ossec server reporting itself as 0.0.0.0 and more
Vitor Correia
this question is specific to ossecgui.
does anyone know in which situations or in what conditions will/can an ossec server report itself as being 0.0.0.0 or reporting itself as being the agent's ip?
this is happening specially with ssh connections from machine1 to ossec server.
if i logon through ssh from ossecserver to ossecserver it reports as it should:
src ip dest ip
'SSHD authentication success.' 2006-09-13 11:50:18 10.0.7.220 10.0.7.220
but if i logon from another machine it doesn't:
src ip dest ip
SSHD authentication success.' 2006-09-13 11:47:40 10.0.7.43 10.0.7.43
- the src should be 10.0.7.43 & dest should be 10.0.7.220
background info: this ossecserver is also a central syslog server, listening to network syslogs from other machines and reporting them to ossecgui, using the latest ossecgui snapshot and the latest stable ossec-hids.
for those of you who have been following my questions on this suject, i've pretty much managed to work it out, yey!! :) more on that as (including my installation procedure) as soon as i iron out this issue.
now, i don't think i've forgotten to mention anything of importance, what do you think?
./vcorreia
Vitor Correia Systems Administrator -- Mobbit Systems vitor....@mobbit.net | Telemóvel: + 351 916 448 025 Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41 in...@mobbit.net | www.mobbit.net ,-O O(_)) for a better world `-O
Meir Michanie
The src is taken from src ip line
if the alert has src ip none then I substitute that to 0.0.0.0
The destination IP value sould be parsed in the future by ossec-hids. In the meantime dst IP is parsed as I described before.
If the alert host (the dst ip) is not an IP or the script can't resolve to an IP, then It will copy srcip as dstip.
Meir Michanie
I configured remote servers to send syslog straight to ossec and then I got a similar log entry as you reported.
I corrected ossec2mysql in order to parse the log entry.
** Alert 1158059536.19220030 : nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
you can fetch the latest ossec2mysql from www.riunx.com (ossec-ui)
Leonardo Goldim
machine (if local installation) and the src ip the ip that try to
connect or 127.0.0.1 if is something local ?
I believe that using this way is better to organize information at
BASE, right ?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
> Well, well, well.
> I configured remote servers to send syslog straight to ossec and then
> I got a similar log entry as you reported.
> I corrected ossec2mysql in order to parse the log entry.
>
> ** Alert 1158059536.19220030 : nomail
> 2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32 <http://10.116.16.32>
> Rule: 5109 (level 4) -> 'Kernel Input/Output error'
> Src IP: (0.0.0.0 <http://0.0.0.0>)
> User: (none)
> kernel: end_request: I/O error, dev sdd, sector 805583239
>
> you can fetch the latest ossec2mysql from www.riunx.com
> <http://www.riunx.com> (ossec-ui)
>
> On 9/13/06, *Meir Michanie* <meirg...@gmail.com
> <mailto:meirg...@gmail.com>> wrote:
>
> The dst is taken from the line <date> <agent> -> <log>
> The src is taken from src ip line
> if the alert has src ip none then I substitute that to 0.0.0.0
> <http://0.0.0.0>
> The destination IP value sould be parsed in the future by
> ossec-hids. In the meantime dst IP is parsed as I described before.
> If the alert host (the dst ip) is not an IP or the script can't
> resolve to an IP, then It will copy srcip as dstip.
>
>
> On 9/13/06, * Vitor Correia* < vitor....@mobbit.net
> <mailto:vitor....@mobbit.net>> wrote:
>
> hello everyone,
>
> this question is specific to ossecgui.
>
> does anyone know in which situations or in what conditions
> will/can an ossec server report itself as being 0.0.0.0
> <http://0.0.0.0> or reporting itself as being the agent's ip?
>
> this is happening specially with ssh connections from machine1
> to ossec server.
>
>
>
> if i logon through ssh from ossecserver to ossecserver it
> reports as it should:
>
>
> src ip dest ip
> 'SSHD authentication success.' 2006-09-13 11:50:18 10.0.7.220
> <http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.220&netmask=32>
> 10.0.7.220
> <http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.220&netmask32>
>
>
> but if i logon from another machine it doesn't:
>
>
> src ip dest ip
> SSHD authentication success.' 2006-09-13 11:47:40 10.0.7.43
> <http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.43&netmask=32>
> 10.0.7.43
> <http://webappserver/ossecbase/base_stat_ipaddr.php?ip=10.0.3.43&netmask32>
>
> - the src should be 10.0.7.43 <http://10.0.7.43> & dest should
> be 10.0.7.220 <http://10.0.7.220>
>
> background info: this ossecserver is also a central syslog
> server, listening to network syslogs from other machines and
> reporting them to ossecgui, using the latest ossecgui snapshot
> and the latest stable ossec-hids.
>
> for those of you who have been following my questions on this
> suject, i've pretty much managed to work it out, yey!! :) more
> on that as (including my installation procedure) as soon as i
> iron out this issue.
