[ossec-list] How ossec manager reads decoder

2017-06-08 Thread Akash Munjal
HI,

How does the OSSEC manager read decoders?

Thanks..

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Updates rules and signatures

2017-06-08 Thread Alexis Lessard
Thank you all!



Re: [ossec-list] Updates rules and signatures

2017-06-08 Thread Jesus Linares
The script is only valid for Wazuh.


On Thursday, June 8, 2017 at 2:31:24 PM UTC+2, Alexis Lessard wrote:
>
> I did see that script. Seemed really interesting. Due to a lack of a test
> environment, I didn't try it, but reading it, I was under the impression
> that it only worked with a Wazuh installation and not with OSSEC vanilla.
> Would it actually work without installing Wazuh?
>
> Le jeudi 8 juin 2017 05:14:07 UTC-4, Jesus Linares a écrit :
>>
>> Hi Alexis,
>>
>> Dan's method is the fastest way to do it and it should work properly.
>>
>> Saying that, Wazuh makes a great effort to centralize decoders, rules,
>> rootchecks and OpenSCAP content in the wazuh-ruleset repository. Also, a
>> script to update the ruleset is provided. Unfortunately, the ruleset (and
>> the script) only works with Wazuh manager 2.0 due to compatibility issues
>> (we included dynamic fields), but OSSEC agents are fully compatible with
>> Wazuh manager.
>>
>> I hope it helps.
>> Regards.
>>
>> On Thursday, June 8, 2017 at 3:48:05 AM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Wed, Jun 7, 2017 at 4:24 PM, Alexis Lessard wrote:
>>> > Hi!
>>> >
>>> > What is the cleanest and easiest way to update rules and signatures of
>>> > attacks and threats in ossec? I'm looking maybe for a command I could use
>>> > to automate it. When I execute bin/manage_agents -V (to obtain version),
>>> > I get this:
>>> > OSSEC HIDS v2.8.3 - Trend Micro Inc.
>>> >
>>> > According to the documentation for 2.8.1 right here, in order to update
>>> > those rules, we have to download the installation package and reinstall
>>> > it. The installation script should ask us to update. That seems pretty
>>> > complicated and unorthodox. Is there a simpler way?
>>> >
>>>
>>> Clone the github repo, copy the decoder.xml and rules files to the 
>>> proper directory, restart ossec. 
>>>
>>> > Also, I think I should ask that question: Does anyone know how often
>>> > does ossec update their signatures and rules, or if they update them at
>>> > all?
>>> >
>>>
>>> When we do. A lot of it depends on how often people submit new rules, 
>>> decoders or even log samples. 
>>>
>>> > Thanks! 
>>> > 
>>>
>>



[ossec-list] ossec agent not running scheduled syscheck scan

2017-06-08 Thread John Kondur
I have the following in my ossec.conf on the agents:

  <syscheck>
    <frequency>21600</frequency>
  </syscheck>

That should run syscheck every 6 hours. As you can see in the log below, I
restarted the agent @ 12:30 pm yesterday, and it only did a syscheck scan
once, an hour later, and now it has been almost 20 hours and I don't see
any more that have run:

2017/06/07 12:32:40 ossec-syscheckd: INFO: Real time file monitoring 
started.
2017/06/07 12:32:40 ossec-syscheckd: INFO: Finished creating syscheck 
database (pre-scan completed).
2017/06/07 12:32:51 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
database).
2017/06/07 12:33:01 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/06/07 12:48:56 ossec-rootcheck: INFO: Ending rootcheck scan.
2017/06/07 12:59:09 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/06/07 13:16:09 ossec-rootcheck: INFO: Ending rootcheck scan.
2017/06/07 13:16:09 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 13:20:15 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/08 09:19:05 ossec-rootcheck: INFO: Starting rootcheck scan.

I checked this on 2 boxes running the agent, and both are not running every 
6 hours.  I am running version 2.8.3-53 on both the server and the client.

The interesting thing is the main server works just fine as seen below here:

2017/06/07 04:07:58 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 04:08:20 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/07 10:08:25 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 10:08:47 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/07 12:13:49 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/06/07 12:18:17 ossec-rootcheck: INFO: Ending rootcheck scan.
2017/06/07 16:13:20 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 16:13:42 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/07 22:13:47 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 22:14:09 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/08 00:00:43 ossec-monitord: INFO: Starting daily reporting for 
'Daily report: File changes'
2017/06/08 00:00:48 ossec-monitord: INFO: Report 'Daily report: File 
changes' completed. Creating output...
2017/06/08 04:14:13 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/08 04:14:35 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/08 08:19:38 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/06/08 08:23:58 ossec-rootcheck: INFO: Ending rootcheck scan.
Just curious if anyone has any ideas why this might happen and if there is 
a fix?

Thanks in advance

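As an added example (not code from the thread), a small Python checker for the symptom described in the post above: it reads the "Starting syscheck scan" lines from ossec.log and flags any interval between scans longer than the configured <frequency> plus a slack for scan duration. The sample log lines are constructed from the two logs quoted in the post, and NOW is an assumed reference time.

```python
import re
from datetime import datetime, timedelta

# Matches the lines ossec-syscheckd writes to ossec.log, e.g.
#   2017/06/07 13:16:09 ossec-syscheckd: INFO: Starting syscheck scan.
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"
# Constructed "now" (assumed reference time for the overdue check).
NOW = datetime(2017, 6, 7, 22, 0, 0)

# Constructed samples: the agent log and the manager log quoted in the post,
# trimmed to the syscheck lines that matter.
AGENT_LOG = """\
2017/06/07 12:32:51 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2017/06/07 13:16:09 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 13:20:15 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/08 09:19:05 ossec-rootcheck: INFO: Starting rootcheck scan.
""".splitlines()
MANAGER_LOG = """\
2017/06/07 04:07:58 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 04:08:20 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/07 10:08:25 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 10:08:47 ossec-syscheckd: INFO: Ending syscheck scan.
2017/06/07 16:13:20 ossec-syscheckd: INFO: Starting syscheck scan.
2017/06/07 16:13:42 ossec-syscheckd: INFO: Ending syscheck scan.
""".splitlines()

def scan_starts(lines):
    """Timestamps of every 'Starting syscheck scan' line, in log order."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == "Starting":
            out.append(datetime.strptime(m.group(1), TS_FMT))
    return out

def missed_scans(lines, frequency_s, now=NOW, slack_s=900):
    """Return (from, to) timestamp strings for gaps between scan starts that
    exceed <frequency> plus slack; 'to' is None when the next scan is overdue."""
    starts = scan_starts(lines)
    limit = timedelta(seconds=frequency_s + slack_s)
    gaps = [(a.strftime(TS_FMT), b.strftime(TS_FMT))
            for a, b in zip(starts, starts[1:]) if b - a > limit]
    if starts and now - starts[-1] > limit:
        gaps.append((starts[-1].strftime(TS_FMT), None))
    return gaps
```

With the 21600-second frequency from the post, the agent log is flagged as overdue while the manager log passes; the slack absorbs the few seconds each scan itself takes, so dropping it to zero turns the manager's six-hour-plus-seconds intervals into false positives.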


[ossec-list] Re: OSSEC rule to avoid alerts for apt-daily

2017-06-08 Thread Jesus Linares
Hi Fredrik,

you want to do something like: "if Starting daily apt activities -> disable 
syscheck for that agent". I think there is no way to do it. The rule engine 
doesn't allow rules like "if event A (starting apt) and event B (syscheck) 
-> rule to ignore event".

You can create a rule to ignore syscheck events between a range of time. Do 
you know when the update will be executed?

Regards.

On Thursday, June 8, 2017 at 10:05:12 AM UTC+2, Fredrik Hilmersson wrote:
>
> Hello,
>
> So I'm getting more and more comfortable with the configuration and server 
> - agent architecture. However, now I'd like to step it up and start creating 
> my own custom rules and would appreciate some guidance and pointers.
>
> The rule I'd like to create is to avoid alerts during the apt-daily update 
> which triggers the integrity check and renders plenty of notifications. The 
> syslog outputs "Starting daily apt activities..." before the 
> apt-daily.service runs its updates, so I thought one way would be to timeout 
> the integrity check rule for x seconds once the apt-daily appears in the 
> syslog. I don't know, there might be an even more 'reliable' solution?
>
> Any pointers or ideas would be greatly appreciated!
>
> Kind regards,
> Fredrik
>
>
>



Re: [ossec-list] Updates rules and signatures

2017-06-08 Thread Jesus Linares
Hi Alexis,

Dan's method is the fastest way to do it and it should work properly.

Saying that, Wazuh makes a great effort to centralize decoders, rules,
rootchecks and OpenSCAP content in the wazuh-ruleset repository. Also, a
script to update the ruleset is provided. Unfortunately, the ruleset (and
the script) only works with Wazuh manager 2.0 due to compatibility issues
(we included dynamic fields), but OSSEC agents are fully compatible with
Wazuh manager.

I hope it helps.
Regards.

On Thursday, June 8, 2017 at 3:48:05 AM UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Jun 7, 2017 at 4:24 PM, Alexis Lessard wrote:
> > Hi!
> >
> > What is the cleanest and easiest way to update rules and signatures of
> > attacks and threats in ossec? I'm looking maybe for a command I could use
> > to automate it. When I execute bin/manage_agents -V (to obtain version), I
> > get this:
> > OSSEC HIDS v2.8.3 - Trend Micro Inc.
> >
> > According to the documentation for 2.8.1 right here, in order to update
> > those rules, we have to download the installation package and reinstall
> > it. The installation script should ask us to update. That seems pretty
> > complicated and unorthodox. Is there a simpler way?
> >
>
> Clone the github repo, copy the decoder.xml and rules files to the 
> proper directory, restart ossec. 
>
> > Also, I think I should ask that question: Does anyone know how often
> > does ossec update their signatures and rules, or if they update them at
> > all?
> >
>
> When we do. A lot of it depends on how often people submit new rules, 
> decoders or even log samples. 
>
> > Thanks! 
> > 
>



Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-08 Thread Jesus Linares
> Thanks that helped a lot and definitely speed it up.  We went from several 
> hours to 4 minutes now.  This includes our entire webapp

If syscheck sends too many events in a short period of time, it is possible 
that they are lost due to UDP. So, don't use too low values.

> Is there a way to speed up rootcheck?  That is the longest part of the scan 
> that takes 15 minutes now, so the whole process takes approx 20 minutes now.

Rootcheck does a lot of things (see the documentation). You can enable only 
what you want:

   - check_dev
   - check_files
   - check_if
   - check_pids
   - check_policy
   - check_ports
   - check_sys
   - check_trojans
   - check_unixaudit
   - check_winapps
   - check_winmalware
   
> The main reason is anytime we deploy I want to follow what is in the doc, 
> stop ossec on manager, then clear database and run a new baseline, but 
> trying to speed up the process.  If there is a way to disable rootcheck 
> when I do that command?  I need to do that because otherwise I will get 
> tons of emails every time we do a deploy.

If you want to disable rootcheck remotely in an agent, you can use the 
agent.conf.

Regards.


On Wednesday, June 7, 2017 at 8:13:24 PM UTC+2, John Kondur wrote:
>
> Thanks that helped a lot and definitely speed it up.  We went from several 
> hours to 4 minutes now.  This includes our entire webapp
>
>
> Is there a way to speed up rootcheck?  That is the longest part of the 
> scan that takes 15 minutes now, so the whole process takes approx 20 
> minutes now.
>
> But I would like to either disable root check when you send for example 
> the following command:
>
>  /var/ossec/bin/agent_control -r -u 1027
>
>
> The main reason is anytime we deploy I want to follow what is in the doc, 
> stop ossec on manager, then clear database and run a new baseline, but 
> trying to speed up the process.  If there is a way to disable rootcheck 
> when I do that command?  I need to do that because otherwise I will get 
> tons of emails every time we do a deploy.
>
> Thanks
>
>
> On Wednesday, June 7, 2017 at 11:36:13 AM UTC-4, Jesus Linares wrote:
>>
>> Hi John,
>>
>> there is a way to speed up syscheck. By default *syscheck sleeps 2 
>> seconds every 15 files*. This avoids packet loss due to UDP. You can 
>> overwrite this configuration in *local_internal_options.conf*:
>>
>> $ nano /var/ossec/etc/local_internal_options.conf
>>
>> syscheck.sleep=1
>> syscheck.sleep_after=150
>>
>>
>> This is 20 times faster than the default configuration. I would not 
>> increase these values more than 1 - 150.
>>
>> How many files are you scanning? Remember that syscheck is only for 
>> important files.
>>
>> In *ossec.log *you should see something like:
>>
>> 2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
>> ...
>> 2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
>>
>>
>> I hope it helps.
>> Regards.
>>
>>
>> On Wednesday, June 7, 2017 at 4:54:07 PM UTC+2, jose wrote:
>>>
>>> Hi John
>>>
>>> You cannot speed up the syscheck, but you can always add the option 
>>> *realtime* for your more important folders; with this option you will 
>>> have the alerts in "real time" :)
>>>
>>>
>>> https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
>>>
>>>
>>> Regards
>>> ---
>>> Jose Luis Ruiz
>>> Wazuh Inc.
>>> jo...@wazuh.com
>>>
>>> On June 7, 2017 at 10:15:19 AM, John Kondur (kongf...@gmail.com) wrote:
>>>
>>> Thanks I did find it that did help, 
>>>
>>> I had two more questions not sure if I should start another thread:
>>>
>>> I had frequency set on the agents to:
>>>
>>> <frequency>7200</frequency>
>>>
>>> I looked in the ossec.log and it never kicked off, and it has been 15 
>>> hours since the last scan finished.  I restarted the agent and it kicked 
>>> off but any idea what might not start it?  
>>>
>>>
>>>
>>> Second question:
>>>
>>> The scans seem to take a very long time, I ran it and it takes 4 hours 
>>> on one of my web servers.  Is it the size of the files or the number of 
>>> files that determines the scan and is there any way to speed it up?  
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote: 
>>>>
>>>> Review the ossec.conf of the agent 1027. You should see a log for 
>>>> starting/ending rootcheck and syscheck. 
>>>>
>>>> I hope it helps.
>>>>
>>>> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote: 
>>>>>
>>>>> Thanks but unfortunately all it shows is the following: 
>>>>>
>>>>> OSSEC HIDS agent_control. Agent information:
>>>>>    Agent ID:   1027
>>>>>    Agent Name: server1
>>>>>    IP address: any/any
>>>>>    Status: Active
>>>>>
>>>>>    Operating system:Linux 4.4.
>>>>>    Client version:  OSSEC HIDS v2.8.3