Thank you Dan, The first issue is solved. I was not monitoring the list (blacklist) so it would not fire an alert. I am now monitoring and it does fire. The second issue: I misunderstood the key to represent the second field. My list is now correct but it does not fire. So here is my reasoning (and perhaps demonstrated lack of understanding of OSSEC). Even though I have the blacklist configured correctly, the OSSEC agent will not detect an "offending" IP unless said IP shows up in a log/file on the system right? In otherwords, OSSEC will need to be reading from a file that is being fed from utilities such as tcpdump, snort, or wireshark... right? aka It does not have the capability to do port detection on its own. Thank you again
On Thursday, March 7, 2013 9:28:29 PM UTC-6, dan (ddpbsd) wrote: > There are 2 separate issues that you seem to be munging together. > Let's try to keep them separated a bit. > > On Thu, Mar 7, 2013 at 10:54 AM, TWAD <[email protected] <javascript:>> > wrote: > > I did not get a 550... and perhaps 550 may not have been the right > choice. > > You need to find out what rule is firing. When I set this up for > myself, 550 was the one I had used in my rule: > <rule id="510011" level="10"> > <if_sid>550</if_sid> > <match>/var/ossec/lists/blocked.txt</match> > <description>blocked.txt has been modified</description> > </rule> > > And then my active response uses this rule: > <active-response> > <command>makelists</command> > <location>server</location> > <rules_id>510011</rules_id> > </active-response> > > So find out why you aren't getting an alert for the file changing. Are > you monitoring the file's location in syscheck? Is the file in the > syscheck database? How often does syscheck run? > > > In fact, I do a grep for 192.168.1.10 (an IP in the blacklist) in > audit.log, > > messages, alert.log, and secure etc, and it does not show up, even > though is > > is an active agent. Here is the log after immediate start-up > > > > I'm totally confused by this. You were saying you were not getting an > alert based on your CDB list, right? > > Your rule: > <rule id="101004" level="10"> > <if_sid>101003</if_sid> > <list field="srcip" > lookup="address_match_key">lists/blacklist.txt.cdb</list> > <description>DNS query on a potentially malicious > domain.</description> > </rule> > > Your list: > IP1: 192.168.1.8 > IP2: 10.10.1.200 > > Your rule is matching on the key, the first field (eg: IP1, IP2). You > have expressed interest in the value (192.168.1.8), so I believe your > rule is useless as written. > You also need to make sure the decoder matched in 101003 decodes the > srcip correctly. You can use ossec-logtest to determine if this is the > case. > > > 2013/03/07 09:04:01 ossec-dbd: Connected to database 'wtshiddb' at > > '192.168.1.8'. > > 2013/03/07 09:04:01 ossec-execd: INFO: Started (pid: 5962). > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading local decoder file. > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading loading the lists > file: > > 'lists/blacklist.txt' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'rules_config.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'pam_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'sshd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'telnetd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'syslog_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'arpwatch_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'symantec-av_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'symantec-ws_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'pix_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'named_rules.xml' > > 2013/03/07 09:04:01 ossec-remoted: INFO: Started (pid: 5974). > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'smbd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'vsftpd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'pure-ftpd_rules.xml' > > 2013/03/07 09:04:01 ossec-remoted: INFO: Started (pid: 5976). > > 2013/03/07 09:04:01 ossec-remoted: Remote syslog allowed from: > > '192.168.1.0/24' > > 2013/03/07 09:04:01 ossec-remoted: Remote syslog allowed from: > > '10.10.1.0/24' > > 2013/03/07 09:04:01 ossec-remoted: INFO: Started (pid: 5975). > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'proftpd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ms_ftpd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ftpd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'hordeimp_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'roundcube_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'wordpress_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'cimserver_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'vpopmail_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'vmpop3d_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'courier_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'web_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'web_appsec_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'apache_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'nginx_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'php_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'mysql_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'postgresql_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ids_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'squid_