On Sep 6, 2016 6:32 AM, "Daiyue Weng" <[email protected]> wrote: > > since I am running local-ossec, so agent_control doesn't do any good here? >
I'll install a local instance and try it out for you. I'll report back shortly. > On 5 September 2016 at 17:43, dan (ddp) <[email protected]> wrote: >> >> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <[email protected]> wrote: >> > Hi, ideally we like ossec to check file integrity in real time, if not, what >> > are the other options ossec can offer in that aspect? >> > >> >> It will do some things in real time, not all. I think it should be a >> fairly simple code change to add new files to the realtime options, >> but I've never really looked into it. >> >> > Is there a Syscheck cmd in ossec? >> > >> >> # /var/ossec/bin/agent_control -h >> >> OSSEC HIDS agent_control: Control remote agents. >> Available options: >> -h This help message. >> -l List available (active or not) agents. >> -lc List active agents. >> -i <id> Extracts information from an agent. >> -R <id> Restarts agent. >> -r -a Runs the integrity/rootkit checking on all agents now. >> -r -u <id> Runs the integrity/rootkit checking on one agent now. >> >> -b <ip> Blocks the specified ip address. >> -f <ar> Used with -b, specifies which response to run. >> -L List available active responses. >> -s Changes the output to CSV (comma delimited). >> >> >> > On 5 September 2016 at 17:23, dan (ddp) <[email protected]> wrote: >> >> >> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <[email protected]> wrote: >> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the >> >> > file, >> >> > no alerts fired after adding a file to /home/user_name, which is >> >> > monitored >> >> > by ossec. what's the possible problems? >> >> > >> >> >> >> A syscheck scan probably hasn't run since the file was added (I don't >> >> think it works with realtime). >> >> Try running a syscheck scan to see if an alert is created. >> >> >> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote: >> >> >> >> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <[email protected]> >> >> >> wrote: >> >> >> > Using the above cmd, adding a file on a monitored directory, i.e. >> >> >> > /home/user_name, >> >> >> > >> >> >> > nothing is shown on tcpdump, >> >> >> > >> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture >> >> >> > size >> >> >> > 262144 bytes >> >> >> > >> >> >> > >> >> >> >> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on. >> >> >> So make sure you're listening to the interface the emails should be >> >> >> sent >> >> >> from. >> >> >> Did any alerts fire while you were using tcpdump (check >> >> >> /var/ossec/logs/alerts/alerts.log). >> >> >> If not, that'll be a problem. >> >> >> >> >> >> > >> >> >> > >> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote: >> >> >> >> >> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected] > >> >> >> >> wrote: >> >> >> >> > Hi, could you give me an example of using tcpdump in this case? >> >> >> >> > >> >> >> >> >> >> >> >> tcpdump -nnXxevvs 0 port 25 >> >> >> >> >> >> >> >> > cheers >> >> >> >> > >> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote: >> >> >> >> >> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng < [email protected]> >> >> >> >> >> wrote: >> >> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any >> >> >> >> >> > emails. >> >> >> >> >> > The >> >> >> >> >> > notification is turn on as >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> Try using tcpdump (looking for connections to the email server >> >> >> >> >> from >> >> >> >> >> the OSSEC system) >> >> >> >> >> or check the maillogs on the email server to determine if there >> >> >> >> >> is >> >> >> >> >> an >> >> >> >> >> error when sending. >> >> >> >> >> >> >> >> >> >> > <alert_new_files>yes</alert_new_files> >> >> >> >> >> > >> >> >> >> >> > in ossec.conf >> >> >> >> >> > >> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote: >> >> >> >> >> >> >> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng >> >> >> >> >> >> <[email protected]> >> >> >> >> >> >> wrote: >> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and >> >> >> >> >> >> > configure >> >> >> >> >> >> > ossec.conf >> >> >> >> >> >> > as >> >> >> >> >> >> > follows, I tried to detect new additions using >> >> >> >> >> >> > <alert_new_files>yes</alert_new_files>. >> >> >> >> >> >> > >> >> >> >> >> >> > <global> >> >> >> >> >> >> > <email_notification>yes</email_notification> >> >> >> >> >> >> > <email_to>[email protected]</email_to> >> >> >> >> >> >> > <smtp_server>ns0.bt.net.</smtp_server> >> >> >> >> >> >> > <email_from>[email protected]</email_from> >> >> >> >> >> >> > </global> >> >> >> >> >> >> > <syscheck> >> >> >> >> >> >> > <!