
[ossec-list] Re: The part of ossec were aborted



Hi Daniel,

There is a new problem.

OSSEC added a search engine to host-deny:

ALL:72.30.252.87

----------------------
** Alert 1149619966.828631: mail
2006 Jun 06 21:52:46 /var/log/snort/alert
Rule: 4001 (level 6) -> 'IDS event.'
Src IP: 72.30.252.87
User: (none)
[**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 72.30.252.87:58410 -> 62.149.0.156:80


> -----Original Message-----
> From: Daniel Cid [mailto:daniel.cid@xxxxxxxxx]
> Sent: Tuesday, June 06, 2006 8:44 PM
> To: Oleksander Panchuk
> Cc: Peter Ahlert; ossec-list@xxxxxxxxx
> Subject: Re: [Ossec-list] The part of ossec were aborted
> 
> Hi Oleksander,
> 
> Which files were with the executable flags? The update only changes what
> is necessary for the new version, so some old files or directories will
> still be there.
> The /var/ossec/queue/agent-info directory is only used by the server when there
> are agents.
> These 0-size files are your current day's alerts. After the end of the
> day, if they are still 0 size, they will be deleted.
> 
> If you are using the server/agent model, you need to add the agents
> on the server. If you had done that before the update, you don't
> need to do it again...
> 
> Hope it helps
> 
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
> 
> On 6/6/06, Oleksander Panchuk <oleksander.panchuk@xxxxxxxxxxx> wrote:
> > Hi Daniel,
> >
> > I did the upgrade, but every file ended up with the executable flag set.
> > I had to clear it by hand :).
> >
> > I still have one question.
> > One directory was left empty:
> > /var/ossec/queue/agent-info
> >
> > Some files were left unchanged from the first install:
> > /var/ossec/queue/fts/fts-queue
> > drwx------ 2 ossec ossec 4096 Jun  6 19:11 .
> > dr-xr-x--- 8 root  ossec 4096 May 17 16:40 ..
> > -rw-r----- 1 ossec ossec  472 May 17 18:06 fts-queue
> > -rw-r----- 1 ossec ossec    0 Jun  6 19:11 ig-queue
> >
> > /var/ossec/queue/rootcheck/rootcheck
> >
> > Some files are zero size:
> >
> > /var/ossec/logs/firewall/2006/Jun/ossec-firewall-06.log
> > /var/ossec/logs/archives/2006/Jun/ossec-archive-06.log
> >
> > And if the target system is both server and agent, I have to add the agent with
> > manage_agents. I didn't do so. Is that right?
> >
> > Best regards,
> > Oleksander.
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Daniel Cid [mailto:daniel.cid@xxxxxxxxx]
> > > Sent: Tuesday, June 06, 2006 5:49 AM
> > > To: Peter Ahlert; Oleksander Panchuk
> > > Cc: ossec-list@xxxxxxxxx
> > > Subject: Re: [Ossec-list] The part of ossec were aborted
> > >
> > > Hi Peter and Oleksander,
> > >
> > > I just uploaded version 0.8-2 of ossec to the server. It has an "upgrade"
> > > option during the install that should make the updating very fast and easy.
> > > If you still see the problem, or if you want to run in debug mode, just
> > > execute the install script as:
> > >
> > > ./install debug
> > >
> > > It will set up debug mode. Note that by doing that ossec will generate
> > > a lot of messages in /var/ossec/logs/ossec.log (and it should only
> > > be used for debugging problems). Can you try that?
> > >
> > > Download
> > > http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
> > >
> > >
> > > Thanks for the report and the cooperation.
> > >
> > > --
> > > Daniel B. Cid
> > > dcid @ ( at ) ossec.net
> > >
> > >
> > > On 6/1/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > > > Thanks for the information Peter. Can you send the part of your logs just
> > > > before logcollector died (the messages complaining about the socket error)?
> > > > Without it I have no way of knowing what is going on... The next version will
> > > > have some better debug options to find these problems easily.
> > > >
> > > > Thanks!
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid @ ( at ) ossec.net
> > > >
> > > > On 6/1/06, Peter Ahlert <peter@xxxxxxx> wrote:
> > > > > Hi,
> > > > >
> > > > > I would like to add just a quick "me too" ;) The log looks like the
> > > > > one from Oleksander - no sign of analysisd dying. Only the files analyzed are
> > > > > different:
> > > > >
> > > > >
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/auth.log'.
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/error.log'.
> > > > > 2006/06/01 01:49:34 ossec-logcollector(1950): Analyzing file: '/var/log/apache2/access.log'.
> > > > >
> > > > > Greetings Peter
> > > > >
> > > > >
> > > > >
> > > > > On Wed, 31 May 2006 10:17:52 +0300
> > > > > "Oleksander Panchuk" <oleksander.panchuk@xxxxxxxxxxx> wrote:
> > > > >
> > > > > > Hi Daniel,
> > > > > > I use version 0.8 of ossec.
> > > > > > Everything started, please see below.
> > > > > >
> > > > > > 2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'rules_config.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'named_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'web_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Total rules enabled: '246'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mtab'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/random-seed'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/adjtime'
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> > > > > > 2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: 3 IPs in the white list for active response.
> > > > > > 2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
> > > > > > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
> > > > > > 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
> > > > > > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/ar' (active-response queue
> > > > > > 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
> > > > > > 2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
> > > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
> > > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
> > > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> > > > > > 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/snort/alert'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/error_log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/httpd/access_log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/audit_log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/ssl_request_
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/etc/httpd/logs/suexec.log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
> > > > > > 2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
> > > > > > 2006/05/30 10:00:02 ossec-syscheckd: socketerr
> > > > > > 2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
> > > > > > 2006/05/30 10:00:03 ossec-logcollector: socketerr
> > > > > > 2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
> > > > > > 2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > > > > 2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > > > > > 2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > > > > 2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
> > > > > >
> > > > > _______________________________________________
> > > > > ossec-list mailing list
> > > > > ossec-list@xxxxxxxxx
> > > > > http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
> > > > >
> > > >
> >
> >
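The block at the top of this message (a level-6 "IDS event" alert for a Snort robots.txt signature that made host-deny write a search-engine crawler into /etc/hosts.deny) is worth being able to reproduce from the alert record itself. The following is an added example, not code from the thread or from OSSEC: it parses an alerts.log record of the layout shown above, splits the embedded Snort line into fields, and models the host-deny decision. The model is an assumption, not OSSEC's logic: it fires at alert level 6 (the level the shipped active-response configuration uses) unless the source address falls in a white_list entry given as an address or CIDR prefix. The Snort classification text, cut off in the mail, is completed to Snort's standard wording on the same assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed sample input: the alert record quoted in the mail above, re-joined
# into the one-record layout OSSEC writes to /var/ossec/logs/alerts/alerts.log.
SAMPLE_ALERT = (
    "** Alert 1149619966.828631: mail\n"
    "2006 Jun 06 21:52:46 /var/log/snort/alert\n"
    "Rule: 4001 (level 6) -> 'IDS event.'\n"
    "Src IP: 72.30.252.87\n"
    "User: (none)\n"
    "[**] [1:1852:3] WEB-MISC robots.txt access [**] "
    "[Classification: access to a potentially vulnerable web application] "
    "[Priority: 2] {TCP} 72.30.252.87:58410 -> 62.149.0.156:80\n"
)

HEADER_RE = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+):(?P<flags>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SNORT_RE = re.compile(
    r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    alert_id: str
    flags: List[str]        # e.g. ["mail"]: the alert was also handed to ossec-maild
    timestamp: str
    location: str           # the log file the event was read from
    rule_id: int
    level: int
    description: str
    srcip: Optional[str]
    user: Optional[str]
    log: str                # the original event line, here a Snort fast-format alert


def parse_alert(record: str) -> Alert:
    """Parse one alerts.log record: header, time/location, rule, optional Src IP / User, raw log."""
    lines = [ln for ln in record.splitlines() if ln.strip()]
    head = HEADER_RE.match(lines[0])
    rule = RULE_RE.match(lines[2])
    if head is None or rule is None:
        raise ValueError("not an OSSEC alert record")
    timestamp, _, location = lines[1].rpartition(" ")
    srcip = user = None
    log_lines: List[str] = []
    for ln in lines[3:]:
        if ln.startswith("Src IP: "):
            srcip = ln[len("Src IP: "):]
        elif ln.startswith("User: "):
            value = ln[len("User: "):]
            user = None if value == "(none)" else value
        else:
            log_lines.append(ln)
    return Alert(
        alert_id=head["alert_id"], flags=head["flags"].split(), timestamp=timestamp,
        location=location, rule_id=int(rule["rule_id"]), level=int(rule["level"]),
        description=rule["desc"], srcip=srcip, user=user, log="\n".join(log_lines),
    )


def parse_snort(line: str) -> Dict[str, object]:
    """Split a Snort fast-format alert into its fields (numeric where the field is numeric)."""
    m = SNORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Snort alert line")
    out: Dict[str, object] = dict(m.groupdict())
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        out[key] = int(out[key])
    return out


def would_block(alert: Alert, white_list: Sequence[str] = (), threshold: int = 6) -> bool:
    """Model of the host-deny trigger (an assumption about the shipped config, not OSSEC's code):
    the source IP is written to /etc/hosts.deny once the alert level reaches the threshold,
    unless a white_list entry (an address or CIDR prefix here) covers it."""
    if alert.srcip is None or alert.level < threshold:
        return False
    ip = ipaddress.ip_address(alert.srcip)
    return not any(ip in ipaddress.ip_network(entry, strict=False) for entry in white_list)


def hosts_deny_line(alert: Alert) -> str:
    """The line host-deny appends, in the ALL:<ip> form shown in the mail."""
    return "ALL:%s" % alert.srcip


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    s = parse_snort(a.log)
    print(s["msg"], "from", a.srcip, "-> blocked:", would_block(a), hosts_deny_line(a))
    print("with the crawler whitelisted:", would_block(a, white_list=[a.srcip]))
```

Run against the record above, the model reproduces the ALL:72.30.252.87 entry; putting the crawler's address (or its prefix) into the white list is what stops it, which is the practical fix for a crawler tripping a low-value web signature.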

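Oleksander's upgrade left every file under /var/ossec with the execute bit set and he cleared them by hand. An audit that finds such files, and the bulk fix, is a small script; the following is an added example, not part of the thread or of the OSSEC install script. It assumes (not confirmed by the thread) that bin/ and active-response/bin/ are the only directories that legitimately hold executables, builds a constructed stand-in tree in a temporary directory, and reports and then strips the stray bits.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Tuple

# Directories under the OSSEC root that legitimately hold executables
# (assumption: in a 0.8 install these two are the only ones).
EXEC_DIRS = ("bin", "active-response/bin")


def unexpected_executables(root: str, exec_dirs: Iterable[str] = EXEC_DIRS) -> List[str]:
    """Return root-relative paths of regular files carrying any execute bit outside exec_dirs."""
    allowed = tuple(os.path.normpath(d) + os.sep for d in exec_dirs)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip the queue sockets, symlinks, fifos
            if rel.startswith(allowed):
                continue                      # executables are expected here
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                found.append(rel)
    return sorted(found)


def strip_exec_bits(root: str, rel_paths: Iterable[str], dry_run: bool = False) -> List[str]:
    """Clear the x bits on the given files (what the poster did by hand); returns what changed."""
    changed = []
    for rel in rel_paths:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        new_mode = mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        if new_mode != mode:
            if not dry_run:
                os.chmod(full, new_mode)
            changed.append(rel)
    return changed


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for /var/ossec after the bad upgrade: config and rules files
    ended up 0755, while the daemons and the active-response script keep their x bit."""
    files = {
        "etc/ossec.conf": 0o755,                   # wrong: a config file
        "rules/sshd_rules.xml": 0o755,             # wrong: a rules file
        "logs/ossec.log": 0o640,                   # fine
        "bin/ossec-analysisd": 0o750,              # legitimately executable
        "active-response/bin/host-deny.sh": 0o750  # legitimately executable
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)


def audit_and_fix_sample() -> Tuple[List[str], List[str]]:
    """Build the constructed tree, audit it, strip the bits, audit again: (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = unexpected_executables(root)
        strip_exec_bits(root, before)
        return before, unexpected_executables(root)


if __name__ == "__main__":
    before, after = audit_and_fix_sample()
    print("unexpected executables:", before)
    print("after stripping x bits:", after)
```

On a real install the same two functions run with root="/var/ossec"; run strip_exec_bits with dry_run=True first and review the list, since anything outside the two allowed directories that really needs to stay executable would be caught by this audit as well.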

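Daniel asked for the ossec.log lines just before logcollector died, and Oleksander's log shows the sequence: the daemon starts, later logs "socketerr" and message 1224 ("Error sending message to queue"), then 1210 and 1211 ("Giving up") naming /var/ossec/queue/ossec/queue, the Unix socket analysisd reads from. The following added example (not code from the thread or from OSSEC) pulls exactly that context out of an ossec.log excerpt: for each daemon that gave up it reports the pid, the queue path it named, how long it had been running, and the error messages leading up to it. queue_status() is the check a practitioner would run next on the socket path; it only stats the path, so it is safe offline. The sample log is a subset of the lines quoted above, kept verbatim.

```python
import os
import re
import stat
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a subset of the ossec.log lines quoted in the thread, verbatim,
# including the doubled queue path in the last line exactly as it was posted.
SAMPLE_LOG = """\
2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq' (exec queue)
2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
2006/05/30 10:00:02 ossec-syscheckd: socketerr
2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
2006/05/30 10:00:03 ossec-logcollector: socketerr
2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to queue.
2006/05/30 10:00:05 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2006/05/30 10:00:06 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<daemon>ossec-[a-z]+)"
    r"(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
STARTED_RE = re.compile(r"^Started \(pid: (?P<pid>\d+)\)\.$")
QUEUE_RE = re.compile(r"queue: '(?P<path>[^']+)'\. Giving up")


class Entry(NamedTuple):
    ts: datetime
    daemon: str
    code: Optional[int]   # the numeric message id in parentheses (1224, 1210, ...) when present
    msg: str


def parse_ossec_log(text: str) -> List[Entry]:
    """Parse ossec.log lines of the form 'YYYY/MM/DD HH:MM:SS daemon(code): message'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue          # tolerate wrapped or foreign lines
        entries.append(Entry(
            datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["daemon"],
            int(m["code"]) if m["code"] else None, m["msg"]))
    return entries


def daemons_that_gave_up(entries: List[Entry]) -> Dict[str, dict]:
    """For each daemon that logged message 1211 ('Giving up'), report its pid, the queue path
    it named, how long it ran, and the error messages that led up to it."""
    started: Dict[str, dict] = {}
    errors: Dict[str, List[str]] = {}
    result: Dict[str, dict] = {}
    for e in entries:
        m = STARTED_RE.match(e.msg)
        if m:
            started[e.daemon] = {"pid": int(m["pid"]), "ts": e.ts}
            errors[e.daemon] = []
            continue
        if e.code in (1224, 1210) or e.msg == "socketerr":
            errors.setdefault(e.daemon, []).append(e.msg)
        if e.code == 1211:
            q = QUEUE_RE.search(e.msg)
            start = started.get(e.daemon)
            result[e.daemon] = {
                "pid": start["pid"] if start else None,
                "queue": q["path"] if q else None,
                "seconds_alive": int((e.ts - start["ts"]).total_seconds()) if start else None,
                "errors": errors.get(e.daemon, []),
            }
    return result


def queue_status(path: str) -> str:
    """Check the analysisd queue socket the other daemons write to:
    'missing', 'not-a-socket', 'not-writable' or 'ok'. Only stats the path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    if not os.access(path, os.W_OK):
        return "not-writable"
    return "ok"


if __name__ == "__main__":
    for daemon, info in daemons_that_gave_up(parse_ossec_log(SAMPLE_LOG)).items():
        print(daemon, info)
    print("/var/ossec/queue/ossec/queue:", queue_status("/var/ossec/queue/ossec/queue"))
```

The report makes the shape of the failure visible: both writers ran for about 26 minutes, hit the socket error within a second of each other, and gave up on the same queue, while analysisd (the reader of that socket) never logged anything, which is the "no sign of analysisd dying" that Peter also saw. When the queue shows up as missing or not-a-socket, the next thing to check is whether analysisd is still running as the ossec user.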





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.