On Thu, Jun 21, 2012 at 11:58 AM, Dayco Telecom <[email protected]> wrote:
> Hi Dan, I did install the WUI again this morning and the WUI is still
> wrong, the WUI is v0.3
>
> What can I do?
>
>

Are you using the patched files? The ones that are supposed to work
with the new logging format? 0.3 is broken, it's dead. You have to use
the patched version.

> cheers...
>
>
>
> On 20 jun, 08:48, "dan (ddp)" <[email protected]> wrote:
>> On Tue, Jun 19, 2012 at 5:31 PM, Dayco Telecom <[email protected]> wrote:
>> > Hi people, my OSSEC server shows:
>>
>> > WUI view:
>>
>> > 2012 Jun 19 16:27:44 Rule Id: 18149 level: 3
>> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Src IP: YNAMIC-DAYCO$
>> > Windows User Logoff.
>>
>> You're still using a broken WUI. Update it and try again.
>>
>> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
>> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Src IP: o user)
>> > Windows audit failure event.
>>
>> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
>> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Src IP: o user)
>> > Windows audit failure event.
>>
>> > 2012 Jun 19 16:27:44 Rule Id: 18105 level: 4
>> > Location: (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Src IP: o user)
>> > Windows audit failure event.
>>
>> > OSSEC Alert log view:
>>
>> > ** Alert 1340139464.176284: - windows,
>> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
>> > User: (no user)
>> > WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-
>> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The
>> > Windows Filtering Platform has blocked a bind to a local port.
>> > Application Information:  Process ID:  680  Application Name: \device
>> > \harddiskvolume1\windows\system32\lsass.exe  Network Information:
>> > Source Address:  0.0.0.0  Source Port:  53661  Protocol:  17  Filter
>> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  Layer Run-
>> > Time ID: 36
>>
>> > ** Alert 1340139464.176940: - windows,
>> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Rule: 18105 (level 4) -> 'Windows audit failure event.'
>> > User: (no user)
>> > WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-
>> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The
>> > Windows Filtering Platform has blocked a bind to a local port.
>> > Application Information:  Process ID:  680  Application Name: \device
>> > \harddiskvolume1\windows\system32\lsass.exe  Network Information:
>> > Source Address:  0.0.0.0  Source Port:  53662  Protocol:  17  Filter
>> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  Layer Run-
>> > Time ID: 36
>>
>> > ** Alert 1340139464.177596: - windows,
>> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Rule: 18105 (level 4) -> 'Windows audit failure event.'User: (no user)
>> > WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-
>> > Auditing: (no user): no domain: VDynamic-dayco.daycohost.local: The
>> > Windows Filtering Platform has blocked a bind to a local port.
>> > Application Information:  Process ID:  1296  Application Name: \device
>> > \harddiskvolume1\windows\system32\svchost.exe  Network Information:
>> > Source Address:  0.0.0.0  Source Port:  56759  Protocol:  17  Filter
>> > Information:  Filter Run-Time ID: 0  Layer Name:  %%14608  Layer Run-
>> > Time ID: 36
>>
>> > ** Alert 1340139464.178255: - windows,
>> > 2012 Jun 19 16:27:44 (VDynamic-dayco) 10.0.1.3->WinEvtLog
>> > Rule: 18149 (level 3) -> 'Windows User Logoff.'User: VDYNAMIC-DAYCO$
>> > WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-
>> > Auditing: VDYNAMIC-DAYCO$: DAYCOHOST: VDynamic-dayco.daycohost.local:
>> > An account was logged off. Subject:  Security ID:  S-1-5-18  Account
>> > Name:  VDYNAMIC-DAYCO$  Account Domain:  DAYCOHOST  Logon ID:
>> > 0x6060269  Logon Type:   3  This event is generated when a logon
>> > session is destroyed. It may be positively correlated with a logon
>> > event using the Logon ID value. Logon IDs are only unique between
>> > reboots on the same computer."  4646,1
>>
>> > DB (MySQL) view, table Data:
>>
>> > '997', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-
>> > dayco.daycohost.local: The Windows Filtering Platform has blocked a
>> > bind to a local port. Application Information:  Process ID:  1296
>> > Application Name: /device/harddiskvolume1/windows/system32/
>> > svchost.exe  Network Information:  Source Address:  0.0.0.0  Source
>> > Port:  64330  Protocol:  17  Filter Information:  Filter Run-Time ID:
>> > 0  Layer Name:  %%14608  Layer Run-Time ID: 36', NULL
>> > '998', '1', '(no user)', 'WinEvtLog: System: ERROR(7001): Service
>> > Control Manager: (no user): no domain: DYC-ACCUNETIX: The WinHTTP Web
>> > Proxy Auto-Discovery Service service depends on the DHCP Client
>> > service which failed to start because of the following error:   %
>> > %1058  ', NULL
>> > '999', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-
>> > dayco.daycohost.local: The Windows Filtering Platform has blocked a
>> > bind to a local port. Application Information:  Process ID:  680
>> > Application Name: /device/harddiskvolume1/windows/system32/lsass.exe
>> > Network Information:  Source Address:  0.0.0.0  Source Port:  64331
>> > Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer
>> > Name:  %%14608  Layer Run-Time ID: 36', NULL
>> > '1000', '1', '(no user)', 'WinEvtLog: Security: AUDIT_FAILURE(5159):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain: VDynamic-
>> > dayco.daycohost.local: The Windows Filtering Platform has blocked a
>> > bind to a local port. Application Information:  Process ID:  680
>> > Application Name: /device/harddiskvolume1/windows/system32/lsass.exe
>> > Network Information:  Source Address:  0.0.0.0  Source Port:  64332
>> > Protocol:  17  Filter Information:  Filter Run-Time ID: 0  Layer
>> > Name:  %%14608  Layer Run-Time ID: 36', NULL
>>
>> > The installation of the compiled OSSEC was done using the OSSEC
>> > book's guide and the OSSEC.net documentation.
