General
Detect the ipsrc responsible for the syscheck integrity
1 vote -
Add SSL connections for agent to server communication.
Pre-shared keys do not work for dynamic cloud-based environments like AWS where hosts can pop up and down at a moment's notice.
Using a technology like SSL would mean that the agent only needs to know where to send its data.
3 votes -
There is a false positive on FreeBSD9 (rootcheck rule 510)
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Files hidden inside directory '/dev'. Link count does not match number of files (5,17).
I guess something has changed in BSD 9.0 and OSSEC fires a false positive.
5 votes -
Fix rootcheck so it does not report "Trojaned version of file '/sbin/init' detected. Signature used: 'bash|/dev/h|HOME' (Generic)"
Root check reports:
"Trojaned version of file '/sbin/init' detected. Signature used: 'bash|/dev/h|HOME' (Generic)" while checking openSUSE 12.1 (and probably all Linux versions that use "systemd" instead of "init").
This happens because systemd includes the string "HOME".
So this is a false positive and should be fixed.
4 votes -
correction to "process monitoring" manual page
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
In the load average example, the match tag uses double quotes in
ossec: output: "uptime":
and in the regex tag:
load averages: 2.
In my new CentOS 6.1 installation, it will only work if single quotes (apostrophes) are used within the match tag and "load average: 2" (singular) is used within the regex tag.
1 vote -
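A complete process-monitoring configuration in the form the post above is correcting, added here as an example (it is not text from the OSSEC manual or from the poster). The command `<localfile>` goes in ossec.conf on the agent, and the rule goes in local_rules.xml on the server, chained to the stock rule 530 that matches all `ossec: output:` lines. The rule id 100001, its level and the 7200-second ignore window are assumptions. Note that `uptime` on Linux prints "load average:" (singular) while BSD-derived systems print "load averages:", so the regex has to match the platform the agent runs on.

```xml
<!-- ossec.conf on the agent: run uptime on each logcollector cycle and ship the output -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml on the server: single quotes around the command name in <match>,
     singular "load average" in <regex> for a Linux agent. Rule id 100001 is an assumed,
     unused local id; level 7 and ignore="7200" (alert at most once per two hours) are assumptions. -->
<group name="local,">
  <rule id="100001" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load average: 2.</regex>
    <description>Load average reached 2 on the monitored host.</description>
  </rule>
</group>
```

Test the rule with `echo "ossec: output: 'uptime':  10:00:00 up 1 day,  1 user,  load average: 2.10, 1.90, 1.50" | /var/ossec/bin/ossec-logtest` on the server before restarting it; the line should fire the stock rule 530 first and then your local rule.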
Allow custom audit rules in /var/ossec/etc/shared which are not overwritten by rule updates.
When ossec is updated, any customizations to the rules in /var/ossec/etc/shared are overwritten.
A specific example is system_audit_rcl.txt where the locations of php.ini as well as the web directories are different for us and our clients than the default.
We make the changes in system_audit_rcl.txt and updates overwrite our changes.
1 vote -
Allow customization of the entire ossec alert email - from sender, subject line, and body
The goal is to either A) allow the solution to be white label or branded or B) allow providers to include messages in the body of the ossec alert for their clients.
4 votes -
Please include agent host name or agent name or agent id message body of alerts for outdated web applications
Change:
System Audit: Web vulnerability - Outdated WordPress installation. File: **FULL PATH WAS HERE. Reference: http://sucuri.net/latest-versions
To
*** HOSTNAME*** System Audit: Web vulnerability - Outdated WordPress installation. File: **FULL PATH WAS HERE. Reference: http://sucuri.net/latest-versions
This should allow ossec-reportd to be used to show outdated applications by agent.
3 votes -
fix your php date error in line 48
looks like a coding error in Alert.php line 48 for the way it asks the date
4 votes -
Fix description on rule 4386 in pix_rules.xml
now it is
Nultiple AAA (VPN) authentication failures.
should be
Multiple AAA (VPN) authentication failures.
3 votes -
add /bin/ to line 209 of ossec-control
Line 209 specifies ossec-logtest line as:
echo | ${DIR}/ossec-logtest > /dev/null 2>&1;
It should be:
echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1;
If it isn't then the following line appears on startup:
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
1 vote -
Configure process monitoring centrally
At the moment it is not possible to configure process monitoring using agent.conf and therefore it must be configured on every single agent.
It would be handy to remove this limitation by having command and command_full configurable from agent.conf and therefore centrally manageable from the OSSEC master.
3 votes -
BUG: Agent seems "active" even when it's completely shut down
If I type "list_agents -c" I can see my agent, which was previously added to ossec, as "active" even after I did "ossec-control stop" and there are no ossec* processes running there.
It stays "active" even after ossec-server has been restarted.
And it means this system is VERY unreliable because if someone/something killed your agent you would never know about it.
Could it be fixed?
Thanks
1 vote -
compile issue on Lion using XCode 4.1 (LLVM)
There is an issue compiling on Lion using XCode 4.1.
When making os_crypto:
sha_locl.h:261: error: unsupported inline asm: input constraint with a matching output constraint of incompatible type!
19 votes -
Bug in default agent rules?
After getting alerts on windows registry \Enum keys changing, I noticed this rule in the default config file:
<registry_ignore type="sregex">\Enum$</registry_ignore>
Is this a typo? What would the \E match? It doesn't seem to be a documented expression.
2 votes -
Fix broken links in documentation
There are multiple links in the documentation and missing "complete" examples.
4 votes -
rootkit
The OSSEC rootkit checks (netstat, ps) return lots of false positives on our Linux platform (CentOS). We have investigated the issue and the related source code and have a few suggestions.
The rules in question are:
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Port '22'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
Process '5' hidden from ps. Possible trojaned version installed.
rootcheck/check_rc_ports.c
The Linux 'NETSTAT' can be slightly improved using a non-POSIX option of netstat (--tcp/--udp) instead of grepping the output. This option will notably increase the performance of the system() call and therefore decrease false…
10 votes -
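To make the hidden-port check discussed above concrete, here is an added example in Python of the same two-step logic rootcheck's check_rc_ports.c performs (a bind() probe per port, then a lookup of that port in netstat output). It is not OSSEC's code and not the poster's patch; it takes one netstat snapshot and parses it locally instead of running netstat per port, which is the cost the post is pointing at. The netstat output below is constructed, not captured from a real host, and the helper names are this example's own.

```python
"""Hidden-port check in the style of OSSEC rootcheck's check_rc_ports.c (added example)."""
import errno
import socket
from typing import Dict, Iterable, Set

# Constructed sample of `netstat -an` output on Linux; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def netstat_ports(output: str, proto: str) -> Set[int]:
    """Every local port netstat lists for proto ('tcp' or 'udp'), IPv4 and IPv6 rows alike."""
    ports: Set[int] = set()
    for line in output.splitlines():
        fields = line.split()
        # Skip the banner and header rows; 'tcp6'/'udp6' share the 'tcp'/'udp' prefix.
        if len(fields) < 4 or not fields[0].startswith(proto):
            continue
        # Local address is host:port; rsplit on the last colon copes with ':::80'.
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def port_in_use(port: int, proto: str) -> bool:
    """bind() probe as rootcheck does it: EADDRINUSE means something already holds the port.

    Only EADDRINUSE counts. An unprivileged process gets EACCES on ports below 1024,
    and treating that as 'in use' would flag every privileged port as hidden.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False


def hidden_ports(in_use: Iterable[int], netstat_output: str, proto: str) -> Set[int]:
    """Ports that are in use but absent from netstat: the set rootcheck reports as hidden."""
    return set(in_use) - netstat_ports(netstat_output, proto)


def scan(netstat_output: str, proto: str, ports: Iterable[int]) -> Dict[str, Set[int]]:
    """Run the probe over a port range and compare against a single netstat snapshot."""
    in_use = {p for p in ports if port_in_use(p, proto)}
    return {"in_use": in_use, "hidden": hidden_ports(in_use, netstat_output, proto)}


if __name__ == "__main__":
    # In real use the snapshot would come from `netstat -an` (or `netstat --tcp -an`)
    # taken once, immediately before the probes, rather than once per port.
    result = scan(SAMPLE_NETSTAT, "tcp", range(1, 1024))
    for p in sorted(result["hidden"]):
        print(f"Port '{p}'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.")
```

Because the probe and the snapshot are taken at different instants, any port that is bound or released between the two shows up as a spurious hit; the shorter the gap between them, the fewer such hits, which is the practical effect of the speed-up the post asks for.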
Increase Agent Disconnect Timeout
Similar to:
http://www.mail-archive.com/ossec-list@googlegroups.com/msg03429.html
Allow the user to configure the timeout length before a client is considered 'disconnected'. We can get 12 alerts/agent/day, which becomes very 'noisy'.
Many Thanks
9 votes