Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2017-01-26 Thread Dave Stoddard
One solution to the connectivity issue is to install a VPN on all of the
external devices and communicate with the OSSEC server using the VPN. This
is what we do for our clients and it works without any issues. With regard
to storing events, there is an older Windows event collector called Snare
that had functionality to store alerts when the device was not connected to
the network. You can download the source code for this tool (called Snare
Core) to see what they are doing from this link:
https://sourceforge.net/projects/snare/files/Snare%20for%20Windows/4.0.2.0/

Just a note that Snare is not the same as OSSEC, and does not have anywhere
near the functionality of OSSEC (it is just an event collector with relay
capability). It also has issues on Windows 2012 Servers, and the community
version has not been supported since 2013. However, if you want some ideas
on how OSSEC could be modified to store alert data, this is a good reference
example. You will need to be a C/C++ programmer to understand the code. I
have had this as a back-burner project to look at for some time. If I
ever get around to doing this, I will post it back to the OSSEC project.
We used Snare in the early version of our Red Gravity cybersecurity tool,
but abandoned it for OSSEC once we realized that OSSEC had greater
stability, was better supported, and ran on all platforms without issues.
The Snare code is also useful if you want to see how to set audit policy,
group policy, and modify the Windows registry in C++. Hope this helps.

Best Regards,

Dave Stoddard
Network Alarm Corporation
12401 Prosperity Drive, Zone 4
Silver Spring, MD 20904-1694

https://networkalarmcorp.com
301-850-0668 x101 : office
301-455-0245 : mobile
dgs at networkalarmcorp dot com

On Wednesday, January 25, 2017 at 4:48:32 PM UTC-5, Kirk wrote:

Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2017-01-25 Thread Kirk
Has there been any further thought on this issue?  I am in the same boat.

On Wednesday, September 14, 2016 at 12:43:56 AM UTC-5, Vilius wrote:

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Vilius Benetis
Jesus,

When the question is whether I should send an alert into the void or into an
archive, there are cases when archiving is the better option.

Vilius

On Tue, Sep 13, 2016 at 8:54 PM, Jesus Linares  wrote:




-- 
/Vilius



Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Jesus Linares
Vilius, OSSEC is designed to receive alerts from the present and not old
logs. If you send old logs to OSSEC, the alert timestamp will be the
timestamp when the alert was triggered (and not the timestamp when the log
was generated). I was talking about a related issue here.

Nick, usually it is not a good idea to make your Manager accessible from
the public Internet. If your server has a security breach, anyone could
access confidential information about your agents. It could even control
them if they have active response enabled. If you are sure, follow some
security hardening guide for your host and configure your firewall
properly. I would not recommend making an OSSEC Manager public.

Regards.

On Tuesday, September 13, 2016 at 6:47:14 PM UTC+2, Nick Giannoulis wrote:



Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Nick Giannoulis
Didn't know you can use "ANY", that's great, thanks a lot. If my OSSEC server
is accessible externally, any alerts from the agents should still reach my
server, right? (if the agents are connected to the net and nothing is
blocking)

On Tuesday, 13 September 2016 10:51:37 UTC+1, Jesus Linares wrote:



Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Vilius Benetis
Hey,

Has anyone hacked/tested a workaround for this issue (caching/releasing)? For
example, by logging into the native MS event log in order to process it later
via MS event subscription, or a caching syslog agent?

V





Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Jesus Linares
Hi,

As Eero said, you can register your agents with ANY instead of the IP.

Anyway, remember that the agents send the alerts in real time. *Alerts are
not stored to be sent later*. So, you are not going to receive the alerts
generated on your agents while they were not connected to the Manager's
network.

Regards.

On Tuesday, September 13, 2016 at 11:23:56 AM UTC+2, Eero Volotinen wrote:



Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Eero Volotinen
You can use the IP address "any" while creating agent keys for roaming devices.

Eero

2016-09-13 10:58 GMT+03:00 Nick Giannoulis :


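As an added illustration of the "any" registration that Eero and Jesus describe above (example code written for this page, not part of the OSSEC project), the script below parses a constructed client.keys file in the manager's `id name ip key` layout and models, in simplified form, which entries a manager could match against a given sender address: a laptop registered with a fixed IP matches nothing once it sits on another network, while the `any` entry always does. The matching model and the treatment of `!`-prefixed lines as removed entries are assumptions, not taken from OSSEC's source.

```python
"""Inspect an OSSEC client.keys file and model which entries match a sender address."""
import ipaddress
from collections import Counter

# Constructed sample, not a real key file. A real agent key is a 64-character hex
# string; this placeholder only has the right length.
FAKE_KEY = "0123456789abcdef" * 4

# Layout of client.keys on the manager: "<id> <name> <ip | cidr | any> <key>".
SAMPLE_CLIENT_KEYS = "\n".join([
    f"001 web01 192.168.10.5 {FAKE_KEY}",
    f"002 db01 192.168.10.6 {FAKE_KEY}",
    f"003 laptop-nick 10.0.0.7 {FAKE_KEY}",        # laptop registered with a fixed IP
    f"004 laptop-vilius any {FAKE_KEY}",           # laptop registered with 'any'
    f"005 branch-net 192.168.20.0/24 {FAKE_KEY}",  # whole subnet allowed for one key
    "",
])


def parse_client_keys(text):
    """Return (id, name, source, key) tuples. Blank lines and '#' comments are skipped;
    entries whose id starts with '!' are treated as removed agents (assumption)."""
    agents = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        agents.append(tuple(parts))
    return agents


def classify_source(source):
    """'any' -> roaming entry; a single address -> fixed; a CIDR block -> network."""
    if source.lower() == "any":
        return "any"
    net = ipaddress.ip_network(source, strict=False)
    return "network" if net.num_addresses > 1 else "fixed"


def summarize(agents):
    """Count entries per source kind, e.g. {'fixed': 3, 'any': 1, 'network': 1}."""
    return dict(Counter(classify_source(source) for _, _, source, _ in agents))


def candidates_for_source(agents, observed_ip):
    """Names of entries whose registered source covers observed_ip, in file order.
    Simplified model of the manager narrowing its key lookup by sender address:
    a fixed entry must equal it, a CIDR entry must contain it, 'any' always matches."""
    addr = ipaddress.ip_address(observed_ip)
    matches = []
    for _, name, source, _ in agents:
        if classify_source(source) == "any":
            matches.append(name)
        elif addr in ipaddress.ip_network(source, strict=False):
            matches.append(name)
    return matches


if __name__ == "__main__":
    agents = parse_client_keys(SAMPLE_CLIENT_KEYS)
    print(summarize(agents))
    # The same laptop, first on the office LAN and then on a coffee-shop network:
    for ip in ("10.0.0.7", "172.16.3.9"):
        print(ip, "->", candidates_for_source(agents, ip))
```

Running it shows that from 172.16.3.9 only the `any` entry remains a candidate, which is why a fixed-IP registration cannot work for a roaming laptop.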


[ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Nick Giannoulis
Hi all,
I have an OSSEC server running perfectly, monitoring all my servers. I want
to expand it to start monitoring my 'normal' clients (Win7-10 laptops and
workstations). Some of these laptops will be outside of the network most
of the time. Considering that OSSEC agents shouldn't have the same IP, is
there any workaround for my situation? I imagine at some point or another
a few laptops will have the same IP while they are connected to various
other networks.