>> > The installation of the OSSEC WUI was done using the OSSEC.net
>> > documentation.
>>
>> > The other OSSEC servers I installed before were in a lab, one with
>> > non-compiled DB mode and another with compiled DB mode without enabling
>> > it, and all worked fine until then.
>>
>> > I chose DB compiled this time because it's an OSSEC server for a
>> > non-lab environment and it's going to be a core platform with around
>> > 500 clients, so the amount of logs can be high.
>>
>> > I don't know if some additional configuration is necessary for the WUI
>> > to read the data from the DB or if the WUI simply reads the log.
>>
>> WUI does not look at the db, just the logs.
>>
>>
>>
>> > * Any idea?
>> > * Do I need to re-configure to a non-DB compiled mode to make it work?
>>
>> It should work fine with or without the db.
>>
>> > Thanks a lot!!!
>>
>> > Cheers...
>>
>> > On 19 jun, 14:55, "dan (ddp)" <[email protected]> wrote:
>> >> On Tue, Jun 19, 2012 at 2:48 PM, Mike Disley
>>
>> >> <[email protected]> wrote:
>> >> > Yes, it's a full_command rule but I'm not using OSSEC with a DB.
>>
>> >> Oops, I didn't notice that you weren't the OP. So, yeah, you probably
>> >> installed the patches incorrectly.
>>
>> >> Yet another reason I avoid the WUI: I don't know php.
>>
>> >> > -----Original Message-----
>> >> > From: [email protected] [mailto:[email protected]] 
>> >> > On Behalf Of dan (ddp)
>> >> > Sent: Tuesday, June 19, 2012 2:30 PM
>> >> > To: [email protected]
>> >> > Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>>
>> >> > On Tue, Jun 19, 2012 at 1:35 PM, Mike Disley 
>> >> > <[email protected]> wrote:
>> >> >> Greetings,
>> >> >> I have the same prob.  I applied the patches but no joy.  Enclosed is 
>> >> >> an alert first from the WUI and the corresponding entry in alerts.log.
>>
>> >> >> OSSEC WUI Alert List:
>>
>> >> >> 2012 Jun 19 12:45:40 Rule Id: 140123 level: 7
>> >> >> Location: (someonesPC) 1x.21.1.1x4->netstat -an | findstr "\80\>
>> >> >> \443\>" | findstr TCP Src IP: utput: 'netstat -an | findstr "\80\>
>> >> >> \443\>" | findstr TCP': TCP 1X.21.1.1X4:34594 66.35.45.157:443
>> >> >> ESTABLISHED Outbound Internet Access Detected
>> >> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP':
>> >> >> TCP 1X.21.1.1x4:22697 23.9.96.60:443 CLOSE_WAIT
>>
>> >> >> OSSEC Server alerts.log
>>
>> >> >> ** Alert 1340124340.19381: mail  - local
>> >> >> 2012 Jun 19 12:45:40 (someonesPC) 1x.21.1.1x4->netstat -an | findstr
>> >> >> "\80\> \443\>" | findstr TCP
>> >> >> Rule: 140123 (level 7) -> 'Outbound Internet Access Detected'
>> >> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP':
>> >> >> TCP    1x.21.1.1x4:34594      66.35.45.157:443       ESTABLISHED 
>> >> >> Previous output:
>> >> >> ossec: output: 'netstat -an | findstr "\80\> \443\>" | findstr TCP':
>> >> >> TCP    1x.21.1.1x4:22697      23.9.96.60:443         CLOSE_WAIT
>>
>> >> > I'm guessing that this is some full_command based rule. If so, add an 
>> >> > alias to it to make it a little more manageable.
>>
>> >> > This rule is parsed correctly on the non-db systems? If so, you've done 
>> >> > something wrong with the WUI on the db system.
>>
>> >> >> -----Original Message-----
>> >> >> From: [email protected] [mailto:[email protected]]
>> >> >> On Behalf Of dan (ddp)
>> >> >> Sent: Tuesday, June 19, 2012 12:46 PM
>> >> >> To: [email protected]
>> >> >> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>>
>> >> >> On Tue, Jun 19, 2012 at 12:34 PM, Dayco Telecom <[email protected]> 
>> >> >> wrote:
>> >> >>> Hi Mike, I read the post and replaced the files that Holger attached,
>> >> >>> restarted apache and OSSEC, but the Web UI is still wrong. I was reading
>> >> >>> and someone said that the WUI doesn't interact with the DB
>> >> >>> (MySQL in my case) to show the alerts and it just extracts the info
>> >> >>> from the log files directly. The thing is I see this behaviour only
>> >> >>> with this server that I compiled for DB.
>>
>> >> >>> I just installed another 2 OSSEC servers and everything is fine.
>>
>> >> >>> Do you know something about it or have another idea?
>>
>> >> >>> Thanks a lot for all your help, it's...
>>