>
> now, i don't think i've forgotten to mention anything of
> importance, what do you think?
>
>
> ./vcorreia
>
> Vitor Correia
> Systems Administrator
> --
>
> Mobbit Systems
>
> vitor....@mobbit.net
>
> <mailto:vitor....@mobbit.net> | Telemóvel: + 351 916 448 025
>
> Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
> Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
>
>
> in...@mobbit.net <mailto:in...@mobbit.net> | www.mobbit.net <http://www.mobbit.net>
Meir Michanie
Isn't better the dst ip is always the agent (if agent-server) or the
machine (if local installation) and the src ip the ip that try to
connect or 127.0.0.1 if is something local ?
I believe that using this way is better to organize information at
BASE, right ?
Please do not hesitate to continue the debate.
Leonardo Goldim
base ...
for example, i have a server that monitor many agents ... using base for
analise the alerts, i can' t order by host, the alerts are mixed ...
if use the dstip like real ip, i can go to dest ip addrs -> select an ip
and i got all the alerts from that host, it's possible make this
comparison that you explain using the srcip like 0.0.0.0 or real ip ...
i will not hesitate, it's a productive debate.
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
>
>
> On 9/13/06, *Leonardo Goldim* <gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>> wrote:
>
>
> Isn't better the dst ip is always the agent (if agent-server)
> or the
> machine (if local installation) and the src ip the ip that try to
> connect or 127.0.0.1 <http://127.0.0.1> if is something local ?
>
> I believe that using this way is better to organize information at
> BASE, right ?
>
>
> I use srcip 0.0.0.0 <http://0.0.0.0> To indicate that it may not be a
> network related alert ( like new user). If I would use 127.0.0.1
> <http://127.0.0.1> then I would be mixing real srcip alert from
> 127.0.0.1 <http://127.0.0.1> of a network related alert like ssh from
Vitor Correia
Meir, again thank you for your testing and patch, i'm trying it now.
./vcorreia
Leonardo Goldim wrote:
my idea to use the real ip instead 0.0.0.0 is to organize the alerts at base ...
for example, i have a server that monitor many agents ... using base for analise the alerts, i can' t order by host, the alerts are mixed ...
if use the dstip like real ip, i can go to dest ip addrs -> select an ip and i got all the alerts from that host, it's possible make this comparison that you explain using the srcip like 0.0.0.0 or real ip ...
i will not hesitate, it's a productive debate.
Vitor Correia Systems Administrator -- Mobbit Systems vitor....@mobbit.net | Telemóvel: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
Meir Michanie
my idea to use the real ip instead 0.0.0.0 is to organize the alerts at
base ...
for example, i have a server that monitor many agents ... using base for
analise the alerts, i can' t order by host, the alerts are mixed ...
Why not? the agent is the dst ip. sort by dstip.
if use the dstip like real ip, i can go to dest ip addrs -> select an ip
and i got all the alerts from that host, it's possible make this
comparison that you explain using the srcip like 0.0.0.0 or real ip ...
and src ip is either a know network real IP or null if unknown or not network related.
Vitor Correia
i downloaded the lastest ossec-ui, untarred it, copied the *.pl to /usr/local/bin (replaced the old ones), kill the realtime feeding process and kicked it up again...
what went wrong? ... :(
./vcorreia
Leonardo Goldim
like is today, the dstip is the agent ip ?
in my base, the dstip and the srcip are the same, it's right ?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
>
>
> On 9/14/06, *Leonardo Goldim* <gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>> wrote:
>
>
> my idea to use the real ip instead 0.0.0.0 <http://0.0.0.0> is to
> organize the alerts at
> base ...
> for example, i have a server that monitor many agents ... using
> base for
> analise the alerts, i can' t order by host, the alerts are mixed ...
>
>
> Why not? the agent is the dst ip. sort by dstip.
>
>
> if use the dstip like real ip, i can go to dest ip addrs -> select
> an ip
> and i got all the alerts from that host, it's possible make this
> comparison that you explain using the srcip like 0.0.0.0
> <http://0.0.0.0> or real ip ...
Meir Michanie
Vitor:
it seems that your alert logs shows that the log was generated by the agent.
We have to work to make ossec-hids report dstip by parsing the event and reporting it to the log, so I do not have to make it up.
Leonardo Goldim
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
> Leonardo, get the last ossec2mysql from cvs or from www.riunx.com
>
> Vitor:
> it seems that your alert logs shows that the log was generated by the
> agent.
> We have to work to make ossec-hids report dstip by parsing the event
> and reporting it to the log, so I do not have to make it up.
>
> On 9/14/06, *Leonardo Goldim* <gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>> wrote:
>
>
> sorry, but i don't understand your answer ...
> like is today, the dstip is the agent ip ?
> in my base, the dstip and the srcip are the same, it's right ?
