Re: [ossec-list] Re: ossec fails to compile after recent updates from https://bitbucket.org/dcid/ossec-hids

2012-08-16 Thread Peter M Abraham
Hi Dan and JB: Thank you!!!

Re: [ossec-list] ossec fails to compile after recent updates from https://bitbucket.org/dcid/ossec-hids

2012-08-15 Thread Peter M Abraham
Hi Dan: I did the following: /usr/local/bin/hg pull /usr/local/bin/hg update What would I change above to include a merge or do a merge instead? Thank you.

[ossec-list] Re: ossec fails to compile after recent updates from https://bitbucket.org/dcid/ossec-hids

2012-08-15 Thread Peter M Abraham
Hi JB: /* Some Global names */ local #define __name GSS HIDS #define __version v2.6 === #define __name OSSEC HIDS #define __version v2012-08 Thank you.

[ossec-list] ossec fails to compile after recent updates from https://bitbucket.org/dcid/ossec-hids

2012-08-14 Thread Peter M Abraham
Good day: I pulled the updates from https://bitbucket.org/dcid/ossec-hids and tried to do a recompile via ./install.sh and y for update and y for rules. Here is the error I receive: - Installation will be made at /var/ossec . 5- Installing the system - Running the Makefile INFO: Little

Re: [ossec-list] Re: proftp and compatible log format

2012-07-19 Thread Peter M Abraham
Hi Gil: If you are still using H-Sphere, since H-Sphere doesn't support IPv6, then turning it off will be the current method rather than trying to modify the decoder which might be overwritten on the next ossec update. Thank you.

[ossec-list] Re: What happened to ossec rootcheck ?

2012-07-12 Thread Peter M Abraham
Thank you for getting http://www.ossec.net/rootcheck/files/ back up and available.

[ossec-list] What happened to ossec rootcheck ?

2012-07-02 Thread Peter M Abraham
Good day: http://www.ossec.net/rootcheck/files/ used to have the latest rootcheck available as a separate download. It appears to be missing. What happened to it? Thank you.

Re: [ossec-list] Seeking help creating a rule to expand rule 5701

2012-06-27 Thread Peter M Abraham
Hi Dan: The logging for SSH is set to verbose. What else do you suggest checking in terms of /etc/ssh/sshd_config ? Are there any other areas to check? Thank you.

[ossec-list] Seeking help creating a rule to expand rule 5701

2012-06-24 Thread Peter M Abraham
Good day: This past weekend, we are seeing a lot of rule 5701 being triggered for SSH version gathering. Rule: 5701 fired (level 10) - Possible attack on the ssh server (or version gathering). From doing some digging, I believe I can get the IP address of the attacker with

[ossec-list] Question on overwriting ossec_rules.xml rule 519

2012-05-25 Thread Peter M Abraham
Good day everyone: Is there a way to modify rule 519 in ossec_rules.xml so that the description auto fills the agent name? Current output of the rule: 2012 May 25 14:50:39 (agent_name_goes_here) agent_ip_goes_here- rootcheck Rule: 519 (level 7) - 'System Audit: Vulnerable web application

[ossec-list] Re: Question - Crafting a rule to send a separate email to a paging device

2012-02-07 Thread Peter M Abraham
Good day: Thank you Dan and Daniel. The following did the trick. rule id=180001 level=0 if_sid18/if_sid matchSource Network Address: 24.229.66.131/match descriptionValid system admin IP - igore/description /rule Thank you again.

