Re: [ossec-list] Re: Deploy OSSEC agent using .deb/.rpm packages in conjunction with preloaded-vars.conf (no terminal prompt configuration).

2020-07-27 Thread marcos
I thought about going that root, Alberto, but then I realized I need to 
build the package in local mode. I can write a bit about it if the 
community is interested.


I just opted to build the OSSEC package from source using a bash script 
piped into my fleet via AWS Systems Manager (for AWS Linux and Ubuntu 
18.04). It took me a while to debug it, but after some effort it deploys 
ossec flawlessly, so far.


I can share the SSM template if you want to take a look.

Thanks all for the help, and best regards.

On 7/27/20 8:55 AM, Alberto Rodriguez wrote:

Hello

  I think that is not possible out of the box. You can make a script 
that downloads the package, installs ossec, makes the changes in 
ossec.conf with sed or awk, and restarts the agent.
In this repository: https://github.com/wazuh/wazuh-packages a package 
building tool is provided. Maybe you can adapt the script in order to 
build ossec and make your own packages with your desired 
configuration; this could be a second option.


Please, let me know if I can help you with this.

Regards,
Alberto R

On Wednesday, July 8, 2020 at 8:53:24 PM UTC+2 
m...@datarecoveryandforensics.com wrote:


Hello all,

Is it possible to carry out an unattended deployment of the OSSEC
agent using .deb/.rpm in conjunction with preloaded-vars.conf? How?

Thanks in advance.

--

---
You received this message because you are subscribed to the Google 
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to ossec-list+unsubscr...@googlegroups.com 
.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/f78a929e-8267-4a2a-a1b8-b14e6687b1a3n%40googlegroups.com 
.


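An added example of the script-based route Alberto outlines, written for this page and not code from the thread, from the poster's SSM template or from the OSSEC project: install the distro package, rewrite <server-ip> in ossec.conf, restart the agent. For a source build, OSSEC's install.sh reads etc/preloaded-vars.conf instead, which write_preloaded_vars() produces. The package file names, OSSEC_HOME and the manager address are assumptions; the sample ossec.conf is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): unattended
# agent configuration after a package install, plus the preloaded-vars.conf
# a non-interactive source build reads. Paths and addresses are assumptions.
set -eu

OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"

# Install an already-downloaded .deb or .rpm without any terminal prompt.
install_agent_package() {
    pkg="$1"
    case "$pkg" in
        *.deb) DEBIAN_FRONTEND=noninteractive dpkg -i "$pkg" ;;
        *.rpm) rpm -Uvh "$pkg" ;;
        *)     echo "unsupported package: $pkg" >&2; return 1 ;;
    esac
}

# Point ossec.conf at the manager. Takes the config path as an argument so
# it can be exercised on a constructed file. The address usually arrives
# as an SSM/cloud-init parameter and ends up in a file that root-owned
# daemons parse, so only a dotted quad is accepted.
set_manager_ip() {
    conf="$1"; ip="$2"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "refusing non-IPv4 manager address: $ip" >&2; return 1; }
    tmp="${conf}.tmp.$$"
    sed "s#<server-ip>[^<]*</server-ip>#<server-ip>${ip}</server-ip>#" "$conf" > "$tmp"
    mv "$tmp" "$conf"
    # Post-condition: the element now carries exactly the requested value.
    grep -q "<server-ip>${ip}</server-ip>" "$conf"
}

# preloaded-vars.conf for a non-interactive source build. These variable
# names are the ones OSSEC's install.sh reads; USER_NO_STOP="y" is what
# suppresses the prompts.
write_preloaded_vars() {
    out="$1"; ip="$2"
    cat > "$out" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="$OSSEC_HOME"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="n"
USER_AGENT_SERVER_IP="$ip"
EOF
}

# Constructed minimal ossec.conf for the demo (a real one is much longer).
make_sample_conf() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
<ossec_config>
  <client>
    <server-ip>127.0.0.1</server-ip>
  </client>
</ossec_config>
EOF
    echo "$f"
}

# Fleet flow, only run when OSSEC_DEPLOY=1 (needs root and a package):
#   OSSEC_DEPLOY=1 sh deploy.sh ossec-hids-agent.deb 10.0.0.5
if [ "${OSSEC_DEPLOY:-0}" = "1" ]; then
    install_agent_package "$1"
    set_manager_ip "$OSSEC_HOME/etc/ossec.conf" "$2"
    "$OSSEC_HOME/bin/ossec-control" restart
fi
```

The agent still needs its key in etc/client.keys before it can talk to the manager; the thread does not cover that step, so it is left out here and has to be added (manage_agents or ossec-authd) to whatever pushes this script out.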


Re: [ossec-list] Re: Deploy OSSEC agent using .deb/.rpm packages in conjunction with preloaded-vars.conf (no terminal prompt configuration).

2020-07-27 Thread marcos

root = route :)

On 7/27/20 10:13 PM, marcos wrote:


I thought about going that root, Alberto, but then I realized I need 
to build the package in local mode. I can write a bit about it if the 
community is interested.


I just opted to build the OSSEC package from source using a bash 
script piped into my fleet via AWS Systems Manager (for AWS Linux and 
Ubuntu 18.04). It took me a while to debug it, but after some effort 
it deploys ossec flawlessly, so far.


I can share the SSM template if you want to take a look.

Thanks all for the help, and best regards.

On 7/27/20 8:55 AM, Alberto Rodriguez wrote:

Hello

  I think that is not possible out of the box. You can make a script 
that downloads the package, installs ossec, makes the changes in 
ossec.conf with sed or awk, and restarts the agent.
In this repository: https://github.com/wazuh/wazuh-packages a package 
building tool is provided. Maybe you can adapt the script in order to 
build ossec and make your own packages with your desired 
configuration; this could be a second option.


Please, let me know if I can help you with this.

Regards,
Alberto R

On Wednesday, July 8, 2020 at 8:53:24 PM UTC+2 
m...@datarecoveryandforensics.com wrote:


Hello all,

Is it possible to carry out an unattended deployment of the OSSEC
agent using .deb/.rpm in conjunction with preloaded-vars.conf? How?

Thanks in advance.





Re: [ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged

2012-02-03 Thread Marcos Tang
Hi Dan,

Refer to my previous email, I have the following findings. 

 Output from the OSSEC server:

 [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f
 /opt/syslog-ng/conf/syslog-ng.conf

 Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
 Detailed information for entries matching:
 '/opt/syslog-ng/conf/syslog-ng.conf'

 2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf

 2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
 File changed. [root@myserver ~]#


 Output from the OSSEC agent:

 root@myagent% pwd
 /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
 root@myagent% ls -arlt
 total 8
 -rw-rw-r--   1 root other   1488 Jun 28  2011 last-entry
 drwxrwx---   3 root other512 Jun 28  2011 ..
 drwxrwx---   2 root other512 Jun 28  2011 .
 root@myagent%

The syscheck_control output just lists this file only. In general, the 
syscheck_control output is different, as it will tell us whether it is a 
checksum, permission, or file size change. Now, it just lists the file without 
any explanation.

On the other hand, I log in to the OSSEC client and I can't find any record 
of a new file being detected. From my personal understanding, if a file is 
changed, a diff.XX file would be generated under 
/opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf. But I can't find 
this file.

Thanks & Regards,
Marcos


[ossec-list] Can anyone explain the syntax of the file /opt/ossec/queue/syscheck?

2012-02-29 Thread Marcos Tang
Hi,

I find my OSSEC server keeps reporting a file is changed. I checked that
file's checksum and timestamp and nothing has changed, as far as I can
tell.

When I try to see what is going on inside the file
/opt/ossec/queue/syscheck/(ossec_client) 172.30.XX.XXX - syscheck, I
find there are 2 entries related to the same object.

The first line below should be created first with a +++ at the beginning
of that line. Somehow, when the OSSEC server reports there is a change, it
creates the last line.

Can anyone explain what is the meaning of +++ and !++, and what is the
meaning of !132863#281 and !1330029335?

[root@myossec_svr syscheck]# cat (ossec_client) 172.30.XX.XXX -syscheck
+++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
!132863#281 /opt/syslog-ng/conf/syslog-ng.conf
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
!1330029335 /opt/syslog-ng/conf/syslog-ng.conf

Regards,
Marcos


Re: [ossec-list] Can anyone explain the syntax of the file /opt/ossec/queue/syscheck?

2012-02-29 Thread Marcos Tang
Hi Dan,

Thanks, and please share the meaning of those fields with me when you have a 
chance to see the source code.

Also thanks for your suggestion; I am going to remove the line having # 
and keep the last one.

Thanks & Regards,
Marcos



 From: dan (ddp) ddp...@gmail.com
To: ossec-list@googlegroups.com 
Sent: Wednesday, February 29, 2012 7:03 PM
Subject: Re: [ossec-list] Can anyone explain the syntax of the file 
/opt/ossec/queue/syscheck?
 
On Wed, Feb 29, 2012 at 12:55 AM, Marcos Tang marcos.t...@gmail.com wrote:
 Hi,

 I find my OSSEC server keeps reporting a file is changed. I checked that
 file's checksum and timestamp and nothing has changed, as far as I can
 tell.

 When I try to see what is going on inside the file
 /opt/ossec/queue/syscheck/(ossec_client) 172.30.XX.XXX - syscheck, I
 find there are 2 entries related to the same object.

 The first line below should be created first with a +++ at the beginning
 of that line. Somehow, when the OSSEC server reports there is a change, it
 creates the last line.

 Can anyone explain what is the meaning of +++ and !++, and what is the

I'd have to spend some time looking at the source, but I think it
means the file has changed once.

 meaning of !132863#281 and !1330029335?


I think those are supposed to be timestamps, but the # shouldn't be
there. I'd either delete that entry or clear the syscheck db and start
over for that host.

 [root@myossec_svr syscheck]# cat (ossec_client) 172.30.XX.XXX -syscheck
 +++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
 !132863#281 /opt/syslog-ng/conf/syslog-ng.conf
 !++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf

 Regards,
 Marcos
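An added reader for the per-agent syscheck database, written for this page and not code from the thread or the OSSEC source. Each record in queue/syscheck/ on the manager is one line of the form "<flags><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path>"; the mail client wrapped the posted records at the space before "!". The three flag characters record how many changes have been seen: "+++" first entry, "!++" changed once, "!!+" twice, "!!!" three or more, which is the "changed once" Dan reads out of "!++". The mode is the decimal st_mode (33188 is 0100644). Anything other than digits after the timestamp's "!" (the "132863#281" in the post) is a corrupted record, and the reader flags it so it can be removed as Dan suggests. The sample records are constructed: the two from the post plus one well-formed record changed twice.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): parse the manager-side
# syscheck database, re-joining records wrapped by a mail client, and
# flag records whose timestamp field is not all digits.
set -eu

parse_syscheck_db() {
    awk '
    # A checksum field alone on a line is the first half of a wrapped record.
    NF == 1 && $1 ~ /^[+!][+!][+!]/ { pending = $1; next }
    # "!<epoch> <path>" following one is its second half: glue them back.
    pending != "" && $1 ~ /^!/      { $0 = pending " " $0; pending = "" }
    NF < 3 { next }
    {
        flags   = substr($1, 1, 3)
        changes = gsub(/!/, "!", flags)      # number of "!" = changes recorded (3 = three or more)
        split(substr($1, 4), f, ":")         # size mode uid gid md5 sha1
        ts   = $2
        path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)   # keeps paths that contain spaces
        status = (ts ~ /^![0-9]+$/) ? "ok" : "BAD_TIMESTAMP"
        printf "%s changes=%d size=%s mode=%o uid=%s gid=%s md5=%s sha1=%s ts=%s %s\n", status, changes, f[1], f[2], f[3], f[4], f[5], f[6], substr(ts, 2), path
    }'
}

# Only the corrupted records, i.e. the lines to delete from the agent's db.
syscheck_db_bad_records() {
    parse_syscheck_db | grep '^BAD_TIMESTAMP' || true
}

# Constructed sample: the two records from the post as pasted (wrapped),
# plus one unwrapped record for /usr/local/bin/test1 seen changed twice.
syscheck_db_sample() {
    cat <<'EOF'
+++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
!132863#281 /opt/syslog-ng/conf/syslog-ng.conf
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
!1330029335 /opt/syslog-ng/conf/syslog-ng.conf
!!+19:33279:269378:30100:ad7dac2dc34dd91cf691847522c34ac2:b17ddaeb2775ff652df6279eebc8ef6c6f4be906 !1340957332 /usr/local/bin/test1
EOF
}

# Usage on a manager: parse_syscheck_db < "/var/ossec/queue/syscheck/(agent) 1.2.3.4->syscheck"
syscheck_db_sample | parse_syscheck_db
```

Note that both records carry the same size, mode and hashes, so the second entry is not evidence of a content change at all; what differs is only the bookkeeping prefix and the damaged timestamp of the first record.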



[ossec-list] Questions about how OSSEC works. Q1 is the time displayed by syscheck_control, Q2 is OSSEC able to detect change using cp -p option?

2012-06-30 Thread Marcos Tang
Hi,

I have 2 questions about OSSEC and I want to know your answer. 


Today, the syscheck_control -i 125 -f /usr/local/bin/test1 shows the following 
results (See background information section below).


My understanding of the syscheck_control output is 

(a) this file is initially added to the DB (first scan) at Jun 15 08:05:46. 

(b) However, this file is not found anymore on Jun 29 08:48:52.

When OSSEC tells this file is not found at Jun 29 08:48:52, what is the exact 
meaning of this time stamp? Is it the time of the next scan? Or is it the 
time the file is deleted?


Besides, if I use the command cp -p test1.bak test1, which copies back the file 
to the original location without changing the modified time, will OSSEC be able to 
detect it on the next scan?

Thanks & Regards,
Marcos

 


===

Background Information
===
(1) Inside the agent.conf file, I set the frequency of the integrity check is 
24 hours


<agent_config os="unix">

  <!-- Syscheck - Integrity Checking config. -->
  <syscheck>

    <!-- Default frequency, every 24 hours. It doesn't need to be higher
      -  on most systems and once a day should be enough.
      -->
    <frequency>86400</frequency>


(2) From the syscheck_control output, I get the following:

Integrity changes for agent 'agent123 (125) - 172.30.79.7':
Detailed information for entries matching: '/usr/local/bin/test1'

2012 Jun 15 08:05:46,0 - /usr/local/bin/test1
File added to the database. 
Integrity checking values:
   Size: 19
   Perm: rwxrwxrwx
   Uid:  269378
   Gid:  30100
   Md5:  ad7dac2dc34dd91cf691847522c34ac2
   Sha1: b17ddaeb2775ff652df6279eebc8ef6c6f4be906

2012 Jun 29 08:48:52,0 - /usr/local/bin/test1
File changed. - 1st time modified.
Integrity checking values:
   Size: 19
   Perm: rwxrwxrwx
   Uid:  269378
   Gid:  30100
   Md5:  xxx
   Sha1: xxx


 
Regards,
Marcos

Re: [ossec-list] Questions about how OSSEC works. Q1 is the time displayed by syscheck_control, Q2 is OSSEC able to detect change using cp -p option?

2012-07-17 Thread Marcos Tang
Hi Dan,

Thanks.

Regards,
Marcos

On Tue, Jul 10, 2012 at 10:12 PM, dan (ddp) ddp...@gmail.com wrote:

 On Sat, Jun 30, 2012 at 2:02 PM, Marcos Tang marcostang2...@yahoo.com
 wrote:
  Hi,
 
  I have 2 questions about OSSEC and I want to know your answer.
 
  Today, the syscheck_control -i 125 -f /usr/local/bin/test1 shows the
  following results (See background information section below).
 

 Scrolling to reference the information below then scrolling back to
 read the questions was quite annoying.

  My understanding of the syscheck_control output is
  (a) this file is initially added to the DB (first scan) at Jun 15
 08:05:46.
  (b) However, this file is not found anymore on Jun 29 08:48:52.
 
  When OSSEC tells this file is not found at Jun 29 08:48:52, what is the
  exact meaning of this time stamp? Is it the time of the next scan? Or
 is
  it the time the file is deleted?
 

 Check your logs. When does ossec.log say the scan was? Turn on the log
 all option, check for log messages about a changed file and compare
 the timestamps. I'm guessing it will be scan times, because I don't
 know of a way to find the deleted time (when realtime isn't in use).

  Besides, if I use the command cp -p test1.bak test1, which copies back the
  file to the original location without changing the modified time, will
 OSSEC
  be able to detect it on the next scan?
 

 Did the file change? If so, then yes it should catch it.

  Thanks & Regards,
  Marcos
 
 
 
 
  ===
  Background Information
  ===
  (1) Inside the agent.conf file, I set the frequency of the integrity
 check
  is 24 hours
 
  <agent_config os="unix">
 
    <!-- Syscheck - Integrity Checking config. -->
    <syscheck>
 
      <!-- Default frequency, every 24 hours. It doesn't need to be higher
        -  on most systems and once a day should be enough.
        -->
      <frequency>86400</frequency>
 
  (2) From the syscheck_control output, I get the following:
 
  Integrity changes for agent 'agent123 (125) - 172.30.79.7':
  Detailed information for entries matching: '/usr/local/bin/test1'
 
  2012 Jun 15 08:05:46,0 - /usr/local/bin/test1
  File added to the database.
  Integrity checking values:
 Size: 19
 Perm: rwxrwxrwx
 Uid:  269378
 Gid:  30100
 Md5:  ad7dac2dc34dd91cf691847522c34ac2
 Sha1: b17ddaeb2775ff652df6279eebc8ef6c6f4be906
 
  2012 Jun 29 08:48:52,0 - /usr/local/bin/test1
  File changed. - 1st time modified.
  Integrity checking values:
 Size: 19
 Perm: rwxrwxrwx
 Uid:  269378
 Gid:  30100
 Md5:  xxx
 Sha1: xxx
 
 
  Regards,
  Marcos
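An added example for both questions above, written for this page and not code from the thread or from OSSEC itself. It rebuilds the size:mode:uid:gid:md5:sha1 tuple that syscheck_control prints (mtime is not part of it) and answers the cp -p question empirically: a restored copy with different content but an identical mtime still produces a different tuple, while a byte-identical copy does not. It also pulls scan start/end times out of ossec.log, which is where Dan says to look for the timestamp a reported change carries. It assumes GNU stat and coreutils md5sum/sha1sum (Linux); the ossec.log lines are constructed samples in the daemon's usual format.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): what a syscheck scan
# compares, why cp -p does not hide a content change, and where the scan
# times live in ossec.log. Assumes GNU stat/coreutils.
set -eu

# The same fields OSSEC stores for a file. mtime is deliberately absent:
# st_mode is taken in hex from stat (%f) and converted to the decimal form
# OSSEC uses (33188 = 0100644).
file_tuple() {
    f="$1"
    set -- $(stat -c '%s %f %u %g' "$f")
    printf '%s:%d:%s:%s:%s:%s\n' "$1" "$((0x$2))" "$3" "$4" \
        "$(md5sum "$f" | cut -d' ' -f1)" "$(sha1sum "$f" | cut -d' ' -f1)"
}

# Restore test1 from test1.bak with cp -p and report whether the tuple
# changed and whether the mtime really was preserved. Mode "tampered" uses
# a backup of the same length with different content (so Size alone would
# not reveal it); mode "same" uses a byte-identical backup.
cp_p_detection() {
    mode="$1"
    d="$(mktemp -d)"
    printf 'original content\n' > "$d/test1"
    if [ "$mode" = tampered ]; then
        printf 'tampered content\n' > "$d/test1.bak"
    else
        cp "$d/test1" "$d/test1.bak"
    fi
    touch -r "$d/test1" "$d/test1.bak"      # backup carries the original mtime
    before="$(file_tuple "$d/test1")"
    mtime_before="$(stat -c %Y "$d/test1")"
    cp -p "$d/test1.bak" "$d/test1"          # the operation from the question
    after="$(file_tuple "$d/test1")"
    mtime_after="$(stat -c %Y "$d/test1")"
    rm -rf "$d"
    [ "$before" != "$after" ] && changed=yes || changed=no
    [ "$mtime_before" = "$mtime_after" ] && mtime_equal=yes || mtime_equal=no
    echo "changed=$changed mtime_equal=$mtime_equal"
}

# Scan windows from ossec.log (stdin). Without realtime monitoring, a
# "File changed" entry is dated by the scan that noticed it, so its time
# falls inside one of these windows, not at the moment of the change.
scan_windows() {
    awk '/ossec-syscheckd: INFO: Starting syscheck scan/ { start = $1 " " $2 }
         /ossec-syscheckd: INFO: Ending syscheck scan/   { print start " -> " $1 " " $2 }'
}

# Constructed ossec.log excerpt (agent side).
sample_ossec_log() {
    cat <<'EOF'
2012/06/29 08:47:55 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/06/29 08:48:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
EOF
}

cp_p_detection tampered
cp_p_detection same
sample_ossec_log | scan_windows
```

On a real agent, run scan_windows against /var/ossec/logs/ossec.log (or /opt/ossec/logs/ossec.log in the poster's layout) and compare with the syscheck_control timestamp.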



[ossec-list] ossec-remoted can't be started on OSSEC server when the number of OSSEC agents is larger than the default value

2010-12-14 Thread Marcos Tang
Hi,

I am deploying OSSEC to my working environment and I am having an issue adding 
more OSSEC agents than the default supported number.

I follow this URL 
(http://www.ossec.net/doc/faq/unexpected.html?highlight=maximum#errors-when-dealing-with-multiple-agents)
 and I re-compiled the OSSEC server and I have increased the number of 
supported 
agents to 1024. However, whenever I start the OSSEC server and the number of 
agents over the default value, I see the following errors from the ossec.log.


2010/12/10 03:04:47 ossec-remoted(4111): INFO: Maximum number of agents allowed:
 '1024'.
2010/12/10 03:04:47 ossec-remoted(1410): INFO: Reading authentication keys file.
2010/12/10 03:04:48 ossec-remoted: Unable to open agent file. errno: 24
2010/12/10 03:04:48 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids
/248'.


Since the ossec-remoted process can't be started, ALL OSSEC agents can't talk 
to my server. Once I reduce the number of OSSEC agents below the default value, 
it works fine.

Is there anyone who has hit the same problem, and how did you solve it?

My OSSEC server is installed on a Sun Solaris 8 machine. 

Best regards,
Marcos
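An added check for this failure, written for this page and not code from the thread or from OSSEC. errno 24 is EMFILE, the per-process "too many open files" limit: ossec-remoted keeps one file under queue/rids/ open per agent, so its descriptor budget has to cover the agent count plus its own sockets, keys file and log, regardless of the maximum compiled in. Agent 248 being the first to fail is consistent with a 32-bit Solaris process, where stdio (fopen) cannot use descriptors above 255. The log lines are constructed to match the post.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): name the errno in
# ossec-remoted log lines and size the descriptor budget against the
# agent count before starting the manager.
set -eu

# errno values that commonly show up in ossec.log.
errno_name() {
    case "$1" in
        2)  echo ENOENT ;;   # file missing
        13) echo EACCES ;;   # permissions on queue/rids or client.keys
        23) echo ENFILE ;;   # system-wide file table full
        24) echo EMFILE ;;   # per-process descriptor limit reached
        28) echo ENOSPC ;;
        *)  echo "errno$1" ;;
    esac
}

# Pull "errno: N" out of remoted lines on stdin and name each one.
remoted_errnos() {
    sed -n 's/.*ossec-remoted.*errno: \([0-9]*\).*/\1/p' | while read -r n; do
        echo "$n $(errno_name "$n")"
    done
}

# One rids file per agent plus a reserve for sockets, the keys file, the
# log and stdio. Returns 1 when the limit cannot hold them.
remoted_fd_budget() {
    agents="$1"; limit="$2"; reserve="${3:-32}"
    need=$((agents + reserve))
    if [ "$need" -gt "$limit" ]; then
        echo "insufficient: need>=$need, limit=$limit (raise the descriptor limit before ossec-control start)"
        return 1
    fi
    echo "ok: need>=$need, limit=$limit"
}

# Constructed excerpt matching the post.
sample_remoted_log() {
    cat <<'EOF'
2010/12/10 03:04:47 ossec-remoted(4111): INFO: Maximum number of agents allowed: '1024'.
2010/12/10 03:04:48 ossec-remoted: Unable to open agent file. errno: 24
2010/12/10 03:04:48 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/248'.
EOF
}

# Live check on a manager: keys in client.keys vs the current soft limit.
# Path is an assumption; the poster's install lives under /opt/ossec.
check_live() {
    keys="${1:-/var/ossec/etc/client.keys}"
    remoted_fd_budget "$(grep -c . "$keys")" "$(ulimit -n)"
}

sample_remoted_log | remoted_errnos
remoted_fd_budget 1024 256 || true
```

The reserve of 32 is a rough allowance; the point is that the limit must scale with the number of agents, and on a 32-bit Solaris manager the 256 stdio ceiling applies even when ulimit is raised, so a 64-bit build or a smaller agent count per manager is the practical fix.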


  

[ossec-list] Timestamp of the integrity checksum files will be updated according to frequency parameter inside the agent.conf file?

2011-11-29 Thread Marcos Tang
Hi,

I have a question about the behavior of the frequency parameter inside the 
agent.conf file.

Right now, the OSSEC agent has the agent.conf file with 
<frequency>86400</frequency> set up, or it will scan the files every 20 hours. 

One observation from the OSSEC server is that the timestamp of the output integrity 
files found at /opt/ossec/queue/syscheck/ is not updated every 20 hours. I can 
see some files were created back 1 month ago. 

If there is no file change on the OSSEC agent, will the timestamp of 
the corresponding syscheck file at the OSSEC server get updated every 20 
hours? Or will it not be updated until some changes are detected?

Remarks: The output of syscheck_control -l shows that OSSEC agent is ACTIVE 
all the time. So I think the communication between them should be ok.
 
Regards,
Marcos

[ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged

2012-02-01 Thread Marcos Tang
Hi OSSEC users and Dan


High-level background of my current setup:

- Several OSSEC servers are running on Solaris
- OSSEC agents are running on Solaris and reporting to the above OSSEC servers

- Running /opt/ossec/bin/agent_control -lc shows the agents are connecting to 
the server
- File integrity check is enabled and several configuration files are being 
monitored. One of the files being monitored is syslog-ng.conf 


My problem:

Recently I find more than one OSSEC server detects changes on this 
syslog-ng.conf file (this file is installed on all OSSEC clients). However, 
when I run the command below, it doesn't tell me what exactly is changed. I 
have also checked the file integrity myself and I also don't see anything wrong.

Output from the OSSEC server:

[root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f 
/opt/syslog-ng/conf/syslog-ng.conf

Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
Detailed information for entries matching: '/opt/syslog-ng/conf/syslog-ng.conf'

2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf

2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
File changed. [root@myserver ~]# 



Output from the OSSEC agent:
root@myagent% pwd
/opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
root@spewgp2c35% ls -arlt
total 8
-rw-rw-r--   1 root other   1488 Jun 28  2011 last-entry
drwxrwx---   3 root other    512 Jun 28  2011 ..
drwxrwx---   2 root other    512 Jun 28  2011 .
root@myagent% 


 
My questions:

Why is there no integrity change detected, but the OSSEC servers report the file is 
changed? 


Regards,
Marcos

[ossec-list] Re: ossec-hid, configuration for gmail smtp server (email alerts) related question

2009-02-05 Thread Marcos Neves
Yes, OSSEC-HIDS does not support Gmail because of TLS plus email authentication. A
solution I use is to install an email relay and configure it to send using Gmail.
Works like a charm! :)

Marcos Neves
+55 44 3263-8132
+55 44 9918-8488


On Thu, Feb 5, 2009 at 3:00 PM, cnk lists.canuck...@gmail.com wrote:


 Hey Arthur,

 This has come up before.  The solution was to use this smtp server and
 make sure your ISP isn't blocking outbound smtp traffic:

 <smtp_server>alt2.gmail-smtp-in.l.google.com.</smtp_server>

 Cheers,

 cnk

 On Thu, Feb 5, 2009 at 11:23 AM, Arthur R crowstr...@hotmail.com wrote:
  I have compiled ossec-hid here on my Ubuntu box.  It asked for email
  notification, i selected yes.  I entered my gmail address, and it seemed
 to
  have auto detected a default gmail smtp server for email reporting.  it
 did
  not however, prompt for a password for smtp sending.  I am unsure if a
  password is necessary for the sending of SMTP gmail, however, i'd rather
 not
  wait until its too late to find out.  also, i dont have a sendmail daemon
 on
  its system.  I assumed that since it detected gmail smtp, that perhaps,
 it
  might be able to simply, send the mail.  perhaps i need clarification on
  this too.
 
  thanks so much.
 
 
 
  



[ossec-list] Re: client port

2008-02-11 Thread Marcos Aurelio Rodrigues
Read the FAQ, I think it will help you.

http://www.ossec.net/wiki/index.php/Errors:AgentCommunication

-- 

Marcos Aurelio Rodrigues (DEiGrAtiA-33)
[EMAIL PROTECTED]
CCNA, MCSO
Mirabilia laudo semprer, Dei



On Feb 11, 2008 3:23 AM, Herb Steck [EMAIL PROTECTED] wrote:

  What port(s) does the client use to talk to the server?  I need to load
 the client onto some servers in my DMZ and need them to talk to the ossec
 server.



 Thanks



[ossec-list] Apache log analysis program

2014-02-28 Thread Marcos M Garcia
I have an OSSEC client and server.

Both of them have connectivity, and the agent is sending alerts to the 
server when, for example, an FTP attack is detected.

While performing several tests (sniffing traffic), I've seen that the agent 
sends alerts to the server when a web attack is detected, but the server 
never sends the corresponding email, and the alert is not recorded on the 
server's log.

Can anyone please help me?