>
> --
> ________________________________________
> Leonardo Goldim - Auditoria Intranetworks
> gol...@intranetworks.com.br <mailto:gol...@intranetworks.com.br>
>
> Intranetworks
> Rua Marquês do Pombal 1710/805
> Porto Alegre - RS - 90540-000
> +55 51 3325-5700
> +55 51 8415-8604
>
>
>
> Meir Michanie wrote:
> >
> >
> > On 9/14/06, *Leonardo Goldim* <gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>
> > <mailto:gol...@intranetworks.com.br
Meir Michanie
Leonardo Goldim
<http://www.riunx.com/public/ossec-ui-latest.tar.bz2> at www.riunx.com
<http://www.riunx.com> and do this:
* mysql base -p < ossec2base.sql
* mysql base -p < snort_tables.sql
* mysql base -p < trunc_ossecbase.sql
* cp ossec2mysqld.pl ossec2mysql.pl ossec2basetxt.pl /usr/local/bin/
* cat rules/*.xml |ossec2basetxt.pl -e -o /usr/share/base-php4/signatures/
* echo 'TRUNCATE TABLE `signature` ;' | mysql base -p
* echo 'TRUNCATE TABLE `sensor` ;' | mysql base -p
* echo 'TRUNCATE TABLE `acid_event` ;' | mysql base -p
* echo 'TRUNCATE TABLE `events` ;' | mysql base -p
* echo 'TRUNCATE TABLE `event` ;' | mysql base -p
* echo 'TRUNCATE TABLE `data` ;' | mysql base -p
* cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log
|ossec2mysql.pl --interface manualfeed
when i try to import the logs (last command) i got the follow error:
Global symbol "$alerthostip" requires explicit package name at
/usr/local/bin/ossec2mysql.pl line 206.
Global symbol "$alerthostip" requires explicit package name at
/usr/local/bin/ossec2mysql.pl line 207.
Global symbol "$alerthostip" requires explicit package name at
/usr/local/bin/ossec2mysql.pl line 208.
Global symbol "$alerthostip" requires explicit package name at
/usr/local/bin/ossec2mysql.pl line 246.
Global symbol "$alerthostip" requires explicit package name at
/usr/local/bin/ossec2mysql.pl line 279.
Execution of /usr/local/bin/ossec2mysql.pl aborted due to compilation
errors.
i forgot to do something?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
> yes, I removed from cvs ossec2base and now is a link to ossec2mysql
>
>
> On 9/14/06, *Leonardo Goldim* <gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>> wrote:
>
>
> ossec2mysql and ossec2base/ossec-ui are the same ?
>
> --
> ________________________________________
> Leonardo Goldim - Auditoria Intranetworks
> gol...@intranetworks.com.br <mailto:gol...@intranetworks.com.br>
>
> Intranetworks
> Rua Marquês do Pombal 1710/805
> Porto Alegre - RS - 90540-000
> +55 51 3325-5700
> +55 51 8415-8604
>
>
>
> Meir Michanie wrote:
> > Leonardo, get the last ossec2mysql from cvs or from
> www.riunx.com <http://www.riunx.com>
> > <http://www.riunx.com <http://www.riunx.com>>
> >
> > Vitor:
> > it seems that your alert logs shows that the log was generated
> by the
> > agent.
> > We have to work to make ossec-hids report dstip by parsing the event
> > and reporting it to the log, so I do not have to make it up.
> >
> > On 9/14/06, *Leonardo Goldim* <gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>
> > <mailto:gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br> >> wrote:
> >
> >
> > sorry, but i don't understand your answer ...
> > like is today, the dstip is the agent ip ?
> > in my base, the dstip and the srcip are the same, it's right ?
> >
> > --
> > ________________________________________
> > Leonardo Goldim - Auditoria Intranetworks
> > gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br> <mailto:
Meir Michanie
TIA
Meir Michanie
Leonardo Goldim
but, at signature column appear just a number, not the text ... is it a
problem at db ?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
> I just tested I will release a new file in 5 mins
>
>
> On 9/14/06, *Meir Michanie* <meirg...@gmail.com
> <mailto:meirg...@gmail.com>> wrote:
>
> I apologize that I did all my last testings on ossec2mysqld and
> not ossec2mysql. I just fixed the declaration of the variable.
> Please download again from riunx and let me know if it is ok. I
> will do QA in a few hours.
>
> TIA
>
>
> gol...@intranetworks.com.br <mailto:gol...@intranetworks.com.br>
>
> Intranetworks
> Rua Marquês do Pombal 1710/805
> Porto Alegre - RS - 90540-000
> +55 51 3325-5700
> +55 51 8415-8604
>
>
>
> Meir Michanie wrote:
> > yes, I removed from cvs ossec2base and now is a link to
> ossec2mysql
> >
> >
> > On 9/14/06, *Leonardo Goldim* < gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>
> > <mailto:gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>>> wrote:
> >
> >
> > ossec2mysql and ossec2base/ossec-ui are the same ?
