On Thu, Aug 15, 2013 at 2:21 PM, Blake Johnson <[email protected]> wrote:
> Hi Dan,
>
> Aliases did occur to me, and honestly are the best option for longer
> commands like this. That being said, I'd like to avoid touching each machine
> (or rather telling our Unix admins to do so) since these commands are not
> configurable through shared/agent.conf.
>

There's a setting to make that do-able.

> This is running 2.7, the latest stable version available.
>
> Here are the ossec.log entries for one startup sequence that failed:
>
> 2013/08/15 12:17:28 ossec-testrule: INFO: Reading local decoder file.
> 2013/08/15 12:17:29 ossec-testrule: INFO: Started (pid: 1499).
> 2013/08/15 12:17:29 ossec-csyslogd: INFO: Started (pid: 1521).
> 2013/08/15 12:17:29 ossec-csyslogd: INFO: File queue connected.
> 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.3.97:25001'.
> 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.1.16.76:5000'.
> 2013/08/15 12:17:29 ossec-maild: INFO: Started (pid: 1525).
> 2013/08/15 12:17:29 ossec-execd: INFO: Started (pid: 1529).
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading local decoder file.
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1541).
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1544).
> 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: '10.1.16.6'
> 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: 'any'
> 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1543).
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Total rules enabled: '1300'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.10.70.20'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.1.11.54'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: 3 IPs in the white list for active response.
> 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
> 2013/08/15 12:17:29 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> 2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
> 2013/08/15 12:17:30 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2013/08/15 12:17:30 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '21:1769'.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '3:1412'.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '27:3342'.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '35:2746'.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '7:5067'.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '6:6764'.
> 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning sender counter: 4:14
> 2013/08/15 12:17:30 ossec-monitord: INFO: Started (pid: 1553).
> 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> 2013/08/15 12:17:34 ossec-syscheckd: INFO: Started (pid: 1549).
> 2013/08/15 12:17:34 ossec-rootcheck: INFO: Started (pid: 1549).
> 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
> 2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
> 2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
> 2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
> 2013/08/15 12:18:28 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/15 12:18:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> 2013/08/15 12:18:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2013/08/15 12:18:36 ossec-syscheckd: socketerr (not available).
> 2013/08/15 12:18:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2013/08/15 12:18:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>

I don't have 2.7 to test with. You could try running the latest 2.7.1 code, or try running ossec-analysisd with gdb. "set follow-fork-mode child" to make sure the right process gets watched.

> Blake
>
> On Thursday, August 15, 2013 1:04:30 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 15, 2013 at 1:36 PM, Blake Johnson <[email protected]> wrote:
>> > I'm finding that built-in rule 533 is too broad for my use case as I have
>> > several commands that begin with netstat -tan that I would like to alert on
>> > and are configured in agent ossec.conf files.
>> >
>>
>> For your custom netstat commands, use an alias to label it and match
>> that alias instead.
>>
>> Did you happen to see an error related to these issues?
>> Do you happen to know what version of OSSEC you're using?
>>
>> > I've attempted to address this with a rule overwrite that includes the full
>> > out-of-the-box netstat command that rule 533 is designed to alert on:
>> >
>> > <rule id="533" level="7" overwrite="yes">
>> >   <if_sid>530</if_sid>
>> >   <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
>> >   <check_diff />
>> >   <description>Listened ports status (netstat) changed (new port opened or closed).</description>
>> > </rule>
>> >
>> > If I include this rule, several of my ossec processes die shortly after launch
>> > because of connection refused errors to certain queue files. If I comment
>> > out this rule, OSSEC runs as expected.
>> >
>> > Are there syntax issues in my overwrite rule I should be aware of?
>> >
>> > Thanks
>> >
>> > Blake

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
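Added example, not part of the thread: a small parser for ossec.log lines in the format quoted above that summarises the queue failure cascade (socketerr, then 1210 'Connection refused', then 1211 'Giving up'). It assumes, as OSSEC's design has it, that the queue/ossec/queue socket is served by ossec-analysisd, so several daemons giving up on it at once points at analysisd rather than at the daemons logging the errors; the sample lines are constructed from the ones in the thread.

```python
import re

# Constructed excerpt, modelled on the ossec.log lines quoted in the thread
# (same format; trimmed to the lines that matter for the diagnosis).
SAMPLE_LOG = """\
2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# <date> <time> <daemon>[(<code>)]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)


def parse(text):
    """Yield (timestamp, daemon, error code or None, message) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("daemon"), m.group("code"), m.group("msg")


def diagnose(text):
    """Summarise the queue failure cascade.

    The queue/ossec/queue socket is served by ossec-analysisd (assumption stated
    in the lead-in); when two or more other daemons log 1211 'Giving up' on it,
    analysisd is the process to inspect, not the daemons reporting the error.
    """
    first_socketerr = None
    gave_up = []
    for ts, daemon, code, msg in parse(text):
        if first_socketerr is None and "socketerr" in msg:
            first_socketerr = ts
        if code == "1211" and "Giving up" in msg and daemon not in gave_up:
            gave_up.append(daemon)
    suspect = "ossec-analysisd" if len(gave_up) >= 2 else None
    return {"first_socketerr": first_socketerr, "gave_up": gave_up, "suspect": suspect}
```

Running diagnose() over a real ossec.log narrows the investigation to the daemon that owns the queue, which is the one to run under gdb as suggested in the reply.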
