Are you sure it was OSSEC? I just had a look at
https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh
The only iptables commands it does are the following four, and I can't
see how they would flush an entire table/chain.
iptables -I INPUT -s ${IP} -j DROP
iptables
There are a couple hops between ossec-maild and your inbox. Since you
said maild is attempting to send the emails: where do they get stuck,
does the local MTA have them, what is in the mail daemon's logs?
On 3/18/2016 8:33 PM, sandeep dubey wrote:
Yes, it attempts but emails are not landing
If he doesn't have any kind of configuration management/orchestration in
place it might make more sense to use a minimal ossec.conf on the agents
and deploy any changes via the shared/agent.conf on the master.
That way he won't run into problems again with settings on the agents he
might have
Have you tried setting USER_NO_STOP="y" (we use ansible too for building
the binaries)?
On 2/19/2016 1:16 AM, Barry Kaplan wrote:
I cannot get the install to NOT ask
You already have OSSEC installed. Do you want to update it?
I am installing via ansible, the ./install.sh can get
If the logs are in your masters archives.log, then it would seem as if
they *are* being sent, so that isn't the problem.
Do you have an example of an apache error log line that you expected to
trigger an alert?
On 2/10/2016 1:52 AM, Maxim Surdu wrote:
I check my logs are in
Not sure how this is OSSEC related, but unless you have a shared
resource that both VMs can access (with sufficient locking mechanisms)
I'd just use TCP/UDP and a client/server architecture.
On 2/3/2016 8:07 PM, Zakirasafi wrote:
Dear all
I have installed two virtual machines on XEN
Just use 127.0.0.1 and set up your postfix
to deal with the incoming mails accordingly.
On 12/4/2015 10:32 AM, Bruno Rodrigues wrote:
How can I do this?
I already have postfix working with mailgun, but OSSEC emails won't work.
On Sunday, November 8, 2015 at 11:51:45 AM UTC-2, Eero
On 11/30/2015 12:21 PM, Daniel Bray wrote:
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote:
Last idea at the moment:
Copy archives.log. Open the copy in a text editor. Find an entry you
want to test against and delete everything else.
<frwao...@gmail.com> wrote:
Hi Ryan,
I am not too good in tuning up my active response
or rules. Any tips on how to go about it?
On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze <r...@dopefish.de>
Sounds like you may want to look into fine tuning your active response
and/or rules.
On 11/9/2015 10:11 PM, frwa onto wrote:
Hi Santiago,
I am just running as standalone so it's not a
manager or agent. I have another machine for instance I am using the
older ossec 2.7.1 in
Are you sure you added the agent right on the master; why is there a
netmask in the IP field (it should be 172.20.21.39 not 172.20.21.39/24)?
On 11/4/2015 5:26 AM, Reinaldo Fernandes wrote:
And this is my agent failure connection:
I've never seen DDP logs. Do you have an example of the logs from DDP
that you expect OSSEC to decode and generate alerts for? Or have you
tried feeding the logs into /var/ossec/bin/ossec-logtest yourself and
seeing if OSSEC can decode them?
I assume that if it is standard syslog format, you
agent-control -i can show you that information.
On 10/1/2015 8:54 AM, Legolas Klaitxu wrote:
I'm going to work with the database of ossec and appears that the
agent table from Ossec is empty.
Using agent-control -l I've been able to insert into the database the id
of different clients, the
Hmm, I haven't had problems with that in my environment. I have active
responses set up that fire regardless of whether a mail was triggered or not.
The configuration for emails and active responses are in different
blocks and don't necessarily rely on the level of an alert to trigger (I
prefer
Have you checked /var/ossec/logs/alerts/alerts.log on the OSSEC server
to see if there were any alerts that would have generated an email? And
if yes, what were the logs from the MTA for those emails?
On 9/7/2015 6:35 AM, Ramiz Ilyas wrote:
Dear All,
I have installed a virtual network on
On a large deployment I wouldn't recommend doing the delete on the
'data' and 'alert' tables since that locks those tables during the
operation (may take a while depending on the size of your tables). If
this isn't an issue for you, then deleting is the easiest way to get rid
of old data.
We
On 8/11/2015 6:17 AM, C0rn123 wrote:
On Tuesday, 11 August 2015 12:47:25 UTC+2, C0rn123 wrote:
Hello,
I want to turn off ANY emails below a certain alert level.
Unfortunately the alert_by_email option in a lot of rules
overwrites the minimum alert level set in the
I remember submitting that pull request for 2.8.0, so it should be in
your 2.8.1 version (I didn't add any compile time options to deactivate it).
Did you make sure that ossec-maild died when you restarted the ossec
daemons (it may be an old process still delivering your mail that didn't
pick
...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
On Tuesday, August 4, 2015 at 3:15:22 PM UTC-6, Ryan Schulze wrote:
I remember submitting that pull request for 2.8.0, so it should be
in your 2.8.1 version (I didn't add
I had a look at the Makeall file, and if the header (dev) files for
magic are found, it is compiled with libmagic, if they aren't found it
isn't. So by default it does try to compile with libmagic, but if it
can't find the required files to do so, it falls back to not using libmagic.
