Re: [ossec-list] Re: Quickest way to test an updated local_rules.xml

2016-06-02 Thread Pedro Sanchez
Like Dan said, it won't rescan old logs. If you are looking for a way to rescan every past event.. that will be difficult and even if you can do it, the alert timestamps will be wrong. I am sorry but I am not sure I understand what you mean by "restart the predecoding, decoding of everything".

Re: [ossec-list] internal_options.conf and ossec.conf performance tuning

2016-06-28 Thread Pedro Sanchez
Hi Tahir, We have been experimenting with those values of syscheck, I can tell you it's like SUPER FAST when you set sleep to 0, I have some videos recorded about how OSSEC completes a 3000-file database in a few seconds. In my tests OSSEC can work with 0 sleep but be aware because the agent

Re: [ossec-list] Creating Custom System_Audit Checks for Password Complexity

2016-06-27 Thread Pedro Sanchez
Hi, I don't think you can use that kind of regular expression in OSSEC, the regex engine used by OSSEC is OSRegex (created specially for OSSEC), and it is limited in terms of complex regex patterns. Find more information about how you can use OSRegex:

Re: [ossec-list] opening up the permissions on the alerts.log file

2016-06-27 Thread Pedro Sanchez
Hi, You said there is "anything sensitive" but.. OSSEC processes alerts coming from endpoints and all the info is security relevant so.. someone can use alert info (IPs, directories, files, hostnames) for malicious purposes. Besides that, I don't think changing readable attributes will suppose a

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread Pedro Sanchez
You are welcome! I'll upload it to some website or repository folder. It is somewhat simple but it works; in the future I will also extract the PCI compliance requirement of every rule. If you need the rules with PCI requirement groups try out the Wazuh Ruleset. Regards, Pedro S. On Thu, Feb 25, 2016

Re: [ossec-list] Wazuh fork and Sysmon

2016-03-09 Thread Pedro Sanchez
Hi Rob B, There are decoders for every Sysmon event, the main fields are being extracted. Rules have only been created for Sysmon Event ID 1. See the attached example: 2014 Dec 20 09:29:47

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Pedro Sanchez
Did you use the UI (win32ui.exe) to add the key? You need to import the key extracted from the Manager. Open it as Administrator, paste the key into "Authentication key" and click the "Save" button. The log is telling us that you didn't add the key, so the file client.keys is not created. On Tue, Mar

Re: [ossec-list] Finding out the exact OSSEC server version

2016-05-23 Thread Pedro Sanchez
Hi Tahir, The way I do it is reading /etc/ossec-init.conf. cat /etc/ossec-init.conf > DIRECTORY="/var/ossec" > VERSION="v2.9.0" > DATE="jue may 12 00:43:32 PDT 2016" > TYPE="server" Best regards, Pedro S. On Mon, May 23, 2016 at 5:42 PM, Tahir Hafiz wrote: > Dear

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Pedro Sanchez
Hi, You can process alerts.json with Logstash, use a filter in the output section and write to different files that you prefer (use codec to specify output format): output { > > if [AgentName] == "agent1" { > >

Re: [ossec-list] Re: Duplicated counter

2016-05-13 Thread Pedro Sanchez
Hi, I don't think *verify_msg* is related to those errors. It seems like those files (EventChannel bookmarks) no longer exist in the tmp folder or OSSEC does not have enough permissions, try to reinstall the agent. If you prefer, paste here your EventChannel queries so I can test them in my

Re: [ossec-list] USB storage detect & recursive file list

2016-04-19 Thread Pedro Sanchez
Hi, Nice commands, very useful, thanks for sharing. Both commands are working in my labs, the second one prints the full list of files at the terminal and writes into the C:\temp\test.txt file (watch out for the last *"* quotes before ). I am not sure if you need to merge the two commands' output into

Re: [ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Pedro Sanchez
I think has a character limitation, try to remove empty spaces or make the test.txt content shorter. On Wed, Apr 20, 2016 at 12:39 AM, Jacob Mcgrath wrote: > Will try dropping the | select -Skip 2 from the Get-Content see if that > works or maybe a -Raw output arg >

