[ossec-list] Re: monitor hostname changes

2016-06-06 Thread Jesus Linares
Hi Francesco, you can use syscheck to monitor the "hostname files": /etc/hosts, /etc/hostname, etc. Also, you can use commands to execute the "hostname" command and compare it with the

[ossec-list] Re: OSSEC logfile file missing alert

2016-06-01 Thread Jesus Linares
Hi Kumar, likely you need to create a specific rule in local_rules.xml. What messages are firing the rule 1002? Regards. On Tuesday, May 31, 2016 at 6:06:02 PM UTC+2, Kumar Mg wrote: > > Thanks Dan. > > We were able to get the alert for error message, however this started > alerting for all

[ossec-list] Re: Ignore an alert for first 10 minutes of environment build

2016-06-16 Thread Jesus Linares
Hi Tahir, I think there is no official way to do that. You could change the netstat command to show some special string when it is an initial environment and then if the output has that string, ignore it (using the proper alert). I hope it helps. Regards. On Monday, June 13, 2016 at 3:26:42

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-20 Thread Jesus Linares
that IP an IP you expect an agent to come from? > Did you duplicate IPs when adding agents in manage_agents? > > > > > > > > > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote: > >> > >> It should work with port 1514 UDP. Firs

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-20 Thread Jesus Linares
Before doing what I said above, check if your client.keys doesn't have duplicated IPs. On Monday, June 20, 2016 at 9:35:12 AM UTC+2, Jesus Linares wrote: > > Hi Tahir, > > It could be an issue with the keys. OSSEC (agents and manager) keep a > counter of each message sent and r

Re: [ossec-list] Simple windows application text file log config?

2016-06-23 Thread Jesus Linares
Hi Tom, If you need to monitor a file (changes, permissions) you must use syscheck. You *can't* know who made the change. In case you need to generate an alert according to each new line added to a file (event), you

Re: [ossec-list] Simple windows application text file log config?

2016-06-24 Thread Jesus Linares
Hi Tom, first of all, you need a decoder to capture the events. It seems that there is no common part in the logs, so I suggest you add a tag at the beginning of the log. Examples: local_decoder.xml: ^TomTag: tom_decoder updated User '(\S+)' updated by '(\S+)

Re: [ossec-list] Re: Custom OSSEC decoders - Windows rules not firing

2016-01-13 Thread Jesus Linares
Hi, With the new *sysmon decoders* it is necessary to split the current *windows decoder*. So, you must have the decoders in this order: ** ** Please, pay attention to the last one. If you want to use sysmon decoders, *you need this decoder too*. Try to replace your current windows

[ossec-list] Re: Windows Malware Detection

2016-01-15 Thread Jesus Linares
Hi, if you want to use Sysmon + OSSEC, here you have decoders for every Sysmon event: - Event ID 1: Process Created - Event ID 2: A process changed a file creation time - Event ID 3:

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Jesus Linares
It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what it is the issue. On Thursday, June 16, 2016 at

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-07 Thread Jesus Linares
' Description: 'Ignored URLs (simple queries).' Regards, Jesus Linares. On Saturday, February 6, 2016 at 9:04:53 PM UTC+1, Fredrik wrote: > > Guys! Thanks both for taking the time to respond! So, if I understand this > correctly I could use default IIS logging and go with Jesus s

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-04 Thread Jesus Linares
You could use the decoder "web-accesslog-iis-default" as a base for your decoder: windows-date-format web-log true ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+ url,srcip,id Example: 2016-02-02 08:45:31 10.32.10.14 GET

Re: [ossec-list] Ossec syscheck - How to ignore file extension ?

2016-02-10 Thread Jesus Linares
We talk about ignoring file extension here: https://groups.google.com/forum/?hl=en#!searchin/ossec-list/jesus/ossec-list/hFbTx5uxLmU/HTTNtrrbCgAJ You could use: .jpg$ Also, you can create a specific rule with "syscheck". Regards. Jesus Linares. On Wednesday, February 10, 2016 at 1

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-10 Thread Jesus Linares
Hi Fredrik, In a decoder you can use *program_name* or *prematch*: - *program_name*: Executes the decoder if the program_name matches the "syslog" program name. - *prematch*: Executes the decoder if prematch matches any portion of the log field. Then, you should use *regex*:

[ossec-list] Re: Ossec syscheck - How to ignore file extension ?

