Hi people, my OSSEC server shows:

WUI view:
2012 Jun 19 16:27:44 Rule Id: 18149 level: 3
Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog Src IP: YNAMIC-DAYCO$
Windows User Logoff.

2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog Src IP: o user)
Windows audit failure event.

2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog Src IP: o user)
Windows audit failure event.

2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog Src IP: o user)
Windows audit failure event.

OSSEC Alert log view:

** Alert 1340139464.176284: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 53661 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36

** Alert 1340139464.176940: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port.
Application Information: Process ID: 680 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 53662 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36

** Alert 1340139464.177596: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 1296 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 56759 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36

** Alert 1340139464.178255: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
User: VDYNAMIC-DAYCO$
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: VDynamic-dayco.daycohost.local: An account was logged off. Subject: Security ID: S-1-5-18 Account Name: VDYNAMIC-DAYCO$ Account Domain: DAYCOHOST Logon ID: 0x6060269 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 4646,1

DB (MySQL) view, table Data:

'997', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port.
Application Information: Process ID: 1296 Application Name: /device/harddiskvolume1/windows/system32/svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 64330 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36', NULL
'998', '1', '(no user)', 'WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: DYC-ACCUNETIX: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058 ', NULL
'999', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: /device/harddiskvolume1/windows/system32/lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 64331 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36', NULL
'1000', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: /device/harddiskvolume1/windows/system32/lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 64332 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36', NULL

The installation of the compiled OSSEC was done following the OSSEC book's guide and the OSSEC.net documentation. The installation of the OSSEC WUI was done following the OSSEC.net documentation.
The other OSSEC servers I installed before were in a lab: one in non-compiled DB mode and another compiled with DB mode without enabling it, and everything worked fine until now. I chose DB compiled this time because it's an OSSEC server for a non-lab environment and it's going to be a core platform with around 500 clients, so the amount of logs can be high. I don't know if some additional configuration is necessary for the WUI to read the data from the DB, or if the WUI just simply reads the log.

* Any idea?
* Do I need to re-configure to a non-DB-compiled mode to work that way?

Thanks a lot!!!

Cheers...

On 19 Jun, 14:55, "dan (ddp)" <[email protected]> wrote:
> On Tue, Jun 19, 2012 at 2:48 PM, Mike Disley <[email protected]> wrote:
> > Yes, it's a full_command rule but I'm not using OSSEC with a DB.
>
> Oops, I didn't notice that you weren't the OP. So, yeah, you probably
> installed the patches incorrectly.
>
> Yet another reason I avoid the WUI: I don't know php.
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On
> > Behalf Of dan (ddp)
> > Sent: Tuesday, June 19, 2012 2:30 PM
> > To: [email protected]
> > Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
> >
> > On Tue, Jun 19, 2012 at 1:35 PM, Mike Disley <[email protected]> wrote:
> >> Greetings,
> >> I have the same prob. I applied the patches but no joy. Enclosed is an
> >> alert first from the WUI and the corresponding entry in alerts.log.
> >>
> >> OSSEC WUI Alert List:
> >>
> >> 2012 Jun 19 12:45:40 Rule Id: 140123 level: 7
> >> Location: (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\> \443\>" | findstr TCP Src IP: utput: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1X.21.1.1X4:34594 66.35.45.157:443 ESTABLISHED
> >> Outbound Internet Access Detected
> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1X.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
> >>
> >> OSSEC Server alerts.log
> >>
> >> ** Alert 1340124340.19381: mail - local
> >> 2012 Jun 19 12:45:40 (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\> \443\>" | findstr TCP
> >> Rule: 140123 (level 7) -> 'Outbound Internet Access Detected'
> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:34594 66.35.45.157:443 ESTABLISHED
> >> Previous output:
> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
> >
> > I'm guessing that this is some full_command based rule. If so, add an alias
> > to it to make it a little more manageable.
> >
> > This rule is parsed correctly on the non-db systems? If so, you've done
> > something wrong with the WUI on the db system.
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]]
> >> On Behalf Of dan (ddp)
> >> Sent: Tuesday, June 19, 2012 12:46 PM
> >> To: [email protected]
> >> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
> >>
> >> On Tue, Jun 19, 2012 at 12:34 PM, Dayco Telecom <[email protected]> wrote:
> >>> Hi Mike, I read the post and replaced the files that Holger attached,
> >>> restarted apache and OSSEC but the Web UI is still wrong. I was reading
> >>> and someone said around that the WUI doesn't interact with the DB
> >>> (MySQL in my case) to show the alerts and it just extracts the info
> >>> from the log files directly.
> >>> The thing is I see this behaviour only with this server that I compiled to DB.
> >>>
> >>> I just installed another 2 OSSEC servers and everything is fine.
> >>>
> >>> Do you know something about it, or another idea?
> >>>
> >>> Thanks a lot for all your help, it's really appreciated!!!
> >>>
> >>> Kind regards!
> >>
> >> What kind of problems does it show on the server with the db? What does
> >> the log entry look like in alerts.log?
> >>
> >>> On 19 Jun, 09:00, Mike Disley <[email protected]> wrote:
> >>>> Greetings,
> >>>> I believe this is the thread that discusses the problem.
> >>>>
> >>>> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
> >>>>
> >>>> Regards,
> >>>> Mike
> >>>>
> >>>> -----Original Message-----
> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of Dayco Telecom
> >>>> Sent: Monday, June 18, 2012 3:53 PM
> >>>> To: ossec-list
> >>>> Subject: [ossec-list] Re: Error in message formating on OSSEC Wui
> >>>>
> >>>> Hi Dan, I had been reading all the posts in the archives like you
> >>>> suggested, but I don't find the links you mentioned. The only post
> >>>> with the symptoms is the message with the ID:
> >>>> CAMyQvMqSgODHH4qOOVcdUoC0V5baO7J_GiQxrSEEJs-_KXW4hg () mail ! gmail ! com from 2012-03-01 11:09:16
> >>>> But you two are talking about a tool called "splunk" and not about the
> >>>> solution.
> >>>>
> >>>> Can you be more specific about where the links or even the solutions are?
> >>>>
> >>>> Thanks a lot...
> >>>>
> >>>> Kind regards!
> >>>>
> >>>> On 18 Jun, 13:19, "dan (ddp)" <[email protected]> wrote:
> >>>> > On Mon, Jun 18, 2012 at 1:12 PM, Dayco Telecom <[email protected]> wrote:
> >>>> > > Hi OSSEC Community, I have an issue with a new
> >>>> > > installation of OSSEC 2.6; I have just installed and
> >>>> > > configured the server. This server is RHEL 6.2 compiled to MySQL
> >>>> > > and it's in the network 192.x.x.x and the agents in the network
> >>>> > > 10.x.x.x with 2 FW between them.
> >>>> > > The problem is that the Wui
> >>>> > > shows the messages in an incorrect format, i.e.:
> >>>> > >
> >>>> > > 2012 Jun 15 16:43:38 Rule Id: 11 level: 4
> >>>> > > Location: (oraclemanager) 172.28.67.242->WinEvtLog Src IP:
> >>>> > > mdaycohost Excessive number of events (above normal).
> >>>> > >
> >>>> > > 2012 Jun 15 16:38:40 Rule Id: 5501 level: 3
> >>>> > > Location: ossec->/var/log/secure Src IP: 6:38:39 ossec su:
> >>>> > > pam_unix(su-l:session): session opened for user root by
> >>>> > > accdayco(uid=500) Login session opened.
> >>>> > > ** Alert 1339794683.22885: mail - ossec,
> >>>> > > 2012 Jun 15 16:41:23 ossec->ossec-monitord
> >>>> > > Rule: 502 (level 3) -> 'Ossec server started.'
> >>>> > > ossec: Ossec started.
> >>>> > > 2012 Jun 15 16:35:01 Rule Id: 5501 level: 3
> >>>> > > Location: ossec->/var/log/secure Src IP: 6:35:00 ossec
> >>>> > > sshd[8458]: pam_unix(sshd:session): session opened for user
> >>>> > > accdayco by (uid=0) Login session opened.
> >>>> > > ** Alert 1339794307.22371: - pam,syslog,authentication_success,
> >>>> > > 2012 Jun 15 16:35:07 ossec->/var/log/secure
> >>>> > > Rule: 5501 (level 3) -> 'Login session opened.'
> >>>> > > Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened
> >>>> > > for user root by accdayco(uid=500)
> >>>> > >
> >>>> > > Can you help me?
> >>>> > >
> >>>> > > Kind regards!
> >>>> > >
> >>>> > > Oscar D'Lima
> >>>> > > Specialist I | Continuous Service Improvement Coordination
> >>>> > > Tel: +58 212 999.90.38 | +58 414 236.78.02
> >>>> > >
> >>>> > > Torre Dayco, Calle Londres, Urb. Las Mercedes,
> >>>> > > Caracas, Venezuela. ZP 1060-A
> >>>> > > Main +58 212 999.9100
> >>>> > >
> >>>> > > daycohost.com
> >>>> >
> >>>> > It's a known issue in the WUI 0.3 release. Some people have fixed
> >>>> > it, look in the archives for links.
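As an added example (not code from this thread or from the OSSEC project), here is a small Python parser for the alerts.log record layout quoted above. It matches the three fixed header lines by pattern and reads User and Src IP only from their own lines, so a "(no user)" entry or a missing Src IP yields None rather than a fragment of the log text like the WUI output shown in the thread. The sample records are constructed from the shapes quoted above, with the log bodies shortened.

```python
import re

# Constructed sample in the shape of the alerts.log records quoted in the thread
# (a 5159 WFP audit failure with no user, then a 4634 logoff); not captured data.
SAMPLE = r"""** Alert 1340139464.176284: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 53661 Protocol: 17

** Alert 1340139464.178255: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
User: VDYNAMIC-DAYCO$
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: VDynamic-dayco.daycohost.local: An account was logged off.
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?P<mail>mail )?- (?P<groups>.*)$")
ORIGIN = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
                    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>[\d.]+)->|(?P<host>\S+?)->)?(?P<location>.*)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alert(block: str) -> dict:
    lines = block.strip().splitlines()
    # Pad so a truncated block fails the pattern match instead of raising IndexError.
    h, o, r = (p.match(s) for p, s in zip((HEADER, ORIGIN, RULE), lines + [""] * 3))
    if not (h and o and r):
        raise ValueError("not an alerts.log record: %r" % lines[:3])
    alert = {
        "id": h["id"], "mail": h["mail"] is not None,
        "groups": [g for g in h["groups"].split(",") if g],
        "timestamp": o["ts"], "agent": o["agent"] or o["host"], "agent_ip": o["agent_ip"],
        "location": o["location"], "rule": int(r["rule"]), "level": int(r["level"]),
        "description": r["desc"], "user": None, "src_ip": None,
    }
    rest = lines[3:]
    # "User:" and "Src IP:" are whole lines placed before the raw log, so their values
    # are read from those lines only and never carved out of the log text by offset.
    while rest and (rest[0].startswith("User: ") or rest[0].startswith("Src IP: ")):
        key, _, value = rest.pop(0).partition(": ")
        if key == "User":
            alert["user"] = None if value == "(no user)" else value
        else:
            alert["src_ip"] = value
    alert["log"] = "\n".join(rest)
    return alert

def parse_alerts_log(text: str) -> list:
    # Records begin with "** Alert"; split on that marker, not on blank lines.
    return [parse_alert(b) for b in re.split(r"(?m)^(?=\*\* Alert )", text) if b.strip()]
```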
