[ossec-list] Re: Problem with a cisco 837 router
Refer to this thread about a similar discussion: http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b

Below is a snip from the thread above which shows you the sequence numbers.

Here I have enabled "service sequence-numbers" on the router. From the log file, you can see the sequence numbers of the IOS logs are 38 and 39. I believe the 43 and 44 are sequence numbers generated by the syslog server (correct me if I am wrong).

    Aug 21 16:18:23 192.168.1.1 43: 38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    Aug 21 16:29:43 192.168.1.1 44: 39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet

And here I have entered "no service sequence-numbers" on the router. From the log file, you can see there are no longer any IOS sequence numbers like "xx:".

    Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets

Contrast the above four lines of log with what I see on my router when I do a "show log":

    38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
    %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
    %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets

- I haven't been able to get the OSSEC decoder to properly understand cisco-ios_rules.xml. None of the rules fire at all, even after I follow what's on the wiki: http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Step-by-Step_Cisco_IOS_config

I'm not really a coder, nor do I have extensive regex experience, so I've given up. To get OSSEC to read my Cisco logs I just create my rules and place them inside local_rules.xml and then restart OSSEC. You will also have to edit the BAD_WORDS list in syslog_rules.xml and remove the word "denied", or else rule id 13 below won't fire.
Example:

    <rule id="12" level="5">
      <match>%SYS-5-CONFIG_I</match>
      <description>Configuration change detected.</description>
    </rule>
    <rule id="13" level="7">
      <match>%SEC-6-IPACCESSLOGS</match>
      <description>Unauthorized access.</description>
    </rule>
    <rule id="14" level="9">
      <match>%LINEPROTO-5-UPDOWN</match>
      <description>Line protocol UP/DOWN.</description>
    </rule>
    <!-- rule ids must be unique, so the second UP/DOWN rule gets its own id -->
    <rule id="15" level="9">
      <match>%LINK-3-UPDOWN</match>
      <description>Link state UP/DOWN.</description>
    </rule>

I haven't loaded /bin/ossec-remoted as outlined in the wiki, and have simply told OSSEC to monitor my Cisco log file (/var/log/cisco.log). This is because I also log a lot of other things on the system and do not want to disable the syslog daemon so that OSSEC can use UDP port 514 to monitor incoming Cisco IOS logs.

Edit /etc/ossec.conf and add the Cisco log file to monitor:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/cisco.log</location>
    </localfile>

If you want to use /bin/ossec-remoted, this wiki entry might help you out: http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config

As far as I know Cisco IOS doesn't give you the option to send IOS logs on a different UDP port, so you either turn off syslog and let OSSEC use UDP port 514, or you keep syslog running and tell OSSEC which log file to monitor.

Hope that helps some people.
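As an added example (not code from the thread): a small Python parser that splits the relayed IOS lines quoted above into the syslog server's counter, the optional IOS sequence number and the %FACILITY-SEVERITY-MNEMONIC header, then applies the same substring rules as the local_rules.xml above and flags the lines that also contain the BAD_WORDS entry "denied" the post says must be removed. The sample lines and the one-word BAD_WORDS list are constructed from the post.

```python
import re

# Constructed sample shaped like the post's lines: the syslog server's counter ("43:")
# comes first, then the optional IOS "service sequence-numbers" counter ("38:");
# the last two lines were logged after "no service sequence-numbers".
SAMPLE_LOG = """\
Aug 21 16:18:23 192.168.1.1 43: 38: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 39: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
"""
# The post's local_rules.xml as (id, level, match); the second id 14 is renumbered 15.
RULES = [(12, 5, "%SYS-5-CONFIG_I"), (13, 7, "%SEC-6-IPACCESSLOGS"),
         (14, 9, "%LINEPROTO-5-UPDOWN"), (15, 9, "%LINK-3-UPDOWN")]
# Only the BAD_WORDS entry the post says to remove; the real list in syslog_rules.xml is longer.
BAD_WORDS = ("denied",)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<server_seq>\d+): )?(?:(?P<ios_seq>\d+): )?"   # both counters optional
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)

def parse_ios_line(line):
    """Split one relayed IOS syslog line into fields; None if it is not IOS-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    for k in ("server_seq", "ios_seq", "severity"):
        f[k] = int(f[k]) if f[k] is not None else None
    return f

def match_rules(line):
    """First local rule whose <match> string is a substring of the line, as (id, level)."""
    for rule_id, level, pattern in RULES:
        if pattern in line:
            return rule_id, level
    return None

def process(log_text):
    """Parse each line, attach the matching local rule and flag any BAD_WORDS overlap."""
    out = []
    for line in log_text.splitlines():
        f = parse_ios_line(line)
        if f is None:
            continue
        f["rule"] = match_rules(line)
        f["hits_bad_words"] = any(w in line for w in BAD_WORDS)
        out.append(f)
    return out
```

Lines whose "hits_bad_words" flag is set are the ones the generic syslog BAD_WORDS rule also claims, which is the overlap the post works around by editing syslog_rules.xml.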
[ossec-list] Re: Cisco IOS question
Because I can't get OSSEC to properly work with Cisco IOS logs I've opted to use local_rules.xml and place my rules in there:

    <rule id="12" level="5">
      <match>%SYS-5-CONFIG_I</match>
      <description>Configuration change detected.</description>
    </rule>
    <rule id="13" level="7">
      <match>%SEC-6-IPACCESSLOGS</match>
      <description>Unauthorized access.</description>
    </rule>
    <rule id="14" level="9">
      <match>%LINEPROTO-5-UPDOWN</match>
      <description>Line protocol UP/DOWN.</description>
    </rule>
    <!-- rule ids must be unique, so the second UP/DOWN rule gets its own id -->
    <rule id="15" level="9">
      <match>%LINK-3-UPDOWN</match>
      <description>Link state UP/DOWN.</description>
    </rule>

I've tested it out and it's doing what I want it to do now. Hope that helps some people out.

If anyone has OSSEC properly working with Cisco IOS logs, could they please post the necessary config from the router and the ossec.conf file? Thanks.
[ossec-list] First custom rule - please check my syntax
Greetings:

I was investigating Apache segmentation faults on one of the servers monitored by ossec 1.3, and found that right before the segmentation fault was a hack attempt against shtml.dll (a FrontPage component). I created the following rule in /var/ossec/rules/local_rules.xml:

    <group name="apache-custom,">
      <rule id="90100" level="12">
        <if_sid>30101</if_sid>
        <match>shtml.dll</match>
        <description>Possible FrontPage hack attempt</description>
      </rule>
    </group>

The if_sid is based on the Apache error messages group, as this error occurs in the Apache error log. Did I write the rule correctly? Are there any recommended changes?

Thank you.
[ossec-list] Re: Ossec failed after server reboot
Greetings:

I created a small number of sonicwall rules in /var/ossec/rules/local_rules.xml. When I restarted ossec, it told me there was no sonicwall decoder. When I commented out the decoder section for sonicwall in /var/ossec/etc/decoder.xml, I was told there is an error in the sonicwall decoder. I was not sure how to fix the error, but wanted to pass this along.

Thank you.

P.S. I did privately email relevant sonicwall log info.
[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory
Hi all,

I am running into the same issue. I tried various combinations, including setting the type to var_log_t, httpd_log_t and others, and changing the user to system (basically setting the enforcement as the httpd logs), but all to no avail. Has anyone had any luck with it? For the time being I've turned off enforcement, which fixes the WUI error, but I would like to get SELinux re-enabled.

Best Regards,
-Joel

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Schroeder
Sent: Monday, August 13, 2007 5:33 PM
To: ossec-list
Subject: [ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

avc deny = SELinux problem. I'm not any SELinux guru, but you might be able to fix this. http://fedoraproject.org/wiki/SELinux/apache gives a few pointers.

I *think* something like this will work until a proper SELinux policy is written for ossec:

    chcon -R -h -t httpd_unconfined_script_exec_t /path/to/ossec-wui
    chcon -R -h -t httpd_sys_content_t /var/ossec/logs

If you get tired of all of this and want to disable SELinux:

    setenforce 0

Try looking at what labels are on ossec and on apache:

    ps aux -Z | egrep 'httpd|ossec'
    ls -alZ /var/ossec/ /path/to/ossec-wui

The -Z option shows SELinux labelling attributes. You can also use the avc deny messages you got to feed into the audit2allow tool to create a template that permits what was denied. Note that I have 0 Fedora boxes to test this on, so it is mostly from what I can read and remember.

On Aug 13, 3:16 pm, Robert5156 [EMAIL PROTECTED] wrote:

I followed the instructions in the link below for installing the web interface: http://www.ossec.net/wiki/index.php/OSSECWUI:Install

I did add the web user to the ossec group and I did restart the apache service. When I access the site http://anyhost/ossec-wui/ I am getting the error on the web page saying "Unable to access ossec directory". I also get a notification from OSSEC installed on this system saying the following:

    OSSEC HIDS Notification.
    2007 Aug 13 16:09:20

    Received From: systemname->/var/log/messages
    Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc: denied { read } for pid=29595 comm=httpd name=ossec dev=dm-0 ino=16957254 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir

    --END OF NOTIFICATION

Help please. apache is my web user (found by using ps -aux | grep http). The tmp/ folder inside the ossec-wui folder has the following permissions:

    drwxrwxrwx 2 root apache 4096 Aug 13 15:05 tmp

The /etc/group file has ossec:x:3004:apache added. /var/ossec is the dir which has ossec installed. The permissions for the ossec folder are as follows:

    dr-xr-xr-- 11 root ossec 4096 Aug 8 11:07 ossec

Help please. Running Fedora 6.
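For triaging denials like the one quoted in this thread, here is an added Python helper (not from the list or from OSSEC) that pulls the denied permission, the source and target SELinux types and the object class out of an "avc: denied" line, so it is clear which label has to change before touching anything with chcon or setenforce. The sample line is a constructed copy of the one above.

```python
import re

# Constructed copy of the AVC denial quoted in the thread, on one line.
SAMPLE_AVC = ("Aug 13 16:09:19 systemname kernel: audit(1187046559.343:130): avc: denied "
              "{ read } for pid=29595 comm=httpd name=ossec dev=dm-0 ino=16957254 "
              "scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir")

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def selinux_type(context):
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["perms"] = m.group("perms").split()
    fields["source_type"] = selinux_type(fields["scontext"])
    fields["target_type"] = selinux_type(fields["tcontext"])
    return fields

def summarize(fields):
    """One line naming who was denied what on which object, for the incident note."""
    return (f"{fields['comm']} ({fields['source_type']}) denied {','.join(fields['perms'])} "
            f"on {fields['tclass']} '{fields['name']}' labelled {fields['target_type']}")

def web_denials(lines, web_type="httpd_t"):
    """Keep only denials whose source domain is the web server's (default httpd_t)."""
    parsed = (parse_avc(l) for l in lines)
    return [f for f in parsed if f is not None and f["source_type"] == web_type]
```

Run against the quoted line, summarize() reports that httpd in httpd_t was refused read on the directory "ossec" labelled var_t, which is why relabelling /var/ossec (as done later in the thread) clears the WUI error.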
[ossec-list] Snort Full Issue
I am launching two instances of snort with the following commands:

    /usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D
    /usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D

I have this in my ossec.conf file, with ossec running in agent mode on my snort sensor:

    <localfile>
      <log_format>snort-full</log_format>
      <location>/var/log/snort/alert</location>
    </localfile>

This is what I get in my ossec.log:

    2007/08/31 11:23:51 ossec-logcollector: Started (pid: 5249).
    2007/08/31 11:30:13 ossec-logcollector: Bad formated snort full file.
    2007/08/31 11:44:51 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:06:55 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:15:53 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:17:31 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:17:57 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:18:39 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:19:29 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:21:09 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:21:35 ossec-logcollector: Bad formated snort full file.
    2007/08/31 12:22:21 ossec-logcollector(1904): File not available, ignoring it: '/var/log/snort/alert'.

After which I stop getting any alerts from ossec on the snort events. Does anyone have any ideas as to why this may be happening (if there was a previous discussion about this issue, please let me know... and point me at it)? I'm using ossec 1.3 with snort 2.7.0.1.

-- Zac Roetemeyer [EMAIL PROTECTED]
[ossec-list] IMAP fetch overflow
Hi,

Has anybody got any ideas of what this is?

    IMAP Fetch Overflow Attempt
    [**] [1:3070:1] IMAP fetch overflow attempt [**]
    [Classification: Misc Attack] [Priority: 2]
    ???.???.???.???:48104 -> ???.???.???.???:143

It triggers every time I try to collect email using Thunderbird on my PC, accessing my local email server using IMAP. I can't find any reference to this attack.

Thanks
Jonathan
[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory
Props to Syndrowm for guiding me in figuring this out. Thanks Evan!

# This will change the SELinux permissions on the /var/ossec directory to match those of the web directory. You can get more restrictive, but I'm unsure exactly which directories the web server would need access to in the ossec dir (/var/ossec). For this example, the web dir is /var/www, and ossec is in /var/ossec:

    chcon -R --reference /var/www/ /var/ossec/

That is what worked on my FC6 box. And it worked on F7 (just confirmed). You can get more restrictive in your modifications of the SELinux permissions if you know what dirs and files the web server needs to access; then modify the chcon cmd as needed.

NOTE: This works for my setup, and didn't break anything (that I have seen so far). That's not to say that it wouldn't fubar your setup. What's the acronym? YMMV. :)

-Chuck (MdMonk)

On 8/31/07, Joel Gray [EMAIL PROTECTED] wrote:

Hi all, I am running into the same issue. I tried various combinations, including setting the type to var_log_t, httpd_log_t and others, and changing the user to system (basically setting the enforcement as the httpd logs), but all to no avail. Has anyone had any luck with it? For the time being I've turned off enforcement, which fixes the WUI error, but I would like to get SELinux re-enabled.

Best Regards,
-Joel