OSSEC Documentation
The USB example
Command is used in this file
But I'm told here that it's not allowed
Which files need to be backed up? That type of thing.
There are notes about a few, but they all deserve a few bits. Maybe in docs/manual/ar/scripts or something.
I was studying up on how to use agent profiles when I came across a significant typo on:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.client.html
The second instance of “server-ip” on the page appears to be a copy/paste mistake. It should read “config-profile”.
Not sure if this is the right place to submit things like this. Please let me know the best way to go about submitting documentation fixes like this. Thanks!
The space shouldn't be necessary.
syslog is for devices, secure is for agents.
Reminder that the post-2.9 release notes will eventually need to mention MS Windows versions OLDER than XP will probably not be able to run the OSSEC agent:
Support dropped for older MS Windows versions. OSSEC MS Windows agents now use the ws2_32 library for IPv6 support. This library is not available on Windows versions older than XP (WINVER < 0x0501) such as Windows ME and Windows 2000.
Reminder that the post-2.9 release notes will need to mention several database fields have changed to accommodate IPv6 addresses and an existing database will need to be updated.
IP addresses are now stored in the database as character strings instead of integers. To convert an existing database, run the convert-db-ipv6.sql script (found in src/os_dbd).
There doesn't seem to be a section for 2.8 yet in the docs for "whats new":
http://ossec-docs.readthedocs.org/en/latest/whatsnew/index.html
Hi all,
Seems that there is a typo in docs where tag shows that weekday and weekend are possible values. They should be replaced in the documentation by weekdays and weekends.
PS. Already reported partially on #163
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-weekday
Valid day format is weekends not weekend.
I don't think we currently have any, or I can't find it. I think it'd be nice to have.
With the merge of ossec/ossec-hids#270 it is probably best for someone to run through the documentation and make sure things match up before the next release.
http://ossec-docs.readthedocs.org/en/latest/programs/index.html
Basically, this pull request allows you to do this:
<directories check_all="yes" check_perms="no">/etc</directories>
Which will enable all checks except for the permissions checking. The previous behavior would have left the permissions checking enabled.
I know Web UI is not developed anymore, but I'm doing some work on it for our internal use. Latest events section links each rule to an old docs search page. It no longer works. Is that information still available anywhere else? Here's an example where they link:
http://ossec-docs.readthedocs.io/en/latest/search.html?q=rule-id-2502
I want to clean it up, so I'm trying to figure out if I should point it somewhere else or just remove the link.
Thanks.
On:
http://ossec.github.io/docs/manual/installation/install-source.html
The indicated checksum:
https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz.sha256
Does not appear to exist:
The requested path was not found.
Example: https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view#
Just a reminder to add links to those in the documentation. People can choose whichever hash they want to go with, or check multiple, or check multiple from multiple sources, or whatever suits their level of paranoia. :-)
It's somewhat confusing to find features only available in OSSEC 2.9 described in the documentation for OSSEC 2.8.1.
Be more insistent that the agent software is useless without the server side. This might be less of an issue if the Windows agent installation manual wasn't blank, but Windows users don't write documentation.
From JB, based on emails he gets from random "professionals."
Before you install any package from our project, we recommend that you verify it using our PGP key. Follow these two steps if you are not used to using gpg. You first need to import our public key:
ossec-test# wget http://ossec.github.io/files/OSSEC-PGP-KEY.asc
ossec-test# gpg --import OSSEC-PGP-KEY.asc
Should change the URL for wget to HTTPS to prevent MiTM of the PGP key potentially.
Discovered this issue while trying to sort out my issue with nfs monitoring by OSSEC.
Posted in mailing list and got response to post issue here.
https://groups.google.com/forum/#!topic/ossec-list/ieZD7Plv3gI
per the quote from ddpbsd -- "Actually it looks like 2.8.1 was released Sept 9, 2014, and this was added Feb 13, 2015. So it's not available in 2.8.1. Please create an issue at the ossec docs github, and I'll try to mark it as such soon."
Reported by @awiddersheim here: ossec/ossec-hids#228
ossec/ossec-hids#2 added support for json and zeromq. This needs to be documented.
Something something which files to copy, general steps to follow, something something.
The postgresql_log decoder expects the log_line_prefix string in postgresql.conf to be:
log_line_prefix = '[%t] %h '
This is not necessarily going to be the case with out of the box postgresql installs. For example, postgresql 9.3 on ubuntu server 14.04 has:
log_line_prefix = '%t '
There is no right or wrong prefix to use, but it would be useful to indicate in the ossec documentation the prefix string which is required for ossec decoder to process.
It doesn't appear to be in 2.8. Prompted by an issue asking about 2.8.x not having it.
Some instructions for fixing SELinux problems if logrotate is used. Not sure where exactly this needs to go.
While trying to build the Windows agent I noticed the following minor errors in the instructions. The URL is: http://ossec-docs.readthedocs.org/en/latest/manual/installation/compile-ossec-on-windows.html.
Very minor but I thought it might be worth mentioning.
Following the docs, with the newest version of OSSEC running, I'm trying to create a custom rule with this expression
(.*\.){7,}
I'm following the pcre2 syntax, but I get no matches when I run my tests (I have used different online regexp engines to verify that the regexp is correct and to verify my tests).
To test it I use the binary ossec-regex and get:
~# /var/ossec/bin/ossec-regex '(.*\.){7,}'
mi.de.que.me.dice.sel.que.de.es.gob.mu
It gives me no results, nothing happens.
I have tested that the binary works
~# /var/ossec/bin/ossec-regex '^a'
antonio
+OSRegex_Execute: antonio
+OS_Regex : antonio
+OSMatch_Compile: antonio
+OS_Match2 : antonio
What am I doing wrong? Any help will be useful.
Thanks in advance.
...
It looks like the documentation pages under the options section, information is not being generated/shown.
Unless I'm missing something obvious the header is there but no subcontent for multiple pages.
https://www.ossec.net/docs/docs/syntax/head_ossec_config.localfile.html
Hi,
Sorry in advance, but I'm not a developer, I'm not familiar with GitHub, and I'm not an expert in English, but I'm full of goodwill.
<rule id="5710" level="5">
<if_sid>5700</if_sid>
<match>illegal user|invalid user</match>
<description>Attempt to login using a non-existent user</description>
<group>invalid_login,authentication_failed,</group>
</rule>
...
<rule id="5716" level="5">
<if_sid>5700</if_sid>
<match>^Failed|^error: PAM: Authentication</match>
<description>SSHD authentication failed.</description>
<group>authentication_failed,</group>
</rule>
...
<rule id="5720" level="10" frequency="6">
<if_matched_sid>5716</if_matched_sid>
<same_source_ip />
<description>Multiple SSHD authentication failures.</description>
<group>authentication_failures,</group>
</rule>
There's an issue with rule 5710.
It fires when there is a login attempt using a non-existent user. That's normal. It's the designed behavior.
But it also fires on an "SSH authentication failure". That's not a desirable behavior, because it prevents rule 5716 "SSHD authentication failed." from firing, and then rule 5720 "Multiple SSHD authentication failures" from firing, so an offender will never be blocked if he makes multiple SSH authentication failures from a non-existent user.
Example in my auth.log :
Sep 20 03:42:51 server sshd[4760]: Invalid user iop from 213.202.228.66
Sep 20 03:42:51 server sshd[4760]: input_userauth_request: invalid user ghost [preauth]
Sep 20 03:42:52 server sshd[4760]: pam_unix(sshd:auth): check pass; user unknown
Sep 20 03:42:52 server sshd[4760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.202.228.66
Sep 20 03:42:54 server sshd[4760]: Failed password for invalid user ghost from 213.202.228.66 port 45313 ssh2
The keyword "invalid user" is not restrictive enough in rule 5710.
Regarding my auth.log, I suggest replacing:
<match>illegal user|invalid user</match>
with:
<match>illegal user|^Invalid user</match>
or <match>illegal user|: invalid user</match>
This would make rule 5710 fire only on the first or second line (i.e. only on a login attempt).
Thank you, and sorry if you don't understand what I mean, but it's very difficult for me to explain such a thing in English.
Regards.
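To see the shadowing described in this report, here is an added example (not part of the issue or of OSSEC's code) that emulates the `<match>` semantics of rules 5710 and 5716 over a constructed auth.log sample modelled on the excerpt above. It assumes that the syslog header is stripped before `<match>` runs, that matching is case-insensitive, and that a parent hands an event to the first matching sibling in file order; all three are assumptions of this emulation.

```python
import re

# Constructed sample modelled on the auth.log excerpt above (documentation IP range, not real traffic).
AUTH_LOG = [
    "Sep 20 03:42:51 server sshd[4760]: Invalid user iop from 198.51.100.7",
    "Sep 20 03:42:51 server sshd[4760]: input_userauth_request: invalid user ghost [preauth]",
    "Sep 20 03:42:52 server sshd[4760]: pam_unix(sshd:auth): check pass; user unknown",
    "Sep 20 03:42:52 server sshd[4760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7",
    "Sep 20 03:42:54 server sshd[4760]: Failed password for invalid user ghost from 198.51.100.7 port 45313 ssh2",
]

# 'Mon DD hh:mm:ss host program[pid]: ' header, assumed to be removed before <match> is applied.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ [^\s:\[]+(?:\[\d+\])?: ")


def message_body(line):
    """Return the message part of a syslog line, i.e. what the rule patterns are assumed to see."""
    return SYSLOG_HEADER.sub("", line, count=1)


def ossec_match(pattern, text):
    """Emulated <match>: '|' separates alternatives, a leading '^' anchors to the start of the
    message, anything else is a plain substring; case-insensitive (assumption of this emulation)."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def firing_lines(pattern, lines=AUTH_LOG):
    """1-based indexes of the sample lines a <match> pattern fires on."""
    return [i for i, line in enumerate(lines, 1) if ossec_match(pattern, message_body(line))]


def first_firing_rule(rules, lines=AUTH_LOG):
    """Per line, the id of the first sibling rule (all <if_sid>5700) whose <match> fires, or None.
    Emulates the parent handing the event to the first matching child only (assumed file order)."""
    return [next((rid for rid, pat in rules if ossec_match(pat, message_body(line))), None)
            for line in lines]


# Rule 5710 as shipped, and with the reporter's first proposed pattern; 5716 unchanged.
CURRENT = [("5710", "illegal user|invalid user"), ("5716", "^Failed|^error: PAM: Authentication")]
PROPOSED = [("5710", "illegal user|^Invalid user"), ("5716", "^Failed|^error: PAM: Authentication")]

if __name__ == "__main__":
    print("5710 as shipped fires on lines:", firing_lines(CURRENT[0][1]))      # [1, 2, 5]
    print("first rule per line, shipped: ", first_firing_rule(CURRENT))        # 5716 never fires
    print("first rule per line, proposed:", first_firing_rule(PROPOSED))       # line 5 reaches 5716
```

With the shipped pattern the "Failed password" line is consumed by 5710, so 5716 (and therefore the frequency rule 5720 that depends on it) never sees it; with the anchored pattern that line falls through to 5716.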
The old docs at readthedocs actually have all the sections and drill downs filled in.
I keep running into missing docs that used to exist here on the new site
Compare the Syslog Output Docs
Old Site - Has all the details
New Site - Might as well not exist
What happened to the docs? I relied on them pretty heavily, but now the officially linked docs aren't there anymore.
The disabled switch works everywhere, but does different things depending on where you are. I'll adjust it soon.
I would fix these right now, but I'm having network issues. Feel free to fix these, or they can wait till I get to them this weekend.
http://ossec-docs.readthedocs.org/en/latest/manual/output/json-alert-log-output.html should mention that it's new for 2.9.
That page also has a typo, a syslog_output should be jsonout_output.
Reported by Bjorn Stange (bjorn248 gmail) on the user list.
A recurring theme in issues opened in ossec/ossec-hids is users attempting to relay their alerts through Gmail without conforming to Google's requirements. A generic warning somewhere beneath https://ossec.github.io/docs/manual/output/email-output.html or one of the pages it links to about these restrictions could help stymie these recurring issues.
As another example, Exchange Online has specific encryption and authentication requirements depending on the source and destination domains: https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4
The OSSEC rules syntax page doesn't list the extra_data option, as you can see here: https://github.com/ossec/ossec-docs/blob/master/docs/syntax/rules.trst and here: http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
This option does exist, it is used in the provided rules: https://github.com/ossec/ossec-hids/blob/master/etc/rules/ms-se_rules.xml#L22
http://ossec.github.io/downloads.html is out of date WRT PGP.
Copy and pasters won't get the checksum file on http://ossec-docs.readthedocs.org/en/latest/manual/installation/install-source.html
Change it from a _ to a -.
Reported to me privately by JB who was notified privately by Nicholas Johnson.