[ossec-list] fts or first-time cache in decoder syntax
I was reviewing the windows decoder and noticed "name, location, user, system_name". I could not find any reference in the documentation as to what this was for. I finally found a reference to it in one of the messages on this mailing list, "need help on writing rules" (http://groups.google.com/group/ossec-list/browse_thread/thread/b8bdc5dae941eb18/77f39262b2e416a3?lnk=gst&q=first-time+cache#).

From my understanding, the entry in the decoder says which attributes should be added to the first-time cache. Then in the rules you can use it to check if this is the first time this attribute value has been seen. Please correct me if I am wrong. I wanted to mention it here for others to easily find.

Also, can this be added to the documentation somewhere? The closest I came to finding it in the documentation was here: http://www.ossec.net/doc/syntax/head_decoders.html#element-decoder
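The first-time cache idea described in the post above, as an added stand-alone model (this is not OSSEC's code and does not use OSSEC's on-disk cache format): the decoder side is the list of fields whose values are remembered, and the rule side is the question "has this combination been seen before?". The four field names are the ones quoted from the windows decoder; the events, file path and persistence format are constructed for the example.

```python
import json
import os
import tempfile

# Field names quoted from the windows decoder in the post above.
FTS_FIELDS = ("name", "location", "user", "system_name")


class FirstTimeSeenCache:
    """Remembers which combinations of decoded field values have been observed.

    Hypothetical model of a first-time cache: is_first_time() answers True
    exactly once per distinct combination of the configured fields.
    """

    def __init__(self, fields=FTS_FIELDS):
        self.fields = tuple(fields)
        self.seen = set()

    def key(self, event):
        # Missing fields are treated as empty so partial decodes still get a key.
        return tuple(str(event.get(f, "")) for f in self.fields)

    def is_first_time(self, event):
        k = self.key(event)
        if k in self.seen:
            return False
        self.seen.add(k)
        return True

    def save(self, path):
        # Constructed persistence format (JSON list of keys), not OSSEC's.
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sorted(self.seen), fh)

    @classmethod
    def load(cls, path, fields=FTS_FIELDS):
        cache = cls(fields)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                cache.seen = {tuple(k) for k in json.load(fh)}
        return cache


# Constructed sample of already-decoded events (not real log data).
SAMPLE_EVENTS = [
    {"name": "WinEvtLog", "location": "Security", "user": "alice", "system_name": "HOST1"},
    {"name": "WinEvtLog", "location": "Security", "user": "alice", "system_name": "HOST1"},
    {"name": "WinEvtLog", "location": "Security", "user": "bob", "system_name": "HOST1"},
    {"name": "WinEvtLog", "location": "Security", "user": "alice", "system_name": "HOST2"},
]


def first_time_flags(events, cache=None):
    """Run the events through the cache; one boolean per event."""
    if cache is None:
        cache = FirstTimeSeenCache()
    return [cache.is_first_time(e) for e in events]


def persistence_roundtrip(events):
    """State survives a save/load: a second pass over the same events flags nothing new."""
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".json")
    tmp.close()
    try:
        cache = FirstTimeSeenCache()
        first_time_flags(events, cache)
        cache.save(tmp.name)
        reloaded = FirstTimeSeenCache.load(tmp.name)
        return first_time_flags(events, reloaded)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for event, flag in zip(SAMPLE_EVENTS, first_time_flags(SAMPLE_EVENTS)):
        print("FIRST TIME" if flag else "seen before", event["user"], event["system_name"])
    print("after reload:", persistence_roundtrip(SAMPLE_EVENTS))
```

The key is the whole tuple of fields, so the same user on a new system_name counts as first-time, which is what makes the cache useful for "new account on this host" style alerts; the persistence step matters because a cache that is lost on restart re-alerts on everything it already knew.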
[ossec-list] Re: Overriding composite rule (18152)
I knew I was missing something simple: overwrite="yes". I do vaguely remember reading about this option. Yes, it is here: http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7

Dan, your suggestion did not work. It was still preferring the 18152. Although I took your suggestion and did the following:

win_authentication_failed
Possible Brute force attack against windows logins (10 failures within 2 minutes).
authentication_failures,

win_authentication_failed
Multiple Windows Logon Failures.
authentication_failures,

This will fire 18152 (Possible Brute force) if the user is the same, otherwise it will fire the new rule 100300.

During my testing I do see that ossec is saying the user is SYSTEM and not user1. I see that the decoder assigns dstuser: SYSTEM, which is the attribute for Security.

Rule: 18139 (level 5) -> 'Windows DC Logon Failure.'
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/KEYANO.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10

This means rule 100300 will never be fired, because any failed attempt looks like it comes from the same user. Has anyone else encountered this? I will take a look at the decoder later today to see what is going on. I may have to find or create a new log event for a failed logon attempt.

I have recently created a rule to ignore Pre-Authentication fails (Failure Code: 0x18 and 0x19), since we are using windows 2003 and windows 7.
-- See: http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/
-- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD

On Feb 2, 6:18 am, "dan (ddp)" wrote:
> On Wed, Feb 1, 2012 at 5:02 PM, alsdks wrote:
> > try that 18152 rule again in your local rules with overwrite="yes"
> > option, to overwrite the original rule and see how it goes.
> > (WARNING: I do not know if this will work! Try it, see if it works. Or not.)
>
> Combined with the above, you could try adding your rule 100300 to
> local_rules, and copy rule 18152 with the overwrite="yes" (and no
> other changes) below it.
>
> This might move the detection order to prefer the 100300 rule over
> 18152 when the same user is involved. Might not though, I can't test
> it at the moment.
>
> > On Feb 1, 11:20 pm, tao_zhyn wrote:
> >> I want to be notified if there are 10 failed logon attempts within 2
> >> minutes from the same user.
> >>
> >> I know that rule 18152 sends an alert when there are 10 (8) failed
> >> attempts within 2 minutes.
> >>
> >> From msauth_rules.xml
> >>
> >> win_authentication_failed
> >> Multiple Windows Logon Failures.
> >> authentication_failures,
> >>
> >> I have tried adding the following to my local_rules.xml
> >>
> >> win_authentication_failed
> >> Possible Brute force attack against windows logins
> >> (10 failures within 2 minutes).
> >> authentication_failures,
> >>
> >> When I use ossec_logtest the rule 18152 is fired, but never 100300.
> >>
> >> FYI: I have an ossec_test file with 10 lines of the same bad login
> >> for testing.
> >>
> >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
> >> AUTHORITY: SERVER1: Pre-authentication failed: User Name:
> >> user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name:
> >> krbtgt/DOMAIN.LOCAL
> >> Pre-Authentication Type: 0x0 Failure Code: 0x19
> >> Client Address: 10.0.0.10
> >>
> >> ---
> >>
> >> I also tried the following in my local_rules.xml in the hope that it
> >> would override the one previously defined.
> >>
> >> win_authentication_failed
> >> Multiple Windows Logon Failures. (Same User Test)
> >> authentication_failures,
> >>
> >> When I use ossec_logtest the old rule is fired, it does not have "(Same
> >> User Test)" in the description.
> >>
> >> --
> >>
> >> After some playing around I went back to my first try but modified the
> >> frequency.
> >>
> >> win_authentication_failed
> >> Possible Brute force attack against windows logins
> >> (10 failures within 2 minutes).
> >> authentication_failures,
> >>
> >> This would trigger the rule. If I increased the frequency to 6 then
> >> the rule 18152 would be triggered.
> >>
> >> Any idea at what I am doing wrong or pointers on how to do this
> >> correctly.
> >>
> >> Thanks
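The effect this thread ran into (the decoder setting dstuser to SYSTEM, so every 675 failure looks like the same user), shown with an added stand-alone re-implementation of a frequency/timeframe/same-user threshold rule. This is not OSSEC's correlation code or its decoder; the regex, the FrequencyRule class, the SID, realm and timestamps are constructed for the example. It groups the same constructed events once on the account recorded after "Security:" (SYSTEM in the posted event) and once on the account in "User Name:", and shows which grouping actually distinguishes users.

```python
import re
from collections import defaultdict, deque

# Parses the 675 event shape quoted in the thread (constructed regex, not OSSEC's
# decoder). "logging_user" is the account right after "Security:" (SYSTEM in the
# posted event); "target_user" is the account in "User Name:".
EVENT_RE = re.compile(
    r"WinEvtLog: Security: AUDIT_FAILURE\((?P<event_id>\d+)\): Security: "
    r"(?P<logging_user>[^:]+): [^:]+: (?P<host>[^:]+): .*?"
    r"User Name:\s+(?P<target_user>\S+)"
)


def make_event(ts, target_user):
    """Constructed event text with a placeholder SID and realm (not real data)."""
    return (ts,
            "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            f"SERVER1: Pre-authentication failed: User Name: {target_user} "
            "User ID: %{S-1-5-21-0-0-0-1000} Service Name: krbtgt/EXAMPLE.LOCAL "
            "Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10")


def decode(line):
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


class FrequencyRule:
    """Fires when `frequency` events sharing the same key arrive within `timeframe` seconds."""

    def __init__(self, key_field, frequency=10, timeframe=120):
        self.key_field = key_field
        self.frequency = frequency
        self.timeframe = timeframe
        self.windows = defaultdict(deque)  # key -> timestamps inside the window

    def feed(self, ts, fields):
        key = fields[self.key_field]
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > self.timeframe:  # drop events outside the window
            win.popleft()
        if len(win) >= self.frequency:
            win.clear()  # reset after firing, as a threshold rule would
            return key
        return None


def run_rule(events, key_field, frequency=10, timeframe=120):
    """Return [(timestamp, key)] for every firing of the rule over the events."""
    rule = FrequencyRule(key_field, frequency, timeframe)
    fired = []
    for ts, line in events:
        fields = decode(line)
        if fields is not None:
            hit = rule.feed(ts, fields)
            if hit is not None:
                fired.append((ts, hit))
    return fired


def sample_mixed_users():
    """Constructed: 10 failures in 45 s spread over five different target accounts."""
    return [make_event(i * 5, f"user{i % 5 + 1}") for i in range(10)]


def sample_single_user():
    """Constructed: 10 failures in 90 s, all against user1."""
    return [make_event(i * 10, "user1") for i in range(10)]


if __name__ == "__main__":
    print("grouped on logging_user:", run_rule(sample_mixed_users(), "logging_user"))
    print("grouped on target_user: ", run_rule(sample_mixed_users(), "target_user"))
    print("real brute force:       ", run_rule(sample_single_user(), "target_user"))
```

Grouping on the SYSTEM field fires on five unrelated accounts with two failures each, while grouping on the "User Name:" field stays quiet for that input and fires only for the genuine ten-failure run against one account. The check to make before relying on a same-user rule is therefore to run the sample event through the decoder and confirm which field the user value actually comes from.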
[ossec-list] Overriding composite rule (18152)
I want to be notified if there are 10 failed logon attempts within 2 minutes from the same user.

I know that rule 18152 sends an alert when there are 10 (8) failed attempts within 2 minutes.

From msauth_rules.xml

win_authentication_failed
Multiple Windows Logon Failures.
authentication_failures,

I have tried adding the following to my local_rules.xml

win_authentication_failed
Possible Brute force attack against windows logins (10 failures within 2 minutes).
authentication_failures,

When I use ossec_logtest the rule 18152 is fired, but never 100300.

FYI: I have an ossec_test file with 10 lines of the same bad login for testing.

WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10

---

I also tried the following in my local_rules.xml in the hope that it would override the one previously defined.

win_authentication_failed
Multiple Windows Logon Failures. (Same User Test)
authentication_failures,

When I use ossec_logtest the old rule is fired, it does not have "(Same User Test)" in the description.

--

After some playing around I went back to my first try but modified the frequency.

win_authentication_failed
Possible Brute force attack against windows logins (10 failures within 2 minutes).
authentication_failures,

This would trigger the rule. If I increased the frequency to 6 then the rule 18152 would be triggered.

Any idea at what I am doing wrong or pointers on how to do this correctly.

Thanks
[ossec-list] Re: Cisco IOS Decoder
I looked into this further today.

On the Cisco IOS 12.2 switch I see this when I do a show log:
%SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)

In the archive logs I see the following:
2012 Jan 30 14:11:11 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)

I am not sure where the extra " : " is coming from. The switch might be sending it when it is sending to the syslog server (as shown in the TCPDUMP below), but I have no idea how to stop the switch from doing this.

TCPDUMP:
14:34:11.404677 IP 10.10.10.10.58188 > 10.0.0.1.syslog: SYSLOG local4.notice, length: 88
E..t..G?.L...`..<165>:.%SYS-5-CONFIG_I:.Configured.from.console.by.user1.on.vty0.(10.10.10.10)

I am not sure if this is a specific issue with IOS 12.2. Moving forward I will keep my modified Cisco IOS decoder and re-create all the rules in cisco-ios_rules.xml and copy them to our local_rules.xml. Then modify them as "^:$FOO". If anyone is interested I can post all my modifications.

On Jan 27, 3:27 pm, "dan (ddp)" wrote:
> There isn't a way to modify the log messages before they're decoded.
> It might be easier to figure out why your logs are being mangled
> rather than "correcting" all of the rules.
>
> On Thu, Jan 26, 2012 at 3:24 PM, tao_zhyn wrote:
> > We are trying to get the Cisco syslogs to be processed by OSSEC.
> >
> > We did everything suggested
> > in http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples.
> > But OSSEC was not decoding or applying any rules to the incoming
> > message. I was able to see the messages in the archives.log.
> >
> > After some digging it looks like we are getting an extra character
> > from the IOS device.
> >
> > From the Archive.log:
> > 2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured
> > from console by USER on vty0 (10.0.0.2)
> >
> > From my understanding this means OSSEC is receiving:
> > : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)
> >
> > I am not sure why our switches are starting the logs with ":" but this
> > is not what the current decoder is looking for.
> > I have updated the decoder to allow for this format as shown below:
> >
> > ^%\w+-\d-\w+: |^: %\w+-\d-\w+:
> >
> > ^%\w+-\d-\w+: |^: %\w+-\d-\w+:
> >
> > With the updated decoder, not all the Cisco rules are being applied.
> > The reason is the rules are looking for "%FOO", but it is getting ": %FOO".
> > My question is, how can I get the decoder to toss out the ":" during
> > the decoding phase?
> >
> > The other solution is to update the Cisco rules (or copy and paste
> > them into local rules), so it looks for "^: %FOO" instead of "^%FOO".
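The two choices discussed in this thread (normalize the stray ": " prefix away, or re-anchor every rule), worked through as an added stand-alone example. It is not OSSEC's decoder or rule engine: only the prematch expression is taken from the thread, and the rule regex, sample lines, raw datagram and helper functions are constructed. The split_pri helper decodes the syslog priority that the tcpdump line shows as "<165>" and "local4.notice".

```python
import re

# The prematch quoted in this thread: accepts both the stock "%FAC-SEV-MNEMONIC: "
# start and the ": %FAC-SEV-MNEMONIC: " start this switch was sending.
PREMATCH = re.compile(r"^%\w+-\d-\w+: |^: %\w+-\d-\w+: ")

# A rule regex in the stock form the thread describes (anchored on "^%FOO").
CONFIG_RULE = re.compile(r"^%SYS-5-CONFIG_I: ")

# RFC 3164 facility codes 16-23 are local0-local7; severities are 0-7.
SYSLOG_FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines: stock IOS form, the form seen in this thread, and noise.
SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)",
    ": %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)",
    "kernel: eth0: link is up",
]

# Constructed raw datagram in the shape the thread's tcpdump shows (PRI, then ": ").
RAW_DATAGRAM = "<165>: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)"


def prematch(line):
    """Would the thread's decoder prematch accept this line?"""
    return PREMATCH.match(line) is not None


def strip_leading_colon(line):
    """Drop the ': ' prefix so rules anchored at '^%' match the message body."""
    return line[2:] if line.startswith(": ") else line


def decode_mnemonic(line):
    """Return the %FACILITY-SEVERITY-MNEMONIC token, or None if not a Cisco IOS line."""
    if not prematch(line):
        return None
    return strip_leading_colon(line).split(":", 1)[0]


def rule_fires(line, normalize):
    """Does the stock-style rule match this line, with or without normalization?"""
    target = strip_leading_colon(line) if normalize else line
    return CONFIG_RULE.match(target) is not None


def split_pri(datagram):
    """Parse the syslog <PRI> and return (facility name, severity name, rest of message)."""
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.S)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7
    return (SYSLOG_FACILITIES.get(facility, str(facility)),
            SYSLOG_SEVERITIES[severity], m.group(2))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{decode_mnemonic(line)!s:18} raw_rule={rule_fires(line, False)} "
              f"normalized_rule={rule_fires(line, True)}")
    print(split_pri(RAW_DATAGRAM))
```

Run against the ": %SYS-5-CONFIG_I" form, the prematch accepts the line but the stock "^%" rule only fires after normalization, which is exactly the gap the poster saw between "decoded" and "rule applied". The constructed datagram decodes to local4/notice, matching the tcpdump summary on the page, and its body starts with ": " immediately after the priority, so the colon is produced by the switch itself rather than by OSSEC; in IOS that position is where the optional sequence-number and timestamp prefix would appear.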
[ossec-list] Cisco IOS Decoder
We are trying to get the Cisco syslogs to be processed by OSSEC.

We did everything suggested in http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples. But OSSEC was not decoding or applying any rules to the incoming message. I was able to see the messages in the archives.log.

After some digging it looks like we are getting an extra character from the IOS device.

From the Archive.log:
2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)

From my understanding this means OSSEC is receiving:
: %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)

I am not sure why our switches are starting the logs with ":" but this is not what the current decoder is looking for. I have updated the decoder to allow for this format as shown below:

^%\w+-\d-\w+: |^: %\w+-\d-\w+:
^%\w+-\d-\w+: |^: %\w+-\d-\w+:

With the updated decoder, not all the Cisco rules are being applied. The reason is the rules are looking for "%FOO", but it is getting ": %FOO". My question is, how can I get the decoder to toss out the ":" during the decoding phase?

The other solution is to update the Cisco rules (or copy and paste them into local rules), so it looks for "^: %FOO" instead of "^%FOO".
[ossec-list] Re: Clarification on Windows ossec.conf vs shared/agent.conf
On Jan 16, 5:13 pm, "dan (ddp)" wrote:
> On Mon, Jan 16, 2012 at 4:09 PM, tao_zhyn wrote:
> > I am testing out Centralized agent configuration to a Windows machine.
> >
> > Setup
> > =
> > Manager:
> > * CentOS 5
> > * OSSEC v2.6
> > * Created and modified /var/ossec/etc/shared/agent.conf
> > * For testing purposes I copied everything from the windows ossec.conf
> > "Default Configuration" to the agent.conf.
> > * Modified permissions as follows: -rw-r--r-- 1 root ossec 902 Jan
> > 16 09:59 agent.conf
> >
> > Agent:
> > * Windows 2003
> > * Windows agent version 2.6
> > * Installed and running as expected
> >
> > From the Documentation,
> > http://www.ossec.net/doc/manual/agent/agent-configuration.html
> > it is not entirely clear how this works.
> >
> > At first I was waiting for C:\Program Files\ossec-agent\ossec.conf to
> > be modified after trying to push out the configuration from the
> > manager (restarted the manager and forced an integrity/rootkit check on
> > the client). I thought it would replace the content in C:\Program
> > Files\ossec-agent\ossec.conf with the applicable
> > configuration settings in /var/ossec/etc/shared/agent.conf.
>
> At no point did I see anything in the documentation that suggested
> ossec.conf would be modified. Which part of the doc gave you this
> impression? I can try to work on making it better.

No, the documentation did not give that impression. It does not mention anything about what happens on the client side. It was an initial assumption that I made. I think it would be good to mention what files are affected on the client (both windows and linux) when a configuration is pushed from the manager. For instance, does everything in shared sync between agent and manager? Or is it only agent.conf?

> > I finally realized that it copies /var/ossec/etc/shared/agent.conf to
> > C:\Program Files\ossec-agent\shared\agent.conf. So it looks like it
> > is working.
> >
> > This would explain why I see the following error message:
> > 2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.
> >
> > Does this mean the windows agent loads both ossec.conf and shared/agent.conf?
> > If so, which one has precedence? For example if I have
> > "72000" in ossec.conf and "43200" in shared/agent.conf, which setting gets applied?
>
> I believe the ossec.conf version. I generally keep the ossec.conf on
> agents as simple as possible, usually containing only the IP of the
> manager.

I tried taking a quick review of the source code. It looks like the client loads ossec.conf when it starts. Then it loads agent.conf when it loads each system, log collector, system check and rootkit check.

> > Bonus Question
> > I also have the following WARNings in my log (on the windows machine):
> >
> > 2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
> > 2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
> > 2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No action defined.
> > 2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No action defined.
> > 2012/01/16 13:59:03 ossec-agent: INFO: Event count after '2': 8179674->5417984 (66%)
> > 2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
> > 2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No action defined.
> > ...
> >
> > This only started showing up after I started testing centralized agent
> > configuration. If it helps I can post my agent.conf.
>
> Other than these messages, is the agent working? Please post the
> agent.conf, I've never seen these messages.

My initial (test) agent.conf was just a copy and paste of everything in ossec.conf between the tags (as shown below).

Application eventlog Security eventlog System eventlog ./shared/win_audit_rcl.txt ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt 43200 no %WINDIR%/win.ini %WINDIR%/system.ini C:\autoexec.bat C:\config.sys C:\boot.ini %WINDIR%/System32/CONFIG.NT %WINDIR%/System32/AUTOEXEC.NT %WINDIR%/System32/at.exe %WINDIR%/System32/attrib.exe %WINDIR%/System32/cacls.exe %WINDIR%/System32/debug.exe %WINDIR%/System32/drwatson.exe %WINDIR%/System32/drwtsn32.exe %WINDIR%/System32/edlin.exe %WINDIR%/System32/eventcreate.exe %WINDIR%/System32/eventtrigg
[ossec-list] Clarification on Windows ossec.conf vs shared/agent.conf
I am testing out Centralized agent configuration to a Windows machine.

Setup
=
Manager:
* CentOS 5
* OSSEC v2.6
* Created and modified /var/ossec/etc/shared/agent.conf
* For testing purposes I copied everything from the windows ossec.conf "Default Configuration" to the agent.conf.
* Modified permissions as follows: -rw-r--r-- 1 root ossec 902 Jan 16 09:59 agent.conf

Agent:
* Windows 2003
* Windows agent version 2.6
* Installed and running as expected

From the Documentation, http://www.ossec.net/doc/manual/agent/agent-configuration.html, it is not entirely clear how this works.

At first I was waiting for C:\Program Files\ossec-agent\ossec.conf to be modified after trying to push out the configuration from the manager (restarted the manager and forced an integrity/rootkit check on the client). I thought it would replace the content in C:\Program Files\ossec-agent\ossec.conf with the applicable configuration settings in /var/ossec/etc/shared/agent.conf.

I finally realized that it copies /var/ossec/etc/shared/agent.conf to C:\Program Files\ossec-agent\shared\agent.conf. So it looks like it is working.

This would explain why I see the following error message:
2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.

Does this mean the windows agent loads both ossec.conf and shared/agent.conf? If so, which one has precedence? For example if I have "72000" in ossec.conf and "43200" in shared/agent.conf, which setting gets applied?

Bonus Question
I also have the following WARNings in my log (on the windows machine):

2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No action defined.
2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No action defined.
2012/01/16 13:59:03 ossec-agent: INFO: Event count after '2': 8179674->5417984 (66%)
2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No action defined.
...

This only started showing up after I started testing centralized agent configuration. If it helps I can post my agent.conf.
[ossec-list] Re: check sum file not found
I am experiencing the same issue. I was able to download "http://www.ossec.net/files/ossec-hids-latest.tar.gz" but I cannot find any file at "http://www.ossec.net/files/ossec-hids-latest_sum.txt". I would like to verify the ossec-hids-latest.tar.gz before I install it.

On Jan 11, 5:37 pm, David Blondeau wrote:
> I got the same issue as the OP when I followed the installation manual.
> The file referenced in the installation manual
> is http://www.ossec.net/files/ossec-hids-latest_tar_gz_checksum.txt but it
> does not seem to exist. If someone can either correct that or change the
> documentation on the website, that could be helpful for new users.
>
> $ curl http://www.ossec.net/files/ossec-hids-latest_tar_gz_checksum.txt
>
> 404 Not Found
>
> 404 Not Found
> nginx
>
> David
>
> On Wed, Jan 11, 2012 at 2:58 PM, dan (ddp) wrote:
> > On Wed, Jan 11, 2012 at 5:51 PM, satyanarayan mahapatra
> > wrote:
> > > Hi, thanks for the quick response, but while trying to get it through wget I am getting
> > > an error.
> >
> > All I can really say is that it works for me. What error did you get?
> >
> > > On Jan 12, 3:15 am, "dan (ddp)" wrote:
> > >> According to http://www.ossec.net/main/downloads the latest checksum
> > >> file is at: http://www.ossec.net/files/ossec-hids-2.6_checksum.txt
> > >>
> > >> On Wed, Jan 11, 2012 at 5:03 PM, satyanarayan mahapatra
> > >> wrote:
> > >> > http://www.ossec.net/main/manual/manual-installation
> > >> >
> > >> > When I click on checksum I get a file not found error
> > >> >
> > >> > http://www.ossec.net/files/ossec-hids-latest_tar_gz_checksum.txt