-- Frequency that syscheck is executed - default to >> >> >> >> >> >> > every >> >> >> >> >> >> > 22 >> >> >> >> >> >> > hours >> >> >> >> >> >> > --> >> >> >> >> >> >> > <frequency>79200</frequency> >> >> >> >> >> >> > <alert_new_files>yes</alert_new_files> >> >> >> >> >> >> > >> >> >> >> >> >> > <!-- Directories to check (perform all possible >> >> >> >> >> >> > verifications) >> >> >> >> >> >> > --> >> >> >> >> >> >> > <directories report_changes="yes" realtime="yes" >> >> >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin</directories> >> >> >> >> >> >> > <directories report_changes="yes" realtime="yes" >> >> >> >> >> >> > check_all="yes">/bin,/sbin</directories> >> >> >> >> >> >> > <directories report_changes="yes" realtime="yes" >> >> >> >> >> >> > check_all="yes">/home/user_name</directories> >> >> >> >> >> >> > </syscheck> >> >> >> >> >> >> > >> >> >> >> >> >> > The local_rules.xml is like, >> >> >> >> >> >> > >> >> >> >> >> >> > <group name="local,syslog,"> >> >> >> >> >> >> > >> >> >> >> >> >> > <!-- Note that rule id 5711 is defined at the ssh_rules >> >> >> >> >> >> > file >> >> >> >> >> >> > - as a ssh failed login. This is just an example >> >> >> >> >> >> > - since ip 1.1.1.1 shouldn't be used anywhere. >> >> >> >> >> >> > - Level 0 means ignore. >> >> >> >> >> >> > --> >> >> >> >> >> >> > <rule id="100001" level="0"> >> >> >> >> >> >> > <if_sid>5711</if_sid> >> >> >> >> >> >> > <srcip>1.1.1.1</srcip> >> >> >> >> >> >> > <description>Example of rule that will ignore sshd >> >> >> >> >> >> > </description> >> >> >> >> >> >> > <description>failed logins from IP >> >> >> >> >> >> > 1.1.1.1.</description> >> >> >> >> >> >> > </rule> >> >> >> >> >> >> > >> >> >> >> >> >> > <rule id="554" level="7" overwrite="yes"> >> >> >> >> >> >> > <category>ossec</category> >> >> >> >> >> >> > <decoded_as>syscheck_new_entry</decoded_as> >> >> >> >> >> >> > <description>File added to the system.</description> >> >> >> >> >> >> > <group>syscheck,</group> >> >> >> >> >> >> > </rule> >> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL --> >> >> >> >> >> >> > >> >> >> >> >> >> > Now, if I added a file in home/user_name, there is no email >> >> >> >> >> >> > notification >> >> >> >> >> >> > coming through the SMTP server. I am using smtp.bt.net, >> >> >> >> >> >> > using >> >> >> >> >> >> > >> >> >> >> >> >> > dig -t mx smtp.bt.net >> >> >> >> >> >> > >> >> >> >> >> >> > >> >> >> >> >> >> > to get the SMTP server. Whats the possible reasons that I am >> >> >> >> >> >> > not >> >> >> >> >> >> > getting >> >> >> >> >> >> > the >> >> >> >> >> >> > email? >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> Are you getting emails for other alerts? >> >> >> >> >> >> Are alerts being triggered for these new files? >> >> >> >> >> >> >> >> >> >> >> >> > Many thanks >> >> >> >> >> >> > >> >> >> >> >> >> > -- >> >> >> >> >> >> > >> >> >> >> >> >> > --- >> >> >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> >> >> > Google >> >> >> >> >> >> > Groups >> >> >> >> >> >> > "ossec-list" group. >> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails >> >> >> >> >> >> > from >> >> >> >> >> >> > it, >> >> >> >> >> >> > send >> >> >> >> >> >> > an >> >> >> >> >> >> > email to [email protected]. >> >> >> >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> >> >> > >> >> >> >> >> > -- >> >> >> >> >> > >> >> >> >> >> > --- >> >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> >> > Google >> >> >> >> >> > Groups >> >> >> >> >> > "ossec-list" group. >> >> >> >> >> > To unsubscribe from this group and stop receiving emails from >> >> >> >> >> > it, >> >> >> >> >> > send >> >> >> >> >> > an >> >> >> >> >> > email to [email protected]. >> >> >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> >> > >> >> >> >> > -- >> >> >> >> > >> >> >> >> > --- >> >> >> >> > You received this message because you are subscribed to the Google >> >> >> >> > Groups >> >> >> >> > "ossec-list" group. >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> >> > send >> >> >> >> > an >> >> >> >> > email to [email protected]. >> >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/d/optout. >> >> >> >> -- >> >> >> >> --- >> >> You received this message because you are subscribed to a topic in the >> >> Google Groups "ossec-list" group. >> >> To unsubscribe from this topic, visit >> >> https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> >> To unsubscribe from this group and all its topics, send an email to >> >> [email protected]. >> >> For more options, visit https://groups.google.com/d/optout. >> > >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/fknE75We_dw/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > > -- > > --- > You received this message because you are subscribed to the Google Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
