We'll probably have to wait for the deployment of the event channel module for a part of the detection.

I updated the web UI to 0.8 and instead of writing a part of the log in the srcip, the field is simply empty. I need to have the source IP to integrate with our system. If it's not in the UI, does it mean that I can't get it?

Thank you!

On Monday, March 24, 2014 09:58:58 UTC-4, dan (ddpbsd) wrote:
> On Mon, Mar 24, 2014 at 9:40 AM, Julien Semaan <[email protected]> wrote:
> > For point 1:
> > Agent is configured using network 172.20.20.0/24 in order to support DHCP.
> >
> > When looking in the ossec web UI I get these alerts:
> > 2014 Mar 24 09:23:03 Rule Id: 18149 level: 3
> > Location: (hello) 172.20.20.0->WinEvtLog
> > Src IP: ministrator
>
> Sounds like you're using 0.3. Don't do that. 0.8 has this (and other stuff fixed).
>
> > Windows User Logoff.
> >
> > The source IP is simply a part of the log and not the IP. Since I'm using a network for the agent configuration I can't see where we could grab the source IP to call an external script.
> >
> > I also included a printscreen of the ossec UI.
> >
> > For point 2:
> > I activated the logall option and the changed time event with id 4616 is not sent to the ossec manager.
> >
> > I am guessing the event I'm looking for is part of the newer Windows logs (Windows Vista +).
> >
>
> Eventchannel (maybe?) is "supported" in the new code. Not entirely sure it's 100% yet though (I try not to worry about Windows).
>
> > Thank you!
> >
> > On Monday, March 24, 2014 08:48:57 UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mar 24, 2014 8:45 AM, "Julien Semaan" <[email protected]> wrote:
> >> >
> >> > Hi,
> >> >
> >> > I am currently working on the PacketFence project which does network access control.
> >> >
> >> > We are looking into integrating OSSEC with PacketFence in order to isolate clients based on specific events that happen on the clients.
> >> >
> >> > After installing and testing there are a few issues that I would need help with.
> >> >
> >> > Setup I have:
> >> > - OSSEC server is built from the master on your git repo and uses OSSEC WebUI
> >> > - Linux agent is also built from the master on your git repo
> >> > - Windows agent is version 2.7.1 which is available on your website
> >> > - Agent is configured using a network and not using the direct IP address.
> >> >
> >> > 1 - Source IP
> >> > In order to isolate the client we will always need the source IP that triggered the violation. Looking into the alerts in the GUI, the source IP is always a part of the log but never the real source IP. Is it a bug with the GUI or will the source IP never be populated except when directly available in the log line?
> >> >
> >>
> >> Can you provide an example? This doesn't make any sense.
> >>
> >> > 2 - Windows event log
> >> > OS Version: Windows 7 64-bit
> >> > I am getting alerts from our Windows test station. In order to be able to repeatedly test the integration I tried to add a new rule for the event id 4616, which is the time changed event in the category Security in the event logs. I wrote a rule directly in the rules/msauth_rules.xml to intercept that event.
> >> >
> >> > Here is the rule (it's in the windows group):
> >> > <rule id="100101" level="8">
> >> >   <if_sid>18101</if_sid>
> >> >   <id>^4616$</id>
> >> >   <description>IF YOU SEE THIS THEN CELEBRATE </description>
> >> >   <group>system_error,</group>
> >> > </rule>
> >> >
> >> > I cannot get the alert to be intercepted. I tested the rule using ossec-logtest using this line:
> >> > WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.
> >> >
> >> > This line triggers the alert successfully, but when changing the time on the client the alert doesn't show up on the OSSEC server but does in the Windows event log. Is there another configuration that I need to add on the agent? Also, is it possible to see all the log lines that come to the OSSEC server, because that would make debugging easier.
> >>
> >> Did you restart the ossec processes on the manager after adding the rule?
> >> You can turn on the log all option on the manager to see all logs being passed to ossec.
> >>
> >> >
> >> > Thank you!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
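As an added illustration of the two points discussed in this thread (not code from the thread or from OSSEC itself), the following Python splits an agent-formatted WinEvtLog line into its header fields the way the ossec-logtest line above is laid out, applies a stand-in for rule 100101 (the `^4616$` regex on the decoded event id), and shows why srcip stays empty: the Windows event header carries no network address. The field names, the RULES structure and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Optional

# Line layout used by the OSSEC Windows agent, as seen in the thread's logtest line:
#   WinEvtLog: <log>: <type>(<event id>): <source>: <user>: <domain>: <computer>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<computer>[^:]+): (?P<message>.*)$"
)

# Stand-in for rule 100101 from the thread (assumption: the <id> regex is
# applied to the decoded event id field, which is what ^4616$ relies on).
RULES = [
    {"id": 100101, "level": 8, "event_id": re.compile(r"^4616$"),
     "description": "IF YOU SEE THIS THEN CELEBRATE"},
]

def decode_winevt(line: str) -> Optional[dict]:
    """Split a WinEvtLog line into its header fields; None if not a Windows event."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # The header carries no network address, so there is nothing to fill
    # srcip from: an integration that needs the client IP must take it from
    # the agent's address on the manager side, not from the event itself.
    fields["srcip"] = None
    return fields

def evaluate(line: str) -> Optional[dict]:
    """Return the alert the first matching rule would raise, or None."""
    ev = decode_winevt(line)
    if ev is None:
        return None
    for rule in RULES:
        if rule["event_id"].search(ev["id"]):
            return {"rule_id": rule["id"], "level": rule["level"],
                    "description": rule["description"],
                    "computer": ev["computer"], "srcip": ev["srcip"]}
    return None

# Constructed samples: the thread's logtest line, and a logoff event (4634)
# in the Security channel that must not trigger rule 100101.
SAMPLE_LINES = [
    "WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: "
    "TESTINGLAPTOP.inverse.local: The system time was changed.",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: TESTINGLAPTOP.inverse.local: An account was logged off.",
]
```

Running `evaluate` over `SAMPLE_LINES` raises the level 8 alert only for the first line, with `srcip` set to None, which matches what the 0.8 web UI shows.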
