[ossec-list] Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-25 Thread Barry Kaplan
I am trying to harden up our instances, but I find that after applying these controls the agent can no longer contact the agent via UDP. I'm still trying to figure out exactly which bit is to blame. Has anybody else used the CIS controls on the same instance as OSSEC?

Re: [ossec-list] Syscheck Database names?

2016-02-25 Thread Santiago Bassett
.(agent_name) agent_ip->syscheck.cpt If I remember it correctly this is a hidden file that OSSEC uses to identify when the syscheck database, when it has finished writing into the syscheck file. "cpt" file extension stands for completed, meaning that syscheck scan has finished. This is on top

Re: [ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Santiago Bassett
Agree with Daniel. Just want to add another clarification: When you choose server profile, it will install the OSSEC manager and agent components, meaning that you can also monitor your local system. No need to choose hybrid mode unless you plan to forward data to another OSSEC manager. On Thu,

Re: [ossec-list] Server not responding to agent messages (1218/4101)

2016-02-25 Thread dan (ddp)
On Feb 25, 2016 9:27 PM, "James Stallard" wrote: > > All: > > 1st time on board, and I know this sounds like a rookie question, but...I did have ossec running ok in another aws environment, now with upgrade to 2.7-2.8.2 in a new env, am having problems > > I've just

[ossec-list] Server not responding to agent messages (1218/4101)

2016-02-25 Thread James Stallard
All: 1st time on board, and I know this sounds like a rookie question, but...I did have ossec running ok in another aws environment, now with upgrade to 2.7-2.8.2 in a new env, am having problems I've just installed 2.8.3 agent & server on CentOS 6.7 (market place version, hardened).

Re: [ossec-list] Re: DNS caching for ?

2016-02-25 Thread dan (ddp)
On Thu, Feb 25, 2016 at 9:37 AM, Barry Kaplan wrote: > Ok, is this something that would be considered for change? In our > environment there is no guarantee that nodes will remain on the same IP. For > this we use consul and dnsmasq to lookup DNS names. > Sure, we would

Re: [ossec-list] rules files as symlinks

2016-02-25 Thread dan (ddp)
On Tue, Feb 23, 2016 at 11:57 AM, Rui Zhang wrote: > It is interesting that symlink works for ossec.conf under etc folder, but > doesn't work for client.keys under etc folder for agent type. > It all depends on when the file is read. Perhaps ossec.conf is opened before the

Re: [ossec-list] agent unable to forward diff data for report_changes

2016-02-25 Thread dan (ddp)
On Mon, Feb 22, 2016 at 6:09 PM, Abhi wrote: > Hi, > > I am trying to get the report_changes working for /etc directory. After > enabling it, along with the real time option, agent correctly logs all the > changes immediately under > " /var/ossec/queue/diff/local/etc/".

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread thak
Interesting. We maintain a few compliance standards (not PCI) so I will look into it for sure. On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote: > > You are welcome! I'll upload it into some website or repository folder. > > It is some simple but works, in the future I will

Re: [ossec-list] Custom rule to disable 1002 email alerts

2016-02-25 Thread dan (ddp)
On Thu, Feb 25, 2016 at 1:50 PM, thak wrote: > I've seen similar topics, so apologies if this has been answered several > times but I want to make sure I get guidance for the most recent version! > > Loving OSSEC so far having set it up in our environment a few days ago. >

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread dan (ddp)
On Thu, Feb 25, 2016 at 1:53 PM, Pedro Sanchez wrote: > You are welcome! I'll upload it into some website or repository folder. > > It is some simple but works, in the future I will extract too the PCI > compliance requirement of every rule. If you need the rules with PCI >

Re: [ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Daniel Cid
I personally use it mostly on very busy servers to limit the amount of events being sent by the agent to the manager. Say a very busy web server that generates thousands of logs per second. Instead of sending all events centrally, I use the hybrid mode to do the initial analysis locally and only

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread Pedro Sanchez
You are welcome! I'll upload it into some website or repository folder. It is some simple but works, in the future I will extract too the PCI compliance requirement of every rule. If you need the rules with PCI requirements groups try out Wazuh Ruleset. Regards, Pedro S. On Thu, Feb 25, 2016

[ossec-list] Custom rule to disable 1002 email alerts

2016-02-25 Thread thak
I've seen similar topics, so apologies if this has been answered several times but I want to make sure I get guidance for the most recent version! Loving OSSEC so far having set it up in our environment a few days ago. However, rule 1002 is particularly chatty given our Apache error logs.

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread thak
Whoa, that's awesome! Thanks sir. On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote: > > Hi thak, > > I made a quick Python script that can help you out. It lists all the rules > on /var/ossec/rules. Output example: > > mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple

[ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Manoveg Saxena
Hi, I am not able to understand when should I use hybrid mode. I have one server and 4 agents. My server also has many applications and a web server which I want to monitor along with that web servers and other applications on agents. Therefore should I go for 1) hybrid on server and agent on

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
Well, I guess you can change the apache log format or improve/overwrite the decoders. Regards. Jesus Linares. On Thursday, February 25, 2016 at 6:18:08 PM UTC+1, James Culver wrote: > > Thank you, this is helpful. Now it works with and without GET parameters. > However, it only works if Apache

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread James Culver
Thank you, this is helpful. Now it works with and without GET parameters. However, it only works if Apache records a hostname and not just "-" in the hostname position. And Apache doesn't always do that (in fact, in our logs, it never does it). On Thursday, February 25, 2016 at 9:42:17 AM

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
Keep in mind that rule 31108 is for http codes 2xx and 3xx. If you want to log that request with 4xx or 5xx codes you should add these rules (31101, 31120...). It's working, but I'm thinking on a better way to do this. Regards. Jesus Linares. On Thursday, February 25, 2016 at 5:36:34 PM

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread Jesus Linares
That is because with GET parameters is not a simple query (rule 31108): **Phase 1: Completed pre-decoding. full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 Text...' hostname: 'LinMV'

[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread James Culver
Thanks. I have tested your version of the rule, and it works *so long as* there aren't GET parameters in the requested URI. For example, the following request triggers an alert: 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
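The two edge cases James and Jesus go back and forth on in this thread (a "-" instead of a hostname in the second field, and GET parameters in the request URI) are easy to see in a few lines of Python. This is an added example, not OSSEC's access-log decoder and not web_rules.xml: the sample log lines are constructed, and the way `parent_sid` hands a line to 31108, 31101, 31120 or the generic 31100 is an approximation of what Jesus states above (31108 only for 2xx/3xx "simple queries", 31101 and 31120 for the 4xx and 5xx cases), not a copy of the real rule regexes.

```python
import re

# Apache common/combined prefix. Field 2 is %l (remote logname): "-" in James's
# lines, a name in Jesus's sample. \S+ accepts both, so nothing below depends
# on a hostname being present.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not the page's own); addresses and URIs are made up.
SAMPLE_LINES = [
    '1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 68393',
    '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 512',
    '1.2.3.4 - - [25/Feb/2016:08:44:01 -0700] "GET /requeststringtest.php?x=1 HTTP/1.1" 404 210',
    '1.2.3.4 - - [25/Feb/2016:08:44:30 -0700] "POST /cgi-bin/requeststringtest.php HTTP/1.1" 500 0',
    '1.2.3.4 - - [25/Feb/2016:08:45:00 -0700] "GET /index.html HTTP/1.1" 200 1024',
    'not an access log line at all',
]

# What James's <url> rule looks for; matched against the whole request target,
# query string included, so "?C=.../requeststringtest.php;" still hits.
URL_PATTERN = re.compile(r"requeststringtest\.php")


def decode(line):
    """Split an access-log line into fields; None if it is not an access-log line."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["has_query"] = "?" in ev["url"]
    return ev


def parent_sid(ev):
    """Which parent rule the event lands under (assumed mapping, see lead-in)."""
    s = ev["status"]
    if 200 <= s < 400:
        return 31100 if ev["has_query"] else 31108  # 31108 = simple 2xx/3xx query only
    if 400 <= s < 500:
        return 31101
    if 500 <= s < 600:
        return 31120
    return 31100


def classify(line):
    """Parent sid, whether the URL matched, and what sat in the hostname slot."""
    ev = decode(line)
    if ev is None:
        return None
    return {
        "parent": parent_sid(ev),
        "url_hit": URL_PATTERN.search(ev["url"]) is not None,
        "ident": ev["ident"],
    }


def child_alerts(lines, if_sids):
    """Lines a child rule with <if_sid> = if_sids and <url>requeststringtest.php</url> fires on.

    A child rule is only evaluated when one of its parents matched, which is
    why hanging it off 31108 alone misses the GET-parameter and 4xx/5xx lines.
    """
    hits = []
    for line in lines:
        c = classify(line)
        if c and c["url_hit"] and c["parent"] in if_sids:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("child under 31108 only:", child_alerts(SAMPLE_LINES, {31108}))
    print("child under all parents:", child_alerts(SAMPLE_LINES, {31100, 31108, 31101, 31120}))
```

Run it and the first listing contains only the plain 200 request; the second picks up the query-string, 404 and 500 variants as well, which is the effect of adding the extra `<if_sid>` parents Jesus suggests.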

[ossec-list] Re: DNS caching for ?

2016-02-25 Thread Barry Kaplan
Ok, is this something that would be considered for change? In our environment there is no guarantee that nodes will remain on the same IP. For this we use consul and dnsmasq to lookup DNS names. For now I will hard code server_hostname to the DNS of the ossec server. At least that value

[ossec-list] Why don't my rules do anything?

2016-02-25 Thread James Culver
I have added the following rules to local_rules.conf: 31100 requeststringtest.php request string test 2 alert_by_email 100060 request string test 2 alert_by_email but OSSEC doesn't care at all. It counts the rules as being enabled, but no matter how

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread Pedro S
Hi thak, I made a quick Python script that can help you out. It lists all the rules on /var/ossec/rules. Output example: mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam. hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules. hordeimp_rules.xml
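Pedro's script itself is not reproduced in this digest. What follows is an added Python example, my own and not Pedro's nor anything shipped with OSSEC, that produces the same `file - Rule id - Level n -> description` listing and also covers two related points from these threads: the PCI requirement groups Pedro says the Wazuh ruleset attaches to rules (assumed here to use Wazuh's `pci_dss_<requirement>` group naming), and the child-of-1002 `no_email_alert` override asked about in "Custom rule to disable 1002 email alerts". The two rule files are constructed samples; only rule 3751's description is taken from the thread, and `/var/ossec/rules` is the default install path, not something the page states.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample rule files, keyed by the name they would have under
# /var/ossec/rules. The local rule illustrates a no_email_alert child of 1002.
SAMPLE_FILES = {
    "mailscanner_rules.xml": """
<group name="syslog,mailscanner,">
  <rule id="3751" level="6" frequency="10" timeframe="120">
    <if_matched_sid>3701</if_matched_sid>
    <description>Multiple attempts of spam.</description>
  </rule>
</group>
""",
    "local_rules.xml": """
<group name="local,syslog,">
  <!-- Child of 1002: keeps the alert in the log but drops the e-mail. -->
  <rule id="100001" level="2">
    <if_sid>1002</if_sid>
    <match>apache</match>
    <options>no_email_alert</options>
    <group>pci_dss_10.6.1,</group>
    <description>Apache 'bad word' hit inherited from 1002, no e-mail.</description>
  </rule>
</group>
""",
}


def _csv(text):
    """Split an OSSEC comma list ("a,b,") into its non-empty items."""
    return [item.strip() for item in text.split(",") if item.strip()]


def list_rules(files):
    """Parse {filename: xml_text} into one dict per <rule>.

    OSSEC rule files are XML fragments (several top-level <group> elements and
    no document root), so each one is wrapped before parsing. A file with an
    unescaped '&' inside a <regex> makes ElementTree fail; it is reported as
    a row instead of aborting the whole listing.
    """
    rows = []
    for name, text in files.items():
        try:
            root = ET.fromstring("<root>" + text + "</root>")
        except ET.ParseError as exc:
            rows.append({"file": name, "id": None, "level": None, "groups": set(),
                         "if_sid": [], "options": [], "description": f"PARSE ERROR: {exc}"})
            continue
        for group in root.findall("group"):
            inherited = set(_csv(group.get("name", "")))
            for rule in group.findall("rule"):
                rows.append({
                    "file": name,
                    "id": int(rule.get("id")),
                    "level": int(rule.get("level", "0")),
                    "groups": inherited | set(_csv(rule.findtext("group", default=""))),
                    "if_sid": [int(s) for s in _csv(rule.findtext("if_sid", default=""))],
                    "options": [o.text.strip() for o in rule.findall("options") if o.text],
                    "description": " ".join(rule.findtext("description", default="").split()),
                })
    return rows


def format_line(row):
    """Same shape as the listing quoted in the thread."""
    return f"{row['file']} - Rule {row['id']} - Level {row['level']} -> {row['description']}"


def pci_requirements(row):
    """PCI DSS requirements attached through Wazuh-style pci_dss_<req> group tags."""
    return sorted(g[len("pci_dss_"):] for g in row["groups"] if g.startswith("pci_dss_"))


def children_of(rows, sid):
    """Rules that hang off `sid` through <if_sid>, e.g. the overrides of 1002."""
    return [r for r in rows if sid in r["if_sid"]]


def load_rule_dir(path="/var/ossec/rules"):
    """Read every *.xml in an OSSEC rules directory into the shape list_rules wants."""
    files = {}
    for p in sorted(glob.glob(os.path.join(path, "*.xml"))):
        with open(p, encoding="utf-8", errors="replace") as fh:
            files[os.path.basename(p)] = fh.read()
    return files


if __name__ == "__main__":
    rows = list_rules(SAMPLE_FILES)  # swap in load_rule_dir() on a real manager
    for row in rows:
        print(format_line(row))
    for row in children_of(rows, 1002):
        print(f"rule {row['id']} overrides 1002 with {row['options']}, PCI {pci_requirements(row)}")
```

On a manager, replace `SAMPLE_FILES` with `load_rule_dir()`; `children_of(rows, 1002)` then shows at a glance whether a local override of 1002 is actually in place and which options it carries.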

Re: [ossec-list] ERROR: Incorrectly formated message

2016-02-25 Thread Robert
Hi, I tried, nothing changed. But after a few hours the client started to work...weird. And now, three other clients stopped working, they are on "Disconnected" state. It is strange because the agent's log says: ossec-agentd(4102): INFO: Connected to the server (192.168.7.212:1514) No error

[ossec-list] Syscheck Database names?

2016-02-25 Thread Joao T.
Hi team, Agents are named like '(agent_name) agent_ip->syscheck', right? Sometimes I meet with a file with these files in my syscheck folder: (agent_name) agent_ip->syscheck-registry > .(agent_name) agent_ip->syscheck.cpt What are they exactly? Are they just internal temporally files? Should

[ossec-list] Re: DNS caching for ?

2016-02-25 Thread Pedro S
Hi Barry, If I understood well, you need to resolve the DNS IP Address more than once, unfortunately seems like OSSEC won't do it. At the very first start, OSSEC reads the file ossec.conf, when detecting a

Re: [ossec-list] OSSEC Server Backup & Restore Procedure

2016-02-25 Thread Jesus Linares
Hi, I don't know if it is what you need, but Wazuh has a script to update the ruleset (rules, decoders and rootchecks). Also, this script allows you to do a backup of /var/ossec/etc and /var/ossec/rules and you can restore from the script. Ruleset repository

[ossec-list] DNS caching for ?

2016-02-25 Thread Barry Kaplan
I have a situation where ossec.conf is set with before the DNS entry is set. From what I can tell so far the result of the initial dns lookup is kept forever, requiring the agent to be restarted. Is it the case that a failed DNS will never be retried? BTW, I'm pretty sure it's not any caching