Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-15 Thread Ryan Schulze
Are you sure it was OSSEC? I just had a look at https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh The only iptables commands it does are the following four, and I can't see how they would flush an entire table/chain. iptables -I INPUT -s ${IP} -j DROP iptables

Re: [ossec-list] Emails are not going

2016-03-19 Thread Ryan Schulze
There are a couple of hops between ossec-maild and your inbox. Since you said maild is attempting to send the emails: where do they get stuck, does the local MTA have them, what is in the mail daemon's logs? On 3/18/2016 8:33 PM, sandeep dubey wrote: Yes, it attempts but emails are not landing

Re: [ossec-list] Re: Change ossec.conf globaly

2016-03-08 Thread Ryan Schulze
If he doesn't have any kind of configuration management/orchestration in place it might make more sense to use a minimal ossec.conf on the agents and deploy any changes via the shared/agent.conf on the master. That way he won't run into problems again with settings on the agents he might have

Re: [ossec-list] Unattended install always asks...

2016-02-19 Thread Ryan Schulze
Have you tried setting USER_NO_STOP="y" (we use ansible too for building the binaries)? On 2/19/2016 1:16 AM, Barry Kaplan wrote: I cannot get the install to NOT ask You already have OSSEC installed. Do you want to update it? I am installing via ansible, the ./install.sh can get

Re: [ossec-list] OSSEC not sending error.log

2016-02-11 Thread Ryan Schulze
If the logs are in your master's archives.log, then it would seem as if they *are* being sent, so that isn't the problem. Do you have an example of an apache error log line that you expected to trigger an alert? On 2/10/2016 1:52 AM, Maxim Surdu wrote: I check my logs are in

Re: [ossec-list] sharing memory between two virtual machine

2016-02-04 Thread Ryan Schulze
Not sure how this is OSSEC related, but unless you have a shared resource that both VMs can access (with sufficient locking mechanisms) I'd just use TCP/UDP and a client/server architecture. On 2/3/2016 8:07 PM, Zakirasafi wrote: Dear all, I have installed two virtual machines on XEN

Re: [ossec-list] sending email through existing smtp server

2015-12-04 Thread Ryan Schulze
Just use 127.0.0.1 and set up your postfix to deal with the incoming mails accordingly. On 12/4/2015 10:32 AM, Bruno Rodrigues wrote: How can I do this? I already have postfix working with mailgun, but OSSEC emails won't work. On Sunday, November 8, 2015 at 11:51:45 AM UTC-2, Eero

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Ryan Schulze
On 11/30/2015 12:21 PM, Daniel Bray wrote: On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote: Last idea at the moment: Copy archives.log. Open the copy in a text editor. Find an entry you want to test against and delete everything else.

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-12 Thread Ryan Schulze
ao...@gmail.com wrote: Hi Ryan, I am not too good in tuning up my active response or rules. Any tips on how to go about it? On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze <r...@dopefish.de

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-09 Thread Ryan Schulze
Sounds like you may want to look into fine tuning your active response and/or rules. On 11/9/2015 10:11 PM, frwa onto wrote: Hi Santiago, I am just running as standalone so it's not a manager or agent. I have another machine, for instance, where I am using the older ossec 2.7.1 in

Re: [ossec-list] Re: Ossec agent error

2015-11-04 Thread Ryan Schulze
Are you sure you added the agent right on the master; why is there a netmask in the IP field (it should be 172.20.21.39, not 172.20.21.39/24)? On 11/4/2015 5:26 AM, Reinaldo Fernandes wrote: And this is my agent failure connection:

Re: [ossec-list] Re: Syslog from Debian to Ossec

2015-10-20 Thread Ryan Schulze
I've never seen DDP logs. Do you have an example of the logs from DDP that you expect OSSEC to decode and generate alerts for? Or have you tried feeding the logs into /var/ossec/bin/ossec-logtest yourself and seeing if OSSEC can decode them? I assume that if it is standard syslog format, you