Re: [ossec-list] Parsing OSSEC XML Rules

2016-07-20 Thread Pedro Sanchez
Hi Dave, thanks for sharing your conclusions with us, let me answer each point. *"convert the OSSEC/WAZUH rules to a MySQL database table"* In case it helps, I think OSSEC already inserts each rule into a MySQL database, I can't try it out right now but you can see in the links below the MySQL

Re: [ossec-list] Last time agent connected to server

2016-08-02 Thread Pedro Sanchez
Hi, try checking the last keep alive or the last modification date of the agent-info file. /var/ossec/bin/agent_control -i 005 Output: >Agent ID: 005 >Agent Name: agent-ubuntu >IP address: 10.0.0.xx >Status: Disconnected >Operating system:Linux vpc-agent-ubuntu-public

Re: [ossec-list] Re: Last time agent connected to server

2016-08-02 Thread Pedro Sanchez
Thanks Victor. Quick fix to your useful command, it is missing the queue folder: $ find /var/ossec/queue/agent-info/* -mtime +60 -ls On Tue, Aug 2, 2016 at 11:37 AM, Victor Fernandez wrote: > Hi Derek. > > You can do that by watching the modification time (with ls or stat) of

Re: [ossec-list] internal_options.conf and ossec.conf performance tuning

2016-06-29 Thread Pedro Sanchez
Hi, the syscheck.sleep_after minimum value is 1, you can't set 0; anyway once you set syscheck.sleep to 0, sleep_after does not matter because it won't sleep in any case. Regarding syscheck frequency, remember never to set it lower than 300 and be aware that if you are using the default values of

Re: [ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-23 Thread Pedro Sanchez
Hi Alejandro, Let me help here. I don't think your error is related to compatibility issues, and it is not true that the agent included in Wazuh is older than an OSSEC agent 2.8.3, in fact, it is newer (based on OSSEC 2.9+). OSSEC Agents are totally compatible with the Wazuh fork, meaning that you

Re: [ossec-list] OSSEC_PCI_DSS_Guide for PCI DSS 3.1 (or 3.2)?

2017-01-26 Thread Pedro Sanchez
eleasing version 3.1 I hope it helps, best regards, Pedro Sanchez. On Thu, Jan 26, 2017 at 7:21 PM, Igor Gatis <i...@esfera5.com.br> wrote: > Hi, > > I found this doc from Wazuh which tells how OSSEC helps on PCI: > https://wazuh.com/resources/OSSEC_PCI_DSS_Guide.pdf &g

Re: [ossec-list] Rewrite output for accesses field in Windows Event 4656

2017-02-16 Thread Pedro Sanchez
Hi Nguyen, Thanks for the digit meanings, in my experience, for the latest Windows or Windows desktop versions the digits have been replaced by the terms, but I am not sure which Windows versions have digits or terms. You could do the correlation at C level in OSSEC, maybe using a CDB List (matching

Re: [ossec-list] is there any way to increase alerts.log file size

2016-09-06 Thread Pedro Sanchez
Hi Daiyue, I don't really understand what you mean by "new syscheck" replacing previous logs, could you please explain this in detail? Regarding the rotation of alerts.log, we can't configure the log size, it rotates daily no matter how big it is, it will rotate every day. If you

Re: [ossec-list] is there any way to increase alerts.log file size

2016-09-07 Thread Pedro Sanchez
yuew...@gmail.com> wrote: > okay, I see. thanks for the explanation. > > syscheck is done every 22 hours by default, so that is what I mean by "new > syscheck". > > cheers > > On 6 September 2016 at 10:22, Pedro Sanchez <pe...@wazuh.com> wrote: >

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-06 Thread Pedro Sanchez
0 0 :::22 :::* >>> LISTEN >>> >>> Now 1515 is in listening state and is also allowed in iptables but I am >>> not able to telnet it. Moreover when I do manual agent key registration ,it >>> works perfectly. I even checked by doin

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-03 Thread Pedro Sanchez
e to communicate with ossec server on port 1515. For > that i even added port 1515 in iptables , Since agent isn't able to > communicate so tcpdump on server shows 0 packets. > > tcp0 0 0.0.0.0:15150.0.0.0:* > LISTEN 5504/ossec-authd > > >

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-03 Thread Pedro Sanchez
Hi Ali, Could you confirm that ossec-authd is running and listening on the sensor? You could use: netstat -pna | grep 1515 The expected output will be similar to: tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 9684/ossec-authd It seems like you have

