The second of my two cents concerns the ability to restart all agents
from the central server.
A basic functionality, but I understand the risk that goes with it.
It is a simple request, but not from an architectural or security
view.
However, since we do propose a centralised
For me, the most defying discredit to OSSEC is the loss of alerts in
the high-availability solution.
I am trying to defend OSSEC in face of management,
but it is really hard when OSSEC comes with a default blackout of 30
minutes.
Following the description for a multi-server architecture, the
Hey, thanks for pointing this out. I'll try this version as soon as possible
and report here how it works.
btw, hp-ux version is 11.23 on ia64 (if needed, I could check it on 11.31
but it's a bit harder :)
cheers,
marco
On Wed, Oct 20, 2010 at 2:53 PM, dan (ddp) ddp...@gmail.com wrote:
Hi Dan,
my test config is very short
I have now changed <agent_config> to <agent_config os="Linux">
Now it works
<agent_config os="Linux">
<syscheck>
<directories check_all="yes">/boot</directories>
<ignore>/etc/dhcpd.conf</ignore>
<ignore>/var/log/mail.info</ignore>
<ignore>/var/log/mail.warn</ignore>
Let's think about the actual attack vectors and hallmarks of an attack.
What happens when a host is attacked? What is the usual sequence of
events that takes place? How can OSSEC effectively detect these while
keeping the noise down?
--
Michael Starks
[I] Immutable Security
For those that get bombarded with alerts when patching:
http://www.immutablesecurity.com/index.php/2010/10/21/2woo-taming-syscheck/
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Seconded, we're in the same boat; the auditors don't like that alerts are not
resent should the ossec server be unreachable. We didn't bother detailing
everything else, as far as they know it's realtime alerting :)
-rich
On Thu, Oct 21, 2010 at 2:35 AM, spacekiwi spacekiwi...@gmail.com wrote:
back. I did a fresh installation on a hp-ux 11.23 box with the snapshot you
suggested and it seems to work pretty well.
i mean, no socket busy error at all. same for the old hp-ux server with
problems: I updated the agent and now it's working properly.
if you need any help to test some patch on
Hi list,
the server was already connected and there is no firewall.
I still can't connect agent and server, but why?
2010/10/21 13:36:39 ossec-agentd: INFO: Trying to connect to server (192.168.2.11:1514).
2010/10/21 13:37:00 ossec-agentd(4101): WARN: Waiting for server reply (not started).
On 10/21/2010 08:36 AM, Michael Starks wrote:
For those that get bombarded with alerts when patching:
http://www.immutablesecurity.com/index.php/2010/10/21/2woo-taming-syscheck/
Decoders Unite! All about decoders -
OSSEC tries to bind to the port and checks the output of netstat and
compares the results. If they don't match up it reports it.
This could be a sign that a process had bound to a port when it
checked the first part, and the process was dead when it tried the
second check.
It could also mean that
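A simplified version of that two-step check in Python, added here as an illustration and not OSSEC's rootcheck code: it tries to bind each port, parses netstat -an, and reports ports that refused the bind but are absent from the listing. The port list, the netstat invocation and the constructed sample output are assumptions.

```python
import errno
import re
import socket
import subprocess

# One netstat -an line per endpoint: proto, recv-q, send-q, local addr:port.
ENDPOINT_RE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+\S*:(\d+)\s", re.M)

# Constructed netstat -an output (not captured from a real host) for the self-check.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def parse_netstat(output: str) -> set:
    """Set of (proto, port) pairs that netstat -an lists as local endpoints."""
    return {(proto, int(port)) for proto, port in ENDPOINT_RE.findall(output)}

def port_in_use(host: str, port: int, proto: str = "tcp") -> bool:
    """Step one: a bind that fails with EADDRINUSE means something owns the port.
    Other errors (e.g. EACCES on a privileged port) are not evidence of use."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE
    return False

def hidden_ports(busy: set, listed: set) -> set:
    """Step two: ports that refused the bind but are missing from netstat.
    That is the mismatch the check reports; a process that exited between the
    two steps produces the same result, which is the race described above."""
    return busy - listed

def scan(ports, host: str = "0.0.0.0") -> set:
    """Run both steps against the live system for the given TCP ports."""
    busy = {("tcp", p) for p in ports if port_in_use(host, p)}
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return hidden_ports(busy, parse_netstat(out))

def listener_is_detected() -> bool:
    """Self-check: open a real listener on an ephemeral port and confirm
    that port_in_use sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.bind(("127.0.0.1", 0))
        ls.listen(1)
        return port_in_use("127.0.0.1", ls.getsockname()[1])
```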
Always start with the server, then move on to the agents.
On Thu, Oct 21, 2010 at 6:20 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi Dan,
my test config is very short
I have now changed <agent_config> to <agent_config os="Linux">
Now it works
<agent_config os="Linux">
<syscheck>
On 10/20/2010 07:15 PM, Michael Starks wrote:
I agree completely. But just so you are aware, OSSEC integrates nicely
with Splunk for a non-free solution.
Non-free if you want more than 500 Megs per day and some of the fancier
features.. There is a
On Thu, Oct 21, 2010 at 7:42 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi list,
the server was already connected and there is no firewall.
I still can't connect agent and server, but why?
2010/10/21 13:36:39 ossec-agentd: INFO: Trying to connect to server (192.168.2.11:1514).
On 10/20/2010 06:01 PM, Shane Warner wrote:
Not sure what platform you're on, but we build an RPM package and set
any important configuration files up with the config(noreplace)
directive to prevent them from being overwritten on updates.
Wouldn't
On Thu, Oct 21, 2010 at 9:16 AM, Jason 'XenoPhage' Frisvold
xenoph...@godshell.com wrote:
On 10/20/2010 07:15 PM, Michael Starks wrote:
I agree completely. But just so you are aware, OSSEC integrates nicely
with Splunk for a non-free solution.
Today, we thank Daniel Cid for creating OSSEC.
Daniel has been working on OSSEC for a long time now. He started on it
long before being snatched up by Third Brigade, having already put
thousands of hours into the project. He chose to make it free and open so
everyone could benefit.
Some
This is a bit rough. I've tested it to make sure it doesn't hurt
anything else, but my tests aren't exhaustive. Also, it's tough with
only 1 log sample to make sure I've got everything. And last but not
least, I didn't look at the other web decoders to make sure the items
I placed in order match
Thank you and well done, Daniel!
On Thu, Oct 21, 2010 at 8:57 AM, Michael Starks
ossec-l...@michaelstarks.com wrote:
Today, we thank Daniel Cid for creating OSSEC.
Daniel has been working on OSSEC for a long time now. He started on it
long before being snatched up by Third Brigade, having
I have some servers with a large number of files to be monitored
(syscheck takes about 4 hours to run).
Currently running OSSEC 2.4.1 on RHEL 5. Upgrade to OSSEC 2.5.1 is
imminent
Currently I have left internal_options.conf with default values.
Any recommendations on making changes to minimise
Thank you for the hard work Daniel! You've done an excellent job with this
and we all appreciate the effort! Thanks to the OSSEC community and the
OSSEC email group for all the support as well! I couldn't have learned any
more without all of your help!
On Thu, Oct 21, 2010 at 7:11 AM, Charlie
On Thu, Oct 21, 2010 at 07:34:48AM -0500, Michael Starks wrote:
What happens when a host is attacked?
Something gets in our system
What are the usual
sequence of events that take place? How can OSSEC effectively detect
these while keeping the noise down?
Some suspicious traffic may be
Thanks Daniel! OSSEC Rules! :)
-Chuck (MdMonk)
On Thu, Oct 21, 2010 at 9:31 AM, cristian paul peñaranda rojas
p...@kristianpaul.org wrote:
Thanks Daniel Cid for making security log analysis fast and reliable! :)
I'd like to see an upgrade that allows the agents to re-read the config files
automatically... at least the shared/agent.conf, so no restarts are required.
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of spacekiwi
Sent: Wednesday,
Anyway to specify an agent config by the OS? full_command doesn't work on
Windows 2000 (yes, I know old...). Currently I have a netstat command for
windows, but would like to restrict it to only windows 2003/2008, etc... and
exclude windows 2000 machines.
My experience has been:
Servers:
- vulnerability exploited
- processes created
- listening ports changed
- users created
- software installed
- changes to administrators group
- backdoors created
- new connections to Internet (ie. reverse shells, CC, etc)
Desktops:
- drive-by downloads
-
On Thu, 2010-10-21 at 08:57 -0500, Michael Starks wrote:
Today, we thank Daniel Cid for creating OSSEC.
Daniel has been working on OSSEC for a long time now. He started on it
long before being snatched up by Third Brigade, having already put
thousands of hours into the project. He chose to
Thank you Dan for your answer.
I have run an md5sum on my monitored server and another on an isolated
machine: they are identical... Ouf!
Thank you.
Best regards.
On 21 oct, 15:07, dan (ddp) ddp...@gmail.com wrote:
OSSEC tries to bind to the port and checks the output of netstat and
Thank you Daniel!
On Thu, Oct 21, 2010 at 12:56 PM, John A. Sullivan III
jsulli...@opensourcedevel.com wrote:
On Thu, 2010-10-21 at 08:57 -0500, Michael Starks wrote:
Today, we thank Daniel Cid for creating OSSEC.
Daniel has been working on OSSEC for a long time now. He started on it
long
This isn't restart-free, but I set up an active response to restart agents when
agent.conf has changed.
-Original Message-
From: Jefferson, Shawn
Sent: 10/21/2010 12:31:14 PM
Subject: RE: [ossec-list] Re: Day 4: What bugs you: problems, challenges and
room for improvement.
I'd like
On Thu, 21 Oct 2010 17:31:30 +, ddp...@gmail.com ddp...@gmail.com
wrote:
This isn't restart-free, but I set up an active response to restart
agents
when agent.conf has changed.
When ddpbsd mentioned this to me in IRC, I set this up for my Windows
agents:
First, you'll need this in
I'll try to do this tomorrow. I don't think it's too difficult to do.
On Thu, Oct 21, 2010 at 1:56 PM, Jefferson, Shawn
shawn.jeffer...@bcferries.com wrote:
Nice! Could you post what is required? I haven't played with AR at all yet.
-Original Message-
From: ossec-list@googlegroups.com
I was running 2.4.1. Looks like a testrule may have been included somewhere
Jason 'XenoPhage' Frisvold xenoph...@godshell.com 10/21/2010 2:08 PM
On Oct 21, 2010, at 2:01 PM, ko...@mnr.org wrote:
Anyone: After upgrading my management Servers to
On Thu, 21 Oct 2010 11:02:55 -0700 (PDT), JC jdcon...@hewitt.com wrote:
Hi -
I saw the with the 2.5 release the Windows Agent has a silent install
switch, but I cannot find any documentation of how to use the switch.
I've tried /s, /q, /silent, /quiet and everything I can think
Resolved - Sorry for the post the /s is case sensitive and needs to
be /S.
On Thu, Oct 21, 2010 at 2:01 PM, ko...@mnr.org wrote:
Anyone: After upgrading my management Servers to 2.5.1 I'm getting, after I
restart the agents
2010/10/21 13:56:04 ossec-testrule: INFO: Reading local decoder file.
Any information on this would be great.
Thank You Christian
This is
On Thu, Oct 21, 2010 at 2:08 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On Thu, 21 Oct 2010 17:31:30 +, ddp...@gmail.com ddp...@gmail.com
wrote:
This isn't restart-free, but I set up an active response to restart
agents
when agent.conf has changed.
When ddpbsd mentioned this
On Thu, 21 Oct 2010 10:37:59 -0600, Jefferson, Shawn
shawn.jeffer...@bcferries.com wrote:
My experience has been:
Servers:
- vulnerability exploited
- processes created
- listening ports changed
- users created
- software installed
- changes to administrators group
- backdoors created
I also had a tough time finding what the actual switch was. Maybe adding a /?
to the windows installer that will print the available switches (if possible),
and an addition to the documentation.
BTW, I noticed changes to the on-line documentation and it's looking great!
-Original
Thank You for the quick response. I think your Silent install was a Great
addition for client installs.
dan (ddp) ddp...@gmail.com 10/21/2010 2:25 PM
On Thu, Oct 21, 2010 at 2:01 PM, ko...@mnr.org wrote:
Anyone: After upgrading my management Servers to 2.5.1 I'm getting, after I
restart
Thanks Daniel!
On 10/21/10, cnk lists.canuck...@gmail.com wrote:
Thank you Daniel!
On Thu, Oct 21, 2010 at 12:56 PM, John A. Sullivan III
jsulli...@opensourcedevel.com wrote:
On Thu, 2010-10-21 at 08:57 -0500, Michael Starks wrote:
Today, we thank Daniel Cid for creating OSSEC.
Daniel has
Hi Jefferson,
Yes, you can. Just add the following to the agent config:
<agent_config os="Microsoft Windows XP Home Edition Service Pack 3">
..
</agent_config>
And it will match only on XP with SP3. You can also do:
<agent_config os="Windows XP|Windows 2003">
..
</agent_config>
To match only on XP and 2003.
thanks,
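An added Python example, not OSSEC's own code, that applies the os attribute rule from this reply to a constructed agent.conf: it returns which agent_config blocks an agent receives given the OS string it reports. It assumes the os value is a set of '|'-separated alternatives, each matched as a substring of the agent's OS string, which approximates OSSEC's regex matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent.conf: one unconditional block, one for Linux
# agents, and one using the '|' alternation shown in the reply above.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck><frequency>7200</frequency></syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/boot</directories>
    <ignore>/etc/dhcpd.conf</ignore>
  </syscheck>
</agent_config>
<agent_config os="Windows XP|Windows 2003">
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an</command>
  </localfile>
</agent_config>
"""

def os_matches(pattern: str, agent_os: str) -> bool:
    """Approximation (assumption) of the os attribute test: '|' separates
    alternatives and each alternative is a case-sensitive substring of the
    OS string the agent reports. OSSEC's other regex syntax is not handled."""
    return any(alt and alt in agent_os for alt in pattern.split("|"))

def applicable_blocks(conf: str, agent_os: str) -> list:
    """agent_config elements that apply to an agent reporting agent_os.
    agent.conf has no single root element, so wrap it before parsing."""
    root = ET.fromstring("<root>" + conf + "</root>")
    return [b for b in root.findall("agent_config")
            if b.get("os") is None or os_matches(b.get("os"), agent_os)]

def applied_os_patterns(conf: str, agent_os: str) -> list:
    """os attribute of each applicable block (None for the unconditional one)."""
    return [b.get("os") for b in applicable_blocks(conf, agent_os)]

def commands_for(conf: str, agent_os: str) -> list:
    """full_command entries the agent would run: lets you confirm a netstat
    command meant for newer Windows versions is not pushed to Windows 2000."""
    cmds = []
    for block in applicable_blocks(conf, agent_os):
        for lf in block.findall("localfile"):
            if lf.findtext("log_format") == "full_command":
                cmds.append(lf.findtext("command"))
    return cmds
```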
Wow, I appreciate that :) But the big thanks should be to everyone in
these lists:
http://www.ossec.net/main/ossecteam/
https://bitbucket.org/dcid/ossec-hids/src/tip/CONTRIBUTORS
And probably a lot more people that I forgot to add, that sent
suggestions, patches, and
are involved with the
Hi: We spun up a ruby on rails web app (backed by mongodb=speed) that allows
us to do daily alert reviews quickly for us that means being able to view
all the alerts in one view with quick pivoting.
It is currently an internal app, but we can push out a VM or something to
see if others like
I find myself struggling with how to handle directory traversal false
positives. The following happily triggers rule 31104 and active response
blocks the IP.
204.41.5.50 - - [21/Oct/2010:08:43:53 -0400] GET /../index.html HTTP/1.1 400 303 -