Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Mathew Habicht
Here is one way

5- Installing the system
 - Running the Makefile
mksh: Fatal error: Cannot load command `/usr/ccs/bin': Bad file number
Current working directory /export/ossec-hids-2.8.1/src
*** Error code 1
make: Fatal error: Command failed for target `all'

 Error 0x5.
 Building error. Unable to finish the installation.
 
Here is another way.
5- Installing the system
 - Running the Makefile

 *** Making zlib (by Jean-loup Gailly and Mark Adler)  *** 
cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/


 *** Making cJSON (by Dave Gamble)  *** 
cp -pr cJSON.h ../../headers/
cp -pr libcJSON.a ../


 *** Making Lua 5.2 (by team at PUC-Rio in Brazi)  *** 
 Copyright © 1994–2014 Lua.org, PUC-Rio.
cd src && make solaris
make all SYSCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN" SYSLIBS="-ldl"



 *** Making os_xml *** 

`os_xml.a' is up to date.


 *** Making os_regex *** 

`os_regex.a' is up to date.


 *** Making os_net *** 

`os_net.a' is up to date.


 *** Making os_crypto *** 

cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT 
 -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c 
bf_skey.c bf_enc.c
/usr/ucb/cc:  language optional software package not installed
*** Error code 1
make: Fatal error: Command failed for target `bf'
Current working directory /export/ossec-hids-2.8.1/src/os_crypto/blowfish
*** Error code 1
make: Fatal error: Command failed for target `os_crypto'
Current working directory /export/ossec-hids-2.8.1/src/os_crypto

Error Making os_crypto
*** Error code 1
make: Fatal error: Command failed for target `all'

 Error 0x5.
 Building error. Unable to finish the installation.


On Monday, June 26, 2017 at 2:16:59 PM UTC-4, Eero Volotinen wrote:
>
> Hi,
>
> Please give error messages.
>
> Eero

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Eero Volotinen
Do you have a compiler installed on the system?

Eero




Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Mathew Habicht
# gcc --version
gcc (GCC) 4.7.2
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# cc --version
/usr/ucb/cc:  language optional software package not installed



On Monday, June 26, 2017 at 3:25:45 PM UTC-4, Eero Volotinen wrote:
>
> Is the cc / gcc command in your path?
>
> What is the output of the following commands: cc --version and gcc --version?
>
> Eero



[ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Mathew Habicht

I am attempting to install OSSEC 2.8.1 on a Sparc Solaris 9 server, but I am
having compiler issues and the install will not complete. Are there
instructions that are specific to installing on Solaris 9? I have found all
the errors I am seeing but all the resolutions are for Solaris 10.

Thanks for the help.



Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Mathew Habicht
Yes, I added 4 packages. 1-GCC and 3-LIB

On Monday, June 26, 2017 at 3:06:33 PM UTC-4, Eero Volotinen wrote:
>
> Do you have a compiler installed on the system?
>
> Eero



Re: [ossec-list] OSSEC install on Solaris 9

2017-06-26 Thread Eero Volotinen
So, you are using the Sun compiler instead of gcc; just fix that issue.

On 26.6.2017 at 10.32 PM, "Mathew Habicht" wrote:

> # gcc --version
> gcc (GCC) 4.7.2
> Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.  There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> # cc --version
> /usr/ucb/cc:  language optional software package not installed

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-26 Thread Jesus Linares
What is the output of ossec-logtest?

Once you have a rule for that event, you can create an active response.

Regards.

On Sunday, June 25, 2017 at 12:06:23 AM UTC+2, Fredrik Hilmersson wrote:
>
> I spoke too early, still getting spammed ...
>
> On Saturday 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>>
>> Thank you!
>>
>> On Saturday 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson wrote:
>>> > Hello, 
>>> > 
>>> > so recently I got spammed by this vulnerability scanner. 
>>> > The HEAD is always the same, in regards to the $user_agent, Jorgee 
>>> > 
>>> > ** Alert 1498324205.1278330: - web,accesslog, 
>>> > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log 
>>> > Rule: 31101 (level 5) -> 'Web server 400 error code.' 
>>> > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD 
>>> > http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee 
>>> > 
>>> > So I'm wondering if anyone has a good idea or rule for how to block/ban
>>> > these attempts?
>>> > 
>>> > Kind regards, 
>>> > Fredrik 
>>> > 
>>>
>>> Possibly something like:
>>> <!-- element tags reconstructed; the rule id and level were not preserved
>>>      in the archived message -->
>>> <rule id="..." level="...">
>>>   <decoded_as>nginx-errorlog</decoded_as>
>>>   <match>Jorgee$</match>
>>>   <description>Jorgee is loud</description>
>>> </rule>
>>>
>>>



Re: [ossec-list] Passing entire log line to Active Response script - how?

2017-06-26 Thread Jesus Linares
Hi,

active response only accepts *user* and *srcip* as arguments. So, you need
to create a decoder to extract the log as user or srcip. I'm not sure if
this regex will work: "^(\.+)$".

I hope it helps.

On Sunday, June 25, 2017 at 7:06:31 PM UTC+2, dan (ddpbsd) wrote:
>
>
>
> On Jun 25, 2017 1:05 PM, "Guy Or" wrote:
>
> Hello,
>
> I am writing decoders, rules and scripts that monitor my uwsgi application.
>
> Say that I write a decoder for a certain event that appears in the log, 
> and that triggers a rule I wrote for it (using 'decoded_as').
>
> How do I pass the entire log line to my custom active response script, so
> that I can use the information in the logic of the script?
>
> FYI : I am using ossec and zabbix in conjunction, right now I detect and 
> parse events with ossec real time log monitoring and send the information 
> to zabbix trappers. Works wonderfully
>
>
> Decode the entire log message as ?
>
>

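A receiving-side active-response script for the approach Jesus describes (an added example, not OSSEC's code or any poster's): OSSEC starts the script with positional arguments in the order the stock scripts such as firewall-drop.sh read them (action, user, srcip, then alert id and rule id), and with the decoder trick the user argument carries the entire log line, which the script parses as untrusted input rather than handing to a shell. Assumptions: the uwsgi request-log layout, the regex, the sample line and the output path are mine.

```python
#!/usr/bin/env python
"""Custom OSSEC active-response script receiving a whole log line as "user".

Argument order, as the stock OSSEC scripts read it:
    argv[1] = action ("add" or "delete"), argv[2] = user, argv[3] = srcip,
    argv[4] = alert id, argv[5] = rule id  (anything after that is ignored here).
"""
import json
import re
import sys

# Constructed uwsgi request-log line (assumption: default uwsgi request logging);
# 192.0.2.20 is an RFC 5737 documentation address.
SAMPLE_LINE = ("[pid: 4242|app: 0|req: 17/17] 192.0.2.20 () {38 vars in 611 bytes} "
               "[Mon Jun 26 10:12:05 2017] POST /login => generated 21 bytes in "
               "7 msecs (HTTP/1.1 401) 3 headers in 102 bytes (1 switches on core 0)")

UWSGI_RE = re.compile(
    r"\] (?P<client>\S+) \(\) \{\d+ vars in \d+ bytes\} \[[^\]]+\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+) => generated \d+ bytes in "
    r"(?P<msecs>\d+) msecs \(HTTP/[\d.]+ (?P<status>\d{3})\)"
)

# Hypothetical output file for the parsed records (not an OSSEC path).
OUTPUT_PATH = "/var/ossec/logs/uwsgi-ar-records.log"


def parse_ar_argv(argv):
    """Map OSSEC's positional arguments to names; missing trailing args become '-'."""
    tail = list(argv[1:6])
    tail += ["-"] * (5 - len(tail))
    action, user, srcip, alert_id, rule_id = tail
    if action not in ("add", "delete"):
        raise ValueError("unexpected action: %r" % action)
    # With the whole-line decoder, "user" is the log line, not an account name.
    return {"action": action, "log": user, "srcip": srcip,
            "alert_id": alert_id, "rule_id": rule_id}


def parse_uwsgi_line(line):
    """Pull the request fields out of a uwsgi log line; None if it is not one."""
    m = UWSGI_RE.search(line)
    if not m:
        return None
    return {k: (int(v) if k in ("msecs", "status") else v)
            for k, v in m.groupdict().items()}


def handle(argv):
    """Return the record this response acts on; None on the 'delete' call."""
    args = parse_ar_argv(argv)
    if args["action"] != "add":
        return None
    # The line was written by whoever sent the request: it is parsed with a
    # regex and serialised as data, never interpolated into a shell command.
    return {"rule_id": args["rule_id"], "alert_id": args["alert_id"],
            "request": parse_uwsgi_line(args["log"]), "raw": args["log"]}


if __name__ == "__main__":
    record = handle(sys.argv)
    if record is not None:
        with open(OUTPUT_PATH, "a") as fh:
            fh.write(json.dumps(record) + "\n")
```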


Re: [ossec-list] ossec on cent os 7

2017-06-26 Thread Jesus Linares
Hi,

keep in mind that the previous link is for OSSEC 2.8.2 and the latest
release is v2.9.1. I recommend you install OSSEC from packages; here you can
find the packages for OSSEC 2.8.3 (we are working on the new packages for
OSSEC 2.9.1).

On the other hand, I encourage you to take a look at Wazuh; here you can
find a guide for RPM based distributions.

I hope it helps.
Regards.

On Sunday, June 25, 2017 at 8:37:58 PM UTC+2, PG@Wazuh wrote:
>
> Detailed instructions on vultr.com:
>
> https://www.vultr.com/docs/how-to-install-ossec-hids-on-a-centos-7-server
>
> Regards.
> —PG
> IT Security Engineer
> Wazuh Inc.
> Unix, BASIC, C, PASCAL, APL, ADA, and PROFANITY spoken here.
>
>
> On Jun 24, 2017, at 7:23 PM, satvi...@gmail.com wrote:
>
> how to install ossec on centos 7?
>



Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-26 Thread Fredrik Hilmersson
Hello Jesus,

So, I think I've got the rule to work.

1. Rule:

<!-- element tags reconstructed; id and level are as reported in the
     logtest output below -->
<rule id="100205" level="0">
  <if_sid>31101</if_sid>
  <decoded_as>web-accesslog</decoded_as>
  <match>Jorgee$</match>
  <description>Jorgee vulnerability scanner</description>
</rule>

2. Logtest output:

SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ 
HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee

**Phase 1: Completed pre-decoding.
full event: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD 
http://HOSTIP:80/phpmyadmin4/ 
HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'

  hostname: 'agent-id'
 program_name: '(null)'
 log: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD 
http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'

**Phase 2: Completed decoding.

  decoder: 'web-accesslog'
  srcip: 'SRCIP'
  url: 'http://HOSTIP:80/phpmyadmin4/'
  id: '404'

**Phase 3: Completed filtering (rules).

  Rule id: '100205'
  Level: '0'
  Description: 'Jorgee vulnerability scanner'

Kind regards,
Fredrik

On Monday 26 June 2017 at 10:48:16 UTC+2, Jesus Linares wrote:
>
> What is the output of ossec-logtest?
>
> Once you have a rule for that event, you can create an active response.
>
> Regards.

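The rule and logtest output above, replayed in Python over constructed nginx access-log lines (an added example, not OSSEC's code or the poster's): a simplified stand-in for the web-accesslog decoder yields srcip, url and id, rule 31101 stands for the web 4xx parent, and the child rule applies `Jorgee$` to the raw line, collecting the source addresses an active response would receive. Assumptions: the decoder regex is my own, the addresses are RFC 5737 documentation ranges, and the fourth line carries nginx's closing quote after the user agent to show that the end-anchored match does not cover it.

```python
import re

# Constructed nginx access-log lines in the default "combined" format; the
# addresses are RFC 5737 documentation ranges, not real clients or hosts.
SAMPLE_LINES = [
    '192.0.2.10 - - [26/Jun/2017:08:38:43 +0200] "HEAD http://203.0.113.5:80/'
    'phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee',
    '192.0.2.11 - - [26/Jun/2017:08:39:01 +0200] "GET /index.html HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"',
    '192.0.2.12 - - [26/Jun/2017:08:39:20 +0200] "GET /missing HTTP/1.1" '
    '404 0 "-" "curl/7.52.1"',
    '192.0.2.13 - - [26/Jun/2017:08:40:02 +0200] "HEAD http://203.0.113.5:80/'
    'sql/phpmyadmin2/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
]

# Simplified stand-in for OSSEC's web-accesslog decoder (assumption: the real
# decoder's regex is different, but it yields the same srcip/url/id fields that
# the ossec-logtest output above shows).
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) '
)

# The child rule's "Jorgee$": OSSEC anchors $ to the end of the raw log line.
JORGEE_END = re.compile(r"Jorgee$")


def decode_access_log(line):
    """Decoded fields for one line, or None when the decoder would not fire."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    return {"srcip": m.group("srcip"), "url": m.group("url"), "id": m.group("id")}


def evaluate(line):
    """Emulate the rule chain from the thread: 31101 (web 4xx), then 100205."""
    ev = decode_access_log(line)
    if ev is None:
        return None            # not decoded as web-accesslog: no web rule applies
    if not ev["id"].startswith("4"):
        return None            # parent rule 31101 only fires on 4xx responses
    rule = 31101
    if JORGEE_END.search(line):  # child: if_sid 31101 and the raw line matches Jorgee$
        rule = 100205
    return {"rule": rule, "srcip": ev["srcip"], "url": ev["url"]}


def srcips_to_block(lines):
    """Source addresses the child rule would hand to an active response (srcip)."""
    hits = (evaluate(line) for line in lines)
    return sorted({h["srcip"] for h in hits if h and h["rule"] == 100205})


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line))
    print("srcip for active response:", srcips_to_block(SAMPLE_LINES))
```

OSSEC treats a rule at level 0 (the level the logtest reports for 100205) as an ignore rule and neither alerts on it nor runs an active response for it, so a rule meant to drive a block needs a level of 1 or higher.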


Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-26 Thread Jesus Linares
Good job.

Also, you can block the IP using active response.

Regards.
