Re: [ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-29 Thread Patrick Tobin
Not sure if this will help but these are the steps I took to build a binary 
installer for Solaris 10 (I did the same for 2.8.3 and it worked as well):

Compile OSSEC on Solaris 10 with OPENSSL Support

  1. Install opencsw pkgutil
  --> pkgadd -d http://get.opencsw.org/now
  2. Install OPENSSL and OPENSSL Libraries
  --> pkgutil -i libssl_dev
  --> pkgutil -i openssl_utils
  3. Download OSSEC Tar file
  --> wget http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
  4. Unzip the tar
  --> gunzip ossec-hids-2.8.2.tar.gz
  5. Untar the tar
  --> tar -xvf ossec-hids-2.8.2.tar.gz
  6. Change to the src dir
  --> cd ossec-hids-2.8.2/src
  7. Edit the Makeall file
  --> vi Makeall
  8. Change all instances of /bin/sh to /usr/bin/bash
  --> shift+:%s/\/bin\/sh/\/usr\/bin\/bash/g
  --> shift+:wq!
  9. Locate gcc and create softlink to cc
  --> which gcc
  --> cd to gcc dir
  --> ln -s  cc
  10. Find where the OPENSSL Header resides
  --> find / -name opensslconf.h -print
  11. Update the OPENSSL check in the Makeall file
  --> cd /tmp/ossec-hids-2.8.2/src
  --> vi Makeall
  --> /ssl
  --> change "if [ -e /usr/sfw/include/openssl/opensslconf.h ]; then" to 
the path of the header from the find command in step 10
  --> escape shift+:wq!
  12. Start the build process
  --> make setagent
  --> make all (make sure you see "-DUSE_OPENSSL" in the agent_auth compile)
  --> make build
  13. Update the preloaded-vars.conf
  --> cd /tmp/ossec-hids-2.8.2/etc
  --> vi preloaded-vars.conf
  --> update the agent variables as needed and exit
  14. Test the new binaries
  --> cd /tmp/ossec-hids-2.8.2
  --> ./install.sh
  --> /var/ossec/bin/agent-auth -m  -p  (should be 
successful with openssl support)
  15. Create new binary tar file for deployment
  --> cd /tmp
  --> tar -cvf ossec-solaris-binary-2.8.2.tar ossec-hids-2.8.2/


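As an added example (not from Patrick's post, and not OSSEC's own code), the script below packages steps 8, 10, 11 and the `-DUSE_OPENSSL` check of step 12 into small functions and exercises them against a constructed stand-in for `src/Makeall`. The function names and the sample Makeall text are assumptions. On Solaris 10 run it with `/usr/bin/bash` rather than the legacy `/bin/sh`, which has no `$(...)` substitution; that is the same reason step 8 switches Makeall to bash.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for steps 8, 10, 11 and
# the -DUSE_OPENSSL check in step 12, exercised against a constructed stand-in
# for src/Makeall. Function names and the sample text are assumptions.
# On Solaris 10 run this with /usr/bin/bash: the legacy /bin/sh has no $(...)
# substitution, which is also why step 8 switches Makeall to bash.

# Constructed stand-in for the lines of src/Makeall that the steps touch.
make_sample_makeall() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "Checking for OpenSSL"
if [ -e /usr/sfw/include/openssl/opensslconf.h ]; then
    echo "-DUSE_OPENSSL" > ./openssl-flags
fi
EOF
}

# Step 8: every /bin/sh in Makeall becomes /usr/bin/bash (edited in place).
fix_makeall_shell() {
    sed 's#/bin/sh#/usr/bin/bash#g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 10: print the first opensslconf.h found below a root (default /).
# Returns 1 when no header is found, so the caller can stop before editing.
find_openssl_header() {
    hdr=$(find "${1:-/}" -name opensslconf.h -print 2>/dev/null | head -n 1)
    [ -n "$hdr" ] || return 1
    printf '%s\n' "$hdr"
}

# Step 11: point the OpenSSL check at the header from step 10 (in place).
# '#' is the sed delimiter, so the header path must not contain '#'.
fix_makeall_openssl() {
    sed "s#/usr/sfw/include/openssl/opensslconf.h#$2#g" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 12 check: did the agent_auth compile line carry -DUSE_OPENSSL?
# Pass a saved "make all" log; returns 0 when the define is present.
build_log_has_openssl() {
    grep -q -- '-DUSE_OPENSSL' "$1"
}

# Stand-alone run on a throwaway tree: prints the patched sample Makeall.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_makeall "$d/Makeall"
    mkdir -p "$d/opt/csw/include/openssl"
    : > "$d/opt/csw/include/openssl/opensslconf.h"
    fix_makeall_shell "$d/Makeall"
    fix_makeall_openssl "$d/Makeall" "$(find_openssl_header "$d")"
    cat "$d/Makeall"
    rm -r "$d"
fi
```

Run it as `bash script.sh --demo` to see the rewritten sample; on a real tree, call `find_openssl_header /` first and only edit Makeall when it returns a path, then save the `make all` output to a file and pass it to `build_log_has_openssl` instead of eyeballing the compile line.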

Re: [ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-29 Thread Eero Volotinen
You could also try to edit the file src/makefile:

find line 4:

uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')


and replace it with


uname_S=SunOS


and try again.


Eero


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-29 Thread Eero Volotinen
What is the output of:

make --version


As you can see from the error message, the problem is in the makefile.


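The two replies from Eero above ask for `make --version` and then suggest pinning `uname_S`. Both point at the same cause: `uname_S := $(shell ...)` is GNU make syntax, and Solaris 10's own `/usr/ccs/bin/make` has no `$(shell ...)` function, so it stops at line 4 exactly as Robert's trace shows. The added example below (not from the thread, not OSSEC code) first checks whether a given `make` is GNU make, then applies Eero's workaround to a constructed sample Makefile. Function names and the sample text are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): (1) tell GNU make apart from Solaris 10's
# /usr/ccs/bin/make, which is what Eero's "make --version" question probes, and
# (2) apply his line-4 workaround of pinning uname_S. Constructed sample
# Makefile; function names are assumptions.

# Return 0 if the binary named in $1 identifies itself as GNU make.
# Solaris make prints a usage error for --version and has no $(shell ...)
# function, so it stops at line 4 with "Unexpected end of line seen".
is_gnu_make() {
    "$1" --version 2>/dev/null | head -n 1 | grep -q '^GNU Make'
}

# Replace the $(shell ...) probe with a literal value (default: uname -s here),
# as Eero suggests, and print the resulting line. Only needed when no GNU
# make is available; otherwise run install.sh with gmake on the PATH instead.
pin_uname_s() {
    osname="${2:-$(uname -s)}"
    sed "s/^uname_S[[:space:]]*:=.*/uname_S=$osname/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    grep '^uname_S' "$1"
}

# Constructed stand-in for the top of src/Makefile (line 4 is the quoted one).
make_sample_makefile() {
    cat > "$1" <<'EOF'
# OSSEC build (constructed sample, not the real Makefile)
PREFIX=/var/ossec
TARGET=agent
uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
EOF
}

# Stand-alone run: report the make on PATH, then show the pinned sample.
if [ "${1:-}" = "--demo" ]; then
    if is_gnu_make make; then echo "make is GNU make; no Makefile edit needed"
    else echo "make is not GNU make; pinning uname_S"; fi
    f=$(mktemp)
    make_sample_makefile "$f"
    pin_uname_s "$f"
    rm "$f"
fi
```

Pinning `uname_S` only gets past line 4; any other GNU-only construct further down the Makefile will fail the same way, so the durable fix is to put a GNU make (for example the gmake package from opencsw, an assumption outside this thread) on the PATH before running `install.sh`.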


[ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-29 Thread Robert
I am having issues installing on Solaris 10 (i.e. Solaris 10 8/11 
s10s_u10wos_17b SPARC) and am getting the error below when it tries to 
finish the install. 

5- Installing the system
 - Running the Makefile
make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen

 Error 0x5.
 Building error. Unable to finish the installation.


The line in question is "uname_S := $(shell sh -c 'uname -s 2>/dev/null || 
echo not') ".  The output from that command is below.

# sh -c 'uname -s 2>/dev/null || echo not' 
SunOS 


I tried changing the first line of the install.sh script to "#!/bin/bash" 
and that didn't work.  I checked our compilers and we have gcc installed 
but not cc.  Below is the gcc version.

# gcc --version
gcc (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
Copyright (C) 2004 Free Software Foundation, Inc. 


Below is the output using the following command: /bin/sh -x ./install.sh.

MAKEBIN=make
+ [ XSunOS = XOpenBSD ] 
+ [ XSunOS = XFreeBSD ] 
+ [ XSunOS = XNetBSD ] 
+ [ XSunOS = XDragonflyBSD ] 
+ [ X%NUNAME = XBitrig ] 
+ echo  - Running the Makefile 
 - Running the Makefile
+ cd ./src 
+ [ X = X ] 
+ make PREFIX=/var/ossec TARGET=agent build 
make: Fatal error in reader: Makefile, line 4: Unexpected end of line seen
+ [ 1 != 0 ] 
+ cd ../ 
+ catError 0x5-build 
FILE=0x5-build
FILE_PATH=./etc/templates/en/errors/0x5-build.txt
+ isFile ./etc/templates/en/errors/0x5-build.txt 
FILE=./etc/templates/en/errors/0x5-build.txt
+ ls ./etc/templates/en/errors/0x5-build.txt 
+ [ 0 = 0 ] 
+ echo true 
+ return 0 
+ [ true = false ] 
+ cat ./etc/templates/en/errors/0x5-build.txt 

 Error 0x5.
 Building error. Unable to finish the installation. 


I also tried patching our install.sh script using the patch 
(src_init_update_sh.diff) that was provided in another thread but that 
patch doesn't work.  Not to mention that thread was back in 2013.

Any ideas?



[ossec-list] Re: Block ssh user ip after failed login attempt in OSSEC

2017-06-29 Thread Jesus Linares
Remember that you need to restart OSSEC after changing the rules.

Also, you can use *ossec-logtest* to test your rules.
Regards.

On Thursday, June 29, 2017 at 11:25:17 AM UTC+2, Rahul Tiwari wrote:
>
> I tried this but it's not working. Is there any other rule or something which I need
> to add?
> As I'm new to OSSEC, please help me out.
>
> On Wednesday, June 28, 2017 at 10:40:20 PM UTC+5:30, Jesus Linares wrote:
>>
>> Hi,
>>
>> the *frequency* attribute specifies the number of times (+2) the rule 
>> must have matched before firing. In this case, the rule 5720 will be fired 
>> if the rule 5716 is fired 8 times (6+2).
>>
>> You must use *frequency="1"* to fire the rule after 3 attempts. Also, it 
>> is a good idea to add the *timeframe* attribute.
>>
>> I hope it helps.
>> Regards.
>>
>> On Wednesday, June 28, 2017 at 10:09:56 AM UTC+2, Rahul Tiwari wrote:
>>>
>>> I need to block the user IP after 3 failed login attempts in OSSEC. 
>>> I tried the below in the sshd_rules file
>>>
>>> 
>>> 5716
>>> 
>>> Multiple SSHD authentication failures.
>>> authentication_failures,
>>>   
>>>
>>> But it's blocking the user IP after 10 attempts. Please help me out.
>>>
>>



[ossec-list] Re: About the user login/login failed alert

2017-06-29 Thread miguelangel
Hi, 

You need to set the "frequency" attribute in rule 5712 to "1"; this 
attribute sets the number of times (+2) that a rule needs to match to fire an 
alert. By default, 5712 will show an alert when 5710 appears at 
least 8 times; changing it to "1" will fire on the 3rd attempt. Please check 
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html

I hope it helps.

Regards

On Wednesday, June 28, 2017 at 11:06:44 PM UTC-4, az...@51ecommerce.com 
wrote:
>
> HI,
>
> I set the email notify level to 3 and tried to log in to serverA through 
> ssh. It works, I receive the email alert.
>
> Thank you!
>
> And I have another question. I want to block the user IP when the user's login 
> fails more than 3 times with ssh, so I use 5712, 
> but it did not work; I've tried failing login more than 10 times and it still does not 
> block me.
> Here is my active-response in ossec.conf
>
> 
>
> no
>
> firewall-drop
>
> local
>
> 5712
>
> 8
>
> 120
>
> 60,120,180
>
>   
>
>
> here is my 5710 and 5712 rule defines
>
>   
>
> 5700
>
> illegal user|invalid user
>
> sshd: Attempt to login using a non-existent 
> user
>
> 
> invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,
>
>   
>
>
>   
>
> 5700
>
> authentication failure; logname= uid=0 euid=0 tty=ssh|
>
> input_userauth_request: invalid user|
>
> PAM: User not known to the underlying authentication module for 
> illegal user|
>
> error retrieving information about user
>
> sshd: Useless/Duplicated SSHD message without a 
> user/ip.
>
>   
>
>
>   
>
> 5710
>
> sshd: brute force trying to get access to 
>
> the system.
>
> 
>
> 
> authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,
>
>   
>
> On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>>
>> Hi,
>>
>> The email notification is triggered when an alert reaches or exceeds the 
>> level defined in  (by default it is set to level 7); 
>> setting this option to level 3 will send you email notifications for 
>> successful login attempts.
>>
>> *Option reference:* 
>> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
>> *Rules classification:* 
>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html.
>>
>> I hope this could help you
>>
>> Best regards.
>>
>> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com 
>> wrote:
>>>
>>> Hello, 
>>> I've set up the OSSEC server and agent on my serverS (server) and 
>>> serverA (agent), but when I log in to serverA I do not receive the email 
>>> alert; if I change something on serverA, I do receive the email alert. 
>>> So, my question is: how do I make an email alert when someone logs in to the 
>>> system, e.g. via ssh or ftp?
>>>
>>



Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-29 Thread Rahul Tiwari




I need to block the user IP after 3 failed login attempts in OSSEC. I 
tried the below in the sshd_rules file


5716

Multiple SSHD authentication failures.
authentication_failures,
  

But it's blocking the user IP after 10 attempts. Please help me out.



On Friday, June 16, 2017 at 1:16:39 AM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari  > wrote: 
> > Can you please provide the rule i am also having the same issue i need 
> to 
> > block the user after failed attempts. 
> > Please help 
> > 
>
> What is stopping you from creating a rule? 
> Do you have log samples to help us help you? 
>
> > On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote: 
> >> 
> >> Hi all, 
> >> 
> >> Forgive me if this has been covered somewhere, but I haven't come 
> >> across it. 
> >> 
> >> 
> >> Is there a way to have OSSEC Active Response block a particular user 
> >> from logging in? I don't care about thresholds or # of attempts. If I 
> >> see, 'root' for instance, attempting to logon to a server at all, can 
> >> OSSEC match on that and drop that username and source IP immediately? 
> >> 
> >> 
> >> Additionally, one question on timeouts. Is the  flag in 
> >> seconds or in minutes? If so, I tried setting "1" 
> >> but it took 54 seconds to delete from the firewall-drop.sh script. If 
> >> it is in fact in minutes, how would I set it up to unblock in seconds? 
> >> Otherwise, if the flag should be seconds, is there a reason why it 
> >> would take 54 seconds to respond when I set the timeout to 1 second. I 
> >> know this doesn't make much sense (in terms of setting to 1 second) 
> >> but I tested with 5 and even 30 seconds and it still took a minute to 
> >> unblock. 
> >> 
> >> Thanks in advance! 
> > 
>
