Testing OSSEC


Jiri
May 5, 2016, 2:17:48 PM
to ossec-list
Hi,

I just finished installing OSSEC on Ubuntu as a server and a Windows agent on another computer. How do I test if my agent is successfully connected to me? Also, can someone help me with creating rules to detect a DDoS attack or any attack on my server?

Thanks,
Regards.

dan (ddp)
May 5, 2016, 2:44:50 PM
to ossec...@googlegroups.com
On the server you can run `/var/ossec/bin/list_agents -c` to see the
connected agents.
Check out the rules that already exist in /var/ossec/rules. They
should be useful as a template.
If you still need help, please ask.


Jesus Linares
May 6, 2016, 5:45:58 AM
to ossec-list
Hi Jiri,

You can also run the command "/var/ossec/bin/agent_control -lc" to get the connected agents. Keep in mind that in order to know if an agent is connected, disconnected or never connected, OSSEC reads the modification date of the files in /var/ossec/queue/agent-info/*:
  • if there is no file for the agent, the status is never connected
  • if the modification time of the file is less than a defined timeout, the status is active; if it is greater, the status is disconnected.
The timeout is 3*NOTIFY_TIME+30; NOTIFY_TIME by default is 600 seconds.

Regarding the rules to detect DDOS attacks, you could create something like this:

local_rules.xml:
<group name="attack,">
  <rule id="200000" level="15" timeframe="300" frequency="3">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>

You are saying: if one of these groups (attack, attacks or automatic_attack) has matched in the last 300 seconds more than 5 times (frequency + 2) and the events come from the same IP, it could be a DDOS attack. You can play with the variables (timeframe and frequency) or create new rules with a specific group and append it to the rule.

Regards.
Jesus Linares.
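As an added illustration of the agent-status logic described in the post above (this is editor-added example code, not OSSEC's own implementation), the following Python function classifies agents from the modification times of files in an agent-info-style directory, using the same 3*NOTIFY_TIME+30 timeout. It assumes the files are named `<agent-name>-<ip>` (an assumption about the directory layout, not stated in the thread) and builds a constructed temporary directory with one fresh and one stale file, so it runs without an OSSEC install.

```python
import os
import tempfile
import time
from pathlib import Path

NOTIFY_TIME = 600  # OSSEC's default client notify interval in seconds (from the thread)


def agent_timeout(notify_time=NOTIFY_TIME):
    """Seconds after the last check-in at which an agent counts as disconnected:
    3*NOTIFY_TIME+30 as described in the thread (1830 with the default)."""
    return 3 * notify_time + 30


def agent_status(agent_info_dir, agent_name, now=None, notify_time=NOTIFY_TIME):
    """Classify one agent from the mtime of its agent-info file.

    Assumption: files in the directory are named '<agent-name>-<ip>', so we
    look for a file whose name starts with the agent name followed by '-'.
      - no such file         -> 'never connected'
      - file age <  timeout  -> 'active'
      - file age >= timeout  -> 'disconnected'
    """
    now = time.time() if now is None else now
    timeout = agent_timeout(notify_time)
    candidates = [p for p in Path(agent_info_dir).iterdir()
                  if p.is_file() and p.name.startswith(agent_name + "-")]
    if not candidates:
        return "never connected"
    last_seen = max(p.stat().st_mtime for p in candidates)
    return "active" if now - last_seen < timeout else "disconnected"


def status_report(agent_info_dir, agent_names, now=None):
    """Map every expected agent name to its status, like a list_agents / agent_control view."""
    return {name: agent_status(agent_info_dir, name, now) for name in agent_names}


def build_sample_agent_info():
    """Constructed sample data: a temporary directory standing in for
    /var/ossec/queue/agent-info with one fresh and one stale agent file."""
    d = tempfile.mkdtemp(prefix="agent-info-")
    now = time.time()
    fresh = Path(d) / "winagent-192.0.2.10"
    fresh.touch()
    os.utime(fresh, (now - 120, now - 120))      # checked in two minutes ago
    stale = Path(d) / "oldbox-192.0.2.11"
    stale.touch()
    os.utime(stale, (now - 7200, now - 7200))    # last seen two hours ago (> 1830 s)
    return d, now


if __name__ == "__main__":
    sample_dir, ts = build_sample_agent_info()
    for name, state in status_report(sample_dir, ["winagent", "oldbox", "ghost"], ts).items():
        print(f"{name}: {state}")
```

Pointing `status_report` at a real `/var/ossec/queue/agent-info` (as root, or a copy of it) gives the same three states the thread describes; "ghost" above shows the never-connected case for an agent that has no file at all.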

Jiri
May 10, 2016, 2:28:21 PM
to ossec-list
Hi, thanks for your response. I am using XOIC and also RDOS to simulate a DDOS attack, but both are not working. The web UI is not detecting any attack, and with RDOS it looks like the software isn't even connected to the server.

Jesus Linares
May 11, 2016, 5:48:30 AM
to ossec-list
Hi,

There are several DDOS attack types: UDP/SYN/ICMP/HTTP flood, ping of death, etc. If these attacks do not generate a log that OSSEC can read, the attack will not be detected.

Try to detect the DDOS attack on your machine manually: review Apache logs, netstat or a specific tool to detect these types of attacks. Then we can send the information obtained to OSSEC and play with specific rules or active response to block the attack.

Ritu Soni
Aug 21, 2017, 12:54:36 PM
to ossec-list
Hello,
I have installed OSSEC on an Ubuntu server.
I want to make changes to the OSSEC rules so that it can detect an attack and display an alert like "DDOS Attack".
Is it possible to make changes to the rules of OSSEC using XML files?
What could be the possible method for this? Please guide me.


dan (ddp)
Aug 21, 2017, 12:55:45 PM
to ossec...@googlegroups.com
Local additions or changes to the rules can be done in /var/ossec/rules/local_rules.xml





Ritu Soni
Aug 21, 2017, 1:07:04 PM
to ossec-list
Hey,
When I make any changes to the XML files, OSSEC stops working.
Should I use the "make" command for those changes to work, or any other command after making the changes?
 


dan (ddp)
Aug 21, 2017, 1:13:53 PM
to ossec...@googlegroups.com


You can run `ossec-logtest -t` to test your changes before restarting OSSEC. If there are issues, it should display error messages.
 


Ritu Soni
Aug 23, 2017, 6:18:45 AM
to ossec-list
Hello,
My work requirement is that OSSEC should generate an alert "Attack Detected" when a request from the same IP address is received by the server 3 or more times within 300 seconds.
I have made changes in the syslog_rules.xml file:
<rule id="1002" level="2" time_frame="300" frequency="3">
  <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
  <options>alert_by_email</options>
  <description>DDOS Attack Detected</description>
</rule>
But when I restart OSSEC, it generates an error message:
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

Are these changes correct? If not, please suggest the changes to achieve the same.

dan (ddp)
Aug 23, 2017, 8:16:17 AM
to ossec...@googlegroups.com


I don't see anything obviously incorrect with the changes. I'm not sure if_matched_group accepts multiple groups, or if they are pipe delimited though. Getting the actual errors (from logtest -t or the ossec.log) might help.

Stylistically though, modifying the rules files (except local_rules.xml) is a bad idea. Changes will be overwritten during updates. Also, I consider rule 1002 to be very important, and changing it isn't something I encourage. 



Ritu Soni
Aug 24, 2017, 4:40:16 AM
to ossec-list
Hello,
I simply want to test the rule for the DDOS attack which was discussed previously:
local_rules.xml:
<group name="attack,">
  <rule id="200000" level="15" timeframe="300" frequency="3">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>
But this is not working. I get errors while adding this new rule.
What is the possible solution for making this rule work?

dan (ddp)
Aug 24, 2017, 8:35:43 AM
to ossec...@googlegroups.com
Keeping those errors a secret is not going to help me help you solve the problem. Either look at the errors and troubleshoot your problem, or share them and let me do it.



dan (ddp)
Aug 24, 2017, 8:44:56 AM
to ossec...@googlegroups.com
Testing this rule provided me with no errors, so my first guess is
that you have the <group> tag inside of another <group> tag.

Ritu Soni
Aug 24, 2017, 12:56:09 PM
to ossec-list
Ok, thanks.
Have you added the rule in the local_rules.xml file, or any other XML file?



Ritu Soni
Aug 24, 2017, 1:34:30 PM
to ossec-list


Hey,
When I add the same rule in the local_rules.xml file, I get the following errors:
2017/08/24 22:54:00 ossec-config(1501): ERROR: Invalid SMTP Server: alt1.gmail-smtp-in.l.google.com.
2017/08/24 22:54:00 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/08/24 22:54:00 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-maild did not start correctly.
How do I solve this?
 

dan (ddp)
Aug 24, 2017, 5:41:03 PM
to ossec...@googlegroups.com


I added it to my local_rules.xml file, outside of the </group> tag near the bottom.


Ritu Soni
Aug 28, 2017, 12:17:31 AM
to ossec-list
Hey,
I have added the rule in the local_rules.xml file in the way shown in the attached image.
After adding the rule, I restarted the OSSEC services. But I get the following errors:
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-dbd...
2017/08/28 09:40:55 ossec-config(1501): ERROR: Invalid SMTP Server: alt1.gmail-smtp-in.l.google.com.
2017/08/28 09:40:55 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/08/28 09:40:55 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-maild did not start correctly.
Did I miss anything? Or should any other command have been used to make that rule work? Please guide me to solve this problem.
[attachment: Screenshot from 2017-08-28 09^%39^%00.png]

dan (ddp)
Aug 28, 2017, 1:53:17 PM
to ossec...@googlegroups.com
That error has nothing to do with the rule you added. I think there's
an issue with name resolution for maild, but I haven't looked into it
yet.


Ritu Soni
Aug 31, 2017, 2:42:48 PM
to ossec-list
Hey,
Thanks for your suggestions. Now OSSEC is generating logs and not giving errors after restarting it a couple of times.
Now I want to exercise the rule, that is, I want to perform an attack according to that rule. I have tried to log in from PuTTY on Windows 3 times within 5 minutes, so that it will show "attack from same source IP", but it is not working.
What else can I do? Or how is it going to work?
Is there any other method to get an alert after adding this rule? Please suggest one.
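To make the behaviour of the composite rule from this thread concrete, here is an editor-added Python model (not OSSEC's code) of how rule 200000's `if_matched_group`, `same_source_ip`, `timeframe` and `frequency` interact. It replays constructed events (not real alerts) through a per-source-IP sliding window: only events that already matched a rule in the groups attacks, attack or automatic_attack are counted, and, following the thread's note that the effective count is frequency + 2, the rule fires on the fifth such event from one IP inside 300 seconds. Treating the pipe-separated group list as alternatives and resetting the window after a firing are assumptions of this model, not claims about OSSEC's exact implementation. Ordinary successful SSH logins carry no attack group, which is why they never advance the counter.

```python
from collections import defaultdict, deque


class CompositeRule:
    """Model of the composite rule discussed in this thread:

        <rule id="200000" level="15" timeframe="300" frequency="3">
          <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
          <same_source_ip />
        </rule>

    Events that already matched a rule in one of the listed groups are counted
    per source IP inside a sliding window of `timeframe` seconds. The effective
    number of matches is frequency + 2 (as the thread notes), so frequency=3
    fires on the fifth match. Assumptions of this model: the pipe-separated
    group list means "any of these", and the window is reset after firing so one
    burst yields one alert.
    """

    def __init__(self, groups, timeframe, frequency, same_source_ip=True):
        self.groups = set(groups)
        self.timeframe = timeframe
        self.required = frequency + 2
        self.same_source_ip = same_source_ip
        self._windows = defaultdict(deque)  # correlation key -> timestamps of matching events

    def feed(self, event):
        """Process one already-matched event {'ts', 'srcip', 'groups'}; True if the rule fires."""
        if not (self.groups & set(event["groups"])):
            return False  # e.g. an authentication_success event: not in any attack group
        key = event["srcip"] if self.same_source_ip else "*"
        window = self._windows[key]
        window.append(event["ts"])
        while window and event["ts"] - window[0] > self.timeframe:
            window.popleft()  # drop matches older than the timeframe
        if len(window) >= self.required:
            window.clear()
            return True
        return False


def replay(events, rule):
    """Feed events in order and return (ts, srcip) for every firing."""
    return [(ev["ts"], ev["srcip"]) for ev in events if rule.feed(ev)]


# Constructed sample events. 'groups' stands for the groups of the rule each
# event already matched. 203.0.113.5 is a user logging in over SSH repeatedly;
# 198.51.100.7 trips web attack rules five times within 200 seconds.
SAMPLE_EVENTS = [
    {"ts": 0,   "srcip": "198.51.100.7", "groups": {"attack", "web"}},
    {"ts": 10,  "srcip": "203.0.113.5",  "groups": {"authentication_success", "sshd"}},
    {"ts": 50,  "srcip": "198.51.100.7", "groups": {"attacks", "web"}},
    {"ts": 60,  "srcip": "203.0.113.5",  "groups": {"authentication_success", "sshd"}},
    {"ts": 100, "srcip": "198.51.100.7", "groups": {"automatic_attack"}},
    {"ts": 120, "srcip": "203.0.113.5",  "groups": {"authentication_success", "sshd"}},
    {"ts": 150, "srcip": "198.51.100.9", "groups": {"attack"}},
    {"ts": 160, "srcip": "198.51.100.7", "groups": {"attack"}},
    {"ts": 200, "srcip": "198.51.100.7", "groups": {"attack"}},  # fifth match from .7 -> fires
    {"ts": 700, "srcip": "198.51.100.9", "groups": {"attack"}},  # .9: two matches, 550 s apart
]


def thread_rule():
    """The rule as written in the thread: timeframe 300, frequency 3."""
    return CompositeRule(["attacks", "attack", "automatic_attack"], timeframe=300, frequency=3)


if __name__ == "__main__":
    for ts, ip in replay(SAMPLE_EVENTS, thread_rule()):
        print(f"t={ts}s rule 200000 fired: attacks from same source IP {ip}")
```

The practical reading for testing the real rule is to check, with `ossec-logtest`, which group the alert for a given log line lands in: unless that group is one of attacks, attack or automatic_attack, repeating the event from one IP will never count toward rule 200000.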