[ossec-list] Re: osssec-dbd problems
Hi Thomas,

If OSSEC is not able to store the alerts in the database, it is supposed to write the error to ossec.log and keep trying until it works (so you will not lose any alerts). As for it just stopping, we would need more information to try to debug it. Only ossec-dbd stopped or all ossec processes?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 12, 2007 5:27 AM, Tomas Olsson wrote:

Tomas Olsson wrote:

Hi,

I am running OSSEC 1.4 storing the alerts on MySQL but it seems not to be robust enough for using on my PowerBook. I started running OSSEC this last Friday and today I still get email alerts but there are no alerts stored in the database. I have both OSSEC and MySQL running on my PowerBook. When I look at what processes are running, ossec-dbd is not running but there is no error message in the ossec.log telling when it stopped. Now I have restarted ossec and it seems to work as it should. Maybe OSSEC cannot handle that I bring the computer home where it gets a completely different IP address although I use 'localhost' as hostname in the configuration file?

/Tomas

And what would happen if the MySQL server is not reachable from a computer? I would like to monitor computers that store their alerts in a MySQL database, but if the MySQL server is not reachable the alerts should be queued until the server is available again.

/Tomas
[ossec-list] Re: Windows rootcheck
Hi Chris,

Thanks for the information. This is indeed a false positive and can easily be ignored by adding the following local rule:

  <rule id="100101" level="0">
    <if_sid>510</if_sid>
    <match>^NTFS Alternate data stream found</match>
    <regex>Program Files/Exchsrvr/Mailroot/</regex>
    <description>Ignored common NTFS ADS entries.</description>
  </rule>

I will make sure to add that to the default list of valid ADS for the next version...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 4, 2007 1:20 PM, Chris Buechler wrote:

On 11/3/07, Dennis Borkhus-Veto wrote:

I have received the following error on a win 2003 svr with exchange 2003. How should I go about checking this?

  rootcheck
  Rule: 510 fired (level 7) - Host-based anomaly detection event (rootcheck).
  Portion of the log(s):
  NTFS Alternate data stream found: 'C:\/Program Files/Exchsrvr/Mailroot/vsi 1/Queue/NTFS_63bb493301c81d7f0d86.EML:PROPERTIES-LIVE'. Possible hidden content.

This is your Exchange SMTP queue. It uses alternate data streams to function. From http://technet.microsoft.com/en-us/library/bb124461.aspx:

"Messages are categorized only once. For messages in the \Queue folder on the file system, the categorizer uses alternate data streams, a little known NTFS feature, to persist the MailMsg property stream, which includes message envelope and categorization information. Alternate data streams enable data storage in hidden files, which are linked to a visible file on an NTFS partition. When the SMTP service cannot transfer a message immediately and must retry at a later time, the message is saved and closed. Part of that operation involves saving the existing MailMsg property stream, so that it can be reloaded and used when the message transfer is retried. However, if you must categorize a message again (for example, if it is queued for a destination server that no longer exists) you will notice that categorization is not performed a second time."

So this is normal. I'm not familiar enough with OSSEC yet to tell you how to silence this, but hopefully somebody else will weigh in on that.

Chris
[ossec-list] Re: Possible bug in ossec-rootcheck on CentOS 5
Hi Peter,

These are false positives for sure. I will make sure to fix it for the next version. Thanks for letting us know.

*if you can, please open a bug about it at: http://www.ossec.net/bugs/

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 3, 2007 11:09 AM, Peter M. Abraham wrote:

Greetings:

CentOS 5 uses /dev/.udev/

I believe the following are false positives:

  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@device-mapper' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda2' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda3' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda7' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda6' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda8' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda5' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@sda4' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@usbdev3.1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@usbdev2.1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@usbdev4.1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@usbdev1.1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@usbdev4.3' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@usbdev2.3' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@[EMAIL PROTECTED]' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@msr1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@mice' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@msr0' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@cpu0' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/db/[EMAIL PROTECTED]@cpu1' present on /dev. Possible hidden file.
  [FAILED]: File '/dev/.udev/uevent_seqnum' present on /dev. Possible hidden file.

If these are false positives, please fix in the next version of ossec-rootcheck.

Thank you.
[ossec-list] Re: Windows Audit
Hi Dennis,

This is very easy to do with a local rule. You just need to match based on the policy you added and the agents you are interested in monitoring. Example:

  <rule id="100122" level="10">
    <if_sid>512</if_sid>
    <match>My custom process check</match>
    <hostname>agent1|agent2|agent3</hostname>
    <description>Windows Audit event test.</description>
    <group>rootcheck,</group>
  </rule>

If you can show us a sample of the alerts you are getting, we can help you write a real rule for it...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 2, 2007 9:08 AM, Dennis Borkhus-Veto wrote:

Yes, this is in Ossec now, but the windows audit file affects all of the Windows agents. I want to watch processes that are not on all of the machines, so now if I watch, say, IIS it has to be running on all of the windows agents or I will get alerts on it.

Sincerely,
Dennis Borkhus-Veto
Systems Administrator
MEE Material Handling L.L.C

-----Original Message-----
From: ossec-list@googlegroups.com On Behalf Of Peter M. Abraham
Sent: Thursday, November 01, 2007 8:32 PM
To: ossec-list
Subject: [ossec-list] Re: Windows Audit

Greetings Dennis:

If I understand your question correctly, are you asking to be alerted if a process fails or otherwise was running and then stops?

If yes, does the process in question record anything in a log file?

If not in a log file, if you are comfortable scripting, you might be able to write something to regularly write the process tree to a file, and do a regular expression against the process name that should be running; when not present, then alert.

Thank you.
[ossec-list] Re: v 1.4
Hi Herb,

Every alert is sent to the database, including integrity checking events. A quick SQL to get all files that were changed is (for postgresql):

  SELECT to_timestamp(timestamp), rule_id, location.name, full_log
  FROM alert, location, data
  WHERE location.id = alert.location_id
    AND data.id = alert.id
    AND data.server_id = alert.server_id
    AND (rule_id = 550 OR rule_id = 551 OR rule_id = 552 OR rule_id = 553);

  2007-08-28 00:14:29-03 | 550 | (esqueleto) 192.168.2.99-syscheck | Integrity checksum changed for: `/etc/postgresql/8.1/main/pg_hba.conf`
  2007-08-28 00:14:35-03 | 550 | (esqueleto) 192.168.2.99-syscheck | Integrity checksum changed for: `/etc/postgresql/8.1/main/postgresql.conf`
  2007-08-28 21:47:41-03 | 550 | (esqueleto) 192.168.2.99-syscheck | Integrity checksum changed for: `/var/ossec/etc/internal_options.conf`
  2007-08-29 22:23:49-03 | 551 | (esqueleto) 192.168.2.99-syscheck | Integrity checksum changed for: `/var/ossec/etc/ossec.conf`
  2007-08-30 06:31:43-03 | 550 | (winhome) 192.168.2.190-syscheck | Integrity checksum changed for: `C:WINDOWS/system32/drivers/etc/hosts`

*for MySQL it would be something like:

  SELECT FROM_UNIXTIME(timestamp) time, rule_id, location.name location, INET_NTOA(src_ip) srcip, full_log
  FROM alert, location, data
  WHERE location.id = alert.location_id
    AND data.id = alert.id
    AND data.server_id = alert.server_id
    AND rule_id = 550;

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Oct 30, 2007 5:45 PM, Herb Steck wrote:

I'm glad to see that Ossec is finally able to log to a mysql database. I do have a question though. What all is sent to the database? I am using Ossec strictly for the hids capability. But it looks like only the log alerts like the windows event logs or syslogs are sent to the database. What I am really looking for is to be able to create a report of files that have changed on each host within the past 24 hours, past week, past 30 days, etc. Was hoping I could pull this information out of the database. Is this data being sent or is it still in the flat log files?

Thanks
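As an added example (not from the thread and not OSSEC's own code), the Python below runs the same alert/location/data join against a simplified SQLite stand-in for the schema and adds the time window Herb asked about, so one call answers which files changed on which host in the last N hours. The table definitions hold only the columns the posted query touches, and the rows are constructed sample data.

```python
"""Syscheck change report over the OSSEC alert database (added example).

Reuses the join shown in the post (alert, location and data keyed on
id + server_id, filtered to the syscheck rules 550-553) and adds a time
window. The schema is a simplified SQLite stand-in, an assumption that
keeps only the columns that query touches; the rows are constructed.
"""
import re
import sqlite3
import time

SYSCHECK_RULES = (550, 551, 552, 553)
PATH_RE = re.compile(r"Integrity checksum changed for: `([^`]+)`")

# Constructed reference time: 2007-10-24 00:00:00 UTC, so results are reproducible.
NOW = 1193184000

SCHEMA = """
CREATE TABLE location (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE alert (id INTEGER, server_id INTEGER, timestamp INTEGER,
                    rule_id INTEGER, location_id INTEGER);
CREATE TABLE data (id INTEGER, server_id INTEGER, full_log TEXT);
"""


def open_sample_db(now=NOW):
    """Create an in-memory database populated with constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO location VALUES (?, ?)", [
        (1, "(hostA) 192.0.2.10->syscheck"),
        (2, "(winbox) 192.0.2.20->syscheck"),
        (3, "(hostA) 192.0.2.10->/var/log/messages"),
    ])
    conn.executemany("INSERT INTO alert VALUES (?, ?, ?, ?, ?)", [
        (1, 1, now - 3600, 550, 1),           # one hour ago
        (2, 1, now - 5 * 86400, 551, 1),      # five days ago
        (3, 1, now - 600, 1002, 3),           # a syslog alert, not syscheck
        (4, 1, now - 7200, 553, 2),           # two hours ago, Windows agent
    ])
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", [
        (1, 1, "Integrity checksum changed for: `/etc/passwd`"),
        (2, 1, "Integrity checksum changed for: `/etc/ossec.conf`"),
        (3, 1, "Oct 24 00:10:00 hostA kernel: Unknown problem somewhere in the system."),
        (4, 1, "Integrity checksum changed for: `C:\\WINDOWS/system32/drivers/etc/hosts`"),
        # Same alert id on a different server: the composite key must keep it out.
        (4, 2, "Integrity checksum changed for: `/tmp/not-this-one`"),
    ])
    conn.commit()
    return conn


def changed_files(conn, since_hours, now=None):
    """Return [(time, rule_id, location, path)] for syscheck alerts in the window."""
    now = int(time.time()) if now is None else now
    cutoff = now - since_hours * 3600
    marks = ",".join("?" * len(SYSCHECK_RULES))
    sql = f"""
        SELECT datetime(alert.timestamp, 'unixepoch'), alert.rule_id,
               location.name, data.full_log
        FROM alert, location, data
        WHERE location.id = alert.location_id
          AND data.id = alert.id
          AND data.server_id = alert.server_id
          AND alert.rule_id IN ({marks})
          AND alert.timestamp >= ?
        ORDER BY alert.timestamp
    """
    report = []
    for when, rule_id, loc, full_log in conn.execute(sql, (*SYSCHECK_RULES, cutoff)):
        m = PATH_RE.search(full_log)
        # Fall back to the raw log text if the message layout ever changes.
        report.append((when, rule_id, loc, m.group(1) if m else full_log))
    return report


def per_host(report):
    """Group changed paths by location so each host gets its own list."""
    hosts = {}
    for _, _, loc, path in report:
        hosts.setdefault(loc, []).append(path)
    return hosts


if __name__ == "__main__":
    db = open_sample_db()
    for hours in (24, 24 * 7, 24 * 30):
        print(f"--- last {hours} h ---")
        for loc, paths in per_host(changed_files(db, hours, now=NOW)).items():
            print(loc, paths)
```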
[ossec-list] Re: OSSEC v1.4 Available
Hi Peter,

OSSEC will use the IP address specified by the kernel to access that specific destination (the server). So, if you have two IPs in different interfaces configured to be in the same network, your internal routing is going to be all messed up.

A simple way to fix that is to configure the agent IP (when running the manage_agents tool) to be a network instead of a unique address (like 192.168.2.0/24):

http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs

That should fix the problem (you will need to re-import the new key in the agent too).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/30/07, Peter M. Abraham wrote:

Greetings Daniel:

Thank you for your thanks.

On a CentOS 3 server where I upgraded from 1.3 to 1.4, I'm having a problem where the agent is trying to communicate via one of the bound IPs to the server, but not the primary IP address. So on the server, I'm getting:

  2007/10/30 11:48:51 ossec-remoted(1213): Message from xxx.xxx.xxx.xxx not allowed

where the IP is not the primary network card IP (which is bound to eth0).

How can I fix this problem?

Thank you.
[ossec-list] Re: Support for CheckPoint Firewall-1
Hi,

It is currently not officially supported, but Dean Takemori wrote some decoders for it already:

http://www.ossec.net/bugs/show_bug.cgi?id=60

The only reason why it is not in there is because of the lack of testing and sample logs. If you can share some of your logs, it can be very helpful..

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/31/07, carlopmart wrote:

Hi all,

Is cp firewall-1 log format supported? If not, is there some option to record alerts via ossec-agent to ossec-server?

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
[ossec-list] Re: Clients don't work when OSSEC server is in High Availability?
Hi Timothy,

I can't help you much with the iptables rules, but you could try using the local_ip option in the server config to specify the IP address for OSSEC to use (in your case the ip of eth0:1).

*example for ip 10.2.3.4:

  <remote>
    <local_ip>10.2.3.4</local_ip>
  </remote>

http://www.ossec.net/main/manual/#remote_options

As for OSSEC analyzing the dst ip of the incoming packet and using that for the reply, I will take a look into implementing that (for v1.5)...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/25/07, Timothy Meader wrote:

David, thanks for the reply. I've tried adding that line to my iptables config (came up with a similar example after a web search), but every time I do, I'm no longer able to start up iptables due to an error about "seems to have a -t table option" when I run /etc/init.d/iptables start. Admittedly, I don't know enough about iptables syntax, but could you provide more explicit instruction on WHERE to add that line? My actual /etc/sysconfig/iptables file is in the message below (and my original message). Where in that file would that line fit in?

Thanks in advance.

PS - I'd posted to the Linux-HA list as well for any possible help, and one user stated that perhaps OSSEC isn't acting the way a program should in order to run properly on a multi-homed system. They stated that, in multi-homed cases, OSSEC should ideally be analyzing the original dstip for packets it processes, and send all outgoing responses with a matching srcip to avoid all this hassle. Is there anyone that should be contacted to hopefully get OSSEC set up using the proper behavior for HA or multi-homed systems? As it continues to increase in popularity, I can see this only increasing as a problem.

At 11:01 AM 10/25/2007, you wrote:

Tim,

I think you need to add a SNAT rule to use iptables for this. I'm not in a position to test this but I think something like this may work for you:

  -t nat -A POSTROUTING -o eth0 -p udp --dport 1514 -j SNAT --to xxx.xxx.xxx.29

The intent (as I said, I can't check this) is to add to the nat table a postrouting rule for udp output on eth0 to port 1514 that jumps to source network address translation setting the source address to be xxx.xxx.xxx.29.

I hope that at least points you in the right direction.

-David

Timothy Meader wrote:

Hello,

I'm having an issue that I'm hoping someone could provide me some help on. To give a brief synopsis of the situation: We originally had a single server setup running OSSEC. Last week, we decided to combine this server with another two that were running as a simple log server (in high availability fail-over mode using heartbeat) to make better use of the existing systems. The log server portion is running on the virtual IP xxx.xxx.xxx.7 on eth0:0, the OSSEC server is set up to run on a secondary virtual IP, xxx.xxx.xxx.29, on eth0:1. When running on a single server, OSSEC worked fine. But now, the clients refuse to communicate properly with the server.

  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :RH-Firewall-1-INPUT - [0:0]
  -A INPUT -j RH-Firewall-1-INPUT
  -A FORWARD -j RH-Firewall-1-INPUT
  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
  -A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
  -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
  -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 720 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5514 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5140 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8000:8001 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8089 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
  COMMIT

---
Tim Meader
L-3 Communications, NASA EOS Security Operations
(301) 614-6371

--
___ GPG (http
[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
Hi Steve,

That's definitely the problem. Our decoders for proftpd expect the syslog format (with program name, hostname, etc), which is not present in there... OSSEC currently does not support multilog (that you are using), but it is in our todo list for the future. If you can share a full set of logs (plus their location) of your proftpd, it will help us when adding support for it.

*for the time being, you can probably change the proftpd config to log directly to syslog...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/25/07, Steve West wrote:

Daniel Cid wrote:

Hi Steve,

Are the alerts being generated based on your rule?

No. I don't see anything in /var/ossec/logs/alerts/alerts.log regarding my attempts. I have ossec monitoring my proftpd logs /var/log/proftpd/current but maybe my log file format is not compatible w/ ossec. Here is a sample of my proftpd log file entries which should have invoked my custom rule:

  @4000471f54bc2f83d75c localhost (70.108.23.105[70.108.23.105]) - FTP session opened.
  @4000471f54bc352c4ff4 localhost (70.108.23.105[70.108.23.105]) - no such user 'anonymous'
  @4000471f54bc352cc13c localhost (70.108.23.105[70.108.23.105]) - USER anonymous: no such user found from 70.108.23.105 [70.108.23.105] to xxx.xxx.xxx.:21
  @4000471f54be1b68039c localhost (70.108.23.105[70.108.23.105]) - FTP session closed.
  @4000471f54be228d6bbc localhost (70.108.23.105[70.108.23.105]) - FTP session opened.
  @4000471f54be251d9834 localhost (70.108.23.105[70.108.23.105]) - mod_delay/0.5: delaying for 26 usecs
  @4000471f54be29cd1a6c localhost (70.108.23.105[70.108.23.105]) - no such user 'anonymous'
  @4000471f54be29cd782c localhost (70.108.23.105[70.108.23.105]) - USER anonymous: no such user found from 70.108.23.105 [70.108.23.105] to xxx.xxx.xxx.:21
  @4000471f54be29ce4f04 localhost (70.108.23.105[70.108.23.105]) - mod_delay/0.5: delaying for 46 usecs
  @4000471f54c62ad67034 localhost (70.108.23.105[70.108.23.105]) - FTP session closed.

Could it be that my multilog file format is responsible?

thx,
SW

You need to make sure that the srcip is present in the alert (meaning that it was decoded properly), otherwise the active response is not going to fire.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/24/07, Steve West wrote:

Michael Starks wrote:

Try 21 or 22 invalid logins in 60 seconds.

-Mike

Hi Mike,

Thanks for the suggestion! I tried over 25 invalid logins and still ossec active response doesn't fire. Not really sure why but I think it might be related to my rule or the underlying proftpd group rule 11200.

SW
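An added example, not part of the thread and not OSSEC code: a converter that decodes multilog's TAI64N label and re-emits each line with the syslog header (timestamp, hostname, program name) the proftpd decoder expects, while rejecting lines whose label is malformed instead of passing them on. The hostname and program name in the header are parameters, and the sample lines (including one with a truncated label) are constructed.

```python
"""Rewrite daemontools multilog lines into a syslog layout (added example).

multilog prefixes every line with a TAI64N label ('@' + 24 hex digits) and
never writes the hostname/program header that syslog-style decoders key on.
This decodes the label and prepends such a header. Assumptions: the
program name "proftpd" and the hostname are parameters; SAMPLE is constructed.
"""
import re
from datetime import datetime, timezone

# '@' + 16 hex digits (TAI64 seconds) + 8 hex digits (nanoseconds) + space + message
TAI64N_RE = re.compile(r"^@([0-9a-f]{24}) (.*)$")
# daemontools' libtai stamps 2^62 + 10 + unix_time (tai_unix), so this offset
# recovers a unix timestamp rather than a leap-second-exact TAI value.
TAI64_UNIX_OFFSET = (1 << 62) + 10


def tai64n_to_datetime(label):
    """Decode a 24-hex-digit TAI64N label into an aware UTC datetime."""
    if len(label) != 24:
        raise ValueError(f"TAI64N label must be 24 hex digits, got {len(label)}")
    secs = int(label[:16], 16) - TAI64_UNIX_OFFSET
    nanos = int(label[16:], 16)
    if secs < 0 or nanos >= 1_000_000_000:
        raise ValueError("TAI64N label out of range")
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
    return stamp.replace(microsecond=nanos // 1000)


def multilog_to_syslog(line, host="localhost", program="proftpd"):
    """Return '<Mon dd HH:MM:SS> <host> <program>: <msg>' or None if unparseable."""
    m = TAI64N_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        when = tai64n_to_datetime(m.group(1))
    except ValueError:
        return None
    # Classic syslog pads the day with a space, not a zero ("Oct  4").
    header = f"{when:%b} {when.day:2d} {when:%H:%M:%S} {host} {program}:"
    return f"{header} {m.group(2)}"


def convert_lines(text, **kw):
    """Convert a block of multilog text; return (converted_lines, skipped_count)."""
    out, skipped = [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        conv = multilog_to_syslog(raw, **kw)
        if conv is None:
            skipped += 1
        else:
            out.append(conv)
    return out, skipped


# Constructed sample: three valid labels, one label truncated to 20 hex digits
# (the shape the archived thread shows) and one line with no label at all.
SAMPLE = """\
@40000000471f54bc2f83d75c localhost (192.0.2.10[192.0.2.10]) - FTP session opened.
@40000000471f54bc352c4ff4 localhost (192.0.2.10[192.0.2.10]) - no such user 'anonymous'
@40000000471f54bc352cc13c localhost (192.0.2.10[192.0.2.10]) - USER anonymous: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21
@4000471f54be1b68039c localhost (192.0.2.10[192.0.2.10]) - FTP session closed.
this line carries no multilog label
"""

if __name__ == "__main__":
    lines, bad = convert_lines(SAMPLE)
    print("\n".join(lines))
    print(f"skipped {bad} line(s) without a usable TAI64N label")
```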
[ossec-list] Re: Strange behaviour with some agents...
Hi again

It worked!! Thanks for your help.

Michael Starks wrote:

Daniel Rubio wrote:

In the last days I've been having problems contacting some ossec agents. I changed some directory permissions, but afterwards I recovered from backup, reinstalled, upgraded, re-created the agents... but some agents still don't contact the server.

Daniel,

As David has noted, this seems to be a problem with the rids. This should help:

http://www.ossec.net/ossec-list/2007-January/msg00034.html

Regards,
Mike

--
Daniel Rubio Rodríguez
OASI (Organisme Autònom Per la Societat de la Informació)
c/ Assalt, 12
43003 - Tarragona
Tef.: 977.244.007 - Fax: 977.224.517
e-mail: drubio a oasi.org
[ossec-list] Strange behaviour with some agents...
In the last days I've been having problems contacting some ossec agents. I changed some directory permissions, but afterwards I recovered from backup, reinstalled, upgraded, re-created the agents... but some agents still don't contact the server.

It's a bit confusing: in the web interface, these clients don't appear (previously I think they appeared as inactive). I looked at the firewall but there don't seem to be communication problems. I don't know what to do...

In the ossec log for one of these clients, appears (nightly 1.4 release):

  2007/10/24 11:19:21 ossec-agentd: Duplicate error: global: 25, local: 8838, saved global: 26, saved local:7118
  2007/10/24 11:19:21 ossec-agentd(1407): Duplicated counter for 'DB'.
  2007/10/24 11:19:21 ossec-agentd(1214): Problem receiving message from 192.168.200.245.
  2007/10/24 11:19:30 ossec-agentd: Duplicate error: global: 25, local: 8839, saved global: 26, saved local:7118
  2007/10/24 11:19:30 ossec-agentd(1407): Duplicated counter for 'DB'.
  2007/10/24 11:19:30 ossec-agentd(1214): Problem receiving message from 192.168.200.245.
  2007/10/24 11:19:35 ossec-agentd(4101): Waiting for server reply (not started).

In other (1.1):

  2007/10/24 12:36:39 ossec-syscheckd(1702): No directory provided for 'directories' element.
  2007/10/24 12:36:39 ossec-execd(1350): Active response disabled. Exiting.
  2007/10/24 12:36:39 ossec-syscheckd(1702): No directory provided for 'directories' element.
  2007/10/24 12:36:39 ossec-syscheckd: Syscheck disabled. Exiting.
  2007/10/24 12:36:45 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
  2007/10/24 12:36:45 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
  2007/10/24 12:36:45 ossec-logcollector(1950): Analyzing file: '/var/adm/messages'.
  2007/10/24 12:36:45 ossec-logcollector: Started (pid: 4314).
  2007/10/24 12:36:49 ossec-logcollector: Process locked. Waiting for permission...

Actually, the server is a nightly 1.4 release

--
Daniel Rubio Rodríguez
OASI (Organisme Autònom Per la Societat de la Informació)
c/ Assalt, 12
43003 - Tarragona
Tef.: 977.244.007 - Fax: 977.224.517
e-mail: drubio a oasi.org
[ossec-list] Re: Ossec on windows
Hi Marco,

It is in the changelog of the version 1.3:

http://www.ossec.net/announcements/v1.3-2007-08-08.txt

-Fixed file descriptor leak on the Windows agent while reading the Windows registry. (Reported by Luke Bradeen lbradeen at suresource.com)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/24/07, Marco Supino wrote:

Where can I find this info? I couldn't find anything in the changelog.

Marco.

From: ossec-list@googlegroups.com On Behalf Of McClinton, Rick
Sent: Wednesday, October 24, 2007 17:05
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: Ossec on windows

Yes, it is due to a resource pool leak in those versions. Upgrade to 1.3.

From: ossec-list@googlegroups.com On Behalf Of Marco Supino
Sent: Wednesday, October 24, 2007 10:47 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Ossec on windows
Importance: Low

Hi,

I am having a problem with Ossec running on windows, versions 1.1 and 1.2: the machine stops working after a few weeks. The windows is running an agent connected to a central server. Messages like "not enough server storage is available to process this command" and things like that start showing up in the logs. I am not positive this is because of Ossec, but this has started happening on machines running it. Anyone else experience things like this?

Thanks
[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule
Hi Steve,

Are the alerts being generated based on your rule? If yes, can you show us the output of them? (from /var/ossec/logs/alerts.log). You need to make sure that the srcip is present in the alert (meaning that it was decoded properly), otherwise the active response is not going to fire.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/24/07, Steve West wrote:

Michael Starks wrote:

Try 21 or 22 invalid logins in 60 seconds.

-Mike

Hi Mike,

Thanks for the suggestion! I tried over 25 invalid logins and still ossec active response doesn't fire. Not really sure why but I think it might be related to my rule or the underlying proftpd group rule 11200.

SW
[ossec-list] Re: AIX 5.3 sshd logins and sudo
Hi Nerijus,

Can you refresh my memory regarding which pthread issues? We definitely want that fixed for the next version.

Anyone else using AIX in here to try out the new version? Link for v1.4 beta:

http://www.ossec.net/files/snapshots/ossec-hids-071023.tar.gz

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/23/07, Nerijus Krukauskas wrote:

Hi,

On 12/10/2007, Daniel Cid wrote:

I made some changes to the pre-decoders within ossec to support the syslog format from AIX. If you can try it out from:

http://www.ossec.net/files/snapshots/ossec-hids-071011.tar.gz

It should parse properly all these messages.

I took http://www.ossec.net/files/snapshots/ossec-hids-071018.tar.gz. It still has the same hassles with pthread.h includes. How do I check that it parses ssh messages correctly?

--
http://nk99.org/
[ossec-list] Re: Mysql database output
Hi Adjete,

Very strange error. It looks like your ossec-maild wasn't updated during the upgrade process. Can you try again with the v1.4 BETA2? More information about it at:

http://www.ossec.net/dcid/?p=114

You will need to run a few commands before the ./install.sh this time:

  $ cd ossec-hids-1.4
  $ cd src; make setdb; cd ..
  $ ./install.sh

http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/17/07, adjete wilson wrote:

i installed 1.4 beta and i'm still getting the error. ossec will only run if i remove the database output entry

  Starting OSSEC:
  2007/10/17 10:52:27 ossec-maild(1230): Invalid element in the configuration: 'database_output'.
  2007/10/17 10:52:27 ossec-maild(1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
  2007/10/17 10:52:27 ossec-maild(1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

On 10/15/07, adjete wilson wrote:

sorry for the confusion, that was just the generic output from the manual. I changed it to mysql as the option in my config.

On 10/14/07, Meir Michanie wrote:

you said that you want to log to mysql while the conf you sent says postgresql?

On 10/13/07, Rodrigo Montoro (Sp0oKeR) wrote:

Try http://www.ossec.net/dcid/?p=112

Regards,

On 10/13/07, Michael Starks wrote:

pipo02 wrote:

i'm using 1.3, which i thought support that option.

I don't think so. It's not in the changelog:

http://ossec.net/announcements/v1.3-2007-08-08.txt

--
Rodrigo Ribeiro Montoro
Security Analyst
SnortCP / RHCE / LPIC-I
http://spookerlabs.multiply.com

--
Adjete Wilson
[ossec-list] Re: Solved: troubleshooting syscheck suggestions?
Hi David,

Thanks for tracking this down. By default we ignore /proc to avoid this kind of problem, but we don't check for it in other places of the system. It would be nice to have this information in the wiki if you can post it in there (or anyone else). I will also look in the code to see if we can change anything to avoid it (maybe by looking at the proc filesystem or something like that)...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/17/07, David Williams wrote:

Adding an absurd amount of verbose() calls I tracked down my problem: I was trying to verify integrity of named files in my Fedora named chroot jail. read_dir() in create_db.c never finished in the /var/named/chroot/proc directory.

So if anyone else running named chrooted in /var/named/chroot adds

  <directories check_all="yes">/var/named</directories>

to ossec.conf, you probably want to add a corresponding

  <ignore>/var/named/chroot/proc</ignore>

I imagine this would be a problem for other chrooted software; however, once I tracked down where the problem was and added the ignore line, I stopped troubleshooting. It's not clear to me exactly why it was unhappy, but it is clear that checking the integrity of things in /proc does not make much sense -- those are too ephemeral.

-David

David Williams wrote:

Hi,

I have a small OSSEC installation and one of my agents won't check on more than one file. I've let it run for a while (a day or more). I'm getting alerts about logs so the communication between client and server is OK, and I see the syscheck file grow but only by one or two files for every restart of the agent. syscheck is running (status and top both report it working fine). Are there any troubleshooting tips I should try or do I just recreate the agent and see if that fixes it?

Thanks for any pointers,

-David

--
___ GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: OSSEC 1.3 and Windows 2003 64-bit Agent disconnects
Hi Peter,

From your log, it looks like the agent is working fine, but for some reason losing the connection to the server very often (and reconnecting right away). Are you getting events from this agent? Is there an entry for it at /var/ossec/queue/syscheck? Is your server reporting that the agent is going down?

It is funny that I saw this already on another Windows 2003 system, but could not reproduce it anywhere else...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/18/07, Peter M. Abraham wrote:

Greetings:

The steps listed on http://www.ossec.net/wiki/index.php/Errors:AgentCommunication worked for a CentOS 5, 64-bit machine; but did not work on Windows 2003, 64-bit.

  2007/10/17 21:12:00 ossec-agent: Assigning sender counter: 15:3287
  2007/10/17 21:12:00 ossec-agent: Connecting to server ([central server ip]:1514).
  2007/10/17 21:12:00 ossec-agent: Starting syscheckd thread.
  2007/10/17 21:12:00 ossec-rootcheck: Started (pid: 1108).
  2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
  2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
  2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
  2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
  2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
  2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
  2007/10/17 21:12:00 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
  2007/10/17 21:12:00 ossec-agent: Started (pid: 1108).
  2007/10/17 21:12:01 ossec-agent(4102): Connected to the server.
  2007/10/17 21:12:01 ossec-agent(1951): Analyzing event log: 'Application'.
  2007/10/17 22:29:55 ossec-agent: Event count after '2': 4135462- 3503968 (84%)
  2007/10/17 23:35:24 ossec-agent: Server unavailable. Setting lock.
  2007/10/17 23:35:25 ossec-agent: Server responded. Releasing lock.
  2007/10/18 00:27:26 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 00:27:29 ossec-agent: Server responded. Releasing lock.
  2007/10/18 01:32:46 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 01:32:47 ossec-agent: Server responded. Releasing lock.
  2007/10/18 02:51:07 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 02:51:08 ossec-agent: Server responded. Releasing lock.
  2007/10/18 03:23:39 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 03:23:42 ossec-agent: Server responded. Releasing lock.
  2007/10/18 03:56:13 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 03:56:14 ossec-agent: Server responded. Releasing lock.
  2007/10/18 05:20:58 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 05:20:59 ossec-agent: Server responded. Releasing lock.
  2007/10/18 06:06:30 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 06:06:33 ossec-agent: Server responded. Releasing lock.
  2007/10/18 06:39:04 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 06:39:05 ossec-agent: Server responded. Releasing lock.
  2007/10/18 07:11:36 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 07:11:39 ossec-agent: Server responded. Releasing lock.
  2007/10/18 07:44:09 ossec-agent: Server unavailable. Setting lock.
  2007/10/18 07:44:12 ossec-agent: Server responded. Releasing lock.

How can this be fixed?

Thank you.
[ossec-list] Re: How are rules enacted?
Hi John,

Rick explained it well: just edit your rules at local_rules.xml and restart the server when done. Nothing needs to be restarted on the agent side.

As for writing your own rules, the following document can be very helpful:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/12/07, John Hinton [EMAIL PROTECTED] wrote:
> I have set up a server/agents system. These are on CentOS systems, so it would be equivalent to RedHat EL servers.
>
> I'm wondering what needs to be done upon the edit of a rule. Does the server need to be restarted? Does each of the agents need to be restarted? Do the server and all of the agents need to be restarted? Or does the rule go into effect at the time of the edit, or maybe something is set to reread the rules at some time afterwards?
>
> Yes, I'm experimenting with rules and am trying to figure out if I have an 'order' situation, where one rule steps in before my new rule is enacted, which will likely be the topic of my next post after knowing the answer to this.
>
> Thanks for a great program!
>
> Best,
> John Hinton
[ossec-list] Re: ossec-.13 agent stopping by itself on CentOS 5 64-bit
Hi Peter,

I have ossec running on 64-bit systems without any problem (both Linux and OpenBSD). Are there any errors in your server log? The following links may help:
http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
http://www.ossec.net/wiki/index.php/Errors:1403

Btw, if that doesn't work, try our beta for the v1.4 to see if the problem persists...
http://www.ossec.net/files/snapshots/ossec-hids-071016.tar.gz

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/16/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
> Greetings:
>
> 2007/10/16 09:02:44 ossec-agentd: Started (pid: 7137).
> 2007/10/16 09:02:44 ossec-agentd: Connecting to server ([ossec server ip]:1514).
> 2007/10/16 09:02:46 ossec-syscheckd: Started (pid: 7145).
> 2007/10/16 09:02:46 ossec-rootcheck: Started (pid: 7145).
> 2007/10/16 09:02:50 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> 2007/10/16 09:02:50 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> 2007/10/16 09:02:50 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> 2007/10/16 09:02:50 ossec-logcollector(1950): Analyzing file: '/hsphere/local/var/httpd/logs/error_log'.
> 2007/10/16 09:02:50 ossec-logcollector(1950): Analyzing file: '/hsphere/local/var/httpd/logs/access_log'.
> 2007/10/16 09:02:50 ossec-logcollector: Started (pid: 7141).
> 2007/10/16 09:02:59 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/10/16 09:03:02 ossec-logcollector: Process locked. Waiting for permission...
> 2007/10/16 09:03:15 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/10/16 09:03:46 ossec-agentd(4101): Waiting for server reply (not started).
> 2007/10/16 09:04:32 ossec-agentd(4101): Waiting for server reply (not started).
>
> Then it fails. The ossec server is running ok. We have a similar problem with Windows 2003 64-bit edition.
>
> Please advise how we can get ossec to work on 64-bit operating systems.
>
> Thank you.
[ossec-list] Re: AIX 5.3 sshd logins and sudo
Hi Nerijus (and Carlos),

I made some changes to the pre-decoders within ossec to support the syslog format from AIX. If you can, try it out from:
http://www.ossec.net/files/snapshots/ossec-hids-071011.tar.gz

It should parse all these messages properly.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/11/07, Nerijus Krukauskas [EMAIL PROTECTED] wrote:
> Hi,
>
> On 11/10/2007, Daniel Cid [EMAIL PROTECTED] wrote:
>> We expect:
>>
>> Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
>>
>> While you have:
>>
>> Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
>>
>> Is this something special to your AIX config? Can you change it to the standard format? Any other AIX user in here with more information on this?
>
> Yep. AIX 5.3 that I am testing ossec on generates this:
>
> Oct 11 08:05:46 machine auth|security:info sshd[323808]: Accepted publickey for user from host port 37909 ssh2
>
> --
> http://nk99.org/
[ossec-list] Re: Centralized configuration on the server side
Hi,

We are not there yet :) Some of the configuration can be shared between the server and agents (everything under /var/ossec/etc/shared/, including rootkit check configs, active responses, application detection, etc), but not the main ossec.conf... Also, since we have all the rules on the server side, we don't need to share them...

I have some plans to improve that in the future, but currently it is not possible. Btw, what kind of configuration are you interested in changing on all agents?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/8/07, carlopmart [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have deployed 10 agents (all systems are xen guests: openbsd, linux and windows 2k3) and 1 server using OSSEC, and all works very very well. But I want to know how I can centralize all agent configurations on the server side (to modify only once or twice) and then distribute this config from the server automatically to the agents. Is it possible???
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
[ossec-list] Re: Re-installing OSSEC as an agent
Hi Andy,

The easiest way is to uninstall OSSEC and reinstall it as an agent. To uninstall, just do:

  # rm -rf /var/ossec/
  # rm /etc/ossec-init.conf

And re-run the install.sh...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/8/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi There,
>
> We've installed OSSEC as a local install on every server so far and did not use the server/agent model. This might have been a bad move, because we have all our servers running a local install of OSSEC and we now want to have a central management system so that white lists can easily be implemented on the server and rolled out to all agents. Just need some details about how to make this work. Do we just re-run install.sh and choose the agent installation, or do we have to totally uninstall OSSEC - and if we have to uninstall OSSEC, how do we do this?
>
> Thanks.
> Andy
[ossec-list] Re: My own rules
Hi Dan,

For your first rule, kernelgrsec is decoded as the program_name, so you need to change your rule to:

  <rule id="100010" level="0">
    <program_name>^kernelgrsec</program_name>
    <description>Kernelgrsec messages.</description>
  </rule>

*The regex and match tags only look at the log message after the syslog header.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/19/07, Dan [EMAIL PROTECTED] wrote:
> Hi
>
> Thanks for your help. I was able to make my own rules. But with some of them I have a problem :-(
>
> I have an application which reports to syslog and I need to match some of these messages. But every time the rule id 1002 is triggering (syslog with $badwords)!
>
> In the local_rules.xml I created a new group, <group name="syslog,errors,">, and entered my rules. For example:
>
> <rule id="100010" level="0">
>   <regex>kernelgrsec:|</regex>
>   <description>xxx</description>
> </rule>
>
> <rule id="100011" level="7">
>   <if_sid>100010</if_sid>
>   <match>^failure</match>
>   <description>xxx</description>
> </rule>
>
> The first rule won't generate an alert, but the second one should. But rule 1002 always triggers. What error is in my filters?
>
> Thanks for your help.
>
> Regards,
> Dan
>
> On 19.09.2007 at 03:18, Daniel Cid wrote:
>> Hi Daniel,
>>
>> Regarding how to write the rules, the following documents can help:
>> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
>> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On 9/18/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
>>> Greetings Daniel:
>>>
>>> Custom rules can be placed in /var/ossec/rules/local_rules.xml
>>>
>>> Thank you.
[ossec-list] Re: Syslog-NG with OSSEC Questions!
Hi Wilson,

OSSEC can definitely monitor your logs and generate alerts in real time. That's what it was written for :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/10/07, Wilson Lai [EMAIL PROTECTED] wrote:
> Dear ALL,
>
> I have now installed the Syslog-NG server for centralizing all syslog messages from windows and linux machines. And now, I am looking for a monitoring tool that could check the severity level of the incoming message and alert me through e-mail.
>
> Another question: once the event message has been sent to the Syslog-NG server, could OSSEC alert me by e-mail immediately (real time alerting)?
>
> Thanks.
>
> Regards,
> Wilson Lai
> System Engineer
> IT Dept., SJM
> Office: (853)2978585
> Mobile: (853)66506709
> Email: [EMAIL PROTECTED]
[ossec-list] Re: AIX 5.3 sshd logins and sudo
Hi Carlos,

OSSEC already has parsers for these logs, but they are coming in a non-standard syslog format. We expect:

  Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2

While you have:

  Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2

Is this something special to your AIX config? Can you change it to the standard format? Any other AIX user in here with more information on this?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/9/07, Carlos Eduardo Pedroza Santiviago [EMAIL PROTECTED] wrote:
> Hi,
>
> Below is an output of my sshd logins; it's currently an AIX 5.3:
>
> Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
>
> After that, I issue a sudo su, and then it gets logged as:
>
> Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su
> Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at /dev/pts/22
>
> Could this be added as a standard rule, or should I create a customized version here?
>
> More information about the system:
>
> (MACHINE:/var/log)$ uname -a
> AIX MACHINE 3 5 00C3541E4C00
> (MACHINE:/var/log)$ oslevel -r
> 5300-04
>
> thank you,
>
> --
> Carlos Eduardo Pedroza Santiviago
> http://softwarelivre.net | Step by step towards freedom!
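Added example, not code from this list or from OSSEC itself, covering two points made above: the AIX header format in this thread (the extra "auth|security:info" token between hostname and program name), and Daniel's remark in the "My own rules" thread that program_name is decoded from the syslog header while regex/match only see the message after it. The pre-decoder below splits the BSD syslog header, tolerates the AIX token, rewrites such a line into the standard form, and then runs a tiny rule tree (rules 100010/100011 from that thread). The matching semantics are a deliberate simplification (a leading ^ anchors, anything else is a substring test), not OSSEC's regex engine; the kernelgrsec line is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the redacted lines quoted in the AIX thread plus one
# constructed "kernelgrsec" line for the program_name rule from "My own rules".
SAMPLE_LINES = [
    "Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2",
    "Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2",
    "Oct 11 08:05:46 machine auth|security:info sshd[323808]: Accepted publickey for user from host port 37909 ssh2",
    "Sep 19 10:00:00 box kernelgrsec: failure: constructed test message",
]

# BSD syslog header with an optional AIX "facility:priority" token
# (e.g. "auth|security:info") sitting between the hostname and the program name.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<aix>[a-z]+(?:\|[a-z]+)*:[a-z]+) )?"
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def predecode(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a syslog line into header fields and the bare message, or None."""
    m = SYSLOG_HDR.match(line)
    return m.groupdict() if m else None


def normalize_aix(line: str) -> str:
    """Rewrite an AIX-style line into the standard form the thread says OSSEC
    expects. Lines that are already standard (or do not parse) are returned as-is."""
    f = predecode(line)
    if f is None or f["aix"] is None:
        return line
    pid = f"[{f['pid']}]" if f["pid"] else ""
    return f"{f['ts']} {f['host']} {f['prog']}{pid}: {f['msg']}"


def ossec_pattern(pattern: str, text: Optional[str]) -> bool:
    """Simplified stand-in for OSSEC's match/regex (assumption, not the real engine):
    a leading '^' anchors at the start, anything else is a plain substring test."""
    if text is None:
        return False
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


# Rule tree from the "My own rules" thread: Daniel's corrected rule 100010 on
# program_name, with Dan's rule 100011 (if_sid 100010, match ^failure) as its child.
RULES = [
    {"id": 100010, "level": 0, "program_name": "^kernelgrsec", "children": [
        {"id": 100011, "level": 7, "match": "^failure", "children": []},
    ]},
]


def evaluate(fields: Dict[str, Optional[str]], rules: List[dict]) -> Optional[Tuple[int, int]]:
    """Return (rule id, level) of the most specific matching rule, or None.
    program_name is tested against the decoded program, match against the
    message after the header, which is the point the thread makes."""
    for rule in rules:
        if "program_name" in rule and not ossec_pattern(rule["program_name"], fields["prog"]):
            continue
        if "match" in rule and not ossec_pattern(rule["match"], fields["msg"]):
            continue
        deeper = evaluate(fields, rule["children"])
        return deeper if deeper else (rule["id"], rule["level"])
    return None


def classify(line: str) -> Optional[Tuple[int, int]]:
    """Pre-decode (normalizing AIX lines first) and run the rule tree."""
    fields = predecode(normalize_aix(line))
    return evaluate(fields, RULES) if fields else None


def dans_regex_hits(line: str) -> bool:
    """Dan's first attempt, <regex>kernelgrsec:</regex>, is tested against the
    message body only, which no longer contains the program name, so it never hits."""
    f = predecode(line)
    return f is not None and ossec_pattern("kernelgrsec:", f["msg"])


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        std = normalize_aix(line)
        print(std)
        print("  program:", predecode(std)["prog"], " rule:", classify(line))
```

The second sample line normalizes to exactly the first one, which is what the pre-decoder change in the follow-up message achieves inside OSSEC; the kernelgrsec line ends in rule 100011 at level 7, while Dan's original regex on the message body finds nothing.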
[ossec-list] Re: alert_new_files problem
Hi John,

You need to add this configuration to the ossec server, not the agent (same for the auto_ignore option).

*Also, the alert will only come the next time syscheck runs (which is by default every 12 hours).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/9/07, PKTan [EMAIL PROTECTED] wrote:
> Hi,
>
> I am evaluating the OSSEC software and tried configuring the alert_new_files option in the syscheck configuration, but it didn't work. I created a c:\test folder with 2 files. Added the following to the windows ossec agent ossec.conf:
>
> <syscheck>
>   <frequency>60</frequency>
>   <directories check_all="yes">C:\test</directories>
>   <alert_new_files>yes</alert_new_files>
>   <auto_ignore>no</auto_ignore>
>   ...
> </syscheck>
>
> After restarting the agent, I added files into the c:\test directory, but OSSEC-SERVER didn't receive any new file alert. Can anyone advise what went wrong? Do I need to make any change to the server ossec.conf file? Your prompt reply is greatly appreciated.
>
> Thank you in advance.
>
> Regards
> John
[ossec-list] Re: [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7]
Hi Chad,

I would suggest ignoring this directory on the ossec server. Just add an additional line to the syscheck ignore:

  <ignore>C:\WINDOWS/system32/inetsrv/History</ignore>

It should solve it. For the next version, I will make sure it comes ignored by default...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/2/07, Chad Robertson [EMAIL PROTECTED] wrote:
> I didn't see a response for this. I'm having the same issue. Since upgrading to the latest version of OSSEC, many of my servers are generating this alert. See below.
>
> --
> OSSEC HIDS Notification.
> 2007 Oct 02 05:11:12
>
> Received From: (xx) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_030206_00.xml' was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Oct 02 05:11:12
>
> Received From: (xx) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_030207_00.xml' was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Oct 02 05:11:12
>
> Received From: (xx) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_030208_00.xml' was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> Thanks,
> -chad
>
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Clayton Dillard
> Sent: Wednesday, August 29, 2007 4:55 PM
> To: ossec-list
> Subject: [ossec-list] [Fwd: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7]
>
> Recently installed OSSEC agent on a Windows Server 2003 R2 box with MS SQL 2005 on it, as well as IIS. Getting this alert. Anyone got any insight as to whether this is normal, as IIS generates backups of the config and purges old ones?
>
> Thanks in advance,
> Clayton Dillard
>
> -------- Forwarded Message --------
> From: OSSEC HIDS [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: OSSEC Notification - (RPSSQL01) 10.10.1.253 - Alert level 7
> Date: Wed, 29 Aug 2007 14:55:08 EDT
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MBSchema_88_00.xml' was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
> Portion of the log(s):
>
> File 'C:\WINDOWS/system32/inetsrv/History/MetaBase_88_00.xml' was deleted. Unable to retrieve checksum.
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2007 Aug 29 14:54:56
>
> Received From: (RPSSQL01) x.x.x.x->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: 'C:\WINDOWS/system32/inetsrv/MetaBase.xml'
> Old md5sum was: 'ef3df1597cbd473280064e6b3d1cfc81'
> New md5sum is : 'fbe18ed853cfc84594097085c21a2c36'
> Old sha1sum was: '13613487f40d277c23438431269ae0e5fd761726'
> New sha1sum is : '2169491d00a7f7b2c498767e9c351d8ed9abfe4b'
>
> --END OF NOTIFICATION
>
> Clayton Dillard
> Director of Information Technology
> RPS Technology LLC
> Tel: 919-319-4301 x205
> Cell: 919-414-0265
> Fax: 919-882-8261
>
> The information in this e-mail, and any attachment therein, is confidential and for use by the addressee only. If you are not the intended recipient, please return the e-mail to the sender and delete it from your computer. Although RPS Technology attempts to sweep e-mail and attachments for viruses, it does not guarantee that either are virus-free and accepts no liability for any damage sustained as a result of viruses.
[ossec-list] Re: Syscheck enhancements
Hi Nick,

Reply inline...

On 10/2/07, Consolo, Nick [EMAIL PROTECTED] wrote:
> Hello,
>
> First of all thanks for all the work on ossec. It's a great product. I have two questions regarding the syscheck portion of the product.

Thanks :) I am glad you are enjoying it.

> 1. In the syscheck database it is recording the uid and gid of each file entered. Is it possible to modify the notifications to include these in file modification and creation notifications?

Currently it is not possible, but it is in our TODO list to add support for it... Just wait a few months :)

> 2. Is it possible to run the syscheck daemon in an active mode so it detects new files instantly, instead of running it periodically to detect them?

No, it is not possible. It would require some kernel (lkm) changes to be notified on every new addition to the monitored directories... I know it is possible to do on Windows, but on Linux, BSDs (and similar), it would require kernel hacking... Anyone interested in taking such a task? :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
[ossec-list] Re: Incorrectly formated message
Hi Jon,

Generally this is a problem with the keys. Take a look at the following pages in our FAQ:
http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
http://www.ossec.net/wiki/index.php/Errors:1403

If that doesn't help, try giving us the following info:
http://www.ossec.net/wiki/index.php/Community_manual:BugReport

*The logs from one of those agents and the server should be enough.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/28/07, Jon Whittington [EMAIL PROTECTED] wrote:
> Hello,
>
> I am getting the following error logged on the ossec server:
>
> ossec-remoted(1403): Incorrectly formated message from 'IP ADDRESS'
>
> I read a couple of other posts on this and followed the suggestions there (confirmed the correct key, confirmed the IP address in the client.key file). The message is caused by 2 Windows 2003 R2 x64 servers – I have another 2 identical servers working fine. Is there any information I can provide to aid in troubleshooting?
>
> Cheers,
> Jon
[ossec-list] Re: filter rules on host and log file?
Hi JM,

I think you are confusing it a bit. The logformat in the localfile configuration is only used to tell ossec how to read the logs, nothing else. In fact, the apache, squid and syslog formats act the same in there (all one-entry-per-line logs)...

What determines the category of them is the decoder. If the decoder reads a PIX log, it will set it to the firewall category, or if it reads an apache log, it will set it as web_log (look at the decoders.xml and the type tags).

Regarding your log, our decoder is not treating it properly as a firewall log because it has an additional hostname in there:

  Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname : %ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 to 1.2.3.4/56713 flags PSH ACK on interface outside

We support the PIX date format, but not an additional hostname. Take a look at the following link:
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_PIX

*Btw, you can keep the additional timestamp in there, but not the extra hostname.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/28/07, ubahmapk [EMAIL PROTECTED] wrote:
> This is a question I've been wondering: what logformat value should be used for a firewall rule, if it isn't syslog? I checked the source in localfile-config.c and I don't see any value there that indicates this is possible. The only values I see are: syslog, snort-full, snort-fast, apache, iis, squid, nmapg, and EVENTLOG. I can see where Philipp could change his logformat to apache or iis (since he is concerned with a webserver), but I'm getting 1002 on all my firewall entries, too.
>
> A bit of background: we use syslog-ng as our syslog server instead of the built-in ossec syslog server because syslog-ng gives us the ability to break out our logs into separate files, which is a great help when we are manually examining the logs during troubleshooting. I've added the files to be watched in the ossec.conf as syslog files.
>
> A sample log entry looks like:
>
> Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname : %ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 to 1.2.3.4/56713 flags PSH ACK on interface outside
>
> The first timestamp is the time on the syslog server and the second timestamp is from the original host. This allows some correlation if the time is off [1].
>
> Granted, I haven't been using OSSEC for very long and have a lot of reading in front of me, but I haven't found much in the way of logformat options, despite the fact that it's plastered everywhere that OSSEC supports such and such. Are all these supposed to go into syslog format? And does OSSEC have a problem with running a separate syslog server?
>
> Thanks for all your help.
>
> JM
>
> [1] Yes, we use NTP for time, but sometimes things go wrong and this double entry for time has proven to be a great help to us in the past.
>
> On Sep 27, 8:03 pm, Daniel Cid [EMAIL PROTECTED] wrote:
>> Hi Philipp,
>>
>> Sorry for the late reply... Catching up on e-mails :)
>>
>> Your web server logs should not be checked against rule 1002, which is exclusive to syslog messages. Internally, on ossec, we separate the logs per category (weblog, syslog, proxy, firewall, etc) and it wouldn't match Apache logs against syslog ones, unless the apache log is not being decoded properly.
>>
>> Can you show us a sample from your logs? Are they in a different format than the default apache one?
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
[ossec-list] Re: OSSEC alert to IDMEF
Hi Tomas,

Sebastien Tricaud sent us a patch to add support for IDMEF on ossec, so it can communicate with Prelude. If you are interested in alpha versions, you can try it out at:
http://www.ossec.net/files/snapshots/ossec-hids-070927.tar.gz

*Just need to run the following before compiling:

  cd src; make setprelude; cd ..;

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/25/07, Tomas Olsson [EMAIL PROTECTED] wrote:
> Hi,
>
> Has anybody done any work on converting OSSEC alerts into IDMEF (http://www.rfc-editor.org/rfc/rfc4765.txt)?
>
> /Tomas
[ossec-list] Re: Active Responses
Hi Andy,

The best way to ignore those is to write a local rule to ignore the event, instead of just ignoring them for the active response. Since you know it is a false positive, you don't need to be seeing alerts about them. Something like this would work (just copy to your local_rules.xml):

  <rule id="100101" level="0">
    <if_sid>31101</if_sid>
    <url>url1_to_ignore|url2_to_ignore</url>
    <description>Ignoring false positives...</description>
  </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Although it's good to enable active response for just the rules you want - is there a way to do the opposite, that allows you to add a rule that won't fire off active response (like an exception list)? For example, I am getting a lot of web customers who have embedded javascript code in their HTML files that does not exist - hence triggering Rule: 31151 (level 10) - 'Mutiple web server 400 error codes from same source ip.'. Because I have active response turned on, these unknowing customers' IPs are blocked after browsing to a few pages within the site because the web server can't find those java scripts. I know it's bad coding, but is there a way to exclude this rule from triggering active response without having to turn active response off?
>
> Thanks.
> Andy
[ossec-list] Re: OSSEC Email-notification: multiple email-addresses/recipients possible?
Hi,

Actually, this format will not work. You need to specify each email address in its own email_to tag:

  <email_to>[EMAIL PROTECTED]</email_to>
  <email_to>[EMAIL PROTECTED]</email_to>
  <email_to>xxx</email_to>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Yes it is. Try adding something like this to your ossec.conf file.
>
> <email_alerts>
>   <email_to>[EMAIL PROTECTED],[EMAIL PROTECTED]</email_to>
>   <rule_id>12</rule_id>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> On Sep 21, 5:08 pm, Verlag Neue Stadt [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> is it possible to define several email-addresses/recipients (where email-notifications are being sent)?
>>
>> Thanks a lot for your feedback!
>> John
[ossec-list] Re: OSSEC server down: do agents continue to check integrity?
Hi Tim,

They will continue forever :) Basically, we don't queue the logs in memory, but we just store the location (pointer) of the last log that was read (and for integrity checking, the last file checked). When the server is back, we continue where we left off...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/20/07, Tim Slighter [EMAIL PROTECTED] wrote:
> I would be interested in knowing just how long (time or in terms of amount of data in queue) the agents will continue to queue up while the OSSEC server is down.
>
> On 9/20/07, David Williams [EMAIL PROTECTED] wrote:
>> John,
>>
>> My understanding and experience of the architecture is that the server does all the checking and alerting. The clients pass along to the server what might be interesting information: log entries and file metadata. The server decides what of the information is important enough to alert about.
>>
>> So while the server is down, the agents will continue to queue up interesting information. When the server comes back on-line, the agents send their information to the server and it decides what to send out alerts (or active responses) about.
>>
>> So the agents will continue to check the metadata about their files -- but the server holds the file integrity database for the agents. The agents don't know if a file has changed or not, the server determines that. Once the server is back, it will compare the information the agents send about files with the database to determine what has changed.
>>
>> I hope that helps,
>> -David
>>
>> Verlag Neue Stadt wrote:
>>> Hello,
>>>
>>> we are contemplating using OSSEC and would like to know: What happens if the OSSec server is down, are the clients able to continue to check the integrity of the client/agent?
>>>
>>> Thanks a lot for any feedback!
>>>
>>> John
>>
>> --
>> GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: ossec logrotate
Hi Dan,

The rotation of the OSSEC logs happens at the end of each day (as soon as the day changes). It will generate the checksum of the log and gzip it (alerts.log is just a link to the current day log at /var/ossec/logs/alerts/Year/Month/day). Your tool just needs to check when the inode of the alerts.log changes and re-open it...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/19/07, Dan [EMAIL PROTECTED] wrote:
> Hi list
>
> How is the log rotation of ossec built? I use an external tool to check the alerts.log, and with the log rotation it could happen that I lose events. Is there any chance to configure the timing myself or to start the rotation myself?
>
> Regards,
> Dan
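Added example, not code from this list or from OSSEC: a small Python follower that does what Daniel describes, watching the inode that alerts.log resolves to and re-opening when it changes, while holding back a half-written line until its newline arrives so no record is lost or split across the day change. The demo recreates the rotation in a temporary directory by swapping the symlink atomically; the alert lines it writes are constructed, not real OSSEC output, and a production tool would seek to the end of the file on first open instead of reading it from the start.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple


class RotationAwareTailer:
    """Follow a log path across rotations by watching the inode it resolves to.

    alerts.log is a symlink to the current day's file and the link is re-pointed
    when the day changes. os.stat() follows the link, so a changed (st_dev, st_ino)
    means "reopen". Bytes left in the old file are drained first, and a trailing
    partial line is held back until its newline arrives, so callers only ever see
    complete alert lines.
    """

    def __init__(self, path: str) -> None:
        self.path = path
        self.fh = None
        self.ident: Optional[Tuple[int, int]] = None
        self.buf = b""

    def _current_ident(self) -> Optional[Tuple[int, int]]:
        try:
            st = os.stat(self.path)  # follows the symlink to today's file
        except FileNotFoundError:
            return None
        return (st.st_dev, st.st_ino)

    def _reopen_if_rotated(self) -> bool:
        ident = self._current_ident()
        if ident is None or ident == self.ident:
            return False
        if self.fh is not None:
            self.buf += self.fh.read()  # drain what the old file still holds
            self.fh.close()
        self.fh = open(self.path, "rb")
        self.ident = ident
        return True

    def poll(self) -> List[str]:
        """Return the complete lines written since the last poll."""
        self._reopen_if_rotated()
        if self.fh is None:
            return []
        self.buf += self.fh.read()
        parts = self.buf.split(b"\n")
        self.buf = parts.pop()  # incomplete tail (b"" if the data ended with "\n")
        return [p.decode("utf-8", "replace") for p in parts]


def demo() -> Dict[str, object]:
    """Simulate the day change in a temp dir: write to day 1, swap the symlink to
    day 2 atomically, and check nothing is lost or emitted half-written.
    The alert lines below are constructed, not real OSSEC output."""
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "alerts.log")
        day1 = os.path.join(d, "ossec-alerts-01.log")
        day2 = os.path.join(d, "ossec-alerts-02.log")
        tailer = RotationAwareTailer(link)

        with open(day1, "wb") as f:
            f.write(b"** Alert 1190000000.0: - syslog,\n"
                    b"Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'\n")
        os.symlink(day1, link)
        first = tailer.poll()

        # A half-written record must not be emitted until its newline arrives.
        with open(day1, "ab") as f:
            f.write(b"** Alert 1190000001.0: - sys")
        partial = tailer.poll()
        with open(day1, "ab") as f:
            f.write(b"log,\n")
        completed = tailer.poll()

        # Day change: new file, symlink replaced atomically, old file untouched.
        with open(day2, "wb") as f:
            f.write(b"** Alert 1190086400.0: - ossec,\n")
        tmp = link + ".tmp"
        os.symlink(day2, tmp)
        os.replace(tmp, link)
        after = tailer.poll()
        reopened = tailer.ident == (os.stat(day2).st_dev, os.stat(day2).st_ino)
        tailer.fh.close()

    return {"first": first, "partial": partial, "completed": completed,
            "after": after, "reopened": reopened}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Polling (st_dev, st_ino) rather than the path is what makes the re-pointed symlink visible; a follower that only keeps its original file descriptor would keep reading the finished day-1 file and never see the new day's alerts.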
[ossec-list] Re: Granular Email Options
Hi,

It is currently not possible. The design we chose is that every e-mail alert will go to the main address specified in the global section (the alerts that should be e-mailed are set in the email_alert_level option or within a specific rule). It is from within these e-mails that we filter with the granular e-mail options... So, if in the granular option you choose to email everything above level 1, only the ones above email_alert_level will in fact be e-mailed.

Does it make sense?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Adding to this discussion, is it possible to have one particular rule ID email me at [EMAIL PROTECTED] and not email the default email address [EMAIL PROTECTED]? I've applied the rules below to ossec.conf and it's working ok, but I'm getting two emails - one is sent to [EMAIL PROTECTED] based on the global rules and another sent to my email address based on the email_alerts rule. I just want rule id 12 to be sent to my personal email address and not the entire sysadmin email address???
>
> Thanks.
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>[EMAIL PROTECTED]</email_to>
>   <smtp_server>mail.mydomain.com</smtp_server>
>   <email_from>[EMAIL PROTECTED]</email_from>
> </global>
>
> <email_alerts>
>   <email_to>[EMAIL PROTECTED]</email_to>
>   <rule_id>12</rule_id>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> <alerts>
>   <log_alert_level>1</log_alert_level>
>   <email_alert_level>4</email_alert_level>
> </alerts>
[ossec-list] Re: My own rules
Hi Daniel,

Regarding how to write the rules, the following documents can help:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/18/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
> Greetings Daniel:
>
> Custom rules can be placed in /var/ossec/rules/local_rules.xml
>
> Thank you.
[ossec-list] Re: Seeking help with custom rule
Hi Peter,

This log should already be matching the following rule:

  <rule id="30115" level="5">
    <if_sid>30101</if_sid>
    <match>Invalid URI in request</match>
    <description>Invalid URI (bad client request).</description>
    <group>invalid_request,</group>
  </rule>

Isn't it? If you want to ignore this shtml.exe, just create a local rule looking for it:

  ..
  <if_sid>30115</if_sid>
  <match>/shtml.exe/</match>
  ..

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/18/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
> Greetings:
>
> Apache error_log entry:
>
> [Tue Sep 18 19:04:59 2007] [error] [client 195.244.128.240] Invalid URI in request GET /../_vti_bin/shtml.exe/SI/contest.htm/map HTTP/1.1
>
> How would I write the match portion of the rule to just key in on Invalid URI and shtml.exe?
>
> Thank you.
[ossec-list] Re: Problem on email notification
Hi Paco (and anyone else with the problem),

Can you send a copy of one or two ossec e-mails to us? They must include the original headers and the time it was supposed to show. Without that it is going to be hard to find out what is going on.

Thanks,

--
Daniel B. Cid

On 9/18/07, Paco Avila [EMAIL PROTECTED] wrote:
> I have the same problem with Evolution.
>
> On Mon, 17-09-2007 at 17:00 -0700, [EMAIL PROTECTED] wrote:
>> I have tested this with a different email client (I use Thunderbird) but the same thing happened. Also, in case of any problem with the browser, it should show the same symptom for other emails.
>>
>> Cheers
>>
>> On Sep 6, 10:36 pm, Peter M. Abraham [EMAIL PROTECTED] wrote:
>>> Greetings:
>>>
>>> Given you stated, "The notification on the email body shows: 2007 Sep 02 02:11:20", could it be possible your email client is not properly converting the date and time?
>>>
>>> Thank you.
>
> --
> Paco Avila [EMAIL PROTECTED]
[ossec-list] Re: Problem with log_format named
Hi Valerio,

Yes, OSSEC can monitor named logs, and you need to use the syslog log format in the config. You need to look at our rules to see what is wrong... Can you submit the logs that are generating the false positives to us? It would be much easier to fix them with that in hand.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/17/07, Valerio Daelli [EMAIL PROTECTED] wrote:
> Hi,
>
> we use ossec-hids 1.3 on FreeBSD and we would like to monitor the logs of BIND. If we use a log_format of 'named' the server cannot even start. If we use a log_format of syslog for the log file of named, we get tons of false positives. Is it possible on ossec-hids 1.3 to monitor the logs of named? Which log_format should we use?
>
> Thanks a lot
> Valerio Daelli
[ossec-list] Re: Regex Help
Hi, A few suggestions to make it work: 1- Simplify your match (taken from David's reply): If you are looking for a word, just use match (much faster): matchDuplicate TCP SYN from/match 2- A better solution would be to use the pix ID that you want: id^4-419002/id 3- Do not write ignore rules based on correlations. If you look at rule 4383, it will alert on multiple warning messages from the PIX (id 4313). Just ignoring the 4313 instead of the 4383 will be much cleaner... 4- This log is not being decoded by the pix decoder, so you can't use the srcip/dstip options. My suggestion would be: rule id=12 level=0 if_sid4313/if_sid id^4-419002/id regexfrom inside:xxx.xxx.xxx.xxx/regex descriptionRule that will ignore Duplicate/description /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 9/14/07, mcamacho75 [EMAIL PROTECTED] wrote: I appreciate greatly your suggestion but it doesnt appear to be working. I implemented the following rule: rule id=12 level=0 if_sid4383/if_sid srcipxxx.xxx.xxx.xxx/srcip matchDuplicate TCP SYN/match descriptionRule that will ignore Duplicate/description descriptionTCP SYN from IP xxx.xxx.xxx.xxx/description /rule I purposely left out the srcport portion becuase the source port in this case is dynamic. I also tried to using a regex rule and couldnt get it to work that way either. I will keep working on it but in the meantime I welcome any additional suggestions. If I am able to come up with a working rule I will be sure to post it. Thanks again!! 
On Sep 14, 1:37 pm, David Williams [EMAIL PROTECTED] wrote:

I think you're on the right path but OSSEC has already parsed the log entry (to extract source and destination IPs) so you may need something more like this (of course, I'm not able to test this):

    <rule id="12" level="0">
      <if_sid>4383</if_sid>
      <srcip>xxx.xxx.xxx.xxx</srcip>
      <srcport>9200</srcport>
      <match>Duplicate TCP SYN</match>
      <description>Rule that will ignore Duplicate</description>
      <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
    </rule>

-David

mcamacho75 wrote:

I am trying to create a rule that will prevent email notifications for the following alert but can't seem to make it work. Below is an example of the email I would like to ignore:

    Received From: ktwapp-8-172.16.230.10
    Rule: 4383 fired (level 10) - Multiple PIX warning messages.
    Portion of the log(s):
    %ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number

I have created the following rule within the local_rules.xml file but it doesn't seem to have any effect:

    <rule id="12" level="0">
      <if_sid>4383</if_sid>
      <regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx \.+</regex>
      <description>Rule that will ignore Duplicate</description>
      <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
    </rule>

Any help in figuring out what I am doing wrong would be greatly appreciated. Thanks

-- GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: Ignore clients logs from the server
Hi Chris,

The location where the alert came from can be searched using the hostname tag. For example:

    <rule id="110007" level="0">
      <if_sid>1003, 31101, 1002</if_sid>
      <hostname>error_log</hostname>
      <description>Web log ignore.</description>
    </rule>

Basically, when you look at an alert it has:

    Received From: (xx) 192.168.2.0->/var/log/messages

Everything after the from: is what the hostname matches...

**ok, before someone complains, I know hostname is not the best name for this option, but this is what we have now. Patches are welcome :)

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 9/14/07, Chris Russell [EMAIL PROTECTED] wrote:

Forgive me if this has already been discussed, but I searched the archives and I couldn't find anything on this topic. I would like to ignore logs on my clients, but because I have a large number of clients, I would like to set the server to ignore the logs rather than edit the ossec.conf file on every client. Is this possible? As an example, I would like to ignore the /etc/httpd/logs/error_log file on my clients. So I tried putting this rule in to the local_rules.xml file on my server:

    <rule id="110007" level="0">
      <if_sid>1003, 31101, 1002</if_sid>
      <match>/etc/httpd/logs/error_log</match>
      <description>Web log ignore.</description>
    </rule>

But, it didn't work. I assume the name of the log can't be matched by the match directive? Is there any other directive that I could try? Thanks.
[ossec-list] Re: Alert level 12
Hi Eric,

You shouldn't be too worried about it, since it is just a scanner or something like that. If you do a netcat (or telnet) to your ssh server you will get the same error. I will reduce the severity of this one...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 9/12/07, Eric Yeoh [EMAIL PROTECTED] wrote:

Hi, I got the below message from one of our servers:

    OSSEC HIDS Notification.
    2007 Sep 12 16:24:25
    Received From: birdy->/var/log/secure
    Rule: 5701 fired (level 12) - Possible attack on the ssh server (or version gathering).
    Portion of the log(s):
    Sep 12 16:24:24 raven sshd[647]: Bad protocol version identification '\377\364\377\375\006' from UNKNOWN

I see that it is a possible scan; is that something I should be worried about? I haven't got a Level 12 alert before. Please advise.

Regards,
Eric
[ossec-list] Re: Install OSSEC to /: it's possible?
Hi Slava,

We do not allow the installation to be at /, because we set the permissions very tight and it would probably break your system (just imagine /bin not being accessible)... In addition to that, ossec runs on chroot and it makes no sense to chroot to /.

*Feel free to re-write the installation scripts, but just make sure they work on all the operating systems we currently support (Linux, *BSD, Solaris, AIX, etc) and have at least all the current functionality (+ being easy to use :)).

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 9/6/07, Slava Semushin [EMAIL PROTECTED] wrote:

Hello! The install.sh script contains the following code. The code that verifies the installation dir does not allow me to specify root (/) as the installation directory:

    [EMAIL PROTECTED] ~]$ echo / | grep -E '^/[a-zA-Z0-9/-]{3,128}$' >/dev/null 2>&1; echo rc=$?
    rc=1

So I suggest changing this behavior:

- echo $ANSWER | grep -E ^/[a-zA-Z0-9/-]{3,128}$ /dev/null 21
+printf '%s' $ANSWER | grep -E ^/[[:alnum:]/-]{0,128}$ /dev/null 21

What do the developers think about this change? Should I post a bug for this? Thanks in advance.

P.S. I think it's impossible. All scripts expect /var/ossec =( But I want to have an FHS-compliant system. For example this code can break the system (building in a chroot environment under an unprivileged user saves my system):

    # Default for all directories
    chmod -R 550 ${DIR}
    chown -R root:${GROUP} ${DIR}

All works right when DIR equals /var/ossec, but what happens when DIR=/ ?!

P.S. BTW, ideally all installation scripts should be completely rewritten IMHO.

-- + Slava Semushin | slava.semushin @ gmail.com + ALT Linux Team | php-coder @ altlinux.ru
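Review bot: the `+` line's pattern `^/[[:alnum:]/-]{0,128}$` accepts a bare `/` as the installation directory, which is exactly the answer the original `{3,128}` lower bound was rejecting, and the same message shows why that matters: the later `chmod -R 550 ${DIR}` and `chown -R root:${GROUP} ${DIR}` would then run against the whole filesystem. Keep a positive minimum length, or add an explicit `[ "$ANSWER" != / ]` test before the grep, so `/` is still refused. Also, `printf '%s' $ANSWER` leaves `$ANSWER` unquoted, so an answer containing whitespace is word-split into several printf arguments; write `printf '%s' "$ANSWER"`.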
[ossec-list] Re: Server move
Hi Reggie,

My suggestion would be:

- Copy the whole /var/ossec and /etc/ossec-init.conf to the new system.
- Reinstall ossec (running the install.sh and choose the upgrade option).

It should do it..

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 9/5/07, Reggie Griffin [EMAIL PROTECTED] wrote:

Is there any information on the best way to move the OSSEC server from one host to another? Would like to at minimum retain all my client keys.

-Reggie
[ossec-list] Re: Active-Responses Perl
Hi Daniel,

You can execute anything you want in there (from perl, to .sh, java, etc). It just needs to have the executable flag set and accept the proper arguments (add, delete, etc).

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 9/3/07, Dan [EMAIL PROTECTED] wrote:

Hi Ossec List, is it possible to execute a perl file within the active responses? Or are only bash scripts allowed? Thanks.

Regards,
Daniel
[ossec-list] Re: Problem with a cisco 837 router
Hi,

I made some fixes to the cisco IOS decoder and it should work now with the sequence numbers. However, your syslog server should not add additional sequence numbers, because it is against the RFC. If you can try it out (just run the upgrade option): http://www.ossec.net/files/snapshots/ossec-hids-070902.tar.gz

Btw, nice local rules :)

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Refer to this thread about a similar discussion: http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b

Below is a snip from the thread above which shows you the sequence numbers. Here I have enabled service sequence-numbers on the router. From the log file, you can see the sequence numbers of the IOS logs are 38 and 39. I believe the 43 and 44 are sequence numbers generated by the syslog server (correct me if I am wrong).

    Aug 21 16:18:23 192.168.1.1 43: 38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    Aug 21 16:29:43 192.168.1.1 44: 39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet

And here I have entered no service sequence-numbers on the router. From the log file, you can see there are no longer any IOS sequence numbers like xx.

    Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets

Contrast the above four lines of log with what I see on my router when I do a show log:

    38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
    %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets

I haven't been able to get the OSSEC decoder to properly understand cisco-ios_rules.xml. None of the rules fire at all even after I follow what's on the wiki: http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Step-by-Step_Cisco_IOS_config

I'm not really a coder nor have extensive regex experience so I've given up. To get Ossec to read my cisco logs I just create my rules and place them inside the local_rules.xml and then restart OSSEC. You will also have to edit the BAD_WORDS list in syslog_rules.xml and remove the word denied else rule id 13 below won't fire. Example:

    <rule id="12" level="5">
      <match>%SYS-5-CONFIG_I</match>
      <description>Configuration change detected.</description>
    </rule>

    <rule id="13" level="7">
      <match>%SEC-6-IPACCESSLOGS</match>
      <description>Unauthorized access.</description>
    </rule>

    <rule id="14" level="9">
      <match>%LINEPROTO-5-UPDOWN</match>
      <description>Line protocol UP/DOWN.</description>
    </rule>

    <!-- posted with id 14 as well; rule ids must be unique, so renumbered to 15 -->
    <rule id="15" level="9">
      <match>%LINK-3-UPDOWN</match>
      <description>Link state UP/DOWN.</description>
    </rule>

I haven't loaded /bin/ossec-remoted as outlined in the wiki and simply told Ossec to monitor my cisco log file (/var/log/cisco.log). This is because I also log a lot of other things on the system and do not want to disable the syslog daemon so that Ossec can use UDP port 514 to monitor incoming Cisco IOS logs. Edit and add to /etc/ossec.conf the cisco log file to monitor:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/cisco.log</location>
    </localfile>

If you want to use /bin/ossec-remoted, this wiki entry might help you out: http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config

As far as I know Cisco IOS doesn't give you the option to send IOS logs on a different UDP port so you either turn off syslog and let OSSEC use UDP port 514 or you keep syslog running and tell Ossec which log file to monitor.

Hope that helps some people.
[ossec-list] Re: First custom rule - please check my syntax
Hi Peter,

Your rule looks good to me. If you can show us the log that you want to match, it may be easier to improve it a bit more. The only change I would do is to use an id above 100,000 since these are reserved for local rules.

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/31/07, Peter M. Abraham [EMAIL PROTECTED] wrote:

Greetings: I was investigating Apache segmentation faults on one of the servers monitored by ossec 1.3, and found that right before the segmentation fault was a hack attempt against shtml.dll (a FrontPage component). I created the following rule in /var/ossec/rules/local_rules.xml

    <group name="apache-custom,">
      <rule id="90100" level="12">
        <if_sid>30101</if_sid>
        <match>shtml.dll</match>
        <description>Possible FrontPage hack attempt</description>
      </rule>
    </group>

The if_sid is based on Apache error messages grouped as this error occurs in the Apache error log. Did I write the rule correctly? Are there any recommended changes? Thank you.
[ossec-list] Re: disabling active response
Hi Stephen,

Sorry about it. I made a fix for it and released it on the following snapshot: http://www.ossec.net/files/snapshots/ossec-hids-070829.tar.gz

Just install it on your agent and disable active response as it should be:

    <active-response>
      <disabled>yes</disabled>
    </active-response>

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/22/07, Stephen Williamson [EMAIL PROTECTED] wrote:

Will, I did as you suggested

    <active_response>
      <disabled>yes</disabled>
    </active_response>

but it stops in error on the change. See below.

Steve

    OSSEC HIDS v1.3 Stopped
    Starting OSSEC HIDS v1.3 (by Daniel B. Cid)...
    2007/08/22 09:06:10 ossec-agentd(1230): Invalid element in the configuration: 'active_response'.
    2007/08/22 09:06:10 ossec-agentd(1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
    2007/08/22 09:06:10 ossec-agentd(1215): No client configured. Exiting.
    ossec-agentd: Configuration error. Exiting

- Hi Stephen, It is actually a bug in ossec. You need to set it to: (note the underline instead of a dash)

    <active_response>
      <disabled>yes</disabled>
    </active_response>

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net --
[ossec-list] Re: MySQL
Hi Thorne and Dan,

I just released a snapshot (alfa stage) with some rules/decoders for mysql error and generic query logs: http://www.ossec.net/files/snapshots/ossec-hids-070828.tar.gz

You just need to add your mysql log file to the ossec config:

    <localfile>
      <log_format>mysql_log</log_format>
      <location>/var/log/mysql/sys.err</location>
    </localfile>

And it should just work (same format for the mysql query log).

Btw, this snapshot also comes with MySQL/PostgreSQL database support for storing the alerts. If anyone is interested, just come by our irc channel (#ossec on freenode) and we will help you to set it up (docs not ready yet).

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/23/07, Thorne Lawler [EMAIL PROTECTED] wrote:

Dan, Please let me know if you find any, that would be very handy. What would be even better would be some kind of ossec plugin to mysql to do sql-level sanity-checking and log issues through the ossec alert mechanism. As an alternative, if anyone knows of a sql-checking gadget for mysql of some kind which logs to syslog, that would make ossec rules much easier.

-- Thorne Lawler Technical Consultant ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery KAZ Group Pty Ltd 360 Elizabeth Street | Melbourne Victoria 3000 (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334 [EMAIL PROTECTED] | www.kaz-group.com

This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply

Dan [EMAIL PROTECTED] Sent by: ossec-list@googlegroups.com 23/08/2007 05:26 PM Please respond to ossec-list@googlegroups.com To ossec-list@googlegroups.com cc Subject [ossec-list] MySQL

Hi, I'm looking for MySQL rules for Ossec 1.3! Is there anyone who has such rules? Thanks for your help.

Regards,
Daniel
[ossec-list] Re: Cisco ASA log
Yes, it supports logs from PIX, ASA and FWSM. Most of them are the same and our decoders handle all cases...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/28/07, Patrick Roelke [EMAIL PROTECTED] wrote:

I can't recall if the PIX logs are the same as the ASA but it should log with no modifications. Worst case you may need to modify the decoder.

On 8/28/07, Tomas Olsson [EMAIL PROTECTED] wrote:

Hi, Can OSSEC parse and alert from a Cisco ASA firewall log?

/Tomas
[ossec-list] Re: Rootkit check, check?
Hi Andrew,

There is a very subtle acknowledgement that the rootcheck scan ran that is stored on the server side. If you go to /var/ossec/queue/rootcheck you will see one entry for each agent (plus the one for the server, just named rootcheck). If you look at any of the files in there, you will have one entry named:

    !1188240193!1185146265 Starting rootcheck scan.

Where the line is divided as:

    !last time this message was sent!first time message was sent Message

Every time rootcheck runs, it sends this message to the server and the timestamp is updated. So, with a very simple hack you can get the last time of scan (for agent winhome in the example):

    # cd /var/ossec/queue/rootcheck
    # date -r `cat *winhome* | grep "Starting rootcheck scan" | cut -d '!' -f 2`
    Sun Aug 26 23:20:11 ADT 2007

For Linux, you can't use the -r, but you need:

    # date -d '1970-01-01 1188181211 sec'
    Mon Aug 27 03:20:11 ADT 2007

*Anyone willing to come up with some perl/shell script to show up the last scans for all agents? Might be useful

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/27/07, Andrew Storms [EMAIL PROTECTED] wrote:

Thanks. It's not a matter of rootcheck doing its job, it's a matter of needing a positive auditable event that the system was checked for rootkits.

On 8/26/07 11:44 AM, Peter M. Abraham [EMAIL PROTECTED] wrote:

Greetings Andrew: While I don't know the shortest route, a thought came to mind about installing the rootcheck separately on the server and running it manually. If everything is ok, ossec might not report anything (which is what you may or may not be getting). If there are errors, things of note, then check what emails you may have been getting which may relate to the error types. Here's how you can install the rootcheck separately:

    mkdir /usr/local/src
    cd /usr/local/src
    wget http://www.ossec.net/rootcheck/files/rootcheck-0.7.tar.gz
    gzip -d -c rootcheck-0.7.tar.gz | gtar xvf -
    cd rootcheck-0.7
    make all
    ./ossec-rootcheck

Thank you.
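A script of the kind Daniel asks for, added here as an example and not part of the original thread: it reads every file under /var/ossec/queue/rootcheck, pulls the "last time sent" timestamp out of the "Starting rootcheck scan" entry described above, and reports the last scan per agent, flagging agents whose scan is older than a threshold or missing entirely (the auditable evidence Andrew is after). The queue path and entry format come from the message above; the staleness threshold, the function names and the GNU/BSD date fallback are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the ossec-list post): report the last rootcheck
# scan per agent from the server-side queue files.
#
# Each queue file holds entries of the form
#   !<last time sent>!<first time sent> <message>
# and the entry of interest is "Starting rootcheck scan."

QUEUE_DIR="${QUEUE_DIR:-/var/ossec/queue/rootcheck}"
MAX_AGE="${MAX_AGE:-86400}"   # assumed threshold: flag scans older than one day

# last_scan_epoch FILE
# Print the "last time sent" epoch (second '!'-separated field) of the
# Starting rootcheck scan entry, or nothing if the file has no such entry.
last_scan_epoch() {
    grep 'Starting rootcheck scan' "$1" 2>/dev/null | head -n 1 | cut -d '!' -f 2
}

# first_scan_epoch FILE
# Print the "first time sent" epoch: third '!'-separated field, up to the
# space that precedes the message text.
first_scan_epoch() {
    grep 'Starting rootcheck scan' "$1" 2>/dev/null | head -n 1 \
        | cut -d '!' -f 3 | cut -d ' ' -f 1
}

# scan_is_stale EPOCH MAX_AGE_SECONDS
# Succeed (exit 0) when the scan is older than MAX_AGE_SECONDS.
scan_is_stale() {
    now=$(date +%s)
    [ $(( now - $1 )) -gt "$2" ]
}

# epoch_to_date EPOCH
# GNU date understands -d "@epoch"; BSD date uses -r epoch; fall back to the
# raw number so the report never breaks on an unknown date implementation.
epoch_to_date() {
    date -d "@$1" 2>/dev/null || date -r "$1" 2>/dev/null || echo "$1"
}

# list_last_scans DIR MAX_AGE_SECONDS
# One tab-separated line per queue file: file name (one per agent, plus the
# server's own "rootcheck"), last scan time, and STALE or OK.
list_last_scans() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        epoch=$(last_scan_epoch "$f")
        if [ -z "$epoch" ]; then
            printf '%s\tno scan recorded\tSTALE\n' "$name"
        elif scan_is_stale "$epoch" "$2"; then
            printf '%s\t%s\tSTALE\n' "$name" "$(epoch_to_date "$epoch")"
        else
            printf '%s\t%s\tOK\n' "$name" "$(epoch_to_date "$epoch")"
        fi
    done
}

list_last_scans "$QUEUE_DIR" "$MAX_AGE"
```

Run it on the OSSEC server as root (the queue directory is not world-readable); `QUEUE_DIR` and `MAX_AGE` can be overridden in the environment.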
[ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
Hi David,

In addition to what you mentioned, if you are using Linux, it can also be caused by a bug in an application that is binding to a TCP port, but not listening on it. For some weird reason, Linux does not report these ports on netstat... More info here: http://www.ossec.net/dcid/?p=87

*Linux is the only OS that reports this incorrectly (even Windows does this right :/)...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/27/07, David Williams [EMAIL PROTECTED] wrote:

In my previous life, we had several busy servers and they would often alert like this because of temporary port usage. I believed the alert was because OSSEC tried to bind to a port, could not, then ran netstat and did not see the port in use. So I scripted up a little perl script to try to bind to the ports reported by OSSEC. My theory was: if I could bind to them then nothing trojaned was listening on them. And netstat would not show them as used since the connection that used them was ephemeral. I'm afraid I don't have the perl script handy anymore -- but it was not too hard to cook up.

I guess the question is, does OSSEC report that the same ports are hidden over time or are they different ports? If the same ports, and netstat is not showing them as in use, and you can't bind to them because something is bound to them, that seems bad. If the hidden ports change over time, it seems more likely to me that the server is busy and OSSEC can't bind to the port but when it comes back to see if netstat shows it in use, it's free again.

Just another couple of cents worth

-David

Jeff Schroeder wrote:

On Aug 27, 11:11 am, Peter M. Abraham [EMAIL PROTECTED] wrote:

Greetings: I replaced the netstat on the server (actually updated net-tools which was out dated),

    rpm -V net-tools-1.60-37.EL4.9

Provides no output for which I understand means the package verified ok.

You realize that even though the netstat package is ok, that your c library, or worse, your kernel could have been patched with a rootkitted version, right? If the box has been compromised with an advanced rootkit, it might also patch the rpm command. Your best bet would be to bring the system down, boot it up with a live cd, and check the md5sums of said binaries. Perhaps running something like chkrootkit or rkhunter also. Just a few thoughts that might or might not help.

-- GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: ossec-execd invoked oom-killer
Hi Daniel,

Are you sure ossec did this? First, it doesn't run in kernel mode, so even if it crashed, it would not crash the whole system. It also doesn't use a lot of memory, so I can't see it being responsible for that... Can you show us more information? If you are still getting alerts from that agent, it means that ossec didn't die on there, so something else caused that...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/23/07, Paquet Daniel [EMAIL PROTECTED] wrote:

Well my DHCP server got nerfed by oom-killer that seems to be invoked from ossec. What's up with that? And I have a bunch of stack dumps after the oom-killer invoked from ossec. Here is the mail I got from ossec:

    OSSEC HIDS Notification.
    2007 Aug 23 01:12:00
    Received From: (DHCP-MASTER) xxx.xxx.xxx.xxx->/var/log/messages
    Rule: 1002 fired (level 7) - Unknown problem somewhere in the system.
    Portion of the log(s):
    Aug 23 01:11:58 d-132-204-220-8 kernel: [c0404aa5] error_code+0x39/0x40

Then a bunch of

    OSSEC HIDS Notification.
    2007 Aug 23 01:12:00
    Received From: (DHCP-MASTER) xxx.xxx.xxx.xxx->/var/log/messages
    Rule: 1002 fired (level 7) - Unknown problem somewhere in the system.
    Portion of the log(s):
    Aug 23 01:11:58 d-132-204-220-8 kernel: [c0404aa5] DWARF2 unwinder stuck at error_code+0x39/0x40error_code+0x39/0x40

And my logs are more fun. Anyone know why it did this? Or can tell me what I can look at to correct the issue. By chance I have 2 dhcp servers; the other one took control when my master one died.

-- Daniel Paquet IT Technician Service des Résidences 514-343-6111 #1665
[ossec-list] Re: Active response question
Hi Peter,

They should happen almost at the same time, with the active response before the e-mail (most of the time). Basically, as soon as the alert is fired, it is sent to the os-remoted (on the server), which forwards to the correct agent.

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/21/07, Peter M. Abraham [EMAIL PROTECTED] wrote:

Greetings Daniel: You were on target, and thank you for pointing out the log file:

    aug 17 16:58:08 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 61.136.58.249 1187360911.3960043 5720
    aug 17 17:02:01 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 61.136.58.249 1187360911.3960043 5720

I guess I was not seeing it in time. May I ask how quickly does the firewall drop occur on the agent itself in relation to the email sent from the ossec server? Thank you.
[ossec-list] Re: Ossec failed after server reboot
Hi DM,

Please give us more information to debug/reproduce your issue. What happens if you do a service ossec restart? Anything else in the logs besides these messages? Most of the time, we need at least the following information: http://www.ossec.net/wiki/index.php/Community_manual:BugReport

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/21/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hello, I rebooted the server and found ossec failed. I tried to start it:

    service ossec start
    Starting OSSEC:
    2007/08/21 00:56:01 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2007/08/21 00:56:01 ossec-rootcheck(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2007/08/21 00:56:09 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2007/08/21 00:56:09 ossec-rootcheck(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2007/08/21 00:56:22 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
    2007/08/21 00:56:22 ossec-rootcheck(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
    [FAILED]

Any idea why it failed?

Regards,
DM
[ossec-list] Re: Wishlist: Active response for the longer term
Hi Thorne,

You raise a valid concern regarding our timeouts (which is by default 10 minutes, not 5) and it was chosen mainly based on some sshd brute force scripts (that I had access to in the past), which gave up on a specific ip after 5/6 minutes without response. That's why 10, so they would leave us alone for a while...

Why is it not longer? First, ips change quite often, so if the timeout is very long you can end up blocking valid users. Second, active responses are dangerous and our alerts can have false positives (if you forget your password or get multiple 404s in a small period of time, etc). To minimize the problems caused by these false positives, we decided to keep the value small. Our manual talks a bit about it: http://www.ossec.net/main/manual/#active-response

*Like any security tool, ossec should be customized, and the defaults are just what we thought would be best for the majority of users. If in your environment you can live with the risk of being blocked for a few days, just increase it :)

Anyway, I really liked your idea of dynamic timeouts and I will add it to our todo list.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/21/07, Thorne Lawler [EMAIL PROTECTED] wrote:

Jeff, ossec-list@googlegroups.com wrote on 22/08/2007 06:53:59 AM:

On Aug 20, 7:58 pm, Thorne Lawler [EMAIL PROTECTED] wrote:

I'm sure there was some solid reasoning behind the default fixed value for active-response.timeout. I'd love to hear it if anyone knows what it was.

Ever heard of the term spoofing? Think about if someone malicious spoofed the ip addresses of valid hosts and blocked them all. This would be an easy way to make a server useless. http://en.wikipedia.org/wiki/IP_address_spoofing

https://www.trouble.net.au/~thorin/cute/suckeggs.shtml

Yes, thanks, I believe I've heard of it. :-) I've got three takes on this:

1. If a substantial amount of spoofed traffic is coming in through your ISP, consider changing ISPs: Spoofing, especially for stateful (i.e. TCP traffic) requires some serious router subversion. If the source is local, your ISP needs to beef up their per-client routing controls, or possibly boot a troublemaker. What I'm trying to say is: any significant amount of spoofing is in itself a security problem. If someone is able to spoof the IPs of any significant number of your valid client hosts, blocking everything but administrative for a while might not be such a bad idea.

2. This is what the whitelist is for. If you get noise on an IP and it gets blocked incorrectly, you whitelist it. This is just as true for legitimate clients as it is for spoofing or proxy-aggregation or DHCP turnover or any other potential IP-identity confusion. Actual example: My friend is debugging his rather crufty new webDAV mechanism to maintain his site on my server. It spews out bazillions of 404 errors every time he tries to connect, and OSSEC obediently cuts him off. He complains, so I add him to the whitelist.

3. How is five minutes any less harmful than an hour, or a day? If someone is spoofing an IP, they can get that IP cut off in less than a second. That still means they can keep it cut off more than 99% of the time.

So my question stands: Why five minutes?

-- Thorne Lawler Technical Consultant ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery KAZ Group Pty Ltd 360 Elizabeth Street | Melbourne Victoria 3000 (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334 [EMAIL PROTECTED] | www.kaz-group.com
[ossec-list] Re: disabling active response
Hi Stephen,

It is actually a bug in ossec. You need to set it to: (note the underline instead of a dash)

    <active_response>
      <disabled>yes</disabled>
    </active_response>

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/21/07, Stephen Williamson [EMAIL PROTECTED] wrote:

I have some agents that I installed (ver 1.3) on Red Hat Linux. I installed with active response disabled. In the ossec.conf I have the entries:

    <active-response>
      <disabled>yes</disabled>
    </active-response>

I start the agents and certain types of activity cause the active response to fire. (false positives) Here are some entries in the active-responses.log:

    Tue Aug 21 13:23:57 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.180 1187724114.275471 20100
    Tue Aug 21 13:25:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - xx.xx.1.177 1187724222.472389 20101
    Tue Aug 21 13:25:48 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 64.73.46.137 1187724224.472771 20101
    Tue Aug 21 13:27:46 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 69.66.62.2 1187724342.474372 20100
    Tue Aug 21 13:32:04 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 63.103.212.185 1187724600.478238 20101
    Tue Aug 21 13:33:34 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.7 1187723788.271250 20101
    Tue Aug 21 13:36:02 CDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - xx.xx.1.180 1187724114.275471 20100

Am I misinterpreting the entry in ossec.conf?

-- Stephen Williamson Secured Technology LLC Phone: 913.219.6142 Office: 913.236.4288 email: [EMAIL PROTECTED]
[ossec-list] Re: Monitoring Sonicwall Firewalls with OSSEC
Hi Peter,

I agree with Jeff. If you can send some logs to us, we can definitely write some rules/decoders for it. We only have a few samples: http://www.ossec.net/wiki/index.php/Log_Samples_Sonicwall

But with a few more we can easily add support for it.

*btw, if you prefer, you can send to me privately to avoid having to remove ip addresses, etc.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/18/07, Jeff Schroeder [EMAIL PROTECTED] wrote:

On Aug 17, 8:18 pm, Peter M. Abraham [EMAIL PROTECTED] wrote:

Does anyone have any rules they have, and are willing to share in terms of monitoring SonicWall Pro series firewalls?

If you could paste some log lines, it probably wouldn't take much to write decoders for it. Once decoders are written that work, they can be included with the next version of ossec.
[ossec-list] Re: netscreen logs
Hi Tom,

Can you send some log samples to us? Our decoder looks for:

  <decoder name="netscreenfw">
    <program_name>^sav00|^ns5gt</program_name>
    <prematch>^NetScreen device_id</prematch>
  </decoder>

Probably that's why it only works with ns5gt. However, we were told this would be present in all netscreen logs, so if that is different, let us know.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/20/07, Tom Bicer [EMAIL PROTECTED] wrote:

I've been trying to get ossec to work with netscreen logs. I'm unable to figure out why only device name ns5gt works. Replacing that name with any other valid device name in decoder.xml doesn't produce any records in firewall.log. I also tried completely removing program_name and just leaving prematch; it still doesn't produce any entries in firewall.log. I'd appreciate any suggestions anyone may have.

Tom
[ossec-list] Re: Active response question
Hi Peter,

Note that the timeout for the active response is 10 minutes, so after that the ip is going to be removed from the block list. If you look at /var/ossec/logs/active-responses.log do you see the responses being called? (Look at the agent that generated the alert and not at the server.)

If the entry is not there, please send us your ossec.conf and some more information to understand/reproduce the issue: http://www.ossec.net/wiki/index.php/Community_manual:BugReport

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/17/07, Peter M. Abraham [EMAIL PROTECTED] wrote:

Greetings:

When I first installed the ossec server (now server and agents are on version 1.3), and then the ossec agents, I answered no to active response. From testing, I can tell the rules for multi-attempt attacks on ssh -- 5712, 5720 -- appear to be very accurate, so I wanted to enable active response for those two rules.

On the ossec server I edited /var/ossec/etc/ossec.conf to remove any disable entries for active response and add the following:

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>

Then on four servers hit the hardest by brute force SSH attempts, I edited their /var/ossec/etc/ossec.conf files to remove the disabled active-response lines (3 lines). Then I restarted ossec on the server, then the agents.

Yet, as 5712 and 5720 rules fire after the restart, I log onto the four servers which are sending the alerts to the ossec server and check iptables for the attacking IP and do not find it present.

If I did not answer yes to active response on installation, do I have to re-install ossec and answer yes to active response in order for active response to work?

Thank you.
[ossec-list] Re: POP3 brute force rule not firing
Hi Steve,

Thanks for the suggestion. I committed your improved decoder to CVS already and it will be included in the next version.

As for having custom decoders, I am thinking of creating a new local_decoders.xml, because right now all entries in decoders.xml are overwritten during upgrade.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/15/07, Steve West [EMAIL PROTECTED] wrote:

Hi Dave,

Thank you so much for all of your help! Just for clarification, our vpopmail logs do NOT have the http:// stuff which I'm seeing being added in your reply.

It seems that the OSSEC decoder might need a new rule or updating to catch pop3 brute force attacks where the attacker doesn't send a domain name (ie user@:69.3.64.3 ... rather than [EMAIL PROTECTED]: 69.3.64.3).

Daniel, can the decoder vpopmail rules be edited to catch something like the following:

  user@:x.x.x.x
  [EMAIL PROTECTED]:x.x.x.x

I think this is achievable if the regex is changed to:

  (\S+)@\S*:(\d+.\d+.\d+.\d+)$

What do u think? Can anyone else see a problem with this? So, the decoder rule would be as follows:

  <decoder name="vpopmail-notfound">
    <parent>vpopmail</parent>
    <prematch>^vchkpw-pop3: vpopmail user not </prematch>
    <regex offset="after_prematch">^found (\S+)@\S*:(\d+.\d+.\d+.\d+)$</regex>
    <order>user, srcip</order>
  </decoder>

And lastly, how can I add custom decoder rules that would survive OSSEC updates?

thx,
[ossec-list] Re: Solaris Installation Problem
Hi Courtney,

I only have access to a Solaris 10 on intel and it works fine. For some reason it looks like your shell is not reading the output of the read commands or your grep does not support the -E argument. Try the following:

  $ read A
  foo bar
  $ echo $A
  foo bar

If you get the output of A, the problem is with grep. On Solaris we try to use the one at /usr/xpg4/bin/grep, do you have it? You might need to install it, because we use the binaries at /usr/xpg4/bin to compile ossec...

Anyone else using Solaris that can give some help?

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/13/07, Grimland, Courtney [EMAIL PROTECTED] wrote:

  [EMAIL PROTECTED]:~$ uname -a
  SunOS ren 5.10 Generic_125101-10 i86pc i386 i86pc

Just downloaded 1.3 to try it out, and the install went smoothly on RHEL 4. However, on my Solaris 10 box I'm having problems with the installation script. I hit ENTER for the default language selection, ENTER again to continue, and enter local installation type. When it asks me where to install, I type in /opt/ossec and press ENTER but it just repeats the same question. If I press ENTER to accept the default location, it moves on to email notification. ENTER to accept the default, and it asks me for an email address. I enter my address and it continues to ask me for an email address. I can't get past this part.

Why isn't it accepting my input on some of the questions? I tried running the script under various shells (sh, bash, ksh), to see if it made any difference but it didn't.

-- Courtney Grimland, Software Systems Specialist II, University of Texas Arlington Library. 817.272.1479 - Office, 682.438.8033 - Cell, 817.272.7022 - Fax
[ossec-list] Re: What is the best way to modify included rules for alert levels
Hi Peter,

If you just want to change the severity, just copy the rule to local_rules.xml and set 'overwrite = yes', and the original one will be changed. This feature is not well documented, but this presentation explains it a bit: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Also here: http://www.ossec.net/ossec-list/2007-March/msg00079.html

Example (to overwrite rule 1002):

  <rule id="1002" level="10" overwrite="yes">
    ..
  </rule>

or:

  <rule id="1002" level="8" overwrite="yes">
    <match>Segmentation|XYZ</match>
    <description>Rule 1002 overwritten.</description>
  </rule>

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/9/07, Peter M. Abraham [EMAIL PROTECTED] wrote:

Greetings:

What is the best way to modify the included ossec rules to change the alert levels so those changes will be preserved come upgrade time? If I copy the rule set to local_rules.xml, then do rules in local_rules.xml that have the exact same rule id as another file (say apache_rules.xml) override apache_rules.xml for the given rule in question?

Thank you.
[ossec-list] Re: rule chaining
Hi Josh,

A few changes for your decoders to make them more robust (never checking the same information twice):

  <decoder name="xauthcheck">
    <program_name>XAuth</program_name>
  </decoder>

  <decoder name="xauthcheck-success">
    <parent>xauthcheck</parent>
    <prematch>SUCCEEDED for</prematch>
    <regex>XAuthCheck from (\S+) by (\S+) SUCCEEDED for user (\S+)</regex>
    <order>srcip, url, user</order>
  </decoder>

  <decoder name="xauthcheck-failure">
    <parent>xauthcheck</parent>
    <prematch>FAILED because</prematch>
    <regex>XAuthCheck from (\S+) by (\S+) FAILED</regex>
    <order>srcip, url</order>
  </decoder>

Now, for the rules, as I said, it is based on the severity, with the 0 starting first. In addition to that, the rules are also first match, so as soon as a rule fires, it stops checking the others. A simple way to have your rules is:

  <rule id="100100" level="0">
    <decoded_as>xauthcheck</decoded_as>
    <description>XAuthCheck grouped</description>
  </rule>

  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>SUCCEEDED for</match>
    <description>XAuthCheck Success</description>
  </rule>

  <rule id="100103" level="3">
    <if_sid>100100</if_sid>
    <match>FAILED because</match>
    <description>XAuthCheck Failure</description>
  </rule>

It guarantees that the 100100 is going to be checked first, followed by the 100102 and 100103...

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/9/07, Josh Drummond [EMAIL PROTECTED] wrote:

At 06:10 PM 8/8/2007, Daniel Cid wrote:

Hi Josh,

Reply inline...

On 8/8/07, Josh Drummond [EMAIL PROTECTED] wrote:

I've setup custom decoders and rules for a custom log format I would like to monitor.

Can you post them to us? Seeing the decoders/rules will make things easier.
Here is (as example) what I currently have that doesn't seem to work:

Decoders:

  <decoder name="xauthcheck-success">
    <program_name>XAuth</program_name>
    <prematch>SUCCEEDED for</prematch>
    <regex>XAuthCheck from (\S+) by (\S+) SUCCEEDED for user (\S+)</regex>
    <order>srcip, url, user</order>
  </decoder>

  <decoder name="xauthcheck-failure">
    <program_name>XAuth</program_name>
    <prematch>FAILED because</prematch>
    <regex>XAuthCheck from (\S+) by (\S+) FAILED</regex>
    <order>srcip, url</order>
  </decoder>

Rules:

  <rule id="13" level="0">
    <if_sid>2501</if_sid>
    <program_name>XAuth</program_name>
    <description>Ignore general user auth failure for xauthcheck logs</description>
  </rule>

  <rule id="100100" level="3">
    <decoded_as>xauthcheck-success</decoded_as>
    <description>XAuthCheck Success</description>
  </rule>

  <rule id="100101" level="3">
    <decoded_as>xauthcheck-failure</decoded_as>
    <description>XAuthCheck Failure</description>
  </rule>

So my rule #13 suppresses default rule #2501 if my custom decoded log is the entry being examined; that works. However custom rule #100101 that should also match (it's a case where the end of the url token has login, thus triggering rule #2501 with the match on login FAILED) doesn't get triggered. That rule does get triggered for all cases that don't match #2501, so that is known to work.

It sounds like because those two rules are level 3, that they won't get fired because a level 0 rule came first? Using this logic I made the following changes to the rules:

  <rule id="100100" level="0">
    <decoded_as>xauthcheck-success</decoded_as>
    <description>XAuthCheck Success</description>
  </rule>

  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <description>XAuthCheck Success</description>
  </rule>

  <rule id="100101" level="0">
    <decoded_as>xauthcheck-failure</decoded_as>
    <description>XAuthCheck Failure</description>
  </rule>

  <rule id="100103" level="3">
    <if_sid>100101</if_sid>
    <description>XAuthCheck Failure</description>
  </rule>

in order for the custom rules to be on the same level as the muted #2501. This actually does work, but seems clunky and a duplication of work for just this specific case.
I don't quite understand the reasoning for the dependence on rule levels?

Everything seems to be working correctly except in the case where the custom log just happens to match one of the default rules as well (rule #2501, it's matching on login failed). So it looks like it is firing off the rule and not continuing. I tried writing another local rule that ignores that 2501 rule if the program_name matches my custom decoded program, and this works as well. However, although it now ignores rule #2501 in that special case, it still doesn't fire off my custom local rule that matches it further down the chain. It seems like the first rule it finds that matches (or ignores) the log, it stops right there, and I'm guessing since it starts with the low-numbered rules (the default ones) it will never get to my local rules. Is there a way around this?

Yes, there is. Since you wrote a decoder for your rules, you can write a rule like:

  <rule id="100100" level="0">
    <decoded_as>my_custom_decoder</decoded_as>
    <description>All the messages from my decoder.</description>
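The decoders quoted in this thread and in the vpopmail thread above (parent decoder, prematch, regex with offset="after_prematch", order) can be exercised offline with a small model of how OSSEC applies them. The model and sample lines below are added here and are not OSSEC's code; the vpopmail parent decoder, the host and user names and the 10.x addresses are assumptions, while 69.3.64.3 is the address Steve quoted.

```python
"""Toy model of OSSEC parent/child decoders: prematch selects the child,
regex (optionally applied after the prematch) extracts the fields named in
order. Constructed example, not OSSEC code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Decoder:
    name: str
    parent: Optional[str] = None
    program_name: Optional[str] = None   # matched against the syslog program
    prematch: Optional[str] = None       # child is selected when this matches
    regex: Optional[str] = None          # extracts the fields listed in order
    after_prematch: bool = False         # <regex offset="after_prematch">
    order: List[str] = field(default_factory=list)


# "Mon DD hh:mm:ss host prog[pid]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^\[:\s]+)(?:\[\d+\])?: (.*)$")


def parse_syslog(line: str) -> Tuple[str, str]:
    """Split a syslog line into (program, message)."""
    m = SYSLOG.match(line)
    if not m:
        raise ValueError("not a syslog line: " + line)
    return m.group(1), m.group(2)


def decode(decoders: List[Decoder], line: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (decoder name, extracted fields) for one syslog line.

    The patterns quoted on the list only use ^, $, \\S and \\d, which mean the
    same in OSSEC's regex dialect and in Python's re, so re.search is enough.
    """
    program, message = parse_syslog(line)
    parent = next((d for d in decoders
                   if d.parent is None and d.program_name
                   and re.search(d.program_name, program)), None)
    if parent is None:
        return None, {}
    for child in (d for d in decoders if d.parent == parent.name):
        pm = re.search(child.prematch, message) if child.prematch else None
        if child.prematch and pm is None:
            continue                      # prematch decides which child applies
        text = message[pm.end():] if (pm and child.after_prematch) else message
        fields: Dict[str, str] = {}
        if child.regex:
            r = re.search(child.regex, text)
            if r:                         # regex only extracts; a miss leaves no fields
                fields = dict(zip(child.order, r.groups()))
        return child.name, fields
    return parent.name, {}


# Steve's improved vpopmail decoder; the parent decoder is an assumption here.
VPOPMAIL = [
    Decoder("vpopmail", program_name="^vpopmail"),
    Decoder("vpopmail-notfound", parent="vpopmail",
            prematch="^vchkpw-pop3: vpopmail user not ",
            regex=r"^found (\S+)@\S*:(\d+.\d+.\d+.\d+)$",
            after_prematch=True, order=["user", "srcip"]),
]

# Daniel's restructured xauthcheck decoders from this thread.
XAUTH = [
    Decoder("xauthcheck", program_name="XAuth"),
    Decoder("xauthcheck-success", parent="xauthcheck", prematch="SUCCEEDED for",
            regex=r"XAuthCheck from (\S+) by (\S+) SUCCEEDED for user (\S+)",
            order=["srcip", "url", "user"]),
    Decoder("xauthcheck-failure", parent="xauthcheck", prematch="FAILED because",
            regex=r"XAuthCheck from (\S+) by (\S+) FAILED",
            order=["srcip", "url"]),
]

# Constructed sample lines (hosts, users and 10.x addresses are made up).
SAMPLES = [
    "Aug 15 10:01:02 mail vpopmail[2231]: vchkpw-pop3: vpopmail user not found user@:69.3.64.3",
    "Aug 15 10:01:03 mail vpopmail[2231]: vchkpw-pop3: vpopmail user not found bob@example.com:10.0.0.5",
    "Aug  9 08:30:00 gw XAuth[901]: XAuthCheck from 10.0.0.9 by http://app.example.com/login SUCCEEDED for user alice",
    "Aug  9 08:30:01 gw XAuth[901]: XAuthCheck from 10.0.0.9 by http://app.example.com/login FAILED because bad password",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode(VPOPMAIL + XAUTH, sample))
```

The first two samples show why Steve's `\S*` matters: both the no-domain and the with-domain form yield a srcip, which is the field the brute-force rule needs.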
[ossec-list] Re: Wildcards on log files
Hi Jonas,

Yes, you can use wildcards in the log files. Wiki entry about it: http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/8/07, Jonas [EMAIL PROTECTED] wrote:

Would it be possible to use wildcards to indicate the log files? i.e.:

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/*-access.log</location>
  </localfile>
[ossec-list] OSSEC v1.3 released
Hi lists,

We are pleased to announce the general availability of OSSEC version 1.3. This is one of our biggest releases so far, our first under the GPLv3, with numerous new features and bug fixes.

This new version comes with the following new major features:

* User interface to manage the Windows Agent. http://www.ossec.net/dcid/?p=91 (screenshots)
* Support for Courier pop3/imapd logs.
* Support for Cisco IOS logs.
* Support for Symantec Web Security logs.
* Support for SMF-SAV Sendmail filter logs.
* Chinese Translation of the installation script.
* Support for host-based policy monitoring/enforcement on Windows systems. http://www.ossec.net/wiki/index.php/Know_How:WindowsPolicy (more info)
* and much more...

Changelog: http://www.ossec.net/announcements/v1.3-2007-08-08.txt
Release message: http://www.ossec.net/main/ossec-v13-released
Download: http://www.ossec.net/main/downloads

Special thanks to Michael Starks, Brian Wang, Serge Dubrouski, Logan O'Sullivan Bruns and Dave Lowe for the contributions and Dennis Borkhus-Veto, John Ives and Liliane Cid for beta testing this release.

Thanks!

-- Daniel B. Cid dcid ( at ) ossec.net
[ossec-list] Re: OSSEC-- File integrity check??
Hi Robert,

Did you restart the server after adding the <alert_new_files>yes</alert_new_files> entry? Also, take a look at this post that explains a bit more about the alert_new_files option: http://www.ossec.net/ossec-list/2007-May/msg5.html

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/1/07, Robert5156 [EMAIL PROTECTED] wrote:

I installed the server on fedora and an agent on a windows XP sp2 system. Everything is working fine except when I test the file integrity checking, it is not reporting any new files created. It is reporting any content changes of existing files, but not new files. Can anyone look at the config files and let me know what is wrong? Below is the ossec.conf file on the server and the ossec.conf file contents of the XP client agent.

__Linux Server ossec.conf file___

  <ossec_config>
  <ossec_config>
    <global>
      <email_notification>yes</email_notification>
      <email_to>EMAIL</email_to>
      <smtp_server>SERVER NAME</smtp_server>
      <email_from>[EMAIL PROTECTED]</email_from>
      <integrity_checking>6</integrity_checking>
    </global>

    <rules>
      <include>rules_config.xml</include>
      <include>pam_rules.xml</include>
      <include>sshd_rules.xml</include>
      <include>telnetd_rules.xml</include>
      <include>syslog_rules.xml</include>
      <include>arpwatch_rules.xml</include>
      <include>symantec-av_rules.xml</include>
      <include>pix_rules.xml</include>
      <include>named_rules.xml</include>
      <include>smbd_rules.xml</include>
      <include>vsftpd_rules.xml</include>
      <include>pure-ftpd_rules.xml</include>
      <include>proftpd_rules.xml</include>
      <include>ms_ftpd_rules.xml</include>
      <include>hordeimp_rules.xml</include>
      <include>vpopmail_rules.xml</include>
      <include>web_rules.xml</include>
      <include>apache_rules.xml</include>
      <include>ids_rules.xml</include>
      <include>squid_rules.xml</include>
      <include>firewall_rules.xml</include>
      <include>netscreenfw_rules.xml</include>
      <include>postfix_rules.xml</include>
      <include>sendmail_rules.xml</include>
      <include>imapd_rules.xml</include>
      <include>mailscanner_rules.xml</include>
      <include>ms-exchange_rules.xml</include>
      <include>racoon_rules.xml</include>
      <include>vpn_concentrator_rules.xml</include>
      <include>spamd_rules.xml</include>
      <include>msauth_rules.xml</include>
      <!-- <include>policy_rules.xml</include> -->
      <include>attack_rules.xml</include>
      <include>zeus_rules.xml</include>
      <include>ossec_rules.xml</include>
      <include>local_rules.xml</include>
    </rules>

    <syscheck>
      <!-- Frequency that syscheck is executed - default to every 6 hours -->
      <frequency>600</frequency>

      <!-- Directories to check (perform all possible verifications) -->
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin</directories>
      <directories check_all="yes">C:\WINDOWS</directories>
      <alert_new_files>yes</alert_new_files>
      <auto_ignore>no</auto_ignore>

      <!-- Files/directories to ignore -->
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/mnttab</ignore>
      <ignore>/etc/hosts.deny</ignore>
      <ignore>/etc/mail/statistics</ignore>
      <ignore>/etc/random-seed</ignore>
      <ignore>/etc/adjtime</ignore>
      <ignore>/etc/httpd/logs</ignore>
      <ignore>/etc/utmpx</ignore>
      <ignore>/etc/wtmpx</ignore>
      <ignore>/etc/cups/certs</ignore>

      <!-- Windows files to ignore -->
      <ignore>C:\WINDOWS/System32/LogFiles</ignore>
      <ignore>C:\WINDOWS/Debug</ignore>
      <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
      <ignore>C:\WINDOWS/iis6.log</ignore>
      <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
      <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
      <ignore>C:\WINDOWS/Prefetch</ignore>
      <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
      <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
      <ignore>C:\WINDOWS/Temp</ignore>
      <ignore>C:\WINDOWS/system32/config</ignore>
      <ignore>C:\WINDOWS/system32/spool</ignore>
      <ignore>C:\WINDOWS/system32/CatRoot</ignore>
    </syscheck>

    <rootcheck>
      <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
      <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    </rootcheck>

    <alerts>
      <log_alert_level>1</log_alert_level>
      <email_alert_level>7</email_alert_level>
    </alerts>

--END _

Below is the XP-client agent's ossec.conf file contents.

__XP_client config

  <ossec_config>
    <client>
      <!-- IP address of the Ossec HIDS server -->
      <server-ip>serverIP</server-ip>
    </client>

  <!-- Updated syscheck config -->
  <ossec_config>
    <syscheck>
      <frequency>600</frequency>
      <alert_new_files>yes</alert_new_files>
      <directories check_all="yes">C:\WINDOWS</directories>
      <ignore>C:\WINDOWS/System32/LogFiles</ignore>
      <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
      <ignore>C:\WINDOWS/Prefetch</ignore>
      <ignore>C:\WINDOWS/Debug</ignore>
      <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
      <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
      <ignore>C:\WINDOWS/Temp</ignore>
[ossec-list] Re: OSSEC error message blows up log file
Hi David,

The issue with syscheck_update is that it requires restarting the server after you use it. Otherwise, you can get some very weird errors (like the one mentioned). The best way to do it is by:

- Stopping server.
- Running syscheck_update
- Starting server.

Maybe that was the issue?

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 8/2/07, David Williams [EMAIL PROTECTED] wrote:

Daniel,

I was just writing to say I've not seen that problem in a while -- but I just checked the logs and it's back. I upgraded the server which required a reboot recently and I believe I did a syscheck_update -a after that. I've also just swapped some machines around (same name and IP became different hardware); when I did that, I removed the old agent and created a new agent, with a new, higher ID. And I don't see how this makes a difference but I have ossec installed in /home/ossec (where I have lots of room to grow). All of these systems now have been rebuilt recently with 1.2.

I have a gzipped tar file of the directory (334K) and a gzipped copy of ossec.log (3.4M); where should I send them (and do you want the log file)?

-David

Daniel Cid wrote:

Hi John (and David),

I never saw these messages myself on ossec since they can only happen if your integrity checking database gets corrupted. It could happen if you upgraded from an old version of ossec (before 1.0) and the upgrade didn't work out very well. Can you send me a zipped (or gzipped) copy of your /var/ossec/queue/syscheck? I want to see what is wrong in there...

Btw, is anyone else seeing those? If yes, please send me a copy of the above directory to debug...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 7/31/07, David Williams [EMAIL PROTECTED] wrote:

John,

Daniel will be able to explain further I'm sure. It appears there are null string (missing) names in your integrity database. Those messages look like warnings rather than serious errors (the testing just moves on to the next entry). In my case, when I start to see those, I stop ossec, delete the databases and let ossec rebuild them. I'm sure that's not the best way to deal with the issue though.

-David

John Whittington wrote:

Hi, I'm pretty new to OSSEC, please bear with me:

I recently set up OSSEC-HIDS to manage several RHEL machines, our organization's web servers. One machine was set up as the server with 13 agents. I configured them with the install script and pretty quickly seemed to get them up and running. I am having two problems, one of which concerns false positives, but I'll post that to a different thread. My immediate problem is this: in the past week I've been getting the following error showing up in log/ossec.log:

  ossec-analysisd: Invalid integrity message in the database.

When it returns this error, it does so many times over; typically 500 times in the last three days, but on Friday it wrote this error 668,072 times. Needless to say our ossec.log file has suddenly gotten rather large. I've restarted OSSEC on the server a few times now without it seeming to make any difference.

Can anyone tell me what this error means? I only found one page on the OSSEC site that mentions it specifically, and it was a thread from the dev mailing list. Unfortunately I'm no C programmer. FWIW OSSEC itself seems to keep working fine, and still alerts us to events like new users logging in or changes to system files. Any feedback would be appreciated; I can send more detailed info as requested.

Thanks

John

-- GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: OSSEC error message blows up log file
Hi John (and David),

I never saw these messages myself on ossec since they can only happen if your integrity checking database gets corrupted. It could happen if you upgraded from an old version of ossec (before 1.0) and the upgrade didn't work out very well. Can you send me a zipped (or gzipped) copy of your /var/ossec/queue/syscheck? I want to see what is wrong in there...

Btw, is anyone else seeing those? If yes, please send me a copy of the above directory to debug...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 7/31/07, David Williams [EMAIL PROTECTED] wrote:

John,

Daniel will be able to explain further I'm sure. It appears there are null string (missing) names in your integrity database. Those messages look like warnings rather than serious errors (the testing just moves on to the next entry). In my case, when I start to see those, I stop ossec, delete the databases and let ossec rebuild them. I'm sure that's not the best way to deal with the issue though.

-David

John Whittington wrote:

Hi, I'm pretty new to OSSEC, please bear with me:

I recently set up OSSEC-HIDS to manage several RHEL machines, our organization's web servers. One machine was set up as the server with 13 agents. I configured them with the install script and pretty quickly seemed to get them up and running. I am having two problems, one of which concerns false positives, but I'll post that to a different thread. My immediate problem is this: in the past week I've been getting the following error showing up in log/ossec.log:

  ossec-analysisd: Invalid integrity message in the database.

When it returns this error, it does so many times over; typically 500 times in the last three days, but on Friday it wrote this error 668,072 times. Needless to say our ossec.log file has suddenly gotten rather large. I've restarted OSSEC on the server a few times now without it seeming to make any difference.

Can anyone tell me what this error means? I only found one page on the OSSEC site that mentions it specifically, and it was a thread from the dev mailing list. Unfortunately I'm no C programmer. FWIW OSSEC itself seems to keep working fine, and still alerts us to events like new users logging in or changes to system files. Any feedback would be appreciated; I can send more detailed info as requested.

Thanks

John

-- GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
[ossec-list] Re: OSSEC and phpmyadmin
Hi LNick,

As Steve suggested, the best way to ignore those is by creating a local rule. A simple one would be:

  <rule id="100013" level="0">
    <if_sid>31103</if_sid>
    <url>^/phpmyadmin/</url>
    <description>Ignoring phpMyAdmin events.</description>
  </rule>

Just copy it to your /var/ossec/rules/local_rules.xml and it should solve your problem.

Regarding the white list, it should have worked too, but you would still get the alerts, just not the active response. If you can show us your ossec config and active response log, we can try to see what is going on..

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 5/9/07, LNick [EMAIL PROTECTED] wrote:

Hello,

I was attempting to edit a mysql table using phpmyadmin on a system where I have an OSSEC agent installed. I got the following alert:

  OSSEC HIDS Notification.
  2007 May 09 09:11:36

  Received From: ubuntu-dev->/var/log/apache2/access.log
  Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
  Portion of the log(s):

  10.1.1.182 - - [09/May/2007:09:11:36 -0400] "GET /phpmyadmin/tbl_change.php?db=mbintranetdb&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60wp_options%60.%60option_id%60+%3D+1+AND+%60wp_options%60.%60blog_id%60+%3D+0+AND+CONVERT%28%60wp_options%60.%60option_name%60+USING+utf8%29+%3D+%27siteurl%27&sql_query=SELECT+%2A+FROM+%60wp_options%60&goto=sql.php HTTP/1.1" 200 4660 "http://10.1.1.80/phpmyadmin/sql.php?db=wordpress&table=wp_options&token=b34a8a55beeb46c2d936f8d9300a6aa6&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"

The active response kicked in and blocked all traffic from my machine, so I added it to the white list on the OSSEC server by FQDN and IP, and restarted OSSEC on the server. However every time I try to edit with phpmyadmin I still get the alert and active response.

Do I need to add a whitelist in the agent config? Or something else?
[ossec-list] Re: Ds: Ossec 1.2 and 1.3 won't compile on OpenBSD 4.1
Hey,

I am lost in here. You can only set the BINARY_INSTALL if you pre-compiled ossec and created your own package to perform binary installs on systems without a compiler. To do that, you first need to compile ossec (go to ossec-hids-xx/src and run make all) and then enable BINARY_INSTALL, repackage ossec and install it on any system that does not have a compiler...

If that's not the issue, let me know.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 7/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

The compile error only happens with the BINARY_INSTALL=X; I solved it like this:

- Normal install with #BINARY_INSTALL=X
- Copied the /var/ossec/bin to sourcedir
- When installing the source-package to another 4.1 computer, enabled the binary install again and it worked.

It isn't pretty, but it works :-)

Original message
From: [EMAIL PROTECTED]
Date: 29/07/2007 23:55
To: [EMAIL PROTECTED]
Subject: Ossec 1.2 and 1.3 won't compile on OpenBSD 4.1

I'm trying to compile OSSEC 1.2 (but have also tried to compile with 070722 and 070727) with binary install on OpenBSD 4.1. I've tried it in a virtual machine and also on a fresh install on a i386 (with comp41.tgz). When compiling on Linux everything works fine. I've set USER_BINARYINSTALL=x in etc/preloaded-vars.conf but OSSEC will not install. Only /bin/ossec-control is being created. Since I cannot find any logs or see any error I'm not sure what went wrong. The mailing list also doesn't give any clues apart from the restart-issue with 1.2.
[ossec-list] Re: Ossec Problem: email_alert_level not being honored. Alert level 3 received in mail.
Hi Will,

You need to create a local rule to ignore/change it. Our FAQ has information about it: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

My presentation at AusCERT also helps to understand it: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

A step by step in your case would be:

1- Edit /var/ossec/rules/local_rules.xml and add the following:

  <group name="local">
    <rule id="100101" level="3">
      <if_sid>18119</if_sid>
      <hostname>termsrv1</hostname>
      <description>First time this user logged in this system -- no email alert</description>
    </rule>
  </group>

2- Restart ossec.

By making this change, all first time alerts from host termsrv1 will have only a severity of 3, without the alert_by_email option...

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 7/26/07, Will Froning [EMAIL PROTECTED] wrote:

Hello Daniel,

On 7/26/07, Daniel Cid [EMAIL PROTECTED] wrote:

Hey,

If I am not misunderstanding the problem, this is not a bug in ossec, but it happens because some rules have:

  <options>alert_by_email</options>

to bypass the default e-mail alerting level. Check out:

http://www.ossec.net/ossec-list/2007-July/msg00034.html
http://www.ossec.net/ossec-list/2007-July/msg00035.html

If that's not it, let me know and we can try to figure out what is happening...

That was it. My bad.

So I found one of the offending rules in rules/msauth_rules.xml. How would I go about disabling it for just one server? The example is, we have a terminal server where potentially over 1000 new users may use it in a semester. For these types of servers it wouldn't provide any additional information to send me 1000 of the below messages as it's normal:

  Received From: (termsrv1) 192.168.35.40->WinEvtLog
  Rule: 18119 fired (level 3) -> "First time this user logged in this system."

This is a Solaris 10 server with a W2k3 agent. The manual and list archives didn't clue me in, so any help would be great.

Thanks,
Will

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 7/25/07, Will Froning [EMAIL PROTECTED] wrote:

Hello All,

On 7/25/07, Will Froning [EMAIL PROTECTED] wrote:

Hello All,

Here's a me too message on this. Server/agent with the most recent snapshot I could find running on Solaris 10.

I just confirmed that this is still happening with ossec-hids-070722.tar.gz. Any suggestions on tracking this down?

Thanks,
Will

On 7/25/07, Clayton Dillard [EMAIL PROTECTED] wrote:

I too have this issue. My ossec.conf file is the same as Frank's (defaults) and yet I receive alerts daily that are at levels below 7. I have a server/agent setup.

Thanks,
- Cheers Clayton Dillard

Frank Spierings wrote:

Hi people,

I have a problem with my OSSEC server. The ossec.conf is pretty default. I only changed the email to address. This is the only alerts group in the file:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

Still I'm receiving ossec agent started emails from the server, which are level 3. I checked out the specific rule, but I don't see any indication why it should send me these mails. Any idea where I should start my quest?

Thanks,
Frank Spierings

-- Will Froning Unix SysAdmin [EMAIL PROTECTED] MSN: [EMAIL PROTECTED] YIM: will_froning AIM: willfroning
[ossec-list] Windows policy monitoring
Hey guys (ossec-list and ossec-dev),

I posted in the ossec blog about the Windows policy monitoring that is going to be available on ossec v1.3. If you are interested, take a look at: http://www.ossec.net/dcid/?p=99

For our beta versions of v1.3, look at (we need beta testers): http://www.ossec.net/dcid/?p=97

From the blog:

OSSEC v1.3 will come with support for Windows policy monitoring, allowing you to verify that all your systems conform to a set of policies regarding configuration settings, applications usage, etc. They are configured centrally on the ossec server and pushed down to all your agents.

With the Windows policy monitoring, you can get alerts like the following (detecting Skype and Yahoo):

  2007 Jul 22 17:42:57 Rule Id: 514 level: 2
  Location: (winhome) 192.168.2.190->rootcheck
  Windows application monitor event.
  Application Found: Chat/IM - Yahoo.

  2007 Jul 22 17:42:57 Rule Id: 514 level: 2
  Location: (winhome) 192.168.2.190->rootcheck
  Windows application monitor event.
  Application Found: Chat/IM/VoIP - Skype.

And compliance alerts like the following:

  2007 Jul 23 13:44:54 Rule Id: 512 level: 3
  Location: (winhome) 192.168.2.190->rootcheck
  Windows Audit event.
  Windows Audit: Null sessions allowed.

  2007 Jul 23 13:44:54 Rule Id: 512 level: 3
  Location: (winhome) 192.168.2.190->rootcheck
  Windows Audit event.
  Windows Audit: LM authentication allowed (weak passwords).

Read more: http://www.ossec.net/wiki/index.php/Know_How:WindowsPolicy

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net
[ossec-list] Re: rootkit or trojaned version netstat alerts
That might also be the problem (bug in the linux kernel), from: http://www.ossec.net/dcid/?p=87

If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I may have figured out one of the possible causes today (and no, it is not a rootkit). To keep the story short: if you bind any TCP port, but do not listen on it, netstat will not show it at all (the same does not happen with UDP ports). Here is the idea. If you get this simple C program, it will attempt to bind every TCP port from 1025 to 1050, but it will not listen on them. After it is done, if you do a netstat (or fuser or lsof) nothing will be shown. However, if you try to use the port, you will get an error saying that it is already in use.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/26/07, Ken A [EMAIL PROTECTED] wrote:

Clayton Dillard wrote:

I've received several alerts from one host where ossec is telling me that due to several ephemeral, hidden TCP ports being open/listening that the box might be rooted or have a trojaned netstat. I've run chkrootkit and the system passes. It's true that netstat does not see these ports in use. How can I verify this and how accurate is the ossec alert/check? Here's an example alert from OSSEC:

OSSEC HIDS Notification.
2007 Jul 25 12:03:50

Received From: (BOXEN01) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

--END OF NOTIFICATION

Thanks,

If you have a busy server that runs a daemon that opens and closes high ports quickly, ossec can generate false positives on this rule. I see it fairly often with ftp and smtp.

Ken
--
Ken Anderson
Pacific.Net
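The bound-but-not-listening case Daniel describes, and the bind probe rootcheck uses to catch it, reproduced as an added example (this is not the C program from the blog, nor OSSEC's rootcheck code). It assumes a Linux host, where /proc/net/tcp is the table netstat and ss read and a socket that was bound but never listen()ed is absent from it; on other systems the visibility check answers "unknown". Everything binds to 127.0.0.1 only, so it is safe to run anywhere.

```python
"""Added example (not OSSEC code): reproduce a bound-but-not-listening
TCP socket and run the rootcheck-style bind probe against it.

Assumes Linux (/proc/net/tcp is what netstat/ss read; bound-but-not-
listening sockets are not in it). Only 127.0.0.1 is ever bound.
"""
import errno
import os
import socket

PROC_TCP = "/proc/net/tcp"


def bind_without_listen(port=0):
    """Bind a TCP socket (port 0 lets the kernel pick one) and never call
    listen(). The port is now reserved, yet netstat shows nothing."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", port))
    return s  # keep a reference; close() releases the port again


def bind_and_listen(port=0):
    """Ordinary server socket, for comparison: this one is visible."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s


def visible_tcp_ports():
    """Local ports netstat would show, parsed from /proc/net/tcp
    (local_address is hex 'AABBCCDD:PPPP'); None if the table is absent."""
    if not os.path.exists(PROC_TCP):
        return None
    ports = set()
    with open(PROC_TCP) as fh:
        next(fh)  # column header
        for line in fh:
            fields = line.split()
            if len(fields) > 1 and ":" in fields[1]:
                ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def probe_port(port):
    """Rootcheck-style check: try to bind the port ourselves.
    'free' on success; otherwise compare with what netstat would show and
    return 'in_use_visible', 'in_use_hidden' or 'in_use_unknown'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return "free"
    except OSError as exc:
        if exc.errno != errno.EADDRINUSE:
            raise
    finally:
        s.close()
    visible = visible_tcp_ports()
    if visible is None:
        return "in_use_unknown"
    return "in_use_visible" if port in visible else "in_use_hidden"


def scan(ports):
    """Every port in the range that is in use but invisible: the list
    rootcheck turns into "Port 'N'(tcp) hidden" alerts."""
    return [p for p in ports if probe_port(p) == "in_use_hidden"]


if __name__ == "__main__":
    ghost = bind_without_listen()
    ghost_port = ghost.getsockname()[1]
    print("bound, not listening:", ghost_port, "->", probe_port(ghost_port))
    srv = bind_and_listen()
    srv_port = srv.getsockname()[1]
    print("listening:", srv_port, "->", probe_port(srv_port))
    print("hidden in range:", scan(range(ghost_port, ghost_port + 1)))
    ghost.close()
    print("after close:", probe_port(ghost_port))
```

Ken's false positive follows directly from the probe: a daemon that binds and releases high ports faster than the scan reads /proc/net/tcp can be in use at bind time and gone by the time the table is read. A second probe a few seconds later, or a check of which process owns the port with lsof while it is still in use, separates that race from a port that stays hidden.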
[ossec-list] Re: Active Response behind a load balancer
Hi Reggie,

Looking at your previous e-mail, you are having these errors because you used the same agent id/name on multiple systems. Even if they have the same IP, you need to give different ids/names. If you make this change and re-import all the keys, it should all work.

Regarding the communication, the client (agent) always connects using UDP port 1514 to the server and uses any high local port (like any other application). Note that the agent does not bind to these local ports... If you want to configure a firewall between them, just open dst port 1514 and keep the state.

http://www.ossec.net/wiki/index.php/Errors:AgentCommunication

*You can also change the port 1514, by specifying the port tag.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/26/07, Reggie Griffin [EMAIL PROTECTED] wrote:

Daniel,

Thanks, that was very helpful. Any way to hardcode the UDP port that the client communicates to the server with? Looks like a random port in the 5s. Snippet from tcpdump:

11:24:50.443020 IP ossec.server.1514 > loadbalance.54244: UDP, length 73

Being able to lock that to one port would be very helpful.

-Reggie

Daniel Cid wrote:

Hi Reggie,

OSSEC should work with systems behind a load balancer, but you must give a different agent name and agent id for each one of them (even though the ip address is the same -- like 101/30 that you gave). That entry in the wiki can be of help:

http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs

If that doesn't solve your problem, can you show us your server and agent logs?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/25/07, Reggie Griffin [EMAIL PROTECTED] wrote:

Hello,

Been using OSSEC for a while now, and I must say that it's an awesome tool. Many thanks. To my question: Does anyone have advice on how to use the Active Response with systems sitting behind a load balancer? We have 3 systems with OSSEC installed that are set up as the same agent as far as the OSSEC server knows. An example from manage_agents:

ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30

The logging seems to work fine, but the clients can't connect to the queues on the server.

2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.

I am not sure I approached this correctly, or if there is an easier way to accomplish this. Should I just install OSSEC with individual local-only installs? If so, is there a way to accomplish the centralized logging part (which I like a lot), and have the rest of the OSSEC install only be concerned with managing that one host (most importantly, the Active Response)?

Any thoughts?

-Reggie
[ossec-list] Re: Ossec Problem: email_alert_level not being honored. Alert level 3 received in mail.
Hey,

If I am not misunderstanding the problem, this is not a bug in ossec, but it happens because some rules have:

<options>alert_by_email</options>

to bypass the default e-mail alerting level. Check out:

http://www.ossec.net/ossec-list/2007-July/msg00034.html
http://www.ossec.net/ossec-list/2007-July/msg00035.html

If that's not it, let me know and we can try to figure out what is happening...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/25/07, Will Froning [EMAIL PROTECTED] wrote:

Hello All,

Here's a me too message on this. Server/agent with the most recent snapshot I could find running on Solaris 10. I just confirmed that this is still happening with ossec-hids-070722.tar.gz. Any suggestions on tracking this down?

Thanks,
Will

On 7/25/07, Clayton Dillard [EMAIL PROTECTED] wrote:

I too have this issue. My ossec.conf file is the same as Frank's (defaults) and yet I receive alerts daily that are at levels below 7. I have a server/agent setup.

Thanks,
- Cheers
Clayton Dillard

Frank Spierings wrote:

Hi people, I have a problem with my OSSEC server. The ossec.conf is pretty default. I only changed the email to address. This is the only alerts group in the file:

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>

Still I'm receiving "ossec agent started" emails from the server, which are level 3. I checked out the specific rule, but I don't see any indication why it should send me these mails. Any idea where I should start my quest?

Thanks,
Frank Spierings

--
Will Froning
Unix SysAdmin
[EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
YIM: will_froning
AIM: willfroning
[ossec-list] Re: ossec 1.2 Problems on OpenBSD 4.1-stable
Hi Chris,

Can you try our latest snapshot (in fact, v1.3 beta1)? I don't have OpenBSD 4.1 installed, but it seems to be a memory problem, since the error messages are receiving garbage from memory. Try the following:

http://www.ossec.net/files/snapshots/ossec-hids-070722.tar.gz

And let us know if the problem persists (we fixed a lot of issues in this version).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/23/07, Chris Tankersley [EMAIL PROTECTED] wrote:

We were having problems with ossec just stopping on OpenBSD 4.1-stable, so we set up a cron to stop, then start the ossec server every 12 hours. Starting on Friday, we started getting e-mails from the cron service about ossec not starting correctly, or not running when it goes to shut off. I've put the cron alerts below. Has anyone else had issues running Ossec on OpenBSD 4.1-stable? Our Linux boxes running it never have an issue and have been solid.

Chris

CRON TO RESTART OSSEC @ 07/22/07 00:00
=
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v1.2 Stopped
Starting OSSEC HIDS v1.2 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

CRON TO RESTART OSSEC @ 07/22/07 12:00
=
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v1.2 Stopped
Starting OSSEC HIDS v1.2 (by Daniel B. Cid)...
2007/07/22 12:00:02 ossec-analysisd(1227): Error applying XML variables: 'Grouping of the postfix rules.'.
2007/07/22 12:00:02 ossec-analysisd(1220): Error loading the rules: 'postfix_rules.xml'.
ossec-analysisd: Configuration error. Exiting

CRON TO RESTART OSSEC @ 07/23/07 00:00
=
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
OSSEC HIDS v1.2 Stopped
Starting OSSEC HIDS v1.2 (by Daniel B. Cid)...
2007/07/23 00:00:01 ossec-analysisd(1227): Error applying XML variables: '(bad sequence of commands).'.
2007/07/23 00:00:01 ossec-analysisd(1220): Error loading the rules: 'postfix_rules.xml'.
ossec-analysisd: Configuration error. Exiting

CRON TO RESTART OSSEC @ 07/23/07 12:00
=
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
OSSEC HIDS v1.2 Stopped
Starting OSSEC HIDS v1.2 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
2007/07/23 12:00:04 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2007/07/23 12:00:04 ossec-rootcheck(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2007/07/23 12:00:12 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2007/07/23 12:00:12 ossec-rootcheck(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2007/07/23 12:00:25 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2007/07/23 12:00:25 ossec-rootcheck(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
[ossec-list] Re: Server - Agent Rule Relationship
Hi Clayton,

Within the ossec model, the agents have no information about rules whatsoever. So, if you need to modify a rule, you need to do it on the server side. How do you do it? If you have a rule like this (from our FAQ):

<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>

But you only want it to apply to one agent, you need to use the hostname tag to limit it to the agents you want:

<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
</group>

Hope it helps.

*http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/24/07, Clayton Dillard [EMAIL PROTECTED] wrote:

I'm a bit fuzzed on the relationship between the server and agents with respect to rule processing. I have an OSSEC server with several agents connected. If I want to make a change to a rule that affects a given host, do I make the change on the server or the host(s)?

Thanks,

--
Clayton Dillard
[EMAIL PROTECTED]
RPS Technology, LLC
[ossec-list] Re: granular email
Hi John,

When using the granular email option, you need to raise the rule level above the email_alert_level or use the alert_by_email option to set it for a specific rule. Basically, in the header of the alert you need to have the "mail" in there for it to be evaluated by maild:

** Alert 1185249260.298: mail - xx,

Anyway, in my opinion, the best way to accomplish what you are trying to do is by creating a local rule that is going to alert on any successful login to this host:

<rule id="100200" level="3">
  <if_group>authentication_success</if_group>
  <hostname>system1</hostname>
  <options>alert_by_email</options>
  <description>Login to secure server.</description>
</rule>

After that, you can create your granular config:

<email_alerts>
  <email_to>[EMAIL PROTECTED]</email_to>
  <rule_id>100200</rule_id>
  <do_not_delay />
</email_alerts>

hope it helps...

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/24/07, John Ives [EMAIL PROTECTED] wrote:

If we are using the granular email option to send out email on selected items, do we need to raise the rule level to above the email_alert_level setting?

I have a few systems that have access to particularly important data and which are actually logged into only a couple of times a day (when I need to access some of the stored data, for example). I would like to devise a system whereby I am notified whenever I log in. While I may eventually do this as an active response script (the idea being that if anyone ever gets a page when they did not log in they would know to initiate emergency response procedures), I am interested in seeing if there is a simpler way of accomplishing this. I have written the appropriate rule to isolate my login (this is a viable, though ugly, option for me since there are fewer than 5 accounts that will have access to the important systems), and there is an appropriate event in the alerts.log file, but no email.

The email alert in the ossec.conf file is (I have also tried this as an sms alert with no luck):

<email_alerts>
  <email_to>[EMAIL PROTECTED]</email_to>
  <rule_id>666011</rule_id>
  <do_not_delay />
</email_alerts>

and the alert in the log file looks like:

** Alert 1185311433.1585718: - local,authentication_success,
2007 Jul 24 14:10:33 SYSTEM->/var/log/auth.log
Rule: 666011 (level 3) -> 'SSHD authentication success.'
Src IP: XXX.XXX.XXX.XXX
User: jives
Jul 24 14:10:33 SYSTEM sshd[55220]: Accepted keyboard-interactive/pam for jives from XXX.XXX.XXX.XXX port 62398 ssh2

Thanks.

John

--
John Ives                                   Phone (510) 642-7773
System & Network Security                   Cell (510) 229-8676
University of California, Berkeley
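The two gates that decide whether any mail goes out, walked through as an added example (this is not OSSEC's code). It covers the alert_by_email explanation in the "email_alert_level not being honored" reply, the hostname restriction from the "Server - Agent Rule Relationship" reply, and the granular configuration above: rule 666011 is reconstructed from John's alert as a level-3 authentication_success rule without alert_by_email (its real body is not on the page), rule 100200 is Daniel's, the e-mail addresses are placeholders, and the <hostname>/<if_group> matching is a simplified stand-in for OSSEC's own regex engine with "|" separating alternatives.

```python
"""Added example (not OSSEC's own code): the two gates an alert passes
before maild sends anything, using the rule and <email_alerts> XML from
this thread.

  gate 1 (analysisd): the alert is handed to maild only if the rule level
          is >= email_alert_level, or the rule carries
          <options>alert_by_email</options>; such alerts get the "mail"
          marker in their "** Alert ..." header;
  gate 2 (maild): the granular <email_alerts> blocks are consulted only
          for alerts that passed gate 1.

Assumptions: rule 666011 is reconstructed from John's alert (level 3,
group authentication_success, no alert_by_email); addresses are
placeholders; <hostname> and <if_group> matching is a simplified stand-in
for OSSEC's regex engine ('|' separates alternatives).
"""
import re
import xml.etree.ElementTree as ET

LOCAL_RULES = """
<group name="local">
  <rule id="666011" level="3">
    <if_group>authentication_success</if_group>
    <description>SSHD authentication success.</description>
  </rule>
  <rule id="100200" level="3">
    <if_group>authentication_success</if_group>
    <hostname>system1</hostname>
    <options>alert_by_email</options>
    <description>Login to secure server.</description>
  </rule>
</group>
"""

OSSEC_CONF = """
<ossec_config>
  <global>
    <email_alert_level>7</email_alert_level>
  </global>
  <email_alerts>
    <email_to>oncall@example.invalid</email_to>
    <rule_id>666011</rule_id>
    <do_not_delay />
  </email_alerts>
  <email_alerts>
    <email_to>oncall@example.invalid</email_to>
    <rule_id>100200</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
"""


def load_rules(xml_text):
    """Map rule id -> the fields this example evaluates."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        opts = (r.findtext("options") or "").split(",")
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_group": (r.findtext("if_group") or "").strip() or None,
            "hostname": (r.findtext("hostname") or "").strip() or None,
            "options": {o.strip() for o in opts if o.strip()},
        }
    return rules


def load_email_config(xml_text):
    """Return (email_alert_level, [granular <email_alerts> blocks])."""
    cfg = ET.fromstring(xml_text)
    level = int(cfg.findtext("global/email_alert_level"))
    granular = []
    for block in cfg.iter("email_alerts"):
        ids = (block.findtext("rule_id") or "").split(",")
        granular.append({
            "email_to": block.findtext("email_to"),
            "rule_ids": {i.strip() for i in ids if i.strip()},
            "do_not_delay": block.find("do_not_delay") is not None,
        })
    return level, granular


def rule_matches(rule, event):
    """event = {'groups': set of group names, 'hostname': agent name}."""
    if rule["if_group"] and rule["if_group"] not in event["groups"]:
        return False
    if rule["hostname"]:
        alternatives = rule["hostname"].split("|")
        if not any(re.search(a, event["hostname"]) for a in alternatives):
            return False
    return True


def passes_mail_gate(rule, email_alert_level):
    """Gate 1: would analysisd flag this alert for maild at all?"""
    return rule["level"] >= email_alert_level or "alert_by_email" in rule["options"]


def alert_header(alert_id, rule, email_alert_level, groups):
    """The '** Alert' line as written to alerts.log; 'mail' only after gate 1."""
    flag = "mail " if passes_mail_gate(rule, email_alert_level) else ""
    return f"** Alert {alert_id}: {flag}- {','.join(groups)},"


def recipients(rule, email_alert_level, granular):
    """Gate 2: addresses maild would use. Empty when gate 1 failed, no
    matter how many granular blocks name the rule."""
    if not passes_mail_gate(rule, email_alert_level):
        return []
    return [g["email_to"] for g in granular if rule["id"] in g["rule_ids"]]
```

Running it with John's event (hostname SYSTEM, groups local and authentication_success) shows the failure mode from his mail: rule 666011 matches and its granular block is present, but the header comes out as "** Alert 1185311433.1585718: - local,authentication_success," with no "mail" marker, so maild never looks at the block and recipients() is empty. Rule 100200 at the same level 3 passes gate 1 through alert_by_email and the granular block is honoured.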
[ossec-list] Re: ossec removal question
Hi Barbaros, I remember that someone in the past sent me a script to remove ossec, but I never got around to integrate it with ossec (whosoever did it, please send to me again). Anyway, the easiest way to remove ossec is to do the following: -Remove /var/ossec -Remove the init script (generally /etc/init.d/ossec and all the references on /etc/rc.X) -Remove all the ossec users -Remove /etc/ossec-init.conf Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 7/21/07, Barbaros Usekes [EMAIL PROTECTED] wrote: Hello, I installed ossec to my server yesterday, for trying it and now i want to remove it but i dont know how to do it. I am a newbie. I just deleted ossec files and folders, and when my server starts it tries to start ossec also and it gives error as : Starting OSSEC: /etc/init.d/ossec: line 36: /var/ossec/bin/ossec-control: No such file or directory This error is because i deleted most (i thought i deleted all) files and folders of ossec, but it seems not. I guess i need to also remove /etc/init.d/ossec. Am i doing things right or is there a different removal method?
[ossec-list] Re: Doesn't block brute force attack on ftp server
Hi Jose,

Can you show us a few samples of your proftpd logs? Also, look at the ossec alerts log and the active responses log to make sure that it really didn't block the attack. By default it will unblock the ip after 10 minutes...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/17/07, José Colzani [EMAIL PROTECTED] wrote:

Hi people, first sorry for my English, I'm Brazilian and speak Portuguese. I have used ossec on all my servers, and today my ftp server had a brute force attack, and ossec didn't log this attack. Why? In my ossec.conf I have the lines included for the proftpd.log and the location tag pointing to the correct log file /var/log/proftpd.log

Thank you for all.

José Carlos Colzani - Brusque SC
E-mail - linoxman em yahoo.com.br linoxman em gmail.com.br
GNU/Linux - 2.6.20.16 / Kubuntu 7.04
User linux #241077
[ossec-list] Re: SSH brute force and firewall drop.
Hi Fletch,

Which operating system are you using? The logs are not well formatted, so ossec is not parsing them correctly. They start with the date/time, followed by the program name (with the weird brackets around them):

Jul 16 21:37:18 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remoteIP
Jul 16 21:37:16 [sshd] error: PAM: Authentication failure for illegal user fred from remoteIP

Ossec expects the date/time followed by hostname and followed by the program name without brackets (normal syslog message):

Dec 13 09:19:09 hostname sshd(pam_unix)

We would need to change some of the decoders to support this format...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/16/07, Fletch Hasues [EMAIL PROTECTED] wrote:

Greetings,

I am trying to configure a host to prevent access via firewall drop by using the rules that I see firing, and lately those are of multiple authentication failures. So far, I have not been able to get active response to make use of the firewall-drop.sh script to block access. If I login with a false user and try to login, I see the logs noting that this is happening, and it does send out e-mail, but the active-response fails to firewall the IP.

Received From: myhost->/var/log/everything/current
Rule: 40111 fired (level 10) -> "Multiple authentication failures."
Portion of the log(s):

Jul 16 21:37:18 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remoteIP
Jul 16 21:37:16 [sshd] error: PAM: Authentication failure for illegal user fred from remoteIP
Jul 16 21:37:14 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= remoteIP
Jul 16 21:37:10 [sshd] error: PAM: Authentication failure for illegal user fred from remoteIP

My ossec.conf file appears as:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>myemail</email_to>
    <smtp_server>mysmtp</smtp_server>
    <email_from>[EMAIL PROTECTED]</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
    <include>zeus_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 6 hours -->
    <frequency>21600</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
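A decoder that accepts both log shapes from this thread, added here as an example (it is not an OSSEC decoder): standard syslog with a hostname and a bare program name, and Fletch's hostname-less, bracketed form, which is why the stock sshd decoders never reach his rules and active response has no source IP to block. The bracketed sample lines are Fletch's (the source was already redacted as remoteIP); the two standard-syslog lines are constructed, one after John's auth.log line above and one with a documentation address.

```python
"""Added example (not an OSSEC decoder): decode both log shapes from this
thread, then extract what active response needs (the source IP) from the
sshd/PAM failure messages and count failures per source.

  standard syslog:  <timestamp> <hostname> <program>[pid]: <message>
  Fletch's format:  <timestamp> [<program>] <message>      (no hostname)

Bracketed sample lines are Fletch's (source redacted as 'remoteIP'); the
standard-syslog lines are constructed for this example.
"""
import re
from collections import Counter

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
SYSLOG_STD = re.compile(
    TS + r" (?P<host>[^\s\[]\S*) "
    r"(?P<prog>[^\s\[\]:]+(?:\([^)]*\))?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")
SYSLOG_BRACKET = re.compile(TS + r" \[(?P<prog>[^\]]+)\] (?P<msg>.*)$")

# sshd/PAM failure messages seen in the thread, plus sshd's own
# "Failed password" wording.
FAILURES = [
    re.compile(r"Authentication failure for (?:illegal user )?(?P<user>\S+) from (?P<srcip>\S+)"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)"),
    re.compile(r"authentication failure;.*\brhost=\s*(?P<srcip>\S+)"),
]

SAMPLE_LINES = [
    "Jul 16 21:37:18 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remoteIP",
    "Jul 16 21:37:16 [sshd] error: PAM: Authentication failure for illegal user fred from remoteIP",
    "Jul 16 21:37:14 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= remoteIP",
    "Jul 16 21:37:10 [sshd] error: PAM: Authentication failure for illegal user fred from remoteIP",
    # constructed standard-syslog lines (not from the thread's host)
    "Jul 24 14:10:33 SYSTEM sshd[55220]: Accepted keyboard-interactive/pam for jives from XXX.XXX.XXX.XXX port 62398 ssh2",
    "Jul 16 21:38:02 myhost sshd[4242]: Failed password for invalid user fred from 192.0.2.7 port 4444 ssh2",
]


def decode(line):
    """Return the decoded fields, or None if neither shape matches.
    The bracketed form is tried first: a standard line never starts its
    hostname with '['."""
    m = SYSLOG_BRACKET.match(line)
    if m:
        return {"format": "bracketed", "host": None, "pid": None, **m.groupdict()}
    m = SYSLOG_STD.match(line)
    if m:
        return {"format": "syslog", **m.groupdict()}
    return None


def sshd_failure(decoded):
    """(user, srcip) for an sshd/PAM authentication failure, else None.
    user is None for the pam_unix form, which carries only rhost."""
    if decoded is None or not decoded["prog"].startswith("sshd"):
        return None
    for pattern in FAILURES:
        m = pattern.search(decoded["msg"])
        if m:
            return m.groupdict().get("user"), m.group("srcip")
    return None


def failures_by_source(lines):
    """Failures per source IP: the composite 'Multiple authentication
    failures' rule fires on the source that crosses its threshold, and
    that srcip is what firewall-drop.sh receives."""
    counts = Counter()
    for line in lines:
        hit = sshd_failure(decode(line))
        if hit:
            counts[hit[1]] += 1
    return counts
```

With only the standard decoder, the four bracketed lines decode to nothing and no srcip is ever attached, which is the state Fletch is in: the composite rule can still fire on the raw text, but active response has no address to hand to firewall-drop.sh. Fixing the log format at the source (syslog-ng or metalog templates that emit a hostname) is the cleaner fix; a custom decoder like the one above is the fallback.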
[ossec-list] Re: Storing logs in a different location
Hi Zach,

Currently this is not possible. Ossec runs in chroot, so the log files must be inside its working directory (which is by default /var/ossec). A simple way to fix this is by doing the following:

-Remove /etc/ossec-init.conf
-Move /var/ossec to /tmp (just to keep it in there for a while)
-Install ossec normally in the new location.
-Copy everything from /tmp/ossec/logs, /tmp/ossec/etc, /tmp/ossec/rules, /tmp/ossec/queue and /tmp/ossec/stats to the new location.

Theoretically, you can just copy the whole ossec dir to a new location, but the binaries will still try to use the other location, so reinstalling makes it easier.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/13/07, Zach Patrick [EMAIL PROTECTED] wrote:

Hi List,

Ossec is located at /var/ossec, and the logs are currently being stored at /var/ossec/logs. The /var/ partition on our ossec server is not very large and the logs are growing rapidly. I've been looking through the documentation, ossec files, and mailing list, and can't seem to find anywhere to specify where I want to store the log files. Is there an easy way to do this without needing to reinstall with ossec in a different directory or using links?

Thanks for any help!

~Zach
[ossec-list] Re: What happens if the ossec server is down?
Hi Paco, Joking aside, the agent will detect that the server is down (after a few minutes without the keep alive messages) and stop reading/sending events until it is back up (it will detect when the server is back again). Hope it helps, -- Daniel B. Cid dcid ( at ) ossec.net On 7/13/07, Paco Avila [EMAIL PROTECTED] wrote: El jue, 12-07-2007 a las 09:21 -0500, Will Metcalf escribió: Fire and brimstone coming down from the skies, Rivers and seas boiling, Forty years of darkness, earthquakes, volcanoes, the dead rising from the grave. Human sacrifice, dogs and cats living together - mass hysteria. Sorry I just couldn't resist... ;-) This seems to be a BIG problem :P -- Paco Avila [EMAIL PROTECTED]
[ossec-list] Updates on the project (GPLv3, Windows UI, policy auditing, etc)
Hi list,

A lot is going on lately and I would like to keep everyone updated. Here it goes:

*Next version will come with a simplified UI to manage the Windows agent. I really need people trying it out. More information: http://www.ossec.net/dcid/?p=91

*We opened a list with our CVS commits. More info: http://www.ossec.net/dcid/?p=90

*I am thinking of updating ossec's license to the gplv3. I exposed my reasons at http://www.ossec.net/dcid/?p=95 and I would love some feedback. Basically, I am looking for reasons not to update.

*I need beta testers for the next version. If you are willing to help us out, let me know. We need testers with access to Windows 2000, Windows 2003, Windows XP, Solaris, Linux, *BSD, AIX, HP-UX or Mac. If you have access to any of these systems, you can help us :) Yes, no one left behind...

*I am adding policy auditing to the next version of the Windows agent. Basically, it will allow you to alert when any setting is out of compliance (e.g. PCI) or when specific applications are installed, etc. Example of entries that you can do:

[Microsoft Firewall disabled] [any] []
r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> !0;
r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> !0;

[Null sessions allowed] [any] []
r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;

[Chat/IM/VoIP - Skype] [any] []
f:\Program Files\Skype\Phone;
f:\Documents and Settings\All Users\Documents\My Skype Pictures;
f:\Documents and Settings\Skype;
f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKLM\SOFTWARE\Skype;
r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
p:Skype.exe;

It will be all controlled and configured from the server side. If you have suggestions and would like to help building the application profiles and default audit settings, let me know.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
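A parser and evaluator for the policy entry format shown above, added as an example (this is not OSSEC's rootcheck code, and the semantics are the ones the entries imply rather than a copy of the agent's): an entry is a "[name] [condition] [reference]" header followed by ";"-terminated checks, where "r:" is a registry key with optional "-> value -> content", "f:" a file path and "p:" a process name, and "[any]" fires when one check holds while "[all]" needs every check. It reuses the Null sessions and Skype entries from the post, adds one constructed "[all]" entry to show the difference, and evaluates everything against a constructed in-memory snapshot of a host instead of a live registry.

```python
"""Added example (not OSSEC code): parse rootcheck-style policy entries
and evaluate them against an in-memory host snapshot.

Supported checks (the ones in the post):
  r:KEY [-> VALUENAME [-> CONTENT]]   registry key / value / content,
                                      '!X' meaning "present and not X"
  f:PATH                              file or directory exists
  p:NAME                              process is running
Header: [name] [any|all] [reference]. The snapshot and the [all] entry
are constructed for this example.
"""
import re

HEADER = re.compile(r"^\[(?P<name>[^\]]*)\]\s*\[(?P<cond>[^\]]*)\]\s*\[(?P<ref>[^\]]*)\]")

POLICY = r"""
[Null sessions allowed] [any] []
r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;

[Chat/IM/VoIP - Skype] [any] []
f:\Program Files\Skype\Phone;
f:\Documents and Settings\All Users\Documents\My Skype Pictures;
f:\Documents and Settings\Skype;
f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKLM\SOFTWARE\Skype;
r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
p:Skype.exe;

# constructed entry, not from the post: every check must hold
[Skype running and policy key present] [all] []
p:Skype.exe;
r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
"""

# constructed host snapshot: keys lower-case, HKLM expanded
SAMPLE_STATE = {
    "registry": {
        r"hkey_local_machine\system\currentcontrolset\control\lsa": {"RestrictAnonymous": "0"},
        r"hkey_local_machine\software\skype": {},
    },
    "files": {r"\Program Files\Skype\Phone"},
    "processes": {"Skype.exe", "explorer.exe"},
}


def parse_check(piece):
    kind, _, rest = piece.partition(":")
    kind = kind.strip().lower()
    if kind not in ("r", "f", "p"):
        raise ValueError("unknown check type: " + piece)
    parts = [p.strip() for p in rest.split("->")]
    return {"type": kind, "target": parts[0], "args": parts[1:]}


def parse_policy(text):
    """Entries in file order; a '[' line starts a new entry and checks may
    follow it on the same line or on later lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            entries.append({"name": m["name"], "condition": m["cond"].strip().lower() or "any",
                            "reference": m["ref"], "checks": []})
            line = line[m.end():].strip()
            if not line:
                continue
        if not entries:
            raise ValueError("check before any [entry] header: " + line)
        for piece in line.split(";"):
            if piece.strip():
                entries[-1]["checks"].append(parse_check(piece.strip()))
    return entries


def _norm_key(key):
    low = key.strip().replace("/", "\\").lower()
    for short, full in (("hklm\\", "hkey_local_machine\\"), ("hkcu\\", "hkey_current_user\\")):
        if low.startswith(short):
            low = full + low[len(short):]
    return low


def _content_matches(actual, expected):
    if expected.startswith("!"):
        return actual is not None and actual.lower() != expected[1:].lower()
    return actual is not None and actual.lower() == expected.lower()


def check_holds(check, state):
    if check["type"] == "f":
        return check["target"].lower() in {f.lower() for f in state["files"]}
    if check["type"] == "p":
        return check["target"].lower() in {p.lower() for p in state["processes"]}
    values = state["registry"].get(_norm_key(check["target"]))
    if values is None:
        return False
    if not check["args"]:
        return True  # key exists
    lowered = {k.lower(): v for k, v in values.items()}
    name = check["args"][0].lower()
    if len(check["args"]) == 1:
        return name in lowered  # value exists
    return _content_matches(lowered.get(name), check["args"][1])


def evaluate(entries, state):
    """Names of the entries that would raise an alert on this host."""
    fired = []
    for e in entries:
        results = [check_holds(c, state) for c in e["checks"]]
        hit = all(results) if e["condition"] == "all" else any(results)
        if results and hit:
            fired.append(e["name"])
    return fired
```

On the snapshot above the Null sessions and Skype entries fire (RestrictAnonymous is 0, and a single Skype file is enough under [any]), while the constructed [all] entry does not, because the Policies\Skype key is absent. Setting RestrictAnonymous to 1 and removing the Skype artefacts from the snapshot silences everything, which is the check you would run on a hardened build before pushing a new policy file to the agents.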
[ossec-list] Re: Waiting for server reply (not started)
Hi Tim, I just added a new entry to the wiki with more information regarding it: http://www.ossec.net/wiki/index.php/Errors:AgentCommunication Can you try all the steps in there to see if it works? If not, we would need to see your logs (from server and agent) to try to figure out what is happening. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 6/29/07, Tim Boyer [EMAIL PROTECTED] wrote: Yup. Just tried it again, just to be sure - no luck. Hi Tim, Did you restart the server after adding the new agents? And after that start the new agents? E. 2007/6/29, Tim Boyer [EMAIL PROTECTED]: You know you're getting old when you google for an answer - and find one of your own posts. But this is _slightly_ different. I'm getting the subject's error on a client. The last time it happened, it was a firewall issue - I was letting port 1514 out, but not back in. This time, I'm letting 1514 go both ways. [EMAIL PROTECTED] logs]# nc -u 192.168.1.200 1514 Testing going to the server [EMAIL PROTECTED] bin]# nc -ul 1514 Testing going to the server [EMAIL PROTECTED] bin]# nc -u 192.168.42.1 1514 Testing going back [EMAIL PROTECTED] logs]# nc -ul -p 1514 Testing going back So it's not a firewall issue. Reinforcing this is the fact that I've got a half-dozen agents working fine: [EMAIL PROTECTED] bin]# ./list_agents -a defiant-192.168.1.130 is available. roosevelt-192.168.1.80 is available. gage-192.168.2.95 is available. melbourne-192.168.1.90 is available. saratoga-192.168.1.250 is available. challenger-192.168.1.79 is available. tolstoy-192.168.1.75 is available. I've deleted the agent keys and re-created them, and then re-imported them - so it's not that. Anyone have any suggestions? Thanks, -- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
[ossec-list] Re: custom rule alert for windows installer
Hi Gary,

I am glad you are enjoying ossec so far, rest inline..

On 6/26/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I want to receive an alert whenever there is software installed on the Windows 2003 box so I can see if updates etc. are installed properly and no one puts any unauthorised programs on the server.

Good idea... Not all programs are going to generate events (especially if they use different installers), but as a policy violation measure it is pretty good.

The Windows Msi installer events are information events that seem to all have Event IDs like 117xx. I've tried the following to get it working, but no luck yet. In msauth_rules.xml it has the following:

<rule id="18101" level="0">
  <if_sid>18100</if_sid>
  <status>^INFORMATION</status>
  <description>Windows informational event.</description>
</rule>

Since I'm after information events and the level of the above rule is 0, I figured it would drop the event and go no further, so I put the following in the local_rules.xml:

<group name="local,windows,">
  <rule id="18101" level="1" overwrite="yes">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>

Sounds correct to me, but you don't need to set the level to 1 in here for your other rule to work. However, for debugging it is good. Are you getting every informational event in /var/ossec/logs/alerts/alerts.log?

  <!-- Trying to alert Windows application installations. -->
  <rule id="100101" level="8">
    <if_sid>18101</if_sid>
    <id>^117</id>
    <description>Windows Installation Activity</description>
  </rule>
</group>

Am I going about this the right way or is there something else I need to do?

Looks like you are doing it correctly. Look at the alerts.log and you should now be getting every windows informational log too. If you are not, try sending a couple of log samples for us to take a look.

Also, when I edit the rules or the configuration files, do I need to restart the server and/or agent? I've been restarting the server, because what I understand from the wiki is that the server sends new rules out to the agents.

You only need to restart the server. The agent does no log parsing...

Any help would be much appreciated.

-GP

hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
[ossec-list] Re: Weird Windows Agent Error
Hi Rob,

That's expected if the agent can't connect to the server, otherwise you have some weird error. Can you provide us with your whole ossec.log from the agent? Also, if you can show us the ossec.conf (of the agent), it can help too.

*which ossec version are you using?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/26/07, Rob [EMAIL PROTECTED] wrote:

I've done a search and didn't find any answers as to why I'm seeing this over and over on the windows agents. Any ideas? It goes away when I reboot the ossec server and then recycle the agents themselves. Seems like no alerts go through either. Mix and match of Windows 2000 and 2003 agents.

2007/06/04 14:33:06 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:33:21 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:33:36 ossec-agent: Error waiting mutex (timeout).
[ossec-list] Re: Windows eventlog NTDS.evt logging
Hi Dmitrii,

You need to pass the event log name (like Application or Security) to the location tag, instead of the real location of the event log. That's why Application works and C:\WINDOWS\System32\config\AppEvent.Evt fails.

For NTDS, I am afraid that ossec will not support it properly, since we hard-coded a validator looking for Security, Application or System... I will see if I can fix it for the next snapshot. Are there any more event log sources that we may need to add?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/26/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hello!

I'm trying to add extended event logging to windows agents on a Windows Server 2003 domain controller. There is an event log C:\WINDOWS\system32\config\NTDS.evt but when I try to add a string like this:

<localfile>
  <location>C:\WINDOWS\system32\config\NTDS.evt</location>
  <log_format>eventlog</log_format>
</localfile>

it exits with error:

2007/06/26 10:47:26 ossec-agent: DEBUG: Reading logcollector configuration.
2007/06/26 10:47:26 ossec-agent(1903): Invalid event log: 'C:\WINDOWS\System32\config\NTDS.Evt'.
2007/06/26 10:47:26 ossec-agent(1202): Configuration error at 'ossec.conf'. Exiting.

Tried to change location to NTDS. Unsuccessful. Has anyone solved this problem?

P.S.

<localfile>
  <location>Application</location>
  <log_format>eventlog</log_format>
</localfile>

works, but when I try to change the location like this:

<location>C:\WINDOWS\System32\config\AppEvent.Evt</location>

it crashes with an error.

Thanks.
Dmitrii Chebotarev, Russia.
[ossec-list] Re: OSSEC Server Crashing on Solaris 9
Hi Erik,

Sorry for taking long to reply to you, but it looks like your problem should be fixed in the following snapshot: http://www.ossec.net/files/snapshots/ossec-hids-070625.tar.gz

Thanks to Logan Bruns in the dev-list for the patch...

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/18/07, Erik Delfgaauw [EMAIL PROTECTED] wrote:

Hi Daniel,

Here's what I did, maybe it already points out something, or maybe I did it wrong, please check:

I've edited ossec-control and added -d -d in the following section:

==
# We actually start them now.
for i in ${SDAEMONS}; do
    pstatus ${i};
    if [ $? = 0 ]; then
        ${DIR}/bin/${i} -d -d;
        if [ $? != 0 ]; then
            unlock;
            exit 1;
        fi
        echo "Started ${i}..."
    else
        echo "${i} already running..."
    fi
done
==

I then start OSSEC using ./ossec-control start in /opt/ossec/bin, which outputs the following:

==
Starting OSSEC HIDS v1.2 (by Daniel B. Cid)...
2007/06/17 16:38:16 ossec-maild: Starting ...
2007/06/17 16:38:16 ossec-maild: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
2007/06/17 16:38:16 ossec-analysisd: Starting ...
2007/06/17 16:38:16 ossec-analysisd: Found user/group ...
2007/06/17 16:38:16 ossec-analysisd: Active response initialized ...
2007/06/17 16:38:16 ossec-analysisd: Read configuration ...
Started ossec-analysisd...
2007/06/17 16:38:16 ossec-logcollector: Starting ...
Started ossec-logcollector...
2007/06/17 16:38:17 ossec-remoted: Starting ...
Started ossec-remoted...
2007/06/17 16:38:17 ossec-rootcheck: Starting ...
2007/06/17 16:38:17 ossec-rootcheck: Starting queue ...
2007/06/17 16:38:20 ossec-syscheckd(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:20 ossec-rootcheck(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:28 ossec-syscheckd(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:28 ossec-rootcheck(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:41 ossec-syscheckd(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:41 ossec-rootcheck(1211): Unable to access queue: '/opt/ossec/queue/ossec/queue'. Giving up..
==

The OSSEC log file then contains the following:

==
2007/06/17 16:38:16 ossec-maild: Starting ...
2007/06/17 16:38:16 ossec-maild: E-Mail notification disabled. Clean Exit.
2007/06/17 16:38:16 ossec-execd: Started (pid: 10759).
2007/06/17 16:38:16 ossec-analysisd: Starting ...
2007/06/17 16:38:16 ossec-analysisd: Found user/group ...
2007/06/17 16:38:16 ossec-analysisd: Active response initialized ...
2007/06/17 16:38:16 ossec-analysisd: Read configuration ...
2007/06/17 16:38:16 ossec-logcollector: Starting ...
2007/06/17 16:38:17 ossec-logcollector: DEBUG: Waiting main daemons to settle.
2007/06/17 16:38:17 ossec-remoted: Starting ...
2007/06/17 16:38:17 ossec-remoted: Started (pid: 10770).
2007/06/17 16:38:17 ossec-remoted: DEBUG: Forking remoted: '0'.
2007/06/17 16:38:17 ossec-remoted: Started (pid: 10771).
2007/06/17 16:38:17 ossec-remoted: DEBUG: Starting manager_unit
2007/06/17 16:38:17 ossec-rootcheck: Starting ...
2007/06/17 16:38:17 ossec-rootcheck: Starting queue ...
2007/06/17 16:38:20 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:20 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2007/06/17 16:38:20 ossec-syscheckd(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:20 ossec-rootcheck(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:26 ossec-logcollector(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:26 ossec-logcollector(1211): Unable to access queue: '/opt/ossec/queue/ossec/queue'. Giving up..
2007/06/17 16:38:28 ossec-syscheckd(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:28 ossec-rootcheck(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:41 ossec-syscheckd(1210): Queue '/opt/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
2007/06/17 16:38:41 ossec-rootcheck(1211): Unable to access queue: '/opt/ossec
[ossec-list] Re: Whitelisting specific syslog message
Hi Steve,

A lot of people have problems finding stuff on our wiki, but we plan to keep improving it (and any help is welcome). As Michael said, you can send the log entries to the list so we can help you out, or you can use the following documents from our FAQ:

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort

Also, my presentation at AusCERT/Confidence can be of help too: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Hope it helps,

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/21/07, Steve Johnson [EMAIL PROTECTED] wrote:

Hi,

There is a syslog message that triggers rule 1002 for syslog, which is about alerting on certain keywords. The message happens when we try to set up an ssh tunnel when the port has already been used by someone else, and it has the keyword error generated by sshd. I don't want to remove the keyword from rule 1002, or even less ignore the rule completely, but I was wondering if there was a way to whitelist certain specific syslog messages? I could not find the information in the wiki, so I hope I didn't just overlook it :-)

Thanks,
Steve Johnson
[ossec-list] Re: Integrity Checking Not Working -- BREAKTHROUGH ;-)
Hi Erik,

Did you restart Apache after making the group changes? This is the only thing I can think of... OSSEC WUI only requires PHP 4 or above with Posix support...

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/19/07, Erik Delfgaauw [EMAIL PROTECTED] wrote:

Hi Brad,

Wish that was the case, both times I ran the script as the apache user, one time from the command line, and one time through the web server. I think something might be wrong with my Apache / PHP configuration, but I can't figure out what. phpinfo doesn't show anything strange. There are no errors. I was thinking of environment settings, but there's nothing OSSEC related in the environment of the apache user. Is there anything in addition that OSSEC requires, besides PHP? Does it need any additional PHP modules or libraries?

E.

2007/6/19, Brad Lhotsky [EMAIL PROTECTED]:

Perhaps you're running them as different users and it's a permissions problem?

Erik Delfgaauw wrote:

Hi folks,

I have found out that when I do:

apache@host:/var/www/website/ossec-wui php index.php f=i

...I get a correct output with an Agent name picklist containing all the agents, plus the Integrity Check information displayed below.

However, when I go to:

http://host/ossec-wui/index.php?f=i

...I get an incorrect output with an empty Agent name picklist (or merely containing ossec-server), and no Integrity Check information is displayed.

So, apparently OSSEC-WUI is working fine, but somehow it goes wrong between Apache and PHP. We have tried PHP debugging, but apparently it's not that there are any errors occurring, it is just not working properly ;-) Does anybody have any idea or hint on where to look regarding this strange behavior? A PHP script that returns different information when launched on the command line than when launched through the Apache web server, without returning errors?

Thanks in advance !

E.

2007/5/30, Erik Delfgaauw [EMAIL PROTECTED]:

Hi Daniel,

Verified once more, the web user is apache, and it definitely has access to the OSSEC-WUI tmp directory. In a different environment which IS working, in the OSSEC-WUI tmp directory, I see a file called output-tmp-some-id.php, and this file does not exist in the NOT working environment. How to proceed, where else can I look? Can it also be an Apache setting that is causing the problem?

E.

2007/5/28, Daniel Cid [EMAIL PROTECTED]:

Hi Erik,

Yes, I mean the ossec-wui tmp directory :) sorry for not being specific. Also, make sure to restart apache, otherwise the group permissions will not apply. Let me know how it goes :)

Thanks,
Daniel

On 5/27/07, Erik Delfgaauw [EMAIL PROTECTED] wrote:

Hi Daniel,

I guess you mean the OSSEC-WUI tmp directory right? Just to be 100% sure, because there's also a /tmp and a /var/ossec/tmp. I will verify once more, gotta admit that it already makes me feel stupid now, if this is the case ;-) Thanks, will get back to you this Tuesday !

E.

2007/5/27, Daniel Cid [EMAIL PROTECTED]:

Hi Erik,

Can you make sure that your web server is really running as user www? Probably a ps auwx |grep http will show you that. It looks to me like php can't write to the tmp directory...

daniel

On 5/25/07, Erik Delfgaauw [EMAIL PROTECTED] wrote:

Hi Daniel,

/var/ossec/queue/syscheck/ contains a bunch of files with a naming scheme like:

(host) ip->syscheck
.(host) ip->syscheck.cpt

There is a couple for each agent, plus there's:

syscheck
.syscheck.cpt

I have executed every single step from the OSSEC WUI install guide, the only thing about permissions was regarding the ossec-wui/tmp/ directory (chmod 770/chgrp www), there are no errors in the web server log, and I have just found out that Stats isn't working too, and ONLY real time search is working. So, very likely a permission problem
[ossec-list] Re: New OSSEC User: False Positive
Hi Josh,

Great suggestion, but I would recommend using the url tag instead of the match to ignore these patterns:

<rule id="100101" level="0">
  <if_sid>31106</if_sid>
  <url>^/images/listing_photos</url>
  <description>Events ignored</description>
</rule>

Just add that to local_rules.xml and you should be good to go.

*btw, I don't think that these rules are very likely to generate false positives, specially on Unix systems (where people don't use spaces for file names). It is matching on the %20from%20, which is commonly used on SQL injections...

hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/19/07, Josh Drummond [EMAIL PROTECTED] wrote:

Hi,

You could add an ignore rule for that rule id #31106... look at http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules for details. I would not ignore that rule completely though, because the last thing you want are false negatives, and that is a common attack. Consider ignoring that rule id but only if you match /images/ in the URL or something like that; it's unlikely someone will SQL Inject something in an images directory.

HTH,
~Josh

At 02:15 PM 6/19/2007, [EMAIL PROTECTED] wrote:

I just installed OSSEC in local mode on a server this morning that hosts a handful of domains. I'm getting the following false positive:

** Alert 1182271050.356: mail - web,accesslog,attack,
2007 Jun 19 09:37:30 122->/home/domain/logs/access_log
Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
Src IP: 192.168.0.1
User: (none)
192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] "GET /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069

The log file entry is:

192.168.0.1 - - [17/Jun/2007:15:42:18 -0700] "GET /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1" 200 8069

It looks like it's matching on rule 31106 in web_rules.xml due to the image file name containing the word from surrounded by spaces. I imagine the likelihood of this happening elsewhere is high. How best should I deal with the issue?

Thanks.
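The point of the thread is to scope the exception to the photo directory rather than switching rule 31106 off. The following is an added example, not OSSEC code and not the rule's real regex (which is not on the page): it models the behaviour the reply describes (the URL contains %20from%20 and the server answered 200) and exempts only URLs under /images/listing_photos, the same prefix as the local rule above. The sample log lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* URL prefix the local rule exempts (assumption: same value as in the thread). */
#define IGNORED_URL_PREFIX "/images/listing_photos"

enum verdict { V_CLEAN = 0, V_ALERT = 1, V_IGNORED = 2 };

/* Extract the request URL and the HTTP status from a common/combined log line:
 *   host ident user [time] "METHOD URL PROTO" status bytes
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_access_line(const char *line, char *url, size_t url_len, int *status)
{
    const char *q1 = strchr(line, '"');
    if (!q1) return 0;
    const char *q2 = strchr(q1 + 1, '"');
    if (!q2) return 0;

    /* The request is "METHOD URL PROTO"; the URL is the token after the first space. */
    const char *sp = memchr(q1 + 1, ' ', (size_t)(q2 - q1 - 1));
    if (!sp) return 0;
    const char *url_start = sp + 1;
    const char *url_end = memchr(url_start, ' ', (size_t)(q2 - url_start));
    if (!url_end) url_end = q2;

    size_t n = (size_t)(url_end - url_start);
    if (n == 0 || n >= url_len) return 0;
    memcpy(url, url_start, n);
    url[n] = '\0';

    *status = atoi(q2 + 1);          /* the status code follows the closing quote */
    return *status > 0;
}

/* Classify one line: the heuristic from the thread (%20from%20 in the URL and a
 * 200 reply) fires unless the URL is under the exempted photo directory. The
 * pattern check is case-insensitive, since %20FROM%20 is the same thing. */
enum verdict classify_access_line(const char *line)
{
    char url[1024];
    int status;
    if (!parse_access_line(line, url, sizeof url, &status))
        return V_CLEAN;

    char lowered[sizeof url];
    for (size_t i = 0; ; i++) {
        lowered[i] = (char)tolower((unsigned char)url[i]);
        if (url[i] == '\0') break;
    }

    if (strstr(lowered, "%20from%20") == NULL || status != 200)
        return V_CLEAN;

    if (strncmp(url, IGNORED_URL_PREFIX, strlen(IGNORED_URL_PREFIX)) == 0)
        return V_IGNORED;   /* scoped exception, like <url>^/images/listing_photos</url> */
    return V_ALERT;         /* everywhere else the rule still fires */
}

int main(void)
{
    /* Constructed sample lines (not taken from the poster's server). */
    const char *samples[] = {
        "192.168.0.1 - - [19/Jun/2007:09:37:29 -0700] \"GET /images/listing_photos/thumb_11_house%20from%20gate.jpg HTTP/1.1\" 200 8069",
        "192.168.0.2 - - [19/Jun/2007:09:40:01 -0700] \"GET /cgi-bin/q?s=a%20from%20b HTTP/1.1\" 200 512",
        "192.168.0.3 - - [19/Jun/2007:09:41:15 -0700] \"GET /index.html HTTP/1.1\" 200 1024",
    };
    static const char *names[] = { "clean", "ALERT", "ignored" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s: %s\n", names[classify_access_line(samples[i])], samples[i]);
    return 0;
}
```

The same request under /cgi-bin/ still produces an alert, and a 404 reply never does, which is the property a scoped ignore rule should preserve: the exception removes one known-benign source, not the detection.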
[ossec-list] Re: ossec 1.2 failing to compile on Solaris 8
Hi Serge,

My bad, I was testing with my own cvs copy. It should work now: http://www.ossec.net/files/snapshots/ossec-hids-070619.tar.gz

Thanks for testing...

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/18/07, Serge Dubrouski [EMAIL PROTECTED] wrote:

It does not compile:

gcc -g -Wall -I../ -I../headers -lsocket -lnsl -lresolv -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-rootcheck\" -DXML_VAR=\"var\" -DOSSECHIDS -c check_open_ports.c check_rc_pids.c check_rc_trojans.c run_rk_check.c check_rc_dev.c check_rc_ports.c common.c common_rcl.c win-common.c check_rc_files.c check_rc_readproc.c os_string.c check_rc_if.c check_rc_sys.c rootcheck.c config.c -D_GNU_SOURCE
gcc: common_rcl.c: No such file or directory

On 6/18/07, Daniel Cid [EMAIL PROTECTED] wrote:

Hi Warren and Serge,

Thanks for all the information. I fixed this issue and it would be nice if you could take a look: http://www.ossec.net/files/snapshots/ossec-hids-070618.tar.gz

*should compile cleanly on solaris and any other system.

*Warren: it is nice to know that ossec is working well over there :) thanks for letting us know.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/16/07, Warren Petrofsky [EMAIL PROTECTED] wrote:

Daniel and Serge,

Each of your solutions compiled without a problem. Thanks so much for the fast response!

-- Warren

P.S. Daniel, thanks for all of the excellent work on ossec! We are planning to expand our usage here at the School of Arts and Sciences at Upenn to include the majority of our linux and unix servers.

Daniel Cid wrote:

Hi Serge,

Thanks for the information. Would the following work?

#ifndef va_copy
#define va_copy __va_copy
#endif

It all under the #ifdef SOLARIS on header/shared.h? Warren, can you try that too? If that works (and doesn't break other versions of Solaris), I will commit that.

*btw, you guys can blame sourceforge for it being broken. I used to use the compile farm to test ossec on most operating systems, but since they disabled it, I have no way of testing it.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

-- Serge Dubrouski.
[ossec-list] Re: ossic-analysisd 100% CPU usage
Hi Clayton,

Can you give us the following information: http://www.ossec.net/wiki/index.php/Community_manual:BugReport

Without that it is very hard to troubleshoot what is going on...

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/17/07, Clayton Dillard [EMAIL PROTECTED] wrote:

I've noticed that on two of our servers that are running CentOS 5 and the latest stable ossec, the ossec-analysisd process is causing sustained 100% CPU utilization. Anyone else seen this or know how I might troubleshoot this? I've had to disable the ossec service on both boxes for now.

Thanks,

-- Clayton Dillard [EMAIL PROTECTED] RPS Technology, LLC
[ossec-list] Re: Multiple Cisco Firewalls with Active-Response
Hi Jens,

Reply inline..

On 6/14/07, Harsem, Jens [EMAIL PROTECTED] wrote:

Hello all, thank you for the support help that this list and the ossec.net web site provides. And I am hoping to stretch this a bit further… please

I have got a Cisco ASA that is currently sending its syslogs over to my OSSEC machine. This is running on a cut down version of Red Hat and running very nicely. I get my e-mail alerts as I should when things happen that should not.

Good :)

# We should run on linux
if [ X${UNAME} = XLinux ]; then

Not what you expected I am sure, it is a kluge, but it works – and I am a happy man.

The idea is very good, and maybe you could share your script with us? Are you using ssh or telnet to log in to the ASA? We could clean it up a little bit and make it available for everyone (I know external active responses are something many people have asked about before)...

And here is my problem – I do not want it to be hard coded, really, I would like this to be picked up from the log entries. I have another ASA somewhere else that I also want to have send its Syslog messages to this OSSEC Server. And I want to have the same goodness on that ASA. Hence my question (after a half marathon) – is there any way that I can extract the IP of the source of the Syslog files for the shun un-shun of the hosts for the ASA? I am hoping for a parameter that I can use in that script so that I can parse it to a text file and use it as well.

Yes, you can. If you look at the script, we only use up to argument 5 (rule id), but if you use the arguments $6 and $7 they will have the agent (or ip of the device) that generated the alert, so based on that you can decide where to shun ...

If anyone has ASAs and wants to know how those text files work with the ASA please let me know – I would be more than happy to help.

Yes, please (see above) :)

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net
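As an added example of the dispatch Daniel describes (this is not OSSEC's own active-response code): the program below takes the argument layout stated in the reply, $1 action, $3 source IP, $5 rule id, and $6 the agent or the IP of the device that reported the alert, looks $6 up in a small inventory, and builds the shun / no shun command for that ASA. The inventory, device names and all addresses are constructed placeholders from the RFC 5737 documentation ranges, and the exact contents of $6 in a given OSSEC version are an assumption. The source IP is checked strictly before it is used, because it was lifted from a log line and should not reach a command unless it is a plain dotted quad.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct firewall {
    const char *reported_by;   /* value expected in $6: agent name or device IP (assumption) */
    const char *mgmt_ip;       /* where the shun command would be delivered */
};

/* Constructed inventory; a real script would read it from a file. */
static const struct firewall inventory[] = {
    { "asa-hq",        "192.0.2.1"   },
    { "198.51.100.10", "192.0.2.1"   },   /* same ASA, keyed by its syslog source address */
    { "asa-branch",    "203.0.113.1" },
    { "198.51.100.20", "203.0.113.1" },
};

/* Strict IPv4 check: only digits and dots, and inet_pton must accept it.
 * Anything else (a hostname, a trailing shell fragment) is refused. */
int is_plain_ipv4(const char *s)
{
    struct in_addr a;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.')
            return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Map the reporting agent/device to the ASA management address, or NULL. */
const char *firewall_for(const char *reported_by)
{
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        if (strcmp(inventory[i].reported_by, reported_by) == 0)
            return inventory[i].mgmt_ip;
    return NULL;
}

/* Decide what to send where. action is "add" or "delete" (the OSSEC active-response
 * actions), src_ip is $3, reported_by is $6. Returns 0 and fills cmd/mgmt on
 * success, -1 if any input is unusable. */
int plan_shun(const char *action, const char *src_ip, const char *reported_by,
              char *cmd, size_t cmdlen, const char **mgmt)
{
    if (!is_plain_ipv4(src_ip)) return -1;
    *mgmt = firewall_for(reported_by);
    if (!*mgmt) return -1;

    if (strcmp(action, "add") == 0)
        snprintf(cmd, cmdlen, "shun %s", src_ip);
    else if (strcmp(action, "delete") == 0)
        snprintf(cmd, cmdlen, "no shun %s", src_ip);
    else
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char cmd[64];
    const char *mgmt;
    if (argc < 7) {
        fprintf(stderr, "usage: %s action user srcip alertid ruleid agent [...]\n", argv[0]);
        return 1;
    }
    if (plan_shun(argv[1], argv[3], argv[6], cmd, sizeof cmd, &mgmt) != 0) {
        fprintf(stderr, "unusable arguments, nothing done\n");
        return 1;
    }
    /* The real script would deliver cmd to mgmt over ssh; here it is only shown. */
    printf("send to %s: %s\n", mgmt, cmd);
    return 0;
}
```

Unknown reporters are rejected rather than defaulted, so a new ASA that has not been added to the inventory cannot cause a shun on the wrong device, and the rule id in $5 is available if different rules should map to different responses.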
[ossec-list] Re: localfile problem
Hi James,

Reply inline...

On 6/15/07, James Ervin [EMAIL PROTECTED] wrote:

For administrative reasons, we have to keep the OSSEC server separate from the central syslog server, so we opted not to install OSSEC on the syslog server in server mode (i.e., we can't have OSSEC listening on port 514 on the syslog server).

You could have installed ossec in the syslog server (even in server mode) and disabled the remote syslog option. You would only need to configure it to read the local log files (containing the logs from all your systems).

However, my OSSEC installation doesn't seem to be differentiating between the hosts properly in this configuration. Maybe someone on the list has some suggestions? Caveat: I have not upgraded to OSSEC 1.2 yet.

The issue is that your logs are not well formatted (according to the syslog RFC) and ossec doesn't know how to extract the hostnames. Your logs are:

2007-06-14T15:48:55-04:00 internalhost1

While on syslog, it would be:

Jun 14 15:48:55 internalhost1

That's why ossec is not using the hostnames. Is it something you did specially for your environment or is syslog-ng setting the time/date like that?

*Not only the hostnames are not being parsed, but also the program name (e.g sshd), which is causing your ossec install to miss a lot of stuff (some of our rules/decoders are based on the program name)...

Hope it helps..

-- Daniel B. Cid dcid ( at ) ossec.net
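To make the point concrete, here is an added example (not OSSEC's decoder, which is separate code) of what a syslog header parser has to recover before rules keyed on hostname or program name can work. It goes beyond the thread in one respect: it accepts both the BSD-style timestamp Daniel shows and the ISO 8601 form the poster's syslog-ng is emitting, so the same line yields the same hostname and program either way. The log lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct syslog_hdr {
    char timestamp[40];
    char hostname[256];
    char program[64];      /* empty when the message carries no "prog[pid]:" tag */
    const char *message;   /* points into the input line */
    int format;            /* 0 = unrecognised, 1 = BSD "Mon DD HH:MM:SS", 2 = ISO 8601 */
};

static const char *months = "JanFebMarAprMayJunJulAugSepOctNovDec";

static int all_digits(const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)p[i])) return 0;
    return 1;
}

static int copy_field(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= dstlen) return 0;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 1;
}

/* "Jun 14 15:48:55" (the day may be space-padded). Returns the end of the stamp or NULL. */
static const char *match_bsd_timestamp(const char *p)
{
    if (strlen(p) < 16) return NULL;
    char mon[4] = { p[0], p[1], p[2], '\0' };
    const char *m = strstr(months, mon);
    if (!m || (m - months) % 3 != 0 || p[3] != ' ') return NULL;
    if (!(p[4] == ' ' || isdigit((unsigned char)p[4])) || !isdigit((unsigned char)p[5]) || p[6] != ' ')
        return NULL;
    if (!all_digits(p + 7, 2) || p[9] != ':' || !all_digits(p + 10, 2) || p[12] != ':' ||
        !all_digits(p + 13, 2) || p[15] != ' ')
        return NULL;
    return p + 15;
}

/* "2007-06-14T15:48:55-04:00": fixed date/time, then fraction/zone up to the next space. */
static const char *match_iso_timestamp(const char *p)
{
    if (strlen(p) < 20) return NULL;
    if (!all_digits(p, 4) || p[4] != '-' || !all_digits(p + 5, 2) || p[7] != '-' ||
        !all_digits(p + 8, 2) || p[10] != 'T' || !all_digits(p + 11, 2) || p[13] != ':' ||
        !all_digits(p + 14, 2) || p[16] != ':' || !all_digits(p + 17, 2))
        return NULL;
    return strchr(p + 19, ' ');
}

/* Fill h from one line. Returns 1 on success, 0 if the header is not recognised. */
int parse_syslog_header(const char *line, struct syslog_hdr *h)
{
    memset(h, 0, sizeof *h);
    const char *ts_end = match_bsd_timestamp(line);
    if (ts_end) h->format = 1;
    else if ((ts_end = match_iso_timestamp(line)) != NULL) h->format = 2;
    else return 0;
    if (!copy_field(h->timestamp, sizeof h->timestamp, line, ts_end)) return 0;

    const char *p = ts_end;
    while (*p == ' ') p++;
    const char *host_end = strchr(p, ' ');
    if (!host_end || !copy_field(h->hostname, sizeof h->hostname, p, host_end)) return 0;

    /* Program tag: "sshd[1234]:" or "sshd:"; the name ends at '[' or ':'. */
    p = host_end + 1;
    const char *tag_end = p + strcspn(p, "[: ");
    if (*tag_end == '[' || *tag_end == ':') {
        if (!copy_field(h->program, sizeof h->program, p, tag_end)) return 0;
        const char *colon = strchr(tag_end, ':');
        if (!colon) return 0;
        h->message = colon + 1;
    } else {
        h->message = p;     /* no tag: the rest is the free-form message */
    }
    while (*h->message == ' ') h->message++;
    return 1;
}

int main(void)
{
    /* Constructed lines: the same event in BSD and in ISO 8601 timestamp form. */
    const char *lines[] = {
        "Jun 14 15:48:55 internalhost1 sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 4022 ssh2",
        "2007-06-14T15:48:55-04:00 internalhost1 sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 4022 ssh2",
    };
    struct syslog_hdr h;
    for (size_t i = 0; i < 2; i++) {
        if (parse_syslog_header(lines[i], &h))
            printf("format=%d host=%s program=%s msg=%s\n", h.format, h.hostname, h.program, h.message);
        else
            printf("unrecognised: %s\n", lines[i]);
    }
    return 0;
}
```

A parser that only knows the first form returns 0 for the second line and the event is attributed to the collector host with no program name, which is exactly the silent loss of coverage the reply warns about; the practical fix is either to have syslog-ng write the classic header or to teach the consumer the second form.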
[ossec-list] Re: ossec 1.2 failing to compile on Solaris 8
Hi Serge,

Thanks for the information. Would the following work?

#ifndef va_copy
#define va_copy __va_copy
#endif

It all under the #ifdef SOLARIS on header/shared.h? Warren, can you try that too? If that works (and doesn't break other versions of Solaris), I will commit that.

*btw, you guys can blame sourceforge for it being broken. I used to use the compile farm to test ossec on most operating systems, but since they disabled it, I have no way of testing it.

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

On 6/14/07, Serge Dubrouski [EMAIL PROTECTED] wrote:

Some additional info. gcc 2.95.3 has a definition for __va_copy but not for va_copy:

/* Copy __gnuc_va_list into another variable of this type.  */
#define __va_copy(dest, src) (dest) = (src)

in the lib/gcc-lib/sparc-sun-solaris2.8/2.95.3/include/stdarg.h. Later versions of gcc have the following definition:

#if !defined(__STRICT_ANSI__) || __STDC_VERSION__ + 0 >= 199900L
#define va_copy(d,s)	__builtin_va_copy(d,s)
#endif
#define __va_copy(d,s)	__builtin_va_copy(d,s)

On 6/14/07, Serge Dubrouski [EMAIL PROTECTED] wrote:

Definition for va_copy on Solaris 8 in stdarg.h looks like that:

/*
 * va_copy is a Solaris extension to provide a portable way to perform
 * a variable argument list ``bookmarking'' function.
 */
#if defined(__EXTENSIONS__) || ((__STDC__ - 0 == 0) && \
	!defined(_POSIX_C_SOURCE) && !defined(_XOPEN_SOURCE))
#define va_copy(to, from) ((to) = (from))
#endif /* defined(__EXTENSIONS__) || ((__STDC__ - 0 == 0) ... ) */

It looks like that #if doesn't work for OSSEC compilation. I was lazy to do a deeper investigation on this problem so I just added

#define va_copy(to, from) ((to) = (from))

into src/shared/debug_op.c. After that everything compiled all right.

On 6/14/07, Warren Petrofsky [EMAIL PROTECTED] wrote:

Hi Folks,

I have never had a problem building ossec before, and had 0.9-2 and -3 compiled on this system (solaris 8 with gcc 2.95.3), but I just tried to build 1.2 and received the following error:

-
*** Making os_maild ***
gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -lsocket -lnsl -lresolv -DSOLARIS -DHIGHFIRST -DARGV0=\"ossec-maild\" -DXML_VAR=\"var\" -DOSSECHIDS maild.c config.c os_maild_client.c sendmail.c mail_list.c ../config/*.c ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-maild
Undefined                       first referenced
 symbol                             in file
va_copy                             ../shared/lib_shared.a(debug_op.o)
ld: fatal: Symbol referencing errors. No output written to ossec-maild
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `addclient'
Current working directory /pkg/src/ossec-hids-1.2/src/os_maild
Error Making os_maild
*** Error code 1
make: Fatal error: Command failed for target `all'
Error 0x5.
Building error. Unable to finish the installation.
-

Any suggestions?

Thanks so much,
Warren
[EMAIL PROTECTED]

p.s. Earlier in the build, I did see a warning re: va_copy:

*** Making shared ***
gcc -c -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -lsocket -lnsl -lresolv -DSOLARIS -DHIGHFIRST -DARGV0=\"shared-libs\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
debug_op.c: In function `_log':
debug_op.c:62: warning: implicit declaration of function `va_copy'
gcc: -lsocket: linker input file unused since linking not done
gcc: -lnsl: linker input file unused since linking not done
gcc: -lresolv: linker input file unused since linking not done
ar cru lib_shared.a *.o
ranlib lib_shared.a

-- Serge Dubrouski.
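The thread settles on making va_copy available when the platform headers do not define it. The block below is an added example, not OSSEC's debug_op.c: it shows a fallback ordered the way the messages above suggest (the C99 macro if present, then GCC's __va_copy, and only then the Solaris-style assignment), together with the kind of function that needs a copied list in the first place, one that walks the same argument list twice. Which branch is taken on a given compiler is a platform property, and the assignment fallback is only valid where va_list is a value type, which is the assumption Serge's workaround relies on.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable va_copy: C99 first, then the GCC spelling (what Daniel proposed),
 * then the Solaris-style assignment (what Serge used). The last form is an
 * assumption about the platform: it breaks where va_list is an array type. */
#ifndef va_copy
#  ifdef __va_copy
#    define va_copy(dst, src) __va_copy(dst, src)
#  else
#    define va_copy(dst, src) ((dst) = (src))
#  endif
#endif

/* Format into a freshly allocated buffer. The first vsnprintf only measures,
 * which consumes the va_list, so the second pass must run on a copy; without
 * va_copy there is no portable way to do this. Returns NULL on failure. */
char *vformat_dup(const char *fmt, va_list ap)
{
    va_list measure;
    va_copy(measure, ap);
    int need = vsnprintf(NULL, 0, fmt, measure);
    va_end(measure);
    if (need < 0) return NULL;

    char *out = malloc((size_t)need + 1);
    if (!out) return NULL;
    vsnprintf(out, (size_t)need + 1, fmt, ap);   /* second pass on the original list */
    return out;
}

char *format_dup(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = vformat_dup(fmt, ap);
    va_end(ap);
    return s;
}

/* Same idea applied the way a logger uses it: one argument list, two sinks. */
int log_to_both(FILE *a, FILE *b, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vfprintf(a, fmt, ap);
    vfprintf(b, fmt, ap2);
    va_end(ap2);
    va_end(ap);
    return n;
}

int main(void)
{
    char *s = format_dup("%s(%d): Unable to access queue: '%s'", "ossec-rootcheck", 1211,
                         "/opt/ossec/queue/ossec/queue");
    if (!s) return 1;
    log_to_both(stdout, stderr, "%s\n", s);
    free(s);
    return 0;
}
```

The warning Warren saw (implicit declaration of function `va_copy`) is the compiler treating an undefined macro as a function call, and the later link failure is the same symbol never resolving; a fallback like the one above removes both, and wrapping it in the platform #ifdef keeps it from shadowing a correct system definition elsewhere.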