[ossec-list] Russian cyrillic
Hello,

Just set up a VM with OSSEC from the Virtual Appliance template and encountered a problem with monitoring Windows event logs. I set up a security audit for shares under Windows 2008 Server, and when OSSEC gets the log message I get the following output in Kibana:

    2015 Mar 27 12:50:42 WinEvtLog: Security: AUDIT_FAILURE(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: Hyper-V.domain.com: S-1-5-21-2832557239-2908104349-351431359-2274 e.zadora IAS 0x1c83c3ea0 File 192.168.8.6 56002 *\\HotSMS \\??\\C:\\Folders\\HotSMS \xC1\xE5\xEB\xFF\xEA\xEE\xE2 \xC5\xE2\xE3\xE5\xED\xE8\xE9\\+ Mars April\\9AA1D4E6.tmp 0xc0080 %%1539\r

It seems that logs are passed correctly but not displayed correctly when a path to a file contains symbols in Cyrillic. When I try to parse the OSSEC current log file with iconv and change the encoding from utf-8 to cp1251, the correct path in Cyrillic is displayed. So my key question is: how to make the path display correctly in Cyrillic within OSSEC and the Kibana web page.

--
---
You received this message because you are subscribed to the Google Groups ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
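As an added illustration (not from the thread, and not OSSEC code): the `\xHH` sequences in the line above are single bytes that the agent escaped because they were not ASCII, and the poster's iconv experiment shows they are Windows-1251 (cp1251). The script below undoes the escaping, decodes the bytes as cp1251 and pulls out the Cyrillic runs, which is the same transformation iconv performed, done on the OSSEC line as Kibana shows it. The sample line is a trimmed copy of the one in the post.

```python
# Added example (not from the original post): recover Cyrillic file paths from
# an OSSEC WinEvtLog line in which non-ASCII bytes were escaped as \xHH.
# The escaped bytes are Windows-1251 (cp1251), the legacy Russian code page,
# which is why the poster's iconv round-trip produced readable text.
import re

# Constructed sample: the share-access audit line from the post, trimmed to
# the fields around the file path.
SAMPLE_LINE = (
    r"WinEvtLog: Security: AUDIT_FAILURE(5145): Microsoft-Windows-Security-Auditing: "
    r"*\\HotSMS \\??\\C:\\Folders\\HotSMS "
    r"\xC1\xE5\xEB\xFF\xEA\xEE\xE2 \xC5\xE2\xE3\xE5\xED\xE8\xE9\\+ Mars April\\9AA1D4E6.tmp "
    r"0xc0080 %%1539"
)

# A literal backslash, the letter x and two hex digits, as written by the agent.
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_to_bytes(text: str) -> bytes:
    """Turn literal \\xHH escapes back into raw bytes; everything else in the
    line is ASCII and passes through unchanged."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("ascii")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("ascii")
    return bytes(out)


def decode_log_line(text: str, codepage: str = "cp1251") -> str:
    """Decode an escaped OSSEC line as the given Windows code page and return
    proper Unicode text (UTF-8 once written out, which is what Kibana wants)."""
    return unescape_to_bytes(text).decode(codepage)


def extract_cyrillic_runs(decoded: str) -> list:
    """Maximal runs of Cyrillic letters (U+0400..U+04FF) in a decoded line;
    handy for checking which path components the UI was mangling."""
    return re.findall(r"[\u0400-\u04FF]+", decoded)


if __name__ == "__main__":
    line = decode_log_line(SAMPLE_LINE)
    print(line)
    print(extract_cyrillic_runs(line))
```

The decoding only helps when the source code page is known; an agent on a host with a different ANSI code page would need that page passed as `codepage` instead.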
[ossec-list] Custom Rules for deeper registry monitoring
Hey Everyone,

Huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake. What we are looking to do is write two separate rules that achieve similar results; more specifically, we want to know when any change is made to the registry, or when any file is created/deleted on the host. I was looking at what is being monitored currently, and wondering if I put a rule in place that says "when HKLM\System changes, ALERT". Is this possible? I know it seems like a lot of information that would be rolling in, but we are just trying to see all of what we can do with OSSEC.

Please let me know if you can assist.

V/R,
Justin
Re: [ossec-list] Active Response in windows 2008
On Thu, May 14, 2015 at 10:59 AM, HMath <h.i.youss...@gmail.com> wrote:
> First, sorry for my English. I am new to OSSEC. What happened is I was trying some attacks on IIS on a Windows machine and alerts are generated in the OSSEC server. I had supposed that OSSEC would block the attacking IP for 600 seconds, but that did not happen, and when I did it manually with
>
>     /var/ossec/bin/agent_control -b 192.168.55.29 -f win_nullroute600 -u 002
>
> the IP is blocked. Can OSSEC do that automatically or not?

Are the rules you have listed in the AR configuration below actually being triggered? Are you getting alerts for them from those systems?

> My current configuration on the OSSEC server is:
>
>     ...
>     <global>
>       <white_list>127.0.0.1</white_list>
>       <white_list>^localhost.localdomain$</white_list>
>       <white_list>8.8.8.8</white_list>
>     </global>
>
>     <remote>
>       <connection>syslog</connection>
>     </remote>
>
>     <remote>
>       <connection>secure</connection>
>     </remote>
>
>     <alerts>
>       <log_alert_level>1</log_alert_level>
>       <email_alert_level>6</email_alert_level>
>     </alerts>
>
>     <command>
>       <name>host-deny</name>
>       <executable>host-deny.sh</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
>
>     <command>
>       <name>firewall-drop</name>
>       <executable>firewall-drop.sh</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
>
>     <command>
>       <name>disable-account</name>
>       <executable>disable-account.sh</executable>
>       <expect>user</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
>
>     <command>
>       <name>restart-ossec</name>
>       <executable>restart-ossec.sh</executable>
>       <expect></expect>
>     </command>
>
>     <command>
>       <name>route-null</name>
>       <executable>route-null.sh</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
>
>     <command>
>       <name>win_nullroute</name>
>       <executable>route-null.cmd</executable>
>       <expect>srcip</expect>
>       <timeout_allowed>yes</timeout_allowed>
>     </command>
>
>     <!-- Active Response Config -->
>     <active-response>
>       <!-- This response is going to execute the host-deny
>          - command for every event that fires a rule with
>          - level (severity) >= 6.
>          - The IP is going to be blocked for 600 seconds.
>         -->
>       <command>host-deny</command>
>       <location>local</location>
>       <level>6</level>
>       <timeout>600</timeout>
>     </active-response>
>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <active-response>
>       <command>firewall-drop</command>
>       <location>local</location>
>       <rules_id>5551,5701,5703,5705,5706,5707,5712,5714,5719,5720,5731,31151,30101,30102,30105,30106,30107,30108,30109,30110,30112,30116,
>         11402,11403,11404,11451,11452,9501,9505,9510,9551,50106,50108,50120,50126,50180,31411,
>         31103,31104,31105,31106,31110,31109,31115,31151,31152,31153,31154,31161,31162,31163,31164,31165,31501,31502,31503,31504,31505,
>         31506,31507,31508,31510,31511,31512,31513,31514,31515,31516,31533,31550</rules_id>
>       <timeout>600</timeout>
>     </active-response>
>
>     <active-response>
>       <command>win_nullroute</command>
>       <location>local</location>
>       <rules_id>11510,11511,11512,3851,3852,31501,31502,31503,31504,31505,18110,18111,18112,18113,18115,18116,18117,18118,18128,18129,18134,18138,
>         18141,18143,18144,18217,18219,18222,18225,18227,18228,18229,18230,18231,18232,18234,18235,18236,18237,18238,18239,18240,18241,18242,
>         18243,18244,18245,18246,18247,18248,18249,18250,18251,18252,18253,18254,18255,18256,18170,18171,18172,18151,18152,18153,18154,18155,
>         18156,50106,50108,50120,50126,50180,31411,9505,9510,9551,14151,5631,
>         31506,31507,31508,31510,31511,31512,31513,31514,31515,31516,31533,31550,
>         31103,31104,31105,31106,31110,31109,31115,31151,31152,31153,31154,31161,31162,31163,31164,31165</rules_id>
>       <timeout>600</timeout>
>     </active-response>
>
> On Thursday, May 14, 2015 at 4:43:16 PM UTC+2, dan (ddpbsd) wrote:
> > On Thu, May 14, 2015 at 10:22 AM, HMath <h.i.yo...@gmail.com> wrote:
> > > Hi all, I have an OSSEC manager running on CentOS and two agents, one of them running on Windows 2008. The active response works fine on the CentOS agent, but on the Windows server it does not work automatically and works fine manually. I hope to figure out the problem.
> >
> > Can you provide any details? What isn't working? What is happening? What do you expect to happen? What is your current configuration?
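Dan's question ("are those rules actually being triggered?") is the first thing to settle, because an active response only runs when an alert satisfies the conditions of one of the `<active-response>` blocks. The checker below is an added example, not OSSEC code: it reads the `<active-response>` blocks from a config string and reports which commands would fire for a given rule id and level. It treats every condition present in a block as required (a block with both `<level>` and `<rules_id>` needs both to match), which is my understanding of analysisd's behaviour, and it ignores `<location>`, which only says where the command runs (`local` means on the agent that raised the alert). The config is a trimmed, constructed copy of the blocks quoted above; a real ossec.conf can contain several top-level `<ossec_config>` elements, so wrap the file in one extra root before handing it to an XML parser.

```python
# Added example, not from the thread or from OSSEC: decide which
# <active-response> blocks in an ossec.conf would fire for a given alert.
# Assumption (my reading of OSSEC): every condition present in a block
# (<level>, <rules_id>) must hold; <location> is where the command runs.
import xml.etree.ElementTree as ET

# Constructed config: a trimmed copy of the blocks quoted in the thread.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5551,5701,5703,31151,31501,31502</rules_id>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <rules_id>11510,11511,11512,31501,31502,31503,18110,18111</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def load_responses(conf_xml: str) -> list:
    """Return one dict per <active-response> block (a real ossec.conf may
    hold several <ossec_config> roots; wrap it in one extra root first)."""
    root = ET.fromstring(conf_xml)
    out = []
    for ar in root.iter("active-response"):
        ids_text = ar.findtext("rules_id") or ""
        level = ar.findtext("level")
        out.append({
            "command": ar.findtext("command"),
            "location": ar.findtext("location"),
            "level": int(level) if level else None,
            "rules_id": {t.strip() for t in ids_text.split(",") if t.strip()},
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return out


def matching_responses(responses: list, rule_id: str, level: int) -> list:
    """Names of the commands that fire for an alert with this rule id and level."""
    fired = []
    for ar in responses:
        if ar["level"] is not None and level < ar["level"]:
            continue  # alert not severe enough for this block
        if ar["rules_id"] and rule_id not in ar["rules_id"]:
            continue  # block is restricted to rule ids that do not include this one
        fired.append(ar["command"])
    return fired


def responses_for(conf_xml: str, rule_id: str, level: int) -> list:
    return matching_responses(load_responses(conf_xml), rule_id, level)


if __name__ == "__main__":
    # A web-attack rule at level 6 would fire host-deny plus any block listing it.
    print(responses_for(SAMPLE_CONF, "31501", 6))
```

If the rule you see in alerts.log is not in any `<rules_id>` list and its level is below every `<level>` threshold, no response will run and the next step is to adjust the config rather than debug the agent.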
Re: [ossec-list] Re: OSSEC + CIS benchmark tests
On Tue, May 12, 2015 at 6:57 PM, autodidactic <theoriginalg...@gmail.com> wrote:
> Are there any updates to this feature or documentation about it? I see very raw documentation in the sample CIS benchmark policy audit files, but it leaves me guessing about some of it. I want to write the policy for the newer CIS benchmarks for EL6 and EL7... any help or pointers to where I can learn more would be helpful...

I haven't written anything about it, and I haven't looked into it enough to know the answers.

> Also, I'm not sure how to implement a permissions check via this system. Is it possible, or perhaps it is not?
>
> On Thursday, July 10, 2008 at 12:43:36 PM UTC-7, Daniel Cid wrote:
> > Hi list,
> >
> > I just posted in my blog about the new support for CIS benchmarks on OSSEC and I want to hear the feedback anyone may have.
> > Link: http://www.ossec.net/dcid/?p=137
> >
> > We just included support in the OSSEC Policy monitor to audit if a system is in compliance with the CIS Security Benchmarks (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are supported - the other versions will be soon).
> >
> > If you want to try it out manually and provide some feedback to us, please follow the instructions below to test. First, grab the latest CVS snapshot and compile it (it will be included on v1.6 and above):
> >
> >     # wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
> >     # tar -zxvf ossec-hids-080710.tar.gz
> >     # cd ossec-hids-080710/src/
> >     # make clean
> >     # make libs
> >     # cd rootcheck
> >     # make binary
> >
> > The binary ossec-rootcheck will be created in the current directory and we can start using it. A simple scan on my Ubuntu box looked like this (note that it will do all the normal rootcheck tests plus the CIS scans -- just grep for CIS if you don't want to see the rest):
> >
> >     # ./ossec-rootcheck
> >     ..
> >     [INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled. File: /etc/default/sysstat. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled. File: /etc/init.d/squid. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     [INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> >     ..
> >
> > Anyone here using CIS (or FDCC)? As always, feedback and suggestions are welcome.
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
[ossec-list] Re: ossec-agent installation process automatization on windows
It should be enough, sir. Each agent needs its own key, but once the agent has the key and checks in with the server, it will pick up any custom configurations.

All the best

On Thursday, May 14, 2015 at 7:02:32 PM UTC-4, Daniil Svetlov wrote:
> Hi! I'm trying to update the ossec-agent key on Windows via the CLI. I have found that wingui just does a base64 decode of the key received from the server and writes it to the file ossec.keys. If I repeat the same manually, is it enough for the agent to function? Or am I missing something?
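For anyone scripting that step, here is an added example (mine, not from the thread and not OSSEC's own tooling) of what the GUI does with the exported key: base64-decode it, check that the plaintext has the `ID NAME IP KEY` layout that manage_agents exports, and write that line into ossec.keys, replacing an older line for the same agent id. The agent id, name and 64-hex-character key below are constructed; validating before writing means a key that was truncated or pasted with stray characters is rejected rather than silently installed.

```python
# Added example (not OSSEC's own code): replicate what the Windows agent
# manager GUI does with an exported key, per the thread: base64-decode it and
# write the plaintext line to ossec.keys. The "ID NAME IP KEY" layout is the
# manage_agents export format; the concrete values here are constructed.
import base64
import re
from pathlib import Path

# Constructed sample: what manage_agents base64-encodes when exporting a key.
# The 64-hex-character key is fabricated for the demo.
SAMPLE_PLAIN = "002 winhost01 any " + "ab12" * 16
SAMPLE_EXPORT = base64.b64encode(SAMPLE_PLAIN.encode()).decode()

# Assumption: ids are numeric, names/IPs contain no spaces, keys are 64 hex chars
# (manage_agents generates keys of that length).
_KEY_RE = re.compile(
    r"^(?P<id>\d{3,}) (?P<name>\S+) (?P<ip>\S+) (?P<key>[0-9a-fA-F]{64})$"
)


def parse_agent_key(exported: str) -> dict:
    """Decode a manage_agents export string and validate its four fields.
    Raises ValueError for anything that does not look like a key line."""
    try:
        plain = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not a base64 agent key: {exc}") from exc
    m = _KEY_RE.match(plain.strip())
    if not m:
        raise ValueError("decoded key is not 'ID NAME IP KEY'")
    return m.groupdict()


def is_valid_agent_key(exported: str) -> bool:
    try:
        parse_agent_key(exported)
        return True
    except ValueError:
        return False


def keys_line(fields: dict) -> str:
    """The line as it belongs in ossec.keys."""
    return f"{fields['id']} {fields['name']} {fields['ip']} {fields['key']}"


def install_key(exported: str, keys_path: Path) -> dict:
    """Write (or replace) the decoded key line in keys_path, keeping lines for
    other agent ids. Mirrors the GUI behaviour the thread describes; the agent
    still has to be restarted afterwards to pick the key up."""
    fields = parse_agent_key(exported)
    existing = keys_path.read_text().splitlines() if keys_path.exists() else []
    kept = [line for line in existing if not line.startswith(fields["id"] + " ")]
    kept.append(keys_line(fields))
    keys_path.write_text("\n".join(kept) + "\n")
    return fields


if __name__ == "__main__":
    print(parse_agent_key(SAMPLE_EXPORT))
```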
[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related
Have you run a tcpdump or ngrep on the server to ensure packets are arriving on UDP port 1514? When the agent is initially restarted it begins a new dialog with the server and you should be able to see that on the wire.

On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote:
> I have OSSEC 2.8.1 server installed on CentOS 7. I have OSSEC 2.8.1 agent installed on a separate CentOS 6 box. The agent cannot connect to the server and I do not understand why. When the agent starts, I see this in the logs:
>
>     2015/05/14 15:35:11 ossec-agentd: INFO: Trying to connect to server (192.168.2.4:1514).
>     2015/05/14 15:35:11 ossec-agentd: INFO: Using IPv4 for: 192.168.2.4 .
>     2015/05/14 15:35:32 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.2.4'.
>
> The server ossec.log shows absolutely nothing while the agent is attempting to connect. This would lead me to believe it's a firewall (or general connectivity) problem. However, I can connect to the server machine from the agent machine just fine using netcat, e.g.
>
>     nc -uv 192.168.2.4 1514
>
> If I type random things into the server after connecting with netcat, I get the expected log entries on the server:
>
>     2015/05/15 15:39:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.2.3'.
>
> So far as I can tell, the agent machine has connectivity to UDP 1514 on the server machine, except ossec-agentd does not.
[ossec-list] Re: Custom Rules for deeper registry monitoring
You'll want to test this yourself, but you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to view config. Then you can just change the configuration file and save it, restart the agent and wait for results.

It seems like it would be possible to put a rule for alerts on changes to HKLM\System. But quite frankly, you're going to be inundated with many alerts that may not be valuable. I've seen evidence of this when performing system comparisons for MSI creation of before/after an installation. Windows makes lots of tiny changes to the registry and the file system, even when it's idle.

As for file system monitoring, I think you would be better served by turning on auditing and applying an audit policy to the file system. Set the server to log all and then only pull alerts on sensitive areas of your computer. You may find historical value in archiving all the changes to the OSSEC system for future review.

You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. This can help you monitor executable processes on your Windows system. Good stuff!

On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
> Hey Everyone,
>
> Huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake. What we are looking to do is write two separate rules that achieve similar results; more specifically, we want to know when any change is made to the registry, or when any file is created/deleted on the host. I was looking at what is being monitored currently, and wondering if I put a rule in place that says "when HKLM\System changes, ALERT". Is this possible? I know it seems like a lot of information that would be rolling in, but we are just trying to see all of what we can do with OSSEC.
>
> Please let me know if you can assist.
>
> V/R,
> Justin
Re: [ossec-list] Re: OSSEC + CIS benchmark tests
On May 15, 2015 5:27 PM, The O.G. <theoriginalg...@gmail.com> wrote:
> So, does that mean the best way to understand how the system policy audit works is to basically read the source code in the rootcheck system?

It simply means I cannot answer many questions about it. Reading the source is one way to get a better understanding. Someone with more knowledge about the topic answering is another way. I will definitely add this to my (not) short list of things to dig into though.

> On Fri, May 15, 2015 at 5:04 AM, dan (ddp) <ddp...@gmail.com> wrote:
> > On Tue, May 12, 2015 at 6:57 PM, autodidactic <theoriginalg...@gmail.com> wrote:
> > > Are there any updates to this feature or documentation about it? I see very raw documentation in the sample CIS benchmark policy audit files, but it leaves me guessing about some of it. I want to write the policy for the newer CIS benchmarks for EL6 and EL7... any help or pointers to where I can learn more would be helpful...
> >
> > I haven't written anything about it, and I haven't looked into it enough to know the answers.
> >
> > > Also, I'm not sure how to implement a permissions check via this system. Is it possible, or perhaps it is not?
> > >
> > > On Thursday, July 10, 2008 at 12:43:36 PM UTC-7, Daniel Cid wrote:
> > > > Hi list,
> > > >
> > > > I just posted in my blog about the new support for CIS benchmarks on OSSEC and I want to hear the feedback anyone may have.
> > > > Link: http://www.ossec.net/dcid/?p=137
> > > >
> > > > We just included support in the OSSEC Policy monitor to audit if a system is in compliance with the CIS Security Benchmarks (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are supported - the other versions will be soon).
> > > >
> > > > If you want to try it out manually and provide some feedback to us, please follow the instructions below to test. First, grab the latest CVS snapshot and compile it (it will be included on v1.6 and above):
> > > >
> > > >     # wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
> > > >     # tar -zxvf ossec-hids-080710.tar.gz
> > > >     # cd ossec-hids-080710/src/
> > > >     # make clean
> > > >     # make libs
> > > >     # cd rootcheck
> > > >     # make binary
> > > >
> > > > The binary ossec-rootcheck will be created in the current directory and we can start using it. A simple scan on my Ubuntu box looked like this (note that it will do all the normal rootcheck tests plus the CIS scans -- just grep for CIS if you don't want to see the rest):
> > > >
> > > >     # ./ossec-rootcheck
> > > >     ..
> > > >     [INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled. File: /etc/default/sysstat. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled. File: /etc/init.d/squid. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     [INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
> > > >     ..
> > > >
> > > > Anyone here using CIS (or FDCC)? As always, feedback and suggestions are welcome.
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid ( at ) ossec.net
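Since the rootcheck output quoted in both CIS threads above is the only documentation of the format the original poster has, here is an added example (mine, not OSSEC's code) that turns those lines into structured findings: benchmark section number, finding text, the file the check looked at and the reference URL, grouped by file. The sample input is a constructed subset of the lines Daniel posted; lines that are not CIS audit lines (the rest of rootcheck's output) are skipped.

```python
# Added example (not from OSSEC): parse the "[INFO]: System Audit: CIS - ..."
# lines that ossec-rootcheck prints into structured findings, so a scan can
# be diffed or tracked instead of read by eye.
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from Daniel's post, as the scanner
# prints them (one finding per line).
SAMPLE_OUTPUT = """\
[INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
"""

# Whole line: title, checked file, reference URL (trailing " ." as printed).
LINE_RE = re.compile(
    r"^\[INFO\]: System Audit: CIS - (?P<title>.+?)\. File: (?P<file>\S+)\. "
    r"Reference: (?P<ref>\S+) ?\.$"
)
# Title of a finding: "<OS> <section> - <finding>". The first line of a scan
# ("Testing against ... Benchmark v1.0") has no section and is the header.
TITLE_RE = re.compile(r"^(?P<os>.+?) (?P<section>\d+(?:\.\d+)*) - (?P<finding>.+)$")


def parse_rootcheck_output(text: str):
    """Return (benchmark_header, findings). Non-CIS lines are ignored."""
    benchmark = None
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # normal rootcheck output, not a CIS audit line
        t = TITLE_RE.match(m.group("title"))
        if not t:
            benchmark = m.group("title")  # header line naming the benchmark
            continue
        findings.append({
            "os": t.group("os"),
            "section": t.group("section"),
            "finding": t.group("finding"),
            "file": m.group("file"),
            "reference": m.group("ref"),
        })
    return benchmark, findings


def findings_by_file(findings: list) -> dict:
    """Map each checked file to the benchmark sections that flagged it."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["file"]].append(f["section"])
    return dict(grouped)


if __name__ == "__main__":
    header, found = parse_rootcheck_output(SAMPLE_OUTPUT)
    print(header)
    for f in found:
        print(f"{f['section']:>5}  {f['file']:<24} {f['finding']}")
    print(findings_by_file(found))
```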
Re: [ossec-list] host specific rules
Hi Sebastian, not sure what could be the problem here. Did you figure it out?

Best

On Wed, May 13, 2015 at 7:21 AM, skotthof <sebastian.kotth...@rz.uni-mannheim.de> wrote:
> OK, thank you. I checked how to use CDBs now; it seems this is really what I need. Really cool!
>
> Nevertheless, now I ran into this issue: https://github.com/ossec/ossec-hids/issues/147 )-;
>
> I extended sshd rule 5710 with an own rule:
>
>     <group name="syslog,sshd,">
>       <rule id="2" level="5">
>         <if_sid>5710</if_sid>
>         <!--<if_matched_sid>5710</if_matched_sid> -->
>         <!--<same_source_ip /> -->
>         <list field="hostname">lists/testhosts.list</list>
>         <description>Attempt to login using a non-existent user</description>
>       </rule>
>     </group>
>
> Because I'm not sure what hostname is at the moment, I put everything in my lists/testhosts.list:
>
>     IP_ADDRESS->/var/log/auth.log: test
>     IP_ADDRESS: test
>     HOST: test
>     FQDN: test
>
> When I run ossec-logtest as the ossec user or root, it seems to work:
>
>     ---
>     ...
>     /opt/ossec# sudo -u ossec ./bin/ossec-logtest
>     2015/05/13 16:07:20 ossec-testrule: INFO: Reading local decoder file.
>     2015/05/13 16:07:20 ossec-testrule: INFO: Reading the lists file: 'lists/testhosts.list'
>     2015/05/13 16:07:20 ossec-testrule: INFO: Started (pid: 3095).
>     ossec-testrule: Type one log per line.
>
>     May 13 15:52:53 delft sshd[16328]: Failed password for invalid user test11 from XX.XX.XX.XX port 38981 ssh2
>
>     **Phase 1: Completed pre-decoding.
>            full event: 'May 13 15:52:53 delft sshd[16328]: Failed password for invalid user test11 from XX.XX.XX.XX port 38981 ssh2'
>            hostname: 'delft'
>            program_name: 'sshd'
>            log: 'Failed password for invalid user test11 from XX.XX.XX.XX port 38981 ssh2'
>
>     **Phase 2: Completed decoding.
>            decoder: 'sshd'
>            srcip: 'XX.XX.XX.XX'
>
>     **Phase 3: Completed filtering (rules).
>            Rule id: '2'
>            Level: '5'
>            Description: 'Attempt to login using a non-existent user'
>     **Alert to be generated.
>     ---
>
> So my rule with id 2000 seems to generate an alert. But when I check logs/alerts/alerts.log and try to log in for real, I get:
>
>     ---
>     ** Alert 1431526211.28025: - syslog,sshd,invalid_login,authentication_failed,
>     2015 May 13 16:10:11 (delft.DOMAIN) XX.XX.XX.XX->/var/log/auth.log
>     Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
>     Src IP: XX.XX.XX.XX
>     May 13 16:10:11 delft sshd[17432]: Invalid user test11 from XX.XX.XX.XX
>
>     ** Alert 1431526213.28360: - syslog,access_control,authentication_failed,
>     2015 May 13 16:10:13 (delft.DOMAIN) XX.XX.XX.XX->/var/log/auth.log
>     Rule: 2501 (level 5) -> 'User authentication failure.'
>     Src IP: ede.DOMAIN
>     May 13 16:10:12 delft sshd[17432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ede.DOMAIN
>
>     ** Alert 1431526215.28773: - syslog,sshd,invalid_login,authentication_failed,
>     2015 May 13 16:10:15 (delft.DOMAIN) XX.XX.XX.XX->/var/log/auth.log
>     Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
>     Src IP: XX.XX.XX.XX
>     May 13 16:10:14 delft sshd[17432]: Failed password for invalid user test11 from XX.XX.XX.XX port 39052 ssh2
>     ---
>
> Here the 5710 is alerting.
>
> PS: My OSSEC is located under /opt/ossec and yes, I have a hybrid server (server + local agent + one remote agent) if this is important. The ssh tests I run with the remote agent. I restarted OSSEC on both machines several times.
>
> Sebastian
>
> On Tue, May 12, 2015 at 10:26:21AM -0700, Santiago Bassett wrote:
> > You could probably use CDB lists in the rules
> >
> > On Tue, May 12, 2015 at 8:34 AM, skotthof <sebastian.kotth...@rz.uni-mannheim.de> wrote:
> > > Hi, okay thanks. I have tested this by changing a rule for ssh login:
> > >
> > >     <rule id="5710" level="5">
> > >       <if_sid>5700</if_sid>
> > >       <match>illegal user|invalid user</match>
> > >       <hostname>IP_ADDRESS_1->/var/log/auth.log</hostname>
> > >       <hostname>IP_ADDRESS_1->/var/log/auth.log</hostname>
> > >       <description>Attempt to login using a non-existent user</description>
> > >       <group>invalid_login,authentication_failed,</group>
> > >     </rule>
> > >
> > > Unfortunately it is not possible to put multiple hostname lines like in the example. The last one overrides the others. So I would have to create multiple versions of that rule with different IDs, for every agent. Then there will be the problem that I will also need multiple rules where <if_matched_sid>5710</if_matched_sid> is defined. This is all concerning ossec-analysisd, right? I think multiple hostnames will depend on the type of the hostname variable in src/analysisd/rules.h:
> > >
> > >     typedef struct _RuleInfo {
> > >         ...
> > >         OSMatch *hostname;
> > >         ...
> > >
> > > I think at the moment this is only one single hostname (src/os_regex/os_regex.h). So any
[ossec-list] Re: Custom Rules for deeper registry monitoring
Hi Brent,

I appreciate the response, and it seems like the way forward for the Registry Monitoring portion. I will test it out and let you know how it works. I understand it is going to generate a lot of stuff, but I am just testing it right now and need to figure out a few things, and it will help. Once full-blown implementation is upon us, I will adjust as needed.

As for the Auditing portion, I like the idea, but I'm not sure where to turn on that function. Just so you are aware, I am running the OSSEC OVF against Windows hosts currently. Could I do something like this:

    <syscheck>
      <directories check_all="yes">C:,D:</directories>
    </syscheck>

Or are you talking about another feature I have yet to stumble across? I am also not sure if this is the correct syntax, or if I need to put in special characters like you would for something like a PCRE rule.

Thanks again for the help, I really appreciate it.

Justin

On Friday, May 15, 2015 at 12:20:51 PM UTC-4, Brent Morris wrote:
> You'll want to test this yourself, but you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to view config. Then you can just change the configuration file and save it, restart the agent and wait for results.
>
> It seems like it would be possible to put a rule for alerts on changes to HKLM\System. But quite frankly, you're going to be inundated with many alerts that may not be valuable. I've seen evidence of this when performing system comparisons for MSI creation of before/after an installation. Windows makes lots of tiny changes to the registry and the file system, even when it's idle.
>
> As for file system monitoring, I think you would be better served by turning on auditing and applying an audit policy to the file system. Set the server to log all and then only pull alerts on sensitive areas of your computer. You may find historical value in archiving all the changes to the OSSEC system for future review.
>
> You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. This can help you monitor executable processes on your Windows system. Good stuff!
>
> On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
> > Hey Everyone,
> >
> > Huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake. What we are looking to do is write two separate rules that achieve similar results; more specifically, we want to know when any change is made to the registry, or when any file is created/deleted on the host. I was looking at what is being monitored currently, and wondering if I put a rule in place that says "when HKLM\System changes, ALERT". Is this possible? I know it seems like a lot of information that would be rolling in, but we are just trying to see all of what we can do with OSSEC.
> >
> > Please let me know if you can assist.
> >
> > V/R,
> > Justin
[ossec-list] Re: Custom Rules for deeper registry monitoring
Syscheck only runs on intervals, and will have some limitations in a 64 bit environment. Please see the issue below.

https://github.com/ossec/ossec-hids/issues/301

Another way to accomplish your goal would be to turn on auditing on the Windows computer. This is either done through Group Policy or Local Policy. Enable Audit Object Access for success and failure. Then open the properties of the folder you want to monitor: Security tab, Advanced, Advanced Security Settings, Auditing tab, and add the users/groups you want to audit. The OSSEC agent will pass the audit logs to the manager in real-time.

You can try those syscheck settings you mentioned. I'd be interested to hear your results!

On Friday, May 15, 2015 at 1:04:23 PM UTC-7, Justin Hazard wrote:
> Hi Brent,
>
> I appreciate the response, and it seems like the way forward for the Registry Monitoring portion. I will test it out, and let you know how it works. I understand it is going to generate a lot of stuff, but I am just testing it right now, and need to figure out a few things, and it will help. Once full blown implementation is upon us, I will adjust as needed.
>
> As for the Auditing portion, I like the idea, but not sure where to turn on that function. Just so you are aware, I am running OSSEC OVF against Windows hosts currently. Could I do something like this:
>
>     <syscheck>
>       <directories check_all="yes">C:,D:</directories>
>     </syscheck>
>
> Or, are you talking about another feature I have yet to stumble across? I also am not sure if this is the correct syntax, or if I need to put in special characters like you would for something like a PCRE rule.
>
> Thanks again for the help, I really appreciate it.
>
> Justin
>
> On Friday, May 15, 2015 at 12:20:51 PM UTC-4, Brent Morris wrote:
>> You'll want to test this yourself. But you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to view config. Then you can just change the configuration file and save it, restart the agent and wait for results.
>>
>> It seems like it would be possible to put a rule for alerts to changes to HKLM\System. But quite frankly, you're going to be inundated with many alerts that may not be valuable. I've seen evidence of this when performing system comparisons for MSI creation of before/after an installation. Windows makes lots of tiny changes to the registry and the file system, even when it's idle.
>>
>> As for file system monitoring, I think you would be better served by turning on auditing and applying an audit policy to the file system. Set the server to log all and then only pull alerts on sensitive areas of your computer. You may find historical value in archiving all the changes to the OSSEC system for future review.
>>
>> You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. This can help you monitor executable processes on your Windows system. Good stuff!
>>
>> On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
>>> Hey Everyone,
>>>
>>> Huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake. What we are looking to do is to write two separate rules that achieve similar results, and more specifically we want to know when any change is created to the registry, or when any file is created/deleted on the host. I was looking at what is being monitored currently, and wondering if I put a rule in place that says notify me when HKLM\System changes, ALERT. Is this possible? I know it seems like a lot of information that would be rolling in, but we are just trying to see all of what we can do with OSSEC.
>>>
>>> Please let me know if you can assist.
>>>
>>> V/R,
>>> Justin
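An added ossec.conf fragment for the Windows agent (illustrative, not from the thread or the OSSEC project) that puts the two approaches discussed above side by side: syscheck on the drives and on HKLM\System, plus collection of the Security event log so that Audit Object Access events reach the manager once the audit policy is enabled. The frequency value and the ignore entries are assumptions chosen only to show where noise reduction goes.

```xml
<ossec_config>
  <syscheck>
    <!-- scan interval in seconds; registry keys are only compared on this
         interval, there is no real-time registry monitoring -->
    <frequency>43200</frequency>

    <!-- whole drives, as asked above; realtime="yes" reports file changes
         as they happen instead of waiting for the next scheduled scan -->
    <directories check_all="yes" realtime="yes">C:\,D:\</directories>

    <!-- the hive asked about (HKLM\System); expect a high alert volume -->
    <windows_registry>HKEY_LOCAL_MACHINE\System</windows_registry>

    <!-- assumed examples of exclusions for keys and paths that churn constantly -->
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>
    <ignore>C:\Windows\Temp</ignore>
  </syscheck>

  <!-- Windows Security log: where the object-access audit events from the
       folder SACL land, and what the agent forwards in real time -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
```

The agent must be restarted after saving the file, as Brent notes above.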
[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related
Close. Firewall logging on the client side helped. The OSSEC server has two IPs on the same network. It was receiving messages from the agent on one IP but sending the response back on the other IP. The agent's firewall was then dropping the response as unrelated. Specifying a local_ip in the server ossec.conf resolved the problem.

On Friday, May 15, 2015 at 8:12:55 AM UTC-5, Grant Leonard wrote:
> Have you run a tcpdump or ngrep on the server to ensure packets are arriving on UDP port 1514? When the agent is initially restarted it begins a new dialog with the server and you should be able to see that on the wire.
>
> On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote:
>> I have OSSEC 2.8.1 server installed on CentOS 7. I have OSSEC 2.8.1 agent installed on a separate CentOS 6 box. The agent cannot connect to the server and I do not understand why. When the agent starts, I see this in the logs:
>>
>>     2015/05/14 15:35:11 ossec-agentd: INFO: Trying to connect to server (192.168.2.4:1514).
>>     2015/05/14 15:35:11 ossec-agentd: INFO: Using IPv4 for: 192.168.2.4 .
>>     2015/05/14 15:35:32 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.2.4'.
>>
>> The server ossec.log shows absolutely nothing while the agent is attempting to connect. This would lead me to believe it's a firewall (or general connectivity) problem. However, I can connect to the server machine from the agent machine just fine using netcat. E.g.,
>>
>>     nc -uv 192.168.2.4 1514
>>
>> If I type random things into the server after connecting with netcat, I get the expected log entries on the server:
>>
>>     2015/05/15 15:39:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.2.3'.
>>
>> So far as I can tell, the agent machine has connectivity to UDP 1514 on the server machine, except ossec-agentd does not.
[ossec-list] Active response not working
I have an ossec server (CentOS) and an ossec agent (win7).

-On server-

ossec.conf:

    <command>
      <name>eject_usb</name>
      <executable>event.cmd</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
      <command>eject_usb</command>
      <location>local</location>
      <rules_id>120005</rules_id>
      <timeout>30</timeout>
    </active-response>

local_rule.xml:

    <group name="Event_USB">
      <rule id="12" level="0">
        <decoded_as>Event_USB</decoded_as>
        <description>Event USB</description>
      </rule>
      <rule id="120005" level="7">
        <if_sid>12</if_sid>
        <match>USB</match>
        <description>Detected USB Storage</description>
      </rule>
    </group>

-On agent-

event.cmd has the content:

    shutdown -s -t 00

When I plug a USB device into the agent, I get an alert on the server, but the active response isn't working to shut down the agent.
Re: [ossec-list] Re: OSSEC + CIS benchmark tests
So, does that mean the best way to understand how the system policy audit works is to basically read the source code in the rootcheck system?

On Fri, May 15, 2015 at 5:04 AM, dan (ddp) ddp...@gmail.com wrote:
> On Tue, May 12, 2015 at 6:57 PM, autodidactic theoriginalg...@gmail.com wrote:
>> Are there any updates to this feature or documentation about it? I see very raw documentation in the sample CIS benchmark policy audit files, but it leaves me guessing about some of it. I want to write the policy for the newer CIS benchmarks for EL6 and EL7... any help or pointers to where I can learn more would be helpful...
>
> I haven't written anything about it, and I haven't looked into it enough to know the answers.
>
>> Also, I'm not sure how to implement a permissions check via this system. Is it possible, or perhaps it is not?
>>
>> On Thursday, July 10, 2008 at 12:43:36 PM UTC-7, Daniel Cid wrote:
>>> Hi list,
>>>
>>> I just posted in my blog about the new support for CIS benchmarks on OSSEC and I want to hear the feedback anyone may have. Link: http://www.ossec.net/dcid/?p=137
>>>
>>> We just included support in the OSSEC Policy monitor to audit if a system is in compliance with the CIS Security Benchmarks (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are supported - the other versions will be soon). If you want to try it out manually and provide some feedback to us, please follow the instructions below to test:
>>>
>>> First, grab the latest CVS snapshot and compile it (it will be included on v1.6 and above):
>>>
>>>     # wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
>>>     # tar -zxvf ossec-hids-080710.tar.gz
>>>     # cd ossec-hids-080710/src/
>>>     # make clean
>>>     # make libs
>>>     # cd rootcheck
>>>     # make binary
>>>
>>> The binary ossec-rootcheck will be created in the current directory and we can start using it. A simple scan on my Ubuntu box looked like this (note that it will do all the normal rootcheck tests plus the CIS scans -- just grep for CIS if you don't want to see the rest):
>>>
>>>     # ./ossec-rootcheck
>>>     ..
>>>     [INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled. File: /etc/default/sysstat. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard boot services - Squid Enabled. File: /etc/init.d/squid. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     [INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>>>     ..
>>>
>>> Anyone here using CIS (or FDCC)? As always, feedback and suggestions are welcome.
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
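To make the policy audit mechanism the thread asks about concrete, here is an added Python model (not OSSEC's own code, and not from anyone on the list) of how rootcheck evaluates an `f:` file check from a system_audit rcl entry such as `f:/etc/fstab -> !r:/tmp;` or `f:/etc/fstab -> !r:^# && r:/media && !r:nodev;`: a pattern whose elements are all negated fires when no line defeats the negation, while a mixed pattern fires when any single line satisfies every element. The fstab and sshd_config contents are constructed, and Python's `re` stands in for OSSEC's own regex dialect, which differs in details (for instance `\.` there means any character).

```python
import re

# Constructed sample contents standing in for /etc/fstab and /etc/ssh/sshd_config.
FSTAB = """# /etc/fstab: static file system information.
UUID=abcd-1234  /       ext4  errors=remount-ro  0 1
UUID=ef01-5678  /media  vfat  user,nosuid        0 0
"""
SSHD_CONFIG = """# sshd_config
Port 22
PermitRootLogin yes
"""

def pt_matches(line, pattern):
    """True if LINE satisfies every ' && ' element; a leading '!' negates one element."""
    for elem in pattern.split(" && "):
        neg = elem.startswith("!")
        body = elem[1:] if neg else elem
        if not body.startswith("r:"):
            raise ValueError(f"unsupported pattern element: {elem}")
        hit = re.search(body[2:], line) is not None
        if hit == neg:  # a negated element matched, or a plain one did not
            return False
    return True

def is_full_negate(pattern):
    """All elements negated: the file-level logic flips (see check_file)."""
    return all(e.startswith("!") for e in pattern.split(" && "))

def check_file(content, pattern):
    """True when the check fires, i.e. an [INFO] System Audit line is emitted."""
    lines = content.splitlines()
    if is_full_negate(pattern):
        # fire only if no line defeats the negation, e.g. no line mentions /tmp
        return all(pt_matches(l, pattern) for l in lines)
    # otherwise fire as soon as any single line satisfies the whole pattern
    return any(pt_matches(l, pattern) for l in lines)

# (check name, file contents, pattern) in the style of the shipped CIS rcl entries
CHECKS = [
    ("1.4 - /tmp is not on its own partition", FSTAB, "!r:/tmp"),
    ("2.3 - Root login allowed", SSHD_CONFIG, "!r:^# && r:PermitRootLogin.+yes"),
    ("7.2 - /media without 'nodev' set", FSTAB, "!r:^# && r:/media && !r:nodev"),
    ("7.2 - /media without 'nosuid' set", FSTAB, "!r:^# && r:/media && !r:nosuid"),
]

def run_checks():
    """Names of the checks that fire against the sample files."""
    return [name for name, content, pattern in CHECKS if check_file(content, pattern)]

for name in run_checks():
    print(f"[INFO]: System Audit: CIS - Debian Linux {name}.")
```

Note that a missing or empty file makes a fully negated check fire (there is no line to defeat the negation), which is why the checks are phrased as "X is not set" rather than "X is set".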