On Mon, May 28, 2012 at 10:27 AM, hoa nguyen <[email protected]> wrote:
> hi Dan,
>
> I've done logall -> yes and logtest a log from archives.log.
> Here is the result. I think that the decoding is not correct. I'm using
> the default decoder and the default ssh rules of OSSEC.
>
> 2012 May 28 21:18:40 (xp) 192.168.1.1->WinEvtLog WinEvtLog:
You didn't strip the header.
> Application: INFORMATION(0): sshd: SYSTEM: NT AUTHORITY: CUBEAN:
> sshd : PID 888 : Failed password for illegal user phuonghien from
> 192.168.1.25 port 35681 ssh2
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2012 May 28 21:18:40 (xp) 192.168.1.1->WinEvtLog
> WinEvtLog: Application: INFORMATION(0): sshd: SYSTEM: NT AUTHORITY:
> CUBEAN: sshd : PID 888 : Failed password for illegal user phuonghien
> from 192.168.1.25 port 35681 ssh2'
> hostname: 'phuonghien-laptop'
> program_name: '(null)'
> log: '2012 May 28 21:18:40 (xp) 192.168.1.1->WinEvtLog
> WinEvtLog: Application: INFORMATION(0): sshd: SYSTEM: NT AUTHORITY:
> CUBEAN: sshd : PID 888 : Failed password for illegal user phuonghien
> from 192.168.1.25 port 35681 ssh2'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
After stripping the header it looks like this:
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Application: INFORMATION(0): sshd:
SYSTEM: NT AUTHORITY: CUBEAN: sshd : PID 888 : Failed password for
illegal user phuonghien from 192.168.1.25 port 35681 ssh2'
hostname: 'ix'
program_name: '(null)'
log: 'WinEvtLog: Application: INFORMATION(0): sshd: SYSTEM: NT
AUTHORITY: CUBEAN: sshd : PID 888 : Failed password for illegal user
phuonghien from 192.168.1.25 port 35681 ssh2'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'INFORMATION'
id: '0'
extra_data: 'sshd'
dstuser: 'SYSTEM'
system_name: 'CUBEAN'
**Phase 3: Completed filtering (rules).
Rule id: '18101'
Level: '0'
Description: 'Windows informational event.'
So basically, the log looks nothing like the typical sshd logs. I'm
not sure I can come up with a way to adjust the sshd decoder to handle
real sshd logs and these logs. You may have to write a decoder for
Winsshd (or whatever you want to call it), along with rules for it.
>
>
> On May 28, 7:14 pm, "dan (ddp)" <[email protected]> wrote:
>> On Sun, May 27, 2012 at 1:04 PM, hoa nguyen <[email protected]> wrote:
>> > Hi Dan,
>>
>> > Thanks you very much for your response.
>> > My problem is OK. I found this error that the device tap0 (virtual
>> > bridge). tap0 receive data from XP (not device eth0).
>>
>> > But, I have other problem: I'm trying test a rule using SSHD.
>> > scenario: ossecserver: ubuntu and ossecagent: XP (virtual machine)
>> > - I'm trying to connect remotely (from ubuntu) to XP using ssh. On XP, I
>> > see the sshd event in Event viewer.
>>
>> Are you monitoring that stream (or whatever event viewer calls it?)?
>> Turn on the log all option on the OSSEC server, restart the OSSEC
>> processes and try again. Do you see the log in
>> /var/ossec/logs/archives/archives.log? If not, then the log isn't
>> making it to the OSSEC server to be processed. If it is, reply with a
>> copy of the log. We'll use ossec-logtest to see how it is decoded and
>> to correct any issues.
>>
>> > - But I can't see this event (or ALERT) on ossecserver.
>>
>> What alert are you expecting?
>>
>>
>>
>> > Please help me a solution
>>
>> > Thanks again
>>
>> > On May 23, 9:23 pm, "dan (ddp)" <[email protected]> wrote:
>> >> What version of OSSEC (on server and agent)?
>>
>> >> Has the agent ever successfully communicated with the server?
>>
>> >> Run tcpdump on the server. Can you see the udp packets arriving on
>> >> port 1514? Do you see response packets back to the agent? Are the
>> >> packets from the agent coming in from the correct IP (the correct IP
>> >> is the IP you entered into manage_agents on the server when adding the
>> >> agent)?
>>
>> >> Recopy the key from the server to the agent and restart the agent's
>> >> ossec service.
>>
>> >> Anything in the server or agent's ossec.log? Try running the ossec
>> >> processes in debug mode. Does anything show up in the logs now?
>>
>> >> On Wed, May 23, 2012 at 5:26 AM, hoa nguyen <[email protected]> wrote:
>> >> > I'd tried.
>> >> > But this problem isn't OK yet.
>>
>> >> > Ubuntu and XP virtual machine, two node communicate via NIC eth0
>> >> > Please help me a solution
>> >> > Thanks
>>
>> >> > Hoa
>>
>> >> > On May 23, 3:16 pm, mikes <[email protected]> wrote:
>> >> >> Try it:
>>
>> >> >> /etc/init.d/ossec stop
>> >> >> rm /var/ossec/queue/rids/*
>> >> >> /etc/init.d/ossec start
>>
>> >> >> And check the key for the agent. Try removing the agent from the server and generating a new key,
>> >> >> remembering to delete rids/* afterwards.
>>
>> >> >> On Wednesday, 11 April 2012 09:59:41 UTC+2, user
>> >> >> [email protected]
>> >> >> wrote:
>>
>> >> >> > Hi,
>> >> >> > I have an ossec server on ubuntu, and an agent on windows xp. windows xp
>> >> >> > is a virtual machine.
>> >> >> > At the beginning, everything is OK. But when I change the virtual machine to an
>> >> >> > older snapshot (its agent worked fine when I took this snapshot), the
>> >> >> > agent can not connect to the server any more. Its log is as follows:
>>
>> >> >> > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
>> >> >> > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for
>> >> >> > permission...
>> >> >> > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply
>> >> >> > (not started). Tried: '202.197.1.100'.
>> >> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server
>> >> >> > (202.197.1.100:1514).
>> >> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100
>> >> >> > .
>> >> >> > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply
>> >> >> > (not started). Tried: '202.197.1.100'.
>>
>> >> >> > What's the problem with it?
>> >> >> > Gratitude!
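As an added example (not from anyone in this thread), here is the kind of custom decoder and local rules Dan suggests for the Windows sshd event quoted above. It chains a child decoder onto the stock "windows" decoder that already matched, and keys two local rules to it. The decoder name, the rule ids, and the assumption that a child prematch without "^" can anchor on the sshd text anywhere in the line are mine; confirm them with ossec-logtest against the stripped log before relying on the alerts.

```xml
<!-- Added example, not part of the thread. Put the decoder in your local
     decoder file and the rules in local_rules.xml (paths depend on your
     OSSEC version). -->

<!-- Assumption: a child of the stock "windows" decoder sees the same log
     line, so a prematch without ^ can find the sshd text inside it. -->
<decoder name="windows-sshd">
  <parent>windows</parent>
  <prematch>sshd : PID \d+ : Failed password for </prematch>
  <!-- From the sample line this captures user "phuonghien",
       srcip 192.168.1.25 and srcport 35681 -->
  <regex offset="after_prematch">^illegal user (\S+) from (\S+) port (\d+)</regex>
  <order>user, srcip, srcport</order>
</decoder>

<!-- Local rule ids 100000-119999 are reserved for user rules. -->
<group name="local,windows,sshd,">
  <!-- Single failure: low level, but it feeds the correlation rule below -->
  <rule id="100100" level="5">
    <decoded_as>windows-sshd</decoded_as>
    <description>Windows sshd: failed password for an unknown user.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Six failures from one source IP within two minutes -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Windows sshd: repeated failed logins from the same source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Run the stripped "WinEvtLog: ..." line through ossec-logtest again after adding these: Phase 2 should report decoder 'windows-sshd' with user and srcip populated, and Phase 3 should fire rule 100100 instead of the level 0 rule 18101.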