I did not get a 550... and perhaps 550 may not have been the right choice. 
In fact, I do a grep for 192.168.1.10 (an IP in the blacklist) in 
audit.log, messages, alert.log, and secure etc, and it does not show up, 
even though it is an active agent.   Here is the log immediately after 
start-up

2013/03/07 09:04:01 ossec-dbd: Connected to database 'wtshiddb' at 
'192.168.1.8'.
2013/03/07 09:04:01 ossec-execd: INFO: Started (pid: 5962).
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading local decoder file.
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading loading the lists file: 
'lists/blacklist.txt'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'rules_config.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'pam_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'telnetd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'syslog_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'arpwatch_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'symantec-av_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'symantec-ws_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'pix_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'named_rules.xml'
2013/03/07 09:04:01 ossec-remoted: INFO: Started (pid: 5974).
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'smbd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'vsftpd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'pure-ftpd_rules.xml'
2013/03/07 09:04:01 ossec-remoted: INFO: Started (pid: 5976).
2013/03/07 09:04:01 ossec-remoted: Remote syslog allowed from: 
'192.168.1.0/24'
2013/03/07 09:04:01 ossec-remoted: Remote syslog allowed from: 
'10.10.1.0/24'
2013/03/07 09:04:01 ossec-remoted: INFO: Started (pid: 5975).
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'proftpd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ms_ftpd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ftpd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'hordeimp_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'roundcube_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'wordpress_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'cimserver_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'vpopmail_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'vmpop3d_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'courier_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'web_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'web_appsec_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'apache_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'nginx_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'php_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'mysql_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'postgresql_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ids_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'squid_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'firewall_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'cisco-ios_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'netscreenfw_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'sonicwall_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'postfix_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'sendmail_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'imapd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'mailscanner_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'dovecot_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ms-exchange_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'racoon_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'vpn_concentrator_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'spamd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'msauth_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'mcafee_av_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'trend-osce_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ms-se_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'zeus_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'solaris_bsm_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'vmware_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ms_dhcp_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'asterisk_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'ossec_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'attack_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'openbsd_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'clam_av_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'bro-ids_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'dropbear_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: 
'local_rules.xml'
2013/03/07 09:04:01 ossec-analysisd: INFO: Total rules enabled: '1293'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'/etc/mail/statistics'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'/etc/svc/volatile'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/System32/LogFiles'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/WindowsUpdate.log'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/iis6.log'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/wbem/Logs'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/wbem/Repository'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/Prefetch'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/SoftwareDistribution'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/config'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/spool'
2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: 
'C:\WINDOWS/system32/CatRoot'
2013/03/07 09:04:01 ossec-analysisd: INFO: White listing IP: '192.168.1.8'
2013/03/07 09:04:01 ossec-analysisd: INFO: White listing IP: '192.168.1.7'
2013/03/07 09:04:01 ossec-analysisd: INFO: 2 IPs in the white list for 
active response.
2013/03/07 09:04:01 ossec-analysisd: INFO: No Hostname in the white list 
for active reponse.
2013/03/07 09:04:01 ossec-analysisd: INFO: Started (pid: 5966).
2013/03/07 09:04:02 ossec-remoted(4111): INFO: Maximum number of agents 
allowed: '256'.
2013/03/07 09:04:02 ossec-remoted(1410): INFO: Reading authentication keys 
file.
2013/03/07 09:04:02 ossec-remoted: INFO: Assigning counter for agent Dads: 
'0:533'.
2013/03/07 09:04:02 ossec-remoted: INFO: Assigning counter for agent 
Win2012: '9:7228'.
2013/03/07 09:04:02 ossec-remoted: INFO: Assigning counter for agent 
Solaris10: '3:8363'.
2013/03/07 09:04:02 ossec-remoted: INFO: Assigning sender counter: 0:2081
2013/03/07 09:04:02 ossec-monitord: INFO: Started (pid: 5985).
2013/03/07 09:04:03 ossec-dbd: INFO: Started (pid: 5955).
2013/03/07 09:04:04 ossec-analysisd: INFO: Connected to 
'/queue/alerts/execq' (exec queue)
2013/03/07 09:04:06 ossec-syscheckd: INFO: Started (pid: 5981).
2013/03/07 09:04:06 ossec-rootcheck: INFO: Started (pid: 5981).
2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin'.
2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/audit/audit.log'.
2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/messages'.
2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/secure'.
2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/maillog'.
2013/03/07 09:04:07 ossec-logcollector: INFO: Monitoring output of 
command(360): df -h
2013/03/07 09:04:07 ossec-logcollector: INFO: Monitoring full output of 
command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2013/03/07 09:04:07 ossec-logcollector: INFO: Monitoring full output of 
command(360): last -n 5
2013/03/07 09:04:07 ossec-logcollector: INFO: Started (pid: 5970).
2013/03/07 09:05:08 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).
2013/03/07 09:05:08 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).

On Thursday, March 7, 2013 12:35:21 AM UTC-6, dan (ddpbsd) wrote:

>
> On Mar 6, 2013 11:31 PM, "TWAD" <[email protected]> wrote:
> >
> > Hey Dan, I took your advice and created a CDB with over 10k IPs and then 
> I added one of my local IPs to test for an alert. However, the alert does 
> not fire when one of my local hosts tries to connect or when I change the 
> blacklists file. I am running tcpdump and I can see the host trying to 
> connect, but nothing in the alert.log. The active response log is still at 
> 0 as well. What am I doing wrong?
> >  
>
> Please provide a log sample.
>
> > Blacklist format for CDB:
> > IP1: 192.168.1.8
> > IP2: 10.10.1.200
> > etc
> >  
> > In ossec.conf I have
> > <rules>
> > ...
> >
> >      <list>lists/blacklist.txt</list>
> >
> >      <include>local_rules.xml</include>
> >
> > </rules>
> >
> >  
> >
> >  I added this to execute ossec-makelist when the blacklist changes. I do 
> not believe it worked because I ran it manually and it showed an update 
> was needed
> >
> > <command> 
> >
> >    <name>makelists</name>
> >
> >    <executable>makelists.sh</executable>
> >
> >    <expect></expect>
> >
> > </command>
> >
> >  
> >
> > <active-response>
> >
> >    <disabled>no</disabled>
> >
> >    <command>makelists</command>
> >
> >    <location>server</location>
> >
> >    <rules_id>105001</rules_id>
> >
> > </active-response>
> >
> >  
> > Here is my blacklist file with the new CDB created from Makelists
> >
> > [root@RHEL6-4 lists]# ls -la
> >
> > total 712
> >
> > drwxr-xr-x.  2 ossec ossec   4096 Mar  6 22:03 .
> >
> > dr-xr-x---. 15 root  ossec   4096 Mar  6 16:49 ..
> >
> > -rw-r--r--.  1 ossec ossec 239574 Mar  6 22:03 blacklist.txt
> >
> > -rw-r--r--.  1 ossec ossec 478742 Mar  6 17:09 blacklist.txt.cdb
> >
> >  
> >
> > My local_rules.xml addition for the alert
> >
> >  
> >
> > <rule id="101003" level="0" noalert="1">
> >
> >      <decoded_as>unbound</decoded_as>
> >
> >      <description>Grouping for unbound.</description>
> >
> >    </rule>
> >
> >   
> >
> >  <rule id="101004" level="10">
> >
> >      <if_sid>101003</if_sid>
> >
> >      <list field="srcip" 
> lookup="address_match_key">lists/blacklist.txt.cdb</list>
> >
> >      <description>DNS query on a potentially malicious 
> domain.</description> </rule>
> >
> > <rule id="101005" level="10">
> >
> >    <if_sid>550</if_sid>
> >
>
> Did you get a 550 with the path you defined below?
>
> >    <match>/var/ossec/lists/blacklist.txt</match>
> >
> >    <description>blacklist.txt has been modified</description>
> >
> > </rule>
> >
> >  
> >
> >  
> >
> >  
> >
> >  
> >
> >
> > On Tuesday, March 5, 2013 5:45:10 PM UTC-6, dan (ddpbsd) wrote:
> >>
> >> On Mon, Mar 4, 2013 at 4:45 PM, TWAD <[email protected]> wrote: 
> >> > Hey everybody, 
> >> > I have a task that I'm struggling with; could you help? 
> >> > 
> >> > Task: I need to have a blacklist capability on all of my agents ( to 
> alert, 
> >> > not block) 
> >> > 
> >>
> >> Alerts are only created by the server, not the agents. 
> >>
> >> > Issue 1: The blacklist contains over 700 IPs (currently) so creating 
> a rule 
> >> > for each would (to me) seem taxing on the agent and server 
> >> > 
> >>
> >> Using a cdb seems like a decent option. I had a cdb of over 100k 
> >> domains at one point. 
> >>
> >> > Issue 2: The white list will contain over 200 IPs or 10 
> domains/subnets 
> >> > 
> >> > Questions: 
> >> > 
> >> > Should I use a white list instead of the blacklist? 
> >> > Has anybody on this list done this? 
> >> > What is the most practical method? 
> >> > 
> >> > Research: 
> >> > 
> >> > I found an excellent example written by Anthony Kasza 
> >> > (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents 
> will be 
> >> > running nc. 
> >> > I looked on this list and other great resources but do not have a 
> good 
> >> > answer 
> >> > 
> >> > Thank you in advance for your time! 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send an 
> >> > email to [email protected]. 
> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> >> > 
> >> > 
> >
>  
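As an added example that is not part of this thread and not OSSEC's own code, a Python model of the lookup that a `<list field="srcip" lookup="address_match_key">` rule performs against a CDB list: it parses the key:value text that ossec-makelists compiles, flags keys that are not addresses (the srcip value is looked up as the key, so a line such as `IP1: 192.168.1.8` is keyed on `IP1`), and reproduces the lookup order, which I assume to be the full address followed by successively shorter dotted prefixes.

```python
# Added example (not OSSEC code): model of the CDB list lookup behind
# <list field="srcip" lookup="address_match_key">. It parses key:value list
# text, flags keys that are not addresses, and reproduces the lookup order
# (full address, then shorter dotted prefixes), which I assume OSSEC uses.
import ipaddress
import re

# Constructed sample: two lines labelled the way the thread's blacklist was
# written, and two lines in the key:value form a CDB list expects.
SAMPLE_LIST = """\
IP1: 192.168.1.8
IP2: 10.10.1.200
192.168.1.10:
10.10.1.:
"""

# A usable key is a full IPv4 address or a dotted prefix such as "10.10.1."
PREFIX_RE = re.compile(r"^(\d{1,3}\.){1,3}$")


def is_address_key(key):
    if PREFIX_RE.match(key):
        return True
    try:
        ipaddress.IPv4Address(key)
        return True
    except ValueError:
        return False


def parse_list(text):
    """Return (keys, problems): keys maps key -> value; problems lists the
    (lineno, key) pairs whose key is not an address, so srcip never hits them."""
    keys, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        keys[key] = value
        if not is_address_key(key):
            problems.append((lineno, key))
    return keys, problems


def address_match_key(keys, srcip):
    """Try srcip itself, then 'a.b.c.', 'a.b.', 'a.'; return the key that hit."""
    octets = srcip.split(".")
    for cand in [srcip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)]:
        if cand in keys:
            return cand
    return None
```

Running `parse_list(SAMPLE_LIST)` reports lines 1 and 2 as unusable keys, and `address_match_key` finds `192.168.1.10` and the `10.10.1.` prefix but nothing for `192.168.1.8`.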