On
a command.
On 7/25/2015 1:06 PM, theresa mic-snare wrote:
Great, thanks for the bash script, Ryan.
but what else to do after downloading the IP blocklist? how could I
feed ossec with it?
maybe through an active-response?
On Saturday, 25 July 2015 04:56:07 UTC+2, Ryan Schulze wrote:
I played
I played around with IP reputation and CDB a while back, but never
pushed it to my live servers. I found the following bash snippet on my
test server, it may be of use for someone (although the alienvault list
is pretty long and contains different levels of evil may be worth
parsing and
I can verify the problem with Ubuntu 14.04.
According to the syscheck docs libmagic is optionally used with
report_changes (if found on the system). I haven't checked the source
code yet to see what exactly the ramifications are, but according to the
docs:
I think sometimes it works properly but at other moments not :(
On Thursday, 16 July 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
You redacted the IP address in the ossec logs, so I'm assuming
it is something other than 127.0.0.1?
Because your
You redacted the IP address in the ossec logs, so I'm assuming it is
something other than 127.0.0.1?
Because your netstat shows that mysql is only bound to 127.0.0.1.
On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
Good Morning,
I've started to work with ossec and reviewing the log I identify
You are right, srcip can't be comma separated, but you can use a cdb
list, the full details about the cdb lists is here:
http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html
Your rule would look something like this:
<rule id="100078" level="0">
  <if_sid>5703,31161</if_sid>
Last time I checked the hostname format is (agent name) agent IP->logfile
and is not determined by the decoded logs in the file.
That means although you can use hostname to match specific log files
(e.g. <hostname>/var/log/apache2/foobar.access.log</hostname>) you
don't have to and can also use
If you have the data for the agents client.keys you can just write it
directly to the file
echo 'key data' > /var/ossec/etc/client.keys
It will be the same line as on the master. Works fine here (we use
ansible for deployment and the client.keys is built on each host from a
template)
On
On 12/24/2014 2:54 PM, dan (ddp) wrote:
On Dec 24, 2014 3:48 PM, Glenn Ford <gmfpa...@gmail.com> wrote:
You are saying it's NOT working? Umm, so how do I proceed to figure
out what's wrong?
Remove the pure transfer decoder.
Since 'pure-transfer' and
You can set the cron up on the master and have it send a restart to all
the connected agents with agent_control (quick&dirty would be something
like:
for id in $(/var/ossec/bin/agent_control -lc | cut -d, -f1 | cut -d: -f2); do /var/ossec/bin/agent_control -R ${id}; done
)
On 7/18/2014 8:59 AM,
does ossec-logtest -v spit out any problems?
On 4/17/2014 5:36 AM, Ankit Singh wrote:
Hi am restarting ossec and remoted not starting up
Hi,
We had a similar requirement here. I just added an additional option to
the ossec.conf that gets added into the mail headers (X-IDS-OSSEC:
$value) to be able to use that to sort the emails from the different
masters.
I currently don't have a patch file with only that change (for stupid
I believe the file you are looking for is etc/preloaded-vars.conf,
just fill out all the answers to the questions in that file and
install.sh won't ask for them.
On 2/11/2014 5:23 PM, David Montgomery wrote:
Hi,
Newbie trying to install agent and server. Will build my own chef
recipes.
IIRC if you delete the queue/rids/${AgentID} on the agent and master and
restart ossec on both it should reset it.
On 2/11/2014 6:47 PM, Eero Volotinen wrote:
Hi List,
I have some issues with ossec. My ossec server was down about a week and
after starting ossec server, all clients start to
On 1/14/2014 10:54 AM, Darin Perusich wrote:
Hello All,
Is it possible to break the various ossec configuration options into
individual files and include them in the main ossec.conf? Say I put
syscheck opts into syscheck.xml, localfile opts in localfile.xml, etc.
I'm not finding anything about
On 1/3/2014 10:15 AM, Rich Rumble wrote:
On Thursday, January 2, 2014 6:13:55 PM UTC-5, dan (ddpbsd) wrote:
On Thu, Jan 2, 2014 at 6:10 PM, dan (ddp) ddp...@gmail.com wrote:
I'll have to jump on a computer later to test. Rules still do
not belong on the agents.
AFAIK not possible within OSSEC. If it's always the same people you
could make a mailing list on your mailserver and send it to that.
On 10/14/2013 2:08 PM, Lalbee99 wrote:
When configuring email alerts is there any way to incorporate more than
a single email address per email_alert. In
Do you have any active responses configured that would trigger (i.e. an
unconditional active response for alerts level 7 or higher that is now
active since you bumped 5715 to level 7)?
On 8/30/2013 11:07 AM, sandeep dubey wrote:
Forgot to mention that DNS has no issue at all.