[ossec-list] Re: New guy question

2012-02-07 Thread Peter M Abraham
Good day, Ralphy: There are several options. The rule in question is rule id=18152 level=10 frequency=$MS_FREQ timeframe=240 if_matched_groupwin_authentication_failed/if_matched_group descriptionMultiple Windows Logon Failures./description groupauthentication_failures,/group

[ossec-list] Question - Crafting a rule to send a separate email to a paging device

2012-02-01 Thread Peter M Abraham
Good day: Given the following rule rule id=18 level=11 if_sid18107/if_sid matchLogon Type: 10/match descriptionWindows RDP Login./description groupauthentication_success,/group /rule What could we add so that if the User Name is not a specific value AND the Source

[ossec-list] Re: distributed blocking

2012-01-08 Thread Peter M Abraham
Hi Dan: Your listing the syntax options doesn't tell me what the exact syntax would be to run agent_control against all agents to block an IP or ip/cidr. Can you please be more exact? Thank you.

[ossec-list] Re: distributed blocking

2012-01-07 Thread Peter M Abraham
Good day: RE:agent_control -b ip -u id -f active-response What would the syntax be to have the above run on all agents? Thank you.

[ossec-list] Re: Latest ossec builds not building

2011-12-08 Thread Peter M Abraham
Good day: 1. I thought the installer was self contained, installing what it needs. Am I incorrect? 2. How do I install inotify? Thank you.

[ossec-list] Re: Latest ossec builds not building

2011-12-06 Thread Peter M Abraham
Hi Dan: The openssl-devel helped on several agents. However, on one agent where that library was already installed, the installation only gets as far as the below: *** Making syscheckd *** make[1]: Entering directory `/usr/local/src/ossec-hids/src/syscheckd' gcc -g -Wall -I../ -I../headers

[ossec-list] Re: Detecting outdated web applications with OSSEC question

2011-12-05 Thread Peter M Abraham
Hi Dan: Thoughts? Thank you.

[ossec-list] Is there a way to white list or otherwise brand ossec?

2011-12-05 Thread Peter M Abraham
Good day: Is there a way to brand or otherwise white list ossec to remove the words ossec from the emails (sender, subject line, body content)? If not, is there a way to modify the body of the email that is sent out to add additional content? Thank you.

[ossec-list] Latest ossec builds not building

2011-12-05 Thread Peter M Abraham
Good day: I've tried to install / upgrade the latest ossec builds (retrieved using hg clone) on several CentOS agents with little success. Making os_auth *** make[1]: Entering directory `/usr/local/src/ossec-hids/src/os_auth' gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\/var/ossec\ -DCLIENT -

[ossec-list] Re: Detecting outdated web applications with OSSEC question

2011-12-05 Thread Peter M Abraham
Hi Dan: I was hoping this was something an end user could do. My C programming is rusty. Is documentation available to find out what procedure src/rootcheck/common_rcl.c runs that outputs --System Audit: Web vulnerability - Outdated WordPress installation. File: **FULL PATH WAS HERE.

[ossec-list] Re: Unable to send file 'merged.mg' to agent.

2011-12-05 Thread Peter M Abraham
Hi Dan: CentOS 5.7 (latest), 64-bit. Thank you.

[ossec-list] Re: Detecting outdated web applications with OSSEC question

2011-12-05 Thread Peter M Abraham
Hi Dan: Is ossec still being developed? If yes, is there a place where I can make suggestions? If so, where? Thank you!

[ossec-list] Manual adjustment request for active response

2011-12-02 Thread Peter M Abraham
Good day: RE: http://www.ossec.net/main/manual/manual-active-responses timeoutTime to block/timeout Can a note be added to whether timeout is in seconds, minutes, etc? Thank you.

[ossec-list] Re: Detecting outdated web applications with OSSEC question

2011-12-01 Thread Peter M Abraham
Hi Dan: It looks like the message for the /var/ossec/logs/alerts.log (and archives in compressed format) is in /var/ossec/etc/shared/system_audit_rcl.txt Do you know what I would have to change so that the agent name or agent id or agent host name was included on the same line of the outdated

[ossec-list] Re: How to trouble shoot rule errors?

2011-08-18 Thread Peter M Abraham
Good day, Dan: /var/ossec/bin/ossec-logtest -t 2011/08/18 07:55:39 ossec-testrule: INFO: Reading local decoder file. And nothing in /var/ossec/logs. What else can I try? Thank you.

