[ossec-list] getting authentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

2017-08-23 Thread Golemus
Hello,
On ossec 2.8.3 I am trying to get alerts only for RDP authentication events
from windows agents.
These events are shown in the event log
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,
for example with event ID 1149.

I have in my windows agents' conf file:

<localfile>
  <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

-
On the server, in my local_rules.xml, I have:

Remote Desktop Services
Remote Desktop Connection Established
I get no messages from the remote client
(that sends alerts if I use Security).

I see some traffic from client to server with tcpdump if I generate 1149
logon events, but no evidence even with yes in ossec server.

Can anyone share some insight?

Many thanks
g.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
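A worked configuration for the setup described in the post above, added here as an example and not taken from the thread or from the OSSEC project: the agent-side localfile entry for the RemoteConnectionManager channel, and a server-side rule that keys on the event ID rather than on message text. Rule id 100100 is an arbitrary id from the local rule range; 18100 is the stock OSSEC "Group of windows rules" parent in msauth_rules.xml that every event decoded by the windows decoder (eventlog and eventchannel lines starting with "WinEvtLog:") passes through. The `authentication_success` group tag is a conventional OSSEC group name and is optional.

```xml
<!-- Added example, not from the thread. Two fragments: one for the agent's
     ossec.conf, one for /var/ossec/rules/local_rules.xml on the server.
     Rule id 100100 is an arbitrary local id; 18100 is OSSEC's stock
     "Group of windows rules" parent rule. -->

<!-- 1. ossec.conf on the Windows agent (OSSEC 2.8.x agent, Vista or later,
        since eventchannel is not available on the old eventlog API). -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- 2. /var/ossec/rules/local_rules.xml on the OSSEC server.
        The windows decoder exposes the event ID as the "id" field, so the
        rule matches on ^1149$ instead of on free text in the message,
        which survives localisation and message-format changes. -->
<group name="local,windows,rdp,">
  <rule id="100100" level="5">
    <if_sid>18100</if_sid>
    <id>^1149$</id>
    <description>Remote Desktop Connection Established (TerminalServices event 1149)</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Validate the rules with `/var/ossec/bin/ossec-logtest -t`, then pipe a constructed line such as `WinEvtLog: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: INFORMATION(1149): Microsoft-Windows-TerminalServices-RemoteConnectionManager: (no user): no domain: WIN-HOST: Remote Desktop Services: User authentication succeeded: User: jdoe Domain: CORP Source Network Address: 10.0.0.25` (constructed here to approximate the 2.8 agent's WinEvtLog formatting; the exact spacing of a real line may differ) into `/var/ossec/bin/ossec-logtest` and confirm rule 100100 fires. If it fires in logtest but never in production, the rule is not the problem: check the agent's ossec.log for the channel being opened, and the server's archives.log with logall enabled to see whether the raw 1149 events arrive at all.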


Re: [ossec-list] Re: Testing OSSEC

2017-08-23 Thread dan (ddp)
On Aug 23, 2017 6:18 AM, "Ritu Soni"  wrote:

Hello,
My work requirement is that OSSEC should generate an alert "Attack
Detected" when requests from the same IP address are received by the server
3 or more times within 300 seconds.
I have made changes in the syslog_rules.xml file:

attacks|attack|automatic_attack
alert_by_email
DDOS Attack Detected
But when I restart OSSEC, it generates an error message:
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

Are these changes correct? If not, please suggest the changes needed to
achieve the same.



I don't see anything obviously incorrect with the changes. I'm not sure
if_matched_group accepts multiple groups, or if they are pipe delimited
though. Getting the actual errors (from logtest -t or the ossec.log) might
help.

Stylistically though, modifying the rules files (except local_rules.xml) is
a bad idea. Changes will be overwritten during updates. Also, I consider
rule 1002 to be very important, and changing it isn't something I
encourage.



On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:

>
>
> On Aug 21, 2017 1:07 PM, "Ritu Soni"  wrote:
>
> Hey,
> When i perform any changes to xml files, ossec stopped working.
> should i use ''make" command for those changes to work or any other
> command after performing the changes ?
>
>
>
> You can run `ossec-logtest -t` to test your changes before restarting
> ossec. If there are issues, it should display error messages.
>
>
>>
>
> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 21, 2017 12:54 PM, "Ritu Soni"  wrote:
>>
>> hello,
>> I have installed OSSEC on UBUNTU server.
>> I want to perform changes in OSSEC rules, so that it can detect an attack
>> and display an alert like "DDOS Attack".
>> Is it possible to perform changes in rules of OSSEC using xml files?
>> What could be the possible method for this, please guide me.
>>
>>
>> Local additions or changes to the rules can be done in
>> /var/ossec/rules/local_rules.xml
>>
>>
>>
>>
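
The requirement from the question, written the way dan's reply suggests: as an added example and not the poster's or the OSSEC project's own rule, a new rule in /var/ossec/rules/local_rules.xml that correlates on the existing "attacks" group instead of editing syslog_rules.xml or rule 1002. Rule id 100200 is an arbitrary id from the local range (100000-119999) and level 10 is an arbitrary choice; the group, description and threshold mirror the fields in the poster's fragment, and a single group is used in `if_matched_group` to sidestep the pipe-delimiter question dan raises.

```xml
<!-- Added example, not from the thread: goes in
     /var/ossec/rules/local_rules.xml, which survives upgrades, unlike
     syslog_rules.xml. Rule id 100200 is an arbitrary local id; level 10
     is an arbitrary choice. -->
<group name="local,">
  <!-- frequency and timeframe are attributes of <rule>, and level is
       mandatory. The rule fires when events carrying the "attacks" group
       have already matched from the same source IP inside the timeframe.
       <same_source_ip /> only works when the decoder for those base events
       extracted a srcip. The alert_by_email group asks OSSEC to e-mail
       this rule's alerts (e-mail must be enabled in ossec.conf). -->
  <rule id="100200" level="10" frequency="3" timeframe="300">
    <if_matched_group>attacks</if_matched_group>
    <same_source_ip />
    <description>DDOS Attack Detected: repeated attack events from the same source IP</description>
    <group>alert_by_email,</group>
  </rule>
</group>
```

Run `/var/ossec/bin/ossec-logtest -t` before restarting: a missing or misspelled attribute, an unclosed tag or an id outside the allowed range is reported there with the rule id, rather than as the bare "Testing rules failed" message from analysisd. Two things to check with ossec-logtest on real events rather than by eye: that the decoded output of the base events shows a srcip (otherwise `<same_source_ip />` never matches), and the actual trigger count, since the OSSEC rule syntax documentation notes that the number of matches that fires a frequency rule is two more than the frequency value, so replay a burst and tune the attribute until it fires at the third event as intended.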


Re: [ossec-list] Re: Testing OSSEC

2017-08-23 Thread Ritu Soni
Hello,
My work requirement is that OSSEC should generate an alert "Attack
Detected" when requests from the same IP address are received by the server
3 or more times within 300 seconds.
I have made changes in the syslog_rules.xml file:

attacks|attack|automatic_attack
alert_by_email
DDOS Attack Detected
But when I restart OSSEC, it generates an error message:
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

Are these changes correct? If not, please suggest the changes needed to
achieve the same.

On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>
>
>
> On Aug 21, 2017 1:07 PM, "Ritu Soni"  
> wrote:
>
> Hey,
> When i perform any changes to xml files, ossec stopped working.
> should i use ''make" command for those changes to work or any other 
> command after performing the changes ?
>
>
>
> You can run `ossec-logtest -t` to test your changes before restarting
> ossec. If there are issues, it should display error messages.
>
>  
>>
>
> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 21, 2017 12:54 PM, "Ritu Soni"  wrote:
>>
>> hello,
>> I have installed OSSEC on UBUNTU server.
>> I want to perform changes in OSSEC rules, so that it can detect an attack 
>> and display an alert like "DDOS Attack". 
>> Is it possible to perform changes in rules of OSSEC using xml files?
>> What could be the possible method for this, please guide me.
>>
>>
>> Local additions or changes to the rules can be done in
>> /var/ossec/rules/local_rules.xml
>>
>>
>>
>>