Re: [ossec-list] Custom logo for each agent group

2023-12-08 Thread dan (ddp)
Ossec doesn’t show any logos. What application are you seeing logos in?

On Fri, Dec 8, 2023 at 9:38 AM Satwika sree  wrote:

> Hi All,
>
> Is this possible to set custom logo for each agent group? If it's possible
> what is the process?
>
> Please help me work on this case.
>
> Regards,
> Sree.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/7af1da99-00bc-423c-95fa-f043ef99e408n%40googlegroups.com.
>



Re: [ossec-list] Install ossec in windows as standalone (local mode)

2022-07-15 Thread dan (ddp)
That's not supported. Windows is an agent only platform.

On Tue, Jul 12, 2022 at 1:34 PM M Asif  wrote:
>
> Hi! Geeks
>
> I am trying to install ossec in windows server. When I run exec it install in 
> client/server mode. But my requirement is to install ossec agent as 
> standalone. I mean in local mode.
>
> Actually I want to integrate ossec with IBM QRadar.
>
>
> Please guide accordingly.
>
>
> Regards
> Asif
>



Re: [ossec-list] Hi, found below error

2021-07-20 Thread dan (ddp)
You can check the ossec.log on the ossec server for details.

On Tue, Jul 20, 2021 at 12:26 PM Vishal Ghaware
 wrote:
>
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting
>
> hence all clients disconnected from server
>



Re: [ossec-list] Trying to install OSSEC 3.6.0 under OpenBSD 6.8 fails

2021-02-01 Thread dan (ddp)
*ahem* _THIS_ patch.

On Mon, Feb 1, 2021 at 1:34 PM dan (ddp)  wrote:
>
> I think this patch should fix the inotify problem.
> Not sure how to work on the geoip stuff, I think OpenBSD dropped the
> ports for the old library.
>
> On Sun, Jan 31, 2021 at 12:11 PM Carlos Lopez  wrote:
> >
> > Hi all,
> >
> >
> >
> > I am trying to install Ossec 3.6.0 under an OpenBSD 6.8 host to act as an 
> > ossec-server, but the following errors appear:
> >
> >
> >
> > root@obsdtst:/tmp/ossec-hids-3.6.0/src# gmake TARGET=server 
> > PCRE2_SYSTEM=yes ZLIB_SYSTEM=yes USE_INOTIFY=yes USE_GEOIP=1
> >
> > ………
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_execute.c -o 
> > os_regex/os_regex_execute.o
> >
> > os_regex/os_regex_execute.c:57:34: warning: comparison of integers of 
> > different signs: 'size_t' (aka 'unsigned long') and 'int' [-Wsign-compare]
> >
> > if (sub_string_start != -1) {
> >
> >  ^  ~~
> >
> > 1 warning generated.
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_free_pattern.c -o 
> > os_regex/os_regex_free_pattern.o
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_free_substrings.c -o 
> > os_regex/os_regex_free_substrings.o
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_maps.c -o 
> > os_regex/os_regex_maps.o
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_match.c -o 
> > os_regex/os_regex_match.o
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_startswith.c -o 
> > os_regex/os_regex_startswith.o
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_str.c -o 
> > os_regex/os_regex_str.o
> >
> > cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> > -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> > -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> > -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED 
> > -Wall -Wextra -I./ -I./headers/ -c os_regex/os_regex_strbreak.c -o 
> > os_regex/os_regex_strbreak.o
> >
> > ar -crs os_regex.a os_regex/os_converter.o os_regex/os_match.o 
> > os_regex/os_match_compile.o os_regex/o

Re: [ossec-list] Trying to install OSSEC 3.6.0 under OpenBSD 6.8 fails

2021-02-01 Thread dan (ddp)
I think this patch should fix the inotify problem.
Not sure how to work on the geoip stuff, I think OpenBSD dropped the
ports for the old library.

On Sun, Jan 31, 2021 at 12:11 PM Carlos Lopez  wrote:
>
> Hi all,
>
>
>
> I am trying to install Ossec 3.6.0 under an OpenBSD 6.8 host to act as an 
> ossec-server, but the following errors appear:
>
>
>
> root@obsdtst:/tmp/ossec-hids-3.6.0/src# gmake TARGET=server PCRE2_SYSTEM=yes 
> ZLIB_SYSTEM=yes USE_INOTIFY=yes USE_GEOIP=1
>
> ………
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_execute.c -o 
> os_regex/os_regex_execute.o
>
> os_regex/os_regex_execute.c:57:34: warning: comparison of integers of 
> different signs: 'size_t' (aka 'unsigned long') and 'int' [-Wsign-compare]
>
> if (sub_string_start != -1) {
>
>  ^  ~~
>
> 1 warning generated.
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_free_pattern.c -o 
> os_regex/os_regex_free_pattern.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_free_substrings.c -o 
> os_regex/os_regex_free_substrings.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_maps.c -o 
> os_regex/os_regex_maps.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_match.c -o 
> os_regex/os_regex_match.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_startswith.c -o 
> os_regex/os_regex_startswith.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_str.c -o 
> os_regex/os_regex_str.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_regex/os_regex_strbreak.c -o 
> os_regex/os_regex_strbreak.o
>
> ar -crs os_regex.a os_regex/os_converter.o os_regex/os_match.o 
> os_regex/os_match_compile.o os_regex/os_match_execute.o 
> os_regex/os_match_free_pattern.o os_regex/os_pcre2.o 
> os_regex/os_pcre2_compile.o os_regex/os_pcre2_execute.o 
> os_regex/os_pcre2_free_pattern.o os_regex/os_pcre2_free_substrings.o 
> os_regex/os_regex.o os_regex/os_regex_compile.o os_regex/os_regex_execute.o 
> os_regex/os_regex_free_pattern.o os_regex/os_regex_free_substrings.o 
> os_regex/os_regex_maps.o os_regex/os_regex_match.o 
> os_regex/os_regex_startswith.o os_regex/os_regex_str.o 
> os_regex/os_regex_strbreak.o
>
> ranlib os_regex.a
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ -I./headers/ -c os_xml/os_xml.c -o os_xml/os_xml.o
>
> cc -I/usr/local/include -DMAX_AGENTS=2048 -DOSSECHIDS 
> -DDEFAULTDIR=\"/var/ossec\" -DUSER=\"ossec\" -DREMUSER=\"ossecr\" 
> -DGROUPGLOBAL=\"ossec\" -DMAILUSER=\"ossecm\" -DOpenBSD -pthread 
> -DZLIB_SYSTEM -DINOTIFY_ENABLED -DLIBGEOIP_ENABLED -DLIBOPENSSL_ENABLED -Wall 
> -Wextra -I./ 

Re: [ossec-list] MS Windows Security can prohibit the OSSEC agent

2021-01-29 Thread dan (ddp)
On Fri, Jan 29, 2021 at 6:39 AM lapin noel  wrote:
>
> I'm afraid there is the same info, but I couldn't find one in short browsing, 
> so I post here.
>
> When MS Windows Security/Defender(MSWS) validates heap integrity, the agent 
> crashes.
> And when MSWS does not validate, the agent runs without an error.
>
> The agent is run as admin.
>
> The MSWS settings are the following.
> In "App & browser control", in "Exploit protection settings", the "System 
> settings" are all set as "On by default".
> Where the "System settings" are: Control flow, Data Execution, Force 
> randomization, Randomize memory, High-entropy, Validate exception, Validate 
> heap.
> In "Program settings", one program is added to customize.
> The only customized program is C:/Program Files (x86)/ossec-agent/win32ui.exe.
> By "Edit", many settings can be selected by square checkboxes.
> Where only one check box is selected - "Validate heap integrity".
> The default system settings are "On" by the "System settings" stated above.
>
> When the slide button is left-side "Off", win32ui.exe runs without an error.
> The normal agent window appears.
>
> When the slide button is right-side "On", win32ui.exe crashes.
> MS Diagnostic Data Viewer reports as follows.
> (---
> win32ui.exe
>
> Description
> Faulting Application Path: C:\Program Files (x86)\ossec-agent\win32ui.exe
> Creation Time: 1/29/2021 5:20:39 PM
> Problem: Stopped working
> Status: Report sent
>
> Problem signature
> Problem Event Name: APPCRASH
> Application Name: win32ui.exe
> Application Version: 0.0.0.0
> Application Timestamp: 5e6e6eec
> Fault Module Name: StackHash_cee3
> Fault Module Version: 10.0.19041.662
> Fault Module Timestamp: 5f641e44
> Exception Code: c374
> Exception Offset: PCH_A5_FROM_ntdll+0x00071BDC
>
> Extra information about the problem
> Bucket ID: e0bfa8051f9ebad1ac54b45abee71e8d (2041454832948551309)
> ---)
>
> Windows 10 Home, version 20H2, build 19042.746
> ossec-agent-win32-3.6.0-12032.exe 1,604,775 bytes
> win32ui.exe 171,709 bytes
>


Hi!
I've seen similar crashes, but don't have a reliable windows machine
to try and debug them (and I don't know how to do that on Windows).
It's just been the gui interface that didn't work for me though, the
agent itself ran if I configured it manually.
Dan




Re: [ossec-list] Issue install ossec on ubuntu 18 and 20

2021-01-13 Thread dan (ddp)
On Wed, Jan 13, 2021 at 6:21 AM Kedar Mendhurwar
 wrote:
>
> Hi Folks,
>
> I have been trying to install ossec agent 3.6 on ubuntu 20.4 and each time I 
> try starting the service, I get the error " ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'." I have 
> tried this on a fresh install a couple of times with the same results. I 
> tried on ubuntu 18.4 with ossec version 3.1 with the same results.
>
> I even checked the wiki article 
> https://www.ossec.net/docs/faq/unexpected.html but this has been of no help. 
> According to the DOC " It means that ossec-analysisd is not running for some 
> reason which could be because ossec-analysisd didn’t start properly or 
> ossec-analysisd didn’t start at all.
>
> In my case when I tried starting ossec-analysisd manually, I found it wasn't 
> installed at all. Both Ubuntu versions with two different agent versions 
> resulted in the same error. In ossec documentation, they don't say how one 
> could manually install ossec.
>
> Any help would be greatly appreciated
>

ossec-analysisd is only installed on OSSEC servers or stand alone
systems, not on agents.
How did you install OSSEC on these agents?
Are there any errors before the Queue error in the ossec.log file?
You could try starting the processes manually to see what happens.
Something like (in different terminals because `-df` will keep them in
the foreground):
sudo /var/ossec/bin/ossec-agentd -df
sudo /var/ossec/bin/ossec-logcollector -df
sudo /var/ossec/bin/ossec-syscheckd -df


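An added check, not code from dan's reply or from the OSSEC project, that makes dan's point mechanical: on an agent the socket /var/ossec/queue/ossec/queue is created by ossec-agentd, on a server (or local-mode install) by ossec-analysisd, and ossec-logcollector and ossec-syscheckd only connect to it. So the FAQ's pointer to ossec-analysisd is a server-side answer, and on an agent the daemon to start first is ossec-agentd. The script only inspects the install tree; the paths it assumes are the standard /var/ossec layout and the daemon names are OSSEC's own.

```python
import os
import stat

# Daemons that accept -df (foreground, debug); agent-side ones listed first.
KNOWN_DAEMONS = ("ossec-agentd", "ossec-logcollector", "ossec-syscheckd", "ossec-execd",
                 "ossec-analysisd", "ossec-remoted", "ossec-monitord", "ossec-maild")


def _is_executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def install_kind(base="/var/ossec"):
    """'server' when ossec-analysisd is installed (server or local mode),
    'agent' when only the agent daemons are, 'unknown' otherwise."""
    if _is_executable(os.path.join(base, "bin", "ossec-analysisd")):
        return "server"
    if _is_executable(os.path.join(base, "bin", "ossec-agentd")):
        return "agent"
    return "unknown"


def queue_owner(base="/var/ossec"):
    """The daemon that creates queue/ossec/queue: ossec-analysisd on a server,
    ossec-agentd on an agent. The other daemons only connect to it, which is
    why they report 'Connection refused' when the owner is not running."""
    return {"server": "ossec-analysisd", "agent": "ossec-agentd"}.get(install_kind(base), "unknown")


def queue_state(base="/var/ossec"):
    """'present' when the queue socket exists, 'missing' when it does not."""
    path = os.path.join(base, "queue", "ossec", "queue")
    try:
        return "present" if stat.S_ISSOCK(os.stat(path).st_mode) else "not-a-socket"
    except FileNotFoundError:
        return "missing"


def debug_commands(base="/var/ossec"):
    """Foreground start commands for the daemons actually installed, queue
    owner first, to be run one per terminal as dan suggests."""
    owner = queue_owner(base)
    order = [owner] + [d for d in KNOWN_DAEMONS if d != owner]
    return [f"sudo {os.path.join(base, 'bin', d)} -df"
            for d in order
            if d != "unknown" and _is_executable(os.path.join(base, "bin", d))]


if __name__ == "__main__":
    print("install kind :", install_kind())
    print("queue owner  :", queue_owner())
    print("queue socket :", queue_state())
    for cmd in debug_commands():
        print(cmd)
```

Run it as root on the box that logs the queue error: if it prints "agent" and "missing", the daemon to start in the foreground first is ossec-agentd, and its output will show why it did not create the socket (commonly a missing or rejected server key rather than anything to do with ossec-analysisd).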


Re: [ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread dan (ddp)
On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva  wrote:
>
> Hi Kyriakos,
>
> Sorry for the late response. The default JSON decoder that OSSEC uses 
> (which you can find the path /var/ossec/ruleset/decoders/ 
> 0006-json_decoders.xml) should parse all the information present in a log. 
> For example, using the tool ossec-logtest which you can find in 
> /var/ossec/bin/ossec-logtest, and with the log:
>

This appears to be information about wazuh, not OSSEC.

> {"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> 2907.79,"endIndex": 2907.84,"step": 0.01}}
>
> we would achieve the following result, where we can see that all the fields 
> were correctly parsed:
>
> **Phase 1: Completed pre-decoding.
>full event: '{"header": {"name": "EcoScope Data","well": 
> "35/12-6S","field": "Fram","date": "2020-06-14","operator": "Logtek 
> Petroleum","startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>timestamp: '(null)'
>hostname: 'default'
>program_name: '(null)'
>log: '{"header": {"name": "EcoScope Data","well": "35/12-6S","field": 
> "Fram","date": "2020-06-14","operator": "Logtek Petroleum","startIndex": 
> 2907.79,"endIndex": 2907.84,"step": 0.01}}'
>
> **Phase 2: Completed decoding.
>decoder: 'json'
>header.name: 'EcoScope Data'
>header.well: '35/12-6S'
>header.field: 'Fram'
>header.date: '2020-06-14'
>header.operator: 'Logtek Petroleum'
>header.startIndex: '2907.79'
>header.endIndex: '2907.84'
>header.step: '0.01'
>
> You can also find the JSON decoder in this link: 
> https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0006-json_decoders.xml
>
> I will also leave you some information about customizing rules and decoders 
> for further insight: 
> https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html
>
> Hope I was helpful. Do not hesitate to contact us if you have any doubt.
>
> Yana.
>
> On Wednesday, September 30, 2020 at 9:13:36 PM UTC+2 Kyriakos Stavridis wrote:
>>
>> Hello everyone!
>>
>> I was trying to find all the possible fields that can exist in a JSON log 
>> entry that OSSEC produces.
>>
>> I know that by using decoders, you can add your own fields and extend the 
>> possible fields that OSSEC adds by itself.
>>
>> I'm referring to all the possible fields that can be produced exclusively by 
>> OSSEC's engine.
>>
>> Does anyone have any particular documentation or something close to that?
>>
>> Thanks!
>

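To make concrete what "all the fields were correctly parsed" means above, here is an added example (not code from the post, and not Wazuh's or OSSEC's decoder) that flattens a JSON event into the dotted, string-valued fields shown in the Phase 2 output: nested objects become dotted paths and every leaf is stringified, which is why the numbers come back quoted. The sample event is the one quoted above; the array handling (index appended to the path) and the Phase 2 rendering are this example's own choices, not behaviour the post states.

```python
import json

# Constructed sample: the same JSON event the post above fed to ossec-logtest.
SAMPLE_EVENT = ('{"header": {"name": "EcoScope Data","well": "35/12-6S","field": '
                '"Fram","date": "2020-06-14","operator": "Logtek Petroleum",'
                '"startIndex": 2907.79,"endIndex": 2907.84,"step": 0.01}}')


def flatten_json_event(raw, sep="."):
    """Flatten one JSON log line into {dotted.path: string} pairs.

    Returns None for input that is not a JSON object, so a caller can fall
    back to other decoders instead of treating the line as decoded.
    """
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None

    fields = {}

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}{sep}{key}" if prefix else key)
        elif isinstance(node, list):
            # Example's own convention: arrays are indexed into the path.
            for i, value in enumerate(node):
                walk(value, f"{prefix}{sep}{i}")
        elif node is None:
            fields[prefix] = "null"
        elif isinstance(node, bool):
            fields[prefix] = "true" if node else "false"
        else:
            fields[prefix] = str(node)   # numbers become strings, as in Phase 2

    walk(doc, "")
    return fields


def format_logtest_phase2(fields, decoder="json"):
    """Render fields in the ossec-logtest 'Phase 2' layout quoted in the post."""
    lines = ["**Phase 2: Completed decoding.", f"       decoder: '{decoder}'"]
    lines += [f"       {key}: '{value}'" for key, value in fields.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_logtest_phase2(flatten_json_event(SAMPLE_EVENT)))
```

One practical consequence for rule writing: because every value is a string after decoding, a rule that wants to compare header.startIndex numerically has to do so on the string form, and a key that itself contains a dot is indistinguishable from a nested object in the flattened output.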


Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread dan (ddp)
No worries. You added some great information.

On Mon, Nov 16, 2020 at 12:48 PM Scott Wozny  wrote:
>
> ACK!  Sorry!  Didn't see you'd already replied, Dan...
>
> What he said. :)
>
> Scott
>
>
> On Mon, Nov 16, 2020, 10:10 dan (ddp)  wrote:
>>
>> On Mon, Nov 16, 2020 at 7:27 AM Andrew S  wrote:
>> >
>> > Hi Brian,
>> >
>> > Thank you for the clarification but I don't understand why someone would 
>> > associate our website with dailymail.co.uk ?
>> >
>>
>> I haven't verified, but Brian mentioned dailymail being in the
>> referrer field. So there was (possibly) a link somewhere on the page
>> in the log message pointing at your site.
>>
>> > GET
>> >  / HTTP/2.0" 200 84
>> >  
>> > "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html;
>> >
>> > I understand the part of the log: GET / HTTP/2.0" 200
>> >
>> > I don't understand:
>> >
>> > 84
>> >  
>> > "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html;
>> >
>> > Why 84 and why this dailymail URL ?
>> >
>> > many thanks
>> > Andrew
>> >
>> > On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>> >>
>> >> Rule 1002 is a general catch-all rule which matches generic "bad words" 
>> >> like "failed" and "denied", as you can see here:
>> >>
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>> >>
>> >> It's a false positive for you, since the word "failed" appears in the 
>> >> Referer field of your HTTP logs.  You can silence these by writing your 
>> >> own more specific rule to catch them, e.g.
>> >> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>> >>
>> >> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>> >>>
>> >>> We keep receiving these notifications from OSSEC. Our site has nothing 
>> >>> to do with dailymail. Is this worrying or is this a false alert?
>> >>>
>> >>> Received From: server->/var/log/nginx/access.log
>> >>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> >>> Portion of the log(s):
>> >>>
>> >>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +] 
>> >>> "GET
>> >>>  / HTTP/2.0" 200 84
>> >>>  
>> >>> "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html;
>> >>>  "Mozilla/5.0
>> >>>  (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 
>> >>> (KHTML, like
>> >>>  Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>> >
>>
>



Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread dan (ddp)
On Mon, Nov 16, 2020 at 7:27 AM Andrew S  wrote:
>
> Hi Brian,
>
> Thank you for the clarification but I don't understand why someone would 
> associate our website with dailymail.co.uk ?
>

I haven't verified, but Brian mentioned dailymail being in the
referrer field. So there was (possibly) a link somewhere on the page
in the log message pointing at your site.

> GET
>  / HTTP/2.0" 200 84
>  
> "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html;
>
> I understand the part of the log: GET / HTTP/2.0" 200
>
> I don't understand:
>
> 84
>  
> "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html;
>
> Why 84 and why this dailymail URL ?
>
> many thanks
> Andrew
>
> On Monday, 16 November 2020 at 09:02:40 UTC Brian Candler wrote:
>>
>> Rule 1002 is a general catch-all rule which matches generic "bad words" like 
>> "failed" and "denied", as you can see here:
>>
>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L21
>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L31-L35
>>
>> It's a false positive for you, since the word "failed" appears in the 
>> Referer field of your HTTP logs.  You can silence these by writing your own 
>> more specific rule to catch them, e.g.
>> https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74
>>
>> On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote:
>>>
>>> We keep receiving these notifications from OSSEC. Our site has nothing to 
>>> do with dailymail. Is this worrying or is this a false alert?
>>>
>>> Received From: server->/var/log/nginx/access.log
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> 2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +] "GET
>>>  / HTTP/2.0" 200 84
>>>  
>>> "https://www.dailymail.co.uk/news/article-8949475/SOAS-failed-2017-admit-single-white-working-class-student.html;
>>>  "Mozilla/5.0
>>>  (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, 
>>> like
>>>  Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"
>

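An added example, not from Brian's or dan's replies and not an OSSEC rule, that answers both of Andrew's questions on a parsed copy of the nginx line and shows why the alert fired. In nginx's combined log format the field after the status is $body_bytes_sent, so the 84 is the size of the response body, and the quoted dailymail URL is the Referer the visitor's browser sent. The bad-word list below is a constructed subset in the spirit of rule 1002, not the rule's actual list; the "server fields only" check models the effect of the more specific rule Brian links to rather than OSSEC's rule syntax; and the sample line is reconstructed from the one in the thread, with the time zone (lost in the archive) assumed to be +0000.

```python
import re

# nginx "combined" log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample modelled on the line quoted in the thread.
SAMPLE_LINE = (
    '2a02:c7d:52b5:9600:df8:5196:fb48:404e - - [15/Nov/2020:08:28:41 +0000] '
    '"GET / HTTP/2.0" 200 84 '
    '"https://www.dailymail.co.uk/news/article-8949475/'
    'SOAS-failed-2017-admit-single-white-working-class-student.html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041"'
)

# Constructed subset of generic "bad words"; rule 1002's real list is in the
# syslog rules file linked above and is not reproduced here.
BAD_WORDS = ("failed", "denied", "error", "refused")

# Fields whose content is chosen by the remote client, not by the server.
CLIENT_CONTROLLED = ("referer", "user_agent", "request")


def parse_combined(line):
    """Split a combined-format access log line into named fields, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def bad_word_anywhere(text):
    """Catch-all behaviour: first bad word found anywhere in the raw text."""
    low = text.lower()
    for word in BAD_WORDS:
        if word in low:
            return word
    return None


def bad_word_in_server_fields(line):
    """Refined check: for an access log line, scan only the fields the server
    itself produces (client, user, time, status, bytes). Text the visitor
    controls, such as the Referer, cannot trigger the generic match. Lines
    that are not access log lines keep the catch-all behaviour."""
    fields = parse_combined(line)
    if fields is None:
        return bad_word_anywhere(line)
    for name, value in fields.items():
        if name in CLIENT_CONTROLLED:
            continue
        word = bad_word_anywhere(value)
        if word:
            return word
    return None


if __name__ == "__main__":
    f = parse_combined(SAMPLE_LINE)
    print("status:", f["status"], "body bytes:", f["bytes"])
    print("referer:", f["referer"])
    print("catch-all hit:", bad_word_anywhere(SAMPLE_LINE))
    print("server-fields hit:", bad_word_in_server_fields(SAMPLE_LINE))
```

The design point is that the generic rule is useful precisely because it scans everything, so the fix is not to weaken it but to route access log lines to a rule that knows which fields are attacker-controlled, which is what Brian's suggested more specific rule does in OSSEC terms.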


Re: [ossec-list] We can't connect the client to the server, shows that it never connected.

2020-11-10 Thread dan (ddp)
On Mon, Nov 9, 2020 at 7:37 AM Ziv Mansour  wrote:
>
> Hey, we're trying to connect our Windows servers to OSSEC.
> It works for some of them, as for others it isn't.
>
> The error:  ERROR: Incorrectly formatted message from
>
> We used the correct key, as it works on some servers.

Are each of the keys installed on each server unique? They need to be unique.
Are the packets from the rejected servers coming from the correct IP
addresses (you can use tcpdump on the ossec server to make sure)?

> We tried these links:
>
> https://www.ossec.net/docs/faq/unexpected.html#how-do-i-troubleshoot-ossec
> https://www.ossec.net/docs/faq/unexpected.html#agent-won-t-connect-to-the-manager-or-the-agent-always-shows-never-connected
> https://www.ossec.net/docs/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do
>
> How does it work here?
> Who do we talk to and can anyone help?
>
> Also my personal mail:
> ziv.mans...@gmail.com
>

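An added check, not from dan's reply and not an OSSEC tool, for the two things dan asks about. It reads a listing in the layout of the server's client.keys file (assumed here: one agent per line, ID NAME IP KEY, blank and "#" lines ignored) and reports agents that share a key, which is the uniqueness dan insists on, and agents that share an IP, which is the second thing to look at when packets arrive from an unexpected address. The sample is constructed with placeholder keys, not real key material.

```python
from collections import defaultdict

# Constructed sample in client.keys layout (ID NAME IP KEY); keys are placeholders.
SAMPLE_CLIENT_KEYS = """\
# constructed sample, not a real keystore
001 win-app-01 10.0.5.11 PLACEHOLDER_KEY_AAAA
002 win-app-02 10.0.5.12 PLACEHOLDER_KEY_BBBB
003 win-app-03 10.0.5.13 PLACEHOLDER_KEY_AAAA
004 win-db-01 10.0.5.12 PLACEHOLDER_KEY_CCCC
005 win-db-02 any PLACEHOLDER_KEY_DDDD
"""


def parse_client_keys(text):
    """Return ([(id, name, ip, key), ...], [malformed line numbers])."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) != 4:
            malformed.append(lineno)
            continue
        entries.append(tuple(parts))
    return entries, malformed


def find_duplicates(entries):
    """Group agent IDs by shared key and by shared fixed IP.

    Agents sharing a key are the case dan warns about. Agents sharing an IP
    (other than 'any') are worth listing too, because an agent whose packets
    arrive from an address registered to a different entry will not be
    matched to its own key.
    """
    by_key, by_ip = defaultdict(list), defaultdict(list)
    for agent_id, _name, ip, key in entries:
        by_key[key].append(agent_id)
        if ip != "any":
            by_ip[ip].append(agent_id)
    dup_keys = {k: ids for k, ids in by_key.items() if len(ids) > 1}
    dup_ips = {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}
    return dup_keys, dup_ips


def report(text):
    """Human-readable summary; returns the list of lines it would print."""
    entries, malformed = parse_client_keys(text)
    dup_keys, dup_ips = find_duplicates(entries)
    lines = [f"{len(entries)} agent entries, {len(malformed)} malformed line(s)"]
    for key, ids in dup_keys.items():
        lines.append(f"same key shared by agents {', '.join(ids)}")
    for ip, ids in dup_ips.items():
        lines.append(f"IP {ip} registered for agents {', '.join(ids)}")
    return lines


if __name__ == "__main__":
    # On a real server: report(open("/var/ossec/etc/client.keys").read())
    print("\n".join(report(SAMPLE_CLIENT_KEYS)))
```

The key values are deliberately never printed, only the agent IDs that collide, so the report can be pasted into a ticket or a list post without leaking key material.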


Re: [ossec-list] Issue with the Snort decoders

2020-10-20 Thread dan (ddp)
Hi Scott,

On Sat, Oct 17, 2020 at 6:47 PM saw...@gmail.com  wrote:
>
> In testing snort 2.9 inline operation logs against OSSEC (3.6.0), I have 
> found something weird.
>
>
> This “alert” event gets caught by the decoder:
>
>
> 10/17-21:23:32.374062 [**] [1:1002:0] /etc/passwd test detected [**] 
> [Priority: 0] {TCP} 10.1.4.2:59240 -> 10.1.7.2:80
>
>
> **Phase 1: Completed pre-decoding.
>
> full event: '10/17-21:23:32.374062 [**] [1:1002:0] /etc/passwd test 
> detected [**] [Priority: 0] {TCP} 10.1.4.2:59240 -> 10.1.7.2:80'
>
> hostname: 'ossec'
>
> program_name: '(null)'
>
> log: '[**] [1:1002:0] /etc/passwd test detected [**] [Priority: 0] {TCP} 
> 10.1.4.2:59240 -> 10.1.7.2:80'
>
>
> **Phase 2: Completed decoding.
>
> decoder: 'snort'
>
> id: '1:1002:0'
>
> srcip: '10.1.4.2'
>
> dstip: '10.1.7.2'
>
>
> **Phase 3: Completed filtering (rules).
>
> Rule id: '20101'
>
> Level: '6'
>
> Description: 'IDS event.'
>
> **Alert to be generated.
>
>
>
> This “drop” event, however, does not.
>
>
> 10/17-21:24:32.944406 [Drop] [**] [1:1002:0] cmd.exe test detected [**] 
> [Priority: 0] {TCP} 10.1.4.2:59244 -> 10.1.7.2:80
>
>
>
> **Phase 1: Completed pre-decoding.
>
> full event: '10/17-21:24:32.944406 [Drop] [**] [1:1002:0] cmd.exe test 
> detected [**] [Priority: 0] {TCP} 10.1.4.2:59244 -> 10.1.7.2:80'
>
> hostname: 'ossec'
>
> program_name: '(null)'
>
> log: '[Drop] [**] [1:1002:0] cmd.exe test detected [**] [Priority: 0] 
> {TCP} 10.1.4.2:59244 -> 10.1.7.2:80'
>
>
> **Phase 2: Completed decoding.
>
> No decoder matched.
>
>
> For your reference here are the Snort decoder lines from 
> /var/ossec/etc/decoder.xml:
>
>
> <decoder name="snort">
>   <program_name>^snort</program_name>
> </decoder>
>
> <decoder name="snort">
>   <type>ids</type>
>   <prematch_pcre2>^\[\*\*\] \[\d+:\d+:\d+\] </prematch_pcre2>
> </decoder>
>
> <decoder name="snort2">
>   <parent>snort</parent>
>   <type>ids</type>
>   <prematch_pcre2>^\[\*\*\] \[|^\[Drop\] \[\*\*\] \[|^\[</prematch_pcre2>
>   <regex_pcre2>(\d+:\d+:\d+)\] .+ (\S+?):?\d* -> </regex_pcre2>
>   <regex_pcre2>([^:]+)</regex_pcre2>
>   <order>id,srcip,dstip</order>
>   <fts>name,id,srcip,dstip</fts>
> </decoder>
>
>
> So what’s happening is that the alert event that starts with the timestamp 
> then [**] [#::#] matches the second “snort” decoder and then gets 
> further tested against the “snort2” decoder.
>
>
> However, the drop event that starts with the timestamp then [Drop] [**] 
> [#:###:#] only matches the “snort2” decoder. This decoder catches strings 
> that start with [**] OR [Drop] [**] OR [ and then sorts out the ID and IP 
> info after the prematch. The problem is that since “snort2” declares “snort” 
> as its parent, and the “snort” decoder only catches events which start with 
> [**] [#::#] only alert events make it to “snort2” for further 
> decoding.
>
>
> I have 3 proposed solutions:
>
>
> 1) Remove the “snort” parent requirement from the “snort2” decoder. I don’t 
> see any value added by making it contingent on a prematch_pcre2 that would 
> ALSO be caught by the child decoder’s prematch_pcre2 but I may be missing 
> something. If this is OK, this could also allow for the complete removal of 
> the second “snort” decoder since both would catch log lines starting with 
> [**] [#:###:#].
>
>
> 2) Change the second “snort” decoder’s prematch_pcre2 to: ^\[\*\*\] 
> \[\d+:\d+:\d+\]|^\[Drop\] \[\*\*\] \[\d+:\d+:\d+\] so it will match both 
> alert and drop events and allow access to the “snort2” decoder.
>
>
> 3) Add a third “snort” decoder with a prematch_pcre2 of ^\[Drop\] \[\*\*\] 
> \[\d+:\d+:\d+\]
>
>
> Does anyone see any superiority between these approaches? Also, how does one 
> propose a change to the built-in decoder.xml?
>

Which snort output are you using? It's been a long time since I've looked at it.
I think I like #1 the best, but I haven't had a chance to look into it
very much. You could create a pull request or an issue on github.
I'll try to install snort and get a better idea of what it all looks like again.

>
> Thanks,
>
>
> Scott
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/44af6fbc-8aa4-481f-9d5f-6b0520b9eab5n%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMoNoQSzD%2Bciukg7M1EE7%3D3oGZToTsyC_s5CgoARFEQVrQ%40mail.gmail.com.

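The decoder behaviour Scott describes in the thread above (the [Drop] line fails the parent "snort" prematch and so never reaches "snort2") can be replayed offline against the two quoted events. The following is an added example, not code from the post or from OSSEC itself: it models OSSEC's parent/child prematch chaining in a few lines of Python and compares the shipped decoder set with the three proposed fixes. The matching model (the first top-level decoder whose prematch hits wins, then the first child linked to it by name supplies the extracted fields) is a simplification of what ossec-analysisd does, and the function names (predecode, decode, compare) and the dict-based decoder sets are this example's own, not decoder.xml syntax.

```python
"""Replay the two Snort lines from the post through a minimal model of
OSSEC's decoder matching, to see why the [Drop] event never reaches
"snort2" and to check the three proposed fixes side by side."""
import re

# The two events quoted in the post (the "alert" line and the inline "drop" line).
ALERT_EVENT = ("10/17-21:23:32.374062 [**] [1:1002:0] /etc/passwd test detected "
               "[**] [Priority: 0] {TCP} 10.1.4.2:59240 -> 10.1.7.2:80")
DROP_EVENT = ("10/17-21:24:32.944406 [Drop] [**] [1:1002:0] cmd.exe test detected "
              "[**] [Priority: 0] {TCP} 10.1.4.2:59244 -> 10.1.7.2:80")

# Pre-decoding strips the leading Snort timestamp; what remains is the
# "log:" field that ossec-logtest shows and that the decoders match against.
_SNORT_TIMESTAMP = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ")


def predecode(event):
    """Return the 'log' part of a Snort fast-alert line (timestamp removed)."""
    return _SNORT_TIMESTAMP.sub("", event, count=1)


# Patterns copied from the decoder.xml excerpt in the post.
SNORT_PARENT_PREMATCH = r"^\[\*\*\] \[\d+:\d+:\d+\] "
SNORT2_PREMATCH = r"^\[\*\*\] \[|^\[Drop\] \[\*\*\] \[|^\["
SNORT2_REGEX = r"(\d+:\d+:\d+)\] .+ (\S+?):?\d* -> ([^:]+)"
SNORT2_ORDER = ("id", "srcip", "dstip")


def _snort2(parent):
    """The 'snort2' child decoder, with or without its <parent>snort</parent>."""
    dec = {"name": "snort2", "prematch": SNORT2_PREMATCH,
           "regex": SNORT2_REGEX, "order": SNORT2_ORDER}
    if parent:
        dec["parent"] = parent
    return dec


# Decoder sets: the shipped one and the three fixes proposed in the post.
ORIGINAL = [
    {"name": "snort", "program_name": r"^snort"},
    {"name": "snort", "prematch": SNORT_PARENT_PREMATCH},
    _snort2("snort"),
]
FIX_1_NO_PARENT = [_snort2(None)]  # snort2 stands alone, second "snort" dropped
FIX_2_WIDER_PARENT = [
    {"name": "snort", "program_name": r"^snort"},
    {"name": "snort",
     "prematch": r"^\[\*\*\] \[\d+:\d+:\d+\]|^\[Drop\] \[\*\*\] \[\d+:\d+:\d+\]"},
    _snort2("snort"),
]
FIX_3_EXTRA_PARENT = ORIGINAL[:2] + [
    {"name": "snort", "prematch": r"^\[Drop\] \[\*\*\] \[\d+:\d+:\d+\]"},
    _snort2("snort"),
]


def _prematch(dec, log, program_name):
    """A decoder keyed on program_name only fires when that field is set."""
    if "program_name" in dec:
        return (program_name is not None
                and re.search(dec["program_name"], program_name) is not None)
    return re.search(dec["prematch"], log) is not None


def _extract(dec, log):
    """Apply the decoder's regex, if any, and map its groups onto <order>."""
    if "regex" not in dec:
        return {}
    m = re.search(dec["regex"], log)
    return dict(zip(dec["order"], m.groups())) if m else {}


def decode(log, decoders, program_name=None):
    """Simplified OSSEC matching: the first top-level decoder whose prematch
    hits wins; then the first of its children (linked by name via <parent>)
    that also prematches supplies the fields. Returns (decoder_name, fields),
    or (None, {}) when no decoder matched."""
    for parent in (d for d in decoders if "parent" not in d):
        if not _prematch(parent, log, program_name):
            continue
        matched, fields = parent, _extract(parent, log)
        for child in (d for d in decoders if d.get("parent") == parent["name"]):
            if _prematch(child, log, program_name):
                matched, fields = child, _extract(child, log)
                break
        return matched["name"], fields
    return None, {}


def compare(decoder_sets):
    """Run both sample events through each decoder set.
    Returns {label: {"alert": (name, fields), "drop": (name, fields)}}."""
    return {label: {"alert": decode(predecode(ALERT_EVENT), decs),
                    "drop": decode(predecode(DROP_EVENT), decs)}
            for label, decs in decoder_sets.items()}


if __name__ == "__main__":
    sets = {"original": ORIGINAL, "fix 1": FIX_1_NO_PARENT,
            "fix 2": FIX_2_WIDER_PARENT, "fix 3": FIX_3_EXTRA_PARENT}
    for label, results in compare(sets).items():
        for kind, (name, fields) in results.items():
            print(f"{label:9} {kind:5} -> decoder={name!r} fields={fields}")
```

Run as a script it prints one line per event and decoder set: the original set returns no decoder for the drop line, while each of the three fixes yields id 1:1002:0, srcip 10.1.4.2 and dstip 10.1.7.2 for both lines. Fix 1 also drops the second "snort" decoder, as the post suggests, so with it the plain "snort" name no longer appears in the decoder field; which variant to prefer is then a question of keeping the upstream decoder layout intact rather than of matching power.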

Re: [ossec-list] Windows Server agent not sending notifications to Linux server

2020-08-18 Thread dan (ddp)
On Mon, Aug 17, 2020 at 10:42 PM Daniel Gerep  wrote:
>
> Hi all,
>
> I am starting to use OSSEC so I may be doing something wrong here.
>
> I have OSSEC installed as a server in my Linux VM and the Agent in my Windows 
> Server 2012 VM.
>
> My server has the default configuration plus this:
>
>   <command>
>     <name>ossec-slack</name>
>     <executable>ossec-slack.sh</executable>
>     <expect></expect>
>     <timeout_allowed>no</timeout_allowed>
>   </command>
>
>   <active-response>
>     <disabled>no</disabled>
>     <command>ossec-slack</command>
>     <location>local</location>
>     <level>3</level>
>   </active-response>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
> In my Server, using the agent_control I can see my agent is active
>
> [root@gateway1-proxy bin]# ./agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: gateway1-proxy (server), IP: 127.0.0.1, Active/Local
> ID: 001, Name: clearing-optimizer, IP: XX.XX.X.X, Active
>
> With that, I believe my server and agent are communicating as expected.
>

You can look for alerts for log messages sent by the agent in
/var/ossec/logs/alerts/alerts.log on the server.
If there aren't any, turning on the log all option and checking
archives.log would be my next step.

> In my server's log, I have a lot of:
>
> 2020/08/17 19:25:18 ossec-remoted: WARN: Duplicate error:  global: 22, local: 
> 7947, saved global: 22, saved local:7948
> 2020/08/17 19:25:18 ossec-remoted(1407): ERROR: Duplicated counter for 
> 'clearing-optimizer'.
>
> I have found an old post here in this group and applied the suggestion but 
> the same error appears again after a while. I have also tried removing the 
> agent and adding again, with a different ID and name but again, after a 
> while, the error appears.
>

I'm not sure why that would be happening over and over, but you might
have to disable rids support entirely (set remoted.verify_msg_id=0 in
/var/ossec/etc/local_internal_options.conf).

> In my agent, I have the default configuration plus this:
>
>   <active-response>
>     <disabled>no</disabled>
>     <location>server</location>
>     <level>3</level>
>   </active-response>
>
> So, in my understanding, this is sending any active-response event to the 
> server, is that correct?
>

That's not how it works.
The agent monitors its own log files. When a new entry is written, the
agent sends the log message to the server.
The server then decodes the log message and compares it to its set of
rules. If a rule is triggered, an alert is created.
If that alert triggers an active response, the server sends a message
to the configured active response location.

In the case of the slack script, I believe it's run locally on the
server (it's been a long time since I looked at the script).

> Also, another question, is there a way to trigger an event in my agent 
> (Windows) so I can check if the server is receiving the notification 
> correctly?
>

Failing to log in a few times would trigger a log message. These log
messages should trigger alerts on the ossec server for that agent.

> Thank you.
>
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/010078f3-af73-4b7d-ba9c-88bf1f1694b0n%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMp8bWDvO_oQy1TiP%3DOvq2Ax6uUAKpisCfXSzmd3EMORzg%40mail.gmail.com.


Re: [ossec-list] OSSEC can't parse greek characters

2020-08-18 Thread dan (ddp)
On Thu, Aug 13, 2020 at 6:22 AM Kyriakos Stavridis  wrote:
>
> Hello dan, thank you for your response.
>
> My goal is to enable OSSEC to parse utf-8. Isn't there any option that would 
> allow me to do that?
>

Not currently.

> I would really like to contribute to OSSEC and add this myself. Sadly, I do 
> not know how. Do you have any suggestions on how to start or where to look 
> first?
>

I'd probably start by figuring out how various systems support utf8
and where this would have to be added to ossec.

> Kind regards,
> K.Stavridis
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/8ff56f9e-037a-4a5a-8e76-ab57323ed7d3o%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrRXdZUoVFaEz_7O%2BX3_Ajj_WS1Ms-fj3K__%2BCUGn05%3Dg%40mail.gmail.com.


Re: [ossec-list] OSSEC can't parse greek characters

2020-08-07 Thread dan (ddp)
On Fri, Aug 7, 2020 at 5:23 AM Kyriakos Stavridis  wrote:
>
> Hello everyone,
>
> When I install an agent on a machine, considering I live in Greece, I usually 
> face the problem that windows logs contain some Greek characters and OSSEC 
> server doesn't seem to be able to parse them.
>
> The part of the log that is in Greek (ex. a filename or a usename), after the 
> analysis, is shown as weird characters and rectangles and stuff that of 
> course are not machine readable or human readable.
>
> Does anyone have any suggestion on solving this issue?
>

OSSEC doesn't really have any support for non-ascii character sets.
Pull requests would be welcome though!

> Thanks!
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/24b17f30-69c5-4c4b-8845-fd272bd92bc9n%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMpxvRkeZeyza27hC9J96bDZXAnnODe4A00ZgTxuGUu_ow%40mail.gmail.com.


Re: [ossec-list] OSSEC syslog server

2020-08-03 Thread dan (ddp)
On Thu, Jul 30, 2020 at 8:43 AM Kyriakos Stavridis  wrote:
>
> Hello everyone,
>
> When devices are configured to send remote syslog to OSSEC on port 514 (let's 
> say a security product), are these syslog logs saved somewhere? even if they 
> don't trigger an alert? As any other normal syslog server would do.
>

Not by default, but turning on the log all option might save them to
archives.log.

> The problem I'm trying to solve is that I want to supervise a service that 
> will send logs to OSSEC with remote syslog on port 514 but since they won't 
> trigger any alert and they will not match any decoder, I won't be able to see 
> them anywhere. I want to see them all somehow so I can study their format and 
> write the appropriate decoders and rules to satisfy that firewall's security 
> requirements.
>
> Thanks! :)
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/dae419ac-49c5-4ce0-aed0-896ba07c8a2fo%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMpdMC5ZT%3Dsd4Ff5itKkfFR85N_Peq7iCFxBachKYHEnuA%40mail.gmail.com.


Re: [ossec-list] HOW TO CONFIGURE OSSEC WARNING THROUGH EMAIL

2020-07-13 Thread dan (ddp)
On Sat, Jul 11, 2020 at 9:51 PM Jeff Dyke  wrote:
>
> my bad Dan, i thought i remembered somewhere that it was only getting 
> critical updates.  Thanks for the people's time that gets put into it!  Sorry 
> for the confusion, on my part.
>

No worries, there isn't a lot going on with the code base at the
moment. Energy and spare time for hobbies don't come easily these
days.

> On Thu, Jul 9, 2020 at 8:05 AM dan (ddp)  wrote:
>>
>> On Wed, Jul 8, 2020 at 8:45 PM Jeff Dyke  wrote:
>> >
>> > As Dan alluded to, I use a local postfix null mailer on my lan that sends 
>> > to a postfix relay from a single/failover point that then sends to gmail.
>> >
>> > Dan.  I have a question for you, perhaps i should start a new thread, but 
>> > you're so damn diligent about responding to queries, i thought i may just 
>> > append to my answer.  I know that OSSEC is EOL except for serious 
>> > changes/bugs.  I've used ossec for years and eventually moved to wazuh, 
>> > which I appreciate the fact that your name is in the credits, What is the 
>> > plan to support the current and non moving version of OSSEC?
>> >
>>
>> This is news to me. AFAIK the project isn't dead, just moving very
>> slowly. There's no commercial entity behind development, so it gets
>> the time and energy people put into it.
>>
>> > Thank you for all of your efforts, being on this list for many years has 
>> > taught me a lot about the underpinnings of your project!
>> >
>> > Thanks,
>> > Jeff
>> >
>> > On Wed, Jul 8, 2020 at 2:55 PM dan (ddp)  wrote:
>> >>
>> >> On Tue, Jul 7, 2020 at 4:29 AM lê danh  wrote:
>> >> >
>> >> > I am a new user, I just have ossec installed and I want to try its 
>> >> > email feature. I have configured the email address in ossec.conf as 
>> >> > follows:
>> >> >
>> >> > <global>
>> >> >   <email_notification>yes</email_notification>
>> >> >   <email_to>conme...@gmail.com</email_to>
>> >> >   <smtp_server>alt4.gmail-smtp-in.l.google.com.</smtp_server>
>> >> >   <email_from>ossecm @ ubuntu</email_from>
>> >> > </global>
>> >> >
>> >> > <email_alerts>
>> >> >   <email_to>conme...@gmail.com</email_to>
>> >> >   <level>5</level>
>> >> > </email_alerts>
>> >> >
>> >> > and expect to receive email alerts at level 5 or higher, but the error 
>> >> > has occurred as follows:
>> >> > 2020/07/06 02:51:42 ossec-maild (1261): ERROR: Waiting for child 
>> >> > process. (status: 139).
>> >> > 2020/07/06 02:51:42 ossec-maild (1223): ERROR: Error Sending email to 
>> >> > alt4.gmail-smtp
>> >> >
>> >> > It didn't work, I hope everyone can help me fix this problem as soon as 
>> >> > possible. Sincerely thank you.
>> >> >
>> >>
>> >> I'm pretty sure gmail requires authentication. So you'll have to relay
>> >> the OSSEC emails through an smtp server that doesn't require auth.
>> >> Luckily, the OSSEC server is running on a Linux or other unix-like
>> >> system. An smtpd usually comes installed on the good ones.
>> >> Configure the locally installed smtpd to relay the messages through gmail.
>> >>
>> >> > To view this discussion on the web visit 
>> >> > https://groups.google.com/d/msgid/ossec-list/c337727b-7a3b-4fa6-a428-3af96a0c4c54o%40googlegroups.com.
>> >>
>> >> To view this discussion on the web visit 
>> >> https://groups.google.com/d/msgid/ossec-list/CAMyQvMob1QOQCTti8ryS1Ow9Ezkz5BrMd2Zy2jq1TzoPqarhrA%40mail.gmail.com.
>> >

Re: [ossec-list] REMOTE COMMANDS ARE NOT ACCEPTED FROM THE MANAGER. IGNORING IT ON THE AGENT.CONF

2020-07-13 Thread dan (ddp)
On Mon, Jul 13, 2020 at 10:11 AM lê danh  wrote:
>
> Hello everyone, I want to use ossec to be able to track progress on a windows 
> computer, follow the instructions from here 
> (http://santi-bassett.blogspot.com/2015/08/how-to-monitor-running-processes-with-ossec.html).
>
> I did it exactly according to the instructions on the windows machine 
> (windows server 2012):
> - In the file internal_options.conf I have converted   
> logcollector.remote_commands = 1
> - I also added in the file local_internal_options.conf
> logcollector.remote_commands = 1
>
> On OSSEC server (ossec 3.1.0) I configured the agent.conf file as follows:
>
> <agent_config>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>tasklist</command>
>     <frequency>60</frequency>
>   </localfile>
> </agent_config>
>
> But when I verify agent.conf, the message is as follows:
>
> 2020/07/13 21:02:42 verify-agent-conf: Remote commands are not accepted from 
> the manager. Ignoring it on the agent.conf
> 2020/07/13 21:02:42 verify-agent-conf (1202): ERROR: Configuration error at 
> '/var/ossec/etc/shared/agent.conf'. Exiting.
>
> Hope everyone can show me how to fix this, thank you very much
>

Did you restart the ossec service on the agent?

> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/2fc0eeb8-3a30-45d4-b8c4-2e0ec2b649b3o%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrjBq1zMWVZbTwcn%2BUkGzG5Tesw7usy8VEW5bKA9Gtrng%40mail.gmail.com.


Re: [ossec-list] HOW TO CONFIGURE OSSEC WARNING THROUGH EMAIL

2020-07-09 Thread dan (ddp)
On Wed, Jul 8, 2020 at 8:45 PM Jeff Dyke  wrote:
>
> As Dan alluded to, I use a local postfix null mailer on my lan that sends to 
> a postfix relay from a single/failover point that then sends to gmail.
>
> Dan.  I have a question for you, perhaps i should start a new thread, but 
> you're so damn diligent about responding to queries, i thought i may just 
> append to my answer.  I know that OSSEC is EOL except for serious 
> changes/bugs.  I've used ossec for years and eventually moved to wazuh, which 
> I appreciate the fact that your name is in the credits, What is the plan to 
> support the current and non moving version of OSSEC?
>

This is news to me. AFAIK the project isn't dead, just moving very
slowly. There's no commercial entity behind development, so it gets
the time and energy people put into it.

> Thank you for all of your efforts, being on this list for many years has 
> taught me a lot about the underpinnings of your project!
>
> Thanks,
> Jeff
>
> On Wed, Jul 8, 2020 at 2:55 PM dan (ddp)  wrote:
>>
>> On Tue, Jul 7, 2020 at 4:29 AM lê danh  wrote:
>> >
>> > I am a new user, I just have ossec installed and I want to try its email 
>> > feature. I have configured the email address in ossec.conf as follows:
>> >
>> > <global>
>> >   <email_notification>yes</email_notification>
>> >   <email_to>conme...@gmail.com</email_to>
>> >   <smtp_server>alt4.gmail-smtp-in.l.google.com.</smtp_server>
>> >   <email_from>ossecm @ ubuntu</email_from>
>> > </global>
>> >
>> > <email_alerts>
>> >   <email_to>conme...@gmail.com</email_to>
>> >   <level>5</level>
>> > </email_alerts>
>> >
>> > and expect to receive email alerts at level 5 or higher, but the error has 
>> > occurred as follows:
>> > 2020/07/06 02:51:42 ossec-maild (1261): ERROR: Waiting for child process. 
>> > (status: 139).
>> > 2020/07/06 02:51:42 ossec-maild (1223): ERROR: Error Sending email to 
>> > alt4.gmail-smtp
>> >
>> > It didn't work, I hope everyone can help me fix this problem as soon as 
>> > possible. Sincerely thank you.
>> >
>>
>> I'm pretty sure gmail requires authentication. So you'll have to relay
>> the OSSEC emails through an smtp server that doesn't require auth.
>> Luckily, the OSSEC server is running on a Linux or other unix-like
>> system. An smtpd usually comes installed on the good ones.
>> Configure the locally installed smtpd to relay the messages through gmail.
>>
>> > To view this discussion on the web visit 
>> > https://groups.google.com/d/msgid/ossec-list/c337727b-7a3b-4fa6-a428-3af96a0c4c54o%40googlegroups.com.
>>
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ossec-list/CAMyQvMob1QOQCTti8ryS1Ow9Ezkz5BrMd2Zy2jq1TzoPqarhrA%40mail.gmail.com.
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/CAHmnZdaGUok%2BijTLnPxXc3izRkcXhPEDMqeVWQH7QJVZT2aWmw%40mail.gmail.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrMtRcuw8J4%3DLz%2BAnEw8myd2H2Pd-wLPSwZgRfapUWgng%40mail.gmail.com.


Re: [ossec-list] Unnatended installation with .deb and .rpm packages

2020-07-08 Thread dan (ddp)
On Wed, Jul 8, 2020 at 2:53 PM Mm Dd  wrote:
>
> Hello all,
>
> First, nice to meet you all, and congratulations for the fantastic product 
> you have developed and released to the public.
>
> My question is if it is possible to carry out an unattended OSSEC agent 
> deployment using preloaded-vars.conf file in conjunction with .deb and .rpm 
> package managers.
>
> The method I am planning to use to deploy the agent is not compatible with 
> building from the tarball (I need to include .deb and .rpm packages instead).
>
> I have inspected the .deb archive for Ubuntu 18.04 and I could not find any 
> reference to the preloaded-vars.conf file.
>
> If it is not possible to proceed this way, I will have to find a workaround.
>
> Thanks a lot in advance!
>

I don't think so. You could use something like ansible to set up the
agents after installation though.

> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/98533645-c0a7-4ea5-a1a4-478ff01f847bo%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMr4RCU-k7OySt8SskULD%3D%3DOTkNcMjSrJBQXOM7E6Had_Q%40mail.gmail.com.


Re: [ossec-list] HOW TO CONFIGURE OSSEC WARNING THROUGH EMAIL

2020-07-08 Thread dan (ddp)
On Tue, Jul 7, 2020 at 4:29 AM lê danh  wrote:
>
> I am a new user, I just have ossec installed and I want to try its email 
> feature. I have configured the email address in ossec.conf as follows:
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>conme...@gmail.com</email_to>
>   <smtp_server>alt4.gmail-smtp-in.l.google.com.</smtp_server>
>   <email_from>ossecm @ ubuntu</email_from>
> </global>
>
> <email_alerts>
>   <email_to>conme...@gmail.com</email_to>
>   <level>5</level>
> </email_alerts>
>
> and expect to receive email alerts at level 5 or higher, but the error has 
> occurred as follows:
> 2020/07/06 02:51:42 ossec-maild (1261): ERROR: Waiting for child process. 
> (status: 139).
> 2020/07/06 02:51:42 ossec-maild (1223): ERROR: Error Sending email to 
> alt4.gmail-smtp
>
> It didn't work, I hope everyone can help me fix this problem as soon as 
> possible. Sincerely thank you.
>

I'm pretty sure gmail requires authentication. So you'll have to relay
the OSSEC emails through an smtp server that doesn't require auth.
Luckily, the OSSEC server is running on a Linux or other unix-like
system. An smtpd usually comes installed on the good ones.
Configure the locally installed smtpd to relay the messages through gmail.

> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/c337727b-7a3b-4fa6-a428-3af96a0c4c54o%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMob1QOQCTti8ryS1Ow9Ezkz5BrMd2Zy2jq1TzoPqarhrA%40mail.gmail.com.


Re: [ossec-list] not receiving alerts on email.

2020-06-21 Thread dan (ddp)
On Fri, Jun 19, 2020 at 7:30 AM siddharth jha  wrote:
>
> Yes, I have selected smtp as localhost and am using sendmail to do this process,
> and I am getting this msg in maillog:
>
> Jun 19 16:25:42 OssecVM sm-mta[25838]: 05GCIXFs019057: 
> to=, ctladdr= (0/0), delay=2+22:37:09, 
> xdelay=00:00:00, mailer=esmtp, pri=38460588, 
> relay=mailstore1.secureserver.net., dsn=4.0.0, stat=Deferred
>
> can you suggest something?
> Thank You
>

My guess would be some issue between your sendmail and secureserver,
but I don't know how to set up either of those things.

>
>
> On Wednesday, June 17, 2020 at 5:53:42 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 16, 2020 at 7:21 AM siddharth jha  wrote:
>> >
>> > Hi,
>> >
>> > I'm new to ossec and recently installed OSSEC 3.6.0 on an Ubuntu 18.04.04 
>> > server successfully.
>> > I also added some Windows agents and I can see alerts on the ossec web-ui, but I'm not 
>> > receiving any alerts on email.
>> > I need suggestions on how I should configure alerts to get the same over email 
>> > also.
>> > Thanks
>> >
>>
>> Did you configure the smtp server in /var/ossec/etc/ossec.conf?
>> Do you see any errors in your smtp server's logs (often /var/log/maillog)?
>>
>> > To view this discussion on the web visit 
>> > https://groups.google.com/d/msgid/ossec-list/a9ff0723-17c0-4707-b53d-df1f0d4b96fbo%40googlegroups.com.
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/42dad815-132e-49d5-b159-aae10e48775eo%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMq8vwhH%2BXOJF-CQ-%3DHQnFybsAL3%3D7nDtZJEUYYTHm_-aA%40mail.gmail.com.


Re: [ossec-list] Missing ossec-hids in logrotate.d

2020-06-18 Thread dan (ddp)
On Wed, Jun 17, 2020 at 5:06 PM Scott Wozny  wrote:
>
> OK, so after a little more digging, I see now why there is no logrotate 
> script that comes with the build from source since the files in 
> /var/ossec/logs/alerts, archives and firewall are managed and compressed by 
> ossec, itself.  :)
>
> This leaves me with a couple questions, though.
> 1) Is the size of ossec.log managed in the same way or should I have a plan 
> for handling that file as it grows (logrotate or whatever)?  I didn't see a 
> date based storage structure like with the other 3 log subdirectories (and 
> the ossec.log has more than a day's worth of data, unlike the other 3), but I 
> wanted to confirm.

OSSEC does not manage the ossec.log file.

> 2) Can / should I be monitoring /var/ossec/logs/ossec.log?  My only concern 
> is creating some sort of infinite loop situation where I create a line in the 
> file that causes an alert that causes another line to be created in the file 
> that causes another alert etc... until the disk fills up.

I think that's why it isn't monitored by default. I'd be wary of
monitoring it with itself. Not to say it can't be done, but you'd have
to be careful.

> 3) This is a little off-topic, but what is the purpose of firewall.log?  I 
> can't seem to find any reference in the documentation.
>

I don't know. I think the idea was that firewalls log a lot of stuff
all the time, and you don't necessarily want them clogging up the
usual log files. But that's just a guess.

> Thanks,
>
> Scott
>
> On Wed, Jun 17, 2020 at 1:37 PM Scott Wozny  wrote:
>>
>> Thanks for the reply, Dan.  I'll probably roll my own logrotate script and 
>> use the one from the Atomic repo 3.3.0 install as a base.  And yes, 
>> ossec.log was empty because I hadn't started the agent yet.  I had assumed a 
>> different purpose for that file, but now that I'm running a few agents 
>> reporting to a server it all makes more sense now.  :)
>>
>> Scott
>>
>> On Wed, Jun 17, 2020 at 8:26 AM dan (ddp)  wrote:
>>>
>>> On Mon, Jun 15, 2020 at 3:09 PM Scott Wozny  wrote:
>>> >
>>> > I'm trying to get off the Atomic repo for a variety of reasons, so I just 
>>> > did a 3.6.0 agent install from the tarball's script on a CentOS 7 minimal 
>>> > machine to test the process and compatibility with my build tweaks.  One 
>>> > of the issues I had with the Atomic repo 3.3.0 package install was 
>>> > /var/ossec/logs was of SELinux fcontext var_t rather than var_log_t which 
>>> > made those files inaccessible on an enforcing machine to logrotate_t.  An 
>>> > easy fix, but I never got around to doing it.  Now I see there is no 
>>> > ossec-hids script in /etc/logrotate.d.  Is this intentional (as in, I 
>>> > need to roll my own) or could something have gone wrong during the 
>>> > install?  I didn't see anything in /var/log/messages or journalctl and 
>>> > /var/ossec/logs/ossec.log (the only file in that directory) is empty.  Is 
>>> > there anywhere that install results are logged or am I just expected to 
>>> > go through the output after ./install.sh?
>>> >
>>> > Any assistance or suggestions would be appreciated.
>>> >
>>>
>>> We don't include a log rotate script.
>>> We don't log anything in the install.sh (I usually tee it to a file
>>> when I'm curious).
>>> If ossec.log is empty, ossec probably isn't running. Or maybe an selinux 
>>> issue?
>>>
>>> > Thanks,
>>> >
>>> > Scott
>>> >
>>> > To view this discussion on the web visit 
>>> > https://groups.google.com/d/msgid/ossec-list/63ff1d8d-3877-48b4-b3c1-d558b4427219o%40googlegroups.com.
>>>
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/ossec-list/CAMyQvMq0y6SB1EHeNaT7hZxh%2BvYaGXnrZRnn6VEQgvXo7vF93A%40mail.gmail.com.
>
> --
>
> ---
> You rece

Re: [ossec-list] 2 instances of ossec-maild

2020-06-17 Thread dan (ddp)
On Wed, Jun 17, 2020 at 1:31 PM Scott Wozny  wrote:
>
> Hi Dan,
>
> Very interesting!  Feels kind of Rube Goldberg-y but I fully understand the 
> reasoning and it makes perfect sense in the context of what's trying to be 
> accomplished here.  I very much appreciate the explanation!  :)
>

Maybe, but it's not too bad. Everything except the connector process
existed before, and I couldn't think of a better way to do it. It was
fun, but definitely needs some polishing.

> Thanks,
>
> Scott
>
> On Wed, Jun 17, 2020 at 8:22 AM dan (ddp)  wrote:
>>
>> On Tue, Jun 16, 2020 at 5:35 PM Scott Wozny  wrote:
>> >
>> > Just an "idle curiosity" kind of question.  In a 3.6.0 server installed 
>> > from the tarball on CentOS 7, when I run a ps, I have 2 instances of 
>> > /var/ossec/bin/ossec-maild running, both under UID ossecm.  Does anyone 
>> > know why there are 2 instances of the same process run by the same user?
>> >
>>
>> When ossec-maild (I'll call it main) starts it forks off another
>> process (I'll call this one connector). There is a socket pair shared
>> between them for communication.
>> When the main process determines that an email should be sent, it
>> forks off another process (OS_Sendmail()). This sendmail process sends
>> a request to the connector process. The connector process finds the
>> smtp server and connects to it. Then forwards that connection back to
>> the sendmail process.
>> The purpose of all of this was to make managing it a bit easier. The
>> main process is chroot()ed to /var/ossec, so dns lookups for the smtp
>> server (if you don't use an IP address) were difficult. At a minimum
>> the /etc/resolv.conf had to be copied to /var/ossec/etc. Even that
>> didn't seem to work on some systems.
>> So the connector process was created. It is not chrooted, so it has
>> access to the entire system. resolv.conf no longer had to be copied,
>> and it even seemed to help with the "ipv6 is disabled" queries.
>>
>> > Thanks,
>> >
>> > Scott
>> >


Re: [ossec-list] Windows 2012 logs missing

2020-06-17 Thread dan (ddp)
On Wed, Jun 17, 2020 at 9:26 AM Rashad Mogsi  wrote:
>
> First, thanks for the reply.
> I did install ossec-hids-agent and it's active on the OSSEM server.
> So I can't receive any logs in the OSSEM web.
> So I want to know how to change the refresh rate of receiving logs from the server 
> to the web interface GUI.
>

You can check the /var/ossec/logs/alerts.log file on the OSSEC server
to see if the agent is triggering alerts.
If you turn on the logall option on the OSSEC server, you can check
/var/ossec/logs/archives/archives.log to make sure the agent is
sending logs to the OSSEC server.
I don't know enough about OSSEM to help with that though.

>
> Thank you again for your attention .
>
> On Wednesday, June 17, 2020 at 6:19:29 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 17, 2020 at 9:15 AM Rashad Mogsi  wrote:
>> >
>> > I have installed OSSEM Server on ESXi and I can't receive any logs from the 
>> > Windows server.
>> > Are there any configurations I should do on the OSSEM side or on the Windows side 
>> > so I can see the logs?
>> >
>>
>> OSSEM or OSSEC? I can't help you with OSSEM.
>> If you're using OSSEC, did you install the agent software on the Windows 
>> host?
>> Did you add the agent to the OSSEC server?
>>
>> > any one can answer?
>> >


Re: [ossec-list] OSSEC Sys Log/Custom Log Capability

2020-06-17 Thread dan (ddp)
On Wed, Jun 17, 2020 at 9:15 AM sensato cybersecurity  wrote:
>
> Would someone know if the following is possible?
>
> I have a product by the name of BitDefender which can produce a log - the log 
> is in CEF format I believe.  That log contains alerts that are raised by 
> various endpoints being monitored by BitDefender.
>
> Is there a way I could deploy an OSSEC agent on the BitDefender server and 
> read in the log it produces and send that information as alerts to the OSSEC 
> server?
>

I don't know much about bitdefender, so it's hard to say. OSSEC can
install on most Windows and Linux systems. If it's a blackbox
appliance it would be a lot harder. Looking at their site there are a
lot of products. Which one are you using specifically?
Is the log file an actual file or does it log to a database or something?

> The log being produced by BitDefender is usually sent to a SIEM, so basically 
> I am trying to get the OSSEC agent to act as a mini-SIEM - reading custom 
> logs.
>


Re: [ossec-list] Windows 2012 logs missing

2020-06-17 Thread dan (ddp)
On Wed, Jun 17, 2020 at 9:15 AM Rashad Mogsi  wrote:
>
> I have installed OSSEM Server on ESXi and I can't receive any logs from the 
> Windows server.
> Are there any configurations I should do on the OSSEM side or on the Windows side 
> so I can see the logs?
>

OSSEM or OSSEC? I can't help you with OSSEM.
If you're using OSSEC, did you install the agent software on the Windows host?
Did you add the agent to the OSSEC server?

> any one can answer?
>


Re: [ossec-list] Slack Group?

2020-06-17 Thread dan (ddp)
Yes there is! I believe the details are here:
https://www.ossec.net/join-us-on-slack/

On Wed, Jun 17, 2020 at 9:15 AM sensato cybersecurity  wrote:
>
> Is there a slack group for the OSSEC community?
>


Re: [ossec-list] Problem with alerting file changes and checksum integrity

2020-06-17 Thread dan (ddp)
On Sun, Jun 14, 2020 at 2:57 AM John Goh  wrote:
>
> So I should just leave the IDS running for a period of time and it will log 
> in real-time?
>

It's supposed to.

> The only changes that the IDS currently logs are like files in etc and 
> Mozilla cache. Nothing else in particular on those directories specified.
>

Check the ossec.log for log messages related to those directories by
ossec-syscheckd. You can even kill ossec-syscheckd and run it again in
debug (pkill ossec-syscheckd && /var/ossec/bin/ossec-syscheckd -d) to
increase the logging.
Also check the syscheck db (/var/ossec/queue/syscheck/ has the
syscheck databases, they're named after the agents) to see if files in
the directories you specified are there.


> On Sunday, June 14, 2020 at 4:33:43 AM UTC+8, dan (ddpbsd) wrote:
>>
>> On Sat, Jun 13, 2020 at 7:41 AM John Goh  wrote:
>> >
>> > Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying 
>> > to detect certain file creation or changes in realtime but I do not see it 
>> > being reflected in the OSSEC web interface. The OSSEC is being deployed in 
>> > a local environment on Ubuntu 18.4.04 LTS. The rule I have for code 
>> > creation is:
>> >   
>> > ossec
>> > syscheck_new_entry
>> > File added to the system.
>> > syscheck,
>> >   
>> >
>> > The rule works as random file creation has been logging but it does not 
>> > work for the specific directories that I have specified. The code below is 
>> > the specified directories that I want to monitor. Even when I gave the 
>> > attribute "realtime" it does not reflect on the logs when I changed it.
>> > 
>> > no
>> > 180
>> > yes
>> >
>> > 
>> > /etc,/usr/bin,/usr/sbin
>> > /bin,/sbin,/boot
>> > > > check_all="yes">/home/ubuntu/Downloads
>> > > > check_all="yes">/home/ubuntu/Desktop,/home/ubuntu
>> > > > check_all="yes">/home/ubuntu/Downloads/active.txt
>> > Even when I force a scan by using the following command:
>> > /var/ossec/bin/agent_control -r -u 000
>> > it does not work, for some reason, it keeps on stating that: "INFO: 
>> > Initializing real-time file monitoring (not started)."
>> >
>>
>> This message is normal, realtime should be started sometime after this.
>>
>> > I'm lost and I do not know what is wrong, can anybody help me with this 
>> > issue?
>> >
>>
>> I can't remember if realtime was changed to alert on new files or not.
>> At one point it did not.
>> Do changes to the files in those directories get alerted on automatically?
>>


Re: [ossec-list] Missing ossec-hids in logrotate.d

2020-06-17 Thread dan (ddp)
On Mon, Jun 15, 2020 at 3:09 PM Scott Wozny  wrote:
>
> I'm trying to get off the Atomic repo for a variety of reasons, so I just did 
> a 3.6.0 agent install from the tarball's script on a CentOS 7 minimal machine 
> to test the process and compatibility with my build tweaks.  One of the 
> issues I had with the Atomic repo 3.3.0 package install was /var/ossec/logs 
> was of SELinux fcontext var_t rather than var_log_t which made those files 
> inaccessible on an enforcing machine to logrotate_t.  An easy fix, but I 
> never got around to doing it.  Now I see there is no ossec-hids script in 
> /etc/logrotate.d.  Is this intentional (as in, I need to roll my own) or 
> could something have gone wrong during the install?  I didn't see anything in 
> /var/log/messages or journalctl and /var/ossec/logs/ossec.log (the only file 
> in that directory) is empty.  Is there anywhere that install results are 
> logged or am I just expected to go through the output after ./install.sh?
>
> Any assistance or suggestions would be appreciated.
>

We don't include a log rotate script.
We don't log anything in the install.sh (I usually tee it to a file
when I'm curious).
If ossec.log is empty, ossec probably isn't running. Or maybe an selinux issue?

> Thanks,
>
> Scott
>


Re: [ossec-list] not receiving alerts on email.

2020-06-17 Thread dan (ddp)
On Tue, Jun 16, 2020 at 7:21 AM siddharth jha  wrote:
>
> Hi,
>
> I'm new to OSSEC and recently installed OSSEC 3.6.0 on an Ubuntu 18.04.04 server 
> successfully.
> I also added some Windows agents and I can see alerts on the OSSEC web UI, but I'm not 
> receiving any alerts by email.
> I need a suggestion on how to configure alerts so that I also get them over email.
> Thanks
> Thanks
>

Did you configure the smtp server in /var/ossec/etc/ossec.conf?
Do you see any errors in your smtp server's logs (often /var/log/maillog)?



Re: [ossec-list] 2 instances of ossec-maild

2020-06-17 Thread dan (ddp)
On Tue, Jun 16, 2020 at 5:35 PM Scott Wozny  wrote:
>
> Just an "idle curiosity" kind of question.  In a 3.6.0 server installed from 
> the tarball on CentOS 7, when I run a ps, I have 2 instances of 
> /var/ossec/bin/ossec-maild running, both under UID ossecm.  Does anyone know 
> why there are 2 instances of the same process run by the same user?
>

When ossec-maild (I'll call it main) starts it forks off another
process (I'll call this one connector). There is a socket pair shared
between them for communication.
When the main process determines that an email should be sent, it
forks off another process (OS_Sendmail()). This sendmail process sends
a request to the connector process. The connector process finds the
smtp server and connects to it. Then forwards that connection back to
the sendmail process.
The purpose of all of this was to make managing it a bit easier. The
main process is chroot()ed to /var/ossec, so dns lookups for the smtp
server (if you don't use an IP address) were difficult. At a minimum
the /etc/resolv.conf had to be copied to /var/ossec/etc. Even that
didn't seem to work on some systems.
So the connector process was created. It is not chrooted, so it has
access to the entire system. resolv.conf no longer had to be copied,
and it even seemed to help with the "ipv6 is disabled" queries.

> Thanks,
>
> Scott
>
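The fork, socket pair and descriptor hand-off that Dan describes above (the same reply is also quoted earlier on this page, in the "2 instances of ossec-maild" follow-up) can be shown end to end in a few dozen lines. What follows is an added C example written for this page; it is not ossec-maild's own code and the function and variable names are its own. It plays the three roles from the explanation: a "connector" that resolves the SMTP host with getaddrinfo() and connects, an AF_UNIX socket pair over which the connected socket is handed back with SCM_RIGHTS, and a "main" side that reads the server greeting through the descriptor it received without ever resolving a name itself. A loopback listener and its 220 greeting are constructed stand-ins for the mail server, and the chroot() of the main process is not performed because it needs root.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

union fdbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };  /* room for one fd */
char demo_banner[128];  /* filled by demo_connector_roundtrip() when the demo is run */

/* Point msg at a one-byte payload plus the control buffer (sendmsg needs some data). */
static void fd_msg(struct msghdr *msg, struct iovec *iov, char *byte, union fdbuf *u)
{
    memset(msg, 0, sizeof *msg);  memset(u, 0, sizeof *u);
    iov->iov_base = byte;  iov->iov_len = 1;
    msg->msg_iov = iov;  msg->msg_iovlen = 1;
    msg->msg_control = u->buf;  msg->msg_controllen = sizeof u->buf;
}

/* Hand one descriptor to the other end of a UNIX socket via SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';  struct iovec iov;  union fdbuf u;  struct msghdr msg;
    fd_msg(&msg, &iov, &byte, &u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;  c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the new fd or -1. */
static int recv_fd(int sock)
{
    char byte;  struct iovec iov;  union fdbuf u;  struct msghdr msg;  int fd;
    fd_msg(&msg, &iov, &byte, &u);
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Connector job: resolve the SMTP host with getaddrinfo() and connect to the first answer.
 * In ossec-maild this runs in the process that is NOT chroot()ed, so the resolver can
 * read /etc/resolv.conf and /etc/hosts from the real root. */
static int connector_connect(const char *host, const char *port)
{
    struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM }, *res;
    int fd;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Round trip: a loopback listener stands in for the SMTP server (constructed for the
 * demo); the forked connector resolves, connects and passes the socket back over the
 * socket pair; "main", which never resolved anything, reads the greeting through it. */
int demo_connector_roundtrip(char *banner, size_t len)
{
    const char *greeting = "220 mail.example.test ESMTP\r\n";  /* constructed */
    struct sockaddr_in sa = { .sin_family = AF_INET };         /* port 0: kernel picks */
    socklen_t salen = sizeof sa;  char port[8];
    int lfd, sp[2], afd, cfd, status;  ssize_t n;  pid_t pid;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 1) < 0
        || getsockname(lfd, (struct sockaddr *)&sa, &salen) < 0)
        return -1;
    snprintf(port, sizeof port, "%u", (unsigned)ntohs(sa.sin_port));
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                  /* connector: the un-chrooted helper process */
        close(sp[0]); close(lfd);
        cfd = connector_connect("127.0.0.1", port);
        _exit(cfd < 0 || send_fd(sp[1], cfd) < 0);  /* 1 on failure; fd stays in flight */
    }
    close(sp[1]);
    afd = accept(lfd, NULL, NULL);   /* stand-in server greets the new client */
    if (afd < 0 || write(afd, greeting, strlen(greeting)) != (ssize_t)strlen(greeting))
        return -1;
    cfd = recv_fd(sp[0]);            /* main/sendmail side receives the live connection */
    n = cfd < 0 ? -1 : read(cfd, banner, len - 1);
    banner[n > 0 ? n : 0] = '\0';
    if (cfd >= 0) close(cfd);
    close(afd); close(lfd); close(sp[0]);
    waitpid(pid, &status, 0);
    return (n > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The kernel keeps the connected socket alive while it is in flight in the control message, so the connector can close its copy and exit right after sendmsg(); the receiver ends up with a fully connected TCP socket it could not have created from inside a chroot that lacks a working resolver. Nothing in the hand-off needs privilege, only a shared AF_UNIX socket, which fits the observation in the question that both ossec-maild processes run under the same unprivileged UID.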


Re: [ossec-list] Problem with alerting file changes and checksum integrity

2020-06-13 Thread dan (ddp)
On Sat, Jun 13, 2020 at 7:41 AM John Goh  wrote:
>
> Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying to 
> detect certain file creation or changes in realtime but I do not see it being 
> reflected in the OSSEC web interface. The OSSEC is being deployed in a local 
> environment on Ubuntu 18.4.04 LTS. The rule I have for code creation is:
>   
> ossec
> syscheck_new_entry
> File added to the system.
> syscheck,
>   
>
> The rule works as random file creation has been logging but it does not work 
> for the specific directories that I have specified. The code below is the 
> specified directories that I want to monitor. Even when I gave the attribute 
> "realtime" it does not reflect on the logs when I changed it.
> 
> no
> 180
> yes
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
>  check_all="yes">/home/ubuntu/Downloads
>  check_all="yes">/home/ubuntu/Desktop,/home/ubuntu
>  check_all="yes">/home/ubuntu/Downloads/active.txt
> Even when I force a scan by using the following command:
> /var/ossec/bin/agent_control -r -u 000
> it does not work, for some reason, it keeps on stating that: "INFO: 
> Initializing real-time file monitoring (not started)."
>

This message is normal, realtime should be started sometime after this.

> I'm lost and I do not know what is wrong, can anybody help me with this issue?
>

I can't remember if realtime was changed to alert on new files or not.
At one point it did not.
Do changes to the files in those directories get alerted on automatically?



Re: [ossec-list] Anyone knows how to install OSSEC agent in the ubuntu server 20.04?

2020-06-08 Thread dan (ddp)
On Sun, Jun 7, 2020 at 11:06 AM Arnau b s  wrote:
>
> Anyone knows how to install OSSEC agent in the ubuntu server 20.04?
>

I haven't had time to create an image for 20.04 yet. Are you
experiencing issues?
Can you provide details?



Re: [ossec-list] What does the tag do?

2020-05-20 Thread dan (ddp)
On Tue, May 12, 2020 at 8:57 AM Dominik Vogt  wrote:
>
> I'm struggling to understand how to write custom rules.
> Unfortunately the "" tag seems to be completely
> undocumented, and the book doesn't explain it either:
>
>   Each rule, or grouping of rules, must be defined within a
>element.  Your attribute name must contain the
>   rules you want to be part of this group.
>
> ...
>
>   
>   ... 
>  ...
>   
>
> The "name" of the group is a comma separated list of rules that
> are "part of the group"?  What does that mean?
>

They're kind of like tags that help label the rules.

> --
>
> Specifically, I want to try out the example from the chapter
> "Increasing the Alert Severity for Important Files":
>
>   
> syscheck
> for:'/etc/foobar
>   
>
> So, this needs to be enclosed in a  tag?  What is the
> supposed value of the "name" attribute?
>

Whatever you want. I'd start with local, and maybe add other things if
I want to be able to use them later.

> Ciao
>
> Dominik ^_^  ^_^
>
> --
>
> Dominik Vogt
>


Re: [ossec-list] most current OSSEC documentation

2020-05-11 Thread dan (ddp)
On Sun, May 3, 2020 at 6:58 AM rpr //  wrote:
>
> On Thu, 8 Aug 2019 at 13:08, dan (ddp)  wrote:
> >
> > > Where can we find the most current OSSEC documentation?
> > >
> > You can browse through the github repository:
> > https://github.com/ossec/ossec-docs
> > It's not ideal, but it works.
>
> OSSEC v. 3.6.0 has been available since February 14, 2020, but the
> documentation at https://www.ossec.net/docs/ hasn't been updated to
> include changes important for v. 3.6.0.
>
> For example, 
> https://www.ossec.net/docs/docs/manual/installation/installation-requirements.html
> does not include all prerequisites required to successfully compile
> and install v. 3.6.0 from sources.
>
> I've found updated info at
> https://github.com/ossec/ossec-docs/blob/master/docs/manual/installation/installation-requirements.rst
>
> Could someone update the OSSEC documentation pages from GitHub sources, 
> please?
>

I'll poke the person who can make that happen.
Until then there's: https://ossec-docs.readthedocs.io/en/latest/

> -- rpr.
>


Re: [ossec-list] Unable to install OSSEC Agent

2020-04-21 Thread dan (ddp)
Openssl is what you need to run binaries, the devel version is what you
need to build the binaries. A precompiled version of ossec probably only
needs the openssl package.
I don’t know why they broke it up into 2 packages, but it’s not my
decision.

On Tue, Apr 21, 2020 at 1:39 PM Andy  wrote:

> This fixed it, thanks!
> What is the difference between openssl and the devel option?
>
> On Tuesday, April 21, 2020 at 11:15:24 AM UTC-4, dan (ddpbsd) wrote:
>>
>> Openssl or openssl-devel?
>>
>> On Tue, Apr 21, 2020 at 10:29 AM Luke Boguslaw 
>> wrote:
>>
>>> I also had to install zlib-devel.
>>> But now I get this error:
>>> [image: image.png]
>>> So I install openssl, but it says it is already installed...
>>>
>>> On Tue, Apr 21, 2020 at 9:37 AM dan (ddp)  wrote:
>>>
>>>> The installation documentation has a list of prerequisite packages
>>>> that should be installed. In this case it’s libevent-devel
>>>>
>>>> On Tue, Apr 21, 2020 at 7:49 AM Luke Boguslaw 
>>>> wrote:
>>>>
>>> I did a make clean, then ran install with PCRE2_SYSTEM=yes, but am
>>>>> getting this error now:
>>>>> [image: image.png]
>>>>>
>>>>> On Mon, Apr 20, 2020 at 10:34 PM David Williams 
>>>>> wrote:
>>>>>
>>>> Andy,
>>>>>> How about this:
>>>>>> yum info pcre2-devel
>>>>>> Note the "2:" pcre2-devel
>>>>>> -David
>>>>>>
>>>>>>
>>>>>> On 4/20/20 7:43 PM, Luke Boguslaw wrote:
>>>>>> > It is telling me that pcre-utf does not exist, and pcre-devel is
>>>>>> already
>>>>>> > installed.
>>>>>> >
>>>>>> > On Mon, Apr 20, 2020 at 5:30 PM David Williams <
>>>>>> dave...@kayakero.net
>>>>>> > <mailto:dave...@kayakero.net>> wrote:
>>>>>> >
>>>>>> > Andy,
>>>>>> > I believe there are separate pcre2 packages. I have
>>>>>> these
>>>>>> > installed:
>>>>>> >
>>>>>> > pcre-8.32-17.el7.x86_64
>>>>>> > pcre2-utf16-10.23-2.el7.x86_64
>>>>>> > pcre2-10.23-2.el7.x86_64
>>>>>> > pcre2-devel-10.23-2.el7.x86_64
>>>>>> > pcre-8.32-17.el7.i686
>>>>>> > pcre2-utf32-10.23-2.el7.x86_64
>>>>>> >
>>>>>> >
>>>>>> > -David
>>>>>> >
>>>>>> > On 4/20/20 2:09 PM, Andy wrote:
>>>>>> > > I am unable to install the ossec agent on a centos 7 server.
>>>>>> I
>>>>>> > get this
>>>>>> > > error:
>>>>>> > > |
>>>>>> > > In file included from ./headers/shared.h:215:0,
>>>>>> > >  from client-agent/sendmsg.c:10:
>>>>>> > > ./os_regex/os_regex.h:19:19: fatal error: pcre2.h: No such
>>>>>> file or
>>>>>> > directory
>>>>>> > >  #include 
>>>>>> > > |
>>>>>> > >
>>>>>> > > After installing pcre-devel, it still fails with this error.
>>>>>> > >

Re: [ossec-list] Unable to install OSSEC Agent

2020-04-21 Thread dan (ddp)
Openssl or openssl-devel?

On Tue, Apr 21, 2020 at 10:29 AM Luke Boguslaw 
wrote:

> I also had to install zlib-devel.
> But now I get this error:
> [image: image.png]
> So I install openssl, but it says it is already installed...
>
> On Tue, Apr 21, 2020 at 9:37 AM dan (ddp)  wrote:
>
>> The installation documentation has a list of prerequisite packages that
>> should be installed. In this case it’s libevent-devel
>>
>> On Tue, Apr 21, 2020 at 7:49 AM Luke Boguslaw 
>> wrote:
>>
>>> I did a make clean, then ran install with PCRE2_SYSTEM=yes, but am
>>> getting this error now:
>>> [image: image.png]
>>>
>>> On Mon, Apr 20, 2020 at 10:34 PM David Williams 
>>> wrote:
>>>
>>>> Andy,
>>>> How about this:
>>>> yum info pcre2-devel
>>>> Note the "2:" pcre2-devel
>>>> -David
>>>>
>>>>
>>>> On 4/20/20 7:43 PM, Luke Boguslaw wrote:
>>>> > It is telling me that pcre-utf does not exist, and pcre-devel is
>>>> already
>>>> > installed.
>>>> >
>>>> > On Mon, Apr 20, 2020 at 5:30 PM David Williams
>>>> > <mailto:davew...@kayakero.net>> wrote:
>>>> >
>>>> > Andy,
>>>> > I believe there are separate pcre2 packages. I have these
>>>> > installed:
>>>> >
>>>> > pcre-8.32-17.el7.x86_64
>>>> > pcre2-utf16-10.23-2.el7.x86_64
>>>> > pcre2-10.23-2.el7.x86_64
>>>> > pcre2-devel-10.23-2.el7.x86_64
>>>> > pcre-8.32-17.el7.i686
>>>> > pcre2-utf32-10.23-2.el7.x86_64
>>>> >
>>>> >
>>>> > -David
>>>> >
>>>> > On 4/20/20 2:09 PM, Andy wrote:
>>>> > > I am unable to install the ossec agent on a centos 7 server.  I
>>>> > get this
>>>> > > error:
>>>> > > |
>>>> > > In file included from ./headers/shared.h:215:0,
>>>> > >  from client-agent/sendmsg.c:10:
>>>> > > ./os_regex/os_regex.h:19:19: fatal error: pcre2.h: No such file
>>>> or
>>>> > directory
>>>> > >  #include 
>>>> > > |
>>>> > >
>>>> > > After installing pcre-devel, it still fails with this error.
>>>> > >

Re: [ossec-list] Unable to install OSSEC Agent

2020-04-21 Thread dan (ddp)
The installation documentation has a list of prerequisite packages that
should be installed. In this case it’s libevent-devel

On Tue, Apr 21, 2020 at 7:49 AM Luke Boguslaw  wrote:

> I did a make clean, then ran install with PCRE2_SYSTEM=yes, but am getting
> this error now:
> [image: image.png]
>
> On Mon, Apr 20, 2020 at 10:34 PM David Williams 
> wrote:
>
>> Andy,
>> How about this:
>> yum info pcre2-devel
>> Note the "2:" pcre2-devel
>> -David
>>
>>
>> On 4/20/20 7:43 PM, Luke Boguslaw wrote:
>> > It is telling me that pcre-utf does not exist, and pcre-devel is already
>> > installed.
>> >
>> > On Mon, Apr 20, 2020 at 5:30 PM David Williams wrote:
>> >
>> > Andy,
>> > I believe there are separate pcre2 packages. I have these
>> > installed:
>> >
>> > pcre-8.32-17.el7.x86_64
>> > pcre2-utf16-10.23-2.el7.x86_64
>> > pcre2-10.23-2.el7.x86_64
>> > pcre2-devel-10.23-2.el7.x86_64
>> > pcre-8.32-17.el7.i686
>> > pcre2-utf32-10.23-2.el7.x86_64
>> >
>> >
>> > -David
>> >
>> > On 4/20/20 2:09 PM, Andy wrote:
>> > > I am unable to install the ossec agent on a centos 7 server.  I
>> > > get this error:
>> > > |
>> > > In file included from ./headers/shared.h:215:0,
>> > >  from client-agent/sendmsg.c:10:
>> > > ./os_regex/os_regex.h:19:19: fatal error: pcre2.h: No such file or
>> > > directory
>> > >  #include 
>> > > |
>> > >
>> > > After installing pcre-devel, it still fails with this error.
>> > >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.

Re: [ossec-list] Regarding automatically old log deleting.

2020-04-21 Thread dan (ddp)
On Sun, Apr 12, 2020 at 11:22 PM Problem Store  wrote:
>
> Dear Team,
>
> I have one question, the example I have 1GB storage in OSSEC, when storage 
> will be full then automatically deleted from the beginning log( old log). 
> It's possible if possible how? Please share your idea.
>

Use cron to clean up old logs.

> Thanks
> OSU
>

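The cron-based clean-up suggested above, written out as an added example (it is not part of the thread or of OSSEC): a POSIX sh script that deletes the oldest alert logs until the directory fits a size budget, which is the "delete from the oldest when storage is full" behaviour the question asks for. It assumes GNU-style find/stat/du (as on CentOS 7 or Ubuntu) and the stock /var/ossec/logs/alerts/YYYY/Mon/ossec-alerts-DD.log layout; the crontab line and script path are assumptions.

```shell
#!/bin/sh
# Added example for the "use cron to clean up old logs" answer above; not
# part of the ossec-list thread or of OSSEC itself.
# Assumptions: GNU find/stat/du semantics and the stock OSSEC layout
# /var/ossec/logs/alerts/YYYY/Mon/ossec-alerts-DD.log (archives use the same
# scheme under logs/archives, so the function works there too).
set -eu

# dir_kbytes DIR -> disk usage of DIR in KiB, printed as one integer
dir_kbytes() {
    du -sk "$1" | cut -f1
}

# prune_to_budget DIR BUDGET_KB
# Deletes the oldest files (by mtime) under DIR one at a time until DIR uses
# at most BUDGET_KB KiB. Only files older than one full day (-mtime +0) are
# candidates, so the log ossec-analysisd is still writing is never removed
# (unlinking a file a daemon holds open would not free the space anyway).
# Returns 1 if the budget cannot be met without touching recent files.
prune_to_budget() {
    dir=$1
    budget_kb=$2
    while [ "$(dir_kbytes "$dir")" -gt "$budget_kb" ]; do
        # one "epoch path" line per file, sorted numerically: first is oldest
        oldest=$(find "$dir" -type f -mtime +0 -exec stat -c '%Y %n' {} + 2>/dev/null \
                 | sort -n | head -n 1 | cut -d' ' -f2-)
        if [ -z "$oldest" ]; then
            echo "prune_to_budget: $dir still over ${budget_kb} KiB, only recent files remain" >&2
            return 1
        fi
        echo "removing $oldest"
        rm -f -- "$oldest"
    done
    # year/month directories emptied by the deletions carry nothing; drop them
    find "$dir" -mindepth 1 -type d -empty -delete
    return 0
}

# Run from cron, e.g. nightly (assumed crontab entry and install path):
#   0 2 * * * /usr/local/sbin/ossec-prune-logs.sh --run /var/ossec/logs/alerts 1048576
if [ "${1:-}" = "--run" ]; then
    prune_to_budget "${2:-/var/ossec/logs/alerts}" "${3:-1048576}"   # 1 GiB default budget
fi
```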


Re: [ossec-list] Query on rule for Supported languages

2020-04-21 Thread dan (ddp)
On Mon, Apr 20, 2020 at 5:30 PM sumit soni  wrote:
>
> Hi,
> I have systems with different languages and am wondering if I create a rule to 
> match English logs, can that rule also work for logs from an OS in another 
> language or not.
> For e.g. if I create a rule which matches the following string "3 incorrect 
> password attempts" and apply this rule on a system with Japanese language, 
> would it work and would OSSEC be able to translate the match string from one 
> language to the other??
> Or do I have to create a new rule for specific language characters to match
>

OSSEC looks at the characters and strings it is passed. OSSEC doesn't
translate the message between languages, I think you'd need to match
the strings in each language you want to support.

> Regards
> Sumit
>


Re: [ossec-list] Re: Unable to install OSSEC Agent

2020-04-21 Thread dan (ddp)
This does not look related to this thread. Reply in-line.

On Tue, Apr 21, 2020 at 6:36 AM Mohit Gupta  wrote:
>
> Hi Team,
>
> Good Morning/Afternoon/Evening.
>
> I was trying to install the ossec agent on one of my machines but am getting the below 
> error on control start up.
>
> -
> 2020/04/21 07:31:49 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:31:49 rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:31:57 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:31:57 rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:32:10 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2020/04/21 07:32:10 rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
> ossec-syscheckd did not start
> -
>

These messages are from the agent machine?
Are there any error messages in the ossec.log file on the agent before
these messages?

> Where we have added Agent at server side and extracted key to add agent.
>
> kindly assist here for same.
>
> Note - We have kernel difference b/w server and client.
>
> Server has below version :
>
> Linux  3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13 10:46:25 
> EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Client has below version :
>
> Linux  3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 
> UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
>
> On Monday, April 20, 2020 at 11:42:18 PM UTC+5:30, Andy wrote:
>>
>> I am unable to install the ossec agent on a centos 7 server.  I get this 
>> error:
>> In file included from ./headers/shared.h:215:0,
>>  from client-agent/sendmsg.c:10:
>> ./os_regex/os_regex.h:19:19: fatal error: pcre2.h: No such file or directory
>>  #include 
>>
>> After installing pcre-devel, it still fails with this error.
>


Re: [ossec-list] Unable to install OSSEC Agent

2020-04-21 Thread dan (ddp)
On Mon, Apr 20, 2020 at 10:34 PM David Williams  wrote:
>
> Andy,
> How about this:
> yum info pcre2-devel
> Note the "2:" pcre2-devel
> -David
>

This should be the answer right here. Use pcre2, not pcre.

>
> On 4/20/20 7:43 PM, Luke Boguslaw wrote:
> > It is telling me that pcre-utf does not exist, and pcre-devel is already
> > installed.
> >
> > On Mon, Apr 20, 2020 at 5:30 PM David Williams wrote:
> >
> > Andy,
> > I believe there are separate pcre2 packages. I have these
> > installed:
> >
> > pcre-8.32-17.el7.x86_64
> > pcre2-utf16-10.23-2.el7.x86_64
> > pcre2-10.23-2.el7.x86_64
> > pcre2-devel-10.23-2.el7.x86_64
> > pcre-8.32-17.el7.i686
> > pcre2-utf32-10.23-2.el7.x86_64
> >
> >
> > -David
> >
> > On 4/20/20 2:09 PM, Andy wrote:
> > > I am unable to install the ossec agent on a centos 7 server.  I
> > > get this error:
> > > |
> > > In file included from ./headers/shared.h:215:0,
> > >  from client-agent/sendmsg.c:10:
> > > ./os_regex/os_regex.h:19:19: fatal error: pcre2.h: No such file or
> > > directory
> > >  #include 
> > > |
> > >
> > > After installing pcre-devel, it still fails with this error.
> > >


Re: [ossec-list] ossec-Maild CPU Usage 95% +

2020-04-01 Thread dan (ddp)
On Wed, Apr 1, 2020 at 12:58 PM SHADO  wrote:
>
> Hi!
>
> Did a new install on Ubuntu 18.04 LTS and ossec-Maild is hogging the CPU.
>
>
> ossecmPID 1 78 Mar31 ?07:34:06 /var/ossec/bin/ossec-maild
>
>
>  PID USERPRI   NI  VIRT   RESSHR   S  CPU%  MEM%   TIME+  Command
>
> PID ossecm 20   0 24756  2768  2512 R 96.0  0.0  7h38:20 
> /var/ossec/bin/ossec-maild
>
>
>
>
> Have stopped and restart.
>
>
> Have rebooted.
>
>
> CPU is low until ossec-maild kicks off.
>
>

Which version of OSSEC?
Anything in the ossec.log on the server?


>
> Suggestions?
>
>
> Regards
>
> SHADO
>


Re: [ossec-list] ossec-maild?

2020-03-30 Thread dan (ddp)
On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson  wrote:
>
> I installed on Ubuntu 18.04 with according to this:
> https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
>
> I installed both agent and server.  Specifically:
> $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
>
> $ sudo apt update
>
> $ sudo apt install ossec-hids-server
> $ sudo apt install ossec-hids-agent
>

They should be mutually exclusive, so I'm guessing the agent removed the server.

> $ sudo -u ossec ssh-keygen
>
> $ sudo vim /var/ossec/etc/client.keys
> 001 server1 any 
>
> $ sudo chown root.ossec /var/ossec/etc/client.keys
>
> Then I edited ossec.conf as I wrote in my previous mail and started the 
> server.
>
> $ sudo /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v3.6.0...
> Started ossec-execd...
> 2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time 
> to reconnect: 1800
> 2020/03/30 14:05:04 going daemon
> Started ossec-agentd...
> Started ossec-logcollector...
> Started ossec-syscheckd...
> Completed.
>
>
>
> On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson  wrote:
>> >
>> > Sorry to be dense.  I just tried to post another message and don't see it 
>> > in google groups.  I'm noticing that other people have an ossec-maild, but 
>> > I don't:
>> > $ sudo ls -l /var/ossec/bin/
>> > total 1164
>> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
>> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
>> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
>> > -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
>> > -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
>> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
>> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
>> > -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh
>> >
>> > I just installed ossec for the first time over the weekend.  I can't seem 
>> > to get it to send mail.  Am I missing an executable?
>> >
>>
>> This looks like an agent installation. The OSSEC server handles
>> sending out email.
>>


Re: [ossec-list] Re: Custom decoder failing to load

2020-03-27 Thread dan (ddp)
On Mon, Mar 23, 2020 at 8:35 AM Olivier Ragain
 wrote:
>
> Hi
> Sorry for the delay in answering.
>
> The error I get:
> 2020/03/23 12:28:25 ossec-testrule: INFO: Reading decoder file 
> etc/custom/local_decoder.xml.
> 2020/03/23 12:28:25 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> The configuration:
>   
> etc/custom
> ...

Are you planning on using the shipped decoder.xml file? If so, you'll
need to add it to the config.

>
> Thanks
>


Re: [ossec-list] regex help/clarification - specify all files with a given extension

2020-03-27 Thread dan (ddp)
On Thu, Mar 19, 2020 at 4:59 PM Leroy Tennison  wrote:
>
> Running v3.3.0 on the server and v3.2.0 on the client, trying to exclude 
> *.bz2 in a given directory, I tried:
>
> 
>   
> /path/to/.bz2$

I think this will ignore '/path/to/.bz2' and only that file.

>   
> 
>
> based on another post.  I obviously don't understand how to do it because 
> it's not working.  /var/ossec/etc/shared/agent.conf shows the above and 
> ossec.conf on the client has:
>
> 
>   
> 10.22.14.11
> bfr, cfg, ubuntu
>   
>
> I've also tried the above with the qcow2 extension and get the same result.
>
> In general, how do I write an OSSEC specification to exclude all files with a 
> given extension?  Thanks for your help.
>


Re: [ossec-list] limit forwarded logs on ossec

2020-03-27 Thread dan (ddp)
On Tue, Mar 24, 2020 at 7:48 AM AHMED ADEWUYI  wrote:
>
> Hi,
>
> Please is there a way to reduce or manage numbers of forwarded events on the 
> ossec agent to Alienvault sensor.
>

Not really. The Windows agent can filter some things out with
eventchannel, but that's about it.

> Thanks.
>
> Ahmed.
>


Re: [ossec-list] Host-based anomaly detection event (rootcheck)

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 12:33 PM llehirgen  wrote:
>
> I use dokku in a Ubuntu 18.04 LTS machine.
> I received the following alerts concerning files hidden in a long list of 
> directories:
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Files hidden inside directory 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'.
>  Link count does not match number of files (26,1).
>
> Then again:
> Files hidden inside directory 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'.
>  Link count does not match number of files (2,1).
>
> And so on for a list of 104 directories, like 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin'
>  or 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin'
>  etc etc
>
> How am I expected to interpret these alerts? What am I expected to do?
>

rootcheck doesn't understand overlay filesystem stuff yet. There is at
least 1 issue open on the topic (at
https://github.com/ossec/ossec-hids/issues).


>


Re: [ossec-list] Re: Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 8:43 AM dan (ddp)  wrote:
>
> On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain
>  wrote:
> >
> > Hi,
> > So now the question is, why does it not work when I use: 
> > decoders configuration in the ossec.conf file ? 
> > I see that it is loading the file from the logs, but it fails to log the 
> > decoder information itself and then ossec won't start.
> > Can anyone explain how to use the decoder_dir configuration element ?
> > I want to put all custom rules / decoders / lists in their own folder so 
> > that when updates happen, I don't get wiped or impacted for some update 
> > reasons.
> > Thanks
> >
>
> Can you provide the configuration you tried?
> I haven't used decoder_dir in a while, but it always worked in the past for 
> me.
>

Using this allowed `ossec-logtest -t` to work for me:
  
etc/decoder.xml
etc/local_decoder.xml
etc/decoders.d



Re: [ossec-list] Re: Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 8:16 AM Olivier Ragain
 wrote:
>
> Hi,
> So now the question is, why does it not work when I use: 
> decoders configuration in the ossec.conf file ? I 
> see that it is loading the file from the logs, but it fails to log the 
> decoder information itself and then ossec won't start.
> Can anyone explain how to use the decoder_dir configuration element ?
> I want to put all custom rules / decoders / lists in their own folder so that 
> when updates happen, I don't get wiped or impacted for some update reasons.
> Thanks
>

Can you provide the configuration you tried?
I haven't used decoder_dir in a while, but it always worked in the past for me.



Re: [ossec-list] Custom decoder failing to load

2020-03-16 Thread dan (ddp)
On Fri, Mar 13, 2020 at 2:28 PM Olivier Ragain
 wrote:
>
> Hi,
> I've created a custom decoder:
> 
> ^sshd
> 
>
> 
> sshd-custom
> ^Bad protocol version
> ^\S+ from (\S+) port (\S+)$
> srcip,srcport
> 
>
> When I restart the engine to load it, I end up with the following error:
> 2020/03/13 18:21:54 ossec-testrule: INFO: Reading decoder file 
> decoders/ssh_decoder.xml.
> 2020/03/13 18:21:54 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> 2020/03/13 18:21:54 ossec-testrule: INFO: Reading the lists file: 
> 'lists/approved_scanners_list'
> 2020/03/13 18:21:54 ossec-analysisd: Invalid decoder name: 'pam'.
> 2020/03/13 18:21:54 ossec-testrule(1220): ERROR: Error loading the rules: 
> 'pam_rules.xml'.
>
> Where is the error in my decoder?
>

I don't receive an error when I add the decoders to local_decoders.xml.
Which version of OSSEC are you using?

> Thanks
>


Re: [ossec-list] LibSSL error on Linux 8

2020-03-04 Thread dan (ddp)
On Mon, Mar 2, 2020 at 9:25 AM Kumar G  wrote:
>
> Hi Team,
>
>
> Need your help on this one.
>
> We are at 3.1X version of OSSEC environment. When trying to install the 
> package on Linux 8 and starting the agent we get an error on libssl.
>
> error while loading shared libraries: libssl.so.10: cannot open shared object 
> file: No such file or directory
> ossec-execd did not start
>
> Similar message we get when starting the agent-auth daemon.
>
> We tried to create a soft link for the existing libssl file. What would be 
> the possible solution to fix this problem?
>
> Is anyone on Linux 8 facing this issue?
>
> Thanks and Regards
> Kumar
>

What is "Linux 8"?
How are you installing OSSEC?

>



Re: [ossec-list] ossec agent disconnected.

2020-03-04 Thread dan (ddp)
On Wed, Mar 4, 2020 at 8:38 AM AHMED ADEWUYI  wrote:
>
> Hello,
>
> I am experiencing frequent ossec agent disconnects from the AlienVault server.
>
> I have removed the RIDS files on the client and server, yet it isn't connecting.
>
> Please, what can I do to keep it up and running again?
>
> Here is the log i am getting from the ossec agent.
>

You might get better help by talking to the alienvault folks.
What version of OSSEC are you using?
What OS/version is the agent?

Check the ossec.log on the server for any log messages about the agent.
You may need to turn on debugging on the server to see anything.
Use tcpdump to make sure the packets from the agent are making it to the server.
Make sure these packets look like they're coming from the IP address
the server expects them to come from.
If there are replies from the server, make sure they are making it to the agent.




Re: [ossec-list] Syslog logs has to store Another file rather than archives.json

2020-02-18 Thread dan (ddp)
On Tue, Feb 18, 2020 at 4:44 AM Muhammed Ashique  wrote:
>
> Is there any way to store all syslog logs generated by network devices in a 
> different path? All logs (agents, devices) go to a single file 
> (archive.json), but I want to segregate only the syslog logs into a different 
> path and keep the system logs in the default path, instead of using a syslog 
> server mechanism.
>

Not at this time. OSSEC's configuration and options for these things
are quite simplistic.




Re: [ossec-list] Log firewall changes

2020-02-18 Thread dan (ddp)
On Tue, Feb 18, 2020 at 1:52 AM Schultheis Burkhard
 wrote:
>
> Hi,
>
> I want to get a message, when the ruleset of iptables gets modified. But
> I see that iptables doesn't log its changes. Or am I wrong?
>

I'm not aware of a log, but I'm far from an expert.

If you're running an OSSEC agent on the system, it should be easy to
add a command to watch for changes.
This is probably a naive command to run, but I'm not sure what a
better one would be at the moment.
This goes in the ossec.conf of the agent with the iptables
configuration you want to monitor.

  <localfile>
    <log_format>full_command</log_format>
    <alias>iptables_check</alias>
    <command>iptables -nL</command>
    <frequency>60</frequency>
  </localfile>

Every 60ish seconds the command "iptables -nL" is run. The contents of
this command are sent to the OSSEC server.

Then you create a rule to match this command in local_rules.xml.
Something like this:
 >> But the OSSEC failed to start. What's wrong? How to get the desired
> >> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
> >>
> > What do you mean by "a port is opened or closed in the firewall?" Do
> > you mean when a program is listening on a port,
> > or the ruleset is modified to allow traffic through a particular port?
> >
> > What type of firewall?
> >
> > I don't think "log" is a valid value for . Just remove the line.
> > You can look at the ossec.log on the server for more details as to why
> > it's failing.
> >
> >> Thanks in advance!
> >>
> >> Regards
> >> Burkhard
> >>
>

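As an added example (not code from the thread or from OSSEC), the following Python shows what a rule on the server effectively has to do with the "iptables -nL" output that the full_command above ships every 60 seconds: compare the latest snapshot with the previous one and report policy changes, added rules and removed rules per chain. The two snapshots are constructed sample output.

```python
import re
from typing import Dict, List

# Constructed sample output of "iptables -nL", two snapshots taken one interval apart.
# The second snapshot opens port 8080 and loosens the FORWARD chain's default policy.
BEFORE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

AFTER = BEFORE.replace(
    "tcp dpt:22\n",
    "tcp dpt:22\nACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080\n",
).replace("Chain FORWARD (policy DROP)", "Chain FORWARD (policy ACCEPT)")

# "Chain NAME (policy X)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_iptables(output: str) -> Dict[str, dict]:
    """Group the rule lines of "iptables -nL" output by chain, keeping each chain's header text."""
    chains: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
        elif not line.strip() or line.startswith("target "):
            continue  # blank separator or column header line
        elif current is not None:
            # Collapse column padding so cosmetic width changes do not look like rule changes.
            # "-nL" prints no packet/byte counters; "-v" would add ones that change constantly.
            chains[current]["rules"].append(" ".join(line.split()))
    return chains


def diff_rulesets(before: str, after: str) -> List[str]:
    """Return one finding per changed chain policy, added rule or removed rule.

    A pure reordering of existing rules is not reported; compare the lists
    directly if rule order matters for your policy.
    """
    old, new = parse_iptables(before), parse_iptables(after)
    findings: List[str] = []
    for chain in sorted(set(old) | set(new)):
        if chain not in old:
            findings.append(f"{chain}: chain added")
            continue
        if chain not in new:
            findings.append(f"{chain}: chain removed")
            continue
        if old[chain]["policy"] != new[chain]["policy"]:
            findings.append(f"{chain}: {old[chain]['policy']} -> {new[chain]['policy']}")
        for rule in new[chain]["rules"]:
            if rule not in old[chain]["rules"]:
                findings.append(f"{chain}: rule added: {rule}")
        for rule in old[chain]["rules"]:
            if rule not in new[chain]["rules"]:
                findings.append(f"{chain}: rule removed: {rule}")
    return findings


if __name__ == "__main__":
    for finding in diff_rulesets(BEFORE, AFTER):
        print(finding)
```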


Re: [ossec-list] Log firewall changes

2020-02-17 Thread dan (ddp)
On Mon, Feb 17, 2020 at 9:25 AM Burkhard Schultheis
 wrote:
>
> Hi,
>
> I want to get an email from OSSEC when a port is opened or closed in the
> firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
> But OSSEC failed to start. What's wrong? How can I get the desired
> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
>

What do you mean by "a port is opened or closed in the firewall?" Do
you mean when a program is listening on a port,
or the ruleset is modified to allow traffic through a particular port?

What type of firewall?

I don't think "log" is a valid value for . Just remove the line.
You can look at the ossec.log on the server for more details as to why
it's failing.

> Thanks in advance!
>
> Regards
> Burkhard
>



Re: [ossec-list] No email from one of three servers

2020-02-07 Thread dan (ddp)
On Fri, Feb 7, 2020 at 5:43 AM Schultheis Burkhard
 wrote:
>
> Now I found ipv6 was disabled and the file /etc/services was very old.
> Now these 2 configuration items are the same as on the other server
> which is able to send emails. But the "problem" server is still not
> sending ossec emails. In alerts.log I see the following 2 error messages:
> getaddrinfo: System error
> ERROR: Error Sending email to xxx. (smtp server)
>
> First I didn't look in alerts.log! ;-)
>
> What could be the reason for the getaddrinfo error? ipv6 is now enabled,
> /var/ossec/etc/resolv.conf is a copy of /etc/resolv.conf and
> /etc/services is the same as on the other server.
>

3.4 made some improvements for systems that disable ipv6.
https://github.com/ossec/ossec-hids/releases/tag/3.4.0

> Regards
> Burkhard
>
>
> Am 28.01.2020 um 12:54 schrieb dan (ddp):
> > On Mon, Jan 27, 2020 at 1:47 AM Burkhard Schultheis
> >  wrote:
> >> We have 3 servers running OSSEC (standalone). One server runs CentOS 6,
> >> the two others opensuse 15.1. The configuration of OSSEC is almost
> >> identical on all three servers (as close as possible).
> >>
> >> The CentOS Server sends a lot of emails, one of the opensuse servers few
> >> and the third server (opensuse) no emails. But in the log I see issues
> >> that should lead to sending an email.
> >>
> >> The server is able to send emails to the configured server. I see no
> >> messages about errors sending emails. In /var/ossec/etc there is a copy
> >> of resolv.conf. OSSEC version is 3.3.0.
> >>
> >> What can I do?
> >>
> > Are they sending to the same smtp server?
> > If you have access to the mail server logs, you could check there.
> > Otherwise, you could use tcpdump to see if there are any issues.
> >
> >> Regards
> >> Burkhard
> >>
>



Re: [ossec-list] OSSEC 3.3 - OSSEC not compiled with support for 'mysql'

2020-02-05 Thread dan (ddp)
On Wed, Feb 5, 2020 at 7:49 AM dan (ddp)  wrote:
>
> On Fri, Jan 31, 2020 at 2:28 PM Natassia M Stelmaszek  wrote:
> >
> > I performed my original installation without database support because I 
> > didn’t want to complicate things.  When I went to re-compile/reinstall with 
> > the database support included I kept getting the above error.  I finally 
> > fixed it by deleting the object files (*.o) in the scc/os_dbd directory 
> > before recompiling.
> >
> >
> >
> > The developers might consider putting “make clean” as a standard part of 
> > the install process or at least including a note on the page
> >
> > https://ossec-documentation.readthedocs.io/en/latest/legacy/docs/manual/output/database-output.html
> >
> >
> > About the necessity of cleaning the files before recompiling.
> >
>
> Thanks for pointing this out. I think this was one of those "it's
> obvious to me" things that I just skipped over.
> I added instructions to the dev branch in ossec-documentation, and
> submitted a pull request for ossec-docs
> (https://github.com/ossec/ossec-docs/pull/295).
>
> >
> > Also – In the printed book on page 75 it says that you can check to see if 
> > the installation was configured with database support by running
> >
> >
> > /var/ossec/bin/ossec-dbd -V
> >
> >
> > Which would return the information “Compiled with MySQL support” or with 
> > PostgreSQL or without database support.  But the book was written for v1.4 
> > and it doesn’t give that information when you run that command in v3.3.  
> > You might consider restoring that to the -V message.
> >
>
> I'll look into this.
>

Pull request submitted: https://github.com/ossec/ossec-hids/pull/1833
I'm not sure what the previous output looked like, so this may be a
bit different.

> >
> > Natassia
> >



Re: [ossec-list] OSSEC 3.3 - OSSEC not compiled with support for 'mysql'

2020-02-05 Thread dan (ddp)
On Fri, Jan 31, 2020 at 2:28 PM Natassia M Stelmaszek  wrote:
>
> I performed my original installation without database support because I 
> didn’t want to complicate things.  When I went to re-compile/reinstall with 
> the database support included I kept getting the above error.  I finally 
> fixed it by deleting the object files (*.o) in the scc/os_dbd directory 
> before recompiling.
>
>
>
> The developers might consider putting “make clean” as a standard part of the 
> install process or at least including a note on the page
>
> https://ossec-documentation.readthedocs.io/en/latest/legacy/docs/manual/output/database-output.html
>
>
> About the necessity of cleaning the files before recompiling.
>

Thanks for pointing this out. I think this was one of those "it's
obvious to me" things that I just skipped over.
I added instructions to the dev branch in ossec-documentation, and
submitted a pull request for ossec-docs
(https://github.com/ossec/ossec-docs/pull/295).

>
> Also – In the printed book on page 75 it says that you can check to see if 
> the installation was configured with database support by running
>
>
> /var/ossec/bin/ossec-dbd -V
>
>
> Which would return the information “Compiled with MySQL support” or with 
> PostgreSQL or without database support.  But the book was written for v1.4 
> and it doesn’t give that information when you run that command in v3.3.  You 
> might consider restoring that to the -V message.
>

I'll look into this.

>
> Natassia
>



Re: [ossec-list] No email from one of three servers

2020-01-28 Thread dan (ddp)
On Mon, Jan 27, 2020 at 1:47 AM Burkhard Schultheis
 wrote:
>
> We have 3 servers running OSSEC (standalone). One server runs CentOS 6,
> the two others opensuse 15.1. The configuration of OSSEC is almost
> identical on all three servers (as close as possible).
>
> The CentOS Server sends a lot of emails, one of the opensuse servers few
> and the third server (opensuse) no emails. But in the log I see issues
> that should lead to sending an email.
>
> The server is able to send emails to the configured server. I see no
> messages about errors sending emails. In /var/ossec/etc there is a copy
> of resolv.conf. OSSEC version is 3.3.0.
>
> What can I do?
>

Are they sending to the same smtp server?
If you have access to the mail server logs, you could check there.
Otherwise, you could use tcpdump to see if there are any issues.

> Regards
> Burkhard
>



Re: [ossec-list] grep false positive

2020-01-24 Thread dan (ddp)
On Thu, Jan 23, 2020 at 6:46 PM Leroy Tennison  wrote:
>
> Received the following message: Trojaned version of file '/bin/grep' 
> detected. Signature used: 'bash|givemer|/dev/' (Generic)." on 18.04.3 LTS.  
> Downloaded the deb from Ubuntu standard repositories, extracted grep (in 
> /tmp) and compared sha512sums for it and /bin/grep - identical.  I received 
> another message about a trojaned file for s-nail (also on Ubuntu 16.04) 
> recently and, in that case, simply de-installed the package since it wasn't 
> needed.  Now I'm wondering if these are false positives.  Appears the agent 
> is 3.1.0, server is 2.9.1.  Any suggestions or further steps I can take?
>

Pretty sure '/dev/' was removed from the signature because of this
false positive.




Re: [ossec-list] Loop on opensuse

2020-01-17 Thread dan (ddp)
On Mon, Jan 13, 2020 at 9:04 AM Schultheis Burkhard
 wrote:
>
> Some weeks ago I've installed Ossec on three servers. One is running
> CentOS 6.10, the others Opensuse 15.1. The CentOS installation behaves
> as expected, but the opensuse installations behave very differently,
> although the configurations are as close as possible.
>
>  From the CentOS server we get emails as expected, from the opensuse
> servers not (other programs send us emails as expected from all
> servers). The opensuse servers write tons of ossec logs, because it's in
> a start-terminate loop. Excerpt:
>

How did you install OSSEC (package, source, etc)?
You could check the /var/log/audit/audit.log to see if it mentions
anything about it.
I have an OpenSuse VM where it worked fine, but I installed from
source. I haven't powered it up in a while though.

> 2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
> 2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
> 2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'rules_config.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'pam_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'telnetd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'syslog_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'arpwatch_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'symantec-av_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'symantec-ws_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'pix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'named_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'smbd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'vsftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'pure-ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'proftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ms_ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'hordeimp_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'roundcube_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'wordpress_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'cimserver_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'vpopmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'vmpop3d_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'courier_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'web_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'web_appsec_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'apache_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'nginx_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'php_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'mysql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'postgresql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ids_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'squid_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'firewall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'apparmor_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'cisco-ios_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'netscreenfw_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'sonicwall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'postfix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'sendmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'imapd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'mailscanner_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'dovecot_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ms-exchange_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 

Re: [ossec-list] Composite Rule Not Firing

2020-01-09 Thread dan (ddp)
On Fri, Dec 20, 2019 at 12:15 PM Bruce Westbrook  wrote:
>
> I'm having an issue getting a composite rule to trigger.  What's really 
> throwing me is that it works just fine when testing with ossec-logtest, but 
> it doesn't work live.
>
> Here are the two rules in question:
>
>   
> 18101
> ^131$
> Server accepted initial RDP session request
> sysadmin,
>   
>
>   
> 100554
> ALERT: Potential RDP brute force attack
> sysadmin,recon,attacks,
>   
>

This seems like a silly idea, but it's the only one I have at the moment:
  
18101
^131$
Server accepted initial RDP session request
sysadmin,
  

  
18101
^131$
ALERT: Potential RDP brute force attack
sysadmin,recon,attacks,
  

I'll try to look into it more when I find some time.

>
> ...and here is a sample log entry:
>
> 2019 Dec 20 11:28:59 WinEvtLog: 
> Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: 
> INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: NETWORK 
> SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP 
> connection from client 10.104.248.199:57714.
>
>
> Using ossec-logtest I can enter this log entry and on the fifth time it fires 
> off rule #100560 just as expected.  But when I make those same five logon 
> attempts to a live server, it only ever fires rule #100554.  I've tried this 
> up to 20 times in under 2 minutes, well within the rule timeframe, and it 
> still never fires the composite rule alert, only 100554.
>
> I have quite a few other composite rules that I've written over the past few 
> years and don't have this issue.  I just don't see what the problem is with 
> this one or why ossec-logtest shows it working but it never actually works in 
> a live situation.
>
> I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+ 
> servers.
>
> Any thoughts?
>



Re: [ossec-list] Fresh install error from Agent

2020-01-09 Thread dan (ddp)
On Wed, Jan 8, 2020 at 4:29 PM agsossec  wrote:
>
> Hello,
> We are setting up a test OSSEC server and agent -- both on AWS Linux
> On both we
>
> ran, sudo wget https://www.atomicorp.com/installers/atomic && sudo chmod +x 
> atomic && sudo ./atomic
> saved a copy of the agent config -- /var/ossec/etc/ossec-agent.conf 
> /var/ossec/etc/ossec-agent.conf.orig
> edited the agent config
>
> removed the example line
> changed the server IP to our OSSEC server IP
> restarted the OSSEC services
>
> At first we received an error, saying that the system was failing upon not 
> finding the default server IP address -- which was only in the saved copy of 
> the Agent config file.
> When we deleted that file, and restarted the service, we now get the error...
>
> ossec-agentd(4105): ERROR: No valid server IP found.
> ossec-agentd(1215): ERROR: No client configured. Exiting.
>
> In the file /var/ossec/etc/ossec-agent.conf:
>
> <ossec_config>
>   <client>
>     <server-ip>10.1.252.41</server-ip>
>   </client>
> </ossec_config>
>
> In the logs, we see...
>
> 2020/01/08 11:49:37 ossec-execd(1314): INFO: Shutdown received. Deleting 
> responses.
> 2020/01/08 11:49:37 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] 
> Received. Exit Cleaning...
> 2020/01/08 11:49:38 ossec-agentd(4105): ERROR: No valid server IP found.
> 2020/01/08 11:49:38 ossec-execd: INFO: Started (pid: 3326).
> 2020/01/08 11:49:38 ossec-agentd(1215): ERROR: No client configured. Exiting.
>
> What are we doing wrong?
> Thank you!
>
>

I don't have an AWS instance to test against, so I tried the CentOS 7 package.
I couldn't reproduce the issue (but I did have to remove a default agent.conf?).

I even tried using the ossec_config snippet posted above, and couldn't
get the same error.

>
>
>
>



Re: [ossec-list] ossec-logtest and kibana outputs are different

2020-01-06 Thread dan (ddp)
On Mon, Jan 6, 2020 at 6:09 AM Pierre Gremaud  wrote:
>
> I'm trying to decode syslog messages sent by pfSense
>
> The log received in archives.log is the following :
>
> 2020 Jan 05 22:02:05 LAN-HIDS->192.168.85.40 Jan  5 21:02:05 php-fpm[338]: 
> /index.php: webConfigurator authentication error for user 'admin' from: 
> 192.168.85.1
>

So stripping the archives header from the log file, the log message
you need to test against is:
Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator
authentication error for user 'admin' from: 192.168.85.1

Later in your message you're testing against:
192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php:
webConfigurator authentication error for user 'admin' from:
192.168.85.1

So when the message comes into OSSEC it looks like the first one
(starting with Jan), but you're developing based on the second
(starting with the IP address).

Your decoders should look more like:


 php-fpm



  pfsense
  webConfigurator authentication error \.+ user '(\w+)' from:
(\d+.\d+.\d+.\d+)
  user, dstip


>
> The alert shown in kibana is the following :
>
>
> I created a custom decoder in local_decoder.xml
>
>
> 
>
>  \.+ php-fpm
>
> 
>
>
>
> 
>
>   pfsense
>
>   ^(\d+.\d+.\d+.\d+) \.+ webConfigurator authentication error \.+ user 
> '(\w+)' from: (\d+.\d+.\d+.\d+)
>
>   srcip, user, dstip
>
> 
>
>
> I created a custom rule in local_rules.xml
>
>
> 
>
>   
>
>   
>
> 2501
>
> pfsense
>
> Pfsense authentication error
>
> no_full_log
>
> 
>
> 
>
>
> The output from ossec-test is the following :
>
>
> **Phase 1: Completed pre-decoding.
>
>full event: '192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: 
> webConfigurator authentication error for user 'admin' from: 192.168.85.1'
>
>timestamp: '(null)'
>
>hostname: 'LAN-HIDS'
>
>program_name: '(null)'
>
>log: '192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: 
> webConfigurator authentication error for user 'admin' from: 192.168.85.1'
>
>
> **Phase 2: Completed decoding.
>
>decoder: 'pfsense'
>
>srcip: '192.168.85.40'
>
>dstuser: 'admin'
>
>dstip: '192.168.85.1'
>
>
> **Phase 3: Completed filtering (rules).
>
>Rule id: '100040'
>
>Level: '6'
>
>Description: 'Pfsense authentication error'
>
> **Alert to be generated.
>
>
> The alert generated in kibana still shows rule id 2501 and not 100040
>
>
>
>
>
> Any suggestions ?
>
>
>



Re: [ossec-list] Re: OSSEC 3.3.0 Install CentOS 8

2019-12-31 Thread dan (ddp)
On Tue, Dec 31, 2019 at 2:16 PM Natassia M Stelmaszek  wrote:

> Dan,
>
> I'm sorry that I didn't respond sooner but I had to devote time to other
> projects.
>
> So it looks like I was right, this is a defective (or perhaps deficient
> would be more accurate) package.  In order to get it to compile I had to
> download the source code from pcre.org and expand it into the directory
> where the install.sh script expected it to be.
>
> wget https://ftp.pcre.org/pub/pcre/pcre2-10.32.tar.gz
>
> cp pcre2-10.32.tar.gz ~/ossec-hids-3.3.0/src/external/
>
> cd ~/ossec-hids-3.3.0/src/external/
>
> tar -xvf pcre2-10.32.tar.gz
>
> It seems like someone should think about rebuilding the gzip file that is
> offered for download on the OSSEC web site.
>


That was one of the 2 solutions I provided in my original email.


>
>> Natassia
>>



Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-23 Thread dan (ddp)
Just a heads up, but that's a very old version. And it's not one I
imagine a lot of people want to support at this point.

On Mon, Dec 2, 2019 at 4:35 PM Natassia S  wrote:
>
> Yeah, I got rid of the copy that I made.
>
> I was able to install 2.8.3 on my new CentOS 8 machine.  :)
>
> Natassia
>
>
> On Mon, Dec 2, 2019 at 1:27 PM dan (ddp)  wrote:
>>
>>
>>
>> On Mon, Dec 2, 2019 at 3:56 PM Natassia S  wrote:
>>>
>>> Everything came out of 3.3.0.tar.gz
>>>
>>> I compared the contents and the same directory for 2.8.3 also has no pcre2 
>>> but it has a Makefile.  On a whim I put a copy of the 2.8.3 Makefile in the 
>>> 3.3.0 folder and got the same error.
>>
>>
>> The 2.8.3 Makefile would probably add more issues.
>>
>>>
>>> Natassia
>>>
>>> On Mon, Dec 2, 2019 at 12:33 PM dan (ddp)  wrote:
>>>>
>>>>
>>>>
>>>> On Mon, Dec 2, 2019 at 3:07 PM Natassia M Stelmaszek  wrote:
>>>>>
>>>>> Bad Installation Package???
>>>>>
>>>>> I'm trying to build a new machine that includes OSSEC 3.3.0.  When I run 
>>>>> the install.sh, use default responses for a local installation, it gives 
>>>>> me the following error.
>>>>>
>>>>> sudo ./install.sh
>>>>>
>>>>>
>>>>>
>>>>> - Running the Makefile
>>>>>
>>>>> cc  -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\" 
>>>>> -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\" 
>>>>> -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM 
>>>>> -I./external/pcre2-10.32//install/include/ -DPCRE2_STATIC -DUSE_PCRE2_JIT 
>>>>> -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/ -c 
>>>>> external/cJSON/cJSON.c -o external/cJSON/cJSON.o
>>>>>
>>>>> ar -crs libcJSON.a external/cJSON/cJSON.o
>>>>>
>>>>> ranlib libcJSON.a
>>>>>
>>>>> cd external/pcre2-10.32/ && \
>>>>>
>>>>> ./configure \
>>>>>
>>>>> 
>>>>> --prefix=/home/stelmn/ossec-hids-3.3.0/src/external/pcre2-10.32//install \
>>>>>
>>>>> --enable-jit \
>>>>>
>>>>> --disable-shared \
>>>>>
>>>>> --enable-static && \
>>>>>
>>>>> make install-libLTLIBRARIES install-nodist_includeHEADERS
>>>>>
>>>>> /bin/sh: line 0: cd: external/pcre2-10.32/: No such file or directory
>>>>>
>>>>> make: *** [Makefile:770: external/pcre2-10.32//install/lib/libpcre2-8.a] 
>>>>> Error 1
>>>>>
>>>>>
>>>>
>>>>
>>>> With that version of ossec you need to untar the pcre2 source in the above 
>>>> directory. Or you can install the devel package and set PCRE2_SYSTEM=y
>>>>
>>>>
>>>>>  Error 0x5.
>>>>>
>>>>>  Building error. Unable to finish the installation.
>>>>>
>>>>>
>>>>>
>>>>> I've verified that kernel-headers are installed, tried two different 
>>>>> machines and even tried updating an OSSEC installation on a CentOS 7 
>>>>> machine but I keep getting the same failure.  It appears that the script 
>>>>> is looking for pcre2 in the src directory but it doesn't exist.
>>>>>
>>>>>
>>>>> $ pwd
>>>>> /home/stelmn/Downloads/ossec-hids-3.3.0/src/external
>>>>> $ ls
>>>>> cJSON  lua  lua-5.2.3  zlib-1.2.11
>>>>>
>>>>> Is something missing from the download file or am I overlooking something?
>>>>>
>>>>> Natassia
>>>>>

Re: [ossec-list] remote secure logging

2019-12-23 Thread dan (ddp)
On Thu, Dec 5, 2019 at 6:05 AM Kyriakos Stavridis wrote:
>
> Hello everyone,
>
> Let's say I have a firewall that I want to configure to send its logs to my 
> OSSEC server.
>
> I know that I can simply configure my firewall to send logs to my OSSEC 
> server's IP and the ossec server like this:
>
> 
> syslog
> {FIREWALL_IP}
> 
>
> The thing is that this is an insecure connection and the logs are being sent 
> unencrypted.
>
> In OSSEC's documentation it states that there is also the 
> secure option that uses authentication and 
> encryption for the logs and receives logs at port 1514.
>
> I set my firewall to send remote logs to OSSEC server's IP:1514 but I am not 
> seeing the logs at archives.log (I check the traffic on 1514 port and I 
> indeed receive traffic from the firewall, although it's not logged)
>
> So I guess that the whole "secure" thing to work needs some kind of 
> authentication as I stated before.
>
> My question is how do I actually configure that? On the firewall, and on the 
> OSSEC server?
>
>

The secure option is for agents only. syslog logging is only sent
unencrypted. If your firewall supports it, you could send it to a
syslog daemon using tls and read the resulting files with OSSEC.

>
> Any answers or suggestions are appreciated!
>



Re: [ossec-list] Regular expresions

2019-12-20 Thread dan (ddp)
Newer versions of ossec support pcre2. That should work.

On Fri, Dec 20, 2019 at 2:22 PM Diego S  wrote:

> Hi all!
>
> I was wondering the best way to represent a digit between a range and if
> it is possible to indicate that a digit is going to be repeated a given
> number of times.
>
> For example a digit between 0 and 3, I mean 0, 1, 2 or 3; that's for the
> first question.
>
> For the second part, for example the digits between 0 and 3, repeated 14
> times. At the common regular expression it will be represented like
> (0-3){14}
>
> Thanks and Regards.
>
> Diego.
>



Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-02 Thread dan (ddp)
On Mon, Dec 2, 2019 at 3:56 PM Natassia S  wrote:

> Everything came out of 3.3.0.tar.gz
>
> I compared the contents and the same directory for 2.8.3 also has no pcre2
> but it has a Makefile.  On a whim I put a copy of the 2.8.3 Makefile in the
> 3.3.0 folder and got the same error.
>

The 2.8.3 Makefile would probably add more issues.


> Natassia
>
> On Mon, Dec 2, 2019 at 12:33 PM dan (ddp)  wrote:
>
>>
>>
>> On Mon, Dec 2, 2019 at 3:07 PM Natassia M Stelmaszek 
>> wrote:
>>
>>> Bad Installation Package???
>>>
>>> I'm trying to build a new machine that includes OSSEC 3.3.0.  When I run
>>> the install.sh, use default responses for a local installation, it gives me
>>> the following error.
>>>
>>> sudo ./install.sh
>>>
>>>
>>>
>>> - Running the Makefile
>>>
>>> cc  -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\"
>>> -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\"
>>> -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM
>>> -I./external/pcre2-10.32//install/include/ -DPCRE2_STATIC -DUSE_PCRE2_JIT
>>> -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/ -c
>>> external/cJSON/cJSON.c -o external/cJSON/cJSON.o
>>>
>>> ar -crs libcJSON.a external/cJSON/cJSON.o
>>>
>>> ranlib libcJSON.a
>>>
>>> cd external/pcre2-10.32/ && \
>>>
>>> ./configure \
>>>
>>> 
>>> --prefix=/home/stelmn/ossec-hids-3.3.0/src/external/pcre2-10.32//install
>>> \
>>>
>>> --enable-jit \
>>>
>>> --disable-shared \
>>>
>>> --enable-static && \
>>>
>>> make install-libLTLIBRARIES install-nodist_includeHEADERS
>>>
>>> /bin/sh: line 0: cd: external/pcre2-10.32/: No such file or directory
>>>
>>> make: *** [Makefile:770: external/pcre2-10.32//install/lib/libpcre2-8.a]
>>> Error 1
>>>
>>>
>>>
>>
>> With that version of ossec you need to untar the pcre2 source in the
>> above directory. Or you can install the devel package and set PCRE2_SYSTEM=y
>>
>>
>>  Error 0x5.
>>>
>>>  Building error. Unable to finish the installation.
>>>
>>>
>>> I've verified that kernel-headers are installed, tried two different
>>> machines and even tried updating an OSSEC installation on a CentOS 7
>>> machine but I keep getting the same failure.  It appears that the script is
>>> looking for pcre2 in the src directory but it doesn't exist.
>>>
>>>
>>> $ pwd
>>> /home/stelmn/Downloads/ossec-hids-3.3.0/src/external
>>> $ ls
>>> cJSON  lua  lua-5.2.3  zlib-1.2.11
>>>
>>> Is something missing from the download file or am I overlooking
>>> something?
>>>
>>> Natassia
>>>



Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-02 Thread dan (ddp)
On Mon, Dec 2, 2019 at 3:07 PM Natassia M Stelmaszek  wrote:

> Bad Installation Package???
>
> I'm trying to build a new machine that includes OSSEC 3.3.0.  When I run
> the install.sh, use default responses for a local installation, it gives me
> the following error.
>
> sudo ./install.sh
>
>
>
> - Running the Makefile
>
> cc  -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\"
> -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\"
> -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM
> -I./external/pcre2-10.32//install/include/ -DPCRE2_STATIC -DUSE_PCRE2_JIT
> -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/ -c
> external/cJSON/cJSON.c -o external/cJSON/cJSON.o
>
> ar -crs libcJSON.a external/cJSON/cJSON.o
>
> ranlib libcJSON.a
>
> cd external/pcre2-10.32/ && \
>
> ./configure \
>
> 
> --prefix=/home/stelmn/ossec-hids-3.3.0/src/external/pcre2-10.32//install
> \
>
> --enable-jit \
>
> --disable-shared \
>
> --enable-static && \
>
> make install-libLTLIBRARIES install-nodist_includeHEADERS
>
> /bin/sh: line 0: cd: external/pcre2-10.32/: No such file or directory
>
> make: *** [Makefile:770: external/pcre2-10.32//install/lib/libpcre2-8.a]
> Error 1
>
>
>

With that version of ossec you need to untar the pcre2 source in the above
directory. Or you can install the devel package and set PCRE2_SYSTEM=y


 Error 0x5.
>
>  Building error. Unable to finish the installation.
>
>
> I've verified that kernel-headers are installed, tried two different
> machines and even tried updating an OSSEC installation on a CentOS 7
> machine but I keep getting the same failure.  It appears that the script is
> looking for pcre2 in the src directory but it doesn't exist.
>
>
> $ pwd
> /home/stelmn/Downloads/ossec-hids-3.3.0/src/external
> $ ls
> cJSON  lua  lua-5.2.3  zlib-1.2.11
>
> Is something missing from the download file or am I overlooking something?
>
> Natassia
>



Re: [ossec-list] running processes without a binary on disk

2019-11-13 Thread dan (ddp)
On Thu, Nov 7, 2019 at 11:16 AM bill evergreen  wrote:
>
> Hello list,
>
> does Ossec alert if there are processes running without a binary on disk?
>
> Thank's a lot for any feedback
>

I don't think there's any rules for this.

> Bill
>



Re: [ossec-list] Re: Receiving Syslog from device but OSSEC not logging it

2019-11-13 Thread dan (ddp)
On Tue, Nov 12, 2019 at 7:56 PM Mike  wrote:
>
> Related to this, do you accept Pull Requests to add additional timestamp 
> formats to your pre-decoding? I forked and added a simple change to 
> cleanevent.c which has made my parsing much easier for a non-standard syslog 
> time format.
>

Yes, we do! Feel free to submit a pull request, and I'll get to it as
quickly as my schedule allows.

>
>
> On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:
>>
>> I believe I have found the issues using strace to find out what 
>> ossec-remoted was doing. I found:
>>
>> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have 
>> write permissions to /var/ossec/logs so ossec-remoted (which runs under user 
>> "ossecr") could not write anything
>> 2. After getting error logged to ossec.log, I found that I had simply 
>> entered the "allowed IP" incorrectly and so it was being blocked.
>>
>>
>> So as long as Ossec's own logging works, it's relatively simple to figure 
>> out the problem.
>>
>>
>> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>>
>>> Hello,
>>>
>>> I am new to OSSEC so bear with me. I have setup OSSEC using the VirtualBox 
>>> appliance and everything seemed to run nicely out of the box except...
>>> I am trying to setup OSSEC to monitor a Syslog from a firewall but I don't 
>>> see any references to those syslog entries. I have done the following:
>>>
>>> On the firewall, told it to send syslog files to the static IP of the OSSEC 
>>> server
>>> On the OSSEC server's ossec.conf added a  section with a 
>>> syslog and specified the allowed_ip
>>> Also in the ossec.conf, set logall to yes
>>> Tested incoming connection using tcpdump -A port 514  and I can see 
>>> syslog-like entries coming in
>>> Because the format is not quite standard syslog, I created a custom decoder 
>>> and tested it using ossec-logtest.
>>>
>>>
>>> Despite all of these steps (and restarting the service using "ossec-control 
>>> restart" multiple times) I still do not see any of the remote syslog 
>>> entries in the archive.log.
>>>
>>> Am I missing something obvious to make this work?
>



Re: [ossec-list] Re: Receiving Syslog from device but OSSEC not logging it

2019-11-13 Thread dan (ddp)
On Fri, Nov 8, 2019 at 2:47 PM Mike  wrote:
>
> I believe I have found the issues using strace to find out what ossec-remoted 
> was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have 
> write permissions to /var/ossec/logs so ossec-remoted (which runs under user 
> "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered 
> the "allowed IP" incorrectly and so it was being blocked.
>
>
> So as long as Ossec's own logging works, it's relatively simple to figure out 
> the problem.
>

Nice catch. The virtual appliance isn't really maintained, and I doubt
we'll see any updates going forward.

>
> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>
>> Hello,
>>
>> I am new to OSSEC so bear with me. I have setup OSSEC using the VirtualBox 
>> appliance and everything seemed to run nicely out of the box except...
>> I am trying to setup OSSEC to monitor a Syslog from a firewall but I don't 
>> see any references to those syslog entries. I have done the following:
>>
>> On the firewall, told it to send syslog files to the static IP of the OSSEC 
>> server
>> On the OSSEC server's ossec.conf added a  section with a 
>> syslog and specified the allowed_ip
>> Also in the ossec.conf, set logall to yes
>> Tested incoming connection using tcpdump -A port 514  and I can see 
>> syslog-like entries coming in
>> Because the format is not quite standard syslog, I created a custom decoder 
>> and tested it using ossec-logtest.
>>
>>
>> Despite all of these steps (and restarting the service using "ossec-control 
>> restart" multiple times) I still do not see any of the remote syslog entries 
>> in the archive.log.
>>
>> Am I missing something obvious to make this work?
>



Re: [ossec-list] Issues installing OSSEC 2.9.0 in Solaris 10

2019-10-24 Thread dan (ddp)
On Thu, Oct 24, 2019 at 12:08 AM 'Vicente Munoz' via ossec-list wrote:
>
> Hello everyone,
>
>
>
> Just wondering if someone has had some luck with this, we've been trying to 
> install OSSEC 2.9.0 on Solaris 10 with little luck to this point, after 
> making sure the required packages are installed an error comes up 
> during the compiling process, I can't remember this correctly but I recall 
> seeing something about the compiler recursively calling up something during 
> the process. If the exact error is needed I can try to reproduce, for 
> reference gcc and cc are installed on the machine.
>

That's a very old version of OSSEC. But we'll need more details to
have any idea why it's failing.

>
>
> Vicente Muñoz
>



Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-22 Thread dan (ddp)
On Tue, Oct 15, 2019 at 8:59 AM Nate  wrote:
>
> Looking at the syslog packets I see the Cisco ASA only uses local facility 
> codes but my Palo Alto uses User facility codes:
>
> 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP 
> (17), length 329)
> 10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
> Facility user (1), Severity info (6)
> Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 
> 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 
> 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap cfg 
> DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, initiated by: 
> 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
> 08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], proto 
> UDP (17), length 190)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
> Facility local4 (20), Severity warning (4)
> Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src 
> outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group 
> "outside_access_in" [0x0, 0x0]\0x0a
>
> I can't change the ASA to be anything other than local facility.
>

I don't see anything in the remoted code that cares about the facility.
If the IP isn't allowed, there should be a log message.

If you don't have the logall option set to "yes," it might be worth
turning it on to see if the messages make it to the archives.log file.

> On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>>
>> Hi Dan,
>>
>> Yes I restarted the OSSEC service with a: service OSSEC restart
>>
>> Right now the iptables are wide open due to this issue:
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target prot opt source   destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source   destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source   destination
>> # iptables -S
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>>
>> My full remote connections list is the following:
>>
>>   
>>syslog
>>10.10.10.0/23
>>10.10.2.2
>>10.10.39.2
>>10.10.6.2
>>10.10.9.1
>>192.168.2.0/24
>>514
>>   
>>
>> I will move up the 10.10.2.2 up above the /23 in case this is causing it but 
>> I know we are getting syslog events from all other sources.
>>
>> Maybe it's the Cisco packet?
>>
>> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Mon, Oct 14, 2019 at 3:03 PM Nate  wrote:
>>> >
>>> > Hi,
>>> >
>>> > I've never seen this before but I setup our ASA 5516 to send syslog 
>>> > events to our OSSEC server to detect SHUN events.
>>> >
>>> > ossec.conf
>>> >  
>>> >syslog
>>> >10.10.2.2
>>> >514
>>> >   
>>> >
>>> >   
>>> > 0
>>> > 9
>>> >   
>>> >
>>> >
>>> > local_rules.xml
>>> >
>>> > 
>>> >
>>> > 
>>> > 4100
>>> > ASA-4-73310\d|ASA-4-40100\d
>>> > ASA Shun event
>>> >
>>> > 
>>> >
>>> >
>>> > but reviewing the alerts, archives,database no events from our 10.10.2.2 
>>> > or ASA show up. Running tcpdump on ossec shows they are received by the 
>>> > server:
>>> >
>>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], 
>>> > proto UDP (17), length 140)
>>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>>> > Facility local0 (16), Severity warning (4)
>>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
>>> > 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], 
>>> > proto UDP (17), length 140)
>>> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
>>> > Facility local0 (16), Severity warning (4)
>>> > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
>>> > 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>>> >
>>> > If I copy out the Msg and paste it into ossec-logtest it does process it 
>>> > to my rule:
>>> >
>>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
>>> > ossec-testrule: Type one log per line.
>>> >
>>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
>>> > 87.106.71.108 on interface inside\0x0a
>>> >
>>> >
>>> > **Phase 1: Completed pre-decoding.
>>> >full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned 
>>> > packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>>> >hostname: 'EDT'
>>> >program_name: '(null)'
>>> >log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
>>> > 87.106.71.108 on interface inside\0x0a'
>>> >
>>> > **Phase 2: Completed decoding.
>>> >decoder: 'ASA-lanattk'
>>> >
>>> > **Phase 3: Completed filtering (rules).
>>> >Rule id: '100260'
>>> >Level: '9'
>>> >

Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them

2019-10-15 Thread dan (ddp)
On Mon, Oct 14, 2019 at 3:03 PM Nate  wrote:
>
> Hi,
>
> I've never seen this before but I setup our ASA 5516 to send syslog events to 
> our OSSEC server to detect SHUN events.
>
> ossec.conf
>  
>syslog
>10.10.2.2
>514
>   
>
>   
> 0
> 9
>   
>
>
> local_rules.xml
>
> 
>
> 
> 4100
> ASA-4-73310\d|ASA-4-40100\d
> ASA Shun event
>
> 
>
>
> but reviewing the alerts, archives,database no events from our 10.10.2.2 or 
> ASA show up. Running tcpdump on ossec shows they are received by the server:
>
> 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto 
> UDP (17), length 140)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> Facility local0 (16), Severity warning (4)
> Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto 
> UDP (17), length 140)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> Facility local0 (16), Severity warning (4)
> Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
>
> If I copy out the Msg and paste it into ossec-logtest it does process it to 
> my rule:
>
> [USER@ossec~]# /var/ossec/bin/ossec-logtest
> 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
> 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> ossec-testrule: Type one log per line.
>
> Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
> 87.106.71.108 on interface inside\0x0a
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 
> 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
>hostname: 'EDT'
>program_name: '(null)'
>log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 
> 87.106.71.108 on interface inside\0x0a'
>
> **Phase 2: Completed decoding.
>decoder: 'ASA-lanattk'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '100260'
>Level: '9'
>Description: 'ASA Shun event'
> **Alert to be generated.
>
> I see that UDP port 514 is running:
>
> [root@secserv ~]# netstat -anp | grep 514
> tcp0  0 127.0.0.1:3306  127.0.0.1:37514 
> ESTABLISHED 5542/mysqld
> tcp0  0 127.0.0.1:37514 127.0.0.1:3306  
> ESTABLISHED 29340/ossec-dbd
> udp0  0 :::1514 :::*  
>   29373/ossec-remoted
> udp0  0 :::514  :::*  
>   29372/ossec-remoted
>
>
> What obvious thing am I missing to setup an ASA to OSSEC? Our HP switches and 
> Palo Alto firewall are sending syslogs just fine.
>

After adding the system to allowed-ips, did you restart the OSSEC
processes on the OSSEC server?
Is there a host firewall (iptables) on the OSSEC server? Is 514/UDP
open to 10.10.2.2?

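The logtest output in this thread reports hostname: 'EDT' and program_name: '(null)' for the ASA line, which matters for any rule keyed on hostname or program name. The following added example (not code from the thread or from OSSEC) models that pre-decoding phase in Python on the posted line and runs the posted rule regex against the remaining text; the header-splitting logic is a simplified reimplementation, not OSSEC's own parser.

```python
import re
from typing import Dict, Optional

# Constructed copy of the message tcpdump showed on the wire; tcpdump printed
# the trailing newline as "\0x0a", which is not part of the event text.
ASA_LINE = ("Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: "
            "10.10.35.37 ==> 87.106.71.108 on interface inside")

# The <regex> from the posted rule 100260; \d means a digit in both dialects.
SHUN_RULE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")

# BSD syslog header "Mon DD HH:MM:SS " followed by the hostname token.
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# A program name is a token directly followed by ':' (optionally "[pid]").
PROGRAM = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?: ")
# Cisco ASA message marker: %ASA-<severity>-<6-digit id>:
ASA_ID = re.compile(r"%ASA-(\d)-(\d{6}):")


def predecode(line: str) -> Dict[str, Optional[str]]:
    """Simplified model of ossec-logtest's Phase 1 (pre-decoding): split the
    syslog header into hostname, program_name and the remaining log text."""
    m = SYSLOG_TS.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    rest = line[m.end():]
    # The first token after the timestamp is taken as the hostname. On the ASA
    # line that token is the timezone "EDT", which is why logtest reported
    # hostname: 'EDT' rather than 'fw1'.
    hostname, _, rest = rest.partition(" ")
    pm = PROGRAM.match(rest)
    if pm:
        return {"hostname": hostname, "program_name": pm.group(1),
                "log": rest[pm.end():]}
    # "fw1 :" has a space before the colon, so no program_name is recognised
    # and the log text starts at "fw1 : %ASA-...", as in the posted output.
    return {"hostname": hostname, "program_name": None, "log": rest}


def asa_message(log: str) -> Optional[Dict[str, object]]:
    """Pull severity and message id out of a %ASA-s-nnnnnn: marker; the
    severity digit is the same value tcpdump showed as 'Severity warning (4)'."""
    m = ASA_ID.search(log)
    if not m:
        return None
    return {"severity": int(m.group(1)), "msg_id": m.group(2)}


def matches_shun_rule(log: str) -> bool:
    """Would the posted rule 100260 fire on this decoded log text?"""
    return SHUN_RULE.search(log) is not None


if __name__ == "__main__":
    fields = predecode(ASA_LINE)
    print(fields)
    print(asa_message(fields["log"]), matches_shun_rule(fields["log"]))
```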


Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-14 Thread dan (ddp)
On Fri, Oct 11, 2019 at 8:56 AM Prashanthi Soundarajan
 wrote:
>
>
>
> On Friday, October 11, 2019 at 6:23:37 PM UTC+5:30, Prashanthi Soundarajan 
> wrote:
>>
>>
>>
>>>
>>> Do the new files you create show up in your syscheck database file?
>>> (/var/ossec/queue/syscheck/syscheck.db for the OSSEC server)
>>
>>
>>
>> I am not able to see the database file. I can see a file named
>> /var/ossec/queue/syscheck/syscheck
>>
>> Is that what you are referring to? If yes, then I am not able to see the newly
>> created file name in this file.
>
>

My memory failed me, that's the file.


>
>
> Kindly ignore the above response. I am able to view the newly created file
> in (/var/ossec/queue/syscheck/syscheck)
>
> +++25:33184:0:0:8f40752e7074f39fca815d476987bac5:2f06aa578c59786289dfa2b27c57e1aafbf9d489
>  !1570798265 /etc/prash
>

I'll have to test the alert new files functionality out. It worked
last time I tried it, but I haven't tried it recently.
Which version of OSSEC are you using?

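The record quoted above is one syscheck database line, and the question in this thread is whether a newly created file is present there at all. The following added example (not code from the thread or from OSSEC) parses a constructed copy of the posted record and searches a database dump for a path; it assumes the field order size:mode:uid:gid:md5:sha1 with the mode stored as a decimal st_mode, and the meaning of the `+++` prefix and of the timestamp are assumptions noted in the comments.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Union

# Constructed copy of the entry posted from /var/ossec/queue/syscheck/syscheck.
SYSCHECK_LINE = ("+++25:33184:0:0:8f40752e7074f39fca815d476987bac5:"
                 "2f06aa578c59786289dfa2b27c57e1aafbf9d489 !1570798265 /etc/prash")

# prefix size:mode:uid:gid:md5:sha1 !epoch path
ENTRY = re.compile(
    r"^(?P<prefix>[+!]{3})"
    r"(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<ts>\d+) (?P<path>\S.*)$"
)


def parse_syscheck_entry(line: str) -> Dict[str, Union[str, int]]:
    """Split one syscheck database line into its fields."""
    m = ENTRY.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a syscheck entry: " + line)
    f = m.groupdict()
    mode = int(f["mode"])            # decimal st_mode, e.g. 33184 == 0o100640
    return {
        # "+++" is taken to mean an entry not modified since it was recorded
        # (assumption about the prefix convention).
        "prefix": f["prefix"],
        "size": int(f["size"]),
        "mode": oct(mode),           # file type + permission bits
        "perm": oct(mode & 0o7777),  # permission bits only, e.g. '0o640'
        "uid": int(f["uid"]),
        "gid": int(f["gid"]),
        "md5": f["md5"],
        "sha1": f["sha1"],
        # The epoch value is assumed to be when the server recorded the entry.
        "recorded": datetime.fromtimestamp(int(f["ts"]), tz=timezone.utc).isoformat(),
        "path": f["path"],
    }


def find_entry(db_text: str, path: str) -> Optional[Dict[str, Union[str, int]]]:
    """Does a given file show up in the syscheck database dump? Lines that are
    not records (blank or otherwise unparseable) are skipped."""
    for line in db_text.splitlines():
        try:
            entry = parse_syscheck_entry(line)
        except ValueError:
            continue
        if entry["path"] == path:
            return entry
    return None


if __name__ == "__main__":
    print(parse_syscheck_entry(SYSCHECK_LINE))
```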


Re: [ossec-list] Custom Decoder

2019-10-14 Thread dan (ddp)
On Mon, Oct 14, 2019 at 9:54 AM Diego S  wrote:
>
> Hi!
>
> I tried with an updated version and I'm still getting the same error :S
>

That's Wazuh. I don't know enough about their project to help.

>
>
> On Sat., 12 Oct. 2019 at 9:12, dan (ddp) () wrote:
>>
>>
>>
>> On Fri, Oct 11, 2019 at 2:03 PM Diego S  wrote:
>>>
>>> I'm using the 2.0 version.
>>
>>
>> 2.0 is ancient. Not much I can do to help with that.
>>
>>>
>>> I'm not able to find the syntax error.
>>>
>>> Thanks!
>>>
>>> On Fri., 11 Oct. 2019 at 14:51, dan (ddp) () wrote:
>>>>
>>>> On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
>>>> >
>>>> > Thank you very much for your response.
>>>> > Let me know if I am wrong. The decoder will be like this:
>>>> >
>>>> > 
>>>> >   ^\d+\s\w\w\w\w\w, 
>>>> > 
>>>> >
>>>> > 
>>>> >   Brocade-format
>>>> >   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d 
>>>> > \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),
>>>> >   user,second
>>>> > 
>>>> >
>>>> > 
>>>> >   squid
>>>> >   ^\d+ \S+ 
>>>> >   ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
>>>> >   srcip,action,id,url
>>>> > 
>>>> >
>>>> > But I'm getting a syntax error and I don't know why or where.
>>>> >
>>>> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, 
>>>> > (\S+)/\S+(/\w+/\S+)': 6.
>>>> >
>>>>
>>>> I'm not sure what's wrong there. Which version of OSSEC are you using?
>>>>
>>>> > Thanks and regards!
>>>> >


Re: [ossec-list] Custom Decoder

2019-10-12 Thread dan (ddp)
On Fri, Oct 11, 2019 at 2:03 PM Diego S  wrote:

> I'm using the 2.0 version.
>

2.0 is ancient. Not much I can do to help with that.


> I'm not able to find the syntax error.
>
> Thanks!
>
> On Fri., 11 Oct. 2019 at 14:51, dan (ddp) ()
> wrote:
>
>> On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
>> >
>> > Thank you very much for your response.
>> > Let me know if I am wrong. The decoder will be like this:
>> >
>> > 
>> >   ^\d+\s\w\w\w\w\w, 
>> > 
>> >
>> > 
>> >   Brocade-format
>> >   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d
>> \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),
>> >   user,second
>> > 
>> >
>> > 
>> >   squid
>> >   ^\d+ \S+ 
>> >   ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
>> >   srcip,action,id,url
>> > 
>> >
>> > But I'm getting a syntax error and I don't know why or where.
>> >
>> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on
>> regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+,
>> (\S+)/\S+(/\w+/\S+)': 6.
>> >
>>
>> I'm not sure what's wrong there. Which version of OSSEC are you using?
>>
>> > Thanks and regards!
>> >


Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
>
> Thank you very much for your response.
> Let me know if I am wrong. The decoder will be like this:
>
> 
>   ^\d+\s\w\w\w\w\w, 
> 
>
> 
>   Brocade-format
>   ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), 
> \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),
>   user,second
> 
>
> 
>   squid
>   ^\d+ \S+ 
>   ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) 
>   srcip,action,id,url
> 
>
> But I'm getting a syntax error and I don't know why or where.
>
> 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, 
> (\S+)/\S+(/\w+/\S+)': 6.
>

I'm not sure what's wrong there. Which version of OSSEC are you using?

> Thanks and regards!
>


Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
I'm sure it can be cleaned up a lot

On Fri, Oct 11, 2019 at 12:06 PM dan (ddp)  wrote:
>
> On Fri, Oct 11, 2019 at 11:49 AM Diego S  wrote:
> >
> > Hi everyone!
> >
> > I'm wondering if we already have on OSSEC a custom decoder according to this
> > kind of log to get the red values.
> >
> > 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, 
> > diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, 
> > ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful 
> > login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
> >
>
> Running this through ossec-logtest gives me this:
> **Phase 1: Completed pre-decoding.
>full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
> INFO, SECURITY,
> diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
> Successful login attempt via REMOTE, IP Addr:
> pivonox.prod.pci.elan.red.com.uy.'
>hostname: 'ix'
>program_name: '(null)'
>log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
> SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
> Successful login attempt via REMOTE, IP Addr:
> pivonox.prod.pci.elan.red.com.uy.'
>
> **Phase 2: Completed decoding.
>decoder: 'squid-accesslog'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '35000'
>Level: '0'
>Description: 'Squid messages grouped.'
>
> I get the same output with and without your custom decoder. You'll
> need to put your decoder before the squid decoder.
>

I put this before the squid-accesslog decoder in decoder.xml:

  ^\d+\s\w\w\w\w\w, 


  Brocade-format
  
  ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d
\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),
  user,second


Now I get the following output:
**Phase 1: Completed pre-decoding.
   full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
   hostname: 'ix'
   program_name: '(null)'
   log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
   decoder: 'Brocade-format'
   dstuser: 'diego.gonzales'
   second: '/ssh/CLI'

I'm sure it can be cleaned up a lot, and using pcre2 might make it even better.

> >
> > I tried to do a custom one, but without success.
> >
> >
> > I'll leave here what I've done.
> >
> >
> >
> > This one is getting the "1022 Audit" to discriminate the one I need from the
> > rest.
> >
> >
> > 
> >
> >   ^\d+\s\w\w\w\w
> >
> > 
> >
> >
> > .
> >
> >
> > And here is where I'm trying to get the underlined red values at the
> > beginning of the text, but I'm not sure:
> >
> >
> > -The type of the log I have to use, or if it is necessary
> >
> > -The "order" value i have tho use to take this both red values.
> >
> > -The structure of the decoder.
> >
> >
> > 
> >
> >   Brocade-format
> >
> >   -
> >
> >> offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*
> >
> >   -
> >
> > 
> >
> >
> >
> > Thanks and Regards!
> >
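Dan's decoder above yields dstuser 'diego.gonzales' and second '/ssh/CLI', which a PCRE-style engine would not: OSSEC's regex dialect has its own character classes, and its `+` stops at the shortest run that lets the rest of the pattern succeed. The following added example (not code from the thread or from OSSEC) translates the OSSEC dialect to Python, re-runs the posted prematch and regex on the posted Brocade line with offset after_parent semantics, shows what greedy matching would return instead, and flags the stray `)` in the `/S+)` of the first decoder Diego posted. Modelling OSSEC's matcher with lazy quantifiers is an assumption that reproduces the posted output, not a port of os_regex.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the Brocade audit line from the thread.
BROCADE_LOG = (
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: "
    "Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy."
)

# Dan's working decoder: parent prematch, child regex (offset after_parent), order.
PARENT_PREMATCH = r"^\d+\s\w\w\w\w\w, "
CHILD_REGEX = (r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, "
               r"(\S+)/\S+(/\w+/\S+),")
ORDER = ("user", "second")

# The first version posted in the thread, with the stray ')' in "/S+)".
POSTED_BROKEN_REGEX = (r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], "
                       r"\S+, \S+, /S+)/\S+(/\w+/\S+),")

# OSSEC escape classes, as listed in the OSSEC regex syntax documentation.
_CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9_@-]",
    "s": " ",
    "S": "[^ ]",
    "D": "[^0-9]",
    "W": "[^A-Za-z0-9_@-]",
    "t": "\t",
    ".": ".",                      # OSSEC "\." means any character
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&{}|]""",
}


def ossec_to_python(pattern: str, lazy: bool = True) -> str:
    r"""Translate an OSSEC-dialect regex into a Python regex.

    lazy=True models OSSEC's shortest-match behaviour for '+' and '*' (the
    behaviour visible in the posted output, where (\S+)/ captured
    'diego.gonzales' and not 'diego.gonzales/user'); lazy=False gives
    PCRE-style greedy matching for comparison.
    """
    out: List[str] = []
    depth = 0
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("pattern ends with a lone backslash")
            esc = pattern[i]
            # Known classes expand; any other escaped char (\( \[ ...) is literal.
            out.append(_CLASSES.get(esc, re.escape(esc)))
        elif c in "+*":
            out.append(c + ("?" if lazy else ""))
        elif c == "(":
            depth += 1
            out.append(c)
        elif c == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            out.append(c)
        elif c in "^$|":
            out.append(c)
        else:
            out.append(re.escape(c))   # everything else is literal in OSSEC
        i += 1
    if depth:
        raise ValueError("unclosed '('")
    return "".join(out)


def syntax_error(pattern: str) -> Optional[str]:
    """Describe the first problem found in an OSSEC regex, or None if it parses."""
    try:
        re.compile(ossec_to_python(pattern))
    except (ValueError, re.error) as exc:
        return str(exc)
    return None


def decode(log: str, prematch: str, regex: str, order: Tuple[str, ...],
           lazy: bool = True) -> Optional[Dict[str, str]]:
    """Apply a parent prematch and a child regex with offset="after_parent":
    the child regex runs on the text that follows what the prematch consumed."""
    pm = re.search(ossec_to_python(prematch, lazy), log)
    if pm is None:
        return None
    m = re.search(ossec_to_python(regex, lazy), log[pm.end():])
    if m is None:
        return None
    return dict(zip(order, m.groups()))


if __name__ == "__main__":
    print(decode(BROCADE_LOG, PARENT_PREMATCH, CHILD_REGEX, ORDER))
    print(decode(BROCADE_LOG, PARENT_PREMATCH, CHILD_REGEX, ORDER, lazy=False))
    print(syntax_error(POSTED_BROKEN_REGEX))
```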


Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 11:49 AM Diego S  wrote:
>
> Hi everyone!
>
> I'm wondering if we already have on OSSEC a custom decoder according to this
> kind of log to get the red values.
>
> 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, 
> diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, 
> ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login 
> attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
>

Running this through ossec-logtest gives me this:
**Phase 1: Completed pre-decoding.
   full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020],
INFO, SECURITY,
diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'
   hostname: 'ix'
   program_name: '(null)'
   log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO,
SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI,
ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info:
Successful login attempt via REMOTE, IP Addr:
pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
   decoder: 'squid-accesslog'

**Phase 3: Completed filtering (rules).
   Rule id: '35000'
   Level: '0'
   Description: 'Squid messages grouped.'

I get the same output with and without your custom decoder. You'll
need to put your decoder before the squid decoder.

>
> I tried to do a custom one, but without success.
>
>
> I'll leave here what I've done.
>
>
>
> This one is getting the "1022 Audit" to discriminate the one I need from the
> rest.
>
>
> 
>
>   ^\d+\s\w\w\w\w
>
> 
>
>
> .
>
>
> And here is where I'm trying to get the underlined red values at the beginning
> of the text, but I'm not sure:
>
>
> -The type of the log I have to use, or if it is necessary
>
> -The "order" value i have tho use to take this both red values.
>
> -The structure of the decoder.
>
>
> 
>
>   Brocade-format
>
>   -
>
>offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*
>
>   -
>
> 
>
>
>
> Thanks and Regards!
>


Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 7:53 AM Prashanthi Soundarajan
 wrote:
>
>
>
>>
>> All the samples are from the alerts you say you are getting emails
>> for. The important alerts to look for are the ones you're not getting
>> emails for.
>> Assuming those exist in the alerts.log file, check your smtp server's
>> mail logs. Perhaps it's discarding the messages or they aren't getting
>> transferred properly?
>>
>
>
> No, those alerts are not in alerts.log. For example, if I test creating a new
> file in the specified directory, I am not able to see logs in alert.log,
> so I guess there is less possibility that they aren't getting transferred
> properly when the logs are not actually in alert.log.

If they are not in the alerts.log file, then they won't get emailed.

Do the new files you create show up in your syscheck database file?
(/var/ossec/queue/syscheck/syscheck.db for the OSSEC server)



Re: [ossec-list] About active responses

2019-10-11 Thread dan (ddp)
On Thu, Oct 10, 2019 at 5:10 AM Kyriakos Stavridis
 wrote:
>
> Hey guys,
>
> Can I have an active response only activated for a specific agent? (active
> response's location is on ossec server)
>
> Example:
> I have agent1 and agent2, I have 2 active responses AR1 and AR2. I want AR1 
> to be triggered only by agent1 events and AR2 to be triggered only by agent2 
> events.
> Is this possible?
>

I can't think of a way to do this off the top of my head.

> Example config:
> 
>   commandname1
>   server
>   // some config here? specifying agent1
>   3
> 
>
> 
>   commandname2
>   server
>   // some config here? specifying agent2
>   3
> 
>
> Thanks! have a nice day!
>


Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread dan (ddp)
On Thu, Oct 10, 2019 at 9:24 AM Prashanthi Soundarajan
 wrote:
>
>
> Yes, I am able to see the alerts which I mentioned ("Level 2 - Unknown problem
> somewhere in the system", "Level 8 - Log file size reduced", "Level 7 -
> Integrity checksum changed.", "Level 13 - Non standard syslog message") in
> /var/ossec/logs/alerts/alerts.log
>
> Sample:
>
> ** Alert 1570713203.436414: mail  - syslog,errors,
> 2019 Oct 10 13:13:23 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: 
> /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in
>  `transmit' : This dangerous monkey patch leaves you open to MITM attacks! 
> (StandardWarning)
>
> ** Alert 1570713205.436799: mail  - syslog,errors,
> 2019 Oct 10 13:13:25 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: 
> /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in
>  `transmit' : This dangerous monkey patch leaves you open to MITM attacks! 
> (StandardWarning)
>
> ** Alert 1570713207.437184: mail  - syslog,errors,
> 2019 Oct 10 13:13:27 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: 
> /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in
>  `transmit' : This dangerous monkey patch leaves you open to MITM attacks! 
> (StandardWarning)

All the samples are from the alerts you say you are getting emails
for. The important alerts to look for are the ones you're not getting
emails for.
Assuming those exist in the alerts.log file, check your smtp server's
mail logs. Perhaps it's discarding the messages or they aren't getting
transferred properly?



Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread dan (ddp)
On Thu, Oct 10, 2019 at 8:54 AM Prashanthi Soundarajan
 wrote:
>
> Yes, I am getting email alerts like " Level 2 - Unknown problem somewhere in 
> the system","
> Level 8 - Log file size reduced","Level 7 - Integrity checksum changed."," 
> Level 13 - Non standard syslog message"
>
> I am not getting alerts for new file creation/Deletion/Modification
>

Are these alerts getting triggered (check /var/ossec/logs/alerts/alerts.log)?

> On Thursday, October 10, 2019 at 6:17:54 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Thu, Oct 10, 2019 at 7:02 AM Prashanthi Soundarajan
>>  wrote:
>> >
>> >
>> >
>> > On Thursday, October 10, 2019 at 3:57:41 PM UTC+5:30, Prashanthi 
>> > Soundarajan wrote:
>> >>
>> >> ossec.conf
>> >> ___
>> >>
>> >> 
>> >>   
>> >> yes
>> >> my email
>> >> 127.0.0.1
>> >> ossecm@fcappiee
>> >> yes
>> >>   
>> >>
>> >>   
>> >> my email
>> >> 550, 553, 554
>> >> 
>> >>   
>> >>
>> >>   
>> >> rules_config.xml
>> >> pam_rules.xml
>> >> sshd_rules.xml
>> >> telnetd_rules.xml
>> >> syslog_rules.xml
>> >> arpwatch_rules.xml
>> >> symantec-av_rules.xml
>> >> symantec-ws_rules.xml
>> >> pix_rules.xml
>> >> named_rules.xml
>> >> smbd_rules.xml
>> >> vsftpd_rules.xml
>> >> pure-ftpd_rules.xml
>> >> proftpd_rules.xml
>> >> ms_ftpd_rules.xml
>> >> ftpd_rules.xml
>> >> hordeimp_rules.xml
>> >> roundcube_rules.xml
>> >> wordpress_rules.xml
>> >> cimserver_rules.xml
>> >> vpopmail_rules.xml
>> >> vmpop3d_rules.xml
>> >> courier_rules.xml
>> >> web_rules.xml
>> >> web_appsec_rules.xml
>> >> apache_rules.xml
>> >> nginx_rules.xml
>> >> php_rules.xml
>> >> mysql_rules.xml
>> >> postgresql_rules.xml
>> >> ids_rules.xml
>> >> squid_rules.xml
>> >> firewall_rules.xml
>> >> apparmor_rules.xml
>> >> cisco-ios_rules.xml
>> >> netscreenfw_rules.xml
>> >> sonicwall_rules.xml
>> >> postfix_rules.xml
>> >> sendmail_rules.xml
>> >> imapd_rules.xml
>> >> mailscanner_rules.xml
>> >> dovecot_rules.xml
>> >> ms-exchange_rules.xml
>> >> racoon_rules.xml
>> >> vpn_concentrator_rules.xml
>> >> spamd_rules.xml
>> >> msauth_rules.xml
>> >> mcafee_av_rules.xml
>> >> trend-osce_rules.xml
>> >> ms-se_rules.xml
>> >> 
>> >> zeus_rules.xml
>> >> solaris_bsm_rules.xml
>> >> vmware_rules.xml
>> >> ms_dhcp_rules.xml
>> >> asterisk_rules.xml
>> >> ossec_rules.xml
>> >> attack_rules.xml
>> >> openbsd_rules.xml
>> >> clam_av_rules.xml
>> >> dropbear_rules.xml
>> >> sysmon_rules.xml
>> >> opensmtpd_rules.xml
>> >> exim_rules.xml
>> >> local_rules.xml
>> >>   
>> >>
>> >>   
>> >> 
>> >> 60
>> >> yes
>> >> 
>> >> > >> check_all="yes">/etc,/usr/bin,/usr/sbin,/data,/home,/opt
>> >> > >> check_all="yes">/bin,/sbin,/boot,/dev,/null,/lib,/media,/proc,/srv,/mnt
>> >>
>> >> 
>> >> /etc/mtab
>> >> /etc/mnttab
>> >> /etc/hosts.deny
>> >> /etc/mail/statistics
>> >> /etc/random-seed
>> >> /etc/adjtime
>> >> /etc/httpd/logs
>> >> /etc/utmpx
>> >> /etc/wtmpx
>> >> /etc/cups/certs
>> >> /etc/dumpdates
>> >> /etc/svc/volatile
>> >> /data/helpkit/shared/log
>> >> /data/haystack-shipper/logs
>> >> /data/haystack-shipper/data
>> >> /data/helpkit/shared/tmp/cache
>> >> /data/helpkit/current/log
>> >> /dev/pts
>> >> /dev/null
>> >> /dev/tty
>> >> /etc/blkid/blkid.tab
>> >> /etc/sudoers
>> >> /opt/confd/confd.txt
>> >> /var/log
>> >> /opt/SumoCollector/config
>> >> /opt/SumoCollector/logs
>> >> /var/lib
>> >> /var/run
>> >> /var/spool
>> >> /var/cache
>> >> /tmp
>> >> /var/log
>> >> /var/ossec
>> >> /home/^/.ssh
>> >> /home/^/.bash_history
>> >> /opt/aws/opsworks/releases
>> >> /root/.bash_history
>> >> /root/.monit.state
>> >> /root/.viminfo
>> >> /root/.viminfo.tmp
>> >> /dev/char
>> >>
>> >>
>> >> 
>> >>
>> >>  
>> >>   60
>> >>   no
>> >>   yes
>> >>   yes
>> >>   yes
>> >>   yes
>> >>   yes
>> >>   yes
>> >>   yes
>> >>   yes
>> >>   
>> >> /var/ossec/etc/shared/rootkit_files.txt
>> >>   
>> >> /var/ossec/etc/shared/rootkit_trojans.txt
>> >>   
>> >> /var/ossec/etc/shared/system_audit_rcl.txt
>> >>   
>> >> /var/ossec/etc/shared/cis_debian_linux_rcl.txt
>> >>   
>> >> /var/ossec/etc/shared/cis_rhel_linux_rcl.txt
>> >>   
>> >> /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
>> >>  
>> >>
>> >>  
>> >> 7
>> >> 7
>> >>  
>> >>
>> >> 
>> >>
>> >> **
>> >>
>> >> local_rules.xml
>> >> ___
>> >>
>> >> 
>> >>   
>> >>ossec
>> >>syscheck_new_entry
>> >>File added to the system.
>> >>syscheck,
>> >>   
>> >> 
>> >>
>> >>

Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread dan (ddp)
On Thu, Oct 10, 2019 at 7:02 AM Prashanthi Soundarajan
 wrote:
>
>
>
> On Thursday, October 10, 2019 at 3:57:41 PM UTC+5:30, Prashanthi Soundarajan 
> wrote:
>>
>> ossec.conf
>> ___
>>
>> 
>>   
>> yes
>> my email
>> 127.0.0.1
>> ossecm@fcappiee
>> yes
>>   
>>
>>   
>> my email
>> 550, 553, 554
>> 
>>   
>>
>>   
>> rules_config.xml
>> pam_rules.xml
>> sshd_rules.xml
>> telnetd_rules.xml
>> syslog_rules.xml
>> arpwatch_rules.xml
>> symantec-av_rules.xml
>> symantec-ws_rules.xml
>> pix_rules.xml
>> named_rules.xml
>> smbd_rules.xml
>> vsftpd_rules.xml
>> pure-ftpd_rules.xml
>> proftpd_rules.xml
>> ms_ftpd_rules.xml
>> ftpd_rules.xml
>> hordeimp_rules.xml
>> roundcube_rules.xml
>> wordpress_rules.xml
>> cimserver_rules.xml
>> vpopmail_rules.xml
>> vmpop3d_rules.xml
>> courier_rules.xml
>> web_rules.xml
>> web_appsec_rules.xml
>> apache_rules.xml
>> nginx_rules.xml
>> php_rules.xml
>> mysql_rules.xml
>> postgresql_rules.xml
>> ids_rules.xml
>> squid_rules.xml
>> firewall_rules.xml
>> apparmor_rules.xml
>> cisco-ios_rules.xml
>> netscreenfw_rules.xml
>> sonicwall_rules.xml
>> postfix_rules.xml
>> sendmail_rules.xml
>> imapd_rules.xml
>> mailscanner_rules.xml
>> dovecot_rules.xml
>> ms-exchange_rules.xml
>> racoon_rules.xml
>> vpn_concentrator_rules.xml
>> spamd_rules.xml
>> msauth_rules.xml
>> mcafee_av_rules.xml
>> trend-osce_rules.xml
>> ms-se_rules.xml
>> 
>> zeus_rules.xml
>> solaris_bsm_rules.xml
>> vmware_rules.xml
>> ms_dhcp_rules.xml
>> asterisk_rules.xml
>> ossec_rules.xml
>> attack_rules.xml
>> openbsd_rules.xml
>> clam_av_rules.xml
>> dropbear_rules.xml
>> sysmon_rules.xml
>> opensmtpd_rules.xml
>> exim_rules.xml
>> local_rules.xml
>>   
>>
>>   
>> 
>> 60
>> yes
>> 
>> > check_all="yes">/etc,/usr/bin,/usr/sbin,/data,/home,/opt
>> > check_all="yes">/bin,/sbin,/boot,/dev,/null,/lib,/media,/proc,/srv,/mnt
>>
>> 
>> /etc/mtab
>> /etc/mnttab
>> /etc/hosts.deny
>> /etc/mail/statistics
>> /etc/random-seed
>> /etc/adjtime
>> /etc/httpd/logs
>> /etc/utmpx
>> /etc/wtmpx
>> /etc/cups/certs
>> /etc/dumpdates
>> /etc/svc/volatile
>> /data/helpkit/shared/log
>> /data/haystack-shipper/logs
>> /data/haystack-shipper/data
>> /data/helpkit/shared/tmp/cache
>> /data/helpkit/current/log
>> /dev/pts
>> /dev/null
>> /dev/tty
>> /etc/blkid/blkid.tab
>> /etc/sudoers
>> /opt/confd/confd.txt
>> /var/log
>> /opt/SumoCollector/config
>> /opt/SumoCollector/logs
>> /var/lib
>> /var/run
>> /var/spool
>> /var/cache
>> /tmp
>> /var/log
>> /var/ossec
>> /home/^/.ssh
>> /home/^/.bash_history
>> /opt/aws/opsworks/releases
>> /root/.bash_history
>> /root/.monit.state
>> /root/.viminfo
>> /root/.viminfo.tmp
>> /dev/char
>>
>>
>> 
>>
>>  
>>   60
>>   no
>>   yes
>>   yes
>>   yes
>>   yes
>>   yes
>>   yes
>>   yes
>>   yes
>>   /var/ossec/etc/shared/rootkit_files.txt
>>   
>> /var/ossec/etc/shared/rootkit_trojans.txt
>>   /var/ossec/etc/shared/system_audit_rcl.txt
>>   
>> /var/ossec/etc/shared/cis_debian_linux_rcl.txt
>>   
>> /var/ossec/etc/shared/cis_rhel_linux_rcl.txt
>>   
>> /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
>>  
>>
>>  
>> 7
>> 7
>>  
>>
>> 
>>
>> **
>>
>> local_rules.xml
>> ___
>>
>> 
>>   
>>ossec
>>syscheck_new_entry
>>File added to the system.
>>syscheck,
>>   
>> 
>>
>>
>> I am not getting email alert if a file is modified / added / deleted to my 
>> system.
>
> Installation type : Local
> OS : Amazon Linux
>

Are you getting any email alerts?


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrVuFG1Zv-hc%2BwbBPWZ0354sNqJWPDhvT%2B23vz9ZsyxHw%40mail.gmail.com.
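For readers following the FIM question above, the following is an added example, not the poster's own files (whose XML tags were lost in the archive). It shows how the pieces quoted there fit together: a local_rules.xml that copies stock rule 554 with a higher level, and the ossec.conf alert thresholds and granular email block. Addresses are placeholders; the rule ids and the stock levels of 550, 553 and 554 are the ones shipped in OSSEC's ossec_rules.xml, and `overwrite="yes"` tells ossec-analysisd to replace the shipped rule rather than define a duplicate.

```xml
<!-- local_rules.xml (added example): make syscheck "file added" events
     reach the email threshold. Stock rule 554 ships at level 0 and is only
     generated when syscheck has <alert_new_files>yes</alert_new_files>.
     Raising it to 7 puts it level with 550 (checksum changed) and 553
     (file deleted), which are already level 7 in the stock rules. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>

<!-- ossec.conf (added example): thresholds and granular FIM email.
     email_alert_level 7 mirrors the quoted config; log_alert_level is set
     lower here on purpose so that sub-threshold events still land in
     alerts.log while you are debugging delivery. The address is a
     placeholder. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to>fim-alerts@example.org</email_to>
    <rule_id>550, 553, 554</rule_id>
    <!-- send these immediately instead of waiting for the grouping timer -->
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

After editing, run `/var/ossec/bin/ossec-logtest` to confirm the rule set still loads, then restart and check `/var/ossec/logs/alerts/alerts.log` for the level-7 syscheck events before suspecting mail delivery: with `log_alert_level` at 7, as in the quoted config, anything below that level never reaches alerts.log, so a silent rule and a broken mail path look identical from the inbox.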


Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.

2019-10-08 Thread dan (ddp)
On Tue, Oct 8, 2019 at 11:42 AM Jerry Lowry  wrote:
>
> Dan,
> Well, my test system has been running since last Thursday without any database 
> problems. I installed MariaDB 13.4. Still not getting email to work but will 
> continue to check on that.
> So, if the MySQL database has an agent table and you don't add any agents to 
> it, why is it there?
>

I can't say for sure (I didn't write it). But my assumption is that
this was for a planned feature that never materialized.
My "never" response wasn't quite right. I guess it should have been
"whenever someone adds that feature."
I'd like to do some work in dbd, but I don't have a lot of time. I
feel like the time I do have would be better spent elsewhere right
now.

> jerry
>
> On Thu, Oct 3, 2019 at 10:12 AM dan (ddp)  wrote:
>>
>> On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry  wrote:
>> >
>> > Dan,
>> > trying to add the agent I get this:
>> > ***
>> > * OSSEC HIDS v3.3.0 Agent manager. *
>> > * The following options are available: *
>> > 
>> >(I)mport key from the server (I).
>> >(Q)uit.
>> > Choose your action: I or Q: i
>> >
>> > * Provide the Key generated by the server.
>> > * The best approach is to cut and paste it.
>> > *** OBS: Do not include spaces or new lines.
>> >
>> > Paste it here (or '\q' to quit): 
>> > Agent information:
>> >ID:002
>> >Name:tcpdiag
>> >IP Address:10.10.10.29
>> >
>> > Confirm adding it?(y/n): y
>> > Not Adding.
>> >
>>
>> That's very odd, haven't seen that. I only see 2 places in the source
>> for that, and both assume the user didn't type y or Y.
>>
>> > Also, when does the agent get added to the database?  If it's done on the 
>> > server the manage_agents is not working!
>>
>> The mysql database? Never.
>>
>> > jerry
>> >
>> > On Wed, Oct 2, 2019 at 4:55 PM dan (ddp)  wrote:
>> >>
>> >> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
>> >> >
>> >> > Well, I have the agent running and the server running but they are not 
>> >> > talking.  From the agent log file :
>> >> > Started ossec-agentd...
>> >> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not 
>> >> > accepted from the manager. Ignoring it on the agent.conf
>> >> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration 
>> >> > error at '/var/ossec/etc/shared/agent.conf'. Exiting.
>> >> > Started ossec-logcollector...
>> >>
>> >> Start removing configurations from the agent.conf until you find the 
>> >> right one.
>> >>
>> >> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 
>> >> > 10.10.10.108, port 1514.
>> >> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 
>> >> > 10.10.10.108, port 1514
>> >> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message 
>> >> > to 'server'.
>> >> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message 
>> >> > to 'server'.
>> >> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply 
>> >> > (not started). Tried: '10.10.10.108'.
>> >> >
>> >> > I get this message but it does not say what the error is?
>> >> >
>> >> > How do they communicate?
>> >> >
>> >>
>> >> UDP port 1514. This needs to be not blocked by iptables on the server 
>> >> side.
>> >>
>> >> > From the server log file:
>> >> >
>> >> > 2019/10/02 15:21:42 INFO: Connected to 
>> >> > west.smtp.exch083.serverdata.net. at address 199.193.205.130, port 25
>> >> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by 
>> >> > server - 'jlo...@edt.com'.
>> >> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to 
>> >> > west.smtp.exch083.serverdata.net. (smtp server)
>> >> >
>> >> > How can you specify the smtp port and connection security?
>> >> >
>> >>
>> >> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
>> >> local mail server to relay the emails.
>> >>
>

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.

2019-10-03 Thread dan (ddp)
On Thu, Oct 3, 2019 at 12:09 PM Jerry Lowry  wrote:
>
> Dan,
> trying to add the agent I get this:
> ***
> * OSSEC HIDS v3.3.0 Agent manager. *
> * The following options are available: *
> 
>(I)mport key from the server (I).
>(Q)uit.
> Choose your action: I or Q: i
>
> * Provide the Key generated by the server.
> * The best approach is to cut and paste it.
> *** OBS: Do not include spaces or new lines.
>
> Paste it here (or '\q' to quit): 
> Agent information:
>ID:002
>Name:tcpdiag
>IP Address:10.10.10.29
>
> Confirm adding it?(y/n): y
> Not Adding.
>

That's very odd, haven't seen that. I only see 2 places in the source
for that, and both assume the user didn't type y or Y.

> Also, when does the agent get added to the database?  If it's done on the 
> server the manage_agents is not working!

The mysql database? Never.

> jerry
>
> On Wed, Oct 2, 2019 at 4:55 PM dan (ddp)  wrote:
>>
>> On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
>> >
>> > Well, I have the agent running and the server running but they are not 
>> > talking.  From the agent log file :
>> > Started ossec-agentd...
>> > 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted 
>> > from the manager. Ignoring it on the agent.conf
>> > 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error 
>> > at '/var/ossec/etc/shared/agent.conf'. Exiting.
>> > Started ossec-logcollector...
>>
>> Start removing configurations from the agent.conf until you find the right 
>> one.
>>
>> > 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 
>> > 10.10.10.108, port 1514.
>> > 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 
>> > 10.10.10.108, port 1514
>> > 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to 
>> > 'server'.
>> > 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to 
>> > 'server'.
>> > 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply 
>> > (not started). Tried: '10.10.10.108'.
>> >
>> > I get this message but it does not say what the error is?
>> >
>> > How do they communicate?
>> >
>>
>> UDP port 1514. This needs to be not blocked by iptables on the server side.
>>
>> > From the server log file:
>> >
>> > 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net. 
>> > at address 199.193.205.130, port 25
>> > 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by 
>> > server - 'jlo...@edt.com'.
>> > 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to 
>> > west.smtp.exch083.serverdata.net. (smtp server)
>> >
>> > How can you specify the smtp port and connection security?
>> >
>>
>> ossec-maild doesn't do tls, auth, or custom ports. I usually use the
>> local mail server to relay the emails.
>>
>> > thanks
>> >
>> > On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry  wrote:
>> >>
>> >> Dan,
>> >> I have noticed that when the application is started and there are errors 
>> >> like :
>> >> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 
>> >> 'format': sms.
>> >> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database 
>> >> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to 
>> >> database 'ossec'.
>> >>
>> >> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the 
>> >> book specifies the use of 'format' sms for email alerts but it says it's 
>> >> an invalid value.
>> >>
>> >> jerry
>> >>
>> >> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>> >>>
>> >>> thanks Dan!
>> >>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off 
>> >>> and running.  This is my test VM where I installed MariaDB.  I will add 
>> >>> an agent to it and see if it has the same problem as my physical server.
>> >>>
>> >>> jerry
>> >>>
>> >>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>> >>>>
>> >>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  
>> >>>> wrote:
>> >>>> >
>> >>>&g

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.

2019-10-02 Thread dan (ddp)
On Wed, Oct 2, 2019 at 6:32 PM Jerry Lowry  wrote:
>
> Well, I have the agent running and the server running but they are not 
> talking.  From the agent log file :
> Started ossec-agentd...
> 2019/10/02 15:24:23 ossec-logcollector: Remote commands are not accepted from 
> the manager. Ignoring it on the agent.conf
> 2019/10/02 15:24:23 ossec-logcollector(1202): ERROR: Configuration error at 
> '/var/ossec/etc/shared/agent.conf'. Exiting.
> Started ossec-logcollector...

Start removing configurations from the agent.conf until you find the right one.

> 2019/10/02 15:11:34 ossec-agentd: INFO: Trying to connect to server 
> 10.10.10.108, port 1514.
> 2019/10/02 15:11:34 INFO: Connected to 10.10.10.108 at address 10.10.10.108, 
> port 1514
> 2019/10/02 15:11:44 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
> 2019/10/02 15:11:56 ossec-agentd(1218): ERROR: Unable to send message to 
> 'server'.
> 2019/10/02 15:11:57 ossec-agentd(4101): WARN: Waiting for server reply (not 
> started). Tried: '10.10.10.108'.
>
> I get this message but it does not say what the error is?
>
> How do they communicate?
>

UDP port 1514. This needs to be not blocked by iptables on the server side.

> From the server log file:
>
> 2019/10/02 15:21:42 INFO: Connected to west.smtp.exch083.serverdata.net. at 
> address 199.193.205.130, port 25
> 2019/10/02 15:21:42 os_sendmail(1765): WARN: RCPT TO not accepted by server - 
> 'jlo...@edt.com'.
> 2019/10/02 15:21:42 ossec-maild(1223): ERROR: Error Sending email to 
> west.smtp.exch083.serverdata.net. (smtp server)
>
> How can you specify the smtp port and connection security?
>

ossec-maild doesn't do tls, auth, or custom ports. I usually use the
local mail server to relay the emails.

> thanks
>
> On Wed, Oct 2, 2019 at 10:08 AM Jerry Lowry  wrote:
>>
>> Dan,
>> I have noticed that when the application is started and there are errors 
>> like :
>> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 
>> 'format': sms.
>> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database 
>> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database 
>> 'ossec'.
>>
>> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the book 
>> specifies the use of 'format' sms for email alerts but it says it's an 
>> invalid value.
>>
>> jerry
>>
>> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>>>
>>> thanks Dan!
>>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and 
>>> running.  This is my test VM where I installed MariaDB.  I will add an 
>>> agent to it and see if it has the same problem as my physical server.
>>>
>>> jerry
>>>
>>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>>>>
>>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
>>>> >
>>>> > List,
>>>> >
>>>> > I just installed a test VM running Centos 7 and installed ossec 3.3.0.  
>>>> > Ran through the script and took all the default questions except for the 
>>>> > email.  When I try to start ossec these are the errors I get in the log:
>>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>>> > '(pam_unix)$': 9.
>>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
>>>> > '/etc/decoder.xml'. Exiting.
>>>> > I have not touched any of the rules or configuration files as they were 
>>>> > setup based on the question in the installation script.
>>>> >
>>>> > So, what am I missing? Shouldn't this run with a default install?
>>>> >
>>>>
>>>> I think this is a pcre2 issue. I ran in

Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.

2019-10-02 Thread dan (ddp)
On Wed, Oct 2, 2019 at 1:06 PM Jerry Lowry  wrote:
>
> Dan,
> I have noticed that when the application is started and there are errors like 
> :
> 2019/10/02 10:03:15 ossec-maild(1235): ERROR: Invalid value for element 
> 'format': sms.

I think I removed this fairly recently.

> 019/10/02 10:03:15 ossec-dbd(5202): ERROR: Error connecting to database 
> '10.10.10.108'(ossec): ERROR: Access denied for user ''@'ossec' to database 
> 'ossec'.
>

That's an odd error, like the username wasn't specified?

> When you stop ossec it does NOT kill the ossec-dbd process.  Also, the book 
> specifies the use of 'format' sms for email alerts but it says it's an 
> invalid value.
>

How are you stopping it? /var/ossec/bin/ossec-control stop?

> jerry
>
> On Wed, Oct 2, 2019 at 9:00 AM Jerry Lowry  wrote:
>>
>> thanks Dan!
>> That was the problem. Rebuilt Pcre with --enable-jit=no and it is off and 
>> running.  This is my test VM where I installed MariaDB.  I will add an agent 
>> to it and see if it has the same problem as my physical server.
>>
>> jerry
>>
>> On Wed, Oct 2, 2019 at 4:00 AM dan (ddp)  wrote:
>>>
>>> On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
>>> >
>>> > List,
>>> >
>>> > I just installed a test VM running Centos 7 and installed ossec 3.3.0.  
>>> > Ran through the script and took all the default questions except for the 
>>> > email.  When I try to start ossec these are the errors I get in the log:
>>> > 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
>>> > '(pam_unix)$': 9.
>>> > 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
>>> > '/etc/decoder.xml'. Exiting.
>>> > I have not touched any of the rules or configuration files as they were 
>>> > setup based on the question in the installation script.
>>> >
>>> > So, what am I missing? Shouldn't this run with a default install?
>>> >
>>>
>>> I think this is a pcre2 issue. I ran into it a bunch of times when I
>>> didn't disable JIT on a system that didn't support the JIT.
>>>
>>> > jerry
>>> >
>>> > PS: no errors during the installation/compilation
>>> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMqWx1dP71EADTZgHtgDouQjSyik7787t-4tSUAb-A-Uhw%40mail.gmail.com.


Re: [ossec-list] ossec-analysisd(1450): ERROR: Syntax error on regex: '(pam_u nix)$': 9.

2019-10-02 Thread dan (ddp)
On Tue, Oct 1, 2019 at 1:13 PM Jerry Lowry  wrote:
>
> List,
>
> I just installed a test VM running Centos 7 and installed ossec 3.3.0.  Ran 
> through the script and took all the default questions except for the email.  
> When I try to start ossec these are the errors I get in the log:
> 019/09/27 16:21:53 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/27 16:21:53 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> 2019/09/27 16:29:41 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/27 16:29:41 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> 2019/09/30 08:49:07 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/30 08:49:07 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> 2019/09/30 09:37:55 ossec-analysisd(1450): ERROR: Syntax error on regex: 
> '(pam_unix)$': 9.
> 2019/09/30 09:37:55 ossec-testrule(1202): ERROR: Configuration error at 
> '/etc/decoder.xml'. Exiting.
> I have not touched any of the rules or configuration files as they were setup 
> based on the question in the installation script.
>
> So, what am I missing? Shouldn't this run with a default install?
>

I think this is a pcre2 issue. I ran into it a bunch of times when I
didn't disable JIT on a system that didn't support the JIT.

> jerry
>
> PS: no errors during the installation/compilation
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMo4L5rb6Jgsm3tOnyLt7OX9Yn9huZp9FNKwm%3D_ey1L%2BTQ%40mail.gmail.com.


Re: [ossec-list] ossec-dbd ERROR: Error executing query 'Insert into alert....'

2019-09-27 Thread dan (ddp)
On Fri, Sep 27, 2019 at 12:32 PM Jerry Lowry  wrote:
>
> Dan,
> I changed the timeout variable to 8 hrs and restarted the database and ossec. 
> I got the same error after about 6 hours of running. MySQL reported communication 
> error with the ossec user at 12 hours running. So, I don't think mysql is the 
> problem.  What are your timeout variable (connect_timeout, wait_timeout, 
> interactive_timeout) set to in MariaDB?
> I am going to rebuild this with Mariadb and see what happens.  I'll let you 
> know, probably next week.
>

They are whatever the defaults are. I think this page lists them:
https://mariadb.com/kb/en/library/server-system-variables/
connect_timeout appears to be 10
wait_timeout 28800
interactive_timeout 28800

My system is a lot busier than yours though.

> jerry
>
> On Thu, Sep 26, 2019 at 4:15 AM dan (ddp)  wrote:
>>
>> On Wed, Sep 25, 2019 at 8:56 PM Jerry Lowry  wrote:
>> >
>> > I understand completely. I am not really happy about it either, and I used 
>> > to work there in support!
>> >
>> > But that is what your docs say to use, so I did.
>> >
>> > I was going to install MariaDB and give that a shot as well.
>> >
>> > thanks,
>> >
>> > jerry
>> >
>>
>> I just verified and it is mariadb 10.3.18 (on OpenBSD/amd64).
>> I have a little over 47000 events in it, and had no drops.
>> I'd really start looking at mysql timeouts, and possibly increasing them.
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMpkpyGXvs5PMQWfA%2BHBni6Mk1eN-Jw8P3u9ZQvhnBveZw%40mail.gmail.com.


Re: [ossec-list] Is gmail silently dropping my OSSEC email alerts?

2019-09-27 Thread dan (ddp)
On Fri, Sep 27, 2019 at 11:51 AM llehirgen  wrote:
>
>
>
> On Friday, September 27, 2019 at 4:51:20 PM UTC+2, dan (ddpbsd) wrote:
>>
>>
>> Is ssmtp listening on 127.0.0.1 port 25?
>>
>
> I honestly do not know what port is ssmtp listening on.
> I used sudo netstat -tulpn and got 5 program names: systemd-resolve, sshd, 
> sshd, systemd-resolve, systemd-network
> I could not find documentation on which port is ssmtp listening.
>

It doesn't look like ssmtp is an actual daemon. So instead of using
'127.0.0.1' as the smtp server, you should probably use something like
'/usr/sbin/ssmtp'.
I don't know what flags or anything you might need with it though,
I've never used it.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMqU4gvDDyGFg0rvBm8CdPgCajqJYmt6%2B894HmUGoQ_nXw%40mail.gmail.com.
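The two mail-delivery answers in the threads above (ossec-maild speaks only plain SMTP on port 25 with no TLS, authentication or custom port, so relay through a local MTA; or, where ssmtp is installed but no daemon is listening, point smtp_server at the ssmtp binary itself) combined into one added example that is not part of the original threads. Hostnames and addresses are placeholders. The postfix parameters are standard main.cf settings and are shown in a comment because they do not belong in ossec.conf; treating an absolute path in smtp_server as a sendmail-compatible program is the behaviour dan's reply relies on, and is assumed here to be available in the reader's OSSEC version.

```xml
<!-- ossec.conf <global> block (added example): keep ossec-maild on plain
     SMTP to the loopback interface and let the local MTA do TLS and auth
     upstream. Addresses and hostnames are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>alerts@example.org</email_to>

    <!-- Option A: a local MTA (postfix here) listening on 127.0.0.1:25 -->
    <smtp_server>127.0.0.1</smtp_server>

    <!-- Option B: no local daemon at all. An absolute path makes
         ossec-maild hand the message to that sendmail-compatible program,
         which is the ssmtp suggestion from the thread:
         <smtp_server>/usr/sbin/ssmtp</smtp_server> -->

    <!-- Use a sender domain that resolves; an unroutable one such as
         ossecm@myserver is what pushed the Gmail poster's alerts to spam. -->
    <email_from>ossecm@ossec-server.example.org</email_from>
    <email_maxperhour>12</email_maxperhour>
  </global>
</ossec_config>

<!-- Matching postfix main.cf relay settings for Option A (postfix syntax,
     shown in a comment, not XML):
       inet_interfaces = loopback-only
       relayhost = [smtp.gmail.com]:587
       smtp_sasl_auth_enable = yes
       smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
       smtp_sasl_security_options = noanonymous
       smtp_tls_security_level = encrypt
       smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
     The mailbox credentials live only in /etc/postfix/sasl_passwd, owned
     by root with mode 0600, then indexed with postmap; ossec.conf never
     carries the SMTP password. -->
```

With `inet_interfaces = loopback-only` the relay is reachable from ossec-maild but not from the network, which keeps the server from becoming an open relay. Test the path independently of OSSEC first (a one-line message through `sendmail` or `ssmtp` from the shell), then watch `/var/log/mail.log` and `/var/ossec/logs/ossec.log` together: the "RCPT TO not accepted" and "Mail from not accepted" errors quoted in these threads are answered by the MTA, so the MTA's log, not OSSEC's, says why.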


Re: [ossec-list] Is gmail silently dropping my OSSEC email alerts?

2019-09-27 Thread dan (ddp)
On Fri, Sep 27, 2019 at 10:45 AM llehirgen  wrote:
>
> I am testing OSSEC HIDS in a Virtual machine on Ubuntu 18.04 server.
> First of all I installed and configured ssmtp as follows:
>
>
> root=my...@gmail.com
> mailhub=smtp.gmail.com:587
> rewriteDomain=gmail.com
> hostname=localhost
> TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
> UseTLS=Yes
> UseSTARTTLS=Yes
> AuthUser=my...@gmail.com
> AuthPass=password
> AuthMethod=LOGIN
> FromLineOverride=yes
>
>
> Emails from command line are sent and received, however there are some issues 
> with OSSEC email alerts.
> Below is part of /var/ossec/etc/ossec.conf:
>
>
> 
> yes
> my...@gmail.com
> 127.0.0.1

Is ssmtp listening on 127.0.0.1 port 25?

> ossecm@myserver
> 1
> 
>
>
> According to OSSEC's documentation the software should send an email at 
> startup and when it stops. I received an email after the first startup, in 
> the spam folder, probably because the email_from directive was set to an 
> invalid email address. That email contained two notifications, one about 
> "Partition usage reached 100% (disk space monitor)." and the other about 
> OSSEC start. So I told Gmail that that was not spam, I changed the email_from 
> directive to my...@gmail.com, stopped OSSEC and restarted it. Unfortunately 
> that was the only alert I received. After that I stopped and started OSSEC 
> several times without receiving any email alert. I do not understand why this 
> happens: am I blackholed by Gmail? As I said emails from command line are 
> received without issues. Would OSSEC receive the same treatment on a 
> production server with valid domain?
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMpwbwncDMtiAnWCi%2BospKAHjNJfjmOrSfbs4AuX7-7cow%40mail.gmail.com.


Re: [ossec-list] ossec-dbd ERROR: Error executing query 'Insert into alert....'

2019-09-26 Thread dan (ddp)
On Wed, Sep 25, 2019 at 8:56 PM Jerry Lowry  wrote:
>
> I understand completely. I am not really happy about it either, and I used to 
> work there in support!
>
> But that is what your docs say to use, so I did.
>
> I was going to install MariaDB and give that a shot as well.
>
> thanks,
>
> jerry
>

I just verified and it is mariadb 10.3.18 (on OpenBSD/amd64).
I have a little over 47000 events in it, and had no drops.
I'd really start looking at mysql timeouts, and possibly increasing them.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrAEp2s3f%3DrPYtCkPGVB9dBu0ZPUHUWaguTsPNSVBje2w%40mail.gmail.com.


Re: [ossec-list] ossec-dbd ERROR: Error executing query 'Insert into alert....'

2019-09-25 Thread dan (ddp)
On Wed, Sep 25, 2019 at 4:42 PM Jerry Lowry  wrote:

> Since my last reply, these are the messages I have received in the mysql
> log:
> 2019-09-25T07:25:47.923547Z 40 [Note] Aborted connection 40 to db: 'ossec'
> user: 'ossecuser' host: 'obed' (Got timeout reading communication packets)
> 2019-09-25T17:31:03.941613Z 41 [Note] Aborted connection 41 to db: 'ossec'
> user: 'ossecuser' host: 'obed' (Got an error reading communication packets)
>
> Mail log does not show any errors from ossec.
>
> What version of MariaDB are you using?
>

I think it’s 10.3.18, but I can verify later. I didn’t realize openbsd
still has mysql, so I guess I can try with the official one too (although
I’m not sure how I feel about installing oracle software ;)).


> jerry
>
> On Wed, Sep 25, 2019 at 12:40 PM dan (ddp)  wrote:
>
>>
>>
>> On Wed, Sep 25, 2019 at 1:52 PM Jerry Lowry 
>> wrote:
>>
>>> Well, being as I only have two agents installed to test initially and
>>> neither one is contacting the server due to email issues, I only have 53
>>> alerts in the table.  Just be aware that the database connects and
>>> functions fine for ~8 hours. It has failed at 4 in the morning the last
>>> time I sent you email.
>>>
>>
>> I’ll check my dbd in the morning to see if it’s still running. I’m
>> wondering if you’re having some kind of timeout issue or something.
>>
>>
>>> As to the email problem this is what I have in my config file.  The node
>>> 'cascade (10.20.10.6)' is running a postfix smtp server. The ossec server
>>> is in the same subnet.
>>> The user ossec is a valid user on the smtp server.
>>> yes
>>> jlo...@domain.com
>>> cascade
>>> os...@domain.com
>>> 20
>>>
>>> I have copied the host file into the /var/ossec directory so it should
>>> be doing dns translation.  I still get "Mail from not accepted by server"
>>> errors, postfix is also configured to accept email from any of the subnets
>>> defined.
>>>
>>
>> Check your postfix logs for errors.
>>
>>
>>> jerry
>>>
>>> On Wed, Sep 25, 2019 at 9:47 AM dan (ddp)  wrote:
>>>
>>>> On Tue, Sep 24, 2019 at 2:23 PM Jerry Lowry 
>>>> wrote:
>>>> >
>>>> > Dan,
>>>> >
>>>> > the only entries for today are as follows:
>>>> > 2019-09-24T08:02:49.637423Z 35 [Note] Aborted connection 35 to db:
>>>> 'ossec' user: 'ossecuser' host: 'obed' (Got timeout reading communication
>>>> packets)
>>>> > 2019-09-24T16:31:32.557059Z 36 [Note] Aborted connection 36 to db:
>>>> 'ossec' user: 'ossecuser' host: 'obed' (Got an error reading communication
>>>> packets)
>>>> > 2019-09-24T16:32:07.253522Z 38 [Note] Aborted connection 38 to db:
>>>> 'ossec' user: 'ossecuser' host: 'obed' (Got an error reading communication
>>>> packets)
>>>> > these errors do not coincide with the error from the dbd process at
>>>> 04:07:17 this morning. But then it looks like Zulu time!  PST is gmt+7.
>>>> >
>>>> > I have restarted all the ossec processes by hand and set up debugging
>>>> on the dbd and mail processes.  I also have a tail -f running on the ossec
>>>> log.  Nothing shows up as failing to connect for either the dbd or mail
>>>> process.  It just finished the syscheck and rootcheck in the last hour with
>>>> no errors from either process.
>>>> >
>>>> > The mysql process statistics :
>>>> > ps -o etime= -p 12275
>>>> > 11-23:09:07
>>>> > it has been up 11 days +.   The only access error in the mysql log
>>>> are when I was resetting the host name for the user in the database, forgot
>>>> to change the permissions, it now has been granted everything.
>>>> >
>>>>
>>>> Ok, I set up mariadb a couple of hours ago and started feeding OSSEC
>>>> alerts into it. I have a bit over 7000 rows in the alert table.
>>>> I haven't seen any issues so far, but my alert volume is pretty small.
>>>> How many alerts are you seeing?
>>>> I won't have the time to look into dbd for a bit, but I'm sure there
>>>> are a lot of improvements that can be made.
>>>>
>>>> > jerry
>>>> >
>>>> >
>>>> > On Tue, Sep 24, 2019 at 9:39 AM dan (ddp)  wrote:
>>>> >>
>>>> >> On Tu

Re: [ossec-list] ossec-dbd ERROR: Error executing query 'Insert into alert....'

2019-09-25 Thread dan (ddp)
On Wed, Sep 25, 2019 at 1:52 PM Jerry Lowry  wrote:

> Well, being as I only have two agents installed to test initially and
> neither one is contacting the server due to email issues, I only have 53
> alerts in the table.  Just be aware that the database connects and
> functions fine for ~8 hours. It has failed at 4 in the morning the last
> time I sent you email.
>

I’ll check my dbd in the morning to see if it’s still running. I’m
wondering if you’re having some kind of timeout issue or something.


> As to the email problem this is what I have in my config file.  The node
> 'cascade (10.20.10.6)' is running a postfix smtp server. The ossec server
> is in the same subnet.
> The user ossec is a valid user on the smtp server.
> yes
> jlo...@domain.com
> cascade
> os...@domain.com
> 20
>
> I have copied the host file into the /var/ossec directory so it should be
> doing dns translation.  I still get "Mail from not accepted by server"
> errors, postfix is also configured to accept email from any of the subnets
> defined.
>

Check your postfix logs for errors.


> jerry
>
> On Wed, Sep 25, 2019 at 9:47 AM dan (ddp)  wrote:
>
>> On Tue, Sep 24, 2019 at 2:23 PM Jerry Lowry 
>> wrote:
>> >
>> > Dan,
>> >
>> > the only entries for today are as follows:
>> > 2019-09-24T08:02:49.637423Z 35 [Note] Aborted connection 35 to db:
>> 'ossec' user: 'ossecuser' host: 'obed' (Got timeout reading communication
>> packets)
>> > 2019-09-24T16:31:32.557059Z 36 [Note] Aborted connection 36 to db:
>> 'ossec' user: 'ossecuser' host: 'obed' (Got an error reading communication
>> packets)
>> > 2019-09-24T16:32:07.253522Z 38 [Note] Aborted connection 38 to db:
>> 'ossec' user: 'ossecuser' host: 'obed' (Got an error reading communication
>> packets)
>> > these errors do not coincide with the error from the dbd process at
>> 04:07:17 this morning. But then it looks like Zulu time!  PST is gmt+7.
>> >
>> > I have restarted all the ossec processes by hand and set up debugging on
>> the dbd and mail processes.  I also have a tail -f running on the ossec
>> log.  Nothing shows up as failing to connect for either the dbd or mail
>> process.  It just finished the syscheck and rootcheck in the last hour with
>> no errors from either process.
>> >
>> > The mysql process statistics :
>> > ps -o etime= -p 12275
>> > 11-23:09:07
>> > it has been up 11 days +.   The only access error in the mysql log are
>> when I was resetting the host name for the user in the database, forgot to
>> change the permissions, it now has been granted everything.
>> >
>>
>> Ok, I set up mariadb a couple of hours ago and started feeding OSSEC
>> alerts into it. I have a bit over 7000 rows in the alert table.
>> I haven't seen any issues so far, but my alert volume is pretty small.
>> How many alerts are you seeing?
>> I won't have the time to look into dbd for a bit, but I'm sure there
>> are a lot of improvements that can be made.
>>
>> > jerry
>> >
>> >
>> > On Tue, Sep 24, 2019 at 9:39 AM dan (ddp)  wrote:
>> >>
>> >> On Tue, Sep 24, 2019 at 12:29 PM Jerry Lowry 
>> wrote:
>> >> >
>> >> > Dan,
>> >> > So I configured the database to use the host name for the ossec
>> user. Restarted everything with ossec and it was able to log in initially.
>> It ran most of the night and then at 4 am this morning it failed with the
>> same error saying:
>> >> >
>> >> > 2019/09/24 04:07:17 ossec-dbd(5203): ERROR: Error executing query
>> 'INSERT INTO
>> alert(server_id,rule_id,level,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid,user,full_log,tld)
>> VALUES ('1', '1002','2','1569323237', '1', '(null)', '0', '(null)', '0',
>> '1569323234.0', '(null)', 'Sep 24 04:07:14 obed audispd: node=
>> obed.edt.com type=ANOM_RBAC_INTEGRITY_FAIL
>> msg=audit(1569323234.455:87010): pid=28134 uid=0 auid=0 ses=2001
>> msg=`added=43772 removed=17 changed=2021 exe="/usr/sbin/aide" hostname=?
>> addr=? terminal=? res=failed`','')'. Error: 'MySQL server has gone away'.
>> >> > 2019/09/24 04:07:17 ossec-dbd(5209): INFO: Closing connection to
>> database.
>> >> > 2019/09/24 04:07:17 ossec-dbd(5210): INFO: Attempting to reconnect
>> to database.
>> >> > 2019/09/24 04:07:17 ossec-dbd: Connected to database 'ossec' at
>> 'obed'.
>> >> > 2019/09/24 04:07:17 ossec-dbd(5204): ERROR: Database error. Unable
>> t

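Dan's suggestion earlier in this thread (look at the MySQL timeouts) and the ossec-dbd excerpt quoted above ('MySQL server has gone away', then a reconnect) can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from the OSSEC project: it parses MySQL's "Aborted connection" lines and ossec-dbd's ERROR lines, counts how many aborts were server-side idle timeouts (the case the server's wait_timeout governs) versus plain read errors, and pairs each dbd failure with the nearest abort in time after converting dbd's zone-less local timestamps to UTC. The sample log lines are constructed to mirror the ones quoted in the thread, and the -7 hour offset (Pacific daylight time in September) is an assumption of the example, not something the thread states.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the ones quoted in this thread
# (not copied from a real system). MySQL stamps its error log in UTC ("Z").
MYSQL_LOG = """\
2019-09-24T08:02:49.637423Z 35 [Note] Aborted connection 35 to db: 'ossec' user: 'ossecuser' host: 'obed' (Got timeout reading communication packets)
2019-09-24T16:31:32.557059Z 36 [Note] Aborted connection 36 to db: 'ossec' user: 'ossecuser' host: 'obed' (Got an error reading communication packets)
2019-09-24T16:32:07.253522Z 38 [Note] Aborted connection 38 to db: 'ossec' user: 'ossecuser' host: 'obed' (Got an error reading communication packets)
2019-09-24T16:35:00.000000Z 39 [Note] Access denied for user 'ossecuser'@'obed' (using password: YES)
"""

# ossec-dbd writes local time with no zone; the INSERT text is shortened here.
DBD_LOG = """\
2019/09/24 04:07:17 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO alert(...) VALUES (...)'. Error: 'MySQL server has gone away'.
2019/09/24 04:07:17 ossec-dbd(5209): INFO: Closing connection to database.
2019/09/24 04:07:17 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2019/09/24 04:07:17 ossec-dbd: Connected to database 'ossec' at 'obed'.
"""

ABORT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})Z (?P<conn>\d+) \[Note\] "
    r"Aborted connection \d+ to db: '(?P<db>[^']*)' user: '(?P<user>[^']*)' "
    r"host: '(?P<host>[^']*)' \((?P<reason>[^)]*)\)$"
)
DBD_ERR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-dbd\(\d+\): ERROR: "
    r".*Error: '(?P<err>[^']*)'\.$"
)


def parse_mysql_aborts(text):
    """Return one dict per 'Aborted connection' line, timestamps in UTC."""
    aborts = []
    for line in text.splitlines():
        m = ABORT_RE.match(line)
        if not m:
            continue  # other [Note] lines (e.g. access denied) are not aborts
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        aborts.append({"ts": ts, "conn": int(m["conn"]), "host": m["host"], "reason": m["reason"]})
    return aborts


def parse_dbd_errors(text, utc_offset_hours):
    """Return ossec-dbd ERROR lines with local timestamps converted to UTC."""
    local = timezone(timedelta(hours=utc_offset_hours))
    errors = []
    for line in text.splitlines():
        m = DBD_ERR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=local)
        errors.append({"ts": ts.astimezone(timezone.utc), "error": m["err"]})
    return errors


def abort_reasons(aborts):
    """Split aborts into server-side idle timeouts versus other read errors."""
    counts = {"timeout": 0, "read_error": 0, "other": 0}
    for a in aborts:
        if "timeout" in a["reason"]:
            counts["timeout"] += 1
        elif "error reading" in a["reason"]:
            counts["read_error"] += 1
        else:
            counts["other"] += 1
    return counts


def correlate(dbd_errors, aborts, window_minutes=5):
    """Pair each dbd error with the nearest abort inside the window, or None."""
    window = timedelta(minutes=window_minutes)
    pairs = []
    for e in dbd_errors:
        best = None
        for a in aborts:
            delta = abs(a["ts"] - e["ts"])
            if delta <= window and (best is None or delta < best[1]):
                best = (a, delta)
        pairs.append((e, best[0] if best else None))
    return pairs


if __name__ == "__main__":
    aborts = parse_mysql_aborts(MYSQL_LOG)
    errors = parse_dbd_errors(DBD_LOG, utc_offset_hours=-7)  # assumption: PDT
    print("abort reasons:", abort_reasons(aborts))
    for err, match in correlate(errors, aborts):
        when = err["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        if match is None:
            print(f"{when} dbd '{err['error']}': no MySQL abort within 5 minutes")
        else:
            print(f"{when} dbd '{err['error']}': MySQL aborted conn {match['conn']} ({match['reason']})")
```

With the thread's timestamps the dbd failure at 04:07:17 local lands at 11:07:17Z, hours away from every abort, which is the mismatch Jerry reported; widening the window to a few hours pairs it with connection 35, the one abort whose reason is a server-side timeout, and that is the entry that points at the timeout setting Dan suggests reviewing.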