2016-02-11 Thread Jesus Linares
Hi Leo, I'm glad you could solve your issue with the rules, but *ignore* should work. The symbol ^ in ".jpg$" is a typo. You could try with .jpg$. Check the documentation out: http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/ Regards. Jesus Linares. On Wednesday, Februar

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Jesus Linares
ers/ossec/rules/ossec_rules.xml#L297>for active response. Look for rules with ID 600-606 in your alerts.log. Regards. Jesus Linares. On Sunday, February 21, 2016 at 2:37:11 PM UTC+1, Barry Kaplan wrote: > > I see on my clients lots of active response ssh blocks in > active-response

[ossec-list] Re: Alert message on the subject

2016-02-23 Thread Jesus Linares
Hi, I think you can't change the subject. At least, I can't find anything related to that in the documentation <http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html>. What is your final goal? Regards. Jesus Linares. On Tuesday, February 23, 2016 at 6

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Decoder and rules for active-response are the same in both Wazuh and OSSEC. I meant that rules 601-606 are for a specific sh (check tag *action*), so if you are using a custom sh you will not see the alert. Also, alert 600 is generic (for all active responses) but level is 0. Regards. Jesus

[ossec-list] Re: clamav?

2016-02-23 Thread Jesus Linares
- Example: clamscan --infected -r /usr/share/clamav-testfiles --log=/var/log/clamav/clamav.log --stdout | *logger -i -t clamd* - clamd: I think clamd writes to syslog by default. Regards. Jesus Linares. On Tuesday, February 23, 2016 at 9:10:34 AM UTC+1, Barry Kaplan wrote: >

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
es.xml#L297>, you will see the alert in alerts.log. It's up to you to generate rules to track the active responses. I hope that helps. Regards. Jesus Linares. On Tuesday, February 23, 2016 at 6:42:45 AM UTC+1, Barry Kaplan wrote: > > So I'm confused then. The server decided to initiat

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
*Trying child rules. *Trying rule: 31108 - Ignored URLs (simple queries).Trying rule: 31511 - Blacklisted user agent (wget).* This is working: *31100,31108* requeststringtest.php request string test 2 Regards. Jesus Linares. On Thursday, February 25, 2016 at 5:1

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
Keep in mind that rule 31108 is for http codes 2xx and 3xx. If you want to log that request with 4xx or 5xx codes you should add these rules (31101, 31120...). It's working, but I'm thinking of a better way to do this. Regards. Jesus Linares. On Thursday, February 25, 2016 at 5:36:34 PM UTC

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
Well, I guess you can change the apache log format or improve/overwrite the decoders. Regards. Jesus Linares. On Thursday, February 25, 2016 at 6:18:08 PM UTC+1, James Culver wrote: > > Thank you, this is helpful. Now it works with and without GET parameters. > However, it only works

Re: [ossec-list] OSSEC Server Backup & Restore Procedure

2016-02-25 Thread Jesus Linares
sec-rules>. Script documentation <http://wazuh-documentation.readthedocs.org/en/latest/ossec_ruleset.html#automatic-installation> . Regards. Jesus Linares. On Thursday, February 25, 2016 at 7:37:30 AM UTC+1, Eero Volotinen wrote: > > Just shutdown the server and pack /var/ossec-

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Jesus Linares
e standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}. File: /etc/init.d/apache2. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .", "decoder": { "name": "rootcheck" }, "hostname":

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Jesus Linares
Sorry, I thought you were using default OSSEC rootchecks (debian, redhat, etc). That is the reason I recommend you to use rootchecks with tags (groups). My bad. I will try the *cis-ubuntu-ansible* rootchecks. On Friday, February 26, 2016 at 12:00:12 PM UTC+1, Pedro S wrote: > > Hi, > > I am

[ossec-list] Re: rule dependencies?

