[ossec-list] Re: ossec server reporting itself as 0.0.0.0 and more

[Leonardo Goldim]

hey meir my logs are equal to logs you post here in the list before... ---------------- LOG ---------------------------- ** Alert 1158838515.0: 2006 Sep 21 08:35:15 smart09->/var/log/secure Rule: 5303 (level 3) -> 'User sucessfully changed UID to root' Src IP: (none) User: (none) su: pam_unix(su:session): session opened for user root by (uid=501) ** Alert 1158844531.229: 2006 Sep 21 10:15:31 smart09->/var/log/secure Rule: 5303 (level 3) -> 'User sucessfully changed UID to root' Src IP: (none) User: (none) su: pam_unix(su:session): session opened for user root by (uid=501) ---------------- LOG ---------------------------- i was looking at base db and consulting the table signature i saw the signatures are registered there, but the base interface don't show this information ... here are a little bit of table: -------------- TABLE ------------------ +--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+ | sig_id | sig_name                                                                      | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid | +--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+ |      1 | 'Unknown problem somewhere in the system.'                                    |            1 |            7 |       0 |     102 |    NULL | |      2 | 'SSHD authentication failed.'                                                 |            1 |            5 |       0 |    1516 |    NULL | |      3 | 'Attempt to access an non-existent file.'                                     |            1 |            5 |       0 |    3012 |    NULL | |      4 | 'Web server 400 error code.'                                                  |            1 |            5 |       0 |    3101 |    NULL | |      5 | 'Integrity checksum of file '/etc/httpd/conf/httpd.conf' has changed.'        |            1 |            8 |       0 |      13 |    NULL | |      6 | 'Multiple attempts to access non-existent files (web scan) from same source.' |            1 |           10 |       0 |    3014 |    NULL | |      7 | 'User authentication failure.'                                                |            1 |            5 |       0 |     401 |    NULL | |      8 | 'User sucessfully changed UID to root'                                        |            1 |            3 |       0 |    1103 |    NULL | |      9 | 'Integrity checksum of file '/etc/alsa/pcm/dsnoop.conf' has changed.'         |            1 |            8 |       0 |      13 |    NULL | |     10 | 'Integrity checksum of file '/etc/alsa/pcm/dmix.conf' has changed.'           |            1 |            8 |       0 |      13 |    NULL | +--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+ -------------- TABLE ------------------ here are the base interface:  ID   < Signature >   < Timestamp >   < Source Address >   < Dest. Address >   < Layer 4 Proto >  #0-(1-1) 1 2006-07-31 10:41:33 0.0.0.0 10.0.0.9 IP its possible the ossim has broken something more? which version of base you are using? -- ________________________________________ Leonardo Goldim - Auditoria Intranetworks [EMAIL PROTECTED] Intranetworks Rua Marquês do Pombal 1710/805 Porto Alegre - RS - 90540-000 +55 51 3325-5700 +55 51 8415-8604 Meir Michanie wrote: the only thing I can sugest is that you look at the alerts log in the wiki. if your alert log format is not there append it and I can check more On 9/21/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote: hey meir i had installed ossim and this one change somethings at my base, so i download the base source and install it in another place. i do these steps for install ossec-ui: * mysqladmin create base -p * mysql base -p < snort_tables.sql * mysql base -p < ossec2base.sql * mysql base -p < trunc_ossecbase.sql * configure my new base to access the base db * cat /opt/ossec/rules/*.xml |ossec2basetxt.pl -e -o /var/www/html/ossecbase/signatures/ * cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log |ossec2mysql.pl --interface manualfeed after this i access the url http://127.0.0.1/ossecbase/ but the problem with signatures continue, look: ID      < <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=sig_a > Signature > <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=sig_d >          < <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=time_a > Timestamp > <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=time_d >          < <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=sip_a > Source Address > <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=sip_d >          < <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=dip_a > Dest. Address > <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=dip_d >          < <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=proto_a > Layer 4 Proto > <http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807&current_view=0&sort_order=proto_d > #0-(1-1) <http://127.0.0.1/ossecbase/base_qry_alert.php?submit=%230-%281-1%29&sort_order=>         1       2006-07-31 10:41:33     0.0.0.0 <http://127.0.0.1/ossecbase/base_stat_ipaddr.php?ip=0.0.0.0&netmask=32 >         10.0.0.9 <http://127.0.0.1/ossecbase/base_stat_ipaddr.php?ip=10.0.0.9&netmask32 >         IP i don't know what i can do anymore ... do you have any suggestion? but the good side is that the "problem" with dest. address and source address appears to be ok. -- ________________________________________ Leonardo Goldim - Auditoria Intranetworks [EMAIL PROTECTED] Intranetworks Rua Marquês do Pombal 1710/805 Porto Alegre - RS - 90540-000 +55 51 3325-5700 +55 51 8415-8604 Meir Michanie wrote: > > > On 9/19/06, *Leonardo Goldim* <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > >     hey meir > >     do you have any suggestion that i can do to correct my problem with >     signatures? > >     after this fixes at ossec-ui, how we have to import the signatures ? >     with the ossec2base_sigs.pl or ossec2basetxt.pl ? >     in my case i used ossec2basetxt.pl ... > > > ossec2base_sigs.pl is  legacy. > I will remove it from cvs > it doesn't hurts but it is not needed.