[ossec-list] Default checkpoint decoder provided by ossec doesn't work
Hi all,

I am doing some tests sending checkpoint fw logs to ossec via syslog, and the default checkpoint decoder provided by ossec 2.6 doesn't work. For example, using the log explained in decoder.xml:

  2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
  2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/dshield_list'
  2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/rbn_host_list'
  2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/rbn_subnet_list'
  2012/04/30 10:26:13 ossec-testrule: INFO: Started (pid: 7884).
  ossec-testrule: Type one log per line.

  Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;

  **Phase 1: Completed pre-decoding.
         full event: 'Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;'
         hostname: 'plzfsgsip02'
         program_name: '(null)'
         log: 'Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;'

  **Phase 2: Completed decoding.
         No decoder matched.

Using a real sample:

  Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;

  **Phase 1: Completed pre-decoding.
         full event: 'Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;'
         hostname: 'ossecsrv02'
         program_name: '(null)'
         log: 'Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;'

  **Phase 2: Completed decoding.
         No decoder matched.

Where is the problem??

--
CL Martinez
carlopmart {at} gmail {d0t} com
[ossec-list] Re: Unable to connect to remoted
On Monday, 30 April 2012 09:52:29 UTC+2, Mike Sievers wrote:
> Hi List,
>
> I am always getting the following error:
>
>   agent_control -r -a
>   2012/04/30 09:44:19 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Queue not found'.
>   2012/04/30 09:44:34 agent_control(1301): ERROR: Unable to connect to active response queue.
>   ** Unable to connect to remoted.
>
> What could it be? It is the newest version running in Linux. Inst type is local.

??? Is OSSEC running OK? Show your log file from the last hours.
Re: [ossec-list] Default checkpoint decoder provided by ossec doesn't work
To start, your log message is missing the syslog header (timestamp and hostname). Then taking out the first \s+ in the prematch of the checkpoint decoder makes this work. In fact, changing the decoder to this made it work with one of your examples and one of the examples in the decoder.conf:

  <decoder name="checkpoint-syslog">
    <program_name>^Checkpoint</program_name>
    <prematch>^\s*\S+ \d\d:\d\d:\d\d </prematch>
  </decoder>

On Mon, Apr 30, 2012 at 4:31 AM, carlopmart <carlopm...@gmail.com> wrote:
> Hi all,
>
> I am doing some tests sending checkpoint fw logs to ossec via syslog, and the default checkpoint decoder provided by ossec 2.6 doesn't work. For example, using the log explained in decoder.xml:
>
>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/dshield_list'
>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/rbn_host_list'
>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/rbn_subnet_list'
>   2012/04/30 10:26:13 ossec-testrule: INFO: Started (pid: 7884).
>   ossec-testrule: Type one log per line.
>
>   Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;
>
>   **Phase 1: Completed pre-decoding.
>          full event: 'Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;'
>          hostname: 'plzfsgsip02'
>          program_name: '(null)'
>          log: 'Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;'
>
>   **Phase 2: Completed decoding.
>          No decoder matched.
>
> Using a real sample:
>
>   Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;
>
>   **Phase 1: Completed pre-decoding.
>          full event: 'Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;'
>          hostname: 'ossecsrv02'
>          program_name: '(null)'
>          log: 'Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;'
>
>   **Phase 2: Completed decoding.
>          No decoder matched.
>
> Where is the problem??
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
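As an added illustration (not code from the thread or from OSSEC itself), the Python below models what Dan describes: a simplified syslog pre-decoder that splits an event into hostname, program_name and log, then the checkpoint-syslog program_name check and prematch applied to the body from the first message, once without a syslog header and once behind a constructed header with the invented hostname fw01. The pre-decoder model (in particular that the ": " after the program name is dropped from the log field) is an assumption, and the field parser at the end is an added sketch of what a child decoder would extract.

```python
import re

# OSSEC prematch patterns in Python form (OSSEC's \s is one space, \S one non-space):
# DEFAULT is the shipped "^\s+\S+ \d\d:\d\d:\d\d ", FIXED is Dan's with \s+ relaxed to \s*.
PREMATCH_DEFAULT = re.compile(r"^ +\S+ \d\d:\d\d:\d\d ")
PREMATCH_FIXED = re.compile(r"^ *\S+ \d\d:\d\d:\d\d ")

# Simplified model of the syslog pre-decoder (an assumption, not OSSEC's own code):
# "Mon DD HH:MM:SS host prog: msg" -> hostname, program_name, log (": " dropped).
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
                           r"(?P<prog>[^:\s]+): ?(?P<log>.*)$")

def predecode(event):
    """Return (hostname, program_name, log); program_name is None without a header."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return None, None, event  # ossec-logtest showed this as program_name '(null)'
    return m.group("host"), m.group("prog"), m.group("log")

def decoder_matches(event, prematch=PREMATCH_FIXED):
    """True when <program_name>^Checkpoint</program_name> and the prematch both hit."""
    _, prog, log = predecode(event)
    if prog is None or not prog.startswith("Checkpoint"):
        return False
    return prematch.match(log) is not None

def checkpoint_fields(event):
    """Split the Check Point body into the fields a child decoder would extract."""
    _, prog, log = predecode(event)
    if prog is None:
        raise ValueError("no syslog header: the Checkpoint decoder never runs")
    head, _, rest = log.partition(" rule:")
    action, origin, iface = head.split()[2:5]  # after the Check Point date and time
    fields = {"action": action, "origin": origin, "interface": iface}
    for item in ("rule:" + rest).split(";"):
        key, sep, value = item.partition(":")
        if sep:  # skips the empty tail; keeps "s_port: ;" as an empty string
            fields[key.strip()] = value.strip()
    return fields

# Constructed samples: the thread's first body without a syslog header, then with one ("fw01" is invented).
NO_HEADER = ("Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; "
             "ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; "
             "ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;")
WITH_HEADER = "Apr 30 09:52:24 fw01 " + NO_HEADER

if __name__ == "__main__":
    print(decoder_matches(WITH_HEADER, PREMATCH_DEFAULT), decoder_matches(WITH_HEADER))
    print(checkpoint_fields(WITH_HEADER))
```

Note that the real sample's single-digit hour (9:52:24) satisfies neither prematch's \d\d:\d\d:\d\d, which is consistent with Dan reporting a match on only one of the two examples.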
Re: [ossec-list] Re: Ossec 2.6 Compile errors on Mac Os 10.7.3
I'm disappointed that Apple released a broken compiler by default. :(

On Sat, Apr 28, 2012 at 4:31 AM, Gappa <gapp...@gmail.com> wrote:
> ahahah I can feel a little bit of disappointment in your answer. My bad, I'm sorry, I didn't notice that I was using the llvm compiler. I have changed it to the REAL gcc and now it works!!! :) Thank you dan
>
> On 27 Apr, 20:49, dan (ddp) <ddp...@gmail.com> wrote:
>> Use the real gcc instead of Apple's llvm/clang/whatever it is these days.
Re: [ossec-list] Default checkpoint decoder provided by ossec doesn't work
Oops ... You are right, dan ... I have missed timestamp and hostname ... Doing some adjustments, the decoder works now ...

On 04/30/2012 02:59 PM, dan (ddp) wrote:
> To start, your log message is missing the syslog header (timestamp and hostname). Then taking out the first \s+ in the prematch of the checkpoint decoder makes this work. In fact, changing the decoder to this made it work with one of your examples and one of the examples in the decoder.conf:
>
>   <decoder name="checkpoint-syslog">
>     <program_name>^Checkpoint</program_name>
>     <prematch>^\s*\S+ \d\d:\d\d:\d\d </prematch>
>   </decoder>
>
> On Mon, Apr 30, 2012 at 4:31 AM, carlopmart <carlopm...@gmail.com> wrote:
>> Hi all,
>>
>> I am doing some tests sending checkpoint fw logs to ossec via syslog, and the default checkpoint decoder provided by ossec 2.6 doesn't work. For example, using the log explained in decoder.xml:
>>
>>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
>>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/dshield_list'
>>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/rbn_host_list'
>>   2012/04/30 10:26:13 ossec-testrule: INFO: Reading loading the lists file: 'lists/rbn_subnet_list'
>>   2012/04/30 10:26:13 ossec-testrule: INFO: Started (pid: 7884).
>>   ossec-testrule: Type one log per line.
>>
>>   Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;
>>
>>   **Phase 1: Completed pre-decoding.
>>          full event: 'Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;'
>>          hostname: 'plzfsgsip02'
>>          program_name: '(null)'
>>          log: 'Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 eth4 rule: 102; rule_uid: {----}; ICMP: Echo Request; src: 10.10.10.2; dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;'
>>
>>   **Phase 2: Completed decoding.
>>          No decoder matched.
>>
>> Using a real sample:
>>
>>   Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;
>>
>>   **Phase 1: Completed pre-decoding.
>>          full event: 'Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;'
>>          hostname: 'ossecsrv02'
>>          program_name: '(null)'
>>          log: 'Checkpoint: 30Apr2012 9:52:24 accept 172.23.4.3 Lan2 rule: 54; rule_uid: {9FF8FDBD-D83B-4AF2-AA55-29E72F37DEC2}; service_id: https; src: 192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1; service: 443; s_port: ;'
>>
>>   **Phase 2: Completed decoding.
>>          No decoder matched.
>>
>> Where is the problem??
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com

--
CL Martinez
carlopmart {at} gmail {d0t} com
[ossec-list] Where the OSSEC configurations are...
Just learning OSSEC here, using the documentation on ossec.net to troubleshoot some problems. I am receiving excessive HIDS notifications in a log for a Windows machine (an agent) in my OSSEC environment. When looking at the security log, it seems that too many events are being added to the queue, mostly system activity, in the security log of the Windows machine. Which files should I look to, to start adjusting configurations for what I want to ignore and what I would like to include in the alerts.log file? I looked at ossec.conf and now I just don't see a file where I can modify alerts going into the alerts.log file. Thank you.
Re: [ossec-list] Where the OSSEC configurations are...
You can add custom rules to /var/ossec/rules/local_rules.xml. You can use these rules to either look for something that isn't covered by the default rules or to ignore something you don't want to see.

On Mon, Apr 30, 2012 at 1:59 PM, A-Dubbs <arlendelcasti...@gmail.com> wrote:
> Just learning OSSEC here, using the documentation on ossec.net to troubleshoot some problems. I am receiving excessive HIDS notifications in a log for a Windows machine (an agent) in my OSSEC environment. When looking at the security log, it seems that too many events are being added to the queue, mostly system activity, in the security log of the Windows machine. Which files should I look to, to start adjusting configurations for what I want to ignore and what I would like to include in the alerts.log file? I looked at ossec.conf and now I just don't see a file where I can modify alerts going into the alerts.log file. Thank you.
[ossec-list] msauth_rules.xml file, is this for Microsoft Windows rules?
I'm looking for the rules file for adjusting what gets logged for Microsoft Windows systems. Is msauth_rules.xml the correct file?
Re: [ossec-list] msauth_rules.xml file, is this for Microsoft Windows rules?
Modifying the default rules directly isn't encouraged. Your changes will be overwritten on an upgrade. You should add custom rules to /var/ossec/rules/local_rules.xml. You can create custom rules to look for new things the default rules don't cover, or to ignore rules that are already in place.

On Mon, Apr 30, 2012 at 2:42 PM, A-Dubbs <arlendelcasti...@gmail.com> wrote:
> I'm looking for the rules file for adjusting what gets logged for Microsoft Windows systems. Is msauth_rules.xml the correct file?
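An added example of the local_rules.xml approach Dan recommends here and in the previous thread (not a fragment from the thread or from OSSEC's shipped rules): one rule that silences routine Windows events and one that escalates a specific event. It assumes that rule 18100 is the generic parent of the Windows event rules in msauth_rules.xml and that the decoded event id is matched by <id>; the Windows event IDs 4624, 4634 and 1102 are illustrative values to be replaced with the ones actually flooding alerts.log.

```xml
<group name="local,windows,">
  <!-- Parent 18100 is assumed to be the generic "Group of windows rules" in
       msauth_rules.xml; level 0 means the event is matched but never alerted. -->
  <rule id="100100" level="0">
    <if_sid>18100</if_sid>
    <id>^4624$|^4634$</id>
    <description>Ignore routine Windows logon/logoff events (illustrative IDs).</description>
  </rule>

  <!-- The other direction: single out an event the default rules do not highlight. -->
  <rule id="100101" level="12">
    <if_sid>18100</if_sid>
    <id>^1102$</id>
    <description>Windows security audit log cleared (illustrative ID).</description>
  </rule>
</group>
```

Local rule IDs must stay in the 100000-119999 range reserved for user rules, and ossec-logtest on a sample event is the quick way to confirm which rule now fires.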
[ossec-list] Problem with ossec's syslog options and ossec-remoted process
Hi all,

I have several problems with the ossec-remoted process and ossec's syslog remote options. My ossec server is configured to receive syslog messages via a tcp port. The problem is the amount of syslog messages that ossec can receive; it does not seem to be many. Configuration is: syslog forwarder ossec-remote process...

Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and sometimes more). As you can see, some alerts work and others not ...

Changing to udp, ossec loses a lot of messages ...

Another option I've tried is to use a third server that redirects all messages to a text file in syslog format. It was the worst solution: ossec reads messages two hours late ...

Then, what is the solution? Is it not possible to use the remote syslog option in production environments??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process
On Apr 30, 2012 4:11 PM, carlopmart <carlopm...@gmail.com> wrote:
> Hi all,
>
> I have several problems with the ossec-remoted process and ossec's syslog remote options. My ossec server is configured to receive syslog messages via a tcp port. The problem is the amount of syslog messages that ossec can receive; it does not seem to be many. Configuration is: syslog forwarder ossec-remote process...

What are you using as your forwarder?

> Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and

What does this mean? If multiple alerts are grouped together in an alert, an alert is triggered.

> sometimes more). As you can see, some alerts work and others not ...

I can't see, no examples were provided.

> Changing to udp, ossec loses a lot of messages ...
>
> Another option I've tried is to use a third server that redirects all messages to a text file in syslog format. It was the worst solution: ossec reads messages two hours late ...
>
> Then, what is the solution? Is it not possible to use the remote syslog option in production environments??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com