2016-02-27 Thread Jesus Linares
Hi, did you create a new rule with "if_group"? Could you paste here the full output of logtest? Here is an example of "if_group" (local_rules.xml): authentication_success authentication_success Hi, this is an authentication_success Feb 27 12:57:40 LinMV sshd[1552]:

[ossec-list] Re: Ignore specific files in directories

2016-01-20 Thread Jesus Linares
Hi, you can use this rule: <*if_group*>syscheck for: '/var/lib/tomcat7/OFFLINE/ for: '\.+.pdf' NO PDF Alert I think if_group is better than if_matched_group. Also your regex is wrong because the event doesn't begin (^) with "/var.." and end ($) with "pdf". The event is

Re: [ossec-list] Re: Ignore specific files in directories

2016-01-22 Thread Jesus Linares
You are right, *ignore* is an *OS_Match/sregex*. You could use: .pdf$|.odt$ I hope you find it useful ;) On Thursday, January 21, 2016 at 1:19:11 PM UTC+1, ono-sendai wrote: > > On 20/01/2016 17:53, Jesus Linares wrote: > > > you can use this rule: > > > > &

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-15 Thread Jesus Linares
if you share the stuff about track connecting devices ;) Regards. Jesus Linares. On Sunday, February 14, 2016 at 8:26:49 PM UTC+1, Fredrik wrote: > > Good example! Definitely helpful! Thanks! > > One thing, I know I read about it somewhere, but how do I group my entries > in the l

[ossec-list] Re: Get actual Agent IP

2016-02-15 Thread Jesus Linares
ossec-remoted <https://github.com/wazuh/ossec-wazuh/commit/b277f0b159a0145d7501d446c429db19a50f922a>to show agent IP when reported as invalid. So, maybe we can log the IP when the agent connects for first time, or with the keep-alive, etc. Regards. Jesus Linares. On Saturday, February 13

Re: [ossec-list] Re: Ossec syscheck - How to ignore file extension ?

2016-02-16 Thread Jesus Linares
'\.+.extension' Ignore /path1/path2/*.extension Regards. Jesus Linares. On Tuesday, February 16, 2016 at 2:39:52 AM UTC+1, dan (ddpbsd) wrote: > > > On Feb 15, 2016 8:31 PM, "Leo G" <leo.g...@gmail.com > wrote: > > > > Thanks Jesus Linares, > > > > Y

[ossec-list] Re:

2016-02-17 Thread Jesus Linares
.6 (CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id "VsLzrS4Zyx3R5xy6tzH0zAk"]' **Phase 2: Completed decoding. decoder: 'apache-errorlog' srcip: '46.4.84.147' **Phase 3: Completed filtering (rules). Rule id: '30411' Level: '7' Description: 'Mod

[ossec-list] Re:

2016-02-17 Thread Jesus Linares
com/ossec/ossec-hids/pull/746> to ossec-hids. Regards, Jesus Linares. On Wednesday, February 17, 2016 at 8:17:54 PM UTC+1, webwzrd wrote: > > Jesus, > > You were spot on! Your analyses and solution worked perfectly. Thank you > so much. I had made some additional Ossec ru

[ossec-list] Re: the length of time the user logged in

2016-02-18 Thread Jesus Linares
Hi Maxim, what is the OS of your agents? What kind of login do you want to alert on? ssh, ftp, normal login? Regards. On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote: > > Hi dear community, > > I install and configure about 10 agents, and of course I have a lot of > users,

[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Hi Maxim, First, you have to activate policy_rules: ossec.conf: policy_rules.xml I guess the problem with your rule is that the decoder is not extracting the field *user*. For example, if I switch from user root to homer: "root@LinMV:~# su homer" this log is generated: "Feb 18 11:23:17

[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Regarding cpanel users... I don't know cpanel, but it seems it is part of the chkservd service (info <https://forums.cpanel.net/threads/pure-ftpd-127-0-0-1-info-__cpanel__service__auth__ftpd.103069/>). Anyway, you can ignore them using rules. Regards. Jesus Linares On Thursday, February 18

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-19 Thread Jesus Linares
ules). Rule id: '100120' Level: '12' Description: 'URL requested -- images/logo2.png' **Alert to be generated. Are you sure about the url? Could you paste here the log? Always try your rules with /var/ossec/bin/ossec-logtest. Regards. Jesus Linares On Thursday, February

