ossec / ossec-docs Goto Github PK

Copy and pasters won't get the checksum file on http://ossec-docs.readthedocs.org/en/latest/manual/installation/install-source.html

Change it from a _ to a -.

Reported to me privately by JB who was notified privately by Nicholas Johnson.

I don't think we currently have any, or I can't find it. I think it'd be nice to have.

Reminder that the post-2.9 release notes will eventually need to mention MS Windows versions OLDER than XP will probably not be able to run the OSSEC agent:

Support dropped for older MS Windows versions. OSSEC MS Windows agents now use the ws2_32 library for IPv6 support. This library is not available on Windows versions older than XP (WINVER < 0x0501) such as Windows ME and Windows 2000.

Be more insistent that the agent software is useless without the server side. This might be less of an issue if the Windows agent installation manual wasn't blank, but Windows users don't write documentation.

From JB, based on emails he gets from random "professionals."

Following the docs, with the newest version of ossec running, i'm triying to create a custom rule with this expresion

(.*\.){7,}

I'm following the pcre2 syntax, but no matchings when i run my tests (i have used diferent online regexp engines and verify that the regexp it's correct and may verify my tests)

To test it i use the binary ossec-regex and get:

~# /var/ossec/bin/ossec-regex '(.*\.){7,}'
mi.de.que.me.dice.sel.que.de.es.gob.mu

It give me no results, nothing happens.

I have tested that the binnary works

~# /var/ossec/bin/ossec-regex '^a'
antonio
+OSRegex_Execute: antonio
+OS_Regex       : antonio
+OSMatch_Compile: antonio
+OS_Match2      : antonio

What i'm doing wrong, any help will be useful.

Thanks in advance.

Discovered this issue while trying to sort out my issue with nfs monitoring by OSSEC.

Posted in mailing list and got response to post issue here.

https://groups.google.com/forum/#!topic/ossec-list/ieZD7Plv3gI

per the quote from ddpbsd -- "Actually it looks like 2.8.1 was released Sept 9, 2014, and this was added Feb 13, 2015. So it's not available in 2.8.1. Please create an issue at the ossec docs github, and I'll try to mark it as such soon."

https://www.ossec.net/docs/docs/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage

The USB example

Command is used in this file

https://www.ossec.net/docs/docs/syntax/head_ossec_config.localfile.html?highlight=localfile#element-localfile

But I'm told here that it's not allowed

There are notes about a few, but they all deserve a few bits. Maybe in docs/manual/ar/scripts or something.

There doesn't seem to be a section for 2.8 yet in the docs for "whats new":

http://ossec-docs.readthedocs.org/en/latest/whatsnew/index.html

I would fix these right now, but I'm having network issues. Feel free to fix or these, or they can wait till I get to them this weekend.
http://ossec-docs.readthedocs.org/en/latest/manual/output/json-alert-log-output.html should mention that it's new for 2.9.
That page also has a typo, a syslog_output should be jsonout_output.

Reported by Bjorn Stange (bjorn248 gmail) on the user list.

The disabled switch works everywhere, but does different things depending on where you are. I'll adjust it soon.

Basically, this pull request allows you to do this:

 <directories check_all="yes" check_perms="no">/etc</directories>

Which will enable all checks except for the permissions checking. The previous behavior would have left the permissions checking enabled.

Reported by @awiddersheim here: ossec/ossec-hids#228

While trying to build the Widows agent I noticed the following minor errors in the instructions. The URL is: http://ossec-docs.readthedocs.org/en/latest/manual/installation/compile-ossec-on-windows.html.

1. In steps 3, 4 and 5 the slash is missing from src\win32.
2. In steps 5 and 6 there is a similar typo in that the slash is missing from src\win-pkg

Very minor but I thought it might be worth mentioning.

Some instructions for fixing SELinux problems if logrotate is used. Not sure where exactly this needs to go.

ossec-hids-selinux.txt

I was studying up on how to use agent profiles when I came across a significant typo on:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.client.html

The second instance of “server-ip” on the page appears to be a copy/paste mistake. It should read “config-profile”.

Not sure if this is the right place to submit things like this. Please let me know the best way to go about submitting documentation fixes like this. Thanks!

Something something which files to copy, general steps to follow, something something.

With the merge of ossec/ossec-hids#270 it is probably best for someone to run through the documentation and make sure things match up before the next release.

http://ossec-docs.readthedocs.org/en/latest/programs/index.html

Hi,

Sorry per advance but I'm not a developper, I'm not familiar with github, and I'm not not an expert in english, but I'm full of goodwill.

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

...

 <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

...

  <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

There's an issue with the rule 5710.
It fire when there is a login attempt using a non-existent user. That's normal. It's the designed behavior.
But it also fire on an "SSH authentication failure". That's not a desirable behavior because it prevent the rule 5716 "SSHD authentication failed." to fire and then the rule 5720 "Multiple SSHD authentication failures" to fire, so that an offender will never be blocked if he make multiple SSH authentication failure from a non existent user.