> >
> > --
> > ________________________________________
> > Leonardo Goldim - Auditoria Intranetworks
> > gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br> <mailto:
> gol...@intranetworks.com.br <mailto:gol...@intranetworks.com.br>>
> >
> > Intranetworks
> > Rua Marquês do Pombal 1710/805
> > Porto Alegre - RS - 90540-000
> > +55 51 3325-5700
> > +55 51 8415-8604
> >
> >
> >
> > Meir Michanie wrote:
> > > Leonardo, get the last ossec2mysql from cvs or from
> > www.riunx.com <http://www.riunx.com> < http://www.riunx.com>
> > > < http://www.riunx.com <http://www.riunx.com>>
> > >
> > > Vitor:
> > > it seems that your alert logs shows that the log was
> generated
> > by the
> > > agent.
> > > We have to work to make ossec-hids report dstip by
> parsing the event
> > > and reporting it to the log, so I do not have to make
> it up.
> > >
> > > On 9/14/06, *Leonardo Goldim* <
> gol...@intranetworks.com.br <mailto:gol...@intranetworks.com.br>
> > <mailto:gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>>
> > > <mailto: gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>
> > <mailto: gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>> >> wrote:
> > >
> > >
> > > sorry, but i don't understand your answer ...
> > > like is today, the dstip is the agent ip ?
> > > in my base, the dstip and the srcip are the same,
> it's right ?
> > >
> > > --
> > > ________________________________________
> > > Leonardo Goldim - Auditoria Intranetworks
> > > gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>
> > <mailto: gol...@intranetworks.com.br
> <mailto:gol...@intranetworks.com.br>> <mailto:
Leonardo Goldim
always the server ip or 127.0.0.1 ... shouldn't appear the other machine
ip too ?
and the signatures appear always like numbers (1, 4, 2, 3), not text
like before the upgrade ...
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie
---file start here --
** Alert 1157059138.537:
2006 Sep 01 00:18:58 topgun->/var/log/mail.info
Rule: 3303 (level 5) -> 'Sender domain is not found (450: Requested mail action not taken).'
Src IP: 82.182.108.180
User: (none)
postfix/smtpd[4351]: NOQUEUE: reject: RCPT from 1-1-4-21a.gka.gbg[172.16.108.180]: 450 <shos...@localhost.localdomain>: Recipient address rejected: Gre helo=<1-1-4-21a.gka.gbg >
** Alert 1157453980.455791: mail
2006 Sep 05 13:59:40 (Web) 195.X.X.X->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: X: Logon Failure: Reason: Unknown user name or bad password User Name: X Domain: X Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: X
WinEvtLog: Security: AUDIT_FAILURE(681): Security: SYSTEM: NT AUTHORITY: X: The logon to account: X by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: X failed. The error code was: 3221225572
** Alert 1157450401.442293: mail
2006 Sep 05 13:00:01 (Web) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\Program Files/Microsoft SQL Server/MSSQL/Data/X.mdf' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL/Data/X.mdf'
Size changed from '112132096' to '135725056'
** Alert 1157448825.440232: mail
2006 Sep 05 12:33:45 (SERVER2) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\WINNT/Debug/PASSWD.LOG' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\WINNT/Debug/PASSWD.LOG'
Size changed from '12460' to '12638'
Old md5sum was: '7815a64d079991d60aeba658be961633'
New md5sum is : 'e58818dd1f1155053a4616e1884dc554'
Old sha1sum was: '9df84637f4d746899cbd80bafcc2e37fc7066bdf'
New sha1sum is : '0d5b6ccabe9ae1d37ed0c4dad72f61e816620e47'
** Alert 1158059536.19220030: nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: ( 0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
copy all the lines between the --- lines
sa...@ttnet.net.tr
** Alert 1158312137.299900: mail
2006 Sep 15 12:22:17 localhost -> (X1)
195.X.X.X->\WINNT/System32/LogFiles/W3SVC2/ex060915.log
Rule: 11 (level 8) -> 'Excessive number of connections during this
hour.
Src IP: (0.0.0.0)
User: (none)
The average number of logs between 12:00 and 13:00 is 8485. We
reached 10184.'No Log Available (HOURLY_STATS)
Meir Michanie
Leonardo Goldim
here are what appear at base:
| ID | < Signature > | < Timestamp > | < Source Address > | < Dest. Address > | < Layer 4 Proto > |
| #0-(1-189033) | 46557 | 2006-09-01 00:18:58 | 82.182.108.180 | 82.182.108.180 | IP |
| Meta |
|
||||||
|
|||||||
|
| Payload |
** Alert 1157059138.537: nomail 2006 Sep 01 00:18:58 topgun -> /var/log/mail.info Rule: 3303 (level 5) -> 'Sender domain is not found (450: Requested mail action not taken).' Src IP: (82.182.108.180) User: (none) postfix/smtpd[4351]: NOQUEUE: reject: RCPT from 1-1-4-21a.gka.gbg[172.16.108.180]: 450 |
: Recipient address rejected: Gre helo=<1-1-4-21a.gka.gbg > |
i changed the address 195.x.x.x to 192.196.197.198, but this address appear at base like 127.0.0.1:
| Meta |
|
||||||
|
|||||||
|
| Payload |
** Alert 1157448825.440232: mail
2006 Sep 05 12:33:45 localhost -> (SERVER2) 192.196.197.198->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file
'C:\WINNT/Debug/PASSWD.LOG' has changed.'
