[ossec-list] Re: white list specific ip on active response

2016-05-20 Thread theresa mic-snare
James, 

Please check the active-responses.log on the respective agent/device.

You might also want to consider upgrading to a newer version, because maybe 
there was indeed a bug in active response that has been addressed and fixed 
in a more recent version. The current stable version is 2.8.3, but if you plan 
to upgrade I would go for 2.9 
(https://github.com/ossec/ossec-hids/releases/tag/v2.9.0beta06), as this will 
soon be the next official release.

On Thursday, 19 May 2016 18:37:06 UTC+2, James Siegel wrote:
>
> Active response is acting up abnormally in 2.8.1
>
> Active response is enabled.
> Subnets are whitelisted in ossec.conf on the server.
> The server and the agents have all been restarted over the past few months 
> during patching cycles.
>
> Last week my boss was locked out by active response while demonstrating 
> something during a webex/team call.
>
> Last night, the CEO was locked out of a different box.
>
> Both of their devices were in a whitelisted subnet range. 
>
> In the case of my boss, he was logged in, and tried to su up to root and 
> that is when it happened.
>
> The CEO tried logging in to a box and was locked out.
>
> My boss has asked me to reach out and see if anyone else is having issues.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
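
The check James's report calls for, written out as an added example (this is not code from the thread or from OSSEC itself): read active-responses.log, take the `<white_list>` entries from the `<global>` section of ossec.conf, and list every block that landed on an address inside a whitelisted range. It assumes the per-line layout shown in the constructed sample (date, script, action, user, source IP, alert ID, rule ID); the sample lines and the whitelist values are made up for the example. Two caveats worth keeping in mind while reading the output: `<white_list>` only exempts an address from active response, the alerts themselves still fire; and whether an alert carries a source IP at all depends on the decoder that produced it, so the IP column of the log is worth a look on its own.

```python
"""Audit OSSEC active-responses.log against the <white_list> ranges from
ossec.conf.

Added example, not OSSEC's own code. Assumed log layout per line:
    <date> <script> <action> <user> <srcip> <alert_id> <rule_id>
"""
import ipaddress
import re

# Constructed sample of /var/ossec/logs/active-responses.log (not real data).
SAMPLE_AR_LOG = """\
Thu May 19 09:15:02 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1463649302.1234 5712
Thu May 19 10:02:44 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 10.20.5.17 1463652164.2345 5402
Thu May 19 10:12:44 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.20.5.17 1463652164.2345 5402
Thu May 19 22:40:11 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 10.20.7.99 1463697611.3456 5720
"""

# Constructed <white_list> entries, as they would appear in ossec.conf <global>.
SAMPLE_WHITELIST = ["127.0.0.1", "10.20.0.0/16", "192.0.2.0/24"]

AR_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


def parse_whitelist(entries):
    """Turn white_list strings (single hosts or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_whitelisted(ip, networks):
    """True if ip falls inside any whitelisted host or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_ar_log(text):
    """Yield one dict per parseable log line; lines that do not fit are skipped."""
    for line in text.splitlines():
        m = AR_LINE.match(line)
        if m:
            yield m.groupdict()


def whitelist_violations(log_text, whitelist):
    """Return (date, ip, rule_id, script) for every 'add' action that hit a
    whitelisted address. Records whose IP column is not an address (e.g. '-')
    are ignored, since the whitelist cannot apply to them."""
    networks = parse_whitelist(whitelist)
    hits = []
    for rec in parse_ar_log(log_text):
        if rec["action"] != "add":
            continue
        try:
            blocked = is_whitelisted(rec["ip"], networks)
        except ValueError:
            continue
        if blocked:
            hits.append((rec["date"], rec["ip"], rec["rule_id"],
                         rec["script"].rsplit("/", 1)[-1]))
    return hits


if __name__ == "__main__":
    for date, ip, rule_id, script in whitelist_violations(SAMPLE_AR_LOG, SAMPLE_WHITELIST):
        print(f"{date}: {script} blocked whitelisted {ip} (rule {rule_id})")
```

Run it against the real log on the agent that blocked the address; every line it prints is a case where the configured whitelist and the executed response disagree, which is exactly what needs explaining (config not reloaded on the agent, a range typo, or an address outside the range after all).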


[ossec-list] Re: OSSEC-abnormal-behavior-active-repsonse

2016-05-20 Thread theresa mic-snare
Have you checked the active-responses log on the respective agent/device?
/var/ossec/logs/active-responses.log
or on Windows systems C:\Program Files (x86)\ossec-agent\active-response\active-responses.log

On Thursday, 19 May 2016 18:42:04 UTC+2, James Siegel wrote:
>
> I have a set of subnets that are whitelisted.
> The server and agents were installed quite some time ago and are on 2.8.1.
>
> The server and the agents have been restarted at various times over the 
> past months as part of update/patching processes.
>
> The conf file was not changed during those time periods.
>
> My boss was locked out by active response, after successfully logging in, 
> then trying to su up to root, that occurred last Thursday.
>
> The CEO was locked out of a device last night.
>
> In both those instances, the devices they were originating from were part 
> of whitelisted subnets.
>
> Somehow, suddenly random occurrences of locking out whitelisted devices?
>
>
>



[ossec-list] Re: Installation OSSEC VM

2016-05-01 Thread theresa mic-snare
Hi Adiel,

Short answer: yes, you can...

Long answer: but you need to convert the OVA file into an OVF file, 
otherwise you'd get an error similar to "Unsupported hardware family...".
I once did this myself; it was a pain, but eventually I got it working.

Check this link, this will help you get started:
http://www.baconapplications.com/export-a-virtualbox-machine-to-vmware/

regards,
theresa

On Friday, 29 April 2016 22:20:32 UTC+2, Adiel Navarro wrote:
>
> Can I install ossec-vm-2.8.3.ova on VMware vSphere ESXi 5.5?
>



Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
Also, I should explain why I first wrote 1002.
I often check for this rule (2 - Unknown problem somewhere in the system.) 
just to see if there are any false positives that haven't been covered by 
an existing rule yet.
Then I would see which log event needs a new rule or decoder, so that it 
would be covered the next time it occurs :)


On Tuesday, 26 April 2016 14:08:29 UTC+2, theresa mic-snare wrote:
>
> I woke up this morning with a notification on my phone that this following 
> rule fired again:
>
> 
> 31108
> "\(\)\s*{\s*:;\s*}\s*;
> Shellshock attack detected
> attack,pci_dss_11.4,
> 
>
> Just as I thought that the Shellshock hype was over... someone from 
> China tried to penetrate my server again...
> Harmless, since I patch my server frequently, but still interesting to see 
> what's going on.
>
> Good to see that OSSEC is capable of detecting recent/modern threats :)
>
> On Tuesday, 26 April 2016 13:44:42 UTC+2, Jesus Linares wrote:
>>
>> Interesting thread. 
>>
>> Lately I'm using the Amazon EC2 Rules 
>> <https://github.com/wazuh/ossec-rules/tree/master/rules-decoders/amazon-ec2>; 
>> I find them really useful, and you can find more rules for Amazon in the 
>> linked repository. You may also find this script 
>> <http://blog.wazuh.com/keep-your-ruleset-updated-automatically/> 
>> interesting for updating your rules automatically.
>>
>> I would like to know what rules you are missing in OSSEC.
>>
>>
>> Regards.
>> Jesus Linares.
>>
>> On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote:
>>>
>>> 1002 ;))
>>>
>>> On Friday, 22 April 2016 19:07:32 UTC+2, namobud...@gmail.com wrote:
>>>>
>>>> These worked great, just wondering if you have any updates.
>>>>
>>>> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>>>>
>>>>> Good thread idea. I’ve copied a few Windows-centric rules below. Some 
>>>>> of the rules that lean heavily on  could no doubt be improved, but 
>>>>> they don’t bother me with false positives or performance issues in my 
>>>>> small environment, so I don’t worry about it. YMMV. I also have some 
>>>>> decoders and rules for Cowrie honeypots, but intend to polish those up 
>>>>> and submit a pull request for those one of these days. If anyone is 
>>>>> interested in testing them though, I could send those off list.
>>>>>
>>>>>
>>>>> 594
>>>>> \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>>>> A change has been made to the software that automatically runs at 
>>>>> startup.
>>>>>
>>>>> 18103
>>>>> Length specified in network packet
>>>>> Somebody is sending malformed data to your SQL Server. You should 
>>>>> probably investigate.
>>>>>
>>>>> 18101
>>>>> PSEXESVC|PsExec
>>>>> Remote access via PSEXEC. If this wasn't initiated by you, then you've 
>>>>> got a problem.
>>>>>
>>>>> 18102
>>>>> ^2004$
>>>>> diagnosed
>>>>> There's a problem with abnormal memory usage on this system! Please 
>>>>> investigate the indicated processes.
>>>>>
>>>>> 18104
>>>>> 4698
>>>>> A scheduled task has been created on this machine. Please review.
>>>>> Requires group

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
I woke up this morning with a notification on my phone that the following 
rule fired again:


31108
"\(\)\s*{\s*:;\s*}\s*;
Shellshock attack detected
attack,pci_dss_11.4,


Just as I thought that the Shellshock hype was over... someone from China 
tried to penetrate my server again...
Harmless, since I patch my server frequently, but still interesting to see 
what's going on.

Good to see that OSSEC is capable of detecting recent/modern threats :)

On Tuesday, 26 April 2016 13:44:42 UTC+2, Jesus Linares wrote:
>
> Interesting thread. 
>
> Lately I'm using the Amazon EC2 Rules 
> <https://github.com/wazuh/ossec-rules/tree/master/rules-decoders/amazon-ec2>; 
> I find them really useful, and you can find more rules for Amazon in the 
> linked repository. You may also find this script 
> <http://blog.wazuh.com/keep-your-ruleset-updated-automatically/> 
> interesting for updating your rules automatically.
>
> I would like to know what rules you are missing in OSSEC.
>
>
> Regards.
> Jesus Linares.
>
> On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote:
>>
>> 1002 ;))
>>
>> On Friday, 22 April 2016 19:07:32 UTC+2, namobud...@gmail.com wrote:
>>>
>>> These worked great, just wondering if you have any updates.
>>>
>>> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>>>
>>>> Good thread idea. I’ve copied a few Windows-centric rules below. Some 
>>>> of the rules that lean heavily on  could no doubt be improved, but 
>>>> they don’t bother me with false positives or performance issues in my 
>>>> small environment, so I don’t worry about it. YMMV. I also have some 
>>>> decoders and rules for Cowrie honeypots, but intend to polish those up 
>>>> and submit a pull request for those one of these days. If anyone is 
>>>> interested in testing them though, I could send those off list.
>>>>
>>>>
>>>> 594
>>>> \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>>> A change has been made to the software that automatically runs at 
>>>> startup.
>>>>
>>>> 18103
>>>> Length specified in network packet
>>>> Somebody is sending malformed data to your SQL Server. You should 
>>>> probably investigate.
>>>>
>>>> 18101
>>>> PSEXESVC|PsExec
>>>> Remote access via PSEXEC. If this wasn't initiated by you, then you've 
>>>> got a problem.
>>>>
>>>> 18102
>>>> ^2004$
>>>> diagnosed
>>>> There's a problem with abnormal memory usage on this system! Please 
>>>> investigate the indicated processes.
>>>>
>>>> 18104
>>>> 4698
>>>> A scheduled task has been created on this machine. Please review.
>>>> Requires group policy modification to the Advanced Security Audit 
>>>> policy/Audit Other Object Access Events. See: 
>>>> https://technet.microsoft.com/en-us/library/dn319119.aspx
>>>>
>>>> 18103
>>>> 36874|36888
>>>> recon_ssl,
>>>> Add Schannel errors to the custom recon_ssl group
>>>>
>>>> ignore="1800">
>>>> recon_ssl
>>>> There have been over 40 SSL cipher suite probes in the last two minutes. 
>>>> Someone may be performing reconnaissance on y

Re: [ossec-list] What's your favorite rules?

2016-04-24 Thread theresa mic-snare
1002 ;))

On Friday, 22 April 2016 19:07:32 UTC+2, namobud...@gmail.com wrote:
>
> These worked great, just wondering if you have any updates.
>
> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>
>> Good thread idea. I’ve copied a few Windows-centric rules below. Some of 
>> the rules that lean heavily on  could no doubt be improved, but they 
>> don’t bother me with false positives or performance issues in my small 
>> environment, so I don’t worry about it. YMMV. I also have some decoders and 
>> rules for Cowrie honeypots, but intend to polish those up and submit a pull 
>> request for those one of these days. If anyone is interested in testing 
>> them though, I could send those off list.
>>
>>
>> 594
>> \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> A change has been made to the software that automatically runs at startup.
>>
>> 18103
>> Length specified in network packet
>> Somebody is sending malformed data to your SQL Server. You should probably 
>> investigate.
>>
>> 18101
>> PSEXESVC|PsExec
>> Remote access via PSEXEC. If this wasn't initiated by you, then you've got a 
>> problem.
>>
>> 18102
>> ^2004$
>> diagnosed
>> There's a problem with abnormal memory usage on this system! Please 
>> investigate the indicated processes.
>>
>> 18104
>> 4698
>> A scheduled task has been created on this machine. Please review.
>> Requires group policy modification to the Advanced Security Audit 
>> policy/Audit Other Object Access Events. See: 
>> https://technet.microsoft.com/en-us/library/dn319119.aspx
>>
>> 18103
>> 36874|36888
>> recon_ssl,
>> Add Schannel errors to the custom recon_ssl group
>>
>> recon_ssl
>> There have been over 40 SSL cipher suite probes in the last two minutes. 
>> Someone may be performing reconnaissance on your servers, assessing whether 
>> one of your SSL-enabled services is vulnerable to exploits.
>> Unfortunately, Schannel errors are of limited usefulness. They occur without 
>> any indication of which IP address caused them, so consulting contextual log 
>> info or firewall logs is the only way to track down who is responsible.
>>
>> 18103
>> ^1000$|^1002$|^7023$|^7034$
>> A program or service has crashed. Investigate as appropriate.
>>
>> 18101
>> ^7045$
>> A new service has been installed on this computer.
>>
>>
>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
>> Behalf Of *namobud...@gmail.com
>> *Sent:* Thursday, March 3, 2016 6:35 AM
>> *To:* ossec-list 
>> *Subject:* [ossec-list] What's your favorite rules?
>>
>>  
>>
>> I'm wondering what everyone's favorite rules are.
>>
>> I'm trying to come up with some new rules to tighten security, so I would 
>> like to hear (and see code snippets) of folks' favorites, and what they are 
>> designed to detect, i.e. detect commands run, look for certain IOCs and so 
>> on. I'm impressed with how much OSSEC does out of the box too!
>>
>> Thanks!
>>
>>  
>>


Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread theresa mic-snare
Cool, would you mind sharing those custom rules with us? The threshold 
(over 90%) one is specifically appealing to me :)

On Wednesday, 20 April 2016 09:12:29 UTC+2, Robert Micallef wrote:
>
> I added custom rules to alert if space is over 90%. 
>
> On 20 April 2016 at 02:16, Santiago Bassett wrote:
>
>> Out of curiosity, what is the rule supposed to trigger the alert? The 
>> one I see by default looks for full partitions...
>>
>>
>> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>>
>> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef wrote:
>>
>>> I tested it on CentOS 5 and the output of df is as expected (Single 
>>> line).
>>>
>>> We don't have a lot of RHEL5 but this happens on every one I tried so far 
>>> (I tried 7).
>>>
>>> Here is the output of df -h on RHEL5:
>>>
>>> FilesystemSize  Used Avail Use% Mounted on
>>> /dev/mapper/VolGroup00-LogVol00
>>>23G   16G  5.4G  75% /
>>> /dev/hda1  99M   13M   82M  14% /boot
>>> tmpfs 4.9G 0  4.9G   0% /dev/shm
>>>
>>> Here is the output of a CentOS 5 machine:
>>>
>>> FilesystemSize  Used Avail Use% Mounted on
>>> /dev/sda3 1.9T  1.7T  104G  95% /
>>> /dev/sda1  99M   36M   58M  39% /boot
>>> tmpfs 3.9G 0  3.9G   0% /dev/shm
>>>
>>> So the CentOS is a single line and OSSEC picks that log perfectly. But 
>>> RHEL5 it will see 2 logs:
>>>
>>> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>>> ossec: output: 'df -h':23G   16G  5.4G  75% /
>>>
>>> And doesn't work. Tested in RHEL 5.8 and 5.11.
>>>
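
A parser for the situation Robert describes, added here as an example (not OSSEC's code and not Robert's rules): it reads `df -h` output, including the RHEL5 form where a long device name is printed on its own line and the numbers follow on the next, and reports filesystems over a threshold. The two samples are taken from the outputs quoted in the thread with approximate spacing; a small helper strips the `ossec: output: 'df -h': ` prefix that the command log format adds, so the parser also works on the two-line form exactly as OSSEC sees it. The simpler fix at the source is `df -hP`: the POSIX output format never wraps a line, which is why the stock ossec.conf runs `df -P` for the partition-full rule.

```python
"""Added example, not OSSEC's code: parse `df -h` output the way a custom
rule would need to see it, including the RHEL5 two-line form that splits a
long device name from its numbers, and flag filesystems above a threshold.
"""
import re

# Constructed from the two outputs quoted in the thread (spacing approximate).
DF_RHEL5 = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       23G   16G  5.4G  75% /
/dev/hda1              99M   13M   82M  14% /boot
tmpfs                 4.9G     0  4.9G   0% /dev/shm
"""

DF_CENTOS5 = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             1.9T  1.7T  104G  95% /
/dev/sda1              99M   36M   58M  39% /boot
tmpfs                 3.9G     0  3.9G   0% /dev/shm
"""

# Prefix OSSEC's command log_format puts in front of every output line.
OSSEC_PREFIX = re.compile(r"^ossec: output: '[^']*': ?")


def from_ossec_output(lines):
    """Strip the OSSEC command prefix so the parser sees plain df output."""
    return "\n".join(OSSEC_PREFIX.sub("", line) for line in lines)


def parse_df(text):
    """Return one dict per filesystem. A line holding a single token is a
    device name that df wrapped; its numbers follow on the next line."""
    rows = []
    pending_fs = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Filesystem":
            continue
        if len(fields) == 1:
            pending_fs = fields[0]
            continue
        if pending_fs is not None and len(fields) == 5:
            fields = [pending_fs] + fields
        pending_fs = None
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue
        rows.append({
            "fs": fields[0], "size": fields[1], "used": fields[2],
            "avail": fields[3], "use_pct": int(fields[4].rstrip("%")),
            "mount": " ".join(fields[5:]),
        })
    return rows


def over_threshold(text, threshold_pct=90):
    """(filesystem, mount, use%) for every row strictly above the threshold."""
    return [(r["fs"], r["mount"], r["use_pct"])
            for r in parse_df(text) if r["use_pct"] > threshold_pct]


if __name__ == "__main__":
    for sample in (DF_RHEL5, DF_CENTOS5):
        print(over_threshold(sample))
```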


[ossec-list] Re: Ossec Agent 2.7.1 Keeps disconnecting from Ossec server 2.8.3

2016-04-20 Thread theresa mic-snare
Awesome, thanks for sharing your experience with us, Alexandre.
I'm sure this could be beneficial to others as well!

On Tuesday, 19 April 2016 21:13:00 UTC+2, Alexandre Laquerre wrote:
>
> So the final result was as follows: in the first step I exported the agent 
> list and updated it (I basically erased 1000 agents that were no longer 
> used (#***)) and then saved it in CSV format. Following that I used the 
> script manage_agents -f to reimport the whole agent list with new IDs. It 
> basically took a good hour. Once done I created a script that would 
> uninstall + install the OSSEC agent (2.8.3) and then attribute its key to 
> the installation, which basically takes 5 seconds, and then it is up and 
> running. 
>
> So all is now good. 
>
> Hopefully this can help anyone that has a similar issue as well.
>
> Cheers,
>
>
> On Wednesday, April 13, 2016 at 11:23:28 AM UTC-4, Alexandre Laquerre 
> wrote:
>>
>> I have added my ossec.conf and agent.conf. Is it possible to have a 
>> look to see if there is something that is off? (I have removed the IP 
>> address for the agentless section.)
>>
>> Thank you,
>>
>> Alex
>>
>> On Wednesday, April 13, 2016 at 10:40:00 AM UTC-4, Kat wrote:
>>>
>>> You should disable RIDS:
>>>
>>> remoted.verify_msg_id=0
>>>
>>> The errors should go away. The problem is, RIDS must be removed on both 
>>> agent and server, that may be causing issues.
>>>
>>> Kat
>>>
>>> On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:

Hi,

I have been using OSSEC for quite a while and we decided to upgrade the 
version (2.7.1) to 2.8.3, and that was relatively successful except for the 
fact that it pulled a number on my ossec.conf by creating indent problems 
and adding open brackets in the wrong area, but anyway it works. My issue is 
that for the moment our client will not update the OSSEC agents and wishes 
to keep 2.7.1. I have not seen any documentation that would indicate a 
compatibility issue; however, I noticed that no matter what I do, the agents 
will end up disconnecting. They will start out all active and then after 20 
minutes or so they will all be disconnected except for a small minority.

When I performed the install I set the maximum number of agents to 4096 
because the client has about... I would say close to 3000 agents. Furthermore, 
the installation did go well; however, I suspect that the agent.conf file in 
the shared folder got messed up due to this update being very significant. I 
have been working on this issue for at least three days and I am no longer 
certain where to look.

I would like to specify that I have already tried to erase the RIDS while 
OSSEC is stopped (server), and when I start it back up again the same issue 
occurs. Now I am hoping the solution will not be to erase the RIDS from the 
client, as it would be a long process for our customer.

Thank you,





Re: [ossec-list] Re: reportd not sending any email

2016-04-18 Thread theresa mic-snare
Will need to take a proper look at what's causing those segfaults 
tomorrow...

On Tuesday, 19 April 2016 00:11:45 UTC+2, theresa mic-snare wrote:
>
> Oh no!!
> OSSEC segfaulted
>
> 2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>
> Since this was 1 minute after midnight, I suspect reportd causes this.
>
> This is what the OSSEC log has to say:
>
> 2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
> 2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
> 2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
> 2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...
>
> A few seconds later, another segfault:
>
> 2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>
> Hmm... :(
>
> On Monday, 18 April 2016 17:37:48 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Apr 18, 2016 at 11:34 AM, theresa mic-snare 
>> <rockpr...@gmail.com> wrote: 
>> > Awesome, thanks for the tip Dan! 
>> > I will look for it tonight, if it actually works and does send a 
>> report, 
>> > then I will send a PR with a disclaimer on the documentation page, 
>> because 
>> > it isn't mentioned there yet. 
>> > 
>>
>> Much appreciated! 
>>
>> > I have also looked at the code to see if I could find any indicator 
>> when the 
>> > email would be sent...but alas, I haven't found anything there either. 
>> > 
>>
>> My bad memory is telling me monitord is the place to look. 
>>
>> > 
>> > On Monday, 18 April 2016 17:24:37 UTC+2, theresa mic-snare wrote: 
>> >> 
>> >> Hi all, 
>> >> 
>> >> I've configured reportd to send reports on syscheck and successful 
>> >> authentication 
>> >> 
>> >>  
>> >>authentication_success 
>> >>OSSEC: Authentication Report 
>> >>1...@456.com 
>> >>yes 
>> >>
>> >> 
>> >>
>> >>  syscheck 
>> >>  Daily report: File changes 
>> >>  1...@456.com 
>> >> 
>> >> 
>> >> 
>> >> However, I can run those reports fine in the terminal, but it doesn't 
>> send 
>> >> any reports through email. 
>> >> 
>> >> Yes: I have checked that ossec-maild is running... it is, I swear! 
>> >> Yes: I have checked the spam/junk folder in my inbox as well... I swear! 
>> >> 
>> >> When I run reportd manually it displays the report just fine... and even 
>> >> in the logs it says 
>> >> 
>> >> 2016/04/18 17:13:49 ossec-reportd: INFO: Report completed. Creating 
>> >> output... 
>> >> 
>> >> I'd expect it at least to say this after I restart OSSEC as well? 
>> >> 
>> >> When does ossec-reportd run or does it have to be started through a 
>> >> cronjob? 
>> >> Does the mailing of reports work for you? 
>> >> 
>> >> best, 
>> >> theresa 
>> > 


Re: [ossec-list] Re: reportd not sending any email

2016-04-18 Thread theresa mic-snare
Oh no!!
OSSEC segfaulted

2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]

Since this was 1 minute after midnight, I suspect reportd causes this.

This is what the OSSEC log has to say:

2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...

A few seconds later, another segfault:

2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]

Hmm... :(

On Monday, 18 April 2016 17:37:48 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Apr 18, 2016 at 11:34 AM, theresa mic-snare 
> <rockpr...@gmail.com> wrote: 
> > Awesome, thanks for the tip Dan! 
> > I will look for it tonight, if it actually works and does send a report, 
> > then I will send a PR with a disclaimer on the documentation page, 
> because 
> > it isn't mentioned there yet. 
> > 
>
> Much appreciated! 
>
> > I have also looked at the code to see if I could find any indicator when 
> the 
> > email would be sent...but alas, I haven't found anything there either. 
> > 
>
> My bad memory is telling me monitord is the place to look. 
>
> > 
> > On Monday, 18 April 2016 17:24:37 UTC+2, theresa mic-snare wrote: 
> >> 
> >> Hi all, 
> >> 
> >> I've configured reportd to send reports on syscheck and successful 
> >> authentication 
> >> 
> >>  
> >>authentication_success 
> >>OSSEC: Authentication Report 
> >>1...@456.com  
> >>yes 
> >>
> >> 
> >>
> >>  syscheck 
> >>  Daily report: File changes 
> >>  1...@456.com  
> >> 
> >> 
> >> 
> >> However, I can run those reports fine in the terminal, but it doesn't 
> send 
> >> any reports through email. 
> >> 
> >> Yes: I have checked that ossec-maild is running... it is, I swear! 
> >> Yes: I have checked the spam/junk folder in my inbox as well... I swear! 
> >> 
> >> When I run reportd manually it displays the report just fine... and even 
> >> in the logs it says 
> >> 
> >> 2016/04/18 17:13:49 ossec-reportd: INFO: Report completed. Creating 
> >> output... 
> >> 
> >> I'd expect it at least to say this after I restart OSSEC as well? 
> >> 
> >> When does ossec-reportd run or does it have to be started through a 
> >> cronjob? 
> >> Does the mailing of reports work for you? 
> >> 
> >> best, 
> >> theresa 
> > 


Re: [ossec-list] my problem with rootcheck_control (part 2)

2016-04-06 Thread theresa mic-snare
Anyone?
rootcheck is still an unresolved mystery to me.

On Tuesday, 5 April 2016 12:07:40 UTC+2, theresa mic-snare wrote:
>
> Yes, I'm 100% positive, Dan!
> I've just reproduced my steps, and it seems that whenever I run the 
> rootcheck update (rootcheck_control -u 000) and wait for a rootcheck run to 
> complete (Ending rootcheck scan.)
>
> I don't see any log entries similar to the syscheck scan like this:
> 2016/04/05 08:24:50 ossec-syscheckd: INFO: Finished creating syscheck 
> database (pre-scan completed).
> 2016/04/05 08:25:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
> database).
>
> does this mean that rootcheck does not forward its results to the database?
>
> maybe I am doing something fundamentally wrong here, but at the moment 
> rootcheck does not write its results into the database unless I restart 
> OSSEC manually.
>
> rootcheck frequency is set to 300 (5 minutes)
> syscheck frequency is set to 79200 (22 hours)
>
> does rootcheck rely on syscheck in order to update the events in the 
> database?
>
> On Monday, 4 April 2016 14:41:56 UTC+2, dan (ddpbsd) wrote:
>>
>> On Sat, Apr 2, 2016 at 5:36 PM, theresa mic-snare 
>> <rockpr...@gmail.com> wrote: 
>> > Hi, 
>> > 
>> > I have to say I'm particularly unfortunate with the rootcheck daemon... 
>> > am I the only one who keeps running into those problems? 
>> > 
>> > On my manager I was checking against the system_audit_ssh.txt that 
>> checks 
>> > the sshd_config. 
>> > I first started with the following unresolved issues 
>> > 
>> > [root@manager bin]# ./rootcheck_control -q -i 000 
>> > 
>> > Policy and auditing events for local system 'manager - 127.0.0.1': 
>> > 
>> > Outstanding events: 
>> > 
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 5: Password Authentication 
>> > {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 . 
>> > 
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for 
>> > authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 
>> 7 . 
>> > 
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time 
>> {PCI_DSS: 
>> > 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 . 
>> > 
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of 
>> > authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. 
>> > Reference: 9 . 
>> > 
>> > 
>> > So far, so good. 
>> > I set the correct values inside sshd_config, restarted the sshd service 
>> > and waited until the rootcheck run ran again... For the troubleshooting 
>> sake 
>> > I set the interval to 5 minutes. 
>> > 
>> > But for some reason it didn't update the outstanding events; it only 
>> > updated the time. 
>> > 
>> > [root@manager bin]# ./rootcheck_control -q -i 000 
>> > 
>> > Policy and auditing events for local system 'manager - 127.0.0.1': 
>> > 
>> > Outstanding events: 
>> > 
>> > 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 5: Password Authentication 
>> > {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 . 
>> > 
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for 
>> > authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 
>> 7 . 
>> > 
>> > 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time 
>> {PCI_DSS: 
>> > 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 . 
>> > 
>> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
>> > System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of 
>> > authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. 
>> > Reference: 9 . 
>> > 
>> > 
>> > I checked the syntax of the system_audit_ssh.txt but this seemed good 
>> to me 
>> > For instance the MaxAuthTries has this syntax 
>> &

[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later

2016-04-06 Thread theresa mic-snare
Hi thak,

have you enabled the 'realtime="yes"' option for the directories that 
you're monitoring in ??
There's probably only the frequency set to run once every few days/hours...

-- 
theresa

Am Mittwoch, 6. April 2016 15:33:03 UTC+2 schrieb thak:
>
> Any idea what the likely reason would be for this? We were installing some 
> diagnostic packages yesterday afternoon, but I didn't get email 
> notifications until 0430 today. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] my problem with rootcheck_control (part 2)

2016-04-05 Thread theresa mic-snare
Yes, I'm 100% positive, Dan!
I've just reproduced my steps, and it seems that whenever I run the 
rootcheck update (rootcheck_control -u 000) and wait for a rootcheck run to 
complete (Ending rootcheck scan.)

I don't see any log entries similar to the syscheck scan, like this:
2016/04/05 08:24:50 ossec-syscheckd: INFO: Finished creating syscheck 
database (pre-scan completed).
2016/04/05 08:25:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
database).

does this mean that rootcheck does not forward its results to the database?

maybe I am doing something fundamentally wrong here, but at the moment 
rootcheck does not write its results into the database unless I restart 
OSSEC manually.

rootcheck frequency is set to 300 (5 minutes)
syscheck frequency is set to 79200 (22 hours)

does rootcheck rely on syscheck in order to update the events in the 
database?

Am Montag, 4. April 2016 14:41:56 UTC+2 schrieb dan (ddpbsd):
>
> On Sat, Apr 2, 2016 at 5:36 PM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Hi, 
> > 
> > I have to say I'm particularly unfortunate with the rootcheck 
> daemon...am I 
> > the only one who keeps running into those problems? 
> > 
> > On my manager I was checking against the system_audit_ssh.txt that 
> checks 
> > the sshd_config. 
> > I first started with the following unresolved issues 
> > 
> > [root@manager bin]# ./rootcheck_control -q -i 000 
> > 
> > Policy and auditing events for local system 'manager - 127.0.0.1': 
> > 
> > Outstanding events: 
> > 
> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 5: Password Authentication 
> > {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 . 
> > 
> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for 
> > authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 
> 7 . 
> > 
> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time 
> {PCI_DSS: 
> > 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 . 
> > 
> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of 
> > authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. 
> > Reference: 9 . 
> > 
> > 
> > So far, so good. 
> > I set the correct values inside sshd_config, restarted the sshd service 
> > and waited until the rootcheck run ran again... For the troubleshooting 
> sake 
> > I set the interval to 5 minutes. 
> > 
> > But for some reason it didn't update the Outstanding events. only 
> > updated the time. 
> > 
> > [root@manager bin]# ./rootcheck_control -q -i 000 
> > 
> > Policy and auditing events for local system 'manager - 127.0.0.1': 
> > 
> > Outstanding events: 
> > 
> > 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 5: Password Authentication 
> > {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 . 
> > 
> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for 
> > authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 
> 7 . 
> > 
> > 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time 
> {PCI_DSS: 
> > 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 . 
> > 
> > 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) 
> > System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of 
> > authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. 
> > Reference: 9 . 
> > 
> > 
> > I checked the syntax of the system_audit_ssh.txt but this seemed good to 
> me 
> > For instance the MaxAuthTries has this syntax 
> > 
> > # MaxAuthTries 3 
> > # The MaxAuthTries parameter specifies the maximum number of 
> authentication 
> > attempts permitted per connection. Once the number of failures reaches 
> half 
> > this value, additional failures are logged. 
> > # This should be set to 3. 
> > [SSH Hardening - 9: Wrong Maximum number of authentication attempts 
> > {PCI_DSS: 2.2.4}] [any] [9] 
> > f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$; 
> > f:$sshd_file -> r:^#\s*MaxAuthTr

[ossec-list] my problem with rootcheck_control (part 2)

2016-04-02 Thread theresa mic-snare
Hi,

I have to say I'm particularly unfortunate with the rootcheck daemon...am I 
the only one who keeps running into those problems?

On my manager I was checking against the system_audit_ssh.txt that checks 
the sshd_config.
I first started with the following unresolved issues

[root@manager bin]# ./rootcheck_control -q -i 000

Policy and auditing events for local system 'manager - 127.0.0.1':

Outstanding events: 

2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 5: Password Authentication {
PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 .

2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for 
authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 .

2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 
2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 .

2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of 
authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. 
Reference: 9 .


So far, so good.
I set the correct values inside sshd_config, restarted the sshd service
and waited until the rootcheck run ran again... For the troubleshooting 
sake I set the interval to 5 minutes.

But for some reason it didn't update the Outstanding events. only 
updated the time.

[root@manager bin]# ./rootcheck_control -q -i 000

Policy and auditing events for local system 'manager - 127.0.0.1':

Outstanding events: 

2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 5: Password Authentication {
PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 .

2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for 
authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 .

2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 
2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 .

2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43)
System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of 
authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. 
Reference: 9 .


I checked the syntax of the system_audit_ssh.txt but this seemed good to me
For instance the MaxAuthTries has this syntax

# MaxAuthTries 3
# The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
# This should be set to 3.
[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
f:$sshd_file -> r:^#\s*MaxAuthTries;
f:$sshd_file -> !r:MaxAuthTries;

my sshd_config has exact this value set "MaxAuthTries 3"

At the end I simply ran 
[root@manager bin]# ./rootcheck_control -u 000

and waited for another rootcheck run.
Unfortunately it needed a full ossec restart, because simply running 
returned nothing except an empty database

[root@manager bin]# ./rootcheck_control -L -i 000

Policy and auditing events for local system 'manager - 127.0.0.1':

Can someone maybe explain this behavior to me?
Why does it need an ossec restart, when a regular rootcheck run is not able 
to update the Outstanding events successfully
or in other words:
Why is OSSEC not able to update the database even after it was flushed 
using rootcheck_control -u 000
leaving the database empty until I restart OSSEC completely??

Maybe this is just another "Pebkac" error and me being just too stupid to 
get it properly working...
anyway, I would love to hear your experiences with rootcheckd and 
rootcheck_control

I'm using VERSION="v2.9.0" at the moment, pulled from github.

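Added example, not code from this thread or from OSSEC: a small evaluator for the f: (file) checks of a rootcheck system_audit file, run against constructed sshd_config variants, so the three MaxAuthTries lines quoted above can be seen firing (or staying quiet) without waiting for a rootcheck scan. Python's re stands in for OSSEC's own OS_Regex engine (an assumption; the two agree on the anchors, \s and literals used here), and the all-negated case follows rootcheck's "full negate" handling of a file check as I read it: a pattern made only of !r: conditions must hold on every line, which is what turns `!r:MaxAuthTries` into "the directive is missing". The sample sshd_config contents are constructed. One caveat the run makes visible: `!r:3\s*$` only inspects the trailing digit, so `MaxAuthTries 13` satisfies the check just as `MaxAuthTries 3` does.

```python
import re

# Added example, not code from the thread or from OSSEC.  Python's re is an
# assumed stand-in for OSSEC's OS_Regex; the full-negate behaviour below is
# rootcheck's handling of a file check whose conditions are all negated, as
# understood by the author of this example.

# The check as quoted in the thread, plus the variable line the real
# system_audit_ssh.txt defines above it.
CHECK_TEXT = r"""
$sshd_file=/etc/ssh/sshd_config;

# MaxAuthTries 3
# This should be set to 3.
[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
f:$sshd_file -> r:^#\s*MaxAuthTries;
f:$sshd_file -> !r:MaxAuthTries;
"""


def parse_checks(text):
    """Return [(title, [(path, [(negate, regex), ...]), ...]), ...] with $vars resolved."""
    variables, checks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):                       # $name=value;
            name, _, value = line.rstrip(";").partition("=")
            variables[name] = value
        elif line.startswith("["):                     # [title] [any|all] [reference]
            checks.append((line[1:line.index("]")], []))
        else:                                          # f:path -> cond && cond;
            target, _, pattern = line.rstrip(";").partition(" -> ")
            kind, _, path = target.partition(":")
            if kind != "f":
                raise ValueError("only f: checks are modelled: " + line)
            conds = []
            for cond in pattern.split(" && "):
                negate = cond.startswith("!")
                cond = cond[1:] if negate else cond
                if not cond.startswith("r:"):
                    raise ValueError("only r: conditions are modelled: " + line)
                conds.append((negate, cond[2:]))
            checks[-1][1].append((variables.get(path, path), conds))
    return checks


def line_matches(line, conds):
    """All && conditions must hold on this single line."""
    return all((re.search(regex, line) is not None) != negate for negate, regex in conds)


def file_rule_fires(lines, conds):
    """One f: line of a check.  Normally a single matching line is enough; when
    every condition is negated, every line must match (so !r:X means
    'X appears nowhere in the file')."""
    full_negate = all(negate for negate, _ in conds)
    result = False
    for line in lines:
        result = line_matches(line, conds)
        if result and not full_negate:
            return True
        if not result and full_negate:
            break
    return result and full_negate


def audit(check_text, files):
    """files: {path: contents}.  Returns {title: [1-based indexes of the lines that fired]}."""
    report = {}
    for title, rules in parse_checks(check_text):
        fired = []
        for i, (path, conds) in enumerate(rules, 1):
            if file_rule_fires(files.get(path, "").splitlines(), conds):
                fired.append(i)
        report[title] = fired
    return report


def sshd_config(setting_line=None):
    """Constructed minimal sshd_config with one MaxAuthTries line, or none at all."""
    body = ["# constructed sample sshd_config", "Port 22", "PermitRootLogin no"]
    if setting_line is not None:
        body.append(setting_line)
    return "\n".join(body) + "\n"


def maxauthtries_findings(setting_line=None):
    """Which of the three check lines fire for a given MaxAuthTries line."""
    report = audit(CHECK_TEXT, {"/etc/ssh/sshd_config": sshd_config(setting_line)})
    return next(iter(report.values()))


if __name__ == "__main__":
    for setting in ["MaxAuthTries 3", "MaxAuthTries 6", "#MaxAuthTries 6", None, "MaxAuthTries 13"]:
        print(repr(setting), "->", maxauthtries_findings(setting))
```

With `MaxAuthTries 3` nothing fires; `MaxAuthTries 6` trips the first line, `#MaxAuthTries 6` the second, a file without the directive the third, and `MaxAuthTries 13` slips past all three. If a check keeps showing up in rootcheck_control after a fix, feeding the live sshd_config through something like this separates "the check still matches" from "the database was not updated".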


Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
great, I will just do that :)
thanks for all your help!

Am Montag, 28. März 2016 17:56:09 UTC+2 schrieb dan (ddpbsd):
>
> On Mon, Mar 28, 2016 at 11:53 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Awesome, this worked! 
>
> Sweet. I'll submit a PR to change this. 
>
> > I'm going to work on some more postfix rules and decoders over the next 
> few 
> > days, because I have tons of Level 2 - Rule 1002 alerts that I want 
> gone. 
> > 
> > do you think they would be accepted (once they work properly) as a PR on 
> > github? 
> > 
>
> I think it would be worthwhile. To make it more likely to be accepted 
> include log samples or preferably tests in 
> contrib/ossec-testing/tests/. 
> You'll have to add a postfix.ini, but the file format is pretty simple. 
>
> > Am Montag, 28. März 2016 17:45:58 UTC+2 schrieb dan (ddpbsd): 
> >> 
> >> On Mon, Mar 28, 2016 at 11:42 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > Sorry, it's this one 
> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 
> >> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name 
> not 
> >> > found. Name service error for name=199.249.24.179.list.dsbl.org 
> type=A: 
> >> > Host 
> >> > not found, try again 
> >> > 
> >> 
> >> Thanks. It decodes fine for me (but who knows what I've done): 
> >> ossec-testrule: Type one log per line. 
> >> 
> >> 
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >>full event: '2016-03-23T01:09:28.962188+01:00 tron 
> >> postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup 
> >> error: Host or domain name not found. Name service error for 
> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> >>hostname: 'tron' 
> >>program_name: 'postfix/smtpd' 
> >>log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: 
> >> Host or domain name not found. Name service error for 
> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>decoder: 'postfix' 
> >> 
> >> Try changing the OpenSMTPd decoder to this: 
> >>  
> >>   ^smtpd 
> >>  
> >> 
> >> 
> >> > Am Montag, 28. März 2016 17:39:32 UTC+2 schrieb dan (ddpbsd): 
> >> >> 
> >> >> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > Thanks, Dan! 
> >> >> > I now almost got it fully working your advice was really good! 
> >> >> > Here's my problem, somehow the OpenBSD smtpd decoders fire instead 
> of 
> >> >> > the 
> >> >> > postfix... maybe I'd need to rearrange the order in the ossec.conf 
> to 
> >> >> > load 
> >> >> > the postfix decoders last. 
> >> >> > because it also triggers this 
> >> >> > 
> >> >> >  
> >> >> >   smtpd 
> >> >> >  
> >> >> > 
> >> >> > However, when I uncomment this, my new postfix decoder works just 
> >> >> > fine 
> >> >> > here's my postfix decoder: 
> >> >> >  
> >> >> >   true 
> >> >> >   postfix 
> >> >> >   ^warning:  
> >> >> >   \d+.\d+\d+\d+.\w+.\w+.\w+: 
>  
> >> >> >   srcip 
> >> >> >  
> >> >> > 
> >> >> 
> >> >> This doesn't work with the previous log sample you supplied, what 
> log 
> >> >> message are you currently using? 
> >> >> 
> >> >> > Here are my postfix rules: 
> >> >> >
> >> >> > postfix-rbl 
> >> >> > Grouping of the postfix RBL rules. 
> >> >> >
> >> >> > 
> >> >> >
> >> >> > 3395 
> >> >> >  RBL lookup error:  
> >> >> > Host or domain name not found. Name service 
> >> >> > error 
> >> >> > spam,pci_dss_10.6.1,pci_dss_11.4, 
> >> >> >
> >> >> > 
> >> >> > ossec-logtest is now able to detect it: 
> >> >> > **Phase 2: Comp

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Awesome, this worked!
I'm going to work on some more postfix rules and decoders over the next few 
days, because I have tons of Level 2 - Rule 1002 alerts that I want gone.

do you think they would be accepted (once they work properly) as a PR on 
github?

Am Montag, 28. März 2016 17:45:58 UTC+2 schrieb dan (ddpbsd):
>
> On Mon, Mar 28, 2016 at 11:42 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Sorry, it's this one 
> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 
> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not 
> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A: 
> Host 
> > not found, try again 
> > 
>
> Thanks. It decodes fine for me (but who knows what I've done): 
> ossec-testrule: Type one log per line. 
>
>
>
> **Phase 1: Completed pre-decoding. 
>full event: '2016-03-23T01:09:28.962188+01:00 tron 
> postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup 
> error: Host or domain name not found. Name service error for 
> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>hostname: 'tron' 
>program_name: 'postfix/smtpd' 
>log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: 
> Host or domain name not found. Name service error for 
> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>
> **Phase 2: Completed decoding. 
>decoder: 'postfix' 
>
> Try changing the OpenSMTPd decoder to this: 
>  
>   ^smtpd 
>  
>
>
> > Am Montag, 28. März 2016 17:39:32 UTC+2 schrieb dan (ddpbsd): 
> >> 
> >> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > Thanks, Dan! 
> >> > I now almost got it fully working your advice was really good! 
> >> > Here's my problem, somehow the OpenBSD smtpd decoders fire instead of 
> >> > the 
> >> > postfix... maybe I'd need to rearrange the order in the ossec.conf to 
> >> > load 
> >> > the postfix decoders last. 
> >> > because it also triggers this 
> >> > 
> >> >  
> >> >   smtpd 
> >> >  
> >> > 
> >> > However, when I uncomment this, my new postfix decoder works just 
> fine 
> >> > here's my postfix decoder: 
> >> >  
> >> >   true 
> >> >   postfix 
> >> >   ^warning:  
> >> >   \d+.\d+\d+\d+.\w+.\w+.\w+:  
> >> >   srcip 
> >> >  
> >> > 
> >> 
> >> This doesn't work with the previous log sample you supplied, what log 
> >> message are you currently using? 
> >> 
> >> > Here are my postfix rules: 
> >> >
> >> > postfix-rbl 
> >> > Grouping of the postfix RBL rules. 
> >> >
> >> > 
> >> >
> >> > 3395 
> >> >  RBL lookup error:  
> >> > Host or domain name not found. Name service 
> >> > error 
> >> > spam,pci_dss_10.6.1,pci_dss_11.4, 
> >> >
> >> > 
> >> > ossec-logtest is now able to detect it: 
> >> > **Phase 2: Completed decoding. 
> >> >decoder: 'postfix' 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >Rule id: '3396' 
> >> >Level: '6' 
> >> >Description: 'Host or domain name not found. Name service 
> error' 
> >> > **Alert to be generated. 
> >> > 
> >> > At the moment I really don't know how to prevent the clash with the 
> >> > openbsd 
> >> > decoder...hmm 
> >> > 
> >> > 
> >> > 
> >> > 
> >> > 
> >> > Am Montag, 28. März 2016 16:22:57 UTC+2 schrieb dan (ddpbsd): 
> >> >> 
> >> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > hmm, well I have this decoder in my ossec decoder set, 
> >> >> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml 
> >> >> >  
> >> >> >   ^warning:  
> >> >> >   ^(\S+): hostname (\s+) 
> verification 
> >> >> > failed 
> >> >> >   srcip 
> >> >> >  
> >> >> > 
> >> >> > don't remember if I have added this myself, or if it came with the 
> >> >> > 

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Sorry, it's this one
2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.
24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name 
service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, 
try again

Am Montag, 28. März 2016 17:39:32 UTC+2 schrieb dan (ddpbsd):
>
> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Thanks, Dan! 
> > I now almost got it fully working your advice was really good! 
> > Here's my problem, somehow the OpenBSD smtpd decoders fire instead of 
> the 
> > postfix... maybe I'd need to rearrange the order in the ossec.conf to 
> load 
> > the postfix decoders last. 
> > because it also triggers this 
> > 
> >  
> >   smtpd 
> >  
> > 
> > However, when I uncomment this, my new postfix decoder works just fine 
> > here's my postfix decoder: 
> >  
> >   true 
> >   postfix 
> >   ^warning:  
> >   \d+.\d+\d+\d+.\w+.\w+.\w+:  
> >   srcip 
> >  
> > 
>
> This doesn't work with the previous log sample you supplied, what log 
> message are you currently using? 
>
> > Here are my postfix rules: 
> >
> > postfix-rbl 
> > Grouping of the postfix RBL rules. 
> >
> > 
> >
> > 3395 
> >  RBL lookup error:  
> > Host or domain name not found. Name service 
> > error 
> > spam,pci_dss_10.6.1,pci_dss_11.4, 
> >
> > 
> > ossec-logtest is now able to detect it: 
> > **Phase 2: Completed decoding. 
> >decoder: 'postfix' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '3396' 
> >Level: '6' 
> >Description: 'Host or domain name not found. Name service error' 
> > **Alert to be generated. 
> > 
> > At the moment I really don't know how to prevent the clash with the 
> openbsd 
> > decoder...hmm 
> > 
> > 
> > 
> > 
> > 
> > Am Montag, 28. März 2016 16:22:57 UTC+2 schrieb dan (ddpbsd): 
> >> 
> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > hmm, well I have this decoder in my ossec decoder set, 
> >> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml 
> >> >  
> >> >   ^warning:  
> >> >   ^(\S+): hostname (\s+) verification 
> >> > failed 
> >> >   srcip 
> >> >  
> >> > 
> >> > don't remember if I have added this myself, or if it came with the 
> wazuh 
> >> > decoders 
> >> > then this decoder is used, by ossec-logtest 
> >> > but unfortunately my rule isn't triggering...hmm 
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> >full event: 'warning: 199.249.24.179.list.dsbl.org: RBL 
> lookup 
> >> > error: 
> >> > Host or domain name not found. Name service error for 
> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> >> >hostname: 'tron' 
> >> >program_name: '(null)' 
> >> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup 
> error: 
> >> > Host 
> >> > or domain name not found. Name service error for 
> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >decoder: 'postfix-failed' 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >Rule id: '1002' 
> >> >Level: '2' 
> >> >Description: 'Unknown problem somewhere in the system.' 
> >> > **Alert to be generated. 
> >> > 
> >> > I've now had a look in my maillog and found the exact log message as 
> >> > postfix 
> >> > logged it: 
> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 
> >> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name 
> not 
> >> > found. Name service error for name=199.249.24.179.list.dsbl.org 
> type=A: 
> >> > Host 
> >> > not found, try again 
> >> > 
> >> > after running this message now through ossec-logtest, I can see that 
> >> > another 
> >> > decoder matches, namely the smtpd decoder (openbsd_decoders.xml) 
> >> > 
> >> > **Phase 1: Completed pre-decodi

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Thanks, Dan!
I now almost got it fully working your advice was really good!
Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the 
postfix... maybe I'd need to rearrange the order in the ossec.conf to load 
the postfix decoders last.
because it also triggers this


  smtpd


However, when I uncomment this, my new postfix decoder works just fine
here's my postfix decoder:

  true
  postfix
  ^warning: 
  \d+.\d+\d+\d+.\w+.\w+.\w+: 
  srcip


Here are my postfix rules:
  
postfix-rbl
Grouping of the postfix RBL rules.
  

  
3395
 RBL lookup error: 
Host or domain name not found. Name service error

spam,pci_dss_10.6.1,pci_dss_11.4,
  

ossec-logtest is now able to detect it:
**Phase 2: Completed decoding.
   decoder: 'postfix'

**Phase 3: Completed filtering (rules).
   Rule id: '3396'
   Level: '6'
   Description: 'Host or domain name not found. Name service error'
**Alert to be generated.

At the moment I really don't know how to prevent the clash with the openbsd 
decoder...hmm





Am Montag, 28. März 2016 16:22:57 UTC+2 schrieb dan (ddpbsd):
>
> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > hmm, well I have this decoder in my ossec decoder set, 
> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml 
> >  
> >   ^warning:  
> >   ^(\S+): hostname (\s+) verification 
> > failed 
> >   srcip 
> >  
> > 
> > don't remember if I have added this myself, or if it came with the wazuh 
> > decoders 
> > then this decoder is used, by ossec-logtest 
> > but unfortunately my rule isn't triggering...hmm 
> > 
> > **Phase 1: Completed pre-decoding. 
> >full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup 
> error: 
> > Host or domain name not found. Name service error for 
> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> >hostname: 'tron' 
> >program_name: '(null)' 
> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: 
> Host 
> > or domain name not found. Name service error for 
> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> > 
> > **Phase 2: Completed decoding. 
> >decoder: 'postfix-failed' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '1002' 
> >Level: '2' 
> >Description: 'Unknown problem somewhere in the system.' 
> > **Alert to be generated. 
> > 
> > I've now had a look in my maillog and found the exact log message as 
> postfix 
> > logged it: 
> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 
> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not 
> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A: 
> Host 
> > not found, try again 
> > 
> > after running this message now through ossec-logtest, I can see that 
> another 
> > decoder matches, namely the smtpd decoder (openbsd_decoders.xml) 
> > 
> > **Phase 1: Completed pre-decoding. 
> >full event: '2016-03-23T01:09:28.962188+01:00 tron 
> > postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup 
> error: 
> > Host or domain name not found. Name service error for 
> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> >hostname: 'tron' 
> >program_name: 'postfix/smtpd' 
> >log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: 
> Host 
> > or domain name not found. Name service error for 
> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
> > 
> > **Phase 2: Completed decoding. 
> >decoder: 'smtpd' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '1002' 
> >Level: '2' 
> >Description: 'Unknown problem somewhere in the system.' 
> > **Alert to be generated. 
> > 
> > However, what am I doing wrong here? Why is this rule not triggering? 
> >
> > 3300 
> > RBL lookup error: 
> > Host or domain name not found. Name service 
> > error 
> > spam,pci_dss_10.6.1,pci_dss_11.4, 
> >
> > 
> > Am I missing something here? 
> > 
>
> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed: 
>
> postfix-reject 
> Grouping of the postfix reject rules. 
>
>
>
> > Am Montag, 28. März 2016 14:44:51 UTC+2 schrieb dan (ddpbsd): 
> >> 
> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare 
> >> <rockpr...@gmail.

[ossec-list] new postfix rule doesn't fire....

2016-03-25 Thread theresa mic-snare
Hi,

I'm trying to write my first rules, by extending the existing postfix rules.

Here's what I'm trying to test:

  3300
  RBL lookup error:
  Host or domain name not found. Name service error

  spam,


along with the log entry that I'm trying to test:
warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain 
name not found. Name service error for name=199.249.24.179.list.dsbl.org 
type=A: Host not found, try again

The rule is not firing; instead ossec-logtest is marking it as a "Level 2" 
alert "Unknown problem somewhere in the system."

What am I doing wrong here?

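Added example, not code from this thread or from OSSEC: a small model of the three ossec-logtest phases (pre-decoding, decoder selection, rule matching), just enough to reproduce what the replies above worked out. Tested with the bare message, there is no program_name, so a prematch-only decoder (postfix-failed) claims it and the generic rule 1002 fires; tested with the full syslog line, the unanchored `smtpd` program_name of the OpenSMTPD decoder is found inside `postfix/smtpd` and wins because it is loaded first; with Dan's `^smtpd` the postfix decoder gets the line and the RBL rule matches. The decoder regexes, the rule list and the second log line are assumptions of this example; the postfix line and the ids/levels 3396/6 and 1002/2 are the ones shown in the thread.

```python
import re

# Added example, not code from the thread or from OSSEC.  Decoder regexes,
# the rule table and the OpenSMTPD sample line are assumptions; the postfix
# line and the rule ids/levels come from the ossec-logtest output quoted above.

# Constructed sample input: the postfix line from the thread, a made-up
# OpenSMTPD line, and the header-less form of the postfix message that was
# tested first.
SAMPLE_LOGS = [
    "2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: "
    "199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. "
    "Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again",
    "Mar 28 10:00:00 mx smtpd[1234]: 3e6a8b2c smtp connected address=192.0.2.10",
    "warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found.",
]

# Syslog header: BSD or RFC 3339 timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT[\d:.+\-]+Z?)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s(?P<log>.*)$"
)


def predecode(line):
    """Phase 1: split off the syslog header; without one there is no program_name."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


# Decoder tables in load order: (name, program_name regex or None, prematch regex or None).
# OSSEC matches <program_name> with its own engine, but the behaviour that matters is the
# same as re.search: an unanchored 'smtpd' is found inside 'postfix/smtpd'.
DECODERS_BEFORE_FIX = [
    ("smtpd", r"smtpd", None),                 # openbsd_decoders.xml as it was loaded
    ("postfix", r"^postfix", None),            # assumed shape of the postfix parent decoder
    ("postfix-failed", None, r"^warning: "),   # no program_name: header-less lines land here
]
DECODERS_AFTER_FIX = [
    ("smtpd", r"^smtpd", None),                # Dan's change: anchor the program name
    ("postfix", r"^postfix", None),
    ("postfix-failed", None, r"^warning: "),
]


def pick_decoder(event, decoders):
    """Phase 2 (simplified): the first decoder in load order whose constraints hold wins."""
    for name, prog_re, pre_re in decoders:
        if prog_re is not None:
            if event["program_name"] is None or not re.search(prog_re, event["program_name"]):
                continue
        if pre_re is not None and not re.search(pre_re, event["log"]):
            continue
        return name
    return None


# Rules: (id, level, decoded_as or None, regex the log must contain, description).
# 1002 is a cut-down stand-in for OSSEC's generic "bad words" rule, which is what
# fires when nothing more specific claims the line.
RULES = [
    (3396, 6, "postfix", r"RBL lookup error:", "Host or domain name not found. Name service error"),
    (1002, 2, None, r"error|fail|warning|denied", "Unknown problem somewhere in the system."),
]


def match_rule(decoder, log):
    """Phase 3: the first rule whose decoded_as and match constraints hold."""
    for rid, level, dec, needle, desc in RULES:
        if dec is not None and dec != decoder:
            continue
        if not re.search(needle, log):
            continue
        return rid, level, desc
    return None


def analyse(line, decoders):
    """Return (decoder name, rule id) the way ossec-logtest reports them."""
    event = predecode(line)
    decoder = pick_decoder(event, decoders)
    hit = match_rule(decoder, event["log"])
    return decoder, (hit[0] if hit else None)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("before:", analyse(line, DECODERS_BEFORE_FIX),
              "after:", analyse(line, DECODERS_AFTER_FIX))
```

The practical lesson is the one the thread arrived at: always feed ossec-logtest the line as syslog wrote it, header included, because program_name is what routes the event to a decoder, and anchor program_name patterns with `^` so a decoder for one daemon cannot claim another daemon's lines.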


Re: [ossec-list] important questions on CDB lists

2016-03-25 Thread theresa mic-snare
excellent explanation, Dan! as always, thanks a lot :)

Am Dienstag, 22. März 2016 12:47:23 UTC+1 schrieb dan (ddpbsd):
>
> On Fri, Mar 18, 2016 at 3:42 PM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > ehlo *, 
> > 
> > I have an important question about CDB lists, as I'm just researching 
> for my 
> > thesis on OSSEC. 
> > yes, i've read the documentation on readthedocs, maybe i'm too daft to 
> > understand it. 
> > 
> > what I have done so far: 
> > 
> > I've created a file called "baddomains" in /var/ossec/lists/ 
> > content is from zeustracker 
> > (https://zeustracker.abuse.ch/blocklist.php?download=baddomains) 
> > 
> > I've added the list in the  section 
> > lists/baddomains 
> > 
> > i've run 
> >   # bin/ossec-makelists 
> > 
> > 
> > i'm not quite sure what the purpose of the CDB lists is should a 
> rule 
> > fire as soon as one of those domains (content of baddomains) is 
> attacking 
> > me?! 
> > I don't think i've yet understood the positive/negative key match of it 
> > 
> > can someone please explain it to me with a real-life example? 
> > 
>
> I have a list with bad domains: 
> rules/lists/ossec.block 
>
> I get them from the same place you do, and more. The format is: 
> DOMAIN:bad domain 
>
> I have rules that watch my dns server logs for queries, and compare 
> the domains with the cdb list: 
>
> 500101  
> lists/ossec.block 
> Bad domain. 
>
>
> It should compare the value of the url field to the cdb and alert on 
> any DOMAIN found. I stuck undeadly.org in my block list for testing. 
> ossec-testrule: Type one log per line. 
>
> **Phase 1: Completed pre-decoding. 
>full event: 'Mar 22 07:21:25 ix unbound: [5756:0] info: 
> 127.0.0.1 undeadly.org. A IN' 
>hostname: 'ix' 
>program_name: 'unbound' 
>log: '[5756:0] info: 127.0.0.1 undeadly.org. A IN' 
>
> **Phase 2: Completed decoding. 
>decoder: 'unbound' 
>srcip: '127.0.0.1' 
>url: 'undeadly.org' 
>
> **Phase 3: Completed filtering (rules). 
>Rule id: '500101' 
>Level: '0' 
>Description: 'DNS A request.' 
>
>
>
> Oops. So obviously I'm doing something wrong, but I haven't tried to 
> track it down yet. That's how it's supposed to work though. 
>
> > also what does CDB stand for? I haven't found that in the OSSEC Docs 
> > either 
> > common database? central database?! 
> > 
> > thanks, 
> > theresa 
> > 
>

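Added example, not code from this thread or from OSSEC: CDB is D. J. Bernstein's "constant database", the read-only hashed file format that ossec-makelists compiles each key:value text list into. The block below writes and reads that format, parses the list text in the `DOMAIN:bad domain` layout Dan describes, and evaluates the lookup modes a rule's list element can ask for (`match_key`, `not_match_key`, `match_key_value` with `check_value`) against a decoded event shaped like his unbound line. The list contents and the event are constructed; `address_match_key` and the other IP-oriented lookups are not modelled.

```python
import re
import struct

# Added example, not code from the thread or from OSSEC: a writer and reader
# for cdb files (the format behind ossec-makelists output) plus the lookup
# modes used by <list field=... lookup=... check_value=...> in a rule.

SAMPLE_LIST = """\
# constructed stand-in for lists/ossec.block (input to ossec-makelists)
undeadly.org:bad domain
malware.example:bad domain
"""

# Decoded event shaped like the unbound line in the ossec-logtest run above.
SAMPLE_EVENT = {"decoder": "unbound", "srcip": "127.0.0.1", "url": "undeadly.org"}


def cdb_hash(key):
    """cdb's hash: h = 5381; h = ((h << 5) + h) ^ c for each byte, mod 2**32."""
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def cdb_build(entries):
    """Serialise (key, value) byte pairs into a cdb image (bytes)."""
    out = bytearray(2048)                 # 256 x (table pos, table len), filled in last
    buckets = [[] for _ in range(256)]
    for key, value in entries:
        h = cdb_hash(key)
        buckets[h & 0xFF].append((h, len(out)))
        out += struct.pack("<II", len(key), len(value)) + key + value
    header = bytearray()
    for bucket in buckets:
        tlen = 2 * len(bucket)            # half-empty table guarantees a free slot
        table = [(0, 0)] * tlen
        for h, pos in bucket:
            slot = (h >> 8) % tlen
            while table[slot][1] != 0:    # linear probing; pos 0 is never a record
                slot = (slot + 1) % tlen
            table[slot] = (h, pos)
        header += struct.pack("<II", len(out), tlen)
        for h, pos in table:
            out += struct.pack("<II", h, pos)
    out[:2048] = header
    return bytes(out)


def cdb_get(image, key):
    """Return the value stored for key, or None if the key is absent."""
    h = cdb_hash(key)
    tpos, tlen = struct.unpack_from("<II", image, (h & 0xFF) * 8)
    if tlen == 0:
        return None
    slot = (h >> 8) % tlen
    for _ in range(tlen):
        h2, pos = struct.unpack_from("<II", image, tpos + slot * 8)
        if pos == 0:
            return None
        if h2 == h:
            klen, vlen = struct.unpack_from("<II", image, pos)
            if image[pos + 8:pos + 8 + klen] == key:
                return image[pos + 8 + klen:pos + 8 + klen + vlen]
        slot = (slot + 1) % tlen
    return None


def parse_list_text(text):
    """ossec-makelists input: one key:value per line, '#' comment lines ignored."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            yield key.encode(), value.encode()


def list_matches(image, event, field, lookup="match_key", check_value=None):
    """Evaluate a rule's <list> element against one decoded event."""
    value = cdb_get(image, event[field].encode())
    if lookup == "match_key":
        return value is not None
    if lookup == "not_match_key":
        return value is None
    if lookup == "match_key_value":
        return value is not None and re.search(check_value, value.decode()) is not None
    raise ValueError("unsupported lookup: " + lookup)


def build_sample_image():
    return cdb_build(parse_list_text(SAMPLE_LIST))


if __name__ == "__main__":
    image = build_sample_image()
    print("undeadly.org listed:", list_matches(image, SAMPLE_EVENT, "url"))
    print("openbsd.org listed:", list_matches(image, {"url": "openbsd.org"}, "url"))
```

The lookup is an exact byte comparison between the decoded field and the list key, so the decoder has to hand over the value in the same form the list uses (no trailing dot, consistent case), or the rule will never hit even though the domain is in the file.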


[ossec-list] important questions on CDB lists

2016-03-19 Thread theresa mic-snare
ehlo *,

I have an important question about CDB lists, as I'm just researching for 
my thesis on OSSEC.
Yes, I've read the documentation on readthedocs, maybe I'm too daft to 
understand it.

what I have done so far:

I've created a file called "baddomains" in /var/ossec/lists/
content is from zeustracker 
(https://zeustracker.abuse.ch/blocklist.php?download=baddomains)

I've added the list in the  section
lists/baddomains

I've run 
  # bin/ossec-makelists


I'm not quite sure what the purpose of the CDB lists is... should a rule 
fire as soon as one of those domains (content of baddomains) is attacking 
me?!
I don't think I've yet understood the positive/negative key match of it.

Can someone please explain it to me with a real-life example?

Also, what does CDB stand for? I haven't found that in the OSSEC Docs 
either.
Common database? Central database?!

thanks,
theresa



Re: [ossec-list] important questions on CDB lists

2016-03-19 Thread theresa mic-snare
Ahh, I think I've now got it :)
also found a very good example that showcases it better.

silly me ;)

Am Freitag, 18. März 2016 20:45:31 UTC+1 schrieb Eero Volotinen:
>
> Err. You must be joking? Try googling with 'CDB'.
>
> Eero
> 18.3.2016 9.42 ip. "theresa mic-snare" <rockpr...@gmail.com > 
> kirjoitti:
>
>> ehlo *,
>>
>> I have an important question about CDB lists, as I'm just researching for 
>> my thesis on OSSEC.
>> Yes, I've read the documentation on readthedocs; maybe I'm too daft to 
>> understand it.
>>
>> What I have done so far:
>>
>> I've created a file called "baddomains" in /var/ossec/lists/; the 
>> content is from zeustracker (
>> https://zeustracker.abuse.ch/blocklist.php?download=baddomains).
>>
>> I've added the list in the  section
>> lists/baddomains
>>
>> I've run 
>>   # bin/ossec-makelists
>>
>>
>> I'm not quite sure what the purpose of the CDB lists is. Should a rule 
>> fire as soon as one of those domains (content of baddomains) is attacking 
>> me?!
>> I don't think I've yet understood the positive/negative key match of it.
>>
>> Can someone please explain it to me with a real-life example?
>>
>> Also, what does CDB stand for? I haven't found that in the OSSEC Docs 
>> either. Common database? Central database?!
>>
>> thanks,
>> theresa
>>
>



Re: [ossec-list] sharing ossec more maltrail

2016-01-22 Thread theresa mic-snare
I'm not sure, but if I understood correctly I think Christian just wanted 
to share his new fancy decoder with us :)

Maybe it's best to submit it through a pull request on github so it wouldn't 
get lost here?!

@Christian: correct me if I misunderstood your post ;-)

Am Dienstag, 19. Januar 2016 22:55:40 UTC+1 schrieb Santiago Bassett:
>
> Hi Christian,
>
> What exactly is the question? Everything looks pretty good to me. Is it 
> not working? 
>
> Not sure about this regex:
>
> ^ \w+.\w+.\d+ (\d+) (\d+.\d+.\d+.\d+) (\w+) 
> (\d+) IP (\d+.\d+.\d+.\d+)
>
> Have you tried ossec-logtest?
>
> Best
>
> On Tue, Jan 19, 2016 at 8:30 AM, Christian Castro  > wrote:
>
>> Hello everyone, my first post here and sharing this idea!
>>
>>
>>
>> I'm looking at this tool, maltrail --> https://github.com/stamparm/maltrail
>>
>> And I think it will integrate with OSSEC!
>>
>>
>> LOGs of maltrail:
>>  tail -n 10 /var/log/maltrail/2016-01-19.log 
>> "2016-01-19 17:10:36.993361" my.host.666 84.74.125.85 44909 0.0.0.0 
>> 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+
>> binarydefense.com)"
>> "2016-01-19 17:10:37.029597" my.host.666 84.74.125.85 44909 0.0.0.0 
>> 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+
>> binarydefense.com)"
>> "2016-01-19 17:11:58.084216" my.host.666 84.74.125.85 34646 0.0.0.0 
>> 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+
>> binarydefense.com)"
>> "2016-01-19 17:11:58.051196" my.host.666 84.74.125.85 34646 0.0.0.0 
>> 51103 TCP IP 84.74.125.85 "tor exit node (suspicious)" "blutmagie.de (+
>> binarydefense.com)"
>>
>>
>>
>> ossec.conf
>>
>>   
>> /var/log/maltrail/%Y-%m-%d.log
>> syslog
>>   
>>
>> decoders.xml
>>
>> 
>>   ^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"
>> 
>>
>> 
>>   maltrail
>>   ^ my.host.666 (\d+) (\d+.\d+.\d+.\d+) 
>> (\w+) (\d+) IP (\d+.\d+.\d+.\d+)
>>   srcport, dstip, dstport,protocol, srcip
>> 
>>
>> local_rules.xml
>>
>> 
>>   
>> maltrail
>> MAILTRAIL KILLALL MDF app group.
>>   
>>
>>   
>> 11
>> 0.0.0.0
>> attack
>> Possible attack from fucking ips!?
>>   
>> 
>>
>>
>>
>> Ideas or suggestions?
>>
>> Thanks for reading!
>>
>>
>>
>>
>>
>
>


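Before a field layout is encoded as an OSSEC regex/order pair and tried with ossec-logtest, it helps to parse a few real lines with an ordinary regular expression and look at what comes out. The following is an added example for this thread, not code from maltrail or OSSEC. It assumes the layout visible in the posted lines: a quoted timestamp, the sensor name, then source ip, source port, destination ip, destination port, protocol, trail type, trail and two quoted strings (info and reference). The sample lines are constructed with RFC 5737 addresses and placeholder sensor and feed names.

```python
"""Parser for maltrail event lines in the layout posted in this thread.

Added example, not code from maltrail or OSSEC. It extracts the fields the
posted decoder names (srcip, srcport, dstip, dstport, protocol) plus the trail
type, trail and the two quoted strings, using a plain Python regex. Sample lines
are constructed (RFC 5737 addresses, placeholder sensor and feed names).
"""
import re
from collections import Counter

# Layout seen in the posted lines:
# "timestamp" sensor src_ip src_port dst_ip dst_port PROTO TYPE trail "info" "reference"
LINE_RE = re.compile(
    r'^"(?P<ts>[^"]+)"\s+'
    r"(?P<sensor>\S+)\s+"
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<srcport>\d+)\s+"
    r"(?P<dstip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dstport>\d+)\s+"
    r"(?P<protocol>[A-Z]+)\s+"
    r"(?P<trail_type>\S+)\s+(?P<trail>\S+)\s+"
    r'"(?P<info>[^"]*)"\s+"(?P<reference>[^"]*)"\s*$'
)

# Constructed sample log in the posted layout; the last line is deliberately malformed.
SAMPLE_LOG = """\
"2016-01-19 17:10:36.993361" sensor.example 192.0.2.10 44909 198.51.100.5 51103 TCP IP 192.0.2.10 "tor exit node (suspicious)" "feed-a (+feed-b)"
"2016-01-19 17:10:37.029597" sensor.example 192.0.2.10 44909 198.51.100.5 51103 TCP IP 192.0.2.10 "tor exit node (suspicious)" "feed-a (+feed-b)"
"2016-01-19 17:11:58.084216" sensor.example 203.0.113.7 34646 198.51.100.5 51103 TCP IP 203.0.113.7 "known attacker (malicious)" "feed-a"
this line is not a maltrail event and must be rejected
"""


def parse_line(line):
    """Return the event fields as a dict, or None when the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["srcport"] = int(event["srcport"])
    event["dstport"] = int(event["dstport"])
    return event


def parse_log(text):
    """Split a log into parsed events and the raw lines the regex rejected."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    return events, rejected


def hits_per_source(events):
    """Count (source ip, info) pairs, the aggregation a frequency rule would key on."""
    return Counter((e["srcip"], e["info"]) for e in events)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for key, n in hits_per_source(evs).items():
        print(n, key)
    print("rejected lines:", len(bad))
```

Keeping the rejected lines separate is the point of the exercise: a line that the decoder cannot match never reaches the rule, so the same layout check should be repeated with ossec-logtest once the regex is moved into decoders.xml.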

Re: [ossec-list] Very high load on stop ossec on Centos

2016-01-22 Thread theresa mic-snare
I think what Antonio meant was that the cause of your problem is already fixed 
in the source code on github.
So you either clone the repository on github and compile it yourself (then 
you have the latest release),
or you live with the problem and delete the stale files that you may find 
in /var/ossec looking like this:

ossec-hosts.1i6uugNQB3 
ossec-hosts.BFHjPh9dwg 
ossec-hosts.i4EvjkDXUh 
ossec-hosts.U3thtpzm6b 
ossec-hosts.1MeJfr9MGt 

but maybe I misread what Antonio described...

Am Freitag, 22. Januar 2016 10:23:42 UTC+1 schrieb Giorgio Biondi:
>
> Hi Antonio,
>
> Many thanks for the quick answer. 
>
> I have read it on github, but I'm not a coder and I don't understand what 
> to do to solve my problem. 
> Can you give me some 'hints' to reduce the load at service stop?
>
> Thanks for your time.
>
> Giorgio Biondi.
>



[ossec-list] Re: bugfix syscheck permission representation

2016-01-22 Thread theresa mic-snare
Hi Stephan,

welcome to the OSSEC mailing list :)
thanks for your contribution! Patches are usually submitted through pull 
requests on github. Do you have a github account?
Check out https://github.com/ossec/ossec-hids and try to see if you can 
submit your patch there! :)

best,
theresa

Am Donnerstag, 21. Januar 2016 14:50:26 UTC+1 schrieb Stephan Leemburg:
>
> Hi All, 
>
> I just subscribed to the list, so forgive me any ignorance about how 
> things 
> are organized at this list. 
>
> The reason I subscribed is to submit a patch. I am currently configuring 
> and 
> tuning OSSEC for use at Airbus Defense and Space and while testing, I 
> noticed: 
>
> PRE: 
> $ ls -l /etc/shadow 
> -rw-r----- 1 root shadow 1391 Dec 16 16:14 /etc/shadow 
>
> POST: 
> $ sudo chmod 660 /etc/shadow; ls -l /etc/shadow 
> -rw-rw---- 1 root shadow 1391 Dec 16 16:14 /etc/shadow 
>
> YIELDS: 
>
> OSSEC HIDS Notification. 
> 2016 Jan 21 11:10:28 
>
> Received From: (ssh_integrity_check_linux) root@vader->syscheck 
> Rule: 550 fired (level 7) -> "Integrity checksum changed." 
> Portion of the log(s): 
>
> Integrity checksum changed for: '/etc/shadow' 
> Permissions changed from '-w--t' to '-w--w-r-t' 
>
> in the database the permissions are: 
>
> #++1391:640:0:42:fa8049e0aeeb2311d43ab92ec8b1ad62:4e1895b70357ffda6f79b433bcc6c7fdb0aba368
>  
> !1453371028 /etc/shadow 
> !!+1391:620:0:42:fa8049e0aeeb2311d43ab92ec8b1ad62:4e1895b70357ffda6f79b433bcc6c7fdb0aba368
>  
> !1453374639 /etc/shadow 
>
> 640 interpreted as octal yields 1200 which is -w---t 
> 660 interpreted as octal yields 1224 which is -w--w--r-t 
>
> The source (analysisd/decoders/syscheck.c) reads (line 517:522): 
>
> /* Getting integer values */ 
> if(c_newperm && c_oldperm) 
> { 
> newperm = atoi(c_newperm); 
> oldperm = atoi(c_oldperm); 
> } 
>
> which should be: 
>
> /* Getting octal values */ 
> if(c_newperm && c_oldperm) 
> { 
> newperm = strtoul(c_newperm, 0, 8); 
> oldperm = strtoul(c_oldperm, 0, 8); 
> } 
>
> After patching and building, I now get (checksum changed because ossec was 
> added to my workstation): 
>
> OSSEC HIDS Notification. 
> 2016 Jan 21 14:16:12 
>
> Received From: (ssh_integrity_check_linux) root@vader->syscheck 
> Rule: 550 fired (level 7) -> "Integrity checksum changed." 
> Portion of the log(s): 
>
> Integrity checksum changed for: '/etc/shadow' 
> Size changed from '1391' to '1474' 
> Permissions changed from 'rw-rw----' to 'rw-rw-r--' 
> Old md5sum was: 'fa8049e0aeeb2311d43ab92ec8b1ad62' 
> New md5sum is : 'dda758ee0f33df721288104f6992d018' 
> Old sha1sum was: '4e1895b70357ffda6f79b433bcc6c7fdb0aba368' 
> New sha1sum is : '2d1779d001693420dc4e1c686232a9fd063d4c33' 
>
> I have attached a patch-file for it. 
>
> -- 
> With kind regards, 
> Met vriendelijke groet, 
> Stephan Leemburg 
> IT Functions 
>


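The post's fix replaces atoi() with strtoul(..., 8) because the permission field in the syscheck database is octal text. The Python below is an added example, not the OSSEC source: it reproduces the mix-up with int(text, 10) versus int(text, 8) and renders both readings as ls-style permission strings, so the wrong and right outputs for the 640 to 660 change can be compared directly. The record layout size:perm:uid:gid:md5:sha1 is taken from the database lines in the post; the checksums are replaced by placeholders.

```python
"""Decimal vs. octal reading of the syscheck permission field.

Added example for this thread, not the OSSEC source. syscheck stores the mode
as octal text ("640"). Reading that text in base 10, as atoi() does, yields a
different bit pattern than reading it in base 8, as strtoul(..., 8) does;
int(text, 10) and int(text, 8) play those two roles here. The records use the
size:perm:uid:gid:md5:sha1 layout from the post with placeholder checksums.
"""
import stat

OLD_RECORD = "1391:640:0:42:<md5-placeholder>:<sha1-placeholder>"
NEW_RECORD = "1391:660:0:42:<md5-placeholder>:<sha1-placeholder>"


def perm_field(record):
    """Extract the permission text (second colon-separated field) from a record."""
    return record.split(":")[1]


def render_perms(mode):
    """Render the low 12 mode bits the way ls does (rwxrwxrwx, with s/S and t/T)."""
    out = []
    # setuid marks the owner x slot, setgid the group x slot, sticky the other x slot
    specials = ((stat.S_ISUID, "s", "S"), (stat.S_ISGID, "s", "S"), (stat.S_ISVTX, "t", "T"))
    for shift, (flag, with_x, without_x) in zip((6, 3, 0), specials):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & flag:
            out.append(with_x if bits & 1 else without_x)
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def describe_change(old_record, new_record, base):
    """Return the (old, new) rwx strings for two records, reading the mode text in `base`."""
    old = int(perm_field(old_record), base)
    new = int(perm_field(new_record), base)
    return render_perms(old), render_perms(new)


if __name__ == "__main__":
    # base 10 mirrors atoi(): the sticky bit appears and the rwx bits are wrong
    print("atoi-style   :", describe_change(OLD_RECORD, NEW_RECORD, 10))
    # base 8 mirrors strtoul(text, 0, 8): the expected rw-r----- / rw-rw---- pair
    print("strtoul-style:", describe_change(OLD_RECORD, NEW_RECORD, 8))
```

Read in base 10, "640" is 0o1200 (sticky bit plus owner write), which is why the original alert showed a w and a t where rw-r----- was expected; read in base 8 both records render as the modes ls printed.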

[ossec-list] logcollector with sub directories -- wildcards?

2016-01-12 Thread theresa mic-snare
Hi,

I have a webserver with many vhosts, and each webspace has its own home 
directory where the apache logs are located.
Is there a way to use a wildcard like * to let the logcollector know in 
which directories to search?
I don't want to configure each directory in the ossec.conf on the agent.

I've tried /home/*/logs/
but it doesn't seem possible in the ossec.conf.

I see an "ERROR: Glob error. Invalid pattern"

What do you think?

best,
theresa



Re: [ossec-list] logcollector with sub directories -- wildcards?

2016-01-12 Thread theresa mic-snare
Yep, since the log files are tagged with a timestamp, like this: 
access_log-20160112
I've configured: 
"/home/*/logs/access_log_ssl-%Y%m%d"

The log file itself doesn't have the ".log" extension... maybe this is 
causing the problem?

Am Dienstag, 12. Januar 2016 12:32:54 UTC+1 schrieb dan (ddpbsd):
>
>
> On Jan 12, 2016 5:00 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > Hi,
> >
> > I have a webserver with many vhosts, and each webspace has its own home 
> directory where the apache logs are located.
> > Is there a way to use a wildcard like * to let the logcollector know in 
> which directories to search?
> > I don't want to configure each directory in the ossec.conf on the agent.
> >
> > I've tried /home/*/logs/
> > but it doesn't seem possible in the ossec.conf.
> >
> > I see an "ERROR: Glob error. Invalid pattern"
> >
>
> Did you try "/home/*/logs/log.log"? Some kind of globbing is available, but 
> I can't remember specifics (I don't use it).
>
> > What do you think?
> >
> > best,
> > theresa
> >
>



Re: [ossec-list] logcollector with sub directories -- wildcards?

2016-01-12 Thread theresa mic-snare
Hmm, I think I might have identified the problem...
the ossec docs say

strftime and wildcards cannot be used on the same entry.


strftime makes it possible to tag file names with timestamps, right?
But it seems it's not possible to combine it with wildcards in filenames 
:

It looks like I need to specify the logs for each home directory...meh

Am Dienstag, 12. Januar 2016 12:42:17 UTC+1 schrieb theresa mic-snare:
>
> Yep, since the log files are tagged with a timestamp, like this: 
> access_log-20160112
> I've configured: 
> "/home/*/logs/access_log_ssl-%Y%m%d"
>
> The log file itself doesn't have the ".log" extension... maybe this is 
> causing the problem?
>
> Am Dienstag, 12. Januar 2016 12:32:54 UTC+1 schrieb dan (ddpbsd):
>>
>>
>> On Jan 12, 2016 5:00 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > I have a webserver with many vhosts, and each webspace has its own home 
>> directory where the apache logs are located.
>> > Is there a way to use a wildcard like * to let the logcollector know in 
>> which directories to search?
>> > I don't want to configure each directory in the ossec.conf on the agent.
>> >
>> > I've tried /home/*/logs/
>> > but it doesn't seem possible in the ossec.conf.
>> >
>> > I see an "ERROR: Glob error. Invalid pattern"
>> >
>>
>> Did you try "/home/*/logs/log.log"? Some kind of globbing is available, 
>> but I can't remember specifics (I don't use it).
>>
>> > What do you think?
>> >
>> > best,
>> > theresa
>> >
>>
>


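Since strftime markers and wildcards cannot share one location entry, the wildcard can be expanded once, when the agent configuration is generated, and each vhost gets its own entry that keeps the %Y%m%d part. The script below is an added example for this thread, not OSSEC tooling. It uses the localfile, log_format and location element names from ossec.conf; the vhost home directories and the file name pattern are constructed from the thread, and discover_vhost_homes() is only needed when generating against a real /home.

```python
"""Generate per-vhost <localfile> entries so the strftime part can be kept.

Added example for this thread, not OSSEC tooling. Because strftime markers and
wildcards cannot be combined in one <location>, the wildcard is expanded here
at configuration-generation time and every vhost gets its own entry. Element
names (localfile, log_format, location) are the ones used in ossec.conf; the
directories below are constructed.
"""
import glob
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the result of expanding /home/*/logs on a real host.
VHOST_HOMES = ["/home/shop", "/home/blog", "/home/wiki"]


def discover_vhost_homes(root="/home"):
    """Expand root/*/logs on the real filesystem, the equivalent of the wildcard in the post."""
    return sorted(os.path.dirname(p) for p in glob.glob(os.path.join(root, "*", "logs")))


def localfile_entries(homes, pattern="logs/access_log_ssl-%Y%m%d", log_format="apache"):
    """Render one <localfile> block per home directory; strftime markers are left intact."""
    blocks = []
    for home in sorted(homes):
        # escape() keeps characters such as '&' in a path from breaking the XML
        location = escape(home.rstrip("/") + "/" + pattern)
        blocks.append(
            "<localfile>\n"
            f"  <log_format>{escape(log_format)}</log_format>\n"
            f"  <location>{location}</location>\n"
            "</localfile>"
        )
    return "\n".join(blocks)


def locations(config_fragment):
    """Parse the fragment back (wrapped in an <ossec_config> root) and return its locations.

    Parsing the generated text is the check that it is well-formed before it is
    pasted into the agent's ossec.conf.
    """
    root = ET.fromstring("<ossec_config>\n" + config_fragment + "\n</ossec_config>")
    return [lf.findtext("location") for lf in root.findall("localfile")]


if __name__ == "__main__":
    fragment = localfile_entries(VHOST_HOMES)
    print(fragment)
    print("entries:", len(locations(fragment)))
```

The generated fragment still has to be re-run whenever a vhost is added, which is the price of moving the wildcard out of the running agent; a cron job that regenerates the fragment and restarts the agent on change is the usual way to automate that.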

Re: [ossec-list] logcollector with sub directories -- wildcards?

2016-01-12 Thread theresa mic-snare
Hmm, for the time being I removed the %Y%m%d and just used wildcards instead.
I'm a little surprised that the agent also analyses the logs... I thought 
it was only collecting the logs (ossec-logcollector) and forwarding them to 
the master, which then does the decoding and analysing?!
I found this in the logs:
ossec-logcollector(1950): INFO: Analyzing file: /home/blabla/logs/access_log-20151229.gz


Am Dienstag, 12. Januar 2016 12:55:55 UTC+1 schrieb dan (ddpbsd):
>
>
> On Jan 12, 2016 6:47 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > Hmm, I think I might have identified the problem...
> > the ossec docs say
> >
> >> strftime and wildcards cannot be used on the same entry.
> >
> >
> > strftime makes it possible to tag file names with timestamps, right?
> > But it seems it's not possible to combine it with wildcards in filenames 
> :
> >
> > It looks like I need to specify the logs for each home directory...meh
> >
>
> Submit a patch or use the unixlike system you've been provided. 
>
> > Am Dienstag, 12. Januar 2016 12:42:17 UTC+1 schrieb theresa mic-snare:
> >>
> >> Yep, since the log files are tagged with a timestamp, like this: 
> access_log-20160112
> >> I've configured: 
> >> "/home/*/logs/access_log_ssl-%Y%m%d"
> >>
> >> The log file itself doesn't have the ".log" extension... maybe this is 
> causing the problem?
> >>
> >> Am Dienstag, 12. Januar 2016 12:32:54 UTC+1 schrieb dan (ddpbsd):
> >>>
> >>>
> >>> On Jan 12, 2016 5:00 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote:
> >>> >
> >>> > Hi,
> >>> >
> >>> > I have a webserver with many vhosts, and each webspace has its own 
> home directory where the apache logs are located.
> >>> > Is there a way to use a wildcard like * to let the logcollector know 
> in which directories to search?
> >>> > I don't want to configure each directory in the ossec.conf on the 
> agent.
> >>> >
> >>> > I've tried /home/*/logs/
> >>> > but it doesn't seem possible in the ossec.conf.
> >>> >
> >>> > I see an "ERROR: Glob error. Invalid pattern"
> >>> >
> >>>
> >>> Did you try "/home/*/logs/log.log"? Some kind of globbing is available, 
> but I can't remember specifics (I don't use it).
> >>>
> >>> > What do you think?
> >>> >
> >>> > best,
> >>> > theresa
> >>> >
> >
>



Re: [ossec-list] OSSEC-Docs link broken...

2016-01-06 Thread theresa mic-snare
Well, in the lang directory there are only various translations for dokuwiki 
included... simple txt files.
I suppose this rule triggered
d:$web_dirs -> ^id$;

because the language directory for Indonesian was called "id".
I removed all the translations now and only kept English and German.

I suppose this problem shouldn't occur anymore during rootcheck, but I'm 
sure there will be other false positives as well.
I think dokuwiki is considered fairly secure among the wiki tools.

Am Mittwoch, 6. Januar 2016 16:36:01 UTC+1 schrieb dan (ddpbsd):
>
> On Tue, Jan 5, 2016 at 4:16 PM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Hi guys, 
> > 
> > rootcheck (system audit) came up with a couple of alerts which reference 
> > this URL... sadly the link is broken... 
> > http://www.ossec.net/wiki/index.php/WebAttacks_links 
> > 
>
> It's an old wiki reference, so it's probably long gone. 
>
> > I've also tried searching the ossec-docs for web attacks...sadly to no 
> > avail. 
> > 
> > Any idea what it means? Because I don't really have a clue what it 
> > means.. 
> > System Audit: Web exploits (uncommon file name inside htdocs) - Possible 
> >  compromise. File: /var/www/html/dokuwiki/lib/plugins/config/lang/id. 
>
> It looks like there is a file named "id" in 
> /var/www/html/dokuwiki/lib/plugins/config/lang. Take a look at that 
> file, try to figure out what it is. 
>
> > Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links 
> > 
> > thanks, 
> > theresa 
> > 
>



Re: [ossec-list] Tuning OSSEC

2016-01-06 Thread theresa mic-snare
The updater-rules script is super cool; it takes the weight off my shoulders 
of having to update them manually. (Caution: only works for rules in the 
master branch!!)
Love it :)

Am Dienstag, 5. Januar 2016 20:16:46 UTC+1 schrieb Santiago Bassett:
>
> Forgot to mention all rules and decoders are fully compatible with any 
> OSSEC version higher than or equal to 2.8, so you can use those whether or not 
> you decide to use the other modules (for integration with ELK or the 
> RESTful API). There is actually a script/tool that can be used to keep the 
> rules updated.
>
> Best
>
> On Tue, Jan 5, 2016 at 11:14 AM, Santiago Bassett  > wrote:
>
>> Hi,
>>
>> the dashboards we have created can be found here:
>>
>> https://github.com/wazuh/ossec-wazuh/tree/master/extensions/kibana
>>
>> Regarding the rules, here is the repo:
>>
>> https://github.com/wazuh/ossec-rules
>>
>> When the rule is related to a PCI control, that information is included 
>> in the groups section, for example:
>>
>>   
>>
>> 18105
>>
>> 
>> ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$
>>
>> Windows Logon Failure.
>>
>> win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
>> 
>>
>>   
>>
>>
>> This, combined with the modified json output, allows us to create the 
>> dashboards for PCI in Kibana. 
>>
>> On the other hand we are about to publish rules/decoders for Amazon AWS 
>> (in case you happen to use it), you can already see the work we are doing 
>> in the development branch.
>>
>> Best
>>
>> On Tue, Jan 5, 2016 at 7:13 AM,  
>> wrote:
>>
>>> I took a look and it looks great, but I was wondering if you had any 
>>> customized dashboards or favorite OSSEC rules to share?
>>>
>>> Thanks for all the great work.
>>>
>>>
>>>
>>> On Tuesday, December 22, 2015 at 10:44:07 PM UTC-5, Santiago Bassett 
>>> wrote:

 Hi,

 in case you are interested, we have done some work integrating OSSEC 
 with ELK (especially for those using them to be compliant with PCI DSS, not 
 sure if this is the case), including the creation of Kibana dashboards.

 We have also created a RESTful API for OSSEC that we plan to use with 
 new Kibana plugins functionality (added in version 4.2), to be able to 
 monitor/control your OSSEC deployments from Kibana (e.g agent status, 
 syscheck or rootcheck settings, agent keys, loaded rules...)

 See more info in our website at: 
 http://documentation.wazuh.com/en/latest/ossec_elk.html

 Best regards,

 Santiago.

 On Thu, Dec 17, 2015 at 8:24 AM,  wrote:

> I've been tasked with tuning OSSEC.
>
> I'm wondering if there is a general guideline or process. We have 
> OSSEC feeding into ELK stack. What are folks' thoughts on tuning vs. 
> coming 
> up with better Kibana hunting searches?
>
> Thanks!
>
>

>>>
>>
>>
>



[ossec-list] OSSEC-Docs link broken...

2016-01-05 Thread theresa mic-snare
Hi guys,

rootcheck (system audit) came up with a couple of alerts which reference 
this URL... sadly the link is broken...
http://www.ossec.net/wiki/index.php/WebAttacks_links

I've also tried searching the ossec-docs for web attacks...sadly to no 
avail.

Any idea what it means? Because I don't really have a clue what it 
means..
System Audit: Web exploits (uncommon file name inside htdocs) - Possible compromise. File: /var/www/html/dokuwiki/lib/plugins/config/lang/id. Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links

thanks,
theresa



[ossec-list] maillog hostname verification failed -- spam

2015-12-30 Thread theresa mic-snare
Hi guys,

sorry, it's me again. Recently I've found myself flooded with one specific 
type of request. It seems automated because it happens hourly. Today I've 
had 16 of those so far:
postfix/smtpd[30215]: warning: 104.167.104.13: hostname Tor-Private.ru 
verification failed: Name or service not known

It started a few days ago.

It's classified as a Level 2 alert as "Unknown problem somewhere in the 
system."
and it originates from the postfix log /var/log/maillog

Here are my two questions:


   - Is there anything I could do to make it stop? I have already created 
   an iptables rule but it seems to go on (DROP   all  --  
   Tor-Private.ru   anywhere )
   - I would like to create a rule for it in the postfix_rules, so that it 
   doesn't say "Unknown problem somewhere in the system." ...
      - What would be an ideal fit? "attempted mail relay abuse" or 
      something like that?
   
What do you think?


best,

theresa


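The warning in this post is a single event that becomes interesting only through repetition, which is the frequency/timeframe idea behind many OSSEC rules. The script below is an added example for this thread, not an OSSEC rule or part of the postfix_rules file: it parses syslog-style maillog lines, keeps only the "hostname ... verification failed" warnings, and flags a client address once it has produced a threshold number of them inside a sliding time window, which is the detection a dedicated rule would give instead of the generic level 2 alert. The log lines are constructed (RFC 5737 addresses, a placeholder hostname) and the year is supplied by the caller because syslog timestamps carry none.

```python
"""Frequency-based detection for the postfix hostname-verification warning.

Added example for this thread, not an OSSEC rule. It parses syslog-style
maillog lines, keeps the "hostname ... verification failed" warnings and flags
a client address once it produces `threshold` warnings within `window` seconds,
the same idea as the frequency/timeframe attributes of an OSSEC rule. Log
lines are constructed (RFC 5737 addresses, placeholder hostnames).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): hostname (?P<host>\S+) "
    r"verification failed: (?P<reason>.*)$"
)

# Constructed maillog excerpt: one source repeats the warning hourly, one does not,
# and one line is an unrelated postfix message that must be ignored.
SAMPLE_MAILLOG = """\
Dec 30 10:03:11 mail postfix/smtpd[30215]: warning: 192.0.2.10: hostname placeholder.invalid verification failed: Name or service not known
Dec 30 10:05:40 mail postfix/smtpd[30220]: connect from unknown[198.51.100.7]
Dec 30 11:03:14 mail postfix/smtpd[30301]: warning: 192.0.2.10: hostname placeholder.invalid verification failed: Name or service not known
Dec 30 11:30:02 mail postfix/smtpd[30333]: warning: 198.51.100.7: hostname other.invalid verification failed: Name or service not known
Dec 30 12:03:09 mail postfix/smtpd[30402]: warning: 192.0.2.10: hostname placeholder.invalid verification failed: Name or service not known
Dec 30 13:03:12 mail postfix/smtpd[30510]: warning: 192.0.2.10: hostname placeholder.invalid verification failed: Name or service not known
"""


def parse_line(line, year=2015):
    """Return the warning's fields, or None for lines that are not this warning."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "ip": m["ip"], "host": m["host"], "reason": m["reason"]}


def repeat_offenders(lines, threshold=3, window=4 * 3600):
    """Map ip -> (count when flagged, claimed hostname) for sources reaching the threshold."""
    recent = defaultdict(deque)   # per-ip timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = (len(q), ev["host"])
    return flagged


if __name__ == "__main__":
    for ip, (count, host) in repeat_offenders(SAMPLE_MAILLOG.splitlines()).items():
        print(f"{ip}: {count} failed hostname verifications, claimed {host}")
```

The threshold and window map onto the frequency and timeframe attributes an OSSEC rule would carry, and keying on the client address rather than the claimed hostname matters because the hostname is whatever the client asserts.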

Re: [ossec-list] Nothing returned (or search expired)

2015-12-28 Thread theresa mic-snare
Hi Vipin,

ok, does the tmp directory exist inside your ossec installation?
This directory should belong to root:apache, or whatever the group for the 
webserver user is called.

I had this problem a while ago too, and I think this was my issue, along 
with some missing SELinux permissions...

What do the webserver logs say?

best,
theresa

Am Montag, 28. Dezember 2015 04:57:51 UTC+1 schrieb Vipin Hooda:
>
> Hi Theresa,
>
>  
>
> Selinux is in disabled mode.
>
>  
>
>  
>
> Regards
>
> *Vipin Hooda*
>
>  
>
> *From:* ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] *On Behalf Of *theresa mic-snare
> *Sent:* 27 December 2015 22:13
> *To:* ossec-list
> *Subject:* Re: [ossec-list] Nothing returned (or search expired)
>
>  
>
> Hi Vipin,
>
> out of curiosity, do you have SELinux enabled?
> Do you have it set to enforcing?
>
> best,
> theresa
>
> Am Freitag, 25. Dezember 2015 13:13:10 UTC+1 schrieb Vipin Hooda:
>
> Hi Dan, 
>
> Yes we have log level 7 alerts in OSSEC-WUI but I do not know from where I 
> can find PHP error details. So kindly guide. 
>
>
> Regards 
> Vipin Hooda 
>
> -----Original Message----- 
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On 
> Behalf Of dan (ddp) 
> Sent: 24 December 2015 18:44 
> To: ossec...@googlegroups.com 
> Subject: Re: [ossec-list] Nothing returned (or search expired) 
>
> On Thu, Dec 24, 2015 at 4:25 AM,  <vi...@acpl.com> wrote: 
> > Hi, 
> > 
> > We have installed OSSEC-WUI but when we search log level 7 then we are 
> > getting the error "Total alerts found: 5 Nothing returned (or search 
> expired)". 
> > Can someone help to fix the issue. 
> > 
>
> Are there any level 7 alerts in alerts.log? 
> Are there any PHP errors that might explain this? 
>
> > Regards 
> > Vipin Hooda 
> > 
>
>
>



Re: [ossec-list] Nothing returned (or search expired)

2015-12-28 Thread theresa mic-snare
Yeah, check whether your webserver logs show something like this:

Warning: opendir(/var/ossec/etc/ossec.conf) [function.opendir]: failed to open dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94



Am Montag, 28. Dezember 2015 16:44:07 UTC+1 schrieb dan (ddpbsd):
>
> On Fri, Dec 25, 2015 at 7:12 AM, Vipin Hooda  
> wrote: 
> > Hi Dan, 
> > 
> > Yes we have log level 7 alerts in OSSEC-WUI but I do not know from where 
> I can find PHP error details. So kindly guide. 
> > 
>
> I believe it will be in your webserver's error log. 
>
> > 
> > Regards 
> > Vipin Hooda 
> > 
> > -----Original Message----- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> > Sent: 24 December 2015 18:44 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] Nothing returned (or search expired) 
> > 
> > On Thu, Dec 24, 2015 at 4:25 AM,   wrote: 
> >> Hi, 
> >> 
> >> We have installed OSSEC-WUI but when we search log level 7 then we are 
> >> getting the error "Total alerts found: 5 Nothing returned (or search 
> expired)". 
> >> Can someone help to fix the issue. 
> >> 
> > 
> > Are there any level 7 alerts in alerts.log? 
> > Are there any PHP errors that might explain this? 
> > 
> >> Regards 
> >> Vipin Hooda 
> >> 
> > 
> > 
>



Re: [ossec-list] Nothing returned (or search expired)

2015-12-27 Thread theresa mic-snare
Hi Vipin,

out of curiosity, do you have SELinux enabled?
Do you have it set to enforcing?

best,
theresa

Am Freitag, 25. Dezember 2015 13:13:10 UTC+1 schrieb Vipin Hooda:
>
> Hi Dan, 
>
> Yes we have log level 7 alerts in OSSEC-WUI but I do not know from where I 
> can find PHP error details. So kindly guide. 
>
>
> Regards 
> Vipin Hooda 
>
> -----Original Message----- 
> From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> Sent: 24 December 2015 18:44 
> To: ossec...@googlegroups.com  
> Subject: Re: [ossec-list] Nothing returned (or search expired) 
>
> On Thu, Dec 24, 2015 at 4:25 AM,   wrote: 
> > Hi, 
> > 
> > We have installed OSSEC-WUI but when we search log level 7 then we are 
> > getting the error "Total alerts found: 5 Nothing returned (or search 
> expired)". 
> > Can someone help to fix the issue. 
> > 
>
> Are there any level 7 alerts in alerts.log? 
> Are there any PHP errors that might explain this? 
>
> > Regards 
> > Vipin Hooda 
> > 
>
> -- 
>
> --- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "ossec-list" group. 
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/ossec-list/RSn2zhXabEs/unsubscribe. 
> To unsubscribe from this group and all its topics, send an email to 
> ossec-list+...@googlegroups.com . 
> For more options, visit https://groups.google.com/d/optout. 
>
>



[ossec-list] multiple errors during rootcheck

2015-12-23 Thread theresa mic-snare
hi everyone,

I'm receiving multiple errors during rootcheck... I think we discussed this 
a couple of months ago...and from what I remember it would be fixed in the 
next release?
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such 
file or directory
2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such 
file or directory
2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such 
file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such 
file or directory

I'm still using the old stable version 2.8 (no idea which minor version, 
because in ossec-init.conf it only says 2.8)
Has this been fixed in 2.9 ?

and where do these statfs errors come from anyway? I don't think I have 
this in the ossec.conf so it must come from a .c file

and I've also got this error recently:
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: 
'/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. -1 
28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 28

no idea why this cannot be added to real time monitoring.
any ideas?

sorry, if this has been asked before!

best,
theresa



Re: [ossec-list] multiple errors during rootcheck

2015-12-23 Thread theresa mic-snare
Hi Dan,

thanks for the pull request.
When upgrading to 2.9, would I need to uninstall my current ossec 
installation, or is there an upgrade scenario?
Would this mean I would lose my current data (e.g. alerts, logs, etc.)?
Because if so, I will wait till February to install OSSEC 2.9, after my 
thesis project has been accepted and finalized.

you were right, the two errors were unrelated.
I ran out of inodes previously; I couldn't even run a tail of the ossec.log 
anymore. I had it set to 8192 and then increased it to 16384.
The syscheck errors disappeared then...

On Wednesday, 23 December 2015 13:46:25 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 7:15 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > hi everyone, 
> > 
> > I'm receiving multiple errors during rootcheck... I think we discussed 
> this 
> > a couple of months ago...and from what I remember it would be fixed in 
> the 
> > next release? 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No 
> such 
> > file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such 
> > file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such 
> > file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No 
> such 
> > file or directory 
> > 
> > I'm still using the old stable version 2.8 (no idea which minor version, 
> > because in ossec-init.conf it only says 2.8) 
> > Has this been fixed in 2.9 ? 
> > 
>
> Download the beta and see: 
> https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view 
> But no, I don't think it was. The PR I submitted for this was never 
> accepted, and it looks like I deleted the branch several months after 
> submitting it. So here's a new pull request: 
> https://github.com/ossec/ossec-hids/pull/720 
>
> > and where do these statfs errors come from anyway? I don't think I have 
> this 
> > in the ossec.conf so it must come from a .c file 
> > 
> > and I've also got this error recently: 
> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 
> 28 
> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 
> 28 
> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: 
> > '/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. 
> -1 
> > 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 
> 28 
> > 
> > no idea why this cannot be added to real time monitoring. 
> > any ideas? 
> > 
>
> I don't think these issues are related. Have you run out of space? Run 
> out of inodes? Have some special permission or SELinux policy blocking 
> the operation? 
>
> > sorry, if this has been asked before! 
> > 
> 
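
The two numbers at the end of each "Unable to add directory to real time monitoring" line are the inotify_add_watch(2) return value (-1) and errno (28). errno 28 is ENOSPC, which inotify returns when the calling user's watch limit (fs.inotify.max_user_watches, whose Linux default is 8192) has been reached, so the number of directories syscheck is asked to watch in real time is what matters here. As an added example (my code, not part of the thread or of OSSEC), the Python below parses such lines out of a constructed ossec.log sample, maps each errno to its name and the usual inotify cause, groups the failures so one root cause shows up as one line, and reads the current watch limit when run on Linux; the hint table and sample lines are my own.

```python
import errno
import re

# Constructed sample in the ossec.log format quoted in this thread; the paths
# and the trailing "-1 28" are taken from the messages above.
SAMPLE_LOG = """\
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 28
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
"""

# "...monitoring: '<path>'. <return value> <errno>"
REALTIME_RE = re.compile(
    r"ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: "
    r"'(?P<path>[^']+)'\. (?P<ret>-?\d+) (?P<errno>\d+)$"
)

# What each errno means when it comes back from inotify_add_watch(2).
INOTIFY_HINTS = {
    errno.ENOSPC: "inotify watch limit reached; raise fs.inotify.max_user_watches",
    errno.ENOENT: "directory no longer exists",
    errno.EACCES: "read permission denied on the directory",
    errno.ENOMEM: "kernel could not allocate the watch",
}


def parse_realtime_errors(log_text):
    """Return one dict per realtime-monitoring failure found in log_text."""
    results = []
    for line in log_text.splitlines():
        m = REALTIME_RE.search(line)
        if not m:
            continue  # other ossec.log lines (e.g. the statfs ones) are ignored
        code = int(m.group("errno"))
        results.append({
            "path": m.group("path"),
            "errno": code,
            "name": errno.errorcode.get(code, "UNKNOWN"),
            "hint": INOTIFY_HINTS.get(code, "see errno(3) for this value"),
        })
    return results


def summarize(log_text):
    """Group failures by errno, so one root cause is reported once with a count."""
    counts = {}
    for r in parse_realtime_errors(log_text):
        key = (r["errno"], r["name"], r["hint"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def read_max_user_watches(path="/proc/sys/fs/inotify/max_user_watches"):
    """Current inotify watch limit, or None when not on Linux or unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for (code, name, hint), n in summarize(SAMPLE_LOG).items():
        print(f"errno {code} ({name}): {n} directories -> {hint}")
    print("fs.inotify.max_user_watches =", read_max_user_watches())
```

Run it against a real `/var/ossec/logs/ossec.log` by replacing `SAMPLE_LOG` with the file's contents; if the count under ENOSPC is close to the value printed for max_user_watches, the limit is the cause.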

Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-22 Thread theresa mic-snare
hmm, it looks as if ossec-maild has a problem with my ssmtp.
ssmtp works fine, because it sent me an automated/generated email at 2:43 
in the morning.
I've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more 
info to debug.

what surprises me is that on netstat ssmtp isn't showing any open 
connections.
to me it looks like it's only opening a connection when it wants to send an 
email; there's no permanent open connection.

here's my ssmtp.conf
AuthUser=xx...@gmail.com
AuthPass=x
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
Debug=YES

and my open connections:
netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address   State    User  Inode    PID/Program name
tcp        0      0 0.0.0.0:3306                0.0.0.0:*         LISTEN   27    3725594  1313/mysqld
tcp        0      0 0.0.0.0:22                  0.0.0.0:*         LISTEN   0     11227    1216/sshd
tcp        0      0 :::22                       :::*              LISTEN   0     11232    1216/sshd
tcp        0      0 :::8080                     :::*              LISTEN   0     11642    1550/httpd
tcp        0      0 :::80                       :::*              LISTEN   0     11638    1550/httpd
udp        0      0 0.0.0.0:1514                0.0.0.0:*                  0     13181    1926/ossec-remoted
udp        0      0 78.41.116.116:123           0.0.0.0:*                  0     11350    1256/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                  0     11346    1256/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                  0     11339    1256/ntpd
udp        0      0 ::1:123                     :::*                       0     11352    1256/ntpd
udp        0      0 fe80::5054:ff:fef6:4b74:123 :::*                       0     11351    1256/ntpd
udp        0      0 :::123                      :::*                       0     11340    1256/ntpd

I'm happy to do a TCPdump but at the moment I don't really know what to 
filter for...
is ossec-maild listening on a specific port or on the default port 25 for smtp?

thanks,
theresa

On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>
> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Hi everyone, 
> > 
> > today I've noticed a problem with the ossec-maild process. 
> > The ossec.log keeps saying 
> > 
> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server) 
> > 
> > Of course I started troubleshooting the problem and tried to send 
> several 
> > test-emails from the ossec master. 
> > I'm using ssmtp through my google-mail account by the way. 
> > All test mails that I sent arrived immediately, so sending mails through 
> my 
> > MTA seems to work as usual. 
> > 
> > Then I checked the mail log /var/log/maillog-20151220 
> > which to my surprise has the latest mail entry from yesterday 19:30 
> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org 
>  (221 2.0.0 
> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache 
> > outbytes=1898 
> > 
> > changed the email address to b...@bla.org  for 
> demonstration purposes... 
> > 
> > 
> > at least the two test emails that I just send should appear in this log, 
> > right? 
> > 
> > I know that the root cause to this problem is NOT an ossec 
> problembut 
> > maybe you have an idea what the problem might be? 
> > I've checked the quota settings in my gmail account, (so far only 10% 
> > used...) 
> > I've also checked the disk space on my ossec master, still 21GB left on 
> / 
> > (where also /var is mounted) 
> > 
> > so I doubt it's a quota or diskspace problem. 
> > i've also restarted (stopped and started) ossec, to see if any zombie 
> > processes still allocated the filesystem, and it therefore showed that 
> > plenty of diskspace was available. 
> > but even after the restart of ossec it still shows that it has plenty of 
> > diskspace available. 
> > 
> > any other ideas how I could troubleshoot this problem? 
> > 
>
> Make sure ssmtp is still listening on 127.0.0.1. 
> Use tcpdump or something similar to sniff the traffic between 
> ossec-maild and ssmtp. 
> Turn on debugging on ss
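
With a hostname or IP in `<smtp_server>`, ossec-maild opens a TCP connection to that address on port 25 and speaks SMTP itself; the "Error Sending email to 127.0.0.1 (smtp server)" line means nothing accepted that connection. ssmtp is a sendmail-style program that runs only when a mail is handed to it, which is why netstat shows no listener for it; something has to accept connections on 127.0.0.1:25 for maild to succeed. As an added check (my code, not the thread's or OSSEC's), the Python below pulls the target out of the maild error line, connects the same way maild does and reads the greeting, reporting a refused connection separately from a bad banner. The fake listener and the timestamp on the sample log line are constructed so the example runs offline.

```python
import re
import socket
import threading

# ossec-maild names the smtp_server it tried in this line (format from the thread above).
MAILD_ERROR_RE = re.compile(
    r"ossec-maild\(\d+\): ERROR: Error Sending email to (?P<host>\S+) \(smtp server\)"
)
SMTP_PORT = 25  # ossec-maild always connects to port 25 of smtp_server


def smtp_target_from_log(line):
    """Return (host, port) that ossec-maild tried to reach, or None if the line does not match."""
    m = MAILD_ERROR_RE.search(line)
    return (m.group("host"), SMTP_PORT) if m else None


def check_smtp_banner(host, port, timeout=3.0):
    """Connect like ossec-maild and read the SMTP greeting.

    Returns {'ok': bool, 'banner': str|None, 'error': str|None}; 'ok' is True
    only when a 220 greeting came back, so a refused or silent port is visible."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(512).decode("ascii", "replace").strip()
            s.sendall(b"QUIT\r\n")  # end the session cleanly
            try:
                s.recv(64)  # 221 reply from a real MTA; ignore if absent
            except OSError:
                pass
    except OSError as exc:  # ECONNREFUSED, timeout, unreachable, ...
        return {"ok": False, "banner": None, "error": f"{type(exc).__name__}: {exc}"}
    return {"ok": banner.startswith("220"), "banner": banner, "error": None}


class FakeSmtpListener:
    """Constructed stand-in for a local MTA: sends a 220 greeting and answers QUIT.

    Exists only so the check can be exercised offline; it is not ssmtp."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.host, self.port = self.sock.getsockname()[:2]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self.sock.accept()
        with conn:
            try:
                conn.sendall(b"220 mta.example ESMTP ready\r\n")
                conn.recv(64)  # the client's QUIT
                conn.sendall(b"221 2.0.0 Bye\r\n")
            except OSError:
                pass  # client went away early; nothing to clean up

    def close(self):
        self.sock.close()


def unused_local_port():
    """Pick a localhost port with no listener, to demonstrate the refused case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed sample line; the message text matches the one quoted in the thread.
    log_line = "2015/12/20 13:40:01 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)"
    host, port = smtp_target_from_log(log_line)
    print("maild target from log:", host, port)
    print("that target now:", check_smtp_banner(host, port, timeout=1.0))
    mta = FakeSmtpListener()
    print("fake listener:", check_smtp_banner(mta.host, mta.port))
    mta.close()
    print("closed port:", check_smtp_banner("127.0.0.1", unused_local_port()))
```

If the real 127.0.0.1:25 check reports ConnectionRefusedError, the fix is on the MTA side (a daemon bound to loopback port 25), not in ossec-maild; a banner other than 220 points at the MTA rejecting the session before maild even sends MAIL FROM.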

Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-22 Thread theresa mic-snare
*FACEPALM*

problem solved. This is too embarrassing :(((
epic fail!


[ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-20 Thread theresa mic-snare
Hi everyone,

today I've noticed a problem with the ossec-maild process.
The ossec.log keeps saying

ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

Of course I started troubleshooting the problem and tried to send several 
test-emails from the ossec master.
I'm using ssmtp through my google-mail account by the way.
All test mails that I sent arrived immediately, so sending mails through my 
MTA seems to work as usual.

Then I checked the mail log /var/log/maillog-20151220
which to my surprise has the latest mail entry from yesterday 19:30
Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0 
closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache 
outbytes=1898

changed the email address to b...@bla.org for demonstration purposes...


at least the two test emails that I just sent should appear in this log, 
right?

I know that the root cause of this problem is NOT an ossec problem, but 
maybe you have an idea what the problem might be?
I've checked the quota settings in my gmail account, (so far only 10% 
used...) 
I've also checked the disk space on my ossec master, still 21GB left on / 
(where also /var is mounted)

so I doubt it's a quota or diskspace problem.
i've also restarted (stopped and started) ossec, to see if any zombie 
processes still allocated the filesystem, and it therefore showed that 
plenty of diskspace was available.
but even after the restart of ossec it still shows that it has plenty of 
diskspace available.

any other ideas how I could troubleshoot this problem?

thanks,
theresa



[ossec-list] Re: ossec-maild Error Sending email to 127.0.0.1

2015-12-20 Thread theresa mic-snare
oh and I should also mention that ssmtp and ossec-maild worked fine for 
many many months now...
so, yes it has worked in the past just fine.




[ossec-list] disable Active Response on individual servers

2015-12-18 Thread theresa mic-snare
Hi all,

please correct me if I am wrong, I just noticed that the active response 
can only be disabled on the master but not on individual agents.
is that true?

I think it's a shame, because I just want to use it only on specific 
machines, that are exposed to the bad bad internet :)
I know I could just whitelist all the internal IPs, because it's unlikely 
that an attack could be started from inside...

wouldn't it be nice to have the possibility to just

  
yes
  

on the agent ossec.conf ? :

is there any reason it can only be controlled from the master?
i'd like to understand it better.

thanks,
theresa
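
The setting being discussed is the `<disabled>` option of the `<active-response>` block in ossec.conf. Added here as an illustration (not quoted from the thread), this is the block as it is written on an agent; the surrounding `<ossec_config>` element is the agent's normal top-level element:

```xml
<ossec_config>
  <!-- Turns active response off entirely on this agent. After a restart,
       ossec-execd logs "Active response disabled. Exiting." and ossec-agentd
       logs that it could not connect to the (disabled) active response queue. -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
```

Agents that are not exposed keep this block; the internet-facing machines omit it (or set it to `no`) and receive the responses the server triggers.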



Re: [ossec-list] disable Active Response on individual servers

2015-12-18 Thread theresa mic-snare
so, does this mean it is also possible to disable it with the above 
mentioned syntax in the ossec.conf on the agent?

sorry for double-checking and the stupid question, but I haven't found it 
in the official docs:

Active-response options are available in the following installation 
> types:
>
>- server
>- local
>
>
the yes tag is one of those options, right?!

and shouldn't there also be a log entry in the ossec.conf, something like 
this
ossec-execd(1350): INFO: Active response disabled. Exiting.

after restarting the agent?
i haven't found this log entry after disabling it in the ossec.conf on the 
agent and restarted this agent afterwards.

On Friday, 18 December 2015 15:55:38 UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Hi all, 
> > 
> > please correct me if I am wrong, I just noticed that the active response 
> can 
> > only be disabled on the master but not on individual agents. 
> > is that true? 
> > 
> > I think it's a shame, because I just want to use it only on specific 
> > machines, that are exposed to the bad bad internet :) 
> > I know I could just whitelist all the internal IPs, because it's 
> unlikely 
> > that an attack could be started from inside... 
> > 
> > wouldn't it be nice to have the possibility to just 
> > 
> >
> > yes 
> >
> > 
> > on the agent ossec.conf ? : 
> > 
> > is there any reason it can only be controlled from the master? 
> > i'd like to understand it better. 
> > 
>
> That should work to disable AR (as a whole) on the agent. 
>
> > thanks, 
> > theresa 
> > 



Re: [ossec-list] disable Active Response on individual servers

2015-12-18 Thread theresa mic-snare
thank you, dan!
I appreciate all the effort that is being put into the ossec documentation.
It makes my life, and I'm sure others' as well, so much easier :)

On Friday, 18 December 2015 17:40:43 UTC+1, dan (ddpbsd) wrote:
>
>
> On Dec 18, 2015 11:21 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > I'm such a fool *bangs head against the wall*
> >
> > it was sitting right there in the ossec.log ...my eyes just didn't see.
> >
> >
> >> 2015/12/18 15:29:51 ossec-execd(1350): INFO: Active response disabled. 
> Exiting.
> >> 2015/12/18 15:29:54 ossec-agentd: INFO: Unable to connect to the active 
> response queue (disabled).
> >>
> >
> > so all is fine now :)
> >
> > from my understanding of the ossec-doc regarding AR was, that those 
> options were only available on the master.
> > initally i thought that AR was only configured and controlled by the 
> master.
> >
>
> I'll try to adjust the docs again, maybe spend more than 2 minutes on it.
>
> > thanks as usual for your quick answers!! :) 
> >
> > On Friday, 18 December 2015 17:09:47 UTC+1, dan (ddpbsd) wrote:
> >>
> >>
> >> On Dec 18, 2015 11:00 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote:
> >> >
> >> > so, does this mean it is also possible to disable it with the above 
> mentioned syntax in the ossec.conf on the agent?
> >> >
> >>
> >> Yes.
> >>
> >> > sorry for double-checking and the stupid question, but I haven't 
> found it in the official docs:
> >> >
> >> >> Active-reponse options are available in the the following 
> installation types:
> >> >>
> >> >> server
> >> >> local
> >> >
> >> >
> >> > the yes tag is one of those options, right?!
> >> >
> >>
> >> As usual my poor grasp of the English language is causing the 
> confusion. That option is available on agents. It disables AR entirely for 
> that agent. So far no one has brought up the situation of disabling it 
> entirely on some agents, but not others.
> >>
> >> > and shouldn't there also be a log entry in the ossec.conf, something 
> like this
> >> > ossec-execd(1350): INFO: Active response disabled. Exiting.
> >> >
> >> > after restarting the agent?
> >>
> >> No clue. Probably.
> >>
> >> > i haven't found this log entry after disabling it in the ossec.conf 
> on the agent and restarted this agent afterwards.
> >> >
> >> >
> >> > On Friday, 18 December 2015 15:55:38 UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > Hi all, 
> >> >> > 
> >> >> > please correct me if I am wrong, I just noticed that the active 
> response can 
> >> >> > only be disabled on the master but not on individual agents. 
> >> >> > is that true? 
> >> >> > 
> >> >> > I think it's a shame, because I just want to use it only on 
> specific 
> >> >> > machines, that are exposed to the bad bad internet :) 
> >> >> > I know I could just whitelist all the internal IPs, because it's 
> unlikely 
> >> >> > that an attack could be started from inside... 
> >> >> > 
> >> >> > wouldn't it be nice to have the possibility to just 
> >> >> > 
> >> >> >
> >> >> > yes 
> >> >> >
> >> >> > 
> >> >> > on the agent ossec.conf ? : 
> >> >> > 
> >> >> > is there any reason it can only be controlled from the master? 
> >> >> > i'd like to understand it better. 
> >> >> > 
> >> >>
> >> >> That should work to disable AR (as a whole) on the agent. 
> >> >>
> >> >> > thanks, 
> >> >> > theresa 
> >> >> > 



Re: [ossec-list] disable Active Response on individual servers

2015-12-18 Thread theresa mic-snare
I'm such a fool *bangs head against the wall*

it was sitting right there in the ossec.log ...my eyes just didn't see.


2015/12/18 15:29:51 ossec-execd(1350): INFO: Active response disabled. 
> Exiting.
> 2015/12/18 15:29:54 ossec-agentd: INFO: Unable to connect to the active 
> response queue (disabled).
>
>
so all is fine now :)

from my understanding of the ossec-doc regarding AR, those options 
were only available on the master.
initially i thought that AR was only configured and controlled by the master.

thanks as usual for your quick answers!! :) 

On Friday, 18 December 2015 17:09:47 UTC+1, dan (ddpbsd) wrote:
>
>
> On Dec 18, 2015 11:00 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > so, does this mean it is also possible to disable it with the above 
> mentioned syntax in the ossec.conf on the agent?
> >
>
> Yes.
>
> > sorry for double-checking and the stupid question, but I haven't found 
> it in the official docs:
> >
> >> Active-reponse options are available in the the following installation 
> types:
> >>
> >> server
> >> local
> >
> >
> > the yes tag is one of those options, right?!
> >
>
> As usual my poor grasp of the English language is causing the confusion. 
> That option is available on agents. It disables AR entirely for that agent. 
> So far no one has brought up the situation of disabling it entirely on some 
> agents, but not others.
>
> > and shouldn't there also be a log entry in the ossec.conf, something 
> like this
> > ossec-execd(1350): INFO: Active response disabled. Exiting.
> >
> > after restarting the agent?
>
> No clue. Probably.
>
> > i haven't found this log entry after disabling it in the ossec.conf on 
> the agent and restarted this agent afterwards.
> >
> >
> > On Friday, 18 December 2015 15:55:38 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > Hi all, 
> >> > 
> >> > please correct me if I am wrong, I just noticed that the active 
> response can 
> >> > only be disabled on the master but not on individual agents. 
> >> > is that true? 
> >> > 
> >> > I think it's a shame, because I just want to use it only on specific 
> >> > machines, that are exposed to the bad bad internet :) 
> >> > I know I could just whitelist all the internal IPs, because it's 
> unlikely 
> >> > that an attack could be started from inside... 
> >> > 
> >> > wouldn't it be nice to have the possibility to just 
> >> > 
> >> >
> >> > yes 
> >> >
> >> > 
> >> > on the agent ossec.conf ? : 
> >> > 
> >> > is there any reason it can only be controlled from the master? 
> >> > i'd like to understand it better. 
> >> > 
> >>
> >> That should work to disable AR (as a whole) on the agent. 
> >>
> >> > thanks, 
> >> > theresa 
> >> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: OSSEC virtual appliance (Kibana) -- no results found

2015-10-09 Thread theresa mic-snare
Had a certificate problem in my logstash config, now everything works well as 
expected. 

At the moment I'm still a fan of ossec-wui. It has a better overview and 
filtering for specific categories and log formats.
I'll play around with kibana a bit more, maybe I can create something similar...



[ossec-list] Re: (possible) webserver attack

2015-10-06 Thread theresa mic-snare
Hi Brent,

thanks for the perfect explanations.

I just checked, my archives.log is 0 bytes, seems like it was log-rotated 
during the night.
And in the monthly folders, e.g. Oct or Sep, there are only checksum logs, e.g. 
ossec-archive-01.log.sum

But I've seen multiple requests from 1 IP address and put those requests 
into a txt file (I've attached it to this post)

no idea why my archives.log is empty :(

regards,
theresa

On Monday, 5 October 2015 20:02:29 UTC+2, Brent Morris wrote:
>
> Yeah, you're in the neighborhood.
>
> First - can you post some content from your archives.log with those Apache 
> logs?  I can help better if I can see what you're seeing.
>
> You need to see exactly what you're passing to the URL field using 
> ossec-logtest in order to make your cdb list correctly.  Sometimes the 
> decoder puts extra characters in the URL field, such as a space and a 
> hyphen.  At least that was my case.
>
> Here's a blurb from my cdb list; nexpose makes the following requests 
> during a web audit.
>
> /spiffymcgee.cfm -:16
> /spiffymcgee.jsp -:16
> /jbossmq-httpil/ -:16
> /spiffymcgee.nsf -:16
> /spiffymcgee.jsp -:16
> /spiffymcgee.nsf -:16
>
> The important bits are on the left side of the colon.  I think I used 
> excel to autonumber and populate the right side of the colon.  But you're 
> basically going to compare whatever is being passed to the URL field with 
> exactly the content on the left side of the colon.  So you can see you'll 
> need to be creative in your ability to separate out the URLs from the rest 
> of the junk in your logs along with checking and removing valid URLs that 
> might be in the list.  In your example #1, I would only use 
> "/pub/english.cgi 
> -:16". There is a space and a hyphen in my case when running the logs 
> against ossec-logtest.  I can't emphasize enough that it needs to be EXACT. 
>  Partial matches will not trigger the rule.
>
> The list will reside in /var/ossec/lists/urlblacklist
>
> then run ./ossec-makelists
>
> In your ossec.conf - add lists/urlblacklist inside 
>  
>
> Add the rule to local_rules.xml
>
> Use ossec-logtest to verify new rule is working properly.
>
> Add the active response to ossec.conf
>
> restart ossec and test with a real request to a URL in the list.  Verify 
> active response has done its deed.
>
> HTH!
> -Brent
>
> On Monday, October 5, 2015 at 10:36:35 AM UTC-7, theresa mic-snare wrote:
>>
>> Hi Brent,
>>
>> thank you very much for your help and your explanations.
>>
>> I'm just getting started with OSSEC, most of this is all new to me, but 
>> I'm learning quickly ;)
>> what does CDB stand for? I looked it up in the OSSEC docs and also 
>> googled it? does it stand for common database?
>> according to the Docs I need to compile the CDB list with 
>> ossec-makelists, right?
>>
>> I want to understand this properly, and thus I want to document it for my 
>> thesis project -- so please correct me if I misunderstood you:
>>
>>
>>1. i will create a list with the HTTP request strings, e.g: GET 
>>/pub/english.cgi HTTP/1.0" 403 5 "
>>https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>>Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7` and put 
>> it 
>>into a list/txt file. i.e urlblacklist.txt
>>2. then I will run ossec-makelists on this
>>3. then I will setup a rule to block those requests  where does 
>>this go?! Is it a rule inside the rules directory??!
>>
>> 
>>   31151 <http://www.ossec.net/doc/search.html?q=rule-id-31151>
>> 
>>   lists/urlblacklist
>> Web Vulnerability Scanner Detected
>> 
>>
>> the rule that fired for me (according to my OSSEC WUI) was rule ID: 31151 
>> <http://www.ossec.net/doc/search.html?q=rule-id-31151>
>>
>>1. finally I will create an AR in my ossec.conf
>>
>> firewall-drop
>>  server
>>  184780
>>  300
>> 2,10,60,120,1440
>>  
>>
>> Hopefully I'm not too far off
>>
>> thanks,
>> theresa
>>
>> On Monday, 5 October 2015 18:55:16 UTC+2, Brent Morris wrote:
>>>
>>> I'm not familiar with apache logs... but it looks like you are being 
>>> scanned with a web vulnerability scanner from an attacker in China.  The 
>>> youtube string you see, I believe, is the user-agent string supplied by the 
>>> scanning host.
>>>
>>> Compile all the URL requests and setup a cdb lis

[ossec-list] Re: (possible) webserver attack

2015-10-05 Thread theresa mic-snare
Hi Brent,

thank you very much for your help and your explanations.

I'm just getting started with OSSEC, most of this is all new to me, but I'm 
learning quickly ;)
what does CDB stand for? I looked it up in the OSSEC docs and also googled 
it? does it stand for common database?
according to the Docs I need to compile the CDB list with ossec-makelists, 
right?

I want to understand this properly, and thus I want to document it for my 
thesis project -- so please correct me if I misunderstood you:


   1. i will create a list with the HTTP request strings, e.g: GET 
   /pub/english.cgi HTTP/1.0" 403 5 
   "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
   Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7` and put it 
   into a list/txt file. i.e urlblacklist.txt
   2. then I will run ossec-makelists on this
   3. then I will setup a rule to block those requests  where does this 
   go?! Is it a rule inside the rules directory??!


  31151 <http://www.ossec.net/doc/search.html?q=rule-id-31151>

  lists/urlblacklist
Web Vulnerability Scanner Detected


the rule that fired for me (according to my OSSEC WUI) was rule ID: 31151 
<http://www.ossec.net/doc/search.html?q=rule-id-31151>

   1. finally I will create an AR in my ossec.conf

firewall-drop
 server
 184780
 300
2,10,60,120,1440
 

Hopefully I'm not too far off

thanks,
theresa

On Monday, 5 October 2015 18:55:16 UTC+2, Brent Morris wrote:
>
> I'm not familiar with apache logs... but it looks like you are being 
> scanned with a web vulnerability scanner from an attacker in China.  The 
> youtube string you see, I believe, is the user-agent string supplied by the 
> scanning host.
>
> Compile all the URL requests and setup a cdb list in OSSEC.  Then setup an 
> active response based on the URL requested to block the offending IP 
> address.  The rule will look something like the following.
>
> 
>   31100
>   lists/urlblacklist
> Web Vulnerability Scanner Detected
> 
>
> and active response... assumes firewall-drop command will actually block 
> the attacker at your perimeter.
>
> firewall-drop
> server
> 184780
> 300
> 2,10,60,120,1440
>   
>
> Now all you need is the list and testing :)
>
> On Monday, October 5, 2015 at 4:25:18 AM UTC-7, theresa mic-snare wrote:
>>
>> Hi all,
>>
>> it's my weekly ossec question post ;)
>>
>> maybe you can help shed some light onto this one, as I'm not really good 
>> with HTTP/Apache return codes.
>> I have tons of these types of requests in my current Apache webserver log
>>
>> 125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi 
>> HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { 
>> goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
>>  7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET 
>> /catalog/index.cgi HTTP/1.0" 403 5 
>> "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198
>>  - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 
>> "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198
>>  - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 
>> "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198
>>  - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 
>> "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198
>>  - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 
>> 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>> Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198
>>  - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php 
>> HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { 
>> goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
>>  7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET 
>> /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 
>> "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
>> 
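The CDB-list workflow Brent lays out above (collect the scanner URLs, write the list as "key:value" lines, keep the key exactly what the decoder puts in the url field, then hook the list into a rule and a firewall-drop active response), as an added Python example that is neither code from this thread nor from OSSEC itself. Assumptions: the log lines and IPs are constructed; the rule level 10 is assumed (the thread gives none); the key suffix is a parameter, because Brent's ossec-logtest showed a trailing " -" and yours may not.

```python
"""Build an OSSEC CDB URL blacklist from Apache access-log lines, model the
exact-match lookup the compiled list performs, and render the rule and
active-response XML that use it. Added example, not ossec-list or OSSEC code."""
import re
from typing import Dict, Iterable, List, Optional

# Pulls the request path out of the quoted request part of a combined-format
# Apache line, e.g. "GET /admin.cgi HTTP/1.0". A query string stays attached,
# because the decoder passes it through in the url field as well.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d"')

# Constructed sample lines: documentation IPs and a harmless user agent, same
# shape as the scanner lines in the thread, with one legitimate request mixed in.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "-" "scanner"
192.0.2.10 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "-" "scanner"
192.0.2.10 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "-" "scanner"
192.0.2.10 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "-" "scanner"
192.0.2.11 - - [15/Sep/2015:00:51:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 "-" "scanner"
"""


def extract_urls(lines: Iterable[str]) -> List[str]:
    """Request paths found in the log lines, first-seen order, duplicates dropped."""
    seen: Dict[str, None] = {}
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            seen.setdefault(match.group(1), None)
    return list(seen)


def build_cdb_list(urls: Iterable[str], allowlist: Iterable[str] = (),
                   value: str = "16", key_suffix: str = "") -> str:
    """Text form of the list that ossec-makelists compiles: one "key:value" per line.

    allowlist  - legitimate paths that must never end up in the blacklist.
    key_suffix - whatever the decoder appends to the url field on your install;
                 Brent's ossec-logtest output showed " -". The rule only looks at
                 the key, and only an exact key match fires, so check yours first.
    """
    allowed = set(allowlist)
    rows = [f"{url}{key_suffix}:{value}" for url in urls if url not in allowed]
    return "".join(row + "\n" for row in rows)


class CdbList:
    """In-memory stand-in for the compiled list: exact key match, nothing else.
    Lines are split at the last colon, so a key may itself contain colons."""

    def __init__(self, text: str) -> None:
        self.entries: Dict[str, str] = {}
        for raw in text.splitlines():
            key, sep, val = raw.rpartition(":")
            if sep and key:
                self.entries[key] = val

    def lookup(self, url_field: str) -> Optional[str]:
        """Value for url_field if it is a key; None on any partial or near match."""
        return self.entries.get(url_field)


def render_rule(rule_id: str, level: str, parent_sid: str = "31100",
                list_path: str = "lists/urlblacklist") -> str:
    """local_rules.xml rule: child of web rule parent_sid, fires when the decoded
    url field is a key in list_path. The level is the caller's choice (assumed)."""
    return (
        f'<rule id="{rule_id}" level="{level}">\n'
        f'  <if_sid>{parent_sid}</if_sid>\n'
        f'  <list field="url">{list_path}</list>\n'
        '  <description>Web Vulnerability Scanner Detected</description>\n'
        '</rule>\n'
    )


def render_active_response(rule_id: str, timeout: int = 300,
                           repeated: str = "2,10,60,120,1440") -> str:
    """ossec.conf block: run firewall-drop on the server when rule_id fires,
    with escalating block times for repeated offenders (values from the thread)."""
    return (
        "<active-response>\n"
        "  <command>firewall-drop</command>\n"
        "  <location>server</location>\n"
        f"  <rules_id>{rule_id}</rules_id>\n"
        f"  <timeout>{timeout}</timeout>\n"
        f"  <repeated_offenders>{repeated}</repeated_offenders>\n"
        "</active-response>\n"
    )


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_LOG.splitlines())
    text = build_cdb_list(urls, allowlist=["/index.html"])
    print(text, end="")
    cdb = CdbList(text)
    print(cdb.lookup("/admin.cgi"))       # 16: exact key
    print(cdb.lookup("/admin.cgi?x=1"))   # None: a partial match does not fire
    print(render_rule("184780", "10"))    # level 10 is an assumption
    print(render_active_response("184780"))
```

The text goes to /var/ossec/lists/urlblacklist and ossec-makelists compiles it; as the thread says, the list still has to be referenced from the rules section of ossec.conf, and ossec-logtest is the check that the key really equals the decoded url field.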

Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-05 Thread theresa mic-snare
Ok, I think I just found what the "problem" was.
the file with the datestamp gets scanned, my OSSEC-WUI only had a problem 
showing them. Maybe it has a problem displaying the "Weblogs format" ?!

When I search for "Category: Access control (all)" or "Category: 
Reconnaissance (all) I get plenty of results from the access.log

However when I search all categories for the Weblogs (all) in the Log 
formats section I get nothing in return.
Hope this makes sense?

I have tested this on 2 different OSSEC servers with 2 different WUI 
versions.
The Squid Logs search works out of the box.

I know the development of WUI is discontinued, but for my test installation 
for thesis project it's superb. I have only very few resources (2GB of 
RAM) and 2 cores. As we know Logstash for ELK uses up to 30GB (which is 
recommended) which I cannot afford at this time.

so ideally I would like to know, in case someone else still uses WUI:
have you noticed this behaviour as well?
is this a "works as designed" thing?

thanks very much in advance :)
theresa

On Friday, 2 October 2015 20:14:02 UTC+2, theresa mic-snare wrote:
>
> On Friday, 2 October 2015 19:39:09 UTC+2, dan (ddpbsd) wrote:
>>
>> On Fri, Oct 2, 2015 at 1:32 PM, theresa mic-snare 
>> <rockpr...@gmail.com> wrote: 
>> > Hmm, I'm a bit confused Dan. 
>> > 
>> > I found this in the logs: 
>> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable 
>> log 
>> > file: '/var/log/httpd/error_log-20151002'. 
>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/log/httpd/error_log-20151002'. 
>> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable 
>> log 
>> > file: '/var/log/httpd/access_log-20151002'. 
>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/log/httpd/access_log-20151002'. 
>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
>> > '/var/ossec/logs/active-responses.log'. 
>> > 2015/10/02 13:01:26 ossec-logcollector: INFO: Started (pid: 2610). 
>> > 
>> > so far so good. Ossec is not complaining that the file cannot be found, 
>> so 
>> > it should actually find some alerts, right?! 
>> > however the last entry in the ossec.log is this: 
>> > 2015/10/02 13:27:29 ossec-rootcheck: INFO: Starting rootcheck scan. 
>> > 2015/10/02 13:45:22 ossec-rootcheck: INFO: Ending rootcheck scan. 
>> > 
>> > this is almost 6 hours ago!!! 
>> > 
>> > I have not found one single alert to my apache log file. 
>> > the ossec.conf looks like this: 
>> >
>> > apache 
>> > /var/log/httpd/access_log-%Y%m%d 
>> >
>> > 
>> > same goes for the error_log 
>> > 
>>
>> Are you sure there are logs that should trigger alerts? Turn on the 
>> log all option (on the manager), restart the OSSEC processes, and 
>> check the archives.log file for entries from those files. 
>>
>
> Ok, I just did that.
> I'm afraid that this option will soon lead to a full/overflowing 
> filesystem. I will watch it though... if it gets to big, I will disable it 
> again.
>
>
>> > Also I'm a bit confused why are there 2 different config files which 
>> > basically do the same thing? 
>> > /var/ossec/etc/ossec.conf 
>> > and 
>> > /var/ossec/etc/shared/agent.conf 
>> > 
>> > which one shall I use? 
>> > 
>>
>> Depends. The ossec.conf is for that local system. The agent.conf is 
>> for the agents. It should be modified on the manager, and will be sent 
>> to all of the agents. When the agent is restarted it combines the 
>> configurations. So if you're fine configuring each agent (possibly 
>> through puppet or something similar), ossec.conf is fine. If you want 
>> central management without setting up puppet or something, use the 
>> agent.conf. 
>>
>
> Awesome, thanks very much for the perfect explanation as usual! Thanks!
> I think I will go with Puppet because we have so many different servers 
> with different setups and different OS running on it.
> I think it will be "cleaner" to handle them individually through puppet, 
> although it certainly is more work/effort.
>  
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-05 Thread theresa mic-snare
changed it to "apache" which apparently fixed it for me. :)

I'm happy to send a pull-request if anyone wants to merge it.
I don't think it would break any other functionality of WUI. It seems to 
work all fine for me...

On Monday, 5 October 2015 14:19:38 UTC+2, theresa mic-snare wrote:
>
> Of course, you're right Dan... as always ;-)
>
> Weblogs looks for
> "Web logs" => array( "Web logs (all)" => "web-log" )
>
> while Squid looks for:
>
> "Squid" => array( "Squid (all)" => "squid" )
> I'm not an expert, but shouldn't web-log say something like "apache" or 
> "httpd" ?
> https://github.com/ossec/ossec-wui/blob/master/lib/ossec_formats.php  ... 
> Line Number: 72
>
>
> On Monday, 5 October 2015 14:00:33 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 5, 2015 at 7:44 AM, theresa mic-snare 
>> <rockpr...@gmail.com> wrote: 
>> > Ok, I think I just found what the "problem" was. 
>> > the file with the datestamp gets scanned, my OSSEC-WUI only had a 
>> problem 
>> > showing them. Maybe it has a problem displaying the "Weblogs format" ?! 
>> > 
>> > When I search for "Category: Access control (all)" or "Category: 
>> > Reconnaissance (all) I get plenty of results from the access.log 
>> > 
>> > However when I search all categories for the Weblogs (all) in the Log 
>> > formats section I get nothing in return. 
>> > Hope this makes sense? 
>> > 
>>
>> What does this Weblogs search actually look for? 
>>
>>
>> > I have tested this on 2 different OSSEC servers with 2 different WUI 
>> > versions. 
>> > The Squid Logs search works out of the box. 
>> > 
>> > I know the development of WUI is discontinued, but for my test 
>> installation 
>>
>> It's open source, so it's only as discontinued as you want it to be. ;-) 
>>
>> > for thesis project it's superb. I have only very few resources (2GB of 
>> RAM) 
>> > and 2 cores. As we know Logstash for ELK uses up to 30GB (which is 
>> > recommended) which I cannot afford at this time. 
>> > 
>> > so ideally I would like to know, in case someone else still uses WUI: 
>> > have you noticed this behaviour as well? 
>> > is this a "works as designed" thing? 
>> > 
>> > thanks very much in advance :) 
>> > theresa 
>> > 
>> > 
>> > On Friday, 2 October 2015 20:14:02 UTC+2, theresa mic-snare wrote: 
>> >> 
>> >> 
>> >> 
>> >> On Friday, 2 October 2015 19:39:09 UTC+2, dan (ddpbsd) wrote: 
>> >>> 
>> >>> On Fri, Oct 2, 2015 at 1:32 PM, theresa mic-snare 
>> >>> <rockpr...@gmail.com> wrote: 
>> >>> > Hmm, I'm a bit confused Dan. 
>> >>> > 
>> >>> > I found this in the logs: 
>> >>> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring 
>> variable 
>> >>> > log 
>> >>> > file: '/var/log/httpd/error_log-20151002'. 
>> >>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
>> >>> > '/var/log/httpd/error_log-20151002'. 
>> >>> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring 
>> variable 
>> >>> > log 
>> >>> > file: '/var/log/httpd/access_log-20151002'. 
>> >>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
>> >>> > '/var/log/httpd/access_log-20151002'. 
>> >>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
>> >>> > '/var/ossec/logs/active-responses.log'. 
>> >>> > 2015/10/02 13:01:26 ossec-logcollector: INFO: Started (pid: 2610). 
>> >>> > 
>> >>> > so far so good. Ossec is not complaining that the file cannot be 
>> found, 
>> >>> > so 
>> >>> > it should actually find some alerts, right?! 
>> >>> > however the last entry in the ossec.log is this: 
>> >>> > 2015/10/02 13:27:29 ossec-rootcheck: INFO: Starting rootcheck scan. 
>> >>> > 2015/10/02 13:45:22 ossec-rootcheck: INFO: Ending rootcheck scan. 
>> >>> > 
>> >>> > this is almost 6 hours ago!!! 
>> >>> > 
>> >>> > I have not found one single alert to my apac

Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-05 Thread theresa mic-snare


On Monday, 5 October 2015 14:37:23 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Oct 5, 2015 at 8:19 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > 
> > Of course, you're right Dan... as always ;-) 
> > 
> > Weblogs looks for 
> > "Web logs" => array( "Web logs (all)" => "web-log" ) 
> > 
> > while Squid looks for: 
> > 
> > "Squid" => array( "Squid (all)" => "squid" ) 
> > 
> > I'm not an expert, but shouldn't web-log say something like "apache" or 
> "httpd" ? 
> > https://github.com/ossec/ossec-wui/blob/master/lib/ossec_formats.php 
>  ... Line Number: 72 
> > 
>
> So it looks like apache events using the ncsa logging format should be 
> categorized as "web-log" traffic 
> (https://github.com/ossec/ossec-hids/blob/master/etc/decoder.xml#L1662). 
> It looks like the top level rule also sets this category 
> (
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml#L20). 
>

I changed the web-log to apache and now I get some results.
Was this wrong?
 

> I'm not able to do any testing at the moment to see how/if that makes 
> it into the alerts.log file or anything. Does the "squid" tag make it 
> into the log file? 
>
>
yup, "squid" makes it into the log file. I get lots of results when I 
search by "Squid".
 

> > 
> > On Monday, 5 October 2015 14:00:33 UTC+2, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Oct 5, 2015 at 7:44 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > Ok, I think I just found what the "problem" was. 
> >> > the file with the datestamp gets scanned, my OSSEC-WUI only had a 
> problem 
> >> > showing them. Maybe it has a problem displaying the "Weblogs format" 
> ?! 
> >> > 
> >> > When I search for "Category: Access control (all)" or "Category: 
> >> > Reconnaissance (all) I get plenty of results from the access.log 
> >> > 
> >> > However when I search all categories for the Weblogs (all) in the Log 
> >> > formats section I get nothing in return. 
> >> > Hope this makes sense? 
> >> > 
> >> 
> >> What does this Weblogs search actually look for? 
> >> 
> >> 
> >> > I have tested this on 2 different OSSEC servers with 2 different WUI 
> >> > versions. 
> >> > The Squid Logs search works out of the box. 
> >> > 
> >> > I know the development of WUI is discontinued, but for my test 
> installation 
> >> 
> >> It's open source, so it's only as discontinued as you want it to be. 
> ;-) 
> >> 
> >> > for thesis project it's superb. I have only very few resources (2GB 
> of RAM) 
> >> > and 2 cores. As we know Logstash for ELK uses up to 30GB (which is 
> >> > recommended) which I cannot afford at this time. 
> >> > 
> >> > so ideally I would like to know, in case someone else still uses WUI: 
> >> > have you noticed this behaviour as well? 
> >> > is this a "works as designed" thing? 
> >> > 
> >> > thanks very much in advance :) 
> >> > theresa 
> >> > 
> >> > 
> >> > On Friday, 2 October 2015 20:14:02 UTC+2, theresa mic-snare wrote: 
> >> >> 
> >> >> 
> >> >> 
> >> >> On Friday, 2 October 2015 19:39:09 UTC+2, dan (ddpbsd) wrote: 
> >> >>> 
> >> >>> On Fri, Oct 2, 2015 at 1:32 PM, theresa mic-snare 
> >> >>> <rockpr...@gmail.com> wrote: 
> >> >>> > Hmm, I'm a bit confused Dan. 
> >> >>> > 
> >> >>> > I found this in the logs: 
> >> >>> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring 
> variable 
> >> >>> > log 
> >> >>> > file: '/var/log/httpd/error_log-20151002'. 
> >> >>> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing 
> file: 
> >> >>> > '/var/log/httpd/error_log-20151002'. 
> >> >>> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring 
> variable 
> >> >>> > log 
> >> >>> > file: '/var/log/httpd/access_log-20151002'. 
> >> >>> > 2015/10/02 13:01:26 os

[ossec-list] (possible) webserver attack

2015-10-05 Thread theresa mic-snare
Hi all,

it's my weekly ossec question post ;)

maybe you can help shed some light onto this one, as I'm not really good 
with HTTP/Apache return codes.
I have tons of these types of requests in my current Apache webserver log

125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi 
HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { 
goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
 7`"
125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET 
/catalog/index.cgi HTTP/1.0" 403 5 
"https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 
"https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 
"https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 
"https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 
403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php 
HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { 
goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
 7`"
125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET 
/axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 
"https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 
403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 
"https://www.youtube.com/watch?v=FoUWHfh733Y; "() { goo;}; echo 
Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198
 - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi 
HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { 
goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
 7`"
125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi
 HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y; "() { 
goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 -
 7`"

what are these doing except trying to call a youtube video?
I was once told that the GET requests are not as harmful as the POST 
requests...

I suppose it's just some script kiddie running a webserver attack script.
should I worry?

how to block these?

I have a couple of other request types as well, but they all follow the 
same pattern.

best,
theresa



Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-05 Thread theresa mic-snare
ok, no problem but what exactly do you mean by 
"sanitized squid logs" ?

you mean normal squid logs before they were analyzed by ossec?

On Monday, 5 October 2015 14:54:59 UTC+2, dan (ddpbsd) wrote:
>
>
> On Oct 5, 2015 8:46 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> >
> >
> > On Monday, 5 October 2015 14:37:23 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Mon, Oct 5, 2015 at 8:19 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > 
> >> > Of course, you're right Dan... as always ;-) 
> >> > 
> >> > Weblogs looks for 
> >> > "Web logs" => array( "Web logs (all)" => "web-log" ) 
> >> > 
> >> > while Squid looks for: 
> >> > 
> >> > "Squid" => array( "Squid (all)" => "squid" ) 
> >> > 
> >> > I'm not an expert, but shouldn't web-log say something like "apache" 
> or "httpd" ? 
> >> > https://github.com/ossec/ossec-wui/blob/master/lib/ossec_formats.php 
>  ... Line Number: 72 
> >> > 
> >>
> >> So it looks like apache events using the ncsa logging format should be 
> >> categorized as "web-log" traffic 
> >> (https://github.com/ossec/ossec-hids/blob/master/etc/decoder.xml#L1662). 
>
> >> It looks like the top level rule also sets this category 
> >> (
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml#L20). 
>
> >
> >
> > I changed the web-log to apache and now I get some results
> > was this wrong?
> >  
>
> I don't know. :-) More testing will need to be done.
>
> >>
> >> I'm not able to do any testing at the moment to see how/if that makes 
> >> it into the alerts.log file or anything. Does the "squid" tag make it 
> >> into the log file? 
> >>
> >
> > yup, "squid" makes it into the log file. I get lots of results when I 
> search by "Squid".
> >  
>
> Can you send me some sanitized squid logs? That might help the testing. 
>
> >>
> >> > 
> >> > On Monday, 5 October 2015 14:00:33 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Mon, Oct 5, 2015 at 7:44 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > Ok, I think I just found what the "problem" was. 
> >> >> > the file with the datestamp gets scanned, my OSSEC-WUI only had a 
> problem 
> >> >> > showing them. Maybe it has a problem displaying the "Weblogs 
> format" ?! 
> >> >> > 
> >> >> > When I search for "Category: Access control (all)" or "Category: 
> >> >> > Reconnaissance (all) I get plenty of results from the access.log 
> >> >> > 
> >> >> > However when I search all categories for the Weblogs (all) in the 
> Log 
> >> >> > formats section I get nothing in return. 
> >> >> > Hope this makes sense? 
> >> >> > 
> >> >> 
> >> >> What does this Weblogs search actually look for? 
> >> >> 
> >> >> 
> >> >> > I have tested this on 2 different OSSEC servers with 2 different 
> WUI 
> >> >> > versions. 
> >> >> > The Squid Logs search works out of the box. 
> >> >> > 
> >> >> > I know the development of WUI is discontinued, but for my test 
> installation 
> >> >> 
> >> >> It's open source, so it's only as discontinued as you want it to be. 
> ;-) 
> >> >> 
> >> >> > for thesis project it's superb. I have only very few resources 
> (2GB of RAM) 
> >> >> > and 2 cores. As we know Logstash for ELK uses up to 30GB (which is 
> >> >> > recommended) which I cannot afford at this time. 
> >> >> > 
> >> >> > so ideally I would like to know, in case someone else still uses 
> WUI: 
> >> >> > have you noticed this behaviour as well? 
> >> >> > is this a "works as designed" thing? 
> >> >> > 
> >> >> > thanks very much in advance :) 
> >> >> > theresa 
> >> >&g

Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-05 Thread theresa mic-snare
yeah sure!
would it be alright for you if I emailed the raw squid logs to your gmail 
address?

On Monday, 5 October 2015 15:37:05 UTC+2, dan (ddpbsd) wrote:
>
>
> On Oct 5, 2015 9:24 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > ok, no problem but what exactly do you mean by 
> > "sanitized squid logs" ?
> >
> > you mean normal squid logs before they were analyzed by ossec?
> >
>
> Yes, raw squid logs. If you have IPs, usernames, or domains you don't want 
> to be public, change them to something generic (10.0.0.1 instead of your 
> squid's ip, etc.). I'm hoping to add these to the rule tests already in 
> place (if that's ok). I don't want something sensitive added to the github 
> repo!
>
> > On Monday, 5 October 2015 14:54:59 UTC+2, dan (ddpbsd) wrote:
> >>
> >>
> >> On Oct 5, 2015 8:46 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote:
> >> >
> >> >
> >> >
> >> > On Monday, 5 October 2015 14:37:23 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Oct 5, 2015 at 8:19 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > 
> >> >> > Of course, you're right Dan... as always ;-) 
> >> >> > 
> >> >> > Weblogs looks for 
> >> >> > "Web logs" => array( "Web logs (all)" => "web-log" ) 
> >> >> > 
> >> >> > while Squid looks for: 
> >> >> > 
> >> >> > "Squid" => array( "Squid (all)" => "squid" ) 
> >> >> > 
> >> >> > I'm not an expert, but shouldn't web-log say something like 
> "apache" or "httpd" ? 
> >> >> > 
> https://github.com/ossec/ossec-wui/blob/master/lib/ossec_formats.php  ... 
> Line Number: 72 
> >> >> > 
> >> >>
> >> >> So it looks like apache events using the ncsa logging format should 
> be 
> >> >> categorized as "web-log" traffic 
> >> >> (
> https://github.com/ossec/ossec-hids/blob/master/etc/decoder.xml#L1662). 
> >> >> It looks like the top level rule also sets this category 
> >> >> (
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml#L20). 
>
> >> >
> >> >
> >> > I changed the web-log to apache and now I get some results
> >> > was this wrong?
> >> >  
> >>
> >> I don't know. :-) More testing will need to be done.
> >>
> >> >>
> >> >> I'm not able to do any testing at the moment to see how/if that 
> makes 
> >> >> it into the alerts.log file or anything. Does the "squid" tag make 
> it 
> >> >> into the log file? 
> >> >>
> >> >
> >> > yup, "squid" makes it into the log file. I get lots of results when I 
> search by "Squid".
> >> >  
> >>
> >> Can you send me some sanitized squid logs? That might help the testing.
> >>
> >> >>
> >> >> > 
> >> >> > On Monday, October 5, 2015 at 14:00:33 UTC+2, dan (ddpbsd) wrote: 
> >> >> >> 
> >> >> >> On Mon, Oct 5, 2015 at 7:44 AM, theresa mic-snare 
> >> >> >> <rockpr...@gmail.com> wrote: 
> >> >> >> > Ok, I think I just found what the '"problem" was. 
> >> >> >> > the file with the datestamp gets scanned, my OSSEC-WUI only had 
> a problem 
> >> >> >> > showing them. Maybe it has a problem displaying the "Weblogs 
> format" ?! 
> >> >> >> > 
> >> >> >> > When I search for "Category: Access control (all)" or 
> "Category: 
> >> >> >> > Reconnaissance (all) I get plenty of results from the 
> access.log 
> >> >> >> > 
> >> >> >> > However when I search all categories for the Weblogs (all) in 
> the Log 
> >> >> >> > formats section I get nothing in return. 
> >> >> >> > Hope this makes sense? 
> >> >> >> > 
> 

[ossec-list] OSSEC virtual appliance (Kibana) -- no results found

2015-10-02 Thread theresa mic-snare
Hi,

at the moment I'm having problems with Kibana displaying *ANYTHING* in my 
ossec virtual appliance 2.8.2
while OSSEC WUI works perfectly well, I assume it doesn't have anything to 
do with ossec

so I assume it must be to do with Logstash or Elasticsearch not running 
properly?!

The error I'm getting is

No results found :|

I understand the error is pretty vague and doesn't say much...
but at the moment I have *zero* experience with ELK, so I was hoping that 
maybe you could point me in the right direction...

I just checked, logstash is stopped
I assume it does need to run, right?!
or is this handled by OSSEC providing the logs?!

many thanks in advance,
theresa

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] logs with datestamps in filenames

2015-10-02 Thread theresa mic-snare
Hi,

since we're log-rotating our logs on a daily basis, we have a couple of 
logs with datestamps in their filenames.
e.g "access_log-20151002"

how could I add this to the log analysis
/var/log/httpd/access_log

any ideas?

thanks,
theresa



[ossec-list] Re: logs with datestamps in filenames

2015-10-02 Thread theresa mic-snare
because somehow this doesn't work

/var/log/httpd/access_log-%Y%m%d

somehow ossec still thinks it's called "access_log"
ossec-logcollector(1904): INFO: File not available, ignoring it: 
'/var/log/httpd/access_log'.

and yes, I've restarted the ossec agent.

On Friday, October 2, 2015 at 12:48:27 UTC+2, theresa mic-snare wrote:
>
> Hi,
>
> since we're log-rotating our logs on a daily basis, we have a couple of 
> logs with datestamps in their filenames.
> e.g "access_log-20151002"
>
> how could I add this to the log analysis
> /var/log/httpd/access_log
>
> any ideas?
>
> thanks,
> theresa
>



Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-02 Thread theresa mic-snare
Hmm, I'm a bit confused Dan.

I found this in the logs:
2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable log 
file: '/var/log/httpd/error_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/httpd/error_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable log 
file: '/var/log/httpd/access_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/httpd/access_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/ossec/logs/active-responses.log'.
2015/10/02 13:01:26 ossec-logcollector: INFO: Started (pid: 2610).

so far so good. Ossec is not complaining that the file cannot be found, so 
it should actually find some alerts, right?!
however the last entry in the ossec.log is this:
2015/10/02 13:27:29 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/10/02 13:45:22 ossec-rootcheck: INFO: Ending rootcheck scan.

that was almost 6 hours ago!!!

I have not found one single alert for my apache log file.
the ossec.conf looks like this:
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log-%Y%m%d</location>
  </localfile>

same goes for the error_log

Also I'm a bit confused why are there 2 different config files which 
basically do the same thing?
/var/ossec/etc/ossec.conf 
and
/var/ossec/etc/shared/agent.conf

which one shall I use?



On Friday, October 2, 2015 at 13:24:44 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Oct 2, 2015 at 6:59 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > because somehow this doesn't work 
> > 
> > /var/log/httpd/access_log-%Y%m%d 
> > 
> > somehow ossec still thinks it's called "access_log" 
> > ossec-logcollector(1904): INFO: File not available, ignoring it: 
> > '/var/log/httpd/access_log'. 
> > 
> > and yes, I've restarted the ossec agent. 
> > 
>
> That should be the right way to do it. I haven't tried it lately 
> though, so  no clue why it isn't working for you. 
>
> > 
> > On Friday, October 2, 2015 at 12:48:27 UTC+2, theresa mic-snare wrote: 
> >> 
> >> Hi, 
> >> 
> >> since we're log-rotating our logs on a daily basis, we have a couple of 
> >> logs with datestamps in their filenames. 
> >> e.g "access_log-20151002" 
> >> 
> >> how could I add this to the log analysis 
> >> /var/log/httpd/access_log 
> >> 
> >> any ideas? 
> >> 
> >> thanks, 
> >> theresa 
> > 
>



Re: [ossec-list] Re: logs with datestamps in filenames

2015-10-02 Thread theresa mic-snare


On Friday, October 2, 2015 at 19:39:09 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Oct 2, 2015 at 1:32 PM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Hmm, I'm a bit confused Dan. 
> > 
> > I found this in the logs: 
> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable 
> log 
> > file: '/var/log/httpd/error_log-20151002'. 
> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/log/httpd/error_log-20151002'. 
> > 2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable 
> log 
> > file: '/var/log/httpd/access_log-20151002'. 
> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/log/httpd/access_log-20151002'. 
> > 2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: 
> > '/var/ossec/logs/active-responses.log'. 
> > 2015/10/02 13:01:26 ossec-logcollector: INFO: Started (pid: 2610). 
> > 
> > so far so good. Ossec is not complaining that the file cannot be found, 
> so 
> > it should actually find some alerts, right?! 
> > however the last entry in the ossec.log is this: 
> > 2015/10/02 13:27:29 ossec-rootcheck: INFO: Starting rootcheck scan. 
> > 2015/10/02 13:45:22 ossec-rootcheck: INFO: Ending rootcheck scan. 
> > 
> > that was almost 6 hours ago!!! 
> > 
> > I have not found one single alert for my apache log file. 
> > the ossec.conf looks like this: 
> >   <localfile>
> >     <log_format>apache</log_format>
> >     <location>/var/log/httpd/access_log-%Y%m%d</location>
> >   </localfile>
> > 
> > same goes for the error_log 
> > 
>
> Are you sure there are logs that should trigger alerts? Turn on the 
> log all option (on the manager), restart the OSSEC processes, and 
> check the archives.log file for entries from those files. 
>

Ok, I just did that.
I'm afraid that this option will soon lead to a full/overflowing 
filesystem. I will watch it though... if it gets too big, I will disable it 
again.


> > Also I'm a bit confused why are there 2 different config files which 
> > basically do the same thing? 
> > /var/ossec/etc/ossec.conf 
> > and 
> > /var/ossec/etc/shared/agent.conf 
> > 
> > which one shall I use? 
> > 
>
> Depends. The ossec.conf is for that local system. The agent.conf is 
> for the agents. It should be modified on the manager, and will be sent 
> to all of the agents. When the agent is restarted it combines the 
> configurations. So if you're fine configuring each agent (possibly 
> through puppet or something similar), ossec.conf is fine. If you want 
> central management without setting up puppet or something, use the 
> agent.conf. 
>

Awesome, thanks very much for the perfect explanation as usual! Thanks!
I think I will go with Puppet because we have so many different servers 
with different setups and different OS running on it.
I think it will be "cleaner" to handle them individually through puppet, 
although it certainly is more work/effort.
 

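As an added example (not code from this thread or from the OSSEC project), the following Python reproduces the two things the thread turns on: how a <location> carrying strftime specifiers such as %Y%m%d is expanded with the current date (which is what the "Monitoring variable log file" lines above reflect), and how the same <localfile> block lives either in the agent's own ossec.conf or, wrapped in <agent_config>, in the manager's shared agent.conf. The config fragments and the ossec.log excerpt are constructed for the example; the extra /var/log/secure entry and the agent.conf wrapper are assumptions, not taken from the thread.

```python
"""Added example, not code from the ossec-list thread or from the OSSEC
project: expands <localfile> locations with strftime specifiers the way
ossec-logcollector treats "variable log files" and cross-checks the
expanded paths against the INFO lines the collector writes to ossec.log.
Config fragments and log lines are constructed; paths mirror the thread."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed ossec.conf fragment: the thread's two apache entries plus one
# location (/var/log/secure, an assumption) that the sample log never mentions.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log-%Y%m%d</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log-%Y%m%d</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>"""

# Constructed shared/agent.conf fragment: same <localfile> block, wrapped in
# <agent_config> because the manager pushes this file to its agents.
SAMPLE_AGENT_CONF = """<agent_config os="Linux">
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log-%Y%m%d</location>
  </localfile>
</agent_config>"""

# Constructed ossec.log excerpt: the thread's lines re-joined one per line,
# plus the earlier "File not available" complaint about the undated name.
SAMPLE_OSSEC_LOG = """\
2015/10/02 13:01:26 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/httpd/access_log'.
2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable log file: '/var/log/httpd/error_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1952): INFO: Monitoring variable log file: '/var/log/httpd/access_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log-20151002'.
2015/10/02 13:01:26 ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/active-responses.log'.
2015/10/02 13:01:26 ossec-logcollector: INFO: Started (pid: 2610).
"""

# The day the thread's log was written, so the results are reproducible.
SAMPLE_DAY = datetime(2015, 10, 2)

LOGCOLLECTOR_RE = re.compile(
    r"ossec-logcollector\(\d+\): INFO: "
    r"(?P<msg>Monitoring variable log file|Analyzing file|File not available, ignoring it)"
    r": '(?P<path>[^']+)'"
)


def localfile_locations(conf_xml):
    """(log_format, location) for every <localfile>; iter() descends through
    either the <ossec_config> or the <agent_config> wrapper."""
    root = ET.fromstring(conf_xml)
    return [(lf.findtext("log_format"), lf.findtext("location"))
            for lf in root.iter("localfile")]


def render_location(pattern, when):
    """Expand strftime specifiers (%Y%m%d, ...) for the given date; a
    location without specifiers comes back unchanged."""
    return when.strftime(pattern)


def logcollector_status(log_text):
    """Map each path ossec-logcollector mentioned to 'monitored' or 'ignored'."""
    status = {}
    for m in LOGCOLLECTOR_RE.finditer(log_text):
        ignored = m.group("msg").startswith("File not available")
        status[m.group("path")] = "ignored" if ignored else "monitored"
    return status


def check_locations(conf_xml, log_text, when):
    """For each configured location: the path the collector should open on
    `when`, and what ossec.log says about it ('missing' if never mentioned)."""
    status = logcollector_status(log_text)
    report = []
    for _fmt, pattern in localfile_locations(conf_xml):
        path = render_location(pattern, when)
        report.append((path, status.get(path, "missing")))
    return report


if __name__ == "__main__":
    for path, state in check_locations(SAMPLE_OSSEC_CONF, SAMPLE_OSSEC_LOG, SAMPLE_DAY):
        print(f"{state:9s} {path}")
```

To run it against a real agent, replace the constants with the contents of /var/ossec/etc/ossec.conf (or shared/agent.conf) and /var/ossec/logs/ossec.log. A location reported as missing was never opened by the collector, so compare the expanded name with the file actually present on disk; the logcollector only re-evaluates the pattern for files it considers variable, so a stale undated entry will keep producing the "File not available" line shown in the thread.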


Re: [ossec-list] 99 problems but the agentd ain't one??

2015-09-29 Thread theresa mic-snare
Ok, FW colleague just confirmed that it's blocked by the firewall.
It was caused by a misunderstanding.



Re: [ossec-list] 99 problems but the agentd ain't one??

2015-09-28 Thread theresa mic-snare
how I learned to embrace this page 
[http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html] and the 
magic of tcpdump
now i'm trying to prove the firewall colleague wrong and that he has to 
take a closer look in order to troubleshoot this...

According to the tcpdump on the agent: the agent is trying to send 
something to the master; it is sending something (I even looked at it in 
Wireshark) but the information is pretty 'empty'... it doesn't really 
say much.
According to the tcpdump on the master: NOTHING is received, 0 
bytes... nada! Hence the request must be lost somewhere on the way.

And I've also run a tcpdump on the master listening for an agent within 
the same network segment (the same VLAN), so there is definitely no firewall 
in between. And of course I see traffic there... lots of traffic.
It's no surprise to me, because according to the ossec.log this agent has 
successfully connected to the master.

But somehow I needed to present some facts to the firewall 
colleague... after all, facts don't lie, and neither does the DOCS page :)

a thousand thanks to whoever wrote that page!! :)

On Monday, September 28, 2015 at 14:38:19 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Sep 28, 2015 at 2:46 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > hi guys, 
> > 
> > I have a problem with the agentd not being able to connect to the ossec 
> > master on a couple of machines (linux and solaris) 
> > 
> > 2015/09/28 08:34:26 ossec-agentd(4101): WARN: Waiting for server reply 
> (not 
> > started). Tried: '1.2.3.4'. 
> > 2015/09/28 08:34:28 ossec-agentd: INFO: Trying to connect to server 
> > (1.2.3.4:1514). 
> > 2015/09/28 08:34:28 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 . 
> > 2015/09/28 08:34:49 ossec-agentd(4101): WARN: Waiting for server reply 
> (not 
> > started). Tried: '1.2.3.4'. 
> > 2015/09/28 08:35:09 ossec-agentd: INFO: Trying to connect to server 
> > (1.2.3.4:1514). 
> > 2015/09/28 08:35:09 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 . 
> > 2015/09/28 08:35:11 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2015/09/28 08:35:11 ossec-syscheckd: WARN: Process locked. Waiting for 
> > permission... 
> > 2015/09/28 08:35:30 ossec-agentd(4101): WARN: Waiting for server reply 
> (not 
> > started). Tried: '1.2.3.4'. 
> > 
> > the following processes are running on the agent: 
> > root 25538 1   0 08:34:05 ?   0:00 
> > /var/ossec/bin/ossec-logcollector 
> > root 25530 1   0 08:34:05 ?   0:00 
> > /var/ossec/bin/ossec-execd 
> > root 25542 1   0 08:34:05 ?   0:00 
> > /var/ossec/bin/ossec-syscheckd 
> >ossec 25534 1   0 08:34:05 ?   0:00 
> > /var/ossec/bin/ossec-agentd 
> > 
> > 
> > the master is not "actively" blocking the requests, e.g by iptables or 
> the 
> > like. 
> > for the master I'm using the ossec virtual appliance by the way. 
> > 
> > i have one agent successfully connected, which is in the same VLAN as 
> the 
> > master. 
> > 
> > i talked to my colleague who's managing the firewall, he said he doesn't 
> see 
> > any drops 
> > 
> > do you have any ideas, what could be causing the unsuccessful attempts?! 
> > 
>
> Set the manager to debug mode (/var/ossec/bin/ossec-control enable 
> debug), restart the processes, and look at the ossec.log for errors. 
> Make sure the agent's IP address that was entered into manage_agents 
> is where the packets appear to be coming from (no NAT in between). 
> I guess make sure the packets are making it to the manager. 
>
>
> > thanks, 
> > theresa 
> > 
>

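An added example (not from the thread or from OSSEC itself) for the troubleshooting Dan describes: summarize the agentd lines in ossec.log to tell an agent that never gets an answer apart from one that connected, and check the IP field registered in client.keys (what manage_agents writes) against the source address the manager actually sees on the wire, which is what tcpdump on the manager gives you. The log lines, the client.keys entries and the keys themselves are constructed; the wording of the success line "Connected to the server" is my assumption about agentd's output, not quoted from the thread, and the CIDR/"any" handling reflects what manage_agents accepts as I understand it.

```python
"""Added example, not code from the ossec-list thread or from OSSEC: triage
for the "Waiting for server reply (not started)" loop in an agent's
ossec.log, plus a check of the registered client.keys IP field against the
source address the manager actually sees. Log lines, agents and keys are
constructed; the "Connected to the server" wording is an assumption."""
import ipaddress
import re

# Constructed: the thread's agent log, manager address sanitized to 1.2.3.4.
SAMPLE_FAILING_LOG = """\
2015/09/28 08:34:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
2015/09/28 08:34:28 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
2015/09/28 08:34:28 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
2015/09/28 08:34:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
2015/09/28 08:35:09 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
2015/09/28 08:35:09 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
2015/09/28 08:35:11 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2015/09/28 08:35:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
"""

# Constructed: an agent that did get through (success-line wording assumed).
SAMPLE_WORKING_LOG = """\
2015/09/28 09:00:00 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
2015/09/28 09:00:01 ossec-agentd: INFO: Connected to the server (1.2.3.4:1514).
"""

# Constructed client.keys: 'ID NAME IP KEY'; the IP field may be an address,
# a CIDR range or 'any'. The hex keys are placeholders, not real keys.
SAMPLE_CLIENT_KEYS = """\
001 web01 10.20.30.40 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 db01 10.20.31.0/24 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
003 laptop any 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

AGENTD_RE = re.compile(r"ossec-agentd(?:\(\d+\))?: (?:INFO|WARN): (?P<msg>.+)$", re.M)
SERVER_RE = re.compile(r"\((?P<ip>[0-9.]+):(?P<port>\d+)\)")  # IPv4 manager endpoint


def summarize_agentd(log_text):
    """Count connect attempts and unanswered waits, record the manager
    endpoint, and note whether a success line ever appeared."""
    summary = {"attempts": 0, "no_reply": 0, "connected": False, "server": None}
    for m in AGENTD_RE.finditer(log_text):
        msg = m.group("msg")
        if msg.startswith("Trying to connect to server"):
            summary["attempts"] += 1
            ep = SERVER_RE.search(msg)
            if ep:
                summary["server"] = (ep.group("ip"), int(ep.group("port")))
        elif msg.startswith("Waiting for server reply"):
            summary["no_reply"] += 1
        elif msg.startswith("Connected to the server"):
            summary["connected"] = True
    return summary


def verdict(summary):
    """'connected'; 'no_reply' when datagrams go out but nothing comes back
    (check the path and the registered IP); 'no_attempts' otherwise."""
    if summary["connected"]:
        return "connected"
    if summary["attempts"] == 0:
        return "no_attempts"
    return "no_reply"


def parse_client_keys(text):
    """Map agent name -> (id, ip_field) from client.keys content."""
    agents = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].startswith("#"):
            continue
        agent_id, name, ip_field, _key = parts
        agents[name] = (agent_id, ip_field)
    return agents


def source_allowed(ip_field, observed_src):
    """Would the manager accept datagrams from observed_src under this
    registered IP field? False while packets do arrive is the NAT case."""
    if ip_field == "any":
        return True
    src = ipaddress.ip_address(observed_src)
    if "/" in ip_field:
        return src in ipaddress.ip_network(ip_field, strict=False)
    return src == ipaddress.ip_address(ip_field)


if __name__ == "__main__":
    s = summarize_agentd(SAMPLE_FAILING_LOG)
    print(verdict(s), s)
    for name, (_id, ip_field) in parse_client_keys(SAMPLE_CLIENT_KEYS).items():
        print(name, ip_field, source_allowed(ip_field, "10.20.30.40"))
```

Pair the verdict with captures on both ends (`tcpdump -n udp port 1514` on the agent and on the manager): if the agent side shows datagrams leaving and the manager side shows nothing, something on the path is dropping them, which is what this thread ended up confirming; if the manager does see them but from a source that fails source_allowed(), the entry created in manage_agents does not match the address the manager observes.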


Re: [ossec-list] Re: Solaris 10 compile error

2015-09-25 Thread theresa mic-snare
Hi Dan,

I managed to fix the problem.
Yesterday I used the gcc provided by the OpenCSW repository
Today I tried it with the original gcc from the SUNW packages. I don't know 
what's the difference between the two, but somehow it only works with this 
one (located in /usr/sfw/bin/gcc).

I've managed to successfully compile them both on Solaris 11 and Solaris 10, 
and I will soon provide the packages that I built for the community. If 
anyone else can use them, then it was at least worth the sweat and tears :)

Dan, thanks *VERY* much for bearing with me :)

best,
theresa

On Thursday, September 24, 2015 at 16:21:02 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 24, 2015 10:05 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > where shall I put this?
> >
>
> src/os_crypto/blowfish/Makefile maybe? 
>
> >
> > On Thursday, September 24, 2015 at 15:34:07 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Sep 24, 2015 at 9:24 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > of course you were right, Dan! 
> >> > I had to export CC to point to where GCC is installed (in my case in 
> >> > /opt/csw/bin/gcc) 
> >> > 
> >> > worked perfectly, until I ran into yet another problem. but this time I 
> think 
> >> > something's wrong with my ssl.h in /usr/include/openssl/ssl.h 
> >> > 
> >> >  *** Making os_auth *** 
> >> > 
> >> > /opt/csw/bin/gcc -g -Wall -I../ -I../headers 
>  -DDEFAULTDIR=\"/var/ossec\" 
> >> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST 
>  -DARGV0=\"ossec-authd\" 
> >> > -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c 
> >> > ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a 
> >> > ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a 
> >> > ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd 
> >>
> >> I'm guessing you're missing some -I (capital i) and -L magic in here. 
> >> Maybe: 
> >> "-I/usr/sfw/include -L/usr/sfw/lib" 
> >>
> >> I don't remember anyone else reporting these types of issues with this 
> release. 
> >> I wish I knew what they did differently than you (maybe not upgrade?). 
> >> It would make working with Solaris a little easier in the next 
> >> release. 
> >>
> >> > main-server.c: In function 'ssl_error': 
> >> > main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error' 
> discards 
> >> > 'const' qualifier from pointer target type 
> >> >  switch (SSL_get_error(ssl, ret)) 
> >> >^ 
> >> > In file included from auth.h:45:0, 
> >> >  from main-server.c:29: 
> >> > /usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but 
> >> > argument is of type 'const struct SSL *' 
> >> >  int SSL_get_error(SSL *s,int ret_code); 
> >> >  ^ 
> >> > ld: fatal: library -lssl: not found 
> >> > ld: fatal: library -lcrypto: not found 
> >> > ld: fatal: file processing errors. No output written to ossec-authd 
> >> > *** Error code 1 
> >> > make: Fatal error: Command failed for target `auth1' 
> >> > Current working directory /root/ossec-hids-2.8.2/src/os_auth 
> >> > 
> >> > 
> >> > 
> >> > On Thursday, September 24, 2015 at 14:57:08 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> 
> >> >> On Sep 24, 2015 8:46 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote: 
> >> >> > 
> >> >> > it was indeed in a different location :) 
> >> >> > I symlinked it to the other location where it should supposedly be 
> >> >> > /usr/include/openssl/opensslconf.h 
> >> >> > 
> >> >> > and ran the installation script again. 
> >> >> > but now I'm running into a different error 
> >> >> > 
> >> >> >  *** Making os_crypto *** 
> >> >> > 
> >> >> > cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" 
> >> >> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST 
>  -DARGV0=\"blowfish_op\" 
> >> >> > -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> >> > cc: -W option with unknown program all 
> >> >> 
> >> >> Th

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
it was indeed in a different location :)
I symlinked it to the other location where it should supposedly be 
/usr/include/openssl/opensslconf.h

and ran the installation script again.
but now I'm running into a different error

 *** Making os_crypto *** 
 
cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT 
-DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" 
-DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
cc: -W option with unknown program all 
*** Error code 1 
make: Fatal error: Command failed for target `bf' 
Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
*** Error code 1 
The following command caused the error: 
cd blowfish; make 
make: Fatal error: Command failed for target `os_crypto' 
Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
 
Error Making os_crypto 
*** Error code 1 
The following command caused the error: 
/bin/bash ./Makeall all 
make: Fatal error: Command failed for target `all' 
 
 Error 0x5. 
 Building error. Unable to finish the installation.



On Thursday, September 24, 2015 at 14:28:14 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 24, 2015 8:23 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > hmm I see.
> > but I managed to build it on a Solaris 11 machine without any 
> problems without having to modify any Make or any other file. Hmm...
> >
>
> Was opensslconf.h in a different location on solaris 11?
>
> >
> > On Thursday, September 24, 2015 at 14:18:27 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare 
> >> <rockpr...@gmail.com> wrote: 
> >> > Dan, do you currently have OSSEC installed on a Solaris machine? 
> >> > if so, could you please tell me where the opensslconf.h is located on 
> your 
> >> > system? 
> >> > 
> >>
> >> No, sorry. I can't afford Oracle machines, and I doubt my wife would 
> >> appreciate the noise. :P 
> >>
> >> I'm guessing you would need "-I/usr/sfw/include" in the build command 
> >> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS in 
> >> the Config.Make, but I haven't tried any of this. 
> >>
> >> > thanks, 
> >> > theresa 
> >> > 
> >> > On Wednesday, September 23, 2015 at 15:02:25 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> 
> >> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote: 
> >> >> > 
> >> >> > by the way: 
> >> >> > 
> >> >> > I have found the file opensslconf.h that is allegedly missing on 
> my 
> >> >> > server... 
> >> >> > it's located under: 
> >> >> > /usr/sfw/include/openssl/opensslconf.h 
> >> >> > 
> >> >> > is the path maybe somewhere hardcoded, so that it's maybe looking 
> in the 
> >> >> > wrong place? 
> >> >> > 
> >> >> 
> >> >> That would be my guess. 
> >> >> 
> >> >> > cheers, 
> >> >> > theresa 
> >> >> > 
> >> >> > 
> >> >> > On Wednesday, September 23, 2015 at 14:45:05 UTC+2, theresa 
> >> >> > mic-snare wrote: 
> >> >> >> 
> >> >> >> Hi everyone, 
> >> >> >> 
> >> >> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> >> >> >> server, and got the following error: 
> >> >> >> 
> >> >> >>  *** Making os_crypto *** 
> >> >> >> 
> >> >> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers 
> >> >> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS 
> -DHIGHFIRST 
> >> >> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> >> >> In file included from bf_skey.c:62:0: 
> >> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file 
> or 
> >> >> >> directory 
> >> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >> >>^ 
> >> >> >> compilation terminated. 
> >> >> >> In file included from bf_enc.c:60:0: 
> >> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file 
> or 
> 

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
of course you were right, Dan!
I had to export CC to point to where GCC is installed (in my case in 
/opt/csw/bin/gcc)

worked perfectly, until I ran into yet another problem. but this time I think 
something's wrong with my ssl.h in /usr/include/openssl/ssl.h

 *** Making os_auth ***

/opt/csw/bin/gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\" 
-DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" 
-DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c 
../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a 
../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a 
../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd
main-server.c: In function 'ssl_error':
main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error' 
discards 'const' qualifier from pointer target type
 switch (SSL_get_error(ssl, ret))
   ^
In file included from auth.h:45:0,
 from main-server.c:29:
/usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but 
argument is of type 'const struct SSL *'
 int SSL_get_error(SSL *s,int ret_code);
 ^
ld: fatal: library -lssl: not found
ld: fatal: library -lcrypto: not found
ld: fatal: file processing errors. No output written to ossec-authd
*** Error code 1
make: Fatal error: Command failed for target `auth1'
Current working directory /root/ossec-hids-2.8.2/src/os_auth



On Thursday, September 24, 2015 at 14:57:08 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 24, 2015 8:46 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > it was indeed in a different location :)
> > I symlinked it to the other location where it should supposedly be 
> /usr/include/openssl/opensslconf.h
> >
> > and ran the installation script again.
> > but now I'm running into a different error
> >
> >  *** Making os_crypto *** 
> >  
> > cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" 
> -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" 
> -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> > cc: -W option with unknown program all 
>
> That right there makes me think it isn't using gcc as the compiler (-Wall 
> has been around for a while now).
>
> > *** Error code 1 
> > make: Fatal error: Command failed for target `bf' 
> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> > *** Error code 1 
> > The following command caused the error: 
> > cd blowfish; make 
> > make: Fatal error: Command failed for target `os_crypto' 
> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >  
> > Error Making os_crypto 
> > *** Error code 1 
> > The following command caused the error: 
> > /bin/bash ./Makeall all 
> > make: Fatal error: Command failed for target `all' 
> >  
> >  Error 0x5. 
> >  Building error. Unable to finish the installation.
> >
> >
> >
> > On Thursday, September 24, 2015 at 14:28:14 UTC+2, dan (ddpbsd) wrote:
> >>
> >>
> >> On Sep 24, 2015 8:23 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote:
> >> >
> >> > hmm I see.
> >> > but I managed to build it on a Solaris 11 machine without any 
> problems without having to modify any Make or any other file. Hmm...
> >> >
> >>
> >> Was opensslconf.h in a different location on solaris 11?
> >>
> >> >
> >> > On Thursday, September 24, 2015 at 14:18:27 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare 
> >> >> <rockpr...@gmail.com> wrote: 
> >> >> > Dan, do you currently have OSSEC installed on a Solaris machine? 
> >> >> > if so, could you please tell me where the opensslconf.h is located 
> on your 
> >> >> > system? 
> >> >> > 
> >> >>
> >> >> No, sorry. I can't afford Oracle machines, and I doubt my wife would 
> >> >> appreciate the noise. :P 
> >> >>
> >> >> I'm guessing you would need "-I/usr/sfw/include" in the build 
> command 
> >> >> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS 
> in 
> >> >> the Config.Make, but I haven't tried any of this. 
> >> >>
> >> >> > thanks, 
> >> >> > theresa 
> >> >> > 
> >> >> > On Wednesday, September 23, 2015 at 15:02:25 UTC+2, dan (ddpbsd) wrote: 
> >> &g

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
hmm I see.
but I managed to build it on a Solaris 11 machine without any problems 
without having to modify any Make or any other file. Hmm...

On Thursday, September 24, 2015 at 14:18:27 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare 
> <rockpr...@gmail.com > wrote: 
> > Dan, do you currently have OSSEC installed on a Solaris machine? 
> > if so, could you please tell me where the opensslconf.h is located on 
> your 
> > system? 
> > 
>
> No, sorry. I can't afford Oracle machines, and I doubt my wife would 
> appreciate the noise. :P 
>
> I'm guessing you would need "-I/usr/sfw/include" in the build command 
> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS in 
> the Config.Make, but I haven't tried any of this. 
>
> > thanks, 
> > theresa 
> > 
> > On Wednesday, September 23, 2015 at 15:02:25 UTC+2, dan (ddpbsd) wrote: 
> >> 
> >> 
> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare" <rockpr...@gmail.com> 
> wrote: 
> >> > 
> >> > by the way: 
> >> > 
> >> > I have found the file opensslconf.h that is allegedly missing on my 
> >> > server... 
> >> > it's located under: 
> >> > /usr/sfw/include/openssl/opensslconf.h 
> >> > 
> >> > is the path maybe somewhere hardcoded, so that it's maybe looking in 
> the 
> >> > wrong place? 
> >> > 
> >> 
> >> That would be my guess. 
> >> 
> >> > cheers, 
> >> > theresa 
> >> > 
> >> > 
> >> > On Wednesday, September 23, 2015 at 14:45:05 UTC+2, theresa 
> >> > mic-snare wrote: 
> >> >> 
> >> >> Hi everyone, 
> >> >> 
> >> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> >> >> server, and got the following error: 
> >> >> 
> >> >>  *** Making os_crypto *** 
> >> >> 
> >> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers 
> >> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS 
> -DHIGHFIRST 
> >> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> >> In file included from bf_skey.c:62:0: 
> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> >> >> directory 
> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >>^ 
> >> >> compilation terminated. 
> >> >> In file included from bf_enc.c:60:0: 
> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> >> >> directory 
> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >>^ 
> >> >> compilation terminated. 
> >> >> *** Error code 1 
> >> >> make: Fatal error: Command failed for target `bf' 
> >> >> Current working directory 
> /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> >> >> *** Error code 1 
> >> >> The following command caused the error: 
> >> >> cd blowfish; make 
> >> >> make: Fatal error: Command failed for target `os_crypto' 
> >> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >> >> 
> >> >> Error Making os_crypto 
> >> >> *** Error code 1 
> >> >> The following command caused the error: 
> >> >> /bin/bash ./Makeall all 
> >> >> make: Fatal error: Command failed for target `all' 
> >> >> 
> >> >>  Error 0x5. 
> >> >>  Building error. Unable to finish the installation. 
> >> >> 
> >> >> 
> >> >> 
> >> >> I think there seems to be some kind of OpenSSL dependency issue... 
> >> >> I have also added the following lines in the install.sh script (to 
> make 
> >> >> sure the OpenSSL libraries get linked) 
> >> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS 
> >> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS 
> >> >> 
> >> >> 
> >> >> I'm using the following OpenSSL version: 
> >> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> >> >> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-43

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
Dan, do you currently have OSSEC installed on a Solaris machine?
if so, could you please tell me where the opensslconf.h is located on your 
system?

thanks,
theresa

On Wednesday, September 23, 2015 at 15:02:25 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 23, 2015 8:59 AM, "theresa mic-snare" <rockpr...@gmail.com 
> > wrote:
> >
> > by the way:
> >
> > I have found the file opensslconf.h that is allegedly missing on my 
> server...
> > it's located under:
> > /usr/sfw/include/openssl/opensslconf.h
> >
> > is the path maybe somewhere hardcoded, so that it's maybe looking in the 
> wrong place?
> >
>
> That would be my guess.
>
> > cheers,
> > theresa
> >
> >
> > On Wednesday, September 23, 2015 at 14:45:05 UTC+2, theresa mic-snare wrote:
> >>
> >> Hi everyone,
> >>
> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> server, and got the following error:
> >>
> >>  *** Making os_crypto *** 
> >>
> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers 
>  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST   
>-DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
> >> In file included from bf_skey.c:62:0:
> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> directory
> >>  #include  /* BF_PTR, BF_PTR2 */
> >>^
> >> compilation terminated.
> >> In file included from bf_enc.c:60:0:
> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> directory
> >>  #include  /* BF_PTR, BF_PTR2 */
> >>^
> >> compilation terminated.
> >> *** Error code 1
> >> make: Fatal error: Command failed for target `bf'
> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
> >> *** Error code 1
> >> The following command caused the error:
> >> cd blowfish; make
> >> make: Fatal error: Command failed for target `os_crypto'
> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
> >>
> >> Error Making os_crypto
> >> *** Error code 1
> >> The following command caused the error:
> >> /bin/bash ./Makeall all
> >> make: Fatal error: Command failed for target `all'
> >>
> >>  Error 0x5.
> >>  Building error. Unable to finish the installation.
> >>
> >>
> >>
> >> I think there seems to be some kind of OpenSSL dependency issue...
> >> I have also added the following lines in the install.sh script (to make 
> sure the OpenSSL libraries get linked)
> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS
> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS
> >>
> >>
> >> I'm using the following OpenSSL version:
> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 
> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 
> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 
> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 
> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169)
> >>
> >> anyone come across the same problem?
> >>
> >> cheers,
> >> theresa
> >
> > -- 
> >
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to ossec-list+...@googlegroups.com .
> > For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
where shall I put this?

On Thursday, 24 September 2015 15:34:07 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Sep 24, 2015 at 9:24 AM, theresa mic-snare <rockpr...@gmail.com> wrote: 
> > of course you were right, Dan! 
> > I had to export CC to point to where GCC is installed (in my case in 
> > /opt/csw/bin/gcc) 
> > 
> > worked perfectly, until I ran in yet another problem. but this time I 
> think 
> > something's wrong with my ssl.h in /usr/include/openssl/ssl.h 
> > 
> >  *** Making os_auth *** 
> > 
> > /opt/csw/bin/gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-authd\" -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd 
>
> I'm guessing you're missing some -I (capital i) and -L magic in here. 
> Maybe: 
> "-I/usr/sfw/include -L/usr/sfw/lib" 
>
> I don't remember anyone else reporting these types of issues with this 
> release. 
> I wish I knew what they did differently than you (maybe not upgrade?). 
> It would make working with Solaris a little easier in the next 
> release. 
>
> > main-server.c: In function 'ssl_error': 
> > main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error' 
> discards 
> > 'const' qualifier from pointer target type 
> >  switch (SSL_get_error(ssl, ret)) 
> >^ 
> > In file included from auth.h:45:0, 
> >  from main-server.c:29: 
> > /usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but 
> > argument is of type 'const struct SSL *' 
> >  int SSL_get_error(SSL *s,int ret_code); 
> >  ^ 
> > ld: fatal: library -lssl: not found 
> > ld: fatal: library -lcrypto: not found 
> > ld: fatal: file processing errors. No output written to ossec-authd 
> > *** Error code 1 
> > make: Fatal error: Command failed for target `auth1' 
> > Current working directory /root/ossec-hids-2.8.2/src/os_auth 
> > 
> > 
> > 
> > On Thursday, 24 September 2015 14:57:08 UTC+2, dan (ddpbsd) wrote: 
> >> 
> >> 
> >> On Sep 24, 2015 8:46 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote: 
> >> > 
> >> > it was indeed in a different location :) 
> >> > i symlinked it to the other location where it should supposedly be 
> >> > /usr/include/openssl/opensslconf.h 
> >> > 
> >> > and ran the installation script again. 
> >> > but now i'm running into a different error 
> >> > 
> >> >  *** Making os_crypto *** 
> >> > 
> >> > cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> > cc: -W option with unknown program all 
> >> 
> >> That right there makes me think it isn't using gcc as the compiler 
> (-Wall 
> >> has been around for a while now). 
> >> 
> >> > *** Error code 1 
> >> > make: Fatal error: Command failed for target `bf' 
> >> > Current working directory 
> /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> >> > *** Error code 1 
> >> > The following command caused the error: 
> >> > cd blowfish; make 
> >> > make: Fatal error: Command failed for target `os_crypto' 
> >> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >> > 
> >> > Error Making os_crypto 
> >> > *** Error code 1 
> >> > The following command caused the error: 
> >> > /bin/bash ./Makeall all 
> >> > make: Fatal error: Command failed for target `all' 
> >> > 
> >> >  Error 0x5. 
> >> >  Building error. Unable to finish the installation. 
> >> > 
> >> > 
> >> > 
> >> > On Thursday, 24 September 2015 14:28:14 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> 
> >> >> On Sep 24, 2015 8:23 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote: 
> >> >> > 
> >> >> > hmm I see. 
> >> >> > but I ma
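
[Editor's note, added to this thread; it is not from any of the posters or from the OSSEC project.] The two build failures above share one cause: on this Solaris 10 host OpenSSL lives under /usr/sfw (the header was found at /usr/sfw/include/openssl/opensslconf.h, and Dan's -I/usr/sfw/include -L/usr/sfw/lib points at the matching library directory), a prefix neither the compiler nor the linker searches by default. Symlinking opensslconf.h into /usr/include only silences the first error, which is why the link of ossec-authd then fails with "ld: fatal: library -lssl: not found". The script below is an added example that locates the prefix actually holding both headers and libssl, and hands the build matching -I/-L/-R flags through the same two Config.OS variables the poster already appends from install.sh (the posted compile line shows DEXTRA's -DUSE_OPENSSL reaching the compiler and the link line shows OPENSSLCMD's -lssl -lcrypto reaching the linker). It assumes an OSSEC 2.8 tree whose src/Config.OS is consumed that way, assumes paths without spaces, and its candidate prefix list is a guess to adjust per host. One caveat worth keeping in mind: ossec-authd's TLS enrollment will be built against whatever library you link, and the bundled one in this thread reports itself as 0.9.7d with backported fixes; if a newer OpenSSL is installed under another prefix (OpenCSW uses /opt/csw), list that prefix first.

```sh
#!/bin/sh
# Added example (not OSSEC code): find the OpenSSL prefix on a Solaris 10 host
# and feed the OSSEC 2.8 build matching flags instead of symlinking headers
# into /usr/include.

# Candidate prefixes, first match wins: Solaris bundled SFW, OpenCSW, a local
# build, the stock system. This list is an assumption; adjust it per host.
OPENSSL_PREFIXES="${OPENSSL_PREFIXES:-/usr/sfw /opt/csw /usr/local /usr}"

# Print the first prefix holding include/openssl/opensslconf.h AND a libssl
# under lib/ (headers alone got the poster as far as "-lssl: not found").
find_openssl_prefix() {
    for p in $OPENSSL_PREFIXES; do
        if [ -f "$p/include/openssl/opensslconf.h" ] &&
           ls "$p"/lib/libssl.* >/dev/null 2>&1; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Value for DEXTRA (lands on the compile line): keep -DUSE_OPENSSL, add -I
# unless the prefix is /usr, which the compiler searches anyway.
openssl_dextra() {
    if [ "$1" = /usr ]; then
        printf '%s\n' "-DUSE_OPENSSL"
    else
        printf '%s\n' "-DUSE_OPENSSL -I$1/include"
    fi
}

# Value for OPENSSLCMD (lands on the link line). -R records the runtime search
# path so ossec-authd resolves libssl.so without LD_LIBRARY_PATH; that is the
# Solaris ld spelling, GNU ld wants -Wl,-rpath,DIR instead.
openssl_cmd() {
    if [ "$1" = /usr ]; then
        printf '%s\n' "-lssl -lcrypto"
    else
        printf '%s\n' "-L$1/lib -R$1/lib -lssl -lcrypto"
    fi
}

# Append both variables to a Config.OS file ($2), the way install.sh does.
write_config_os() {
    {
        printf 'DEXTRA=%s\n'     "$(openssl_dextra "$1")"
        printf 'OPENSSLCMD=%s\n' "$(openssl_cmd "$1")"
    } >>"$2"
}

# Smoke test: can $CC see the headers with those flags? Needs a compiler.
check_header() {
    tmp="${TMPDIR:-/tmp}/osslchk.$$.c"
    printf '#include <openssl/opensslconf.h>\n#include <openssl/ssl.h>\nint main(void) { return 0; }\n' >"$tmp"
    "${CC:-gcc}" $(openssl_dextra "$1") -c -o /dev/null "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On the build host (CC must be the CSW gcc: "cc: -W option with unknown
# program all" means the Sun cc was picked up instead):
#   export CC=/opt/csw/bin/gcc
#   prefix=$(find_openssl_prefix) || { echo "no OpenSSL headers+libs found" >&2; exit 1; }
#   check_header "$prefix" && write_config_os "$prefix" ./src/Config.OS
```

Put the two generated lines where install.sh already echoes DEXTRA and OPENSSLCMD into src/Config.OS, or run write_config_os on that file once the installer has created it; the -R flag matters because the agent daemons run chrooted and unprivileged, so an LD_LIBRARY_PATH set in your build shell will not be there when ossec-authd starts.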

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-23 Thread theresa mic-snare
would be good to know...then I can create a symlink for the correct path
do you know in which source file I could look?

On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 23, 2015 8:59 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote:
> >
> > by the way:
> >
> > I have found the file opensslconf.h that is allegedly missing on my 
> server...
> > it's located under:
> > /usr/sfw/include/openssl/opensslconf.h
> >
> > is the path maybe somewhere hardcoded, so that it's maybe looking in the 
> wrong place?
> >
>
> That would be my guess.
>
> > cheers,
> > theresa
> >
> >
> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote:
> >>
> >> Hi everyone,
> >>
> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> server, and got the following error:
> >>
> >>  *** Making os_crypto *** 
> >>
> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
> >> In file included from bf_skey.c:62:0:
> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or directory
> >>  #include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
> >>                                  ^
> >> compilation terminated.
> >> In file included from bf_enc.c:60:0:
> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or directory
> >>  #include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
> >>                                  ^
> >> compilation terminated.
> >> *** Error code 1
> >> make: Fatal error: Command failed for target `bf'
> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
> >> *** Error code 1
> >> The following command caused the error:
> >> cd blowfish; make
> >> make: Fatal error: Command failed for target `os_crypto'
> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
> >>
> >> Error Making os_crypto
> >> *** Error code 1
> >> The following command caused the error:
> >> /bin/bash ./Makeall all
> >> make: Fatal error: Command failed for target `all'
> >>
> >>  Error 0x5.
> >>  Building error. Unable to finish the installation.
> >>
> >>
> >>
> >> I think there seems to be some kind of OpenSSL dependency issue...
> >> I have also added the following lines in the install.sh script (to make 
> sure the OpenSSL libraries get linked)
> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS
> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS
> >>
> >>
> >> I'm using the following OpenSSL version:
> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 
> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 
> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 
> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 
> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169)
> >>
> >> anyone come across the same problem?
> >>
> >> cheers,
> >> theresa
> >
>



[ossec-list] Re: Solaris 10 compile error

2015-09-23 Thread theresa mic-snare
by the way:

I have found the file opensslconf.h that is allegedly missing on my 
server...
it's located under:
/usr/sfw/include/openssl/opensslconf.h

is the path maybe somewhere hardcoded, so that it's maybe looking in the 
wrong place?

cheers,
theresa

On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote:
>
> Hi everyone,
>
> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) server, 
> and got the following error:
>
>  *** Making os_crypto *** 
>
> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
> In file included from bf_skey.c:62:0:
> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or directory
>  #include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
>                                  ^
> compilation terminated.
> In file included from bf_enc.c:60:0:
> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or directory
>  #include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
>                                  ^
> compilation terminated.
> *** Error code 1
> make: Fatal error: Command failed for target `bf'
> Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
> *** Error code 1
> The following command caused the error:
> cd blowfish; make
> make: Fatal error: Command failed for target `os_crypto'
> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>
> Error Making os_crypto
> *** Error code 1
> The following command caused the error:
> /bin/bash ./Makeall all
> make: Fatal error: Command failed for target `all'
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
>
> I think there seems to be some kind of OpenSSL dependency issue...
> I have also added the following lines in the install.sh script (to make 
> sure the OpenSSL libraries get linked)
> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS
> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS
>
>
> I'm using the following OpenSSL version:
> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 
> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 
> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 
> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 
> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169)
>
> anyone come across the same problem?
>
> cheers,
> theresa
>



[ossec-list] OSSEC Windows Client registration failed

2015-09-23 Thread theresa mic-snare


Hi guys,

yesterday I wanted to install the windows client on a Win7 workstation.
The installation went fine, however the registration with the OSSEC master 
failed.

Error that I got was:
Which permissions does the config need on windows?

<https://lh3.googleusercontent.com/-m5eABLuBbSU/VgLY3r86rSI/Cwo/Y5YGnACwi9w/s1600/ossec_windows2.png>
<https://lh3.googleusercontent.com/-qFSk9JekmbM/VgLYL9xYxnI/Cwk/Dtet0Lm5Agg/s1600/ossec_windows1.png>


Re: [ossec-list] OSSEC Windows Client registration failed

2015-09-23 Thread theresa mic-snare
Thanks guys, I will try that. I currently don't have any access to the 
workstation (I'm at home)
but I will give it a shot.
Is the windows firewall by default enabled?

Sorry, I don't have any windows know-how... I'm only ever using *NIX based 
systems...

what strikes me though... to me it seems like a *permission* problem (see 
screenshots --> unable to set permissions on auth key files) rather than a 
firewall that's dropping the connection?!

I will uninstall and reinstall with the administrator user (although I 
thought I had used it... but obviously not)

On Wednesday, 23 September 2015 19:59:09 UTC+2, jose wrote:
>
> Please review your firewall, usually windows block the traffic 
>
> And try to restart the service manually as well 
>
> Regards
>
> Sent from my iPhone
>
> On 23 Sep 2015, at 18:53, theresa mic-snare <rockpr...@gmail.com> wrote:
>
> Hi guys,
>
> yesterday I wanted to install the windows client on a Win7 workstation.
> The installation went fine, however the registration with the OSSEC master 
> failed.
>
> Error that I got was:
> Which permissions does the config need on windows?
>
> <https://lh3.googleusercontent.com/-m5eABLuBbSU/VgLY3r86rSI/Cwo/Y5YGnACwi9w/s1600/ossec_windows2.png>
> <https://lh3.googleusercontent.com/-qFSk9JekmbM/VgLYL9xYxnI/Cwk/Dtet0Lm5Agg/s1600/ossec_windows1.png>
>
>
>



Re: [ossec-list] OSSEC Windows Client registration failed

2015-09-23 Thread theresa mic-snare
this is what I already did, when I saw it's a permission problem. --> right 
click and Run as Administrator
same effect :(

On Wednesday, 23 September 2015 21:43:43 UTC+2, LostInThe Tubez wrote:
>
> Before you go through the trouble of uninstalling/reinstalling, make sure 
> you are launching the agent manager by right clicking and ‘Run as 
> Administrator.’ If you aren’t doing this then UAC may very well be blocking 
> your access to client.keys and the conf file. The Windows Firewall does 
> indeed come enabled by default, but that isn’t the issue here (it also 
> doesn’t block any outbound connections by default, unless domain policy is 
> at play).
>
>  
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of* theresa mic-snare
> *Sent:* Wednesday, September 23, 2015 12:38 PM
> *To:* ossec-list <ossec...@googlegroups.com>
> *Subject:* Re: [ossec-list] OSSEC Windows Client registration failed
>
>  
>
> Thanks guys, I will try that. I currently don't have any access to the 
> workstation (I'm at home)
> but I will give it a shot.
> Is the windows firewall by default enabled?
>
> Sorry, I don't have any windows know-how... I'm only ever using *NIX based 
> systems...
>
> what strikes me though... to me it seems like a *permission* problem (see 
> screenshots --> unable to set permissions on auth key files) rather than a 
> firewall that's dropping the connection?!
>
> I will uninstall and reinstall with the administrator user (although I 
> thought I had used it... but obviously not)
>
> On Wednesday, 23 September 2015 19:59:09 UTC+2, jose wrote:
>
> Please review your firewall, usually windows block the traffic 
>
>  
>
> And try to restart the service manually as well 
>
>  
>
> Regards
>
> Sent from my iPhone
>
>
> On 23 Sep 2015, at 18:53, theresa mic-snare <rockpr...@gmail.com> wrote:
>
> Hi guys,
>
>
> yesterday I wanted to install the windows client on a Win7 workstation.
> The installation went fine, however the registration with the OSSEC master 
> failed.
>
> Error that I got was:
> Which permissions does the config need on windows?
>
>
> <https://lh3.googleusercontent.com/-m5eABLuBbSU/VgLY3r86rSI/Cwo/Y5YGnACwi9w/s1600/ossec_windows2.png>
>
>



[ossec-list] How do I monitor the rate of email sent on a Postfix email Ubuntu server?

2015-08-14 Thread theresa mic-snare
Hi Joseph,

You're probably looking for something like this:

email_maxperhour
Specifies the maximum number of e-mails to be sent per hour. All emails in 
excess of this setting will be queued for later distribution.
Default: 12
Allowed: Any number from 1 to 

Note
At the end of the hour any queued emails will be sent together in one email. 
This is true whether the mail grouping is enabled or disabled.

Regards,
theresa



Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-13 Thread theresa mic-snare
Thanks to Santi for troubleshooting with me!! Brilliant work, I'd have been 
so lost without you.

i have no problem with compiling 2.9 from github, but when do you think 
will it get officially released? for my test-environment it's fine but 
production-wise i'd rather stick with official releases and repos. it will 
make life easier for mass-deployments and also to update the agents and the 
master. is there a timeline when 2.9 will get released?

who's running the atomicorp repositories? :)

On Thursday, 13 August 2015 01:33:51 UTC+2, Santiago Bassett wrote:

 After troubleshooting the issue with Theresa, finally found it. It is a 
 bug in the way localtime function is called in shared/read-agents.c 

 Fixed in version 2.9 by cgzones. See commit here: 


 https://github.com/ossec/ossec-hids/commit/e87f415eeef268f6d95b04d569b8d51e260bbc27#diff-7c75ce14fc99e77cf2ac6208fbb99946

 Theresa, if you compile version 2.9 it will work ;-)

 On Wed, Aug 12, 2015 at 1:50 PM, theresa mic-snare <rockpr...@gmail.com> wrote:

 oh and I've also deleted the rootcheck file (or moved it somewhere else). 
 still the same problem with the segfaults :(

 On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:

 The file looks good to me. Is the segfault happening only with agent 000 
 or with all of them? If it is only 000 I would try completely deleting 
 rootcheck file and running the check again. If you still have the segfault 
 try compiling 2.9 version. I could not trigger the segfault in my 
 environment.

 On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <rockpr...@gmail.com> wrote:

 i just checked the queue/rootcheck/rootcheck file, it looks like this
 !1439300728!1439195883 Starting syscheck scan.
 !1439302513!1439197646 Ending syscheck scan.
 !1439318491!1439197686 Starting rootcheck scan.
 !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439314890!1439197952 Ending rootcheck scan.
 !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .


 similar to the unresolved issues, when i run the print.

 i'm using the ossec binaries from the atomicorp repository, which is 2.8.2
 ossec-hids-server-2.8.2-49.el6.art.x86_64
 ossec-hids-2.8.2-49.el6.art.x86_64

 owner/permission of the rootcheck file is the following:
 -rw-r-. 1 ossec ossec 1159 11. Aug 21:48 
 /var/ossec/queue/rootcheck/rootcheck




 On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:

 I see, somehow my mail client (gmail) was not displaying the whole strace 
 output, now I can see it.   

 The segfault appears after looking into queue/rootcheck/rootcheck and 
 writing No entries found. 

 Having a look at the code I realized that is done in the function 
 _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in 
 the same file), which is called at util/rootcheck_control.c when you want 
 to update rootcheck database using an agent info (with -L -i options).

 How does your queue/rootcheck/rootcheck file looks like? I wonder if it is 
 malformed. As well, what ossec version are you using? I am using latest 
 github code and run the same command with no issues.

 I hope that helps!

 Santiago.


 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
 close(3) = 0
 munmap(0x7ffb97d03000, 4096) = 0
 setgroups(1, [498]) = 0
 setresgid(-1, 498, -1) = 0
 setgid(498) = 0
 chdir("/var/ossec") = 0
 chroot("/var/ossec") = 0
 chdir("/") = 0
 setuid(498) = 0
 setresuid(-1, 498, -1) = 0
 uname({sys="Linux", node="tron", ...}) = 0
 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
 write(1, "\n", 1
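
[Editor's note, added to this thread; it is not from any of the posters or from the OSSEC project.] Until the manager runs a build that carries the read-agents.c fix referenced above, rootcheck_control -L dies before it lists anything, but the data it was about to print is plain text in queue/rootcheck/rootcheck, one entry per line in the `!last_seen!first_seen message` form visible in the quoted file (the first stamp moves forward every time a scan re-observes the finding, the second stays at the first sighting). The added example below reads that file with awk alone, so it works on a manager whose own OSSEC utilities crash. Its sample is the posted file with the wrapped lines rejoined; its current/stale split (was the finding re-observed at or after the most recent "Starting rootcheck scan" marker) is this script's own triage heuristic and not a description of how rootcheck_control decides Resolved versus Outstanding.

```sh
#!/bin/sh
# Added example (not OSSEC code): read an OSSEC queue/rootcheck/rootcheck file
# directly when rootcheck_control -L is unusable. Entry format, as in the
# posted file:   !<last_seen_epoch>!<first_seen_epoch> <message>

# Epoch of the most recent "Starting rootcheck scan" marker in file $1, 0 if none.
rootcheck_last_scan() {
    awk 'substr($0, 1, 1) == "!" && index($0, "Starting rootcheck scan") {
             split($1, t, "!")            # t[2] = last seen, t[3] = first seen
             if (t[2] + 0 > last) last = t[2] + 0
         }
         END { print last + 0 }' "$1"
}

# Print audit findings from file $1 as "<last_seen>TAB<message>".
#   $2 = "current": last seen at/after the latest scan start (re-observed)
#   $2 = "stale":   last seen before it (not reported by the latest scan)
# Scan start/end markers are skipped; they are bookkeeping, not findings.
# The split is this script's heuristic, not rootcheck_control's logic.
rootcheck_events() {
    last=$(rootcheck_last_scan "$1")
    awk -v last="$last" -v want="$2" '
        substr($0, 1, 1) != "!"                                   { next }
        index($0, "rootcheck scan") || index($0, "syscheck scan") { next }
        {
            split($1, t, "!"); seen = t[2] + 0
            msg = $0; sub(/^![0-9]+![0-9]+ /, "", msg)
            cls = (seen >= last) ? "current" : "stale"
            if (cls == want) printf "%s\t%s\n", seen, msg
        }' "$1"
}

# Constructed sample: the entries from the posted file, long lines rejoined.
rootcheck_sample_file() {
    cat >"$1" <<'EOF'
!1439300728!1439195883 Starting syscheck scan.
!1439302513!1439197646 Ending syscheck scan.
!1439318491!1439197686 Starting rootcheck scan.
!1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439314890!1439197952 Ending rootcheck scan.
!1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
EOF
}

# Usage: sh rootcheck_read.sh /var/ossec/queue/rootcheck/rootcheck
# (the per-agent files sit in the same directory; pass one of those for an agent)
if [ -n "$1" ] && [ -f "$1" ]; then
    echo "Last scan started (epoch): $(rootcheck_last_scan "$1")"
    echo "--- current ---"; rootcheck_events "$1" current
    echo "--- stale ---";   rootcheck_events "$1" stale
fi
```

On the posted sample the latest scan start is 1439318491, the four "System Audit" entries stamped 1439318493 come out as current, and the SELinux finding stamped 1439199726 comes out as stale; that is the same information the segfaulting tool was trying to render, minus the localtime formatting that its bug sat in.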

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-13 Thread theresa mic-snare
Good news: I've finally upgraded to the latest version available on github. 
The ossec-version still says 2.8 (so it's not officially 2.9 yet?!)
it indeed fixed my issue.

I finally see also the "Last scan" timestamp and, most importantly, no more 
segfaults when running rootcheck_control -L :)

Last scan: 2015 Aug 13 21:50:20


Great thanks again to Santi for so patiently fixing and discovering this 
issue!

On Thursday, 13 August 2015 14:32:23 UTC+2, theresa mic-snare wrote:

 Thanks to Santi for troubleshooting with me!! Brilliant work, I'd have 
 been so lost without you.

 i have no problem with compiling 2.9 from github, but when do you think 
 will it get officially released? for my test-environment it's fine but 
 production-wise i'd rather stick with official releases and repos. it will 
 make life easier for mass-deployments and also to update the agents and the 
 master. is there a timeline when 2.9 will get released?

 who's running the atomicorp repositories? :)

 On Thursday, 13 August 2015 01:33:51 UTC+2, Santiago Bassett wrote:

 After troubleshooting the issue with Theresa, finally found it. It is a 
 bug in the way localtime function is called in shared/read-agents.c 

 Fixed in version 2.9 by cgzones. See commit here: 


 https://github.com/ossec/ossec-hids/commit/e87f415eeef268f6d95b04d569b8d51e260bbc27#diff-7c75ce14fc99e77cf2ac6208fbb99946

 Theresa, if you compile version 2.9 it will work ;-)

 On Wed, Aug 12, 2015 at 1:50 PM, theresa mic-snare <rockpr...@gmail.com> wrote:

 oh and I've also deleted the rootcheck file (or moved it somewhere else). 
 still the same problem with the segfaults :(

 On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:

 The file looks good to me. Is the segfault happening only with agent 000 
 or with all of them? If it is only 000 I would try completely deleting 
 rootcheck file and running the check again. If you still have the segfault 
 try compiling 2.9 version. I could not trigger the segfault in my 
 environment.

 On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <rockpr...@gmail.com> wrote:

 i just checked the queue/rootcheck/rootcheck file, it looks like this
 !1439300728!1439195883 Starting syscheck scan.
 !1439302513!1439197646 Ending syscheck scan.
 !1439318491!1439197686 Starting rootcheck scan.
 !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439314890!1439197952 Ending rootcheck scan.
 !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .


 similar to the unresolved issues, when i run the print.

 i'm using the ossec binaries from the atomicorp repository, which is 2.8.2
 ossec-hids-server-2.8.2-49.el6.art.x86_64
 ossec-hids-2.8.2-49.el6.art.x86_64

 owner/permission of the rootcheck file is the following:
 -rw-r-. 1 ossec ossec 1159 11. Aug 21:48 
 /var/ossec/queue/rootcheck/rootcheck




 On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:

 I see, somehow my mail client (gmail) was not displaying the whole strace 
 output, now I can see it.   

 The segfault appears after looking into queue/rootcheck/rootcheck and 
 writing No entries found. 

 Having a look at the code I realized that is done in the function 
 _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in 
 the same file), which is called at util/rootcheck_control.c when you want 
 to update rootcheck database using an agent info (with -L -i options).

 How does your queue/rootcheck/rootcheck file looks like? I wonder if it is 
 malformed. As well, what ossec version are you using? I am using latest 
 github code and run the same command with no issues.

 I hope that helps!

 Santiago.


 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
 close(3) = 0
 munmap(0x7ffb97d03000, 4096) = 0
 setgroups(1, [498]) = 0
 setresgid(-1, 498, -1) = 0
 setgid(498

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-12 Thread theresa mic-snare
bad news...looks like I have to compile the github version 2.9 ...meh
maybe I'm lazy, but I love the comfort of using binaries (e.g. RPMs or 
DEBs), not just for me in my test-environment, but furthermore for my 
company as well.

I've just had another segfault with the other agent.

Aug 12 22:42:17 tron kernel: rootcheck_contr[19479]: segfault at 8 ip 7f66580f1925 sp 7fff5c392440 error 4 in libc-2.12.so[7f665804e000+18a000]


this was definitely coming from the agent


bin/rootcheck_control -L -i 002

 Policy and auditing events for agent 'concave (002) - ':

 Resolved events: 

 ** No entries found.
 Segmentation fault.


If this really is a bug, and I just happened to have stumbled upon it, then 
it would be cool if it could be addressed. But at the moment I'm kinda the 
only one who's running into this problem, using the atomicorp RPMs, right?!
I would love to have RPMs for mass-deployment...

hmm :(


On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:

 The file looks good to me. Is the segfault happening only with agent 000 
 or with all of them? If it is only 000 I would try completely deleting 
 rootcheck file and running the check again. If you still have the segfault 
 try compiling 2.9 version. I could not trigger the segfault in my 
 environment.

 On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <rockpr...@gmail.com> wrote:

 i just checked the queue/rootcheck/rootcheck file, it looks like this
 !1439300728!1439195883 Starting syscheck scan.
 !1439302513!1439197646 Ending syscheck scan.
 !1439318491!1439197686 Starting rootcheck scan.
 !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439314890!1439197952 Ending rootcheck scan.
 !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .


 Similar to the unresolved issues, when I run the print.

 I'm using the OSSEC binaries from the atomicorp repository, which is 2.8.2:
 ossec-hids-server-2.8.2-49.el6.art.x86_64
 ossec-hids-2.8.2-49.el6.art.x86_64

 Owner/permissions of the rootcheck file are the following:
 -rw-r-. 1 ossec ossec 1159 11. Aug 21:48 
 /var/ossec/queue/rootcheck/rootcheck




 On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:

 I see; somehow my mail client (gmail) was not displaying the whole strace 
 output. Now I can see it.

 The segfault appears after looking into queue/rootcheck/rootcheck and 
 writing "No entries found."

 Having a look at the code, I realized that this is done in the function 
 _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in 
 the same file), which is called from util/rootcheck_control.c when you want 
 to update the rootcheck database using an agent's info (with the -L -i options).

 What does your queue/rootcheck/rootcheck file look like? I wonder if it is 
 malformed. Also, what OSSEC version are you using? I am using the latest 
 GitHub code and run the same command with no issues.

 I hope that helps!

 Santiago.


 open(/etc/passwd, O_RDONLY|O_CLOEXEC) = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d03000
 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 1348
 close(3)= 0
 munmap(0x7ffb97d03000, 4096)= 0
 setgroups(1, [498]) = 0
 setresgid(-1, 498, -1)  = 0
 setgid(498) = 0
 chdir(/var/ossec) = 0
 chroot(/var/ossec)= 0
 chdir(/)  = 0
 setuid(498) = 0
 setresuid(-1, 498, -1)  = 0
 uname({sys=Linux, node=tron, ...})  = 0
 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d03000
 write(1, \n, 1
 )   = 1
 write(1, Policy and auditing events for l..., 64Policy and auditing 
 events for local system 'tron - 127.0.0.1':
 ) = 64
 open(/queue/rootcheck/rootcheck, O_RDWR) = 3
 fstat(3, {st_mode=S_IFREG|0640, st_size=1159

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-12 Thread theresa mic-snare
Oh, and I've also deleted the rootcheck file (or moved it somewhere else). 
Still the same problem with the segfaults :(

On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:

 The file looks good to me. Is the segfault happening only with agent 000 
 or with all of them? If it is only 000, I would try completely deleting the 
 rootcheck file and running the check again. If you still have the segfault, 
 try compiling the 2.9 version. I could not trigger the segfault in my 
 environment.

 On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare rockpr...@gmail.com wrote:

 I just checked the queue/rootcheck/rootcheck file; it looks like this:
 !1439300728!1439195883 Starting syscheck scan.
 !1439302513!1439197646 Ending syscheck scan.
 !1439318491!1439197686 Starting rootcheck scan.
 !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat 
 Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: 
 http://www.ossec.net/ .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - 
 Robust partition scheme - /tmp is not on its own partition. File: /etc/
 fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - 
 Robust partition scheme - /var is not on its own partition. File: /etc/
 fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - 
 Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. 
 Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
 !1439314890!1439197952 Ending rootcheck scan.
 !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set 
 to enforcing. File: /etc/selinux/config. Reference: http://
 www.ossec.net/wiki/index.php/CIS_RHEL6 .


 Similar to the unresolved issues, when I run the print.

 I'm using the OSSEC binaries from the atomicorp repository, which is 2.8.2:
 ossec-hids-server-2.8.2-49.el6.art.x86_64
 ossec-hids-2.8.2-49.el6.art.x86_64

 Owner/permissions of the rootcheck file are the following:
 -rw-r-. 1 ossec ossec 1159 11. Aug 21:48 
 /var/ossec/queue/rootcheck/rootcheck




 On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:

 I see; somehow my mail client (gmail) was not displaying the whole strace 
 output. Now I can see it.

 The segfault appears after looking into queue/rootcheck/rootcheck and 
 writing "No entries found."

 Having a look at the code, I realized that this is done in the function 
 _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in 
 the same file), which is called from util/rootcheck_control.c when you want 
 to update the rootcheck database using an agent's info (with the -L -i options).

 What does your queue/rootcheck/rootcheck file look like? I wonder if it is 
 malformed. Also, what OSSEC version are you using? I am using the latest 
 GitHub code and run the same command with no issues.

 I hope that helps!

 Santiago.


 open(/etc/passwd, O_RDONLY|O_CLOEXEC) = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d03000
 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 1348
 close(3)= 0
 munmap(0x7ffb97d03000, 4096)= 0
 setgroups(1, [498]) = 0
 setresgid(-1, 498, -1)  = 0
 setgid(498) = 0
 chdir(/var/ossec) = 0
 chroot(/var/ossec)= 0
 chdir(/)  = 0
 setuid(498) = 0
 setresuid(-1, 498, -1)  = 0
 uname({sys=Linux, node=tron, ...})  = 0
 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d03000
 write(1, \n, 1
 )   = 1
 write(1, Policy and auditing events for l..., 64Policy and auditing 
 events for local system 'tron - 127.0.0.1':
 ) = 64
 open(/queue/rootcheck/rootcheck, O_RDWR) = 3
 fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d02000
 read(3, !1439226925!1439195883 Starting ..., 4096) = 1159
 lseek(3, 0, SEEK_SET)   = 0
 write(1, \nResolved events: \n\n, 20
 Resolved events: 

 ) = 20
 read(3, !1439226925!1439195883 Starting ..., 4096) = 1159
 read(3, , 4096)   = 0
 write(1, ** No entries found.\n, 21** No entries found.
 )  = 21
 lseek(3, 0, SEEK_SET)   = 0
 open(/etc/localtime, O_RDONLY)= 4
 fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
 fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0

 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d01000
 read(4, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-11 Thread theresa mic-snare
Hi Santi,

Yes, the process crashed already, from what I can see, 
because at the end of the system calls it says:


 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
 +++ killed by SIGSEGV +++


and below that the typical Segmentation fault

I called strace with the following parameters: strace -C bin/rootcheck_control 
-L -i 000
Was this sufficient, or do I need something else?

thanks,
theresa

On Monday, 10 August 2015 23:11:59 UTC+2, Santiago Bassett wrote:

 Hi Theresa,

 Did the process crash already? We need it to crash :-)



 On Mon, Aug 10, 2015 at 2:03 PM, theresa mic-snare rockpr...@gmail.com wrote:

 Hi Santi,

 I've now run rootcheck_control with strace, but I'm not quite sure what to 
 make of it:

 strace -C bin/rootcheck_control -L -i 000
 execve(bin/rootcheck_control, [bin/rootcheck_control, -L, -i, 
 000], [/* 18 vars */]) = 0
 brk(0)  = 0x7ffb98ad
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
 0x7ffb97d04000
 access(/etc/ld.so.preload, R_OK)  = -1 ENOENT (No such file or 
 directory)
 open(/etc/ld.so.cache, O_RDONLY)  = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=18775, ...}) = 0
 mmap(NULL, 18775, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb97cff000
 close(3)= 0
 open(/lib64/libc.so.6, O_RDONLY)  = 3
 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0p\356\1\0\0\0\0\0
 ..., 832) = 832
 fstat(3, {st_mode=S_IFREG|0755, st_size=1921216, ...}) = 0
 mmap(NULL, 3750152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) 
 = 0x7ffb97752000
 mprotect(0x7ffb978dc000, 2097152, PROT_NONE) = 0
 mmap(0x7ffb97adc000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_DENYWRITE, 3, 0x18a000) = 0x7ffb97adc000
 mmap(0x7ffb97ae1000, 18696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_ANONYMOUS, -1, 0) = 0x7ffb97ae1000
 close(3)= 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
 0x7ffb97cfe000
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
 0x7ffb97cfd000
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
 0x7ffb97cfc000
 arch_prctl(ARCH_SET_FS, 0x7ffb97cfd700) = 0
 mprotect(0x7ffb97adc000, 16384, PROT_READ) = 0
 mprotect(0x7ffb97f2c000, 4096, PROT_READ) = 0
 mprotect(0x7ffb97d05000, 4096, PROT_READ) = 0
 munmap(0x7ffb97cff000, 18775)   = 0
 brk(0)  = 0x7ffb98ad
 brk(0x7ffb98af1000) = 0x7ffb98af1000
 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
 connect(3, {sa_family=AF_LOCAL, sun_path=/var/run/nscd/socket}, 110) = -
 1 ENOENT (No such file or directory)
 close(3)= 0
 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
 connect(3, {sa_family=AF_LOCAL, sun_path=/var/run/nscd/socket}, 110) = -
 1 ENOENT (No such file or directory)
 close(3)= 0
 open(/etc/nsswitch.conf, O_RDONLY)= 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
 0x7ffb97d03000
 read(3, #\n# /etc/nsswitch.conf\n#\n# An ex..., 4096) = 1688
 read(3, , 4096)   = 0
 close(3)= 0
 munmap(0x7ffb97d03000, 4096)= 0
 open(/etc/ld.so.cache, O_RDONLY)  = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=18775, ...}) = 0
 mmap(NULL, 18775, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb97cff000
 close(3)= 0
 open(/lib64/libnss_files.so.2, O_RDONLY) = 3
 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360!\0\0\0\0\0\0
 ..., 832) = 832
 fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0
 mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) 
 = 0x7ffb97544000
 mprotect(0x7ffb9755, 2097152, PROT_NONE) = 0
 mmap(0x7ffb9775, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_DENYWRITE, 3, 0xc000) = 0x7ffb9775
 close(3)= 0
 mprotect(0x7ffb9775, 4096, PROT_READ) = 0
 munmap(0x7ffb97cff000, 18775)   = 0
 open(/etc/group, O_RDONLY|O_CLOEXEC)  = 3
 fcntl(3, F_GETFD)   = 0x1 (flags FD_CLOEXEC)
 fstat(3, {st_mode=S_IFREG|0644, st_size=577, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
 0x7ffb97d03000
 read(3, root:x:0:\nbin:x:1:bin,daemon\ndae..., 4096) = 577
 close(3)= 0
 munmap(0x7ffb97d03000, 4096)= 0
 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
 connect(3, {sa_family=AF_LOCAL, sun_path=/var/run/nscd/socket}, 110) = -
 1 ENOENT (No such file or directory)
 close(3)= 0
 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
 connect(3, {sa_family=AF_LOCAL, sun_path=/var/run/nscd/socket}, 110) = -
 1 ENOENT
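The trace discussed in this message ends in a SIGSEGV whose siginfo reads si_code=SEGV_MAPERR (address not mapped) and si_addr=0x8, and the question of what to look at in a long strace log came up more than once. The following Python script is an added example, not code from the thread or from the OSSEC project: it pulls the fatal signal and its siginfo fields out of an strace log, lists the last few syscalls that completed before the fault, and gives a plain-language reading of the fault address. It assumes strace's default line format for syscalls and for the `--- SIGNAL {...} ---` line; the sample trace embedded in it is constructed from the tail of the trace posted in this thread, and the file path on the command line is whatever you captured with `strace -o`.

```python
"""Crash triage for an strace log: what ran last, and what the fault address suggests.

Added example; not from the thread or the OSSEC project. Assumes strace's
default text output, in particular the signal line format
    --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
"""
import re
import sys

# Constructed sample, modelled on the tail of the trace posted in the thread.
SAMPLE = """\
open("/queue/rootcheck/rootcheck", O_RDWR) = 3
fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
read(3, "", 4096)                       = 0
write(1, "** No entries found.\\n", 21)  = 21
open("/etc/localtime", O_RDONLY)        = 4
read(4, "TZif2\\0\\0\\0"..., 4096)         = 2211
close(4)                                = 0
munmap(0x7ffb97d01000, 4096)            = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
+++ killed by SIGSEGV +++
"""

SIGNAL_RE = re.compile(r"^--- (SIG\w+) \{(.*)\} ---$")
KILLED_RE = re.compile(r"^\+\+\+ killed by (SIG\w+)")
SYSCALL_RE = re.compile(r"^\w+\(")
PAGE_SIZE = 4096  # the first page is never mapped on Linux, so tiny addresses mean NULL + offset


def parse_siginfo(fields):
    """'si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8' -> dict of the fields."""
    return dict(item.split("=", 1) for item in fields.split(", "))


def find_crash(text, context=5):
    """Return the fatal signal, its siginfo and the last `context` syscalls before it."""
    recent = []
    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            return {"signal": m.group(1), "info": parse_siginfo(m.group(2)),
                    "before": recent[-context:]}
        if SYSCALL_RE.match(line):
            recent.append(line)
    return None  # no signal line: the process did not die of a signal in this trace


def killed_by(text):
    """Signal named on the '+++ killed by ... +++' line, or None."""
    for line in text.splitlines():
        m = KILLED_RE.match(line)
        if m:
            return m.group(1)
    return None


def fault_hint(info):
    """Plain-language reading of the fault address (a heuristic, not a proof)."""
    addr = info.get("si_addr")
    if addr is None:
        return "no fault address recorded"
    value = int(addr, 16)
    code = info.get("si_code", "?")
    if value < PAGE_SIZE:
        # A read or write at a small address almost always means a NULL struct
        # pointer was dereferenced at that field offset.
        return (f"{code} at {addr}: inside the first page, likely a NULL pointer "
                f"dereferenced at offset {value}")
    return f"{code} at {addr}: unmapped or protected address"


def summarize(text, context=5):
    """Human-readable triage summary for a whole trace."""
    crash = find_crash(text, context)
    if crash is None:
        return "no fatal signal found in trace"
    lines = [f"Process died with {crash['signal']} ({fault_hint(crash['info'])})",
             "Last syscalls before the fault:"]
    lines += [f"  {entry}" for entry in crash["before"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: strace -o trace.txt bin/rootcheck_control -L -i 000
    #        python strace_triage.py trace.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(summarize(text))
```

A fault address inside the first page, as in the posted trace, points at a NULL struct pointer being dereferenced at a small field offset in the program's own code; that the crash lands after the last syscall (the /etc/localtime reads) returned, rather than inside one, says the same thing. The summary block that `strace -C` appends after the killed line is ignored by the parser because its rows do not look like syscall lines.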

Re: [ossec-list] Re: SEIM system with OSSEC.

2015-08-11 Thread theresa mic-snare
Hi,

My problem with OSSIM or USM always was that AlienVault only provides a 
Debian-based image.
However, a lot of companies use Red Hat based distros, whether it's RHEL or 
CentOS.
Of course you could argue that it's still a Linux distro, but it doesn't 
really match with most corporate strategies if you have a lot of RHEL-based 
servers and then one single Debian appliance, or vice versa.

It would also be nice if you could deploy the open-source community version 
(OSSIM) on physical servers and not just on VMs...

Just my 2 cents.

On Tuesday, 11 August 2015 21:54:10 UTC+2, Daniil Svetlov wrote:

 Hi, Jaime!

 I don't mean especially OSSIM.
 I tried OSSIM and Prelude (Prewikka).
 OSSIM can work only with a single user, and only with a limited number of 
 OSSEC agents.
 The community version of Prewikka uses some kind of deoptimized SQL queries, 
 so the MySQL server can't answer quickly. It also has very poor 
 visualizations. And it seems that the new owners of Prelude removed some 
 functions from the community version.



 On Tue, 11 Aug 2015 at 22:35, Jaime Blasco jaime@alienvault.com wrote:

 If you are talking about OSSIM, it doesn't contain any limits and it is 
 based on top of open source and free software as well. There are more than 
 10k installations worldwide, it is maintained by a company, and the core 
 technology is used in a commercial product as well. It also gives you many 
 more capabilities (Netflow, IDS, Vulnerability Scanning, Correlation, Asset 
 discovery, IOC matching, etc).

 Happy to answer any questions about OSSIM

 Regards



 On Tue, Aug 11, 2015 at 12:09 PM, Daniil Svetlov svetlov...@gmail.com wrote:

 Jason, LightSIEM maintains one database for all events. It's not 
 important what sources they come from. OSSEC and Snort logs go through a 
 normalization process, where they are parsed into special fields and alert 
 levels are reduced to a common scale.

 Answering your question: you need only one server of LightSIEM for 
 building a SIEM.

 Also, note that unlike other freeware SIEMs, LightSIEM doesn't 
 contain any limits and is built on top of open-source and free software.


 On Mon, 10 Aug 2015 at 17:42, Grant Leonard gr...@castraconsulting.com wrote:

 A SIEM platform of any kind is a correlation tool for comparing and 
 contrasting logs from disparate device types.

 As you have seen, 3 different folks provided 3 different answers, and 
 that will likely be true when talking with any professionals.

 For 200 devices you will need a decent-size server. OSSIM (and 
 ultimately AlienVault) has the OSSEC server running on its main server 
 and remote sensor devices, allowing you to manually deploy OSSEC agents and 
 control OSSEC agent configurations from a GUI as well as the command line.

 If you are only managing 200 servers and no other log feeds, OSSIM 
 might be a good place to start, as you will get some pre-canned ideas for 
 writing subsequent rules/directives/escalations.

 If, however, you choose to add additional feeds, you might keep the 
 200+ agents reporting to a remote sensor and use the server for just 
 correlation/presentation. Your options are wide open; give it a try!

 https://www.alienvault.com/products/ossim


 Grant Leonard
 Castra Consulting, LLC http://castraconsulting.com/#/
 919-949-4002

 On Sun, Aug 9, 2015 at 10:46 AM, 'Jason Long' via ossec-list 
 ossec...@googlegroups.com wrote:

 Thank you.
 Grant, can you give me more information? I want to implement SIEM for 
 a Windows network with 200 clients. Which requirements are needed? 



 On Saturday, August 8, 2015 8:58 PM, Grant Leonard 
 gr...@castraconsulting.com wrote:


 Try AlienVault or OSSIM; they both make good use of OSSEC and add 
 additional tools you will need for detecting the spread of malware.

 On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote:

 Hello Experts.
 How can I launch a SIEM for my local network and find the spread point 
 of malware in my local network? 
 Any idea? Please let me know which tools are needed.


 Thank you.

 -- 

 --- 
 You received this message because you are subscribed to the Google 
 Groups ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send 
 an email to ossec-list+...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.



Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-11 Thread theresa mic-snare
I just checked the queue/rootcheck/rootcheck file; it looks like this:
!1439300728!1439195883 Starting syscheck scan.
!1439302513!1439197646 Ending syscheck scan.
!1439318491!1439197686 Starting rootcheck scan.
!1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat 
Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: 
http://www.ossec.net/ .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - 
Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab
. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - 
Robust partition scheme - /var is not on its own partition. File: /etc/fstab
. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - 
Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. 
Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439314890!1439197952 Ending rootcheck scan.
!1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to 
enforcing. File: /etc/selinux/config. Reference: 
http://www.ossec.net/wiki/index.php/CIS_RHEL6 
.


Similar to the unresolved issues, when I run the print.

I'm using the OSSEC binaries from the atomicorp repository, which is 2.8.2:
ossec-hids-server-2.8.2-49.el6.art.x86_64
ossec-hids-2.8.2-49.el6.art.x86_64

Owner/permissions of the rootcheck file are the following:
-rw-r-. 1 ossec ossec 1159 11. Aug 21:48 
/var/ossec/queue/rootcheck/rootcheck



On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:

 I see; somehow my mail client (gmail) was not displaying the whole strace 
 output. Now I can see it.

 The segfault appears after looking into queue/rootcheck/rootcheck and 
 writing "No entries found."

 Having a look at the code, I realized that this is done in the function 
 _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in 
 the same file), which is called from util/rootcheck_control.c when you want 
 to update the rootcheck database using an agent's info (with the -L -i options).

 What does your queue/rootcheck/rootcheck file look like? I wonder if it is 
 malformed. Also, what OSSEC version are you using? I am using the latest 
 GitHub code and run the same command with no issues.

 I hope that helps!

 Santiago.


 open(/etc/passwd, O_RDONLY|O_CLOEXEC) = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d03000
 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 1348
 close(3)= 0
 munmap(0x7ffb97d03000, 4096)= 0
 setgroups(1, [498]) = 0
 setresgid(-1, 498, -1)  = 0
 setgid(498) = 0
 chdir(/var/ossec) = 0
 chroot(/var/ossec)= 0
 chdir(/)  = 0
 setuid(498) = 0
 setresuid(-1, 498, -1)  = 0
 uname({sys=Linux, node=tron, ...})  = 0
 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d03000
 write(1, \n, 1
 )   = 1
 write(1, Policy and auditing events for l..., 64Policy and auditing 
 events for local system 'tron - 127.0.0.1':
 ) = 64
 open(/queue/rootcheck/rootcheck, O_RDWR) = 3
 fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d02000
 read(3, !1439226925!1439195883 Starting ..., 4096) = 1159
 lseek(3, 0, SEEK_SET)   = 0
 write(1, \nResolved events: \n\n, 20
 Resolved events: 

 ) = 20
 read(3, !1439226925!1439195883 Starting ..., 4096) = 1159
 read(3, , 4096)   = 0
 write(1, ** No entries found.\n, 21** No entries found.
 )  = 21
 lseek(3, 0, SEEK_SET)   = 0
 open(/etc/localtime, O_RDONLY)= 4
 fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
 fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0

 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
  0x7ffb97d01000
 read(4, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0..., 
 4096) = 2211
 lseek(4, -1410, SEEK_CUR)   = 801
 read(4, TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0..., 
 4096) = 1410
 close(4)= 0
 munmap(0x7ffb97d01000, 4096)= 0
 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
 +++ killed by SIGSEGV +++

 On Tue, Aug 11, 2015 at 1:13 AM, theresa mic-snare rockpr...@gmail.com wrote:

 Hi Santi,

 Yes, the process crashed already, from what I can see, 
 because at the end of the system calls it says:


 *--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8
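The queue/rootcheck/rootcheck file posted in this message is a simple line-oriented format, and the thread turns on what rootcheck_control makes of it. The following Python script is an added example, not code from the thread or from the OSSEC project: it parses that format and prints an outstanding/resolved listing in the style of `rootcheck_control -L`, reporting a malformed line instead of crashing on it. Two things are assumptions of mine rather than facts from the thread: that each line is `!<last-seen>!<first-detected> <message>` with Unix timestamps (my reading of the entries posted, consistent with the "first time detected" wording of rootcheck_control's output), and that an entry counts as resolved when its last-seen time is older than the most recent "Ending rootcheck scan." marker; check that rule against _do_print_rootcheck in shared/read-agent.c, named above, before relying on it. The sample text is constructed from the entries in the thread, with one deliberately malformed line added.

```python
"""List the entries of an OSSEC queue/rootcheck/rootcheck file.

Added example; not OSSEC's own code. Assumed line format (my reading of the
thread, not verified against shared/read-agent.c):
    !<last_seen>!<first_detected> <message>
Entries whose last-seen time precedes the most recent "Ending rootcheck
scan." marker are reported as resolved, everything else as outstanding.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the entries posted in the thread, plus one broken line.
SAMPLE = """\
!1439300728!1439195883 Starting syscheck scan.
!1439302513!1439197646 Ending syscheck scan.
!1439318491!1439197686 Starting rootcheck scan.
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439314890!1439197952 Ending rootcheck scan.
!1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
this line is deliberately malformed
"""

ENTRY_RE = re.compile(r"^!(\d+)!(\d+) (.*)$")
SCAN_MARKERS = {
    "Starting syscheck scan.", "Ending syscheck scan.",
    "Starting rootcheck scan.", "Ending rootcheck scan.",
}


@dataclass
class Entry:
    last_seen: int       # first timestamp field (assumed: last time the check fired)
    first_detected: int  # second timestamp field (assumed: first time it fired)
    message: str


def parse_rootcheck(text):
    """Return (entries, malformed); malformed is a list of (lineno, line)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            malformed.append((lineno, line))  # report it rather than crash on it
            continue
        entries.append(Entry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries, malformed


def last_scan_end(entries):
    """Timestamp of the most recent completed rootcheck scan, or None."""
    ends = [e.last_seen for e in entries if e.message == "Ending rootcheck scan."]
    return max(ends) if ends else None


def classify(entries):
    """Split audit findings into (outstanding, resolved) using the assumed rule."""
    cutoff = last_scan_end(entries)
    outstanding, resolved = [], []
    for e in entries:
        if e.message in SCAN_MARKERS:
            continue  # scan markers are bookkeeping, not findings
        if cutoff is not None and e.last_seen < cutoff:
            resolved.append(e)  # not seen again by the last completed scan
        else:
            outstanding.append(e)
    return outstanding, resolved


def fmt(ts):
    """Render a Unix timestamp the way rootcheck_control prints dates (UTC here)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y %b %d %H:%M:%S")


def report(text):
    """Render a listing in the spirit of rootcheck_control -L output."""
    entries, malformed = parse_rootcheck(text)
    outstanding, resolved = classify(entries)
    out = []
    for label, group in (("Outstanding events", outstanding), ("Resolved events", resolved)):
        out.append(f"{label}:")
        if not group:
            out.append("  ** No entries found.")
        for e in group:
            out.append(f"  {fmt(e.last_seen)} (first time detected: {fmt(e.first_detected)})")
            out.append(f"  {e.message}")
    for lineno, line in malformed:
        out.append(f"Malformed line {lineno}: {line!r}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python rootcheck_list.py [/var/ossec/queue/rootcheck/rootcheck]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(report(text))
```

Run against the real file, the script needs read access to /var/ossec/queue/rootcheck/rootcheck (owned by ossec:ossec with mode 640 in the listing above), so run it as that user or from a copy. With the sample data the SELinux finding lands under resolved, which is what the poster expected from sestatus, while the /tmp partition finding, last seen after the last completed scan, stays outstanding.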

[ossec-list] my problem with rootcheck / CIS checks

2015-08-10 Thread theresa mic-snare
hi all,

As you may have noticed, I've been playing around with the rootcheck module, 
e.g. for the CIS checks.
What I've noticed is that the CIS (audit) checks are not really updated 
unless I do a complete restart of OSSEC (ossec-control restart).

Neither a syscheck_update -u local nor an agent_control -r -u 000 nor a 
rootcheck_control -u 000 is going to update the CIS benchmark.

How did I notice that?
Well, rootcheck_control says the latest outstanding event is e.g. this:
2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing
. File: /etc/selinux/config. Reference: 
http://www.ossec.net/wiki/index.php/CIS_RHEL6 
.


This means the last time the check was updated was over 5 hours ago.
But my rootcheck is running on an hourly basis, and according to the 
ossec.log it just ran a couple of minutes ago:

2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan.

so this kinda doesn't match.

By the way, I can prove that the above-mentioned CIS check should be marked as 
resolved, because according to sestatus I have SELinux set to enforcing:

SELinux status: enabled
SELinuxfs mount:/selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:targeted

Then I had a quick look at my own system logs (messages.log) and found this:
Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip 
7f851fe8b925 sp 7ffdc8c73240 error 4 in 
libc-2.12.so[7f851fde8000+18a000]

this is the result when I run *rootcheck_control -L -i 000*

I bet when I restart OSSEC completely this above-mentioned CIS check will 
vanish (it will not be marked as resolved), as somehow the database is 
cleared.

Has anyone run into this problem as well?

I'm running the latest OSSEC version, 2.8.2.



Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-10 Thread theresa mic-snare
good idea.
do you want me to run strace with any specific options?

On Monday, 10 August 2015 20:28:20 UTC+2, Santiago Bassett wrote:

 Haven't seen that before. Try running rootcheck_control with strace to 
 debug that segfault

 Best

 On Mon, Aug 10, 2015 at 9:54 AM, theresa mic-snare rockpr...@gmail.com wrote:

 hi all,

 As you may have noticed, I've been playing around with the rootcheck 
 module, e.g. for the CIS checks.
 What I've noticed is that the CIS (audit) checks are not really updated 
 unless I do a complete restart of OSSEC (ossec-control restart).

 Neither a syscheck_update -u local nor an agent_control -r -u 000 nor a 
 rootcheck_control -u 000 is going to update the CIS benchmark.

 How did I notice that?
 Well, rootcheck_control says the latest outstanding event is e.g. this:
 2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06)
 System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to 
 enforcing. File: /etc/selinux/config. Reference: http://
 www.ossec.net/wiki/index.php/CIS_RHEL6 .


 This means the last time the check was updated was over 5 hours ago.
 But my rootcheck is running on an hourly basis, and according to the 
 ossec.log it just ran a couple of minutes ago:

 2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan.
 2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan.

 so this kinda doesn't match.

 By the way, I can prove that the above-mentioned CIS check should be marked as 
 resolved, because according to sestatus I have SELinux set to enforcing:

 SELinux status: enabled
 SELinuxfs mount:/selinux
 Current mode:   enforcing
 Mode from config file:  enforcing
 Policy version: 24
 Policy from config file:targeted

 Then I had a quick look at my own system logs (messages.log) and found 
 this:
 Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip 
 7f851fe8b925 sp 7ffdc8c73240 error 4 in 
 libc-2.12.so[7f851fde8000+18a000]

 this is the result when I run *rootcheck_control -L -i 000*

 I bet when I restart OSSEC completely this above-mentioned CIS check will 
 vanish (it will not be marked as resolved), as somehow the database is 
 cleared.

 Has anyone run into this problem as well?

 I'm running the latest OSSEC version, 2.8.2.



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-09 Thread theresa mic-snare
Such a shame that WUI is no longer supported/developed.
I understand that they would rather focus on improving OSSEC than work on a web 
tool that displays the alerts.
I understand that ELK (especially Logstash and Kibana) does the job nicely...

But WUI was the perfect pick for my thesis project (test environment), as 
I'm running the OSSEC appliance on a 2 GB VM, and I don't have the 
possibility to add more RAM.
Alas, Elasticsearch and Logstash are memory-eating slugs, therefore I'm 
unable to run ELK on my test server...
Also, it would be a bit overkill just for one OSSEC master and one agent.


On Saturday, 8 August 2015 22:49:16 UTC+2, Daniel wrote:

 Interesting that ossec-wui isn't supported. I downloaded the appliance 
 right from ossec.net and was following the instructions.

 Went through my running processes and checked out their configs... sure 
 enough, kibana is also included.

 Opened up a browser to localhost:5601 and Kibana is still running like a 
 champ. Not even going to try to fix the wui since I'm more familiar with 
 ELK.

 Thanks for the help, Eero.

 On Saturday, August 8, 2015 at 4:31:42 PM UTC-4, Eero Volotinen wrote:

 Well, 

 Check memory_limit on php also.

 Ossec wui is no longer supported. You should use kibana+elastic search 
 instead of it.

 Eero

 Eero
 Thanks for the quick response. 

 I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the 
 error. 

 I then chmod'ed alerts.log from 640 to 666 and still got the error.

 Alerts.log is still growing, though. Up to 4.2G.

 On Saturday, August 8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote:

 Well, you need to give correct permissions to apache, as wui is running 
 under the apache uid.

 Eero
 On 8 Aug 2015 8:27 pm, Daniel Twardowski noghri...@gmail.com wrote:


 I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I 
 configured a few domain controllers to send it their logs. When I came in 
 today, the WUI is displaying an error of:
 Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open 
 stream: Value too large for defined data type in 
 /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839

 My alerts.log file is 3.5G. If I delete it and restart ossec services, 
 the file is recreated at 3.5G. Is this an issue with file size? If so, can 
 I up the log rotation to more than just once a day? And how would I flush 
 whatever buffer keeps recreating the 3.5G alerts.log file so I can get back 
 to reviewing logs?

 Similar, but unanswered message from 2013:

 https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ

 Thanks.

 Dan



Re: [ossec-list] Can't access CentOS OSSEC server via putty - after login the connection drops

2015-08-01 Thread theresa mic-snare
Hi Jorge,

You have a typo in your eth0 interface config: BOOTPROTO=satic should 
instead read static.
Why do you have 3 different IPs on your eth0 interface? The same IP with 
different netmasks?! You probably only want the /24 subnet.

can you even connect through SSH to the server or do you use some kind of 
console-access to the server?

best,
theresa

On Friday, 31 July 2015 13:59:24 UTC+2, Jorge Neves wrote:



 On Thursday, 30 July 2015 at 17:22:19 UTC+1, Jorge Neves wrote:

 Thank you,

 I am getting this:

 On Thursday, 30 July 2015 at 16:49:55 UTC+1, dan (ddpbsd) wrote:


 On Jul 30, 2015 11:42 AM, Jorge Neves jorge...@gmail.com wrote:
 
  Hi,
 
  I am new to OSSEC and a beginner with Linux.
 
 
  I am having an issue where when I login to the server using putty it 
 drops the connection.
 
 
  I have already whitelisted it in the ossec-server.conf file.
 
  The version I am using is 2.8.2.
 
  Can someone help me, please?
 

 If you have physical access to the system, check /var/log/messages 
 (and/or authlog) for relevant log messages. You can also check 
 /var/ossec/logs/alerts/alerts.log for ossec alerts that may be related.

  thank you
 
  Regards
  J
 


[ossec-list] Re: can i use <user>!root</user>

2015-07-30 Thread theresa mic-snare
not really OSSEC related, but what I've implemented on my server is.

PermitRootLogin no in the sshd config
and i'm using Fail2Ban which blocks all IPs from unsuccessful logins for 
a certain period of time. I'm sure this can be changed to permanently bans 
as well.

I can highly recommend Fail2Ban :)

Am Mittwoch, 29. Juli 2015 23:44:18 UTC+2 schrieb Ashley Drees:

 Hi Brent.

 Plan was, if anyone logs in from anywhere as root, the source IP should be 
 blocked permanently and possibly an email sent to the admins as we do not 
 support root logins anywhere for any reason, so anyone trying to log into 
 that account is up to no good, this we will repeat for all the usual 
 suspect accounts, which we do not use for that reason.

 If someone logs in from anywhere as a legitimate user and fails to place 
 the correct password then at the third fail then they are blocked for 600 
 seconds - if they do it again move into 
 the <repeated_offenders>30,90,120,</repeated_offenders> place.

 As this is my first time with OSSEC, i was looking for <user>!user</user> 
 kind of statement - but it seems to need trees of logic to make it work.

 On 29 July 2015 at 17:46, Brent Morris brent@gmail.com wrote:

 Ashley, 

 Can you provide more details about what you're trying to accomplish?  It 
 appears that you'd like to use active-response with repeated_offenders - 
 but I'm not quite sure.

 If the above is correct, then you'd want to set your active-response up 
 to match the rules for the alerts you're receiving on invalid logons or 
 <match>root</match>

 -Brent

 On Wednesday, July 29, 2015 at 9:06:41 AM UTC-7, Ashley Drees wrote:

 Ok, not so much ignore, I am looking for a way to ban permanently any IP 
 that tries to log in as root, but have a short ban for anyone just 
 forgetting the password, fail more than 3 times and they get an increasing 
 delay.

 Ashley Drees
 07956726775


 On 29 Jul 2015, at 13:31, Brent Morris brent@gmail.com wrote:

 That won't work...  

 I typically will overwrite an alert level if I want to ignore certain 
 users.  

 http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html


 On Wednesday, July 29, 2015 at 3:09:43 AM UTC-7, Ashley Drees wrote:

 can i use <user>!root</user> in a rule to NOT match user root?




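As an added example (not code from the thread or from OSSEC's shipped rule set), the local rule and active-response configuration that implement what Ashley describes: a permanent block for any failed login as root and a 600-second block with escalating repeat-offender timeouts for ordinary brute force. Assumptions: rule id 100100 is a locally chosen id; `authentication_failed` is the group OSSEC's own sshd/pam rules assign; 5712 is OSSEC's built-in sshd brute-force rule; `firewall-drop` is the response command that ships with OSSEC.

```xml
<!-- /var/ossec/rules/local_rules.xml : any failed login for the root account -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="10">
    <if_group>authentication_failed</if_group>
    <user>root</user>
    <description>Failed login as root: root logins are never used here.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf (server and agents): the responses -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Rule 100100: no <timeout>, so the source IP stays blocked. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>

  <!-- Rule 5712 (OSSEC's sshd brute-force rule): 600 s block the first time,
       then 30, 90 and 120 minutes for the 2nd, 3rd and 4th offence from the
       same source. repeated_offenders is read from the agent's ossec.conf. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,90,120</repeated_offenders>
  </active-response>
</ossec_config>
```

Blocks are logged to /var/ossec/logs/active-responses.log on the host that executes them, which is the first place to look when a block fires unexpectedly.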


Re: [ossec-list] CIS checks via OSSEC

2015-07-28 Thread theresa mic-snare
Hi again,

I don't quite understand how these checks work.
Rootcheck complains about the following checks:

2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .

2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux policy not set to targeted. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .


It's perfectly clear what is meant by it, but for the sake of it, I will 
post what's in the CIS file as well:

# 1.4.2 Set selinux state
[CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUX=enforcing;

# 1.4.3 Set seliux policy
[CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUXTYPE=targeted;

meaning I have to check the SELinux config, here we go:

SELINUX=enforcing
SELINUXTYPE=targeted 

Sorry, but what am I doing wrong here... I don't understand it.

Other checks are not being acknowledged either...

# Controls source route validation
net.ipv4.conf.all.accept_source_route = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 1

# Controls ICMP secure redirects
net.ipv4.conf.all.accept_redirects = 1

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

does this look OK to you?!
anyone had any experience?

thanks,
theresa

Am Montag, 27. Juli 2015 17:01:12 UTC+2 schrieb theresa mic-snare:

 Hi all,

 since 
 https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
  
 seems a bit incomplete, I'd start to complete it.
 lots of important checks are still tagged as to do

 please let me know if anyone is already working on the RHEL6 checks or has 
 it even completed.
 I'd like to avoid that I work on something that someone else has already 
 completed/or is still working on.

 so please let me know!

 i'd contribute the complete file then as a pull request on github.

 thanks,
 theresa

 Am Montag, 27. Juli 2015 08:46:26 UTC+2 schrieb theresa mic-snare:

 Hi Santi,

 great, thanks for looking this up :)

 for some reason it works now... surprising.
 maybe it takes some time after an initial run...

 I now have plenty of Outstanding events, great :)

 best,
 theresa

 Am Sonntag, 26. Juli 2015 00:54:38 UTC+2 schrieb Santiago Bassett:

 Hi Theresa,

 have a look at this doc:


 https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf

 I was also curious and found the explanation in page 5:

 Scored:
 Failure to comply with Scored recommendations will decrease the final 
 benchmark score. Compliance with Scored recommendations will increase the 
 final benchmark score. 

 Not Scored:
 Failure to comply with Not Scored recommendations will not decrease 
 the final benchmark score. Compliance with Not Scored recommendations 
 will not increase the final benchmark score.


 Regarding your other question, I am not sure why you don't have alerts, 
 are you sure you added the right config in ossec.conf? Something like 
 <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to 
 be added for the agents.

 Best

 On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare rockpr...@gmail.com 
 wrote:

 I just checked my ossec.conf I was surprised to find out that the 
 rootcheck for CIS isn't even defined.
 but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, 
 thx Santi :)

 when I called rootcheck_control I got the following return
 Resolved events: 

 ** No entries found.

 Outstanding events: 

 ** No entries found.


 is this possible?
 does this need to run a few times (more than once) in order to show 
 anything?
 maybe it has to do that the rhel6 cis check seems a bit incomplete

 what does SCORED and NOT SCORED mean in the cis check?

 i find it hard to believe that my system passed all the tests...


 Am Dienstag, 14. Juli 2015 20:11:09 UTC+2 schrieb Santiago Bassett:

 I think this is the latest version of those rules:


 https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt

 On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare 
 rockpr...@gmail.com wrote:

 also, I'd like to update this page to something more up-to-date (RHEL 
 6 / 7) once I understand how it works and what it does

 http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html

 reading into it right now...



 Am Dienstag, 14. Juli 2015 20:03:24 UTC+2 schrieb theresa mic-snare:

 hi folks,

 i just found this interesting thread.
 wanted to ask, is there any update

Re: [ossec-list] CIS checks via OSSEC

2015-07-27 Thread theresa mic-snare
Hi all,

since 
https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
 
seems a bit incomplete, I'd start to complete it.
lots of important checks are still tagged as to do

please let me know if anyone is already working on the RHEL6 checks or has 
it even completed.
I'd like to avoid that I work on something that someone else has already 
completed/or is still working on.

so please let me know!

i'd contribute the complete file then as a pull request on github.

thanks,
theresa

Am Montag, 27. Juli 2015 08:46:26 UTC+2 schrieb theresa mic-snare:

 Hi Santi,

 great, thanks for looking this up :)

 for some reason it works now... surprising.
 maybe it takes some time after an initial run...

 I now have plenty of Outstanding events, great :)

 best,
 theresa

 Am Sonntag, 26. Juli 2015 00:54:38 UTC+2 schrieb Santiago Bassett:

 Hi Theresa,

 have a look at this doc:


 https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf

 I was also curious and found the explanation in page 5:

 Scored:
 Failure to comply with Scored recommendations will decrease the final 
 benchmark score. Compliance with Scored recommendations will increase the 
 final benchmark score. 

 Not Scored:
 Failure to comply with Not Scored recommendations will not decrease the 
 final benchmark score. Compliance with Not Scored recommendations will 
 not increase the final benchmark score.


 Regarding your other question, I am not sure why you don't have alerts, 
 are you sure you added the right config in ossec.conf? Something like 
 <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to 
 be added for the agents.

 Best

 On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare rockpr...@gmail.com 
 wrote:

 I just checked my ossec.conf I was surprised to find out that the 
 rootcheck for CIS isn't even defined.
 but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx 
 Santi :)

 when I called rootcheck_control I got the following return
 Resolved events: 

 ** No entries found.

 Outstanding events: 

 ** No entries found.


 is this possible?
 does this need to run a few times (more than once) in order to show 
 anything?
 maybe it has to do that the rhel6 cis check seems a bit incomplete

 what does SCORED and NOT SCORED mean in the cis check?

 i find it hard to believe that my system passed all the tests...


 Am Dienstag, 14. Juli 2015 20:11:09 UTC+2 schrieb Santiago Bassett:

 I think this is the latest version of those rules:


 https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt

 On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare 
 rockpr...@gmail.com wrote:

 also, I'd like to update this page to something more up-to-date (RHEL 
 6 / 7) once I understand how it works and what it does

 http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html

 reading into it right now...



 Am Dienstag, 14. Juli 2015 20:03:24 UTC+2 schrieb theresa mic-snare:

 hi folks,

 i just found this interesting thread.
 wanted to ask, is there any update with this? how could I contribute? 
 I could do some testing on CentOS 6/RHEL...

 Am Mittwoch, 23. Juli 2014 15:45:46 UTC+2 schrieb Michael Starks:

 On 2014-07-23 4:56, Christian Beer wrote: 
  Hi I downloaded the Benchmark paper and took a quick look. 
  
  The question is what is to do? As I understand the document one 
 has to 
  copy the script snippets from the audit sections into the CIS text 
  files 
  and annotate with some information, right? 
  
  This seems to me like a copy&paste job and a pull request on 
 github. 

 It's a little more involved than that. The CIS checks are performed 
 by 
 rootcheck and that has its own syntax. It doesn't just execute 
 scripts. 








Re: [ossec-list] CIS checks via OSSEC

2015-07-27 Thread theresa mic-snare
Hi Santi,

great, thanks for looking this up :)

for some reason it works now... surprising.
maybe it takes some time after an initial run...

I now have plenty of Outstanding events, great :)

best,
theresa

Am Sonntag, 26. Juli 2015 00:54:38 UTC+2 schrieb Santiago Bassett:

 Hi Theresa,

 have a look at this doc:


 https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf

 I was also curious and found the explanation in page 5:

 Scored:
 Failure to comply with Scored recommendations will decrease the final 
 benchmark score. Compliance with Scored recommendations will increase the 
 final benchmark score. 

 Not Scored:
 Failure to comply with Not Scored recommendations will not decrease the 
 final benchmark score. Compliance with Not Scored recommendations will 
 not increase the final benchmark score.


 Regarding your other question, I am not sure why you don't have alerts, 
 are you sure you added the right config in ossec.conf? Something like 
 <system_audit>path_to_your_cis_rules</system_audit>, remember it needs to 
 be added for the agents.

 Best

 On Sat, Jul 25, 2015 at 3:19 PM, theresa mic-snare rockpr...@gmail.com 
 wrote:

 I just checked my ossec.conf I was surprised to find out that the 
 rootcheck for CIS isn't even defined.
 but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx 
 Santi :)

 when I called rootcheck_control I got the following return
 Resolved events: 

 ** No entries found.

 Outstanding events: 

 ** No entries found.


 is this possible?
 does this need to run a few times (more than once) in order to show 
 anything?
 maybe it has to do that the rhel6 cis check seems a bit incomplete

 what does SCORED and NOT SCORED mean in the cis check?

 i find it hard to believe that my system passed all the tests...


 Am Dienstag, 14. Juli 2015 20:11:09 UTC+2 schrieb Santiago Bassett:

 I think this is the latest version of those rules:


 https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt

 On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare rockpr...@gmail.com
  wrote:

 also, I'd like to update this page to something more up-to-date (RHEL 6 
 / 7) once I understand how it works and what it does

 http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html

 reading into it right now...



 Am Dienstag, 14. Juli 2015 20:03:24 UTC+2 schrieb theresa mic-snare:

 hi folks,

 i just found this interesting thread.
 wanted to ask, is there any update with this? how could I contribute? 
 I could do some testing on CentOS 6/RHEL...

 Am Mittwoch, 23. Juli 2014 15:45:46 UTC+2 schrieb Michael Starks:

 On 2014-07-23 4:56, Christian Beer wrote: 
  Hi I downloaded the Benchmark paper and took a quick look. 
  
  The question is what is to do? As I understand the document one has 
 to 
  copy the script snippets from the audit sections into the CIS text 
  files 
  and annotate with some information, right? 
  
  This seems to me like a copy&paste job and a pull request on 
 github. 

 It's a little more involved than that. The CIS checks are performed 
 by 
 rootcheck and that has its own syntax. It doesn't just execute 
 scripts. 








[ossec-list] Re: Ossec installation

2015-07-27 Thread theresa mic-snare
Hi,

depends on what you want to install (Master or agent?)
also what kind of operating system are you using?

br,
theresa

Am Montag, 27. Juli 2015 11:11:34 UTC+2 schrieb Y@GE$H MAKWANA:

 Hi All,

 During googling for ossec I found this wonderful group. thanks for 
 creating this.

 I am new for Ossec and require to install the same. Please anyone help for 
 step by step guide to install Ossec.

 Thanks,
 Yogesh M






Re: [ossec-list] Ubuntu

2015-07-27 Thread theresa mic-snare
Hi James,

i'm now really interested in this...

Would you mind sharing the RHEL binaries with me? I would love to try the 
OSSEC enabled libmagic version on my CentOS test server.

out of curiosity: is there any disadvantage that comes with libmagic? why 
is it not enabled by default?

Am Mittwoch, 22. Juli 2015 17:00:02 UTC+2 schrieb James Edwards:

 I think this is a compiler issue... I checked my RHEL compilation and it 
 used gcc-4.4.7, so I downgraded from gcc-4.8 on Ubuntu to gcc-4.4 and am 
 able to get this to successfully compile with libmagic.

 On another note, it is worth noting that I was able to successfully 
 compile OSSEC from git using gcc-4.8 with libmagic support.

 Thanks,
 James

 On Wednesday, July 22, 2015 at 7:43:21 AM UTC-4, dan (ddpbsd) wrote:


 On Jul 20, 2015 3:27 PM, James Edwards x86bs...@gmail.com wrote:
 
  Hi All,
 
  I'm trying to compile OSSEC on Ubuntu 14.04 with libmagic support and I 
 keep running into the following error when compiling syscheck (same error 
 running Makeall as well):
 
  [root@hostname]/tmp/ossec-hids-2.8.2/src/syscheckd# make
  cc -g -Wall -I../ -I../headers-DUSEINOTIFY-DUSE_MAGIC  
 -DARGV0=\ossec-syscheckd\ -DOSSECHIDS -lmagic  syscheck.c config.c 
 seechanges.c run_realtime.c create_db.c run_check.c ../config/lib_config.a 
 ../rootcheck/rootcheck_lib.a ../shared/lib_shared.a ../os_xml/os_xml.a 
 ../os_regex/os_regex.a ../os_net/os_net.a ../os_crypto/os_crypto.a -o 
 ossec-syscheckd
  /tmp/cc9nExX5.o: In function `init_magic':
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:43: undefined reference 
 to `magic_open'

 Which file provides magic_open?

  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:47: undefined reference 
 to `magic_error'
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:50: undefined reference 
 to `magic_load'
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:52: undefined reference 
 to `magic_error'
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:54: undefined reference 
 to `magic_close'
  /tmp/ccLsn7RT.o: In function `is_text':
  /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:24: undefined 
 reference to `magic_buffer'
  /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:28: undefined 
 reference to `magic_error'
  collect2: error: ld returned 1 exit status
  make: *** [syscheck] Error 1
 
  libmagic-dev 5.14-2ubuntu3.3 is installed and I see the following 
 magic.h header files:
 
  /usr/include/linux/magic.h
  /usr/include/magic.h
 
  Any advice on how to resolve this?
 
  Thanks,
  James
 
  




Re: [ossec-list] CIS checks via OSSEC

2015-07-25 Thread theresa mic-snare
I just checked my ossec.conf I was surprised to find out that the rootcheck 
for CIS isn't even defined.
but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided, thx 
Santi :)

when I called rootcheck_control I got the following return
Resolved events: 

** No entries found.

Outstanding events: 

** No entries found.


is this possible?
does this need to run a few times (more than once) in order to show 
anything?
maybe it has to do that the rhel6 cis check seems a bit incomplete

what does SCORED and NOT SCORED mean in the cis check?

i find it hard to believe that my system passed all the tests...


Am Dienstag, 14. Juli 2015 20:11:09 UTC+2 schrieb Santiago Bassett:

 I think this is the latest version of those rules:


 https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt

 On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare rockpr...@gmail.com 
 wrote:

 also, I'd like to update this page to something more up-to-date (RHEL 6 / 
 7) once I understand how it works and what it does

 http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/audit/CIS_rhel5.html

 reading into it right now...



 Am Dienstag, 14. Juli 2015 20:03:24 UTC+2 schrieb theresa mic-snare:

 hi folks,

 i just found this interesting thread.
 wanted to ask, is there any update with this? how could I contribute? I 
 could do some testing on CentOS 6/RHEL...

 Am Mittwoch, 23. Juli 2014 15:45:46 UTC+2 schrieb Michael Starks:

 On 2014-07-23 4:56, Christian Beer wrote: 
  Hi I downloaded the Benchmark paper and took a quick look. 
  
  The question is what is to do? As I understand the document one has 
 to 
  copy the script snippets from the audit sections into the CIS text 
  files 
  and annotate with some information, right? 
  
  This seems to me like a copy&paste job and a pull request on github. 

 It's a little more involved than that. The CIS checks are performed by 
 rootcheck and that has its own syntax. It doesn't just execute 
 scripts. 







Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-25 Thread theresa mic-snare
Great, thanks for the bash script, Ryan.
but what else to do after downloading the IP blocklist? how could I feed 
ossec with it?
maybe through an active-response?

Am Samstag, 25. Juli 2015 04:56:07 UTC+2 schrieb Ryan Schulze:

  I played around with IP reputation and CDB a while back, but never 
 pushed it to my live servers. I found the following bash snippet on my test 
 server, it may be of use for someone (although the alienvault list is 
 pretty long and contains different levels of evil may be worth parsing 
 and splitting up).

 #!/bin/bash
 # Fetch two public IP blocklists and write them as "ip:description" lines,
 # the key:value format an OSSEC CDB list is compiled from.
 {
   curl "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |\
   egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'

   curl "https://reputation.alienvault.com/reputation.generic" |\
   egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'

 } > ip_blacklist


 On 7/24/2015 7:46 PM, Santiago Bassett wrote:
  
 Hi Theresa,  

  my guess is that you are probably victim of web crawlers more than 
 anything else. In any case it would be interesting to search those source 
 IPs info in IP reputation databases to see if those are well known 
 attackers. 

  Has anyone in this list used an IP reputation database in a CDB list? I 
 would probably try something like that and see how it goes.

  Best

  
  
 On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare rockpr...@gmail.com wrote:

 hi folks,

 i need some help with interpreting webserver logfiles (apache logs).
 while setting up my ossec-test environment for my thesis project, I've 
 also setup a wordpress on an apache webserver as a honeypot. although 
 there's no real content, except the standard wordpress posts & pages that 
 comes with the installation, I already have some visitors. I see these 
 dubious looking requests. I'm not sure if these are threats/attacks against 
 my wordpress installation.
 I'm not really familiar with apache logs, but I need some threats/attacks 
 to explain in my thesis. I thought this would be the best way to get 
 started.

 I have PLENTY of the following requests in my httpd logs

  Src IP: 115.239.228.8
 115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] GET 
 http://zc.qq.com/cgi-bin/common/attr?id=260714r=0.7636925813952972 
 HTTP/1.1 404 292 - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 
 6.1; Trident/5.0; 360SE)

  
 Judging by the HTTP status code it's not really a threat, right? it's 
 probably just some hacker with a tool who's looking for vulnerabilities? or 
 is this just nonsense/junk?

  Received From: tron-/var/log/httpd/access_log
 Rule: 31515 fired (level 6) - PHPMyAdmin scans (looking for 
 setup.php).
 Portion of the log(s):

 178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] GET 
 /phpMyAdmin/scripts/setup.php HTTP/1.1 403 309 - -
  
 also this
  Received From: tron-/var/log/httpd/access_log
 Rule: 31101 fired (level 5) - Web server 400 error code.
 Portion of the log(s):

 202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] HEAD 
 /ossec-wui/index.php HTTP/1.1 401 - - -
  
 i'm surprised they found out about it... glad i protected it with 
 htaccess and they didn't come in. ;)

 and lots of other requests that return HTTP 403 (forbidden) or 404 (not 
 found)

 i'm not quite sure what to make of it.
 i didn't realise my server was so exposed... did they just find the IP by 
 scanning for http ports?!

 looking to some feedback,
 theresa


  

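An added example, not code from the thread or from OSSEC, covering the two halves of Theresa's question: how the blocklist output from Ryan's script becomes CDB `key:value` lines, and what an OSSEC rule that looks up `srcip` in that list would match on the access_log lines quoted above. The feed contents are constructed stand-ins for the real downloads, the quoted log lines have their Combined Log Format quotes restored, and the lookup reproduces OSSEC's `address_match_key` behaviour (exact address first, then netblock keys written as trailing-dot prefixes); `lists/ip_blacklist` is an assumed list path.

```python
"""Build an OSSEC CDB list from blocklist feeds and test access-log lines against it.
(Added example, not code from the thread or from OSSEC.)

OSSEC CDB lists are text files with one "key:value" line each, compiled with
ossec-makelists, declared in ossec.conf as   <lists>lists/ip_blacklist</lists>
and consulted from a rule with
    <list field="srcip" lookup="address_match_key">lists/ip_blacklist</list>
"""
import re

# Constructed stand-ins for what the two curl calls in Ryan's script return.
ZEUS_FEED = """\
# ZeuS IP blocklist, constructed sample (comment lines start with '#')
178.33.154.144
"""
ALIENVAULT_FEED = """\
# reputation.generic, constructed sample: "ip # reliability,type,country"
115.239.228.8 # 4,Scanning Host,CN
198.51.100.23 # 2,Malicious Host,
"""

# The access_log lines quoted in the thread, with the log format's quotes restored.
ACCESS_LOG = [
    '115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/'
    'common/attr?id=260714r=0.7636925813952972 HTTP/1.1" 404 292 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"',
    '178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"',
    '202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"',
]


def feed_to_cdb_lines(feed, label=None):
    """The shell pipeline in Python: keep lines starting with a digit; with a
    label emit 'ip:label' (the awk branch), otherwise take the first comma
    field and turn ' # ' into ':' (the cut/sed branch)."""
    out = []
    for line in feed.splitlines():
        if not re.match(r"^[0-9]", line):
            continue
        if label is not None:
            out.append(line.split()[0] + ":" + label)
        else:
            out.append(line.split(",")[0].replace(" # ", ":", 1))
    return out


def build_cdb(lines):
    """Parse key:value lines into a dict (the content ossec-makelists compiles)."""
    cdb = {}
    for line in lines:
        key, _, value = line.partition(":")
        cdb[key.strip()] = value.strip()
    return cdb


LOG_RE = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_access_log(line):
    """Extract srcip, timestamp, request line and status from an Apache log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def address_match_key(cdb, ip):
    """Look ip up the way address_match_key does: the exact address first, then
    the netblock keys obtained by dropping trailing octets ("203.0.113.",
    "203.0.", "203."). Returns the stored value, or None when not listed."""
    if ip in cdb:
        return cdb[ip]
    octets = ip.split(".")
    for n in (3, 2, 1):
        key = ".".join(octets[:n]) + "."
        if key in cdb:
            return cdb[key]
    return None


def blacklisted_requests(log_lines, cdb):
    """(srcip, status, list value) for every log line whose source is listed."""
    hits = []
    for line in log_lines:
        event = parse_access_log(line)
        if event is None:
            continue
        value = address_match_key(cdb, event["srcip"])
        if value is not None:
            hits.append((event["srcip"], event["status"], value))
    return hits


def demo():
    lines = feed_to_cdb_lines(ZEUS_FEED, "ZeuS IP blocklist") + feed_to_cdb_lines(ALIENVAULT_FEED)
    lines.append("202.137.235.:constructed netblock key")  # a hand-added netblock entry
    return blacklisted_requests(ACCESS_LOG, build_cdb(lines))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```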


[ossec-list] httpd logs (possible attacks/intrusions)

2015-07-24 Thread theresa mic-snare
hi folks,

i need some help with interpreting webserver logfiles (apache logs).
while setting up my ossec-test environment for my thesis project, I've also 
setup a wordpress on an apache webserver as a honeypot. although there's 
no real content, except the standard wordpress posts & pages that comes 
with the installation, I already have some visitors. I see these dubious 
looking requests. I'm not sure if these are threats/attacks against my 
wordpress installation.
I'm not really familiar with apache logs, but I need some threats/attacks 
to explain in my thesis. I thought this would be the best way to get 
started.

I have PLENTY of the following requests in my httpd logs

Src IP: 115.239.228.8
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] GET 
http://zc.qq.com/cgi-bin/common/attr?id=260714r=0.7636925813952972 
HTTP/1.1 404 292 - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; 
Trident/5.0; 360SE)


Judging by the HTTP status code it's not really a threat, right? it's 
probably just some hacker with a tool who's looking for vulnerabilities? or 
is this just nonsense/junk?

Received From: tron-/var/log/httpd/access_log
Rule: 31515 fired (level 6) - PHPMyAdmin scans (looking for setup.php).
Portion of the log(s):

178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] GET 
/phpMyAdmin/scripts/setup.php HTTP/1.1 403 309 - -

also this
Received From: tron-/var/log/httpd/access_log
Rule: 31101 fired (level 5) - Web server 400 error code.
Portion of the log(s):

202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] HEAD /ossec-wui/index.php 
HTTP/1.1 401 - - -

i'm surprised they found out about it... glad i protected it with htaccess 
and they didn't come in. ;)

and lots of other requests that return HTTP 403 (forbidden) or 404 (not 
found)

i'm not quite sure what to make of it.
i didn't realise my server was so exposed... did they just find the IP by 
scanning for http ports?!

looking to some feedback,
theresa



Re: [ossec-list] Ubuntu

2015-07-22 Thread theresa mic-snare
James, thanks for the information on what libmagic does!!
and Congratulations for solving the compiler mystery! :)

Would you mind sharing the RHEL binaries with me? I would love to try the 
OSSEC enabled libmagic version on my CentOS test server.

out of curiosity: is there any disadvantage that comes with libmagic? why 
is it not enabled by default?

cheers,
theresa

Am Mittwoch, 22. Juli 2015 17:00:02 UTC+2 schrieb James Edwards:

 I think this is a compiler issue... I checked my RHEL compilation and it 
 used gcc-4.4.7, so I downgraded from gcc-4.8 on Ubuntu to gcc-4.4 and am 
 able to get this to successfully compile with libmagic.

 On another note, it is worth noting that I was able to successfully 
 compile OSSEC from git using gcc-4.8 with libmagic support.

 Thanks,
 James

 On Wednesday, July 22, 2015 at 7:43:21 AM UTC-4, dan (ddpbsd) wrote:


 On Jul 20, 2015 3:27 PM, James Edwards x86bs...@gmail.com wrote:
 
  Hi All,
 
  I'm trying to compile OSSEC on Ubuntu 14.04 with libmagic support and I 
 keep running into the following error when compiling syscheck (same error 
 running Makeall as well):
 
  [root@hostname]/tmp/ossec-hids-2.8.2/src/syscheckd# make
  cc -g -Wall -I../ -I../headers-DUSEINOTIFY-DUSE_MAGIC  
 -DARGV0=\ossec-syscheckd\ -DOSSECHIDS -lmagic  syscheck.c config.c 
 seechanges.c run_realtime.c create_db.c run_check.c ../config/lib_config.a 
 ../rootcheck/rootcheck_lib.a ../shared/lib_shared.a ../os_xml/os_xml.a 
 ../os_regex/os_regex.a ../os_net/os_net.a ../os_crypto/os_crypto.a -o 
 ossec-syscheckd
  /tmp/cc9nExX5.o: In function `init_magic':
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:43: undefined reference 
 to `magic_open'

 Which file provides magic_open?

  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:47: undefined reference 
 to `magic_error'
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:50: undefined reference 
 to `magic_load'
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:52: undefined reference 
 to `magic_error'
  /tmp/ossec-hids-2.8.2/src/syscheckd/syscheck.c:54: undefined reference 
 to `magic_close'
  /tmp/ccLsn7RT.o: In function `is_text':
  /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:24: undefined 
 reference to `magic_buffer'
  /tmp/ossec-hids-2.8.2/src/syscheckd/seechanges.c:28: undefined 
 reference to `magic_error'
  collect2: error: ld returned 1 exit status
  make: *** [syscheck] Error 1
 
  libmagic-dev 5.14-2ubuntu3.3 is installed and I see the following 
 magic.h header files:
 
  /usr/include/linux/magic.h
  /usr/include/magic.h
 
  Any advice on how to resolve this?
 
  Thanks,
  James
 
  -- 
 
  --- 
  You received this message because you are subscribed to the Google 
 Groups ossec-list group.
  To unsubscribe from this group and stop receiving emails from it, send 
 an email to ossec-list+...@googlegroups.com.
  For more options, visit https://groups.google.com/d/optout.
  



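The undefined references quoted above can be reproduced without OSSEC or libmagic. In the make output, `-lmagic` comes before `syscheck.c` and the other sources. GNU ld takes libraries in command-line order, and when it runs with `--as-needed` (Ubuntu's gcc passes that by default) a shared library that appears before any object needing its symbols is dropped, so `magic_open` and friends end up unresolved even though libmagic-dev is installed. Listing the library after the objects, or passing `-Wl,--no-as-needed`, links cleanly. The script below is an added example, not OSSEC code or anything from this thread: it builds a constructed stand-in library (`libdemo.so` with one function, `demo_open`, standing in for libmagic) and a stand-in program, then links them with the library before and after the source, and with `--no-as-needed`. It assumes a `cc` that drives GNU ld.

```python
"""Added example (not OSSEC code): reproduce the 'undefined reference to
magic_open' failure with a stand-in library and show why flag order matters."""
import os
import shutil
import subprocess
import tempfile

LIB_SRC = "int demo_open(void) { return 42; }\n"                   # stand-in for libmagic
MAIN_SRC = ("int demo_open(void);\n"                                 # stand-in for syscheck.c
            "int main(void) { return demo_open() == 42 ? 0 : 1; }\n")


def have_compiler():
    return shutil.which("cc") is not None


def try_link(lib_position, extra_ldflags=()):
    """Build libdemo.so, then link main.c with -ldemo placed 'before' or 'after'
    the source file.  Returns (exit status of the link step, its stderr)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "demo.c"), "w") as fh:
            fh.write(LIB_SRC)
        with open(os.path.join(tmp, "main.c"), "w") as fh:
            fh.write(MAIN_SRC)
        build = subprocess.run(["cc", "-shared", "-fPIC", "-o", "libdemo.so", "demo.c"],
                               cwd=tmp, capture_output=True, text=True)
        if build.returncode != 0:
            raise RuntimeError("stand-in library did not build: " + build.stderr)
        # --as-needed is passed explicitly so the outcome does not depend on the
        # distribution's gcc defaults (Ubuntu enables it, many others do not).
        cmd = ["cc", "-Wl,--as-needed", *extra_ldflags, "-L."]
        if lib_position == "before":
            cmd += ["-ldemo", "main.c"]      # same order as the quoted OSSEC 2.8.2 make line
        else:
            cmd += ["main.c", "-ldemo"]      # library after the object that needs it
        cmd += ["-o", "main"]
        link = subprocess.run(cmd, cwd=tmp, capture_output=True, text=True)
        return link.returncode, link.stderr


def demo():
    """None without a C compiler; otherwise which of the three variants linked."""
    if not have_compiler():
        return None
    first_rc, first_err = try_link("before")
    return {
        # library first + --as-needed: dropped, so demo_open is unresolved
        "lib_first_fails": first_rc != 0 and "demo_open" in first_err,
        # library after the object: needed at that point, so it is kept
        "lib_last_links": try_link("after")[0] == 0,
        # same bad order, but --no-as-needed keeps every listed library
        "no_as_needed_links": try_link("before", ("-Wl,--no-as-needed",))[0] == 0,
    }


if __name__ == "__main__":
    print(demo())
```

For the OSSEC build itself the equivalent change is to move `-lmagic` behind the source files in `src/syscheckd/Makefile`, or to export `LDFLAGS=-Wl,--no-as-needed` before running `make`; a toolchain that does not default to `--as-needed` (which is one reading of the gcc-4.4 result reported above) hides the problem rather than fixing the order.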

Re: [ossec-list] Re: Ubuntu

2015-07-22 Thread theresa mic-snare
Ok, sorry for the stupid questions. 
But what does libmagic exactly do? 
How does it enhance OSSEC?
How can I check if my OSSEC installation has libmagic support enabled? 
Is this only necessary for the Master or for the Agent as well? (Agents do 
syschecks too)

thanks,
theresa

On Tuesday, July 21, 2015 at 16:13:27 UTC+2, James Edwards wrote:

 Due to the scope of the directories that we are monitoring, and a lot of 
 NFS shares, space and performance are concerns with OSSEC.  By leveraging 
 libmagic, it helps resolve the space issues.  In my case (on a working RHEL 
 compilation) without libmagic, /var/ossec/queue was ~770MB, while with 
 libmagic, it is ~62MB.

 On another note, I've previously recompiled the software in our RHEL 
 environment (6.6) using the same source tarball with libmagic, but Ubuntu 
 14.04 has been problematic for me.  Thanks for confirming, Ryan.

 Thanks,
 James

 On Tuesday, July 21, 2015 at 8:36:52 AM UTC-4, Ryan Schulze wrote:

  I can verify the problem with Ubuntu 14.04.

 According to the syscheck docs libmagic is optionally used with 
 report_changes (if found on the system). I haven't checked the source code 
 yet to see what exactly the ramifications are, but according to the docs:

 http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/ 
 Report Changes
 If OSSEC has not been compiled with libmagic support, report_changes 
 will copy any file designated, e.g. mp3, 
 iso, executable, /chroot/dev/urandom (which would fill your hard 
 drive). So unless libmagic is used, be very careful 
 on which directory you enable report_changes.


 On 7/21/2015 12:22 AM, theresa mic-snare wrote:
  
 Hi James,

 I'm not the expert here, but I just had a quick look in the docs... I'm 
 not sure if this is possible or even supported.
 I couldn't find any reference to libmagic

 Have you checked?

 http://ossec-docs.readthedocs.org/en/latest/development/build/makefile.html

 Out of curiosity, what would OSSEC be capable of doing with libmagic 
 support other than recognizing file formats (which it usually does)?!

 best,
 theresa



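Two of the questions in this exchange (what libmagic buys `report_changes`, and how to tell whether an installed OSSEC has it) can be answered concretely. `report_changes` copies every changed file under a monitored directory into the OSSEC queue so the next scan can diff it; with libmagic, the `is_text()` in `seechanges.c` (the function named in the link error) asks `magic_buffer()` for the content type and only text files are copied, which is why the queue shrinks from hundreds of MB to tens and why a `/dev/urandom` inside a monitored chroot stops filling the disk. The script below is an added example, not OSSEC code: it simulates the copy step with and without that gate over a constructed set of files, using a simple printable-byte heuristic in place of libmagic so it runs without the python-magic module. The `links_libmagic()` check assumes a dynamically linked `ossec-syscheckd` at the stock install path `/var/ossec/bin/ossec-syscheckd`; a statically linked libmagic would not show up that way.

```python
"""Added example (not OSSEC code): the effect of the libmagic 'text only' gate on
report_changes, and a check for libmagic linkage of an installed syscheck daemon."""
import os
import tempfile

SAMPLE_BYTES = 8192   # only the leading chunk is inspected, as file(1) does


def is_text(data: bytes) -> bool:
    """Stand-in for magic_buffer(): no NUL bytes and >95% printable or whitespace."""
    head = data[:SAMPLE_BYTES]
    if not head:
        return True                      # empty file: nothing to diff, harmless to copy
    if b"\x00" in head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) > 0.95


def report_changes(files, queue_dir, use_magic):
    """Simulate the copy step of report_changes.  files maps path -> content.
    Returns {path: True if the file was copied into queue_dir}."""
    copied = {}
    for path, data in files.items():
        if use_magic and not is_text(data):
            copied[path] = False          # libmagic build: binaries are skipped
            continue
        dst = os.path.join(queue_dir, path.strip("/").replace("/", "_"))
        with open(dst, "wb") as fh:
            fh.write(data)
        copied[path] = True
    return copied


def queue_size(queue_dir):
    return sum(os.path.getsize(os.path.join(queue_dir, n)) for n in os.listdir(queue_dir))


# Constructed sample of "monitored" files; the binary payload is a fixed byte pattern.
BINARY_BLOB = bytes((i * 37) % 256 for i in range(64 * 1024))
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    "/usr/local/bin/tool": b"\x7fELF\x02\x01\x01" + BINARY_BLOB,
    "/srv/media/track.mp3": b"ID3\x04\x00" + BINARY_BLOB,
}


def run_demo(files=SAMPLE_FILES):
    """Run the copy step with and without the gate; report what was copied and
    how large the queue directory ended up in each case."""
    result = {}
    for label, use_magic in (("without_magic", False), ("with_magic", True)):
        with tempfile.TemporaryDirectory() as qdir:
            result[label] = report_changes(files, qdir, use_magic)
            result["queue_" + label] = queue_size(qdir)
    return result


def links_libmagic(elf_bytes: bytes) -> bool:
    """True if a dynamically linked ELF names libmagic among its DT_NEEDED
    entries (the .dynstr table stores them as plain NUL-terminated text)."""
    return elf_bytes.startswith(b"\x7fELF") and b"libmagic.so" in elf_bytes


def installation_has_libmagic(binary="/var/ossec/bin/ossec-syscheckd"):
    """Check an installed syscheck daemon; the default is the stock OSSEC path."""
    with open(binary, "rb") as fh:
        return links_libmagic(fh.read())


if __name__ == "__main__":
    r = run_demo()
    for label in ("without_magic", "with_magic"):
        print(label, r[label], "queue bytes:", r["queue_" + label])
```

`ldd /var/ossec/bin/ossec-syscheckd | grep magic` answers the linkage question the same way on a live host, and it has to be asked on every agent: syscheck and `report_changes` run on the agent, so the agent binary is the one that needs the libmagic build, not only the server's.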

[ossec-list] Re: Ubuntu

2015-07-21 Thread theresa mic-snare
Hi James,

I'm not the expert here, but I just had a quick look in the docs... I'm not 
sure if this is possible or even supported.
I couldn't find any reference to libmagic

Have you checked?
http://ossec-docs.readthedocs.org/en/latest/development/build/makefile.html

Out of curiosity, what would OSSEC be capable of doing with libmagic 
support other than recognizing file formats (which it usually does)?!

best,
theresa



[ossec-list] Re: Get list of files Ossec is monitoring

2015-07-18 Thread theresa mic-snare
hi,

you mean as in log analysis or monitoring as in file integrity monitoring 
(syschecks) ?!
Actually everything should be defined in the ossec.conf, if I'm not 
mistaken.

On Saturday, July 18, 2015 at 15:38:05 UTC+2, Andries Jansen wrote:

 Can I get a list of log files Ossec is monitoring? I've used some 
 wildcards and I want to know if Ossec is monitoring the right files.




[ossec-list] Re: netstream session error?!

2015-07-17 Thread theresa mic-snare
Ok, forget about it.
This seems to be an rsyslog problem, probably related to TLS encryption; it 
has nothing to do with OSSEC or any rules.

On Friday, July 17, 2015 at 13:08:27 UTC+2, theresa mic-snare wrote:

 hi folks,

 I just found this in the notification emails:

 Rule: 1002 fired (level 2) - Unknown problem

 somewhere in the system.

 rsyslogd-2078: netstream session 0x7fcd3f20 will be closed due to 
 error

 I have absolutely no idea what this is supposed to mean... it looks a bit 
 cryptic to me.

 any ideas as what's that supposed to mean?

 cheers,
 theresa




Re: [ossec-list] ossec-wui search broken?

2015-07-17 Thread theresa mic-snare
I've opened an issue on github...
I don't know what else to do now to fix this problem :(

On Wednesday, July 15, 2015 at 21:11:03 UTC+2, theresa mic-snare wrote:


 first of all, let me thank you for the time and effort you've put into 
 troubleshooting for me so far it's very appreciated. 
 also i'm documenting it all as i'm writing my thesis on ossec :)

 oh yeah, sorry forgot to mention:

 OS: centos 6.6
 apache: 2.2
 latest version of WUI (cloned it straight off github)

 On Wednesday, July 15, 2015 at 21:01:46 UTC+2, dan (ddpbsd) wrote:


 On Jul 15, 2015 2:55 PM, theresa mic-snare rockpr...@gmail.com wrote:
 
   Nope, SELinux is disabled (set to permissive). 
   I am running this on a small VM (with not many resources); that's why I 
  hesitate to get the ELK stack going. I think it'd be a bit of overkill for 
  my test environment.
 

 I can't do any testing right now, but I can try later (time and memory 
 permitting). Other than that, I don't have any other ideas at the moment.
 Which distro are you using? I'm assuming apache. Which version of the 
 wui? The latest code in the repo or 0.8?

  would you mind editing your previous post? I forgot to remove my 
 website url in my previous post.
 
 
   On Wednesday, July 15, 2015 at 20:36:28 UTC+2, theresa mic-snare wrote:
 
  hmm the partition is mounted rw (no other options)  it's a single 
 logical volume.
 
  nope, just dozens of this PHP Warning:  fopen(./tmp/output-tmp.1-59-
  9f77eb3ab2892420b85818ac18f09a01.php): failed to open stream: No such 
 file or directory in /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 
 39
 
  that's the thing:
  the temp file doesn't exist, nor does the tmp directory in the 
 ossec-wui directory exist.
  the whole ossec-wui directory (and its subdirectories) belong to 
 root:root instead of apache:apache
  maybe this is the problem?
 
  i cloned it off of github and followed the instruction. hmm
 
 
   On Wednesday, July 15, 2015 at 20:03:06 UTC+2, dan (ddpbsd) wrote:
 
 
  On Jul 15, 2015 1:57 PM, theresa mic-snare rockpr...@gmail.com 
 wrote:
  
  
  
    On Wednesday, July 15, 2015 at 19:49:18 UTC+2, dan (ddpbsd) wrote:
  
  
   On Jul 15, 2015 1:44 PM, theresa mic-snare rockpr...@gmail.com 
 wrote:
   
oh yeah, there are tons of messages like this in the apache 
 error log
   
PHP Warning: 
  fopen(./tmp/output-tmp.1-57-8cd5679a49c37a4583dfa34473436ab4.php): failed 
 to open stream: No such file or directory in 
 /var/www/html/ossec-wui/lib/os_lib_alerts.php on line 39
   
  
    So make sure that temp file isn't getting created. What are the 
  owner/group and perms of the tmp dir?
  
  
  
   hmm there's no tmp dir in /var/www/html/ossec-wui
  
    the owner/group and perms of the /var/ossec/tmp dir however are:
    root:apache and 770
  
 
  What are the mount options for the partition /var/ossec is on? 
  Are there any log messages prior to the one you posted about not 
 being able to create the temp file?
  Does the temp file exist? If so, what are the perms?
 

  
@dan: what do you use instead? logstash and kibana?
   
  
   I don't use anything currently, but the elk stack has worked fine 
 for me in the past. Graylog2 was also decent. Splunk was ok except for the 
 500mb/day limit on the free version.
  
 On Wednesday, July 15, 2015 at 19:07:32 UTC+2, dan (ddpbsd) wrote:
   
   
On Jul 9, 2015 5:36 PM, theresa mic-snare 
 rockpr...@gmail.com wrote:

 hi all,

 yes, it's me again ;)

 i've cloned the ossec-wui from github.com
 and wanted to search my alerts.

  in the time frame I put from yesterday (e.g. 2017-07-08) and 
 till now
 Minimum Level: all
 SrcIP: a specific IP that I got through the notification 
 emails (and that I can also find in the alerts.log)
 other than that everything is default.

 at the bottom of the page it says:
 Total alerts found: 3339
 Output divided in 4 pages.

 and
 Page 1 (338 alerts)   
 Nothing returned (or search expired). 

 which is crazy, because there was only 1 alert from this 
 specific IP.

 also no alert is actually showing up, unlike in the 
 alerts.log or in the email notification.

  What am I doing wrong here?

 I could also attach a screenshot if need be

   
Are there any related log messages in the webserver's log 
 files? I don't use the wui (it's currently a dead project), but I kinda 
 remember it logging when things went wrong.
   
 thanks theresa
