
Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Sun Jun 27, 2021 8:17 am
by wspivak
I just installed ossec-hids-server.x86_64 via dnf.

This is the error I am receiving:

2021/06/21 14:34:59 verify-agent-conf: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2021/06/21 14:34:59 verify-agent-conf(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2021/06/26 23:42:07 ossec-testrule: INFO: Reading local decoder file.
2021/06/26 23:42:07 rules_list: Group 'virus' not found. Invalid 'if_group'.

The only change was that I moved ossec.conf.sample to ossec.conf and configured email.

Any ideas?

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Mon Jun 28, 2021 8:58 am
by scott
Missing rules?

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Mon Jun 28, 2021 2:35 pm
by wspivak
This is a fresh download. It downloaded large numbers of rules, including mcafee, firewall, etc.

One would think (this is an assumption and you know where that takes us...) that the base install would start, maybe not do anything, but start... I am also assuming those rules that are in ossec.conf were also downloaded. In any event, I don't see a specific "virus" rule.

I tried adding mcafee_av_rules.xml, but that didn't fix anything. I have since removed it.

Any other ideas?

Thanks

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Mon Jun 28, 2021 3:06 pm
by scott
Are you using the rules.d/decoders.d design from oum, or the classic design?

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Mon Jun 28, 2021 3:27 pm
by wspivak
Sorry, new to OSSEC.

/var/ossec does not contain a directory rules.d, just rules.

Hope this helps.

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Tue Jun 29, 2021 9:07 am
by scott
OK, so you're using the legacy setup; you need to declare each ruleset manually in the config with the <include> statement. Likely you're just missing the declaration for whatever ruleset contains that group.

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Tue Jun 29, 2021 9:44 am
by wspivak
That makes some sense.

These are the "default" rules.


<rules>
<include>rules_config.xml</include>
<include>sshd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>attack_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>openbsd-dhcpd_rules.xml</include>
<include>nsd_rules.xml</include>
</rules>

Then I ran:
[ rules]# grep virus *
attack_rules.xml: <if_matched_group>virus</if_matched_group>
attack_rules.xml: <description>Multiple viruses detected - Possible outbreak.</description>
attack_rules.xml: <group>virus,</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <group>virus</group>
clam_av_rules.xml: <description>Could not download the incremental virus definition updates.</description>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <group>virus</group>
mcafee_av_rules.xml: <description>McAfee Windows AV - Scan completed with no viruses found.</description>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus</group>
ms-se_rules.xml: <group>virus,</group>
squid_rules.xml: - common extensions to cause false positives (specially anti virus).
squid_rules.xml: <description>Multiple attempts to access a worm/trojan/virus </description>
symantec-av_rules.xml: - http://www.ossec.net/wiki/index.php/Symantec_Antivirus
symantec-av_rules.xml: <group>virus</group>
grep: translated: Is a directory
trend-osce_rules.xml: <group>virus</group>
trend-osce_rules.xml: <group>virus</group>

I tried adding clam_av_rules since I use clam; no success.
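Scott's point earlier in the thread (in the legacy layout every ruleset must be declared with an <include>, and the missing group lives in some ruleset that is not declared) combined with the grep output above (attack_rules.xml references virus via if_matched_group, while the group itself is only assigned in the AV rule files) suggests a simple pre-flight check before running ossec-testrule. The script below is an added example, not OSSEC's own code: it replays the <include> order from ossec.conf and reports any if_group / if_matched_group / if_sid / if_matched_sid that points at a group or rule ID no earlier-loaded rule has defined. It assumes, as the "Group 'virus' not found. Invalid 'if_group'" message suggests, that OSSEC resolves such references against rules already loaded, so the defining file has to be included before the file that references it. The two config fragments and the three rule files are constructed for the example (the rule IDs 9000xx are placeholders, not OSSEC's real IDs); point it at /var/ossec/etc/ossec.conf and /var/ossec/rules to check a live install.

```python
"""Pre-flight check for a legacy (<include>-based) OSSEC ruleset.

Constructed example, not OSSEC code.  Assumption being checked: a group or rule
ID referenced by if_group/if_matched_group/if_sid/if_matched_sid must already
have been defined by a rule loaded earlier in the <include> order."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: str
    groups: set = field(default_factory=set)      # groups this rule belongs to
    ref_groups: set = field(default_factory=set)  # groups it depends on
    ref_sids: set = field(default_factory=set)    # rule IDs it depends on


def split_list(text):
    """OSSEC lists are comma separated and often carry a trailing comma ('virus,')."""
    return {t.strip() for t in (text or "").split(",") if t.strip()}


def parse_rule_file(xml_text):
    """Return the rules of one *_rules.xml file in file order.

    A rule file holds several top-level <group name="..."> blocks, so wrap them in
    a synthetic root before parsing.  The name attribute is inherited by every
    rule in the block; a bare <group> inside a <rule> adds to that rule only."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for block in root.findall("group"):
        inherited = split_list(block.get("name"))
        for r in block.findall("rule"):
            rule = Rule(r.get("id"), groups=set(inherited))
            for child in r:
                if child.tag == "group":
                    rule.groups |= split_list(child.text)
                elif child.tag in ("if_group", "if_matched_group"):
                    rule.ref_groups |= split_list(child.text)
                elif child.tag in ("if_sid", "if_matched_sid"):
                    rule.ref_sids |= split_list(child.text)
            rules.append(rule)
    return rules


def includes_from_conf(conf_text):
    """Pull the <include> file names, in order, out of the <rules> block of ossec.conf."""
    return re.findall(r"<include>\s*([^<\s]+)\s*</include>", conf_text)


def check_include_order(conf_text, rule_files):
    """Replay the include order; return (file, rule_id, message) for every dangling
    or forward reference.  An empty list means the ruleset should load."""
    loaded_groups, loaded_sids, problems = set(), set(), []
    for fname in includes_from_conf(conf_text):
        if fname not in rule_files:
            problems.append((fname, None, "included file not found"))
            continue
        for rule in parse_rule_file(rule_files[fname]):
            for g in sorted(rule.ref_groups - loaded_groups):
                problems.append((fname, rule.rule_id, f"group '{g}' not found"))
            for s in sorted(rule.ref_sids - loaded_sids):
                problems.append((fname, rule.rule_id, f"rule id '{s}' not found"))
            # Record only after the checks: a rule cannot satisfy its own reference.
            loaded_groups |= rule.groups
            loaded_sids.add(rule.rule_id)
    return problems


# Constructed rule files (placeholder IDs; shapes mirror the grep output in the thread).
SAMPLE_RULE_FILES = {
    "rules_config.xml": """
<group name="local,syslog,">
  <rule id="900001" level="0"><match>dummy</match><description>Base rule</description></rule>
</group>""",
    "attack_rules.xml": """
<group name="local,syslog,attacks,">
  <rule id="900010" level="12" frequency="8" timeframe="180">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>
</group>""",
    "clam_av_rules.xml": """
<group name="clamd,">
  <rule id="900020" level="8"><match>FOUND</match><description>Virus found</description>
    <group>virus</group></rule>
</group>""",
}

# attack_rules.xml is included before the file that defines group 'virus'.
BROKEN_CONF = """<rules>
  <include>rules_config.xml</include>
  <include>attack_rules.xml</include>
  <include>clam_av_rules.xml</include>
</rules>"""

# Same files, with the group-defining file moved ahead of the referencing one.
FIXED_CONF = """<rules>
  <include>rules_config.xml</include>
  <include>clam_av_rules.xml</include>
  <include>attack_rules.xml</include>
</rules>"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_include_order(conf, SAMPLE_RULE_FILES))
```

To run it against a real box, read /var/ossec/etc/ossec.conf into conf_text and build rule_files from the .xml files under /var/ossec/rules; the output names the file and rule ID that ossec-testrule would reject, plus any <include> that points at a file that does not exist.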

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Thu Jul 01, 2021 9:23 am
by scott
It might be less work to use the OUM setup on CentOS/Rocky with the rules.d/decoders.d system for the server.

Re: Installation Start issue Fedora 3.6.0-19869.fc34.art

Posted: Sat Jul 03, 2021 1:18 pm
by wspivak
I'll look into it, thanks.