López wrote:
>
> Hi Fredrik,
>
> You are seeing every generated event because eventlog does not support
> XPATH querying. In order to fix this, you should use eventchannel, but it
> seems that your query isn't correctly formed as the error code returned is
> 15001
> <ht
for the eventID
(below) that are sent from the agent as they seem different from for
example a Snare agent?
Anyway, I mostly wanted to contribute to an old post in case anyone ends up reading
it :)
Best regards,
Fredrik
Security
eventlog
Event/System[EventID = 4624 or EventID
"Mozilla/5.0"
IP - - [24/Sep/2018:14:10:36 +0200] "GET /log.php HTTP/1.1" 404 162 "-"
"Mozilla/5.0"
IP - - [24/Sep/2018:14:10:36 +0200] "GET /hell.php HTTP/1.1" 404 162 "-"
"Mozilla/5.0"
IP - - [24/Sep/2018:14:10:37 +0200] "GET /pmd_
signatures. I
think the web_appsec_rules.xml might need an update though to decrease the
amount of incoming requests. More information:
https://github.com/featzor/ossec-rules
Kind regards,
Fredrik
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
Hello Dan,
well, that solved it! I added the rule at the top of the list, adding it
where you suggested (in your conf) and no issues.
Thanks for the response as always!
On Thursday, 30 August 2018 at 13:19:17 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Aug 30, 2018 at 4:11 AM Fredrik Hilm
. Invalid 'category'.
It works by adding the rules to local_rules.xml, so that's no issue, but
for convenience and also to learn if I've done something incorrect, I would
appreciate some help with the above issue.
Kind regards,
Fredrik
Update: I'm aware that the ossec,syscheck alert does state the hostname;
however, when performing multiple updates/upgrades on several agents, it's
rather hard to keep track of which alert belongs to which ossec/syscheck.
On Monday, 11 September 2017 at 13:56:41 UTC+2, Fredrik Hilmersson wrote
sum changed for: '/usr/bin/lxc'
Old md5sum was: 'checksum'
New md5sum is : 'checksum'
Old sha1sum was: 'checksum'
however, it obviously doesn't state on which agent the checksum change
occurred. Hopefully you could add this to the ossec-slack integration.
Kind regards,
Fredrik
Great job! Much appreciated.
On Thursday, 10 August 2017 at 01:09:46 UTC+2, dan (ddpbsd) wrote:
>
> OSSEC 2.9.2 has been released. This is mostly a bug-fix/rules update
> release.
> Thank you to everyone who has contributed time and effort into the
> project, it is truly appreciated!
>
> Get
Fredrik Hilmersson wrote:
>
> Hello,
>
> I would like some help and pointers to create a decoder. So I ran the line
> from the access log (see below). What I would like to accomplish is to
> match: python-requests/2.2.1 However as you can see at the
> moment the default decoder f
'web-accesslog'
srcip: ''
url: '/'
id: '404'
**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.
Kind regards,
Fredrik
trying to do.
Thanks for the response and help though!
Kind regards
On Tuesday, 4 July 2017 at 20:00:53 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> Do you want to ignore the rule 5501 if it is fired by your script? Is it
> not enough with the hostname and the user?
>
> R
What happens if you change using 192.168.1.255?
On Monday, 3 July 2017 at 14:29:48 UTC+2, Ian Brown wrote:
>
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
>
ossec.conf on the AGENT side, forgot to mention!
On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote:
>
> Hey, I had a similar issue with the active response not working as
> intended. The way I solved it was to add the following to the ossec.conf
>
>
>
>
Hey, I had a similar issue with the active response not working as
intended. The way I solved it was to add the following to the ossec.conf
ossec-server
30,60,120,240,480
no
kind regards,
Fredrik
On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote:
>
> M
event.
5501
**:30
agent-hostname
ssh-user
no_email_alert
Ignore rule 5501 for host
Kind regards,
Fredrik
p://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: 'SRCIP'
url: 'http://HOSTIP:80/phpmyadmin4/'
id: '404'
**Phase 3: Completed filtering (rules).
Rule id: '100205'
Level: '0'
Descri
I spoke too early, still getting spammed ...
On Saturday, 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>
> Thank you!
>
> On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>
>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson
>> <f
Thank you!
On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>
> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson
> <f.hilm...@worldclearing.org > wrote:
> > Hello,
> >
> > so recently I got spammed by this vulnerability scanner.