Re: [ossec-list] Can't filter rule by IP

2016-02-19 Thread Jesus Linares
Hi, I agree with Dan. Anyway, why are you using "composite rules", I mean with *timeframe*, *frequency*, etc.? If you want to ignore some hosts you should use *if_sid* instead of *if_matched_sid*. Regards. Jesus Linares. On Thursday, February 18, 2016 at 11:49:12 PM UTC+1, dan (ddp

[ossec-list] Re: the length of time the user logged in

2016-02-19 Thread Jesus Linares
umentation.readthedocs.org/en/latest/ossec_elk.html>" probably you can create a query to get the time. I don't know how to do it exactly, but here you have some ideas ;). Regards. Jesus Linares. On Friday, February 19, 2016 at 10:09:03 AM UTC+1, Maxim Surdu wrote: > > Hi Je

[ossec-list] Re: Rule for 'Incorrectly formated message from x.x.x.x'

2016-03-15 Thread Jesus Linares
Hi, add ossec.log to your ossec.conf using . Then, you need to create decoders and rules for those events. Regards, Jesus Linares. On Tuesday, March 15, 2016 at 1:20:33 PM UTC+1, Matthias Fraidl wrote: > > Hi list, > > > > is there a way, (or does anyone have implemented

Re: [ossec-list] How are the best test to ossec rules

2016-04-07 Thread Jesus Linares
Hi, Define exactly what you want to test. Some generic test that you can do: - Review ossec.log - Review connectivity with agents - Check host performance with command 'top'. - Review most common alerts Regards, Jesus Linares. On Tuesday, April 5, 2016 at 5:20:22 PM UTC+2, dan

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Jesus Linares
a defined timeout, the status is *active*. If it is greater, then the status is *disconnected*. I guess those files are updated by the Manager each time that the agents send a "keep-alive". I'm not sure, but I think the timeout is around 30 minutes. Regards, Jesus Linares. On Tuesda

[ossec-list] Re: When new ossec build is planning ?

2016-04-07 Thread Jesus Linares
What commit do you mean? On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote: > > Hello! > I very interested in this commit for support proftpd logs. > > Is there're any plans on new ossec deb packages, that will include this > commit ? > Or better way is build ossec myself ? >

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-07 Thread Jesus Linares
match, but sometimes it is not necessary. Regarding your last question, could you use the same log format in your firewall and in the blade? Paste here two logs of each one (firewall and blade) and your decoders, and we will take a look ;) Regards. Jesus Linares On Friday, March 4, 2016 at 9:08:34 PM

[ossec-list] Re: Custom Windows Decoders

2016-03-07 Thread Jesus Linares
specific decoders for other formats, but I don't see why you need that. Regards. Jesus Linares. On Monday, March 7, 2016 at 3:53:39 AM UTC+1, gp85...@gmail.com wrote: > > Hello, > > I was wondering if there is a guide on how to write decoders for Windows > Server 2008 and 2012 Secu

[ossec-list] Re: Change ossec.conf globaly

2016-03-08 Thread Jesus Linares
6" and EventID!="4658"] Regards. Jesus Linares. On Monday, March 7, 2016 at 3:02:49 PM UTC+1, Abdulvehhab Agin wrote: > > Hi, > > > We have lots of ossec.agent on Windows system; These ossec's generate too > much *"Audit Logs"* and we don't w

[ossec-list] Re: Why don't my rules do anything?

2016-03-01 Thread Jesus Linares
Hi Fredrik, The expression *31100,31108* is an *OR *expression. If 31100 or 31108 have matched, then the rule matches. Regards. Jesus Linares. On Monday, February 29, 2016 at 9:42:20 AM UTC+1, Fredrik wrote: > > Hi Jesus, > > > Sorry to break into the conversation like this - i

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Jesus Linares
: LOGIN user '(\S+)' user ExampleLogin authentication_success LOGIN authentication_success Bad user 100011 *lists/allow_usersAllow user* Regards. Jesus Linares. On Thursday

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Jesus Linares
"\.". Maybe you can do it with \S+. Regards, Jesus Linares. On Thursday, March 3, 2016 at 10:05:16 AM UTC+1, Pedro S wrote: > > Hi Fredrik, > > I don't think OSSEC allow regex to work backwards, from end to beginning, > I know that can be specify on other languages

