan



Re: [ossec-list] Updating ossec is done on ossec server only

2015-07-27 Thread Eero Volotinen
Yes, you should update clients too.

Eero
On 26.7.2015 at 2.57 pm, HMath <h.i.youss...@gmail.com> wrote:

 Greetings,

 I have updated the OSSEC server to the latest version; should I update it also on
 all clients?

 Thank you



Re: [ossec-list] authenticated smtp usage...

2015-06-15 Thread Eero Volotinen
How about using postfix on localhost? Much better solution.
On Jun 15, 2015 6:04 PM, Mark Feferman mark.fefer...@gmail.com wrote:

 I know this topic has been discussed many times, but I'm not sure why it
 isn't implemented.

 <smtp_username>send_from_email_username</smtp_username>
 <smtp_password>email_password</smtp_password>

 Granted, there are going to be issues sending to SMTP servers that require
 SSL/TLS, etc., but that's far less of an issue (i.e., finding one that
 doesn't require SSL/TLS) than finding one that doesn't require
 authentication.

 I understand the security aspect, but the database credentials are already
 stored there in plain text.

 $.02



Re: [ossec-list] Blank /etc/hosts.deny

2015-05-10 Thread Eero Volotinen
Well, did you activate active response? It might modify hosts.deny.
On 10.5.2015 at 7.53 pm, fi...@vivaldi.net wrote:

 Hi,

 Before installing OSSEC on a Debian 8 server, I took a look at the
 hosts.deny and hosts.allow files and noted that they were not blank. After
 installing OSSEC, however, the hosts.deny file is blank, not even a comment
 or # character.

 Is that expected, or did something go wrong during installation?

 TIA,



 --
 finid



Re: [ossec-list] Error on osssec 2.8.1 installation - Permission Issue?

2015-05-05 Thread Eero Volotinen
Well. What is the output of id? Is some of the filesystems mounted as ro? What is the output of
the mount command?

Eero
On 5.5.2015 at 4.40 am, Bruno Alvisio <bruno.alvi...@gmail.com> wrote:

 I am quite sure I am the root user.

 Also while the script runs, I get the following messages:

 

   3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y


- Remote syslog enabled.

 ./install.sh: line 680: ./etc/ossec.mc: Permission denied

 ./install.sh: line 681: ./etc/ossec.mc: Permission denied

 ./install.sh: line 682: ./etc/ossec.mc: Permission denied

 ./install.sh: line 683: ./etc/ossec.mc: Permission denied

 ./install.sh: line 687: ./etc/ossec.mc: Permission denied

 ./install.sh: line 688: ./etc/ossec.mc: Permission denied

 ./install.sh: line 689: ./etc/ossec.mc: Permission denied

 ./install.sh: line 690: ./etc/ossec.mc: Permission denied

 ./install.sh: line 695: ./etc/ossec.mc: Permission denied

 ./install.sh: line 696: ./etc/ossec.mc: Permission denied

 ./install.sh: line 697: ./etc/ossec.mc: Permission denied

 ./install.sh: line 701: ./etc/ossec.mc: Permission denied

 -


 I am pretty sure I am root since the script doesn't even start if you are
 not.


 Thanks,


 Bruno




 On Monday, May 4, 2015 at 5:02:11 PM UTC-7, Eero Volotinen wrote:

 Really root user? Try again..

 Eero
 On 5.5.2015 at 2.53 am, Bruno Alvisio <bruno@gmail.com> wrote:

 Hello,

 I am trying to install OSSEC 2.8.1 on Linux, hybrid version. When I run
 the ./install.sh script as root, I get the following error:

 ./install.sh: line 725: ./etc/ossec.mc: Permission denied


 5- Installing the system

 ./install.sh: line 69: ./src/LOCATION: Permission denied

 ./install.sh: line 77: ./src/Config.OS: Permission denied

  - Running the Makefile

 ./Makeall: line 62: Config.OS: Permission denied

 ./Makeall: line 67: Config.OS: Permission denied

 ./Makeall: line 68: Config.OS: Permission denied

 ./Makeall: line 77: Config.OS: Permission denied

 ./Makeall: line 126: isbigendian.c: Permission denied

 cc: isbigendian.c: No such file or directory

 cc: no input files

 ./Makeall: line 128: ./isbigendian: No such file or directory

 INFO: Little endian set.

 ./Makeall: line 141: Config.OS: Permission denied


  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***

 make[1]: Entering directory
 `/home/balvisio/ossec-hids-2.8.1/src/external'

 ../Config.Make:8: ../Config.OS: No such file or directory

 make[1]: *** No rule to make target `../Config.OS'.  Stop.

 make[1]: Leaving directory `/home/balvisio/ossec-hids-2.8.1/src/external'


 Error Making zlib

 make: *** [all] Error 1


  Error 0x5.

  Building error. Unable to finish the installation.



 I am not sure if this is a permissions issue, given that I am 'root', or
 whether there is something going on with the 'isbigendian.c' file that cannot be
 found. Any help would be greatly appreciated.

 Bruno



Re: [ossec-list] Error on osssec 2.8.1 installation - Permission Issue?

2015-05-04 Thread Eero Volotinen
Really root user? Try again..

Eero
On 5.5.2015 at 2.53 am, Bruno Alvisio <bruno.alvi...@gmail.com> wrote:

 Hello,

 I am trying to install OSSEC 2.8.1 on Linux, hybrid version. When I run
 the ./install.sh script as root, I get the following error:

 ./install.sh: line 725: ./etc/ossec.mc: Permission denied


 5- Installing the system

 ./install.sh: line 69: ./src/LOCATION: Permission denied

 ./install.sh: line 77: ./src/Config.OS: Permission denied

  - Running the Makefile

 ./Makeall: line 62: Config.OS: Permission denied

 ./Makeall: line 67: Config.OS: Permission denied

 ./Makeall: line 68: Config.OS: Permission denied

 ./Makeall: line 77: Config.OS: Permission denied

 ./Makeall: line 126: isbigendian.c: Permission denied

 cc: isbigendian.c: No such file or directory

 cc: no input files

 ./Makeall: line 128: ./isbigendian: No such file or directory

 INFO: Little endian set.

 ./Makeall: line 141: Config.OS: Permission denied


  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***

 make[1]: Entering directory `/home/balvisio/ossec-hids-2.8.1/src/external'

 ../Config.Make:8: ../Config.OS: No such file or directory

 make[1]: *** No rule to make target `../Config.OS'.  Stop.

 make[1]: Leaving directory `/home/balvisio/ossec-hids-2.8.1/src/external'


 Error Making zlib

 make: *** [all] Error 1


  Error 0x5.

  Building error. Unable to finish the installation.



 I am not sure if this is a permissions issue, given that I am 'root', or
 whether there is something going on with the 'isbigendian.c' file that cannot be
 found. Any help would be greatly appreciated.

 Bruno



Re: [ossec-list] Problem with snort

2015-05-02 Thread Eero Volotinen
How is snort logging configured? Full or fast mode?
On 3.5.2015 at 2.51 am, AMINE.E <amine.eloui...@um5s.net.ma> wrote:

 Hi

 I have noticed something with the snort-full log format: it is not
 logging the full_log into /var/ossec/logs/alerts/alert.log.
 It just takes the first line and logs it. And when I ran
 ossec-logcollector in debug mode I can see this:
 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:
 

 syslog? That is not what I have configured OSSEC for. Because:
 <localfile>
   <log_format>snort-full</log_format>
   <location>/var/log/snort/alert</location>
 </localfile>

 Where might the problem be?



Re: [ossec-list] ETL Developer at Woodlawn,MD

2015-04-09 Thread Eero Volotinen
Please remove this spammer from the mailing list?

--
Eero

2015-04-09 19:23 GMT+03:00 saquib ansari saquib8860.ans...@gmail.com:

 *NOTE: Only for W2 candidates*


 *Job Title:* ETL Developer

 *Location:* Woodlawn, MD

 *Duration:*  2+ years(extendable)

 *Minimum Experience: * 5+ Years

 *Required Education: * BA/BS Degree



 *Job Description:*



 We have an immediate need for an* ETL Developer (Tier III) *who will:

- Plan, conduct, and coordinate software development activities.
- Design, develop, document, test, and debug software that contains
logical and mathematical solutions to business/mission problems or
questions in computer language for solutions by means of data processing
equipment.
- Apply the appropriate standards, processes, procedures, and tools
throughout the development life cycle.
- Apply knowledge of computer hardware and software subject matter to
be programmed in business/mission applications, information processing
techniques used, and information gathered from system users to develop
software.
- Correct program errors, prepare operating instructions, compile
documentation of program development, and analyze system capabilities to
resolve questions of program intent, output requirements, input data
acquisition, programming techniques, and controls.
- Ensure software standards are met.
- Support the maintenance and development of the extract transform and
load (ETL) aspects of the data warehouse.
- Maintain an understanding of the inputs received from the data
source providers.
- Support the analysis, design, development and implementation of new
ETL requirements.
- Recommend changes to enhance the data warehouse data cleansing and
conversion processes.
- Support testing and validation of the new data conversion processes.
- Be responsible for supporting planning activities and supporting the
on schedule delivery of milestone and deliverables.

 *Job Requirements:*

- Must possess three (3) years Informatica experience and five (5) to
eight (8) years’ related experience.
- Must possess effective oral and written skills and strong analytical
and problem solving capabilities.
- Must have a working knowledge of the SDLC and the associated
processes and documentation.
- Must be a team player able to work in a dynamic environment.

 *Education:*

- Bachelor of Science in related field or equivalent years of
experience.


 *Saquib Ansari*

 *IT Recruiter   *|
 *Technology Resource Group Inc.  *3736 Hills-dale Court Santa Clara, CA
 95051

 Office: 408-709-1760. EXT: 848. Fax: 408-884-2409

 saq...@tresourceinc.com | www.tresourceinc.com



Re: [ossec-list] ERROR: Invalid ID for the source ip: 'x.x.x.x'

2015-04-07 Thread Eero Volotinen
2015-04-07 21:55 GMT+03:00 Sinisha Erceg ser...@windmobile.ca:

  Hello,



 I apologize in advance for lack of understanding and I’ve attempted to
 look through the forums but I have inherited OSSEC from a predecessor and I
 have limited *nix experience.  I’ve managed to fix some items but some are
 still very bewildering.



 I’ll start with the error:  ERROR: Invalid ID for the source ip: 'x.x.x.x'
 and the IP addresses they list are nowhere in our agent listing.  I’m
 having issues even trying to discover the host that this error is
 indicating but there are a whole bunch of these for IP addresses that we
 have not installed OSSEC on.



 Where can I start to look?  Again, without going into this too much more,
 I have attempted to search the forums and can find information generally on
 this error if the IP is valid but I’m stumped on the fact that it’s giving
 me this error knowing that those IPs have never been added to the server.



 Any assistance would be greatly appreciated.



Hi,

The agent key contains the IP address of the agent, if ANY is not used instead of the IP
address.

Check the documentation about agents:
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-management.html

--
Eero



Re: [ossec-list] ERROR: Invalid ID for the source ip: 'x.x.x.x'

2015-04-07 Thread Eero Volotinen
Is the source address incorrect? IPsec connections and firewalls with NAT rules
can cause this kind of issue.

Try dumping OSSEC traffic on the manager and check that the source IP is correct.

Eero
On 7.4.2015 at 11.36 pm, Sinisha Erceg <ser...@windmobile.ca> wrote:

  Thanks Eero for your quick reply.  I am aware of this and we only use
 either a direct IP address or a subnet range.  Would this still occur using
 a subnet?  We explicitly do not use ANY.  I may have tested this on a box a
 while back but it’s nothing that is currently being used for any of our
 monitored hosts.





 *Sinisha Erceg* IT Security Analyst
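The client.keys address check that Eero points at here and in the "Message from x.x.x.x not allowed" thread above, as an added example that is not part of this list archive or of OSSEC's own code. It is a small Python model of the lookup the manager performs: the file content, agent names and addresses are constructed, the "first covering key wins" order is a simplification of what ossec-remoted does, and the WARN text is the one quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample client.keys content for this example (not taken from the
# thread). Each line is "<id> <name> <ip|cidr|any> <key>"; the keys are dummies.
SAMPLE_CLIENT_KEYS = """\
001 webserver 10.0.0.15 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 dbserver 172.16.20.0/24 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
003 roaming-laptop any aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


@dataclass
class AgentKey:
    agent_id: str
    name: str
    allowed: str  # "any", a host address or a CIDR range, as written in client.keys

    def accepts(self, source_ip: str) -> bool:
        """True if this key's address field covers the observed source address."""
        if self.allowed.lower() == "any":
            return True
        src = ipaddress.ip_address(source_ip)
        net = ipaddress.ip_network(self.allowed, strict=False)  # host IP -> /32
        return src in net  # False across IPv4/IPv6 families


def parse_client_keys(text: str) -> List[AgentKey]:
    """Parse client.keys; malformed lines raise instead of being skipped."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, allowed, _secret = parts
        if allowed.lower() != "any":
            ipaddress.ip_network(allowed, strict=False)  # reject bad addresses early
        keys.append(AgentKey(agent_id, name, allowed))
    return keys


def find_agent_for_source(keys: List[AgentKey], source_ip: str) -> Optional[AgentKey]:
    """Simplified model of the manager's lookup: the first key covering the
    source address wins; None means the message would be rejected."""
    for key in keys:
        if key.accepts(source_ip):
            return key
    return None


def diagnose(keys: List[AgentKey], source_ip: str) -> str:
    """Explain, for one observed source address, why the manager accepts or
    rejects it. The WARN text mirrors the one quoted in the thread."""
    key = find_agent_for_source(keys, source_ip)
    if key is None:
        return (
            f"no key covers {source_ip}; the manager logs "
            f"'WARN: Message from {source_ip} not allowed.' "
            "If this is a NAT gateway or VPN endpoint, the key must carry the "
            "address as the manager sees it, a covering CIDR, or 'any'."
        )
    return f"{source_ip} matches agent {key.agent_id} ({key.name}, allowed={key.allowed})"


if __name__ == "__main__":
    keys = parse_client_keys(SAMPLE_CLIENT_KEYS)
    # Drop the 'any' key to model a strict setup like the one in the thread,
    # then probe with a few constructed source addresses (192.168.5.1 plays the
    # NAT gateway address the manager sees instead of the agent's own).
    strict = [k for k in keys if k.allowed.lower() != "any"]
    for src in ("10.0.0.15", "172.16.20.7", "192.168.5.1"):
        print(diagnose(strict, src))
```

To use it on a real manager, read /var/ossec/etc/client.keys into parse_client_keys and pass the address from the WARN line to diagnose; when agents sit behind NAT or a VPN gateway, the address the manager sees (not the agent's own) is the one that must be covered by the key's address field.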





Re: [ossec-list] JD for review: Oracle GL Restructuring Technical Consultant @ Dublin, OH

2015-04-07 Thread Eero Volotinen
Hi,

Please stop spamming ossec list.

--
Eero

2015-04-08 0:16 GMT+03:00 saquib ansari saquib8860.ans...@gmail.com:

 *Please have a look on the below requirement and if interested revert me
 back with your updated profile.*



 *Role: Oracle GL Restructuring Technical Consultant*

 *Location: Dublin, OH*

 *Start Date:  ASAP*

 *Duration:2+ months*





 *Job Description   *



 ERP Fins/EBS Core Financials/Technical/GL Restructuring

 • Client is looking for technical resource that can help them with
 EBS data chances due to a restructuring project.

 • The desired experience for this work is someone who has done
 divestiture projects/GL restructuring.  The need is to have someone start
 on-site in Dublin, Ohio ASAP and have them on site for approximately 2
 months.

 Please see below for a list of modules that the resource should be
 familiar with:

   Fixed assets

   Payables

   Projects

   General Ledger

   AL

   Purchasing

   Property Manager





 *Saquib Ansari*

 *IT Recruiter   *|
 *Technology Resource Group Inc.  *3736 Hills-dale Court Santa Clara, CA
 95051

 Office: 408-709-1760. EXT: 848. Fax: 408-884-2409

 saq...@tresourceinc.com | www.tresourceinc.com



Re: [ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-31 Thread Eero Volotinen
How about reading the documentation ?

Eero
On 31.3.2015 at 6.17 pm, Nhen Panha <panhan...@gmail.com> wrote:

 Sorry sir!

 My skill is Cisco configuration. I don't know how to configure Windows to
 track the information.
 Could you help me please?

 On Sunday, March 29, 2015 at 6:22:01 PM UTC+7, Nhen Panha wrote:

 Hi sir!

 Last week I installed OSSEC to monitor my Windows Server and Windows
 8.1.

 I want to control all the activities that users do in my Windows,
 for example I want to know when a user opens a browser, copies a document,
 ...

 What should I configure on the OSSEC manager and my Windows?

 Help me please?



Re: [ossec-list] Re: Cannot get Syslog from Cisco Devices

2015-03-24 Thread Eero Volotinen
2015-03-24 23:31 GMT+02:00 Nhen Panha panhan...@gmail.com:

 Help me to configure my router with ossec manager


Do you really understand how Cisco logging works? logging trap XXX sets
the Cisco log level for syslog.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_09.html#wp1015177

Try logging trap informational and test again.

Level alerts almost disables logging, so you don't get many logs to syslog
or OSSEC.

--
Eero



Re: [ossec-list] Cannot get Syslog from Cisco Devices

2015-03-24 Thread Eero Volotinen
Try the following settings on Cisco (ASA):

logging enable

logging trap notifications



--

Eero

2015-03-24 22:09 GMT+02:00 Nhen Panha panhan...@gmail.com:

 Hello sir!

 Today, I would like to ask you about a problem with the configuration between OSSEC and
 Cisco devices.

 In the Cisco router and switch I configured:

 logging on
 logging host IP_OF_MY_OSSEC_SERVER
 logging trap alerts
 logging facility local7

 In the OSSEC manager:

 in the file ossec.conf, I added

 <ossec_config>
   <remote>
     <connection>syslog</connection>
     <allowed-ips>IP_OF_CISCO_DEVICE</allowed-ips>
   </remote>
   <global>
     <logall>yes</logall>
   </global>
 </ossec_config>

 Then I restarted the OSSEC services, but in the
 file /var/ossec/logs/archives/archives.log
 I didn't see anything. So help me please.


 Thanks with best regards
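How the device-side logging trap level and the manager-side <allowed-ips> check together decide what lands in archives.log, as an added example that is not part of this list archive or of OSSEC's code; it also illustrates the "logging trap informational" reply earlier on this page. The severity numbers, localN facility codes and the PRI formula are standard syslog; the sample messages, host name and addresses are constructed, and the two filters are a model of the checks, not OSSEC's or IOS's implementation.

```python
import ipaddress
import re
from typing import List

# Cisco IOS/ASA syslog severity names as accepted by `logging trap <level>`.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Syslog facility codes for `logging facility localN` (local0 = 16 ... local7 = 23).
FACILITY = {f"local{n}": 16 + n for n in range(8)}

# Cisco messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC tag.
CISCO_TAG = re.compile(r"%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+:")

# Constructed sample messages (not captured from the thread); the last one is a
# made-up alert-level message so that the strict level still keeps something.
DEVICE_MESSAGES = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "%SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.9(4444) -> 10.0.0.15(22), 1 packet",
    "%SYS-1-EXAMPLE_ALERT: constructed alert-level message for this example",
]


def severity_of(message: str) -> int:
    """Read the numeric severity out of the %FAC-SEV-MNEMONIC tag."""
    m = CISCO_TAG.search(message)
    if m is None:
        raise ValueError(f"no %FAC-SEV-MNEMONIC tag in: {message!r}")
    return int(m.group("sev"))


def trap_filter(messages: List[str], level: str) -> List[str]:
    """Model `logging trap <level>`: the device sends a message only when its
    severity number is <= the configured level (lower number = more severe),
    so `alerts` (1) passes almost nothing and `informational` (6) passes most."""
    threshold = SEVERITY[level]
    return [m for m in messages if severity_of(m) <= threshold]


def to_syslog(message: str, facility: str = "local7", host: str = "cisco-edge") -> str:
    """Wrap the message as a syslog line; PRI = facility * 8 + severity."""
    pri = FACILITY[facility] * 8 + severity_of(message)
    return f"<{pri}>{host}: {message}"


def manager_accepts(allowed_ips: List[str], source_ip: str) -> bool:
    """Model the <allowed-ips> check of the manager's syslog listener: the
    source must fall inside one of the listed addresses or CIDR ranges."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(a, strict=False) for a in allowed_ips)


def simulate(messages: List[str], trap_level: str, device_ip: str,
             allowed_ips: List[str]) -> List[str]:
    """Lines that would reach archives.log (with <logall>yes</logall>) given the
    device's trap level and the manager's allowed-ips list."""
    if not manager_accepts(allowed_ips, device_ip):
        return []  # syslog from a source outside allowed-ips is dropped
    return [to_syslog(m) for m in trap_filter(messages, trap_level)]


if __name__ == "__main__":
    for level in ("alerts", "notifications", "informational"):
        kept = simulate(DEVICE_MESSAGES, level, "192.168.10.1", ["192.168.10.1"])
        print(f"logging trap {level}: {len(kept)} of {len(DEVICE_MESSAGES)} messages reach the manager")
        for line in kept:
            print("  " + line)
```

The two checks fail differently: a trap level that is too strict leaves archives.log empty even though the manager accepts the device, while a device address missing from <allowed-ips> drops everything regardless of the level, so when nothing arrives it is worth confirming the source address with a packet capture on the manager before touching the rules.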



Re: [ossec-list] Cannot OSSEC to MySQL Server

2015-03-21 Thread Eero Volotinen
2015-03-21 19:18 GMT+02:00 Network Infrastructure panhatiger...@gmail.com:

 Help me please!

 I installed and configured OSSEC on CentOS 6.6
 and also installed XAMPP 1.8.1 to send reports to the MySQL server, but I got
 the error below:

 ossec-dbd(5202): ERROR: Error connecting to database
 'xxx.xxx.xxx.xxx'(ossec): ERROR: Can't connect to MySQL server on
 'xxx.xxx.xxx.xxx'


Is authentication configured correctly on OSSEC and also on the MySQL server?

--
Eero



Re: [ossec-list] Cannot OSSEC to MySQL Server

2015-03-21 Thread Eero Volotinen
Is telnet 127.0.0.1 3306 working? No connection refused reply?

Eero

On 21.3.2015 at 7.36 pm, Network Infrastructure <panhatiger...@gmail.com> wrote:

 Help me please!

 I installed and configured OSSEC on CentOS 6.6
 and also installed XAMPP 1.8.1 to send reports to the MySQL server, but I got
the error below:

 ossec-dbd(5202): ERROR: Error connecting to database
'xxx.xxx.xxx.xxx'(ossec): ERROR: Can't connect to MySQL server on
'xxx.xxx.xxx.xxx' (110).


 Help me please!

 Thanks



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-13 Thread Eero Volotinen
2015-02-13 17:43 GMT+02:00 Network Infrastructure panhatiger...@gmail.com:

 I don't see anything but I think I config my ASA working properly.


Well, well.

http://www.killyourdarlingsjournal.com/wp/wp-content/uploads/2014/06/5881861191_90de8b5bc9.jpg


--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-12 Thread Eero Volotinen
2015-02-12 10:18 GMT+02:00 Network Infrastructure panhatiger...@gmail.com:

 I don't know about this problem


You cannot run two services (daemons) on the same port. You need to reconfigure
syslog and/or disable and stop it.

--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-12 Thread Eero Volotinen
2015-02-12 10:47 GMT+02:00 Network Infrastructure panhatiger...@gmail.com:

 Can you guide me to configure it?


No, you need to use google to find instructions to do that.

--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-11 Thread Eero Volotinen
2015-02-12 6:06 GMT+02:00 Network Infrastructure panhatiger...@gmail.com:

 When I opened ossec.log I saw this:

 Remote syslog allowed from: '192.168.10.1'
 Error: Unable to bind port '514'


is syslog already using that port?

--
Eero


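Both replies in this thread say the same thing from two sides: ossec-remoted's "Unable to bind port '514'" means another process (normally the local syslog daemon) already owns UDP 514, and a second daemon cannot share it. The check below is an added example, not code from the thread or from OSSEC. try_bind_udp() attempts the same bind a syslog receiver performs and reports EADDRINUSE (port already taken) separately from EACCES (a port below 1024 needs root, or CAP_NET_BIND_SERVICE on Linux), and demonstrate_conflict() reproduces the collision on loopback with an ephemeral port, so it needs no privileges and no real syslog daemon.

```python
import errno
import socket


def try_bind_udp(port, host="0.0.0.0"):
    """Attempt the bind a UDP syslog receiver performs on start-up.

    On success the open socket is returned under 'sock' (the caller closes it).
    On failure the errno is classified: EADDRINUSE means another process
    already owns host:port; EACCES means a privileged port (< 1024) was
    requested without root / CAP_NET_BIND_SERVICE.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        return {
            "ok": False,
            "errno": exc.errno,
            "in_use": exc.errno == errno.EADDRINUSE,
            "needs_privilege": exc.errno == errno.EACCES,
        }
    return {"ok": True, "errno": 0, "in_use": False,
            "needs_privilege": False, "sock": sock}


def demonstrate_conflict():
    """Constructed demo: reproduce 'Unable to bind port' on loopback.

    The first bind stands in for the already running syslog daemon, the
    second for ossec-remoted starting afterwards. Port 0 asks the kernel
    for an ephemeral port instead of 514, so no root is needed.
    """
    first = try_bind_udp(0, "127.0.0.1")
    port = first["sock"].getsockname()[1]
    second = try_bind_udp(port, "127.0.0.1")      # expected: EADDRINUSE
    first["sock"].close()                          # the "syslog daemon" stops
    if second["ok"]:
        second["sock"].close()
    third = try_bind_udp(port, "127.0.0.1")       # now the bind succeeds
    if third["ok"]:
        third["sock"].close()
    return {
        "port": port,
        "first_ok": first["ok"],
        "second_ok": second["ok"],
        "second_in_use": second["in_use"],
        "after_release_ok": third["ok"],
    }


if __name__ == "__main__":
    print(demonstrate_conflict())
```

Before starting OSSEC on a syslog-collecting server, run try_bind_udp(514) as root (or simply look at `ss -ulnp` / `netstat -ulnp`): an in_use result means the local syslog daemon must be reconfigured or stopped, or one of the two moved to a different port (the <remote> block accepts a <port> element), before the ASA's messages can reach ossec-remoted.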

Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-11 Thread Eero Volotinen
You need to enable logging to the syslog server first. The command is like
logging trap syslog-level
example:

conf t
logging trap notifications
wr

br,
Eero
--

2015-02-11 8:50 GMT+02:00 Network Infrastructure panhatiger...@gmail.com:

 This is the output when I use the commands,

 but it doesn't work:

 ASA5520# sh run log
 logging enable
 logging asdm informational
 logging host inside 192.168.10.11
 ASA5520# sh run | inc log
  service-object tcp eq klogin
  service-object tcp eq login
  service-object udp eq syslog
  service-object udp eq syslog
  service-object udp eq syslog
 logging enable
 logging asdm informational
 logging host inside 192.168.10.11


 On Friday, February 6, 2015 at 9:11:33 AM UTC+7, Network Infrastructure
 wrote:

 I have configured OSSEC to monitor my ASA 5520, but I cannot see anything.

 In the ASA 5520, I enabled the syslog server to send syslog to my OSSEC.


 In OSSEC, in /var/ossec/etc/ossec.conf, I configured:

 <ossec_config>

 <remote>
   <connection>syslog</connection>
   <allowed-ips>IP_OF_CISCO_DEVICE</allowed-ips>
 </remote>
 <global>
   <logall>yes</logall>
 </global>

 </ossec_config>

 Then I restarted the ossec services, but I cannot see anything.


 Help me please ...



Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-11 Thread Eero Volotinen
2015-02-11 12:42 GMT+02:00 shankey shankey.ci...@gmail.com:


 How do server and client communicate? What are the ports that need to be open?

 Can we use some other port for client-to-server communication?



HOW about reading the *docs* first?

--
Eero



Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread Eero Volotinen
2015-02-10 18:42 GMT+02:00 shankey shankey.ci...@gmail.com:

 Hi Team,

 Can I use OSSEC as a FIM solution to clear my PCI audit? If yes,


Yes, it can act as FIM.


 then help me with the hardware requirements and installation procedure.


Err. Maybe you need to hire a consultant ..

--
Eero



Re: [ossec-list] Juniper SSG OSSEC via syslog

2014-12-08 Thread Eero Volotinen
 I'm looking to avoid having to worry about disk space for this sort of
 config.


You must be joking? Disk space is _very_ cheap nowadays and it's also
possible to use compression ..

--
Eero



Re: [ossec-list] Monitoring /var/ossec

2014-11-30 Thread Eero Volotinen
2014-12-01 0:20 GMT+02:00 fi...@vivaldi.net:

 Hi,

 In a test installation, I noticed that if I add the /var/ossec directory to
 the list of directories that syscheck should monitor, disk usage grows
 really fast. In less than 2 hours, disk usage on a test system doubled.

 What's the best practice for monitoring /var/ossec? I want to keep an eye
 on what's going on inside that directory, but not use up that much disk
 space.

 In general, what's the recommended method of monitoring a log directory?


How about using samhain or auditd for that?

--
Eero



Re: [ossec-list] pgp signatures for releases

2014-11-12 Thread Eero Volotinen
2014-11-12 16:08 GMT+02:00 dan (ddp) ddp...@gmail.com:

 On Sat, Nov 8, 2014 at 5:12 AM, Eero Volotinen eero.voloti...@iki.fi
 wrote:
  Hi List,
 
  looking for gpg signatures for ossec releases; where can I download them?
 

 It doesn't look like they're currently offered.


So, is there any way to verify that the source distribution is not tampered
with? A SHA checksum from the same server is not a reliable way to do this.

--
Eero



[ossec-list] pgp signatures for releases

2014-11-08 Thread Eero Volotinen
Hi List,

looking for gpg signatures for ossec releases; where can I download them?

--
Eero



Re: [ossec-list] Ossec compatibility with Redhat

2014-07-16 Thread Eero Volotinen
2014-07-16 10:35 GMT+03:00 Amritha Kumar amritha.kumar4...@gmail.com:

 Hi,

 One of my customers has installed Ossec on a RedHat server, RHEL 5.4. Now
 this server needs to be patched as per PCI DSS requirements. The current RedHat
 OS version is RHEL 5.4; once patched, the version will be 5.10. Please let
 us know if Ossec v2.6 is compatible with RHEL 5.10.



Yes, it is compatible. Note that you should also update ossec to latest
stable as required in PCI DSS patch requirements.

--
Eero



Re: [ossec-list] Red Hat 7.0 and OSSEC

2014-06-01 Thread Eero Volotinen
2014-06-01 17:56 GMT+03:00 Aaron Hunter aaron.hunt...@gmail.com:

 Given the major changes in Red Hat 7.0 what do the OSSEC developers
 recommend with respect to upgrading from 6.x to 7.0?


Well, did you notice any issues on rhel 7 rc?


--
Eero



Re: [ossec-list] OSSEC Splunk or other RHEL option?

2014-04-12 Thread Eero Volotinen
How about fluentd+kibana?
On 12.4.2014 at 16.05, Glenn Ford gmfpa...@gmail.com wrote:

 Hi all,

 I was originally going to do an OSSEC - OSSIM setup but ran into some
 issues with RHEL compliance since OSSIM is Debian.

 Now I was looking at Splunk (Free) Enterprise but noticed the Splunk app
 to integrate OSSEC is now 2 years old and most likely does not work with
 Splunk v6.

 Does anyone have a SIEM solution that has a free crippleware version, such
 as AlienVault OSSIM or Splunk Enterprise, that works on RHEL?

 Thanks in advance,

 Glenn



[ossec-list] minor ossec issue

2014-02-11 Thread Eero Volotinen
Hi List,

I have some issues with ossec. My ossec server was down for about a week and
after starting the ossec server, all clients started to flood the server and
they also eat disk IO on the client servers.

How do I resolve this issue, i.e. reset all clients to a fresh state as of today?



--
Eero