[ossec-list] Re: Problem with manage_agents on ossec 2.6

2011-08-09 Thread Peter M Abraham
Good day: It turns out that on three servers at the same data center, the data center set /var noexec on this particular server. Thank you.

[ossec-list] Problem with manage_agents on ossec 2.6

2011-08-08 Thread Peter M Abraham
Good day: Using ossec 2.6 on CentOS 5.6, fresh install of ossec when I go to run ./manage_agents, I get permission denied. A strace follows: -bash: ./manage_agents: Permission denied [root@web2 bin]# strace ./manage_agents execve(./manage_agents, [./manage_agents], [/* 22 vars */]) = -1 EACCES

[ossec-list] How can I use Google Business Apps SMTP server with OSSEC?

2010-06-03 Thread Peter M. Abraham
Greetings: I need to be able to tell ossec not only the SMTP server, but the port, user id and password to use. How can this be done to allow Google Business Apps SMTP service to be used with ossec? Thank you.

[ossec-list] Re: Just a quick question

2010-05-26 Thread Peter M. Abraham
Greetings: You could start off with one server, one agent and scale as you please. From checking the list, there are ossec users that have one server and 250+ agents. Thank you.

[ossec-list] Re: OSSEC v2.4 released

2010-04-02 Thread Peter M. Abraham
Greetings Dan: 2010/04/01 16:16:07 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. 2010/04/01 16:16:07 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. Is what I get if I edit

[ossec-list] Re: Seeking help with two Windows FTP rules

2010-03-03 Thread Peter M. Abraham
Hi Daniel: http://www.ossec.net/files/snapshots/ossec-hids-100301.tar.gz appears to be working to fix the ignore problem. Thank you.

[ossec-list] Re: Seeking help with two Windows FTP rules

2010-02-25 Thread Peter M. Abraham
Greetings Daniel: Head out to dinner, come back, and close to 400 alerts where the ignore is being ignored. OSSEC HIDS Notification. 2010 Feb 25 18:57:01 Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER- \hslogfiles\ftp\MSFTPSVC1\ex100225.log Rule: 11510 fired (level 13) - FTP

[ossec-list] Re: Seeking help with two Windows FTP rules

2010-02-18 Thread Peter M. Abraham
Greetings Daniel: Sorry for the delay; but this doesn't happen every day... but when it does, like coming this morning to work to find well over 1,700 ossec messages concerning a single attack rather than a handful (because of the ignore), it makes things difficult. Here is just a sampling where the

[ossec-list] Re: Seeking help with two Windows FTP rules

2010-02-09 Thread Peter M. Abraham
Greetings: From time to time I get bombarded with several hundred FTP brute force (multiple failed logins) rule 11510 and Multiple connection attempts from same source 11511 alerts. I've been trying to rewrite the rule so I don't get notifications of the same attacker several hundred times.

[ossec-list] Re: Seeking help with two Windows FTP rules

2010-02-02 Thread Peter M. Abraham
Greetings: From time to time I get bombarded with several hundred FTP brute force (multiple failed logins) rule 11510 and Multiple connection attempts from same source 11511 alerts. I've been trying to rewrite the rule so I don't get notifications of the same attacker several hundred times.

[ossec-list] Seeking help with two Windows FTP rules

2010-01-30 Thread Peter M. Abraham
Greetings: From time to time I get bombarded with several hundred FTP brute force (multiple failed logins) rule 11510 and Multiple connection attempts from same source 11511 alerts. I've been trying to rewrite the rule so I don't get notifications of the same attacker several hundred times.

[ossec-list] Re: Problem running ossec on a Xen CentOS 5.4 64-bit CentOS Guest operating system

2009-12-28 Thread Peter M. Abraham
Hi Daniel: A complete uninstall and re-install of the agent with regenerated keys appears to have fixed the issue. Thank you.

