Re: [ossec-list] ERROR: Unable to Bind port '1514'

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 6:28 PM, "Carlos Islas"  wrote:

Hello dan,

Yes, it is remoted. Here is the result for netstat:

root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*
root@vknxsegfim:/var/ossec/logs#


Ok, so only 1 copy of remoted can bind to that port at a time. Kill the
first instance, and the second should run.


Regards

On Thursday, August 24, 2017, 16:39:53 (UTC-5), dan (ddpbsd) wrote:
>
>
>
> On Aug 24, 2017 5:20 PM, "Carlos Islas"  wrote:
>
> Hello,
>
> I am having this issue when I execute the command ./ossec-remoted
>
> ossec.log:
>
> 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
> 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>
> Could somebody help me examine that error?
>
>
> Is remoted running?
> Is something else listening on 1514? `netstat -an |grep 1514`
>
>
> Regards...
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>
>
> --

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



Re: [ossec-list] ERROR: Unable to Bind port '1514'

2017-08-24 Thread Carlos Islas
Hello dan,

Yes, it is remoted. Here is the result for netstat:

root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*
root@vknxsegfim:/var/ossec/logs#

Regards

On Thursday, August 24, 2017, 16:39:53 (UTC-5), dan (ddpbsd) wrote:
>
>
>
> On Aug 24, 2017 5:20 PM, "Carlos Islas"  wrote:
>
> Hello,
>
> I am having this issue when I execute the command ./ossec-remoted
>
> ossec.log:
>
> 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
> 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>
> Could somebody help me examine that error?
>
>
> Is remoted running? 
> Is something else listening on 1514? `netstat -an |grep 1514`
>
>
> Regards...
>



Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 12:56 PM, "Ritu Soni"  wrote:

Ok, thanks.
Have you added the rule in the local_rules.xml file, or in another xml file?



I added it to my local_rules.xml file, outside of the  tag near the
bottom.


On Thursday, August 24, 2017 at 6:14:56 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp)  wrote:
> >
> >
> > On Aug 24, 2017 4:40 AM, "Ritu Soni"  wrote:
> >
> > Hello, ok
>
> > I simply want to test the rule for DDOS Attack, which is discussed
> > previously:
> > local_rules.xml:
> > 
> >
> >
> > 
> >
> > attacks|attack|automatic_attack
>
> >
> > 
> > Attacks from same source IP
> >   
> >
> >
> > 
> > But this is not working. I get errors while adding this new rule.
> > What is the possible solution for making this rule work?
> >
> >
> > Keeping those errors a secret is not going to help me help you solve the
> > problem. Either look at the errors and troubleshoot your problem, or
> share
> > them and let me do it.
> >
>
> Testing this rule provided me with no errors, so my first guess is
> that you have the  tag inside of another  tag.
>
> >
> >
> > On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd)
> wrote:
> >>
> >>
> >>
> >> On Aug 23, 2017 6:18 AM, "Ritu Soni"  wrote:
> >>
> >> Hello,
> >> My work requirement is that OSSEC should generate an alert "Attack
> >> Detected" when a request from the same IP address is received by the
> >> server 3 or more times within 300 seconds.
> >> I have made changes in the syslog_rules.xml file:
> >> 
> >> attacks|attack|automatic_attack
>
> >> alert_by_email
> >> DDOS Attack Detected
> >>   
> >> But when I restart OSSEC, it generates an error msg:
> >> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
> >>
> >> Are these changes correct? If not, please suggest the changes to
> >> achieve the same.
> >>
> >>
> >>
> >> I don't see anything obviously incorrect with the changes. I'm not sure
> >> if_matched_group accepts multiple groups, or if they are pipe delimited
> >> though. Getting the actual errors (from logtest -t or the ossec.log)
> might
> >> help.
> >>
> >> Stylistically though, modifying the rules files (except
> local_rules.xml)
> >> is a bad idea. Changes will be overwritten during updates. Also, I
> consider
> >> rule 1002 to be very important, and changing it isn't something I
> encourage.
> >>
> >>
> >>
> >> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
> >>>
> >>>
> >>>
> >>> On Aug 21, 2017 1:07 PM, "Ritu Soni"  wrote:
> >>>
> >>> Hey,
> >>> When I perform any changes to xml files, ossec stops working.
> >>> Should I use the "make" command for those changes to work, or any other
> >>> command after performing the changes?
> >>>
> >>>
> >>>
> >>> You can run `ossec-logtest -t` to test your changes before restarting
> >>> ossec. If there are issues, it should display error messages.
> 
> 
> >>>
> >>>
> >>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd)
> wrote:
> 
> 
> 
>  On Aug 21, 2017 12:54 PM, "Ritu Soni"  wrote:
> 
>  Hello,
>  I have installed OSSEC on an Ubuntu server.
>  I want to perform changes in OSSEC rules, so that it can detect an
>  attack and display an alert like "DDOS Attack".
>  Is it possible to perform changes in the rules of OSSEC using xml files?
>  What could be the possible method for this? Please guide me.
> 
> 
>  Local additions or changes to the rules can be done in
>  /var/ossec/rules/local_rules.xml
> 
> 
> 
> 
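The layout the thread converges on, written out as an added example rather than the poster's own file: one top-level group in local_rules.xml holding a composite rule that fires when three alerts from the attack groups arrive from the same source IP within 300 seconds. The rule id 100100, the level, the description and the group name attack_pattern are assumptions; the matched groups, the timeframe and the alert_by_email option come from the thread.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not the poster's file).
     Local rules live here rather than in syslog_rules.xml, which package
     updates overwrite. -->

<!-- Every rule must sit directly inside ONE top-level <group>; a <rule>
     nested inside another <rule> makes "Testing rules failed" appear. -->
<group name="local,syslog,">

  <!-- Composite rule: frequency/timeframe correlate earlier alerts whose
       group matches if_matched_group; "|" is alternation in OSSEC match
       syntax. same_source_ip restricts the count to one source address.
       Rule id 100100 is an assumption; local ids use 100000-119999. -->
  <rule id="100100" level="10" frequency="3" timeframe="300">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Multiple attack alerts from the same source IP</description>
    <options>alert_by_email</options>
    <group>attack_pattern,</group>
  </rule>

</group>

<!-- Validate before restarting, as suggested in the thread:
       /var/ossec/bin/ossec-logtest -t
     then feed sample log lines to ossec-logtest (no -t) to confirm the
     exact number of events that trips the rule. -->
```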

Re: [ossec-list] ERROR: Unable to Bind port '1514'

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 5:20 PM, "Carlos Islas"  wrote:

Hello,

I am having this issue when I execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Could somebody help me examine that error?


Is remoted running?
Is something else listening on 1514? `netstat -an |grep 1514`


Regards...



[ossec-list] ERROR: Unable to Bind port '1514'

2017-08-24 Thread Carlos Islas
Hello,

I am having this issue when I execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Could somebody help me examine that error?

Regards...



Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread Ritu Soni


Hey,

When I add the same rule in the local_rules.xml file, I get the following
errors:

2017/08/24 22:54:00 ossec-config(1501): ERROR: Invalid SMTP Server: alt1.gmail-smtp-in.l.google.com.
2017/08/24 22:54:00 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/08/24 22:54:00 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-maild did not start correctly.

How do I solve this?
 



Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread Ritu Soni
Ok, thanks.
Have you added the rule in the local_rules.xml file, or in another xml file?

On Thursday, August 24, 2017 at 6:14:56 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp)  
> wrote: 
> > 
> > 
> > On Aug 24, 2017 4:40 AM, "Ritu Soni"  
> wrote: 
> > 
> > Hello, ok
> > I simply want to test the rule for DDOS Attack, which is discussed
> > previously:
> > local_rules.xml: 
> >  
> > 
> > 
> >  
> > 
> > 
> attacks|attack|automatic_attack 
> > 
> >  
> > Attacks from same source IP 
> >
> > 
> > 
> >  
> > But this is not working. I get errors while adding this new rule. 
> > What is the possible solution for making this rule work? 
> > 
> > 
> > Keeping those errors a secret is not going to help me help you solve the
> > problem. Either look at the errors and troubleshoot your problem, or 
> share 
> > them and let me do it. 
> > 
>
> Testing this rule provided me with no errors, so my first guess is 
> that you have the  tag inside of another  tag. 
>
> > 
> > 
> > On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd) 
> wrote: 
> >> 
> >> 
> >> 
> >> On Aug 23, 2017 6:18 AM, "Ritu Soni"  wrote: 
> >> 
> >> Hello, 
> >> My work requirement is that OSSEC should generate an alert "Attack
> >> Detected" when a request from the same IP address is received by the
> >> server 3 or more times within 300 seconds.
> >> I have made changes in the syslog_rules.xml file:
> >>  
> >> 
> attacks|attack|automatic_attack 
> >> alert_by_email 
> >> DDOS Attack Detected 
> >>
> >> But when I restart OSSEC, it generates an error msg:
> >> OSSEC analysisd: Testing rules failed. Configuration error. Exiting. 
> >> 
> >> Are these changes correct? If not, please suggest the changes to
> >> achieve the same.
> >> 
> >> 
> >> 
> >> I don't see anything obviously incorrect with the changes. I'm not sure 
> >> if_matched_group accepts multiple groups, or if they are pipe delimited 
> >> though. Getting the actual errors (from logtest -t or the ossec.log) 
> might 
> >> help. 
> >> 
> >> Stylistically though, modifying the rules files (except 
> local_rules.xml) 
> >> is a bad idea. Changes will be overwritten during updates. Also, I 
> consider 
> >> rule 1002 to be very important, and changing it isn't something I 
> encourage. 
> >> 
> >> 
> >> 
> >> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote: 
> >>> 
> >>> 
> >>> 
> >>> On Aug 21, 2017 1:07 PM, "Ritu Soni"  wrote: 
> >>> 
> >>> Hey, 
> >>> When I perform any changes to xml files, ossec stops working.
> >>> Should I use the "make" command for those changes to work, or any other
> >>> command after performing the changes?
> >>> 
> >>> 
> >>> 
> >>> You can run `ossec-logtest -t` to test your changes before restarting
> >>> ossec. If there are issues, it should display error messages. 
>  
>  
> >>> 
> >>> 
> >>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) 
> wrote: 
>  
>  
>  
>  On Aug 21, 2017 12:54 PM, "Ritu Soni"  wrote: 
>  
>  Hello,
>  I have installed OSSEC on an Ubuntu server.
>  I want to perform changes in OSSEC rules, so that it can detect an
>  attack and display an alert like "DDOS Attack".
>  Is it possible to perform changes in the rules of OSSEC using xml files?
>  What could be the possible method for this? Please guide me.
>  
>  
>  Local additions or changes to the rules can be done in
>  /var/ossec/rules/local_rules.xml 
>  
>  
>  
>  

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 4:40 AM, "Ritu Soni"  wrote:

Hello,
I simply want to test the rule for DDOS Attack, which is discussed
previously:
local_rules.xml:





attacks|attack|automatic_attack


Attacks from same source IP
  



But this is not working. I get errors while adding this new rule.
What is the possible solution for making this rule work?


Keeping those errors a secret is not going to help me help you solve the
problem. Either look at the errors and troubleshoot your problem, or share
them and let me do it.



On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd) wrote:

>
>
> On Aug 23, 2017 6:18 AM, "Ritu Soni"  wrote:
>
> Hello,
> My work requirement is that OSSEC should generate an alert "Attack
> Detected" when a request from the same IP address is received by the server
> 3 or more times within 300 seconds.
> I have made changes in the syslog_rules.xml file:
>
> attacks|attack|automatic_attack
> alert_by_email
> DDOS Attack Detected
>
> But when I restart OSSEC, it generates an error msg:
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> Are these changes correct? If not, please suggest the changes to
> achieve the same.
>
>
>
> I don't see anything obviously incorrect with the changes. I'm not sure
> if_matched_group accepts multiple groups, or if they are pipe delimited
> though. Getting the actual errors (from logtest -t or the ossec.log) might
> help.
>
> Stylistically though, modifying the rules files (except local_rules.xml)
> is a bad idea. Changes will be overwritten during updates. Also, I consider
> rule 1002 to be very important, and changing it isn't something I
> encourage.
>
>
>
> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>
>>
>>
>> On Aug 21, 2017 1:07 PM, "Ritu Soni"  wrote:
>>
>> Hey,
>> When I perform any changes to xml files, ossec stops working.
>> Should I use the "make" command for those changes to work, or any other
>> command after performing the changes?
>>
>>
>>
>> You can run `ossec-logtest -t` to test your changes before restarting
>> ossec. If there are issues, it should display error messages.
>>
>>
>>>
>>
>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>>
>>>
>>> On Aug 21, 2017 12:54 PM, "Ritu Soni"  wrote:
>>>
>>> Hello,
>>> I have installed OSSEC on an Ubuntu server.
>>> I want to perform changes in OSSEC rules, so that it can detect an
>>> attack and display an alert like "DDOS Attack".
>>> Is it possible to perform changes in the rules of OSSEC using xml files?
>>> What could be the possible method for this? Please guide me.
>>>
>>>
>>> Local additions or changes to the rules can be done in
>>> /var/ossec/rules/local_rules.xml
>>>
>>>
>>>
>>>


[ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-08-24 Thread Tirumala Raja Siriki
Hi Everyone,

I am running Ossec version 2.8.3 on the server as well as on the agents. I am not
getting any email alerts from the Ossec server (Suse Linux) for one of the agents,
which is also running on Suse Linux.
I see the alerts getting logged in the /var/ossec/logs/alerts/alerts.log file,
but no emails are triggered. Other agents are working fine.
I noticed the Ossec server has rsyslog running while the agent has syslog-ng. Are
there any changes that need to be made for logging?

Any help is appreciated.


Many Thanks



[ossec-list] Ossec 2.8.3, Email alert mismatch

2017-08-24 Thread Tirumala Raja Siriki
Hi Everyone,

Email alert mismatch: I have email alerts from an Ossec agent (Suse Linux) with
the message header "Successful sudo to ROOT executed", but the content
in the alert is for other Ossec agents (RDP servers).
 
The Email alert looks like this:

OSSEC Alert - Agent Name(Linux) - Level 14 - Successful sudo to ROOT 
executed

Received From: Agent Name->WinEvtLog
Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
Portion of the log(s):

2017 Aug 24 06:59:16 WinEvtLog: Security: AUDIT_FAILURE(4625): 
Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: 
An account failed to log on. Subject:  Security ID:  S-1-0-0  Account 
Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For 
Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  PHOENIX  Account 
Domain:Failure Information:  Failure Reason:  %%2313  Status:  
 0xc06d  Sub Status:  0xc064  Process Information:  Caller Process 
ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name:  
 Source Network Address: -  Source Port:  -  Detailed Authentication 
Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  
Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This 
event is generated when a logon request fails. It is generated on the 
computer where access was attempted.



Could anyone provide any info on this? Any help is appreciated.

Many Thanks
