Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread InfoSec
In the Wazuh fork, dynamic decoders are an outstanding idea. It allows unprecedented visualization capabilities in the security console *without* having to resort to further parsing tricks at ingestion time. It is all done in OSSEC. Dynamic decoders enable unprecedented normalization of

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread InfoSec
Sure thing. I am trying to implement three use cases. 1) Windows event ID: Failed object access attempt by a subject "Subject" (tied to a real user, not a system account) of Object Type: File and object: "C:\Users\Other-than-Subject\Whatever-else comes after.ext". Ten recurrences by same

Re: [ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison wrote: > It would be great to see the decoder entries that go with these rules ... I > know this is an older post but maybe you are still around and can share the > decoder and maybe the plugin as well? > If you can provide log

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread Jesus Linares
Hi, could you give us a real example? Thanks On Wednesday, March 1, 2017 at 10:34:18 AM UTC-8, dan (ddpbsd) wrote: > > On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J. > wrote: > > That is not what I meant. > > > > If the source IP is decoded and stored in

[ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread Ed Davison
It would be great to see the decoder entries that go with these rules ... I know this is an older post but maybe you are still around and can share the decoder and maybe the plugin as well? On Monday, May 16, 2016 at 4:22:08 PM UTC-5, Brent Morris wrote: > > Rob - can you post your OSSEC

[ossec-list] OSSEC IDS on Windows only sending Error logs

2017-03-01 Thread Ed Davison
I have OSSEC 2.8.3 installed on a Windows 2012R2 server and have added an eventchannel localfile option to gather logs from "Microsoft-Windows-Backup" log. No errors on startup. On the OSSIM side, I have logall enabled and am checking alerts.log file and can ONLY see Error logs being

Re: [ossec-list] Re: syscheckd causing soft lockups

2017-03-01 Thread Santiago Bassett
That is probably rootcheck trying to detect system anomalies and kernel level rootkits. It does it by comparing the output of netstat with its own results binding ports to check if they are open. Remember that syscheckd not only does FIM, but also Rootchecks (policy monitoring checks and

Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:59 AM, Eduardo Reichert Figueiredo wrote: > Port 1514 is already, I received UDP packets (validated with tcpdump), ossec > is running (monitord, logcollector, syscheck, analysisd), only remoted not > running, but remoted is displayed for port

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread dan (ddp)
On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J. wrote: > That is not what I meant. > > If the source IP is decoded and stored in field srcip, I want to be able to > specify _srcip_ (or whatever convention used to tell regex that this is a > variable), and have

Re: [ossec-list] How to check that chained checksums are correct

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 11:10 AM, Dominik wrote: > OSSEC creates checksums and chained checksums of the archives. I need a way > to confirm that the chain is correct. > > zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-28.log.gz | md5sum > creates the entry > Current

[ossec-list] How to check that chained checksums are correct

2017-03-01 Thread Dominik
OSSEC creates checksums and chained checksums of the archives. I need a way to confirm that the chain is correct. zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-28.log.gz | md5sum creates the entry Current checksum: MD5 (/logs/archives/2017/Feb/ossec-archive-28.log) = in

[ossec-list] Re: syscheckd causing soft lockups

2017-03-01 Thread John Gelnaw
Follow-up. ossec-syscheckd appears to be doing some bind operation: socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 bind(6, {sa_family=AF_INET, sin_port=htons(12310), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 close(6) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 bind(6, {sa_family=AF_INET,

Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread Eduardo Reichert Figueiredo
Port 1514 is already, I received UDP packets (validated with tcpdump), ossec is running (monitord, logcollector, syscheck, analysisd), only remoted is not running, but remoted is displayed for port 1514 (netstat -vandup). On Wednesday, March 1, 2017 at 08:53:21 UTC-3, Eero Volotinen

Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread Eero Volotinen
Is something running on port 1514 already? Or is ossec already running? Eero 2017-03-01 13:50 GMT+02:00 Eduardo Reichert Figueiredo < eduardo.reich...@hotmail.com>: > Dear All, > I am installing an ossec server on RHEL 6.8, but just ossec-remoted is not > running. I did troubleshooting with the commands

[ossec-list] ossec-remoted not running

2017-03-01 Thread Eduardo Reichert Figueiredo
Dear All, I am installing an ossec server on RHEL 6.8, but just ossec-remoted is not running. I did troubleshooting with the commands below: #gdb /var/ossec-2.9/bin/ossec-remoted ###RESULT### ... Reading symbols from /var/ossec-2.9/bin/ossec-remoted...(no debugging