Re: [ossec-list] ossec alert json missing dedicated agent host location

2016-10-20 Thread Pedro Sanchez
Hi Ron, If you are using an integration with Elasticsearch, try out the Wazuh fork based on OSSEC, with augmented JSON capabilities including the AgentName you need. The internal field "lf->hostname" includes parentheses like you said, so we are extracting the content inside, also we rename the field in

Re: [ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread Pedro Sanchez
Can you see other alerts coming from your agent on the WUI? Try to grep your agent name in /var/ossec/logs/alerts/alerts.log. Remember to add your web server user (apache, www or nobody) to the ossec group. On Thu, Nov 17, 2016 at 10:55 AM, Arthur Hidalgo wrote: >

Re: [ossec-list] Don't see the intrusion logs

2016-11-17 Thread Pedro Sanchez
Hi Arthur, What do you mean by "on the Web?" OSSEC WUI? Your configuration looks right, is your agent connected? You can check the status with: */var/ossec/bin/agent_control -l* Once the agent is connected, it should report log/secure events to the Manager. Best regards, Pedro S. On Thu,

Re: [ossec-list] trouble getting agent to connect to host

2016-10-26 Thread Pedro Sanchez
Seems like the agent is waiting for the ACK (HC_ACK) control message but it is not receiving it (start_agent.c), a few things you can try: - Disable counters on both sides,

Re: [ossec-list] Active response with multiple rules_group

2016-10-31 Thread Pedro Sanchez
Hi Brad, Taking a look at the C code, it seems like it is using "OS_Regex" between the group list (rules_group tag) and the actual rule group, meaning that maybe we can use regular expressions in the tag (C lines: here

Re: [ossec-list] Failed md5 for: /etc/shared/merged.mg -- deleting.

2016-10-31 Thread Pedro Sanchez
Hi, I am sorry Mitchell but I can't think of what is happening there, it seems related to the transfer like you said, the next step will be inserting some debug control messages to figure out what is happening. - When generating the files: client-agent/notify.c

Re: [ossec-list] Chroot directory change option

2016-10-31 Thread Pedro Sanchez
Hi, The best way to start just the ones you need is to disable them in ossec.conf, that way they won't boot, for example for "execd" you can disable Active-response and that will be enough to not boot that daemon. Regarding changing the chroot directory, you are right, each binary has a "-D" option

Re: [ossec-list] Failed md5 for: /etc/shared/merged.mg -- deleting.

2016-10-26 Thread Pedro Sanchez
Hi Sean, OSSEC compresses the whole /var/ossec/etc/shared directory, including the agent.conf, and pushes everything (merged.mg) to the agents. Sometimes if you have something not entirely readable in that folder the push fails, what content do you have in the shared folder? Every time a file is sent to

Re: [ossec-list] trouble getting agent to connect to host

2016-10-26 Thread Pedro Sanchez
For sure that ACK "HC_STARTUP" is not reaching the agent and that is why it does not connect. So the manager is sending the startup and it has connectivity with the agent host but not with the agent software. Confirm that the agent is listening on the right port, also you can use "strace" on agentd

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
it's tricky. So.. everything is working as expected? AR up and running? Regards, Pedro Sanchez. On Tue, Mar 14, 2017 at 9:43 PM, Ralph Durkee <ralph.dur...@gmail.com> wrote: > Pedro thanks again for your help. > > > I think I found the problem, but the work around requires modif

Re: [ossec-list] CDB Lists and MD5 checksums

2017-03-09 Thread Pedro Sanchez
zuh/wazuh > > And do you know if it works with the standard ossec clients? Or will I > need to install new clients on my servers for this to work? > > Thanks, > BJ > > On Thursday, March 9, 2017 at 8:46:59 AM UTC-7, Pedro Sanchez wrote: >> >> Hi BJ, >> >>

Re: [ossec-list] CDB Lists and MD5 checksums

2017-03-09 Thread Pedro Sanchez
you had were related to not compiling / including properly the SQLite libraries. Regards, Pedro Sanchez. On Thu, Mar 9, 2017 at 1:33 AM, BJ <b...@bjtaylor.net> wrote: > Thank you Pedro. That's good information. > > With that in mind, I've decided to give this a try: > https:/

