[ossec-list] Re: Problem with a cisco 837 router

2007-08-31 Thread [EMAIL PROTECTED]

Refer to this thread about a similar discussion:

http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b

Below is a snip from the thread above which shows you the sequence
numbers.

Here I have enabled service sequence-numbers on the router. From the
log file, you can see the sequence numbers of the IOS logs are 38 and
39. I believe the 43 and 44 are sequence numbers generated by the
syslog server (correct me if I am wrong).


Aug 21 16:18:23 192.168.1.1 43: 38: %SYS-5-CONFIG_I: Configured
from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 39: %SEC-6-IPACCESSLOGS: list 5
denied 203.20.69.66 1 packet


And here I have entered no service sequence-numbers on the router.
From the log file, you can see there are no longer any IOS sequence
numbers like xx.


Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from
console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied
203.20.69.66 2 packets


Contrast the above four lines of log with what I see on my router
when I do a show log:

38: %SYS-5-CONFIG_I: Configured from console by vty0
(203.10.110.199)
39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
%SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
%SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets

-

I haven't been able to get the OSSEC decoder to properly understand
cisco-ios_rules.xml. None of the rules fire at all even after I follow
what's on the wiki:

http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Step-by-Step_Cisco_IOS_config

I'm not really a coder nor have extensive regex experience so I've
given up. To get Ossec to read my cisco logs I just create my rules
and place them inside the local_rules.xml and then restart OSSEC. You
will also have to edit the BAD_WORDS list in syslog_rules.xml and
remove the word denied else rule id 13 below won't fire.

Example:

<!-- rules in local_rules.xml must sit inside a <group> element -->
<group name="cisco-ios-local,">
  <rule id="12" level="5">
    <match>%SYS-5-CONFIG_I</match>
    <description>Configuration change detected.</description>
  </rule>

  <rule id="13" level="7">
    <match>%SEC-6-IPACCESSLOGS</match>
    <description>Unauthorized access.</description>
  </rule>

  <rule id="14" level="9">
    <match>%LINEPROTO-5-UPDOWN</match>
    <description>Line protocol UP/DOWN.</description>
  </rule>

  <!-- renumbered from a second "14": OSSEC rule ids must be unique -->
  <rule id="15" level="9">
    <match>%LINK-3-UPDOWN</match>
    <description>Link state UP/DOWN.</description>
  </rule>
</group>

I haven't loaded /bin/ossec-remoted as outlined in the wiki and simply
told Ossec to monitor my cisco log file (/var/log/cisco.log). This is
because I also log a lot of other things on the system and do not want
to disable the syslog daemon so that Ossec can use UDP port 514 to
monitor incoming Cisco IOS logs.

Edit and add to /etc/ossec.conf the cisco log file to monitor.

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/cisco.log</location>
  </localfile>

If you want to use /bin/ossec-remoted , this wiki entry might help you
out:

http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config

As far as I know Cisco IOS doesn't give you the option to send IOS
logs on a different UDP port so you either turn off syslog and let
OSSEC use UDP port 514 or you keep syslog running and tell Ossec which
log file to monitor.

Hope that helps some people.
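As an added illustration (not code from the post or from OSSEC), here is a small Python parser for the two log shapes contrasted above: the syslog file with the server counter and optional IOS sequence number, and the bare "show log" form. It then applies the same substring tests the poster's local rules use, so you can see that the match strings fire regardless of whether sequence numbers are present. The group name, the renumbered rule 15 and the sample lines are constructed for the example.

```python
import re

# Constructed sample in the format shown in the post: syslog timestamp, router IP,
# the syslog server's counter ("43:"), an optional IOS sequence number ("38:") that
# appears only while "service sequence-numbers" is configured, then the message.
SYSLOG_FILE = """\
Aug 21 16:18:23 192.168.1.1 43: 38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
"""

# The same events as "show log" prints them on the router (no syslog header at all).
SHOW_LOG = """\
38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
%SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
"""

LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) )?"  # syslog header, if any
    r"(?:\d+: )*"                                                    # any number of counters
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# (id, level, match string, description) mirroring the poster's local_rules.xml,
# with the second "14" renumbered to 15 because OSSEC rule ids must be unique.
RULES = [
    (12, 5, "%SYS-5-CONFIG_I", "Configuration change detected."),
    (13, 7, "%SEC-6-IPACCESSLOGS", "Unauthorized access."),
    (14, 9, "%LINEPROTO-5-UPDOWN", "Line protocol UP/DOWN."),
    (15, 9, "%LINK-3-UPDOWN", "Link state UP/DOWN."),
]

def parse_ios_line(line):
    """Split one line into its fields; None when it is not an IOS message at all."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def match_rules(line):
    """Ids of every rule whose <match> text occurs in the line (OSSEC <match> is a substring test)."""
    return [rid for rid, _level, needle, _desc in RULES if needle in line]

def analyse(text):
    """Pair each parseable line's mnemonic with the rule ids it would fire."""
    out = []
    for line in text.splitlines():
        fields = parse_ios_line(line)
        if fields is not None:
            out.append((fields["mnemonic"], match_rules(line)))
    return out
```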



[ossec-list] Re: Cisco IOS question

2007-08-31 Thread [EMAIL PROTECTED]

Because I can't get Ossec to properly work with Cisco IOS logs I've
opted to use local_rules.xml and place my rules in there.

<!-- rules in local_rules.xml must sit inside a <group> element -->
<group name="cisco-ios-local,">
  <rule id="12" level="5">
    <match>%SYS-5-CONFIG_I</match>
    <description>Configuration change detected.</description>
  </rule>

  <rule id="13" level="7">
    <match>%SEC-6-IPACCESSLOGS</match>
    <description>Unauthorized access.</description>
  </rule>

  <rule id="14" level="9">
    <match>%LINEPROTO-5-UPDOWN</match>
    <description>Line protocol UP/DOWN.</description>
  </rule>

  <!-- renumbered from a second "14": OSSEC rule ids must be unique -->
  <rule id="15" level="9">
    <match>%LINK-3-UPDOWN</match>
    <description>Link state UP/DOWN.</description>
  </rule>
</group>

I've tested it out and it's doing what I want it to do now.
Hope that helps some people out.

If anyone has Ossec properly working with Cisco IOS logs, could they
please post the necessary config from the router and ossec.conf file?

Thanks.



[ossec-list] First custom rule - please check my syntax

2007-08-31 Thread Peter M. Abraham

Greetings:

I was investigating Apache segmentation faults on one of the servers
monitored by ossec 1.3, and found that right before the segmentation
fault was a hack attempt against shtml.dll (a FrontPage component).

I created the following rule in /var/ossec/rules/local_rules.xml

<group name="apache-custom,">
  <rule id="90100" level="12">
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>
</group>

The if_sid is based on Apache error messages grouped as this error
occurs in the Apache error log.

Did I write the rule correctly?  Are there any recommended changes?

Thank you.
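A syntax check like the one asked for above can be automated before restarting OSSEC. The following Python is an added example, not part of the post or of OSSEC: it parses a local_rules.xml fragment and reports the structural problems that commonly stop a rules file from loading (malformed XML, rules outside a group, duplicate ids, levels outside 0-15, a rule with no condition or no description). The id range 100000-119999 is the one OSSEC documents for user-defined rules; the sample text is constructed from the rule in the post.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml text modelled on the rule in the post above.
SAMPLE_RULES = """\
<group name="apache-custom,">
  <rule id="90100" level="12">
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>
</group>
"""

LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999   # range OSSEC documents for user-defined rules
CONDITIONS = ("match", "regex", "if_sid", "if_group", "if_matched_sid", "decoded_as", "hostname", "srcip")

def check_local_rules(xml_text):
    """Return a list of problems found; an empty list means every check passed."""
    try:  # a rules file may hold several <group> elements, so give it one root
        root = ET.fromstring("<ossec_rules>%s</ossec_rules>" % xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems, seen = [], set()
    for stray in root.findall("rule"):
        problems.append("rule %s is not inside a <group>" % stray.get("id"))
    for group in root.findall("group"):
        if not group.get("name"):
            problems.append("<group> without a name attribute")
        for rule in group.findall("rule"):
            rid, level = rule.get("id"), rule.get("level")
            if rid is None or not rid.isdigit():
                problems.append("rule with missing or non-numeric id")
                continue
            if rid in seen:
                problems.append("rule %s: duplicate id" % rid)
            seen.add(rid)
            if not LOCAL_ID_MIN <= int(rid) <= LOCAL_ID_MAX:
                problems.append("rule %s: id outside the local range %d-%d" % (rid, LOCAL_ID_MIN, LOCAL_ID_MAX))
            if level is None or not level.isdigit() or int(level) > 15:
                problems.append("rule %s: level must be 0-15" % rid)
            if rule.find("description") is None:
                problems.append("rule %s: missing <description>" % rid)
            if all(rule.find(tag) is None for tag in CONDITIONS):
                problems.append("rule %s: no condition (match, regex, if_sid, ...)" % rid)
    return problems
```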



[ossec-list] Re: Ossec failed after server reboot

2007-08-31 Thread Peter M. Abraham

Greetings:

I created a small number of sonicwall rules in /var/ossec/rules/
local_rules.xml

When I restarted ossec, it told me there was no sonicwall decoder.

When I commented out the decoder section for sonicwall in /var/ossec/
etc/decoder.xml I was told there is an error in the sonicwall decoder.

I was not sure how to fix the error, but wanted to pass this along.

Thank you.

P.S.  I did privately email relevant sonicwall log info.



[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

2007-08-31 Thread Joel Gray

Hi all,

I am running into the same issue.  I tried various combinations
including setting the type to var_log_t,httpd_log_t and others and
changing the user to system (basically setting the enforcement as the
httpd logs) but all to no avail.

Has anyone had any luck with it?  For the time being I've turned off
enforcement which fixes the WUI error, but I would like to get SELinux
re-enabled.

Best Regards,
-Joel


-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Jeff Schroeder
Sent: Monday, August 13, 2007 5:33 PM
To: ossec-list
Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec
directory


avc deny = SELinux problem. I'm not any SELinux guru, but you might be
able to fix this.

http://fedoraproject.org/wiki/SELinux/apache Gives a few pointers.

I *think* something like this will work until a proper SELinux policy
is written for ossec:
chcon -R -h -t httpd_unconfined_script_exec_t /path/to/ossec-wui
chcon -R -h -t httpd_sys_content_t /var/ossec/logs

If you get tired of all of this and want to disable SELinux:
setenforce 0

Try looking at what labels are on ossec and on apache:
ps aux -Z | egrep 'httpd|ossec'
ls -alZ /var/ossec/ /path/to/ossec-wui

The -Z option shows SELinux labelling attributes. You can also use the
avc deny messages you got to feed into the audit2allow tool to create
a template that permits what was denied. Note that I have 0 fedora
boxes to test this on so it is mostly from what I can read and
remember.

On Aug 13, 3:16 pm, Robert5156 [EMAIL PROTECTED] wrote:
 I followed the instructions in the link below

 http://www.ossec.net/wiki/index.php/OSSECWUI:Install

 for installing web interface.

 I did add the web user to the ossec group and i did restart the apache
 service.

 When i access the site http ://anyhost/ossec-wui/ i am getting the
 error on the web page saying

 Unable to access ossec directory

 I also get a notification from OSSEC installed on this system saying
 the following

 OSSEC HIDS Notification.
 2007 Aug 13 16:09:20

 Received From: systemname-/var/log/messages
 Rule: 1002 fired (level 7) - Unknown problem somewhere in the
 system.
 Portion of the log(s):

 Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc:
 denied  { read } for  pid=29595 comm=httpd name=ossec dev=dm-0
 ino=16957254 scontext=root:system_r:httpd_t:s0
 tcontext=root:object_r:var_t:s0 tclass=dir

  --END OF NOTIFICATION

 Help please.
 apache is my web user.Found by using ps -aux | grep http

 The tmp/ folder inside ossec-wui folder has the following permissions

 drwxrwxrwx 2 root apache  4096 Aug 13 15:05 tmp

 The etc/group file has
 ossec:x:3004:apache added

 /var/ossec is the dir which has ossec installed.The permissions for
 ossec folder are as follows.

 dr-xr-xr-- 11 root ossec   4096 Aug  8 11:07 ossec

 Help please. Running Fedora 6
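To make sense of the avc message quoted in this thread without guessing, it helps to pull the fields apart. This Python is an added example (not from the thread, OSSEC or any SELinux tool): it parses an avc denial into the source domain, target label, object class and permissions, gives a one-line summary for triage, and shows the allow statement audit2allow would derive from it, which grants the access rather than relabelling the target as the chcon fixes in this thread do. The log line is re-typed from the post as a constructed sample.

```python
import re

# The avc denial quoted in the thread, re-typed here as a constructed sample.
AVC_LINE = ("Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc: "
            "denied  { read } for  pid=29595 comm=httpd name=ossec dev=dm-0 "
            "ino=16957254 scontext=root:system_r:httpd_t:s0 "
            "tcontext=root:object_r:var_t:s0 tclass=dir")

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs after "for"

def parse_avc(line):
    """Return a dict describing the denial, or None if the line is not an avc message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"result": m.group("result"), "perms": m.group("perms").split(), "fields": fields}
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")   # user:role:type:level
        if len(parts) >= 3:
            rec[key[0] + "type"] = parts[2]      # rec["stype"] / rec["ttype"]
    return rec

def summarise(rec):
    """One line a triager can read: which domain was refused what on which label."""
    f = rec["fields"]
    return "%s (%s) was %s %s on %s '%s' labelled %s" % (
        f.get("comm"), rec.get("stype"), rec["result"], ",".join(rec["perms"]),
        f.get("tclass"), f.get("name"), rec.get("ttype"))

def allow_rule(rec):
    """The policy statement audit2allow would derive from this denial.

    It widens the httpd_t domain's access to every var_t directory; relabelling
    just the ossec tree (the chcon approach in the thread) is the narrower change.
    """
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["fields"]["tclass"], " ".join(rec["perms"]))
```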



[ossec-list] Snort Full Issue

2007-08-31 Thread Zachary Roetemeyer

I am launching two instances of snort with the following commands:

/usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D
/usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D

I have this in my ossec.conf file with ossec running in agent mode on
my snort sensor:
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

This is what I get in my ossec.log:
2007/08/31 11:23:51 ossec-logcollector: Started (pid: 5249).
2007/08/31 11:30:13 ossec-logcollector: Bad formated snort full file.
2007/08/31 11:44:51 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:06:55 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:15:53 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:17:31 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:17:57 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:18:39 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:19:29 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:21:09 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:21:35 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:22:21 ossec-logcollector(1904): File not available,
ignoring it: '/var/log/snort/alert'.


After which I stop getting any alerts from ossec on the snort events.
Does anyone have any ideas as to why this may be happening (if there
was a previous discussion about this issue please let me know...and
point me at it).

I'm using ossec 1.3 with snort 2.7.0.1.

-- 
Zac Roetemeyer
[EMAIL PROTECTED]


[ossec-list] IMAP fetch overflow

2007-08-31 Thread Jonathan Hipkiss

Hi,

Has anybody got any ideas of what this is: IMAP Fetch Overflow Attempt

[**] [1:3070:1] IMAP fetch overflow attempt [**]
[Classification: Misc Attack] [Priority: 2]
???.???.???.???:48104 -> ???.???.???.???:143

It triggers every time I try and collect email using Thunderbird on my 
pc accessing my local email server using IMAP.

I can't find any reference to this attack.

Thanks



Jonathan


[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

2007-08-31 Thread MdMonk

Props to Syndrowm for guiding me in figuring this out. Thanks Evan!

This will change the selinux permissions on the /var/ossec directory,
to match those of the web directory. You can get more restrictive but
I'm unsure exactly which directories the web server would need access
to in the ossec dir (/var/ossec).

For this example, the web dir is /var/www, and ossec is in /var/ossec:
chcon -R --reference /var/www/ /var/ossec/

That is what worked on my FC6 box. And it worked on F7 (just confirmed).

You can get more restrictive in your modifications of the selinux
permissions if you know what dirs and files the web server needs to
access; then modify the chcon cmd as needed.

NOTE: This works for my setup, and didn't break anything (that I have
seen so far). That's not to say that it wouldn't fubar your setup.
What's the acronym? YMMV. :)

-Chuck (MdMonk)
