On Jan 7, 2012 1:38 AM, <[email protected]> wrote:

  Today's Topic Summary

Group: http://groups.google.com/group/ossec-list/topics

   - distributed blocking [2 Updates]
   - A more specific match? [1 Update]
   - syscheck granular alerting [4 Updates]
   - OSSEC RPM [7 Updates]
   - Exact windows event ID [3 Updates]
   - Trying to determine why I didn't get notified for a certain rule [6 Updates]
   - OSSEC Agent Disconnected - definition [1 Update]

  distributed blocking <http://groups.google.com/group/ossec-list/t/28c4cd984647310e>

   BP9906 <[email protected]> Jan 06 10:36AM -0800

   As Dan mentions, yes, you'll need rule(s) to detect/log/alert on what
   you're looking for, then use ossec.conf on ossec server to trigger an
   active-response either locally on the agent (web server where the log
   originated) or active-response on the ossec server. We actually do
   active-response on the ossec server, created a custom script that does
   a bunch of stuff and then issues the agent_control -b <ip> -u <id> -f
   <active-response> for the specific agent(s) involved. This can be
   particularly useful when dealing with many webservers load-balanced.





   murf <[email protected]> Jan 06 07:36PM -0800

   Thank you, gentlemen! As long as it is possible, I will forge ahead
   and try an implementation. BP9906's elaboration on how to push
   the command back to the agent machine will be valuable.

   murf





  A more specific match? <http://groups.google.com/group/ossec-list/t/60f65d17942a386b>

   murf <[email protected]> Jan 06 07:49PM -0800

   Here I am again. I have a machine where the "big brother" stuff is
   being used to probe the
   sshd server. That generates, every 5 minutes, a message in /var/log/
   secure:

   Jan 6 21:20:01 sysname sshd[3567]: Bad protocol version identification 'quit' from UNKNOWN

   Which triggers the 5701 rule in the rules.
   5701's match is: "Bad Protocol version idendification"

   and it retaliates by trying to block the "UNKNOWN" ip in iptables....
   not cool.

   What I'd like to do is intro a new rule that is more specific to this
   situation,

   <match>Bad protocol version identification 'quit' from UNKNOWN</match>

   and only alarm if it's more frequent than 1 in 5 minutes.

   The existing 5701 should then kick in if there was no more specific
   match.

   How exactly (or even roughly) would this sort of thing be achieved?

   murf
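
   As an added example (not part of murf's post or the OSSEC rule set), one way to
   express what is asked for in OSSEC's local_rules.xml syntax: a child rule of the
   stock rule 5701 that reclassifies the known probe at a low level, so the
   active response tied to 5701's level no longer fires for it, plus a composite
   rule that alerts only when that probe repeats inside a five-minute window. The
   rule ids 100100 and 100101 and the default active-response threshold of level 6
   are assumptions.

```xml
<!-- local_rules.xml fragment (added example). Rule ids 100100 and 100101 are
     assumed; any unused id in the local 100000-119999 range works. -->
<group name="local,syslog,sshd,">

  <!-- Child of the stock rule 5701. When a child rule matches, it is taken
       in place of its parent, so this message is classified here and 5701
       (level 8, which is what drives the active response) does not fire for
       it. Level 3 keeps the event logged but below the default active-response
       (6) and e-mail (7) thresholds. Level 0 would silence it completely, but
       level-0 events are not kept for correlation and the rule below needs to
       count them. -->
  <rule id="100100" level="3">
    <if_sid>5701</if_sid>
    <match>Bad protocol version identification 'quit' from UNKNOWN</match>
    <description>sshd: monitoring probe from UNKNOWN (expected once per 5 minutes).</description>
  </rule>

  <!-- Composite rule: fires only when 100100 recurs within the timeframe
       (seconds). The OSSEC rules documentation notes that a rule fires two
       occurrences later than the frequency value suggests, so confirm the
       exact threshold on your version by feeding it a few spaced sample lines
       before relying on it. -->
  <rule id="100101" level="10" frequency="1" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <description>sshd: probe from UNKNOWN repeating faster than expected.</description>
  </rule>

</group>
```

   Any 'Bad protocol version identification' message that does not carry the
   'quit' from UNKNOWN text still falls through to the unchanged 5701, which is the
   fallback behaviour murf asks for.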



  syscheck granular alerting <http://groups.google.com/group/ossec-list/t/7ad382ffaccd23a6>

   Ross Lawrie <[email protected]> Jan 06 02:51PM -0800

   Hi,

   I've been trying to get this to work, but I'm obviously missing
   something or not understanding something. What I'd like to do is issue an
   alert to an alternate email address should a file change occur within a
   particular directory.

   From my reading, it seemed like the method to do this would be to create
   a custom rule, and then have an alert based on it in the ossec.conf.
   Unfortunately nothing seems to be happening...

   In local_rules.xml I've created a custom rule:

   <group name="syscheck,">
   ...
   <rule id="100023" level="10">
   <description>Change to a custom directory</description>
   <match>/home/ross</match>
   </rule>
   ...
   </group>

   (I've also tried <regex> rather than <match>)

   In ossec.conf, I've set this up:

   <ossec_config>
   ...
   <email_alerts>
   <email_to>[email protected]</email_to>
   <rule_id>100023</rule_id>
   <do_not_delay />
   <do_not_group />
   </email_alerts>
   ...
   </ossec_config>

   Now, alerting to the email address defined globally is working, and I'm
   seeing alerts on file changes/creation/deletion that I make within the
   directory I'm watching (/home/ross for example), but I'm not seeing
   alerts going to the email address shown above - nor alerts to either
   address with the description set in the custom rule.

   Perhaps I'm going about this the wrong way, or there's an easier way to
   do this, but my search engine results haven't helped me, so hopefully
   someone here can point me in the right direction.

   Ross.




   "dan (ddp)" <[email protected]> Jan 06 06:09PM -0500

   >      <description>Change to a custom directory</description>
   >      <match>/home/ross</match>
   >   </rule>

   Does this rule get triggered?

   > do this, but my search engine results haven't helped me, so hopefully
   > someone here can point me in the right direction.

   > Ross.

   Is the working address also an @riverstyx.net email address? Have you
   checked your maillogs to see if they provide a hint?




   Ross Lawrie <[email protected]> Jan 06 04:07PM -0800

   On 12-01-06 03:09 PM, dan (ddp) wrote:
   >> <match>/home/ross</match>
   >> </rule>
   > Does this rule get triggered?

   Good question, I hadn't thought to track down the appropriate log file
   (alerts.log right?). It doesn't appear to be triggered, I'm only seeing
   the usual (550/554) ids being triggered, for example:

   ** Alert 1325894109.26688: mail - ossec,syscheck,
   2012 Jan 06 15:55:09 myhost->syscheck
   Rule: 550 (level 7) -> 'Integrity checksum changed.'
   Integrity checksum changed for: '/home/ross/ross-test'
   Size changed from '47' to '13'
   Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
   New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
   Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
   New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'

   Does the match/regex not work against the line containing the file name?
   I have other custom rules that seem to work (and that I've disabled as
   part of my efforts to get this one to work, just in case they were
   conflicting somehow) so I think I've got it in the right place. I've
   changed the match/regex to only be against the word 'ross', just to try
   and increase my chances, but still no luck.


   >> Ross.
   > Is the working address also an @riverstyx.net email address? Have you
   > checked your maillogs to see if they provide a hint?

   The working address is also a riverstyx.net address, I've even tried the
   same address (since the description identifier and rule-id ought to make
   it distinguishable). As noted above though, I'm not seeing it trigger in
   the alerts.log, so obviously I've done something wrong with the actual
   rule at this point, and the email address isn't even getting a chance to
   be an issue at this point.




   "dan (ddp)" <[email protected]> Jan 06 07:52PM -0500

   > conflicting somehow) so I think I've got it in the right place. I've
   > changed the match/regex to only be against the word 'ross', just to try
   > and increase my chances, but still no luck.

   Crud, I should have mentioned this in the previous email (but I just saw
   it).

   Try:

   <rule id="100023" level="10">
   <if_sid>550</if_sid> <!-- This means if the rule 550 matches, but
   the file has /home/ross in it this rule should be triggered instead-->
   <description>Change to a custom directory</description>
   <match>/home/ross</match>
   </rule>

   Give that a shot.
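
   An added example, not Ross's or Dan's own configuration: the two pieces from
   this thread assembled into one working pair. The rule is widened so that
   deletions and additions in the watched directory are covered too, since the
   stock syscheck rules report those as 553 and 554 rather than 550, and the
   global e-mail settings that the granular section depends on are included. Rule
   id 100023 and the watched path follow the thread; the example.net addresses are
   placeholders.

```xml
<!-- local_rules.xml fragment (added example). Rule id 100023 is the thread's. -->
<group name="local,syscheck,">

  <!-- syscheck events only reach custom rules through the stock syscheck rules:
       550 = checksum changed, 553 = file deleted, 554 = file added.
       if_sid accepts a comma-separated list, so one child covers all three. -->
  <rule id="100023" level="10">
    <if_sid>550,553,554</if_sid>
    <match>/home/ross</match>
    <description>Change to a custom directory (/home/ross).</description>
  </rule>

</group>

<!-- ossec.conf fragment (added example). Addresses are placeholders. -->
<ossec_config>
  <global>
    <!-- Without email_notification=yes and a global email_to, no granular
         <email_alerts> section sends anything. -->
    <email_notification>yes</email_notification>
    <email_to>ossec-admin@example.net</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.net</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular routing: alerts from rule 100023 additionally go to the
       alternate address, immediately and ungrouped. -->
  <email_alerts>
    <email_to>syscheck-alerts@example.net</email_to>
    <rule_id>100023</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

   Because 100023 is level 10 and email_alert_level is 7, the global address still
   receives the alert as well; the granular section adds the second recipient rather
   than replacing the first.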




  OSSEC RPM <http://groups.google.com/group/ossec-list/t/bdeb148a13087d8e>

   treydock <[email protected]> Jan 05 10:13PM -0800

   I've created a fork of Jason's SRPM. Mostly the changes involve
   adding ability to deploy with agent.conf usage and also refining it to
   be almost duplicate to the source install as far as permissions go.

   I'll post here in next few days once it's finished.

   - Trey

   On Jan 5, 3:42 pm, Jason 'XenoPhage' Frisvold <[email protected]>
   wrote:




   "dan (ddp)" <[email protected]> Jan 06 09:22AM -0500

   On Thu, Jan 5, 2012 at 4:42 PM, Jason 'XenoPhage' Frisvold
   >> That does help. I'm trying to do the same thing.

   > You can find the SRPM I created on my site :

   > http://godshell.com/software

   Any idea if ossec-authd works with your rpm?





   Jason 'XenoPhage' Frisvold <[email protected]> Jan 06 10:54AM -0500


   On Jan 6, 2012, at 9:22 AM, dan (ddp) wrote:
   > Any idea if ossec-authd works with your rpm?


   It's a standard compile, so it's there. However, I haven't played with
   that yet. Though I very much want to .. I would LOVE to find a way to
   compress time so I can do all the things I need to do .. :P

   ---------------------------
   Jason 'XenoPhage' Frisvold
   [email protected]
   ---------------------------
   "Any sufficiently advanced magic is indistinguishable from technology."
   - Niven's Inverse of Clarke's Third Law




   Jason 'XenoPhage' Frisvold <[email protected]> Jan 06 10:54AM -0500


   On Jan 6, 2012, at 1:13 AM, treydock wrote:
   > I've created a fork of Jason's SRPM. Mostly the changes involve
   > adding ability to deploy with agent.conf usage and also refining it to
   > be almost duplicate to the source install as far as permissions go.

   Hrm.. I'm intrigued. Are there problems with the permissions?

   > I'll post here in next few days once it's finished.

   Yes, PLEEZE!


   ---------------------------
   Jason 'XenoPhage' Frisvold
   [email protected]
   ---------------------------
   "Any sufficiently advanced magic is indistinguishable from technology."
   - Niven's Inverse of Clarke's Third Law




   "dan (ddp)" <[email protected]> Jan 06 11:08AM -0500

   On Fri, Jan 6, 2012 at 10:54 AM, Jason 'XenoPhage' Frisvold
   > On Jan 6, 2012, at 9:22 AM, dan (ddp) wrote:
   >> Any idea if ossec-authd works with your rpm?

   > It's a standard compile, so it's there.  However, I haven't played
   with that yet.  Though I very much want to ..  I would LOVE to find a way
   to compress time so I can do all the things I need to do ..  :P

   That was one of the big problems with the atomic RPMs. authd didn't work.





   Stephane Rossan <[email protected]> Jan 06 07:12PM

   In my RPM, ossec-authd works, it just generates a lot of defunct
   processes, a restart of the daemon, on a regular basis, fixes that.





   "dan (ddp)" <[email protected]> Jan 06 03:01PM -0500

   > In my RPM, ossec-authd works, it just generates a lot of defunct
   > processes, a restart of the daemon, on a regular basis, fixes that.

   But your RPM is weird. And I don't think you should be having an issue
   like that.




  Exact windows event ID <http://groups.google.com/group/ossec-list/t/d8021682c6c2a35e>

   banjer <[email protected]> Jan 06 05:34AM -0800

   Hi, I'm trying to log Windows update events, which in Windows is Event
   ID 19. I have had success with this rule:


   <rule id="100034" level="1">
   <if_sid>18101</if_sid>
   <status>^INFORMATION</status>
   <id>19</id>
   <description>Windows Update successfully installed.</description>
   </rule>

   OSSEC will now log typical update events such as this:


   WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: SYSTEM: NT AUTHORITY: myserver.domain.foo.com: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 for x64 (KB2656362) {7ECDE510-CD10-478B-89EC-1D7B255C3419} 104


   However, it also logs informational events with 19 in the event ID,
   such as:

   WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: SEDNA.omni.imsweb.com: I/O was resumed on database castmain60-vt-report_test_updated. No user action is required.


   Is it possible to log an event id that is EXACTLY 19? Thanks!




   "dan (ddp)" <[email protected]> Jan 06 09:15AM -0500

   Try:
   <id>^19$</id>





   BP9906 <[email protected]> Jan 06 10:38AM -0800

   Dan is right, I've found that <id>##</id> won't work as well as
   <id>^##</id> or <id>^##$</id>.

   (## = windows event id)




  Trying to determine why I didn't get notified for a certain rule <http://groups.google.com/group/ossec-list/t/c7fcb5be7d3897db>

   "dan (ddp)" <[email protected]> Jan 06 09:17AM -0500

   > Great. Thanks for the starting point, Dan.

   If you continue to have issues, posting a log sample might help.





   Marc Esher <[email protected]> Jan 06 09:41AM -0500

   > On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]>
   wrote:
   >> Great. Thanks for the starting point, Dan.

   > If you continue to have issues, posting a log sample might help.


   Thanks Dan. I narrowed it down to the fact that the IIS log settings
   were not set to log cookies. Consequently, the parser was not
   correctly identifying the status-code field. Turning on all logging
   fixed that.

   However, there's still something strange: I have an email alert rule
   set up to email me for log-level 10.

   <email_alerts>
   <email_to>my email....</email_to>
   <level>10</level>
   </email_alerts>


   <email_alerts>
   <email_to>my email...</email_to>
   <rule_id>31151</rule_id>
   </email_alerts>





   I triggered the multiple 404 error codes rule, and I see it in the alert
   log:


   ** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
   2012 Jan 06 09:15:27 (yyyy)
   XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
   Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from
   same source ip.'
   .....

   My understanding of this is that the rule is triggered, and due to
   "mail" being in the log message, it should be sending the email as
   configured. In fact, I imagine it should send two emails, 1 for
   reaching a log-level of 10, and the other for matching rule 31151

   However, when I tail /var/log/maillog, I see no evidence of mail being
   sent (and obviously I didn't receive any emails).

   Thoughts?

   Thanks again.

   Marc






   "dan (ddp)" <[email protected]> Jan 06 09:58AM -0500

   >   <email_to>my email...</email_to>
   >   <rule_id>31151</rule_id>
   >  </email_alerts>

   You should have an email setup in the <global section>, not just the
   granular email setups.

   <ossec_config>
   <global>
   <email_to>my email....</email_to>
   <level>10</level>
   <email_notification>yes</email_notification>
   <smtp_server>127.0.0.1</smtp_server>
   <email_from>[email protected]</email_from>
   <email_maxperhour>100</email_maxperhour>
   </global>

   <email_alerts>
   <email_to>my email...</email_to>
   <rule_id>31151</rule_id>
   </email_alerts>






   Marc Esher <[email protected]> Jan 06 10:19AM -0500

   >>   <email_to>my email...</email_to>
   >>   <rule_id>31151</rule_id>
   >>  </email_alerts>

   Can't imagine why I'd need that. Nonetheless, I added it as you
   suggested, and I get an error on ossec restart indicating <level> is
   invalid in the global config.

   Thoughts?






   "dan (ddp)" <[email protected]> Jan 06 10:41AM -0500

   >>>   <rule_id>31151</rule_id>
   >>>  </email_alerts>

   > Can't imagine why I'd need that. Nonetheless, I added it as you

   Having a global email section is always necessary.

   > suggested, and I get an error on ossec restart indicating <level> is
   > invalid in the global config.

   Ok, I'll fix it:
   <ossec_config>
   <global>
   <email_to>my email....</email_to>
   <email_notification>yes</email_notification>
   <smtp_server>127.0.0.1</smtp_server>
   <email_from>[email protected]</email_from>
   </global>


   <email_alerts>
   <email_to>my email...</email_to>
   <rule_id>31151</rule_id>
   </email_alerts>

   <!-- XXX This is probably already in your ossec.conf, you should modify
   it -->
   <alerts>
   <log_alert_level>1</log_alert_level>
   <email_alert_level>10</email_alert_level>
   </alerts>



   > Thoughts?

   Troubleshooting should be part of your job description.





   Marc Esher <[email protected]> Jan 06 12:11PM -0500

   >>>>  </email_alerts>

   >> Can't imagine why I'd need that. Nonetheless, I added it as you

   > Having a global email section is always necessary.

   Got it. I had that, but I only had the server and "from" configured,
   not the "to". Frankly, even with the log level set to 10, it's just
   way too noisy -- I get all manner of windows audit junk that I don't
   care about (not in real-time, anyway), and I haven't dug in to figure
   out how to filter them out yet.

   Ideally, I just want to get notifications on certain classes of rules
   -- like the web rules for example.

   Interestingly enough, in the last several hours, the "404" rule has
   quit working as it was previously. I no longer see any entries in the
   alerts log. Using logtest shows that the same entries, when pasted
   into stdin, do trigger the alert. But the log monitoring on the agent
   server isn't picking them up. Weird.





  OSSEC Agent Disconnected - definition <http://groups.google.com/group/ossec-list/t/50b9da8e0706b3c8>

   "dan (ddp)" <[email protected]> Jan 06 09:21AM -0500

   > I'm not trying to ask a dumb question for an obvious description, but
   > what does "Ossec agent disconnected" mean?

   I think (but haven't verified) that it means the manager didn't
   receive 3 consecutive keep-alives.

   > time are within a minute or so.

   > So why get alerts on these? Also, why not get alerts on ossec agent
   > reconnected?

   No idea, I thought there was an event for that.

   > received by the ossec server? I've noticed that select windows events
   > are not making it to the ossec server, but my EPS (events per second)
   > is only ~311 for Jan 2012.

   Is it always the same events? The communication is UDP, so it's
   entirely possible there are missing events.