[ossec-list] Re: Disable Email Alerts from a particular source ip

2016-03-01 Thread Jesus Linares
* *overrides granular email alert levels: . Individual rules can override this with the *alert_by_email *option. Regards. Jesus Linares. On Tuesday, March 1, 2016 at 3:02:19 PM UTC+1, calvin ratti wrote: > > Hi, > > I have a VA scanner which I have added in the Whitelist to pr

[ossec-list] Re: About error output in ossec.log

2016-04-01 Thread Jesus Linares
timeout. Regards, Jesus Linares. On Thursday, March 31, 2016 at 8:34:50 PM UTC+2, twiko...@gmail.com wrote: > > Hello. I'm with a lot of this output lines in my ossec.log agent. > This is normal? For I am monitoring a few servers with it. There may be > overload > > > > 2

[ossec-list] Re: new files does not creating alert at all

2016-04-01 Thread Jesus Linares
Check out this blog: http://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/ Pay attention to the part: "REAL TIME VS ALERT ON NEW". Regards, Jesus Linares. On Thursday, March 31, 2016 at 9:08:37 PM UTC+2, jingxu...@bettercloud.com wrote: >

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-04-01 Thread Jesus Linares
-test ^block|^allow (\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+) action,srcip,dstip Checkpoint-test resource: (\S+); proxy_src_ip: \S+; product: (\.+); url, extra_data P.S. My name is Jesus, not Jose ;). Regards, Jesus Linares. On Wednesday, March 30, 2016

[ossec-list] Re: Filter Windows Event Log at client

2016-03-29 Thread Jesus Linares
Hi, try with *and*/*or*: Security eventchannel Event/System[EventID=5140 and EventID=5144] Regards, Jesus Linares. On Monday, March 28, 2016 at 10:58:57 AM UTC+2, Duẩn Phạm wrote: > > Hi, > > I have installed the new version of OSSEC v2.8.3. I have a windows ossec >

Re: [ossec-list] OSSEC Rule Creation Help

2016-03-29 Thread Jesus Linares
to paste here some log samples about what you want to detect. Regards, Jesus Linares. On Thursday, March 24, 2016 at 1:41:47 PM UTC+1, namobud...@gmail.com wrote: > > Thanks Santiago, > > The logs I would be examining are just standard windows logs, I wonder if > it's just a question of bui

[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."

2016-03-29 Thread Jesus Linares
stem calls looking for discrepancies. So, your process 13380 is not in /proc. Try to find it using ps -e | grep 892 Regards, Jesus Linares. On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote: > > Greetings :-) > > Just got this alert, and was wondering if you could

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-29 Thread Jesus Linares
of log, maybe "web_client_type" or "mail". What firewall are you using? Version?. Paste here more logs. Regards, Jesus Linares On Thursday, March 24, 2016 at 9:47:28 PM UTC+1, Fredrik wrote: > > Hi Jesus, > > > Got sidetracked with other projects, and fina

Re: [ossec-list] Re: windows active response logic

2016-04-13 Thread Jesus Linares
ogs. Regards, Jesus Linares. On Wednesday, April 13, 2016 at 1:54:33 PM UTC+2, dan (ddpbsd) wrote: > > On Wed, Apr 13, 2016 at 7:47 AM, Jacob Mcgrath > <jacob.xt...@gmail.com > wrote: > > Forgot that part before bed, > > > > Question is; Is it possible for a Windows

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Jesus Linares
wazuh.com/keep-your-ruleset-updated-automatically/>to update your rules automatically. I would like to know what rules are you missing in OSSEC. Regards. Jesus Linares. On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote: > > 1002 ;)) > > Am Freitag, 22. A

[ossec-list] Re: Change alert level for changes to system configuration files and system binaries

2016-04-27 Thread Jesus Linares
est/manual/syscheck/index.html#configuration-examples> . Regards, Jesus Linares. On Tuesday, April 26, 2016 at 7:15:40 PM UTC+2, Tahir Hafiz wrote: > > Guys I am staring at this: > > > /etc,/usr/bin,/usr/sbin > /bin,/sbin > > > Does anyone know where I c

