Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know
Hi, I will try to enable this feature on my RHEL; after testing I will let you know. Thanks.

On Thursday, March 23, 2017 at 15:37:50 UTC-3, Victor Fernandez wrote:
>
> Hi Eduardo,
>
> I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your
> configuration and it worked. But when I disabled IPv6 I got the
> same errors you have.
>
> Please try to enable IPv6 on the running system with:
>
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> sysctl -w net.ipv6.conf.default.disable_ipv6=1
>
> And try to start OSSEC. If it works, consider enabling IPv6 permanently by
> editing file */etc/sysctl.conf*.
>
> Hope it helps. If I find another way to run OSSEC with IPv6 disabled I will
> let you know.
>
> Best regards.
>
> On Thu, Mar 23, 2017 at 11:19 AM, dan (ddp) wrote:
>
>> On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote:
>> > Hi dan, I don't have IPv6 enabled on my Linux system, so I don't have inet6 in
>> > my ifconfig configuration, only IPv4.
>> >
>> > Could this be causing the problem?
>> >
>>
>> I think having ipv6 support is necessary now. You don't need to have
>> addresses or anything, but the facilities need to be available.
>>
>> > On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote:
>> >> > When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I
>> >> > have
>> >>
>> >> Is IPv6 totally disabled for your system (support for IPv6 was removed)?
>> >>
>> >> > a problem with ossec-remoted and ossec-auth; these services can't bind
>> >> > port 1514, log error below.
>> >> > I generated my certificate with the commands "openssl genrsa -out" and
>> >> > "openssl req -new -x509 -key ".
>> >> >
>> >> > ##Log OSSEC.LOG
>> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
>> >> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
>> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
>> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
>> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
>> >> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
>> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
>> >> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
>> >> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
>> >> >
>> >> > In other cases of being unable to bind port 1514, my error was my client.keys,
>> >> > but now I have a new error "getaddrinfo".
>> >> >
>> >> > Can you help me?
>> >> >
>> >> > Kind regards
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an
>> >> > email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
>
> --
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
Re: [ossec-list] Custom decoder & rule not working
Hi Martin, the problem is that this log also matches rule 2501 (from Syslog), which has level 5. Since your rule 100201 has level 1, OSSEC discards it in favor of rule 2501. So increasing the level to 6 should work:

app.ERROR
Multiple login attempts bepark.eu/fr/connexion

100201
Multiple login attempts bepark.eu/fr/connexion
authentication_failures,

Hope it helps.

Best regards.

On Thu, Mar 23, 2017 at 9:37 AM, Martin wrote:
> Hello,
>
> I have this kind of log coming from a custom app:
>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
>
> I'm trying to block an IP with too many authentication failures.
>
> So I did a custom decoder, which is working:
>
> ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p
>
> app.ERROR
> ^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$
> status,srcip,extra_data,extra_data
>
> and I want these rules to work with this log:
>
> app.ERROR
> Multiple login attempts bepark.eu/fr/connexion
>
> 100201
> Multiple login attempts bepark.eu/fr/connexion
> authentication_failures,
>
> But this is what I get when testing with */var/ossec/bin/ossec-logtest*:
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
>
> **Phase 1: Completed pre-decoding.
>        full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
>        hostname: 'Digital-Ocean-1'
>        program_name: '(null)'
>        log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
>
> **Phase 2: Completed decoding.
>        decoder: 'app.ERROR'
>        status: 'failure'
>        srcip: '172.17.0.1'
>        extra_data: '[]'
>        extra_data: '[]'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2501'
>        Level: '5'
>        Description: 'User authentication failure.'
> **Alert to be generated.
>
> Why are my rules not working over the 2501 one?

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know
Hi Eduardo,

I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your configuration and it worked. But when I disabled IPv6 I got the same errors you have.

Please try to enable IPv6 on the running system with:

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

And try to start OSSEC. If it works, consider enabling IPv6 permanently by editing file */etc/sysctl.conf*.

Hope it helps. If I find another way to run OSSEC with IPv6 disabled I will let you know.

Best regards.

On Thu, Mar 23, 2017 at 11:19 AM, dan (ddp) wrote:
> On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote:
> > Hi dan, I don't have IPv6 enabled on my Linux system, so I don't have inet6 in
> > my ifconfig configuration, only IPv4.
> >
> > Could this be causing the problem?
> >
>
> I think having ipv6 support is necessary now. You don't need to have
> addresses or anything, but the facilities need to be available.
>
> > On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
> >>
> >> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote:
> >> > When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I
> >> > have
> >>
> >> Is IPv6 totally disabled for your system (support for IPv6 was removed)?
> >>
> >> > a problem with ossec-remoted and ossec-auth; these services can't bind
> >> > port 1514, log error below.
> >> > I generated my certificate with the commands "openssl genrsa -out" and
> >> > "openssl req -new -x509 -key ".
> >> >
> >> > ##Log OSSEC.LOG
> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
> >> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> >> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> >> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> >> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
> >> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
> >> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
> >> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
> >> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
> >> >
> >> > In other cases of being unable to bind port 1514, my error was my client.keys,
> >> > but now I have a new error "getaddrinfo".
> >> >
> >> > Can you help me?
> >> >
> >> > Kind regards

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
Re: [ossec-list] Re: Modify rules
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote:
> I went with the first option. Works as expected but now I need to adjust the
> number of fails before the IP is blocked. Where do I do that?
>

Try using 5720 for the rule to trigger active response. It looks for 8+ instances by default.

>
> On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>>
>> I am new to ossec and I am trying to figure out what is the best way to
>> change a rule. In the ossec.conf it says this
>>
>>> host-deny
>>> local
>>> 6
>>> 600
>>
>> I am assuming the level it is referring to is the level set in the
>> rule.xml. So the sshd_rules.xml has this line.
>>
>>> 5700
>>> ^Failed|^error: PAM: Authentication
>>> SSHD authentication failed.
>>> authentication_failed,
>>
>> When testing failed ssh logins I see the alert in the alert.log for the
>> rule above. How should I go about changing the level to 6 so it will get
>> blocked? I tried editing the sshd_rules.xml but get the read only warning.
Re: [ossec-list] Custom decoder & rules not working
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote:
> Hello,
>
> I have this kind of log coming from a custom app:
>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
>
> I'm trying to block an IP with too many authentication failures.
>
> So I did a custom decoder, which is working:
>
> ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p
>
> app.ERROR
> ^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$
> status,srcip,extra_data,extra_data
>
> and I want these rules to work with this log:
>
> app.ERROR
> Multiple login attempts customapp
>
> 100201
> Multiple login attempts customapp
> authentication_failures,
>
> But this is what I get when testing with /var/ossec/bin/ossec-logtest:
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
>
> **Phase 1: Completed pre-decoding.
>        full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
>        hostname: 'Digital-Ocean-1'
>        program_name: '(null)'
>        log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
>
> **Phase 2: Completed decoding.
>        decoder: 'app.ERROR'
>        status: 'failure'
>        srcip: '172.17.0.1'
>        extra_data: '[]'
>        extra_data: '[]'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2501'
>        Level: '5'
>        Description: 'User authentication failure.'
> **Alert to be generated.
>
> Why are my rules not working over the 2501 one?
>

2501 is probably evaluated first. You can add an 2501 to your first rule to help it match.
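The answers in this digest describe one matching mechanism from three angles: Victor's point that a custom rule at level 1 loses to rule 2501 at level 5 unless its level is raised, Dan's point that referencing 2501 from the custom rule (an `<if_sid>` in OSSEC rule syntax) makes it evaluate only after 2501 has matched, and Dan's note in the "Modify rules" thread that a frequency-based rule such as 5720 fires only after a number of instances. The following is an added example and not OSSEC's own code or anything posted in the threads: a deliberately simplified Python model of that precedence (top-level rules tried highest level first, first match wins; `if_sid` children evaluated under their parent; an `if_matched_sid` composite fires once the parent has matched `frequency` times within `timeframe` seconds for the same source IP). Rule id 100200, the composite rule 100201 with its frequency and timeframe, and the sample event rebuilt from Martin's log line are all constructed for the example; the real engine's counting details differ, so treat the output as an illustration of ordering, not as a substitute for ossec-logtest.

```python
"""Added example, not OSSEC's code: a simplified model of how OSSEC picks one
rule per event. Rule ids, levels, frequency, timeframe and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    id: int
    level: int
    description: str = ""
    decoded_as: Optional[str] = None      # stands in for <decoded_as>
    match: Optional[str] = None           # case-insensitive substring, stands in for <match>
    if_sid: Optional[int] = None          # <if_sid>: tried only after the parent rule matched
    if_matched_sid: Optional[int] = None  # <if_matched_sid>: composite rule over the parent
    frequency: int = 0                    # frequency="N"
    timeframe: int = 0                    # timeframe="seconds"

@dataclass
class Event:
    ts: int        # seconds on a constructed clock
    decoder: str   # decoder name as ossec-logtest reports it
    log: str
    srcip: str

class ToyAnalyzer:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.history = defaultdict(list)  # (rule id, srcip) -> timestamps of earlier matches

    @staticmethod
    def _by_level(rules: List[Rule]) -> List[Rule]:
        # Higher level first: a level-1 custom rule is never reached while
        # level-5 rule 2501 also matches the same event.
        return sorted(rules, key=lambda r: r.level, reverse=True)

    def _roots(self) -> List[Rule]:
        return [r for r in self.rules if r.if_sid is None and r.if_matched_sid is None]

    def _children(self, parent_id: int) -> List[Rule]:
        return [r for r in self.rules if parent_id in (r.if_sid, r.if_matched_sid)]

    def _simple_match(self, rule: Rule, ev: Event) -> bool:
        if rule.decoded_as is not None and rule.decoded_as != ev.decoder:
            return False
        return rule.match is None or rule.match.lower() in ev.log.lower()

    def _composite_match(self, rule: Rule, ev: Event) -> bool:
        recent = [t for t in self.history[(rule.if_matched_sid, ev.srcip)]
                  if ev.ts - t <= rule.timeframe]
        return len(recent) + 1 >= rule.frequency  # +1: the parent match happening right now

    def evaluate(self, ev: Event) -> Optional[Rule]:
        """Return the single rule that would alert for this event, or None."""
        for root in self._by_level(self._roots()):
            if self._simple_match(root, ev):
                return self._descend(root, ev)
        return None

    def _descend(self, parent: Rule, ev: Event) -> Rule:
        winner = parent
        for child in self._by_level(self._children(parent.id)):
            hit = (self._composite_match(child, ev) if child.if_matched_sid is not None
                   else self._simple_match(child, ev))
            if hit:
                winner = self._descend(child, ev)
                break
        self.history[(parent.id, ev.srcip)].append(ev.ts)
        return winner

# Stand-in for OSSEC's rule 2501 ("User authentication failure.", level 5)
RULE_2501 = Rule(2501, 5, "User authentication failure.", match="authentication failure")
CUSTOM_DESC = "Multiple login attempts customapp"
# Martin's custom rule as posted (level 1), Victor's fix (level 6), Dan's fix (if_sid 2501);
# the id 100200 is constructed
AS_POSTED = Rule(100200, 1, CUSTOM_DESC, decoded_as="app.ERROR")
LEVEL_RAISED = Rule(100200, 6, CUSTOM_DESC, decoded_as="app.ERROR")
CHAINED = Rule(100200, 1, CUSTOM_DESC, decoded_as="app.ERROR", if_sid=2501)
# Constructed composite rule: 3 hits from one IP within 120 s
BURST = Rule(100201, 10, "Multiple login attempts customapp (burst)",
             if_matched_sid=100200, frequency=3, timeframe=120)

def sample_event(ts: int = 0, srcip: str = "172.17.0.1") -> Event:
    # Built from the log line and decoder name in Martin's logtest output
    return Event(ts, "app.ERROR", f"app.ERROR: Authentication failure for IP: {srcip} [] []", srcip)

def alerting_rule_id(custom_rule: Rule) -> int:
    """Which rule alerts for Martin's event when 2501 and one custom rule are loaded."""
    return ToyAnalyzer([RULE_2501, custom_rule]).evaluate(sample_event()).id

def burst_ids() -> List[int]:
    """Four failures at t=0,30,60,400: the composite fires on the third; the fourth
    is outside the window, so only the base custom rule alerts again."""
    a = ToyAnalyzer([RULE_2501, LEVEL_RAISED, BURST])
    return [a.evaluate(sample_event(ts)).id for ts in (0, 30, 60, 400)]

if __name__ == "__main__":
    print(alerting_rule_id(AS_POSTED), alerting_rule_id(LEVEL_RAISED),
          alerting_rule_id(CHAINED), burst_ids())  # 2501 100200 100200 [100200, 100200, 100201, 100200]
```

Either fix works because both change where the custom rule sits in the evaluation order: raising the level moves it ahead of 2501 among the top-level rules, while chaining it under 2501 lets 2501 match first and then hands the event down. The composite in `burst_ids` is the shape of a rule you would point active response at (as Dan does with 5720): it carries the high level, the base rule stays informational.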
Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know
On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote:
> Hi dan, I don't have IPv6 enabled on my Linux system, so I don't have inet6 in
> my ifconfig configuration, only IPv4.
>
> Could this be causing the problem?
>

I think having ipv6 support is necessary now. You don't need to have addresses or anything, but the facilities need to be available.

> On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>>
>> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote:
>> > When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I
>> > have
>>
>> Is IPv6 totally disabled for your system (support for IPv6 was removed)?
>>
>> > a problem with ossec-remoted and ossec-auth; these services can't bind
>> > port 1514, log error below.
>> > I generated my certificate with the commands "openssl genrsa -out" and
>> > "openssl req -new -x509 -key ".
>> >
>> > ##Log OSSEC.LOG
>> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
>> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
>> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
>> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
>> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
>> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
>> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
>> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
>> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
>> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
>> >
>> > In other cases of being unable to bind port 1514, my error was my client.keys,
>> > but now I have a new error "getaddrinfo".
>> >
>> > Can you help me?
>> >
>> > Kind regards
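Dan's answer above states the requirement: the IPv6 facilities must be present even when no IPv6 address is in use. The error text in Eduardo's log, "getaddrinfo: Name or service not known", is `gai_strerror()` for `EAI_NONAME`, and glibc returns that immediately (before any lookup) when a caller asks for an `AF_INET6` result with the `AI_ADDRCONFIG` flag on a host that has no non-loopback IPv6 address configured. The block below is an added example in Python, not OSSEC's code and not from the thread: it reproduces that lookup for a wildcard listener, falls back to an IPv4 wildcard, and reads the `net.ipv6.conf.all.disable_ipv6` knob (a value of 1 means IPv6 is disabled, 0 means enabled). Port 1514 comes from the thread; the wildcard hosts, the flag combination and the fallback order are my assumptions about a generic listener, not a description of how ossec-remoted resolves its address.

```python
"""Added example (not OSSEC's code): show why getaddrinfo() answers
'Name or service not known' on an IPv6-less host and how a listener can
report that and fall back.  Port 1514 is from the thread; the rest is assumed."""
import socket
from typing import List, Optional, Tuple

IPV6_SYSCTL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"


def ipv6_disabled_by_sysctl(path: str = IPV6_SYSCTL) -> Optional[bool]:
    """True if the kernel knob reads 1 (IPv6 disabled), False if it reads 0
    (enabled), None if the knob is absent (no ipv6 module, or not Linux)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def resolve_listen_address(port: int, want_ipv6: bool = True) -> Tuple[Tuple, List[str]]:
    """Return ((family, sockaddr), attempts) for a UDP wildcard listener.

    attempts records every getaddrinfo() call and its outcome, so an operator
    sees *which* lookup was refused rather than only the later bind failure."""
    attempts: List[str] = []
    candidates = []
    if want_ipv6:
        # IPv6 wildcard.  With AI_ADDRCONFIG glibc refuses AF_INET6 outright
        # (EAI_NONAME) when no non-loopback IPv6 address is configured.
        candidates.append(("::", socket.AF_INET6, socket.AI_PASSIVE | socket.AI_ADDRCONFIG))
    # IPv4 wildcard under the same rule (loopback-only hosts are refused too).
    candidates.append(("0.0.0.0", socket.AF_INET, socket.AI_PASSIVE | socket.AI_ADDRCONFIG))
    # Last resort: a numeric IPv4 wildcard without AI_ADDRCONFIG always resolves.
    candidates.append(("0.0.0.0", socket.AF_INET, socket.AI_PASSIVE))
    for host, family, flags in candidates:
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_DGRAM, 0, flags)
        except socket.gaierror as exc:
            # exc.strerror is the same text OSSEC printed: "Name or service not known"
            attempts.append(f"{host} {family.name}: {exc.strerror}")
            continue
        fam, _, _, _, sockaddr = infos[0]
        attempts.append(f"{host} {fam.name}: ok")
        return (fam, sockaddr), attempts
    raise RuntimeError("no usable wildcard address: " + "; ".join(attempts))


def diagnose(port: int = 1514) -> dict:
    """Bundle the sysctl state and the resolution trace into one report."""
    (fam, sockaddr), attempts = resolve_listen_address(port)
    return {"ipv6_disabled": ipv6_disabled_by_sysctl(),
            "family": fam.name, "sockaddr": sockaddr, "attempts": attempts}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

On a host where IPv6 has been switched off, `attempts` starts with a refused `:: AF_INET6` entry carrying exactly the message from Eduardo's log, and `ipv6_disabled` reads `True`; on a dual-stack host the first lookup succeeds. The sysctl reading is the quick check to run before chasing certificates or `client.keys`, since the same "Unable to bind" line follows several unrelated causes.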
Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know
Hi dan, I don't have IPv6 enabled on my Linux system, so I don't have inet6 in my ifconfig configuration, only IPv4.

Could this be causing the problem?

On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote:
>
> On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote:
> > When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I
> > have
>
> Is IPv6 totally disabled for your system (support for IPv6 was removed)?
>
> > a problem with ossec-remoted and ossec-auth; these services can't bind
> > port 1514, log error below.
> > I generated my certificate with the commands "openssl genrsa -out" and
> > "openssl req -new -x509 -key ".
> >
> > ##Log OSSEC.LOG
> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
> > 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> > 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> > 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> > 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
> > 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
> > 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
> > 2017/03/21 11:35:47 getaddrinfo: Name or service not known
> > 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
> >
> > In other cases of being unable to bind port 1514, my error was my client.keys,
> > but now I have a new error "getaddrinfo".
> >
> > Can you help me?
> >
> > Kind regards
[ossec-list] Custom decoder & rules not working
Hello,

I have this kind of log coming from a custom app:

> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

I'm trying to block an IP with too many authentication failures.

So I did a custom decoder, which is working:

^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p

app.ERROR
^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$
status,srcip,extra_data,extra_data

and I want these rules to work with this log:

app.ERROR
Multiple login attempts customapp

100201
Multiple login attempts customapp
authentication_failures,

But this is what I get when testing with */var/ossec/bin/ossec-logtest*:

[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

**Phase 1: Completed pre-decoding.
       full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
       hostname: 'Digital-Ocean-1'
       program_name: '(null)'
       log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'

**Phase 2: Completed decoding.
       decoder: 'app.ERROR'
       status: 'failure'
       srcip: '172.17.0.1'
       extra_data: '[]'
       extra_data: '[]'

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not working over the 2501 one?
[ossec-list] Custom decoder & rule not working
Hello,

I have this kind of log coming from a custom app:

> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

I'm trying to block an IP with too many authentication failures.

So I did a custom decoder, which is working:

^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p

app.ERROR
^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$
status,srcip,extra_data,extra_data

and I want these rules to work with this log:

app.ERROR
Multiple login attempts bepark.eu/fr/connexion

100201
Multiple login attempts bepark.eu/fr/connexion
authentication_failures,

But this is what I get when testing with */var/ossec/bin/ossec-logtest*:

[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

**Phase 1: Completed pre-decoding.
       full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
       hostname: 'Digital-Ocean-1'
       program_name: '(null)'
       log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'

**Phase 2: Completed decoding.
       decoder: 'app.ERROR'
       status: 'failure'
       srcip: '172.17.0.1'
       extra_data: '[]'
       extra_data: '[]'

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not working over the 2501 one?
[ossec-list] Re: Modify rules
I went with the first option. Works as expected but now I need to adjust the number of fails before the IP is blocked. Where do I do that?

On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to
> change a rule. In the ossec.conf it says this
>
>> host-deny
>> local
>> 6
>> 600
>
> I am assuming the level it is referring to is the level set in the
> rule.xml. So the sshd_rules.xml has this line.
>
>> 5700
>> ^Failed|^error: PAM: Authentication
>> SSHD authentication failed.
>> authentication_failed,
>
> When testing failed ssh logins I see the alert in the alert.log for the
> rule above. How should I go about changing the level to 6 so it will get
> blocked? I tried editing the sshd_rules.xml but get the read only warning.
[ossec-list] Re: Real time monitoring hidden files or hidden folder
I actually monitor /home/*.ssh,/root/.ssh and have AR set so that if a new directory appears in /home, it restarts the agent so it adds it to the wildcard.

On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com wrote:
>
> Recently, we are trying to use OSSEC to monitor ~/.ssh/authorized_key in
> real time. But it seems it only works for the periodic system integrity
> check, not in real time. I checked the /var/ossec/queue/diff folder; it
> recorded all the changes under that folder, but since .ssh is a hidden
> folder, I can not get alerts from the ossec manager for real-time file
> change alerts. Is there anyone who knows how to fix this?
Re: [ossec-list] Re: syscheckd causing soft lockups
Upgrading has not solved the problem. Still appears to be some form of port / bind issue based on the backtrace. To obfuscate things, this was my ossec master (wazuh docker image), so it was running in a docker container, on a virtual machine under VMWare. Nothing complicated there, right?

I'd love to hear any suggestions on where to look next to track down this problem. I can (apparently) get around it by disabling rootcheck, but since that's one of the key features of ossec I really want for security, it's not a very good solution.

NMI watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [ossec-syscheckd:16223]
Modules linked in: xt_nat veth binfmt_misc ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc iptable_filter vmw_vsock_vmci_transport vsock btrfs zlib_deflate raid6_pq xor intel_powerclamp coretemp iosf_mbi crc32_pclmul ghash_clmulni_intel ppdev aesni_intel lrw gf128mul glue_helper vmw_balloon ablk_helper cryptd pcspkr sg vmw_vmci i2c_piix4 shpchp parport_pc parport nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel vmwgfx drm_kms_helper ata_piix syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm vmxnet3 drm libata vmw_pvscsi i2c_core floppy fjes dm_mirror dm_region_hash dm_log dm_mod
CPU: 2 PID: 16223 Comm: ossec-syscheckd Not tainted 3.10.0-514.10.2.el7.x86_64 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/21/2015
task: 88000593ce70 ti: 8800130ec000 task.ti: 8800130ec000
RIP: 0010:[] [] _raw_spin_lock+0x32/0x50
RSP: 0018:8800130efde0 EFLAGS: 0203
RAX: 411c RBX: 0020 RCX: bb00
RDX: 384c RSI: 384c RDI: c900016fe4f0
RBP: 8800130efde0 R08: 8800b7aa9380 R09: c900016fe4f0
R10: 0008 R11: 0206 R12: c900016fe3e0
R13: 88013ae99a80 R14: 0246 R15: 8800130efd78
FS: 7efe439a5740() GS:88013ae8() knlGS:
CS: 0010 DS: ES: CR0: 8005003b
CR2: 0063e000 CR3: 13e8c000 CR4: 000407e0
DR0: DR1: DR2:
DR3: DR6: 0ff0 DR7: 0400
Stack:
8800130efe68 815bc2b5 0005811de175 8800b8993640
81f96140 c900016fe4f0 0c01
Call Trace:
[] inet_csk_get_port+0x385/0x5c0
[] inet_bind+0x14c/0x200
[] SYSC_bind+0xe0/0x120
[] ? __secure_computing+0x73/0x240
[] ? __audit_syscall_exit+0x1e6/0x280
[] ? __audit_syscall_entry+0xb4/0x110
[] ? syscall_trace_enter+0x173/0x220
[] SyS_bind+0xe/0x10
[] tracesys+0xdd/0xe2
Code: 00 02 00 f0 0f c1 07 89 c2 c1 ea 10 66 39 c2 75 01 c3 55 83 e2 fe 0f b7 f2 48 89 e5 b8 00 80 00 00 eb 0d 66 0f 1f 44 00 00 f3 90 <83> e8 01 74 0a 0f b7 0f 66 39 ca 75 f1 5d c3 66 66 66 90 66 66