Example in my auth.log :

Sep 20 03:42:51 server sshd[4760]: Invalid user iop from 213.202.228.66
Sep 20 03:42:51 server sshd[4760]: input_userauth_request: invalid user ghost [preauth]
Sep 20 03:42:52 server sshd[4760]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 03:42:52 server sshd[4760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.202.228.66
Sep 20 03:42:54 server sshd[4760]: Failed password for invalid user ghost from 213.202.228.66 port 45313 ssh2

The key word "invalide user" is not enought restrictive in the rule 5710

Regarding my auth.log, I suggest to replace :
<match>illegal user|invalid user</match>
by :
<match>illegal user|^Invalid user</match>
or <match>illegal user|: invalid user</match>

This would make the rule 5710 to fire only on the first or second line (i.e only on a login attempt).

Thank you and sorry if you don't understand what I mean but it's very difficult for me to explain a such thing in english.

Regards.

Before you install any package from our project, we recommend that you verify it using our PGP key. Follow these two steps if you are not used to using gpg. You first need to import our public key:

ossec-test# wget http://ossec.github.io/files/OSSEC-PGP-KEY.asc
ossec-test# gpg –import OSSEC-PGP-KEY.asc

Should change the URL for wget to HTTPS to prevent MiTM of the PGP key potentially.

http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-weekday
Valid day format is weekends not weekend.

...

http://ossec.github.io/downloads.html is out of date WRT PGP.

It looks like the documentation pages under the options section, information is not being generated/shown.
Unless I'm missing something obvious the header is there but no subcontent for multiple pages.
https://www.ossec.net/docs/docs/syntax/head_ossec_config.localfile.html

Pic for a momentum in time of one of the pages

A recurring theme in issues opened in ossec/ossec-hids is users attempting to relay their alerts through Gmail without conforming to Google's requirements. A generic warning somewhere beneath https://ossec.github.io/docs/manual/output/email-output.html or one of the pages it links to about these restrictions could help stymie these recurring issues.

As another example, Exchange Online has specific encryption and authentication requirements depending on the source and destination domains: https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4

On:
http://ossec.github.io/docs/manual/installation/install-source.html

The indicated checksum:
https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz.sha256

Does not appear to exist:

The requested path was not found.

At ossec-docs/docs/manual/output/json-alert-log-output.rst

etc/ossec.conf is correct

The old docs at readthedocs actually have all the sections and drill downs filled in.

I keep running into missing docs that used to exist here on the new site

Compare the Syslog Output Docs
Old Site - Has all the details
New Site - Might as well not exist

What happened to the docs? I relied on them pretty heavily, but now the officially linked docs aren't there anymore.

Its somewhat confusing to find features only available in OSSEC 2.9 described in the documentation for OSSEC 2.8.1.

The OSSEC rules syntax page doesn't list the extra_data option, as you can see here: https://github.com/ossec/ossec-docs/blob/master/docs/syntax/rules.trst and here: http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

This option does exist, it is used in the provided rules: https://github.com/ossec/ossec-hids/blob/master/etc/rules/ms-se_rules.xml#L22

I know Web UI is not developed anymore, but I'm doing some work on it for our internal use. Latest events section links each rule to an old docs search page. It no longer works. Is that information still available anywhere else? Here's an example where they link:
http://ossec-docs.readthedocs.io/en/latest/search.html?q=rule-id-2502

I want to clean it up, so I'm trying to figure out if I should point it somewhere else or just remove link.

Thanks.

It doesn't appear to be in 2.8. Prompted by an issue asking about 2.8.x not having it.

The space shouldn't be necessary.

Which files need to be backed up? That type of thing.

syslog is for devices, secure is for agents.

Hi all,

Seems that there is a typo in docs where tag shows that weekday and weekend are possible values. They should be replaced in the documentation by weekdays and weekends.

PS. Already reported partially on #163

ossec/ossec-hids#2 added support for json and zeromq. This needs to be documented.

The posgresql_log decoder expects the log_line_prefix string in postgresql.conf to be:

log_line_prefix = '[%t] %h '

This is not necessarily going to be the case with out of the box postgresql installs. For example, postgresql 9.3 on ubuntu server 14.04 has:

log_line_prefix = '%t '

There is no right or wrong prefix to use, but it would be useful to indicate in the ossec documentation the prefix string which is required for ossec decoder to process.

Example: https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view#

Just a reminder to add links to those in the documentation. People can choose whichever hash they want to go with, or check multiple, or check multiple from multiple sources, or whatever suits their level of paranoia. :-)

Reminder that the post-2.9 release notes will need to mention several database fields have changed to accomodate IPv6 addresses and an existing database will need to be updated.

IP addresses are now stored in the database as character strings instead of integers. To convert an existing database, run the convert-db-ipv6.sql script (found in src/os_dbd).