On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng <[email protected]> wrote:
> thanks, how to enable active response in ossec.conf?
>

If it's disabled, delete that block. If it's not disabled, it should be
running (`ps auxww | grep ossec-execd`)

> On 6 September 2016 at 12:15, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng <[email protected]> wrote:
>> > Could you elaborate the steps you went through? How does it work?
>> >
>>
>> Make sure active response is enabled.
>> run:
>> /var/ossec/bin/agent_control -r -u 000
>>
>> Wait.
>>
>> > On 6 September 2016 at 12:12, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <[email protected]> wrote:
>> >> > On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <[email protected]> wrote:
>> >> >> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <[email protected]> wrote:
>> >> >>>
>> >> >>> since I am running local-ossec, so agent_control doesn't do any good here?
>> >> >>>
>> >> >>
>> >> >> I'll install a local instance and try it out for you. I'll report back shortly.
>> >> >>
>> >> >
>> >> > Not positive, but it doesn't look like it's working. I'm not keeping it around for another try.
>> >> > You may just have to restart the syscheckd process.
>> >> >
>> >>
>> >> It does look like this might be working, just had to have execd
>> >> running and have a bit more patience.
>> >>
>> >> >>> On 5 September 2016 at 17:43, dan (ddp) <[email protected]> wrote:
>> >> >>>>
>> >> >>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <[email protected]> wrote:
>> >> >>>> > Hi, ideally we like ossec to check file integrity in real time, if not, what are the other options ossec can offer in that aspect?
>> >> >>>> >
>> >> >>>>
>> >> >>>> It will do some things in real time, not all. I think it should be a fairly simple code change to add new files to the realtime options, but I've never really looked into it.
>> >> >>>>
>> >> >>>> > Is there a Syscheck cmd in ossec?
>> >> >>>> >
>> >> >>>>
>> >> >>>> # /var/ossec/bin/agent_control -h
>> >> >>>>
>> >> >>>> OSSEC HIDS agent_control: Control remote agents.
>> >> >>>> Available options:
>> >> >>>>   -h          This help message.
>> >> >>>>   -l          List available (active or not) agents.
>> >> >>>>   -lc         List active agents.
>> >> >>>>   -i <id>     Extracts information from an agent.
>> >> >>>>   -R <id>     Restarts agent.
>> >> >>>>   -r -a       Runs the integrity/rootkit checking on all agents now.
>> >> >>>>   -r -u <id>  Runs the integrity/rootkit checking on one agent now.
>> >> >>>>
>> >> >>>>   -b <ip>     Blocks the specified ip address.
>> >> >>>>   -f <ar>     Used with -b, specifies which response to run.
>> >> >>>>   -L          List available active responses.
>> >> >>>>   -s          Changes the output to CSV (comma delimited).
>> >> >>>>
>> >> >>>>
>> >> >>>> > On 5 September 2016 at 17:23, dan (ddp) <[email protected]> wrote:
>> >> >>>> >>
>> >> >>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <[email protected]> wrote:
>> >> >>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file, no alerts fired after adding a file to /home/user_name, which is monitored by ossec. What are the possible problems?
>> >> >>>> >> >
>> >> >>>> >>
>> >> >>>> >> A syscheck scan probably hasn't run since the file was added (I don't think it works with realtime).
>> >> >>>> >> Try running a syscheck scan to see if an alert is created.
>> >> >>>> >>
>> >> >>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>> >> >>>> >> >>
>> >> >>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <[email protected]> wrote:
>> >> >>>> >> >> > Using the above cmd, adding a file on a monitored directory, i.e. /home/user_name,
>> >> >>>> >> >> >
>> >> >>>> >> >> > nothing is shown on tcpdump,
>> >> >>>> >> >> >
>> >> >>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> >> >>>> >> >> >
>> >> >>>> >> >> >
>> >> >>>> >> >>
>> >> >>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>> >> >>>> >> >> So make sure you're listening to the interface the emails should be sent from.
>> >> >>>> >> >> Did any alerts fire while you were using tcpdump (check /var/ossec/logs/alerts/alerts.log)?
>> >> >>>> >> >> If not, that'll be a problem.
>> >> >>>> >> >>
>> >> >>>> >> >> >
>> >> >>>> >> >> >
>> >> >>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>> >> >>>> >> >> >>
>> >> >>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <[email protected]> wrote:
>> >> >>>> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
>> >> >>>> >> >> >> >
>> >> >>>> >> >> >>
>> >> >>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>> >> >>>> >> >> >>
>> >> >>>> >> >> >> > cheers
>> >> >>>> >> >> >> >
>> >> >>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >> >>>> >> >> >> >>
>> >> >>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]> wrote:
>> >> >>>> >> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any emails. The notification is turned on as
>> >> >>>> >> >> >> >> >
>> >> >>>> >> >> >> >>
>> >> >>>> >> >> >> >> Try using tcpdump (looking for connections to the email server from the OSSEC system) or check the maillogs on the email server to determine if there is an error when sending.
>> >> >>>> >> >> >> >>
>> >> >>>> >> >> >> >> > <alert_new_files>yes</alert_new_files>
>> >> >>>> >> >> >> >> >
>> >> >>>> >> >> >> >> > in ossec.conf
>> >> >>>> >> >> >> >> >
>> >> >>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >> >>>> >> >> >> >> >>
>> >> >>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
>> >> >>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configured ossec.conf as follows. I tried to detect new additions using <alert_new_files>yes</alert_new_files>.
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > <global>
>> >> >>>> >> >> >> >> >> >   <email_notification>yes</email_notification>
>> >> >>>> >> >> >> >> >> >   <email_to>[email protected]</email_to>
>> >> >>>> >> >> >> >> >> >   <smtp_server>ns0.bt.net.</smtp_server>
>> >> >>>> >> >> >> >> >> >   <email_from>[email protected]</email_from>
>> >> >>>> >> >> >> >> >> > </global>
>> >> >>>> >> >> >> >> >> > <syscheck>
>> >> >>>> >> >> >> >> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >> >>>> >> >> >> >> >> >   <frequency>79200</frequency>
>> >> >>>> >> >> >> >> >> >   <alert_new_files>yes</alert_new_files>
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> >   <!-- Directories to check (perform all possible verifications) -->
>> >> >>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >> >>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >> >>>> >> >> >> >> >> >   <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>> >> >>>> >> >> >> >> >> > </syscheck>
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > The local_rules.xml is like,
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > <group name="local,syslog,">
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> >   <!-- Note that rule id 5711 is defined at the ssh_rules file
>> >> >>>> >> >> >> >> >> >     - as a ssh failed login. This is just an example
>> >> >>>> >> >> >> >> >> >     - since ip 1.1.1.1 shouldn't be used anywhere.
>> >> >>>> >> >> >> >> >> >     - Level 0 means ignore.
>> >> >>>> >> >> >> >> >> >     -->
>> >> >>>> >> >> >> >> >> >   <rule id="100001" level="0">
>> >> >>>> >> >> >> >> >> >     <if_sid>5711</if_sid>
>> >> >>>> >> >> >> >> >> >     <srcip>1.1.1.1</srcip>
>> >> >>>> >> >> >> >> >> >     <description>Example of rule that will ignore sshd </description>
>> >> >>>> >> >> >> >> >> >     <description>failed logins from IP 1.1.1.1.</description>
>> >> >>>> >> >> >> >> >> >   </rule>
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> >   <rule id="554" level="7" overwrite="yes">
>> >> >>>> >> >> >> >> >> >     <category>ossec</category>
>> >> >>>> >> >> >> >> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >> >>>> >> >> >> >> >> >     <description>File added to the system.</description>
>> >> >>>> >> >> >> >> >> >     <group>syscheck,</group>
>> >> >>>> >> >> >> >> >> >   </rule>
>> >> >>>> >> >> >> >> >> > </group> <!-- SYSLOG,LOCAL -->
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > Now, if I added a file in home/user_name, there is no email notification coming through the SMTP server. I am using smtp.bt.net, using
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > dig -t mx smtp.bt.net
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > to get the SMTP server. What are the possible reasons that I am not getting the email?
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >>
>> >> >>>> >> >> >> >> >> Are you getting emails for other alerts?
>> >> >>>> >> >> >> >> >> Are alerts being triggered for these new files?
>> >> >>>> >> >> >> >> >>
>> >> >>>> >> >> >> >> >> > Many thanks
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > --
>> >> >>>> >> >> >> >> >> >
>> >> >>>> >> >> >> >> >> > ---
>> >> >>>> >> >> >> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> >>>> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> >>>> >> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
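The thread turns on three separate things having to line up before a new file in a monitored directory produces an email: syscheck must actually scan (or be told to with `agent_control -r -u 000`), rule 554 must be raised above its stock level so the alert is not dropped, and that level must meet the email threshold. The script below is an added example, not code from the ossec-list thread or from the OSSEC project; it parses config fragments shaped like the poster's ossec.conf and local_rules.xml and alerts.log entries shaped like the ones syscheck writes, and reports which link in that chain is missing. The sample config, rules and log lines are constructed, the hostnames and addresses are placeholders, and the email threshold of 7 is assumed to be the default when `<email_alert_level>` is absent.

```python
"""Trace whether an OSSEC syscheck "file added" alert can reach email.

Added example (not from the ossec-list thread or the OSSEC project).
"""
import re
import xml.etree.ElementTree as ET

NEW_FILE_RULE_ID = "554"       # stock "File added to the system." rule, level 0 unless overwritten
DEFAULT_EMAIL_ALERT_LEVEL = 7  # assumption: threshold used when <email_alert_level> is absent

# Constructed sample: the poster's ossec.conf fragments with placeholder addresses.
SAMPLE_OSSEC_CONF = """
<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.invalid</email_to>
  <smtp_server>mail.example.invalid</smtp_server>
</global>
<syscheck>
  <frequency>79200</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
</syscheck>
"""

# Constructed sample: the poster's local_rules.xml overwrite of rule 554.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

# Constructed sample alerts.log: one mailed new-file alert plus one unrelated alert.
SAMPLE_ALERTS_LOG = """\
** Alert 1473160800.1024: mail - ossec,syscheck,
2016 Sep 06 12:20:00 cloudbox->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/user_name/test.txt' added to the file system.

** Alert 1473160805.2048: mail - ossec,syscheck,
2016 Sep 06 12:20:05 cloudbox->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""


def _wrap(fragment: str) -> ET.Element:
    # ossec.conf may hold several top-level elements; give them a single root.
    return ET.fromstring("<root>" + fragment + "</root>")


def check_config(ossec_conf: str, local_rules: str) -> dict:
    """Report each precondition for a new-file alert being emailed."""
    conf, rules = _wrap(ossec_conf), _wrap(local_rules)
    out = {
        "email_notification": (conf.findtext(".//global/email_notification") or "").strip() == "yes",
        "alert_new_files": (conf.findtext(".//syscheck/alert_new_files") or "").strip() == "yes",
        "realtime_dirs": [d.text.strip() for d in conf.iter("directories")
                          if d.get("realtime") == "yes" and d.text],
        "email_alert_level": int(conf.findtext(".//alerts/email_alert_level")
                                 or DEFAULT_EMAIL_ALERT_LEVEL),
        "rule_554_level": 0,  # stays 0 unless local_rules.xml overwrites the rule
    }
    for rule in rules.iter("rule"):
        if rule.get("id") == NEW_FILE_RULE_ID and rule.get("overwrite") == "yes":
            out["rule_554_level"] = int(rule.get("level", "0"))
    out["will_email"] = (out["email_notification"] and out["alert_new_files"]
                         and out["rule_554_level"] >= out["email_alert_level"])
    return out


ALERT_HEADER = re.compile(r"^\*\* Alert \d+\.\d+: (?P<mail>mail )?- (?P<groups>.*)$")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
NEW_FILE_LINE = re.compile(r"^New file '(?P<path>[^']+)' added to the file system\.$")


def new_file_alerts(alerts_log: str) -> list:
    """Return (path, level, mailed) for every rule-554 alert in alerts.log text."""
    found = []
    for block in alerts_log.strip().split("\n\n"):
        lines = block.splitlines()
        head = ALERT_HEADER.match(lines[0]) if lines else None
        if not head:
            continue
        rule = path = None
        for line in lines[1:]:
            rule = RULE_LINE.match(line) or rule
            m = NEW_FILE_LINE.match(line)
            path = m.group("path") if m else path
        if rule and rule.group("id") == NEW_FILE_RULE_ID and path:
            found.append((path, int(rule.group("level")), head.group("mail") is not None))
    return found


if __name__ == "__main__":
    for key, value in check_config(SAMPLE_OSSEC_CONF, SAMPLE_LOCAL_RULES).items():
        print(f"{key}: {value}")
    for path, level, mailed in new_file_alerts(SAMPLE_ALERTS_LOG):
        print(f"new file {path} (level {level}, mailed={mailed})")
```

Run against a real install, `check_config` would take the contents of /var/ossec/etc/ossec.conf and /var/ossec/rules/local_rules.xml and `new_file_alerts` the contents of /var/ossec/logs/alerts/alerts.log; the `mail` marker in an alert header is the quickest way to separate "no alert fired" from "alert fired but was never handed to the mailer", which is the distinction dan keeps asking the poster to check.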