Src IP: (0.0.0.0)
User: (none)
Integrity checksum changed for: 'C:\WINNT/Debug/PASSWD.LOG'Size
changed from '12460' to '12638'Old md5sum was:
'7815a64d079991d60aeba658be961633'New md5sum is :
'e58818dd1f1155053a4616e1884dc554'Old sha1sum was:
'9df84637f4d746899cbd80bafcc2e37fc7066bdf'New sha1sum is :
'0d5b6ccabe9ae1d37ed0c4dad72f61e816620e47'
|
here are a little bit of my logs:
-- log start here --
** Alert 1158233140.513: mail
2006 Sep 14 08:25:40 (smart08) 10.0.x.x->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file '/etc/blkid/blkid.tab' has changed again (third time). Ignoring it.'
Src IP: (none)
User: (none)
Old md5sum was: '6d84d9df95a0a48e3b52bb8074f456d7'
New md5sum is : 'e4ca48d47b888fd1d5afb4e2bedfe990'
Old sha1sum was: '047faaf6358185d53dc032e918ce800c247a8b22'
New sha1sum is : 'a330773fe7671988125775cc660450ce01c2dada'
** Alert 1158233377.1020: mail
2006 Sep 14 08:29:37 (smart08) 10.0.x.x->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file '/usr/bin/thunderbird' has changed.'
Src IP: (none)
User: (none)
Old md5sum was: '607c7034d7991baec997b1993b04c581'
New md5sum is : '3a4317227c00f4a3be4506e39d9bd939'
Old sha1sum was: '9986f6db24e722e4d1e9acaee25b456efc048450'
New sha1sum is : '55295b41f0f8efa50dfe2ec84e3e59a61074ea99'
** Alert 1158233633.1496: mail
2006 Sep 14 08:33:53 (smart08) 10.0.x.x->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file '/usr/bin/ncomputing/ltsrv.log' has changed again (2nd time)'
Src IP: (none)
User: (none)
Size changed from '30743' to '30907'
Old md5sum was: 'b2def3a0a348f5f8e47475584492dcf0'
New md5sum is : 'ac0e7170f8ddb88103ba3a985314e00b'
Old sha1sum was: '7238fe19321717d7b765bffa3fda79fd8d39b96a'
New sha1sum is : 'a6df29768ea48cebf6e35a8382cda336b3e87e2c'
** Alert 1158239910.4043:
2006 Sep 14 10:18:30 smart09->/var/log/httpd/error_log
Rule: 30112 (level 5) -> 'Attempt to access an non-existent file.'
Src IP: 127.0.0.1
User: (none)
[error] [client 127.0.0.1] File does not exist: /usr/share/base-php4/signatures/1516.txt, referer: http://127.0.0.1/base/base_qry_main.php?&num_result_rows=-1&submit
=Query+DB¤t_view=-1
** Alert 1158239910.4414:
2006 Sep 14 10:18:30 smart09->/var/log/httpd/access_log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 127.0.0.1
User: (none)
127.0.0.1 - - [14/Sep/2006:10:18:30 -0300] "GET /base/signatures/1516.txt HTTP/1.1" 404 296 "http://127.0.0.1/base/base_qry_main.php?&num_result_rows=-1&submit=Query
+DB¤t_view=-1" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060808 Fedora/1.5.0.6-2.fc5 Firefox/1.5.0.6"
** Alert 1158239910.4874:
2006 Sep 14 10:18:30 smart09->/etc/httpd/logs/access_log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 127.0.0.1
User: (none)
127.0.0.1 - - [14/Sep/2006:10:18:30 -0300] "GET /base/signatures/1516.txt HTTP/1.1" 404 296 "http://127.0.0.1/base/base_qry_main.php?&num_result_rows=-1&submit=Query
+DB¤t_view=-1" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060808 Fedora/1.5.0.6-2.fc5 Firefox/1.5.0.6"
** Alert 1158240900.5707:
2006 Sep 14 10:35:00 smart09->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
** Alert 1158253029.7654: mail
2006 Sep 14 13:57:09 (smart08) 10.0.0.8->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
** Alert 1158267855.5625567: mail
2006 Sep 14 18:04:15 (smart08) 10.0.x.x->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
** Alert 1158267855.5625812: mail
2006 Sep 14 18:04:15 (smart08) 10.0.x.x->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
-- log ends here --
why the address go to base is always the smart09 ip and 10.0.x.x (smart08) don't go?
-- ________________________________________ Leonardo Goldim - Auditoria Intranetworks gol...@intranetworks.com.br Intranetworks Rua Marquês do Pombal 1710/805 Porto Alegre - RS - 90540-000 +55 51 3325-5700 +55 51 8415-8604
|SaMaN|
It is latest snapshot of ossec2mysql and running with resolve. My config is below. So where is the problem?
