On Tue, Sep 10, 2013 at 1:08 PM, frwa onto <[email protected]> wrote:
> Dear Dan,
> The problem now is I had to rebuild ossec and install it.
> But normally installation will ask is it local, server or agent. So in my case
> all this was not asked. I guess my installation is local.
>
> I installed using this command: yum install
> ossec-hids-server-2.7-31.art.x86_64.rpm ossec-hids-2.7-31.art.x86_64.rpm. I
> know where to set up the email, that is /var/ossec/etc/ossec-server.conf.
> Anything else I must configure? I know I read some article saying that
> Active-Response can be risky if not set well.
>

I don't know anything about the RPMs.

> I notice my .conf file has this. Should I remove it?
>
> <!-- Active Response Config -->
> <active-response>
>   <!-- This response is going to execute the host-deny
>     - command for every event that fires a rule with
>     - level (severity) >= 6.
>     - The IP is going to be blocked for 600 seconds.
>   -->
>   <command>host-deny</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>     - 600 seconds on the firewall (iptables,
>     - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> So in my case will ossec go and get a checksum for all my files?

AR does not get checksums, syscheck does that.

> Thank you.
>
>
>
> On Wed, Sep 11, 2013 at 12:53 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 10, 2013 at 12:41 PM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> >
>> > 1. Ok about the rules I won't take it as a concern for now.
>> >
>> > 2. Ok now I am clear about both the logs.
>> >
>> > 3. Since you said that active response should react based on the logs,
>> > right, why do you not want me to use it?
>> >
>>
>> I never said you shouldn't use it, I just said it wasn't necessary.
>>
>> > 4. In brief, can I say that ossec will be reading the log files and
>> > accordingly it will react based on the logs. Can it react on files that
>> > are being modified etc?
>> >
>>
>> Agents get a checksum for files, and pass this checksum to the server
>> in a log message. That log message is then analyzed, the checksum
>> compared to the checksum in the db, and if necessary an alert is
>> created. Yes, AR can be triggered by files being modified.
>>
>> > Thank you.
>> >
>> >
>> > On Wed, Sep 11, 2013 at 12:07 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Tue, Sep 10, 2013 at 11:59 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> >
>> >> > 1. Is there any link on how to download and update the latest rules?
>> >> > Because how to update the installation (uninstall and reinstall?) unless
>> >> > it was installed via yum, right? But in my case my .rpm is rebuilt?
>> >> >
>> >>
>> >> I don't know anything about the RPMs. Just replace the rules files
>> >> with newer copies. The rules don't get updated very often right now,
>> >> so it isn't a big concern.
>> >>
>> >> > 2. Ok I can see all the logs in the /var/ossec/logs/alerts have a rule
>> >> > number. How about the one in /var/ossec/ossec.log, what does this
>> >> > represent? Cause all the errors I posted earlier were from this ossec.log.
>> >> >
>> >>
>> >> Those are OSSEC logs. They are the logs from the OSSEC processes.
>> >>
>> >> > 3. I am trying to read from here on active-response
>> >> >
>> >> > http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html
>> >> > actually what is it? So you said I don't need to use it; any specific
>> >> > reason or drawback of it?
>> >> >
>> >>
>> >> I find it difficult to believe you've done any research into OSSEC if
>> >> you don't know what active response is.
>> >>
>> >> It's the capability for OSSEC to automatically do things based on logs
>> >> received.
>> >>
>> >> > Thank you.
>> >> >
>> >> >
>> >> > On Tue, Sep 10, 2013 at 11:17 PM, dan (ddp) <[email protected]> wrote:
>> >> >>
>> >> >> On Tue, Sep 10, 2013 at 10:14 AM, frwa onto <[email protected]> wrote:
>> >> >> > Dear Dan,
>> >> >> > Sorry I will limit my question.
>> >> >> > 1. How to manually update the rules?
>> >> >>
>> >> >> Either add your own to local_rules.xml, download the latest rules from
>> >> >> the repository, or update your OSSEC installation.
>> >> >>
>> >> >> > 2. Here I don't see any rules. It does not state what rule
>> >> >> >
>> >> >>
>> >> >> Any entry in alerts.log is there because the log message triggered a
>> >> >> rule. The rule id is mentioned in each entry. For example:
>> >> >> ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> >> 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> >> Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> Src IP: 60.50.38.78
>> >> >> User: root
>> >> >> Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from
>> >> >> **.**.**.78 port 3516 ssh2
>> >> >>
>> >> >> The above alert was for rule 5715. If you look in
>> >> >> /var/ossec/rules/sshd_rules.xml you should see rule 5715.
>> >> >>
>> >> >> >> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> >> >> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
>> >> >> >> not accessible: 'Connection refused'.
>> >> >> >> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to
>> >> >> >> active response queue.
>> >> >> >
>> >> >> > Isn't active response a key part of ossec? How to enable it and what does it do?
>> >> >> >
>> >> >>
>> >> >> You don't have to use it.
>> >> >>
>> >> >> > Thank you very much.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Tuesday, September 10, 2013 9:12:09 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Sat, Sep 7, 2013 at 1:03 PM, frwa onto <[email protected]> wrote:
>> >> >> >> > Dear Dan,
>> >> >> >> > Yes I went into the ossec.log and saw like below. I got a few
>> >> >> >> > things to ask here: first I saw it say 1229 total rules enabled.
>> >> >> >> > Will the rules increase by themselves or need manual intervention? Why
>> >> >> >> > are some showing
>> >> >> >>
>> >> >> >> You will have to update the rules manually (for now).
>> >> >> >> >
>> >> >> >> > as errors? Another error is this one: Queue '/queue/alerts/ar' not
>> >> >> >>
>> >> >> >> What rules are showing up as errors?
>> >> >> >>
>> >> >> >> > accessible: 'Connection refused'.?
>> >> >> >>
>> >> >> >> Are you using active response? If not, ignore.
>> >> >> >>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > 2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986).
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/access_log'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/error_log'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> >> >> > 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> >> > 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >> > 2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982).
>> >> >> >> > 2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982).
>> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> >> >> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> >> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
>> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
>> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
>> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
>> >> >> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010).
>> >> >> >> > 2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064).
>> >> >> >> > 2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> >> >> > 2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> >> >> >> > 2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> > 2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> > 2013/08/31 16:47:07 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> >> >> > 2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> >> > 2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> > 2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> > 2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> > 2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> > 2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> > 2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> > 2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> > 2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> >> >> >> > 2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246).
>> >> >> >> > 2013/09/01 21:32:08 DEBUG: I am creating the SQLite table.
>> >> >> >> > 2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269).
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file.
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> >> >> >> >
>> >> >> >> > 2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> >> > 2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >> >
>> >> >> >> > 2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> > 2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245).
>> >> >> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248).
>> >> >> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250).
>> >> >> >> > 2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> >> > 2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> > 2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> > 2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> > 2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> >> > 2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> > 2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> > 2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >
>> >> >> >> > The rootcheck runs by itself, is it automatic?
>> >> >> >> >
>> >> >> >>
>> >> >> >> Looks like it.
>> >> >> >>
>> >> >> >> >
>> >> >> >> > Next I went into alerts.log. So will all this be alerted via email
>> >> >> >> > or only some alerts?
>> >> >> >> >
>> >> >> >>
>> >> >> >> Some alerts will trigger emails, some will not. You can customize a lot
>> >> >> >> of that.
>> >> >> >>
>> >> >> >> > Saw this.
>> >> >> >> >
>> >> >> >> > ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> >> >> > 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> >> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> >> > Src IP: 60.50.38.78
>> >> >> >> > User: root
>> >> >> >> > Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from
>> >> >> >> > **.**.**.78 port 3516 ssh2
>> >> >> >> >
>> >> >> >> > ** Alert 1378572679.290: - pam,syslog,authentication_success,
>> >> >> >> > 2013 Sep 08 00:51:19 capture->/var/log/secure
>> >> >> >> > Rule: 5501 (level 3) -> 'Login session opened.'
>> >> >> >> > Sep 8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session
>> >> >> >> > opened for user root by (uid=0)
>> >> >> >> >
>> >> >> >> > ** Alert 1378572745.548: - syslog,sshd,authentication_success,
>> >> >> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure
>> >> >> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> >> > Src IP: 60.50.38.78
>> >> >> >> > User: root
>> >> >> >> > Sep 8 00:52:24 capture sshd[11985]: Accepted password for root from
>> >> >> >> > **.**.**.78 port 3512 ssh2
>> >> >> >> >
>> >> >> >> > ** Alert 1378572745.840: - pam,syslog,authentication_success,
>> >> >> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure
>> >> >> >> > Rule: 5501 (level 3) -> 'Login session opened.'
>> >> >> >> > Sep 8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session
>> >> >> >> > opened for user root by (uid=0)
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > Another thing, this process zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest
>> >> >> >> > basically what are we going to look out for from here?
>> >> >> >> >
>> >> >> >>
>> >> >> >> That will provide some alerts. In fact, the "-a" flag to ossec-logtest
>> >> >> >> should provide alerts very similar to what is in alerts.log.
>> >> >> >>
>> >> >> >> Other than that, this question is too broad for me to answer.
>> >> >> >>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > On Friday, September 6, 2013 11:14:40 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <[email protected]> wrote:
>> >> >> >> >> > Dear Dan,
>> >> >> >> >> > I know the option you gave is just for a single file. I want to
>> >> >> >> >> > do the whole of /var/log; how to go about that, which I think is
>> >> >> >> >> > what ossec-logtest does, right?
>> >> >> >> >> > I know neither of these works now..
>> >> >> >> >> > cat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
>> >> >> >> >> > cat: /var/log: Is a directory
>> >> >> >> >> > [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
>> >> >> >> >> > gzip: /var/log is a directory -- ignored
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> You're running this on a linux or unix-like system, use the tools
>> >> >> >> >> available.
>> >> >> >> >> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> > How to confirm that syscheck is running? Normally where and what
>> >> >> >> >> > are the logfiles of ossec for us to view or look at? Thank you.
>> >> >> >> >> > Sorry, very new to this tool.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> /var/ossec/logs/ossec.log contains information like when syscheck
>> >> >> >> >> runs.
>> >> >> >> >> /var/ossec/logs/alerts/alerts.log has alert information.
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >> >> >>
>> >> >> >> >> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <[email protected]> wrote:
>> >> >> >> >> >> > Dear Dan,
>> >> >> >> >> >> > For ossec-logtest I just ran like this: ./ossec-logtest? How
>> >> >> >> >> >>
>> >> >> >> >> >> The easiest way is to pipe the log file through logtest:
>> >> >> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest
>> >> >> >> >> >>
>> >> >> >> >> >> Use zcat if the logfile is compressed. If you want to redirect the
>> >> >> >> >> >> output to a file, use this:
>> >> >> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file 2>&1
>> >> >> >> >> >>
>> >> >> >> >> >>
>> >> >> >> >> >> > about the syscheck, how to run it? What will both of these
>> >> >> >> >> >> > scripts eventually
>> >> >> >> >> >>
>> >> >> >> >> >> By default, syscheck will run when OSSEC starts.
>> >> >> >> >> >>
>> >> >> >> >> >> > be doing? Do I need to run the rootcheck?
>> >> >> >> >> >> >
>> >> >> >> >> >>
>> >> >> >> >> >> Same as syscheck I believe.
>> >> >> >> >> >>
>> >> >> >> >> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto <[email protected]> wrote:
>> >> >> >> >> >> >> > Hi All,
>> >> >> >> >> >> >> > I just rebuilt and installed ossec on my centos 6.4 machine. So
>> >> >> >> >> >> >> > what is the next step to be done, as this is an existing machine
>> >> >> >> >> >> >> > and I want to check for any previous intrusion? I also want to
>> >> >> >> >> >> >> > get alerts on updates to my local files or any new files
>> >> >> >> >> >> >> > created. I am sorry, very new to it.
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> You can use ossec-logtest to check old log files, and syscheck
>> >> >> >> >> >> >> has a default configuration that can cover most needs. If you
>> >> >> >> >> >> >> have custom locations that must be monitored, you should add them
>> >> >> >> >> >> >> to the ossec.conf in the syscheck section.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> > --
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> > ---
>> >> >> >> >> >> >> > You received this message because you are subscribed to the
>> >> >> >> >> >> >> > Google Groups "ossec-list" group.
>> >> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails from
>> >> >> >> >> >> >> > it, send an email to [email protected].
>> >> >> >> >> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
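The quoted advice above amounts to a small procedure: feed each retained log file through ossec-logtest and keep the output for review. The script below is an added example, not code from this thread or from the OSSEC project. It assumes the default install path /var/ossec/bin/ossec-logtest (the one used in the thread); the OSSEC_LOGTEST and LOGTEST_OUTDIR variables and the /tmp/ossec-logtest-replay directory are names chosen here, not anything OSSEC defines. It extends the one-file `cat ... | ossec-logtest` command to a set of rotated and compressed files, which is what "old log files" on a CentOS box usually are.

```shell
#!/bin/sh
# Replay old (possibly rotated/compressed) log files through ossec-logtest.
# Added example for the ossec-list thread; not part of OSSEC. Assumptions:
#   - ossec-logtest lives at /var/ossec/bin/ossec-logtest (override with
#     OSSEC_LOGTEST=/path/to/ossec-logtest)
#   - LOGTEST_OUTDIR and /tmp/ossec-logtest-replay are names chosen here.
LOGTEST="${OSSEC_LOGTEST:-/var/ossec/bin/ossec-logtest}"
OUTDIR="${LOGTEST_OUTDIR:-/tmp/ossec-logtest-replay}"

# Choose a reader by file suffix so rotated logs such as secure-20130901.gz
# or messages.1.bz2 can be streamed into logtest without unpacking first.
decompressor_for() {
    case "$1" in
        *.gz)  echo zcat ;;
        *.bz2) echo bzcat ;;
        *.xz)  echo xzcat ;;
        *)     echo cat ;;
    esac
}

# In its default mode ossec-logtest prints "**Alert to be generated." for
# every event that matched a rule; counting those lines gives a quick
# per-file summary of what the current rule set would have alerted on.
count_alerts() {
    grep -c 'Alert to be generated' "$1" 2>/dev/null || true
}

# Stream one log file through ossec-logtest, keeping stdout and stderr
# together in one output file (same redirection as in the thread).
replay_file() {
    logfile="$1"
    outfile="$OUTDIR/$(basename "$logfile").logtest"
    reader=$(decompressor_for "$logfile")
    "$reader" "$logfile" | "$LOGTEST" > "$outfile" 2>&1
    printf '%s\t%s alert(s)\t%s\n' "$logfile" "$(count_alerts "$outfile")" "$outfile"
}

# Usage: sh replay-logs.sh /var/log/secure* /var/log/messages*
# With no arguments nothing is replayed, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    mkdir -p "$OUTDIR"
    for logfile in "$@"; do
        replay_file "$logfile"
    done
fi
```

Two caveats worth keeping in mind when using this to look for a past intrusion. ossec-logtest only reports what the rules would have matched: nothing is written to alerts.log and no active response fires, so the output files are a review aid. And of the two tools named in the thread, this replay is the only one that looks backwards: syscheck's first run records the checksums of the files as they are now, so anything modified before OSSEC was installed becomes part of the baseline and will not be reported as a change.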
