RE: [ossec-list] excluded files rule
Please forgive my noob question... globbing? Can version 2.0 support directory wildcards? Could I use .. \FUND\Clients\*\*\WebSvc\*\web.conf ? The file 'web.conf' is the only file they want monitored and I'm trying to figure out if it can be done via the Ossec.conf file locally or whether I need to set up a rule to exclude every other file but that one.

Thanks for your help!

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, May 06, 2010 4:53 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] excluded files rule

Are they simple enough to be able to use globbing for those files?

On Thu, May 6, 2010 at 9:25 AM, Swartz, Patrick H wrote:
> Hi All,
>
> Using Ossec 2.0 server/client model.
> I have been asked if there is a way we can create a rule to exclude files based on the following directory structure on a Windows machine...
>
> {WWWROOT}\FUND\Clients\\ names>\WebSvc\\web.config
>
> Currently our Ossec.conf file is very large because each {WWWROOT} entry is expanded to wherever ISS is set up, and each and , and has to be expanded. For some 500 servers, this equates to a very large number of lines in the config file.
> Or is there a better way to write our config file with those 'variables'?
>
> Any thoughts would be greatly appreciated.
> Thanks,
>
> Patrick Swartz
> UNIX Planning & Engineering (DSUSSE)
> First Data
> 402-777-7337 desk
> 402-871-8981 cell
>
> The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.
[ossec-list] Rules and regular expressions
Hi All,

Question about using the "!" in the local_rules.xml for the tag, like the following...

550, 551, 552
mdas
sgsdas
!sles10-docs thinking is that if any other server triggered with this rule the normal alert would take place, only on this server would the rule fire and the change be ignored
Ignoring changes

We are using Ossec v2.0.

Thank you,

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell
RE: [ossec-list] Rules and regular expressions
I was using the example from the Ossec book "OSSEC HIDS Guide" on page 123 where they used the "!" for the tag to say that if a source IP didn't come from within the subnet then to alert. Was hoping to be able to use the same logic with the tag. Here is the example from the book:

100124
authentication_failure
main_sys
!192.168.2.0/24
Severe SSHD password failure.

Is the book wrong? Or does that expression only work for the tag? I can use the tag if that is the case.

Thanks,

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell

From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Assaf Flatto
Sent: Thursday, May 13, 2010 5:08 AM
To: ossec list
Subject: Re: [ossec-list] Rules and regular expressions

At the moment this logic is not implemented in OSSEC, and I found it out when trying to do the same thing as you are. I created a rule with that logic, only to see that it is not working. I'd love to be told that I am wrong, as this will make the config and rules easier to maintain - but AFAIK, the "!" nullifier option is not within the scope of the OSSEC rules loading logic.

Assaf

--
Assaf Flatto
Linux System Administrator
No.9 | 6 Portal Way | London | W3 6RU | T: +44 (0)20 88 96 8014 | M: +44 (0)75 3568 1067

I am doing a Charity Bike ride on the 27 of June for the Capital to Coast Charity. Please help by donating http://www.justgiving.com/Lovefilm-capital-to-coast

LOVEFiLM UK Limited is a company registered in England and Wales. Registered Number: 06528297. Registered Office: No.9, 6 Portal Way, London W3 6RU, United Kingdom. This e-mail is confidential to the ordinary user of the e-mail address to which it was addressed. If you have received it in error, please delete it from your system and notify the sender immediately.

This email message has been delivered safely and archived online by Mimecast. For more information please visit http://www.mimecast.co.uk
RE: [ossec-list] RE: All UNIX/LINUX agents disconnecting
Hi Daniel,

Could you expand on the effects of disabling the counters? Understanding the consequences would help us decide the best path to follow.

Thank you for all you do!

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Daniel Cid
Sent: Friday, May 14, 2010 11:43 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] RE: All UNIX/LINUX agents disconnecting

Hi Lucio,

There are two issues in this thread. One, the agent disconnects and then reconnects by itself. That's fine and can happen in a high load environment or when a message gets dropped.

The second issue that Mike mentioned happens when the counters get out of sync and the agent never reconnects. For this problem, you have to either clean the "rids" directory on the manager or disable the counters. To disable it, set verify_msg_id to 0 in the internal_options.conf file:

# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, May 13, 2010 at 1:21 PM, Lucio Emanuel Soldo wrote:
> Hi Mike, how are you? Could you post the final solution your team has produced in order to fix its problem?
>
> Thanx alot!
>
> On Tue, May 11, 2010 at 6:56 PM, Pendergrast, Michael L wrote:
>> Yes we have
>>
>> although we have v1.6
>>
>> I don't have the details as my team has worked the problem and is currently deployed.
>>
>> What we did find is that there is a counter in the agent and in the manager and if they get out of sequence the agent will stop (basically they get out of sequence). We also found that at startup of the UNIX agents, if multiple agents all start at the same time, the agents will stop. In this case, for initial startup we had to sequence the startup in about 10 min increments.
>>
>> Mike
>>
>> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Griffith, Robert
>> Sent: Tuesday, May 11, 2010 12:26 PM
>> To: 'ossec-l...@ossec.net'
>> Subject: [ossec-list] All UNIX/LINUX agents disconnecting
>> Importance: High
>>
>> We have been running the new version of Ossec 2.4 in our environment for 3 weeks. Yesterday all of our UNIX/LINUX client agents started disconnecting. None of our Windows Server client agents have disconnected. Has anyone experienced this and/or found a resolution for this issue?
>>
>> Thank you,
>> Robert
RE: [ossec-list] Am I the only one getting 4 copies of everything to this list?
I get double posts, which I am counting as a blessing that I'm not getting 4 copies. :-)

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of William Montgomery
Sent: Tuesday, May 18, 2010 6:28 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

B/K Walker wrote:
> I'm getting 4 (maybe more) copies of every post, each with a different return-path and envelope-from headers (some sort of id used by google groups).
>
> This is the first googlegroup I've signed up for, I'm on dozens of other lists and never have seen this kind of behaviour.
>

Same here.
[ossec-list] Rules & matching
Hi All,

As I continue to understand the proper use of rules, I still have a few questions. Given this list of files/directories that need to be monitored:

/opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p
/opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/adjmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p
/opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/adjmnt_cntpay_p
/opt/JBoss/jboss-4.2.1.GA/server/ach_cntpay_p01/deploy/
/opt/JBoss/jboss-4.2.1.GA/server/ach_cntpay_p01/lib/
/opt/JBoss/jboss-4.2.1.GA/server/ach_cntpay_p01/conf/
/opt/JBoss/jboss-4.2.1.GA/server/adjmnt_cntpay_p01/deploy/
/opt/JBoss/jboss-4.2.1.GA/server/adjmnt_cntpay_p01/lib/
/opt/JBoss/jboss-4.2.1.GA/server/adjmnt_cntpay_p01/conf/
/opt/JBoss/jboss-4.2.1.GA/server/sprt_cntpay_p01/deploy/
/opt/JBoss/jboss-4.2.1.GA/server/sprt_cntpay_p01/lib/
/opt/JBoss/jboss-4.2.1.GA/server/sprt_cntpay_p01/conf/

Will this rule/match work?

syscheck
550, 551, 552
cntpay
Ignoring file changes

100502
nopirap1|nopirap2|nocirap1|nocirap2|nopintr1|ncbirap1
Changes to Application

Or do I need to specify more of the path, something like $sprt_cntpay_p01/conf/ ?

Thanks,

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell
[ossec-list] match tag in rules
Hi All,

Can someone please point me in the right direction with the proper use of the tag. Is there any difference in using:

blah | blah1 | blah2

Versus:

blah
blah1
blah2

Is one way an "AND" and the other an "OR", or am I completely off track?

Thanks,

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell
RE: [ossec-list] Changed file alerts and emails
Is there not a way to verify from the Ossec collector server? The bureaucratic layers to the email server logs are deep and wide such that no man can cross...

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-201-1192 Company cell
402-871-8981 Personal cell

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Monday, August 08, 2011 1:29 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Changed file alerts and emails

Check your email server's logs?

On Fri, Aug 5, 2011 at 8:32 AM, Patrick Swartz wrote:
> We recently had several files get changed and using syscheck_control we can see that Ossec did alert on the change. However, we can't verify that the email was sent. Our is set at 7 and our is set at 5. But in this example this would have been at least a 7, yes?
> How do I go back to verify if an email notification was sent or not?
>
> /syscheck_control -i 647 -f /bin/setfont
> Integrity changes for agent 'srvlx001(647) - 10.16.10.244':
> Detailed information for entries matching: '/bin/setfont'
>
> 62949500 Dec 26 ,0 - /bin/setfont
> File added to the database.
> Integrity checking values:
> Size: 118456
> Perm: rwxr-xr-x
> Uid: 0
> Gid: 0
> Md5: 1b93a9014f95b1a4ffd6a7c01e77efc1
> Sha1: f36ddf4c07a4379ea6a7d3783bf5b351faef030e
>
> 112418531 Jul 01 á*],0 - /bin/setfont
> File changed. - 1st time modified.
> Integrity checking values:
> Size: 11448
> Perm: rwxr-xr-x
> Uid: 0
> Gid: 0
> Md5: c5cd9f082926e07453ee01fb16122f10
> Sha1: 1cc841366200b35f756db0f61fce03fabd16e97b
RE: [ossec-list] Maximum Number of Agents Allowed
That is the default maximum; however, it is modifiable by going into the /src directory (of the install package) and running "make setmaxagents". This will prompt you asking for a new maximum value. You will then need to recompile to take advantage of the new value. We currently use 4096 (with close to 2000 active agents) with no issues.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of PJG
Sent: Thursday, August 18, 2011 4:49 AM
To: ossec-list
Subject: [ossec-list] Maximum Number of Agents Allowed

Dear All,

We are planning on ramping up our OSSEC deployment. There's a warning which is seen in the log files which states:

INFO: Maximum number of agents allowed: '256'.

Does anyone know if this is an actual limit, or simply recommended? Also if it is breached, does this have any impact on the service? If so, is there any way to increase this amount?

Thanks
Pip
[ossec-list] Rule help please
Hi All,

I apologize for troubling the list with what I thought was a simple rule, but for the life of me I can't figure out why my rule isn't firing.

I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a Windows client.

Here is part of my ossec.conf

E:\BlueScreendev_root
E:\InetPub\wwwroot\EFTPSRefDev
E:\InetPub\wwwroot\BlueScreen_root
E:\InetPub\wwwroot\ISTS_root
E:\OLRSDev_Root\MyRT
E:\OURSDev_Root
E:\PRSDev_root
E:\VLRSdev_Root

And here is the rule that I'm trying to get to work...

syscheck
550, 551, 552, 553, 554
EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root
Testing rule 100724

100724
Changes to Web Files

Using ./syscheck_control -i ### does show that the changes are being noticed, but I am not getting any alerts.

I have another testing rule as suggested from here -- http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/ -- and that works.

Any help would be greatly appreciated as I only dive into OSSEC about every two years and it takes me a while to relearn all that I did previously.

Thanks to all in the group,

Patrick Swartz
RE: [ossec-list] Rule help please
I have set up a rule where one only has the and the other only has the and still neither fire. I have removed all rules except rules_config.xml, ossec_rules.xml, and local_rules.xml to remove all non-syscheck alerts, and guess what ... syscheck isn't alerting on anything! Period. No changes from the standard /etc, /bin, /sbin (for example) are alerting.

Where do I go to figure this issue out? Is there a way to test syscheck other than just making changes to a file and waiting?

Please help.

Thanks,

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Daniel Cid
Sent: Saturday, August 27, 2011 6:50 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule help please

Hi Patrick,

Try using only or only , not both. I think that's what is causing the issue.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Aug 26, 2011 at 11:35 AM, Swartz, Patrick H wrote:
RE: [ossec-list] Rule help please
Update. I removed my local_rules.xml and now am getting syscheck alerts. So, now I need to figure out what changed from 2.0 to 2.6 in how local_rules are processed. I see a long day ahead rewriting my local_rules once I figure out how they work again.

Patrick Swartz

-Original Message-
From: Swartz, Patrick H
Sent: Sunday, August 28, 2011 8:19 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Rule help please
RE: [ossec-list] Rule help please
Can ossec-logtest be used for syscheck rule testing? If so, how? For example, if I use "../bin/syscheck_control -i 031" and get a listing of changes like this:

2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1c.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1a.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1d.txt
2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt

Can I use ossec-logtest on one of those entries?

ossec-testrule: Type one log per line.

2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt

**Phase 1: Completed pre-decoding.
       full event: '2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt'
       hostname: 'sles10ossec'
       program_name: '(null)'
       log: '2011 Aug 29 09:13:00,4 - /inetpub/wwwroot/VLRS/file1b.txt'

**Phase 2: Completed decoding.
       No decoder matched.

This would lead me to believe that ossec-logtest cannot be used, but I don't know.

Thank you for any input,

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Swartz, Patrick H
Sent: Sunday, August 28, 2011 8:47 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Rule help please
RE: [ossec-list] Rule help please
I apologize for the jumbled mess. The reason for the two rules was because there was supposed to be a in the second rule of the machines we needed alerted on and the first rule eliminate all the rest. The idea was that we don't need to be alerted on the test machines but do so on the production but both have the same directory structure. I did find the reason my rules weren't firing ... I had a few and that had an extra "|" at the end. Once I remove those things started working again. Thanks all, Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Monday, September 05, 2011 1:32 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Rule help please What is your real goal? This thread is a jumbled mess. On Fri, Aug 26, 2011 at 10:35 AM, Swartz, Patrick H wrote: > Hi All, > I apologize for troubling the list with what I thought was a simple > rule, but for the life of me I can't figure out why my rule isn't > firing. > Which rule? You include 2. 100724 is a level 0 so nothing will be logged, and I think 100725 is just looking for a level 0 alert so it won't fire. 100725 also looks like it's ONLY looking for 100724, and in that case bump the level of 100724 to 7 and 100725 becomes redundant. Try it with 100724 as a level 1. > I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a > Window client. > Here is part of my ossec.conf > check_all="yes">E:\BlueScreendev_root > check_all="yes">E:\InetPub\wwwroot\EFTPSRefDev > check_all="yes">E:\InetPub\wwwroot\BlueScreen_root > check_all="yes">E:\InetPub\wwwroot\ISTS_root > check_all="yes">E:\OLRSDev_Root\MyRT > check_all="yes">E:\OURSDev_Root > check_all="yes">E:\PRSDev_root > check_all="yes">E:\VLRSdev_Root > > And here is the rule that I'm trying to get to work... 
> syscheck
> 550, 551, 552, 553, 554
> EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|MyRT|OURSDev_Root|PRSDev_root|VLRSdev_Root
> Testing rule 100724
>
>
> 100724
> Changes to Web Files
>
> Using ./syscheck_control -i ### does show that the changes are being
> noticed, but I am not getting any alerts.
>
> I have another testing rule as suggested from here --
> http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/
> -- and that works.
>
> Any help would be greatly appreciated as I only dive into OSSEC about
> every two years and it takes me a while to relearn all that I did
> previously.
>
> Thanks to all in the group,
>
> Patrick Swartz
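The rule pair Patrick describes, written out as an added example for this thread. It is not the rules from the thread (those lost their XML tags in the archive) and not from the OSSEC project: a level 0 parent that groups syscheck changes under the web roots, and a child that alerts only on the production hosts. The rule IDs, levels and the match list follow the thread (with the duplicated MyRT entry removed); the `<hostname>` pattern, the group name and the descriptions are assumptions. The match list deliberately ends without the trailing `|` that Patrick found was stopping his rules from firing.

```xml
<!-- local_rules.xml: added example for the thread above. The hostname
     pattern, group name and descriptions are assumptions. -->
<group name="local,syscheck,">

  <!-- Parent rule. Level 0 means it is never alerted on or logged by itself,
       but it can still be the parent of an if_sid chain (the stock rules do
       the same with the level 0 sshd grouping rule 5700). It narrows the
       generic syscheck rules 550 to 554 to changes under the monitored web
       roots. No trailing "|": an empty alternative at the end of the list was
       what kept Patrick's rules from firing. -->
  <rule id="100724" level="0">
    <if_sid>550,551,552,553,554</if_sid>
    <match>EFTPSREF|ISTSREF|MYRT|OURS|PRS|VLRS|BlueScreendev_root|EFTPSRefDev|BlueScreen_root|ISTS_root|olrs_root|OURS_root|prs_root|VLRSRef|OURSDev_Root|PRSDev_root|VLRSdev_Root</match>
    <description>Syscheck change under a monitored web root (test or prod)</description>
  </rule>

  <!-- Child rule: only production hosts alert. "prdweb" is an assumed
       hostname prefix; OSSEC matches <hostname> as a pattern against the
       agent's name, so test hosts that share the same directory layout
       fall through to the silent parent and produce nothing. -->
  <rule id="100725" level="7">
    <if_sid>100724</if_sid>
    <hostname>prdweb</hostname>
    <description>Changes to Web Files on a production host</description>
  </rule>

</group>
```

Both rules can be exercised without touching a server by feeding a syscheck "Integrity checksum changed" line to ossec-logtest, which prints the rule chain it walks; the child will only appear when the test hostname matches the pattern.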
RE: [ossec-list] OSSEC syscheckd and Change Control Systems
Absolutely! I'm not a coder, but can help test.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Nick Green
Sent: Monday, September 12, 2011 5:57 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] OSSEC syscheckd and Change Control Systems

Is this something people would be interested in if we put some dev time into it? We would create some kind of change daemons for both Linux puppet style change control systems and Windows SCCM change control system. (exact details to be fleshed out if the interest is there)

Regards
/nick

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, September 07, 2011 6:46 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] OSSEC syscheckd and Change Control Systems

There's currently no way to do this.

On Wed, Sep 7, 2011 at 12:26 PM, Nick Green wrote:
> Hi List,
>
> Just joined and have a scenario I need to crack ...
>
> 1. Ossec monitors file system file integrity.
> 2. Change control system updates files e.g. /etc/passwd
> 3. Change control system notifies ossec of new files to update md5/sha1
> checksums BUT not alert because it is an authorized change.
>
> (that's the gist ... it's a lot more complicated on the auth side but
> for this illustration it's enough)
>
> Does anyone run a similar installation as the above? Does ossec have a
> command line call to update a file but not alert?
>
>
> Many thanks
>
> /Nick
RE: [ossec-list] Client ossec.conf log_alert_levels
Dan,
Since the wui is a dead project, and you suggest "using a modern and maintained Project", can you give suggestions as to what some of those are? I have looked at the Ossec-Splunk project, but it seems almost as dead; the maintainer doesn't answer any questions and there isn't a newsgroup like this one to get help from other users. Base+Ossec also seems to be a dead project as it requires mysql hooks that no longer work with 2.6 and it isn't maintained any longer either. So, what else is there? The wui is where I want managers to get stats and reports and keep them off the command line.

Thanks,
Patrick

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, September 28, 2011 7:23 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Client ossec.conf log_alert_levels

On Wed, Sep 28, 2011 at 6:27 AM, Andrew Shepherd wrote:
> Hi Dan, thanks for the reply.
>
> Do you know of any material that will help with the following please as I am
> drawing blanks (or a lack of coffee is breaking my ability to google)...
>
> The changes which have to be made to the WebUI to allow it to read entries
> in syslog format instead of /logs/alerts/alerts.log (as defined in WebUI
> lib/os_lib_alerts.php).
>

I have no idea. I don't use the wui. It's a dead project and doesn't function properly with ossec 2.6. I'd use a modern and maintained project.

> I'm struggling to understand who is responsible for encryption in the syslog
> multi server setup, is it an ossec flag/feature... do you have to use
> stunnel is rsyslog still called and that service is responsible etc
>

OSSEC's client syslog does not do encryption. I recommend pointing it at a local rsyslog or syslog-ng instance. syslog-ng or rsyslog can then do reliable and encrypted delivery to another rsyslog/syslog-ng installation on the other end. OSSEC can then read the logfiles produced by that syslog.

> Thanks, Andy
>
>
> Date: Wed, 28 Sep 2011 05:38:54 -0400
> Subject: Re: [ossec-list] Client ossec.conf log_alert_levels
> From: ddp...@gmail.com
> To: ossec-list@googlegroups.com
>
> Agents don't send alerts to servers, they send logs. If you want to limit
> the data going from the site, you should setup a local manager and forward
> alerts to your central ossec manager.
>
> On Sep 28, 2011 5:36 AM, "Andrew Shepherd" wrote:
>>
>> I've bought/read the Syngress book, read ossec.net and dcid.me, and had a
>> good look through this group but so far no luck.
>>
>> The problem I'm facing is the in ossec.conf for clients doesn't seem to
>> have an effect. I've read somewhere that can be used on the server AND
>> the client to limit alerts that are sent to the server.
>>
>> However even when I set this to 9 (for example) on the client...
>>
>> 9
>> 12
>>
>> ...there is still an almost constant UDP stream from client to server, and
>> the log on the ossec server keeps receiving/logging level 6 alerts etc.
>>
>> Project details:
>> -Server is on a site with limited bandwidth and will not support constant
>> reporting of ALL alerts by EVERY client
>> -All traffic MUST be encrypted
>> -I'm avoiding syslog as I'm not a fan of the format syslog will store in
>> (not sure how to parse that back to a WebUI) and I can't see many tuts
>> on the best way for encryption
>> -client version ossec-hids-2.5.1-1
>>
>> I've read http://dcid.me/2008/08/multi-server-architecture/
>> But can't see any follow up of the 'same communication channel' but I may
>> be missing something.
>>
>> Any help greatly appreciated.
>> Andy
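Dan's layout, written out as an added example (not configuration from the thread or from the OSSEC project): ossec.conf on a local manager at the bandwidth-limited site, and the matching localfile stanza on the central manager. The alert levels 9 and 12 are Andy's values; 127.0.0.1:514 for the local rsyslog/syslog-ng instance and /var/log/remote/ossec-alerts.log on the central side are assumptions. The TLS hop between the two syslog daemons is configured in rsyslog or syslog-ng, not in OSSEC.

```xml
<!-- ossec.conf on the LOCAL manager at the remote site (added example).
     Agents send raw logs, not alerts, so a log_alert_level in an agent's
     ossec.conf has no effect on the agent-to-server stream; the filtering
     has to happen here, on the manager that receives those logs. -->
<ossec_config>

  <alerts>
    <log_alert_level>9</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Forward alerts at level 9 and above to a syslog daemon on the same box.
       ossec-csyslogd speaks plain UDP syslog with no encryption, so it should
       only ever be pointed at localhost; rsyslog or syslog-ng then does the
       authenticated, TLS-protected and reliable delivery to the central site.
       The forwarder is off by default and is switched on once with:
       /var/ossec/bin/ossec-control enable client-syslog -->
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <level>9</level>
    <format>default</format>
  </syslog_output>

</ossec_config>

<!-- ossec.conf on the CENTRAL manager: read the file that its own
     rsyslog/syslog-ng writes from the TLS stream. The path is an assumption. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/remote/ossec-alerts.log</location>
  </localfile>
</ossec_config>
```

The level in `<syslog_output>` is what actually bounds the bandwidth: only alerts at or above it leave the site, and everything below stays in the local manager's alerts.log for the people on that site.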
[ossec-list] Agentless communication question
Is the communication between the OSSEC manager and an agentless agent encrypted? Or is it dependent on the RPC method used?

Thanks,

Patrick Swartz
[ossec-list] Agentless log monitoring
The online manual states that log monitoring for Agentless is slated for sometime in the future. Does anyone know when that might come to fruition?

Thanks,

Patrick Swartz
RE: [ossec-list] Agentless log monitoring
Hi Dan,
Thanks for the quick reply, but I'm a bit confused (no surprise there...).
The on-line doc states that agentless doesn't support log monitoring ... "Agentless monitoring allows you to run integrity checking (and in the future log monitoring) ..." By that statement only FIM is available. I'm really hoping that the manual is just out of date, and syslog monitoring is available.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Monday, October 10, 2011 1:16 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Agentless log monitoring

There's nothing special planned that I'm aware of. Remote syslog covers most devices.

On Mon, Oct 10, 2011 at 10:15 AM, Swartz, Patrick H wrote:
>
> The online manual states that log monitoring for Agentless is slated
> for sometime in the future. Does anyone know when that might come to
> fruition?
>
> Thanks,
>
> Patrick Swartz
[ossec-list] ossec-authd keys
I'm trying to setup ossec-authd using Daniel's instructions at http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/

But, I get this error when trying to run:

/bin/ossec-authd -d
ERROR: Not compiled. Missing OpenSSL support.

Could this be because we are installed in /opt/ossec instead of /var/ossec? Is ossec-authd hard coded to only look for the keys in /var/ossec/etc/?

Thanks for any help or suggestions,

Patrick Swartz
RE: [ossec-list] Re: latest spec file - 2.6?
I would be glad to help with any testing for this. I have multiple flavors (SLES[9-11] & RHEL[3-6] - 32bit/64bit) and a wide variety of hardware to test with. I can't be much help with the actual spec file, but am willing to help with the testing.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of treydock
Sent: Thursday, October 13, 2011 8:14 AM
To: ossec-list
Subject: [ossec-list] Re: latest spec file - 2.6?

On Oct 12, 2:01 pm, "dan (ddp)" wrote:
> On Wed, Oct 12, 2011 at 2:55 PM, Jason 'XenoPhage' Frisvold wrote:
> > On Oct 12, 2011, at 1:59 PM, dan (ddp) wrote:
> >> I'm the wrong Dan, but PLEASE do this. :)
> >
> > Yup, meant the magical Mr. Cid. :)
> >
> >> I've tweaked the one in your srpm a bit, mostly to remove the patches.
> >> It seems to compile, but I haven't done any more testing than that.
> >
> > Sure, I'd be happy to put something together.. Perhaps Trey and I should
> > put our heads together.. Anyone else interested?
>
> I'm not a wiz with rpm, but keep me in the loop. :)
>
> > ---
> > Jason 'XenoPhage' Frisvold
> > xenoph...@godshell.com
> > ---
> > "Any sufficiently advanced magic is indistinguishable from technology."
> > - Niven's Inverse of Clarke's Third Law

I'd be fine getting together and building an official or un-official RPM set for OSSEC. I'm contemplating making all my RPMs available via a yum repo. Right now I run one internally at work, and would either publish its URL or replicate it to my personal web space.

The only changes I made were removing some of the patched code that isn't present when installing from source, and adding the option to clear out ossec.conf and add agent.conf that can be managed by the server. I also touch the var/active-response.log file on clients as I like to monitor that for changes. The rest of the changes were to file permissions.

I've tested mine pretty thoroughly; I had the CentOS 5 and 6 x86_64 recently pushed by Puppet to 4 systems. Once it was installed all I had to do was add the key from the server, start the daemon and it worked. The rest of my servers were upgraded to 2.6 via RPMs.

- Trey
[ossec-list] 2.6 compile error on RHEL3u9
Hi All,
I need to compile 2.6 on a RHEL3u9 server but it fails at the os_auth phase. The following Openssl packages are installed -- openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and openssl-devel-0.9.7a-33.23
We need the compile to be built with openssl.

Here are the messages during the build:

*** Making os_auth ***

make[1]: Entering directory `/root/ossec-hids-2.6/src/os_auth'
gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/opt/ossec/\" -DCLIENT -DUSE_OPENSSL -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\" -DOSSECHIDS main-server.c ssl.c ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd
In file included from /usr/include/openssl/ssl.h:179,
                 from auth.h:24,
                 from main-server.c:14:
/usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory
In file included from /usr/include/openssl/ssl.h:179,
                 from auth.h:24,
                 from main-server.c:14:
/usr/include/openssl/kssl.h:134: syntax error before "krb5_enctype"
/usr/include/openssl/kssl.h:136: syntax error before '*' token
/usr/include/openssl/kssl.h:137: syntax error before '}' token
/usr/include/openssl/kssl.h:149: syntax error before "kssl_ctx_setstring"
/usr/include/openssl/kssl.h:149: syntax error before '*' token
/usr/include/openssl/kssl.h:150: syntax error before '*' token
/usr/include/openssl/kssl.h:151: syntax error before '*' token
/usr/include/openssl/kssl.h:151: syntax error before '*' token
/usr/include/openssl/kssl.h:152: syntax error before '*' token
/usr/include/openssl/kssl.h:153: syntax error before "kssl_ctx_setprinc"
/usr/include/openssl/kssl.h:153: syntax error before '*' token
/usr/include/openssl/kssl.h:155: syntax error before "kssl_cget_tkt"
/usr/include/openssl/kssl.h:155: syntax error before '*' token
/usr/include/openssl/kssl.h:157: syntax error before "kssl_sget_tkt"
/usr/include/openssl/kssl.h:157: syntax error before '*' token
/usr/include/openssl/kssl.h:159: syntax error before "kssl_ctx_setkey"
/usr/include/openssl/kssl.h:159: syntax error before '*' token
/usr/include/openssl/kssl.h:161: syntax error before "context"
/usr/include/openssl/kssl.h:162: syntax error before "kssl_build_principal_2"
/usr/include/openssl/kssl.h:162: syntax error before "context"
/usr/include/openssl/kssl.h:165: syntax error before "kssl_validate_times"
/usr/include/openssl/kssl.h:165: syntax error before "atime"
/usr/include/openssl/kssl.h:167: syntax error before "kssl_check_authent"
/usr/include/openssl/kssl.h:167: syntax error before '*' token
/usr/include/openssl/kssl.h:169: syntax error before "enctype"
In file included from auth.h:24,
                 from main-server.c:14:
/usr/include/openssl/ssl.h:909: syntax error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: syntax error before '}' token
In file included from /usr/include/openssl/ssl.h:179,
                 from auth.h:24,
                 from ssl.c:16:
/usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory
In file included from /usr/include/openssl/ssl.h:179,
                 from auth.h:24,
                 from ssl.c:16:
/usr/include/openssl/kssl.h:134: syntax error before "krb5_enctype"
/usr/include/openssl/kssl.h:136: syntax error before '*' token
/usr/include/openssl/kssl.h:137: syntax error before '}' token
/usr/include/openssl/kssl.h:149: syntax error before "kssl_ctx_setstring"
/usr/include/openssl/kssl.h:149: syntax error before '*' token
/usr/include/openssl/kssl.h:150: syntax error before '*' token
/usr/include/openssl/kssl.h:151: syntax error before '*' token
/usr/include/openssl/kssl.h:151: syntax error before '*' token
/usr/include/openssl/kssl.h:152: syntax error before '*' token
/usr/include/openssl/kssl.h:153: syntax error before "kssl_ctx_setprinc"
/usr/include/openssl/kssl.h:153: syntax error before '*' token
/usr/include/openssl/kssl.h:155: syntax error before "kssl_cget_tkt"
/usr/include/openssl/kssl.h:155: syntax error before '*' token
/usr/include/openssl/kssl.h:157: syntax error before "kssl_sget_tkt"
/usr/include/openssl/kssl.h:157: syntax error before '*' token
/usr/include/openssl/kssl.h:159: syntax error before "kssl_ctx_setkey"
/usr/include/openssl/kssl.h:159: syntax error before '*' token
/usr/include/openssl/kssl.h:161: syntax error before "context"
/usr/include/openssl/kssl.h:162: syntax error before "kssl_build_principal_2"
/usr/include/openssl/kssl.h:162: syntax error before "context"
/usr/include/openssl/kssl.h:165: syntax error before "kssl_validate_times"
/usr/include/openssl/kssl.h:165: syntax error before "atime"
/usr/include/openssl/kssl.h:167: syntax error before "kssl_check_authent"
/us
RE: [ossec-list] 2.6 compile error on RHEL3u9
Hi Dan,
Thanks for the quick reply..
Here is what is installed on the build server:

rpm -qa|grep krb5
krb5-workstation-1.2.7-64
krb5-devel-1.2.7-64
krb5-libs-1.2.7-64
pam_krb5-1.79-1

But, I don't see any krb5 headers like yours under /usr/include.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, January 11, 2012 3:17 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9

On Wed, Jan 11, 2012 at 3:34 PM, Swartz, Patrick H wrote:
>
> Hi All,
> I need to compile 2.6 on a RHEL3u9 server but it fails at the
> os_auth phase. The following Openssl packages are installed --
> openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and
> openssl-devel-0.9.7a-33.23
> We need the compile to be built with openssl.
>
> Here are the messages during the build:
>
> *** Making os_auth ***
>
> make[1]: Entering directory `/root/ossec-hids-2.6/src/os_auth'
> gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/opt/ossec/\"
> -DCLIENT -DUSE_OPENSSL -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\"
> -DOSSECHIDS main-server.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o ossec-authd
> In file included from /usr/include/openssl/ssl.h:179,
>                  from auth.h:24,
>                  from main-server.c:14:
> /usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory

My guess would be that the openssl devel package needs a kerberos package it didn't install.

Maybe:
[ddp@corrin include]$ rpm -qf /usr/include/krb5.h
krb5-devel-1.6.1-62.el5
RE: [ossec-list] 2.6 compile error on RHEL3u9
Update.. that Kerberos header is under -- /usr/kerberos/include/krb5.h ... Is this just a matter of telling the ossec compile where to look? If so, how do I do that?

Thanks!

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Swartz, Patrick H
Sent: Wednesday, January 11, 2012 3:34 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] 2.6 compile error on RHEL3u9

Hi Dan,
Thanks for the quick reply..
Here is what is installed on the build server:

rpm -qa|grep krb5
krb5-workstation-1.2.7-64
krb5-devel-1.2.7-64
krb5-libs-1.2.7-64
pam_krb5-1.79-1

But, I don't see any krb5 headers like yours under /usr/include.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, January 11, 2012 3:17 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9

On Wed, Jan 11, 2012 at 3:34 PM, Swartz, Patrick H wrote:
>
> Hi All,
> I need to compile 2.6 on a RHEL3u9 server but it fails at the
> os_auth phase. The following Openssl packages are installed --
> openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and
> openssl-devel-0.9.7a-33.23
> We need the compile to be built with openssl.
>
> Here are the messages during the build:
>
> *** Making os_auth ***
>
> make[1]: Entering directory `/root/ossec-hids-2.6/src/os_auth'
> gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/opt/ossec/\"
> -DCLIENT -DUSE_OPENSSL -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\"
> -DOSSECHIDS main-server.c ssl.c ../addagent/validate.c
> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a
> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c
> ../external/libz.a -lssl -lcrypto -o ossec-authd
> In file included from /usr/include/openssl/ssl.h:179,
>                  from auth.h:24,
>                  from main-server.c:14:
> /usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory

My guess would be that the openssl devel package needs a kerberos package it didn't install.

Maybe:
[ddp@corrin include]$ rpm -qf /usr/include/krb5.h
krb5-devel-1.6.1-62.el5
RE: [ossec-list] 2.6 compile error on RHEL3u9
Please forgive this noobie question.. how does one apply said diff? Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Wednesday, January 11, 2012 3:59 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9 Actually, you can try this diff (no promises ;)): --- Config.Make.origWed Jan 11 16:58:30 2012 +++ Config.Make Wed Jan 11 16:58:39 2012 @@ -8,7 +8,7 @@ include ${PT}Config.OS -CFLAGS = -g -Wall -I${PT} -I${PT}headers ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA} ${FEXTRA} ${GEXTRA} ${HEXTRA} -DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS +CFLAGS = -g -Wall -I${PT} -I${PT}headers -I/usr/kerberos/include ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA} ${FEXTRA} ${GEXTRA} ${HEXTRA} -DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS SOURCES = *.c OBJECTS = *.o On Wed, Jan 11, 2012 at 4:38 PM, Swartz, Patrick H wrote: > Update.. that Kerberos header is under -- /usr/kerberos/include/krb5.h ... > Is this just a matter of telling the ossec compile where to look? If so, how > do I do that? > > Thanks! > > Patrick Swartz > > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On > Behalf Of Swartz, Patrick H > Sent: Wednesday, January 11, 2012 3:34 PM > To: ossec-list@googlegroups.com > Subject: RE: [ossec-list] 2.6 compile error on RHEL3u9 > > Hi Dan, > Thanks for the quick reply.. > Here is what is installed on the build server: > > rpm -qa|grep krb5 > krb5-workstation-1.2.7-64 > krb5-devel-1.2.7-64 > krb5-libs-1.2.7-64 > pam_krb5-1.79-1 > > But, I don't see any krb5 headers like yours under /usr/include. > > Patrick Swartz > > > > -Original Message- 
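Review bot: the hunk bakes the RHEL3-specific `-I/usr/kerberos/include` into the CFLAGS line that every target in the tree shares, so every build on every platform picks up the extra include path, not just the one box with the relocated Kerberos headers. The same line already expands `${CPATH}` and `${CEXTRA}`, so the path can be supplied through one of those for this build (or from a per-OS setting in the Config.OS that the line above includes) and Config.Make can stay unchanged for everyone else; if it does stay in Config.Make, it wants a comment naming the distribution that needs it and why, otherwise the next person to touch the line will have no idea whether it is safe to drop.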
RE: [ossec-list] 2.6 compile error on RHEL3u9
Hi Dan,
Adding the "-I..." did the trick!! Couldn't get the patch to work, but not an issue since adding the line worked. Just wanted to post results for future readers...

Thanks again!

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, January 11, 2012 4:23 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9

Copy it to a text file on the linux system. Change into the src directory (/home/patrick/ossec-hids-2.6/src or whatever) and run:

patch < /path/to/text/file

That should work. If not, just add "-I/usr/kerberos/include " to the CFLAGS line and give it a shot.

On Wed, Jan 11, 2012 at 5:17 PM, Swartz, Patrick H wrote:
> Please forgive this noobie question.. how does one apply said diff?
>
> Patrick Swartz
RE: [ossec-list] 2.6 compile error on RHEL3u9
Yeah, I know... ya preaching to the choir I'm afraid. Same goes for our SLES9, AIX5, and Solaris 8 servers... and a bunch of others that I'm too ashamed to mention... :-) Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Jason 'XenoPhage' Frisvold Sent: Wednesday, January 11, 2012 6:53 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9 On Jan 11, 2012, at 3:34 PM, Swartz, Patrick H wrote: > Hi All, > I'm need to compile 2.6 on a RHEL3u9 server but it fails at the > os_auth phase. The following Openssl packages are installed -- > openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and > openssl-devel-0.9.7a-33.23 > We need the compile to be built with openssl. RHEL 3.9? That's a bit old at this point, no? Redhat end-of-lifed that in October of 2010, which means you're not getting security updates anymore.. I'd recommend getting onto something newer .. --- Jason 'XenoPhage' Frisvold xenoph...@godshell.com --- "Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law - The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.
[ossec-list] Solaris compile with SSL support help
Hi All,

We are trying to compile Ossec 2.6 on Solaris (starting with Solaris 10) with SSL support.

Here is what we have --

System: SunOS 5.10

It appears that the headers are at -- /usr/sfw/include/openssl

aes.h conf.h err.h obj_mac.h rc2.h stack.h
asn1_mac.h crypto.h evp.h objects.h rc4.h symhacks.h
asn1.h des_old.h hmac.h ocsp.h rc5.h tls1.h
asn1t.h des.h idea.h opensslconf.h ripemd.h tmdiff.h
bio.h dh.h krb5_asn.h opensslv.h rsa.h txt_db.h
blowfish.h dsa.h kssl.h ossl_typ.h safestack.h ui_compat.h
bn.h dso.h lhash.h pem.h sha.h ui.h
buffer.h e_os2.h md2.h pem2.h ssl.h x509_vfy.h
cast.h ebcdic.h md4.h pkcs12.h ssl2.h x509.h
comp.h ec.h md5.h pkcs7.h ssl23.h x509v3.h
conf_api.h engine.h mdc2.h rand.h ssl3.h

Additional info if it helps --

root# ls /usr/sfw/lib/*ssl*
/usr/sfw/lib/libssl_extra.so.0.9.7 /usr/sfw/lib/llib-lssl
/usr/sfw/lib/libssl.so /usr/sfw/lib/llib-lssl.ln
/usr/sfw/lib/libssl.so.0.9.7

system SUNWopenssl-commands OpenSSL Commands (Usr)
system SUNWopenssl-include OpenSSL Header Files
system SUNWopenssl-libraries OpenSSL Libraries (Usr)
system SUNWopenssl-man OpenSSL Manual Pages
system SUNWopensslr OpenSSL (Root)

root# openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 CVE-2009-3555 CVE-2010-4180)

Are there other packages I need to install or modify the make file somehow?

Thanks for your help!!

Patrick Swartz
RE: [ossec-list] Solaris compile with SSL support help
Hi Dan, Well.. that helped it compile .. however, even though I didn't see any errors when I run the agent-auth command I get the error -- /opt/ossecPS/bin/agent-auth -h ERROR: Not compiled. Missing OpenSSL support. Here is a snip of the compiling .. *** Making os_auth *** gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl -DDEFAULTDIR=\"/opt/ossecPS\" -DCLIENT -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -o ossec-authd Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Monday, January 16, 2012 6:07 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Solaris compile with SSL support help I'm guessing it didn't work? Try adding -I/usr/sfw/include/openssl to the CFLAGS line of src/Config.Make (add it before ${CPATH} ) On Mon, Jan 16, 2012 at 4:19 PM, Swartz, Patrick H wrote: > > Hi All, > We are trying to compile Ossec 2.6 on Solaris (starting with Solaris > 10) with SSL support. 
> > Here is what we have -- System: SunOS 5.10 > > It appears that the headers are at -- /usr/sfw/include/openssl > aes.h conf.h err.h obj_mac.h rc2.h > stack.h > asn1_mac.h crypto.h evp.h objects.h rc4.h > symhacks.h > asn1.h des_old.h hmac.h ocsp.h rc5.h > tls1.h > asn1t.h des.h idea.h opensslconf.h ripemd.h > tmdiff.h > bio.h dh.h krb5_asn.h opensslv.h rsa.h > txt_db.h > blowfish.h dsa.h kssl.h ossl_typ.h safestack.h > ui_compat.h > bn.h dso.h lhash.h pem.h sha.h > ui.h > buffer.h e_os2.h md2.h pem2.h ssl.h > x509_vfy.h > cast.h ebcdic.h md4.h pkcs12.h ssl2.h > x509.h > comp.h ec.h md5.h pkcs7.h ssl23.h > x509v3.h > conf_api.h engine.h mdc2.h rand.h ssl3.h > > Additional info if it helps -- > root# ls /usr/sfw/lib/*ssl* > /usr/sfw/lib/libssl_extra.so.0.9.7 /usr/sfw/lib/llib-lssl > /usr/sfw/lib/libssl.so /usr/sfw/lib/llib-lssl.ln > /usr/sfw/lib/libssl.so.0.9.7 > > system SUNWopenssl-commands OpenSSL Commands (Usr) > system SUNWopenssl-include OpenSSL Header Files > system SUNWopenssl-libraries OpenSSL Libraries (Usr) > system SUNWopenssl-man OpenSSL Manual Pages > system SUNWopensslr OpenSSL (Root) > > > root# openssl version > OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 > CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 > CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 > CVE-2009-3555 CVE-2010-4180) > > Are there other packages I need to install or modify the make file > somehow? > > Thanks for your help!! > > Patrick Swartz > > > > > - > The information in this message may be proprietary and/or > confidential, and protected from disclosure. If the reader of this > message is not the intended recipient, or an employee or agent > responsible for delivering this message to the intended recipient, > you are hereby notified that any dissemination, distribution or > copying of this communication is strictly prohibited. 
RE: [ossec-list] Solaris compile with SSL support help
Hi Dan, I tried adding that line to the (both at the beginning and end, in different attempts) and this is the error that shows up during the compile -- gcc: -lssl: linker input file unused because linking not done gcc: -lcrypto: linker input file unused because linking not done I apologize for the trouble, but if ya have any other suggestions I would be very grateful. Thanks so much, Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Tuesday, January 17, 2012 6:05 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Solaris compile with SSL support help On Tue, Jan 17, 2012 at 11:45 AM, Swartz, Patrick H wrote: > Hi Dan, > Well.. that helped it compile .. however, even though I didn't see any errors > when I run the agent-auth command I get the error -- > /opt/ossecPS/bin/agent-auth -h > ERROR: Not compiled. Missing OpenSSL support. > > > Here is a snip of the compiling .. > > *** Making os_auth *** > > gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl > -DDEFAULTDIR=\"/opt/ossecPS\" -DCLIENT -DSOLARIS -DHIGHFIRST > -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl -lresolv > main-server.c ssl.c ../addagent/validate.c ../config/lib_config.a > ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a > ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -o > ossec-authd > > > Patrick Swartz > Try adding "-lssl -lcrypto -DUSE_OPENSSL" to the line. > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On > Behalf Of dan (ddp) > Sent: Monday, January 16, 2012 6:07 PM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Solaris compile with SSL support help > > I'm guessing it didn't work? 
> > Try adding -I/usr/sfw/include/openssl to the CFLAGS line of > src/Config.Make (add it before ${CPATH} ) > > On Mon, Jan 16, 2012 at 4:19 PM, Swartz, Patrick H > wrote: >> >> Hi All, >> We are trying to compile Ossec 2.6 on Solaris (starting with Solaris >> 10) with SSL support. >> >> Here is what we have -- System: SunOS 5.10 >> >> It appears that the headers are at -- /usr/sfw/include/openssl >> aes.h conf.h err.h obj_mac.h rc2.h >> stack.h >> asn1_mac.h crypto.h evp.h objects.h rc4.h >> symhacks.h >> asn1.h des_old.h hmac.h ocsp.h rc5.h >> tls1.h >> asn1t.h des.h idea.h opensslconf.h ripemd.h >> tmdiff.h >> bio.h dh.h krb5_asn.h opensslv.h rsa.h >> txt_db.h >> blowfish.h dsa.h kssl.h ossl_typ.h safestack.h >> ui_compat.h >> bn.h dso.h lhash.h pem.h sha.h >> ui.h >> buffer.h e_os2.h md2.h pem2.h ssl.h >> x509_vfy.h >> cast.h ebcdic.h md4.h pkcs12.h ssl2.h >> x509.h >> comp.h ec.h md5.h pkcs7.h ssl23.h >> x509v3.h >> conf_api.h engine.h mdc2.h rand.h ssl3.h >> >> Additional info if it helps -- >> root# ls /usr/sfw/lib/*ssl* >> /usr/sfw/lib/libssl_extra.so.0.9.7 /usr/sfw/lib/llib-lssl >> /usr/sfw/lib/libssl.so /usr/sfw/lib/llib-lssl.ln >> /usr/sfw/lib/libssl.so.0.9.7 >> >> system SUNWopenssl-commands OpenSSL Commands (Usr) >> system SUNWopenssl-include OpenSSL Header Files >> system SUNWopenssl-libraries OpenSSL Libraries (Usr) >> system SUNWopenssl-man OpenSSL Manual Pages >> system SUNWopensslr OpenSSL (Root) >> >> >> root# openssl version >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 >> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 >> CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 >> CVE-2009-3555 CVE-2010-4180) >> >> Are there other packages I need to install or modify the make file >> somehow? >> >> Thanks for your help!! >> >> Patrick Swartz >> >> >> >> >> - >> The information in this message may be proprietary and/or >> confidential, and protected from disclosure. 
RE: [ossec-list] Solaris compile with SSL support help
Oh how I wish I could give ya ssh access... oh hum... Ummm srvadpsun01:root:/export/home/phswartz/ossec-hids-2.6/src # patch < ../patch.txt Looks like a unified context diff. File to patch: ?? Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Wednesday, January 18, 2012 7:53 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Solaris compile with SSL support help On Wed, Jan 18, 2012 at 8:44 AM, Swartz, Patrick H wrote: > Hi Dan, > I tried adding that line to the (both at the beginning and end, in > different attempts) and this is the error that shows up during the > compile -- > gcc: -lssl: linker input file unused because linking not done > gcc: -lcrypto: linker input file unused because linking not done > > I apologize for the trouble, but if ya have any other suggestions I would be > very grateful. > > Thanks so much, > > Patrick Swartz > Give me ssh access, and I can get it done. ;) Seriously though, OSSEC expects these items to be in sane locations. Nothing about Solaris is sane. Remove what I told you to add in the last email and apply the attached diff. It basically tells the Makeall script to look in the insane location Solaris has installed openssl to. > > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] > On Behalf Of dan (ddp) > Sent: Tuesday, January 17, 2012 6:05 PM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Solaris compile with SSL support help > > On Tue, Jan 17, 2012 at 11:45 AM, Swartz, Patrick H > wrote: >> Hi Dan, >> Well.. that helped it compile .. however, even though I didn't see >> any errors when I run the agent-auth command I get the error -- >> /opt/ossecPS/bin/agent-auth -h >> ERROR: Not compiled. Missing OpenSSL support. >> >> >> Here is a snip of the compiling .. 
>> >> *** Making os_auth *** >> >> gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl >> -DDEFAULTDIR=\"/opt/ossecPS\" -DCLIENT -DSOLARIS -DHIGHFIRST >> -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl >> -lresolv main-server.c ssl.c ../addagent/validate.c >> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a >> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c >> ../external/libz.a -o ossec-authd >> >> >> Patrick Swartz >> > > Try adding "-lssl -lcrypto -DUSE_OPENSSL" to the line. > >> >> -Original Message- >> From: ossec-list@googlegroups.com >> [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) >> Sent: Monday, January 16, 2012 6:07 PM >> To: ossec-list@googlegroups.com >> Subject: Re: [ossec-list] Solaris compile with SSL support help >> >> I'm guessing it didn't work? >> >> Try adding -I/usr/sfw/include/openssl to the CFLAGS line of >> src/Config.Make (add it before ${CPATH} ) >> >> On Mon, Jan 16, 2012 at 4:19 PM, Swartz, Patrick H >> wrote: >>> >>> Hi All, >>> We are trying to compile Ossec 2.6 on Solaris (starting with >>> Solaris >>> 10) with SSL support. 
>>> >>> Here is what we have -- System: SunOS 5.10 >>> >>> It appears that the headers are at -- /usr/sfw/include/openssl aes.h >>> >>> conf.h err.h obj_mac.h rc2.h stack.h >>> asn1_mac.h crypto.h evp.h objects.h rc4.h >>> symhacks.h asn1.h des_old.h hmac.h ocsp.h >>> rc5.h tls1.h asn1t.h des.h idea.h >>> opensslconf.h ripemd.h tmdiff.h bio.h dh.h >>> krb5_asn.h opensslv.h rsa.h txt_db.h blowfish.h dsa.h >>> kssl.h ossl_typ.h safestack.h ui_compat.h bn.h >>> dso.h lhash.h pem.h sha.h ui.h buffer.h >>> e_os2.h md2.h pem2.h ssl.h x509_vfy.h cast.h >>> >>> ebcdic.h md4.h pkcs12.h ssl2.h x509.h comp.h >>> ec.h md5.h pkcs7.h ssl23.h x509v3.h >>> conf_api.h engine.h mdc2.h rand.h ssl3.h >>> >>> Additional info if it helps -- >>> root# ls /usr/sfw/lib/*ssl* >>> /usr/sfw/lib/libssl_extra.so.0.9.7 /usr/sfw/lib/llib-lssl >>> /usr/sfw/lib/libssl.so /usr/sfw/lib/llib-lssl.ln >>> /usr/sfw/lib/libssl.so.0.9.7 >>&
RE: [ossec-list] Solaris compile with SSL support help
Ugh... please ignore my question about the patch... dead brain cell somewhere...

However, after successfully patching the Makeall file, the compile looks to be working for a bit.. then

gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl -DDEFAULTDIR=\"/opt/ossecPS4\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-syscheckd\" -DXML_VAR=\"var\" -lsocket -lnsl -lresolv syscheck.c config.c seechanges.c run_realtime.c create_db.c run_check.c ../config/lib_config.a ../rootcheck/rootcheck_lib.a ../shared/lib_shared.a ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a ../os_crypto/os_crypto.a -o ossec-syscheckd
Undefined first referenced
symbol in file
rootcheck_init /var/tmp//ccHkHQm9.o
ld: fatal: Symbol referencing errors. No output written to ossec-syscheckd
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `syscheck'
Current working directory /export/home/phswartz/ossec-hids-2.6/src/syscheckd

Error Making syscheckd
*** Error code 1
The following command caused the error:
/bin/sh ./Makeall all
make: Fatal error: Command failed for target `all'

Error 0x5.
Building error. Unable to finish the installation.
Patrick Swartz UNIX Planning & Engineering (DSUSSE) First Data 402-777-7337 desk 402-201-1192 Company cell 402-871-8981 Personal cell -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Wednesday, January 18, 2012 7:53 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Solaris compile with SSL support help On Wed, Jan 18, 2012 at 8:44 AM, Swartz, Patrick H wrote: > Hi Dan, > I tried adding that line to the (both at the beginning and end, in > different attempts) and this is the error that shows up during the > compile -- > gcc: -lssl: linker input file unused because linking not done > gcc: -lcrypto: linker input file unused because linking not done > > I apologize for the trouble, but if ya have any other suggestions I would be > very grateful. > > Thanks so much, > > Patrick Swartz > Give me ssh access, and I can get it done. ;) Seriously though, OSSEC expects these items to be in sane locations. Nothing about Solaris is sane. Remove what I told you to add in the last email and apply the attached diff. It basically tells the Makeall script to look in the insane location Solaris has installed openssl to. > > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] > On Behalf Of dan (ddp) > Sent: Tuesday, January 17, 2012 6:05 PM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Solaris compile with SSL support help > > On Tue, Jan 17, 2012 at 11:45 AM, Swartz, Patrick H > wrote: >> Hi Dan, >> Well.. that helped it compile .. however, even though I didn't see >> any errors when I run the agent-auth command I get the error -- >> /opt/ossecPS/bin/agent-auth -h >> ERROR: Not compiled. Missing OpenSSL support. >> >> >> Here is a snip of the compiling .. 
>> >> *** Making os_auth *** >> >> gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl >> -DDEFAULTDIR=\"/opt/ossecPS\" -DCLIENT -DSOLARIS -DHIGHFIRST >> -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl >> -lresolv main-server.c ssl.c ../addagent/validate.c >> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a >> ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c >> ../external/libz.a -o ossec-authd >> >> >> Patrick Swartz >> > > Try adding "-lssl -lcrypto -DUSE_OPENSSL" to the line. > >> >> -Original Message- >> From: ossec-list@googlegroups.com >> [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) >> Sent: Monday, January 16, 2012 6:07 PM >> To: ossec-list@googlegroups.com >> Subject: Re: [ossec-list] Solaris compile with SSL support help >> >> I'm guessing it didn't work? >> >> Try adding -I/usr/sfw/include/openssl to the CFLAGS line of >> src/Config.Make (add it before ${CPATH} ) >> >> On Mon, Jan 16, 2012 at 4:19 PM, Swartz, Patrick H >> wrote: >>> >>> Hi All, >>> We are trying to compile Ossec 2.6 on Solaris (starting with >>> Solaris >>> 10) with SSL support. >>> >>> Here is what we have -- System: SunOS 5.10 >>> >>> It appears that the headers are at -- /usr/sfw/include/openssl aes.h >>> >>> conf.h err.h
RE: [ossec-list] Solaris compile with SSL support help
Update... Started with a fresh untar of the source, updated the Makeall with the openssl path and now we get a clean compile AND looks like we have ssl support now!! YEAH!! Huge Thank you to Dan! Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Wednesday, January 18, 2012 8:40 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Solaris compile with SSL support help On Wed, Jan 18, 2012 at 9:14 AM, Swartz, Patrick H wrote: > Ugh... please ignore my question about the patch... dead brain cell > somewhere... > > However, after successfully patching the Makeall file, the compile looks to > be working for a bit.. then > > gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl > -DDEFAULTDIR=\"/opt/ossecPS4\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST > -DARGV0=\"ossec-syscheckd\" -DXML_VAR=\"var\" -lsocket -lnsl -lresolv > syscheck.c config.c seechanges.c run_realtime.c create_db.c run_check.c > ../config/lib_config.a ../rootcheck/rootcheck_lib.a ../shared/lib_shared.a > ../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a > ../os_crypto/os_crypto.a -o ossec-syscheckd > Undefined first referenced > symbol in file > rootcheck_init /var/tmp//ccHkHQm9.o This is pretty much beyond me. It looks like the rootcheck files are broken since it can't find rootcheck_init? Was there any errors or anything when building rootcheck? `cd ossec-hids-2.6/src/rootcheck && make` > ld: fatal: Symbol referencing errors. No output written to ossec-syscheckd > collect2: ld returned 1 exit status > *** Error code 1 > make: Fatal error: Command failed for target `syscheck' > Current working directory /export/home/phswartz/ossec-hids-2.6/src/syscheckd > > Error Making syscheckd > *** Error code 1 > The following command caused the error: > /bin/sh ./Makeall all > make: Fatal error: Command failed for target `all' > > Error 0x5. > Building error. Unable to finish the installation. 
> > > Patrick Swartz > UNIX Planning & Engineering (DSUSSE) > First Data > 402-777-7337 desk > 402-201-1192 Company cell > 402-871-8981 Personal cell > > > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On > Behalf Of dan (ddp) > Sent: Wednesday, January 18, 2012 7:53 AM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Solaris compile with SSL support help > > On Wed, Jan 18, 2012 at 8:44 AM, Swartz, Patrick H > wrote: >> Hi Dan, >> I tried adding that line to the (both at the beginning and end, in >> different attempts) and this is the error that shows up during the >> compile -- >> gcc: -lssl: linker input file unused because linking not done >> gcc: -lcrypto: linker input file unused because linking not done >> >> I apologize for the trouble, but if ya have any other suggestions I would be >> very grateful. >> >> Thanks so much, >> >> Patrick Swartz >> > > Give me ssh access, and I can get it done. ;) > > Seriously though, OSSEC expects these items to be in sane locations. > Nothing about Solaris is sane. Remove what I told you to add in the last > email and apply the attached diff. It basically tells the Makeall script to > look in the insane location Solaris has installed openssl to. > > >> >> >> -Original Message- >> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] >> On Behalf Of dan (ddp) >> Sent: Tuesday, January 17, 2012 6:05 PM >> To: ossec-list@googlegroups.com >> Subject: Re: [ossec-list] Solaris compile with SSL support help >> >> On Tue, Jan 17, 2012 at 11:45 AM, Swartz, Patrick H >> wrote: >>> Hi Dan, >>> Well.. that helped it compile .. however, even though I didn't see >>> any errors when I run the agent-auth command I get the error -- >>> /opt/ossecPS/bin/agent-auth -h >>> ERROR: Not compiled. Missing OpenSSL support. >>> >>> >>> Here is a snip of the compiling .. 
>>> >>> *** Making os_auth *** >>> >>> gcc -g -Wall -I../ -I../headers -I/usr/sfw/include/openssl >>> -DDEFAULTDIR=\"/opt/ossecPS\" -DCLIENT -DSOLARIS -DHIGHFIRST >>> -DARGV0=\"ossec-authd\" -DXML_VAR=\"var\" -DOSSECHIDS -lsocket -lnsl >>> -lresolv main-server.c ssl.c ../addagent/validate.c >>> ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a >>> ../os_regex/os_regex.a ../os_crypto/os_
[ossec-list] Now on to AIX .. error compiling 2.6
Hi All,

Well, with RH, SuSE, and Solaris10 out of the way.. now on to AIX5.3...

I tried compiling the OSSEC package on an AIX 5.3 system and I get these errors

5- Installing the system
- Running the Makefile

*** Making zlib (by Jean-loup Gailly and Mark Adler) ***

gcc -c -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/opt/ossec\" -DCLIENT -DUSE_OPENSSL -DAIX -DHIGHFIRST -DARGV0=\"zlib\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
make: 1254-004 The error code from the last command is 1. Stop.
cp -pr zlib.h zconf.h ../../headers/
cp -pr libz.a ../
cp: libz.a: A file or directory in the path name does not exist.
make: 1254-004 The error code from the last command is 1. Stop.

*** Making os_xml ***

gcc -DXML_VAR=\"var\" -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/opt/ossec\" -DCLIENT -DUSE_OPENSSL -DAIX -DHIGHFIRST -DARGV0=\"os_xml\" -DXML_VAR=\"var\" -DOSSECHIDS -c os_xml.c os_xml_access.c os_xml_node_access.c os_xml_variables.c os_xml_writer.c
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
make: 1254-004 The error code from the last command is 1. Stop.
Error Making os_xml
make: 1254-004 The error code from the last command is 1. Stop.

Error 0x5.
Building error. Unable to finish the installation.

I wasn't sure if this was related to openssl, so I thought I would include the paths here...

root@a9tvir982:/# find / -name opensslconf.h*
/opt/freeware/include/openssl/opensslconf.h
/usr/include/openssl/opensslconf.h

I appreciate any and all help,

Patrick Swartz
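The Solaris and AIX threads above run into the same two build problems from different sides: a compiler driver that cannot run its `cc1`, and an OpenSSL that lives under a prefix the OSSEC Makefiles do not search, with `-l` flags that get silently dropped when they are placed in CFLAGS ("linker input file unused because linking not done"). The preflight below is an added example and is not part of OSSEC's Makeall or Config.Make; the candidate prefixes (`/usr/sfw`, `/opt/freeware`, and so on) are assumptions drawn from the paths quoted in these mails and can be overridden with `OPENSSL_DIRS`. It points `-I` at the parent of the `openssl/` directory because the sources include `<openssl/ssl.h>` (visible in the `auth.h` include trace earlier on this page), and it keeps `-lssl -lcrypto` on a separate link line.

```shell
#!/bin/sh
# Added example, not part of OSSEC: preflight for building OSSEC with OpenSSL
# on a UNIX where the toolchain or OpenSSL sits in a non-standard place.
# OPENSSL_DIRS is an assumption built from the paths seen in the thread.

: "${OPENSSL_DIRS:=/usr /usr/sfw /opt/freeware /usr/local /usr/local/ssl}"

# check_compiler [CC]: the AIX failure ("error trying to exec 'cc1'") means the
# gcc driver is installed but its compiler proper is not. gcc answers
# -print-prog-name=cc1 with the resolved path, or the bare name "cc1" when it
# cannot find the binary. Returns 0 only when an executable cc1 exists.
check_compiler() {
    cc="${1:-gcc}"
    cc1=$("$cc" -print-prog-name=cc1 2>/dev/null) || return 1
    case "$cc1" in
        /*) [ -x "$cc1" ] ;;
        *)  return 1 ;;
    esac
}

# find_openssl: walk OPENSSL_DIRS for include/openssl/ssl.h plus a libssl in
# lib/. Sets OSSL_INC and OSSL_LIB on success, returns 1 when nothing matches.
find_openssl() {
    OSSL_INC=""; OSSL_LIB=""
    for prefix in $OPENSSL_DIRS; do
        [ -f "$prefix/include/openssl/ssl.h" ] || continue
        # accept a shared libssl (versioned or not) or a static one
        for lib in "$prefix/lib"/libssl.so "$prefix/lib"/libssl.so.* "$prefix/lib"/libssl.a; do
            [ -e "$lib" ] || continue
            OSSL_INC="$prefix/include"
            OSSL_LIB="$prefix/lib"
            return 0
        done
    done
    return 1
}

# ossec_openssl_flags: print make-style flag lines for the OSSEC build.
ossec_openssl_flags() {
    find_openssl || return 1
    # Compile time: sources include <openssl/ssl.h>, so -I names the parent
    # of the openssl/ directory, and USE_OPENSSL turns the SSL code on.
    printf 'CFLAGS += -DUSE_OPENSSL -I%s\n' "$OSSL_INC"
    # Link time: -l flags are ignored by a -c compile, so they go here only.
    printf 'LDFLAGS += -L%s -lssl -lcrypto\n' "$OSSL_LIB"
}

# preflight_main: run both checks against the real system.
preflight_main() {
    if ! check_compiler "${CC:-gcc}"; then
        echo "error: ${CC:-gcc} cannot run its cc1; fix the compiler first" >&2
        return 1
    fi
    ossec_openssl_flags || {
        echo "error: no OpenSSL headers plus libssl under: $OPENSSL_DIRS" >&2
        return 1
    }
}

# demo: exercise find_openssl on a constructed Solaris-like tree (sample
# layout built here, not read from a real host) and print the flags.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sfw/include/openssl" "$d/sfw/lib"
    : > "$d/sfw/include/openssl/ssl.h"
    : > "$d/sfw/lib/libssl.so.0.9.7"
    OPENSSL_DIRS="$d/nowhere $d/sfw" ossec_openssl_flags
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Source the file and call `preflight_main` on the build host; the two printed lines are what to append to `src/Config.Make` (or pass on the `make` command line) instead of hand-editing CFLAGS with link flags in it. `demo` shows the expected output shape without touching the real system.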
[ossec-list] agent-auth not working - internal error
Hi All

I ran across an issue last night that I can't find an answer for. In our environment we have 2 machines setup as Ossec servers (due to geographic/firewall rules), one of them responds fine when a client sends the key request using 'agent-auth -m 10.10.10.1 -D /opt/ossec', however, for clients trying to connect to the other we get an "(internal error)".

For example:

Log from the client ->
INFO: Using agent name as: n1dpmmgr2
INFO: Send request to manager. Waiting for reply.
ERROR: Internal manager error adding agent: n1dpmmgr2 (from manager)
ERROR: Unable to add agent. (from manager)
INFO: Connection closed.

Corresponding log from the server (all that it is...):
2012/02/10 03:21:55 ossec-authd: ERROR: Unable to add agent: n1dpmmgr2 (internal error)

We have tried stopping/starting the Ossec server, stopping/starting ossec-authd, even recompiled, but none helped.

One note of interest: each time a client connects and requests a key, a "[ossec-authd] " process would show up in a process listing.

Any and all help would be greatly appreciated!

Patrick Swartz
[ossec-list] RE: agent-auth not working - internal error
Hi All,

I just realized I didn't specify which version of Ossec we are running, my apologies.

Ossec 2.6 running on SUSE Enterprise 11sp1 64bit, with 4GB of RAM and 2 CPUs and currently 2281 active connections.

Thanks again for any help you can provide.

Patrick Swartz

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Swartz, Patrick H
Sent: Friday, February 10, 2012 10:32 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] agent-auth not working - internal error

Hi All

I ran across an issue last night that I can't find an answer for. In our environment we have 2 machines setup as Ossec servers (due to geographic/firewall rules), one of them responds fine when a client sends the key request using 'agent-auth -m 10.10.10.1 -D /opt/ossec', however, for clients trying to connect to the other we get an "(internal error)".

For example:

Log from the client ->
INFO: Using agent name as: n1dpmmgr2
INFO: Send request to manager. Waiting for reply.
ERROR: Internal manager error adding agent: n1dpmmgr2 (from manager)
ERROR: Unable to add agent. (from manager)
INFO: Connection closed.

Corresponding log from the server (all that it is...):
2012/02/10 03:21:55 ossec-authd: ERROR: Unable to add agent: n1dpmmgr2 (internal error)

We have tried stopping/starting the Ossec server, stopping/starting ossec-authd, even recompiled, but none helped.

One note of interest: each time a client connects and requests a key, a "[ossec-authd] " process would show up in a process listing.

Any and all help would be greatly appreciated!

Patrick Swartz
RE: [ossec-list] agent-auth not working - internal error

Hi Dan,

Yes we use the -D option. I have reason to believe that we are hitting a hard-coded limit of 4000 in the addagent/validate.c file. Our current client.keys file is at ID 4043 for the latest entry.

I'm not sure if simply modifying that amount and recompiling would be enough or are there other lines/files that need to be changed?

Patrick Swartz

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Tuesday, February 14, 2012 9:18 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] agent-auth not working - internal error

How are you running ossec-authd?
Do you need the "-D /opt/ossec" flag for agent-auth?
Is there already an n1dpmmgr2 agent?
Maybe check permissions on the client.keys file.

On Fri, Feb 10, 2012 at 11:32 AM, Swartz, Patrick H wrote:
>
> Hi All
> I ran across an issue last night that I can't find an answer for. In our
> environment we have 2 machines setup as Ossec servers (due to
> geographic/firewall rules), one of them responds fine when a client sends the
> key request using 'agent-auth -m 10.10.10.1 -D /opt/ossec', however, for
> clients trying to connect to the other we get an "(internal error)".
> For example:
> Log from the client ->
> INFO: Using agent name as: n1dpmmgr2
> INFO: Send request to manager. Waiting for reply.
> ERROR: Internal manager error adding agent: n1dpmmgr2 (from manager)
> ERROR: Unable to add agent. (from manager)
> INFO: Connection closed.
>
> Corresponding log from the server (all that it is...):
> 2012/02/10 03:21:55 ossec-authd: ERROR: Unable to add agent: n1dpmmgr2
> (internal error)
>
> We have tried stopping/starting the Ossec server, stopping/starting
> ossec-authd, even recompiled, but none helped.
>
> One note of interest: for each time a client connects and requests a key, a
> "[ossec-authd] " process would show up in a process listing.
>
> Any and all help would be greatly appreciated!
>
> Patrick Swartz
[ossec-list]

Hi All,

Another Solaris compile issue. This time with Solaris 8 (yes, I know it is old and unsupported). We modified the Makeall file to point to the openssl headers, but it still fails. This is with Ossec 2.6.

root# find /usr/local -name opensslconf.h
/usr/local/ssl/include/openssl/opensslconf.h

root# grep opensslconf.h src/Makeall
#ls /usr/include/openssl/opensslconf.h > /dev/null 2>&1
ls /usr/local/ssl/include/openssl/opensslconf.h > /dev/null 2>&1

root# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.0c 2 Dec 2010

*** Making os_crypto ***

gcc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/opt/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"blowfish_op\" -DXML_VAR=\"var\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
In file included from bf_skey.c:62:
bf_locl.h:69:55: openssl/opensslconf.h: No such file or directory
In file included from bf_enc.c:60:
bf_locl.h:69:55: openssl/opensslconf.h: No such file or directory
*** Error code 1
make: Fatal error: Command failed for target `bf'
Current working directory /var/tmp/ossec/ossec-hids-2.6/src/os_crypto/blowfish
*** Error code 1
make: Fatal error: Command failed for target `os_crypto'
Current working directory /var/tmp/ossec/ossec-hids-2.6/src/os_crypto

Error Making os_crypto

*** Error code 1
make: Fatal error: Command failed for target `all'

Any and all help would be greatly appreciated!

Thanks,
Patrick Swartz
[ossec-list] Solaris8 compile issue

My apologies for posting w/o a subject line...

Patrick Swartz

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Swartz, Patrick H
Sent: Thursday, February 16, 2012 4:59 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list]

Hi All,

Another Solaris compile issue. This time with Solaris 8 (yes, I know it is old and unsupported). We modified the Makeall file to point to the openssl headers, but it still fails. This is with Ossec 2.6.

root# find /usr/local -name opensslconf.h
/usr/local/ssl/include/openssl/opensslconf.h

root# grep opensslconf.h src/Makeall
#ls /usr/include/openssl/opensslconf.h > /dev/null 2>&1
ls /usr/local/ssl/include/openssl/opensslconf.h > /dev/null 2>&1

root# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.0c 2 Dec 2010

*** Making os_crypto ***

gcc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/opt/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"blowfish_op\" -DXML_VAR=\"var\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
In file included from bf_skey.c:62:
bf_locl.h:69:55: openssl/opensslconf.h: No such file or directory
In file included from bf_enc.c:60:
bf_locl.h:69:55: openssl/opensslconf.h: No such file or directory
*** Error code 1
make: Fatal error: Command failed for target `bf'
Current working directory /var/tmp/ossec/ossec-hids-2.6/src/os_crypto/blowfish
*** Error code 1
make: Fatal error: Command failed for target `os_crypto'
Current working directory /var/tmp/ossec/ossec-hids-2.6/src/os_crypto

Error Making os_crypto

*** Error code 1
make: Fatal error: Command failed for target `all'

Any and all help would be greatly appreciated!

Thanks,
Patrick Swartz
[ossec-list]

Hi All,

I need a second set of eyes. For some reason I can't seem to get Ossec to generate alerts for syscheck rules any longer. I can use syscheck_control to see the files are being recognized as changed, but no actual alerts are being generated. I'm using Ossec 2.6 on Linux for the collector server and testing using a variety of clients. I'm including all of the standard rules.

Here is part of my ossec.conf on the collector server:

300 no /etc,/usr/bin,/usr/sbin /bin,/sbin 3 3

I'm sure I'm just missing something, but I simply can't find it so any help would be greatly appreciated.

Patrick Swartz
[ossec-list] syslog output to multiple syslog servers

Hi All,

When using the syslog output, is it possible to send the output to two different syslog servers? This is what I have in our server's ossec.conf --

192.168.246.96 514
172.27.146.15 10009

I ran tcpdump to capture the syslog output using this command:

tcpdump - -w /tmp/ossec_3.pcap -i eth0 port 514 or port 10009

However, the only data captured was for port 514. Can only one be used? Or is there something else I need to do?

Thanks,
Patrick Swartz
[ossec-list] RE: agent-auth (4000 limit)

Hi, modifying the src/addagent/validate.c file --

    {
        i = 1024;
        snprintf(nid, 6, "%d", i);
        while(IDExist(nid))
        {
            i++;
            snprintf(nid, 6, "%d", i);
            if(i >= 9000)
            {
                return(NULL);
            }
        }
        id = nid;
    }

The original value is 4000, we upped that to 9000 and everything seems to be working now.

Hope that helps,
Patrick Swartz

-----Original Message-----
From: Tate Hansen [mailto:t...@clearnetsec.com]
Sent: Monday, April 02, 2012 2:11 PM
To: ossec-list@googlegroups.com
Cc: Swartz, Patrick H
Subject: agent-auth (4000 limit)

Hi:

I just ran into this issue over the weekend - did you find a solution?

On 2/14/12 9:54 AM, "Swartz, Patrick H" wrote:

>Hi Dan,
>Yes we use the -D option. I have reason to believe that we are hitting a
>hard-coded limit of 4000 in the addagent/validate.c file. Our current
>client.keys file is at ID 4043 for the latest entry.
>
>I'm not sure if simply modifying that amount and recompiling would be
>enough or are there other lines/files that need to be changed?
>
>
>Patrick Swartz
>
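The ID-allocation loop quoted above, as an added stand-alone model that is not OSSEC's own code: it covers both the "(internal error)" reported earlier in this thread and the validate.c change in this reply. The manager's IDExist() is replaced by a constructed table of IDs already assigned (standing in for client.keys), the cap is a parameter instead of the literal 4000/9000, and NID_LEN is assumed to be 6 from the snprintf length in the snippet. Running it shows why authd returns NULL once the IDs from 1024 up to the cap are taken, that the highest ID the loop can ever hand out is cap-1, and how far the cap can be raised before the 6-byte buffer would truncate the ID.

```c
/* Added example modelling the agent-ID search loop from
 * src/addagent/validate.c. Not OSSEC code: IDExist() is simulated
 * with a constructed table, and the cap is a parameter. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NID_LEN 6   /* assumed size of the nid buffer: 5 digits + NUL */

/* Constructed stand-in for IDExist(): 1 if the id is already assigned.
   `taken` is indexed by numeric id and has `max_id` entries. */
static int id_exist(const char *nid, const unsigned char *taken, int max_id)
{
    int i = atoi(nid);
    return (i >= 0 && i < max_id) ? taken[i] : 0;
}

/* Same control flow as the posted loop: start at 1024, walk upward while
   the id is taken, give up with NULL once i reaches the cap. Note the cap
   check sits after the increment, so id == cap is never handed out. */
static const char *next_free_id(char *nid, size_t nid_len,
                                const unsigned char *taken, int cap)
{
    int i = 1024;
    snprintf(nid, nid_len, "%d", i);
    while (id_exist(nid, taken, cap)) {
        i++;
        snprintf(nid, nid_len, "%d", i);
        if (i >= cap)
            return NULL;   /* authd logs this as "(internal error)" */
    }
    return nid;
}

/* Mark n consecutive ids starting at 1024 as taken (constructed data in
   place of client.keys entries), then run the allocator with `cap`.
   Returns the allocated id, or -1 when the cap is hit. */
int allocate_after(int n_taken, int cap)
{
    unsigned char *taken = calloc((size_t)cap, 1);
    char nid[NID_LEN];
    int result = -1;
    if (!taken)
        return -1;
    for (int i = 1024; i < 1024 + n_taken && i < cap; i++)
        taken[i] = 1;
    const char *id = next_free_id(nid, sizeof nid, taken, cap);
    if (id)
        result = atoi(id);
    free(taken);
    return result;
}

/* Largest id value snprintf can write into a buffer of nid_len bytes
   without truncation: nid_len-1 digits, e.g. 6 bytes -> 99999. Raising
   the cap above this without enlarging nid would silently truncate ids. */
int max_id_for_buffer(size_t nid_len)
{
    int max = 1;
    for (size_t d = 0; d + 1 < nid_len; d++)
        max *= 10;
    return max - 1;
}

int main(void)
{
    printf("empty table, cap 4000      -> %d\n", allocate_after(0, 4000));
    printf("1024..3998 taken, cap 4000 -> %d\n", allocate_after(2975, 4000));
    printf("1024..3999 taken, cap 4000 -> %d (NULL)\n", allocate_after(2976, 4000));
    printf("1024..3999 taken, cap 9000 -> %d\n", allocate_after(2976, 9000));
    printf("max id for %d-byte nid     -> %d\n", NID_LEN, max_id_for_buffer(NID_LEN));
    return 0;
}
```

The last line of output is the check to make before picking a new cap: with the 6-byte buffer in the snippet, any cap up to 99999 is safe, so 9000 does not need the buffer enlarged.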
RE: [ossec-list] Can not have centralized agent config working

We also had the same trouble getting the central config to work until we were told that active-response had to be enabled on the clients first. I don't think that is documented anywhere, but it is what got our central config to start working.

Patrick Swartz

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Wednesday, August 01, 2012 8:10 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Can not have centralized agent config working

On Tue, Jul 31, 2012 at 7:16 PM, Steve Kieu wrote:
>>
>> It could take a while for it to be pushed. I think if you run the
>> processes in debug mode the transfer will be logged. Running in debug
>> mode might be a good idea to see if it logs information on why the
>> agent.conf isn't being pushed.
>>
>
> I suppose that I change in the server and client as well file
> etc/internal_options.conf and set all debug options to 1 (from 0) - I did
> this and restart both of them. No strange message spotted
>

But did you run the processes in debug mode (-d)?

> I guess the process dealing with this is ossec-remoted so it does not log
> anything useful. Check all other is the same
>
> 2012/08/01 03:04:22 ossec-remoted: INFO: Assigning sender counter: 0:502
> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23100).
> 2012/08/01 03:06:46 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23101).
> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23102).
> 2012/08/01 03:06:47 ossec-remoted: INFO: Assigning counter for agent
> build-centos5-i386: '0:1208'.
> 2012/08/01 03:06:47 ossec-remoted: INFO: Assigning sender counter: 0:504
>
> and after restarting client it still says:
>
> 2012/08/01 09:08:35 ossec-rootcheck: No rootcheck_files file configured.
> 2012/08/01 09:08:35 ossec-rootcheck: No rootcheck_trojans file configured.
>
> I do think this is a bug - but strange that it does not happen to anyone
> else (maybe no one run the same as my test set up ) ? Can anyone to confirm,
> a fresh installation of ossec, and most importantly the client side,
> etc/share/agent.conf is removed and etc/ossec.conf only contain the server
> IP information -
>

I think it's an admin issue, no evidence of a bug has been provided. I'm testing it out now though.
[ossec-list] alerting on directory listing

Hi All,

Here is a really off-the-wall question that we are being asked -- Is it possible to put monitoring in place that would tell when a directory listing is returned by TomCat?

Thanks,
Patrick