[ossec-list] Re: reindexing logs

2016-05-20 Thread Jesus Linares
Hi Maxim, what was the problem with logstash? How is your configuration? A typical configuration is Manager + Logstash forwarder and another machine with ELK. So you should debug if each part is receiving the logs. Quick debug guide: Logstash forwarder: -

[ossec-list] Re: Decoder Regex help

2016-05-23 Thread Jesus Linares
ompleted decoding. decoder: 'arlog' id: 'Skype' action: 'Logon' url: 'c:\program files (x86)\skype\phone\skype.exe' **Phase 3: Completed filtering (rules). Rule id: '1002' Level: '0' Description: 'Unknown problem somewhere in the system.' I hope it help

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-23 Thread Jesus Linares
Also, I will fix the issue in the next Wazuh release, so you will not need to use a custom decoder. Likely I will change the name to something more readable as *ossec_decoders/kernel_decoders.xml*. Thanks. On Monday, May 23, 2016 at 10:22:33 AM UTC+2, Jesus Linares wrote: > > Hi Dave,

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-23 Thread Jesus Linares
=11844 DF PROTO=TCP SPT=64357 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0' **Phase 2: Completed decoding. decoder: 'iptables' action: 'DROP' srcip: '116.110.88.148' srcdst: '192.168.0.3' Regards, Jesus Linares. On Saturday, May 21, 2016 at 7:58:35 PM UTC+2, Dave Vehrs

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jesus Linares
Hi Jacob, the rule 16 will be fired when rule 15 fires 8 times (6+2). It seems to work: **Phase 1: Completed pre-decoding. full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jesus Linares
Hi, you are right, the problem should be with your rule. Do you have local_rules.xml included in ossec.conf? What OSSEC version are you running? In my version it is working (Wazuh ): 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600

[ossec-list] Re: Repeated offenders?

2016-05-19 Thread Jesus Linares
Hi, I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response will not work. Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of *every agent* (*shared/agent.conf* or

[ossec-list] Re: Windows Defender Decoder ?

2016-05-19 Thread Jesus Linares
Hi Brent, Your rules are in OSSEC by default (with other IDs, why?) but you added a few new rules. Could you send a PR to OSSEC or Wazuh with your new rules? Thanks. On Wednesday, May 18, 2016 at 8:38:16 PM UTC+2, Rob B wrote: > >

Re: [ossec-list] Testing OSSEC

2016-05-11 Thread Jesus Linares
> DDOS attack but both are not working. The web ui are not detecting any > attack and on RDOS it looks like the software aren't even connected to the > server. > > On Friday, May 6, 2016 at 5:45:58 PM UTC+8, Jesus Linares wrote: >> >> Hi Jiri, >> >> also you can

Re: [ossec-list] Have Snort signature trigger Ossec active response...?

2016-05-11 Thread Jesus Linares
Hi Jacob, That sounds interesting. In case you need help to create decoders/rules or active responses for your snort logs paste here some log samples. On Tuesday, May 10, 2016 at 10:41:36 PM UTC+2, Santiago Bassett wrote: > > That seems doable yes. I haven't seen that done before, but

Re: [ossec-list] Re: Have Snort signature trigger Ossec active response...?

2016-05-16 Thread Jesus Linares
Hi Jacob, OSSEC is decoding your log as a windows event: **Phase 1: Completed pre-decoding. full event: '2016-05-12 16:08:58 pid(2410) Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75 10.40.3.253 6 56496 10247 1 901 0 8 8

[ossec-list] Re: Security Matrices With OSSEC

2016-05-13 Thread Jesus Linares
Hi, you could use OSSEC + ELK Stack to create measurable security matrices. Check out these images: General alerts , PCI evolution

Re: [ossec-list] Ossec rules matching order and other

2016-05-18 Thread Jesus Linares
Hi Issam, regarding the rule order, OSSEC checks a rule and its children recursively. Try to launch *ossec-logtest* with argument *-v*: log: '2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP:

[ossec-list] Re: Ossec & Windows mass deployment and server based agent config?

2016-05-03 Thread Jesus Linares
tml#element-log_format> ). I'll check it. Regards. Jesus Linares. On Sunday, May 1, 2016 at 1:52:31 AM UTC+2, Robert Bardo wrote: > > Couple things I noticed.. > > I would use a .cmd, not .bat as I seem to vaguely remember a .cmd must be > used.. it works now for me. > &g

Re: [ossec-list] Re: Ossec & Windows mass deployment and server based agent config?