Re: [ossec-list] Table agent empty

2015-10-01 Thread Ryan Schulze
agent-control -i can show you that information. On 10/1/2015 8:54 AM, Legolas Klaitxu wrote: I'm going to work with the database of ossec and it appears that the agent table from Ossec is empty. Using agent-control -l I've been able to insert into the database the id of different clients, the

Re: [ossec-list] Active Response - Skip Email

2015-09-28 Thread Ryan Schulze
Hmm, I haven't had problems with that in my environment. I have active responses set up that fire regardless of whether a mail was triggered or not. The configuration for emails and active responses are in different blocks and don't necessarily rely on the level of an alert to trigger (I prefer

Re: [ossec-list] testing server agent on vmware

2015-09-07 Thread Ryan Schulze
Have you checked /var/ossec/logs/alerts/alerts.log on the OSSEC server to see if there were any alerts that would have generated an email? And if yes, what were the logs from the MTA for those emails? On 9/7/2015 6:35 AM, Ramiz Ilyas wrote: Dear All, I have installed a virtual network on

Re: [ossec-list] How to purge/remove/delete data older than a specific date from within the database

2015-08-25 Thread Ryan Schulze
On a large deployment I wouldn't recommend doing the delete on the 'data' and 'alert' tables since that locks those tables during the operation (may take a while depending on the size of your tables). If this isn't an issue for you, then deleting is the easiest way to get rid of old data. We

Re: [ossec-list] Re: Email alerts below certain level

2015-08-11 Thread Ryan Schulze
On 8/11/2015 6:17 AM, C0rn123 wrote: On Tuesday, 11 August 2015 12:47:25 UTC+2, C0rn123 wrote: Hello, I want to turn off ANY emails below a certain alert level. Unfortunately the alert_by_email option in a lot of rules overwrites the minimum alert level set in the

Re: [ossec-list] email_idsname does not work (ossec-hids-server-2.8.1-48)

2015-08-04 Thread Ryan Schulze
I remember submitting that pull request for 2.8.0, so it should be in your 2.8.1 version (I didn't add any compile time options to deactivate it). Did you make sure that ossec-maild died when you restarted the ossec daemons (it may be an old process still delivering your mail that didn't pick

Re: [ossec-list] email_idsname does not work (ossec-hids-server-2.8.1-48)

2015-08-04 Thread Ryan Schulze
... Started ossec-logcollector... Started ossec-remoted... Started ossec-syscheckd... Started ossec-monitord... Completed. On Tuesday, August 4, 2015 at 3:15:22 PM UTC-6, Ryan Schulze wrote: I remember submitting that pull request for 2.8.0, so it should be in your 2.8.1 version (I didn't add

Re: [ossec-list] Ubuntu

2015-07-27 Thread Ryan Schulze
I had a look at the Makeall file, and if the header (dev) files for magic are found, it is compiled with libmagic, if they aren't found it isn't. So by default it does try to compile with libmagic, but if it can't find the required files to do so, it falls back to not using libmagic. On

Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-25 Thread Ryan Schulze
a command. On 7/25/2015 1:06 PM, theresa mic-snare wrote: Great, thanks for the bash script, Ryan. But what else to do after downloading the IP blocklist? How could I feed ossec with it? Maybe through an active-response? On Saturday, 25 July 2015 04:56:07 UTC+2, Ryan Schulze wrote: I played

Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-24 Thread Ryan Schulze
I played around with IP reputation and CDB a while back, but never pushed it to my live servers. I found the following bash snippet on my test server, it may be of use for someone (although the alienvault list is pretty long and contains different levels of evil may be worth parsing and

Re: [ossec-list] Re: Ubuntu

2015-07-21 Thread Ryan Schulze
I can verify the problem with Ubuntu 14.04. According to the syscheck docs libmagic is optionally used with report_changes (if found on the system). I haven't checked the source code yet to see what exactly the ramifications are, but according to the docs:

