Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-17 Thread weisst


On Saturday, April 15, 2017 at 3:18:42 AM UTC+8, dan (ddpbsd) wrote:
>
> On Thu, Apr 13, 2017 at 9:24 PM, weisst  
> wrote: 
> > windows 2012 r2 error 
> > 问题签名: 
> >   问题事件名称:APPCRASH 
> >   应用程序名:win32ui.exe 
> >   应用程序版本:0.0.0.0 
> >   应用程序时间戳:58ef28a9 
> >   故障模块名称:StackHash_bc03 
> >   故障模块版本:6.3.9600.17415 
> >   故障模块时间戳:5450559e 
> >   异常代码:c374 
> >   异常偏移:PCH_B7_FROM_ntdll+0x000911FA 
> >   OS 版本:6.3.9600.2.0.0.272.7 
> >   区域设置 ID:2052 
> >   其他信息 1:bc03 
> >   其他信息 2:bc03b0099517a014308582161a3173b5 
> >   其他信息 3:e3d5 
> >   其他信息 4:e3d5a6322d624c2d8e59088803c5efc2 
> > 
>
> I have no idea. Never seen that, and not sure what to do with it. 
> Google translate translated it just fine though. 
> You should be able to setup ossec without the gui. Just modify the 
> ossec.conf and client.keys. You'll need to get the key format from the 
> server, and you'll need to add the correct server IP to the 
> ossec.conf. 
>
Thanks Dan, I tried starting the ossec service without the GUI and configured 
client.keys and ossec.conf correctly, but I still get an error.
Windows 64-bit is almost a standard system now; can there be a plan for a 
64-bit OSSEC? Thanks again

>
> > 联机阅读隐私声明: 
> >   http://go.microsoft.com/fwlink/?linkid=280262 
> > 
> > 如果无法获取联机隐私声明,请脱机阅读我们的隐私声明: 
> >   C:\Windows\system32\zh-CN\erofflps.txt 
> > 
> > 
> > On Friday, April 14, 2017 at 6:24:19 AM UTC+8, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Apr 13, 2017 at 5:14 AM, weisst  wrote: 
> >> > Dear all 
> >> > 
> >> > I tried to compile the Windows 64-bit agent on Ubuntu 16.10, and I installed the dependencies 
> >> > 
> >> > sudo apt-get install build-essential -y 
> >> > sudo apt-get install nsis nsis-common -y 
> >> > sudo apt-get install mingw-w64 mingw-w64-common mingw-w64-x86-64-dev 
> -y 
> >> > 
> >> > I found that mingw uses x86_64-w64-mingw32-gcc in place of 
> >> > amd64-mingw32msvc-gcc, so I 
> >> > modified the Makefile 
> >> > 
> >> > ifneq (,$(shell which amd64-mingw32msvc-gcc)) 
> >> > MING_BASE:=amd64-mingw32msvc- 
> >> > 
> >> > to 
> >> > 
> >> > ifneq (,$(shell which x86_64-w64-mingw32-gcc)) 
> >> > MING_BASE:=x86_64-w64-mingw32- 
> >> > else 
> >> > 
> >> 
> >> You might have to make similar changes to 
> >> src/external/lua/src/Makefile.mingw 
> >> But I've never tried it. 
> >> 
> >> > then I ran make TARGET=winagent and got some errors 
> >> > 
> >> > x86_64-w64-mingw32-gcc -shared -o lua52.dll lapi.o lcode.o lctype.o 
> >> > ldebug.o 
> >> > ldo.o ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o 
> lparser.o 
> >> > lstate.o lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o 
> >> > lbaselib.o lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o 
> >> > lstrlib.o ltablib.o loadlib.o linit.o 
> >> > strip --strip-unneeded lua52.dll 
> >> > x86_64-w64-mingw32-gcc -o ossec-lua.exe -s lua.o lua52.dll -lm 
> >> > make[2]: Leaving directory 
> >> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src' 
> >> > make -f Makefile.mingw "LUAC_T=ossec-luac.exe" ossec-luac.exe 
> >> > make[2]: Entering directory 
> >> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src' 
> >> > x86_64-w64-mingw32-gcc -O2 -Wall -DLUA_COMPAT_ALL -c -o luac.o luac.c 
> >> > i686-w64-mingw32-ar rcu liblua.a lapi.o lcode.o lctype.o ldebug.o 
> ldo.o 
> >> > ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o 
> >> > lstate.o 
> >> > lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o lauxlib.o lbaselib.o 
> >> > lbitlib.o lcorolib.o ldblib.o liolib.o lmathlib.o loslib.o lstrlib.o 
> >> > ltablib.o loadlib.o linit.o 
> >> > i686-w64-mingw32-ar: `u' modifier ignored since `D' is the default (see 
> >> > `U') 
> >> > i686-w64-mingw32-ranlib liblua.a 
> >> > x86_64-w64-mingw32-gcc -o ossec-luac.exe luac.o liblua.a -lm 
> >> > liblua.a: error adding symbols: Archive has no index; run ranlib to 
> add 
> >> > one 
> >> > collect2: error: ld returned 1 exit status 
> >> > Makefile.mingw:66: recipe for target 'ossec-luac.exe' failed 
> >> > make[2]: *** [ossec-luac.exe] Error 1 
> >> > make[2]: Leaving directory 
> >> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src' 
> >> > Makefile.mingw:112: recipe for target 'mingw' failed 
> >> > make[1]: *** [mingw] Error 2 
> >> > make[1]: Leaving directory 
> >> > '/tmp/ossec-hids-master/src/external/lua-5.2.3/src' 
> >> > Makefile:609: recipe for target 'winagent' failed 
> >> > make: *** [winagent] Error 2 
> >> > 
> >> > I tried to fix the problem, so I modified lua-5.2.3/src/Makefile.mingw 
> >> > 
> >> > CC= i686-w64-mingw32-gcc 
> >> > CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS) 
> >> > LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS) 
> >> > LIBS= -lm $(SYSLIBS) $(MYLIBS) 
> >> > 
> >> > AR= i686-w64-mingw32-ar rcu 
> >> > RANLIB= i686-w64-mingw32-ranlib 
> >> > RM= rm -f 
> >> > 
> >> > I tried replacing all i686-w64-mingw32 with x86_64-w64-mingw32, and then the compile 
> >> > succeeded, 
> >> > but when installed on a Windows 64-bit system the ossec agent can't start and gives some 
> >> > errors; 
> >> > please help me fix it, thanks 
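
The build log quoted above shows x86_64-w64-mingw32-gcc linking against a liblua.a produced by i686-w64-mingw32-ar and -ranlib, and the thread's fix is to replace the prefix throughout Makefile.mingw. As an added example (not code from the thread or from the OSSEC project), this Python snippet checks a Makefile.mingw fragment for a mixed toolchain prefix and applies that rewrite; the sample Makefile text is constructed from the fragment quoted above, and `toolchain_mismatches` and `retarget` are names chosen here.

```python
import re

# Constructed sample modelled on the Makefile.mingw fragment quoted in the thread:
# CC, AR and RANLIB are all pinned to the 32-bit i686-w64-mingw32 toolchain.
SAMPLE_MAKEFILE = """\
CC= i686-w64-mingw32-gcc
CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
LIBS= -lm $(SYSLIBS) $(MYLIBS)
AR= i686-w64-mingw32-ar rcu
RANLIB= i686-w64-mingw32-ranlib
RM= rm -f
"""

TOOLS = ("CC", "AR", "RANLIB")
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:?]?=\s*(.*?)\s*$")


def parse_make_vars(text):
    """Collect simple 'NAME = value' assignments from Makefile text."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def tool_prefix(command):
    """Cross-compiler prefix of a tool command, e.g.
    'i686-w64-mingw32-ar rcu' -> 'i686-w64-mingw32-'; a native tool gives ''."""
    words = command.split()
    prog = words[0] if words else ""
    return prog.rpartition("-")[0] + "-" if "-" in prog else ""


def toolchain_mismatches(makefile_text, overrides=None):
    """Return {tool: prefix} for every tool whose prefix differs from CC's.
    `overrides` models variables passed on the make command line, which is how
    a 64-bit CC can reach Makefile.mingw while it still names the 32-bit ar and
    ranlib (the pairing visible in the build log above)."""
    variables = parse_make_vars(makefile_text)
    variables.update(overrides or {})
    prefixes = {t: tool_prefix(variables.get(t, "")) for t in TOOLS}
    want = prefixes["CC"]
    return {t: p for t, p in prefixes.items() if p != want}


def retarget(makefile_text, old_prefix, new_prefix):
    """Apply the thread's fix: replace every old_prefix with new_prefix."""
    return makefile_text.replace(old_prefix, new_prefix)
```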

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Rob Williams
Hi Jesus, the first rule is what I am trying. You said I can match the file 
in  but can I do that when the file changes, as it is not one file I 
want to ignore? Can I use regex syntax in rules? I used it in decoders as I 
thought I wasn't able to. Thanks!


510

Ignore rule 510 for 600 seconds if the same ID is matched.



On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote:
>
> What rule did you use? Please share here the rule and the alerts that 
> you want to ignore.
>
> I'd need the ID from the decoder to do so
>
> There are no xml decoders for rootcheck. What you want to extract in the 
> id field is the file, right? You can do a *match* in the rule for the 
> file.
>
> Regards.
>
> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>
>> Hi Jesus,
>>
>> Thanks for the reply. I have noticed when I activate this rule, it blocks 
>> all events and does not alert on the first event. Also note, I am trying to 
>> use the ID field from my decoder to match against. I can't just use a 
>> static match as the ID continuously changes so I'd need the ID from the 
>> decoder to do so. Any ideas? Thanks!
>>
>> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>>
>>> Hi all,
>>>
>>> I'm running into an issue where rule 510 is triggering and I'm getting 
>>> spammed with alerts but I can't seem to tune it correctly. What's weird is 
>>> that I am still getting alerted for rule 510 for this log, but I can't 
>>> figure out how to get that to show in logtest. Basically, I am getting 
>>> spammed with rule 510 and trying to filter it down more and here is what 
>>> happens when I enter the log in logtest: any ideas on how to fix 
>>> this?
>>>
>>> **Phase 1: Completed pre-decoding.
>>>
>>>full event: 'File '/filepath/' is owned by root and has written 
>>> permissions to anyone.'
>>>
>>>hostname: 'hostname'
>>>
>>>program_name: '(null)'
>>>
>>>log: 'File '/filepath/' is owned by root and has written 
>>> permissions to anyone.'
>>>
>>>
>>> **Phase 2: Completed decoding.
>>>
>>>decoder: 'sample_decoder_setup'
>>>
>>>id: '/filepath/'
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Alert suppression sha1sum

2017-04-17 Thread Kumar G
Hi Team,

In our ossec environment we are getting lots of sha1sum alerts (even though
it's not configured) and they are irrelevant to us. Is there any way to
suppress these alerts?

** Alert 1491577582.15621: mail  - ossec,syscheck,

2017 Apr 07 10:06:22 inssys01->syscheck

Rule: 550 (level 7) -> 'Integrity checksum changed.'

Integrity checksum changed for: '/home/sysuser/message'

Old sha1sum was: '1e8e7937157db3ec01ad59dea488b4a9febf49f7'

New sha1sum is : 'xxx'



** Alert 1491577958.15840: mail  - ossec,syscheck,

2017 Apr 07 10:12:38 inssys01->syscheck

Rule: 550 (level 7) -> 'Integrity checksum changed.'

Integrity checksum changed for: '/home/sysuser/message'

Old sha1sum was: 'xxx'

New sha1sum is : '1e8e7937157db3ec01ad59dea488b4a9febf49f7'

Since the integrity checksum alerts sometimes also report other FIM checks,
we need to suppress them only when just the sha1sum alerts are triggered.


Will we be able to accomplish this with the help of decoders / rules
addition?



Thanks
Kumar
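
As an added example (not part of the post or of OSSEC itself), the Python below parses alert blocks in the alerts.log layout quoted above and separates rule 550 alerts that report only a sha1sum change from those that also report other FIM changes, which is the split asked for here; the sample text is constructed from the first alert above plus one made-up alert with a size change, and `filter_alerts` is a hypothetical post-processing step, not an OSSEC rule or decoder.

```python
import re

# Constructed sample in the alerts.log layout quoted above: the first block is the
# post's own sha1sum-only alert ('xxx' kept as a placeholder, as in the post);
# the second block is made up here and also reports a size change.
SAMPLE_ALERTS = """\
** Alert 1491577582.15621: mail  - ossec,syscheck,
2017 Apr 07 10:06:22 inssys01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/sysuser/message'
Old sha1sum was: '1e8e7937157db3ec01ad59dea488b4a9febf49f7'
New sha1sum is : 'xxx'

** Alert 1491578000.16000: mail  - ossec,syscheck,
2017 Apr 07 10:13:20 inssys01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/example.conf'
Size changed from '1024' to '1100'
Old sha1sum was: 'aaaa'
New sha1sum is : 'bbbb'
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
FILE_RE = re.compile(r"^Integrity checksum changed for: '(.*)'$")
SHA1_RE = re.compile(r"^(Old|New) sha1sum (?:was|is) ?: '(.*)'$")


def split_alerts(text):
    """Group alerts.log lines into one list per '** Alert' block, dropping blanks."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("** Alert "):
            if current:
                blocks.append(current)
            current = [line]
        elif current is not None and line.strip():
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_syscheck_alert(lines):
    """Extract rule id, file, the sha1 pair and every other change line; lines[0]
    is the '** Alert' header, lines[1] the timestamp/source line. Any line that is
    not a sha1sum line (size, permissions, ownership, md5sum ...) is kept as a
    change the reporter still wants to see."""
    info = {"rule": None, "file": None, "sha1": {}, "other_changes": []}
    for line in lines[2:]:
        if m := RULE_RE.match(line):
            info["rule"] = int(m.group(1))
        elif m := FILE_RE.match(line):
            info["file"] = m.group(1)
        elif m := SHA1_RE.match(line):
            info["sha1"][m.group(1).lower()] = m.group(2)
        else:
            info["other_changes"].append(line)
    return info


def sha1_only(info):
    # A rule 550 alert whose only reported change is the sha1sum.
    return info["rule"] == 550 and bool(info["sha1"]) and not info["other_changes"]


def filter_alerts(text):
    # Parsed alerts worth forwarding: everything except sha1sum-only rule 550 hits.
    return [a for a in map(parse_syscheck_alert, split_alerts(text)) if not sha1_only(a)]
```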



Re: [ossec-list] Re: OSSEC Agent not works

2017-04-17 Thread Руслан Аминджанов
I am reinstalling system right now but it looks like this was the issue. 
Thank you very much!

On Monday, April 17, 2017 at 7:01:29 AM UTC+5:45, Victor 
Fernandez wrote:
>
> Hi,
>
> Do you have more than one network interface on your manager? Your 
> tcpdump log looks a bit unusual to me:
>
> 00:58:11.619862 IP 10.2.2.3.43453 > *10.2.2.12*.fujitsu-dtcns: UDP, 
> length 73
> 00:58:11.620415 IP *10.2.2.13*.fujitsu-dtcns > 10.2.2.3.43453: UDP, 
> length 73
>
>
> It seems that the manager is responding (probably an ACK message) but it 
> is doing it from a different IP (10.2.2.13 instead of 10.2.2.12).
>
> Do you see any error at /var/ossec/log/ossec.log at the agent?
>
> Best regards. 
>
> On Sat, Apr 15, 2017 at 11:59 PM, Kat  
> wrote:
>
>> It really sounds like you are missing a step -- perhaps post the steps 
>> you do for the install, adding an agent etc, showing the commands and 
>> results. We need something more to help you. 
>>
>> Kat
>>
>>
>> On Thursday, April 13, 2017 at 5:24:32 PM UTC-5, Руслан Аминджанов wrote:
>>>
>>> Hello!
> >>> I installed OSSEC server and client on 2 hosts; however, the agent shows as 
> >>> "Never connected". There is no firewall between these hosts, and if I use 
> >>> netcat to connect to the server, its log shows that the message is not properly 
> >>> formatted.
>>> Output of tcpdump:
>>>
>>> 00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 
>>> 73
>>>
>>> 00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 
>>> 73
>>>
>>> 00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 
>>> 73
>>>
>>> 00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 
>>> 73
>>>
>>> 00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 
>>> 73
>>>
>>> 00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 
>>> 73
>>>
>>> 00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 
>>> 73
>>>
>>> 00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 
>>> 73
>>>
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>



[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Jesus Linares
What rule did you use? Please share here the rule and the alerts that you 
want to ignore.

I'd need the ID from the decoder to do so

There are no xml decoders for rootcheck. What you want to extract in the id 
field is the file, right? You can do a *match* in the rule for the file.

Regards.

On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>
> Hi Jesus,
>
> Thanks for the reply. I have noticed when I activate this rule, it blocks 
> all events and does not alert on the first event. Also note, I am trying to 
> use the ID field from my decoder to match against. I can't just use a 
> static match as the ID continuously changes so I'd need the ID from the 
> decoder to do so. Any ideas? Thanks!
>
> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>
>> Hi all,
>>
>> I'm running into an issue where rule 510 is triggering and I'm getting 
>> spammed with alerts but I can't seem to tune it correctly. What's weird is 
>> that I am still getting alerted for rule 510 for this log, but I can't 
>> figure out how to get that to show in logtest. Basically, I am getting 
>> spammed with rule 510 and trying to filter it down more and here is what 
>> happens when I enter the log in logtest: any ideas on how to fix 
>> this?
>>
>> **Phase 1: Completed pre-decoding.
>>
>>full event: 'File '/filepath/' is owned by root and has written 
>> permissions to anyone.'
>>
>>hostname: 'hostname'
>>
>>program_name: '(null)'
>>
>>log: 'File '/filepath/' is owned by root and has written 
>> permissions to anyone.'
>>
>>
>> **Phase 2: Completed decoding.
>>
>>decoder: 'sample_decoder_setup'
>>
>>id: '/filepath/'
>>
>



Re: [ossec-list] How soon does an agent disconnect appear

2017-04-17 Thread Jesus Linares
Check out *notify_time* and *time-reconnect*: 
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.client.html#ossec-conf-client-options

On Friday, April 14, 2017 at 12:08:02 AM UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Apr 12, 2017 at 4:01 PM, Nikki S  > wrote: 
> > How long does it take for the agent to appear as 'disconnected'?  I read 
> on 
> > another thread that the 'keep alive' needs to fail three times. I could 
> not 
> > find where we set the frequency of the agent check in. 
> > 
>
> I think it's 10 minutes, and I don't think it's currently configurable 
> in ossec.conf. 
>
> > Thank you! 
> > 
>



Re: [ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-17 Thread Jesus Linares
Hi Rob,

I'm not sure, but you can increase the level to 1 and:

set the attribute noalert 

:



or use the options no_log 

:

no_log

Let me know if it works.

Regards.



On Friday, April 14, 2017 at 12:05:08 AM UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Apr 12, 2017 at 1:40 PM, Rob Williams  > wrote: 
> > Essentially, I want to trigger an active response for a rule that I 
> created 
> > that has a severity level of 0. I created this rule because I did not 
> want 
> > to be alerted on the default rule and only wanted to be alerted based on 
> the 
> > output from my active response. My question is if I have the severity 
> level 
> > of 0, will it just be completely ignored without the active response 
> even 
> > triggering? I ask because I'm having trouble setting it up properly and 
> want 
> > to rule out if this is the cause. Thank you for your help in advance. 
> > 
>
> I think it will be ignored, but I've never tried it. You could try 
> bumping the level to 1 to see if that fixes the issue. 
>
>



Re: [ossec-list] Re: OSSEC Agent not works

2017-04-17 Thread Victor Fernandez
Hi,

Do you have more than one network interface on your manager? Your tcpdump
log looks a bit unusual to me:

00:58:11.619862 IP 10.2.2.3.43453 > *10.2.2.12*.fujitsu-dtcns: UDP, length
73
00:58:11.620415 IP *10.2.2.13*.fujitsu-dtcns > 10.2.2.3.43453: UDP, length
73


It seems that the manager is responding (probably an ACK message) but it is
doing it from a different IP (10.2.2.13 instead of 10.2.2.12).

Do you see any error at /var/ossec/log/ossec.log at the agent?

Best regards.

On Sat, Apr 15, 2017 at 11:59 PM, Kat  wrote:

> It really sounds like you are missing a step -- perhaps post the steps you
> do for the install, adding an agent etc, showing the commands and results.
> We need something more to help you.
>
> Kat
>
>
> On Thursday, April 13, 2017 at 5:24:32 PM UTC-5, Руслан Аминджанов wrote:
>>
>> Hello!
>> I installed OSSEC server and client on 2 hosts; however, the agent shows as
>> "Never connected". There is no firewall between these hosts, and if I use
>> netcat to connect to the server, its log shows that the message is not properly
>> formatted.
>> Output of tcpdump:
>>
>> 00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length
>> 73
>>
>> 00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length
>> 73
>>
>> 00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length
>> 73
>>
>> 00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length
>> 73
>>
>> 00:58:20.620619 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length
>> 73
>>
>> 00:58:20.621167 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length
>> 73
>>
>> 00:58:26.621162 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length
>> 73
>>
>> 00:58:26.621703 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length
>> 73
>>
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
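
Victor's observation above is that every reply to the agent comes from 10.2.2.13 although the agent sent to 10.2.2.12. As an added example (not code from the thread or from OSSEC/Wazuh), this Python snippet parses tcpdump lines in the format quoted in the thread and reports replies whose source address differs from the manager address the agent contacted; the sample capture is constructed from the lines above plus one made-up, well-behaved second agent, and `reply_source_mismatches` is a name chosen here.

```python
import re

# Constructed sample: the first four lines are the tcpdump output quoted in the
# thread; the last two are a made-up second agent whose manager replies from the
# same address it was contacted on, for contrast.
SAMPLE_TCPDUMP = """\
00:58:11.619862 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:11.620415 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:15.620201 IP 10.2.2.3.43453 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:15.620618 IP 10.2.2.13.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73
00:58:30.000000 IP 10.2.2.4.50001 > 10.2.2.12.fujitsu-dtcns: UDP, length 73
00:58:30.000500 IP 10.2.2.12.fujitsu-dtcns > 10.2.2.4.50001: UDP, length 73
"""

# tcpdump prints port 1514 (the OSSEC default) by its /etc/services name.
MANAGER_PORT = "fujitsu-dtcns"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\S+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\S+): UDP, length (?P<length>\d+)$"
)


def parse_tcpdump(text):
    """Parse UDP lines of the form shown above; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def reply_source_mismatches(packets, manager_port=MANAGER_PORT):
    """Pair each agent->manager datagram with the next datagram back to the same
    agent socket and report replies whose source IP differs from the address the
    agent sent to. Returns one finding per mismatched reply."""
    pending = {}  # (agent_ip, agent_port) -> manager IP the agent sent to
    findings = []
    for p in packets:
        if p["dport"] == manager_port:
            pending[(p["src"], p["sport"])] = p["dst"]
        elif p["sport"] == manager_port:
            sent_to = pending.pop((p["dst"], p["dport"]), None)
            if sent_to is not None and sent_to != p["src"]:
                findings.append({"time": p["ts"], "agent": p["dst"],
                                 "sent_to": sent_to, "reply_from": p["src"]})
    return findings
```

An agent with a single manager IP in ossec.conf will not accept datagrams from another address, so a non-empty result is the first thing to check on a multi-homed manager.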
