On Tue, Jun 19, 2012 at 5:31 PM, Dayco Telecom <[email protected]> wrote:
> Hi people, here is what my OSSEC server shows.
>
> WUI view:
>
> 2012 Jun 19 16:27:44 Rule Id: 18149 level: 3
> Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Src IP: YNAMIC-DAYCO$
> Windows User Logoff.
>

You're still using a broken WUI. Update it and try again.

>
> 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Src IP: o user)
> Windows audit failure event.
>
> 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Src IP: o user)
> Windows audit failure event.
>
> 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
> Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Src IP: o user)
> Windows audit failure event.
>
> OSSEC alert log view:
>
> ** Alert 1340139464.176284: - windows,
> 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> User: (no user)
> WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 53661 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36
>
> ** Alert 1340139464.176940: - windows,
> 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> User: (no user)
> WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 53662 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36
>
> ** Alert 1340139464.177596: - windows,
> 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> User: (no user)
> WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 1296 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 56759 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36
>
> ** Alert 1340139464.178255: - windows,
> 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
> Rule: 18149 (level 3) -> 'Windows User Logoff.'
> User: VDYNAMIC-DAYCO$
> WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: VDynamic-dayco.daycohost.local: An account was logged off. Subject: Security ID: S-1-5-18 Account Name: VDYNAMIC-DAYCO$ Account Domain: DAYCOHOST Logon ID: 0x6060269 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
>
> DB (MySQL) view, table Data:
>
> '997', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 1296 Application Name: /device/harddiskvolume1/windows/system32/svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 64330 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36', NULL
> '998', '1', '(no user)', 'WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: DYC-ACCUNETIX: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058 ', NULL
> '999', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: /device/harddiskvolume1/windows/system32/lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 64331 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36', NULL
> '1000', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: /device/harddiskvolume1/windows/system32/lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 64332 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36', NULL
>
> The compiled OSSEC was installed following the OSSEC book's guide and the OSSEC.net documentation.
> The OSSEC WUI was installed following the OSSEC.net documentation.
>
> The other OSSEC servers I installed before were in a lab, one in non-compiled DB mode and another in compiled DB mode without enabling it, and everything has worked fine until now.
>
> I chose DB compiled this time 'cause it's an OSSEC server for a non-lab environment and it's going to be a core platform with around 500 clients, so the amount of logs can be high.
>
> I don't know if some additional configuration is necessary for the WUI to read the data from the DB, or if the WUI just simply reads the log.

WUI does not look at the db, just the logs.

> * Any idea?
> * Do I need to re-configure to a non-DB compiled mode for it to work that way?

It should work fine with or without the db.

> Thanks a lot!!!
>
> Cheers...
>
> On 19 Jun, 14:55, "dan (ddp)" <[email protected]> wrote:
>> On Tue, Jun 19, 2012 at 2:48 PM, Mike Disley <[email protected]> wrote:
>> > Yes, it's a full_command rule but I'm not using OSSEC with a DB.
>>
>> Oops, I didn't notice that you weren't the OP. So, yeah, you probably
>> installed the patches incorrectly.
>>
>> Yet another reason I avoid the WUI: I don't know php.
>>
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> > Sent: Tuesday, June 19, 2012 2:30 PM
>> > To: [email protected]
>> > Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>> >
>> > On Tue, Jun 19, 2012 at 1:35 PM, Mike Disley <[email protected]> wrote:
>> >> Greetings,
>> >> I have the same prob. I applied the patches but no joy. Enclosed is an
>> >> alert, first from the WUI and then the corresponding entry in alerts.log.
>> >>
>> >> OSSEC WUI Alert List:
>> >>
>> >> 2012 Jun 19 12:45:40 Rule Id: 140123 level: 7
>> >> Location: (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\> \443\>" | findstr TCP
>> >> Src IP: utput: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1X.21.1.1X4:34594 66.35.45.157:443 ESTABLISHED
>> >> Outbound Internet Access Detected
>> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1X.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
>> >>
>> >> OSSEC Server alerts.log
>> >>
>> >> ** Alert 1340124340.19381: mail - local
>> >> 2012 Jun 19 12:45:40 (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\> \443\>" | findstr TCP
>> >> Rule: 140123 (level 7) -> 'Outbound Internet Access Detected'
>> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:34594 66.35.45.157:443 ESTABLISHED
>> >> Previous output:
>> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
>> >
>> > I'm guessing that this is some full_command based rule. If so, add an
>> > alias to it to make it a little more manageable.
>> >
>> > This rule is parsed correctly on the non-db systems? If so, you've done
>> > something wrong with the WUI on the db system.
>> >
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >> Sent: Tuesday, June 19, 2012 12:46 PM
>> >> To: [email protected]
>> >> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>> >>
>> >> On Tue, Jun 19, 2012 at 12:34 PM, Dayco Telecom <[email protected]> wrote:
>> >>> Hi Mike, I read the post and replaced the files that Holger attached,
>> >>> restarted apache and OSSEC, but the Web UI is still wrong. I was reading
>> >>> and someone said that the WUI doesn't interact with the DB (MySQL in my
>> >>> case) to show the alerts; it just extracts the info from the log files
>> >>> directly. The thing is I see this behaviour only with this server that
>> >>> I compiled for the DB.
>> >>>
>> >>> I just installed another 2 OSSEC servers and everything is fine.
>> >>>
>> >>> Do you know something about it, or have another idea?
>> >>>
>> >>> Thanks a lot for all your help, it's really appreciated!!!
>> >>>
>> >>> Kind regards!
>> >>
>> >> What kind of problems does it show on the server with the db? What does
>> >> the log entry look like in alerts.log?
>> >>
>> >>> On 19 Jun, 09:00, Mike Disley <[email protected]> wrote:
>> >>>> Greetings,
>> >>>> I believe this is the thread that discusses the problem.
>> >>>>
>> >>>> https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/...
>> >>>>
>> >>>> Regards,
>> >>>> Mike
>> >>>>
>> >>>> -----Original Message-----
>> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of Dayco Telecom
>> >>>> Sent: Monday, June 18, 2012 3:53 PM
>> >>>> To: ossec-list
>> >>>> Subject: [ossec-list] Re: Error in message formating on OSSEC Wui
>> >>>>
>> >>>> Hi Dan, I have been reading all the posts in the archives like you
>> >>>> suggested, but I don't find the links you mentioned. The only post
>> >>>> with the symptoms is the message with the ID:
>> >>>> CAMyQvMqSgODHH4qOOVcdUoC0V5baO7J_GiQxrSEEJs-_KXW4hg () mail ! gmail ! com
>> >>>> from 2012-03-01 11:09:16
>> >>>> But you two are talking about a tool called "splunk" and not about the
>> >>>> solution.
>> >>>>
>> >>>> Can you be more specific about where the links, or even the solutions, are?
>> >>>>
>> >>>> Thanks a lot...
>> >>>>
>> >>>> Kind regards!
>> >>>>
>> >>>> On 18 Jun, 13:19, "dan (ddp)" <[email protected]> wrote:
>> >>>> > On Mon, Jun 18, 2012 at 1:12 PM, Dayco Telecom <[email protected]> wrote:
>> >>>> > > Hi OSSEC Community, I have an issue with a new installation of
>> >>>> > > OSSEC 2.6; I have just installed and configured the server. This
>> >>>> > > server is RHEL 6.2 compiled for MySQL and it's in the network
>> >>>> > > 192.x.x.x, and the agents are in the network 10.x.x.x with 2 FW
>> >>>> > > between them. The problem is that the WUI shows the messages in an
>> >>>> > > incorrect format, i.e.:
>> >>>> > >
>> >>>> > > 2012 Jun 15 16:43:38 Rule Id: 11 level: 4
>> >>>> > > Location: (oraclemanager) 172.28.67.242->WinEvtLog
>> >>>> > > Src IP: mdaycohost
>> >>>> > > Excessive number of events (above normal).
>> >>>> > >
>> >>>> > > 2012 Jun 15 16:38:40 Rule Id: 5501 level: 3
>> >>>> > > Location: ossec->/var/log/secure
>> >>>> > > Src IP: 6:38:39 ossec su: pam_unix(su-l:session): session opened for user root by accdayco(uid=500)
>> >>>> > > Login session opened.
>> >>>> > > ** Alert 1339794683.22885: mail - ossec,
>> >>>> > > 2012 Jun 15 16:41:23 ossec->ossec-monitord
>> >>>> > > Rule: 502 (level 3) -> 'Ossec server started.'
>> >>>> > > ossec: Ossec started.
>> >>>> > > 2012 Jun 15 16:35:01 Rule Id: 5501 level: 3
>> >>>> > > Location: ossec->/var/log/secure
>> >>>> > > Src IP: 6:35:00 ossec sshd[8458]: pam_unix(sshd:session): session opened for user accdayco by (uid=0)
>> >>>> > > Login session opened.
>> >>>> > > ** Alert 1339794307.22371: - pam,syslog,authentication_success,
>> >>>> > > 2012 Jun 15 16:35:07 ossec->/var/log/secure
>> >>>> > > Rule: 5501 (level 3) -> 'Login session opened.'
>> >>>> > > Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened for user root by accdayco(uid=500)
>> >>>> > >
>> >>>> > > Can you help me?
>> >>>> > >
>> >>>> > > Kind regards!
>> >>>> > >
>> >>>> > > Oscar D'Lima
>> >>>> > > Specialist I | Continuous Service Improvement Coordination
>> >>>> > > Tel: +58 212 999.90.38 | +58 414 236.78.02
>> >>>> > >
>> >>>> > > Torre Dayco, Calle Londres, Urb. Las Mercedes,
>> >>>> > > Caracas, Venezuela. ZP 1060-A
>> >>>> > > Main +58 212 999.9100
>> >>>> > >
>> >>>> > > daycohost.com
>> >>>> >
>> >>>> > It's a known issue in the WUI 0.3 release. Some people have fixed
>> >>>> > it, look in the archives for links.
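The WUI and alerts.log excerpts quoted through this thread show the same pattern every time: "Src IP: o user)" where alerts.log has "User: (no user)", "Src IP: YNAMIC-DAYCO$" where it has "User: VDYNAMIC-DAYCO$", "Src IP: 6:38:39 ossec su:" where the fourth line is raw syslog text, and "Src IP: utput: 'netstat" for the full_command alert. Every truncated value is the fourth line of the record minus its first eight characters, which is exactly the length of the prefix "Src IP: ". That is an inference from the output on this page, not a reading of the ossec-wui source. The example below is added here and is not OSSEC or ossec-wui code: it parses alerts.log records by line prefix, so that the optional "Src IP:" and "User:" lines land in the right field whether or not they are present, and it keeps a small `fixed_offset_src_ip` function that reproduces the broken values for comparison. The `SAMPLE` records are constructed from the excerpts in this thread, with the WinEvtLog text re-joined onto one line as alerts.log stores it; all function names are this example's own.

```python
"""Prefix-keyed parser for OSSEC alerts.log records (added example, not
OSSEC or ossec-wui code). Record layout taken from the excerpts in the
thread: header, timestamp/location, rule, optional Src IP / User, log."""
import re
from typing import Dict, List

# "** Alert 1340139464.176284: - windows,"   or   "** Alert 1340124340.19381: mail - local"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): ?(?P<flags>.*?) - (?P<groups>.*)$")
# "2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog"   or   "2012 Jun 15 16:35:07 ossec->/var/log/secure"
WHEN_RE = re.compile(r"^(?P<when>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<source>.+?)->(?P<location>.*)$")
# "Rule: 18105 (level 4) -> 'Windows audit failure event.'"
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed sample: four records adapted from the alerts.log excerpts in the thread.
SAMPLE = r"""
** Alert 1340139464.176284: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 680 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: 0.0.0.0 Source Port: 53661 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36

** Alert 1340139464.178255: - windows,
2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
User: VDYNAMIC-DAYCO$
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: VDynamic-dayco.daycohost.local: An account was logged off. Subject: Security ID: S-1-5-18 Account Name: VDYNAMIC-DAYCO$ Account Domain: DAYCOHOST Logon ID: 0x6060269 Logon Type: 3

** Alert 1339794307.22371: - pam,syslog,authentication_success,
2012 Jun 15 16:35:07 ossec->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened for user root by accdayco(uid=500)

** Alert 1340124340.19381: mail - local
2012 Jun 19 12:45:40 (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\> \443\>" | findstr TCP
Rule: 140123 (level 7) -> 'Outbound Internet Access Detected'
ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP': TCP 1x.21.1.1x4:34594 66.35.45.157:443 ESTABLISHED
"""


def split_records(text: str) -> List[List[str]]:
    """Group non-blank lines into records; each record starts at a '** Alert' header."""
    records: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("** Alert "):
            records.append([line])
        elif line and records:
            records[-1].append(line)
    return records


def parse_record(lines: List[str]) -> Dict:
    """Parse one record. 'Src IP:' and 'User:' are optional and are recognised
    by their prefix, so a missing line shifts nothing into the wrong field."""
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError("not an alert header: %r" % lines[0])
    rec: Dict = {
        "id": "%s.%s" % (header["ts"], header["seq"]),
        "flags": header["flags"],                                   # e.g. "mail", or ""
        "groups": [g for g in header["groups"].split(",") if g],    # trailing comma dropped
        "when": None, "source": None, "location": None,
        "rule": None, "level": None, "description": None,
        "src_ip": None, "user": None, "log": [],
    }
    for line in lines[1:]:
        if rec["when"] is None:
            m = WHEN_RE.match(line)
            if m:
                rec["when"], rec["source"], rec["location"] = m["when"], m["source"], m["location"]
                continue
        if rec["rule"] is None:
            m = RULE_RE.match(line)
            if m:
                rec["rule"], rec["level"], rec["description"] = int(m["id"]), int(m["level"]), m["desc"]
                continue
        # Metadata lines only precede the raw event text; once the log text has
        # started, a line beginning "User: " belongs to the event, not to OSSEC.
        if not rec["log"] and line.startswith("Src IP: "):
            rec["src_ip"] = line[len("Src IP: "):]
        elif not rec["log"] and line.startswith("User: "):
            rec["user"] = line[len("User: "):]
        else:
            rec["log"].append(line)
    return rec


def parse_alerts(text: str) -> List[Dict]:
    return [parse_record(r) for r in split_records(text)]


def fixed_offset_src_ip(lines: List[str]) -> str:
    """The mistake consistent with the WUI output in this thread (an inference
    from that output, not the ossec-wui source): treat line 4 of every record
    as 'Src IP: ...' and drop its first eight characters, so 'User: (no user)'
    turns into 'o user)' and 'User: VDYNAMIC-DAYCO$' into 'YNAMIC-DAYCO$'."""
    return lines[3][len("Src IP: "):]


if __name__ == "__main__":
    for rec, raw in zip(parse_alerts(SAMPLE), split_records(SAMPLE)):
        print("rule %-6s level %s user=%-16s src_ip=%-5s | fixed-offset 'Src IP' would be %r"
              % (rec["rule"], rec["level"], rec["user"], rec["src_ip"], fixed_offset_src_ip(raw)[:20]))
```

Keying on the prefix rather than on position is the whole fix: a record with neither line, such as the full_command or su alerts above, yields `src_ip=None` and `user=None` and keeps its first log line intact, which is also what a WUI reading alerts.log (and not the MySQL table, as dan notes) needs to do.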
