> There's a setting to make that do-able.

Do tell. I don't remember seeing that anywhere in the docs. I may have missed it.

> try running ossec-analysisd with gdb. "set follow-fork-mode
> child" to make sure the right process gets watched.

Apologies, I'm not much of a developer. Is this a change I can make in the ossec-control start-up script, or where do I specify to run analysisd with gdb?

Blake

On Thursday, August 15, 2013 1:28:47 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Aug 15, 2013 at 2:21 PM, Blake Johnson <[email protected]> wrote:
> > Hi Dan,
> >
> > Aliases did occur to me, and honestly are the best option for longer
> > commands like this. That being said I'd like to avoid touching each machine
> > (or rather telling our Unix admins to do so) since these commands are not
> > configurable through shared/agent.conf.
> >
>
> There's a setting to make that do-able.
>
> > This is running the 2.7, latest stable version available.
> >
> > Here are the ossec.log entries for one startup sequence that failed:
> > 2013/08/15 12:17:28 ossec-testrule: INFO: Reading local decoder file.
> > 2013/08/15 12:17:29 ossec-testrule: INFO: Started (pid: 1499).
> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Started (pid: 1521).
> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: File queue connected.
> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.3.97:25001'.
> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.1.16.76:5000'.
> > 2013/08/15 12:17:29 ossec-maild: INFO: Started (pid: 1525).
> > 2013/08/15 12:17:29 ossec-execd: INFO: Started (pid: 1529).
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading local decoder file.
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1541).
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1544).
> > 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: '10.1.16.6'
> > 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: 'any'
> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1543).
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Total rules enabled: '1300'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.10.70.20'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.1.11.54'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: 3 IPs in the white list for active response.
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
> > 2013/08/15 12:17:30 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> > 2013/08/15 12:17:30 ossec-remoted(1410): INFO: Reading authentication keys file.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '21:1769'.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '3:1412'.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '27:3342'.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '35:2746'.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '7:5067'.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '6:6764'.
> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning sender counter: 4:14
> > 2013/08/15 12:17:30 ossec-monitord: INFO: Started (pid: 1553).
> > 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> > 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Started (pid: 1549).
> > 2013/08/15 12:17:34 ossec-rootcheck: INFO: Started (pid: 1549).
> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> > 2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
> > 2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
> > 2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
> > 2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
> > 2013/08/15 12:18:28 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/15 12:18:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> > 2013/08/15 12:18:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2013/08/15 12:18:36 ossec-syscheckd: socketerr (not available).
> > 2013/08/15 12:18:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> > 2013/08/15 12:18:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >
>
> I don't have 2.7 to test with. You could try running the latest 2.7.1
> code, or try running ossec-analysisd with gdb. "set follow-fork-mode
> child" to make sure the right process gets watched.
>
> > Blake
> >
> > On Thursday, August 15, 2013 1:04:30 PM UTC-5, dan (ddpbsd) wrote:
> > >
> > > On Thu, Aug 15, 2013 at 1:36 PM, Blake Johnson <[email protected]> wrote:
> > > > I'm finding that built-in rule 533 is too broad for my use case as I have
> > > > several commands that begin with netstat -tan that I would like to alert on
> > > > and are configured in agent ossec.conf files.
> > > >
> > >
> > > For your custom netstat commands, use an alias to label it and match
> > > that alias instead.
> > >
> > > Did you happen to see an error related to these issues?
> > > Do you happen to know what version of OSSEC you're using?
> > >
> > > > I've attempted to address this with a rule overwrite that includes the full
> > > > out-of-the-box netstat command that rule 533 is designed to alert on:
> > > >
> > > > <rule id="533" level="7" overwrite="yes">
> > > >   <if_sid>530</if_sid>
> > > >   <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
> > > >   <check_diff />
> > > >   <description>Listened ports status (netstat) changed (new port opened or closed).</description>
> > > > </rule>
> > > >
> > > > If I include this rule several of my ossec processes die shortly after launch
> > > > because of connection refused errors to certain queue files. If I comment
> > > > out this rule OSSEC runs as expected.
> > > >
> > > > Are there syntax issues in my overwrite rule I should be aware of?
> > > >
> > > > Thanks
> > > >
> > > > Blake
> > > >
> > > > --
> > > > ---
> > > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > > For more options, visit https://groups.google.com/groups/opt_out.
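The log Blake pasted has a recognisable shape: ossec-analysisd comes up, and about half a minute later every daemon that feeds it (logcollector, remoted, syscheckd) reports "socketerr", then "Connection refused" on the queue socket, then "Giving up..". That socket, /var/ossec/queue/ossec/queue, is the one ossec-analysisd listens on, so the other daemons dying is the symptom and analysisd going away is what needs investigating, which is why Dan points at running analysisd under gdb. The following Python script is an added example written for this page, not code from the thread or from the OSSEC project: it parses the ossec.log line format shown above and summarises a failed startup in those terms. It assumes the OSSEC install directory is /var/ossec (as the posted paths show) and that ossec-remoted logs the chrooted path /queue/ossec/queue for the same socket; the log excerpt in it is a constructed subset of Blake's lines.

```python
import re
from datetime import datetime

# Constructed excerpt in the ossec.log format from the thread (a subset of the
# lines Blake posted, re-typed here; not the complete log).
SAMPLE_LOG = """\
2013/08/15 12:17:29 ossec-analysisd: INFO: Total rules enabled: '1300'
2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
2013/08/15 12:18:28 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2013/08/15 12:18:36 ossec-syscheckd: socketerr (not available).
2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

OSSEC_DIR = "/var/ossec"  # install directory, assumed from the paths in the posted log

# <date> <time> <daemon>[(<msgid>)]: [<LEVEL>: ]<text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR|DEBUG): )?(?P<msg>.*)$"
)
# Picks the quoted socket path out of "Queue '...' not accessible" and
# "Unable to access queue: '...'" messages.
QUEUE_RE = re.compile(r"[Qq]ueue:? '([^']+)'")


def parse_line(line):
    """Split one ossec.log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y/%m/%d %H:%M:%S")
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def absolute_queue_path(path):
    """ossec-remoted runs chrooted and logs '/queue/ossec/queue'; map that onto the
    absolute path the non-chrooted daemons log so both count as one socket."""
    return path if path.startswith(OSSEC_DIR + "/") else OSSEC_DIR + path


def diagnose(text):
    """Summarise a failed startup: when analysisd came up, when the first daemon
    lost its queue, which daemons gave up, and which socket(s) they were using."""
    entries = parse_log(text)
    started = {}
    for e in entries:
        if e["msg"].startswith("Started (pid:"):
            started.setdefault(e["daemon"], e["ts"])  # keep the first start per daemon
    first_err = next((e for e in entries if e["msg"].startswith("socketerr")), None)
    queues = set()
    for e in entries:
        if e["level"] == "ERROR":
            m = QUEUE_RE.search(e["msg"])
            if m:
                queues.add(absolute_queue_path(m.group(1)))
    result = {
        "analysisd_started": started.get("ossec-analysisd"),
        "first_socketerr": first_err["ts"] if first_err else None,
        "seconds_after_analysisd_start": None,
        "gave_up": [e["daemon"] for e in entries if e["msg"].endswith("Giving up..")],
        "queues": sorted(queues),
    }
    if result["analysisd_started"] and result["first_socketerr"]:
        delta = result["first_socketerr"] - result["analysisd_started"]
        result["seconds_after_analysisd_start"] = int(delta.total_seconds())
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log from the thread (for example by reading /var/ossec/logs/ossec.log into `diagnose`), the interesting output is the gap between analysisd's "Started" line and the first "socketerr": a gap of seconds rather than zero says analysisd finished loading its rules, including the overwrite, and then went away, which is the window to watch under gdb with the follow-fork setting Dan mentions.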
