[ossec-list] About the user login/login failed alert

2017-06-28 Thread azol
Hello,
I've set up the OSSEC server and agent on my serverS (server) and
serverA (agent), but when I log in to serverA I do not receive an email
alert; if I change something on serverA, I do receive one. So my question
is: how do I get an email alert when someone logs in to the system, e.g.
via ssh or ftp?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Integration with MS SCCM

2017-06-28 Thread Irshad Rahimbux
Dear Team,

I would like to integrate Microsoft SCCM with OSSIM.

All configuration has been done in ms-sccm.cfg (which was already
available).

Logs are coming to /var/log/alienvault/agent.log but not
to /var/ossec/logs/alerts/alerts.log.

Any idea why, and what I am doing wrong?

Kindly advise.

Rgds.



[ossec-list] Re: About the user login/login failed alert

2017-06-28 Thread azol
Hi,

I set the email notify level to 3 and tried to log in to serverA through
ssh. It works; I receive the email alert.

Thank you!

And I have another question: I want to block the user's IP when the user
fails to log in more than 3 times with ssh. I use rule 5712, but it did
not work; I tried failing to log in more than 10 times and it still does
not block me.
Here is my active-response in ossec.conf:

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <level>8</level>
    <timeout>120</timeout>
    <repeated_offenders>60,120,180</repeated_offenders>
  </active-response>

Here are my 5710 and 5712 rule definitions:

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>

  <rule id="5711" level="0">
    <if_sid>5700</if_sid>
    <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
    <match>input_userauth_request: invalid user|</match>
    <match>PAM: User not known to the underlying authentication module for illegal user|</match>
    <match>error retrieving information about user</match>
    <description>sshd: Useless/Duplicated SSHD message without a user/ip.</description>
  </rule>

  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>sshd: brute force trying to get access to the system.</description>
    <same_source_ip />
    <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>
> Hi,
>
> The email notification is triggered when an alert reaches or exceeds the 
> level defined in <email_alert_level> (by default it is set to level 7); 
> setting this option to level 3 will send you email notifications for 
> successful login attempts.
>
> email_alert_level option reference:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
> Rules classification:
> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html
>
> I hope this could help you
>
> Best regards.
>
> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com 
> wrote:
>>
>> Hello,
>> I've set up the OSSEC server and agent on my serverS (server) and
>> serverA (agent), but when I log in to serverA I do not receive an email
>> alert; if I change something on serverA, I do receive one. So my question
>> is: how do I get an email alert when someone logs in to the system, e.g.
>> via ssh or ftp?
>>
>



Re: [ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread dan (ddp)
On Wed, Jun 28, 2017 at 12:21 PM, Guy Or wrote:
>> It doesn't work, a real shame... It will only work if you don't have spaces
>> in your log line.
>
>   This is really really really annoying lol... all that is needed is to wrap
> the argument (the log line, with spaces and all sorts of characters) in ' '
> when you pass it to the active response script (works when I manually run
> it), but I as a user cannot do that, it's OSSEC's code. Also, why limit the
> arguments to srcip and user? What are the other parameters for (extra_data
> etc.)? Just logging it seems, and some rule filtering, which kills the level
> of logic you can have in the active response script.
>
>
> Maybe in ossec 3...

You can submit a pull request at https://github.com/ossec/ossec-hids
Thanks a lot!




[ossec-list] Re: About the user login/login failed alert

2017-06-28 Thread miguelangel
Hi,

The email notification is triggered when an alert reaches or exceeds the
level defined in <email_alert_level> (by default it is set to level 7);
setting this option to level 3 will send you email notifications for
successful login attempts.

email_alert_level option reference:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
Rules classification:
http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html

I hope this could help you.

Best regards.

On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com 
wrote:
>
> Hello,
> I've set up the OSSEC server and agent on my serverS (server) and
> serverA (agent), but when I log in to serverA I do not receive an email
> alert; if I change something on serverA, I do receive one. So my question
> is: how do I get an email alert when someone logs in to the system, e.g.
> via ssh or ftp?
>



[ossec-list] Re: Treat Multiple Files as One

2017-06-28 Thread Jesus Linares
Hi Eric,

> Right now, I believe OSSEC is only able to correlate multiple failed logins
> if they all happen to show up in only 1 of the log files

That is not correct. The rules are based on the content of a log, not on
its source.

Pay attention to the following rules:

  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>

It is looking for the strings "illegal user" or "invalid user" in an ssh
log. When is it an ssh log? When it is decoded as ssh:

  <decoder name="sshd">
    <program_name>^sshd</program_name>
  </decoder>

...

Usually, there are no checks for the source of an event.

I hope it helps.
Regards.

On Tuesday, June 27, 2017 at 5:47:05 PM UTC+2, Eric wrote:
>
> I'm using OSSEC in a slightly untraditional way, as a pseudo SIEM. I have it
> running on 1 server and it's parsing through logs that are coming from
> multiple sources and then alerting me on what is going on. Overall this has
> worked fine, but now I'm needing to spread out the load and the logs are
> being written to multiple files. Is there a way to tell OSSEC to treat 5
> separate log files as the same source?
>
> The use case I have is file1.log, file2.log, file3.log, file4.log, and
> file5.log are all load balanced across an F5 VIP. So if you have
> multiple failed logins from user1 on server1, those failed logins could
> show up in any of the 5 log files. Right now, I believe OSSEC is only able
> to correlate multiple failed logins if they all happen to show up in only 1
> of the log files.
>



[ossec-list] Re: Block ssh user ip after failed login attempt in OSSEC

2017-06-28 Thread Jesus Linares
Hi,

the frequency attribute specifies the number of times (+2) the rule must
have matched before firing. In this case, rule 5720 will fire once rule
5716 has fired 8 times (6+2).

You must use frequency="1" to fire the rule after 3 attempts. Also, it is
a good idea to add the timeframe attribute.

I hope it helps.
Regards.

On Wednesday, June 28, 2017 at 10:09:56 AM UTC+2, Rahul Tiwari wrote:
>
> I need to block the user IP after 3 failed login attempts in OSSEC. I
> tried the below in the sshd_rules file:
>
> <rule id="5720" level="10" frequency="6">
>   <if_matched_sid>5716</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple SSHD authentication failures.</description>
>   <group>authentication_failures,</group>
> </rule>
>
> But it's blocking the user IP after 10 attempts, please help me out.
>

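The counting behaviour Jesus describes, as an added example that is not OSSEC code: a small Python model of how a composite rule with if_matched_sid, same_source_ip, frequency and timeframe counts events, following the documented behaviour that frequency="N" fires on the (N+2)th matching event from one source IP inside the timeframe. It serves both this thread (5716 feeding 5720) and the 5710/5712 active-response thread above, since a composite rule counts only events matched by its if_matched_sid rule: a failed login that matched 5716 never advances 5712, which correlates 5710. Where an event came from (which file or agent) plays no part in the count, which is also the point made in the "Treat Multiple Files as One" thread. The class and function names, the 192.0.2.x / 198.51.100.x addresses (documentation ranges) and the timestamps are constructed for the demo; the rule ids are the stock sshd_rules.xml ids.

```python
"""Model of OSSEC composite-rule counting: if_matched_sid, same_source_ip,
frequency and timeframe.  Added illustration, not OSSEC code.  It follows
the documented behaviour that frequency="N" makes the rule fire on the
(N + 2)th matching event from one source IP within `timeframe` seconds."""
from collections import defaultdict, deque


class CompositeRule:
    """A rule such as 5720 that counts events matched by a lower rule (5716)."""

    def __init__(self, rule_id, if_matched_sid, frequency, timeframe=None):
        self.rule_id = rule_id
        self.if_matched_sid = if_matched_sid
        self.needed = frequency + 2          # the documented "+2" offset
        self.timeframe = timeframe           # seconds; None = no window
        self._window = defaultdict(deque)    # same_source_ip: srcip -> timestamps

    def feed(self, sid, srcip, ts):
        """Feed one event; return the rule id when the rule fires, else None.

        Only events matched by if_matched_sid count: a failure that hit
        rule 5716 does nothing for a rule that correlates 5710.  Which file
        or agent the event came from is not part of the key."""
        if sid != self.if_matched_sid:
            return None
        window = self._window[srcip]
        window.append(ts)
        if self.timeframe is not None:
            while ts - window[0] > self.timeframe:   # expire old attempts
                window.popleft()
        if len(window) >= self.needed:
            window.clear()   # assumption of this model: restart the count after firing
            return self.rule_id
        return None


def attempt_that_fires(frequency, timeframe, attempts, spacing=1, srcip_of=None):
    """Replay `attempts` events matched by rule 5716, one every `spacing`
    seconds, and return the 1-based attempt on which 5720 fires (None if never)."""
    rule = CompositeRule(5720, 5716, frequency, timeframe)
    for n in range(1, attempts + 1):
        srcip = srcip_of(n) if srcip_of else "192.0.2.10"
        if rule.feed(5716, srcip, (n - 1) * spacing) == 5720:
            return n
    return None


if __name__ == "__main__":
    # frequency="6" (the stock value) with timeframe="120": fires on attempt 8
    print(attempt_that_fires(6, 120, 20))
    # frequency="1" as suggested on the list: fires on attempt 3
    print(attempt_that_fires(1, 120, 20))
    # one failure every 70 s never keeps three inside a 120 s window
    print(attempt_that_fires(1, 120, 20, spacing=70))
    # same_source_ip: two hosts alternating are counted separately
    two = ("198.51.100.1", "198.51.100.2")
    print(attempt_that_fires(1, 120, 20, srcip_of=lambda n: two[n % 2]))
    # events from the wrong rule never advance the count (5712 correlates 5710)
    print(CompositeRule(5712, 5710, 6, 120).feed(5716, "192.0.2.10", 0))
```

The slow-attacker case is the one to keep in mind when adding timeframe: one failure every 70 seconds never has three attempts inside a 120 second window, so a tighter timeframe trades fewer false positives for a blind spot that a patient brute forcer can sit in.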


[ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread Jesus Linares
Hi,

you are totally right. Active response configuration should allow any
field: srcip, user, port, dynamic fields, etc. It is in the Wazuh roadmap.

> It doesn't work, a real shame... It will only work if you don't have spaces
> in your log line.

Could you share your log and your decoders?

Thanks.
Regards.


On Wednesday, June 28, 2017 at 6:21:57 PM UTC+2, Guy Or wrote:
>
> It doesn't work, a real shame... It will only work if you don't have spaces
>> in your log line.
>>
>   This is really really really annoying lol... all that is needed is to
> wrap the argument (the log line, with spaces and all sorts of
> characters) in ' ' when you pass it to the active response script (works
> when I manually run it), but I as a user cannot do that, it's OSSEC's
> code. Also, why limit the arguments to srcip and user? What are the other
> parameters for (extra_data etc.)? Just logging it seems, and some rule
> filtering, which kills the level of logic you can have in the active
> response script.
>
>
> Maybe in ossec 3...



[ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread Guy Or

> It doesn't work, a real shame... It will only work if you don't have spaces
> in your log line.

  This is really really really annoying lol... all that is needed is to
wrap the argument (the log line, with spaces and all sorts of
characters) in ' ' when you pass it to the active response script (works
when I manually run it), but I as a user cannot do that, it's OSSEC's
code. Also, why limit the arguments to srcip and user? What are the other
parameters for (extra_data etc.)? Just logging it seems, and some rule
filtering, which kills the level of logic you can have in the active
response script.


Maybe in ossec 3...

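One way around the argument problem Guy describes, as an added example that is not OSSEC's own code: rather than relying on execd to pass the log line as an argument, an active response script can take the alert id, which OSSEC passes as its fourth argument (after action, user and srcip, the order used by the stock scripts in active-response/bin), and read the complete alert, original log line included, back out of alerts.log. The alerts.log excerpt and the argv used in the demo are constructed; parse_alerts, resolve and resolve_with_retry are names chosen here, not OSSEC APIs.

```python
"""Recover the full alert behind an active response from alerts.log.
Added example, not an OSSEC script.  OSSEC runs active-response scripts as
  script <action> <user> <srcip> <alert_id> <rule_id> <agent> <filename>
(the order used by the stock scripts in active-response/bin); execd does not
hand over the log line itself, so the script fetches it by alert id."""
import time

ALERTS_LOG = "/var/ossec/logs/alerts/alerts.log"
FIELD_PREFIXES = ("Src IP: ", "User: ")   # optional lines before the raw log

# Constructed alerts.log excerpt (two alerts) used for the stand-alone demo.
SAMPLE_ALERTS_LOG = """\
** Alert 1498668000.12345: - syslog,sshd,authentication_failed,
2017 Jun 28 18:00:00 (serverA) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: deploy
Jun 28 18:00:00 serverA sshd[2048]: Failed password for deploy from 192.0.2.10 port 51234 ssh2

** Alert 1498668060.12390: mail  - syslog,sshd,authentication_failures,
2017 Jun 28 18:01:00 (serverA) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
User: deploy
Jun 28 18:01:00 serverA sshd[2061]: Failed password for deploy from 192.0.2.10 port 51240 ssh2
"""


def parse_alerts(text):
    """Split alerts.log text into {alert_id: {...}}; blank lines separate alerts."""
    alerts = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[0].startswith("** Alert "):
            continue
        alert_id = lines[0][len("** Alert "):].split(":", 1)[0]
        fields, i = {}, 3           # lines[1]: time/agent/location, lines[2]: "Rule: ..."
        while i < len(lines) and lines[i].startswith(FIELD_PREFIXES):
            key, _, value = lines[i].partition(": ")
            fields[key] = value
            i += 1
        alerts[alert_id] = {
            "location": lines[1],
            "rule_id": int(lines[2].split()[1]),
            "fields": fields,
            "log": lines[i:],       # the original event line(s), spaces and all
        }
    return alerts


def resolve(argv, alerts_text):
    """Return the alert named by argv[4] (OSSEC's alert_id argument), or None."""
    if len(argv) < 5:
        raise SystemExit("usage: action user srcip alert_id [rule_id agent filename]")
    return parse_alerts(alerts_text).get(argv[4])


def resolve_with_retry(argv, path=ALERTS_LOG, tries=3, delay=0.5):
    """resolve() against the real file, retrying briefly in case the alert
    is not yet readable when execd starts the script."""
    for _ in range(tries):
        with open(path) as fh:
            alert = resolve(argv, fh.read())
        if alert is not None:
            return alert
        time.sleep(delay)
    return None


if __name__ == "__main__":
    # constructed argv in the shape execd would pass; real use: resolve_with_retry(sys.argv)
    demo_argv = ["ar.py", "add", "deploy", "192.0.2.10", "1498668000.12345"]
    alert = resolve(demo_argv, SAMPLE_ALERTS_LOG)
    print(alert["rule_id"], alert["fields"], alert["log"][0])
```

Two caveats a practitioner would want. This only works where alerts.log exists, that is for responses with <location>local</location> or server-side responses; an agent running the script has no alerts.log. And the script should treat the recovered log line as untrusted data: it was written by whoever triggered the alert, so it must never be interpolated into a shell command, which is exactly the quoting trap Guy ran into.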


[ossec-list] Block ssh user ip after failed login attempt in OSSEC

2017-06-28 Thread Rahul Tiwari
I need to block the user IP after 3 failed login attempts in OSSEC. I
tried the below in the sshd_rules file:

  <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

But it's blocking the user IP after 10 attempts, please help me out.