2016-05-04 Thread Jesus Linares
Thanks Dan! Jacob, did you solve your problem? On Wednesday, May 4, 2016 at 1:20:38 PM UTC+2, dan (ddpbsd) wrote: > > On Tue, May 3, 2016 at 5:53 AM, Jesus Linares <je...@wazuh.com > > wrote: > > Hi, > > > > it seems that full command cannot be used in

Re: [ossec-list] Testing OSSEC

2016-05-06 Thread Jesus Linares
conds more than 5 times (frequency + 2) and the event comes from the same ip, it could be a DDOS attack. You can play with the variables (timeframe and frequency) or create new rules with a specific group and append it to the rule. Regards. Jesus Linares. On Thursday, May 5, 2016 at 8:44:5

Re: [ossec-list] Agent sending alerts, but OSSEC still reports agent as "Never Connected"

2016-05-09 Thread Jesus Linares
Hi Abhi, yes, OSSEC reads the files /var/ossec/queue/agent-info/* to know if agent is active or not. More information: https://groups.google.com/forum/#!topic/ossec-list/ijwdhMoXD4Q Remove all files (so, now the state of every agent is Never connected), and restart manager and agents. After

[ossec-list] Re: ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'. error and client not active

2016-05-09 Thread Jesus Linares
Hi, the log "(unix_domain) Maximum send buffer set to: '212992'" is just an informational message to show the maximum socket size. Could you explain your question in more detail? On Saturday, May 7, 2016 at 5:19:59 PM UTC+2, ici...@turgutozal.edu.tr wrote: > > Hi ; > > my system also has 5

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-04-15 Thread Jesus Linares
ent Data Enforcement; Total logs: 3; Suppressed logs: 2; proto: tcp; dst: 104.16.65.50; src: 192.168.10.204; product: SmartDefense; service: https; s_port: 56814; FollowUp: Not Followed; product_family: Network; Decoder: ^FredikFirewall firewall Regards, Jesus Linares. On Friday, Ap

Re: [ossec-list] Rule 1002 continues to fire after creating local overwriting rule

2016-04-18 Thread Jesus Linares
Your rule seems to work well. Could you paste here the output of logtest? On Monday, April 18, 2016 at 6:05:54 PM UTC+2, LostInThe Tubez wrote: > > Your rule triggers for me when I test it (on v2.8.3), so the problem is > likely not with your rule. It is worth noting however that the >

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jesus Linares
Hi Jacob, I have no idea what is happening. ossec.conf: etc/decoder.xml etc/local_decoder.xml local_decoder.xml: windows-date-format true ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+) srcip,user,action,id

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jesus Linares
I guess you know it, but you must restart OSSEC after changing decoder, rules or ossec.conf. On Wednesday, May 25, 2016 at 10:37:49 AM UTC+2, Jesus Linares wrote: > > Hi Jacob, > > I have no idea what is happening. > > ossec.conf: > > etc/decoder.xml >

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-25 Thread Jesus Linares
Hi Dave, that happens. Maybe I didn't explain it very well. Just add a prematch to the USB decoder in kernel-iptables_apparmor_decoders.xml and use this decoder in your local_decoder file: iptables

Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Jesus Linares
Hi Craig, the raw event is: 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1 .hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C--001017F41E00}

Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Jesus Linares
id: '184666' Level: '12' Description: 'Sysmon - Suspicious Process - svchost.exe' You can find decoders for all sysmon events here <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197> . Regards. On Monday, August 1, 2016 at 9:46:31 A

Re: [ossec-list] eventchannel decoder testing

2016-08-01 Thread Jesus Linares
yLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: > \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) > \s*ParentCommandLine: > status,user,url,data > > > > > On Monday, August 1, 2016 at 2:50:22 AM UTC-5, Jesus Linares wrote: >> >> It seems the output of ossec

Re: [ossec-list] eventchannel decoder testing

2016-08-03 Thread Jesus Linares
Hi Craig, did you try to use the new decoders? I think it could work. Steps: - Create a backup of your decoder.xml - Replace "windows decoder" copying from line 174 to 417 of this file

