[ossec-list] syscheck can take months to report new or changed files

[Sunny Day]

Is there a hard limit on the rate at which syscheck will report new/changed 
files?

I have roughly 120 clients reporting to one server.   I see frequent 
occasions where new or changed files (sometimes with realtime enabled, 
sometimes not) seem to be reported by syscheck days, weeks, or even months 
after they  were known to be added or modified.  

This usually coincides with updates to the OS and/or kernel. Looking 
through the logs, it looks to me like the server is limiting reports to 
roughly (but not always exactly) 10 reports at a time, a second or two 
apart.  For updates involving many thousands of files on 120 hosts, this 
can take so long that syscheck is simply not useful.   

I have documented specific examples of files that I know were added to the 
system months before they were actually reported by syscheck. Here is one.

As an example, this is from the ossec server's alert log on Sept. 25:

** Alert 1474812143.8448019: mail  - ossec, syscheck,
2016 Sep 25 07:02:23 (sampleclient) 10.0.0.9->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/usr/lib/klibc/bin/cpio' added to the file system.

Yet this file was present at least as far back as May 18:

$ dpkg -S /usr/lib/klibc/bin/cpio
klibc-utils: /usr/lib/klibc/bin/cpio

$ zgrep -h -B2 klibc-utils /var/log/apt/history.log*
Start-Date: 2016-05-18  10:58:30
Commandline: /usr/bin/apt-get -y -o Dpkg::Options::=--force-confdef -o 
Dpkg::Options::=--force-confold dist-upgrade
Upgrade: libnl-genl-3-200:amd64 (3.2.21-1, 3.2.21-1ubuntu1.1), 
libnl-3-200:amd64 (3.2.21-1, 3.2.21-1ubuntu1.1), klibc-utils:
amd64 
(2.0.3-0ubuntu1, 2.0.3-0ubuntu1.14.04.1), lsb-base:amd64 
(4.1+Debian11ubuntu6, 4.1+Debian11ubuntu6.1), lsb-release:amd64 
(4.1+Debian11ubuntu6, 4.1+Debian11ubuntu6.1), libklibc:amd64 
(2.0.3-0ubuntu1, 2.0.3-0ubuntu1.14.04.1)

$ stat /usr/lib/klibc/bin/cpio
   File: /usr/lib/klibc/bin/cpio
   Size: 5168   Blocks: 16 IO Block: 4096   regular file
Device: 802h/2050d  Inode: 2360114 Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2016-09-30 08:33:46.193812724 -0700
Modify: 2016-04-27 21:27:30.0 -0700
Change: 2016-05-18 10:58:33.066735324 -0700
  Birth: -


Below are the syscheck-related configurations on the server side which 
affect /usr on the client:

 
 
 no
 yes

 
 /etc/mtab
 /etc/blkid.tab
 

And here are the relevant client-side directives:

 
 
 43200

 /bin,/boot,/lib,/lib64,/opt,/sbin,/srv,/usr
 

I have verified that syscheck is taking about 3 hours to run, which is well 
within the specified excecution frequency.

2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).
2016/09/25 06:28:55 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).
2016/09/25 09:38:29 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
database).
2016/09/25 21:39:02 ossec-syscheckd: INFO: Starting syscheck scan.
2016/09/26 00:48:32 ossec-syscheckd: INFO: Ending syscheck scan

If there's something obvious that I screwed up or overlooked, can anyone 
hit me on the head with it?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Active response on server not working

[Herman Harperink]

That didn't work. Have to try something else.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Unexpected FIM behavior

[dan (ddp)]

On Fri, Oct 14, 2016 at 5:52 PM, Matt  wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
> it's just what I'm observing.
>
> Ok I've discovered that the config doesn't like this line. I modified it to
> reflect one of the others and it works.
>
>  realtime="yes">C:\TestOSS3
>
> And, I've realized it's also including multiple alerts in one email. I'd
> rather have one email per alert, at least a way to configure it. But I get
> this reduces the count of emails.
>

/var/ossec/etc/internal_options.conf
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1


>
>
> On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
>>
>> Hello,
>>
>> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't
>> behaving consistently.
>>
>> First realtime monitoring simply isn't working. FIM only seem to work when
>> the scan runs, which I have set to 10 minutes for testing. Second I only
>> seem to get a fraction of the changes I've made. For testing I have 4
>> folder, and I make 2 changes in each folder, usually an edit and a delete
>> and/or add. I just did that 2 time sin the last hour, so 16 changes, and I
>> received only alerts for 3 of those changes.
>>
>> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
>> The agent does say "INFO: Real time file monitoring started.".
>>
>> Following are the configs for the manager server and the agent server. Is
>> there something I am missing?
>>
>> Manager
>>
>> 
>>   
>> yes
>> 500
>> redac...@redacted.com
>> redacted.redacted.com
>> redac...@redacted.com
>> yes
>>   
>>
>>
>> Agent, yes the lines are intentionally each a little different for the
>> directories to monitor while fiddling with this. If one is wrong please let
>> me know.
>>
>>   
>>   
>>
>> 
>> 600
>> yes
>> no
>> 
>> no
>>
>> C:\TestOSS1
>> C:\TestOSS2
>> > realtime="yes">C:\TestOSS3
>> > check_all="yes">C:\TestOSS4
>>
>> 
>> %WINDIR%/win.ini
>> %WINDIR%/system.ini
>>
>> Thanks,
>> Matt
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Unexpected FIM behavior

[Victor Fernandez]

Hi Matt,

As we can see, Syscheck isn't very accurate with time for three main 
reasons:

   1. In order not to impact the system performance, Syscheck sleeps two 
   seconds for every 15 checked files. You can change this by changing the 
   settings "syscheck.sleep" and "syscheck.sleep_after" at file 
   *internal_options.conf*. For example, you can set "syscheck.sleep=0" in 
   a testing environment. I don't recommend you to set this value in a 
   production environment, although you can reduce the sleep time to 1 second 
   or increase the sleep_after to 50 files.
   2. After the Syscheck scan, the Rootcheck scan gets launched, and the 
   real-time monitor doesn't work until Rootcheck has ended.
   3. Sometimes Syscheck sleeps 5 minutes after a complete cycle 
   (syscheck+rootcheck+realtime monitoring).

