Re: [ossec-list] Testing OSSEC

2016-05-11 Thread Jesus Linares
Hi,

there are several DDOS attack types: UDP/SYN/ICMP/HTTP flood, ping of 
death, etc. If these attacks do not generate a log that OSSEC can read, the 
attack will not be detected.

Try to detect the DDOS attack on your machine manually: review Apache logs, 
netstat or a specific tool to detect these types of attacks. Then we can 
send the information obtained to OSSEC and play with specific rules or 
active response to block the attack.


On Tuesday, May 10, 2016 at 8:28:21 PM UTC+2, Jiri wrote:
>
> Hi, thanks for your response. I am using XOIC and also RDOS to simulate 
> a DDOS attack but both are not working. The web UI is not detecting any 
> attack and on RDOS it looks like the software isn't even connected to the 
> server. 
>
> On Friday, May 6, 2016 at 5:45:58 PM UTC+8, Jesus Linares wrote:
>>
>> Hi Jiri,
>>
>> You can also run the command "/var/ossec/bin/agent_control -lc" to get 
>> the connected agents. Keep in mind that in order to know if an agent is 
>> connected, disconnected or never connected, OSSEC reads the modification 
>> date of the files in /var/ossec/queue/agent-info/*:
>>
>> - if there is no file for the agent, the status is never connected
>> - if the modification time of the file is less than a defined timeout, 
>>   the status is active. If it is greater, then the status is disconnected.
>>
>> The timeout is 3*NOTIFY_TIME+30; NOTIFY_TIME by default is 600 seconds.
>>
>> Regarding the rules to detect DDOS attacks, you could create something 
>> like this:
>>
>> local_rules.xml:
>>
>> <!-- The XML tags were stripped from the archived post. Rule id and level
>>      are placeholders; frequency="3" fires on the 5th match (frequency + 2),
>>      matching the explanation below. -->
>> <group name="local,">
>>   <rule id="100100" level="10" frequency="3" timeframe="300">
>>     <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>>     <same_source_ip />
>>     <description>Attacks from same source IP</description>
>>   </rule>
>> </group>
>>
>> You are saying: if one of these groups (attack, attacks or 
>> automatic_attack) has matched in the last 300 seconds more than 5 times 
>> (frequency + 2) and the events come from the same IP, it could be a DDOS 
>> attack. You can play with the variables (timeframe and frequency) or create 
>> new rules with a specific group and append it to the rule.
>>
>> Regards.
>> Jesus Linares.
>>
>>
>>
>> On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, May 5, 2016 at 2:12 PM, Jiri wrote: 
>>> > Hi, 
>>> > 
>>> > I just finished installing OSSEC on Ubuntu as a server and a Windows 
>>> > agent on another computer. How do I test if my agent is successfully 
>>> > connected to me? 
>>> > Also, can someone help me on creating rules to detect a DDoS attack 
>>> > or any attack on my server? 
>>> > 
>>>
>>> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
>>> connected agents. 
>>> Check out the rules that already exist in /var/ossec/rules. They 
>>> should be useful as a template. 
>>> If you still need help, please ask. 
>>>
>>> > Thanks, 
>>> > Regards. 
>>> > 
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
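The agent status check Jesus describes above (no agent-info file: never connected; file mtime younger than 3*NOTIFY_TIME+30: active; otherwise disconnected), as an added Python example that is not part of the thread or of OSSEC itself. It assumes the usual "<name>-<ip>" naming of the files under /var/ossec/queue/agent-info.

```python
import os
import time

NOTIFY_TIME = 600          # OSSEC default keep-alive interval, seconds
AGENT_INFO_DIR = "/var/ossec/queue/agent-info"


def agent_timeout(notify_time=NOTIFY_TIME):
    """Seconds of silence after which OSSEC reports an agent as disconnected."""
    return 3 * notify_time + 30          # 1830 s with the default NOTIFY_TIME


def agent_status(agent_file, agent_info_dir=AGENT_INFO_DIR, now=None,
                 notify_time=NOTIFY_TIME):
    """Classify one agent from its agent-info file, as described in the thread.

    agent_file is the file name under agent-info; this example assumes the
    usual "<name>-<ip>" naming (e.g. "web01-10.0.0.5").
    """
    path = os.path.join(agent_info_dir, agent_file)
    if not os.path.exists(path):
        return "never connected"         # the agent has never checked in
    now = time.time() if now is None else now
    age = now - os.stat(path).st_mtime   # seconds since the last keep-alive
    return "active" if age < agent_timeout(notify_time) else "disconnected"


def list_statuses(agent_info_dir=AGENT_INFO_DIR, now=None, notify_time=NOTIFY_TIME):
    """Status of every agent that has an agent-info file (sorted by name)."""
    return {f: agent_status(f, agent_info_dir, now, notify_time)
            for f in sorted(os.listdir(agent_info_dir))}


if __name__ == "__main__":
    # Like "agent_control -lc", but the disconnected agents are listed too.
    for name, status in list_statuses().items():
        print(f"{name}: {status}")
```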


[ossec-list] Re: Have Snort signature trigger Ossec active response...?

2016-05-11 Thread Jacob Mcgrath
I had to re-purpose my VM playground PE R900 until I get a replacement 
motherboard for my signage server, so it may take a bit until I can 
start playing with this. But it looks like there is a way to use Barnyard 
to decode alerts to a readable log format, at least from what I read.

I am referencing this: log alerts


On Tuesday, May 10, 2016 at 3:35:26 PM UTC-5, Jacob Mcgrath wrote:
>
> Is it possible to have OSSEC monitor Snort logs for certain SIDs and then 
> trigger the active response on all agents when the event occurs?
>
> Looking at reacting to Nmap and Nessus type scans on my internal network.
>
>
> I guess I would have to monitor the Security Onion server's Snort log for 
> SIDs for port scans.
>
> In the Security Onion server I have /etc/nsm/rules/local.rules 
>
>
> # look for stealth port scans/sweeps
> alert tcp any any -> any any (msg:"SYN FIN Scan"; flags: SF;sid:900;)
> alert tcp any any -> any any (msg:"FIN Scan"; flags: F;sid:901;)
> alert tcp any any -> any any (msg:"NULL Scan"; flags: 0;sid:902;)
> alert tcp any any -> any any (msg:"XMAS Scan"; flags: FPU;sid:903;)
> alert tcp any any -> any any (msg:"Full XMAS Scan"; flags: SRAFPU;sid:904;)
> alert tcp any any -> any any (msg:"URG Scan"; flags: U;sid:905;)
> alert tcp any any -> any any (msg:"URG FIN Scan"; flags: FU;sid:906;)
> alert tcp any any -> any any (msg:"PUSH FIN Scan"; flags: FP;sid:907;)
> alert tcp any any -> any any (msg:"URG PUSH Scan"; flags: PU;sid:908;)
> alert tcp any any -> any any (flags: A; ack: 0; msg:"NMAP TCP ping!";sid:909;)
>
>
>
>
> How would one write the local rules for the OSSEC server to trigger the 
> active response route-null function on agents?
>
>
> 1. Snort sees port scans and writes an alert to the log
> 2. OSSEC sees Snort's port scan alerts in the log and triggers route-null on 
> all agents.
>
> Is there a guide to setting something like this up?
>



Re: [ossec-list] Have Snort signature trigger Ossec active response...?

2016-05-11 Thread Jesus Linares
Hi Jacob,

That sounds interesting. If you need help creating decoders, rules or 
active responses for your Snort logs, paste some log samples here.


On Tuesday, May 10, 2016 at 10:41:36 PM UTC+2, Santiago Bassett wrote:
>
> That seems doable, yes. I haven't seen that done before, but theoretically 
> it should work.
>



[ossec-list] Duplicated counter

2016-05-11 Thread Abdulvehhab Agin
Hi,

Sometimes the OSSEC server says *"ERROR: Duplicated counter for"* errors, 
especially when we have mass logs; the log sending protocol is UDP, so the 
rids counters of the agent and the server are sometimes inconsistent.

When I see this error, I see the agent is inactive. After this the agent won't 
send any logs.

How can I solve this problem?

OSSEC version 2.8.3



Re: [ossec-list] OSSEC Agent EPS

2016-05-11 Thread Abdulvehhab Agin
I will try to measure it by using ossec-eps.sh, but I see it is not for a
specific agent; it is a global average for all agents. Am I right?

I think the "logall option" must be configurable in the server; it stores events
on the server, and I think the server will go down :( It has 100 agents.

When we start the OSSEC service (Windows), after 7-10 days OSSEC uses 7% CPU (i5
machine) and we see 6 GB RAM usage for svchost.exe. Is it normal?
When we stop the OSSEC server, after 7-10 days there are no RAM issues.




2016-05-11 23:25 GMT+03:00 Santiago Bassett:

> Try using this script:
>
> https://github.com/ossec/ossec-hids/blob/master/contrib/ossec-eps.sh
>
> Another option is to enable the logall option and count events in archive.log
> (you can count all events in a day and then do the math).
>
> Regarding resources, it depends on how much data the OSSEC manager/agents will
> be processing. There are no official benchmarks, so I would recommend running
> it in a pre-production environment first.
>
> I hope it helps.
>



Re: [ossec-list] OSSEC Agent EPS

2016-05-11 Thread Santiago Bassett
Try using this script:

https://github.com/ossec/ossec-hids/blob/master/contrib/ossec-eps.sh

Another option is to enable the logall option and count events in archive.log
(you can count all events in a day and then do the math).

Regarding resources, it depends on how much data the OSSEC manager/agents will
be processing. There are no official benchmarks, so I would recommend running
it in a pre-production environment first.

I hope it helps.


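Santiago's "count the events in archives.log and do the math" approach, carried out per agent (the per-agent figure Abdulvehhab notes ossec-eps.sh does not give), as an added Python example that is not part of the thread. The archives.log line layout is an assumption (OSSEC 2.8 with logall enabled) and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed archives.log layout (OSSEC 2.8, <logall>yes</logall> in ossec.conf):
#   YYYY Mon DD HH:MM:SS (agent) ip->location message   <- event from an agent
#   YYYY Mon DD HH:MM:SS hostname->location message     <- manager's own event
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<location>\S+) ")

def parse_line(line):
    """Return (timestamp, source name) for an event line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, (m.group("agent") or m.group("host"))

def eps_per_source(lines, window_seconds=None):
    """Events per second per source: count / span between first and last event
    (1 s floor); window_seconds (e.g. 86400 for a day's file) overrides the span."""
    counts, first, last = Counter(), None, None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # continuation lines, noise, etc.
            continue
        ts, source = parsed
        counts[source] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    if not counts:
        return {}
    span = window_seconds or max((last - first).total_seconds(), 1.0)
    return {source: n / span for source, n in counts.items()}

# Constructed sample, not a real archives.log.
SAMPLE = """\
2016 May 11 12:00:00 (web01) 10.0.0.5->/var/log/auth.log sshd[2201]: Accepted publickey for ops
2016 May 11 12:00:00 (web01) 10.0.0.5->/var/log/auth.log sshd[2201]: session opened for user ops
2016 May 11 12:00:05 (win01) 10.0.0.8->WinEvtLog 2016 May 11 12:00:04 WinEvtLog: Security: AUDIT_SUCCESS(4624)
2016 May 11 12:00:09 manager->/var/log/syslog CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
this line is not an event and is skipped
2016 May 11 12:00:10 (web01) 10.0.0.5->/var/log/auth.log sshd[2201]: session closed for user ops
""".splitlines()

if __name__ == "__main__":
    for source, rate in sorted(eps_per_source(SAMPLE).items()):
        print(f"{source}: {rate:.2f} events/s")
```

Run it over a full day's archives.log with window_seconds=86400 to get the daily average Santiago refers to; the spread between agents is what a global average hides.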


[ossec-list] OSSEC Agent EPS

2016-05-11 Thread Abdulvehhab Agin
Hello,


Is there a way to measure the OSSEC agent EPS count, not the alarms?

And please let me know the usage of system resources.


Thanks
