Re: [ossec-list] Re: important questions on CDB lists

2016-12-09 Thread Jesus Linares
Hi Omar,

if you don't mind, please share your decoders, rules and CDB list and I can 
test it in my lab.

Thanks.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: important questions on CDB lists

2016-12-07 Thread Omar M
Hi Dan,
Thanks for the quick response.

The objective is to create a rule that will trigger if a restricted package 
is installed on the system.  This is what I've done so far:

   1. Created a custom decoder for Yum.  This works fine.  The logs are 
   decoded properly and the name of the package that is installed is decoded 
   and stored in "id"
   2. Created a cdb file; placed the cdb file in /var/ossec/rules/; and 
   updated ossec.conf to include cdb-list under the rules 
   section. The cdb file compiles as expected
   3. Created a custom rule (see below) 
   4. Run ossec-logtest (the output of logtest is below).

The rule is getting called but the alert never fires, see the output below. 
 

==RULES
 
  
yum
Yum custom group.
  

  
11
cdb-list -->
illegal package installed via Yum!!!
  

===

Logtest Output==
# ./ossec-logtest -vvv
2016/12/07 13:14:07 ossec-testrule: INFO: Reading local decoder file.
2016/12/07 13:14:07 ossec-testrule: INFO: Reading the lists file: 'cdb-list'
2016/12/07 13:14:07 ossec-testrule: INFO: Started (pid: 8075).
ossec-testrule: Type one log per line.

Dec  7 07:05:06 ax yum: Installed: libX11-devel - 1.0.3-9.el5.i386


**Phase 1: Completed pre-decoding.
   full event: 'Dec  7 07:05:06 ax yum: Installed: libX11-devel - 
1.0.3-9.el5.i386'
   hostname: 'ax'
   program_name: 'yum'
   log: 'Installed: libX11-devel - 1.0.3-9.el5.i386'

**Phase 2: Completed decoding.
   decoder: 'yum'
   id: 'libX11-devel'

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
   *Rule 1 matched.
   *Trying child rules.
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 11 - Yum custom group.
   *Rule 11 matched.
   *Trying child rules.
Trying rule: 110001 - illegal package installed via Yum!!!

**Phase 3: Completed filtering (rules).
   Rule id: '11'
   Level: '0'
   Description: 'Yum custom group.'
==

-- 
*The information contained in or attached to this email is strictly 
confidential. If you are not the intended recipient, please notify us 
immediately by telephone and return the message to us.*



Re: [ossec-list] Re: important questions on CDB lists

2016-12-07 Thread dan (ddp)
On Wed, Dec 7, 2016 at 12:39 PM, Omar M  wrote:
> Did anyone find a solution to this problem?
>
> I've compiled the CDB and created the rules but cannot seem to get the
> lookup to work
>

I'd really need more information than this to help you.



[ossec-list] Re: important questions on CDB lists

2016-12-07 Thread Omar M
Did anyone find a solution to this problem?

I've compiled the CDB and created the rules but cannot seem to get the 
lookup to work

On Friday, March 18, 2016 at 3:42:50 PM UTC-4, theresa mic-snare wrote:
>
> ehlo *,
>
> I have an important question about CDB lists, as I'm just researching for 
> my thesis on OSSEC.
> Yes, I've read the documentation on readthedocs, maybe I'm too daft to 
> understand it.
>
> what I have done so far:
>
> I've created a file called "baddomains" in /var/ossec/lists/
> content is from zeustracker (
> https://zeustracker.abuse.ch/blocklist.php?download=baddomains)
>
> I've added the list in the  section
> lists/baddomains
>
> I've run 
>   # bin/ossec-makelists
>
>
> I'm not quite sure what the purpose of the CDB lists is. Should a rule 
> fire as soon as one of those domains (content of baddomains) is attacking 
> me?!
> I don't think I've yet understood the positive/negative key match of it.
>
> can someone please explain it to me with a real-life example?
>
> also what does CDB stand for? I haven't found that in the OSSEC Docs 
> either
> common database? central database?!
>
> thanks,
> theresa
>


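An added worked example for the two questions in this thread (Omar's rule that is tried but never fires, and theresa's questions about positive/negative key matching and what CDB stands for); this is not OSSEC's own code and not code posted by anyone on the list. CDB is D. J. Bernstein's "constant database" format: ossec-makelists compiles each list file of `key:value` lines into it, and a rule element such as `<list field="id" lookup="match_key">lists/cdb-list</list>` then looks the decoded field (here `id`, as the Phase 2 output shows) up by key. The cdb layout below follows Bernstein's specification; the lookup modes use OSSEC's attribute names `match_key`, `not_match_key` and `match_key_value`. The package names in the list, the function names `compile_list` and `list_lookup`, and treating `check_value` as a Python regex are my assumptions.

```python
"""Constructed example (added to this thread; not OSSEC's code): how an OSSEC
CDB list is built and looked up.  CDB is D. J. Bernstein's "constant database";
ossec-makelists compiles each 'key:value' list file into that format and a
<list field="..." lookup="..."> rule element queries it.  The cdb format below
follows Bernstein's specification; the lookup modes mirror OSSEC's attribute
names, with check_value treated as a Python regex (an assumption)."""
import re
import struct


def cdb_hash(data: bytes) -> int:
    """cdb hash: start at 5381, h = ((h << 5) + h) ^ byte, kept to 32 bits."""
    h = 5381
    for c in data:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def cdb_build(records) -> bytes:
    """Serialise (key, value) byte pairs into a cdb image.

    Layout: 256 header slots of (table_pos, nslots), then the records
    (klen, vlen, key, value), then 256 hash tables of (hash, record_pos)."""
    body = bytearray(2048)                  # 256 * 8-byte header slots
    buckets = [[] for _ in range(256)]
    for key, value in records:
        h = cdb_hash(key)
        buckets[h & 255].append((h, len(body)))
        body += struct.pack("<II", len(key), len(value)) + key + value
    for i, bucket in enumerate(buckets):
        nslots = 2 * len(bucket)            # half-empty tables keep probing short
        table = [(0, 0)] * nslots
        for h, pos in bucket:
            slot = (h >> 8) % nslots
            while table[slot][1] != 0:      # linear probing on collision
                slot = (slot + 1) % nslots
            table[slot] = (h, pos)
        struct.pack_into("<II", body, i * 8, len(body), nslots)
        for h, pos in table:
            body += struct.pack("<II", h, pos)
    return bytes(body)


def cdb_get(cdb: bytes, key: bytes):
    """Return the value stored under key, or None if the key is absent."""
    h = cdb_hash(key)
    table_pos, nslots = struct.unpack_from("<II", cdb, (h & 255) * 8)
    if nslots == 0:
        return None
    slot = (h >> 8) % nslots
    for _ in range(nslots):
        slot_hash, rec_pos = struct.unpack_from("<II", cdb, table_pos + slot * 8)
        if rec_pos == 0:                    # empty slot ends the probe chain
            return None
        if slot_hash == h:
            klen, vlen = struct.unpack_from("<II", cdb, rec_pos)
            start = rec_pos + 8
            if cdb[start:start + klen] == key:
                return cdb[start + klen:start + klen + vlen]
        slot = (slot + 1) % nslots
    return None


def compile_list(text: str) -> bytes:
    """What ossec-makelists does for one list file: one 'key:value' per line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(":")
            records.append((key.encode(), value.encode()))
    return cdb_build(records)


def list_lookup(cdb: bytes, field_value: str, lookup: str = "match_key",
                check_value: str = None) -> bool:
    """Emulate the lookup modes of <list field=... lookup=...>:
    match_key        fires when the decoded field IS a key in the list (positive)
    not_match_key    fires when it is NOT a key in the list (negative)
    match_key_value  fires when the key exists AND its value matches check_value"""
    value = cdb_get(cdb, field_value.encode())
    if lookup == "match_key":
        return value is not None
    if lookup == "not_match_key":
        return value is None
    if lookup == "match_key_value":
        return value is not None and re.search(check_value, value.decode()) is not None
    raise ValueError("unknown lookup mode: " + lookup)


# Constructed list, in the shape the thread's rule expects: package name as key.
PACKAGE_LIST = compile_list("libX11-devel:restricted\ntelnet:restricted\nvim:allowed\n")

if __name__ == "__main__":
    # 'libX11-devel' is the decoded 'id' field from the logtest run in the thread.
    for pkg in ("libX11-devel", "vim", "gcc"):
        print(pkg, "match_key:", list_lookup(PACKAGE_LIST, pkg),
              "not_match_key:", list_lookup(PACKAGE_LIST, pkg, "not_match_key"),
              "restricted:", list_lookup(PACKAGE_LIST, pkg, "match_key_value", "restricted"))
```

Three things to compare against this model when a rule like 110001 is tried but does not match: the `field` attribute must name the field the decoder actually produced (the Phase 2 output shows `id`), the key on the list line must be byte-for-byte the decoded value (the cdb lookup is an exact key comparison), and the `lookup` attribute decides whether the rule fires on presence (`match_key`) or absence (`not_match_key`) of that key.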