Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-15 Thread Ryan Schulze


Are you sure it was OSSEC? I just had a look at 
https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh 
The only iptables commands it does are the following four, and I can't 
see how they would flush an entire table/chain.


iptables -I INPUT -s ${IP} -j DROP
iptables -I FORWARD -s ${IP} -j DROP
iptables -D INPUT -s ${IP} -j DROP
iptables -D FORWARD -s ${IP} -j DROP

Do you have any other scripts running to manage your iptables that may 
conflict with the ossec active response script?





On 6/15/2016 2:44 AM, Zeal Vora wrote:
We had deployed the OSSEC client across all our servers in the evening and
the next morning we found that all iptables rules had been flushed. It was
around 50+ machines. The OSSEC clients were running. We then had to stop the
OSSEC client for investigation and load the iptables rules again.


On Tuesday, June 14, 2016 at 9:30:41 PM UTC+5:30, Antonio Querubin wrote:

On Tue, 14 Jun 2016, Zeal Vora wrote:

> We installed OSSEC in our production machines yesterday and today we saw
> that all the iptables rules in all the machines were flushed. Something
> similar to iptables -F
>
> Any idea on what can cause this? I am aware that OSSEC active-response can
> add or remove entries from iptables but have never known about flushing
> entire iptables rules.
>
> Any help will be appreciated!

Normally, if an ossec client is stopped, it will remove all active
response entries added to the firewall rules and /etc/hosts.deny from the
time ossec was started before exiting.  Is this what you're seeing or are
the entire iptables rules completely gone?

Antonio Querubin
e-mail: to...@lavanauts.org 
xmpp: antonio...@gmail.com 
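One way to answer Antonio's question (did only the agent's own DROP entries disappear on shutdown, or was the whole ruleset flushed?) is to diff a saved `iptables-save` baseline against the current state and check whether every missing rule has exactly the shape firewall-drop.sh installs (`-s <ip> -j DROP` in INPUT or FORWARD). This is an added example, not code from the thread or from OSSEC; the three dumps and the 203.0.113.5 address are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample dumps: a baseline taken with `iptables-save` before
# OSSEC was deployed, plus two possible "current" states of the same host.
BASELINE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 203.0.113.5/32 -j DROP
COMMIT
"""

# What the agent leaves behind when it stops and deletes its own entries.
AR_CLEANUP_ONLY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# What `iptables -F` leaves behind: chains and policies intact, every rule gone.
FLUSHED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# The only rule shape firewall-drop.sh adds or removes.
AR_RULE = re.compile(r"^-A (INPUT|FORWARD) -s \S+ -j DROP$")


class FilterTable(NamedTuple):
    policies: Dict[str, str]   # chain -> policy
    rules: Set[str]            # "-A ..." lines


def parse_filter_table(dump: str) -> FilterTable:
    """Extract chain policies and the rule set of the *filter table."""
    policies: Dict[str, str] = {}
    rules: Set[str] = set()
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.add(line)
    return FilterTable(policies, rules)


def classify(baseline: str, current: str) -> Dict[str, object]:
    """Decide whether only active-response entries disappeared or the
    ruleset itself was altered (flushed, rewritten, policies changed)."""
    before = parse_filter_table(baseline)
    after = parse_filter_table(current)
    missing: List[str] = sorted(before.rules - after.rules)
    added: List[str] = sorted(after.rules - before.rules)
    policy_changes = {
        chain: (policy, after.policies.get(chain))
        for chain, policy in before.policies.items()
        if after.policies.get(chain) != policy
    }
    if not missing and not added and not policy_changes:
        verdict = "unchanged"
    elif not added and not policy_changes and all(AR_RULE.match(r) for r in missing):
        verdict = "active-response cleanup only"
    else:
        verdict = "ruleset altered beyond active-response"
    return {"verdict": verdict, "missing": missing, "added": added,
            "policy_changes": policy_changes}


if __name__ == "__main__":
    for name, state in (("cleanup", AR_CLEANUP_ONLY), ("flushed", FLUSHED)):
        print(name, "->", classify(BASELINE, state)["verdict"])
```

On a real host the baseline would be the `iptables-save` output captured before the agent was installed (or the rules file your own firewall tooling restores from), and "altered beyond active-response" is the signal to look at whatever else manages iptables on that box, as Ryan suggests.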

--

---
You received this message because you are subscribed to the Google 
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to ossec-list+unsubscr...@googlegroups.com 
.

For more options, visit https://groups.google.com/d/optout.




Re: [ossec-list] Emails are not going

2016-03-19 Thread Ryan Schulze
There are a couple of hops between ossec-maild and your inbox. Since you 
said maild is attempting to send the emails: where do they get stuck, 
does the local MTA have them, what is in the mail daemon's logs?


On 3/18/2016 8:33 PM, sandeep dubey wrote:

Yes, it attempts but emails are not landing in inbox.

On Fri, Mar 18, 2016 at 8:13 PM, dan (ddp) wrote:


On Fri, Mar 18, 2016 at 10:40 AM, sandeep dubey <sandeep.san...@gmail.com> wrote:
> Hi,
>
> I am running OSSEC version 2.8.3-3trusty on 100+ nodes on AWS EC2. Recently I
> noticed that alerts are not being sent from OSSEC, not even a single one. It was
> working fine a couple of days earlier. While digging into this I observed that
> it is not working for an email group but working for individual email IDs.
>
> Can someone help to identify the issue and fix it? The same setup with the same
> email group is working on another system. The only difference between these
> two setups is that one has 100+ servers, where it has stopped working, and
> the other has 15-20 nodes, where it is working.
>
> I tried restarting the ossec services; ossec-maild is working, the local sendmail
> service is also working, test emails are going fine.
>

Does ossec-maild attempt to send anything?

>
> Current configuration is -
>
> 
>  yes
> x...@domain.com 
> a...@domain.com 
> 1...@domain.com 
>  localhost
> oss...@ossec.domain.com

>   
> -
> -
> -
> -
> 
>  1
>  8
>   
>
>   
> cloud-t...@domain.com

> 8
> 
>   
>
> --
> Regards,
> Sandeep
>





--
Regards,
Sandeep


Re: [ossec-list] Re: Change ossec.conf globaly

2016-03-08 Thread Ryan Schulze
If he doesn't have any kind of configuration management/orchestration in 
place it might make more sense to use a minimal ossec.conf on the agents 
and deploy any changes via the shared/agent.conf on the master.


That way he won't run into problems again with settings on the agents he 
might have to manually remove.



On 3/8/2016 1:01 PM, Pedro S wrote:
I can't imagine a way to change ossec.conf on every agent if you are 
not using some deployment software (like Puppet).


One solution for further installations is to change default ossec.conf 
file in order to include your EventID exception.


Regards,

Pedro S.

On Monday, March 7, 2016 at 3:02:49 PM UTC+1, Abdulvehhab Agin wrote:

Hi,


We have lots of ossec agents on Windows systems; these agents
generate too many "Audit Logs" and we don't want to collect
these logs.


When I change ossec.conf on the client manually:

## New Ossec.conf



  Security
  eventchannel
  Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]





It works well, but we don't want to change this config manually on
each computer. Is there a way to deploy this config via the OSSEC
server, like shared/agent.conf?



Thanks for any help.
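The deployment Ryan describes (a minimal local ossec.conf on each Windows agent, with the event channel filter pushed from the manager's shared/agent.conf) would look like this. This is an added example, not configuration from the thread or from the OSSEC project. It assumes the `<localfile>` for the Security channel is removed from the agents' local ossec.conf so the channel is not read twice, and it scopes the block with the `os="Windows"` attribute so Linux agents reading the same agent.conf ignore it.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager -->
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- the EventID filter from the thread: skip the noisy audit events -->
    <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
  </localfile>
</agent_config>
```

Agents pick the shared file up from the manager, so the filter can later be changed in one place; an `<agent_config>` block can also be narrowed further with `name="..."` or `profile="..."` if only some Windows hosts should get it.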







Re: [ossec-list] Unattended install always asks...

2016-02-19 Thread Ryan Schulze
Have you tried setting USER_NO_STOP="y" (we use ansible too for building 
the binaries)?


On 2/19/2016 1:16 AM, Barry Kaplan wrote:

I cannot get the install to NOT ask:

You already have OSSEC installed. Do you want to update it? 



I am installing via ansible; the ./install.sh can get invoked more 
than once. That's ok, I just need ossec to not prompt. I have set 
USER_UPDATE="n" and "y" -- but still get prompted. What am I missing?



Re: [ossec-list] OSSEC not sending error.log

2016-02-11 Thread Ryan Schulze
If the logs are in your masters archives.log, then it would seem as if 
they *are* being sent, so that isn't the problem.
Do you have an example of an apache error log line that you expected to 
trigger an alert?



On 2/10/2016 1:52 AM, Maxim Surdu wrote:

I checked: my logs are in /var/ossec/logs/ossec.log on the agent,

but for the manager the logs are going into /var/ossec/logs/archives/archives.log.

How to resolve it? And why are my logs going into archives?

On Tuesday, 9 February 2016, 18:03:27 UTC+2, Santiago Bassett wrote:

ossec-logcollector seems to be reading the file on the agent side.

Does the agent appear as connected? Please check
/var/ossec/logs/ossec.log on the agent and manager to see if there
are errors there.

Also, are you sure events are not being written to
/var/ossec/logs/archives/archives.log?


On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu > wrote:

Hi Santiago,

This my output

root@my:/home/msurdu# lsof /var/log/apache2/error.log
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log



this is begining of my ossec.conf of server

  
yes
yes
DC2.*.***
msurdu@*.**
ossec@*.**

  

 
1
6
 

the results are the same :( more suggestions?


On Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:

Hi Maxim,

please check that ossec-logcollector process is running
and reading that file. You can do

lsof /var/log/apache2/error.log

If that is not the case there might be something wrong
with the configuration (maybe a typo).

If it is reading the logs, try enabling logall option on
the OSSEC manager, to see if those get actually there.

I hope that helps,

Santiago.

On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu wrote:

Dear community,
I am having a problem in OSSEC. I have configured the
OSSEC client to monitor the Apache and Nginx error.log


apache
/var/log/nginx/access.log
  

  
apache
/var/log/nginx/error.log
  

 
apache
/var/log/apache2/error.log
   


apache
/var/log/apache2/access.log
   

In /var/log/apache2/error.log the logs are shown but not sent to the server? Any
help/solutions?

Re: [ossec-list] sharing memory between two virtual machine

2016-02-04 Thread Ryan Schulze
Not sure how this is OSSEC related, but unless you have a shared 
resource that both VMs can access (with sufficient locking mechanisms) 
I'd just use TCP/UDP and a client/server architecture.




On 2/3/2016 8:07 PM, Zakirasafi wrote:

Dear all

I have installed two virtual machines on the XEN hypervisor. Now I want to 
communicate between those two virtual machines. I need help about sharing 
memory between two virtual machines. Please send me code for sharing 
memory between virtual machines, or any type of code for communication 
between virtual machines.


Thanks in Advance.
Thanks and Regards,
Zakira Inayat
Ph.D Scholar in University of Malaya, Malaysia


Re: [ossec-list] sending email through existing smtp server

2015-12-04 Thread Ryan Schulze
Just use 127.0.0.1 and set up your postfix 
to deal with the incoming mails accordingly.


On 12/4/2015 10:32 AM, Bruno Rodrigues wrote:

How can I do this?

I already have postfix working with mailgun, but OSSEC emails won't work.



On Sunday, November 8, 2015 at 11:51:45 AM UTC-2, Eero Volotinen wrote:

You should use local postfix to relay mails.

Eero

On 7.11.2015 10:55 PM, > wrote:

Hi all,

I recently installed OSSEC 2.8.1 on a Debian machine, and I really
don't understand how this email setup works. My config file looks
like this:


  yes
  mye...@gmail.com 
  alt2.gmail-smtp-in.l.google.com

  mye...@gmail.com 


I got the impression that this is all you have to do to get it to
work. But I get the following errors in the log:
WARN: End of DATA not accepted by server
ERROR: Error Sending email to [gmail server ip] (smtp server)

When I look this up, no one has a clear response. For some people,
this works! For others, they had no choice but to make their own
smtp server. I'm concerned about all the possible security risks
that come with making my own smtp server, so I was hoping this
would handle it for me. Is this possible? Do I need to put in a key
somewhere? Or is something like ssmtp or postfix the only way to go?

Thanks!


Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Ryan Schulze

On 11/30/2015 12:21 PM, Daniel Bray wrote:
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote:



Last idea at the moment:
Copy archives.log. Open the copy in a text editor. Find an entry you
want to test against and delete everything else.
Delete the archives.log header from your chosen entry.
Run that through ossec-logtest:
`cat copy-of-archives.log | /var/ossec/bin/ossec-logtest`

See if it still gets reported as a 0. Maybe there's some odd spacing
issue that isn't maintained when copy/pasting it.


Still gets reported as 0, but email is Level 2.
--


Is this the only rule in your local_rules.xml that isn't working, or are 
all rules in your local_rules.xml not working?




Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread Ryan Schulze
That depends on how you set up your active response. IIRC the default is 
to trigger for any rule level 7 or higher. So just check which rules of level 7 
or higher were triggered by you (e.g. by checking the alert logs or 
your emails).


Since you mentioned phpmyadmin I'd guess maybe one of the SQL injection 
rules if phpmyadmin transfers certain requests as a GET (making it show 
up in the webserver logs).


On 11/10/2015 7:31 PM, frwa onto wrote:

Hi Santiago,
This will just block the active response, right? But 
in my case, why is it that when I try to get huge data the active 
response comes into effect? I can't see which rule is fired to activate 
the active response. Is there any workaround with the active 
response still being active?


On Wed, Nov 11, 2015 at 2:04 AM, Santiago Bassett <santiago.bass...@gmail.com> wrote:


You can find info here:


http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html


If unsure I suggest to disable it at /var/ossec/etc/ossec.conf

  

yes

  


On Tue, Nov 10, 2015 at 1:22 AM, frwa onto <frwao...@gmail.com> wrote:

Hi Ryan,
I am not too good at tuning up my active response
or rules. Any tips on how to go about it?


On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze <r...@dopefish.de> wrote:

Sounds like you may want to look into fine tuning your
active response and/or rules.

On 11/9/2015 10:11 PM, frwa onto wrote:

Hi Santiago,
I am just running as standalone, so it's not a manager or agent. I have
another machine, for instance, where I am using the older ossec 2.7.1; in
that one I have tried, say, my phpmyadmin, and when I start browsing huge
data ossec will block me and only after some time can I log in. Here is the
active response log as below.

Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106

I don't know what the trigger is exactly, but I know it is due to my
browsing of huge data; also, how to overcome this issue? In my older
version I saw this error too:
ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.

This is my worry on the new machine using 2.8.1: the app might get
blocked from accessing the data.

On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett wrote:

Are you running an agent or the manager? I don't
think OSSEC would block access to your mysql db.

On Mon, Nov 9, 2015 at 8:19 AM, frwa onto wrote:

Hi,
I have a CentOS server. I have managed to install ossec 2.8.1. It mainly
runs a socket programming app. For every instance of a connection it will
receive data and insert it into a mysql db. What I am worried about is in
what scenario it will block the access to this local mysql db, as I can see
there are some rules for mysql? Sorry, very new to these.

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-09 Thread Ryan Schulze
Sounds like you may want to look into fine tuning your active response 
and/or rules.


On 11/9/2015 10:11 PM, frwa onto wrote:

Hi Santiago,
I am just running as standalone, so it's not a manager or agent. I have 
another machine, for instance, where I am using the older ossec 2.7.1; in 
that one I have tried, say, my phpmyadmin, and when I start browsing huge 
data ossec will block me and only after some time can I log in. Here is the 
active response log as below.


Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106


I don't know what the trigger is exactly, but I know it is due to my 
browsing of huge data; also, how to overcome this issue? In my older 
version I saw this error too:
ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.


This is my worry on the new machine using 2.8.1: the app might get 
blocked from accessing the data.


On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett 
wrote:


Are you running an agent or the manager? I don't think OSSEC would
block access to your mysql db.

On Mon, Nov 9, 2015 at 8:19 AM, frwa onto wrote:

Hi,
I have a CentOS server. I have managed to install ossec 2.8.1. It
mainly runs a socket programming app. For every instance of a
connection it will receive data and insert it into a mysql db. What I
am worried about is in what scenario it will block the access to this
local mysql db, as I can see there are some rules for mysql? Sorry,
very new to these.
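frwa asks which rule fired the block, and the answer is already in the active-responses.log lines quoted in this thread and in the duplicate of it above: each line is `date script action user ip alert-id rule-id`, so the last field (31106 here) is the rule that triggered it. The parser below, an added example that is not code from the thread or from OSSEC, reads those lines, pairs each `add` with its `delete`, and reports the rule id and how long the block was in place. The sample log is constructed from the four lines frwa posted; the field layout is the one the execd log uses.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the active-responses.log lines quoted in the thread.
SAMPLE_LOG = """\
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106
"""

# `date` pads single-digit days with a space ("Nov  9"), hence " +" before the day.
LINE = re.compile(
    r"^(?P<wday>\w{3}) (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<tz>\S+) (?P<year>\d{4}) (?P<script>\S+) (?P<action>add|delete) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One active-responses.log line -> its fields, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # strptime's %Z does not accept arbitrary zones like MYT, so the zone token is skipped
    ts = datetime.strptime(f"{d['mon']} {d['day']} {d['time']} {d['year']}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "script": d["script"].rsplit("/", 1)[-1], "action": d["action"],
            "ip": d["ip"], "alert_id": d["alert_id"], "rule_id": int(d["rule_id"])}


def summarize_blocks(log_text: str) -> List[Dict[str, object]]:
    """Pair each 'add' with the matching 'delete' (same script, ip and alert id)
    and report which rule fired and how long the block stayed in place."""
    open_blocks: Dict[Tuple[str, str, str], Dict[str, object]] = {}
    results: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (str(ev["script"]), str(ev["ip"]), str(ev["alert_id"]))
        if ev["action"] == "add":
            open_blocks[key] = ev
        elif key in open_blocks:
            start = open_blocks.pop(key)
            held = (ev["ts"] - start["ts"]).total_seconds()
            results.append({"script": ev["script"], "ip": ev["ip"], "rule_id": ev["rule_id"],
                            "alert_id": ev["alert_id"], "seconds_blocked": int(held)})
    # an 'add' with no 'delete' yet is still in force (or the timeout has not run out)
    for start in open_blocks.values():
        results.append({"script": start["script"], "ip": start["ip"], "rule_id": start["rule_id"],
                        "alert_id": start["alert_id"], "seconds_blocked": None})
    return results


def rules_fired(log_text: str) -> List[int]:
    """Distinct rule ids that triggered any active response in the log."""
    return sorted({int(ev["rule_id"]) for ev in map(parse_line, log_text.splitlines()) if ev})


if __name__ == "__main__":
    for block in summarize_blocks(SAMPLE_LOG):
        print(block)
    print("rules:", rules_fired(SAMPLE_LOG))
```

With the rule id in hand, `grep 'id="31106"' /var/ossec/rules/*.xml` shows which rule (and which `<group>`) is behind the block, which is what you need before deciding whether to raise the active-response level, restrict it to a rule group, or white-list the application host. The 630 seconds here is the 600-second timeout plus execd's cleanup delay.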



Re: [ossec-list] Re: Ossec agent error

2015-11-04 Thread Ryan Schulze
Are you sure you added the agent right on the master; why is there a 
netmask in the IP field (it should be 172.20.21.39 not 172.20.21.39/24)?


On 11/4/2015 5:26 AM, Reinaldo Fernandes wrote:

And this is my agent failure connection:




Re: [ossec-list] Re: Syslog from Debian to Ossec

2015-10-20 Thread Ryan Schulze


I've never seen DDP logs. Do you have an example of the logs from DDP 
that you expect OSSEC to decode and generate alerts for? Or have you 
tried feeding the logs into /var/ossec/bin/ossec-logtest yourself and 
seeing if OSSEC can decode them?


I assume that if it is standard syslog format, you will only need to 
create some rules for stuff you want to trigger alerts. If you send it 
via netconsole you might need a decoder too to read the kernel log 
format (I don't remember if there is a decoder for kernel messages in 
the default setup or not, but writing one would be easy if it comes to 
that).


On 10/20/2015 5:02 AM, Tino Zidore wrote:
I have talked to the supporter for the DDP and they suggest netconsole 
to be able to get kernel logs even if the machine has crashed.


Does Ossec work with netconsole?

Here is the message from the supporter:
"What I suggested is to extend logging with the Linux 'netconsole' 
feature. Those are kernel messages sent out over UDP and also work 
during a kernel crash (till panic where all stops)."



Re: [ossec-list] Table agent empty

2015-10-01 Thread Ryan Schulze

agent-control -i  can show you that information.

On 10/1/2015 8:54 AM, Legolas Klaitxu wrote:
I'm going to work with the database of OSSEC and it appears that the 
agent table from OSSEC is empty.


Using agent-control -l I've been able to insert into the database the id 
of the different clients, the hostname and the IP address, but I want to 
know how to get the last_contact date and version of the agent.


Could anyone show me the way to follow?

regards


Re: [ossec-list] Active Response - Skip Email

2015-09-28 Thread Ryan Schulze


Hmm, I haven't had problems with that in my environment. I have active 
responses set up that fire regardless of whether a mail was triggered or not. 
The configuration for emails and active responses is in different 
blocks and doesn't necessarily rely on the level of an alert to trigger (I 
prefer using groups).
I don't know if the log_alert_level setting could affect active responses 
if set too high; I'd have to have a look at the source code to figure 
that out (or maybe someone else here knows it off hand).


On 9/25/2015 4:51 PM, BP9906 wrote:
Am I able to trigger an active response without having an email alert 
generated?


In previous versions, I noticed if I put the level too low (like 5) it 
won't trigger an active response because an email was not generated.


Is there a way to do this?

Thank you,
Brian
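Ryan's preference for tying active responses to rule groups rather than alert levels, which also answers the "will my app get blocked on heavy mysql queries" threads above, looks like this in ossec.conf. This is an added example, not configuration from the thread or from the OSSEC project. The `firewall-drop` command it references is the one defined in the default ossec.conf; the group name and the white-listed addresses are assumed (the 10.212.134.200 host is the application host from the earlier thread).

```xml
<!-- Never block these sources, whatever the rule: the loopback and the
     host the application itself connects from (constructed values). -->
<global>
  <white_list>127.0.0.1</white_list>
  <white_list>10.212.134.200</white_list>
</global>

<!-- Fire firewall-drop only for alerts whose rule belongs to this group,
     not for "anything at or above level N". The e-mail settings play no
     part in whether this block runs. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <!-- must match a name used in the <group> element of the rules you mean -->
  <rules_group>authentication_failures</rules_group>
  <timeout>600</timeout>
</active-response>
```

Compared with the level-based form (`<level>7</level>` instead of `<rules_group>`), this keeps a noisy web or SQL rule from ever triggering the firewall script unless you deliberately add its group, and `<white_list>` protects the hosts you can least afford to lose even if a rule misfires.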



Re: [ossec-list] Configure OSSEC for Real-time Alerts on File Modifications (not working)

2015-09-28 Thread Ryan Schulze


Last time I checked, the google mail servers require authentication.

This isn't supported by ossec. Use 127.0.0.1 as the mailserver for ossec 
and configure your local MTA (postfix, exim, sendmail, whatever) to send 
the incoming mails to the google mail servers (with auth).
Current MTA software is really good at what it does, and (aside from 
sendmail) not that hard to configure. Duplicating that work into ossec 
would be a waste of time in the long run.



On 9/28/2015 6:59 AM, Hak Bun wrote:

Dear OSSEC teams,

I am new to OSSEC.
I have configured it following this link:
http://ubtutorials.com/tutorial/1119/how-install-and-configure-ossec-security-notifications-ubuntu-1404

but it does not work, and the log shows:
os_maild(1223): ERROR: Error sending  email to 64.233.169.$


Thanks in advance for your reply.

Regards,
Bun Hak
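Both this thread and the earlier "sending email through existing smtp server" thread come down to the same `<global>` block: ossec-maild speaks plain SMTP with no authentication, so pointing it at a public mail server fails, and pointing it at the local MTA works. Added example, not configuration from either thread or from the OSSEC project; the addresses are constructed placeholders and the MX hostname is the one the earlier poster had in his config.

```xml
<!-- Weak: ossec-maild talks straight to a public Google MX. It cannot
     authenticate, so the server rejects the message
     ("WARN: End of DATA not accepted by server" / "Error sending email"). -->
<global>
  <email_notification>yes</email_notification>
  <email_to>you@example.com</email_to>
  <smtp_server>alt2.gmail-smtp-in.l.google.com</smtp_server>
  <email_from>ossec@example.com</email_from>
</global>

<!-- Corrected: hand the mail to the MTA on the same host and let it relay
     with TLS and credentials configured on its side. -->
<global>
  <email_notification>yes</email_notification>
  <email_to>you@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossec@example.com</email_from>
</global>
```

The relay itself is then a Postfix (or exim/sendmail) matter: in Postfix main.cf that is `relayhost`, `smtp_sasl_auth_enable`, `smtp_sasl_password_maps` and `smtp_tls_security_level`, and the MTA's own log is where to look when a message still does not arrive, as Ryan notes in the "Emails are not going" thread.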


Re: [ossec-list] testing server agent on vmware

2015-09-07 Thread Ryan Schulze
Have you checked /var/ossec/logs/alerts/alerts.log on the OSSEC server 
to see if there were any alerts that would have generated an email? And 
if yes, what were the logs from the MTA for those emails?


On 9/7/2015 6:35 AM, Ramiz Ilyas wrote:

Dear All,

I have installed a virtual network on VMware which has 3 machines.

One is the server, one is a Linux machine, one is Windows XP. My addressing is 10.1.1.10 
for the server and the clients are .20 and .21.


I have given the SMTP server as localhost in the config file, but /var/mail is not 
showing any emails.

There is no internet for this virtual network. I just want to generate email 
alerts for this 3-computer network.

Is it possible?

I installed an MTA on my server; I can use sendmail on the terminal and a temporary 
file is generated.






Re: [ossec-list] How to purge/remove/delete data older than a specific date from within the database

2015-08-25 Thread Ryan Schulze
On a large deployment I wouldn't recommend doing the delete on the 
'data' and 'alert' tables since that locks those tables during the 
operation (may take a while depending on the size of your tables). If 
this isn't an issue for you, then deleting is the easiest way to get rid 
of old data.


We just rotate the data and alert tables monthly. That allows you to 
clean up old data and eventually drop the old tables altogether when 
they are no longer needed, without impacting the access to the current 
alert and data tables.


An example SQL for rotating the table looks like this:
  create table data_new like data;
  rename table data to data_07, data_new to data;

Since the rename is atomic, no data gets lost. You can rotate them however 
often you like (e.g. weekly, bi-monthly, ...). The downside of 
course is that queries that require a time frame larger than 
that contained in one table get slightly more complicated (i.e. union 
selects), and you have additional work dealing with these tables (naming 
scheme, making sure they are eventually deleted, ...).


On 8/19/2015 11:04 AM, Jamey B wrote:

Hi,

Was there any update on this [old] thread? The URL below digs into 
MySQL cleaning, is this recommended for large deployments? I have 
numerous OSSEC servers running, I think this would benefit each one 
(performance wise).


https://jsosic.wordpress.com/2012/11/21/cleaning-ossec-mysql-database/


On Tuesday, February 22, 2011 at 5:15:44 AM UTC-5, Dimitris 
Chontzopoulos wrote:


Hey Dan,

It seems to me that data regarding events are stored/referenced in
multiple tables.

This stops me from just deleting data from a single table as it
could affect the rest of the data inside the other tables and end up
with an out-of-sync database.

Unless I'm horribly mistaken that is.

Can any of you guys comment on "how" data should be removed from
the Database? Is what Dan suggests sufficient or should we come up
with a 'join' and/or 'view' and delete data from there and not
directly from a single table?

Dimitris


-Original Message-
From: ossec...@googlegroups.com 
[mailto:ossec...@googlegroups.com ] On Behalf Of dan
(ddp)
Sent: Tuesday, February 22, 2011 03:52
To: ossec...@googlegroups.com 
Subject: Re: [ossec-list] How to purge/remove/delete data older
than a specific date from within the database

I think everything in the database is timestamped. You should be able
to make a query to delete everything previous to a certain date.

On Mon, Feb 21, 2011 at 7:01 AM, Dimitris Chontzopoulos
> wrote:
> Hello everyone,
>
> We're trying to remove data from within the OSSEC Database that
are older than a specific date, but we can't find a tool that
would
> remove that data easily without harming the rest of the database.
>
> Is there a query of some sort we could run, so as to gather the
data we're interested in and remove them afterwards?
>
> This might be a stupid question but I'm no MySQL Administrator
or 'that' experienced at all.
>
>
>
>
> Kind regards,
>
>
>
> Dimitris
>
>
>



Re: [ossec-list] Re: Email alerts below certain level

2015-08-11 Thread Ryan Schulze

On 8/11/2015 6:17 AM, C0rn123 wrote:



On Tuesday, 11 August 2015 12:47:25 UTC+2, C0rn123 wrote:

Hello,

I want to turn off ANY emails below a certain alert level.
Unfortunately the alert_by_email option in a lot of rules
overwrites the minimum alert level set in the ossec.conf. The
documentation of OSSEC says you can either overwrite every rule
with the no_email_option or write your own rule to not receive
emails of those levels anymore. However it's nowhere in the
documentation (as far as I have seen) stated how to do this and I
couldn't find it anywhere else. Hope you can help me.

greets,
corn


For clarification - I don't want to overwrite every rule that has the 
alert_by_email option, but write a rule to not receive emails of those 
levels.


Since OSSEC always sends the mails to the recipient in the "global" 
config, I'd suggest just entering an email address there that is 
nullrouted/blackholed by the MTA. Then you can add a granular email 
config for alerts above a certain level that goes to you (or any other 
criteria you want).


The result is that OSSEC sends the alerts you don't want to the email 
address that discards them; and alerts you want to both email addresses. 
Probably not the most elegant or nicest looking solution (since your MTA 
still has to process incoming mails that no one will read since it will 
blackhole them), but it does what you want. If you are grouping mails 
together (either because you activated it, or because you hit the max 
emails per hour limit) you will still get alerts you don't want, so you 
may want to bump up the max-per-hour too while you are at it.


Config would look somewhat similar to this:

  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_to>dev-null@localhost</email_to>
    <email_from>os...@domain.tld</email_from>
    <email_maxperhour>9000</email_maxperhour>
  </global>

  <email_alerts>
    <email_to>real.u...@domain.tld</email_to>
    <level>7</level>
  </email_alerts>



Re: [ossec-list] email_idsname does not work (ossec-hids-server-2.8.1-48)

2015-08-05 Thread Ryan Schulze
I just tried the package on a CentOS server and it worked as expected 
(ossec-hids-2.8.1-48.el6.art.x86_64.rpm and 
ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm)


My global config looked something like this:
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost.</smtp_server>
    <email_to>my@email.address</email_to>
    <email_from>va...@fqdn.foo</email_from>
    <email_idsname>Devserver</email_idsname>
  </global>

And the following header was added to the EMail:
X-IDS-OSSEC: Devserver

Just to be sure we are on the same page, this changes the headers in the 
emails, not the subject.



On 8/5/2015 1:33 PM, H Le wrote:

Thanks, Ryan. Please let me know your finding.

On Tuesday, August 4, 2015 at 9:54:30 PM UTC-6, Ryan Schulze wrote:

Yes, that should have picked up the change. Tomorrow I can try to
set up a CentOS test environment to have a look at the .rpm. I
don't have any OSSEC servers running on CentOS so I have no
experience with what is in the rpm package and if it was compiled
with any special settings.

On 8/4/2015 5:17 PM, H Le wrote:

Hi Ryan,

Thanks for the reply.  The 'X-IDS-OSSEC' did not at all show up.

After I added the tags to the ossec.conf file, I ran
'/var/ossec/bin/ossec-control restart'  That should pick up the
change, right?

/var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

On Tuesday, August 4, 2015 at 3:15:22 PM UTC-6, Ryan Schulze wrote:

I remember submitting that pull request for 2.8.0, so it
should be in your 2.8.1 version (I didn't add any compile
time options to deactivate it).
Did you make sure that ossec-maild died when you restarted
the ossec daemons (it may be an old process still delivering
your mail that didn't pick up the change to ossec.conf)?

Is the "X-IDS-OSSEC:" not showing up at all in your email
headers, or is it there but just without any/empty value?


On 8/4/2015 12:43 PM, H Le wrote:

Hi,

I am using ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm to
install an OSSEC server.  In the ossec.conf file, I included
<email_idsname>Development</email_idsname> in order to add
some text to the email header.  But this configuration
change did not produce any change in the email header.  Just
wondering if this RPM already includes support for
email_idsname or if I miss any extra config.

Thanks,
-Hung Le


Re: [ossec-list] email_idsname does not work (ossec-hids-server-2.8.1-48)

2015-08-04 Thread Ryan Schulze
Yes, that should have picked up the change. Tomorrow I can try to set up 
a CentOS test environment to have a look at the .rpm. I don't have any 
OSSEC servers running on CentOS so I have no experience with what is in 
the rpm package and if it was compiled with any special settings.


On 8/4/2015 5:17 PM, H Le wrote:

Hi Ryan,

Thanks for the reply.  The 'X-IDS-OSSEC' did not at all show up.

After I added the tags to the ossec.conf file, I ran 
'/var/ossec/bin/ossec-control restart'  That should pick up the 
change, right?


/var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

On Tuesday, August 4, 2015 at 3:15:22 PM UTC-6, Ryan Schulze wrote:

I remember submitting that pull request for 2.8.0, so it should be
in your 2.8.1 version (I didn't add any compile time options to
deactivate it).
Did you make sure that ossec-maild died when you restarted the
ossec daemons (it may be an old process still delivering your mail
that didn't pick up the change to ossec.conf)?

Is the "X-IDS-OSSEC:" not showing up at all in your email headers,
or is it there but just without any/empty value?


On 8/4/2015 12:43 PM, H Le wrote:

Hi,

I am using ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm to
install an OSSEC server.  In the ossec.conf file, I included
<email_idsname>Development</email_idsname> in order to add some
text to the email header.  But this configuration change did not
produce any change in the email header.  Just wondering if this
RPM already includes support for email_idsname or if I miss any
extra config.

Thanks,
-Hung Le


Re: [ossec-list] email_idsname does not work (ossec-hids-server-2.8.1-48)

2015-08-04 Thread Ryan Schulze
I remember submitting that pull request for 2.8.0, so it should be in 
your 2.8.1 version (I didn't add any compile time options to deactivate it).
Did you make sure that ossec-maild died when you restarted the ossec 
daemons (it may be an old process still delivering your mail that didn't 
pick up the change to ossec.conf)?


Is the "X-IDS-OSSEC:" not showing up at all in your email headers, or is 
it there but just without any/empty value?



On 8/4/2015 12:43 PM, H Le wrote:

Hi,

I am using ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm to install an 
OSSEC server.  In the ossec.conf file, I included 
<email_idsname>Development</email_idsname> in order to add some text 
to the email header.  But this configuration change did not produce 
any change in the email header.  Just wondering if this RPM already 
includes support for email_idsname or if I miss any extra config.


Thanks,
-Hung Le


Re: [ossec-list] Ubuntu

2015-07-27 Thread Ryan Schulze
I had a look at the Makeall file, and if the header (dev) files for 
magic are found, it is compiled with libmagic, if they aren't found it 
isn't. So by default it does try to compile with libmagic, but if it 
can't find the required files to do so, it falls back to not using libmagic.


On 7/27/2015 4:47 AM, theresa mic-snare wrote:

Hi James,

I'm now really interested in this...

Would you mind sharing the RHEL binaries with me? I would love to try 
the OSSEC enabled libmagic version on my CentOS test server.


Out of curiosity: is there any disadvantage that comes with libmagic? 
Why is it not enabled by default?


On Wednesday, 22 July 2015 17:00:02 UTC+2, James Edwards wrote:

I think this is a compiler issue... I checked my RHEL compilation
and it used gcc-4.4.7, so I downgraded from gcc-4.8 on Ubuntu to
gcc-4.4 and am able to get this to successfully compile with libmagic.

On another note, it is worth noting that I was able to
successfully compile OSSEC from git using gcc-4.8 with libmagic
support.

Thanks,
James

On Wednesday, July 22, 2015 at 7:43:21 AM UTC-4, dan (ddpbsd) wrote:


On Jul 20, 2015 3:27 PM, "James Edwards" wrote:
>
> Hi All,
>
> I'm trying to compile OSSEC on Ubuntu 14.04 with libmagic
support and I keep running into the following error when
compiling syscheck (same error running Makeall as well):
>
> [root@hostname]/tmp/ossec-hids-2.8.2/src/syscheckd# make
> cc -g -Wall -I../ -I../headers -DUSEINOTIFY -DUSE_MAGIC 
-DARGV0=\"ossec-syscheckd\" -DOSSECHIDS -lmagic  syscheck.c

config.c seechanges.c run_realtime.c create_db.c run_check.c
../config/lib_config.a ../rootcheck/rootcheck_lib.a
../shared/lib_shared.a ../os_xml/os_xml.a
../os_regex/os_regex.a ../os_net/os_net.a
../os_crypto/os_crypto.a -o ossec-syscheckd
> /tmp/cc9nExX5.o: In function `init_magic':
> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:43: undefined
reference to `magic_open'

Which file provides magic_open?

> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:47: undefined
reference to `magic_error'
> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:50: undefined
reference to `magic_load'
> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:52: undefined
reference to `magic_error'
> /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:54: undefined
reference to `magic_close'
> /tmp/ccLsn7RT.o: In function `is_text':
> /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:24:
undefined reference to `magic_buffer'
> /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:28:
undefined reference to `magic_error'
> collect2: error: ld returned 1 exit status
> make: *** [syscheck] Error 1
>
> libmagic-dev 5.14-2ubuntu3.3 is installed and I see the
following magic.h header files:
>
> /usr/include/linux/magic.h
> /usr/include/magic.h
>
> Any advice on how to resolve this?
>
> Thanks,
> James
>


Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-25 Thread Ryan Schulze
In a nutshell: in order to use the list you would have to tell OSSEC to 
use the list, then create one or more rules that use that list, then 
tell OSSEC which active response to use when one of those rules gets 
triggered.


The following example uses the list to firewall IPs on the blacklist if 
they trigger too many 404 errors on a webserver:


Tell OSSEC to use ip_blacklist by adding the list to the <rules> block 
(where all the includes are for the xml rule files)

/var/ossec/etc/ossec.conf
  <rules>
    <!-- the existing <include> lines for the xml rule files stay here -->
    <list>lists/ip_blacklist</list>
  </rules>

Then copy the file to /var/ossec/lists/ip_blacklist and execute 
/var/ossec/bin/ossec-makelists (generates a .cdb version of the list).
Then create a rule in local_rules.xml that uses the list; 
http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html 
has more details on how to use CDBs in rules.

/var/ossec/rules/local_rules.xml
  <rule id="RULE_ID" level="RULE_LEVEL">
    <if_sid>31151</if_sid>
    <list field="srcip" lookup="address_match_key">lists/ip_blacklist</list>
    <description>Multiple web server 400 error codes from a malicious IP</description>
    <group>ar_malicious_ip,</group>
  </rule>

Now we will tell OSSEC what to do when the rule triggers. I like to use 
groups to trigger active responses instead of alert levels, to have more 
control over what happens when (that is why we added the 
"ar_malicious_ip" group to the rule in the previous step; it also allows 
us to easily create multiple rules that trigger a specific active 
response). 
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html 
has more information on options for active response. If I remember 
correctly the "firewall-drop" command is in the default config and you 
won't have to add it.

/var/ossec/etc/ossec.conf
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>ar_malicious_ip</rules_group>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

That's all. OSSEC loads the lists, the rules use the list, and if one of the 
rules using a list gets triggered it kicks off an active response that 
executes a command.


On 7/25/2015 1:06 PM, theresa mic-snare wrote:

Great, thanks for the bash script, Ryan.
but what else to do after downloading the IP blocklist? how could I 
feed ossec with it?

maybe through an active-response?

On Saturday, 25 July 2015 04:56:07 UTC+2, Ryan Schulze wrote:

I played around with IP reputation and CDB a while back, but never
pushed it to my live servers. I found the following bash snippet
on my test server, it may be of use for someone (although the
alienvault list is pretty long and contains different levels of
"evil" may be worth parsing and splitting up).

#!/bin/bash
{
  curl "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |\
  egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'

  curl "https://reputation.alienvault.com/reputation.generic" |\
  egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'

} > ip_blacklist


On 7/24/2015 7:46 PM, Santiago Bassett wrote:

Hi Theresa,

my guess is that you are probably victim of web crawlers more
than anything else. In any case it would be interesting to search
those source IPs info in IP reputation databases to see if those
are well known attackers.

Has anyone in this list use an IP reputation database in a CDB
list? I would probably try something like that and see how it goes.

Best



On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare
> wrote:

Hi folks,

I need some help with interpreting webserver logfiles (apache
logs).
While setting up my ossec-test environment for my thesis
project, I've also set up a wordpress on an apache webserver
as a "honeypot". Although there's no real content, except the
standard wordpress posts & pages that come with the
installation, I already have some "visitors". I see these
dubious looking requests. I'm not sure if these are
threats/attacks against my wordpress installation.
I'm not really familiar with apache logs, but I need some
threats/attacks to explain in my thesis. I thought this would
be the best way to get started.

I have PLENTY of the following requests in my httpd logs

Src IP: 115.239.228.8
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"

Judging by the HTTP status code it's not really a threat,
right? it's probal

Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-24 Thread Ryan Schulze
I played around with IP reputation and CDB a while back, but never 
pushed it to my live servers. I found the following bash snippet on my 
test server, it may be of use for someone (although the alienvault list 
is pretty long and contains different levels of "evil" may be worth 
parsing and splitting up).


#!/bin/bash
{
  curl "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |\
  egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'

  curl "https://reputation.alienvault.com/reputation.generic" |\
  egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'

} > ip_blacklist


On 7/24/2015 7:46 PM, Santiago Bassett wrote:

Hi Theresa,

my guess is that you are probably victim of web crawlers more than 
anything else. In any case it would be interesting to search those 
source IPs info in IP reputation databases to see if those are well 
known attackers.


Has anyone in this list use an IP reputation database in a CDB list? I 
would probably try something like that and see how it goes.


Best



On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare wrote:


Hi folks,

I need some help with interpreting webserver logfiles (apache logs).
While setting up my ossec-test environment for my thesis project,
I've also set up a wordpress on an apache webserver as a
"honeypot". Although there's no real content, except the standard
wordpress posts & pages that come with the installation, I
already have some "visitors". I see these dubious looking
requests. I'm not sure if these are threats/attacks against my
wordpress installation.
I'm not really familiar with apache logs, but I need some
threats/attacks to explain in my thesis. I thought this would be
the best way to get started.

I have PLENTY of the following requests in my httpd logs

Src IP: 115.239.228.8
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"

Judging by the HTTP status code it's not really a threat, right?
It's probably just some hacker with a tool who's looking for
vulnerabilities? Or is this just nonsense/junk?

Received From: tron->/var/log/httpd/access_log
Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for setup.php)."
Portion of the log(s):

178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"

also this

Received From: tron->/var/log/httpd/access_log
Rule: 31101 fired (level 5) -> "Web server 400 error code."
Portion of the log(s):

202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"

I'm surprised they found out about it. Glad I protected it with
htaccess and they didn't come in. ;)

and lots of other requests that return HTTP 403 (forbidden) or 404
(not found)

I'm not quite sure what to make of it.
I didn't realise my server was so exposed. Did they just find
the IP by scanning for http ports?!

looking to some feedback,
theresa
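Putting the two messages together (the CDB list, rule and active-response setup in the 2015-07-25 reply, and the bash feed-download snippet above), the following is an added example rather than code from the thread or from the OSSEC project. It builds the ip_blacklist file in the key:value form OSSEC's CDB lists use and installs it under the OSSEC directory. The curl downloads are replaced by constructed sample feed lines (RFC 5737 documentation addresses, with deliberately bad lines) so it runs offline; OSSEC_DIR, valid_ipv4_lines, build_blacklist and install_blacklist are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the OSSEC project.
# Builds an OSSEC CDB key:value list from threat-feed text and installs it
# under OSSEC_DIR (default /var/ossec; point it at a scratch dir to dry-run).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Constructed samples standing in for the curl downloads in the original
# snippet: ZeuS Tracker lines are bare IPs, AlienVault lines look like
# "IP # category,country,...". The addresses are RFC 5737 documentation
# ranges, not real indicators; the bad lines are there to exercise the filter.
ZEUS_SAMPLE='# ZeuS IP blocklist (constructed sample)
192.0.2.10
192.0.2.11
not-an-ip
192.0.2.10'

ALIENVAULT_SAMPLE='# AlienVault reputation (constructed sample)
198.51.100.5 # Scanning Host,US,Somewhere,1.0,2.0
198.51.100.6 # Malicious Host,DE,Elsewhere,3.0,4.0
203.0.113.7 # Malicious Host,FR,Nowhere,5.0,6.0
999.1.1.1 # Malicious Host,XX,Bogus,0,0'

# Pass through only lines that start with a dotted quad whose octets are all
# <= 255; the original's egrep "^[0-9]" alone would accept 999.1.1.1.
valid_ipv4_lines() {
    awk -F'[ .]' '($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                   $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ /) &&
                  $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Emit "ip:label" entries. Keeping the feed category as the label lets a
# rule with lookup="address_match_key_value" act on one category only.
build_blacklist() {
    {
        printf '%s\n' "$ZEUS_SAMPLE" | valid_ipv4_lines |
            awk '{print $1 ":ZeuS IP blocklist"}'
        printf '%s\n' "$ALIENVAULT_SAMPLE" | valid_ipv4_lines |
            cut -d, -f1 | sed 's/ # /:/'
    } | awk -F: '!seen[$1]++'   # first entry for an IP wins; CDB keys are unique
}

# Write the list where a <list>lists/ip_blacklist</list> entry in the
# <rules> block of ossec.conf expects it, then compile it to a .cdb with
# ossec-makelists when that tool is present. Prints the number of entries.
install_blacklist() {
    list_file="$OSSEC_DIR/lists/ip_blacklist"
    mkdir -p "$OSSEC_DIR/lists"
    build_blacklist > "$list_file"
    if [ -x "$OSSEC_DIR/bin/ossec-makelists" ]; then
        "$OSSEC_DIR/bin/ossec-makelists"
    else
        echo "ossec-makelists not found under $OSSEC_DIR; .cdb not built" >&2
    fi
    wc -l < "$list_file" | tr -d ' '
}

# Usage: OSSEC_DIR=/tmp/ossec-test sh build_blacklist.sh --install
if [ "${1:-}" = "--install" ]; then
    install_blacklist
fi
```

After a real run, restart OSSEC (the ossec-control restart shown elsewhere on this page) so ossec-analysisd loads the new .cdb. Because each entry keeps the feed's category after the colon, a rule can use lookup="address_match_key_value" with a check_value regex to act only on entries labelled, say, Malicious Host, which is one way to handle the "different levels of evil" remark in the original snippet.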


Re: [ossec-list] Re: Ubuntu

2015-07-21 Thread Ryan Schulze

I can verify the problem with Ubuntu 14.04.

According to the syscheck docs libmagic is optionally used with 
report_changes (if found on the system). I haven't checked the source 
code yet to see what exactly the ramifications are, but according to the 
docs:


http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/
"Report Changes"
If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, 
iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful 
on which directory you enable report_changes.


On 7/21/2015 12:22 AM, theresa mic-snare wrote:

Hi James,

I'm not the expert here, but I just had a quick look in the docs... 
I'm not sure if this is possible or even supported.

I couldn't find any reference to libmagic

Have you checked?
http://ossec-docs.readthedocs.org/en/latest/development/build/makefile.html

Out of curiosity, what would OSSEC be capable of doing with libmagic 
support other than recognizing file formats (which it usually does)?!


best,
theresa

On Monday, 20 July 2015 21:27:30 UTC+2, James Edwards wrote:

Hi All,

I'm trying to compile OSSEC on Ubuntu 14.04 with libmagic support
and I keep running into the following error when compiling
syscheck (same error running Makeall as well):

[root@hostname]/tmp/ossec-hids-2.8.2/src/syscheckd# make
cc -g -Wall -I../ -I../headers -DUSEINOTIFY -DUSE_MAGIC 
-DARGV0=\"ossec-syscheckd\" -DOSSECHIDS -lmagic  syscheck.c

config.c seechanges.c run_realtime.c create_db.c run_check.c
../config/lib_config.a ../rootcheck/rootcheck_lib.a
../shared/lib_shared.a ../os_xml/os_xml.a ../os_regex/os_regex.a
../os_net/os_net.a ../os_crypto/os_crypto.a -o ossec-syscheckd
/tmp/cc9nExX5.o: In function `init_magic':
/tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:43: undefined
reference to `magic_open'
/tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:47: undefined
reference to `magic_error'
/tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:50: undefined
reference to `magic_load'
/tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:52: undefined
reference to `magic_error'
/tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:54: undefined
reference to `magic_close'
/tmp/ccLsn7RT.o: In function `is_text':
/tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:24: undefined
reference to `magic_buffer'
/tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:28: undefined
reference to `magic_error'
collect2: error: ld returned 1 exit status
make: *** [syscheck] Error 1

libmagic-dev 5.14-2ubuntu3.3 is installed and I see the following
magic.h header files:

/usr/include/linux/magic.h
/usr/include/magic.h

Any advice on how to resolve this?

Thanks,
James



Re: [ossec-list] ERror connecting database

2015-07-17 Thread Ryan Schulze
Yes, that is what I pointed out in my last email, according to your 
netstat your mysql is only listening to 127.0.0.1:3306, but you are 
trying to connect to 172.16.15.154:3306.
OSSEC can't connect to mysql if you point it to an IP:PORT combination 
where there is no daemon listening.



On 7/17/2015 1:03 AM, Legolas Klaitxu wrote:

One question about the database configuration.

I have my ossec server and its database on the same server, but I've 
configured the database IP with the eth0 IP address. Could that be the 
problem, and do I have to assign 127.0.0.1?


regards

On Thursday, 16 July 2015, 19:18:14 (UTC+2), dan (ddpbsd) wrote:


On Jul 16, 2015 11:14 AM, "Legolas Klaitxu" wrote:
>
> I've activated the log in mysql and kept the IP address, not the
localhost
>
> As you can see the events are inserting ok into the database
>
> 65 Query INSERT INTO data(id, server_id, user, full_log)
VALUES ('69', '1', 'Tareas_C', '2015 Jul 16 17:03:18 WinEvtLog:
Security: AUDIT_SUCCESS(4634):
Microsoft-Windows-Security-Auditing: TAreasC: IND: miservidor: An
account was logged off. Subject:  Security ID:  S-1-5-21-  Account
Name:  Tareas_  Account Domain: IND  Logon ID:  0x11f65bed4  Logon
Type:   3  This event is generated when a logon session is
destroyed. It may be positively correlated with a logon event
using the Logon ID value. Logon IDs are only unique between
reboots on the same computer."  4646,1')
> 65 Query INSERT INTO

alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid)
VALUES ('69', '1', '18149','1437058097', '6', '0', '0', '0', '0',
'1437058092.4614772')
>65 Query INSERT INTO data(id, server_id,
user, full_log) VALUES ('70', '1', 'TAreasC', '2015 Jul 16
17:03:20 WinEvtLog: Security: AUDIT_SUCCESS(4634):
Microsoft-Windows-Security-Auditing: Tareas_PROD.SVC: IND:
BAE-I-WEB1D.ind.aronde.es <http://BAE-I-WEB1D.ind.aronde.es>: An
account was logged off. Subject:  Security ID:
S-1-5-21-635382758-268241423-2897451402-2711  Account Name:
Tareas_PROD.SVC  Account Domain:  IND  Logon ID: 0x11f65c049 
Logon Type:   3  This event is generated when a logon session is

destroyed. It may be positively correlated with a logon event
using the Logon ID value. Logon IDs are only unique between
reboots on the same computer."  4646,1')
>65 Query INSERT INTO

alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid)
VALUES ('70', '1', '18149','1437058097', '6', '0', '0', '0', '0',
'1437058096.4615492')
>

So no errors?

> In Ossec server the problem persists
>
> 2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to
database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL
server on '172.16.15.154' (111).
> 2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to
    database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL
server on '172.16.15.154' (111).
>

From what I see, 111 means the connection is refused. MySQL has a
troubleshooting page for this error code; perhaps that has the
solution?

> I think sometimes it works properly but at other moments it doesn't :(
>
>
>
> On Thursday, July 16, 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
>>
>>
>> You redacted the IP address in the ossec logs, so I'm assuming
it is something other than 127.0.0.1?
>> Because your netstat shows that mysql is only bound to 127.0.0.1.
>>
>>
>> On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
>>>
>>> Good Morning,
>>>
>>> I've started to work with ossec and, reviewing the log, I
>>> identified this error
>>>
>>> 2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck
database (pre-scan).
>>> 2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting
to database   (ossec): ERROR: Can't connect to MySQL
server on  (111).
>>> 2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting
to database  (ossec): ERROR: Can't connect to MySQL
server on  (111).
>>> 2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting
to database  (ossec): ERROR: Can't connect to MySQL
server on  (111).
>>

Re: [ossec-list] Error connecting database

2015-07-16 Thread Ryan Schulze


You redacted the IP address in the ossec logs, so I'm assuming it is 
something other than 127.0.0.1?

Because your netstat shows that mysql is only bound to 127.0.0.1.


On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:

Good Morning,

I've started to work with ossec and, reviewing the log, I identified this 
error


2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).
2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting to 
database   (ossec): ERROR: Can't connect to MySQL server 
on  (111).
2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting to 
database  (ossec): ERROR: Can't connect to MySQL server on 
 (111).
2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting to 
database  (ossec): ERROR: Can't connect to MySQL server on 
 (111).
2015/07/16 10:35:30 ossec-dbd(5202): ERROR: Error connecting to 
database   (ossec): ERROR: Can't connect to MySQL server 
on   (111).
2015/07/16 10:36:21 ossec-dbd(5202): ERROR: Error connecting to 
database  (ossec): ERROR: Can't connect to MySQL server on 
  (111).
2015/07/16 10:38:31 ossec-dbd(5202): ERROR: Error connecting to 
database  (ossec): ERROR: Can't connect to MySQL server on 
 (111).
2015/07/16 10:38:48 ossec-syscheckd: INFO: Finished creating syscheck 
database (pre-scan completed).
2015/07/16 10:39:00 ossec-syscheckd: INFO: Ending syscheck scan 
(forwarding database).
2015/07/16 10:39:13 ossec-dbd(5202): ERROR: Error connecting to 
database  (ossec): ERROR: Can't connect to MySQL server on 
  (111).

2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/16 10:39:30 ossec-dbd(5202): ERROR: Error connecting to 
database  (ossec): ERROR: Can't connect to MySQL server 
on (111).


/var/ossec/logs/alerts # netstat -atp | grep LISTEN
tcp        0      0 localhost:mysql         *:*             LISTEN      3324/mysqld


Mysql is UP, I've updated /var/ossec/etc/internal_options.conf 
setting dbd.reconnect_attempts to 30 but the error persists.


any help?

regards



Re: [ossec-list] Level 10 messages for whitelisted IP's

2015-06-11 Thread Ryan Schulze
You are right, srcip can't be comma separated, but you can use a cdb 
list; the full details about cdb lists are here:

http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html

Your rule would look something like this:


<rule id="100001" level="0">  <!-- id and level were lost in the archive; placeholders -->
  <if_sid>5703,31161</if_sid>
  <list field="srcip">lists/name_of_list</list>
  <description>Ignore this</description>
</rule>

And you would have to add the list to the <rules> block of your server config

<rules>
  <list>lists/name_of_list</list>
  ...
</rules>
On 6/11/2015 1:34 AM, H.Merijn Brand wrote:

Thank you. Now installed with the desired IP's
From those docs, I concluded that one would need a rule per IP. srcip 
cannot be a comma-separated list, right?


On Wednesday, June 10, 2015 21:44:44 UTC+2, Binet, Valere 
(NIH/NIA/IRP) [C] wrote:


Your personal rules go in /var/ossec/rules/local_rules.xml

Example :
  
<rule id="100001" level="0">  <!-- id and level were lost in the archive; placeholders -->
  <if_sid>5703,31161</if_sid>
  <srcip>1.2.3.4</srcip>
  <description>Ignore this</description>
</rule>



Re: [ossec-list] Specific rules for specific agents

2015-03-30 Thread Ryan Schulze


Last time I checked the hostname format is "(agent name) agent 
IP->logfile" and is not determined by the decoded logs in the file.


That means although you can use hostname to match specific log files 
(e.g. "/var/log/apache2/foobar.access.log") you 
don't have to and can also use it to match the agent name or agent IP 
part of the entry (e.g. "backend4").


If you are using hostname to filter apache logs based on the vhost, then I 
assume it is because your logs are vhost specific (something like 
www.something.tld.access.log).



On 3/30/2015 12:48 PM, pverr...@cruiseplanners.com wrote:
Thanks for the reply.  From what I can tell hostname is determined by 
the actual contents of the log entry.  For instance, if I'm looking at 
an Apache log, then hostname comes across as the virtual host that the 
request was made on and not the name of the agent.


On Monday, March 30, 2015 at 10:43:18 AM UTC-4, dan (ddpbsd) wrote:

On Mon, Mar 30, 2015 at 10:37 AM, ... wrote:
> Hi all, I'm relatively new to Ossec and I believe I understand
process of
> writing custom rules.  One of the issues I'm running into is
wanting to
> write custom rules but only for specific agents.  I currently
have one Ossec
> server with roughly twenty or so agents.  Some of these agents
are kicking
> off alerts that I want to ignore but only on those agents
specifically, I do
> not want to ignore them on all agents.  I've seen posts that
talk about
> using srcip or hostname but these seem to pull the information
from the
> host's logs and not from the agent itself.  This seems like it
would be a
> fundamental requirement of using the centralized system,
however, I can't
> find the answer anywhere.  Please help me figure this out.  Thanks.
>

Did you try using hostname? I haven't looked into this in a while,
but
that is the answer that comes to mind.

> - Patrick
>

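An added example, not from the thread or from OSSEC's source: it parses the "(agent name) agent IP->logfile" location and applies hostname-style patterns to it, so a rule can be pinned to one agent, one IP, or one log file. The sample locations, rule ids and patterns are constructed, the server-local "hostname->logfile" form is an assumption, and Python regexes stand in for OSSEC's own pattern syntax.

```python
import re

# OSSEC tags each event with where it came from: "(agent name) agent IP->logfile"
# for agents; the server's own logs are assumed here to appear as
# "hostname->logfile".  All locations, rule ids and patterns below are
# constructed for the example.
LOCATION_RE = re.compile(
    r"^(?:\((?P<agent>[^)]*)\) (?P<ip>[^>]+?)|(?P<host>[^>]+?))->(?P<logfile>.+)$"
)

LOCATIONS = [
    "(backend4) 10.0.0.4->/var/log/apache2/foobar.access.log",
    "(backend4) 10.0.0.4->/var/log/auth.log",
    "(frontend1) 10.0.0.1->/var/log/apache2/foobar.access.log",
    "ossec-server->/var/log/messages",
]

# (rule id, hostname pattern).  Python regexes stand in for the pattern
# syntax OSSEC applies to a rule's <hostname> element.
RULES = [
    (100010, r"^\(backend4\)"),              # everything this one agent sends
    (100011, r"foobar\.access\.log$"),       # that vhost's log from any agent
    (100012, r"^\([^)]*\) 10\.0\.0\.1->"),   # the agent at that IP
]


def parse_location(location):
    """Split a location into agent/ip/logfile (agents) or host/logfile (server)."""
    m = LOCATION_RE.match(location)
    if not m:
        raise ValueError(f"unrecognised location: {location!r}")
    return {k: v for k, v in m.groupdict().items() if v is not None}


def hostname_matches(location, pattern):
    """The hostname test runs against the whole location string, so it can
    pin an agent name, an agent IP, or one log file, not just a vhost."""
    return re.search(pattern, location) is not None


def select_rules_for(location, rules=RULES):
    """Ids of the rules whose hostname pattern applies to this event source."""
    return [rid for rid, pat in rules if hostname_matches(location, pat)]


if __name__ == "__main__":
    for loc in LOCATIONS:
        print(parse_location(loc), "->", select_rules_for(loc))
```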


Re: [ossec-list] import key on agent non interactive

2015-01-28 Thread Ryan Schulze
If you have the data for the agents client.keys you can just write it 
directly to the file

echo 'key data' > /var/ossec/etc/client.keys

It will be the same line as on the master. Works fine here (we use 
ansible for deployment and the client.keys is built on each host from a 
template)


On 1/28/2015 7:57 AM, Michael Jerger wrote:


Hi,

I currently try to write an automated ossec agent deployment and am 
struggling with setting the agent's key. I try on the agent system:


/var/ossec/bin/manage_agents -i somekey

but get something like:

<== Agent information:

<== ID:14

<== Name:xxx..

<== IP Address:xxx.xxx.xxx.xxx

<== Confirm adding it?(y/n):

interactive input is difficult for my config management. So my question is:

Is there a way to set the agent key non-interactively?

Best regards,

Michael
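An added example (not from the thread or from an OSSEC tool) of writing that line the way a config-management step should: validate the "id name ip key" format first, then create the file with mode 0640 so the key is never world-readable, and rename it into place atomically. The 64-hex-character key length is an assumption about 2.x keys, and the sample entry is constructed.

```python
import os
import re
import stat
import tempfile

# One client.keys entry: "<id> <name> <ip-or-any> <hex key>", the same line the
# master holds.  A 64-hex-character key is an assumption about 2.x keys.
KEY_LINE_RE = re.compile(
    r"^(?P<id>\d{3,}) (?P<name>\S+) "
    r"(?P<ip>any|\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?) (?P<key>[0-9a-f]{64})$"
)

# Constructed sample; the real key comes from the master's client.keys.
SAMPLE_LINE = "014 web-agent-01 10.20.30.40 " + "0123456789abcdef" * 4


def parse_client_key(line):
    """Return the entry's fields or raise ValueError on a malformed line."""
    m = KEY_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("malformed client.keys line")
    return m.groupdict()


def is_valid_client_key(line):
    try:
        parse_client_key(line)
        return True
    except ValueError:
        return False


def write_client_keys(path, line, uid=None, gid=None):
    """Atomically replace client.keys with one validated entry, mode 0640."""
    entry = parse_client_key(line)      # never write something the agent can't load
    tmp = path + ".tmp"
    # create with a restrictive mode up front: no window with a world-readable key
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write("{id} {name} {ip} {key}\n".format(**entry))
    os.chmod(tmp, 0o640)                 # restore bits a strict umask may have dropped
    if uid is not None and gid is not None:
        os.chown(tmp, uid, gid)          # e.g. root:ossec on a stock install
    os.replace(tmp, path)                # rename is atomic; no half-written file is ever read
    return entry


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write():
    """Write the sample entry into a scratch directory and report what landed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "client.keys")
        entry = write_client_keys(path, SAMPLE_LINE)
        with open(path) as fh:
            content = fh.read()
        return entry, file_mode(path), content


if __name__ == "__main__":
    print(demo_write())
```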



Re: [ossec-list] Re: Test script for ossec ids on apache logs?

2014-12-28 Thread Ryan Schulze

On 12/24/2014 2:54 PM, dan (ddp) wrote:



On Dec 24, 2014 3:48 PM, "Glenn Ford" wrote:

>
> You are saying it's NOT working? Umm, so how do I proceed to figure 
> out what's wrong?

>

Remove the pure transfer decoder.

Since 'pure-transfer' and 'web-accesslog' are both in the default 
decoder.xml, I'm not sure suggesting "just go deactivate parts of it" is 
the best course of action, especially since you then also have to go 
deactivate any rules referencing the 'pure-transfer' decoder and thus 
generate a situation where upgrading OSSEC has a good potential to break 
stuff again.


It looks more like a problem in the default web-accesslog decoder imo. 
If you feed the exact same log to it with a positive timezone offset 
(+0500 instead of -0500) it works.
To be sure I just did a 2.8.1 clean install on a test system and a part 
of the example logs shown in the decoder.xml for web-accesslog don't get 
decoded as web-accesslog. Attaching test case below, both log entries 
are valid apache default format logs, just from different timezones. On 
first glance I didn't see anything wrong in the decoder.xml regex, in 
the regex sourcecode, or anything in analysisd/cleanevent.c  that would 
get in the way. My gut feeling says that something inside OSSEC is 
mangling the apache logs since adding a remote logname to the apache 
test log "fixes" the problem (the first dash after the IP, "22.33.44.55 
foo - [16/Oct..."), although this is something you will probably seldom 
see in valid logs.


When I get it narrowed down I'll create a git issue/pull request (unless 
of course someone else knows the solution off-hand and can help out).



test:/var/ossec# cat /tmp/ossec_test

22.33.44.55 - - [16/Oct/2014:22:54:43 +0200] "GET /some/file.html 
HTTP/1.1" 200 1488 "-" "curl version foo"
22.33.44.55 - - [16/Oct/2014:22:54:43 -0200] "GET /some/file.html 
HTTP/1.1" 200 1488 "-" "curl version foo"


test:/var/ossec# cat /tmp/ossec_test | /var/ossec/bin/ossec-logtest
2014/12/28 23:06:21 ossec-testrule: INFO: Reading local decoder file.
2014/12/28 23:06:21 ossec-testrule: INFO: Started (pid: 21117).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
   full event: '22.33.44.55 - - [16/Oct/2014:22:54:43 +0200] "GET 
/some/file.html HTTP/1.1" 200 1488 "-" "curl version foo"'

   hostname: 'test'
   program_name: '(null)'
   log: '22.33.44.55 - - [16/Oct/2014:22:54:43 +0200] "GET 
/some/file.html HTTP/1.1" 200 1488 "-" "curl version foo"'


**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '22.33.44.55'
   url: '/some/file.html'
   id: '200'

**Phase 3: Completed filtering (rules).
   Rule id: '31108'
   Level: '0'
   Description: 'Ignored URLs (simple queries).'


**Phase 1: Completed pre-decoding.
   full event: '22.33.44.55 - - [16/Oct/2014:22:54:43 -0200] "GET 
/some/file.html HTTP/1.1" 200 1488 "-" "curl version foo"'

   hostname: 'test'
   program_name: '(null)'
   log: '22.33.44.55 - - [16/Oct/2014:22:54:43 -0200] "GET 
/some/file.html HTTP/1.1" 200 1488 "-" "curl version foo"'


**Phase 2: Completed decoding.
   decoder: 'pure-transfer'

**Phase 3: Completed filtering (rules).
   Rule id: '11310'
   Level: '0'
   Description: 'Rule grouping for pure ftpd transfers.'



Re: [ossec-list] Automatically AgentRestarts

2014-07-18 Thread Ryan Schulze
You can set the cron up on the master and have it send a restart to all 
the connected agents with agent_control


(quick&dirty would be something like "for id in 
$(/var/ossec/bin/agent_control -lc|cut -d, -f1|cut -d: -f2); do 
/var/ossec/bin/agent_control -R ${id};done")



On 7/18/2014 8:59 AM, Alexander Pietrasch wrote:
Yeah, you're right, but in our infrastructure we have Windows clients and 
it is a step more to set up a cronjob on every system.


On Friday, July 18, 2014 13:59:36 UTC+2, dan (ddpbsd) wrote:

On Fri, Jul 18, 2014 at 6:25 AM, Alexander Pietrasch wrote:
> Hey everyone,
>
> is it possible to set a timer so that the agents restart themselves, or
> to set a clock time at which the agents restart?
>
> I didn't find something like that but maybe you can implement this in a
> new version?
>

man cron

All reasonable systems have these facilities built in. ;)

> Best regards,
> Alex
>


Re: [ossec-list] Ossec remoted not able to create pid in linux

2014-04-19 Thread Ryan Schulze

does ossec-logtest -v spit out any problems?

On 4/17/2014 5:36 AM, Ankit Singh wrote:


Hi, I am restarting ossec and remoted is not starting up



Re: [ossec-list] ossec-maild tags

2014-03-14 Thread Ryan Schulze

Hi,

We had a similar requirement here. I just added an additional option to 
the ossec.conf that gets added into the mail headers ("X-IDS-OSSEC: 
$value") to be able to use that to sort the emails from the different 
masters.


I currently don't have a patch file with only that change (for stupid 
reasons all our changes are currently lumped into one big patch file), 
but If you can wait until next week I'm planning on having a look at git 
and forks and all that fun. So I should, at the very least, have a patch 
file or fork with that feature singled out.


Ryan


On 3/13/2014 2:01 AM, Gaurav Rajput wrote:

Hi,

I have 3 different infrastructures (Development, Production and 
Testing), running the same configuration (with same ip-address and 
subnet) and nodes. I have 3 ossec-servers running. Each ossec-server 
is sending the mails to a central gmail account.


All I want is, to categorize the mails from each infrastructure. In 
other words I want to tag the emails with Dev, Prod or Test. Is there 
any way to do this, as I searched a lot in the configuration file ???


Thanks.


Re: [ossec-list] How to install without prompts

2014-02-15 Thread Ryan Schulze


I  believe the file you are looking for is "etc/preloaded-vars.conf", 
just fill out all the "answers" to the questions in that file and 
install.sh won't ask for them.



On 2/11/2014 5:23 PM, David Montgomery wrote:

Hi,

Newbie trying to install agent and server.  Will build my own chef 
recipes.


Wowee...If I were a prompt I would love ossec.  Where are the docs 
to bypass all of the prompts?  Or do people use expect to install agents?


I am on ubuntu 12.04

Thanks




Re: [ossec-list] "minor ossec" issue

2014-02-15 Thread Ryan Schulze


IIRC if you delete the queue/rids/${AgentID} on the agent and master and 
restart ossec on both it should "reset" it.


On 2/11/2014 6:47 PM, Eero Volotinen wrote:

Hi List,

I have some issues with ossec. My ossec server was down for about a week and 
after starting the ossec server, all clients started to flood the server and 
they also eat disk IO on the client servers.


How to resolve this issue, i.e. reset all clients to a fresh "today" state?



--
Eero


Re: [ossec-list] breaking up ossec.conf into smaller files

2014-01-14 Thread Ryan Schulze

On 1/14/2014 10:54 AM, Darin Perusich wrote:

Hello All,

Is it possible to break the various ossec configuration options into
individual files and include them in the main ossec.conf? Say I put
syscheck opts into syscheck.xml, localfile opts in localfile.xml, etc.

I'm not finding anything about this from google nor a quick review of
the os_xml code.

Thanks!

--
Later,
Darin


Nothing builtin, but you can build the logic yourself.
I use an ossec.conf.d/ style directory with all the fragments and 
whenever I deploy changes to the ossec server it cats the files 
together into ossec.conf.




Re: [ossec-list] ignore alerts

2014-01-03 Thread Ryan Schulze

On 1/3/2014 10:15 AM, Rich Rumble wrote:

On Thursday, January 2, 2014 6:13:55 PM UTC-5, dan (ddpbsd) wrote:

On Thu, Jan 2, 2014 at 6:10 PM, dan (ddp) wrote:
> I'll have to jump on a computer later to test. Rules still do not belong on
> the agents. Never have, never will. I'll try to add a faq entry on that.
>

Oops, I can't seem to find the log sample.

I've got it working now, I had duplicated the rules in the file 
because my VI skillz are like that :)
I am using the names without wild cards separated with pipe "|", and 
once I restarted the whole server, not just ossec it began 
working/ignoring. I am using lowercase names in the rule even though 
the names are uppercase when I entered them as agents. I have not 
tried with wildcards and I don't think I will since I only have a 
handful to ignore on. Basically OSSEC is duplicating the effort with 
that alert and it's a chatty/large alert for us.

Thanks for the tips nonetheless!
-rich
--


I've never tried it out with hostnames but using a CDB list in the rule 
might make things easier to maintain if you end up needing to add more 
hostnames.

http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html




Re: [ossec-list] Multiple email addresses for a single email_alert

2013-10-14 Thread Ryan Schulze
AFAIK not possible within OSSEC. If it's always the same people you 
could make a mailing list on your mailserver and send it to that.



On 10/14/2013 2:08 PM, Lalbee99 wrote:
When configuring email alerts is there anyway to incorporate more than 
a single email address per email_alert. In example, I have 3 users 
that need to receive email alerts from the servers: magnum1 and 
magnum2. I don't want to write three separate email_alerts for the 
same machines (tedious.)

 
   
<email_alerts>
  <email_to>clint.eastw...@the.old.west.com</email_to>
  <event_location>magnum1|magnum2</event_location>
  <level>6</level>
</email_alerts>

<email_alerts>
  <email_to>charles.bron...@the.old.west.com</email_to>
  <event_location>magnum1|magnum2</event_location>
  <level>6</level>
</email_alerts>

<email_alerts>
  <email_to>john.wa...@the.old.west.com</email_to>
  <event_location>magnum1|magnum2</event_location>
  <level>6</level>
</email_alerts>

-Leo






Re: [ossec-list] SSH taking too much time

2013-08-30 Thread Ryan Schulze


Do you have any active responses configured that would trigger (i.e. an 
unconditional active response for alerts level 7 or higher that is now 
active since you bumped 5715 to level 7)?



On 8/30/2013 11:07 AM, sandeep dubey wrote:


Forgot to mention that DNS has no issue at all.

On Aug 30, 2013 9:36 PM, "sandeep dubey" wrote:


Thanks for the reply dan.
This issue was observed on both server and all agents.

On Aug 30, 2013 9:30 PM, "dan (ddp)" <ddp...@gmail.com> wrote:

On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <sandeep.san...@gmail.com> wrote:
> Hi All,
>
> Recently, I faced a strange issue with my setup, where ssh login was taking
> around 11-12 min for each attempt. I segregated this issue in two parts -
>
> 1. I was able to login to system using ssh, but not able to
perform any
> single command on terminal. But after 10-15 min, it becomes
normal and able
> to do all the tasks.
>
> 2. Server was throwing "Connection Timeout" error, or it
accepts the
> key/password on target server (as per auth.log) but session
was given after
> 10-15 min.
>
> All the above issue solve by making one recent change in
OSSEC, and that is
> disabling the ssh rule id 5715.
>
> What I did with OSSEC earlier?
> I wanted to log the successful ssh attempt so i change the
level for rule
> 5715 to 7 from 3 and restarted ossec service. It worked as
expected, But
> after couple of hours i started facing above issue.
>
> My setup details -
> Host OS = Ubuntu 10.04
> OSSEC = 2.7
> Server / Client setup
> AR enabled.
> AWS EC2 instances
>

Was this problem seen on the server or an agent? Was DNS
working properly?

> I have two question -
>
> 1. I didn't understand how this change affect the SSH login.
>

Neither do I.

> 2. Is there a way that I can get alerts at a specific level
but can log all
> levels starting from level 3 ?
> For example - I want to get email alerts at above level 7,
but log all
> alerts starting from level 3.
>

Yes, configure ossec to email level 7, and log level 3.

http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts

> Thanks
> Sandeep
>


Re: [ossec-list] Ossec with mysql

2013-05-16 Thread Ryan Schulze
How many ossec master servers do you have sending data to the database? 
i.e. how many entries are there in the 'server' table?


If you only have one master then all entries will have the same server_id.

Also, a heads up if you have multiple master servers sending their data 
to the database: the id field in alert and data are only unique to the 
server_id, so when joining the 2 tables you need to join on both id and 
server_id.


On 5/15/2013 8:27 PM, netzerosp...@gmail.com wrote:

Hi guys,

I'm trying to install ossec with mysql support
But all the server_id field is having value 1
I'm confused how to do query with this
Can anyone help?
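An added worked example, not from the thread: the composite-key join in SQLite (standing in for MySQL), with the column set trimmed from the OSSEC alert and data tables quoted earlier in this list and all rows constructed. It shows how joining alert to data on id alone cross-pairs rows from two masters, and that joining on both id and server_id fixes it.

```python
import sqlite3

# Column names follow the INSERT statements quoted elsewhere in this list
# (alert(id, server_id, rule_id, timestamp, ..., alertid) and
# data(id, server_id, user, full_log)), trimmed to what the join needs.
SCHEMA = """
CREATE TABLE server (id INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE alert  (id INTEGER, server_id INTEGER, rule_id INTEGER,
                     timestamp INTEGER, alertid TEXT);
CREATE TABLE data   (id INTEGER, server_id INTEGER, user TEXT, full_log TEXT);
"""

# Constructed rows: the id counter restarts per master, so id 69 exists for
# both server_id 1 and server_id 2.
ROWS = {
    "server": [(1, "ossec-master-a"), (2, "ossec-master-b")],
    "alert": [
        (69, 1, 18149, 1437058097, "1437058092.4614772"),
        (70, 1, 18149, 1437058097, "1437058096.4615492"),
        (69, 2, 5715,  1437058200, "1437058200.1"),
    ],
    "data": [
        (69, 1, "Tareas_C", "WinEvtLog: ... An account was logged off."),
        (70, 1, "TAreasC",  "WinEvtLog: ... An account was logged off."),
        (69, 2, "alice",    "sshd: Accepted publickey for alice"),
    ],
}

# Joining on id only: every alert pairs with same-numbered data from every master.
NAIVE_JOIN = """
SELECT a.server_id, a.id, a.rule_id, d.user
FROM alert a JOIN data d ON d.id = a.id
ORDER BY a.server_id, a.id, d.server_id
"""

# Joining on the composite key (id, server_id): one data row per alert.
CORRECT_JOIN = """
SELECT a.server_id, a.id, a.rule_id, d.user
FROM alert a JOIN data d ON d.id = a.id AND d.server_id = a.server_id
ORDER BY a.server_id, a.id
"""


def build_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def run(conn, sql):
    return conn.execute(sql).fetchall()


def compare_joins():
    """Return (rows from the id-only join, rows from the composite-key join)."""
    conn = build_db()
    try:
        return run(conn, NAIVE_JOIN), run(conn, CORRECT_JOIN)
    finally:
        conn.close()


if __name__ == "__main__":
    naive, correct = compare_joins()
    print("join on id only     :", naive)     # 5 rows, two of them cross-master mismatches
    print("join on id+server_id:", correct)   # 3 rows, one per alert
```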


Re: [ossec-list] Re: Error "Unable to access ossec directory" using ossec-wui

2013-05-13 Thread Ryan Schulze
Based on your ls output I'd say that the error message is occurring 
since Apache isn't allowed to access the directory. Did you add any ACLs 
to the directory to allow access that we aren't seeing here? Have you 
tried just su'ing to your apache user to see if it can access everything 
like it needs to?



On 5/10/2013 4:27 PM, David Juarez wrote:
still not working... Apache is running well, tested a basic index.html 
and works.. except the ossec wui..


any recommendations?

Thanks.

Regards,
David Juarez


On Fri, May 10, 2013 at 2:26 PM, David Juarez wrote:


here are changes made to ossec_conf.php

$ossec_dir="/var2/ossec";

the error message I received is coming from: (note below)


/* Starting handle */
$ossec_handle = os_handle_start($ossec_dir);
if($ossec_handle == NULL)
{
echo "Unable to access ossec directory.\n";
return(1);
}


Looks like somehow can start the os_handle_start




On Fri, May 10, 2013 at 1:01 PM, David Juarez <djuar...@usfca.edu> wrote:

Hi,

I am having problems accessing the ossec directory when trying to use
the web.
I receive this error message from my browser:

"Unable to access ossec directory"

I can access the webserver from
http://138.202.80.161/ossec-wui/index.php?f=s

and I am able to see the tabs where
Main, Search, Integrity Checking, Stats, About..

am I missing something..

Note: I installed ossec under a diff partition using LVM
/var2

all is working well, except the web..

Any recommendations? am I missing something.
your help is greatly appreciated.

Thanks.

David Juarez

I decompressed/untarred ossec-wui-0.3.tar.gz.
mv ossec-wui* /var/www/html/ossec-wui


[root@syslog-rhel63-svr html]# pwd
/var/www/html
[root@syslog-rhel63-svr html]# ls -l
total 4
drwxr-xr-x. 8 root ossec 4096 May  9 17:08 ossec-wui
[root@syslog-rhel63-svr html]# ls -l ossec-wui/
total 92
-rwxr-xr-x. 1 root ossec   317 May  9 17:08 CONTRIB
drwxr-xr-x. 3 root ossec  4096 May  9 17:08 css
-rw-r--r--. 1 root ossec   218 May  9 17:08 htaccess_def.txt
drwxr-xr-x. 2 root ossec  4096 May  9 17:08 img
-rwxr-xr-x. 1 root ossec  5177 May  9 17:08 index.php
drwxr-xr-x. 2 root ossec  4096 May  9 17:08 js
drwxr-xr-x. 3 root ossec  4096 May  9 17:08 lib
-rw-r--r--. 1 root ossec 35745 May  9 17:08 LICENSE
-rw-r--r--. 1 root ossec   462 May  9 17:08 ossec_conf.php
-rw-r--r--. 1 root ossec  1449 May  9 17:08 README
-rw-r--r--. 1 root ossec   923 May  9 17:08 README.search
-rwxr-xr-x. 1 root ossec  1824 May  9 17:08 setup.sh
drwxr-xr-x. 2 root ossec  4096 May 10 12:30 site
drwxrwxrwx. 2 root ossec  4096 May  9 17:08 tmp


ran the setup.sh script created 3 users apache, and nobody

[root@syslog-rhel63-svr html]# grep ossec /etc/group
ossec:x:502:apache,nobody
[root@syslog-rhel63-svr html]#


Fix permissions
# chmod 770 tmp/
# chgrp www-data tmp/
# apachectl restart


[root@syslog-rhel63-svr html]# service httpd status
httpd (pid  13291) is running...
[root@syslog-rhel63-svr html]# ps -ef | grep httpd
root 13291 1  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13293 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13294 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13295 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13296 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13297 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13298 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13299 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13300 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
apache   13301 13291  0 12:40 ?  00:00:00 /usr/sbin/httpd
root 13388 10691  0 12:55 pts/200:00:00 grep httpd
[root@syslog-rhel63-svr html]#


[root@syslog-rhel63-svr html]# df -h
FilesystemSize  Used Avail Use% Mounted on
/dev/sda3  51G  6.0G 43G  13% /
tmpfs 1.9G   72K  1.9G   1% /dev/shm
/dev/sda1 243M   59M  172M  26% /boot
/dev/mapper/vg--ossec-lv--ossec
  197G  232M  187G   1% /var2
[root@syslog-rhel63-svr html]#


[root@syslog-rhel63-svr html]# ls -ld /var2/ossec/
dr-xr-x---. 13 root ossec 4096 May  9 15:01 /var2/ossec/


[root@syslog-rhel63-svr html]# ls -l /var2
total 24
drwx--.  2 root root  16384 May  9 14:30 lost+found
dr-xr-x---. 13 root ossec  4096 May  9 15:01 ossec

Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-08 Thread Ryan Schulze



Even if I know where it is (and probably most other people following the
list) I suspect anyone that is considering using OSSEC in a production
environment will want to stick with the stable releases found on the
official website.


That seems like a flaw in their process. If they refuse to use the
source, why use open source?

No one said anything about not using source code, but the only source you 
get off the official website is 2.7, and there is no information about where to 
access any development repositories. So as long as you stick to official 
information, 2.7 is the most current you can get.
I have no idea who is developing what in which repository and whose 
repository merges into official releases, so I write my patches against 
2.7. I may look around at what other people are doing, but as long as it 
isn't an official beta or RC on the website, I'm not going to worry much 
about what people do in their repositories.






Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-07 Thread Ryan Schulze

On 3/7/2013 8:34 PM, dan (ddp) wrote:

On Thu, Mar 7, 2013 at 4:55 PM, Joe Gedeon  wrote:

Yes, but a 2.7.1 has not been uploaded to the download site that corrects
the issues.  Latest release still downloads 2.6 even.  Due to the bugs that
have been corrected since 2.7 came out one would think that 2.7.1 would
already be the chosen version to host on the site for download.


Use the bitbucket source, it's easier.



Easier said than done, since there is no reference to the source code on 
bitbucket anywhere on ossec.net (one unsuspecting link to the 2.6 
changelog and the list of contributors aren't obvious places to look for or 
find it).


Even if I know where it is (and probably most other people following the 
list) I suspect anyone that is considering using OSSEC in a production 
environment will want to stick with the stable releases found on the 
official website.






Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-07 Thread Ryan Schulze

On 3/7/2013 8:33 PM, dan (ddp) wrote:

Make sure /bin/sh is bash and not dash.
Actually the problem is that the script is using bash syntax even though 
it has /bin/sh as the shebang.

The script should either be changed to only use sh syntax or use #!/bin/bash






Re: [ossec-list] Granular E-Mail alerts

2013-03-05 Thread Ryan Schulze

Hmm, there are various ways to accomplish this.
Since you want alerts from a specific set of alerts, I would suggest the 
following: add the rules you want to be notified of to an additional 
group and make sure they will trigger sending an email regardless of 
their level. Then just have ossec send mails of this additional group to 
the email address.
As an alternative to overwriting the original rule you can also just add 
new rules that trigger if the old one was called (...) 
and add the options and group to the new rule. I'm not sure why you 
think they would get doubled in any statistics.


local_rules.xml:
  <!-- the id="..." and level="..." attributes of each rule were lost when the
       message was archived; RULE_ID and LEVEL below are placeholders -->
  <rule id="RULE_ID" level="LEVEL">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,access_notification,</group>
    <options>alert_by_email</options>
  </rule>
  <rule id="RULE_ID" level="LEVEL">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <description>Login session opened.</description>
    <group>authentication_success,access_notification,</group>
    <options>alert_by_email</options>
  </rule>
  <rule id="RULE_ID" level="LEVEL">
    <if_sid>5400</if_sid>
    <match> ; USER=root ; COMMAND=</match>
    <description>Successful sudo to ROOT executed</description>
    <group>access_notification,</group>
    <options>alert_by_email</options>
  </rule>


ossec.conf:
  <email_alerts>
    <email_to>em...@email.com</email_to>
    <group>access_notification</group>
  </email_alerts>



On 3/5/2013 11:17 AM, Willen Borges Coelho wrote:


Hi,

I'm new to Ossec and I'm trying to configure email alerts, but with 
no success.


I would like to only be notified by email alerts about events id 5715, 
5501 and 5402, but after I configure this granular alert by editing 
ossec.conf, it doesn't work.


Whenever I edit the email_alert_level to level 3, I get a lot of 
emails with many events, which is not expected.


I saw in old emails the possibility of rewriting the event_id, changing 
its level in local_rules.xml, but in the statistics they get doubled, 
so I'd much rather not go that way.


I wouldn't like to get notified by automatic emails; if possible I'd 
deactivate the email_alert_level. I've tried to set level 0, with no 
success.


My configuration:

  

yes

em...@email.com

smtp.email.com

os...@email.com

100

yes

  

  

1

8

  

  

 em...@email.com

3

5715, 5501, 5402





  

  

em...@email.com

11402

webserver.domain.com







Regards,

*Willen Borges Coelho*








Re: [ossec-list] Large ruleset causing ossec startup issues?

2013-02-19 Thread Ryan Schulze

Hi James,

that sounds like quite a few new rules in that list. I've never had that 
many, so can't say what side effects it may have. But after looking at 
the SANS document I would suggest shortening it down to one rule that 
uses CDB lists and looks like this (based off the rule template from the 
document):


  <!-- the rule's id="..." and level="..." attributes and the attributes of
       <list> were lost when the message was archived; RULE_ID and LEVEL are
       placeholders and field="srcip" is assumed -->
  <rule id="RULE_ID" level="LEVEL">
    <if_sid>3100</if_sid>
    <list field="srcip">lists/ip_shunlist</list>
    <description>Shun!</description>
  </rule>


Then you just have to populate the ip_shunlist file and add the 
following to the ossec.conf in the <rules> section:

  <list>lists/ip_shunlist</list>

IMHO easier to maintain (just update the list of IPs), and the list can 
be used for multiple rules.
Have a look at the OSSEC documentation for how the IP List should be 
formatted:

http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html



On 2/18/2013 4:46 PM, James Whittington wrote:


I read a whitepaper by the SANS institute where they gave an example 
of taking an emerging threats blacklist and creating a custom ruleset 
from it's IPs.


(http://www.sans.org/reading_room/whitepapers/detection/practical-ossec_33699)

I was pretty sure I had all the pieces working and in fact could do a 
logtest successfully using the newly created ruleset.


This is OSSEC HIDS v2.7-beta2 by the way.

On an OSSEC restart however analysis had a couple of errors and none 
of my remote logs seems to be flowing through anymore?


2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/bin'.

2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.

2013/02/18 16:58:29 ossec-analysisd(1210): ERROR: Queue 
'/queue/alerts/ar' not accessible: 'Connection refused'.


2013/02/18 16:58:29 ossec-analysisd(1301): ERROR: Unable to connect to 
active response queue.


2013/02/18 16:58:29 ossec-analysisd: INFO: Connected to 
'/queue/alerts/execq' (exec queue)


After commenting out the ruleset in the ossec.conf file fixed things 
so it seems tied to this new ruleset.


The new rules are a bit larger at 1.7 MB so maybe something is timing out?

Any ideas out there on this?

I like the idea of incorporating a well known blacklist into ossec.

Thanks,

James Whittington





--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
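A feed-to-list converter for the CDB approach suggested above, as an added example that is not part of the original post or of OSSEC: it turns a blocklist feed (one IP or CIDR per line, "#" comments) into the flat "key:" text that ossec-makelists compiles. It assumes the address_match_key lookup, where a key is either a full address or a leading-octet prefix such as "10." matched against the alert's srcip; SAMPLE_FEED is constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a blocklist feed (not a real feed): one address or
# CIDR per line, '#' comments, blank lines, a duplicate, an IPv6 entry and
# a malformed entry.
SAMPLE_FEED = """\
# constructed sample feed, not a real blocklist
198.51.100.23
198.51.100.23
203.0.113.0/24
192.0.2.0/28
not-an-ip
2001:db8::/32

10.0.0.0/8
"""


def network_to_keys(net: ipaddress.IPv4Network) -> List[str]:
    """Express an IPv4 network as address_match_key prefixes (assumption: the
    lookup tries the full address, then '10.0.0.', '10.0.', '10.'), so only
    octet-aligned prefixes can be written. Other sizes are split into the
    next aligned size: a /20 becomes sixteen /24 keys, a /28 sixteen /32 keys."""
    aligned = next(p for p in (8, 16, 24, 32) if p >= net.prefixlen)
    keys = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        key = ".".join(octets)
        keys.append(key if aligned == 32 else key + ".")
    return keys


def parse_feed(text: str) -> Tuple[List[str], List[str]]:
    """Return (sorted unique list keys, rejected tokens). Comments and blank
    lines are skipped; IPv6 and unparsable entries are reported rather than
    written, since the list is matched against dotted-quad srcip values."""
    keys, rejected = set(), []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)
            continue
        if net.version != 4:
            rejected.append(token)
            continue
        keys.update(network_to_keys(net))
    ordered = sorted(keys, key=lambda k: [int(p) for p in k.rstrip(".").split(".")])
    return ordered, rejected


def render_cdb_text(keys: List[str]) -> str:
    """One 'key:' line per entry, the flat text ossec-makelists reads; the
    value after the colon is left empty because the rule only needs the key."""
    return "".join(key + ":\n" for key in keys)


if __name__ == "__main__":
    keys, rejected = parse_feed(SAMPLE_FEED)
    print(render_cdb_text(keys), end="")
    for token in rejected:
        print("skipped:", token)
```

Write the rendered text to lists/ip_shunlist under the OSSEC directory and run ossec-makelists, then restart, as the post describes.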




Re: [ossec-list] OSSEC-WUI SrcIP parsing question

2013-02-02 Thread Ryan Schulze

Hi Vilius,

If you are using the OSSEC Web UI 0.3 download from ossec.net you may 
want to have a look at some of the patches here on the list.

e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html

The log format changed with version OSSEC 2.6 and broke some of the 
functionality of the Web UI. I don't use it any more, so I can't say if 
the changes still work with 2.7, but as long as the log formatting is 
the same, it should.


On 2/2/2013 1:23 PM, Vilius Benetis wrote:

Hey,

I try to understand where exactly ossec-wui is parsing srcip, as I 
often get bad parsing, for example:


2013 Feb 02 10:48:42 Rule Id: 2901 
 level: 3

Location: ubuntu->/var/log/dpkg.log
Src IP: 02 10:48:41 install libapr1  1.4.6-1
New dpkg (Debian Package) requested to install.
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1  1.3.12+dfsg-3

2013 Feb 02 10:48:32 Rule Id: 5501 
 level: 3

Location: ubuntu->/var/log/auth.log
Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened 
for user root by user(uid=1000)

Login session opened.
** Alert 1359830922.3117: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libcap2  1:2.22-1ubuntu3

this comes from local agent, but equally strange results sometimes 
come from remotes as well.


I believe that sometimes the IP address cannot be extracted, but then 
this field should most probably be empty, right?


My programming/debugging skills are very rusty, but if it is not too 
tricky, I could try to adjust regexp not to fire such results, which 
messes up statistics and filtering.


--
/Vilius
--






Re: [ossec-list] Re: Error with web-accesslog decoder logs with and certain IP adresses + .htaccess

2013-01-14 Thread Ryan Schulze


Awesome, thanks for the patch.
I tried it out on or test servers, and then bumped it to our live 
servers. No problems, no side affects. Looks good :-)




On 1/11/2013 4:18 PM, Jb Cheng wrote:
Try the attached patch which modifies analysisd/cleanevent.c and 
report back. Thanks!


On Friday, January 11, 2013 2:04:05 PM UTC-8, Jb Cheng wrote:

Found the root cause at "analysisd/cleanevent.c".
If you have an IP address which happens to meet the conditional
statement, the first 14 characters of the log will be stripped
(and cause "No decoder matched").

You can modify the following code so there won't be false positives:
/* Checking for squid date format
 * 1140804070.368  11623
 * seconds from 00:00:00 1970-01-01 UTC
 */
else if((loglen > 32) &&
        (pieces[0] == '1') &&
        (pieces[10] == '.') &&
        (pieces[14] == ' ') &&
        (isdigit((int)pieces[13])) &&
        (isdigit((int)pieces[1])) &&
        ((pieces[21] == ' ')||(pieces[22] == ' ')))
{
    lf->log+=14;

On Thursday, December 27, 2012 12:10:46 PM UTC-8, Ryan Schulze wrote:

I stumbled across a weird phenomenon today. I noticed that
some of my
apache logs were being decoded as syslogs.

As far as I can tell, if the 1st, 3rd and 4th octet of the IP are
three-digit and the 2nd octet is two-digit AND apache logged a
username
(e.g. due to .htaccess) then ossec doesn't decode it as
web-accesslog.

Tests were done with a fresh install of ossec 2.7 on ubuntu
12.04, no
local decoder or rules.

I can replicate the problem with the following two lines:

111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/
HTTP/1.1"
200 20 "somereferrer" "somebrowser"
No decoder matched

111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/
HTTP/1.1" 200 20 "somereferrer" "somebrowser"
decoder: 'web-accesslog'

111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/
HTTP/1.1"
200 20 "somereferrer" "somebrowser"
decoder: 'web-accesslog'


Does anyone have an idea where I would fix this? (which part
of the
source tree will I have to look at for the decoder regex logic)?

logs:
> rtest:~# /var/ossec/bin/ossec-logtest
> 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local
decoder file.
> 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574).
> ossec-testrule: Type one log per line.
>
> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/
> HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>
>
> **Phase 1: Completed pre-decoding.
>full event: '111.22.111.111 - test
[26/Dec/2012:17:51:27 +0100]
> "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>hostname: 'rtest'
>program_name: '(null)'
>log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/
HTTP/1.1"
> 200 20 "somereferrer" "somebrowser"'
>
> **Phase 2: Completed decoding.
>No decoder matched.
>
> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/
> HTTP/1.1" 200 20 "somereferrer" "somebrowser"
>
>
> **Phase 1: Completed pre-decoding.
>full event: '111.222.111.111 - test
[26/Dec/2012:17:51:27
> +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer"
"somebrowser"'
>hostname: 'rtest'
>program_name: '(null)'
>log: '111.222.111.111 - test [26/Dec/2012:17:51:27
+0100] "POST
> /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
>
> **Phase 2: Completed decoding.
>decoder: 'web-accesslog'
>srcip: '111.222.111.111'
>url: '/api/'
>id: '200'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '31108'
>Level: '
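The cleanevent.c condition quoted above, ported to Python as an added example (not code from OSSEC or from the thread) and run over the three lines tested with ossec-logtest plus a constructed squid line; the stricter check is my own suggestion, not the patch that was attached to the list.

```python
import re

# The three access-log lines from the thread (the first is the one that
# was mis-decoded) and a constructed squid native-format line, which is
# what the heuristic was written to recognise.
APACHE_USER_LINE = ('111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] '
                    '"POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"')
APACHE_USER_WIDE_LINE = ('111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] '
                         '"POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"')
APACHE_NOUSER_LINE = ('111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] '
                      '"POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"')
SQUID_LINE = ('1140804070.368  11623 192.0.2.10 TCP_MISS/200 1234 GET '
              'http://example.invalid/ - DIRECT/203.0.113.5 text/html')


def squid_date_check_27(pieces: str) -> bool:
    """Port of the condition quoted from cleanevent.c: only a handful of
    character positions are sampled, so an IP of the shape ddd.dd.ddd.ddd
    followed by "- " and a four-character user name passes every test
    (position 10 is the third dot, position 14 the space after the IP,
    position 21 the space after "test")."""
    return (len(pieces) > 32
            and pieces[0] == '1'
            and pieces[10] == '.'
            and pieces[14] == ' '
            and pieces[13].isdigit()
            and pieces[1].isdigit()
            and (pieces[21] == ' ' or pieces[22] == ' '))


# A squid timestamp is ten digits, a dot and three digits, followed by a space.
SQUID_PREFIX = re.compile(r'^1\d{9}\.\d{3} ')


def squid_date_check_strict(pieces: str) -> bool:
    """Stricter variant (my suggestion, not the patch posted on the list):
    require the full shape of the timestamp instead of sampling positions.
    A dotted-quad IP fails at the dot in position 3 or 6 whatever the
    user-name length, while a real squid line still passes."""
    return (len(pieces) > 32
            and SQUID_PREFIX.match(pieces) is not None
            and (pieces[21] == ' ' or pieces[22] == ' '))


def squid_strip(pieces: str) -> str:
    """What the decoders see after 'lf->log += 14': the whole IP is gone,
    which is why ossec-logtest printed log: '- test [...' for the bad line."""
    return pieces[14:].lstrip()


if __name__ == "__main__":
    for name, line in (("user, narrow IP", APACHE_USER_LINE),
                       ("user, wide IP", APACHE_USER_WIDE_LINE),
                       ("no user", APACHE_NOUSER_LINE),
                       ("squid", SQUID_LINE)):
        print("%-16s 2.7 check=%-5s strict=%-5s" % (
            name, squid_date_check_27(line), squid_date_check_strict(line)))
```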

[ossec-list] Error with web-accesslog decoder logs with and certain IP adresses + .htaccess

2012-12-27 Thread Ryan Schulze
I stumbled across a weird phenomenon today. I noticed that some of my 
apache logs were being decoded as syslogs.


As far as I can tell, if the 1st, 3rd and 4th octet of the IP are 
three-digit and the 2nd octet is two-digit AND apache logged a username 
(e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog.


Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no 
local decoder or rules.


I can replicate the problem with the following two lines:

111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
200 20 "somereferrer" "somebrowser"

No decoder matched

111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
HTTP/1.1" 200 20 "somereferrer" "somebrowser"

decoder: 'web-accesslog'

111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
200 20 "somereferrer" "somebrowser"

decoder: 'web-accesslog'


Does anyone have an idea where I would fix this? (which part of the 
source tree will I have to look at for the decoder regex logic)?


logs:

rtest:~# /var/ossec/bin/ossec-logtest
2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file.
2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574).
ossec-testrule: Type one log per line.

111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
HTTP/1.1" 200 20 "somereferrer" "somebrowser"



**Phase 1: Completed pre-decoding.
   full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] 
"POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'

   hostname: 'rtest'
   program_name: '(null)'
   log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
200 20 "somereferrer" "somebrowser"'


**Phase 2: Completed decoding.
   No decoder matched.

111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
HTTP/1.1" 200 20 "somereferrer" "somebrowser"



**Phase 1: Completed pre-decoding.
   full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 
+0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'

   hostname: 'rtest'
   program_name: '(null)'
   log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST 
/api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'


**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '111.222.111.111'
   url: '/api/'
   id: '200'

**Phase 3: Completed filtering (rules).
   Rule id: '31108'
   Level: '0'
   Description: 'Ignored URLs (simple queries).'

111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
200 20 "somereferrer" "somebrowser"



**Phase 1: Completed pre-decoding.
   full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] 
"POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'

   hostname: 'rtest'
   program_name: '(null)'
   log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST 
/api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'


**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '111.22.111.111'
   url: '/api/'
   id: '200'

**Phase 3: Completed filtering (rules).
   Rule id: '31108'
   Level: '0'
   Description: 'Ignored URLs (simple queries).'




Re: [ossec-list] ossec-syscheckd consumes more cpu space and make apache to down

2012-11-28 Thread Ryan Schulze
Are you sure your CPU is your bottleneck? How does it behave after 
tuning the syscheck options?


On 11/28/2012 5:11 AM, Yesodha wrote:

Hi,

Can anyone respond to this ticket? I am still facing this issue.

Regards,
Yesodha Prabhu

On Wednesday, October 10, 2012 2:23:23 PM UTC+5:30, Yesodha wrote:


No,I didn't do any syscheck tuning.

Regards,
Yesodha P

On Thursday, October 4, 2012 6:35:02 PM UTC+5:30, dan (ddpbsd) wrote:

On Thu, Oct 4, 2012 at 4:13 AM, Yesodha
 wrote:
> Hi,
>
> Whenever my linux runs the process ossec-syscheckd,this
process consumes
> more cpu space and make httpd down.
>
> In this server asl 3.0 is installed.Can you please suggest
some ideas to fix
> this issue?
>
> Regards,
> Yesodha Prabhu

Have you done any syscheck tuning?

http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#internal-options-conf-syscheck








Re: [ossec-list] email alerts - alert levels

2012-10-24 Thread Ryan Schulze

Hi Chris,

the email notification works like this: emails always get sent to the 
global <email_to>, and any granular email config is added as an 
additional recipient of the email.
Our solution was to just set the global <email_to> to an email address 
that discards mail (like blackhole or devnull). And then set up the 
granular email notifications for the levels, groups, location, ... you 
want. That makes the whole system behave more like you would expect (we 
use it so that different departments get mails for their own services).
If you are expecting a lot of emails, you may want to set the global 
<email_maxperhour> to a higher number to avoid grouping of multiple 
alerts into one email.


Set up this way your config could look somewhat like this (although 
alerts >= level 12 would go to both accounts):


<global>
  <email_notification>yes</email_notification>
  <email_to>devnull@localhost</email_to>
  <smtp_server>server</smtp_server>
  <email_from>ossec@domain</email_from>
  ...snip...
</global>
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>cisco-ios</group>
  <level>9</level>
</email_alerts>
<email_alerts>
  <email_to>account1@domain</email_to>
  <group>cisco-ios</group>
  <level>12</level>
</email_alerts>


On 10/24/2012 8:17 AM, Chris H wrote:

Hi Dan,

I've since realised that the cisco alerts get classified in the 
grouping as "syslog,cisco-ios,authentication_failed,"; I initially 
took this as that it was in multiple groups, not that it was 
hierarchical.  Using the following config means that the alerts are 
being sent to account2, as well as account1:


<global>
  <email_notification>yes</email_notification>
  <email_to>account1@domain</email_to>
  <smtp_server>server</smtp_server>
  <email_from>ossec@domain</email_from>
  ...snip...
</global>
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>syslog,cisco-ios</group>
  <level>9</level>
</email_alerts>

However, I'm getting all alerts above 6 going to account1@, and cisco 
alerts above 9 going to account1@ & account2@;  what I really want is 
only cisco alerts being emailed, and only to account2@ (although I 
would settle for them going to both accounts).  Is there a way to have 
email alerts off by default and only on for selected alert types?


Here is a sample from alerts.log:

2012 Oct 24 12:04:52 LOG-01->172.19.80.143
Rule: 4724 (level 9) -> 'Failed login to the router.'
886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: 
Login failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: 
Login Authentication Failed] at 12:04:51 BST Wed Oct 24 2012


Thanks.

On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote:

On Wed, Oct 24, 2012 at 6:09 AM, Chris H > wrote:
> Hi,
>
> I'm trying to configure email alerts.  I want to use granular
alerting, so
> that specific alerts (i.e. Cisco) go to specific teams.  I only
want
> specific alert groups generating emails, not everything.  I've
enabled the
> global alerts, and tested that it works globally by adding
> <email_alert_level>9</email_alert_level>.  This works fine.
>
> What I'm trying to do now is change it to only send alerts that
match a
> single group and level, and no others.  I have
email_notification, email_to
> and smtp_server set in the global.  I have removed
email_alert_level, and
> added a new email_alert
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>account1@domain</email_to>
> <smtp_server>server</smtp_server>
> <email_from>ossec@domain</email_from>
> </global>
> ...snip...
> <alerts>
> <log_alert_level>3</log_alert_level>
> </alerts>
> ...snip...
> <email_alerts>
> <email_to>account2@domain</email_to>
> <group>cisco-ios</group>

Are you sure you have rules in a cisco-ios group? Can you provide
samples of the alerts you are expecting to go to this email address?

> <level>9</level>
> </email_alerts>
>
> emails are being generated, but they are going to
account1@domain, rather
> than account2@domain.
>
> What am I missing?
>
> Thanks,
>
> C





Re: [ossec-list] web attack returned code 200

2012-10-17 Thread Ryan Schulze


I'd strongly suggest avoiding any active responses on the web attack 
rules until you've tweaked them to fit your applications ;-)


(and even then I'd really be careful since an attacker can use CSRF on a 
random site in the internet to cause a victim to send queries to your 
server that will trigger your active response)


On 10/16/2012 9:32 AM, Leonardo Bacha Abrantes wrote:

hey guys,


I received an alert about success on attack.
looking in my access.log I found the log that started this alert:

1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET
/sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694




**Phase 1: Completed pre-decoding.
full event: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET
/sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'
hostname: 'megatron'
program_name: '(null)'
log: '1.2.3.4 - - [16/Oct/2012:05:03:28 -0300] "GET
/sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694'

**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '1.2.3.4'
url: '/sample-folder/news/global-report..?page=91'
id: '200'

**Phase 3: Completed filtering (rules).
Rule id: '31106'
Level: '6'
Description: 'A web attack returned code 200 (success).'
**Alert to be generated.



The active response blocked the source ip. I  checked Integrity
Checking database and it didn't show any changes on files, so, it was
a false positive.
Had anyone the same issue ?

many thanks!




Re: [ossec-list] Errors with telnet.exe binary under Windows 2008 R2

2012-08-25 Thread Ryan Schulze

forward slash, backslash problem ?

'C:\Windows/System32/telnet.exe' != 'C:\Windows\System32\telnet.exe'

On 8/25/2012 1:17 PM, carlopmart wrote:

Hi all,

 I have 15 servers with Windows 2008 R2 with ossec agent installed on 
them. All works ok with ossec agent with the exception of telnet.exe 
binary. This binary is installed on ALL servers, but ossec.logs shows 
me this error on all agents:


2012/08/25 17:47:03 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/telnet.exe': No such file or directory


 Why?? telnet.exe exists in this path:

C:\Windows\System32>dir telnet.exe
 Volume in drive C is Windows Disk
 Volume Serial Number is 6206-8E1E

 Directory of C:\Windows\System32

14/07/2009  01:3979,872 telnet.exe
   1 File(s) 79,872 bytes
   0 Dir(s)  149,738,332,160 bytes free

C:\Windows\System32>

Thanks.




Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Ryan Schulze
Can you do that again, but this time as "/bin/sh -x register_rule.sh 
build" ?


On 8/22/2012 7:10 PM, Christopher Werby wrote:
root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x 
register_rule.sh




Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-17 Thread Ryan Schulze

On 8/17/2012 1:17 PM, dan (ddp) wrote:

Since you've installed OSSEC somewhere silly, [...]
Totally off-topic, but I always wondered why the default installation is 
in /var and not /opt ?
Maybe it's just me (I started out with SunOS/Solaris and then 
transitioned to Linux later), but I prefer software that didn't come 
from a package manager to reside in /opt or /usr/local/





Re: [ossec-list] Can OSSEC 2.6 support SHA-256 or SHA-512 algorithms?

2012-08-07 Thread Ryan Schulze
Do you remember where you read that? As far as I can see FIPS 140-3 is 
still in draft and sha-1 is still in the list. But considering the draft 
has been around for years it would be good to have a heads up if it 
gets deprecated when the final release comes around.



On 8/7/2012 12:15 PM, Wei Zhang wrote:
We have a requirement to use a FIPS 140-2 hashing algorithm. I read 
somewhere that md5sum or sha1sum will not be on the approved list in 
the future.  Assuming that is true, I would have to remove OSSEC from 
25+ servers. Don't really want to do that.


On Tue, Aug 7, 2012 at 12:43 PM, dan (ddp) > wrote:


On Tue, Aug 7, 2012 at 12:26 PM, Wei Zhang mailto:acur...@gmail.com>> wrote:
> Is there a place for feature request? +1 for SHA-256 or SHA512
>

https://bitbucket.org/dcid/ossec-hids In the issues section

Is there a specific reason you want one of these? Are these required
by something specific?

>
> On Tue, Aug 7, 2012 at 12:13 PM, dan (ddp) mailto:ddp...@gmail.com>> wrote:
>>
>> On Tue, Aug 7, 2012 at 12:10 PM, Diezou mailto:secur...@diezou.net>> wrote:
>> > Hello,
>> > Can OSSEC 2.6 support SHA-256 or SHA-512 algorithms?
>> > If not (that I think after docs reading), I'd like to know if
these
>> > algorithms act as a part of future roadmap?
>> > Thanks
>>
>> No, and not really.
>
>






Re: [ossec-list] Wrong time of notification

2012-07-20 Thread Ryan Schulze

Have you checked the timezone of your OSSEC Server?

On 7/20/2012 7:51 AM, Dmitry wrote:

I have the following notification:
/OSSEC HIDS Notification./
/2012 Jul 16 *06:14:50*

Received From: (srv-fl-bdc) 172.19.41.96->WinEvtLog
Rule: 18110 fired (level 8) -> "User account enabled or created."
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4741): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
SRV-FL-BDC.fast.local: A computer account was created. Subject: 
Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account 
Name: dg Account Domain: FAST Logon ID: 0x6bee32e New Computer 
Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-2167 
Account Name: SRV-FL-TMG$ Account Domain: FAST Attributes: SAM Account 
Name: SRV-FL-TMG$ Display Name: - User Principal Name: - Home 
Directory: - Home Drive: - Script Path: - Profile Path: - User 
Workstations: - Password Last Set: 7/16/2012 *2:09:37 PM*  Account 
Expires: %%1794 Primary Group ID: 515 AllowedToDelegateTo: - Old UAC 
Value: 0x0 New UAC Value: 0x80 User Account Control: %%2087 User 
Parameters: - SID History: - Logon Hours: %%1793 DNS Host Name: 
SRV-FL-TMG.fast.local Service Principal Names: 
HOST/SRV-FL-TMG.fast.local RestrictedKrbHost/SRV-FL-TMG.fastlane.local 
HOST/SRV-FL-TMG RestrictedKrbHost/SRV-FL-TMG Additional Information: 
Privileges -/


You see the time of notification and the time of event are different.
The time of receiving e-mail notification was *14:09*
The time on ossec server is correct.

So I wonder where ossec server got this wrong time?






Re: [ossec-list] Re: Error in message formating on OSSEC Wui

2012-06-25 Thread Ryan Schulze

On 6/25/2012 10:05 AM, dan (ddp) wrote:
I think the WUI is currently so bad that encouraging its use does more 
harm than good. There are good alternatives for viewing logs, why 
would I thank someone for pushing a bad one?


In that case it would be a good idea to have the WUI marked as 
deprecated on http://www.ossec.net/main/downloads and links to the 
alternatives posted.
All frontends I found require the data to be in a database and/or are 
full-blown all-in-one solutions that aren't really suited for just 
searching through the logs. Yes I know, that is primarily a problem of 
how we are running OSSEC here and when I change our OSSEC servers to 
write their alerts to a central database it will go away.


Ryan


Re: [ossec-list] Re: Error in message formating on OSSEC Wui

2012-06-23 Thread Ryan Schulze


Ok, finished playing around with the code and testing it with my logs 
and it should now work with OSSEC 2.6 again. If anyone runs into 
problems with the patch just poke me and I'll see if I can help out.


Below are links to a patchfile and a tar.gz with the changed files. The 
important changes are in lib/os_lib_alerts.php the other files are more 
or less just cosmetic changes making the alerts a bit easier to read, 
and previous fixes already posted on this list.


http://www.dopefish.de/files/ossec/ossec-wui-0.3_ossec_2.6.patch
http://www.dopefish.de/files/ossec/ossec-wui-0.3_ossec_2.6.patch.tgz

List of all changes ( http://www.dopefish.de/archives/1154 )
- Works with the OSSEC 2.6 alert log file format
- Changed Rule ID Link to better work with the new OSSEC documentation wiki
- Added “user” field to alert output
- Widened the layout by a few pixels (to 1000px) and changed the CSS 
/alert layout to make the individual alerts more readable

- Moved some of the hardcoded formatting to CSS

Ryan


On 6/23/2012 9:56 AM, Mike Disley wrote:

Ryan,
You are awesome.  Those of us using this "dead" and "junk" tool will be most 
appreciative.

Cheers,
Mike



-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Ryan Schulze
Sent: Friday, June 22, 2012 8:01 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui

On 6/21/2012 2:47 PM, dan (ddp) wrote:

I prefer a fix or solution. I'm not a developer and not intended to
be...


Hire someone who knows PHP.

WUI is junk. No one seems to be able to get it working properly.



Aww WUI isn't that bad, considering the poor thing has to parse logfiles I find 
it does a pretty good job. Since OSSEC supports writing alerts to a database, 
recoding WUI to (optionally) use the database backend for pulling the alert 
data would be cool (any motivated PHP programmers out there / on the list 
willing to do it?).

As far as I can tell, the main problem with WUI and OSSEC 2.6 seems to be that in 2.6 the lines 
"Src IP:" and "User:" are optional in the alert logs (depending on if they have 
values or not). Should be easy enough to fix, and by the end of the weekend I should have enough 
test data to see if my little hotfix works or breaks.

Will keep the thread updated with my progress :-)








Re: [ossec-list] Re: Error in message formating on OSSEC Wui

2012-06-22 Thread Ryan Schulze

On 6/21/2012 2:47 PM, dan (ddp) wrote:

I prefer a fix or solution. I'm not a developer and not intended to
be...


Hire someone who knows PHP.

WUI is junk. No one seems to be able to get it working properly.


Aww WUI isn't that bad, considering the poor thing has to parse logfiles 
I find it does a pretty good job. Since OSSEC supports writing alerts to 
a database, recoding WUI to (optionally) use the database backend for 
pulling the alert data would be cool (any motivated PHP programmers out 
there / on the list willing to do it?).


As far as I can tell, the main problem with WUI and OSSEC 2.6 seems to 
be that in 2.6 the lines "Src IP:" and "User:" are optional in the alert 
logs (depending on if they have values or not). Should be easy enough to 
fix, and by the end of the weekend I should have enough test data to see 
if my little hotfix works or breaks.


Will keep the thread updated with my progress :-)
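A parser for the 2.6 alerts.log layout described above, as an added example that is not part of the original post or of the WUI patch; it also shows where the "Src IP: 02 10:48:41 install ..." garbage from the earlier OSSEC-WUI SrcIP parsing thread comes from. The dpkg alert is taken from the thread; the web alert and both alert ids are constructed.

```python
import re
from typing import Dict, List

# Constructed alerts.log excerpt in the OSSEC 2.6 layout. The first alert
# carries neither "Src IP:" nor "User:" (the dpkg alert from the thread);
# the second carries both (a constructed web-accesslog alert).
SAMPLE_ALERTS = """\
** Alert 1359830922.3117: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libcap2  1:2.22-1ubuntu3

** Alert 1350000000.4242: mail - web,accesslog,attack,
2012 Oct 16 05:03:28 megatron->/var/log/apache2/access.log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 1.2.3.4
User: test
1.2.3.4 - test [16/Oct/2012:05:03:28 -0300] "GET /sample-folder/news/global-report..?page=91 HTTP/1.1" 200 9694

"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<flags>.*?)- (?P<groups>.*)$")
TIME_LOC_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def split_alerts(text: str) -> List[str]:
    """Split a log into alert blocks; each block starts at a '** Alert' line."""
    return [b for b in re.split(r"(?m)^(?=\*\* Alert )", text) if b.strip()]


def parse_alert(block: str) -> Dict[str, object]:
    """Parse one alert. The first three lines are fixed; 'Src IP:' and
    'User:' are present only when the decoder produced a value, so they
    are recognised by prefix, never by position; the rest is the log."""
    lines = block.strip().splitlines()
    header = HEADER_RE.match(lines[0]) if lines else None
    if not header:
        raise ValueError("not an alert block: %r" % block[:40])
    tloc = TIME_LOC_RE.match(lines[1])
    rule = RULE_RE.match(lines[2])
    if not tloc or not rule:
        raise ValueError("malformed alert %s" % header.group("id"))
    alert: Dict[str, object] = {
        "id": header.group("id"),
        "mail": "mail" in header.group("flags").split(),
        "groups": [g for g in header.group("groups").split(",") if g],
        "timestamp": tloc.group("ts"),
        "location": tloc.group("location"),
        "rule": int(rule.group("rule")),
        "level": int(rule.group("level")),
        "description": rule.group("desc"),
        "srcip": None,
        "user": None,
    }
    idx = 3
    if idx < len(lines) and lines[idx].startswith("Src IP: "):
        alert["srcip"] = lines[idx][len("Src IP: "):]
        idx += 1
    if idx < len(lines) and lines[idx].startswith("User: "):
        alert["user"] = lines[idx][len("User: "):]
        idx += 1
    alert["log"] = "\n".join(lines[idx:])
    return alert


def parse_alerts_log(text: str) -> List[Dict[str, object]]:
    return [parse_alert(b) for b in split_alerts(text)]


def srcip_by_position(block: str) -> str:
    """A reader that assumes the fourth line is always 'Src IP: ...'. On an
    alert without that line it returns a slice of the raw log line, which
    is exactly the 'Src IP: 02 10:48:41 install ...' value the WUI showed."""
    lines = block.strip().splitlines()
    return lines[3][len("Src IP: "):] if len(lines) > 3 else ""


if __name__ == "__main__":
    for a in parse_alerts_log(SAMPLE_ALERTS):
        print(a["rule"], a["location"], "srcip=%s user=%s" % (a["srcip"], a["user"]))
    print("by position:", srcip_by_position(split_alerts(SAMPLE_ALERTS)[0]))
```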






[ossec-list] Re: Active response to email abuse contact of IP block owner?

2012-06-04 Thread Ryan Schulze
Hi Chris,

sorry to dig up this old mail, just wanted to ask if you stumbled across 
anything interesting since I was also thinking about automatic generation 
of abuse mails with OSSEC?

Ryan


On Wednesday, December 21, 2011 10:32:41 AM UTC-6, Chris Warren wrote:
>
> Hi all,
> Has anyone attempted, or done this?
> When triggered, it would look up the whois record for the IP and find the 
> abuse contact, sending them an email with the notification.
> Just wanted to check around before adding it to my to-do list ;)
>
> Being the abuse contact for about 25,000 IPs, I get many emails like this 
> from things like BFD, and find them very useful (usually in identifying 
> hacked machines, but sometimes naughty customers).  The fact that I act on 
> these emails tells me that others out there do as well.
>
> Sorry if this has been discussed before.  I did a bit of searching but 
> didn't come up with anything.
>
> Chris
>
>