Re: [ossec-list] Error connecting database

2015-07-17 Thread Ryan Schulze
? I think sometimes it works properly but at other moments not :( On Thursday, 16 July 2015, 16:05:56 (UTC+2), Ryan Schulze wrote: You redacted the IP address in the ossec logs, so I'm assuming it is something other than 127.0.0.1? Because your

Re: [ossec-list] Error connecting database

2015-07-16 Thread Ryan Schulze
You redacted the IP address in the ossec logs, so I'm assuming it is something other than 127.0.0.1? Because your netstat shows that mysql is only bound to 127.0.0.1. On 7/16/2015 4:01 AM, Legolas Klaitxu wrote: Good Morning, I've started to work with ossec and reviewing the log I identify

Re: [ossec-list] Level 10 messages for whitelisted IPs

2015-06-11 Thread Ryan Schulze
You are right, srcip can't be comma separated, but you can use a cdb list, the full details about the cdb lists are here: http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html Your rule would look something like this: <rule id="100078" level="0"> <if_sid>5703,31161</if_sid>

Re: [ossec-list] Specific rules for specific agents

2015-03-30 Thread Ryan Schulze
Last time I checked the hostname format is "(agent name) agent IP->logfile" and is not determined by the decoded logs in the file. That means although you can use hostname to match specific log files (e.g. <hostname>/var/log/apache2/foobar.access.log</hostname>) you don't have to and can also use

Re: [ossec-list] import key on agent non interactive

2015-01-28 Thread Ryan Schulze
If you have the data for the agent's client.keys you can just write it directly to the file: echo 'key data' > /var/ossec/etc/client.keys It will be the same line as on the master. Works fine here (we use ansible for deployment and the client.keys is built on each host from a template) On

Re: [ossec-list] Re: Test script for ossec ids on apache logs?

2014-12-28 Thread Ryan Schulze
On 12/24/2014 2:54 PM, dan (ddp) wrote: On Dec 24, 2014 3:48 PM, Glenn Ford gmfpa...@gmail.com wrote: You are saying it's NOT working? Umm, so how do I proceed to figure out what's wrong? Remove the pure transfer decoder. Since 'pure-transfer' and

Re: [ossec-list] Automatically AgentRestarts

2014-07-18 Thread Ryan Schulze
You can set the cron up on the master and have it send a restart to all the connected agents with agent_control (quick & dirty would be something like for id in $(/var/ossec/bin/agent_control -lc|cut -d, -f1|cut -d: -f2); do /var/ossec/bin/agent_control -R ${id};done) On 7/18/2014 8:59 AM,

Re: [ossec-list] Ossec remoted not able to create pid in linux

2014-04-19 Thread Ryan Schulze
Does ossec-logtest -v spit out any problems? On 4/17/2014 5:36 AM, Ankit Singh wrote: Hi, I am restarting ossec and remoted is not starting up

Re: [ossec-list] ossec-maild tags

2014-03-14 Thread Ryan Schulze
Hi, We had a similar requirement here. I just added an additional option to the ossec.conf that gets added into the mail headers (X-IDS-OSSEC: $value) to be able to use that to sort the emails from the different masters. I currently don't have a patch file with only that change (for stupid

Re: [ossec-list] How to install without prompts

2014-02-15 Thread Ryan Schulze
I believe the file you are looking for is etc/preloaded-vars.conf, just fill out all the answers to the questions in that file and install.sh won't ask for them. On 2/11/2014 5:23 PM, David Montgomery wrote: Hi, Newbie trying to install agent and server. Will build my own chef recipes.

