[ossec-list] rule dependencies?

2016-02-26 Thread Barry Kaplan
I made an attempt to trim down the rules but ended up with the following error: 2016/02/27 05:05:24 rules_list: Group 'authentication_success' not found. Invalid 'if_group' Do rules need to be loaded in a specific order, or did I remove a file that is depended on by another file? In either case,
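The error above comes from the order in which ossec-analysisd loads rule files: it reads the `<include>` entries under `<rules>` in ossec.conf one file at a time, and a rule's `<if_group>` or `<if_sid>` can only chain to rules that have already been loaded, so trimming away (or reordering) the file that defines a group produces exactly "Group 'x' not found. Invalid 'if_group'". The checker below is an added example written for this page, not OSSEC code or anything posted in the thread; it reproduces that load-order rule over a set of rule files. The two rule files and the ossec.conf fragment are constructed samples (loosely modelled on the shipped sshd rules), and the wording of the `if_sid` message is modelled on analysisd's, not copied from it.

```python
"""Check OSSEC rule files for forward references (added example, not OSSEC code).

analysisd loads rule files in the order of the <include> entries under <rules>
in ossec.conf; <if_group> / <if_sid> may only refer to rules loaded earlier.
The rule files and ossec.conf below are constructed samples.
"""
import xml.etree.ElementTree as ET


def _wrap(xml_text):
    # Rule files and ossec.conf can hold several top-level elements, so they
    # are not well-formed documents on their own; give them a synthetic root.
    return ET.fromstring("<root>" + xml_text + "</root>")


def _text(elem, tag):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def _split(csv):
    # OSSEC group lists are comma separated and usually end with a comma.
    return {p.strip() for p in csv.split(",") if p.strip()}


def include_order(ossec_conf):
    """Rule files in the order analysisd loads them (document order of <include>)."""
    return [inc.text.strip() for inc in _wrap(ossec_conf).findall(".//rules/include")
            if inc.text and inc.text.strip()]


def parse_rules(xml_text):
    """Yield (rule_id, groups, if_group, if_sids) for each <rule>.
    A rule's groups are the enclosing <group name="..."> list plus its own
    <group> element, which is how OSSEC builds the rule's group string."""
    for grp in _wrap(xml_text).findall("group"):
        base = _split(grp.get("name", ""))
        for rule in grp.findall("rule"):
            yield (rule.get("id"), base | _split(_text(rule, "group")),
                   _text(rule, "if_group") or None, _split(_text(rule, "if_sid")))


def check_rule_order(files):
    """files: [(filename, xml_text), ...] in load order. Returns forward-reference
    errors; the if_group wording matches the message seen in the post above."""
    seen_groups, seen_ids, errors = set(), set(), []
    for name, text in files:
        for rid, groups, if_group, if_sids in parse_rules(text):
            if if_group and if_group not in seen_groups:
                errors.append(f"{name}: rule {rid}: Group '{if_group}' not found. Invalid 'if_group'")
            for sid in sorted(if_sids):
                if sid not in seen_ids:
                    errors.append(f"{name}: rule {rid}: Signature ID '{sid}' not found. Invalid 'if_sid'")
            seen_groups |= groups   # only now may later rules chain to this one
            seen_ids.add(rid)
    return errors


# Constructed samples: a cut-down sshd file and a local rule that chains to it.
RULE_FILES = {
    "sshd_rules.xml": """
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>Accepted</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>
</group>
""",
    "local_rules.xml": """
<group name="local,">
  <rule id="100001" level="7">
    <if_group>authentication_success</if_group>
    <match>root</match>
    <description>Successful login as root (local rule).</description>
  </rule>
</group>
""",
}

# Wrong order: local_rules.xml is included before the file that defines the group.
OSSEC_CONF = """
<ossec_config>
  <rules>
    <include>local_rules.xml</include>
    <include>sshd_rules.xml</include>
  </rules>
</ossec_config>
"""


def check_config(ossec_conf, rule_files):
    """Resolve the include order from ossec.conf and check the files in that order."""
    return check_rule_order([(f, rule_files[f]) for f in include_order(ossec_conf)])


if __name__ == "__main__":
    for err in check_config(OSSEC_CONF, RULE_FILES) or ["no forward references"]:
        print(err)
```

Run it against a real installation by reading the files named in the `<include>` list from /var/ossec/rules/ (path assumed) in that order: any file you drop from the list must not define a group or rule id that a later file still chains to, and moving a file earlier in the list does not help if its own `if_group` targets are defined later.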

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Daniel Cid
This is the kind of thing that is likely better (easily) implemented outside of the main ossec managers. Maybe an external tool or cron. I use the following shell script for example (added to cron to run every 10min to restart ossec in case the IP changes): #!/bin/sh mydomain=`cat
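Daniel Cid's cron script is cut off above; the following is a separate, added example in Python (not his script and not part of OSSEC) of the same idea: resolve the manager's name outside the agent, compare it with the `<server-ip>` in the agent's ossec.conf, and rewrite the file and restart the agent only when the address actually changed. It assumes the agent is configured with `<server-ip>` (not `<server-hostname>`), the default paths /var/ossec/etc/ossec.conf and /var/ossec/bin/ossec-control, and the sample config is constructed. The resolver is injectable so the rewrite logic can be exercised without DNS.

```python
"""Re-point an OSSEC agent at a manager whose IP changes (added example, not OSSEC code).

Run from cron outside the agent: resolve the manager's DNS name, compare with
the <server-ip> in the agent's ossec.conf, rewrite and restart only on change.
Assumed paths: /var/ossec/etc/ossec.conf and /var/ossec/bin/ossec-control.
"""
import ipaddress
import os
import re
import socket
import subprocess
import sys

# First <server-ip> element; tolerant of whitespace around the address.
SERVER_IP_RE = re.compile(r"(<server-ip>)\s*([^<\s]*)\s*(</server-ip>)")


def current_server_ip(conf_text):
    m = SERVER_IP_RE.search(conf_text)
    if m is None:
        raise ValueError("agent config has no <server-ip> element")
    return m.group(2)


def plan_update(conf_text, manager_name, resolver=socket.gethostbyname):
    """Return (new_conf_text, resolved_ip, changed).

    `resolver` is injectable so the rewrite logic can be tested without DNS.
    The resolved value is validated as an IP literal before it is written, so
    a broken resolver cannot leave garbage in ossec.conf.
    """
    new_ip = resolver(manager_name)
    ipaddress.ip_address(new_ip)        # raises ValueError on anything that is not an address
    if current_server_ip(conf_text) == new_ip:
        return conf_text, new_ip, False
    new_text = SERVER_IP_RE.sub(lambda m: m.group(1) + new_ip + m.group(3), conf_text, count=1)
    return new_text, new_ip, True


def sync_agent(conf_path, manager_name,
               restart_cmd=("/var/ossec/bin/ossec-control", "restart")):
    """Cron entry point. Writes the new config atomically, preserving the
    file's owner and mode, then restarts the agent. Returns True on change."""
    with open(conf_path) as f:
        text = f.read()
    new_text, new_ip, changed = plan_update(text, manager_name)
    if not changed:
        return False
    st = os.stat(conf_path)
    tmp = conf_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.chown(tmp, st.st_uid, st.st_gid)
    os.chmod(tmp, st.st_mode & 0o777)
    os.replace(tmp, conf_path)          # atomic swap: the agent never sees a half-written file
    subprocess.run(list(restart_cmd), check=True)
    return True


# Constructed sample of the relevant part of an agent's ossec.conf.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server-ip>10.0.0.5</server-ip>
  </client>
</ossec_config>
"""

if __name__ == "__main__":
    # usage: ossec_manager_sync.py manager.example.com [/var/ossec/etc/ossec.conf]
    conf = sys.argv[2] if len(sys.argv) > 2 else "/var/ossec/etc/ossec.conf"
    print("restarted" if sync_agent(conf, sys.argv[1]) else "unchanged")
```

Because the restart only happens when the address differs, a frequent cron schedule costs nothing in the steady state; if a large fleet runs it on the same minute, add a small random delay before the restart so all agents do not reconnect to the manager at once.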

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Barry Kaplan
Another question: My original scenario was when there was NO dns yet to resolve -- only later did the dns record get added. What I was seeing in that case was that the agent would keep issuing the error that it could not connect. But if the agent was not even able to resolve to an ip

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Barry Kaplan
Is it expensive to restart an agent? For my case (the OP) I can use consul-template to watch for when the ossec-remoted's IP has changed and rewrite the IP in the config file, then restart the agent. Would the reconnects to the server need to spread out or can it handle the thundering herd

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Antonio Querubin
On Fri, 26 Feb 2016, dan (ddp) wrote: IIRC, there was some talk previously about adding a dns daemon that could be queried from inside the chroot. I can't remember exactly what I had found, but it related to libasr (https://github.com/OpenSMTPD/libasr). Maybe a dnsd of some sort built into

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread dan (ddp)
On Fri, Feb 26, 2016 at 12:59 PM, Antonio Querubin wrote: > On Fri, 26 Feb 2016, dan (ddp) wrote: > >> IIRC, there was some talk previously about adding a dns daemon that >> could be queried from inside the chroot. >> I can't remember exactly what I had found, but it related

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Antonio Querubin
On Fri, 26 Feb 2016, dan (ddp) wrote: IIRC, there was some talk previously about adding a dns daemon that could be queried from inside the chroot. I can't remember exactly what I had found, but it related to libasr (https://github.com/OpenSMTPD/libasr). Maybe a dnsd of some sort built into

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread dan (ddp)
On Fri, Feb 26, 2016 at 12:39 PM, Antonio Querubin wrote: > On Fri, 26 Feb 2016, Pedro S wrote: > >> The proxy server will be a good external solution of course, >> >> About OSSEC, maybe we need something like "reload", NOT restart, reload >> could allow OSSEC to read again

[ossec-list] Re: Log rotation by ossec-monitord

2016-02-26 Thread Pedro S
Hi, Archives functionality is designed to log everything (all the events, be they alerts or not), I think it is pretty normal that this file grows so much if you have a large environment. I can't see a way to make OSSEC rotate the file more than daily (or split it), if you want to split the file with

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Barry Kaplan
Ok, here's a real CIS question. It looks like the CIS checks have only run on the ossec server. What does it take for these to run on the clients? Do I need to specify rootchecks on the client ossec.conf? Or should it get pushed down from the server? -- --- You received this message because

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Barry Kaplan
One thing I noticed in kibana, the rule.groups goes down as far as rootcheck, but not CIS. rule.groups ossec, rootcheck Wait, I was just going to ask for an easier way to filter on CIS alerts. But then I found the CIS kibana dashboard. :-)))

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Barry Kaplan
I'm pretty sure now this was a decoy wrt cis-ubuntu-ansible. Something was blocking access from the agent to server, but it was not cis-ubuntu-ansible. In any case, I could not reproduce the problem after rebuilding the [ossec agent] node. Pedro, thanks for the pointer to internal_options.conf

Re: [ossec-list] List of OSSEC rules?

2016-02-26 Thread dan (ddp)
The pull request was submitted and accepted. :-) On Fri, Feb 26, 2016 at 6:12 AM, Pedro S wrote: > I'll send a pull request as soon as possible to ossec-hids, I would like to > include some few options before sending it. > > > On Thursday, February 25, 2016 at 8:18:57 PM UTC+1,

Re: [ossec-list] List of OSSEC rules?

2016-02-26 Thread Rodrigo Montoro(Sp0oKeR)
Great script =)! Thanks On Fri, Feb 26, 2016 at 8:12 AM, Pedro S wrote: > I'll send a pull request as soon as possible to ossec-hids, I would like to > include some few options before sending it. > > > On Thursday, February 25, 2016 at 8:18:57 PM UTC+1, thak wrote: >> >>

Re: [ossec-list] Rule 554

2016-02-26 Thread dan (ddp)
On Feb 26, 2016 8:34 AM, "Evros Nireas" wrote: > > Hello All, > > I have 2 Linux machines that already have the ossec agent installed. I successfully disabled this rule like this > (ossec_rules.xml) > > <--!rule id="554" level="0"> Since the rule is level 0, and the

[ossec-list] Rule 554

2016-02-26 Thread Evros Nireas
Hello All, I have 2 Linux machines that already have the ossec agent installed. I successfully disabled this rule like this (ossec_rules.xml) <--!rule id="554" level="0"> ossec syscheck_new_entry File added to the system. syscheck, but the other one still sends mail whenever a new file

[ossec-list] Re: Server not responding to agent messages (1218/4101)

2016-02-26 Thread James Stallard
No, I changed this in the post. ;) This has to be the case .. as each time I see ...WARN: Waiting for server reply... on client tcpdump sends out the ... ip-10-.ec2.internal.51508 > ip-.ec2.internal.fujitsu-dtcns: UDP, length 73 so the server IP on client is correct, yes. thanks anyway. Le

[ossec-list] Log rotation by ossec-monitord

2016-02-26 Thread Openshaw, Dave
Hello Please tell me, how can I change settings for log rotation by ossec-monitord? I see only options that change compression and signing. If this is not possible can I use logrotate.d to produce splinter copies of the ‘archives’ file (which is very large in my environment) on a more regular

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Pedro S
The proxy server will be a good external solution of course, About OSSEC, maybe we need something like "reload", NOT restart, reload could allow OSSEC to read again all the configuration files and refresh internal structures, sure it won't be easy but.. just thinking. On Thursday, February

Re: [ossec-list] List of OSSEC rules?

2016-02-26 Thread Pedro S
I'll send a pull request as soon as possible to ossec-hids, I would like to include some few options before sending it. On Thursday, February 25, 2016 at 8:18:57 PM UTC+1, thak wrote: > > Interesting. We maintain a few compliance standards (not PCI) so I will > look into it for sure. > > On

[ossec-list] Re: Server not responding to agent messages (1218/4101)

2016-02-26 Thread Pedro S
Hi, Stupid question, according to your logs: 2016/02/25 21:16:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: ''. Is the server IP setting on the Agent set correctly? Seems like OSSEC is reading "" as the remote IP, or did you change it on purpose in the post? Like

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Jesus Linares
Sorry, I thought you were using default OSSEC rootchecks (debian, redhat, etc). That is the reason I recommended you use rootchecks with tags (groups). My bad. I will try the *cis-ubuntu-ansible* rootchecks. On Friday, February 26, 2016 at 12:00:12 PM UTC+1, Pedro S wrote: > > Hi, > > I am

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Pedro S
Hi, I am not familiar with *cis-ubuntu-ansible* but you can try to debug OSSEC log to inspect what exactly is blocking the contact. Open internal_options.conf and set: remoted.debug=2 syscheck.debug=2 analysisd.debug=2 logcollector.debug=2 # Unix agentd agent.debug=2 Restart and review what

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Jesus Linares
Hi, is rootcheck running properly? I mean, do you see the logs "Starting rootcheck..." and "Ending rootcheck..."? Maybe it is a syntax error. If you are using ossec-wazuh, you will see that each control has a tag with the CIS and PCI reference (*{CIS: 4.13