Re: [ossec-list] OSSEC on Raspberry Pi 2
Hello Shaharyar,

compiling from source works just fine.

Jan

On Sun, Feb 7, 2016 at 6:39 PM, Shaharyar Chaudhry wrote:
> Hey, I was wondering how you got the ossec agent to work on rpi, is there
> a guide to this? I am trying to get the agent on my rpi2 model to work. Any
> help would be great.
>
> Cheers :)
>
> On Thursday, October 15, 2015 at 9:50:38 AM UTC-4, Jedi Meister wrote:
>>
>> So,
>>
>> I rebuilt the server with the SAME tar.gz file and restarted it.
>>
>> Now I receive the alerts from the clients.
>>
>> ** Alert 1444916936.103875: - syslog,sshd,authentication_failed,
>> 2015 Oct 15 15:48:56 (hal) 78.46.76.44->/var/log/auth.log
>> Rule: 5716 (level 5) -> 'SSHD authentication failed.'
>> Src IP: 80.87.168.98
>> User: itsolutions
>> Oct 15 15:48:55 hal sshd[21772]: Failed password for foobar from
>> 80.87.168.98 port 55976 ssh2
>>
>> VERY strange. But anyway, it works now.
>>
>> Thanks for the help!!
>>
>> On Thursday, 15 October 2015 15:44:39 UTC+2, Jedi Meister wrote:
>>>
>>> Sorry,
>>>
>>> You didn't give us much to go on. Did you create a new key for this
>>> agent?
>>> Yes, new keys were generated on the Raspberry for the agents.
>>>
>>> Did you install it?
>>> I used the install.sh method of the installation tar.gz.
>>>
>>> Did you restart the OSSEC processes after adding the key?
>>> Yes, restart of ossec and restart of the system.
>>>
>>> Are you sure there's no firewall on the OSSEC manager blocking the
>>> traffic?
>>> Correct, iptables is flushed; the firewall before let the ossec
>>> communication pass (as I receive the data with the same rule on the old
>>> system).
>>>
>>> Are there any logs from the manager's ossec.log file that might hint
>>> at the problem?
>>>
>>> No, there is no indication. I included the full log:
>>>
>>> 2015/10/15 15:42:17 ossec-testrule: INFO: Reading local decoder file.
>>> 2015/10/15 15:42:18 ossec-testrule: INFO: Started (pid: 5575).
>>> 2015/10/15 15:42:18 ossec-maild: INFO: Started (pid: 5587).
>>> 2015/10/15 15:42:18 ossec-execd: INFO: Started (pid: 5591).
>>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
>>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading local decoder file.
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
Re: [ossec-list] Does a single machine scenario use an agent?
Hello Derek,

just install ossec in local mode; this should be best for you.

Brgds
Jan

On Mon, Oct 13, 2014 at 3:06 PM, de...@scratters.com wrote:
> I'm exploring the use of OSSEC and I've got a question the docs I've read
> aren't yet answering. I think it's going to be quicker to just ask...
>
> I have a single Linux box which runs in the DMZ. It has a few services,
> with Apache and Squid being the main ones. I want to put OSSEC on it
> primarily in a log monitoring role.
>
> The thing that just won't click from reading the docs and presentations so
> far is whether a single machine scenario uses an agent or not. There appear
> to be these possibilities:
>
> * the manager and agent run together and the agent talks to its local
>   manager using localhost based communications;
> * the manager sort of runs the agent's processes itself, and hence there is
>   no communication between the two pieces;
> * something else. :)
>
> I know the answer is in there somewhere, but I've been wading through docs
> for 3 hours now and I've probably missed it. Can someone point me at the
> answer?

--
---
You received this message because you are subscribed to the Google Groups ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?
Michael,

if you remove if_sid, will it match anything? I am trying now to play with it a bit and it doesn't match.

I created a vulnerable cgi script. All 40x attempts are matched by 31101.

**Phase 1: Completed pre-decoding.
       full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
       hostname: 'Ossec1'
       program_name: '(null)'
       log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '111.111.111.111'
       url: '/cgi-bin/test.cgi'
       id: '404'

**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    Trying rule: 31108 - Ignored URLs (simple queries).
    Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
    Trying rule: 31103 - SQL injection attempt.
    Trying rule: 31104 - Common web attack.
    Trying rule: 31105 - XSS (Cross Site Scripting) attempt.
    Trying rule: 31110 - PHP CGI-bin vulnerability attempt.
    Trying rule: 31109 - MSSQL Injection attempt (/ur.php, urchin.js)
    Trying rule: 31164 - SQL injection attempt.
    Trying rule: 31165 - SQL injection attempt.
    Trying rule: 31501 - WordPress Comment Spam (coming from a fake search engine UA).
    Trying rule: 31502 - TimThumb vulnerability exploit attempt.
    Trying rule: 31503 - osCommerce login.php bypass attempt.
    Trying rule: 31504 - osCommerce file manager login.php bypass attempt.
    Trying rule: 31505 - TimThumb backdoor access attempt.
    Trying rule: 31506 - Cart.php directory transversal attempt.
    Trying rule: 31507 - MSSQL Injection attempt (ur.php, urchin.js).
    Trying rule: 31508 - Blacklisted user agent (known malicious user agent).
    Trying rule: 31511 - Blacklisted user agent (wget).
    Trying rule: 31512 - Uploadify vulnerability exploit attempt.
    Trying rule: 31513 - BBS delete.php exploit attempt.
    Trying rule: 31514 - Simple shell.php command execution.
    Trying rule: 31515 - PHPMyAdmin scans (looking for setup.php).
    Trying rule: 31516 - Suspicious URL access.
    Trying rule: 31550 - Anomaly URL query (attempting to pass null termination).
    Trying rule: 31101 - Web server 400 error code.
       *Rule 31101 matched.
       *Trying child rules.
    Trying rule: 31102 - Ignored extensions on 400 error codes.
    Trying rule: 31140 - Ignoring google/msn/yahoo bots.
    Trying rule: 31141 - Ignored 499's on nginx.
    Trying rule: 31151 - Multiple web server 400 error codes from same source ip.

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

There is an even bigger issue. When the status code is 200, rule 31108 matches and the attack is ignored:

**Phase 1: Completed pre-decoding.
       full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
       hostname: 'Ossec1'
       program_name: '(null)'
       log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '111.111.111.111'
       url: '/cgi-bin/test.cgi'
       id: '200'

**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    Trying rule: 31108 - Ignored URLs (simple queries).
       *Rule 31108 matched.
       *Trying child rules.
    Trying rule: 31509 - CMS (WordPress or Joomla) login attempt.

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'

Jan

On Mon, Oct 6, 2014 at 5:52 PM, Michael Starks ossec-l...@michaelstarks.com wrote:
> On 2014-10-04 5:30, Jan Andrasko wrote:
>> Hello Michael,
>>
>>> Thanks for sharing this. Any specific reason for the '\.+' after the '()'?
>> You are right, '\.*' is better. Thanks for pointing this out.
>>
>>> Also, the ':' before ';' is not part of the exploit, so you may want to
>>> remove that.
>> You are right again, there can be anything before ';'.
>
> I think there is a bug in either the OSSEC code or documentation, as I was
> getting some false-positives for this. The issue seems to be with the ()
> characters, which, in my experience, need
Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?
Hello Michael,

> Thanks for sharing this. Any specific reason for the '\.+' after the '()'?
You are right, '\.*' is better. Thanks for pointing this out.

> Also, the ':' before ';' is not part of the exploit, so you may want to remove that.
You are right again, there can be anything before ';'.

Rob, the issue with your rule was that this string is not part of the url. It is usually in place of the user agent, which is not decoded by Ossec. Therefore you need to regex the whole log message.

Brgds
Jan

On Sat, Oct 4, 2014 at 12:48 AM, Michael Starks ossec-l...@michaelstarks.com wrote:
> On 2014-10-03 9:12, Jan Andrasko wrote:
>> <rule id="120003" level="13">
>>   <if_sid>31100</if_sid>
>>   <regex>()\.+{\.+:;};</regex>
>>   <description>Shellshock Attempt</description>
>>   <group>attack,</group>
>> </rule>
>
> Thanks for sharing this. Any specific reason for the '\.+' after the '()'?
> I'm not sure you'll always see something there. Also, the ':' before ';' is
> not part of the exploit, so you may want to remove that.
>
> I am testing this version:
>
> <rule id="100085" level="13">
>   <if_sid>31100</if_sid>
>   <regex>()\.*{\.*;};</regex>
>   <description>Shellshock Exploit Attempt</description>
>   <group>attack,</group>
> </rule>
>
> As it were, this is a very unique string so I bet something like this would
> even work without too many false-positives:
>
> <rule id="100085" level="13">
>   <if_sid>31100</if_sid>
>   <regex>()\.*{</regex>
>   <description>Shellshock Exploit Attempt</description>
>   <group>attack,</group>
> </rule>
>
> This version should account for some URL encoding:
>
> <rule id="100085" level="13">
>   <if_sid>31100</if_sid>
>   <regex>()\.*{|%28%29+%7B|%28%29%7B</regex>
>   <description>Shellshock Exploit Attempt</description>
>   <group>attack,</group>
> </rule>
Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?
Hello Rob,

this works for us:

<rule id="120003" level="13">
  <if_sid>31100</if_sid>
  <regex>()\.+{\.+:;};</regex>
  <description>Shellshock Attempt</description>
  <group>attack,</group>
</rule>

Brgds
Jan

On Thu, Oct 2, 2014 at 3:08 PM, Robert Moerman rjmfphotogra...@gmail.com wrote:
> Hello,
>
> I've been trying to write a rule to detect CGI-based shellshock attacks via
> the apache log parser, but I find the signature doesn't fire (even when I
> see the string in the apache logs):
>
> *Detect () { :; }; in url string*
>
> <rule id="12" level="13">
>   <if_sid>31100</if_sid>
>   <url>() { :; };</url>
>   <description>Shellshock Attempt</description>
>   <group>attack,</group>
> </rule>
>
> *Detect () { :; }; transposed in url string*
>
> <rule id="13" level="13">
>   <if_sid>31100</if_sid>
>   <url>()%20%7B%20:;%20%7D;</url>
>   <description>Shellshock Attempt</description>
>   <group>attack,</group>
> </rule>
>
> Has anyone done this successfully?
>
> Thanks
> - Rob
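As an added example (not code from this thread and not OSSEC code), the Python below reproduces Jan's point about Rob's rules on constructed Apache combined-log lines modelled on the ones posted: the Shellshock marker travels in the User-Agent field, so a check that only sees the decoded url field misses it, while a check over the whole log line catches both the raw and the percent-encoded forms. The patterns are written in Python re syntax, where '.' is any character and '\.' a literal dot, the reverse of OSSEC's regex dialect; the raw pattern '\(\)\s*\{' is deliberately narrower than the posted '()\.*{' and allows only whitespace between the parentheses and the brace. The log lines, addresses and the test.cgi path are constructed for the example.

```python
"""Shellshock probes in Apache access logs: url-field check vs whole-line check.

Added example for the ossec-list Shellshock thread, not code from the thread
or from OSSEC. Sample lines are constructed; patterns are Python re syntax.
"""
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the ones posted in the
# thread. In a CGI Shellshock probe the "() {" marker is sent in a request
# header, most often User-Agent, so it lands in the last quoted field and
# never appears in the request URL.
ACCESS_LOG = [
    '111.111.111.111 - - [07/Oct/2014:12:53:51 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 1666 "-" '
    '"() { test;};echo \\"Content-type: text/plain\\"; echo; echo; /bin/cat /etc/passwd"',
    '111.111.111.111 - - [07/Oct/2014:12:53:51 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1666 "-" '
    '"() { :; }; /bin/cat /etc/passwd"',
    # Same probe with the marker percent-encoded and '+' for spaces.
    '111.111.111.111 - - [07/Oct/2014:12:54:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1666 "-" '
    '"%28%29+%7B+:;+%7D;+/bin/id"',
    # Marker in the query string: the only case a url-field check can see.
    '111.111.111.111 - - [07/Oct/2014:12:54:10 +0000] '
    '"GET /cgi-bin/test.cgi?x=()%20%7B%20:;%20%7D; HTTP/1.1" 200 12 "-" "curl/7.35.0"',
    # Benign request, must not be flagged.
    '10.0.0.5 - - [07/Oct/2014:12:55:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0"',
]

# Apache combined log format. Of these fields, the web-accesslog decoder hands
# a rule only srcip, url and the status code (id); the user agent is not decoded.
COMBINED = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# "()" followed by optional whitespace and "{": the start of the function
# definition that bash imported from the environment. Narrower than the posted
# "()\.*{", which allows anything between the parentheses and the brace.
SHELLSHOCK = re.compile(r'\(\)\s*\{')


def parse_access_log(line):
    """Split a combined-log line into named fields, or return None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def _decode(text):
    """Percent-decode, reading '+' as a space as form encoding does."""
    return unquote(text.replace('+', ' '))


def shellshock_in_url(line):
    """What a <url>-style rule sees: only the request URL, raw or decoded."""
    fields = parse_access_log(line)
    if fields is None:
        return False
    url = fields['url']
    return bool(SHELLSHOCK.search(url) or SHELLSHOCK.search(_decode(url)))


def shellshock_in_line(line):
    """What a whole-log <regex>-style rule sees: every field, including the
    user agent, checked raw and percent-decoded."""
    return bool(SHELLSHOCK.search(line) or SHELLSHOCK.search(_decode(line)))


def scan(lines):
    """Return (url_hits, line_hits): indexes flagged by each method."""
    url_hits = [i for i, l in enumerate(lines) if shellshock_in_url(l)]
    line_hits = [i for i, l in enumerate(lines) if shellshock_in_line(l)]
    return url_hits, line_hits


if __name__ == '__main__':
    url_hits, line_hits = scan(ACCESS_LOG)
    for i, line in enumerate(ACCESS_LOG):
        fields = parse_access_log(line)
        print(f"line {i}: status={fields['status']} url_check={i in url_hits} "
              f"line_check={i in line_hits}")
```

Running it flags only the query-string probe (line 3) with the url-field check, but lines 0 to 3 with the whole-line check, and leaves the Firefox request alone. Note that lines 1 to 3 carry a 200 status: that is the case Jan's second ossec-logtest run shows being swallowed by the level-0 rule 31108, so whatever regex you settle on, test it against a 200 response as well as a 404.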
Re: [ossec-list] rule test succeeds but fails to alert
velvin,

can you try to run ossec-logtest more verbosely with the command ossec-logtest -v and paste the results here? I had similar issues with ossec-logtest giving different results than ossec-analysisd in the past.

Jan

On Fri, Aug 29, 2014 at 8:44 PM, dan (ddp) ddp...@gmail.com wrote:
> On Fri, Aug 29, 2014 at 12:16 PM, velvin vel...@gmail.com wrote:
>> Regardless of the rule ID it triggers, the issue I'm seeing is that while
>> manually testing the rule using ossec-logtest tells me "alert to be
>> generated", in actual testing (causing the event ID from a host with the
>> agent running) no alert or log entry is generated (except rule ID 1002). I
>> know the workstation is sending the correct log since I see rule ID 1002
>> generate the alert, but the windows msauth rules are not hit. I am stuck
>> here.
>
> Make sure the OSSEC processes restart after you make changes. Other than
> that, I cannot reproduce this issue, so I have no clue.
Re: [ossec-list] Re: wget download forbidden
Hello Joe,

for me too; however, none of the howtos and installation manuals contain the information that you have to use the -U option in wget. Could be misleading for newbies.

Jan

On Wed, Aug 27, 2014 at 1:12 AM, Joe Evango joe.eva...@gmail.com wrote:
> Hello,
>
> This works for me:
>
> wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.tar.gz
>
> On Tuesday, July 29, 2014 6:30:38 AM UTC-7, Jan Andrasko wrote:
>> Hi guys,
>>
>> today, when trying to download ossec from your website, I was constantly
>> getting a 403 error:
>>
>> wget http://www.ossec.net/files/ossec-hids-2.8.tar.gz
>> --2014-07-29 15:16:21--  http://www.ossec.net/files/ossec-hids-2.8.tar.gz
>> Resolving www.ossec.net (www.ossec.net)... 150.70.191.237
>> Connecting to www.ossec.net (www.ossec.net)|150.70.191.237|:80... connected.
>> HTTP request sent, awaiting response... 403 Forbidden
>> 2014-07-29 15:16:21 ERROR 403: Forbidden.
>>
>> After spoofing the Mozilla Firefox user agent, the file was downloaded
>> correctly. Is there any special reason for blocking wget downloads?
>>
>> Thanks
>> Jan
[ossec-list] wget download forbidden
Hi guys,

today, when trying to download ossec from your website, I was constantly getting a 403 error:

wget http://www.ossec.net/files/ossec-hids-2.8.tar.gz
--2014-07-29 15:16:21--  http://www.ossec.net/files/ossec-hids-2.8.tar.gz
Resolving www.ossec.net (www.ossec.net)... 150.70.191.237
Connecting to www.ossec.net (www.ossec.net)|150.70.191.237|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-07-29 15:16:21 ERROR 403: Forbidden.

After spoofing the Mozilla Firefox user agent, the file was downloaded correctly. Is there any special reason for blocking wget downloads?

Thanks
Jan
Re: [ossec-list] Setting email
Hello Evan,

rule 1002 matches every log which contains these words:

<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

and is by default configured to alert by email:

<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>

You can create a new local rule to override this for either only iptables or all events with ID 1002.

Jan

On Fri, Apr 11, 2014 at 4:23 PM, Evan evster...@gmail.com wrote:
> All of them are like this one:
>
> OSSEC HIDS Notification.
> 2014 Apr 11 00:48:55
>
> Received From: my_host_name->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Apr 11 00:48:47 my_host_name kernel: iptables denied: IN=eth0 OUT= MAC=ff:3c:91:70:34:ec:84:38:af:0d:97:c1:09:11 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=57740 PROTO=UDP SPT=455 DPT=123 LEN=56
>
> (I replaced both IPs with x's)
>
> On Thursday, April 10, 2014 9:16:13 PM UTC-5, nicolaszin wrote:
>> Which alert is it? Does the alert have an "alert_by_email" by any chance?
>>
>> On Thu, Apr 10, 2014 at 9:03 PM, Evan evst...@gmail.com wrote:
>>> Today I installed OSSEC on my server and I have these settings:
>>>
>>> <global>
>>>   <email_notification>yes</email_notification>
>>>   <email_to>my-email...@gmail.com</email_to>
>>>   <smtp_server>localhost</smtp_server>
>>>   <email_from>ossecm@scaver</email_from>
>>> </global>
>>>
>>> <email_alerts>
>>>   <email_to>my-email...@gmail.com</email_to>
>>>   <level>7</level>
>>> </email_alerts>
>>>
>>> Near the end of the file I have these lines as well:
>>>
>>> <alerts>
>>>   <log_alert_level>1</log_alert_level>
>>>   <email_alert_level>8</email_alert_level>
>>> </alerts>
>>>
>>> But with these settings I get an email from OSSEC every 5 seconds and it's
>>> a Level 2 alert. What do I need to configure so that I only get an email
>>> for level 7 and above?
>>>
>>> Thanks,
>>> Evan
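As an added example (not OSSEC code and not from this thread), the Python below models the piece of OSSEC's alerting that this thread turns on: rule 1002 carries the alert_by_email option, so its level-2 matches are mailed regardless of the email_alert_level threshold, and a local child rule with if_sid 1002 and level 0, scoped to the iptables messages, makes those disappear while other BAD_WORDS hits still alert. The override's rule id 100100 is made up; the iptables line is the masked one Evan posted and the segfault line is constructed. The evaluator implements only the documented semantics the thread relies on (substring <match> with '|' alternatives, if_sid children tried after their parent matches, level 0 meaning ignore) and is not a reimplementation of ossec-analysisd.

```python
"""Why rule 1002 mails below email_alert_level, and how a local override stops it.

Added example for the ossec-list "Setting email" thread; a model of the
documented OSSEC semantics, not OSSEC code.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The BAD_WORDS variable quoted in the thread ('|'-separated substrings).
BAD_WORDS = ("core_dumped|failure|error|attack|bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")


@dataclass
class Rule:
    id: int
    level: int
    match: str                      # '|'-separated literal substrings, like <match>
    description: str
    if_sid: Optional[int] = None    # parent rule id, like <if_sid>
    options: List[str] = field(default_factory=list)  # e.g. "alert_by_email"


def matches(rule, log):
    """<match> semantics modelled here: case-sensitive substring, '|' is OR."""
    return any(word in log for word in rule.match.split("|"))


def evaluate(log, rules):
    """Return the most specific matching rule.

    Top-level rules (no if_sid) are tried in order; once one matches, its
    children (if_sid == parent.id) are tried and the first matching child
    replaces the parent. That is how a local_rules.xml override takes effect.
    """
    for parent in rules:
        if parent.if_sid is None and matches(parent, log):
            for child in rules:
                if child.if_sid == parent.id and matches(child, log):
                    return child
            return parent
    return None


def decision(log, rules, email_alert_level):
    """'ignored' (no rule, or level 0), 'logged', or 'emailed'.

    A rule carrying the alert_by_email option is mailed regardless of the
    email_alert_level threshold, which is what the thread ran into.
    """
    rule = evaluate(log, rules)
    if rule is None or rule.level == 0:
        return "ignored"
    if rule.level >= email_alert_level or "alert_by_email" in rule.options:
        return "emailed"
    return "logged"


# Stock rule 1002 as quoted in the thread.
RULE_1002 = Rule(1002, 2, BAD_WORDS, "Unknown problem somewhere in the system.",
                 options=["alert_by_email"])

# Hypothetical local override: a level-0 child of 1002 for the iptables lines
# only. Rule id 100100 is made up (user rules belong in 100000-119999).
OVERRIDE_IPTABLES = Rule(100100, 0, "iptables denied",
                         "Ignore iptables drops that rule 1002 would mail.",
                         if_sid=1002)

# The log line Evan posted (IPs already masked) and a constructed one that
# must still alert once the override is in place.
IPTABLES_LOG = ("Apr 11 00:48:47 my_host_name kernel: iptables denied: IN=eth0 OUT= "
                "MAC=ff:3c:91:70:34:ec:84:38:af:0d:97:c1:09:11 SRC=xx.xx.xx.xx "
                "DST=xx.xx.xx.xx LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=57740 "
                "PROTO=UDP SPT=455 DPT=123 LEN=56")
SEGFAULT_LOG = "Apr 11 01:02:03 my_host_name kernel: squid[2211]: Segmentation Fault"


if __name__ == "__main__":
    stock = [RULE_1002]
    with_override = [RULE_1002, OVERRIDE_IPTABLES]
    for name, rules in (("stock", stock), ("with override", with_override)):
        print(name, "iptables:", decision(IPTABLES_LOG, rules, 7),
              "segfault:", decision(SEGFAULT_LOG, rules, 7))
```

With the stock rule set the iptables line is emailed even though 2 is well below the threshold of 7; with the override it is ignored, while the constructed segfault line is still emailed because only the "iptables denied" messages are caught by the level-0 child. In a real deployment the override corresponds to a child rule of 1002 in local_rules.xml with <if_sid>1002</if_sid>, a <match> on the iptables text and level="0", followed by a restart of the OSSEC processes.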