Re: [ossec-list] minor ossec issue

2014-02-15 Thread Ryan Schulze
IIRC if you delete the queue/rids/${AgentID} on the agent and master and restart ossec on both it should reset it. On 2/11/2014 6:47 PM, Eero Volotinen wrote: Hi List, I have some issues with ossec. My ossec server was down about week and after starting ossec server, all clients start to

Re: [ossec-list] breaking up ossec.conf into smaller files

2014-01-14 Thread Ryan Schulze
On 1/14/2014 10:54 AM, Darin Perusich wrote: Hello All, Is it possible to break the various ossec configuration options into individual files and include them in the main ossec.conf? Say I put syscheck opts into syscheck.xml, localfile opts in localfile.xml, etc. I'm not finding anything about

Re: [ossec-list] ignore alerts

2014-01-03 Thread Ryan Schulze
On 1/3/2014 10:15 AM, Rich Rumble wrote: On Thursday, January 2, 2014 6:13:55 PM UTC-5, dan (ddpbsd) wrote: On Thu, Jan 2, 2014 at 6:10 PM, dan (ddp) ddp...@gmail.com wrote: I'll have to jump on a computer later to test. Rules still do not belong on the agents.

Re: [ossec-list] Multiple email addresses for a single email_alert

2013-10-14 Thread Ryan Schulze
AFAIK not possible within OSSEC. If it's always the same people you could make a mailing list on your mailserver and send it to that. On 10/14/2013 2:08 PM, Lalbee99 wrote: When configuring email alerts is there any way to incorporate more than a single email address per email_alert. In

Re: [ossec-list] SSH taking too much time

2013-08-30 Thread Ryan Schulze
Do you have any active responses configured that would trigger (i.e. an unconditional active response for alerts level 7 or higher that is now active since you bumped 5715 to level 7)? On 8/30/2013 11:07 AM, sandeep dubey wrote: Forgot to mention that DNS has no issue at all. On Aug 30,

Re: [ossec-list] Ossec with mysql

2013-05-16 Thread Ryan Schulze
How many ossec master servers do you have sending data to the database? i.e. how many entries are there in the 'server' table? If you only have one master then all entries will have the same server_id. Also, a heads up if you have multiple master servers sending their data to the database:

Re: [ossec-list] Re: Error Unable to access ossec directory using ossec-wui

2013-05-13 Thread Ryan Schulze
Based on your ls output I'd say that the error message is occurring since Apache isn't allowed to access the directory. Did you add any ACLs to the directory to allow access that we aren't seeing here? Have you tried just su'ing to your apache user to see if it can access everything like it

Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-08 Thread Ryan Schulze
Even if I know where it is (and probably most other people following the list) I suspect anyone that is considering using OSSEC in a production environment will want to stick with the stable releases found on the official website. That seems like a flaw in their process. If they refuse to use

Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-07 Thread Ryan Schulze
On 3/7/2013 8:34 PM, dan (ddp) wrote: On Thu, Mar 7, 2013 at 4:55 PM, Joe Gedeon joe.ged...@gmail.com wrote: Yes, but a 2.7.1 has not been uploaded to the download site that corrects the issues. Latest release still downloads 2.6 even. Due to the bugs that have been corrected since 2.7 came

Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-07 Thread Ryan Schulze
On 3/7/2013 8:33 PM, dan (ddp) wrote: Make sure /bin/sh is bash and not dash. Actually the problem is that the script is using bash syntax even though it has /bin/sh as the shebang. The script should either be changed to only use sh syntax or use #!/bin/bash

Re: [ossec-list] Granular E-Mail alerts

2013-03-05 Thread Ryan Schulze
Hmm, there are various ways to accomplish this. Since you want alerts from a specific set of rules, I would suggest the following: add the rules you want to be notified of to an additional group and make sure they will trigger sending an email regardless of their level. Then just have ossec

Re: [ossec-list] Large ruleset causing ossec startup issues?

2013-02-19 Thread Ryan Schulze
Hi James, that sounds like quite a few new rules in that list. I've never had that many, so I can't say what side effects it may have. But after looking at the SANS document I would suggest shortening it down to one rule that uses CDB lists and looks like this (based off the rule template from

Re: [ossec-list] OSSEC-WUI SrcIP parsing question

2013-02-02 Thread Ryan Schulze
Hi Vilius, If you are using the OSSEC Web UI 0.3 download from ossec.net you may want to have a look at some of the patches here on the list. e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html The log format changed with version OSSEC 2.6 and broke some of the functionality of the Web

Re: [ossec-list] Re: Error with web-accesslog decoder logs with and certain IP addresses + .htaccess

