Look, I am new here. Yes, the answers may have been spoon fed, but I
didn't ask you for the feeding. You obviously know the product. I just
installed it, and basically the documentation told me how to start it.
If you think my questions are below you, just ignore them. I directed
the question to the list. You didn't have to answer it; you chose to
answer it. I know what a 'cat' command is, and I know how pipes work.
What I asked was what was in /tmp/j. All you had to do was what Jeremy
said: the contents of the messages file. Or you could have ignored me
altogether and not answered the question. I don't know how long you
have used OSSEC, but I've had it for a week. I see how it works now,
but until it was pointed out what was in /tmp/j, how was I to determine
that? If you don't feel like answering my email, that's fine with me.
But you don't have to answer by trying to put me down at the same
time.

On Tue, Feb 5, 2013 at 11:07 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Feb 5, 2013 at 1:01 PM, Greg Ramos <[email protected]> wrote:
>> I did read the entire email several times. It doesn't say what you
>> placed in /tmp/j.
>>
>
> It most certainly did. Multiple times.
>
> If you look at the output of the command (cat /tmp/j |
> /var/ossec/bin/ossec-logtest) you would see:
>        full event: 'Feb  4 07:20:23 appoc9 sshd[901]: [ID 947420
> auth.warning] refused connect from 60.13.74.23'
>
> As you should know from running ossec-logtest, this entry is the log
> message fed to ossec-logtest. Putting 2 and 2 together makes it
> obvious that what was fed into logtest was what was in the file
> (that's what the first part of the command followed by the magical
> pipe does, welcome to unix basics).
>
> The contents of /tmp/j were displayed, for anyone who was willing to
> read the email. I didn't think that was too much to ask for
> (essentially) spoon fed answers.
>
>> On Tue, Feb 5, 2013 at 10:37 AM, dan (ddp) <[email protected]> wrote:
>>> On Tue, Feb 5, 2013 at 12:05 PM, Greg Ramos <[email protected]> wrote:
>>>> Yep, that rule worked. May I ask, what was in /tmp/j that you used to test?
>>>>
>>>
>>> You should read my entire email next time.
>>>
>>> **
>>>        full event: 'Feb  4 07:20:23 appoc9 sshd[901]: [ID 947420
>>> auth.warning] refused connect from 60.13.74.23'
>>> **
>>>
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2013 Feb 05 16:43:21
>>>>
>>>> Received From: appoc9->/var/adm/messages
>>>> Rule: 9999 fired (level 7) -> "SSH connection blocked by tcp wrappers."
>>>> Portion of the log(s):
>>>>
>>>> Feb  5 09:43:21 appoc9 sshd[14737]: [ID 947420 auth.warning] refused
>>>> connect from 64.118.82.235
>>>>
>>>>
>>>>
>>>>  --END OF NOTIFICATION
>>>>
>>>>
>>>> On Mon, Feb 4, 2013 at 6:29 PM, dan (ddp) <[email protected]> wrote:
>>>>> On Mon, Feb 4, 2013 at 7:21 PM, Greg Ramos <[email protected]> wrote:
>>>>>> I was constantly being hit from this machine:
>>>>>>
>>>>>> Feb  4 07:20:23 appoc9 sshd[901]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>
>>>>> I'm guessing your email alert level is set to 7. This log message
>>>>> appears to trigger a level 5 alert.
>>>>>
>>>>>  # cat /tmp/j | /var/ossec/bin/ossec-logtest
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Reading decoder file 
>>>>> etc/decoder.xml.
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Reading decoder file
>>>>> etc/local_decoder.xml.
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Reading decoder file
>>>>> etc/wip/nsd_decoder.xml.
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Reading the lists file:
>>>>> 'lists/blocked.txt.cdb'
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Reading the lists file:
>>>>> 'lists/userlist.txt.cdb'
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Reading the lists file:
>>>>> 'lists/banneduser.txt.cdb'
>>>>> 2013/02/04 20:25:25 ossec-testrule: INFO: Started (pid: 28087).
>>>>> ossec-testrule: Type one log per line.
>>>>>
>>>>>
>>>>>
>>>>> **Phase 1: Completed pre-decoding.
>>>>>        full event: 'Feb  4 07:20:23 appoc9 sshd[901]: [ID 947420
>>>>> auth.warning] refused connect from 60.13.74.23'
>>>>>        hostname: 'appoc9'
>>>>>        program_name: 'sshd'
>>>>>        log: 'refused connect from 60.13.74.23'
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>        decoder: 'sshd'
>>>>>        srcip: '60.13.74.23'
>>>>>
>>>>> **Phase 3: Completed filtering (rules).
>>>>>        Rule id: '2503'
>>>>>        Level: '5'
>>>>>        Description: 'Connection blocked by Tcp Wrappers.'
>>>>> **Alert to be generated.
>>>>>
>>>>>
>>>>> You can raise this by adding this to the local_rules.xml:
>>>>>
>>>>> <rule id="INSERT ID" level="7">
>>>>>   <if_sid>2503</if_sid>
>>>>>   <program_name>sshd</program_name>
>>>>>   <description>SSH connection blocked by tcp wrappers.</description>
>>>>> </rule>
>>>>>
>>>>> You should then end up with something like:
>>>>> # cat /tmp/j | /var/ossec/bin/ossec-logtest
>>>>> 2013/02/04 20:29:19 ossec-testrule: INFO: Reading decoder file 
>>>>> etc/decoder.xml.
>>>>> 2013/02/04 20:29:19 ossec-testrule: INFO: Reading decoder file
>>>>> etc/local_decoder.xml.
>>>>> 2013/02/04 20:29:19 ossec-testrule: INFO: Reading decoder file
>>>>> etc/wip/nsd_decoder.xml.
>>>>> 2013/02/04 20:29:19 ossec-testrule: INFO: Reading the lists file:
>>>>> 'lists/blocked.txt.cdb'
>>>>> 2013/02/04 20:29:19 ossec-testrule: INFO: Reading the lists file:
>>>>> 'lists/userlist.txt.cdb'
>>>>> 2013/02/04 20:29:19 ossec-testrule: INFO: Reading the lists file:
>>>>> 'lists/banneduser.txt.cdb'
>>>>> 2013/02/04 20:29:20 ossec-testrule: INFO: Started (pid: 20573).
>>>>> ossec-testrule: Type one log per line.
>>>>>
>>>>>
>>>>>
>>>>> **Phase 1: Completed pre-decoding.
>>>>>        full event: 'Feb  4 07:20:23 appoc9 sshd[901]: [ID 947420
>>>>> auth.warning] refused connect from 60.13.74.23'
>>>>>        hostname: 'appoc9'
>>>>>        program_name: 'sshd'
>>>>>        log: 'refused connect from 60.13.74.23'
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>        decoder: 'sshd'
>>>>>        srcip: '60.13.74.23'
>>>>>
>>>>> **Phase 3: Completed filtering (rules).
>>>>>        Rule id: '100091'
>>>>>        Level: '7'
>>>>>        Description: 'SSH connection blocked by tcp wrappers.'
>>>>> **Alert to be generated.
>>>>>
>>>>>
>>>>> I'm not sure this could get any more basic.
>>>>>
>>>>>> Feb  4 07:25:13 appoc9 sshd[1117]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:14 appoc9 sshd[1118]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:17 appoc9 sshd[1119]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:19 appoc9 sshd[1120]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:21 appoc9 sshd[1121]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:21 appoc9 sshd[1122]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:24 appoc9 sshd[1123]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:24 appoc9 sshd[1124]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:26 appoc9 sshd[1125]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:26 appoc9 sshd[1126]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:28 appoc9 sshd[1127]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:29 appoc9 sshd[1128]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:31 appoc9 sshd[1129]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:31 appoc9 sshd[1130]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:33 appoc9 sshd[1131]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:34 appoc9 sshd[1132]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:36 appoc9 sshd[1133]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:36 appoc9 sshd[1134]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:38 appoc9 sshd[1135]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:38 appoc9 sshd[1136]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:40 appoc9 sshd[1137]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:40 appoc9 sshd[1138]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 07:25:44 appoc9 sshd[1139]: [ID 947420 auth.warning] refused
>>>>>> connect from 60.13.74.23
>>>>>> Feb  4 08:42:35 appoc9 sshd[6446]: [ID 947420 auth.warning] refused
>>>>>> connect from fenderforum.com
>>>>>> Feb  4 15:09:48 appoc9 sshd[25065]: [ID 947420 auth.warning] refused
>>>>>> connect from 87.101.142.139
>>>>>>
>>>>>>
>>>>>> On Mon, Feb 4, 2013 at 5:09 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>
>>>>>>> On Feb 4, 2013 6:33 PM, "Greg Ramos" <[email protected]> wrote:
>>>>>>>>
>>>>>>>> OK, I purchased the book on Amazon. I noticed the date is pretty old,
>>>>>>>> considering things are changing all the time, but perhaps it will help
>>>>>>>> me to learn the software. Anyway, one of the primary reasons I installed
>>>>>>>> the package was to monitor ssh refusals. I am getting notification of
>>>>>>>> failed logins, but not refusals. In other words, I had a machine that
>>>>>>>> was refused by the tcp wrappers, and noted in /var/adm/messages, but
>>>>>>>> did not receive an alert for any of these attempts. I have used
>>>>>>>> 'swatch' before, which I could set up to look for ssh refusals, similar
>>>>>>>> to logwatch. The problem with logwatch, unless I don't have it
>>>>>>>> configured correctly, is that I get a report the next day. I am looking for
>>>>>>>> something that monitors attempts live, which OSSEC does, I am just
>>>>>>>> missing the refused attempts.
>>>>>>>>
>>>>>>>>
>>>>>>>> OSSEC Host-Based Intrusion Detection Guide
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>
>>>>>>> Please provide a log sample.
>>>>>>>
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>>> Groups
>>>>>>>> "ossec-list" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>>>>> an
>>>>>>>> email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>



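The rule chain that dan's two ossec-logtest runs illustrate (stock rule 2503 firing at level 5, then a local child rule raising it to level 7 through if_sid, and the result compared against the e-mail threshold), as an added example that is not part of the thread and is not OSSEC's own code. It is a toy Python model of the three logtest phases: the syslog and Solaris-tag regexes, the rule dictionaries, the in.telnetd line and the "Accepted publickey" line are my own simplified stand-ins and constructed samples; the rule ids 2503 and 100091, the descriptions, the first log line and the default email_alert_level of 7 are taken from the thread or from OSSEC's stock configuration. The in.telnetd line shows why the program_name condition in the suggested rule matters: tcp wrappers log the same "refused connect from" text for any wrapped daemon, so without it the level-7 rule would fire for all of them.

```python
"""Toy model of the OSSEC pipeline shown in the thread: pre-decode -> decode ->
rules -> compare against email_alert_level.  Added example, not OSSEC source:
the regexes and the two rule dicts are simplified stand-ins for OSSEC's own
decoder.xml, syslog_rules.xml (rule 2503) and the local_rules.xml child rule."""
import re

# Solaris syslog line as seen in /var/adm/messages on the poster's host.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)
# Solaris prefixes the message body with "[ID nnnnnn facility.level]".
SOLARIS_TAG_RE = re.compile(r"^\[ID \d+ \w+\.\w+\] ")
REFUSED_RE = re.compile(r"refused connect from (\S+)$")

# Stand-ins for OSSEC rules.  2503 is the stock tcp-wrappers rule the first
# logtest run hit (level 5); 100091 is the child rule dan proposed, with the
# id his second logtest run shows.  if_sid means "only try me if my parent
# matched", and a matching child's level then replaces the parent's.
RULES = [
    {"id": 2503, "level": 5, "match": "refused connect from",
     "description": "Connection blocked by Tcp Wrappers."},
    {"id": 100091, "level": 7, "if_sid": 2503, "program_name": "sshd",
     "description": "SSH connection blocked by tcp wrappers."},
]
STOCK_RULES_ONLY = RULES[:1]          # the state before editing local_rules.xml
EMAIL_ALERT_LEVEL = 7                 # ossec.conf default <email_alert_level>


def pre_decode(line):
    """Phase 1: split off timestamp, hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["log"] = SOLARIS_TAG_RE.sub("", ev["log"])
    return ev


def decode(ev):
    """Phase 2: stand-in for the sshd decoder, pulling srcip out of the log."""
    m = REFUSED_RE.search(ev["log"])
    ev["decoder"] = ev["program_name"] if m else None
    ev["srcip"] = m.group(1) if m else None
    return ev


def match_rules(ev, rules):
    """Phase 3: walk the rules in order.  A child (if_sid) is only tried after
    its parent matched and, if it matches too, overrides the parent."""
    matched = None
    for rule in rules:
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "match" in rule and rule["match"] not in ev["log"]:
            continue
        if "program_name" in rule and ev["program_name"] != rule["program_name"]:
            continue
        matched = rule
    return matched


def analyze(line, rules=RULES, email_alert_level=EMAIL_ALERT_LEVEL):
    """Run one log line through all three phases; None if no rule fires."""
    ev = pre_decode(line)
    if ev is None:
        return None
    rule = match_rules(decode(ev), rules)
    if rule is None:
        return None
    return {"rule_id": rule["id"], "level": rule["level"],
            "description": rule["description"], "srcip": ev["srcip"],
            "emailed": rule["level"] >= email_alert_level}


# Constructed samples: the first is the line from the thread; the other two
# are made up to show the program_name condition and a non-matching line.
SAMPLE_LOGS = [
    "Feb  4 07:20:23 appoc9 sshd[901]: [ID 947420 auth.warning] refused connect from 60.13.74.23",
    "Feb  4 08:10:02 appoc9 in.telnetd[2001]: [ID 947420 auth.warning] refused connect from 192.0.2.10",
    "Feb  4 09:00:00 appoc9 sshd[3003]: [ID 800047 auth.info] Accepted publickey for greg from 198.51.100.7 port 50122 ssh2",
]

if __name__ == "__main__":
    for label, rules in (("stock rules only", STOCK_RULES_ONLY), ("with local rule", RULES)):
        print(f"== {label}")
        for line in SAMPLE_LOGS:
            print(f"  {line.split(': ', 1)[1][:45]:<46} -> {analyze(line, rules)}")
```

When you add the rule for real, give it an id in the local range (100000 to 119999), put it inside the group element that local_rules.xml already contains, and re-run /var/ossec/bin/ossec-logtest on the sample line to confirm the reported rule id and level before restarting OSSEC. If you want the e-mail without raising the level, an options element with alert_by_email on the rule mails it regardless of the global threshold; lowering email_alert_level in ossec.conf instead would mail every level-5 alert from every rule.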