-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I took the [gentoo-user] tag out, because this reply showed up in that
list's folder.  ;-)

[EMAIL PROTECTED] wrote:
> gentuxx <[EMAIL PROTECTED]> writes:
> 
> 
>>> This is the overview on the home page:
>>>
>>>  OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It
>>>  performs log analysis, integrity checking, rootkit detection,
>>>  time-based alerting and active response.
>>>
>>> After that there is a manual that describes running the tool, but I
>>> never see any detailed summary of what it really does and how to
>>> access the analysis.
>>>
>>> I've gone way OT here but I hoped you might write to me privately and
>>> describe in some detail what you do with it...
>>>
>> Your hopes are realized! (???)  ;-)  I'm not sure if the "FROM" address
>> is truly a private address, so if you want to send a different address,
>> I would be happy to help you where I can.  OSSEC reports alerts a couple
>> of different ways.  If you DID enable mail notification, then if an
>> event occurs that is higher than level 6 (by default), then (assuming
>> you configured the mailhost and email address correctly) you should see
>> an email describing the alert.  This will depend on the logs and files
>> that you are monitoring.  If you did NOT enable email monitoring, then
>> you can check the logs at
>> '/var/ossec/logs/alerts/2006/$(month)/logfile.log' for alerts.
>> "logfile.log" will represent the type of log and the day of the month
>> (check http://www.ossec.net/wiki/index.php/Know_How:OSSEC_Logging and
>> http://www.ossec.net/wiki/index.php/Know_How:Rules_Severity for more
>> detail).
> 
> Thanks... the From address is a real one... no munging.
> I did setup mail alert and did get one so apparently there is a
> default set of log files being monitored.

Yes, there is a default set.  The install script either goes with a
"best guess" list, or attempts to do some checking as to which apps are
installed on your system that you might want to monitor (apache).  The
install script should have shown you which files it was going to
monitor by default.  Barring that, it should be something along the
lines of the following:

/var/log/messages
/var/log/secure
/var/log/xferlog
(if you have apache)
/var/log/apache/access.log
/var/log/apache/error.log

> 
> Looking at the log area you mentioned I do see detailed analysis.
> Some non-user attempts to login including the IP etc.   Good stuff
> there.
> 
>> Right now, I have ossec monitoring several logs on the "server" host as
>> well as a couple "agents", one of them a Windows agent, including
>> syslog, apache, and others.  If you have any more questions please feel
>> free to email me privately.  I've included the ossec-list here in case
>> others who use it can offer more than I.
> 
>   I thought I'd  join the list so my response would not be rejected
>   but the ossec FAQ doesn't bother to mention the address where I
>   might do that... but I've left the Cc in place the list doesn't
>   require membership before accepting posts.

I don't think this list blocks non-member posts.

(Daniel, that may be something you want to consider.)

Subscription instructions for the lists are here:
http://www.ossec.net/en/mailing_lists.html


> 
> OK, here I'm a bit confused about the server/agent setup.  I took it
> that one needs to setup a server and at least one agent to see reports.
> 
> I haven't ventured into monitoring on windows yet but I guessed that,
> on my gentoo box I needed both server and agent to see anything
> useful.
> 
> Is that right or close so far?

Not exactly true.  If you want to monitor *only* your gentoo system,
then you want to do a "local" install.  If you have another system that
you would like to monitor, /in addition to/ your gentoo system, then you
would set up your gentoo system as the server and your other system as
an agent (for example).

> 
> All I see in /etc/ossec-init.conf is:
>  DIRECTORY="/var/ossec"
>  VERSION="v0.9-1"
>  DATE="Mon Aug 21 23:41:54 CDT 2006"
>  TYPE="server"
> 

This file is equivalent to a /etc/conf.d/ossec file for gentoo.  I don't
know if that change has made it into the CVS tree or not.  (I'm not a
developer, just a contributor.)

> There appears to be NO man pages with the source.  Further in toplevel
> I see a file `CONFIG' that has this non-helpful bit:
> 
>     == Configuring OSSEC ==
> 
>   Just follow the steps from the install.sh script.
>   More information at
>   http://www.ossec.net/en/manual.html
> 
> Going to the suggested URL, then thru the list to the one on `config'.  I
> find silly non-useful baloney like this:
> 
>   Some of these options should only be used by the "agent"
>   installation and some should only be used on the "server" or "local"
>   installations. The list below shows each installation type and
>   their options:
> 
> Apparently `server = local'  but really it is different so why not
> explain that?

"Server" installations include the "remote" tag.  Without this in the
config, it is, for all intents and purposes, a local install.

>   
> This document appears to be written by children who were unable to keep
> a consistent idea throughout.

The documentation is a work in progress.  Check the wiki for more
detailed information.  It is constantly being updated, and fleshed out
as I (and others, hopefully), learn more about the tool.

Wiki link:  http://www.ossec.net/wiki

> 
> The bit about generating a key is completely confusing.  I'm told to
> cut and paste it to `the agent side'.  But as I followed along with
> ./install.sh I saw nothing that looked like an `agent side'.
> 
> No telling what that was supposed to mean.

After you have installed both the server and the agent (on another
system), you have to use the /var/ossec/bin/manage_agents tool to add
your agent to the server.  This process generates the key that you need
to copy and paste into your agent.  That process is described here:
http://www.ossec.net/en/manual.html#manageagents

> 
> Then I'm pointed to unreadable pile of XML in
>  /var/ossec/etc/ossec.conf
> 
> Apparently the authors have ignored the time-honored
>   variable = value
> style of config.
> 

I'm sure there was a reason for using XML.  I'm not a big fan of it
either, but I'm relatively familiar with it, so it wasn't a big deal for
me.  It does actually make sense to use XML for the rules, but not so
much for the config.  Maybe it would be handy to have a converter
(time-honored -> XML).

> So, ok I have a default config at /var/ossec/etc/ossec.conf.
> 
> Far as I can tell, to modify that I need to use some longwinded
> complicated inserts that aren't really explained anywhere.
> 
> Can you show how you've changed the default config and why? 

I have made several changes to my default config, and am constantly
playing with it trying to find new things to add for monitoring.  I'll
do my best to explain them in sections:


  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.0.100</white_list>
    <white_list>192.168.0.200</white_list>
  </global>
This allows my agents to talk to the server.  This and the '<remote>'
tags are required for server operation.  Otherwise, your install reverts
to a "local" install.


  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ipcop.msgs</location>
  </localfile>
Add monitoring for ipcop.msgs file.  My linux router syslogs to my
gentoo server, so I want to monitor the messages coming from that
system.  There is actually a way (I believe) to monitor the actual
syslog stream, but I haven't quite gotten that far, yet.


  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
Add monitoring for snort.


  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/error_log</location>
  </localfile>
Add monitoring for apache.


  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>
Add monitoring for apache.


  <localfile>
    <log_format>nmapg</log_format>
    <location>/var/log/nmap-out.log</location>
  </localfile>
Adds nmap greppable file monitoring.  This is described on the wiki:
http://www.ossec.net/wiki/index.php/Tutorials:Nmap_Correlation.  This is
supposed to check for new hosts and open port changes.


  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mbmlog</location>
  </localfile>
This one is a work in progress.  I have Motherboard Monitor (MBM) on one
of my Windows systems.  MBM syslogs to my gentoo system and I want to be
able to send an alert if temperatures get too high, a fan stops, etc.
Like I said, work in progress.

    <include>user_defined.xml</include>
Includes user defined rules.  This allows me to put in all of my custom
rules without botching up the other rules files.

HTH

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE63hDTPA54hjTSp4RAoWiAKCVYqyXUjv2D9ooqv1D+RvA388CIwCgrekO
ePgMeCZ5afyyfaFUXbJ2u1E=
=5Cul
-----END PGP SIGNATURE-----
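The config fragments quoted in the mail above, assembled into one constructed ossec.conf and run through a small checker. This is an added example, not gentux's code and not an OSSEC tool: it applies the thread's rule that a `<remote>` block is what makes an install a "server" rather than "local", lists every `<localfile>` with its `<log_format>`, reads the level from which alerts are mailed (the thread's "higher than level 6" default, i.e. 7), and flags files monitored twice or without a format. The `<connection>secure</connection>` and `<email_alert_level>` option names come from OSSEC's documentation, not from this page; the sample config itself is constructed.

```python
"""Sanity-check an OSSEC ossec.conf against the points made in the thread.

Added example, not OSSEC's own tooling.  The sample config below is
constructed from the <global>/<localfile> fragments in the mail plus a
<remote> block and an <alerts> block.
"""
import xml.etree.ElementTree as ET

# Constructed sample.  <connection>secure</connection> and
# <email_alert_level> are OSSEC option names taken from its documentation
# (not from the mail); 7 is the level at which "higher than 6" starts.
SAMPLE_SERVER_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.0.100</white_list>
    <white_list>192.168.0.200</white_list>
  </global>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <remote>
    <connection>secure</connection>
  </remote>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ipcop.msgs</location>
  </localfile>
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/error_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>
  <localfile>
    <log_format>nmapg</log_format>
    <location>/var/log/nmap-out.log</location>
  </localfile>
</ossec_config>
"""

# The same config with the <remote> block removed: what a "local" install
# looks like according to the thread.
SAMPLE_LOCAL_CONF = SAMPLE_SERVER_CONF.replace(
    "<remote>\n    <connection>secure</connection>\n  </remote>\n", "")


def parse_ossec_conf(text):
    """Return all <ossec_config> elements in a config file.

    ossec.conf may hold several top-level <ossec_config> blocks, which is
    not well-formed XML, so the text is wrapped in a synthetic root first.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("ossec_config")


def install_type(sections):
    """'server' if any section has a <remote> block, else 'local'."""
    return "server" if any(s.find("remote") is not None for s in sections) else "local"


def white_list(sections):
    """Addresses listed under <global><white_list>, in file order."""
    return [w.text.strip() for s in sections for w in s.findall("global/white_list")]


def monitored_files(sections):
    """(location, log_format) for every <localfile> block; '' when missing."""
    return [(lf.findtext("location", "").strip(), lf.findtext("log_format", "").strip())
            for s in sections for lf in s.findall("localfile")]


def email_alert_level(sections, default=7):
    """Lowest alert level that is mailed; falls back to OSSEC's default of 7."""
    for s in sections:
        lvl = s.findtext("alerts/email_alert_level")
        if lvl is not None:
            return int(lvl)
    return default


def check_config(text):
    """Summarise the config and flag problems in the <localfile> list."""
    sections = parse_ossec_conf(text)
    files = monitored_files(sections)
    warnings, seen = [], set()
    for loc, fmt in files:
        if not fmt:
            warnings.append(f"{loc}: missing <log_format>")
        if loc in seen:
            warnings.append(f"{loc}: monitored twice")
        seen.add(loc)
    return {"type": install_type(sections), "white_list": white_list(sections),
            "files": files, "email_alert_level": email_alert_level(sections),
            "warnings": warnings}


if __name__ == "__main__":
    report = check_config(SAMPLE_SERVER_CONF)
    print(f"install type: {report['type']}, mail from level {report['email_alert_level']}")
    for loc, fmt in report["files"]:
        print(f"  {fmt:10s} {loc}")
    for w in report["warnings"]:
        print("WARNING:", w)
```

Run it against a real `/var/ossec/etc/ossec.conf` by reading the file into `check_config`; the synthetic root in `parse_ossec_conf` is what keeps a multi-block file from tripping the XML parser.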
