On Mon, Mar 24, 2014 at 12:29 PM, Merrill Cook <[email protected]> wrote:
>> Src IP: ministrator
>
> I'm confused. It looks like the information for "src ip" isn't getting into
> the Ossec message properly -- that is, it is getting the string
> "ministrator" when you want the source IP address.
>
The OSSEC alert is just fine, the WUI is wrong. Somewhere a long long time ago the OSSEC log format changed slightly. Since the WUI was, at the time, a dead project it was not updated with the changes. The 0.8 version should have this fixed.

> Doesn't the Ossec agent watch the Windows log? If the information is not in the
> Windows log, it won't get into the Ossec log. If the information is there in
> the Windows event log, but is not making it into the Ossec messages,
> wouldn't that mean that the rule isn't properly parsing the IP address out
> of the event log?
>

This is essentially correct (the decoders pull the IP address out, not the rules). But the source IPs _are_ being decoded properly in the examples that were sent. The problem was that WUI 0.3 is broken.

>
> On Mon, Mar 24, 2014 at 11:21 AM, Julien Semaan <[email protected]> wrote:
>>
>> Ok, this answers my question. I thought maybe OSSEC would get the source IP
>> from the socket it receives the logs from, but if its only information is
>> the agent IP (which is useless when using a network) and the source IP
>> needs to be decoded from the log line, then we can't use it, since the log lines
>> from Windows do not contain that information.
>>
>> Thank you very much for your help!
>>
>> On Monday, March 24, 2014 11:00:28 UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Mon, Mar 24, 2014 at 10:18 AM, Julien Semaan <[email protected]> wrote:
>>> > We'll probably have to wait for the deployment of the event channel module
>>> > for a part of the detection.
>>> >
>>> > I updated the web UI to 0.8 and instead of writing a part of the log in the
>>> > srcip, the field is simply empty.
>>> >
>>> > I need to have the source IP to integrate with our system. If it's not in
>>> > the UI, does it mean that I can't get it?
>>> >
>>>
>>> Not at all. I don't use the UI, so it's tough to say what's happening there.
>>>
>>> You can use the ossec-logtest utility to see if the source IP is being
>>> decoded.
>>> Looking at the screenshot you sent previously, only 1 of the
>>> log messages appears to have an IP address in it (I could have missed
>>> others in the logs), and it is decoded just fine. Not all alerts will
>>> have a source IP.
>>>
>>> If a log message contains a source IP, and it isn't decoded properly,
>>> you can always adjust the decoders to handle it. Heck, you can post to
>>> the list and I'll help. Or open an issue and I'll help (others too).
>>> We all want the log messages to decode better than they currently
>>> do.
>>>
>>> > Thank you!
>>> >
>>> > On Monday, March 24, 2014 09:58:58 UTC-4, dan (ddpbsd) wrote:
>>> >>
>>> >> On Mon, Mar 24, 2014 at 9:40 AM, Julien Semaan <[email protected]> wrote:
>>> >> > For point 1:
>>> >> > The agent is configured using network 172.20.20.0/24 in order to support DHCP.
>>> >> >
>>> >> > When looking in the OSSEC web UI I get these alerts:
>>> >> > 2014 Mar 24 09:23:03 Rule Id: 18149 level: 3
>>> >> > Location: (hello) 172.20.20.0->WinEvtLog
>>> >> > Src IP: ministrator
>>> >>
>>> >> Sounds like you're using 0.3. Don't do that. 0.8 has this (and other
>>> >> stuff) fixed.
>>> >>
>>> >> > Windows User Logoff.
>>> >> >
>>> >> > The source IP is simply a part of the log and not the IP. Since I'm using a
>>> >> > network for the agent configuration I can't see where we could grab the
>>> >> > source IP to call an external script.
>>> >> >
>>> >> > I also included a screenshot of the OSSEC UI.
>>> >> >
>>> >> > For point 2:
>>> >> > I activated the logall option and the changed time event with id 4616 is not
>>> >> > sent to the OSSEC manager.
>>> >> >
>>> >> > I am guessing the event I'm looking for is part of the newer Windows logs
>>> >> > (Windows Vista +).
>>> >> >
>>> >>
>>> >> Eventchannel (maybe?) is "supported" in the new code. Not entirely
>>> >> sure it's 100% yet though (I try not to worry about Windows).
>>> >>
>>> >> > Thank you!
>>> >> >
>>> >> > On Monday, March 24, 2014 08:48:57 UTC-4, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >>
>>> >> >> On Mar 24, 2014 8:45 AM, "Julien Semaan" <[email protected]> wrote:
>>> >> >> >
>>> >> >> > Hi,
>>> >> >> >
>>> >> >> > I am currently working on the PacketFence project, which does network
>>> >> >> > access control.
>>> >> >> >
>>> >> >> > We are looking into integrating OSSEC with PacketFence in order to
>>> >> >> > isolate clients based on specific events that happen on the clients.
>>> >> >> >
>>> >> >> > After installing and testing there are a few issues that I would need
>>> >> >> > help with.
>>> >> >> >
>>> >> >> > Setup I have:
>>> >> >> > - OSSEC server is built from the master on your git repo and uses OSSEC WebUI
>>> >> >> > - Linux agent is also built from the master on your git repo
>>> >> >> > - Windows agent is version 2.7.1, which is available on your website
>>> >> >> > - Agent is configured using a network and not using the direct IP address.
>>> >> >> >
>>> >> >> > 1 - Source IP
>>> >> >> > In order to isolate the client we will always need the source IP that
>>> >> >> > triggered the violation. Looking into the alerts in the GUI, the source IP is
>>> >> >> > always a part of the log but never the real source IP. Is it a bug with the
>>> >> >> > GUI, or will the source IP never be populated except when directly
>>> >> >> > available in the log line?
>>> >> >> >
>>> >> >>
>>> >> >> Can you provide an example? This doesn't make any sense.
>>> >> >>
>>> >> >> > 2 - Windows event log
>>> >> >> > OS Version: Windows 7 64-bit
>>> >> >> > I am getting alerts from our Windows test station.
>>> >> >> > In order to be able
>>> >> >> > to repeatedly test the integration I tried to add a new rule for the event
>>> >> >> > id 4616, which is the time changed event in the category Security in the
>>> >> >> > event logs. I wrote a rule directly in rules/msauth_rules.xml to
>>> >> >> > intercept that event.
>>> >> >> >
>>> >> >> > Here is the rule (it's in the windows group):
>>> >> >> > <rule id="100101" level="8">
>>> >> >> >   <if_sid>18101</if_sid>
>>> >> >> >   <id>^4616$</id>
>>> >> >> >   <description>IF YOU SEE THIS THEN CELEBRATE </description>
>>> >> >> >   <group>system_error,</group>
>>> >> >> > </rule>
>>> >> >> >
>>> >> >> > I cannot get the alert to be intercepted. I tested the rule using
>>> >> >> > ossec-logtest using this line:
>>> >> >> > WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.
>>> >> >> >
>>> >> >> > This line triggers the alert successfully, but when changing the time on
>>> >> >> > the client the alert doesn't show up on the OSSEC server but does in the
>>> >> >> > Windows event log. Is there another configuration that I need to add on the
>>> >> >> > agent? Also, is it possible to see all the log lines that come to the OSSEC
>>> >> >> > server, because that would make debugging easier.
>>> >> >>
>>> >> >> Did you restart the ossec processes on the manager after adding the rule?
>>> >> >> You can turn on the log all option on the manager to see all logs being
>>> >> >> passed to ossec.
>>> >> >>
>>> >> >> >
>>> >> >> > Thank you!

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
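The thread's practical conclusion is that the alert itself carries the decoded source address (when the decoder found one in the log line) and that the web UI was the broken link; an integration such as the one Julien describes is better off reading the manager's plain-text alerts.log directly. The following parser is an added example written for this page; it is not code from OSSEC, from the WUI or from PacketFence. It assumes the alerts.log record layout as I know it from OSSEC 2.x (a `** Alert` header line, a timestamp and `(agent) address->location` line, a `Rule:` line, optional `Src IP:` and `User:` lines, then the raw log, records separated by a blank line); the three sample records, the rule numbers and descriptions, the `isolation_target` helper and its `network_registrations` parameter are all constructed for illustration. The helper takes the decoded `Src IP` when present and refuses to fall back on the agent's registered address when that address is a network registration rather than a host, which is the DHCP case discussed in the thread.

```python
"""Extract the fields a NAC integration needs from OSSEC alerts.log records.

Added example for the thread above; not code from OSSEC, its WUI or
PacketFence. The record layout is the plain-text format OSSEC 2.x writes to
logs/alerts/alerts.log as I know it. SAMPLE_ALERTS is constructed, not
captured from a real manager.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?: mail)? - (?P<groups>.*)$")
# Agent form: "2014 Mar 24 09:23:03 (hello) 172.20.20.0->WinEvtLog"
# Manager form: "2014 Mar 24 09:23:20 manager->/var/log/auth.log"
LOCATION_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) (?P<addr>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    timestamp: str
    groups: list
    date: str
    agent: Optional[str]   # agent name; None for logs read on the manager itself
    agent_addr: str        # address as OSSEC prints it; may be a network registration
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None   # only set when a decoder extracted one
    user: Optional[str] = None
    log: str = ""


def parse_alerts(text: str) -> list:
    """Parse a chunk of alerts.log into Alert records (one per blank-line block)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        h = HEADER_RE.match(lines[0])
        loc = LOCATION_RE.match(lines[1])
        r = RULE_RE.match(lines[2])
        if not (h and loc and r):
            raise ValueError("unrecognised alert record:\n" + block)
        a = Alert(
            timestamp=h["ts"],
            groups=[g for g in h["groups"].split(",") if g],
            date=loc["date"],
            agent=loc["agent"],
            agent_addr=loc["addr"] or loc["host"],
            location=loc["location"],
            rule_id=int(r["id"]),
            level=int(r["level"]),
            description=r["desc"],
        )
        rest = lines[3:]
        # Decoder output lines are optional and precede the raw log line(s).
        if rest and rest[0].startswith("Src IP: "):
            a.src_ip = rest.pop(0)[len("Src IP: "):]
        if rest and rest[0].startswith("User: "):
            a.user = rest.pop(0)[len("User: "):]
        a.log = "\n".join(rest)
        alerts.append(a)
    return alerts


def isolation_target(alert: Alert, network_registrations=()) -> Optional[str]:
    """Return the host address an isolation hook should act on, or None.

    Prefer the decoded Src IP. Fall back on the agent address only if it is a
    real host: 'any' and CIDR registrations (OSSEC prints the base address,
    e.g. 172.20.20.0 for an agent registered as 172.20.20.0/24) identify no host.
    network_registrations is the list of CIDRs from client.keys (assumed input).
    """
    if alert.src_ip:
        try:
            return str(ipaddress.ip_address(alert.src_ip))
        except ValueError:
            return None  # never hand a non-address (cf. "ministrator") to the NAC
    addr = alert.agent_addr
    if addr == "any" or "/" in addr:
        return None
    for cidr in network_registrations:
        if addr == str(ipaddress.ip_network(cidr, strict=False).network_address):
            return None
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None  # a hostname on a manager-local log line, not an address


# Constructed sample records in the alerts.log layout described above.
SAMPLE_ALERTS = """\
** Alert 1395667383.1234: - windows,authentication_success,
2014 Mar 24 09:23:03 (hello) 172.20.20.0->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: 192.0.2.10
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: INVERSE: TESTINGLAPTOP: An account was successfully logged on. Source Network Address: 192.0.2.10

** Alert 1395667390.2345: - windows,
2014 Mar 24 09:23:10 (hello) 172.20.20.0->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: Administrator: INVERSE: TESTINGLAPTOP: An account was logged off.

** Alert 1395667400.3456: - syslog,sshd,authentication_failed,
2014 Mar 24 09:23:20 (linuxbox) 198.51.100.7->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Mar 24 09:23:20 linuxbox sshd[1234]: Failed password for root from 203.0.113.5 port 50000 ssh2
"""

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.rule_id, a.description, "->", isolation_target(a, ["172.20.20.0/24"]))
```

Run against the samples, the logon alert yields 192.0.2.10 from the decoder, the SSH alert yields 203.0.113.5, and the logoff alert yields nothing once the 172.20.20.0/24 registration is supplied: without that list the parser cannot tell the network base address from a host, so the integration should feed it the CIDR registrations it knows about rather than trust the location line alone.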
