Re: [ossec-list] Re: ERROR: Unable to Bind port '1514'

2017-08-28 Thread Carlos Islas
Hello dan,

I killed the instance but nothing happened; I had to start the process 
manually because the services went down. =S

Regards...

On Friday, August 25, 2017, 11:01:25 (UTC-5), dan (ddpbsd) wrote:
>
>
>
> On Aug 25, 2017 11:32 AM, "Carlos Islas" wrote:
>
> Hi dan,
>
> Sorry, I'm a newbie with that kind of command. How can I kill the instance?
>
>
> I usually use `pkill ossec-remoted`
> You can also use `ps` to get the pid (or look for the pid in /var/ossec 
> somewhere) and kill it that way.
>
>
> Regards...
>
>
>
> On Thursday, August 24, 2017, 16:19:57 (UTC-5), Carlos Islas wrote:
>>
>> Hello,
>>
>> I am having this issue when I execute the command ./ossec-remoted
>>
>> ossec.log:
>>
>> 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
>> 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>>
>> Could somebody help me examine that error?
>>
>> Regards...
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: ossec-keepalive

2017-08-28 Thread Leroy Tennison
Thanks for the answer, that clarifies my understanding.  Sounds like you 
would like to see the alert details so here they are ("our-demo" below is 
an agent, not the server):

OSSEC HIDS Notification.
2017 Aug 27 08:20:39

Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: 
dh7GKhV3D=9_tT9mi+oFulZk!/aTDX2_mDueL^7wo;Y-[Bccq4-;^Pcb]Qcyh5n7QH@JrN5))x9$Y#6p835rYqu-@HdN=LsBknO.bu7%A]Yf)#8dJHvbfPGzEJ#vC/eMmb;1vhJdcQi+!&'o623tZdS.]#6xt@sFuYO.5=a7+Xe0+LwVV'xoLxlGe(lxfDkz]Ywi.!x)BCN5v98*k??VxZ]^LVg/;4@CwP;7tqUdaP8v6KU*;c_31yMU)aatm@d-u,XNm0/0joDj?I.2RvWfWef&4y)US^lNJtMdDiH1p$sop3y6'Ct._#$Se1UWKodCH.Fsg#)9TTGqr4-YPjV*+DEH/;.-UPs,[YoO(Qs_dYeu!J(taITE@=@rx9h(s%w0_Kj6[BU/'hslQT)Q]G_o@0FQ*[CRqgleRutLdv=KCkWAlJ*g^n8UvhegP+fo]rs['L_.7@HRDL(O_lUlywnc*6W^d2.MB3H8Xv5yaVxEaj(D8+OPZkR')rnzayo9+JI1;L'!MQext'@8b+t[n%kOO@wOdK5HCWcubJ/][Qs1KMD'^eB.A''w4p@p0;e,OhqQ/2'GmmbegEL+-#Ar5u]*JoPRhTNV0lfhvNNIZP[5BGc60*FATAl,Pi,W2Jl!d5*ymzotwjGf.I@X



 --END OF NOTIFICATION


On Monday, August 28, 2017 at 10:53:55 AM UTC-5, Leroy Tennison wrote:
>
> Just FYI, not sure if a resolution to 
> https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ 
> has been put in place or not but it is occurring in v2.9.2 - I received an 
> email alert (can post the text if it would be helpful).
>
> Related to this, I noticed that the alert level is 2; it appears that the 
> only place to set alert levels is in ossec.conf on the server or 'local' 
> (it is configured on the server as the default: 7).
>
> I seem to remember seeing somewhere that a local install was one where the 
> server managed only itself, but I can't find that reference now; is that 
> correct?
>
> The other option is to configure the system as hybrid, if that would allow 
> the notification to be suppressed (and the implications of the change 
> weren't too great), I would be glad to configure it that way if someone 
> could point me to instructions on how to do so.
>
> Thanks for the help, my learning curve at this point is pretty steep.
>



Re: [ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote:

I wondered about that but verify-agent-conf didn't complain so I thought it
was valid.  I guess that means regex is only valid in rules?



Rules and decoders are the only places that come to mind at the moment.



On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote:
>
> I'm having trouble getting an ignore expression to actually ignore a
> change and suspect it's due to not understanding how OSSEC regular
> expressions work.  When I searched for examples I found very little so I'm
> hoping someone can reply with examples or explanations.  What I tried was:
>
> <ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
>
>
> I'm still getting alerts such as the following:
>
> Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the
> file system. (I configured new file alerting and am glad to see it's
> working but just not this directory).
>
> Thanks for the help.
>


[ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I wondered about that but verify-agent-conf didn't complain so I thought it 
was valid.  I guess that means regex is only valid in rules?

On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote:
>
> I'm having trouble getting an ignore expression to actually ignore a 
> change and suspect it's due to not understanding how OSSEC regular 
> expressions work.  When I searched for examples I found very little so I'm 
> hoping someone can reply with examples or explanations.  What I tried was:
>
> <ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
>
>
> I'm still getting alerts such as the following:
>
> Integrity checksum changed for: 
> '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for: 
> '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file 
> system. (I configured new file alerting and am glad to see it's working 
> but just not this directory).
>
> Thanks for the help.
>
>



Re: [ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread Sean Roe
I'm pretty sure ignores are available in agent.conf

Sean

On Mon, Aug 28, 2017 at 10:57 AM, dan (ddp) wrote:

> On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison wrote:
> > I'm having trouble getting an ignore expression to actually ignore a
> > change and suspect it's due to not understanding how OSSEC regular
> > expressions work.  When I searched for examples I found very little so
> > I'm hoping someone can reply with examples or explanations.  What I
> > tried was:
> >
> > <ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
> > <ignore type="regex">/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
> > <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> > <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
> >
>
> According to the documentation,
> (https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html)
> sregex is what's available here. This is a VERY limited regex subset
> as documented here:
> https://ossec.github.io/docs/syntax/regex.html#os-match-sregex-syntax
> Also, I'm not sure ignores can be used in agent.conf. It's possible
> I'm mis-remembering this though.
>
> >
> > I'm still getting alerts such as the following:
> >
> > Integrity checksum changed for:
> > '/var/lib/postgresql/9.5/main/base/16387/1259'
> > Integrity checksum changed for:
> > '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> > New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the
> > file system. (I configured new file alerting and am glad to see it's
> > working but just not this directory).
> >
> > Thanks for the help.
> >


Re: [ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison wrote:
> I'm having trouble getting an ignore expression to actually ignore a change
> and suspect it's due to not understanding how OSSEC regular expressions
> work.  When I searched for examples I found very little so I'm hoping
> someone can reply with examples or explanations.  What I tried was:
>
> <ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
>

According to the documentation,
(https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html)
sregex is what's available here. This is a VERY limited regex subset
as documented here:
https://ossec.github.io/docs/syntax/regex.html#os-match-sregex-syntax
Also, I'm not sure ignores can be used in agent.conf. It's possible
I'm mis-remembering this though.

>
> I'm still getting alerts such as the following:
>
> Integrity checksum changed for:
> '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for:
> '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file
> system. (I configured new file alerting and am glad to see it's working but
> just not this directory).
>
> Thanks for the help.
>
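As an added example, not OSSEC's code, the following models the two pattern engines dan contrasts (this reply and the copy quoted by Sean Roe above) and runs the posted ignore entries against the three paths from the alerts. It assumes the documented OS_Match/sregex syntax (only ^, $ and | are special; everything else is a literal substring) and uses Python's re as a stand-in for OS_Regex; whether agent.conf honours <ignore> at all is a separate question the thread leaves open.

```python
import re

# Documented OS_Match/sregex syntax (assumption: modelled on the OSSEC docs
# dan links, not on OSSEC's C code): only '^', '$' and '|' are special; any
# other character, including '\d', '\w' and '+', is a literal substring.
def sregex_match(pattern: str, text: str) -> bool:
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if at_start else alt
        lit = lit[:-1] if at_end else lit
        if at_start and at_end:
            hit = text == lit
        else:
            hit = (text.startswith(lit) if at_start else
                   text.endswith(lit) if at_end else lit in text)
        if hit:
            return True
    return False

# Stand-in for OS_Regex: Python's re gives \d, \w, + and $ the meaning the
# posted patterns expect, which is all this comparison needs.
def regex_match(pattern: str, text: str) -> bool:
    return re.search(pattern, text) is not None

# Paths taken from the three alerts quoted in the thread.
ALERT_PATHS = [
    "/var/lib/postgresql/9.5/main/base/16387/1259",
    "/var/lib/postgresql/9.5/main/pg_xlog/00010026",
    "/var/lib/postgresql/9.5/main/pg_subtrans/0019",
]

# The <ignore> bodies exactly as posted (regex syntax).
POSTED_IGNORES = [
    r"/var/lib/postgresql/9.5/main/base/\d+/\d+$",
    r"/var/lib/postgresql/9.5/main/pg_xlog/\d+$",
    r"/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$",
    r"/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$",
]

# Same intent in sregex terms: anchor on the directory prefix only.
SREGEX_IGNORES = [
    "^/var/lib/postgresql/9.5/main/base/",
    "^/var/lib/postgresql/9.5/main/pg_xlog/",
    "^/var/lib/postgresql/9.5/main/pg_subtrans/",
]

def ignored(path: str, patterns: list, engine) -> bool:
    return any(engine(p, path) for p in patterns)

def evaluate() -> dict:
    """Per alert path: do the posted entries ignore it under sregex, do they
    under a real regex engine, and do the sregex rewrites ignore it?"""
    return {
        p: {
            "posted_under_sregex": ignored(p, POSTED_IGNORES, sregex_match),
            "posted_under_regex": ignored(p, POSTED_IGNORES, regex_match),
            "rewritten_sregex": ignored(p, SREGEX_IGNORES, sregex_match),
        }
        for p in ALERT_PATHS
    }

if __name__ == "__main__":
    for path, verdict in evaluate().items():
        print(path, verdict)
```

Under the sregex model every posted entry fails, because `\d+` is looked for as the literal text `\d+`; the prefix-anchored rewrites match all three paths.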


Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki wrote:
> Email levels are at a high enough priority; I am getting emails now after
> stopping alerting from RDP. I have multiple RDPs where the agent is installed
> and I get a lot of false alerts from them, for Authentication failure and
> Account locked out.
>

If you're seeing false positives, it would be great if you reported
them. We could fix them (or they have been fixed in recent versions of
OSSEC).

> On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 24, 2017 8:31 AM, "Tirumala Raja Siriki" wrote:
>>
>> Hi Everyone,
>>
>> I am running OSSEC version 2.8.3 on the server as well as the agents. I am not
>> getting any email alerts from the OSSEC server (SUSE Linux) for one of the
>> agents, which is also running on SUSE Linux.
>> I see the alerts are getting logged in the /var/ossec/logs/alerts/alerts.log
>> file but no emails are triggered. Other agents are working fine.
>> I noticed the OSSEC server has rsyslog running while the agent has syslog-ng.
>> Are there any changes that need to be made for logging?
>>
>> Any help is appreciated.
>>
>>
>> Are the alerts that this agent triggers high enough level to be sent via
>> email? Are the alerts grouped with other alerts in a single email?
>>
>>
>>
>> Many Thanks
>>


Re: [ossec-list] Re: Testing OSSEC

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote:
> hey,
>
> I have added the rule in the local_rules.xml file in the way shown in the
> attached image.
> After adding the rule, I have restarted the OSSEC services. But I get
> the following errors:
> Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
> Started ossec-dbd...
> 2017/08/28 09:40:55 ossec-config(1501): ERROR: Invalid SMTP Server: alt1.gmail-smtp-in.l.google.com.
> 2017/08/28 09:40:55 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> 2017/08/28 09:40:55 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> ossec-maild did not start correctly.
> Did I miss anything? Or should any other command have been used to
> make that rule work? Please guide me to solve this problem.

That error has nothing to do with the rule you added. I think there's
an issue with name resolution for maild, but I haven't looked into it
yet.



[ossec-list] ossec-keepalive

2017-08-28 Thread Leroy Tennison
Just FYI, not sure if a resolution 
to https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ 
has been put in place or not but it is occurring in v2.9.2 - I received an 
email alert (can post the text if it would be helpful).

Related to this, I noticed that the alert level is 2; it appears that the 
only place to set alert levels is in ossec.conf on the server or 'local' 
(it is configured on the server as the default: 7).

I seem to remember seeing somewhere that a local install was one where the 
server managed only itself, but I can't find that reference now; is that 
correct?

The other option is to configure the system as hybrid, if that would allow 
the notification to be suppressed (and the implications of the change 
weren't too great), I would be glad to configure it that way if someone 
could point me to instructions on how to do so.

Thanks for the help, my learning curve at this point is pretty steep.



[ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I'm having trouble getting an ignore expression to actually ignore a change 
and suspect it's due to not understanding how OSSEC regular expressions 
work.  When I searched for examples I found very little so I'm hoping 
someone can reply with examples or explanations.  What I tried was:

<ignore type="regex">/var/lib/postgresql/9.5/main/base/\d+/\d+$</ignore>
<ignore type="regex">/var/lib/postgresql/9.5/main/pg_xlog/\d+$</ignore>
<ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
<ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>


I'm still getting alerts such as the following:

Integrity checksum changed for: 
'/var/lib/postgresql/9.5/main/base/16387/1259'
Integrity checksum changed for: 
'/var/lib/postgresql/9.5/main/pg_xlog/00010026'
New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file 
system. (I configured new file alerting and am glad to see it's working but 
just not this directory).

Thanks for the help.



Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-08-28 Thread Tirumala Raja Siriki
Email levels are at a high enough priority; I am getting emails now after 
stopping alerting from RDP. I have multiple RDPs where the agent is installed 
and I get a lot of false alerts from them, for Authentication failure and 
Account locked out.

On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan (ddpbsd) wrote:
>
>
>
> On Aug 24, 2017 8:31 AM, "Tirumala Raja Siriki" wrote:
>
> Hi Everyone,
>
> I am running OSSEC version 2.8.3 on the server as well as the agents. I am not 
> getting any email alerts from the OSSEC server (SUSE Linux) for one of the 
> agents, which is also running on SUSE Linux.
> I see the alerts are getting logged in the /var/ossec/logs/alerts/alerts.log 
> file but no emails are triggered. Other agents are working fine.
> I noticed the OSSEC server has rsyslog running while the agent has syslog-ng. 
> Are there any changes that need to be made for logging?
>
> Any help is appreciated.
>
>
> Are the alerts that this agent triggers high enough level to be sent via 
> email? Are the alerts grouped with other alerts in a single email?
>
>
>
> Many Thanks
>