Re: [ossec-list] Mass Deployment

2011-03-18 Thread Frank Stefan Sundberg Solli
Hi. Maybe puppet (http://www.puppetlabs.com) is worth taking a look at?

On Fri, Mar 18, 2011 at 4:09 PM, ash kumar  wrote:

> I am looking to do a mass deployment of OSSEC agents to windows
> workstations. I do not want to invest in an IBM product (BigFix) to do this.
> Is there are clean way to achieve this in an automated way? I am not opposed
> to creating a single key for a sub-net to ease the pain.
>
> Thanks in advance
>
> Ash
>



-- 
MVH/With regards

Frank


[ossec-list] Re: Active Response ban on multiple http requests

2011-05-07 Thread Frank Stefan Sundberg Solli
Hi.

Yes, you can do a ban on the "multiple 400 errors from same source IP".

Take this example:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5720, 11210</rules_id>
  <timeout>600</timeout>
</active-response>




Re: [ossec-list] Detecting new files, and running a custom shared/rootkit.txt check against them

2011-05-07 Thread Frank Stefan Sundberg Solli
Hi Michael, thanks for replying.

Normally (I think?) rootcheck only checks specified files, while I want it
to check a custom directory recursively and check for signatures that I've
written, and do it live.


Re: [ossec-list] Agent.conf not getting copied over/inconsistent

2011-05-09 Thread Frank Stefan Sundberg Solli
On 05/09/2011 07:01 PM, jplee3 wrote:
> Hey guys,
>
> What's the best way to troubleshoot issues with the agent.conf? I've
> enabled debugging but this doesn't seem to help. I'm trying to figure
> out why my agent.conf isn't consistently getting pushed out to my
> agents. I forced this on one agent and it seemed to take. Then I
> changed the agent.conf again and have been trying to force the push
> again by repeatedly stopping/starting or restarting the agent on the
> server first then on the machine with the OSSEC agent, but the conf
> doesn't seem to get pushed at all.
>
> Any ideas?
Hi.

This usually takes a while, did you restart the agents after you
restarted the server?

-- 
MVH/With regards

Frank
--
Name:   Frank Stefan Sundberg Solli
E-mail: frankste...@gmail.com
GPG:684119F4



Re: [ossec-list] ossec.conf propagation to clients

2011-06-06 Thread Frank Stefan Sundberg Solli
Hi.

The file can be found in shared/agent.conf

On Mon, Jun 6, 2011 at 3:42 AM, treydock  wrote:

> What settings from the OSSEC server's etc/ossec.conf file are used
> on the clients?  For example I've defined rules and active responses
> on my server, and they are working fine, but what about <localfile>
> items?  Is there a way to centrally define what local files an agent
> should be checking, or would this be the case where something like
> Puppet comes into play?  I have this on my server, and it works, but
> just realized I probably need to push this to my clients,
>
>
>  <localfile>
>    <log_format>syslog</log_format>
>    <location>/var/ossec/logs/active-responses.log</location>
>  </localfile>
>
> Thanks
> - Trey






Re: [ossec-list] ossec.conf propagation to clients

2011-06-06 Thread Frank Stefan Sundberg Solli
You should put all the config in shared/agent.conf; your ossec.conf on the
sensors/agents should be as minimal as <client><server-ip>xx..xxx.x</server-ip></client>

On Mon, Jun 6, 2011 at 2:50 PM, Christopher Moraes wrote:

> Hi Frank,
>
> If I create an agent.conf file on the server, will it overwrite the
> settings of the agent's local ossec.conf or are the two configs merged in
> some way?
>




Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Frank Stefan Sundberg Solli
Hi.

This amount of checksum changes has never happened to me, on any of my
CPanel or Debian/Ubuntu/FreeBSD servers. What kind of distribution do you
run? Maybe you/the system auto-updated itself to a new version.

On Wed, Aug 3, 2011 at 2:11 PM, Chris Phillips wrote:

> Hi All,
>
> Recently, I received about 400+ "Alert Level 7" notifications, for a single
> server, all related to "Integrity checksum changed" events.
>
> I am really worried about this, but I can see no reason why it has
> happened.
>
> The situation has not re-occurred and has not happened on any of the other
> servers we have OSSEC installed on.
>
> Can anyone please explain what could cause this?  I am hoping it's some
> sort of obscure but OK OSSEC anomaly!
>
> Cheers,
> --
> ChrisP (slightly panicky)
>
>
> -Original Message-
> From: OSSEC HIDS
> Sent: 28 July 2011 08:46
> To: Chris Phillips
> Subject: OSSEC Notification (myserver) - Alert level 7
>
> OSSEC HIDS Notification.
> 2011 Jul 28 08:46:23
>
> Received From: (myserver) >syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/sbin/debugfs'
> Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
> New md5sum is : 'c4c01019d7806734e857996adc63cf17'
> Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
> New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
>
>  --END OF NOTIFICATION
>




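A triage helper for a flood of rule 550 notifications like the one quoted above, added here as an example (not OSSEC's own code): it parses the notification text, groups alerts into bursts by time, and counts changed files per directory, so one syscheck run that touched many package-managed files can be told apart from an isolated change. The sample input is constructed from the quoted notification plus two made-up entries with all-zero hashes.

```python
"""Parse OSSEC syscheck (rule 550) e-mail notifications and group them into
bursts. Hundreds of alerts inside one syscheck run, spread over package-managed
directories, usually point at a package upgrade; a lone change outside any
burst is the one to look at first. Added example, not OSSEC's own code."""
import posixpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the first notification is the one quoted in the
# thread (blank lines dropped); the other two are made up (all-zero hashes)
# to show a burst and an isolated change.
SAMPLE_NOTIFICATIONS = """\
OSSEC HIDS Notification.
2011 Jul 28 08:46:23
Received From: (myserver) >syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: '/sbin/debugfs'
Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
New md5sum is : 'c4c01019d7806734e857996adc63cf17'
Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
 --END OF NOTIFICATION

OSSEC HIDS Notification.
2011 Jul 28 08:46:24
Received From: (myserver) >syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: '/sbin/e2fsck'
Old md5sum was: '00000000000000000000000000000001'
New md5sum is : '00000000000000000000000000000002'
Old sha1sum was: '0000000000000000000000000000000000000001'
New sha1sum is : '0000000000000000000000000000000000000002'
 --END OF NOTIFICATION

OSSEC HIDS Notification.
2011 Jul 28 09:10:02
Received From: (myserver) >syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: '/etc/ssh/sshd_config'
Old md5sum was: '00000000000000000000000000000003'
New md5sum is : '00000000000000000000000000000004'
Old sha1sum was: '0000000000000000000000000000000000000003'
New sha1sum is : '0000000000000000000000000000000000000004'
 --END OF NOTIFICATION
"""

# One match per notification, fields in the order OSSEC prints them.
NOTIFICATION_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})[ \t]*\n"
    r".*?Received From: \((?P<agent>[^)]+)\)"
    r".*?Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\)"
    r".*?Integrity checksum changed for: '(?P<path>[^']+)'"
    r"\s*Old md5sum was: '(?P<old_md5>[0-9a-f]{32})'"
    r"\s*New md5sum is : '(?P<new_md5>[0-9a-f]{32})'"
    r"\s*Old sha1sum was: '(?P<old_sha1>[0-9a-f]{40})'"
    r"\s*New sha1sum is : '(?P<new_sha1>[0-9a-f]{40})'",
    re.MULTILINE | re.DOTALL,
)


def parse_notifications(text):
    """Return one dict per syscheck notification found in text, in file order."""
    changes = []
    for m in NOTIFICATION_RE.finditer(text):
        c = m.groupdict()
        c["time"] = datetime.strptime(c.pop("ts"), "%Y %b %d %H:%M:%S")
        c["rule"] = int(c["rule"])
        c["level"] = int(c["level"])
        c["directory"] = posixpath.dirname(c["path"]) or "/"
        changes.append(c)
    return changes


def group_bursts(changes, gap_seconds=300):
    """Split alerts into bursts: alerts (sorted by time) closer together than
    gap_seconds are treated as one syscheck run."""
    bursts = []
    for c in sorted(changes, key=lambda x: x["time"]):
        if bursts and (c["time"] - bursts[-1][-1]["time"]).total_seconds() <= gap_seconds:
            bursts[-1].append(c)
        else:
            bursts.append([c])
    return bursts


def summarize_burst(burst):
    """Start time, alert count and changed files per directory for one burst."""
    return {
        "start": burst[0]["time"].isoformat(),
        "count": len(burst),
        "directories": dict(Counter(c["directory"] for c in burst)),
    }
```

The burst summary only narrows the question; whether a changed binary matches what the package manager installed still has to be confirmed on the host (for example with the distribution's package verification tool).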

Re: [ossec-list] Detecting the Apache Range Header DoS Attack

2011-09-07 Thread Frank Stefan Sundberg Solli
That's local_rules.

On Wed, Sep 7, 2011 at 9:40 AM, Mike Disley  wrote:

> Excellent write up.  Would you put this rule in the local_rules or
> web_rules file?
>
> Cheers,
> Mike
>
>
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of Michael Starks
> Sent: Sunday, August 28, 2011 12:42 PM
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] Detecting the Apache Range Header DoS Attack
>
>
> http://www.immutablesecurity.com/index.php/2011/08/28/detecting-the-apache-range-header-dos-attack-with-ossec/
>
> Testing of the rules and feedback appreciated.
>





Re: [ossec-list] can i make ossec report if new file to add my system

2011-09-10 Thread Frank Stefan Sundberg Solli
New files will first be added/detected after a syscheck is run.

On Fri, Sep 9, 2011 at 8:16 AM, khang0001  wrote:

> I want to make ossec report to my email if a new file is added to my system
> in the folder where I turned on real-time monitoring in syscheck.
> My ossec can identify files being deleted and files being modified, but can't
> identify new files uploaded to my system.






Re: [ossec-list] application/binary is installed

2012-03-03 Thread Frank Stefan Sundberg Solli
Hi.

You can tweak the CIS check to check if a specific file exists and alert on
that.
You can also write a rule that parses dpkg.log/yum.log to see if the package
is being installed.

On Sat, Mar 3, 2012 at 10:36 AM, Monika Singh wrote:

> Hi.
>
> I am new to ossec.
>
> I have ossec server – agent setup
>
> Is it possible to check if an application/binary is installed on any of
> the agent (*nix) by ossec?
>
> Regards,
>
> Monika
>




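As an added example of the dpkg.log/yum.log parsing suggested in the reply above (written here in Python rather than as an OSSEC decoder/rule, and not OSSEC's code), this scans constructed sample lines in both log formats and reports installs of packages on a watch list; the package names and versions in the samples are made up.

```python
"""Find package installations in dpkg.log (Debian/Ubuntu) and yum.log
(RHEL/CentOS) and report the ones on a watch list. Added example of the
log-parsing approach suggested above, in Python rather than as an OSSEC
decoder/rule; not OSSEC code."""
import re

# Constructed sample lines in the two log formats (not from a real host).
DPKG_LOG = """\
2012-03-03 09:12:41 startup packages configure
2012-03-03 09:12:42 status installed libc-bin 2.13-20ubuntu5
2012-03-03 10:36:07 install nmap <none> 5.21-1.1
2012-03-03 10:36:08 status unpacked nmap 5.21-1.1
2012-03-03 10:36:09 status installed nmap 5.21-1.1
2012-03-03 10:40:00 status installed tcpdump:amd64 4.2.1-1
"""
YUM_LOG = """\
Mar 03 10:36:00 Installed: nmap-2:5.51-2.el6.x86_64
Mar 03 10:37:15 Updated: openssl-1.0.0-20.el6_2.1.x86_64
Mar 03 10:38:30 Installed: john-1.7.9-1.el6.x86_64
"""
# Packages whose installation on a server should raise an alert (example list).
WATCHLIST = {"nmap", "tcpdump", "john"}

# dpkg writes several lines per package; "status installed" is the final one,
# so matching only it reports each install once. A ":arch" suffix is dropped.
DPKG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) status installed "
    r"(?P<pkg>[^:\s]+)(?::\S+)? (?P<ver>\S+)$"
)
# yum logs "Installed: name-[epoch:]version-release.arch"; the name may itself
# contain '-', so the version is the first '-'-separated field starting with a digit.
YUM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) Installed: "
    r"(?P<pkg>.+?)-(?P<ver>(?:\d+:)?\d[^-]*-[^-]+)$"
)


def parse_installs(text, pattern):
    """Return (timestamp, package, version) for each line matching pattern."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append((m["ts"], m["pkg"], m["ver"]))
    return events


def watched_installs(events, watchlist=WATCHLIST):
    """Keep only installs of packages on the watch list."""
    return [e for e in events if e[1] in watchlist]
```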

Re: [ossec-list] Problem with ossec compiled support mysql

2012-03-13 Thread Frank Stefan Sundberg Solli
Is this Ubuntu 10.10?
http://www.mail-archive.com/ossec-list@googlegroups.com/msg12795.html
Might be related if the last post doesn't solve things.


On Mon, Mar 12, 2012 at 7:24 AM, Eero Volotinen wrote:

> 2012/3/12 Roa :
> > http://pastebin.com/gyqK52QQ
> >
> > The ossec server running in  Ubuntu .
> >
> >
> >
> > *** Making os_dbd ***
> >
> > make[1]: Entering directory `/home/desarrollo/ossec-hids-2.6/src/
> > os_dbd'
> > Compiling DB support with:
> > gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\" -
> > DUSE_OPENSSL -DARGV0=\"ossec-dbd\" -DXML_VAR=\"var\" -DOSSECHIDS
> > -I/usr/include/mysql  -DBIG_JOINS=1  -fno-strict-aliasing   -
> > DUNIV_LINUX -DUNIV_LINUX -Wl,-Bsymbolic-functions -rdynamic -L/usr/lib/
> > mysql -lmysqlclient -DDBD -DUMYSQL  *.c ../config/lib_config.a ../
> > shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../
> > os_xml/os_xml.a -o ossec-dbd
> > /tmp/ccPgXRxv.o: In function `mysql_osdb_connect':
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:164: undefined
> > reference to `mysql_init'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:178: undefined
> > reference to `mysql_options'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:183: undefined
> > reference to `mysql_options'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:186: undefined
> > reference to `mysql_real_connect'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:189: undefined
> > reference to `mysql_error'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:190: undefined
> > reference to `mysql_close'
> > /tmp/ccPgXRxv.o: In function `mysql_osdb_close':
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:204: undefined
> > reference to `mysql_close'
> > /tmp/ccPgXRxv.o: In function `mysql_osdb_query_insert':
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:215: undefined
> > reference to `mysql_query'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:218: undefined
> > reference to `mysql_error'
> > /tmp/ccPgXRxv.o: In function `mysql_osdb_query_select':
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:240: undefined
> > reference to `mysql_query'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:243: undefined
> > reference to `mysql_error'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:250: undefined
> > reference to `mysql_use_result'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:254: undefined
> > reference to `mysql_error'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:261: undefined
> > reference to `mysql_fetch_row'
> > /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:268: undefined
> > reference to `mysql_free_result'
> > collect2: ld returned 1 exit status
> > make[1]: *** [default] Error 1
> > make[1]: Leaving directory `/home/desarrollo/ossec-hids-2.6/src/
> > os_dbd'
> >
> > Error Making os_dbd
> > make: *** [all] Error 1
> >
> >  Error 0x5.
> >  Building error. Unable to finish the installation.
>
> You are missing mysql-dev and libraries? package name is something
> like mysql-dev or mysql-devel on ubuntu
>
> to solve problem, try installing libraries first:
>
> sudo apt-get install mysql-dev
> sudo apt-get install mysql-devel
>
> --
> Eero
>
>





Re: [ossec-list] OSSEC WUI

2012-05-04 Thread Frank Stefan Sundberg Solli
Check the file permissions, and also your apache error.log

On Fri, May 4, 2012 at 2:50 AM, Solayris  wrote:

> Hello,
>
> I have Apache 2.2 with PHP and ossec-wui installed on CentOS system.
> ossec-wui is in /var/www/htdocs/ directory. The DocumentRoot is set
> to /var/www/htdocs and a link is created for index.php in this
> location. When I try to access index.php from a web-browser the 403
> Forbidden error comes up. "You don't have permission to access /
> index.php on this server." Is there more information on this WUI
> available other than the README file?
>
> Thank you,
>
> Solayris
>





Re: [ossec-list] Re: AnaLogi - OSSEC WUI

2012-06-28 Thread Frank Stefan Sundberg Solli
May I suggest displaying Rule names instead of Rule IDs in both the graph
and rows. Also, it would be nice to have a drop-down menu of all Rule
Names.

On Thu, Jun 28, 2012 at 5:53 PM, Brett Y  wrote:

> I don't know if the graph isn't displaying properly. It IS displaying
> however, and it doesn't look wrong. I changed the first instance of
> $tmpdate=$rowchart['res_time']; to
> $tmpdate=intval($rowchart['res_time']); and
> I am still getting the warnings in toprare.php. We are using RHEL 5.7, and
> the version of PHP that shipped with that.
>
>
> On Thursday, June 28, 2012 1:30:19 AM UTC-7, techs...@ecsc.co.uk wrote:
>>
>> Can you amend the first instance and see if it still errors please.  If
>> so I will amend the rest.  I presume this error is stopping the graphs from
>> displaying properly?
>>
>> Your error says 'expects long' but php.net documentation says date()
>> expects an integer, so just wondering if it helps in your instance.  I will
>> need to see what is causing it, might be different versions of PHP
>> expecting different types?
>>
>>
>> On Wednesday, June 27, 2012 4:43:14 PM UTC+1, Brett Y wrote:
>>>
>>> I seem to be getting the error in toprare.php as well at line 51. The
>>> line looks similar to line 127 in index_graph.php
>>>
>>> On Wednesday, June 27, 2012 1:47:09 AM UTC-7, techs...@ecsc.co.uk wrote:
>>>>
>>>> Hi Brett,
>>>>
>>>> I'm wondering if your PHP config is a little different to mine.  To
>>>> test a fix.workaround can you please amend the code at the place shown
>>>> (index_graph.php line 127)
>>>>
>>>> Change the line from:
>>>> $tmpdate=$rowchart['res_time'];
>>>>
>>>> to
>>>> $tmpdate=intval($rowchart['res_time']);
>>>>
>>>> If this works PLEASE let me know and I will amend this for the next
>>>> release.
>>>>
>>>> Many Thanks
>>>> Andy
>>>>
>>>>
>>>>
>>>>
>>>> On Tuesday, June 26, 2012 10:24:53 PM UTC+1, Brett Y wrote:
>>>>>
>>>>> I get errors in my apache log that say "date() expects parameter 2 to
>>>>> be long, string given in analogi/php/index_graph.php on line 127"
>>>>>
>>>>> On Friday, June 15, 2012 5:40:51 AM UTC-7, techs...@ecsc.co.uk wrote:
>>>>>>
>>>>>> FYI Guys,  AnaLogi v1.1 is now up.  A few small tweaks, bug fixes,
>>>>>> output to CSV and multi database support.
>>>>>>
>>>>>> Any feedback appreciated.
>>>>>>
>>>>>> Andy
>>>>>>
>>>>>




Re: [ossec-list] Simple(?) - Forensics (historical?) but live

2012-06-29 Thread Frank Stefan Sundberg Solli
Hi,

You can try to pipe the data into ossec's syslog daemon with cat and netcat.

On Fri, Jun 29, 2012 at 7:07 PM, Kat  wrote:

> Here's hoping there is a simple answer to this. I know of the technique to
> run the forensics into ossec-logtest. And that is a fabulous tool/method.
> But, I want to take a previous years data - BO - (before ossec) and run it
> through and have ossec actually process it into the appropriate log files
> (and perhaps mysql or spunk) just as if it was live data. In other words,
> process it like live data so it is logged and saved in the database/splunk.
> The reason for this is simple - to build up the past couple of years of raw
> data into a searchable/historical reference.
>
> I know ossec-logtest can be piped into anything, but before I start trying
> it, I am wondering if you could use the same method of catting the files
> but into live ossec?
>
> Off to try some tests - if I find anything, I will let you know. If anyone
> else can think of a way to do it, would love to hear.
>
> thanks
> ~k
>





Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.2

2012-08-03 Thread Frank Stefan Sundberg Solli
Thanks for the new update, where can I find the thread about the comments?

On Fri, Aug 3, 2012 at 11:27 AM, Dmitry  wrote:

> Thanks a lot.
> You are quite right. I'm a Windows user, so I was not able to extract and
> correctly copy the Analogi files.
>
>
> On Thursday, August 2, 2012 4:37:54 PM UTC+4, techs...@ecsc.co.uk wrote:
>>
>> For the bug... I *think* you have not replaced
>> ./analogi/php/index_graph.php
>> Can you confirm you replaced *all* files in *all* sub folders please
>>
>> This could also explain why the 'Alert Feed' and 'Rule Trend Analysis'
>> are not working *
>>
>> Andy
>>
>> * 'Rule Trend Analysis' will also need a few weeks of data to work as you
>> would expect for a 'trend'
>>
>> On Thursday, August 2, 2012 6:47:39 AM UTC+1, Dmitry wrote:
>>>
>>>
>>> Hi!
>>>
>>> I used AnaLogi 1.1.
>>> As far as I understood, in order to install AnaLogi 1.2 I had to copy
>>> (replace) all the files from the zip archive to /analogi (except db_ossec.php).
>>> I did so, but I have almost empty pages NewsFeed and Management.
>>> See attached files (+ 1 previous bug).
>>> Bug
>>>
>>> <https://lh6.googleusercontent.com/-duy9R9W2X9w/UBoUEVyOpuI/AAM/7yz5zOXs7TU/s1600/Index_1.png>
>>> NewsFeed
>>>
>>>
>>> <https://lh5.googleusercontent.com/-xDqWnjhXgwM/UBoUJ567CJI/AAU/pUHHZZ3kN28/s1600/NewsFeed.png>
>>> Management
>>>
>>> <https://lh3.googleusercontent.com/-EiE6GvqYis4/UBoUQo4iSWI/AAc/9lAylDsypwg/s1600/management.png>
>>>
>>>
>>> On Wednesday, August 1, 2012 2:18:20 PM UTC+4, techs...@ecsc.co.uk wrote:
>>>>
>>>> The new version is out and on GitHub !!
>>>>
>>>> https://github.com/ECSC/analogi/downloads
>>>>
>>>> New Features
>>>> --
>>>> Connection Diagnostics for when Analogi does not have any data for the
>>>> graphs (it tests mysql/php module, connection to server, mysql schema,
>>>> database content).
>>>>
>>>> Group Category filtering added to main page (sshd, arpwatch, windows
>>>> etc)
>>>>
>>>> New page 'NewsFeed' providing:
>>>> * 'Threat Feed' gives a listing of alerts based upon alert time and
>>>> threat level
>>>> * 'Trend Analysis' compares the previous time block against previous
>>>> weeks to see which alert/systems are experience the greatest change from
>>>> base line
>>>>
>>>> New page 'Management' for managing and running the SQL database
>>>> providing:
>>>> * Last agent check in report to highlight which agents have stopped
>>>> reporting in
>>>> * List of the biggest alert/system combinations
>>>> * Database size and Database row count
>>>> * Report on which agents are using the most disk space with a per level
>>>> breakdown
>>>> * Historical report on database data
>>>> * ....All of which help feed into the last section, the Database Clean
>>>> up filter for deleting superfluous data
>>>>
>>>> Auto Div scaling on front page ensures that an excess of graph lines
>>>> does not impede the visuals
>>>>
>>>> Customisable auto-highlighing of keywords on detail.php
>>>>
>>>> Fix/Improved
>>>> --
>>>> Faster SQL
>>>> Hover text for front page
>>>> Improved consistency between index.php and detail.php
>>>> Radio button selection on index.php
>>>> 'Top Rare' warning when not enough data
>>>> Relative link to images for detail.php
>>>> Hard links added to header
>>>> Lots more
>>>>
>>>>
>>>> All feedback welcome.
>>>>
>>>> (I've created a new thread to keep comments separate.)
>>>>
>>>




Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.2

2012-08-07 Thread Frank Stefan Sundberg Solli
Hi, I really like the new version. I got some suggestions that I'm posting
here:

1) In management.php, the database usage chart (client vs level): level 5 and
level 9 have the same colour (blue)
2) In detail.php it would be cool with an autoupdate feature that works on
the filters that you set
3) In RuleID it would be handy with a list of rule IDs + names(?) so that
you can navigate through the alerts

On Fri, Aug 3, 2012 at 2:00 PM, Xavier Mertens  wrote:

> I installed the new version (just replaced the existing directory) and
> worked like a charm...
>
> Good job Guys!
>
> /x
>

Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.2

2012-08-07 Thread Frank Stefan Sundberg Solli
3) What I was thinking was more of a drop-down menu of all Rule IDs; that
way you don't need to know the Rule ID for the alert you want to look for.
(This will allow people not familiar with the internals of ossec to search
for relevant log entries.)


On Tue, Aug 7, 2012 at 2:44 PM, techsupp...@ecsc.co.uk <
techsupp...@ecsc.co.uk> wrote:

> 1) Yes, the colours are generated by amcharts, I've been considering a
> custom colour set which would probably also look good here..
> 2) Oops I thought it did, good idea
> 3) Which RuleID please? I ask because on the detail.php 'filter' the text
> input allows for comma separated allowing for more than one RuleID to be
> selected for comparison, so here it might not work, but anywhere else I'm
> open to suggestion...
>
> Andy
>
>

Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.2

2012-08-08 Thread Frank Stefan Sundberg Solli
Hi, I'm posting a screenshot of what I'm thinking about: http://mcaf.ee/9ewhd

On Tue, Aug 7, 2012 at 4:36 PM, techsupp...@ecsc.co.uk <
techsupp...@ecsc.co.uk> wrote:

> Sorry, to clarify, are you referring to a specific location, or
> everywhere?
>

Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.2

2012-08-09 Thread Frank Stefan Sundberg Solli
Oh, you are correct, agree on that one :)

On Wed, Aug 8, 2012 at 4:16 PM, techsupp...@ecsc.co.uk <
techsupp...@ecsc.co.uk> wrote:

> Sorry Frank, I'm still not with you :(
>
> I believe your image shows 'categories' (defined by
> login_day) rather than Rule IDs?  Like Splunk I have a
> category/group filter on the index.php.
>
> The graph breakdown on index.php has RuleID and RuleDescription
>
> The Top10 Rule breakdown on index.php has the rule description (but not
> ID, though you can see this by hovering over a link)
>
> On detail.php if you specify a RuleID this is described, if not then
> results just have a RuleID
> * I am hesitant to have a drop down for the detail.php filtering as this
> would remove the ability to search for rule "550,551,552" etc
>
> Newsfeed Trend shows ID and Description
>
> Let me know
> Andy
>
>
>
>
> On Wednesday, August 8, 2012 8:04:01 AM UTC+1, Frank Stefan wrote:
>
>> Hi, I'm posting a screenshot of what I'm thinking about
>> http://mcaf.ee/9ewhd
>>
>> On Tue, Aug 7, 2012 at 4:36 PM, techs...@ecsc.co.uk 
>> wrote:
>>
>>> Sorry, to clarify, are you referring to a specific location, or
>>> everywhere?
>>>
>>> On Tuesday, August 7, 2012 2:15:57 PM UTC+1, Frank Stefan wrote:
>>>
 3) What I was thinking was more of a drop-down menu of all Rule IDs;
 that way you don't need to know the Rule ID for the alert you want to look
 for. (This will allow people not familiar with the internals of OSSEC to
 search for relevant log entries.)


 On Tue, Aug 7, 2012 at 2:44 PM, techs...@ecsc.co.uk <
 techs...@ecsc.co.uk> wrote:

> 1) Yes, the colours are generated by amcharts, I've been considering a
> custom colour set which would probably also look good here..
> 2) Oops I thought it did, good idea
> 3) Which RuleID please? I ask because on the detail.php 'filter' the
> text input allows comma-separated values, so more than one RuleID can
> be selected for comparison, so here it might not work, but anywhere else
> I'm open to suggestion...
>
> Andy
>
>
> On Tuesday, August 7, 2012 12:25:23 PM UTC+1, Frank Stefan wrote:
>
>> Hi, I really like the new version. I have some suggestions that I'm
>> posting here:
>>
>> 1) In management.php, in the database usage (client vs level), level 5 and
>> level 9 have the same colour (blue).
>> 2) In detail.php it would be cool to have an auto-update feature that
>> works on the filters that you set.
>> 3) In RuleID it would be handy to have a list of rule IDs + names(?) so
>> that you can navigate through the alerts.
>>
>> On Fri, Aug 3, 2012 at 2:00 PM, Xavier Mertens wrote:
>>
>>> I installed the new version (just replaced the existing directory)
>>> and worked like a charm...
>>>
>>> Good job Guys!
>>>
>>> /x
>>>
>>>
>>> On Thu, Aug 2, 2012 at 2:37 PM, techs...@ecsc.co.uk <
>>> techs...@ecsc.co.uk> wrote:
>>>
 For the bug... I *think* you have not replaced
 ./analogi/php/index_graph.php
 Can you confirm you replaced *all* files in *all* sub folders please

 This could also explain why the 'Alert Feed' and 'Rule Trend
 Analysis' are not working *

 Andy

 * 'Rule Trend Analysis' will also need a few weeks of data to work
 as you would expect for a 'trend'



Re: [ossec-list] ossec service stops immediately after start

2012-08-20 Thread Frank Stefan Sundberg Solli
Check that your config file exists and that it is readable; also, if
it exists, paste it here.

On Mon, Aug 20, 2012 at 4:27 PM, Michael Barrett
wrote:

>
>
>
> Windows 2003
>
> Faulting application ossec-agent.exe, version 0.0.0.0, faulting module
> ossec-agent.exe, version 0.0.0.0, fault address 0x00030b6f.
>
>
>
> ossec.log
>
> 2012/08/20 09:25:30 ossec-agent(1905): INFO: No file configured to monitor.
>
> 2012/08/20 09:25:30 ossec-execd(1350): INFO: Active response disabled.
> Exiting.
>
> 2012/08/20 09:25:30 ossec-agent(1410): INFO: Reading authentication keys
> file.
>
>
> fresh install
>
>
>
> anyone have any ideas what do check?
>
> same config files works on hundreds of other systems
>
>
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation <http://www.mgic.com/>
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | michael_barr...@mgic.com
>
>



-- 
MVH/With regards

Frank
--
Name: Frank Stefan Sundberg Solli
E-mail: frankste...@gmail.com
Web:http://0x41.me
GPG:684119F4


Re: [ossec-list] Can't Overwrite Rule 554

2012-08-27 Thread Frank Stefan Sundberg Solli
You need to add it to local_rules.xml

On Mon, Aug 27, 2012 at 5:15 AM, JJ Yu  wrote:

> I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~
> as:
>   
>
> ossec
>
> syscheck_new_entry
>
> File added to the system.
>
> syscheck,
>
>   
>
>
>  
>
> ossec
>
> syscheck_new_entry
>
> ^keylog.exe^
>
> File added to the system.(Intrusion)
>
> syscheck,
>
>   
>



-- 
MVH/With regards

Frank
--
Name: Frank Stefan Sundberg Solli
E-mail: frankste...@gmail.com
Web:http://0x41.me
GPG:684119F4
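As an added example (not something posted in this thread), this is what Frank's advice looks like in /var/ossec/rules/local_rules.xml. Rules in ossec_rules.xml are replaced by the installer on every upgrade and local_rules.xml is loaded after it, so customisations belong there. The first rule hooks onto the stock rule 554 with <if_sid> and only adds the extra condition, so the keylog.exe case gets its own ID and level; the second shows the other route, changing 554 itself, which only works with overwrite="yes" (a second plain rule with id 554 is rejected as a duplicate). The rule ID 100554 and both level values are assumptions; local rule IDs have to sit in the 100000-119999 range.

```xml
<!-- /var/ossec/rules/local_rules.xml: added example, not the list's own content.
     A child rule inherits the parent's match through <if_sid>, so the
     <category>/<decoded_as> lines of 554 are not repeated here. -->
<group name="local,syscheck,">

  <!-- Raise the new-file alert when the added path contains keylog.exe.
       <match> is a plain substring test against the syscheck message
       ("New file '...' added to the file system.").
       ID 100554 and level 12 are assumed values. -->
  <rule id="100554" level="12">
    <if_sid>554</if_sid>
    <match>keylog.exe</match>
    <description>File added to the system (possible keylogger).</description>
    <group>syscheck,</group>
  </rule>

  <!-- Alternative: change the stock rule's level instead of adding a child.
       overwrite="yes" is mandatory; level 7 is an assumed value. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

</group>
```

Two caveats a practitioner will hit: rule 554 ships at level 0 and new-file events are only generated when the server's syscheck section has <alert_new_files>yes</alert_new_files>, otherwise neither rule above ever fires; and after editing, restart the server (/var/ossec/bin/ossec-control restart) and check /var/ossec/logs/ossec.log, since an XML mistake in local_rules.xml stops ossec-analysisd from starting rather than silently ignoring the rule.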