[ossec-list] Can OSSEC read named pipes?

2008-12-22 Thread Martin

I'm trying to use named pipes in syslog-ng. I first create the file with
the command mkfifo syslog_fifo and then set up syslog-ng to send logs
to the file. Using the command tail -f syslog_fifo, I'm getting a lot
of information. However, when I configure ossec to use this file as a
syslog file, I'm getting the following information.

2008/12/22 15:50:04 ossec-logcollector(1116): ERROR: Error handling
file '/root/syslog/syslog_fifo' (fseek).
2008/12/22 15:50:04 ossec-logcollector(1950): INFO: Analyzing file: '/
root/syslog/syslog_fifo'.
2008/12/22 15:50:04 ossec-logcollector: INFO: Started (pid: 9864).
2008/12/22 15:52:14 ossec-logcollector(1904): INFO: File not
available, ignoring it: '/root/syslog/syslog_fifo'.

Can ossec read named pipe files? If so, what should I do?
Cheers
Martin
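
The fseek error in the log above is what a collector hits when it treats a FIFO like a regular file: a pipe has no file position to seek to. The following Python script is added here as an illustration and is not part of the original thread or of OSSEC itself. It creates a named pipe with mkfifo, shows that seeking to its end fails with ESPIPE while the same call succeeds on a regular file, and then pushes two constructed syslog lines through the pipe to show that plain sequential reads are what a pipe supports. The paths and sample lines are made up for the demonstration.

```python
import errno
import os
import stat
import tempfile

# Constructed sample lines standing in for what syslog-ng would write into the FIFO.
SAMPLE_LINES = [
    "Dec 22 15:50:04 host1 sshd[2001]: Failed password for invalid user test from 10.1.2.3 port 4022 ssh2",
    "Dec 22 15:50:05 host1 sshd[2001]: Connection closed by 10.1.2.3",
]


def probe_log_source(path):
    """Open `path` the way a log collector would and report whether it can be
    seeked. A regular file supports seek-to-end (start tailing at the current
    end); a FIFO does not, and the seek fails with ESPIPE, which is what the
    'Error handling file ... (fseek)' message in the thread reflects."""
    # O_NONBLOCK so opening the read end of a FIFO that has no writer yet does not hang.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        is_fifo = stat.S_ISFIFO(os.fstat(fd).st_mode)
        try:
            os.lseek(fd, 0, os.SEEK_END)
            seekable = True
        except OSError as exc:
            if exc.errno != errno.ESPIPE:
                raise
            seekable = False
        return {"is_fifo": is_fifo, "seekable": seekable}
    finally:
        os.close(fd)


def pump_through_fifo(path, lines):
    """Reader opens first (non-blocking), then a writer delivers the lines and
    closes; the reader drains until EOF. Sequential reads are all a pipe
    offers, so a collector has to consume it this way instead of seeking."""
    rfd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    wfd = os.open(path, os.O_WRONLY)  # succeeds immediately because a reader exists
    try:
        os.write(wfd, "".join(line + "\n" for line in lines).encode())
    finally:
        os.close(wfd)  # writer gone: the reader sees EOF once the buffer is drained
    chunks = []
    try:
        while True:
            chunk = os.read(rfd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(rfd)
    return b"".join(chunks).decode().splitlines()


def demo():
    """Create a FIFO and a regular file side by side and compare them."""
    workdir = tempfile.mkdtemp(prefix="ossec_fifo_demo_")
    fifo = os.path.join(workdir, "syslog_fifo")
    regular = os.path.join(workdir, "syslog.log")
    os.mkfifo(fifo)
    with open(regular, "w") as fh:
        fh.write(SAMPLE_LINES[0] + "\n")
    return {
        "fifo": probe_log_source(fifo),
        "regular": probe_log_source(regular),
        "lines": pump_through_fifo(fifo, SAMPLE_LINES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it prints `{'is_fifo': True, 'seekable': False}` for the FIFO and `{'is_fifo': False, 'seekable': True}` for the regular file, followed by the two lines read back through the pipe. A collector that wants to support pipes has to skip the seek-to-end step and read sequentially, which is the behaviour the later reply in this thread attributes to OSSEC 1.6.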


[ossec-list] OSSEC does not detect new log files

2008-12-22 Thread Martin

It looks like OSSEC does not detect new log files.
I'm currently monitoring a few different syslog-ng log feeds. Log files
are only created when there is log data. I'm currently creating log
files using the "week number", such as /var/log/remote/"IP address"/
logfile-"weeknumber".log. Every Monday new log files are automatically
created by syslog-ng, resulting in directories such as this:
Logfile-49.log
Logfile-50.log
Logfile-51.log

OSSEC is set to monitor /var/log/remote/*/*.log.
When OSSEC starts, it will start monitoring all existing files in the
correct path. However, as new files are created, OSSEC does not detect
the new log files. So far the only workaround I've found is to
restart ossec. However, as I intend to monitor a huge number of
servers, ossec would probably have to be restarted every few hours and
that is not a workable solution.

Does anyone know if it is possible to make ossec detect new log files
in the directories it is supposed to monitor?

Best Regards
Martin


[ossec-list] Re: OSSEC does not detect new log files

2008-12-22 Thread Martin

Is it possible to combine them, such as
/var/log/*/logfile-%U.log
Cheers
Martin
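
The two posts above describe the same gap from two angles: a wildcard that is expanded once at start-up misses files created later, and a strftime conversion such as %U in the file name (which OSSEC's location setting also accepts) only helps if the pattern is re-rendered as time passes. The Python tailer below is an added example, not code from the thread or from OSSEC; it re-expands the pattern on every poll, applies strftime before the wildcards, tails files that existed at start-up from their current end, reads files discovered later from their beginning, and only hands back complete lines. The directory layout, host addresses and log lines are constructed for the demonstration, and the class and function names are the example's own.

```python
import glob
import os
import tempfile
import time


class GlobTailer:
    """Tail every file matching a location pattern and re-expand the pattern on
    each poll, so files that appear after start-up (a new week's logfile, a new
    remote host's directory) are picked up without a restart."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.offsets = {}      # path -> bytes already consumed
        self.started = False   # becomes True after the first poll

    def render(self, when=None):
        """strftime first (e.g. %U week number); shell wildcards are left for glob."""
        return time.strftime(self.pattern, when or time.localtime())

    def expand(self, when=None):
        return sorted(glob.glob(self.render(when)))

    def poll(self, when=None):
        """Return (path, line) for every complete new line since the last poll."""
        new_lines = []
        for path in self.expand(when):
            if path not in self.offsets:
                # Known at start-up: begin at the end, like a collector starting up.
                # Discovered later: begin at 0 so the first lines are not lost.
                self.offsets[path] = 0 if self.started else os.path.getsize(path)
            with open(path, "rb") as fh:
                fh.seek(self.offsets[path])
                data = fh.read()
            complete_len = data.rfind(b"\n") + 1   # ignore a partial trailing line
            if complete_len:
                for line in data[:complete_len].decode("utf-8", "replace").splitlines():
                    new_lines.append((path, line))
                self.offsets[path] += complete_len
        self.started = True
        return new_lines


def demo():
    """Constructed layout mirroring /var/log/remote/<ip>/logfile-<week>.log."""
    base = tempfile.mkdtemp(prefix="ossec_glob_demo_")
    host1 = os.path.join(base, "remote", "10.0.0.1")
    os.makedirs(host1)
    week49 = os.path.join(host1, "logfile-49.log")
    with open(week49, "w") as fh:
        fh.write("Dec 8 09:00:00 host1 sshd[1]: Accepted publickey for ops from 10.0.0.9 port 5000 ssh2\n")

    tailer = GlobTailer(os.path.join(base, "remote", "*", "*.log"))
    first = tailer.poll()   # existing content is skipped

    # New data in a known file, plus a brand-new host directory and week file.
    with open(week49, "a") as fh:
        fh.write("Dec 22 15:50:04 host1 sshd[2]: Failed password for root from 10.9.8.7 port 2222 ssh2\n")
    host2 = os.path.join(base, "remote", "10.0.0.2")
    os.makedirs(host2)
    with open(os.path.join(host2, "logfile-50.log"), "w") as fh:
        fh.write("Dec 22 15:51:00 host2 sshd[3]: Failed password for admin from 10.9.8.7 port 2223 ssh2\n"
                 "partial line without newline")
    second = tailer.poll()

    def rel(path):
        return os.path.relpath(path, base).replace(os.sep, "/")

    monday = time.strptime("2008-12-22", "%Y-%m-%d")   # a Monday in week 51 of 2008
    return {
        "first": [(rel(p), l) for p, l in first],
        "second": [(rel(p), l) for p, l in second],
        "week_pattern": GlobTailer("/var/log/*/logfile-%U.log").render(monday),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first poll returns nothing, the second returns the appended line from logfile-49.log and the first full line of the newly created logfile-50.log (the unterminated tail is held back until a newline arrives), and rendering `/var/log/*/logfile-%U.log` for 2008-12-22 yields `/var/log/*/logfile-51.log`, the same week number as the files listed in the post.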


[ossec-list] Re: Can OSSEC read named pipes?

2009-01-06 Thread Martin

I was on 1.5 and am now on 1.6. Pipes are now working. However, it
seems to have a minor issue with multiple pipes but I'm OK with a
single pipe. I did notice syslog-ng starting to use a lot of CPU when
sending 20K syslog messages per second. However, creating a RAM disk
and putting the fifo/pipe file on the RAM disk halved the CPU load.

Cheers

On Dec 23 2008, 6:15 am, "Daniel Cid"  wrote:
> Hi Martin,
>
> Which version of ossec are you using? We added support for pipes in
> v1.6...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sun, Dec 21, 2008 at 10:57 PM, Martin  wrote:
>
> > I'm trying to use named pipes in syslog-ng. I first create the file with
> > the command mkfifo syslog_fifo and then set up syslog-ng to send logs
> > to the file. Using the command tail -f syslog_fifo, I'm getting a lot
> > of information. However, when I configure ossec to use this file as a
> > syslog file, I'm getting the following information.
>
> > 2008/12/22 15:50:04 ossec-logcollector(1116): ERROR: Error handling
> > file '/root/syslog/syslog_fifo' (fseek).
> > 2008/12/22 15:50:04 ossec-logcollector(1950): INFO: Analyzing file: '/
> > root/syslog/syslog_fifo'.
> > 2008/12/22 15:50:04 ossec-logcollector: INFO: Started (pid: 9864).
> > 2008/12/22 15:52:14 ossec-logcollector(1904): INFO: File not
> > available, ignoring it: '/root/syslog/syslog_fifo'.
>
> > Can ossec read named pipe files? If so, what should I do?
> > Cheers
> > Martin


[ossec-list] Unable to send email to remote exchange server.

2009-01-06 Thread Martin

Until now, I've used the local sendmail server for sending email.
Sending via a local mail server works fine. For various reasons, I now
have to start sending the emails directly to our Exchange server.
However, as soon as I change the IP address from localhost to the IP
address of the mail server, I start getting errors in the ossec.log
file and no emails are received. The error I'm getting is "ossec-maild
(1223): ERROR: Error Sending email to n.n.n.n (smtp server)".
I've done some tcpdump of the traffic and I can capture the following
data:
220 hostname Microsoft ESMTP MAIL Service ready at  Tue, 6 Jan 2009
11:24:01 +1300
Helo notify.ossec.net
250 hostname Hello [n.n.n.n]
Mail From: 
250 2.1.0 os...@syslogsender OK

The message "250 2.1.0 os...@syslogsender OK" is from the Exchange
server. The next thing I would expect is for my ossec server to send
the Rcpt To command with my email address; however, the very next
packet the ossec server sends is a [Fin,Ack] to the Exchange server.

If I telnet to the mail server manually on port 25 I can send email
just fine.
# telnet n.n.n.n 25
Trying n.n.n.n...
Connected to n.n.n.n.
Escape character is '^]'.
220 hostname Microsoft ESMTP MAIL Service ready at  Tue, 6 Jan 2009
14:50:51 +1300
Helo notify.ossec.net
250 hostname [n.n.n.n]
Mail From: 
250 2.1.0 os...@syslogsender OK
Rcpt To:
250 2.1.5 m...@emailaddress
data
354 Start mail input; end with .
Subject: test
.
250 2.6.0  Queued mail for delivery
quit
221 2.0.0 hostname Service closing transmission channel
Connection closed by foreign host.

Does anyone have any idea why ossec may be shutting down the
connection in the middle of the email delivery? Is anyone else able to
send directly to an Exchange server?

Cheers
/Martin


[ossec-list] Re: Unable to send email to remote exchange server.

2009-01-07 Thread Martin

Thank you both for your feedback.
Yes, the telnet was from the same server.
I have followed the wiki to set up granular alert notification but it
looks like it is buggy.
http://www.ossec.net/wiki/index.php/Know_How:GranularEmail
This config does _not_ work: (Used in the initial post I did.)


  
yes
dns name of server
os...@syslog.snip
4
dns name of mail server
5


  my email address
  5
  



However, when I change the config to the following, I'm receiving
emails.


yes
dns name of server
os...@syslog.snip
4
dns name of mail server
My email address
5


I.e. Standard email setup in the global section works, but not using
granular configuration with .
Any ideas?
Cheers
Martin

On Jan 7, 11:09 am, "McClinton, Rick" 
wrote:
> Your telnet test is from the same server as ossec, right? Sorry, just 
> checking.
>
> I'm reading src/os_mail/sendmail.c from 081212 snapshot; it's looking to find 
> '250' in the line that came back, which it certainly seems it should have.
>
> If it helps, there is a debug flag in this file; you can change sendmail.c to 
> define MAIL_DEBUG_FLAG as 1 and then you'll get some more feedback from ossec.
>
> Rick McClinton
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
> Behalf Of Martin
> Sent: Monday, January 05, 2009 8:59 PM
> To: ossec-list
> Subject: [ossec-list] Unable to send email to remote exchange server.
>
> Importance: Low
>
> Until now, I've used the local sendmail server for sending email.
> Sending via a local mail server works fine. For various reasons, I now
> have to start sending the emails directly to our exchange server.
> However, as soon as I change the ip address from localhost to the IP
> address of the mail server, I start getting errors in the ossec.log
> file and no emails are received. The error I'm getting is "ossec-maild
> (1223): ERROR: Error Sending email to n.n.n.n (smtp server)".
> I've done some tcpdump of the traffic and I can capture the following
> data;
> 220 hostname Microsoft ESMTP MAIL Service ready at  Tue, 6 Jan 2009
> 11:24:01 +1300
> Helo notify.ossec.net
> 250 hostname Hello [n.n.n.n]
> Mail From: 
> 250 2.1.0 os...@syslogsender OK
>
> The message "250 2.1.0 os...@syslogsender OK" is from the Exchange
> server. The next thing I would expect is for my ossec server to send
> the Rcpt To command with my email address; however, the very next
> packet the ossec server sends is a [Fin,Ack] to the Exchange server.
>
> If I telnet to the mail server manually on port 25 I can send email
> just fine.
> # telnet n.n.n.n 25
> Trying n.n.n.n...
> Connected to n.n.n.n.
> Escape character is '^]'.
> 220 hostname Microsoft ESMTP MAIL Service ready at  Tue, 6 Jan 2009
> 14:50:51 +1300
> Helo notify.ossec.net
> 250 hostname [n.n.n.n]
> Mail From: 
> 250 2.1.0 os...@syslogsender OK
> Rcpt To:
> 250 2.1.5 m...@emailaddress
> data
> 354 Start mail input; end with .
> Subject: test
> .
> 250 2.6.0  Queued mail for delivery
> quit
> 221 2.0.0 hostname Service closing transmission channel
> Connection closed by foreign host.
>
> Does anyone have any idea why ossec may be shutting down the
> connection in the middle of the email delivery? Is anyone else able to
> send directly to an Exchange server?
>
> Cheers
> /Martin
>
> This message contains TMA Resources confidential information and is intended 
> only for the individual named. If you are not the named addressee you should 
> not disseminate, distribute or copy this e-mail. Please notify the sender 
> immediately by e-mail if you have received this e-mail by mistake and delete 
> this e-mail from your system. E-mail transmission cannot be guaranteed to be 
> secure or error-free as information could be intercepted, corrupted, lost, 
> destroyed, arrive late or incomplete, or contain viruses. The sender 
> therefore does not accept liability for any errors or omissions in the 
> contents of this message which arise as a result of e-mail transmission. If 
> verification is required please request a hard-copy version.


[ossec-list] Re: Unable to send email to remote exchange server.

2009-01-08 Thread Martin

Thanks
Even though you have email_alerts, you have an email_to in the global
section. After adding an email_to entry in the global section, the
email_alerts started to work. I guess this is a bug.
Thank you for helping demystify the issue. Time to figure out what
the  section does...
Cheers
Martin

On Jan 8, 10:30 am, "McClinton, Rick" 
wrote:
> Sorry Martin, I'm not sure what you're running into there.
>
> I have this working in my production system: (1.6.1)
>   
>     yes
>     m...@email
>     my.server.net.
>     oss...@myossec.server.net
>     999
>   
>
>   
>    helpd...@customer.net
>    customerweb1|customerweb2
>    13
>   
>
> It does send alerts to them on their servers based on the level. I have a 
> custom rule triggering at that level for them. I don't know why I have a 
> terminating . on my smtp_server.
>
> While collecting this I notice there is also this section:
>   
>     1
>     7
>   
>
> I don't know what levels you're looking at for your test messages, but you 
> have '5' in your examples -- have you reduced email_alert_level to 5?



[ossec-list] Re: Unable to send email to remote exchange server.

2009-01-08 Thread Martin

The core of the problem seems to be . If you don't have an
 in the  section, ossec cannot send email to
anyone. And as soon as I add an entry with  to the global
section, my  starts working.
I.e. you cannot use  unless you have an  in
the  section.
Cheers
/Martin
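
The capture in the first post and the conclusion reached here fit together: the client got a 250 for MAIL FROM and then closed the connection instead of sending RCPT TO, and the missing piece turned out to be the recipient list. The Python script below is an added example, not code from the thread or from OSSEC's sendmail.c. It plays both sides of that exchange over a socketpair: a client that sends HELO, MAIL FROM, RCPT TO, DATA and QUIT and checks each reply for the expected code (the `'250' in line` style check the reply in the thread describes), and a small stand-in for the Exchange side that answers with the codes seen in the capture. Called with an empty recipient list the client stops right after MAIL FROM, reproducing the observed dialog. The HELO name, sender and recipient addresses are constructed placeholders, and all function names are the example's own.

```python
import socket
import threading


def _readline(rfile):
    return rfile.readline().decode("ascii", "replace").rstrip("\r\n")


def smtp_deliver(sock, helo, sender, recipients, body):
    """Client side of the exchange. Returns (commands sent, status)."""
    rfile = sock.makefile("rb")
    sent = []

    def cmd(text, ok_code):
        sock.sendall((text + "\r\n").encode("ascii"))
        sent.append(text)
        reply = _readline(rfile)
        if ok_code not in reply:          # same loose check as the thread describes
            raise RuntimeError(f"{text!r} rejected: {reply!r}")
        return reply

    try:
        if "220" not in _readline(rfile):
            raise RuntimeError("no SMTP greeting")
        cmd(f"HELO {helo}", "250")
        cmd(f"MAIL FROM:<{sender}>", "250")
        if not recipients:
            # Nothing to address the mail to: give up right after MAIL FROM. This is
            # where the capture in the thread shows the client closing the connection.
            return sent, "aborted: no recipients"
        for rcpt in recipients:
            cmd(f"RCPT TO:<{rcpt}>", "250")
        cmd("DATA", "354")
        lines = body.replace("\r\n", "\n").split("\n")
        stuffed = [("." + ln if ln.startswith(".") else ln) for ln in lines]  # dot-stuffing
        sock.sendall(("\r\n".join(stuffed) + "\r\n.\r\n").encode("ascii"))
        sent.append("<message body>")
        if "250" not in _readline(rfile):
            raise RuntimeError("message not accepted")
        cmd("QUIT", "221")
        return sent, "queued"
    finally:
        rfile.close()


def fake_exchange(sock, transcript):
    """Minimal stand-in for the Exchange side, replying with the codes from the
    thread's capture and recording the client's commands in `transcript`."""
    rfile = sock.makefile("rb")

    def say(text):
        sock.sendall((text + "\r\n").encode("ascii"))

    say("220 hostname Microsoft ESMTP MAIL Service ready")
    in_data = False
    while True:
        raw = rfile.readline()
        if not raw:                    # client hung up
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
                say("250 2.6.0 Queued mail for delivery")
            continue
        transcript.append(line)
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "HELO":
            say("250 hostname Hello [n.n.n.n]")
        elif verb == "MAIL":
            say("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            say("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            in_data = True
            say("354 Start mail input; end with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            say("221 2.0.0 hostname Service closing transmission channel")
            break
        else:
            say("500 5.5.1 Command unrecognized")
    rfile.close()
    sock.close()


def run_dialog(recipients):
    """Connect client and fake server over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    transcript = []
    worker = threading.Thread(target=fake_exchange, args=(server, transcript))
    worker.start()
    try:
        sent, status = smtp_deliver(client, "notify.ossec.net", "ossec@syslogsender",
                                    recipients, "Subject: test\n\nOSSEC alert body")
    finally:
        client.close()
    worker.join(5)
    return sent, status, transcript


if __name__ == "__main__":
    print(run_dialog([]))                          # stops after MAIL FROM
    print(run_dialog(["admin@example.invalid"]))   # full delivery
```

With no recipients the server's transcript ends at `MAIL FROM:<ossec@syslogsender>` and the client reports `aborted: no recipients`; with one recipient the transcript runs through RCPT TO, DATA and QUIT and the status is `queued`. When debugging a mailer that drops the connection mid-dialog, comparing the last command the server saw against the configured recipient list is the first check worth making, as this thread eventually did.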

On Jan 8, 10:30 am, "McClinton, Rick" 
wrote:
> Sorry Martin, I'm not sure what you're running into there.
>
> I have this working in my production system: (1.6.1)
>   
>     yes
>     m...@email
>     my.server.net.
>     oss...@myossec.server.net
>     999
>   
>
>   
>    helpd...@customer.net
>    customerweb1|customerweb2
>    13
>   
>
> It does send alerts to them on their servers based on the level. I have a 
> custom rule triggering at that level for them. I don't know why I have a 
> terminating . on my smtp_server.
>
> While collecting this I notice there is also this section:
>   
>     1
>     7
>   
>
> I don't know what levels you're looking at for your test messages, but you 
> have '5' in your examples -- have you reduced email_alert_level to 5?
>
> HTH
> Rick McClinton
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
> Behalf Of Martin
> Sent: Wednesday, January 07, 2009 3:37 PM
> To: ossec-list
> Subject: [ossec-list] Re: Unable to send email to remote exchange server.
>
> Importance: Low
>
> Thank you both for your feedback.
> Yes, the telnet was from the same server.
> I have followed the wiki to setup granular alert notification but it
> looks like it is buggy.
> http://www.ossec.net/wiki/index.php/Know_How:GranularEmail
> This config does _not_ work: (Used in the initial post I did.)
>
> 
>   
>     yes
>     dns name of server
>     os...@syslog.snip
>     4
>     dns name of mail server
>     5
> 
> 
>       my email address
>       5
>       
> 
>
> However, when I change the config to the following, I'm receiving
> emails.
> 
> 
>     yes
>     dns name of server
>     os...@syslog.snip
>     4
>     dns name of mail server
>     My email address
>     5
> 
>
> I.e. Standard email setup in the global section works, but not using
> granular configuration with .
> Any ideas?
> Cheers
> Martin
>


[ossec-list] Drop IP on all agents

2017-03-15 Thread Martin
Hello,

First, I'm sorry if the question has already been asked.

So what I'm trying to achieve is this:

If someone fails to log in too many times on one of my agents, I want this IP
to be dropped on all other agents and the server.

Same goes the other way around: if someone tries on the server, I want it to be
dropped on the server and all the agents.

I tried to edit the file ossec.conf on the server and put 'all' instead
of 'local'



  

host-deny
all
6
600
  


  

firewall-drop
all
6
600
  

If I want to edit the number of failed SSH attempts, which file do I have
to edit? /var/ossec/rules/sshd_rules.xml?


Thanks for your help,
Best regards.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Drop IP on all agents

2017-03-16 Thread Martin
Hello,

Thank you for your answer.

I modified the active-response in the file /var/ossec/etc/ossec.conf to
look like this:


  

host-deny
all
6
600
  


  

firewall-drop
all
6
600
  


Then I added the following in /var/ossec/rules/local_rules.xml




   
5710
SSHD brute force trying to get access to 
the system.

authentication_failures,
  


  
5716

Multiple SSHD authentication failures.
authentication_failures,
  




and finally restarted ossec-control, but it isn't working. I can still try
to log in after 6 attempts...

On Wednesday, 15 March 2017 at 19:01:37 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Mar 15, 2017 at 7:25 AM, Martin > 
> wrote: 
> > Hello, 
> > 
> > First, I'm sorry if the question has already been asked. 
> > 
> > So what I'm trying to achieve is this: 
> > 
> > If someone fails to log in too many times on one of my agents, I want this
> > IP to be dropped on all other agents and the server. 
> > 
> > Same goes the other way around: if someone tries on the server, I want it
> > to be dropped on the server and all the agents. 
> > 
> > I tried to edit the file ossec.conf on the server and put 'all' instead
> > of 'local' 
> > 
> > 
> >  
> >
> >  
> > host-deny 
> > all 
> > 6 
> > 600 
> >
> > 
> > 
> >
> >  
> > firewall-drop 
> > all 
> > 6 
> > 600 
> >
> > 
> > If I want to edit the number of failed SSH attempts, which file do I
> > have to edit? /var/ossec/rules/sshd_rules.xml ? 
> > 
>
> You can copy the rule you want to modify to local_rules.xml, and add: 
> overwrite="yes" 
> to the "
> > 
> > Thanks for your help, 
> > Best regards. 
> > 
>



Re: [ossec-list] Drop IP on all agents

2017-03-17 Thread Martin
Hello,

It is working now, I've reinstalled my setup. And after having modified the
files, I did: /var/ossec/bin/ossec-control restart on the server and all
the agents. Before, I was doing this on the server only and
/var/ossec/bin/agent_control -R for the agents (but maybe my files were wrong).

The only problem remaining is that the connection gets dropped on all the agents
but not on the server. (I've nothing in the active-response.log on the
server.)

When I run firewall-drop manually (on the server) it is working but I can
still log on to every agent.

Best regards



Re: [ossec-list] Drop IP on all agents

2017-03-22 Thread Martin
OK, the problem was that I thought that all as stated
in the doc would execute the command everywhere (meaning on all the agents
& the server).

But "all" means all the agents except the server.

In order to execute the command on all the agents and the server, I had to
duplicate the active-response:

  
host-deny
all
6
600
  

  
firewall-drop
all
6
600
  
  
  
host-deny
server
6
600
  

  
firewall-drop
server
6
600
  

Thank you again for your help dan.



[ossec-list] Custom decoder & rule not working

2017-03-23 Thread Martin
Hello,

I have these kinds of logs coming from a custom app:

>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
> [] []


I'm trying to block an IP with too many authentication failures.

So I did a custom decoder which is working:


  ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 




  app.ERROR
  ^app.ERROR: \.+ (\S+) for IP: (\S+) 
(\.+)\s(\.+)$
  status,srcip,extra_data,extra_data


and I want these rules working with this log.


app.ERROR
Multiple login attempts bepark.eu/fr/connexion

  


  
100201

Multiple login attempts bepark.eu/fr/connexion

authentication_failures,
  


But this is what I get when testing with /var/ossec/bin/ossec-logtest



[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
[] []




**Phase 1: Completed pre-decoding.
   full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure 
for IP: 172.17.0.1 [] []'
   hostname: 'Digital-Ocean-1'
   program_name: '(null)'
   log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for 
IP: 172.17.0.1 [] []'


**Phase 2: Completed decoding.
   decoder: 'app.ERROR'
   status: 'failure'
   srcip: '172.17.0.1'
   extra_data: '[]'
   extra_data: '[]'


**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not working over the 2501 one?



[ossec-list] Custom decoder & rules not working

2017-03-23 Thread Martin
Hello,

I have these kinds of logs coming from a custom app:

>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
> [] []


I'm trying to block an IP with too many authentication failures.

So I did a custom decoder which is working:


  ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 




  app.ERROR
  ^app.ERROR: \.+ (\S+) for IP: (\S+) 
(\.+)\s(\.+)$
  status,srcip,extra_data,extra_data


and I want these rules working with this log.


app.ERROR
Multiple login attempts customapp
  


  
100201

Multiple login attempts customapp
authentication_failures,
  


But this is what I get when testing with /var/ossec/bin/ossec-logtest



[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
[] []




**Phase 1: Completed pre-decoding.
   full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure 
for IP: 172.17.0.1 [] []'
   hostname: 'Digital-Ocean-1'
   program_name: '(null)'
   log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for 
IP: 172.17.0.1 [] []'


**Phase 2: Completed decoding.
   decoder: 'app.ERROR'
   status: 'failure'
   srcip: '172.17.0.1'
   extra_data: '[]'
   extra_data: '[]'


**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not working over the 2501 one?

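
The two posts above (the bepark.eu and customapp variants of the same question) both hinge on how the decoder and rules are evaluated against the sample line, so one added example serves both. The Python script below is an illustration written for this page and is not code from the thread or from OSSEC's analysisd. It approximates OSSEC's decoder regex dialect (`\p`, `\.`, `\S`, `\d` and friends) with Python's re module, applies the child decoder to the text that follows the parent's prematch (an assumption about offset handling that the ossec-logtest output above is consistent with), and then picks a rule the way the reply later in the thread describes: candidates are tried from the highest level down and the first match wins. The stand-in for rule 2501 simply matches the text "Authentication failure"; the custom rule's level is a placeholder parameter, since the XML attributes in the post did not survive extraction. `Decoder`, `decode`, `pick_rule` and `demo` are the example's own names.

```python
import re

# OS_Regex classes used in OSSEC decoders, approximated in Python syntax:
#   \d digit   \w word char   \s space   \S non-space   \p punctuation   \. any char
# A bare '.' is a literal dot in OS_Regex; ( ) ^ $ + * ? | keep their meaning.
_CLASSES = {"d": r"\d", "w": r"\w", "s": r"\s", "S": r"\S", "p": r"[^\w\s]", ".": "."}


def ossec_regex_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in "()^$+*?|" else re.escape(ch))
            i += 1
    return "".join(out)


class Decoder:
    def __init__(self, name, prematch=None, regex=None, order="", parent=None):
        self.name = name
        self.prematch = re.compile(ossec_regex_to_python(prematch)) if prematch else None
        self.regex = re.compile(ossec_regex_to_python(regex)) if regex else None
        self.order = [f.strip() for f in order.split(",") if f.strip()]
        self.children = []
        if parent:
            parent.children.append(self)


def decode(log, roots):
    """Simplified emulation: the first root decoder whose prematch hits claims
    the event; its children are then tried on the text after that prematch."""
    for root in roots:
        m = root.prematch.search(log) if root.prematch else None
        if root.prematch and not m:
            continue
        rest = log[m.end():] if m else log
        for child in root.children:
            if child.prematch and not child.prematch.search(rest):
                continue
            rm = child.regex.search(rest) if child.regex else None
            if not rm:
                continue
            return child.name, list(zip(child.order, rm.groups()))
        return root.name, []
    return None, []


def pick_rule(log, decoder_name, rules):
    """Rule selection as described in the thread's reply: highest level first,
    first match wins. Each rule is (id, level, decoded_as or None, match or None)."""
    for rid, level, decoded_as, match in sorted(rules, key=lambda r: -r[1]):
        if decoded_as and decoded_as != decoder_name:
            continue
        if match and not re.search(ossec_regex_to_python(match), log):
            continue
        return rid, level
    return None, None


SAMPLE = "[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []"


def demo(custom_level=0):
    """custom_level is a placeholder for the level of the post's rule 100201."""
    app = Decoder("app", prematch=r"^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p ")
    Decoder("app.ERROR", prematch="app.ERROR",
            regex=r"^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$",
            order="status,srcip,extra_data,extra_data", parent=app)
    name, fields = decode(SAMPLE, [app])
    rules = [
        (2501, 5, None, "Authentication failure"),   # stand-in for the stock syslog rule
        (100201, custom_level, "app.ERROR", None),   # the post's custom base rule
    ]
    rid, _ = pick_rule(SAMPLE, name, rules)
    return {"decoder": name, "fields": fields, "rule": rid}


if __name__ == "__main__":
    print(demo())                  # rule 2501 wins while the custom rule sits below level 5
    print(demo(custom_level=6))    # the custom rule wins once it outranks 2501
```

Decoding reproduces the logtest output above (decoder `app.ERROR`, status `failure`, srcip `172.17.0.1`, two `extra_data` fields of `[]`). With the custom base rule at a level below 5 the generic rule 2501 is selected, and raising the custom rule's level above 5 makes it win instead, which is the explanation the thread arrives at. Translating a decoder regex into Python like this is also a quick way to check a new `<regex>` against sample lines before loading it into ossec-logtest.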


Re: [ossec-list] Custom decoder & rule not working

2017-03-24 Thread Martin
Oh OK, thank you, you made it clear for me!



Re: [ossec-list] Custom decoder & rules not working

2017-03-24 Thread Martin
Indeed it was evaluated first because the level of the rule 2501 (5) is 
higher than my rule.

Thank you for your answer !



[ossec-list] Redundancy manager (backup)

2017-04-03 Thread Martin
Hello everyone,

I was wondering, what happens if the "manager" bugs / shuts down?

It might sound stupid but what behavior will the agents have? Will they
make my server bug, consume too much CPU/RAM or try to send messages all
the time, etc.?

Is there a way to have a second manager as a backup or make redundancy?

Best regards!



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Martin
Hi Victor,

Now that I know it is possible to have a second manager in case the first
one stops running, I'm wondering, is there a proper way to copy the first
manager to duplicate it? Like that I won't have to configure the second
manager as I did with the first one.

And I was looking as well at whether there is a way to automatically deploy
agents on servers and add them on the manager without having to use the script
.install? Because, let's say I've 100 agents to deploy, it will take me a
while doing it with the script ...


Thank you for your answer !

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Martin
I know it is possible with "Unattended Source Installation" but I'd still
have to add these agents manually on the manager, or is there another way :)
?



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Martin
Is it possible to deploy them (agents) easily via Chef?

Thank you again for your answers!

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-05 Thread Martin
Hello Victor,

I tried to run a second manager and I've the same file
/var/ossec/etc/client.keys
on it and on the first manager. I've copied the local_rules, ossec.conf,
local_decoder as well.

And I've specified on the agents to listen to it as you told me:

 10.0.0.1 10.0.0.2 


My first manager (10.0.0.1 here) is shut down and none of the agents are
listening on 10.0.0.2.

What should I look into?

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-10 Thread Martin
Even after 1 hour my agents won't connect to the second manager.

Here are the steps that I've done so far:

   - Having my two managers with the same ossec.conf, local_decoder,
   local_rules, client, client.keys
   - Opening port 1514 on all the agents and the manager.
   - Specifying the manager's IP on the agents

  
10.0.0.1 10.0.0.2 

Maybe it has to do with what Viktor said about the Rids counter, I'm not sure.

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-11 Thread Martin
Hello,

Thank you for your answers ! 

This is finally working; what I had to do was to allow the traffic through
1514 with the following:

On the agent:

   - sudo iptables -D INPUT -j DROP
   - iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
   - iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.2 -j ACCEPT
   - iptables -A OUTPUT -j ACCEPT
   - sudo iptables -A INPUT -j DROP

On the manager:

   - sudo iptables -D INPUT -j DROP
   - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_1 -j ACCEPT
   - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_2 -j ACCEPT
   - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_3 -j ACCEPT
   - iptables -A OUTPUT -j ACCEPT
   - sudo iptables -A INPUT -j DROP

I don't think that this is the right way to do it, but it works now.

Best regards.



[ossec-list] Opening port for ossec server/agents

2017-04-25 Thread Martin
Hello,

I'm getting a bit lost with the port opening for ossec.

Let's say I have 3 machines running on Ubuntu 16.04. I do a fresh install
of the OSSEC manager on machine A and a fresh install of the ossec agent on
both B & C.

Now I want to register my machines B & C using ossec-authd:

I have the certificate on my manager so I run 'ossec-authd'.

On my agents I run 'agent-auth -m IP_Manager'.

But this won't work unless I open port 1515 (by default) with iptables
plus UDP 1514. What should the correct steps be? Or better, is there a
way to automate it?

Best regards. 



[ossec-list] Should have gone to ossec

2010-04-13 Thread Martin West

http://blogs.zdnet.com/security/?p=6123&tag=nl.e589

:-(

Martin West



-- 
To unsubscribe, reply using "remove me" as the subject.


[ossec-list] Active Response on Windows events

2011-04-22 Thread Martin Gottlieb

Hi,

Is OSSEC capable of triggering an active response on Windows events?  In
particular, I am frequently seeing event 18152, "Multiple Windows Logon
Failures", but no active response is ever triggered. There are 2 (at least)
different variations on the events, 1 for Windows log-in failures and another
for SQL Server log-in failures.

I added the null_cmd command mentioned in the docs, but I'd be happy if
it just triggered the firewall drop script.


Am I missing something in the configuration?

thanks.

Martin


Re: [ossec-list] Active Response on Windows events

2011-04-22 Thread Martin Gottlieb


Thanks, Tanishk.  I'm really surprised nothing has been written for
Windows yet.  Am I correct in assuming the script would reside on the
Windows agent machine?

Obviously, the Windows agent communicates with the Linux server.  Is it
not possible to have an active response script triggered on the server
side as happens with Linux agents?


Thanks.

Martin

On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:

Hey Martin,
All these default active response scripts are written for a specific event.
Read these scripts to understand them.

For the event of your interest -- multiple logon failures -- for Linux, there is a
default active response script for locking the account. But for Windows
there is no such script. What you can do is create your own customised
script and use it for active response purposes.

Regards
Tanishk lakhaani
Sent from BlackBerry® on Airtel

-Original Message-
From: Martin Gottlieb
Sender: ossec-list@googlegroups.com
Date: Fri, 22 Apr 2011 08:22:37
To:
Reply-To: ossec-list@googlegroups.com
Subject: [ossec-list] Active Response on Windows events

Hi,

Is OSSEC capable of triggering an active response on Windows events?  In
particular, I am frequently
seeing event 18152, "Multiple Windows Logon Failures", but no active
response is ever triggered.
There are 2 (at least) different variations on the events, 1 for Windows
log-in failures and another
for SQL Server log-in failures.

I added the null_cmd command mentioned in the docs, but I'd be happy if
it just triggered the firewall drop script.

Am I missing something in the configuration?

thanks.

Martin




Re: [ossec-list] Active Response on Windows events

2011-04-22 Thread Martin Gottlieb


I guess what I'm trying to understand is this:

When an event is triggered from a Linux agent, the firewall drop script 
is run on the OSSEC server (in addition to the hosts deny script being 
called on the agent).  I don't recall doing anything special to make this 
happen when I installed OSSEC, I assume it is part of the default behavior.

When an event is triggered on a Windows agent, the firewall drop script 
is NOT called on the server,
but I would like it to be.  I would like the default behavior on Windows 
agents to be the same
as Linux agents, at least as far as what happens on the OSSEC server.  
The Windows agent is
obviously reporting the event to the server as it logs it and reports it 
to me.


Am I understanding the responses so far to mean that I have to write a 
script to make this happen, and that the script needs to reside on the 
Windows agent?

Thanks again.

Martin

On 4/22/2011 4:24 PM, dan (ddp) wrote:

Hi Tanishk,
The active response scripts should exist on the systems (agents and
servers) they need to be run on.

On Fri, Apr 22, 2011 at 4:17 PM, Tanishk Lakhaani  wrote:

Hey martin,
See, the active response related scripts will be placed at the server side, 
executed at the server/client side (depending upon the way it is configured in 
ossec.conf using the location tab) and the commands written in these scripts 
will actually take an action on the agent side. This is the basic of active 
response.
Sent from BlackBerry® on Airtel

-Original Message-----
From: Martin Gottlieb
Sender: ossec-list@googlegroups.com
Date: Fri, 22 Apr 2011 16:04:14
To:
Reply-To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Active Response on Windows events


Thanks, Tanishk.  I'm really surprised nothing has been written for
windows yet.  Am I correct
in assuming the script would reside on the Windows agent machine?

Obviously, the windows agent communicates with the Linux server.  Is it
not possible to have
an active response script triggered on the server side as happens with
Linux agents?

Thanks.

Martin

On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:

Hey martin,
All these default active response scripts are written for a specific event. 
Read these scripts to understand these scripts.

For the event of your interest -- multiple logon failures... for Linux, there is a 
default active response script -- for locking the account. But for Windows 
there is no such script. What you can do is create your own customised 
script and use it for active response purposes.

Regards
Tanishk lakhaani
Sent from BlackBerry® on Airtel

-Original Message-----
From: Martin Gottlieb
Sender: ossec-list@googlegroups.com
Date: Fri, 22 Apr 2011 08:22:37
To:
Reply-To: ossec-list@googlegroups.com
Subject: [ossec-list] Active Response on Windows events

Hi,

Is OSSEC capable of triggering an active response on Windows events?  In
particular, I am frequently
seeing event 18152, "Multiple Windows Logon Failures", but no active
response is ever triggered.
There are 2 (at least) different variations on the events, 1 for Windows
log-in failures and another
for SQL Server log-in failures.

I added the null_cmd command mentioned in the docs, but I'd be happy if
it just triggered the firewall drop script.

Am I missing something in the configuration?

thanks.

Martin






Re: [ossec-list] Active Response on Windows events

2011-04-22 Thread Martin Gottlieb


Shouldn't this block from the config on the OSSEC server:



firewall-drop
as
6
3600


cause the firewall drop script to be run on the server for any event 
that is level 6 or higher, regardless of
which agent it came from?  That's all I'm trying to accomplish, I don't 
need anything to run on the Windows agent if I can get the firewall drop 
script to run on the server.

Thanks.

Martin

On 4/22/2011 4:58 PM, dan (ddp) wrote:

Hi Martin,

On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb  wrote:

I guess what I'm trying to understand is this:

When an event is triggered from a Linux agent, the firewall drop script is
run on the
OSSEC server (in addition to the hosts deny script being called on the
agent).  I don't recall
doing anything special to make this happen when I installed OSSEC, I assume
it is part of
the default behavior.


The default actions (if I'm reading
https://bitbucket.org/dcid/ossec-hids/src/4908b28513b0/etc/ossec-server.conf
correctly) is that the script is run on the system where the log
message originated.
Unless you changed the configurations the scripts shouldn't be running
on both the server and the agents.


When an event is triggered on a Windows agent, the firewall drop script is
NOT called on the server,
but I would like it to be.  I would like the default behavior on Windows
agents to be the same
as Linux agents, at least as far as what happens on the OSSEC server.  The
Windows agent is
obviously reporting the event to the server as it logs it and reports it to
me.

Am I understanding the responses so far to mean that I have to write a
script to make this
happen, and that the script needs to reside on the Windows agent?

Thanks again.

Martin


The script would have to reside on all of the systems you want it to
run on. Having it run on both Windows and Linux systems may be
difficult.




Re: [ossec-list] Active Response on Windows events

2011-04-22 Thread Martin Gottlieb


Thanks!  I'll give that a try.  Sorry if I wasn't entirely clear about this.

Martin

On 4/22/2011 5:12 PM, dan (ddp) wrote:

Hi Martin,

On Fri, Apr 22, 2011 at 5:08 PM, Martin Gottlieb  wrote:

Shouldn't this block from the config on the OSSEC server:

   
 
 firewall-drop
 as
 6
 3600
   

cause the firewall drop script to be run on the server for any event that is
level 6 or higher, regardless of
which agent it came from?  That's all I'm trying to accomplish, I don't need
anything to run on the Windows
agent if I can get the firewall drop script to run on the server.

Thanks.

Martin


Oh, I get it now. Your  field looks wrong. It should be
server
http://www.ossec.net/doc/syntax/head_ossec_config.active-responce.html#element-active-response.location


On 4/22/2011 4:58 PM, dan (ddp) wrote:

Hi Martin,

On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb
wrote:

I guess what I'm trying to understand is this:

When an event is triggered from a Linux agent, the firewall drop script is
run on the
OSSEC server (in addition to the hosts deny script being called on the
agent).  I don't recall
doing anything special to make this happen when I installed OSSEC, I assume
it is part of
the default behavior.

The default actions (if I'm reading
https://bitbucket.org/dcid/ossec-hids/src/4908b28513b0/etc/ossec-server.conf
correctly) is that the script is run on the system where the log
message originated.
Unless you changed the configurations the scripts shouldn't be running
on both the server and the agents.

When an event is triggered on a Windows agent, the firewall drop script is
NOT called on the server,
but I would like it to be.  I would like the default behavior on Windows
agents to be the same
as Linux agents, at least as far as what happens on the OSSEC server.  The
Windows agent is
obviously reporting the event to the server as it logs it and reports it to
me.

Am I understanding the responses so far to mean that I have to write a
script to make this
happen, and that the script needs to reside on the Windows agent?

Thanks again.

Martin

The script would have to reside on all of the systems you want it to
run on. Having it run on both Windows and Linux systems may be
difficult.






Re: [ossec-list] Re: Active Response on Windows events

2011-04-23 Thread Martin Gottlieb


Awesome, thanks!  The events I'm seeing generally take 2 forms:

SQL Server Events:

WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no 
domain: WINSERVER: Login failed for user 'admin'. [CLIENT: 203.81.30.248]



And general Windows Events:

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: 
WINSERVER: Logon Failure:  Reason: Unknown user name or bad 
password   User Name: adminDomain: WINSERVER   Logon 
Type: 10  Logon Process: User32   Authentication Package: 
Negotiate   Workstation Name: WINSERVER Caller User Name: WINSERVER$
Caller Domain: WINDOMAINCaller Logon ID: (0x0,0x3E7)
Caller Process ID: 532  Transited Services: -   Source Network 
Address: 118.126.5.109   Source Port: 3041

Would these work as the corresponding decoders:


^WinEvtLog: Application: AUDIT_FAILURE\(\d+\): MSSQLSERVER: 
\.* Login failed for user

'(\w+)'. [CLIENT: (\d+.\d+.\d+.\d+)]
user,srcip



^WinEvtLog: Security: AUDIT_FAILURE\(\d+\): Security\.* Logon 
Failure: 
User Name: (\w+) \.* Source Network 
Address: (\d+.\d+.\d+.\d+)

user,srcip


Thanks.

Martin


On 4/22/2011 7:28 PM, AndiC wrote:

The problem I found was that the Windows decoder in the server /dev/
ossec/etc/decoder.xml does not extract the "srcip", so you have
nothing to work with to block

Now this is what I replaced mine with:


   windows
   ^WinEvtLog:
   ^\.+: (\w+)\((\d+)\): (\.+):
   (\.+): \.+: (\S+):
 \.+: \.+: \.+: \.+: \.+: \.+:
   \.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+:
   \.(\S+)
   status, id, extra_data, user, system_name, srcip
   name, location, user, system_name  

Then, in /dev/ossec/rules/msauth.xml, I replaced rule 18152 with:

   
 win_authentication_failed
 
 Multiple Windows Logon Failures Same IP.
 authentication_failures,
   
   
 win_authentication_failed
 Multiple Windows Logon Failures.
 authentication_failures,
   

I also dropped $MS_FREQ (start of msauth.xml) to 3

This works for me, and my Windows clients are well protected.

I am sure someone could write a far more eloquent decode Regex - sorry
I'm just coming to grips with that. I'm also uncertain if this will
work against anything other than Server 2003 for which it is written

But this is only the decoder that needs some tuning, the rest seems
fine

Regards

Andy


On Apr 23, 9:08 am, Martin Gottlieb  wrote:

Shouldn't this block from the config on the OSSEC server:



firewall-drop
as
6
3600


cause the firewall drop script to be run on the server for any event
that is level 6 or higher, regardless of
which agent it came from?  That's all I'm trying to accomplish, I don't
need anything to run on the Windows
agent if I can get the firewall drop script to run on the server.

Thanks.

Martin

On 4/22/2011 4:58 PM, dan (ddp) wrote:

Hi Martin,
On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb wrote:

I guess what I'm trying to understand is this:
When an event is triggered from a Linux agent, the firewall drop script is
run on the
OSSEC server (in addition to the hosts deny script being called on the
agent).  I don't recall
doing anything special to make this happen when I installed OSSEC, I assume
it is part of
the default behavior.

The default actions (if I'm reading
https://bitbucket.org/dcid/ossec-hids/src/4908b28513b0/etc/ossec-serv...
correctly) is that the script is run on the system where the log
message originated.
Unless you changed the configurations the scripts shouldn't be running
on both the server and the agents.

When an event is triggered on a Windows agent, the firewall drop script is
NOT called on the server,
but I would like it to be.  I would like the default behavior on Windows
agents to be the same
as Linux agents, at least as far as what happens on the OSSEC server.  The
Windows agent is
obviously reporting the event to the server as it logs it and reports it to
me.
Am I understanding the responses so far to mean that I have to write a
script to make this
happen, and that the script needs to reside on the Windows agent?
Thanks again.
Martin

The script would have to reside on all of the systems you want it to
run on. Having it run on both Windows and Linux systems may be
difficult.




Re: [ossec-list] Re: Active Response on Windows events

2011-04-23 Thread Martin Gottlieb


Hi Andy,

Thanks again for another great piece of advice.  ossec-logtest seems to 
confirm that the regexes are good.  The SQL Server decoder triggers rule 
2501, level 5.  I had to add the following to my local rules to get the 
winevt decoder to also trigger 2501:


Logon Failure
authentication_failed,
User authentication failure.


I think this should do the trick.  Thanks again for your help.

Martin

On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:


Hi

I didn't have that much success with a Regex similar to the one you 
wrote, I ended up having to specify everything in a very long-handed 
way -- as I said perhaps someone could write the decoder far more 
eloquently than I -- especially constructs such as \.* in the middle 
of the Regex


However, what I did do, is make my changes to the decoder and  run 
ossec-logtest -- this makes checking the decoder and rules so much 
easier without actually affecting production operation


Best I can do for now -- hope you have your Rules sorted as well -- 
ossec-logtest will check these at the same time


Andy

*From:*ossec-list@googlegroups.com 
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb

*Sent:* Sunday, 24 April 2011 3:16 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events


Awesome, thanks!  The events I'm seeing generally take 2 forms:

SQL Server Events:

WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): 
no domain: WINSERVER: Login failed for user 'admin'. [CLIENT: 
203.81.30.248]



And general Windows Events:

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: 
WINSERVER: Logon Failure:   Reason:Unknown user name or bad 
password User Name: adminDomain:WINSERVER  Logon 
Type: 10 Logon Process: User32  Authentication Package: 
Negotiate Workstation Name: WINSERVER   Caller User Name: 
WINSERVER$  Caller Domain: WINDOMAIN   Caller Logon ID: (0x0,0x3E7) 
   Caller Process ID: 532 Transited Services: -  Source 
Network Address: 118.126.5.109  Source Port: 3041

Would these work as the corresponding decoders:


^WinEvtLog: Application: AUDIT_FAILURE\(\d+\): MSSQLSERVER: 
\.* Login failed for user
'(\w+)'. [CLIENT: 
(\d+.\d+.\d+.\d+)]

user,srcip



^WinEvtLog: Security: AUDIT_FAILURE\(\d+\): Security\.* 
Logon Failure: 
User Name: (\w+) \.* Source Network 
Address: (\d+.\d+.\d+.\d+)

user,srcip


Thanks.

Martin


On 4/22/2011 7:28 PM, AndiC wrote:

The problem I found was that the Windows decoder in the server /dev/
ossec/etc/decoder.xml does not extract the "srcip", so you have
nothing to work with to block
  
Now this is what I replaced mine with:
  


   windows
   ^WinEvtLog:
   ^\.+: (\w+)\((\d+)\): (\.+):
   (\.+): \.+: (\S+):
 \.+: \.+: \.+: \.+: \.+: \.+:
   \.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+:
   \.(\S+)
   status, id, extra_data, user, system_name, srcip
   name, location, user, system_name  
  
Then, in /dev/ossec/rules/msauth.xml, I replaced rule 18152 with:
  
   

 win_authentication_failed
 
 Multiple Windows Logon Failures Same IP.
 authentication_failures,
   
   
 win_authentication_failed
 Multiple Windows Logon Failures.
 authentication_failures,
   
  
I also dropped $MS_FREQ (start of msauth.xml) to 3
  
This works for me, and my Windows clients are well protected.
  
I am sure someone could write a far more eloquent decode Regex - sorry

I'm just coming to grips with that. I'm also uncertain if this will
work against anything other than Server 2003 for which it is written
  
But this is only the decoder that needs some tuning, the rest seems

fine
  
Regards
  
Andy
  
  
On Apr 23, 9:08 am, Martin Gottlieb wrote:

Shouldn't this block from the config on the OSSEC server:

firewall-drop
as
6
3600

cause the firewall drop script to be run on the server for any event
that is level 6 or higher, regardless of which agent it came from?
That's all I'm trying to accomplish, I don't need anything to run on
the Windows agent if I can get the firewall drop script to run on the
server.

Thanks.

Martin

On 4/22/2011 4:58 PM, dan (ddp) wrote:

Hi Martin,

On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb wrote:

I guess what I'm trying to understand is this:

When an event is triggered from a Linux agent, the firewall drop
script is run on the OSSEC server (in addition to the hosts deny
script being called on the agent).  I don't recall
doing anything special to ma

Re: [ossec-list] Re: Active Response on Windows events

2011-04-25 Thread Martin Gottlieb


Thanks, my ossec server is a router/firewall, my apologies for omitting 
this detail.  I was really just trying to figure out how to get the 
server to trigger the script(s) in the first place on the windows 
events, since it was clearly getting notified about the events.

With help from Andy, I believe I have found that the issue boils down to 
the decoders.  I think I have a fix in place now and will be posting a 
"RESOLVED" message once I have verified this (just waiting for someone 
to attack the server).

Thanks again to everyone who offered help on this.

Martin

On 4/25/2011 11:23 AM, Scott VR wrote:
It is important to understand that firewall-drop.sh script executes 
unix/linux commands and the only way that invoking it on the server 
will serve any function to protect your windows hosts is if your ossec 
server is *also* running as a router/firewall in front of your windows 
boxes. If this is the case, it's a pretty major piece of the design 
that you left off of your description. If it's not the case, you are 
going to need something similar (which I think you alluded to in your 
initial email) to the null-route.cmd setup outlined in 
http://www.ossec.net/main/manual/manual-active-response-on-windows.


In summary, if your ossec server is also a router for your network, 
then running the ipfilters/ipchains/ipsec commands in the 
firewall-drop.sh script will work, with the proper regex to obtain 
srcip. If it is not, then running this command on the ossec server will 
have no effect and you need to run the command on the windows box 
through its agent.


Cheers,

On Sat, Apr 23, 2011 at 10:27 PM, Martin Gottlieb wrote:



Hi Andy,

Thanks again for another great piece of advice.  ossec-logtest
seems to confirm that the
regexes are good.  The SQL Server decoder triggers rule 2501,
level 5.  I had to add the
following to my local rules to get the winevt decoder to also
trigger 2501:


Logon Failure
authentication_failed,
User authentication failure.


I think this should do the trick.  Thanks again for your help.

Martin


On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:


Hi

I didn’t have that much success with a Regex similar to the one
you wrote, I ended up having to specify everything in a very
long-handed way – as I said perhaps someone could write the
decoder far more eloquently than I – especially constructs such
as \.* in the middle of the Regex

However, what I did do, is make my changes to the decoder and
 run ossec-logtest – this makes checking the decoder and rules so
much easier without actually affecting production operation

Best I can do for now – hope you have your Rules sorted as well –
ossec-logtest will check these at the same time

Andy

*From:*ossec-list@googlegroups.com
<mailto:ossec-list@googlegroups.com>
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb
*Sent:* Sunday, 24 April 2011 3:16 a.m.
*To:* ossec-list@googlegroups.com
<mailto:ossec-list@googlegroups.com>
*Subject:* Re: [ossec-list] Re: Active Response on Windows events


Awesome, thanks!  The events I'm seeing generally take 2 forms:

SQL Server Events:

WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no
user): no domain: WINSERVER: Login failed for user 'admin'.
[CLIENT: 203.81.30.248 ]


And general Windows Events:

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: 
WINSERVER: Logon Failure:   Reason:Unknown user name or bad 
password User Name: adminDomain:WINSERVER  Logon 
Type: 10 Logon Process: User32  Authentication Package: 
Negotiate Workstation Name: WINSERVER   Caller User Name: 
WINSERVER$  Caller Domain: WINDOMAIN   Caller Logon ID: (0x0,0x3E7) 
   Caller Process ID: 532 Transited Services: -  Source Network 
Address: 118.126.5.109  Source Port: 3041

Would these work as the corresponding decoders:


^WinEvtLog: Application: AUDIT_FAILURE\(\d+\):
MSSQLSERVER: \.* Login failed for user
'(\w+)'. [CLIENT:
(\d+.\d+.\d+.\d+)]
user,srcip



^WinEvtLog: Security: AUDIT_FAILURE\(\d+\): Security\.*
Logon Failure: 
User Name: (\w+) \.* Source
Network Address: (\d+.\d+.\d+.\d+)
user,srcip


Thanks.

Martin


On 4/22/2011 7:28 PM, AndiC wrote:

The problem I found was that the Windows decoder in the server /dev/
ossec/etc/decoder.xml does not extract the "srcip", so you have
nothing to work with to block
  
Now this is what I replaced mine with:
  


   windows
   ^WinEvtLog:
   ^\.+: (\w+)\((\d+)\): (\.+):
   (\.+): \.+: (\S+):
 \.+: \.+: \.+

Re: [ossec-list] Re: Active Response on Windows events

2011-04-27 Thread Martin Gottlieb


Well, I thought I was making progress, but now I'm not so sure.  My 
MSSQL decoder has triggered a couple of active responses, so I believe 
it is working properly. But, I am not getting any alerts on windows 
logon failures (I did previously), much less an active response.

I found the following event in my ossec alert log (identifying info 
modified):


** Alert 1303837130.3865847: - syslog,false_positivesauthentication_failed,
2011 Apr 26 12:58:50 (win3) 2.1.1.2->WinEvtLog
Rule: 100245 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: 
WINSERVER: Logon Failure:   Reason: Unknown user name or 
bad password   User Name: ryan Domain: 
WINSERVERLogon Type: 10  Logon Process: 
User32   Authentication Package: Negotiate   Workstation 
Name: WINSERVER  Caller User Name: WINSERVER$ Caller 
Domain: WINDOMAIN  Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5716 Transited Services: -   Source 
Network Address: 7.7.7.226  Source Port: 51287


What's strange is that it does not match the SrcIP or User fields.  When 
I run this log entry through ossec-logtest, I get the following results:

**Phase 2: Completed decoding.
   decoder: 'winevt'
   dstuser: 'ryan'
   srcip: '7.7.7.226'

**Phase 3: Completed filtering (rules).
   Rule id: '100245'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

So clearly the winevt decoder is working correctly.  Any ideas as to why 
it works in test mode, but not "live"?

Here's the winevt decoder:


^WinEvtLog:\s*Security:\s*AUDIT_FAILURE\(\d+\):\s*Security\.* 
Logon Failure: 
User Name:\s+(\w+) \.* Source Network 
Address:\s+(\d+.\d+.\d+.\d+)

user,srcip


I did make a few minor changes since my previous posts, mainly replacing 
spaces with "\s*" to allow for multiple white-space characters.


Thanks.

Martin

On 4/25/2011 11:43 AM, Martin Gottlieb wrote:


Thanks, my ossec server is a router/firewall, my apologies for 
omitting this detail.  I was really just trying to figure out how to 
get the server to trigger the script(s) in the first place on the 
windows events, since it was clearly getting notified about the events.

With help from Andy, I believe I have found that the issue boils down 
to the decoders.  I think I have a fix in place now and will be posting 
a "RESOLVED" message once I have verified this (just waiting for 
someone to attack the server).

Thanks again to everyone who offered help on this.

Martin

On 4/25/2011 11:23 AM, Scott VR wrote:
It is important to understand that firewall-drop.sh script executes 
unix/linux commands and the only way that invoking it on the server 
will serve any function to protect your windows hosts is if your 
ossec server is *also* running as a router/firewall in front of your 
windows boxes. If this is the case, it's a pretty major piece of the 
design that you left off of your description. If it's not the case, 
you are going to need something similar (which I think you alluded to 
in your initial email) to the null-route.cmd setup outlined in 
http://www.ossec.net/main/manual/manual-active-response-on-windows.


In summary, if your ossec server is also a router for your network, 
then running the ipfilters/ipchains/ipsec commands in the 
firewall-drop.sh script will work, with the proper regex to obtain 
srcip. If it is not, then running this command on the ossec server 
will have no effect and you need to run the command on the windows 
box through its agent.


Cheers,

On Sat, Apr 23, 2011 at 10:27 PM, Martin Gottlieb wrote:



Hi Andy,

Thanks again for another great piece of advice.  ossec-logtest
seems to confirm that the
regexes are good.  The SQL Server decoder triggers rule 2501,
level 5.  I had to add the
following to my local rules to get the winevt decoder to also
trigger 2501:


Logon Failure
    authentication_failed,
User authentication failure.


I think this should do the trick.  Thanks again for your help.

Martin


On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:


Hi

I didn’t have that much success with a Regex similar to the one
you wrote, I ended up having to specify everything in a very
long-handed way – as I said perhaps someone could write the
decoder far more eloquently than I – especially constructs such
as \.* in the middle of the Regex

However, what I did do, is make my changes to the decoder and
 run ossec-logtest – this makes checking the decoder and rules
so much easier without actually affecting production operation

Best I can do for now – hope y
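As an added example (not code from the thread or from OSSEC), the script below emulates what ossec-logtest reports in "Phase 2" for the two decoders Martin posted, the MSSQL one and the `\s+` version of the winevt one, and then runs a same-source-ip frequency count like the level-10 follow-up to rule 100245, which shows why an event whose srcip decodes as empty can never reach that threshold. The OSSEC-to-Python regex translation, the constructed sample lines, and the `\.*` bridging "Logon Failure:" and "User Name:" (which the quoted copy of the decoder does not show) are assumptions made here.

```python
"""Emulate ossec-logtest Phase 2 decoding for the thread's WinEvtLog decoders.

Added example, not code from the thread or from OSSEC.  Assumptions: the
OSSEC decoder regex dialect is translated to Python's `re` by
ossec_to_python() below (documented escapes \\d \\w \\s \\S \\W \\D \\p \\.;
'.', '[', ']' and '?' are literals, as they read in OSSEC regexes; \\.* and
\\.+ become non-greedy so they stop at the next literal).  Python's \\s also
matches tabs and newlines, so tab-separated input may differ from the real engine.
"""
import re
from collections import defaultdict

# OSSEC escape -> Python regex fragment (everything else is a literal).
_ESCAPES = {
    "d": r"\d", "w": r"[A-Za-z0-9@_]", "s": r"\s", "S": r"\S",
    "D": r"\D", "W": r"[^A-Za-z0-9@_]", "p": r"[()*+,\-.:;<=>?\[\]]",
}


def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":                      # \. is "any character" in OSSEC
                quant = pattern[i + 2:i + 3] if pattern[i + 2:i + 3] in ("*", "+") else ""
                out.append("." + quant + ("?" if quant else ""))
                i += 2 + len(quant)
            else:                               # \( \) \$ and friends stay literal
                out.append(_ESCAPES.get(nxt, re.escape(nxt)))
                i += 2
            continue
        out.append(c if c in "()+*^$|" else re.escape(c))
        i += 1
    return "".join(out)


def decode(regex, order, line):
    """Return the decoded fields (like logtest's Phase 2 output), or None."""
    m = re.search(ossec_to_python(regex), line)
    return dict(zip(order, m.groups())) if m else None


# Decoders as posted in the thread, joined onto one line each.
MSSQL_REGEX = (r"^WinEvtLog: Application: AUDIT_FAILURE\(\d+\): MSSQLSERVER: "
               r"\.* Login failed for user '(\w+)'. [CLIENT: (\d+.\d+.\d+.\d+)]")
# The \s+ version of the winevt decoder; the \.* between 'Logon Failure:' and
# 'User Name:' is assumed here, since the quoted copy does not show that gap.
WINEVT_REGEX = (r"^WinEvtLog:\s*Security:\s*AUDIT_FAILURE\(\d+\):\s*Security\.* "
                r"Logon Failure:\.*User Name:\s+(\w+) \.* Source Network "
                r"Address:\s+(\d+.\d+.\d+.\d+)")
# The earlier literal-single-space version, kept for comparison.
WINEVT_REGEX_STRICT = (r"^WinEvtLog: Security: AUDIT_FAILURE\(\d+\): Security\.* "
                       r"Logon Failure:\.*User Name: (\w+) \.* Source Network "
                       r"Address: (\d+.\d+.\d+.\d+)")
ORDER = ["user", "srcip"]

# Constructed sample lines, modelled on the events quoted in the thread.
MSSQL_EVENT = ("WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): "
               "no domain: WINSERVER: Login failed for user 'admin'. [CLIENT: 203.81.30.248]")


def winevt_event(user, ip, sep=" "):
    """Build a 529 logon-failure line; `sep` is the whitespace between fields."""
    fields = ["Reason:", "Unknown user name or bad password", "User Name:", user,
              "Domain:", "WINSERVER", "Logon Type:", "10", "Caller User Name:",
              "WINSERVER$", "Transited Services:", "-", "Source Network Address:",
              ip, "Source Port:", "51287"]
    return ("WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
            "WINSERVER: Logon Failure:" + sep + sep.join(fields))


def same_source_ip_hits(decoded_events, threshold):
    """Emulate a same_source_ip frequency rule over already-decoded events.

    Returns the source IPs that reached `threshold` failures.  Events whose
    decoder did not fill srcip are skipped, which is why an empty srcip can
    never trigger the level-10 follow-up to rule 100245.
    """
    counts, fired = defaultdict(int), []
    for ev in decoded_events:
        ip = ev.get("srcip") if ev else None
        if not ip:
            continue
        counts[ip] += 1
        if counts[ip] == threshold:
            fired.append(ip)
    return fired


if __name__ == "__main__":
    print("mssql:", decode(MSSQL_REGEX, ORDER, MSSQL_EVENT))
    for sep in (" ", "  "):
        line = winevt_event("ryan", "7.7.7.226", sep)
        print(f"winevt sep={sep!r}: flexible={decode(WINEVT_REGEX, ORDER, line)} "
              f"strict={decode(WINEVT_REGEX_STRICT, ORDER, line)}")
    hits = same_source_ip_hits(
        [decode(WINEVT_REGEX, ORDER, winevt_event("ryan", "7.7.7.226"))] * 3, 3)
    print("level-10 would fire for:", hits)
```

Running it shows the literal-space decoder returning None as soon as a field is separated by more than one space, while the `\s+` version still yields user and srcip; feeding the decoded events to the frequency count is the quickest offline check that srcip is actually populated before a same-source-ip rule is expected to fire.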

Re: [ossec-list] Re: Active Response on Windows events

2011-04-27 Thread Martin Gottlieb


good point, I should not be expecting email alerts on the level 5 rule.  
But since it's not recording the SrcIP value, it never triggers the 
level 10 rule, which I did also create:


Logon Failure
authentication_failed,
User authentication failure.



100245
Windows brute force trying to get access to 
the system.

authentication_failures,


So my original question remains, why is it not able to extract the SrcIP 
address using the decoder that I created and verified using ossec-logtest?

Thanks.

Martin


On 4/27/2011 3:27 PM, Andy Cockroft (andic) wrote:


Hi

This is triggering a level 5 alert -- will that actually do anything 
on your system? Or do you have another rule for multiple occurrences?


Certainly for mine, I have a level 10 alert for multiple occurrences 
(more than 3) which then activates the response on the windows agent


Just a random thought

Andy

*From:*ossec-list@googlegroups.com 
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb

*Sent:* Thursday, 28 April 2011 1:23 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events


Well, I thought I was making progress, but now I'm not so sure.  My 
MSSQL decoder has triggered a couple of active responses, so I believe 
it is working properly. But, I am not getting any alerts on windows 
logon failures (I did previously), much less an active response.

I found the following event in my ossec alert log (identifying info 
modified):


** Alert 1303837130.3865847: - 
syslog,false_positivesauthentication_failed,

2011 Apr 26 12:58:50 (win3) 2.1.1.2->WinEvtLog
Rule: 100245 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT 
AUTHORITY: WINSERVER: Logon Failure:   Reason: Unknown 
user name or bad password   User Name: ryan 
Domain: WINSERVERLogon Type: 10  Logon 
Process: User32   Authentication Package: Negotiate   
Workstation Name: WINSERVER  Caller User Name: 
WINSERVER$ Caller Domain: WINDOMAIN  Caller Logon ID: 
(0x0,0x3E7)Caller Process ID: 5716 Transited 
Services: -   Source Network Address: 7.7.7.226  
Source Port: 51287


What's strange is that it does not match the SrcIP or User fields.  
When I run this log entry through ossec-logtest, I get the following 
results:

**Phase 2: Completed decoding.
   decoder: 'winevt'
   dstuser: 'ryan'
   srcip: '7.7.7.226'

**Phase 3: Completed filtering (rules).
   Rule id: '100245'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

So clearly the winevt decoder is working correctly.  Any ideas as to 
why it works in test mode, but not "live"?

Here's the winevt decoder:


^WinEvtLog:\s*Security:\s*AUDIT_FAILURE\(\d+\):\s*Security\.* Logon 
Failure: 
User Name:\s+(\w+) \.* Source Network 
Address:\s+(\d+.\d+.\d+.\d+)

user,srcip


I did make a few minor changes since my previous posts, mainly 
replacing spaces with "\s*" to allow for multiple white-space characters.


Thanks.

Martin

On 4/25/2011 11:43 AM, Martin Gottlieb wrote:


Thanks, my ossec server is a router/firewall, my apologies for 
omitting this detail.  I was really just trying to figure out how to 
get the server to trigger the script(s) in the first place on the 
windows events, since it was clearly getting notified about the events.

With help from Andy, I believe I have found that the issue boils down 
to the decoders.  I think I have a fix in place now and will be posting 
a "RESOLVED" message once I have verified this (just waiting for 
someone to attack the server).

Thanks again to everyone who offered help on this.

Martin

On 4/25/2011 11:23 AM, Scott VR wrote:

It is important to understand that firewall-drop.sh script executes 
unix/linux commands and the only way that invoking it on the server 
will serve any function to protect your windows hosts is if your ossec 
server is *also* running as a router/firewall in front of your windows 
boxes. If this is the case, it's a pretty major piece of the design 
that you left off of your description. If it's not the case, you are 
going to need something similar (which I think you alluded to in your 
initial email) to the null-route.cmd setup outlined in 
http://www.ossec.net/main/manual/manual-active-response-on-windows.


In summary, if your ossec server is also a router for your network, 
then running the ipfilters/ipchains/ipsec commands in the 
firewall-drop.sh script will work, with the proper regex to obtain 
srcip. If it is not, then running this command on the ossec server will 
have no effect and you need to run the command on the windows box 
through its agent.


Cheers,

On Sat, Apr 23, 2011 at 10

Re: [ossec-list] Re: Active Response on Windows events

2011-04-27 Thread Martin Gottlieb


Thanks, that does work.  The problem is that when a real intruder is 
triggering my level 5 rule (100245),
it is not recording the source IP, so it has no way of ever triggering 
the level 10 rule.  That is what I am
trying to figure out, why the decoder is not working properly "live" 
when it works fine using ossec-logtest.


On 4/27/2011 4:01 PM, Andy Cockroft (andic) wrote:


Hi

You should be able to run ossec-logtest repeatedly (ie 6 times at 
least) with the same data, and you should see what it does in 
triggering the level 10 rule


Andy

*From:*ossec-list@googlegroups.com 
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb

*Sent:* Thursday, 28 April 2011 7:36 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events


good point, I should not be expecting email alerts on the level 5 
rule.  But since it's not recording the SrcIP

value, it never triggers the level 10 rule, which I did also create:


Logon Failure
authentication_failed,
User authentication failure.



100245
Windows brute force trying to get access to 
the system.

authentication_failures,


So my original question remains, why is it not able to extract the 
SrcIP address using the decoder that I created

and verified using ossec-logtest?

Thanks.

Martin


On 4/27/2011 3:27 PM, Andy Cockroft (andic) wrote:

Hi

This is triggering a level 5 alert -- will that actually do anything 
on your system? Or do you have another rule for multiple occurrences?


Certainly for mine, I have a level 10 alert for multiple occurrences 
(more than 3) which then activates the response on the windows agent


Just a random thought

Andy

*From:*ossec-list@googlegroups.com 
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb

*Sent:* Thursday, 28 April 2011 1:23 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events


Well, I thought I was making progress, but now I'm not so sure.  My 
MSSQL decoder has triggered a couple
of active responses, so I believe it is working properly. But, I am 
not getting any alerts on windows logon

failures (I did previously), much less an active response.

I found the following event in my ossec alert log (identifying info 
modified):


** Alert 1303837130.3865847: - 
syslog,false_positivesauthentication_failed,

2011 Apr 26 12:58:50 (win3) 2.1.1.2->WinEvtLog
Rule: 100245 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT 
AUTHORITY: WINSERVER: Logon Failure:   Reason: Unknown 
user name or bad password   User Name: ryan 
Domain: WINSERVERLogon Type: 10  Logon 
Process: User32   Authentication Package: Negotiate   
Workstation Name: WINSERVER  Caller User Name: 
WINSERVER$ Caller Domain: WINDOMAIN  Caller Logon ID: 
(0x0,0x3E7)Caller Process ID: 5716 Transited 
Services: -   Source Network Address: 7.7.7.226  
Source Port: 51287


What's strange is that it does not match the SrcIP or User fields.  
When I run this log entry through ossec-logtest, I get the

following results:

**Phase 2: Completed decoding.
   decoder: 'winevt'
   dstuser: 'ryan'
   srcip: '7.7.7.226'

**Phase 3: Completed filtering (rules).
   Rule id: '100245'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

So clearly the winevt decoder is working correctly.  Any ideas as to 
why it works in test mode, but not "live"?

Here's the winevt decoder:


^WinEvtLog:\s*Security:\s*AUDIT_FAILURE\(\d+\):\s*Security\.* Logon 
Failure: 
User Name:\s+(\w+) \.* Source Network 
Address:\s+(\d+.\d+.\d+.\d+)

user,srcip


I did make a few minor changes since my previous posts, mainly 
replacing spaces with "\s*" to allow for multiple white-space characters.


Thanks.

Martin

On 4/25/2011 11:43 AM, Martin Gottlieb wrote:


Thanks, my ossec server is a router/firewall, my apologies for 
omitting this detail.  I was really
just trying to figure out how to get the server to trigger the 
script(s) in the first place on the

windows events, since it was clearly getting notified about the events.

With help from Andy, I believe I have found that the issue boils down 
to the decoders.  I think I
have a fix in place now and will be posting a "RESOLVED" message once I 
have verified this (just waiting

for someone to attack the server).

Thanks again to everyone who offered help on this.

Martin

On 4/25/2011 11:23 AM, Scott VR wrote:

It is important to understand that the firewall-drop.sh script executes 
unix/linux commands and the only way that invoking it o

Re: [ossec-list] Re: Active Response on Windows events [RESOLVED]

2011-05-04 Thread Martin Gottlieb


Finally figured out what was going on with the Windows Event log decoder:

I originally had this:


^WinEvtLog: Security: AUDIT_FAILURE\(\d+\): Security\.* Logon 
Failure: 
User Name: (\w+) \.* Source Network 
Address: (\d+.\d+.\d+.\d+)

user,srcip


When I copied and pasted an event from the alert log (see WinEvtLog in 
thread below) into ossec-logtest, everything matched and
it worked fine.  The problem with that approach is that tabs and other 
characters get converted to spaces.


When I ran the command: sed -n 16741p 
logs/alerts/2011/May/ossec-alerts-04.log | bin/ossec-logtest
from within /var/ossec, the decoder did not extract the user and srcip 
fields.  I then ran:
sed -n 16741p logs/alerts/2011/May/ossec-alerts-04.log | od -a and 
found that each Name: Value pair was

preceded by a variable number of spaces and then a *TAB* character.

It turns out that *\s* only matches spaces, not any white-space 
character.  So I changed my regex to this:


User\s+Name:\s*(\w+)\s+\.*Source Network 
Address:\s+(\d+.\d+.\d+.\d+)\s+


and it now works.

Thanks to everyone who offered suggestions, especially Andy who pointed 
me to ossec-logtest.


Martin


On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:


Hi

I didn't have that much success with a Regex similar to the one you 
wrote, I ended up having to specify everything in a very long-handed 
way -- as I said perhaps someone could write the decoder far more 
eloquently than I -- especially constructs such as \.* in the middle 
of the Regex


However, what I did do, is make my changes to the decoder and  run 
ossec-logtest -- this makes checking the decoder and rules so much 
easier without actually affecting production operation


Best I can do for now -- hope you have your Rules sorted as well -- 
ossec-logtest will check these at the same time


Andy

*From:*ossec-list@googlegroups.com 
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb

*Sent:* Sunday, 24 April 2011 3:16 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events


Awesome, thanks!  The events I'm seeing generally take 2 forms:

SQL Server Events:

WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): 
no domain: WINSERVER: Login failed for user 'admin'. [CLIENT: 
203.81.30.248]



And general Windows Events:

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: 
WINSERVER: Logon Failure:   Reason:Unknown user name or bad 
password User Name: adminDomain:WINSERVER  Logon 
Type: 10 Logon Process: User32  Authentication Package: 
Negotiate Workstation Name: WINSERVER   Caller User Name: 
WINSERVER$  Caller Domain: WINDOMAIN   Caller Logon ID: (0x0,0x3E7) 
   Caller Process ID: 532 Transited Services: -  Source 
Network Address: 118.126.5.109  Source Port: 3041

Would these work as the corresponding decoders:


^WinEvtLog: Application: AUDIT_FAILURE\(\d+\): MSSQLSERVER: 
\.* Login failed for user
'(\w+)'. [CLIENT: 
(\d+.\d+.\d+.\d+)]

user,srcip



^WinEvtLog: Security: AUDIT_FAILURE\(\d+\): Security\.* 
Logon Failure: 
User Name: (\w+) \.* Source Network 
Address: (\d+.\d+.\d+.\d+)

user,srcip


Thanks.

Martin


On 4/22/2011 7:28 PM, AndiC wrote:

The problem I found was that the Windows decoder in the server /dev/
ossec/etc/decoder.xml does not extract the "srcip", so you have
nothing to work with to block
  
Now this is what I replaced mine with:
  


   windows
   ^WinEvtLog:
   ^\.+: (\w+)\((\d+)\): (\.+):
   (\.+): \.+: (\S+):
 \.+: \.+: \.+: \.+: \.+: \.+:
   \.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+:
   \.(\S+)
   status, id, extra_data, user, system_name, srcip
   name, location, user, system_name  
  
Then, in /dev/ossec/rules/msauth.xml, I replaced rule 18152 with:
  
   

 win_authentication_failed
 
 Multiple Windows Logon Failures Same IP.
 authentication_failures,
   
   
 win_authentication_failed
 Multiple Windows Logon Failures.
 authentication_failures,
   
  
I also dropped $MS_FREQ (start of msauth.xml) to 3
  
This works for me, and my Windows clients are well protected.
  
I am sure someone could write a far more eloquent decode Regex - sorry

I'm just coming to grips with that. I'm also uncertain if this will
work against anything other than Server 2003 for which it is written
  
But this is only the decoder that needs some tuning, the rest seems

fine
  
Regards
  
Andy
  
  
On Apr 23, 9:08 am, Martin Gottlieb wrote:


Shouldn't this block from the config on the OSSEC server:

  






firewall-drop

as

6

3600



  


cause the firewall drop script to be run on the server for any event

that is level 6 or higher, regardless of

which agent it came from?  That's all 

Re: [ossec-list] Re: Active Response on Windows events [RESOLVED]

2011-05-05 Thread Martin Gottlieb

On 5/4/2011 10:26 PM, Michael Starks wrote:

On 05/04/2011 08:32 PM, Martin Gottlieb wrote:


When I ran the command: sed -n 16741p
logs/alerts/2011/May/ossec-alerts-04.log | bin/ossec-logtest
from within /var/ossec, the decoder did not extract the user and srcip
fields. I then ran:
sed -n 16741p logs/alerts/2011/May/ossec-alerts-04.log | od -a and found
that each Name: Value pair was
preceded by a variable number of spaces and then a *TAB* character.

It turns out that *\s* only matches spaces, not any white-space
character. So I changed my regex to this:

User\s+Name:\s*(\w+)\s+\.*Source Network
Address:\s+(\d+.\d+.\d+.\d+)\s+

and it now works.


Thanks for sharing your solution and for introducing me to od. That 
looks pretty useful. I guess the lesson here is to feed the log sample 
directly from archives.log into ossec-logtest to avoid any translation 
issues. That's something that I certainly haven't been doing.


So is the number of spaces variable depending on the Windows version, 
or in general? I am surprised we haven't seen this before..


I was referring specifically to the Windows log when mentioning the # of 
spaces.  I think you'd have to take any

given log record on a case-by-case basis.
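As an added example (not code from the thread or from OSSEC), the tab-versus-space pitfall from the RESOLVED post and the exchange above, reproduced stand-alone: a small translator mimics the OSSEC decoder regex classes and runs the thread's before and after patterns over a constructed logon-failure line that still carries its TAB characters, and over the same line after a copy-paste has turned the tabs into spaces. The translator is a simplified model assumed for this example (\s is a literal space, \. is any character, a bare '.' is a literal dot), and the host names and IP in the sample line are placeholders.

```python
import re

# Mapping of OSSEC (OS_Regex) classes to Python regex fragments. This is a
# simplified model written for this example, not OSSEC's own matcher: the
# point it preserves is that OSSEC's \s is a literal space only, tabs need \t,
# \. is "any character", and a bare '.' is a literal dot.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9_\-]",
    "d": r"[0-9]",
    "s": r"[ ]",          # space only: the cause of the thread's problem
    "t": r"\t",
    ".": r".",            # \. in OSSEC means "any character"
    "p": r"[()*+#:|.;]",
    "(": r"\(",
    ")": r"\)",
    "\\": r"\\",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder <regex> into an equivalent Python regex.

    Grouping '(' ')', anchors '^' '$', alternation '|' and the '+' '*'
    modifiers pass through; every other character (including '.') is
    literal, which is why (\d+.\d+.\d+.\d+) matches a dotted IP in OSSEC.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            cls = pattern[i + 1]
            if cls not in _OSSEC_CLASSES:
                raise ValueError(f"unsupported OSSEC class \\{cls}")
            out.append(_OSSEC_CLASSES[cls])
            i += 2
            continue
        out.append(ch if ch in "()^$|+*" else re.escape(ch))
        i += 1
    return "".join(out)


def ossec_match(pattern: str, line: str):
    """Return the captured fields as a tuple, or None when the regex fails."""
    m = re.search(ossec_to_python(pattern), line)
    return m.groups() if m else None


def tab_positions(line: str):
    """Offsets of TAB characters, i.e. what `od -a` revealed in the thread."""
    return [i for i, c in enumerate(line) if c == "\t"]


# Constructed sample modelled on the Security/529 alert quoted in the thread:
# every "Name: Value" pair is preceded by a few spaces and a TAB, as found
# with od -a. The host names and IP address are placeholders.
RAW_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "WINSERVER: Logon Failure:   \tReason: Unknown user name or bad password  "
    "\tUser Name: ryan \tDomain: WINSERVER  \tLogon Type: 10 "
    "\tSource Network Address: 7.7.7.226  \tSource Port: 51287"
)
# What the same line looks like after a copy-paste into ossec-logtest:
# the tabs have silently become spaces.
PASTED_EVENT = RAW_EVENT.replace("\t", " ")

# Decoder regex from the original post (literal spaces around the fields).
BEFORE = r"User Name: (\w+) \.* Source Network Address: (\d+.\d+.\d+.\d+)"
# Regex from the RESOLVED post (\.* absorbs the tab before "Source").
AFTER = r"User\s+Name:\s*(\w+)\s+\.*Source Network Address:\s+(\d+.\d+.\d+.\d+)\s+"


def reproduce():
    """Run both decoders over both forms of the line, as ossec-logtest would."""
    return {
        "before_raw": ossec_match(BEFORE, RAW_EVENT),        # None
        "before_pasted": ossec_match(BEFORE, PASTED_EVENT),  # ('ryan', '7.7.7.226')
        "after_raw": ossec_match(AFTER, RAW_EVENT),          # ('ryan', '7.7.7.226')
        "after_pasted": ossec_match(AFTER, PASTED_EVENT),    # ('ryan', '7.7.7.226')
    }


if __name__ == "__main__":
    print("TAB offsets in raw line:", tab_positions(RAW_EVENT))
    for name, fields in reproduce().items():
        print(f"{name:14s} -> {fields}")
```

The "before_pasted" result is the false reassurance the thread describes: the pasted sample decodes, the line read straight from the alerts file does not.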



Re: [ossec-list] Using OSSEC on apache behind amazon ELB

2011-05-23 Thread Martin Gottlieb


Are the active responses getting the ELB IP addresses from your Apache 
access/error logs?  We
had a similar situation with Apache behind proxy servers.  Apache was 
logging the IP addresses
of the proxy servers.  The trick was to get Apache to log the client IP 
addresses.


If this is the case, you might want to look into mod_rpaf, which 
replaces the proxy IP addresses
with the actual client IPs.  This solution relies on the proxy servers 
(or load-balancers in your case)
adding a header ( X-Forwarded-For ) to the request that gets passed on 
to Apache.


Hope this helps.

Martin

On 5/23/2011 7:55 AM, Michael Burns wrote:

Hi,
We have OSSEC installed on a couple of web servers being load balanced
by ELB. We're finding that active response is blocking the ELB IP
address which effectively means our site becomes unavailable for the
duration of the active response.

Is it possible to use OSSEC active response behind a load balancer and
block based on the IP address of the actual request rather than the
load balancer?

Many Thanks,
Michael




Re: [ossec-list] Using OSSEC on apache behind amazon ELB

2011-05-24 Thread Martin Gottlieb


I guess it depends on your OSSEC/Network configuration.   Our OSSEC 
server triggers the firewall-drop
script on our firewall, which blocks access to our entire network, 
regardless of which OSSEC client triggered

the alert.

If you are only running active response scripts on the individual 
clients, then as Andy had mentioned,
you will need to write a script that runs on your Apache servers that 
calls the corresponding active
response script on the ELB(s).  rsh should do the trick if they're 
all Linux boxes.


On 5/24/2011 4:35 AM, Michael Burns wrote:

Hi,

We can log the X-Forwarded-For header in the apache log so we have the 
IP of the actual client performing the request rather than the ELB.


I'm a bit confused about how we would use the X-Forwarded-For  IP to 
block the offending client since there is only ever a connection 
between the load balancer and the web server; adding a  firewall rule 
to block the X-Forwarded-For IP wouldn't have any effect.


Thanks.

On 23 May 2011 19:52, Martin Gottlieb wrote:



Are the active responses getting the ELB IP addresses from your
Apache access/error logs?  We
had a similar situation with Apache behind proxy servers.  Apache
was logging the IP addresses
of the proxy servers.  The trick was to get Apache to log the
client IP addresses.

If this is the case, you might want to look into mod_rpaf, which
replaces the proxy IP addresses
with the actual client IPs.  This solution relies on the proxy
servers (or load-balancers in your case)
adding a header ( X-Forwarded-For ) to the request that gets
passed on to Apache.

    Hope this helps.

Martin


On 5/23/2011 7:55 AM, Michael Burns wrote:

Hi,
We have OSSEC installed on a couple of web servers being load
balanced
by ELB. We're finding that active response is blocking the ELB IP
address which effectively means our site becomes unavailable
for the
duration of the active response.

Is it possible to use OSSEC active response behind a load
balancer and
block based on the IP address of the actual request rather
than the
load balancer?

Many Thanks,
Michael









[ossec-list] Repeated Offenders not triggering

2013-03-12 Thread Martin G

I am running an agent/server configuration of OSSEC.  I have added the 
repeated offenders configuration block to all of my agents and the server 
as follows:

  
120,180,240
  


When I restart OSSEC, I do see the messages indicating that it recognizes 
the settings:

2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 120 (for 
#1)
2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 180 (for 
#2)
2013/03/12 10:05:50 ossec-execd: INFO: Adding offenders timeout: 240 (for 
#3)

However, I continue to see repeated attacks that are coming back every 
hour, or rather, the blocking is deleted after one hour each time:

Tue Mar 12 04:02:23 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363093523.180046077 5712
Tue Mar 12 10:06:29 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363097189.212231955 5712

I am running OSSEC version 2.6 on all machines.

The only answer I've seen to this issue is to make sure it is configured on 
the agent side but, as I mentioned, I am already doing that.

Am I missing something?

Thanks.

Martin

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




[ossec-list] repeated_offenders not working

2013-03-12 Thread Martin Gottlieb


Hello,

I have added the repeated_offenders configuration block to all of my 
agents and the server as follows:



120180240


When I restart OSSEC on the agent, I do see the messages indicating that 
it recognizes the settings:


2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 
(for #1)
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 
(for #2)
2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 
(for #3)


However, I continue to see repeated attacks where the blocking is 
deleted after the default 60 minutes each time:


Tue Mar 12 04:02:23 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363075343.32232753 5720
Tue Mar 12 05:02:55 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363075343.32232753 5720
Tue Mar 12 05:45:03 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363081503.103380375 5712
Tue Mar 12 06:46:19 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363081503.103380375 5712
Tue Mar 12 06:47:26 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363085246.126982032 5712
Tue Mar 12 07:48:42 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363085246.126982032 5712
Tue Mar 12 08:02:53 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363089773.151565087 5712
Tue Mar 12 09:04:16 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363089773.151565087 5712
Tue Mar 12 09:05:23 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
1363093523.180046077 5712
Tue Mar 12 10:06:19 EDT 2013 
/var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
1363093523.180046077 5712


The only solution I've seen to this issue is to make sure this is 
configured on the agent side, not the server.  As I mentioned, I have 
done this.

I am running OSSEC 2.6 on the server and all agents.

Am I missing something?

thanks.

Martin

PS.  Sorry if this is a duplicate posting, I tried posting through the 
web interface and it didn't show up.






Re: [ossec-list] repeated_offenders not working

2013-03-12 Thread Martin G

Not for me, but apparently it does for others.

On Tuesday, March 12, 2013 11:56:56 AM UTC-4, dan (ddpbsd) wrote:
>
>
> On Mar 12, 2013 11:40 AM, "Martin Gottlieb" 
> > 
> wrote:
> >
> >
> > Hello,
> >
> > I have added the repeated_offenders configuration block to all of my 
> agents and the server as follows: 
> >
> >  
> > 120180240 
> >  
> >
> > When I restart OSSEC on the agent, I do see the messages indicating that 
> it recognizes the settings:
> >
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 120 
> (for #1)
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 180 
> (for #2)
> > 2013/03/12 11:17:40 ossec-execd: INFO: Adding offenders timeout: 240 
> (for #3)
> >
> > However, I continue to see repeated attacks where the blocking is 
> deleted after the default 60 minutes each time:
> >
> > Tue Mar 12 04:02:23 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363075343.32232753 5720
> > Tue Mar 12 05:02:55 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363075343.32232753 5720
> > Tue Mar 12 05:45:03 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363081503.103380375 5712
> > Tue Mar 12 06:46:19 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363081503.103380375 5712
> > Tue Mar 12 06:47:26 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363085246.126982032 5712
> > Tue Mar 12 07:48:42 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363085246.126982032 5712
> > Tue Mar 12 08:02:53 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363089773.151565087 5712
> > Tue Mar 12 09:04:16 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363089773.151565087 5712
> > Tue Mar 12 09:05:23 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh add - 209.190.64.19 
> 1363093523.180046077 5712
> > Tue Mar 12 10:06:19 EDT 2013 
> /var/ossec/active-response/bin/firewall-drop.sh delete - 209.190.64.19 
> 1363093523.180046077 5712
> >
> > The only solution I've seen to this issue is to make sure this is 
> configured on the agent side, not the server.  As I mentioned, I have done 
> this.
>
> So this works if you correctly configure this setting on the agent?
>
> > I am running OSSEC 2.6 on the server and all agents.
> >
> > Am I missing something?
> >
> > thanks.
> >
> > Martin
> >
> > PS.  Sorry if this is a duplicate posting, I tried posting through the 
> web interface and it didn't show up.
> >





[ossec-list] Adding rule causes Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' errors

2014-09-18 Thread Dave Martin
I recently installed OSSEC 2.8 and have been adding rules to 
local_rules.xml with no problems until today.

When I add the following rule:

  
syslog
%ASA-3-305006: regular translation creation failed for 
icmp
Ignore Cisco ASA error 305006
  

I see the following errors on restart:

2014/09/18 17:03:11 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/09/18 17:03:11 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.

If I comment the rule and restart, all components startup without error. 
 Totally repeatable.  This suggests that there are no problems with 
permissions, etc.

The odd thing, is that the local_rules.xml contains a nearly-identical rule 
that causes no such problems:

  
syslog
%ASA-4-313005: No matching connection for ICMP error 
message
Ignore Cisco ASA error 313005
  

I've retyped and pasted and edited the working rule to guarantee that there 
are no invisible characters.

Any ideas what could be causing these errors?

Thanks!



[ossec-list] Re: Adding rule causes Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' errors

2014-09-18 Thread Dave Martin
If I delete another rule, the one in question can be added with no errors. 
 I guess we can only have 17 rules. :-)

Cheers!

On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
>
> I recently installed OSSEC 2.8 and have been adding rules to 
> local_rules.xml with no problems until today.
>
> When I add the following rule:
>
>   
> syslog
> %ASA-3-305006: regular translation creation failed for 
> icmp
> Ignore Cisco ASA error 305006
>   
>
> I see the following errors on restart:
>
> 2014/09/18 17:03:11 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2014/09/18 17:03:11 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
> If I comment the rule and restart, all components startup without error. 
>  Totally repeatable.  This suggests that there are no problems with 
> permissions, etc.
>
> The odd thing, is that the local_rules.xml contains a nearly-identical 
> rule that causes no such problems:
>
>   
> syslog
> %ASA-4-313005: No matching connection for ICMP error 
> message
> Ignore Cisco ASA error 313005
>   
>
> I've retyped and pasted and edited the working rule to guarantee that 
> there are no invisible characters.
>
> Any ideas what could be causing these errors?
>
> Thanks!
>
>



[ossec-list] Re: Adding rule causes Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' errors

2014-09-22 Thread Dave Martin
Thanks all.  I've attached a sanitized local_rules.xml file that exhibits 
the problem.  On my system, if I uncomment the last rule in the file and 
restart OSSEC, it throws the errors.

Cheers!

On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
>
> I recently installed OSSEC 2.8 and have been adding rules to 
> local_rules.xml with no problems until today.
>
> When I add the following rule:
>
>   
> syslog
> %ASA-3-305006: regular translation creation failed for 
> icmp
> Ignore Cisco ASA error 305006
>   
>
> I see the following errors on restart:
>
> 2014/09/18 17:03:11 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2014/09/18 17:03:11 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
> If I comment the rule and restart, all components startup without error. 
>  Totally repeatable.  This suggests that there are no problems with 
> permissions, etc.
>
> The odd thing, is that the local_rules.xml contains a nearly-identical 
> rule that causes no such problems:
>
>   
> syslog
> %ASA-4-313005: No matching connection for ICMP error 
> message
> Ignore Cisco ASA error 313005
>   
>
> I've retyped and pasted and edited the working rule to guarantee that 
> there are no invisible characters.
>
> Any ideas what could be causing these errors?
>
> Thanks!
>
>



local_rules.xml
Description: XML document


[ossec-list] Re: Adding rule causes Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' errors

2014-09-22 Thread Dave Martin
Removing the  sections did the trick.  Thanks!

On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
>
> I recently installed OSSEC 2.8 and have been adding rules to 
> local_rules.xml with no problems until today.
>
> When I add the following rule:
>
>   
> syslog
> %ASA-3-305006: regular translation creation failed for 
> icmp
> Ignore Cisco ASA error 305006
>   
>
> I see the following errors on restart:
>
> 2014/09/18 17:03:11 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2014/09/18 17:03:11 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
> If I comment the rule and restart, all components startup without error. 
>  Totally repeatable.  This suggests that there are no problems with 
> permissions, etc.
>
> The odd thing, is that the local_rules.xml contains a nearly-identical 
> rule that causes no such problems:
>
>   
> syslog
> %ASA-4-313005: No matching connection for ICMP error 
> message
> Ignore Cisco ASA error 313005
>   
>
> I've retyped and pasted and edited the working rule to guarantee that 
> there are no invisible characters.
>
> Any ideas what could be causing these errors?
>
> Thanks!
>
>



Re: [ossec-list] OSSEC not using database, where does it store information?

2014-10-28 Thread Andrew Martin
I am also interested in this topic. If I am understanding it correctly, 
each time OSSEC scans a client, it essentially creates a list of metadata 
for each matching file (including filesize, modification time, md5sum, 
sha1sum, filename, etc). From what I can see, this data is stored in 
/var/ossec/queue/syscheck/ and the format is documented here:
http://marc.info/?l=ossec-list&m=135842957311803&w=2

What happens with each subsequent scan? I would guess that OSSEC keeps at 
least the previous scan around and then diffs it with the most recent scan 
to see which files have been modified. If so, where is each subsequent scan 
stored on the OSSEC manager server? For example, is it something like this:

   - /var/ossec/queue/syscheck/ (most recent scan)
   - /var/ossec/queue/syscheck/.1 (scan from 6 hours ago)
   - /var/ossec/queue/syscheck/.2 (scan from 12 hours ago)


Thanks!

On Monday, 27 October 2014 09:23:29 UTC-5, dan (ddpbsd) wrote:
>
> On Fri, Oct 24, 2014 at 5:27 PM, Kyle Hopfensperger 
> > wrote: 
> > Hello, 
> > 
> > I just created an OSSEC server (14.04) and have it running on a few test 
> > machines, both Linux and Windows. I'm wondering where it is storing the 
> > information? I have it setup to use mysql but the tables seem to be 
> empty, 
>
> There's an alerts (data?) table, I think. Is that one empty? 
>
> > yet the ossec-wui shows data when I search. 
> > 
>
> In the past the WUI has used the text logfiles in /var/ossec/logs to 
> populate the pages. I don't think this has changed. 
>
> > 
> > Thanks for the help 
> > 
>



Re: [ossec-list] OSSEC not using database, where does it store information?

2014-10-28 Thread Andrew Martin
Okay, thanks for the clarification. Is there a point at which old entries
are then purged from the file (or do they remain in there forever)?

On 28 October 2014 08:47, dan (ddp)  wrote:

> On Tue, Oct 28, 2014 at 9:42 AM, Andrew Martin
>  wrote:
> > I am also interested in this topic. If I am understanding it correctly,
> each
> > time OSSEC scans a client, it essentially creates a list of metadata for
> > each matching file (including filesize, modification time, md5sum,
> sha1sum,
> > filename, etc). From what I can see, this data is stored in
> > /var/ossec/queue/syscheck/ and the format is documented here:
> > http://marc.info/?l=ossec-list&m=135842957311803&w=2
> >
> > What happens with each subsequent scan? I would guess that OSSEC keeps at
> > least the previous scan around and then diffs it with the most recent
> scan
> > to see which files have been modified. If so, where is each subsequent
> scan
> > stored on the OSSEC manager server? For example, is it something like
> this:
> >
>
> Nope. New or updated entries are added to the file. Old entries are
> commented out.
>
> > /var/ossec/queue/syscheck/ (most recent scan)
> > /var/ossec/queue/syscheck/.1 (scan from 6 hours ago)
> > /var/ossec/queue/syscheck/.2 (scan from 12 hours ago)
> >
> >
> > Thanks!
> >
> > On Monday, 27 October 2014 09:23:29 UTC-5, dan (ddpbsd) wrote:
> >>
> >> On Fri, Oct 24, 2014 at 5:27 PM, Kyle Hopfensperger
> >>  wrote:
> >> > Hello,
> >> >
> >> > I just created an OSSEC server (14.04) and have it running on a few
> test
> >> > machines, both Linux and Windows. I'm wondering where it is storing
> the
> >> > information? I have it setup to use mysql but the tables seem to be
> >> > empty,
> >>
> >> There's an alerts (data?) table, I think. Is that one empty?
> >>
> >> > yet the ossec-wui shows data when I search.
> >> >
> >>
> >> In the past the WUI has used the text logfiles in /var/ossec/logs to
> >> populate the pages. I don't think this has changed.
> >>
> >> >
> >> > Thanks for the help
> >> >


[ossec-list] syscheck rule 550 - logs from ossec server missing hashes

2015-01-13 Thread Martin Kvocka
Hi,

we have Ossec server/agents (2.7.0) for monitoring file integrity. Both 
include check_all="yes" in their syscheck configurations. The agents work 
perfectly and report file changes including their old/current MD5 and SHA1 
hashes. However, logs from the Ossec server machine report only file 
changes, but don't include the hashes. 

Did any of you encounter this issue? How should I debug it?

Thanks



[ossec-list] Re: syscheck rule 550 - logs from ossec server missing hashes

2015-01-13 Thread Martin Kvocka
Hi,

I'll try to simulate this tomorrow in virtual machines, as I don't have the 
necessary access to the environment (I only receive the logs from syslog). 
I'll post the results. 

MK

On Tuesday, January 13, 2015 at 3:40:26 PM UTC+1, Martin Kvocka wrote:
>
> Hi,
>
> we have Ossec server/agents (2.7.0) for monitoring file integrity. Both 
> include check_all="yes" in their syscheck configurations. The agents work 
> perfectly and report file changes including their old/current MD5 and SHA1 
> hashes. However, logs from the Ossec server machine report only file 
> changes, but don't include the hashes. 
>
> Did any of you encounter this issue? How should I debug it?
>
> Thanks
>



Re: [ossec-list] syscheck rule 550 - logs from ossec server missing hashes

2015-01-14 Thread Martin Kvocka
Hi,

I managed to get the samples. In manager syscheck queue I found the 
following:

#++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421093166 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
#++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421129146 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
#!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421165040 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
!!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421201008 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel

And in logs:

Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity 
checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity 
checksum changed for: 'C:\Program Files/Microsoft 
SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'

Jan 13 17:04:00 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity 
checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity 
checksum changed for: 'C:\Program Files/Microsoft 
SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'


I just realized that the .xel file seems to be a log file and may change 
often - may this be the cause?

Thanks,
MK

On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
>
> On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka  > wrote: 
> > Hi, 
> > 
> > we have Ossec server/agents (2.7.0) for monitoring file integrity. Both 
> > include check_all="yes" in their syscheck configurations. The agents 
> work 
> > perfectly and report file changes including their old/current MD5 and 
> SHA1 
> > hashes. However, logs from the Ossec server machine report only file 
> > changes, but don't include the hashes. 
> > 
> > Did any of you encounter this issue? How should I debug it? 
> > 
>
>
> Can you show us an example? 
> Do the hashes exist in the syscheck db for the manager? 
>
> > Thanks 
> > 


Re: [ossec-list] syscheck rule 550 - logs from ossec server missing hashes

2015-01-15 Thread Martin Kvocka
I checked the alerts log and the hashes are not there. There are however
longer entries than these (f.e. registry keys) that include hashes.

I will, for now, assume that the hash is not computed as the file changes
too often and will observe if other (standard) files report hashes
correctly.

Thanks for your help dan.

On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp)  wrote:

> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka  wrote:
> > Hi,
> >
> > I managed to get the samples. In manager syscheck queue I found the
> > following:
> >
> >
> #++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> > !1421093166 C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >
> #++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> > !1421129146 C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >
> #!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> > !1421165040 C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >
> !!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> > !1421201008 C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >
> > And in logs:
> >
> > Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity
> > checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity
> > checksum changed for: 'C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'
> >
> > Jan 13 17:04:00 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity
> > checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity
> > checksum changed for: 'C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'
> >
> >
> > I just realized that the .xel file seems to be a log file and may change
> > often - may this be the cause?
> >
>
> The hashes are there in the syscheck db, but not in your syslog
> messages. I'm guessing that adding the hashes makes the messages too
> long so they were trimmed. You can check the alerts.log file for the
> original alerts to see if the hashes are there.
>
> > Thanks,
> > MK
> >
> > On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka 
> wrote:
> >> > Hi,
> >> >
> >> > we have Ossec server/agents (2.7.0) for monitoring file integrity.
> Both
> >> > include check_all="yes" in their syscheck configurations. The agents
> >> > work
> >> > perfectly and report file changes including their old/current MD5 and
> >> > SHA1
> >> > hashes. However, logs from the Ossec server machine report only file
> >> > changes, but don't include the hashes.
> >> >
> >> > Did any of you encounter this issue? How should I debug it?
> >> >
> >>
> >>
> >> Can you show us an example?
> >> Do the hashes exist in the syscheck db for the manager?
> >>
> >> > Thanks
> >> >


Re: [ossec-list] syscheck rule 550 - logs from ossec server missing hashes

2015-01-15 Thread Martin Kvocka
Yes, here are two:

** Alert 1421201008.92848: mail  - ossec,syscheck,
2015 Jan 14 03:03:28 (hostname) a.b.c.d->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Program Files/Microsoft SQL 
Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'
Size changed from '465920' to '619520'

** Alert 1421236975.304052: mail  - ossec,syscheck,
2015 Jan 14 13:02:55 (hostname) a.b.c.d->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Program Files/Microsoft SQL 
Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'
Size changed from '619520' to '773120'

Alert including hashes:

** Alert 1421237527.307675: mail  - ossec,syscheck,
2015 Jan 14 13:12:07 (hostname) a.b.c.d->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\Program Files/ESET/ESET File 
Security/em023_32.dat'
Size changed from '4999753' to '4837924'
Old md5sum was: 'b1cc041394714fa91d79ffb191f86e52'
New md5sum is : '02bae5f0b36acaa39b894111efabb0f3'
Old sha1sum was: '3a02dc803999a7e66304c0bf7d501ed3dad03f75'
New sha1sum is : '99eb652ad7dd9e2c782c5599d1eaa5e3dc2078fb'



On Thursday, January 15, 2015 at 2:19:26 PM UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jan 15, 2015 at 4:39 AM, Martin Kvocka  > wrote: 
> > I checked the alerts log and the hashes are not there. There are however 
> > longer entries than these (f.e. registry keys) that include hashes. 
> > 
>
> Can you provide an example of an alert that does not include the hash? 
> I've never seen that before. 
>
> > I will, for now, assume that the hash is not computed as the file 
> changes 
> > too often and will observe if other (standard) files report hashes 
> > correctly. 
> > 
>
> The examples from the syscheck db have hashes. The hashes are being 
> computed. 
>
> > Thanks for your help dan. 
> > 
> > On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp)  > wrote: 
> >> 
> >> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka  > wrote: 
> >> > Hi, 
> >> > 
> >> > I managed to get the samples. In manager syscheck queue I found the 
> >> > following: 
> >> > 
> >> > 
> >> > 
> #++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
>  
>
> >> > !1421093166 C:\Program Files/Microsoft SQL 
> >> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel 
> >> > 
> >> > 
> #++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
>  
>
> >> > !1421129146 C:\Program Files/Microsoft SQL 
> >> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel 
> >> > 
> >> > 
> #!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
>  
>
> >> > !1421165040 C:\Program Files/Microsoft SQL 
> >> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel 
> >> > 
> >> > 
> !!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
>  
>
> >> > !1421201008 C:\Program Files/Microsoft SQL 
> >> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel 
> >> > 
> >> > And in logs: 
> >> > 
> >> > Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity 
> >> > checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity 
> >> > checksum changed for: 'C:\Program Files/Microsoft SQL 
> >> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel' 
> >> > 
> >> > Jan 13 17:04:00 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity 
> >> > checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity 
> >> > checksum changed for: 'C:\Program Files/Microsoft SQL 
> >> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel' 
> >> > 
> >> > 
> >> > I just realized that the .xel file seems to be a log file and may 
> change 
> >> > often - may this be the cause? 
> >> > 
> >> 
> >> The hashes are there in the syscheck db, but not in your syslog 
> >> messages. I'm guessing that adding the hashes makes the messages too 
> >> long so they were trimmed. You can check the aler

Re: [ossec-list] syscheck rule 550 - logs from ossec server missing hashes

2015-01-16 Thread Martin Kvocka
Ok, I understand it now. I thought size/permission changes would be a
different rule, not 550.

Thanks!

On Thu, Jan 15, 2015 at 4:27 PM, dan (ddp)  wrote:

> On Thu, Jan 15, 2015 at 9:45 AM, Martin Kvocka  wrote:
> > Yes, here are two:
> >
> > ** Alert 1421201008.92848: mail  - ossec,syscheck,
> > 2015 Jan 14 03:03:28 (hostname) a.b.c.d->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: 'C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'
> > Size changed from '465920' to '619520'
> >
> > ** Alert 1421236975.304052: mail  - ossec,syscheck,
> > 2015 Jan 14 13:02:55 (hostname) a.b.c.d->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: 'C:\Program Files/Microsoft SQL
> > Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel'
> > Size changed from '619520' to '773120'
> >
>
> Checking the size is a different check than the checksum. If you just
> want checksums, look at the check_all option in your 
> blocks.
>
> > Alert including hashes:
> >
> > ** Alert 1421237527.307675: mail  - ossec,syscheck,
> > 2015 Jan 14 13:12:07 (hostname) a.b.c.d->syscheck
> > Rule: 550 (level 7) -> 'Integrity checksum changed.'
> > Integrity checksum changed for: 'C:\Program Files/ESET/ESET File
> > Security/em023_32.dat'
> > Size changed from '4999753' to '4837924'
> > Old md5sum was: 'b1cc041394714fa91d79ffb191f86e52'
> > New md5sum is : '02bae5f0b36acaa39b894111efabb0f3'
> > Old sha1sum was: '3a02dc803999a7e66304c0bf7d501ed3dad03f75'
> > New sha1sum is : '99eb652ad7dd9e2c782c5599d1eaa5e3dc2078fb'
> >
> >
> >
> > On Thursday, January 15, 2015 at 2:19:26 PM UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jan 15, 2015 at 4:39 AM, Martin Kvocka 
> wrote:
> >> > I checked the alerts log and the hashes are not there. There are
> however
> >> > longer entries than these (f.e. registry keys) that include hashes.
> >> >
> >>
> >> Can you provide an example of an alert that does not include the hash?
> >> I've never seen that before.
> >>
> >> > I will, for now, assume that the hash is not computed as the file
> >> > changes
> >> > too often and will observe if other (standard) files report hashes
> >> > correctly.
> >> >
> >>
> >> The examples from the syscheck db have hashes. The hashes are being
> >> computed.
> >>
> >> > Thanks for your help dan.
> >> >
> >> > On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp)  wrote:
> >> >>
> >> >> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka 
> >> >> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I managed to get the samples. In manager syscheck queue I found the
> >> >> > following:
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> #++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> >> >> > !1421093166 C:\Program Files/Microsoft SQL
> >> >> >
> Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >> >> >
> >> >> >
> >> >> >
> #++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> >> >> > !1421129146 C:\Program Files/Microsoft SQL
> >> >> >
> Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >> >> >
> >> >> >
> >> >> >
> #!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> >> >> > !1421165040 C:\Program Files/Microsoft SQL
> >> >> >
> Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >> >> >
> >> >> >
> >> >> >
> !!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58
> >> >> > !1421201008 C:\Program Files/Microsoft SQL
> >> >> >
> Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
> >> >> >
> >> >> > And in logs:
> >> >> >
> >> &
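
The syscheck database entries quoted in this thread, together with dan's two explanations (a newer entry is appended and the old one commented out; the size check is separate from the checksum), can be verified mechanically. The Python script below is an added example, not OSSEC code: it parses the 2.7-era entry layout shown above (three flag characters, then size:perm:uid:gid:md5:sha1, then !mtime and the path), groups entries by path, and reports which attributes differ between the last two versions of each file. The sample database is constructed from the system_health_*.xel entries and the ESET alert values quoted in the thread; the permission value and first mtime of the ESET entry are assumed.

```python
"""Parse an OSSEC 2.x syscheck database (queue/syscheck/<agent> on the manager)
and explain what changed between successive entries for each monitored path.

Layout of one entry, as seen in the thread above:
    <flag><flag><flag><size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>
The first flag is overwritten with '#' when a newer entry for the same path is
appended, and the number of '!' flags grows with each recorded change (up to three).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four system_health_*.xel entries quoted in the thread plus
# an em023_32.dat history built from the ESET alert's sizes and hashes (the permission
# value 33206 and the first mtime of that file are assumed, not taken from the thread).
SAMPLE_DB = r"""
#++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421093166 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
#++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421129146 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
#!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421165040 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
!!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421201008 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel
#++4999753:33206:0:0:b1cc041394714fa91d79ffb191f86e52:3a02dc803999a7e66304c0bf7d501ed3dad03f75 !1421150000 C:\Program Files/ESET/ESET File Security/em023_32.dat
!++4837924:33206:0:0:02bae5f0b36acaa39b894111efabb0f3:99eb652ad7dd9e2c782c5599d1eaa5e3dc2078fb !1421237527 C:\Program Files/ESET/ESET File Security/em023_32.dat
"""

SQL_LOG = r"C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_13065544715577.xel"
ESET_DAT = r"C:\Program Files/ESET/ESET File Security/em023_32.dat"


@dataclass
class Entry:
    superseded: bool  # first flag is '#': a later entry for the same path replaced this one
    changes: int      # count of '!' flags: how many changes had been recorded when written
    size: int
    perm: int
    uid: str
    gid: str
    md5: str
    sha1: str
    mtime: int
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one database line; returns None for blank or unrecognised lines."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    try:
        checksum, rest = line.split(" !", 1)  # " !" separates the checksum from the mtime
        mtime, path = rest.split(" ", 1)       # the path itself may contain spaces
    except ValueError:
        return None
    flags, fields = checksum[:3], checksum[3:].split(":")
    if len(fields) < 6 or any(c not in "#!+" for c in flags) or not mtime.isdigit():
        return None
    size, perm, uid, gid, md5, sha1 = fields[:6]
    if not (size.isdigit() and perm.isdigit()):
        return None
    return Entry(flags[0] == "#", flags.count("!"), int(size), int(perm),
                 uid, gid, md5, sha1, int(mtime), path)


def load_db(text: str) -> Dict[str, List[Entry]]:
    """Group entries by path in file order; the last entry of a path is the current one."""
    history: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            history.setdefault(entry.path, []).append(entry)
    return history


COMPARED = ("size", "perm", "uid", "gid", "md5", "sha1")


def changed_fields(old: Entry, new: Entry) -> Dict[str, Tuple]:
    """Attributes that differ between two versions, as name -> (old, new)."""
    return {f: (getattr(old, f), getattr(new, f))
            for f in COMPARED if getattr(old, f) != getattr(new, f)}


def explain(history: Dict[str, List[Entry]]) -> Dict[str, dict]:
    """Per path: number of recorded versions, the '!' counter of the current entry,
    the attributes that changed in the most recent update and whether the hashes moved.
    A diff containing only 'size' with hashes_changed False is the situation in the
    thread: rule 550 fires on the size change, and the alert has no md5/sha1 lines
    because there was no hash change to report."""
    report = {}
    for path, entries in history.items():
        current = entries[-1]
        previous = entries[-2] if len(entries) > 1 else None
        report[path] = {
            "versions": len(entries),
            "changes_flagged": current.changes,
            "diff": changed_fields(previous, current) if previous else {},
            "hashes_changed": previous is not None
            and (previous.md5, previous.sha1) != (current.md5, current.sha1),
        }
    return report


def demo_report() -> Dict[str, dict]:
    return explain(load_db(SAMPLE_DB))


if __name__ == "__main__":
    for path, info in demo_report().items():
        print(path, info)
```

Run against a real manager, `load_db(open("/var/ossec/queue/syscheck/(agent) ip->syscheck").read())` gives the same report for every path the agent has ever sent, which is also a quick way to answer the earlier question in this archive about whether old entries are purged: they are not, they stay in the file as `#` lines.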

[ossec-list] Active Response - What am I missing

2015-02-19 Thread Martin G
Hi,

I'm new to Ossec and I have it configured and setup using the 2.8.1 virtual 
appliance. Everything is working great except for Active Response and I 
cannot figure out what I am missing in order to get it working. I'm using 
Ossec to monitor a Linux web server and a spam filtering server. 

On the Ossec virtual server, in ossec.conf, I have the following command 
definition

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

and then the active response section

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31151</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

I have saved and restarted ossec, however the active response does not 
appear to be working.

If I run agent_control -L I get the following
./agent_control -L

OSSEC HIDS agent_control. Available active responses:

   No active response available.

I have also tried adding the line <disabled>no</disabled> to the active 
response section without it making any difference.

Is there some master switch to turn active response on?
What am I missing in order to get this working? 

Thanks for the help

Martin


Re: [ossec-list] Active Response - What am I missing

2015-02-23 Thread Martin G


On Friday, 20 February 2015 04:59:28 UTC-7, dan (ddpbsd) wrote:
>
> On Thu, Feb 19, 2015 at 10:25 PM, Martin G  > wrote: 
> > Hi, 
> > 
> > I'm new to Ossec and I have it configured and setup using the 2.8.1 
> virtual 
> > appliance. Everything is working great except for Active Response and I 
> > cannot figure out what I am missing in order to get it working. I'm using 
> > Ossec to monitor a Linux web server and a spam filtering server. 
> > 
> > On the Ossec virtual server, in ossec.conf, I have the following command 
> > definition 
> >
> >   <command>
> >     <name>firewall-drop</name>
> >     <executable>firewall-drop.sh</executable>
> >     <expect>srcip</expect>
> >     <timeout_allowed>yes</timeout_allowed>
> >   </command>
> >
> > and then the active response section
> >
> >   <active-response>
> >     <command>firewall-drop</command>
> >     <location>local</location>
> >     <rules_id>31151</rules_id>
> >     <timeout>600</timeout>
> >     <repeated_offenders>30,60,120</repeated_offenders>
> >   </active-response>
> > 
> > I have saved and restarted ossec, however the active response does not 
> > appear to be working. 
> > 
> > If I run agent_control -L I get the following 
> > ./agent_control -L 
> > 
> > OSSEC HIDS agent_control. Available active responses: 
> > 
> >No active response available. 
> > 
> > I have also tried adding the line <disabled>no</disabled> to the active 
> > response section without it making any difference. 
> > 
> > Is there some master switch to turn active response on? 
> > What am I missing in order to get this working? 
> > 
>
> Is ossec-execd running on the agent? 
>

Yes ossec-execd is running on each agent
 

> Does /var/ossec/etc/shared/ar.conf exist on the agent? Are the contents 
> sane? 
>

It appeared that ar.conf was missing on each agent. I created ar.conf from 
the master server and placed it in the shared folder of each client.
 

> Did you keep AR enabled on the agent when you installed OSSEC? 
>

I installed the clients using the Atomic RPM's and so did not go through 
the installation/configuration 

ossec_agent -L still says that there is no active response but I now see 
entries on the clients in the active-response.log file, so I assume it is 
working.

Thx

Martin

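
The questions dan asks in this exchange (is ossec-execd running, does ar.conf exist, was active response left enabled) are the runtime side of the problem; the configuration side of the original post can be checked before a restart. The Python script below is an added example, not part of OSSEC: it loads an ossec.conf fragment with xml.etree and reports the mistakes that stop a response from ever running: a block referencing a command no <command> defines, a <location> value OSSEC does not accept, a defined-agent location without <agent_id>, a block with no trigger (<rules_id>, <level> or <rules_group>), non-numeric <timeout> or <repeated_offenders>, and a <disabled>yes</disabled> switch in any <active-response> block. The sample configuration is constructed: the first two blocks are the ones from the post above and the third is deliberately broken.

```python
"""Sanity-check the <command> and <active-response> blocks of an OSSEC ossec.conf.

Added example, not OSSEC code. Only the element names OSSEC uses for active
response configuration are referenced; the sample configuration is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}
TRIGGERS = ("rules_id", "level", "rules_group")

# Constructed sample: the two blocks from the post above, plus a deliberately broken
# third block (typo in the command name, defined-agent without agent_id, bad timeout).
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31151</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

  <active-response>
    <command>firewal-drop</command>
    <location>defined-agent</location>
    <level>10</level>
    <timeout>ten minutes</timeout>
  </active-response>
</ossec_config>
"""


def _text(element: ET.Element, tag: str) -> str:
    child = element.find(tag)
    return (child.text or "").strip() if child is not None else ""


def validate_active_response(conf_xml: str,
                             installed_scripts: Optional[Set[str]] = None) -> List[str]:
    """Return human-readable problems; an empty list means the blocks are consistent.

    installed_scripts, if given, is the set of file names found in
    /var/ossec/active-response/bin, so <executable> references can be checked too."""
    root = ET.fromstring(conf_xml)
    problems: List[str] = []

    # findall() (direct children only) matters: <command> also appears *inside*
    # <active-response>, where it is a reference rather than a definition.
    commands: Dict[str, ET.Element] = {}
    for cmd in root.findall("command"):
        name = _text(cmd, "name")
        if not name:
            problems.append("<command> block without <name>")
            continue
        if name in commands:
            problems.append(f"command {name!r} is defined twice")
        commands[name] = cmd
        executable = _text(cmd, "executable")
        if not executable:
            problems.append(f"command {name!r}: missing <executable>")
        elif installed_scripts is not None and executable not in installed_scripts:
            problems.append(f"command {name!r}: {executable!r} is not in active-response/bin")

    for index, ar in enumerate(root.findall("active-response"), start=1):
        if _text(ar, "disabled").lower() == "yes":
            problems.append("active response is disabled (<disabled>yes</disabled> in an <active-response> block)")
        if ar.find("command") is None:
            continue  # a bare switch-only block has nothing else to check
        tag = f"active-response #{index}"
        name = _text(ar, "command")
        if name not in commands:
            problems.append(f"{tag}: command {name!r} is not defined by any <command> block")
        location = _text(ar, "location")
        if location not in VALID_LOCATIONS:
            problems.append(f"{tag}: invalid <location> {location!r}")
        elif location == "defined-agent" and not _text(ar, "agent_id"):
            problems.append(f"{tag}: <location>defined-agent</location> requires <agent_id>")
        if not any(ar.find(t) is not None for t in TRIGGERS):
            problems.append(f"{tag}: no trigger ({', '.join(TRIGGERS)})")
        timeout = _text(ar, "timeout")
        if timeout and not timeout.isdigit():
            problems.append(f"{tag}: <timeout> must be a number of seconds, got {timeout!r}")
        offenders = _text(ar, "repeated_offenders")
        if offenders and not all(p.strip().isdigit() for p in offenders.split(",")):
            problems.append(f"{tag}: <repeated_offenders> must be comma-separated minutes, got {offenders!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_active_response(SAMPLE_CONF):
        print("-", problem)
```

A real ossec.conf may hold several top-level <ossec_config> elements; wrap the file contents in one dummy root before calling the validator, and pass `set(os.listdir("/var/ossec/active-response/bin"))` as installed_scripts to catch a script that was never copied into place.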


Re: [ossec-list] alert email

2015-05-08 Thread pascal martin
yes

2015-05-08 20:39 GMT+02:00 dan (ddp) :

> On Fri, May 8, 2015 at 2:36 PM, pmartin2b  wrote:
> > Hi,
> > I used this configuration in ossec.conf to receive email from ossec
> >
> > <alerts>
> >   <log_alert_level>1</log_alert_level>
> >   <email_alert_level>6</email_alert_level>
> > </alerts>
> >
> > but I already received alert from level 2.
> > how can I change the ossec.conf ?
> >
>
> Was it rule ID 1002?
>
> > thk
> >
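
The reason dan asks about rule 1002 is that the stock rule carries <options>alert_by_email</options>, which mails an alert regardless of <email_alert_level> (the opposite option, no_email_alert, suppresses mail for a rule whatever its level). The Python script below is an added example, not OSSEC code: it walks a rules file and lists every rule that will mail below the configured threshold, so the surprise in this thread can be found before it lands in the inbox. The rules file is a constructed sample whose first rule mirrors the stock 1002; the 1000xx rules are invented local rules, and the ossec.conf fragment is the one from the post.

```python
"""List OSSEC rules that will send e-mail regardless of <email_alert_level>.

Added example, not OSSEC code. It relies only on the rule options alert_by_email
and no_email_alert and on the <alerts><email_alert_level> setting."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample: rule 1002 mirrors the stock syslog rule (level 2, alert_by_email);
# the 1000xx rules are invented local rules.
SAMPLE_RULES = """
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
<group name="local,">
  <rule id="100001" level="7">
    <description>Constructed: mailed because 7 is above the threshold.</description>
  </rule>
  <rule id="100002" level="9">
    <options>no_email_alert</options>
    <description>Constructed: high level but explicitly never mailed.</description>
  </rule>
  <rule id="100003" level="3">
    <description>Constructed: quiet rule below the threshold.</description>
  </rule>
</group>
"""

# The <alerts> block from the post above.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>
</ossec_config>
"""


def email_alert_level(conf_xml: str) -> int:
    """Read <alerts><email_alert_level>; raise if the setting is absent."""
    node = ET.fromstring(conf_xml).find("alerts/email_alert_level")
    if node is None or not node.text:
        raise ValueError("no <email_alert_level> in <alerts>")
    return int(node.text.strip())


def rule_options(rule: ET.Element) -> set:
    """A rule may carry several <options> elements; collect them all."""
    return {(o.text or "").strip() for o in rule.findall("options")}


def will_email(rule: ET.Element, threshold: int) -> Tuple[bool, str]:
    """Decide whether an alert from this rule is mailed and say why."""
    opts = rule_options(rule)
    level = int(rule.get("level", "0"))
    if "no_email_alert" in opts:
        return False, "no_email_alert"
    if "alert_by_email" in opts:
        return True, "alert_by_email"
    if level >= threshold:
        return True, f"level {level} >= {threshold}"
    return False, f"level {level} < {threshold}"


def _parse_rules(rules_xml: str) -> ET.Element:
    # A rules file holds several top-level <group> elements, which is not a single
    # XML document, so wrap it before parsing.
    return ET.fromstring(f"<rules>{rules_xml}</rules>")


def classify_rules(rules_xml: str, threshold: int) -> Dict[str, Tuple[bool, str]]:
    return {rule.get("id"): will_email(rule, threshold)
            for rule in _parse_rules(rules_xml).iter("rule")}


def surprise_emails(rules_xml: str, threshold: int) -> List[str]:
    """Ids of rules that mail even though their level is below the threshold."""
    return [rule.get("id") for rule in _parse_rules(rules_xml).iter("rule")
            if will_email(rule, threshold)[0] and int(rule.get("level", "0")) < threshold]


if __name__ == "__main__":
    level = email_alert_level(SAMPLE_OSSEC_CONF)
    print("mailed below level", level, ":", surprise_emails(SAMPLE_RULES, level))
```

Run it over the files in /var/ossec/rules to get the full list; a local rule that overrides 1002 with <options>no_email_alert</options> is the usual way to quiet it without touching the shipped rules file.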


[ossec-list] Agents unable to send messages to Server

2006-08-03 Thread Martin Gottlieb

Hello,

I am trying to set up a new install of OSSEC and am having difficulty
getting the agents to communicate with the server.

All machines have port 1514 open and I have added the agent machines'
ip addresses to the server config (using  ) and generated and
imported new authentication keys on each Agent.

In the server log, I am seeing lots of messages like this:

2006/08/03 13:57:54 ossec-remoted(2202): Error uncompressing string.

Are there any dependencies on the versions of zlib ?

My Server is running Fedora Core release 4 (Stentz), which has zlib
version zlib-1.2.2.2-5.fc4

One Agent is running RH7.3 with zlib 1.1.4-8.7x and another is running
RH ES 3 with zlib 1.1.4-8.1
The first agent is logging errors like:

2006/08/03 13:13:23 ossec-agentd(1218): Unable to send message to server.

while the other agent is not logging any errors at all.

Any ideas ?  Sorry if I've omitted any pertinent info, I'll be happy to
provide additional config info if it would be helpful.

Thanks.

Martin
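
The checklist Daniel gives later in this thread (the agent really has the right key, the address in client.keys matches what ifconfig shows, port 1514 is not filtered) is mechanical enough to script. The Python below is an added example, not part of OSSEC: it parses the client.keys layout used on both manager and agent (id, name, IP or CIDR or "any", key), confirms that the agent's single line matches the manager's entry for that id, and checks that the manager's address field covers one of the agent's interface addresses. Every address, name and key in it is a constructed placeholder.

```python
"""Cross-check an OSSEC agent's client.keys line against the manager's client.keys.

Added example, not OSSEC code. Lines on both sides look like
    <id> <name> <ip|cidr|any> <key>
The agent's one line must equal the manager's entry for it, and the manager's
address field must cover the source address the agent actually connects from."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed placeholders: names, addresses and keys are invented for the example.
KEY_A = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
KEY_B = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
SERVER_KEYS = (f"001 web-agent 192.168.1.10 {KEY_A}\n"
               f"002 spam-filter 10.0.0.0/24 {KEY_B}\n")
AGENT_OK = f"001 web-agent 192.168.1.10 {KEY_A}\n"
AGENT_WRONG_KEY = f"001 web-agent 192.168.1.10 {'f' * 64}\n"  # key from a stale export


@dataclass(frozen=True)
class KeyEntry:
    id: str
    name: str
    ip: str
    key: str


def parse_client_keys(text: str) -> List[KeyEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        entries.append(KeyEntry(*parts))
    return entries


def address_matches(field: str, agent_ip: str) -> bool:
    """True if the address field ('any', a host address or a CIDR block) covers agent_ip."""
    if field == "any":
        return True
    return ipaddress.ip_address(agent_ip) in ipaddress.ip_network(field, strict=False)


def audit_server_keys(entries: List[KeyEntry]) -> List[str]:
    """Duplicate ids or names, and address fields the manager could not parse."""
    problems, seen_ids, seen_names = [], set(), set()
    for e in entries:
        if e.id in seen_ids:
            problems.append(f"duplicate agent id {e.id}")
        if e.name in seen_names:
            problems.append(f"duplicate agent name {e.name!r}")
        seen_ids.add(e.id)
        seen_names.add(e.name)
        if e.ip != "any":
            try:
                ipaddress.ip_network(e.ip, strict=False)
            except ValueError:
                problems.append(f"agent {e.id}: unparseable address {e.ip!r}")
    return problems


def check_agent(server_keys: List[KeyEntry], agent_keys: List[KeyEntry],
                agent_addresses: List[str]) -> List[str]:
    """Explain why the manager would not accept this agent's messages, or return []."""
    if len(agent_keys) != 1:
        return [f"agent should carry exactly one key line, found {len(agent_keys)}"]
    mine = agent_keys[0]
    theirs = next((e for e in server_keys if e.id == mine.id), None)
    if theirs is None:
        return [f"manager has no entry for agent id {mine.id}"]
    problems = [f"{field} differs between manager and agent copies"
                for field in ("name", "ip", "key")
                if getattr(theirs, field) != getattr(mine, field)]
    if not any(address_matches(theirs.ip, a) for a in agent_addresses):
        problems.append(f"manager entry allows {theirs.ip!r} but the agent's addresses are {agent_addresses}")
    return problems


if __name__ == "__main__":
    server = parse_client_keys(SERVER_KEYS)
    print(check_agent(server, parse_client_keys(AGENT_OK), ["127.0.0.1", "192.168.1.10"]))
    print(check_agent(server, parse_client_keys(AGENT_WRONG_KEY), ["192.168.1.10"]))
```

Feed it the real files (/var/ossec/etc/client.keys on each side) and the agent's interface addresses; it does not cover the zlib question raised above, only the key and address mismatches that produce the same "unable to send message" symptom.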






[ossec-list] ossec 0.9

2006-08-04 Thread Martin Leung

Hi,

Just tried ossec 0.9 and have some queries:

1. The syscheck daemon takes up significant CPU time on my box.
Can it be throttled or scheduled at a fixed time?

2. I enabled active-response on server but disabled on agent
machine. However, agent host still responds to attacks using
the policy on server. Is it a bug or feature?

3. The time zone fix stated at:

 http://www.ossec.net/ossec-list/2006-June/msg00019.html

seems to have a side effect. On my Fedora 4 box, the mail header
becomes + (HKT). I reverted the change and it works
(becomes +0800).

4. On Solaris, it may be worth including /var/adm/message in the
default monitor list.

BTW, OSSEC is great. Easy to install and useful.

Rgds.
Martin


[ossec-list] Re: ossec 0.9

2006-08-05 Thread Martin Leung

Hi oahmet,

oahmet wrote:


Hi again,

I just checked my 0.9 installed debian box and everything seems normal.
Alert e-mails are coming with correct date (timezone values).
Is it possible to send us a sample alert e-mail with full headers?
(just copy&paste from /var/spool/mail).


Here you are:

Return-path: <[EMAIL PROTECTED]>
Date: Sun, 06 Aug 2006 01:42:49 + (HKT)
From: OSSEC HIDS <[EMAIL PROTECTED]>
Subject: OSSEC Notification - localhost - Alert level 8
To: [EMAIL PROTECTED]

The above is from Fedora Core 5.

Also, I think I found a typo at point 3.5 of the installation script. 
The script says syslog collector port is 514 but it seems to be 1514 
instead.


ossec-rem   621   ossecr4u  IPv4 10883705   UDP *:1514



PS: I'll also add /var/adm/messages to config file on solaris systems.

Regards,

Ahmet Ozturk.



Ahmet Ozturk wrote:


Hi Martin,

Let me answer your first 2 questions:
1. I'm not sure if you can throttle the syscheck cpu usage directly
(you may use nice command for a running process, but I don't know


Thanks for the idea. I will modify the ossec-control script to reduce 
its priority.


a way to automate this). syscheckd  starts to run  every 2 hours by 
default,
you may want to change this. (see  and other options in 
ossec.conf)

(http://www.ossec.net/en/manual.html#syscheck_options)


The frequency is what concerns me. I would prefer to have it run when my 
server is free. It could be some time early in the morning or when the 
CPU usage drops below a certain level.




2. For active-response issue, please check the  option
in ossec.conf file on the server. if it has the value "local" it will 
execute

the active-response on the agent that generated the alert. If you want to
use active-response only on your server, this value should be set to
"analysis-server". 
(http://www.ossec.net/en/manual.html#active-response-config)


Tried but I got the following error:

[etc]# /etc/init.d/ossec restart
Stopping OSSEC:[  OK  ]
Starting OSSEC: 2006/08/06 00:38:39 ossec-analysisd(1302): Invalid 
active response location: 'analysis-server'.

2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
   [FAILED]
Rgds.
Martin



I'll also check the timezone issue this night.

Regards,

Ahmet Ozturk.







[ossec-list] Re: Agents unable to send messages to Server

2006-08-07 Thread Martin Gottlieb

Sorry for the confusion, no it is not working, it's just not logging
any errors.  There are no files in the /var/ossec/queue/agent-info/
directory on my server.

Martin

Daniel Cid wrote:

Do you mean it is working now? If you look on the server at
  
/var/ossec/queue/agent-info/
  
you should see a file for each agent that you have. If the file is
  
there it is because they are
  
able to communicate correctly.
  
  
Thanks,
  
  
--
  
Daniel B. Cid
  
dcid ( at ) ossec.net
  
  
On 8/4/06, Martin Gottlieb <[EMAIL PROTECTED]> wrote:
  
  

 Hi Daniel,

 Thanks for the reply.  I double-checked the agent keys and they are
 all correct and cleared out the iptables rule sets on both machines
 before testing.  Still no luck.

 Attached are the files and output you requested (slightly sanitized).
 I tried a new install and restarted everything. This time through,
 the logs aren't showing any errors at all, so I'm really not sure what
 to make of it.

 Thanks for your help in tracking this down.

 Martin




 Daniel Cid wrote:

 Hi Martin,

 I had this problem before when I misconfigured the keys for the
 agents. Can you make sure that the first agent really has the right
 key on it (that matches his ip address)? Also, make sure that
 iptables is not blocking port 1514...

 *I don't think that the zlib version is the problem...

 *do an ifconfig on the agent and look at /var/ossec/etc/client.keys
 to make sure that the IP address is correct in there.

 If that does not fix the problem, can you show us the following files:

 *for both server and agents:
 /var/ossec/etc/ossec.conf
 /var/ossec/logs/ossec.log
 /var/ossec/etc/client.keys (change the secret key before posting)
 ifconfig -a
 iptables -vL

 Hope it helps..

 --
 Daniel B. Cid
 dcid ( at ) ossec.net

 On 8/3/06, Martin Gottlieb <[EMAIL PROTECTED]> wrote:




  Hello,

  I am trying to set up a new install of OSSEC and am having difficulty
  getting the agents to communicate with the server.

  All machines have port 1514 open and I have added the agent machines'
  ip addresses to the server config (using  ) and generated and
  imported new authentication keys on each Agent.

  In the server log, I am seeing lots of messages like this:

  2006/08/03 13:57:54 ossec-remoted(2202): Error uncompressing string.

  Are there any dependencies on the versions of zlib ?

  My Server is running Fedora Core release 4 (Stentz), which has zlib
  version zlib-1.2.2.2-5.fc4

  One Agent is running RH7.3 with zlib 1.1.4-8.7x and another is
  running RH ES 3 with zlib 1.1.4-8.1

  The first agent is logging errors like:

  2006/08/03 13:13:23 ossec-agentd(1218): Unable to send message to
  server.

  while the other agent is not logging any errors at all.

  Any ideas ?  Sorry if I've omitted any pertinent info, I'll be happy
  to provide additional config info if it would be helpful.

  Thanks.

  Martin


[ossec-list] Re: ossec 0.9

2006-08-07 Thread Martin Leung

Hi Daniel,

Daniel Cid wrote:

> Hi Martin,
>
> If you disabled active response on the agent, there is *no way that
> any response

I still got notification from the agent host and that is all I want.
Enabling active-response on a production system seems a bit risky to
me. It could easily cause the feeling of unreliable service to the
end-user.

> is going to be executed over there. When it is disabled, "ossec-execd"
> (the daemon responsible for executing response) will not even start.

ossec-execd seems still running.

> If you look at /var/ossec/active-responses/ there should be no log
> file there (on the agent system).

Yes, the log file had not been updated since I disabled active-response.

> *Can you do a "ps auwx |grep ossec" in the agent, just to confirm that
> execd is not

ossecm    4137  0.0  0.0   1772   468 ?  S   12:14   0:00 /var/ossec/bin/ossec-maild
root      4141  0.0  0.0   1636   412 ?  S   12:14   0:00 /var/ossec/bin/ossec-execd
ossec     4145  0.1  0.1   1964   848 ?  S   12:14   0:04 /var/ossec/bin/ossec-analysisd
root      4149  0.0  0.0   1644   424 ?  S   12:14   0:00 /var/ossec/bin/ossec-logcollector
ossecr    4155  0.0  0.1  22332   708 ?  Sl  12:14   0:01 /var/ossec/bin/ossec-remoted
root      4161  1.5  0.1   1792   832 ?  S   12:14   0:40 /var/ossec/bin/ossec-syscheckd

> running? If it is, can you show us your config file?

Attached.

Rgds.
Martin

> Related to the syscheck problem, increasing the frequency is going to
> help (and also nicing it), but we will come up with a better solution
> to fix it in the next version.

Thanks.
Martin

> Thanks for the report!
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net


Hi oahmet,

oahmet wrote:
>
> Hi again,
>
> I just checked my 0.9 installed debian box and everything seems 
normal.

> Alert e-mails are coming with correct date (timezone values).
> Is it possible to send us a sample alert e-mail with full headers?
> (just copy&paste from /var/spool/mail).

Here you are:

Return-path: <[EMAIL PROTECTED]>
Date: Sun, 06 Aug 2006 01:42:49 + (HKT)
From: OSSEC HIDS <[EMAIL PROTECTED]>
Subject: OSSEC Notification - localhost - Alert level 8


The above is from Fedora Core 5.

Also, I think I found a typo at point 3.5 of the installation script.
The script says syslog collector port is 514 but it seems to be 1514
instead.

ossec-rem   621   ossecr4u  IPv4 10883705   UDP *:1514

>
> PS: I'll also add /var/adm/messages to config file on solaris systems.
>
> Regards,
>
> Ahmet Ozturk.
>
>
>
> Ahmet Ozturk wrote:
>>
>> Hi Martin,
>>
>> Let me answer your first 2 questions:
>> 1. I'm not sure if you can throttle the syscheck cpu usage directly
>> (you may use nice command for a running process, but I don't know

Thanks for the idea. I will modify the ossec-control script to reduce
its priority.

>> a way to automate this). syscheckd  starts to run  every 2 hours by
>> default,
>> you may want to change this. (see  and other options in
>> ossec.conf)
>> (http://www.ossec.net/en/manual.html#syscheck_options)

The frequency is what concerns me. I would prefer to have it run when my
server is free. It could be some time early in the morning or when the
CPU usage drops below certain level.

>>
>> 2. For active-response issue, please check the  option
>> in ossec.conf file on the server. if it has the value "local" it will
>> execute
>> the active-response on the agent that generated the alert. If you 
want to

>> use active-response only on your server, this value should be set to
>> "analysis-server".
>> (http://www.ossec.net/en/manual.html#active-response-config)

Tried but I got the following error:

[etc]# /etc/init.d/ossec restart
Stopping OSSEC:[  OK  ]
Starting OSSEC: 2006/08/06 00:38:39 ossec-analysisd(1302): Invalid
active response location: 'analysis-server'.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. 
Exiting.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. 
Exiting.

[FAILED]
Rgds.
Martin




  
yes
myemail
mymailserver
[EMAIL PROTECTED]
  

  

7200


/usr/local/etc,/usr/local/bin,/usr/local/sbin
/etc,/usr/bin,/usr/sbin
/bin,/sbin


/etc/mtab
/etc/mnttab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx


C:\WINDOWS/System32/LogFiles
C:\WINDOWS/WindowsUpdate.log
C:\WINDOWS/system32/wbem/Logs
C:\WINDOWS/Prefetch
C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
C:\WINDOWS/SoftwareDistribution/DataStore
C:\WINDOWS/SoftwareDistribution/ReportingEvents.log

[ossec-list] queries on configuring ossec

2006-08-09 Thread Martin Leung


Hi,

I have a few configuration questions. Can someone help?

1. Can I configure syscheckd to report new files? It seems only
   file change is detected.

2. Can I include part of an ignored directory in syscheck? For example,
   would the following config detect change in /var/ossec/bin ?

   
 /
 /var
 /var/ossec/bin
 /var/ossec/rules
   

3. Why do the rule files in /var/ossec/rules have the execution bit set?

-r-xr-x---   1 root ossec  4415 Jun  7 10:31 apache_rules.xml
-r-xr-x---   1 root ossec  2969 Jul 21 03:56 attack_rules.xml

4. I renice syscheckd to priority 19 and keep using the default 2 hrs
   run frequency. What would happen if the daemon can't finish scanning
   all the files within the period?

Thanks in advance.
Martin



[ossec-list] Re: ossec-agentd: error compressing string

2006-08-09 Thread Martin Gottlieb




 
Was a solution ever posted for this one ?  I checked the archives and
did not see one.

I am experiencing the same problem on 2 different x86_64 boxes set up
as agents.  I'm getting "Error compressing string" 
followed by "Error creating encrypted message" errors.  I did compile
ossec locally on each machine.

Thanks.

Martin

David Vasil wrote:

oahmet wrote:
> Hi again David,
>
> Debian-amd64 was just a blind guess :)

Not a problem, I should have been more specific in my initial question.

> Let me ask another question:
> Did you use the same rpm for your i686 and amd64 machines?
> If so, please create rpms on both your server(i686) and
> on your client (amd64).

I did not use the same rpm.  I compiled and installed the server using
the install script provided with the OSSEC source.  The only reason I
installed the amd64 system with the RPM for x86_64 was to test various
deployment methods (as some of our servers are not installed with
compilers, etc.).

> I think this is a little endian/big endian issue. (AFAIK x86_64 is a
> big endian architecture).

I wrote a quick program and verified both systems are little endian.

I brought another agent up (i686 this time) and this time there is
traffic between the hosts.  The client logs show no errors (besides not
being able to open logs which don't exist at the moment).  The server
side logs one of these for every udp packet it sees:

2006/08/08 13:40:39 ossec-remoted(2202): Error uncompressing string.
2006/08/08 13:40:45 ossec-remoted(2202): Error uncompressing string.
2006/08/08 13:41:29 ossec-remoted(2202): Error uncompressing string.

At least the client and server are talking to each other now between
these two archs, but the server isn't accepting the input.  I verified
both client and server have matching keys in their client.xml files.

What situations would cause this type of behavior?  The x86_64 client
has trouble compressing the strings, and the i686 server has trouble
uncompressing strings.







[ossec-list] Re: ossec-agentd: error compressing string

2006-08-09 Thread Martin Gottlieb





Hi Daniel,

I've been playing with this also and have narrowed it down to the
following lines (39-40) in src/external/zlib-1.2.3/compress.c:

    stream.avail_out = (uInt)*destLen;
    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;

If you change line 40 to:

    if ((uInt)stream.avail_out != (uInt)*destLen) return Z_BUF_ERROR;

it seems to fix this problem, but I have a feeling it defeats
the original intent (though I'm not sure what the original intent was).

Martin

Daniel Cid wrote:

It looks like there is a problem with zlib and 64 bits (since the
errors are during the compression phase). I am doing some testings in
here, but unfortunately I don't have any 64b machine to test..

*btw, thanks everyone for the useful information you are sending me...

*Looking at zlib page, they don't mention any problem with 64 bits,
so it could still be something in ossec...

I will post something regarding that soon.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/9/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

David Vasil wrote:
> Martin Gottlieb wrote:
> >
> > Was a solution ever posted for this one ?  I checked the
> > archives and did not see one.
> >
> > I am experiencing the same problem on 2 different x86_64
> > boxes set up as agents.  I'm getting "Error compressing string"
> > followed by "Error creating encrypted message" errors.  I did
> > compile ossec locally on each machine.
>
> Nope, no solution yet.  I have tried compiling from source as well
> and it gave the same problems as with the RPM package I created.
>
> --
> -dave

I had an x86_64 build acting as a server and a i386 build acting as a
client, and got 'error uncompressing string'. By replacing the x86_64
server with the i386 server, the error is gone and events are being
logged. It appears to me that at least some part of ossec is not 64-bit
clean.







[ossec-list] Re: Windows Event Log

2006-08-10 Thread Martin Leung

Hi Oyesanya,

You may try to trip the wire by adding a new user or having multiple (6 at 
least) logon failures.


Rgds.
Martin


Oyesanya, Femi wrote:
Yes.  It's processing syscheck for files but not for the event logs.
How can I check that the event log files actually made it to the server?




Sample syscheck 



OSSEC HIDS Notification.
2006 Aug 10 02:23:13

Received From: (test002) 165.68.202.246->syscheck
Rule: 13 fired (level 8) -> "Integrity checksum of file
'C:\WINDOWS/setupapi.log' has changed."
Portion of the log(s):

Integrity checksum changed for: 'C:\WINDOWS/setupapi.log'
Size changed from '565551' to '566065'
Old md5sum was: 'fc41eb657bb388d53b3bf90c5ed2e92f'
New md5sum is : '5355965e4a3136a4625d8d1038a3939c'
Old sha1sum was: '53ba069832a8f0d23b6ead429da99cfdb1135691'
New sha1sum is : '8a17b102c6d6d758e68485e499e05d405945e491'



 --END OF NOTIFICATION


-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Ahmet Ozturk
Sent: Thursday, August 10, 2006 10:02 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: Windows Event Log


Hi again,

Did you start the OSSEC Hids service on windows
agent after installation?
(Control Panel->Admin Tools->Services)
Is it running already?

Regards,

Ahmet Ozturk.

Oyesanya, Femi wrote:
msauth_rules.xml rules already ship with the server 


-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Ahmet Ozturk
Sent: Thursday, August 10, 2006 9:23 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: Windows Event Log


Hi,

Just install server and windows agent as described in the manual
(http://www.ossec.net/en/manual.html#windows)
Then please be sure that windows_rules.xml file is included
in ossec.conf file.
That's all you need to do to process your windows agent's event
logs on the server.

Regards,

Ahmet Ozturk.

Oyesanya, Femi wrote:

 Hello:

Does anyone know what I need to do to have ossec server process
windows event logs and send alerts ?

Thanks









[ossec-list] Does ossec-agent on Windows require to listen at udp port 3911

2006-08-10 Thread Martin Leung

Hi list,

I found the following event log from an Ossec Windows agent:

The Windows Firewall has detected an application listening for incoming 
traffic.


Name: -
Path: C:\Program Files\ossec-agent\ossec-agent.exe
Process identifier: 2084
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3911
Allowed: No
User notified: No

Do I have to allow the traffic?

Rgds.
Martin




[ossec-list] need help on writing rules

2006-08-11 Thread Martin Leung

Hi list,

I'm writing rules for the Windows Firewall but have a problem using the 
first-time cache.


I want to get email alert the first time a program was blocked. With the 
rules below, rule 8502 was never triggered.


BTW, is there any doc on rule syntax?

Rgds.
Martin

===


  
8005
^861
fw_blocked
The Windows Firewall has detected an application 
listening for incoming traffic.

  





  
fw_blocked
alert_by_email

First time application blocked by Windows 
Firewall.

  




==
** Alert 1155281253.43328:
2006 Aug 11 15:27:33 (MYHOST) 192.168.10.25->WinEvtLog
Rule: 8308 (level 4) -> 'The Windows Firewall has detected an 
application listening for incoming traffic.'

Src IP: (none)
User: admin
WinEvtLog: Security: AUDIT_FAILURE(861): Security: admin: MYHOST: 
MYHOST: nc C:\utils\nc.exe 2912 amdin MYHOST No No IPv4 TCP 28384 No No


** Alert 1155282533.44825:
2006 Aug 11 15:48:53 (MYHOST) 192.168.10.25->WinEvtLog
Rule: 8308 (level 4) -> 'The Windows Firewall has detected an 
application listening for incoming traffic.'

Src IP: (none)
User: admin
WinEvtLog: Security: AUDIT_FAILURE(861): Security: admin: MYHOST: 
MYHOST: - C:\WINDOWS\system32\nslookup.exe 2876 admin MYHOST No No IPv4 
UDP 1731 No No






[ossec-list] handshake between server and agent

2006-08-11 Thread Martin Leung

Hi,

Is there any acknowledgement between server and agent? Will the agent 
queue and resend alerts in case of network failure?


Rgds.
Martin




[ossec-list] Re: windows file integrity question, ossec is great!

2006-08-25 Thread Martin Leung

Hi,


gentux

UDP being connectionless, I don't see how the client can possibly "know"
that the message was received; however, a modifiable threshold on the
server could possibly help with the issue.  For example, a setting in
the .conf file that tells it to expect 5 messages every 15 minutes,
otherwise send an alert (numbers complete subject to user
determination).  Of course, a better place for the setting would be in
the clients.conf file so that you can set these specs per client rather
than an overall setting for the server.




Sorry to interrupt, but I've an idea on acknowledgement to share:

- Add a unique sequence ID to each message the client sends.
- Define a threshold at which the server has to acknowledge,
  e.g. every 100 messages
- client caches all unacknowledged messages
- when the threshold is reached, client will resend all
  unacknowledged messages
- Server acknowledges client with the last sequence number received
  occasionally

Rgds.
Martin
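The scheme sketched above, and the question in the earlier "handshake between server and agent" message, as an added simulation in C (mine, not OSSEC code): sequence IDs on every message, a bounded cache of unacknowledged messages on the agent, a periodic cumulative ack from the server, and a resend of whatever is above the acked ID. The loss pattern, cache size and ack threshold are constructed and scaled down; a real link drops at random.

```c
#include <stdio.h>

/* Added simulation, not OSSEC code: every message carries a sequence ID, the agent
 * caches what is unacknowledged, the server periodically answers with the last ID it
 * received in order, and the agent resends everything above it. Sizes and the
 * "every 100 messages" threshold are scaled down so one run is easy to follow. */

#define MAX_PENDING 8   /* agent cache; a real one is bounded by disk or memory */
#define ACK_EVERY   4   /* stand-in for "every 100 messages" */
#define MAX_SEQ     64

typedef struct { unsigned seq; char text[32]; } msg_t;

typedef struct {
    unsigned next_seq;               /* ID for the next new message */
    msg_t    pending[MAX_PENDING];   /* unacknowledged messages, oldest first */
    size_t   npending;
    unsigned sent;                   /* transmissions so far; drives the ack cadence */
} agent_t;

typedef struct {
    unsigned last_seq;   /* highest ID received with no gap before it */
    unsigned accepted;   /* distinct messages taken in */
} server_t;

/* Scripted "network": drop_first[seq] loses only the first transmission of that ID,
 * drop_all loses everything (an outage). Deterministic on purpose. */
typedef struct { int drop_all; int drop_first[MAX_SEQ + 1]; unsigned tries[MAX_SEQ + 1]; } net_t;

static int net_deliver(net_t *n, unsigned seq) {
    if (seq > MAX_SEQ || n->drop_all) return 0;
    n->tries[seq]++;
    return !(n->drop_first[seq] && n->tries[seq] == 1);
}

/* Server: accept only the next in-order ID. Duplicates (seq <= last_seq) and IDs that
 * arrive after a gap are ignored, so the gap stays visible in last_seq until the
 * agent's resend fills it. */
static void server_receive(server_t *s, const msg_t *m) {
    if (m->seq == s->last_seq + 1) { s->last_seq = m->seq; s->accepted++; }
}

/* Agent: forget everything up to and including the acknowledged ID. */
static void agent_handle_ack(agent_t *a, unsigned acked) {
    size_t keep = 0;
    for (size_t i = 0; i < a->npending; i++)
        if (a->pending[i].seq > acked) a->pending[keep++] = a->pending[i];
    a->npending = keep;
}

/* Agent: retransmit the whole cache, oldest first, so in-order delivery resumes. */
static void agent_resend(agent_t *a, server_t *s, net_t *n) {
    for (size_t i = 0; i < a->npending; i++)
        if (net_deliver(n, a->pending[i].seq)) server_receive(s, &a->pending[i]);
}

/* Agent: stamp, cache and transmit one alert. Every ACK_EVERY transmissions the
 * server's cumulative ack is applied and whatever remains is resent. Returns -1 when
 * the cache is full: the scheme cannot hide a long outage, only make it visible. */
static int agent_send(agent_t *a, server_t *s, net_t *n, const char *text) {
    if (a->npending == MAX_PENDING) return -1;
    msg_t *m = &a->pending[a->npending++];
    m->seq = ++a->next_seq;
    snprintf(m->text, sizeof m->text, "%s", text);
    if (net_deliver(n, m->seq)) server_receive(s, m);
    if (++a->sent % ACK_EVERY == 0) {
        agent_handle_ack(a, s->last_seq);   /* the server's periodic ack */
        agent_resend(a, s, n);
        agent_handle_ack(a, s->last_seq);   /* ack that follows the resend */
    }
    return 0;
}

/* Constructed scenario: eight alerts, datagrams 2 and 6 lost on first transmission.
 * Returns how many distinct alerts the server accepted; *left (may be NULL) receives
 * what the agent still holds. Expected: 8 accepted, 0 left. */
int run_lossy_link(size_t *left) {
    agent_t a = {0}; server_t s = {0}; net_t n = {0};
    n.drop_first[2] = n.drop_first[6] = 1;
    for (int i = 1; i <= 8; i++) agent_send(&a, &s, &n, "alert");
    if (left) *left = a.npending;
    return (int)s.accepted;
}

size_t lossy_link_leftover(void) { size_t left = 0; run_lossy_link(&left); return left; }

/* Constructed outage: nothing gets through. Returns the ordinal of the first alert the
 * agent could not even cache, i.e. MAX_PENDING + 1. */
int run_outage(void) {
    agent_t a = {0}; server_t s = {0}; net_t n = {0};
    n.drop_all = 1;
    for (int i = 1; i <= 2 * MAX_PENDING; i++)
        if (agent_send(&a, &s, &n, "alert") < 0) return i;
    return 0;
}
```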





[ossec-list] Re: Agent unable to communicate with server/ssh session logging/whitelisting

2006-09-11 Thread Martin Gottlieb





I think the fix that was applied to compress.c still needs to be
applied to uncompr.c ( ../src/external/zlib-1.2.3 ).

Change line 42 from:

    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;

To

    if ((uInt)stream.avail_out != (uInt)*destLen) return Z_BUF_ERROR;


Martin

[EMAIL PROTECTED] wrote:

  I am having the same problem with ossec 0.9-1a running Ubuntu on a Sun
  x4100.  It seems to be an x86_64 kernel problem, but I don't have a
  solution yet.

Rick
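What the compress.c line 40 check (and the identical uncompr.c line 42 check) is for, and why the cast proposed in this thread and in the earlier "error compressing string" message makes the error go away, as an added illustration in C; this is my code, not zlib's or OSSEC's. The 32/64-bit widths are pinned with stdint typedefs so the result is the same on any host, and the out-of-range length is constructed: it stands in for whatever value the agent was handing zlib, which the cast hides rather than corrects.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not zlib or OSSEC code. zlib's uInt is 32 bits wide and, on LP64
 * systems such as x86_64 Linux, uLong is 64 bits; the typedefs pin that layout so the
 * result is the same on any host. */
typedef uint32_t uInt;
typedef uint64_t uLong;

#define Z_OK        0
#define Z_BUF_ERROR (-5)

/* The original test from compress.c line 40 (uncompr.c line 42 is the same): avail_out
 * is narrowed to 32 bits, then widened back and compared with the 64-bit *destLen. Any
 * value the narrowing threw away makes the two differ, and the call is refused instead
 * of running with a buffer size it was never given. */
int avail_out_check_original(uLong destLen) {
    uInt avail_out = (uInt)destLen;
    if ((uLong)avail_out != destLen) return Z_BUF_ERROR;
    return Z_OK;
}

/* The edit proposed in the thread: both sides are cast to uInt, so the comparison is
 * between two values truncated the same way and can never fail. It compiles and the
 * error message disappears, but the guard disappears with it. */
int avail_out_check_patched(uLong destLen) {
    uInt avail_out = (uInt)destLen;
    if ((uInt)avail_out != (uInt)destLen) return Z_BUF_ERROR;
    return Z_OK;
}

/* Constructed inputs: 512 fits in 32 bits and passes both checks. The second value is
 * 512 with bit 32 set, standing in for a length whose upper half holds something other
 * than zero, which is exactly what the original guard exists to catch. */
const uLong GOOD_LEN = 512;
const uLong BAD_LEN  = ((uLong)1 << 32) | 512;

int main(void) {
    printf("len=%llu original=%d patched=%d\n", (unsigned long long)GOOD_LEN,
           avail_out_check_original(GOOD_LEN), avail_out_check_patched(GOOD_LEN));
    printf("len=%llu original=%d patched=%d\n", (unsigned long long)BAD_LEN,
           avail_out_check_original(BAD_LEN), avail_out_check_patched(BAD_LEN));
    return 0;
}
```

The patched check accepts BAD_LEN and carries on with a 512-byte avail_out, so the place to look is the caller that produced that length, not the guard.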

  





[ossec-list] Re: Registry monitoring on ossec (input request)

2007-01-03 Thread Martin Leung

I think those listed in Autoruns:

http://www.microsoft.com/technet/sysinternals/utilities/autoruns.mspx

are quite complete.

Rgds.
Martin


>
> This should get you started (watch for wrapping):
>
> Null Sessions:
> System\CurrentControlSet\Services\LanmanServer\Parameters\NullSession
> LSA: System\CurrentControlSet\Control\Lsa
> Run: Software\Microsoft\Windows\CurrentVersion\Run
> RunOnce: Software\Microsoft\Windows\CurrentVersion\RunOnce
> RunOnceEx: Software\Microsoft\Windows\CurrentVersion\RunOnceEx
> RunServices: Software\Microsoft\Windows\CurrentVersion\RunServices
> Services: System\CurrentControlSet\Services
> Known DLLs: System\CurrentControlSet\Control\Session Manager\KnownDLLs
> Remote Access: System\CurrentControlSet\Control\SecurePipeServers\winreg
> SessionManager-BootExecute:
> System\CurrentControlSet\Control\SessionManager\BootExecute
> Windows Appinit_DLLs: Software\Microsoft\Windows
> NT\CurrentVersion\Windows\AppInit_DLLs
> Winlogin AutoAdminLogin: Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\AutoAdminLogon
> Winlogin DefaultPassword: Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\DefaultPassword
> Winlogin-Shell: Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Shell
>
> There are some locations for Windows Certificate Server stuff I have
> somewhere.  I'll try to get those to you, as well.
>
> Disclaimer: Most of the items on this list were taken from the config of
> a popular commercial HID.  It's just registry locations, so I can't see
> how this would be a violation of any copyrights.
>
> Daniel Cid wrote:
>>
>> Hello everyone,
>>
>> I just completed adding support for monitoring the Windows registry on
>> ossec. It seems to be fairly stable right now and hopefully a beta
>> version will be available soon (lots of tests will be required).
>>
>> The configuration will have the following options available: (inside
>> the syscheck area):
>>
>> HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software,
>> HKEY_USERS\Example
>> HKEY_LOCAL_MACHINE\Software\Microsoft
>>
>> Where the first option is a list (comma separated) of registry entries
>> to monitor and
>> the second is a list of entries to ignore.
>>
>> A question now for you guys (Windows users):
>>
>> -Which registry entries should we monitor by default?
>>
>> I was thinking on everything at HKEY_LOCAL_MACHINE\SYSTEM,
>> HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM.
>>
>> Is there anything else worth checking too? Please let me know your
>> comments...
>>
>> *btw, next version (1.0) is comming soon...
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net




[ossec-list] ossec on lunar linux

2007-02-27 Thread Martin West


Got this error ...

Received From: andromda->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Trojaned version of file '/bin/netstat' detected. Signature used: 'bash|
^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Trojan)

and chkrootkit also flagged it but we think it is invalid ...

"I put one of my top guys on this and his analysis is that the reason
lots of rootkit-packages trigger on our netstat is that it's been built
with debugging-symbols and contains the string "sockaddr.h" which most 
rootkit-checkers aren't used to seeing.

    Cheers Leif"

Thanks for a great product.

Martin West
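The false positive described above, reproduced as an added example in C (mine, not OSSEC's rootcheck code): the quoted signature is run over strings constructed to resemble a netstat built with debugging symbols and the same binary stripped, so the analyst can see which alternative fires (`addr\.h`) and that the hit vanishes with the debug info. Compiling the signature as a POSIX extended regex is an assumption; OSSEC uses its own matcher.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not OSSEC's rootcheck code. The signature is the one quoted in the
 * alert above. OSSEC evaluates it with its own OS_Regex engine; compiling it as a POSIX
 * extended regex is an assumption that holds for the constructs it uses (alternation,
 * the ^ anchor, a negated class and an escaped dot). */
static const char *NETSTAT_TROJAN_SIG = "bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\\.h";

/* Runs the signature over the printable strings of a binary (what the `strings` tool
 * lists), the way rootcheck tests a file's contents. Returns 1 on a hit, 0 on none,
 * -1 if the pattern does not compile; *hit (may be NULL) receives the first matching
 * string so an analyst can see which alternative fired. */
int scan_binary_strings(const char *const *strs, size_t n, const char **hit) {
    regex_t re;
    int found = 0;
    if (hit) *hit = NULL;
    if (regcomp(&re, NETSTAT_TROJAN_SIG, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (regexec(&re, strs[i], 0, NULL, 0) == 0) {
            if (hit) *hit = strs[i];
            found = 1;
            break;
        }
    }
    regfree(&re);
    return found;
}

/* Convenience for the checks below: the matching string, or NULL. */
const char *first_hit(const char *const *strs, size_t n) {
    const char *hit = NULL;
    scan_binary_strings(strs, n, &hit);
    return hit;
}

/* Constructed strings from a netstat built with debugging symbols: the line table in
 * the debug info names the headers the source was compiled against. */
const char *const DEBUG_BUILD[] = {
    "/proc/net/tcp",
    "Active Internet connections",
    "/usr/include/bits/sockaddr.h",
};
const size_t DEBUG_BUILD_N = 3;

/* The same program with debug info stripped: the header name is gone. */
const char *const STRIPPED_BUILD[] = {
    "/proc/net/tcp",
    "Active Internet connections",
};
const size_t STRIPPED_BUILD_N = 2;

int main(void) {
    const char *hit = first_hit(DEBUG_BUILD, DEBUG_BUILD_N);
    printf("debug build: %s\n", hit ? hit : "no hit");
    hit = first_hit(STRIPPED_BUILD, STRIPPED_BUILD_N);
    printf("stripped build: %s\n", hit ? hit : "no hit");
    return 0;
}
```

Running the same check against a stripped copy of the flagged binary, or against the package's pristine file, is the confirmation to collect before dismissing such an alert.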



[ossec-list] Re: Help: What do I do about a rootkit?

2007-03-02 Thread Martin West

On Fri, 2007-03-02 at 11:55 -0800, Jim Starr wrote:
> I did more looking through the list archives (a search feature would
> be
> nice) and found the posts on this subject.  I ran chkrootkit and
> 

try 

site:http://www.ossec.net/ search_args


-- 
Regards
Martin West
http://www.objectgizmos.com
07879 680 096


[ossec-list] Re: OSSEC 1.1 BETA2 available

2007-03-04 Thread Martin West

On Sat, 2007-03-03 at 20:53 -0400, Daniel Cid wrote:
> If you are looking for a way to help the project, here is your chance.
> 

Fedora Core 6 -
Linux 2.6.19-1.2911.6.4.fc6 #1 SMP Sat Feb 24 14:39:04 EST 2007 i686
i686 i386 GNU/Linux

Installed default server installation, no problems, seems to be running
OK.

-- 

Regards Martin West
07809 305 404
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH   
Company No. 05912944


[ossec-list] Re: OSSEC 1.1 BETA2 available

2007-03-04 Thread Martin West

On Sat, 2007-03-03 at 20:53 -0400, Daniel Cid wrote:
> If you are looking for a way to help the project, here is your chance.
> 

There does not seem to be an uninstall function.

I presume you have to delete /var/ossec and the init.d script.

-- 

Regards Martin West
07809 305 404
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH   
Company No. 05912944


[ossec-list] '/var/ossec/queue/ossec/queue' not accessible

2007-03-26 Thread Martin West

I just noticed this in the log ...

2007/03/26 18:01:31 ossec-maild: Started (pid: 3264).
2007/03/26 18:01:32 ossec-execd: Started (pid: 3269).
2007/03/26 18:01:35 ossec-syscheckd(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/03/26 18:01:35 ossec-rootcheck(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/03/26 18:01:43 ossec-syscheckd(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/03/26 18:01:43 ossec-rootcheck(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/03/26 18:01:56 ossec-syscheckd(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/03/26 18:01:56 ossec-rootcheck(1211): Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..

Is it a problem?

I'm running ossec-hids-070301

ls -l /var/ossec/queue/ossec/queue
srw-rw 1 ossec ossec 0 Mar 26 14:43 /var/ossec/queue/ossec/queue


-- 
Regards
Martin West
http://www.objectgizmos.com
07879 680 096


[ossec-list] Re: '/var/ossec/queue/ossec/queue' not accessible

2007-03-27 Thread Martin West

OK, thanks, it's gone from the current logs now.

On Mon, 2007-03-26 at 22:40 -0400, David Williams wrote:
> up again, I got the queue not accessible error; restarting ossec
> fixed it for me (the stop script removes the socket, I believe).
> 
-- 

Regards Martin West
07809 305 404
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH   
Company No. 05912944


[ossec-list] Re: Authentication of Users using WebUI

2007-04-04 Thread Martin West

The AuthUserFile line should point at the .htpasswd file, 
check out http://httpd.apache.org/docs/1.3/howto/htaccess.html

On Wed, 2007-04-04 at 12:00 +0530, Pankaj P. Pawar wrote:
> 
> 
> 
> Sorry,
> 
> I found that file and tried the following config
> 
> .htaccess:
> AuthName "Restricted Area"
> AuthType Basic
> AuthUserFile /dev/null
> Require valid-user
> 
> .htpasswd:
> Nsdl: MdDipi2T6TjlA
> 
> The moment I restart Apache, I am getting default Welcome page.
> I don't understand how do I revert back.
> Should I delete the Ossec-wui folder and re-install the package again??
> 
> Pankaj P.
> 
> 
> 
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
> On Behalf Of Pankaj P. Pawar
> Sent: Wednesday, April 04, 2007 9:58 AM
> To: [EMAIL PROTECTED]
> Cc: ossec-list@googlegroups.com; Daniel Cid
> Subject: [ossec-list] Re: Authentication of Users using WebUI
> 
> 
> I have tried searching the htaccess file, but I could find only manuals
> in the /var/www/manual/howto/htaccess.html for the same.
> 
> Pankaj P.
> 

Martin West


[ossec-list] Re: SVN v. OSSEC

2007-04-07 Thread Martin West

Interesting. I run svn and ossec but I run an svn server which might be
an alternative work around. There is an incentive to use the svn server
as it's quite a bit faster/more efficient than the http interface.

That said I did have an unexplained hang of the svn server. svn uses
port 3690 by default. 

Does ossec do anything with port 3690?

On Sat, 2007-04-07 at 06:43 -0500, Steven Ourada wrote:
> Learned of an interesting interaction between Subversion (SVN) and OSSEC (http://www.ossec.net/), an intrusion detection system 




[ossec-list] adsl rule

2007-04-07 Thread Martin West

I wrote a rule 



  
  adsl
  Grouping for the adsl rules.
  


  101000
  Monitor adsl line down
  ADSL line is down



  101000
  Monitor adsl line up
  ADSL line is up


 

to check for log entries ...

Apr  7 16:57:02 thecla2 kernel: ATM dev 0: ADSL line is down
Apr  7 16:57:03 thecla2 kernel: ATM dev 0: ADSL line is synchronising
Apr  7 16:57:43 thecla2 kernel: ATM dev 0: ADSL line is up (2656 kb/s
down | 448 kb/s up)

However it does seem to trigger, well at least generate an email.

It gets loaded ...

2007/04/04 23:44:34 ossec-analysisd: Reading rules file:
'adsl_rules.xml'

Is it just me or is the documentation a bit sparse?

Thanks Martin West


[ossec-list] Re: adsl rule

2007-04-09 Thread Martin West

Thanks, I just cloned one of the examples 

On Sun, 2007-04-08 at 23:34 -0300, Daniel Cid wrote:
> Is the rule working or not working (I wasn't really sure from your
> e-mail)? I see that you specified the "decoded_as" on rule 101000, but
> did you create a decoder for it? The
> decoded_as looks for a valid decoder name on decoders.xml
> 
-- 

Regards Martin West
07809 305 404
skype:amartinwest1
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH   
Company No. 05912944


[ossec-list] Re: ossec startup

2007-04-11 Thread Martin West


What version of solaris?

Martin West


[ossec-list] bastille linux

2007-04-11 Thread Martin West

http://www.bastille-linux.org/

Just came across this, thought it might be of interest.

regards Martin West


[ossec-list] Re: ossec startup

2007-04-12 Thread Martin West

I recall having to use new adm cmds on the latest solaris. I'm not in
work now till Monday - I'll check then if the problem has not been
resolved.

This may help ..
http://nb.inode.co.nz/articles/Solaris10_Evaluation.html


 On Thu, 2007-04-12 at 06:51 -0400, Pete wrote:
> This is happening in Solaris 9 and Solaris 10.  I've triple-checked
> the permissions on all the files.  Still no go.
> 
-- 

Regards Martin West
07809 305 404
skype:amartinwest1
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH   
Company No. 05912944


[ossec-list] Re: ossec startup

2007-04-16 Thread Martin West

On Mon, 2007-04-16 at 14:12 -0400, Pete wrote:
> It appears the startup script will not run if the effective and real
> uid is root.  However, when I log into the system and su then run the
> startup script, the $USER variable is still my username, but I have
> root priveledges?  Does this help? 
> 

did you do "su" or "su -", the latter should set the USER name to root.



Regards Martin West



[ossec-list] breakin?

2007-05-23 Thread Martin West


ossec just threw up some files in usr/bin had changed and they hadn't
been upgraded by yum. 

Some stuff in ncurses and less, so I moved out to a quarantine folder
and reinstalled the rpms for the affected files. 

How can I tell if this is a virus?

Thanks

-- 
Regards
Martin West


[ossec-list] 1.3 Upgrade - missing libc6-dev

2007-08-29 Thread Martin West

 Somehow my libc6-dev package had become deinstalled - I'm running a cut
down debian system (but not that cut down :-) ) - and this was the
result, maybe you might like to add an extra idiot check :-)

Thanks as always for a great tool.

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to [EMAIL PROTECTED] (or [EMAIL PROTECTED]).

  - System: Linux thecla2 2.6.19
  - User: root
  - Host: thecla2


  -- Press ENTER to continue or Ctrl-C to abort. --


 - You already have OSSEC installed. Do you want to update it? (y/n): y
 - Do you want to update the rules? (y/n): y


2- Setting up the installation environment.


- Installation will be made at  /var/ossec .

5- Installing the system
 - Running the Makefile

 *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
make[1]: Entering directory
`/root/installs/ossec-hids-1.3/src/external/zlib-1.2.3'
gcc -c -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\"
-DARGV0=\"zlib\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
In file included from crc32.c:29:
zutil.h:23:22: error: string.h: No such file or directory
zutil.h:24:22: error: stdlib.h: No such file or directory
zutil.h:38:23: error: errno.h: No such file or directory
In file included
from /usr/lib/gcc/i486-linux-gnu/4.1.2/include/syslimits.h:7,

from /usr/lib/gcc/i486-linux-gnu/4.1.2/include/limits.h:11,
 from crc32.c:36:
/usr/lib/gcc/i486-linux-gnu/4.1.2/include/limits.h:122:61: error:
limits.h: No such file or directory
In file included from deflate.h:16,
 from deflate.c:52:
zutil.h:23:22: error: string.h: No such file or directory
zutil.h:24:22: error: stdlib.h: No such file or directory
zutil.h:38:23: error: errno.h: No such file or directory
deflate.c: In function ‘deflateSetDictionary’:
deflate.c:339: warning: implicit declaration of function ‘memcpy’
deflate.c:339: warning: incompatible implicit declaration of built-in
function ‘memcpy’
deflate.c: In function ‘flush_pending’:
deflate.c:540: warning: incompatible implicit declaration of built-in
function ‘memcpy’
deflate.c: In function ‘deflate’:
deflate.c:817: warning: implicit declaration of function ‘memset’
deflate.c:817: warning: incompatible implicit declaration of built-in
function ‘memset’
deflate.c: In function ‘deflateCopy’:
deflate.c:912: warning: incompatible implicit declaration of built-in
function ‘memcpy’
deflate.c: In function ‘read_buf’:
deflate.c:976: warning: incompatible implicit declaration of built-in
function ‘memcpy’
deflate.c: In function ‘lm_init’:
deflate.c:991: warning: incompatible implicit declaration of built-in
function ‘memset’
deflate.c: In function ‘fill_window’:
deflate.c:1295: warning: incompatible implicit declaration of built-in
function ‘memcpy’
gzio.c:10:19: error: stdio.h: No such file or directory
In file included from gzio.c:12:
zutil.h:23:22: error: string.h: No such file or directory
zutil.h:24:22: error: stdlib.h: No such file or directory
zutil.h:38:23: error: errno.h: No such file or directory
gzio.c:60: error: expected specifier-qualifier-list before ‘FILE’
gzio.c:81: error: expected ‘)’ before ‘*’ token
gzio.c: In function ‘gz_open’:
gzio.c:109: warning: implicit declaration of function ‘malloc’
gzio.c:109: warning: incompatible implicit declaration of built-in
function ‘malloc’
gzio.c:115: error: ‘gz_stream’ has no member named ‘inbuf’
gzio.c:116: error: ‘gz_stream’ has no member named ‘outbuf’
gzio.c:118: error: ‘gz_stream’ has no member named ‘file’
gzio.c:121: error: ‘gz_stream’ has no member named ‘in’
gzio.c:122: error: ‘gz_stream’ has no member named ‘out’
gzio.c:123: error: ‘gz_stream’ has no member named ‘back’
gzio.c:123: error: ‘EOF’ undeclared (first use in this function)
gzio.c:123: error: (Each undeclared identifier is reported only once
gzio.c:123: error: for each function it appears in.)
gzio.c:124: error: ‘gz_stream’ has no member named ‘crc’
gzio.c:125: error: ‘gz_stream’ has no member named ‘msg’
gzio.c:126: error: ‘gz_stream’ has no member named ‘transparent’
gzio.c:128: warning: implicit declaration of function ‘strlen’
gzio.c:128: warning: incompatible implicit declaration of built-in
function ‘strlen’
gzio.c:130: error: ‘gz_stream’ has no member named ‘path’
gzio.c:131: error: ‘gz_stream’ has no member named ‘path’
gzio.c:134: error: ‘gz_stream’ has no member named ‘path’
gzio.c:135: warning: implicit declaration of function ‘strncpy’
gzio.c:135: warning: incompatible implicit declaration of built-in
function ‘strncpy’
gzio.c:135: error: ‘gz_stream’ has no member named ‘path’
gzio.c:137: error: ‘gz_stream’ has no member named ‘mode’
gzio.c:139: error: ‘gz_stream’ has no member named ‘mode’
gzio.c:140: error: ‘gz_stream’ has no member named ‘mode’
gzio.c:153: error: ‘gz_stream’ has no member named ‘mode’
gzio.c:155: error: ‘gz_stream’ has no member named ‘mode’
gzio.c:163: error: ‘gz_stream’ has no memb

[ossec-list] missed attack

2007-11-23 Thread Martin West
ecause not listed in AllowUsers
Nov 21 21:49:57 thecla2 sshd[20832]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:59 thecla2 sshd[20836]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:50:00 thecla2 sshd[20842]: Invalid user sadmin from
82.193.15.51
Nov 21 21:50:01 thecla2 CRON[20847]: (pam_unix) session opened for user
www-data by (uid=0)
Nov 21 21:50:01 thecla2 CRON[20847]: (pam_unix) session closed for user
www-data
Nov 21 21:50:02 thecla2 sshd[20846]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:50:04 thecla2 sshd[20854]: Invalid user mythtv from
82.193.15.51

Thanks as usual for a great product.
-- 

Regards Martin West



[ossec-list] adsl rules

2007-11-23 Thread Martin West

I use this simple ruleset to inform when the adsl line goes up and down

Output looks like ...

OSSEC HIDS Notification.
2007 Nov 22 02:35:37

Received From: thecla2->/var/log/messages
Rule: 101002 fired (level 8) -> "Monitor adsl line up"
Portion of the log(s):

Nov 22 02:35:36 thecla2 kernel: ATM dev 0: ADSL line is up (2752 kb/s
down | 448 kb/s up)



 --END OF NOTIFICATION

Martin West


adsl_rules.xml
Description: XML document


[ossec-list] Re: missed attack

2007-11-24 Thread Martin West

Yes, as I said in the append some, the "Invalid User", do get picked up
from auth.log

It would appear to be the "not allowed" entries that are not picked up. 

Thanks

On Fri, 2007-11-23 at 11:44 -0800, Peter M. Abraham wrote:
> In /var/ossec/etc/ossec.conf is your auth.log being monitored?
> 
-- 

Regards Martin West




[ossec-list] Re: missed attack

2007-11-25 Thread Martin West

No, another occurred yesterday

 **Unmatched Entries**
 User root from web3.guihosting.com not allowed because not listed in
AllowUsers : 32 time(s)

I'll check the ossec logs to see if there is anything untoward there.

Thanks

On Sun, 2007-11-25 at 11:25 -0400, Daniel Cid wrote:
> Are you sure it is not being caught? I ran your log in here and got an
> alert (using v1.4):
> 
-- 

Regards Martin West
07809 305 404
skype:amartinwest1
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH   
Company No. 05912944


[ossec-list] Re: missed attack

2007-11-25 Thread Martin West

Interestingly there are entries in the active-response log for that ip.

and a series of these ...

** Alert 1195896462.4274: - syslog,sshd,invalid_login,
2007 Nov 24 09:27:42 thecla2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 65.254.35.58
User: (none)
Nov 24 09:27:40 thecla2 sshd[921]: Invalid user mythtv from 65.254.35.58

These were in the alert log. Just no email. I'll look in the email logs
to see if it went astray there but it's odd I get other alerts and it
didn't get flagged as spam.

Thanks

On Sun, 2007-11-25 at 11:25 -0400, Daniel Cid wrote:
> Are you sure it is not being caught? I ran your log in here and got an
> alert (using v1.4):
> 
-- 

Regards Martin West


[ossec-list] Re: missed attack

2007-11-25 Thread Martin West

I think it must be an oddity in my mail system. The email was sent.
Thanks for the help, sorry for the noise.

On Sun, 2007-11-25 at 11:25 -0400, Daniel Cid wrote:
> Are you sure it is not being caught? I ran your log in here and got an
> alert (using v1.4):
> 
-- 

Regards Martin West



[ossec-list] Re: missed attack

2007-12-17 Thread Martin West
I've investigated this further as I saw in logwatch ...

 Login attempted when not in AllowUsers list:
mysql : 5 Time(s)
nobody : 62 Time(s)
root : 215 Time(s)

which seemed a bit excessive with ossec running.

attached are three files

ossec-prob.log - from auth.log shows the attack started at 8:02 

ossec-alerts-16.log.gz - the alerts log shows block at 8:24

ossec.log - shows a problem connecting to the ar queue.

Question 1: Is it correct behaviour that it took twenty-two minutes to
block the attack?

Question 2: Any ideas on the ar queue connection problem? Is it
connected to problem 1? I tried restarting ossec but the same error came
up.

This is ossec 1.4 running on debian, kernel 2.6.22-3-686.

Thanks.
  
-- 

Regards Martin West

2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/auth.log'.
2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/error.log'.
2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/access.log'.
2007/12/17 08:48:31 ossec-logcollector: Started (pid: 29023).
2007/12/17 08:48:31 ossec-analysisd(1210): Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2007/12/17 08:48:31 ossec-analysisd(1301): Unable to connect to active response queue.
2007/12/17 08:48:31 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)


ossec-alerts-16.log.gz
Description: GNU Zip compressed data
Dec 16 08:02:38 thecla2 sshd[12042]: Did not receive identification string from 203.250.179.11
Dec 16 08:05:36 thecla2 sshd[12386]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:39 thecla2 sshd[12394]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:42 thecla2 sshd[12402]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:45 thecla2 sshd[12410]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:48 thecla2 sshd[12416]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:51 thecla2 sshd[12424]: Invalid user mysqlshell from 203.250.179.11
Dec 16 08:05:54 thecla2 sshd[12432]: Invalid user mysqlshell from 203.250.179.11
Dec 16 08:05:57 thecla2 sshd[12440]: Invalid user apache from 203.250.179.11
Dec 16 08:06:00 thecla2 sshd[12448]: Invalid user apache from 203.250.179.11
Dec 16 08:06:03 thecla2 sshd[12456]: Invalid user apache from 203.250.179.11
Dec 16 08:06:06 thecla2 sshd[12463]: Invalid user apache from 203.250.179.11
Dec 16 08:06:09 thecla2 sshd[12471]: Invalid user apache from 203.250.179.11
Dec 16 08:06:12 thecla2 sshd[12479]: Invalid user apache from 203.250.179.11
Dec 16 08:06:15 thecla2 sshd[12486]: Invalid user apache from 203.250.179.11
Dec 16 08:06:18 thecla2 sshd[12495]: Invalid user apache from 203.250.179.11
Dec 16 08:06:21 thecla2 sshd[12503]: Invalid user apache2 from 203.250.179.11
Dec 16 08:06:24 thecla2 sshd[12510]: Invalid user apache2 from 203.250.179.11
Dec 16 08:06:27 thecla2 sshd[12518]: Invalid user apache2 from 203.250.179.11
Dec 16 08:06:30 thecla2 sshd[12526]: Invalid user apache2 from 203.250.179.11
Dec 16 08:06:33 thecla2 sshd[12534]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:36 thecla2 sshd[12541]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:39 thecla2 sshd[12549]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:42 thecla2 sshd[12557]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:45 thecla2 sshd[12565]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:48 thecla2 sshd[12573]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:51 thecla2 sshd[12579]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:54 thecla2 sshd[12588]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:06:57 thecla2 sshd[12595]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:07:00 thecla2 sshd[12603]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:07:03 thecla2 sshd[12611]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:07:06 thecla2 sshd[12623]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:07:09 thecla2 sshd[12631]: User nobody from 203.250.179.11 not allowed because not listed in AllowUser
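
An added example (not from this thread and not OSSEC's own code) showing in Python the composite-rule logic OSSEC applies to the sshd lines posted above: both message forms, the "Invalid user" line and the AllowUsers rejection, are decoded, and repeated failures from one source inside a time window produce a single alert, mirroring the frequency and timeframe attributes of an OSSEC rule. The sample log lines are constructed after the excerpt above and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the auth.log excerpt in this thread; the CRON line shows a non-sshd event being skipped.
SAMPLE_LOG = """\
Dec 16 08:05:36 thecla2 sshd[12386]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:39 thecla2 sshd[12394]: User mysql from 203.250.179.11 not allowed because not listed in AllowUsers
Dec 16 08:05:51 thecla2 sshd[12424]: Invalid user mysqlshell from 203.250.179.11
Dec 16 08:05:57 thecla2 sshd[12440]: Invalid user apache from 203.250.179.11
Dec 16 08:06:00 thecla2 sshd[12448]: Invalid user apache from 203.250.179.11
Dec 16 08:06:01 thecla2 CRON[12460]: (pam_unix) session opened for user www-data by (uid=0)
Dec 16 08:06:10 thecla2 sshd[12500]: User root from d33.z1.infracom.it not allowed because not listed in AllowUsers
Dec 16 08:06:33 thecla2 sshd[12534]: User nobody from 203.250.179.11 not allowed because not listed in AllowUsers
"""

# One regex covers both sshd messages from the thread: "Invalid user" (OSSEC rule 5710) and the AllowUsers rejection.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<inv>\S+) from (?P<src1>\S+)"
    r"|User (?P<user>\S+) from (?P<src2>\S+) not allowed because not listed in AllowUsers)$"
)
TS_FMT = "%b %d %H:%M:%S"

def parse_sshd(line):
    """Decode one syslog line into (timestamp, kind, user, source), or None if it is not one of the two forms."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)  # syslog timestamps carry no year
    if m["inv"] is not None:
        return ts, "invalid_user", m["inv"], m["src1"]
    return ts, "not_allowed", m["user"], m["src2"]

def correlate(lines, frequency=4, timeframe=120):
    """Composite rule: report a source each time `frequency` failures of either kind fall within `timeframe` seconds."""
    recent = defaultdict(list)  # source -> timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_sshd(line)
        if ev is None:
            continue
        ts, _kind, _user, src = ev
        hits = [t for t in recent[src] if (ts - t).total_seconds() <= timeframe] + [ts]
        if len(hits) >= frequency:
            alerts.append((src, ts.strftime(TS_FMT), len(hits)))
            hits = []  # reset so one burst yields one alert
        recent[src] = hits
    return alerts
```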

[ossec-list] Re: missed attack

2007-12-19 Thread Martin West

Thanks.

On Tue, 2007-12-18 at 20:54 -0400, Daniel Cid wrote:
> behavior and fix the problem inside ossec. You
> can try with the following package to see if the problem persists.
> 
> 
-- 

Regards Martin West



[ossec-list] Unable to connect to active response queue.

2007-12-19 Thread Martin West


2007/12/19 20:32:22 ossec-logcollector: Started (pid: 14295).
2007/12/19 20:32:22 ossec-analysisd(1210): Queue '/queue/alerts/ar' not
accessible: 'Connection refused'.
2007/12/19 20:32:22 ossec-analysisd(1301): Unable to connect to active
response queue.
2007/12/19 20:32:22 ossec-analysisd: Connected to
'/queue/alerts/execq' (exec queue)

Any ideas on this?

This is on

http://www.ossec.net/files/snapshots/ossec-hids-071218.tar.gz

though it was a problem on 1.4

-- 

Regards Martin West




[ossec-list] adsl rules

2007-12-20 Thread Martin West

Just had the first notification from the new rule, couple of things

1)
** Alert 1198095893.7112: mail  - syslog,linuxkernel,
2007 Dec 19 20:24:53 thecla2->/var/log/messages
Rule: 5130 (level 7) -> 'Monitor adsl line is down.'
Src IP: (none)
User: (none)
Dec 19 20:24:53 thecla2 kernel: ATM dev 0: ADSL line is down

** Alert 1198095915.7357: - syslog,linuxkernel,
2007 Dec 19 20:25:15 thecla2->/var/log/messages
Rule: 5131 (level 3) -> 'Monitor ADAL line is up.'
Src IP: (none)
User: (none)
Dec 19 20:25:14 thecla2 kernel: ATM dev 0: ADSL line is up (2752 kb/s
down | 448 kb/s up)

Rule 5131 says ADAL instead of ADSL but in the latest update it is spelt
correctly - assume this is already fixed - the event came in before I
installed the latest update.

2) You have set the level for rule 5131 to 3, I think it should match
the down rule, nice to see these in pairs and the up event has the
connection speed which I find useful.

Thanks

-- 

Regards Martin West