[ossec-list] Re: Applications and Services Log assistance

2016-08-12 Thread Jesus Linares
Hi, would you mind sharing log samples for the rules? Thanks. On Thursday, August 11, 2016 at 4:10:25 PM UTC+2, robertsc...@gmail.com wrote: > > Thanks Derek, will give that a go! > > On Thursday, August 11, 2016 at 8:56:24 AM UTC-5, Derek Morris wrote: >> >> So here is what I have in my

[ossec-list] Re: Deface detection multi site

2016-08-12 Thread Jesus Linares
day, August 12, 2016 at 11:41:21 AM UTC+2, Trần Khoa wrote: > > Hi Jesus Linares, > > Thanks you for responsing my stack :). I've check > */var/ossec/logs/archives/archives.log > *and there is nothing in there, i mean there is no character in the log. > I've also review my rules

[ossec-list] Re: Deface detection multi site

2016-08-10 Thread Jesus Linares
Hi, review the event generated with the command in /var/ossec/logs/archives/archives.log. Then, use the binary /var/ossec/bin/ossec-logtest to review your rules. Regards. On Tuesday, August 9, 2016 at 11:18:10 AM UTC+2, Trần Khoa wrote: > > Hi everyone, > I have followed detecting deface

[ossec-list] Re: Custom rules to send email alerts about Chrome Remote Desktop events

2016-07-19 Thread Jesus Linares
Hi Kevin, I added your rules to the Ossec Wazuh ruleset. Check it out here: https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/msauth_rules.xml#L961 Thanks for your contribution! Regards. On Monday, June 6, 2016 at 11:49:29 PM

[ossec-list] Re: OSSEC and offline logs

2016-06-27 Thread Jesus Linares
Hi Tahir, you need decoders and rules in order to analyse the logs with OSSEC. If you share your logs we can help you to do it. Here you will find a detailed guide about how to integrate OSSEC with ELK. Regards. On

[ossec-list] Re: Ossec Brute force block question

2016-06-27 Thread Jesus Linares
Hi, The field "location" in the configuration of Active Response means where the command will be executed: - local: on the agent that generated the event - server: on the OSSEC server - defined-agent: on a specific agent (when using this option, you need to set the agent_id to use)

[ossec-list] Re: rootcheck performance issues

2016-08-02 Thread Jesus Linares
Hi JDS, rootcheck does a lot of things: check rootkit_files and rootkit_trojans, scan the /dev directory looking for anomalies, check the file system looking for unusual files and permissions, inspect all process IDs, look for the presence of hidden ports, scan all network interfaces, etc. I

Re: [ossec-list] separate notifications

2016-07-04 Thread Jesus Linares
Hi Andreas, enable the "logall" option in ossec.conf. You will see all the events in /var/ossec/logs/archives/archives.log. Syscheck events look like: "Integrity checksum changed for: '/path1/path2/path3/file.ext'". So, you could create a rule like: syscheck for: '/etc Syscheck: /etc

Re: [ossec-list] for file name

2016-08-16 Thread Jesus Linares
Hi, It's up to you. I like to use URL for path/filenames. Here the fields: - srcuser: extracts the source username - dstuser: extracts the destination (target) username - user: an alias to dstuser (only one of the two can be used) - srcip: source ip - dstip: dst ip - srcport:

[ossec-list] Re: Create custom rule for OSSEC 2.8.3, to capture specific phrase in application log

2017-01-31 Thread Jesus Linares
Hi, you should create decoders and rules for that event. Check out the documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/analysis.html Also, you can use the binary /var/ossec/bin/ossec-logtest to test your own decoders/rules. On Monday, January 30, 2017 at 7:04:34 AM UTC-8, Eli

[ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-30 Thread Jesus Linares
Hi Daniel, review *archives.log* to be sure the log is how you expected. Also, check out *alerts.log* to see the alert. Remember that *ossec-logtest* shows alerts with level 0, but OSSEC does not or at least it should not. Regards. On Friday, January 27, 2017 at 8:00:19 AM UTC-8, Daniel B.

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
Hi Daniel, ossec-logtest always shows the name of the parent. If you want to ignore that alert, just create a rule in local_rules.xml: 5104 Ignore rule 5104. Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode **Phase 1:
