[ossec-list] OSSEC JSON complete log format
Hello everyone!

I was trying to find all the possible fields that can exist in a JSON log entry that OSSEC produces. I know that by using decoders you can add your own fields and extend the possible fields that OSSEC adds by itself. I'm referring to all the possible fields that can be produced exclusively by OSSEC's engine. Does anyone have any particular documentation or something close to that?

Thanks!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/8a0b6212-b2f3-4fcb-8723-0eee0441fd23n%40googlegroups.com.
Re: [ossec-list] OSSEC can't parse greek characters
Hello Dan, thank you for your response.

My goal is to enable OSSEC to parse UTF-8. Isn't there any option that would allow me to do that? I would really like to contribute to OSSEC and add this myself. Sadly, I do not know how. Do you have any suggestions on how to start or where to look first?

Kind regards,
K. Stavridis
[ossec-list] Re: Update OSSEC Server
Hello sparks,

From my experience, I suggest you follow the steps below to complete your upgrade.

- First back up your current OSSEC rules, decoders, active-response scripts and ossec.conf (JUST IN CASE YOU LATER NEED THEM, perhaps you've written custom rules and decoders).
- Then download and extract the latest OSSEC server version.
- Initiate the installation and OSSEC should detect that you already have a prior version installed. It will ask you if you want to upgrade it:
  You already have OSSEC installed. Do you want to update it? (y/n): y
- It will ask you if you want to update the rules as well. I suggest you do it:
  Do you want to update the rules? (y/n): y
- Installation and upgrade will begin.
- After the installation is finished, just check that every process is running and you're done:
  $ sudo /var/ossec/bin/ossec-control status

On Friday, August 7, 2020 at 12:09:57 AM UTC+3 sparks@gmail.com wrote:
> Hello Community,
>
> Do you know if there is a procedure to update the OSSEC server from 2.9.3 to the latest version? I was looking on the Internet for information but I can't find anything.
>
> I appreciate your help.
>
> Regards
[ossec-list] OSSEC can't parse greek characters
Hello everyone,

When I install an agent on a machine, considering I live in Greece, I usually face the problem that Windows logs contain some Greek characters and the OSSEC server doesn't seem to be able to parse them. The part of the log that is in Greek (ex. a filename or a username), after the analysis, is shown as weird characters and rectangles and stuff that of course are not machine readable or human readable.

Does anyone have any suggestion on solving this issue?

Thanks!
[ossec-list] OSSEC syslog server
Hello everyone,

When devices are configured to send remote syslog to OSSEC on port 514 (let's say a security product), are these syslog logs saved somewhere, even if they don't trigger an alert, as any other normal syslog server would do?

The problem I'm trying to solve is that I want to supervise a service that will send logs to OSSEC with remote syslog on port 514, but since they won't trigger any alert and they will not match any decoder, I won't be able to see them anywhere. I want to see them all somehow so I can study their format and write the appropriate decoders and rules to satisfy that firewall's security requirements.

Thanks! :)
[ossec-list] remote secure logging
Hello everyone,

Let's say I have a firewall that I want to configure to send its logs to my OSSEC server. I know that I can simply configure my firewall to send logs to my OSSEC server's IP and the OSSEC server like this:

syslog {FIREWALL_IP}

The thing is that this is an insecure connection and the logs are being sent unencrypted. In OSSEC's documentation it states that there is also the secure option that uses authentication and encryption for the logs and receives logs at port 1514. I set my firewall to send remote logs to the OSSEC server's IP:1514 but I am not seeing the logs in archives.logs (I checked the traffic on port 1514 and I indeed receive traffic from the firewall, although it's not logged). So I guess that for the whole "secure" thing to work it needs some kind of authentication, as I stated before.

My question is how do I actually configure that, on the firewall and on the OSSEC server?

Any answers or suggestions are appreciated!
[ossec-list] Secure remote logging
Hello everyone,

Let's say I have a firewall that I want to configure to send its logs to my OSSEC server. I know that I can simply configure my firewall to send logs to my OSSEC server's IP and the OSSEC server like this:

syslog 192.168.1.1

The thing is that this is an insecure connection and the logs are being sent unencrypted. In OSSEC's documentation it states that there is also the secure option that uses authentication and encryption for the logs and receives logs at port 1514. I set my firewall to send remote logs to the OSSEC server's IP:1514 but I am not seeing the logs in archives.logs (I checked the traffic on port 1514 and I indeed receive traffic from the firewall, although it's not logged). So I guess that for the whole "secure" thing to work it needs some kind of authentication, as I stated before.

My question is how do I actually configure that, on the firewall and on the OSSEC server?

Any answers or suggestions are appreciated!
[ossec-list] About active responses
Hey guys,

Can I have an active response only activated for a specific agent? (The active response's location is on the OSSEC server.)

Example: I have agent1 and agent2, and I have 2 active responses, AR1 and AR2. I want AR1 to be triggered only by agent1 events and AR2 to be triggered only by agent2 events. Is this possible?

Example config:

commandname1 server // some config here? specifying agent1 3
commandname2 server // some config here? specifying agent2 3

Thanks! Have a nice day!
[ossec-list] CDB list question
Hello everyone.

I have some md5/sha256 hashes in a cdb list and I want to detect them with the functionality. The problem is that I am decoding the information with a field name like "hash" but I can't really use it like that: hashes because OSSEC doesn't allow the usage of any fields other than the following.

- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action

Do you have any suggestions? :)

Thanks
[ossec-list] About new OSSEC's dynamic decoders
Hey guys,

So I really like the new dynamic decoders. But how can I use a dynamic field to trigger a rule? Let's say I extract md5 into a dynamic field with a decoder md5. I can't use the tag XXX in any rule. How am I supposed to check the value I extracted with the decoder?

Thanks
[ossec-list] About ransomware
Hello guys!

What are your thoughts on detecting ransomware on a machine with OSSEC, Windows Server or Linux alike? How would you approach it?

Thanks! :D
[ossec-list] Rules for specific agents
Hello everyone,

Is it possible to have some rules only for specific agents? Let's say that: and will only match for agent "agent1" or its agent id 001, and will only match for agent "agent2" or its agent id 002. Is there a way to do it?

Thanks in advance!
[ossec-list] Re: CDB format problem
Tested your 1st point, doesn't seem to work. I tried inserting "192.168.1.x" instead of 192.168.1.x (which I know worked), and I didn't get a match.

On Wednesday, July 17, 2019 at 12:46:39 PM UTC+3, Brian Candler wrote:
>
> On Tuesday, 16 July 2019 13:44:33 UTC+1, Kyriakos Stavridis wrote:
>>
>> How can I surpass that obstacle (double : in every entry) when compiling the cdb list with ossec-makelists? Any ideas?
>>
>
> Looking in src/analysisd/lists_make.c, it appears that both keys and values can be surrounded by double quotes, which should solve your problem (if the code works).
>
> Otherwise, CDB <https://cr.yp.to/cdb.html> files are 8-bit clean. You could compile them with the native cdbmake <https://cr.yp.to/cdb/cdbmake.html> utility instead, which has a different input format with explicit lengths for key and value parts.
[ossec-list] CDB format problem
Hello,

I've been trying to use a cdb to alert on access to bad URLs with OSSEC. The cdb format is the following:

key1:value
key2:value

As you see, the delimiter is predefined as the character ':'. So my problem is that when the key must be a URL, it surely must have : somewhere in it, let's say https://groups.google.com/forum. As you see, there will always be a : somewhere inside a valid URL. So the list before compiling should look like:

https://docs.python.org/3/library/os.html:suspicious
https://stackabuse.com/read-a-file-line-by-line-in-python/:malicious

How can I surpass that obstacle (double : in every entry) when compiling the cdb list with ossec-makelists? Any ideas? Has anyone done something similar before?

Thanks in advance and have a nice day.
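The question above and Brian's reply (quoted-key support in lists_make.c, or feeding cdbmake directly) both hinge on how a URL key is separated from its verdict when the URL itself contains ':'. The following added example is my own hypothetical helper, not part of OSSEC or ossec-makelists: it splits each list line either on a double-quoted key or on the last ':' (so the scheme separator and any port stay inside the key), and emits the cdbmake record format, whose explicit key and data lengths make ':' in keys harmless. It assumes values themselves contain no ':' and that the resulting CDB is usable by OSSEC, which the thread suggests but does not confirm.

```python
"""Convert an OSSEC-style 'key:value' list into cdbmake input.

Hypothetical helper written for the thread above; the list contents below
are constructed sample data, not a real blocklist.
"""


def split_entry(line: str):
    """Return (key, value) for one list line, or None for blank/comment lines.

    A key wrapped in double quotes is taken literally (the reply above says
    lists_make.c accepts that); otherwise the LAST ':' separates key from
    value so a URL such as https://host:8080/path keeps its own colons.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith('"'):
        end = line.find('"', 1)
        if end == -1 or not line[end + 1:].startswith(":"):
            raise ValueError(f"malformed quoted entry: {line}")
        key, value = line[1:end], line[end + 2:]
    else:
        key, _, value = line.rpartition(":")
        if not key:
            raise ValueError(f"no key:value separator in: {line}")
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return key, value


def to_cdbmake(text: str) -> str:
    """Render every entry as a cdbmake record '+klen,dlen:key->data'.

    cdbmake input ends with one empty line; lengths are counted in bytes.
    """
    records = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        key, value = entry
        records.append(f"+{len(key.encode())},{len(value.encode())}:{key}->{value}\n")
    return "".join(records) + "\n"


# Constructed sample list in the format shown in the question.
SAMPLE_LIST = """\
# bad URL list: url:verdict
https://docs.python.org/3/library/os.html:suspicious
https://stackabuse.com/read-a-file-line-by-line-in-python/:malicious
"http://example.test:8080/login":suspicious
"""

if __name__ == "__main__":
    print(to_cdbmake(SAMPLE_LIST), end="")
```

Pipe the output into `cdbmake out.cdb out.tmp` to build the file without ever having ossec-makelists tokenize the URL.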
[ossec-list] Monitoring users logging on and off from Active Directory.
Hello everyone.

I am trying to use OSSEC to monitor the logons and logoffs by employees on our Active Directory server. The problem is that there is too much noise generated by the AD and I cannot find a way to isolate the events I need monitored to get the correct results. The AD server generates about 5-6 events every time a user logs on or logs off (logon Event ID 4624, logoff Event ID 4634). The desirable result is to have alerts like: "User 'X' performed a logon" / "User 'X' performed a logoff". OSSEC by default has Windows logon and logoff rules (4624, 4634) but they trigger at each event with these IDs and you cannot have a specific result; too much noise is generated.

Has anyone successfully implemented the monitoring of user logons/logoffs to the AD server with OSSEC? How can I isolate the noise and get the desirable results?

Thanks in advance!
[ossec-list] Enable option for a specific agent only?
Hello,

Could I enable the option for specific agents only? I don't want all the events created by all agents saved, I just need them saved for some of them in particular. Is this possible in any way? I can't seem to find a way to do it.

Thanks!
[ossec-list] Option for one specific agent only?
Hello,

Could I enable the option only for one or two specific agents? I don't want to save all the events created by every agent in archives, I just need them saved for some of them. Is it possible somehow? I can't seem to find a way to achieve that.

Thanks!