Hi Dan,

Aliases did occur to me, and honestly are the best option for longer
commands like this. That being said, I'd like to avoid touching each machine
(or rather telling our Unix admins to do so), since these commands are not
configurable through shared/agent.conf.

This is running 2.7, the latest stable version available.

Here are the ossec.log entries for one startup sequence that failed:
2013/08/15 12:17:28 ossec-testrule: INFO: Reading local decoder file.
2013/08/15 12:17:29 ossec-testrule: INFO: Started (pid: 1499).
2013/08/15 12:17:29 ossec-csyslogd: INFO: Started (pid: 1521).
2013/08/15 12:17:29 ossec-csyslogd: INFO: File queue connected.
2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.3.97:25001'.
2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.1.16.76:5000'.
2013/08/15 12:17:29 ossec-maild: INFO: Started (pid: 1525).
2013/08/15 12:17:29 ossec-execd: INFO: Started (pid: 1529).
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading local decoder file.
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1541).
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1544).
2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: '10.1.16.6'
2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: 'any'
2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1543).
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2013/08/15 12:17:29 ossec-analysisd: INFO: Total rules enabled: '1300'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.10.70.20'
2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.1.11.54'
2013/08/15 12:17:29 ossec-analysisd: INFO: 3 IPs in the white list for active response.
2013/08/15 12:17:29 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2013/08/15 12:17:29 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
2013/08/15 12:17:30 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2013/08/15 12:17:30 ossec-remoted(1410): INFO: Reading authentication keys file.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '21:1769'.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '3:1412'.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '27:3342'.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '35:2746'.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '7:5067'.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '6:6764'.
2013/08/15 12:17:30 ossec-remoted: INFO: Assigning sender counter: 4:14
2013/08/15 12:17:30 ossec-monitord: INFO: Started (pid: 1553).
2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2013/08/15 12:17:34 ossec-syscheckd: INFO: Started (pid: 1549).
2013/08/15 12:17:34 ossec-rootcheck: INFO: Started (pid: 1549).
2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
2013/08/15 12:18:28 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2013/08/15 12:18:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/08/15 12:18:36 ossec-syscheckd: socketerr (not available).
2013/08/15 12:18:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2013/08/15 12:18:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..


Blake

On Thursday, August 15, 2013 1:04:30 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Aug 15, 2013 at 1:36 PM, Blake Johnson <[email protected]> wrote:
> > I'm finding that built-in rule 533 is too broad for my use case, as I have
> > several commands that begin with netstat -tan that I would like to alert on
> > and that are configured in agent ossec.conf files.
> >
>
> For your custom netstat commands, use an alias to label it and match
> that alias instead.
>
> Did you happen to see an error related to these issues?
> Do you happen to know what version of OSSEC you're using?
>
> > I've attempted to address this with a rule overwrite that includes the full
> > out-of-the-box netstat command that rule 533 is designed to alert on:
> >
> >   <rule id="533" level="7" overwrite="yes">
> >     <if_sid>530</if_sid>
> >     <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
> >     <check_diff />
> >     <description>Listened ports status (netstat) changed (new port opened or closed).</description>
> >   </rule>
> >
> > If I include this rule, several of my ossec processes die shortly after
> > launch because of connection refused errors to certain queue files. If I
> > comment out this rule, OSSEC runs as expected.
> >
> > Are there syntax issues in my overwrite rule I should be aware of?
> >
> > Thanks
> >
> > Blake
> >
>
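The following is an added example, not OSSEC's own code and not something either poster wrote. It emulates the two mechanisms this thread turns on: how a rule's `<match>` string selects command-output events (and why a match on the shared `netstat -tan` prefix also fires on the custom commands Blake describes, whereas a match on a per-command alias, as Dan suggests, does not), and what `<check_diff />` does, namely alert only when a command's output differs from the last output seen for the same agent and rule. Assumptions, not taken from the thread: the event text has the form `ossec: output: '<alias or command>':` followed by the output; the custom command, its alias, the agent name, the sample netstat output and local rule id 100100 are all invented for the example; and the first observation only seeds the baseline without alerting.

```python
import re
from typing import Dict, List, Optional, Tuple

# Stock netstat command from rule 533 (as quoted in the thread).
STOCK_CMD = "netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"
# Hypothetical custom command and its <alias>; not from the original post.
CUSTOM_CMD = "netstat -tan | grep ESTABLISHED | wc -l"
CUSTOM_ALIAS = "netstat-established-count"

# Constructed netstat output: two listeners, then the same plus a new port.
LISTEN_A = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
LISTEN_B = LISTEN_A + "\ntcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN"


def event(label: str, body: str) -> str:
    """Build a command-output event in the assumed logcollector format."""
    return f"ossec: output: '{label}':\n{body}"


# Constructed sample stream of (agent, event text) pairs.
EVENTS: List[Tuple[str, str]] = [
    ("web01", event(STOCK_CMD, LISTEN_A)),   # stock command, baseline
    ("web01", event(CUSTOM_CMD, "17")),      # custom command, no alias
    ("web01", event(CUSTOM_ALIAS, "17")),    # same command, labelled by alias
    ("web01", event(STOCK_CMD, LISTEN_A)),   # unchanged listeners
    ("web01", event(CUSTOM_ALIAS, "23")),    # custom output changed
    ("web01", event(STOCK_CMD, LISTEN_B)),   # new listening port
]

# Three candidate <match> strings: the over-broad prefix the thread complains
# about, the full stock command as in Blake's override, and the alias.
BROAD = "ossec: output: 'netstat -tan"
EXACT = f"ossec: output: '{STOCK_CMD}':"
ALIAS = f"ossec: output: '{CUSTOM_ALIAS}':"

HEADER = re.compile(r"^ossec: output: '(?P<label>[^']*)':\n?(?P<body>.*)\Z", re.S)


def parse_event(text: str) -> Optional[Tuple[str, str]]:
    """Split an event into (label, output body); None if not a command event."""
    m = HEADER.match(text)
    return (m.group("label"), m.group("body")) if m else None


def rule_matches(text: str, needle: str) -> bool:
    """An OSSEC <match> without a leading ^ is a plain substring test."""
    return needle in text


def which_events_match(needle: str) -> List[int]:
    """Indexes of EVENTS that a rule with this <match> would fire on."""
    return [i for i, (_, text) in enumerate(EVENTS) if rule_matches(text, needle)]


class DiffRule:
    """Emulates <check_diff />: fire only when the output changes per (agent, rule)."""

    def __init__(self, rule_id: str, needle: str) -> None:
        self.rule_id = rule_id
        self.needle = needle
        self.last: Dict[Tuple[str, str], str] = {}

    def feed(self, agent: str, text: str) -> Optional[dict]:
        if not rule_matches(text, self.needle):
            return None
        parsed = parse_event(text)
        if parsed is None:
            return None
        _, body = parsed
        key = (agent, self.rule_id)
        prev = self.last.get(key)
        self.last[key] = body
        if prev is None or prev == body:   # first sighting seeds; no change, no alert
            return None
        return {"rule": self.rule_id, "agent": agent, "previous": prev, "current": body}


def run_rules(rules: List[DiffRule], events: List[Tuple[str, str]]) -> List[dict]:
    alerts = []
    for agent, text in events:
        for rule in rules:
            alert = rule.feed(agent, text)
            if alert is not None:
                alerts.append(alert)
    return alerts


def demo() -> Tuple[List[dict], List[dict]]:
    """Broad prefix match vs. exact stock match plus an alias-matched local rule."""
    broad = run_rules([DiffRule("533-broad", BROAD)], EVENTS)
    specific = run_rules([DiffRule("533", EXACT), DiffRule("100100", ALIAS)], EVENTS)
    return broad, specific


if __name__ == "__main__":
    broad, specific = demo()
    print("broad prefix match fires on events:", which_events_match(BROAD))
    print("alerts with broad rule (custom output counted as port change):", len(broad))
    print("alerts with exact + alias rules:", [(a["rule"], a["current"]) for a in specific])
```

With the broad prefix, the custom command's output is diffed against the listener list, so every alternation between the two commands looks like "listened ports changed". With the stock command matched in full and the custom command given its own alias and local rule, each rule diffs only its own output. In ossec.conf terms this is Dan's suggestion: add an `<alias>` to the `<localfile>` entry (log_format `full_command`) for the custom command, and write a child of rule 530 in local_rules.xml whose `<match>` is `ossec: output: 'that-alias':` with `<check_diff />`, leaving rule 533 unmodified.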
