Hi all,

I just installed ossec 3.0.0 on Redhat 6. My ossec.conf has the following entry

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>support@xxxxx</email_to>
    <smtp_server>xxxxxxx</smtp_server>
    <email_from>ossecm@xxxxx</email_from>
  </global>

and

    <directories realtime="yes" report_changes="yes" check_all="yes">/opt/modx</directories>


Besides this, nothing has changed; I went with the defaults, since my main concerns are /var/log/nginx/access.log and /opt/modx.


In my ossec.log I see the following:
2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/opt/modx', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes.
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mnttab'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/utmpx'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/wtmpx'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/cups/certs'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/dumpdates'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/svc/volatile'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/var/ossec'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/usr/bin'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/usr/sbin'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/bin'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/sbin'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/boot'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/opt/modx/core/cache/logs'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/opt/modx/downloads'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/System32/LogFiles'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Debug'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/WindowsUpdate.log'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/iis6.log'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/wbem/Logs'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/wbem/Repository'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Prefetch'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/SoftwareDistribution'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Temp'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/config'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/spool'
2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/CatRoot'
2018/09/11 10:58:56 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/modx'.
2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nginx/access.log'.
2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nginx/error.log'.
2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring output of command(360): df -P
2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort
2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
2018/09/11 10:58:57 ossec-logcollector: INFO: Started (pid: 5025).
2018/09/11 10:59:16 INFO: Connected to xxxxxxx at address 10.124.229.22, port 25
2018/09/11 10:59:58 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2018/09/11 10:59:58 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2018/09/11 11:04:31 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2018/09/11 11:32:10 ossec-syscheckd: INFO: Real time file monitoring started.
2018/09/11 11:32:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2018/09/11 11:32:22 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/09/11 11:32:42 rootcheck: INFO: Starting rootcheck scan.
2018/09/11 11:44:56 rootcheck: INFO: Ending rootcheck scan.


In my alert.log file

** Alert 1536679973.596: - ossec,rootcheck,
2018 Sep 11 11:32:53 switchover->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: PHP - Expose PHP is enabled. File: /etc/php.ini.

** Alert 1536679973.792: - ossec,rootcheck,
2018 Sep 11 11:32:53 switchover->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: PHP - Allow URL fopen is enabled. File: /etc/php.ini.

** Alert 1536680164.993: - web,accesslog,
2018 Sep 11 11:36:04 switchover->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 58.218.66.227
58.218.66.227 - - [11/Sep/2018:11:36:03 -0400] "PUT /txtpd35313.txt HTTP/1.1" 403 162 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"

** Alert 1536680164.1325: - apache,
2018 Sep 11 11:36:04 switchover->/var/log/nginx/error.log
Rule: 31301 (level 3) -> 'Nginx error message.'
Src IP: 58.218.66.227
2018/09/11 11:36:03 [error] 2668#0: *389736 NAXSI_FMT: ip=58.218.66.227&server=www.frgt.com&uri=/txtpd35313.txt&learning=0&vers=0.56&total_processed=3438&total_blocked=120&block=1&zone0=BODY&id0=11&var_name0=, client: 58.218.66.227, server: www.frgt.com, request: "PUT /txtpd35313.txt HTTP/1.1", host: "www.frgt.com"

** Alert 1536681139.2657: - apache,
2018 Sep 11 11:52:19 switchover->/var/log/nginx/error.log
Rule: 31301 (level 3) -> 'Nginx error message.'
Src IP: 54.153.176.224
2018/09/11 11:52:17 [error] 2665#0: *390291 NAXSI_FMT: ip=54.153.176.224&server=www.frgt.com&uri=/installer-backup.php&learning=0&vers=0.56&total_processed=8733&total_blocked=351&block=1&zone0=BODY&id0=16&var_name0=, client: 54.153.176.224, server: www.frgt.com, request: "POST /installer-backup.php HTTP/1.1", host: "www.frgt.com", referrer: "www.frgt.com/wp-admin/admin-ajax.php"

** Alert 1536681796.4185: - apache,
2018 Sep 11 12:03:16 switchover->/var/log/nginx/error.log
Rule: 31301 (level 3) -> 'Nginx error message.'
Src IP: 18.184.209.31
2018/09/11 12:03:15 [error] 2662#0: *390610 NAXSI_FMT: ip=18.184.209.31&server=www.frgt.com&uri=/rss/RSSCategoryItemList.aspx&learning=0&vers=0.56&total_processed=4340&total_blocked=179&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=catname, client: 18.184.209.31, server: www.frgt.com, request: "GET /rss/RSSCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,%20Guidance,%20&%20Control HTTP/1.1", host: "www.frgt.com"


I do not see any email alerts come in, even after I touched a file in /opt/modx.


Thanks

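A small parser for the alerts.log format quoted in the post, added here as an example (it is not part of the original message or of OSSEC itself), which applies the `<email_alert_level>` threshold from ossec.conf to each entry: with OSSEC's shipped default of 7, none of the level 3 and level 5 alerts above is eligible for e-mail on the level test alone, which is the first thing to verify when the log shows ossec-maild connecting to the SMTP server but nothing arrives. The two sample entries are copied from the excerpt above (wrapped lines re-joined); per-rule e-mail options and rules that never fire are outside what this check covers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Two entries copied from the alerts.log excerpt in the post (constructed sample input).
SAMPLE_ALERTS_LOG = """\
** Alert 1536679973.596: - ossec,rootcheck,
2018 Sep 11 11:32:53 switchover->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: PHP - Expose PHP is enabled. File: /etc/php.ini.

** Alert 1536680164.993: - web,accesslog,
2018 Sep 11 11:36:04 switchover->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 58.218.66.227
58.218.66.227 - - [11/Sep/2018:11:36:03 -0400] "PUT /txtpd35313.txt HTTP/1.1" 403 162 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: - (.*)$")          # epoch, group list
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")    # id, level, description

@dataclass
class Alert:
    timestamp: int
    groups: List[str]
    location: str          # what follows "hostname->" on the second line
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str]  # "Src IP:" line is only present for some decoders

def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text on blank lines and parse each '** Alert' entry."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header, rule = HEADER_RE.match(lines[0]), RULE_RE.match(lines[2])
        if not (header and rule):
            continue  # malformed entry: skip it rather than guess at its fields
        src = [ln[len("Src IP: "):] for ln in lines[3:] if ln.startswith("Src IP: ")]
        alerts.append(Alert(int(header[1]), [g for g in header[2].split(",") if g],
                            lines[1].split("->", 1)[1], int(rule[1]), int(rule[2]),
                            rule[3], src[0] if src else None))
    return alerts

def would_email(alerts: List[Alert], email_alert_level: int = 7) -> List[Alert]:
    """Alerts at or above <email_alert_level>; on the level test alone these are the
    only ones ossec-maild sends. OSSEC's shipped default threshold is 7."""
    return [a for a in alerts if a.level >= email_alert_level]
```

Run `would_email(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()))` on a real file to see which of the alerts that did fire would have cleared the threshold; an empty list with the default of 7 points at the threshold, not at SMTP delivery.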