Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Eduardo Reichert Figueiredo
Hi,
I will try enabling this feature on my RHEL system; after testing I will notify you.

Thanks.

On Thursday, March 23, 2017 at 15:37:50 UTC-3, Victor Fernandez wrote:
>
> Hi Eduardo, 
>
> I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your 
>  configuration and it worked. But when I disabled IPv6 I got the 
> same errors you have.
>
> Please try to enable IPv6 on the running system with:
>
> # 0 re-enables IPv6 (1 would disable it)
> sysctl -w net.ipv6.conf.all.disable_ipv6=0
> sysctl -w net.ipv6.conf.default.disable_ipv6=0
>
>
> And try to start OSSEC. If it works, consider enabling IPv6 permanently by 
> editing file */etc/sysctl.conf*.
>
> Hope it helps. If I find another way to run OSSEC with IPv6 disabled I will 
> let you know.
>
> Best regards.
>
> On Thu, Mar 23, 2017 at 11:19 AM, dan (ddp) wrote:
>
>> On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo
>>  wrote:
>> > Hi Dan, I don't have IPv6 enabled on my Linux system, so I don't have
>> > inet6 in my ifconfig configuration, only IPv4.
>> >
>> > Could this be causing the problem?
>> >
>>
>> I think having ipv6 support is necessary now. You don't need to have
>> addresses or anything, but the facilities need to be available.
>>
>> > On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo
>> >>  wrote:
>> >> > When I install OSSEC 2.9.0 on RHEL 7.3 (no IPv6 feature or address) I have
>> >>
>> >> Is IPv6 totally disabled for your system (support for IPv6 was 
>> removed)?
>> >>
>> >> > a problem with ossec-remoted and ossec-authd: these services can't bind
>> >> > port 1514; the log errors are below.
>> >> > I generated my certificate with the commands "openssl genrsa -out" and
>> >> > "openssl req -new -x509 -key ".
>> >> >
>> >> > ##Log OSSEC.LOG
>> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
>> >> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from:
>> >> > '0.0.0.0/0'
>> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
>> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port
>> >> > '1514'
>> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port
>> >> > '514'
>> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan
>> >> > (forwarding database).
>> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database
>> >> > (pre-scan).
>> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
>> >> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
>> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
>> >> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
>> >> >
>> >> > In other cases of being unable to bind port 1514, the cause was my
>> >> > client.keys, but now I have a new error, "getaddrinfo".
>> >> >
>> >> > Can you help me?
>> >> >
>> >> > Kind regards
>> >> >
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Custom decoder & rule not working

2017-03-23 Thread Victor Fernandez
Hi Martin,

The problem is that this log also matches rule 2501 (from syslog), which
has level 5. Since your rule 100201 has level 1, OSSEC discards it in favor
of rule 2501.

So if you increase the level to 6, it should work:

 app.ERROR Multiple login attempts bepark.eu/fr/connexion   100201
  Multiple login attempts
bepark.eu/fr/connexion authentication_failures,



Hope it helps.

Best regards.


On Thu, Mar 23, 2017 at 9:37 AM, Martin wrote:

> Hello,
>
> I have this kind of log coming from a custom app
>
>>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP:
>> 172.17.0.1 [] []
>
>
> I'm trying to block an IP with too many authentication failures.
>
> So I made a custom decoder, which is working:
>
> 
>   ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 
> 
>
>
> 
>   app.ERROR
>   ^app.ERROR: \.+ (\S+) for IP: (\S+)
> (\.+)\s(\.+)$
>   status,srcip,extra_data,extra_data
> 
>
> and I want these rules to work with this log.
>
> 
> app.ERROR
> Multiple login attempts bepark.eu/fr/connexion description>
>   
>
>
>   
> 100201
> 
> Multiple login attempts bepark.eu/fr/connexion description>
> authentication_failures,
>   
>
>
> But this is what I get when testing with /var/ossec/bin/ossec-logtest:
>
>
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
> [] []
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: '[2017-03-23 10:18:01] app.ERROR: Authentication
> failure for IP: 172.17.0.1 [] []'
>hostname: 'Digital-Ocean-1'
>program_name: '(null)'
>log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for
> IP: 172.17.0.1 [] []'
>
>
> **Phase 2: Completed decoding.
>decoder: 'app.ERROR'
>status: 'failure'
>srcip: '172.17.0.1'
>extra_data: '[]'
>extra_data: '[]'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
> Why are my rules not taking precedence over rule 2501?
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
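To make the explanation above concrete, here is an added Python model (not OSSEC code and not from the thread) that translates Martin's two decoder patterns from OSSEC's regex dialect into Python, decodes the quoted log line into the same fields ossec-logtest printed, and then shows which rule wins when the custom rule has level 1 versus level 6. Assumptions: stock rule 2501 is modelled as a plain text match on "authentication failure", the child regex is applied after the parent match (offset after_parent), and the punctuation set used for `\p` is approximate.

```python
import re

# Constructed sample: the log line quoted in Martin's thread.
SAMPLE_LOG = ("[2017-03-23 10:18:01] app.ERROR: "
              "Authentication failure for IP: 172.17.0.1 [] []")

# Martin's decoder patterns, in OSSEC's own regex dialect (not PCRE).
PARENT_PREMATCH = r"^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p "
CHILD_REGEX = r"^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$"
CHILD_ORDER = ["status", "srcip", "extra_data", "extra_data"]

# OSSEC escape classes mapped to Python re. The punctuation set used for \p
# is an approximation (assumption); it covers the timestamp brackets here.
_CLASSES = {
    ".": ".",                      # \. means "any character" in OSSEC
    "d": r"\d", "D": r"\D",
    "w": r"\w", "W": r"\W",
    "s": r"\s", "S": r"\S",
    "t": r"\t", "n": r"\n",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC regex into a Python one. OSSEC treats every character
    as literal except ^ $ ( ) | + * ? and backslash escapes, so anything else
    is passed through re.escape()."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(c if c in "^$()|+*?" else re.escape(c))
            i += 1
    return "".join(out)


def decode(log: str):
    """Model of the two-level decoder: the parent prematch consumes the
    timestamp, then the child regex runs on the remainder (offset after_parent,
    the only way the anchored ^app.ERROR pattern can match). A field name that
    appears twice (extra_data) collects both values, as ossec-logtest shows."""
    pre = re.match(ossec_to_python(PARENT_PREMATCH), log)
    if not pre:
        return None
    m = re.match(ossec_to_python(CHILD_REGEX), log[pre.end():])
    if not m:
        return None
    fields = {}
    for name, value in zip(CHILD_ORDER, m.groups()):
        fields.setdefault(name, []).append(value)
    return fields


def matching_rules(log: str, custom_level: int):
    """Candidate rules for one event. Stock rule 2501 (level 5) is modelled as
    a case-insensitive text match on 'authentication failure' (assumption);
    the custom rule 100201 fires on anything decoded as app.ERROR, and its
    level is the knob the thread is about."""
    rules = []
    if re.search(r"authentication failure", log, re.IGNORECASE):
        rules.append({"id": 2501, "level": 5,
                      "description": "User authentication failure."})
    if decode(log) is not None:
        rules.append({"id": 100201, "level": custom_level,
                      "description": "Multiple login attempts customapp"})
    return rules


def winning_rule(log: str, custom_level: int):
    """Simplified model of the behaviour Victor describes: when several rules
    match the same event, the highest-level one becomes the alert."""
    rules = matching_rules(log, custom_level)
    return max(rules, key=lambda r: r["level"]) if rules else None


if __name__ == "__main__":
    print(decode(SAMPLE_LOG))
    print("custom level 1 ->", winning_rule(SAMPLE_LOG, 1)["id"])   # 2501
    print("custom level 6 ->", winning_rule(SAMPLE_LOG, 6)["id"])   # 100201
```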



Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Victor Fernandez
Hi Eduardo,

I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your
 configuration and it worked. But when I disabled IPv6 I got the
same errors you have.

Please try to enable IPv6 on the running system with:

# 0 re-enables IPv6 (1 would disable it)
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0


And try to start OSSEC. If it works, consider enabling IPv6 permanently by
editing file */etc/sysctl.conf*.

Hope it helps. If I find another way to run OSSEC with IPv6 disabled I will
let you know.

Best regards.

On Thu, Mar 23, 2017 at 11:19 AM, dan (ddp) wrote:

> On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo
>  wrote:
> > Hi Dan, I don't have IPv6 enabled on my Linux system, so I don't have
> > inet6 in my ifconfig configuration, only IPv4.
> >
> > Could this be causing the problem?
> >
>
> I think having ipv6 support is necessary now. You don't need to have
> addresses or anything, but the facilities need to be available.
>
> > On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
> >>
> >> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo
> >>  wrote:
> >> > When I install OSSEC 2.9.0 on RHEL 7.3 (no IPv6 feature or address) I have
> >>
> >> Is IPv6 totally disabled for your system (support for IPv6 was removed)?
> >>
> >> > a problem with ossec-remoted and ossec-authd: these services can't bind
> >> > port 1514; the log errors are below.
> >> > I generated my certificate with the commands "openssl genrsa -out" and
> >> > "openssl req -new -x509 -key ".
> >> >
> >> > ##Log OSSEC.LOG
> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
> >> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from:
> >> > '0.0.0.0/0'
> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port
> >> > '1514'
> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port
> >> > '514'
> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan
> >> > (forwarding database).
> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database
> >> > (pre-scan).
> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
> >> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
> >> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
> >> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
> >> >
> >> > In other cases of being unable to bind port 1514, the cause was my
> >> > client.keys, but now I have a new error, "getaddrinfo".
> >> >
> >> > Can you help me?
> >> >
> >> > Kind regards
> >> >
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.



Re: [ossec-list] Re: Modify rules

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote:
> I went with the first option. It works as expected, but now I need to adjust the
> number of fails before the IP is blocked. Where do I do that?
>

Try using 5720 for the rule to trigger active response. It looks for
8+ instances by default.

>
> On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>>
>> I am new to OSSEC and I am trying to figure out the best way to
>> change a rule. In ossec.conf it says this:
>>
>>> 
>>>   
>>> 
>>> host-deny
>>> local
>>> 6
>>> 600
>>>   
>>
>>
>>
>>
>> I am assuming the level it is referring to is the level set in the
>> rule XML. So sshd_rules.xml has this line:
>>>
>>>
>>> 
>>> 5700
>>> ^Failed|^error: PAM: Authentication
>>> SSHD authentication failed.
>>> authentication_failed,
>>>
>>>   
>>
>>
>>
>> When testing failed ssh logins I see the alert in the alert.log for the
>> rule above. How should I go about changing the level to 6 so it will get
>> blocked? I tried editing the sshd_rules.xml but get the read only warning.
>


Re: [ossec-list] Custom decoder & rules not working

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote:
> Hello,
>
> I have this kind of log coming from a custom app
>>
>>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
>> [] []
>
>
> I'm trying to block an IP with too many authentication failures.
>
> So I made a custom decoder, which is working:
>
> 
>   ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 
> 
>
>
> 
>   app.ERROR
>   ^app.ERROR: \.+ (\S+) for IP: (\S+)
> (\.+)\s(\.+)$
>   status,srcip,extra_data,extra_data
> 
>
> and I want these rules to work with this log.
>
> 
> app.ERROR
> Multiple login attempts customapp
>   
>
>
>   
> 100201
> 
> Multiple login attempts customapp
> authentication_failures,
>   
>
>
> But this is what I get when testing with /var/ossec/bin/ossec-logtest:
>
>
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
> [] []
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure
> for IP: 172.17.0.1 [] []'
>hostname: 'Digital-Ocean-1'
>program_name: '(null)'
>log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP:
> 172.17.0.1 [] []'
>
>
> **Phase 2: Completed decoding.
>decoder: 'app.ERROR'
>status: 'failure'
>srcip: '172.17.0.1'
>extra_data: '[]'
>extra_data: '[]'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
> Why are my rules not taking precedence over rule 2501?
>


2501 is probably evaluated first.
You can add an 2501 to your first rule to help it match.


Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote:
> Hi Dan, I don't have IPv6 enabled on my Linux system, so I don't have inet6 in
> my ifconfig configuration, only IPv4.
>
> Could this be causing the problem?
>

I think having ipv6 support is necessary now. You don't need to have
addresses or anything, but the facilities need to be available.

> On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>>
>> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo
>>  wrote:
>> > When I install OSSEC 2.9.0 on RHEL 7.3 (no IPv6 feature or address) I have
>>
>> Is IPv6 totally disabled for your system (support for IPv6 was removed)?
>>
>> > a problem with ossec-remoted and ossec-authd: these services can't bind
>> > port 1514; the log errors are below.
>> > I generated my certificate with the commands "openssl genrsa -out" and
>> > "openssl req -new -x509 -key ".
>> >
>> > ##Log OSSEC.LOG
>> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
>> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from:
>> > '0.0.0.0/0'
>> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
>> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port
>> > '1514'
>> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port
>> > '514'
>> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan
>> > (forwarding database).
>> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database
>> > (pre-scan).
>> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
>> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
>> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
>> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
>> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
>> >
>> > In other cases of being unable to bind port 1514, the cause was my
>> > client.keys, but now I have a new error, "getaddrinfo".
>> >
>> > Can you help me?
>> >
>> > Kind regards
>> >


Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Eduardo Reichert Figueiredo
Hi Dan, I don't have IPv6 enabled on my Linux system, so I don't have inet6
in my ifconfig configuration, only IPv4.

Could this be causing the problem?

On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>
> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo 
>  wrote: 
> > When I install OSSEC 2.9.0 on RHEL 7.3 (no IPv6 feature or address) I have
>
> Is IPv6 totally disabled for your system (support for IPv6 was removed)? 
>
> > a problem with ossec-remoted and ossec-authd: these services can't bind
> > port 1514; the log errors are below.
> > I generated my certificate with the commands "openssl genrsa -out" and
> > "openssl req -new -x509 -key ".
> > 
> > ##Log OSSEC.LOG 
> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'. 
> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '
> 0.0.0.0/0' 
> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'. 
> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known 
> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known 
> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port 
> '1514' 
> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port 
> '514' 
> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database 
> > (pre-scan). 
> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ... 
> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420). 
> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server. 
> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known 
> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514 
> > 
> > In other cases of being unable to bind port 1514, the cause was my
> > client.keys, but now I have a new error, "getaddrinfo".
> > 
> > Can you help me? 
> > 
> > Kind regards 
> > 


[ossec-list] Custom decoder & rules not working

2017-03-23 Thread Martin
Hello,

I have this kind of log coming from a custom app

>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
> [] []


I'm trying to block an IP with too many authentication failures.

So I made a custom decoder, which is working:


  ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 




  app.ERROR
  ^app.ERROR: \.+ (\S+) for IP: (\S+) 
(\.+)\s(\.+)$
  status,srcip,extra_data,extra_data


and I want these rules to work with this log.


app.ERROR
Multiple login attempts customapp
  


  
100201

Multiple login attempts customapp
authentication_failures,
  


But this is what I get when testing with /var/ossec/bin/ossec-logtest:



[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
[] []




**Phase 1: Completed pre-decoding.
   full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure 
for IP: 172.17.0.1 [] []'
   hostname: 'Digital-Ocean-1'
   program_name: '(null)'
   log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for 
IP: 172.17.0.1 [] []'


**Phase 2: Completed decoding.
   decoder: 'app.ERROR'
   status: 'failure'
   srcip: '172.17.0.1'
   extra_data: '[]'
   extra_data: '[]'


**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not taking precedence over rule 2501?



[ossec-list] Custom decoder & rule not working

2017-03-23 Thread Martin
Hello,

I have this kind of log coming from a custom app

>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
> [] []


I'm trying to block an IP with too many authentication failures.

So I made a custom decoder, which is working:


  ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p 




  app.ERROR
  ^app.ERROR: \.+ (\S+) for IP: (\S+) 
(\.+)\s(\.+)$
  status,srcip,extra_data,extra_data


and I want these rules to work with this log.


app.ERROR
Multiple login attempts bepark.eu/fr/connexion

  


  
100201

Multiple login attempts bepark.eu/fr/connexion

authentication_failures,
  


But this is what I get when testing with /var/ossec/bin/ossec-logtest:



[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 
[] []




**Phase 1: Completed pre-decoding.
   full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure 
for IP: 172.17.0.1 [] []'
   hostname: 'Digital-Ocean-1'
   program_name: '(null)'
   log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for 
IP: 172.17.0.1 [] []'


**Phase 2: Completed decoding.
   decoder: 'app.ERROR'
   status: 'failure'
   srcip: '172.17.0.1'
   extra_data: '[]'
   extra_data: '[]'


**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not taking precedence over rule 2501?



[ossec-list] Re: Modify rules

2017-03-23 Thread The Dude
I went with the first option. It works as expected, but now I need to adjust 
the number of fails before the IP is blocked. Where do I do that?

On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>
> I am new to OSSEC and I am trying to figure out the best way to 
> change a rule. In ossec.conf it says this:
>
> 
>>   
>> 
>> host-deny
>> local
>> 6
>> 600
>>   
>
>
>
>
> I am assuming the level it is referring to is the level set in the 
> rule XML. So sshd_rules.xml has this line:
>
>>
>> 
>> 5700
>> ^Failed|^error: PAM: Authentication
>> SSHD authentication failed.
>> authentication_failed,
>
>   
>
>  
>
> When testing failed ssh logins I see the alert in the alert.log for the 
> rule above. How should I go about changing the level to 6 so it will get 
> blocked? I tried editing the sshd_rules.xml but get the read only warning. 
>



[ossec-list] Re: Real time monitoring hidden files or hidden folder

2017-03-23 Thread Kat
I actually monitor

 /home/*.ssh,/root/.ssh

And have AR set that if a new directory appears in /home, it restarts the 
agent so it adds it to the wildcard.

On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com 
wrote:
>
> Recently, we have been trying to use OSSEC to monitor ~/.ssh/authorized_keys in 
> real time. But it seems it only works for the periodic system integrity check, 
> not in real time. I checked the /var/ossec/queue/diff folder; it recorded all 
> the changes under that folder, but since .ssh is a hidden folder I cannot get 
> real-time file change alerts from the OSSEC manager. Does anyone know how to 
> fix this?
>



Re: [ossec-list] Re: syscheckd causing soft lockups

2017-03-23 Thread John Gelnaw

Upgrading has not solved the problem.

Still appears to be some form of port/bind issue based on the backtrace. 
To obfuscate things, this was my OSSEC master (Wazuh Docker image), so it 
was running in a Docker container on a virtual machine under VMware.

Nothing complicated there, right?

I'd love to hear any suggestions on where to look next to track down this 
problem.  I can (apparently) get around it by disabling rootcheck, but 
since that's one of the key features of ossec I really want for security, 
it's not a very good solution.



NMI watchdog: BUG: soft lockup - CPU#2 stuck for 23s! 
[ossec-syscheckd:16223]
CPU: 2 PID: 16223 Comm: ossec-syscheckd Not tainted 
3.10.0-514.10.2.el7.x86_64 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference 
Platform, BIOS 6.00 09/21/2015
RIP: 0010:[]  [] 
_raw_spin_lock+0x32/0x50
Call Trace:
 [] inet_csk_get_port+0x385/0x5c0
 [] inet_bind+0x14c/0x200
 [] SYSC_bind+0xe0/0x120
 [] ? __secure_computing+0x73/0x240
 [] ? __audit_syscall_exit+0x1e6/0x280
 [] ? __audit_syscall_entry+0xb4/0x110
 [] ? syscall_trace_enter+0x173/0x220
 [] SyS_bind+0xe/0x10
 [] tracesys+0xdd/0xe2
