Installation Start issue Fedora 3.6.0-19869.fc34.art

Support/Development for OSSEC
wspivak
New Forum User
Posts: 4
Joined: Sun Jun 27, 2021 7:57 am

Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by wspivak »

I just installed ossec-hids-server.x86_64 via dnf.

This is the error I am receiving:

2021/06/21 14:34:59 verify-agent-conf: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2021/06/21 14:34:59 verify-agent-conf(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2021/06/26 23:42:07 ossec-testrule: INFO: Reading local decoder file.
2021/06/26 23:42:07 rules_list: Group 'virus' not found. Invalid 'if_group'.

The only change was that I moved ossec.conf.sample to ossec.conf and configured email.

Any ideas?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by scott »

Missing rules?
wspivak
New Forum User
Posts: 4
Joined: Sun Jun 27, 2021 7:57 am

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by wspivak »

This is a fresh download. It downloaded a large number of rules, including mcafee, firewall, etc.

One would think (this is an assumption and you know where that takes us...) that the base install would start, maybe not do anything, but start... I am also assuming those rules that are in ossec.conf were also downloaded. In any event, I don't see a specific "virus" rule.

I tried adding mcafee_av_rules.xml, but that didn't fix anything. I have since removed it.

Any other ideas?

Thanks
Last edited by wspivak on Mon Jun 28, 2021 3:28 pm, edited 1 time in total.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by scott »

Are you using the rules.d/decoders.d design from oum, or the classic design?
wspivak
New Forum User
Posts: 4
Joined: Sun Jun 27, 2021 7:57 am

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by wspivak »

Sorry, new to OSSEC.

/var/ossec does not contain a directory rules.d, just rules.

Hope this helps.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by scott »

OK, so you're using the legacy setup; you need to declare each ruleset manually in the config with the <include> statement. Likely you're just missing the declaration for whatever ruleset contains that group.
wspivak
New Forum User
Posts: 4
Joined: Sun Jun 27, 2021 7:57 am

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by wspivak »

That makes some sense.

These are the "default" rules.


<rules>
<include>rules_config.xml</include>
<include>sshd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>attack_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>openbsd-dhcpd_rules.xml</include>
<include>nsd_rules.xml</include>
</rules>

Then I ran:
[ rules]# grep virus *
attack_rules.xml: <if_matched_group>virus</if_matched_group>
attack_rules.xml: <description>Multiple viruses detected - Possible outbreak.</description>
attack_rules.xml: <group>virus,</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <description>Could not download the incremental virus definition updates.</description>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <description>McAfee Windows AV - Scan completed with no viruses found.</description>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus,</group>
squid_rules.xml: - common extensions to cause false positives (specially anti virus).
squid_rules.xml: <description>Multiple attempts to access a worm/trojan/virus </description>
symantec-av_rules.xml: - http://www.ossec.net/wiki/index.php/Symantec_Antivirus
symantec-av_rules.xml: <group>virus</group>
grep: translated: Is a directory
trend-osce_rules.xml: <group>virus</group>
trend-osce_rules.xml: <group>virus</group>

I tried adding clam_av_rules since I use clam, no success.
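The grep above shows where the 'virus' group is defined, but not whether the file that defines it is loaded before attack_rules.xml, which is what the `rules_list` error is complaining about. The script below is an added example, not part of the thread or of OSSEC itself: it reads the <include> list from ossec.conf in order, walks each rule file, and reports every <if_group>/<if_matched_group> reference whose group no earlier-loaded <group> tag (or file-level <group name="..."> wrapper) has defined, together with the files that do define it. It assumes OSSEC resolves those references only against rules already loaded, so include order matters. The sample ossec.conf and the three stripped-down rule files (rule ids 9xxxxx) are constructed for the demo and are not the real OSSEC rule files.

```python
import os
import re
import tempfile

# Either a file-level wrapper <group name="a,b,"> or one of the per-rule tags
# <group>, <if_group>, <if_matched_group>, captured in document order.
TAG_RE = re.compile(
    r'<group\s+name="(?P<wrap>[^"]*)"\s*>'
    r'|<(?P<tag>group|if_group|if_matched_group)>(?P<body>[^<]*)</(?P=tag)>'
)
INCLUDE_RE = re.compile(r"<include>\s*([^<\s]+)\s*</include>")


def split_groups(text):
    """'virus,ids,' -> {'virus', 'ids'} (OSSEC group lists are comma separated)."""
    return {g.strip() for g in text.split(",") if g.strip()}


def iter_tags(text):
    """Yield ('define', groups) or ('ref', groups) for each tag, in file order."""
    for m in TAG_RE.finditer(text):
        if m.group("wrap") is not None:
            yield "define", split_groups(m.group("wrap"))
        elif m.group("tag") == "group":
            yield "define", split_groups(m.group("body"))
        else:
            yield "ref", split_groups(m.group("body"))


def parse_includes(ossec_conf_text):
    """Rule files named by <include> inside ossec.conf, in load order."""
    return INCLUDE_RE.findall(ossec_conf_text)


def index_definitions(rules_dir):
    """Map group name -> every rule file in rules_dir that defines it."""
    defines = {}
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith(".xml"):
            continue
        with open(os.path.join(rules_dir, name), encoding="utf-8", errors="replace") as fh:
            for kind, groups in iter_tags(fh.read()):
                if kind == "define":
                    for g in groups:
                        defines.setdefault(g, []).append(name)
    return defines


def check_rule_order(ossec_conf_path, rules_dir):
    """Return (rule_file, group, other_files_defining_group) for every reference
    to a group that no earlier-loaded rule defines; group is None when the
    included file is missing from rules_dir altogether."""
    with open(ossec_conf_path, encoding="utf-8") as fh:
        includes = parse_includes(fh.read())
    defines = index_definitions(rules_dir)
    loaded, reported, problems = set(), set(), []
    for inc in includes:
        path = os.path.join(rules_dir, inc)
        if not os.path.isfile(path):
            problems.append((inc, None, []))
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for kind, groups in iter_tags(text):
            if kind == "define":
                loaded |= groups  # simplification: a rule's own <group> counts from here on
                continue
            for g in sorted(groups - loaded):
                if (inc, g) not in reported:
                    reported.add((inc, g))
                    problems.append((inc, g, [f for f in defines.get(g, []) if f != inc]))
    return problems


# Constructed sample rule files mimicking the thread (not real OSSEC rules).
SAMPLE_RULES = {
    "rules_config.xml": '<group name="syslog,">\n<rule id="900001" level="0">'
        '<decoded_as>ossec</decoded_as><description>base</description>'
        '<group>syslog,</group></rule>\n</group>\n',
    "attack_rules.xml": '<group name="attacks,">\n<rule id="900002" level="12" frequency="8" timeframe="120">'
        '<if_matched_group>virus</if_matched_group>'
        '<description>Multiple viruses detected - Possible outbreak.</description>'
        '<group>virus,</group></rule>\n</group>\n',
    "clam_av_rules.xml": '<group name="clamd,">\n<rule id="900003" level="8"><if_group>syslog</if_group>'
        '<match>FOUND</match><description>ClamAV virus detected</description>'
        '<group>virus</group></rule>\n</group>\n',
}


def build_sample(include_order):
    """Write the constructed ossec.conf and rules/ into a temp dir; return both paths."""
    base = tempfile.mkdtemp(prefix="ossec-demo-")
    rules_dir = os.path.join(base, "rules")
    os.mkdir(rules_dir)
    for name, body in SAMPLE_RULES.items():
        with open(os.path.join(rules_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    conf = os.path.join(base, "ossec.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("<ossec_config>\n<rules>\n")
        fh.writelines(f"<include>{n}</include>\n" for n in include_order)
        fh.write("</rules>\n</ossec_config>\n")
    return conf, rules_dir


if __name__ == "__main__":
    # Same mistake as in the thread: the file defining 'virus' is included too late.
    bad = ["rules_config.xml", "attack_rules.xml", "clam_av_rules.xml", "mcafee_av_rules.xml"]
    for rule_file, group, where in check_rule_order(*build_sample(bad)):
        if group is None:
            print(f"{rule_file}: included but not present in rules/")
        else:
            print(f"{rule_file}: group '{group}' not loaded yet; defined in {where or 'no file'}"
                  " - move one of those includes above it")
```

Run it against a real install as `check_rule_order('/var/ossec/etc/ossec.conf', '/var/ossec/rules')`; for the thread's config it would point at attack_rules.xml and suggest moving an AV ruleset (clam_av_rules.xml, ms-se_rules.xml, ...) above it rather than appending it at the end of the <rules> block.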
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by scott »

It might be less work to use the OUM setup on centos/rocky with the rules.d/decoders.d system for the server.
wspivak
New Forum User
Posts: 4
Joined: Sun Jun 27, 2021 7:57 am

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Unread post by wspivak »

I'll look into it, thanks