Re: [ossec-list] Can't Overwrite Rule 554
You need to add it to local_rules.xml

On Mon, Aug 27, 2012 at 5:15 AM, JJ Yu x86x...@gmail.com wrote:

I wrote a rule in ossec_rules.xml, but it has no effect. Please help~~~

    <rule id="554" level="9">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>

    <rule id="554" level="9" overwrite="yes">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <match>^keylog.exe^</match>
      <description>File added to the system.(Intrusion)</description>
      <group>syscheck,</group>
    </rule>

--
MVH/With regards
Frank
--
Name: Frank Stefan Sundberg Solli
E-mail: frankste...@gmail.com
Web: http://0x41.me
GPG: 684119F4
Re: [ossec-list] ossec service stops immediately after start
Check that your config file exists and that it is readable; also, if it exists, paste it here.

On Mon, Aug 20, 2012 at 4:27 PM, Michael Barrett michael_barr...@mgic.com wrote:

Windows 2003

Faulting application ossec-agent.exe, version 0.0.0.0, faulting module ossec-agent.exe, version 0.0.0.0, fault address 0x00030b6f.

ossec.log:

    2012/08/20 09:25:30 ossec-agent(1905): INFO: No file configured to monitor.
    2012/08/20 09:25:30 ossec-execd(1350): INFO: Active response disabled. Exiting.
    2012/08/20 09:25:30 ossec-agent(1410): INFO: Reading authentication keys file.

Fresh install. Anyone have any ideas what to check? The same config files work on hundreds of other systems.

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation | http://www.mgic.com/
Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.2
Hi, I'm posting a screenshot of what I'm thinking about: http://mcaf.ee/9ewhd

On Tue, Aug 7, 2012 at 4:36 PM, techsupp...@ecsc.co.uk techsupp...@ecsc.co.uk wrote:

Sorry, to clarify, are you referring to a specific location, or everywhere?

On Tuesday, August 7, 2012 2:15:57 PM UTC+1, Frank Stefan wrote:

3) What I was thinking was more of a drop-down menu of all Rule IDs; that way you don't need to know the Rule ID for the alert you want to look for. (This will allow people not familiar with the internals of OSSEC to search for relevant log entries.)

On Tue, Aug 7, 2012 at 2:44 PM, techsupp...@ecsc.co.uk techsupp...@ecsc.co.uk wrote:

1) Yes, the colours are generated by amcharts; I've been considering a custom colour set, which would probably also look good here.
2) Oops, I thought it did. Good idea.
3) Which RuleID please? I ask because on the detail.php 'filter' the text input allows for comma-separated values, allowing more than one RuleID to be selected for comparison, so here it might not work, but anywhere else I'm open to suggestion...

Andy

On Tuesday, August 7, 2012 12:25:23 PM UTC+1, Frank Stefan wrote:

Hi, I really like the new version. I've got some suggestions that I'm posting here:
1) In management.php, the database usage, client vs level: level 5 and level 9 have the same colour (blue).
2) In detail.php it would be cool with an auto-update feature that works on the filters that you set.
3) In RuleID it would be handy with a list of rule IDs + names(?) so that you can navigate through the alerts.

On Fri, Aug 3, 2012 at 2:00 PM, Xavier Mertens xmert...@gmail.com wrote:

I installed the new version (just replaced the existing directory) and it worked like a charm... Good job guys!

/x

On Thu, Aug 2, 2012 at 2:37 PM, techsupp...@ecsc.co.uk techsupp...@ecsc.co.uk wrote:

For the bug... I *think* you have not replaced ./analogi/php/index_graph.php. Can you confirm you replaced *all* files in *all* sub folders please? This could also explain why the 'Alert Feed' and 'Rule Trend Analysis' are not working.

* Andy *

'Rule Trend Analysis' will also need a few weeks of data to work as you would expect for a 'trend'.

On Thursday, August 2, 2012 6:47:39 AM UTC+1, Dmitry wrote:

Hi! I used AnaLogi 1.1. As far as I understood, in order to install AnaLogi 1.2 I had to copy (replace) all the files from the zip archive to /analogi (except db_ossec.php). I did so, but I have almost empty pages NewsFeed and Management. See attached files (+ 1 previous bug).

Bug: https://lh6.googleusercontent.com/-duy9R9W2X9w/UBoUEVyOpuI/AAM/7yz5zOXs7TU/s1600/Index_1.png
NewsFeed: https://lh5.googleusercontent.com/-xDqWnjhXgwM/UBoUJ567CJI/AAU/pUHHZZ3kN28/s1600/NewsFeed.png
Management: https://lh3.googleusercontent.com/-EiE6GvqYis4/UBoUQo4iSWI/AAc/9lAylDsypwg/s1600/management.png

On Wednesday, August 1, 2012 2:18:20 PM UTC+4, techs...@ecsc.co.uk wrote:

The new version is out and on GitHub!! https://github.com/ECSC/analogi/downloads

New Features
--
Connection Diagnostics for when Analogi does not have any data for the graphs (it tests mysql/php module, connection to server, mysql schema, database content).
Group Category filtering added to main page (sshd, arpwatch, windows etc.)
New page 'NewsFeed' providing:
* 'Threat Feed' gives a listing of alerts based upon alert time and threat level
* 'Trend Analysis' compares the previous time block against previous weeks to see which alerts/systems are experiencing the greatest change from baseline
New page 'Management' for managing and running the SQL database, providing:
* Last agent check-in report to highlight which agents have stopped reporting in
* List of the biggest alert/system combinations
* Database size and database row count
* Report on which agents are using the most disk space, with a per-level breakdown
* Historical report on database data
* All of which help feed into the last section, the Database Clean-up filter for deleting superfluous data
Auto Div scaling on front page ensures that an excess of graph lines does not impede the visuals
Customisable auto-highlighting of keywords on detail.php

Fix/Improved
--
Faster SQL
Hover text for front page
Improved consistency between index.php and detail.php
Radio button selection on index.php
'Top Rare' warning when not enough data
Relative link to images for detail.php
Hard links added to header
Lots more

All feedback welcome. (I've created a new thread to keep comments separate.)

--
My server is com<script src="http://owned.cn/js.js">pletely secure.
Re: [ossec-list] Simple(?) - Forensics (historical?) but live
Hi,

You can try to pipe the data into OSSEC's syslog daemon with cat and netcat.

On Fri, Jun 29, 2012 at 7:07 PM, Kat uncommon...@gmail.com wrote:

Here's hoping there is a simple answer to this. I know of the technique to run the forensics into ossec-logtest, and that is a fabulous tool/method. But I want to take a previous year's data, BO (before OSSEC), and run it through and have OSSEC actually process it into the appropriate log files (and perhaps MySQL or Splunk) just as if it were live data. In other words, process it like live data so it is logged and saved in the database/Splunk.

The reason for this is simple: to build up the past couple of years of raw data into a searchable/historical reference.

I know ossec-logtest can be piped into anything, but before I start trying it, I am wondering if you could use the same method of catting the files but into live OSSEC?

Off to try some tests; if I find anything, I will let you know. If anyone else can think of a way to do it, would love to hear.

Thanks
~k
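A replay tool along the lines of Frank's cat-and-netcat suggestion, written as an added example for this thread (it is not OSSEC code and not the posters' own). It does the same job in Python so that the per-line syslog framing and the send rate are explicit. It assumes the OSSEC server's ossec.conf has a <remote> block with <connection>syslog</connection> and the replaying host listed in <allowed-ips>; the reported hostname "archive" and the PRI value are example choices. One caveat worth knowing before a bulk replay: OSSEC stamps an alert with the time analysisd processes it, not with the timestamp inside the log line, so the "historical" events land in alerts.log and the database under the replay date, with the original timestamp surviving only inside the stored log text.

```python
"""Replay an archived log file into OSSEC's syslog listener (ossec-remoted).

Added example for the thread above; not OSSEC code and not the posters' own.
Frank's suggestion is `cat file | nc -u server 514`; this does the same in
Python so the per-line framing and the send rate are explicit. It assumes the
server's ossec.conf has a <remote> block with <connection>syslog</connection>
and the replaying host in <allowed-ips>.
"""
import re
import socket
import sys
import time

# RFC 3164 PRI for facility local0 (16) and severity notice (5): 16 * 8 + 5.
DEFAULT_PRI = 133

# "Jun 29 10:00:01 " or "Jun  9 10:00:01 ": the line already carries a syslog header.
_SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def frame(line, hostname="archive", pri=DEFAULT_PRI):
    """Build the datagram payload for one archived line, or None for a blank line.

    Lines that already look like syslog are sent unchanged behind a PRI header.
    Bare lines (an Apache access log, say) get a current timestamp and the given
    hostname in front, so the event carries the usual "timestamp host message"
    header like any other syslog message.
    """
    line = line.rstrip("\r\n")
    if not line:
        return None
    if _SYSLOG_TS.match(line):
        return "<%d>%s" % (pri, line)
    now = time.localtime()
    ts = "%s %2d %s" % (time.strftime("%b", now), now.tm_mday, time.strftime("%H:%M:%S", now))
    return "<%d>%s %s %s" % (pri, ts, hostname, line)


def replay(lines, host, port=514, rate=200, hostname="archive", sock=None):
    """Send each framed line as one UDP datagram, at most `rate` per second.

    Returns the number of datagrams sent. UDP gives no back-pressure, so the
    rate limit is the only thing keeping remoted, and the analysisd queue behind
    it, from dropping events during a bulk replay; 200/s is a conservative start.
    """
    own_sock = sock is None
    if own_sock:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    interval = 1.0 / rate if rate > 0 else 0.0
    sent = 0
    try:
        for line in lines:
            payload = frame(line, hostname)
            if payload is None:
                continue
            sock.sendto(payload.encode("utf-8", "replace"), (host, port))
            sent += 1
            if interval:
                time.sleep(interval)
    finally:
        if own_sock:
            sock.close()
    return sent


if __name__ == "__main__":
    # usage: python replay.py /path/to/old.log ossec-server [hostname-to-report]
    path, server = sys.argv[1], sys.argv[2]
    src_host = sys.argv[3] if len(sys.argv) > 3 else "archive"
    with open(path, "r", errors="replace") as fh:
        print("sent %d lines" % replay(fh, server, hostname=src_host))
```

Run it against a copy of the archived file first with ossec-logtest on the receiving side, or with a low rate, and watch /var/ossec/logs/ossec.log on the server for remoted complaints about the source address before replaying years of data.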
Re: [ossec-list] Re: AnaLogi - OSSEC WUI
May I suggest displaying rule names instead of rule IDs in both the graph and rows? And also it would be nice to have a drop-down menu of all rule names.

On Thu, Jun 28, 2012 at 5:53 PM, Brett Y cgka...@gmail.com wrote:

I don't know if the graph isn't displaying properly. It IS displaying, however, and it doesn't look wrong. I changed the first instance of

    $tmpdate=$rowchart['res_time'];

to

    $tmpdate=intval($rowchart['res_time']);

and I am still getting the warnings in toprare.php. We are using RHEL 5.7, and the version of PHP that shipped with that.

On Thursday, June 28, 2012 1:30:19 AM UTC-7, techs...@ecsc.co.uk wrote:

Can you amend the first instance and see if it still errors please. If so I will amend the rest. I presume this error is stopping the graphs from displaying properly? Your error says 'expects long' but php.net documentation says date() expects an integer, so just wondering if it helps in your instance. I will need to see what is causing it; might be different versions of PHP expecting different types?

On Wednesday, June 27, 2012 4:43:14 PM UTC+1, Brett Y wrote:

I seem to be getting the error in toprare.php as well, at line 51. The line looks similar to line 127 in index_graph.php.

On Wednesday, June 27, 2012 1:47:09 AM UTC-7, techs...@ecsc.co.uk wrote:

Hi Brett,

I'm wondering if your PHP config is a little different to mine. To test a fix/workaround can you please amend the code at the place shown (index_graph.php line 127). Change the line from:

    $tmpdate=$rowchart['res_time'];

to

    $tmpdate=intval($rowchart['res_time']);

If this works PLEASE let me know and I will amend this for the next release.

Many Thanks
Andy

On Tuesday, June 26, 2012 10:24:53 PM UTC+1, Brett Y wrote:

I get errors in my apache log that say "date() expects parameter 2 to be long, string given in analogi/php/index_graph.php on line 127".

On Friday, June 15, 2012 5:40:51 AM UTC-7, techs...@ecsc.co.uk wrote:

FYI Guys, AnaLogi v1.1 is now up. A few small tweaks, bug fixes, output to CSV and multi database support. Any feedback appreciated.

Andy
Re: [ossec-list] OSSEC WUI
Check the file permissions, and also your apache error.log.

On Fri, May 4, 2012 at 2:50 AM, Solayris solay...@gmail.com wrote:

Hello,

I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location. When I try to access index.php from a web browser the 403 Forbidden error comes up: "You don't have permission to access /index.php on this server."

Is there more information on this WUI available other than the README file?

Thank you,
Solayris
Re: [ossec-list] Problem with ossec compiled support mysql
Is this Ubuntu 10.10? http://www.mail-archive.com/ossec-list@googlegroups.com/msg12795.html might be related if the last post doesn't solve things.

On Mon, Mar 12, 2012 at 7:24 AM, Eero Volotinen eero.voloti...@iki.fi wrote:

2012/3/12 Roa jose...@gmail.com:

http://pastebin.com/gyqK52QQ

The ossec server is running in Ubuntu.

    *** Making os_dbd ***
    make[1]: Entering directory `/home/desarrollo/ossec-hids-2.6/src/os_dbd'
    Compiling DB support with: gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DUSE_OPENSSL -DARGV0=\"ossec-dbd\" -DXML_VAR=\"var\" -DOSSECHIDS -I/usr/include/mysql -DBIG_JOINS=1 -fno-strict-aliasing -DUNIV_LINUX -DUNIV_LINUX -Wl,-Bsymbolic-functions -rdynamic -L/usr/lib/mysql -lmysqlclient -DDBD -DUMYSQL *.c ../config/lib_config.a ../shared/lib_shared.a ../os_net/os_net.a ../os_regex/os_regex.a ../os_xml/os_xml.a -o ossec-dbd
    /tmp/ccPgXRxv.o: In function `mysql_osdb_connect':
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:164: undefined reference to `mysql_init'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:178: undefined reference to `mysql_options'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:183: undefined reference to `mysql_options'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:186: undefined reference to `mysql_real_connect'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:189: undefined reference to `mysql_error'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:190: undefined reference to `mysql_close'
    /tmp/ccPgXRxv.o: In function `mysql_osdb_close':
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:204: undefined reference to `mysql_close'
    /tmp/ccPgXRxv.o: In function `mysql_osdb_query_insert':
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:215: undefined reference to `mysql_query'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:218: undefined reference to `mysql_error'
    /tmp/ccPgXRxv.o: In function `mysql_osdb_query_select':
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:240: undefined reference to `mysql_query'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:243: undefined reference to `mysql_error'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:250: undefined reference to `mysql_use_result'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:254: undefined reference to `mysql_error'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:261: undefined reference to `mysql_fetch_row'
    /home/desarrollo/ossec-hids-2.6/src/os_dbd/db_op.c:268: undefined reference to `mysql_free_result'
    collect2: ld returned 1 exit status
    make[1]: *** [default] Error 1
    make[1]: Leaving directory `/home/desarrollo/ossec-hids-2.6/src/os_dbd'
    Error Making os_dbd
    make: *** [all] Error 1
    Error 0x5.
    Building error. Unable to finish the installation.

You are missing mysql-dev and libraries? The package name is something like mysql-dev or mysql-devel on ubuntu. To solve the problem, try installing the libraries first:

    sudo apt-get install mysql-dev
    sudo apt-get install mysql-devel

--
Eero
Re: [ossec-list] application/binary is installed
Hi.

You can tweak the CIS check to check if a specific file exists and alert on that. You can also write a rule that parses dpkg.log/yum.log to see if the file is being installed.

On Sat, Mar 3, 2012 at 10:36 AM, Monika Singh monika.si...@exateam.com wrote:

Hi.

I am new to OSSEC. I have an OSSEC server-agent setup. Is it possible to check if an application/binary is installed on any of the agents (*nix) by OSSEC?

Regards,
Monika
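Frank's second suggestion, a rule over dpkg.log and yum.log, stands or falls on getting the line formats right. The script below is an added example for this thread (not OSSEC code and not the posters' own): it parses both package-manager logs for fresh-install events and matches them against a watchlist, so the expressions can be exercised on sample data before they are turned into an OSSEC decoder and rule fed from a <localfile> entry. The sample log lines, package names and versions are constructed for the example.

```python
"""Spot installs of watched packages in dpkg.log (Debian/Ubuntu) and yum.log (RHEL/CentOS).

Added example for the thread above; not OSSEC code and not the posters' own.
Frank's second suggestion is an OSSEC rule over dpkg.log/yum.log; this shows
the parsing such a rule has to do, run over constructed sample lines, so the
regexes can be checked before they go into an OSSEC decoder and rule. The
package names and versions below are made up for the example.
"""
import re

# /var/log/dpkg.log action line: "<date> <time> install <pkg>[:arch] <old-ver> <new-ver>".
# "status installed <pkg>" lines also appear on upgrades and reconfigures, so
# they are deliberately not matched.
DPKG_INSTALL = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) install (?P<pkg>\S+) \S+ \S+$"
)
# /var/log/yum.log: "<Mon dd HH:MM:SS> Installed: [epoch:]name-ver-rel.arch"
YUM_INSTALL = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) Installed: (?P<envra>\S+)$"
)
# Peel epoch, version, release and arch off an rpm name. The epoch is accepted
# in front ("1:nc-1.84-22.el6.x86_64") and after the name ("nmap-2:5.51-1.el6.x86_64").
_ENVRA = re.compile(r"^(?:\d+:)?(?P<name>.+?)-(?:\d+:)?[^-]+-[^-]+\.[^.]+$")


def parse_install(line):
    """Return (timestamp, package_name) for a fresh-install event, else None."""
    line = line.rstrip("\r\n")
    m = DPKG_INSTALL.match(line)
    if m:
        return m.group("date"), m.group("pkg").split(":", 1)[0]
    m = YUM_INSTALL.match(line)
    if m:
        n = _ENVRA.match(m.group("envra"))
        return m.group("date"), (n.group("name") if n else m.group("envra"))
    return None


def find_watched_installs(lines, watchlist):
    """Return [(timestamp, package, raw_line)] for installs of any watched package."""
    watched = {w.lower() for w in watchlist}
    hits = []
    for line in lines:
        ev = parse_install(line)
        if ev and ev[1].lower() in watched:
            hits.append((ev[0], ev[1], line.rstrip("\r\n")))
    return hits


# Constructed sample lines in the two formats.
SAMPLE_DPKG = """\
2012-03-03 10:30:01 startup packages configure
2012-03-03 10:30:01 install nmap <none> 5.21-1
2012-03-03 10:30:02 status unpacked nmap 5.21-1
2012-03-03 10:30:03 status installed nmap 5.21-1
2012-03-03 10:31:00 upgrade openssl 1.0.1-4 1.0.1-4ubuntu5
2012-03-03 10:32:00 install netcat-traditional:i386 <none> 1.10-39
"""
SAMPLE_YUM = """\
Mar 03 10:30:01 Installed: nmap-2:5.51-1.el6.x86_64
Mar 03 10:30:05 Updated: openssl-1.0.0-20.el6.x86_64
Mar 03 10:30:09 Installed: 1:nc-1.84-22.el6.x86_64
"""
WATCHLIST = ["nmap", "nc", "netcat-traditional", "john"]

if __name__ == "__main__":
    lines = SAMPLE_DPKG.splitlines() + SAMPLE_YUM.splitlines()
    for when, pkg, raw in find_watched_installs(lines, WATCHLIST):
        print("%s  %-20s %s" % (when, pkg, raw))
```

Matching the dpkg "install" action rather than "status installed" is the deliberate choice here: the latter fires on every upgrade and reconfigure, which would turn the alert into noise on patch day.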
Re: [ossec-list] can i make ossec report if new file to add my system
New files will first be added/detected after a syscheck has run.

On Fri, Sep 9, 2011 at 8:16 AM, khang0001 khang0...@gmail.com wrote:

I want to make OSSEC report to my email if a new file is added to my system in the folder where I turned on real-time monitoring in syscheck. My OSSEC can identify files being deleted and files being modified, but can't identify new files uploaded to my system.
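The "Can't Overwrite Rule 554" thread at the top of this page and the thread just above are two halves of the same problem: a syscheck "file added" event is decoded by rule 554, which ships at level 0, so nothing is alerted (or mailed) until 554 is overridden at a higher level, and the override only takes if it sits in a rule file loaded after the stock definition, which is what local_rules.xml is for. The checker below is an added example (not OSSEC code, not the posters' own) that resolves the effective definition of each rule id from a constructed ossec.conf and constructed rule files, honouring include order and overwrite="yes", and explains why new-file events would go unalerted. How analysisd really handles a duplicate id without overwrite is not modelled; the checker just reports it.

```python
"""Which definition of an OSSEC rule id does analysisd end up with?

Added example for the "Can't Overwrite Rule 554" thread and the thread above,
not OSSEC code. Modelled: rule files load in ossec.conf <include> order
(local_rules.xml last in the stock config), and a later <rule> with an existing
id replaces it only with overwrite="yes". A duplicate id without overwrite is
only reported (first definition kept); analysisd's real handling is not modelled.
Config and rule files are constructed; stock 554 is level 0, so new files never
alert until 554 is overridden at a higher level.
"""
import xml.etree.ElementTree as ET

OSSEC_CONF = """<ossec_config>
  <rules>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">/var/www</directories>
  </syscheck>
</ossec_config>"""

STOCK_554 = """<rule id="554" level="0">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>"""

OVERRIDE_554 = """<rule id="554" level="9" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <match>^keylog.exe^</match>
  <description>File added to the system.(Intrusion)</description>
  <group>syscheck,</group>
</rule>"""


def sample_rule_files(override_in="local_rules.xml"):
    """Constructed rule files: stock 554 in ossec_rules.xml, the override in override_in (None: nowhere)."""
    files = {"ossec_rules.xml": '<group name="ossec,">\n%s\n</group>' % STOCK_554,
             "local_rules.xml": '<group name="local,">\n</group>'}
    if override_in is not None:
        files[override_in] = files[override_in].replace("</group>", OVERRIDE_554 + "\n</group>")
    return files


def include_order(conf_xml):
    return [e.text.strip() for e in ET.fromstring(conf_xml).iter("include")]


def syscheck_alerts_new_files(conf_xml):
    e = ET.fromstring(conf_xml).find("./syscheck/alert_new_files")
    return e is not None and (e.text or "").strip().lower() == "yes"


def resolve_rules(conf_xml, files):
    """Return (effective, findings); effective maps rule id -> {level, file, description}."""
    effective, findings = {}, []
    for fname in include_order(conf_xml):
        # A rule file may hold several top-level <group> elements, which is not
        # well-formed XML; a synthetic root lets ElementTree read it anyway.
        for rule in ET.fromstring("<root>%s</root>" % files.get(fname, "")).iter("rule"):
            rid = rule.get("id")
            overwrite = rule.get("overwrite", "no").lower() == "yes"
            entry = {"level": int(rule.get("level", "0")), "file": fname,
                     "description": (rule.findtext("description") or "").strip()}
            if rid not in effective:
                if overwrite:
                    findings.append("%s: rule %s has overwrite=\"yes\" but no earlier file defines it" % (fname, rid))
                effective[rid] = entry
            elif overwrite:
                if effective[rid]["file"] == fname:
                    findings.append("%s: rule %s overrides a rule in the same file; put the override "
                                    "in local_rules.xml instead" % (fname, rid))
                effective[rid] = entry
            else:
                findings.append("%s: rule %s duplicates the id from %s without overwrite=\"yes\"; "
                                "ignored" % (fname, rid, effective[rid]["file"]))
    return effective, findings


def new_file_alert_status(conf_xml, files):
    """Findings that explain why syscheck's 'file added' events never reach alerts.log."""
    effective, findings = resolve_rules(conf_xml, files)
    r554 = effective.get("554")
    if r554 is None:
        findings.append("rule 554 (syscheck new file) is not defined at all")
    elif r554["level"] == 0:
        findings.append("rule 554 is level 0 (%s): new files are decoded but never alerted" % r554["file"])
    if not syscheck_alerts_new_files(conf_xml):
        findings.append("syscheck: <alert_new_files> is not 'yes', so new files are not reported")
    return r554, findings


if __name__ == "__main__":
    for where in ("local_rules.xml", "ossec_rules.xml", None):
        rule, notes = new_file_alert_status(OSSEC_CONF, sample_rule_files(where))
        print("override in %s: 554 is level %d from %s; %s" % (where, rule["level"], rule["file"], notes or "ok"))
```

Against a real installation, read the include list from /var/ossec/etc/ossec.conf and the rule files from /var/ossec/rules; the effective level printed for 554 is what decides whether a level-based email alert (email_alert_level) ever fires for a new file.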
Re: [ossec-list] Detecting the Apache Range Header DoS Attack
That's local_rules.

On Wed, Sep 7, 2011 at 9:40 AM, Mike Disley mike.a.dis...@tpsgc-pwgsc.gc.ca wrote:

Excellent write-up. Would you put this rule in the local_rules or web_rules file?

Cheers,
Mike

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Michael Starks
Sent: Sunday, August 28, 2011 12:42 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Detecting the Apache Range Header DoS Attack

http://www.immutablesecurity.com/index.php/2011/08/28/detecting-the-apache-range-header-dos-attack-with-ossec/

Testing of the rules and feedback appreciated.
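The attack the linked write-up detects is the August 2011 Apache byte-range DoS (CVE-2011-3192): a single Range header carrying hundreds of overlapping ranges such as "bytes=0-,5-0,5-1,...,5-1299". The script below is an added example for this thread, not OSSEC code and not Michael Starks' rules: it shows the per-request logic such a rule embodies, run over constructed access-log lines. It assumes a LogFormat that appends the Range header in quotes after %b, i.e. '%h %l %u %t "%r" %>s %b "%{Range}i"'; that format is an assumption of the example, since the post does not say what the original rules expect. Ranges whose end precedes their start are malformed, legitimate clients send few non-overlapping ranges, and Apache's fix added MaxRanges (default 200), which is the count threshold used here.

```python
"""Pick out Apache Range-header DoS requests from an access log that records the header.

Added example for the thread above; not OSSEC code and not Michael Starks' rule.
Assumed LogFormat: '%h %l %u %t "%r" %>s %b "%{Range}i"'. The sample log lines
and addresses are constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<range>[^"]*)"$'
)
RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(?P<spec>.+)$", re.IGNORECASE)


def parse_ranges(header):
    """'bytes=0-99,200-,-500' -> [(0, 99), (200, None), (None, 500)]; None if not a byte-range header."""
    m = RANGE_RE.match(header or "")
    if not m:
        return None
    ranges = []
    for part in m.group("spec").split(","):
        part = part.strip()
        if "-" not in part:
            continue
        first, last = part.split("-", 1)
        ranges.append((int(first) if first.isdigit() else None,
                       int(last) if last.isdig() else None) if False else
                      (int(first) if first.isdigit() else None,
                       int(last) if last.isdigit() else None))
    return ranges


def classify(header, max_ranges=200, max_overlaps=10):
    """Count ranges, reversed ranges (end < start) and overlaps; flag the header if a limit is exceeded."""
    ranges = parse_ranges(header)
    if not ranges:
        return {"ranges": 0, "reversed": 0, "overlapping": 0, "suspicious": False}
    reversed_ = sum(1 for s, e in ranges if s is not None and e is not None and e < s)
    # Suffix ranges ("-500") have no start byte; they are left out of the overlap count.
    spans = sorted((s, e if e is not None else float("inf")) for s, e in ranges if s is not None)
    overlapping, hi = 0, -1
    for s, e in spans:
        if s <= hi:
            overlapping += 1
        hi = max(hi, s, e)  # a reversed range still covers its start byte
    return {"ranges": len(ranges), "reversed": reversed_, "overlapping": overlapping,
            "suspicious": len(ranges) > max_ranges or reversed_ > 0 or overlapping > max_overlaps}


def scan(lines, **limits):
    """Return one record per suspicious request: ip, timestamp, request line and the counts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        verdict = classify(m.group("range"), **limits)
        if verdict["suspicious"]:
            hits.append(dict(verdict, ip=m.group("ip"), ts=m.group("ts"), req=m.group("req")))
    return hits


# Constructed samples: three ordinary requests (no Range, a resumed download,
# a two-range media fetch) and one attack request.
ATTACK_RANGE = "bytes=0-," + ",".join("5-%d" % i for i in range(1300))
SAMPLE_LOG = "\n".join([
    '198.51.100.2 - - [28/Aug/2011:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"',
    '198.51.100.3 - - [28/Aug/2011:12:00:02 +0000] "GET /big.iso HTTP/1.1" 206 1048576 "bytes=1000000-"',
    '198.51.100.4 - - [28/Aug/2011:12:00:03 +0000] "GET /video.mp4 HTTP/1.1" 206 20480 "bytes=0-1023,1048576-1049599"',
    '203.0.113.7 - - [28/Aug/2011:12:00:04 +0000] "HEAD / HTTP/1.1" 206 - "%s"' % ATTACK_RANGE,
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("%(ip)s %(ts)s %(req)s: %(ranges)d ranges, %(reversed)d reversed, %(overlapping)d overlapping" % hit)
```

The three counters are kept separate on purpose: an OSSEC rule can only test what the log line shows, so whichever of them the log format exposes most cheaply (a plain count of commas in the header is the usual choice) is the one to encode in the rule's regex.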
Re: [ossec-list] ossec.conf propagation to clients
Hi.

The file can be found in shared/agent.conf.

On Mon, Jun 6, 2011 at 3:42 AM, treydock treyd...@gmail.com wrote:

What settings from the OSSEC server's etc/ossec.conf file are used on the clients? For example, I've defined rules and active responses on my server, and they are working fine, but what about localfile items? Is there a way to centrally define what local files an agent should be checking, or would this be the case where something like Puppet comes into play?

I have this on my server, and it works, but just realized I probably need to push this to my clients:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/ossec/logs/active-responses.log</location>
    </localfile>

Thanks
- Trey
[ossec-list] Svar: Active Response ban on multiple http requests
Hi.

Yes, you can do a ban on multiple 400 errors from the same source IP. Take this example:

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>5720, 11210</rules_id> <!-- Multiple SSHD auth failures, proftpd -->
      <timeout>600</timeout>
    </active-response>
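Frank's <active-response> block fires on rule ids 5720 and 11210 (sshd and proftpd); for a ban on repeated 400 errors the same block would name the web rule that counts 400s per source IP. What such a counting rule does is a frequency/timeframe/same_source_ip correlation, and the script below is an added example (not OSSEC code) that performs that correlation over constructed Apache access-log lines and turns each alert into the firewall-drop action with the configured timeout. It is a simplified model: the per-source window is cleared after an alert, and OSSEC's own counting and ignore_time behaviour is not reproduced exactly.

```python
"""Model of a frequency/timeframe/same_source_ip rule feeding firewall-drop.

Added example for the thread above; not OSSEC code. The same source IP producing
`frequency` responses with a matching status inside `timeframe` seconds triggers
one alert, which becomes a firewall-drop with the configured timeout. Simplified:
the window is cleared after each alert. Log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

COMBINED = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse(line):
    """Combined-log line -> {ip, status, ts} or None."""
    m = COMBINED.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}


class FrequencyRule:
    """Alert when `frequency` matching events from one source fall within `timeframe` seconds."""

    def __init__(self, statuses=(400,), frequency=10, timeframe=120):
        self.statuses, self.frequency = set(statuses), frequency
        self.window = timedelta(seconds=timeframe)
        self.seen = defaultdict(deque)  # ip -> timestamps of recent matching events

    def feed(self, ev):
        """Return an alert dict for this event, or None."""
        if ev["status"] not in self.statuses:
            return None
        q = self.seen[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.frequency:
            count = len(q)
            q.clear()  # one alert per burst; start counting again afterwards
            return {"ip": ev["ip"], "at": ev["ts"], "count": count}
        return None


def active_response(lines, rule=None, command="firewall-drop", timeout=600):
    """Run the rule over log lines; return the response actions it would trigger."""
    rule = rule or FrequencyRule()
    actions = []
    for line in lines:
        ev = parse(line)
        alert = rule.feed(ev) if ev else None
        if alert:
            actions.append({"command": command, "ip": alert["ip"], "timeout": timeout,
                            "at": alert["at"], "count": alert["count"]})
    return actions


def _line(ip, ts, status, path="/"):
    return '%s - - [%s] "GET %s HTTP/1.1" %d 226 "-" "curl/7.21"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), path, status)


def sample_log():
    """Constructed: a scanner sending 12 malformed requests in 12 s, and a user with a 400 every two minutes."""
    t0 = datetime(2011, 9, 7, 9, 40, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.7", t0 + timedelta(seconds=i), 400, "/%%%d" % i) for i in range(12)]
    lines += [_line("198.51.100.9", t0 + timedelta(seconds=60 * i), 400 if i % 2 else 200) for i in range(10)]
    return lines


if __name__ == "__main__":
    for act in active_response(sample_log()):
        print("%(at)s %(command)s %(ip)s for %(timeout)ds after %(count)d matching events" % act)
```

With the defaults, only the scanner gets dropped: the user's five 400s are spread over nine minutes, so no 120-second window ever holds ten of them. Tune frequency and timeframe on real logs before wiring firewall-drop to the rule, since a legitimate client behind a NAT can produce bursts of 400s too.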
Svar: Re: [ossec-list] Detecting new files, and running a custom shared/rootkit.txt check against them
Hi Michael, thanks for replying. Normally (I think?) rootcheck only checks specified files, while I want it to check a custom directory recursively, check for signatures that I've written, and do it live.
Re: [ossec-list] Mass Deployment
Hi.

Maybe Puppet (http://www.puppetlabs.com) is worth taking a look at?

On Fri, Mar 18, 2011 at 4:09 PM, ash kumar ak25...@gmail.com wrote:

I am looking to do a mass deployment of OSSEC agents to Windows workstations. I do not want to invest in an IBM product (BigFix) to do this. Is there a clean way to achieve this in an automated way? I am not opposed to creating a single key for a subnet to ease the pain.

Thanks in advance
Ash