On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <[email protected]> wrote:
> Hi, ideally we would like OSSEC to check file integrity in real time; if not,
> what other options can OSSEC offer in that respect?
>
It will do some things in real time, not all. I think it should be a
fairly simple code change to add new files to the realtime options,
but I've never really looked into it.
> Is there a Syscheck cmd in ossec?
>
# /var/ossec/bin/agent_control -h
OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i <id> Extracts information from an agent.
-R <id> Restarts agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u <id> Runs the integrity/rootkit checking on one agent now.
-b <ip> Blocks the specified ip address.
-f <ar> Used with -b, specifies which response to run.
-L List available active responses.
-s Changes the output to CSV (comma delimited).
> On 5 September 2016 at 17:23, dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <[email protected]> wrote:
>> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the
>> > file; no alerts fired after adding a file to /home/user_name, which is
>> > monitored by OSSEC. What are the possible problems?
>> >
>>
>> A syscheck scan probably hasn't run since the file was added (I don't
>> think it works with realtime).
>> Try running a syscheck scan to see if an alert is created.
>>
>> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <[email protected]>
>> >> wrote:
>> >> > Using the above cmd, after adding a file in a monitored directory, i.e.
>> >> > /home/user_name, nothing is shown on tcpdump:
>> >> >
>> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> >> >
>> >> >
>> >>
>> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>> >> So make sure you're listening to the interface the emails should be sent from.
>> >> Did any alerts fire while you were using tcpdump (check
>> >> /var/ossec/logs/alerts/alerts.log)?
>> >> If not, that'll be a problem.
>> >>
>> >> >
>> >> >
>> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected]>
>> >> >> wrote:
>> >> >> > Hi, could you give me an example of using tcpdump in this case?
>> >> >> >
>> >> >>
>> >> >> tcpdump -nnXxevvs 0 port 25
>> >> >>
>> >> >> > cheers
>> >> >> >
>> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > Hi, since it is a fresh install of OSSEC, I didn't get any emails.
>> >> >> >> > The notification is turned on as
>> >> >> >> >
>> >> >> >>
>> >> >> >> Try using tcpdump (looking for connections to the email server from
>> >> >> >> the OSSEC system) or check the mail logs on the email server to
>> >> >> >> determine if there is an error when sending.
>> >> >> >>
>> >> >> >> > <alert_new_files>yes</alert_new_files>
>> >> >> >> >
>> >> >> >> > in ossec.conf
>> >> >> >> >
>> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng
>> >> >> >> >> <[email protected]>
>> >> >> >> >> wrote:
>> >> >> >> >> > Hi, I installed OSSEC locally on my cloud server and configured
>> >> >> >> >> > ossec.conf as follows; I tried to detect new additions using
>> >> >> >> >> > <alert_new_files>yes</alert_new_files>.
>> >> >> >> >> >
>> >> >> >> >> > <global>
>> >> >> >> >> > <email_notification>yes</email_notification>
>> >> >> >> >> > <email_to>[email protected]</email_to>
>> >> >> >> >> > <smtp_server>ns0.bt.net.</smtp_server>
>> >> >> >> >> > <email_from>[email protected]</email_from>
>> >> >> >> >> > </global>
>> >> >> >> >> > <syscheck>
>> >> >> >> >> > <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >> >> >> >> > <frequency>79200</frequency>
>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
>> >> >> >> >> >
>> >> >> >> >> > <!-- Directories to check (perform all possible verifications) -->
>> >> >> >> >> > <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >> >> >> >> > <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >> >> >> >> > <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>> >> >> >> >> > </syscheck>
>> >> >> >> >> >
>> >> >> >> >> > The local_rules.xml is like,
>> >> >> >> >> >
>> >> >> >> >> > <group name="local,syslog,">
>> >> >> >> >> >
>> >> >> >> >> > <!-- Note that rule id 5711 is defined at the ssh_rules file
>> >> >> >> >> > - as a ssh failed login. This is just an example
>> >> >> >> >> > - since ip 1.1.1.1 shouldn't be used anywhere.
>> >> >> >> >> > - Level 0 means ignore.
>> >> >> >> >> > -->
>> >> >> >> >> > <rule id="100001" level="0">
>> >> >> >> >> > <if_sid>5711</if_sid>
>> >> >> >> >> > <srcip>1.1.1.1</srcip>
>> >> >> >> >> > <description>Example of rule that will ignore sshd </description>
>> >> >> >> >> > <description>failed logins from IP 1.1.1.1.</description>
>> >> >> >> >> > </rule>
>> >> >> >> >> >
>> >> >> >> >> > <rule id="554" level="7" overwrite="yes">
>> >> >> >> >> > <category>ossec</category>
>> >> >> >> >> > <decoded_as>syscheck_new_entry</decoded_as>
>> >> >> >> >> > <description>File added to the system.</description>
>> >> >> >> >> > <group>syscheck,</group>
>> >> >> >> >> > </rule>
>> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
>> >> >> >> >> >
>> >> >> >> >> > Now, if I add a file in home/user_name, there is no email
>> >> >> >> >> > notification coming through the SMTP server. I am using smtp.bt.net,
>> >> >> >> >> > using
>> >> >> >> >> >
>> >> >> >> >> > dig -t mx smtp.bt.net
>> >> >> >> >> >
>> >> >> >> >> > to get the SMTP server. What are the possible reasons that I am
>> >> >> >> >> > not getting the email?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Are you getting emails for other alerts?
>> >> >> >> >> Are alerts being triggered for these new files?
>> >> >> >> >>
>> >> >> >> >> > Many thanks
>> >> >> >> >> >
>> >> >> >> >> > --
>> >> >> >> >> >
>> >> >> >> >> > ---
>> >> >> >> >> > You received this message because you are subscribed to the
>> >> >> >> >> > Google
>> >> >> >> >> > Groups
>> >> >> >> >> > "ossec-list" group.
>> >> >> >> >> > To unsubscribe from this group and stop receiving emails
>> >> >> >> >> > from
>> >> >> >> >> > it,
>> >> >> >> >> > send
>> >> >> >> >> > an
>> >> >> >> >> > email to [email protected].
>> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
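The two checks dan keeps coming back to in this thread are whether syscheck is actually configured to alert on new files in the watched directory, and whether a rule 554 alert ever reached alerts.log (and was queued for e-mail) before anyone starts debugging SMTP. The script below is an added example for doing both offline; it is not OSSEC's own code or anything posted on this list. The configuration and the alerts.log excerpt are constructed from the thread's snippets, and the ` mail ` token in the alert header is assumed here to be how OSSEC marks an alert it handed to the mailer.

```python
"""Offline diagnostic for the two questions raised in this thread: does the
syscheck block actually enable new-file alerts for the watched directories,
and did OSSEC write a rule 554 (new file) alert and queue it for e-mail?
Added example, not OSSEC code. Sample config and alerts.log lines are
constructed from the thread's snippets; the ' mail ' header token is an
assumption about how OSSEC marks alerts queued for e-mail."""
import re
import xml.etree.ElementTree as ET

# Constructed: the thread's <syscheck> block wrapped in OSSEC's root element.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
  </syscheck>
</ossec_config>"""

# Constructed alerts.log excerpt: a mailed new-file alert, an unmailed one,
# and an unrelated login alert, in OSSEC's blank-line-separated layout.
SAMPLE_ALERTS = """\
** Alert 1473092400.1234: mail  - ossec,syscheck,
2016 Sep 05 17:40:00 myserver->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/user_name/newfile.txt' added to the file system.

** Alert 1473092460.1300: - ossec,syscheck,
2016 Sep 05 17:41:00 myserver->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/etc/foo.conf' added to the file system.

** Alert 1473092520.1400: - pam,syslog,authentication_success,
2016 Sep 05 17:42:00 myserver->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  5 17:42:00 myserver sshd[1234]: pam_unix(sshd:session): session opened for user bob
"""


def syscheck_summary(conf_xml):
    """Summarise <syscheck>: new-file alerting, scan interval, and which
    directories are realtime-watched versus only covered by scheduled scans."""
    sc = ET.fromstring(conf_xml).find("syscheck")
    summary = {"alert_new_files": False, "frequency": None,
               "realtime": [], "scheduled_only": []}
    if sc is None:
        return summary
    summary["alert_new_files"] = (sc.findtext("alert_new_files") or "no").strip().lower() == "yes"
    freq = (sc.findtext("frequency") or "").strip()
    summary["frequency"] = int(freq) if freq.isdigit() else None
    for d in sc.findall("directories"):
        paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
        key = "realtime" if d.get("realtime", "no").lower() == "yes" else "scheduled_only"
        summary[key].extend(paths)
    return summary


# Header looks like "** Alert 1473092400.1234: mail  - ossec,syscheck," when the
# alert was queued for mail (assumption) and "** Alert ...: - ossec,syscheck," when not.
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+):(?P<mail>\s+mail\s+)? - (?P<groups>\S+)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
NEW_FILE = re.compile(r"^New file '(.+)' added to the file system\.$")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = ALERT_HEADER.match(lines[0])
        if head is None:
            continue  # not an alert header; skip the malformed block
        alert = {"mailed": head.group("mail") is not None,
                 "groups": head.group("groups").strip(",").split(","),
                 "rule": None, "level": None, "path": None}
        for line in lines[1:]:
            rule = RULE_LINE.match(line)
            if rule:
                alert["rule"], alert["level"] = int(rule.group(1)), int(rule.group(2))
            newf = NEW_FILE.match(line)
            if newf:
                alert["path"] = newf.group(1)
        alerts.append(alert)
    return alerts


def new_file_alerts(text, under=None):
    """(path, mailed) for every rule 554 alert, optionally only under one directory."""
    hits = []
    for a in parse_alerts(text):
        if a["rule"] != 554 or a["path"] is None:
            continue
        if under and not a["path"].startswith(under.rstrip("/") + "/"):
            continue
        hits.append((a["path"], a["mailed"]))
    return hits


if __name__ == "__main__":
    print(syscheck_summary(SAMPLE_CONF))
    for path, mailed in new_file_alerts(SAMPLE_ALERTS, under="/home/user_name"):
        print(path, "queued for mail" if mailed else "NOT queued for mail")
```

Against a live system, read /var/ossec/logs/alerts/alerts.log into `new_file_alerts()`. No rule 554 entry at all means syscheck has not yet scanned the new file, which is where the thread ends up (run a scan with `agent_control -r`). An entry without the mail flag points at the alert stage rather than SMTP (for instance the alert level versus the server's e-mail alert threshold). An entry with the flag but no message received is the case where tcpdump on port 25, or the mail server's own logs, is the right next step.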