I saw a little misconfiguration in your ossec.conf file: settings 
 and  are OK but they must be at the manager, 
not at the agent.


By last, note that the first Syscheck scan will never produce neither 
alerts about new files nor file changes reports, this is because Syscheck 
generates and sends a database to the server at each scan. The manager 
works by analyzing the differences between different versions of the 
database, but the first time the manager has no database and can't produce 
alerts.


Hope it helps.

Best regards,


Victor.


On Saturday, October 15, 2016 at 1:10:25 AM UTC+2, Matt wrote:
>
> I've changed the scan frequency to 40 minutes, and realtime isn't working. 
> I've edited files 2 times, nothing. Hopefully it at least fires off when 
> the next scan happens.
>
>
>
> On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
>
>> Hello,
>>
>> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't 
>> behaving consistently.
>>
>> First realtime monitoring simply isn't working. FIM only seem to work 
>> when the scan runs, which I have set to 10 minutes for testing. Second I 
>> only seem to get a fraction of the changes I've made. For testing I have 4 
>> folder, and I make 2 changes in each folder, usually an edit and a delete 
>> and/or add. I just did that 2 time sin the last hour, so 16 changes, and I 
>> received only alerts for 3 of those changes.
>>
>> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2. 
>> The agent does say "INFO: Real time file monitoring started.".
>>
>> Following are the configs for the manager server and the agent server. Is 
>> there something I am missing? 
>>
>> Manager
>>
>> 
>>   
>> yes
>> 500
>> reda...@redacted.com 
>> redacted.redacted.com
>> reda...@redacted.com 
>> yes
>>   
>>
>> Agent, yes the lines are intentionally each a little different for the 
>> directories to monitor while fiddling with this. If one is wrong please let 
>> me know.
>>
>>   
>>   
>>   
>> 
>> 600
>> yes
>> no
>> 
>> no  
>>
>> C:\TestOSS1
>> C:\TestOSS2
>> > realtime="yes">C:\TestOSS3
>> > check_all="yes">C:\TestOSS4
>>
>> 
>> %WINDIR%/win.ini
>> %WINDIR%/system.ini
>>
>> Thanks,
>> Matt
>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Active response on server not working

[dan (ddp)]

On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperink
 wrote:
>> Been testing a little more with this. With all all
>> agents get updated, except for the server. On the server AR just does not
>> work like that.
>
> Offcourse, with local  it works on the server.
>
> So, when you want to protect all your agents from the same attackers, you'll
> be left with a vuln. Ossec Server :-)
>

Add 2 active-responses, one for agents and one for the server.


> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Active response on server not working

[Herman Harperink]

>
> Been testing a little more with this. With all all 
> agents get updated, except for the server. On the server AR just does not 
> work like that.
>
Offcourse, with local  it works on the server.

So, when you want to protect all your agents from the same attackers, 
you'll be left with a vuln. Ossec Server :-)

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Question:Edit/change agent's IP Address

[Victor Fernandez]

Hi,

Do you refer to changing the agent's IP on registering at manage_agents?

In that case you may use the word *"any"* when the program asks for the IP 
address:

$ sudo /var/ossec/bin/manage_agents 

 
>

> * OSSEC HIDS v2.9.0 Agent manager. *
> * The following options are available: *
> 
>(A)dd an agent (A).
>(E)xtract key for an agent (E).
>(L)ist already added agents (L).
>(R)emove an agent (R).
>(Q)uit.
> Choose your action: A,E,L,R or Q: A
>
> - Adding a new agent (use '\q' to return to the main menu).
>   Please provide the following:
>* A name for the new agent: TestAgent
>* The IP Address of the new agent: any
>* An ID for the new agent[001]: 
>

This way the manager will always accept the client (if the agent's name and 
key match) no matter the IP address.

Hope it helps. 

Best regards,
Victor.


On Friday, October 14, 2016 at 8:47:43 PM UTC+2, Tristan wrote:
>
>
>
> On Tuesday, 28 September 2010 22:48:23 UTC-5, Mike Smith wrote:
>>
>> Hello,
>>
>> Can you edit or change an Agent's IP Address if it has changed.
>> Either Windows or Linux?
>>
>> Can you use OSSEC on a DHCP client or only Static IP Addressed Servers?
>>
>> Thanks,
>>
>> Mike
>>
>
>
> Hi Mike.
>
> I work on Datto problems often as we use them for our clients at our IT 
> Office. I found out we do not have the rights to make changes to Agent ip 
> addresses once they are already made. So, you have two options...1) call 
> Datto to have them do it on their back end...2) remove and setup the agents 
> again from scratch. Sucks but that is all you can do.
>
> Tristan 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.