OSSEC notifications are incorrect!
Ralphy
receives from two separate hosts and reports them as if they were from
just one host. Has anyone else seen this and if so, is there a fix?
I'm happy to supply example messages received. I just didn't want to
post specifics with hostnames etc.
Thanks in advance!
Ralphy
dan (ddp)
Jeremy Lee
- So this is the description:
- maild.groupping
If set to 1 alerts will be grouped together in one email. These alerts may be of different types or levels, and may be from different systems.
Default: 1
Allowed: 1 or 2
dan (ddp)
Brenton, Steve
Does anyone have OSSEC reporting into the opensource SIEM OSSIM? I am having troubles with some of the alerts generating false positives and was looking for some advice on where to start.
One problem is when reporting on logon events OSSIM is reading the OSSEC alerts as a success regardless of an access denied on the server or successful login.
Thanks in advance for the help,
-Steve
Ralphy
happens.
Ralphy
On Aug 18, 12:18 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Did you change this:http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#...
Michael Starks
As Dan notes, this is normal behavior. You may also be interested to
know that the subject of the alert email comes from the last log of the
alert, so the level may not even be indicative of the highest level in
the alert email.
Waqas
Windows machines and haven't faced any problem. Have you verified that
logon failure events are received by OSSEC server within the OSSIM.
Also, make sure the /etc/ossim/agents/plugins/ossec.cfg has the
corresponding SID mapped to the OSSIM event. I believe the OSSEC sid
you will be looking at is 18130 (Bad username or password) although
there are more sids for other logon failures as well. Make sure the
one you are interested in is correctly mapped there. Then verify that
the OSSIM sids on which it's mapped is also in the OSSIM database.
As an example, the OSSEC sid 18130 is mapped to OSSIM sid 7085. Then
make sure the OSSIM db has Windows Logon Failure description for 7085.
I hope this will help.
dan (ddp)
Waqas
Windows logins.
dan (ddp)
> Yes. OSSEC id 7085 with the sid 18130 can be used to detect the failed
> Windows logins.
>
If OSSEC does the right thing, this seems like an OSSIM issue.
It looks like there is some OSSIM/OSSEC dev work going on at the moment.
Guillermo Grande
precisely, in the last week, as part of my work at AlienVault, I have rewritten the ossec plugin that is used in ossim.
The aim is format adequately the fields that you can get in every ossec rule, so at correlation time I can write more interesting directives and response actions based on ossec rules and in the forensic console you can get a pretty detail custom view seeing the username, filename, userdataX with useful values.
So I can assure you that the new plugin normalize the windows security audits events. I am publishing it to the public repository as soon as it will be fixed an ugly bug in the agent, may be the next week.
But, anyway, if you are getting problems to match the event with the current plugin, take care of uncomment at the first lines of the plugin this line, exclude_sids:
# Windows audit failure event too noisy - 18105
# Windows Logon Success event too noisy - 18107
# Multiple Windows audit failure events too noisy - 18153
#exclude_sids=18105,18107
that are precisely avoiding to match the windows login event in the agent.
Don't forget to reboot the agent every time you change a plugin! (/etc/init.d/ossim-agent reboot)
In fact, the good way to test this will be, put an event like this in a separate file (take care of the last empty line at the end of the file), per example, a file called windows-audit-failure with this content:
** Alert 1314655215.7565: - windows,
2011 Aug 30 00:00:15 (agentname_002) 0.0.0.0->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
Src IP: (none)
User: (no user)
WinEvtLog: Security: AUDIT_FAILURE(5159): Microsoft-Windows-Security-Auditing: (no user): no domain: TestPC: The Windows Filtering Platform has blocked a bind to a local port. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume3\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 52952 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: %%14608 Layer Run-Time ID: 36
next see what is happening in the agent, once rebooted:
tail -f /var/log/ossim/agent.log
and see there if when you insert the event in the ossec alerts.log the agent match a rule against one of the regexp in the plugin:
# cat windows-audit-failure >> /var/ossec/logs/alerts/alerts.log
you can get insight about possible errors in the matching process looking at this log.
If you still not getting the events in the console forensic I can indicate you more checks to do, but may be the better is wait for the new plugin will be published.
Also I will be glad to get tons of feedback about ossec integration in ossim. Don't miss the new web interface for ossec in the recently published ossim 3.0 :-)
Greetings
--
Guillermo
twitter: guillermo
freenode: guillermo (#ossim #ossec ...)
Waqas
whole OSSIM distribution to version 3.0, just PM me your skype id and
if you want, I will take a look at it.
On Sep 8, 11:32 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
dan (ddp)
dan