Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 4:49 PM, Mike Wisniewski wrote:
> Thanks all for the help. I had another machine lying around, so I installed an 'agent' to the second machine. Once I did that and had it report to the server, everything started working fine and it inserts the blocks in my hosts.deny.
>
> I don't know if it's a bug per se, but I believe that the active responses shouldn't make you install an agent if you just have a server running. Then again, if you are just using one machine, you should probably install 'local' anyways.

It's not a bug, you did the wrong installation.

> Thanks for the responses and help!
>
> On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote:
>> Please see below for the answers...
>>
>> On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>>> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
>>> > Thanks for the quick response. Please see inline for answers.
>>> >
>>> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>>> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>>> >> [...]
>>> >>
>>> >> Are you using active response?
>>> >
>>> > Yes, I am trying to use active response. I'm trying to get it to dump IP's in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.
>>>
>>> Make sure AR isn't disabled. Make sure ossec-execd is running. Make sure AR is configured for the server and not just the agents.
>>
>> I believe I enabled AR for the 'host-deny' command. Attached is my config file.
>>
>> http://pastebin.com/PY8C10Uc
>>
>> ossec-execd is running as well. The alert shows up in the 'alerts.log' file as well, but doesn't add it to /etc/hosts.deny or the activeresponse.log. Here's a snip of an alert of me doing a vulnerability scan against that box.
>>
>> ** Alert 1394732302.250449: - apache,invalid_request,
>> 2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
>> Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
>> Src IP: 10.0.1.9
>> [Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
>>
>> Thanks for your response and help.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Install Agent on OSSEC Server?
Thanks all for the help. I had another machine lying around, so I installed an 'agent' to the second machine. Once I did that and had it report to the server, everything started working fine and it inserts the blocks in my hosts.deny.

I don't know if it's a bug per se, but I believe that the active responses shouldn't make you install an agent if you just have a server running. Then again, if you are just using one machine, you should probably install 'local' anyways.

Thanks for the responses and help!

On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote:
> Please see below for the answers...
>
> On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
>> > Thanks for the quick response. Please see inline for answers.
>> >
>> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>> >> [...]
>> >>
>> >> Are you using active response?
>> >
>> > Yes, I am trying to use active response. I'm trying to get it to dump IP's in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.
>>
>> Make sure AR isn't disabled. Make sure ossec-execd is running. Make sure AR is configured for the server and not just the agents.
>
> I believe I enabled AR for the 'host-deny' command. Attached is my config file.
>
> http://pastebin.com/PY8C10Uc
>
> ossec-execd is running as well. The alert shows up in the 'alerts.log' file as well, but doesn't add it to /etc/hosts.deny or the activeresponse.log. Here's a snip of an alert of me doing a vulnerability scan against that box.
>
> ** Alert 1394732302.250449: - apache,invalid_request,
> 2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
> Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
> Src IP: 10.0.1.9
> [Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
>
> Thanks for your response and help.
Re: [ossec-list] Install Agent on OSSEC Server?
Please see below for the answers...

On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
> > Thanks for the quick response. Please see inline for answers.
> >
> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
> >> [...]
> >>
> >> Are you using active response?
> >
> > Yes, I am trying to use active response. I'm trying to get it to dump IP's in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.
>
> Make sure AR isn't disabled. Make sure ossec-execd is running. Make sure AR is configured for the server and not just the agents.

I believe I enabled AR for the 'host-deny' command. Attached is my config file.

http://pastebin.com/PY8C10Uc

ossec-execd is running as well. The alert shows up in the 'alerts.log' file as well, but doesn't add it to /etc/hosts.deny or the activeresponse.log. Here's a snip of an alert of me doing a vulnerability scan against that box.

** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
[Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

Thanks for your response and help.
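As an added example (not from the thread and not OSSEC's own code), here is a small Python checker that parses an alerts.log entry in the format quoted above and works out which active-response blocks of an ossec.conf fragment it would trigger, so a practitioner can tell whether a given alert is even eligible for host-deny before looking at execd. It assumes OSSEC's matching rules as I understand them (<level> is a minimum, <rules_id> is a comma-separated allow-list, every condition present in a block must hold, a <disabled>yes block switches AR off), and the config values are constructed, not the poster's pastebin config.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample entry in the alerts.log format quoted in the thread.
ALERT = """** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
"""
# Constructed ossec.conf fragment with hypothetical values (not the poster's config).
OSSEC_CONF = """<ossec_config>
  <active-response><disabled>no</disabled></active-response>
  <active-response>
    <command>host-deny</command><location>server</location><level>6</level>
  </active-response>
  <active-response>
    <command>host-deny</command><location>local</location><rules_id>30115,30116</rules_id>
  </active-response>
</ossec_config>"""
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
SRCIP_RE = re.compile(r"^Src IP: (\S+)", re.M)

def parse_alert(text):
    """Pull rule id, level and source IP out of one alerts.log entry."""
    rule = RULE_RE.search(text)
    if rule is None:
        raise ValueError("no 'Rule:' line in alert entry")
    src = SRCIP_RE.search(text)  # host-deny needs this; None means nothing to block
    return {"rule_id": int(rule.group(1)), "level": int(rule.group(2)),
            "src_ip": src.group(1) if src else None}

def matching_responses(conf_xml, alert):
    """(command, location) for each AR block the alert satisfies: <level> is a
    minimum, <rules_id> a comma-separated allow-list, <disabled>yes turns AR off."""
    blocks = ET.fromstring(conf_xml).findall("active-response")
    if any((b.findtext("disabled") or "no").strip() == "yes" for b in blocks):
        return []
    hits = []
    for b in blocks:
        cmd = b.findtext("command")
        if cmd is None:
            continue  # the global on/off block, not a response definition
        level = b.findtext("level")
        if level is not None and alert["level"] < int(level):
            continue  # alert is below the block's minimum level
        ids = b.findtext("rules_id")
        if ids and alert["rule_id"] not in {int(i) for i in ids.split(",")}:
            continue  # block is restricted to other rule ids
        hits.append((cmd.strip(), (b.findtext("location") or "").strip()))
    return hits
```

With the sample above, the level-5 alert misses the level-6 block and only matches the rules_id block, which is the kind of mismatch worth ruling out before chasing queue errors.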
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
> Thanks for the quick response. Please see inline for answers.
>
> On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>> [...]
>>
>> Are you using active response?
>
> Yes, I am trying to use active response. I'm trying to get it to dump IP's in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.

Make sure AR isn't disabled. Make sure ossec-execd is running. Make sure AR is configured for the server and not just the agents.

>> > and the FAQ says to install the agent but it's a server that's already being monitored by OSSEC by default.
>>
>> I'll have to check that out, because it makes no sense.
>
> I know one thing is to check to see if 'ossec-analysis' is running, which it is.

Yeah, I checked out the FAQ and explained it in a second email.

> Thanks all for the help.
Re: [ossec-list] Install Agent on OSSEC Server?
Thanks for the quick response. Please see inline for answers.

On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
> [...]
>
> Are you using active response?

Yes, I am trying to use active response. I'm trying to get it to dump IP's in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.

> > and the FAQ says to install the agent but it's a server that's already being monitored by OSSEC by default.
>
> I'll have to check that out, because it makes no sense.

I know one thing is to check to see if 'ossec-analysis' is running, which it is.

Thanks all for the help.
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 1:57 PM, dan (ddp) wrote:
> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>> Simple question... Do I have to install an OSSEC agent on the Server? If so, should I specify a different default directory?
>
> No, you do not need to install an OSSEC agent on the OSSEC manager. The server installation performs those functions for that system already.
>
>> Something makes me think I don't think so because the server already monitors files, but I'm seeing this message...
>>
>> 2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> 2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>
> Are you using active response?
>
>> and the FAQ says to install the agent but it's a server that's already being monitored by OSSEC by default.
>
> I'll have to check that out, because it makes no sense.

Ok, the FAQ (http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#check-queue-alerts-ar) actually says to add an agent with manage_agents, not to perform an agent installation on the OSSEC manager.

>> Thanks in advance.
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
> Simple question... Do I have to install an OSSEC agent on the Server? If so, should I specify a different default directory?

No, you do not need to install an OSSEC agent on the OSSEC manager. The server installation performs those functions for that system already.

> Something makes me think I don't think so because the server already monitors files, but I'm seeing this message...
>
> 2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)

Are you using active response?

> and the FAQ says to install the agent but it's a server that's already being monitored by OSSEC by default.

I'll have to check that out, because it makes no sense.

> Thanks in advance.
[ossec-list] Install Agent on OSSEC Server?
Simple question... Do I have to install an OSSEC agent on the Server? If so, should I specify a different default directory?

Something makes me think I don't think so because the server already monitors files, but I'm seeing this message...

2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)

and the FAQ says to install the agent but it's a server that's already being monitored by OSSEC by default.

Thanks in advance.