[ossec-list] Re: ossec run away cat and tr process
We are running RHEL and CentOS 6.6. mktemp exists. As a temporary fix, I'm adjusting the line using epoch time as follows, in /var/ossec/active-response/bin/host-deny.sh:

    TMP_FILE=/var/ossec/ossec-hosts.`date +%s`

The system is using tr, cat, mktemp version (GNU coreutils) 8.4. Any ideas would be greatly appreciated.

Thanks,
Gil Vidals

On Tuesday, January 20, 2015 at 3:47:28 PM UTC-8, Gil Vidals wrote:

We're running ossec 2.8 and are finding instances where cat and tr are consuming a lot of CPU. The cat and tr processes have to be killed with the kill command since restarting ossec doesn't kill them. How can the runaway cat and tr processes be prevented? I found the portion of the ossec code that calls cat and tr:

    elif [ x${ACTION} = xdelete ]; then
        lock;
        TMP_FILE=`mktemp /var/ossec/ossec-hosts.XX`
        if [ X${TMP_FILE} = X ]; then
            # Cheap fake tmpfile, but should be harder than no random data
            TMP_FILE=/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1`
        fi
        if [ X$UNAME = XFreeBSD ]; then
            cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$" > ${TMP_FILE}
            mv ${TMP_FILE} /etc/hosts.allow
        else
            cat /etc/hosts.deny | grep -v "ALL:${IP}$" > ${TMP_FILE}
            cat ${TMP_FILE} > /etc/hosts.deny
            rm ${TMP_FILE}
        fi
        unlock;
        exit 0;

Thanks in advance for any help you can provide in resolving this issue.

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
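As an added example (not OSSEC's host-deny.sh and not code from anyone in this thread), here is the "delete" step written so that the fallback temp-file name cannot leave a pipeline behind: od reads a fixed 16 bytes from /dev/urandom and exits on its own, so nothing upstream is left blocked on a pipe the way an open-ended `cat /dev/urandom | tr ...` can be, and the fallback file is created with noclobber so an existing path is refused rather than reused. It assumes a hosts.deny-style file with one `ALL:<ip>` entry per line (the Linux branch of the script) and a writable directory beside it. Note that GNU mktemp rejects a template with fewer than three X's, so the template here carries ten; the `XX` in the posted snippet may be an artifact of how the list rendered it.

```shell
#!/bin/sh
# Added example, not OSSEC's host-deny.sh. Removes one IP's "ALL:<ip>" entry
# from a hosts.deny-style file via a temp file whose fallback name generator
# always terminates.

# 32 hex characters from exactly 16 bytes of /dev/urandom. od exits after
# -N16 bytes, so there is no open-ended "cat /dev/urandom | tr ..." pipeline
# that keeps running if the reader goes away.
random_suffix() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Create a temp file in directory $1. Prefer mktemp (GNU mktemp needs at
# least three X's); if it is missing or fails, build a name from
# random_suffix and create it with noclobber so an existing path is refused.
make_tmp() {
    dir=$1
    tmp=$(mktemp "${dir}/ossec-hosts.XXXXXXXXXX" 2>/dev/null) || tmp=""
    if [ -z "$tmp" ]; then
        tmp="${dir}/ossec-hosts.$(random_suffix)"
        (umask 077; set -C; : > "$tmp") 2>/dev/null || return 1
    fi
    printf '%s\n' "$tmp"
}

# Drop every "ALL:<ip>" line for IP $2 from file $1 (the Linux branch of the
# original script). Dots in the IP are escaped so 1.2.3.4 cannot match
# 1.2.3x4. grep -v exiting 1 (nothing left in the file) is not an error.
remove_deny_entry() {
    deny=$1
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    tmp=$(make_tmp "$(dirname "$deny")") || return 1
    grep -v "^ALL:${ip_re}\$" "$deny" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$deny" && rm -f "$tmp"
}

# Number of "ALL:<ip>" lines still present for IP $2 in file $1.
count_deny() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c "^ALL:${ip_re}\$" "$1" || true
}
```

Usage: `remove_deny_entry /etc/hosts.deny 203.0.113.9` after taking the script's lock, then `count_deny /etc/hosts.deny 203.0.113.9` should print 0. The `cat "$tmp" > "$deny"` keeps the original file's inode and permissions, which is why the original script does the same rather than `mv`.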
[ossec-list] Re: rule based geoip block
Thanks Daniel for incorporating the patch for geoip. Xme, roughly when would you think the geoip features will be made available in a stable release?

Gil Vidals

On Tuesday, May 26, 2015 at 2:53:56 PM UTC-7, Gil Vidals wrote:

Since OSSEC has support for incorporating geoip, is there a way to include rules that are based on country code? I couldn't find any instructions in the manual for doing so. There are some custom rules I wrote that would be enhanced and triggered only for certain countries. I understand that the geoip library has to be enabled; however, I couldn't find whether rules can be written based on country or city codes that geoip would return.

    <ossec_config>
      <global>
        <!-- to specify GeoIP database file location -->
        <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
        <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
      </global>
      <alerts>
        <!-- to add GeoIP info in alerts -->
        <use_geoip>yes</use_geoip>
      </alerts>
    </ossec_config>

Gil Vidals
Re: [ossec-list] rule based geoip block
What language is the source code? C? If we decide to contribute to the source code, it would be to add new tags: srccountry, srccity and dstcountry, dstcity.

*srccountry:* Any country decoded as srccountry. Use "!" to negate it.

*example: (any country outside the US)*

    <srccountry>!US</srccountry>

On Wednesday, May 27, 2015 at 5:19:38 AM UTC-7, Xme wrote:

Hi Gil,

When I wrote this patch for OSSEC a long time ago (it was later integrated into the main branch), my goal was not to create geolocalized alerts. IMHO, to add this feature, it requires a lot of patching because you need to define a new keyword to be used in alerts like srcip, user, data, etc... But indeed, it could be a nice feature! Feel free to contribute to the source code! :-)

/x

On Tue, May 26, 2015 at 11:53 PM, Gil Vidals gvi...@eticainc.com wrote:

Since OSSEC has support for incorporating geoip, is there a way to include rules that are based on country code? I couldn't find any instructions in the manual for doing so. There are some custom rules I wrote that would be enhanced and triggered only for certain countries. I understand that the geoip library has to be enabled; however, I couldn't find whether rules can be written based on country or city codes that geoip would return.

    <ossec_config>
      <global>
        <!-- to specify GeoIP database file location -->
        <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
        <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
      </global>
      <alerts>
        <!-- to add GeoIP info in alerts -->
        <use_geoip>yes</use_geoip>
      </alerts>
    </ossec_config>

Gil Vidals
[ossec-list] rule based geoip block
Since OSSEC has support for incorporating geoip, is there a way to include rules that are based on country code? I couldn't find any instructions in the manual for doing so. There are some custom rules I wrote that would be enhanced and triggered only for certain countries. I understand that the geoip library has to be enabled; however, I couldn't find whether rules can be written based on country or city codes that geoip would return.

    <ossec_config>
      <global>
        <!-- to specify GeoIP database file location -->
        <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
        <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
      </global>
      <alerts>
        <!-- to add GeoIP info in alerts -->
        <use_geoip>yes</use_geoip>
      </alerts>
    </ossec_config>

Gil Vidals
[ossec-list] Re: ossec run away cat and tr process
Thanks for the quick reply. I do see that mktemp exists and that the temp files have been created successfully on more than one occasion, as you can see below. What other reason could there be for cat and tr running astray and consuming lots of CPU? (cat and tr will run for hours unless killed manually.)

    # which mktemp
    /bin/mktemp
    # ls -l /var/ossec/ossec-hosts.*
    -rw------- 1 root ossec 0 Jan  2 01:15 /var/ossec/ossec-hosts.7aypDtwpES
    -rw------- 1 root ossec 0 Dec  3 00:31 /var/ossec/ossec-hosts.IeJGMBWseD
    -rw------- 1 root ossec 0 Nov  2 01:58 /var/ossec/ossec-hosts.IxQvPzkSbn
    -rw------- 1 root ossec 0 Dec 10 23:31 /var/ossec/ossec-hosts.QV2a7VwilS
    -rw------- 1 root ossec 0 Nov 10 23:32 /var/ossec/ossec-hosts.Rr0j0L3RTV
    -rw------- 1 root ossec 0 Jan 17 02:23 /var/ossec/ossec-hosts.SKfz9m2LPG
    -rw------- 1 root ossec 0 Jan 17 02:39 /var/ossec/ossec-hosts.SrSTWhUNH1

On Tuesday, January 20, 2015 at 3:47:28 PM UTC-8, Gil Vidals wrote:

We're running ossec 2.8 and are finding instances where cat and tr are consuming a lot of CPU. The cat and tr processes have to be killed with the kill command since restarting ossec doesn't kill them. How can the runaway cat and tr processes be prevented? I found the portion of the ossec code that calls cat and tr:

    elif [ x${ACTION} = xdelete ]; then
        lock;
        TMP_FILE=`mktemp /var/ossec/ossec-hosts.XX`
        if [ X${TMP_FILE} = X ]; then
            # Cheap fake tmpfile, but should be harder than no random data
            TMP_FILE=/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1`
        fi
        if [ X$UNAME = XFreeBSD ]; then
            cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$" > ${TMP_FILE}
            mv ${TMP_FILE} /etc/hosts.allow
        else
            cat /etc/hosts.deny | grep -v "ALL:${IP}$" > ${TMP_FILE}
            cat ${TMP_FILE} > /etc/hosts.deny
            rm ${TMP_FILE}
        fi
        unlock;
        exit 0;

Thanks in advance for any help you can provide in resolving this issue.
[ossec-list] ossec run away cat and tr process
We're running ossec 2.8 and are finding instances where cat and tr are consuming a lot of CPU. The cat and tr processes have to be killed with the kill command since restarting ossec doesn't kill them. How can the runaway cat and tr processes be prevented? I found the portion of the ossec code that calls cat and tr:

    elif [ x${ACTION} = xdelete ]; then
        lock;
        TMP_FILE=`mktemp /var/ossec/ossec-hosts.XX`
        if [ X${TMP_FILE} = X ]; then
            # Cheap fake tmpfile, but should be harder than no random data
            TMP_FILE=/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1`
        fi
        if [ X$UNAME = XFreeBSD ]; then
            cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$" > ${TMP_FILE}
            mv ${TMP_FILE} /etc/hosts.allow
        else
            cat /etc/hosts.deny | grep -v "ALL:${IP}$" > ${TMP_FILE}
            cat ${TMP_FILE} > /etc/hosts.deny
            rm ${TMP_FILE}
        fi
        unlock;
        exit 0;

Thanks in advance for any help you can provide in resolving this issue.
[ossec-list] clearing ossec db
How can I clear the ossec db for the active responses? I'm not using mysql for ossec. I have installed whatever the default db is. I don't need to clear the sys checks; instead I want to clear the active responses. Is there a way to do this?

-- 
Gil Vidals

CONFIDENTIALITY NOTICE: The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, please contact the sender by reply email and permanently delete the original message.
Re: [ossec-list] clearing ossec db
Dan,

Can you tell me specifically what file to clear AND will this resolve the following condition:

1) active response drops an IP as planned
2) sysadmin restarts the firewall (which clears all the IP drop rules)
3) ossec believes the drop is still in place, but it isn't!

Gil Vidals

On Tue, Aug 21, 2012 at 10:50 AM, dan (ddp) ddp...@gmail.com wrote:

On Tue, Aug 21, 2012 at 1:37 PM, Gil Vidals gvid...@gmail.com wrote:

How can I clear the ossec db for the active responses? I'm not using mysql for ossec. I have installed whatever the default db is. I don't need to clear the sys checks; instead I want to clear the active responses. Is there a way to do this?

-- 
Gil Vidals

By default OSSEC only logs to text files. I guess you could stop the OSSEC processes, clear the file, and start OSSEC back up.

-- 
Gil Vidals
Re: [ossec-list] clearing ossec db
Dan,

We have active response set to 1 hr, 1 day, 1 week, so assuming the IP is being blocked for one week and the iptables is reset in the middle of the week by the sysadmin, then the IP we thought was being blocked is actually not being blocked. Here is a clearer explanation:

    Monday  - block for IP 1.1.1.1 starts for one week
    Tuesday - sysadmin clears iptables (no more block for 1.1.1.1)
    ...     - sysadmin has to wait until next Monday before OSSEC will start blocking the desired IP again
    Monday  - ossec clears block for 1.1.1.1

Gil Vidals

On Tue, Aug 21, 2012 at 12:00 PM, dan (ddp) ddp...@gmail.com wrote:

On Tue, Aug 21, 2012 at 2:50 PM, Gil Vidals gvid...@gmail.com wrote:

Dan,

Can you tell me specifically what file to clear AND will this resolve the following condition:

1) active response drops an IP as planned
2) sysadmin restarts the firewall (which clears all the IP drop rules)
3) ossec believes the drop is still in place, but it isn't!

Gil Vidals

I don't understand the problem in the above scenario. What are you trying to achieve specifically? Are you worried that the admin removed the block and OSSEC won't re-block it until after it's removed the block? Don't remove the block on the host. Or save the OSSEC blocked hosts and reload them when the firewall is reloaded. I don't know where that info is kept on the OSSEC server, possibly just in memory.

On Tue, Aug 21, 2012 at 10:50 AM, dan (ddp) ddp...@gmail.com wrote:

On Tue, Aug 21, 2012 at 1:37 PM, Gil Vidals gvid...@gmail.com wrote:

How can I clear the ossec db for the active responses? I'm not using mysql for ossec. I have installed whatever the default db is. I don't need to clear the sys checks; instead I want to clear the active responses. Is there a way to do this?

-- 
Gil Vidals

By default OSSEC only logs to text files. I guess you could stop the OSSEC processes, clear the file, and start OSSEC back up.

-- 
Gil Vidals

-- 
Gil Vidals
Re: [ossec-list] proftpd frequency response not triggered
Dan,

You were right. The source ip field wasn't being decoded properly for my version of proftpd, so I updated the decoder.xml as follows:

    <decoder name="proftpd-ip">
      <parent>proftpd</parent>
      <!-- <regex>^\S+ \(\S+[(\S+)]\)</regex> -->
      <regex>\(\S+[(\S+)]\)</regex>
      <order>srcip</order>
    </decoder>

Now all is good and the srcip is set.

    Aug 18 11:22:55 207.158.10.18 proftpd[12112]: (24.249.207.4[24.249.207.4]) INFO: Login incorrect.

    **Phase 1: Completed pre-decoding.
    full event: 'Aug 18 11:22:55 207.158.10.18 proftpd[12112]: (24.249.207.4[24.249.207.4]) INFO: Login incorrect.'
    hostname: '207.158.10.18'
    program_name: 'proftpd'
    log: '(24.249.207.4[24.249.207.4]) INFO: Login incorrect.'

    **Phase 2: Completed decoding.
    decoder: 'proftpd'
    srcip: '24.249.207.4'   <= THIS WAS MISSING BEFORE.

Gil Vidals / VM Racks

On Wed, Aug 15, 2012 at 6:27 AM, dan (ddp) ddp...@gmail.com wrote:

On Sat, Aug 11, 2012 at 3:22 AM, Gil Vidals gvid...@gmail.com wrote:

I need help in understanding why the frequency rule in proftpd_rules.xml isn't triggering. I ran the following log line through ossec-logtest more than 15 times and yet active response isn't triggered:

    Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)

OSSEC SERVER RULE:

    <!-- <rule id="11204" level="5"> -->
    <rule id="11204" level="8">
      <if_sid>11200</if_sid>
      <match>Incorrect password.$|Login failed|Login incorrect</match>
      <description>Login failed accessing the FTP server</description>
      <group>authentication_failed,</group>
    </rule>

    <rule id="11251" level="10" frequency="6" timeframe="120">
      <if_matched_sid>11204</if_matched_sid>
      <same_source_ip />
      <description>FTP brute force (multiple failed logins).</description>
      <group>authentication_failures,</group>
    </rule>

    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
      <location>local</location>
      <!-- increased from 6 on 20120725 -->
      <level>8</level>
      <timeout>600</timeout>
    </active-response>

    **Phase 1: Completed pre-decoding.
    full event: 'Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)'
    hostname: '184.5.70.39'
    program_name: 'proftpd'
    log: 'INFO: Login incorrect. PASS (hidden)'

    **Phase 2: Completed decoding.
    decoder: 'proftpd'

Your active response probably expects a srcip.

    **Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
    *Rule 1 matched.
    *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 7200 - Grouping of the arpwatch rules.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 13106 - (null)
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11200 - Grouping for the proftpd rules.
    *Rule 11200 matched.
    *Trying child rules.
    Trying rule: 11202 - FTP session closed.
    Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
    Trying rule: 11209 - Attempt to bypass firewall that can't adequately keep state of FTP traffic.
    Trying rule: 11218 - FTP process crashed.
    Trying rule: 11219 - FTP server Buffer overflow attempt.
    Trying rule: 11210 - Multiple failed login attempts.
    Trying rule: 11204 - Login failed accessing the FTP server
    *Rule 11204 matched.
    *Trying child rules.
    Trying rule: 11251 - FTP brute force (multiple failed logins).
    Trying rule: 40111 - Multiple authentication failures.

    **Phase 3: Completed filtering (rules).
    Rule id: '11204'
    Level: '8'
    Description: 'Login failed accessing the FTP server'
    **Alert
[ossec-list] active response not triggering; how to debug?
How can I debug why the active response is failing for a rule with level 9 when active response is set to level 8? Both the alert and ossec-logtest show the rule is triggering as expected and yet no firewall-drop.sh is triggered on the agent (remote) server.

    ** Alert 1344845403.1519353: mail  - syslog,proftpd,
    2012 Aug 13 01:10:03 (web) 10.84.168.18->/hsphere/local/var/proftpd/auth.log
    Rule: 11204 (level 9) -> 'Login failed accessing the FTP server'
    Aug 13 01:10:02 68.111.178.4 proftpd[30057] INFO: Login incorrect. PASS (hidden)

    ossec-testrule: Type one log per line.

    Aug 13 01:10:02 68.111.178.4 proftpd[30057] INFO: Login incorrect. PASS (hidden)

    **Phase 1: Completed pre-decoding.
    full event: 'Aug 13 01:10:02 68.111.178.4 proftpd[30057] INFO: Login incorrect. PASS (hidden)'
    hostname: '68.111.178.4'
    program_name: 'proftpd'
    log: 'INFO: Login incorrect. PASS (hidden)'

    **Phase 2: Completed decoding.
    decoder: 'proftpd'

    **Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
    *Rule 1 matched.
    *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 7200 - Grouping of the arpwatch rules.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 13106 - (null)
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11200 - Grouping for the proftpd rules.
    *Rule 11200 matched.
    *Trying child rules.
    Trying rule: 11202 - FTP session closed.
    Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
    Trying rule: 11209 - Attempt to bypass firewall that can't adequately keep state of FTP traffic.
    Trying rule: 11218 - FTP process crashed.
    Trying rule: 11219 - FTP server Buffer overflow attempt.
    Trying rule: 11210 - Multiple failed login attempts.
    Trying rule: 11204 - Login failed accessing the FTP server
    *Rule 11204 matched.
    *Trying child rules.
    Trying rule: 40111 - Multiple authentication failures.

    **Phase 3: Completed filtering (rules).
    Rule id: '11204'
    Level: '9'
    Description: 'Login failed accessing the FTP server'
    **Alert to be generated.

server ossec.conf:

    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
      <location>local</location>
      <level>8</level>
      <timeout>600</timeout>
    </active-response>

agent ossec.conf:

    <!-- block 1 hr, 1 day, 1 week on repeated offenses -->
    <active-response>
      <repeated_offenders>60,1440,10080</repeated_offenders>
    </active-response>

Any hints?

-- 
Gil Vidals
Re: [ossec-list] Active-Response only executing on server not agents
I've been attempting to use active-response for several months and, after reading this particular post, I'm starting to realize that active-response doesn't really work in the server/client (agent) model. In particular, user cmlara has dug pretty deep into it and may have identified the buggy lines of code. I'm willing to convert my server/client installs to stand-alone servers. Before doing so, I'd like to hear from others if the stand-alone (server) works well with active response enabled. Looking forward to hearing back as I'm eager to use active-response and all its benefits.

Gil Vidals / VM Racks Founder

On Thu, Aug 2, 2012 at 9:22 AM, cmlara ipstea...@gmail.com wrote:

AR is active in the config (shown by the command running on the server). AR is active on the client (by default in ossec.conf; you must turn it off manually) and proven by running agent_control manually from the command line.

I went ahead and started following the logic of the code. I can track the issue down to analysisd/alert/os_exec.c (using verbose();)

    os 2012/08/02 05:44:48 AR-location 4
    2012/08/02 05:44:48 CMLARA: PreForwarder Config.ar 3 REMOTE_AR 1, lf->location /var/syslog/hosts/frontend1/2012/08/02/syslog.log

    /* Active response to the forwarder */
    else if((Config.ar & REMOTE_AR) && (lf->location[0] == '('))

Bitwise on Config.ar and REMOTE_AR (3 & 1) == 0011 & 0001 = 0001 = TRUE, followed by logical AND with lf->location's first character being a '(' which is FALSE: the first character is a '/' in mine. Not exactly sure why I'm not seeing (agentid) on my messages but that seems to be the cause.

On Thursday, August 2, 2012 1:03:28 AM UTC, dan (ddpbsd) wrote:

If AR isn't working on the agents when the server AR block was removed, start investigating the agents. Is ar enabled? Is execd running? If you turn on debug (-d) are there any interesting log messages?

On Aug 1, 2012 8:59 PM, cmlara wrote:

As far as I can tell it isn't but I am far from the expert here. I know I'm not seeing packets outbound so it for sure isn't network related; must be config somewhere. Will run a few more tests on that tonight and try and trace it down. If anyone else has more info let me know.

On Wednesday, August 1, 2012 2:30:45 PM UTC-7, dan (ddpbsd) wrote:

I thought it was first come first served.

On Aug 1, 2012 5:26 PM, cmlara wrote:

Hello Dan,

It sounds like you are saying the rule is only one AR block per command name? I know the stock config has host-deny and firewall-drop as stock configs on level 6 and I see both of these triggering on the server. To test this though I went ahead and dropped the firewall-drop that goes to the server, so the only entries are the ALL followed by the AGENT id 001 firewall-drop commands. The firewall rule does not execute on the local server now nor does it activate on the agent. Doesn't sound like it's a 'one AR block per command name' limit but perhaps I misunderstood your comment about what is not handled.

On Wednesday, August 1, 2012 1:40:29 PM UTC-7, dan (ddpbsd) wrote:

On Wed, Aug 1, 2012 at 4:34 PM, cmlara wrote:

Thanks for the response dan. The configs look right to me; the problem is that per the logs the Automated Responses are NOT going across to the agent, they are only running on the server, which is not what I need. I need the firewall to block on the agents.

You didn't set it up to do that. I put some inline notes about the config below but it boils down to:

server -- according to posts I've seen, runs the command on the Management Server only
all -- runs on all agents and excludes the management server (the source code seems to back this up on quick glance) -- really should be called 'all agents'

Don't disagree, but that won't be changing.

ID 001 -- this was a fallback testing. So I have good contact to the agent (according to agent_control manual testing run from the command line by me, not by OSSEC itself). AR inside OSSEC is only executing on the local server (as configured in the first AR block) and is ignoring the 2nd and 3rd AR blocks that say to execute the responses on the agents themselves.

On Wednesday, August 1, 2012 1:07:02 PM UTC-7, dan (ddpbsd) wrote:

I don't see a problem with the config, it sounds like it's doing what you've configured it to do.

On Wed, Aug 1, 2012 at 3:56 PM, cmlara wrote:

Hello All,

I have setup a new server with OSSEC 2.6 on it running FreeBSD 9.0 64bit. I have a single agent (ID: 001) running on a Linux node (Ubuntu 12.04 LTS 32bit 3.4 kernel). I feed all my logs back via syslog to the central logging server that is the same server running ossec. OSSEC is configured to monitor the log files. AR is setup with:

    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc
[ossec-list] proftpd frequency response not triggered
I need help in understanding why the frequency rule in proftpd_rules.xml isn't triggering. I ran the following log line through ossec-logtest more than 15 times and yet active response isn't triggered:

    Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)

OSSEC SERVER RULE:

    <!-- <rule id="11204" level="5"> -->
    <rule id="11204" level="8">
      <if_sid>11200</if_sid>
      <match>Incorrect password.$|Login failed|Login incorrect</match>
      <description>Login failed accessing the FTP server</description>
      <group>authentication_failed,</group>
    </rule>

    <rule id="11251" level="10" frequency="6" timeframe="120">
      <if_matched_sid>11204</if_matched_sid>
      <same_source_ip />
      <description>FTP brute force (multiple failed logins).</description>
      <group>authentication_failures,</group>
    </rule>

    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
      <location>local</location>
      <!-- increased from 6 on 20120725 -->
      <level>8</level>
      <timeout>600</timeout>
    </active-response>

    **Phase 1: Completed pre-decoding.
    full event: 'Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)'
    hostname: '184.5.70.39'
    program_name: 'proftpd'
    log: 'INFO: Login incorrect. PASS (hidden)'

    **Phase 2: Completed decoding.
    decoder: 'proftpd'

    **Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
    *Rule 1 matched.
    *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 7200 - Grouping of the arpwatch rules.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 13106 - (null)
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11200 - Grouping for the proftpd rules.
    *Rule 11200 matched.
    *Trying child rules.
    Trying rule: 11202 - FTP session closed.
    Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
    Trying rule: 11209 - Attempt to bypass firewall that can't adequately keep state of FTP traffic.
    Trying rule: 11218 - FTP process crashed.
    Trying rule: 11219 - FTP server Buffer overflow attempt.
    Trying rule: 11210 - Multiple failed login attempts.
    Trying rule: 11204 - Login failed accessing the FTP server
    *Rule 11204 matched.
    *Trying child rules.
    Trying rule: 11251 - FTP brute force (multiple failed logins).
    Trying rule: 40111 - Multiple authentication failures.

    **Phase 3: Completed filtering (rules).
    Rule id: '11204'
    Level: '8'
    Description: 'Login failed accessing the FTP server'
    **Alert to be generated.

-- 
Gil Vidals
[ossec-list] ossec rules and server restart
I need some help in understanding why a rule isn't being obeyed. The exception I created, rule id 10, seems to be working properly according to ossec-logtest, but my customer's IP is still being blocked by the ossec agent. I may be making some bad assumptions. Are these assumptions correct?

1. The rules are defined only in the server's ossec.conf (AND NOT in the agent's ossec.conf), right?
2. Is it necessary to restart the agents after updating or creating a new rule?

    ossec-testrule: Type one log per line.

    Jul 25 10:31:10 web6 suhosin[17752]: ALERT - Include filename ('../../../../wp-config.php') contains too many '../' (attacker '216.115.6.136', file '/hsphere/local/home/lfc2012/livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php', line 24)

    **Phase 1: Completed pre-decoding.
    full event: 'Jul 25 10:31:10 web6 suhosin[17752]: ALERT - Include filename ('../../../../wp-config.php') contains too many '../' (attacker '216.115.6.136', file '/hsphere/local/home/lfc2012/livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php', line 24) '
    hostname: 'web6'
    program_name: 'suhosin'
    log: 'ALERT - Include filename ('../../../../wp-config.php') contains too many '../' (attacker '216.115.6.136', file '/hsphere/local/home/lfc2012/livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php', line 24) '

    **Phase 2: Completed decoding.
    decoder: 'suhosin'
    id: 'Include filename ('../../../../wp-config.php') contains too many '../''
    srcip: '216.115.6.136'

    **Rule debugging:
    Trying rule: 3 - Generic template for all ids rules.
    *Rule 3 matched.
    *Trying child rules.
    Trying rule: 20100 - First time this IDS alert is generated.
    *Rule 20100 matched.
    *Trying child rules.
    Trying rule: 20102 - Ignored snort ids.
    Trying rule: 20103 - Ignored snort ids.
    Trying rule: 10 - ignore suhosin blocks for now
    *Rule 10 matched.

    **Phase 3: Completed filtering (rules).
    Rule id: '10'
    Level: '0'
    Description: 'ignore suhosin blocks for now'

-- 
Gil Vidals
[ossec-list] proftp and compatible log format
I'm struggling trying to find a format for proftp logs that will be compatible with OSSEC. Can anyone help me in defining the log format that will work? My server's log file seems to be incompatible:

    /var/log/proftpd/current

    @40005005a3de304eb10c 207.158.10.18 (:::108.216.105.169[:::108.216.105.169]) - USER schuyler (Login failed): Incorrect password.
    @40005005a3d929323614 207.158.10.18 (:::108.216.105.169[:::108.216.105.169]) - USER schuyler (Login failed): Incorrect password.
    @40005005a3d21ee51884 207.158.10.18 (:::108.216.105.169[:::108.216.105.169]) - USER schuyler (Login failed): Incorrect password.
    @40005005a40a2bbf64ec 207.158.10.18 (:::108.216.105.169[:::108.216.105.169]) - USER schuyler (Login failed): Incorrect password.

-- Gil Vidals
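The "@..." prefix on those lines is the TAI64N timestamp that daemontools' multilog writes, which is the part a syslog-oriented decoder does not expect. The following parser is an added example (not from the post, and not OSSEC or proftpd code) that decodes the stamp, extracts the client address and user, and tallies failed logins per source. It assumes the standard 24-hex-digit TAI64N label as multilog writes it (2^62 + 10 + Unix seconds, then 8 hex digits of nanoseconds, no leap-second correction); the labels in the post are 20 characters, so the parser is written for the documented form. It also assumes the client address is logged as an IPv4-mapped IPv6 string ("::ffff:" or, as in the post, a ":::" prefix). The sample lines are constructed with documentation-range addresses.

```python
"""Parse proftpd login-failure lines stamped with TAI64N (daemontools multilog)
timestamps and tally failures per client address.

Added example, not from the mailing-list post or the OSSEC/proftpd projects.
Assumptions (not stated in the post):
  * the '@...' prefix is a 24-hex-digit TAI64N label as multilog writes it,
    i.e. 2**62 + 10 + unix_seconds, followed by 8 hex digits of nanoseconds,
    with no leap-second correction applied;
  * the client address is an IPv4-mapped IPv6 string ('::ffff:' prefix, or the
    ':::' prefix seen in the post).
The sample lines below are constructed; they are not real traffic.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# TAI64 label of 1970-01-01 00:00:00 UTC as written by multilog: 2**62 + 10.
TAI64_UNIX_OFFSET = (1 << 62) + 10

LINE_RE = re.compile(
    r"^@(?P<tai>[0-9a-f]{24})\s+"                        # TAI64N label
    r"(?P<server>\S+)\s+"                                # server-side address
    r"\((?P<client>[^\[]+)\[(?P<client2>[^\]]+)\]\)\s+-\s+"
    r"USER\s+(?P<user>\S+)\s+\(Login failed\):\s*(?P<reason>.*)$"
)

def tai64n_to_datetime(label: str) -> datetime:
    """Convert a 24-hex TAI64N label to an aware UTC datetime."""
    secs = int(label[:16], 16) - TAI64_UNIX_OFFSET
    nanos = int(label[16:24], 16)
    if secs < 0 or nanos >= 1_000_000_000:
        raise ValueError(f"invalid TAI64N label: {label}")
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)

def normalize_ip(addr: str) -> str:
    """Strip IPv4-mapped prefixes so '::ffff:1.2.3.4' and ':::1.2.3.4' become '1.2.3.4'."""
    for prefix in ("::ffff:", ":::"):
        if addr.startswith(prefix):
            return addr[len(prefix):]
    return addr

def parse_line(line: str):
    """Return the decoded event for a login-failure line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": tai64n_to_datetime(m["tai"]),
        "srcip": normalize_ip(m["client"]),
        "user": m["user"],
        "reason": m["reason"].strip(),
    }

def failed_logins_per_ip(lines):
    """Count login failures per client address over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[ev["srcip"]] += 1
    return counts

# Constructed sample log in the post's layout (documentation-range addresses).
SAMPLE_LOG = """\
@400000005005a3e8304eb10c 203.0.113.10 (:::198.51.100.7[:::198.51.100.7]) - USER schuyler (Login failed): Incorrect password.
@400000005005a3ee0000012c 203.0.113.10 (:::198.51.100.7[:::198.51.100.7]) - USER schuyler (Login failed): Incorrect password.
@400000005005a3f3000001f4 203.0.113.10 (::ffff:192.0.2.44[::ffff:192.0.2.44]) - USER admin (Login failed): Incorrect password.
this line is not a login failure and must be ignored
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        if ev:
            print(ev["time"].isoformat(), ev["srcip"], ev["user"], ev["reason"])
    print(failed_logins_per_ip(SAMPLE_LOG))
```

The decoded timestamp is what the rest of a pipeline keys on; the same conversion is what daemontools' tai64nlocal does when you pipe the file through it before handing it to a syslog-style decoder.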
[ossec-list] repeated_offenders not working
Repeated offenders tag in active response doesn't seem to be working. Do the agents need to be upgraded for repeated offenders to work?

- ossec server 2.6.0
- ossec agent 2.5.1

    <active-response>
      <disabled>no</disabled>
      <command>firewall-drop</command>
      <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
      <!-- block 1 hr, 1 day, 1 week on repeated offenses -->
      <repeated_offenders>60,1440,10080</repeated_offenders>
    </active-response>

log of the agent shows:

    [root@mail3 ~]# cat /var/ossec/logs/active-responses.log
    Sun Jul 15 09:42:09 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342370529.17815356 9952
    Sun Jul 15 09:52:39 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342370529.17815356 9952
    Sun Jul 15 11:00:32 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342375232.20150806 9952
    Sun Jul 15 11:11:02 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342375232.20150806 9952
    Sun Jul 15 11:23:28 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342376608.20831211 9952
    Sun Jul 15 11:33:58 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342376608.20831211 9952
    Sun Jul 15 11:38:41 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342377521.21301498 9952
    Sun Jul 15 11:49:11 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342377521.21301498 9952
    Sun Jul 15 13:26:21 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 184.151.190.36 1342383981.24654764 9952
    Sun Jul 15 13:36:51 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 184.151.190.36 1342383981.24654764 9952
    Sun Jul 15 15:37:36 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 110.186.220.231 1342391856.28661211 9952

-- Gil Vidals
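The log above answers the question on its own: every add/delete pair for the same address is 10.5 minutes apart, so the 60/1440/10080-minute escalation never kicked in. The script below is an added example (mine, not from the post, the follow-up reply, or OSSEC) that makes that check mechanical: it pairs each "add" with its "delete" in active-responses.log and compares the observed block length with the timeout expected for that offense number. It assumes the line layout shown in the post, and my reading of the escalation semantics: the first offense uses the base <timeout> (600 s here), the n-th repeat uses the n-th <repeated_offenders> value in minutes, and the last value thereafter. The sample log is constructed from the post's layout with documentation-range addresses.

```python
"""Check whether OSSEC's repeated_offenders escalation is actually taking effect,
by pairing each 'add' with its 'delete' in active-responses.log and comparing the
observed block length with the timeout expected for that offense number.

Added example; not code from the post or from OSSEC. Assumptions (mine, not
stated on the list): lines have the layout shown in the post
('<date> <script> add|delete - <ip> <alert-id> <rule-id>'); the first offense
uses <timeout> (600 s here), the n-th repeat uses the n-th <repeated_offenders>
value in minutes (60,1440,10080 here) and the last value thereafter. The sample
log is constructed from the post's layout with documentation-range addresses.
"""
from datetime import datetime
from typing import List, Optional

TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def parse_ar_line(line: str) -> Optional[dict]:
    """Parse one active-responses.log line; lines in any other layout yield None."""
    tok = line.split()
    if len(tok) != 12 or tok[7] not in ("add", "delete") or tok[8] != "-":
        return None
    # tok[4] is the zone abbreviation (e.g. PDT); it is dropped and the stamp is
    # kept as naive local time, which is all that interval arithmetic needs.
    when = datetime.strptime(" ".join(tok[:4] + [tok[5]]), TS_FORMAT)
    return {"time": when, "script": tok[6], "action": tok[7],
            "ip": tok[9], "alert_id": tok[10], "rule_id": int(tok[11])}

def expected_timeout(offense: int, base: int = 600,
                     repeated=(60, 1440, 10080)) -> int:
    """Seconds a block should last for the zero-based offense count of an IP."""
    if offense == 0:
        return base
    return repeated[min(offense, len(repeated)) - 1] * 60

def check_escalation(lines, base: int = 600,
                     repeated=(60, 1440, 10080)) -> List[dict]:
    """One record per 'add': observed block length (None while still blocked)
    and whether it reached the escalated timeout expected for that offense."""
    events = [e for e in (parse_ar_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    offenses = {}      # ip -> number of 'add' events seen so far
    open_blocks = {}   # ip -> index into results of the block still active
    results: List[dict] = []
    for ev in events:
        ip = ev["ip"]
        if ev["action"] == "add":
            n = offenses.get(ip, 0)
            offenses[ip] = n + 1
            open_blocks[ip] = len(results)
            results.append({"ip": ip, "offense": n, "added": ev["time"],
                            "removed": None, "observed_s": None,
                            "expected_s": expected_timeout(n, base, repeated),
                            "ok": None})
        elif ip in open_blocks:
            rec = results[open_blocks.pop(ip)]
            rec["removed"] = ev["time"]
            rec["observed_s"] = int((ev["time"] - rec["added"]).total_seconds())
            rec["ok"] = rec["observed_s"] >= rec["expected_s"]
    return results

def ips_without_escalation(results: List[dict]) -> List[str]:
    """Addresses that were unblocked earlier than the escalated timeout at least once."""
    return sorted({r["ip"] for r in results if r["ok"] is False})

# Constructed sample (post's layout; addresses replaced with documentation ranges).
SAMPLE_LOG = """\
[root@agent ~]# cat /var/ossec/logs/active-responses.log
Sun Jul 15 09:42:09 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1342370529.17815356 9952
Sun Jul 15 09:52:39 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1342370529.17815356 9952
Sun Jul 15 11:00:32 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1342375232.20150806 9952
Sun Jul 15 11:11:02 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1342375232.20150806 9952
Sun Jul 15 11:23:28 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1342376608.20831211 9952
Sun Jul 15 11:33:58 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.23 1342376608.20831211 9952
Sun Jul 15 15:37:36 PDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.77 1342391856.28661211 9952
""".splitlines()

if __name__ == "__main__":
    results = check_escalation(SAMPLE_LOG)
    for r in results:
        print(f'{r["ip"]:15s} offense {r["offense"]}  observed {r["observed_s"]}s  '
              f'expected {r["expected_s"]}s  ok={r["ok"]}')
    print("not escalated:", ips_without_escalation(results))
```

On the sample the second and third blocks of 198.51.100.23 last 630 s where 3600 s and 86400 s were expected, which is exactly the symptom in the post; an address whose "delete" has not been logged yet is reported with ok=None rather than guessed at.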
[ossec-list] Re: repeated_offenders not working
Apparently repeated_offenders must be added to the ossec.conf in the agents (not the server). I'll upgrade the agents to 2.6 and then add the repeated_offenders to the conf and see if that solves it.

Gil Vidals

On Sun, Jul 15, 2012 at 4:55 PM, Gil Vidals <gvid...@gmail.com> wrote:
> Repeated offenders tag in active response doesn't seem to be working. Do the agents need to be upgraded for repeated offenders to work?
> - ossec server 2.6.0
> - ossec agent 2.5.1

-- Gil Vidals
[ossec-list] ossec-maild version 2.4.1 dies frequently
After upgrading my server to OSSEC Version 2.4.1, the ossec-maild daemon dies frequently each day. Nothing else I am aware of in my system has changed. Is anyone else experiencing ossec-maild dying? Is there a solution to this problem you are aware of? Thanks, Gil Vidals VM Racks - ESX Hosting
[ossec-list] overriding rules problem
I am trying to override part of rule 31106, but it's not working. Any help or hints would be most welcome. I'm trying to avoid getting notified when this condition occurs:

    Received From: (croatia) 192.168.0.100->/hsphere/local/home/cpanel/apache/logs/access_log
    Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
    Portion of the log(s):

    173.85.169.203 - - [27/Feb/2010:01:27:34 -0800] "GET /studio/servlet/psoft.counter.CounterService?action=count&id=411&accept-language=undefined&user-agent=Mozilla/5.0%20%28Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20en-US%3B%20rv%3A1.9.1.8%29%20Gecko/20100202%20Firefox/3.5.8%20%28.NET%20CLR%203.5.30729%29&size=1024&colors=32&ref=http%3A//www.google.com/search%3Fhl%3Den%26client%3Dfirefox-a%26hs%3DFWJ%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26ei%3DfOWIS46EEYP18QaRxe2aDw%26sa%3DX%26oi%3Dspellfullpage%26resnum%3D0%26ct%3Dresult%26cd%3D2%26ved%3D0CAYQvwUoAQ%26%26q%3Dspirit+life+christian+church+las+vegas%26spell%3D1&java=true&rand=0.057259379032712276 HTTP/1.1" 200 180

Here is my first failed attempt of writing an override rule:

    <group name="web,accesslog,">
      <!-- level one will still log it but not report it; if you do not want to log it at all use level="0" -->
      <rule id="100101" level="1" timeframe="160">
        <if_matched_sid>31106</if_matched_sid>
        <regex>psoft.counter.CounterService</regex>
        <description>sitestudio counter is not a web attack</description>
        <group name="attack,"></group>
      </rule>
    </group>

And here are the rules that are responsible for the ossec alert I am trying to turn off.

    <rule id="31104" level="6">
      <if_sid>31100</if_sid>
      <!-- Attempt to do directory transversal, simple sql injections,
         - or access to the etc or bin directory (unix).
        -->
      <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|../</url>
      <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
      <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
      <url>cat%|exec%|rm%20</url>
      <description>Common web attack.</description>
      <info>http://www.armbrustconsulting.com/LogEntries.html</info>
      <group>attack,</group>
    </rule>

    <rule id="31105" level="6">
      <if_sid>31100</if_sid>
      <url>%3Cscript|%2Fscript|script|script%3E|SRC=javascript|IMG%20|</url>
      <url>%20ONLOAD=|INPUT%20|iframe%20</url>
      <description>XSS (Cross Site Scripting) attempt.</description>
      <group>attack,</group>
    </rule>

    <rule id="31106" level="12">
      <if_sid>31103, 31104, 31105</if_sid>
      <id>^200</id>
      <description>A web attack returned code 200 (success).</description>
      <group>attack,</group>
    </rule>

I would appreciate any help and advice. Thank you.

Gil Vidals
Re: [ossec-list] overriding rules problem
Daniel,

Thank you so much for your answer. I will try your suggestion today. By the way, I am relatively new to OSSEC and have been enjoying your product. I am using it on about a dozen linux servers and I plan on becoming more proficient with it.

--Gil Vidals

On Mon, Mar 1, 2010 at 10:28 AM, Daniel Cid <daniel@gmail.com> wrote:
> Hi Gil,
>
> You need to use if_sid instead of if_matched_sid. The latter is only used for composite rules (when matching across multiple events).
>
> hope that helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sun, Feb 28, 2010 at 11:41 PM, Gil Vidals <gvid...@gmail.com> wrote:
> > I am trying to override part of rule 31106, but it's not working. Any help or hints would be most welcome.
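Daniel's answer, and the "Trying rule ... matched ... Trying child rules" walk that ossec-logtest printed in the "ossec rules and server restart" thread above, both come down to how the rule tree is traversed for one event: a matching rule's if_sid children are tried next, the deepest match decides the level, and a rule declared with if_matched_sid is a composite rule that only the frequency/timeframe machinery consults, so it never runs as a direct child. The model below is an added example (mine, not OSSEC's code) that reproduces just that part of the logic for the thread's rules. Simplifications I assume: <url> patterns are treated as "|"-separated substrings, <id> as a regex on the HTTP status, <regex> as a Python regex over the whole line, rule 31100 as an unconditional root for access-log events, and 31104 keeps only the url entries relevant here. The two sample lines are constructed; the first reproduces the false positive in the post (the url-encoded Google referrer parameter "cd=2" appears as "cd%3D2", which the "cd%" entry of rule 31104 matches).

```python
"""Why the override needs <if_sid> rather than <if_matched_sid>: a small model of
how OSSEC walks its rule tree for a single Apache access-log event.

Added example, not OSSEC code; it mimics only the matching logic the thread
discusses. Assumed simplifications: <url> patterns are '|'-separated substrings,
<id> is a regex on the HTTP status, <regex> is a Python regex over the whole
line, 31100 is an unconditional root, and a rule declared with if_matched_sid is
a composite rule that is never consulted as a direct child.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    rid: int
    level: int
    description: str
    if_sid: List[int] = field(default_factory=list)          # direct parent(s)
    if_matched_sid: List[int] = field(default_factory=list)  # composite parent(s)
    url: List[str] = field(default_factory=list)             # any substring hit
    status: Optional[str] = None                             # <id> regex on status
    regex: Optional[str] = None                              # <regex> over the line

# Access-log fields this model needs: request URL and HTTP status code.
APACHE_RE = re.compile(r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) ')

def parse_access_line(line: str) -> Optional[dict]:
    m = APACHE_RE.search(line)
    if not m:
        return None
    return {"url": m["url"], "status": m["status"], "log": line}

def rule_matches(rule: Rule, ev: dict) -> bool:
    if rule.url and not any(p in ev["url"] for p in rule.url):
        return False
    if rule.status and not re.search(rule.status, ev["status"]):
        return False
    if rule.regex and not re.search(rule.regex, ev["log"]):
        return False
    return True

def evaluate(rules: List[Rule], ev: dict) -> Optional[Rule]:
    """Depth-first walk: the first matching child is followed and the deepest
    matching rule decides the alert. if_matched_sid rules are not in the tree."""
    children: Dict[int, List[Rule]] = {}
    for r in rules:
        for parent in r.if_sid:
            children.setdefault(parent, []).append(r)

    def walk(rule: Rule) -> Rule:
        for child in children.get(rule.rid, []):
            if rule_matches(child, ev):
                return walk(child)
        return rule

    for root in rules:
        if not root.if_sid and not root.if_matched_sid and rule_matches(root, ev):
            return walk(root)
    return None

# Condensed versions of the thread's rules.
BASE_RULES = [
    Rule(31100, 0, "Access log messages grouped."),
    Rule(31104, 6, "Common web attack.", if_sid=[31100],
         url=["../..", "..\\..", "cmd.exe", "/winnt/", "chmod%", "wget%", "cd%",
              "cat%", "exec%", "rm%20"]),
    Rule(31105, 6, "XSS (Cross Site Scripting) attempt.", if_sid=[31100],
         url=["%3Cscript", "%2Fscript", "SRC=javascript", "%20ONLOAD="]),
    Rule(31106, 12, "A web attack returned code 200 (success).",
         if_sid=[31104, 31105], status="^200"),
]
# The post's first attempt (composite parent) and the form Daniel suggested.
OVERRIDE_BROKEN = Rule(100101, 1, "sitestudio counter is not a web attack",
                       if_matched_sid=[31106], regex=r"psoft\.counter\.CounterService")
OVERRIDE_FIXED = Rule(100101, 1, "sitestudio counter is not a web attack",
                      if_sid=[31106], regex=r"psoft\.counter\.CounterService")

# Constructed sample events (documentation-range client address).
COUNTER_LINE = ('192.0.2.10 - - [27/Feb/2010:01:27:34 -0800] '
                '"GET /studio/servlet/psoft.counter.CounterService?action=count&id=411'
                '&ref=http%3A//www.example.com/search%3Fcd%3D2 HTTP/1.1" 200 180')
TRAVERSAL_LINE = ('192.0.2.10 - - [27/Feb/2010:01:30:00 -0800] '
                  '"GET /wp-content/plugins/x/../../../../wp-config.php HTTP/1.1" 200 1024')

def alert_for(line: str, override: Optional[Rule]) -> Optional[Rule]:
    """Evaluate one log line against the base rules plus an optional override rule."""
    ev = parse_access_line(line)
    if ev is None:
        return None
    return evaluate(BASE_RULES + ([override] if override else []), ev)

if __name__ == "__main__":
    for label, ov in (("no override", None), ("if_matched_sid", OVERRIDE_BROKEN),
                      ("if_sid", OVERRIDE_FIXED)):
        r = alert_for(COUNTER_LINE, ov)
        print(f"{label:15s} -> rule {r.rid} level {r.level}: {r.description}")
    r = alert_for(TRAVERSAL_LINE, OVERRIDE_FIXED)
    print(f"traversal, if_sid -> rule {r.rid} level {r.level}: {r.description}")
```

The second sample line shows why a child rule keyed on the specific URL is the right shape for the fix: a genuine traversal request with a 200 response still ends at rule 31106 at level 12, because the override's <regex> does not match it, whereas lowering or disabling 31106 itself would have silenced both.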
[ossec-list] Re: agentless monitoring full featured?
Well, I didn't get anyone to chime in, but it seems to me that it's not possible to monitor logs such as /var/log/messages using the agentless tag. So I am using the agent model now, which works great.

On Sun, Apr 26, 2009 at 8:38 AM, Gil Vidals <gvid...@gmail.com> wrote:
> I'm new to OSSEC and have successfully installed the server v2.0. I'd like to go for the agentless version on my linux hosts, but the documentation is hazy on what features are available on the agentless version.
>
> 1) Is it true that the agentless version doesn't do log monitoring yet?
>
> *Agentless monitoring* allows you to run integrity checking (and in the future log monitoring)
>
> 2) Is this still correct in the manual?
>
> Once you have added all your systems, you need to configure OSSEC (http://www.ossec.net/) to monitor them. By default, we have 4 agentless types (but we plan to add more soon): *ssh_integrity_check_bsd*, *ssh_integrity_check_linux*, *ssh_generic_diff* and *ssh_pixconfig_diff*.
>
> I really need log monitoring, so if that feature isn't available yet, I'll install the regular version instead of agentless. I'm looking forward to getting started.
>
> --Gil Vidals
[ossec-list] Agentless monitoring and rules
I'm new to OSSEC and have successfully installed the latest version with agentless monitoring. I installed the example config and received my first notification alerts for my agentless linux host:

    <agentless>
      <type>ssh_generic_diff</type>
      <frequency>60</frequency>
      <host>r...@account.erased.com</host>
      <state>periodic_diff</state>
      <arguments>ls -la /etc; cat /etc/passwd</arguments>
    </agentless>

However, I don't understand how to add the rules that I see in my ossec.conf (see below) to my agentless linux host. I would appreciate any guidance (I read the OSSEC HIDS book, but it doesn't address agentless monitoring). Basically I want my linux servers to run agentless and use the default include rules.

    <rules>
      <include>rules_config.xml</include>
      <include>pam_rules.xml</include>
      <include>sshd_rules.xml</include>
      <include>telnetd_rules.xml</include>
    </rules>

Gil Vidals