[root@localhost rules]# cat /etc/ossec2base.conf
# PARAMS USED BY OSSEC2BASED dbhost=localhost database=snort
debug=5
dbport=3306
dbpasswd=
dbuser=root
fieldseparator=;
daemonize=1
sensor=ossec
interface=daemon
resolve=1
Meir Michanie
http://www.riunx.com/portal/modules.php?module=tips&mode=article&artid=5
Meir Michanie
Meir Michanie
Vitor Correia
was replacing the .pl files from the new snapshot enough?
i did that and i'm still getting the ossec server ip being reported as the agent's ip.
./vcorreia
sa...@ttnet.net.tr wrote:
Finally latest snapshot seems working. Thanks.
Leonardo Goldim
-- ________________________________________ Leonardo Goldim - Auditoria Intranetworks gol...@intranetworks.com.br Intranetworks Rua Marquês do Pombal 1710/805 Porto Alegre - RS - 90540-000 +55 51 3325-5700 +55 51 8415-8604
Meir Michanie wrote:
Leonardo Goldim
do you have any suggestion that i can do to correct my problem with
signatures?
after this fixes at ossec-ui, how we have to import the signatures ?
with the ossec2base_sigs.pl or ossec2basetxt.pl ?
in my case i used ossec2basetxt.pl ...
tks
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Leonardo Goldim wrote:
> i've installed the last ossec-ui (i did the download 30 minutes ago)
> and the problem with signatures continue ...
>
> ID <
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=sig_a>Signature>
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=sig_d>
> <
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=time_a>Timestamp>
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=time_d>
> <
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=sip_a>Source Address>
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=sip_d>
> <
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=dip_a>Dest. Address>
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=dip_d>
> <
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=proto_a>Layer 4 Proto>
> <http://127.0.0.1/base//base_qry_main.php?caller=&num_result_rows=12024¤t_view=0&sort_order=proto_d>
>
> #0-(1-1)
> <http://127.0.0.1/base//base_qry_alert.php?submit=%230-%281-1%29&sort_order=>
> 1 2006-07-31 10:41:33 0.0.0.0
> <http://127.0.0.1/base//base_stat_ipaddr.php?ip=0.0.0.0&netmask=32>
> 10.0.0.9
> <http://127.0.0.1/base//base_stat_ipaddr.php?ip=10.0.0.9&netmask32> IP
>
>
> what i forgot to do ?
> --
> ________________________________________
> Leonardo Goldim - Auditoria Intranetworks
> gol...@intranetworks.com.br
>
> Intranetworks
> Rua Marquês do Pombal 1710/805
> Porto Alegre - RS - 90540-000
> +55 51 3325-5700
> +55 51 8415-8604
>
>
>
> Meir Michanie wrote:
>> download ossec-ui
>>
>> On 9/17/06, *Meir Michanie* <meirg...@gmail.com
>> <mailto:meirg...@gmail.com>> wrote:
>>
>> try my last build
>>
>> http://www.riunx.com/portal/modules.php?module=tips&mode=article&artid=5
>> <http://www.riunx.com/portal/modules.php?module=tips&mode=article&artid=5>
>>
>>
>>
>> On 9/15/06, *|SaMaN|* <sa...@ttnet.net.tr
>> <mailto:sa...@ttnet.net.tr>> wrote:
>>
>> It is latest snapshot of ossec2mysql and running with
>> resolve. My config is below. So where is the problem?
>>
>>
>>
>> [root@localhost rules]# cat /etc/ossec2base.conf
>>
>> # PARAMS USED BY OSSEC2BASED dbhost=localhost database=snort
>>
>> debug=5
>>
>> dbport=3306
>>
>> dbpasswd=
>>
>> dbuser=root
>>
>> fieldseparator=;
>>
>> daemonize=1
>>
>> sensor=ossec
>>
>> interface=daemon
>>
>> resolve=1
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> *From:* ossec...@googlegroups.com
>> <mailto:ossec...@googlegroups.com> [mailto:
>> ossec...@googlegroups.com
>> <mailto:ossec...@googlegroups.com>] *On Behalf Of *Meir
>> Michanie
>> *Sent:* Friday, September 15, 2006 2:08 PM
>> *To:* ossec...@googlegroups.com
>> <mailto:ossec...@googlegroups.com>
>> *Subject:* [ossec-list] Re: ossec server reporting itself as
>> 0.0.0.0 <http://0.0.0.0> and more
>>
>>
>>
>> use ossec2mysql with resolve (without -n and check your config)
>>
>> On 9/15/06, * sa...@ttnet.net.tr <mailto:sa...@ttnet.net.tr>*
>> < sa...@ttnet.net.tr <mailto:sa...@ttnet.net.tr>> wrote:
>>
>> Installed latest snapshot still 0.0.0.0 <http://0.0.0.0>
>>
>> ** Alert 1158312137.299900: mail
>> 2006 Sep 15 12:22:17 localhost -> (X1)
>> 195.X.X.X->\WINNT/System32/LogFiles/W3SVC2/ex060915.log
>> Rule: 11 (level 8) -> 'Excessive number of connections during
>> this
>> hour.