[ossec-list] Re: ossec feature request -- Server should be by hostname or IP rather than just IP

2009-12-26 Thread Peter M. Abraham
Greetings Mike: This worked like a charm (though I wish you could specify it on agent installation). For those looking to make this an easier switch on Linux, here's the sed: sed -i s/server-ip[IP ADDRESS YOU USED WITHOUT BRACKETS]\/server-ip/server-hostname[HOST NAME YOU WANT WITHOUT

[ossec-list] Re: ossec feature request -- Server should be by hostname or IP rather than just IP

2009-12-25 Thread Peter M. Abraham
Greetings Dave: When I try to put in a FQDN during the installation, when it asks for the IP address of the ossec server, it states it must be an IP. Thank you.

[ossec-list] Re: Problem running ossec on a Xen CentOS 5.4 64-bit CentOS Guest operating system

2009-12-24 Thread Peter M. Abraham
Greetings Dan: Originally, I did a fresh install on the target, CentOS 5.4 64-bit Xen Guest. Then I copied over the client keys and the ossec.conf along with other local configuration files and the local_rules.xml file. Then I tried using sed to just change the IP address in the agent

[ossec-list] Re: Problem running ossec on a Xen CentOS 5.4 64-bit CentOS Guest operating system

2009-12-23 Thread Peter M. Abraham
Greetings: I got past the error of agents connecting by doing the following: 1. In the remote section of the server ossec.conf use the local_ip setting to fix the IP as the public ip. Given that netstat -lnupe | grep :1514 showed ossec-remoted listening on ALL ports, this should not have been

[ossec-list] Re: OSSEC on Xen host

2009-12-22 Thread Peter M. Abraham
Greetings: While I'm still having problems on our own XenServer installation (just working on today), I did solve one of the problems by reviewing http://www.ossec.net/main/manual/configuration-options/ In our case the ossec server is on a XenGuest (not dom0), and I ended up using the

[ossec-list] Re: Rule: 20152 question as it relates to active response

2009-12-19 Thread Peter M. Abraham
Greetings: Given OSSEC HIDS Notification. 2009 Dec 18 12:15:06 Received From: (web2.dynamicnet.net) abc.def.ghi.jkl-/var/log/messages Rule: 20152 fired (level 10) - Multiple IDS alerts for same id. Portion of the log(s): Dec 18 12:15:05 web2 suhosin[18068]: ALERT - script tried to increase

[ossec-list] Re: Rule: 20152 question as it relates to active response

2009-12-16 Thread Peter M. Abraham
Greetings Daniel: Thank you.

[ossec-list] Re: ossec 2.3 questions on Process monitoring

2009-12-16 Thread Peter M. Abraham
Hi Daniel: In /var/ossec/etc/shared/agent.conf on the ossec server I have the following: agent_config os=Linux localfile log_formatcommand/log_format commanduptime/command /localfile /agent_config In /var/ossec/rules/local_rules.xml on the ossec server I have the following:

[ossec-list] Re: ossec 2.3 still has problems with Windows servers

2009-12-16 Thread Peter M. Abraham
Greetings Daniel: All of the agents and the server are on 2.3. In C:\Program Files\ossec-agent\shared on the Windows server with the most errors there are five (5) files in shared. rootkit_files.txt rootkit_trojans.txt win_applications_rcl.txt win_audit_rcl.txt win_malware_rcl.txt

[ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible

2009-12-15 Thread Peter M. Abraham
Greetings Keith: I received this error after upgrading to ossec 2.3. While Daniel and other developers have not answered the why, for me it came down to a custom rule in /var/ossec/rules/local_rules.xml What I recommend doing is backing up /var/ossec/rules/local_rules.xml and putting in an

[ossec-list] Rule: 20152 question as it relates to active response

2009-12-14 Thread Peter M. Abraham
Greetings: Given the following alert... Dec 13 23:07:24 web2 suhosin[18198]: ALERT - script tried to increase memory_limit to 134217728 bytes which is above the allowed value (attacker '[IP ADDRESS OF ALLEGED ATTACKER]', file '[full path to file goes here]', line 65) ... if this rule was tied

[ossec-list] Re: Question regarding notifications about active response and centr. config

2009-12-11 Thread Peter M. Abraham
Greetings: RE: http://www.ossec.net/main/manual/ One of the set up options is to receive such notifications. Thank you.