> >
error code.'
213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD
http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 *Jorgee*
So I'm wondering if anyone has a good idea or rule for how to block/ban these
attempts?
Kind regards,
Fredrik
> If you share your rules, you may help other users with the same issue.
>
> Regards.
>
> On Tuesday, June 20, 2017 at 2:31:57 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Thanks a lot Jesus,
>>
>> did solve it by creating two local rules one for rule 5715
Thanks a lot Jesus,
I did solve it by creating two local rules: one for rule 5715 matching the
srcip, and one rule to match the hostname to ignore the 5501.
Kind regards,
Fredrik
On Tuesday, 20 June 2017 at 14:09:39 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> when you crea
Hello,
So I got the following custom rule on the ossec server:
5500
session opened for user
Login session opened.
authentication_success,
Then afterwards I use the local rule on the ossec server to avoid alert
spam from a specific IP:
2
MYIP
Ignoring ip
I did end up creating a specific crontab user for remote ssh connections,
and here's the way I did exclude it from alerts if anyone else is
interested.
5501
USERNAME
no_email_alert
Ignore rule 5501 for scheduled crontab user
Kind regards,
Fredrik
On Monday, 29 May 2017
success), is there a way to prevent step 1 from triggering steps 2
and 3?
One option would obviously be to ignore the user and create a specific user
for the certain cronjob.
Kind regards,
Fredrik
gent that
> generated the event. So, you must configure your slack script in every
> agent. I think for this reason Daniel Cid created the integratord.
> <https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html>
>
> I hope it helps.
>
Thanks everyone for the feedback and support. It all made sense and your
comment did guide me to resolve it; it wasn't any harder than updating the
section and adding the agent ID, e.g.:
ossec-slack
local,AGENT.ID
7
Have a nice day and,
Kind regards
Fredrik
On Tuesday
/hooks.slack.com/services/...;
SOURCE="ossec2slack"
ossec.conf
ossec-slack
ossec-slack.sh
no
ossec-slack
local
7
Kind regards,
Fredrik
On Tuesday, 23 May 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>
Clarification: The host specific alerts are sent to slack but the agent
alerts are being ignored.
at the agent side for the host to send its alerts or vice versa?
Kind regards
On Monday, 22 May 2017 at 18:33:54 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> check out the documentation about *integrator*:
> https://documentation.wazuh.com/current/user-manual/manager/output
no
ossec-slack
local
7
Kind regards,
Fredrik
On Monday, 22 May 2017 at 16:47:54 UTC+2, Miguelangel Freitas wrote:
>
> Hi Fredrik,
>
> Can you see in logs/active-responses.log any new row regarding (
> agent-ossec.com)?
>
> Could you share and
>
,
e.g., 2017-05-10, host-ossec.com.. and 2017-05-10, (agent-ossec.com). Is
there anything I'm missing regarding my setup which causes the script to
dismiss the agent alerts? Any tip or help is greatly appreciated.
Kind regards,
Fredrik
in previous post) and I can
see those events being passed on to the ossec server (triggering the 18103 rule).
os...@example.com
18103
On Thursday, November 10, 2016 at 10:19:09 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> create a rule for your "level 2 events".
d together and included in
the email? I realize this might involve multiple parts and configuration,
but perhaps you can give a few pointers without spending too much of your
time?
Best regards,
Fredrik
On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredri
event in application log"
alerts.log
2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso:
win-testdc.contoso.com: (no message)
Best regards,
Fredrik
On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett
Thanks again Jesus!
I will definitely share what I come up with and thanks for all your
suggestions and bearing with me through this (long) thread :)
Fredrik
On Thursday, August 18, 2016 at 12:17:20 PM UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> Long time no see! It is a hot
re
on creating parent/child decoders is useful to the rest of the community.
Best regards,
Fredrik
On Friday, April 15, 2016 at 6:28:22 PM UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> It is good progress. You can capture all events with:
>
>
> ^redirect \p|^prevent \
that, I was able to pass the IP address from the matching rule to
my script, make a geolookup and act on the output based on country (similar
to !US in your example). If this is of interest to you or anyone else and
not too trivial, I'd be happy to elaborate further.
Best regards,
Fredrik
On Wednesday
Thanks Antonio! Noted!
