So, on restarting OSSEC with the above referenced overwrite rule monitord, logcollector, and analysisd all crash. I opened terminal windows and restarted all three of them with the gdb command you provided. All three stayed running in debug mode and did not crash again. That being said, only local alerts were being generated. Events sent over the secure channel and syslog were not being processed.
Unfortunately, this means I don't have much more detail to give you though. I'm arranging for a proper backup of my OSSEC directory, then I'll try an upgrade to 2.7.1.

Blake

On Thursday, August 15, 2013 2:31:50 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Aug 15, 2013 at 3:00 PM, Blake Johnson <[email protected]> wrote:
> >> There's a setting to make that do-able.
> >
> > Do tell. I don't remember seeing that anywhere in the docs. I may have missed it.
> >
>
> http://ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-logcollector.remote_commands=0
>
> It's kinda hidden..
>
> >> try running ossec-analysisd with gdb. "set follow-fork-mode child" to make sure the right process gets watched.
> >
> > Apologies, I'm not much of a developer. Is this a change I can make in the ossec-control start up script, or where do I specify to run analysisd with gdb?
> >
>
> Start the processes with ossec-control, kill ossec-analysisd, run:
>
> gdb /var/ossec/bin/ossec-analysisd
>
> At the prompt run:
> set follow-fork-mode child
> run -d
>
> This will run ossec-analysisd in debug mode. If it crashes run:
> bt
>
> And copy the entire output.
>
> > Blake
> >
> > On Thursday, August 15, 2013 1:28:47 PM UTC-5, dan (ddpbsd) wrote:
> >>
> >> On Thu, Aug 15, 2013 at 2:21 PM, Blake Johnson <[email protected]> wrote:
> >> > Hi Dan,
> >> >
> >> > Aliases did occur to me, and honestly are the best option for longer commands like this. That being said I'd like to avoid touching each machine (or rather telling our Unix admins to do so) since these commands are not configurable through shared/agent.conf.
> >> >
> >>
> >> There's a setting to make that do-able.
> >>
> >> > This is running the 2.7, latest stable version available.
> >> >
> >> > Here are the ossec.log entries for one startup sequence that failed:
> >> > 2013/08/15 12:17:28 ossec-testrule: INFO: Reading local decoder file.
> >> > 2013/08/15 12:17:29 ossec-testrule: INFO: Started (pid: 1499).
> >> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Started (pid: 1521).
> >> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: File queue connected.
> >> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '192.168.3.97:25001'.
> >> > 2013/08/15 12:17:29 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.1.16.76:5000'.
> >> > 2013/08/15 12:17:29 ossec-maild: INFO: Started (pid: 1525).
> >> > 2013/08/15 12:17:29 ossec-execd: INFO: Started (pid: 1529).
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading local decoder file.
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1541).
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1544).
> >> > 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: '10.1.16.6'
> >> > 2013/08/15 12:17:29 ossec-remoted: Remote syslog allowed from: 'any'
> >> > 2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1543).
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Total rules enabled: '1300'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.10.70.20'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing IP: '10.1.11.54'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: 3 IPs in the white list for active response.
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> >> > 2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
> >> > 2013/08/15 12:17:30 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> >> > 2013/08/15 12:17:30 ossec-remoted(1410): INFO: Reading authentication keys file.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '21:1769'.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '3:1412'.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '27:3342'.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '35:2746'.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '7:5067'.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning counter for agent ****: '6:6764'.
> >> > 2013/08/15 12:17:30 ossec-remoted: INFO: Assigning sender counter: 4:14
> >> > 2013/08/15 12:17:30 ossec-monitord: INFO: Started (pid: 1553).
> >> > 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> >> > 2013/08/15 12:17:32 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> >> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Started (pid: 1549).
> >> > 2013/08/15 12:17:34 ossec-rootcheck: INFO: Started (pid: 1549).
> >> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> >> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> >> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> >> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> >> > 2013/08/15 12:17:34 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> >> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> >> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> >> > 2013/08/15 12:17:35 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> >> > 2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
> >> > 2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
> >> > 2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
> >> > 2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> > 2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
> >> > 2013/08/15 12:18:28 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2013/08/15 12:18:31 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> >> > 2013/08/15 12:18:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> > 2013/08/15 12:18:36 ossec-syscheckd: socketerr (not available).
> >> > 2013/08/15 12:18:36 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> >> > 2013/08/15 12:18:39 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2013/08/15 12:18:39 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> >
> >> >
> >>
> >> I don't have 2.7 to test with. You could try running the latest 2.7.1 code, or try running ossec-analysisd with gdb. "set follow-fork-mode child" to make sure the right process gets watched.
> >>
> >> > Blake
> >> >
> >> > On Thursday, August 15, 2013 1:04:30 PM UTC-5, dan (ddpbsd) wrote:
> >> >>
> >> >> On Thu, Aug 15, 2013 at 1:36 PM, Blake Johnson <[email protected]> wrote:
> >> >> > I'm finding that built in rule 533 is too broad for my use case as I have several commands that begin with netstat -tan that I would like to alert on and are configured in agent ossec.conf files.
> >> >> >
> >> >>
> >> >> For your custom netstat commands, use an alias to label it and match that alias instead.
> >> >>
> >> >> Did you happen to see an error related to these issues?
> >> >> Do you happen to know what version of OSSEC you're using?
> >> >>
> >> >> > I've attempted to address this with a rule overwrite that includes the full out of the box netstat command that rule 533 is designed to alert on:
> >> >> >
> >> >> > <rule id="533" level="7" overwrite="yes">
> >> >> >   <if_sid>530</if_sid>
> >> >> >   <match>ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'</match>
> >> >> >   <check_diff />
> >> >> >   <description>Listened ports status (netstat) changed (new port opened or closed).</description>
> >> >> > </rule>
> >> >> >
> >> >> > If I include this rule my several ossec processes die shortly after launch because of connection refused errors to certain queue files. If I comment out this rule OSSEC runs as expected.
> >> >> >
> >> >> > Are there syntax issues in my overwrite rule I should be aware of?
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >> > Blake

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
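The ossec.log excerpt in the thread shows each client daemon (logcollector, remoted, syscheckd) giving up on the analysisd queue roughly half a minute after its own start, while the failing daemon itself logs nothing. The script below is an added example, not code from the thread or from the OSSEC project: it parses ossec.log lines in that format, reports which daemons gave up on which queue and how long after they started, and groups the failures by socket so that several clients losing the same socket point at the daemon serving it rather than at the clients. It assumes the default /var/ossec install prefix (chrooted daemons log the queue path relative to it), and its sample log lines are constructed to mirror the ones quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ossec.log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
2013/08/15 12:17:29 ossec-remoted: INFO: Started (pid: 1543).
2013/08/15 12:17:29 ossec-analysisd: INFO: Started (pid: 1533).
2013/08/15 12:17:30 ossec-monitord: INFO: Started (pid: 1553).
2013/08/15 12:17:35 ossec-logcollector: INFO: Started (pid: 1537).
2013/08/15 12:18:01 ossec-logcollector: socketerr (not available).
2013/08/15 12:18:01 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/08/15 12:18:04 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/15 12:18:04 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/15 12:18:28 ossec-remoted: socketerr (not available).
2013/08/15 12:18:31 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
"""

INSTALL_DIR = "/var/ossec"  # assumed default prefix; chrooted daemons log paths relative to it

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
GIVE_UP_RE = re.compile(r"Unable to access queue: '(?P<queue>[^']+)'\. Giving up")


def parse_line(line):
    """Split one ossec.log line into timestamp, daemon, optional numeric code and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def normalize_queue(path):
    """Map the chrooted form '/queue/ossec/queue' and the absolute form onto one key."""
    return path[len(INSTALL_DIR):] if path.startswith(INSTALL_DIR + "/") else path


def queue_failures(text):
    """Return {daemon: (queue, seconds_after_own_start)} for every 1211 'Giving up' line."""
    started, failures = {}, {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msg"].startswith("INFO: Started"):
            started[rec["daemon"]] = rec["ts"]
        elif rec["code"] == "1211":
            m = GIVE_UP_RE.search(rec["msg"])
            queue = normalize_queue(m.group("queue")) if m else None
            since = started.get(rec["daemon"])
            secs = int((rec["ts"] - since).total_seconds()) if since else None
            failures[rec["daemon"]] = (queue, secs)
    return failures


def daemons_per_queue(failures):
    """Group failing daemons by the socket they lost: many clients on one socket
    implicates the daemon that serves that socket, not the clients."""
    grouped = defaultdict(list)
    for daemon, (queue, _secs) in failures.items():
        grouped[queue].append(daemon)
    return {q: sorted(d) for q, d in grouped.items()}


if __name__ == "__main__":
    fails = queue_failures(SAMPLE_LOG)
    for daemon, (queue, secs) in sorted(fails.items()):
        print(f"{daemon}: gave up on {queue} {secs}s after its own start")
    for queue, daemons in daemons_per_queue(fails).items():
        print(f"{len(daemons)} daemon(s) lost {queue}: {', '.join(daemons)}")
```

Run it against a real /var/ossec/logs/ossec.log to confirm whether the same socket is the common factor before attaching gdb to the daemon that owns it.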
