Re: [ossec-list] Testing OSSEC

2017-08-31 Thread Ritu Soni
Hey,
Thanks for your suggestions. Now OSSEC is generating logs and not 
giving errors after restarting it a couple of times.
Now I want to implement the rule, that is, I want to perform an attack 
according to that rule. I have tried to log in from PuTTY on Windows 3 times 
within 5 mins, so that it will show that "attack from same source IP". But 
it is not working.
What else can I do? Or how is it going to work?
Is there any other method to get an alert after adding this rule? Please advise me.

On Friday, May 6, 2016 at 3:15:58 PM UTC+5:30, Jesus Linares wrote:
>
> Hi Jiri,
>
> also you can run the command "/var/ossec/bin/agent_control -lc" to get the 
> connected agents. Keep in mind that in order to know if an agent is 
> connected, disconnected or never connected OSSEC reads the modification 
> date of the files in /var/ossec/queue/agent-info/*:
>
>- if there is no file for the agent the status is never connected
>- if the modification time of the file is less than a defined timeout, 
>the status is active. If it is greater, then the status is disconnected.
>
> The timeout is 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds.
>
> Regarding the rules to detect DDOS attacks, you could create something 
> like this:
>
> local_rules.xml:
> 
>
>
> 
> attacks|attack|automatic_attack
> 
> 
> Attacks from same source IP
>   
>
>
> 
>
> You are saying: if one of these groups (attack, attacks or 
> automatic_attack) has matched in the last 300 seconds more than 5 times 
> (frequency + 2) and the event comes from the same IP, it could be a DDOS 
> attack. You can play with the variables (timeframe and frequency) or create 
> new rules with a specific group and append them to the rule.
>
> Regards.
> Jesus Linares.
>
>
>
> On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, May 5, 2016 at 2:12 PM, Jiri  wrote: 
>> > Hi, 
>> > 
>> > I just finished installing ossec on ubuntu as a server and windows 
>> agent on 
>> > another computer. How do i test if my agent is successfully connected 
>> to me? 
> > Also, can someone help me on creating rules to detect a DDoS attack 
>> or 
>> > any attack on my server? 
>> > 
>>
>> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
>> connected agents. 
>> Check out the rules that already exist in /var/ossec/rules. They 
>> should be useful as a template. 
>> If you still need help, please ask. 
>>
>> > Thanks, 
>> > Regards. 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to ossec-list+...@googlegroups.com. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Testing OSSEC

2016-05-11 Thread Jesus Linares
Hi,

there are several DDOS attack types: UDP/SYN/ICMP/HTTP flood, ping of 
death, etc. If these attacks do not generate a log that OSSEC can read, the 
attack will not be detected.

Try to detect the DDOS attack on your machine manually: review Apache logs, 
netstat or a specific tool to detect these types of attacks. Then we can 
send the information obtained to OSSEC and play with specific rules or 
active response to block the attack.


On Tuesday, May 10, 2016 at 8:28:21 PM UTC+2, Jiri wrote:
>
> HI, thanks for your response. I am using XOIC and also RDOS to simulate 
> DDOS attacks, but both are not working. The web UI is not detecting any 
> attack and on RDOS it looks like the software isn't even connected to the 
> server. 
>
> On Friday, May 6, 2016 at 5:45:58 PM UTC+8, Jesus Linares wrote:
>>
>> Hi Jiri,
>>
>> also you can run the command "/var/ossec/bin/agent_control -lc" to get 
>> the connected agents. Keep in mind that in order to know if an agent is 
>> connected, disconnected or never connected OSSEC reads the modification 
>> date of the files in /var/ossec/queue/agent-info/*:
>>
>>- if there is no file for the agent the status is never connected
>>- if the modification time of the file is less than a defined 
>>timeout, the status is active. If it is greater, then the status is 
>>disconnected.
>>
>> The timeout is 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds.
>>
>> Regarding the rules to detect DDOS attacks, you could create something 
>> like this:
>>
>> local_rules.xml:
>> 
>>
>>
>> 
>> attacks|attack|automatic_attack
>> 
>> 
>> Attacks from same source IP
>>   
>>
>>
>> 
>>
>> You are saying: if one of these groups (attack, attacks or 
>> automatic_attack) has matched in the last 300 seconds more than 5 times 
>> (frequency + 2) and the event comes from the same IP, it could be a DDOS 
>> attack. You can play with the variables (timeframe and frequency) or create 
>> new rules with a specific group and append them to the rule.
>>
>> Regards.
>> Jesus Linares.
>>
>>
>>
>> On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, May 5, 2016 at 2:12 PM, Jiri  wrote: 
>>> > Hi, 
>>> > 
>>> > I just finished installing ossec on ubuntu as a server and windows 
>>> agent on 
>>> > another computer. How do i test if my agent is successfully connected 
>>> to me? 
>>> > Also, can someone help me on creating rules to detect a DDoS attack 
>>> or 
>>> > any attack on my server? 
>>> > 
>>>
>>> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
>>> connected agents. 
>>> Check out the rules that already exist in /var/ossec/rules. They 
>>> should be useful as a template. 
>>> If you still need help, please ask. 
>>>
>>> > Thanks, 
>>> > Regards. 
>>> > 
>>>
>>



Re: [ossec-list] Testing OSSEC

2016-05-10 Thread Jiri
HI, thanks for your response. I am using XOIC and also RDOS to simulate 
DDOS attacks, but both are not working. The web UI is not detecting any 
attack and on RDOS it looks like the software isn't even connected to the 
server. 

On Friday, May 6, 2016 at 5:45:58 PM UTC+8, Jesus Linares wrote:
>
> Hi Jiri,
>
> also you can run the command "/var/ossec/bin/agent_control -lc" to get the 
> connected agents. Keep in mind that in order to know if an agent is 
> connected, disconnected or never connected OSSEC reads the modification 
> date of the files in /var/ossec/queue/agent-info/*:
>
>- if there is no file for the agent the status is never connected
>- if the modification time of the file is less than a defined timeout, 
>the status is active. If it is greater, then the status is disconnected.
>
> The timeout is 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds.
>
> Regarding the rules to detect DDOS attacks, you could create something 
> like this:
>
> local_rules.xml:
> 
>
>
> 
> attacks|attack|automatic_attack
> 
> 
> Attacks from same source IP
>   
>
>
> 
>
> You are saying: if one of these groups (attack, attacks or 
> automatic_attack) has matched in the last 300 seconds more than 5 times 
> (frequency + 2) and the event comes from the same IP, it could be a DDOS 
> attack. You can play with the variables (timeframe and frequency) or create 
> new rules with a specific group and append them to the rule.
>
> Regards.
> Jesus Linares.
>
>
>
> On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, May 5, 2016 at 2:12 PM, Jiri  wrote: 
>> > Hi, 
>> > 
>> > I just finished installing ossec on ubuntu as a server and windows 
>> agent on 
>> > another computer. How do i test if my agent is successfully connected 
>> to me? 
>> > Also, can someone help me on creating rules to detect a DDoS attack 
>> or 
>> > any attack on my server? 
>> > 
>>
>> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
>> connected agents. 
>> Check out the rules that already exist in /var/ossec/rules. They 
>> should be useful as a template. 
>> If you still need help, please ask. 
>>
>> > Thanks, 
>> > Regards. 
>> > 
>>
>



Re: [ossec-list] Testing OSSEC

2016-05-06 Thread Jesus Linares
Hi Jiri,

also you can run the command "/var/ossec/bin/agent_control -lc" to get the 
connected agents. Keep in mind that in order to know if an agent is 
connected, disconnected or never connected OSSEC reads the modification 
date of the files in /var/ossec/queue/agent-info/*:

   - if there is no file for the agent the status is never connected
   - if the modification time of the file is less than a defined timeout, 
   the status is active. If it is greater, then the status is disconnected.
   
The timeout is 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds.

Regarding the rules to detect DDOS attacks, you could create something like 
this:

local_rules.xml:




attacks|attack|automatic_attack

Attacks from same source IP
  




You are saying: if one of these groups (attack, attacks or 
automatic_attack) has matched in the last 300 seconds more than 5 times 
(frequency + 2) and the event comes from the same IP, it could be a DDOS 
attack. You can play with the variables (timeframe and frequency) or create 
new rules with a specific group and append them to the rule.

Regards.
Jesus Linares.



On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 5, 2016 at 2:12 PM, Jiri  
> wrote: 
> > Hi, 
> > 
> > I just finished installing ossec on ubuntu as a server and windows agent 
> on 
> > another computer. How do i test if my agent is successfully connected to 
> me? 
> > Also, can someone help me on creating rules to detect a DDoS attack 
> or 
> > any attack on my server? 
> > 
>
> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
> connected agents. 
> Check out the rules that already exist in /var/ossec/rules. They 
> should be useful as a template. 
> If you still need help, please ask. 
>
> > Thanks, 
> > Regards. 
> > 
>

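Added example (not from the thread and not OSSEC's own code): a small Python simulation of the composite-rule semantics Jesus describes above, which also shows why a handful of failed logins does not raise the "attacks from same source IP" alert. It models a rule whose `<if_matched_group>` lists attack|attacks|automatic_attack, with `timeframe` 300 and `<same_source_ip/>`, and uses the thread's statement that the alert fires after frequency + 2 matches as its threshold. An event whose matched base rule carries none of the listed groups is not counted at all. The event list, the source IPs and the frequency value 3 are constructed for illustration; clearing the per-source counter after an alert is an assumption of this simulation, not a documented OSSEC behaviour.

```python
"""Simulate an OSSEC composite rule: if_matched_group + frequency + timeframe
+ same_source_ip. Constructed example, not OSSEC code."""
from collections import defaultdict, deque

TIMEFRAME = 300                 # seconds, the value used in the thread
FREQUENCY = 3                   # rule's frequency attribute (assumed value)
WATCHED_GROUPS = {"attack", "attacks", "automatic_attack"}


def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME,
              watched=WATCHED_GROUPS):
    """events: time-ordered (timestamp_seconds, source_ip, groups) tuples,
    where groups is the set of rule groups of the base rule that matched.
    Returns a list of (timestamp, source_ip, match_count) for every point at
    which the composite rule would fire."""
    threshold = frequency + 2       # the thread: alert after frequency + 2 matches
    window = defaultdict(deque)     # source ip -> timestamps of recent matches
    alerts = []
    for ts, src, groups in events:
        if not (groups & watched):
            continue                # if_matched_group: other events are ignored
        q = window[src]             # same_source_ip: one counter per source
        q.append(ts)
        while q and ts - q[0] > timeframe:
            q.popleft()             # sliding window: drop matches older than timeframe
        if len(q) >= threshold:
            alerts.append((ts, src, len(q)))
            q.clear()               # assumption: one burst yields one alert
    return alerts


# Constructed sample: (seconds, source ip, groups of the matched base rule).
SAMPLE_EVENTS = [
    (0,   "10.0.0.5", {"syslog", "sshd", "authentication_failed"}),  # not watched
    (10,  "10.0.0.5", {"attack"}),
    (70,  "10.0.0.5", {"attack"}),
    (130, "10.0.0.5", {"attack"}),            # 3 matches in 5 min: below frequency + 2
    (200, "10.0.0.9", {"attacks"}),
    (205, "10.0.0.7", {"attacks"}),           # different source, counted separately
    (210, "10.0.0.9", {"attacks"}),
    (220, "10.0.0.9", {"automatic_attack"}),
    (230, "10.0.0.9", {"attacks"}),
    (240, "10.0.0.9", {"attacks"}),           # 5th match from 10.0.0.9 in 40 s: fires
    (900, "10.0.0.5", {"attack"}),            # earlier matches have aged out
]


if __name__ == "__main__":
    for ts, src, n in correlate(SAMPLE_EVENTS):
        print(f"t={ts}s alert: {n} matches from {src} within {TIMEFRAME}s")
```

With the constructed events only 10.0.0.9 triggers the alert; the three matches from 10.0.0.5 stay below the threshold, which is the situation described in the 2017 follow-up. Lowering `frequency` (for example `correlate(SAMPLE_EVENTS, frequency=1)`) makes both sources fire, which is what "play with the variables" means in practice.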


Re: [ossec-list] Testing OSSEC

2016-05-05 Thread dan (ddp)
On Thu, May 5, 2016 at 2:12 PM, Jiri  wrote:
> Hi,
>
> I just finished installing ossec on ubuntu as a server and windows agent on
> another computer. How do i test if my agent is successfully connected to me?
> Also, can someone help me on creating rules to detect a DDoS attack or
> any attack on my server?
>

On the server you can run `/var/ossec/bin/list_agents -c` to see the
connected agents.
Check out the rules that already exist in /var/ossec/rules. They
should be useful as a template.
If you still need help, please ask.

> Thanks,
> Regards.
>

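Added example, not code from the thread or from OSSEC: a Python script that applies the agent-status logic Jesus describes earlier in the thread (modification time of the files under /var/ossec/queue/agent-info/ compared with 3*NOTIFY_TIME+30, NOTIFY_TIME defaulting to 600 seconds) as a complement to the `list_agents -c` and `agent_control -lc` commands. It builds a constructed agent-info directory in a temporary folder so that it runs offline; the agent names, the name-ip file naming and the fixed "now" timestamp are assumptions made for illustration.

```python
"""Classify OSSEC agents as active / disconnected / never connected from the
mtime of their agent-info files. Constructed example, not OSSEC's own code."""
import os
import tempfile
import time

DEFAULT_NOTIFY_TIME = 600       # seconds, the OSSEC default stated in the thread
AGENT_INFO_DIR = "/var/ossec/queue/agent-info"


def agent_timeout(notify_time=DEFAULT_NOTIFY_TIME):
    """Age after which an agent-info file means 'disconnected'."""
    return 3 * notify_time + 30


def classify_agent(mtime, now, notify_time=DEFAULT_NOTIFY_TIME):
    """mtime is None when no agent-info file exists for the agent.
    The thread says 'less than the timeout' is active and 'greater' is
    disconnected; an age exactly equal to the timeout is treated as
    disconnected here (an assumption)."""
    if mtime is None:
        return "never connected"
    if now - mtime < agent_timeout(notify_time):
        return "active"
    return "disconnected"


def agent_statuses(agents, agent_info_dir=AGENT_INFO_DIR, now=None,
                   notify_time=DEFAULT_NOTIFY_TIME):
    """agents: names under which the agent-info files are written (assumed
    to be name-ip). Returns {agent: status}."""
    now = time.time() if now is None else now
    statuses = {}
    for name in agents:
        path = os.path.join(agent_info_dir, name)
        try:
            mtime = os.stat(path).st_mtime
        except FileNotFoundError:
            mtime = None
        statuses[name] = classify_agent(mtime, now, notify_time)
    return statuses


def demo(notify_time=DEFAULT_NOTIFY_TIME):
    """Constructed agent-info directory: one fresh file, one stale file and
    one agent with no file at all. 'now' is fixed so the result is stable."""
    now = 1_700_000_000
    with tempfile.TemporaryDirectory() as d:
        ages = {"web01-10.0.0.11": 120, "db01-10.0.0.12": 7200}  # seconds old
        for name, age in ages.items():
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("constructed agent-info placeholder\n")
            os.utime(path, (now - age, now - age))
        return agent_statuses(
            ["web01-10.0.0.11", "db01-10.0.0.12", "new01-10.0.0.13"],
            d, now=now, notify_time=notify_time)


if __name__ == "__main__":
    print(f"timeout = {agent_timeout()} s")
    for agent, status in demo().items():
        print(f"{agent}: {status}")
```

Against a real server, `agent_statuses(names)` with the default directory gives the same answer the OSSEC tools print; raising `notify_time` in the example (say to 3000) shows how a larger NOTIFY_TIME in ossec.conf delays the point at which a silent agent is reported as disconnected.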