Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Eero!

Yes, this works in my setup :) Tried it to make sure. Sendmail is installed 
on this particular box, so changed mail into sendmail and fired away :)

Best regards,
Fredrik 


Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
is this working on your ossec server:

echo foo | mail youremail@yourdomain -s 'test'

could you give example of your mail configuration?

Eero


Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Eero!

Anything specific to look for that could conflict with this particular 
alert - mail alerts seem to be working fine for other rules? 

I checked the mail.info for anything obvious, but couldn't see anything 
suspicious at first glance...

Best regards,
Fredrik 


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
Please check your mail server configuration?



Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Santiago, please find more details below.

Best regards,
Fredrik 

Yes, I see the alert written to alerts.log (pulled the alert below out of 
the archive from yesterday) and email alerts are working for other rules. I 
also restarted ossec but to no avail. Strange! 

ossec-alerts-23.log.gz:
Rule: 100130 (level 12) -> 'SCEP malware alert' Feb 23 20:37:00 ossec-svr 
SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar 
Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-
14f29c54 Quarantine Succeeded

ossec.conf:
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>


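Santiago's three questions (is the alert in alerts.log, which global email settings are set, what is email_alert_level) and Fredrik's answer (rule 100130 at level 12 carrying alert_by_email, threshold 7) can be turned into a mechanical check. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It applies the documented OSSEC e-mail policy (email_notification on, the rule not carrying no_email_alert, and either the level reaching email_alert_level or the rule carrying alert_by_email) and compares the result with the "mail" token that ossec-analysisd writes into the "** Alert" header line of alerts.log when it has marked an alert for ossec-maild. That header line is not shown in the thread, so the header lines, timestamps and group names in the sample excerpt are constructed; the Rule: lines and the SCEP event are the ones posted. The names parse_alerts_log, should_email and triage are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed alerts.log excerpt.  The "Rule:" lines and the SCEP event are the ones
# posted in the thread; the "** Alert" header lines follow the real alerts.log layout
# (unix time.sequence, the token "mail" only when analysisd flagged the alert for
# ossec-maild, then the rule's groups) but were not shown in the thread, so their
# timestamps and groups are assumptions.
SAMPLE_ALERTS_LOG = """\
** Alert 1456259820.1001: mail  - local,syslog,
2016 Feb 23 20:37:00 ossec-svr->/var/log/messages
Rule: 100130 (level 12) -> 'SCEP malware alert'
Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\\Users\\toho\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\748789-14f29c54 Quarantine Succeeded

** Alert 1456260000.1002: - ossec,
2016 Feb 23 20:40:00 ossec-svr->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<mail> mail )? - (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    flagged_for_mail: bool        # analysisd's own decision, recorded in the header line
    groups: List[str]


def parse_alerts_log(text: str) -> List[Alert]:
    """Pair each '** Alert' header with the 'Rule:' line that follows it."""
    alerts: List[Alert] = []
    header = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header = h
            continue
        r = RULE_RE.match(line)
        if r and header is not None:
            alerts.append(Alert(
                rule_id=int(r.group("id")),
                level=int(r.group("level")),
                description=r.group("desc"),
                flagged_for_mail=header.group("mail") is not None,
                groups=[g for g in header.group("groups").split(",") if g],
            ))
            header = None
    return alerts


def should_email(level: int, options: Set[str], email_alert_level: int,
                 email_notification: bool = True) -> bool:
    """Documented OSSEC policy: mail is sent when <email_notification> is yes, the rule
    does not carry no_email_alert, and either the level reaches <email_alert_level>
    or the rule carries alert_by_email."""
    if not email_notification or "no_email_alert" in options:
        return False
    return level >= email_alert_level or "alert_by_email" in options


def triage(text: str, email_alert_level: int,
           rule_options: Dict[int, Set[str]]) -> List[Tuple[int, bool, bool]]:
    """For each alert return (rule_id, policy_says_mail, analysisd_flagged_mail).
    A mismatch means the rules/ossec.conf side is wrong; agreement on True with no
    mail delivered means the fault is in ossec-maild or the MTA."""
    return [
        (a.rule_id,
         should_email(a.level, rule_options.get(a.rule_id, set()), email_alert_level),
         a.flagged_for_mail)
        for a in parse_alerts_log(text)
    ]


if __name__ == "__main__":
    # Fredrik's configuration: <email_alert_level>7</email_alert_level>,
    # rule 100130 with <options>alert_by_email</options>.
    for rule_id, expected, flagged in triage(SAMPLE_ALERTS_LOG, 7, {100130: {"alert_by_email"}}):
        print(f"rule {rule_id}: policy={'mail' if expected else 'no mail'} "
              f"analysisd={'mail' if flagged else 'no mail'}")
```

Run it against a real /var/ossec/logs/alerts/alerts.log with your own threshold and rule options: if the policy says mail and the header carries the token, analysisd has done its part and the next thing to check is ossec-maild and the MTA, which is exactly where Eero's "echo foo | mail ..." test points.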

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Santiago Bassett
Did you say other alerts are triggering emails correctly? Everything looks
good to me, but here are some questions that might help troubleshoot the
problem.

Do you see the alert in alerts.log file?
Have you configured other global email settings?
What is your email_alerts_level?




[ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Hi All,

Another question for all you Ossec gurus. I have another rule set up to 
handle messages in a somewhat strange format (below). I would like this to 
ultimately trigger an email alert - which is working for other rules. 

Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com 
Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC 
time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\
Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded

I see that an alert is written to alerts.log, and ossec-logtest finished 
processing with **Alert to be generated. However, no email is sent? 

  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <options>alert_by_email</options>
    <description>SCEP malware alert</description>
  </rule>

As I wasn't sure how to best extract fields from the message above, the 
decoder simply matches on program_name. Please feel free to suggest 
variants to decode the message and make use of the fields available in 
OSSEC. Perhaps my failure to do so can have something to do with the 
missing email alert?

  <decoder name="MSSCEP">
    <program_name>SCEP</program_name>
    <type>syslog</type>
  </decoder>


Finally, output from ossec-logtest:

**Phase 1: Completed pre-decoding.
   full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: 
client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 
Last detection time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
 
Quarantine Succeeded'
   hostname: 'ossec-srv'
   program_name: 'SCEP'
   log: 'Malware alert: client2.domain.com 
Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection 
time(UTC time): 8/5/2013 10:42:41 AM 
file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54
 
Quarantine Succeeded'

**Phase 2: Completed decoding.
   decoder: 'MSSCEP'

**Phase 3: Completed filtering (rules).
   Rule id: '100130'
   Level: '12'
   Description: 'SCEP malware alert'
**Alert to be generated.

Best regards,
Fredrik 


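Fredrik asks above for a way to decode the SCEP line into fields rather than matching on program_name alone. The parser below is an added example written for this page, not code from the thread or from the OSSEC project. It mirrors what ossec-logtest's phase 1 and phase 2 do for this event: split the syslog envelope (hostname, program_name, pid, log), then pull the reporting client, threat name, infection count, detection time, file path and result out of the message. The two sample lines are constructed copies of the events posted in the thread; the names decode_scep and quarantine_failed, and the assumption that the message always ends in a two-word action/result pair such as "Quarantine Succeeded", are mine.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed copies of the two events posted in the thread (user1 and toho variants).
SAMPLE_EVENTS = [
    "Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 "
    "Last detection time(UTC time): 8/5/2013 10:42:41 AM "
    "file:_C:\\Users\\user1\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\748789-14f29c54 "
    "Quarantine Succeeded",
    "Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 "
    "Last detection time(UTC time): 8/5/2013 10:42:41 AM "
    "file:_C:\\Users\\toho\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\9\\748789-14f29c54 "
    "Quarantine Succeeded",
]

# Phase 1 equivalent: the syslog envelope "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# Phase 2 equivalent: the SCEP payload.  The Windows path may contain spaces, so it is
# taken greedily and the trailing two words are treated as the action/result pair
# ("Quarantine Succeeded" on the page; other verbs are an assumption of this example).
SCEP_RE = re.compile(
    r"^Malware alert: (?P<client>\S+) (?P<threat>\S+) "
    r"Number of infections: (?P<infections>\d+) "
    r"Last detection time\(UTC time\): "
    r"(?P<detected>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"file:_(?P<path>.+) (?P<action>\S+ \S+)$"
)


def decode_scep(line: str) -> Optional[dict]:
    """Return the decoded fields for a SCEP malware alert, or None when the line is
    not one (the equivalent of the MSSCEP decoder not matching)."""
    env = SYSLOG_RE.match(line)
    if not env or env.group("program_name") != "SCEP":
        return None
    body = SCEP_RE.match(env.group("log"))
    if not body:
        return None
    detected = datetime.strptime(body.group("detected"), "%m/%d/%Y %I:%M:%S %p")
    return {
        "hostname": env.group("hostname"),
        "program_name": env.group("program_name"),
        "pid": int(env.group("pid")) if env.group("pid") else None,
        "client": body.group("client"),
        "threat": body.group("threat"),
        "infections": int(body.group("infections")),
        # SCEP states the detection time is UTC, so attach that zone explicitly.
        "detected_utc": detected.replace(tzinfo=timezone.utc),
        "path": body.group("path"),
        "action": body.group("action"),
    }


def quarantine_failed(event: dict) -> bool:
    """True when the action did not end in 'Succeeded'; the case that deserves a
    higher rule level than a clean quarantine."""
    return not event["action"].endswith("Succeeded")


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = decode_scep(line)
        print(ev["hostname"], ev["client"], ev["threat"],
              ev["detected_utc"].isoformat(), ev["action"],
              "FAILED" if quarantine_failed(ev) else "ok")
```

Two things the fields make visible that the bare match does not: the detection time (August 2013) is years older than the syslog timestamp, so SCEP is re-reporting a historic detection rather than a new infection, and the result word lets a child rule raise the level only when quarantine did not succeed. Porting this to a native decoder means expressing the two regexes in OSSEC's own regex dialect and mapping the captures onto the fixed names its <order> accepts (for example system_name, extra_data, action), since OSSEC 2.x does not take arbitrary field names.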

[ossec-list] Re: Alert message on the subject

2016-02-23 Thread Pedro S
Hi,

*I did not test it* but try the following:

Open the file /var/ossec/etc/internal_options.conf and modify the line (in 
your OSSEC Manager):

# Maild full subject (0=disabled, 1=enabled)
*maild.full_subject=1*

It seems like OSSEC has two different kinds of subjects:

#define MAIL_SUBJECT "OSSEC Notification - %s - Alert level %d"
#define MAIL_SUBJECT_FULL "OSSEC Alert - %s - Level %d - %s"

And uses them in os_maild_client.c 


I hope it helps!

Regards,

Pedro S.





[ossec-list] Re: Alert message on the subject

2016-02-23 Thread Jesus Linares
Hi,

I think you can't change the subject. At least, I can't find anything 
related to that in the documentation.

What is your final goal?

Regards.
Jesus Linares.



Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Decoder and rules for active-response are the same in both Wazuh and OSSEC. 
I meant that rules 601-606 are for a specific sh (check tag *action*), so 
if you are using a custom sh you will not see the alert. Also, alert 600 is 
generic (for all active responses) but level is 0.

Regards.
Jesus Linares.

On Tuesday, February 23, 2016 at 3:56:02 PM UTC+1, Barry Kaplan wrote:
>
> Seems that wazuh already has a decoder and rules for active-response. (Not 
> sure if these are also in ossec proper)
>
>
> https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/ossec_rules.xml
>



[ossec-list] Alert message on the subject

2016-02-23 Thread Junior Karvalho
How do I add the alert message to the subject?

Subject: OSSEC Notification - Alvin - level Alert 3 -> (ossec server 
started.)

OSSEC HIDS Notification.
2016 Feb 23 13:35:53

Received From: alvin->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.

 --END OF NOTIFICATION




Re: [ossec-list] rules files as symlinks

2016-02-23 Thread Rui Zhang
It is interesting that a symlink works for ossec.conf under the etc folder, but 
doesn't work for client.keys under the etc folder for the agent type. 

On Wednesday, February 17, 2016 at 10:13:46 AM UTC-8, Santiago Bassett 
wrote:
>
> Yes, if it is inside the jail then that should be ok. Also check that your 
> ossec.conf is configured to look for the rules where you want. As well, 
> symbolic links inside the jail should work.
>
> I hope that helps
>
> On Wed, Feb 17, 2016 at 7:49 AM, Rui Zhang  > wrote:
>
>> Thank you, Santiago! Other than remounting a partition inside the jail, 
>> can we configure the folder for rules files? If we can configure the 
>> folder, would this also be inside the same jail too? I am thinking of 
>> configuring the rules folder to /opt/ossec/rules, but I guess it will be 
>> looking for rules under /var/ossec/opt/ossec/rules instead of 
>> /opt/ossec/rules. 
>>
>> On Tuesday, February 16, 2016 at 6:24:46 PM UTC-8, Santiago Bassett wrote:
>>>
>>> This is because ossec-analysisd process runs in a chroot environment, so 
>>> it can't reach anything out of the jail (/var/ossec). 
>>>
>>> In some scenarios, when really necessary, what we do is remount a 
>>> partition inside the jail (mount -o bind). I don't recommend this, but it 
>>> is a workaround that should work.
>>>
>>> Best
>>>
>>> On Tue, Feb 16, 2016 at 2:45 PM, Rui Zhang wrote:
>>>
 Hi,

 I am trying to use a symlink for local_rules.xml. Here is what I did

 cd /var/ossec/rules
 cp local_rules.xml /opt/ossec/rules
 mv local_rules.xml local_rules.xml.bak
 ln -s /opt/ossec/rules/local_rules.xml local_rules.xml

 But I couldn't start OSSEC after this change, and when I check the log 
 file, it indicates that it couldn't read the XML file local_rules.xml.
 2016/02/16 14:22:49 ossec-analysisd(1226): ERROR: Error reading XML 
 file '/rules/local_rules.xml': XMLERR: File '/rules/local_rules.xml' not 
 found. (line 88).
 2016/02/16 14:22:49 ossec-analysisd(1220): ERROR: Error loading the 
 rules: 'local_rules.xml'.
 2016/02/16 14:22:52 ossec-syscheckd(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
 2016/02/16 14:22:52 ossec-rootcheck(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
 2016/02/16 14:22:58 ossec-logcollector(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
 2016/02/16 14:22:58 ossec-logcollector(1211): ERROR: Unable to access 
 queue: '/var/ossec/queue/ossec/queue'. Giving up..

 I checked the user/group and permission of those files, and they seem 
 to be identical. So OSSEC won't take symlink for rules XML file?
 ll /opt/ossec/rules/local_rules.xml 
 -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 
 /opt/ossec/rules/local_rules.xml*

 ll local_rules.xml.bak 
 -r-xr-x--- 1 root ossec 1551 Oct 12 14:21 local_rules.xml.bak

>
>



Re: [ossec-list] Re: Active responce is not working

2016-02-23 Thread Pedro S
Sorry, I misclicked and sent the post.

test.sh (+x and root:ossec)

#!/bin/sh

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

# Resolve the OSSEC base directory relative to this script
# (/var/ossec/active-response/bin -> /var/ossec/active-response).
LOCAL=`dirname "$0"`
cd "$LOCAL"
cd ../
PWD=`pwd`

# Log the call with every argument execd passed in.
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log"


active-responses.log

mar feb 23 08:47:45 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246065.10321 5501 /var/log/auth.log -
mar feb 23 08:47:49 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246069.11280 5501 /var/log/auth.log -
mar feb 23 08:49:25 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246165.12583 5501 /var/log/auth.log -
mar feb 23 08:49:27 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246167.13542 5501 /var/log/auth.log -
mar feb 23 08:54:03 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246443.14673 5501 /var/log/auth.log -
mar feb 23 08:54:05 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246445.15632 5501 /var/log/auth.log -


I hope it helps,

Try to use a basic example like this and see if it is working.

Regards,

Pedro S.


On Tuesday, February 23, 2016 at 5:52:41 PM UTC+1, Pedro S wrote:
>
> Hi, 
>
> I have exactly the same files open:
>
> ossec-exe 43796root3u unix 0x8801d66cfa80 
>  0t01261890 /var/ossec/queue/alerts/execq
> ossec-ana 43800   ossec3u unix 0x8801d66cf380 
>  0t01261891 /queue/ossec/queue
> ossec-ana 43800   ossec4u  REG8,1 
>0  38583 /var/ossec/queue/fts/hostinfo
> ossec-ana 43800   ossec5u  REG8,1 
>  114  38584 /var/ossec/queue/fts/fts-queue
> ossec-ana 43800   ossec6u  REG8,1 
>0  38585 /var/ossec/queue/fts/ig-queue
>
>
> If you add some agents, you will have another file open like:
>
> ossec-rem 43375  ossecr5u unix 0x8801d674c980 
>  0t01232202 /queue/alerts/ar
> ossec-rem 43375  ossecr7u  REG8,1 
>0  38586 /var/ossec/queue/rids/001
> ossec-rem 43375  ossecr8u  REG8,1 
>5  38587 /var/ossec/queue/rids/sender_counter
>
> still not working your active-response?
>
> Here is my full test config right now:
>
> ossec.conf
> 
> test
> test.sh
> 
> no
> 
>
> 
> test
> server
> 0
> 5501
> 
>
>
>
> On Tuesday, February 23, 2016 at 2:31:06 PM UTC+1, Василий Романеев wrote:
>>
>> I tried. 
>> If I understand correctly, analysisd sends active responses to execd. 
>> Could you please run the command lsof | grep ossec | grep queue 
>> to compare with my output? 
>> Thank you! 
>>
>> root@serv-10244 [~]# lsof | grep ossec | grep queue 
>> ossec-exe  2797  root5u unix 0x88000c3ad0c00t0 
>>  270573469 /var/ossec/queue/alerts/execq 
>> ossec-ana  2803 ossec4u unix 0x8800938353800t0 
>>  270573486 /queue/ossec/queue 
>> ossec-ana  2803 ossec5u  REG9,1  0 
>>8651763 /var/ossec/queue/fts/hostinfo 
>> ossec-ana  2803 ossec6u  REG9,1102 
>>8651748 /var/ossec/queue/fts/fts-queue 
>> ossec-ana  2803 ossec7u  REG9,1  0 
>>8651749 /var/ossec/queue/fts/ig-queue 
>>
>> 2016-02-23 16:20 GMT+03:00 Pedro S: 
>> > I have been trying to replicate your situation, you can install either 
>> local 
>> > or server installation, it is working on both. 
>> > 
>> > I made it work by adding  tag into  section 
>> like 
>> > this: 
>> > 
>> >  
>> >testar 
>> >server 
>> >6 
>> >yourRuleID,yourAnotherRuleID 
>> >   
>> > 
>> > Try to specify what rules will trigger your active response. 
>> > 
>> > Remember to set groups and permissions to your script.sh 
>> > 
>> > If you need to extract srcip don't forget to set expect on command 
>> section: 
>> > 
>> >  
>> >  testar 
>> >  srcip 
>> >  testar.sh 
>> >   
>> > 
>> > 
>> > 
>> > 
>> > Regards, 
>> > 
>> > Pedro S. 
>> > 
>> > 
>> > On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com 
>> wrote: 
>> >> 
>> >> Now i haven't any whitelist. 
>> >> 
>> >> #ossec.log 
>> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response 
>> initialized 
>> >> ... 
>> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init 
>> >> completed. 
>> >> 
>> >> #Test active response: 
>> >> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action 
>> user 
>> >> src_ip alert_id rule_id agent_host filename 
>> >> root@serv-10244 [/var/ossec/active-response/bin]# cat 
>> >> ../../logs/active-responses.log 
>> >> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id 
>> >> rule_id agent_host filename 
>> >> 
>> >> Let's go from the start. 
>> >> I need to execute active responses on the same server, so I run 
>> >> ossec-configure 

Re: [ossec-list] Re: Active responce is not working

2016-02-23 Thread Pedro S
Hi, 

I have exactly the same files open:

ossec-exe 43796root3u unix 0x8801d66cfa80 
 0t01261890 /var/ossec/queue/alerts/execq
ossec-ana 43800   ossec3u unix 0x8801d66cf380 
 0t01261891 /queue/ossec/queue
ossec-ana 43800   ossec4u  REG8,1   
 0  38583 /var/ossec/queue/fts/hostinfo
ossec-ana 43800   ossec5u  REG8,1 
 114  38584 /var/ossec/queue/fts/fts-queue
ossec-ana 43800   ossec6u  REG8,1   
 0  38585 /var/ossec/queue/fts/ig-queue


If you add some agents, you will have another file open like:

ossec-rem 43375  ossecr5u unix 0x8801d674c980 
 0t01232202 /queue/alerts/ar
ossec-rem 43375  ossecr7u  REG8,1   
 0  38586 /var/ossec/queue/rids/001
ossec-rem 43375  ossecr8u  REG8,1   
 5  38587 /var/ossec/queue/rids/sender_counter

Is your active-response still not working?

Here is my full test config right now:

ossec.conf

test
test.sh

no



test
server
0
5501




On Tuesday, February 23, 2016 at 2:31:06 PM UTC+1, Василий Романеев wrote:
>
> I tried. 
> If I understand correctly, analysisd sends active responses to execd. 
> Could you please run the command lsof | grep ossec | grep queue 
> to compare with my output? 
> Thank you! 
>
> root@serv-10244 [~]# lsof | grep ossec | grep queue 
> ossec-exe  2797  root5u unix 0x88000c3ad0c00t0 
>  270573469 /var/ossec/queue/alerts/execq 
> ossec-ana  2803 ossec4u unix 0x8800938353800t0 
>  270573486 /queue/ossec/queue 
> ossec-ana  2803 ossec5u  REG9,1  0 
>8651763 /var/ossec/queue/fts/hostinfo 
> ossec-ana  2803 ossec6u  REG9,1102 
>8651748 /var/ossec/queue/fts/fts-queue 
> ossec-ana  2803 ossec7u  REG9,1  0 
>8651749 /var/ossec/queue/fts/ig-queue 
>
> 2016-02-23 16:20 GMT+03:00 Pedro S: 
> > I have been trying to replicate your situation, you can install either 
> local 
> > or server installation, it is working on both. 
> > 
> > I made it work by adding  tag into  section 
> like 
> > this: 
> > 
> >  
> >testar 
> >server 
> >6 
> >yourRuleID,yourAnotherRuleID 
> >   
> > 
> > Try to specify what rules will trigger your active response. 
> > 
> > Remember to set groups and permissions to your script.sh 
> > 
> > If you need to extract srcip don't forget to set expect on command 
> section: 
> > 
> >  
> >  testar 
> >  srcip 
> >  testar.sh 
> >   
> > 
> > 
> > 
> > 
> > Regards, 
> > 
> > Pedro S. 
> > 
> > 
> > On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com 
> wrote: 
> >> 
> >> Now i haven't any whitelist. 
> >> 
> >> #ossec.log 
> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized 
> >> ... 
> >> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init 
> >> completed. 
> >> 
> >> #Test active response: 
> >> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action 
> user 
> >> src_ip alert_id rule_id agent_host filename 
> >> root@serv-10244 [/var/ossec/active-response/bin]# cat 
> >> ../../logs/active-responses.log 
> >> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id 
> >> rule_id agent_host filename 
> >> 
> >> Let's go from the start. 
> >> I need to execute active responses on the same server, so I run 
> >> ossec-configure and there select installation type "local" and active 
> >> responses enabled "yes" 
> >> Next i add active response 
> >> 
> >>
> >> testar 
> >>  
> >> testar.sh 
> >>
> >> 
> >>
> >> testar 
> >> all 
> >> 6 
> >>
> >> 
> >> But active responses are still not executed. 
> >> 
> >> 
> >>> Hi, 
> >>> 
> >>> The daemon in charge of executing active-response scripts is 
> >>> "ossec-execd", I think your conf is good, active-response should be 
> active 
> >>> and working, try to force some response and check active-response.log. 
> >>> 
> >>> Check ossec.log for entries like: 
> >>> 
> >>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for 
> >>> active response. 
> >>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white 
> >>> list for active response. 
> >>> 
> >>> 
> >>> 
> >>> If you really want to check if active-response is active, try this: 
> >>> 
> >>> Enable debug mode: 
> >>> /var/ossec/bin/ossec-control enable debug 
> >>> 
> >>> Restart OSSEC and check for line: 
> >>> 
> >>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response 
> initialized 
> >>> ... 
> >>> 
> >>> The scripts should be placed on /var/ossec/active-response/bin with 
> >>> execution permissions. 
> >>> 
> >>> Regards, 
> >>> 
> >>> Pedro S. 
> >>> 
> >>> 
> >>> On 

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Barry Kaplan
Seems that wazuh already has a decoder and rules for active-response. (Not 
sure if these are also in ossec proper)

https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/ossec_rules.xml



Re: [ossec-list] Re: Active responce is not working

2016-02-23 Thread Василий Романеев
I tried.
If I understand correctly, analysisd sends active responses to execd.
Could you please run the command lsof | grep ossec | grep queue
to compare with my output?
Thank you!

root@serv-10244 [~]# lsof | grep ossec | grep queue
ossec-exe  2797  root5u unix 0x88000c3ad0c00t0
 270573469 /var/ossec/queue/alerts/execq
ossec-ana  2803 ossec4u unix 0x8800938353800t0
 270573486 /queue/ossec/queue
ossec-ana  2803 ossec5u  REG9,1  0
   8651763 /var/ossec/queue/fts/hostinfo
ossec-ana  2803 ossec6u  REG9,1102
   8651748 /var/ossec/queue/fts/fts-queue
ossec-ana  2803 ossec7u  REG9,1  0
   8651749 /var/ossec/queue/fts/ig-queue

2016-02-23 16:20 GMT+03:00 Pedro S:
> I have been trying to replicate your situation, you can install either local
> or server installation, it is working on both.
>
> I made it work by adding  tag into  section like
> this:
>
> 
>testar
>server
>6
>yourRuleID,yourAnotherRuleID
>  
>
> Try to specify what rules will trigger your active response.
>
> Remember to set groups and permissions to your script.sh
>
> If you need to extract srcip don't forget to set expect on command section:
>
> 
>  testar
>  srcip
>  testar.sh
>  
>
>
>
>
> Regards,
>
> Pedro S.
>
>
> On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com wrote:
>>
>> Now i haven't any whitelist.
>>
>> #ossec.log
>> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized
>> ...
>> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init
>> completed.
>>
>> #Test active response:
>> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user
>> src_ip alert_id rule_id agent_host filename
>> root@serv-10244 [/var/ossec/active-response/bin]# cat
>> ../../logs/active-responses.log
>> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id
>> rule_id agent_host filename
>>
>> Let's go from the start.
>> I need to execute active responses on the same server, so I run
>> ossec-configure and there select installation type "local" and active
>> responses enabled "yes"
>> Next i add active response
>>
>>   
>> testar
>> 
>> testar.sh
>>   
>>
>>   
>> testar
>> all
>> 6
>>   
>>
>> But active responses are still not executed.
>>
>>
>>> Hi,
>>>
>>> The daemon in charge of executing active-response scripts is
>>> "ossec-execd", I think your conf is good, active-response should be active
>>> and working, try to force some response and check active-response.log.
>>>
>>> Check ossec.log for entries like:
>>>
>>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for
>>> active response.
>>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white
>>> list for active response.
>>>
>>>
>>>
>>> If you really want to check if active-response is active, try this:
>>>
>>> Enable debug mode:
>>> /var/ossec/bin/ossec-control enable debug
>>>
>>> Restart OSSEC and check for line:
>>>
>>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized
>>> ...
>>>
>>> The scripts should be placed on /var/ossec/active-response/bin with
>>> execution permissions.
>>>
>>> Regards,
>>>
>>> Pedro S.
>>>
>>>
>>> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com
>>> wrote:

 Why are active responses not working?
 I receive the email notification, but the active response has not started.
 What may have caused the problem?

 #etc/shared/ar.conf:
 restart-ossec0 - restart-ossec.sh - 0
 restart-ossec0 - restart-ossec.cmd - 0
 testar0 - testar.sh - 0
 slack0 - slack.py - 0


 #alert.log
 ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
 Rule: 5715 (level 7) -> 'SSHD authentication success.'
 Src IP: 104.131.225.112
 User: root
 Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from
 104.131.225.112 port 47280 ssh2

 #ossec.conf
   
 testar
 
 testar.sh
   

   
 slack
 user,srcip
 slack.py
   

   
 testar
 local
 5715,11309
   


   
 slack
 local
 5715,11309
   


 #ossec.log:
 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit
 Cleaning...
 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received.
 Exit Cleaning...
 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit
 Cleaning...
 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
 Cleaning...
 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit
 Cleaning...
 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit
 Cleaning...
 2016/02/23 

[ossec-list] Re: Active responce is not working

2016-02-23 Thread Pedro S
I have been trying to replicate your situation; you can use either a local 
or a server installation, and it is working on both. 

I made it work by adding  tag into  section like 
this:


   testar
   *server*
   6
   <*rules_id*>yourRuleID,yourAnotherRuleID
 

Try to specify what rules will trigger your active response.

Remember to set groups and permissions to your *script.sh*

If you need to extract srcip, don't forget to set *expect* on the command 
section:


 testar
 srcip
 testar.sh
 




Regards,

Pedro S.


On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com wrote:
>
> Now i haven't any whitelist.
>
> #ossec.log
> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ...
> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.
>
> #Test active response: 
> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user 
> src_ip alert_id rule_id agent_host filename
> root@serv-10244 [/var/ossec/active-response/bin]# cat 
> ../../logs/active-responses.log
> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id 
> rule_id agent_host filename 
>
> Let's go from the start.
> I need to execute active responses on the same server, so I run 
> ossec-configure and there select installation type "local" and active 
> responses enabled "yes"
> Next i add active response 
>
>   
> testar
> 
> testar.sh
>   
>
>   
> testar
> all
> 6
>   
>
> But active responses are still not executed.
>
>
> Hi,
>>
>> The daemon in charge of executing active-response scripts is 
>> *"ossec-execd",* I think your conf is good*,* active-response should be 
>> active and working, try to force some response and check 
>> active-response.log.
>>
>> Check ossec.log for entries like:
>>
>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for 
>> active response.
>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white 
>> list for active response.
>>
>>
>>
>> If you really want to check if active-response is active, try this:
>>
>> Enable debug mode:
>> /var/ossec/bin/ossec-control enable debug
>>
>> Restart OSSEC and check for line:
>>
>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized 
>> ...
>>
>> The scripts should be placed on /var/ossec/active-response/bin with 
>> execution permissions.
>>
>> Regards,
>>
>> Pedro S.
>>
>>
>> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com 
>> wrote:
>>>
>>> Why are active responses not working?
>>> I receive the email notification, but the active response has not started.
>>> What may have caused the problem?
>>>
>>> #etc/shared/ar.conf:
>>> restart-ossec0 - restart-ossec.sh - 0
>>> restart-ossec0 - restart-ossec.cmd - 0
>>> testar0 - testar.sh - 0
>>> slack0 - slack.py - 0
>>>
>>>
>>> #alert.log
>>> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
>>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>>> Src IP: 104.131.225.112
>>> User: root
>>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 
>>> 104.131.225.112 port 47280 ssh2
>>>
>>> #ossec.conf
>>>   
>>> testar
>>> 
>>> testar.sh
>>>   
>>>
>>>   
>>> slack
>>> user,srcip
>>> slack.py
>>>   
>>>
>>>   
>>> testar
>>> local
>>> 5715,11309
>>>   
>>>
>>>
>>>   
>>> slack
>>> local
>>> 5715,11309
>>>   
>>>
>>>
>>> #ossec.log:
>>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. 
>>> Exit Cleaning...
>>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting 
>>> responses.
>>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
>>> 'sshd_rules.xml'
>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
>>> 'local_rules.xml'
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'

[ossec-list] Re: Active responce is not working

2016-02-23 Thread bazz
Now i haven't any whitelist.

#ossec.log
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ...
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.

#Test active response: 
root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user 
src_ip alert_id rule_id agent_host filename
root@serv-10244 [/var/ossec/active-response/bin]# cat 
../../logs/active-responses.log
Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id 
rule_id agent_host filename 

Let's go from the start.
I need to execute active responses on the same server, so I run 
ossec-configure and there select installation type "local" and active 
responses enabled "yes"
Next i add active response 

  
testar

testar.sh
  

  
testar
all
6
  

But active responses are still not executed.


Hi,
>
> The daemon in charge of executing active-response scripts is 
> *"ossec-execd",* I think your conf is good*,* active-response should be 
> active and working, try to force some response and check 
> active-response.log.
>
> Check ossec.log for entries like:
>
> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for 
> active response.
> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list 
> for active response.
>
>
>
> If you really want to check if active-response is active, try this:
>
> Enable debug mode:
> /var/ossec/bin/ossec-control enable debug
>
> Restart OSSEC and check for line:
>
> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ...
>
> The scripts should be placed on /var/ossec/active-response/bin with 
> execution permissions.
>
> Regards,
>
> Pedro S.
>
>
> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com 
> wrote:
>>
>> Why are active responses not working?
>> I receive the email notification, but the active response has not started.
>> What may have caused the problem?
>>
>> #etc/shared/ar.conf:
>> restart-ossec0 - restart-ossec.sh - 0
>> restart-ossec0 - restart-ossec.cmd - 0
>> testar0 - testar.sh - 0
>> slack0 - slack.py - 0
>>
>>
>> #alert.log
>> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>> Src IP: 104.131.225.112
>> User: root
>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 
>> 104.131.225.112 port 47280 ssh2
>>
>> #ossec.conf
>>   
>> testar
>> 
>> testar.sh
>>   
>>
>>   
>> slack
>> user,srcip
>> slack.py
>>   
>>
>>   
>> testar
>> local
>> 5715,11309
>>   
>>
>>
>>   
>> slack
>> local
>> 5715,11309
>>   
>>
>>
>> #ossec.log:
>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting 
>> responses.
>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit 
>> Cleaning...
>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
>> 'sshd_rules.xml'
>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
>> 'local_rules.xml'
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents 
>> allowed: '256'.
>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication 
>> keys file.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available 
>> for 'local'.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent 
>> local: '0:0'.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
>> '/var/log/messages'.
>> 2016/02/23 05:11:21 

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread dan (ddp)
On Feb 23, 2016 12:42 AM, "Barry Kaplan"  wrote:
>
> So I'm confused then. The server decided to initiate these actions on the
client, no? The server rules are what decided those actions. Should the
server not log that it took this action, given the elevated level of the
rules? I feel I am missing something in my understanding.
>

I wouldn't mind that. You can submit a pull request on the github repo.

> -barry
>



[ossec-list] Re: Active responce is not working

2016-02-23 Thread Pedro S
Hi,

The daemon in charge of executing active-response scripts is 
*"ossec-execd",* I think your conf is good*,* active-response should be 
active and working, try to force some response and check 
active-response.log.

Check ossec.log for entries like:

2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for 
active response.
2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list 
for active response.



If you really want to check if active-response is active, try this:

Enable debug mode:
/var/ossec/bin/ossec-control enable debug

Restart OSSEC and check for line:

2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ...

The scripts should be placed on /var/ossec/active-response/bin with 
execution permissions.

Regards,

Pedro S.


On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com wrote:
>
> Why are active responses not working?
> I receive the email notification, but the active response has not started.
> What may have caused the problem?
>
> #etc/shared/ar.conf:
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> testar0 - testar.sh - 0
> slack0 - slack.py - 0
>
>
> #alert.log
> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
> Rule: 5715 (level 7) -> 'SSHD authentication success.'
> Src IP: 104.131.225.112
> User: root
> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 
> 104.131.225.112 port 47280 ssh2
>
> #ossec.conf
>   
> testar
> 
> testar.sh
>   
>
>   
> slack
> user,srcip
> slack.py
>   
>
>   
> testar
> local
> 5715,11309
>   
>
>
>   
> slack
> local
> 5715,11309
>   
>
>
> #ossec.log:
> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting 
> responses.
> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit 
> Cleaning...
> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
> 'sshd_rules.xml'
> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
> 'local_rules.xml'
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '256'.
> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys 
> file.
> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 
> 'local'.
> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent 
> local: '0:0'.
> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/messages'.
> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/secure'.
> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: 
> '/home/woodwork/public_html'.
>
>
> # ps ax | grep ossec
> 15176 ?S  0:00 /var/ossec/bin/ossec-maild
> 15180 ?S  0:00 /var/ossec/bin/ossec-execd
> 15184 ?S  0:00 /var/ossec/bin/ossec-analysisd
> 15188 ?S  0:00 /var/ossec/bin/ossec-logcollector
> 15193 ?Sl 0:00 /var/ossec/bin/ossec-remoted
> 15215 ?S  0:00 /var/ossec/bin/ossec-syscheckd
> 15219 ?S  0:00 /var/ossec/bin/ossec-monitord
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 

Re: [ossec-list] Removing agent by deleting line in client.keys?

2016-02-23 Thread Barry Kaplan
Ok, thanks Pedro. I have changed the role to use 'manage_agents -r' and to 
restart the ossec server. Much nicer.



Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Hi Barry,

If you want to see the rules generated by active response you must watch 
the active response log (as Dan said):
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

Now, you will see in archives.log (with option yes) the 
log received:
2016 Feb 23 10:59:06 LinMV->/var/ossec/logs/active-responses.log Tue Feb 23 
10:59:04 UTC 2016 /var/ossec/active-response/bin/x.sh add - - 
1456225144.17818 RULEID

Then, if that log matches with some rule, you will see the alert in alerts.log.

It's up to you to generate rules to track the active responses.

I hope that helps.

Regards.
Jesus Linares.


On Tuesday, February 23, 2016 at 6:42:45 AM UTC+1, Barry Kaplan wrote:
>
> So I'm confused then. The server decided to initiate these actions on the 
> client, no? The server rules are what decided those actions. Should the 
> server not log that it took this action, given the elevated level of the 
> rules? I feel I am missing something understanding.
>
> -barry
>



[ossec-list] Re: clamav?

2016-02-23 Thread Barry Kaplan

On Tuesday, February 23, 2016 at 3:40:29 PM UTC+5:30, Jesus Linares wrote:

> It seems your solution is working, but I give you other possible ways to 
> write in syslog:
>
> - freshclam: edit */etc/clamav/freshclam.conf* and set "LogSyslog yes"

I had thought that freshclam (which is running as a service from the apt 
package) was already logging to syslog, but I see that it is not.

> - clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE 
> --stdout | logger -i -t clamav

Very nice, I was not aware of logger. I will change over to this. (FYI, 
the ossec decoder expects the program to be 'clamd' not 'clamav'.)

> - clamd: I think, clamd writes in syslog by default.

Yes, this is what I started with, using clamdscan instead. But clamd runs 
as the clamav user, and hence did not have privs to see pretty much anything. I 
tried configuring apparmor to give it access to specified directories but that 
did not seem to work. 

thanks much Jesus



Re: [ossec-list] Removing agent by deleting line in client.keys?

2016-02-23 Thread Pedro S
Hi Barry,

You can run manage_agents with option "-r" and it will remove an agent, so 
you can create some scripts to automate the process.

/var/ossec/bin/manage_agents -r AGENTID


OSSEC internally keeps a hash table built from client.keys, so whether you 
remove the agent manually from client.keys or use manage_agents -r, in both 
cases you will need to restart the OSSEC manager to apply the changes.

 

On Monday, February 22, 2016 at 7:21:57 AM UTC+1, Barry Kaplan wrote:
>
> Thanks! Of course it would be much nicer manage_agents was a little nicer 
> to automation...
>
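
One way to script what Pedro describes, as an added example (not code from the thread or from OSSEC itself): look the agent id up in client.keys first, remove it with manage_agents -r, then restart the manager so its in-memory table is rebuilt from the file. OSSEC_HOME and KEYS_FILE are assumed defaults and can be overridden.

```shell
#!/bin/sh
# Added example, not from the thread: remove an agent the supported way
# (manage_agents -r) and restart the manager, because the manager keeps its
# own in-memory copy of client.keys and only re-reads the file on restart.
# OSSEC_HOME and KEYS_FILE are assumed defaults; override them for testing.

OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"
KEYS_FILE="${KEYS_FILE:-$OSSEC_HOME/etc/client.keys}"

# client.keys holds one "ID NAME IP KEY" line per agent. Print the agent
# name for an id; fail (non-zero) when the id is not listed.
agent_name() {
    awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }' "$KEYS_FILE"
}

# Number of agents currently listed (only lines that start with an id).
agent_count() {
    awk '/^[0-9]/ { n++ } END { print n + 0 }' "$KEYS_FILE"
}

# Remove one agent by id and restart the manager so the change takes effect.
remove_agent() {
    id="$1"
    name=$(agent_name "$id") || { echo "agent id $id not in $KEYS_FILE" >&2; return 1; }
    echo "removing agent $id ($name)"
    "$OSSEC_HOME/bin/manage_agents" -r "$id" || return 1
    # manage_agents rewrites client.keys; the running manager still has the
    # old table until it is restarted
    "$OSSEC_HOME/bin/ossec-control" restart
}
```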



[ossec-list] Active response is not working

2016-02-23 Thread bazz
Why is active-response not working?
I receive the email notification, but the active response has not started.
What may have caused the problem?

#etc/shared/ar.conf:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
testar0 - testar.sh - 0
slack0 - slack.py - 0


#alert.log
** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
2016 Feb 23 05:16:13 serv-10244->/var/log/secure
Rule: 5715 (level 7) -> 'SSHD authentication success.'
Src IP: 104.131.225.112
User: root
Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 
104.131.225.112 port 47280 ssh2

#ossec.conf
  <command>
    <name>testar</name>
    <expect></expect>
    <executable>testar.sh</executable>
  </command>

  <command>
    <name>slack</name>
    <expect>user,srcip</expect>
    <executable>slack.py</executable>
  </command>

  <active-response>
    <command>testar</command>
    <location>local</location>
    <rules_id>5715,11309</rules_id>
  </active-response>


  <active-response>
    <command>slack</command>
    <location>local</location>
    <rules_id>5715,11309</rules_id>
  </active-response>


#ossec.log:
2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting 
responses.
2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
'local_rules.xml'
2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents 
allowed: '256'.
2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys 
file.
2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 
'local'.
2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: 
'0:0'.
2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/messages'.
2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/secure'.
2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: 
'/home/woodwork/public_html'.


# ps ax | grep ossec
15176 ?S  0:00 /var/ossec/bin/ossec-maild
15180 ?S  0:00 /var/ossec/bin/ossec-execd
15184 ?S  0:00 /var/ossec/bin/ossec-analysisd
15188 ?S  0:00 /var/ossec/bin/ossec-logcollector
15193 ?Sl 0:00 /var/ossec/bin/ossec-remoted
15215 ?S  0:00 /var/ossec/bin/ossec-syscheckd
15219 ?S  0:00 /var/ossec/bin/ossec-monitord



[ossec-list] Re: clamav?

2016-02-23 Thread Jesus Linares
Hi Barry,

It seems your solution is working, but I give you other possible ways to 
write in syslog:

   - freshclam: edit */etc/clamav/freshclam.conf* and set "LogSyslog yes"
   - clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav
     - Example: clamscan --infected -r /usr/share/clamav-testfiles --log=/var/log/clamav/clamav.log --stdout | *logger -i -t clamd*
   - clamd: I think, clamd writes in syslog by default.

Regards.
Jesus Linares.

On Tuesday, February 23, 2016 at 9:10:34 AM UTC+1, Barry Kaplan wrote:
>
> Looks like the clamav rules are just fine. 
>
> Only the clamav daemon writes to syslog. So I added a rsyslog config:
>
> $ModLoad imfile
>
> $InputFileName {{ clamav_scan_log_file }}
> $InputFileTag clamd:
> $InputFileStateFile stat-{{ clamav_scan_log_file }}
>
> $InputFileSeverity error
> $InputFileFacility local7
> $InputRunFileMonitor
>
>
> Then some cron jobs to run clamscan on directories, eg (where I have the 
> EICAR test signature file in /tmp):
>
> clamscan --log=/var/log/clamav/clamav.log --no-summary --infected --remove=no --recursive=yes /tmp
>
> And magically I get alerts in OSSEC. Very very nice.
>
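
An added example (not from the thread, ClamAV or OSSEC) putting Jesus's logger pipeline together with Barry's remark that the OSSEC decoder expects the program name 'clamd': a wrapper that runs the scan, sends only the FOUND lines to syslog under that tag, and logs scanner errors instead of letting a failed scan look like a clean one. SCAN_DIR, SCAN_LOG and the overridable CLAMSCAN/LOGGER variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: run clamscan and hand only its
# findings to syslog under the "clamd" tag (Barry notes the OSSEC decoder
# keys on that program name, not "clamav"). SCAN_DIR and SCAN_LOG are
# assumed values; CLAMSCAN and LOGGER can be pointed at stubs for testing.

SCAN_DIR="${SCAN_DIR:-/tmp}"
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/clamav.log}"
CLAMSCAN="${CLAMSCAN:-clamscan}"
LOGGER="${LOGGER:-logger}"

# Keep only "<path>: <signature> FOUND" lines from clamscan output on stdin.
found_lines() {
    grep ' FOUND$' || true
}

# Number of infected files reported (clamscan prints one FOUND line per file).
count_found() {
    found_lines | wc -l | tr -d ' '
}

# clamscan exit status: 0 = nothing found, 1 = something found, other = error.
scan_status_text() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error" ;;
    esac
}

# Scan, log findings with the clamd tag, and report scanner errors too,
# so a broken scan does not silently pass as a clean run.
run_scan() {
    rc=0
    out=$("$CLAMSCAN" --infected --no-summary -r --log="$SCAN_LOG" \
          --stdout "$SCAN_DIR") || rc=$?
    case "$(scan_status_text "$rc")" in
        infected)
            # tag is clamd so the line decodes like clamd's own syslog output
            printf '%s\n' "$out" | found_lines | "$LOGGER" -i -t clamd ;;
        error)
            "$LOGGER" -i -t clamd "clamscan of $SCAN_DIR failed with exit code $rc" ;;
    esac
    return "$rc"
}
```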



[ossec-list] Re: How to group Syscheck notifications

2016-02-23 Thread bazz
Thank you so much for the great answer!

Hi again,
>
> About getting a list of all modified files, you can execute 
> syscheck_control binary to get a list of file by agent,day:
>
> /var/ossec/bin/syscheck_control -i AGENTID
>
>
> So your active-response script can periodically check that command output 
> and look for today changes, the bad thing about this command is you need to 
> filter for one specific agent.
>



[ossec-list] Re: clamav?

2016-02-23 Thread Barry Kaplan
Looks like the clamav rules are just fine. 

Only the clamav daemon writes to syslog. So I added a rsyslog config:

$ModLoad imfile

$InputFileName {{ clamav_scan_log_file }}
$InputFileTag clamd:
$InputFileStateFile stat-{{ clamav_scan_log_file }}

$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor


Then some cron jobs to run clamscan on directories, eg (where I have the 
EICAR test signature file in /tmp):

clamscan --log=/var/log/clamav/clamav.log --no-summary --infected --remove=no --recursive=yes /tmp

And magically I get alerts in OSSEC. Very very nice.
