one email per alert


C. L. Martinez

Apr 25, 2012, 9:08:24 AM4/25/12
to ossec...@googlegroups.com
Hi all,

Sometimes ossec sends several alerts in only one email. Is it
possible to configure ossec to send one email per alert?? (I am using
a local mta in ossec server to send these email alerts).

Thanks.

dan (ddp)

Apr 25, 2012, 9:11:13 AM4/25/12
to ossec...@googlegroups.com

C. L. Martinez

Apr 25, 2012, 9:37:15 AM4/25/12
to ossec...@googlegroups.com
Many thanks dan.

dan (ddp)

Apr 25, 2012, 9:49:23 AM4/25/12
to ossec...@googlegroups.com
No problem, that option is buried in a strange place.

Christina Plummer

Apr 25, 2012, 10:28:15 AM4/25/12
to ossec...@googlegroups.com
I still seem to get combined emails sometimes, even though I have set maild.groupping=0.  I also increased my <email_maxperhour> to 6000 to make sure that wasn't getting in the way.
 
It seems to mostly occur with rule 5720 (multiple SSHD auth failures) or my local rule 101002 which tries to only send an alert when 1002 is matched 3 or more times in 6 minutes:
 
  <!-- Ignore mistyped passwords until 3rd occurrence -->
  <rule id="101002" level="4" frequency="3" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <match>Failed to authenticate user</match>
    <options>alert_by_email</options>
    <description>User authentication failure.</description>
  </rule>
The emails I get make it appear that OSSEC is considering failures on ALL hosts within that timeframe, as opposed to just on a single host. 
 
I don't necessarily care if UserA mistyped their password on HostA twice within a couple minutes of UserB mistyping their password on HostB.  Is it possible to adjust this behavior - to force a rule to apply on a per-host basis? 
 
If not, can I at least force it to appear as a "multi-host" match of some sort?  Currently, OSSEC shows the rule as being "Received From: " the last host that had a log entry which triggered the rule.  I'd like to be able to sort these differently - if the "last" host was a sandbox machine, I might inadvertently give the whole alert less criticality than a multi-host, potential brute-force attack would warrant.
 
Thanks,
Christina
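
An added example, not from this thread or the OSSEC project, showing how a composite rule like the 101002 above can be scoped per host: OSSEC composite rules accept a `<same_location />` option, which requires the counted events to share the same location (agent and log file), so the frequency/timeframe count no longer mixes HostA's failures with HostB's. The group name, the companion rule id 101003, its frequency of 8 and its level are placeholders I chose; the `maild.groupping` setting mentioned in the thread is separate and lives in etc/internal_options.conf. Run both rules through ossec-logtest with the sample lines before trusting the levels.

```xml
<group name="local,authentication_failures,">

  <!-- Per-host variant of the thread's rule 101002: the three
       "Failed to authenticate user" events must come from the same
       location (agent + log file) within 360 s before this fires,
       so one mistype on HostA and two on HostB no longer add up. -->
  <rule id="101002" level="4" frequency="3" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <match>Failed to authenticate user</match>
    <same_location />
    <options>alert_by_email</options>
    <description>Repeated user authentication failures on one host.</description>
  </rule>

  <!-- Companion rule (placeholder id 101003): the cross-host count the
       original rule produced, without <same_location />, kept at a
       higher level and with a description that names it as multi-host,
       so a fleet-wide burst is labelled as such in the alert rather
       than attributed to whichever host happened to log last. -->
  <rule id="101003" level="8" frequency="8" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <match>Failed to authenticate user</match>
    <options>alert_by_email</options>
    <description>User authentication failures across multiple hosts.</description>
  </rule>

</group>
```

Keeping the two rules separate preserves both signals: the low-level per-host rule stays noise-tolerant, while the higher-level rule still surfaces the spread-out pattern that a single-host view would hide.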

dan (ddp)

Apr 25, 2012, 10:42:37 AM4/25/12
to ossec...@googlegroups.com
Do you mean multiple log messages are included in one email or
multiple OSSEC alerts? Can you provide an example?
No, there isn't really a way to do any of this. I think you could
modify it to not include the sensor name in the subject, but I don't
know how much that helps.

I'd start by separating the sandbox machines from production machines.
It wouldn't hurt to keep those on different managers.

Tom Piersa

Apr 25, 2012, 10:48:48 AM4/25/12
to ossec...@googlegroups.com

I’ve been tinkering with OSSec for about 6 months now. I’d like to set up a syslog server and have OSSec send its alerts to the syslog server. Then I would like to use an Open Source tool to do reporting off the syslog server. Two questions:

1. Since OSSec does some of its reporting off the log files, if I install OSSec on the syslog server will I get double entries? It just sounds like a loop.

2. My security budget got doubled this year. $0x2=$0. But we must be secure. If I can’t do that, I can feel free to quit and we’ll get someone who will. So …… What Open Source products can I use for Debian Syslog reporting? I’d like something web based. At this point I’m just looking to see all of my log info in one place.

Thanks much,

Tom


dan (ddp)

Apr 25, 2012, 10:57:14 AM4/25/12
to ossec...@googlegroups.com
On Wed, Apr 25, 2012 at 10:48 AM, Tom Piersa <tp2...@columbia.edu> wrote:
> I’ve been tinkering with OSSec for about 6 months now. I’d like to setup a
> syslog server and have OSSec send it’s alerts to the syslog server. Then I
> would like to use an Open Source tool to do reporting off the syslog server.
> Two questions:
>
> 1.         Since OSSec does some of it’s reporting off the log files, if I
> install OSSec on the syslog server will I get double entries? It just sounds
> like a loop.
>

It can happen. I usually configure rsyslog or syslog-ng to put the
forwarded OSSEC alerts in a file that isn't being monitored by OSSEC.

>
>
> 2.         My security budget got doubled this year. $0x2=$0. But we must be
> secure. If I can’t do that, I can feel free to quit and we’ll get someone
> who will. So …… What Open Source products can I use for Debian Syslog
> reporting? I’d like something web based.  At this point I’m just looking to
> see all of my log info in one place.
>

In no particular order:
logstash
graylog2
elsa
octopussy (seriously)

Limited "free" versions:
splunk (free version)

> Thanks much,
>
>
>
> Tom
>
>
>
>
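
An added example, not from this thread or the OSSEC project, of the loop-avoidance dan describes: the manager forwards its alerts to the syslog server, and the OSSEC agent on that server monitors the host's own logs but not the file the syslog daemon writes the forwarded alerts into. The server address 192.0.2.10 and the file path /var/log/ossec-forwarded.log are placeholders; routing the manager's messages into that file is done in rsyslog or syslog-ng and is assumed, not shown. The `<syslog_output>` block only takes effect after `ossec-control enable client-syslog` and a restart of the manager.

```xml
<!-- ossec.conf on the OSSEC manager: forward alerts of level 3 and up
     to the central syslog server (placeholder address). -->
<ossec_config>
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <level>3</level>
    <format>default</format>
  </syslog_output>
</ossec_config>

<!-- ossec.conf on the OSSEC agent installed on the syslog server:
     collect the server's own logs, but deliberately leave out the file
     the syslog daemon fills with forwarded OSSEC alerts (placeholder
     /var/log/ossec-forwarded.log), so the manager never re-reads and
     re-alerts on its own output. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <!-- intentionally absent:
       <location>/var/log/ossec-forwarded.log</location> -->
</ossec_config>
```

The syslog server itself stays covered (file integrity checks, rootcheck and its local auth logs), which was Tom's concern about leaving "a machine that important" unprotected; only the forwarded-alerts file is excluded from collection.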

Christina Plummer

Apr 25, 2012, 11:02:03 AM4/25/12
to ossec...@googlegroups.com
> Do you mean multiple log messages are included in one email or
> multiple OSSEC alerts? Can you provide an example?

Sorry - yes, multiple log messages, from different servers, are
included in one email.

Example of 5720:
OSSEC HIDS Notification.
2012 Apr 14 23:26:13

Received From: (HostA) 10.x.x.x->/var/log/secure
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Apr 15 03:26:29 HostA sshd[1993]: error: PAM: Authentication failure
for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:29 HostB sshd[26018]: error: PAM: Authentication failure
for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostC sshd[722]: error: PAM: Authentication failure
for UserA from cbigdc-padmp801.cbi.net
Apr 14 20:26:28 HostD sshd[16629]: error: PAM: Authentication failure
for UserA from cbigdc-padmp801.cbi.net
Apr 14 20:26:29 HostE sshd[6648]: error: PAM: Authentication failure
for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostF sshd[21030]: error: PAM: Authentication failure
for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostG sshd[4320]: error: PAM: Authentication failure
for DOM\UserA from cbigdc-padmp801.cbi.net

--END OF NOTIFICATION


Example of 101002:

OSSEC HIDS Notification.
2012 Apr 14 23:26:08

Received From: (Host1) 10.228.0.182->/var/log/messages
Rule: 101002 fired (level 4) -> "User authentication failure."
Portion of the log(s):

Apr 15 03:26:24 Host1 lsassd[4341]: 0x479d6940:Failed to authenticate
user (name = 'UserA') -> error = 40056, symbol =
LW_ERROR_ACCOUNT_DISABLED, client pid = 10943
Apr 15 03:26:23 Host2 sshd[26801]:
[module:pam_lsass]pam_sm_authenticate error [login:UserA][error
code:40056]
Apr 15 03:26:23 Host2 lsassd[3395]: 0x4a622940:Failed to authenticate
user (name = 'UserA') -> error = 40056, symbol =
LW_ERROR_ACCOUNT_DISABLED, client pid = 26801
Apr 14 20:26:24 cbigdc-iecmb001 sshd[25199]:
[module:pam_lsass]pam_sm_authenticate error [login:UserA][error
code:40056]

--END OF NOTIFICATION

Can that be done only for certain rules?


> I'd start by separating the sandbox machines from production machines.
> It wouldn't hurt to keep those on different managers.

That's a thought. Currently I install and configure OSSEC agents as
part of my Kickstart process, so I'd have to figure out some way to
"tag" which manager they should talk to. Are multiple OSSEC managers
completely separate, or is there any non-manual method for
coordinating them in terms of syncing rules and configs?

Thanks,
Christina

Christina Plummer

Apr 25, 2012, 11:05:45 AM4/25/12
to ossec...@googlegroups.com
Ugh, please reply to this one and ignore the last one. I didn't
finish sanitizing the logs before hitting send.

> Do you mean multiple log messages are included in one email or
> multiple OSSEC alerts? Can you provide an example?

Sorry - yes, multiple log messages, from different servers, are
included in one email.

Example of 5720:
OSSEC HIDS Notification.
2012 Apr 14 23:26:13

Received From: (HostA) 10.x.x.x->/var/log/secure
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Apr 15 03:26:29 HostA sshd[1993]: error: PAM: Authentication failure for UserA from BadHost1
Apr 15 03:26:29 HostB sshd[26018]: error: PAM: Authentication failure for UserA from BadHost1
Apr 15 03:26:28 HostC sshd[722]: error: PAM: Authentication failure for UserA from BadHost1
Apr 14 20:26:28 HostD sshd[16629]: error: PAM: Authentication failure for UserA from BadHost1
Apr 14 20:26:29 HostE sshd[6648]: error: PAM: Authentication failure for UserA from BadHost1
Apr 15 03:26:28 HostF sshd[21030]: error: PAM: Authentication failure for UserA from BadHost1
Apr 15 03:26:28 HostG sshd[4320]: error: PAM: Authentication failure for DOM\UserA from BadHost1

--END OF NOTIFICATION


Example of 101002:

OSSEC HIDS Notification.
2012 Apr 14 23:26:08

Received From: (Host1) 10.x.x.y->/var/log/messages
Rule: 101002 fired (level 4) -> "User authentication failure."
Portion of the log(s):

Apr 15 03:26:24 Host1 lsassd[4341]: 0x479d6940:Failed to authenticate
user (name = 'UserA') -> error = 40056, symbol =
LW_ERROR_ACCOUNT_DISABLED, client pid = 10943
Apr 15 03:26:23 Host2 sshd[26801]:
[module:pam_lsass]pam_sm_authenticate error [login:UserA][error
code:40056]
Apr 15 03:26:23 Host2 lsassd[3395]: 0x4a622940:Failed to authenticate
user (name = 'UserA') -> error = 40056, symbol =
LW_ERROR_ACCOUNT_DISABLED, client pid = 26801

Apr 14 20:26:24 Host3 sshd[25199]:

dan (ddp)

Apr 25, 2012, 11:12:04 AM4/25/12
to ossec...@googlegroups.com
On Wed, Apr 25, 2012 at 11:05 AM, Christina Plummer <cplu...@gmail.com> wrote:
> Ugh, please reply to this one and ignore the last one.  I didn't
> finish sanitizing the logs before hitting send.
>
>> Do you mean multiple log messages are included in one email or
>> multiple OSSEC alerts? Can you provide an example?
>
> Sorry - yes, multiple log messages, from different servers, are
> included in one email.
>

That's the way the rules are intended to work. I don't know of a way
to modify those rules to only combine logs from the same agent.

[snip]

>
> That's a thought.  Currently I install and configure OSSEC agents as
> part of my Kickstart process, so I'd have to figure out some way to
> "tag" which manager they should talk to.  Are multiple OSSEC managers
> completely separate, or is there any non-manual method for
> coordinating them in terms of syncing rules and configs?
>

It's all manual. You could setup a simple rsync or scp.


> Thanks,
> Christina

Tom Piersa

Apr 25, 2012, 12:32:41 PM4/25/12
to ossec...@googlegroups.com


Sending the forward alerts to a separate file makes sense. I didn't want to
leave a machine that important totally unprotected.

I'll look into the products you mentioned below.

Thanks again,

Tom