[ossec-list] no output seen from syslog_output

2016-03-03 Thread Ted Timmons
Hi. I'm setting up ossec 2.8.1, running on Ubuntu 14.04LTS.

I can see alerts (in /var/ossec/logs/alerts/alert.log) but they don't 
appear in syslog, even though I've configured it to be there. The following 
is my current config; I was running it with only the first two config items 
at first.

  <syslog_output>
    <server>127.0.0.1</server>
    <format>json</format>
    <port>514</port>
    <level>1</level>
  </syslog_output>


To round out the configuration details:

rsyslog is configured to accept UDP input:

module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1")

I've proven it works with a simple little netcat:

echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514


Here's a sample from alerts.log:

** Alert 1457050265.3945: - syslog,sudo
2016 Mar 04 00:11:05 ip-172-31-12-158->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: ubuntu
Mar  4 00:11:05 ip-172-31-12-158 sudo:   ubuntu : TTY=pts/3 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/tail -f /var/ossec/logs/alerts/alerts.log


Dan provided an answer to this in May 2015, subject "Syslog output issue", 
but it is missing a lot of detail/followup from the user.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
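The alerts.log record layout quoted above, as an added example that is not from the post or from OSSEC's own code: a parser for that layout that turns each record into a syslog line carrying a JSON body and can push it over UDP to the same rsyslog imudp input the nc test exercises. The JSON field names, the level-to-severity mapping and the "ossec:" tag are my assumptions, not what ossec-csyslogd emits.

```python
import json
import re
import socket

# Constructed sample in the alerts.log layout quoted in the post above; the
# sudo line that the mail client wrapped is joined back into one line.
SAMPLE_ALERTS_LOG = """\
** Alert 1457050265.3945: - syslog,sudo
2016 Mar 04 00:11:05 ip-172-31-12-158->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: ubuntu
Mar  4 00:11:05 ip-172-31-12-158 sudo:   ubuntu : TTY=pts/3 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/tail -f /var/ossec/logs/alerts/alerts.log
"""

# Header: "** Alert <epoch>.<seq>: [mail ] - <group,group>"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<flags>[^-]*)- (?P<groups>.+)$")
# Second line: "<YYYY Mon DD HH:MM:SS> <agent host>-><log location>"
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD_RE = re.compile(r"^(?P<name>Src IP|Dst IP|User): (?P<value>.+)$")


def parse_alerts(text):
    """Split alerts.log text into records; records are blank-line separated and
    each starts with a '** Alert' header. Lines after the known fields are the raw log."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.split("\n")
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record; skip defensively
        alert = {
            "timestamp": int(m.group("ts")),
            "seq": int(m.group("seq")),
            "mail": "mail" in m.group("flags"),
            "groups": m.group("groups").split(","),
            "fields": {},
            "log": [],
        }
        for line in lines[1:]:
            if (lm := LOCATION_RE.match(line)) and "date" not in alert:
                alert.update(date=lm.group("date"), host=lm.group("host"),
                             location=lm.group("location"))
            elif rm := RULE_RE.match(line):
                alert.update(rule_id=int(rm.group("id")), level=int(rm.group("level")),
                             description=rm.group("desc"))
            elif (fm := FIELD_RE.match(line)) and not alert["log"]:
                alert["fields"][fm.group("name")] = fm.group("value")
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts


def to_syslog_json(alert, facility=1):
    """Render one parsed alert as '<PRI>host ossec: {json}'. Severity mapping
    (my choice): level >= 12 -> crit(2), >= 7 -> warning(4), else info(6)."""
    severity = 2 if alert["level"] >= 12 else 4 if alert["level"] >= 7 else 6
    body = {
        "rule_id": alert["rule_id"], "level": alert["level"],
        "description": alert["description"], "groups": alert["groups"],
        "location": alert["location"], "fields": alert["fields"],
        "full_log": "\n".join(alert["log"]),
    }
    pri = facility * 8 + severity
    return f"<{pri}>{alert['host']} ossec: {json.dumps(body)}"


def syslog_body(line):
    """Recover the JSON body from a line produced by to_syslog_json."""
    return json.loads(line.split("ossec: ", 1)[1])


def send_udp(line, host="127.0.0.1", port=514):
    """Ship one line to rsyslog's imudp input, the same path the nc test used."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    for parsed in parse_alerts(SAMPLE_ALERTS_LOG):
        print(to_syslog_json(parsed))  # add send_udp(...) here to push to rsyslog
```

If rsyslog records these lines but nothing from OSSEC, the UDP path and rsyslog input are fine and the gap is on the OSSEC side of the socket.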


Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Joseph cosgrove
Thanks! It didn't occur to me that using realtime and report_changes 
together could cause issues. I will have to test this and see how it 
works. I realized that syscheck doesn't monitor new files until after it 
finishes the hard way, when I was trying to troubleshoot reporting and why 
it was taking so long. Thanks again for the help!

On Thursday, March 3, 2016 at 2:47:32 PM UTC-5, Santiago Bassett wrote:
>
> Afaik, ignore option has always worked fine, meaning that those files are 
> not scanned/monitored. Joseph, I would say problem is caused because you 
> are using realtime and report_changes together (pretty sure this could fill 
> up your hard disk space quickly). 
>
> Here are a couple of issues to keep in mind with realtime option:
>
> - It doesn't monitor files when rootcheck is running (meaning that it can 
> take actually a while to report the file change, could be several minutes)
>
> - It doesn't monitor new files, until the next iteration of syscheck (a 
> while loop), when file descriptors are reset for the directory monitored in 
> realtime. This can take SYSTEM_WAIT (300 seconds, hardcoded) + time to run 
> the syscheck + time to run the rootcheck. 
> Hope that helps
>
> On Thu, Mar 3, 2016 at 10:35 AM, dan (ddp) 
> > wrote:
>
>> On Thu, Mar 3, 2016 at 1:27 PM, Santiago Bassett
>> > wrote:
>> > Weird, are you sure the ignored directories are getting scanned? Maybe have
>> > a duplicated directory given to the Syscheck both in ossec.conf and
>> > agent.conf?
>> >
>>
>> Unless something has changed, that's been the way it's worked for years 
>> now.
>>
>> >
>> > On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove > >
>> > wrote:
>> >>
>> >> I have a large number of applications that I need to monitor and I was
>> >> wondering if there is a syscheck configuration option that I can use that
>> >> will not scan certain directories and/or files (similar to the way the
>> >> skip_nfs aborts syschecks). I have my agent_conf set to ignore the
>> >> directories that I want to ignore; however, syscheck still scans on the
>> >> agents and creates entries in /var, potentially filling up disk space. Given
>> >> the large number of apps that we have, writing custom rules to remedy this
>> >> is tedious.
>> >> I have my agent configuration scanning in real time like this:
>> >> > >> 
>> report_changes="yes">path/to/dirpath/to/logs
>> >>
>> >>
>> >>
>> >>
>> >> This is what is listed in the Documentation, is there a config option
>> >> anyone can think of that will help with my issue?
>> >>
>> >> ignore
>> >>
>> >> List of files or directories to be ignored (one entry per element). The
>> >> files and directories are still checked, but the results are ignored.
>> >>
>> >> Default: /etc/mtab
>> >>
>> >> Attributes:
>> >>
>> >> type: Value=sregex
>> >>
>> >> This is a simple regex pattern to filter out files so alerts are not
>> >> generated.
>> >>



Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Santiago Bassett
Afaik, ignore option has always worked fine, meaning that those files are
not scanned/monitored. Joseph, I would say problem is caused because you
are using realtime and report_changes together (pretty sure this could fill
up your hard disk space quickly).

Here are a couple of issues to keep in mind with realtime option:

- It doesn't monitor files when rootcheck is running (meaning that it can
take actually a while to report the file change, could be several minutes)

- It doesn't monitor new files, until the next iteration of syscheck (a
while loop), when file descriptors are reset for the directory monitored in
realtime. This can take SYSTEM_WAIT (300 seconds, hardcoded) + time to run
the syscheck + time to run the rootcheck.
Hope that helps

On Thu, Mar 3, 2016 at 10:35 AM, dan (ddp)  wrote:

> On Thu, Mar 3, 2016 at 1:27 PM, Santiago Bassett
>  wrote:
> > Weird, are you sure the ignored directories are getting scanned? Maybe have
> > a duplicated directory given to the Syscheck both in ossec.conf and
> > agent.conf?
> >
>
> Unless something has changed, that's been the way it's worked for years
> now.
>
> >
> > On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove 
> > wrote:
> >>
> >> I have a large number of applications that I need to monitor and I was
> >> wondering if there is a syscheck configuration option that I can use that
> >> will not scan certain directories and/or files (similar to the way the
> >> skip_nfs aborts syschecks). I have my agent_conf set to ignore the
> >> directories that I want to ignore; however, syscheck still scans on the
> >> agents and creates entries in /var, potentially filling up disk space. Given
> >> the large number of apps that we have, writing custom rules to remedy this
> >> is tedious.
> >> I have my agent configuration scanning in real time like this:
> >>  >>
> report_changes="yes">path/to/dirpath/to/logs
> >>
> >>
> >>
> >>
> >> This is what is listed in the Documentation, is there a config option
> >> anyone can think of that will help with my issue?
> >>
> >> ignore
> >>
> >> List of files or directories to be ignored (one entry per element). The
> >> files and directories are still checked, but the results are ignored.
> >>
> >> Default: /etc/mtab
> >>
> >> Attributes:
> >>
> >> type: Value=sregex
> >>
> >> This is a simple regex pattern to filter out files so alerts are not
> >> generated.
> >>



[ossec-list] Concerns related to when OSSEC server is unreachable/down?

2016-03-03 Thread jkrew
Greetings,

I'm in the process of evaluating the use of OSSEC on a large number of 
server instances. One of the biggest concerns expressed to me is whether or 
not the assets that host the Agent will be adversely affected if the Server 
becomes unavailable and the Agent is still running. For instance, I want to 
make sure that items that need to be sent to the Server don't "back up" in 
a queue somewhere that might fill up disk space over time.

I'm in the process of digging into the docs and running some tests, but I 
thought I would ask if any of you have encountered issues when the Server 
becomes unavailable?

Thanks for your input,
John



Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread dan (ddp)
On Thu, Mar 3, 2016 at 1:27 PM, Santiago Bassett
 wrote:
> Weird, are you sure the ignored directories are getting scanned? Maybe have
> a duplicated directory given to the Syscheck both in ossec.conf and
> agent.conf?
>

Unless something has changed, that's been the way it's worked for years now.

>
> On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove 
> wrote:
>>
>> I have a large number of applications that I need to monitor and I was
>> wondering if there is a syscheck configuration option that I can use that
>> will not scan certain directories and/or files (similar to the way the
>> skip_nfs aborts syschecks). I have my agent_conf set to ignore the
>> directories that I want to ignore; however, syscheck still scans on the
>> agents and creates entries in /var, potentially filling up disk space. Given
>> the large number of apps that we have, writing custom rules to remedy this
>> is tedious.
>> I have my agent configuration scanning in real time like this:
>> > report_changes="yes">path/to/dirpath/to/logs
>>
>>
>>
>>
>> This is what is listed in the Documentation, is there a config option
>> anyone can think of that will help with my issue?
>>
>> ignore
>>
>> List of files or directories to be ignored (one entry per element). The
>> files and directories are still checked, but the results are ignored.
>>
>> Default: /etc/mtab
>>
>> Attributes:
>>
>> type: Value=sregex
>>
>> This is a simple regex pattern to filter out files so alerts are not
>> generated.
>>



Re: [ossec-list] Help with setting up email alerts

2016-03-03 Thread dan (ddp)
On Thu, Mar 3, 2016 at 1:28 PM, jkrew  wrote:
> Ok, this is the agent. I  thought one could configure the agent to fire off
> emails because of this bit in the doc:
> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html)
>
> Supported types
>
> Global options are available in the following installation types:
>
> server
> local
>

Neither of those are 'agent.'

> So that helps me understand why it doesn't work, for sure. My purpose is to
> measure how long it takes for the server to alert on an issue compared to
> when it is first reported. I guess I won't use the email option for this.
>

I believe there's a rule for agents restarting, which could be sent
out by the ossec server.

> Thanks much - I can't believe I didn't catch this.
>
> On Thursday, March 3, 2016 at 1:12:25 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 3, 2016 at 1:09 PM, jkrew  wrote:
>> > Greetings,
>> >
>> > We are using OSSEC as provided by CloudAware. I'm in the process of
>> > setting
>> > up some custom alerts for testing, alerts I would like to receive via
>> > email.
>> >
>> > I am able to send email from the Linux host via the following:
>> > echo "test" | mail -s "subject line" mye...@domain.name
>> >
>> > To help troubleshoot, I've set the following debug options in
>> > internal_options.conf:
>> > syscheck.debug=1
>> > agent.debug=1
>> >
>> > And here is what I've configured in ossec.conf:
>> >
>> >
>> > 
>> > 
>> > cloud aware server
>>
>> Is this an agent or the server?
>>
>> > 
>> >
>> >   
>> > yes
>> > my email address
>> > 127.0.0.1
>> > ro...@dns.name
>> >   
>> >
>> >   
>> >1
>> >
>> >   
>> >
>> > I see no errors in the ossec.log file that indicates that it's even
>> > attempting to send mail. Am I correct that it should attempt to send me
>> > an
>> > email each time I restart OSSEC - that looks to be a level 7 alert.
>> >
>> > Any suggestions for troubleshooting would be MUCH appreciated - it feels
>> > like there might be an override setting that I'm simply not aware of,
>> > but I
>> > have yet to find anything of that nature.
>> >
>>
>> agents do not send email, just the ossec server.
>>



Re: [ossec-list] Help with setting up email alerts

2016-03-03 Thread jkrew
Ok, this is the agent. I thought one could configure the agent to fire off 
emails because of this bit in the doc:
(http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html)
Supported types

Global options are available in the following installation types:

   - server
   - local

So that helps me understand why it doesn't work, for sure. My purpose is to 
measure how long it takes for the server to alert on an issue compared to 
when it is first reported. I guess I won't use the email option for this. 

Thanks much - I can't believe I didn't catch this.

On Thursday, March 3, 2016 at 1:12:25 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Mar 3, 2016 at 1:09 PM, jkrew > 
> wrote: 
> > Greetings, 
> > 
> > We are using OSSEC as provided by CloudAware. I'm in the process of 
> setting 
> > up some custom alerts for testing, alerts I would like to receive via 
> email. 
> > 
> > I am able to send email from the Linux host via the following: 
> > echo "test" | mail -s "subject line" mye...@domain.name  
> > 
> > To help troubleshoot, I've set the following debug options in 
> > internal_options.conf: 
> > syscheck.debug=1 
> > agent.debug=1 
> > 
> > And here is what I've configured in ossec.conf: 
> > 
> > 
> >  
> >  
> > cloud aware server 
>
> Is this an agent or the server? 
>
> >  
> > 
> >
> > yes 
> > my email address 
> > 127.0.0.1 
> > ro...@dns.name  
> >
> > 
> >
> >1 
> > 
> >
> > 
> > I see no errors in the ossec.log file that indicates that it's even 
> > attempting to send mail. Am I correct that it should attempt to send me 
> an 
> > email each time I restart OSSEC - that looks to be a level 7 alert. 
> > 
> > Any suggestions for troubleshooting would be MUCH appreciated - it feels 
> > like there might be an override setting that I'm simply not aware of, 
> but I 
> > have yet to find anything of that nature. 
> > 
>
> agents do not send email, just the ossec server. 
>



Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Santiago Bassett
Weird, are you sure the ignored directories are getting scanned? Maybe have
a duplicated directory given to the Syscheck both in ossec.conf and
agent.conf?


On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove 
wrote:

> I have a large number of applications that I need to monitor and I was
> wondering if there is a syscheck configuration option that I can use that
> will not scan certain directories and/or files (similar to the way the
> skip_nfs aborts syschecks). I have my agent_conf set to ignore the
> directories that I want to ignore; however, syscheck still scans on the
> agents and creates entries in /var, potentially filling up disk space. Given
> the large number of apps that we have, writing custom rules to remedy this
> is tedious.
> I have my agent configuration scanning in real time like this:
>  report_changes="yes">path/to/dir
> path/to/logs
>
>
>
>
> This is what is listed in the Documentation, is there a config option
> anyone can think of that will help with my issue?
>
> ignore
>
> List of files or directories to be ignored (one entry per element). *The
> files and directories are still checked, but the results are ignored.*
>
> *Default:* /etc/mtab
>
> *Attributes:*
>
>    - *type*: Value=sregex
>      This is a simple regex pattern to filter out files so alerts are not
>      generated.
>
>



Re: [ossec-list] Apache log porting to Ossec server

2016-03-03 Thread Santiago Bassett
Yes, it is possible. You need to use the OSSEC logall option and have
logstash/filebeat reading /var/ossec/logs/archives.log.

My advice is to use different Elasticsearch indexes, one for the alerts and
one for the raw logs (archives).

On Wed, Mar 2, 2016 at 11:16 PM, Bhuvanesh Bhuvanachandran <
bhuvane...@gmail.com> wrote:

> Hi Folks,
>
> I am new to Ossec, and trying out the functionalities of Ossec for a
> requirement in my company. I need some help with some of the concepts that
> I am trying to achieve.
>
> Basically I am using a combination of  Ossec + Logstash + Elastic search
>  Kibana  to get the things visualized in a useful way. All these components
> integrated successfully.
>
> I have one apache web server (for testing purpose ) which is monitored by
> Ossec agent and the results are getting shipped to the Ossec server.  But
> when looking at the syslog output  of Ossec server I can only see some
> suspicious/error log entries of apache; like log entries with 400 error
> code, that triggers some Ossec rules. On IDS point of view it is perfect.
> But I need all logs getting shipped to a central server.
>
> What I am expecting here is, I want to get all logs of apache (Including
> 200 status code) get shipped to Ossec server and made available at the
> syslog output of Ossec server so that logstash can further parse the logs.
>
> Is this something possible with Ossec ?  If it is how I can achieve this ?
> Please advise.
>
>
> Thanks & Regards,
>
> Bhuvanesh
>



Re: [ossec-list] Help with setting up email alerts

2016-03-03 Thread dan (ddp)
On Thu, Mar 3, 2016 at 1:09 PM, jkrew  wrote:
> Greetings,
>
> We are using OSSEC as provided by CloudAware. I'm in the process of setting
> up some custom alerts for testing, alerts I would like to receive via email.
>
> I am able to send email from the Linux host via the following:
> echo "test" | mail -s "subject line" myem...@domain.name
>
> To help troubleshoot, I've set the following debug options in
> internal_options.conf:
> syscheck.debug=1
> agent.debug=1
>
> And here is what I've configured in ossec.conf:
>
>
> 
> 
> cloud aware server

Is this an agent or the server?

> 
>
>   
> yes
> my email address
> 127.0.0.1
> r...@dns.name
>   
>
>   
>1
>
>   
>
> I see no errors in the ossec.log file that indicates that it's even
> attempting to send mail. Am I correct that it should attempt to send me an
> email each time I restart OSSEC - that looks to be a level 7 alert.
>
> Any suggestions for troubleshooting would be MUCH appreciated - it feels
> like there might be an override setting that I'm simply not aware of, but I
> have yet to find anything of that nature.
>

agents do not send email, just the ossec server.




[ossec-list] Help with setting up email alerts

2016-03-03 Thread jkrew
Greetings,

We are using OSSEC as provided by CloudAware. I'm in the process of setting 
up some custom alerts for testing, alerts I would like to receive via 
email. 

I am able to send email from the Linux host via the following:
echo "test" | mail -s "subject line" myem...@domain.name

To help troubleshoot, I've set the following debug options in 
internal_options.conf:
syscheck.debug=1
agent.debug=1

And here is what I've configured in ossec.conf:




cloud aware server


  
yes
my email address
127.0.0.1
r...@dns.name
  

  
   1
   
  

I see no errors in the ossec.log file that indicates that it's even 
attempting to send mail. Am I correct that it should attempt to send me an 
email each time I restart OSSEC - that looks to be a level 7 alert.

Any suggestions for troubleshooting would be MUCH appreciated - it feels 
like there might be an override setting that I'm simply not aware of, but I 
have yet to find anything of that nature. 



RE: [ossec-list] What's your favorite rules?

2016-03-03 Thread lostinthetubez
Good thread idea. I’ve copied a few Windows-centric rules below. Some of the 
rules that lean heavily on  could no doubt be improved, but they don’t 
bother me with false positives or performance issues in my small environment, 
so I don’t worry about it. YMMV. I also have some decoders and rules for Cowrie 
honeypots, but intend to polish those up and submit a pull request for those 
one of these days. If anyone is interested in testing them though, I could send 
those off list.

594
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A change has been made to the software that automatically runs at startup.

18103
Length specified in network packet
Somebody is sending malformed data to your SQL Server. You should probably investigate.

18101
PSEXESVC|PsExec
Remote access via PSEXEC. If this wasn't initiated by you, then you've got a problem.

18102
^2004$
diagnosed
There's a problem with abnormal memory usage on this system! Please investigate the indicated processes.

18104
4698
A scheduled task has been created on this machine. Please review.
Requires group policy modification to the Advanced Security Audit policy/Audit Other Object Access Events. See: https://technet.microsoft.com/en-us/library/dn319119.aspx

18103
36874|36888
recon_ssl,
Add Schannel errors to the custom recon_ssl group

recon_ssl
There have been over 40 SSL cipher suite probes in the last two minutes. Someone may be performing reconnaissance on your servers, assessing whether one of your SSL-enabled services is vulnerable to exploits.
Unfortunately, Schannel errors are of limited usefulness. They occur without any indication of which IP address caused them, so consulting contextual log info or firewall logs is the only way to track down who is responsible.

18103
^1000$|^1002$|^7023$|^7034$
A program or service has crashed. Investigate as appropriate.

18101
^7045$
A new service has been installed on this computer.

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of namobuddhaon...@gmail.com
Sent: Thursday, March 3, 2016 6:35 AM
To: ossec-list 
Subject: [ossec-list] What's your favorite rules?

I'm wondering what everyone's favorite rules are.

I'm trying to come up with some new rules to tighten security, so I would like 
to hear (and see code snippets) of folks' favorites, and what they are designed 
to detect, i.e. detect commands run, look for certain IOCs and so on. I'm 
impressed with how much OSSEC does out of box too!

Thanks!


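The recon_ssl pair in the reply above (a feeder rule that tags Schannel errors 36874 and 36888, then a rule that fires on 40 of them in two minutes), as an added example that is not the poster's code or OSSEC's engine: a small sliding-window correlator run over constructed Windows event lines. The event line shape, the message texts and the window semantics are my assumptions.

```python
import re
from collections import deque

# Shape assumed for the Windows event log lines the agent forwards:
# "WinEvtLog: <channel>: <kind>(<event id>): <source>: <user>: <domain>: <host>: <message>"
EVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<kind>[A-Z_]+)\((?P<event_id>\d+)\): (?P<source>[^:]+):"
)

# The two <id> values the feeder rule matches on.
SCHANNEL_IDS = {"36874", "36888"}


def make_sample(count, start=0, spacing=1):
    """Constructed burst: `count` Schannel error events, `spacing` seconds apart,
    returned as (epoch seconds, log line) pairs. Message texts are made up."""
    events = []
    for i in range(count):
        eid = "36874" if i % 2 == 0 else "36888"
        events.append((start + i * spacing,
                       f"WinEvtLog: System: ERROR({eid}): Schannel: (no user): no domain: WEB01: "
                       "A fatal alert was generated and sent to the remote endpoint."))
    return events


def is_recon_ssl(line):
    """Feeder rule: a Windows ERROR event (the page chains it from rule 18103)
    whose source is Schannel and whose id is one of the probe ids."""
    m = EVT_RE.match(line)
    return bool(m) and m.group("kind") == "ERROR" \
        and m.group("source") == "Schannel" and m.group("event_id") in SCHANNEL_IDS


class FrequencyRule:
    """Sliding window over feeder matches: fires when `frequency` matches fall
    within `timeframe` seconds. Simplified model of frequency/timeframe; the
    window is cleared after firing so one burst yields one alert."""

    def __init__(self, frequency=40, timeframe=120):
        self.frequency, self.timeframe = frequency, timeframe
        self.window = deque()

    def feed(self, ts, line):
        if not is_recon_ssl(line):
            return False
        self.window.append(ts)
        # Drop matches older than the timeframe relative to this event.
        while self.window and ts - self.window[0] > self.timeframe:
            self.window.popleft()
        if len(self.window) >= self.frequency:
            self.window.clear()
            return True
        return False


def run(events, frequency=40, timeframe=120):
    """Return the timestamps at which the composite rule fired."""
    rule = FrequencyRule(frequency, timeframe)
    return [ts for ts, line in events if rule.feed(ts, line)]


if __name__ == "__main__":
    print("burst of 40 in 40 s fires at:", run(make_sample(40)))
    print("40 spread over 390 s fires at:", run(make_sample(40, spacing=10)))
```

As the reply notes, the Schannel events carry no client address, so the alert says only that probing happened; pairing its timestamp with firewall logs is what identifies the source.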


RE: [ossec-list] Disable Email Alerts from a particular source ip

2016-03-03 Thread lostinthetubez
You must include your rules inside of a group tag. Unless I’m totally missing 
something, that is what analysisd is complaining about.


From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of calvin ratti
Sent: Wednesday, March 2, 2016 4:25 AM
To: ossec-list 
Subject: Re: [ossec-list] Disable Email Alerts from a particular source ip


Thanks all for your feedback. I added the following in the local_rules.xml 
after  --> and before  but running into errors:

7
1.2.3.4
2.3.4.5  /24
Ignoring rule any level above 7 from Whitelisted IPs

Error:

"OSSEC analysisd: Testing rules failed. Configuration error. Exiting."

Any ideas what I could be doing wrong?

Cal


On Wednesday, 2 March 2016 10:44:22 UTC+5:30, Daniel Cid wrote:

That's correct as long as the srcip is being decoded. You may need two 
rules just in case: 

7
1.2.3.0/24
Ignoring rule any level above 7 from Whitelisted IPs

7
1.2.3.\d+
Ignoring rule any level above 7 from Whitelisted IPs

The second one is a bit dangerous as it may open you up to log 
injections, but you can use that as a start or tie it down to only 
some logs formats. 

thanks, 

On Tue, Mar 1, 2016 at 10:00 AM, calvin ratti  
> wrote: 
> Hi, 
> 
> I have a VA scanner which I have added in the Whitelist to prevent Active 
> Response from blocking the scans. What I also understand from here is that 
> to prevent email alerts, I should create a custom rule. Is the following 
> syntax proper or am i missing something: 
> 
>  
> 7 
> 1.2.3.4/24   
> Ignoring rule any level above 7 from Whitelisted 
> IPs 
>  
> 
> rule id is unique, we have configured to send email alerts only for level 7 
> & above. 
> 
> -Cal 
> 


[ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Joseph cosgrove
I have a large number of applications that I need to monitor and I was 
wondering if there is a syscheck configuration option that I can use that 
will not scan certain directories and/or files (similar to the way 
skip_nfs aborts syschecks). I have my agent_conf set to ignore the 
directories that I want to ignore, however syscheck still scans on the 
agents and creates entries in /var, potentially filling up disk space. Given 
the large number of apps that we have, writing custom rules to remedy this 
is tedious. 
I have my agent configuration scanning in real time like this: 
path/to/dirpath/to/logs




This is what is listed in the Documentation, is there a config option 
anyone can think of that will help with my issue?

ignore

List of files or directories to be ignored (one entry per element). *The 
files and directories are still checked, but the results are ignored.*

*Default:* /etc/mtab

*Attributes:*

   - *type*: Value=sregex
   - This is a simple regex pattern to filter out files so alerts are not 
     generated.



[ossec-list] What's your favorite rules?

2016-03-03 Thread namobuddhaonion
I'm wondering what everyone's favorite rules are.

I'm trying to come up with some new rules to tighten security, so I would 
like to hear (and see code snippets of) folks' favorites, and what they are 
designed to detect, e.g. detecting commands run, looking for certain IOCs and so 
on. I'm impressed with how much OSSEC does out of the box too!

Thanks!



Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Jesus Linares
Hi,

Yes, a cdb list is what you need.

1. Create the list: /var/ossec/lists/allow_users.txt
$ cat allow_users
jesuslinares:
maxim:

2. Add the file to ossec.conf:


  
lists/allow_users

3. Compile the list
$ /var/ossec/bin/ossec-makelists


4. Use in your rules:
lists/allow_users


Example:


LOGIN
user '(\S+)'
user





ExampleLogin
authentication_success
LOGIN



authentication_success
Bad user



100011

lists/allow_users
Allow user



Regards.
Jesus Linares.



On Thursday, March 3, 2016 at 12:50:06 PM UTC+1, dan (ddpbsd) wrote:
>
>
> On Mar 3, 2016 6:30 AM, "Maxim Surdu" > 
> wrote:
> >
> > is it a solution but can i create a list and a rule to read all my 
> list from the file, or something like this because now i have 300 clinets 
> but it can be more and it will not working more.
> >
>
> If that username is decoded into a user field, you might be able to create 
> a cdb database and filter based on that.
>
> > thanks for your responsiveness
> >
> > joi, 3 martie 2016, 12:13:36 UTC+2, dan (ddpbsd) a scris:
> >>
> >>
> >> On Mar 3, 2016 4:18 AM, "Maxim Surdu"  wrote:
> >> >
> >> > Hi dear community,
> >> >
> >> > i install and configure about 10 agents, and of course i have a lot 
> of users,a part of this users are ftp Clients
> >> >
> >> > in policy-rules.xml 
> >> >
> >> > i have next rules
> >> >
> >> > 
> >> >   
> >> > authentication_success
> >> > 4 pm -  7 am
> >> > Successful login during non-business 
> hours.
> >> > login_time,
> >> >   
> >> >
> >> >   
> >> > authentication_success
> >> > weekends
> >> > Successful login during weekend.
> >> > login_day,
> >> >   
> >> >
> >> >
> >> >
> >> > OSSEC HIDS Notification.
> >> >
> >> > 2016 Mar 02 19:05:41
> >> >
> >> >  
> >> >
> >> > Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
> >> >
> >> > Rule: 17101 fired (level 9) -> "Successful login during non-business 
> hours."
> >> >
> >> > Portion of the log(s):
> >> >
> >> >  
> >> >
> >> > Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is 
> now logged in
> >> >
> >> >  
> >> >
> >> >  
> >> >
> >> >  
> >> >
> >> >  --END OF NOTIFICATION
> >> >
> >> >
> >> >
> >> >
> >> > transpor is username of my client
> >> >
> >> > and i add a rule to ignore alerts of  this users because they are 
> clients
> >> > in local_rules i create next rule to ignore "Successful login during 
> non-business hours" and "Successful login during weekend" for FTP clinets
> >> >
> >> > 
> >> > 
> >> > authentication_success
> >> > 4 pm - 7 am
> >> > Successful login during non-business 
> hours.
> >> > login_time,pci_dss_10.2.5,pci_dss_10.6.1,
> >> > 
> >> >
> >> > 
> >> > authentication_success
> >> > weekends
> >> > Successful login during weekend.
> >> > login_day,pci_dss_10.2.5,pci_dss_10.6.1,
> >> >   
> >> >
> >> >
> >> > 
> >> >   17101
> >> >transpor | client1 | client2 | client3 | ... | 
> client 50 
> >> >   Sesion open by  Client
> >> > 
> >> >
> >> > 
> >> >   17102
> >> > transpor | client1 | client2 | client3 | ... | 
> client 50 
> >> >   Sesion open by Client
> >> > 
> >> >
> >> >
> >> > because i have a lot of clients ossec give me error and not started, 
> how can manage or edit this rule ?
> >> >
> >>
> >> Have you tried to create multiple rules, each with only a portion of 
> the client list?
> >>
> >> > i appreciate your help, and a lot of respect for developers and 
> community!
> >> >
> >
>
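A worked model of the four steps in Jesus's reply, added here as an example (it is not his code nor OSSEC's): it parses the text form of a cdb list (one `key:value` per line, which is what ossec-makelists compiles), renders a large user set into that form so the 300-client case from the thread no longer depends on regex length, and evaluates the "Bad user" / "Allow user" rule pair with a match_key lookup on the decoded user field. The LOGIN decoder regex, the sample log lines and the `BAD_USER_LEVEL` placeholder are assumptions; the parent rule's real level is not visible in the archived post.

```python
import re

# List file content exactly as shown in the thread: one "key:" per line, empty value.
ALLOW_USERS_TXT = "jesuslinares:\nmaxim:\n"

# Placeholder: the level of the parent "Bad user" rule was stripped from the archive.
BAD_USER_LEVEL = 10


def parse_cdb_list(text):
    """Parse the text form of an OSSEC cdb list into {key: value}.

    One `key:value` per line; the value may be empty, as in allow_users.txt above.
    This is the input ossec-makelists compiles; no .cdb file is produced here."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key:value', got {raw!r}")
        key, _, value = line.partition(":")
        if not key:
            raise ValueError(f"line {lineno}: empty key")
        table[key] = value
    return table


def is_valid_key(user):
    """A key must be non-empty, free of ':' (the separator) and of whitespace."""
    return bool(user) and ":" not in user and not any(c.isspace() for c in user)


def build_cdb_list(usernames):
    """Render usernames into list-file form, rejecting ones the format cannot hold."""
    out = []
    for user in usernames:
        if not is_valid_key(user):
            raise ValueError(f"unsupported username for a cdb key: {user!r}")
        out.append(f"{user}:")
    return "\n".join(out) + "\n"


# Constructed stand-in for the thread's LOGIN decoder: prematch "LOGIN", regex user '(\S+)'.
LOGIN_USER = re.compile(r"^LOGIN .*user '(\S+)'")


def decode(log_line):
    m = LOGIN_USER.search(log_line)
    return {"decoder": "LOGIN", "user": m.group(1)} if m else {}


def evaluate(log_line, allow_table):
    """Model of the rule pair: the parent fires 'Bad user' on any decoded LOGIN event,
    the child with the list lookup (match_key on the user field) lowers it to level 0."""
    ev = decode(log_line)
    if ev.get("decoder") != "LOGIN":
        return None
    if ev["user"] in allow_table:  # lookup="match_key": the decoded user must be a key
        return {"level": 0, "description": "Allow user", "user": ev["user"]}
    return {"level": BAD_USER_LEVEL, "description": "Bad user", "user": ev["user"]}


if __name__ == "__main__":
    table = parse_cdb_list(ALLOW_USERS_TXT)
    print(evaluate("LOGIN user 'maxim' from 10.0.0.4", table))    # constructed line
    print(evaluate("LOGIN user 'mallory' from 10.0.0.4", table))  # constructed line
```

The lookup cost does not grow with the list, and adding a client is a one-line change followed by re-running ossec-makelists, rather than editing an ever longer `|` alternation inside a rule.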



[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Jesus Linares
Hi,

I would add a *prematch* tag:


  Checkpoint
  **
  (\w+) \p\w+ \w+ 
src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)
  action,srcip,dstip



  Checkpoint
  \.*resource: (\.*);\.*product: (\.*);
  url,extra_data



Each decoder must have a *prematch* tag. Try this example without *prematch* 
and see what happens.



TestDecoder




TestDecoder
TypeA
value1: hi; value2: (\S+)
id




TestDecoder
value3: (\S+)
extra_data




TestDecoder
TypeB
field1: hi; value2: (\S+)
id



Also, when possible, try not to use the character "\.". Maybe you 
can do it with \S+.

Regards,
Jesus Linares.

On Thursday, March 3, 2016 at 10:05:16 AM UTC+1, Pedro S wrote:
>
> Hi Fredrik,
>
> I don't think OSSEC allows regex to work backwards, from end to beginning. 
> I know that can be specified in other languages with some flags, but I am not 
> sure if we can do that here. 
>
> Regarding your decoder, we have two options. One is to include the extraction of 
> the "resource" and "product" fields in the same decoder:
>
> FULL DECODER
>
> 
>   Checkpoint
>   (\w+) \p\w+ \w+ 
> src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)\.*resource: 
> (\.*);\.*product: (\.*);
>   action,srcip,dstip,url,extra_data
> 
>
> Or, in a better way, separate the extraction into two different decoders, so 
> we can be sure that in case the "resource" and "product" fields do not 
> exist, our decoder will still parse and work.
>
> SPLIT DECODERS:
>
> 
>   Checkpoint
>   (\w+) \p\w+ \w+ 
> src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)
>   action,srcip,dstip
> 
>
>
> 
>   Checkpoint
>   \.*resource: (\.*);\.*product: (\.*);
> 
>   url,extra_data
> 
>
>
>
> LOGTEST OUTPUT
> **Phase 1: Completed pre-decoding.
>full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
> allow  appi_name: **; app_desc: **; app_id: 10063753; app_category: 
> **; matched_category: **; app_properties: **; app_risk: **; 
> app_rule_id: **; app_rule_name: **; web_client_type: Chrome; 
> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
> Application Control; service: http; s_port: 58579; product_family: Network;'
>hostname: '127.0.0.1'
>program_name: '(null)'
>log: 'Jan 27 9:32:28 st4600fw01n1 allow  192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: 
> **; app_id: 10063753; app_category: **; matched_category: **; 
> app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: 
> Application Control; service: http; s_port: 58579; product_family: Network;'
>
>
> **Phase 2: Completed decoding.
>decoder: 'Checkpoint'
>action: 'allow'
>srcip: '192.168.1.15'
>dstip: '89.208.212.2'
>    url: 'http://www.aliveproxy.com/'
>    extra_data: 'Application Control'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '4100'
>Level: '0'
>Description: 'Firewall rules grouped.'
>
>
> In both decoders, I am using wildcards and always expecting "resource" 
> before "product"; otherwise it won't work. 
>
> You asked about using another "regex" line in the same decoder, it will 
> work too, like this:
>
> 
>   Checkpoint
>   (\w+) \p\w+ \w+ 
> src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)
>   *\.*resource: (\.*);\.*product: (\.*);*
>   action,srcip,dstip, url, extra_data
> 
>
>
>
> Best regards,
>
> Pedro S.
>
>
>
> On Wednesday, March 2, 2016 at 11:03:08 AM UTC+1, Fredrik wrote:
>>
>> Hi All,
>>
>>
>> Came across this where I think I would be helped by extracting fields 
>> both in forward (from beginning) and in reverse (from end) order of 
>> messages!? Is this possible, if so, is it stupid given that there are other 
>> (better) ways to accomplish the same thing :/ ? 
>>
>> In addition to the fields my current decoder extracts, I was hoping to 
>> extract the resource (http://www.aliveproxy.com/) and also the product 
>> (Application 
>> Control;). My idea was to add a secondary statement, before the  
>> statement, something in the lines of:
>> $/p\w+\s[...] and work my way backward so that I can extract 
>> Application Control and resource . How would you suggest I do this?! 
>>
>> Thanks again for all the great help - hope my threads (and questions) can 
>> be useful for other newstarters outhere trying to get there feet off the 
>> ground ;) 
>>
>> Best regards,
>> Fredrik 
>>
>> LOG-MESSAGE
>>
>> *Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow > src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; 
>> app_desc: **; app_id: 10063753; app_category: **; 
>> matched_category: **; app_properties: **; app_ri
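The two points made in this thread (Jesus's, that a prematch gates which sibling decoder gets to run, and Pedro's, that splitting extraction into a base decoder plus a child keeps the base fields when the optional ones are absent) can be shown with one small model. This is an added example, not OSSEC's decoder engine, and Python's `re` is not OSSEC's regex dialect: `\p` is rendered as `\W` and `\.*` as `.*?`. The sample log lines are constructed after the Checkpoint log in the thread, with `<eth0 inbound` standing in for the part the archive lost. In the model the parent's regex runs first, then the first child whose prematch matches is applied (a child without prematch is applied as soon as its regex matches).

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Decoder:
    name: str
    prematch: Optional[str] = None  # gate: only lines matching this are handed to the decoder
    regex: Optional[str] = None     # extraction regex; capture groups map onto `order`
    order: tuple = ()
    children: list = field(default_factory=list)


def _extract(dec, log):
    """Extracted fields; {} when the decoder has no regex, None when its regex fails."""
    if not dec.regex:
        return {}
    m = re.search(dec.regex, log)
    return dict(zip(dec.order, m.groups())) if m else None


def decode(decoders, log):
    """Simplified model of a prematch-gated decoder tree (not OSSEC's implementation)."""
    for parent in decoders:
        if parent.prematch and not re.search(parent.prematch, log):
            continue
        fields = {"decoder": parent.name}
        got = _extract(parent, log)
        if got is None:
            return fields  # prematch accepted the line, but one big regex failed: nothing extracted
        fields.update(got)
        for child in parent.children:
            if child.prematch:
                if not re.search(child.prematch, log):
                    continue
                fields.update(_extract(child, log) or {})
                break  # the first child whose prematch matches is the one applied
            got = _extract(child, log)  # no prematch: the regex itself is the only gate
            if got is not None:
                fields.update(got)
                break
        return fields
    return {}


# Pedro's expressions translated to Python re (\p -> \W, \.* -> .*?, dots escaped).
BASE = r"(\w+) \W\w+ \w+ src:\s(\d+\.\d+\.\d+\.\d+);\sdst:\s(\d+\.\d+\.\d+\.\d+)"
EXTRA = r".*?resource: (.*?);.*?product: (.*?);"
BASE_ORDER = ("action", "srcip", "dstip")
EXTRA_ORDER = ("url", "extra_data")

# "Full decoder": everything in one regex, so the optional fields become mandatory.
FULL_DECODER = [Decoder("Checkpoint", prematch=r"src:\s\d", regex=BASE + EXTRA,
                        order=BASE_ORDER + EXTRA_ORDER)]
# "Split decoders": base fields in the parent, optional fields in a child.
SPLIT_DECODERS = [Decoder("Checkpoint", prematch=r"src:\s\d", regex=BASE, order=BASE_ORDER,
                          children=[Decoder("Checkpoint", regex=EXTRA, order=EXTRA_ORDER)])]

# Jesus's TestDecoder tree: two gated children and one with no prematch in between.
TEST_DECODERS = [Decoder("TestDecoder", prematch=r"^TestDecoder ", children=[
    Decoder("TypeA", prematch=r"TypeA", regex=r"value1: hi; value2: (\S+)", order=("id",)),
    Decoder("ungated", regex=r"value3: (\S+)", order=("extra_data",)),
    Decoder("TypeB", prematch=r"TypeB", regex=r"field1: hi; value2: (\S+)", order=("id",)),
])]

# Constructed sample lines; "<eth0 inbound" is a stand-in for text lost in the archive.
LOG_FULL = ("Jan 27 9:32:28 st4600fw01n1 allow <eth0 inbound src: 192.168.1.15; dst: 89.208.212.2; "
            "proto: tcp; resource: http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 "
            "product: Application Control; service: http;")
LOG_NO_RESOURCE = ("Jan 27 9:40:10 st4600fw01n1 drop <eth0 inbound src: 10.0.0.5; dst: 10.0.0.9; "
                   "proto: udp; service: domain-udp;")

if __name__ == "__main__":
    print("full  :", decode(FULL_DECODER, LOG_NO_RESOURCE))   # only the decoder name survives
    print("split :", decode(SPLIT_DECODERS, LOG_NO_RESOURCE))  # action/srcip/dstip still extracted
    print("TypeB :", decode(TEST_DECODERS, "TestDecoder TypeB field1: hi; value2: 7 value3: stray"))
```

The last print shows what "try it without a prematch" looks like: the ungated child claims the TypeB line as soon as a `value3:` token appears, so the TypeB decoder never runs and the `id` field is lost. Anchoring each child with a prematch keeps extraction tied to the log type it was written for.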

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 6:30 AM, "Maxim Surdu"  wrote:
>
> is it a solution but can i create a list and a rule to read all my
list from the file, or something like this because now i have 300 clinets
but it can be more and it will not working more.
>

If that username is decoded into a user field, you might be able to create a
cdb database and filter based on that.

> thanks for your responsiveness
>
> joi, 3 martie 2016, 12:13:36 UTC+2, dan (ddpbsd) a scris:
>>
>>
>> On Mar 3, 2016 4:18 AM, "Maxim Surdu"  wrote:
>> >
>> > Hi dear community,
>> >
>> > i install and configure about 10 agents, and of course i have a lot of
users,a part of this users are ftp Clients
>> >
>> > in policy-rules.xml
>> >
>> > i have next rules
>> >
>> > 
>> >   
>> > authentication_success
>> > 4 pm -  7 am
>> > Successful login during non-business
hours.
>> > login_time,
>> >   
>> >
>> >   
>> > authentication_success
>> > weekends
>> > Successful login during weekend.
>> > login_day,
>> >   
>> >
>> >
>> >
>> > OSSEC HIDS Notification.
>> >
>> > 2016 Mar 02 19:05:41
>> >
>> >
>> >
>> > Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
>> >
>> > Rule: 17101 fired (level 9) -> "Successful login during non-business
hours."
>> >
>> > Portion of the log(s):
>> >
>> >
>> >
>> > Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is
now logged in
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >  --END OF NOTIFICATION
>> >
>> >
>> >
>> >
>> > transpor is username of my client
>> >
>> > and i add a rule to ignore alerts of  this users because they are
clients
>> > in local_rules i create next rule to ignore "Successful login during
non-business hours" and "Successful login during weekend" for FTP clinets
>> >
>> > 
>> > 
>> > authentication_success
>> > 4 pm - 7 am
>> > Successful login during non-business
hours.
>> > login_time,pci_dss_10.2.5,pci_dss_10.6.1,
>> > 
>> >
>> > 
>> > authentication_success
>> > weekends
>> > Successful login during weekend.
>> > login_day,pci_dss_10.2.5,pci_dss_10.6.1,
>> >   
>> >
>> >
>> > 
>> >   17101
>> >transpor | client1 | client2 | client3 | ... |
client 50 
>> >   Sesion open by  Client
>> > 
>> >
>> > 
>> >   17102
>> > transpor | client1 | client2 | client3 | ... |
client 50 
>> >   Sesion open by Client
>> > 
>> >
>> >
>> > because i have a lot of clients ossec give me error and not started,
how can manage or edit this rule ?
>> >
>>
>> Have you tried to create multiple rules, each with only a portion of the
client list?
>>
>> > i appreciate your help, and a lot of respect for developers and
community!
>> >



Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
It is a solution, but can I create a list and a rule to read all my 
list from the file, or something like this? Because now I have 300 clients, 
but it can be more and it will not work anymore.

thanks for your responsiveness

joi, 3 martie 2016, 12:13:36 UTC+2, dan (ddpbsd) a scris:
>
>
> On Mar 3, 2016 4:18 AM, "Maxim Surdu" > 
> wrote:
> >
> > Hi dear community,
> >
> > i install and configure about 10 agents, and of course i have a lot of 
> users,a part of this users are ftp Clients
> >
> > in policy-rules.xml 
> >
> > i have next rules
> >
> > 
> >   
> > authentication_success
> > 4 pm -  7 am
> > Successful login during non-business 
> hours.
> > login_time,
> >   
> >
> >   
> > authentication_success
> > weekends
> > Successful login during weekend.
> > login_day,
> >   
> >
> >
> >
> > OSSEC HIDS Notification.
> >
> > 2016 Mar 02 19:05:41
> >
> >  
> >
> > Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
> >
> > Rule: 17101 fired (level 9) -> "Successful login during non-business 
> hours."
> >
> > Portion of the log(s):
> >
> >  
> >
> > Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is 
> now logged in
> >
> >  
> >
> >  
> >
> >  
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> >
> > transpor is username of my client
> >
> > and i add a rule to ignore alerts of  this users because they are clients
> > in local_rules i create next rule to ignore "Successful login during 
> non-business hours" and "Successful login during weekend" for FTP clinets
> >
> > 
> > 
> > authentication_success
> > 4 pm - 7 am
> > Successful login during non-business 
> hours.
> > login_time,pci_dss_10.2.5,pci_dss_10.6.1,
> > 
> >
> > 
> > authentication_success
> > weekends
> > Successful login during weekend.
> > login_day,pci_dss_10.2.5,pci_dss_10.6.1,
> >   
> >
> >
> > 
> >   17101
> >transpor | client1 | client2 | client3 | ... | client 
> 50 
> >   Sesion open by  Client
> > 
> >
> > 
> >   17102
> > transpor | client1 | client2 | client3 | ... | client 
> 50 
> >   Sesion open by Client
> > 
> >
> >
> > because i have a lot of clients ossec give me error and not started, how 
> can manage or edit this rule ?
> >
>
> Have you tried to create multiple rules, each with only a portion of the 
> client list?
>
> > i appreciate your help, and a lot of respect for developers and 
> community!
> >
>



[ossec-list] Re: Help needed with Ossec implementation

2016-03-03 Thread Pedro S
Hi,

If you need to forward all the events (not only alerts) to Elastic, try to 
enable the option *yes* (available in the Wazuh fork) like this:

ossec.conf

  
 yes
  

You will find a log file at */var/ossec/logs/archives/archives.json, *then 
set up Logstash conf file to read from that file:

input {
  file {
type => "ossec-alerts"
path => "/var/ossec/logs/archives/*archives*.json"
codec => "json"
  }
}

Set the output to Elasticsearch server:

output {
  elasticsearch {
 hosts => ["your_elastic_search_ip:9200"]
 index => "ossec-%{+.MM.dd}"
 document_type => "ossec"
 template => "/etc/logstash/elastic-ossec-template.json"
 template_name => "ossec"
 template_overwrite => true
}
}

If everything goes well, you should see in Kibana every log collected by your 
OSSEC agents.

Be careful, the archives option collects *everything*, so archives.json/log and 
the elasticsearch indexes will be huge if you have a large deployment.

Regards,

Pedro S.


On Thursday, March 3, 2016 at 11:07:05 AM UTC+1, Bhuvanesh Bhuvanachandran 
wrote:
>
> Hi Folks,
>
>  
>
> I am new to Ossec, and trying out the functionalities of Ossec for a 
> requirement in my company. I need some help with some of the concepts that 
> I am trying to achieve.
>
>  
>
> Basically I am using a combination of  Ossec + Logstash + Elastic search  
> Kibana  to get the things visualized in a useful way. All these components 
> integrated successfully.
>
>  
>
> I have one apache web server (for testing purpose ) which is monitored by 
> Ossec agent and the results are getting shipped to the Ossec server.  But 
> when looking at the syslog output  of Ossec server I can only see some 
> suspicious/error log entries of apache; like log entries with 400 error 
> code, that triggers some Ossec rules. On IDS point of view it is perfect. 
> But I need all logs getting shipped to a central server.
>
>  
>
> What I am expecting here is, I want to get all logs of apache (Including 
> 200 status code) get shipped to Ossec server and made available at the 
> syslog output of Ossec server so that logstash can further parse the logs.
>
>  
>
> Is this something possible with Ossec ?  If it is how I can achieve this ? 
> Please advise.
>
>  
>
>  
>
> Thanks & Regards,
>
>  
>
> Bhuvanesh
>



Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 4:18 AM, "Maxim Surdu"  wrote:
>
> Hi dear community,
>
> i install and configure about 10 agents, and of course i have a lot of
users,a part of this users are ftp Clients
>
> in policy-rules.xml
>
> i have next rules
>
> 
>   
> authentication_success
> 4 pm -  7 am
> Successful login during non-business hours.
> login_time,
>   
>
>   
> authentication_success
> weekends
> Successful login during weekend.
> login_day,
>   
>
>
>
> OSSEC HIDS Notification.
>
> 2016 Mar 02 19:05:41
>
>
>
> Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
>
> Rule: 17101 fired (level 9) -> "Successful login during non-business
hours."
>
> Portion of the log(s):
>
>
>
> Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now
logged in
>
>
>
>
>
>
>
>  --END OF NOTIFICATION
>
>
>
>
> transpor is username of my client
>
> and i add a rule to ignore alerts of  this users because they are clients
> in local_rules i create next rule to ignore "Successful login during
non-business hours" and "Successful login during weekend" for FTP clinets
>
> 
> 
> authentication_success
> 4 pm - 7 am
> Successful login during non-business
hours.
> login_time,pci_dss_10.2.5,pci_dss_10.6.1,
> 
>
> 
> authentication_success
> weekends
> Successful login during weekend.
> login_day,pci_dss_10.2.5,pci_dss_10.6.1,
>   
>
>
> 
>   17101
>transpor | client1 | client2 | client3 | ... | client
50 
>   Sesion open by  Client
> 
>
> 
>   17102
> transpor | client1 | client2 | client3 | ... | client
50 
>   Sesion open by Client
> 
>
>
> because i have a lot of clients ossec give me error and not started, how
can manage or edit this rule ?
>

Have you tried to create multiple rules, each with only a portion of the
client list?

> i appreciate your help, and a lot of respect for developers and community!
>



Re: [ossec-list] Help needed with Ossec implementation

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 5:07 AM, "Bhuvanesh Bhuvanachandran" 
wrote:
>
> Hi Folks,
>
>
>
> I am new to Ossec, and trying out the functionalities of Ossec for a
requirement in my company. I need some help with some of the concepts that
I am trying to achieve.
>
>
>
> Basically I am using a combination of  Ossec + Logstash + Elastic search
Kibana  to get the things visualized in a useful way. All these components
integrated successfully.
>
>
>
> I have one apache web server (for testing purpose ) which is monitored by
Ossec agent and the results are getting shipped to the Ossec server.  But
when looking at the syslog output  of Ossec server I can only see some
suspicious/error log entries of apache; like log entries with 400 error
code, that triggers some Ossec rules. On IDS point of view it is perfect.
But I need all logs getting shipped to a central server.
>
>
>
> What I am expecting here is, I want to get all logs of apache (Including
200 status code) get shipped to Ossec server and made available at the
syslog output of Ossec server so that logstash can further parse the logs.
>
>
>
> Is this something possible with Ossec ?  If it is how I can achieve this
? Please advise.
>

If you use the log all option, all logs OSSEC receives will be saved to
archives.log. The syslog output is just for alerts though.

>
>
>
>
> Thanks & Regards,
>
>
>
> Bhuvanesh
>



[ossec-list] Apache log porting to Ossec server

2016-03-03 Thread Bhuvanesh Bhuvanachandran
Hi Folks,

I am new to Ossec, and trying out the functionalities of Ossec for a 
requirement in my company. I need some help with some of the concepts that 
I am trying to achieve.

Basically I am using a combination of  Ossec + Logstash + Elastic search 
 Kibana  to get the things visualized in a useful way. All these components 
integrated successfully.

I have one apache web server (for testing purposes) which is monitored by an 
Ossec agent and the results are getting shipped to the Ossec server. But 
when looking at the syslog output of the Ossec server I can only see some 
suspicious/error log entries of apache, like log entries with a 400 error 
code, that trigger some Ossec rules. From an IDS point of view it is perfect, 
but I need all logs shipped to a central server.

What I am expecting here is, I want to get all logs of apache (including 
200 status code) shipped to the Ossec server and made available at the 
syslog output of the Ossec server so that logstash can further parse the logs.

Is this possible with Ossec? If it is, how can I achieve this? 
Please advise.


Thanks & Regards,
 
Bhuvanesh



[ossec-list] Help needed with Ossec implementation

2016-03-03 Thread Bhuvanesh Bhuvanachandran


Hi Folks,

 

I am new to Ossec, and trying out the functionalities of Ossec for a 
requirement in my company. I need some help with some of the concepts that 
I am trying to achieve.

 

Basically I am using a combination of  Ossec + Logstash + Elastic search  
Kibana  to get the things visualized in a useful way. All these components 
integrated successfully.

 

I have one apache web server (for testing purposes) which is monitored by an 
Ossec agent and the results are getting shipped to the Ossec server. But 
when looking at the syslog output of the Ossec server I can only see some 
suspicious/error log entries of apache, like log entries with a 400 error 
code, that trigger some Ossec rules. From an IDS point of view it is perfect, 
but I need all logs shipped to a central server.

What I am expecting here is, I want to get all logs of apache (including 
200 status code) shipped to the Ossec server and made available at the 
syslog output of the Ossec server so that logstash can further parse the logs.

Is this possible with Ossec? If it is, how can I achieve this? 
Please advise.

 

 

Thanks & Regards,

 

Bhuvanesh



[ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of 
users; some of these users are FTP clients.

In policy-rules.xml 

I have the following rules


  
authentication_success
4 pm -  7 am
Successful login during non-business hours.
login_time,
  

  
authentication_success
weekends
Successful login during weekend.
login_day,
  



OSSEC HIDS Notification.

2016 Mar 02 19:05:41

 

Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages

Rule: 17101 fired (level 9) -> "Successful login during non-business hours."

Portion of the log(s):

 

Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now 
logged in

 

 

 

 --END OF NOTIFICATION



transpor is the username of my client

and I added a rule to ignore alerts for these users because they are clients.
In local_rules I created the following rule to ignore "Successful login during 
non-business hours" and "Successful login during weekend" for FTP clients



authentication_success
4 pm - 7 am
Successful login during non-business 
hours.
login_time,pci_dss_10.2.5,pci_dss_10.6.1,



authentication_success
weekends
Successful login during weekend.
login_day,pci_dss_10.2.5,pci_dss_10.6.1,
  



  17101
   transpor | client1 | client2 | client3 | ... | client 50 

  Sesion open by  Client



  17102
transpor | client1 | client2 | client3 | ... | client 50 

  Sesion open by Client



Because I have a lot of clients, OSSEC gives me an error and does not start. How 
can I manage or edit this rule?

I appreciate your help, and a lot of respect for the developers and community!



[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Pedro S
Hi Fredrik,

I don't think OSSEC allows regex to work backwards, from end to beginning. I 
know that can be specified in other languages with some flags, but I am not 
sure if we can do that here. 

Regarding your decoder, we have two options. One is to include the extraction of 
the "resource" and "product" fields in the same decoder:

FULL DECODER


  Checkpoint
  (\w+) \p\w+ \w+ 
src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)\.*resource: 
(\.*);\.*product: (\.*);
  action,srcip,dstip,url,extra_data


Or, in a better way, separate the extraction into two different decoders, so 
we can be sure that in case the "resource" and "product" fields do not 
exist, our decoder will still parse and work.

SPLIT DECODERS:


  Checkpoint
  (\w+) \p\w+ \w+ 
src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)
  action,srcip,dstip




  Checkpoint
  \.*resource: (\.*);\.*product: (\.*);
  url,extra_data




LOGTEST OUTPUT
**Phase 1: Completed pre-decoding.
   full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;'
   hostname: '127.0.0.1'
   program_name: '(null)'
   log: 'Jan 27 9:32:28 st4600fw01n1 allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application 
Control; service: http; s_port: 58579; product_family: Network;'


**Phase 2: Completed decoding.
   decoder: 'Checkpoint'
   action: 'allow'
   srcip: '192.168.1.15'
   dstip: '89.208.212.2'
   url: 'http://www.aliveproxy.com/'
   extra_data: 'Application Control'


**Phase 3: Completed filtering (rules).
   Rule id: '4100'
   Level: '0'
   Description: 'Firewall rules grouped.'


In both decoders, I am using \.* wildcards and always expecting "resource" 
before "product"; otherwise it won't work. 

You asked about using another "regex" line in the same decoder; it will 
work too, like this:


<decoder name="checkpoint-two-regex"> <!-- placeholder name -->
  <parent>Checkpoint</parent>
  <regex>(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
  <regex>\.*resource: (\.*);\.*product: (\.*);</regex>
  <order>action,srcip,dstip,url,extra_data</order>
</decoder>




Best regards,

Pedro S.
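
The two approaches above (one full decoder versus a base decoder plus an optional one), emulated in Python as an added example that is not part of the reply. It assumes Python's re is an adequate stand-in for OSSEC's os_regex engine, that every matching child decoder contributes its fields (as the logtest output shows), and it uses constructed log lines rather than the one from the thread:

```python
# Added example (not from the thread): how the reply's decoders behave on a
# Checkpoint line with and without the optional fields. Python's re stands in
# for OSSEC's os_regex engine; \.* becomes non-greedy so a capture stops at the
# first ';' as in the logtest output; each matching child contributes fields.
import re

OS_CLASSES = {                      # os_regex character classes
    "w": r"[A-Za-z0-9_@-]", "d": r"[0-9]", "s": r" ",
    "p": r"""[()*+,.:;<=>?\[\]!"'#$%&|{}-]""", ".": r".",
}

def os_regex_to_python(pattern):
    """Translate the OSSEC decoder regex dialect into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in OS_CLASSES:
            cls = pattern[i + 1]
            out.append(OS_CLASSES[cls])
            i += 2
            if cls == "." and i < len(pattern) and pattern[i] in "*+":
                out.append(pattern[i] + "?")   # any-char wildcard: shortest match
                i += 1
        elif c in "()+*^$|":                # metacharacters shared with PCRE
            out.append(c); i += 1
        else:                               # anything else, '.' included, is literal
            out.append(re.escape(c)); i += 1
    return "".join(out)

def decode(line, decoders):
    """Apply (regex, order) decoders; a decoder adds fields only if its whole regex matches."""
    fields = {}
    for os_regex, order in decoders:
        m = re.search(os_regex_to_python(os_regex), line)
        if m:
            fields.update(zip(order, m.groups()))
    return fields

BASE = (r"(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)",
        ["action", "srcip", "dstip"])
EXTRA = (r"\.*resource: (\.*);\.*product: (\.*);", ["url", "extra_data"])
FULL = (BASE[0] + EXTRA[0], BASE[1] + EXTRA[1])   # the single "FULL DECODER"
# Constructed sample lines (not from the thread), with and without resource/product.
WITH = ("Jan 27 9:32:28 st4600fw01n1 allow <eth0 inbound src: 192.168.1.15; "
        "dst: 89.208.212.2; proto: tcp; resource: http://www.aliveproxy.com/; "
        "proxy_src_ip: 192.168.1.15 product: Application Control; service: http;")
WITHOUT = ("Jan 27 9:32:28 st4600fw01n1 drop <eth0 inbound src: 10.0.0.7; "
           "dst: 10.0.0.9; proto: udp; service: dns;")

if __name__ == "__main__":
    print(decode(WITH, [FULL]), decode(WITHOUT, [FULL]), decode(WITHOUT, [BASE, EXTRA]))
```

With the single decoder, a line lacking resource/product yields no fields at all; with the split decoders the base fields survive and url/extra_data appear only when present.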



On Wednesday, March 2, 2016 at 11:03:08 AM UTC+1, Fredrik wrote:
>
> Hi All,
>
>
> Came across this where I think I would be helped by extracting fields both 
> in forward (from beginning) and in reverse (from end) order of messages!? 
> Is this possible, if so, is it stupid given that there are other (better) 
> ways to accomplish the same thing :/ ? 
>
> In addition to the fields my current decoder extracts, I was hoping to 
> extract the resource (http://www.aliveproxy.com/) and also the product 
> (Application 
> Control;). My idea was to add a secondary <regex> statement, before the <order> 
> statement, something along the lines of:
> $/p\w+\s[...] and work my way backward so that I can extract 
> Application Control and resource. How would you suggest I do this?! 
>
> Thanks again for all the great help - hope my threads (and questions) can 
> be useful for other newstarters out there trying to get their feet off the 
> ground ;) 
>
> Best regards,
> Fredrik 
>
> LOG-MESSAGE
>
> Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow  src: 192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; 
> app_desc: **; app_id: 10063753; app_category: **; matched_category
> : **; app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: Microsoft
> -IIS; app_sig_id: 10063753:5; resource: http://www.aliveproxy.com/; 
> proxy_src_ip: 192.168.1.15 product: Application Control; service: http; 
> s_port: 58579; product_family: Network;
>
> MY CURRENT DECODER
>
> 
> <decoder name="Checkpoint">
>   <prematch>^\w+ \d+ \d+:\d+:\d+ st4600fw01n\d</prematch>
>   <type>firewall</type>
> </decoder>
> 
>
> 
> <decoder name="checkpoint-fields"> <!-- placeholder name -->
>   <parent>Checkpoint</parent>
>   <regex>(\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)</regex>
>   <order>action,srcip,dstip</order>
> </decoder>
> 
>
> LOGTEST OUTPUT
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 
> allow  appi_name: **; app_desc: **; app_id: 10063753; app_category: 
> **; matched_category: **; app_properties: **; app_risk: **; 
> app_rule_id: **; app_rule_name: **; web_client_type: Chrome; 
> web_server_type: Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15; product: 
> Application Control; service: http; s_port: 58579; product_family: Network;'
>hostname: '127.0.0.1'
>program_name: '(null)'
>log: 'Jan 27 9:32:28 st4600fw01n1 allow  192.168.1.15; dst: 89.208.212.2; proto: tcp; appi_name: **; app_desc: 
> **; app_id: 10063753; app_category: **; matched_category: **; 
> app_properties: **; app_risk: **; app_rule_id: **; 
> app_rule_name: **; web_client_type: Chrome; web_server_type: 
> Microsoft-IIS; app_sig_id: 10063753:5; resource: 
> http://www.aliveproxy.com/; proxy_src_ip