Re: [ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-02-02 Thread Santiago Bassett
Yes, the same thing happened to me in the past, and I think it is a limitation in
the message size. I ended up changing the command, but I guess recompiling
would work too.

Best

On Fri, Jan 29, 2016 at 3:31 AM, q wrote:

> Hello!
>
> I have a problem with a long output too.
>
> I run netstat -tupln and got truncated output.
>
> And I don't know how to avoid this.

Re: [ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-29 Thread q
Hello!

I have a problem with a long output too.

I run netstat -tupln and got truncated output.

And I don't know how to avoid this.

On 29.01.2016 11:52, ZaNN wrote:
> Hi again,
>
> Is anyone monitoring iptables output? Has anyone faced the problem of
> a long command output?
>
> Thanks in advance

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-29 Thread ZaNN
Hi again,

Is anyone monitoring iptables output? Has anyone faced the problem of a
long command output?

Thanks in advance

On Wednesday, January 27, 2016, 9:26:48 (UTC+1), ZaNN wrote:
>
> Hello Daniel,
>
> Yes, that was my first try. The problem was that the result of an iptables
> command was too large and the content was truncated most of the time.
> Therefore, it was triggering false positives.
>
> Can you think of another way to perform an iptables -S check diff in real
> time?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-27 Thread ZaNN
Hello Daniel,

Yes, that was my first try. The problem was that the result of an iptables
command was too large and the content was truncated most of the time.
Therefore, it was triggering false positives.

Can you think of another way to perform an iptables -S check diff in real
time?


On Wednesday, January 27, 2016, 6:44:03 (UTC+1), Daniel Cid wrote:
>
> Yes, that would be an issue. Have you tried not sending the output to a
> file and using the check_diff option on the rule itself?
>
> You could do:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>iptables -S</command>
>     <alias>iptables_status</alias>
>     <frequency>3600</frequency>
>   </localfile>
>
> And then write a rule to alert on changes:
>
>   <!-- the rule id and level were lost in the archive; 100100 and 7 are placeholders -->
>   <rule id="100100" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'iptables_status</match>
>     <check_diff />
>     <description>Iptables changed</description>
>   </rule>
>
> See if that works.
>
> thanks,


[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-26 Thread Daniel Cid
Yes, that would be an issue. Have you tried not sending the output to a
file and using the check_diff option on the rule itself?

You could do:

  <localfile>
    <log_format>full_command</log_format>
    <command>iptables -S</command>
    <alias>iptables_status</alias>
    <frequency>3600</frequency>
  </localfile>

And then write a rule to alert on changes:

  <!-- the rule id and level were lost in the archive; 100100 and 7 are placeholders -->
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'iptables_status</match>
    <check_diff />
    <description>Iptables changed</description>
  </rule>

See if that works.

thanks,


On Monday, January 25, 2016 at 8:51:31 AM UTC-4, ZaNN wrote:
>
> Hi all,
>
> I have configured a checksum alert in real time that triggers an e-mail
> alert each time a file is modified. This file is the output of an
> iptables command executed on all agents every hour:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>iptables -S > /var/ossec/active-response/iptables_diff.txt</command>
>     <alias>iptables_status</alias>
>     <frequency>3600</frequency>
>   </localfile>
>
> The problem is that a lot of the time false positives are received due to
> the size changing *to 0 or from 0*. Definitely not every hour.
>
> Integrity checksum changed for: '/var/ossec/active-response/iptables_diff.txt'
> *Size changed from '1089' to '0'*
> What changed:
> 1,20d0
> < -P INPUT DROP
> < -P FORWARD DROP
> < -P OUTPUT ACCEPT
> < -N LOGGING
> < -N OUTPUT-NOLOG
> < -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> < -A INPUT -p icmp -j ACCEPT
> < -A INPUT -i lo -j ACCEPT
> < -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> < -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> < -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG
> < -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW -j OUTPUT-NOLOG
> < -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j OUTPUT-NOLOG
> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 1514 -m state --state NEW -j OUTPUT-NOLOG
> < -A OUTPUT -d 192.168.116.0/24 -p udp -m udp --dport 514 -m state --state NEW -j OUTPUT-NOLOG
> Old md5sum was: '0b43600d67c9fdde33912771c81927e2'
> New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
> Old sha1sum was: 'e991b6897be54bfc0fd2ef0410fd5e50d54317b6'
> New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
>
> Integrity checksum changed for: '/var/ossec/active-response/iptables_diff.txt'
> *Size changed from '0' to '1089'*
> What changed:
> 0a1,20
> > -P INPUT DROP
> > -P FORWARD DROP
> > -P OUTPUT ACCEPT
> > -N LOGGING
> > -N OUTPUT-NOLOG
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
>
> I suspect that this behaviour is related to real time (inotify) and to
> rewriting the file each time the command is executed ( > ). Is there any
> best practice to avoid these false positives? Maybe a delay in the
> real-time check?
>
> Thanks in advance