).
Rule id: '810002'
Level: '16'
Description: 'Buffalo NAS - Repeated Bad Sector Count!'
**Alert to be generated.
On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
>
> This is the log sent to ossec:
>
> Apr 24 03:21:41 TS5400R33A kernelmon: cmd=io
>
> If I run threw logt
Do agentless syslogs for OSSEC change on their delivery to the OSSEC
server? These are syslogs being sent to OSSEC.
On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
Tried these with no result:
kernelmon
^TS5400R33A
iptables
^TS5400R33A
On Wednesday, April 25, 2018 at 11:34:07 AM UTC-5, Jacob Mcgrath wrote:
This is the log sent to ossec:
Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1
If I run it through logtest I get iptables as the final decoder:
**Phase 1: Completed pre-decoding.
full event: 'Apr 24 03:21:41 TS5400R33A kernelmon: cmd=ioerr sdc READ 50030496 1'
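Added example, not code from the thread: a local decoder and rule pair for the kernelmon line above. The decoder names, rule ids 100200/100201, levels and thresholds are assumptions chosen for illustration (the poster's own rule is 810002). The poster's logtest run reported iptables as the decoder; if that still happens after adding these, a stock decoder is claiming the event before the local one, and its program_name pattern is the first thing to compare against "kernelmon".

```xml
<!-- /var/ossec/etc/local_decoder.xml (added example; names are assumptions) -->

<!-- Parent: everything the NAS syslogs under the program name "kernelmon".
     The trailing $ keeps the pattern from also matching longer names. -->
<decoder name="kernelmon">
  <program_name>^kernelmon$</program_name>
</decoder>

<!-- Child for "cmd=ioerr sdc READ 50030496 1": device, operation, sector.
     The trailing count is matched but not stored. -->
<decoder name="kernelmon-ioerr">
  <parent>kernelmon</parent>
  <prematch>^cmd=ioerr </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) (\d+) \d+$</regex>
  <order>extra_data, action, id</order>
</decoder>

<!-- /var/ossec/etc/local_rules.xml -->
<group name="kernelmon,local,">

  <!-- A single I/O error: keep it, but at a level that does not page anyone -->
  <rule id="100200" level="5">
    <decoded_as>kernelmon</decoded_as>
    <match>cmd=ioerr</match>
    <description>Buffalo NAS - disk I/O error reported by kernelmon</description>
  </rule>

  <!-- Repeated I/O errors from the same syslog source inside ten minutes:
       the "repeated bad sector" condition. ignore suppresses duplicates of
       this alert for 30 minutes once it has fired. -->
  <rule id="100201" level="12" frequency="5" timeframe="600" ignore="1800">
    <if_matched_sid>100200</if_matched_sid>
    <same_location />
    <description>Buffalo NAS - Repeated Bad Sector Count!</description>
  </rule>

</group>
```

To check it, paste the full syslog line into /var/ossec/bin/ossec-logtest: Phase 2 should name the kernelmon decoder and Phase 3 rule 100200. Pasting the same line a few more times in the same logtest session exercises 100201, since logtest keeps its event state between lines.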
I have not tested on AD controlled Windows 10 as of yet
Here is mine. It's script-based and tails from SID 530:
https://groups.google.com/forum/#!searchin/ossec-list/usb$20detection%7Csort:date/ossec-list/9P1wZM78jj4/CvibL-afAgAJ
You would need this in the Windows agent config.
Wondering if there is a way to use agent_control via the command line to send
an active response to all agents manually.
What I use for single-agent commands:
/var/ossec/bin/agent_control -b 74.34.56.78 -f win_nullroute120 001
I have an SO install and am deploying OSSEC agents to my Active Directory
Windows 7 PCs without much issue. Now
I am attempting to set up Win 10 Enterprise, but these never
connect to the OSSEC server. Has anyone done this before in regards to
Windows 10? I do have 2012 and 2016
Will try, ty. I think my regex foo was off a bit.
On Tuesday, October 11, 2016 at 6:41:56 PM UTC-5, Jacob Mcgrath wrote:
>
> I am looking at logging TeamViewer logs on a Windows agent. The issue is
> the irregular output, like so.
>
> 673915615 Support Team20-05-2016 19:
I am looking at logging TeamViewer logs on a Windows agent. The issue is
the irregular output, like so:
673915615 Support Team20-05-2016 19:37:51 20-05-2016 20:04:29
userRemoteControl {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
151856824 01-06-2016 19:30:36
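Added example, not code from the thread: reading the TeamViewer connection log from the agent and decoding it on the server. The lines above are tab separated (the rendering here collapsed the tabs, which is why "Support Team" runs into the date and "user" into "RemoteControl"); that layout, the file path and the rule ids are assumptions.

```xml
<!-- Windows agent ossec.conf (added example). The path is an assumption;
     point it at wherever TeamViewer writes Connections_incoming.txt. -->
<localfile>
  <location>C:\Program Files (x86)\TeamViewer\Connections_incoming.txt</location>
  <log_format>syslog</log_format>
</localfile>

<!-- Server local_decoder.xml. Tab-separated layout assumed:
     TeamViewerID, display name, start, end, local user, type, ConnectionID
     The display name can be empty, so it is matched with \.* rather than \S+ -->
<decoder name="teamviewer-incoming">
  <prematch>^\d+\t</prematch>
  <regex>^(\d+)\t(\.*)\t\d\d-\d\d-\d\d\d\d \d\d:\d\d:\d\d\t\d\d-\d\d-\d\d\d\d \d\d:\d\d:\d\d\t(\S+)\t(\S+)\t</regex>
  <order>id, extra_data, dstuser, action</order>
</decoder>

<!-- Server local_rules.xml -->
<group name="teamviewer,local,">

  <rule id="100500" level="0">
    <decoded_as>teamviewer-incoming</decoded_as>
    <description>TeamViewer incoming connection log.</description>
  </rule>

  <!-- Every completed remote-control session into a workstation is worth a record -->
  <rule id="100501" level="7">
    <if_sid>100500</if_sid>
    <action>RemoteControl</action>
    <description>TeamViewer remote control session into this host.</description>
  </rule>

</group>
```

The TeamViewer ID of the remote party lands in the decoded id and the local account in dstuser, so the alert carries who connected and as whom without any further rule work.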
I ended up moving this bash script to the Security Onion server, then with
help here wrote basic decoders and rules to trigger alerts. Still going to
play with the agent custom log file issue off and on.
On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
>
> ANy have a issu
ty that did it ty
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to
09'
Level: '12'
Description: 'Gaming Server Down 10 Minutes!'
**Alert to be generated.
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
ion,
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
up of it. Still having the issue of log monitoring
of this alert from the native OSSEC server... but I will have a solution
either way.
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
windows-date-format
true
^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
url,srcip,id
On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
>
>
>
> Looking to take these logs from two sep
these lesser checks.
On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
on restart end of log
On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
Any have an issue like this? The OSSEC server says it's not available and
ignores it. But it is there... weird?
root@alamo:/home/mis/admin-tools/logs# tail \ ping-domain.log
System Check Domain Cluster - A appears to be down 06092016 09:50:01
System Check Domain Cluster - A
np
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
Ok, ok, I see what you are talking about.
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
I think I am going to reinstall my Security Onion; I've had off-the-wall
issues with other things as well. Will try on my test server when I get
home. Might have a semi-borked install.
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
attacks,
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
I'll post my final decoders & rules + script soon.
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
It works on my test system at home, which is the same install as at the shop,
so WTF. Sry for the crazy &(^*(^%
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
With this it still hits the 1002 rule
pingserv
Grouping For Server Ping Group
100010
FAILURE
FAILURE
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
Working with the decoders at the moment.
On Thursday, June 2, 2016 at 6:37:02 AM UTC-5, Jacob Mcgrath wrote:
>
> Ok, think I got it. Waiting till server log level is tuned up a bit then
> I will go for it again.
>
> On Friday, May 27, 2016 at 7:12:41 AM UTC-5, dan (ddpbsd) wrot
).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
The issue is that I am not able to trigger the rule below:
pingserv
Grouping For Server Ping Group
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob
Was wondering on the best route/option to accomplish this?
(similar to the USB storage detection)
Was thinking about a batch or bash script that would ping servers from a list to a
file. Every so many minutes this
file would be overwritten with the new results.
If the results "differ" from the
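Added example, not code from the thread: a decoder for the ping-check output plus the composite rule that turns "down twice in a row" into the alert. It assumes the script appends one line per failing host in the form shown in the ping-domain.log excerpt earlier in this listing ("System Check Domain Cluster - A appears to be down 06092016 09:50:01") and runs every five minutes. Rule 100010, its group name and the "Gaming Server Down 10 Minutes!" description are taken from the posts; the decoder name and rules 100011/100012 are assumptions. The host label is stored in the decoded id field purely so that same_id can tie repeated failures to one host. If logtest still ends at rule 1002 after this, look at Phase 2 of its output: 1002 is the catch-all for generic words such as "failure" and "error", and it is what you get when the grouping rule's decoded_as did not match.

```xml
<!-- local_decoder.xml (added example; the decoder name is an assumption).
     Sample line: System Check Domain Cluster - A appears to be down 06092016 09:50:01
     The host label (which may contain spaces) is captured with \.+ and stored
     as "id" so that a composite rule can use same_id on it. -->
<decoder name="pingserv">
  <prematch>^System Check </prematch>
  <regex offset="after_prematch">^(\.+) appears to be down \d+ \d+:\d+:\d+$</regex>
  <order>id</order>
</decoder>

<!-- local_rules.xml -->
<group name="pingserv,local,">

  <!-- Grouping rule, id and description as in the posts -->
  <rule id="100010" level="0">
    <decoded_as>pingserv</decoded_as>
    <description>Grouping For Server Ping Group</description>
  </rule>

  <!-- One failed check -->
  <rule id="100011" level="7">
    <if_sid>100010</if_sid>
    <match>appears to be down</match>
    <description>Ping check: host is not answering.</description>
  </rule>

  <!-- The same host (same decoded id) reported down again within eleven minutes,
       i.e. two consecutive five-minute checks. ignore keeps it from re-firing
       every five minutes for as long as the host stays down. -->
  <rule id="100012" level="12" frequency="2" timeframe="660" ignore="600">
    <if_matched_sid>100011</if_matched_sid>
    <same_id />
    <description>Gaming Server Down 10 Minutes!</description>
  </rule>

</group>
```

OSSEC's frequency counter does not map one-to-one onto the number of matching lines (the rule syntax documentation warns that the actual trigger count is two more than the attribute), so verify the threshold in ossec-logtest by pasting the same line repeatedly before trusting the ten-minute figure.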
Ok, think I got it. Waiting till server log level is tuned up a bit then I
will go for it again.
On Friday, May 27, 2016 at 7:12:41 AM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, May 26, 2016 at 4:33 PM, Jacob Mcgrath
> <jacob.xt...@gmail.com > wrote:
v2.8
On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
> know what rule it is matching to compare against your local_rules.xml
> entries.
I am still struggling with the general syntax of regex...
On Thursday, May 26, 2016 at 3:33:30 PM UTC-5, Jacob Mcgrath wrote:
Looking to take these logs from two separate server applications and
perform alerts and possibly responses to them.
server 1:
2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
2016-05-26
n_failures,
On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>
> Here is what I have so far...
>
> *Agent config*
>
>
>
>
> C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
> iis
>
>
> *Server local_decoder.xml*
>
>
>
-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+occurred+during+the+authentication+process.
On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath
Level: '5'
> Description: 'FTP Authentication failed.'
> **Alert to be generated.
75da -
An+error+occurred+during+the+authentication+process.
--END OF NOTIFICATION
On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
I can run 8-10 failed logins and do get email alerts for them, so I believe
the decoder is working, but the rules are not being applied and the
fallback is rule 1002 for some reason.
On Tuesday, May 24, 2016 at 10:24:24 AM UTC-5, Jacob Mcgrath wrote:
>
> Weird I run the logtest and
rent log (with other format) or just you are not receiving anything.
> Configure ossec to log all events:
>
> yes
>
> Then, review archives/archives.log. In case you are receiving the ftp
> logs, paste here some examples and we can help a little more.
>
>
> Reg
Here is what I have so far...
*Agent config*
C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
iis
*Server local_decoder.xml*
windows-date-format
true
^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC
^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)
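Added example, not the poster's code: the two IIS W3C decoders (the FTP one follows the prematch and regex posted above; the web one covers the "server 1" line quoted earlier in this listing) and the FTP failure rules. Decoder names, rule ids, levels and thresholds are assumptions. Both decoders hang off the stock windows-date-format parent, so their prematch and regex use offset="after_parent" and start right after the "YYYY-MM-DD HH:MM:SS " the parent consumed. Rule 1002 shows up as the fallback because the FTP line contains "error" (in "An+error+occurred..."), one of the words 1002 matches on; once a rule keyed on the iis-ftp decoder matches, that is the rule reported instead.

```xml
<!-- local_decoder.xml: both decoders are children of the stock
     "windows-date-format" decoder, which matches the leading timestamp. -->

<!-- IIS FTP (FTPSVC) W3C line after the timestamp, e.g.
     10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 ...
     captured: client ip, user name, command, sc-status -->
<decoder name="iis-ftp">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+) </regex>
  <order>srcip, user, action, id</order>
</decoder>

<!-- IIS web site W3C line after the timestamp, e.g.
     172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(...)+Firefox/39.0 200 0 0 15
     captured: method, uri-stem, client ip, sc-status. type web-log makes the
     stock web rules (31100 and its children) apply to these events. -->
<decoder name="iis-w3c-web">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <type>web-log</type>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ /</prematch>
  <regex offset="after_parent">^\d+.\d+.\d+.\d+ (\S+) (\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) \S+ (\d+) </regex>
  <order>action, url, srcip, id</order>
</decoder>

<!-- local_rules.xml -->
<group name="iis-ftp,local,">

  <rule id="100110" level="0">
    <decoded_as>iis-ftp</decoded_as>
    <description>IIS FTP messages grouped.</description>
  </rule>

  <!-- sc-status 530 (not logged in): the "PASS *** 530" line in the post -->
  <rule id="100111" level="5">
    <if_sid>100110</if_sid>
    <id>^530$</id>
    <description>FTP Authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Eight failures from one client address inside two minutes -->
  <rule id="100112" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>100111</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force: multiple authentication failures from the same source.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

With the web decoder typed web-log, the stock web rules already alert on 4xx/5xx bursts and on injection patterns in the decoded url, so the only local rule that side needs is whatever is specific to the application. Before adding either decoder, run a sample line through ossec-logtest: if Phase 2 already names a stock IIS decoder, keep that one and write only the rules.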
10.40.3.253 6 56496 10247 1 901 0 8 8 1}
On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
>
> Is it possible to have Ossec monitor Snort logs for certain Sid's and then
> trigger the active response on all agents when event occurs.
>
> Looking at reacting to Nmap
Referencing this for log alerts:
<http://commons.oreilly.com/wiki/index.php/Snort_Cookbook/Logging,_Alerts,_and_Output_Plug-ins#Logging_Only_Alerts>
On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
Is it possible to have OSSEC monitor Snort logs for certain SIDs and then
trigger the active response on all agents when the event occurs?
Looking at reacting to Nmap- and Nessus-type scans on my internal network.
I guess I would have to monitor the Security Onion server's Snort log for
SIDs for
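Added example, not from the thread: the rule-driven way to do this. Rather than pushing the response to every agent by hand with agent_control, an active-response entry with location "all" fans the command out to every agent whenever the rule fires. The alert-file path, the rule id and the two Snort sids (469 and 1228 are the classic "ICMP PING NMAP" and "SCAN nmap XMAS" signatures, used here only as placeholders) are assumptions; win_nullroute is the command name the poster uses in his own agent_control calls, and route-null.cmd is the null-route script shipped with the Windows agent.

```xml
<!-- Server ossec.conf: read the sensor's Snort alert file.
     The path is a placeholder; use the sensor's actual alert file. -->
<localfile>
  <log_format>snort-full</log_format>
  <location>/var/log/snort/alert</location>
</localfile>

<!-- local_rules.xml: pick specific Snort sids out of the stock IDS rule 20100.
     The decoded id is gid:sid:rev (e.g. 1:1228:7); the pattern also accepts a
     bare gid:sid. Substitute the scan signatures your sensor actually emits. -->
<group name="ids,local,">
  <rule id="100400" level="10">
    <if_sid>20100</if_sid>
    <id>^1:469:|^1:469$|^1:1228:|^1:1228$</id>
    <description>Snort: scan signature matched, null-routing the source on all agents.</description>
  </rule>
</group>

<!-- ossec.conf: the command and its fan-out. "win_nullroute" runs the stock
     route-null.cmd on Windows agents; location "all" sends the response to
     every agent when rule 100400 fires; timeout undoes it after 600 s. -->
<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>win_nullroute</command>
  <location>all</location>
  <rules_id>100400</rules_id>
  <timeout>600</timeout>
</active-response>

<!-- Never let the response null-route infrastructure you depend on: a decoy or
     spoofed scan source (nmap -D) would otherwise turn this into a self-inflicted
     outage on every workstation at once. white_list lives in the global section;
     the address is a placeholder. -->
<global>
  <white_list>10.0.0.1</white_list>
</global>
```

Because the response is addressed to every agent, the blast radius of a false positive is the whole fleet: list the domain controllers, the OSSEC server itself and any scanner you run on purpose (Nessus, MBSA) in white_list before enabling it.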
I have Win 8, 10, Server 2003/2008/2012 I will test on when I get a moment
at work.
On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>
> Hi
>
> I cannot get active response to work
>
> how can I debug why active response on Windows agents is not working ?
>
> linux agents are
Ok, on Win7 Ent it seems to be working ok... ty
On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
Ok, let me know when it's time for my guinea pigging to start, lol.
On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
Thank you Antonio
On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
The script works locally at work. If I invoke an active response from the OSSEC server like so:
/var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007
I see that C:\Program Files (x86)\ossec-agent\active-response\active-responses.log
is generated... with this input...
Not at work yet, but the new one from the git repo works "locally". I will test
in a couple of hours at work :)
:: Script to null route an ip address.
@ECHO OFF
ECHO.
:: Set some variables
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DAT=%%A %%B
FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%")
Yes, I have no life, "but" since I am dropping routes on my internal network
I can check the first octet... or do checks in chain style for other
subnets...
ECHO "%2" | %WINDIR%\system32\findstr.exe /R "10\." >nul || ECHO Invalid IP && EXIT /B 2
For me it was the IP checking part of the script on Windows 7 Enterprise...
I commented it out for now until I have a little time to rework the
checking function... I will post it later when this happens.
:: Check for a valid IP
::ECHO "%2" | %WINDIR%\system32\findstr.exe /R
Thanks, peeps, for the info; digging into it as we speak.
On Thursday, April 28, 2016 at 6:57:30 AM UTC-5, Jacob Mcgrath wrote:
>
> I have a 200-300 workstation network and roughly 60-80 servers in either
> heavy metal or virtual clusters.
>
>
> From what I read I can use a .cvs f
<https://lh3.googleusercontent.com/-77P49OfgEuI/VyOAW-JH46I/CYQ/rWZvCMTOkl0240wJOUI5DtIt46YXC5xfQCLcB/s1600/squert.PNG>
On Friday, April 29, 2016 at 6:48:57 AM UTC-5, Jacob Mcgrath wrote:
>
> Ok, here is my .Bat script I use to Check for & list files contained
> w
st started at: Fri Apr 29 15:13:54 2016
Rootcheck last started at: Fri Apr 29 15:14:26 2016
Wondering if the Active Directory permission structure is causing issues
with OSSEC config pushes??
On Thursday, April 28, 2016 at 6:57:30 AM UTC-5, Jacob Mcgrath wrote:
Ok, here is my .bat script I use to check for & list files contained within
the USB drive. If no drive is detected the output file would not change,
therefore not causing
an alarm when the drive is removed. If no drive is present the script
exits, causing no change to the usbstor.txt, thus no
And I get this in Squert on my Security Onion...
<https://lh3.googleusercontent.com/-s8bBhwqjuDc/VyIsbVMoMaI/CWM/ntYZ5QQQYYYJM1rxu8gFSPyP2B-LN3-nACLcB/s1600/squert.PNG>
On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:
Now In Squert i can see this report and or alert...
<https://lh3.googleusercontent.com/-Ooskcm7_A2U/VyIrGUcx9iI/CWA/CsSu3vRW83Y8kbU89cVAGTV7PgWqSVk8QCLcB/s1600/squert.PNG>
On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:
iles Listed:
4 File(s) 420,707,928 bytes
2 Dir(s) 3,328,983,040 bytes free
Previous output:
ossec: output: 'USBDevices':
--END OF NOTIFICATION
In Squert I can see this:
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
I have a 200-300 workstation network and roughly 60-80 servers in either
heavy metal or virtual clusters.
From what I read I can use a .csv file with hostnames to assign OSSEC keys
to agents in large volumes. Has anyone done this, or had issues with this
method?
Passing down Windows agent
I have a "working" solution, not as elegant as I wanted, but it does work.
When I get to work I will post!
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is
> detecte
>
> 530
>
> ossec: output: 'USB-Audit'
>
> USB Connected - Current Session Information
rectory of E:\System Volume Information
--END OF NOTIFICATION
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
as in OSSEC's host logs in order to search via keyword, say
"usb", is ELSA... I am still not
totally up to speed on how this works.
On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
>
> Wonder if I could wrap it into a test.ps1 and execute threw
> powershell
Wonder if I could wrap it into a test.ps1 and execute it through
powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
Will try dropping the | select -Skip 2 from the Get-Content and see if that
works, or maybe a -Raw output arg.
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
--END OF NOTIFICATION
It is missing the remaining content on that C:\temp\tmp.txt ... But I am
close :)
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
I have a basic Windows agent setting to alert me when a storage device is
detected using PowerShell..
full_command
powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc
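Added example, not the poster's code: the same USB check expressed as a full_command entry with an alias and a check_diff rule, which is the mechanism the "USB-Audit" rule fragment quoted earlier in this listing relies on. The PowerShell one-liner, the alias, the interval and rule id 100310 are assumptions; rule 530 is the stock parent for "ossec: output:" events.

```xml
<!-- Windows agent ossec.conf (added example; command, alias and interval are
     assumptions written for the same task as the gwmi one-liner in the post).
     Only USB-attached disks are listed, so the output is empty while none is
     plugged in and changes the moment one appears. The agent reads stdout,
     so nothing needs to be written under C:\temp. -->
<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -NoProfile -Command "Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' } | Select-Object Model,SerialNumber,Size | Format-List"</command>
  <alias>USB-Audit</alias>
  <frequency>60</frequency>
</localfile>

<!-- Server local_rules.xml. The alias is what appears after "ossec: output:",
     and check_diff fires only when the output differs from the copy of the
     previous run the server keeps, i.e. on insert and on removal. -->
<group name="usb-audit,local,">
  <rule id="100310" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'USB-Audit'</match>
    <check_diff />
    <description>USB Connected - Current Session Information</description>
  </rule>
</group>
```

Unplugging the device turns the output back to empty, so a removal also raises 100310; the poster's script, which leaves its output file untouched when no drive is present, is one way to get an alert on insertion only.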
Forgot that part before bed.
Question is: is it possible for a Windows agent to have an active response,
let's say to network scans?
On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote:
>
> Hello Folks,
>
> Could someone help me wrap my head around the windows active response
>
I am also interested in this process in regards to OSSEC and Windows
active response. I am considering a deployment in an
AD-controlled business environment. Was considering active response for
Windows clients when network scans are detected (Nmap, Nessus, MBSA, etc., etc.).
As well as logging