Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2021-02-22 Thread Natassia S
I don't know about stopping it completely but you can slow it substantially
by using progressively larger penalty times for repeat offenders.

Natassia

On Fri, Sep 25, 2020 at 12:41 AM lê danh  wrote:

> Oh, I did it and it works great; it can block me before I get my password.
> Thank you so much.
>
> On Wed, Sep 23, 2020 at 18:21 Daniel Folch <daniel.fo...@wazuh.com> wrote:
>
>> Hello,
>>
>> First, let us start with the active response configuration of the manager
>> and agent, the configuration you shared should be used on the manager side,
>> and for the agent you just need to set it like this:
>>
>>   <active-response>
>>     <disabled>no</disabled>
>>     <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
>>     <ca_verification>yes</ca_verification>
>>   </active-response>
>>
>> As a side note, the rule 5720 is triggered when the rule 5716 activates 8
>> times in a short period of time, so having both of them in the active
>> response is not necessary.
>>
>> Hydra tests the passwords in the list sequentially and it is really fast,
>> so if your list only contains a few passwords it may be possible for Hydra
>> to test the correct password from the list before active response can shut
>> down the connection from the IP. This should not happen in a real brute
>> force attack, as the list of passwords would be long enough for active
>> response to act in time. A possibility to minimize this phenomenon would be
>> to reduce the number of attempts needed before shutting down.
>>
>> Just to verify, could you share the length of the list you are using for
>> this test, and if possible could you try running Hydra like this to verify
>> that active response is working as intended:
>>
>> hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh
>>
>> This will try to test all combinations of lowercase characters, uppercase
>> characters, and numbers with a length between 1 and 5, so it should not be
>> able to find your password before active response triggers.
>>
>> Regards,
>> Daniel Folch
>>
>> On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, conm...@gmail.com
>> wrote:
>>>
>>> Hi everybody
>>> I have seen an article about configuring active-response to block SSH
>>> bruteforce on https://wazuh.com/blog/blocking-attacks-active-response/
>>>
>>> I have configured the direction and added some ssh related rules hoping
>>> that it will prevent the attack, but it doesn't work.
>>> I configured the following in ossec.conf:
>>> <command>
>>>   <name>firewall-drop</name>
>>>   <executable>firewall-drop.sh</executable>
>>>   <expect>srcip</expect>
>>>   <timeout_allowed>yes</timeout_allowed>
>>> </command>
>>>
>>> <active-response>
>>>   <command>firewall-drop</command>
>>>   <location>local</location>
>>>   <rules_id>5712,5716,5720</rules_id>
>>>   <timeout>1800</timeout>
>>> </active-response>
>>>
>>> I still find the password to log in after the brute force. I use the
>>> following command to attack:
>>> hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh
>>>
>>> Is there any way the active-response can prevent this?
>>> Thanks everyone
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/cy2mP6V_zl0/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> ossec-list+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ossec-list/fc270a22-8c00-4094-a5b5-fed439442598o%40googlegroups.com.
>>


-- 
Software updates are like hand-washing for computers.  So simple that it
doesn't seem like it could make much of a difference, but it does.
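The escalation Natassia describes, as an added simulation (not code from the thread or from OSSEC/Wazuh): a per-source frequency counter in the spirit of rule 5720 (8 hits of rule 5716 from one source in a short window) that blocks the source and lengthens the timeout each time it comes back, the way OSSEC's agent-side `<repeated_offenders>` option does. The window, the timeouts and the event stream are constructed values.

```python
from collections import defaultdict, deque

# Constructed parameters modelled on the thread: rule 5720 fires when rule 5716
# (sshd failed password) matches 8 times from one source within a short window,
# and the poster's response uses <timeout>1800</timeout>.
FREQUENCY = 8
TIMEFRAME = 120           # seconds (constructed value)
BASE_TIMEOUT = 1800       # seconds, first offence
# Escalating timeouts for repeat offenders, in the spirit of OSSEC's agent-side
# <repeated_offenders> option; the values here are constructed.
REPEAT_TIMEOUTS = [3600, 7200, 14400]   # 2nd, 3rd, 4th+ offence


class ActiveResponseSim:
    """Counts rule-5716 hits per source IP and fires an escalating block."""

    def __init__(self):
        self.failures = defaultdict(deque)  # srcip -> timestamps of failed logins
        self.blocked_until = {}             # srcip -> time the firewall-drop expires
        self.offences = defaultdict(int)    # srcip -> number of blocks so far
        self.log = []                       # (time, srcip, timeout) per block fired

    def timeout_for(self, ip):
        n = self.offences[ip]
        if n == 0:
            return BASE_TIMEOUT
        return REPEAT_TIMEOUTS[min(n - 1, len(REPEAT_TIMEOUTS) - 1)]

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, float("-inf")) > now

    def failed_login(self, ip, now):
        """Feed one failed-login event at time `now`; True if a block fired."""
        if self.is_blocked(ip, now):
            return False   # dropped by the firewall, sshd never sees it
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > TIMEFRAME:
            window.popleft()
        if len(window) < FREQUENCY:
            return False
        timeout = self.timeout_for(ip)
        self.offences[ip] += 1
        self.blocked_until[ip] = now + timeout
        window.clear()
        self.log.append((now, ip, timeout))
        return True


def run_sample(waves=3, interval=0.5):
    """Constructed scenario: one source fails a login every `interval` seconds,
    gets blocked, and comes back the moment each block expires."""
    sim = ActiveResponseSim()
    ip = "192.0.2.10"   # documentation address, constructed
    t = 0.0
    for _ in range(waves):
        while not sim.failed_login(ip, t):
            t += interval
        t = sim.blocked_until[ip]
    return sim.log


if __name__ == "__main__":
    for when, ip, timeout in run_sample():
        print(f"t={when:8.1f}s  block {ip} for {timeout // 60} min")
```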



Re: [ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread Natassia S
Sorry that this is coming in bits and pieces.  It looks to me that the -c
option is used when verifying the checksum file.

[ Downloads]$ sha256sum -c ossec-hids-2.8.3.tar.gz.sha256
ossec-hids-2.8.3.tar.gz: OK

I don't think that the actual program tar file contains a checksum (hence
the error) and you use the command without any options to calculate a sum
that you compare to the checksum file that you download separately.

[ Downloads]$ sha256sum ossec-hids-2.8.3.tar.gz
917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd  ossec-hids-2.8.3.tar.gz

Natassia


On Wed, Dec 11, 2019 at 7:29 AM Natassia S  wrote:

> Correction, I just noticed that you used the -c option and got the same
> error as you did.  I normally run sha256sum without any flags.
>
> Natassia
>
> On Wed, Dec 11, 2019 at 7:27 AM Natassia S  wrote:
>
>> I'm not sure why you got the error.  I ran the sha256sum on the same file
>> on a CentOS 8 box, got the same checksum and no errors.  I'm guessing that
>> you already tried downloading a fresh copy?
>>
>> Natassia
>>
>> On Wed, Dec 11, 2019 at 3:14 AM karthik s  wrote:
>>
>>> Hello Team,
>>>
>>> When I try to run the below command, I'm getting this error. Could someone
>>> help me ASAP.
>>>
>>> ubuntu@ip-x-x-x-x:~$ cat ossec-hids-2.8.3.tar.gz.sha256
>>> SHA256 (ossec-hids-2.8.3.tar.gz) =
>>> 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
>>> ubuntu@ip-x-x-x-x:~$ sha256sum -c  ossec-hids-2.8.3.tar.gz.sha256
>>> ossec-hids-2.8.3.tar.gz
>>> ossec-hids-2.8.3.tar.gz: OK
>>> sha256sum: ossec-hids-2.8.3.tar.gz: no properly formatted SHA256
>>> checksum lines found
>>> ubuntu@ip-x-x-x-x:~$
>>>
>>> Thanks and Regards,
>>> Karthik
>>>
>>



Re: [ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread Natassia S
I'm not sure why you got the error.  I ran the sha256sum on the same file
on a CentOS 8 box, got the same checksum and no errors.  I'm guessing that
you already tried downloading a fresh copy?

Natassia

On Wed, Dec 11, 2019 at 3:14 AM karthik s  wrote:

> Hello Team,
>
> When I try to run the below command, I'm getting this error. Could someone
> help me ASAP.
>
> ubuntu@ip-x-x-x-x:~$ cat ossec-hids-2.8.3.tar.gz.sha256
> SHA256 (ossec-hids-2.8.3.tar.gz) =
> 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
> ubuntu@ip-x-x-x-x:~$ sha256sum -c  ossec-hids-2.8.3.tar.gz.sha256
> ossec-hids-2.8.3.tar.gz
> ossec-hids-2.8.3.tar.gz: OK
> sha256sum: ossec-hids-2.8.3.tar.gz: no properly formatted SHA256 checksum
> lines found
> ubuntu@ip-x-x-x-x:~$
>
> Thanks and Regards,
> Karthik
>



Re: [ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread Natassia S
Correction, I just noticed that you used the -c option and got the same
error as you did.  I normally run sha256sum without any flags.

Natassia

On Wed, Dec 11, 2019 at 7:27 AM Natassia S  wrote:

> I'm not sure why you got the error.  I ran the sha256sum on the same file
> on a CentOS 8 box, got the same checksum and no errors.  I'm guessing that
> you already tried downloading a fresh copy?
>
> Natassia
>
> On Wed, Dec 11, 2019 at 3:14 AM karthik s  wrote:
>
>> Hello Team,
>>
>> When I try to run the below command, I'm getting this error. Could someone
>> help me ASAP.
>>
>> ubuntu@ip-x-x-x-x:~$ cat ossec-hids-2.8.3.tar.gz.sha256
>> SHA256 (ossec-hids-2.8.3.tar.gz) =
>> 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
>> ubuntu@ip-x-x-x-x:~$ sha256sum -c  ossec-hids-2.8.3.tar.gz.sha256
>> ossec-hids-2.8.3.tar.gz
>> ossec-hids-2.8.3.tar.gz: OK
>> sha256sum: ossec-hids-2.8.3.tar.gz: no properly formatted SHA256 checksum
>> lines found
>> ubuntu@ip-x-x-x-x:~$
>>
>> Thanks and Regards,
>> Karthik
>>
>

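For the sha256sum threads above, an added example (not from the list and not OSSEC code) that verifies a checksum list the way `sha256sum -c` does, accepting both the BSD-style `SHA256 (file) = hex` line seen in the .sha256 file and the default `hex  file` line. `sha256sum -c` treats every argument as a checksum list, so a file holding no such line yields the "no properly formatted SHA256 checksum lines found" message, which the block reproduces; the files it checks are constructed in a temporary directory.

```python
import hashlib
import os
import re
import tempfile

# The two line formats GNU sha256sum -c accepts.
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def sha256_of(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large tarballs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_lines(text):
    """Yield (name, hex) for every well-formed line; blanks and comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_LINE.match(line) or GNU_LINE.match(line)
        if m:
            yield m.group("name"), m.group("hex").lower()


def verify(checksum_path, directory=None):
    """Check every entry of a checksum list against the files next to it.
    Returns {name: "OK" | "FAILED" | "MISSING"}; raises ValueError with
    sha256sum's own wording when the file holds no checksum line at all."""
    directory = directory or os.path.dirname(checksum_path)
    with open(checksum_path, "r", encoding="utf-8", errors="replace") as f:
        entries = list(parse_checksum_lines(f.read()))
    if not entries:
        raise ValueError(f"{os.path.basename(checksum_path)}: "
                         "no properly formatted SHA256 checksum lines found")
    results = {}
    for name, expected in entries:
        target = os.path.join(directory, name)
        if not os.path.exists(target):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of(target) == expected else "FAILED"
    return results


def demo():
    """Constructed scenario: a stand-in for the tarball (not the real release),
    a BSD-style .sha256 for it, a tampered copy, and the mistake of handing the
    tarball itself to the verifier. Returns (good, tampered, error_message)."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "ossec-hids-2.8.3.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"constructed stand-in, not the real tarball\n")
        sums = os.path.join(d, "ossec-hids-2.8.3.tar.gz.sha256")
        with open(sums, "w") as f:
            f.write(f"SHA256 (ossec-hids-2.8.3.tar.gz) = {sha256_of(tarball)}\n")
        good = verify(sums)
        with open(tarball, "ab") as f:
            f.write(b"tampered\n")
        tampered = verify(sums)
        try:
            verify(tarball)          # a tarball is not a checksum list
            err = None
        except ValueError as e:
            err = str(e)
    return good, tampered, err
```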


Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-02 Thread Natassia S
Yeah, I got rid of the copy that I made.

I was able to install 2.8.3 on my new CentOS 8 machine.  :)

Natassia


On Mon, Dec 2, 2019 at 1:27 PM dan (ddp)  wrote:

>
>
> On Mon, Dec 2, 2019 at 3:56 PM Natassia S  wrote:
>
>> Everything came out of 3.3.0.tar.gz
>>
>> I compared the contents and the same directory for 2.8.3 also has no
>> pcre2 but it has a Makefile.  On a whim I put a copy of the 2.8.3 Makefile
>> in the 3.3.0 folder and got the same error.
>>
>
> The 2.8.3 Makefile would probably add more issues.
>
>
>> Natassia
>>
>> On Mon, Dec 2, 2019 at 12:33 PM dan (ddp)  wrote:
>>
>>>
>>>
>>> On Mon, Dec 2, 2019 at 3:07 PM Natassia M Stelmaszek 
>>> wrote:
>>>
>>>> Bad Installation Package???
>>>>
>>>> I'm trying to build a new machine that includes OSSEC 3.3.0.  When I
>>>> run install.sh and use the default responses for a local installation, it
>>>> gives me the following error.
>>>>
>>>> sudo ./install.sh
>>>>
>>>> - Running the Makefile
>>>>
>>>> cc  -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\"
>>>> -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\"
>>>> -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM
>>>> -I./external/pcre2-10.32//install/include/ -DPCRE2_STATIC -DUSE_PCRE2_JIT
>>>> -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/ -c
>>>> external/cJSON/cJSON.c -o external/cJSON/cJSON.o
>>>> ar -crs libcJSON.a external/cJSON/cJSON.o
>>>> ranlib libcJSON.a
>>>> cd external/pcre2-10.32/ && \
>>>> ./configure \
>>>> --prefix=/home/stelmn/ossec-hids-3.3.0/src/external/pcre2-10.32//install \
>>>> --enable-jit \
>>>> --disable-shared \
>>>> --enable-static && \
>>>> make install-libLTLIBRARIES install-nodist_includeHEADERS
>>>> /bin/sh: line 0: cd: external/pcre2-10.32/: No such file or directory
>>>> make: *** [Makefile:770: external/pcre2-10.32//install/lib/libpcre2-8.a] Error 1
>>>>
>>>>
>>>>
>>>
>>> With that version of ossec you need to untar the pcre2 source in the
>>> above directory. Or you can install the devel package and set PCRE2_SYSTEM=y
>>>
>>>
>>>>  Error 0x5.
>>>>
>>>>  Building error. Unable to finish the installation.
>>>>
>>>>
>>>> I've verified that kernel-headers are installed, tried two different
>>>> machines and even tried updating an OSSEC installation on a CentOS 7
>>>> machine but I keep getting the same failure.  It appears that the script is
>>>> looking for pcre2 in the src directory but it doesn't exist.
>>>>
>>>>
>>>> $ pwd
>>>> /home/stelmn/Downloads/ossec-hids-3.3.0/src/external
>>>> $ ls
>>>> cJSON  lua  lua-5.2.3  zlib-1.2.11
>>>>
>>>> Is something missing from the download file or am I overlooking
>>>> something?
>>>>
>>>> Natassia
>>>>

Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-02 Thread Natassia S
Everything came out of 3.3.0.tar.gz

I compared the contents and the same directory for 2.8.3 also has no pcre2
but it has a Makefile.  On a whim I put a copy of the 2.8.3 Makefile in the
3.3.0 folder and got the same error.

Natassia

On Mon, Dec 2, 2019 at 12:33 PM dan (ddp)  wrote:

>
>
> On Mon, Dec 2, 2019 at 3:07 PM Natassia M Stelmaszek 
> wrote:
>
>> Bad Installation Package???
>>
>> I'm trying to build a new machine that includes OSSEC 3.3.0.  When I run
>> install.sh and use the default responses for a local installation, it gives
>> me the following error.
>>
>> sudo ./install.sh
>>
>> - Running the Makefile
>>
>> cc  -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\"
>> -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\"
>> -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM
>> -I./external/pcre2-10.32//install/include/ -DPCRE2_STATIC -DUSE_PCRE2_JIT
>> -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/ -c
>> external/cJSON/cJSON.c -o external/cJSON/cJSON.o
>> ar -crs libcJSON.a external/cJSON/cJSON.o
>> ranlib libcJSON.a
>> cd external/pcre2-10.32/ && \
>> ./configure \
>> --prefix=/home/stelmn/ossec-hids-3.3.0/src/external/pcre2-10.32//install \
>> --enable-jit \
>> --disable-shared \
>> --enable-static && \
>> make install-libLTLIBRARIES install-nodist_includeHEADERS
>> /bin/sh: line 0: cd: external/pcre2-10.32/: No such file or directory
>> make: *** [Makefile:770: external/pcre2-10.32//install/lib/libpcre2-8.a] Error 1
>>
>>
>>
>
> With that version of ossec you need to untar the pcre2 source in the above
> directory. Or you can install the devel package and set PCRE2_SYSTEM=y
>
>
>>  Error 0x5.
>>
>>  Building error. Unable to finish the installation.
>>
>>
>> I've verified that kernel-headers are installed, tried two different
>> machines and even tried updating an OSSEC installation on a CentOS 7
>> machine but I keep getting the same failure.  It appears that the script is
>> looking for pcre2 in the src directory but it doesn't exist.
>>
>>
>> $ pwd
>> /home/stelmn/Downloads/ossec-hids-3.3.0/src/external
>> $ ls
>> cJSON  lua  lua-5.2.3  zlib-1.2.11
>>
>> Is something missing from the download file or am I overlooking something?
>>
>> Natassia
>>



Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-07 Thread Natassia S
The book does a good job of describing the process of writing custom
decoders.

Natassia

On Wed, Dec 7, 2016 at 4:06 AM, dan (ddp)  wrote:

> On Wed, Dec 7, 2016 at 5:26 AM, 1kn0  wrote:
> > Greetings,
> >
> > I'm new to OSSEC and I didn't find an answer to my problem on the list.
> > I have appliance firewalls (netasq and stormshield) on a network. These
> > firewalls export their logs to the computer where OSSEC is installed.
> >
> > For tests:
> >
> > I connect to the administration pages of the firewall with an invalid
> > user/password.
> >>
> >> Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28"
> >> fw="FW1" tz=+ startime="2016-12-02 15:42:28" user="admin"
> >> src=192.168.10.2 ruleid=0 method="PLAIN" error=4 msg="Authentication
> >> request invalid" logtype="auth"#015
> >
> >
> > I connect to the firewall with SSH
> >>
> >> Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41"
> >> fw="FW1" tz=+ startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2
> >> ruleid=1 srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
> >> src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur
> >> dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW action=pass
> >> logtype="filter"#015
> >
> >
> >
> > Are there decoders and rules for this firewall?
> > How do I configure decoders/rules to analyze all events reported by the
> > firewalls?
> >
>
> I don't believe there are decoders or rules for this firewall (never
> heard of it actually).
> Running the samples provided through ossec-logtest, I get the following
> output:
> **Phase 1: Completed pre-decoding.
>full event: 'Dec  2 15:42:29 192.168.10.1 id=firewall
> time="2016-12-02 15:42:28" fw="FW1" tz=+ startime="2016-12-02
> 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN"
> error=4 msg="Authentication request invalid" logtype="auth"#015'
>hostname: '192.168.10.1'
>program_name: '(null)'
>log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+
> startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0
> method="PLAIN" error=4 msg="Authentication request invalid"
> logtype="auth"#015'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>Rule id: '1002'
>Level: '2'
>Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall
> time="2016-12-02 14:37:41" fw="FW1" tz=+ startime="2016-12-02
> 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 srcif="Ethernet2"
> srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 srcport=33659
> srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1
> dstport=22 dstportname=ssh dstname=FW action=pass
> logtype="filter"#015'
>hostname: '192.168.10.1'
>program_name: '(null)'
>log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+
> startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1
> srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh
> src=192.168.10.2 srcport=33659 srcportname=ephemeral_fw_tcp
> srcname=Routeur dst=192.168.10.1 dstport=22 dstportname=ssh dstname=FW
> action=pass logtype="filter"#015'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
>
> Adding the following decoder to local_decoder.xml gives us "decoder:
> 'netasq'" (although this is untested against other logs to make sure
> there are no conflicts):
> <decoder name="netasq">
>   <prematch>^id=</prematch>
> </decoder>
>
>
> These decoders flesh it out a bit:
> <!-- child decoder names were not in the original message -->
> <decoder name="netasq-auth">
>   <parent>netasq</parent>
>   <prematch>logtype="auth"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"</regex>
>   <order>id, extra_data, user, srcip</order>
> </decoder>
>
> <decoder name="netasq-filter">
>   <parent>netasq</parent>
>   <prematch>logtype="filter"</prematch>
>   <regex>^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)</regex>
>   <order>id, extra_data, protocol, protocol, srcip, srcport, dstip, dstport, action</order>
> </decoder>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Dec  2 15:42:29 192.168.10.1 id=firewall
> time="2016-12-02 15:42:28" fw="FW1" tz=+ startime="2016-12-02
> 15:42:28" user="admin" src=192.168.10.2 ruleid=0 method="PLAIN"
> error=4 msg="Authentication request invalid" logtype="auth"#015'
>hostname: '192.168.10.1'
>program_name: '(null)'
>log: 'id=firewall time="2016-12-02 15:42:28" fw="FW1" tz=+
> startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0
> method="PLAIN" error=4 msg="Authentication request invalid"
> logtype="auth"#015'
>
> **Phase 2: Completed decoding.
>decoder: 'netasq'
>id: 'firewall'
>extra_data: 'FW1'
>dstuser: 'admin'
>srcip: '192.168.10.2'
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Dec  2 14:37:42 192.168.10.1 id=firewall
> time="2016-12-02 14:37:41" fw="FW1" tz=+ 
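A Python re-implementation of the netasq decoders from the thread above (the parent with prematch `^id=` and the two children for `logtype="auth"` and `logtype="filter"`), so the field extraction can be checked without ossec-logtest. This is an added example, not OSSEC code: the child decoder names are chosen here because the thread does not give them, OSSEC's `\w` class is approximated, and a field named twice in `order` keeps the last value (an assumption). The two log lines are the samples quoted above.

```python
import re

# OSSEC regex tokens -> Python re. OSSEC's \.+ is non-greedy, so it becomes .+?;
# \w is approximated as alphanumerics plus @ - _ (enough for these samples).
_TOKENS = {r"\S": "[^ ]", r"\s": " ", r"\d": "[0-9]", r"\w": r"[A-Za-z0-9@_\-]", r"\.": "."}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _TOKENS:
            out.append(_TOKENS[tok])
            i += 2
            if i < len(pattern) and pattern[i] in "+*":     # quantifier after a class
                out.append(pattern[i] + ("?" if tok == r"\." else ""))
                i += 1
        elif pattern[i] in "()^$":
            out.append(pattern[i])
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

# (name, parent, prematch, regex, order) as in dan's local_decoder.xml; the
# child names are chosen here because the thread does not give them.
DECODERS = [
    ("netasq", None, r"^id=", None, None),
    ("netasq-auth", "netasq", r'logtype="auth"',
     r'^id=(\S+) time=\.+ fw="(\w+)" \.+ user="(\S+)" src=(\S+) \.+ logtype="auth"',
     ["id", "extra_data", "user", "srcip"]),
    ("netasq-filter", "netasq", r'logtype="filter"',
     r'^id=(\S+) time=\.+ fw="(\w+)" \.+ ipproto=(\S+) proto=(\S+) src=(\S+) '
     r'srcport=(\d+) \.+ dst=(\S+) dstport=(\d+) \.+ action=(\S+)',
     ["id", "extra_data", "protocol", "protocol", "srcip", "srcport",
      "dstip", "dstport", "action"]),
]
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$")

def predecode(line):
    """Phase 1: strip the syslog timestamp and hostname (these lines carry no program name)."""
    m = SYSLOG_HEADER.match(line)
    return {"hostname": m.group(1), "log": m.group(2)} if m else {"hostname": None, "log": line}

def decode(line):
    """Phase 2: decoder name plus extracted fields, or {} when no decoder matched."""
    log = predecode(line)["log"]
    for name, parent, prematch, _, _ in DECODERS:
        if parent is not None or not re.search(ossec_to_python(prematch), log):
            continue
        result = {"decoder": name}          # ossec-logtest reports the parent's name
        for cname, cparent, cpre, cregex, corder in DECODERS:
            if cparent != name or not re.search(ossec_to_python(cpre), log):
                continue
            m = re.search(ossec_to_python(cregex), log)
            if m:
                for field, value in zip(corder, m.groups()):
                    # OSSEC reports "user" as dstuser; a repeated field keeps the last value
                    result[{"user": "dstuser"}.get(field, field)] = value
                break
        return result
    return {}

# The two sample events quoted in the thread.
AUTH_EVENT = ('Dec  2 15:42:29 192.168.10.1 id=firewall time="2016-12-02 15:42:28" fw="FW1" '
              'tz=+ startime="2016-12-02 15:42:28" user="admin" src=192.168.10.2 ruleid=0 '
              'method="PLAIN" error=4 msg="Authentication request invalid" logtype="auth"#015')
FILTER_EVENT = ('Dec  2 14:37:42 192.168.10.1 id=firewall time="2016-12-02 14:37:41" fw="FW1" '
                'tz=+ startime="2016-12-02 14:37:40" pri=5 confid=01 slotlevel=2 ruleid=1 '
                'srcif="Ethernet2" srcifname="port2" ipproto=tcp proto=ssh src=192.168.10.2 '
                'srcport=33659 srcportname=ephemeral_fw_tcp srcname=Routeur dst=192.168.10.1 '
                'dstport=22 dstportname=ssh dstname=FW action=pass logtype="filter"#015')
```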

Re: [ossec-list] Selecting multiple, discrete weekdays

2016-11-18 Thread Natassia S
Yes that did it, thanks!

:)
Natassia

On Fri, Nov 18, 2016 at 9:42 AM, Daniel Cid  wrote:

> It should work with spaces or commas:
>
> <weekday>monday, tuesday, friday</weekday>
>
> thanks,
>
> On Fri, Nov 18, 2016 at 1:24 PM,  wrote:
>
>> Is it possible to select multiple, discrete days using the weekday
>> function?
>>
>> I can get the rule to run if I select a single day and it looks like I
>> should be able to specify weekends or weekdays.  What I would like to do is
>> to specify certain days, in this case Sunday, Monday, Wednesday and
>> Friday.  I tried using the pipe to "or" them together (Sunday|Monday|etc.,)
>> but that gives me "OSSEC analysisd: Testing rules failed. Configuration
>> error. Exiting." when I restart.
>>
>> Is there a way to do this with a single <weekday> specification or will I
>> have to write a composite rule?
>>
>> Natassia
>>
>
