On Thu, Jun 14, 2012 at 12:15 PM, Wilson Ricardo <[email protected]> wrote:
> I changed the IP number and contact to avoid exposing these things....
> this list is indexed on Google.
>

I understand that, but this:

>>>>> <email_notification>yes</email_notification>
>>>>> <email_to>wmail@email</email_to>
>>>>> <smtp_server>smtp.int</smtp_server>
>>>>> <email_from>logserver@IPDOSERVIDOR</email_from>

and this:

>>>>> <rules>
>>>>> <include>rules_config.xml</include>
>>>>> <include>pam_rules.xml</include>
>>>>> <include>sshd_rules.xml</include>
>>>>> <include>telnetd_rules.xml</include>
>>>>> <include>syslog_rules.xml</include>
>>>>> <include>arpwatch_rules.xml</include>
>>>>> <include>symantec-av_rules.xml</include>
>>>>> <include>symantec-ws_rules.xml</include>
>>>>> <include>pix_rules.xml</include>
>>>>> <include>named_rules.xml</include>
>>>>> <include>smbd_rules.xml</include>
>>>>> <include>vsftpd_rules.xml</include>
>>>>> <include>pure-ftpd_rules.xml</include>
>>>>> <include>proftpd_rules.xml</include>
>>>>> <include>ms_ftpd_rules.xml</include>
>>>>> <include>ftpd_rules.xml</include>
>>>>> <include>hordeimp_rules.xml</include>
>>>>> <include>roundcube_rules.xml</include>
>>>>> <include>wordpress_rules.xml</include>
>>>>> <include>cimserver_rules.xml</include>
>>>>> <include>vpopmail_rules.xml</include>
>>>>> <include>vmpop3d_rules.xml</include>
>>>>> <include>courier_rules.xml</include>
>>>>> <include>web_rules.xml</include>
>>>>> <include>apache_rules.xml</include>
>>>>> <include>nginx_rules.xml</include>
>>>>> <include>php_rules.xml</include>
>>>>> <include>mysql_rules.xml</include>
>>>>> <include>postgresql_rules.xml</include>
>>>>> <include>ids_rules.xml</include>
>>>>> <include>squid_rules.xml</include>
>>>>> <include>firewall_rules.xml</include>
>>>>> <include>cisco-ios_rules.xml</include>
>>>>> <include>netscreenfw_rules.xml</include>
>>>>> <include>sonicwall_rules.xml</include>
>>>>> <include>postfix_rules.xml</include>
>>>>> <include>sendmail_rules.xml</include>
>>>>> <include>imapd_rules.xml</include>
>>>>> <include>mailscanner_rules.xml</include>
>>>>> <include>dovecot_rules.xml</include>
>>>>> <include>ms-exchange_rules.xml</include>
>>>>> <include>racoon_rules.xml</include>
>>>>> <include>vpn_concentrator_rules.xml</include>
>>>>> <include>spamd_rules.xml</include>
>>>>> <include>msauth_rules.xml</include>
>>>>> <include>mcafee_av_rules.xml</include>
>>>>> <include>trend-osce_rules.xml</include>
>>>>> <include>ms-se_rules.xml</include>
>>>>> <!-- <include>policy_rules.xml</include> -->
>>>>> <include>zeus_rules.xml</include>
>>>>> <include>solaris_bsm_rules.xml</include>
>>>>> <include>vmware_rules.xml</include>
>>>>> <include>ms_dhcp_rules.xml</include>
>>>>> <include>asterisk_rules.xml</include>
>>>>> <include>ossec_rules.xml</include>
>>>>> <include>attack_rules.xml</include>
>>>>> <include>openbsd_rules.xml</include>
>>>>> <include>clam_av_rules.xml</include>
>>>>> <include>bro-ids_rules.xml</include>
>>>>> <include>dropbear_rules.xml</include>
>>>>> <include>local_rules.xml</include>
>>>>> </rules>

and this:

>>>>> <remote>
>>>>> <connection>syslog</connection>
>>>>> </remote>
>>>>> <remote>
>>>>> <connection>secure</connection>
>>>>> </remote>
>>>>> <alerts>
>>>>> <log_alert_level>1</log_alert_level>
>>>>> <email_alert_level>7</email_alert_level>
>>>>> </alerts>

do _not_ belong in an agent's ossec.conf. They belong in the server's
ossec.conf. The ossec.conf you provided is not the ossec.conf on your
agents, or you have big big issues. Either way, good luck. Hopefully
someone else wants to try and dig this information out of you.

> "<ignore>/var/www*</ignore>" is valid?
>

Do you want to ignore the literal '/var/www*'? If so, then yes. If you
do not have a file named 'www*' (asterisk included), then it is
incorrect.

> On Thu, Jun 14, 2012 at 1:09 PM, dan (ddp) <[email protected]> wrote:
>> On Thu, Jun 14, 2012 at 12:07 PM, Wilson Ricardo <[email protected]>
>> wrote:
>>> It is config from the client.
>>>
>>
>> You are either incorrect or you have bigger problems than /var/www
>> being checked. The agents will not have the rules/email stuff defined,
>> and will have a server-ip.
>>
>> I also stick by my sregex comment.
>>
>>> On Thu, Jun 14, 2012 at 12:49 PM, dan (ddp) <[email protected]> wrote:
>>>> On Thu, Jun 14, 2012 at 11:36 AM, Wilson Ricardo <[email protected]>
>>>> wrote:
>>>>> ossec.conf:
>>>>> <ossec_config>
>>>>> <global>
>>>>> <email_notification>yes</email_notification>
>>>>> <email_to>wmail@email</email_to>
>>>>> <smtp_server>smtp.int</smtp_server>
>>>>> <email_from>logserver@IPDOSERVIDOR</email_from>
>>>>> </global>
>>>>>
>>>>
>>>> Are the agents checking /var/www or is the OSSEC server? This appears
>>>> to be the server's ossec.conf. You didn't provide the agents'
>>>> ossec.conf?
>>>>
>>>>> <rules>
>>>>> <include>rules_config.xml</include>
>>>>> <include>pam_rules.xml</include>
>>>>> <include>sshd_rules.xml</include>
>>>>> <include>telnetd_rules.xml</include>
>>>>> <include>syslog_rules.xml</include>
>>>>> <include>arpwatch_rules.xml</include>
>>>>> <include>symantec-av_rules.xml</include>
>>>>> <include>symantec-ws_rules.xml</include>
>>>>> <include>pix_rules.xml</include>
>>>>> <include>named_rules.xml</include>
>>>>> <include>smbd_rules.xml</include>
>>>>> <include>vsftpd_rules.xml</include>
>>>>> <include>pure-ftpd_rules.xml</include>
>>>>> <include>proftpd_rules.xml</include>
>>>>> <include>ms_ftpd_rules.xml</include>
>>>>> <include>ftpd_rules.xml</include>
>>>>> <include>hordeimp_rules.xml</include>
>>>>> <include>roundcube_rules.xml</include>
>>>>> <include>wordpress_rules.xml</include>
>>>>> <include>cimserver_rules.xml</include>
>>>>> <include>vpopmail_rules.xml</include>
>>>>> <include>vmpop3d_rules.xml</include>
>>>>> <include>courier_rules.xml</include>
>>>>> <include>web_rules.xml</include>
>>>>> <include>apache_rules.xml</include>
>>>>> <include>nginx_rules.xml</include>
>>>>> <include>php_rules.xml</include>
>>>>> <include>mysql_rules.xml</include>
>>>>> <include>postgresql_rules.xml</include>
>>>>> <include>ids_rules.xml</include>
>>>>> <include>squid_rules.xml</include>
>>>>> <include>firewall_rules.xml</include>
>>>>> <include>cisco-ios_rules.xml</include>
>>>>> <include>netscreenfw_rules.xml</include>
>>>>> <include>sonicwall_rules.xml</include>
>>>>> <include>postfix_rules.xml</include>
>>>>> <include>sendmail_rules.xml</include>
>>>>> <include>imapd_rules.xml</include>
>>>>> <include>mailscanner_rules.xml</include>
>>>>> <include>dovecot_rules.xml</include>
>>>>> <include>ms-exchange_rules.xml</include>
>>>>> <include>racoon_rules.xml</include>
>>>>> <include>vpn_concentrator_rules.xml</include>
>>>>> <include>spamd_rules.xml</include>
>>>>> <include>msauth_rules.xml</include>
>>>>> <include>mcafee_av_rules.xml</include>
>>>>> <include>trend-osce_rules.xml</include>
>>>>> <include>ms-se_rules.xml</include>
>>>>> <!-- <include>policy_rules.xml</include> -->
>>>>> <include>zeus_rules.xml</include>
>>>>> <include>solaris_bsm_rules.xml</include>
>>>>> <include>vmware_rules.xml</include>
>>>>> <include>ms_dhcp_rules.xml</include>
>>>>> <include>asterisk_rules.xml</include>
>>>>> <include>ossec_rules.xml</include>
>>>>> <include>attack_rules.xml</include>
>>>>> <include>openbsd_rules.xml</include>
>>>>> <include>clam_av_rules.xml</include>
>>>>> <include>bro-ids_rules.xml</include>
>>>>> <include>dropbear_rules.xml</include>
>>>>> <include>local_rules.xml</include>
>>>>> </rules>
>>>>>
>>>>>
>>>>> <syscheck>
>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours
>>>>> -->
>>>>> <frequency>79200</frequency>
>>>>>
>>>>> <!-- Directories to check (perform all possible verifications) -->
>>>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>> <directories check_all="yes">/bin,/sbin</directories>
>>>>>
>>>>> <!-- Files/directories to ignore -->
>>>>> <ignore>/etc/mtab</ignore>
>>>>> <ignore>/etc/mnttab</ignore>
>>>>> <ignore>/etc/hosts.deny</ignore>
>>>>> <ignore>/etc/mail/statistics</ignore>
>>>>> <ignore>/etc/random-seed</ignore>
>>>>> <ignore>/etc/adjtime</ignore>
>>>>> <ignore>/etc/httpd/logs</ignore>
>>>>> <ignore>/etc/utmpx</ignore>
>>>>> <ignore>/etc/wtmpx</ignore>
>>>>> <ignore>/etc/cups/certs</ignore>
>>>>> <ignore>/etc/dumpdates</ignore>
>>>>> <ignore>/etc/prelink.cache</ignore>
>>>>> <ignore>/etc/svc/volatile</ignore>
>>>>> <ignore>/usr/bin/inotifywait</ignore>
>>>>> <ignore>/usr/bin/inotifywatch</ignore>
>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>> <ignore type="sregex">/OESP/www*</ignore>
>>>>>
>>>>
>>>> Very quickly, those aren't valid sregex entries.
>>>>
>>>>> <!-- Windows files to ignore -->
>>>>> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>>>> <ignore>C:\WINDOWS/Debug</ignore>
>>>>> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>>>> <ignore>C:\WINDOWS/iis6.log</ignore>
>>>>> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>>>> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>>>> <ignore>C:\WINDOWS/Prefetch</ignore>
>>>>> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>>>> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>>>> <ignore>C:\WINDOWS/Temp</ignore>
>>>>> <ignore>C:\WINDOWS/system32/config</ignore>
>>>>> <ignore>C:\WINDOWS/system32/spool</ignore>
>>>>> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>>>> </syscheck>
>>>>>
>>>>>
>>>>> <rootcheck>
>>>>> <rootkit_files>/var/ossec//etc/shared/rootkit_files.txt</rootkit_files>
>>>>>
>>>>> <rootkit_trojans>/var/ossec//etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>>
>>>>> <system_audit>/var/ossec//etc/shared/system_audit_rcl.txt</system_audit>
>>>>>
>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>
>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>> <ignore>/usr/bin/inotifywait</ignore>
>>>>> <ignore>/usr/bin/inotifywatch</ignore>
>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>> <ignore type="sregex">/OESP/www*</ignore>
>>>>> </rootcheck>
>>>>>
>>>>> <remote>
>>>>> <connection>syslog</connection>
>>>>> </remote>
>>>>> <remote>
>>>>> <connection>secure</connection>
>>>>> </remote>
>>>>> <alerts>
>>>>> <log_alert_level>1</log_alert_level>
>>>>> <email_alert_level>7</email_alert_level>
>>>>> </alerts>
>>>>>
>>>>>
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/log/messages</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/log/secure</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/log/maillog</location>
>>>>> </localfile>
>>>>>
>>>>> </ossec_config>
>>>>>
>>>>> agent.conf:
>>>>> <agent_config os="Linux">
>>>>> <syscheck>
>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours
>>>>> -->
>>>>> <frequency>79200</frequency>
>>>>>
>>>>> <!-- Directories to check (perform all possible verifications) -->
>>>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>> <directories check_all="yes">/bin,/sbin</directories>
>>>>>
>>>>> <!-- Files/directories to ignore -->
>>>>> <ignore>/etc/mtab</ignore>
>>>>> <ignore>/etc/mnttab</ignore>
>>>>> <ignore>/etc/hosts.deny</ignore>
>>>>> <ignore>/etc/mail/statistics</ignore>
>>>>> <ignore>/etc/random-seed</ignore>
>>>>> <ignore>/etc/adjtime</ignore>
>>>>> <ignore>/etc/httpd/logs</ignore>
>>>>> <ignore>/etc/utmpx</ignore>
>>>>> <ignore>/etc/wtmpx</ignore>
>>>>> <ignore>/etc/cups/certs</ignore>
>>>>> <ignore>/etc/dumpdates</ignore>
>>>>> <ignore>/etc/svc/volatile</ignore>
>>>>> <ignore>/usr/bin/inotifywait</ignore>
>>>>> <ignore>/usr/bin/inotifywatch</ignore>
>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>> <ignore type="sregex">/OESP/www*</ignore>
>>>>>
>>>>>
>>>>> </syscheck>
>>>>>
>>>>> <!-- Files to monitor (localfiles) -->
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/log/messages</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/log/secure</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/log/maillog</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>apache</log_format>
>>>>> <location>/var/log/httpd/error_log</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>apache</log_format>
>>>>> <location>/var/log/httpd/access_log</location>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>> <log_format>syslog</log_format>
>>>>> <location>/var/ossec/logs/active-responses.log</location>
>>>>> </localfile>
>>>>>
>>>>> </agent_config>
>>>>>
>>>>> <agent_config os="Windows">
>>>>> <syscheck>
>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours
>>>>> -->
>>>>> <frequency>79200</frequency>
>>>>>
>>>>> <!-- Windows files to ignore -->
>>>>> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>>>> <ignore>C:\WINDOWS/Debug</ignore>
>>>>> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>>>> <ignore>C:\WINDOWS/iis6.log</ignore>
>>>>> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>>>> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>>>> <ignore>C:\WINDOWS/Prefetch</ignore>
>>>>> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>>>> <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>>>> <ignore>C:\WINDOWS/Temp</ignore>
>>>>> <ignore>C:\WINDOWS/system32/config</ignore>
>>>>> <ignore>C:\WINDOWS/system32/spool</ignore>
>>>>> <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>>>> </syscheck>
>>>>> </agent_config>
>>>>>
>>>>> <agent_config>
>>>>> <rootcheck>
>>>>> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>>>>
>>>>> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>>>>
>>>>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>>>>
>>>>> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>
>>>>> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>> <ignore>/usr/bin/inotifywait</ignore>
>>>>> <ignore>/usr/bin/inotifywatch</ignore>
>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>> <ignore type="sregex">/OESP/www*</ignore>
>>>>> </rootcheck>
>>>>> </agent_config>
>>>>>
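
The two points argued in the thread above, as an added example that is not part of the list discussion and not OSSEC's own code: an agent's ossec.conf should not carry server-only sections (rules, remote, alerts, the mail settings in global), and an sregex ignore entry such as `/var/www*` does not behave like a shell glob. The `sregex_match` function is a deliberately simplified model of OSSEC's simple-regex matching (an assumption, not the library's implementation) in which only `^`, `$` and `|` are operators and every other character, `*` included, is compared literally as a substring; `lint_agent_config` and the sample configuration are hypothetical and constructed for this example.

```python
"""Sanity checks drawn from the thread above, written as an added example
(not OSSEC's own code): does an agent's ossec.conf carry server-only
sections, and do any <ignore type="sregex"> entries rely on '*' as a
wildcard? The sregex matcher is a simplified model (an assumption, not the
library's implementation) in which only '^', '$' and '|' are operators and
every other character, '*' included, is matched literally as a substring."""
from typing import List
import xml.etree.ElementTree as ET

# Sections that only make sense on the OSSEC server (named in the thread).
SERVER_ONLY_SECTIONS = {"rules", "remote", "alerts"}
# <global> mail settings that likewise belong on the server.
SERVER_ONLY_GLOBAL = {"email_notification", "email_to", "smtp_server", "email_from"}


def sregex_match(pattern: str, text: str) -> bool:
    """Simplified sregex semantics: '|' separates alternatives, '^' anchors an
    alternative to the start of the text, '$' to the end, and the rest is a
    literal substring test. There is no '*' wildcard."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        body = alt[1:] if at_start else alt
        body = body[:-1] if at_end else body
        if at_start and at_end:
            hit = text == body
        elif at_start:
            hit = text.startswith(body)
        elif at_end:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def lint_agent_config(xml_text: str) -> List[str]:
    """Return human-readable findings for a config meant to run on an agent."""
    # ossec.conf may contain several top-level <ossec_config> blocks, which is
    # not a single well-formed XML document, so wrap it in a synthetic root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for cfg in root.iter("ossec_config"):
        for section in cfg:
            if section.tag in SERVER_ONLY_SECTIONS:
                findings.append(f"server-only section <{section.tag}> in agent config")
            elif section.tag == "global":
                for opt in section:
                    if opt.tag in SERVER_ONLY_GLOBAL:
                        findings.append(f"server-only mail setting <{opt.tag}> in agent config")
    for ign in root.iter("ignore"):
        value = (ign.text or "").strip()
        if ign.get("type") == "sregex" and "*" in value:
            prefix = value.rstrip("*")
            findings.append(
                f"sregex ignore {value!r} treats '*' literally; "
                f"use '^{prefix}' to ignore everything under {prefix}"
            )
    return findings


# Constructed sample, modelled on the agent config quoted in the thread.
SAMPLE_AGENT_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
  </global>
  <rules>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">/var/www*</ignore>
  </syscheck>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

if __name__ == "__main__":
    for line in lint_agent_config(SAMPLE_AGENT_CONF):
        print(line)
    for pat in ("/var/www*", "^/var/www"):
        print(pat, "matches /var/www/html/index.php:",
              sregex_match(pat, "/var/www/html/index.php"))
```

Running it on the constructed sample reports the mail setting, the rules and remote sections, and the wildcard ignore, and shows that `/var/www*` never matches a real path under `/var/www` while the anchored `^/var/www` does. The same anchored form is what you would want on the server side too, since a rule-less agent still evaluates its syscheck ignores locally.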
