Count the lines on which the word matched: $ grep -c 'word' /path/to/file. Pass the -n option to precede each line of output with its line number in the text file: $ grep -n 'root' /etc/passwd. Ignore case: $ grep -i 'word' /path/to/file. Search recursively under a directory: $ grep -r 'word' /path/to/dir. Use grep to search 2 different ...

OSSEC Decoder Each application has its own log record format, e.g. this Apache access log line from web.madhuka.lk: 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" Here we add a new OSSEC decoder called "custom-apache-access-log":
# /var/ossec/etc/decoder.xml
<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>
(Two caveats: decoder.xml is replaced on upgrade, so custom decoders belong in /var/ossec/etc/local_decoder.xml, which OSSEC loads as well; and <program_name> only matches when the line arrives with a syslog program name, so a file the agent reads directly needs a <prematch>/<regex> to be decoded.) Then test it: # /var/ossec/bin/oss
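The fields such a decoder has to capture from that line, worked through as an added example in plain shell rather than with OSSEC itself (this is not the post's decoder or code): srcip, url and id are the field names used below, following the naming of OSSEC's stock web-accesslog decoder; the sample line is the one from the post and the small extra log is constructed for the tally.

```shell
#!/bin/sh
# Added example (not code from the post): extract from an Apache combined-log
# line the fields a custom OSSEC decoder would have to capture. srcip, url and
# id (the HTTP status) follow the field names OSSEC's stock web-accesslog
# decoder uses in its <order>. The sample line is the one shown in the post;
# the three extra lines in LOG are constructed for the tally below.
SAMPLE='123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"'

LOG="$SAMPLE
123.231.120.128 - - [27/Dec/2015:03:44:20 +0530] \"GET /index.php HTTP/1.1\" 200 1234 \"-\" \"curl/7.29.0\"
10.0.0.7 - - [27/Dec/2015:03:45:01 +0530] \"GET /admin/ HTTP/1.1\" 403 199 \"-\" \"Mozilla/5.0\"
garbage line that is not an access log entry"

# parse_access_line LINE -> prints "srcip=... method=... url=... id=..."
# Exit status 1 with no output when the line does not have the expected shape,
# the way an event stays undecoded when no decoder regex matches it.
parse_access_line() {
  printf '%s\n' "$1" | sed -E -n \
    's/^([0-9]{1,3}(\.[0-9]{1,3}){3}) [^ ]+ [^ ]+ \[[^]]+\] "([A-Z]+) ([^ "]+) [^"]*" ([0-9]{3}) .*$/srcip=\1 method=\3 url=\4 id=\5/p' \
    | grep .
}

# tally_srcip (stdin: log lines) -> "count ip" per source, busiest first.
# Lines that do not parse are skipped, so a malformed line cannot poison the tally.
tally_srcip() {
  while IFS= read -r line; do
    parse_access_line "$line" || :
  done | sed -n 's/^srcip=\([^ ]*\) .*/\1/p' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# stand-alone run: decode the post's line, then tally the constructed log
parse_access_line "$SAMPLE"
printf '%s\n' "$LOG" | tally_srcip
```

The regex is deliberately strict (dotted-quad source, bracketed timestamp, quoted request line, three-digit status): anything looser would "decode" lines that are not access-log entries and hand rules wrong srcip values.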

How the access log works with OSSIM The access log moves to the sensor (the data source), and from there it is mapped to an event id according to the rules in OSSIM. Data sources can be found under ossim -> configuration -> threat_intelligence -> data_source; search for the source as below. Pick "AlienVault HIDS-accesslog", which reads the access log. Browse the data source from the UI. Events are mapped to OSSEC event ...

HIDS Agentless in AlienVault USM Agentless monitoring uses SSH authentication to the host you want to check. For Cisco devices (PIX, routers, etc.) you need to provide the enable password as an additional parameter; the same applies if you want to add support for "su", which must also be given as the additional parameter.
1. Log into AlienVault USM.
2. Navigate to environment -> detection -> hids -> ...

Install OSSIM
1. Download the OSSIM image (ISO) file.
2. Make a bootable USB drive with the OSSIM ISO file.
3. Boot from the drive; make sure you have an internet connection.
4. Select the OSSIM server install.
5. Just follow the wizard.
6. Enter the network details correctly, with a unique new IP for the OSSIM server.
7. After the install completes, go through the web interface to set up the OSSIM configuration.

Finding the logs on my server. I generally use lsof to list which log files my server has open: lsof | grep log. Then I check which logs OSSEC is already reading: grep "<location>/" /var/ossec/etc/ossec.conf. Add the new access log to OSSEC with /var/ossec/bin/util.sh addfile /var/log/httpd/nic.access_log, or just add a <localfile> entry to /var/ossec/etc/ossec.conf (either way OSSEC has to be restarted to pick it up). Then write some log lines, or run your server to generate some: echo "123.231.120.128 ...
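Both ways of adding a log end with a <localfile> block in ossec.conf. As an added example, not the post's own commands, here are the check and the edit as shell functions over a constructed copy of ossec.conf, so they run without OSSEC installed; the paths, the apache log_format and the CONF location are assumptions for illustration. On a real host point CONF at /var/ossec/etc/ossec.conf (after backing it up) and skip the cat that writes the sample.

```shell
#!/bin/sh
# Added example, not a script from the post: list the <location> entries OSSEC
# is reading and append a <localfile> block for a new log only if it is not
# already monitored. CONF defaults to a constructed sample written below;
# set CONF=/var/ossec/etc/ossec.conf (and remove the cat) on a real host.
CONF="${CONF:-./ossec.conf.example}"

cat > "$CONF" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
</ossec_config>
EOF

# monitored_logs CONF -> one monitored path per line (what the post's
# grep "<location>/" shows, minus the tags)
monitored_logs() {
  sed -n 's/.*<location>\([^<]*\)<\/location>.*/\1/p' "$1"
}

# add_localfile CONF PATH [FORMAT] -> appends a <localfile> block just before
# </ossec_config> so the file stays well-formed; returns 1 and changes nothing
# if PATH is already monitored (a duplicate <localfile> makes OSSEC read the
# file twice and double every alert). FORMAT defaults to apache.
add_localfile() {
  conf=$1; path=$2; fmt=${3:-apache}
  if monitored_logs "$conf" | grep -qxF "$path"; then
    return 1
  fi
  tmp="$conf.tmp.$$"
  awk -v p="$path" -v f="$fmt" '
    index($0, "</ossec_config>") {
      print "  <localfile>"
      print "    <log_format>" f "</log_format>"
      print "    <location>" p "</location>"
      print "  </localfile>"
    }
    { print }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# stand-alone run: what is monitored now, then add the post's new access log
monitored_logs "$CONF"
add_localfile "$CONF" /var/log/httpd/nic.access_log && echo "added /var/log/httpd/nic.access_log"
```

After the edit, restart OSSEC with /var/ossec/bin/ossec-control restart; ossec-logcollector only reads its <localfile> list at start.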

Testing log forwarding in OSSEC The OSSEC agent and server are connected over UDP port 1514, so message passing over UDP needs to be tested. To see whether the OSSEC network sockets exist, run # netstat -putan | grep ossec on both the server and the client (agent); each must show results (the post shows the output from both sides). To check if ossec-server is receiving data on ...

Host based firewall in Linux Linux comes with a host based firewall called Netfilter. iptables is the program that configures Netfilter's filtering for IPv4, and ip6tables does the same for IPv6. This post lists the simplest iptables rules a new Linux user needs to protect a Linux system from intruders. Displaying the status of your firewall: iptables -L -n -v (-L: list rules; -v ...
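A minimal default-deny ruleset of the kind the post is about, written as an added example (not the post's rules) in iptables-restore format so it loads atomically instead of rule by rule. Since the OSSEC posts on this page need UDP 1514 between agent and server, the ruleset opens that port only to the agent network. The two networks are parameters; 10.0.0.0/8 and 192.168.1.0/24 in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. fw_rules prints a host firewall
# in iptables-restore format: INPUT policy DROP, loopback and established
# traffic allowed, SSH only from ADMIN_NET, OSSEC's UDP 1514 only from
# AGENT_NET, everything else logged (rate-limited) and dropped by the policy.
#
# Apply with:   fw_rules 10.0.0.0/8 192.168.1.0/24 | iptables-restore
# Save the running rules first (iptables-save > /root/iptables.bak); on a
# remote host also schedule a rollback, e.g.
#   echo 'iptables-restore < /root/iptables.bak' | at now + 5 minutes
# so a mistake does not lock you out. Check the result with iptables -L -n -v.

# fw_rules ADMIN_NET AGENT_NET -> ruleset on stdout; exit 2 on missing args
fw_rules() {
  admin_net=$1; agent_net=$2
  if [ -z "$admin_net" ] || [ -z "$agent_net" ]; then
    echo "usage: fw_rules ADMIN_NET AGENT_NET" >&2
    return 2
  fi
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate-limited so it cannot be used to flood the host
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH from the admin network only
-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# OSSEC agent -> server traffic (UDP 1514) from the agent network only
-A INPUT -p udp -s $agent_net --dport 1514 -j ACCEPT
# log what falls through (rate-limited); the INPUT policy then drops it
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables INPUT drop: "
COMMIT
EOF
}

# rule_count (stdin: ruleset) -> number of -A lines, a quick sanity check
# before loading (a truncated heredoc or a typo'd variable shows up here)
rule_count() {
  grep -c '^-A '
}

# stand-alone run with placeholder networks
fw_rules 10.0.0.0/8 192.168.1.0/24
```

For IPv6, feed the same shape to ip6tables-restore but replace the ICMP line with -p ipv6-icmp; the conntrack, SSH and 1514 rules carry over unchanged.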

Adding an OSSEC client to the OSSEC server For this you will need two machines, one for the OSSEC server and the other for the OSSEC client. The post covers two components: the OSSEC server and the OSSEC agent (client).
1. Install the server (the steps are explained in the previous article) and install the OSSEC agent on the other machine the same way.
2. On the server, add the new agent with # /var/ossec/bin/manage_agents (enter your client IP ...

Creating Correlation Rules and Alarms in AlienVault The goal of a correlation analysis is to see whether two measured variables co-vary, and to quantify the strength of the relationship between them. In a SIEM, correlation is what makes sense of all the information in the system: it strengthens the evidence for an event, helps assess its business impact, and helps decide whether the event is a false positive. ...

Advanced Tutorial on OSSIM Directives Following an event in OSSIM: if the flow above occurs on the server, we need a trigger (alert) in OSSIM for the case where a user produces a 'QUIT' event after a 'DATA' event:
<directive id="500002" name="Exceeding the email count" priority="4">
  <rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="9002" plugin_sid="4">
    <rules>
      <rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliab

OSSIM Correlation Correlation is a process performed by the correlation engine in OSSIM. The correlation engine reads all the directives on startup in order to match individual rules or events. OSSIM's directives are defined in XML 1.0. Rules are built as a logical tree consisting of 'if' and 'or' statements, joined together to provide a reliable means of identifying attacks or network misbehaviour. A ...

Making an OSSIM Alarm from an Event In this post we are going to generate an alarm from OSSIM when a custom event (an attack or other interesting event) occurs in our system. I will be using the custom plugin that we built.
1. Go to the "Data source" configuration -> threat_intelligence -> data_source.
2. Then pick our custom data source (hello), which we created earlier (see: How to create an OSSIM custom data source).
3. ...

Reading a custom log file from OSSIM Let's write an OSSIM plugin that reads the hello log (my custom log file for this post). I will call the plugin 'hello', and it reads a log file called 'hello.log'. Creating the plugin configuration file, hello.cfg: the cfg file contains sections called 'DEFAULT', 'config', 'translation' and the rules. Plugins can be found in the location below. We have ...

OSSIM components This post explains the steps to enable both the OSSEC and SSH plugins in OSSIM. First we enable the plugins.
1. Update the OSSIM configuration variables in /etc/ossim/ossim_setup.conf: add ossec and ssh to the 'detectors' list.
2. Now that the config is updated, run ossim-reconfig: ossim-reconfig -c -v -d
2.1 The SSH and OSSEC plugin configs can be found in ...

module.exports VS exports module.exports is the object that is actually returned as the result of a require call. Modules use exports to make things available; the exports variable is initially a reference to that same object, so exports.foo = ... is visible to the caller, while reassigning exports = ... only rebinds the local variable and exports nothing. You can create a Node.js application with the following package.json:
{ "name": "tutorial", "version": "1.0.0", "scripts": { "start": "node server.js" } }
Then create two js files, hello.js and server.js ...

Adding an agent to OSSIM from OSSEC You need OSSEC and OSSIM installed in your network. First we extract the key from OSSIM:
1. Go to the OSSIM web UI and navigate to 'environment' => 'detection'.
2. Click on 'Agents'.
3. Pick the agent and click the key icon for 'Extract Key'.
Add the agent in OSSEC:
1. The command below lists the agents: /var/ossec/bin/manage_agents -l
2. Open "manage agents": /var/ossec/bin/manage_agents it ...

OSSEC service for CentOS 7 OSSEC is a host-based IDS built around log analysis, which is why it is sometimes called a log-based intrusion detection system (LIDS). You will need nano or vim and wget installed on CentOS; use the commands below to install them: yum install wget and yum install nano
1. Let's download OSSEC: wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz (check the tarball against the checksum published on ossec.net before building anything from it).
2. Untar it: tar xf ossec-hids-2.8.2.tar.gz
3. Inside the extracted ossec-hids-2.8.2 directory, open host-deny.sh: vim active-response/host-deny.sh
4. Remove the spaces in the location below, e.g.: TMP_FILE = ...
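Why step 4 matters, as an added example that is not part of the post: a constructed host-deny.sh-style file containing the spaced assignment, a check that shows what sh does with such a line, and a sed fix that removes the spaces. Only the TMP_FILE = ... form comes from the post; the value assigned, the other lines of the sample and the FILE path are made up for the example.

```shell
#!/bin/sh
# Added example (not from the post). In sh, "NAME = value" is not an
# assignment: the shell runs a command called NAME with "=" and the value as
# its arguments, so the script dies with "NAME: not found" and the active
# response never blocks anything. The file below is constructed to reproduce
# the spaced TMP_FILE line the post points at; its value is invented.
FILE="${FILE:-./host-deny.sh.example}"
cat > "$FILE" <<'EOF'
#!/bin/sh
ACTION=$1
IP=$3
TMP_FILE = "/tmp/hosts.deny.$$"
echo "$IP" > "$TMP_FILE"
EOF

# broken_assignments FILE -> prints "lineno:line" for every NAME = value line,
# exit status 1 if there are none. Only lines that start with an identifier
# followed by " = " are matched, so tests such as [ "$a" = "$b" ] are left alone.
broken_assignments() {
  grep -nE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]* = ' "$1"
}

# fix_assignments FILE -> rewrites those lines to NAME=value in place,
# keeping the original as FILE.bak
fix_assignments() {
  sed -i.bak -E 's/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*) = /\1=/' "$1"
}

# assignment_ok LINE -> exit 0 if sh accepts LINE, non-zero otherwise
assignment_ok() {
  sh -c "$1" >/dev/null 2>&1
}

# stand-alone run: report, show the shell's verdict on the bad line, fix, re-check
broken_assignments "$FILE"
if assignment_ok 'TMP_FILE = "/tmp/x"'; then
  echo "sh accepted the spaced line"
else
  echo "sh rejected the spaced line (as expected)"
fi
fix_assignments "$FILE"
broken_assignments "$FILE" || echo "no spaced assignments left in $FILE"
```

Run sh -n on the fixed script as a last syntax check, and diff it against the .bak copy so only the assignment lines changed before you run install.sh.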

This post contains some tips on using the setTimeout() and setInterval() functions in a nested manner, and on using JavaScript references inside those callbacks. setTimeout() calls a function once after a period of time; setInterval() calls a function repeatedly at a fixed interval. Suppose there is a function x(){} which needs to be called after 30 seconds: setTimeout(x, 30000); (note that setTimeout(x(), 30000) would call x immediately and schedule its return value, not x). Now I need to call ...

This post shows how to enable CORS in Node. CORS (Cross-Origin Resource Sharing) is the browser mechanism by which a server says which other origins may read its responses; without the right headers the browser blocks cross-domain requests. Simply adding the line below at the application's response level solves the CORS issue: res.header("Access-Control-Allow-Origin", "*"); The lines below enable CORS for all the routes on that server: app.use(function(req, res, next) { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"); next(); }); Note that "*" lets any website read these responses, so use it only for resources that are genuinely public; for anything behind cookies or auth headers, echo back an allow-listed origin instead (browsers reject "*" for credentialed requests). You can add this for resource files ...