On Aug 30,
How many ossec master servers do you have sending data to the database?
i.e. how many entries are there in the 'server' table?
If you only have one master then all entries will have the same server_id.
Also, a heads up if you have multiple master servers sending their data
to the database:
Based on your ls output I'd say that the error message is occurring
since Apache isn't allowed to access the directory. Did you add any ACLs
to the directory to allow access that we aren't seeing here? Have you
tried just su'ing to your apache user to see if it can access everything
like it
Even if I know where it is (and probably most other people following the
list) I suspect anyone that is considering using OSSEC in a production
environment will want to stick with the stable releases found on the
official website.
That seems like a flaw in their process. If they refuse to use
On 3/7/2013 8:34 PM, dan (ddp) wrote:
On Thu, Mar 7, 2013 at 4:55 PM, Joe Gedeon joe.ged...@gmail.com wrote:
Yes, but a 2.7.1 has not been uploaded to the download site that corrects
the issues. Latest release still downloads 2.6 even. Due to the bugs that
have been corrected since 2.7 came
On 3/7/2013 8:33 PM, dan (ddp) wrote:
Make sure /bin/sh is bash and not dash.
Actually the problem is that the script is using bash syntax even though
it has /bin/sh as the shebang.
The script should either be changed to only use sh syntax or use #!/bin/bash
Hmm, there are various ways to accomplish this.
Since you want alerts from a specific set of alerts, I would suggest the
following: add the rules you want to be notified of to an additional
group and make sure they will trigger sending an email regardless of
their level. Then just have ossec
Hi James,
that sounds like quite a few new rules in that list. I've never had that
many, so can't say what side effects it may have. But after looking at
the SANS document I would suggest shortening it down to one rule that
uses CDB lists and looks like this (based off the rule template from
Hi Vilius,
If you are using the OSSEC Web UI 0.3 download from ossec.net you may
want to have a look at some of the patches here on the list.
e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html
The log format changed with version OSSEC 2.6 and broke some of the
functionality of the Web
PM UTC-8, Ryan Schulze wrote:
I stumbled across a weird phenomenon today. I noticed that
some of my
apache logs were being decoded as syslogs.
As far as I can tell, if the 1st, 3rd and 4th octet of the IP are
three-digit and the 2nd octet is two-digit
I stumbled across a weird phenomenon today. I noticed that some of my
apache logs were being decoded as syslogs.
As far as I can tell, if the 1st, 3rd and 4th octet of the IP are
three-digit and the 2nd octet is two-digit AND apache logged a username
(e.g. due to .htaccess) then ossec doesn't
Are you sure your CPU is your bottleneck? How does it behave after
tuning the syscheck options?
On 11/28/2012 5:11 AM, Yesodha wrote:
Hi,
Can anyone respond to this ticket? Still I am facing this issue.
Regards,
Yesodha Prabhu
On Wednesday, October 10, 2012 2:23:23 PM UTC+5:30, Yesodha wrote:
Hi Chris,
the email notification works like this: emails always get sent to the
global email_to, and any granular email config is added as an
additional recipient of the email.
Our solution was to just set the global email_to to an email address
that discards mail (like blackhole or devnull).
I'd strongly suggest avoiding any active responses on the web attack
rules until you've tweaked them to fit your applications ;-)
(and even then I'd really be careful since an attacker can use CSRF on a
random site in the internet to cause a victim to send queries to your
server that will
Can you do that again, but this time as /bin/sh -x register_rule.sh
build ?
On 8/22/2012 7:10 PM, Christopher Werby wrote:
root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x
register_rule.sh
On 8/17/2012 1:17 PM, dan (ddp) wrote:
Since you've installed OSSEC somewhere silly, [...]
totally off-topic, but I always wondered why the default installation is
in /var and not /opt ?
Maybe it's just me (I started out with SunOS/Solaris and then
transitioned to Linux later), but I prefer
Have you checked the timezone of your OSSEC Server?
On 7/20/2012 7:51 AM, Dmitry wrote:
I have the following notification:
OSSEC HIDS Notification.
2012 Jul 16 06:14:50
Received From: (srv-fl-bdc) 172.19.41.96-WinEvtLog
Rule: 18110 fired (level 8) - User account enabled or created.
Portion
On 6/25/2012 10:05 AM, dan (ddp) wrote:
I think the WUI is currently so bad that encouraging its use does more
harm than good. There are good alternatives for viewing logs, why
would I thank someone for pushing a bad one?
In that case it would be a good idea to have the WUI marked as
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Ryan Schulze
Sent: Friday, June 22, 2012 8:01 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
On 6/21/2012 2:47 PM, dan (ddp) wrote:
I prefer a fix
On 6/21/2012 2:47 PM, dan (ddp) wrote:
I prefer a fix or solution. I'm not a developer and not intended to
be...
Hire someone who knows PHP.
WUI is junk. No one seems to be able to get it working properly.
Aww WUI isn't that bad, considering the poor thing has to parse logfiles
I find it