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'firewall_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'cisco-ios_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'netscreenfw_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'sonicwall_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'postfix_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'sendmail_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'imapd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'mailscanner_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'dovecot_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ms-exchange_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'racoon_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'vpn_concentrator_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'spamd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'msauth_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'mcafee_av_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'trend-osce_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ms-se_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'zeus_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'solaris_bsm_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'vmware_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ms_dhcp_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'asterisk_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'ossec_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'attack_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'openbsd_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'clam_av_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'bro-ids_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'dropbear_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Reading rules file: > > 'local_rules.xml' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Total rules enabled: '1293' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > '/etc/hosts.deny' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > '/etc/mail/statistics' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > '/etc/random-seed' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > '/etc/httpd/logs' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > '/etc/cups/certs' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > '/etc/dumpdates' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > '/etc/svc/volatile' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/System32/LogFiles' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > 'C:\WINDOWS/Debug' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/WindowsUpdate.log' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/iis6.log' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/system32/wbem/Logs' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/system32/wbem/Repository' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/Prefetch' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/SoftwareDistribution' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > 'C:\WINDOWS/Temp' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/system32/config' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/system32/spool' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Ignoring file: > > 'C:\WINDOWS/system32/CatRoot' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: White listing IP: > '192.168.1.8' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: White listing IP: > '192.168.1.7' > > 2013/03/07 09:04:01 ossec-analysisd: INFO: 2 IPs in the white list for > > active response. > > 2013/03/07 09:04:01 ossec-analysisd: INFO: No Hostname in the white list > for > > active reponse. > > 2013/03/07 09:04:01 ossec-analysisd: INFO: Started (pid: 5966). > > 2013/03/07 09:04:02 ossec-remoted(4111): INFO: Maximum number of agents > > allowed: '256'. > > 2013/03/07 09:04:02 ossec-remoted(1410): INFO: Reading authentication > keys > > file. > > 2013/03/07 09:04:02 ossec-remoted: INFO: Assigning counter for agent > Dads: > > '0:533'. > > 2013/03/07 09:04:02 ossec-remoted: INFO: Assigning counter for agent > > Win2012: '9:7228'. > > 2013/03/07 09:04:02 ossec-remoted: INFO: Assigning counter for agent > > Solaris10: '3:8363'. > > 2013/03/07 09:04:02 ossec-remoted: INFO: Assigning sender counter: > 0:2081 > > 2013/03/07 09:04:02 ossec-monitord: INFO: Started (pid: 5985). > > 2013/03/07 09:04:03 ossec-dbd: INFO: Started (pid: 5955). > > 2013/03/07 09:04:04 ossec-analysisd: INFO: Connected to > > '/queue/alerts/execq' (exec queue) > > 2013/03/07 09:04:06 ossec-syscheckd: INFO: Started (pid: 5981). > > 2013/03/07 09:04:06 ossec-rootcheck: INFO: Started (pid: 5981). > > 2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: '/etc'. > > 2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: > '/usr/bin'. > > 2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: > > '/usr/sbin'. > > 2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: '/bin'. > > 2013/03/07 09:04:06 ossec-syscheckd: INFO: Monitoring directory: > '/sbin'. > > 2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/audit/audit.log'. > > 2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/messages'. > > 2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/secure'. > > 2013/03/07 09:04:07 ossec-logcollector(1950): INFO: Analyzing file: > > '/var/log/maillog'. > > 2013/03/07 09:04:07 ossec-logcollector: INFO: Monitoring