Best regards,
Fredrik
On Saturday, April 16, 2016 at 1:14:53 AM UTC+2, Antonio Querubin wrote:
>
> On Fri, 15 Apr 2016, Fredrik wrote:
>
> > Thanks for getting back to me. Again :) :) I'm trying out your
> enhancement
> > to the first decod
dst:
104.16.65.50; src: 192.168.10.204; product: SmartDefense; service: https;
s_port: 56814; FollowUp: Not Followed; product_family: Network;
Best regards,
Fredrik
On Friday, April 1, 2016 at 1:18:17 PM UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> here an example of decoding all
; product: SmartDefense; service: https;
s_port: 56814; FollowUp: Not Followed; product_family: Network;
Best regards,
Fredrik
On Friday, April 1, 2016 at 1:18:17 PM UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> here an example of decoding allow/block events (with the o
Very sorry about the mistake with your name - hope I haven't done it
before!?
Will try out your much much appreciated suggestions for decoders over the
weekend! Very excited! :)
Thanks,
Fredrik
On Friday, April 1, 2016 at 1:18:17 PM UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
il".
>
> What firewall are you using? Version?
>
> Paste here more logs.
>
> Regards,
> Jesus Linares
>
> On Thursday, March 24, 2016 at 9:47:28 PM UTC+1, Fredrik wrote:
>>
>> Hi Jesus,
>>
>>
>> Got sidetracked with other projects, and
/; proxy_src_ip:
192.168.1.15 product: Application Control; service: http; s_port: 58579;
product_family: Network;
On Monday, March 7, 2016 at 12:11:21 PM UTC+1, Jesus Linares wrote:
> Hi Fredrik,
>
> The expression "\.+" matches for anything. Usually, it is not a good idea
; service: http; s_port: 61834;
Best regards,
Fredrik
On Wednesday, March 2, 2016 at 11:03:08 AM UTC+1, Fredrik wrote:
>
> Hi All,
>
>
> Came across this where I think I would be helped by extracting fields both
> in forward (from beginning) and in reverse (from end)
(as opposed to
narrow) in matching a string?
Best regards,
Fredrik
On Thursday, March 3, 2016 at 12:51:19 PM UTC+1, Jesus Linares wrote:
>
> Hi,
>
> I would add a *prematch *tag:
>
>
> Checkpoint
> **
> (\w+) \p\w+ \w+
> src:\s(\d+.\d+.\d+.\d+);\sdst:
:
>
> Hi Fredrik,
>
> I don't think OSSEC allow regex to work backwards, from end to beginning,
> I know that can be specify on other languages with some flags, but I am not
> sure if we can do that here.
>
> Regarding to your decoder, we have two options, include the ex
Only a suggestion, but have you tried 2.3.4.0/24, given that
2.3.4.5/24 is not a valid net address with a C-class mask?
/f
On Wednesday, March 2, 2016 at 12:24:59 PM UTC+1, calvin ratti wrote:
>
> Thanks all for your feedback. I added the following in the local_rules.xml
> after --> and before
extract
Application Control and resource . How would you suggest I do this?!
Thanks again for all the great help - hope my threads (and questions) can
be useful for other new starters out there trying to get their feet off the
ground ;)
Best regards,
Fredrik
LOG-MESSAGE
*Jan 27 09:41:01
Ah, I see! Thanks for clearing that out :)
/f
On Tuesday, March 1, 2016 at 12:15:49 PM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> The expression *31100,31108* is an *OR *expression. If
> 31100 or 31108 have matched, then the rule matches.
>
> Regards.
> Jesu
, but will move on and work on all the other
decoder/rules that I'm hoping to be able to piece together. Thanks again
for your help on this!
Best regards,
Fredrik
On Wednesday, February 24, 2016 at 7:28:05 AM UTC+1, Fredrik wrote:
>
> Thanks Santiago, please find more details below.
>
, given
that email_alerts seems is working for other rules?
Best regards,
Fredrik
On Wednesday, February 24, 2016 at 8:48:41 AM UTC+1, Eero Volotinen wrote:
>
> You should also point your ossec mail configuration to local smtp
> instance.
>
> --
> Eero
>
> 2016-02-2
Hi Jesus,
Sorry to break into the conversation like this - interesting post James! I
was just curious as to how I should interpret your example with two entries
in the statement? Is this to tell OSSEC that if both 31100 and 31108 match, then
the user-defined rule matches?
Thanks,
Fredrik
On Thursday
Thanks Eero!
