OSSEC 2.8.1 now available!


Doug Burks

Oct 6, 2014, 7:11:39 AM
to securit...@googlegroups.com
http://blog.securityonion.net/2014/10/ossec-281.html

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

sfear...@gmail.com

Oct 6, 2014, 12:00:19 PM
to securit...@googlegroups.com
Problem upgrading ossec to 2.8.1.

Please see below. I've replaced the sensitive data with xxxx. I had the following in my ossec.conf prior to this upgrade. I was running the 2.8 install that was released not long ago.

Here are the entries I had for email prior to the failed 2.8.1 sed line below. It might be related to how I commented out the "email no", and then created the other global block below it. Just wanted to ensure that I receive any new entries in ossec.conf before I re-edit.


xxxx@xxxx:~/togit$ dpkg -l | grep ossec
iF ossec-hids-server 2.8.1-ubuntu10securityonion8 Open Source Security, Host-Based Intrusion Detection System
ii securityonion-ossec-rules 20120726-0ubuntu0securityonion3 This package installs the Security Onion rules for OSSEC.
ii securityonion-sguil-agent-ossec



<ossec_config>
<global>
<!-- <email_notification>no</email_notification> -->
<logall>yes</logall>
</global>

<global>
<email_notification>yes</email_notification>
<smtp_server>XXX.XXX.XXX.XXX</smtp_server>
<email_to>xx...@xxxx.com</email_to>
<email_from>xx...@xxxx.com</email_from>
<email_maxperhour>50</email_maxperhour>
</global>

<email_alerts>
<rule_id>100109</rule_id>
<email_to>xx...@xxxx.com</email_to>
</email_alerts>

<email_alerts>
<rule_id>18222</rule_id>
<email_to>xx...@xxxx.com</email_to>
</email_alerts>
<email_alerts>
<rule_id>18222</rule_id>
<email_to>xx...@xxxx.com</email_to>
</email_alerts>


Setting up ossec-hids-server (2.8.1-ubuntu10securityonion8) ...
Installing new version of config file /etc/ossec-init.conf ...
It appears you had enabled email notification in OSSEC.
Enabing email notification and importing email settings.
smtp_server: XXX.XXX.XXX.XXX
email_from: x...@xxxx.com
email_to: xx...@xxxxx.com
xx...@xxxxx.com
xx...@xxxxx.com
xx...@xxxxx.com
sed: -e expression #1, char 63: unterminated `s' command
dpkg: error processing ossec-hids-server (--configure):
subprocess installed post-installation script returned error exit status 1
Setting up libmagic1 (5.09-2ubuntu0.5) ...
Setting up file (5.09-2ubuntu0.5) ...
Setting up openssl (1.0.1-4ubuntu5.18) ...
Setting up python-greenlet (0.3.1-1ubuntu5.1) ...
Setting up python-gevent (0.13.6-1ubuntu1) ...
Setting up securityonion-bro-scripts (20121004-0ubuntu0securityonion38) ...
Setting up securityonion-onionsalt (20140917-0ubuntu0securityonion17) ...
Setting up securityonion-setup (20120912-0ubuntu0securityonion122) ...
Checking to see if /etc/nsm/pulledpork/pulledpork.conf exists.
Checking /etc/nsm/pulledpork/pulledpork.conf to see if Snort VRT ruleset is enabled.
Snort VRT ruleset is NOT enabled in /etc/nsm/pulledpork/pulledpork.conf, so no changes necessary.
Setting up securityonion-sostat (20120722-0ubuntu0securityonion31) ...
Setting up securityonion-suricata (2.0.4-0ubuntu0securityonion1) ...
Setting up securityonion-web-page (20120722-0ubuntu0securityonion25) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for python-support ...
Errors were encountered while processing:
ossec-hids-server
E: Sub-process /usr/bin/dpkg returned an error code (1)


Thanks!
Scott F.

Doug Burks

Oct 6, 2014, 12:14:15 PM
to securit...@googlegroups.com
Hi Scott,

Here's the relevant code snippet from
/var/lib/dpkg/info/ossec-hids-server.postinst:

if grep "<email_to>" $OLDCONF >/dev/null && ! grep "<email_to>" $NEWCONF > /dev/null; then
  EMAIL_TO=`grep "<email_to>" $OLDCONF | cut -d\> -f2 | cut -d\< -f1`
  echo "email_to: $EMAIL_TO"
  sed -i "s| <logall>yes</logall>| <email_to>$EMAIL_TO</email_to>\n <logall>yes</logall>|" $NEWCONF
fi

The grep is getting all of the <email_to> lines, including the extra
ones you've added for rules 100109 and 18222 (I assume these are
different email addresses than your main email address?).

I think the best way to avoid this is to grab only the first
occurrence of <email_to> by adding "head -1" like this:

if grep "<email_to>" $OLDCONF >/dev/null && ! grep "<email_to>" $NEWCONF > /dev/null; then
  EMAIL_TO=`grep "<email_to>" $OLDCONF | cut -d\> -f2 | cut -d\< -f1 | head -1`
  echo "email_to: $EMAIL_TO"
  sed -i "s| <logall>yes</logall>| <email_to>$EMAIL_TO</email_to>\n <logall>yes</logall>|" $NEWCONF
fi

I think you can edit /var/lib/dpkg/info/ossec-hids-server.postinst
with that change and have dpkg try postinst again. If that works for
you, I'll update the package.
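The failure Doug describes can be reproduced outside dpkg. The POSIX shell script below is an added example, not the Security Onion postinst and not code from this thread: it builds a constructed ossec.conf with more than one <email_to> line, runs the original extraction pipeline and the "head -1" variant, and feeds each result into the same sed substitution the postinst uses. The file names, the <example.invalid> addresses and the helper names (make_sample_conf, extract_all, extract_first, line_count, apply_to_template) are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the Security Onion postinst: reproduces the
# "unterminated `s' command" failure and shows why "head -1" fixes it.
# Sample config, file names and addresses are constructed for this demo.

# Write a constructed ossec.conf with one global <email_to> plus a per-rule
# <email_alerts> block, i.e. more than one <email_to> line, as in the report.
make_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>main@example.invalid</email_to>
  </global>
  <email_alerts>
    <rule_id>100109</rule_id>
    <email_to>oncall@example.invalid</email_to>
  </email_alerts>
</ossec_config>
EOF
}

# Original extraction: every <email_to> value, one per line. With two or
# more matches the result contains an embedded newline.
extract_all() {
  grep "<email_to>" "$1" | cut -d\> -f2 | cut -d\< -f1
}

# Fixed extraction: only the first match, which is the <global> address.
extract_first() {
  grep "<email_to>" "$1" | cut -d\> -f2 | cut -d\< -f1 | head -1
}

# Number of lines in a value; 1 means it is safe to splice into a sed
# 's' command, anything else will terminate the command early.
line_count() {
  printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Write a minimal new-style config containing only <logall> and run the same
# sed substitution the postinst uses. Returns sed's exit status: a multi-line
# $2 makes GNU sed report "unterminated `s' command", because the raw newline
# inside the replacement ends the command before the closing delimiter.
apply_to_template() {
  template="$1"
  email_to="$2"
  printf '<ossec_config>\n  <global>\n    <logall>yes</logall>\n  </global>\n</ossec_config>\n' > "$template"
  sed -i "s| <logall>yes</logall>| <email_to>$email_to</email_to>\n    <logall>yes</logall>|" "$template"
}

# Walk through both cases and print what happens at each step.
demo() {
  tmp=$(mktemp -d)
  make_sample_conf "$tmp/old.conf"
  all=$(extract_all "$tmp/old.conf")
  first=$(extract_first "$tmp/old.conf")
  echo "original pipeline returned $(line_count "$all") lines:"
  echo "$all"
  echo "head -1 pipeline returned: $first"
  if apply_to_template "$tmp/bad.conf" "$all"; then
    echo "unexpected: multi-line value was accepted by sed"
  else
    echo "multi-line value: sed failed, matching the dpkg output above"
  fi
  apply_to_template "$tmp/good.conf" "$first"
  echo "single-line value: sed succeeded, result:"
  cat "$tmp/good.conf"
  rm -rf "$tmp"
}

# Run the walkthrough only when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

The line_count helper is the check a practitioner would want in a maintainer script: any value that is about to be interpolated into a sed expression should be verified to be a single line (and, more generally, to contain neither the delimiter nor a newline) before the substitution runs, so that an unexpected config layout produces a clear message rather than a failed postinst.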

Doug Burks

Oct 6, 2014, 12:37:10 PM
to securit...@googlegroups.com
I just duplicated your scenario, then edited
/var/lib/dpkg/info/ossec-hids-server.postinst to include "head -1",
then ran "sudo soup" and everything worked just fine.

I'm building a new version of the package to include this by default.

Scott Farrell

Oct 6, 2014, 12:44:47 PM
to securit...@googlegroups.com
Thanks for the quick response. I believe that worked. Also, yeah, there are some different emails in there due to some rule alert requirements.

root@xxxxxxxx:/var/lib/dpkg/info# dpkg --configure ossec-hids-server

Setting up ossec-hids-server (2.8.1-ubuntu10securityonion8) ...
It appears you had enabled email notification in OSSEC.
Enabing email notification and importing email settings.
Please double-check /var/ossec/etc/ossec.conf and add back any local customizations.
update-rc.d: warning: /etc/init.d/ossec-hids-server missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-csyslogd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


Doug Burks

Oct 6, 2014, 1:00:35 PM
to securit...@googlegroups.com
ossec-hids-server - 2.8.1-ubuntu10securityonion10 is copying to the
stable PPA now:
https://launchpad.net/~securityonion/+archive/ubuntu/stable/+packages