On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <[email protected]> wrote:
>> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <[email protected]> wrote:
>>>
>>> Since I am running local-ossec, agent_control doesn't do any good here?
>>>
>>
>> I'll install a local instance and try it out for you. I'll report back
>> shortly.
>>
>
> Not positive, but it doesn't look like it's working. I'm not keeping
> it around for another try.
> You may just have to restart the syscheckd process.
>

It does look like this might be working, just had to have execd running and have a bit more patience.

>>> On 5 September 2016 at 17:43, dan (ddp) <[email protected]> wrote:
>>>>
>>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <[email protected]> wrote:
>>>> > Hi, ideally we'd like ossec to check file integrity in real time; if not,
>>>> > what are the other options ossec can offer in that aspect?
>>>> >
>>>>
>>>> It will do some things in real time, not all. I think it should be a
>>>> fairly simple code change to add new files to the realtime options,
>>>> but I've never really looked into it.
>>>>
>>>> > Is there a Syscheck cmd in ossec?
>>>> >
>>>>
>>>> # /var/ossec/bin/agent_control -h
>>>>
>>>> OSSEC HIDS agent_control: Control remote agents.
>>>> Available options:
>>>>   -h          This help message.
>>>>   -l          List available (active or not) agents.
>>>>   -lc         List active agents.
>>>>   -i <id>     Extracts information from an agent.
>>>>   -R <id>     Restarts agent.
>>>>   -r -a       Runs the integrity/rootkit checking on all agents now.
>>>>   -r -u <id>  Runs the integrity/rootkit checking on one agent now.
>>>>
>>>>   -b <ip>     Blocks the specified ip address.
>>>>   -f <ar>     Used with -b, specifies which response to run.
>>>>   -L          List available active responses.
>>>>   -s          Changes the output to CSV (comma delimited).
>>>>
>>>>
>>>> > On 5 September 2016 at 17:23, dan (ddp) <[email protected]> wrote:
>>>> >>
>>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <[email protected]> wrote:
>>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the
>>>> >> > file; no alerts fired after adding a file to /home/user_name, which is
>>>> >> > monitored by ossec. What are the possible problems?
>>>> >> >
>>>> >>
>>>> >> A syscheck scan probably hasn't run since the file was added (I don't
>>>> >> think it works with realtime).
>>>> >> Try running a syscheck scan to see if an alert is created.
>>>> >>
>>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>>>> >> >>
>>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <[email protected]> wrote:
>>>> >> >> > Using the above cmd, adding a file on a monitored directory, i.e.
>>>> >> >> > /home/user_name,
>>>> >> >> >
>>>> >> >> > nothing is shown on tcpdump,
>>>> >> >> >
>>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>> >> >> >
>>>> >> >> >
>>>> >> >>
>>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>>>> >> >> So make sure you're listening to the interface the emails should be
>>>> >> >> sent from.
>>>> >> >> Did any alerts fire while you were using tcpdump (check
>>>> >> >> /var/ossec/logs/alerts/alerts.log)?
>>>> >> >> If not, that'll be a problem.
>>>> >> >>
>>>> >> >> >
>>>> >> >> >
>>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> >>
>>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected]> wrote:
>>>> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
>>>> >> >> >> >
>>>> >> >> >>
>>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>>>> >> >> >>
>>>> >> >> >> > cheers
>>>> >> >> >> >
>>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> >> >>
>>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]> wrote:
>>>> >> >> >> >> > Hi, since it is a fresh install of ossec, I didn't get any
>>>> >> >> >> >> > emails. The notification is turned on as
>>>> >> >> >> >> >
>>>> >> >> >> >>
>>>> >> >> >> >> Try using tcpdump (looking for connections to the email server
>>>> >> >> >> >> from the OSSEC system)
>>>> >> >> >> >> or check the maillogs on the email server to determine if there
>>>> >> >> >> >> is an error when sending.
>>>> >> >> >> >>
>>>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
>>>> >> >> >> >> >
>>>> >> >> >> >> > in ossec.conf
>>>> >> >> >> >> >
>>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> >> >> >>
>>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
>>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and
>>>> >> >> >> >> >> > configured ossec.conf as follows. I tried to detect new
>>>> >> >> >> >> >> > additions using <alert_new_files>yes</alert_new_files>.
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > <global>
>>>> >> >> >> >> >> >   <email_notification>yes</email_notification>
>>>> >> >> >> >> >> >   <email_to>[email protected]</email_to>
>>>> >> >> >> >> >> >   <smtp_server>ns0.bt.net.</smtp_server>
>>>> >> >> >> >> >> >   <email_from>[email protected]</email_from>
>>>> >> >> >> >> >> > </global>
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > <syscheck>
>>>> >> >> >> >> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>> >> >> >> >> >> >   <frequency>79200</frequency>
>>>> >> >> >> >> >> >   <alert_new_files>yes</alert_new_files>
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> >   <!-- Directories to check (perform all possible verifications) -->
>>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>>>> >> >> >> >> >> > </syscheck>
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > The local_rules.xml is like,
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > <group name="local,syslog,">
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> >   <!-- Note that rule id 5711 is defined at the ssh_rules file
>>>> >> >> >> >> >> >      - as a ssh failed login. This is just an example
>>>> >> >> >> >> >> >      - since ip 1.1.1.1 shouldn't be used anywhere.
>>>> >> >> >> >> >> >      - Level 0 means ignore.
>>>> >> >> >> >> >> >   -->
>>>> >> >> >> >> >> >   <rule id="100001" level="0">
>>>> >> >> >> >> >> >     <if_sid>5711</if_sid>
>>>> >> >> >> >> >> >     <srcip>1.1.1.1</srcip>
>>>> >> >> >> >> >> >     <description>Example of rule that will ignore sshd </description>
>>>> >> >> >> >> >> >     <description>failed logins from IP 1.1.1.1.</description>
>>>> >> >> >> >> >> >   </rule>
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> >   <rule id="554" level="7" overwrite="yes">
>>>> >> >> >> >> >> >     <category>ossec</category>
>>>> >> >> >> >> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>>>> >> >> >> >> >> >     <description>File added to the system.</description>
>>>> >> >> >> >> >> >     <group>syscheck,</group>
>>>> >> >> >> >> >> >   </rule>
>>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > Now, if I add a file in home/user_name, there is no email
>>>> >> >> >> >> >> > notification coming through the SMTP server. I am using
>>>> >> >> >> >> >> > smtp.bt.net, using
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > dig -t mx smtp.bt.net
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >> > to get the SMTP server. What are the possible reasons that
>>>> >> >> >> >> >> > I am not getting the email?
>>>> >> >> >> >> >> >
>>>> >> >> >> >> >>
>>>> >> >> >> >> >> Are you getting emails for other alerts?
>>>> >> >> >> >> >> Are alerts being triggered for these new files?
>>>> >> >> >> >> >>
>>>> >> >> >> >> >> > Many thanks
>>>> >> >> >> >> >> >

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
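The troubleshooting loop in this thread comes down to two checks before looking at SMTP at all: did a syscheck "new file" alert for the path actually land in /var/ossec/logs/alerts/alerts.log, and is its level high enough for the mailer to pick it up (the overwritten rule 554 is set to level 7 above; OSSEC's default email_alert_level is also 7). The script below is an added example, not code from the thread or from the OSSEC project. It assumes the classic multi-line alerts.log layout (header line starting with `** Alert`, a `Rule:` line, then the event text) and that the new-file event reads `New file '<path>' added to the file system.`; the sample log entries, host name `cloud01` and file names are constructed for the demonstration.

```python
"""Check an OSSEC alerts.log for the syscheck 'new file' alert discussed above.

Added example, not code from the ossec-list thread or the OSSEC project.
It assumes the classic multi-line alerts.log layout (assumption):

    ** Alert <epoch>.<seq>: [mail] - <group>,<group>,
    <date> <host>-><location>
    Rule: <id> (level <n>) -> '<description>'
    <one or more event lines>
    <blank line>
"""
import re
from dataclasses import dataclass, field

# Layout of the alert header and rule lines (assumption; see docstring).
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Event line syscheck writes for an added file when <alert_new_files> is on (assumption).
NEW_FILE_RE = re.compile(r"^New file '(?P<path>[^']+)' added to the file system\.$")


@dataclass
class Alert:
    timestamp: int
    mailed: bool                 # 'mail' tag in the header: queued for e-mail
    groups: tuple
    rule_id: int = 0
    level: int = 0
    description: str = ""
    body: list = field(default_factory=list)

    def new_file_path(self):
        """Path of the added file if this is a syscheck new-file alert, else None."""
        for line in self.body:
            m = NEW_FILE_RE.match(line)
            if m:
                return m.group("path")
        return None


def parse_alerts(text):
    """Split alerts.log text into Alert records."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            groups = tuple(g for g in m.group("groups").split(",") if g)
            current = Alert(int(m.group("ts")), m.group("mail") is not None, groups)
            alerts.append(current)
            continue
        if current is None or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            current.rule_id = int(m.group("id"))
            current.level = int(m.group("level"))
            current.description = m.group("desc")
            continue
        current.body.append(line)
    return alerts


def find_new_file_alert(text, path):
    """Return the alert recording that `path` was added, or None if none fired."""
    for alert in parse_alerts(text):
        if alert.new_file_path() == path:
            return alert
    return None


def diagnose(text, path, email_alert_level=7):
    """Answer the thread's two questions: did the alert fire, and does its
    level reach the e-mail threshold (OSSEC's email_alert_level, default 7)."""
    alert = find_new_file_alert(text, path)
    if alert is None:
        return {"alert_fired": False, "level": None, "email_eligible": False}
    return {
        "alert_fired": True,
        "level": alert.level,
        "email_eligible": alert.level >= email_alert_level,
    }


# Constructed sample in the assumed layout: one syscheck new-file alert for
# the monitored /home/user_name directory and one unrelated auth event.
SAMPLE_ALERTS = """\
** Alert 1473150000.1234: mail - ossec,syscheck,
2016 Sep 06 07:10:00 cloud01->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/user_name/notes.txt' added to the file system.

** Alert 1473150060.1300: - pam,syslog,authentication_success,
2016 Sep 06 07:11:00 cloud01->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  6 07:10:59 cloud01 sshd[2048]: pam_unix(sshd:session): session opened for user user_name by (uid=0)
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_ALERTS, "/home/user_name/notes.txt"))
    print(diagnose(SAMPLE_ALERTS, "/home/user_name/missing.txt"))
```

To run it against a live system, read /var/ossec/logs/alerts/alerts.log into a string and pass it to `diagnose()` together with the path you just created. If `alert_fired` is False, the problem is upstream of e-mail (no scan has run yet, or syscheck is not watching the directory), which is the case the thread resolves with a manual scan and a restart; if it fired but `email_eligible` is False, the rule level is below the mail threshold and no SMTP traffic should be expected, so tcpdump on port 25 would show nothing either way.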