[ossec-list] Re: ossec 2.3 still has problems with Windows servers

2009-12-11 Thread Peter M. Abraham
Greetings Daniel: All of the agents and the server are on 2.3. In C:\Program Files\ossec-agent\shared on the Windows server with the most errors there are five (5) files in shared. rootkit_files.txt rootkit_trojans.txt win_applications_rcl.txt win_audit_rcl.txt win_malware_rcl.txt

[ossec-list] Re: ossec 2.3 questions on Process monitoring

2009-12-10 Thread Peter M. Abraham
bump

[ossec-list] What is the log_format for Horde IMP log files?

2009-12-10 Thread Peter M. Abraham
Greetings: What log_format do I use for Horde IMP log files? Is it syslog or is there a specific one for Horde IMP? Thank you.

[ossec-list] Re: Is it safe to delete these lines from the client.keys file on the server

2009-12-09 Thread Peter M. Abraham
Greetings: If you want the purple grape pin for the explorers' club like Russel received, you will experiment more ;-) cd /var/ossec/etc cp -p client.keys client.keys.backup vi client.keys # remove clobbered entries leaving zero blank lines /var/ossec/bin/ossec-control restart sleep 3

[ossec-list] Re: Help w/ Active Response!

2009-12-08 Thread Peter M. Abraham
Greetings: Looking at the files in the active-response/bin directory I noticed they are owned by root, and group owned by ossec. Is your file group owned by ossec? I also noticed that every one had #!/bin/sh at the start, and /bin/sh was present in the file system as a valid shell. Our

[ossec-list] Re: Question about monitoring specific directories and emailing admins

2009-12-08 Thread Peter M. Abraham
Greetings Michael: RE: http://www.ossec.net/wiki/Know_How:GranularEmail -- read please Where would I put this rule? In /var/ossec/etc/ossec.conf and then restart ossec. NOTES: 1. I'm responding in the group rather than personal email as the back and forth helps all members of

[ossec-list] Re: OSSEC v2.3 released

2009-12-07 Thread Peter M. Abraham
Hi Daniel: I found the rule which worked well under all prior versions, but chokes under 2.3: rule id=30114 level=3 frequency=30 timeframe=45 overwrite=yes if_matched_sid30112/if_matched_sid same_source_ip / descriptionMultiple attempts to access non-existent / description

[ossec-list] Re: Help w/ Active Response!

2009-12-07 Thread Peter M. Abraham
Greetings: Does bad-ip.sh exist? Is it chmod 755? Can you run it by hand without errors? Thank you.

[ossec-list] Re: Question about monitoring specific directories and emailing admins

2009-12-07 Thread Peter M. Abraham
Greetings: This is what we use: email_alerts email_to[separate admin email without brackets]/email_to event_location[agent name]|[next agent for the admin name]/ event_location do_not_group / do_not_delay / /email_alerts Thank you.

[ossec-list] ossec 2.3 still has problems with Windows servers

2009-12-07 Thread Peter M. Abraham
Greetings: After upgrading the ossec server, and all agents I'm still seeing the following in /var/ossec/logs/ossec.log on the server end: 2009/12/07 13:55:51 ossec-remoted: Invalid message from 'abc.def.hij.klm' (strchr \n) 2009/12/07 14:04:14 ossec-remoted: Invalid message from

[ossec-list] Re: OSSEC Presentation Available

2009-12-01 Thread Peter M. Abraham
Greetings Michael: Well done. Thank you for sharing.

