[ossec-list] regex help/clarification - specify all files with a given extension

2020-03-19 Thread Leroy Tennison
Running v3.3.0 on the server and v3.2.0 on the client, trying to exclude 
*.bz2 in a given directory, I tried:


  
/path/to/.bz2$
  


based on another post.  I obviously don't understand how to do it because 
it's not working.  /var/ossec/etc/shared/agent.conf shows the above and 
ossec.conf on the client has:


  
10.22.14.11
bfr, cfg, ubuntu
  

I've also tried the above with the qcow2 extension and get the same result.

In general, how do I write an OSSEC specification to exclude all files with 
a given extension?  Thanks for your help.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/6b541572-515d-4346-9fc7-cc57a5f2b76b%40googlegroups.com.


[ossec-list] Re: grep false positive

2020-01-29 Thread Leroy Tennison
Thanks for the reply, sounds like I need to upgrade the server to the 
latest version.

On Thursday, January 23, 2020 at 5:46:43 PM UTC-6, Leroy Tennison wrote:
>
> Received the following message: "Trojaned version of file '/bin/grep' 
> detected. Signature used: 'bash|givemer|/dev/' (Generic)." on 18.04.3 LTS.  
> Downloaded the deb from Ubuntu standard repositories, extracted grep (in 
> /tmp) and compared sha512sums for it and /bin/grep - identical.  I received 
> another message about a trojaned file for s-nail (also on Ubuntu 16.04) 
> recently and, in that case, simply de-installed the package since it wasn't 
> needed.  Now I'm wondering if these are false positives.  Appears the agent 
> is 3.1.0, server is 2.9.1.  Any suggestions or further steps I can take?
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/55c05e8c-0b4b-4405-bd14-7b79f34c31c1%40googlegroups.com.


[ossec-list] grep false positive

2020-01-23 Thread Leroy Tennison
Received the following message: "Trojaned version of file '/bin/grep' 
detected. Signature used: 'bash|givemer|/dev/' (Generic)." on 18.04.3 LTS.  
Downloaded the deb from Ubuntu standard repositories, extracted grep (in 
/tmp) and compared sha512sums for it and /bin/grep - identical.  I received 
another message about a trojaned file for s-nail (also on Ubuntu 16.04) 
recently and, in that case, simply de-installed the package since it wasn't 
needed.  Now I'm wondering if these are false positives.  Appears the agent 
is 3.1.0, server is 2.9.1.  Any suggestions or further steps I can take?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/77699c5a-21ea-43ea-83f3-4588ed3794b8%40googlegroups.com.


[ossec-list] Re: OSSEC syscheck on defined Agent

2017-12-01 Thread Leroy Tennison
You need to clarify, are these servers agents?  If so then you need to look 
into config-profile for the agent configuration.  Define different profiles 
in the manager's /var/ossec/etc/shared/agent.conf and specify the 
appropriate profile for the agent in its ossec.conf using config-profile.

On Tuesday, November 14, 2017 at 7:53:56 AM UTC-6, amar haq wrote:
>
> Dear All
>
> Could OSSEC perform syscheck for File Integrity Monitoring on a specific 
> agent? Let's say I have 5 servers: Server A, B, C, D, E.
> On server A, I just want to monitor /var/www/html/Demo/demo.db.
> On server B, I want to monitor only /ngingx/index.html.
> On server C, I want to monitor /var/www/html/XYZ.xx, etc.
>
>
> Could you help me? Because I read that Active response has a  tag 
> to define specific agents.
>
> Thank you.
> Amar.
>
>



[ossec-list] Re: Ossec Windows Agent trying to connect forever

2017-12-01 Thread Leroy Tennison
Wait a minute, is this a new install? How did you get the key installed on 
the client?  If there's an automated way to do that please post in a reply.

On Tuesday, November 14, 2017 at 7:26:55 AM UTC-6, Julia Vitoria Cardoso 
wrote:
>
> Hi, I have a test setup with a Windows agent and a CentOS server. 
>
> I wrote a .bat to install agent and it seems ok, but looking at the logs 
> it only says 
>
> 2017/11/14 11:14:27 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'serverhost.stuff'.
>
> 2017/11/14 11:15:05 ossec-agentd: INFO: Trying to connect to server 
> serverhost.stuff, port 1514.
>
> 2017/11/14 11:15:05 INFO: Connected to serverhost.stuff at 
> address  10.10.x.y:1514, port 1514
>
> 2017/11/14 11:15:26 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'serverhost.stuff'.
>
> 2017/11/14 11:16:22 ossec-agentd: INFO: Trying to connect to server 
> serverhost.stuff, port 1514.
>
> 2017/11/14 11:16:22 INFO: Connected to serverhost.stuff at 
> address  10.10.x.y:1514, port 1514
>
> 2017/11/14 11:16:43 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'serverhost.stuff'.
>
> 2017/11/14 11:17:57 ossec-agentd: INFO: Trying to connect to server 
> sep0265cb.sep.local, port 1514.
>
> 2017/11/14 11:17:57 INFO: Connected to serverhost.stuff at address 
> 10.10.x.y:1514, port 1514
>
> It goes on forever! Does it mean it is working? May I change some value of time 
> between keep alive messages? 
>
> Also I'm receiving errors with agent.conf that I already saw in other posts.
>
> ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 
> 'shared/agent.conf' not found. (line 16).
>
> I'm convinced I have a connection issue or UDP cache stuff. But I can't figure 
> it out. 
>
>
> All this together can be a connection issue? Or misconfiguration? 
>



[ossec-list] Re: Ossec Windows Agent trying to connect forever

2017-12-01 Thread Leroy Tennison
Although the context was AlienVault, this solution worked for me in an 
internally-installed manager-client environment: 
http://www.itinthedatacenter.com/wordpress/?p=369

On Tuesday, November 14, 2017 at 7:26:55 AM UTC-6, Julia Vitoria Cardoso 
wrote:
>
> Hi, I have a test setup with a Windows agent and a CentOS server. 
>
> I wrote a .bat to install agent and it seems ok, but looking at the logs 
> it only says 
>
> 2017/11/14 11:14:27 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'serverhost.stuff'.
>
> 2017/11/14 11:15:05 ossec-agentd: INFO: Trying to connect to server 
> serverhost.stuff, port 1514.
>
> 2017/11/14 11:15:05 INFO: Connected to serverhost.stuff at 
> address  10.10.x.y:1514, port 1514
>
> 2017/11/14 11:15:26 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'serverhost.stuff'.
>
> 2017/11/14 11:16:22 ossec-agentd: INFO: Trying to connect to server 
> serverhost.stuff, port 1514.
>
> 2017/11/14 11:16:22 INFO: Connected to serverhost.stuff at 
> address  10.10.x.y:1514, port 1514
>
> 2017/11/14 11:16:43 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: 'serverhost.stuff'.
>
> 2017/11/14 11:17:57 ossec-agentd: INFO: Trying to connect to server 
> sep0265cb.sep.local, port 1514.
>
> 2017/11/14 11:17:57 INFO: Connected to serverhost.stuff at address 
> 10.10.x.y:1514, port 1514
>
> It goes on forever! Does it mean it is working? May I change some value of time 
> between keep alive messages? 
>
> Also I'm receiving errors with agent.conf that I already saw in other posts.
>
> ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 
> 'shared/agent.conf' not found. (line 16).
>
> I'm convinced I have a connection issue or UDP cache stuff. But I can't figure 
> it out. 
>
>
> All this together can be a connection issue? Or misconfiguration? 
>



[ossec-list] Filter log output to exclude specific messages

2017-12-01 Thread Leroy Tennison
The context is /var/log/syslog monitoring, I have one system which is 
generating numerous messages which I don't want to receive alerts for.  I 
would prefer to avoid a rules-based approach because I'm just beginning to 
understand OSSEC and others with less knowledge than I need to be able to 
administer it as well.  I want to exclude certain messages from syslog 
evaluation and noticed the ability to use a command (such as 'grep -v ... 
???) under localfile.

Is this a reasonable solution to my requirement?
(If this is a reasonable solution)
 Do I also need to use the full_command and frequency options or will 
just specifying syslog as the log_format suffice?
 I assume that I will need to configure /var/log/syslog monitoring on 
each system since configuring it in agent.conf and having a different 
configuration on the specific system would produce conflicting 
configuration, correct?

Thanks for your help.

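The post above prefers to stay away from rules; for comparison, this is what the rules-based suppression looks like. It is an added example written for this page, not a reply from the list: the host name noisy-host and the matched text are constructed placeholders, and the parent rule 1002 is an assumption (it is the generic syslog rule that fired in the ossec-keepalive thread further down this page; ossec-logtest shows which rule a real message actually hits). On the command route the post asks about: a localfile that runs grep -v needs log_format command or full_command rather than syslog, and the command is re-run over the whole file every frequency seconds, so its output is replayed on each run; that is why the level 0 rule is the usual answer.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml on the manager.
     A level 0 rule is never alerted on, so the matched message is dropped
     from alerting for the one host named here while the same message from
     any other host still alerts. noisy-host and the message text are
     constructed placeholders. -->
<group name="local,syslog,">
  <rule id="100200" level="0">
    <!-- Parent rule assumed to be 1002 (generic syslog "bad word" rule);
         confirm with ossec-logtest before relying on it. -->
    <if_sid>1002</if_sid>
    <!-- Restrict the suppression to the one chatty system. -->
    <hostname>noisy-host</hostname>
    <!-- Keep the match as specific as the real message allows, so only the
         known-benign text is silenced. -->
    <match>example daemon: scheduled housekeeping finished</match>
    <description>Known-benign housekeeping message from noisy-host; not alerted.</description>
  </rule>
</group>
```

Because this lives in the manager's local_rules.xml, nothing has to change in agent.conf or in the chatty host's ossec.conf, which also sidesteps the conflicting-configuration question the post raises.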


Re: [ossec-list] "New file" false positives on version 2.9.1

2017-09-27 Thread Leroy Tennison
I should have said that this was a new install, the start of the agent was 
as a result of completing the installation.

On Wednesday, September 27, 2017 at 8:04:28 AM UTC-5, dan (ddpbsd) wrote:
>
> On Fri, Sep 22, 2017 at 12:11 PM, Leroy Tennison <leroy.t...@gmail.com> wrote: 
> > Couldn't find anything about this in the archives, I started the agent and 
> > about 10 minutes later got an email with about 100 files listed as being 
> > new.  The first 20 were in /usr/share/i18n/locales and I looked at about the 
> > first 10.  Using stat to display the access/modify/change time stamps for 
> > all files in the directory and sorting the list, as best as I can tell, all 
> > files in the directory (338 total) were accessed after starting the agent 
> > but only 20 surfaced as being new files.  Scanning through the list, it 
> > appears that all change dates are 8/14/17 and all modification dates are 
> > 6/16/17 (I individually checked some of those reported as new files). 
> > 
>
> There have been reports of syscheck missing files on a scan, perhaps 
> those were missed previously? 
>
> > Any ideas?  Anything I need to post?  Thanks for the help. 
> > 
>



[ossec-list] "New file" false positives on version 2.9.1

2017-09-22 Thread Leroy Tennison
Couldn't find anything about this in the archives, I started the agent and 
about 10 minutes later got an email with about 100 files listed as being 
new.  The first 20 were in /usr/share/i18n/locales and I looked at about 
the first 10.  Using stat to display the access/modify/change time stamps 
for all files in the directory and sorting the list, as best as I can tell, 
all files in the directory (338 total) were accessed after starting the 
agent but only 20 surfaced as being new files.  Scanning through the list, 
it appears that all change dates are 8/14/17 and all modification dates are 
6/16/17 (I individually checked some of those reported as new files).

Any ideas?  Anything I need to post?  Thanks for the help.



[ossec-list] Re: agent.conf update confusion

2017-09-12 Thread Leroy Tennison
Thanks again, I appreciate your patience with my learning curve.

On Tuesday, September 5, 2017 at 3:21:41 PM UTC-5, Leroy Tennison wrote:
>
> Just beginning to use OSSEC and going through a trial-and-error process 
> setting up a configuration for an internal application.  Searched for this 
> before posting and ended up with more questions than answers.
>
>
> https://groups.google.com/forum/#!msg/ossec-list/8P52JbzyOPg/pGGI-6_KrD0J;context-place=forum/ossec-list 
> posed my question but the context leaves more questions:
>
> I realize 
> http://ossec-docs.readthedocs.io/en/latest/cookbooks/recipes/ar-agent-conf-restart.html 
> is user contributed but its reference to restart-ossec.sh seems incomplete 
> because there's no parameter and running restart-ossec.sh without 
> parameters produces an error (on v 2.9.2).  Second, restart-ossec.sh 
> appears to deal with updates to hosts.deny, did they just borrow the 
> script?  Third, this URL restarts OSSEC on the manager but how does that 
> cause a restart on the agents (which seems necessary to get agent.conf 
> updated on them)?
>
> Maybe answering an alternate question is more appropriate, if I need to 
> update agent.conf, what are the steps I need to take to successfully 
> propagate the change?  (These questions are coming from the bottom of 
> https://ossec.github.io/docs/manual/syscheck/index.html since the 
> situation seems similar) Do the OSSEC manager's processes need to be 
> stopped then restarted after clearing the agent's database and, following 
> that, a syscheck scan launched on the agent?
>
> Thanks for clearing up the confusion.  
>



[ossec-list] agent.conf update confusion

2017-09-05 Thread Leroy Tennison
Just beginning to use OSSEC and going through a trial-and-error process 
setting up a configuration for an internal application.  Searched for this 
before posting and ended up with more questions than answers.

https://groups.google.com/forum/#!msg/ossec-list/8P52JbzyOPg/pGGI-6_KrD0J;context-place=forum/ossec-list 
posed my question but the context leaves more questions:

I realize 
http://ossec-docs.readthedocs.io/en/latest/cookbooks/recipes/ar-agent-conf-restart.html 
is user contributed but its reference to restart-ossec.sh seems incomplete 
because there's no parameter and running restart-ossec.sh without 
parameters produces an error (on v 2.9.2).  Second, restart-ossec.sh 
appears to deal with updates to hosts.deny, did they just borrow the 
script?  Third, this URL restarts OSSEC on the manager but how does that 
cause a restart on the agents (which seems necessary to get agent.conf 
updated on them)?

Maybe answering an alternate question is more appropriate, if I need to 
update agent.conf, what are the steps I need to take to successfully 
propagate the change?  (These questions are coming from the bottom of 
https://ossec.github.io/docs/manual/syscheck/index.html since the situation 
seems similar) Do the OSSEC manager's processes need to be stopped then 
restarted after clearing the agent's database and, following that, a 
syscheck scan launched on the agent?

Thanks for clearing up the confusion.  



[ossec-list] Re: ossec-keepalive

2017-08-28 Thread Leroy Tennison
Thanks for the answer, that clarifies my understanding.  Sounds like you 
would like to see the alert details so here they are ("our-demo" below is 
an agent, not the server):

OSSEC HIDS Notification.
2017 Aug 27 08:20:39

Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: 
dh7GKhV3D=9_tT9mi+oFulZk!/aTDX2_mDueL^7wo;Y-[Bccq4-;^Pcb]Qcyh5n7QH@JrN5))x9$Y#6p835rYqu-@HdN=LsBknO.bu7%A]Yf)#8dJHvbfPGzEJ#vC/eMmb;1vhJdcQi+!&'o623tZdS.]#6xt@sFuYO.5=a7+Xe0+LwVV'xoLxlGe(lxfDkz]Ywi.!x)BCN5v98*k??VxZ]^LVg/;4@CwP;7tqUdaP8v6KU*;c_31yMU)aatm@d-u,XNm0/0joDj?I.2RvWfWef&4y)US^lNJtMdDiH1p$sop3y6'Ct._#$Se1UWKodCH.Fsg#)9TTGqr4-YPjV*+DEH/;.-UPs,[YoO(Qs_dYeu!J(taITE@=@rx9h(s%w0_Kj6[BU/'hslQT)Q]G_o@0FQ*[CRqgleRutLdv=KCkWAlJ*g^n8UvhegP+fo]rs['L_.7@HRDL(O_lUlywnc*6W^d2.MB3H8Xv5yaVxEaj(D8+OPZkR')rnzayo9+JI1;L'!MQext'@8b+t[n%kOO@wOdK5HCWcubJ/][Qs1KMD'^eB.A''w4p@p0;e,OhqQ/2'GmmbegEL+-#Ar5u]*JoPRhTNV0lfhvNNIZP[5BGc60*FATAl,Pi,W2Jl!d5*ymzotwjGf.I@X



 --END OF NOTIFICATION


On Monday, August 28, 2017 at 10:53:55 AM UTC-5, Leroy Tennison wrote:
>
> Just FYI, not sure if a resolution to 
> https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ 
> has been put in place or not but it is occurring in v2.9.2 - I received an 
> email alert (can post the text if it would be helpful).
>
> Related to this, I noticed that the alert level is 2, it appears that the 
> only place to set alert levels is in ossec.conf on the server or 'local' 
> (it is configured on the server as the 
> default: 7).
>
> I seem to remember seeing somewhere that a local install was one where the 
> server managed only itself but can't find that reference now, is that 
> correct?
>
> The other option is to configure the system as hybrid, if that would allow 
> the notification to be suppressed (and the implications of the change 
> weren't too great), I would be glad to configure it that way if someone 
> could point me to instructions on how to do so.
>
> Thanks for the help, my learning curve at this point is pretty steep.
>



[ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I wondered about that but verify-agent-conf didn't complain so I thought it 
was valid.  I guess that means regex is only valid in rules?

On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote:
>
> I'm having trouble getting an ignore expression to actually ignore a 
> change and suspect it's due to not understanding how OSSEC regular 
> expressions work.  When I searched for examples I found very little so I'm 
> hoping someone can reply with examples or explanations.  What I tried was:
>
> /var/lib/postgresql/9.5/main/base/\d+/\d+$
> /var/lib/postgresql/9.5/main/pg_xlog/\d+$
>  type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$
>  type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$
>
>
> I'm still getting alerts such as the following:
>
> Integrity checksum changed for: 
> '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for: 
> '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file 
> system. (I configured new file alerting and am glad to see it's working 
> but just not this directory).
>
> Thanks for the help.
>
>



[ossec-list] ossec-keepalive

2017-08-28 Thread Leroy Tennison
Just FYI, not sure if a resolution 
to https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ 
has been put in place or not but it is occurring in v2.9.2 - I received an 
email alert (can post the text if it would be helpful).

Related to this, I noticed that the alert level is 2, it appears that the 
only place to set alert levels is in ossec.conf on the server or 'local' 
(it is configured on the server as the 
default: 7).

I seem to remember seeing somewhere that a local install was one where the 
server managed only itself but can't find that reference now, is that 
correct?

The other option is to configure the system as hybrid, if that would allow 
the notification to be suppressed (and the implications of the change 
weren't too great), I would be glad to configure it that way if someone 
could point me to instructions on how to do so.

Thanks for the help, my learning curve at this point is pretty steep.



[ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I'm having trouble getting an ignore expression to actually ignore a change 
and suspect it's due to not understanding how OSSEC regular expressions 
work.  When I searched for examples I found very little so I'm hoping 
someone can reply with examples or explanations.  What I tried was:

/var/lib/postgresql/9.5/main/base/\d+/\d+$
/var/lib/postgresql/9.5/main/pg_xlog/\d+$
/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$
/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$


I'm still getting alerts such as the following:

Integrity checksum changed for: 
'/var/lib/postgresql/9.5/main/base/16387/1259'
Integrity checksum changed for: 
'/var/lib/postgresql/9.5/main/pg_xlog/00010026'
New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file 
system. (I configured new file alerting and am glad to see it's working but 
just not this directory).

Thanks for the help.

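Both the bz2 question at the top of this page and the PostgreSQL ignore patterns in this thread come down to the same syscheck ignore syntax, so one agent.conf fragment covers both. It is an added example written for this page, not the poster's configuration and not something OSSEC ships: the profile name bfr is taken from the first post's config-profile list, /path/to and the PostgreSQL paths are the posters' own, and everything else about the layout is assumed.

```xml
<!-- Added example for /var/ossec/etc/shared/agent.conf on the manager.
     Profile "bfr" comes from the first post's config-profile list; the
     paths are the ones the posts name. -->
<agent_config profile="bfr">
  <syscheck>
    <!-- type="sregex" selects OSSEC's own regex dialect (\d, \w, \S, +, *,
         ^, $, |). Without the attribute the value is compared as a literal
         path, so "$" and "\d" have no special meaning and the entry only
         matches a path that literally begins with that text. -->

    <!-- Every *.bz2 file under /path/to. In OSSEC's dialect a bare dot is
         a literal dot (the any-character wildcard is written \.), and \S+
         is one or more non-space characters, so a path containing a space
         would not be covered. -->
    <ignore type="sregex">^/path/to/\S+.bz2$</ignore>

    <!-- PostgreSQL heap files: numeric database OID / numeric relfilenode. -->
    <ignore type="sregex">^/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>

    <!-- WAL segment and subtransaction file names are hexadecimal, so \w+
         rather than \d+ is needed to also cover names containing A to F. -->
    <ignore type="sregex">^/var/lib/postgresql/9.5/main/pg_xlog/\w+$</ignore>
    <ignore type="sregex">^/var/lib/postgresql/9.5/main/pg_subtrans/\w+$</ignore>
  </syscheck>
</agent_config>
```

Run /var/ossec/bin/verify-agent-conf on the manager after editing (it catches malformed XML, as the later reply in this thread notes, but it does not tell you whether a pattern will match anything), and restart the agent once it has pulled the new agent.conf, since syscheck only reads its ignore list at start-up.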


Re: [ossec-list] Newby question

2017-08-22 Thread Leroy Tennison
Hopefully final question about this, I notice the default manager's 
agent.conf has a configuration simply for os="linux" (and windows) as well 
as one which has no qualifier, I'm assuming those configurations apply to 
all systems with that os and all systems respectively.  Correct? 
 Suggestion, these might be worthwhile Architecture or FAQ additions.

On Tuesday, August 22, 2017 at 11:00:04 AM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Aug 22, 2017 11:55 AM, "Leroy Tennison" <leroy.t...@gmail.com> wrote:
>
> Thank you for your reply, sadly, that's exactly what I've done (doubled 
> up).  I'll go fix that.  Correct me if I'm wrong but, from your reply, it 
> appears that I need to examine both the manager's agent.conf as well as the 
> agent's ossec.conf to determine the "effective" configuration.  
>
>
> That is correct. Unfortunately that would be correct in any conceivable 
> scenario I can come up with. 
> At best you can minimize the ossec.conf and utilize the agent.conf as much 
> as possible.
>
>
> On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 21, 2017 4:39 PM, "Leroy Tennison" <leroy.t...@gmail.com> wrote:
>>
>> I have added to /var/ossec/etc/shared/agent.conf a profile for a class 
>> of machine and updated the agent's ossec.conf with the config-profile in 
>> the  block.
>>
>> Do I need to remove the ,  and all  
>> entries on the client or will the manager simply override them?  Is the 
>> result "either (the manager configuration)/or (the agent configuration)" or 
>> cumulative (both components apply)?
>>
>>
>> Cumulative. All options are applied. It is important syscheck entries are 
>> not doubled up.
>>
>> Changing the agent.conf to overriding ossec.conf options is something I 
>> am interested in, but haven't had time for.
>>
>>
>>
>
>
>



Re: [ossec-list] Is a "percent change" criteria available?

2017-08-22 Thread Leroy Tennison
Nagios..., we happen to use Icinga, I'll look at that approach.  Thanks 
(again).

On Monday, August 21, 2017 at 5:42:30 PM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Aug 21, 2017 4:58 PM, "Leroy Tennison" <leroy.t...@gmail.com> wrote:
>
> I'm hoping to implement a constraint where, if disk space used (on a 
> specific tree such as /home) changes by more than a certain percent then it 
> will trigger an alert.  I have a controlled environment (PCI) where delta 
> disk space usage changes should be pretty predictable, my goal is to 
> hopefully spot malware installation or other tampering by an abnormal 
> change in disk space utilization.
>
> I realize that this approach is anything but perfect, however, I am hoping 
> it will augment monitoring for areas of the disk where strict checking is 
> not feasible.  If there are alternative ways to accomplish this goal I'm 
> open to any suggestions.  I looked at agentless monitoring but it appears 
> that the requirement is "exact match" or alert.  I understand that I could 
> write a script which returned the same output if my criteria were met but 
> that would mean storing history locally which would itself be subject to 
> attack.  I'm also not sure if agent and agentless configuration can be 
> combined.
>
>
> You might be able to do some active response trickery, but I think 
> something like nagios or collectd might be better suited for this.
>
>
>
>
>

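One OSSEC-native way to get close to what the quoted question asks, as an added example for this page (not dan's suggestion and not something OSSEC ships as-is): have a command localfile report the percent-used figure for the tree, and let a rule with check_diff alert when that figure differs from the previous run. The /home path is the one the post names; the rule id 100510, the hourly frequency and the alert level are assumptions, and df --output=pcent requires GNU coreutils.

```xml
<!-- Added example. Agent side (ossec.conf on the agent, or a profile in the
     manager's agent.conf): run df once an hour and ship its whole output as
     one event. full_command keeps the header and value lines together, so
     the comparison below sees one body rather than alternating lines. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>df --output=pcent /home</command>
    <frequency>3600</frequency>
  </localfile>
</ossec_config>

<!-- Added example. Manager side (/var/ossec/rules/local_rules.xml). Rule 530
     is OSSEC's stock parent for "ossec: output:" events; check_diff compares
     this run's output with the last one the manager stored for this rule and
     fires only when they differ, i.e. when the percent used has moved. -->
<group name="local,ossec,">
  <rule id="100510" level="8">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df --output=pcent /home':</match>
    <check_diff />
    <description>Percent of /home in use changed since the previous check.</description>
  </rule>
</group>
```

The baseline check_diff compares against is kept on the manager (under /var/ossec/queue/diff), not on the monitored host, which answers the post's concern about a locally stored history being open to tampering. The granularity is whatever df prints, one percent; alerting only when a coarser step such as 5% is crossed needs a small wrapper script that rounds the figure before printing it, which check_diff then compares in exactly the same way.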


Re: [ossec-list] Newby question

2017-08-22 Thread Leroy Tennison
Thank you for your reply, sadly, that's exactly what I've done (doubled 
up).  I'll go fix that.  Correct me if I'm wrong but, from your reply, it 
appears that I need to examine both the manager's agent.conf as well as the 
agent's ossec.conf to determine the "effective" configuration.  

On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Aug 21, 2017 4:39 PM, "Leroy Tennison" <leroy.t...@gmail.com> wrote:
>
> I have added to /var/ossec/etc/shared/agent.conf a profile for a class of 
> machine and updated the agent's ossec.conf with the config-profile in the 
>  block.
>
> Do I need to remove the ,  and all  
> entries on the client or will the manager simply override them?  Is the 
> result "either (the manager configuration)/or (the agent configuration)" or 
> cumulative (both components apply)?
>
>
> Cumulative. All options are applied. It is important syscheck entries are 
> not doubled up.
>
> Changing the agent.conf to overriding ossec.conf options is something I 
> am interested in, but haven't had time for.
>
>
>
>
>
>



[ossec-list] Newby question

2017-08-21 Thread Leroy Tennison
I have added to /var/ossec/etc/shared/agent.conf a profile for a class of 
machine and updated the agent's ossec.conf with the config-profile in the 
 block.

Do I need to remove the ,  and all  entries 
on the client or will the manager simply override them?  Is the result 
"either (the manager configuration)/or (the agent configuration)" or 
cumulative (both components apply)?

