Re: [ossec-list] Linux processes monitoring through ossec

2017-07-25 Thread Jesus Linares
Hi, you can find information about auditd and OSSEC here: https://documentation.wazuh.com/current/user-manual/capabilities/system-calls-monitoring/index.html Regards. On Monday, July 24, 2017 at 1:50:10 PM UTC+2, thefergus wrote: > > > On Fri, 21 Jul 2017 at 08:06,

Re: [ossec-list] Linux processes monitoring through ossec

2017-07-24 Thread Jesus Linares
Hi, check out this post: http://santi-bassett.blogspot.com.es/2015/08/how-to-monitor-running-processes-with-ossec.html I hope it helps. On Saturday, July 22, 2017 at 3:03:25 AM UTC+2, CEH wrote: > > Check Nagios for process monitoring > > On 22-Jul-2017 02:54, "dan (ddp)"

Re: [ossec-list] Re: Email alerts are sent hourly

2017-07-17 Thread Jesus Linares
ow we might have some tweaking to > do in our local_rules to adjust it to our needs), but at least, it works! > > tl;dr: Ensure that the email_maxperhour setting in the global config is > set to an appropriate value. Default is 12. > > 2017-07-12 7:26 GMT-04:00 Jesus Linares <j

[ossec-list] Re: Email alerts are sent hourly

2017-07-12 Thread Jesus Linares
Hi Alexis, So, you are receiving alerts with level 3 at ourservice@domain, right? That doesn't make sense (I understand that email1, email2 or email3 is not ourservice@domain). Try to use: do_not_delay and do_not_group. Also, the email_maxperhour

[ossec-list] Re: ossec blocked all ips? everywhere?

2017-07-12 Thread Jesus Linares
In case you want to block all connections, you can create an active response script to add a specific rule in iptables. On Wednesday, July 12, 2017 at 1:03:01 PM UTC+2, Jesus Linares wrote: > > I think, by default, OSSEC has the active-response for blocking an IP if > an alert hi

[ossec-list] Re: ossec blocked all ips? everywhere?

2017-07-12 Thread Jesus Linares
I think, by default, OSSEC has the active-response for blocking an IP if an alert higher than 6 is fired. I recommend disabling this setting. Regards. On Tuesday, July 11, 2017 at 8:37:21 PM UTC+2, Cristian Lorenzetto wrote: > > is there a condition where ossec blocks all incoming

[ossec-list] Re: Email alerts are sent hourly

2017-07-11 Thread Jesus Linares
Hi Alexis, I'm not sure what is happening. Do a simple test. Set *email_alert_level* to 1, and configure only one custom alert: yes noreply@localhost smtpserver *email1* *email2* 10 Generate an alert with level 10, you will receive: -

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-07 Thread Jesus Linares
Hi Kazim, - Review the ossec.log of your agent: is it monitoring the file? Are there errors? - The log file must exist before OSSEC is started. - Try with the format "syslog". - Copy some logs to /var/ossec/bin/ossec-logtest and check if an alert would be generated. Just

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-07 Thread Jesus Linares
Hi Ian, changing the decoders could be a harmful process. Keep in mind that if you change something in /var/ossec/rules, it will be overwritten during an update. Wazuh has created the *decoder_exclude* to simulate the *overwrite* option existing in rules but not in decoders. Take a look at the

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-07 Thread Jesus Linares
Hi Ian, Here you have the syntax of the OSSEC regexes: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html Another difference I've discovered is that Perl's regex is greedy -- > it'll match all it can. It looks like this regex will only match the > least

Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-07 Thread Jesus Linares
I never used it: http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time I think it is the time when the event arrives at the manager (not the original time). On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote: > > On Mon, Jul 3, 2017 at 6:10 AM, Fredrik

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-04 Thread Jesus Linares
Hi Ian, try this rule: 18105 192.168.1.120 ignore 192.168.1.120. ossec-logtest: 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet.

[ossec-list] Re: OSSEC rule match time and timeframe

2017-07-04 Thread Jesus Linares
Hi Fredrik, do you want to ignore the rule 5501 if it is fired by your script? Is it not enough with the hostname and the user? Regards. On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote: > > Hello, > > Let's say I have a script which runs once every half an hour. With a

[ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-03 Thread Jesus Linares
Hi ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': > XMLERR: File 'shared/agent.conf' not found. (line 147). What is in line 147? More information about the agent.conf and the process to synchronize it:

[ossec-list] Re: Block ssh user ip after failed login attempt in OSSEC

2017-06-29 Thread Jesus Linares
> As I'm new to OSSEC, please help me out > > On Wednesday, June 28, 2017 at 10:40:20 PM UTC+5:30, Jesus Linares wrote: >> >> Hi, >> >> the *frequency* attribute specifies the number of times (+2) the rule >> must have matched before firing. In this case,

[ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread Jesus Linares
Hi, you are totally right. Active response configuration should allow any field: srcip, user, port, dynamic fields, etc. It is in the Wazuh roadmap. It doesn't work, a real shame... It will only work if you don't

[ossec-list] Re: Block ssh user ip after failed login attempt in OSSEC

2017-06-28 Thread Jesus Linares
Hi, the *frequency* attribute specifies the number of times (+2) the rule must have matched before firing. In this case, the rule 5720 will be fired if the rule 5716 is fired 8 times (6+2). You must use *frequency="1"* to fire the rule after 3 attempts. Also, it is a good idea to add the

[ossec-list] Re: Treat Multiple Files as One

2017-06-28 Thread Jesus Linares
Hi Eric, Right now, I believe OSSEC is only able to correlate multiple failed logins > if they all happen to show up on only 1 of the log files That is not correct. The rules are based on the content of a log, not on the source. Pay attention to the following rules: sshd SSHD

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-26 Thread Jesus Linares
**Phase 3: Completed filtering (rules). > > Rule id: '100205' > Level: '0' > Description: 'Jorgee vulnerability scanner' > > Kind regards, > Fredrik > > On Monday, 26 June 2017 at 10:48:16 UTC+2, Jesus Linares wrote: >> >> What is the output of osse

Re: [ossec-list] ossec on cent os 7

2017-06-26 Thread Jesus Linares
Hi, keep in mind that the previous link is for OSSEC 2.8.2 and the latest release is v2.9.1. I recommend you install OSSEC from packages, here

Re: [ossec-list] Passing entire log line to Active Response script - how?

2017-06-26 Thread Jesus Linares
Hi, active response only accepts *user* and *srcip* as arguments. So, you need to create a decoder to extract the log as user or srcip. I'm not sure if this regex will work: "^(\.+)$". I hope it helps. On Sunday, June 25, 2017 at 7:06:31 PM UTC+2, dan (ddpbsd) wrote: > > > > On Jun 25, 2017

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-26 Thread Jesus Linares
What is the output of ossec-logtest? Once you have a rule for that event, you can create an active response. Regards. On Sunday, June 25, 2017 at 12:06:23 AM UTC+2, Fredrik Hilmersson wrote: > > I spoke too early, still getting spammed ... > > Den lördag 24 juni 2017 kl. 22:20:13 UTC+2 skrev

[ossec-list] Re: ERROR: Incorrectly formated message from 'Agent IP'

2017-06-21 Thread Jesus Linares
Hi, 2017/06/20 10:17:55 ossec-remoted(1403): ERROR: Incorrectly formated > message from 'Agent IP'. That error is due to the manager receiving a message from an agent with an invalid key. I would generate a new key for your agent. Also, check if the client.keys has duplicated IPs: IP1

[ossec-list] Re: OSSEC ignore ip issue

2017-06-21 Thread Jesus Linares
> and one rule to match the hostname to ignore the 5501. > > Kind regards, > Fredrik > > On Tuesday, 20 June 2017 at 14:09:39 UTC+2, Jesus Linares wrote: >> >> Hi Fredrik, >> >> when you create a new ssh connection, the following alerts are gene

[ossec-list] Re: Grouping syscheck email alerts per agent.

2017-06-20 Thread Jesus Linares
Hi, I think it is not possible, but you can use *reports*: https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-email-report/index.html#multiples-options-and-multiples-email I hope it helps. On Tuesday, June 20, 2017 at 12:09:02 PM UTC+2, Kazim Koybasi wrote: > > Is

[ossec-list] Re: OSSEC ignore ip issue

2017-06-20 Thread Jesus Linares
; also: > > > > 5501 > > Remote IP > no_email_alert > > Ignoring host remote IP > > > > However, I still get alerts sent to me when connecting to any ossec agent > through that remote host. > > Den måndag 19 juni 2017 kl. 16:27:47 UTC+2 skrev Jesus

[ossec-list] Re: How to start syscheck at same time in a weekdays?

2017-06-19 Thread Jesus Linares
Hi, you can find information about the precedence of *agent.conf* and *ossec.conf* here: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#precedence The *alert_new_files* setting is only valid for the manager. Keep in mind that the first time that

[ossec-list] Re: OSSEC Agent Logs Showing Error

2017-06-19 Thread Jesus Linares
Hi, it looks like you have another instance of *authd* running: 2017/06/16 06:06:33 ossec-authd: Unable to bind to port 1515 Kill the authd and run it again. Then register your agent and restart it. I hope it helps. On Friday, June 16, 2017 at 2:50:01 PM UTC+2, Arvind Lavania wrote: > > Hi, >

Re: [ossec-list] No Decoder Match Problem

2017-06-12 Thread Jesus Linares
Hi Akash, the OSSEC engine has 3 phases: pre-decoding, decoding, rule matching. The pre-decoding is done automatically by OSSEC (at C level): **Phase 1: Completed pre-decoding. full event: 'myapplication: This is a test' hostname: 'ip-10-0-0-10' program_name: '(null)'

Re: [ossec-list] Updates rules and signatures

2017-06-08 Thread Jesus Linares
ith a Wazuh installation and not with ossec vanilla. > Would it actually work without installing Wazuh? > > On Thursday, 8 June 2017 at 05:14:07 UTC-4, Jesus Linares wrote: >> >> Hi Alexis, >> >> Dan's method is the faster way to do it and it should work properly.

[ossec-list] Re: OSSEC rule to avoid alerts for apt-daily

2017-06-08 Thread Jesus Linares
Hi Fredrik, you want to do something like: "if Starting daily apt activities -> disable syscheck for that agent". I think there is no way to do it. The rule engine doesn't allow rules like "if event A (starting apt) and event B (syscheck) -> rule to ignore event". You can create a rule to

Re: [ossec-list] Updates rules and signatures

2017-06-08 Thread Jesus Linares
Hi Alexis, Dan's method is the faster way to do it and it should work properly. That said, Wazuh makes a great effort to centralize decoders, rules, rootchecks and OpenSCAP content in the wazuh-ruleset repository. Also, a script

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-08 Thread Jesus Linares
abase and run a new baseline, but > trying to speed up the process. If there is a way to disable rootcheck > when I do that command? I need to do that because otherwise I will get > tons of emails every time we do a deploy. > > Thanks > > > On Wednesday, June 7, 2017

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread Jesus Linares
I ran it and it takes 4 hours on > one of my web servers. Is it the size of the files or the number of files > that determines the scan and is there any way to speed it up? > > > Thanks > > > > On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote:

Re: [ossec-list] Problem with dovecot decoder

2017-06-07 Thread Jesus Linares
Hi, what fields do you need? Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): *user*=, method=PLAIN, *rip*=1.2.3.4, *lip*=1.2.3.4, session= **Phase 1: Completed pre-decoding. full event: 'Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login

[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-06 Thread Jesus Linares
Hi John, I think it should appear in */var/ossec/bin/agent_control -i 1027*. Also, you can review the ossec.conf of your agent. Regards. On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote: > > I just started to use ossec, and was doing some testing by making some > changes in a

[ossec-list] Re: Email Notification using msmtp..

2017-06-05 Thread Jesus Linares
Hi Rakesh, If your SMTP server requires authentication (like Gmail), it is necessary to configure a relay server because OSSEC does not support it

[ossec-list] Re: OSSEC - windows event

2017-06-01 Thread Jesus Linares
, June 1, 2017 at 6:51:14 AM UTC+2, Irshad Rahimbux wrote: > > Anyone can provide some help? @Jesus Linares... the link you provided is > not helping much. It's for another issue. > > On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote: >> >> https://grou

[ossec-list] Re: OSSEC - windows event

2017-05-31 Thread Jesus Linares
https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote: > > > Hi All, > > I am also facing the same problem. I am not getting alerts for the > creation/deletion of files from the windows agent > to my manager (linux). Agent show

[ossec-list] Re: Not Getting Alerts From Windows Agent to Linux Manager

2017-05-31 Thread Jesus Linares
Hi, check out the documentation: http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#why-aren-t-new-files-creating-an-alert Also, it is not a good idea to monitor the whole partition: - *report_changes* creates a snapshot in the agent for each change. - *realtime* on Windows

[ossec-list] Re: Help with decoder

2017-05-29 Thread Jesus Linares
Hi, your prematch is wrong: - log: [...] vd=root logdesc [...] - prematch: [...] vd="\.+" [...] Try this one: fortigate-firewall-v5 type=event subtype=vpn level= logdesc="\.+" msg="(\.+)" action=(\.*) remip=(\S+) locip=(\S+) \.*vpntunnel="(\.*)"

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-24 Thread Jesus Linares
e/file.txt host:ec2-11-22-33-44.ap-southeast-2.compute. >> amazonaws.com location:rootcheck >> >> >> Unfortunately, we can't just change the permissions of these without >> breaking our CI. I'm not very concerned about the world-writable files >> under /var/lib/doc

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
" > > SITE="https://hooks.slack.com/services/...; > > SOURCE="ossec2slack" > > ossec.conf > > > >ossec-slack > >ossec-slack.sh > > > >no > > > > > > > ossec-slack

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
Hi Fredrik, this is the flow: - The integrator reads the alerts from *alerts.log* filtering by *rule_id*, *level*, *group* or *event_location*. - It executes the script using the arguments *hook_url* and *api_key*. - The slack script sends the alert to slack. Clarification: The host

Re: [ossec-list] Re: problems registering agents

2017-05-22 Thread Jesus Linares
t the same internal error problem. > > Results of commands: > > $ cat /var/ossec/etc/client.keys | wc -l > > 2032 > > $ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" -v | wc -l > > 209 > > $ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!"

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Jesus Linares
Hi Fredrik, check out the documentation about *integrator*: https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html I hope it helps. Regards. On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote: > > Hello Miguelangel! > > I do not

[ossec-list] Re: problems registering agents

2017-05-22 Thread Jesus Linares
Hi, as you mentioned, it seems that inactive agents count towards the limit (2048 agents). Run the following commands in order to know the size of the *client.keys* file: - Total lines: cat /var/ossec/etc/client.keys | wc -l - Active agents: cat /var/ossec/etc/client.keys | grep -P

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-22 Thread Jesus Linares
log: 'File > > > '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' > > > > is owned by root and has written permissions to anyone.' > > > > > > >

Re: [ossec-list] TargetUserName is not mapped to an indexed field

2017-05-17 Thread Jesus Linares
> I will study it if I have some time. > > As Jesus said, once we got that windows field in "full_log" field you will > only need to add new decoders to extract it and populate it to Kibana. > > > Regards, > Pedro Sanche. > > > > > > On Mon,

Re: [ossec-list] TargetUserName is not mapped to an indexed field

2017-05-15 Thread Jesus Linares
Hi AntonH, you don't see *TargetUserName* in Kibana, because OSSEC decoders are not extracting that field. We will need to improve them. Could you paste the raw log (*full_log*) here? Once we update the decoders and you install them, the new events will come with the *TargetUserName*

Re: [ossec-list] Active Response not working at all

2017-04-28 Thread Jesus Linares
Hi, you are right Tony. The syntax for *ossec.conf* is not user-friendly. Think of it in the following way: if it is a yes/no setting, it will be overwritten if the parser finds the same setting below. Example: yes no The final value will be 'no'. However, if the setting is

Re: [ossec-list] i dos'd myself but ossec did not record it

2017-04-27 Thread Jesus Linares
OSSEC will detect the DoS attack only if it is monitoring a log file which contains an event related to DoS and probably you will have to create some decoders/rules. Regards. On Wednesday, April 26, 2017 at 9:35:44 PM UTC+2, dan (ddpbsd) wrote: > > On Wed, Apr 26, 2017 at 3:27 PM, Sargeras

Re: [ossec-list] Disable all rules for ossec server

2017-04-26 Thread Jesus Linares
I don't know if it is possible, but why do you want to do it? On Wednesday, April 26, 2017 at 11:42:22 AM UTC+2, Huc Manté Miras wrote: > > I try to remove all includes but not work :( > > On Tuesday, 25 April 2017 at 17:41:56 (UTC+2), dan (ddpbsd) wrote: >> >> >> >> On Apr 25, 2017 11:25

[ossec-list] Re: Override eventlog with eventchannel via Centralized agent config

2017-04-26 Thread Jesus Linares
Hi Brett, here you can find information about the configuration precedence: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#precedence In your case, both configurations are being applied. Also, I recommend you filter other noisy events

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-18 Thread Jesus Linares
t I wasn't able to. Thanks! > > > 510 > > Ignore rule 510 for 600 seconds if the same ID is > matched. > > > On Monday, April 17, 2017 at 3:16:48 AM UTC-5, Jesus Linares wrote: >> >> What rule did you use?. Please, share here the rule and the alerts t

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Jesus Linares
What rule did you use? Please, share here the rule and the alerts that you want to ignore. I'd need the ID from the decoder to do so There are no xml decoders for rootcheck. What you want to extract in the id field is the file, right? You can do a *match* in the rule for the file. Regards.

Re: [ossec-list] How soon does an agent disconnect appear

2017-04-17 Thread Jesus Linares
Check out *notify_time* and *time-reconnect*: http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.client.html#ossec-conf-client-options On Friday, April 14, 2017 at 12:08:02 AM UTC+2, dan (ddpbsd) wrote: > > On Wed, Apr 12, 2017 at 4:01 PM, Nikki S >

Re: [ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-17 Thread Jesus Linares
Hi Rob, I'm not sure, but you can increase the level to 1 and: set the attribute noalert: or use the option no_log:

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-07 Thread Jesus Linares
Hi Rob, it is not possible to create decoders for rootcheck because they are at C level: https://github.com/wazuh/wazuh/blob/master/src/analysisd/analysisd.c#L772 Also, you don't need them, just create a rule like: 510 your conditions (match the file?) Ignore rule 510 during 300

[ossec-list] Re: OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-07 Thread Jesus Linares
April 6, 2017 at 1:24:05 AM UTC-7, Jesus Linares wrote: >> >> Hi Jake, >> >> take a look at rule 511 >> <https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>. >> >> It is the way to ign

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Jesus Linares
Hi, check this out: https://groups.google.com/forum/#!topic/ossec-list/USAF6jF8yk8 Regards. On Wednesday, April 5, 2017 at 10:45:52 PM UTC+2, Rob Williams wrote: > > I stopped them all (which appeared to work fine) and start again. Here is > the rule and decoder I made for this (I want to

[ossec-list] Re: OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-06 Thread Jesus Linares
Hi Jake, take a look at rule 511. It is the way to ignore an event coming from rule 510. You could do the same with a composite rule, it would be something like: 510

[ossec-list] Re: Detecting Powershell

2017-04-04 Thread Jesus Linares
Hi, Sysmon has several events (1, 11, 15) that can be used to monitor Powershell executions. Sysmon - Event 1 > 2017 Mar 29 13:36:36 WinEvtLog: Microsoft-Windows-Sysmon/Operational: > INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: > WIN-P57C9KN929H: Process Create: UtcTime:

Re: [ossec-list] time based exceptions

2017-03-31 Thread Jesus Linares
Hi, there are rules for that in https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0215-policy_rules.xml. They are included by default, but not enabled. Regards. On Thursday, March 30, 2017 at 12:20:39 AM UTC+2, jose wrote: > > Hi mscrano, yes you can do that, > > example: > > >

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-06 Thread Jesus Linares
Hi, it is very interesting. Right now, Wazuh is able to extract dynamic fields and use them in the rule description. Example for your log: **Phase 1: Completed pre-decoding. full event: '2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing:

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread Jesus Linares
Hi, could you give us a real example? Thanks On Wednesday, March 1, 2017 at 10:34:18 AM UTC-8, dan (ddpbsd) wrote: > > On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J. > wrote: > > That is not what I meant. > > > > If the source IP is decoded and stored in

[ossec-list] Re: Create custom rule for OSSEC 2.8.3, to capture specific phrase in application log

2017-01-31 Thread Jesus Linares
Hi, you should create decoders and rules for that event. Check out the documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/analysis.html Also, you can use the binary /var/ossec/bin/ossec-logtest to test your own decoders/rules. On Monday, January 30, 2017 at 7:04:34 AM UTC-8, Eli

[ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-30 Thread Jesus Linares
Hi Daniel, review *archives.log* to be sure the log is how you expected. Also, check out *alerts.log* to see the alert. Remember that *ossec-logtest* shows alerts with level 0, but OSSEC does not, or at least it should not. Regards. On Friday, January 27, 2017 at 8:00:19 AM UTC-8, Daniel B.

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
ntries with rule ID 5104? > > I *feel* like I should be able to override the iptables decoder... but > maybe that's me being optimistic. > > On Wednesday, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote: >> >> Hi Daniel, >> >> ossec-logtest alwa

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
Hi Daniel, ossec-logtest always shows the name of the parent. If you want to ignore that alert, just create a rule in local_rules.xml: 5104 Ignore rule 5104. Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode **Phase 1:

[ossec-list] Re: Wazuh OSSEC Rules

2016-12-29 Thread Jesus Linares
Hi, usually all rules in the wazuh ruleset should work with OSSEC, but in some cases there could be a compatibility issue due to some new capabilities of Wazuh (like support for dynamic fields

Re: [ossec-list] Does Ossec support MariaDB?

2016-12-13 Thread Jesus Linares
Hi, I have not used databases in OSSEC, but you can choose the type in the configuration: 192.168.2.30 ossecuser ossecpass ossec mysql In order to use databases, you must compile OSSEC with database support: # cd ossec-hids-* # cd src; make

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-09 Thread Jesus Linares
Hi, what OSSEC version are you running? Regards. On Friday, December 9, 2016 at 11:51:09 AM UTC+1, 1kn0 wrote: > > Hello Dan, > > Thank you very much for your help. > > I've a problem with the following decoder and sample. It generates a > segfault in ossec-logtest : > > > > >

Re: [ossec-list] Re: important questions on CDB lists

2016-12-09 Thread Jesus Linares
Hi Omar, if you don't mind, please share your decoders, rules and CDB list and I can test it in my lab. Thanks. On Wednesday, December 7, 2016 at 9:01:18 PM UTC+1, Omar M wrote: > > Hi Dan, > Thanks for the quick response. > > The objective is to create a rule that will trigger if a restricted

[ossec-list] Re: regex in agent id field

2016-12-09 Thread Jesus Linares
Hi Sean, it seems that agent_config name is checked by the function OS_Match2 which only matches strings with *^*, *$* or *|* special characters. So,

Re: [ossec-list] Problem with rule 18257

2016-11-21 Thread Jesus Linares
Hi all, nice catch, Dan! Unfortunately, the rule 18257 is still triggering. The log is related to a "Database update" and the rule 18257 is for logins. So, I think we should add a rule to ignore this kind of logs. Regards. On

Re: [ossec-list] Agent Syscheck Frequency Issue

2016-11-21 Thread Jesus Linares
Hi Yousif, as Dan said, the minimum is around 300 seconds. Do not set a lower value. It is possible to improve the syscheck performance by changing these options in *local_internal_options.conf*: syscheck.sleep=2 // change to 1 or 0 syscheck.sleep_after=15 // change to a greater value By

Re: [ossec-list] Filter Windows Event at client

2016-11-10 Thread Jesus Linares
ents > within a certain timeframe (e.g. 24h) are grouped together and included in > the email? I realize this might involve multiple parts and configuration, > but perhaps you can give a few pointers without spending too much of your > time? > > Best regards, > Fredrik > &g

Re: [ossec-list] OSSEC Signature Update Frequency

2016-11-04 Thread Jesus Linares
butors and create new ones. Regards. On Friday, November 4, 2016 at 9:43:58 AM UTC+1, Jesus Linares wrote: > > Hi Matthew, > > Wazuh has a repository <https://github.com/wazuh/ossec-rules> for > decoders, rules, rootchecks, etc. Almost all decoders/rules should work in > eve

[ossec-list] Re: can ossec 2.8 run on CentOS 7.x ?

2016-11-04 Thread Jesus Linares
Yes, it works. Just try it. On Thursday, November 3, 2016 at 10:46:57 PM UTC+1, Rajanikanthrao Bolla wrote: > > Hi, > Will ossec 2.8 (server type install) run on CentOS 7.x? > > Has anyone tested it or had experience using it? > > Please share. > > Thanks, > Raj.

Re: [ossec-list] OSSEC Signature Update Frequency

2016-11-04 Thread Jesus Linares
Hi Matthew, Wazuh has a repository for decoders, rules, rootchecks, etc. Almost all decoders/rules should work in every OSSEC version, except some of them that use new features. I recommend you create a backup of OSSEC, then update the rules using the

Re: [ossec-list] Filter Windows Event at client

2016-11-04 Thread Jesus Linares
Hi Fredrik, according to the documentation you can use the Microsoft event schema. If you want to add multiple event IDs: Security eventchannel Event/System[EventID=5140 and EventID=5144] Also, I think

[ossec-list] Re: Ignore computer account logon and logoff

2016-10-26 Thread Jesus Linares
Thanks for your recommendation about windows logs. On Wednesday, October 26, 2016 at 4:52:41 AM UTC+2, InfoSec wrote: > > Windows uses a combination of tabs and spaces between fields, and between > field names and field content. There is no telling how many of each there > are. > > Using

[ossec-list] Re: Teamviewer logs not consistent

2016-10-14 Thread Jesus Linares
Hi, this could be a good starting point: ^\d+\t+\.+\d\d-\d\d-\d\d\d\d teamviewer ^\d+\t\t ^\d+\t+\s*(\.+)\t+(\.+)\t+(\.+)\t+RemoteControl\t+{(\.+)} extra_data,status,srcuser,id teamviewer ^\d+\t

[ossec-list] Re: Ignore computer account logon and logoff

2016-10-11 Thread Jesus Linares
I didn't test it, but it seems OSSEC tries to use "$\S+" as a variable. You could do something like: @domain Account Name: \S+\$ Regards. On Monday, October 10, 2016 at 10:28:37 PM UTC+2, roberto@phoebustecnologia.com.br wrote: > > hi! > I'm using this solution in my ossec. But I have

[ossec-list] Re: Correct way to overwrite a "chained" rule

2016-10-07 Thread Jesus Linares
Hi Christina, 1) I think you could create a child rule of 5503 (if_sid) with level 0. Then, use regex to match a user with backslash. In this way, you are ignoring alert 5503 if the user contains a backslash (or anything you put in the regex). You could do the same with alert 5551. 2) is

[ossec-list] Re: Windows SSTP VPN rule.

2016-10-04 Thread Jesus Linares
monitoring Radius connections too? > > On Saturday, October 1, 2016 at 5:03:18 AM UTC-4, Jesus Linares wrote: >> >> Hi, >> >> if you share the events (logs) that you want to track, we can help to >> create the decoders and rules. >> >> Regards. >

[ossec-list] Re: Ossec Naming Conventions

2016-10-04 Thread Jesus Linares
I don't think so. Check out the ossec.log of the agents that don't connect to the Manager. Usually they do not connect due to: firewall, bad key or duplicate counters (rids). The hostname should not be a problem. On Friday, September 30, 2016 at 2:56:28 PM UTC+2, EvilZ wrote: > > Hi everyone i

[ossec-list] Re: Ossec authd, Can't connect

2016-10-04 Thread Jesus Linares
Hi, it looks like a firewall issue. You could run tcpdump in the Manager to see if there is a connection between the manager and the agent. Regards. On Monday, October 3, 2016 at 10:02:52 AM UTC+2, Ali Khan wrote: > > Hi All, > > I am trying to use ossec-authd and agent-authd for auto agent

[ossec-list] Re: Windows SSTP VPN rule.

2016-10-01 Thread Jesus Linares
Hi, if you share the events (logs) that you want to track, we can help to create the decoders and rules. Regards. On Wednesday, September 28, 2016 at 5:58:03 PM UTC+2, namobud...@gmail.com wrote: > > I'm wondering if anyone has done an OSSEC Windows SSTP VPN rule? > I want to start tracking

[ossec-list] Re: What is the best way to make ossec ignore alerts caused by new packages (unatended upgrades)?

2016-10-01 Thread Jesus Linares
Hi James, review the alerts related with packages, and create a rule to ignore the events that you do not need. Regards. On Wednesday, September 28, 2016 at 5:40:34 PM UTC+2, James Vernon wrote: > > As the title says, is there a defined best practice for this? > > If unattended upgrades runs

[ossec-list] Re: Active response command not present

2016-09-26 Thread Jesus Linares
Hi, if it is a Linux agent, the restart-ossec.cmd will not work. You must use restart-ossec.sh. Check out the documentation:
- http://ossec-docs.readthedocs.io/en/latest/manual/ar/index.html
- http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html
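A manager-side ossec.conf fragment that wires restart-ossec.sh into an active response, added here as an example for this page (it is not taken from the thread or from the stock OSSEC configuration). The rule ID 100200 is a placeholder for whichever local rule should trigger the restart; replace it with your own.

```xml
<!-- ossec.conf fragment on the manager. Added example, not from the thread
     or the OSSEC default configuration. Rule ID 100200 is a placeholder. -->
<ossec_config>

  <!-- The executable is looked up in active-response/bin on the agent that
       runs it. Linux/Unix agents ship restart-ossec.sh there; the .cmd
       variant exists only on Windows agents, so referencing it from a
       response aimed at a Linux agent makes execd report the command as not
       present. "expect" is empty because the script takes no argument. -->
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <!-- location=local runs the script on the agent that produced the alert,
       so the restart happens only where rule 100200 matched. -->
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>100200</rules_id>
  </active-response>

</ossec_config>
```

If the fleet is mixed, keep a second command entry for restart-ossec.cmd and bind each active-response to the rules that only fire on the matching platform; a single command name cannot point at both scripts.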

[ossec-list] Re: Querying Kibana for specific event types

2016-09-22 Thread Jesus Linares
in the logstash index. Instead of id, I have _id which is not a > number but a character string. > > On Tuesday, September 20, 2016 at 3:56:44 AM UTC-4, Jesus Linares wrote: >> >> Hi, >> >> in order to filter by an event ID of Windows, just use this query in the

[ossec-list] Re: Querying Kibana for specific event types

2016-09-20 Thread Jesus Linares
Hi, in order to filter by an event ID of Windows, just use this query in the search bar of Kibana:
decoder.name:"windows" AND id:"4625"
In this case, you are filtering events with id 4625:
2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(*4625*): Microsoft-Windows-Security-Auditing: (no

[ossec-list] Re: Best way to whitelist installed RPM / packages

2016-09-15 Thread Jesus Linares
Hi Shawn, by default OSSEC triggers an alert when a package is installed/removed/updated:

*command*
yum install valgrind.x86_64

*archives.log*
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

*alerts.log*
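The two package threads above (ignoring unattended-upgrade noise, and whitelisting installed RPMs) both end with "create a rule to ignore the events you do not need". The fragment below is an added example for this page, not code from the thread or the OSSEC ruleset, showing two ways to do that without silencing package alerts wholesale. The parent IDs (2932 for a yum "Installed" line, 2901 for a dpkg "status installed" line), the allowed package names, and the 06:00-07:00 window are assumptions; confirm the IDs by running the archives.log line above through /var/ossec/bin/ossec-logtest, and set the window to the schedule your unattended-upgrades timer actually uses.

```xml
<!-- local_rules.xml fragment. Added example, not from the thread or the
     OSSEC project. Parent IDs 2932 (yum installed) and 2901 (dpkg installed),
     package names and the time window are assumptions. -->
<group name="local,">

  <!-- Allowlist by name. The yum line "yum[5630]: Installed:
       1:valgrind-3.10.0-16.el7.x86_64" drops to level 0 only when the
       package is on the list; "|" is an OR in sregex matches. Anything not
       listed keeps the stock alert, so an unexpected install stays visible.
       The trailing "-" keeps "htop-" from matching e.g. "libhtop-dev". -->
  <rule id="100301" level="0">
    <if_sid>2932</if_sid>
    <match>valgrind-|htop-|strace-</match>
    <description>Approved package installed via yum; no alert.</description>
  </rule>

  <!-- Allowlist by time. dpkg installs are silenced only inside the window
       in which unattended-upgrades runs; outside it the same event alerts
       as before. Trade-off: an attacker who installs during the window is
       also silenced, so prefer the by-name rule where the package set is
       known, and keep the window as narrow as the timer allows. -->
  <rule id="100302" level="0">
    <if_sid>2901</if_sid>
    <time>06:00-07:00</time>
    <description>dpkg install inside the unattended-upgrades window; no alert.</description>
  </rule>

</group>
```

Both rules leave the event in archives.log (if logall is enabled), so the installs remain available for forensics even though they no longer raise an alert.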

[ossec-list] Re: Alienvault OSSEC 2.8 a couple of computers are showing disconnected from the webGUI and I don't know how to get them reconnected

2016-09-13 Thread Jesus Linares
Hi, probably you need to reset the counters:

Stop manager and the agent: /var/ossec/bin/ossec-control stop

*agent*
- cd /var/ossec/queue/rids
- remove all the files

*manager*
- cd /var/ossec/queue/rids
- Remove *the file of the agent* (the filename is the agent ID)

Start manager

Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Jesus Linares
"ANY", that's great, thanks a lot. If my ossec > server is accessible externally any alerts from the agents should still > reach my server, right? ( if the agents are connected to the net and > nothing blocking ) > > On Tuesday, 13 September 2016 10:51:37 UTC+1, Jesus Linare

Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2016-09-13 Thread Jesus Linares
Hi, as Eero said, you can register your agents with ANY instead of the IP. Anyway, remember that the agents send the alerts in real time. *Alerts are not stored to be sent later*. So, you are not going to receive the alerts generated in your agents when they were not connected to the Manager

[ossec-list] Re: ossec-analysisd: Rules in an inconsistent state. Exiting

2016-09-13 Thread Jesus Linares
Hi, the section is missing in your ossec.conf. Did you remove it? Regards. On Tuesday, September 13, 2016 at 10:19:19 AM UTC+2, toddmichael wrote: > > When I start ossec-hids via init script, ossec-analysisd dies shortly > thereafter with the following error: > > 2016/09/13 01:07:43

[ossec-list] Re: logg file from Kaspesky Antivirus for Linux File Server 8.0

2016-09-09 Thread Jesus Linares
As Dan said: > logcollectord currently does not support pulling data from a database. Try to create a script to transform the db to a log file or configure the AV to send the logs to syslog (if it is possible). On Friday, September 9, 2016 at 3:18:49 PM UTC+2, al...@mazm.ru wrote: > > So , I