[ossec-list] Re: OSSEC v2.3 BETA available (testers wanted)

2009-11-24 Thread Peter M. Abraham
Greetings Daniel: Has upgrading been fixed so that if you want to update rules, BUT keep your rule exclusions in /var/ossec/etc/ossec.conf your exclusions are not clobbered? i.e. !-- includearpwatch_rules.xml/include includesymantec-av_rules.xml/include

[ossec-list] Is there a way to kick off a manual active response from the ossec server to all clients?

2009-10-01 Thread Peter M. Abraham
Greetings: Is there a way to kick off a manual active response from the ossec server to all clients? Thank you.

[ossec-list] Re: OSSEC v2.2 released

2009-09-13 Thread Peter M. Abraham
Greetings Daniel: 42 agents (CentOS 3, 4 and 5; RedHat 3 and 4; Windows 2000/2003) upgraded along with the server without incident. NOTES: 1. /var/ossec/etc/ossec.conf is still overwritten in terms of having rules commented out put back in. 2.

[ossec-list] Re: named ddos attack ( query (cache) './ANY/IN' denied)

2009-08-31 Thread Peter M. Abraham
Greetings Jaka: ossec does allow you to write your own rules; and that's a very powerful feature. Thank you.

[ossec-list] Re: Windows Active Response not working on ossec 2.1.1

2009-08-07 Thread Peter M. Abraham
Greetings Greg: If I understand you correctly, you resolved my problem through taking the following steps: 1. Remove agent from ossec server 2. Uninstall Windows agent on Windows server (Did you reboot the Windows server?) 3. Re-install Windows agent on Windows server. 4. Add agent to

[ossec-list] Re: Windows Active Response not working on ossec 2.1.1

2009-08-04 Thread Peter M. Abraham
Bump

[ossec-list] Re: Windows Active Response not working on ossec 2.1.1

2009-07-30 Thread Peter M. Abraham
Bump

[ossec-list] Re: Questions on Centralized agent configuration in Ossec 2.1

2009-07-30 Thread Peter M. Abraham
bump

[ossec-list] Re: Windows Active Response not working on ossec 2.1.1

2009-07-20 Thread Peter M. Abraham
Hi Daniel: The problem still exists 2009/07/20 09:15:21 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute43200' provided. 2009/07/20 09:15:49 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute43200' provided. Please advise. Thank you.

[ossec-list] Re: Questions on Centralized agent configuration in Ossec 2.1

2009-07-20 Thread Peter M. Abraham
Greetings: RE: http://www.ossec.net/main/manual/centralized-config/ 1. Do the settings in /var/ossec/etc/shared/agent.conf complement the settings on the agent server? Meaning, can you have both where both will be used? If the answer is yes, does /var/ossec/etc/shared/agent.conf overwrite

[ossec-list] Re: ossec 2.1 server still has bug communicating with Windows 2003 32-bit agent

2009-07-20 Thread Peter M. Abraham
Greetings: Bump; yes, this still is happening today.

[ossec-list] Re: active-response to multiple hosts

2009-07-17 Thread Peter M. Abraham
Greetings: Yes; use the client/server installation, and then on the server in /var/ossec/etc/ossec.conf use locationall/location For the active-response. Thank you.

[ossec-list] Re: Questions on Centralized agent configuration in Ossec 2.1

2009-07-10 Thread Peter M. Abraham
bump

[ossec-list] Re: Windows Active Response not working on ossec 2.1.1

2009-07-10 Thread Peter M. Abraham
bump

[ossec-list] Re: ossec rootcheck -- will there be an upgrade to 2.1?