2013-01-14 Thread Ryan Schulze
PM UTC-8, Ryan Schulze wrote: I stumbled across a weird phenomenon today. I noticed that some of my apache logs were being decoded as syslogs. As far as I can tell, if the 1st, 3rd and 4th octet of the IP are three-digit and the 2nd octet is two-digit

[ossec-list] Error with web-accesslog decoder logs with and certain IP addresses + .htaccess

2012-12-27 Thread Ryan Schulze
I stumbled across a weird phenomenon today. I noticed that some of my apache logs were being decoded as syslogs. As far as I can tell, if the 1st, 3rd and 4th octet of the IP are three-digit and the 2nd octet is two-digit AND apache logged a username (e.g. due to .htaccess) then ossec doesn't

Re: [ossec-list] ossec-syscheckd consumes more cpu space and make apache to down

2012-11-28 Thread Ryan Schulze
Are you sure your CPU is your bottleneck? How does it behave after tuning the syscheck options? On 11/28/2012 5:11 AM, Yesodha wrote: Hi, Can anyone respond to this ticket? Still I am facing this issue. Regards, Yesodha Prabhu On Wednesday, October 10, 2012 2:23:23 PM UTC+5:30, Yesodha wrote:

Re: [ossec-list] email alerts - alert levels

2012-10-24 Thread Ryan Schulze
Hi Chris, the email notification works like this: emails always get sent to the global email_to, and any granular email config is added as an additional recipient of the email. Our solution was to just set the global email_to to an email address that discards mail (like blackhole or devnull).

Re: [ossec-list] web attack returned code 200

2012-10-17 Thread Ryan Schulze
I'd strongly suggest avoiding any active responses on the web attack rules until you've tweaked them to fit your applications ;-) (and even then I'd really be careful since an attacker can use CSRF on a random site in the internet to cause a victim to send queries to your server that will

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Ryan Schulze
Can you do that again, but this time as /bin/sh -x register_rule.sh build ? On 8/22/2012 7:10 PM, Christopher Werby wrote: root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x register_rule.sh

Re: [ossec-list] firewall -- ossec via UDP 514 : WARN: Message from 10.5.4.1 not allowed.

2012-08-17 Thread Ryan Schulze
On 8/17/2012 1:17 PM, dan (ddp) wrote: Since you've installed OSSEC somewhere silly, [...] totally off-topic, but I always wondered why the default installation is in /var and not /opt ? Maybe it's just me (I started out with SunOS/Solaris and then transitioned to Linux later), but I prefer

Re: [ossec-list] Wrong time of notification

2012-07-20 Thread Ryan Schulze
Have you checked the timezone of your OSSEC Server? On 7/20/2012 7:51 AM, Dmitry wrote: I have the following notification: /OSSEC HIDS Notification./ /2012 Jul 16 *06:14:50* Received From: (srv-fl-bdc) 172.19.41.96-WinEvtLog Rule: 18110 fired (level 8) - User account enabled or created. Portion

Re: [ossec-list] Re: Error in message formating on OSSEC Wui

2012-06-25 Thread Ryan Schulze
On 6/25/2012 10:05 AM, dan (ddp) wrote: I think the WUI is currently so bad that encouraging its use does more harm than good. There are good alternatives for viewing logs, why would I thank someone for pushing a bad one? In that case it would be a good idea to have the WUI marked as

Re: [ossec-list] Re: Error in message formating on OSSEC Wui

2012-06-23 Thread Ryan Schulze
On 6/21/2012 2:47 PM, dan (ddp) wrote: I prefer a fix

Re: [ossec-list] Re: Error in message formating on OSSEC Wui

2012-06-22 Thread Ryan Schulze
On 6/21/2012 2:47 PM, dan (ddp) wrote: I prefer a fix or solution. I'm not a developer and not intended to be... Hire someone who knows PHP. WUI is junk. No one seems to be able to get it working properly. Aww WUI isn't that bad, considering the poor thing has to parse logfiles I find it