>> Src IP: (0.0.0.0 <http://0.0.0.0>)
Meir Michanie
hey meir
do you have any suggestion that i can do to correct my problem with
signatures?
after this fixes at ossec-ui, how we have to import the signatures ?
with the ossec2base_sigs.pl or ossec2basetxt.pl ?
in my case i used ossec2basetxt.pl ...
I will remove it from cvs
it doesn't hurts but it is not needed.
Leonardo Goldim
i had installed ossim and this one change somethings at my base, so i
download the base source and install it in another place.
i do these steps for install ossec-ui:
* mysqladmin create base -p
* mysql base -p < snort_tables.sql
* mysql base -p < ossec2base.sql
* mysql base -p < trunc_ossecbase.sql
* configure my new base to access the base db
* cat /opt/ossec/rules/*.xml |ossec2basetxt.pl -e -o
/var/www/html/ossecbase/signatures/
* cat /opt/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log
|ossec2mysql.pl --interface manualfeed
after this i access the url http://127.0.0.1/ossecbase/ but the problem
with signatures continue, look:
ID <
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=sig_a> Signature >
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=sig_d>
<
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=time_a> Timestamp >
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=time_d>
<
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=sip_a> Source Address >
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=sip_d>
<
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=dip_a> Dest. Address >
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=dip_d>
<
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=proto_a> Layer 4 Proto >
<http://127.0.0.1/ossecbase/base_qry_main.php?caller=&num_result_rows=27807¤t_view=0&sort_order=proto_d>
#0-(1-1)
<http://127.0.0.1/ossecbase/base_qry_alert.php?submit=%230-%281-1%29&sort_order=>
1 2006-07-31 10:41:33 0.0.0.0
<http://127.0.0.1/ossecbase/base_stat_ipaddr.php?ip=0.0.0.0&netmask=32> 10.0.0.9
<http://127.0.0.1/ossecbase/base_stat_ipaddr.php?ip=10.0.0.9&netmask32> IP
i don't know what i can do anymore ... do you have any suggestion?
but the good side is that the "problem" with dest. address and source
address appears to be ok.
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
>
>
> On 9/19/06, *Leonardo Goldim* <gol...@intranetworks.com.br
Meir Michanie
Leonardo Goldim
my logs are equal to logs you post here in the list before...
---------------- LOG ----------------------------
** Alert 1158838515.0:
2006 Sep 21 08:35:15 smart09->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su: pam_unix(su:session): session opened for user root by (uid=501)
2006 Sep 21 10:15:31 smart09->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su: pam_unix(su:session): session opened for user root by (uid=501)
i was looking at base db and consulting the table signature i saw the signatures are registered there, but the base interface don't show this information ...
here are a little bit of table:
-------------- TABLE ------------------
+--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+
| sig_id | sig_name | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
+--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+
| 1 | 'Unknown problem somewhere in the system.' | 1 | 7 | 0 | 102 | NULL |
| 2 | 'SSHD authentication failed.' | 1 | 5 | 0 | 1516 | NULL |
| 3 | 'Attempt to access an non-existent file.' | 1 | 5 | 0 | 3012 | NULL |
| 4 | 'Web server 400 error code.' | 1 | 5 | 0 | 3101 | NULL |
| 5 | 'Integrity checksum of file '/etc/httpd/conf/httpd.conf' has changed.' | 1 | 8 | 0 | 13 | NULL |
| 6 | 'Multiple attempts to access non-existent files (web scan) from same source.' | 1 | 10 | 0 | 3014 | NULL |
| 7 | 'User authentication failure.' | 1 | 5 | 0 | 401 | NULL |
| 8 | 'User sucessfully changed UID to root' | 1 | 3 | 0 | 1103 | NULL |
| 9 | 'Integrity checksum of file '/etc/alsa/pcm/dsnoop.conf' has changed.' | 1 | 8 | 0 | 13 | NULL |
| 10 | 'Integrity checksum of file '/etc/alsa/pcm/dmix.conf' has changed.' | 1 | 8 | 0 | 13 | NULL |
+--------+-------------------------------------------------------------------------------+--------------+--------------+---------+---------+---------+
-------------- TABLE ------------------
here are the base interface:
| 1 | 2006-07-31 10:41:33 | 0.0.0.0 |
| 10.0.0.9 | IP |
its possible the ossim has broken something more? which version of base you are using?