2009-07-09 Thread Peter M. Abraham
Bump

[ossec-list] Windows Active Response not working on ossec 2.1.1

2009-07-04 Thread Peter M. Abraham
Greetings: Re: http://www.ossec.net/main/manual/manual-active-response-on-windows/ /var/ossec/bin/agent_control -L OSSEC HIDS agent_control. Available active responses: Response name: win_nullroute43200, command: route-null.cmd Response name: apache_restart0, command: apache_restart.sh

[ossec-list] Re: OSSEC v2.1.1 released - Fixing Windows CPU and Integrity checking segfault

2009-07-03 Thread Peter M. Abraham
Greetings Daniel: For both 2.1 and 2.1.1 I get the following error on the ossec server (agents are fine): make[1]: Leaving directory `/usr/local/src/ossec-hids-2.1.1/src/monitord' Killing ossec-monitord .. Killing ossec-logcollector .. Killing ossec-remoted .. Killing ossec-syscheckd ..

[ossec-list] ossec 2.x overwrites custom changes to ossec.conf every time from version 1.4 to 2.1.1

2009-07-03 Thread Peter M. Abraham
Greetings: In our /var/ossec/etc/ossec.conf file on the server end, we exclude those rules which have no application in our environment. Examples: !-- includemailscanner_rules.xml/include includems-exchange_rules.xml/include includeracoon_rules.xml/include

[ossec-list] Re: Centralized agent management

2009-07-03 Thread Peter M. Abraham
Greetings: RE: http://www.ossec.net/main/manual/centralized-config/ 1. Do the settings in /var/ossec/etc/shared/agent.conf complement the settings on the agent server? Meaning, can you have both where both will be used? If the answer is yes, does /var/ossec/etc/shared/agent.conf overwrite

[ossec-list] Re: Upgrade 2.0 - 2.1

2009-07-01 Thread Peter M. Abraham
Greetings: /var/ossec/etc/ossec.conf is overwritten on the server (I think it is safe on agents). If you've commented out rules, you will need to redo all of that work (which is lost from every upgrade from the 1.x days until 2.1 inclusive). Thank you.

[ossec-list] Questions on Centralized agent configuration in Ossec 2.1

2009-07-01 Thread Peter M. Abraham
Greetings: RE: http://www.ossec.net/main/manual/centralized-config/ 1. Do the settings in /var/ossec/etc/shared/agent.conf complement the settings on the agent server? Meaning, can you have both where both will be used? If the answer is yes, does /var/ossec/etc/shared/agent.conf

[ossec-list] ossec rootcheck -- will there be an upgrade to 2.1?

2009-07-01 Thread Peter M. Abraham
Greetings: RE: http://www.ossec.net/en/rootcheck.html Will there be an update to rootcheck? Thank you.

[ossec-list] ossec 2.1 server still has bug communicating with Windows 2003 32-bit agent

2009-07-01 Thread Peter M. Abraham
Hi: 2009/07/01 16:19:11 ossec-remoted: Invalid message from 'xxx.xxx.xxx.xxx' (strchr \n) 2009/07/01 16:19:11 ossec-remoted: Invalid message from 'xxx.xxx.xxx.xxx' (strchr \n) We are still seeing the above in /var/ossec/logs/ossec.log on the ossec server end where xxx.xxx.xxx.xxx is the IP

[ossec-list] Re: Very High CPU Usage from ossec-agent.exe v2.1

2009-07-01 Thread Peter M. Abraham
Greetings: Is anyone else seeing this? For those running into this issue, what operating system and 32 or 64-bit? Thank you.

[ossec-list] Re: Is there a way to use ossec to monitor spikes in qmail queue volume

2009-06-30 Thread Peter M. Abraham
Greetings: Anyone? Thank you.

[ossec-list] Is there a way to use ossec to monitor spikes in qmail queue volume

2009-06-26 Thread Peter M. Abraham
Greetings: /var/qmail/bin/qmail-qstat shows how many email messages are in the queue and how many are not yet in preprocessing. Example output from two separate mail servers: /var/qmail/bin/qmail-qstat messages in queue: 72 messages in queue but not yet preprocessed: 0

[ossec-list] Re: Suppressing Alarms after specific events

2009-05-19 Thread Peter M. Abraham
Greetings Greg: Does http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules help? Also see the thread http://www.ossec.net/ossec-list/2007-September/msg00108.html (all responses). Thank you.

