I just installed ossec-hids-server.x86_64 via dnf.
This is the error I am receiving:
2021/06/21 14:34:59 verify-agent-conf: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2021/06/21 14:34:59 verify-agent-conf(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2021/06/26 23:42:07 ossec-testrule: INFO: Reading local decoder file.
2021/06/26 23:42:07 rules_list: Group 'virus' not found. Invalid 'if_group'.
The only change was that I moved ossec.conf.sample to ossec.conf and configured email.
Any ideas?
Installation Start issue Fedora 3.6.0-19869.fc34.art
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
Missing rules?
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
This is a fresh download. It downloaded a large number of rules, including mcafee, firewall, etc.
One would think (this is an assumption and you know where that takes us...) that the base install would start, maybe not do anything, but start... I am also assuming those rules that are in ossec.conf were also downloaded. In any event, I don't see a specific "virus" rule.
I tried adding mcafee_av_rules.xml, but that didn't fix anything. I have since removed it.
Any other ideas?
Thanks
Last edited by wspivak on Mon Jun 28, 2021 3:28 pm, edited 1 time in total.
- Atomicorp Staff - Site Admin
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
Are you using the rules.d/decoders.d design from oum, or the classic design?
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
Sorry, new to OSSEC.
/var/ossec does not contain a directory rules.d, just rules.
Hope this helps.
- Atomicorp Staff - Site Admin
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
OK, so you're using the legacy setup; you need to declare each ruleset manually in the config with the <include> statement. Likely you're just missing the declaration for whatever ruleset contains that group.
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
That makes some sense.
These are the "default" rules.
<rules>
<include>rules_config.xml</include>
<include>sshd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>attack_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>openbsd-dhcpd_rules.xml</include>
<include>nsd_rules.xml</include>
</rules>
Then I
[ rules]# grep virus *
attack_rules.xml: <if_matched_group>virus</if_matched_group>
attack_rules.xml: <description>Multiple viruses detected - Possible outbreak.</description>
attack_rules.xml: <group>virus,</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <description>Could not download the incremental virus definition updates.</description>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <description>McAfee Windows AV - Scan completed with no viruses found.</description>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus,</group>
squid_rules.xml: - common extensions to cause false positives (specially anti virus).
squid_rules.xml: <description>Multiple attempts to access a worm/trojan/virus </description>
symantec-av_rules.xml: - http://www.ossec.net/wiki/index.php/Symantec_Antivirus
symantec-av_rules.xml: <group>virus</group>
grep: translated: Is a directory
trend-osce_rules.xml: <group>virus</group>
trend-osce_rules.xml: <group>virus</group>
I tried adding clam_av_rules since I use clam; no success.
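The staff reply above says the classic layout only knows about groups declared in files listed with <include>, and the grep output shows why this install trips: the only files that declare group virus are the AV rulesets (clam_av, mcafee_av, ms-se, symantec-av, trend-osce), none of which is in the include list, while attack_rules.xml references that group through if_matched_group. The script below is an added example, not code from this thread or from OSSEC: it replays the way analysisd loads rules (files in include order, each rule's if_group / if_matched_group resolved against rules already loaded, the rule's own groups recorded only afterwards) and reports any reference that no earlier rule satisfies. The rule files, rule IDs and ossec.conf fragments are constructed stand-ins for the real ones, and the checker treats the referenced value as one exact group name, which is a simplification of OSSEC's word matching.

```python
"""Added example (not from the forum thread or from OSSEC): replay the
ruleset load order used by ossec-analysisd and report any if_group /
if_matched_group whose group has not been declared by an earlier rule."""
import xml.etree.ElementTree as ET

# Constructed, cut-down stand-ins for files under /var/ossec/rules/.
# Rule IDs and contents are made up for this example.
RULE_FILES = {
    "rules_config.xml": """
<group name="syslog,">
  <rule id="900001" level="0" noalert="1">
    <category>syslog</category>
    <description>Generic template for all syslog rules.</description>
  </rule>
</group>
""",
    "attack_rules.xml": """
<group name="syslog,attacks,">
  <rule id="900002" level="10" frequency="8" timeframe="360">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>
</group>
""",
    "clam_av_rules.xml": """
<group name="syslog,clamd,">
  <rule id="900003" level="0" noalert="1">
    <decoded_as>clamd</decoded_as>
    <description>Grouping of clamd rules.</description>
  </rule>
  <rule id="900004" level="8">
    <if_sid>900003</if_sid>
    <match>FOUND</match>
    <description>ClamAV: virus detected.</description>
    <group>virus</group>
  </rule>
</group>
""",
}

# Constructed ossec.conf fragments: same files, different include order.
CONF_NO_AV = """<ossec_config><rules>
  <include>rules_config.xml</include>
  <include>attack_rules.xml</include>
</rules></ossec_config>"""

CONF_AV_AFTER = """<ossec_config><rules>
  <include>rules_config.xml</include>
  <include>attack_rules.xml</include>
  <include>clam_av_rules.xml</include>
</rules></ossec_config>"""

CONF_AV_BEFORE = """<ossec_config><rules>
  <include>rules_config.xml</include>
  <include>clam_av_rules.xml</include>
  <include>attack_rules.xml</include>
</rules></ossec_config>"""


def parse_includes(conf_xml):
    """Return the <include> file names from the <rules> block, in order."""
    root = ET.fromstring(conf_xml)
    return [inc.text.strip() for inc in root.iter("include") if inc.text]


def split_groups(text):
    """OSSEC group lists are comma separated and may end with a comma."""
    return {g.strip() for g in (text or "").split(",") if g.strip()}


def check_rule_order(includes, rule_files):
    """Walk rule files in include order; return unresolved group references.

    A rule's groups are the enclosing <group name="..."> plus its own <group>.
    The parent lookup happens before the rule's own groups are recorded, so a
    file that both references and declares a group cannot satisfy itself.
    """
    loaded = set()
    problems = []
    for fname in includes:
        if fname not in rule_files:
            problems.append(f"{fname}: included but not present in rules/")
            continue
        # A rule file may hold several top-level <group> blocks; wrap them.
        root = ET.fromstring("<rules>" + rule_files[fname] + "</rules>")
        for block in root.findall("group"):
            base = split_groups(block.get("name"))
            for rule in block.findall("rule"):
                for tag in ("if_group", "if_matched_group"):
                    for ref in rule.findall(tag):
                        wanted = (ref.text or "").strip()
                        if wanted not in loaded:
                            problems.append(
                                f"{fname}: rule {rule.get('id')} uses <{tag}>"
                                f"{wanted}</{tag}> but no earlier rule "
                                f"declares group '{wanted}'")
                loaded |= base | split_groups(rule.findtext("group"))
    return problems


if __name__ == "__main__":
    for label, conf in (("no AV file", CONF_NO_AV),
                        ("AV file after attack_rules", CONF_AV_AFTER),
                        ("AV file before attack_rules", CONF_AV_BEFORE)):
        result = check_rule_order(parse_includes(conf), RULE_FILES)
        print(f"{label}: {'OK' if not result else result}")
```

Run as is, the three configurations give one finding, one finding, and OK: adding the AV ruleset after attack_rules.xml does not help, because the group has to be loaded already when the rule that references it is parsed. Against a real install, read the files from /var/ossec/rules/ into the dictionary and pass the text of /var/ossec/etc/ossec.conf to parse_includes.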
- Atomicorp Staff - Site Admin
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
It might be less work to use the OUM setup on centos/rocky with the rules.d/decoders.d system for the server.
Re: Installation Start issue Fedora 3.6.0-19869.fc34.art
I'll look into it, thanks