Update from original #1

Merged
merged 16 commits into from
Sep 21, 2015

Conversation

brentmorris253
Owner

No description provided.

jblaine and others added 16 commits July 14, 2015 15:44
…sing pbuilder, for Debian/Ubuntu.

generate_ossec.sh works both for ossec-hids (the manager) and ossec-hids-agent packages.
Added files and tool for the automatic creation of debian/ubuntu packages
from the command line.  "ossec-syscheckd -t -d -d"
Updated decoder.xml to include default logging settings in Windows IIS
Improve wording and -f info. Give example.
Let "ossec-syscheckd -t" display XML parsing errors for agent.conf on…
Patch rootkit_trojans.txt for s-nail systems.
OUTPUT

Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec
Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"

**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       action: 'CONNECT'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11401'
       Level: '3'
       Description: 'FTP session opened.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'FAIL LOGIN'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11403'
       Level: '5'
       Description: 'Login failed accessing the FTP server.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       action: 'CONNECT'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11401'
       Level: '3'
       Description: 'FTP session opened.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK LOGIN'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11402'
       Level: '3'
       Description: 'FTP Authentication success.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK UPLOAD'
       srcip: '172.28.5.129'
       url: '/index.php'

**Phase 3: Completed filtering (rules).
       Rule id: '11404'
       Level: '0'
       Description: 'FTP server file upload.'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK DELETE'
       srcip: '172.28.5.129'
       url: '/index.php"'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK CHMOD'
       srcip: '172.28.5.129'
       url: '/index.php 777"'



**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK RENAME'
       srcip: '172.28.5.129'
       url: '/index.php /4444index.php"'
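The ossec-logtest output above shows what the vsftpd decoder in this branch extracts: CONNECT, LOGIN and UPLOAD lines reach rules 11401 to 11404, while DELETE, CHMOD and RENAME stop after Phase 2 with no rule, and their url field keeps the stray closing quote plus the second value vsftpd packs into the same quoted argument ("/index.php 777", "/index.php /4444index.php"). The following is an added example, not OSSEC code and not part of this pull request: a small Python parser for the same eight log lines that splits those two-value fields, maps events to the rule ids, levels and descriptions exactly as printed in the output above, and reports which file operations went unmatched. The line layout regex and the choice to leave DELETE, CHMOD and RENAME unmapped are assumptions taken from the output shown, not from OSSEC's rule set.

```python
"""Parse vsftpd.log lines and map them to the OSSEC rule ids printed by
ossec-logtest in the run above.  Added example; not OSSEC's decoder code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the eight vsftpd lines from the ossec-logtest run above.
SAMPLE_LOG = """\
Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec
Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"
"""

# Line layout inferred from the sample above (assumption): optional [user],
# optional OK/FAIL status, an upper-case action, the client address, and an
# optional quoted argument that only file operations carry.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?:(?P<status>OK|FAIL) )?(?P<action>[A-Z]+): '
    r'Client "(?P<srcip>[^"]+)"'
    r'(?:, "(?P<arg>[^"]*)")?'
)

# (action, status) -> (rule id, level, description), copied from the Phase 3
# output above.  DELETE, CHMOD and RENAME produced no Phase 3 output in that
# run, so they are deliberately absent here.
RULES: Dict[Tuple[str, Optional[str]], Tuple[int, int, str]] = {
    ("CONNECT", None): (11401, 3, "FTP session opened."),
    ("LOGIN", "OK"): (11402, 3, "FTP Authentication success."),
    ("LOGIN", "FAIL"): (11403, 5, "Login failed accessing the FTP server."),
    ("UPLOAD", "OK"): (11404, 0, "FTP server file upload."),
}


@dataclass
class FtpEvent:
    timestamp: str
    pid: int
    user: Optional[str]
    status: Optional[str]
    action: str
    srcip: str
    path: Optional[str] = None
    extra: Optional[str] = None      # mode for CHMOD, new name for RENAME
    rule_id: Optional[int] = None
    level: Optional[int] = None
    description: Optional[str] = None


def parse_line(line: str) -> Optional[FtpEvent]:
    """Decode one vsftpd.log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = FtpEvent(timestamp=m["ts"], pid=int(m["pid"]), user=m["user"],
                  status=m["status"], action=m["action"], srcip=m["srcip"])
    arg = m["arg"]
    if arg is not None:
        # vsftpd puts two values in one quoted field for CHMOD ("/path mode")
        # and RENAME ("/old /new"); split them instead of storing the raw
        # field as a single url value the way the decoder output above does.
        if ev.action in ("CHMOD", "RENAME"):
            ev.path, _, ev.extra = arg.partition(" ")
        else:
            ev.path = arg
    rule = RULES.get((ev.action, ev.status))
    if rule:
        ev.rule_id, ev.level, ev.description = rule
    return ev


def parse_log(text: str) -> List[FtpEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def failed_logins_by_ip(events: List[FtpEvent]) -> Dict[str, int]:
    """Count rule 11403 hits per source address (brute-force indicator)."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.rule_id == 11403:
            counts[ev.srcip] = counts.get(ev.srcip, 0) + 1
    return counts


def uncovered_actions(events: List[FtpEvent]) -> List[str]:
    """File operations that matched no rule: the silent gap a defender
    would want to close (DELETE, CHMOD and RENAME in the run above)."""
    return sorted({ev.action for ev in events if ev.path and ev.rule_id is None})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev.action, ev.status, ev.srcip, ev.path, ev.extra, ev.rule_id)
    print("failed logins:", failed_logins_by_ip(evs))
    print("no rule for:", uncovered_actions(evs))
```

Run as-is to see every event with its clean path and rule id; `uncovered_actions` is the quick check to keep around when adding new decoders, since a file operation that decodes correctly but never reaches Phase 3 (as DELETE, CHMOD and RENAME do above) produces no alert at all, and a level 0 rule such as 11404 is likewise silent unless a higher-level rule builds on it.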
brentmorris253 added a commit that referenced this pull request Sep 21, 2015
@brentmorris253 brentmorris253 merged commit 0199e8c into brentmorris253:master Sep 21, 2015