On Dec 2, 2015 5:21 AM, "H.Merijn Brand" <[email protected]> wrote:
>
> This is still wrong in 2.8.3 !!!
>
> Why is this easy fix not accepted?
>
I missed your email about it in the threads we were discussing 2.8.3, and it's a feature I don't use. Sorry about that.

> 2015-04-02 11:30 GMT+02:00 H.Merijn Brand <[email protected]>:
>>
>> The format is not quite what matches the rest of the hosts.deny file
>>
>> # head /etc/hosts.deny
>> ALL:183.1.1.1/255.192.0.0
>> ALL:58.218.1.1/255.224.0.0
>> ALL:182.96.1.1/255.224.0.0
>> ALL:183.96.1.1/255.224.0.0
>> ALL:113.96.1.1/255.240.0.0
>> ALL:222.208.1.1/255.240.0.0
>>
>> # tail -10 /etc/hosts.deny
>> ALL:218.106.254.121/255.255.255.255
>> ALL:219.234.80.221/255.255.255.255
>> ALL:220.187.241.24/255.255.255.255
>> ALL:220.194.202.139/255.255.255.255
>> ALL:222.236.44.115/255.255.255.255
>> ALL:223.197.52.236/255.255.255.255
>> ALL:202.120.50.131
>> ALL:202.120.50.131
>> ALL:202.120.50.131
>> ALL:202.120.50.131
>>
>> It is xdelete that ruins the file ...
>>
>> + '[' xdelete = xdelete ']'
>> + lock
>> + i=0
>> + '[' 1 ']'
>> + mkdir /var/ossec/active-response/host-deny-lock
>> + MSL=0
>> + '[' 0 = 0 ']'
>> + echo 11976
>> + return
>> mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
>> ++ mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
>> + TMP_FILE = /var/ossec/ossec-hosts.WH8SSsvOj7
>> /var/ossec/active-response/bin/host-deny.sh: line 114: TMP_FILE: command not found
>> + '[' X = X ']'
>> cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1
>> ++ cat /dev/urandom
>> ++ tr -dc a-zA-Z0-9
>> ++ fold -w 32
>> ++ head -1
>> + TMP_FILE = /var/ossec/ossec-hosts.3K92OdZnWGq9XRCHQYOqCcmlOeFqrsF8
>> /var/ossec/active-response/bin/host-deny.sh: line 117: TMP_FILE: command not found
>> + '[' XLinux = XFreeBSD ']'
>> + cat /etc/hosts.deny
>> + grep -v 'ALL:202.120.50.131$'
>> /var/ossec/active-response/bin/host-deny.sh: line 123: ${TMP_FILE}: ambiguous redirect
>> + cat
>>
>>
>> OBVIOUSLY!!!
>>
>>
>> # Deleting from hosts.deny
>> elif [ "x${ACTION}" = "xdelete" ]; then
>>     lock;
>>     TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>>     if [ "X${TMP_FILE}" = "X" ]; then
>>         # Cheap fake tmpfile, but should be harder than no random data
>>         TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
>>     fi
>>
>> ==>
>>
>> # Deleting from hosts.deny
>> elif [ "x${ACTION}" = "xdelete" ]; then
>>     lock;
>>     TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>>     if [ "X${TMP_FILE}" = "X" ]; then
>>         # Cheap fake tmpfile, but should be harder than no random data
>>         TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
>>     fi
>>
>>
>> TWO erroneous uses of VAR = val instead of VAR=val
>>
>>
>> 2015-04-02 10:48 GMT+02:00 <[email protected]>:
>>>
>>> [email protected]
>>> Google Groups
>>> Today's topic summary
>>>
>>> send eventlog to ossec - 2 Updates
>>> Wheezy/x86 : installation does not creates startup script - 2 Updates
>>> collect all logs and add OpenVPN logs - 21 Updates
>>> Please help with CDB lists.... - 1 Update
>>> OSSEC active responce replaces hosts.deny and iptables - 2 Updates
>>>
>>> send eventlog to ossec
>>> [email protected]: Apr 01 02:03PM -0700
>>>
>>> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
>>> to install but it was unsuccessful, I attach two files.
>>> ...more
>>> [email protected]: Apr 01 02:14PM -0700
>>>
>>> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
>>> to install but it was unsuccessful, I attach two files.
>>> ...more
>>>
>>> Wheezy/x86 : installation does not creates startup script
>>> [email protected]: Apr 01 08:53AM -0700
>>>
>>> Hi,
>>>
>>> I have a similar problem as below (subject on Jessie and system.d service)
>>> on Wheezy/x86-32: when I install the ossec-hids package, no init.d/ossec is
>>> copied, and, of course, the LSB ...more
>>> Santiago Bassett <[email protected]>: Apr 01 09:49AM -0700
>>>
>>> Hi Frank,
>>>
>>> I am the installers maintainer, sorry for the inconvenience. Not sure yet
>>> what is causing this problem, but will work on it right away. Hopefully I
>>> can have new packages ready in a few ...more
>>>
>>> collect all logs and add OpenVPN logs
>>> [email protected]: Apr 01 04:37AM -0700
>>>
>>> hi,
>>>
>>> First I want that ossec collects all logs.
>>> I have put the logall options and
>>> log alertlevel is even at 0
>>>
>>> <global>
>>>   <logall>yes</logall>
>>> </global>
>>>
>>> <alerts> ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 07:46AM -0400
>>>
>>> > still I don't get all log information, i usually get logs regarding event 3
>>> > (mostly or higher).
>>>
>>> > what else do I need to do, so OSSEC will log all events?
>>>
>>> All log messages received by ...more
>>> [email protected]: Apr 01 04:57AM -0700
>>>
>>> On Wednesday, April 1, 2015 at 1:47:03 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> > > Second question is about OpenVPN
>>>
>>> > > Can I gather openvpn events to OSSEC?
>>>
>>> > If it logs to a file you can.
>>> ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 08:03AM -0400
>>>
>>> > also if you want,
>>> > but I would like to know if there is an easy way for OSSEC to read the
>>> > openvpn log files
>>>
>>> Add localfile options pointing to the logfiles in the system's
>>> ...more
>>> [email protected]: Apr 01 05:11AM -0700
>>>
>>> > you mean something like this and the information will be collected by
>>> > OSSEC agent (the openvpn is installed on a different server, managed by the
>>> > client)?
>>>
>>> <ossec_config> ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 08:14AM -0400
>>>
>>> >> you mean something like this and the information will be collected by
>>> >> OSSEC agent (the openvpn is installed on a different server, managed by the
>>> >> client)?
>>>
>>> Something like that, yes. ...more
>>> [email protected]: Apr 01 05:15AM -0700
>>>
>>> well I will test this and let you know.
>>>
>>> thx Dan !!
>>>
>>> On Wednesday, April 1, 2015 at 2:14:17 PM UTC+2, dan (ddpbsd) wrote:
>>> ...more
>>> [email protected]: Apr 01 05:38AM -0700
>>>
>>> Hello Dan,
>>>
>>> sorry, this is the correct format:
>>>
>>> <localfile>
>>>   <log_format>syslog</log_format>
>>>   <location>/etc/openvpn/log/openvpn.log</location>
>>> </localfile>
>>>
>>> the ossec services ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 08:48AM -0400
>>>
>>> > I double checked the file and it was generating messages after I restarted
>>> > ossec
>>> > does ossec look only for errors and discard other information?
>>>
>>> No, it should send all log messages the agent ...more
>>> Santiago Bassett <[email protected]>: Apr 01 06:13AM -0700
>>>
>>> Also it might help to run "lsof /etc/openvpn/log/openvpn.log" to confirm
>>> the ossec-logcollector process is reading that file. As well, check that the
>>> logs are written in syslog format.
>>>
>>> ...more
>>> [email protected]: Apr 01 06:13AM -0700
>>>
>>> Okay, this is what I found in the ossec.log
>>>
>>> ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'
>>>
>>> INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'
>>>
>>> ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 09:23AM -0400
>>>
>>> > the openvpn.log doesn't reside on the ossec server but on a client, maybe
>>> > the ossec server was checking local
>>> > or should I put this rule on client config file?
>>>
>>> As I've said a number of times ...more
>>> [email protected]: Apr 01 07:11AM -0700
>>>
>>> what use is this solution then? wasn't the point of OSSEC to have
>>> centralized management....
>>> in my case we don't have so many servers running, but for an enterprise
>>> environment this is not ...more
>>> Santiago Bassett <[email protected]>: Apr 01 07:51AM -0700
>>>
>>> OSSEC supports centralized configuration management:
>>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
>>>
>>> Thousands of Open Source solutions are used daily in ...more
>>> Inaki Rodriguez <[email protected]>: Apr 01 04:35PM +0200
>>>
>>> Hi!
>>>
>>> Sorry but I have deployed OSSEC on more than 400 servers, with the
>>> config centralized. Probably the problem is not OSSEC (maybe a RTFM
>>> related problem). You can specify the log files on your ...more
>>> [email protected]: Apr 01 08:16AM -0700
>>>
>>> Hello Santiago,
>>> Just because a lot of people use a certain product, doesn't mean it's a
>>> good product.
>>> The main reason people use open source is because it's free.
>>> anyway, I see great potential ...more
>>> [email protected]: Apr 01 08:51AM -0700
>>>
>>> Thx Inaki,
>>>
>>> I'm doing my best to get it working, it's just taking a lot of time and
>>> is frustrating
>>> and it is working, but I just need to fine tune a couple of things...
>>>
>>> On Wednesday, April 1, 2015 ...more
>>> [email protected]: Apr 01 08:53AM -0700
>>>
>>> can you get ossec to get all information from a certain log file and report
>>> it?
>>> have you tried using this command: /var/ossec/bin/util.sh addfile
>>> this is also handy, but how to revert it back ...more
>>> Inaki Rodriguez <[email protected]>: Apr 01 05:45PM +0200
>>>
>>> My contribution:
>>>
>>> <!-- Wed Apr 1 11:18:26 2015 91.126.130.4:63972 TLS: Username/Password
>>> authentication succeeded for username 'USERNAME' -->
>>> <decoder name="openvpn-success">
>>> ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 12:38PM -0400
>>>
>>> > what use is this solution then? wasn't the point of OSSEC to have a
>>> > centralized management....
>>>
>>> It does, in the agent.conf. But you seemed to be having enough issues
>>> with basic configuration ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 12:40PM -0400
>>>
>>> > ossec?
>>> > so not just alerts, but all the information in a log (this log file
>>> > generates very few)
>>>
>>> Add a localfile option to read that log file. That will read all of
>>> the information and ...more
>>>
>>> Please help with CDB lists....
>>> Brent Morris <[email protected]>: Apr 01 08:32AM -0700
>>>
>>> I found it...
>>>
>>> the issue was that I prepended a / in the ossec.conf <list>
>>>
>>> bad
>>> <list>*/*lists/filename</list>
>>>
>>> good!
>>> <list>lists/filename</list>
>>>
>>> Thanks for your help!
>>>
>>> On Tuesday, March 31, ...more
>>>
>>> OSSEC active responce replaces hosts.deny and iptables
>>> "H.Merijn Brand" <[email protected]>: Apr 01 06:55AM -0700
>>>
>>> On Monday, 9 March 2015 16:15:41 UTC+1, dan (ddpbsd) wrote:
>>>
>>> > I don't see anything in host-deny.sh that should be replacing the
>>> > file.
>>> > Try running it manually (maybe with /bin/sh -x) to see if ...more
>>> "dan (ddp)" <[email protected]>: Apr 01 10:22AM -0400
>>>
>>> > like
>>>
>>> > # sh -x /var/ossec/active-response/bin/host-deny.sh 202.120.50.131
>>>
>>> > ?
>>>
>>> Looking at the script, it seems you need:
>>> host-deny.sh add - 10.10.10.10
>>>
>>> ...more
>>>
>>> You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page.
>>> To unsubscribe from this group and stop receiving emails from it send an email to [email protected].
>>
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
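The trace above shows why the delete branch wipes hosts.deny: "TMP_FILE = ..." runs a command called TMP_FILE instead of assigning the variable, the variable stays unset, "> ${TMP_FILE}" fails as an ambiguous redirect, and the script still goes on to write the live file from a source that does not exist. The script below is an added example, not OSSEC's host-deny.sh: it is a hardened version of that delete branch, written so that an unset variable aborts the run before the live file is touched. The argument order (address first, then file) and the helper names hosts_deny_delete and hosts_deny_count are my assumptions so the function can be exercised on a scratch copy rather than on /etc/hosts.deny.

```shell
#!/bin/sh
# Added example (not OSSEC's own host-deny.sh): a hardened "delete" branch
# for a hosts.deny-style file. Assumed interface, not the project's:
#   hosts_deny_delete ADDRESS FILE

# Under "set -u" expanding an unset variable is fatal. With the original
# "TMP_FILE = `mktemp ...`" typo TMP_FILE stays unset, so the later
# "> ${TMP_FILE}" would stop the script here instead of falling through to
# a "cat > /etc/hosts.deny" that truncates the live file.
set -u

# Remove every "ALL:ADDRESS" line from FILE. FILE is left untouched and the
# function returns 1 if the temporary copy cannot be created or written.
hosts_deny_delete() {
    addr=$1
    deny_file=$2

    # Correct assignment: no whitespace around "=". The temp file lives in the
    # same directory as the target; "|| return 1" stops on mktemp failure.
    TMP_FILE=$(mktemp "${deny_file}.XXXXXXXXXX") || return 1
    [ -n "$TMP_FILE" ] && [ -f "$TMP_FILE" ] || return 1

    # Escape the dots so "." matches literally, and anchor the pattern so that
    # deleting 10.0.0.1 does not also remove 10.0.0.10.
    pat=$(printf '%s' "$addr" | sed 's/\./\\./g')

    # grep exits 1 when nothing is left (every entry matched); only a status
    # above 1 is a real error.
    status=0
    grep -v "^ALL:${pat}\$" "$deny_file" > "$TMP_FILE" || status=$?
    if [ "$status" -gt 1 ]; then
        rm -f "$TMP_FILE"
        return 1
    fi

    # Only now, with a source file that is known to exist, rewrite the live
    # file. "cat TMP > FILE" keeps FILE's owner and mode; an "mv" would give
    # it the temp file's 0600 mode, which a daemon that consults hosts.deny
    # without root privileges could no longer open.
    cat "$TMP_FILE" > "$deny_file" || { rm -f "$TMP_FILE"; return 1; }
    rm -f "$TMP_FILE"
}

# Number of "ALL:" entries left in FILE, for checking the result.
hosts_deny_count() {
    grep -c '^ALL:' "$1" || true
}

# Example invocation (assumed wrapper usage, not the real script's arguments):
#   hosts_deny_delete 202.120.50.131 /etc/hosts.deny
```

Running the old script under sh -x with this "set -u" at the top would have stopped at line 123 with "TMP_FILE: parameter not set" rather than at the final cat, which is the difference between a failed unban and an emptied hosts.deny.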
