Re: [ossec-list] OSSEC Missing Logs
It's fairly busy but nothing insane. I didn't know OSSEC had some sort of built-in alerting/monitoring or statistics where I could see if it's truly missing those files.

On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote:
> On Fri, Feb 16, 2018 at 4:02 PM, Eric wrote:
> > I'm using OSSEC in a slightly unconventional manner where I have it
> > installed on a centralized syslog server and it's tripping correlations from
> > multiple servers with just one agent. A small snippet of the setup is below.
> >
> > ossec-server.domain.com monitoring:
> >
> > /logs/networking/*.log
> > /logs/windows/*.log
> > /logs/unix/*.log
> >
> > Overall this has worked pretty well for a low key correlation system for
> > some alerts but I recently added a few more logs to it and I feel like OSSEC
> > is missing some entries now. For example, I see alerts being tripped in
> > /var/ossec/logs/alerts/alerts.log for some events, but others are not. I
> > know for a fact while tailing the alerts.log file, I should have received
> > the alert below as I was also tailing the logs OSSEC was monitoring. Below
> > shows that the format is correct and it's decoding/alerting correctly when
> > running the test. Therefore my only conclusion is OSSEC is potentially
> > getting overwhelmed and missing some. Is there a way to check that or any
> > other reason this wouldn't have tripped for me?
>
> It's possible that it got missed. Is the server busy? Is there enough CPU/RAM?
> Is the events per second rate very high?
>
> > Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0
> > ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Feb 16 13:04:34 server1 sudo: user_name : command not
> > allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su
> > root'
> >        hostname: 'server1'
> >        program_name: 'sudo'
> >        log: ' user_name : command not allowed ; TTY=pts/0 ;
> > PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'sudo'
> >        dstuser: 'user_name'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100012'
> >        Level: '10'
> >        Description: 'User attempted to run a command that was not allowed.'
> > **Alert to be generated.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] OSSEC Missing Logs
I'm using OSSEC in a slightly unconventional manner where I have it installed on a centralized syslog server and it's tripping correlations from multiple servers with just one agent. A small snippet of the setup is below.

ossec-server.domain.com monitoring:
- /logs/networking/*.log
- /logs/windows/*.log
- /logs/unix/*.log

Overall this has worked pretty well for a low key correlation system for some alerts but I recently added a few more logs to it and I feel like OSSEC is missing some entries now. For example, I see alerts being tripped in /var/ossec/logs/alerts/alerts.log for some events, but others are not. I know for a fact while tailing the alerts.log file, I should have received the alert below as I was also tailing the logs OSSEC was monitoring. Below shows that the format is correct and it's decoding/alerting correctly when running the test. Therefore my only conclusion is OSSEC is potentially getting overwhelmed and missing some. Is there a way to check that or any other reason this wouldn't have tripped for me?

Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

**Phase 1: Completed pre-decoding.
       full event: 'Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
       hostname: 'server1'
       program_name: 'sudo'
       log: ' user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'

**Phase 2: Completed decoding.
       decoder: 'sudo'
       dstuser: 'user_name'

**Phase 3: Completed filtering (rules).
       Rule id: '100012'
       Level: '10'
       Description: 'User attempted to run a command that was not allowed.'
**Alert to be generated.
[ossec-list] Re: Negative Match Criteria
Thanks Bruce. I didn't think about doing it that way but it definitely works. I really wish OSSEC would allow ! regex or just a simple Blah.

On Friday, February 9, 2018 at 10:35:31 AM UTC-7, Bruce Westbrook wrote:
> Eric, short answer is unfortunately "no" (see my similar question recently
> under the subject "Rule Exception - How?"). The only portion of a rule
> that you can negate/exclude are for srcip and dstip (see
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html).
>
> What I've found is that to exclude a subset of items you need to create a
> minimum of two rules. The first rule to catch only what you want to
> exclude, the second rule to capture all the rest. A simple example to
> simply ignore the ActiveSync log entries and do something with all the
> rest, using your log line examples and the rule you posted (not sure what
> rule #100210 is but assume it's to match the log lines for your rule):
>
>   100210
>   Microsoft-Server-ActiveSync
>   NOISE: Ignore ActiveSync log entries.
>
>   100210
>   \.+\d+\s\w+.\w...@domain.com\.+ - 401
>   Email authentication failure.
>
> Hope that helps point you in the right direction.
>
> On Friday, February 9, 2018 at 10:38:47 AM UTC-5, Eric wrote:
>> Hello,
>>
>> I'm working on a few custom rules and I was wondering if there is a "not
>> equal to" item within OSSEC custom rules that I can use. I have the
>> following logs and I want everything but the ActiveSync ones.
>>
>> Feb 9 00:00:00 X 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=;; 443 - us...@domain.com X.X.X.X SfBForMac/16.13.184.+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>>
>> Feb 9 00:00:00 X 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=;; 443 - us...@domain.com X.X.X.X SfBForMac/16.13.184.+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>>
>> Feb 9 00:00:01 X 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 us...@domain.com X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15
>>
>> Right now I have the following logic and it works, but I'd prefer to just
>> do a not equal to ActiveSync so I don't have to add additional regexes if a
>> new log comes in.
>>
>>   100210
>>   autodiscovery.xml|Exchange.asmx
>>   \.+\d+\s\w+.\w...@domain.com\.+ - 401
>>   Email authentication failure.
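Bruce's exclusion idea written out as an added local_rules.xml fragment (example code, not from the thread). It assumes rule 100210 is the existing parent that matches these Exchange/IIS lines, uses arbitrary ids 100212 and 100213, and attaches the level 0 exclusion as a child of the alerting rule instead of a sibling, so the outcome does not depend on the order in which OSSEC tries sibling rules; the masked address portion of the regex is a placeholder.

```xml
<!-- local_rules.xml fragment (added example). 100210 is assumed to be the
     existing rule that matches these Exchange/IIS log lines. -->
<group name="local,exchange,">

  <!-- Alert on any HTTP 401 for a mailbox user. The address part of the
       regex was masked in the list archive; "\w+.\w+@domain.com" is a
       placeholder reconstruction, adjust it to the real user format. -->
  <rule id="100212" level="5">
    <if_sid>100210</if_sid>
    <regex>\.+\d+\s\w+.\w+@domain.com\.+ - 401</regex>
    <description>Email authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Level 0 child of 100212: it is only tested for events 100212 has
       already accepted. When such an event is also an ActiveSync request
       this rule replaces the result with level 0 and nothing is written to
       alerts.log, which is the "everything but ActiveSync" semantics. -->
  <rule id="100213" level="0">
    <if_sid>100212</if_sid>
    <match>Microsoft-Server-ActiveSync</match>
    <description>NOISE: Ignore ActiveSync authentication failures.</description>
  </rule>

</group>
```

Check it with /var/ossec/bin/ossec-logtest by pasting each of the three sample lines: the two 401 lines should end at rule 100212, and the ActiveSync line must not (an ActiveSync 401, if one ever appears, should end at 100213 with level 0).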
[ossec-list] Negative Match Criteria
Hello,

I'm working on a few custom rules and I was wondering if there is a "not equal to" item within OSSEC custom rules that I can use. I have the following logs and I want everything but the ActiveSync ones.

Feb 9 00:00:00 X 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=;; 443 - u...@domain.com X.X.X.X SfBForMac/16.13.184.+(Mac+OSX+10.12.6) - 401 1 2148074254 0

Feb 9 00:00:00 X 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=;; 443 - u...@domain.com X.X.X.X SfBForMac/16.13.184.+(Mac+OSX+10.12.6) - 401 1 2148074254 0

Feb 9 00:00:01 X 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 u...@domain.com X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15

Right now I have the following logic and it works, but I'd prefer to just do a not equal to ActiveSync so I don't have to add additional regexes if a new log comes in.

  100210
  autodiscovery.xml|Exchange.asmx
  \.+\d+\s\w+.\w...@domain.com\.+ - 401
  Email authentication failure.
[ossec-list] Re: Treat Multiple Files as One
Thanks! I just confirmed your statement by looking at a recent correlation rule that tripped and I see how the original logs were spread out over 4 different log files. I really appreciate the clarification.

On Wednesday, June 28, 2017 at 11:05:18 AM UTC-6, Jesus Linares wrote:
> Hi Eric,
>
>> Right now, I believe OSSEC is only able to correlate multiple failed
>> logins if they all happen to show up on only 1 of the log files
>
> That is not correct. The rules are based on the content of a log, not in
> the source.
>
> Pay attention to the following rules:
>
>   sshd
>   SSHD messages grouped.
>
>   5700
>   illegal user|invalid user
>   sshd: Attempt to login using a non-existent user
>   invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,
>
> It is looking for the strings: "illegal user" or "invalid user" in a ssh
> log. When is a ssh log? If it is decoded as ssh:
>
>   ^sshd
>   ...
>
> Usually, there are no checks for the source of an event.
>
> I hope it helps.
> Regards.
>
> On Tuesday, June 27, 2017 at 5:47:05 PM UTC+2, Eric wrote:
>> I'm using OSSEC in a slightly untraditional way as a pseudo SIEM. I have it
>> running on 1 server and it's parsing through logs that are coming from
>> multiple sources and then alerting me on what is going on. Overall this has
>> worked fine but now I'm needing to spread out the load and the logs are
>> being written to multiple files. Is there a way to tell OSSEC to treat 5
>> separate log files as the same source?
>>
>> The use case I have is file1.log, file2.log, file3.log, file4.log, and
>> file5.log are all load balanced across a F5 VIP. So if you have
>> multiple failed logins from user1 on server1, those failed logins could
>> show up in any 5 of the log files. Right now, I believe OSSEC is only able
>> to correlate multiple failed logins if they all happen to show up on only 1
>> of the log files.
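Jesus's point, as an added example (not from the thread): the five load-balanced files are declared once, and the correlation rule keys on decoded content, never on the file. The /logs/unix directory, rule id 100300 and the use of stock sshd rule 5716 (authentication failed) are assumptions.

```xml
<!-- ossec.conf fragment: one localfile entry covers file1.log .. file5.log.
     Every line is decoded the same way whichever file it came from; the
     rules only ever see hostname, program name, user, source IP and so on. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <!-- assumed path; the wildcard expands to all five F5-fed files -->
    <location>/logs/unix/file*.log</location>
  </localfile>
</ossec_config>

<!-- local_rules.xml fragment: composite rule built on stock rule 5716
     (sshd authentication failed). The counter is keyed on the decoded user,
     so user1's failures are counted together no matter which of the five
     files the F5 wrote each one to. Nothing here refers to the file. -->
<group name="local,syslog,sshd,">
  <rule id="100300" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_user />
    <description>sshd: repeated failed logins for one user within 120 s, counted across all load-balanced log files.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

The one correlation option that would tie matches to where they were read is <same_location />; leave it out (as above) and the source file is irrelevant, and <same_source_ip /> works the same way for keying on the client address instead of the user.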
[ossec-list] Treat Multiple Files as One
I'm using OSSEC in a slightly untraditional way as a pseudo SIEM. I have it running on 1 server and it's parsing through logs that are coming from multiple sources and then alerting me on what is going on. Overall this has worked fine but now I'm needing to spread out the load and the logs are being written to multiple files. Is there a way to tell OSSEC to treat 5 separate log files as the same source?

The use case I have is file1.log, file2.log, file3.log, file4.log, and file5.log are all load balanced across a F5 VIP. So if you have multiple failed logins from user1 on server1, those failed logins could show up in any 5 of the log files. Right now, I believe OSSEC is only able to correlate multiple failed logins if they all happen to show up on only 1 of the log files.
Re: [ossec-list] Agents not connecting to server after ossec server upgrade from 2.8.0 to 2.8.2
If you see something like the following in your /var/ossec/logs/ossec.log file:

ossec.log:2015/08/28 06:49:27 ossec-remoted(1407): ERROR: Duplicated counter for 'AGENT-NAME'.

Then it means that you are re-using your Agent ID and Key. OSSEC keeps a counter when syncing between Server and Agent; this is to prevent some sort of "Replay" attacks. All you need to do is to remove the file with your AGENT NAME as filename in /var/ossec/queue/rids, do this in both Server and Agent installation, restart both server and agent, and you are done.

Regards,
Eric Teng

> On Aug 31, 2015, at 8:55 PM, Saulius Pabarska wrote:
>
> I think the problem was because I extended the maximum number of agents in the
> previous version, and when I did the upgrade it stopped working.
> I downloaded sources, made
> make setmaxagents
> and ran install.
> After that it seems everything is working.
RE: [ossec-list] OSSEC Server output to Syslog Server
Yes, ossec-csyslogd is enabled and running. I should have said default from OSSIM. Thanks.

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Monday, March 16, 2015 6:21 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] OSSEC Server output to Syslog Server

On Fri, Mar 13, 2015 at 6:14 PM, DirtDiver wrote:
> All,
>
> I have a fresh install with a default ossec.conf file. Below is the file.
> I can not for the life of me get it to forward alerts/logs to the
> remote syslog server. What I would really want to do is have this
> send all Windows events to the syslog server 10.0.1.116.
>
>   no
>   AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]";

I don't think this is a default ossec.conf.

>   10.0.1.116
>   9000
>   json

Is ossec-csyslogd running?
RE: [ossec-list] OSSEC Server output to Syslog Server
Both, and there are no FWs between any. I could try to do 127.0.0.1 to see if it can send to itself.

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of David Lang
Sent: Friday, March 13, 2015 3:09 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] OSSEC Server output to Syslog Server

Are you trying to tcpdump on the sender or the receiver?

David Lang

On Fri, 13 Mar 2015, Eric Huffman wrote:
> Date: Fri, 13 Mar 2015 22:50:52 +
> From: Eric Huffman
> Reply-To: ossec-list@googlegroups.com
> To: "ossec-list@googlegroups.com"
> Subject: RE: [ossec-list] OSSEC Server output to Syslog Server
>
> I do have a tcpdump setup and do not see anything, and I have the
> ossec syslog enabled as well.
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On Behalf Of David Lang
> Sent: Friday, March 13, 2015 2:34 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] OSSEC Server output to Syslog Server
>
> The problem is probably not on the ossec side. I've got the following
> in my config and it's working
>
>   127.0.0.1
>   514
>   json
>
> What are you sending to? Have you done a tcpdump to see what's happening?
>
> David Lang
>
> On Fri, 13 Mar 2015, DirtDiver wrote:
>> Date: Fri, 13 Mar 2015 15:14:25 -0700 (PDT)
>> From: DirtDiver
>> Reply-To: ossec-list@googlegroups.com
>> To: ossec-list@googlegroups.com
>> Subject: [ossec-list] OSSEC Server output to Syslog Server
>>
>> All,
>>
>> I have a fresh install with a default ossec.conf file. Below is the file.
>> I can not for the life of me get it to forward alerts/logs to the
>> remote syslog server. What I would really want to do is have this
>> send all Windows events to the syslog server 10.0.1.116.
RE: [ossec-list] OSSEC Server output to Syslog Server
I do have a tcpdump setup and do not see anything, and I have the ossec syslog enabled as well.

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of David Lang
Sent: Friday, March 13, 2015 2:34 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] OSSEC Server output to Syslog Server

The problem is probably not on the ossec side. I've got the following in my config and it's working

  127.0.0.1
  514
  json

What are you sending to? Have you done a tcpdump to see what's happening?

David Lang

On Fri, 13 Mar 2015, DirtDiver wrote:
> Date: Fri, 13 Mar 2015 15:14:25 -0700 (PDT)
> From: DirtDiver
> Reply-To: ossec-list@googlegroups.com
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] OSSEC Server output to Syslog Server
>
> All,
>
> I have a fresh install with a default ossec.conf file. Below is the file.
> I can not for the life of me get it to forward alerts/logs to the
> remote syslog server. What I would really want to do is have this
> send all Windows events to the syslog server 10.0.1.116.
>
>   no
>   AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]";
>
>   yes
>   21600
>   no
>   no
>   yes
>   /etc,/usr/bin,/usr/sbin
>   /bin,/sbin
>   check_sum="yes">C:\Windows\system32
>   /etc/mtab
>   /etc/mnttab
>   /etc/hosts.deny
>   /etc/mail/statistics
>   /etc/random-seed
>   /etc/adjtime
>   /etc/httpd/logs
>   /etc/utmpx
>   /etc/wtmpx
>   /etc/cups/certs
>   /etc/dumpdates
>   /etc/svc/volatile
>   C:\WINDOWS/System32/LogFiles
>   C:\WINDOWS/Debug
>   C:\WINDOWS/WindowsUpdate.log
>   C:\WINDOWS/iis6.log
>   C:\WINDOWS/system32/wbem/Logs
>   C:\WINDOWS/system32/wbem/Repository
>   C:\WINDOWS/Prefetch
>   C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
>   C:\WINDOWS/SoftwareDistribution
>   C:\WINDOWS/Temp
>   C:\WINDOWS/system32/config
>   C:\WINDOWS/system32/spool
>   C:\WINDOWS/system32/CatRoot
>
>   /var/ossec/etc/shared/rootkit_files.txt
>   /var/ossec/etc/shared/rootkit_trojans.txt
>   /var/ossec/etc/shared/system_audit_rcl.txt
>   /var/ossec/etc/shared/cis_debian_linux_rcl.txt
>   /var/ossec/etc/shared/cis_rhel_linux_rcl.txt
>   /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
>
>   yes
>
>   secure
>
>   1
>
>   syslog
>   /var/log/messages
>
>   syslog
>   /var/log/auth.log
>
>   syslog
>   /var/log/syslog
>
>   syslog
>   /var/log/mail.info
>
>   syslog
>   /var/log/dpkg.log
>
>   apache
>   /var/log/apache2/error.log
>
>   apache
>   /var/log/apache2/access.log
>
>   rules_config.xml
>   pam_rules.xml
>   sshd_rules.xml
>   telnetd_rules.xml
>   syslog_rules.xml
>   arpwatch_rules.xml
>   symantec-av_rules.xml
>   symantec-ws_rules.xml
>   pix_rules.xml
>   named_rules.xml
>   smbd_rules.xml
>   vsftpd_rules.xml
>   pure-ftpd_rules.xml
>   proftpd_rules.xml
>   ms_ftpd_rules.xml
>   ftpd_rules.xml
>   hordeimp_rules.xml
>   vpopmail_rules.xml
>   vmpop3d_rules.xml
>   courier_rules.xml
>   web_rules.xml
>   apache_rules.xml
>   mysql_rules.xml
>   postgresql_rules.xml
>   ids_rules.xml
>   squid_rules.xml
>   firewall_rules.xml
>   cisco-ios_rules.xml
>   netscreenfw_rules.xml
>   sonicwall_rules.xml
>   postfix_rules.xml
>   sendmail_rules.xml
>   imapd_rules.xml
>   mailscanner_rules.xml
>   ms-exchange_rules.xml
>   racoon_rules.xml
>   vpn_concentrator_rules.xml
>   spamd_rules.xml
>   msauth_rules.xml
>   mcafee_av_rules.xml
>   zeus_rules.xml
>   solaris_bsm_rules.xml
>   vmware_rules.xml
>   ossec_rules.xml
>   attack_rules.xml
>   local_rules.xml
>   ms_dhcp_rules.xml
>   alienvault-directory-service_rules.xml
>
>   10.0.1.116
>   9000
>   json
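The syslog_output block whose tags the archive lost, as an added ossec.conf example (not DirtDiver's file or David Lang's): server, port and format are the values from the thread, the level filter is an assumption.

```xml
<!-- ossec.conf fragment, manager side. ossec-csyslogd reads the alerts
     that analysisd has already generated, so only events that matched a
     rule at or above <level> are forwarded. A raw Windows event log line
     that trips no rule never reaches the syslog server by this path. -->
<ossec_config>
  <syslog_output>
    <server>10.0.1.116</server>
    <port>9000</port>
    <format>json</format>
    <!-- assumed value: forward alerts of level 3 and up; omit the element
         to use the daemon's default -->
    <level>3</level>
  </syslog_output>
</ossec_config>
```

The daemon is off by default: run /var/ossec/bin/ossec-control enable client-syslog and restart, then confirm ossec-csyslogd is in the process list and that tcpdump on the manager shows packets leaving for 10.0.1.116 port 9000 when an alert fires.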
Re: [ossec-list] Re: Issue triggering Active Response on Windows 2012
> I ended up just tossing the regex since it's useless for IPv6 addresses.
> I wish Windows had a built-in shell util for validating any IP address.

I had considered tossing it too. But I hate to lose even basic validation. I had also considered using Python or just writing a simple C# utility to validate using the IPAddress.Parse() library call, but that might be overkill.

> I wonder if this is something specific to Windows 2012 as I've got it
> working for windows 7. I haven't gotten around to testing with 2012
> yet.

I'm wondering myself. I am working my way through the MacOS active response today and I can't get agent_control -b x.x.x.x -f resp -u to work on the Mac, same as my Win X. Although, tests against the Unix hosts work flawlessly. Since I haven't had an SSH scan since I configured and restarted everything I can't see if a real event will trigger a response like it does on my Win X hosts. I can't believe I am actually hoping for an attack to test the response... :}

Now you have me curious... I am having one of our server guys spin me up a 2012 instance to bang on it, so I can see if there is a consistent pattern here. ... I am probably going to go through the source at this point. I'm still not convinced it's a bug yet though... I'm still in the early stages of wrapping my brain around it and I may have messed up or missed something somewhere.

> Rather than trying to choose the interface IP I found it simpler to just
> set the gateway to either 0.0.0.0 or :: whichever applies.

I had considered hard coding it too. I might still. It all depends on if I stick with nulling the traffic routes or move to using the Windows and Mac firewall to drop packets. The Windows firewall rules will be persistent and that is not actually advantageous for a number of reasons.
Re: [ossec-list] Re: Issue triggering Active Response on Windows 2012
On Tuesday, September 23, 2014 2:19:16 PM UTC-4, Michael Starks wrote:
> On 2014-09-23 13:05, Eric Johnfelt wrote:
>> couldn't stand to let it be. I had to update the broken one with a more
>> complicated broken one. :)
>
> Ahahaha... that sounds familiar... :)
>
> I think people assumed it worked, but when I looked at it, I realized
> that it never could have.

No doubt, but I always assume first that I'm the one who messed up. I've found that it's more productive, less embarrassing and, on the upside, you benefit from a more intimate understanding of what you are working on. So, technically, it's still helpful. I am going through the Mac OS X active-response now and I already have a headache... but at least the process is no longer a mystery.

> It should, but I think it is better to expect malicious input (or at
> least malformed), especially since the OSSEC service runs as SYSTEM. My
> opinion is that all AR scripts should stand alone and fail safely even
> in undefined threat scenarios.

I figured as much and I agree.

> Every time I write something in batch I inevitably say to myself "It
> hurts!" and "Why, why why?!" Look at the updated script and the hoop I
> had to jump through just to grab the OSSECPATH from the registry. Ugh.

Yep... common experiences, I feel your pain.

> I guess the biggest thing to consider with Windows is that there are
> multiple versions and they may not all have things like Power Shell. I
> think that's why the script was originally written in batch--to serve
> the lowest common denominator. Maybe the solution is to use a batch
> wrapper that calls Power Shell or something else if it can find it, then
> falls back to the hackish methods used currently.

Well, that was the gist of my question: is there an accepted "how far back" the community feels support is needed? Aside from features introduced over time, VBScript goes back to Win9x/Win2K (WinNT4.0 with option pack). So there is a potential there depending on what level of legacy support people want. (Although admittedly... the older an install is... the more likely it needs an OSSEC agent with active-response anyway :} ).

I don't wish to harp on Windows though... Mostly, my needs at the moment require protecting our researchers' equipment and those tend to be mostly *nix with a smattering of Windows and Mac OS. But I also have staff equipment that arguably greatly outnumbers the research machines, and they are Win/Mac.

Which brings me to another question... what is the largest number of managed agents you've heard of anyone using? Or more to the point, how scalable is OSSEC?

- Eric
Re: [ossec-list] Re: Issue triggering Active Response on Windows 2012
Hi Michael,

I can say, no, it's not an updated batch file, it's the stock one from the Windows agent distribution. I was unaware there was an update, thanks for that nugget. I will find and grab it later today for comparison.

Don't take my comments as disparaging. Given our networking team refuses to do *any* active-response from the core down to the edge devices... even though we have all the tools for it and no policy or funding from senior leadership, OSSEC really has been a blessing and also fills some other gaps neatly; I am looking forward to greatly building out our fledgling install. Right now I am proofing it out and the active response has been very encouraging.

I entered the fray from 2.8 only about a month ago and have little to no knowledge of historically significant milestones in OSSEC's development aside from it switching ownership a couple of times and a number of people on the SANS advisory board having recommended it. I assumed the route-null.cmd batch worked at some point and maybe fell by the wayside during continued development, but I guess not. :(

Although, I am curious, going back to the regex issue... I'm all for bounds checking, but is there some other engineering reason why it was included? I mean, technically, can't the script expect the manager to send the correct parameters?

I agree, NT based command scripts can be a challenge. I've seen some smart people do some really crazy-neat things with them, but it always seems the code is necessarily overburdened with coding tricks to get anything done (i.e. few approaches seem to be simple and clean).

I have been mulling over getting more involved; if you have any advice in this regard over what's on the website, I'd like to hear it. I am already mulling over some local customization that might hopefully be useful to people with similar setups and constraints.

BTW- Thanks for the feedback and enlightenment.

- Eric

On Tue, Sep 23, 2014 at 12:13 PM, Michael Starks <ossec-l...@michaelstarks.com> wrote:
> On 2014-09-23 10:40, Eric Johnfelt wrote:
>> The active-response script that comes with the Windows agent is just
>> hopelessly broken... here is why...
>
> It didn't work at all prior to 2.8. At least it works now from the command
> line (with the latest update). As to why it only works that way remains to
> be seen.
>
>> - The 2.8.1 script expects positional parameter %2 to be the IP
>> Address, it's not, %3 is
>
> Is this with the updated script I sent to the list or the original one? I
> submitted a dev version accidentally for 2.8. But it was still no worse off
> than <2.8, since that version also didn't work. :) My intention was not to
> change the approach, but to make what was there actually at least work with
> an updated version.
>
>> - The regular expression for validating IP's is wrong. Findstr's
>> RegExp facility is well... just terrible, so
>> [0-9]*.[0-9]*.[0-9]*.[0-9]* is the best you can do, but it's not 100%
>> correct for validating IP addresses either, but it works for the
>> complete subset of valid addresses.
>
> The regex is as good as it can get by using a batch file with findstr. As
> you mentioned, the regexp facility of findstr is terrible. But the version
> prior to 2.8 had nothing, so this is... something.
>
>> - The OSSECPATH variable is not set. This *should* be set in the
>> environment via the install, or manually (via Start|Right-Click
>> Computer Properties|Advanced System Settings|Environment Variables, be
>> admin when you do so) Obviously some people prefer setting a registry
>> key and looking it up... and that's fine too.
>
> Is this with the updated script I sent to the list or the original one? It
> should be set now. I agree that the installer should take care of this and
> it should be an environment variable. Patches are welcome!
>
>> - The method used to choose the null-route is a bit flawed. It doesn't
>> take into account any combination of multiple IP's or network
>> interfaces; which is common for people using any kind of
>> virtualization (Virtual Box, VMware, Virtual PC) or servers with
>> multiple IPs or NICS. Technically, it will still work, it is just...
>> not fundamentally correct and your mileage may vary.
>
> Yup, but there isn't a better way unless the AR is written in something
> better. The batch approach is terrible. I think it should be rewritten in
> something like Power Shell, but whatever it is has to work across different
> Windows versions natively, or it has to be built into OSSEC. I'm no longer
> interested in fighting with Windows scripting.
>
>> Lastly, testing the active-response does not seem to work... at least
>> f
[ossec-list] Re: Issue triggering Active Response on Windows 2012
Hi All,

I have had similar problems, and I can see in this thread that many people have discovered a number of the problems. But I'd like to write them out here so that everyone understands them fully. For completeness, I am using OSSEC 2.8.1 on Ubuntu 14.04 LTS and a gamut of hosts: Windows, MacOS, Linux.

The active-response script that comes with the Windows agent is just hopelessly broken... here is why...

- The 2.8.1 script expects positional parameter %2 to be the IP Address, it's not, %3 is
- The regular expression for validating IPs is wrong. findstr's regexp facility is, well... just terrible, so [0-9]*\.[0-9]*\.[0-9]*\.[0-9]* is the best you can do, but it's not 100% correct for validating IP addresses either, but it works for the complete subset of valid addresses.
- The OSSECPATH variable is not set. This *should* be set in the environment via the install, or manually (via Start | Right-Click Computer Properties | Advanced System Settings | Environment Variables; be admin when you do so). Obviously some people prefer setting a registry key and looking it up... and that's fine too.
- The method used to choose the null-route is a bit flawed. It doesn't take into account any combination of multiple IPs or network interfaces, which is common for people using any kind of virtualization (VirtualBox, VMware, Virtual PC) or servers with multiple IPs or NICs. Technically, it will still work, it is just... not fundamentally correct and your mileage may vary.

Lastly, testing the active-response does not seem to work... at least for me... I'm still working on that... however I can say the following for certain. First, when I issue a test, I see the packet received via Wireshark; the agent just doesn't seem to respond. However, when a real active-response comes in from the manager, the route-null.cmd script is executed; with the fixes mentioned above, the script does work.

I have a theory that the packet from agent_control for testing is just slightly different from an actual active-response event packet, but... the packets appear... rightfully so, encrypted or obscured... so technically I can't tell what the difference is using Wireshark. I'd have to dive into the agent_control and manager daemons' source code to know for sure if there is any difference... I'm just not intrepid enough to do that just right now.

I see a few people have replaced the script completely. I am considering that myself using PowerShell or VBScript (both of which have a *much* better regex facility for validating strings (and IP addresses)) as well as giving me APIs (particularly WMI) to determine the best IP to null route on from the available interfaces and local addresses, or just use the internal firewall to block via NETSH or the ActiveX control for the firewall facility.

Anyhow, the point is, you can fix the bundled script or replace it; replacing will give you access to better AND more functionality, IMHO. Either way, fixed or replaced, when it works... it's a beautiful thing. I would however like to see the agent_control, OSSECPATH variable and script fixed in the distro, mainly because the bugs are *extremely* frustrating and at least two of them are easily fixable.

Anyhow, that's my 2 cents on the matter.

- Eric

On Thursday, July 31, 2014 9:53:54 AM UTC-4, James Whittington wrote:

> I am trying to get Active Response working on a Windows 2012 server.
> I enabled AR in the local Windows 2012 OSSEC config file.
> On the agent side OSSEC log I get some warnings about some Linux shell
> based active responses not being present (which makes sense).
>
> I copied over a Windows null route script we use on a Windows 2008r2
> server.
> I created the command and ar configuration on the OSSEC server.
> I then tried to test the AR script, which looked like this:
>
> root@monitor:/var/ossec/bin# ./agent_control -b 120.138.126.238 -f win_route-null1800 -u 001
>
> OSSEC HIDS agent_control: Running active response 'win_route-null1800' on: 001
>
> Under OSSEC 2.7 I would see this line when I tried to trigger an AR:
>
> 2014/07/30 21:32:08 ossec-agent: ERROR: Unable to create active response process.
>
> Setting windows.debug levels in internal_options.conf generated more log
> output but not any more detail on why AR was not triggering?
>
> I upgraded to OSSEC 2.8, upgrading both the OSSEC server and Windows agent.
> Now I don't see anything logged in the agent side ossec log when I trigger
> the active response.
>
> The interesting thing to me is under either version I can trigger a
> restart of the agent from the OSSEC server and that event does appear in a
> client side active response log, so it appears some communication is
> occurring.
>
> Any ideas on how to troubleshoot why A
[ossec-list] Syscheck Causing Analysisd to stop working
Hello,

I am using OSSEC to monitor 4 custom file locations that rotate on a daily basis. This has been working fine for about a week so I decided to turn on the integrity checking option as well. Once I do this, the log analysis portion stops working. Below is my setup.

/mnt/logs/server1/5-14-14.log.gz (archived file from previous day)
/mnt/logs/server1/5-15-14.log.gz (archived file from previous day)
/mnt/logs/server1/5-15-14.log (current log file that is being written to)
/mnt/logs/server2/5-14-14.log.gz (archived file from previous day)
/mnt/logs/server2/5-15-14.log.gz (archived file from previous day)
/mnt/logs/server2/5-15-14.log (current log file that is being written to)

I have the following syscheck settings.

21600
/mnt/logs/server1,/mnt/logs/server2
.log$

This works fine as it ignores the .log file and does the integrity check on the other files. However I am not sure why it causes the analysis engine to stop tailing the log files correctly. If I restart ossec it works fine for a while and then randomly stops again with no error messages. When I turn off the syscheck option, the analysis engine never messes up. Any thoughts?

Thanks,
Eric
[ossec-list] Same_location not working
Hello,

I'm having issues with Windows failed logins being grouped based on the location. Below is the rule in question.

win_authentication_failed
Multiple Windows Logon Failures.
authentication_failures,

With the rule above, I only want alerts grouped together if they are destined for the same machine. Since there is not an option for same_system_name, and I see in the OSSEC GUI that it is parsing out location correctly, I thought it would work but it's not. Below is what I see in the web interface. As you can see, it's tripping rule 18153 but it's doing it for multiple servers and not just one. How do I get it where it will only show multiple failed logins just from 1 server at a time?

Level: 9 - Multiple Windows audit failure events.
Rule Id: 18153
Location: aaaserver1.test.com->/logs/Windows/2014-03-06.log
User: test-account
Mar 6 14:55:45 aaaserver1.test.com
Mar 6 14:55:43 aaaserver1.test.com
Mar 6 14:55:37 cccserver3.test.com
Mar 6 14:55:30 aaaserver1.test.com
Mar 6 14:55:30 aaaserver1.test.com
Mar 6 14:55:30 bbbserver2.test.com
[ossec-list] Combining Reportd Summarized Sections
Hello,

I am working on generating a summarized report for auditing purposes. Currently ossec-reportd has some pretty good options, but they all require additional work as far as seeing the top alerts and then digging deeper into the raw logs to see the username or additional information. Currently I am using this command.

sudo cat /var/ossec/logs/alerts/alerts.log | sudo /var/ossec/bin/ossec-reportd -n "Level 10+ Alerts" -f level 10 -r rule location -r location user

The related searches give me the following summarized sections.

Related entries for 'Location':
server1->/logs/test.log |20 |
    user: 'root'
    user: 'admin'
    user: 'joe.bob'
server8->/logs/test.log |15 |
    user: 'root'

Related entries for 'Rule':
5720 - Multiple SSHD authentication failures. |25 |
    location: 'server1->/logs/test.log'
    location: 'server8->/logs/test.log'
40112 - Multiple authentication failures fol.. |10 |
    location: 'server1->/logs/test.log'
    location: 'server8->/logs/test.log'

Is there any way I can combine these into 1 section? I'd like to see related entries for rule and then have it break down per location and per username. I just want 1 section to look at and not have to ping-pong back and forth between other raw logs or summarized sections.

Thanks,
Eric
Re: [ossec-list] Windows Source IP Parsing
I've made a few more tweaks due to one group using spaces instead of tabs in their Snare config. So I just created 2 separate decoders to get them both. I also cleaned up a few minor items.

windows
MSWinEventLog\t\d\.+\w\w\w \d\d \d\d

windows
windows-snare
:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t\.+\\(\S+)\tN/A\W+(\w+)\sAudit\t(\w+)\tLogon
id, user, status, system_name
name, location, user, system_name

windows
windows-snare
Source Network Address: (\S+)
srcip

windows
windows-snare
Source IP Address: (\S+)
srcip

windows
MSWinEventLog\W+\d\.+\w\w\w \d\d \d\d

windows
windows-snare-2
:\d\d:\d\d \d\d\d\d\W+(\d+)\W+\.+ \W+\.+\\(\S+)\W+N/A\W+(\w+)\sAudit\W+(\w+)
id, user, status, system_name
name, location, user, system_name

windows
windows-snare-2
Source Network Address: (\S+)
srcip

On Monday, October 7, 2013 11:08:55 AM UTC-4, Eric wrote:

> Ok! I finally got this working after much drinking. The regex tester I was
> using and what OSSEC was parsing didn't match up correctly. On my
> tester, it shows a tab or multiple white spaces so I used \t and/or \s+.
> However OSSEC didn't like that and never matched the parser on that portion
> so I ended up using \W+ and it worked fine. So below is the parser that is
> matching up to all of the appropriate fields. So if you are working on
> these, please keep that in mind. When in doubt, just do a (\.+) and see
> what it parses out as, as it may have additional characters you didn't
> expect. This is for Snare format and has the syslog header at the front of
> it.
>
> The only annoying part now is that Windows doesn't log the source IP for
> the failed events so I can't correctly do a rule where "multiple failed
> logins from X IP and then one successful login from the same IP within Y
> time frame". Not sure how I'm going to do that.
>
> windows
> MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d
>
> windows
> windows-snare
> :\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t\.+\\(\S+)\tN/A\W(\.+)\s+Audit\t(\.+)\tLogon
> id, user, status, system_name
> name, location, user, system_name
>
> windows
> windows-snare
> Source Network Address: (\S+)
> srcip
>
> windows
> windows-snare
> Source IP Address: (\S+)
> srcip
>
> On Friday, October 4, 2013 11:14:38 AM UTC-4, dan (ddpbsd) wrote:
>
>> On Fri, Oct 4, 2013 at 11:08 AM, Eric wrote:
>>> Michael,
>>>
>>> Can you please link me to the decoder you are using? I took the blog post
>>> that Nathaniel recommended (thank you very much) and spun my own version of
>>> it since I'm using Snare logs and it didn't match up.
>>
>> https://groups.google.com/forum/#!topic/ossec-list/1F_2Axytgzg
>>
>>> windows
>>> MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d
>>>
>>> windows
>>> windows-snare
>>> :\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t(\.+)\\(\S+)\t\.+
>>> id, extra_data, user, system_name
>>> name, location, user, system_name
>>>
>>> windows
>>> windows-snare
>>> Source Network Address: (\S+)
>>> srcip
>>>
>>> windows
>>> windows-snare
>>> Source IP Address: (\S+)
>>> srcip
>>>
>>> When I run my Windows events through it, I get the following results using
>>> logtest.
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'windows-snare'
>>>        id: '4624'
>>>        extra_data: 'WIN-SERVER1'
>>>        dstuser: 'Administrator'
>>>        srcip: '10.1.1.1'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '18100'
>>>        Level: '0'
>>>        Description: 'Group of windows rules.'
>>>
>>> So it appears my parsing is working correctly now. I'm just confused why it
>>> only tripped rule 18100 and not rule 18107 as well since it should trip off
>>> of the ID.
>>>
>>> On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote:
>>>
>>>> On 10/03/2013 04:10 PM, Nathaniel Bentz
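The decoders above pull the event id, the user after the backslash, the audit status and the logging host out of each Snare line, and a child decoder adds srcip from the event text; the same_location thread earlier on this page shows why that decoded host matters when every Windows event arrives through one file. The following is an added example, not code from the thread, that does the same extraction in Python over constructed sample lines (the 4624 event quoted in the thread plus constructed tab- and space-separated failure lines) and counts failures per host; decode_snare and failures_by_host are names chosen here.

```python
import re
from collections import Counter

# Snare line layout after the syslog header. The separator is a tab for one
# group of hosts and a run of spaces for the other, so it is matched as \s+
# here where the thread's two OSSEC decoders use \t and \W+ respectively:
#   MSWinEventLog<sep>Crit<sep>Log<sep>Counter<sep>Date<sep>EventID<sep>Source
#   <sep>DOMAIN\user<sep>SIDType<sep>Success|Failure Audit<sep>Host<sep>Category<sep>Text
SNARE_RE = re.compile(
    r"MSWinEventLog\s+\d+\s+\S+\s+\d+\s+"
    r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\s+"   # Thu Oct 03 12:50:00 2013
    r"(?P<id>\d+)\s+"                                 # event id: 4624, 4625, ...
    r"\S+\s+"                                         # Microsoft-Windows-Security-Auditing
    r"[^\\\s]+\\(?P<user>\S+)\s+"                     # WIN-SERVER1\Administrator -> user
    r"N/A\s+(?P<status>\w+) Audit\s+"                 # Success or Failure
    r"(?P<system_name>\S+)\s+"                        # host that wrote the event
)
# The two child decoders in the thread look for either label in the event text.
SRCIP_RE = re.compile(r"Source (?:Network|IP) Address:\s+(\S+)")


def decode_snare(line):
    """Return the fields named in the decoder's order list, or None if not Snare."""
    m = SNARE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    ip = SRCIP_RE.search(line)
    # Windows writes "-" when it has no network source (console logons, and the
    # failed logons the thread complains about); report that as no srcip rather
    # than letting a literal "-" satisfy a same-source-IP correlation.
    fields["srcip"] = ip.group(1) if ip and ip.group(1) != "-" else None
    return fields


def failures_by_host(lines):
    """Count Failure Audit events per decoded system_name.

    With every Windows host logging into one file, OSSEC's location is the same
    (syslog server -> file) for all of them; the decoded host is what tells
    aaaserver1 apart from bbbserver2 in the same_location thread's alert.
    """
    counts = Counter()
    for line in lines:
        f = decode_snare(line)
        if f is not None and f["status"] == "Failure":
            counts[f["system_name"]] += 1
    return counts


# Constructed sample input. TAB_4624 is the successful logon quoted in the thread
# (tab-separated, long description trimmed); the failure lines are constructed.
TAB_4624 = (
    "Oct  3 12:50:01 WIN-SERVER1 MSWinEventLog\t1\tSecurity\t474\t"
    "Thu Oct 03 12:50:00 2013\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "WIN-SERVER1\\Administrator\tN/A\tSuccess Audit\tWIN-SERVER1\tLogon\t"
    "An account was successfully logged on. Workstation Name: WIN-SERVER1 "
    "Source Network Address: 10.1.1.1 Source Port: 34916"
)
SPACE_4625 = (
    "Mar  6 14:55:37 cccserver3 MSWinEventLog    1    Security    9913    "
    "Thu Mar 06 14:55:36 2014    4625    Microsoft-Windows-Security-Auditing    "
    "CCCSERVER3\\test-account    N/A    Failure Audit    CCCSERVER3    Logon    "
    "An account failed to log on. Source Network Address: - Source Port: -"
)
TAB_4625_A = (
    "Mar  6 14:55:43 aaaserver1 MSWinEventLog\t1\tSecurity\t9914\t"
    "Thu Mar 06 14:55:42 2014\t4625\tMicrosoft-Windows-Security-Auditing\t"
    "AAASERVER1\\test-account\tN/A\tFailure Audit\tAAASERVER1\tLogon\t"
    "An account failed to log on. Source Network Address: 10.2.2.2 Source Port: 1342"
)
SAMPLE_LINES = [TAB_4624, SPACE_4625, TAB_4625_A, TAB_4625_A.replace("9914", "9915")]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_snare(line))
    print(dict(failures_by_host(SAMPLE_LINES)))
```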
Re: [ossec-list] Windows Source IP Parsing
Ok! I finally got this working after much drinking. The regex tester I was using and what OSSEC was parsing didn't match up correctly. On my tester, it shows a tab or multiple white spaces so I used \t and/or \s+. However OSSEC didn't like that and never matched the parser on that portion so I ended up using \W+ and it worked fine. So below is the parser that is matching up to all of the appropriate fields. So if you are working on these, please keep that in mind. When in doubt, just do a (\.+) and see what it parses out as, as it may have additional characters you didn't expect. This is for Snare format and has the syslog header at the front of it.

The only annoying part now is that Windows doesn't log the source IP for the failed events so I can't correctly do a rule where "multiple failed logins from X IP and then one successful login from the same IP within Y time frame". Not sure how I'm going to do that.

windows
MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d

windows
windows-snare
:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t\.+\\(\S+)\tN/A\W(\.+)\s+Audit\t(\.+)\tLogon
id, user, status, system_name
name, location, user, system_name

windows
windows-snare
Source Network Address: (\S+)
srcip

windows
windows-snare
Source IP Address: (\S+)
srcip

On Friday, October 4, 2013 11:14:38 AM UTC-4, dan (ddpbsd) wrote:

> On Fri, Oct 4, 2013 at 11:08 AM, Eric wrote:
>> Michael,
>>
>> Can you please link me to the decoder you are using? I took the blog post
>> that Nathaniel recommended (thank you very much) and spun my own version of
>> it since I'm using Snare logs and it didn't match up.
>
> https://groups.google.com/forum/#!topic/ossec-list/1F_2Axytgzg
>
>> windows
>> MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d
>>
>> windows
>> windows-snare
>> :\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t(\.+)\\(\S+)\t\.+
>> id, extra_data, user, system_name
>> name, location, user, system_name
>>
>> windows
>> windows-snare
>> Source Network Address: (\S+)
>> srcip
>>
>> windows
>> windows-snare
>> Source IP Address: (\S+)
>> srcip
>>
>> When I run my Windows events through it, I get the following results using
>> logtest.
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows-snare'
>>        id: '4624'
>>        extra_data: 'WIN-SERVER1'
>>        dstuser: 'Administrator'
>>        srcip: '10.1.1.1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18100'
>>        Level: '0'
>>        Description: 'Group of windows rules.'
>>
>> So it appears my parsing is working correctly now. I'm just confused why it
>> only tripped rule 18100 and not rule 18107 as well since it should trip off
>> of the ID.
>>
>> On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote:
>>
>>> On 10/03/2013 04:10 PM, Nathaniel Bentzinger wrote:
>>>> Sorry I meant to include my full decoder file too:
>>>
>>> Have you seen the decoder I have been using in the other thread? I'm not
>>> sure how this one compares, so it might be useful to see where we have
>>> similarities and differences.
Re: [ossec-list] Windows Source IP Parsing
Michael,

Can you please link me to the decoder you are using? I took the blog post that Nathaniel recommended (thank you very much) and spun my own version of it since I'm using Snare logs and it didn't match up.

windows
MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d

windows
windows-snare
:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t(\.+)\\(\S+)\t\.+
id, extra_data, user, system_name
name, location, user, system_name

windows
windows-snare
Source Network Address: (\S+)
srcip

windows
windows-snare
Source IP Address: (\S+)
srcip

When I run my Windows events through it, I get the following results using logtest.

**Phase 2: Completed decoding.
       decoder: 'windows-snare'
       id: '4624'
       extra_data: 'WIN-SERVER1'
       dstuser: 'Administrator'
       srcip: '10.1.1.1'

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

So it appears my parsing is working correctly now. I'm just confused why it only tripped rule 18100 and not rule 18107 as well since it should trip off of the ID.

On Thursday, October 3, 2013 9:12:27 PM UTC-4, Michael Starks wrote:

> On 10/03/2013 04:10 PM, Nathaniel Bentzinger wrote:
>> Sorry I meant to include my full decoder file too:
>
> Have you seen the decoder I have been using in the other thread? I'm not
> sure how this one compares, so it might be useful to see where we have
> similarities and differences.
Re: [ossec-list] Windows Source IP Parsing
I need some help modifying my Windows Audit parser to get the IP address/hostname. The current one looks like this:

windows
^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d
^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+) \t(\.+)\t\.+\t(\.+)\t(\.+)\t
id, extra_data, user, status, system_name
name, id, location, user, system_name

My modified one looks like this:

windows
^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d
^:\d\d:\d\d \d\d\d\d\t(\d+)\t\.+ \t(\.+)\\(\S+)\t
id, srcip, user
name, id, location, user, system_name

The log I'm trying to match is:

Oct 3 12:50:01 WIN-SERVER1 MSWinEventLog 1 Security 474 Thu Oct 03 12:50:00 2013 4624 Microsoft-Windows-Security-Auditing WIN-SERVER1\Administrator N/A Success Audit WIN-SERVER1 Logon An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-SERVER1$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-2885816794-3785768203-2620152398-500 Account Name: Administrator Account Domain: WIN-SERVER1 Logon ID: 0xd8f9af1 Logon GUID: {----} Process Information: Process ID: 0x2c70 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN-SERVER1 Source Network Address: 10.1.1.1 Source Port: 34916 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local

When using a general regex tester, everything works fine, other than for some reason OSSEC does (\.+) instead of a (.+) and I'm unsure why the ^ is at the beginning of the after_prematch string. I just mimicked those settings from the one that works.

When I use my new parser, no alerts ever hit my OSSEC wui, therefore it looks like it's not parsing them correctly at all.

On Wednesday, October 2, 2013 9:32:44 AM UTC-4, dan (ddpbsd) wrote:

> On Wed, Oct 2, 2013 at 9:29 AM, Eric wrote:
>> Dan,
>>
>> Are you referring to the "etc/decoder.xml" file? I started looking in there
>> yesterday but didn't get very far due to other issues coming up. I just
>> assumed that the source IP would be a common field that was parsed for
>> general Snare logs.
>
> It would be in decoder.xml I guess probably. It's really tough to
> figure out since I don't have any log samples to work with. Good luck!
>
>> Thanks,
>> Eric
>>
>> On Tuesday, October 1, 2013 3:00:36 PM UTC-4, dan (ddpbsd) wrote:
>>
>>> On Tue, Oct 1, 2013 at 2:58 PM, Eric wrote:
>>>> Hello,
>>>>
>>>> I am using OSSEC in a server config with no actual agents. I am having
>>>> Snare logs from my Windows servers sent to /var/log/remotesys.log and
>>>> having OSSEC monitor that file to trip alerts. This works for the most
>>>> part but I'm having a few issues. The main issue is on rules such as
>>>> 40112 - Multiple authentication failures followed by a success. This
>>>> works fine when I test it with local SSH on the box as the "Src IP" is
>>>> parsed out and shown correctly when I'm reviewing the logs in OSSEC-wui.
>>>> But on the Windows box, it isn't showing a Src IP section. I see Level,
>>>> Rule ID, Location (server1's DNS name -> /var/log/remotesys.log), and
>>>> user (192.168.10.10\administrator). I would think it could trip the
>>>> "from same IP" correlation that rule 40112 needs from the location or
>>>> first part of the user field, but it isn't working. Once I remove the
>>>> from same IP part of the rule I can get it to trip on Windows events too.
>>>> But I have to have that part since I will have hundreds of Windows
>>>> servers sending logs to the same location.
>>>>
>>>> Thanks for the help.
>>>> Eric
>>>
>>> Make sure a usable IP address is decoded.
>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups
>>>> "o
Re: [ossec-list] Windows Source IP Parsing
Dan,

Are you referring to the "etc/decoder.xml" file? I started looking in there yesterday but didn't get very far due to other issues coming up. I just assumed that the source IP would be a common field that was parsed for general Snare logs.

Thanks,
Eric

On Tuesday, October 1, 2013 3:00:36 PM UTC-4, dan (ddpbsd) wrote:

> On Tue, Oct 1, 2013 at 2:58 PM, Eric wrote:
>> Hello,
>>
>> I am using OSSEC in a server config with no actual agents. I am having
>> Snare logs from my Windows servers sent to /var/log/remotesys.log and
>> having OSSEC monitor that file to trip alerts. This works for the most
>> part but I'm having a few issues. The main issue is on rules such as
>> 40112 - Multiple authentication failures followed by a success. This
>> works fine when I test it with local SSH on the box as the "Src IP" is
>> parsed out and shown correctly when I'm reviewing the logs in OSSEC-wui.
>> But on the Windows box, it isn't showing a Src IP section. I see Level,
>> Rule ID, Location (server1's DNS name -> /var/log/remotesys.log), and
>> user (192.168.10.10\administrator). I would think it could trip the
>> "from same IP" correlation that rule 40112 needs from the location or
>> first part of the user field, but it isn't working. Once I remove the
>> from same IP part of the rule I can get it to trip on Windows events too.
>> But I have to have that part since I will have hundreds of Windows
>> servers sending logs to the same location.
>>
>> Thanks for the help.
>> Eric
>
> Make sure a usable IP address is decoded.
[ossec-list] Windows Source IP Parsing
Hello,

I am using OSSEC in a server config with no actual agents. I am having Snare logs from my Windows servers sent to /var/log/remotesys.log and having OSSEC monitor that file to trip alerts. This works for the most part but I'm having a few issues. The main issue is on rules such as 40112 - Multiple authentication failures followed by a success. This works fine when I test it with local SSH on the box as the "Src IP" is parsed out and shown correctly when I'm reviewing the logs in OSSEC-wui. But on the Windows box, it isn't showing a Src IP section. I see Level, Rule ID, Location (server1's DNS name -> /var/log/remotesys.log), and user (192.168.10.10\administrator). I would think it could trip the "from same IP" correlation that rule 40112 needs from the location or first part of the user field, but it isn't working. Once I remove the from same IP part of the rule I can get it to trip on Windows events too. But I have to have that part since I will have hundreds of Windows servers sending logs to the same location.

Thanks for the help.
Eric
Re: [ossec-list] OSSEC as a SIEM
Are you using the open source version of AV OSSIM or the paid-for version? I had concerns about whether the open source version could handle the number of events per second, because just the firewall that we want to alert off of sends around 200 - 300 events per second.

On Monday, September 16, 2013 4:43:42 PM UTC-4, Janelle wrote:

> I have 3000+ servers feeding syslog into a single OSSEC server and OSSEC
> parses the data just fine. It is also very easy to use something like
> filtering within syslog (in this case syslog-ng) to write filters and
> process the hosts, groups of hosts, etc, to drop the alerts in different
> locations as needed. OSSEC still processes everything seeing all 3000 hosts
> uniquely, and alerting is done via AV OSSIM.
>
> Works beautifully.
> ~J
>
> On Monday, September 16, 2013 12:39:20 PM UTC-7, Michael Starks wrote:
>
>> On 16.09.2013 14:04, Eric wrote:
>>
>> ...
>>
>>> My main fear is since I'm not
>>> using OSSEC's agent portion of it, it looks like the only agent is
>>> localhost and is therefore going to combine a lot of the traffic we
>>> see into 1 big alert. If I get login failures from server1 and
>>> server2, it will treat this as the same source and correlate it a lot
>>> faster than it would if it treated them as separate servers.
>>
>> I have layered OSSEC on top of an existing syslog server in several
>> environments. As long as the log messages themselves don't look like
>> they are all coming from the same place, OSSEC will see them as separate
>> systems. The hostname portion of the syslog is extracted like any other
>> field, so it will work.
>>
>> By not using agents, you will lose some functionality; namely, active
>> response, integrity checking and rootkit detection.
>>
>> If you're looking for SIEM-like functionality (asset valuation, etc),
>> try the solution from AlienVault. OSSEC is deeply integrated into their
>> solution and they have contributed back to OSSEC.
Re: [ossec-list] OSSEC as a SIEM
Thank you very much for your information. The logs are showing as coming from the correct source, but I didn't know if OSSEC was treating them correctly. Below is the main example that I've come across. This is also true for the Windows multiple failed logins. It's correlating 2 different servers and 2 different user names together and then in the final alert info, only shows the latest. Does this look right to you?

Level: 10 - Multiple SSHD authentication failures.
Rule Id: 5720
Location: vm1->/var/log/secure
Src IP: 192.168.1.1
User: user1
Sep 16 13:53:01 vm1 sshd[25275]: Failed password for user1 from 192.168.1.1 port 1344 ssh2
Sep 16 13:55:36 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:52:59 vm1 sshd[25275]: Failed password for user1 from 192.168.1.1 port 1344 ssh2
Sep 16 13:55:34 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:55:29 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:52:20 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
Sep 16 13:52:18 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
Sep 16 13:52:15 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2

I have also tried the open source version of AlienVault, but from everything I read about it and after doing a small POC, I didn't think it could handle the events per second we needed.

On Monday, September 16, 2013 3:39:20 PM UTC-4, Michael Starks wrote:

> On 16.09.2013 14:04, Eric wrote:
>
> ...
>
>> My main fear is since I'm not
>> using OSSEC's agent portion of it, it looks like the only agent is
>> localhost and is therefore going to combine a lot of the traffic we
>> see into 1 big alert. If I get login failures from server1 and
>> server2, it will treat this as the same source and correlate it a lot
>> faster than it would if it treated them as separate servers.
>
> I have layered OSSEC on top of an existing syslog server in several
> environments. As long as the log messages themselves don't look like
> they are all coming from the same place, OSSEC will see them as separate
> systems. The hostname portion of the syslog is extracted like any other
> field, so it will work.
>
> By not using agents, you will lose some functionality; namely, active
> response, integrity checking and rootkit detection.
>
> If you're looking for SIEM-like functionality (asset valuation, etc),
> try the solution from AlienVault. OSSEC is deeply integrated into their
> solution and they have contributed back to OSSEC.
[ossec-list] OSSEC as a SIEM
I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix. Currently I have logs from ~400 servers coming into a syslog-ng box. I was looking into a few programs such as SEC (Simple Event Correlator), OSSEC, etc. to do this. For SEC, I could easily have the process tail the file(s) I am writing to and have it trip alerts off of it. However I would have to build in a lot of custom rules and there wouldn't be a pretty GUI as there is with OSSEC.

So I was thinking of using OSSEC as a local install and instead of having it handle all of the agents, just have it tail the log file(s) and trip alerts. My main fear is since I'm not using OSSEC's agent portion of it, it looks like the only agent is localhost and is therefore going to combine a lot of the traffic we see into 1 big alert. If I get login failures from server1 and server2, it will treat this as the same source and correlate it a lot faster than it would if it treated them as separate servers.

Is there any logic I can put into OSSEC to make this local/non agent config work with multiple server logs coming in, or would you recommend even trying? My goal is to use the current syslog feed we have from the 400 servers with the OSSEC logic. I don't want to have to install agents on these machines.

Thanks in advance,
Eric
Re: [ossec-list] Problem witch syscheck - file integrity
Thanks for pointing this out, I was having the same problem where the inotify.h is not under sys/inotify.h. I was able to resolve this by apt-get install gcc-multilib to get inotify.h to be under sys/.

On Tuesday, November 8, 2011 8:41:05 AM UTC-5, dan (ddpbsd) wrote: > > On Thu, Nov 3, 2011 at 9:50 AM, Yi-Huan Chan (Hubert) > > wrote: > > Just modify my patch for this case > > > > diff -r a705659a30d0 src/Makeall > > --- a/src/Makeall Thu Nov 03 04:39:44 2011 +0800 > > +++ b/src/Makeall Thu Nov 03 21:45:53 2011 +0800 > > @@ -71,7 +71,12 @@ > > ls /usr/include/sys/inotify.h > /dev/null 2>&1 > > if [ $? = 0 ]; then > > echo "EEXTRA=-DUSEINOTIFY" >> Config.OS > > -fi > > +else > > +ls /usr/include/x86_64-linux-gnu/sys/inotify.h > /dev/null > 2>&1 > > +if [ $? = 0 ]; then > > +echo "EEXTRA=-DUSEINOTIFY" >> Config.OS > > +fi > > +fi > > > > fi > > > > Do you think it's a good way to fix it? > > > > I think Ubuntu should fix their install. ;) > > > On Thu, Nov 3, 2011 at 5:35 AM, dan (ddp) > > wrote: > >> [ddp@zanovar ~]$ uname -a > >> Linux zanovar.example.com 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 > >> 19:49:27 BST 2011 x86_64 x86_64 x86_64 GNU/Linux > >> [ddp@zanovar ~]$ ls -l /usr/include/x86_64-linux-gnu/sys/inotify.h > >> ls: cannot access /usr/include/x86_64-linux-gnu/sys/inotify.h: No such > >> file or directory > >> [ddp@zanovar ~]$ ls -l /usr/include/sys/inotify.h > >> -rw-r--r--. 1 root root 3941 Jun 25 08:25 /usr/include/sys/inotify.h > >> > >> > >> On Wed, Nov 2, 2011 at 5:19 PM, Yi-Huan Chan (Hubert) > >> > wrote: > >>> My guess is that, your linux machine is x86_64. > >>> For my machine (ubuntu 11.10 amd64), the inotify.h is not under > >>> sys/inotify.h, so the build script will not enable inotify support. > >>> > >>> I modify Makeall for my case > >>> > >>> diff -r a705659a30d0 src/Makeall > >>> --- a/src/Makeall Thu Nov 03 04:39:44 2011 +0800 > >>> +++ b/src/Makeall Thu Nov 03 05:13:19 2011 +0800
> >>> @@ -68,7 +68,11 @@ > >>> > >>> # Checking for inotify > >>> if [ "X$OS" = "XLinux" ]; then > >>> -ls /usr/include/sys/inotify.h > /dev/null 2>&1 > >>> +INOTIFY_H_PATH="/usr/include/sys/inotify.h" > >>> +if [ "X$MACH" = "Xx86_64" ]; then > >>> + > INOTIFY_H_PATH="/usr/include/x86_64-linux-gnu/sys/inotify.h" > >>> +fi > >>> +ls "$INOTIFY_H_PATH" > /dev/null 2>&1 > >>> if [ $? = 0 ]; then > >>> echo "EEXTRA=-DUSEINOTIFY" >> Config.OS > >>> fi > >>> > >>> On Wed, Nov 2, 2011 at 11:27 PM, Calum > > wrote: > On 2 November 2011 15:00, dan (ddp) > > wrote: > > This assumes he's using a linux that supports inotify. > > There are ones that don't? :) > > >>> > >> > > > >
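Review bot: in the revised patch (hunk @@ -71,7 +71,12 @@) the new `else` branch hard-codes the `x86_64-linux-gnu` triplet, so any other multiarch layout (32-bit or non-x86 builds, which use a different triplet directory) still fails the check and silently loses inotify support; instead of a second fixed `ls`, probe the way the compiler does, for example by feeding `#include <sys/inotify.h>` to the preprocessor of whichever compiler variable Makeall already uses and testing its exit status, which covers every layout and also removes the duplicated `echo "EEXTRA=-DUSEINOTIFY" >> Config.OS` line. A smaller style point: `ls path > /dev/null 2>&1; if [ $? = 0 ]` is more simply written as `if [ -f path ]`.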
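Review bot: the first patch (hunk @@ -68,7 +68,11 @@) replaces `/usr/include/sys/inotify.h` with the multiarch path whenever `$MACH` is `x86_64`, so an x86_64 system that keeps the header in the old location would lose inotify support without any error; dan's RHEL 6 x86_64 output earlier in this thread shows exactly that layout (the multiarch file is absent, `/usr/include/sys/inotify.h` is present). Test both locations rather than selecting one by `$MACH`, e.g. iterate over `/usr/include/sys/inotify.h` and `/usr/include/x86_64-linux-gnu/sys/inotify.h` and set `EEXTRA` if either exists. The hunk also does not show where `MACH` is assigned; if it is unset the comparison is always false and only the old path is tried.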
Re: [ossec-list] Questions about file monitoring
On Wednesday, 16 January 2013 at 11:19 -0500, dan (ddp) wrote:
> On Wed, Jan 16, 2013 at 11:12 AM, Eric Lederrey wrote:
> > Dear ossec-list people,
> >
> > I tested the file-monitoring capabilities of ossec. On a windows client I created a directory "C:\kyos_ossec_tests" and configured it in ossec.conf like that :
> >
> > C: \kyos_ossec_tests
> >
> > And then I created, modified and deleted files and directories.
> >
> > Here are the observations I made during the tests.
> >
> > * if the directory you are monitoring is configured with check_all=yes : the changes will be reported only after each scan
> > * if alert_new_files is enabled on the server : the new files are reported only after each scan
> > * if realtime=yes is configured, only the modifications (not creation, or deletion) are reported almost in real time : creation and deletion are reported after each scan.
> > * the deletion of a subdir is not reported by ossec. Only the files deleted will be reported.
> >
> > Am I understanding correctly the behavior of ossec ?
> >
> > Best Regards,
> > --
> > Eric LEDERREY
> > Security and systems engineer
> >
> > KYOS IT SECURITY
> > Audit, Consulting and IT Security Solutions
> > 12 bis avenue Rosemont - 1208 Genève
> > Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
> > www.kyos.ch - eric.leder...@kyos.ch
> > ----
>
> Sounds about right.

Ok thank you for your reply. I suggest that you put this into the documentation, because it is useful to people that need to enforce some kind of policy.

Best regards
--
Eric LEDERREY
Security and systems engineer

KYOS IT SECURITY
Audit, Consulting and IT Security Solutions
12 bis avenue Rosemont - 1208 Genève
Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
www.kyos.ch - eric.leder...@kyos.ch
[ossec-list] Questions about file monitoring
Dear ossec-list people,

I tested the file-monitoring capabilities of ossec. On a windows client I created a directory "C:\kyos_ossec_tests" and configured it in ossec.conf like that :

C: \kyos_ossec_tests

And then I created, modified and deleted files and directories.

Here are the observations I made during the tests.

* if the directory you are monitoring is configured with check_all=yes : the changes will be reported only after each scan
* if alert_new_files is enabled on the server : the new files are reported only after each scan
* if realtime=yes is configured, only the modifications (not creation, or deletion) are reported almost in real time : creation and deletion are reported after each scan.
* the deletion of a subdir is not reported by ossec. Only the files deleted will be reported.

Am I understanding correctly the behavior of ossec ?

Best Regards,
--
Eric LEDERREY
Security and systems engineer

KYOS IT SECURITY
Audit, Consulting and IT Security Solutions
12 bis avenue Rosemont - 1208 Genève
Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
www.kyos.ch - eric.leder...@kyos.ch
Re: [ossec-list] OSSEC RPMs
On Wednesday, June 27, 2012 8:49:38 AM UTC-4, dan (ddpbsd) wrote:
> On Thu, Jun 14, 2012 at 6:32 PM, Eric G wrote:
> > Hello list,
> >
> > I've built OSSEC 2.6 RPMs on the OpenSUSE build service, and they can be found here:
> > http://download.opensuse.org/repositories/home:/ericgearhart:/ossec/
> >
> > I've gotten OSSEC to build for RHEL/CentOS 5 and 6, both x86 and x64... I can try building for more distros if there's demand for it
> >
> > To the dev team - thanks for OSSEC! It's a great server security tool
> >
> > Eric
>
> Does the agent auth work with your RPMs? That used to be an issue with a number of RPMs we've had in the past.

I'm not sure... can anyone test? I didn't specifically (or deliberately) do anything in the spec file's make section to disable agent auth

--
Eric
http://www.linkedin.com/in/ericgearhart
Re: [ossec-list] Multiple Agents with 1 Key
Dan,

Thank you very much for all of your information. You've been very helpful. I just have 1 more quick question then I'll stop bugging you, for now. :)

Is there any other way to manage the keys or do some sort of automated agent key management? I know there is ossec-authd that would work on an internal system with individual IPs for each host but I didn't know how/if that would work with a mixed environment of agents and multiple agents coming from 1 IP.

Thanks again,
Eric

On Wednesday, June 27, 2012 12:21:06 PM UTC-4, dan (ddpbsd) wrote:
> On Wed, Jun 27, 2012 at 12:15 PM, Eric wrote:
> > Thank you for the information. Is there any better way that you can think of architecting this setup? One of the main concerns is that location1 will reuse Host1's key for Host2 and then it completely confuses those monitoring the alerts.
>
> You could setup local OSSEC servers and have them forward their alerts to a central OSSEC server.
>
> Tell the locations that re-using keys is bad, and they shouldn't do it. Write it out in crayon if you have to.
>
> > On Wednesday, June 27, 2012 10:43:47 AM UTC-4, dan (ddpbsd) wrote:
> >> > Hello,
> >> >
> >> > I am working on a deployment that is going to involve multiple external locations (behind a NAT) with all of them talking back to 1 server.
> >> >
> >> > Location 1 will be a mixture of Linux and Windows agents. There will be ~10 hosts at this location all going out of a single NAT, 1.1.1.1.
> >> > Location 2 will have ~5 Linux machines going out a single NAT, 2.2.2.2.
> >> > Location 3 will have ~20 Windows machines going out a single NAT, 3.3.3.3.
> >> >
> >> > So far I have gotten this general setup to work by creating an individual key for each host and setting the IP address to "any". However, I am curious if there is any way to set up 1 key per location and have all agents share that one key. So I can give location 1 keyA and they put that on all of the agents and it is able to talk back to the portal. I've kinda sorta gotten this to work by creating Location1 on the OSSEC server and giving it an IP of 1.1.1.1/32. I know if I just do 1.1.1.1 it says duplicate key error but if I put a CIDR around it, it has worked sometimes and other times it hasn't. So that is my first question. Is this scenario doable?
> >>
> >> No. Each individual agent requires its own unique key.
> >>
> >> > My second question is if I am able to make the above setup work, is there any way I can distinguish the individual agents from one another? I know by default, if we have the hostnames set up correctly, I will see Location1 as the "location" but I will see host1 somewhere in the log to distinguish it. Are there any additional fields that I can force OSSEC to send with the logs, such as the internal IP? This is especially the case for integrity checking alerts since it doesn't even give the hostname on those. Can I force it to?
> >> >
> >> > Thanks in advance for any advice/information you all have.
Re: [ossec-list] Multiple Agents with 1 Key
Thank you for the information. Is there any better way that you can think of architecting this setup? One of the main concerns is that location1 will reuse Host1's key for Host2 and then it completely confuses those monitoring the alerts.

On Wednesday, June 27, 2012 10:43:47 AM UTC-4, dan (ddpbsd) wrote:
> > Hello,
> >
> > I am working on a deployment that is going to involve multiple external locations (behind a NAT) with all of them talking back to 1 server.
> >
> > Location 1 will be a mixture of Linux and Windows agents. There will be ~10 hosts at this location all going out of a single NAT, 1.1.1.1.
> > Location 2 will have ~5 Linux machines going out a single NAT, 2.2.2.2.
> > Location 3 will have ~20 Windows machines going out a single NAT, 3.3.3.3.
> >
> > So far I have gotten this general setup to work by creating an individual key for each host and setting the IP address to "any". However, I am curious if there is any way to set up 1 key per location and have all agents share that one key. So I can give location 1 keyA and they put that on all of the agents and it is able to talk back to the portal. I've kinda sorta gotten this to work by creating Location1 on the OSSEC server and giving it an IP of 1.1.1.1/32. I know if I just do 1.1.1.1 it says duplicate key error but if I put a CIDR around it, it has worked sometimes and other times it hasn't. So that is my first question. Is this scenario doable?
>
> No. Each individual agent requires its own unique key.
>
> > My second question is if I am able to make the above setup work, is there any way I can distinguish the individual agents from one another? I know by default, if we have the hostnames set up correctly, I will see Location1 as the "location" but I will see host1 somewhere in the log to distinguish it. Are there any additional fields that I can force OSSEC to send with the logs, such as the internal IP? This is especially the case for integrity checking alerts since it doesn't even give the hostname on those. Can I force it to?
> >
> > Thanks in advance for any advice/information you all have.
[ossec-list] Multiple Agents with 1 Key
Hello,

I am working on a deployment that is going to involve multiple external locations (behind a NAT) with all of them talking back to 1 server.

Location 1 will be a mixture of Linux and Windows agents. There will be ~10 hosts at this location all going out of a single NAT, 1.1.1.1.
Location 2 will have ~5 Linux machines going out a single NAT, 2.2.2.2.
Location 3 will have ~20 Windows machines going out a single NAT, 3.3.3.3.

So far I have gotten this general setup to work by creating an individual key for each host and setting the IP address to "any". However, I am curious if there is any way to set up 1 key per location and have all agents share that one key. So I can give location 1 keyA and they put that on all of the agents and it is able to talk back to the portal. I've kinda sorta gotten this to work by creating Location1 on the OSSEC server and giving it an IP of 1.1.1.1/32. I know if I just do 1.1.1.1 it says duplicate key error but if I put a CIDR around it, it has worked sometimes and other times it hasn't. So that is my first question. Is this scenario doable?

My second question is if I am able to make the above setup work, is there any way I can distinguish the individual agents from one another? I know by default, if we have the hostnames set up correctly, I will see Location1 as the "location" but I will see host1 somewhere in the log to distinguish it. Are there any additional fields that I can force OSSEC to send with the logs, such as the internal IP? This is especially the case for integrity checking alerts since it doesn't even give the hostname on those. Can I force it to?

Thanks in advance for any advice/information you all have.
[ossec-list] ossec syslog to splunk
Splunk guy says ossec hasn't been sending anything to splunk for a while. Nothing in ossec's config has changed. Is there a log anywhere that can show me what's happening with the "syslog" parameter? -- Eric Jacobs Thomas Publishing Company Infrastructure and operations Information Technology Group Phone: 215-494-7312 Email: ejac...@thomaspublishing.com
[ossec-list] OSSEC RPMs
Hello list, I've built OSSEC 2.6 RPMs on the OpenSUSE build service, and they can be found here: http://download.opensuse.org/repositories/home:/ericgearhart:/ossec/ I've gotten OSSEC to build for RHEL/CentOS 5 and 6, both x86 and x64... I can try building for more distros if there's demand for it To the dev team - thanks for OSSEC! It's a great server security tool Eric
Re: [ossec-list] OSSEC server won't bind to 1514/UDP...
Yeaup; 770 with root:ossec, and I used install.sh to install OSSEC. I know I also can't install Safe Squid either on Arch Linux (it won't generate a full serial key), so I'm wondering if it just might be a lost cause. I can continue looking into it as well, but I'm not sure what else to do.

When your work speaks for itself, don’t interrupt. – Henry J. Kaiser

On Wed, Mar 23, 2011 at 9:25 AM, Jason 'XenoPhage' Frisvold <xenoph...@godshell.com> wrote:
> On 03/22/2011 11:10 PM, Eric Hansen wrote:
> > Lol, the only thing I'm beginning to wonder is that Arch Linux, for one reason or another, isn't liking OSSEC. Correct, the server cannot bind to 1514/UDP (the agent has the port open just fine trying to connect to the server). My OSSEC is installed in /var/ossec, the default path. The shared is located in /var/ossec/etc/shared, and it's ossec:ossec w/ permission 770.
>
> And the files within the shared directory are root:ossec with 770 permissions?
>
> I'm not sure why Arch wouldn't like OSSEC.. I know arch has some peculiar (at least to me) ways of doing things, but I thought that was just my own unfamiliarity with the system. You used install.sh to set up the server, yes?
>
> --
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
Re: [ossec-list] OSSEC server won't bind to 1514/UDP...
Lol, the only thing I'm beginning to wonder is that Arch Linux, for one reason or another, isn't liking OSSEC. Correct, the server cannot bind to 1514/UDP (the agent has the port open just fine trying to connect to the server). My OSSEC is installed in /var/ossec, the default path. The shared is located in /var/ossec/etc/shared, and it's ossec:ossec w/ permission 770.

When your work speaks for itself, don’t interrupt. – Henry J. Kaiser

On Tue, Mar 22, 2011 at 10:57 AM, Jason 'XenoPhage' Frisvold <xenoph...@godshell.com> wrote:
> On 03/21/2011 05:29 PM, Eric Hansen wrote:
> > Nah, I'm using Arch Linux which doesn't include anything beyond the core files needed for Bash and Linux, and I really dislike (to put it nicely) SELinux.
>
> You know, if you want help, you're really going to have to have one of the problems I'm describing so we can fix it.. ;)
>
> Ok.. Let me re-iterate so I understand the problem.. Your server (not agent) won't bind to port 1514/UDP. Is that correct?
>
> The error you see in the logs : "ERROR: Unable to create merged file: '/etc/shared/merged.mg'." is on the server, correct? What are the permissions on the /etc/shared ... wait.. /etc/shared? Did you relocate the ossec install? That should be /var/ossec/etc/shared ... Where is OSSEC installed?
>
> What are the permissions on the shared directory (wherever it is) ? It appears that remoted isn't running, perhaps because of directory permissions problems. On my install, the shared directory is owned by ossec.ossec and has permissions of 770 .
>
> --
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
Re: [ossec-list] OSSEC server won't bind to 1514/UDP...
Nah, I'm using Arch Linux which doesn't include anything beyond the core files needed for Bash and Linux, and I really dislike (to put it nicely) SELinux.

When your work speaks for itself, don’t interrupt. – Henry J. Kaiser

On Mon, Mar 21, 2011 at 5:03 PM, Jason 'XenoPhage' Frisvold wrote:
> On 03/18/2011 11:43 PM, Eric Hansen wrote:
> > That I did.
>
> Are you running selinux, perchance?
>
> > When your work speaks for itself, don’t interrupt.
> > – Henry J. Kaiser
>
> --
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
Re: [ossec-list] OSSEC server won't bind to 1514/UDP...
That I did.

When your work speaks for itself, don’t interrupt. – Henry J. Kaiser

On Fri, Mar 18, 2011 at 10:07 PM, Jason 'XenoPhage' Frisvold wrote:
> On Mar 18, 2011, at 10:20 AM, Eric Hansen wrote:
> >
> > First, I'd like to say that I've been doing a lot of Googling around and tried a lot of things to no avail.
>
> Did you register the client on the server using manage_agents? And did you then copy the key to the client and install it using manage_agent?
>
> ---
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
[ossec-list] Re: OSSEC server won't bind to 1514/UDP...
Also, I ran tcpdump on UDP/1514 and I do get traffic on the server:

00 [03/18/11 11:40:57 AM] - root# tcpdump -vv -i eth0 -A -s 0 udp port 1514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:41:35.833808 IP (tos 0x0, ttl 64, id 11077, offset 0, flags [DF], proto UDP (17), length 101)
    192.168.1.101.47492 > 192.168.1.103.fujitsu-dtcns: [udp sum ok] UDP, length 73
E..e+E@.@..&...e...g.QLW:..hF.`*{{$|.&._I-.Y wCm..*...j..~RW...K.D.*.n#)P.].1
11:41:41.834555 IP (tos 0x0, ttl 64, id 11078, offset 0, flags [DF], proto UDP (17), length 101)
    192.168.1.101.47492 > 192.168.1.103.fujitsu-dtcns: [udp sum ok] UDP, length 73
:..|v5.U.S..qJB\P.Y&..N...r.r.Uu.-Q.tT.&...B..i U..LB{.@].qF.
11:41:51.834053 IP (tos 0x0, ttl 64, id 11079, offset 0, flags [DF], proto UDP (17), length 101)
    192.168.1.101.47492 > 192.168.1.103.fujitsu-dtcns: [udp sum ok] UDP, length 73
E..e+G@ .@..$...e...g.Q..:...%.1...Jf.1a.%..2Yt./'C(...{.^...G.c.M.^\.o~X.
11:42:00.836577 IP (tos 0x0, ttl 64, id 18580, offset 0, flags [DF], proto UDP (17), length 101)
    192.168.1.101.48716 > 192.168.1.103.fujitsu-dtcns: [udp sum ok] UDP, length 73
E..eH.@.@.me...g.L...Q..: ..Y.o...G.DN.1`z..u.04[.%..y.).a.c..3?.

When your work speaks for itself, don’t interrupt. – Henry J. Kaiser

On Fri, Mar 18, 2011 at 10:20 AM, Eric Hansen wrote:
> First, I'd like to say that I've been doing a lot of Googling around and tried a lot of things to no avail.
>
> Error:
>
> 2011/03/18 09:46:34 ossec-logcollector: INFO: Started (pid: 5415).
> 2011/03/18 09:46:38 ossec-agentd(1218): ERROR: Unable to send message to server.
> 2011/03/18 09:46:44 ossec-syscheckd: Setting SCHED_BATCH returned: 0
> 2011/03/18 09:46:50 ossec-agentd(1218): ERROR: Unable to send message to server.
> 2011/03/18 09:46:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.103'.
>
> uname -a
> Linux s4u 2.6.37-ARCH #1 SMP PREEMPT Fri Feb 18 16:58:42 UTC 2011 i686 AMD Sempron(tm) Processor 3100+ AuthenticAMD GNU/Linux
>
> My flavor I'm running on both is Arch Linux.
>
> I've uninstalled iptables on both the server and agent (wanted to see if this was causing any issues). I've also edited /etc/hosts.deny to comment out the ALL: ALL line, and add the ALL: ALL line to hosts.allow. I've done this for both agent and server, as well as opened up UDP port 1514 on my router/firewall to point to the server.
>
> Here's my section in ossec.conf for the server:
>
> secure
>
> (I've also tried it with the lines not commented out and it still doesn't make a difference.)
>
> ossec-init.conf (server):
> DIRECTORY="/var/ossec"
> VERSION="v2.5.1"
> DATE="Thu Mar 10 12:36:34 EST 2011"
> TYPE="server"
>
> -- The agent one specifies "agent" for type. --
>
> In internal_options.conf, all the daemons have level 2 debugging and I set up ossec-control bash script to run each daemon with the -d flag for debugging.
>
> When running cat /var/ossec/logs/ossec.log | grep remoted here's what I get:
>
> 2011/03/18 09:27:25 ossec-remoted: DEBUG: Starting ...
> 2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22933).
> 2011/03/18 09:27:25 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22934).
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
[ossec-list] OSSEC server won't bind to 1514/UDP...
First, I'd like to say that I've been doing a lot of Googling around and tried a lot of things to no avail.

Error:

2011/03/18 09:46:34 ossec-logcollector: INFO: Started (pid: 5415).
2011/03/18 09:46:38 ossec-agentd(1218): ERROR: Unable to send message to server.
2011/03/18 09:46:44 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2011/03/18 09:46:50 ossec-agentd(1218): ERROR: Unable to send message to server.
2011/03/18 09:46:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.103'.

uname -a
Linux s4u 2.6.37-ARCH #1 SMP PREEMPT Fri Feb 18 16:58:42 UTC 2011 i686 AMD Sempron(tm) Processor 3100+ AuthenticAMD GNU/Linux

My flavor I'm running on both is Arch Linux.

I've uninstalled iptables on both the server and agent (wanted to see if this was causing any issues). I've also edited /etc/hosts.deny to comment out the ALL: ALL line, and add the ALL: ALL line to hosts.allow. I've done this for both agent and server, as well as opened up UDP port 1514 on my router/firewall to point to the server.

Here's my section in ossec.conf for the server:

secure

(I've also tried it with the lines not commented out and it still doesn't make a difference.)

ossec-init.conf (server):
DIRECTORY="/var/ossec"
VERSION="v2.5.1"
DATE="Thu Mar 10 12:36:34 EST 2011"
TYPE="server"

-- The agent one specifies "agent" for type. --

In internal_options.conf, all the daemons have level 2 debugging and I set up ossec-control bash script to run each daemon with the -d flag for debugging.

When running cat /var/ossec/logs/ossec.log | grep remoted here's what I get:

2011/03/18 09:27:25 ossec-remoted: DEBUG: Starting ...
2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22933).
2011/03/18 09:27:25 ossec-remoted: DEBUG: Forking remoted: '0'.
2011/03/18 09:27:25 ossec-remoted: INFO: Started (pid: 22934).
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/03/18 09:27:25 ossec-remoted: DEBUG: Running manager_init
2011/03/18 09:27:26 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '114688'.
2011/03/18 09:27:26 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2011/03/18 09:27:26 ossec-remoted(1410): INFO: Reading authentication keys file.
2011/03/18 09:27:26 ossec-remoted: DEBUG: OS_StartCounter.
2011/03/18 09:27:26 ossec-remoted: OS_StartCounter: keysize: 1

Here's the output for netstat:

netstat -np
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State        PID/Program name
tcp        0      0 192.168.1.103:80        69.14.233.178:61774     FIN_WAIT2    -
tcp        0      0 192.168.1.103:80        69.14.233.178:61769     FIN_WAIT2    -
tcp        0      0 192.168.1.103:8018      69.14.233.178:42808     ESTABLISHED  22630/sshd: love [p
udp        0      0 192.168.1.103:2011      194.97.114.3:2010       ESTABLISHED  1005/ts3server_linu
udp        0      0 192.168.1.103:38894     194.97.114.3:2010       ESTABLISHED  1005/ts3server_linu
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags   Type    State        I-Node   PID/Program name     Path
unix  7      [ ]     DGRAM                3851     921/syslog-ng        /dev/log
unix  6      [ ]     DGRAM                2231128  16682/ossec-analysi  /queue/ossec/queue
unix  2      [ ]     DGRAM                2107     416/udevd            @/org/kernel/udev/udevd
unix  3      [ ]     DGRAM                2231117  16677/ossec-execd    /var/ossec/queue/alerts/execq
unix  2      [ ]     DGRAM                2375980  22635/su
unix  2      [ ]     DGRAM                2375966  22634/sudo
unix  3      [ ]     STREAM  CONNECTED    2375942  22630/sshd: love [p
unix  3      [ ]     STREAM  CONNECTED    2375941  22632/0
unix  2      [ ]     DGRAM                2231155  16700/ossec-monitor
unix  2      [ ]     DGRAM                2231154  16682/ossec-analysi
unix  2      [ ]     DGRAM                2231153  16682/ossec-ana
[ossec-list] Rule 5501 user: (none)
Hi,

I was wondering why the rule 5501 is always setting the user to "none" even though we can see it in the syslog message. "session opened for user root by (uid=0)"

** Alert 1286899055.442273: - pam,syslog,authentication_success,
2010 Oct 12 11:57:35 ossec->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Src IP: (none)
User: (none)
Oct 12 11:57:34 ossec sshd[2067]: pam_unix(sshd:session): session opened for user root by (uid=0)

Thank you for your time
Eric
Re: [ossec-list] Having problem with install on 64bit system
Michael,

I'm just throwing my two cents in here... in my experience header checksums that Wireshark picks up as being 000 instead of the correct value is usually because of TCP offload in the NIC... it's usually TOE doing its job, and you're not seeing the checksum being computed because the computation of the checksum is offloaded to the NIC hardware.

Crazy stuff I know... hopefully it helps you a little bit though.

On Fri, Jul 2, 2010 at 10:21 AM, Michael Barrett wrote:
> Anyone have any ideas about this?
>
> I can install the agent but it can't talk to the server, there are no network controls in place and other servers on this subnet work fine.
Re: [ossec-list] Composite Rule Help
Hi Phil, I don't know enough to add meaningfully, but in the last paragraph this looked unusual. Perhaps same_source_ip is built into ossec, but the tags look like it's missing brackets. Is this supposed to send a notification email or make an active response? Eric > Hi, > > I am attempting to write a suit of rules for Zimbra but have a issue with > the composite rules. Within my local_rules.xml I have: > > > > zimbra > Zimbra Messages Grouped > > > > 100100 > account not found$ > Account Unknown > account_unknown,zimbra_failures, > > > > 100100 > invalid password$ > Invalid Password > invalid_password, > > > > 100100 > preauth mismatch$ > Preauth Mismatch > preauth_mismatch,zimbra_failures, > > > > > > zimbra_failures > > Zimbra Multiple Failures > > > > Individually they are work fine; yet if I fire off 10 entries to the log > file for preauth mismatch the composite rule does not alert. Is there > something glaringly wrong in my ruleset ?
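The XML tags in Phil's rule set were stripped when this message was archived, which is why the elements Eric mentions look bracket-less. What follows is an added reconstruction, not Phil's local_rules.xml as posted: the rule ids, levels, frequency and timeframe are assumptions, and only the matches, descriptions and group names are taken from the surviving text. It shows the shape a composite rule needs, with the parent rule, the three child rules and the frequency-based rule keyed on the zimbra_failures group.

```xml
<!-- Added reconstruction of the rule set discussed above. Ids, levels,
     frequency and timeframe are assumed values, not Phil's. -->
<group name="zimbra,">

  <!-- parent: every event produced by the zimbra decoder lands here -->
  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra messages grouped.</description>
  </rule>

  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Zimbra: account unknown.</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>

  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Zimbra: invalid password.</description>
    <group>invalid_password,</group>
  </rule>

  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch$</match>
    <description>Zimbra: preauth mismatch.</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>

  <!-- composite rule: fires once 10 events carrying the zimbra_failures
       group have arrived from the same source IP within 120 seconds -->
  <rule id="100104" level="10" frequency="10" timeframe="120">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra: multiple authentication failures from the same source.</description>
  </rule>

</group>
```

Two things to check when a rule like 100104 never fires. First, same_source_ip can only correlate events for which the decoder actually set srcip; if the zimbra decoder extracts no address, every event has an empty source and the count never accumulates, so confirm with ossec-logtest that Phase 2 shows srcip for the failure lines. Second, note that in the text above "invalid password" events are tagged invalid_password only, not zimbra_failures, so they never count toward this rule; that is how the surviving text reads and may or may not be intended.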
RE: [ossec-list] Customized Decoder
Phil, If you have any comments or rules to share that would be great. Thank you. I needed to block the IP of anyone who repeatedly uses the wrong password to access a Zimbra account. So far, I added audit.log to the logs that get monitored by ossec and I added a rule to the decoder to extract the IP. Seems to be working. I have set the timeout to 1 hour. The IPs of anyone who uses the incorrect password are being blocked via iptables for one hour. It's not helping the initial account being attacked as that locks itself after 4 attempts but then no other accounts can be attacked after that. Also, this way the hacker gets an access denied message and may move on to more vulnerable machines (it appears to me the locked zimbra account still appears to the user/hacker to be rejecting incorrect passwords). Added to ossec.conf on the Zimbra server: syslog /opt/zimbra/log/audit.log On the OSSEC server I added to the decoder.xml: \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d WARN zimbra ip=(\d+.\d+.\d+.\d+); srcip zimbra oip=(\d+.\d+.\d+.\d+); srcip -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of --[ UxBoD ]-- Sent: Sunday, May 02, 2010 11:11 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Customized Decoder Eric, what are you specifically trying to trap from Zimbra ? I may be able to share some of my rules if you would like. -- Thanks, Phil (uxbod - Zimbra moderator)
RE: [ossec-list] Re: Customized Decoder
Thank you very much Dave and Dan! I guess I was trying too hard. LOL Everything is working great with ossec. Thanks so much to everyone involved with this project. I LOVE this program!!! * Hi Eric, First off, your entire regex is enclosed in square brackets which is incorrect. I'd try simplifying the regular expression to something like oip=(\d+.\d+.\d+.\d+); Try that, Dave * I can't test this at the moment, so be gentle. ;) Is oip= always an IP? If so, you could cut out a lot of the complexity by doing something like: oip=(\d+.\d+.\d+.\d+); If that works, you can then build up anything else you want around it. Get the important stuff working, and make the regex more specific afterwards. Also, the order of the decoders is important. I've gotten things to work before by moving them around a bit.
[ossec-list] Customized Decoder
Hi I've created two decoders and one is working correctly, but the second isn't. I can't see where my error is. Can anyone help? Both work off the same parent, so the parent should be fine. Perhaps the slashes are throwing me off? zimbra [\S+] [name=\S+;oip=(\d+.\d+.\d+.\d+);\S+;] srcip -- Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en
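The thread above (Eric's first attempt, the two replies suggesting a minimal regex, and Eric's final report of what he added to ossec.conf and decoder.xml) again lost its XML tags in the archive. The following is an added reconstruction of both pieces, not Eric's files as posted. The audit.log line in the comment is constructed for testing, not copied from a real Zimbra server; the decoder names are arbitrary.

```xml
<!-- Added example, not the poster's configuration. Two fragments: the
     localfile entry for ossec.conf on the Zimbra host, and the decoders
     for decoder.xml on the OSSEC server. -->

<!-- ossec.conf on the Zimbra host: ship audit.log to the server -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/zimbra/log/audit.log</location>
  </localfile>
</ossec_config>

<!-- decoder.xml on the server. Constructed test line (not a real log):
     2010-05-02 11:11:11,123 WARN  [ImapServer-7] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for [user@example.com], invalid password;
     The line has no syslog header, so pre-decoding leaves hostname and
     program_name empty and the prematch below runs against the whole line. -->
<decoder name="zimbra">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d </prematch>
</decoder>

<!-- In OSSEC's regex dialect "." is a literal dot and "\." means any
     character, so \d+.\d+.\d+.\d+ matches an IPv4 address as written.
     Child decoders are tried in file order and the first match wins, and
     "ip=" is also a substring of "oip=", so the oip decoder comes first:
     the originating client address is the one worth blocking. -->
<decoder name="zimbra-oip">
  <parent>zimbra</parent>
  <regex>oip=(\d+.\d+.\d+.\d+);</regex>
  <order>srcip</order>
</decoder>

<decoder name="zimbra-ip">
  <parent>zimbra</parent>
  <regex>ip=(\d+.\d+.\d+.\d+);</regex>
  <order>srcip</order>
</decoder>
```

Feed the constructed line to /var/ossec/bin/ossec-logtest: Phase 2 should name the zimbra-oip decoder and show srcip: '203.0.113.9'. Once srcip is populated, rules that use same_source_ip and active responses that expect srcip (such as firewall-drop) have something to work with.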
RE: [ossec-list] Active Responses
Hi Daniel, Thank you, I was able to get that working. Eric - Original Message - From: "Daniel Cid" To: ossec-list@googlegroups.com Sent: Monday, April 26, 2010 10:12:52 AM Subject: Re: [ossec-list] Active Responses Hi Eric, You don't have to duplicate the scripts. Just add a new active-response section and give it a very high timeout and specify the rule id you want: firewall-drop local 3302 Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Fri, Apr 23, 2010 at 5:45 PM, Eric Biondi wrote: > I would like to treat one Rule violation different from the rest. I'll > duplicate the scripts for firewall drop under a different name and add > commands in ossec.conf for the new script. > > Instead of Level 7 or above triggering the command, I'd like to have a > specific postfix rule be the trigger. What would the tags be for this? > Instead of can I use something else? I want to make > the firewall drop permanent for Rule: 3302. > > Thanks, Eric > > > > > -- > Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en >
[ossec-list] Active Responses
I would like to treat one Rule violation different from the rest. I'll duplicate the scripts for firewall drop under a different name and add commands in ossec.conf for the new script. Instead of Level 7 or above triggering the command, I'd like to have a specific postfix rule be the trigger. What would the tags be for this? Instead of can I use something else? I want to make the firewall drop permanent for Rule: 3302. Thanks, Eric -- Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en
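Daniel's reply (tags lost in the archive) says to add a second active-response entry rather than duplicate the script. As an added example of that, not Daniel's text and not the stock ossec.conf: the existing level-based entry and a second one that runs the same firewall-drop command only for rule 3302, with a very long timeout standing in for "permanent". The timeout values are assumptions.

```xml
<!-- Added example, not from the thread. All three blocks live in ossec.conf
     on the server. The <command> block is the stock firewall-drop definition,
     shown so the two <active-response> entries have their referent. -->
<ossec_config>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <!-- the command needs a decoded srcip; events without one never trigger it -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- usual entry: any level 7+ alert, unblocked after 10 minutes -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>

  <!-- second entry for the same command, keyed on one rule id instead of a
       level; 2592000 seconds is 30 days (an assumed "effectively permanent") -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>3302</rules_id>
    <timeout>2592000</timeout>
  </active-response>

</ossec_config>
```

location is where the block is applied: local means the host that produced the alert, which for a postfix rule is the mail server itself. Restart the server after editing, and confirm with /var/ossec/bin/agent_control -L that both responses are listed; blocks in effect for an agent can be checked with agent_control -b &lt;ip&gt; or by reading /var/ossec/logs/active-responses.log on the host doing the blocking.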
[ossec-list] OSSEC ignore type - does the sregex support NOT?
We need to basically ignore all filetype extensions except a specific list. We only care about integrity checking on *.exe, *.bat, *.com, *.cmd and *.dll files. I've thought about using an "ignore files" regex with a NOT operator, and just including my 5 file types as the NOTs. I can't tell from http://www.ossec.net/wiki/Know_How:Regex_Readme whether the NOT operator I need (?! in regex, I think) will work... PS This is something we're implementing in order to pass a DIACAP audit, so I'm not the only one who would be helped by a resolution to this (this is finding V0002907 in the Windows DIACAP STIG if anyone is curious)
[ossec-list] Re: RPMS for Centos 5 x86_64 available
On Mon, Jul 6, 2009 at 8:29 AM, wrote: > > Hi Rafael, > > Download the source rpm: > http://3es.atomicrocketturtle.com/packages/ossec/ossec-hids-2.1.1-2.art.src.rpm The OpenSUSE build service could be used to build these RPMs as well... I'll give it a shot -- Eric http://nixwizard.net
[ossec-list] Re: How do I see what has changed within a changed file?
On Thu, Jun 11, 2009 at 5:07 AM, William Maddler wrote: > > That's right. OSSEC can't tell what changed, nor it could. > Basicly a "critical" file isn't supposed to change unless there is a > good reason for that (e.g. an upgrade). Welll OSSEC *could* keep copies of certain critical files and diff against them... it's technically possible, even if it's not implemented yet -- Eric http://nixwizard.net
[ossec-list] Monitoring HAproxy logs with OSSEC
Has anyone had any experience monitoring HAproxy logs with OSSEC? (see http://haproxy.1wt.eu/ for details on HAproxy - in a nutshell, it's a high performance load balancer) We're contemplating moving to it at work, but a definite prerequisite of it would be the ability of OSSEC to monitor its logs and act on intrusion attempts. As far as I've read, HAproxy can log to syslog, I'm just not sure what format it uses. Hopefully if there's an Apache style access.log somewhere then this wouldn't be too difficult I'd think... -- Thanks, Eric http://nixwizard.net
[ossec-list] Re: Need info ...
Thanks for the info. Eric -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of David Williams Sent: Friday, February 20, 2009 3:08 AM To: ossec-list@googlegroups.com Subject: [ossec-list] Re: Need info ... Eric, In my case, I have ossec's file integrity run against the ossec configuration directory. It does not prevent someone with root privileges from changing the file (and conceivably taking the directory out of the file integrity test) but I believe they would also have to restart it to make that take effect, and the restart would be logged. -David Eric Franckx wrote: > Hi, > > > > In fact I want to know : > > · The ossec.conf file is located on the server and agent ? > > · Is there a solution to set all files on the server (conf > files) and not on the agent side ? > > · How can you prevent a user on the agent (with enough rights) to > change the conf on the agent side ? > > > > Regards, > > > > Eric > > > > > > *From:* ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] > *On Behalf Of *Partha Panda > *Sent:* Thursday, February 19, 2009 4:57 PM > *To:* ossec-list@googlegroups.com; ossec-l...@ossec.net > *Subject:* [ossec-list] Re: Need info ... > > > > Hi Eric > > Yes, you can do this with Ossec. You can override rules in the > local_rules.xml to define exceptions. You can find more information at > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules. > > > > Hope this helps > > > > Partha > > > > *From:* ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] > *On Behalf Of *Eric Franckx > *Sent:* Thursday, February 19, 2009 4:39 AM > *To:* ossec-l...@ossec.net > *Subject:* [ossec-list] Need info ... > > > > Hi, > > We are looking for a HIDS tool to be implemented in our company. 
> > > > The features of your product are great but I didn't find info about: > > · How can I update my rule if a modification on a host (agent) > was done but needed to apply a patch for example ? > > · Is there a way from the central place to "add" this change > into the database file ? So it will not generate an "alert" > > Regards, > > > > > > Eric Franckx > /Enterprise IT Architect/ > > NorthgateArinso > Bld. de l'Humanité / Humaniteitslaan 116 > 1070 Brussels > BELGIUM > > Phone: +32 2 558 06 70 > Fax: +32 2 558 06 80 > Mobile: +32 477 37 69 74 > E-mail: eric.fran...@northgatearinso.com > <mailto:firstname.lastn...@northgatearinso.com> > URL: www.northgatearinso.com <http://www.northgatearinso.com/> > > > > > - -- ___ GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: Need info ...
Hi, In fact I want to know : · The ossec.conf file is located on the server and agent ? · Is there a solution to set all file son the server (conf files) and not on the agent site ? · How can you prevent a user on the agent (with enough right) to change the conf on the agent site ? Regards, Eric From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Partha Panda Sent: Thursday, February 19, 2009 4:57 PM To: ossec-list@googlegroups.com; ossec-l...@ossec.net Subject: [ossec-list] Re: Need info ... Hi Eric Yes, you can do this with Ossec. You can override rules ins the local_rules.xml to define exceptions. You can find more information at http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules. Hope this helps Partha From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Eric Franckx Sent: Thursday, February 19, 2009 4:39 AM To: ossec-l...@ossec.net Subject: [ossec-list] Need info ... Hi, We are looking for a HIDS tool to be implemented in our company. The features of you product are great but I didn't find info about: · How can I update my rule if a modification on a host (agent) was done but needed à apply a patch for example ? · Is there a way from the central place to "add'" this change into the database file ? à so it will not generate an "alert" Regards, Eric Franckx Enterprise IT Architect NorthgateArinso Bld. de l'Humanité / Humaniteitslaan 116 1070 Brussels BELGIUM Phone: +32 2 558 06 70 Fax: +32 2 558 06 80 Mobile: +32 477 37 69 74 E-mail: eric.fran...@northgatearinso.com <mailto:firstname.lastn...@northgatearinso.com> URL: www.northgatearinso.com <http://www.northgatearinso.com/>
[ossec-list] Need info ...
Hi, We are looking for a HIDS tool to be implemented in our company. The features of you product are great but I didn't find info about: · How can I update my rule if a modification on a host (agent) was done but needed à apply a patch for example ? · Is there a way from the central place to "add'" this change into the database file ? à so it will not generate an "alert" Regards, Eric Franckx Enterprise IT Architect NorthgateArinso Bld. de l'Humanité / Humaniteitslaan 116 1070 Brussels BELGIUM Phone: +32 2 558 06 70 Fax: +32 2 558 06 80 Mobile: +32 477 37 69 74 E-mail: eric.fran...@northgatearinso.com <mailto:firstname.lastn...@northgatearinso.com> URL: www.northgatearinso.com <http://www.northgatearinso.com/>
[ossec-list] ossec and system updates: forcing immediate syscheck
All,

Wanted to ping the group for thoughts/opinions on interactions between file integrity checks and administrative operating system updates. For example, in the case of a large-scale ossec implementation where multiple groups are tasked with updating various pieces of the system, i.e. one group is responsible for the OS installs themselves, and another group handles the apps/services running on them, and they might not always know what each other are up to. The result is a stream of alerts that are effectively false positives, because the file checksum changes are due to purposeful maintenance taking place.

The task to overcome this is to make ossec a functional component of the update process, by making it play nice with scheduled system maintenance. There are two components to this:

1) Be able to force an immediate syscheck to 're-baseline' the file integrity checksum database immediately following whatever admin-triggered action resulted in changes to things on the filesystem. Ideally this 're-baseline' mode would ignore syscheck file scanning throttles like syscheck.sleep and syscheck.sleep_after because an administratively-triggered syscheck operation during a scheduled maintenance window should probably run as fast as possible.

2) Be able to squelch the alerts that result from the 're-baseline' syscheck, as everything found by this operation will likely be purposeful and not worthy of an alert.

So, with these objectives in mind, some questions spring to mind: Is there currently a way to force a syscheck? Will a simple agent restart result in it beginning one? A potentially useful feature here would be to send the agent a signal, say, SIGUSR1 to trigger this special syscheck, ignoring any throttling options in the process.

As for alerting, it gets a little complicated. The obvious, oversimplified method would be for the agent to simply not alert when it executes the special 're-baseline' syscheck. But this is (equally obviously) a horrible idea, as any intruder with a clue will simply send SIGUSR1 or whatever should trigger the immediate syscheck and happily have his rootkit rolled into the file integrity checksum list without being noticed. So, the alert squelching clearly needs to happen at the ossec server.

Extending the concept of maintenance windows, time slices in which alerts may safely be ignored and not emailed out, to the server could be one way to accomplish this. Preferably, this would be implemented such that maintenance windows could be updated dynamically without restarting the ossec server. One could do this in a custom fashion today by writing alerts to a database, and layering some custom scripts atop it that simply purge alerts for a host during a time period as dictated by the maintenance window.

Anyway, just curious what the community thinks about this. Happy to submit feature requests based on what we come up with.

best,
-e
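The post is right that the squelch has to live on the server, and the rule engine can already express a crude, static form of it. The following is an added example, not the poster's design and not a maintenance-window feature OSSEC ships under that name: a level-0 override in local_rules.xml that swallows syscheck alerts from one named agent during a fixed weekly window, using the stock syscheck rule ids 550 (checksum changed), 553 (file deleted) and 554 (file added) together with the time and weekday rule elements. The agent name, window and rule id are assumptions.

```xml
<!-- Added example, not from the post. Drop into local_rules.xml on the
     server. Agent name, window and rule id are assumed values. -->
<group name="syscheck,local,">

  <!-- Silence integrity-change alerts from agent "webapp01" during the
       Sunday 02:00-04:00 patch window. Level 0 means the event is matched
       and dropped; it is not emailed and not written to alerts.log. -->
  <rule id="100550" level="0">
    <if_sid>550,553,554</if_sid>
    <hostname>^webapp01</hostname>
    <weekday>sunday</weekday>
    <time>02:00-04:00</time>
    <description>Syscheck change on webapp01 inside its scheduled maintenance window.</description>
  </rule>

</group>
```

Two limits worth knowing before relying on this. Rules are read at start-up, so moving the window means an ossec-control restart on the server; the dynamic update the post asks for is only available by the database-plus-script route it mentions. And the window is wall-clock on the server, not tied to any proof that a change was administratively triggered, so a change inside the window from a host that was not actually being patched is silenced too; keep the window narrow and the hostname list explicit. For the re-scan side, the server's agent_control tool (/var/ossec/bin/agent_control -r -u &lt;agent_id&gt;, or -r -a for every agent) asks an agent to start a syscheck and rootcheck run immediately, so a signal is not needed to kick one off after a patch run.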
[ossec-list] Re: How to ignore spurious "hidden file" alerts?
I get that too (ubuntu 8.04). Don't know the answer. In case you didn't see it, here's a recent thread on the subject: '[ossec-list] Re: shm hidden file alert' - MARC http://marc.info/?l=ossec-list&m=122099254509051&w=2 -Eric On Wed, Nov 5, 2008 at 2:31 PM, Kayvan A. Sylvan <[EMAIL PROTECTED]> wrote: > > I get these alerts: > > Received From: satyr->rootcheck > Rule: 510 fired (level 7) -> "Host-based anomaly detection event > (rootcheck)." > Portion of the log(s): > > File '/dev/shm/pulse-shm-43637809' present on /dev. Possible hidden file. > > How do I cause OSSEC not to send an alert for /dev/shm/pulse-shm-\d+ ? > > Thanks for any replies. > > Best regards, > > ---Kayvan >
[ossec-list] Re: how to disregard all local log file messages with a certain hostname?
Thanks Peter and Daniel. Yeah I should probably reconfigure syslog eventually. For now I'm also trying to increase my understanding how rules get triggered. It looks like your suggestion works for me, to add an element in addition to . My first try was the following addition to local_rules.xml, which did *not* "undo" alerts that had already been triggered for myhost.mydomain.com: Ignore localfile entries from myhost.mydomain.com . myhost.mydomain.com but this one does work: 1 Ignore localfile entries from myhost.mydomain.com . myhost.mydomain.com Was I going to need to add of the rules to get it to fire? I noticed an if_sid rule could get it to work also, but then it seemed I was going to have to add one new rule for every existing rule. Why isn't by itself enough to get the rule to match? -Eric On Mon, Nov 3, 2008 at 1:45 PM, Daniel Cid <[EMAIL PROTECTED]> wrote: > > Hi Eric, > > If you use the tag as Peter said, it will work properly > (you can probably add 1 to > make sure it is inspected for every event). However, OSSEC will still > waste time processing this events, so it > might be a better idea to configure your syslog server to log every > remote syslog event from this host > to a separate file that OSSEC is not monitoring. > > Hope it helps. > > -- > Daniel B. Cid > dcid ( at ) ossec.net > > > On Sat, Nov 1, 2008 at 10:34 PM, Eric Wemhoff <[EMAIL PROTECTED]> wrote: > > I've been trying and searching the manual and the forums, and I'm sure > > there's a simple solution, but I haven't been able to figure it out yet.. > > > > I have an agent machine sending log msgs to a server machine via ossec's > > 'secure' connection. Ossec reports alerts based on those (working > great). > > > > The agent machine also remote-syslog's those messages to the server, > which > > are received by syslogd and saved in /var/log/*.log on the server > (because I > > want them saved for posterity). 
So now I get duplicate versions of every > > log-based alert, which is expected, since the log msgs come across the > > secure connection, and they also show up in the local log files, which > ossec > > is also inspecting. > > > > But I don't want duplicate alerts. How can I tell ossec to not consider > all > > log messages in the local log files that come from the agent, ie, that > have > > agent_hostname as hostname? I've made various attempts to add elements > to > > local_rules.xml, but no luck so far. > > > > -Eric > > > > >
[ossec-list] how to disregard all local log file messages with a certain hostname?
I've been trying and searching the manual and the forums, and I'm sure there's a simple solution, but I haven't been able to figure it out yet.. I have an agent machine sending log msgs to a server machine via ossec's 'secure' connection. Ossec reports alerts based on those (working great). The agent machine also remote-syslog's those messages to the server, which are received by syslogd and saved in /var/log/*.log on the server (because I want them saved for posterity). So now I get duplicate versions of every log-based alert, which is expected, since the log msgs come across the secure connection, and they also show up in the local log files, which ossec is also inspecting. But I don't want duplicate alerts. How can I tell ossec to not consider all log messages in the local log files that come from the agent, ie, that have agent_hostname as hostname? I've made various attempts to add elements to local_rules.xml, but no luck so far. -Eric
[ossec-list] Re: Agent Error in ossec-remoted
Mine has gotten worse! The following appears in the ossec.log: 2008/09/29 09:43:02 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'. 2008/09/29 09:52:42 ossec-remoted(1403): Incorrectly formated message from '192.168.0.150'. 2008/09/29 09:56:47 ossec-remoted(1403): Incorrectly formated message from '192.168.0.200'. Hoping an upgrade of the agent to v1.6 will resolve this and the original issue as described below. Thanks, Eric -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of binc Sent: Friday, September 26, 2008 9:48 AM To: ossec-list Subject: [ossec-list] Re: Agent Error in ossec-remoted Hi, same problem here after upgrading the "ossec server" to version 1.6. I've the problem with agent v1.4 or v1.6 ! On the console it seem all work fine... and I receive notification from the client... regards nick On Sep 23, 4:17 pm, [EMAIL PROTECTED] wrote: > Not sure what caused this issue. I have two agents running v1.4 and > both were operational and stable. > > On the 19th of Sept, one sensor started the following error: > 2008/09/23 08:43:51 ossec-remoted:Invalidmessagefrom > '192.168.0.150' (strchr \n) > > The ossec-wui is showing the agent last keep alive as current. No > recent events were provided though. > > Any thoughts? > > Was going to upgrade the agents this week to v1.6, might be a good day > to try it.
[ossec-list] Alert level 12
Hi, I got the below message from one of our servers:

OSSEC HIDS Notification.
2007 Sep 12 16:24:25

Received From: birdy->/var/log/secure
Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or version gathering)."
Portion of the log(s):

Sep 12 16:24:24 raven sshd[647]: Bad protocol version identification '\377\364\377\375\006' from UNKNOWN

I see that it is a possible scan. Is that something I should be worried about? I haven't got a Level 12 alert before. Please advise.

Regards,
Eric
[ossec-list] SSH, BigBrother, and IPv6 addresses
I'm new at OSSEC and am currently evaluating it for use on my network. I am continually getting emails (ips and names purposefully munged):

==
OSSEC HIDS Notification.
2006 Oct 11 14:40:34

Received From: (client1) 1.1.1.2->/var/log/secure
Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or version gathering)"
Portion of the log(s):

sshd[3822]: Bad protocol version identification 'Big-Brother-Monitor-1.9e' from :::1.1.1.1
==

Note that the IP is in IPv6 format. I put in:

==
5701 1.1.1.1 Ignore BigBrother ssh connections
==

Into my local rules. I still get the email. If I change the IP to the IPv6 address, OSSEC won't restart because the IP is in the wrong format. Can anyone tell me how to stop OSSEC from telling me that BigBrother is just doing its job?

Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
Given a problem to solve or an intriguing thread to follow from moment to moment, that sort of geek will focus so sharply that they forget to eat when hungry. - Feen, Benjy: Origins of Sysadmins http://www.monkeybagel.com/sysadmin.html
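Both the Big Brother message above and the /dev/shm/pulse-shm hidden-file thread earlier in this archive are the same problem: a stock rule fires on something known and benign, and the fix is a level-0 child rule that matches the specific text. Here is an added example covering both, not from either poster: for the ssh case it keys on the banner string instead of the source address, which sidesteps the IPv6-looking address that <srcip> will not accept; for the rootcheck case it matches the path pattern inside rule 510's message. Rule ids are assumptions.

```xml
<!-- Added example, not from either post. Put in local_rules.xml on the
     server; rule ids are assumed. -->
<group name="local,">

  <!-- Big Brother probes the ssh banner and rule 5701 (level 12) fires. The
       address in the log is in a form <srcip> rejects, so match on the
       banner text instead; the match is against the log line, not a field. -->
  <rule id="105701" level="0">
    <if_sid>5701</if_sid>
    <match>Big-Brother-Monitor</match>
    <description>Ignore Big Brother monitor probes of the ssh banner.</description>
  </rule>

  <!-- Rootcheck rule 510 reports PulseAudio segments in /dev/shm as possible
       hidden files. Use <regex> (OSSEC dialect: \d+ is a digit run, "."
       is a literal dot) so only the pulse-shm-<number> names are dropped
       and any other unexpected file under /dev still alerts. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <regex>File '/dev/shm/pulse-shm-\d+' present on /dev</regex>
    <description>Ignore PulseAudio shared-memory segments flagged as hidden files.</description>
  </rule>

</group>
```

Keep both matches as narrow as the text allows: an override on 5701 that matched any banner error would also hide the real version-probing the rule exists for, and an override on 510 that matched /dev/shm alone would hide exactly the place an intruder would stash a file. Verify each with /var/ossec/bin/ossec-logtest, which should report the new rule id at level 0 for the benign line and the original rule for anything else.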