[ossec-list] syscheck can take months to report new or changed files
Is there a hard limit on the rate at which syscheck will report new/changed files? I have roughly 120 clients reporting to one server. I see frequent occasions where new or changed files (sometimes with realtime enabled, sometimes not) seem to be reported by syscheck days, weeks, or even months after they were known to be added or modified. This usually coincides with updates to the OS and/or kernel. Looking through the logs, it looks to me like the server is limiting reports to roughly (but not always exactly) 10 reports at a time, a second or two apart. For updates involving many thousands of files on 120 hosts, this can take so long that syscheck is simply not useful. I have documented specific examples of files that I know were added to the system months before they were actually reported by syscheck. Here is one. As an example, this is from the ossec server's alert log on Sept. 25: ** Alert 1474812143.8448019: mail - ossec, syscheck, 2016 Sep 25 07:02:23 (sampleclient) 10.0.0.9->syscheck Rule: 554 (level 10) -> 'File added to the system.' New file '/usr/lib/klibc/bin/cpio' added to the file system. Yet this file was present at least as far back as May 18: $ dpkg -S /usr/lib/klibc/bin/cpio klibc-utils: /usr/lib/klibc/bin/cpio $ zgrep -h -B2 klibc-utils /var/log/apt/history.log* Start-Date: 2016-05-18 10:58:30 Commandline: /usr/bin/apt-get -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold dist-upgrade Upgrade: libnl-genl-3-200:amd64 (3.2.21-1, 3.2.21-1ubuntu1.1), libnl-3-200:amd64 (3.2.21-1, 3.2.21-1ubuntu1.1), klibc-utils: amd64 (2.0.3-0ubuntu1, 2.0.3-0ubuntu1.14.04.1), lsb-base:amd64 (4.1+Debian11ubuntu6, 4.1+Debian11ubuntu6.1), lsb-release:amd64 (4.1+Debian11ubuntu6, 4.1+Debian11ubuntu6.1), libklibc:amd64 (2.0.3-0ubuntu1, 2.0.3-0ubuntu1.14.04.1) $ stat /usr/lib/klibc/bin/cpio File: /usr/lib/klibc/bin/cpio Size: 5168 Blocks: 16 IO Block: 4096 regular file Device: 802h/2050d Inode: 2360114 Links: 1 Access: (0755/-rwxr-xr-x) Uid: (0/root) Gid: (0/root) Access: 2016-09-30 08:33:46.193812724 -0700 Modify: 2016-04-27 21:27:30.0 -0700 Change: 2016-05-18 10:58:33.066735324 -0700 Birth: - Below are the syscheck-related configurations on the server side which affect /usr on the client: no yes /etc/mtab /etc/blkid.tab And here are the relevant client-side directives: 43200 /bin,/boot,/lib,/lib64,/opt,/sbin,/srv,/usr I have verified that syscheck is taking about 3 hours to run, which is well within the specified excecution frequency. 2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2016/09/25 09:38:29 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). 2016/09/25 21:39:02 ossec-syscheckd: INFO: Starting syscheck scan. 2016/09/26 00:48:32 ossec-syscheckd: INFO: Ending syscheck scan If there's something obvious that I screwed up or overlooked, can anyone hit me on the head with it? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Active response on server not working
That didn't work. Have to try something else. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: Unexpected FIM behavior
On Fri, Oct 14, 2016 at 5:52 PM, Mattwrote: > Realtime monitoring seems to be working now that I've adjusted the scan > frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now > 20 minutes and realtime now seems to work. I don't claim it makes sense, > it's just what I'm observing. > > Ok I've discovered that the config doesn't like this line. I modified it to > reflect one of the others and it works. > > realtime="yes">C:\TestOSS3 > > And, I've realized it's also including multiple alerts in one email. I'd > rather have one email per alert, at least a way to configure it. But I get > this reduces the count of emails. > /var/ossec/etc/internal_options.conf # Maild grouping (0=disabled, 1=enabled) # Groups alerts within the same e-mail. maild.groupping=1 > > > On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote: >> >> Hello, >> >> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't >> behaving consistently. >> >> First realtime monitoring simply isn't working. FIM only seem to work when >> the scan runs, which I have set to 10 minutes for testing. Second I only >> seem to get a fraction of the changes I've made. For testing I have 4 >> folder, and I make 2 changes in each folder, usually an edit and a delete >> and/or add. I just did that 2 time sin the last hour, so 16 changes, and I >> received only alerts for 3 of those changes. >> >> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2. >> The agent does say "INFO: Real time file monitoring started.". >> >> Following are the configs for the manager server and the agent server. Is >> there something I am missing? >> >> Manager >> >> >> >> yes >> 500 >> redac...@redacted.com >> redacted.redacted.com >> redac...@redacted.com >> yes >> >> >> >> Agent, yes the lines are intentionally each a little different for the >> directories to monitor while fiddling with this. If one is wrong please let >> me know. >> >> >> >> >> >> 600 >> yes >> no >> >> no >> >> C:\TestOSS1 >> C:\TestOSS2 >> > realtime="yes">C:\TestOSS3 >> > check_all="yes">C:\TestOSS4 >> >> >> %WINDIR%/win.ini >> %WINDIR%/system.ini >> >> Thanks, >> Matt >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Unexpected FIM behavior
