Re: [ossec-list] Testing OSSEC
Hey,

Thanks for your suggestions. Now OSSEC is generating logs and not giving errors after restarting it a couple of times. Now I want to implement the rule, that is, I want to perform an attack according to that rule. I have tried to log in from PuTTY on Windows 3 times within 5 mins, so that it will show "attack from same source IP", but it is not working. What else can I do? Or how is it going to work? Any other method to get an alert after adding this rule? Please suggest.

On Friday, May 6, 2016 at 3:15:58 PM UTC+5:30, Jesus Linares wrote:
> [...]

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
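The frequency/timeframe/same_source_ip rule that Jesus Linares describes further down this thread, replayed over constructed events, as an added example that is not part of any post here and not OSSEC code. The rule XML embedded in it is a reconstruction: the thread only preserves the group list (attacks|attack|automatic_attack) and the description, so the rule id (100001), level (10), frequency (3, because the text says the alert needs "more than 5 times (frequency + 2)") and the tag layout are assumptions, and the replay treats "more than frequency + 2" literally, which is an assumption about OSSEC's counting rather than a verified detail. The sample events are constructed; one batch mirrors three login failures in five minutes tagged with a constructed group that is not in the rule's group list.

```python
"""Replay of a frequency/timeframe/same_source_ip rule over constructed events.

Added example: not OSSEC code and not a post from the thread. The rule XML is a
reconstruction (id, level, frequency and tag layout are assumptions); the alert
threshold follows the thread's wording "more than 5 times (frequency + 2)".
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Assumed reconstruction of the local_rules.xml snippet described in the thread.
RULE_XML = """<group name="local,">
  <rule id="100001" level="10" frequency="3" timeframe="300">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>"""


def load_rule(xml_text):
    """Pull the correlation parameters out of the rule XML."""
    rule = ET.fromstring(xml_text).find("rule")
    return {
        "id": rule.get("id"),
        "level": int(rule.get("level")),
        "frequency": int(rule.get("frequency")),
        "timeframe": int(rule.get("timeframe")),
        "groups": set(rule.findtext("if_matched_group").split("|")),
        "same_source_ip": rule.find("same_source_ip") is not None,
        "description": rule.findtext("description"),
    }


def correlate(events, rule):
    """Return the alerts the rule raises when the events are replayed in time order.

    Each event is a dict: ts (seconds), srcip, groups (list of group names).
    Only events whose groups intersect the rule's if_matched_group list count.
    With same_source_ip the sliding window is kept per source address; an alert
    fires once the window holds more than frequency + 2 events (thread wording,
    treated literally here), and the window is then cleared so a sustained
    flood alerts again later instead of on every following event (assumption).
    """
    threshold = rule["frequency"] + 2
    windows = defaultdict(deque)          # key -> timestamps of matching events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not rule["groups"] & set(ev["groups"]):
            continue                      # no parent rule in the group list fired
        key = ev["srcip"] if rule["same_source_ip"] else "*"
        window = windows[key]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > rule["timeframe"]:
            window.popleft()              # forget events outside the timeframe
        if len(window) > threshold:
            alerts.append({"rule": rule["id"], "level": rule["level"],
                           "srcip": ev["srcip"], "ts": ev["ts"],
                           "count": len(window), "description": rule["description"]})
            window.clear()
    return alerts


def sample_events():
    """Constructed events (not real OSSEC output) covering the interesting cases."""
    ev = []
    # Three login failures in five minutes, tagged with a constructed group that is
    # not in the rule's group list: the rule never sees them at all.
    for i in range(3):
        ev.append({"ts": 100 + 60 * i, "srcip": "192.0.2.10",
                   "groups": ["syslog", "sshd", "authentication_failed"]})
    # Six matching events from one address within 300 s: the case the rule targets.
    for i in range(6):
        ev.append({"ts": 1000 + 20 * i, "srcip": "198.51.100.7", "groups": ["web", "attack"]})
    # Six matching events from six different addresses: same_source_ip keeps them apart.
    for i in range(6):
        ev.append({"ts": 2000 + 20 * i, "srcip": f"203.0.113.{i}", "groups": ["attacks"]})
    # Six matching events from one address but 120 s apart: at most three share a window.
    for i in range(6):
        ev.append({"ts": 3000 + 120 * i, "srcip": "198.51.100.8", "groups": ["automatic_attack"]})
    return ev


if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    for alert in correlate(sample_events(), rule):
        print(alert)
```

Replaying the constructed events raises exactly one alert, for 198.51.100.7: three attempts never reach the threshold, six events spread over six addresses never share a per-address window, and six events 120 s apart never put more than three into one 300 s window. Before expecting a rule like this to fire on login failures, check which groups the rule that matches those log lines in /var/ossec/rules assigns; the replay only counts events carrying one of the three listed groups.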
Re: [ossec-list] Testing OSSEC
Hi,

there are several DDOS attack types: UDP/SYN/ICMP/HTTP flood, ping of death, etc. If these attacks do not generate a log that OSSEC can read, the attack will not be detected. Try to detect the DDOS attack on your machine manually: review Apache logs, netstat or a specific tool to detect these types of attacks. Then we can send the information obtained to OSSEC and play with specific rules or active response to block the attack.

On Tuesday, May 10, 2016 at 8:28:21 PM UTC+2, Jiri wrote:
> [...]
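One way to do the manual netstat check suggested above and turn the result into a line OSSEC can read, as an added example in Python that is not from the thread or from OSSEC: it counts half-open (SYN_RECV) connections per remote address in constructed `netstat -ant` style output and formats the sources at or above a threshold as syslog-style lines. The netstat sample, the hostname, the timestamp, the threshold of 3, the program name and the field names are all constructed for this example.

```python
"""Count half-open TCP connections per source and emit OSSEC-readable log lines.

Added example, not code from the thread or from OSSEC. The netstat sample,
hostname, timestamp, threshold and log line format are constructed.
"""
import re
from collections import Counter

# Constructed `netstat -ant` style output, not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.5:80            198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.5:80            198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.5:80            198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.5:80            198.51.100.7:40004      SYN_RECV
tcp        0      0 192.0.2.5:80            203.0.113.9:51234       ESTABLISHED
tcp        0      0 192.0.2.5:80            203.0.113.9:51235      SYN_RECV
tcp        0      0 192.0.2.5:22            203.0.113.9:51240       ESTABLISHED
"""

# proto, recv-q, send-q, local address, foreign host, foreign port, state
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (foreign_host, state) for every TCP line netstat printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(3), m.group(5)


def half_open_by_source(text):
    """Count connections stuck in SYN_RECV per remote address."""
    counts = Counter()
    for host, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[host] += 1
    return counts


def syslog_lines(counts, threshold=3, host="web01", stamp="May 10 20:28:21"):
    """Format sources at or above the threshold as syslog-style lines.

    Appending these to a file that OSSEC tails (a <localfile> entry in
    ossec.conf) lets a rule match on them; program name and field names
    are constructed for this example.
    """
    return [f"{stamp} {host} synflood-check: srcip={ip} syn_recv={n} threshold={threshold}"
            for ip, n in sorted(counts.items(), key=lambda kv: -kv[1])
            if n >= threshold]


if __name__ == "__main__":
    for line in syslog_lines(half_open_by_source(SAMPLE_NETSTAT)):
        print(line)
```

On the constructed sample only 198.51.100.7 (four half-open connections) reaches the threshold; 203.0.113.9 has one SYN_RECV next to two established sessions and is left out. Run from cron against real `netstat -ant` output, the lines it appends are the log that the rest of the thread's rule work can build on.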
Re: [ossec-list] Testing OSSEC
HI, thanks for your response. I am using XOIC and also RDOS to simulate a DDOS attack but both are not working. The web UI is not detecting any attack and on RDOS it looks like the software isn't even connected to the server.

On Friday, May 6, 2016 at 5:45:58 PM UTC+8, Jesus Linares wrote:
> [...]
Re: [ossec-list] Testing OSSEC
Hi Jiri,

also you can run the command "/var/ossec/bin/agent_control -lc" to get the connected agents. Keep in mind that in order to know if an agent is connected, disconnected or never connected OSSEC reads the modification date of the files in /var/ossec/queue/agent-info/*:

- if there is no file for the agent the status is never connected
- if the modification time of the file is less than a defined timeout, the status is active. If it is greater then the status is disconnected.

The timeout is 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds.

Regarding the rules to detect DDOS attacks, you could create something like this:

local_rules.xml:

attacks|attack|automatic_attack

Attacks from same source IP

You are saying: if one of these groups (attack, attacks or automatic_attack) has matched in the last 300 seconds more than 5 times (frequency + 2) and the event comes from the same IP, it could be a DDOS attack. You can play with the variables (timeframe and frequency) or create new rules with a specific group and append it to the rule.

Regards.
Jesus Linares.

On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
> [...]
Re: [ossec-list] Testing OSSEC
On Thu, May 5, 2016 at 2:12 PM, Jiri wrote:
> Hi,
>
> I just finished installing ossec on ubuntu as a server and windows agent on another computer. How do I test if my agent is successfully connected to me?
> Also, can someone help me on creating rules to detect a ddos attack or any attack on my server?

On the server you can run `/var/ossec/bin/list_agents -c` to see the connected agents.
Check out the rules that already exist in /var/ossec/rules. They should be useful as a template.
If you still need help, please ask.

> Thanks,
> Regards.