Re: [ossec-list] CDB Lists and MD5 checksums

2017-03-08 Thread Pedro Sanchez
le2 > d41d8cd98f00b204e9800998ecf8427c:file3 > d41d8cd98f00b204e9800998ecf8427d:file4 ossec.conf > *etc/lists/whitelist_md5* *Compile CDB List* > /var/ossec/bin/ossec-makelists Maybe someone figure out a different way to do this. Regards, Pedro Sanchez. On Wed, Mar 8, 2017 at 1:13 AM, BJ

Re: [ossec-list] CDB Lists and MD5 checksums

2017-03-13 Thread Pedro Sanchez
; Normally, I'd turn the logging verbosity up at this point, but if it can't >>> even parse the conf file, I'm not sure that will work. I also compared this >>> config to the list of rules in the folder, and against another config I >>> have running. How can I dig into

Re: [ossec-list] Developer ossec

2017-03-13 Thread Pedro Sanchez
://help.github.com/articles/creating-a-pull-request/, https://yangsu.github.io/pull-request-tutorial/. Best regards, Pedro Sanchez. On Mon, Mar 13, 2017 at 12:23 PM, Eduardo Reichert Figueiredo < eduardo.reich...@hotmail.com> wrote: > Hi all, > this ossec is written in C, correct? > &g

[ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
l -b ip_address_to_block -f firewall-dns-query-drop5400 -u agent_id* - Permissions: Confirm your scripts have permissions to root:ossec and rwxr-x--- Hope it helps, best regards, Pedro Sanchez. On Monday, March 13, 2017 at 3:11:50 PM UTC+1, Ralph Durkee wrote: > > >

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
("*all*" option is not working on my environment) >>- Ruleset: I did verify your decoders and rules, still, you could use >>bin/ossec-logtest tool and paste your event, just to confirm they are >>working properly on your installation >>- You could run the acti

Re: [ossec-list] Re: OSSEC Reporting Dump to CSV and reporting range setting

2017-05-12 Thread Pedro Sanchez
You could also take a look at the "OSSEC Reportd" tool, you could aggregate stats for rule ids, groups, location, etc.: - http://ossec-docs.readthedocs.io/en/latest/programs/ossec-reportd.html For CSV output you could

Re: [ossec-list] Using OSSEC HIDS to spot rogue software

2017-05-17 Thread Pedro Sanchez
Regards, Pedro Sanchez. On Tue, May 16, 2017 at 6:30 PM, 'ian diddams' via ossec-list < ossec-list@googlegroups.com> wrote: > Apologies in advance if this is a FAQ - I've googled a bit but can't see > anything obvious returned. > > I've been asked to find out if OSSEC HIDS (wh

Re: [ossec-list] TargetUserName is not mapped to an indexed field

2017-05-17 Thread Pedro Sanchez
Hi AntonH, I can see your full_log on the Kibana screenshots, it seems like even OSSEC is not getting that field in the raw_log, meaning we are not extracting it from the EventChannel. Currently OSSEC is not extracting all the field details in the XML, related code:

Re: [ossec-list] Unable to connect with agent

2017-05-17 Thread Pedro Sanchez
nd current time is greater than 30 minutes, the manager "switches" the status of that agent to Disconnected. One funny trick is to update manually all the files in the agent-info folder, then run agent_control -lc and look how all your agents seem "Active" haha. Regards, Pedro Sanchez

Re: [ossec-list] Disable the ossec-agent for OS updates.

2017-05-24 Thread Pedro Sanchez
Hi, If you want to disable syscheck component for specific folders, you could push an setting for syscheck block using agent.conf centralized configuration. For example, you could ignore something like: */etc/* Reference here

Re: [ossec-list] Re: Using OSSEC HIDS to spot rogue software

2017-05-31 Thread Pedro Sanchez
Hi, The URL you sent here contains files dated 2010, I am not sure what "rootcheck 2.4" is but I think it is OSSEC version 2.4.1, currently the stable version is 2.9. Rootcheck is included in the standard OSSEC Agent installation, you don't need to install it as a "separate component".

Re: [ossec-list] running ossec-authd in the background as a daemon

2017-05-07 Thread Pedro Sanchez
Hi, You could use the password setting for ossec-authd and/or SSL certificates to validate/authorize incoming requests, using those capabilities could help you