[ossec-list] stupid question on ossec configuration

2011-09-07 Thread Eero Volotinen
Hi List,

I want OSSEC to alert when a Linux interface (ethernet) link goes down.
How do I do this?

--
Eero


Re: [ossec-list] stupid question on ossec configuration

2011-09-07 Thread Eero Volotinen
2011/9/7 Jeremy Lee :
> Try adding an OSSEC localfile full_command directive using one of the
> following commands listed in this thread (basically, ethtool or mii-tool):
>
> http://lists.samba.org/archive/linux/2006-June/015442.html

Sounds like a bad solution? I think the messages "link up" and "link down"
show up in the kernel message log. How do I monitor this?

--
Eero


Re: [ossec-list] stupid question on ossec configuration

2011-09-07 Thread Eero Volotinen
2011/9/7 Jeremy Lee :
> Your intention, though, is to essentially alert you when the link status
> changes no? full_command works very well for this purpose. Otherwise, if you
> can figure out how to do it with the log file, by all means...

Yes, it's important to detect when links go down, come up or flap up and
down. Anyway, using sudo to run a command without a password looks like a
bit of an insecure solution.

--
Eero
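As an added example (not from the thread), here is the kernel-log approach turned into detection logic: it parses syslog-style link messages, pairs each down with the next up on the same interface, and flags an interface that flaps. The log lines are constructed, and the "NIC Link is Up/Down" wording and eth*/en* interface names are assumptions modelled on common Linux NIC drivers; real messages vary by driver, so the regex would need adapting to the driver in use.

```python
"""Detect link down/up transitions and flapping from kernel log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog style (assumed year 2011). The message format
# is modelled on e1000e-style drivers and is an assumption, not a standard.
SAMPLE_LOG = """\
Sep  7 10:00:01 host kernel: [1234.5] e1000e: eth0 NIC Link is Down
Sep  7 10:00:04 host kernel: [1237.5] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Sep  7 10:00:09 host kernel: [1242.5] e1000e: eth0 NIC Link is Down
Sep  7 10:00:12 host kernel: [1245.5] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Sep  7 10:00:20 host kernel: [1253.5] e1000e: eth0 NIC Link is Down
Sep  7 10:00:25 host kernel: [1258.5] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Sep  7 11:30:00 host kernel: [6658.0] e1000e: eth1 NIC Link is Down
Sep  7 11:45:00 host sshd[2211]: Accepted publickey for admin from 10.0.0.5
Sep  7 12:10:00 host kernel: [9058.0] e1000e: eth1 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
"""

# Only kernel lines carrying a link-state message are of interest.
LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"(?P<iface>eth\d+|en\w+) NIC Link is (?P<state>Up|Down)\b"
)


def parse_link_events(log_text, year=2011):
    """Return [(timestamp, iface, 'up'|'down')] for each link transition."""
    events = []
    for line in log_text.splitlines():
        m = LINK_RE.search(line)
        if not m:
            continue  # not a link-state message (e.g. the sshd line)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["iface"], m["state"].lower()))
    return events


def outages(events):
    """Pair each 'down' with the next 'up' on the same interface.

    Returns [(iface, down_ts, up_ts, seconds)]; up_ts and seconds are None
    when the interface is still down at the end of the log.
    """
    open_down, result = {}, []
    for ts, iface, state in events:
        if state == "down":
            open_down.setdefault(iface, ts)  # keep the earliest unmatched down
        elif iface in open_down:
            down = open_down.pop(iface)
            result.append((iface, down, ts, (ts - down).total_seconds()))
    for iface, down in open_down.items():
        result.append((iface, down, None, None))
    return result


def detect_flapping(events, window=timedelta(seconds=60), threshold=3):
    """Flag interfaces with >= threshold transitions inside a sliding window.

    Returns {iface: (first_ts, last_ts, transitions)} for the busiest window
    seen on each flapping interface.
    """
    recent = defaultdict(deque)
    flapping = {}
    for ts, iface, _state in events:
        q = recent[iface]
        q.append(ts)
        while ts - q[0] > window:  # drop transitions older than the window
            q.popleft()
        if len(q) >= threshold:
            best = flapping.get(iface)
            if best is None or len(q) > best[2]:
                flapping[iface] = (q[0], ts, len(q))
    return flapping


def link_report(log_text, year=2011):
    """Human-readable alert lines: one per outage plus one per flapping NIC."""
    events = parse_link_events(log_text, year)
    lines = []
    for iface, down, up, secs in outages(events):
        if up is None:
            lines.append(f"{iface}: down since {down:%H:%M:%S}, not yet back")
        else:
            lines.append(f"{iface}: down {down:%H:%M:%S} -> up {up:%H:%M:%S} ({secs:.0f}s)")
    for iface, (first, last, n) in detect_flapping(events).items():
        lines.append(f"{iface}: FLAPPING, {n} transitions between "
                     f"{first:%H:%M:%S} and {last:%H:%M:%S}")
    return lines


if __name__ == "__main__":
    for line in link_report(SAMPLE_LOG):
        print(line)
```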


Re: [ossec-list] stupid question on ossec configuration

2011-09-08 Thread Eero Volotinen
> Dumb question in return: If the network is down, how is it going to
> notify you?

It will notify when the link comes back?

>
> You probably want one or more external boxes monitoring connectivity and
> let them send messages.  Nagios?

This is used for audit purposes.

--
Eero


Re: [ossec-list] disable-account

2011-09-18 Thread Eero Volotinen
2011/9/19 Damien Hull :
> I just installed OSSEC version 2.6 on ubuntu 10.04. I tried to
> configure OSSEC to disable a user account with no luck.
>
> I tested it by typing the wrong password into "su". I get an email but
> the account is still active.
>
> How do I disable user accounts with OSSEC?
>

Is active response enabled?

--
Eero


[ossec-list] ossec 2.6 mysql install is not correct?

2011-09-18 Thread Eero Volotinen
Hi List,

Looks like the instructions at
http://www.ossec.net/wiki/Know_How:DatabaseOutput are not working for
2.6, because the database schema is not the same?

Can the correct database schema be taken from the sources under the directory
./src/os_dbd/ ?



--
Eero


[ossec-list] ossec mysql schema update files

2011-09-19 Thread Eero Volotinen
Hi List,

After upgrading to 2.6 the mysql schema is not working. Are there
update files to update the mysql schema without deleting old data?

--
Eero


Re: [ossec-list] Problem with ossec compiled support mysql

2012-03-12 Thread Eero Volotinen
2012/3/12 Roa :
> http://pastebin.com/gyqK52QQ
>
> The ossec server running in  Ubuntu .
>
>
>
> *** Making os_dbd ***
>
> make[1]: Entering directory `/home/desarrollo/ossec-hids-2.6/src/
> os_dbd'
> Compiling DB support with:
> gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\" -
> DUSE_OPENSSL     -DARGV0=\"ossec-dbd\" -DXML_VAR=\"var\" -DOSSECHIDS
> -I/usr/include/mysql  -DBIG_JOINS=1  -fno-strict-aliasing   -
> DUNIV_LINUX -DUNIV_LINUX -Wl,-Bsymbolic-functions -rdynamic -L/usr/lib/
> mysql -lmysqlclient -DDBD -DUMYSQL  *.c ../config/lib_config.a ../
> shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../
> os_xml/os_xml.a -o ossec-dbd
> /tmp/ccPgXRxv.o: In function `mysql_osdb_connect':
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:164: undefined
> reference to `mysql_init'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:178: undefined
> reference to `mysql_options'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:183: undefined
> reference to `mysql_options'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:186: undefined
> reference to `mysql_real_connect'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:189: undefined
> reference to `mysql_error'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:190: undefined
> reference to `mysql_close'
> /tmp/ccPgXRxv.o: In function `mysql_osdb_close':
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:204: undefined
> reference to `mysql_close'
> /tmp/ccPgXRxv.o: In function `mysql_osdb_query_insert':
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:215: undefined
> reference to `mysql_query'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:218: undefined
> reference to `mysql_error'
> /tmp/ccPgXRxv.o: In function `mysql_osdb_query_select':
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:240: undefined
> reference to `mysql_query'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:243: undefined
> reference to `mysql_error'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:250: undefined
> reference to `mysql_use_result'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:254: undefined
> reference to `mysql_error'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:261: undefined
> reference to `mysql_fetch_row'
> /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:268: undefined
> reference to `mysql_free_result'
> collect2: ld returned 1 exit status
> make[1]: *** [default] Error 1
> make[1]: Leaving directory `/home/desarrollo/ossec-hids-2.6/src/
> os_dbd'
>
> Error Making os_dbd
> make: *** [all] Error 1
>
>  Error 0x5.
>  Building error. Unable to finish the installation.

Are you missing the mysql-dev libraries? The package name is something
like mysql-dev or mysql-devel on Ubuntu.

To solve the problem, try installing the libraries first:

sudo apt-get install mysql-dev
sudo apt-get install mysql-devel

--
Eero



[ossec-list] any (good) audit(d) logfile decoder for ossec available?

2012-04-19 Thread Eero Volotinen
Hi List,

Is any (good) audit(d) logfile decoder for ossec available?

--
Eero


Re: [ossec-list] Suckit rootkit

2012-04-24 Thread Eero Volotinen
2012/4/24 Mike Sievers :
> Hi,
>
> ossec version is 2.6
> md5sum: 5a8582fbad878819fdcc598d15902b57  /sbin/init
> (don't know yet if it is ok)
>
> Mike
>
>
> 2012/4/23 dan (ddp) 
>
>> What version of OSSEC?
>> Does the md5 or sha for /sbin/init match what it should?
>>
>> On Sun, Apr 22, 2012 at 8:41 AM, Mike Sievers
>>  wrote:
>> > Hi List,
>> >
>> > on my opensuse 12.1 I found:
>> > Trojaned version of file '/sbin/init' detected. Signature used: 'HOME'
>> > (Suckit rootkit).
>> > I hope this is a false positive, isn't it?
>> > And some alerts like this:
>> > File '/dev/.sysconfig/network/config-lo' present on /dev. Possible
>> > hidden
>> > file.
>> >
>> > ???
>
>

How about checking with the package manager:

rpm -qf /sbin/init (which package provides that file)
rpm --verify package-name

Example from CentOS 6.2:

[root@xxx ~]# rpm -qf /sbin/init
upstart-0.6.5-10.el6.x86_64
[root@xx ~]# rpm -V upstart



--
Eero


[ossec-list] one of my ossec agents disconnect every day about a twice in a day

2012-05-12 Thread Eero Volotinen
Is there any nice way to debug why it disconnects twice a day?

The client just cannot connect to the server, and after some minutes it just
connects again. This problem is really annoying.


--
Eero


Re: [ossec-list] one of my ossec agents disconnect every day about a twice in a day

2012-05-14 Thread Eero Volotinen
2012/5/14 dan (ddp) :
> Run it in debug mode? Run the manager in debug mode?
>
> On Sat, May 12, 2012 at 4:07 AM, Eero Volotinen  wrote:
>> Is there any nice way to debug why it disconnects twice a day?
>>
>> Client just cannot connect to server and after some minutes it just
>> connects again. This problem is really annoying.

Ok, I just enabled agent debug. The normal log just says:

2012/05/13 04:30:41 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/13 06:26:02 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/13 09:00:09 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/13 10:06:03 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/13 10:06:13 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/13 10:06:13 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/13 10:55:30 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/13 13:29:29 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/13 15:24:49 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/13 18:01:54 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/13 19:22:01 ossec-agentd: INFO: Event count after '2':
7980100->4621576 (57%)
2012/05/13 19:57:14 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/13 22:08:07 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/05/13 22:18:57 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/05/13 22:33:57 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/14 00:29:17 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/14 03:07:17 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/14 05:02:37 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/14 06:12:11 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/14 06:12:12 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/14 06:12:12 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/14 07:36:58 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/14 08:25:12 ossec-agentd: INFO: Event count after '2':
4953459->3993264 (80%)
2012/05/14 09:32:19 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/14 12:07:31 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/14 13:26:40 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/14 13:26:41 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/14 13:26:41 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/14 14:02:52 ossec-syscheckd: INFO: Ending syscheck scan.
2012/05/14 15:10:41 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/14 15:10:42 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/14 15:10:42 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/14 16:37:41 ossec-syscheckd: INFO: Starting syscheck scan.

At the same time other agents are working fine..

--
Eero
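As an added example (not from the post), the agentd lines of the log above can be parsed to measure each outage and check whether the disconnects follow a pattern. The sample is the agentd portion of Eero's log, with the wrapped "Connected to the server" lines kept exactly as they appear above so the parser shows how continuation lines are joined back onto their record.

```python
"""Measure agent-to-manager outages from an OSSEC agent's ossec.log."""
import re
from collections import Counter
from datetime import datetime

# agentd lines from the log quoted in the post (plus one syscheckd line);
# the "(X.X.X.X:1514)." continuation lines are kept as wrapped in the mail.
OSSEC_LOG = """\
2012/05/13 09:00:09 ossec-syscheckd: INFO: Starting syscheck scan.
2012/05/13 10:06:03 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/13 10:06:13 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/13 10:06:13 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/14 06:12:11 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/14 06:12:12 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/14 06:12:12 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/14 13:26:40 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/14 13:26:41 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/14 13:26:41 ossec-agentd: INFO: Server responded. Releasing lock.
2012/05/14 15:10:41 ossec-agentd: WARN: Server unavailable. Setting lock.
2012/05/14 15:10:42 ossec-agentd(4102): INFO: Connected to the server
(X.X.X.X:1514).
2012/05/14 15:10:42 ossec-agentd: INFO: Server responded. Releasing lock.
"""

# timestamp, daemon (optional "(pid)"), level, message
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+?)(?:\(\d+\))?: (\w+): (.*)$"
)


def parse_ossec_log(text):
    """Return [(timestamp, daemon, level, message)], joining wrapped lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append([ts, m.group(2), m.group(3), m.group(4)])
        elif records:
            # no timestamp: continuation of the previous message
            records[-1][3] += " " + line.strip()
    return [tuple(r) for r in records]


def server_outages(records):
    """Pair each 'Server unavailable' WARN with the next 'Server responded'.

    Returns [(lock_set_ts, lock_released_ts, seconds)]; the last two are None
    if the lock was never released in the log.
    """
    out, pending = [], None
    for ts, daemon, _level, msg in records:
        if daemon != "ossec-agentd":
            continue
        if msg.startswith("Server unavailable"):
            if pending is not None:  # lock set again without a release
                out.append((pending, None, None))
            pending = ts
        elif msg.startswith("Server responded") and pending is not None:
            out.append((pending, ts, (ts - pending).total_seconds()))
            pending = None
    if pending is not None:
        out.append((pending, None, None))
    return out


def per_day_counts(outages):
    """Disconnects per calendar day, e.g. {'2012/05/14': 3}."""
    return Counter(start.strftime("%Y/%m/%d") for start, _end, _secs in outages)


def reconnect_gaps(outages):
    """Hours between successive disconnects, to spot a periodic cause."""
    starts = [s for s, _e, _d in outages]
    return [round((b - a).total_seconds() / 3600, 2)
            for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    recs = parse_ossec_log(OSSEC_LOG)
    outs = server_outages(recs)
    for start, end, secs in outs:
        print(f"{start} -> {end}  ({secs}s without the manager)")
    print("per day:", dict(per_day_counts(outs)))
    print("hours between disconnects:", reconnect_gaps(outs))
```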


[ossec-list] multiple daily email reports?

2012-06-05 Thread Eero Volotinen
Hi List,

What is the correct syntax for multiple email reports in ossec.conf?

Is it like this?

 
authentication_success
srcip
Daily report: Successful logins
m...@example.com
 


syscheck
Daily report: File changes
m...@example.com


I just want both reports in my email daily.

thanks.

br,
--
Eero


Re: [ossec-list] tcp-syn-flood-attack

2012-07-13 Thread Eero Volotinen
2012/7/13 sahil sharma :
> Hi,
>
> I want to block a TCP-SYN-FLOOD attacker attacking my server.
> I have launched the attack but I can't see any logs.
>
> How can we detect that there is flooding at the SERVER.

You need some way to detect TCP SYN flooding, maybe using custom iptables rules?

I think ossec can detect iptables log entries that carry a DROP log-prefix.

--
Eero


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Eero Volotinen
2012/9/19 Andreas Lang :
> Hello,
>
> We have some questions regarding analysing log files with OSSEC referring to
> the log file requirements in PCI-DSS 10.5.5.
>
> PCI DSS 10.5.5.:
> Use file-integrity monitoring or change-detection software on logs to ensure
> that existing log data cannot be changed without generating alerts (although
> new data being added should not cause an alert).
>
> To cover this issue we wanted to enable real-time monitoring on our log file
> directories. Unfortunately we are getting this error:
> Ignoring flag for real time monitoring on directory: '/data/'
>
> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
> are using OSSEC 2.5 for clients and server. I know, that for real-time
> monitoring the tool inotify-tools must be installed, but unfortunately this
> didn’t resolve the issue.
> Do you have any suggestions have we can make the real-time monitoring of
> growing log files working correctly?

How about installing samhain on the ossec server to monitor the ossec logs?

--
Eero


[ossec-list] commercial rule updates for ossec

2012-09-19 Thread Eero Volotinen
Hi List,

Are there any commercial rule updates available for ossec?

--
Eero


[ossec-list] ossec inotify status on rhel 5 and 6

2012-09-19 Thread Eero Volotinen
Hi,

Is inotify working on rhel 5 and 6 on ossec?

--
Eero


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Eero Volotinen
2012/9/19 dan (ddp) :
> On Wed, Sep 19, 2012 at 6:59 AM, Andreas Lang  wrote:
>> Hello,
>>
>> We have some questions regarding analysing log files with OSSEC referring to
>> the log file requirements in PCI-DSS 10.5.5.
>>
>> PCI DSS 10.5.5.:
>> Use file-integrity monitoring or change-detection software on logs to ensure
>> that existing log data cannot be changed without generating alerts (although
>> new data being added should not cause an alert).
>>
>> To cover this issue we wanted to enable real-time monitoring on our log file
>> directories. Unfortunately we are getting this error:
>> Ignoring flag for real time monitoring on directory: '/data/'
>>
>> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
>> are using OSSEC 2.5 for clients and server. I know, that for real-time
>> monitoring the tool inotify-tools must be installed, but unfortunately this
>> didn’t resolve the issue.
>> Do you have any suggestions have we can make the real-time monitoring of
>> growing log files working correctly?
>>
>> Thank you very much in advantage
>>
>> Regards.
>>
>> Andreas Lang
>>
>
> Are you sure the inotify stuff was enabled in the build? It sounds
> like the support didn't get compiled in.

Does ossec support log analysis in real time? Or only real-time directory
checksumming?

--
Eero


Re: [ossec-list] SQL Server

2012-10-08 Thread Eero Volotinen
Hi,

How about using snort or greensql?

Eero


2012/10/8 Alejandro Martinez :
> Hi all!
>
> I see that there are some rules to audit SQL Server logon/logoff.
>
> Is there any chance (maybe using profiler) to audit more things ? like
> triggers executed, sentences like create table, drop table, etc.
>
> Thanks
> Alejandro


Re: [ossec-list] Regarding installation of OSSEC in Linux systems

2012-11-16 Thread Eero Volotinen
2012/11/16 Subhadip Dutta :
> Hi,
>
> Someone asked me what extra functionality OSSEC is going to give over
> SELinux that one will install OSSEC in Linux systems and disable the
> security enabled features of SELinux. I, being new to OSSEC, could not
> answer this. Can someone kindly answer this for me?

- IDS/IPS
- File Integrity monitoring
- Alerts
- Centralized logging

You can also use SELinux with ossec, but it requires some tuning..

--
Eero


Re: [ossec-list] FreeBSD install problems

2012-11-20 Thread Eero Volotinen
2012/11/20 bujanga :
> Yes, 1 is a local admin issue.
>
> Here is more on 2 from a different server running FreeBSD
> 7.3-RELEASE-p1. I am willing to do more here if you want, just let me
> know.
>
> -
>  *** Making os_csyslogd ***
>
> gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
> -DUSE_OPENSSL  -DARGV0=\"ossec-csyslogd\" -DXML_VAR=\"var\"
> -DOSSECHIDS  *.c ../config/lib_config.a ../shared/lib_shared.a
> ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o
> ossec-csyslogd
> csyslogd.c: In function 'field_add_string':
> csyslogd.c:117: warning: implicit declaration of function 'strnlen'
> /var/tmp//cc23x9Np.o(.text+0x24f): In function `field_add_string':
> /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd/csyslogd.c:117:
> undefined reference to `strnlen'
> /var/tmp//cc23x9Np.o(.text+0x369): In function `field_add_truncated':
> /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd/csyslogd.c:142:
> undefined reference to `strnlen'
> /var/tmp//cc23x9Np.o(.text+0x57f): In function `field_add_int':
> /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd/csyslogd.c:191:
> undefined reference to `strnlen'
> *** Error code 1
>
> Stop in /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd.
>
> Error Making os_csyslogd
> *** Error code 1
>
> Stop in /root/apps/ossec/ossec-hids-2.7/src.
>
>  Error 0x5.
>  Building error. Unable to finish the installation.

Because strnlen is not part of the FreeBSD libc?

Eero


Re: [ossec-list] FreeBSD install problems

2012-11-20 Thread Eero Volotinen
Does it work on a newer version of FreeBSD?

Eero

2012/11/20 Eero Volotinen :
> 2012/11/20 bujanga :
>> Yes, 1 is a local admin issue.
>>
>> Here is more on 2 from a different server running FreeBSD
>> 7.3-RELEASE-p1. I am willing to do more here if you want, just let me
>> know.
>>
>> -
>>  *** Making os_csyslogd ***
>>
>> gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
>> -DUSE_OPENSSL  -DARGV0=\"ossec-csyslogd\" -DXML_VAR=\"var\"
>> -DOSSECHIDS  *.c ../config/lib_config.a ../shared/lib_shared.a
>> ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o
>> ossec-csyslogd
>> csyslogd.c: In function 'field_add_string':
>> csyslogd.c:117: warning: implicit declaration of function 'strnlen'
>> /var/tmp//cc23x9Np.o(.text+0x24f): In function `field_add_string':
>> /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd/csyslogd.c:117:
>> undefined reference to `strnlen'
>> /var/tmp//cc23x9Np.o(.text+0x369): In function `field_add_truncated':
>> /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd/csyslogd.c:142:
>> undefined reference to `strnlen'
>> /var/tmp//cc23x9Np.o(.text+0x57f): In function `field_add_int':
>> /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd/csyslogd.c:191:
>> undefined reference to `strnlen'
>> *** Error code 1
>>
>> Stop in /root/apps/ossec/ossec-hids-2.7/src/os_csyslogd.
>>
>> Error Making os_csyslogd
>> *** Error code 1
>>
>> Stop in /root/apps/ossec/ossec-hids-2.7/src.
>>
>>  Error 0x5.
>>  Building error. Unable to finish the installation.
>
> Because strnlen is not part of freebsd libc ?
>
> Eero


Re: [ossec-list] FreeBSD install problems

2012-11-20 Thread Eero Volotinen
2012/11/20 bujanga :
> Patch has no effect on the FreeBSD 7.x. (OSSEC v 2.6 does install)

Does? or does not?

Eero


Re: [ossec-list] FreeBSD install problems

2012-11-20 Thread Eero Volotinen
2012/11/20 Eero Volotinen :
> 2012/11/20 bujanga :
>> Patch has no effect on the FreeBSD 7.x. (OSSEC v 2.6 does install)
>
> Does? or does not?
>
> Eero

Is strnlen missing from FreeBSD 7.4?

http://www.freebsd.org/cgi/man.cgi?query=strnlen&apropos=0&sektion=0&manpath=FreeBSD+7.4-stable&arch=default&format=html

Just tested, and strnlen is really missing from FreeBSD 7.4.

--
Eero


Re: [ossec-list] FreeBSD install problems

2012-11-20 Thread Eero Volotinen
2012/11/20 bujanga :
> OSSEC 2.7 does NOT install.
>
> OSSEC 2.6 does install.
>
> On Tue, Nov 20, 2012 at 2:22 PM, Eero Volotinen  wrote:
>> 2012/11/20 bujanga :
>>> Patch has no effect on the FreeBSD 7.x. (OSSEC v 2.6 does install)
>>
>> Does? or does not?
>>
>> Eero

--- csyslogd.c-new  2012-11-20 22:53:28.0 +
+++ csyslogd.c  2012-11-20 22:54:27.0 +
@@ -23,6 +23,18 @@
 #include "csyslogd.h"
 #include "os_net/os_net.h"

+#ifndef HAVE_STRNLEN
+   size_t strnlen(char *s, size_t maxlen)
+   {
+   size_t i;
+
+   for (i= 0; i < maxlen && *s != '\0'; i++, s++)
+   ;
+   return i;
+   }
+#endif
+
+

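Review bot: the replacement strnlen in this hunk is declared as `size_t strnlen(char *s, size_t maxlen)`, but the C99/POSIX prototype in <string.h> is `size_t strnlen(const char *, size_t)`; on any platform whose header declares it, this definition conflicts with that prototype, and the `#ifndef HAVE_STRNLEN` guard only prevents that if the build defines HAVE_STRNLEN, which the gcc command line quoted earlier in this thread does not. Suggest `size_t strnlen(const char *s, size_t maxlen)` together with a build-time check that defines HAVE_STRNLEN where libc provides it (or a guard on the FreeBSD version macro), so the fallback is compiled only on the 7.x systems that need it. The loop body itself is correct.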
This is required to compile ossec on FreeBSD 7.4.

..

--
Eero


Re: [ossec-list] FreeBSD install problems

2012-11-21 Thread Eero Volotinen
So, is ossec now working fine on FreeBSD 7.4?


--
Eero

2012/11/20 Eero Volotinen :
> 2012/11/20 bujanga :
>> OSSEC 2.7 does NOT install.
>>
>> OSSEC 2.6 does install.
>>
>> On Tue, Nov 20, 2012 at 2:22 PM, Eero Volotinen  
>> wrote:
>>> 2012/11/20 bujanga :
>>>> Patch has no effect on the FreeBSD 7.x. (OSSEC v 2.6 does install)
>>>
>>> Does? or does not?
>>>
>>> Eero
>
> --- csyslogd.c-new  2012-11-20 22:53:28.0 +
> +++ csyslogd.c  2012-11-20 22:54:27.0 +
> @@ -23,6 +23,18 @@
>  #include "csyslogd.h"
>  #include "os_net/os_net.h"
>
> +#ifndef HAVE_STRNLEN
> +   size_t strnlen(char *s, size_t maxlen)
> +   {
> +   size_t i;
> +
> +   for (i= 0; i < maxlen && *s != '\0'; i++, s++)
> +   ;
> +   return i;
> +   }
> +#endif
> +
> +
>
> this is required to compile ossec on freebsd 7.4
>
> ..
>
> --
> Eero


Re: [ossec-list] FreeBSD install problems

2012-11-21 Thread Eero Volotinen
2012/11/21 Scott :
> I had problems with installing on OS X 10.5; I ended up adding a #else to
> the above and coding my own strnlen function.

So, the problem is in FreeBSD < 8.X and in OS X < 10.6.

So, this might require a patch to the official source.


Eero


Re: [ossec-list] Maximum number of agents allowed:

2013-02-28 Thread Eero Volotinen
2013/2/28 Alexander Hartner :
> Any option of achieving the same without a re-compile. Ideally we would like
> to use the binary distribution to be able to pull new versions via the rpm
> repository. Installing from source would require us to manage the version of
> OSSEC server manually.
>
> --

Well, currently the number of agents is hardcoded in the ossec sources.

--
Eero

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [ossec-list] Basic OSSEC Configuration for Web Servers / Website Security

2013-03-13 Thread Eero Volotinen
2013/3/13 Tony Perez :
> Hey Folks
>
> I put together this little post to better help those that are using OSSEC on
> their web servers:
> http://tonyonsecurity.com/2013/03/13/ossec-for-website-security-part-i/
>
> It's nothing too complicated but a little something that many seem to forget
> or not think about. Hope it helps someone.

Looks good, but how about activating active responses too? And also the
logall option? And some scripts for SMS alerts? :)

--
Eero





Re: [ossec-list] Ossec for centos 6.3

2013-03-14 Thread Eero Volotinen
2013/3/14 shai singh :
> Hi,
> Can anyone suggest where and how to install centos 6.3 using the
> yum method or should I install it manually?

See URL: http://www.ossec.net/?page_id=19

"RPMs for RHEL, CentOS, Fedora and others

Available in the AtomiCorp repository. To install:

# wget -q -O - https://www.atomicorp.com/installers/atomic |sh
# yum install ossec-hids ossec-hids-server (or ossec-hids-client for the agent)"


--
Eero





Re: [ossec-list] Ossec for centos 6.3

2013-03-14 Thread Eero Volotinen
2013/3/14 shai singh :
> Hi eero,
> I tried with this repo, then when I run yum update the next time it
> tries to upgrade all my other software, which I don't need to
> upgrade. How do I avoid that, so it will only update ossec from this repo?

http://wiki.centos.org/PackageManagement/Yum/Priorities

--
Eero





Re: [ossec-list] Ossec for centos 6.3

2013-03-14 Thread Eero Volotinen
2013/3/14 robert lazarski :
> On Thu, Mar 14, 2013 at 11:55 AM, shai singh  wrote:
>> Hi,
>> Can anyone suggest where and how to install centos 6.3 using the
>> yum method or should I install it manually?
>>
>
> I always installed manually. I had issues with 2.6 and false alerts on
> netstat, so you probably want the latest, 2.7 .
>
> Actually I just looked and don't see a centos repo entry for ossec anyways.

You could use yum-priorities:
http://wiki.centos.org/PackageManagement/Yum/Priorities
--
Eero





Re: [ossec-list] Ossec for centos 6.3

2013-03-14 Thread Eero Volotinen
2013/3/14 shai singh :
> Dear Eero,
> So next time, if I need updates for ossec, what should I
> do, bring its priority back up, is it? Thank you.

Please read that web page for more information.

--
Eero





Re: [ossec-list] Basic Windows Config questions

2013-03-15 Thread Eero Volotinen
2013/2/11 Charles Bailey :
> I wanted the 'Best' IDS for my Windows Apache server, and after a lot of
> looking around I chose OSSEC. Documentation was pretty sparse, and I'm a
> Linux newbie, but somehow I managed to install Ubuntu, OSSEC, and the Web

For a web server, mod_security is better than ossec, but it requires a lot
of configuration.

--
Eero





Re: [ossec-list] Encrypt traffic between agents and manager

2013-03-18 Thread Eero Volotinen
> First:
> I configured the manager as a central syslog, I wanted to know if there is a
> way to encrypt
> traffic between agents and manager using TLS or SSL.
>

It is already encrypted.

> Second:
> By default OSSEC archives the logs and compresses them using gzip, is it
> possible to use bzip2 ?

Not without modifications to the source code, because ossec contains an
internal gzip library for log compression.

--
Eero





Re: [ossec-list] geoip support

2013-03-20 Thread Eero Volotinen
2013/3/20 ioannis katadikos :
> Hello guys.
> i am using ossec 2.7 but during installation i did not add the geoip
> support.
> From what i can read i have to recompile the ossec with the geoip add on.
> Can this be made without loosing all ossec confs and installation variables
> (agents etc.)??
> Thanks

Yes. Remember to back up /var/ossec before recompiling. (Not
required, but as a safety measure ..)

--
Eero





Re: [ossec-list] ossec-agent-win32-2.6.exe identified as Win32:Evo-gen

2013-04-16 Thread Eero Volotinen
Hm, looks interesting:

https://www.virustotal.com/en-gb/file/5a103f752b4eca2905b885227e0ca256ae464933180ec03f9a61100f5a76b0d4/analysis/

--
Eero


2013/4/16 Laurent CREPET 

> Hello,
>
> Today, I had to download OSSEC files again. So I used wget with my old list
> of download links, on a windows workstation.
>
> When wget tried to download the following file:
> http://www.ossec.net/files/ossec-agent-win32-2.6.exe
>
> ...Avast antivirus sent an alert and blocked the download. It gives the
> following status:
> "Threat: Win32:Evo-gen [Susp]".
>
> Versions:
> - Program: 8.0.1483
> - Virus definitions: 130415-1
>
> A quick search on the OSSEC google group did not show up reports
> about file ossec-agent-win32-2.6.exe. So, even if the file is not the
> current version, I think it could be interesting to report this issue.
>
> -- Laurent.
>





Re: [ossec-list] ossec-agent-win32-2.6.exe identified as Win32:Evo-gen

2013-04-16 Thread Eero Volotinen
It is a false positive:

gpg --verify ossec-agent-win32-2.6.exe.sig
gpg: Signature made Tue 19 Jul 2011 21:25:23 EEST using RSA key ID A3901351
gpg: Good signature from "Daniel B. Cid "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 6F11 9E06 487A AF17 C84C  E48A 456B 17CF A390 1351

Please file a report with avast.

--
Eero


2013/4/16 Laurent CREPET 

> Hello,
>
> Today, I had to download OSSEC files again. So I used wget with my old list
> of download links, on a windows workstation.
>
> When wget tried to download the following file:
> http://www.ossec.net/files/ossec-agent-win32-2.6.exe
>
> ...Avast antivirus sent an alert and blocked the download. It gives the
> following status:
> "Threat: Win32:Evo-gen [Susp]".
>
> Versions:
> - Program: 8.0.1483
> - Virus definitions: 130415-1
>
> A quick search on the OSSEC google group did not show up reports
> about file ossec-agent-win32-2.6.exe. So, even if the file is not the
> current version, I think it could be interesting to report this issue.
>
> -- Laurent.
>





Re: [ossec-list] ossec-agent-win32-2.6.exe identified as Win32:Evo-gen

2013-04-16 Thread Eero Volotinen
So, at least avast fixed the false positive issue:


https://www.virustotal.com/en-gb/file/5a103f752b4eca2905b885227e0ca256ae464933180ec03f9a61100f5a76b0d4/analysis/1366141457/

--
Eero


2013/4/16 Laurent CREPET 

> Hello,
>
> I've forwarded our discussion to vi...@avast.com.
>
> Regards,
> -- Laurent.
>
>
>
> 2013/4/16 Eero Volotinen 
>
>> It is a false positive:
>>
>> gpg --verify ossec-agent-win32-2.6.exe.sig
>> gpg: Signature made Tue 19 Jul 2011 21:25:23 EEST using RSA key ID
>> A3901351
>> gpg: Good signature from "Daniel B. Cid "
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: 6F11 9E06 487A AF17 C84C  E48A 456B 17CF A390
>> 1351
>>
>> Please file a report with avast.
>>
>> --
>> Eero
>>
>>
>> 2013/4/16 Laurent CREPET 
>>
>>> Hello,
>>>
>>> Today, I had to download OSSEC files again. So I used wget with my old
>>> list of download links, on a windows workstation.
>>>
>>> When wget tried to download the following file:
>>> http://www.ossec.net/files/ossec-agent-win32-2.6.exe
>>>
>>> ...Avast antivirus sent an alert and blocked the download. It gives the
>>> following status:
>>> "Threat: Win32:Evo-gen [Susp]".
>>>
>>> Versions:
>>> - Program: 8.0.1483
>>> - Virus definitions: 130415-1
>>>
>>> A quick search on the OSSEC Google group did not show any reports
>>> about the file ossec-agent-win32-2.6.exe. So, even if the file is not the
>>> current version, I think it could be interesting to report this issue.
>>>
>>> -- Laurent.
>>>




Re: [ossec-list] How to store level 0 alerts (all logs) at server and save logs at agents?

2013-04-23 Thread Eero Volotinen
See the FAQ:

Log messages from the agents are not stored by default. After analysis they
are deleted unless the  option is included in the manager’s
ossec.conf.


2013/4/23 Aliev, Dmitry 

> Hi
> Is it possible to store full logs (level 0) from all agent hosts on the
> ossec server?
> I've changed <log_alert_level> to 0 and restarted the server, but there are
> no level 0-1 events in log/alerts/alerts.log. Or am I looking in the wrong
> directory?
>
> And more, OSSEC deletes logs from the agents. How do I tell it not to delete
> logs on the agents?
>
> Thanks
>
>
>




Re: [ossec-list] OSSEC log rotation and retention

2013-06-11 Thread Eero Volotinen
Stores forever, if logall is enabled. Rotates logs daily.

--
Eero


2013/6/11 Michael Starks 

> On 11.06.2013 08:22, Matthew Ayres wrote:
>
>> Good morning, fellow OSSEC users. I am currently working on documentation
>> for OSSEC and would like to know how long OSSEC keeps the archived
>> logs. I know it rotates them daily; I would like to know if it deletes old
>> ones and, if so, how often, and where I can change that to meet our
>> requirements.
>>
>
> As far as I know, it keeps the logs indefinitely.
>
>




[ossec-list] all cisco asa error codes (9.1) in ossec format

2013-06-22 Thread Eero Volotinen
Ripped from
http://www.cisco.com/en/US/docs/security/asa/asa91/system/message/asa91log.pdf

Available at http://ping-viini.org/pix_rules.xml

in case anyone needs them.


--
Eero





[ossec-list] Re: all cisco asa error codes (9.1) in ossec format

2013-06-22 Thread Eero Volotinen
The sources used to generate the rules are also available on request, if
anyone needs them too.


2013/6/22 Eero Volotinen 

> ripped from
> http://www.cisco.com/en/US/docs/security/asa/asa91/system/message/asa91log.pdf
>
> available at http://ping-viini.org/pix_rules.xml
>
> if anyone needs.
>
>
> --
> Eero
>

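As an added example for the two posts above (not Eero's generator and not OSSEC's stock pix_rules.xml): building local OSSEC rules from an ASA message-ID table, then replaying constructed ASA syslog lines against them to see which rule and level would fire. It assumes the stock pix decoder exposes "<severity>-<msgid>" (e.g. "4-106023") as the id field, rule 4300 as the PIX/ASA grouping rule, a locally chosen severity-to-level mapping, and a constructed five-entry excerpt of the ASA message table.

```python
"""Generate OSSEC <rule> entries for Cisco ASA message IDs and replay
constructed ASA syslog lines against them (added example, not the code
behind pix_rules.xml)."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of an ASA message table: (message id, ASA severity, text).
ASA_MESSAGES = [
    ("106023", 4, "Deny protocol src by access-group"),
    ("113005", 6, "AAA user authentication rejected"),
    ("302013", 6, "Built TCP connection"),
    ("405001", 4, "Received ARP request collision"),
    ("710003", 3, "TCP access denied by ACL"),
]

# ASA severity 0 (emergencies) .. 7 (debugging) -> OSSEC alert level.
# This mapping is a local policy choice, not something OSSEC defines.
SEVERITY_TO_LEVEL = {0: 12, 1: 10, 2: 9, 3: 7, 4: 5, 5: 3, 6: 0, 7: 0}
BASE_RULE_ID = 4300        # assumed: stock grouping rule for PIX/ASA events
FIRST_LOCAL_ID = 100000    # OSSEC reserves 100000-119999 for local rules

# Header of an ASA syslog line, "%ASA-4-106023: ..." -> (severity, message id).
ASA_HEADER_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):")


def build_rules(messages=ASA_MESSAGES, first_id=FIRST_LOCAL_ID):
    """Return a <group> element holding one <rule> per distinct ASA message id."""
    group = ET.Element("group", name="local,pix,")
    seen = set()
    rule_id = first_id
    for msgid, severity, text in messages:
        if msgid in seen:            # a message guide may list an id twice
            continue
        seen.add(msgid)
        rule = ET.SubElement(group, "rule", id=str(rule_id),
                             level=str(SEVERITY_TO_LEVEL[severity]))
        ET.SubElement(rule, "if_sid").text = str(BASE_RULE_ID)
        # Fully anchored: the decoded id is exactly "<severity>-<6 digits>".
        ET.SubElement(rule, "id").text = f"^{severity}-{msgid}$"
        ET.SubElement(rule, "description").text = f"ASA: {text}"
        rule_id += 1
    return group


def render(group):
    """Serialise the group as the fragment that would go into local_rules.xml."""
    return ET.tostring(group, encoding="unicode")


def decode_id(line):
    """Mimic the pix decoder: return "4-106023" for an ASA line, else None."""
    m = ASA_HEADER_RE.search(line)
    return f"{m.group(1)}-{m.group(2)}" if m else None


def rule_matches(pattern, value):
    """Evaluate the subset of OSSEC regex used in <id>: optional ^ and $ anchors."""
    at_start, at_end = pattern.startswith("^"), pattern.endswith("$")
    core = pattern.strip("^$")
    if at_start and at_end:
        return value == core
    if at_start:
        return value.startswith(core)
    if at_end:
        return value.endswith(core)
    return core in value


def match(group, line):
    """Return (rule id, level) of the first rule that fires for the line, or None."""
    decoded = decode_id(line)
    if decoded is None:              # not an ASA line: rule 4300 would not fire
        return None
    for rule in group.findall("rule"):
        if rule_matches(rule.findtext("id"), decoded):
            return int(rule.get("id")), int(rule.get("level"))
    return None                      # ASA line whose id the table does not cover


if __name__ == "__main__":
    rules = build_rules()
    print(render(rules))
    for sample in ("%ASA-4-106023: Deny tcp src outside:198.51.100.7/4433 ...",
                   "%ASA-7-999999: constructed unknown id"):
        print(sample, "->", match(rules, sample))
```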




Re: [ossec-list] Trouble installing Agent on Solaris 10

2013-06-24 Thread Eero Volotinen
Maybe this fixes it on the current version?

--- csyslogd.c-new  2012-11-20 22:53:28.0 +
+++ csyslogd.c  2012-11-20 22:54:27.0 +
@@ -23,6 +23,18 @@
 #include "csyslogd.h"
 #include "os_net/os_net.h"

+#ifndef HAVE_STRNLEN
+   size_t strnlen(char *s, size_t maxlen)
+   {
+   size_t i;
+
+   for (i= 0; i < maxlen && *s != '\0'; i++, s++)
+   ;
+   return i;
+   }
+#endif
+
+
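Review bot: the shim's signature `size_t strnlen(char *s, size_t maxlen)` does not match the POSIX prototype `size_t strnlen(const char *, size_t)`, so on any platform whose <string.h> already declares strnlen this block becomes a conflicting redeclaration unless HAVE_STRNLEN is defined, and nothing in the hunk shows where that macro would be set by the build. Suggest taking `const char *s`, making the function `static` so it cannot clash with a libc symbol at link time, and gating it on a define the build already passes (the failing gcc command in this thread shows `-DSOLARIS`) or on a real configure-time check. Minor: the body is indented as if it sat inside a function, and `i= 0` should read `i = 0`.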

--
Eero


2013/6/24 David Blanton 

> Here is the full message I get during the make. I noticed in an older
> thread you posted a fix and was wondering if there were any other concrete
> fixes you have available.
>
> *** Making os_csyslogd ***
>
> gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/home/dblanton/ossec\"
> -DCLIENT  -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-csyslogd\"
> -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl -lresolv *.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-csyslogd
> csyslogd.c: In function `field_add_string':
> csyslogd.c:117: warning: implicit declaration of function `strnlen'
> Undefined   first referenced
>  symbol in file
> strnlen /var/tmp//cc9GyBBv.o
> ld: fatal: Symbol referencing errors. No output written to ossec-csyslogd
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `default'
> Current working directory
> /home/dblanton/ossec-install/ossec-hids-2.7/src/os_csyslogd
>
>
> Error Making os_csyslogd
> *** Error code 1
> The following command caused the error:
> /bin/sh ./Makeall all
> make: Fatal error: Command failed for target `all'
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
>
> On Monday, June 24, 2013 12:21:16 PM UTC-4, dan (ddpbsd) wrote:
>
>> On Mon, Jun 24, 2013 at 11:59 AM, David Blanton
>>  wrote:
>> > The error I am getting during the installation process:
>> >
>> > Error Making os_csyslogd
>> > *** Error code 1
>> > The following command caused the error:
>> > /bin/sh ./Makeall all
>> > make: Fatal error: Command failed for target `all'
>> >
>> >  Error 0x5.
>> >  Building error. Unable to finish the installation.
>> >
>>
>> I have to believe there is an actual error message before this.
>>
>> >
>> > I tried the solution #vi install.sh
>> >
>> > and changed the first line of code from #!bin/sh to #!bin/bash; however,
>> > it did not work.
>> >
>> > I also tried to find that error line with / /Makeall all in vi; however, it
>> > could not find it. Any tips?
>> >
>> >




Re: [ossec-list] ossec-hids and ossec-hids-server missing from Atomicorp

2013-06-24 Thread Eero Volotinen
What files are missing? It looks like ossec requires inotify from the EPEL
repository?

Eero


2013/6/24 Michael Bradley 

> When trying to get the ossec-hids and ossec-hids-server from AtomicCorp:
> (Fedora Rhel4.1)
>
> # wget -q -O - https://www.atomicorp.com/installers/atomic |sh
> # yum install ossec-hids ossec-hids-server (or ossec-hids-client for the
> agent)
>
>
> I find the two files are missing.  So I manually browsed to the AtomicCorp
> site and found the same.  I went elsewhere for the files and found them at
> rpm.pbone.net but I couldn't verify the signature and will not use those.
>
> Any suggestions?
>
> TIA.
>
> Michael
>




Re: [ossec-list] ossec-hids client only install - missing files

2013-07-17 Thread Eero Volotinen
My guess: also install the ossec-hids-server package?

Eero


2013/7/17 Tim Starid 

> Howdy,
>
> I'm trying to install ossec-hids 2.7-24 RHEL 6 RPM from the atomic repo.
> The rpm -i works fine as does the ossec-configure. The problem is once I'm
> configured I don't have the ossec-control binary to start ossec.
>
> The only functionality I want from OSSEC is a local install. I'm going to
> use it to parse and email alerts. No agents, no active resistance, no
> frills.
>
> Does anyone know if I need to install an older RPM and then upgrade to the
> latest version or something of that nature? Or if I'm doing something
> wrong? I checked pkgs.org and it agrees that the files aren't present in
> the rpm. My output below shows my problem:
>
> [root@myserver bin]# ls
> ossec-configure
> [root@myserver bin]# pwd
> /var/ossec/bin
>
> I have the latest RPM:
> ossec-hids-2.7-24.el6.art.x86_64.rpm
>




Re: [ossec-list] OSSEC alert email hostname

2013-07-22 Thread Eero Volotinen
os_maild_client.c:snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT_FULL2,
os_maild_client.c:snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT_FULL,
os_maild_client.c:snprintf(mail->subject, SUBJECT_SIZE -1, MAIL_SUBJECT,



2013/7/22 Chris Kempel 

> I did see a post earlier about having to modify the source code.  However,
> I do not understand where it's getting the %s value.
>
> #define MAIL_SUBJECT "OSSEC Notification - %s - Alert level %d"
>
> If I knew that then I would be able to modify.
>
> When you say agent name, is it possible for me to change that?  Is that
> done via the manage-agents executable?
>
>
> On Monday, July 22, 2013 3:02:18 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Mon, Jul 22, 2013 at 4:00 PM, Chris Kempel 
>> wrote:
>> > No, it's referring to ocs since that's the hostname that the agent is
>> > running on.
>> >
>> > On Monday, July 22, 2013 2:50:54 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Jul 22, 2013 at 3:48 PM, Chris Kempel 
>> wrote:
>> >> > Is it possible to have alerts display the FQDN?  Like the example
>> below.
>> >> >
>> >> > OSSEC HIDS Notification.
>> >> > 2013 Jul 22 14:16:42
>> >> >
>> >> > Received From: (ocs) X.X.X.X->ossec
>> >> > Rule: 503 fired (level 3) -> "Ossec agent started."
>> >> > Portion of the log(s):
>> >> >
>> >> > ossec: Agent started: 'ocs->X.X.X.X'.
>> >> >
>> >> > Right now it shows ocs but I would like it to display the FQDN
>> >> > ocs.mydomain.com instead.
>> >> >
>> >> > Where do I configure that?
>> >> >
>> >>
>> >> Isn't that the agent name, not the hostname?
>> >>
>>
>> Interesting. On my system it's the agent name. Are you using the secure
>> transport mode or syslog?
>>
>> You'll have to modify the source to get it to work the way you want.
>>




Re: [ossec-list] 2.6 compile error on RHEL3u9

2013-08-29 Thread Eero Volotinen
:( er.. this must be a bad dream. Someone still using RHEL 3?

--
Eero


2012/1/12 Swartz, Patrick H 

> Yeah, I know... ya preaching to the choir I'm afraid.  Same goes for our
> SLES9, AIX5, and Solaris 8 servers... and a bunch of others that I'm too
> ashamed to mention... :-)
>
> Patrick Swartz
>
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On Behalf Of Jason 'XenoPhage' Frisvold
> Sent: Wednesday, January 11, 2012 6:53 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9
>
> On Jan 11, 2012, at 3:34 PM, Swartz, Patrick H wrote:
> >   Hi All,
> >   I need to compile 2.6 on a RHEL3u9 server but it fails at the
> > os_auth phase. The following Openssl packages are installed --
> > openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and
> > openssl-devel-0.9.7a-33.23
> > We need the compile to be built with openssl.
>
>
> RHEL 3.9?  That's a bit old at this point, no?  Redhat end-of-lifed that
> in October of 2010, which means you're not getting security updates
> anymore..  I'd recommend getting onto something newer ..
>
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
>
>


Re: [ossec-list] OSSEC Agent Fails to Install on Solaris 8

2013-10-18 Thread Eero Volotinen
Does version 2.6 or 2.7 work or compile?

--
Eero


2013/10/17 Micheal Dignin 

> Greetings,
>
> We recently decided to use OSSEC for server and workstation monitoring. I
> have been able to successfully roll it out to all of our machines, but I am
> having some issues installing the agent on an old server. This is the last
> machine that I need to install the agent on. It is running Solaris 8 and I
> have been told by members of the development team that it would take a
> large amount of time and effort to upgrade. Unfortunately, I was informed
> that upgrading is not an option and we have a security mandate to monitor
> it. I have read the documentation and verified that the following packages
> are installed: SUNWxcu4, SUNWsprot, SUNWtoo, SUNbtool, SUNWhea, SUNWarc.
> When I run the install.sh script, it stops in the following location and
> fails to install:
>
> ***Making config***
>
> gcc -c -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
> -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-config\" -DXML_VAR=\"var\"
> -DOSSECHIDS *.c
>
> active-reponse.c: In function `ReadActiveReponses':
> active-reponse.c:63: parse error before `struct'
> active-reponse.c:64: `os_group' undeclared (first use in this function)
> active-reponse.c:64: (Each undeclared identifier is reported only once
> active-reponse.c:64: for each function it appears in.)
> syscheck-config.c: In function `read_attr':
> syscheck-config.c:214: parse error before `char'
> syscheck-config.c:263: `ret' undeclared (first use in this function)
> syscheck-config.c:263: (Each undeclared identifier is reported only once
> syscheck-config.c:263: for each function it appears in.)
> syscheck-config.c:552: `i' undeclared (first use in this function)
> syscheck-config.c:553: `dir_org' undeclared (first use in this function)
> syscheck-config.c:559: warning: control reaches end of non-void function
>
> ***Error code 1
> make: Fatal error: Command failed for target `logcollector'
> Current working directory /opt/ossec-hids-2.7.1-beta-1/src/config
> Error Making config
>
> ***Error code 1
> make: Fatal error: Command failed for target `all'
>
> Error 0x5.
> Building error. Unable to finish the installation.
>
> The OSSEC agent installation compiles up to this point. I have searched
> all over the Internet for a fix on this and have not found anything on it.
> I am trying to install the ossec-hids-2.7.1-beta-1 agent.
>
> Any help on resolving this issue would be much appreciated.
>
> Thanks, 
> Michael
>


Re: [ossec-list] Customizing the OSSEC Email Alert Body??

2013-12-09 Thread Eero Volotinen
This might not be possible without modifying the ossec source code?

For example, you can modify src/os_maild/os_maild_client.c and recompile
ossec.

br,
--
Eero


2013/12/9 Jimmy L 

> Hello all,
>
> I'm currently configuring an OSSEC installation and could use some
> assistance with the email configuration. I have email alerts working fine.
> However, what I would like to have is a customized email body containing a
> brief message and a link to the Web UI. For example: "To review historical
> logs please visit the OSSEC web user interface at the following link:
> x.x.x.x/analogi". Any assistance is appreciated.  Thanks :)
>
>


[ossec-list] "minor ossec" issue

2014-02-11 Thread Eero Volotinen
Hi List,

I have some issues with ossec. My ossec server was down for about a week, and
after starting the ossec server, all clients started to flood the server; they
also eat disk I/O on the client servers.

How do I resolve this issue, i.e. reset all clients to a fresh "today" state?



--
Eero



Re: [ossec-list] OSSEC Splunk or other RHEL option?

2014-04-12 Thread Eero Volotinen
How about fluentd+kibana?
On 12.4.2014 at 16.05, "Glenn Ford" wrote:

> Hi all,
>
> I was originally going to do an OSSEC -> OSSIM setup but running into some
> issues with RHEL compliance since OSSIM is Debian.
>
> Now I was looking at Splunk (Free) Enterprise but noticed the splunk app
> to integrate OSSEC is now 2 years old and most likely does not work with
> Splunk v6.
>
> Does anyone have a SIEM solution that has a free crippleware version, such
> as AlienVault OSSIM or Splunk Enterprise, that works on RHEL?
>
> Thanks in advance,
>
> Glenn
>


Re: [ossec-list] Red Hat 7.0 and OSSEC

2014-06-01 Thread Eero Volotinen
2014-06-01 17:56 GMT+03:00 Aaron Hunter :

> Given the major changes in Red Hat 7.0 what do the OSSEC developers
> recommend with respect to upgrading from 6.x to 7.0?
>
>
Well, did you notice any issues on rhel 7 rc?


--
Eero



Re: [ossec-list] detected Malware in ossec-agent-win32-2.8.exe

2014-06-23 Thread Eero Volotinen
2014-06-23 17:06 GMT+03:00 Vilius Benetis :

> Hi,
>
> Which file exactly did you use? Where did you download it from?
>
> Please try to upload it to https://www.virustotal.com/; it will show more
> information on which engines triggered.
>
> Then as well, please provide the link here for us to see the hash of the
> file, then we could see if file was tampered with.
>
>
https://www.virustotal.com/en/file/65c84cc11b3364665568a94cef42518847d981151b0b2ebe49f83211b7f0b530/analysis/

downloaded from: ossec-agent-win32-2.8.exe


I hope that is a false positive :)

--
Eero



Re: [ossec-list] Ossec compatibility with Redhat

2014-07-16 Thread Eero Volotinen
2014-07-16 10:35 GMT+03:00 Amritha Kumar :

> Hi,
>
> One of my customers has installed Ossec on a RedHat server, RHEL 5.4. Now
> this server needs to be patched as per PCI DSS requirements. The current RedHat
> OS version is RHEL 5.4; once patched, the version will be 5.10. Please let
> us know if Ossec v2.6 is compatible with RHEL 5.10.
>
>
>
Yes, it is compatible. Note that you should also update ossec to the latest
stable release, as required by the PCI DSS patching requirements.

--
Eero



[ossec-list] pgp signatures for releases

2014-11-08 Thread Eero Volotinen
Hi List,

I'm looking for gpg signatures for ossec releases. Where can I download them?

--
Eero



Re: [ossec-list] pgp signatures for releases

2014-11-12 Thread Eero Volotinen
2014-11-12 16:08 GMT+02:00 dan (ddp) :

> On Sat, Nov 8, 2014 at 5:12 AM, Eero Volotinen 
> wrote:
> > Hi List,
> >
> > looking for gpg signatures for ossec releases? where I can download them?
> >
>
> It doesn't look like they're currently offered.
>

So, is there any way to verify that the source distribution has not been
tampered with? A SHA checksum from the same server is not a reliable way to do this.

--
Eero



Re: [ossec-list] Monitoring /var/ossec

2014-11-30 Thread Eero Volotinen
2014-12-01 0:20 GMT+02:00 :

> Hi,
>
> In a test installation, I noticed that if I add the /var/ossec directory to
> the list of directories that syscheck should monitor, disk usage grows
> really fast. In less than 2 hours, disk usage on a test system doubled.
>
> What's the best practice for monitoring /var/ossec? I want to keep an eye
> on what's going on inside that directory, but not use up that much disk
> space.
>
> In general, what's the recommended method of monitoring a log directory?
>

How about using samhain or auditd for that?

--
Eero



Re: [ossec-list] Juniper SSG > OSSEC via syslog

2014-12-08 Thread Eero Volotinen
> I'm looking to avoid having to worry about disk space for this sort of
> config.
>
>
You must be joking? Disk space is _very_ cheap nowadays and it's also
possible to use compression ..

--
Eero



Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-10 Thread Eero Volotinen
2015-02-10 18:42 GMT+02:00 shankey :

> Hi team,
>
> Can I use OSSEC as a FIM solution to clear my PCI audit? If yes,
>

Yes, it can act as a FIM.


> then help me with the hardware requirement and installation procedure.
>

Err. Maybe you need to hire a consultant..

--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-11 Thread Eero Volotinen
You need to enable logging to the syslog server first. The command is like
logging trap, for example:

conf t
logging trap notifications
wr

br,
Eero
--

2015-02-11 8:50 GMT+02:00 Network Infrastructure :

> This is the message when I use the command:
>
> but it doesn't work
>
> ASA5520# sh run log
> logging enable
> logging asdm informational
> logging host inside 192.168.10.11
> ASA5520# sh run | inc log
>  service-object tcp eq klogin
>  service-object tcp eq login
>  service-object udp eq syslog
>  service-object udp eq syslog
>  service-object udp eq syslog
> logging enable
> logging asdm informational
> logging host inside 192.168.10.11
>
>
> On Friday, February 6, 2015 at 9:11:33 AM UTC+7, Network Infrastructure
> wrote:
>
>> I have configured OSSEC to monitor my ASA 5520 but I cannot see anything
>>
>> In ASA 5520, I enable syslog server to send syslog to my OSSEC
>>
>>
>> In OSSEC, in /var/ossec/etc/ossec.conf, I configured:
>>
>> 
>>
>> 
>>   syslog
>>   IP_OF_CISCO_DEVICE
>> 
>> 
>>   yes
>> 
>>
>> 
>>
>> Then I restart ossec services but I cannot see anything.
>>
>>
>> Help me please ...
>>


Re: [ossec-list] Can use OSSEC for FIM solution ,

2015-02-11 Thread Eero Volotinen
2015-02-11 12:42 GMT+02:00 shankey :

>
> How do the server and client communicate? What are the ports that need to be open?
>
> Can we use some other port for client-to-server communication?
>
>
>
HOW about reading the *docs* first?

--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-11 Thread Eero Volotinen
2015-02-12 6:06 GMT+02:00 Network Infrastructure :

> When I open ossec.log I saw that:
>
> Remote syslog allowed from: '192.168.10.1'
> Error: Unable to bind port '514'
>
>
is syslog already using that port?

--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-12 Thread Eero Volotinen
2015-02-12 10:18 GMT+02:00 Network Infrastructure :

> I don't know about this problem
>
>
You cannot run two services (daemons) on the same port. You need to reconfigure
syslog and/or disable and stop it.

--
Eero
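The port conflict behind "Unable to bind port '514'" is easy to confirm before touching any config. The following is an added example for this page, not code from the thread or from the OSSEC project: it parses the output of `ss -lunp` (the sample output, process names and pids below are constructed for the example) to report which process already owns UDP/514 and, for the common rsyslog case, which directives to remove so ossec-remoted can take the port instead.

```python
import re
import subprocess

# Constructed sample of `ss -lunp` output (column layout as printed by iproute2;
# the process names and pids are made up for this example).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:514       0.0.0.0:*     users:(("rsyslogd",pid=812,fd=6))
UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=640,fd=6))
UNCONN 0      0      [::]:514          [::]:*        users:(("rsyslogd",pid=812,fd=7))
"""

# Matches the first ("name",pid=N ...) pair in the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def udp_listeners(ss_output, port):
    """Return [(process, pid, local_addr)] for sockets bound to UDP `port`.

    Parses the text of `ss -lunp`. Run ss as root, otherwise the Process
    column is empty and the process is reported as "?" with pid 0.
    """
    found = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, lport = fields[3].rpartition(':')   # also handles [::]:514
        if lport != str(port):
            continue
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        found.append((proc, pid, addr))
    return found


def conflict_hint(listeners):
    """One-line advice for the usual culprits holding the syslog port."""
    names = {proc for proc, _, _ in listeners}
    if not names:
        return "UDP/514 is free; ossec-remoted can bind it."
    if "rsyslogd" in names:
        return ("rsyslogd holds UDP/514: comment out its UDP input in "
                "/etc/rsyslog.conf ($ModLoad imudp / $UDPServerRun 514, or "
                'module(load="imudp") / input(type="imudp" port="514")), '
                "restart rsyslog, or move one of the two daemons to another port.")
    if "syslog-ng" in names:
        return "syslog-ng holds UDP/514: remove its udp() source or change its port."
    return "UDP/514 is held by %s; stop it or change its port." % ", ".join(sorted(names))


def live_check(port=514):
    """Run ss on this host (needs iproute2; root to see process names)."""
    out = subprocess.run(["ss", "-lunp"], capture_output=True,
                         text=True, check=True).stdout
    return udp_listeners(out, port)


if __name__ == "__main__":
    hits = udp_listeners(SAMPLE_SS_OUTPUT, 514)
    for proc, pid, addr in hits:
        print("UDP/514 bound by %s (pid %d) on %s" % (proc, pid, addr))
    print(conflict_hint(hits))
```

Run `live_check()` on the manager itself to check the real socket table; if the system syslog daemon is the holder, the cleaner fix is usually to keep it listening on the loopback only, or not at all, and let ossec-remoted own UDP/514 for the network devices.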



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-12 Thread Eero Volotinen
2015-02-12 10:47 GMT+02:00 Network Infrastructure :

> can you guide me to config it?
>
>
No, you need to use google to find instructions to do that.

--
Eero



Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-13 Thread Eero Volotinen
2015-02-13 17:43 GMT+02:00 Network Infrastructure :

> I don't see anything but I think I config my ASA working properly.
>
>
Well, well.

http://www.killyourdarlingsjournal.com/wp/wp-content/uploads/2014/06/5881861191_90de8b5bc9.jpg


--
Eero



Re: [ossec-list] Cannot OSSEC to MySQL Server

2015-03-21 Thread Eero Volotinen
2015-03-21 19:18 GMT+02:00 Network Infrastructure :

> Help me please!
>
> I installed and configured OSSEC on CentOS 6.6
> and also install XAMPP 1.8.1 to sent report to MySQL Server but I got
> error as below:
>
> ossec-dbd(5202): ERROR: Error connecting to database
> 'xxx.xxx.xxx.xxx'(ossec): ERROR: Can't connect to MySQL server on
> 'xxx.xxx.xxx.xxx'
>

Is authentication configured correctly on ossec and also on mysql-server?

--
Eero



Re: [ossec-list] Cannot OSSEC to MySQL Server

2015-03-21 Thread Eero Volotinen
Is telnet 127.0.0.1 3306 working? No connection refused reply?

Eero

On 21.3.2015 at 7:36 PM, "Network Infrastructure" <
panhatiger...@gmail.com> wrote:
>
> Help me please!
>
> I installed and configured OSSEC on CentOS 6.6
> and also install XAMPP 1.8.1 to sent report to MySQL Server but I got
error as below:
>
> ossec-dbd(5202): ERROR: Error connecting to database
'xxx.xxx.xxx.xxx'(ossec): ERROR: Can't connect to MySQL server on
'xxx.xxx.xxx.xxx' (110).
>
>
> Help me please!
>
> Thank
>



Re: [ossec-list] Cannot get Syslog from Cisco Devices

2015-03-24 Thread Eero Volotinen
Try the following settings on cisco (asa)

logging enable

logging trap notifications



--

Eero

2015-03-24 22:09 GMT+02:00 Nhen Panha :

> Hello sir!
>
> Today, I would like to ask you the problem between configuration Ossec and
> Cisco devices.
>
> In cisco router and switch I config:
>
> logging on
> logging host IP_OF_MY_OSSEC_SERVER
> logging trap alerts
> logging facility local7
>
> In the Ossec manager:
>
> in the file ossec.conf, I add
>
> <ossec_config>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>IP_OF_CISCO_DEVICE</allowed-ips>
> </remote>
> <global>
>   <logall>yes</logall>
> </global>
>
> </ossec_config>
>
> Then I restart the Ossec services but in the
> file /var/ossec/logs/archives/archives.log
> I didn't see anything. So help me please
>
>
> Thank with best regard
>



Re: [ossec-list] Re: Cannot get Syslog from Cisco Devices

2015-03-24 Thread Eero Volotinen
2015-03-24 23:31 GMT+02:00 Nhen Panha :

> Help me to configure my router with ossec manager
>

Do you really understand how cisco logging works?  logging trap XXX sets
the log level of cisco logging to syslog.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_09.html#wp1015177

try logging trap informational and test again.

level alerts almost disables logging, so you don't get many logs to syslog
or ossec.

--
Eero
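To make the "logging trap" point concrete: the level is a threshold, and a message only leaves the device if its own severity number is at or below the configured level (0 = emergencies ... 7 = debugging). The following is an added example for this page, not code from the thread or from Cisco or OSSEC: it parses the `%FACILITY-SEVERITY-MNEMONIC:` header that both IOS and ASA syslog messages carry and shows which of a few constructed sample lines would reach the OSSEC manager under `logging trap alerts` versus `logging trap informational`. The sample lines are modelled on the Cisco format; the addresses and connection details in them are invented.

```python
import re

# Cisco syslog severity levels. `logging trap <level>` forwards a message only
# if its severity number is <= the configured level (lower = more severe).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# %FACILITY-SEVERITY-MNEMONIC: text   (used by IOS and ASA alike)
HEADER_RE = re.compile(r'%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):')

# Constructed sample messages in the Cisco format; details are invented.
SAMPLES = [
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/443 "
    "(203.0.113.9/443) to inside:192.168.10.25/51234 (198.51.100.2/51234)",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:192.168.10.11/22 "
    "by access-group \"outside_in\"",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.10.40)",
    "%ASA-1-105001: (Primary) Disabling failover.",
]


def severity_of(msg):
    """Return (facility, severity, mnemonic) from the Cisco header, or None."""
    m = HEADER_RE.search(msg)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def forwarded(msg, trap_level):
    """Would the device send `msg` to its syslog host under `logging trap <trap_level>`?"""
    parsed = severity_of(msg)
    if parsed is None:
        return False
    return parsed[1] <= SEVERITY[trap_level]


def forwarded_subset(msgs, trap_level):
    """The messages that survive the trap threshold, in original order."""
    return [m for m in msgs if forwarded(m, trap_level)]


if __name__ == "__main__":
    for level in ("alerts", "notifications", "informational"):
        kept = forwarded_subset(SAMPLES, level)
        print("logging trap %-13s -> %d of %d messages reach the syslog host"
              % (level, len(kept), len(SAMPLES)))
        for m in kept:
            print("    " + m[:70])
```

With `logging trap alerts` only the failover message survives; the denied SSH connection (severity 4) and the configuration change (severity 5) are dropped on the device and never reach OSSEC, which is exactly why archives.log stays empty. `informational` lets all four through; `debugging` is rarely worth the volume.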



Re: [ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-31 Thread Eero Volotinen
How about reading the documentation ?

Eero
On 31.3.2015 at 6:17 PM, "Nhen Panha" wrote:

> Sorry sir!
>
> My skill is Cisco configuration. I don't know how to Configure windows to
> track the information.
> Could you help me please?
>
> On Sunday, March 29, 2015 at 6:22:01 PM UTC+7, Nhen Panha wrote:
>>
>> Hi sir!
>>
>> Last week I have install OSSEC to monitor my Windows Server and Windows
>> 8.1.
>>
>> I want to control all activities that users do something in My Windows
>> for example I want to know when user open browser, copy document,
>> .
>>
>> What should I config OSSEC manager and my Windows?
>>
>> Help me please?
>>



Re: [ossec-list] ERROR: Invalid ID for the source ip: 'x.x.x.x'

2015-04-07 Thread Eero Volotinen
2015-04-07 21:55 GMT+03:00 Sinisha Erceg :

>  Hello,
>
>
>
> I apologize in advance for lack of understanding and I’ve attempted to
> look through the forums but I have inherited OSSEC from a predecessor and I
> have limited *nix experience.  I’ve managed to fix some items but some are
> still very bewildering.
>
>
>
> I’ll start with the error:  ERROR: Invalid ID for the source ip: 'x.x.x.x'
> and the IP addresses they list are nowhere in our agent listing.  I’m
> having issues even trying to discover the host that this error is
> indicating but there are a whole bunch of these for IP addresses that we
> have not installed OSSEC on.
>
>
>
> Where can I start to look?  Again, without going into this too much more,
> I have attempted to search the forums and can find information generally on
> this error if the IP is valid but I’m stumped on the fact that it’s giving
> me this error knowing that those IPs have never been added to the server.
>
>
>
> Any assistance would be greatly appreciated.
>
>
>
Hi,

The agent key contains the IP address of the agent, if ANY is not used instead of
the IP address.

check the documentation about agents:
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-management.html

--
Eero



Re: [ossec-list] ERROR: Invalid ID for the source ip: 'x.x.x.x'

2015-04-07 Thread Eero Volotinen
Is the source address incorrect? IPsec connections and firewalls with NAT rules
can cause this kind of issue.

Try dumping ossec traffic on the manager and check that the source IP is correct?

Eero
On 7.4.2015 at 11:36 PM, "Sinisha Erceg" wrote:

>  Thanks Eero for your quick reply.  I am aware of this and we only use
> either a direct IP address or a subnet range.  Would this still occur using
> a subnet?  We explicitly do not use ANY.  I may have tested this on a box a
> while back but it’s nothing that is currently being used for any of our
> monitored hosts.
>
>
>
>
>
> *Sinisha Erceg* IT Security Analyst
>
>
>
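The check Eero describes in these two replies, and again in the later "ossec-remoted(1213): WARN: Message from x.x.x.x not allowed" thread further down this page, is the same one: the manager compares the UDP source address of each agent datagram with the IP field of the agent's entry in client.keys (an exact address, a CIDR range, or the word any). NAT or an IPsec gateway rewrites that source address, so the entry no longer covers it. The following is an added example for this page, a simplified model written here and not OSSEC's own remoted code: it parses a constructed client.keys file (IDs, names and keys are made up) and classifies an incoming source IP the way the two warnings on this page do.

```python
import ipaddress

# Constructed client.keys content (format: ID NAME IP KEY). The keys are
# invented for this example. Entry 002 uses a CIDR range, entry 003 uses 'any'.
SAMPLE_CLIENT_KEYS = """\
001 web01 192.168.5.20 5b1e9c0fdeadbeef00112233445566778899aabbccddeeff0011223344556677
002 dbhosts 10.20.0.0/24 9f3a7c11deadbeef00112233445566778899aabbccddeeff0011223344556677
003 roaming any 0c0ffee5deadbeef00112233445566778899aabbccddeeff0011223344556677
"""


def parse_client_keys(text):
    """Return [{'id','name','ip','key'}] from client.keys text; malformed lines skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        entries.append(dict(zip(("id", "name", "ip", "key"), parts)))
    return entries


def ip_matches(entry_ip, src_ip):
    """True if the key's IP field covers src_ip: exact address, CIDR, or 'any'."""
    if entry_ip.lower() == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry_ip, strict=False)


def check_source(entries, src_ip, agent_id=None):
    """Simplified model of the manager-side check on one agent datagram.

    Returns (status, entry):
      ("ok", entry)           a key covers src_ip (and the claimed ID's key does)
      ("invalid_id", entry)   agent_id exists but its key's IP does not cover src_ip
      ("not_allowed", None)   no key covers src_ip at all
    These correspond to the two warnings quoted on this page; the model is
    written for this example, not taken from OSSEC's source.
    """
    if agent_id is not None:
        for e in entries:
            if e["id"] == agent_id:
                return ("ok", e) if ip_matches(e["ip"], src_ip) else ("invalid_id", e)
    for e in entries:
        if ip_matches(e["ip"], src_ip):
            return ("ok", e)
    return ("not_allowed", None)


if __name__ == "__main__":
    entries = parse_client_keys(SAMPLE_CLIENT_KEYS)
    strict = [e for e in entries if e["ip"].lower() != "any"]
    # Agent 001 behind a NAT gateway: the datagram arrives from the gateway address.
    print(check_source(strict, "192.168.5.1", agent_id="001"))   # ('invalid_id', ...)
    print(check_source(strict, "192.168.5.1"))                   # ('not_allowed', None)
    print(check_source(strict, "192.168.5.20", agent_id="001"))  # ('ok', ...)
    print(check_source(strict, "10.20.0.77"))                    # ('ok', ...) via CIDR
    print(check_source(entries, "203.0.113.9"))                  # ('ok', ...) via 'any'
```

To see the real source address on the manager, capture the agent traffic (default UDP/1514) with something like `tcpdump -ni any udp port 1514` and compare it with the IP field of the agent's line in /var/ossec/etc/client.keys; if it is the gateway's address, either register the agent with that address or the covering subnet, or use any and accept that the IP check no longer adds anything.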



Re: [ossec-list] JD for review: Oracle GL Restructuring Technical Consultant @ Dublin, OH

2015-04-07 Thread Eero Volotinen
Hi,

Please stop spamming ossec list.

--
Eero

2015-04-08 0:16 GMT+03:00 saquib ansari :

> *Please have a look on the below requirement and if interested revert me
> back with your updated profile.*
>
>
>
> *Role: Oracle GL Restructuring Technical Consultant*
>
> *Location: Dublin, OH*
>
> *Start Date:  ASAP*
>
> *Duration:2+ months*
>
>
>
>
>
> *Job Description   *
>
>
>
> ERP Fins/EBS Core Financials/Technical/GL Restructuring
>
> • Client is looking for technical resource that can help them with
> EBS data chances due to a restructuring project.
>
> • The desired experience for this work is someone who has done
> divestiture projects/GL restructuring.  The need is to have someone start
> on-site in Dublin, Ohio ASAP and have them on site for approximately 2
> months.
>
> Please see below for a list of modules that the resource should be
> familiar with:
>
>   Fixed assets
>
>   Payables
>
>   Projects
>
>   General Ledger
>
>   AL
>
>   Purchasing
>
>   Property Manager
>
>
>
>
>
> *Saquib Ansari*
>
> *IT Recruiter   *|
> *Technology Resource Group Inc.  *3736 Hills-dale Court Santa Clara, CA
> 95051
>
> Office: 408-709-1760. EXT: 848. Fax: 408-884-2409
>
> saq...@tresourceinc.com | www.tresourceinc.com
>



Re: [ossec-list] ETL Developer at Woodlawn,MD

2015-04-09 Thread Eero Volotinen
Please remove this spammer from the mailing list?

--
Eero

2015-04-09 19:23 GMT+03:00 saquib ansari :

> *
>   NOTE: Only
> for W2 candidates*
>
>
> *Job Title:* ETL Developer
>
> *Location:* Woodlawn, MD
>
> *Duration:*  2+ years(extendable)
>
> *Minimum Experience: * 5+ Years
>
> *Required Education: * BA/BS Degree
>
>
>
> *Job Description:*
>
>
>
> We have an immediate need for an* ETL Developer (Tier III) *who will:
>
>- Plan, conduct, and coordinate software development activities.
>- Design, develop, document, test, and debug software that contains
>logical and mathematical solutions to business/mission problems or
>questions in computer language for solutions by means of data processing
>equipment.
>- Apply the appropriate standards, processes, procedures, and tools
>throughout the development life cycle.
>- Apply knowledge of computer hardware and software subject matter to
>be programmed in business/mission applications, information processing
>techniques used, and information gathered from system users to develop
>software.
>- Correct program errors, prepare operating instructions, compile
>documentation of program development, and analyze system capabilities to
>resolve questions of program intent, output requirements, input data
>acquisition, programming techniques, and controls.
>- Ensure software standards are met.
>- Support the maintenance and development of the extract transform and
>load (ETL) aspects of the data warehouse.
>- Maintain an understanding of the inputs received from the data
>source providers.
>- Support the analysis, design, development and implementation of new
>ETL requirements.
>- Recommend changes to enhance the data warehouse data cleansing and
>conversion processes.
>- Support testing and validation of the new data conversion processes.
>- Be responsible for supporting planning activities and supporting the
>on schedule delivery of milestone and deliverables.
>
> *Job Requirements:*
>
>- Must possess three (3) years Informatica experience and five (5) to
>eight (8) years’ related experience.
>- Must possess effective oral and written skills and strong analytical
>and problem solving capabilities.
>- Must have a working knowledge of the SDLC and the associated
>processes and documentation.
>- Must be a team player able to work in a dynamic environment.
>
> *Education:*
>
>- Bachelor of Science in related field or equivalent years of
>experience.
>
>
> *Saquib Ansari*
>
> *IT Recruiter   *|
> *Technology Resource Group Inc.  *3736 Hills-dale Court Santa Clara, CA
> 95051
>
> Office: 408-709-1760. EXT: 848. Fax: 408-884-2409
>
> saq...@tresourceinc.com | www.tresourceinc.com
>



Re: [ossec-list] Problem with snort

2015-05-02 Thread Eero Volotinen
How is snort logging configured? Full or fast mode?
On 3.5.2015 at 2:51 AM, "AMINE.E" wrote:

> Hi
>
> I have noticed something with snort-full log format, that it is not
> logging the *full_log* into "/var/ossec/logs/alerts/alert.log".
> it just takes the *first* line and logs it. And when i ran
> ossec-logcollector with debug mode i can see this :
> 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:
> 
>
> syslog ? it is not what i have configured ossec to. Because :
> <localfile>
>   <log_format>snort-full</log_format>
>   <location>/var/log/snort/alert</location>
> </localfile>
> where might be the problem ?
>



Re: [ossec-list] Error on osssec 2.8.1 installation - Permission Issue?

2015-05-04 Thread Eero Volotinen
Really root user? Try again..

Eero
On 5.5.2015 at 2:53 AM, "Bruno Alvisio" wrote:

> Hello,
>
> I am trying to install osssec 2.8.1 on Linux hybrid version. When I run
> the ./install.sh script as root: I get the following error:
>
> ./install.sh: line 725: ./etc/ossec.mc: Permission denied
>
>
> 5- Installing the system
>
> ./install.sh: line 69: ./src/LOCATION: Permission denied
>
> ./install.sh: line 77: ./src/Config.OS: Permission denied
>
>  - Running the Makefile
>
> ./Makeall: line 62: Config.OS: Permission denied
>
> ./Makeall: line 67: Config.OS: Permission denied
>
> ./Makeall: line 68: Config.OS: Permission denied
>
> ./Makeall: line 77: Config.OS: Permission denied
>
> ./Makeall: line 126: isbigendian.c: Permission denied
>
> cc: isbigendian.c: No such file or directory
>
> cc: no input files
>
> ./Makeall: line 128: ./isbigendian: No such file or directory
>
> INFO: Little endian set.
>
> ./Makeall: line 141: Config.OS: Permission denied
>
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>
> make[1]: Entering directory `/home/balvisio/ossec-hids-2.8.1/src/external'
>
> ../Config.Make:8: ../Config.OS: No such file or directory
>
> make[1]: *** No rule to make target `../Config.OS'.  Stop.
>
> make[1]: Leaving directory `/home/balvisio/ossec-hids-2.8.1/src/external'
>
>
> Error Making zlib
>
> make: *** [all] Error 1
>
>
>  Error 0x5.
>
>  Building error. Unable to finish the installation.
>
>
>
> I am not sure if this is a permissions' issue given that I am 'root' or
> there is something going on with the 'isbigendian.c' file that cannot be
> found. Any help would be greatly appreciated.
>
> Bruno
>



Re: [ossec-list] Error on osssec 2.8.1 installation - Permission Issue?

2015-05-05 Thread Eero Volotinen
Well. What is the output of id? Is one of the filesystems mounted read-only? What is
the output of the mount command?

Eero
On 5.5.2015 at 4:40 AM, "Bruno Alvisio" wrote:

> I am quite sure I am the root user.
>
> Also while the script runs, I get the following messages:
>
> 
>
>   3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
>
>
>- Remote syslog enabled.
>
> ./install.sh: line 680: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 681: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 682: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 683: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 687: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 688: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 689: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 690: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 695: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 696: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 697: ./etc/ossec.mc: Permission denied
>
> ./install.sh: line 701: ./etc/ossec.mc: Permission denied
>
> -
>
>
> I am pretty sure I am root since the script doesn't even start if you are
> not.
>
>
> Thanks,
>
>
> Bruno
>
>
>
>
> On Monday, May 4, 2015 at 5:02:11 PM UTC-7, Eero Volotinen wrote:
>>
>> Really root user? Try again..
>>
>> Eero
>> On 5.5.2015 at 2:53 AM, "Bruno Alvisio" wrote:
>>
>>> Hello,
>>>
>>> I am trying to install osssec 2.8.1 on Linux hybrid version. When I run
>>> the ./install.sh script as root: I get the following error:
>>>
>>> ./install.sh: line 725: ./etc/ossec.mc: Permission denied
>>>
>>>
>>> 5- Installing the system
>>>
>>> ./install.sh: line 69: ./src/LOCATION: Permission denied
>>>
>>> ./install.sh: line 77: ./src/Config.OS: Permission denied
>>>
>>>  - Running the Makefile
>>>
>>> ./Makeall: line 62: Config.OS: Permission denied
>>>
>>> ./Makeall: line 67: Config.OS: Permission denied
>>>
>>> ./Makeall: line 68: Config.OS: Permission denied
>>>
>>> ./Makeall: line 77: Config.OS: Permission denied
>>>
>>> ./Makeall: line 126: isbigendian.c: Permission denied
>>>
>>> cc: isbigendian.c: No such file or directory
>>>
>>> cc: no input files
>>>
>>> ./Makeall: line 128: ./isbigendian: No such file or directory
>>>
>>> INFO: Little endian set.
>>>
>>> ./Makeall: line 141: Config.OS: Permission denied
>>>
>>>
>>>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
>>>
>>> make[1]: Entering directory
>>> `/home/balvisio/ossec-hids-2.8.1/src/external'
>>>
>>> ../Config.Make:8: ../Config.OS: No such file or directory
>>>
>>> make[1]: *** No rule to make target `../Config.OS'.  Stop.
>>>
>>> make[1]: Leaving directory `/home/balvisio/ossec-hids-2.8.1/src/external'
>>>
>>>
>>> Error Making zlib
>>>
>>> make: *** [all] Error 1
>>>
>>>
>>>  Error 0x5.
>>>
>>>  Building error. Unable to finish the installation.
>>>
>>>
>>>
>>> I am not sure if this is a permissions' issue given that I am 'root' or
>>> there is something going on with the 'isbigendian.c' file that cannot be
>>> found. Any help would be greatly appreciated.
>>>
>>> Bruno
>>>



Re: [ossec-list] Blank /etc/hosts.deny

2015-05-10 Thread Eero Volotinen
Well, did you activate active response? It might modify hosts.deny..
On 10.5.2015 at 7:53 PM,  wrote:

> Hi,
>
> Before installing OSSEC on a Debian 8 server, I took a look at the
> hosts.deny and hosts.allow files and noted that they were not blank. After
> installing OSSEC, however, the hosts.deny file is blank, not even a comment
> or # character.
>
> Is that expected, or did something go wrong during installation?
>
> TIA,
>
>
>
> --
> finid
>



Re: [ossec-list] authenticated smtp usage...

2015-06-15 Thread Eero Volotinen
How about using postfix on localhost? Much better solution..
On Jun 15, 2015 6:04 PM, "Mark Feferman"  wrote:

> I know this topic has been discussed many times, but I'm not sure why it
> isn't implemented.
>
> send_from_email_username
> email_password
>
> Granted, there are going to be issues sending to smtp servers that require
> SSL/TLS, etc.., but that's far less of an issue (i.e., finding one that
> doesn't require SSL/TLS) that finding one that doesn't require
> authentication.
>
> I understand the security aspect, but the database credentials are already
> stored there in plain text.
>
> $.02
>



Re: [ossec-list] Updating ossec is done on ossec server only

2015-07-27 Thread Eero Volotinen
Yes, you should update clients too.

Eero
On 26.7.2015 at 2:57 PM, "HMath" wrote:

> Greetings,
>
> I have updated ossec server to latest version , should I update it also in
> all clients ?
>
> Thank you
>



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Eero Volotinen
Well, you need to give the correct permissions to apache, as the wui is running
under the apache uid..

Eero
On 8.8.2015 at 8:27 PM, "Daniel Twardowski" wrote:

>
> I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured
> a few domain controllers to send it their logs. When I came in today, the
> WUI is displaying an error of:
> "Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open
> stream: Value too large for defined data type in
> /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839"
>
> My alerts.log file is 3.5G. If I delete it and restart ossec services, the
> file is recreated at 3.5G. Is this an issue with file size? If so, can I up
> the log rotation to more than just once a day? And how would I flush
> whatever buffer keeps recreating the 3.5G alerts.log file so I can get back
> to reviewing logs?
>
> Similar, but unanswered message from 2013:
> https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ
>
> Thanks.
>
> Dan
>



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Eero Volotinen
Well,

Check memory_limit on php also.

Ossec wui is no longer supported. You should use kibana+elastic search
instead of it.

Eero

Thanks for the quick response.

I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the
error.

I then chmod'ed alerts.log from 640 to 666 and still got the error.

Alerts.log is still growing, though. Up to 4.2G.

On Saturday, August 8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote:
>
> Well, you need to give the correct permissions to apache, as the wui is running
> under the apache uid..
>
> Eero
> On 8.8.2015 at 8:27 PM, "Daniel Twardowski" wrote:
>
>>
>> I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I
>> configured a few domain controllers to send it their logs. When I came in
>> today, the WUI is displaying an error of:
>> "Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open
>> stream: Value too large for defined data type in
>> /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839"
>>
>> My alerts.log file is 3.5G. If I delete it and restart ossec services,
>> the file is recreated at 3.5G. Is this an issue with file size? If so, can
>> I up the log rotation to more than just once a day? And how would I flush
>> whatever buffer keeps recreating the 3.5G alerts.log file so I can get back
>> to reviewing logs?
>>
>> Similar, but unanswered message from 2013:
>> https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ
>>
>> Thanks.
>>
>> Dan
>>



Re: [ossec-list] Glibc 2.14 dependency

2015-08-27 Thread Eero Volotinen
Just install it from sources or from atomic repo..

Eero
On 27.8.2015 at 3:02 PM, "Onion Guy" wrote:

> Hello all,
>
> It appears the latest version of OSSEC requires glibc 2.14.  Are there any
> versions that require a lower version, specifically 2.12?  I am running
> CentOS 6 so this is posing an issue.
>
> Thanks.
>



Re: [ossec-list] Checkpoint OPSEC Certification

2015-09-25 Thread Eero Volotinen
Hi,

Are there any problems with setting checkpoint to log to syslog and then using the
ossec agent on the box to forward logs to the ossec server? This is the usual way
to do this..

--
Eero

2015-09-25 0:37 GMT+03:00 :

> Hello, I'm trying to get my Checkpoint firewall, IPS, VPN, etc. logs into
> OSSEC, but Checkpoint is telling me that it has to be OPSEC certified in
> order to make a connection. If you are pulling your CheckPoint Gaia R77.20
> firewall logs into OSSEC, how did you do it? I have seen the articles on
> forwarding syslog, but those are only the OS log files. I have also seen this
> article on using an 'agent in the middle' to create a secure connection, but
> there has to be a better way. Any help would be greatly appreciated!
>
> Thanks!
>



Re: [ossec-list] ossec-remoted(1213): WARN: Message from x.x.x.x not allowed.

2015-10-14 Thread Eero Volotinen
Well, you need to use the correct IP address while creating the client key, or
use the IP address ANY.

--
Eero

2015-10-14 15:49 GMT+03:00 Hari Krishna :

> Both my clients and servers are behind NAT and connected with a VPN tunnel.
> Agents within the server's subnet are able to communicate with the server,
> but agents on a different network are not able to communicate with the
> server. When I troubleshot the issue I found the following message at the server:
>
>  ossec-remoted(1213): WARN: Message from  192.168.5.1 (gateway ip ) not
> allowed.
>



Re: [ossec-list] ossec-remoted(1213): WARN: Message from x.x.x.x not allowed.

2015-10-14 Thread Eero Volotinen
To the client key IP address field.

--
Eero

2015-10-15 8:31 GMT+03:00 hari krishna :

> Can you explain the solution in detail? Where do I have to add this ANY?
>
>
>
> On Wednesday, October 14, 2015 at 6:54:45 PM UTC+5:30, Eero Volotinen
> wrote:
>>
>> Well, you need to use the correct IP address while creating the client key,
>> or use the IP address ANY.
>>
>> --
>> Eero
>>
>> 2015-10-14 15:49 GMT+03:00 Hari Krishna :
>>
>>> Both my clients and servers are behind NAT and connected with a VPN tunnel.
>>> Agents within the server's subnet are able to communicate with the server,
>>> but agents on a different network are not able to communicate with the
>>> server. When I troubleshot the issue I found the following message at the server:
>>>
>>>  ossec-remoted(1213): WARN: Message from  192.168.5.1 (gateway ip ) not
>>> allowed.
>>>



Re: [ossec-list] ossec-remoted(1213): WARN: Message from x.x.x.x not allowed.

2015-10-14 Thread Eero Volotinen
Well, then your agent is coming from the wrong address due to NAT/IPsec.

You need to use ANY for agents coming from NAT, or fix the IPsec/NAT system.

--
Eero

2015-10-15 9:17 GMT+03:00 hari krishna :

> I have used static IP addresses for all agents, instead of wildcards. As I
> described earlier, agents and clients are communicating, but behind NAT
> through the site-to-site VPN connections.
>
>
>
> On Thursday, October 15, 2015 at 11:07:51 AM UTC+5:30, Eero Volotinen
> wrote:
>>
>> To the client key IP address field.
>>
>> --
>> Eero
>>
>> 2015-10-15 8:31 GMT+03:00 hari krishna :
>>
>>> Can you explain the solution in detail? Where do I have to add this ANY?
>>>
>>>
>>>
>>> On Wednesday, October 14, 2015 at 6:54:45 PM UTC+5:30, Eero Volotinen
>>> wrote:
>>>>
>>>> Well, you need to use the correct IP address while creating the client key,
>>>> or use the IP address ANY.
>>>>
>>>> --
>>>> Eero
>>>>
>>>> 2015-10-14 15:49 GMT+03:00 Hari Krishna :
>>>>
>>>>> Both my clients and servers are behind NAT and connected with a VPN
>>>>> tunnel. Agents within the server's subnet are able to communicate with
>>>>> the server, but agents on a different network are not able to communicate
>>>>> with the server. When I troubleshot the issue I found the following
>>>>> message at the server:
>>>>>
>>>>>  ossec-remoted(1213): WARN: Message from  192.168.5.1 (gateway ip )
>>>>> not allowed.
>>>>>

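As an added example (not code from the thread or from the OSSEC project), the script below mirrors, in outline, the check ossec-remoted performs before it will even try to decrypt an agent message: it looks the packet's source address up in /var/ossec/etc/client.keys, where each line is `ID NAME IP KEY` and the IP field is a single address, a CIDR range or the word `any`. Behind NAT every agent arrives from the gateway address (192.168.5.1 in the thread), so entries keyed to the agents' real addresses never match and the 1213 warning is logged. The keys file is constructed and the key material is a placeholder, not a real key.

```python
"""Why ossec-remoted says "Message from X not allowed": a client.keys check.

Added example for this archive page, not OSSEC code.  Every client.keys
line is "ID NAME IP KEY"; the IP field is an address, a CIDR range or
"any".  A message whose source address matches no entry is dropped with
the remoted(1213) warning before any key is tried.  The sample file is
constructed and PLACEHOLDER_KEY_NOT_REAL stands in for the key material.
"""
import ipaddress

# Constructed: agents keyed to their real LAN addresses, as in the thread.
SAMPLE_CLIENT_KEYS = """\
001 web01 10.1.1.10 PLACEHOLDER_KEY_NOT_REAL
002 db01 10.1.1.0/24 PLACEHOLDER_KEY_NOT_REAL
"""

# Eero's fix: the NATed agent's entry uses "any" (or the gateway address).
SAMPLE_AFTER_FIX = SAMPLE_CLIENT_KEYS + "003 branch01 any PLACEHOLDER_KEY_NOT_REAL\n"


def parse_client_keys(text):
    """Return (id, name, ip_field) for each well-formed, uncommented line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].startswith("#"):
            continue
        agent_id, name, ip_field, _key = parts
        entries.append((agent_id, name, ip_field))
    return entries


def ip_field_matches(ip_field, source_ip):
    """Acceptance rule for one entry: 'any', exact address, or source inside a CIDR range."""
    if ip_field.lower() == "any":
        return True
    src = ipaddress.ip_address(source_ip)
    if "/" in ip_field:
        return src in ipaddress.ip_network(ip_field, strict=False)
    return src == ipaddress.ip_address(ip_field)


def agents_accepted_from(text, source_ip):
    """Agents (id, name) whose entry would let a message from source_ip in."""
    return [(i, n) for i, n, f in parse_client_keys(text)
            if ip_field_matches(f, source_ip)]


def diagnose(text, source_ip):
    """One-line verdict in the spirit of the remoted(1213) message."""
    accepted = agents_accepted_from(text, source_ip)
    if not accepted:
        return f"Message from {source_ip} not allowed: no client.keys entry matches"
    names = ", ".join(f"{i}/{n}" for i, n in accepted)
    return f"Message from {source_ip} accepted by: {names}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CLIENT_KEYS, "192.168.5.1"))   # the thread's failure
    print(diagnose(SAMPLE_AFTER_FIX, "192.168.5.1"))     # after adding an "any" entry
```

Note the trade-off behind Eero's advice: with `any` the source address no longer narrows which agent a packet can belong to, so the per-agent key alone authenticates the agent, which is why fixing the NAT/IPsec path is the other option he gives.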


Re: [ossec-list] OSSEC error log

2015-10-16 Thread Eero Volotinen
How about configuring the IPsec PSK correctly? I don't see much related to
OSSEC.

--
Eero

2015-10-16 8:30 GMT+03:00 Abdul Adil :

> Hi OSSEC Community,
>
> Could anyone please help with this error log from OSSEC?
> Oct  1 03:17:18 ip-XX-X-X-XX.us-west-2.server 2015:pmthrfw1 pluto[5281]:
> "S_REF_IpsSitPmtToDpIpsec_5" #140687: malformed payload in packet. Probable
> authentication failure (mismatch of preshared secrets?)
>
> And why is this kind of error occurring? The following is the log from the
> server:
> 2015:09:29-00:01:22 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: next payload type of ISAKMP Identification Payload has an unknown
> value: 155
> 2015:09:29-00:01:22 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: malformed payload in packet. Probable authentication failure
> (mismatch of preshared secrets?)
> 2015:09:29-00:01:22 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: sending encrypted notification PAYLOAD_MALFORMED to x.x.x.x:4500
> 2015:09:29-00:01:24 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134142: next payload type of ISAKMP Identification Payload has an unknown
> value: 206
> 2015:09:29-00:01:24 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134142: malformed payload in packet. Probable authentication failure
> (mismatch of preshared secrets?)
> 2015:09:29-00:01:24 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134142: sending encrypted notification PAYLOAD_MALFORMED to x.x.x.x:4500
> 2015:09:29-00:01:32 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: next payload type of ISAKMP Identification Payload has an unknown
> value: 155
> 2015:09:29-00:01:32 pmthrfw1 pluto[5281]: "S_REF_IpsSitPmtToDpIpsec_5"
> #134143: malformed payload in packet. Probable authentication failure
> (mismatch of preshared secrets?)
>
> Please provide a solution to overcome this issue.
>
> Thank you,
> Abdul Adil.
>



Re: [ossec-list] how to set alert for authentication failure attempt in windows

2015-10-22 Thread Eero Volotinen
It's already included in the OSSEC ruleset; just configure the alert levels for
email or SMS.

Eero

2015-10-23 6:48 GMT+03:00 Hak Bun :

> Dear All,
>
> How can I set an alert for authentication failure attempts in Windows?
>
> Thanks in advance for your comment.
> Hak
>



Re: [ossec-list] Re: Watchguard Firebox logs

2015-10-27 Thread Eero Volotinen
Did you check out the WatchGuard Dimension appliance?

Eero
On 27.10.2015 at 10:49 a.m., "Tero Onttonen" wrote:

> Hi,
>
> I would be interested in finding a solution for Watchguard logs. I did not
> find one after some searching.
>
> Did this go any further?
>
> Br,
> Tero
>
> On Wednesday, March 11, 2009 at 2:11:44 PM UTC+2, rob.but...@gmail.com
> wrote:
>>
>> Thanks.  I'm also working on AQTRONIX WebKnight logs too.  Here are a few
>> watchguard examples.  I've blanked a few bits of info.  Note that
>> we've adopted a convention of putting wg_ at the start of the system
>> name so we can identify them as watchguard logs, but perhaps this
>> isn't the best way?
>>
>> 2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"
>>
>> 2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xusername@Active Directory"
>>
>> 2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"
>>
>> On Mar 10, 8:35 pm, Daniel Cid  wrote:
>> > Hi Rob,
>> >
>> > I don't think anyone did this yet. Can you share some of your logs
>> > with us? We can certainly
>> > help writing some rules/decoders if we get some samples...
>> >
>> > Thanks,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> > On Mon, Mar 2, 2009 at 10:47 AM,   wrote:
>> >
>> > > Hi,
>> > > Has anyone got OSSEC to parse Watchguard Firebox logs?  I have my
>> > > logs coming in via syslog, and being stored, but if I run them through
>> > > logtest they get recognized as Debian dpkg logs, so I guess ossec is
>> > > pretty much ignoring them.
>> >
>> > > The format seems to be missing a unique key to spot the logs as being
>> > > from the watchguards, sadly.  We are considering using the firebox
>> > > system name to identify them (e.g. adding wg_ at the start of all our
>> > > firewall system names so I can match on a regexp with that string in
>> > > it).  However, before I spend time on this, I wonder whether anyone
>> > > else has already done the hard work?
>> >
>> > > If not, any pointers to instructions on writing new decoders and rules
>> > > would be most welcome.  If I get anything worth sharing, I'll offer it
>> > > back to the project or at least post my findings here.
>> >
>> > > Rob
>>

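Daniel offered to help write a decoder once samples were available; as an added example (not code from the thread or an OSSEC decoder), here is a Python parser for the key="value" format of the three lines Rob posted, using those lines unchanged as input. It also applies Rob's own heuristic of recognising a firebox by the wg_ prefix on its system name. Field names are WatchGuard's as they appear in the post; nothing else is assumed.

```python
"""Parser for the WatchGuard Firebox key="value" syslog format shown above.

Added example for this archive page, not an OSSEC decoder or project code.
After a prefix (here the OSSEC archive header, then the firebox's own
timestamp and system name) each record is a run of key="value" pairs;
values may contain spaces and backslash escapes, so the line cannot just
be split on whitespace.  SAMPLE_LINES are the three lines Rob posted.
"""
import re

SAMPLE_LINES = [
    '2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" '
    'policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" '
    'src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   '
    'tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"',
    '2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  '
    'proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" '
    'src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" '
    'src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" '
    'rule_name="Default" header="X-Channel-Host: channel138:8081\\x0d\\x0a" src_user="xusername@Active Directory"',
    '2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" '
    'policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" '
    'src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" '
    'tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" '
    'msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"',
]

# One key="value" pair; the value may hold spaces and backslash escapes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_watchguard(line):
    """Return a dict of the line's fields plus 'prefix' and 'system'.

    'prefix' is everything before the first key="value" pair; 'system' is
    its last word, the firebox system name (wg_Peterborough in the samples).
    Stray tokens between pairs, such as proxy[15055]:, are ignored.
    """
    first = KV_RE.search(line)
    if first is None:
        raise ValueError('no key="value" pairs in line')
    prefix_words = line[:first.start()].split()
    fields = dict(KV_RE.findall(line))
    fields["prefix"] = " ".join(prefix_words)
    fields["system"] = prefix_words[-1] if prefix_words else ""
    return fields


def is_watchguard(line, marker="wg_"):
    """Rob's heuristic: the firebox system name starts with wg_."""
    try:
        return parse_watchguard(line)["system"].startswith(marker)
    except ValueError:
        return False


def find_denied(lines):
    """(system, src_ip, dst_ip, pr, policy) for every packet the firebox denied."""
    hits = []
    for line in lines:
        if not is_watchguard(line):
            continue
        f = parse_watchguard(line)
        if f.get("disp") == "Deny":
            hits.append((f["system"], f["src_ip"], f["dst_ip"], f["pr"], f["policy"]))
    return hits


if __name__ == "__main__":
    for hit in find_denied(SAMPLE_LINES):
        print(hit)
```

The same fields (disp, policy, src_ip, dst_ip, pr, src_intf, dst_intf) are the ones a rule would key on, and the second sample shows why the quoted-value regex matters: msg, tcpinfo and header all contain spaces.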


Re: [ossec-list] OSSEC INSTALLATION ERROR ON AIX 7

2015-10-28 Thread Eero Volotinen
What is the output of the command:

cc --version

Eero

2015-10-28 8:59 GMT+02:00 :

> We are facing difficulties in the installation of OSSEC on our AIX 7.1 server.
>
> The error we are getting:
>
> 5- Installing the system
>
> - Running the Makefile
>
>  Making zlib (by Jean-loup Gailly and Mark Adler)
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for gcc...
> Compiler error reporting is too harsh for ./configure (perhaps remove -Werror).
> ** ./configure aborting.
> make: 1254-004 The error code from the last command is 1.
> Stop.
> Error Making zlib
> make: 1254-004 The error code from the last command is 1.
> Stop.
> Error 0x5.
> Building error. Unable to finish the installation
>
> With GBM, we have tried to install 3 versions of the GCC compiler and all
> failed.
>
> gcc-c++-4.8.3-1 is the last version GBM have tried.
>
> It would be very helpful if you could provide us a suitable solution for
> this.
>



Re: [ossec-list] Level: 6 - Attempt to use mail server as relay (client host rejected).

2015-11-02 Thread Eero Volotinen
Your Postfix is incorrectly configured. This is not related to OSSEC in any
way.

Eero
On 2.11.2015 at 11:37 a.m., "Hak Bun" wrote:

> Dear All,
>
> I have just installed Postfix, Dovecot, and SquirrelMail.
> When I test sending out through the webmail, my Yahoo can receive the
> email.
>
> But I get the error "Recipient address rejected: Access denied" when I telnet
> to SMTP for outside or local mail:
>
> telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 ossec.myossec.com ESMTP Postfix
> ehlo localhost
> 250-ossec.myossec.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> mail from: hak
> 250 2.1.0 Ok
> rcpt to: hak_...@yahoo.com
> 554 5.7.1 : Recipient address rejected: Access denied
> rcpt to: long
> 554 5.7.1 : Recipient address rejected: Access denied
>
> And I also get an error with the configuration in OSSEC:
>
> Level: 6 - Attempt to use mail server as relay (client host rejected).
> Rule Id: 3301
> Location: localhost->/var/log/maillog
> Src IP: 192.168.56.101
> Nov 2 16:05:06 localhost postfix/smtpd[7815]: NOQUEUE: reject: RCPT from
> myossec.local[192.168.56.101]: 554 5.7.1 : Recipient address rejected:
> Access denied; from= to= proto=SMTP helo=
>
> Please help if you know.
> Thanks
> Hak
>



Re: [ossec-list] Ossec agent error

2015-11-03 Thread Eero Volotinen
This is a firewall issue. Disable the local firewall on the OSSEC server.

eero

On Tuesday, 3 November 2015, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> Hello,
>
>
>
> My name is Reinaldo Fernandes and I'm contacting you regarding the OSSEC
> solution.
>
> I have been trying to deploy this in our environment (Windows mainly) but
> the agent is not able to communicate with the OSSEC server (they are both
> on the same VLAN, no firewall between).
>
> This is the error:
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (172.20.21.43:1514).
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '172.20.21.43'.
>
> When I try to look at the logs on the OSSEC server this is the only
> info that I get:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
> Any clue or tip on how to solve this situation?
>
> Reinaldo Fernandes
>



Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Eero Volotinen
Are you trying to execute the log file?

You need to run sudo tail filename, not sudo filename.

Eero
On 3.11.2015 at 5:40 p.m., "Reinaldo Fernandes" wrote:

> Hi Dan,
> I did now:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entries in the logs as before:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>



Re: [ossec-list] Re: Ossec agent error

2015-11-03 Thread Eero Volotinen
sudo tail -f /path/to/filename

Eero
On 3.11.2015 at 6:26 p.m., "Reinaldo Fernandes" wrote:

>
> Can you provide me with the correct command to run?
> Thank you
>



Re: [ossec-list] Re: Ossec agent error

2015-11-04 Thread Eero Volotinen
Well, you said that the server is located at .200. It isn't, according to this log.
On 4.11.2015 at 12:58 p.m., "Reinaldo Fernandes" wrote:

> Shouldn't I receive a "connected successfully" instead of this warning?
>
> I found this and it says that the agent is having issues connecting to
> the server:
>
> The following log messages may appear in the ossec.log file on an agent
> when it is having issues connecting to a manager:
>
> 2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for permission...
> 2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.10.134.241'.
> 2011/11/13 18:05:26 ossec-agent: INFO: Trying to connect to server (10.10.134.241:1514).
> 2011/11/13 18:05:26 ossec-agent: INFO: Using IPv4 for: 10.10.134.241 .
> 2011/11/13 18:05:47 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.10.134.241'.
>
>



Re: [ossec-list] Create an alert for NTP offset

2015-11-04 Thread Eero Volotinen
You should use Nagios for this kind of check.

Eero
On 4.11.2015 at 6:08 p.m., "Robert Micallef" wrote:

> Hi,
>
> I was wondering if anyone can help me configure a decoder and subsequently
> an alert for when the NTP offset becomes too high. For security reasons I
> had to configure a server to retrieve the time from outside and then all
> other servers retrieve the time from this first server. The problem is that
> after a couple of months one or two servers will go out of sync by minutes.
> I tried to resolve the issue but can't figure out why NTP sometimes doesn't
> work well on some systems with basically the same configuration. So I am
> close to giving up on NTP.
>
> Anyway, I was wondering if I can create an alert so I can manually fix
> the problem when it happens. The problem is I don't know how to create a
> decoder for this. The command ntpq -pn gives the output:
>
>  remote   refid  st t when poll reach   delay   offset  jitter
> ==
>  10.55.11.213   91.121.169.203 u  840 102400.765  -1972.3  0.000
>
> Since the values change I don't know how to just get the offset and, for
> instance, alert us if it is over 1500 like in this case. For instance the
> poll is 840 now, so 3 digits, but will soon be 2 digits, so I don't know how
> to write a decoder for that. And some numbers might have decimal points at
> one point and not at another.
>
> Another command which could work is ntpstat, which gives the output:
> synchronised to unspecified at stratum 4
>time correct to within 16875 ms
>polling server every 1024 s
>
> This I could create a decoder for, but the output is so inaccurate that
> it is useless.
>
> Does anyone know how this can be done please?
>
> Thanks,
> Robert
>

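Robert's difficulty is that the columns of `ntpq -pn` shift as the numbers change. As an added example (not code from the thread or from OSSEC), the script below sidesteps that by splitting each peer row on whitespace rather than on fixed columns, peels off the tally character ntpq glues to the front of the remote address (`*` marks the selected peer), and emits one flat key=value line per problem, which is the easy case to write a decoder for. The sample output is constructed in the shape of Robert's; only the 1500 ms threshold comes from his post.

```python
"""Threshold check on the offset column of `ntpq -pn`.

Added example for this archive page, not OSSEC code.  Peer rows are
whitespace-split so that shifting column widths do not matter; the tally
character in column 0 is handled separately.  SAMPLE_NTPQ is constructed
in the shape of the thread's output (the 1500 ms threshold is from the post).
"""
import subprocess

SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.55.11.213    91.121.169.203   3 u  840 1024  377    0.765 -1972.301   0.000
+203.0.113.7     .GPS.            1 u  512 1024  377    1.201    0.412   0.118
 198.51.100.9    .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Tally codes ntpq prints in the first column (' ' means the peer was discarded).
TALLY_CODES = " *+-x.#o"


def parse_ntpq(text):
    """Return one dict per peer row; the header and separator rows are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, body = (line[0], line[1:]) if line[0] in TALLY_CODES else (" ", line)
        parts = body.split()
        if len(parts) != 10:   # remote refid st t when poll reach delay offset jitter
            continue
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, jitter = parts
        peers.append({
            "tally": tally,
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),   # ntpq prints the reach register in octal
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def check_sync(text, threshold_ms=1500.0):
    """Return one alert line per problem; an empty list means all is well.

    Alerts are single flat key=value lines on purpose: a one-line message is
    the easy case for a log decoder, unlike the multi-column table itself.
    A missing '*' peer (nothing selected for synchronisation) is reported too.
    """
    peers = parse_ntpq(text)
    alerts = [
        f"ntp_offset_high remote={p['remote']} offset_ms={p['offset_ms']:.3f} threshold_ms={threshold_ms:g}"
        for p in peers if abs(p["offset_ms"]) > threshold_ms
    ]
    if not any(p["tally"] == "*" for p in peers):
        alerts.append("ntp_not_synced reason=no_system_peer_selected")
    return alerts


def run_ntpq():
    """Output of the local `ntpq -pn` (assumes ntpq is on PATH)."""
    return subprocess.run(["ntpq", "-pn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for alert in check_sync(SAMPLE_NTPQ):
        print(alert)
```

Run periodically, the `ntp_offset_high` line is what would be fed to the log pipeline; the offset sign is ignored because a clock that is minutes fast is as wrong as one that is minutes slow.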


Re: [ossec-list] sending email through existing smtp server

2015-11-08 Thread Eero Volotinen
You should use a local Postfix to relay mails.

Eero
On 7.11.2015 at 10:55 p.m.,  wrote:

> Hi all,
>
> I recently installed OSSEC 2.8.1 on a Debian machine, and I really don't
> understand how this email setup works. My config file looks like this:
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>myem...@gmail.com</email_to>
>   <smtp_server>alt2.gmail-smtp-in.l.google.com</smtp_server>
>   <email_from>myem...@gmail.com</email_from>
> </global>
>
> I got the impression that this is all you have to do to get it to work.
> But I get the following errors in the log:
> WARN: End of DATA not accepted by server
> ERROR: Error Sending email to [gmail server ip] (smtp server)
>
> When I look this up, no one has a clear response. For some people, this
> works! For others, they had no choice but to make their own SMTP server.
> I'm concerned about all the possible security risks that come with making
> my own SMTP server, so I was hoping this would handle it for me. Is this
> possible? Do I need to put in a key somewhere? Or is something like ssmtp
> or postfix the only way to go?
>
> Thanks!
>



Re: [ossec-list] Ossec Client 2.8.3 Detect As Malware

2015-11-11 Thread Eero Volotinen
Try using the VirusTotal scanning service. That is possibly a false positive.

Eero
On 11.11.2015 at 2:48 p.m.,  wrote:

> Guys
>
> I downloaded the OSSEC client 2.8.3 and received a warning message: The file
> has a malware: BehavesLike.Win32.Dropper.tc
> I use McAfee Web Gateway 7.6.0 in my environment.
> Could it be a false positive? Has anyone had the same behavior?
> sha 256 Hash File: 93CD29B4C676E61304BFBE10E554D1AA011ABF91
>
>
> Regards
>
> Gus
>