Hi Matt, As we can see, Syscheck isn't very accurate with time for three main reasons: 1. In order not to impact the system performance, Syscheck sleeps two seconds for every 15 checked files. You can change this by changing the settings "syscheck.sleep" and "syscheck.sleep_after" at file *internal_options.conf*. For example, you can set "syscheck.sleep=0" in a testing environment. I don't recommend you to set this value in a production environment, although you can reduce the sleep time to 1 second or increase the sleep_after to 50 files. 2. After the Syscheck scan, the Rootcheck scan gets launched, and the real-time monitor doesn't work until Rootcheck has ended. 3. Sometimes Syscheck sleeps 5 minutes after a complete cycle (syscheck+rootcheck+realtime monitoring). I saw a little misconfiguration in your ossec.conf file: settings and are OK but they must be at the manager, not at the agent. By last, note that the first Syscheck scan will never produce neither alerts about new files nor file changes reports, this is because Syscheck generates and sends a database to the server at each scan. The manager works by analyzing the differences between different versions of the database, but the first time the manager has no database and can't produce alerts. Hope it helps. Best regards, Victor. On Saturday, October 15, 2016 at 1:10:25 AM UTC+2, Matt wrote: > > I've changed the scan frequency to 40 minutes, and realtime isn't working. > I've edited files 2 times, nothing. Hopefully it at least fires off when > the next scan happens. > > > > On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote: > >> Hello, >> >> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't >> behaving consistently. >> >> First realtime monitoring simply isn't working. FIM only seem to work >> when the scan runs, which I have set to 10 minutes for testing. Second I >> only seem to get a fraction of the changes I've made. For testing I have 4 >> folder, and I make 2 changes in each folder, usually an edit and a delete >> and/or add. I just did that 2 time sin the last hour, so 16 changes, and I >> received only alerts for 3 of those changes. >> >> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2. >> The agent does say "INFO: Real time file monitoring started.". >> >> Following are the configs for the manager server and the agent server. Is >> there something I am missing? >> >> Manager >> >> >> >> yes >> 500 >> reda...@redacted.com >> redacted.redacted.com >> reda...@redacted.com >> yes >> >> >> Agent, yes the lines are intentionally each a little different for the >> directories to monitor while fiddling with this. If one is wrong please let >> me know. >> >> >> >> >> >> 600 >> yes >> no >> >> no >> >> C:\TestOSS1 >> C:\TestOSS2 >> > realtime="yes">C:\TestOSS3 >> > check_all="yes">C:\TestOSS4 >> >> >> %WINDIR%/win.ini >> %WINDIR%/system.ini >> >> Thanks, >> Matt >> >> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Active response on server not working
On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperinkwrote: >> Been testing a little more with this. With all all >> agents get updated, except for the server. On the server AR just does not >> work like that. > > Offcourse, with local it works on the server. > > So, when you want to protect all your agents from the same attackers, you'll > be left with a vuln. Ossec Server :-) > Add 2 active-responses, one for agents and one for the server. > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Active response on server not working
> > Been testing a little more with this. With all all > agents get updated, except for the server. On the server AR just does not > work like that. > Offcourse, with local it works on the server. So, when you want to protect all your agents from the same attackers, you'll be left with a vuln. Ossec Server :-) -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Question:Edit/change agent's IP Address
Hi, Do you refer to changing the agent's IP on registering at manage_agents? In that case you may use the word *"any"* when the program asks for the IP address: $ sudo /var/ossec/bin/manage_agents > > * OSSEC HIDS v2.9.0 Agent manager. * > * The following options are available: * > >(A)dd an agent (A). >(E)xtract key for an agent (E). >(L)ist already added agents (L). >(R)emove an agent (R). >(Q)uit. > Choose your action: A,E,L,R or Q: A > > - Adding a new agent (use '\q' to return to the main menu). > Please provide the following: >* A name for the new agent: TestAgent >* The IP Address of the new agent: any >* An ID for the new agent[001]: > This way the manager will always accept the client (if the agent's name and key match) no matter the IP address. Hope it helps. Best regards, Victor. On Friday, October 14, 2016 at 8:47:43 PM UTC+2, Tristan wrote: > > > > On Tuesday, 28 September 2010 22:48:23 UTC-5, Mike Smith wrote: >> >> Hello, >> >> Can you edit or change an Agent's IP Address if it has changed. >> Either Windows or Linux? >> >> Can you use OSSEC on a DHCP client or only Static IP Addressed Servers? >> >> Thanks, >> >> Mike >> > > > Hi Mike. > > I work on Datto problems often as we use them for our clients at our IT > Office. I found out we do not have the rights to make changes to Agent ip > addresses once they are already made. So, you have two options...1) call > Datto to have them do it on their back end...2) remove and setup the agents > again from scratch. Sucks but that is all you can do. > > Tristan > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.