[ossec-list] syslog facility when sending to remote syslog server?
Hi all,

I've been using ossec for a while now and I really like it.

I'm now trying to integrate ossec with a monitoring application. I'd like to have ossec send Alerts to a remote host via syslog.

I have it all working, with one exception. It looks like ossec forwards ALL events as local0.warning.

Is this configurable? Is there a way to change it?

What I'd really love is a way to set an Alert level to a specific facility / severity so that the monitoring system can handle different events differently without having to do much parsing of the message contents.

Does anyone have any tips or pointers?

Thanks!

J

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: syslog facility when sending to remote syslog server?
Thanks Dan

On Friday, 13 January 2017 10:44:46 UTC-5, Joel wrote:
> Hi all,
>
> I've been using ossec for a while now and I really like it.
>
> I'm now trying to integrate ossec with a monitoring application. I'd like to have ossec send Alerts to a remote host via syslog.
>
> I have it all working, with one exception. It looks like ossec forwards ALL events as local0.warning.
>
> Is this configurable? Is there a way to change it?
>
> What I'd really love is a way to set an Alert level to a specific facility / severity so that the monitoring system can handle different events differently without having to do much parsing of the message contents.
>
> Does anyone have any tips or pointers?
>
> Thanks!
>
> J
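An added example (not from this thread or from the OSSEC project): because every alert leaves the manager with the same syslog priority, a relay or the monitoring host has to recover the alert level from the message text. The Python below parses the default OSSEC syslog_output message layout as I recall it (assumed: `<PRI>timestamp host ossec: Alert Level: N; Rule: ID - DESC; Location: LOC; srcip: ...;`) and rewrites the PRI so that the syslog severity follows the alert level; the level-to-severity thresholds are my own policy, and the sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog (RFC 3164) numeric codes: PRI = facility * 8 + severity.
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Assumed layout of the default OSSEC syslog_output message:
#   <PRI>Mon dd hh:mm:ss host ossec: Alert Level: N; Rule: ID - DESC;
#   Location: LOC;[ srcip: IP;][ user: U;] <original log line>
OSSEC_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>[^;]*); "
    r"Location: (?P<location>[^;]*);(?P<rest>.*)$"
)

# Constructed sample of what the monitoring host receives: everything
# arrives as <132>, i.e. local0 (16) * 8 + warning (4), whatever the level.
SAMPLE_LINE = (
    "<132>Jan 13 10:44:46 e-ossec-001 ossec: Alert Level: 10; "
    "Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (linode0) 192.0.2.10->/var/log/secure; srcip: 198.51.100.7; "
    "user: root; Jan 13 10:44:45 linode0 sshd[17907]: Failed password for root "
    "from 198.51.100.7 port 40001 ssh2"
)


@dataclass
class OssecAlert:
    facility: int
    severity: int
    host: str
    level: int
    rule_id: int
    description: str
    location: str
    srcip: Optional[str]


def parse_ossec_syslog(line: str) -> Optional[OssecAlert]:
    """Split one OSSEC syslog alert into fields; None if the line does not match."""
    m = OSSEC_SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:              # 23 * 8 + 7 is the largest valid PRI
        return None
    ip = re.search(r" srcip: ([^;]+);", m.group("rest"))
    return OssecAlert(
        facility=pri // 8,
        severity=pri % 8,
        host=m.group("host"),
        level=int(m.group("level")),
        rule_id=int(m.group("rule")),
        description=m.group("desc"),
        location=m.group("location"),
        srcip=ip.group(1) if ip else None,
    )


def severity_for_level(level: int) -> int:
    """Map an OSSEC alert level (0-15) to a syslog severity.
    The thresholds are an assumed policy, not something OSSEC defines."""
    if level >= 12:
        return SEVERITIES["crit"]
    if level >= 10:
        return SEVERITIES["err"]
    if level >= 7:
        return SEVERITIES["warning"]
    if level >= 4:
        return SEVERITIES["notice"]
    return SEVERITIES["info"]


def reprioritize(line: str, facility: str = "local0") -> Optional[str]:
    """Return the alert with its PRI rewritten so the syslog severity reflects
    the alert level; None for lines that are not OSSEC alerts."""
    alert = parse_ossec_syslog(line)
    if alert is None:
        return None
    new_pri = FACILITIES[facility] * 8 + severity_for_level(alert.level)
    return f"<{new_pri}>" + line[line.index(">") + 1:]
```

Run as a relay step (for instance from an rsyslog output program), this lets the monitoring system filter on facility/severity without parsing the message body itself.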
[ossec-list] ossec-analysisd won't start, "could not create directory"
hi all,

man, not having a good day. I was starting to run out of space on my / volume as a result of ossec logs piling up. I need to keep the logs, so I added a new drive (to the ossec VMW vm), mounted it and then moved the logs/ directory to the new mount.

Now, when starting ossec, ossec-analysisd won't start. I think it's trying to chroot and can't cross the filesystem boundary...?

2017/01/13 19:24:47 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2017/01/13 19:24:47 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2017/01/13 19:24:50 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Connection refused'.
2017/01/13 19:24:50 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2017/01/13 19:24:50 ossec-analysisd: DEBUG: Active response Init completed.
2017/01/13 19:24:50 ossec-analysisd(1107): ERROR: Could not create directory '/logs/archives/2017/' due to [(2)-(No such file or directory)].

and

[root@e-ossec-001: /var/ossec]# ls -ald /data/logs/ossec/
drwxr-xr-x 6 ossec ossec 129 Jan 13 19:03 /data/logs/ossec/
[root@e-ossec-001: /var/ossec]# ls -al /var/ossec/
total 24
dr-xr-x--- 16 root ossec 4096 Jan 13 18:55 .
drwxr-xr-x. 20 root root 4096 Jan 13 19:21 ..
dr-xr-x--- 3 root ossec 16 Jan 12 22:05 active-response
dr-xr-x--- 2 root ossec 4096 Oct 6 13:37 agentless
drwxr-x--- 3 root ossec 19 Oct 6 13:37 backup
dr-xr-x--- 2 root root 4096 Jan 12 18:43 bin
dr-xr-x--- 5 root ossec 4096 Jan 13 16:34 etc
drwxr-x--- 2 root ossec 34 Oct 6 13:37 integrations
lrwxrwxrwx 1 root root 16 Jan 13 18:55 logs -> /data/logs/ossec
dr-xr-x--- 4 root root 34 Oct 6 13:37 lua
dr-xr-x--- 11 root ossec 150 Oct 6 13:38 queue
dr-xr-x--- 2 root ossec 4096 Oct 17 13:36 rules
drwx------ 2 root ossec 6 Oct 6 13:37 .ssh
drwxr-x--- 5 ossec ossec 61 Oct 6 13:57 stats
dr-xr-x--T 2 root ossec 6 Oct 6 13:37 tmp
dr-xr-x--- 3 root root 20 Oct 6 13:37 update
dr-xr-x--- 3 root ossec 16 Jan 13 19:24 var

Do I need to keep it all on the same volume?

thanks!
Joel
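The path in the error is '/logs/archives/2017/' rather than '/var/ossec/logs/...' because ossec-analysisd chroots into /var/ossec; inside that chroot an absolute symlink target such as /data/logs/ossec is looked up below the chroot root, where it does not exist, even though 'ls' on the host follows the link fine. The Python below is an added example (not from the thread) that resolves a path the way a chrooted process would and rebuilds the poster's layout in a scratch directory; the directory layout is constructed.

```python
import os
import tempfile


def resolve_in_chroot(root, path, max_links=40):
    """Resolve `path` as a process chrooted into `root` would see it.

    Symlinks are followed component by component; an absolute link target is
    re-rooted at `root` instead of the real '/', and '..' can never climb
    above `root`. Returns (host_path, exists): the real host location the
    chrooted process ends up at, and whether it exists."""
    root = os.path.realpath(root)
    cur = []                          # chroot-relative components resolved so far
    pending = [c for c in path.split("/") if c and c != "."]
    links = 0
    while pending:
        name = pending.pop(0)
        if name == "..":
            if cur:
                cur.pop()             # at the chroot root '..' stays put
            continue
        candidate = cur + [name]
        host = os.path.join(root, *candidate)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(host)
            if target.startswith("/"):
                cur = []              # absolute target: restart at the chroot root
            # a relative target is resolved from the link's directory, i.e. `cur`
            pending = [c for c in target.split("/") if c and c != "."] + pending
            continue
        cur = candidate
    host = os.path.join(root, *cur)
    return host, os.path.exists(host)


def demo():
    """Rebuild the thread's layout in a scratch directory (constructed) and
    compare the host's view of the links with the chrooted view."""
    with tempfile.TemporaryDirectory() as tmp:
        data_logs = os.path.join(tmp, "data", "logs", "ossec")
        os.makedirs(os.path.join(data_logs, "archives"))
        ossec_root = os.path.join(tmp, "var", "ossec")
        os.makedirs(os.path.join(ossec_root, "logs_local", "archives"))
        # logs -> /data/logs/ossec, as in the poster's 'ls -al /var/ossec'
        os.symlink(data_logs, os.path.join(ossec_root, "logs"))
        # a relative link escapes the same way: '..' stops at the chroot root
        os.symlink(os.path.join("..", "..", "data", "logs", "ossec"),
                   os.path.join(ossec_root, "logs_rel"))

        landed, _ = resolve_in_chroot(ossec_root, "/logs/archives")
        return {
            # outside the chroot both links work, which is why 'ls' looked fine
            "host_abs_link": os.path.isdir(os.path.join(ossec_root, "logs", "archives")),
            "host_rel_link": os.path.isdir(os.path.join(ossec_root, "logs_rel", "archives")),
            # inside the chroot neither target exists: this is analysisd's error
            "chroot_abs_link": resolve_in_chroot(ossec_root, "/logs/archives")[1],
            "chroot_rel_link": resolve_in_chroot(ossec_root, "/logs_rel/archives")[1],
            # a real directory under /var/ossec (or a bind mount placed there) is visible
            "chroot_real_dir": resolve_in_chroot(ossec_root, "/logs_local/archives")[1],
            # the absolute link is looked up below the chroot root, not the host root
            "abs_link_lands_under_chroot": landed.startswith(os.path.realpath(ossec_root)),
        }
```

The practical consequence is that the logs do not have to live on the same volume, but they must appear below /var/ossec to the chrooted daemon (a bind mount of the new volume onto /var/ossec/logs does that; a symlink pointing outside does not).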
[ossec-list] Can the windows agent report to Wazuh and OSSIM simultaneously?
Am I able to set up the OSSEC windows agent to report to both a Wazuh and an OSSIM server at the same time?
[ossec-list] remoted not starting
I have an ansible-ized install of ossec as a server, using the art rpms to install (ossec-hids and ossec-hids-server). I have it working as expected on a server in our office, however when I run the same setup on a server in our remote data center I am unable to get remoted to stay running. Both of these servers started as centos 6.5 minimal installs.. both are x86_64.

Everything starts up, including remoted, but remoted then exits after it forks. From gdb:

Reading symbols from /var/ossec/bin/ossec-remoted...Reading symbols from /usr/lib/debug/var/ossec/bin/ossec-remoted.debug...done.
done.
(gdb) set follow-fork-mode child
(gdb) run -df
Starting program: /var/ossec/bin/ossec-remoted -df
[Thread debugging using libthread_db enabled]
2014/11/25 00:43:05 ossec-remoted: DEBUG: Starting ...
2014/11/25 00:43:05 ossec-remoted: INFO: Started (pid: 24882).
[New process 24885]
[Thread debugging using libthread_db enabled]
2014/11/25 00:43:05 ossec-remoted: DEBUG: Forking remoted: '0'.
2014/11/25 00:43:05 ossec-remoted: INFO: Started (pid: 24885).
2014/11/25 00:43:05 ossec-remoted: DEBUG: Running manager_init
[New Thread 0x775ea700 (LWP 24886)]
[New Thread 0x76be9700 (LWP 24887)]
2014/11/25 00:43:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2014/11/25 00:43:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/11/25 00:43:05 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/11/25 00:43:05 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
[Thread 0x775ea700 (LWP 24886) exited]
[Thread 0x76be9700 (LWP 24887) exited]

ossec.log:

2014/11/25 00:43:05 ossec-remoted: DEBUG: Starting ...
2014/11/25 00:43:05 ossec-remoted: INFO: Started (pid: 24882).
2014/11/25 00:43:05 ossec-remoted: DEBUG: Forking remoted: '0'.

ossec.conf (I've tried every variation I can think of here, including removing all but the line. Removing the remote config entirely also has no effect on the above issue):

secure
1514
udp
192.168.3.11

So, what could be causing this? The same configuration works on my server that's local to me. I've grep'd through /var/ossec for any other mentions of "remote" that might be causing problems, and none exist. Searching for this gets me several people who have had the same error but they don't care because they aren't running ossec as a server.

Any guesses/thoughts on why remoted would fail to find the remote configuration would be huge. I've spent hours on this already.
Re: [ossec-list] remoted not starting
On Tuesday, November 25, 2014 6:14:48 AM UTC-8, dan (ddpbsd) wrote:
> On Mon, Nov 24, 2014 at 7:52 PM, Joel Parker wrote:
> > (gdb) set follow-fork-mode child
> > (gdb) run -df
>
> set follow-fork-mode child
> or
> run -df
> hmm??
>
> > ossec.conf (I've tried every variation I can think of here, including
> > removing all but the line. Removing the remote config entirely also
> > has no effect on the above issue:
> >
> > secure
> > 1514
> > udp
>
> I think protocol only really does anything with the syslog transport.

good point. Though I do have protocol on my working server.
Re: [ossec-list] remoted not starting
That was it. So, apparently, not only does ossec-remoted check for the existence of client.keys, but it also needs client.keys to be populated with at least one agent? The error, documentation, and results from searches all don't make that clear :(

thank you very much!

On Tuesday, November 25, 2014 3:51:51 AM UTC-8, Colin Bruce wrote:
> Dear Joel,
>
> What I am about to suggest is probably silly but have you configured an agent at the remote installation. If there are no agents installed then remoted stops as it has nothing to do. I see from your gdb output that it reads the authentication keys but I am not sure if it says that even when the keys file is empty.
>
> Just a thought.
>
> Best wishes…
>
> Colin
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *Joel Parker
> *Sent:* 25 November 2014 00:52
> *To:* ossec...@googlegroups.com
> *Subject:* [ossec-list] remoted not starting
>
> I have an ansible-ized install of ossec as a server, using the art rpms to install (ossec-hids and ossec-hids-server). I have it working as expected on a server in our office, however when I run the same setup on a server in our remote data center I am unable to get remoted to stay running. Both of these servers started as centos 6.5 minimal installs.. both are x86_64.
>
> Everything starts up, including remoted, but remoted then exits after it forks. From gdb:
>
> Reading symbols from /var/ossec/bin/ossec-remoted...Reading symbols from /usr/lib/debug/var/ossec/bin/ossec-remoted.debug...done.
> done.
> (gdb) set follow-fork-mode child
> (gdb) run -df
> Starting program: /var/ossec/bin/ossec-remoted -df
> [Thread debugging using libthread_db enabled]
> 2014/11/25 00:43:05 ossec-remoted: DEBUG: Starting ...
> 2014/11/25 00:43:05 ossec-remoted: INFO: Started (pid: 24882).
> [New process 24885]
> [Thread debugging using libthread_db enabled]
> 2014/11/25 00:43:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2014/11/25 00:43:05 ossec-remoted: INFO: Started (pid: 24885).
> 2014/11/25 00:43:05 ossec-remoted: DEBUG: Running manager_init
> [New Thread 0x775ea700 (LWP 24886)]
> [New Thread 0x76be9700 (LWP 24887)]
> 2014/11/25 00:43:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> 2014/11/25 00:43:05 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2014/11/25 00:43:05 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2014/11/25 00:43:05 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
> [Thread 0x775ea700 (LWP 24886) exited]
> [Thread 0x76be9700 (LWP 24887) exited]
>
> ossec.log:
> 2014/11/25 00:43:05 ossec-remoted: DEBUG: Starting ...
> 2014/11/25 00:43:05 ossec-remoted: INFO: Started (pid: 24882).
> 2014/11/25 00:43:05 ossec-remoted: DEBUG: Forking remoted: '0'.
>
> ossec.conf (I've tried every variation I can think of here, including removing all but the line. Removing the remote config entirely also has no effect on the above issue:
>
> secure
> 1514
> udp
> 192.168.3.11
>
> So, what could be causing this? The same configuration works on my server that's local to me. I've grep'd through /var/ossec for any other mentions of "remote" that might be causing problems, and none exist. Searching for this gets me several people who have had the same error but they don't care because they aren't running ossec as a server.
>
> Any guesses/thoughts on why remoted would fail to find the remote configuration would be huge. I've spent hours on this already.
Re: [ossec-list] Re: OSSEC & Splunk integration
On Wed, Apr 14, 2010 at 10:11 PM, uifjlh wrote:
> Paul,
>
> I seem to have some piece missing my self ? ... the search part of Splunk Works, and I have OSSEC Data there, from my OSSEC clients to the OSSEC server, (the same box as the Splunk server) ... but when I try the OSSEC plugin... this is the error I get.
>
> 500 Internal Server Error
>
> TypeError: 'NoneType' object is unsubscriptable

I'm having the same issue.

The application was uploaded via a tarball, not via the HTTP interface (firewall restrictions). Followed readme.

Also I'm using an SSH tunnel to connect to port 8000... although everything else works fine, can't imagine this is the issue.

I've also tried the .conf files mentioned in the earlier thread.

Any ideas?

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
Re: [ossec-list] Re: OSSEC & Splunk integration
On Thu, Apr 15, 2010 at 12:09 PM, Joel Merrick wrote:
> On Wed, Apr 14, 2010 at 10:11 PM, uifjlh wrote:
>> Paul,
>>
>> I seem to have some piece missing my self ? ... the search part of Splunk Works, and I have OSSEC Data there, from my OSSEC clients to the OSSEC server, (the same box as the Splunk server) ... but when I try the OSSEC plugin... this is the error I get.
>>
>> 500 Internal Server Error
>>
>> TypeError: 'NoneType' object is unsubscriptable
>
> I'm having the same issue.
>
> The application was uploaded via a tarball, not via the HTTP interface (firewall restrictions). Followed readme.
>
> Also I'm using an SSH tunnel to connect to port 8000... although everything else works fine, can't imagine this is the issue.
>
> I've also tried the .conf files mentioned in the earlier thread.
>
> Any ideas?

Traceback from log..

2010-04-15 11:13:31,610 WARNING [4bc6f4dada8cdefac] view:170 - "ossec" app does not have a navigation configuration file defined.
2010-04-15 11:13:31,612 ERROR [4bc6f4dada8cdefac] view:183 - 'NoneType' object is unsubscriptable
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 178, in getAppNav
    navDefinition = et.XML(navDefinition['eai:data'], parser)
TypeError: 'NoneType' object is unsubscriptable
2010-04-15 11:13:31,614 INFO [4bc6f4dada8cdefac] _cplogging:55 - [15/Apr/2010:11:13:31] HTTP Request Headers:
  REFERER: http://127.0.0.1:8000/en-US/app/launcher/home
  HOST: 127.0.0.1:8000
  ACCEPT: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  ACCEPT-CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.3
  USER-AGENT: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.365.0 Safari/533.3
  CONNECTION: keep-alive
  COOKIE: session_id_8000=5fb669c5532f94c5559209e1cd2541340d1f9334
  Remote-Addr: 127.0.0.1
  ACCEPT-LANGUAGE: en-US,en;q=0.8
  ACCEPT-ENCODING: gzip,deflate,sdch
2010-04-15 11:13:31,619 DEBUG [4bc6f4dada8cdefac] _cplogging:55 - [15/Apr/2010:11:13:31] HTTP Traceback (most recent call last):
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 606, in respond
    cherrypy.response.body = self.handler()
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/_cpdispatch.py", line 25, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 307, in default
    return route.target(self, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 38, in rundecs
    return fn(*a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 93, in check
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 141, in validate_ip
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 276, in preform_sso_check
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 309, in check_login
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 330, in handle_exceptions
    return fn(self, *a, **kw)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 779, in appDispatcher
    nav, defaultView = self.getAppNav(app, views)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 178, in getAppNav
    navDefinition = et.XML(navDefinition['eai:data'], parser)
TypeError: 'NoneType' object is unsubscriptable

I'm using Debian Lenny, Latest splunk (4.1) and latest ossec (2.4)

Reading the changelogs say it's only been tested with OSSEC v1.6.1 and OSSEC v2.0 - something must have changed

--
To unsubscribe, reply using "remove me" as the subject.
Re: [ossec-list] Re: OSSEC & Splunk integration
Well, it doesn't seem to be displaying anything...

OSSEC log directory is being monitored, however sourcetype="ossec" produced nothing. Files have been indexed.

Any ideas?

On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
> I have this working now,
>
> I had to manually add an application, then copy the contents of the tarball... restart.. works!
>
> h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
I have this working now,

I had to manually add an application, then copy the contents of the tarball... restart.. works!

h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick wrote:
> Well, it doesn't seem to be displaying anything...
>
> OSSEC log directory is being monitored, however sourcetype="ossec" produced nothing. Files have been indexed.
>
> Any ideas?

Seems as though the string parsing is not right.

splunk is setting the sourcetype to ossec-{level}

A simple recode in the search query from

sourcetype="ossec"

to

sourcetype="ossec*"

Works.

> On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
>> I have this working now,
>>
>> I had to manually add an application, then copy the contents of the tarball... restart.. works!
>>
>> h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington wrote:
> That sounds like Splunk's automatic sourcetype assignment. How do you have the data coming in? (syslog? Direct to a Splunk listening port? Or pointed directly to the OSSEC alerts file on the local machine?)

Sorry, only just seen this.. I've got rsyslog accepting syslog traffic from remote servers and splunk/ossec is indexing and analysing that

> If you look in inputs.conf, or in the Manager within Splunk you should be able to set the sourcetype to 'ossec' there.

Cool, will give it a whirl :)

> On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick wrote:
>> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick wrote:
>> > Well, it doesn't seem to be displaying anything...
>> >
>> > OSSEC log directory is being monitored, however sourcetype="ossec" produced nothing. Files have been indexed.
>> >
>> > Any ideas?
>>
>> Seems as though the string parsing is not right.
>>
>> splunk is setting the sourcetype to ossec-{level}
>>
>> A simple recode in the search query from
>>
>> sourcetype="ossec"
>>
>> to
>>
>> sourcetype="ossec*"
>>
>> Works.
>>
>> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
>> >> I have this working now,
>> >>
>> >> I had to manually add an application, then copy the contents of the tarball... restart.. works!
>> >>
>> >> h.t.h.
[ossec-list] centralized management
Hi guys,

I'm just getting started with ossec. So far, it seems like a great tool!

I need to deploy this in a centralized management configuration. I'm reading through the docs and experimenting in a lab. One thing I'm not clear on is what gets configured on the agents vs. what gets configured on the server.

In the agent.conf, do I need to add sections for: ... (for event logs, txt logs, etc)

Also, I've read the architecture page, but I'm still not clear on how events are processed. Could the data flow be explained as this:

- agent monitors files, does system and root checks, etc
- forwards all configured inputs to the server
- server checks events against the rules, sends alerts/reports and tells the agent to run active responses
- agent runs active responses (if told to do so by the server)

or does the agent do its own checking and only forward "interesting events"?

Thanks, sorry for the rambling, just trying to get this all straight in my head.

thanks,
J
[ossec-list] Re: Copying OSSEC installation?
Hey, there's an entry in the FAQ about this...

http://www.ossec.net/wiki/Know_How:BinaryInstall

J

On Feb 22, 2:38 pm, Jeremy Lee wrote:
> As luck would have it, the same engineer was assigned to the ticket I opened! :D
>
> *sigh*
>
> Guess I'll be trying the binary-install method.
>
> On Tue, Feb 22, 2011 at 11:34 AM, Jeremy Lee wrote:
> > That's what I thought :) I stopped chatting with him after several more exchanges and am just going to have another engineer install it. He must be in a bad mood today :P
> >
> > On Tue, Feb 22, 2011 at 11:08 AM, dan (ddp) wrote:
> >> I'm going to try not to be too snarky with my response (not directed at you, but at the "installing gcc is insecure!" mentality). Emphasis on try. ;)
> >>
> >> On Tue, Feb 22, 2011 at 1:49 PM, jplee3 wrote:
> >> > Hey all,
> >> >
> >> > One of the sysengs here was complaining about how having GCC on a publicly accessible server is insecure, etc. I partly agree, except couldn't we just install GCC, then install OSSEC, then remove GCC?
> >>
> >> Yes. You could install gcc, install OSSEC, and then remove gcc. Just like an attacker can break in, install gcc, do the deed, and uninstall gcc (although if they use packages and don't shut off OSSEC you'll get an alert ;)).
> >> /me rages
> >>
> >> > Anyway, that's beside the point... I wanted to ask, if it is possible, how one would go about copying an OSSEC installation from one server to another (assuming both servers have the same OS installed). I'd imagine it would probably not be the most trivial thing to do (compared to simply having GCC installed and then uninstalling once it is no longer required). I'm guessing the following steps would need to be taken at least:
> >> >
> >> > 1) Stop OSSEC
> >> > 2) Tar.gz the current OSSEC directory (as well as OSSEC init and startup conf/script)
> >>
> >> Remember to use -p (or a GNU equivalent) to preserve permissions.
> >>
> >> > 3) Copy to server B
> >> > 4) Create the OSSEC username/group on server B
> >>
> >> Keeping the uids/guid the same if possible.
> >>
> >> > 5) Untar the OSSEC dir and clear the log files
> >> > 6) Run manage_agents on server/agent to add and initialize
> >> > 7) Start OSSEC
> >> >
> >> > I'm just afraid that there might be other quirks with trying to do it this way - any thoughts/advice?
> >> >
> >> > I've already opened a ticket to have another syseng install GCC in the meantime (to avoid the hassle). Of course, if OSSEC had been installed on these servers in accordance with our policy, to begin with, I wouldn't be asking any of these fun questions. :)
> >>
> >> http://www.ossec.net/doc/manual/installation/installation-binary.html...
> >>
> >> I haven't tried the binary install methods, but I don't remember seeing many issues with it.
[ossec-list] ossec server behind nat?
Hi gang,

I'm wondering if there's any tricks to getting ossec working when the server is behind a NAT.

Here's the case: I have some linode servers that I'd like to monitor with ossec. The ossec server is in the office behind a NATting firewall. The ossec agent on the linode boxes is configured to use the public IP on the default port (1514). The firewall will translate the public IP to the internal (rfc 1918) address, but doesn't change the port.

I'm trying to get the linode agents to be managed centrally, so the only thing in the ossec.conf is the 1.2.3.4 stuff.

Looking at the logs on the agent, I see these messages repeated many times:

2011/02/22 03:25:33 ossec-agentd: INFO: Trying to connect to server (gw.domain.com/1.2.3.4:1514).
2011/02/22 03:25:54 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'gw.domain.com/1.2.3.4'

and:

2011/02/22 20:58:25 ossec-agentd(1214): WARN: Problem receiving message from 1.2.3.4.

When I stop/start the agent (on the linode systems), I get this:

Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-agentd...
2011/02/22 21:15:05 ossec-logcollector(1905): INFO: No file configured to monitor.
Started ossec-logcollector...
2011/02/22 21:15:05 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
bin/ossec-control: line 138: 9682 Segmentation fault ${DIR}/bin/${i}

Any ideas how I can get this working?

Thanks,
J
[ossec-list] dump agent config.
hey gang,

sorry for the quick double tap.. I was wondering if there's a way to dump an agent's config. Since moving all my config into agent.conf on the central server, I can't tell how a particular agent is configured... I know I can compare the md5sum of the server and the agent using agent_control... just wondering if there's a way to get the agent to dump its view of the config...?

cheers,
J
[ossec-list] active response in central management?
hey gang,

I'm working on my centralized management of ossec and it seems to be going well.

However, it seems that since I centralized and moved all the configuration to agent.conf, my active response rules have stopped working. (last entry in active-response.log is Feb. 21, last SSH brute force attack in /var/log/auth is like from 10 minutes ago).

Where should the active response configuration stuff go in a centralized deployment?
- in the agent.conf? in which block? ?
- in the ossec.conf on the server?

my agent.conf only has the IP of the server block. nothing else. I'm hoping I can keep it that way.

Thanks!
J
Re: [ossec-list] active response in central management?
Thanks Dan.

I added an section to the Linux section of the agent.conf. It is contained inside the section (which is where I found the Windows active-response lines).

Seems that doesn't work.

I'm moving it out of the section now to see if that makes a difference.

J

On Thu, Feb 24, 2011 at 2:33 PM, dan (ddp) wrote:
> Hi J,
>
> On Wed, Feb 23, 2011 at 9:59 PM, wrote:
>> Hey Dan,
>>
>> I've got two main sections in my agent.conf.
>>
>> Each was cut/pasted from an original (default) ossec.conf for the particular platform.
>>
>> The Windows section has:
>>
>> yes
>>
>
> This disabled AR on that agent.
>
>> But the Linux section didn't have any such section.
>>
>
> I think it's "no" by default, so that should be enabled. Is ossec-execd running?
>
>> In the manager's ossec.conf, there some sections that define command/location/level/timeout, etc but no disable yes/no.
>>
>> I'll keep experimenting, but if anyone has a working sample of an agent.conf with active responses working, I'd greatly appreciate it!
>>
>> Thanks!
>>
>> J
>>
>> -Original Message-
>> From: "dan (ddp)"
>> Sender: ossec-list@googlegroups.com
>> Date: Wed, 23 Feb 2011 21:36:49
>> To:
>> Reply-To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] active response in central management?
>>
>> I think it goes in the manager's ossec.conf
>>
>> On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks wrote:
>>> hey gang,
>>>
>>> I'm working on my centralized management of ossec and it seems to be going well.
>>>
>>> However, it seems that since i centralized and moved all the configuration to agent.conf, my active response rules have stopped working. (last entry in active-response.log is Feb. 21, last SSH brute force attack in /var/log/auth is like from 10 minutes ago).
>>>
>>> Where should the active response configuration stuff go in a centralized deployment?
>>> -in the agent.conf? in which block? ?
>>> -in the ossec.conf on the server?
>>>
>>> my agent.conf only has the IP of the server block. nothing else. i'm hoping i can keep it that way.
>>>
>>> Thanks!
>>>
>>> J
[ossec-list] active response - firewall drop
hey gang,

OK, on to a new problem with active responses...

I've got active responses working. The one I'm mainly interested in right now is the SSHD brute force rule/response (rule id=5712). When this rule is matched, the firewall drop command is executed, but the active-response.log shows:

Thu Feb 24 16:07:28 EST 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703
Thu Feb 24 16:07:29 EST 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703

Running the script by hand, I see that the script is being called with a hostname, not an IP address, so iptables rejects the rule. The host name in the active-response.log is not resolvable.

my /var/log/secure shows:

2011-02-24T15:56:52.505288-05:00 linode0 sshd[17907]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!
/var/log/secure:2011-02-24T15:56:52.594892-05:00 linode0 sshd[17909]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!

Is there a way to get the IP for this rule instead of the hostname?

thanks,
J
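An added example, not from the thread and not OSSEC's own firewall-drop.sh: the active-response.log entries above follow the pattern `<date> [Unable to run (iptables returning != R): N - ]<script> <action> <user> <target> <alert-id> <rule-id>`, which is assumed from the two lines shown. The Python below parses such entries and flags invocations whose target is not an IP literal, the case the poster hit when the "reverse mapping" sshd message handed the script a hostname; a wrapper applying the same check before calling iptables would refuse the hostname rather than retry. The first two sample lines are the ones from the post; the third is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of an active-response.log entry, derived from the two lines in
# the post (the "Unable to run" prefix only appears on failed attempts):
#   <date> [Unable to run (iptables returning != R): N - ]<script> <action> <user> <target> <alert-id> <rule-id>
AR_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ \d{4}) "
    r"(?:Unable to run \(iptables returning != (?P<expected>\d+)\): (?P<attempt>\d+) - )?"
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<target>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)

# Two lines quoted from the post plus one constructed, well-formed 'add' entry.
SAMPLE_LOG = """\
Thu Feb 24 16:07:28 EST 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703
Thu Feb 24 16:07:29 EST 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703
Thu Feb 24 16:10:02 EST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1298581202.70001 5712
"""


@dataclass
class ArEntry:
    timestamp: str
    script: str
    action: str
    user: str
    target: str
    alert_id: str
    rule_id: int
    failed_attempt: Optional[int]   # None unless this is an 'Unable to run' line


def parse_ar_line(line: str) -> Optional[ArEntry]:
    """Parse one active-response.log entry; None if it does not match the layout."""
    m = AR_LOG_RE.match(line.strip())
    if not m:
        return None
    attempt = m.group("attempt")
    return ArEntry(
        timestamp=m.group("ts"), script=m.group("script"), action=m.group("action"),
        user=m.group("user"), target=m.group("target"), alert_id=m.group("alert_id"),
        rule_id=int(m.group("rule_id")),
        failed_attempt=int(attempt) if attempt is not None else None,
    )


def firewall_target(arg: str) -> Optional[str]:
    """What a hardened firewall-drop wrapper should accept: a bare IPv4/IPv6
    literal, returned in canonical form. Hostnames, CIDR ranges and anything
    that would need a DNS lookup are rejected (None); blocking a name that does
    not even resolve is exactly what produced the iptables failures above."""
    try:
        return str(ipaddress.ip_address(arg.strip()))
    except ValueError:
        return None


def audit_ar_log(text: str) -> List[dict]:
    """Walk an active-response.log and report entries whose target is not an
    IP literal, so the decoder/rule that supplied a hostname can be tracked down."""
    findings = []
    for line in text.splitlines():
        entry = parse_ar_line(line)
        if entry is None:
            continue
        if firewall_target(entry.target) is None:
            findings.append({
                "rule_id": entry.rule_id, "alert_id": entry.alert_id,
                "action": entry.action, "target": entry.target,
                "failed_attempt": entry.failed_attempt,
            })
    return findings


if __name__ == "__main__":
    for f in audit_ar_log(SAMPLE_LOG):
        print(f"rule {f['rule_id']} alert {f['alert_id']}: non-IP target {f['target']!r}")
```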
Fwd: [ossec-list] active response in central management?
ok, ar still not working. I'm attaching my ossec.conf (from the manager/server) and the agent.conf files for reference. For testing, I'm simply logging into ssh with a bad username/password (from a non-whitelisted ip address) to see if the responses fire. J -- Forwarded message -- From: dan (ddp) Date: Thu, Feb 24, 2011 at 3:48 PM Subject: Re: [ossec-list] active response in central management? To: Joel Brooks That's still within the syscheck section. Can you send your active response configuration (in the manager's ossec.conf)? Also detail how you're testing the AR. Make sure ossec-execd is running, and check for log messages about AR in ossec.log. On Thu, Feb 24, 2011 at 3:10 PM, Joel Brooks wrote: > here's the tail end of the Linux section of my agent.conf: > > > no > > > > > but it seems that active responses still don't fire on the Linux agents. > > how can i troubleshoot this further? > > thanks! > > J > > On Thu, Feb 24, 2011 at 3:04 PM, dan (ddp) wrote: >> Yeah, it shouldn't be inside of the syscheck section. It is its own section. >> >> On Thu, Feb 24, 2011 at 3:02 PM, Joel Brooks wrote: >>> Thanks Dan. >>> >>> I added an section to the Linux section of the >>> agent.conf. It is contained inside the section >>> (which is where I found the Windows active-response lines). >>> >>> seems that doesn't work. >>> >>> I'm moving it out of the section now to see if that makes >>> a difference. >>> >>> J >>> >>> >>> >>> On Thu, Feb 24, 2011 at 2:33 PM, dan (ddp) wrote: >>>> Hi J, >>>> >>>> On Wed, Feb 23, 2011 at 9:59 PM, wrote: >>>>> Hey Dan, >>>>> >>>>> I've got two main sections in my agent.conf. >>>>> >>>>> >>>>> >>>>> >>>>> Each was cut/pasted from an original (default) ossec.conf for the >>>>> particular platform. >>>>> >>>>> The Windows section has: >>>>> >>>>> >>>>> yes >>>>> >>>>> >>>> >>>> This disabled AR on that agent. >>>> >>>>> But the Linux section didn't have any such section. >>>>> >>>> >>>> I think it's "no" by default, so that should be enabled. 
Is ossec-execd >>>> running? >>>> >>>>> In the manager's ossec.conf, there are some sections that >>>>> define command/location/level/timeout, etc but no disable yes/no. >>>>> >>>>> I'll keep experimenting, but if anyone has a working sample of an >>>>> agent.conf with active responses working, I'd greatly appreciate it! >>>>> >>>>> Thanks! >>>>> >>>>> J >>>>> >>>>> -Original Message- >>>>> From: "dan (ddp)" >>>>> Sender: ossec-list@googlegroups.com >>>>> Date: Wed, 23 Feb 2011 21:36:49 >>>>> To: >>>>> Reply-To: ossec-list@googlegroups.com >>>>> Subject: Re: [ossec-list] active response in central management? >>>>> >>>>> I think it goes in the manager's ossec.conf >>>>> >>>>> On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks >>>>> wrote: >>>>>> hey gang, >>>>>> >>>>>> I'm working on my centralized management of ossec and it seems to be >>>>>> going well. >>>>>> >>>>>> However, it seems that since i centralized and moved all the >>>>>> configuration to agent.conf, my active response rules have stopped >>>>>> working. (last entry in active-response.log is Feb. 21, last SSH >>>>>> brute force attack in /var/log/auth is like from 10 minutes ago). >>>>>> >>>>>> Where should the active response configuration stuff go in a >>>>>> centralized deployment? >>>>>> -in the agent.conf? in which block? ? >>>>>> -in the ossec.conf on the server? >>>>>> >>>>>> my agent.conf only has the IP of the server block. nothing else. i'm >>>>>> hoping i can keep it that way. >>>>>> >>>>>> Thanks! >>>>>> >>>>>> J >>>>> >>>> >>> >> >
Re: [ossec-list] active response in central management?
i still haven't got it working. I've tried moving the definitions and the sections to the agent.conf, and still no joy. i just can't get active response to work in central management mode. I found that executing bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000 from the manager results in the following in the ossec.log on the agent. 2011/02/25 19:53:01 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system. 2011/02/25 19:53:01 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop' provided. any further insights / thoughts would be greatly appreciated! J On Fri, Feb 25, 2011 at 10:58 AM, Jason 'XenoPhage' Frisvold wrote: > On Feb 24, 2011, at 2:33 PM, "dan (ddp)" wrote: >>> >>> yes >>> >>> >> >> This disabled AR on that agent. > > This is in the agent.conf, right? I had been disabling specific agents by > creating an active response at the top of my ossec.conf with that agent_id > identified. This looks MUCH easier and doesn't require a restart of my main > OSSEC server.. > > - Jason
Re: [ossec-list] active response in central management?
i can get the active response to fire by passing "-b 1.2.3.4 -f firewall-drop600 -u 000" firewall-drop600 is in the ar.conf. I guess i don't (yet) understand what uses ar.conf and what uses ossec.conf. brain dump- from what i think i understand then, the ossec.conf on the manager controls that manager config. the manager decides when an active response should run and simply tells an agent to block an ip address by using a script (much like calling agent_control -b... by hand). the ossec.conf on the agent controls the agent config. It can be as simple as the configuration parameter telling the agent to get its config from the manager, or as complex as defining local configuration parameters (including active response rules, etc). the agent.conf on the manager controls the agents' config. it can essentially contain any of the client config parameters.. syscheck, rootcheck, etc. the agent.conf is modified on the manager and distributed to the agents on some time based schedule (1-2 hours?) unless both manager and agents are restarted. the agent.conf on an agent should be exactly the same as the agent.conf on the manager (and can be verified by the md5sum). - I will try in debug mode, and i will make sure i'm firing a rule that is level 6 or higher. thanks for your patience Dan. J On Fri, Feb 25, 2011 at 9:02 PM, dan (ddp) wrote: > Hi Joel, > > On Fri, Feb 25, 2011 at 7:59 PM, Joel Brooks wrote: >> i still haven't got it working. >> >> I've tried moving the definitions and the >> sections to the agent.conf, and still no joy. >> > > No joy because the MANAGER doesn't use the agent.conf. > >> i just can't get active response to work in central management mode. >> >> I found that executing >> >> bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000 >> >> from the manager results in the following in the ossec.log on the agent. >> >> 2011/02/25 19:53:01 ossec-execd: INFO: Active response command not >> present: '/var/ossec/active-response/bin/restart-ossec.cmd'. 
Not using >> it on this system. >> > > The restart-ossec.cmd is a Windows AR, this message can be ignored. > >> 2011/02/25 19:53:01 ossec-execd(1311): ERROR: Invalid command name >> 'firewall-drop' provided. >> > > That's strange. I see it in the ossec.conf you sent to the mailing > list (or this could be asking for the actual command > /var/ossec/active-response/bin/firewall-drop.sh, I can't test to find > out at the moment). > > Can you turn on debugging on the agents? I'm hoping that might help. > > I don't think the firewall-drop command would be the one to fire, > since the host-deny command is used in the first active-response block > and they use the same parameters. > >> any further insights / thoughts would be greatly appreciated! >> >> J >> > > When you try testing this with SSH, which alert is firing? Your AR > configuration requires that it be level 6+. > It looks like most of the (single) ssh authentication failure alerts > are level 5 or lower. >
Re: [ossec-list] active response in central management?
success! I ran the ossec-remoted in debug mode on the manager and found a stream of these: 2011/02/26 13:15:48 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'. 2011/02/26 13:15:53 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'. 2011/02/26 13:15:59 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'. 2011/02/26 13:21:43 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'. 2011/02/26 13:21:49 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'. some googling told me that this is sometimes related to the keys for the agent. I looked at the client.keys file on both agent and manager and found that the manager had several entries for the 192.168.0.1 ip address (while troubleshooting, i removed the agent and re-added it once or twice). the deleted entries showed the IP address as "###-0.1" or something like that. I should have kept a copy, but i just deleted those lines from the client.keys on the manager leaving only the current key/agent #. restarted both manager and agent, and poof, everything started working. so, lessons: ossec.conf on agent only needs the section. everything else can be done in the agent.conf. active-responses work when the agent is properly configured and properly communicating with the manager. running the manager daemons in debug mode can be very informative. definitely got to know ossec a bit better these last few days. cheers, J On Fri, Feb 25, 2011 at 9:25 PM, Joel Brooks wrote: > i can get the active response to fire by passing "-b 1.2.3.4 -f > firewall-drop600 -u 000" > > firewall-drop600 is in the ar.conf. > > I guess i don't (yet) understand what uses ar.conf and what uses ossec.conf. > > brain dump- > from what i think i understand then, > > the ossec.conf on the manager controls that manager config. 
> > the manager decides when an active response should run and simply > tells an agent to block an ip address by using a script (much like > calling agent_control -b... by hand). > > the ossec.conf on the agent controls the agent config. It can be as > simple as the configuration parameter telling the agent to > get it's config from the manager, or as complex as defining local > configuration parameters (including active response rules, etc). > > the agent.conf on the manager controls the agents' config. it can > essentially contain any of the client config parameters.. syscheck, > rootcheck, etc. the agent.conf is modified on the manager and > distributed to the agents on some time based schedule (1-2 hours?) > unless both manager and agents are restarted. the agent.conf on an > agent should be exactly the same as the agent.conf on the manager (and > can be verified by the md5sum). > > - > I will try in debug mode, and i will make sure i'm firing a rule that > is level 6 or higher. > > thanks for your patience Dan. > > J > > > > > On Fri, Feb 25, 2011 at 9:02 PM, dan (ddp) wrote: >> Hi Joel, >> >> On Fri, Feb 25, 2011 at 7:59 PM, Joel Brooks wrote: >>> i still haven't got it working. >>> >>> I've tried moving the definitions and the >>> sections to the agent.conf, and still no joy. >>> >> >> No joy because the MANAGER doesn't use the agent.conf. >> >>> i just can't get active response to work in central management mode. >>> >>> I found that executing >>> >>> bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000 >>> >>> from the manager results in the following in the ossec.log on the agent. >>> >>> 2011/02/25 19:53:01 ossec-execd: INFO: Active response command not >>> present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using >>> it on this system. >>> >> >> The restart-ossec.cmd is a Windows AR, this message can be ignored. >> >>> 2011/02/25 19:53:01 ossec-execd(1311): ERROR: Invalid command name >>> 'firewall-drop' provided. >>> >> >> That's strange. 
I see it in the ossec.conf you sent to the mailing >> list (or this could be asking for the actual command >> /var/ossec/active-response/bin/firewall-drop.sh, I can't test to find >> out at the moment). >> >> Can you turn on debugging on the agents? I'm hoping that might help. >> >> I don't think the firewall-drop command would be the one to fire, >> since the host-deny command is used in the first active-response block >> and they use the same parameters. >> >>> any further insights / thoughts would be greatly appreciated! >>> >>> J >>> >> >> When you try testing this with SSH, which alert is firing? Your AR >> configuration requires that it be level 6+. >> It looks like most of the (single) ssh authentication failure alerts >> are level 5 or lower. >> >
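The fix Joel lands on above is removing stale client.keys lines that still pointed at the agent's IP. The following is an added example, not OSSEC project code: a small checker for the manager's /var/ossec/etc/client.keys that flags exactly that situation. It assumes the file holds one agent per line as `ID NAME IP[/CIDR]|any KEY` (the layout manage_agents writes). The sample content is constructed: agents 001 and 003 both claim 192.168.0.1, and line 002 is a stand-in for the mangled "###-0.1" entry Joel describes, so its IP field no longer parses.

```python
"""Flag duplicate or unparsable entries in an OSSEC client.keys file.

Added example, not OSSEC project code.  Assumed line format:
    ID  NAME  IP[/CIDR]|any  KEY
"""
import ipaddress
from collections import defaultdict

# Constructed sample: two live entries for 192.168.0.1 plus one stale,
# mangled entry (the shape Joel reported after removing/re-adding an agent).
SAMPLE_CLIENT_KEYS = """\
001 web01 192.168.0.1 5f3e9c1a7b2d4e6f8a0c2e4d6b8f0a1c3e5d7f9b1d3f5a7c9e1b3d5f7a9c1e3b
002 web01 ###-0.1 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b
003 web01 192.168.0.1 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b
004 db01 any 4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c
"""


def parse_client_keys(text):
    """Return [(lineno, id, name, ip_field, key)]; raise on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        entries.append((lineno, *parts))
    return entries


def normalise_ip(ip_field):
    """'any' stays 'any'; addresses and CIDR ranges become canonical network
    strings; anything else (e.g. a mangled field) returns None."""
    if ip_field == "any":
        return "any"
    try:
        return str(ipaddress.ip_network(ip_field, strict=False))
    except ValueError:
        return None


def check_client_keys(text):
    """Return findings: unparsable IP fields, agent IDs listed more than once,
    and IPs claimed by more than one agent ID (the case in the thread)."""
    findings = []
    by_id = defaultdict(list)
    by_ip = defaultdict(list)
    for lineno, agent_id, _name, ip_field, _key in parse_client_keys(text):
        by_id[agent_id].append(lineno)
        net = normalise_ip(ip_field)
        if net is None:
            findings.append(f"line {lineno}: agent {agent_id} has unparsable IP field {ip_field!r}")
            continue
        by_ip[net].append(agent_id)
    for agent_id, lines in by_id.items():
        if len(lines) > 1:
            findings.append(f"agent id {agent_id} appears on lines {lines}")
    for net, ids in by_ip.items():
        if net != "any" and len(ids) > 1:
            findings.append(f"ip {net} is claimed by agents {', '.join(ids)}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_client_keys.py [/var/ossec/etc/client.keys]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CLIENT_KEYS
    for finding in check_client_keys(text):
        print(finding)
```

Run it against the manager's copy after any remove/re-add cycle and before restarting; a second ID claiming an IP the live agent uses is the condition that produced the "Incorrectly formated message" stream in this thread, and "any" entries are deliberately left out of the duplicate check because several agents may legitimately share it.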
[ossec-list] List blocked IPs without using iptables
Hello Daniel and all, I am using OSSEC 2.5.1 on different Linux environments for the past year and a half with OpenSIPs and Asterisk applications to ban SIP brute-forcing attackers and of course it is doing its job very well. Thank you to all people involved with the development of this software. So, for the past 2 days I've been in a battle with having a way to check which IPs are blocked by OSSEC-Server in an agent. I know that if I look into the active-responses.log I'll see what were the actions taken in a certain agent ( add and delete from the Iptables ) and if I look on the IPTables I'll be able to see the blocked IPs as well. But in an agent that the IPtables are complex there is no way of making sure that I am looking at OSSEC inserted rules. My theory is that the server or the agent knows the association between the timeout, the blocked IP and the agent so that it can remove that active-response ( rule on the IPTable ) just after the timeout occurred. Question is: where can I find that association, i.e. where is the list of the blocked IPs of an agent? I already looked into this list and the IRC channel and didn't find any information regarding this which to me is odd because it seems to me that this should be a functionality asked by a lot of people. On the same page of this problem I would like to know if it's possible to remove an IPTable rule without doing an "iptables -D" and without restarting the agent. You see, if I remove a rule "by hand", and because I am using timeouts of 24h, if the attacker tries again it'll send email_alerts but it'll not apply the active-response. So, my other question is: Is it possible to remove an active response before its timeout where the agent is aware of that? Thank you very much for your time. Best Regards, Joel Oliveira
[ossec-list] Re: List blocked IPs without using iptables
Hello, Just bumping this issue. Does anyone know anything about this? Thanks, Joel Oliveira Quarta-feira, 21 de Março de 2012 16h58min44s UTC, Joel Oliveira escreveu: > > Hello Daniel and all, > > I am using OSSEC 2.5.1 on different Linux environments for the past year > and half with OpenSIPs and Asterisk applications to ban SIP brute-forcing > attackers and of course it is doing its job very well. Thank you to all > people involved with the development of this software. > > So, for the past 2 days I've been in a battle with having a way to check > which IPs are blocked by OSSEC-Server in an agent. I know that if I look > into the active-responses.log I'll see what were the actions taken in a > certain agent ( add and delete from the Iptables ) and if I look on the > IPTables I'll be able to see the blocked IPs as well. But in an agent that > the IPtables are complex there is no way of making sure that I am looking > at OSSEC inserted rules. > > My theory is that the server or the agent knows the association between > the timeout, the blocked IP and the agent so that it can remove that > active-response ( rule on the IPTable ) just after the timeout occured. > Question is: where can I find that association, i.e where is the list of > the blocked IPs of an agent? > > I already looked into this list and the IRC channel and didn't find any > information regarding this which for me it's odd because it seems to me > that this should be a functionality asked by a lot of people. > > On the same page of this problem I would like to know if it's possible to > remove an IPTable rule without doing an "iptables -D" and without > restarting the agent. You see, if I remove a rule "by hand", and because I > am using timeouts of 24h, if the attacker tries again it'll send > email_alerts but it'll not apply the active-response. So, my other question > is: Is it possible to remove an active response before it's timeout where > the agent is aware of that? 
> > Thank you very much for your time. Best Regards, > Joel Oliveira >
[ossec-list] Re: List blocked IPs without using iptables
Thanks for your input BP9906. It seems to me that OSSEC works this way as design, but I would like if someone could please explain to me why isn't so simple to check a list of blocked-IPs. In my opinion this would be a feature-request asked by a lot of users but instead I can't find anywhere other people asking for this. So I would be very grateful if someone would explain to me why maybe my request is so strange. Thank you very much for your time, Joel Oliveira Segunda-feira, 9 de Abril de 2012 18:52:59 UTC+1, BP9906 escreveu: > > I think the answer is no. When I use null route to block an IP for a given > agent, if I manually remove that null route for an IP (i dont know if the > null route was there previous to ossec agent null routing it), then the > agent wont re-null route the IP until the timeout has happened or I restart > the agent. Perhaps the answer for you is to use a block mechanism that is > unique to ossec agent and not anything else. > > Sorry I couldnt help more. > > > On Thursday, April 5, 2012 8:08:15 AM UTC-7, Joel Oliveira wrote: >> >> Hello, >> >> Just bumping this issue. Does anyone know anything about this? >> >> Thanks, >> Joel Oliveira >> >> Quarta-feira, 21 de Março de 2012 16h58min44s UTC, Joel Oliveira escreveu: >>> >>> Hello Daniel and all, >>> >>> I am using OSSEC 2.5.1 on different Linux environments for the past year >>> and half with OpenSIPs and Asterisk applications to ban SIP brute-forcing >>> attackers and of course it is doing its job very well. Thank you to all >>> people involved with the development of this software. >>> >>> So, for the past 2 days I've been in a battle with having a way to check >>> which IPs are blocked by OSSEC-Server in an agent. I know that if I look >>> into the active-responses.log I'll see what were the actions taken in a >>> certain agent ( add and delete from the Iptables ) and if I look on the >>> IPTables I'll be able to see the blocked IPs as well. 
But in an agent that >>> the IPtables are complex there is no way of making sure that I am looking >>> at OSSEC inserted rules. >>> >>> My theory is that the server or the agent knows the association between >>> the timeout, the blocked IP and the agent so that it can remove that >>> active-response ( rule on the IPTable ) just after the timeout occured. >>> Question is: where can I find that association, i.e where is the list of >>> the blocked IPs of an agent? >>> >>> I already looked into this list and the IRC channel and didn't find any >>> information regarding this which for me it's odd because it seems to me >>> that this should be a functionality asked by a lot of people. >>> >>> On the same page of this problem I would like to know if it's possible >>> to remove an IPTable rule without doing an "iptables -D" and without >>> restarting the agent. You see, if I remove a rule "by hand", and because I >>> am using timeouts of 24h, if the attacker tries again it'll send >>> email_alerts but it'll not apply the active-response. So, my other question >>> is: Is it possible to remove an active response before it's timeout where >>> the agent is aware of that? >>> >>> Thank you very much for your time. Best Regards, >>> Joel Oliveira >>> >>
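Nobody in this thread points at a file that holds the association Joel is after, but the active-responses.log he mentions does record every add and delete. The following is an added example, not OSSEC project code: it replays that log to reconstruct which (script, source IP) pairs have an add without a later delete, and optionally flags entries whose timeout has passed without a delete being logged. It assumes the line layout written by the stock response scripts, "`date` $0 $1 $2 $3 $4 $5" (date, script path, action, user, srcip, alert id, rule id); the sample lines are constructed and rule id 100100 is an assumed local rule.

```python
"""Reconstruct OSSEC's current active-response blocks from active-responses.log.

Added example, not OSSEC project code.  Assumed line format (stock scripts):
    <`date` output> <script path> <add|delete> <user> <srcip> <alert id> <rule id>
"""
import os
from datetime import datetime, timedelta

# Constructed sample of /var/ossec/logs/active-responses.log.
SAMPLE_AR_LOG = """\
Thu Mar 22 10:15:32 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1332411332.12345 100100
Thu Mar 22 10:20:01 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1332411601.23456 100100
Thu Mar 22 10:25:32 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5 1332411332.12345 100100
Thu Mar 22 10:40:00 UTC 2012 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.9 1332412800.34567 100100
"""


def parse_ar_line(line):
    """Return a dict for one log line, or None for lines not in this shape."""
    tokens = line.split()
    script_idx = next((i for i, t in enumerate(tokens) if t.startswith("/")), None)
    if script_idx is None or len(tokens) < script_idx + 6:
        return None
    date_tokens = tokens[:script_idx]
    if len(date_tokens) != 6:          # "Thu Mar 22 10:15:32 UTC 2012"
        return None
    # Drop the zone token: strptime's %Z accepts only a few names, and a
    # consistent ordering is all the replay needs.  split() already
    # collapsed the double space `date` prints before single-digit days.
    when = datetime.strptime(" ".join(date_tokens[:4] + date_tokens[5:]),
                             "%a %b %d %H:%M:%S %Y")
    script, action, user, srcip, alert_id, rule_id = tokens[script_idx:script_idx + 6]
    return {"when": when, "script": os.path.basename(script), "action": action,
            "user": user, "srcip": srcip, "alert_id": alert_id, "rule_id": rule_id}


def current_blocks(log_text, timeout=None, now=None):
    """Replay add/delete lines in file order.  Returns (active, overdue):
    active  = {(script, srcip): the add record that has no later delete}
    overdue = sorted keys of active whose add is older than `timeout` seconds
              at `now` (datetime or ISO string), i.e. the log shows no delete
              although the timer should have fired; reconcile those against
              the live firewall rather than trusting either source alone."""
    active = {}
    for line in log_text.splitlines():
        rec = parse_ar_line(line)
        if rec is None:
            continue
        key = (rec["script"], rec["srcip"])
        if rec["action"] == "add":
            active[key] = rec
        elif rec["action"] == "delete":
            active.pop(key, None)
    overdue = []
    if timeout is not None and now is not None:
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        limit = timedelta(seconds=timeout)
        overdue = sorted(k for k, r in active.items() if now - r["when"] > limit)
    return active, overdue


if __name__ == "__main__":
    active, overdue = current_blocks(SAMPLE_AR_LOG, timeout=600, now="2012-03-22 10:45:00")
    for (script, ip), rec in sorted(active.items()):
        flag = " (overdue)" if (script, ip) in overdue else ""
        print(f"{script}: {ip} since {rec['when']} rule {rec['rule_id']}{flag}")
```

The caveat BP9906 raises still applies: a rule removed by hand with iptables -D never appears in this log, so the replay shows what OSSEC believes it did, not what the firewall currently holds. Running it on each agent (where the responses execute and the log is written) and diffing against the live ruleset is the closest thing to the per-agent list Joel asked for.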
[ossec-list] Evaluating ossec
Hello everyone, We recently set up OSSEC HIDS using the client/server model. So far things have been working fairly well and it is looking like a good however there is a circumstance on one web server where a buggy source control client causes several 400 errors in a short timeframe causing rule 3151 to fire. Since several developers use this server legitimately for source control, is there a way to exclude their known IP address from that rule? So far trying things such as the whitelist and using !. in the rule have been unsuccessful. Thanks in advance, -Joel
[ossec-list] Re: Evaluating ossec
Thanks for the quick response! That looks like exactly what we needed. -Joel -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Monday, August 14, 2006 2:30 PM To: ossec-list@googlegroups.com Cc: Joel Gray Subject: [ossec-list] Re: Evaluating ossec Hi Joel, There are multiple ways of doing that. The easiest way is to: -go to /var/ossec/rules/web_rules.xml -find the rule 3101 (you will see that rule 3151 looks for multiple 3101- 400 errors) -change it to be: 3100 ^40 !192.168.2.0/24 Web server 400 error code. And it should work. However, if you do that, you will lose your changes when you update to the next version. The right way of doing it is to: -create a file /var/ossec/rules/local_rules.xml -Add a new rule in it: 3151 192.168.2.0/24 Ignoring local network -Edit /var/ossec/etc/ossec.conf and include "local_rules.xml" on it. -Restart ossec. Just a warning. We will release version 0.9-1 soon (hopefully tomorrow) and it will change the rules ids of all rules (we had to organize it now..). The new ids are: http://www.ossec.net/rule_ids.txt Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 8/14/06, Joel Gray <[EMAIL PROTECTED]> wrote: > > > Hello everyone, > > We recently set up OSSEC HIDS using the client/server model. So far > things have been working fairly well and it is looking like a good > however there is a circumstance on one web server where a buggy source > control client causes several 400 errors in a short timeframe causing > rule 3151 to fire. Since several developers use this server > legitimately for source control, is there a way to exclude their known > IP address from that rule? So far trying things such as the whitelist > and using !. in the rule have been unsuccessfully. > > Thanks in advance, > -Joel
[ossec-list] Re: Firewall actions... question.
Daniel, I've disabled the active-response because it was blocking IP's that, due to our circumstances, we did not want. We have 1 server on the public networks that serves as a mail-forwarder and DNS machine. I would like to use active response on this one when it detects attempts based on ssh brute force (which happens several times a day). I've already changed some of the rules so that certain events (multiple spam attempts, etc..) report at a lower level. It seems like level 10+ is where I'd like it to run the firewall-drop and host-deny scripts. Is the example below the way to do this as well? Ex: firewall-drop defined-agent 001 10 600 host-deny defined-agent 001 10 600 Thanks in advance -Joel -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Friday, September 08, 2006 10:36 AM To: ossec-list@googlegroups.com Subject: [ossec-list] Re: Firewall actions... question. Hi Forrest, Having the ossec-server in the internal system is actually the right way of doing it. To configure ossec to always do the blocking at the firewall, just change your active response configuration from "local" to "defined-agent" and give the agent_id of the firewall. Example (running all firewall-drop responses on the agent 003): firewall-drop defined-agent 003 6 600 Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 9/8/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote: > > I have a server and agent that I'm testing. > > The configuration is: > > agent = firewall > server = internal system > > The internal system is being NAT'd to for mail and some other things. > What I want to have happen is firewall rules get dropped in for the > active-response, but they should be sent to the agent (firewall) not > the server. > > I realize that's backwards about how it normally works; however, it > seems to me that having the "server" on the peripheral network isn't > the most secure way of doing this. 
> > I will reconfigure it all if necessary, if that's the only way this > will really work well... > > > Thanks. > >
[ossec-list] Help shutting down an alert
Hi all, I'm getting an alert on an internal server that, at one point, I had been able to ignore. Recently I moved the logs that apache (win32 version) uses to a different drive for space considerations and since doing so have begun getting the alert again. The reason I wish to ignore the alert is due to its cause. The client software (TortoiseSVN) simply requests methods not available currently. Here is the alert: Received From: ([myserver]) x.x.x.20->\apache2/logs/access.log Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip." Portion of the log(s): x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/[]/Extranet/branches/SOW-101 HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[]/[]/trunk HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[]/[]/2.5 HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[]/Extranet/branches/SOW-101 HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:07:00:21 -0700] "PROPFIND /svn/[]/[]/trunk HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:06:59:53 -0700] "PROPFIND /svn/[]/[]/2.5 HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:06:59:50 -0700] "PROPFIND /svn/[]/[]/trunk HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[]/[]/trunk HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[]/Extranet/branches/SOW-101 HTTP/1.1" 401 587 At one point I put the following into my local_rules.xml file on the server which got rid of the message: 31101 x.x.x.0/16 Ignoring local network I see that this new alert uses a different rule number so I've tried to do the same thing by putting the following into the local_rules.xml file: 31151 x.x.x.0/16 Ignoring local network This does not seem to override anything and even after restarting ossec I still receive the notifications every time someone uses the source control client. Am I doing something wrong or simply missing a step somewhere else? 
Oh, as a side note I did modify the agent machine config with the new path to the logs. It was a simple update since the line was already there with the old logs. I did restart the windows service (NET STOP OssecSvc;NET START OssecSvc) after the change. Thanks in advance! -Joel
[ossec-list] Re: Help shutting down an alert
Daniel, Thank you, that was indeed the issue! On another note I learned in correcting this that the rules are processed in the order that they are listed in the ossec.conf file. The result was that originally I added the local_rules.xml as my first one this time around and that caused ossec to fail due to the file looking for another rule that had not been loaded yet. While this is not a huge deal that may be something to think about for the future as well, loading all of the rules before processing them. Thank you again for pointing me in the right direction. -Joel -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Wednesday, September 13, 2006 1:25 PM To: ossec-list@googlegroups.com Subject: [ossec-list] Re: Help shutting down an alert Do you have the local_rules.xml configured to be included at /var/ossec/etc/ossec.conf ? The update probably removed it from there (yes, this is something we need to fix)... Let us know if it fixes or not.. -- Daniel B. Cid dcid ( at ) ossec.net On 9/13/06, Joel Gray <[EMAIL PROTECTED]> wrote: > > Hi all, > > I'm getting an alert on an internal server that, at one point, I had > been able to ignore. Recently I moved the logs that apache (wn32 > version) uses to a different drive for space considerations and since > doing so have begun getting the alert again. The reason I wish to > ignore the alert is due to it's cause. The client software > (TortoiseSVN) simply requests methods not available currently. > > Here is the alert: > Received From: ([myserver]) x.x.x.20->\apache2/logs/access.log > > Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes > from same source ip." 
> > Portion of the log(s): > > x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND > /svn/[]/Extranet/branches/SOW-101 HTTP/1.1" 401 587 x.x.x.90 - - > [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[]/[]/trunk > HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND > /svn/[]/[]/2.5 HTTP/1.1" 401 587 x.x.x.90 - - > [13/Sep/2006:07:00:53 -0700] "PROPFIND > /svn/[]/Extranet/branches/SOW-101 HTTP/1.1" 401 587 x.x.x.90 - - > [13/Sep/2006:07:00:21 -0700] "PROPFIND /svn/[]/[]/trunk > HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:06:59:53 -0700] "PROPFIND > /svn/[]/[]/2.5 HTTP/1.1" 401 587 x.x.x.90 - - > [13/Sep/2006:06:59:50 -0700] "PROPFIND /svn/[]/[]/trunk > HTTP/1.1" 401 587 x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND > /svn/[]/[]/trunk HTTP/1.1" 401 587 x.x.x.90 - - > [13/Sep/2006:06:58:52 -0700] "PROPFIND > /svn/[]/Extranet/branches/SOW-101 HTTP/1.1" 401 587 > > > At one point I put the following into my local_rules.xml file on the > server which got rid of the message: > > > 31101 > x.x.x.0/16 > Ignoring local network > > > I see that this new alert uses a different rule number so I've tried > to do the same thing by putting the following into the local_rules.xml > file: > > > 31151 > x.x.x.0/16 > Ignoring local network > > > This does not seem to override anything and even after restarting > ossec I still receive the notifications every time someone uses the > source control client. Am I doing something wrong or simply missing a > step somewhere else? > > Oh, as a side note I did modify the agent machine config with the new > path to the logs. It was a simply update since the line was already > there with the old logs. I did restart the windows service (NET STOP > OssecSvc;NET START OssecSvc) after the change. > > Thanks in advance! > -Joel >
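Two things went wrong across the "Evaluating ossec" and "Help shutting down an alert" threads: the local_rules.xml include disappeared from ossec.conf after an update, and, as Joel notes above, a local file listed before the file that defines the rule it overrides makes ossec fail because rules are loaded in include order and the if_sid target is not there yet. The following is an added example, not OSSEC project code: it reads the include order from an ossec.conf, parses each rule file, and reports any if_sid/if_matched_sid reference to a rule that has not been loaded yet, plus rule files present on disk but not included at all. The sample web_rules.xml and local_rules.xml are constructed stand-ins modelled on the rules described in the threads (post-0.9-1 ids 31101 and 31151); local rule id 100001 and the 192.168.0.0/16 range are assumptions.

```python
"""Check OSSEC rule include order and local override wiring.

Added example, not OSSEC project code.  Rule files are parsed with a
synthetic root element because an OSSEC rules file may contain several
top-level <group> elements, which is not well-formed XML on its own.
"""
import xml.etree.ElementTree as ET

REF_TAGS = ("if_sid", "if_matched_sid")

# Constructed stand-ins for /var/ossec/rules/*.xml.
SAMPLE_FILES = {
    "web_rules.xml": """
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id>^4</id>
    <description>Web server 400 error code.</description>
  </rule>
  <rule id="31151" level="10" frequency="10" timeframe="120">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes from same source ip.</description>
  </rule>
</group>
""",
    "local_rules.xml": """
<group name="local,">
  <!-- Assumed local id 100001: level 0 silences 31151 for the developer network. -->
  <rule id="100001" level="0">
    <if_sid>31151</if_sid>
    <srcip>192.168.0.0/16</srcip>
    <description>Ignoring local network</description>
  </rule>
</group>
""",
}


def make_conf(*names):
    """Build the <rules> section of an ossec.conf with includes in the given order."""
    inc = "\n".join(f"    <include>{n}</include>" for n in names)
    return f"<ossec_config>\n  <rules>\n{inc}\n  </rules>\n</ossec_config>\n"


def include_order(conf_text):
    return [el.text.strip() for el in ET.fromstring(conf_text).iter("include")]


def rules_in(file_text):
    """Return [(rule_id, [(tag, referenced_id), ...])] in file order."""
    root = ET.fromstring("<root>" + file_text + "</root>")
    out = []
    for rule in root.iter("rule"):
        refs = []
        for tag in REF_TAGS:
            for el in rule.findall(tag):
                refs.extend((tag, r.strip()) for r in (el.text or "").split(",") if r.strip())
        out.append((rule.get("id"), refs))
    return out


def check_rule_order(conf_text, files):
    """Walk includes in order; a reference to a rule id not yet loaded is reported."""
    findings = []
    loaded = set()
    for fname in include_order(conf_text):
        if fname not in files:
            findings.append(f"{fname}: included but not present")
            continue
        for rule_id, refs in rules_in(files[fname]):
            for tag, ref in refs:
                if ref not in loaded:
                    findings.append(f"{fname}: rule {rule_id} uses <{tag}>{ref}</{tag}> "
                                    f"before rule {ref} is loaded")
            loaded.add(rule_id)
    return findings


def not_included(conf_text, files):
    """Rule files that exist but that ossec.conf never includes (the post-update case)."""
    inc = set(include_order(conf_text))
    return sorted(f for f in files if f not in inc)


if __name__ == "__main__":
    good = make_conf("web_rules.xml", "local_rules.xml")
    print("correct order:", check_rule_order(good, SAMPLE_FILES) or "ok")
    print("local first:", check_rule_order(make_conf("local_rules.xml", "web_rules.xml"), SAMPLE_FILES))
    print("missing include:", not_included(make_conf("web_rules.xml"), SAMPLE_FILES))
```

To run it on a real install, load the `<include>` lines from /var/ossec/etc/ossec.conf and the files from /var/ossec/rules/ into the same shapes; the only extraction-specific part is the synthetic root wrapper.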
[ossec-list] Active Response not working...
Hi all, I've recently had a series of attacks that cause the appropriate alert level 10 to fire, however on the client they come from the active response is not running the firewall-drop script. It does work for most of the ssh attacks that come in adding the iptables rule and 600 seconds later removing it. The only thing that I've noticed that is different is that the host is reported as [EMAIL PROTECTED] instead of a username. I ran the firewall-drop script and enclosed the ? with single quotes '?' and it added my iptables rule just fine. I do not know if that has anything to do with it or not, but I wanted to let you know just in case. Here is the alert. OSSEC HIDS Notification. 2006 Sep 16 07:42:06 Received From: (x) x.x.x.x.->/var/log/messages Rule: 11306 fired (level 10) -> "FTP brute force (multiple failed logins)." Portion of the log(s): pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator] --END OF NOTIFICATION - Joel
[ossec-list] Re: Active Response not working...
Daniel, Excellent, I had a suspicion that it was something like that. Thanks for the response! -Joel -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Thursday, September 21, 2006 12:08 PM To: ossec-list@googlegroups.com Subject: [ossec-list] Re: Active Response not working... Hi Joel, I thought I had replied to you already, but looks like I didn't. If you look at your logs you will see some messages about "invalid username '?'". The problem is that ossec validates the username/srcip before sending to the active response scripts and it was considering the user "?" as invalid. I made some changes to fix it and it is available in the 0.9-2 beta version (and it will be in the final 0.9-2). http://www.ossec.net/files/snapshots/ Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 9/16/06, Joel Gray <[EMAIL PROTECTED]> wrote: > > Hi all, > > I've recently had a series of attacks that cause the appropriate alert > level 10 to fire, however on the client they come from the active > response is not running the firewall-drop script. It does work for > most of the ssh attacks that come in adding the iptables rule and 600 > seconds later removing it. > > The only thing that I've noticed that is different is that the host is > reported as [EMAIL PROTECTED] instead of a username. I ran the firewall-drop > script and enclosed the ? with single quotes '?' and it added my > iptables rule just fine. I do not know if that has anything to do > with it or not, but I wanted to let you know just in case. > > Here is the alert. > > OSSEC HIDS Notification. > 2006 Sep 16 07:42:06 > > Received From: (x) x.x.x.x.->/var/log/messages > Rule: 11306 fired (level 10) -> "FTP brute force (multiple failed > logins)." 
> Portion of the log(s): > > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user > [Administrator] > > > > --END OF NOTIFICATION > > > > - Joel >
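The root cause Daniel gives is worth dwelling on: the username and source IP from an alert end up as arguments to scripts that call iptables and edit hosts.deny, so OSSEC validates them first, and the validation was too strict for pure-ftpd's "?" placeholder. The following is an added example, not OSSEC's validation code and not a reproduction of the 0.9-2 fix: it shows the same gate written so that it stays strict (only a real IP address passes, and a username can never carry shell metacharacters) while accepting a lone "?". The argv list for firewall-drop and the hosts.deny line for host-deny are built from the validated values only. The accepted username character set and the "-" placeholder for "no user" are assumptions for the example; the injection strings in the test are constructed.

```python
"""Validate active-response arguments before they reach iptables or hosts.deny.

Added example, not OSSEC project code.
"""
import ipaddress
import re

# Assumed account-name alphabet, plus a lone '?' because pure-ftpd logs that
# when it has no username (the case in the thread).  '-' is accepted as the
# "no user" placeholder.  Anything else (quotes, ';', spaces, '$') is refused.
USER_RE = re.compile(r"^(?:[A-Za-z0-9._@-]{1,64}|\?)$")


class InvalidArgument(ValueError):
    """Raised for any value that must not be passed on to a response script."""


def validate_ar_args(action, user, srcip):
    """Return (action, user, srcip) normalised, or raise InvalidArgument."""
    if action not in ("add", "delete"):
        raise InvalidArgument(f"action {action!r}")
    if not USER_RE.fullmatch(user):
        raise InvalidArgument(f"user {user!r}")
    try:
        ip = ipaddress.ip_address(srcip)   # rejects CIDR, hostnames, trailing junk
    except ValueError as exc:
        raise InvalidArgument(f"srcip {srcip!r}") from exc
    return action, user, str(ip)


def is_valid(action, user, srcip):
    try:
        validate_ar_args(action, user, srcip)
        return True
    except InvalidArgument:
        return False


def firewall_drop_argv(action, user, srcip):
    """argv for the firewall-drop response.  An argument list, never a shell
    string, so even a value that slipped through could only be one argument."""
    action, _user, srcip = validate_ar_args(action, user, srcip)
    flag = "-I" if action == "add" else "-D"
    return ["iptables", flag, "INPUT", "-s", srcip, "-j", "DROP"]


def host_deny_line(action, user, srcip):
    """The hosts.deny entry the host-deny response adds (or removes)."""
    _action, _user, srcip = validate_ar_args(action, user, srcip)
    return f"ALL: {srcip}"


if __name__ == "__main__":
    # Constructed inputs: the thread's case, then two injection attempts.
    for args in (("add", "?", "203.0.113.5"),
                 ("add", "'; rm -rf /; '", "203.0.113.5"),
                 ("add", "-", "203.0.113.5; iptables -F")):
        print(args, "->", "ok" if is_valid(*args) else "refused")
    print(firewall_drop_argv("add", "?", "203.0.113.5"))
```

Joel's own test (quoting the "?" by hand and running the script) showed the script itself was fine; the value never reached it because the gate in front of it said no. Keeping that gate but widening it by exactly one literal is the shape of the fix, and an allow-list regex makes the widening explicit and reviewable.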
[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory
Hi all,

I am running into the same issue. I tried various combinations including setting the type to var_log_t, httpd_log_t and others and changing the user to system (basically setting the enforcement as the httpd logs) but all to no avail.

Has anyone had any luck with it? For the time being I've turned off enforcement which fixes the WUI error, but I would like to get SELinux re-enabled.

Best Regards,
-Joel

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Schroeder
Sent: Monday, August 13, 2007 5:33 PM
To: ossec-list
Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

avc deny = SELinux problem. I'm not any SELinux guru, but you might be able to fix this.

http://fedoraproject.org/wiki/SELinux/apache gives a few pointers.

I *think* something like this will work until a proper SELinux policy is written for ossec:
chcon -R -h -t httpd_unconfined_script_exec_t /path/to/ossec-wui
chcon -R -h -t httpd_sys_content_t /var/ossec/logs

If you get tired of all of this and want to disable SELinux:
setenforce 0

Try looking at what labels are on ossec and on apache:
ps aux -Z | egrep 'httpd|ossec'
ls -alZ /var/ossec/ /path/to/ossec-wui

The -Z option shows SELinux labelling attributes. You can also use the avc deny messages you got to feed into the audit2allow tool to create a template that permits what was denied. Note that I have 0 fedora boxes to test this on so it is mostly from what I can read and remember.

On Aug 13, 3:16 pm, Robert5156 <[EMAIL PROTECTED]> wrote:
> I followed the instructions in the link below
>
> http://www.ossec.net/wiki/index.php/OSSECWUI:Install
>
> for installing web interface.
>
> I did add the web user to the ossec group and I did restart the apache
> service.
>
> When I access the site "http://anyhost/ossec-wui/" I am getting the
> error on the web page saying
>
> "Unable to access ossec directory"
>
> I also get a notification from OSSEC installed on this system saying
> the following
>
> OSSEC HIDS Notification.
> 2007 Aug 13 16:09:20
>
> Received From: systemname->/var/log/messages
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> system."
> Portion of the log(s):
>
> Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc:
> denied { read } for pid=29595 comm="httpd" name="ossec" dev=dm-0
> ino=16957254 scontext=root:system_r:httpd_t:s0
> tcontext=root:object_r:var_t:s0 tclass=dir
>
> --END OF NOTIFICATION
>
> Help please.
> apache is my web user. Found by using ps -aux | grep http
>
> The tmp/ folder inside ossec-wui folder has the following permissions
>
> drwxrwxrwx 2 root apache 4096 Aug 13 15:05 tmp
>
> The etc/group file has
> "ossec:x:3004:apache" added
>
> /var/ossec is the dir which has ossec installed. The permissions for
> ossec folder are as follows.
>
> dr-xr-xr-- 11 root ossec 4096 Aug 8 11:07 ossec
>
> Help please. Running Fedora 6
[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory
That did it! I'll admit that I'm still learning a bunch about selinux. I completely missed the --reference option. I'll have to play more with restrictions later, but for the time being it's working and enabled.

Thanks!

Best Regards,
-Joel

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of MdMonk
Sent: Friday, August 31, 2007 2:04 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

Props to Syndrowm for guiding me in figuring this out. Thanks Evan!

# This will change the selinux permissions on the /var/ossec directory, to match those of the web directory. You can get more restrictive but I'm unsure exactly which directories the web server would need access to in the ossec dir (/var/ossec). For this example, the web dir is /var/www, and ossec is in /var/ossec:

chcon -R --reference /var/www/ /var/ossec/

That is what worked on my FC6 box. And it worked on F7 (just confirmed). You can get more restrictive in your modifications of the selinux permissions if you know what dirs and files the web server needs to access; then modify the chcon cmd as needed.

NOTE: This works for my setup, and didn't break anything (that I have seen so far). That's not to say that it wouldn't fubar your setup. What's the acronym? YMMV. :)

-Chuck (MdMonk)

On 8/31/07, Joel Gray <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am running into the same issue. I tried various combinations
> including setting the type to var_log_t, httpd_log_t and others and
> changing the user to system (basically setting the enforcement as the
> httpd logs) but all to no avail.
>
> Has anyone had any luck with it? For the time being I've turned off
> enforcement which fixes the WUI error, but I would like to get SELinux
> re-enabled.
>
> Best Regards,
> -Joel
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
> On Behalf Of Jeff Schroeder
> Sent: Monday, August 13, 2007 5:33 PM
> To: ossec-list
> Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec
> directory
>
>
> avc deny = SELinux problem. I'm not any SELinux guru, but you might be
> able to fix this.
>
> http://fedoraproject.org/wiki/SELinux/apache gives a few pointers.
>
> I *think* something like this will work until a proper SELinux policy
> is written for ossec:
> chcon -R -h -t httpd_unconfined_script_exec_t /path/to/ossec-wui
> chcon -R -h -t httpd_sys_content_t /var/ossec/logs
>
> If you get tired of all of this and want to disable SELinux:
> setenforce 0
>
> Try looking at what labels are on ossec and on apache:
> ps aux -Z | egrep 'httpd|ossec'
> ls -alZ /var/ossec/ /path/to/ossec-wui
>
> The -Z option shows SELinux labelling attributes. You can also use the
> avc deny messages you got to feed into the audit2allow tool to create
> a template that permits what was denied. Note that I have 0 fedora boxes
> to test this on so it is mostly from what I can read and remember.
>
> On Aug 13, 3:16 pm, Robert5156 <[EMAIL PROTECTED]> wrote:
> > I followed the instructions in the link below
> >
> > http://www.ossec.net/wiki/index.php/OSSECWUI:Install
> >
> > for installing web interface.
> >
> > I did add the web user to the ossec group and I did restart the apache
> > service.
> >
> > When I access the site "http://anyhost/ossec-wui/" I am getting the
> > error on the web page saying
> >
> > "Unable to access ossec directory"
> >
> > I also get a notification from OSSEC installed on this system saying
> > the following
> >
> > OSSEC HIDS Notification.
> > 2007 Aug 13 16:09:20
> >
> > Received From: systemname->/var/log/messages
> > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> > system."
> > Portion of the log(s):
> >
> > Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc:
> > denied { read } for pid=29595 comm="httpd" name="ossec" dev=dm-0
> > ino=16957254 scontext=root:system_r:httpd_t:s0
> > tcontext=root:object_r:var_t:s0 tclass=dir
> >
> > --END OF NOTIFICATION
> >
> > Help please.
> > apache is my web user. Found by using ps -aux | grep http
> >
> > The tmp/ folder inside ossec-wui folder has the following permissions
> >
> > drwxrwxrwx 2 root apache 4096 Aug 13 15:05 tmp
> >
> > The etc/group file has
> > "ossec:x:3004:apache" added
> >
> > /var/ossec is the dir which has ossec installed. The permissions for
> > ossec folder are as follows.
> >
> > dr-xr-xr-- 11 root ossec 4096 Aug 8 11:07 ossec
> >
> > Help please. Running Fedora 6
> >
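The AVC line quoted twice in this thread already carries everything needed to decide on a relabel: the source domain (httpd_t), the target type (var_t), the object class (dir) and the denied permission (read). The script below is an added example written for this page, not code from OSSEC or from the SELinux tools; it pulls those fields out of such a line with sed so the label to change is explicit before anyone reaches for chcon or audit2allow. The sample line embedded in it is the denial Robert5156 posted, joined onto one line.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial into the facts that decide a
# relabel (which domain was denied, what permission, on what object type).
# Not part of OSSEC or the SELinux toolchain. Assumes the kernel audit
# format shown in the thread: key=value fields, contexts as user:role:type:level.

# Sample taken from the thread (Robert5156's denial), on one line.
SAMPLE_AVC='Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc: denied { read } for pid=29595 comm="httpd" name="ossec" dev=dm-0 ino=16957254 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir'

# avc_field LINE KEY: value of KEY=... (surrounding quotes stripped), or nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE: the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type component of user:role:type[:level].
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one readable line naming domain, permission and target.
avc_summary() {
    line=$1
    printf '%s (%s) denied %s on %s "%s" labelled %s\n' \
        "$(avc_field "$line" comm)" \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_perms "$line")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)" \
        "$(avc_type "$(avc_field "$line" tcontext)")"
}

# is_httpd_content_denial LINE: true when httpd_t was denied on an object
# whose type is not an httpd_* type, i.e. the relabel case from the thread.
# A denial on an object already labelled httpd_* points somewhere else
# (a boolean, or the policy itself) and should not be "fixed" with chcon.
is_httpd_content_denial() {
    [ "$(avc_type "$(avc_field "$1" scontext)")" = httpd_t ] || return 1
    case $(avc_type "$(avc_field "$1" tcontext)") in
        httpd_*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone run: summarise the sample and show the relabel options.
avc_summary "$SAMPLE_AVC"
if is_httpd_content_denial "$SAMPLE_AVC"; then
    cat <<'EOF'
Relabel the target so httpd_t may read it (run as root, then retest the WUI):
  ls -dZ /var/www /var/ossec                   # compare current labels
  chcon -R --reference /var/www /var/ossec     # the thread's quick fix; undone by a relabel
  semanage fcontext -a -t httpd_sys_content_t '/var/ossec(/.*)?'
  restorecon -Rv /var/ossec                    # persistent equivalent
EOF
fi
```

Two things the thread touches on but does not spell out: chcon changes only the inode labels, so a later restorecon or a full filesystem relabel puts /var/ossec back to var_t and the denial returns; semanage fcontext plus restorecon records the rule in the policy store instead. And labelling the whole of /var/ossec readable by httpd_t is broader than the web interface needs; Jeff's earlier suggestion of scoping the change to /var/ossec/logs is the narrower starting point, widening only to paths that show up in further AVC lines.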
[ossec-list] Re: Week of OSSEC - lots of tips / good information about OSSEC
On Sun, Nov 1, 2009 at 9:14 PM, Michael Starks wrote:
>
> The presentation is currently in Open Document format. Anyone know of a
> way I can add an audio track with the proper timing in an *open* format?
>

Use vncrec to capture a vnc session and record to theora?

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
Re: [ossec-list] Problem with Centos installation guide
On Wed, Dec 23, 2009 at 12:17 PM, Robert Lourenco wrote:
> Hi
>
> The link to installing Ossec on Centos does not work. And my installation
> does not work either.
>

Diagnostics would help :)

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
Re: [ossec-list] Feature Requests ?
>
> Appreciate your response; though as syscheck runs as root it is very hard
> to set via limits.conf as it would affect all root processes. I thought
> about adding ossec as a supplementary group to root and using that to reset
> the priority via limits.conf but I believe it only looks at the primary
> group. Do you believe this request would be feasible or should I look at
> alternative methods; though it would offer greater flexibility via the
> shared agent configuration of OSSEC.
>
> Thanks.
>

How about a cron job that looks for the process ID of the running check (using pgrep) and renices.. that's the way I have done it with other I/O intensive apps that I wanted to slow down in the past... alternatively a wrapper script?

If you have a configuration management system, then that would be trivial to deploy

Ta,
Joel

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
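The cron-plus-pgrep approach suggested above, written out as an added example for this page (not OSSEC code and not the exact script Joel used). It assumes the scan runs inside the stock ossec-syscheckd process, that the script is installed as /usr/local/sbin/renice-syscheck.sh (any path works), and that cron runs it as root; it lowers the nice value of every process with that exact name, and on Linux also drops its I/O priority, reporting which PIDs it changed.

```shell
#!/bin/sh
# Added example (not OSSEC code): lower the CPU priority, and on Linux the
# I/O priority, of a running syscheck scan from cron, as suggested above.
# Assumptions: the scan runs inside the stock ossec-syscheckd process; the
# script lives at /usr/local/sbin/renice-syscheck.sh and is run by root.
# Suggested root crontab entry, once a minute:
#   * * * * * /usr/local/sbin/renice-syscheck.sh ossec-syscheckd 15 >/dev/null 2>&1

# renice_by_name NAME NICE: set the nice value of every process whose exact
# name is NAME to NICE, skipping those already there. Prints one changed PID
# per line so the caller can see what happened. A process the caller may not
# touch makes renice fail; that PID is skipped rather than aborting the run.
renice_by_name() {
    name=$1
    target=$2
    for pid in $(pgrep -x "$name"); do
        current=$(ps -o ni= -p "$pid" | tr -d ' ')
        [ "$current" = "$target" ] && continue
        if renice "$target" -p "$pid" >/dev/null 2>&1; then
            # Best-effort class at its lowest level: slower, but never starved
            # the way the idle class (-c 3) can be. ionice is util-linux, so
            # it is only attempted where it exists.
            if command -v ionice >/dev/null 2>&1; then
                ionice -c 2 -n 7 -p "$pid" >/dev/null 2>&1 || true
            fi
            echo "$pid"
        fi
    done
}

# Stand-alone run: defaults match the crontab line above.
renice_by_name "${1:-ossec-syscheckd}" "${2:-15}"
```

Because the function skips processes already at the target value, running it every minute is idempotent and costs one pgrep; the first pass after a scan starts is the only one that does any work. Note that ionice only has an effect under an I/O scheduler that honours priorities (CFQ or BFQ), so on other schedulers the nice value is the only lever this script pulls.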