On Thu, Aug 15, 2013 at 3:00 PM, Blake Johnson <[email protected]> wrote:
>> There's a setting to make that do-able.
>
> Do tell. I don't remember seeing that anywhere in the docs. I may have
> missed it.
>

http://ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-logcollector.remote_commands=0

It's kinda hidden..

>> try running ossec-analysisd with gdb. "set follow-fork-mode
>> child" to make sure the right process gets watched.
>
> Apologies, I'm not much of a developer. Is this a change I can make in the
> ossec-control start up script, or where do I specify to run analysisd with
> gdb?
>

Start the processes with ossec-control, kill ossec-analysisd, run:

gdb /var/ossec/bin/ossec-analysisd

At the prompt run:

set follow-fork-mode child
run -d

This will run ossec-analysisd in debug mode. If it crashes run:

bt

And copy the entire output.

> Blake
>
> On Thursday, August 15, 2013 1:28:47 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 15, 2013 at 2:21 PM, Blake Johnson <[email protected]> wrote:
>> > Hi Dan,
>> >
>> > Aliases did occur to me, and honestly are the best option for longer
>> > commands like this. That being said, I'd like to avoid touching each
>> > machine (or rather telling our Unix admins to do so) since these
>> > commands are not configurable through shared/agent.conf.
>> >
>>
>> There's a setting to make that do-able.
>>
>> > This is running 2.7, the latest stable version available.
>> >
>> > Here are the ossec.log entries for one startup sequence that failed:
>> >
>> > 2013/08/15 12:17:28 ossec-testrule: INFO: Reading local decoder file.
>> > 2013/08/15 12:17:29 ossec-testrule: INFO: Started (pid: 1499).
>> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Started (pid: 1521).
>> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: File queue connected.
>> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.3.97:25001'.
>> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.1.16.76:5000'.
>> > 2013/08/15 12:17:29 ossec-maild: INFO: Started (pid: 1525).
>> > 2013/08/15 12:17:29 ossec-execd: INFO: Started (pid: 1529).
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading local decoder file.
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1541).
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1544).
>> > 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: '10.1.16.6'
>> > 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: 'any'
>> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1543).
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Total rules enabled: '1300'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.10.70.20'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.1.11.54'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: 3 IPs in the white list for active response.
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
>> > 2013/08/15 12:17:30 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> > 2013/08/15 12:17:30 ossec-remoted(1410): INFO: Reading authentication keys file.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '21:1769'.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '3:1412'.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '27:3342'.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '35:2746'.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '7:5067'.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '6:6764'.
>> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning sender counter: 4:14
>> > 2013/08/15 12:17:30 ossec-monitord: INFO: Started (pid: 1553).
>> > 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
>> > 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Started (pid: 1549).
>> > 2013/08/15 12:17:34 ossec-rootcheck: INFO: Started (pid: 1549).
>> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> > 2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
>> > 2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
>> > 2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
>> > 2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> > 2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
>> > 2013/08/15 12:18:28 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2013/08/15 12:18:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
>> > 2013/08/15 12:18:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> > 2013/08/15 12:18:36 ossec-syscheckd: socketerr (not available).
>> > 2013/08/15 12:18:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.
>> > 2013/08/15 12:18:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> >
>>
>> I don't have 2.7 to test with. You could try running the latest 2.7.1
>> code, or try running ossec-analysisd with gdb. "set follow-fork-mode
>> child" to make sure the right process gets watched.
>>
>> > Blake
>> >
>> > On Thursday, August 15, 2013 1:04:30 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Aug 15, 2013 at 1:36 PM, Blake Johnson <[email protected]> wrote:
>> >> > I'm finding that built-in rule 533 is too broad for my use case, as I
>> >> > have several commands that begin with netstat -tan that I would like
>> >> > to alert on and that are configured in agent ossec.conf files.
>> >> >
>> >>
>> >> For your custom netstat commands, use an alias to label it and match
>> >> that alias instead.
>> >>
>> >> Did you happen to see an error related to these issues?
>> >> Do you happen to know what version of OSSEC you're using?
>> >>
>> >> > I've attempted to address this with a rule overwrite that includes
>> >> > the full out-of-the-box netstat command that rule 533 is designed to
>> >> > alert on:
>> >> >
>> >> > <rule id="533" level="7" overwrite="yes">
>> >> >   <if_sid>530</if_sid>
>> >> >   <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
>> >> >   <check_diff />
>> >> >   <description>Listened ports status (netstat) changed (new port opened or closed).</description>
>> >> > </rule>
>> >> >
>> >> > If I include this rule, several of my ossec processes die shortly
>> >> > after launch because of connection refused errors to certain queue
>> >> > files. If I comment out this rule, OSSEC runs as expected.
>> >> >
>> >> > Are there syntax issues in my overwrite rule I should be aware of?
>> >> >
>> >> > Thanks
>> >> >
>> >> > Blake
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
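The alias approach suggested in the thread, together with the remote_commands option linked above, written out as an added configuration example. This is not configuration from the thread or from the OSSEC project. It assumes that the option is enabled by setting `logcollector.remote_commands=1` in /var/ossec/etc/internal_options.conf on each agent that should accept commands from the shared file (the link above gives the option name; 0 is the default), that OSSEC 2.7 honours `<alias>` and `full_command` inside a shared agent.conf, and it uses a hypothetical alias name (`listening-ports`) and a hypothetical rule id (100533). The rule is a new one rather than an overwrite of 533, so the stock rule keeps working for agents that still run the un-aliased command.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager; pushed to every agent.
     Command entries in this file are ignored by an agent unless that agent
     has logcollector.remote_commands=1 in its internal_options.conf. -->
<agent_config os="Linux">
  <localfile>
    <!-- full_command: the whole output is one event, which is what
         check_diff compares between runs. -->
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <!-- Hypothetical alias: the agent reports the output as
         "ossec: output: 'listening-ports': ..." instead of echoing the
         full command string, so a rule can match on the label alone. -->
    <alias>listening-ports</alias>
    <frequency>360</frequency>
  </localfile>
</agent_config>

<!-- /var/ossec/etc/rules/local_rules.xml on the manager. Hypothetical id;
     530 is the stock "ossec: output" parent rule, as in the thread. -->
<group name="ossec,">
  <rule id="100533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'listening-ports'</match>
    <check_diff />
    <description>Listening ports (aliased netstat) changed.</description>
  </rule>
</group>
```

One caveat before flipping the switch: with remote_commands enabled, anything written into shared/agent.conf on the manager is executed by ossec-logcollector, which runs as root, on every agent that pulls the file. That is why it is off by default. Treat write access to the manager's shared directory as equivalent to root on the whole agent fleet, and keep it under the same change control as the rules themselves.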
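The gdb procedure from the reply above, wrapped so it runs non-interactively and leaves the backtrace in a file. This is an added example, not a script from the thread or from the OSSEC project. It assumes OSSEC is installed under /var/ossec, that gdb and pkill are available, that it is run as root on the manager, and that /var/ossec/bin/ossec-logtest (which loads the same rule set as ossec-analysisd) exists, as it does in 2.7. The gdb commands are the ones Dan gives; `set pagination off` and `quit` are added only so batch mode does not stall.

```shell
#!/bin/sh
# Non-interactive version of: gdb ossec-analysisd; set follow-fork-mode child;
# run -d; bt.  Added example, not from the thread or from the OSSEC project.
# Assumptions: OSSEC in /var/ossec, gdb and pkill in PATH, run as root.
# Usage: sh analysisd-bt.sh run   (with no argument it only defines functions)

OSSEC_DIR=${OSSEC_DIR:-/var/ossec}
OUT=${OUT:-/tmp/ossec-analysisd-gdb.log}

# gdb command script. follow-fork-mode child is the step the thread insists
# on: the daemon forks at startup and the crash is in the child, so without
# it gdb would watch the parent exit cleanly and report nothing.
gdb_commands() {
    printf '%s\n' \
        'set follow-fork-mode child' \
        'set pagination off' \
        'run -d' \
        'bt' \
        'quit'
}

# Returns 0 when the given gdb output contains at least one stack frame
# ("#0  0x... in func ()"). Kept separate so it can be checked offline.
has_backtrace() {
    printf '%s\n' "$1" | grep -q '^#[0-9]'
}

# Cheap check before attaching a debugger: ossec-logtest loads the same
# rules as analysisd and reports rule parsing problems as ERROR lines.
check_rules_load() {
    echo '' | "$OSSEC_DIR/bin/ossec-logtest" >"$OUT.rules" 2>&1
    status=$?
    if [ "$status" -ne 0 ] || grep -q 'ERROR' "$OUT.rules"; then
        echo "rule loading reported problems, see $OUT.rules"
        return 1
    fi
    return 0
}

# Stop only analysisd (the other daemons keep running, as the thread
# describes), then start it again under gdb in batch mode, logging to $OUT.
run_under_gdb() {
    cmds=$(mktemp) || return 1
    gdb_commands > "$cmds"
    pkill -x ossec-analysisd 2>/dev/null
    sleep 1
    gdb -q -batch -x "$cmds" "$OSSEC_DIR/bin/ossec-analysisd" > "$OUT" 2>&1
    rm -f "$cmds"
    if has_backtrace "$(cat "$OUT")"; then
        echo "crash captured; backtrace in $OUT (paste the whole file to the list)"
        return 0
    fi
    echo "no backtrace recorded; analysisd exited without a signal, see $OUT"
    return 1
}

case "${1:-}" in
    run)
        "$OSSEC_DIR/bin/ossec-control" start
        check_rules_load
        run_under_gdb
        ;;
esac
```

If `check_rules_load` already complains, fix the rule file first; a debugger session is only worth the trouble when the rules load cleanly and the daemon still dies.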
