On Wed, Mar 27, 2013 at 10:53 PM, Chris Decker <[email protected]> wrote:
> All,
>
> I've been digging around trying to figure out what the problem is and I have a theory:
> I didn't always have auto_ignore set to 'no'. I did get alerts for the 1st, 2nd and 3rd change to /tmp/demo/test. Perhaps I'm no longer getting alerts because the fact that I already received my 3 alerts for that file is persisting across restarts, and isn't respecting my change of the auto_ignore setting?
>
> Thoughts?
>

Seems like an easy thing to test. Let us know. :)

> Thanks,
> Chris
>
>
> On Wed, Mar 27, 2013 at 10:17 AM, Chris Decker <[email protected]> wrote:
>>
>> All,
>>
>> I just did a fresh, fairly vanilla install of OSSEC 2.7 (official release). I'm getting mixed results with realtime alerts - sometimes it works fine, sometimes the 'diff' file doesn't reflect the change minutes after I have made it, while other times the 'diff' file is showing the change but I don't receive an alert.
>>
>> Is there something obvious I am missing? Relevant snippets of information:
>>
>> cat /etc/redhat-release
>> CentOS release 6.4 (Final)
>>
>> rpm -ql kernel-devel | grep inotify
>> /usr/src/kernels/2.6.32-358.el6.x86_64/fs/notify/inotify
>> /usr/src/kernels/2.6.32-358.el6.x86_64/fs/notify/inotify/Kconfig
>> /usr/src/kernels/2.6.32-358.el6.x86_64/fs/notify/inotify/Makefile
>> /usr/src/kernels/2.6.32-358.el6.x86_64/include/config/inotify
>> /usr/src/kernels/2.6.32-358.el6.x86_64/include/config/inotify.h
>> /usr/src/kernels/2.6.32-358.el6.x86_64/include/config/inotify/user.h
>> /usr/src/kernels/2.6.32-358.el6.x86_64/include/linux/inotify.h
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/fs/notify/inotify
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/fs/notify/inotify/Kconfig
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/fs/notify/inotify/Makefile
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/config/inotify
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/config/inotify.h
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/config/inotify/user.h
>> /usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/linux/inotify.h
>>
>>
>> rpm -qa | grep kernel
>> kernel-devel-2.6.32-358.el6.x86_64
>> libreport-plugin-kerneloops-2.0.9-15.el6.centos.x86_64
>> abrt-addon-kerneloops-2.0.8-15.el6.centos.x86_64
>> kernel-firmware-2.6.32-358.2.1.el6.noarch
>> kernel-headers-2.6.32-358.2.1.el6.x86_64
>> dracut-kernel-004-303.el6.noarch
>> kernel-2.6.32-358.2.1.el6.x86_64
>> kernel-2.6.32-358.el6.x86_64
>> kernel-devel-2.6.32-358.2.1.el6.x86_64
>>
>>
>> <syscheck>
>>   <frequency>79200</frequency>
>>   <auto_ignore>no</auto_ignore>
>>   <scan_on_start>no</scan_on_start>
>>   <directories realtime="yes" report_changes="yes" check_all="yes">/tmp/demo</directories>
>> </syscheck>
>>
>>
>> date
>> Wed Mar 27 07:10:03 PDT 2013
>>
>> /var/ossec/queue/diff/local/tmp/demo/test
>> [root@manager test]# ll
>> total 16
>> -rw-r--r--. 1 root root 11 Mar 27 05:51 diff.1364388706
>> -rw-r--r--. 1 root root 12 Mar 27 06:50 diff.1364392256
>> -rw-r--r--. 1 root root 11 Mar 27 06:50 last-entry
>> -rw-r--r--. 1 root root  0 Mar 27 05:43 state.1364388217
>> -rw-r--r--. 1 root root  5 Mar 27 05:51 state.1364388706
>>
>> -rw-r--r--. 1 root root 47 Mar 27 07:09 /tmp/demo/test
>>
>>
>> I did verify that real time monitoring was started and rootcheck was complete before I attempted my test:
>> 2013/03/27 07:02:00 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/27 07:02:00 ossec-testrule: INFO: Started (pid: 15023).
>> 2013/03/27 07:02:00 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
>> 2013/03/27 07:02:00 ossec-execd: INFO: Started (pid: 15046).
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading local decoder file.
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Total rules enabled: '1313'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: No IP in the white list for active reponse.
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: No Hostname in the white list for active reponse.
>> 2013/03/27 07:02:00 ossec-analysisd: INFO: Started (pid: 15050).
>> 2013/03/27 07:02:00 ossec-remoted: INFO: Started (pid: 15058).
>> 2013/03/27 07:02:00 ossec-remoted: INFO: Started (pid: 15059).
>> 2013/03/27 07:02:00 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
>> 2013/03/27 07:02:00 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> 2013/03/27 07:02:00 ossec-remoted(1410): INFO: Reading authentication keys file.
>> 2013/03/27 07:02:00 ossec-remoted: INFO: Assigning counter for agent agent: '0:8827'.
>> 2013/03/27 07:02:00 ossec-remoted: INFO: Assigning counter for agent kibana: '1:3532'.
>> 2013/03/27 07:02:00 ossec-remoted: INFO: Assigning sender counter: 0:1039
>> 2013/03/27 07:02:00 ossec-monitord: INFO: Started (pid: 15068).
>> 2013/03/27 07:02:03 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
>> 2013/03/27 07:02:03 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> 2013/03/27 07:02:04 ossec-syscheckd: INFO: Started (pid: 15065).
>> 2013/03/27 07:02:04 ossec-rootcheck: INFO: Started (pid: 15065).
>> 2013/03/27 07:02:04 ossec-syscheckd: INFO: Monitoring directory: '/tmp/demo'.
>> 2013/03/27 07:02:04 ossec-syscheckd: INFO: Directory set for real time monitoring: '/tmp/demo'.
>> 2013/03/27 07:02:06 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> 2013/03/27 07:02:06 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> 2013/03/27 07:02:06 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> 2013/03/27 07:02:06 ossec-logcollector: INFO: Monitoring output of command(360): df -h
>> 2013/03/27 07:02:06 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>> 2013/03/27 07:02:06 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
>> 2013/03/27 07:02:06 ossec-logcollector: INFO: Started (pid: 15053).
>>
>>
>>
>> Thanks,
>> Chris
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
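The reply above says the theory is easy to test; the script below is one way to do it on the manager. It is an added example, not code from this thread or from the OSSEC project. It appends to the monitored file a given number of times, then counts the syscheck alerts for that path in alerts.log and lists which rule IDs fired (550 for a first change, 551 and 552 for the second and third in OSSEC's stock rules), so a change that produced no alert shows up as a mismatch between changes made and new alerts. Assumptions: the default install paths /var/ossec/logs/alerts/alerts.log and /var/ossec/queue/diff/local (the latter matches the listing in the thread), the alert text "Integrity checksum changed for: '<path>'" that the syscheck decoder writes, and /var/ossec/queue/syscheck/syscheck as the manager's local syscheck database with one line per file and superseded entries prefixed by '#'. The sample alert log used for the self-check is constructed and abbreviated, not real OSSEC output.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): exercise realtime syscheck
# on one file and compare changes made against alerts actually produced.
# Paths are assumptions for a default install; override via the environment.
OSSEC_ALERTS="${OSSEC_ALERTS:-/var/ossec/logs/alerts/alerts.log}"
OSSEC_DIFF_DIR="${OSSEC_DIFF_DIR:-/var/ossec/queue/diff/local}"
OSSEC_SYSCHECK_DB="${OSSEC_SYSCHECK_DB:-/var/ossec/queue/syscheck/syscheck}"  # assumed location

# Count syscheck alerts for one monitored path. alerts.log separates alerts
# with a blank line, so awk paragraph mode (RS="") yields one alert per record.
# Checksum-change alerts carry the line: Integrity checksum changed for: '<path>'
count_syscheck_alerts() {
    awk -v f="$2" 'BEGIN { RS = ""; n = 0 }
        index($0, "ossec,syscheck") && index($0, "for: \047" f "\047") { n++ }
        END { print n }' "$1"
}

# Print, in log order, the rule IDs that fired for the path ("550 551 552").
# Which IDs appear tells you whether the change counter is still climbing.
syscheck_rule_ids() {
    awk -v f="$2" 'BEGIN { RS = ""; ids = "" }
        index($0, "for: \047" f "\047") && match($0, /Rule: [0-9]+/) {
            ids = ids (ids == "" ? "" : " ") substr($0, RSTART + 6, RLENGTH - 6)
        }
        END { print ids }' "$1"
}

# Append to the monitored file N times, pausing so syscheckd and analysisd can
# process each inotify event, then report alerts, diff queue and DB entry.
exercise_realtime() {
    file="$1"; n="$2"
    before=$(count_syscheck_alerts "$OSSEC_ALERTS" "$file")
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'change %s at %s\n' "$i" "$(date +%s)" >> "$file"
        sleep 5
        i=$((i + 1))
    done
    after=$(count_syscheck_alerts "$OSSEC_ALERTS" "$file")
    echo "changes made: $n, new alerts: $((after - before))"
    echo "rules fired for $file (all time): $(syscheck_rule_ids "$OSSEC_ALERTS" "$file")"
    echo "diff queue:"
    ls -l "$OSSEC_DIFF_DIR$file" 2>/dev/null || echo "  (no diff directory for $file)"
    echo "syscheck DB lines for $file ('#' = superseded entry, assumed format):"
    grep -F " $file" "$OSSEC_SYSCHECK_DB" 2>/dev/null || echo "  (no entry)"
}

# Constructed, abbreviated alerts.log sample for a self-check (not real OSSEC
# output): three changes to /tmp/demo/test, one to another file, and an
# unrelated sshd alert that must not be counted.
make_sample_alert_log() {
    cat > "$1" <<'EOF'
** Alert 1364388217.1001: - ossec,syscheck,
2013 Mar 27 05:43:37 manager->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/tmp/demo/test'
Size changed from '0' to '5'

** Alert 1364388706.1002: - ossec,syscheck,
2013 Mar 27 05:51:46 manager->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/tmp/demo/test'
Size changed from '5' to '11'

** Alert 1364390000.1003: - syslog,sshd,authentication_failed,
2013 Mar 27 06:13:20 manager->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Mar 27 06:13:19 manager sshd[1234]: Failed password for invalid user demo from 10.0.0.5 port 40000 ssh2

** Alert 1364392256.1004: - ossec,syscheck,
2013 Mar 27 06:50:56 manager->syscheck
Rule: 552 (level 7) -> 'Integrity checksum changed again (3rd time).'
Integrity checksum changed for: '/tmp/demo/test'
Size changed from '11' to '12'

** Alert 1364392300.1005: - ossec,syscheck,
2013 Mar 27 06:51:40 manager->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1301' to '1350'
EOF
}

# Only touch a live install when explicitly asked:
#   OSSEC_EXERCISE=1 sh syscheck_probe.sh /tmp/demo/test 5
if [ "${OSSEC_EXERCISE:-0}" = 1 ]; then
    exercise_realtime "${1:-/tmp/demo/test}" "${2:-5}"
fi
```

Run it as root on the manager with OSSEC_EXERCISE=1, note the rule IDs and the DB line, restart OSSEC (/var/ossec/bin/ossec-control restart), and run it again: if the second run produces no new alerts while the diff queue still gains a diff.<timestamp> file, the realtime event reached syscheckd and the loss is on the analysis side, where auto_ignore is applied (the option is documented as valid on server and local installs only, not on agents). If the DB line for the file survives the restart with its change marker unchanged, that is direct evidence for the persistence theory; deleting the diff directory and the DB line and restarting is the way to reset the counter for a clean re-test.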
