[ossec-list] Defcon 19

2011-08-05 Thread oscar schneider
Hey, anyone around here on DefCon and like to meet? Cheers, oscar

[ossec-list] Re: Can Ossec be configured to catch all upon no rule matched?

2010-08-18 Thread oscar schneider
Try putting a yes within the ... section of the ossec.conf of your server then restart. All log entries forwarded by the agents should then be stored in the /var/ossec/logs/archives subdirectory. Of course you have to make sure that the agents configuration includes the desired logfiles. Kind re

[ossec-list] Re: Using OSSEC to monitor OSSEC

2010-08-17 Thread oscar schneider
Regarding OSSEC monitoring: I also wrote a decoder for active responses being executed. To make it work, you have to configure ossec to monitor /var/ossec/logs/active- responses.log on agents and the server. ^Mo|^Di|^Mi|^Do|^Fr|^Sa|^So|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \d\d. \w\w\w \d\d:

[ossec-list] Re: Way to log all commands run after sudo'ing/su'ing [to "root"]

2010-08-17 Thread oscar schneider
Hey, OSSEC itself is not capable of logging commands after sudo'ing to root or similar. Actually it is not meant for logging itself but for log analysis. It only creates logs for the HIDS itself and alerts generated. Even with process monitoring, OSSEC itself does not create the output but runs a

Re: [ossec-list] Rule 31106

2010-03-19 Thread oscar schneider
Cf. the files in {$OSSECDIR}/rules/ There you will find an xml file called web_rules.xml Within that file you will find rule 31106: 31103, 31104, 31105 ^200 A web attack returned code 200 (success). attack, It states that if an event matches rule 31103-31105 (located in the

Re: [ossec-list] Alert fires at level 10 but doesn't active response

2010-03-18 Thread oscar schneider
Hey, Active Response runs only if a) the level of the matched rule is as high as the threshold for active response (see ossec.conf) b) the decoder can extract a source IP from the log entry You do not need to do any coding here. Just some XML descriptions. What alerts is ossec giving you for yo

Re: [ossec-list] Two match in the same rule

2010-03-18 Thread oscar schneider
Yes, this is possible. There already is a rule matching for "System Time Changed" in msauth_rules.xml. It has the rule id 18140 and looks for an id of 520 decoded in a log entry. If you want a rule with a severity of 10 for example that also matches "C:\Program Files\VMware\VMware Tools\VMwareServi

Re: [ossec-list] local rules with alternate active-response script?

2010-03-18 Thread oscar schneider
You need to do the following steps: 1. Copy your script to the active response dir of ossec. 2. Register your script as an active response within ossec.conf: myAR myAR.sh 3. Define the criteria for your new AR in ossec.conf: fmyAR local 11, 12
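Step 1 above assumes you already have a script to copy. What follows is an added example of such a script, written for this page and not taken from the poster or from OSSEC's own active-response/bin scripts. It assumes the calling convention OSSEC uses for every registered executable (five arguments: action "add" or "delete", user, source IP, alert id, rule id) and the hypothetical name myAR.py; the protected address ranges and the hosts.deny path are assumptions too. It does what the stock host-deny.sh does, with one addition a practitioner wants: srcip is text the decoder pulled out of a log line, so an attacker influences it, and the script runs as root, so the address is parsed strictly and never interpolated into a shell command.

```python
#!/usr/bin/env python3
"""myAR.py: hypothetical custom OSSEC active response (added example).

OSSEC runs the executable registered in <command> as
    myAR.py <action> <user> <srcip> <alert_id> <rule_id>
with <action> "add" when the alert fires and "delete" when the
configured <timeout> expires.
"""
import ipaddress
import os
import shutil
import sys
import time
from typing import List

# Assumption: never block these ranges, whatever the alert says.
# <white_list> in ossec.conf does the same job on the server side;
# the script should not depend on that being configured.
NEVER_BLOCK = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),  # assumed management network
]

DENY_FILE = "/etc/hosts.deny"  # assumed target, as for host-deny.sh


def validate_ip(raw: str) -> str:
    """Return srcip in canonical form, or raise ValueError.

    ipaddress accepts nothing but a bare address, so hostnames or shell
    metacharacters smuggled into a log line never reach the deny file;
    protected ranges are refused as well.
    """
    ip = ipaddress.ip_address(raw.strip())
    if any(ip in net for net in NEVER_BLOCK):
        raise ValueError(f"refusing to block protected address {ip}")
    return str(ip)


def update_deny(contents: str, action: str, srcip: str) -> str:
    """Pure core of the response: return the new deny-file contents.

    'add' is idempotent (an alert that fires twice adds one entry),
    'delete' removes every copy of the entry, anything else is an error.
    """
    entry = f"ALL: {validate_ip(srcip)}"
    lines: List[str] = [l for l in contents.splitlines() if l.strip()]
    if action == "add":
        if entry not in lines:
            lines.append(entry)
    elif action == "delete":
        lines = [l for l in lines if l != entry]
    else:
        raise ValueError(f"unknown action {action!r}")
    return "".join(l + "\n" for l in lines)


def apply_response(action: str, srcip: str, deny_file: str = DENY_FILE) -> str:
    """Rewrite deny_file atomically; returns the new contents."""
    try:
        with open(deny_file) as f:
            current = f.read()
    except FileNotFoundError:
        current = ""
    new = update_deny(current, action, srcip)
    tmp = deny_file + ".ossec-tmp"
    with open(tmp, "w") as f:
        f.write(new)
    try:
        shutil.copymode(deny_file, tmp)  # keep the original mode bits
    except FileNotFoundError:
        os.chmod(tmp, 0o644)
    os.replace(tmp, deny_file)  # tcpd never sees a half-written file
    return new


def main(argv: List[str]) -> int:
    if len(argv) != 6:
        sys.stderr.write(f"usage: {argv[0]} add|delete user srcip alert_id rule_id\n")
        return 2
    action, user, srcip, alert_id, rule_id = argv[1:]
    # Same "`date` $0 $1 $2 $3 $4 $5" line the stock scripts write, so a
    # decoder for active-responses.log covers this script as well.
    log_path = os.path.join(os.path.dirname(os.path.abspath(argv[0])),
                            "..", "active-responses.log")
    with open(log_path, "a") as log:
        log.write(f"{time.ctime()} {argv[0]} {action} {user} {srcip} "
                  f"{alert_id} {rule_id}\n")
    try:
        apply_response(action, srcip)
    except (ValueError, OSError) as exc:
        sys.stderr.write(f"{argv[0]}: {exc}\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Steps 2 and 3 then register it in ossec.conf: a command block naming the executable (myAR.py here) and expecting srcip, and an active-response block that refers to that command with a location and the level or rule ids that should trigger it; the server has to be restarted afterwards. Since the script runs with root privileges on whichever host the location points to, keep the argument validation even if a white list is configured on the server.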

Re: [ossec-list] Ghost machine showing up

2010-03-15 Thread oscar schneider
Hey, when removing an agent with manage_agents, it seems like the agent-info file stored in {ossecdir}/queue/agent-info/ will not be deleted. If you delete that file (in your case probably named "elvis-144.122.90.10") and refresh the WUI, the ghost should not show up anymore. KR, Oscar On Mon, M

Re: [ossec-list] OSSEC-agentless unable to access

2010-03-15 Thread oscar schneider
Hey, Disclaimer: I'm not really experienced with agentless. But I'd guess removing the hosts from the .passlist files and running register_host.sh for them again might help. On Mon, Mar 15, 2010 at 8:23 AM, Nino Ibrahim wrote: > Hello, > > I use OSSEC agentless to monitoring integrity of my VMw

Re: [ossec-list] File Integrity checks for /dev, /boot and hidden files with ossec

2010-03-15 Thread oscar schneider
Does OSSEC really miss out on hidden files? Can't test it right now, but that would be a serious problem imho. On Fri, Mar 12, 2010 at 7:38 PM, dan (ddp) wrote: > I imagine there might be difficulties with udev or devfs or whatever > linux is using now. Haven't tried it though. > > On Fri, Mar 1

[ossec-list] Conflicts when running ossec agents with different ip's from the same IP

2010-03-12 Thread oscar schneider
I had the following scenario today: A host (myPC) with a fixed IP (MAC address based DHCP) has two different operating systems installed, Windows XP and Linux (Kernel 2.6). I have one OSSEC server. I installed a Linux agent on myPC and registered it on the server with the name myPC-linux and id 00

Re: [ossec-list] Re: Local Rules

2010-03-11 Thread oscar schneider
ks, that helps a lot. The documentation on ossec is somewhat sparse, > it’s difficult to find this stuff out looking at the manual and the wiki. > > > -- > > *From:* ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] *On > Behalf Of

Re: [ossec-list] Centralized Agent Config Question

2010-03-11 Thread oscar schneider
It doesn't overwrite it as ddp said. There is an agent.conf file in each ossec agent's install dir under /etc/shared/. This file will be replaced every time the agent.conf on the server is changed with the updated one. However the ossec.conf located in /etc will remain unchanged. Every time you start

Re: [ossec-list] Re: Local Rules

2010-03-11 Thread oscar schneider
Hey, using program name is sufficient if you want to exclude about all snort logs that would match rule 1002. There is no extra option needed. Instead of you can also use snort or both (cf. decoders.xml if there is any other program_name affected by the snort decoder, if there isn't, decoded_as

Re: [ossec-list] Re: Local Rules

2010-03-11 Thread oscar schneider
'snort' *log:* 'Check for Bounce Attacks: YES alert: YES' As far as I know and in the rule matching step is only applied to the field predecoded as log. If I'm wrong about this, please let me know. On Thu, Mar 11, 2010 at 5:37 PM, oscar schneider wrote: &

Re: [ossec-list] Re: Inconsistent reports

2010-03-11 Thread oscar schneider
What are the permissions for the AlertList.php file and containing directories (ossec-wui/lib/Ossec and ossec-wui/lib)? On Thu, Mar 11, 2010 at 4:04 AM, Dave S wrote: > I'm seeing "output-tmp..." files in the ./tmp directory with current > date/time, so I assume that's not the issue. > > I consi

Re: [ossec-list] Re: immediately scan after new installed patchen

2010-03-09 Thread oscar schneider
I have a few more questions regarding admin triggered updates of files monitored by syscheck. What would be the "correct" procedure to update the syscheck database without getting alerts? Does syscheck_update create alerts or is it a tool that is designed for updating the syscheck db without aler

Re: [ossec-list] Centralized-config os determination

2010-03-09 Thread oscar schneider
I don't know how it is determined by OSSEC, but you can see what OS is running on an agent by running /var/ossec/bin/agent_control -i [agent id]. It will among other information output the agent's OS. On Mon, Mar 8, 2010 at 2:59 PM, Jason wrote: > I have a question about the centralized agent con

Re: [ossec-list] Local Rules Syntax

2010-03-08 Thread oscar schneider
> > > > I guess I still have the issue that snort01|snort02 is > not working for the second hostname (ie. alerts are being fired still.) > > > -- > > *From:* ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] *On > Behalf

Re: [ossec-list] Local Rules Syntax

2010-03-05 Thread oscar schneider
ar 2010, at 18:06, Jefferson, Shawn wrote: > > > > Hi, > > > > I have tried this, but unfortunately it doesn’t seem to work for the > “snort02” hostname (ie. I still get alerts from that machine, but not from > the snort01. > > > > Thanks, > > Shawn &g

Re: [ossec-list] Local Rules Syntax

2010-03-03 Thread oscar schneider
Hey, not sure at the moment but I think it should be snort01|snort02 instead. Kind regards, oscar On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn < shawn.jeffer...@bcferries.com> wrote: > Hi, > > I’m putting some local rules into the local_rules.xml file on the manager > (from what I’ve re

Re: [ossec-list] Local Rules

2010-03-03 Thread oscar schneider
Hi, you have to restart the server before the rule is recognized by the analysis engine. On Wed, Mar 3, 2010 at 8:35 AM, --[ UxBoD ]-- wrote: > Hi, > > If I add a local rule is the change instantaneous or does it require a > restart of the ossec ? > > -- > Thanks, Phil >

Re: [ossec-list] Checksums for integrity check

2010-02-26 Thread oscar schneider
It uses md5 and sha1, look at the following alert for example: Received From: ossec-server->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/etc/passwd-' Size changed from '1257' to '1369' Old *md5sum* was: 'bab476e083da

Re: [ossec-list] Re: PF support

2010-02-17 Thread oscar schneider
.9.52991 > 10.0.0.10.960: S, cksum 0x95e9, > 1947926839:1947926839(0) win 1024 > Feb 15 22:13:23 rtr-mel pf: 10 rule 153/0(match): block in on em4: > (tos 0x0, ttl 42, id 28324, offset 0, flags [none], proto TCP (6), > length 44) 172.24.0.9.52991 > 10.0.0.10.2111: S, cksum 0x

Re: [ossec-list] single mail reports

2010-02-12 Thread oscar schneider
Hi, I think the following should work to only receive one e-mail per hour for alerts of severity between 5 and 9: 1) Think about the minimal alert level that you would like to be emailed about within an hour. Default would be 7 in addition to the rules that have an alert_by_email tag, like e.g. r

Re: [ossec-list] Why ossec send a email ? Problem with alert

2010-02-12 Thread oscar schneider
Do you really get ALL alerts? The example Wim posted is not the only rule that has a level below 7 but regardless forces an e-mail alert; there are others, e.g. rule 1002. Make sure you really get e-mails for alerts triggered by rules that do not contain alert_by_email and have a severity lower

Re: [ossec-list] Re: Ossec '/var/ossec/queue/ossec/queue' not accessible:

2010-02-12 Thread oscar schneider
Even though you resolved the issue, could you please tell us what the faulty configuration was? On Thu, Feb 11, 2010 at 11:21 AM, Ozgur Ozdemircili < ozgur.ozdemirc...@gmail.com> wrote: > Hi mike, > > I did. It gave me the same output. While working on it I noticed the > problem disappears when I

Re: [ossec-list] PF support

2010-02-12 Thread oscar schneider
Hi, if you have a default ossec.conf with your e-mail address and smtp server configured correctly you should get an email if 16 drops occur in 45 seconds. Of course you also need to make sure that the firewall messages are passed to ossec, e.g. by configuring it in ossec.conf as localfile. To see

Re: [ossec-list] Problem with ossec as agent

2010-02-11 Thread oscar schneider
Hi, it seems like OSSEC is looking for the client.keys in /etc/ instead of /var/ossec/etc. Did you change anything in your ossec-init.conf or in the internal options? Or maybe the permissions for the client.keys somehow got messed up. Did you do your installation with the install.sh script? On

[ossec-list] OSSEC deployments in your network

2010-02-11 Thread oscar schneider
Hey OSSEC list, I would like to ask you a few questions about how OSSEC is deployed at your company. Of course the answers to these contain sensitive data, so I would already be very happy about vague answers if necessary. So here we go: 1) Do you deploy OSSEC only on servers or also on desktop

Re: [ossec-list] Block

2010-02-09 Thread oscar schneider
Hi, yes it does if you activated "Active Response" capabilities during installation, I think the default setting for that is "yes". Your ossec.conf should contain an active response section that looks like this (excerpt): host-deny host-deny.sh srcip yes host-

Re: [ossec-list] Re: Decoder problems

2010-02-09 Thread oscar schneider
went into your decoder. Try rewriting it. Apart from that I have no idea how to solve the problem. On Thu, Feb 4, 2010 at 3:46 PM, Gnowar wrote: > Damn, which version do you use ? > > I'm using v2.3 ! > > Any solution except a new installation of OSSEC ? > > Thanks ! &g

Re: [ossec-list] what does this mean?

2010-02-09 Thread oscar schneider
On my installation rule 11 alerts always look like this: 2010 Feb 07 11:25:11 Rule Id: 11 level: 4 Location: (hostname) host_ip->/var/log/logfile Excessive number of events (above normal). So there I can see which agent and which logfile is responsible

Re: [ossec-list] Decoder problems

2010-02-04 Thread oscar schneider
Hey, I copy/pasted your decoder into a test environment and ran ossec-logtest. Here it seems to work fine: 2010/02/04 14:36:05 ossec-testrule: INFO: Started (pid: 31105). ossec-testrule: Type one log per line. Feb 1 15:51:45 192.168.1.1 **Phase 1: Completed pre-decoding. full event: 'F

[ossec-list] Question regarding an entry in ossec.log

2010-01-27 Thread oscar schneider
Hey, can anybody tell me what the following line in ossec.log means: ossec-remoted: INFO: Event count after '2': 1393713->1465256 (105%) Kind regards, Oscar

Re: [ossec-list] Regex error with logtest, but ok with online regex validator. How to find the error ?

2010-01-13 Thread oscar schneider
Hi, You don't need an escape backslash in front of the slash in your decoder. Remove that on both of your "\/" combos in the decoders and it should work. Cf. http://www.ossec.net/wiki/Know_How:Regex_Readme Kind regards On Tue, Jan 12, 2010 at 11:52 AM, gilles loriquer wrote: > Hey, > > I'm tr

Re: [ossec-list] Web UI Install

2010-01-05 Thread oscar schneider
Hey, I believe the username and password hash are stored in the .htpasswd file to restrict access to the WUI to valid users. On Wed, Dec 23, 2009 at 9:23 PM, Bernard Golden wrote: > I'd like to do an automated install of the webui, but am stymied by > its requirement to have a user name and pass

[ossec-list] Re: MacOS X newbie with OSSEC installation problems

2009-12-20 Thread oscar schneider
de dev environment installed. Is > the SDK(s) installed? > > -Chuck > > On Thu, Dec 17, 2009 at 12:49 PM, oscar schneider > wrote: > > > Hi, > > > today I was asked to install an OSSEC agent on a MacBook with MacOS X, > > however it didn't go too well

[ossec-list] MacOS X newbie with OSSEC installation problems

2009-12-17 Thread oscar schneider
Hi, today I was asked to install an OSSEC agent on a MacBook with MacOS X, however it didn't go too well and after answering all questions the install.sh script asks I got the following error msgs. cc -c -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/lib/ossec\" -DCLIENT -DDarwin -DHIG

Re: [ossec-list] Rule: 20152 question as it relates to active response

2009-12-14 Thread oscar schneider
1. Check if the alert level is high enough to trigger active response -> check rule alert level and compare /var/ossec/etc/ossec.conf for the minimum alert level to trigger an active response (i think default is level="7" or "6") If the level of the rule is too low, you have 3 options. a) make a tr

[ossec-list] Re: Question regarding notifications about active response and centr. config

2009-12-11 Thread oscar schneider
Hey, I didn't find anything in the manual and made a clean server install where there is no option to choose to get emails about triggered active responses. Of course I have normal email notifications configured, and if you put the level you want to receive them on to the same as the one for the ex

[ossec-list] Re: WUI - Ossec Search Unable to Work

2009-12-11 Thread oscar schneider
wui search feature. On Dec 11, 3:20 pm, David Alanis wrote: > Quoting oscar schneider : > > > > > Hey, > > > I think the tmp/ subdir in the ossec dir should have "ossec" as group. > > The tmp/ dir in the folder where your webUI is located should have > > &

[ossec-list] Re: WUI - Ossec Search Unable to Work

2009-12-11 Thread oscar schneider
Hey, I think the tmp/ subdir in the ossec dir should have "ossec" as group. The tmp/ dir in the folder where your webUI is located should have "lighttpd" as group and have chmod 770. Maybe you just executed " 6- Fix the permissions for the tmp directory and restart Apache (for the new permissions

[ossec-list] Question regarding notifications about active response and centr. config

2009-12-11 Thread oscar schneider
Hi, I was wondering if there is a trivial way to send an email notification every time an active response is triggered? If there isn't I would start monitoring the {ossecdir}/logs/ar.log on the agents and server and write rules to give me an alert every time a line is appended to that file which wou
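This question and the later "Using OSSEC to monitor OSSEC" post above (the decoder whose prematch lists German and English day names) both come down to reading active-responses.log. The following is an added example, not the poster's decoder and not code from OSSEC: a stand-alone Python parser for that file that mirrors the prematch, so the same lines can be checked outside ossec-logtest. It assumes the line format OSSEC's stock active-response scripts write (the host's `date` output followed by script path, action, user, srcip, alert id, rule id); the sample lines are constructed for this example, and the locale mix is deliberate, since each agent logs in its own locale.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /var/ossec/logs/active-responses.log.  OSSEC's stock
# response scripts append "`date` $0 $1 $2 $3 $4 $5", so the prefix is the
# locale-dependent `date` output of each host: English "Mon Aug 16 ..." on
# one agent, German "Mo 16. Aug ..." on another, hence the two day-name
# sets in the decoder prematch quoted in the thread.  The last line is an
# unrelated daemon message and must be ignored.
SAMPLE_LOG = """\
Mon Aug 16 14:02:11 CEST 2010 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1281960131.4567 5712
Mo 16. Aug 14:12:11 CEST 2010 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1281960731.4590 5712
Mon Aug 16 14:12:11 CEST 2010 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.10 1281960131.4567 5712
2010/08/16 14:13:00 ossec-execd: INFO: Started (pid: 4242).
"""

LINE_RE = re.compile(
    r"^(?:Mo|Di|Mi|Do|Fr|Sa|So|Mon|Tue|Wed|Thu|Fri|Sat|Sun)\b"  # day name, German or English
    r".*?\d\d:\d\d:\d\d\s+(?:[A-Z]+\s+)?\d{4}\s+"                # time, optional zone, year
    r"(?P<script>\S+)\s+(?P<action>add|delete)\s+(?P<user>\S+)\s+"
    r"(?P<srcip>\S+)\s+(?P<alert_id>\d+\.\d+)\s+(?P<rule_id>\d+)\s*$"
)


@dataclass(frozen=True)
class ArEvent:
    """One executed active response, the fields a decoder would expose."""
    script: str
    action: str      # "add" when the alert fired, "delete" when the timeout expired
    user: str
    srcip: str
    alert_id: str
    rule_id: int


def parse_line(line: str) -> Optional[ArEvent]:
    """Decode one log line; None for lines that are not AR executions."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return ArEvent(m["script"], m["action"], m["user"], m["srcip"],
                   m["alert_id"], int(m["rule_id"]))


def parse_log(text: str) -> List[ArEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def open_blocks(events: List[ArEvent]) -> List[Tuple[str, str]]:
    """(script, srcip) pairs that were added but never deleted.

    With a <timeout> configured every add should be followed by a delete;
    a pair still listed here means the block is permanent, or the delete
    leg of the script failed and the host stays locked out.
    """
    active = {}
    for ev in events:
        key = (ev.script, ev.srcip)
        if ev.action == "add":
            active[key] = ev
        else:
            active.pop(key, None)
    return sorted(active)


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(f"{ev.action:6} {ev.srcip:15} rule {ev.rule_id} via {ev.script}")
    print("still blocked:", open_blocks(parse_log(SAMPLE_LOG)))
```

Feeding the parser the same lines you give ossec-logtest is a quick way to check that a prematch covers every locale your agents log in before the decoder goes on the server; the open_blocks check is the kind of condition worth its own rule, since a block whose delete never ran is exactly the case an e-mail per active response would otherwise be the only way to notice.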

Re: [ossec-list] ossec-control What function does the Jobs have?

2009-11-25 Thread oscar schneider
Hi, I'm not sure about this, but I think: ossec-monitored: ??? ossec-logcollector: is responsible for collecting changes in the logfiles specified in $OSSECDIR$/etc/ossec.conf ossec-remoted: is responsible for maintaining connections to remote devices (e.g. hosts with the ossec agent installed) o

[ossec-list] Re: Active Response Excludes

2009-09-17 Thread oscar schneider
Hi, find the id of the rule that is triggered when the child process dies and edit the ossecdir/rules/ftpd_rules.xml (where that rule probably is located) for the corresponding rule to a lower level, e.g. 4 (make sure it's lower than the level for the host_deny active response configured in your o

[ossec-list] Re: newbie doesn't understand an ossec.log entry

2009-09-16 Thread oscar schneider
Hi, I think since active response is available for both Windows and unix operating systems, the restart-ossec.cmd is only created on Win-Agents. However the ar.conf and the merged.mg in "$YOUR_OSSEC_DIR/etc/ shared" contain an entry for restart-ossec.cmd, maybe to keep these files platform indep

[ossec-list] Re: How can I find out if my Ossec-server gets remote syslogs?

2009-08-28 Thread oscar schneider
> > I think you need to setup the server itself to accept incoming syslog > messages. Refer to your syslogd's documentation on how to do that. > Check the log files on that server to see if anything's coming in from > those devices. But isn't that just a replacement for remote syslog? If I under

[ossec-list] How can I find out if my Ossec-server gets remote syslogs?

2009-08-24 Thread oscar schneider
Hi, how can I find out if my OSSEC server receives the syslogs from a network device which sends them? I added the following into my ossec.conf of the server: syslog (IP address of network device (port number) I had a look at http://www.ossec.net/wiki/index.php/Know_How:Syslog

[ossec-list] Requirements for a secure OSSEC server

2009-08-19 Thread oscar schneider
Hello, I want to perform an OSSEC server installation on a clean machine. I want the machine to be as secure as possible and prefer to install Debian as OS. Do any of you have some recommendations or hints I should follow for setting up the server? Kind Regards, Oscar