[ossec-list] OSSEC fails to start after install from RPM on RHEL7

2017-04-06 Thread Felix Martel
Hello,

Not finding any useful information regarding my problems anywhere. I'm new 
to OSSEC HIDS. I played around a little bit with an appliance version, but 
now want to install it on a DevOps host.

I just did a fresh install of OSSEC HIDS from the atomicorp repo. Install 
seemed to go normally, although none of the usual installation questions 
were asked with respect to the questions asked by /install.sh in the manual 
(ie installation type, e-mail address, notifications, different engines, 
etc.). Haven't found any instructions on how to do those configuration 
steps post-install either.

Anyways, I installed using the command 

yum install ossec-hids ossec-hids-server


Everything seemed normal. No error messages during the installation.

After the installation, I attempted to start OSSEC-HIDS with the command 

/etc/init.d/ossec-hids start

At this point I got an error "Command not found".

I rebooted the server and was then able to run the command. At this point I 
got the following errors:

Starting ossec-hids (via systemctl):  Job for ossec-hids.service failed 
because the control process exited with error code. See "systemctl status 
ossec-hids.service" and "journalctl -xe" for details.
   [FAILED]


I then ran journalctl -xe and got the following output:

-- Unit ossec-hids.service has begun starting up.
Apr 06 21:35:48 RHEL7HOST realmd[1698]: quitting realmd service after 
timeout
Apr 06 21:35:48 RHEL7HOST realmd[1698]: stopping service
Apr 06 21:36:01 RHEL7HOST ossec-hids[2382]: Starting ossec-hids: [FAILED]
Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service: control process 
exited, code=exited status=1
Apr 06 21:36:01 RHEL7HOST systemd[1]: Failed to start SYSV: OSSEC-HIDS is 
an Open Source Host-based Intrusion Detection System..
-- Subject: Unit ossec-hids.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit ossec-hids.service has failed.
-- 
-- The result is failed.
Apr 06 21:36:01 RHEL7HOST systemd[1]: Unit ossec-hids.service entered 
failed state.
Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service failed.

I'm stumped. What I find really curious is the fact that realmd seems to 
stop (and immediately restarts after the failed start). Any help 
appreciated.







-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread Jake B.
I see, I'll try same_location then as I believe that should serve my 
purpose as well. Thanks!

On Thursday, April 6, 2017 at 10:49:16 AM UTC-7, dan (ddpbsd) wrote:
>
> On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp)  
> wrote: 
> > On Thu, Apr 6, 2017 at 1:29 PM, Jake B.  > wrote: 
> >> Ok I'll do that. Also, not sure if you know but thought I'd ask 
> anyway...Is 
> >> there any way to use the agent's name in a rule or decoder? I have my 
> agents 
> >> named after the hostname so I was thinking that could potentially be 
> another 
> >> option. Don't see anything about it in the documentation however. 
> >> 
> > 
> > It's either hostname or location, but I can never remember which. 
> > 
> >> On Thursday, April 6, 2017 at 10:16:49 AM UTC-7, dan (ddpbsd) wrote: 
> >>> 
> >>> On Wed, Apr 5, 2017 at 11:13 AM, Jake B.  wrote: 
> >>> > I'm not sure if this is a problem with the OSSEC configuration or 
> the 
> >>> > host 
> >>> > itself, but there are some events where the logs or full message 
> only 
> >>> > have 
> >>> > some of the information I need. For example, this will be the full 
> >>> > message I 
> >>> > receive (2016-02-03 14:16:35 status installed some_package). The 
> email 
> >>> > alert 
> >>> > will give me the agent name it sent it from, but I am not receiving 
> the 
> >>> > hostname as well. It seems to be that most events do give the full 
> >>> > message, 
> >>> > but I'm starting to notice some that don't so wondering if I should 
> be 
> >>> > looking to fix this on the OSSEC side or making sure the system is 
> fully 
> >>> > logging or sending everything over. Thanks! 
> >>> > 
> >>> 
> >>> All of my test systems are down due to weather at the moment, but 
> >>> check the agent's logs to see if the hostname is included. 
> >>> If the hostname isn't included in the log, there's no way for OSSEC to 
> add 
> >>> it. 
> >>> 
>
> Here's an example from my dpkg.log: 
> 2017-03-04 13:24:22 status installed man-db:amd64 2.6.7.1-1ubuntu1 
>
> No hostname in the log message. 
>


Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp)  wrote:
> On Thu, Apr 6, 2017 at 1:29 PM, Jake B.  wrote:
>> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is
>> there any way to use the agent's name in a rule or decoder? I have my agents
>> named after the hostname so I was thinking that could potentially be another
>> option. Don't see anything about it in the documentation however.
>>
>
> It's either hostname or location, but I can never remember which.
>
>> On Thursday, April 6, 2017 at 10:16:49 AM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 5, 2017 at 11:13 AM, Jake B.  wrote:
>>> > I'm not sure if this is a problem with the OSSEC configuration or the
>>> > host
>>> > itself, but there are some events where the logs or full message only
>>> > have
>>> > some of the information I need. For example, this will be the full
>>> > message I
>>> > receive (2016-02-03 14:16:35 status installed some_package). The email
>>> > alert
>>> > will give me the agent name it sent it from, but I am not receiving the
>>> > hostname as well. It seems to be that most events do give the full
>>> > message,
>>> > but I'm starting to notice some that don't so wondering if I should be
>>> > looking to fix this on the OSSEC side or making sure the system is fully
>>> > logging or sending everything over. Thanks!
>>> >
>>>
>>> All of my test systems are down due to weather at the moment, but
>>> check the agent's logs to see if the hostname is included.
>>> If the hostname isn't included in the log, there's no way for OSSEC to add
>>> it.
>>>

Here's an example from my dpkg.log:
2017-03-04 13:24:22 status installed man-db:amd64 2.6.7.1-1ubuntu1

No hostname in the log message.



Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:29 PM, Jake B.  wrote:
> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is
> there any way to use the agent's name in a rule or decoder? I have my agents
> named after the hostname so I was thinking that could potentially be another
> option. Don't see anything about it in the documentation however.
>

It's either hostname or location, but I can never remember which.

> On Thursday, April 6, 2017 at 10:16:49 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 5, 2017 at 11:13 AM, Jake B.  wrote:
>> > I'm not sure if this is a problem with the OSSEC configuration or the
>> > host
>> > itself, but there are some events where the logs or full message only
>> > have
>> > some of the information I need. For example, this will be the full
>> > message I
>> > receive (2016-02-03 14:16:35 status installed some_package). The email
>> > alert
>> > will give me the agent name it sent it from, but I am not receiving the
>> > hostname as well. It seems to be that most events do give the full
>> > message,
>> > but I'm starting to notice some that don't so wondering if I should be
>> > looking to fix this on the OSSEC side or making sure the system is fully
>> > logging or sending everything over. Thanks!
>> >
>>
>> All of my test systems are down due to weather at the moment, but
>> check the agent's logs to see if the hostname is included.
>> If the hostname isn't included in the log, there's no way for OSSEC to add
>> it.
>>


Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams  wrote:
> Hi,
>
> I tried to do this, but I'm getting:
>
> ERROR: Parent decoder name invalid: 'rootcheck'
> ERROR: Error adding decoder plugin
>
> I don't see the rootcheck decoder within decoder.xml as well, any ideas?
>

It must be one of the built-in decoders, and I guess those can't be
used for child decoders.
No other ideas at the moment, but I'll keep thinking about it.

> Thanks again for the help!
>
>
> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>
>> Hi all,
>>
>> I'm running into an issue where rule 510 is triggering and I'm getting
>> spammed with alerts but I can't seem to tune it correctly. What's weird is
>> that I am still getting alerted for rule 510 for this log, but I can't
>> figure out how to get that to show in logtest. Basically, I am getting
>> spammed with rule 510 and trying to filter it down more and here is what
>> happens when I enter the log in logtest: any ideas on how to fix
>> this?
>>
>> **Phase 1: Completed pre-decoding.
>>
>>full event: 'File '/filepath/' is owned by root and has written
>> permissions to anyone.'
>>
>>hostname: 'hostname'
>>
>>program_name: '(null)'
>>
>>log: 'File '/filepath/' is owned by root and has written
>> permissions to anyone.'
>>
>>
>> **Phase 2: Completed decoding.
>>
>>decoder: 'sample_decoder_setup'
>>
>>id: '/filepath/'
>


Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread Jake B.
Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is 
there any way to use the agent's name in a rule or decoder? I have my agents 
named after the hostname so I was thinking that could potentially be 
another option. Don't see anything about it in the documentation however.

On Thursday, April 6, 2017 at 10:16:49 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 11:13 AM, Jake B.  
> wrote: 
> > I'm not sure if this is a problem with the OSSEC configuration or the 
> host 
> > itself, but there are some events where the logs or full message only 
> have 
> > some of the information I need. For example, this will be the full 
> message I 
> > receive (2016-02-03 14:16:35 status installed some_package). The email 
> alert 
> > will give me the agent name it sent it from, but I am not receiving the 
> > hostname as well. It seems to be that most events do give the full 
> message, 
> > but I'm starting to notice some that don't so wondering if I should be 
> > looking to fix this on the OSSEC side or making sure the system is fully 
> > logging or sending everything over. Thanks! 
> > 
>
> All of my test systems are down due to weather at the moment, but 
> check the agent's logs to see if the hostname is included. 
> If the hostname isn't included in the log, there's no way for OSSEC to add 
> it. 
>


[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Rob Williams
Hi,

I tried to do this, but I'm getting:

ERROR: Parent decoder name invalid: 'rootcheck'
ERROR: Error adding decoder plugin

I don't see the rootcheck decoder within decoder.xml as well, any ideas?

Thanks again for the help!

On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting 
> spammed with alerts but I can't seem to tune it correctly. What's weird is 
> that I am still getting alerted for rule 510 for this log, but I can't 
> figure out how to get that to show in logtest. Basically, I am getting 
> spammed with rule 510 and trying to filter it down more and here is what 
> happens when I enter the log in logtest: any ideas on how to fix 
> this?
>
> **Phase 1: Completed pre-decoding.
>
>full event: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>hostname: 'hostname'
>
>program_name: '(null)'
>
>log: 'File '/filepath/' is owned by root and has written 
> permissions to anyone.'
>
>
> **Phase 2: Completed decoding.
>
>decoder: 'sample_decoder_setup'
>
>id: '/filepath/'
>



Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:13 AM, Jake B.  wrote:
> I'm not sure if this is a problem with the OSSEC configuration or the host
> itself, but there are some events where the logs or full message only have
> some of the information I need. For example, this will be the full message I
> receive (2016-02-03 14:16:35 status installed some_package). The email alert
> will give me the agent name it sent it from, but I am not receiving the
> hostname as well. It seems to be that most events do give the full message,
> but I'm starting to notice some that don't so wondering if I should be
> looking to fix this on the OSSEC side or making sure the system is fully
> logging or sending everything over. Thanks!
>

All of my test systems are down due to weather at the moment, but
check the agent's logs to see if the hostname is included.
If the hostname isn't included in the log, there's no way for OSSEC to add it.



Re: [ossec-list] Redundancy manager (backup)

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:32 AM, Martin  wrote:
> Hello Victor,
>
> I tried to run a second manager and I've the same file
> /var/ossec/etc/client.keys on it and on the first manager. I've copied the
> local_rules, ossec.conf, local_decoder as well.
>
> And I've specified on the agents to listen on him as you told me ;
>
>  10.0.0.1 10.0.0.2
> 
>
> My first manager (10.0.0.1 here) is shutdown and none the agents are
> listening on 10.0.0.2.
>
> What should I look into?
>

It takes a while (30min?) for the agents to switch over.

> Best regards.
>


[ossec-list] Re: OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-06 Thread Jake B.
Hi Jesus,

Thanks for the reply. Would this also alert on the first instance of this? 
I still do want to alert, but I want to avoid the spam that comes with it 
as it typically happens in large batches with little to no difference in 
meaning between the different events.

Thanks!

On Thursday, April 6, 2017 at 1:24:05 AM UTC-7, Jesus Linares wrote:
>
> Hi Jake,
>
> take a look at rule 511 
> .
>  
> It is the way to ignore an event coming from rule 510. You could do the same 
> with a composite rule, it would be something like:
>
> 
> 510
> your_file
> Ignore rule 510 for 'your_file' during 300 seconds.
> 
> 
>
> frequency="0" would mean the rule must be matched 2 times (frequency is 
> always +2 than the setting).
> level 0 will not generate an alert (for testing you could increase it).
>
> I hope it helps.
> Regards.
>
>
> On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote:
>>
>> Hello,
>>
>> I have alerts coming in huge batches for rule 510. The batches of alerts 
>> are essentially all the same event and the file path of the area that's 
>> causing this is essentially identical in each batch except for the last 
>> file. I'm trying to setup a rule that would look at the ID I setup in my 
>> decoder, which is a file path that takes the path except for the last file 
>> in order to match the batches of events. I want to alert only on the first 
>> one and ignore the rest with that same ID for 5 minutes. First of all, does 
>> the rule below look ok for this? Does frequency="0" work as I know the 
>> frequency essentially adds 2 to it? Also, I'm having another issue with 
>> this in particular is that ossec-logtest does not test this rule correctly 
>> at all. Even when I paste the message, it doesn't even show up as something 
>> that would trigger rule 510, which is what the alerts are coming as. So 
>> that is also making it hard to troubleshoot this. Any ideas? Thanks!
>>
>>  
>> 510 my_decoder 
>>  *TEST* - Only alert on the first docker root event 
>> for the same host and file path in a 60 second range. 
>> *TEST* - This is meant to reduce noise as docker root events 
>> typically happen in batches with not much difference in 
>> meaning. 
>>
>>
>>



Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams  wrote:
> I stopped them all (which appeared to work fine) and start again. Here is
> the rule and decoder I made for this (I want to alert only once if the same
> ID (filepath) has alerted in the past minute):
>
> 
>
> 510
>
> 
>
> This is meant to reduce noise as these events happen in
> batches with not much difference in meaning.
>
>   
>
>
> DECODER:
>
>
> 
>
>   ^(\.+) (\p/filepath\.+) 
>
>   (/filepath/\.+/mnt/\.+/)
>
>   id
>
> 
>
>
> Logtest returns the id I am looking for to match and that part works fine.
> It only gets to the first 2 steps though, and does not match it with a rule
> in logtest.
>

Well 510 won't match because it expects 509 to match. 509 won't match
because it requires decoder "rootcheck" to match. Your decoder is
taking priority apparently. Maybe if you made your decoder a child of
rootcheck.



Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Jesus Linares
Hi,

check this 
out: https://groups.google.com/forum/#!topic/ossec-list/USAF6jF8yk8

Regards.

On Wednesday, April 5, 2017 at 10:45:52 PM UTC+2, Rob Williams wrote:
>
> I stopped them all (which appeared to work fine) and start again. Here is 
> the rule and decoder I made for this (I want to alert only once if the same 
> ID (filepath) has alerted in the past minute):
>
> 
>
> 510
>
> 
>
> This is meant to reduce noise as these events happen in 
> batches with not much difference in meaning.
>
>   
>
>
> DECODER:
>
>
> 
>
>   ^(\.+) (\p/filepath\.+) 
>
>   (/filepath/\.+/mnt/\.+/)
>
>   id
>
> 
>
>
> Logtest returns the id I am looking for to match and that part works fine. 
> It only gets to the first 2 steps though, and does not match it with a rule 
> in logtest.
> On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams  
>> wrote: 
>> > Yes I have, I've also tried to disable all the relevant changes I've 
>> made, 
>> > restart, and still have the same issue. 
>> > 
>>
>> Try stopping the ossec processes, verify that ossec-analysisd has 
>> stopped (sometimes it doesn't and causes issues), and start it back 
>> up. 
>> Can you also post the changes you made? 
>>
>> > On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote: 
>> >> 
>> >> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams  
>> wrote: 
>> >> > Hi all, 
>> >> > 
>> >> > I'm running into an issue where rule 510 is triggering and I'm 
>> getting 
>> >> > spammed with alerts but I can't seem to tune it correctly. What's 
>> weird 
>> >> > is 
>> >> > that I am still getting alerted for rule 510 for this log, but I 
>> can't 
>> >> > figure out how to get that to show in logtest. Basically, I am 
>> getting 
>> >> > spammed with rule 510 and trying to filter it down more and here is 
>> what 
>> >> > happens when I enter the log in logtest: any ideas on how to 
>> fix 
>> >> > this? 
>> >> > 
>> >> > **Phase 1: Completed pre-decoding. 
>> >> > 
>> >> >full event: 'File '/filepath/' is owned by root and has 
>> written 
>> >> > permissions to anyone.' 
>> >> > 
>> >> >hostname: 'hostname' 
>> >> > 
>> >> >program_name: '(null)' 
>> >> > 
>> >> >log: 'File '/filepath/' is owned by root and has written 
>> >> > permissions 
>> >> > to anyone.' 
>> >> > 
>> >> > 
>> >> > **Phase 2: Completed decoding. 
>> >> > 
>> >> >decoder: 'sample_decoder_setup' 
>> >> > 
>> >> >id: '/filepath/' 
>> >> > 
>> >> 
>> >> Did you restart the OSSEC processes on the server after making your 
>> >> modifications? 
>> >> 


[ossec-list] Re: OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-06 Thread Jesus Linares
Hi Jake,

take a look at rule 511 
.
 
It is the way to ignore an event coming from rule 510. You could do the same 
with a composite rule, it would be something like:


510
your_file
Ignore rule 510 for 'your_file' during 300 seconds.



frequency="0" would mean the rule must be matched 2 times (frequency is 
always +2 than the setting).
level 0 will not generate an alert (for testing you could increase it).

I hope it helps.
Regards.


On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote:
>
> Hello,
>
> I have alerts coming in huge batches for rule 510. The batches of alerts 
> are essentially all the same event and the file path of the area that's 
> causing this is essentially identical in each batch except for the last 
> file. I'm trying to setup a rule that would look at the ID I setup in my 
> decoder, which is a file path that takes the path except for the last file 
> in order to match the batches of events. I want to alert only on the first 
> one and ignore the rest with that same ID for 5 minutes. First of all, does 
> the rule below look ok for this? Does frequency="0" work as I know the 
> frequency essentially adds 2 to it? Also, I'm having another issue with 
> this in particular is that ossec-logtest does not test this rule correctly 
> at all. Even when I paste the message, it doesn't even show up as something 
> that would trigger rule 510, which is what the alerts are coming as. So 
> that is also making it hard to troubleshoot this. Any ideas? Thanks!
>
>  
> 510 my_decoder 
>  *TEST* - Only alert on the first docker root event 
> for the same host and file path in a 60 second range. 
> *TEST* - This is meant to reduce noise as docker root events 
> typically happen in batches with not much difference in 
> meaning. 
>
>
>

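As an added illustration (not code from this thread or from OSSEC itself), the two behaviours discussed above modelled in Python: the "alert on the first event, ignore the same id for 300 seconds" that Jake asks for, and the "frequency=N fires after N+2 matches within timeframe" counting that Jesus describes. The id is derived the way Jake's decoder does it (the path minus its last component); the rootcheck-style messages, paths and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed events of the shape quoted in the thread:
# "File '/filepath/' is owned by root and has written permissions to anyone."
# The (epoch-seconds, message) pairs below are made up for the example.
SAMPLE_EVENTS = [
    (1000, "File '/srv/app/mnt/data/a.txt' is owned by root and has written permissions to anyone."),
    (1005, "File '/srv/app/mnt/data/b.txt' is owned by root and has written permissions to anyone."),
    (1009, "File '/srv/app/mnt/data/c.txt' is owned by root and has written permissions to anyone."),
    (1020, "File '/opt/other/x.sh' is owned by root and has written permissions to anyone."),
    (1400, "File '/srv/app/mnt/data/d.txt' is owned by root and has written permissions to anyone."),
]

ROOTCHECK_RE = re.compile(
    r"^File '(?P<path>[^']+)' is owned by root and has written permissions to anyone\.$"
)


def decode_id(message):
    """Mimic the poster's decoder: the id is the file path minus its last component."""
    m = ROOTCHECK_RE.match(message)
    if not m:
        return None
    path = m.group("path")
    return path.rsplit("/", 1)[0] + "/"


class FirstEventSuppressor:
    """Alert on the first event per id; ignore that id for `timeframe` seconds afterwards."""

    def __init__(self, timeframe=300):
        self.timeframe = timeframe
        self.last_alert = {}  # id -> timestamp of the last alert we let through

    def process(self, ts, event_id):
        last = self.last_alert.get(event_id)
        if last is not None and ts - last < self.timeframe:
            return False  # suppressed: same id seen within the window
        self.last_alert[event_id] = ts
        return True  # first event for this id (or window expired): alert


class CompositeCounter:
    """Model of the counting described in the thread (not OSSEC's own code):
    a composite rule with frequency=N is considered matched once N+2 events
    with the same id fall inside `timeframe` seconds."""

    def __init__(self, frequency=0, timeframe=300):
        self.needed = frequency + 2
        self.timeframe = timeframe
        self.window = defaultdict(deque)  # id -> timestamps still inside the window

    def process(self, ts, event_id):
        q = self.window[event_id]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:
            q.popleft()  # drop events older than the timeframe
        return len(q) >= self.needed


def run(events, timeframe=300):
    """Return (ts, id, first_event_alert, composite_matched) for each decodable event."""
    suppressor = FirstEventSuppressor(timeframe)
    composite = CompositeCounter(frequency=0, timeframe=timeframe)
    results = []
    for ts, msg in events:
        event_id = decode_id(msg)
        if event_id is None:
            continue  # not a rootcheck message of this shape
        results.append((ts, event_id, suppressor.process(ts, event_id), composite.process(ts, event_id)))
    return results


if __name__ == "__main__":
    for ts, event_id, alert, matched in run(SAMPLE_EVENTS):
        print(f"{ts} {event_id} alert={alert} composite_matched={matched}")
```

With the sample input only the first event of each id, and the event arriving after the 300-second window, produce an alert; the composite counter is matched from the second event of an id within the window and clears once the window expires.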