Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-20 Thread dan (ddp)
On Thu, Dec 13, 2012 at 10:04 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Thu, Dec 13, 2012 at 2:43 PM, dan (ddp) ddp...@gmail.com wrote:
 On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:

 So I don't have to dig through the whining to find out:
 Did you check permissions? Perhaps of ar.conf?

 Yes. In ossec server:

 [root] ls -al
 total 184
 drwxrwx--- 2 root   ossec  4096 Dec 11 07:45 .
 dr-xr-x--- 3 root   ossec  4096 Dec 11 06:58 ..
 -rw-r--r-- 1 root   ossec  4321 Dec 11 07:45 agent.conf
 -r--r----- 1 root   ossec   161 Dec 11 06:58 ar.conf
 -r--r----- 1 root   ossec  9501 Nov  9 02:24 cis_debian_linux_rcl.txt
 -r--r----- 1 root   ossec  8192 Nov  9 02:24 cis_rhel5_linux_rcl.txt
 -r--r----- 1 root   ossec 14251 Nov  9 02:24 cis_rhel_linux_rcl.txt
 -rw-r--r-- 1 ossecr ossec 74698 Dec 12 08:18 merged.mg
 -r--r----- 1 root   ossec 14872 Nov  9 02:24 rootkit_files.txt
 -r--r----- 1 root   ossec  5193 Nov  9 02:24 rootkit_trojans.txt
 -r--r----- 1 root   ossec  4457 Nov  9 02:24 system_audit_rcl.txt
 -r--r----- 1 root   ossec  4682 Nov  9 02:24 win_applications_rcl.txt
 -r--r----- 1 root   ossec  3859 Nov  9 02:24 win_audit_rcl.txt
 -r--r----- 1 root   ossec  4929 Nov  9 02:24 win_malware_rcl.txt

 In the agent side:

 root:/var/ossec/etc/shared# ls -al
 total 162
 drwxrwx---  2 root   ossec    512 Dec 11 07:07 .
 dr-xr-x---  3 root   ossec    512 Dec 10 13:17 ..
 -rw-r--r--  1 ossec  ossec   4321 Dec 11 12:13 agent.conf
 -rw-r--r--  1 ossec  ossec    161 Dec 11 12:13 ar.conf
 -rw-r--r--  1 ossec  ossec   9501 Dec 11 12:13 cis_debian_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec   8192 Dec 11 12:13 cis_rhel5_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  14251 Dec 11 12:13 cis_rhel_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  74698 Dec 11 12:13 merged.mg
 -rw-r--r--  1 ossec  ossec  14872 Dec 11 12:13 rootkit_files.txt
 -rw-r--r--  1 ossec  ossec   5193 Dec 11 12:13 rootkit_trojans.txt
 -rw-r--r--  1 ossec  ossec   4457 Dec 11 12:13 system_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4682 Dec 11 12:13 win_applications_rcl.txt
 -rw-r--r--  1 ossec  ossec   3859 Dec 11 12:13 win_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4929 Dec 11 12:13 win_malware_rcl.txt

 Anything useful in the ossec.log (why do I feel like I have to ask this)?

 Nothing. I don't see any abnormal ...

 Anything in the active response log?

 Active response log in the ossec server is empty. But in the agent,
 an entry appears when I have executed the command manually.


 Are any active responses working?

 That's the problem: I think not (only under 2.7 release. Using release
 2.6, all works as expected). I have only defined two active responses:
 firewall-drop and restart-ossec.

 Is AR disabled?

 No. It is enabled for server and agents ...

 What is the contents of the ar.conf on the agent?

 I'm making sure my (main/AR) agent is on 2.7 so I can see if it's
 working for me.

 In the agent:

 root:/tmp# cat /var/ossec/etc/shared/ar.conf
 restart-ossec0 - restart-ossec.sh - 0
 restart-ossec0 - restart-ossec.cmd - 0
 firewall-drop86400 - firewall-drop.sh - 86400
 restart-ossec0 - restart-ossec.sh - 0

 In the server:

 root# cat /data/ossec/etc/shared/ar.conf
 restart-ossec0 - restart-ossec.sh - 0
 restart-ossec0 - restart-ossec.cmd - 0
 firewall-drop86400 - firewall-drop.sh - 86400
 restart-ossec0 - restart-ossec.sh - 0

My active response is still working, so I'm not sure how to proceed in
troubleshooting this.


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-20 Thread C. L. Martinez
On Thu, Dec 20, 2012 at 1:37 PM, dan (ddp) ddp...@gmail.com wrote:
 On Thu, Dec 13, 2012 at 10:04 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Thu, Dec 13, 2012 at 2:43 PM, dan (ddp) ddp...@gmail.com wrote:
 On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com 
 wrote:
 On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:

 So I don't have to dig through the whining to find out:
 Did you check permissions? Perhaps of ar.conf?

 Yes. In ossec server:

 [root] ls -al
 total 184
 drwxrwx--- 2 root   ossec  4096 Dec 11 07:45 .
 dr-xr-x--- 3 root   ossec  4096 Dec 11 06:58 ..
 -rw-r--r-- 1 root   ossec  4321 Dec 11 07:45 agent.conf
 -r--r----- 1 root   ossec   161 Dec 11 06:58 ar.conf
 -r--r----- 1 root   ossec  9501 Nov  9 02:24 cis_debian_linux_rcl.txt
 -r--r----- 1 root   ossec  8192 Nov  9 02:24 cis_rhel5_linux_rcl.txt
 -r--r----- 1 root   ossec 14251 Nov  9 02:24 cis_rhel_linux_rcl.txt
 -rw-r--r-- 1 ossecr ossec 74698 Dec 12 08:18 merged.mg
 -r--r----- 1 root   ossec 14872 Nov  9 02:24 rootkit_files.txt
 -r--r----- 1 root   ossec  5193 Nov  9 02:24 rootkit_trojans.txt
 -r--r----- 1 root   ossec  4457 Nov  9 02:24 system_audit_rcl.txt
 -r--r----- 1 root   ossec  4682 Nov  9 02:24 win_applications_rcl.txt
 -r--r----- 1 root   ossec  3859 Nov  9 02:24 win_audit_rcl.txt
 -r--r----- 1 root   ossec  4929 Nov  9 02:24 win_malware_rcl.txt

 In the agent side:

 root:/var/ossec/etc/shared# ls -al
 total 162
 drwxrwx---  2 root   ossec    512 Dec 11 07:07 .
 dr-xr-x---  3 root   ossec    512 Dec 10 13:17 ..
 -rw-r--r--  1 ossec  ossec   4321 Dec 11 12:13 agent.conf
 -rw-r--r--  1 ossec  ossec    161 Dec 11 12:13 ar.conf
 -rw-r--r--  1 ossec  ossec   9501 Dec 11 12:13 cis_debian_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec   8192 Dec 11 12:13 cis_rhel5_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  14251 Dec 11 12:13 cis_rhel_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  74698 Dec 11 12:13 merged.mg
 -rw-r--r--  1 ossec  ossec  14872 Dec 11 12:13 rootkit_files.txt
 -rw-r--r--  1 ossec  ossec   5193 Dec 11 12:13 rootkit_trojans.txt
 -rw-r--r--  1 ossec  ossec   4457 Dec 11 12:13 system_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4682 Dec 11 12:13 win_applications_rcl.txt
 -rw-r--r--  1 ossec  ossec   3859 Dec 11 12:13 win_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4929 Dec 11 12:13 win_malware_rcl.txt

 Anything useful in the ossec.log (why do I feel like I have to ask this)?

 Nothing. I don't see any abnormal ...

 Anything in the active response log?

 Active response log in the ossec server is empty. But in the agent,
 an entry appears when I have executed the command manually.


 Are any active responses working?

 That's the problem: I think not (only under 2.7 release. Using release
 2.6, all works as expected). I have only defined two active responses:
 firewall-drop and restart-ossec.

 Is AR disabled?

 No. It is enabled for server and agents ...

 What is the contents of the ar.conf on the agent?

 I'm making sure my (main/AR) agent is on 2.7 so I can see if it's
 working for me.

 In the agent:

 root:/tmp# cat /var/ossec/etc/shared/ar.conf
 restart-ossec0 - restart-ossec.sh - 0
 restart-ossec0 - restart-ossec.cmd - 0
 firewall-drop86400 - firewall-drop.sh - 86400
 restart-ossec0 - restart-ossec.sh - 0

 In the server:

 root# cat /data/ossec/etc/shared/ar.conf
 restart-ossec0 - restart-ossec.sh - 0
 restart-ossec0 - restart-ossec.cmd - 0
 firewall-drop86400 - firewall-drop.sh - 86400
 restart-ossec0 - restart-ossec.sh - 0

 My active response is still working, so I'm not sure how to proceed in
 troubleshooting this.

Thanks Dan. I have installed another ossec 2.7 server to do more tests
and see what is not working ...


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-13 Thread dan (ddp)
On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:

 So I don't have to dig through the whining to find out:
 Did you check permissions? Perhaps of ar.conf?

 Yes. In ossec server:

 [root] ls -al
 total 184
 drwxrwx--- 2 root   ossec  4096 Dec 11 07:45 .
 dr-xr-x--- 3 root   ossec  4096 Dec 11 06:58 ..
 -rw-r--r-- 1 root   ossec  4321 Dec 11 07:45 agent.conf
 -r--r----- 1 root   ossec   161 Dec 11 06:58 ar.conf
 -r--r----- 1 root   ossec  9501 Nov  9 02:24 cis_debian_linux_rcl.txt
 -r--r----- 1 root   ossec  8192 Nov  9 02:24 cis_rhel5_linux_rcl.txt
 -r--r----- 1 root   ossec 14251 Nov  9 02:24 cis_rhel_linux_rcl.txt
 -rw-r--r-- 1 ossecr ossec 74698 Dec 12 08:18 merged.mg
 -r--r----- 1 root   ossec 14872 Nov  9 02:24 rootkit_files.txt
 -r--r----- 1 root   ossec  5193 Nov  9 02:24 rootkit_trojans.txt
 -r--r----- 1 root   ossec  4457 Nov  9 02:24 system_audit_rcl.txt
 -r--r----- 1 root   ossec  4682 Nov  9 02:24 win_applications_rcl.txt
 -r--r----- 1 root   ossec  3859 Nov  9 02:24 win_audit_rcl.txt
 -r--r----- 1 root   ossec  4929 Nov  9 02:24 win_malware_rcl.txt

 In the agent side:

 root:/var/ossec/etc/shared# ls -al
 total 162
 drwxrwx---  2 root   ossec    512 Dec 11 07:07 .
 dr-xr-x---  3 root   ossec    512 Dec 10 13:17 ..
 -rw-r--r--  1 ossec  ossec   4321 Dec 11 12:13 agent.conf
 -rw-r--r--  1 ossec  ossec    161 Dec 11 12:13 ar.conf
 -rw-r--r--  1 ossec  ossec   9501 Dec 11 12:13 cis_debian_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec   8192 Dec 11 12:13 cis_rhel5_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  14251 Dec 11 12:13 cis_rhel_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  74698 Dec 11 12:13 merged.mg
 -rw-r--r--  1 ossec  ossec  14872 Dec 11 12:13 rootkit_files.txt
 -rw-r--r--  1 ossec  ossec   5193 Dec 11 12:13 rootkit_trojans.txt
 -rw-r--r--  1 ossec  ossec   4457 Dec 11 12:13 system_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4682 Dec 11 12:13 win_applications_rcl.txt
 -rw-r--r--  1 ossec  ossec   3859 Dec 11 12:13 win_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4929 Dec 11 12:13 win_malware_rcl.txt

 Anything useful in the ossec.log (why do I feel like I have to ask this)?

 Nothing. I don't see any abnormal ...

 Anything in the active response log?

 Active response log in the ossec server is empty. But in the agent,
 an entry appears when I have executed the command manually.


 Are any active responses working?

 That's the problem: I think not (only under 2.7 release. Using release
 2.6, all works as expected). I have only defined two active responses:
 firewall-drop and restart-ossec.

 Is AR disabled?

 No. It is enabled for server and agents ...

What is the contents of the ar.conf on the agent?

I'm making sure my (main/AR) agent is on 2.7 so I can see if it's
working for me.


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-13 Thread C. L. Martinez
On Thu, Dec 13, 2012 at 2:43 PM, dan (ddp) ddp...@gmail.com wrote:
 On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:

 So I don't have to dig through the whining to find out:
 Did you check permissions? Perhaps of ar.conf?

 Yes. In ossec server:

 [root] ls -al
 total 184
 drwxrwx--- 2 root   ossec  4096 Dec 11 07:45 .
 dr-xr-x--- 3 root   ossec  4096 Dec 11 06:58 ..
 -rw-r--r-- 1 root   ossec  4321 Dec 11 07:45 agent.conf
 -r--r----- 1 root   ossec   161 Dec 11 06:58 ar.conf
 -r--r----- 1 root   ossec  9501 Nov  9 02:24 cis_debian_linux_rcl.txt
 -r--r----- 1 root   ossec  8192 Nov  9 02:24 cis_rhel5_linux_rcl.txt
 -r--r----- 1 root   ossec 14251 Nov  9 02:24 cis_rhel_linux_rcl.txt
 -rw-r--r-- 1 ossecr ossec 74698 Dec 12 08:18 merged.mg
 -r--r----- 1 root   ossec 14872 Nov  9 02:24 rootkit_files.txt
 -r--r----- 1 root   ossec  5193 Nov  9 02:24 rootkit_trojans.txt
 -r--r----- 1 root   ossec  4457 Nov  9 02:24 system_audit_rcl.txt
 -r--r----- 1 root   ossec  4682 Nov  9 02:24 win_applications_rcl.txt
 -r--r----- 1 root   ossec  3859 Nov  9 02:24 win_audit_rcl.txt
 -r--r----- 1 root   ossec  4929 Nov  9 02:24 win_malware_rcl.txt

 In the agent side:

 root:/var/ossec/etc/shared# ls -al
 total 162
 drwxrwx---  2 root   ossec    512 Dec 11 07:07 .
 dr-xr-x---  3 root   ossec    512 Dec 10 13:17 ..
 -rw-r--r--  1 ossec  ossec   4321 Dec 11 12:13 agent.conf
 -rw-r--r--  1 ossec  ossec    161 Dec 11 12:13 ar.conf
 -rw-r--r--  1 ossec  ossec   9501 Dec 11 12:13 cis_debian_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec   8192 Dec 11 12:13 cis_rhel5_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  14251 Dec 11 12:13 cis_rhel_linux_rcl.txt
 -rw-r--r--  1 ossec  ossec  74698 Dec 11 12:13 merged.mg
 -rw-r--r--  1 ossec  ossec  14872 Dec 11 12:13 rootkit_files.txt
 -rw-r--r--  1 ossec  ossec   5193 Dec 11 12:13 rootkit_trojans.txt
 -rw-r--r--  1 ossec  ossec   4457 Dec 11 12:13 system_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4682 Dec 11 12:13 win_applications_rcl.txt
 -rw-r--r--  1 ossec  ossec   3859 Dec 11 12:13 win_audit_rcl.txt
 -rw-r--r--  1 ossec  ossec   4929 Dec 11 12:13 win_malware_rcl.txt

 Anything useful in the ossec.log (why do I feel like I have to ask this)?

 Nothing. I don't see any abnormal ...

 Anything in the active response log?

 Active response log in the ossec server is empty. But in the agent,
 an entry appears when I have executed the command manually.


 Are any active responses working?

 That's the problem: I think not (only under 2.7 release. Using release
 2.6, all works as expected). I have only defined two active responses:
 firewall-drop and restart-ossec.

 Is AR disabled?

 No. It is enabled for server and agents ...

 What is the contents of the ar.conf on the agent?

 I'm making sure my (main/AR) agent is on 2.7 so I can see if it's
 working for me.

In the agent:

root:/tmp# cat /var/ossec/etc/shared/ar.conf
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop86400 - firewall-drop.sh - 86400
restart-ossec0 - restart-ossec.sh - 0

In the server:

root# cat /data/ossec/etc/shared/ar.conf
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop86400 - firewall-drop.sh - 86400
restart-ossec0 - restart-ossec.sh - 0


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-12 Thread C. L. Martinez
On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) ddp...@gmail.com wrote:

 On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:

 On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
 wrote:
  On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
  wrote:
  On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
  guilhem.march...@gmail.com wrote:
  Hi,
 
   I had the same issue with Ossec 2.7 even with a server / agent fresh
   install, I confirm.
 
  Regards,
 
  Guilhem
 
  Weird, it's working fine in 2.7 for me.
 
  OSSEC HIDS agent_control. Available active responses:
 
 Response name: host-deny2400, command: host-deny.sh
 Response name: firewall-drop600, command: firewall-drop.sh
 
 
  and ossec.conf
 
    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for  600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>2400</timeout>
    </active-response>
  
    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>
 
 
  Uhmm I have found another problem, well two problems:
 
  a) I have defined another active response:
 
    <command>
      <name>restart-ossec</name>
      <executable>restart-ossec.sh</executable>
      <expect></expect>
    </command>
  
    <active-response>
      <command>restart-ossec</command>
      <location>all</location>
      <rules_id>12</rules_id>
    </active-response>
 
  ... and it doesn't appear:
 
  [root@ossectst etc]# agent_control -L
 
  OSSEC HIDS agent_control. Available active responses:
 
 Response name: firewall-drop86400, command: firewall-drop.sh
 
  b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
  system (using version 2.6 for server and agent works)
 
  Please, any idea??

 Any idea please?? This problem is really strange 

 Run it manually, how does it fail? Please give us enough info to help, I'm
 not installing FreeBSD.

Running manually works ok:

/var/ossec/active-response/bin/firewall-drop.sh add - 10.1961.132
1355211271.2446 5706

but it doesn't work automatically ...


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-12 Thread dan (ddp)
On Dec 12, 2012 5:48 AM, C. L. Martinez carlopm...@gmail.com wrote:

 On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) ddp...@gmail.com wrote:
 
  On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
 
  On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
  wrote:
   On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker 
bren...@unruleable.org
   wrote:
   On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
   guilhem.march...@gmail.com wrote:
   Hi,
  
   I had the same issue with Ossec 2.7 even with a server / agent fresh
   install, I confirm.
  
   Regards,
  
   Guilhem
  
   Weird, it's working fine in 2.7 for me.
  
   OSSEC HIDS agent_control. Available active responses:
  
  Response name: host-deny2400, command: host-deny.sh
  Response name: firewall-drop600, command: firewall-drop.sh
  
  
   and ossec.conf
  
     <active-response>
       <!-- This response is going to execute the host-deny
          - command for every event that fires a rule with
          - level (severity) >= 6.
          - The IP is going to be blocked for  600 seconds.
         -->
       <command>host-deny</command>
       <location>local</location>
       <level>6</level>
       <timeout>2400</timeout>
     </active-response>
   
     <active-response>
       <!-- Firewall Drop response. Block the IP for
          - 600 seconds on the firewall (iptables,
          - ipfilter, etc).
         -->
       <command>firewall-drop</command>
       <location>local</location>
       <level>6</level>
       <timeout>600</timeout>
     </active-response>
  
  
   Uhmm I have found another problem, well two problems:
  
   a) I have defined another active response:
  
     <command>
       <name>restart-ossec</name>
       <executable>restart-ossec.sh</executable>
       <expect></expect>
     </command>
   
     <active-response>
       <command>restart-ossec</command>
       <location>all</location>
       <rules_id>12</rules_id>
     </active-response>
  
   ... and it doesn't appear:
  
   [root@ossectst etc]# agent_control -L
  
   OSSEC HIDS agent_control. Available active responses:
  
  Response name: firewall-drop86400, command: firewall-drop.sh
  
   b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
   system (using version 2.6 for server and agent works)
  
   Please, any idea??
 
  Any idea please?? This problem is really strange 
 
  Run it manually, how does it fail? Please give us enough info to help, I'm
  not installing FreeBSD.

 Running manually works ok:

 /var/ossec/active-response/bin/firewall-drop.sh add - 10.1961.132
 1355211271.2446 5706

 but it doesn't work automatically ...

So I don't have to dig through the whining to find out:
Did you check permissions? Perhaps of ar.conf?
Anything useful in the ossec.log (why do I feel like I have to ask this)?
Anything in the active response log?
Are any active responses working?
Is AR disabled?


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-12 Thread C. L. Martinez
On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:

 On Dec 12, 2012 5:48 AM, C. L. Martinez carlopm...@gmail.com wrote:

 On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) ddp...@gmail.com wrote:
 
  On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
 
  On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
  wrote:
   On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker
   bren...@unruleable.org
   wrote:
   On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
   guilhem.march...@gmail.com wrote:
   Hi,
  
   I had the same issue with Ossec 2.7 even with a server / agent fresh
   install, I confirm.
  
   Regards,
  
   Guilhem
  
   Weird, it's working fine in 2.7 for me.
  
   OSSEC HIDS agent_control. Available active responses:
  
  Response name: host-deny2400, command: host-deny.sh
  Response name: firewall-drop600, command: firewall-drop.sh
  
  
   and ossec.conf
  
     <active-response>
       <!-- This response is going to execute the host-deny
          - command for every event that fires a rule with
          - level (severity) >= 6.
          - The IP is going to be blocked for  600 seconds.
         -->
       <command>host-deny</command>
       <location>local</location>
       <level>6</level>
       <timeout>2400</timeout>
     </active-response>
   
     <active-response>
       <!-- Firewall Drop response. Block the IP for
          - 600 seconds on the firewall (iptables,
          - ipfilter, etc).
         -->
       <command>firewall-drop</command>
       <location>local</location>
       <level>6</level>
       <timeout>600</timeout>
     </active-response>
  
  
   Uhmm I have found another problem, well two problems:
  
   a) I have defined another active response:
  
     <command>
       <name>restart-ossec</name>
       <executable>restart-ossec.sh</executable>
       <expect></expect>
     </command>
   
     <active-response>
       <command>restart-ossec</command>
       <location>all</location>
       <rules_id>12</rules_id>
     </active-response>
  
   ... and it doesn't appear:
  
   [root@ossectst etc]# agent_control -L
  
   OSSEC HIDS agent_control. Available active responses:
  
  Response name: firewall-drop86400, command: firewall-drop.sh
  
   b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
   system (using version 2.6 for server and agent works)
  
   Please, any idea??
 
  Any idea please?? This problem is really strange 
 
  Run it manually, how does it fail? Please give us enough info to help, I'm
  not installing FreeBSD.

 Running manually works ok:

 /var/ossec/active-response/bin/firewall-drop.sh add - 10.1961.132
 1355211271.2446 5706

 but it doesn't work automatically ...

 So I don't have to dig through the whining to find out:
 Did you check permissions? Perhaps of ar.conf?

Yes. In ossec server:

[root] ls -al
total 184
drwxrwx--- 2 root   ossec  4096 Dec 11 07:45 .
dr-xr-x--- 3 root   ossec  4096 Dec 11 06:58 ..
-rw-r--r-- 1 root   ossec  4321 Dec 11 07:45 agent.conf
-r--r----- 1 root   ossec   161 Dec 11 06:58 ar.conf
-r--r----- 1 root   ossec  9501 Nov  9 02:24 cis_debian_linux_rcl.txt
-r--r----- 1 root   ossec  8192 Nov  9 02:24 cis_rhel5_linux_rcl.txt
-r--r----- 1 root   ossec 14251 Nov  9 02:24 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 74698 Dec 12 08:18 merged.mg
-r--r----- 1 root   ossec 14872 Nov  9 02:24 rootkit_files.txt
-r--r----- 1 root   ossec  5193 Nov  9 02:24 rootkit_trojans.txt
-r--r----- 1 root   ossec  4457 Nov  9 02:24 system_audit_rcl.txt
-r--r----- 1 root   ossec  4682 Nov  9 02:24 win_applications_rcl.txt
-r--r----- 1 root   ossec  3859 Nov  9 02:24 win_audit_rcl.txt
-r--r----- 1 root   ossec  4929 Nov  9 02:24 win_malware_rcl.txt

In the agent side:

root:/var/ossec/etc/shared# ls -al
total 162
drwxrwx---  2 root   ossec    512 Dec 11 07:07 .
dr-xr-x---  3 root   ossec    512 Dec 10 13:17 ..
-rw-r--r--  1 ossec  ossec   4321 Dec 11 12:13 agent.conf
-rw-r--r--  1 ossec  ossec    161 Dec 11 12:13 ar.conf
-rw-r--r--  1 ossec  ossec   9501 Dec 11 12:13 cis_debian_linux_rcl.txt
-rw-r--r--  1 ossec  ossec   8192 Dec 11 12:13 cis_rhel5_linux_rcl.txt
-rw-r--r--  1 ossec  ossec  14251 Dec 11 12:13 cis_rhel_linux_rcl.txt
-rw-r--r--  1 ossec  ossec  74698 Dec 11 12:13 merged.mg
-rw-r--r--  1 ossec  ossec  14872 Dec 11 12:13 rootkit_files.txt
-rw-r--r--  1 ossec  ossec   5193 Dec 11 12:13 rootkit_trojans.txt
-rw-r--r--  1 ossec  ossec   4457 Dec 11 12:13 system_audit_rcl.txt
-rw-r--r--  1 ossec  ossec   4682 Dec 11 12:13 win_applications_rcl.txt
-rw-r--r--  1 ossec  ossec   3859 Dec 11 12:13 win_audit_rcl.txt
-rw-r--r--  1 ossec  ossec   4929 Dec 11 12:13 win_malware_rcl.txt

 Anything useful in the ossec.log (why do I feel like I have to ask this)?

Nothing. I don't see any abnormal ...

 Anything in the active response log?

Active response log in the ossec server is empty. But in the agent,
an entry appears when I have executed the command manually.


 Are any active responses working?

That's the problem: I think not 

Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-11 Thread C. L. Martinez
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org wrote:
 On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com 
 wrote:
 Hi,

 I had the same issue with Ossec 2.7 even with a server / agent fresh
 install, I confirm.

 Regards,

 Guilhem

 Weird, it's working fine in 2.7 for me.

 OSSEC HIDS agent_control. Available active responses:

Response name: host-deny2400, command: host-deny.sh
Response name: firewall-drop600, command: firewall-drop.sh


 and ossec.conf

    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for  600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>2400</timeout>
    </active-response>

    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>


Uhmm I have found another problem, well two problems:

a) I have defined another active response:

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>restart-ossec</command>
    <location>all</location>
    <rules_id>12</rules_id>
  </active-response>

... and it doesn't appear:

[root@ossectst etc]# agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: firewall-drop86400, command: firewall-drop.sh

b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
system (using version 2.6 for server and agent works)

Please, any idea??


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-11 Thread C. L. Martinez
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org 
 wrote:
 On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm 
 guilhem.march...@gmail.com wrote:
 Hi,

 I had the same issue with Ossec 2.7 even with a server / agent fresh
 install, I confirm.

 Regards,

 Guilhem

 Weird, it's working fine in 2.7 for me.

 OSSEC HIDS agent_control. Available active responses:

Response name: host-deny2400, command: host-deny.sh
Response name: firewall-drop600, command: firewall-drop.sh


 and ossec.conf

    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for  600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>2400</timeout>
    </active-response>

    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>


 Uhmm I have found another problem, well two problems:

 a) I have defined another active response:

   <command>
     <name>restart-ossec</name>
     <executable>restart-ossec.sh</executable>
     <expect></expect>
   </command>

   <active-response>
     <command>restart-ossec</command>
     <location>all</location>
     <rules_id>12</rules_id>
   </active-response>

 ... and it doesn't appear:

 [root@ossectst etc]# agent_control -L

 OSSEC HIDS agent_control. Available active responses:

Response name: firewall-drop86400, command: firewall-drop.sh

 b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
 system (using version 2.6 for server and agent works)

 Please, any idea??

Any idea please?? This problem is really strange 


Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-11 Thread dan (ddp)
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:

 On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
wrote:
  On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
wrote:
  On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm 
guilhem.march...@gmail.com wrote:
  Hi,
 
   I had the same issue with Ossec 2.7 even with a server / agent fresh
   install, I confirm.
 
  Regards,
 
  Guilhem
 
  Weird, it's working fine in 2.7 for me.
 
  OSSEC HIDS agent_control. Available active responses:
 
 Response name: host-deny2400, command: host-deny.sh
 Response name: firewall-drop600, command: firewall-drop.sh
 
 
  and ossec.conf
 
    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for  600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>2400</timeout>
    </active-response>
  
    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>
 
 
  Uhmm I have found another problem, well two problems:
 
  a) I have defined another active response:
 
    <command>
      <name>restart-ossec</name>
      <executable>restart-ossec.sh</executable>
      <expect></expect>
    </command>
  
    <active-response>
      <command>restart-ossec</command>
      <location>all</location>
      <rules_id>12</rules_id>
    </active-response>
 
  ... and it doesn't appear:
 
  [root@ossectst etc]# agent_control -L
 
  OSSEC HIDS agent_control. Available active responses:
 
 Response name: firewall-drop86400, command: firewall-drop.sh
 
  b) active response firewall-drop.sh doesn't work for a FreeBSD 8.3
  system (using version 2.6 for server and agent works)
 
  Please, any idea??

 Any idea please?? This problem is really strange 

Run it manually, how does it fail? Please give us enough info to help, I'm
not installing FreeBSD.


[ossec-list] Re: Problem with active response in 2.7

2012-12-10 Thread C. L. Martinez
On Mon, Dec 10, 2012 at 10:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
 Hi all,

  I am using the same active response options in one 2.6 ossec server and
 in another 2.7 ossec server. In version 2.6 all works ok as I expect,
 but under 2.7 it doesn't work. In both servers I have configured only
 this active response:

   <command>
     <name>firewall-drop</name>
     <executable>firewall-drop.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <active-response>
     <command>firewall-drop</command>
     <location>all</location>
     <level>6</level>
     <timeout>86400</timeout>
     <repeated_offenders>2880,4320,5760</repeated_offenders>
   </active-response>

 Executing agent_control on the 2.7 ossec server returns:

 [root@ossec27 /tmp]# agent_control -L

 OSSEC HIDS agent_control. Available active responses:

No active response available.

 Do I need to reconfigure something under 2.7??

Ok, two errors appear. From the server side:

2012/12/09 12:53:45 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2012/12/09 17:57:34 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2012/12/09 23:01:14 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2012/12/10 00:18:57 ossec-syscheckd: INFO: Starting syscheck scan.
2012/12/10 00:24:07 ossec-syscheckd: INFO: Ending syscheck scan.
2012/12/10 04:04:43 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2012/12/10 08:05:15 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/12/10 08:09:45 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/12/10 09:08:33 ossec-remoted: Error accessing file '/etc/shared/ar.conf'

..and from agent side:

2012/12/09 05:01:03 ossec-execd(1103): ERROR: Unable to open file
'/var/ossec/etc/shared/ar.conf'.
2012/12/09 05:01:03 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop86400' provided.
2012/12/09 07:32:51 ossec-execd(1103): ERROR: Unable to open file
'/var/ossec/etc/shared/ar.conf'.
2012/12/09 07:32:51 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop86400' provided.
2012/12/10 03:15:05 ossec-execd(1103): ERROR: Unable to open file
'/var/ossec/etc/shared/ar.conf'.
2012/12/10 03:15:05 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop86400' provided.
2012/12/10 04:00:04 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/12/10 04:05:05 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/12/10 04:05:05 ossec-syscheckd: INFO: Starting syscheck scan.
2012/12/10 04:10:01 ossec-syscheckd: INFO: Ending syscheck scan.
2012/12/10 05:01:28 ossec-execd(1103): ERROR: Unable to open file
'/var/ossec/etc/shared/ar.conf'.
2012/12/10 05:01:28 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop86400' provided.
2012/12/10 07:33:12 ossec-execd(1103): ERROR: Unable to open file
'/var/ossec/etc/shared/ar.conf'.
2012/12/10 07:33:12 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop86400' provided.

But ar.conf exists in server:

[root@plzfsiem01 ossec]# ls -la etc/shared/ar.conf
-r--r- 1 root root 161 Dec  4 11:28 etc/shared/ar.conf

with the following content:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop86400 - firewall-drop.sh - 86400
restart-ossec0 - restart-ossec.sh - 0

but it doesn't exist on the agent side. Do I need to change permissions??


[ossec-list] Re: Problem with active response in 2.7

2012-12-10 Thread C. L. Martinez
On Mon, Dec 10, 2012 at 10:49 AM, C. L. Martinez carlopm...@gmail.com wrote:
 On Mon, Dec 10, 2012 at 10:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
 Hi all,

  I am using the same active response options in one 2.6 ossec server and
 in another 2.7 ossec server. In version 2.6 all works ok as I expect,
 but under 2.7 it doesn't work. In both servers I have configured only
 this active response:

   <command>
 <name>firewall-drop</name>
 <executable>firewall-drop.sh</executable>
 <expect>srcip</expect>
 <timeout_allowed>yes</timeout_allowed>
   </command>

   <active-response>
 <command>firewall-drop</command>
 <location>all</location>
 <level>6</level>
 <timeout>86400</timeout>
 <repeated_offenders>2880,4320,5760</repeated_offenders>
   </active-response>

 Executing agent_control on the 2.7 ossec server returns:

 [root@ossec27 /tmp]# agent_control -L

 OSSEC HIDS agent_control. Available active responses:

No active response available.

 Do I need to reconfigure something under 2.7??

 Ok, two errors appear. From the server side:

 2012/12/09 12:53:45 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
 2012/12/09 17:57:34 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
 2012/12/09 23:01:14 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
 2012/12/10 00:18:57 ossec-syscheckd: INFO: Starting syscheck scan.
 2012/12/10 00:24:07 ossec-syscheckd: INFO: Ending syscheck scan.
 2012/12/10 04:04:43 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
 2012/12/10 08:05:15 ossec-rootcheck: INFO: Starting rootcheck scan.
 2012/12/10 08:09:45 ossec-rootcheck: INFO: Ending rootcheck scan.
 2012/12/10 09:08:33 ossec-remoted: Error accessing file '/etc/shared/ar.conf'

 ...and from the agent side:

 2012/12/09 05:01:03 ossec-execd(1103): ERROR: Unable to open file
 '/var/ossec/etc/shared/ar.conf'.
 2012/12/09 05:01:03 ossec-execd(1311): ERROR: Invalid command name
 'firewall-drop86400' provided.
 2012/12/09 07:32:51 ossec-execd(1103): ERROR: Unable to open file
 '/var/ossec/etc/shared/ar.conf'.
 2012/12/09 07:32:51 ossec-execd(1311): ERROR: Invalid command name
 'firewall-drop86400' provided.
 2012/12/10 03:15:05 ossec-execd(1103): ERROR: Unable to open file
 '/var/ossec/etc/shared/ar.conf'.
 2012/12/10 03:15:05 ossec-execd(1311): ERROR: Invalid command name
 'firewall-drop86400' provided.
 2012/12/10 04:00:04 ossec-rootcheck: INFO: Starting rootcheck scan.
 2012/12/10 04:05:05 ossec-rootcheck: INFO: Ending rootcheck scan.
 2012/12/10 04:05:05 ossec-syscheckd: INFO: Starting syscheck scan.
 2012/12/10 04:10:01 ossec-syscheckd: INFO: Ending syscheck scan.
 2012/12/10 05:01:28 ossec-execd(1103): ERROR: Unable to open file
 '/var/ossec/etc/shared/ar.conf'.
 2012/12/10 05:01:28 ossec-execd(1311): ERROR: Invalid command name
 'firewall-drop86400' provided.
 2012/12/10 07:33:12 ossec-execd(1103): ERROR: Unable to open file
 '/var/ossec/etc/shared/ar.conf'.
 2012/12/10 07:33:12 ossec-execd(1311): ERROR: Invalid command name
 'firewall-drop86400' provided.

 But ar.conf exists in server:

 [root@plzfsiem01 ossec]# ls -la etc/shared/ar.conf
 -r--r- 1 root root 161 Dec  4 11:28 etc/shared/ar.conf

 with the following content:

 restart-ossec0 - restart-ossec.sh - 0
 restart-ossec0 - restart-ossec.cmd - 0
 firewall-drop86400 - firewall-drop.sh - 86400
 restart-ossec0 - restart-ossec.sh - 0

 but it doesn't exist on the agent side. Do I need to change permissions??

Ok, the problem is fixed by doing chgrp ossec ar.conf, but this file is
created during the first ossec startup ... Maybe it is a bug??


[ossec-list] Re: Problem with active response in 2.7

2012-12-10 Thread Guilmxm
Hi, 

I had the same issue with Ossec 2.7 even with a server / agent fresh 
install, I confirm.

Regards,

Guilhem

On Monday, 10 December 2012 12:00:30 UTC+1, carlopmart wrote:

 On Mon, Dec 10, 2012 at 10:49 AM, C. L. Martinez 
 carlo...@gmail.com 
 wrote: 
  On Mon, Dec 10, 2012 at 10:31 AM, C. L. Martinez 
  carlo...@gmail.com 
 wrote: 
  Hi all, 
  
   I am using the same active response options in one 2.6 ossec server and 
  in another 2.7 ossec server. In version 2.6 all works ok as I expect, 
  but under 2.7 it doesn't work. In both servers I have configured only 
  this active response: 
  
    <command> 
  <name>firewall-drop</name> 
  <executable>firewall-drop.sh</executable> 
  <expect>srcip</expect> 
  <timeout_allowed>yes</timeout_allowed> 
    </command> 
  
    <active-response> 
  <command>firewall-drop</command> 
  <location>all</location> 
  <level>6</level> 
  <timeout>86400</timeout> 
  <repeated_offenders>2880,4320,5760</repeated_offenders> 
    </active-response> 
  
  Executing agent_control on the 2.7 ossec server returns: 
  
  [root@ossec27 /tmp]# agent_control -L 
  
  OSSEC HIDS agent_control. Available active responses: 
  
 No active response available. 
  
  Do I need to reconfigure something under 2.7?? 
  
  Ok, two errors appear. From the server side: 
  
  2012/12/09 12:53:45 ossec-remoted: Error accessing file 
 '/etc/shared/ar.conf' 
  2012/12/09 17:57:34 ossec-remoted: Error accessing file 
 '/etc/shared/ar.conf' 
  2012/12/09 23:01:14 ossec-remoted: Error accessing file 
 '/etc/shared/ar.conf' 
  2012/12/10 00:18:57 ossec-syscheckd: INFO: Starting syscheck scan. 
  2012/12/10 00:24:07 ossec-syscheckd: INFO: Ending syscheck scan. 
  2012/12/10 04:04:43 ossec-remoted: Error accessing file 
 '/etc/shared/ar.conf' 
  2012/12/10 08:05:15 ossec-rootcheck: INFO: Starting rootcheck scan. 
  2012/12/10 08:09:45 ossec-rootcheck: INFO: Ending rootcheck scan. 
  2012/12/10 09:08:33 ossec-remoted: Error accessing file 
 '/etc/shared/ar.conf' 
  
  ...and from the agent side: 
  
  2012/12/09 05:01:03 ossec-execd(1103): ERROR: Unable to open file 
  '/var/ossec/etc/shared/ar.conf'. 
  2012/12/09 05:01:03 ossec-execd(1311): ERROR: Invalid command name 
  'firewall-drop86400' provided. 
  2012/12/09 07:32:51 ossec-execd(1103): ERROR: Unable to open file 
  '/var/ossec/etc/shared/ar.conf'. 
  2012/12/09 07:32:51 ossec-execd(1311): ERROR: Invalid command name 
  'firewall-drop86400' provided. 
  2012/12/10 03:15:05 ossec-execd(1103): ERROR: Unable to open file 
  '/var/ossec/etc/shared/ar.conf'. 
  2012/12/10 03:15:05 ossec-execd(1311): ERROR: Invalid command name 
  'firewall-drop86400' provided. 
  2012/12/10 04:00:04 ossec-rootcheck: INFO: Starting rootcheck scan. 
  2012/12/10 04:05:05 ossec-rootcheck: INFO: Ending rootcheck scan. 
  2012/12/10 04:05:05 ossec-syscheckd: INFO: Starting syscheck scan. 
  2012/12/10 04:10:01 ossec-syscheckd: INFO: Ending syscheck scan. 
  2012/12/10 05:01:28 ossec-execd(1103): ERROR: Unable to open file 
  '/var/ossec/etc/shared/ar.conf'. 
  2012/12/10 05:01:28 ossec-execd(1311): ERROR: Invalid command name 
  'firewall-drop86400' provided. 
  2012/12/10 07:33:12 ossec-execd(1103): ERROR: Unable to open file 
  '/var/ossec/etc/shared/ar.conf'. 
  2012/12/10 07:33:12 ossec-execd(1311): ERROR: Invalid command name 
  'firewall-drop86400' provided. 
  
  But ar.conf exists in server: 
  
  [root@plzfsiem01 ossec]# ls -la etc/shared/ar.conf 
  -r--r- 1 root root 161 Dec  4 11:28 etc/shared/ar.conf 
  
  with the following content: 
  
  restart-ossec0 - restart-ossec.sh - 0 
  restart-ossec0 - restart-ossec.cmd - 0 
  firewall-drop86400 - firewall-drop.sh - 86400 
  restart-ossec0 - restart-ossec.sh - 0 
  
  but it doesn't exist on the agent side. Do I need to change permissions?? 

 Ok, the problem is fixed by doing chgrp ossec ar.conf, but this file is 
 created during the first ossec startup ... Maybe it is a bug?? 



Re: [ossec-list] Re: Problem with active response in 2.7

2012-12-10 Thread Brenden Walker
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com 
wrote:
 Hi, 
 
 I had the same issue with Ossec 2.7 even with a server / agent fresh 
 install, I confirm.
 
 Regards,
 
 Guilhem

Weird, it's working fine in 2.7 for me.  

OSSEC HIDS agent_control. Available active responses:

   Response name: host-deny2400, command: host-deny.sh
   Response name: firewall-drop600, command: firewall-drop.sh


and ossec.conf

  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>2400</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
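
The two things this thread turns on are the server-side permissions of ar.conf (the `chgrp ossec ar.conf` fix above: ossec-remoted runs unprivileged with group ossec and chrooted to /var/ossec, which is why it logs the path as '/etc/shared/ar.conf') and the contents of ar.conf, which is what `agent_control -L` lists and where the `firewall-drop86400` name in the agent's execd errors comes from. The POSIX shell script below is an added example, not code from the thread or from the OSSEC project: it checks that ar.conf is readable through the expected group, validates that each entry's response name is command plus timeout, and prints the same "Response name: ..., command: ..." lines agent_control shows. It assumes the default group `ossec`; the function names and the `AR_CONF`/`OSSEC_GROUP` variables are my own, not OSSEC's.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC itself.
# Checks the server-side ar.conf the way ossec-remoted needs it and lists
# the responses it defines. Assumes the default OSSEC group name.
OSSEC_GROUP="${OSSEC_GROUP:-ossec}"          # group ossec-remoted runs with

# Print one "Response name: <name>, command: <script>" line per ar.conf
# entry, the shape agent_control -L uses. ar.conf lines look like
#   firewall-drop86400 - firewall-drop.sh - 86400
list_responses() {
    awk -F' - ' 'NF == 3 { printf "Response name: %s, command: %s\n", $1, $2 }' "$1"
}

# Verify every entry's name is <command><timeout>: that is the command name
# ossec-execd looks up (e.g. firewall-drop86400), so a mismatch means the
# agent will log "Invalid command name". Returns 1 on any bad line.
validate_entries() {
    awk -F' - ' '
        NF != 3 { print "malformed line: " $0; bad = 1; next }
        {
            cmd = $2
            sub(/\.(sh|cmd)$/, "", cmd)     # firewall-drop.sh -> firewall-drop
            if ($1 != (cmd $3)) { print "name/timeout mismatch: " $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Check that the file exists, belongs to the given group and is group-
# readable. A root:root 0440 ar.conf (the case in this thread) fails here,
# which is exactly what chgrp ossec repairs. Uses ls -ld for portability.
check_ar_conf_perms() {
    f="$1"; want_grp="${2:-$OSSEC_GROUP}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")                    # $1=mode $3=owner $4=group
    mode="$1"; grp="$4"
    [ "$grp" = "$want_grp" ] || { echo "group is $grp, want $want_grp: $f"; return 1; }
    case "$mode" in
        ????r*) return 0 ;;                  # 5th char is the group read bit
        *) echo "not group-readable ($mode): $f"; return 1 ;;
    esac
}

# Usage: AR_CONF=/var/ossec/etc/shared/ar.conf sh ar_check.sh
if [ -n "${AR_CONF:-}" ]; then
    check_ar_conf_perms "$AR_CONF" && validate_entries "$AR_CONF" && list_responses "$AR_CONF"
fi
```

Run it on the server as root with `AR_CONF` pointing at the shared ar.conf; a non-zero exit and a "group is root" or "not group-readable" line reproduces the thread's condition before the chgrp, and the listing at the end should match what `agent_control -L` reports once remoted can read the file.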



[ossec-list] Re: Problem with active response in 2.7

2012-12-10 Thread Guilmxm


On Monday, 10 December 2012 11:31:10 UTC+1, carlopmart wrote:

 Hi all, 

  I am using the same active response options in one 2.6 ossec server and 
 in another 2.7 ossec server. In version 2.6 all works ok as I expect, 
 but under 2.7 it doesn't work. In both servers I have configured only 
 this active response: 

   <command> 
 <name>firewall-drop</name> 
 <executable>firewall-drop.sh</executable> 
 <expect>srcip</expect> 
 <timeout_allowed>yes</timeout_allowed> 
   </command> 

   <active-response> 
 <command>firewall-drop</command> 
 <location>all</location> 
 <level>6</level> 
 <timeout>86400</timeout> 
 <repeated_offenders>2880,4320,5760</repeated_offenders> 
   </active-response> 

 Executing agent_control on the 2.7 ossec server returns: 

 [root@ossec27 /tmp]# agent_control -L 

 OSSEC HIDS agent_control. Available active responses: 

No active response available. 

 Do I need to reconfigure something under 2.7??