[Ossec-list] ossec-hids-0.7p1 questions
- Subject: [Ossec-list] ossec-hids-0.7p1 questions
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Thu, 6 Apr 2006 11:50:32 -0300
Hi Kayvan,
I'm happy that OSSEC is being useful, and thanks for the report.
I love to see the results of it. Now for the answers:
-Yes, the e-mail should be coming from ossecm. I don't know
why it is ossect in there :) I probably never noticed because I
never had a problem with it. I will fix it for the next version.
-These events are being matched by the "Unknown events/Bad words"
rule (because we don't have a specific rule for them).
An easy way to shut it up would be to ignore them. Just add the
following lines at the end of your rules/syslog_rules.xml (and restart
ossec):
<group name="syslog,ignored">
  <rule id="12345" level="0">
    <regex>^named[\d+]: client \S+ update \S+ denied|</regex>
    <regex>^xinetd[\d+]: libwrap refused connection</regex>
    <description>ignored events</description>
  </rule>
</group>
Another way to avoid receiving these messages by e-mail is to increase the
mail alert level from 7 to 8 (just edit ossec.conf and increase the alerts ->
mail alerting option from 7 to 8).
*I will add them to the default rules of the next version (in their right
place).
>What do the levels signify? Is level 7 worse or better than level 1?
Levels in the ossec context mean "severity" :) Level is probably not a good
word anyway... The level "0" means ignored. Level 15 means a highly serious
event. These events were being matched at level "7" because
they match a rule that looks for "bad" words in the logs. It includes bad,
failed, refused, etc...
These are the default strings we look for in the "bad word" rule.
(We only use them as a last resort when looking at the logs --
if nothing else matches):
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad|illegal|denied|refused|unauthorized|fatal|Segmentation Fault|Corrupted</var>
The following link explains the "levels" a little bit:
http://www.ossec.net/src/ossec-hids-0.7/doc/rules.txt
In addition to that the levels are useful for alerting and active response. You
can only alert on levels >= 7 or >=10...
Hope it helps...
--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net
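The ignore rule and the BAD_WORDS list above, run over the two log lines from the quoted question, as an added illustration (constructed here, not OSSEC's own code). It is a simplified model of OSSEC's evaluation: the level-0 ignore rule is checked before rule 102, OSSEC's literal `[`/`]` are escaped for Python's re, and `BAD_WORDS` is treated as a case-sensitive substring match.

```python
import re

# Patterns copied from the message above. OSSEC appends the two <regex>
# elements of the rule, which is why the first one ends with "|".
BAD_WORDS = ("core_dumped|failure|error|attack|bad|illegal|denied|refused|"
             "unauthorized|fatal|Segmentation Fault|Corrupted")
IGNORE_REGEX = (r"^named[\d+]: client \S+ update \S+ denied|"
                r"^xinetd[\d+]: libwrap refused connection")


def ossec_regex_to_python(pattern):
    """OSSEC's regex treats [ and ] as literal characters, while \\d, \\S,
    +, | and ^ mean the same as in Python; escaping the brackets is enough
    for the subset used in this rule."""
    return pattern.replace("[", r"\[").replace("]", r"\]")


# Simplified rule table: the ignore rule comes first so that a level-0
# match wins over the generic "Unknown events/Bad words" rule 102.
RULES = [
    {"id": 12345, "level": 0, "regex": ossec_regex_to_python(IGNORE_REGEX)},
    {"id": 102, "level": 7, "match": BAD_WORDS.split("|")},
]


def classify(log_line):
    """Return (rule_id, level) of the first rule that fires, else (None, None)."""
    for rule in RULES:
        if "regex" in rule and re.search(rule["regex"], log_line):
            return rule["id"], rule["level"]
        if "match" in rule and any(w in log_line for w in rule["match"]):
            return rule["id"], rule["level"]
    return None, None


def would_email(log_line, email_alert_level=7):
    """Model of the ossec.conf mail alert level: ignored (level 0) events
    never mail; others mail only when their level reaches the threshold."""
    _, level = classify(log_line)
    return level is not None and level > 0 and level >= email_alert_level


# Constructed sample lines; the first two are the ones quoted in the question.
NAMED = "named[3271]: client 69.51.117.46#12601: update 'sylvan.com/IN' denied"
XINETD = "xinetd[9440]: libwrap refused connection to imap (libwrap=imapd) from 216.25.10.69"
SSHD = "sshd[2201]: error: maximum authentication attempts exceeded"
CRON = "cron[4410]: (root) CMD (run-parts /etc/cron.hourly)"
```

Without the ignore rule, `classify(NAMED)` would fall through to rule 102 at level 7 because of the word "denied"; raising the mail threshold to 8 silences the mail but leaves the level-7 alert in alerts.log.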
On 4/6/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> Hi everyone!
>
> I ran into OSSEC and it helped a friend of mine rid his system of a
> hidden root-kit. Bravo!
>
> Now, I have it installed on a couple of different servers.
>
> First, one small problem:
>
> The default configuration generates emails coming from "ossect at YOURHOST".
> However, the installation creates the following users: ossec, ossecm,
> ossece, ossecr. There is no ossect user created.
>
> If your MTA is set up to do sender verification (like exim), it will
> reject all mail generated by OSSEC.
>
> In order to fix this, I had to make the mail come from "ossecm".
>
> Next, my questions:
>
> 1) I am getting lots of emails like this from OSSEC:
>
> Received From: /var/log/messages
> Rule: 102 fired (level 7) -> "Possible problem (unknown) somewhere
> in the system"
> Portion of the log(s):
>
> "named[3271]: client 69.51.117.46#12601: update 'sylvan.com/IN' denied
> "
>
> How am I supposed to fix (or ignore) this?
>
> 2) Another similar notification:
>
> Received From: /var/log/messages
> Rule: 102 fired (level 7) -> "Possible problem (unknown) somewhere
> in the system"
> Portion of the log(s):
>
> "xinetd[9440]: libwrap refused connection to imap (libwrap=imapd) from
> 216.25.10.69
> "
>
> Again, how do I fix this (or shut this up)?
>
> 3) What do the levels signify? Is level 7 worse or better than level 1?
>
> Thanks a lot for OSSEC and for your answers!
>
> ---Kayvan
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>