output of > > command(360): df -h > > 2013/03/07 09:04:07 ossec-logcollector: INFO: Monitoring full output of > > command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort > > 2013/03/07 09:04:07 ossec-logcollector: INFO: Monitoring full output of > > command(360): last -n 5 > > 2013/03/07 09:04:07 ossec-logcollector: INFO: Started (pid: 5970). > > 2013/03/07 09:05:08 ossec-syscheckd: INFO: Starting syscheck scan > > (forwarding database). > > 2013/03/07 09:05:08 ossec-syscheckd: INFO: Starting syscheck database > > (pre-scan). > > > > > > > > > > > > > > On Thursday, March 7, 2013 12:35:21 AM UTC-6, dan (ddpbsd) wrote: > >> > >> > >> On Mar 6, 2013 11:31 PM, "TWAD" <[email protected]> wrote: > >> > > >> > Hey Dan, I took your advice and created a CDB with over 10k IPs and > then > >> > I added one of my local IPs to test for an alert. However, the alert > does > >> > not fire when one of my local hosts trys to connect or when I change > the > >> > blacklists file. I am running tcpdump and I can see the host trying > to > >> > connect, but nothing in the alert.log. The active response log is > still at 0 > >> > as well. What am I doing wrong? > >> > > >> > >> Please provide a log sample. > >> > >> > Blacklist format for CDB: > >> > IP1: 192.168.1.8 > >> > IP2: 10.10.1.200 > >> > etc > >> > > >> > In ossec.conf I have > >> > <rules> > >> > ... > >> > > >> > <list>lists/blacklist.txt</list> > >> > > >> > <include>local_rules.xml</include> > >> > > >> > </rules> > >> > > >> > > >> > > >> > I added this to execute ossec-makelist when the blacklist changes. I > do > >> > not believe it worked because I ran it manuallyy and it showed an > update was > >> > needed > >> > > >> > <command> > >> > > >> > <name>makelists</name> > >> > > >> > <executable>makelists.sh</executable> > >> > > >> > <expect></expect> > >> > > >> > </command> > >> > > >> > > >> > > >> > <active-response> > >> > > >> > <disabled>no</disabled> > >> > > >> > <command>makelists</command> > >> > > >> > <location>server</location> > >> > > >> > <rules_id>105001</rules_id> > >> > > >> > </active-response> > >> > > >> > > >> > Here is my blacklist file with the new CDB created from Makelists > >> > > >> > [root@RHEL6-4 lists]# ls -la > >> > > >> > total 712 > >> > > >> > drwxr-xr-x. 2 ossec ossec 4096 Mar 6 22:03 . > >> > > >> > dr-xr-x---. 15 root ossec 4096 Mar 6 16:49 .. > >> > > >> > -rw-r--r--. 1 ossec ossec 239574 Mar 6 22:03 blacklist.txt > >> > > >> > -rw-r--r--. 1 ossec ossec 478742 Mar 6 17:09 blacklist.txt.cdb > >> > > >> > > >> > > >> > My local_rules.xml addition for the alert > >> > > >> > > >> > > >> > <rule id="101003" level="0" noalert="1"> > >> > > >> > <decoded_as>unbound</decoded_as> > >> > > >> > <description>Grouping for unbound.</description> > >> > > >> > </rule> > >> > > >> > > >> > > >> > <rule id="101004" level="10"> > >> > > >> > <if_sid>101003</if_sid> > >> > > >> > <list field="srcip" > >> > lookup="address_match_key">lists/blacklist.txt.cdb</list> > >> > > >> > <description>DNS query on a potentially malicious > >> > domain.</description> </rule> > >> > > >> > <rule id="101005" level="10"> > >> > > >> > <if_sid>550</if_sid> > >> > > >> > >> Did you get a 550 with the path you defined below? > >> > >> > <match>/var/ossec/lists/blacklist.txt</match> > >> > > >> > <description>blacklist.txt has been modified</description> > >> > > >> > </rule> > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > On Tuesday, March 5, 2013 5:45:10 PM UTC-6, dan (ddpbsd) wrote: > >> >> > >> >> On Mon, Mar 4, 2013 at 4:45 PM, TWAD <[email protected]> wrote: > >> >> > Hey everybody, > >> >> > I have a task that I'm struggling with; could you help? > >> >> > > >> >> > Task: I need to have a blacklist capability on all of my agents ( > to > >> >> > alert, > >> >> > not block) > >> >> > > >> >> > >> >> Alerts are only created by the server, not the agents. > >> >> > >> >> > Issue 1: The blacklist contains over 700 IPs (currently) so > creating > >> >> > a rule > >> >> > for each would (to me) seem taxing on the agent and server > >> >> > > >> >> > >> >> Using a cdb seems like a decent option. I had a cdb of over 100k > >> >> domains at one point. > >> >> > >> >> > Issue 2: The white list will contain over 200 IPs or 10 > >> >> > domains/subnets > >> >> > > >> >> > Questions: > >> >> > > >> >> > Should I use a white list instead of the blacklist? > >> >> > Has anybody on this list done this? > >> >> > What is the most practical method? > >> >> > > >> >> > Reasearch: > >> >> > > >> >> > I found an excellent example written by Anthony Kasza > >> >> > (anthonykasza.webs.com/docs/honeyports.pdf) but none of my agents > >> >> > will be > >> >> > running nc. > >> >> > I looked on this list and other great resources but do not have a > >> >> > good > >> >> > answer > >> >> > > >> >> > Thank you in advance for your time! > >> >> > > >> >> > -- > >> >> > > >> >> > --- > >> >> > You received this message because you are subscribed to the Google > >> >> > Groups > >> >> > "ossec-list" group. > >> >> > To unsubscribe from this group and stop receiving emails from it, > >> >> > send an > >> >> > email to [email protected]. > >> >> > For more options, visit https://groups.google.com/groups/opt_out. > >> >> > > >> >> > > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send > >> > an email to [email protected]. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
