ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Custom ossec alarm output problems #842

Closed Canon88 closed 8 years ago

Canon88 commented 8 years ago

OSSEC v2.8. I have a question; we need help. Why, after customizing the alarm output, can the port-detection alarm not display the before/after comparison? Example: this is a default ossec alarm output:

** Alert 1462847255.46848: mail  - ossec,
2016 May 09 19:27:35 (192.168.81.141) 192.168.81.141->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 ::1:631                     :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 ::1:25                      :::*                        LISTEN      
tcp        0      0 ::1:631                     :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN   

This is the ossec alarm after customizing the alarm output; you can see the difference from the default ossec alarm output. After you customize the alarm output for netstat alarms, the changed port cannot be displayed.

AV - Alert - "1462844333" --> RID: "533"; RL: "7"; RG: "ossec,"; RC: "Listened ports status (netstat) changed (new port opened or closed)."; USER: "None"; SRCIP: "None"; HOSTNAME: "(Host-192-168-15-16) 192.168.15.16->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"; LOCATION: "(Host-192-168-15-16) 192.168.15.16->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"; EVENT: "[INIT]ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN \ntcp 0 0 ::1:631 :::* LISTEN \ntcp 0 0 :::22 :::* LISTEN [END]";

How do I solve this problem, thank you!

ddpbsd commented 8 years ago

Where are you getting the second output from?

Canon88 commented 8 years ago

I found the problem through tail -f /var/ossec/logs/alerts/alerts.log.

Canon88 commented 8 years ago

And I also found this problem on the web UI.

ddpbsd commented 8 years ago

Strange, I'm unable to find an alert in that format. I'll have to poke around a bit to try and find something.

ddpbsd commented 8 years ago

Oh, re-reading the original post it looks like you changed the alert format. Am I reading that correctly?

Canon88 commented 8 years ago

Yes, I revised the format of the alarm, hence this issue.

ddpbsd commented 8 years ago

Just guessing (since I don't know what strange configuration you've made), here is the output you're after:

EVENT: "[INIT]ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN \ntcp 0 0 ::1:631 :::* LISTEN \ntcp 0 0 :::22 :::* LISTEN [END]";

Canon88 commented 8 years ago

I tried following the URL http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html?highlight=ossec%20custom%20alert%20output to revise the format of the alarm; the problem still occurs:

ddpbsd commented 8 years ago

Maybe I don't understand the problem. There is command output in the second alert you posted. If it's truncated, it probably has to do with the extra information earlier in the alert. There's only so much buffer space available.

Canon88 commented 8 years ago

I tested just setting a custom format; the alarm then contains \n, and the ossec mail alert does not take effect. Example: change ossec.conf (custom format):

<global>
    <email_notification>yes</email_notification>
    <email_to>xxx@yyy.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost.localdomain</email_from>
    <custom_alert_output>
        TIMESTAMP:"$TIMESTAMP"
        FTELL:"$FTELL"
        RULEALERT:"$RULEALERT"
        HOSTNAME:"$HOSTNAME"
        LOCATION:"$LOCATION"
        RULEID:"$RULEID"
        RULELEVEL:"$RULELEVEL"
        RULECOMMENT:"$RULECOMMENT"
        SRCIP:"$SRCIP"
        DSTUSER:"$DSTUSER"
        FULLLOG:"$FULLLOG"
        RULEGROUP:"$RULEGROUP"
    </custom_alert_output>
</global>

Alarm output:

        TIMESTAMP:"1463415918"
        FTELL:"17020"
        RULEALERT:"mail "
        HOSTNAME:"(192.168.81.141) 192.168.81.141->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"
        LOCATION:"(192.168.81.141) 192.168.81.141->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"
        RULEID:"533"
        RULELEVEL:"7"
        RULECOMMENT:"Listened ports status (netstat) changed (new port opened or closed)."
        SRCIP:"None"
        DSTUSER:"None"
        FULLLOG:"ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      \ntcp        0      0 ::1:25                      :::*                        LISTEN      \ntcp        0      0 ::1:631                     :::*                        LISTEN      \ntcp        0      0 :::22                       :::*                        LISTEN      "
        RULEGROUP:"ossec,pci_dss_10.2.7,pci_dss_10.6.1,"

The default output format alarm:

** Alert 1463415556.6424: mail  - ossec,pci_dss_10.2.7,pci_dss_10.6.1,
2016 May 16 09:19:16 (192.168.81.141) 192.168.81.141->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 ::1:631                     :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
**Previous output:**
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 ::1:25                      :::*                        LISTEN      
tcp        0      0 ::1:631                     :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      

Comparing the custom format's alarm output with the default format's, the port-change hint is missing:

Previous output:

My English is not very good, I want to express, you can understand :)

ddpbsd commented 8 years ago

The FULLLOG entry has the port information, although it's possibly truncated for space reasons.

spookerlabs commented 8 years ago

I think he is using the Wazuh version that saves logs in json format, no?

Testing 2.9 here, I noticed that the json format didn't save changes as the regular logs do.

{"rule":{"level":7,"comment":"Listened ports status (netstat) changed (new port opened or closed).","sidid":533},"location":"netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort","full_log":"ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp6 0 0 :::22 :::* LISTEN \ntcp6 0 0 :::80 :::* LISTEN "}

I think that's why he is getting alert "incomplete".

Regards,

ddpbsd commented 8 years ago

I don't think the custom alert messages stuff affects the json output, but I have never used either so I can't be sure.

Canon88 commented 8 years ago

I am using OSSIM.

Canon88 commented 8 years ago

I tested the custom alarm output and this issue appeared, but I did not save in json format.

ddpbsd commented 8 years ago

AlienVault has community support for their system, that might be a better place to ask. I'm unable to see an issue with the custom alert output that has been provided.

spookerlabs commented 8 years ago

But just to clarify:

alerts.log (default)

* Alert 1463417219.5767829: mail - ossec, 2016 May 16 16:46:59 OctopusLiveDemo->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).' ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort': tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:9977 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::9977 :::* LISTEN Previous output: ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort': tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::80 :::\ LISTEN

alerts.json

{"rule":{"level":7,"comment":"Listened ports status (netstat) changed (new port opened or closed).","sidid":533},"location":"netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort","full_log":"ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:9977 0.0.0.0:* LISTEN \ntcp6 0 0 :::22 :::* LISTEN \ntcp6 0 0 :::80 :::* LISTEN \ntcp6 0 0 :::9977 :::* LISTEN "}

I think something is missing in the json output; maybe OSSIM uses the json output format, but as Dan mentioned, it is better to ask in the OSSIM community.

ddpbsd commented 8 years ago

The data is in the json output as well (full_log field). It's probably just more truncated than the default output.

Canon88 commented 8 years ago

I use version 2.8; it does not seem to support jsonout_output. I also tested in OSSEC 2.8.3: adjusting the ossec.conf output format loses part of the alarm (netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort).

<global>
    <custom_alert_output>
        TIMESTAMP:"$TIMESTAMP"
        FTELL:"$FTELL"
        RULEALERT:"$RULEALERT"
        HOSTNAME:"$HOSTNAME"
        LOCATION:"$LOCATION"
        RULEID:"$RULEID"
        RULELEVEL:"$RULELEVEL"
        RULECOMMENT:"$RULECOMMENT"
        SRCIP:"$SRCIP"
        DSTUSER:"$DSTUSER"
        FULLLOG:"$FULLLOG"
        RULEGROUP:"$RULEGROUP"
    </custom_alert_output>
</global>

You can also modify ossec.conf and see its alarm output.

ddpbsd commented 8 years ago

Unless you can come up with a different way of telling us the problem you're having, I don't think this issue can advance. I enabled a custom output (most of what you have, except for the hostname/location duplication) and see very ugly, but expected output.

        TIMESTAMP:"1463483912"
        FTELL:"76967"
        RULEALERT:"mail "
        LOCATION:"netstat -tan|grep LISTEN |grep -v 127.0.0.1 | sort"
        RULEID:"533"
        RULELEVEL:"7"
        RULECOMMENT:"Listened ports status (netstat) changed (new port opened or closed)."
        SRCIP:"None"
        DSTUSER:"None"
        FULLLOG:"ossec: output: 'netstat -tan|grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp          0      0  *.22                   *.*                    LISTEN\ntcp          0      0  *.3000                 *.*                    LISTEN\ntcp          0      0  *.5666                 *.*                    LISTEN\ntcp          0      0  127.0.1.1.2514         *.*                    LISTEN\ntcp          0      0  127.0.1.1.9999         *.*                    LISTEN\ntcp          0      0  192.168.17.9.153       *.*                    LISTEN\ntcp          0      0  192.168.17.9.2222      *.*                    LISTEN\ntcp          0      0  192.168.17.9.25        *.*                    LISTEN\ntcp          0      0  192.168.17.9.3333      *.*                    LISTEN\ntcp          0      0  192.168.17.9.4445      *.*                    LISTEN\ntcp          0      0  192.168.17.9.53        *.*                    LISTEN\ntcp          0      0  192.168.17.9.80        *.*                    LISTEN\ntcp6         0      0  *.22                   *.*                    LISTEN\ntcp6         0      0  *.5666                 *.*                    LISTEN\ntcp6         0      0  2001:470:8:f38::.25    *.*                    LISTEN\ntcp6         0      0  2001:470:8:f38::.53    *.*                    LISTEN\ntcp6         0      0  ::1.25                 *.*                    LISTEN\ntcp6         0      0  ::1.53                 *.*                    LISTEN\ntcp6         0      0  ::1.8952               *.*                    LISTEN\ntcp6         0      0  ::1.8953               *.*                    LISTEN\ntcp6         0      0  fe80::1%lo0.25         *.*                    LISTEN\ntcp6         0      0  fe80::baac:6fff:.25    *.*                    LISTEN\ntcp6         0      0  fe80::baac:6fff:.53    *.*                    LISTEN"
        RULEGROUP:"ossec,"
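The custom format drops the "Previous output:" block that the default alerts.log entry carries, so the opened or closed port has to be recovered by comparing consecutive rule 533 alerts. The following Python is an added example, not code from the thread or from OSSEC: it parses two custom-format alerts (constructed from the samples above) and diffs the netstat listings in their FULLLOG fields; it also accepts the BSD "host.port" address form seen in the last comment.

```python
import re

# Constructed sample alerts in the custom_alert_output KEY:"value" format from the
# thread. FULLLOG carries the netstat lines joined with a literal backslash-n (two
# characters), exactly as the custom format writes them into alerts.log.
PREVIOUS_ALERT = r'''TIMESTAMP:"1463415556"
RULEID:"533"
FULLLOG:"ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp 0 0 ::1:25 :::* LISTEN \ntcp 0 0 ::1:631 :::* LISTEN \ntcp 0 0 :::22 :::* LISTEN "
RULEGROUP:"ossec,"'''
CURRENT_ALERT = r'''TIMESTAMP:"1463415918"
RULEID:"533"
FULLLOG:"ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp 0 0 ::1:631 :::* LISTEN \ntcp 0 0 :::22 :::* LISTEN "
RULEGROUP:"ossec,"'''

FIELD_RE = re.compile(r'^\s*([A-Z]+):"(.*)"\s*$', re.MULTILINE)
# Linux: "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN"; BSD: "tcp 0 0 *.22 *.* LISTEN".
LISTEN_RE = re.compile(r'^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN', re.MULTILINE)

def parse_custom_alert(text):
    """Return the KEY:"value" fields of one custom-format alert as a dict."""
    return dict(FIELD_RE.findall(text))

def split_local(addr):
    """Split a netstat local address into (host, port), accepting the Linux
    'host:port' form and the BSD 'host.port' form (IPv6 hosts contain ':')."""
    sep = '.' if addr.rfind('.') > addr.rfind(':') else ':'
    host, port = addr.rsplit(sep, 1)
    return host, port

def listening_sockets(fulllog):
    """Set of (proto, host, port) listeners found in a FULLLOG value."""
    found = set()
    for proto, local in LISTEN_RE.findall(fulllog.replace('\\n', '\n')):
        host, port = split_local(local)
        found.add((proto, host, port))
    return found

def port_changes(previous_alert, current_alert):
    """Recover the opened/closed ports that the default alert's 'Previous
    output:' block shows, by diffing the FULLLOG of two rule 533 alerts."""
    prev = listening_sockets(parse_custom_alert(previous_alert)['FULLLOG'])
    cur = listening_sockets(parse_custom_alert(current_alert)['FULLLOG'])
    return {'opened': sorted(cur - prev), 'closed': sorted(prev - cur)}

if __name__ == '__main__':
    print(port_changes(PREVIOUS_ALERT, CURRENT_ALERT))
```

On the samples the result reports the ::1:25 listener as closed and nothing opened, which is exactly the detail the default format's "Previous output:" block conveys.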