Yes, this works in my setup :) Tried it to make sure. Sendmail is installed
on this particular box, so changed mail into sendmail and fired away :)
Best regards,
Fredrik
On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote:
>
> is this working on your
Thanks Eero!
Anything specific to look for that could conflict with this particular
alert - mail alerts seem to be working fine for other rules?
I checked the mail.info for anything obvious, but couldn't see anything
suspicious at a first glance...
Best regards,
Fredrik
On Wednesday
Thanks Santiago, please find more details below.
Best regards,
Fredrik
Yes, I see the alert written to alerts.log (pulled the alert below out of
the archive from yesterday) and email alerts are working for other rules. I
also restarted ossec but to no avail. Strange!
ossec-alerts-23.log.gz
: 'MSSCEP'
**Phase 3: Completed filtering (rules).
Rule id: '100130'
Level: '12'
Description: 'SCEP malware alert'
**Alert to be generated.
Best regards,
Fredrik
Hi Jesus!
So, sorry! My bad! Like you said, my last example did work - I made a typo
in the string I used to test the rule :(
Thanks for looking into it though and also explaining the group
concatenation!
Best regards,
Fredrik
On Friday, February 19, 2016 at 2:06:51 PM UTC+1, Jesus
regards,
Fredrik
On Monday, February 15, 2016 at 11:58:13 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> user-created rules are defined in *local_rules.xml* and the range is from
> 10 to 11. If you want to change the behaviour of a rule you have to
> use the
URL.
Definitely :) I will put together a new thread with my current thoughts on
building something for connecting devices; hopefully it will pique a few
people's interest even if I haven't gathered all my thoughts on the matter
yet.
Best regards,
Fredrik
On Monday, February 15, 2016 at 11:58
of links to see if I can figure it out :) Also,
saw some interesting stuff on how to track connecting devices (dhcp)
through MAC-addresses -- obviously unrelated to IIS logs though ;)
Best regards,
Fredrik
On Thursday, February 11, 2016 at 12:25:33 AM UTC+1, Brent Morris wrote:
>
> eesh... h
were not
checked in this server's configuration.
Regarding the alerts, I'm more trying to set up a few samples to see what I
can catch. Do you have any recommendations of things to try? Maybe one for
requests resulting in ID 400?
Best regards,
Fredrik
On Monday, February 8, 2016 at 9:24:18 PM
rmation with regards to this. I will continue to read and hopefully
figure it out, but if you have a few minutes :)
Best regards,
Fredrik
On Sunday, February 7, 2016 at 11:44:55 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> You can turn up the logging in IIS as Brent said. Anyway, I t
regardless. Provided I'm able to update the logging, what decoder settings
should I use? Go with Jesus', or is the stuff I cooked up worth pursuing?
Thanks again!
Best regards,
Fredrik
On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote:
>
> In order to get OSSEC t
,
Fredrik
,
somewhat erratic behavior where things matched that I believed wouldn't ;)
Best,
Fredrik
On Wednesday, January 27, 2016 at 4:09:38 PM UTC+1, dan (ddpbsd) wrote:
>
>
> On Jan 27, 2016 10:06 AM, "Fredrik" <fredri...@gmail.com >
> wrote:
> >
> > Hi All,
>
the transport
header. If I got this right, I should match against what logtest outputs
after log: and not the full string?
Best regards,
Fredrik
On Thursday, January 28, 2016 at 12:12:53 AM UTC+1, Santiago Bassett wrote:
>
> Agree with Dan, also double check the regexes, as it look
: 58579; product_family: Network;'
**Phase 2: Completed decoding.
No decoder matched.
Best,
Fredrik
'
Description: '(null)'
**Alert to be generated.
Best regards.
Fredrik
On Tuesday, February 26, 2013 4:04:24 PM UTC+1, srossan wrote:
Hi Fredrik,
I really meant ossec-logtest -f.
Here is my example with your log:
# /apps/ossec/bin/ossec-logtest -f
2013/02/26 14:54:43 ossec-testrule: INFO
Hi Kevin,
Thanks for your post! I included a bad sample string that, as you point out,
didn't include an IP; see below for an example of an actual alert.
Best,
Fredrik
On Monday, February 25, 2013 11:55:46 PM UTC+1, Kevin Kelly wrote:
I believe the problem is: srcip192.168.x.y/srcip
?!
Fredrik