20.12.2012 18:14, dan (ddp) wrote:
On Thu, Dec 20, 2012 at 9:12 AM, Уласов Алексей <a.ula...@gmail.com> wrote:
20.12.2012 17:41, dan (ddp) wrote:
On Sun, Dec 16, 2012 at 2:20 PM, orfan <a.ula...@gmail.com> wrote:
Where does ossec store rootcheck's base?
What do you mean by rootcheck's base?
Thursday, December 13, 2012, 22:18:04 UTC+4, user orfan wrote:
./rootcheck_control -i 004
Policy and auditing events for agent 'venus (004) - 10.0.0.3':
Resolved events:
2012 Dec 08 03:14:03 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor. File:
/usr/home/www/mysite/htdocs/dumper.php.
Outstanding events:
2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)
System Audit: System Audit: Web exploits (uncommon file name inside
htdocs) - Possible compromise. File: /usr/home/www/mysite/git/.ssh.
Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links .
2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor.
File:/usr/home/www/mysite/htdocs/cfg/main.php.
2012 Dec 13 05:28:16 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor. File:
/usr/home/www/mysite/htdocs/shopz.php.
2012 Dec 13 05:28:53 (first time detected: 2012 Dec 08 03:14:32)
System Audit: System Audit: Possible redirector. File:
/usr/home/www/mysite/htdocs/.htaccess.
2012 Dec 13 05:34:21 (first time detected: 2012 Dec 08 03:20:37)
System Audit: Interface 'igb1' in promiscuous mode.
Yes, dates are correct in the alert.log.
Version: ossec-hids-server-2.6_2
Make sure you have rules for these (I don't have any installations of
2.6 left, and 2.6_2 makes no sense to me).
Thursday, December 13, 2012, 18:45:38 UTC+4, user dan (ddpbsd) wrote:
On Wed, Dec 12, 2012 at 10:07 AM, orfan <a.ul...@gmail.com> wrote:
Ossec doesn't send messages about system audit events. But I can see the
events when I run 'rootcheck_control -i XXX'. And there are no records
about those events in the alert.log file. It worked before, I received the
email about system audit events from ossec. I don't know why it does not
work now.
Are these entries recent? (I don't have any entries, so I have no idea
what they look like)
Are you checking the correct dates in the alert.log files?
What version of OSSEC?
Wednesday, December 12, 2012, 1:56:26 UTC+4, user dan (ddpbsd) wrote:
On Mon, Dec 10, 2012 at 10:12 AM, orfan <a.ul...@gmail.com> wrote:
I have ossec-hids-server-2.6_2.
<rule id="509" level="0">
<category>ossec</category>
<decoded_as>rootcheck</decoded_as>
<description>Rootcheck event.</description>
<group>rootcheck,</group>
</rule>
Decoded as "rootcheck", but I can't find a rootcheck decoder in
decoder.xml.
Is that normal?
I believe that decoder is actually coded inside of rootcheck for speed
reasons.
I mean the options (-i, -u) of the rootcheck_control utility.
-u <id> Updates (clear) the database for the agent.
-i <id> Prints database for the agent.
Probably /var/ossec/queue/rootcheck
Thanks.
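Since rule 509 matches rootcheck events at level 0, findings can sit in the rootcheck database (shown by `rootcheck_control -i`) without ever producing an alert in alerts.log, so it is worth triaging that dump directly. The following is an added example, not code from the thread or from OSSEC: it parses the `rootcheck_control -i` output format quoted above (including wrapped lines) into resolved and outstanding events and pulls out the flagged paths. The sample text is constructed from the output pasted in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the rootcheck_control -i output quoted in the thread.
SAMPLE = """Policy and auditing events for agent 'venus (004) - 10.0.0.3':
Resolved events:
2012 Dec 08 03:14:03 (first time detected: 2012 Dec 08 03:14:03)
System Audit: System Audit: Possible backdoor. File:
/usr/home/www/mysite/htdocs/dumper.php.
Outstanding events:
2012 Dec 13 05:25:51 (first time detected: 2012 Dec 08 03:10:10)
System Audit: System Audit: Web exploits (uncommon file name inside
htdocs) - Possible compromise. File: /usr/home/www/mysite/git/.ssh.
Reference: http://www.ossec.net/wiki/index.php/WebAttacks_links .
2012 Dec 13 05:34:21 (first time detected: 2012 Dec 08 03:20:37)
System Audit: Interface 'igb1' in promiscuous mode.
"""

# Event header: "<last seen> (first time detected: <first seen>)"
TS = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                r"\(first time detected: (\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})\)$")
# "File: /path." or "File:/path." ; the trailing period is sentence punctuation, not part of the path.
FILE = re.compile(r"File:\s*(\S+?)\.?(?:\s|$)")

@dataclass
class Event:
    status: str      # "resolved" or "outstanding"
    last_seen: str
    first_seen: str
    message: str = ""

    @property
    def path(self):
        m = FILE.search(self.message)
        return m.group(1) if m else None

def parse_rootcheck(text):
    """Parse rootcheck_control -i output; lines that are not headers are joined to the current event."""
    events, status, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Policy and auditing events"):
            continue
        if line in ("Resolved events:", "Outstanding events:"):
            status, cur = line.split()[0].lower(), None
            continue
        m = TS.match(line)
        if m:
            cur = Event(status, m.group(1), m.group(2))
            events.append(cur)
        elif cur is not None:          # wrapped continuation of the message
            cur.message = (cur.message + " " + line).strip()
    return events

def outstanding_paths(events):
    """Paths still flagged, i.e. what needs reviewing even when no alert fired."""
    return sorted({e.path for e in events if e.status == "outstanding" and e.path})
```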