[ossec-list] Re: fix for contrib/ossectop.pl

2009-05-07 Thread Peter M. Abraham
Greetings Sébastien: When I do vi +188 ossectop.pl It shows $date=$1 Above it is #2006 Aug 29 17:33:31 (recepcao) 10.0.3.154 - syscheck }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s+\ ((.*?)\)\s+(\S+)\s+-(.*)$/){ Is line 187 the line to replace? Thank

[ossec-list] Re: Creating integrity checking application profiles (looking for contributions)

2009-04-15 Thread Peter M. Abraham
Greetings Daniel: This is a good idea. I do recommend qmail On the others you mentioned -- named, Apache -- please allow a way to customize paths as various automation systems will have named and httpd in different areas. For Unix, an infected or otherwise corrupted binary notice would also be

[ossec-list] Re: Know what is happening

2009-04-15 Thread Peter M. Abraham
Greetings Darvin: Your English is good. Are you receiving ossec alert emails? I.e. ### START OSSEC HIDS Notification. 2009 Apr 13 21:40:46 Received From: (fully qualified machine name) abc.abc.abc.abc-/var/log/secure Rule: 5712 fired (level 13) - SSHD brute force trying to get access to

[ossec-list] Re: The Changing Landscape of OSSEC-HIDS

2009-04-15 Thread Peter M. Abraham
Greetings Daniel: Congratulations. http://www.securityhorizon.com/journal/TSJ-2009-02-spring.pdf is well written. Thank you for sharing this link.

[ossec-list] Re: Remote config file management and other newbie questions

2009-04-15 Thread Peter M. Abraham
Greetings Patrick: 1. Not that I'm aware of; though that would be a neat idea if it can be done securely. 2. I would imagine a resource limit; we are currently monitoring approximately 40 agents (clients) without a hitch. 3. In ossec.conf in the same location as the agent binary (check the

[ossec-list] Re: When will rootcheck be updated to version 2.0?

2009-03-06 Thread Peter M. Abraham
bump

[ossec-list] Re: When will rootcheck be updated to version 2.0?

2009-03-06 Thread Peter M. Abraham
Hi Daniel: Thank you.

[ossec-list] Re: Version 2.0 Released

2009-03-04 Thread Peter M. Abraham
Hi Dan: For me, and maybe it is because I have a number of the rules which mean nothing commented out, when I comment out the McAfee rules, ossec dies. Thank you.

[ossec-list] Re: Version 2.0 Released

2009-03-03 Thread Peter M. Abraham
Greetings: There is a bug in ossec 2 server where if you comment out the includemcafee_av_rules.xml/include in /var/ossec/ossec.conf ossec will then not restart properly. Please fix this bug. Also, I've reported in the past that all upgrades to date absolutely destroy customizations of what

[ossec-list] When will rootcheck be updated to version 2.0?

2009-03-03 Thread Peter M. Abraham
Greetings: Re: http://www.ossec.net/en/rootcheck.html When will this be updated for 2.0? Thank you.

[ossec-list] Re: Is there a way to monitor content of files in the tmp directory

2009-02-14 Thread Peter M. Abraham
Hi Daniel: We have emails set up for level 3 and higher, so that's not the issue smile. On the ignore match rule, should it be using the ! as part of the rule? match!.gz.|!.tgz|!.exe./match Thank you.

[ossec-list] Re: 1 Week Old Slackware 12.2 install - trojaned version of /usr/sbin/tcpdump found

2009-02-14 Thread Peter M. Abraham
Greetings Matt: I don't know Slackware, but if it uses RPMs, then there might be a check like rpm -Va 2>/dev/null | grep '^S.5' I'm not sure if it is a false positive or not as I've seen machines just connected to the Internet start getting attacked in five minutes or so; and