Meir Michanie
Built on ACID by Roman Danyliw )
I truncated my db as you did and it works ok
|
|
|
Leonardo Goldim
could you send me the result of this query (SELECT * from acid_event
limit 10;) in your db for i compare with my db ?
i think the problem is in this table, the base get the fields sid
and cid, but my db is like this:
mysql> SELECT * from acid_event limit 10;
+-----+-----+-----------+--------------------------------------------+--------------+--------------+---------------------+-----------+-----------+----------+--------------+--------------+
| sid | cid | signature | sig_name |
sig_class_id | sig_priority | timestamp | ip_src |
ip_dst | ip_proto | layer4_sport | layer4_dport |
+-----+-----+-----------+--------------------------------------------+--------------+--------------+---------------------+-----------+-----------+----------+--------------+--------------+
| 1 | 1 | 1 | 'Unknown problem somewhere in the system.'
| 1 | 7 | 2006-07-31 10:41:33 | 0 |
167772169 | NULL | NULL | NULL |
| 1 | 2 | 2 | 'SSHD authentication failed.'
| 1 | 5 | 2006-07-31 10:41:55 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 3 | 2 | 'SSHD authentication failed.'
| 1 | 5 | 2006-07-31 10:41:59 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 4 | 3 | 'Attempt to access an non-existent file.'
| 1 | 5 | 2006-07-31 10:59:08 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 5 | 4 | 'Web server 400 error code.'
| 1 | 5 | 2006-07-31 10:59:08 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 6 | 4 | 'Web server 400 error code.'
| 1 | 5 | 2006-07-31 10:59:08 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 7 | 3 | 'Attempt to access an non-existent file.'
| 1 | 5 | 2006-07-31 10:59:08 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 8 | 3 | 'Attempt to access an non-existent file.'
| 1 | 5 | 2006-07-31 11:02:14 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 9 | 3 | 'Attempt to access an non-existent file.'
| 1 | 5 | 2006-07-31 11:02:14 | 167772168 |
167772169 | NULL | NULL | NULL |
| 1 | 10 | 3 | 'Attempt to access an non-existent file.'
| 1 | 5 | 2006-07-31 11:03:03 | 167772169 |
167772169 | NULL | NULL | NULL |
+-----+-----+-----------+--------------------------------------------+--------------+--------------+---------------------+-----------+-----------+----------+--------------+--------------+
how are you table ?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquęs do Pombal 1710/805
Meir Michanie
mysql> SELECT * FROM `acid_event` WHERE 1 \G
*************************** 1. row ***************************
sid: 1
cid: 1
signature: 1
sig_name: 'Attempt to login using a non-existent user'
sig_class_id: 1
sig_priority: 5
timestamp: 2006-09-21 23:08:03
ip_src: 2130706433
ip_dst: 3232236033
ip_proto: NULL
layer4_sport: NULL
layer4_dport: NULL
*************************** 2. row ***************************
sid: 1
cid: 2
signature: 1
sig_name: 'Attempt to login using a non-existent user'
sig_class_id: 1
sig_priority: 5
timestamp: 2006-09-21 23:08:03
ip_src: 2130706433
ip_dst: 3232236033
ip_proto: NULL
layer4_sport: NULL
layer4_dport: NULL
*************************** 3. row ***************************
sid: 1
cid: 3
signature: 1
sig_name: 'Attempt to login using a non-existent user'
sig_class_id: 1
sig_priority: 5
timestamp: 2006-09-21 23:08:07
ip_src: 2130706433
ip_dst: 3232236033
ip_proto: NULL
layer4_sport: NULL
layer4_dport: NULL
3 rows in set (0.00 sec)
Leonardo Goldim
i did more test with base x ossec-ui without success ... could send me a
db that you use for test for i compare with my db and make more test ?
i think the problem is with my db but i don't know where ... if it help,
i could send you a dump of my db ...
could you help me ?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Leonardo Goldim
guys, in my older tests i was using the *.sql (ossec2base.sql,
snort_tables.sql and trunc_ossecbase.sql) that come with the ossec-ui ...
now i dropped my db and created again, but i used the files create_mysql
(that came with snort), trunc_ossecbase.sql (came with ossec-ui) and
create_base_tbls_mysql.sql (came with base) and my base works fine ...
i think better review the *.sql files that came with ossec-ui ...
thanks for your patience ...
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
gol...@intranetworks.com.br
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie
Smirnov, Pavel
Sorry if I'm asking something that is really FAQ - just couldnt find an
obvious answer.
Question is - I need to preserve on the "server" _all_ events logged
from a Windows client tailing on a plain text file.
These text files can be a variety of SunOne standard and application
specific logs... i.e. I want multiple boxes to forward _all_ logs to my
central ossec server.
I included following configuration to the Windows client, ossec server
already logs messages from this host when they come from event logs. It
doesn't at the moment log anything that I would append to the
D:\Test.log...
<localfile>
<location>D:\Test.log</location>
<log_format>syslog</log_format>
</localfile>
Maybe I am just trying to misuse ossec ?
Kind regards,
Pavel Smirnov.
Daniel Cid
Ossec by default only logs events that match at least one of our rules. To save
these application specific messages you would need to write a few rules for
them OR configure ossec to log everything (which isn't very practical and fast).
If you can give us a few samples of your logs we can help you with that. If you
want to log everything, you need to enable the "log_all" directive and
everything
will be stored at /var/ossec/logs/events/events.log (instead of
alerts/alerts.log).
*again, enabling "log_all" can be very bad for your ossec performance :)
Hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net