Re: [ossec-list] CentOS 7

2015-09-17 Thread Jason 'XenoPhage' Frisvold

On 9/15/15 10:50 PM, Dillon Korman wrote:
> Hi,
> 
> Is the CentOS 7 version coming soon? I only see 5 and 6. Also, does
> the CentOS version work perfectly with RHEL?

Oh hell, I'll jump on the bandwagon too..  I have a repo here :

http://repo.godshell.com

Based on the atomic stuff, with some of their extras removed.

-- 
-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

“Space,” it says, “is big. Really big. You just won’t believe how
vastly, hugely, mindbogglingly big it is. I mean, you may think it’s
a long way down the road to the chemist’s, but that’s just peanuts to
space.”
- The Hitchhiker's Guide to the Galaxy



Re: [ossec-list] Regarding installation of OSSEC in Linux systems

2012-11-16 Thread Jason 'XenoPhage' Frisvold
On Nov 16, 2012, at 7:37 AM, Eero Volotinen  wrote:
> You can also use SELinux with ossec, but it requires some tuning..

Any idea if there's a how-to out there identifying how to do this?

> --
> Eero

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] OSSEC Symposium Summer 2012, July 12-13, Cupertino, CA

2012-06-05 Thread Jason 'XenoPhage' Frisvold
Not to be distrustful, but why would trend micro announce this and put the sign 
up page on a non-trend micro domain?  And announce via a gmail address?  I 
smell a scam...

- Friz

On Jun 5, 2012, at 6:48 PM, JB  wrote:

> Trend Micro has announced the first OSSEC Symposium to the open source 
> community. It's a two-day event to be held in Cupertino, California, USA on 
> July 12-13, 2012. The agenda include Trend Micro managers talking about the 
> future direction of OSSEC project, expert OSSEC developers presenting their 
> experience, and fellow OSSEC users sharing their success stories as well as 
> pain points. 
> 
> Your participation can influence the future of OSSEC. 
> Registration is free and lunch will be provided on both days. 
> See http://vichargrave.com/ossec-symposium/ for details. 
> 
> JB Cheng
> OSSEC Project Manager
> Cupertino, CA, USA


Re: [ossec-list] Web Server Trouble

2012-01-24 Thread Jason 'XenoPhage' Frisvold
On Jan 24, 2012, at 8:37 AM, Joe Gedeon wrote:
> You should look at your logs and see what is triggering the 400's and
> fix that issue if it is a server side issue.

Agreed.  Basically, the web browser is trying to obtain something from the 
server that's just not there.  Thus, 400 errors are triggered.  As a result, 
OSSEC sees a bunch of these fly by and considers it an attack.  It's far better 
to fix the underlying problem than to alter OSSEC to ignore such things.


-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
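The triage Joe and Jason recommend, as an added example (this is editor-written code, not anything from the thread or from OSSEC): the script aggregates 4xx responses per source address and per path from Apache access-log lines, so the resource behind a burst of 400-class errors can be identified and fixed rather than exempted in OSSEC. The log lines, the Moodle theme paths and the 198.51.100.9 scanner are constructed for the example; the threshold is a parameter because the real rule also bounds its count by a timeframe.

```python
"""Added example (not from the thread): find what is generating the 4xx
responses that OSSEC's web rules count as an attack, so the underlying
problem can be fixed instead of tuning the rule away."""
import re
from collections import Counter

# Constructed Apache combined-format lines; the paths are invented and only
# illustrate a page whose theme images are missing.
SAMPLE_LOG = """\
10.1.1.5 - - [23/Jan/2012:17:01:03 -0500] "GET /moodle/course/view.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:04 -0500] "GET /moodle/theme/standard/pix/i/navigationitem.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:04 -0500] "GET /moodle/theme/standard/pix/i/course.gif HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:04 -0500] "GET /moodle/theme/standard/pix/i/navigationitem.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:05 -0500] "GET /moodle/theme/standard/pix/i/navigationitem.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:05 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:06 -0500] "GET /moodle/theme/standard/pix/i/navigationitem.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.1.1.5 - - [23/Jan/2012:17:01:06 -0500] "GET /moodle/theme/standard/pix/i/course.gif HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jan/2012:17:02:10 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.9 - - [23/Jan/2012:17:02:10 -0500] "GET /pma/ HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.9 - - [23/Jan/2012:17:02:11 -0500] "GET /myadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_log(text):
    """Return one dict per parsable line; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def count_4xx_by_ip(entries):
    """OSSEC's 'Web server 400 error code' rule matches any 4xx status, so
    count every 4xx per source address."""
    return Counter(e["ip"] for e in entries if e["status"].startswith("4"))

def noisy_sources(entries, threshold):
    """Addresses that would cross a frequency threshold like the one behind
    'Multiple web server 400 error codes from same source ip' (the real
    rule also bounds this by a timeframe; assumption: one log window here)."""
    return sorted(ip for ip, n in count_4xx_by_ip(entries).items() if n >= threshold)

def top_errors(entries, ip, n=3):
    """Which (status, path) pairs dominate one source's 4xx responses: a
    handful of missing static files means a broken page, not an attacker."""
    c = Counter((e["status"], e["path"]) for e in entries
                if e["ip"] == ip and e["status"].startswith("4"))
    return c.most_common(n)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip in noisy_sources(entries, threshold=6):
        print(ip, top_errors(entries, ip))
```

Run against a real access_log, the output for a blocked user's address will typically be one or two paths repeated many times (a missing image or stylesheet referenced on every page), which is the server-side problem to fix; a scanner's address shows many distinct admin paths instead.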





Re: [ossec-list] Linux Management Server, Windows Agents, streamline config files from manager

2012-01-24 Thread Jason 'XenoPhage' Frisvold
On Jan 23, 2012, at 7:23 PM, BP9906 wrote:
> Word of advice too. When you make changes to the agent.conf on the
> ossec server, it takes a few minutes to copy down to the agents. Then
> you have to somehow remember to restart all the agents to re-read the
> newly copied agent.conf file. To restart all the agents, you can do
> something like this:
> 
> for i in `/var/ossec/bin/agent_control -l | grep "ID:" | awk '{print
> $2}' | sed 's/.$//'`; do /var/ossec/bin/agent_control -R $i; sleep 2;
> done

Or, if you're into a more automated method, you can do this :

http://blog.godshell.com/blog/archives/291-Helpful-Rules-For-OSSEC.html

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Web Server Trouble

2012-01-23 Thread Jason 'XenoPhage' Frisvold
On Jan 23, 2012, at 5:05 PM, Damien Hull wrote:
> I have ossec 2.6 running on Ubuntu 10.04 LTS. This is a web server
> running LAMP
> 
> There are several websites on this server. Every now and then OSSEC
> will block an IP address for accessing a website. This is not an
> attack of any kind. I've had it happen to me. I'll access a website on
> the server and bam, blocked.
> 
> I have it configured to unblock the IP after 10 minutes. I figured
> after 10 minutes a hacker will get tired and move on. I don't want
> this to happen with users of my server.
> 
> Is there a way to configure OSSEC so this doesn't happen? I've never
> taken the time to tweak OSSEC
> 
> NOTE
> The latest alert was for Moodle. I'm guessing a user clicked on
> something and OSSEC didn't like it...


It blocks for a reason.  If you can provide the alert it sent, that would go a 
long way to identifying what it's seeing as bad.  It's probably something 
simple.  I haven't had a chance to fully test Moodle as of yet, but I expect 
there will be a number of items that need to be handled in order to make it all 
run smoothly.  Incidentally, is this Moodle 1 or 2?

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law







Re: [ossec-list] how to clone

2012-01-18 Thread Jason 'XenoPhage' Frisvold
On Jan 18, 2012, at 8:34 AM, dan (ddp) wrote:
> In that case it's as simple as `hg clone 
> https://bitbucket.org/dcid/ossec-hids`

Right, right..  Mercurial clone..  I've got git on the brain these days..  :P

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] how to clone

2012-01-17 Thread Jason 'XenoPhage' Frisvold
On Jan 17, 2012, at 7:07 PM, dan (ddp) wrote:
> What?

It's an old post (January, 2011) from dcid..  I believe they're not 
understanding how to do a git clone.

I believe, however, that this code is in the latest release, so all you need to 
do is get the latest stable release from ossec.net and those features are in 
there.

> On Sun, Jan 15, 2012 at 1:16 PM, satyanarayan mahapatra
>  wrote:
>> Hi
>> 
>> as suggested -http://dcid.me/2011/01/automatically-creating-and-
>> setting-up-the-agent-keys/ hear i clicked on get source on my windows
>> machine after that don't know how to clone with ossec install on
>> Ubuntu
>> 
>> advance thanks for help

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law







Re: [ossec-list] 2.6 compile error on RHEL3u9

2012-01-11 Thread Jason 'XenoPhage' Frisvold
On Jan 11, 2012, at 3:34 PM, Swartz, Patrick H wrote:
>   Hi All,
>   I need to compile 2.6 on a RHEL3u9 server but it fails at the
> os_auth phase. The following Openssl packages are installed --
> openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and
> openssl-devel-0.9.7a-33.23
> We need the compile to be built with openssl.


RHEL 3.9?  That's a bit old at this point, no?  Redhat end-of-lifed that in 
October of 2010, which means you're not getting security updates anymore..  I'd 
recommend getting onto something newer ..

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law







[ossec-list] Whitelisting by server

2012-01-09 Thread Jason 'XenoPhage' Frisvold

white_list is a global option in ossec.conf .. But is there an easy
way to whitelist by server?  For instance, I want to whitelist some
web developer IPs on the web servers, but I don't want them
whitelisted on other servers such as database or storage servers.  I
don't see a very easy way to do this, though..

Thoughts?

-- 
-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC RPM

2012-01-06 Thread Jason 'XenoPhage' Frisvold
On Jan 6, 2012, at 1:13 AM, treydock wrote:
> I've created a fork of Jason's SRPM.  Mostly the changes involve
> adding ability to deploy with agent.conf usage and also refining it to
> be almost duplicate to the source install as far as permissions go.

Hrm..  I'm intrigued.  Are there problems with the permissions?

> I'll post here in next few days once it's finished.

Yes, PLEEZE!

> - Trey

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] OSSEC RPM

2012-01-06 Thread Jason 'XenoPhage' Frisvold
On Jan 6, 2012, at 9:22 AM, dan (ddp) wrote:
> Any idea if ossec-authd works with your rpm?


It's a standard compile, so it's there.  However, I haven't played with that 
yet.  Though I very much want to ..  I would LOVE to find a way to compress 
time so I can do all the things I need to do ..  :P

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] OSSEC RPM

2012-01-05 Thread Jason 'XenoPhage' Frisvold

On 01/05/2012 01:21 AM, Joe S wrote:
> That does help. I'm trying to do the same thing.

You can find the SRPM I created on my site :

http://godshell.com/software

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] rpm agent howto set it up to a remote ossec server

2011-11-25 Thread Jason 'XenoPhage' Frisvold
On Nov 17, 2011, at 3:47 PM, dan (ddp) wrote:
> On Tue, Nov 15, 2011 at 6:27 PM, thing  wrote:
>> Hi,
>> 
>> I just installed the agent and server via rpm to a RHEL6 setup,
>> however when I run the scripts in ~bin to configure the agent on the
>> remote RHEL box it does not ask me for the server IP.
>> 
> 
> We don't currently provide RPMs. Where did you get this one?


RPMs aren't really meant to be interactive, so this sort of thing is actually 
expected.  The RPM I built has just a generic config file used for all setups.

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] latest spec file - 2.6?

2011-10-14 Thread Jason 'XenoPhage' Frisvold
On Oct 14, 2011, at 11:25 AM, Kat wrote:
> Very glad I seemed to spark some interest in getting the SPEC files
> updated. It just makes for a much nicer/cleaner release for 2.6 since
> the SPEC is very old there and missing compiles of a lot of the newer
> features.

I'm open to suggestions on improvements.  What features are you referring to?

> Thanks to all and if I can help, just let me know.
> 
> -K

-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] latest spec file - 2.6?

2011-10-12 Thread Jason 'XenoPhage' Frisvold
On Oct 12, 2011, at 1:59 PM, dan (ddp) wrote:
> I'm the wrong Dan, but PLEASE do this. :)

Yup, meant the magical Mr. Cid.  :)

> I've tweaked the one in your srpm a bit, mostly to remove the patches.
> It seems to compile, but I haven't done any more testing than that.


Sure, I'd be happy to put something together..  Perhaps Trey and I should put 
our heads together..  Anyone else interested?

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Integrity check functionality

2011-10-12 Thread Jason 'XenoPhage' Frisvold
On Oct 12, 2011, at 1:58 PM, dan (ddp) wrote:
> The srpm is yours. I understand the patches are not. I'm pretty sure
> they were accurately labeled.


Cool.  Just want to make sure I'm not getting credit for something I didn't 
do..  :)

-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] latest spec file - 2.6?

2011-10-12 Thread Jason 'XenoPhage' Frisvold
On Oct 11, 2011, at 9:19 PM, treydock wrote:
> I have RPMs for CentOS 5 and 6 here, 
> http://itscblog.tamu.edu/ossec-2-6-rpms-for-centos/,
> as well as the SRPMs to customize with.  Jason's SRPM was what made
> mine possible, I only tweaked a few things.

Oh sure.. Like I don't have enough to do..  Now I need to go look and see what 
makes yours so cool..  ;)

Anything major in there?  Something I should add?  Or maybe we all get together 
and make "official" ones for OSSEC and get Dan's blessing?

> - Trey

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Integrity check functionality

2011-10-12 Thread Jason 'XenoPhage' Frisvold
On Oct 11, 2011, at 10:56 AM, dan (ddp) wrote:
> Please open an issue for this at 
> https://bitbucket.org/ddpbsd/ossec-hids-testing
> 
> I'm also looking at the patches you have in your rpm. I think some of
> them are already in my testing tree, but definitely not all.


They're not my patches..  Credit where credit is due.  I believe I put the 
author information in the notes..  And if I didn't, then I need to fix that..

-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Integrity check functionality

2011-10-11 Thread Jason 'XenoPhage' Frisvold
On Oct 11, 2011, at 9:25 AM, dan (ddp) wrote:
> It currently does not rotate ossec.log.


Well..  Then it's working as expected.  We should fix that, though..  :)

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Integrity check functionality

2011-10-10 Thread Jason 'XenoPhage' Frisvold
On Oct 3, 2011, at 10:47 AM, Daniel Cid wrote:
> Yes, you need monitord. It is the process that will rotate logs and do
> some internal maintenance tasks…

Should it be rotating ossec.log as well?

> It shouldn't use too much resources...

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] latest spec file - 2.6?

2011-10-10 Thread Jason 'XenoPhage' Frisvold
On Oct 3, 2011, at 9:35 AM, Kat wrote:
> Just curious if anyone has a current spec file for agent and server
> for 2.6? All the ones I am finding are very old. A lot of changes have
> occurred and i don't want to re-invent the wheel if someone else has
> already done the work.

You can find an SRPM on my site :

http://godshell.com/software

It includes a few patches, but starts with pristine source.  It should be easy 
enough to remove the patches if that's what you're after.  It's based on the 
AtomicTurtle spec.

> thanks
> ~k

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Third Annual Week of OSSEC

2011-09-28 Thread Jason 'XenoPhage' Frisvold
On Sep 28, 2011, at 9:01 PM, Michael Starks wrote:
> It's almost that time of year again. October is National Cybersecurity 
> Awareness Month. It's also the third year that we have the opportunity to 
> come together as a community to share some great OSSEC info. This year we 
> have designated Oct 23-29.

Phew..  plenty of time to craft some ideas for posts!

> So, start thinking about those blog posts, how-tos, patches, documentation 
> updates, new features and or any other OSSEC-fu you can contribute. Feel free 
> to get creative. Maybe the OSSEC logo could be morphed into something cool. 
> Everyone has a talent.
> 
> Sharing made OSSEC what it is today and I hope this can be the biggest year 
> yet!


Speaking of cyber security month..  Anyone headed to DerbyCon this weekend?

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] All Agents offline

2011-09-10 Thread Jason 'XenoPhage' Frisvold
On Sep 10, 2011, at 7:24 PM, dan (ddp) wrote:
> I have a bad python script (ossecctl) that does certain ossec related
> tasks. One of them checks on the status of ossec agents. In nrpe I
> have check_agents setup to run "ossecctl status agents" and if an
> agent is not connected it exits 1 (I think, it's a nagios warning) and
> lists the bad agents.
> I keep meaning to clean it up a bit to be a bit smarter (check a list
> to see if the agent is mobile and is allowed to be disconnected, alert
> at critical after X minutes, etc.). I just haven't gotten around to
> it.
> Another change I keep meaning to make is having it check the agent
> status directly instead of relying on ossec-control.


Any chance you'd share the script?  I've been meaning to learn Python..  :P

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
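A check of the kind dan describes, as an added example written for this page (it is not dan's ossecctl and not part of OSSEC): it parses the listing that agent_control -l prints, lets a set of mobile agents be offline without raising CRITICAL, treats "Never connected" as a warning, and also extracts the agent IDs that the grep/awk/sed loop quoted in the agent.conf thread feeds to agent_control -R. The sample listing is constructed and its exact column layout is an assumption; the live_listing() path is the default OSSEC install location.

```python
"""Added example, not dan's ossecctl: a Nagios-style check built on the
listing agent_control -l prints, plus the agent-ID extraction the restart
loop quoted earlier in the thread does with grep/awk/sed."""
import re
import subprocess

# Constructed listing in the layout agent_control -l prints (an assumption
# about the exact format; adjust LINE_RE if your version differs).
SAMPLE_LISTING = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.11, Active
   ID: 002, Name: db01, IP: 10.0.0.12, Disconnected
   ID: 003, Name: laptop-jf, IP: any, Disconnected
   ID: 004, Name: web02, IP: 10.0.0.13, Never connected
"""

LINE_RE = re.compile(r'^\s*ID: (\d+), Name: (.*?), IP: (\S+), (.+?)\s*$')
OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes

def parse_agents(listing):
    """One dict per agent line; the banner and blank lines do not match."""
    return [{"id": m.group(1), "name": m.group(2), "ip": m.group(3), "status": m.group(4)}
            for m in map(LINE_RE.match, listing.splitlines()) if m]

def check_agents(agents, allowed_offline=frozenset()):
    """Return (exit_code, message). Agents named in allowed_offline (laptops
    and other mobile hosts) may be Disconnected without raising CRITICAL;
    'Never connected' only warns, since it usually means enrolment is pending."""
    down = [a["name"] for a in agents
            if a["status"] == "Disconnected" and a["name"] not in allowed_offline]
    never = [a["name"] for a in agents if a["status"] == "Never connected"]
    if down:
        return CRITICAL, "CRITICAL: disconnected agents: " + ", ".join(down)
    if never:
        return WARNING, "WARNING: agents never connected: " + ", ".join(never)
    return OK, "OK: %d agents checked" % len(agents)

def restartable_ids(agents):
    """IDs to pass to agent_control -R after an agent.conf change: connected
    agents only; the manager's own entry reports Active/Local and is skipped."""
    return [a["id"] for a in agents if a["status"] == "Active"]

def live_listing(binary="/var/ossec/bin/agent_control"):
    """Run the real tool on a manager (not used by the offline sample)."""
    return subprocess.check_output([binary, "-l"]).decode()

if __name__ == "__main__":
    import sys
    code, msg = check_agents(parse_agents(live_listing()), allowed_offline={"laptop-jf"})
    print(msg)
    sys.exit(code)
```

Wired into NRPE as a command, the exit code drives the Nagios state and the message names the agents; the allowed_offline set is where the "mobile agent" list dan mentions belongs.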





Re: [ossec-list] All Agents offline

2011-09-10 Thread Jason 'XenoPhage' Frisvold
On Sep 8, 2011, at 2:29 PM, dan (ddp) wrote:
>> 1 - How to monitor this? I have raised the Agent offline alert to a
>> higher level, but I would like some automated monitoring of this
>> state.
> 
> I use nagios.


I'm interested in how you're doing this..  Can you explain further?

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law







Re: [ossec-list] Rule not firing properly?

2011-08-17 Thread Jason 'XenoPhage' Frisvold

On 08/16/2011 05:35 PM, dan (ddp) wrote:
> Are there any entries in the agent's active-responses.log (for any
> AR action, not just this one)? Is AR working? Is execd running?

Yes, the AR attempt for the invalid hostname is in there.  AR, in
general, is working.  Yes, execd is running.  This is the master server,
but also the server where these active responses should be firing.

-- 
-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Rule not firing properly?

2011-08-15 Thread Jason 'XenoPhage' Frisvold
Sorry, apparently the new GPGMail extension I have doesn't quite work right..  
Or I have a setting wrong..  Let's try this again without that enabled...

Hi all,

OSSEC 2.6 on a CentOS 5.6 system.

I was just nailed with an SSH brute force attack which apparently lasted a 
while.  I received a whole bunch of mails from OSSEC about it, yet it did 
nothing to stop it..  I understand why for some of the messages, but not 
others.

For instance, the following triggered an active response, as expected, but 
unfortunately, the attack wasn't stopped because the reverse address was 
invalid.

OSSEC HIDS Notification.
2011 Aug 15 20:53:06

Received From: myserver->/var/log/secure
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of 
reverse lookup errors)."
Portion of the log(s):

Aug 15 20:53:05 myserver sshd[23210]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:53:01 myserver sshd[23207]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:53:01 myserver sshd[23205]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:57 myserver sshd[23178]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:57 myserver sshd[23166]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:54 myserver sshd[23141]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!

--END OF NOTIFICATION


[me@myserver ~]$ host 122-146-120-139.static.sparqnet.net
Host 122-146-120-139.static.sparqnet.net not found: 3(NXDOMAIN)
[me@myserver ~]$ 


Sure, I get it.  Not sure how to prevent that one, though the forward 
address is easily handled by another alert, right?  Apparently not, though.  
Here's the alert that never triggered an active response :


OSSEC HIDS Notification.
2011 Aug 15 21:02:52

Received From: myserver->/var/log/secure
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period 
of time."
Portion of the log(s):

Aug 15 21:02:51 myserver sshd[29303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:51 myserver sshd[29302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:47 myserver sshd[29220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:47 myserver sshd[29219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:43 myserver sshd[29213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:43 myserver sshd[29212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:39 myserver sshd[29209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:39 myserver sshd[29208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139

--END OF NOTIFICATION


Nothing in the active response log.  Nothing in the ossec.log...  Here 
are the last two entries in the ossec.log :

2011/08/15 19:04:35 ossec-syscheckd: INFO: Ending syscheck scan.
2011/08/15 21:09:35 ossec-syscheckd: INFO: Starting syscheck scan.

And a grep of rule 5551 from the active-responses.log :

[root@myserver logs]# grep 5551 active-responses.log
[root@myserver logs]# 

So what gives?  My active response section in ossec.conf seems to be 
correct :

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>21600</timeout>
    <repeated_offenders>720,1440,10080</repeated_offenders>
  </active-response>

I'm at a loss..  Any thoughts?

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
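The gate an active response has to pass, run over the two alerts from this post as an added example (editor-written code, not OSSEC's analysisd or execd): the configured level, an optional rules_id list, and a source IP decoded from the log lines. The alert bodies are reconstructed from the post with two log lines each; the "rhost=" and "from" patterns are an assumption standing in for the stock sshd decoders. By this model the 5703 alert qualifies but yields no address for firewall-drop, while the 5551 alert yields 122.146.120.139 and should have produced a block; the thread does not say why it did not.

```python
"""Added example, not OSSEC's analysisd/execd code: apply the gate an
active response has to pass (rules_id, level, a decoded source IP) to the
two alerts from the post, to show which of them gives firewall-drop
something to block."""
import re

# Alert bodies reconstructed from the post (two log lines each is enough).
ALERT_5703 = """\
OSSEC HIDS Notification.
2011 Aug 15 20:53:06

Received From: myserver->/var/log/secure
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

Aug 15 20:53:05 myserver sshd[23210]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:53:01 myserver sshd[23207]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
"""

ALERT_5551 = """\
OSSEC HIDS Notification.
2011 Aug 15 21:02:52

Received From: myserver->/var/log/secure
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Aug 15 21:02:51 myserver sshd[29303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:51 myserver sshd[29302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
"""

# The <active-response> stanza from the post: no <rules_id>, so level alone gates it.
AR_CONFIG = {"command": "firewall-drop", "level": 6, "rules_id": None}

RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\)', re.M)
IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'
# Assumption: srcip is taken from "rhost=<ip>" or "from <ip>" in the sshd
# lines, as the stock sshd decoders do; a hostname-only line yields nothing.
SRCIP_RES = [re.compile(r'rhost=' + IPV4), re.compile(r'\bfrom ' + IPV4 + r'\b')]

def parse_alert(text):
    """Rule id, level and every source IP found in the quoted log lines."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("no 'Rule:' line in alert")
    srcips = {hit.group(1) for line in text.splitlines()
              for rx in SRCIP_RES for hit in [rx.search(line)] if hit}
    return {"rule_id": int(m.group(1)), "level": int(m.group(2)), "srcips": sorted(srcips)}

def evaluate_ar(alert, ar=AR_CONFIG):
    """Return (fires, reason). An alert that qualifies by level but carries
    no decodable source IP (the 5703 case, whose lines name only a hostname)
    gives firewall-drop no address to drop."""
    if ar["rules_id"] is not None and alert["rule_id"] not in ar["rules_id"]:
        return False, "rule %d not in rules_id" % alert["rule_id"]
    if alert["level"] < ar["level"]:
        return False, "level %d below AR level %d" % (alert["level"], ar["level"])
    if not alert["srcips"]:
        return False, "no srcip decoded; %s has nothing to block" % ar["command"]
    return True, "%s %s" % (ar["command"], ", ".join(alert["srcips"]))

if __name__ == "__main__":
    for text in (ALERT_5703, ALERT_5551):
        print(evaluate_ar(parse_alert(text)))
```

Feeding a real alert from alerts.log through parse_alert() is a quick way to check the first two conditions before digging into execd; if the model says "fires" and active-responses.log stays empty, the problem is downstream of the rule match.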







[ossec-list] Rule not firing properly?

2011-08-15 Thread Jason 'XenoPhage' Frisvold




Re: [ossec-list] Defcon 19

2011-08-06 Thread Jason 'XenoPhage' Frisvold

On Aug 5, 2011, at 7:42 PM, oscar schneider wrote:
> Hey,
> 
> anyone around here on DefCon and like to meet?

I wish...  I'll be at DerbyCon in the fall..  Anyone headed there?

> Cheers,
> 
> oscar

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Re: Monitoring logins via btmp and wtmp

2011-08-03 Thread Jason 'XenoPhage' Frisvold

On Aug 1, 2011, at 6:55 PM, Alisha Kloc wrote:
> Unfortunately, we can't make any changes to the HP-UX system, which
> means no cron jobs, no clearing logs, etc. All we're allowed to touch
> is OSSEC agent stuff. Within that, I have some flexibility if I use
> the process monitor to call a simple shell script, which allows
> consecutive commands like you suggested, but anything beyond that
> isn't allowed.
> 
> Sounds like this might not be possible...

What about tmp files?  Run last and spit it out to /tmp/lastlog or something..  
Then have ossec monitor that file.  Any changes should pop out with check_diff.

Or, if you can't do it locally on the hp-ux server, write a script on the ossec 
manager that logs into the hp-ux machine, runs last, and stores that locally on 
the ossec manager.  Then just monitor that log.

> -Alisha

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
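What happens once `last` output is written to a file that OSSEC watches with check_diff, as an added example (editor-written, not OSSEC's check_diff implementation): the first function is the comparison check_diff effectively makes, any difference at all, and the second reports only login sessions that were not in the previous capture. The two captures are constructed in the classic `last` column layout, which is an assumption for HP-UX; only the login timestamp pattern is relied on.

```python
"""Added example, not OSSEC's check_diff: compare two captures of `last`
output the way a check_diff command would, and then the stricter way that
reports only new login records."""
import hashlib
import re

# Constructed captures in the classic `last` layout (an assumption for HP-UX,
# whose columns may differ; only the login timestamp pattern is relied on).
BEFORE = """\
alisha   pts/0        10.20.30.40      Mon Aug  1 09:12 - 11:40  (02:28)
root     console                       Mon Aug  1 08:00   still logged in
"""
AFTER = """\
jfrisvol pts/1        10.20.30.55      Wed Aug  3 14:02   still logged in
alisha   pts/0        10.20.30.40      Mon Aug  1 09:12 - 11:40  (02:28)
root     console                       Mon Aug  1 08:00 - 13:30  (05:30)
"""

LOGIN_TS = re.compile(r'\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}')

def changed(before, after):
    """What check_diff reacts to: any byte of the stored output differing.
    A logout completing a session already seen is enough to trigger it."""
    h = lambda s: hashlib.sha1(s.encode()).hexdigest()
    return h(before) != h(after)

def session_key(line):
    """(user, tty, host, login time); the logout and duration columns are
    dropped so a session is identified by when it began."""
    m = LOGIN_TS.search(line)
    if not m:
        return None
    head = line[:m.start()].split()
    if len(head) < 2:
        return None
    return (head[0], head[1], head[2] if len(head) > 2 else "", m.group(0))

def new_sessions(before, after):
    """Sessions present in `after` that were not in `before`."""
    seen = {k for k in map(session_key, before.splitlines()) if k}
    return [k for k in map(session_key, after.splitlines()) if k and k not in seen]

if __name__ == "__main__":
    print(changed(BEFORE, AFTER), new_sessions(BEFORE, AFTER))
```

The caveat this shows: with plain check_diff, root's logout at 13:30 alone would raise an alert even though nobody new logged in, so the script that writes the file (or the script on the manager that fetches the output over ssh) does well to write the session keys rather than the raw `last` text.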


Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Jason 'XenoPhage' Frisvold

On Aug 3, 2011, at 10:41 AM, Chris Phillips wrote:
> Many Thanks Daniel,
> 
> That is just what I needed to hear/read!
> 
> I can see that we do have prelinking turned ON, but not sure it's a "choice" 
> rather than an OS default, so we may end up switching it OFF as I doubt we 
> see any benefits from it.

Prelinking seems to benefit desktop situations more than server situations, 
provided the server is mostly static with respect to the daemons running.  So 
turning it off on a server could result in a few milliseconds of delay on a 
reboot or restart of a service, but overall likely won't cause any issues 
during normal operation.

> Cheers,
> --
> ChrisP
> 
> Chris Phillips
> Service Designer, intY Ltd.
> +44 (0)1454 640 532
> 
> 
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
> Behalf Of Daniel Cid
> Sent: 03 August 2011 13:57
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Several hundred alerts for "Integrity checksum 
> changed"
> 
> Probably because of prelinking... More details here:
> 
> http://www.ossec.net/wiki/Know_How:Check_Sums
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> On Wed, Aug 3, 2011 at 9:11 AM, Chris Phillips  
> wrote:
>> Hi All,
>> 
>> Recently, I received about 400+ "Alert Level 7" notifications, for a single 
>> server, all related to "Integrity checksum changed" events.
>> 
>> I am really worried about this, but I can see no reason why it has happened.
>> 
>> The situation has not re-occurred and has not happened on any of the other 
>> servers we have OSSEC installed on.
>> 
>> Can anyone please explain what could cause this?  I am hoping it's some sort 
>> of obscure but OK OSSEC anomaly!
>> 
>> Cheers,
>> --
>> ChrisP (slightly panicky)
>> 
>> 
>> -Original Message-
>> From: OSSEC HIDS
>> Sent: 28 July 2011 08:46
>> To: Chris Phillips
>> Subject: OSSEC Notification (myserver) - Alert level 7
>> 
>> OSSEC HIDS Notification.
>> 2011 Jul 28 08:46:23
>> 
>> Received From: (myserver) >syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>> 
>> Integrity checksum changed for: '/sbin/debugfs'
>> Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
>> New md5sum is : 'c4c01019d7806734e857996adc63cf17'
>> Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
>> New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
>> 
>> --END OF NOTIFICATION
>> 
> 

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC v2.6 released

2011-07-19 Thread Jason 'XenoPhage' Frisvold

On Jul 19, 2011, at 3:31 PM, Daniel Cid wrote:
> Hi lists,
> 
> We are very happy to announce the availability of OSSEC version 2.6.
> 
> This has been a long release cycle, but it is here now with some good
> new features and very stable (thanks to our beta users).
> Our manual for the new version is also live at http://www.ossec.net/doc/ .
> 
> Release notes + new features + contributor list:
> http://www.ossec.net/main/ossec-v2-6-released
> 
> You can download the new version from: http://www.ossec.net/main/downloads/

Congrats all!  I'll have an RPM up shortly for this new release..  :)

> *The GPG key was changed as well. So make sure to download the new one
> before verifying the package.
> 
> 
> Thanks!
> Daniel B. Cid (in name of the OSSEC + Trend team)
> d...@ossec.net

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Re: Alert level "0" in rule and frequency

2011-07-07 Thread Jason 'XenoPhage' Frisvold

On 07/06/2011 08:15 PM, jplee3 wrote:
> One other question I have regarding frequency rules and hierarchy. We
> currently have two frequency rules setup to trigger against a parent
> rule where the difference is the frequencies - one is set to trigger
> when it sees the parent rule triggered 6 or more times in a minute.
> The other is set to trigger when it sees the parent rule triggered 12
> or more times in 5 minutes. The problem is that the 12x in 5min rule
> never triggers. It seems that the 6x per minute rule supersedes it
> always. Is there a way to get the second "upper" threshold rule to
> trigger as well?
> 
> I thought I read somewhere about something like this being
> implemented... like chaining frequency rules. Unfortunately, I don't
> recall where exactly I saw this. Maybe someone can refresh my memory
> and point me in the right direction?

Might this work similar to how the active responses work?  i.e., put the
higher trigger before the lower one.  So if the 6x trigger is rule 10005
and the 12x is 10015, then flip the sids putting the 12x first.

> TIA!

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Enhanced OSSEC: Agent Config Profiles now supports inheritance/merging

2011-07-07 Thread Jason 'XenoPhage' Frisvold

On 06/17/2011 12:16 PM, Christopher Moraes wrote:
> Hi everyone,
> 
> Continuing with my enhancements to support agent configuration profiles
> (see thread
> : 
> http://groups.google.com/group/ossec-list/browse_thread/thread/28a76c8180e28a4b),
> I have added the feature that Jason Frisvold suggested i.e. combining of
> profiles.

I've rolled Chris' patches in with the latest version of 2.6 from Daniel
and released an SRPM.  You can find it here (along with some other
software as well) :

https://www.godshell.com/software

Please let me know if you encounter any problems with the site or the RPMS.

Thanks!

-- 
-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Re: Any way to disable the netstat components of syscheckd/rootcheck?

2011-07-01 Thread Jason 'XenoPhage' Frisvold

On 06/20/2011 04:05 PM, Christopher Moraes wrote:
> Hi,
> 
> On Tue, May 17, 2011 at 4:36 PM, Daniel Cid <daniel@gmail.com> wrote:
> 
> Btw, anyone interested in doing a config check for each of those
> functions? So we can disable/enable them via ossec.conf? Good way
> to get started coding on ossec :)
> 
> 
> I made the changes to ossec code to make these checks configurable via
> ossec.conf.   The relevant changeset in my repo is 
> https://bitbucket.org/cmoraes/ossec/changeset/46f14c668cfa

Is there a magic button or CLI command I can run to get HG to spit out a
diff file?  I'm building RPMs of the beta and I'd like to add this in as
a patch to the core ...

Same goes for the agent config profiles ...

Thanks !

> HTH,
> Chris


-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] if_sid vs if_matched_sid

2011-06-28 Thread Jason 'XenoPhage' Frisvold

On 06/27/2011 05:09 PM, dan (ddp) wrote:
>> Wikis suck. The current documentation can be found at
>> https://bitbucket.org/ddpbsd/ossec-rules
>> It's done in sphinx (with help from paver). Someone else started it,
>> and I don't have a good grasp on how to do anything fancy with it. But
>> I can definitely update the above.
>> Feel free to fork it, modify it, etc. And/or create issues on bitbucket for 
>> me.

I should be savvy enough to figure this out..  :P  hginit.com here I come!

>> dan

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


[ossec-list] if_sid vs if_matched_sid

2011-06-27 Thread Jason 'XenoPhage' Frisvold

Hi all,

I'd like to see the online docs updated to make this more clear.  Can
someone please verify my understanding (original from
http://www.ossec.net/doc/syntax/head_rules.html#options) :

group.rule.if_sid
Matches if the ID has matched once.
Allowed: Any rule id

group.rule.if_matched_sid
Matches if the ID has matched multiple times.  Used for composite rules.
Allowed: Any rule id

If this is correct, who do I need to contact to get the online docs
updated?  Or maybe the online docs should all be moved to the wiki so
the community can update it?

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Re: active-response question on the ossec server Options

2011-06-20 Thread Jason 'XenoPhage' Frisvold

On Jun 19, 2011, at 6:09 PM, pierz wrote:
> Yes exactly, regarding the manual, this is the purpose of the
> all statement.
> 
> But agents doesn't block IP if the attack occur on the server.

That seems to be correct.  I haven't tried this myself as of yet.  Too 
chicken..  :P

Do you have any other active response blocks in your config, or just the one 
with location all ?

Are you verifying the lack of block via logs, or by checking iptables directly?

-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Re: shared config being distributed to ALL hosts

2011-06-15 Thread Jason 'XenoPhage' Frisvold

On 06/14/2011 10:54 PM, GeorgeY wrote:
> Thanks Dan and Christopher. Most helpful.
> Now to my next question ;), after any changes to agent.conf, the
> automatic "pushing" of the updated agent.conf file is working as
> expected. This is great. However, is the configuration applied
> immediately or it requires a manual restart of the Ossec HIDS service
> on the Windows machines? i tried the agent_control -R  option but

Unfortunately, this is currently an issue with OSSEC.  Of course, you
can also argue that not automatically restarting the agents on a new
config push is a feature..  But regardless, if it's something you're
looking to do, then you may be in luck.

Note : This works for Linux and requires some changes to make it work in
Windows.  I'm not in a Windows environment, so I'm not sure what the
exact changes are.  I can give some hints, though.  :)

The short version is this.  Add the following to your local_rules.xml
file (using an appropriately unique rule id)

   <rule id="15" level="12">  <!-- use an unused local rule id; the rules_id in the active-response block must match it -->
     <if_group>syscheck</if_group>
     <description>agent.conf changed, restarting OSSEC</description>
     <match>/var/ossec/etc/shared/agent.conf</match>
   </rule>

What this will do is use syscheck (which you should have configured to
monitor the ossec directory) to watch the agent.conf file (you'll need
to update the location of that file for windows).  If it changes, it
triggers a level 12 alert.  Next, add the following to your ossec.conf
file on the server (above all other active response sections) :

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>15</rules_id>
  </active-response>

This looks specifically for rule 15 (or whatever rule ID you're
using) and if it fires, launches the restart-ossec command on the
machine that triggered the alert.  You'll need to write a restart-ossec
program for windows, but I imagine you can use powershell or something
like that to make it work.  A restart on the ossec service should do it.

That should get you on the right road.  If you would, please post any
modifications you make back to the list so others can benefit.  I'm
interested in what the restart-ossec.cmd program for windows might look
like.

Enjoy.

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
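
The restart-ossec.sh executable that the command block above points at is not shown in the thread. As an added example (not the poster's script), here is a minimal POSIX version that follows the calling convention OSSEC uses for active-response scripts (action, user, source IP, alert id, rule id) and the one-line log format of the stock scripts; the install directory, ossec-control path and active-response.log location are assumed defaults and can be overridden through the environment.

```shell
#!/bin/sh
# restart-ossec.sh: active-response script that restarts OSSEC when the
# agent.conf syscheck rule fires.  Added example, not from the original thread.
#
# ossec-execd invokes active-response scripts as:
#   <script> <action> <user> <srcip> <alertid> <ruleid>
# "add" means the rule fired; "delete" is the timeout expiry, which has
# nothing to undo for a restart, so it only gets logged.

# Assumed default locations; override via the environment (e.g. for testing).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
OSSEC_CONTROL="${OSSEC_CONTROL:-$OSSEC_DIR/bin/ossec-control}"
AR_LOG="${AR_LOG:-$OSSEC_DIR/logs/active-response.log}"

# Append one line in the same shape the stock scripts write:
#   <date> <script path> <action> <user> <srcip> <alertid> <ruleid>
# $0 is the full script path because ossec-execd calls it by absolute path.
ar_log() {
    echo "$(date) $0 $*" >> "$AR_LOG"
}

# Returns 0 on a completed restart or a logged no-op, 2 on an unknown action,
# and ossec-control's own exit status if the restart itself fails.
restart_ossec() {
    action="$1"; user="$2"; srcip="$3"; alertid="$4"; ruleid="$5"
    ar_log "$action" "$user" "$srcip" "$alertid" "$ruleid"
    case "$action" in
        add)
            "$OSSEC_CONTROL" restart
            ;;
        delete)
            return 0
            ;;
        *)
            echo "restart-ossec: unknown action '$action'" >&2
            return 2
            ;;
    esac
}

# Run only when invoked as the script itself, not when the functions are sourced.
case "$0" in
    */restart-ossec.sh|restart-ossec.sh) restart_ossec "$@" ;;
esac
```

On a Windows agent the same structure applies with a restart of the OssecSvc service in place of ossec-control, as the thread asks about.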


Re: [ossec-list] Enhanced OSSEC to support agent profile configurations

2011-06-15 Thread Jason 'XenoPhage' Frisvold

On 06/15/2011 08:42 AM, Daniel Cid wrote:
> Not on 2.6, since it has been frozen for the beta already, but
> certainly on 2.7 :)

Then the logical question is..  When's 2.7 getting released?  ;)

> And yes, keep the patches coming.

I'm going to need to learn how to use git so I can start contributing
rules..  :)

> Thanks!

-- 
-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Re: Web Interface parsing with beta 2.6

2011-06-10 Thread Jason 'XenoPhage' Frisvold

On Jun 10, 2011, at 2:30 PM, dan (ddp) wrote:
> I'm starting to play with logstash. Before that I played a bit with splunk.
> I mostly use email though.


Hrm..  logstash looks interesting.  I'll have to check it out.. In my spare 
time, of course.. *sigh*

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Anti-DDoS Rule

2011-06-10 Thread Jason 'XenoPhage' Frisvold

On Jun 10, 2011, at 2:49 PM, Jeremy Lee wrote:
> Ahhh I think I see now :)
> 
> But wouldn't he want a catch-all of *everything*  that passes through. 31100 
> and 31108 seem to be 'watershed' where alerts will go either way but not both.

Yeah, I'm interested in catching everything, so I was hoping 31100 would be the 
way to go .. 

> You can't do something like this either can you? 31100, 
> 31108 (I vaguely recall asking this and getting a response 
> of "no")

Nope, tried that.  ossec balks ..  *sigh*

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Anti-DDoS Rule

2011-06-10 Thread Jason 'XenoPhage' Frisvold

On 06/08/2011 02:38 PM, Jason 'XenoPhage' Frisvold wrote:
> Hi all,
> 
>   I'm trying to put together a rudimentary anti-DDoS rule in OSSEC and I
> could use a hand ..  Basically, I'm looking to block anyone who
> excessively hits a web server.  This is what I have thus far :
> 
> 
>31100
>
>Excessive access, Temporary block
> 
> 
> This seems to be correct, but I can't get it to trigger with
> ossec-logtest ..  Any tips?

Am I approaching this the wrong way?  Anyone have suggestions on how to
handle this?

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Enhanced OSSEC to support agent profile configurations

2011-06-10 Thread Jason 'XenoPhage' Frisvold

On 06/10/2011 10:02 AM, Christopher Moraes wrote:
> Could you explain this a little more? 
> 
> Did you mean that agent.conf should support multiple profiles?  If yes,
> then, that is supported.  Inside the managers agent.conf, you can have
> multiple  blocks, each with a different profile name. 
> 
> Or did you mean inheritance of profiles.  E.g. "Linux-DBServer" inherits
> the base "Linux" profile

The latter.  So, on any given machine I can do something like this :


  
10.200.36.157
LinuxOracleDBServer,LinuxWebServer
  


Or


  
10.200.36.157
LinuxOracleDBServer
LinuxWebServer
  



Note : I'm thinking out loud here..  I like being able to use merging to
create profiles for disparate parts and combine them together as needed.


-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Re: OSSEC 2.6 beta-1 available

2011-06-09 Thread Jason 'XenoPhage' Frisvold

On 06/08/2011 10:04 PM, treydock wrote:
> Jason I'd be very interested in a SRPM for this release.  I've
> attempted to modify the spec file found in the SRPM from atomic, but
> with limited experience writing spec files it's slow.

I aim to please.

http://www.godshell.com/software

This was initially built by modifying the atomic RPM.  I haven't kept up
with what changes I've made since then, though.

As always, at your own risk.

> Thanks
> - Trey

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] Active Responses triggered but no events logged

2011-06-09 Thread Jason 'XenoPhage' Frisvold

On 06/09/2011 12:54 AM, treydock wrote:
> Looking at Rule #5706 this is Level 6 so it correctly triggered an
> active response.  However I'm concerned as to why OSSEC didn't log an
> alert or anything besides the active-response.

What more are you expecting?  It logged the active response that was
triggered..  ?

> Thanks
> - Trey


-- 
-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


[ossec-list] Anti-DDoS Rule

2011-06-08 Thread Jason 'XenoPhage' Frisvold

Hi all,

I'm trying to put together a rudimentary anti-DDoS rule in OSSEC and I
could use a hand ..  Basically, I'm looking to block anyone who
excessively hits a web server.  This is what I have thus far :


   31100
   
   Excessive access, Temporary block


This seems to be correct, but I can't get it to trigger with
ossec-logtest ..  Any tips?

Thanks,

-- 
-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC 2.6 beta-1 available

2011-06-07 Thread Jason 'XenoPhage' Frisvold

On Jun 7, 2011, at 12:26 PM, Daniel Cid wrote:
> Hi list,
> 
> The beta version of OSSEC 2.6 is available and waiting for testers :)
> More information (including new features,
> download link, etc) here:
> 
> http://dcid.me/2011/06/ossec-2-6-beta-1-available/
> 
> Please help out if you can.

I've wrapped this all up in a nice SRPM that I can make available if anyone is 
interested.

Daniel,

After installing and restarting, I'm seeing this :

Killing ossec-monitord .. 
Killing ossec-logcollector .. 
Killing ossec-remoted .. 
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
Killing ossec-maild .. 
Killing ossec-execd .. 
OSSEC HIDS v2.6 Stopped
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
127
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

What's the 127 mean?  Leftover debug?


> Thanks,

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Installation and use without root access?

2011-04-16 Thread Jason 'XenoPhage' Frisvold
On Apr 14, 2011, at 1:15 PM, sempai wrote:
> Hello,
> 
> I'm in a position where it would be advantageous to run ossec-hids as
> a server by an unprivileged user.
> 
> Has anyone already gone down this road before and written
> documentation or shared their installation details?

Wouldn't running as an unprivileged user significantly reduce the functionality?

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] OSSEC server won't bind to 1514/UDP...

2011-03-24 Thread Jason 'XenoPhage' Frisvold

On 03/23/2011 10:54 AM, Eric Hansen wrote:
> Yeaup; 770 with root:ossec, and I used install.sh to install OSSEC.  I
> know I also can't install Safe Squid either on Arch Linux (it won't
> generate a full serial key), so I'm wondering if it just might be a lost
> cause.  I can continue looking into it as well, but I'm not sure what
> else to do.

I may have to install arch just to figure this out...  I wish I had an
answer for you.  Anyone else running Arch?

> When your work speaks for itself, don’t interrupt.
> – Henry J. Kaiser
> 
> 
> On Wed, Mar 23, 2011 at 9:25 AM, Jason 'XenoPhage' Frisvold
> <xenoph...@godshell.com> wrote:
> 
> On 03/22/2011 11:10 PM, Eric Hansen wrote:
>> Lol, the only thing I'm beginning to wonder is that Arch Linux,
> for one
>> reason or another, isn't liking OSSEC.  Correct, the server cannot
> bind
>> to 1514/UDP (the agent has the port open just fine trying to
> connect to
>> the server).  My OSSEC is installed in /var/ossec, the default path.
>>  The shared is located in /var/ossec/etc/shared, and it's
> ossec:ossec w/
>> permission 770.
> 
> And the files within the shared directory are root:ossec with 770
> permissions?
> 
> I'm not sure why Arch wouldn't like OSSEC..  I know arch has some
> peculiar (at least to me) ways of doing things, but I thought that was
> just my own unfamiliarity with the system.  You used install.sh to set
> up the server, yes?
> 

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC server won't bind to 1514/UDP...

2011-03-23 Thread Jason 'XenoPhage' Frisvold

On 03/22/2011 11:10 PM, Eric Hansen wrote:
> Lol, the only thing I'm beginning to wonder is that Arch Linux, for one
> reason or another, isn't liking OSSEC.  Correct, the server cannot bind
> to 1514/UDP (the agent has the port open just fine trying to connect to
> the server).  My OSSEC is installed in /var/ossec, the default path.
>  The shared is located in /var/ossec/etc/shared, and it's ossec:ossec w/
> permission 770.

And the files within the shared directory are root:ossec with 770
permissions?

I'm not sure why Arch wouldn't like OSSEC..  I know arch has some
peculiar (at least to me) ways of doing things, but I thought that was
just my own unfamiliarity with the system.  You used install.sh to set
up the server, yes?

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC server won't bind to 1514/UDP...

2011-03-22 Thread Jason 'XenoPhage' Frisvold

On 03/21/2011 05:29 PM, Eric Hansen wrote:
> Nah, I'm using Arch Linux which doesn't include anything beyond the
> core files needed for Bash and Linux, and I really dislike (to put it
> nicely) SELinux.

You know, if you want help, you're really going to have to have one of
the problems I'm describing so we can fix it..  ;)

Ok..  Let me re-iterate so I understand the problem..  Your server (not
agent) won't bind to port 1514/UDP.  Is that correct?

The error you see in the logs : "ERROR: Unable to create merged file:
'/etc/shared/merged.mg'." is on the server, correct?  What are the
permissions on the /etc/shared ... wait..  /etc/shared?  Did you
relocate the ossec install?  That should be /var/ossec/etc/shared ...
Where is OSSEC installed?

What are the permissions on the shared directory (wherever it is) ?  It
appears that remoted isn't running, perhaps because of directory
permissions problems.  On my install, the shared directory is owned by
ossec.ossec and has permissions of 770 .

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC server won't bind to 1514/UDP...

2011-03-21 Thread Jason 'XenoPhage' Frisvold

On 03/18/2011 11:43 PM, Eric Hansen wrote:
> That I did.

Are you running selinux, perchance?

> When your work speaks for itself, don’t interrupt.
> – Henry J. Kaiser


-- 
-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] ossec-logtest error

2011-03-21 Thread Jason 'XenoPhage' Frisvold

On 03/21/2011 07:19 AM, Branimir Pačar wrote:
> Hi all,
> 
> 2011/03/21 12:03:36 ossec-analysisd(1226): ERROR: Error reading XML file
> 'etc/decoder.xml': XML ERR: Element not closed: ; (line 1635).

What's on line 1635?

> When I look in decoder.xml there is nothing ?suspicious? in line 1635.
> only similiar thing close to that is trend-osce decoder

That decoder matches what I have ...

> After I've commented entire decoder, ossec-logtest passes this phase but
> next thing is that it shows following error:

Odd..  What you pasted in matches, character for character, what I have
in my decoder.

> 2011/03/21 12:10:40 ossec-analysisd: Invalid option 'compiled_rule' for
> rule '31108'.
> 
> 2011/03/21 12:10:40 ossec-testrule(1220): ERROR: Error loading the
> rules: 'web_rules.xml'.
> 
> Can anyone suggest me what to do so i could use ossec-logtest?

It sounds like something didn't compile right..  You shouldn't be
getting errors like this.  Unfortunately, I haven't used AIX in forever,
so I'm not 100% sure what would be different here that would cause this.
 Have you tried a different server and/or reinstalling?

> Regards,
> Branimir


-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [ossec-list] OSSEC server won't bind to 1514/UDP...

2011-03-18 Thread Jason 'XenoPhage' Frisvold
On Mar 18, 2011, at 10:20 AM, Eric Hansen wrote:
> 
> First, I'd like to say that I've been doing a lot of Goggling around and 
> tried a lot of things to no avail.

Did you register the client on the server using manage_agents?  And did you 
then copy the key to the client and install it using manage_agent?


-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law






Re: [ossec-list] 404 Not Found

2011-03-15 Thread Jason 'XenoPhage' Frisvold
On Mar 15, 2011, at 10:18 AM, Gurtaj Singh wrote:
> Yea Jason thats exactly what i heard about the wui.(its unsupported and
> stuff)
> Thanks for letting me know about splunk, I'll try it out.
> :)


They just released version 4.2 today apparently..  I've been playing around 
with it for a bit and it looks pretty nice.  The ossec plugin was already 
updated for it.

-----------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Re: Deletion of log data

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 7, 2011, at 2:31 PM, Nate Woodward wrote:
> I'll give this a try, but assuming the rule does work (it's one of the 
> rules that ships with OSSEC, after all), how do I make sure log 
> tampering will be detected no matter what? The OSSEC book says the time 
> between syschecks has a minimum frequency of an hour, and I can't 
> exactly ask crackers to only tamper with my logs X minutes after the top 
> of the hour.


I don't believe these are syscheck rules, but are, instead, rules for the 
ossec.log file.  They reference rule 500 which is a log message decoded as 
ossec.  syscheck rules specifically reference syscheck in the rules themselves.

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] 404 Not Found

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 7, 2011, at 3:15 PM, Gurtaj Singh wrote:
> and as to why i want to use it --REASON is my employer wants a GUI :(

Can I recommend looking at Splunk?  The free version of splunk is generally 
more than enough to handle a fairly high number of OSSEC agents.  The OSSEC-wui 
doesn't seem to be well supported or updated at this point.  Splunk with the 
free OSSEC splunk plugin works wonderfully.

I wonder if it's worth removing the wui altogether from the OSSEC site or at 
least marking it as unsupported.

-------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] Maybe a false positive with rule 510

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 4, 2011, at 2:30 PM, dan (ddp) wrote:
> I haven't done much research into this, but my guess would be that
> this is a false positive.
> /dev/shm seems to be some strange shared memory access.
> lsof is claiming that those files are deleted (type = DEL).
> 
> My best guess would be that this is some kind of strange interaction
> between /dev/shm, the clustering stuff, and OSSEC's checks. I'd hit up
> support at redhat to see if they have any thoughts on the matter.


This happens when a file is deleted underneath an OSSEC rootkit scan.  I've 
seen it a few times and every time it happens it's the same explanation.

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [ossec-list] How to check active response has been activated ornot ??

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 3, 2011, at 9:37 PM, dan (ddp) wrote:
> Hi Tanishk,
> I don't mean to setup syscheck to watch it, I mean to use it as a
> localfile source:
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/ossec/logs/active-response.log</location>
> </localfile>
> 
> You'll have to write a rule for it, but that shouldn't be too hard.

Allow me to assist.  I don't believe I'm the original author of this, but it 
works..  :)

First, the decoder (put this in /var/ossec/etc/local_decoder.xml)

<decoder name="ar_log">
  <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun</prematch>
  <regex>\S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+.\d+) \d+</regex>
  <order>action, status, srcip, id</order>
</decoder>



And now the rules (I don't follow the recommended rule numbering, I have my own 
scheme.  Adjust accordingly)

<!-- placeholders: the group name, rule ids and levels did not survive the archive;
     pick them to fit your own numbering scheme -->
<group name="GROUP_NAME">

  <rule id="RULE_ID_1" level="LEVEL">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Active response firewall-drop.sh was run, host blocked</description>
  </rule>

  <rule id="RULE_ID_2" level="LEVEL">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Active response firewall-drop.sh was run, host unblocked</description>
  </rule>

  <rule id="RULE_ID_3" level="LEVEL">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Active response host-deny.sh was run, host added to hosts.deny</description>
  </rule>

  <rule id="RULE_ID_4" level="LEVEL">
    <decoded_as>ar_log</decoded_as>
    <group>active_response_notification</group>
    <action>host-deny.sh</action>
    <status>delete</status>
    <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
  </rule>

</group>




> On Thu, Mar 3, 2011 at 9:33 PM, Tanishk Lakhaani  
> wrote:
>> Hi dan,
>> Configuring ossec to watch the active response.log file will fire an alert 
>> w.r.t. Integrity Checksum Changed Event w.r.t. active response.log file. But 
>> what I am looking forward to is that I get the actual active response log on 
>> my email, (email alerting is configured).
>> 
>> 
>> Regards
>> Tanishk Lakhaani
>> Sent from BlackBerry® on Airtel
>> 
>> -Original Message-
>> From: "dan (ddp)" 
>> Sender: ossec-list@googlegroups.com
>> Date: Wed, 2 Mar 2011 15:38:36
>> To: 
>> Reply-To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] How to check active response has been activated or
>>  not ??
>> 
>> Check the active-response.log file (on the system that runs the active
>> response).
>> You can configure OSSEC to watch the active-response.log file and fire
>> off an email/alert when a new entry is added. It's simple to do, and
>> helps solve the notification problem.
>> 
>> On Wed, Mar 2, 2011 at 2:18 PM, Tanishk Lakhaani  
>> wrote:
>> 



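To sanity-check the decoder and rules above before loading them, here is an added Python re-implementation of the ar_log decoder and the four rules (my own example, not code from the post or from OSSEC). It runs over constructed active-response.log lines laid out the way the decoder's regex expects and reports which rule description would fire for each; the OSSEC regex is translated to Python re syntax, and the field names come from the decoder's order line.

```python
import re

# Added example: Python translation of the ar_log decoder and the four rules
# posted above, applied to constructed active-response.log lines.

# <prematch>: the line must start with a day name.
PREMATCH = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)")

# <regex>: OSSEC searches for this anywhere in the line, so the "Thu " prefix
# is skipped and the first \S+ lands on the month. The post writes the
# timestamp as "\d+.\d+" (an unescaped "." matches any character in OSSEC
# regex); "\." here is the stricter form and matches the same timestamps.
AR_REGEX = re.compile(
    r"\S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ "
    r"/var/ossec/active-response/bin/(\S+) (\S+) - (\S+) (\d+\.\d+) \d+"
)

# <order>: names for the four capture groups, in order. Note that "action"
# is the script name and "status" is add/delete, as in the post.
ORDER = ("action", "status", "srcip", "id")

# The four rules, keyed by (action, status). Rule ids are omitted because
# the post uses its own numbering scheme.
RULES = {
    ("firewall-drop.sh", "add"):
        "Active response firewall-drop.sh was run, host blocked",
    ("firewall-drop.sh", "delete"):
        "Active response firewall-drop.sh was run, host unblocked",
    ("host-deny.sh", "add"):
        "Active response host-deny.sh was run, host added to hosts.deny",
    ("host-deny.sh", "delete"):
        "Active response host-deny.sh was run, host removed from hosts.deny",
}


def decode(line):
    """Return the decoded fields as a dict, or None if the decoder does not match."""
    if not PREMATCH.search(line):
        return None
    m = AR_REGEX.search(line)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def match_rule(fields):
    """Return the description of the rule that fires for these fields, or None."""
    return RULES.get((fields["action"], fields["status"]))


def process(lines):
    """Run decoder and rules over log lines; return (srcip, description) per alert."""
    alerts = []
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue  # not an active-response line (prematch or regex failed)
        desc = match_rule(fields)
        if desc is not None:
            alerts.append((fields["srcip"], desc))
    return alerts


# Constructed sample log (not real data): two firewall-drop events for the
# same host, one host-deny event, one script the rules do not cover, and a
# line from another OSSEC log that must not decode at all.
SAMPLE_LOG = [
    "Thu Mar  3 09:30:38 EST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1299162638.12345 31104",
    "Thu Mar  3 09:40:38 EST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1299162638.12345 31104",
    "Thu Mar  3 09:41:02 EST 2011 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1299163262.67890 5712",
    "Thu Mar  3 09:41:02 EST 2011 /var/ossec/active-response/bin/restart-ossec.sh add - - 1299163262.11111 0",
    "2011/03/03 09:41:03 ossec-execd: INFO: Started (pid: 1234).",
]

if __name__ == "__main__":
    for srcip, desc in process(SAMPLE_LOG):
        print(f"{srcip:15} {desc}")
```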





Re: [ossec-list] ossec centralized configuration

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 3, 2011, at 12:30 PM, satish patel wrote:
> Looks like my management server pushed agent.conf to the client; after
> restarting the agent I got the following error, "No file configured to monitor".  I
> did specify each and every log file in agent.conf
> 
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> Started ossec-execd...
> Started ossec-agentd...
> 2011/03/03 09:30:38 ossec-logcollector(1905): INFO: No file configured
> to monitor.
> Started ossec-logcollector...
> 2011/03/03 09:30:38 ossec-syscheckd(1702): INFO: No directory provided
> for syscheck to monitor.
> 2011/03/03 09:30:38 ossec-syscheckd: WARN: Syscheck disabled.
> Started ossec-syscheckd...
> Completed.


You may see this on a new client (agent) install, especially if you modify the 
client ossec.conf to only contain the IP of the server.  I handle this by 
starting the client, waiting a few moments, and then restarting the client.  
Typically the agent.conf is sent from the server to the client within the first 
few seconds so a restart causes the client to properly see the agent.conf file 
and act accordingly.






Re: [ossec-list] ossec centralized configuration

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 3, 2011, at 11:52 AM, satish patel wrote:
> Added: This document needs to specify which side it's talking about,
> client/server (agent/manager)
> http://www.ossec.net/main/manual/centralized-config/
> 
> There is no keyword saying whether this is the agent-side config or the manager-side?

In this particular document, all commands and configuration edits are on the 
server side.  The exception being "Restart the agent" which, obviously, must 
happen on the agent.  Or, I suppose you could use agent_control on the server 
side as well, now that I think about it.

> -Satish








Re: [ossec-list] ossec centralized configuration

2011-03-14 Thread Jason 'XenoPhage' Frisvold
On Mar 3, 2011, at 12:04 PM, satish patel wrote:
> This boy did a great job in documentation of centralized
> configuration. We would like this kind of doc on ossec.net website.
> 
> http://blog.godshell.com/blog/archives/274-WoO-Day-3-Meet-the-agent.htmla


Wow, uh, thanks.  I tried to make everything as concise as I could to make it 
more readable.  I'll see if I can take a look at the OSSEC manual itself and 
try to make it more readable.






Re: [ossec-list] Local_rules.xml ... public repository ?

2011-03-09 Thread Jason 'XenoPhage' Frisvold
On 02/25/2011 02:11 PM, dan (ddp) wrote:
> People have shared rules on this list, the dev list, the IRC channel,
> and probably other methods.
> 
> Does anyone think an ossec-rules mailing list would be useful?

Yes, definitely.  I still find a centralized rules repository to be
useful, though, and I think OSSEC should have an official one, whether
that's run by OSSEC or by a community member.



Re: [ossec-list] syscheck alert information

2011-02-28 Thread Jason 'XenoPhage' Frisvold
On Feb 28, 2011, at 3:13 PM, dan (ddp) wrote:
> It isn't possible at the moment. There are some things I want improved
> in the syscheck stuff, but no timelines, promises, hints, ipads, or
> guarantees.

Well, I'm sure there's a wishlist somewhere..  :)  As long as it's on there and 
the right people have the wishlist, I'll be satisfied.

> dan



[ossec-list] syscheck alert information

2011-02-28 Thread Jason 'XenoPhage' Frisvold
Hi all,

Quick question.  Is there a way to get OSSEC to send a bit more
information with a syscheck alert?  It would be nice if OSSEC sent
previously known information as well as what the new information is.
For instance, file size, mtime, ctime, and permissions.

Does any of this functionality exist currently?  (A quick search
doesn't turn anything up)  Or perhaps is it something that can be added
for 2.6 or 2.7 ?

Thanks,



Re: [ossec-list] active response in central management?

2011-02-25 Thread Jason 'XenoPhage' Frisvold
On Feb 24, 2011, at 2:33 PM, "dan (ddp)"  wrote:
>> <active-response>
>>   <disabled>yes</disabled>
>> </active-response>
>> 
> 
> This disabled AR on that agent.

This is in the agent.conf, right?  I had been disabling specific agents by 
creating an active response at the top of my ossec.conf with that agent_id 
identified.  This looks MUCH easier and doesn't require a restart of my main 
OSSEC server..

- Jason

Re: [ossec-list] File and folder monitoring

2011-02-23 Thread Jason 'XenoPhage' Frisvold
On 02/23/2011 01:12 PM, Chad Hammond wrote:
> How do I setup file and folder monitoring on a directory?
>  
> Any help with this would be greatly appreciated.

Add a syscheck section to your ossec.conf and/or agent.conf file :

  <syscheck>
    <frequency>7200</frequency>

    <!-- two further options, with the values "no" and "yes", stood here;
         their tag names did not survive the archive -->

    <directories>/etc</directories>
  </syscheck>


>Chad Hammond



Re: [ossec-list] Re: high availability solution

2011-01-21 Thread Jason 'XenoPhage' Frisvold
On Jan 12, 2011, at 12:44 PM, Daniel Cid wrote:
> Yes, and it has worked well for me.
> 
> One caveat is that the rids (message ids) will have to be
> exchanged/synced between each manager in the
> HA. A simple solution is to disable the id check, so it should just
> work without any sync...

I was planning on syncing the RIDs ..  The RIDs shouldn't change unless a new 
agent is added, right?

What's the security impact of disabling the RIDs?  What does that open me up 
for?

> Daniel B. Cid

Thanks,




Re: [ossec-list] ossec agent and logs

2011-01-21 Thread Jason 'XenoPhage' Frisvold
On Jan 11, 2011, at 1:21 PM, Netsyphon wrote:
> Splunk is nice but I had troubles getting it to work with the ossec plugin, 
> may try again. It's also somewhat cost prohibitive since it's doing only a 
> small portion of what it's needed for compared to ossec.  I agree on the 
> snare comparison, it's not practical for the security minded. 


Unless you have a huge number of OSSEC clients, I think the free version of 
splunk handles everything just fine.  You lose some features such as automated 
reporting and the ability to create users, but it works really well.



Re: [ossec-list] Re: ossec agent and logs

2011-01-21 Thread Jason 'XenoPhage' Frisvold
On Jan 13, 2011, at 2:09 PM, dan (ddp) wrote:
> I'm not disagreeing with you because I haven't done any testing, but
> according to splunk the light forwarder shouldn't use more than about
> 25MB of ram and 256kb of network.
> The trainer also mentioned he had helped with an installation where a
> splunk LF was installed on every desktop/laptop in the organization.
> Seemed like a neat idea, but knowing the machine I use at work even
> with the resource limits it could be a bit much.


You don't necessarily need to use the light forwarder, though.  You can always 
push the data to splunk using something like rsyslog or syslog-ng.  The 
biggest difference here is that splunk will give you the ability to do SSL.

There was also mention of a new light forwarder coming "soon" that will really 
be a light installation.  Right now the light forwarder is a full splunk 
install with just a few items turned on.  This new forwarder, I believe they're 
calling it the ultra light forwarder, will be stripped down to the bare 
minimum.



Re: [ossec-list] OSSEC in the Enterprise

2011-01-21 Thread Jason 'XenoPhage' Frisvold
On Jan 10, 2011, at 11:07 AM, ItsMikeE wrote:
> On a different (but related) note, has anyone set up a second OSSEC server, 
> to provide enterprise-level resilience?


This is something I want to do in the near future before I get too far along in 
my deployment.



Re: [ossec-list] Error in destination mail with agent created with IP address = any

2011-01-06 Thread Jason 'XenoPhage' Frisvold
On 12/21/2010 01:52 PM, dan (ddp) wrote:
>  Or are you saying that an event from agent1 is showing up in an email
> that mentioned agent2 in the subject?

The latter happens to me all the time.  It's a bit disconcerting,
actually.  I believe the "fix" was to disable email grouping, but that
just results in more email.  :)



Re: [ossec-list] Different active response durations for each level

2011-01-06 Thread Jason 'XenoPhage' Frisvold
On 12/15/2010 02:57 PM, dan (ddp) wrote:
> Give it a shot. Might work.
> 
> I'd think you would need to put the higher level ARs at the top
> though, since 6 means 6+.
> Haven't investigated that though, so I could be way off.

Yes, the higher level has to come first.  I'm using this in production
already.  :)



Re: [ossec-list] Consolidate active-response.logs

2010-12-31 Thread Jason 'XenoPhage' Frisvold
On Dec 30, 2010, at 7:44 PM, dan (ddp) wrote:
> Have ossec read the active-response.log file?
> 
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/ossec/logs/active-response.log</location>
> </localfile>
> 
> It's not elegant, but should work.


You!  With your inescapable logic!

...

Thanks.  :)  I should have thought of that...  :P



Re: [ossec-list] Consolidate active-response.logs

2010-12-30 Thread Jason 'XenoPhage' Frisvold
On Dec 30, 2010, at 4:55 PM, Saket  wrote:

> Hi,
> 
> Is there a way to consolidate all the active-response.log file from
> all the agents?
> 
> It is difficult to access each agent's active-response.log, I am
> presuming there is a way to consolidate all the active-response.log in
> the server.
> 
> I know the alert logs can be sent to a syslog server, Is it possible
> to send the active-response logs as well ?

I'd like to second this. I know I can use something like rsyslog to send this 
data, but as I'm already using ossec to send the normal logs, it would be nice 
to send the response log as well. 

> Thanks,
> Saket


[ossec-list] Happy Holidays!

2010-12-25 Thread Jason 'XenoPhage' Frisvold
For those that celebrate, and even those that don't!  Happy Holidays all!

Thanks for all of the support you provided when I was rolling out OSSEC for the 
first time and all the support you continue to provide as I continue to expand 
my OSSEC knowledge!



Re: [ossec-list] Strange Alert

2010-12-08 Thread Jason 'XenoPhage' Frisvold
On Dec 7, 2010, at 5:03 PM, dan (ddp) wrote:
> It's an OSSEC keep-alive message. It's not supposed to be in the logs,
> but it is. It's fixed in the latest snapshot.

Yeah, sorry about the noise..  I noticed another thread about this..  I should 
read before posting. :)




[ossec-list] Strange Alert

2010-12-07 Thread Jason 'XenoPhage' Frisvold
I received the following notification from ossec today and I have no idea what 
it is.  I've truncated the output for security reasons since it looks like it 
*might* be some sort of encoded string.  Any idea what this is?

OSSEC HIDS Notification.
2010 Dec 07 09:22:47

Received From: (myServer) 192.168.0.1->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: *I&ccQ?



--END OF NOTIFICATION



Re: [ossec-list] Active response against external hardware.

2010-12-01 Thread Jason 'XenoPhage' Frisvold
On 11/29/2010 02:31 PM, dan (ddp) wrote:
> Since the SSH keys probably wouldn't have a passphrase to use them,
> it's basically just as risky as having the password (IMHO).

Slightly less overall risk as you don't expose a password that might be
used elsewhere..  Or give a clue as to how you construct your passwords.



Re: [ossec-list] First time this user logged in this system Question

2010-11-20 Thread Jason 'XenoPhage' Frisvold
On Nov 20, 2010, at 1:49 AM, Mike Smith wrote:
> Hello,
> 
> Is there any way that I can have OSSEC alert each time a user logs
> into a computer, and not only the first time, like the default action?
> 
> Because I think this is a great feature and would like to get it to
> work all of the time and not just the first time.  So if I wanted to
> add this feature, where would I configure it.

Untested, but if you add this to local_rules.xml and restart the server, this 
should do it :

<!-- placeholders: pick a rule id and level from your own scheme -->
<rule id="RULE_ID" level="LEVEL">
  <if_group>authentication_success</if_group>
  <options>alert_by_email</options>
  <group>authentication_success</group>
  <description>User logged in.</description>
</rule>


> Thanks,
> 
> -M





Re: [ossec-list] Daily Report have blank body, data is part of subject line

2010-11-19 Thread Jason 'XenoPhage' Frisvold
On Nov 19, 2010, at 2:23 PM, dan (ddp) wrote:
> I wonder why these mail servers handle the traffic so differently.
> 
> On the "does not work" list we have:
> exim4
> Exchange
> 
> Anyone else having issues want to chime in?
> 
> I've tried it with OpenBSD's smtpd, and probably sendmail. So those
> will be the start of a "does work" list. Anyone want to contribute to
> this list?


qmail works fine as well.



Re: [ossec-list] Re: Bug report for OSSEC 2.5.1 ("ftpd-mac-failure" decoder in decoder.xml)

2010-10-31 Thread Jason 'XenoPhage' Frisvold
On Oct 28, 2010, at 3:08 PM, blacklight wrote:
> The syslog message was generated on a Linux 2.6 machine serving as an
> OSSEC agent host. The Linux 2.6 machine is running Fedora Core 5.

Isn't FC5 a tad old?

> I worked with this host because it is accessible from the outside and
> it was being bombed with FTP login requests from a single, unknown
> external IP.
> 
> I expect that this solution works out for all our hosts because we are
> pretty much standardized on Linux 2.6 - both Fedora Core 5 and Centos
> 5 - if we were not standardized, I'd go crazy :)

Your fix works, sort of.  It appears that this line :

 [(\d+.\d+.\d+.\d+)]$

Expects something along the lines of :

[123.123.123.123]

while your log message doesn't have the square brackets, are there other 
instances that would?  If the rule is switched to use (\S+) instead, then srcip 
will have extra characters in it that will cause the active response to fail.  
Instead, try this :

 (\d+.\d+.\d+.\d+)

This will match the first IP address after the prematch.  It should catch the 
log entries you have provided as well as those that may have square brackets.

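As an added illustration of the three capture patterns compared in this thread (my own example, not code from the post or from OSSEC's decoder.xml): each OSSEC regex is translated to Python re syntax, run over two constructed ftpd lines (one without square brackets, one with), and the capture is checked for whether it is a plain IPv4 literal that an active-response script could act on. The log lines are made up; the reporter's actual log message is not on this page, and the prematch is assumed to have consumed everything before the message.

```python
import ipaddress
import re

# Added example: the regex variants from the thread, in Python. "[" and "]"
# are literal characters in OSSEC regex, so they are escaped here; "\d+.\d+"
# in the post uses an unescaped dot, tightened to "\." below.
PATTERNS = {
    # the stock line: requires "[a.b.c.d]" at the very end of the message
    "bracketed_only": re.compile(r" \[(\d+\.\d+\.\d+\.\d+)\]$"),
    # the tempting "just use \S+" change: whatever token ends the line
    "any_token": re.compile(r" (\S+)$"),
    # the proposed fix: the first dotted quad found in the message
    "first_dotted_quad": re.compile(r"(\d+\.\d+\.\d+\.\d+)"),
}


def extract_srcip(pattern_name, line):
    """Return what the named pattern would store in srcip, or None if no match."""
    m = PATTERNS[pattern_name].search(line)
    return m.group(1) if m else None


def usable_by_active_response(srcip):
    """Scripts like firewall-drop.sh get srcip verbatim; anything that is not
    a bare IPv4 literal (e.g. "[203.0.113.7]" or a username) makes them fail."""
    if srcip is None:
        return False
    try:
        ipaddress.IPv4Address(srcip)
    except ValueError:
        return False
    return True


# Constructed log lines (not the reporter's): one without square brackets,
# which is the case that broke, and one with them, which the stock regex
# was written for.
LINE_NO_BRACKETS = (
    "Oct 28 15:08:01 gateway ftpd[2231]: FTP LOGIN FAILED FROM 203.0.113.7, ftpuser"
)
LINE_BRACKETS = (
    "Oct 28 15:08:02 gateway ftpd[2231]: FTP LOGIN FAILED FROM ftpuser [203.0.113.7]"
)


def compare(lines):
    """For every pattern and line, return (captured srcip, usable?) keyed by
    (pattern name, line)."""
    report = {}
    for name in PATTERNS:
        for line in lines:
            srcip = extract_srcip(name, line)
            report[(name, line)] = (srcip, usable_by_active_response(srcip))
    return report


if __name__ == "__main__":
    for (name, line), (srcip, ok) in compare([LINE_NO_BRACKETS, LINE_BRACKETS]).items():
        print(f"{name:18} {'ok ' if ok else 'BAD'} srcip={srcip!r}  <- {line[-40:]}")
```

Only first_dotted_quad yields a bare address on both lines; any_token captures the brackets (or the username), which is the "extra characters" failure the thread describes.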


Re: [ossec-list] Handling directory traversal false positives

2010-10-26 Thread Jason 'XenoPhage' Frisvold
On 10/26/2010 02:29 PM, dan (ddp) wrote:
> The only thing I can think of is to watch the logs and implement
> ignore rules for the legitimate stuff you come across. Be as specific
> as possible.

Ouch ..  So much for sanity..

Well, no one said security was easy, right?



Re: [ossec-list] Handling directory traversal false positives

2010-10-25 Thread Jason 'XenoPhage' Frisvold
On Oct 21, 2010, at 8:15 PM, Jason 'XenoPhage' Frisvold wrote:
> I find myself struggling with how to handle directory traversal false 
> positives.  The following happily triggers rule 31104 and active response 
> blocks the IP.
> 
> 204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1" 
> 400 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 
> The problem is that, unfortunately, this is actually legit..  While I wish I 
> could control poor web coding, I cannot..  *sigh*
> 
> I can put an ignore in, but that would hamper detecting an actual traversal 
> attack.  I can think of a few ways to alter it so it detects two or more 
> directories being traversed, but I can think of a few ways to defeat that 
> too..  So, how do I handle this?
> 
> Thanks,


One more time.. Anyone have any thoughts on this?  I'm not sure where to head 
with this one...  Anyone else having this problem?



Re: [ossec-list] Re: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' - on agent

2010-10-25 Thread Jason 'XenoPhage' Frisvold
On 10/25/2010 09:45 AM, ItsMikeE wrote:
> Turned out to be caused by group ownership of etc/client.keys file.
> Somehow it had been set to root:root. Switched to root:ossec and OSSEC
> started up as normal.

If it helps, I have some bare-bones RPM packages here :

http://www.godshell.com/software

> Thanks for your help



Re: [ossec-list] Day 7: Making it happen: who, what, when and how?

2010-10-23 Thread Jason 'XenoPhage' Frisvold
On Oct 23, 2010, at 10:44 PM, dan (ddp) wrote:
> A rules style guide would be something I'd definitely be interested in
> helping out with. I'll be writing a bunch of (non-Windows ;) rules
> myself, so keeping them consistent would be nice.

I'll second this one..  I want to release the rules I have, as well as rules I 
come up with moving forward, but having some sort of "style guide" would be 
helpful..

> I'll continue working on my WIP rules, hopefully growing the
> applications list a bit. I've also got a few ideas for the code, so
> learning C is on my list of things to do in my spare time.

What is this "spare time" you speak of..



Re: [ossec-list] 2WoO Day 7: Supporting New Applications the Right Way

2010-10-23 Thread Jason 'XenoPhage' Frisvold
On Oct 23, 2010, at 11:33 AM, Michael Starks wrote:
> http://www.immutablesecurity.com/index.php/2010/10/23/2woo-day-7-supporting-new-applications-the-right-way/


Err..  better late than never?

Day 7 - Tidbits  :  
http://blog.godshell.com/blog/archives/278-WoO-Day-7-Tidbits.html



Re: [ossec-list] Email alerting options

2010-10-23 Thread Jason 'XenoPhage' Frisvold
On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
> I have a couple questions:
> 
> 1) Is there a way to suppress the body of the OSSEC log so that it
> doesn't necessarily appear in the email? I'm setting up alerting via
> SMS but the long log messages causes the SMS to get cut off.

There is an sms format option you can use, though I'm not sure what it does to 
the message, exactly.  You can find info here :

http://www.ossec.net/doc/manual/output/granular-email-output.html

> 2) Do the "" levels in the ossec.conf affect whether emails go
> out if using the "" option? I have the alert levels set
> to the default (1=log and 7=email). I was testing out one of the rules
> and set the alert level to "6" and no emails were sent when it
> tripped. I changed it to alert level "10" and got an email doing that
> though. My understanding was that the email_alert option should be
> independent of the  setting.

The email setting determines what level alerts are sent via email.  So, the 
default setting of 7 means that an alert of level 7 or more is sent via email.  
This is why your level 6 alert did not get emailed.  It should have ended up in 
the log, however.

> TIA!



Re: [ossec-list] 2WoO Day 6: Running Multiple Instances on One Box

2010-10-22 Thread Jason 'XenoPhage' Frisvold
On 10/22/2010 08:26 AM, Michael Starks wrote:
> http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/

Day 6 - Layin' Down The Law -
http://blog.godshell.com/blog/archives/277-WoO-Day-6-Layin-Down-The-Law.html



[ossec-list] Handling directory traversal false positives

2010-10-21 Thread Jason 'XenoPhage' Frisvold

I find myself struggling with how to handle directory traversal false 
positives.  The following happily triggers rule 31104 and active response 
blocks the IP.

204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] "GET /../index.html HTTP/1.1" 400 
303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The problem is that, unfortunately, this is actually legit..  While I wish I 
could control poor web coding, I cannot..  *sigh*

I can put an ignore in, but that would hamper detecting an actual traversal 
attack.  I can think of a few ways to alter it so it detects two or more 
directories being traversed, but I can think of a few ways to defeat that too.. 
 So, how do I handle this?

Thanks,

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-21 Thread Jason 'XenoPhage' Frisvold

On Oct 21, 2010, at 9:41 AM, dan (ddp) wrote:
> Depends on your definition of "free." ;)


Touché ...  :)

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] I may have missed this resent subject

2010-10-21 Thread Jason 'XenoPhage' Frisvold

On Oct 21, 2010, at 2:01 PM,  wrote:
> Anyone: After upgrading my management Servers to 2.5.1  I'm getting, after I 
> restart the agents 
>  
>   2010/10/21 13:56:04 ossec-testrule: INFO: Reading local decoder file.
>  
> Any information on this would be great.

I believe this just means it's loading the local decoder file..  What version 
were you running previously?

> Thank You Christian

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-21 Thread Jason 'XenoPhage' Frisvold

On 10/20/2010 07:15 PM, Michael Starks wrote:
> I agree completely. But just so you are aware, OSSEC integrates nicely
> with Splunk for a non-free solution.

Non-free if you want more than 500 Megs per day and some of the fancier
features..  There is a free version of Splunk that works with plugins..

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-21 Thread Jason 'XenoPhage' Frisvold

On 10/20/2010 06:01 PM, Shane Warner wrote:
> Not sure what platform you're on, but we build an RPM package and set
> any important configuration files up with the config(noreplace)
> directive to prevent them from being overwritten on updates.

Wouldn't that prevent installation of new versions of the rules?

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] 2WoO Day 5: Taming File Integrity Alerts

2010-10-21 Thread Jason 'XenoPhage' Frisvold

On 10/21/2010 08:36 AM, Michael Starks wrote:
> For those that get bombarded with alerts when patching:
> 
> http://www.immutablesecurity.com/index.php/2010/10/21/2woo-taming-syscheck/

Decoders Unite!  All about decoders -
http://blog.godshell.com/blog/archives/276-WoO-Day-5-Decoders-Unite!.html

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-20 Thread Jason 'XenoPhage' Frisvold

On 10/20/2010 02:10 PM, Derek Morris wrote:
>  I would have to say the Upgrade process. I have to do a diff on
> numerous rules files that i have edited and takes quite a bit of pain
> staking work to complete.

Really?  I simply created additional files for my modified rules.  So
where ossec ships with, say, firewall_rules.xml, I created
firewall_rules_local.xml.  An upgrade won't override that.

Additionally, I've ensured (somewhat) that I have not used any of the
rule IDs that are currently reserved.  I'm aware that the official line
is that local rules should use the range 10-10, but I chose to
merely add 10 to any ruleset range I'm modifying.  So, if I have to
make a change to, say, rule 31101 to ignore a monitoring station, I
create a rule in the range of 131100-131199 and override that rule.
Just use an if_sid to make sure it's an override.

Another assumption here is that the numbering in the rules doesn't
change..  I don't believe that will be the case without extremely large,
blinking, sound-activated disclaimers by the developers.  And even then,
I'm pretty sure they'll try to avoid that.


--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
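
An illustration of the override approach described in the post above, added here as an example (it is not the post's own file and not part of the OSSEC project's rule set). It assumes the post's naming convention for the local file, an ID of stock rule ID plus 100000 (which lands in the post's 131100-131199 range), and a constructed monitoring-station address of 192.0.2.10:

```xml
<!-- web_rules_local.xml (name follows the post's *_local.xml convention; assumed).
     Added example, not the post's or the project's own file.
     Load it from ossec.conf AFTER the stock rule files, e.g. inside <rules>:
         <include>web_rules_local.xml</include>
     because <if_sid> can only reference a rule that has already been loaded.
     An upgrade replaces the stock file but leaves this one untouched. -->
<group name="local,web,accesslog,">

  <!-- 131101 = 31101 + 100000: the override slot for stock rule 31101.
       level="0" means the event is recorded but never raised as an alert.
       The child rule wins only when the source address matches, so every
       other client still gets the stock rule's normal level. -->
  <rule id="131101" level="0">
    <if_sid>31101</if_sid>
    <srcip>192.0.2.10</srcip>   <!-- constructed monitoring-station address -->
    <description>Stock rule 31101 silenced for the monitoring station only.</description>
  </rule>

</group>
```

Because the exception is keyed on the source address rather than on the rule as a whole, the same event from any other host still alerts, which is the difference between an override and a blanket ignore.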


Re: [ossec-list] 2WoO Day 3: Abusing OSSEC–the Countermeasures

2010-10-19 Thread Jason 'XenoPhage' Frisvold

On 10/19/2010 08:25 AM, Michael Starks wrote:
> http://www.immutablesecurity.com/index.php/2010/10/19/2woo-day-3-abusing-ossec-the-countermeasures/

And over at the Godshell blog, Meet The Agent ...

http://blog.godshell.com/blog/archives/274-WoO-Day-3-Meet-the-agent.html

Feel free to leave comments, I crave feedback!  :)

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] 2WoO Day 2: Tell your story. How has OSSEC helped you?

2010-10-18 Thread Jason 'XenoPhage' Frisvold

On 10/18/2010 08:35 AM, Michael Starks wrote:
> This is the day we get to recount our experiences of how OSSEC has saved
> the day, or just saved us some scratch. People coming by later on who
> read these will get a sense for OSSEC and if it can work in their
> environment. What say you?

Last year at this time I was running Osiris and depending on Logwatch
for most of my log analysis.  Osiris is a solid product, but,
unfortunately, it hasn't been updated in some time.  Likewise, Logwatch
is also a solid product, but depending on it for complete log analysis
is cumbersome, at best.  And finally, fail2ban was being used to detect
various attacks and block them.  Fail2ban is still a pretty decent
product and I heartily recommend it if OSSEC is too much for your needs.

OSSEC helped to solve both of these problems and even added additional
features that I have found to be incredibly useful.  Now I can centrally
manage all of my machines, ensure integrity via hashing, and respond to
a wide array of events.  The flexibility of OSSEC allows me to trigger
on virtually any event and respond with whatever I can express in a script.

As I learn more about OSSEC, I'm sure I'll unlock even more capability
that I'm not even aware of yet.  This is becoming one of the more
powerful tools in my security belt and I'm excited to see what comes next.

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com


Re: [ossec-list] 2WoO Day 2: Abusing OSSEC

2010-10-18 Thread Jason 'XenoPhage' Frisvold

On 10/18/2010 08:33 AM, Michael Starks wrote:
> http://www.immutablesecurity.com/index.php/2010/10/18/2woo-day-2-abusing-ossec/

And my contribution for the day is here:

http://blog.godshell.com/blog/archives/273-WoO-Day-2-In-The-Beginning-html

--
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com

