Hi Daniel,

On Fri, 2011-04-29 at 22:19 -0300, Daniel Cid wrote:
> Hi Rainer,
>
> Can you send your ossec.log? It should show if the repeated offenders
> started properly or not...
I can't see anything related to repeated offenders in the log, however, here's a portion of it.

2011/04/25 14:09:16 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/25 14:09:16 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/25 14:09:16 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/25 14:09:16 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/25 14:09:16 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/25 14:09:16 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2011/04/25 14:09:16 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/04/25 14:09:16 ossec-testrule: INFO: Reading local decoder file.
2011/04/25 14:09:17 ossec-maild: INFO: Started (pid: 2127).
2011/04/25 14:09:17 ossec-execd: INFO: Started (pid: 2131).
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading local decoder file.
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2011/04/25 14:09:17 ossec-analysisd: INFO: Total rules enabled: '1175'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2011/04/25 14:09:17 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2011/04/25 14:09:17 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
[...]
2011/04/25 14:09:17 ossec-analysisd: INFO: White listing IP: '1.2.3.4'
2011/04/25 14:09:17 ossec-analysisd: INFO: 15 IPs in the white list for active response.
2011/04/25 14:09:17 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2011/04/25 14:09:17 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2011/04/25 14:09:17 ossec-analysisd: INFO: Started (pid: 2135).
2011/04/25 14:09:17 ossec-monitord: INFO: Started (pid: 2147).
2011/04/25 14:09:20 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2011/04/25 14:09:21 ossec-syscheckd: INFO: Started (pid: 2143).
2011/04/25 14:09:21 ossec-rootcheck: INFO: Started (pid: 2143).
2011/04/25 14:09:21 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2011/04/25 14:09:21 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2011/04/25 14:09:21 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2011/04/25 14:09:21 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2011/04/25 14:09:21 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/opt/psa/var/log/xferlog'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/vhosts/example/statistics/logs/error_log'.
[...]
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'.
2011/04/25 14:09:23 ossec-logcollector(1950): INFO: Analyzing file: '/opt/psa/admin/logs/httpsd_access_log'.
2011/04/25 14:09:23 ossec-logcollector: INFO: Started (pid: 2139).
2011/04/25 14:10:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2011/04/25 14:10:23 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2011/04/25 14:16:38 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2011/04/25 14:19:28 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2011/04/25 14:19:40 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2011/04/25 14:20:00 ossec-rootcheck: INFO: Starting rootcheck scan.
2011/04/25 14:37:53 ossec-rootcheck: INFO: Ending rootcheck scan.

However, it's not so important anymore: I switched back to 2.5.1 because, besides the repeated_offenders not working, the snapshot did not work with the "command" monitoring either, e.g. monitoring the average load, which I plan to use in the future. But if there should ever be a working OSSEC like 2.5.1 but with repeated_offenders included, I'd be very interested.

greetings,
Rainer.
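Added example, not part of the thread or of OSSEC itself: a small parser for the ossec.log line format shown above (timestamp, daemon, optional numeric message id in parentheses, level, message) that pulls out the facts Daniel asked Rainer to look for, i.e. which daemons reported a start, whether analysisd connected to the exec queue, and which active-response commands execd refused. The sample log is constructed from lines in the excerpt; the function names are my own.

```python
import re

# Constructed sample, copied from entries in the ossec.log excerpt above.
SAMPLE_LOG = """\
2011/04/25 14:09:16 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2011/04/25 14:09:17 ossec-maild: INFO: Started (pid: 2127).
2011/04/25 14:09:17 ossec-execd: INFO: Started (pid: 2131).
2011/04/25 14:09:17 ossec-analysisd: INFO: 15 IPs in the white list for active response.
2011/04/25 14:09:17 ossec-analysisd: INFO: Started (pid: 2135).
2011/04/25 14:09:20 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2011/04/25 14:09:23 ossec-logcollector: INFO: Started (pid: 2139).
2011/04/25 14:16:38 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
"""

# "YYYY/MM/DD HH:MM:SS daemon[(msgid)]: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<msgid>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_ossec_log(text):
    """Return one dict per line that matches the ossec.log format; skip the rest."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def started_daemons(entries):
    """Map daemon name -> pid for every 'Started (pid: N).' message."""
    pids = {}
    for e in entries:
        m = re.match(r"Started \(pid: (\d+)\)", e["msg"])
        if m:
            pids[e["daemon"]] = int(m.group(1))
    return pids


def active_response_state(entries):
    """Summarise what the log says about active response wiring."""
    state = {"execq_connected": False, "whitelisted_ips": None, "missing_commands": []}
    for e in entries:
        if "(exec queue)" in e["msg"]:            # analysisd reached execd's queue
            state["execq_connected"] = True
        m = re.match(r"(\d+) IPs in the white list", e["msg"])
        if m:
            state["whitelisted_ips"] = int(m.group(1))
        m = re.match(r"Active response command not present: '([^']+)'", e["msg"])
        if m:                                     # execd dropped a configured command
            state["missing_commands"].append(m.group(1))
    return state
```

Running it over a full ossec.log tells you whether execd started and accepted its responses at all, which is the first thing to rule out before blaming repeated_offenders.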
