New to OSSEC?


frwa onto
Sep 3, 2013, 12:36:10 AM
to ossec...@googlegroups.com
Hi All,
        I just rebuilt and installed OSSEC on my CentOS 6.4 machine. So what should the next step be, as this is an existing machine and I want to check for any previous intrusion? I also want to get alerts on updates to my local files or any new files created. I am sorry, I am very new to it.

dan (ddp)
Sep 4, 2013, 9:38:07 AM
to ossec...@googlegroups.com
You can use ossec-logtest to check old log files, and syscheck has a
default configuration that can cover most needs. If you have custom
locations that must be monitored, you should add them to the
ossec.conf in the syscheck section.


frwa onto
Sep 4, 2013, 1:54:34 PM
to ossec...@googlegroups.com
Dear Dan,
              For ossec-logtest, do I just run it like this: ./ossec-logtest? How about syscheck, how do I run it? What will both of these scripts eventually be doing? Do I need to run rootcheck?

dan (ddp)
Sep 5, 2013, 9:25:13 AM
to ossec...@googlegroups.com
On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> For ossec-logtest I just ran like this ./ossec-logtest? How

The easiest way is to pipe the log file through logtest:
cat /path/to/logfile | /var/ossec/bin/ossec-logtest

Use zcat if the logfile is compressed. If you want to redirect the
output to a file, use this:
cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file 2>&1


> about the syscheck how to run it? What will both of this script eventually

By default, syscheck will run when OSSEC starts.

> be doing? Do I need to run the rootcheck ?
>

Same as syscheck I believe.

frwa onto
Sep 6, 2013, 4:51:45 AM
to ossec...@googlegroups.com
Dear Dan,
              I know the option you gave is just for a single file. I want to do the whole of /var/log; how do I go about that, which I think is what ossec-logtest does, right?
I know neither of these works now:
cat /var/log | /var/ossec/bin/ossec-logtest  > /usr/local/ossetest.txt 2>&1
cat: /var/log: Is a directory
[root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest  > /usr/local/ossetest.txt 2>&1
gzip: /var/log is a directory -- ignored

How do I confirm that syscheck is running? Normally, where and what are the log files of OSSEC for us to view or look at? Thank you. Sorry, very new to this tool.

dan (ddp)
Sep 6, 2013, 11:14:40 AM
to ossec...@googlegroups.com
On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> I know your option you gave is just for single file. I Want to
> do the whole of /var/log how to go about with that which I think that is
> what ossec-logtest does right.
> I know neither of this does now work..
> cat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
> cat: /var/log: Is a directory
> [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest >
> /usr/local/ossetest.txt 2>&1
> gzip: /var/log is a directory -- ignored
>

You're running this on a Linux or Unix-like system; use the tools available.
zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest


> How to confirm that syscheck is running. Normally where and what are the
> logfiles of ossec for us to to view or look?. Thank you. Sorry very new to
> this tool.
>

/var/ossec/logs/ossec.log contains information like when syscheck runs.
/var/ossec/logs/alerts/alerts.log has alert information.
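The cat/zcat approach above handles one file or one glob at a time. What follows is an added example (mine, not code from this thread or from the OSSEC project) that walks a whole log directory, decompresses rotated *.gz copies on the fly and streams every line through ossec-logtest on stdin. It assumes the tool lives at /var/ossec/bin/ossec-logtest, as used in this thread, and passes the -a flag that dan mentions later in the thread so only lines that would fire an alert are printed. The build_sample_log_dir() helper writes constructed sample logs (made up for this example) so the pipeline can be tried without touching /var/log.

```python
import gzip
import os
import subprocess
import tempfile
from typing import Iterator, List

# Path used throughout this thread; adjust if your install differs.
OSSEC_LOGTEST = "/var/ossec/bin/ossec-logtest"


def iter_log_lines(log_dir: str) -> Iterator[str]:
    """Yield every non-empty line of every file under log_dir, in sorted
    path order, reading *.gz files through gzip (the cat/zcat pair from
    the thread, extended to a whole tree). Unreadable or truncated files
    are skipped so one bad archive does not abort the replay."""
    paths: List[str] = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            paths.append(os.path.join(root, name))
    for path in sorted(paths):
        opener = gzip.open if path.endswith(".gz") else open
        try:
            with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    line = line.rstrip("\n")
                    if line:
                        yield line
        except (OSError, EOFError):
            continue


def replay_through_logtest(log_dir: str, logtest: str = OSSEC_LOGTEST,
                           alerts_only: bool = True) -> str:
    """Feed the collected lines to ossec-logtest on stdin and return what
    it printed. With alerts_only the -a flag is passed, so the output is
    the alert-style summary for lines that matched a rule, not every
    decode."""
    cmd = [logtest] + (["-a"] if alerts_only else [])
    data = "\n".join(iter_log_lines(log_dir)) + "\n"
    proc = subprocess.run(cmd, input=data, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def build_sample_log_dir() -> str:
    """Create a throwaway directory holding constructed sample logs: one
    plain file and one gzip-rotated file, mimicking the /var/log layout."""
    sample_dir = tempfile.mkdtemp(prefix="ossec-logtest-sample-")
    with open(os.path.join(sample_dir, "secure"), "w") as fh:
        fh.write("Sep  8 00:51:17 capture sshd[11987]: Accepted password "
                 "for root from 192.0.2.78 port 3516 ssh2\n\n")
    with gzip.open(os.path.join(sample_dir, "secure-20130901.gz"), "wt") as fh:
        fh.write("Sep  1 11:31:02 capture sshd[4242]: Failed password "
                 "for invalid user admin from 192.0.2.9 port 51515 ssh2\n")
    return sample_dir


if __name__ == "__main__":
    # Real run: replay everything under /var/log (needs root and OSSEC installed).
    print(replay_through_logtest("/var/log"))
```

Run it as root on the OSSEC host; redirecting the result to a file, as in the earlier reply, gives you a reviewable record of every old log line that would have alerted had OSSEC been watching at the time.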

frwa onto
Sep 7, 2013, 1:03:47 PM
to ossec...@googlegroups.com
Dear Dan,
              Yes, I went into ossec.log and saw the below. I have a few things to ask here. First, I saw it say 1229 total rules enabled. Will the rules increase by themselves, or do they need manual intervention? Why are some showing as errors? Another error is this one: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.


2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986).
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/access_log'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/error_log'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982).
2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982).
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file.
2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010).
2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064).
2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/08/31 16:47:07 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file.
2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246).
2013/09/01 21:32:08 DEBUG: I am creating the SQLite table. 
2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269).
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file.
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'


2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.

2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.

2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file.
2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245).
2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file.
2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248).
2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file.
2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250).
2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan.

Rootcheck runs by itself; is it automatic?


Next I went into alerts.log. So will all of this be alerted via email, or only some alerts?

I saw this:

** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from **.**.**.78 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep  8 00:52:24 capture sshd[11985]: Accepted password for root from **.**.**.78 port 3512 ssh2

** Alert 1378572745.840: - pam,syslog,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session opened for user root by (uid=0) 


Another thing: with this process, zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest, basically what are we going to look out for from here?

dan (ddp)
Sep 10, 2013, 9:12:09 AM
to ossec...@googlegroups.com
On Sat, Sep 7, 2013 at 1:03 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Yes I went into the ossec.log and saw like below. I got few
> things to ask here first I saw it say 1229 total rules enabled. Will the
> rules increase by itself or need manual intervention ? Why some are showing

You will have to update the rules manually (for now).

> as errors? Another error is this one Queue '/queue/alerts/ar' not

What rules are showing up as errors?

> accessible: 'Connection refused'.?

Are you using active response? If not, ignore.
Looks like it.

>
> NExt I went into alerts.log. So will all this be alerted via email or only
> some alerts?
>

Some alerts will trigger emails, some will not. You can customize a lot of that.
That will provide some alerts. In fact, the "-a" flag to ossec-logtest
should provide alerts very similar to what is in alerts.log.

Other than that, this question is too broad for me to answer.

frwa onto
Sep 10, 2013, 10:14:21 AM
to ossec...@googlegroups.com
Dear Dan,
               Sorry, I will limit my questions.
1. How do I manually update the rules?
2. Here I don't see any rules. It does not state what rule:

> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972). 
> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
> not accessible: 'Connection refused'. 
> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to 
> active response queue. 

Isn't active response a key part of OSSEC? How do I enable it, and what does it do?

Thank you very much.

dan (ddp)
Sep 10, 2013, 11:17:23 AM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 10:14 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear DAn,
> Sorry I will limit my question.
> 1. How to manually update the rules?

Either add your own to local_rules.xml, download the latest rules from
the repository, or update your OSSEC installation.

> 2. Here I dont see any rules.IT does not state what rule
>

Any entry in alerts.log is there because the log message triggered a
rule. The rule id is mentioned in each entry. For example:
** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from
**.**.**.78 port 3516 ssh2

The above alert was for rule 5715. If you look in
/var/ossec/rules/sshd_rules.xml you should see rule 5715.


>> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
>> not accessible: 'Connection refused'.
>> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to
>> active response queue.
>
> Isnt active response a key for ossec? How to enable it and what is does?
>

You don't have to use it.
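To show what a reviewer would pull out of alerts.log, here is an added example (mine, not code from this thread or from the OSSEC project). It parses entries in the format quoted above into records, counts them per rule id, lists successful root SSH logins with source address and time, and applies the level >= 6 gate that the default host-deny and firewall-drop active-response blocks quoted later in this thread use, to show which entries would have triggered a block. The sample input is the four alerts quoted in this thread, embedded as a constant; the field names, and the optional "mail" marker in the header line, are my reading of the log format rather than anything the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the four alerts quoted in this thread, verbatim.
SAMPLE_ALERTS = """\
** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from **.**.**.78 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep  8 00:52:24 capture sshd[11985]: Accepted password for root from **.**.**.78 port 3512 ssh2

** Alert 1378572745.840: - pam,syslog,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Header: "** Alert <sec>.<seq>: - <groups>". An alert that also went out by
# e-mail carries a "mail" marker before the dash (assumption about the format).
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail> mail)? +- (?P<groups>.*)$")
LOCATION_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<log>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    mailed: bool
    timestamp: str = ""
    host: str = ""
    location: str = ""
    rule_id: int = 0
    level: int = 0
    description: str = ""
    src_ip: Optional[str] = None
    user: Optional[str] = None
    raw: List[str] = field(default_factory=list)  # the log line(s) that fired


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into Alert records. Lines before the first
    header are ignored; anything not recognised inside an entry is kept
    as the raw log line that triggered it."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Alert(alert_id=m["id"],
                        groups=[g for g in m["groups"].split(",") if g],
                        mailed=bool(m["mail"]))
            alerts.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        m = LOCATION_RE.match(line)
        if m and not cur.timestamp:
            cur.timestamp, cur.host, cur.location = m["ts"], m["host"], m["log"]
            continue
        m = RULE_RE.match(line)
        if m and not cur.rule_id:
            cur.rule_id, cur.level, cur.description = int(m["id"]), int(m["level"]), m["desc"]
            continue
        if line.startswith("Src IP: "):
            cur.src_ip = line[len("Src IP: "):].strip()
            continue
        if line.startswith("User: "):
            cur.user = line[len("User: "):].strip()
            continue
        cur.raw.append(line)
    return alerts


def count_by_rule(alerts: List[Alert]) -> Dict[int, int]:
    """How often each rule id fired: the quickest triage view of a log."""
    return dict(Counter(a.rule_id for a in alerts))


def root_ssh_logins(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """(timestamp, source IP) for every successful SSH login as root, the
    first thing to check on a box you suspect was already compromised."""
    return [(a.timestamp, a.src_ip or "?") for a in alerts
            if "sshd" in a.groups and "authentication_success" in a.groups
            and a.user == "root"]


def would_trigger_active_response(alert: Alert, min_level: int = 6) -> bool:
    """The <level>6</level> gate from the default host-deny and
    firewall-drop blocks: any rule at or above that level fires them."""
    return alert.level >= min_level
```

On the sample, both rule 5715 hits are password logins as root from the same address; neither reaches level 6, so the stock active-response blocks would not have touched that address, which is worth knowing before deciding whether to keep them.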

frwa onto
Sep 10, 2013, 11:59:50 AM
to ossec...@googlegroups.com
Dear Dan,
            
1. Is there any link on how to download and update the latest rules? Because how would I update the installation (uninstall and reinstall?) unless it was installed via yum, right? But in my case my .rpm is rebuilt.

2. OK, I can see all the logs in /var/ossec/logs/alerts have a rule number. How about the ones in /var/ossec/ossec.log, what do these represent? Because all the errors I posted earlier were from this ossec.log.

3. I am trying to read about active-response here: http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html. What actually is it? So you said I don't need to use it; is there any specific reason or drawback to it?

Thank you.



dan (ddp)
Sep 10, 2013, 12:07:02 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 11:59 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
>
> 1. IS there any link on how to download and updates the latest rules.
> Because how to update the installation(uninstall and reinstall ?) unless it
> installed via yum rite ? But in my case my .rpm is rebuild?
>

I don't know anything about the RPMs. Just replace the rules files
with newer copies. The rules don't get updated very often right now,
so it isn't a big concern.

> 2. Ok I can see all the logs in the /var/ossec/logs/alerts have a rule
> number. How about the one in /var/ossec/ossec.log what does this represent
> cause all the errors I post earlier was from this ossec.log.
>

Those are OSSEC logs. They are the logs from the OSSEC processes.

> 3. I am trying to read from here on active-response
> http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html
> actually what is it ? So you said dont need to use any specific reason or
> drawback of it?
>

I find it difficult to believe you've done any research into OSSEC if
you don't know what active response is.

It's the capability for OSSEC to automatically do things based on logs received.

frwa onto
Sep 10, 2013, 12:41:54 PM
to ossec...@googlegroups.com
Dear Dan,

1. OK, about the rules, I won't take it as a concern for now.

2. OK, now I am clear about both the logs.

3. Since you said that active response should react based on the logs, right, why do you not want me to use it?

4. In brief, can I say that OSSEC will be reading the log files and accordingly it will react based on the logs? Can it react on files that are being modified etc.?

Thank you.

dan (ddp)
Sep 10, 2013, 12:53:54 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 12:41 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
>
> 1. Ok about the rules I wont take it as a concern for now.
>
> 2. Ok now I am clear among both the logs.
>
> 3. Since you said that active response should react based on the logs rite
> why do not want me to use it ?
>

I never said you shouldn't use it, I just said it wasn't necessary.

> 4. Brief can I say that ossec will be reading the log files and accordingly
> it will react based on the logs. Can in react on files that are being
> modified etc?
>

Agents get a checksum for files, and pass this checksum to the server
in a log message. That log message is then analyzed, the checksum
compared to the checksum in the db, and if necessary an alert is
created. Yes, AR can be triggered by files being modified.

frwa onto
Sep 10, 2013, 1:08:27 PM
to ossec...@googlegroups.com
Dear Dan,
              The problem now is that I had to rebuild OSSEC and install it. But normally the installation will ask whether it is local, server or agent. In my case all this was not asked. I guess my installation is local.

I installed using this command: yum install ossec-hids-server-2.7-31.art.x86_64.rpm ossec-hids-2.7-31.art.x86_64.rpm. I know where to set up the email, that is /var/ossec/etc/ossec-server.conf. Anything else I must configure? I know I read some article saying that Active-Response can be risky if not set up well.

I notice my .conf file has this. Should I remove it?

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>    
  </active-response>

So in my case will OSSEC go and get checksums for all my files?

Thank you.

dan (ddp)
Sep 10, 2013, 1:14:48 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 1:08 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> The problem now I had to rebuild the ossec and installed it.
> But normally installation will ask is it local,server,agent. So in my case
> all this was not asked. I guess my installation is local.
>
> I installed using this command yum install
> ossec-hids-server-2.7-31.art.x86_64.rpm ossec-hids-2.7-31.art.x86_64.rpm. I
> know where to setup the email that is /var/ossec/etc/ossec-server.conf.
> Anything else I must configure? I know I read some article say that
> Active-Response can be risky if not set well.
>

I don't know anything about the RPMs.

> I notice my .conf file have this. Should I remove it.
>
> <!-- Active Response Config -->
> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 6.
> - The IP is going to be blocked for 600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
> So in my case will ossec go and get checksum for all my files ?
>

AR does not get checksums, syscheck does that.

frwa onto
Sep 10, 2013, 1:37:02 PM
to ossec...@googlegroups.com
Dear Dan,
              How do I confirm what type of installation mine is? And where is the checksum DB kept? Can I say that each syscheck run will update the checksum?

Thank you.

dan (ddp)
Sep 10, 2013, 1:40:24 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 1:37 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> How to confirm what type of installation is mine? So where is

cat /etc/ossec-init.conf

> the checksum db is kept? Can I say that syscheck run each time will update

/var/ossec/queue/syscheck/SOMETHING

> the checksum?
>

The checksum will be updated when a scan is run after the file is modified.

frwa onto
Sep 10, 2013, 1:55:24 PM
to ossec...@googlegroups.com
Dear Dan,
This shows as server.

DIRECTORY="/var/ossec"
VERSION="2.7"
DATE="Sat Aug 31 14:42:53 MYT 2013"
TYPE="server"

Whereas I just need it to run as local for a single machine; is this fine?

OK, I have seen /var/ossec/queue/syscheck/, but it is just a limited number of files, right? Not for every file. How do they validate whether a file has been changed? Surely the checksum will change, and it is that change which will be notified, right?

Thank you.

dan (ddp)
Sep 10, 2013, 2:04:02 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 1:55 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> This show as server.
>
> DIRECTORY="/var/ossec"
> VERSION="2.7"
> DATE="Sat Aug 31 14:42:53 MYT 2013"
> TYPE="server"
>
> Whereas I just need it to run as local for single machine is this fine ?
>

I can't think of a reason it wouldn't be ok, but I don't think I've tried it.

> Ok I have seen this /var/ossec/queue/syscheck/ but its just a limited number
> of files right? Not for everyfile. How do they validate a file if have been

There should be 1-2 files per system.

> changes surely the checksum will change and is that change which will be
> notified right?

If the file changes, the checksum probably changes. This triggers an alert.

frwa onto
Sep 10, 2013, 2:14:37 PM
to ossec...@googlegroups.com
Dear Dan,
              So should I leave it as server even though it does not have any agent? Will it be able to function as a local installation?

What do you mean by 1-2 files per system? What is the per-system referring to here? For example, below is my /var/ossec/queue/syscheck/syscheck:

+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825242 /etc/rc.d/rc3.d/K92iptables
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825258 /etc/rc.d/rc4.d/K92iptables
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825274 /etc/rc.d/rc5.d/K92iptables
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825282 /etc/rc.d/rc2.d/K92iptables

dan (ddp)
Sep 10, 2013, 2:25:07 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 2:14 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> So should I leave it as server but it does not have any agent.
> Will be able to function as local installation?
>

Try it and find out.

> What you mean by 1-2 files per system? What is the per-system referring to
> here? For e.g. below is my /var/ossec/queue/syscheck/syscheck
>

Each system (server and agent) will have 1 or 2 syscheck database
files. Windows systems will have 2, one for the files one for the
registry. They will be named something like:
(agent001) 127.0.0.1->syscheck

Or just syscheck for the local system (I think).

> +++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62
> !1378825242 /etc/rc.d/rc3.d/K92iptables
> +++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62
> !1378825258 /etc/rc.d/rc4.d/K92iptables
> +++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62
> !1378825274 /etc/rc.d/rc5.d/K92iptables
> +++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62
> !1378825282 /etc/rc.d/rc2.d/K92iptables
>

These are entries in the syscheck db, not files. Perhaps your question
meant something other than how I interpreted it.
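To make sense of those entries, here is an added example (mine, not code from this thread or from the OSSEC project) that parses lines of /var/ossec/queue/syscheck/syscheck into records, decodes the numeric mode, and diffs two entries for the same path to show which attributes changed, which is the comparison dan describes earlier in the thread (the freshly computed checksum against the one stored in the db). The field layout size:perm:uid:gid:md5:sha1, the meaning of the three leading markers and of the !<epoch> stamp, and the '#' prefix on retired lines are my reading of the OSSEC 2.x format and are not stated in the thread. The input is the four lines quoted above plus one constructed changed entry; the decoded mode 41471 is a symlink, which is why a size of 18 fits these rc.d entries (the length of a link target such as ../init.d/iptables, my guess).

```python
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the four entries quoted in this thread, verbatim.
SAMPLE_DB = """\
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825242 /etc/rc.d/rc3.d/K92iptables
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825258 /etc/rc.d/rc4.d/K92iptables
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825274 /etc/rc.d/rc5.d/K92iptables
+++18:41471:0:0:16246c14ab75c792e68869aaa7dae36a:378e73b007df1a415536de93bc93c2820d1acc62 !1378825282 /etc/rc.d/rc2.d/K92iptables
"""

# Constructed: what the rc3.d entry might look like after its link target
# changed (different size and checksums, first marker flipped to '!').
CHANGED_ENTRY = ("!++22:41471:0:0:" + "0" * 32 + ":" + "1" * 40
                 + " !1378900000 /etc/rc.d/rc3.d/K92iptables")

# Assumed layout: <3 markers><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path>
ENTRY_RE = re.compile(
    r"^(?P<marks>[+!]{3})"
    r"(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<seen>\d+) (?P<path>.+)$"
)
COMPARED = ("size", "mode", "uid", "gid", "md5", "sha1")


@dataclass(frozen=True)
class SyscheckEntry:
    marks: str
    size: int
    mode: int      # st_mode as a decimal integer
    uid: int
    gid: int
    md5: str
    sha1: str
    seen: int      # epoch time the entry was recorded (assumed meaning)
    path: str

    @property
    def filemode(self) -> str:
        """ls-style rendering of the mode, e.g. 'lrwxrwxrwx' for 41471."""
        return stat.filemode(self.mode)

    @property
    def times_changed(self) -> int:
        """Markers flip from '+' to '!' as the file changes (assumed meaning)."""
        return self.marks.count("!")


def parse_entry(line: str) -> Optional[SyscheckEntry]:
    """Parse one db line. Returns None for blank lines and for lines that
    start with '#', which I take to be retired entries for a changed path."""
    line = line.rstrip("\n")
    if not line.strip() or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("unrecognised syscheck entry: %r" % line)
    d = m.groupdict()
    return SyscheckEntry(
        marks=d["marks"], size=int(d["size"]), mode=int(d["mode"]),
        uid=int(d["uid"]), gid=int(d["gid"]), md5=d["md5"], sha1=d["sha1"],
        seen=int(d["seen"]), path=d["path"],
    )


def load_db(text: str) -> Dict[str, SyscheckEntry]:
    """Latest entry per path (a later line for the same path wins)."""
    db: Dict[str, SyscheckEntry] = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            db[entry.path] = entry
    return db


def changed_fields(old: SyscheckEntry, new: SyscheckEntry) -> List[str]:
    """Which compared attributes differ between two entries for the same
    path; a non-empty result is what becomes a syscheck alert."""
    if old.path != new.path:
        raise ValueError("entries are for different paths")
    return [name for name in COMPARED if getattr(old, name) != getattr(new, name)]
```

Reading the db this way also answers the "why so few entries" question that follows: every path in it comes from a <directories> entry in the syscheck section, so anything missing here is simply not configured for monitoring.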

frwa onto
Sep 10, 2013, 2:34:23 PM
to ossec...@googlegroups.com
Dear Dan,
              My question is why the entry list in /var/ossec/queue/syscheck/syscheck is so small. I am sure the total number of files I have on my system is more than this list, am I right?

dan (ddp)
Sep 10, 2013, 2:40:01 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 2:34 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> My question is why the entry list of
> /var/ossec/queue/syscheck/syscheck is so short. I am sure the total number
> of files on my system is more than this list, am I right?
>

I don't know. Check the directories you have configured in the
ossec.conf (<directories> entries in the <syscheck> section). Those
are the directories containing the files listed in that db file. If
you want something monitored, the directory must be defined in the
ossec.conf.

frwa onto
Sep 10, 2013, 2:54:07 PM
to ossec...@googlegroups.com
Dear Dan,
Ok, I think you are referring to this, right?

<!-- Files to monitor (localfiles) -->. So in my scenario, which .conf should I look into, ossec.conf or ossec-server.conf?


dan (ddp)
Sep 10, 2013, 2:59:18 PM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 2:54 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Ok, I think you are referring to this, right?
>
> <!-- Files to monitor (localfiles) -->. So in my scenario, which .conf should I
> look into, ossec.conf or ossec-server.conf?
>

The official file is ossec.conf. If the RPM does something silly with
that, I wouldn't know. I continue to know nothing about the RPM.


frwa onto
Sep 10, 2013, 10:13:42 PM
to ossec...@googlegroups.com
Dear Dan,
Hopefully it's following the standard file. So can I say that OSSEC is not similar to AIDE, as the latter does monitoring on all files in the system, which is why it initially builds the checksum database, right? Thank you.

dan (ddp)
Sep 11, 2013, 9:34:24 AM
to ossec...@googlegroups.com
On Tue, Sep 10, 2013 at 10:13 PM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Hopefully it's following the standard file. So can I say that
> OSSEC is not similar to AIDE, as the latter does monitoring on all files in
> the system, which is why it initially builds the checksum database, right?
> Thank you.
>

Look at the ossec.conf and decide for yourself.

frwa onto
Sep 14, 2013, 11:15:08 PM
to ossec...@googlegroups.com
Dear Dan,
Is it fine to monitor every file from / onwards? Thank you.

dan (ddp)
Sep 14, 2013, 11:19:17 PM
to ossec...@googlegroups.com


On Sep 14, 2013 11:16 PM, "frwa onto" <frwa...@gmail.com> wrote:
>
> Dear Dan,
> Is it fine to monitor every file from / onwards? Thank you.
>

There are a lot of files on a Linux system that change very frequently.
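Putting Dan's two points together, that syscheck only covers what `<directories>` entries in the `<syscheck>` section of ossec.conf name, and that monitoring everything from / would sweep in files that change constantly (/proc, /sys, /var/log, /tmp and the like, which would generate a steady stream of useless alerts), here is a constructed syscheck fragment. It is an added example, not the project's stock configuration and not the poster's file; the element names (`frequency`, `directories` with `check_all`, `ignore`) are the ones OSSEC uses, while the /boot and /opt/EXAMPLE-APP entries and the chosen ignore list are this example's own choices.

```xml
<ossec_config>
  <syscheck>
    <!-- Full rescan interval in seconds (22 hours); a scan also runs at startup -->
    <frequency>79200</frequency>

    <!-- Trees worth integrity monitoring: configuration, system binaries,
         boot files. check_all compares size, permissions, owner, group,
         md5 and sha1, which is what the syscheck db entries record. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Placeholder for an application of your own; not a default path -->
    <directories check_all="yes">/opt/EXAMPLE-APP</directories>

    <!-- Files inside monitored trees that legitimately change all the time.
         Without ignores for these, every scan reports changes that mean nothing. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>
</ossec_config>
```

After changing ossec.conf, restart OSSEC (`/var/ossec/bin/ossec-control restart`) so the new directories are scanned and added to the syscheck db; until then the db will still only list files from the directories that were configured at the last scan, which is the situation the short db file earlier in this thread reflects.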

frwa onto
Sep 15, 2013, 12:50:31 AM
to ossec...@googlegroups.com
Dear Dan,
Normally, which are the files that should be crucially monitored for intrusion detection, based on your experience?