Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-24 Thread DefensiveDepth
Got most of the way through the build, then hit a wall, see errors here:

http://screencast.com/t/jHFO69Ml 

I will take another stab at it tonight/tomorrow--If anybody has any 
comments on the current errors, let me know.

Thanks

-Josh


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
it was indeed in a different location :)
I symlinked it to the other location where it should supposedly be 
/usr/include/openssl/opensslconf.h

and ran the installation script again.
But now I'm running into a different error

 *** Making os_crypto *** 
 
cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT 
-DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" 
-DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
cc: -W option with unknown program all 
*** Error code 1 
make: Fatal error: Command failed for target `bf' 
Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
*** Error code 1 
The following command caused the error: 
cd blowfish; make 
make: Fatal error: Command failed for target `os_crypto' 
Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
 
Error Making os_crypto 
*** Error code 1 
The following command caused the error: 
/bin/bash ./Makeall all 
make: Fatal error: Command failed for target `all' 
 
 Error 0x5. 
 Building error. Unable to finish the installation.



On Thursday, 24 September 2015 14:28:14 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 24, 2015 8:23 AM, "theresa mic-snare"  > wrote:
> >
> > hmm I see.
> > but I managed to build it on a Solaris 11 machine without any 
> problems without having to modify any Make or any other file. Hmm...
> >
>
> Was opensslconf.h in a different location on solaris 11?
>
> >
> > On Thursday, 24 September 2015 14:18:27 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare 
> >>  wrote: 
> >> > Dan, do you currently have OSSEC installed on a Solaris machine? 
> >> > if so, could you please tell me where the opensslconf.h is located on 
> your 
> >> > system? 
> >> > 
> >>
> >> No, sorry. I can't afford Oracle machines, and I doubt my wife would 
> >> appreciate the noise. :P 
> >>
> >> I'm guessing you would need "-I/usr/sfw/include" in the build command 
> >> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS in 
> >> the Config.Make, but I haven't tried any of this. 
> >>
> >> > thanks, 
> >> > theresa 
> >> > 
> >> > On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote: 
> >> >> 
> >> >> 
> >> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare"  
> wrote: 
> >> >> > 
> >> >> > by the way: 
> >> >> > 
> >> >> > I have found the file opensslconf.h that is allegedly missing on 
> my 
> >> >> > server... 
> >> >> > it's located under: 
> >> >> > /usr/sfw/include/openssl/opensslconf.h 
> >> >> > 
> >> >> > is the path maybe somewhere hardcoded, so that it's maybe looking 
> in the 
> >> >> > wrong place? 
> >> >> > 
> >> >> 
> >> >> That would be my guess. 
> >> >> 
> >> >> > cheers, 
> >> >> > theresa 
> >> >> > 
> >> >> > 
> >> >> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote: 
> >> >> >> 
> >> >> >> Hi everyone, 
> >> >> >> 
> >> >> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> >> >> >> server, and got the following error: 
> >> >> >> 
> >> >> >>  *** Making os_crypto *** 
> >> >> >> 
> >> >> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers 
> >> >> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS 
> -DHIGHFIRST 
> >> >> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> >> >> In file included from bf_skey.c:62:0: 
> >> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file 
> or 
> >> >> >> directory 
> >> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >> >>^ 
> >> >> >> compilation terminated. 
> >> >> >> In file included from bf_enc.c:60:0: 
> >> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file 
> or 
> >> >> >> directory 
> >> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >> >>^ 
> >> >> >> compilation terminated. 
> >> >> >> *** Error code 1 
> >> >> >> make: Fatal error: Command failed for target `bf' 
> >> >> >> Current working directory 
> /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> >> >> >> *** Error code 1 
> >> >> >> The following command caused the error: 
> >> >> >> cd blowfish; make 
> >> >> >> make: Fatal error: Command failed for target `os_crypto' 
> >> >> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >> >> >> 
> >> >> >> Error Making os_crypto 
> >> >> >> *** Error code 1 
> >> >> >> The following command caused the error: 
> >> >> >> /bin/bash ./Makeall all 
> >> >> >> make: Fatal error: Command failed for target `all' 
> >> >> >> 
> >> >> >>  Error 0x5. 
> >> >> >>  Building error. Unable to finish the installation. 
> >> >> >> 
> >> >> >> 
> >> >> >> 
> >> >> >> I think there seems to be some kind of OpenSSL dependency 
> issue... 
> >> >> >> I have also added the following lines in the install.sh script 
> (to make 
> >> >> >> sure the OpenSSL 

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-24 Thread dan (ddp)
On Thu, Sep 24, 2015 at 6:31 AM, DefensiveDepth  wrote:
> Got most of the way through the build, then hit a wall, see errors here:
>
> http://screencast.com/t/jHFO69Ml
>

I didn't even make any changes there. Try adding "#include "
to src/syscheckd/seechanges.c.

> I will take another stab at it tonight/tomorrow--If anybody has any comments
> on the current errors, let me know.
>
> Thanks
>
> -Josh



Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 8:23 AM, "theresa mic-snare"  wrote:
>
> hmm I see.
> but I managed to build it on a Solaris 11 machine without any
problems without having to modify any Make or any other file. Hmm...
>

Was opensslconf.h in a different location on solaris 11?

>
> On Thursday, 24 September 2015 14:18:27 UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare
>>  wrote:
>> > Dan, do you currently have OSSEC installed on a Solaris machine?
>> > if so, could you please tell me where the opensslconf.h is located on
your
>> > system?
>> >
>>
>> No, sorry. I can't afford Oracle machines, and I doubt my wife would
>> appreciate the noise. :P
>>
>> I'm guessing you would need "-I/usr/sfw/include" in the build command
>> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS in
>> the Config.Make, but I haven't tried any of this.
>>
>> > thanks,
>> > theresa
>> >
>> > On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >>
>> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare" 
wrote:
>> >> >
>> >> > by the way:
>> >> >
>> >> > I have found the file opensslconf.h that is allegedly missing on my
>> >> > server...
>> >> > it's located under:
>> >> > /usr/sfw/include/openssl/opensslconf.h
>> >> >
>> >> > is the path maybe somewhere hardcoded, so that it's maybe looking
in the
>> >> > wrong place?
>> >> >
>> >>
>> >> That would be my guess.
>> >>
>> >> > cheers,
>> >> > theresa
>> >> >
>> >> >
>> >> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote:
>> >> >>
>> >> >> Hi everyone,
>> >> >>
>> >> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC)
>> >> >> server, and got the following error:
>> >> >>
>> >> >>  *** Making os_crypto ***
>> >> >>
>> >> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers
>> >> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS
-DHIGHFIRST
>> >> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
>> >> >> In file included from bf_skey.c:62:0:
>> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file
or
>> >> >> directory
>> >> >>  #include  /* BF_PTR, BF_PTR2 */
>> >> >>^
>> >> >> compilation terminated.
>> >> >> In file included from bf_enc.c:60:0:
>> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file
or
>> >> >> directory
>> >> >>  #include  /* BF_PTR, BF_PTR2 */
>> >> >>^
>> >> >> compilation terminated.
>> >> >> *** Error code 1
>> >> >> make: Fatal error: Command failed for target `bf'
>> >> >> Current working directory
/root/ossec-hids-2.8.2/src/os_crypto/blowfish
>> >> >> *** Error code 1
>> >> >> The following command caused the error:
>> >> >> cd blowfish; make
>> >> >> make: Fatal error: Command failed for target `os_crypto'
>> >> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>> >> >>
>> >> >> Error Making os_crypto
>> >> >> *** Error code 1
>> >> >> The following command caused the error:
>> >> >> /bin/bash ./Makeall all
>> >> >> make: Fatal error: Command failed for target `all'
>> >> >>
>> >> >>  Error 0x5.
>> >> >>  Building error. Unable to finish the installation.
>> >> >>
>> >> >>
>> >> >>
>> >> >> I think there seems to be some kind of OpenSSL dependency issue...
>> >> >> I have also added the following lines in the install.sh script (to
make
>> >> >> sure the OpenSSL libraries get linked)
>> >> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS
>> >> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS
>> >> >>
>> >> >>
>> >> >> I'm using the following OpenSSL version:
>> >> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969
>> >> >> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339
CVE-2006-4343
>> >> >> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077
CVE-2008-7270
>> >> >> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180
CVE-2011-4576
>> >> >> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110
CVE-2012-2131
>> >> >> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169)
>> >> >>
>> >> >> anyone come across the same problem?
>> >> >>
>> >> >> cheers,
>> >> >> theresa

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 8:46 AM, "theresa mic-snare"  wrote:
>
> it was indeed in a different location :)
> i symlinked it to the other location where it should supposedly be
/usr/include/openssl/opensslconf.h
>
> and ran the installation script again.
> but now i'm running into a different error
>
>  *** Making os_crypto ***
>
> cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\"
-DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\"
-DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
> cc: -W option with unknown program all

That right there makes me think it isn't using gcc as the compiler (-Wall
has been around for a while now).

> *** Error code 1
> make: Fatal error: Command failed for target `bf'
> Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
> *** Error code 1
> The following command caused the error:
> cd blowfish; make
> make: Fatal error: Command failed for target `os_crypto'
> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>
> Error Making os_crypto
> *** Error code 1
> The following command caused the error:
> /bin/bash ./Makeall all
> make: Fatal error: Command failed for target `all'
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
>
> On Thursday, 24 September 2015 14:28:14 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Sep 24, 2015 8:23 AM, "theresa mic-snare"  wrote:
>> >
>> > hmm I see.
>> > but I managed to build it on a Solaris 11 machine without any
problems without having to modify any Make or any other file. Hmm...
>> >
>>
>> Was opensslconf.h in a different location on solaris 11?
>>
>> >
>> > On Thursday, 24 September 2015 14:18:27 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare
>> >>  wrote:
>> >> > Dan, do you currently have OSSEC installed on a Solaris machine?
>> >> > if so, could you please tell me where the opensslconf.h is located
on your
>> >> > system?
>> >> >
>> >>
>> >> No, sorry. I can't afford Oracle machines, and I doubt my wife would
>> >> appreciate the noise. :P
>> >>
>> >> I'm guessing you would need "-I/usr/sfw/include" in the build command
>> >> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS
in
>> >> the Config.Make, but I haven't tried any of this.
>> >>
>> >> > thanks,
>> >> > theresa
>> >> >
>> >> > On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote:
>> >> >>
>> >> >>
>> >> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare" 
wrote:
>> >> >> >
>> >> >> > by the way:
>> >> >> >
>> >> >> > I have found the file opensslconf.h that is allegedly missing on
my
>> >> >> > server...
>> >> >> > it's located under:
>> >> >> > /usr/sfw/include/openssl/opensslconf.h
>> >> >> >
>> >> >> > is the path maybe somewhere hardcoded, so that it's maybe
looking in the
>> >> >> > wrong place?
>> >> >> >
>> >> >>
>> >> >> That would be my guess.
>> >> >>
>> >> >> > cheers,
>> >> >> > theresa
>> >> >> >
>> >> >> >
>> >> >> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote:
>> >> >> >>
>> >> >> >> Hi everyone,
>> >> >> >>
>> >> >> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10
(SPARC)
>> >> >> >> server, and got the following error:
>> >> >> >>
>> >> >> >>  *** Making os_crypto ***
>> >> >> >>
>> >> >> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers
>> >> >> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS
-DHIGHFIRST
>> >> >> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c
bf_enc.c
>> >> >> >> In file included from bf_skey.c:62:0:
>> >> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such
file or
>> >> >> >> directory
>> >> >> >>  #include  /* BF_PTR, BF_PTR2 */
>> >> >> >>^
>> >> >> >> compilation terminated.
>> >> >> >> In file included from bf_enc.c:60:0:
>> >> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such
file or
>> >> >> >> directory
>> >> >> >>  #include  /* BF_PTR, BF_PTR2 */
>> >> >> >>^
>> >> >> >> compilation terminated.
>> >> >> >> *** Error code 1
>> >> >> >> make: Fatal error: Command failed for target `bf'
>> >> >> >> Current working directory
/root/ossec-hids-2.8.2/src/os_crypto/blowfish
>> >> >> >> *** Error code 1
>> >> >> >> The following command caused the error:
>> >> >> >> cd blowfish; make
>> >> >> >> make: Fatal error: Command failed for target `os_crypto'
>> >> >> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>> >> >> >>
>> >> >> >> Error Making os_crypto
>> >> >> >> *** Error code 1
>> >> >> >> The following command caused the error:
>> >> >> >> /bin/bash ./Makeall all
>> >> >> >> make: Fatal error: Command failed for target `all'
>> >> >> >>
>> >> >> >>  Error 0x5.
>> >> >> >>  Building error. Unable to finish the installation.
>> >> >> >>
>> >> >> >>
>> >> >> 

Re: [ossec-list] Wrong time on osserver /var/ossec/logs/ossec.log

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 8:54 AM, "Valentin Yefimov"  wrote:
>
> Greetings friends!
>
> I use ossec version 0.8-beta. In log: /var/ossec/logs/ossec.log I see
strange things... timestamps:
>
> 2015/09/24 05:25:55 ossec-analysisd: INFO: 3 IPs in the white list for
active response.
> 2015/09/24 05:25:55 ossec-analysisd: INFO: White listing Hostname:
'localhost.localdomain'
> 2015/09/24 05:25:55 ossec-analysisd: INFO: 1 Hostname(s) in the white
list for active response.
> 2015/09/24 05:25:55 ossec-analysisd: INFO: Started (pid: 30568).
> 2015/09/24 05:25:56 ossec-monitord: INFO: Started (pid: 30587).
> 2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to
'/queue/alerts/ar' (active-response queue)
> 2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to
'/queue/alerts/execq' (exec queue)
> 2015/09/24 05:25:58 ossec-analysisd: No sid search!! XXX
> 2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection
> refused'.
> 2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection
> refused'.
> 2015/09/24 15:26:04 ossec-logcollector(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connecti
> on refused'.
> 2015/09/24 15:26:04 ossec-logcollector(1211): ERROR: Unable to access
queue: '/var/ossec/queue/ossec/queue'. Giving
>  up..
> 2015/09/24 05:26:09 ossec-monitord(1210): ERROR: Queue
'/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/09/24 05:26:09 ossec-monitord(1211): ERROR: Unable to access queue:
'/queue/ossec/queue'. Giving up..
> 2015/09/24 15:26:11 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection
> refused'.
> 2015/09/24 15:26:11 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection
> refused'.
> 2015/09/24 15:26:20 ossec-execd(1314): INFO: Shutdown received. Deleting
responses.
> 2015/09/24 15:26:20 ossec-execd(1225): INFO: SIGNAL Received. Exit
Cleaning...
> 2015/09/24 15:26:24 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection
> refused'.
> 2015/09/24 15:26:24 ossec-syscheckd(1211): ERROR: Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up
> ..
> 2015/09/24 15:27:09 ossec-testrule: INFO: Reading local decoder file.
> 2015/09/24 15:27:10 ossec-testrule: INFO: Started (pid: 2584).
> 2015/09/24 15:27:11 ossec-maild: INFO: E-Mail notification disabled.
Clean Exit.
> 2015/09/24 15:27:11 ossec-execd: INFO: Started (pid: 2627).
> 2015/09/24 05:27:11 ossec-analysisd: INFO: Reading local decoder file.
> 2015/09/24 05:27:11 ossec-analysisd: INFO: Reading rules file:
'rules_config.xml'
> 2015/09/24 05:27:11 ossec-analysisd: INFO: Reading rules file:
'pam_rules.xml'
>
> Service ossec-analysisd lives in the past tense! ;) And agents are not
active...
> The right time on the server: 2015/09/24 15:27 and not 05:25! I set up the
NTP client to synchronize time... long before that.
> Who can tell me what's wrong?
>
>

My first guess is that the wrong timezone is set. Copy the tzfile of your
timezone to /var/ossec/etc/localtime



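The symptom in the log above is a skew of exactly ten hours that affects only some daemons. The following is an added detection example, not OSSEC's own code: it parses an ossec.log extract and reports, per daemon, how far its clock sits from the correct host time. It assumes the correct time is the 15:27 Valentin reported (REFERENCE) and uses a constructed subset of the quoted log lines as input.

```python
"""Added example (not OSSEC's code): per-daemon clock skew in an ossec.log
extract. A shared, exact hour offset across a subset of daemons is the
signature of a timezone file mismatch (the /var/ossec/etc/localtime fix Dan
suggests) rather than of NTP drift, which would be small and per-host."""
import re
from datetime import datetime, timedelta

# ossec.log line shape: "YYYY/MM/DD HH:MM:SS daemon[(code)]: message"
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "  # timestamp
    r"([A-Za-z-]+)(?:\(\d+\))?: "               # daemon name, optional (code)
    r"(.*)$"                                    # message
)

SAMPLE_LOG = [  # constructed subset of the thread's log; one entry per line
    "2015/09/24 05:25:55 ossec-analysisd: INFO: Started (pid: 30568).",
    "2015/09/24 05:25:56 ossec-monitord: INFO: Started (pid: 30587).",
    "2015/09/24 05:25:58 ossec-analysisd: No sid search!! XXX",
    "2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue "
    "'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.",
    "2015/09/24 15:26:04 ossec-logcollector(1211): ERROR: Unable to access "
    "queue: '/var/ossec/queue/ossec/queue'. Giving up..",
    "2015/09/24 05:26:09 ossec-monitord(1210): ERROR: Queue "
    "'/queue/ossec/queue' not accessible: 'Connection refused'.",
    "2015/09/24 15:26:20 ossec-execd(1314): INFO: Shutdown received. "
    "Deleting responses.",
    "2015/09/24 15:27:10 ossec-testrule: INFO: Started (pid: 2584).",
    "2015/09/24 05:27:11 ossec-analysisd: INFO: Reading local decoder file.",
    "this line is not an ossec.log entry and is skipped",
]
REFERENCE = datetime(2015, 9, 24, 15, 27)  # correct host time when the log was read


def parse_line(line):
    """Return (timestamp, daemon, message), or None if the line is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), m.group(3)


def daemon_offsets(lines, reference, tolerance=timedelta(minutes=30)):
    """Map each daemon to its clock offset from `reference`, in hours.

    The latest stamp of each daemon is compared with `reference` (the correct
    wall-clock time when the extract was taken). Daemons within `tolerance`
    are reported as 0.0; others are rounded to a quarter hour, so whole-hour
    and half-hour timezone differences both come out exact.
    """
    latest = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, daemon, _ = parsed
        if daemon not in latest or ts > latest[daemon]:
            latest[daemon] = ts
    offsets = {}
    for daemon, ts in latest.items():
        delta = ts - reference
        if abs(delta) <= tolerance:
            offsets[daemon] = 0.0
        else:
            offsets[daemon] = round(delta.total_seconds() / 900) / 4
    return offsets


def skewed_daemons(lines, reference):
    """Sorted (daemon, offset_hours) pairs for daemons whose clock disagrees
    with the host clock."""
    return sorted((d, o) for d, o in daemon_offsets(lines, reference).items()
                  if o != 0.0)


if __name__ == "__main__":
    for daemon, hours in skewed_daemons(SAMPLE_LOG, REFERENCE):
        print(f"{daemon}: clock is {hours:+.2f} h from host time")
```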

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
of course you were right, Dan!
I had to export CC to point to where GCC is installed (in my case in 
/opt/csw/bin/gcc)

Worked perfectly, until I ran into yet another problem. But this time I think 
something's wrong with my ssl.h in /usr/include/openssl/ssl.h

 *** Making os_auth ***

/opt/csw/bin/gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\" 
-DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\" 
-DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c 
../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a 
../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a 
../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd
main-server.c: In function 'ssl_error':
main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error' 
discards 'const' qualifier from pointer target type
 switch (SSL_get_error(ssl, ret))
   ^
In file included from auth.h:45:0,
 from main-server.c:29:
/usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but 
argument is of type 'const struct SSL *'
 int SSL_get_error(SSL *s,int ret_code);
 ^
ld: fatal: library -lssl: not found
ld: fatal: library -lcrypto: not found
ld: fatal: file processing errors. No output written to ossec-authd
*** Error code 1
make: Fatal error: Command failed for target `auth1'
Current working directory /root/ossec-hids-2.8.2/src/os_auth



On Thursday, 24 September 2015 14:57:08 UTC+2, dan (ddpbsd) wrote:
>
>
> On Sep 24, 2015 8:46 AM, "theresa mic-snare"  > wrote:
> >
> > it was indeed in a different location :)
> > i symlinked it to the other location where it should supposedly be 
> /usr/include/openssl/opensslconf.h
> >
> > and ran the installation script again.
> > but now i'm running into a different error
> >
> >  *** Making os_crypto *** 
> >  
> > cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\" 
> -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\" 
> -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> > cc: -W option with unknown program all 
>
> That right there makes me think it isn't using gcc as the compiler (-Wall 
> has been around for a while now).
>
> > *** Error code 1 
> > make: Fatal error: Command failed for target `bf' 
> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> > *** Error code 1 
> > The following command caused the error: 
> > cd blowfish; make 
> > make: Fatal error: Command failed for target `os_crypto' 
> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >  
> > Error Making os_crypto 
> > *** Error code 1 
> > The following command caused the error: 
> > /bin/bash ./Makeall all 
> > make: Fatal error: Command failed for target `all' 
> >  
> >  Error 0x5. 
> >  Building error. Unable to finish the installation.
> >
> >
> >
> > On Thursday, 24 September 2015 14:28:14 UTC+2, dan (ddpbsd) wrote:
> >>
> >>
> >> On Sep 24, 2015 8:23 AM, "theresa mic-snare"  
> wrote:
> >> >
> >> > hmm I see.
> >> > but I managed to build it on a Solaris 11 machine without any 
> problems without having to modify any Make or any other file. Hmm...
> >> >
> >>
> >> Was opensslconf.h in a different location on solaris 11?
> >>
> >> >
> >> > On Thursday, 24 September 2015 14:18:27 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare 
> >> >>  wrote: 
> >> >> > Dan, do you currently have OSSEC installed on a Solaris machine? 
> >> >> > if so, could you please tell me where the opensslconf.h is located 
> on your 
> >> >> > system? 
> >> >> > 
> >> >>
> >> >> No, sorry. I can't afford Oracle machines, and I doubt my wife would 
> >> >> appreciate the noise. :P 
> >> >>
> >> >> I'm guessing you would need "-I/usr/sfw/include" in the build 
> command 
> >> >> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS 
> in 
> >> >> the Config.Make, but I haven't tried any of this. 
> >> >>
> >> >> > thanks, 
> >> >> > theresa 
> >> >> > 
> >> >> > On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote: 
> >> >> >> 
> >> >> >> 
> >> >> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare"  
> wrote: 
> >> >> >> > 
> >> >> >> > by the way: 
> >> >> >> > 
> >> >> >> > I have found the file opensslconf.h that is allegedly missing 
> on my 
> >> >> >> > server... 
> >> >> >> > it's located under: 
> >> >> >> > /usr/sfw/include/openssl/opensslconf.h 
> >> >> >> > 
> >> >> >> > is the path maybe somewhere hardcoded, so that it's maybe 
> looking in the 
> >> >> >> > wrong place? 
> >> >> >> > 
> >> >> >> 
> >> >> >> That would be my guess. 
> >> >> >> 
> >> >> >> > cheers, 
> >> >> >> > theresa 
> >> >> >> > 
> >> >> >> > 
> >> >> >> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote: 
> >> >> >> >> 
> >> >> >> >> Hi everyone, 
> >> >> >> >> 
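
The three failures in this thread (opensslconf.h not found under the default include path, "cc" rejecting -Wall because it is not gcc, and "ld: fatal: library -lssl: not found") all come from the OpenSSL and compiler locations on Solaris 10. As an added example, not OSSEC's own build scripts, the shell functions below probe for the OpenSSL prefix, confirm the compiler accepts -Wall, and print the exports to set before running install.sh. The candidate prefixes and the OpenCSW gcc path are taken from the thread; that OSSEC's Makefiles honour CFLAGS and LDFLAGS from the environment is an assumption (exporting CC is what Theresa confirmed works, and Dan's alternative is editing Config.Make).

```shell
#!/bin/sh
# Added example (not OSSEC's build scripts): locate OpenSSL on a Solaris 10
# host and print the build environment for OSSEC 2.8.2. Assumes the usual
# prefixes (/usr/sfw is where opensslconf.h was found in the thread) and
# the OpenCSW gcc at /opt/csw/bin/gcc; CFLAGS/LDFLAGS handling by OSSEC's
# Makefiles is assumed, not confirmed by the thread.

# find_openssl_prefix PREFIX... : print the first prefix providing both
# include/openssl/opensslconf.h and a libssl library; return 1 if none does.
find_openssl_prefix() {
    for p in "$@"; do
        if [ -f "$p/include/openssl/opensslconf.h" ] \
           && ls "$p"/lib/libssl.* >/dev/null 2>&1; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# compiler_accepts_wall CC : return 0 if CC compiles a trivial file with -Wall.
# The Solaris "cc" in the thread fails here ("-W option with unknown program
# all"), which is the sign that CC must point at gcc instead.
compiler_accepts_wall() {
    dir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$dir/wall.c"
    "$1" -Wall -c -o "$dir/wall.o" "$dir/wall.c" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# build_env CC PREFIX : print the exports. -I resolves the missing
# opensslconf.h, -L resolves the -lssl/-lcrypto link failure, and -R records
# the run-time library path so the linked binaries find libssl when started.
build_env() {
    printf 'export CC=%s\n' "$1"
    printf 'export CFLAGS="-I%s/include"\n' "$2"
    printf 'export LDFLAGS="-L%s/lib -Wl,-R%s/lib"\n' "$2" "$2"
}

# Usage on the Solaris 10 host from the thread (not run here):
#   prefix=$(find_openssl_prefix /usr/sfw /usr/local/ssl /usr/local /usr) || exit 1
#   compiler_accepts_wall /opt/csw/bin/gcc \
#       && eval "$(build_env /opt/csw/bin/gcc "$prefix")"
```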

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread dan (ddp)
On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare
 wrote:
> Dan, do you currently have OSSEC installed on a Solaris machine?
> if so, could you please tell me where the opensslconf.h is located on your
> system?
>

No, sorry. I can't afford Oracle machines, and I doubt my wife would
appreciate the noise. :P

I'm guessing you would need "-I/usr/sfw/include" in the build command
for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS in
the Config.Make, but I haven't tried any of this.

> thanks,
> theresa
>
> On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Sep 23, 2015 8:59 AM, "theresa mic-snare"  wrote:
>> >
>> > by the way:
>> >
>> > I have found the file opensslconf.h that is allegedly missing on my
>> > server...
>> > it's located under:
>> > /usr/sfw/include/openssl/opensslconf.h
>> >
>> > is the path maybe somewhere hardcoded, so that it's maybe looking in the
>> > wrong place?
>> >
>>
>> That would be my guess.
>>
>> > cheers,
>> > theresa
>> >
>> >
>> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote:
>> >>
>> >> Hi everyone,
>> >>
>> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC)
>> >> server, and got the following error:
>> >>
>> >>  *** Making os_crypto ***
>> >>
>> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers
>> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST
>> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
>> >> In file included from bf_skey.c:62:0:
>> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or
>> >> directory
>> >>  #include  /* BF_PTR, BF_PTR2 */
>> >>^
>> >> compilation terminated.
>> >> In file included from bf_enc.c:60:0:
>> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or
>> >> directory
>> >>  #include  /* BF_PTR, BF_PTR2 */
>> >>^
>> >> compilation terminated.
>> >> *** Error code 1
>> >> make: Fatal error: Command failed for target `bf'
>> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
>> >> *** Error code 1
>> >> The following command caused the error:
>> >> cd blowfish; make
>> >> make: Fatal error: Command failed for target `os_crypto'
>> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>> >>
>> >> Error Making os_crypto
>> >> *** Error code 1
>> >> The following command caused the error:
>> >> /bin/bash ./Makeall all
>> >> make: Fatal error: Command failed for target `all'
>> >>
>> >>  Error 0x5.
>> >>  Building error. Unable to finish the installation.
>> >>
>> >>
>> >>
>> >> I think there seems to be some kind of OpenSSL dependency issue...
>> >> I have also added the following lines in the install.sh script (to make
>> >> sure the OpenSSL libraries get linked)
>> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS
>> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS
>> >>
>> >>
>> >> I'm using the following OpenSSL version:
>> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969
>> >> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
>> >> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270
>> >> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576
>> >> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131
>> >> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169)
>> >>
>> >> anyone come across the same problem?
>> >>
>> >> cheers,
>> >> theresa



Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
hmm I see.
but I managed to build it on a Solaris 11 machine without any problems 
without having to modify any Make or any other file. Hmm...

On Thursday, 24 September 2015 14:18:27 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare 
>  wrote: 
> > Dan, do you currently have OSSEC installed on a Solaris machine? 
> > if so, could you please tell me where the opensslconf.h is located on 
> your 
> > system? 
> > 
>
> No, sorry. I can't afford Oracle machines, and I doubt my wife would 
> appreciate the noise. :P 
>
> I'm guessing you would need "-I/usr/sfw/include" in the build command 
> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS in 
> the Config.Make, but I haven't tried any of this. 
>
> > thanks, 
> > theresa 
> > 
> > On Wednesday, 23 September 2015 15:02:25 UTC+2, dan (ddpbsd) wrote: 
> >> 
> >> 
> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare"  
> wrote: 
> >> > 
> >> > by the way: 
> >> > 
> >> > I have found the file opensslconf.h that is allegedly missing on my 
> >> > server... 
> >> > it's located under: 
> >> > /usr/sfw/include/openssl/opensslconf.h 
> >> > 
> >> > is the path maybe somewhere hardcoded, so that it's maybe looking in 
> the 
> >> > wrong place? 
> >> > 
> >> 
> >> That would be my guess. 
> >> 
> >> > cheers, 
> >> > theresa 
> >> > 
> >> > 
> >> > On Wednesday, 23 September 2015 14:45:05 UTC+2, theresa mic-snare wrote: 
> >> >> 
> >> >> Hi everyone, 
> >> >> 
> >> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> >> >> server, and got the following error: 
> >> >> 
> >> >>  *** Making os_crypto *** 
> >> >> 
> >> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers 
> >> >> -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS 
> -DHIGHFIRST 
> >> >> -DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c 
> >> >> In file included from bf_skey.c:62:0: 
> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> >> >> directory 
> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >>^ 
> >> >> compilation terminated. 
> >> >> In file included from bf_enc.c:60:0: 
> >> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> >> >> directory 
> >> >>  #include  /* BF_PTR, BF_PTR2 */ 
> >> >>^ 
> >> >> compilation terminated. 
> >> >> *** Error code 1 
> >> >> make: Fatal error: Command failed for target `bf' 
> >> >> Current working directory 
> /root/ossec-hids-2.8.2/src/os_crypto/blowfish 
> >> >> *** Error code 1 
> >> >> The following command caused the error: 
> >> >> cd blowfish; make 
> >> >> make: Fatal error: Command failed for target `os_crypto' 
> >> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto 
> >> >> 
> >> >> Error Making os_crypto 
> >> >> *** Error code 1 
> >> >> The following command caused the error: 
> >> >> /bin/bash ./Makeall all 
> >> >> make: Fatal error: Command failed for target `all' 
> >> >> 
> >> >>  Error 0x5. 
> >> >>  Building error. Unable to finish the installation. 
> >> >> 
> >> >> 
> >> >> 
> >> >> I think there seems to be some kind of OpenSSL dependency issue... 
> >> >> I have also added the following lines in the install.sh script (to 
> make 
> >> >> sure the OpenSSL libraries get linked) 
> >> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS 
> >> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS 
> >> >> 
> >> >> 
> >> >> I'm using the following OpenSSL version: 
> >> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> >> >> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 
> CVE-2006-4343 
> >> >> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 
> CVE-2008-7270 
> >> >> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 
> CVE-2011-4576 
> >> >> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 
> CVE-2012-2131 
> >> >> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169) 
> >> >> 
> >> >> anyone come across the same problem? 
> >> >> 
> >> >> cheers, 
> >> >> theresa 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an email to ossec-list+...@googlegroups.com. 
> >> > For more options, visit https://groups.google.com/d/optout. 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>


[ossec-list] Sysmon-Enriched Log Collection and Windows Event Forwarding

2015-09-24 Thread Wes
Please excuse me if this is not the proper place, but I was reading Josh's 
paper 
(https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837)
 
in regard to the use of Sysmon, Windows Event Collector Framework, and 
OSSEC to forward logs from Windows workstations and servers to Security 
Onion, but I wanted to be sure about a thing or two before I began such a 
project.  

From the paper, I can see that the intention (for the Hybrid setup) is that 
Sysmon will be running on all workstations (onsite/offsite), and all 
workstations will be configured with Windows Event Forwarding to forward 
logs to a log collector (OSSEC). From here the log collector will forward 
information to Security Onion (sensor)

--The log collector should be running the OSSEC agent, correct?  Or is 
this to run the manager?  I guess my impression was that the agent only 
collected logs locally, but from what I have read gives me the impression 
that the agent can be forwarded logs and forward those logs as well? 

Again please excuse my ignorance--if anyone could clarify or could point me 
towards some more information, I would greatly appreciate it.

Thanks,

Wes




Re: [ossec-list] Sysmon-Enriched Log Collection and Windows Event Forwarding

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 9:15 AM, "Wes"  wrote:
>
> Please excuse me if this is not the proper place, but I was reading
Josh's paper (
https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837)
in regard to the use of Sysmon, Windows Event Collector Framework, and
OSSEC to forward logs from Windows workstations and servers to Security
Onion, but I wanted to be sure about a thing or two before I began such a
project.
>
> From the paper, I can see that the intention (for the Hybrid setup) is
that Sysmon will be running on all workstations (onsite/offsite), and all
workstations will be configured with Windows Event Forwarding to forward
logs to a log collector (OSSEC). From here the log collector will forward
information to Security Onion (sensor)
>
> --The log collector should be running the OSSEC agent, correct?  Or is
this to run the manager?  I guess my impression was that the agent only
collected logs locally, but from what I have read gives me the impression
that the agent can be forwarded logs and forward those logs as well?
>

I've only skimmed the hybrid section of the paper, and I don't know a lot
about Windows Event Forwarder, but I would assume the log collector is a
Windows system. Because of that it can only run the OSSEC agent software.
It looks like the collector collects the logs via WEF, allowing the OSSEC
agent to pull them in, and forwards them onto the OSSEC server.

Josh is on the list though, and I would expect him to reply when he gets a
chance. :-)

> Again please excuse my ignorance--if anyone could clarify or could point
me towards some more information, I would greatly appreciate it.
>
> Thanks,
>
> Wes
>
>


[ossec-list] Wrong time on osserver /var/ossec/logs/ossec.log

2015-09-24 Thread Valentin Yefimov
Greetings friends!

I use OSSEC version 0.8-beta. In the log /var/ossec/logs/ossec.log I see 
strange things... timestamps:

2015/09/24 05:25:55 ossec-analysisd: INFO: 3 IPs in the white list for active response.
2015/09/24 05:25:55 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2015/09/24 05:25:55 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2015/09/24 05:25:55 ossec-analysisd: INFO: Started (pid: 30568).
2015/09/24 05:25:56 ossec-monitord: INFO: Started (pid: 30587).
2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2015/09/24 05:25:58 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2015/09/24 05:25:58 ossec-analysisd: No sid search!! XXX
2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/09/24 05:26:09 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 05:26:09 ossec-monitord(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2015/09/24 15:26:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:20 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2015/09/24 15:26:20 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/09/24 15:26:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:24 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/09/24 15:27:09 ossec-testrule: INFO: Reading local decoder file.
2015/09/24 15:27:10 ossec-testrule: INFO: Started (pid: 2584).
2015/09/24 15:27:11 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2015/09/24 15:27:11 ossec-execd: INFO: Started (pid: 2627).
2015/09/24 05:27:11 ossec-analysisd: INFO: Reading local decoder file.
2015/09/24 05:27:11 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2015/09/24 05:27:11 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'

Service ossec-analysisd lives in the past tense! ;) And agents are not 
active...
The right time on the server is 2015/09/24 15:27 and not 05:25! I set up the 
NTP client to synchronize time... long before that.
Who can tell me what's wrong?


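Added example (not from the thread and not OSSEC's own code): a script that parses ossec.log lines in the format pasted above and reports which daemons' clocks are a whole number of hours off from the rest, relying on ossec.log being append-only so that adjacent entries were written seconds apart in real time. The sample lines are a constructed subset of the log in the post; the regular expression for the line format is an assumption derived from those lines.

```python
"""Flag OSSEC daemons whose ossec.log timestamps disagree with the others
(added example, not part of OSSEC)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the lines pasted in the post.
SAMPLE_LOG = """\
2015/09/24 05:25:55 ossec-analysisd: INFO: Started (pid: 30568).
2015/09/24 05:25:56 ossec-monitord: INFO: Started (pid: 30587).
2015/09/24 15:26:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/09/24 05:26:09 ossec-monitord(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2015/09/24 15:26:20 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2015/09/24 15:27:10 ossec-testrule: INFO: Started (pid: 2584).
2015/09/24 15:27:11 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2015/09/24 05:27:11 ossec-analysisd: INFO: Reading local decoder file.
"""

# Assumed line format: "YYYY/MM/DD HH:MM:SS daemon[(code)]: message".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-[a-z]+)")


def parse_entries(text):
    """Return [(datetime, daemon)] for every line in ossec.log format;
    lines that do not match (continuations, blank lines) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append((stamp, m.group(2)))
    return entries


def clock_offsets(text):
    """Map each daemon to its clock offset in whole hours relative to the
    majority of daemons (0 means it agrees with the majority)."""
    entries = parse_entries(text)
    if not entries:
        return {}
    raw = {}  # daemon -> offset in hours relative to the first daemon seen
    prev_t, prev_d = entries[0]
    raw[prev_d] = 0
    for t, d in entries[1:]:
        # Adjacent entries differ by seconds in real time, so a whole-hour
        # jump between them is a clock-domain change between two daemons.
        jump = int(round((t - prev_t).total_seconds() / 3600.0))
        raw.setdefault(d, raw[prev_d] + jump)
        prev_t, prev_d = t, d
    majority = Counter(raw.values()).most_common(1)[0][0]
    return {d: off - majority for d, off in raw.items()}


def skewed_daemons(text):
    """Sorted list of daemons whose clock differs from the majority."""
    return sorted(d for d, off in clock_offsets(text).items() if off != 0)


if __name__ == "__main__":
    # On the real file:  python clock_skew.py < /var/ossec/logs/ossec.log
    for daemon, off in sorted(clock_offsets(SAMPLE_LOG).items()):
        print("%-20s %+d h" % (daemon, off))
```

On the sample this reports ossec-analysisd and ossec-monitord as 10 hours behind, and those are the two daemons in this log that chroot into /var/ossec: a chrooted process cannot read the host's /etc/localtime and falls back to UTC, so their log times only match the other daemons when a copy of the zone file exists at /var/ossec/etc/localtime.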


Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
Dan, do you currently have OSSEC installed on a Solaris machine?
If so, could you please tell me where opensslconf.h is located on your 
system?

thanks,
theresa

Am Mittwoch, 23. September 2015 15:02:25 UTC+2 schrieb dan (ddpbsd):
>
>
> On Sep 23, 2015 8:59 AM, "theresa mic-snare"  > wrote:
> >
> > by the way:
> >
> > I have found the file opensslconf.h that is allegedly missing on my 
> server...
> > it's located under:
> > /usr/sfw/include/openssl/opensslconf.h
> >
> > is the path maybe somewhere hardcoded, so that it's maybe looking in the 
> wrong place?
> >
>
> That would be my guess.
>
> > cheers,
> > theresa
> >
> >
> > Am Mittwoch, 23. September 2015 14:45:05 UTC+2 schrieb theresa mic-snare:
> >>
> >> Hi everyone,
> >>
> >> I was just trying to compile OSSEC 2.8.2 on a Solaris 10 (SPARC) 
> server, and got the following error:
> >>
> >>  *** Making os_crypto *** 
> >>
> >> /opt/csw/bin/gcc -g -Wall -I../../ -I../../headers 
>  -DDEFAULTDIR=\"/var/ossec\" -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST   
>-DARGV0=\"blowfish_op\" -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
> >> In file included from bf_skey.c:62:0:
> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> directory
> >>  #include  /* BF_PTR, BF_PTR2 */
> >>^
> >> compilation terminated.
> >> In file included from bf_enc.c:60:0:
> >> bf_locl.h:69:55: fatal error: openssl/opensslconf.h: No such file or 
> directory
> >>  #include  /* BF_PTR, BF_PTR2 */
> >>^
> >> compilation terminated.
> >> *** Error code 1
> >> make: Fatal error: Command failed for target `bf'
> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
> >> *** Error code 1
> >> The following command caused the error:
> >> cd blowfish; make
> >> make: Fatal error: Command failed for target `os_crypto'
> >> Current working directory /root/ossec-hids-2.8.2/src/os_crypto
> >>
> >> Error Making os_crypto
> >> *** Error code 1
> >> The following command caused the error:
> >> /bin/bash ./Makeall all
> >> make: Fatal error: Command failed for target `all'
> >>
> >>  Error 0x5.
> >>  Building error. Unable to finish the installation.
> >>
> >>
> >>
> >> I think there seems to be some kind of OpenSSL dependency issue...
> >> I have also added the following lines in the install.sh script (to make 
> sure the OpenSSL libraries get linked)
> >> echo "DEXTRA=-DUSE_OPENSSL" >> ./src/Config.OS
> >> echo "OPENSSLCMD=-lssl -lcrypto" >> ./src/Config.OS
> >>
> >>
> >> I'm using the following OpenSSL version:
> >> OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
> CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 
> CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 
> CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 
> CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 
> CVE-2012-2333 CVE-2013-0166 CVE-2013-0169)
> >>
> >> anyone come across the same problem?
> >>
> >> cheers,
> >> theresa
> >


Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread dan (ddp)
On Thu, Sep 24, 2015 at 9:24 AM, theresa mic-snare
 wrote:
> Of course you were right, Dan!
> I had to export CC to point to where GCC is installed (in my case
> /opt/csw/bin/gcc).
>
> That worked perfectly, until I ran into yet another problem. But this time I think
> something's wrong with my ssl.h in /usr/include/openssl/ssl.h
>
>  *** Making os_auth ***
>
> /opt/csw/bin/gcc -g -Wall -I../ -I../headers  -DDEFAULTDIR=\"/var/ossec\"
> -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"ossec-authd\"
> -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c
> ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a
> ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a
> ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd

I'm guessing you're missing some -I (capital i) and -L magic in here.
Maybe:
"-I/usr/sfw/include -L/usr/sfw/lib"

I don't remember anyone else reporting these types of issues with this release.
I wish I knew what they did differently than you (maybe not upgrade?).
It would make working with Solaris a little easier in the next
release.

> main-server.c: In function 'ssl_error':
> main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error' discards
> 'const' qualifier from pointer target type
>  switch (SSL_get_error(ssl, ret))
>^
> In file included from auth.h:45:0,
>  from main-server.c:29:
> /usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but
> argument is of type 'const struct SSL *'
>  int SSL_get_error(SSL *s,int ret_code);
>  ^
> ld: fatal: library -lssl: not found
> ld: fatal: library -lcrypto: not found
> ld: fatal: file processing errors. No output written to ossec-authd
> *** Error code 1
> make: Fatal error: Command failed for target `auth1'
> Current working directory /root/ossec-hids-2.8.2/src/os_auth
>
>
>
> Am Donnerstag, 24. September 2015 14:57:08 UTC+2 schrieb dan (ddpbsd):
>>
>>
>> On Sep 24, 2015 8:46 AM, "theresa mic-snare"  wrote:
>> >
>> > it was indeed in a different location :)
>> > i symlinked it to the other location where it should supposedly be
>> > /usr/include/openssl/opensslconf.h
>> >
>> > and ran the installation script again.
>> > but now i'm running into a different error
>> >
>> >  *** Making os_crypto ***
>> >
>> > cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\"
>> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST  -DARGV0=\"blowfish_op\"
>> > -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
>> > cc: -W option with unknown program all
>>
>> That right there makes me think it isn't using gcc as the compiler (-Wall
>> has been around for a while now).
>>
>> > *** Error code 1
>> > make: Fatal error: Command failed for target `bf'
>> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto/blowfish
>> > *** Error code 1
>> > The following command caused the error:
>> > cd blowfish; make
>> > make: Fatal error: Command failed for target `os_crypto'
>> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>> >
>> > Error Making os_crypto
>> > *** Error code 1
>> > The following command caused the error:
>> > /bin/bash ./Makeall all
>> > make: Fatal error: Command failed for target `all'
>> >
>> >  Error 0x5.
>> >  Building error. Unable to finish the installation.
>> >
>> >
>> >
>> > Am Donnerstag, 24. September 2015 14:28:14 UTC+2 schrieb dan (ddpbsd):
>> >>
>> >>
>> >> On Sep 24, 2015 8:23 AM, "theresa mic-snare" 
>> >> wrote:
>> >> >
>> >> > hmm I see.
>> >> > but I managed to build it on a Solaris 11 machine without any
>> >> > problems without having to modify any Make or any other file. Hmm...
>> >> >
>> >>
>> >> Was opensslconf.h in a different location on solaris 11?
>> >>
>> >> >
>> >> > Am Donnerstag, 24. September 2015 14:18:27 UTC+2 schrieb dan
>> >> > (ddpbsd):
>> >> >>
>> >> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare
>> >> >>  wrote:
>> >> >> > Dan, do you currently have OSSEC installed on a Solaris machine?
>> >> >> > if so, could you please tell me where the opensslconf.h is located
>> >> >> > on your
>> >> >> > system?
>> >> >> >
>> >> >>
>> >> >> No, sorry. I can't afford Oracle machines, and I doubt my wife would
>> >> >> appreciate the noise. :P
>> >> >>
>> >> >> I'm guessing you would need "-I/usr/sfw/include" in the build
>> >> >> command
>> >> >> for os_crypto. You might be able to add it to the CFLAGS or LDFLAGS
>> >> >> in
>> >> >> the Config.Make, but I haven't tried any of this.
>> >> >>
>> >> >> > thanks,
>> >> >> > theresa
>> >> >> >
>> >> >> > Am Mittwoch, 23. September 2015 15:02:25 UTC+2 schrieb dan
>> >> >> > (ddpbsd):
>> >> >> >>
>> >> >> >>
>> >> >> >> On Sep 23, 2015 8:59 AM, "theresa mic-snare"
>> >> >> >>  wrote:
>> >> >> >> >
>> >> >> >> > by the way:
>> >> >> >> >
>> >> >> >> > I have found the file opensslconf.h that is allegedly 

Re: [ossec-list] Sysmon-Enriched Log Collection and Windows Event Forwarding

2015-09-24 Thread Wes

Thanks for your help, Dan.

Wes






[ossec-list] ossec-analysisd out of memory

2015-09-24 Thread Thomas Unger
Hello,

I run OSSEC 2.8.1 compiled from source on a CentOS (el6 x64) 8GB box, quite 
stable for over 2 years (incl. previous OSSEC versions).
Last week suddenly there was no processing of alerts. It turned out that 
ossec-analysisd was killed due to out of memory.
Today it happened again, and so I thought I'd write this message here.

There were no system changes. The only thing is that I add new custom rules 
from time to time. Could this be a problem?

Any ideas? The OS is up to date. A reboot after the first crash was done.


This is an excerpt from /var/log/messages

Sep 18 21:08:47 mybox-time kernel: ossec-analysisd invoked oom-killer: gfp_mask=0x280da, order=0, oom_adj=0, oom_score_adj=0
Sep 18 21:08:47 mybox-time kernel: ossec-analysisd cpuset=/ mems_allowed=0
Sep 18 21:08:47 mybox-time kernel: Pid: 4709, comm: ossec-analysisd Not tainted 2.6.32-573.3.1.el6.x86_64 #1
Sep 18 21:08:47 mybox-time kernel: Call Trace:
Sep 18 21:08:47 mybox-time kernel: [] ? cpuset_print_task_mems_allowed+0x91/0xb0
Sep 18 21:08:47 mybox-time kernel: [] ? dump_header+0x90/0x1b0
Sep 18 21:08:47 mybox-time kernel: [] ? security_real_capable_noaudit+0x3c/0x70
Sep 18 21:08:47 mybox-time kernel: [] ? oom_kill_process+0x82/0x2a0
Sep 18 21:08:47 mybox-time kernel: [] ? select_bad_process+0xe1/0x120
Sep 18 21:08:47 mybox-time kernel: [] ? out_of_memory+0x220/0x3c0
Sep 18 21:08:47 mybox-time kernel: [] ? __alloc_pages_nodemask+0x93c/0x950
Sep 18 21:08:47 mybox-time kernel: [] ? alloc_pages_vma+0x9a/0x150
Sep 18 21:08:47 mybox-time kernel: [] ? handle_pte_fault+0x73d/0xb20
Sep 18 21:08:47 mybox-time kernel: [] ? inode_has_perm+0x54/0xa0
Sep 18 21:08:47 mybox-time kernel: [] ? mntput_no_expire+0x30/0x110
Sep 18 21:08:47 mybox-time kernel: [] ? handle_mm_fault+0x299/0x3d0
Sep 18 21:08:47 mybox-time kernel: [] ? __do_page_fault+0x146/0x500
Sep 18 21:08:47 mybox-time kernel: [] ? _atomic_dec_and_lock+0x55/0x80
Sep 18 21:08:47 mybox-time kernel: [] ? cp_new_stat+0xe4/0x100
Sep 18 21:08:47 mybox-time kernel: [] ? do_page_fault+0x3e/0xa0
Sep 18 21:08:47 mybox-time kernel: [] ? page_fault+0x25/0x30
Sep 18 21:08:47 mybox-time kernel: Mem-Info:
Sep 18 21:08:47 mybox-time kernel: Node 0 DMA per-cpu:
Sep 18 21:08:47 mybox-time kernel: CPU0: hi:0, btch:   1 usd:   0
Sep 18 21:08:47 mybox-time kernel: CPU1: hi:0, btch:   1 usd:   0
Sep 18 21:08:47 mybox-time kernel: CPU2: hi:0, btch:   1 usd:   0
Sep 18 21:08:47 mybox-time kernel: CPU3: hi:0, btch:   1 usd:   0
Sep 18 21:08:47 mybox-time kernel: Node 0 DMA32 per-cpu:
Sep 18 21:08:47 mybox-time kernel: CPU0: hi:  186, btch:  31 usd:  37
Sep 18 21:08:47 mybox-time kernel: CPU1: hi:  186, btch:  31 usd:  20
Sep 18 21:08:47 mybox-time kernel: CPU2: hi:  186, btch:  31 usd:  43
Sep 18 21:08:47 mybox-time kernel: CPU3: hi:  186, btch:  31 usd:  30
Sep 18 21:08:47 mybox-time kernel: Node 0 Normal per-cpu:
Sep 18 21:08:47 mybox-time kernel: CPU0: hi:  186, btch:  31 usd:  40
Sep 18 21:08:47 mybox-time kernel: CPU1: hi:  186, btch:  31 usd: 155
Sep 18 21:08:47 mybox-time kernel: CPU2: hi:  186, btch:  31 usd: 125
Sep 18 21:08:47 mybox-time kernel: CPU3: hi:  186, btch:  31 usd:  48
Sep 18 21:08:47 mybox-time kernel: active_anon:1614908 inactive_anon:328929 isolated_anon:0
Sep 18 21:08:47 mybox-time kernel: active_file:48 inactive_file:1234 isolated_file:0
Sep 18 21:08:47 mybox-time kernel: unevictable:0 dirty:12 writeback:0 unstable:0
Sep 18 21:08:47 mybox-time kernel: free:25770 slab_reclaimable:2230 slab_unreclaimable:15166
Sep 18 21:08:47 mybox-time kernel: mapped:226 shmem:19 pagetables:8230 bounce:0
Sep 18 21:08:47 mybox-time kernel: Node 0 DMA free:15660kB min:124kB low:152kB high:184kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15268kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
Sep 18 21:08:47 mybox-time kernel: lowmem_reserve[]: 0 3000 8050 8050
Sep 18 21:08:47 mybox-time kernel: Node 0 DMA32 free:45112kB min:25140kB low:31424kB high:37708kB active_anon:2181396kB inactive_anon:572004kB active_file:16kB inactive_file:388kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3072160kB mlocked:0kB dirty:8kB writeback:0kB mapped:16kB shmem:0kB slab_reclaimable:436kB slab_unreclaimable:200kB kernel_stack:0kB pagetables:2532kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:43 all_unreclaimable? yes
Sep 18 21:08:47 mybox-time kernel: lowmem_reserve[]: 0 0 5050 5050
Sep 18 21:08:47 mybox-time kernel: Node 0 Normal free:42308kB min:42316kB low:52892kB high:63472kB active_anon:4278236kB inactive_anon:743712kB active_file:176kB inactive_file:4548kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:5171200kB mlocked:0kB dirty:40kB 

Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread theresa mic-snare
Where shall I put this?

Am Donnerstag, 24. September 2015 15:34:07 UTC+2 schrieb dan (ddpbsd):
>
> On Thu, Sep 24, 2015 at 9:24 AM, theresa mic-snare 
>  wrote: 
> > of course you were right, Dan! 
> > I had to export CC to point to where GCC is installed (in my case in 
> > /opt/csw/bin/gcc) 
> > 
> > worked perfectly, until I ran in yet another problem. but this time I 
> think 
> > something's wrong with my ssl.h in /usr/include/openssl/ssl.h 
> > 
> >  *** Making os_auth *** 
> > 
> > /opt/csw/bin/gcc -g -Wall -I../ -I../headers 
>  -DDEFAULTDIR=\"/var/ossec\" 
> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST 
>  -DARGV0=\"ossec-authd\" 
> > -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c 
> > ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a 
> > ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a 
> > ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd 
>
> I'm guessing you're missing some -I (capital i) and -L magic in here. 
> Maybe: 
> "-I/usr/sfw/include -L/usr/sfw/lib" 
>
> I don't remember anyone else reporting these types of issues with this 
> release. 
> I wish I knew what they did differently than you (maybe not upgrade?). 
> It would make working with Solaris a little easier in the next 
> release. 
>
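Added example (not OSSEC's own code and not from the thread): a small locator that turns the "-I/usr/sfw/include -L/usr/sfw/lib" hint above into a search over the usual Solaris prefixes and prints the two Config.OS lines quoted earlier in the thread with the extra paths folded in. It relies on what the pasted build output shows, namely that the -DUSE_OPENSSL put into DEXTRA appears in every compile command and the -lssl -lcrypto from OPENSSLCMD at the end of the ossec-authd link command; the prefix list and the helper that builds a throwaway /usr/sfw-style tree for an offline run are assumptions.

```python
"""Locate OpenSSL under a non-standard prefix and print Config.OS lines that
carry its -I/-L paths into the OSSEC 2.8.2 build (added example, not part of
OSSEC or its install.sh)."""
import os
import sys
import tempfile

# Prefixes where OpenSSL commonly lives on Solaris 10/11 (assumed list; the
# thread's /usr/sfw is the Solaris 10 freeware tree, /opt/csw is OpenCSW).
DEFAULT_PREFIXES = ("/usr", "/usr/sfw", "/opt/csw", "/usr/local")
# Directories the compiler and linker search without any -I/-L flag.
IMPLICIT_INCLUDE = "/usr/include"
IMPLICIT_LIB = "/usr/lib"


def _has_lib(directory, name):
    """True if directory holds a shared or static lib<name>."""
    return any(os.path.isfile(os.path.join(directory, "lib%s.%s" % (name, ext)))
               for ext in ("so", "a"))


def find_openssl(prefixes=DEFAULT_PREFIXES):
    """Return (include_dir, lib_dir): the first directory under the given
    prefixes holding openssl/opensslconf.h, and the first holding both
    libssl and libcrypto. Either is None when nothing was found."""
    include_dir = lib_dir = None
    for prefix in prefixes:
        inc = os.path.join(prefix, "include")
        if include_dir is None and os.path.isfile(
                os.path.join(inc, "openssl", "opensslconf.h")):
            include_dir = inc
        # Solaris keeps 64-bit libraries in lib/64 beside the 32-bit ones.
        for sub in ("lib", "lib/64"):
            lib = os.path.join(prefix, sub)
            if lib_dir is None and _has_lib(lib, "ssl") and _has_lib(lib, "crypto"):
                lib_dir = lib
    return include_dir, lib_dir


def config_os_lines(include_dir, lib_dir):
    """Build the two Config.OS assignments from the thread, adding -I/-L only
    when the directories found are not ones the toolchain searches anyway.
    make keeps the last assignment of a variable, so appending these after
    the lines install.sh already wrote is enough."""
    cflags = ["-DUSE_OPENSSL"]
    if include_dir and include_dir != IMPLICIT_INCLUDE:
        cflags.append("-I" + include_dir)
    ldflags = []
    if lib_dir and lib_dir != IMPLICIT_LIB:
        # -L finds the library at link time; -Wl,-R records the directory in
        # the binary so the Solaris runtime linker also finds it at start-up
        # (gcc syntax; Sun cc takes -R directly).
        ldflags += ["-L" + lib_dir, "-Wl,-R" + lib_dir]
    ldflags += ["-lssl", "-lcrypto"]
    return ["DEXTRA=" + " ".join(cflags), "OPENSSLCMD=" + " ".join(ldflags)]


def make_fake_prefix():
    """Constructed sample input: a throwaway directory laid out like /usr/sfw
    with OpenSSL headers and libraries, so the search can be tried offline."""
    prefix = tempfile.mkdtemp(prefix="fake-sfw-")
    os.makedirs(os.path.join(prefix, "include", "openssl"))
    os.makedirs(os.path.join(prefix, "lib"))
    for rel in ("include/openssl/opensslconf.h", "lib/libssl.so", "lib/libcrypto.so"):
        open(os.path.join(prefix, rel), "w").close()
    return prefix


if __name__ == "__main__":
    # Usage on the build host, before running install.sh (extra prefixes may
    # be given as arguments):  python find_openssl.py >> ./src/Config.OS
    searched = tuple(sys.argv[1:]) + DEFAULT_PREFIXES
    inc, lib = find_openssl(searched)
    if inc is None or lib is None:
        sys.exit("OpenSSL headers or libraries not found; searched: "
                 + ", ".join(searched))
    print("\n".join(config_os_lines(inc, lib)))
```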

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-24 Thread DefensiveDepth

> @Dan, added and tried the build again - errored out with the same exact 
> message.

-Josh 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Sysmon-Enriched Log Collection and Windows Event Forwarding

2015-09-24 Thread DefensiveDepth
Greetings Wes,

Yes, Dan is correct - the "collector" is a Windows server that has the 
OSSEC client installed on it and configured through  to 
forward the logs onto the SO sensor.

You don't have to use WEF for collecting the logs... You could use the 
OSSEC client installed locally, nxlog, or something else like that. 

-Josh

On Thursday, September 24, 2015 at 9:37:23 AM UTC-4, Wes wrote:
>
>
> Thanks for your help, Dan.
>
> Wes
>
>
>
>
> On Thursday, September 24, 2015 at 9:28:04 AM UTC-4, dan (ddpbsd) wrote:
>>
>>
>> On Sep 24, 2015 9:15 AM, "Wes"  wrote:
>> >
>> > Please excuse me if this is not the proper place, but I was reading 
>> Josh's paper (
>> https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837)
>>  
>> in regard to the use of Sysmon, Windows Event Collector Framework, and 
>> OSSEC to forward logs from Windows workstations and servers to Security 
>> Onion, but I wanted to be sure about a thing or two before I began such a 
>> project.  
>> >
>> > From the paper, I can see that the intention (for the Hybrid setup) is 
>> that Sysmon will be running on all workstations (onsite/offsite), and all 
>> workstations will be configured with Windows Event Forwarding to forward 
>> logs to a log collector (OSSEC). From here the log collector will forward 
>> information to Security Onion (sensor)
>> >
>> > --The log collector should be running the OSSEC agent, correct?  Or is 
>> this to run the manager?  I guess my impression was that the agent only 
>> collected logs locally, but from what I have read gives me the impression 
>> that the agent can be forwarded logs and forward those logs as well? 
>> >
>>
>> I've only skimmed the hybrid section of the paper, and I don't know a lot 
>> about windows event forwarder, but I would assume the log collector is a 
>> windows system. Because of that it can only run the ossec agent software. 
>> It looks like the collector collects the logs via wef, allowing the ossec 
>> agent to pull them in, and forwards them onto the ossec server.
>>
>> Josh is on the list though, and I would expect him to reply when he gets 
>> a chance. :-)
>>
>> > Again please excuse my ignorance--if anyone could clarify or could 
>> point me towards some more information, I would greatly appreciate it.
>> >
>> > Thanks,
>> >
>> > Wes
>> >
>> >
>> > -- 
>> >
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
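For readers setting up the collector Josh describes, here is an added example of the agent-side ossec.conf fragment it would carry; it is not taken from Josh's paper or from the OSSEC project, and the sensor address 192.0.2.10 is a placeholder. The WEF subscription that delivers the workstations' events into the collector's ForwardedEvents channel is configured separately on Windows (Event Viewer or wecutil); the OSSEC agent only reads that channel and ships it to the manager on the Security Onion sensor.

```xml
<ossec_config>
  <client>
    <!-- Placeholder: the Security Onion sensor running the OSSEC manager -->
    <server-ip>192.0.2.10</server-ip>
  </client>

  <!-- Events forwarded by the WEF subscription from remote workstations.
       "eventchannel" is required here: the older "eventlog" format only
       reads the classic Application/System/Security logs and cannot see
       ForwardedEvents or Sysmon's channel. -->
  <localfile>
    <location>ForwardedEvents</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- The collector's own Sysmon events, if Sysmon is installed on it too -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

Two caveats for this setup: eventchannel only works on Vista/2008 and later, and it needs a Windows agent actually built with EventChannel support, which is exactly what the "Merge EventChannel fix into 2.8?" thread on this page is about for the 2.8.2 build. Also, because every forwarded event now appears to come from the collector's agent, the original workstation is only identifiable from the event body (the Computer field), not from the OSSEC agent name, so rules that key on agent name need to look inside the event instead.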


[ossec-list] Ignore file/dir in a given timeframe

2015-09-24 Thread MatthijsG
On my VPS, cron does some updating for files. This happens every day at 
4.30 am. And every day at 4.31 I get an alert from Ossec. So, Ossec is 
working ;-)

I know how to add a rule to  a file or folder. However, is it 
possible to ignore a file or folder between - let's say - 4 and 5 am? 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Ignore file/dir in a given timeframe

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 10:15 AM, "MatthijsG"  wrote:
>
> On my VPS, cron does some updating for files. This happens every day at
4.30 am. And every day at 4.31 I get an alert from Ossec. So, Ossec is
working ;-)
>
> I know how to add a rule to  a file or folder. However, is it
possible to ignore a file or folder between - let's say - 4 and 5 am?
>

Look at the time rule option.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
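One way to apply the time option Dan points at, as an added example rather than anything posted on the list: a level-0 child of the syscheck rules that only fires inside the maintenance window. The directory /var/www/html and the rule id 100100 are assumptions; substitute the path cron actually rewrites. This goes in local_rules.xml, which OSSEC already includes.

```xml
<group name="local,syscheck,">
  <!-- Assumed: cron rewrites files under /var/www/html daily at 04:30.
       550 = checksum changed, 553 = file deleted, 554 = file added.
       Level 0 means the event still matches but produces no alert.
       <match> is a plain substring match against the syscheck message,
       which contains the full path, so the window only silences this tree. -->
  <rule id="100100" level="0">
    <if_sid>550,553,554</if_sid>
    <match>/var/www/html/</match>
    <time>4:00-5:00</time>
    <description>Ignore expected cron changes under /var/www/html between 04:00 and 05:00.</description>
  </rule>
</group>
```

Two things to check before relying on this. The time is evaluated on the manager's clock when the syscheck event is analysed, not when cron ran, so with a periodic syscheck scan the change can surface hours later and fall outside the window; keep the window this narrow only if the directory is under realtime monitoring or the scan frequency is short. And keep the `<match>` in place: a time-only rule would silence every integrity change on the host during that hour, which is precisely the window an attacker who has read the crontab would pick.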


Re: [ossec-list] Re: Solaris 10 compile error

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 10:05 AM, "theresa mic-snare" 
wrote:
>
> where shall I put this?
>

src/os_crypto/blowfish/Makefile maybe?

>
> Am Donnerstag, 24. September 2015 15:34:07 UTC+2 schrieb dan (ddpbsd):
>>
>> On Thu, Sep 24, 2015 at 9:24 AM, theresa mic-snare
>>  wrote:
>> > of course you were right, Dan!
>> > I had to export CC to point to where GCC is installed (in my case in
>> > /opt/csw/bin/gcc)
>> >
>> > worked perfectly, until I ran in yet another problem. but this time I
think
>> > something's wrong with my ssl.h in /usr/include/openssl/ssl.h
>> >
>> >  *** Making os_auth ***
>> >
>> > /opt/csw/bin/gcc -g -Wall -I../ -I../headers
 -DDEFAULTDIR=\"/var/ossec\"
>> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST
 -DARGV0=\"ossec-authd\"
>> > -DOSSECHIDS -lsocket -lnsl -lresolv main-server.c ssl.c
>> > ../addagent/validate.c ../config/lib_config.a ../shared/lib_shared.a
>> > ../os_net/os_net.a ../os_regex/os_regex.a ../os_crypto/os_crypto.a
>> > ../os_zlib/os_zlib.c ../external/libz.a -lssl -lcrypto -o ossec-authd
>>
>> I'm guessing you're missing some -I (capital i) and -L magic in here.
>> Maybe:
>> "-I/usr/sfw/include -L/usr/sfw/lib"
>>
>> I don't remember anyone else reporting these types of issues with this
release.
>> I wish I knew what they did differently than you (maybe not upgrade?).
>> It would make working with Solaris a little easier in the next
>> release.
>>
>> > main-server.c: In function 'ssl_error':
>> > main-server.c:53:31: warning: passing argument 1 of 'SSL_get_error'
discards
>> > 'const' qualifier from pointer target type
>> >  switch (SSL_get_error(ssl, ret))
>> >^
>> > In file included from auth.h:45:0,
>> >  from main-server.c:29:
>> > /usr/include/openssl/ssl.h:1408:5: note: expected 'struct SSL *' but
>> > argument is of type 'const struct SSL *'
>> >  int SSL_get_error(SSL *s,int ret_code);
>> >  ^
>> > ld: fatal: library -lssl: not found
>> > ld: fatal: library -lcrypto: not found
>> > ld: fatal: file processing errors. No output written to ossec-authd
>> > *** Error code 1
>> > make: Fatal error: Command failed for target `auth1'
>> > Current working directory /root/ossec-hids-2.8.2/src/os_auth
>> >
>> >
>> >
>> > Am Donnerstag, 24. September 2015 14:57:08 UTC+2 schrieb dan (ddpbsd):
>> >>
>> >>
>> >> On Sep 24, 2015 8:46 AM, "theresa mic-snare" 
wrote:
>> >> >
>> >> > it was indeed in a different location :)
>> >> > i symlinked it to the other location where it should supposedly be
>> >> > /usr/include/openssl/opensslconf.h
>> >> >
>> >> > and ran the installation script again.
>> >> > but now i'm running into a different error
>> >> >
>> >> >  *** Making os_crypto ***
>> >> >
>> >> > cc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\"
>> >> > -DCLIENT -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST
 -DARGV0=\"blowfish_op\"
>> >> > -DOSSECHIDS -c bf_op.c bf_skey.c bf_enc.c
>> >> > cc: -W option with unknown program all
>> >>
>> >> That right there makes me think it isn't using gcc as the compiler
(-Wall
>> >> has been around for a while now).
>> >>
>> >> > *** Error code 1
>> >> > make: Fatal error: Command failed for target `bf'
>> >> > Current working directory
/root/ossec-hids-2.8.2/src/os_crypto/blowfish
>> >> > *** Error code 1
>> >> > The following command caused the error:
>> >> > cd blowfish; make
>> >> > make: Fatal error: Command failed for target `os_crypto'
>> >> > Current working directory /root/ossec-hids-2.8.2/src/os_crypto
>> >> >
>> >> > Error Making os_crypto
>> >> > *** Error code 1
>> >> > The following command caused the error:
>> >> > /bin/bash ./Makeall all
>> >> > make: Fatal error: Command failed for target `all'
>> >> >
>> >> >  Error 0x5.
>> >> >  Building error. Unable to finish the installation.
>> >> >
>> >> >
>> >> >
>> >> > Am Donnerstag, 24. September 2015 14:28:14 UTC+2 schrieb dan
(ddpbsd):
>> >> >>
>> >> >>
>> >> >> On Sep 24, 2015 8:23 AM, "theresa mic-snare" 
>> >> >> wrote:
>> >> >> >
>> >> >> > hmm I see.
>> >> >> > but I managed to build it on a Solaris 11 machine without any
>> >> >> > problems without having to modify any Make or any other
file. Hmm...
>> >> >> >
>> >> >>
>> >> >> Was opensslconf.h in a different location on solaris 11?
>> >> >>
>> >> >> >
>> >> >> > Am Donnerstag, 24. September 2015 14:18:27 UTC+2 schrieb dan
>> >> >> > (ddpbsd):
>> >> >> >>
>> >> >> >> On Thu, Sep 24, 2015 at 8:14 AM, theresa mic-snare
>> >> >> >>  wrote:
>> >> >> >> > Dan, do you currently have OSSEC installed on a Solaris
machine?
>> >> >> >> > if so, could you please tell me where the opensslconf.h is
located
>> >> >> >> > on your
>> >> >> >> > system?
>> >> >> >> >
>> >> >> >>
>> >> >> >> No, sorry. I can't afford Oracle machines, and I doubt my wife
would
>> >> >> >> appreciate the noise. :P
>> >> >> >>
>> >> >> >> I'm guessing you would need "-I/usr/sfw/include" in 

Re: [ossec-list] ossec-remoted not running

2015-09-24 Thread Matt Hickie
Hi Dan - thanks for the reply.

Further research showed the /var/ossec/queue ownership as root:ossec.  

I changed this to ossec:ossec.  I left the permissions at 750.

Time to change my puppet scripts and rebake the image.  It is a mystery how 
it ever worked with settings like this.

Again - Thanks!
Matt

On Tuesday, September 22, 2015 at 7:16:33 PM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, Sep 22, 2015 at 4:56 AM, Matt Hickie  > wrote: 
> > Running into an issue with ossec-remoted not running.  Setup had been 
> > working for over a couple of months and now the remoted process just 
> seems 
> > to die.  This is running on AWS linux 
> > 
> > Enabled debug with gdb. 
> > 
> > /var/ossec/bin/ossec-control enable debug 
> > /var/ossec/bin/ossec-control restart 
> > 
> > ran ossec-remoted in gdb. Below is output. 
> > 
> > Any help would be greatly appreciated. I am a bit worried I have 
> exceeded 
> > the max agents.  It should not be that many >256 yet and was hopping to 
> see 
> > something from the gdb. 
> > 
>
> If there are more than 256, did you recompile with support for more 
> agents? Are there any log messages in the ossec.log related to 
> remoted? 
>
> > Thanks! 
> > 
> > gdb output 
> >  
> > gdb /var/ossec/bin/ossec-remoted 
> > GNU gdb (GDB) Amazon Linux (7.6.1-51.27.amzn1) 
> > Copyright (C) 2013 Free Software Foundation, Inc. 
> > License GPLv3+: GNU GPL version 3 or later 
> >  
> > This is free software: you are free to change and redistribute it. 
> > There is NO WARRANTY, to the extent permitted by law.  Type "show 
> copying" 
> > and "show warranty" for details. 
> > This GDB was configured as "x86_64-amazon-linux-gnu". 
> > For bug reporting instructions, please see: 
> > ... 
> > Reading symbols from /var/ossec/bin/ossec-remoted...Reading symbols from 
> > /usr/lib/debug/var/ossec/bin/ossec-remoted.debug... 
> > warning: Skipping deprecated .gdb_index section in 
> > /usr/lib/debug/var/ossec/bin/ossec-remoted.debug. 
> > Do "set use-deprecated-index-sections on" before the file is read 
> > to use the section anyway. 
> > done. 
> > done. 
> > (gdb) set follow-fork-mode child 
> > (gdb) run 
> > Starting program: /var/ossec/bin/ossec-remoted 
> > [Thread debugging using libthread_db enabled] 
> > Using host libthread_db library "/lib64/libthread_db.so.1". 
> > 2015/09/21 23:05:34 ossec-remoted: DEBUG: Starting ... 
> > [New process 7230] 
> > [Thread debugging using libthread_db enabled] 
> > Using host libthread_db library "/lib64/libthread_db.so.1". 
> > [New process 7231] 
> > [Thread debugging using libthread_db enabled] 
> > Using host libthread_db library "/lib64/libthread_db.so.1". 
> > [New process 7232] 
> > [Thread debugging using libthread_db enabled] 
> > Using host libthread_db library "/lib64/libthread_db.so.1". 
> > [New Thread 0x775f2700 (LWP 7233)] 
> > [New Thread 0x76df1700 (LWP 7234)] 
> > [Thread 0x76df1700 (LWP 7234) exited] 
> > [Thread 0x775f2700 (LWP 7233) exited] 
> > [Inferior 4 (process 7232) exited with code 01] 
> > (gdb) 
> > 
>
> Did you run any other commands to try and get any more info? 
>
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-24 Thread SoulAuctioneer
That is my doing. When fixing CVE-2015-3222 I inadvertently broke the 
Windows builds with my backport to 2.8.2. I fixed in the master branch so 
2.9 wouldn't have the problem but never felt the need to backport the fix 
but since we are doing another 2.8.x release it seems like we should. You 
need some form of this to get things working again:

https://github.com/awiddersheim/ossec-hids/commit/d65dc132b5da831ec3c3c8b20b9c19862616cfac

Sorry about that.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-24 Thread DefensiveDepth
I should make it clear that I am using this as a guide:

http://ossec-docs.readthedocs.org/en/latest/manual/installation/compile-ossec-mingw.html

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Windows agent key import

2015-09-24 Thread dan (ddp)
On Sep 24, 2015 3:00 PM, "Derek Day"  wrote:
>
> I'm trying to automate the install of 3000+ 2.8 windows agents. I know
there is a silent switch to install the agent, but is there a way to import
the extracted key during the install also?
>

If you search the group there are a number of possible solutions that have
been posted over the years.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Splunk for OSSEC a

2015-09-24 Thread Jamey B
Hi,

Do you get the same result if you set the time span to 7 days? 30 days?
Have you set OSSEC to log these alerts or change the alert levels?
Do you have one OSSEC server, or multiple OSSEC Servers?

I would also ensure you're sending via SYSLOG to the appropriate Splunk 
instance (some installs might only listen to 514). What may be happening is 
the server is reporting the stats as it should, but it isn't forwarding 
SYSLOG to Splunk correctly.



On Wednesday, September 23, 2015 at 10:07:13 AM UTC-4, Edward wrote:
>
> Hello people,
>
> On my Ossec server I have installed splunk and also the ossec app for 
> splunk.
> I see now a nice dashboard, but if I look at the figures :
>
>
>
> 
>
>
>
>
>
> if you look at signatures, you see number with no description.
>
>
> 
>
>
>
> When you click on it, it shows zero data.
>
>
> 
>
>
> Have you seen this before?
> Thi is very annoying, because there is 100 times more of this sort and the 
> reports will get very messy.
>
>
>
>
>
> 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Windows agent key import

2015-09-24 Thread Derek Day
I'm trying to automate the install of 3000+ 2.8 windows agents. I know 
there is a silent switch to install the agent, but is there a way to import 
the extracted key during the install also? 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Active response srcip changes whether response is executed

2015-09-24 Thread Ben
Glen,

Any advice on changing rsyslog format from hostname to IP addresses? I am 
running on CentOS 6.5, and wanting to change the log hostname to IP 
address, so I can pass the variable to AR command, then I will get to your 
same problem:-) Thanks.

On Monday, February 9, 2015 at 5:13:35 PM UTC-5, Glen Leeder wrote:
>
> Thanks Dan,
>
> I've changed my rsyslog format to IP addresses instead of hosts and all is 
> good.
>
> Do you know whether the  directive requires that 
> srcip is specified or will it work without that?
>
> Glen
>
> On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder  wrote: 
>> > Hi, 
>> > 
>> > I using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I 
>> have 
>> > the following local_rules.xml defined to exercise syslog monitoring : 
>> > $ sudo more /var/ossec/rules/local_rules.xml 
>> >  
>> >
>> > OSSEC-TESTER-RULE 
>> > OSSEC Test Alert 
>> >
>> >  
>> > 
>> > When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"), an 
>> active 
>> > response is executed due to this ossec.conf: 
>> >  
>> > post2slack 
>> > ar_slack.sh 
>> >  
>> > no 
>> >  
>> > 
>> >  
>> > post2slack 
>> > local 
>> > 4 
>> >  
>> > 
>> > This works as expected provided I do not populate the command  
>> > field. If I specify srcip the alert still triggers, 
>> > however, the active response is no longer executed. the syslog entry 
>> ends up 
>> > as something like: 
>> > Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE 
>> > 
>>
>> There is no IP in this log message to be decoded, so it makes sense 
>> that AR won't be triggered if it expects there to be a source ip. 
>>
>> > I can't determine from the documentation whether this should work or 
>> not. 
>> > myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs 
>> > specified anyway (my end goal is a to have some white_listing which is 
>> why I 
>> > specified srcip). 
>> > 
>> > Is there an implicit white_list default or another reason why 
>> specifying 
>> > srcip causes the response to no longer execute? 
>> > Is srcip required for white_list to work? 
>> > 
>> > Best regards, 
>> > Glen 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to ossec-list+...@googlegroups.com. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Checkpoint OPSEC Certification

2015-09-24 Thread jdean
Hello, I'm trying to get my Checkpoint firewall, ips, vpn, etc. logs into 
OSSEC, but Checkpoint is telling me that it has to be OPSEC certified in 
order to make a connection. If you are pulling your CheckPoint Gaia R77.20 
firewall logs into OSSEC, how did you do it? I have seen the articles on 
forwarding syslog, but those are only the OS log files. I have also seen this 
article on using an 'agent in the middle' to create a secure connection, but there 
has to be a better way. Any help would be greatly appreciated!

Thanks!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-24 Thread SoulAuctioneer
Was talking to Dan today. Will try to put together some merge requests to 
his branch and 2.8.3 that will hopefully fix these things. Hopefully will 
find some time in the next few days to make that happen.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.