[ossec-list] Re: Whitelisting vulnerability scanners for specific rules

2019-05-15 Thread Brent
I haven't used address_match_key in a CDB, but this doc explains it pretty well. It's the type of lookup performed... https://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html Also - I'd consider adding your scanner IPs to the whitelist in ossec.conf, even if you're not using active

[ossec-list] Re: Decoder not liking Atlassian logs

2019-06-03 Thread Brent
Creating custom decoders isn't too terribly difficult to do; and I bet you could pay someone else if you wanted to farm that out (I'm thinking of the companies that specialize in OSSEC you may already know of). But doing it yourself probably wouldn't be as difficult as it sounds... and once

[ossec-list] How to configure OSSEC with multiple network cards in Windows Server 2008 R2

2013-08-26 Thread Brent Phillips
I have two network cards with two separate IP addresses. The only way I can get the OSSEC server to see the agent on the Windows Server is if I use an IP range rather than one of the IPs. The network cards' IPs are 172.27.86.18 and 172.27.86.19. I have to use the 172.27.86.0/24 when adding

Re: [ossec-list] How to configure OSSEC with multiple network cards in Windows Server 2008 R2

2013-08-27 Thread Brent Phillips
On Monday, August 26, 2013 4:34:20 PM UTC-4, Michael Starks wrote: On 26.08.2013 14:28, Brent Phillips wrote: I have two network cards with two separate IP addresses. The only way I can get the OSSEC server to see the agent on the Windows Server is if I use an IP range rather than one

Re: [ossec-list] OSSEC as a SIEM

2013-09-17 Thread Brent Phillips
We are looking at implementing a similar setup but with fewer servers. Can you share any information about how you did it? Any tips? Thanks! On Monday, September 16, 2013 4:43:42 PM UTC-4, Janelle wrote: I have 3000+ servers feeding syslog into a single OSSEC server and OSSEC parses the data

[ossec-list] Microsoft Azure Multi-Factor Decode and Rules.

2014-12-05 Thread Brent Morris
Not exactly sure if this is the right place to post this, but it took me some time to get working decodes for Microsoft's Azure Multi-Factor Authentication (PhoneFactor.net). It's pretty cool multifactor authentication for on-prem RDP Gateway and OWA using your phone as the second factor.

[ossec-list] Re: Microsoft Azure Multi-Factor Decode and Rules.

2014-12-05 Thread Brent Morris
=after_parentPfauth \w+ for user '(\S+)'. Call status: (\S+) - \w+\s+\w+|\w+\s+\w+\s+\w+\../regex ordersrcuser, status/order /decoder On Friday, December 5, 2014 11:51:18 AM UTC-8, Brent Morris wrote: Not exactly sure if this is the right place to post this, but it took me some time to get

Re: [ossec-list] Re: Microsoft Azure Multi-Factor Decode and Rules.

2014-12-08 Thread Brent Morris
: Pfauth failed for user 'DOMAIN\username'. Call status: SUCCESS_NO_PIN_BUT_TIMEOUT - No Phone Input - Timed Out. On Monday, December 8, 2014 5:03:57 AM UTC-8, dan (ddpbsd) wrote: On Fri, Dec 5, 2014 at 3:19 PM, Brent Morris brent@gmail.com wrote: Wish I could edit that last

[ossec-list] Re: Monitoring ASA - Agentless

2014-12-08 Thread Brent Morris
I think dan mentioned it all - but basically... Run the register_host.sh and plug in your username@host password enablepassword Step 1 e.g. ./register_host.sh ciscouser@1.2.3.4 password enablepassword Steps 2 and 3 in your list are incorrect. Delete those... Edit the ossec.conf and
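A complete version of the agentless setup the reply above walks through, added here as an illustration rather than taken from the thread. The user, address and polling interval are assumptions; register_host.sh, ssh_asa-fwsmconfig_diff and ssh_pixconfig_diff are the scripts OSSEC ships under /var/ossec/agentless.

```xml
<!-- Added example, not from the thread. Register the device's credentials first (they
     are written to /var/ossec/agentless/.passlist):
       /var/ossec/agentless/register_host.sh add ciscouser@1.2.3.4 password enablepassword
     then add the block below to /var/ossec/etc/ossec.conf and run
       /var/ossec/bin/ossec-control enable agentless
       /var/ossec/bin/ossec-control restart
     ciscouser@1.2.3.4 and the hourly frequency are assumed values. -->
<ossec_config>
  <agentless>
    <!-- ssh_asa-fwsmconfig_diff drives the ASA/FWSM CLI; ssh_pixconfig_diff is the PIX
         variant. Both log in, run "enable" with the second registered password, capture
         the running config and keep a copy under /var/ossec/queue/diff/ for the next run. -->
    <type>ssh_asa-fwsmconfig_diff</type>
    <frequency>3600</frequency>
    <host>ciscouser@1.2.3.4</host>
    <!-- periodic_diff alerts only when the new capture differs from the stored one -->
    <state>periodic_diff</state>
  </agentless>
</ossec_config>
```

Lines that change on every capture (counters, uptime, license timers) will alert on every run; the capture scripts are plain expect scripts, so the command they send can be narrowed, which is the tuning a later reply in this archive describes.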

Re: [ossec-list] MS Windows server DHCP logs

2014-12-10 Thread Brent Morris
I believe this is Windows Server 2012 R2. The header for that CSV is... ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime,

Re: [ossec-list] MS Windows server DHCP logs

2014-12-10 Thread Brent Morris
Testing the OP's logs, I get an expected response. It should be noted that the log message needs to be truncated from archives.log prior to passing it to ossec-logtest. Even with the additional available fields in Windows 2012, the OSSEC decoder does recognize it as an MS DHCP log file.

[ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
Interesting... I hadn't realized my IIS log files were being completely ignored. If I put my IIS server in IIS or NCSA logging mode... They are decoded as PureFTPD logs using ossec-logtest In W3C format - they come out like this.. **Phase 3: Completed filtering (rules). Rule id:

[ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
OK - on another system I'm able to get the web_rules.xml to trigger. I set up IIS logging on this system... in W3C format. selected all the fields.. #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie)

Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Brent Morris Sent: Friday, December 12, 2014 4:07 PM To: ossec...@googlegroups.com Subject: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able

Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-12 Thread Brent Morris
...@googlegroups.com [mailto:o...@googlegroups.com] On Behalf Of Brent Morris Sent: Friday, December 12, 2014 4:07 PM To: ossec...@googlegroups.com Subject: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger

[ossec-list] Re: How to bypassing need fully-qualified address

2014-12-16 Thread Brent Morris
what's your email_from/email_from address? It should be fully qualified if you're sending to gmail and the like... On Tuesday, December 16, 2014 8:23:16 AM UTC-8, finid wrote: In further troubleshooting email issues I have with a couple of servers not being able to send emails to certain

Re: [ossec-list] Re: How to bypassing need fully-qualified address

2014-12-16 Thread Brent Morris
SMTP server, can I have the email_from address be any arbitrary email address? 2. Must the email_from address be a valid address? TIA -- finid On 2014-12-16 12:46, Brent Morris wrote: what's your email_from/email_from address? It should be fully qualified if you're

Re: [ossec-list] What to make of ossec-hosts.* files

2014-12-16 Thread Brent Morris
I think what you're seeing is what is described in CVE-2014-5284 - http://www.ossec.net/?p=1135 Basically, they were in /tmp, and then a vulnerability was disclosed... so those files were moved from /tmp to /var/ossec in 2.8.1 On Tuesday, December 16, 2014 1:19:15 PM UTC-8, finid wrote: On

[ossec-list] Re: want to exclude (rem) rules in ossec.conf and just use syscheck

2014-12-16 Thread Brent Morris
Personally, I wouldn't relegate OSSEC to run the syscheck components only. I would encourage you to keep the rules... OSSEC is noisy at first... but the goal is simple. Find ways to quiet OSSEC without inhibiting its ability to detect and alert you of malicious activity. That second part

[ossec-list] Re: Help creating rules

2014-12-22 Thread Brent Morris
As Dan mentioned, turning the log all option on in your ossec.conf is a good idea. That might satisfy the PCI requirements to log those transactions so long as Active Directory auditing is turned up. It looks like you have Active Directory running... so system time changes will likely from

Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-23 Thread Brent Morris
: Saturday, December 13, 2014 11:50 To: ossec...@googlegroups.com Subject: Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml On 12/12/2014 06:02 PM, Brent Morris wrote: It should be noted that the decoders seem fine

Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml

2014-12-24 Thread Brent Morris
[mailto:ossec...@googlegroups.com] On Behalf Of Michael Starks Sent: Saturday, December 13, 2014 11:50 To: ossec...@googlegroups.com Subject: Re: [ossec-list] Re: anyone know the status of the issue where IIS logs are not able to trigger on web_rules.xml On 12/12/2014 06:02 PM, Brent Morris wrote

[ossec-list] Re: Monitor installations and uninstallations on Windows machines

2015-01-14 Thread Brent Morris
There are a couple approaches you could take. Turn on Audit Process Tracking Success/Failure - and use some creative match filters in the local_rules.xml to alert on setup.exe, msiexec, uninst.exe and other possible keywords. MSIExec is an easy one, but there are plenty of portable apps that

[ossec-list] Re: Monitor installations and uninstallations on Windows machines

2015-01-14 Thread Brent Morris
Also, Applications and Services Logs Microsoft Application-Experience Program-Inventory might also be a place to set up monitoring. There is a value for Number of installed programs. On Wednesday, January 14, 2015 at 12:01:09 PM UTC-8, XMS967 wrote: Setup: server is on the CentOS virtual

[ossec-list] Re: Windows Event Channels of Interest

2015-01-16 Thread Brent Morris
), and account logons. Grab your centralized antivirus management logs also if possible. Network Policy Server accounting (radius server). It gets a little noisy in here with all that on... -Brent On Thursday, January 15, 2015 at 9:16:44 AM UTC-8, Chris Decker wrote: All, I'm a long-time

Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-11 Thread Brent Morris
Bingo! Your ASA is not configured properly for logging. SSH to the device and log in:

enable (enter password)
config t
logging trap debugging
exit
write mem
exit

If debugging is too much info, you can lower it to notifications as in Eero's example. But you're never going to see your ASA

[ossec-list] Need help testing decodes for Cisco Prime Security Manager (PRSM)

2015-01-27 Thread Brent Morris
Hi... I am curious if anyone is using a Cisco NGFW with Cisco PRSM. I'd love to get a little input on these and perhaps see what logs look like from other Cisco NGFW devices with PRSM. And if you are using this firewall, would you help in testing the syslog feature of PRSM to OSSEC?

[ossec-list] Re: Need help testing decodes for Cisco Prime Security Manager (PRSM)

2015-01-28 Thread Brent Morris
,user,extra_data/order /decoder it still needs some tweaking... if anyone out there (*listens for crickets*) has a Cisco CX product and wants to test its syslog abilities. On Tuesday, January 27, 2015 at 4:18:38 PM UTC-8, Brent Morris wrote: Hi... I am curious if anyone is using

Re: [ossec-list] Re: I cannot monitor my ASA 5520 by using OSSEC

2015-02-09 Thread Brent Morris
It'd also help to see the commands you sent to the ASA for syslogging. sh run log or sh run | inc log On Friday, February 6, 2015 at 8:34:12 AM UTC-8, dan (ddpbsd) wrote: On Fri, Feb 6, 2015 at 11:28 AM, Network Infrastructure panhat...@gmail.com wrote: I the folder:

Re: [ossec-list] OSSEC Agentless script not passing commands

2015-03-17 Thread Brent Morris
the permissions on .passlist on my system are 744 On Tuesday, March 17, 2015 at 5:37:46 AM UTC-7, Gaetan Noel wrote: Thanks for your answer, you were right, the script waits for a and our switches give us a # so I've changed the script accordingly and it works now. Only problem is, when

[ossec-list] Re: Bypassing Asterisk rules

2015-03-10 Thread Brent Morris
You might need to flesh out the rules for asterisk. I didn't see anything based on INVITE in the asterisk section of the decodes or the built-in rules. Sometimes it's necessary to add what you want to watch for in the local_rules.xml - it shouldn't be too tough to add a match/match for

Re: [ossec-list] OSSEC Decodes for Cisco ASA CX - Context-Aware Firewall - PRSM

2015-03-10 Thread Brent Morris
for the on-prem Microsoft Azure 2FA if that would help (I posted earlier on this). Thanks for your help! On Tuesday, February 3, 2015 at 7:54:48 AM UTC-8, dan (ddpbsd) wrote: On Tue, Feb 3, 2015 at 8:44 AM, Brent Morris brent@gmail.com wrote: Greetings all. Would it be better

Re: [ossec-list] OSSEC Decodes for Cisco ASA CX - Context-Aware Firewall - PRSM

2015-03-10 Thread Brent Morris
Thanks for the tip. I submitted it as a pull request... -Brent On Tuesday, March 10, 2015 at 1:29:51 PM UTC-7, ChristianB wrote: Here is the commit: https://github.com/score1more4me/ossec-hids/commit/ed45c6fc6fe02a9016e1e709f17a1960fcf42c40 It's not a pull request yet. Regards

[ossec-list] Re: nmap

2015-03-11 Thread Brent Morris
I haven't done it, but the documentation is here: https://github.com/ossec/ossec-hids/blob/master/doc/nmap.txt On Wednesday, March 11, 2015 at 7:39:30 AM UTC-7, alex petrov wrote: how to configure ossec to monitor logs nmap and output signal issue of changing the state of the port or host?

[ossec-list] Re: OSSEC Agent Version shows 2.8 when 2.8.1 is installed.

2015-03-11 Thread Brent Morris
I'd check to see if your host-deny.sh script includes the following. I believe the only change from 2.8 to 2.8.1 was a workaround for CVE-2014-5284. https://github.com/ossec/ossec-hids/commit/b4c42b1b0053d16e69e4581d2a52286ab2a248ff On Wednesday, March 11, 2015 at 6:52:10 PM UTC-7, D-Dub

[ossec-list] Re: Trying to create an application whitelist for Windows

2015-03-24 Thread Brent Morris
Never mind - I am going to try this.. and adapt it for Windows Audit process logs. http://blog.rootshell.be/2014/02/10/tracking-processesmalwares-using-ossec/ On Tuesday, March 24, 2015 at 10:55:47 AM UTC-7, Brent Morris wrote: I'd like to create an application whitelist from Windows audit

[ossec-list] Please help with CDB lists....

2015-03-31 Thread Brent Morris
*Raw Log...* 2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/31/2015 06:37:27.465 PM ProcessGuid: {7531FA7E-E967-551A--0010D2A58706} ProcessId: 5868 Image: C:\Folder\Folder\file.exe

[ossec-list] Re: Sysmon OSSEC (Security Onion Integration)

2015-03-28 Thread Brent Morris
Thanks Josh! Great stuff here... For my particular use case, sysmon will log to the SYSTEM eventlog and enable me to capture more in-depth information beyond the image name of the executables being launched on the system. I'll implement this next week! -Brent On Friday, March 27, 2015 at 6

[ossec-list] Re: Please help with CDB lists....

2015-04-01 Thread Brent Morris
-makelists file extensions... The above are my raw notes that eventually worked -Josh On Tuesday, March 31, 2015 at 4:52:51 PM UTC-4, Brent Morris wrote: *Raw Log...* 2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create

[ossec-list] Re: Windows DNS log monitoring

2015-02-25 Thread Brent Morris
That DNS.log file doesn't get populated until you stop the DNS service. It looks like it's zero bytes until you stop the DNS service, at which point it fills up the file with data for review... You'd probably be better off grabbing one of the event channels for DNS-Server Audit. On Tuesday,

[ossec-list] Re: Trying to create an application whitelist for Windows

2015-03-27 Thread Brent Morris
Josh - Thanks for the link and the information! I took a quick peek at your work and it looks very thorough! I will give it my full attention next week when I have more time. Here's my quick and dirty approach for this... It was clear to me that the windows decoder is a good start. Which is

[ossec-list] Trying to create an application whitelist for Windows

2015-03-24 Thread Brent Morris
I'd like to create an application white list from Windows audit logs. I have some systems that are fairly static in nature. They only do one thing, and I want to be alerted when they deviate from this behavior. An example use case could be a Windows Embedded POS (no cheeky acronym intended).

[ossec-list] Re: Process monitoring and alert is missing.

2015-04-21 Thread Brent Morris
Yeah, it looks like you solved it... the 500 alerts are for OSSEC. OSSEC will automatically alert you when an agent goes on or offline... what are your intentions with that rule? I'm not sure you need the regular expression line if you just want to rewrite the alert level of a 530 rule. On

[ossec-list] Re: How Long Will It Take Me To Get OSSEC Up Running?

2015-04-20 Thread Brent Morris
I'll take a shot at answering this... *1. How long do you think it will take to run up the OSSEC installation on 1 VM and get 15-20 network components configured?* This depends entirely on your approach. Installing a Linux distribution and installing OSSEC won't take you very long at all. There's

[ossec-list] Re: Active-Response and Fortinet firewall?

2015-05-08 Thread Brent Morris
https://groups.google.com/forum/#!topic/ossec-list/_0fqn9fU8WA I've done something similar in the past with an ASA. I have no experience with a Fortinet firewall, but if you can manage it via SSH, you should be able to crawl into the ASA's example fairly easily. On Monday, May 4, 2015 at

Re: [ossec-list] Agentless Network Devices

2015-05-12 Thread Brent Morris
You might need to tune the agentless script. Not sure if you're running PIX or the ASA script but the script is in /var/ossec/agentless look for the send show running-config or send show version. With the Cisco CLI, you can omit information using the grep -v... it should be in there as

Re: [ossec-list] Agentless network diff not showing correct info

2015-05-12 Thread Brent Morris
Although it would be nice to see an entire list of changes in an alert email. I think the agentless alert has performed its duty of providing an alert that the configuration of your device has changed. You can go into /var/ossec/queue/diff and find the entire captures of the device in

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
You'll want to test this yourself. But you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to view config. Then you can just change the configuration file and save it, restart

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
to the manager in real-time. You can try those syscheck settings you mentioned. I'd be interested to hear your results! On Friday, May 15, 2015 at 1:04:23 PM UTC-7, Justin Hazard wrote: Hi Brent, I appreciate the response, and it seems like the way forward for the Registry Monitoring portion. I

[ossec-list] Re: whitelist and logging

2015-04-15 Thread Brent Morris
Add that logall option right in the global section and restart ossec. On Wednesday, April 15, 2015 at 2:07:02 AM UTC-7, ri...@amcoonline.net wrote: @brent Morris I don't have the option logall set on either the server or agent. Which section does it go in? Here is the local_rules.xml

[ossec-list] Re: whitelist and logging

2015-04-14 Thread Brent Morris
Do you have the <logall>yes</logall> option set in your ossec.conf? When I scan my ossec box, I see plenty of attempts in the archive.log... On Monday, April 13, 2015 at 5:26:15 PM UTC-7, ri...@amcoonline.net wrote: Hi gang: I've been working hard to get up-to-date on OSSEC but as you all

Re: [ossec-list] Re: Agentless not writing what changes are detected

2015-04-08 Thread Brent Morris
the syslog output is not showing the full changes? On Wed, 8 Apr 2015 at 15:36 Brent Morris brent@gmail.com wrote: Yeah, I realized I'm going to get an alert every day for the botnet filter license counter too. Which command are you referring to? On Wednesday, April 8

[ossec-list] Re: Agentless not writing what changes are detected

2015-04-08 Thread Brent Morris
Yeah, I realized I'm going to get an alert every day for the botnet filter license counter too. Which command are you referring to? On Wednesday, April 8, 2015 at 12:16:22 PM UTC-7, Gaetan Noel wrote: Thanks for your help guys. You are right Brett, the alert.log has all the info. The issue

[ossec-list] Re: Ossec iis log recognize problem

2015-05-20 Thread Brent Morris
So to get IIS to work right, I had to go into IIS Manager, click on Default Web Site (or appropriate site) open the properties window for Logging. Select the W3C format. Click Select Fields and check every box on that list. I also choose to roll over logs on a daily schedule, and use local

[ossec-list] Re: OSSEC.NET site down?

2015-06-03 Thread Brent Morris
it works for me... http://downforeveryoneorjustme.com/ On Wednesday, June 3, 2015 at 12:29:13 PM UTC-7, Juan Aguilar wrote: Is it me or has the ossec.net site been down all day? -- --- You received this message because you are subscribed to the Google Groups ossec-list group. To

Re: [ossec-list] Re: Ossec iis log recognize problem

2015-05-27 Thread Brent Morris
Dan, That shouldn't be too hard to do.. I can take a swipe at it if you like. On Friday, May 22, 2015 at 5:25:28 AM UTC-7, dan (ddpbsd) wrote: On Wed, May 20, 2015 at 5:36 PM, Brent Morris brent@gmail.com wrote: So to get IIS to work right, I had to go into IIS Manager

[ossec-list] Re: [OSSEC] How to write decoder for Java process

2015-06-02 Thread Brent Morris
The best way to get help from us would be to post a sample log from OSSEC. You're going to want to move your custom decoder from decoder.xml to local_decoder.xml so it won't be overwritten during an upgrade. My process for writing custom decoders is to open two shells to your ossec server.

[ossec-list] plugin

2015-05-22 Thread Brent Wegmann
Does anyone have a netmotion mobility plugin? Brent

[ossec-list] Re: OSSEC Agent Install - Windows

2015-05-21 Thread Brent Morris
Bryan, Do you need help compiling the source code for the Windows agent? I was able to muddle my way through the process of this and can offer some assistance if that was your question. Looking through my .bash_history - it looks like the following commands got me there. This is on the

Re: [ossec-list] Can't acess to CENTOs OSSEC server via putty - after login the connection drops

2015-08-03 Thread Brent Morris
You look like you may have misconfigured your IP addresses eth0 has 3 IP addresses. 10.80.1.100 is configured twice. Once for a class A and once for a class C subnet Can you show the contents of the following? ifconfig -a and nm-tool I suspect you just need to configure your network

[ossec-list] Re: Exclude a event based on the log message

2015-08-03 Thread Brent Morris
**Phase 1: Completed pre-decoding. full event: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE' hostname: 'ossec' program_name: '(null)' log: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A

[ossec-list] Re: OSSEC root login detect configuration

2015-06-30 Thread Brent Morris
Best way to do this is to check out what logs are being generated when you login as root. On my system, I see the following: Jun 30 08:42:26 ossec sshd[26600]: pam_unix(sshd:session): session opened for user root by (uid=0) I usually just paste the actual log into ossec-logtest to see what

[ossec-list] Re: can i use <user>!root</user>

2015-07-29 Thread Brent Morris
receiving on invalid logons or <match>root</match> -Brent On Wednesday, July 29, 2015 at 9:06:41 AM UTC-7, Ashley Drees wrote: Ok, not so much ignore, I am looking for a way to ban permanently any IP that tries to log in as root, but have a short ban for anyone just forgetting the password, fail

[ossec-list] Re: can i use <user>!root</user>

2015-07-29 Thread Brent Morris
That won't work... I typically will overwrite an alert level if I want to ignore certain users. http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html On Wednesday, July 29, 2015 at 3:09:43 AM UTC-7, Ashley Drees wrote: can I use <user>!root</user> in a rule to NOT match user
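One way to get what Ashley asks for in this thread (a permanent block for anyone trying root, a short one for everyone else) without relying on negation in the user field. This is an added illustration, not code from the thread. Rule ids 100100/100101, the five-failures-in-two-minutes threshold and the 600-second timeout are assumptions; 5716 is OSSEC's stock "SSHD authentication failed" rule and firewall-drop its stock active-response command.

```xml
<!-- Added example, not from the thread. Rule ids and thresholds are assumed.
     Two files are shown: rules in /var/ossec/rules/local_rules.xml, responses in
     /var/ossec/etc/ossec.conf. -->

<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,sshd,">
  <!-- Child of 5716. The sshd decoder fills user and srcip from lines such as
       "Failed password for root from 203.0.113.7 port 4242 ssh2" (constructed sample),
       so this fires on the very first root attempt and replaces the 5716 alert. -->
  <rule id="100100" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>Failed SSH login as root: source blocked permanently.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Everyone else: only react to repeated failures from a single source. -->
  <rule id="100101" level="8" frequency="5" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated failed SSH logins: source blocked for a short time.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf -->
<ossec_config>
  <!-- No <timeout>: the delete step is never scheduled, so the drop stays
       until someone removes it by hand. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>

  <!-- With <timeout>, the same command is reverted after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Paste a real failed-login line from archives.log into /var/ossec/bin/ossec-logtest to confirm that the root attempt ends in rule 100100 before restarting. Note that an installer-generated ossec.conf already carries a firewall-drop response keyed on <level>6</level> with a 600-second timeout; if it is left in place it fires alongside the two above.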

[ossec-list] Re: Windows time changes Alert

2015-10-19 Thread Brent Morris
Hi Moe, Edit your /var/ossec/rules/local_rules.xml and add this.. 18104 ^520$|^4616$ System time changed. time_changed, That should do the trick so long as alert level 7 meets the alert level threshold set in your ossec.conf On Friday, October 9, 2015 at 11:15:41 AM
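The rule from the reply above with its XML restored, plus the ossec.conf thresholds it says the level has to clear. Added here as an illustration, not the post's own file: rule id 100120 is an assumption (the post's id is not shown), and local rules must sit in the 100000-119999 range.

```xml
<!-- Added example based on the reply above; rule id 100120 is assumed. -->

<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,windows,">
  <rule id="100120" level="7">
    <!-- 18104 is the stock Windows parent rule the post builds on; 520 is the
         Windows 2003 "system time was changed" event id, 4616 its 2008+ equivalent.
         <id> is matched against the decoded Windows event id, hence the anchors. -->
    <if_sid>18104</if_sid>
    <id>^520$|^4616$</id>
    <description>System time changed.</description>
    <group>time_changed,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf: a level-7 rule is only logged or mailed if it clears
     these thresholds, which is the caveat in the reply. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

Feed one of the 4616 lines from archives.log into /var/ossec/bin/ossec-logtest and check that phase 3 reports rule 100120 before restarting the manager.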

[ossec-list] Re: alert to monitor my system admins

2015-10-07 Thread Brent Morris
depending on your alert threshold set in your ossec.conf -Brent On Wednesday, October 7, 2015 at 11:58:24 AM UTC-7, Farnsworth, Robert wrote: How would I go about writing a rule to capture my system administrators when they make a change to any user related function such as add

[ossec-list] Re: (possible) webserver attack

2015-10-05 Thread Brent Morris
lists/urlblacklist inside Add the rule to local_rules.xml Use ossec-logtest to verify new rule is working properly. Add the active response to ossec.conf restart ossec and test with a real request to a URL in the list. Verify active response has done its deed. HTH! -Brent
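The full procedure this reply sketches (list file, ossec.conf entry, rule, logtest, active response), together with the scanner-whitelist counterpart the first thread on this page refers to, as one added illustration. None of it is code from either thread: the list paths, rule ids 100130/100131, the sample URLs and the scanner address 192.0.2.10 are assumptions; 31100 is OSSEC's stock parent rule for web access-log events.

```xml
<!-- Added example, not from the threads. Paths, ids, URLs and addresses are assumed. -->

<!-- 1. /var/ossec/lists/urlblacklist, one "key:" per line. The key must equal the
        decoded url field exactly, query string included: match_key is an exact lookup,
        not a substring match. Constructed entries:
          /phpmyadmin/scripts/setup.php:
          /wp-login.php:
          /cgi-bin/php:
        /var/ossec/lists/scanners holds the authorised scanner addresses the same way:
          192.0.2.10:
        Compile both after every edit: /var/ossec/bin/ossec-makelists -->

<!-- 2. /var/ossec/etc/ossec.conf: register the lists, and keep the scanners out of
        every active response (the <white_list> the first thread points at), so a
        scanner is never blocked even by a rule that does not consult the list. -->
<ossec_config>
  <rules>
    <list>lists/urlblacklist</list>
    <list>lists/scanners</list>
  </rules>
  <global>
    <white_list>192.0.2.10</white_list>
  </global>
</ossec_config>

<!-- 3. /var/ossec/rules/local_rules.xml -->
<group name="local,web,">
  <rule id="100130" level="10">
    <if_sid>31100</if_sid>
    <list field="url" lookup="match_key">lists/urlblacklist</list>
    <description>Request for a URL on the scanner blacklist.</description>
    <group>attack,</group>
  </rule>

  <!-- Child of the rule above: the same hit from an authorised scanner drops to
       level 0, so neither the alert nor the response below fires for it. -->
  <rule id="100131" level="0">
    <if_sid>100130</if_sid>
    <list field="srcip" lookup="address_match_key">lists/scanners</list>
    <description>Blacklisted URL requested by an authorised scanner: ignored.</description>
  </rule>
</group>

<!-- 4. /var/ossec/etc/ossec.conf: block the source for ten minutes -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100130</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before restarting, pipe a constructed access-log line such as `203.0.113.7 - - [05/Oct/2015:10:00:00 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"` into /var/ossec/bin/ossec-logtest and confirm phase 3 ends in rule 100130; repeat with 192.0.2.10 as the source and expect 100131 at level 0.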

Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Brent Morris
5, 2015 at 10:59:25 AM UTC-6, Brent Morris wrote: It's easier for us to test if you can post it from your archives.log on ossec :) On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote: - http://schemas.microsoft.

[ossec-list] Re: ossec-analysisd: Invalid decoder name

2015-07-10 Thread Brent Morris
I don't see that you closed the <group name="usermod"> section of your XML with a </group>. That might be it! On Friday, July 10, 2015 at 12:51:03 PM UTC-7, repquota wrote: Hi, I have another problem. I added a new file to my ossec rules and after reloading ossec I have in the ossec logs something like:

[ossec-list] Re: Log Rotation issues

2015-09-15 Thread Brent Morris
Hi Robert, Is ossec-monitord running? This process takes care of the log rotations. I would restart it with the -d option to run it in debug mode to see if it can give you more info. On Tuesday, September 15, 2015 at 6:53:42 AM UTC-7, Farnsworth, Robert wrote: Nobody has had an issue

[ossec-list] Re: Windows Agent No active Response

2015-09-14 Thread Brent Morris
Sean, I don't have a Terminal Server any longer to test on... Are you using the more granular Advanced Auditing policies on your 2012 boxes? In my Remote Desktop testing, I see two events that correlate. There's an AUDIT_FAILURE for 4768 4625 - both of these together reveal the IP address of

Re: FW: [ossec-list] Re: Log Rotation issues - Resolved

2015-09-28 Thread Brent Morris
This sounds like it should be reported as an issue/bug on Github. On Friday, September 25, 2015 at 6:55:39 AM UTC-7, Farnsworth, Robert wrote: Thought I would let you know I have resolved this, I believe the problem stemmed from my alerts.log getting way too large and the Log Rotation

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-21 Thread Brent Morris
(I'm assuming it is fixed in 2.9) - sure! Compile and post the 2.9 client binaries on ossec.net with checksums, etc. Or would this create other issues? On Monday, September 21, 2015 at 2:19:58 PM UTC-7, DefensiveDepth wrote: @Brent, the 2.9 beta that has it fixed?

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-09-21 Thread Brent Morris
Would it be easier to host a compiled version of the fixed client? I think that might solve some of the challenges here... On Monday, September 21, 2015 at 5:41:46 AM UTC-7, dan (ddpbsd) wrote: I'm afraid it will fall to the same issues 2.9 is having right now, but I will give it a shot.

[ossec-list] Firewall rules grouped

2015-09-21 Thread Brent Morris
I'm curious how "Firewall rules grouped" land in the firewall log. Consider the log Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56323 dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0] Returns the following. **Phase 1: Completed

Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Brent Morris
It's easier for us to test if you can post it from your archives.log on ossec :) On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote: - http://schemas.microsoft.com/win/2004/08/events/event - 1100

[ossec-list] Re: (possible) webserver attack

2015-10-05 Thread Brent Morris
I'm not familiar with apache logs... but it looks like you are being scanned with a web vulnerability scanner from an attacker in China. The youtube string you see, I believe, is the user-agent string supplied by the scanning host. Compile all the URL requests and setup a cdb list in OSSEC.

[ossec-list] Re: Outlook Web Access (2003) logs

2015-12-10 Thread Brent Morris
I added a "default IIS" decoder to the github repository, but I don't suppose it will release until the next major version. For now, I think you need to reconfigure IIS logging to match what OSSEC is looking for. Go into IIS Manager, click on Default Web Site (or appropriate site) open the

Re: [ossec-list] Ransomware.

2016-06-14 Thread Brent Morris
realized it was the last thing on my list to do after employing all the other "best" (good) practices in cryptolocker prevention. In the end, I thought application whitelisting alone would yield a better return. :/ -Brent On Thursday, June 9, 2016 at 3:27:50 AM UTC-7, Nate wrote:

[ossec-list] Re: IIS 7 + 404/200 error decoders/rules..

2016-05-26 Thread Brent Morris
Hi Jacob, What version of OSSEC are you on? It doesn't look like you've configured your IIS servers logging to meet the OSSEC 2.8 decoder expectations. But even having said that, I'd submitted some "IIS default" decodes to the github repository some time back. So when I test your log against

[ossec-list] Re: Custom OSSEC decoders - Windows rules not firing

2016-01-13 Thread Brent Morris
You should try these for Sysmon events. https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml I'm not familiar with wazuh, if it's a fork of OSSEC decoders/rules or what? I can tell you that the ones I've linked will work without breaking other things... On

Re: [ossec-list] Re: Custom OSSEC decoders - Windows rules not firing

2016-01-13 Thread Brent Morris
you can run: ossec_ruleset.py -a -u -s That will create a backup of your existing rules and decoders, install new ones, and modify your ossec.conf to include these lines: etc/ossec_decoders etc/wazuh_decoders Hope that helps,

[ossec-list] Re: Windows Malware Detection

2016-01-14 Thread Brent Morris
http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html Another option would be to glean the SHA1 values of malware, and create and use the Sysmon blacklist. But automating a blacklist of SHA1 values for malware, using Sysmon and a CDB list in OSSEC would be a

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-08 Thread Brent Morris
or servers with multiple addresses, I can see why destip would be useful Or the action (IIS verb). Give us a little more background as to what problem you're trying to solve and I'm sure we can help you further :) -Brent On Saturday, February 6, 2016 at 12:04:53 PM UTC-8, Fredrik

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-04 Thread Brent Morris
In order to get OSSEC to work with IIS logs, you have to basically enable all the Extended logging options... Be sure to check the "use local time for file naming and rollover" - otherwise your OSSEC will be dark for a few hours while it catches up with IIS's GMT time.

Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Brent Morris
;ICMP"... I need to keep traces of such events... > > /x > > On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris <brent@gmail.com > > wrote: > >> Good catch! >> >> I think the ASA provides ports just as part of internal processing of the >>

[ossec-list] Cryptolocker, Windows file system auditing

2016-02-29 Thread Brent Morris
I turned on file system auditing on our Windows shares quite a long time ago, it's just handy to have running for those times when you want to find out specifics when users get paranoid. This isn't an original thought but it seems like we have almost all the ingredients to come up with a

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Brent Morris
Xavier, I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log - 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510 2016 Jan 26 12:00:57

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Brent Morris
CP or UDP connection, you'd see Built outbound TCP connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to inside:1.2.3.4/11515 (external.ip.addr/11515) On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8, Xavier Mertens wrote: > > Hi Brent, > I think that I found

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-16 Thread Brent Morris
> Fredrik > > On Thursday, February 11, 2016 at 12:25:33 AM UTC+1, Brent Morris wrote: >> >> eesh... hotkeys got away from me and I posted too fast. >> >> Sure.. >> >> You can do some active response stuff on ID 400... That's fun to do! >>

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-10 Thread Brent Morris
UTC-8, Brent Morris wrote: > > Sure.. > > You can do some active response stuff on ID 400... That's fun to do! > > For me personally, I took a fingerprint of all the web vulnerability > scanners and made it into a CDB list. This was from Nexpose, OpenVAS, and > a pilfered s

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-10 Thread Brent Morris
and added a rule. Local_rules.xml 31100 lists/urlblacklist Web Vulnerability Scanner Detected ossec.config On Tuesday, February 9, 2016 at 1:24:24 PM UTC-8, Fredrik wrote: > > Hi Brent, > > > Just mentioned in post to Jesus that I have been (still am) learning as

[ossec-list] Re: Disable Email Alerts from a particular source ip

2016-03-01 Thread Brent Morris
You also might try using a pipe (or). I use this to omit alerts from certain addresses. 7 192.168.2.1|192.168.2.2 Ignoring rule any level above 7 from ip X. On Tuesday, March 1, 2016 at 8:12:13 AM UTC-8, Jesus Linares wrote: > > Hi, > > I think your rule is proper. You can

[ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-19 Thread Brent Morris
can test your agentless with this method. Be sure your current working directory is /var/ossec pwd /var/ossec from there.. ./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1 Check the output and see where the trouble is. Hope this helps!!! -Brent On Wednesday, March 16, 2016 at 8

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Brent Morris
list) >> >>>>>> >> >>>>>> -- >> >>>>>> Eero >> >>>>>> >> >>>>>> 2016-03-28 13:46 GMT+03:00 Yurii Shatylo <yuriis...@gmail.com >> >: >> >>>>>>>

[ossec-list] Re: Windows Defender Decoder ?

2016-05-20 Thread Brent Morris
to update OSSEC or try any of the new distributions lately. On Thursday, May 19, 2016 at 12:25:09 AM UTC-7, Jesus Linares wrote: > > Hi Brent, > > Your rules are in OSSEC by default (with other ID, why?) but you added a > few new rules. > > could you send a PR to OSSEC or Wazuh

[ossec-list] Re: Windows Defender Decoder ?

2016-05-16 Thread Brent Morris
Rob - can you post your OSSEC version of the log? I can check my rules. These are a culmination of gleaned rules that I updated some time back with new event IDs. Yours is covered in there but I would like to test it against a valid OSSEC log. So if you can post it from the OSSEC

[ossec-list] Android's Outlook app causing crazy logs in IIS/Exchange

2016-07-26 Thread Brent Morris
reason the agent has the same limitation as syslog for communication? Thanks for any responses!!! -Brent

[ossec-list] Re: OSSEC rule to detect new run keys added to the registry

2016-12-16 Thread Brent Morris
AFAIK - OSSEC already checks those run locations. I've wondered about the Wow6432Node Run location, but I believe it checks those too. Check your ossec.conf on the clients and you'll see those Run locations are in there by default. On Wednesday, December 14, 2016 at 11:27:10 AM UTC-8,

[ossec-list] Migration to 2.9.2

2018-05-01 Thread Brent Morris
Hi Gang! I've been on 2.8x for some time, and it's time to upgrade. The in place upgrade failed miserably; mostly due to ipv6 issues. I do wish the install.sh script would check for ipv6 support and soft fail if it's not found. I recompiled with the ipv4 workaround, and was able to get
