Wednesday, February 6, 2013

Add OSSEC agents to Security Onion


The OSSEC configuration process is documented on the OSSEC site.

Run the following on the Security Onion server:
sudo /var/ossec/bin/manage_agents

** You may need to open port 1514 in the firewall using ufw.

After that, you see the start screen:
****************************************
* OSSEC HIDS v2.5-SNP-100809 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:
You can now choose one of the actions.

Adding an agent

To add an agent type A in the start screen:

Choose your action: A,E,L,R or Q: a

You are then asked to provide a name for the agent to be added. This can for example be the hostname. In this example the agent name will be agent1.

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agent1

After that you have to specify the IP address for the agent. This can either be a single IP address (e.g. 192.168.1.25), a range of IPs (e.g. 192.168.2.0/24), or any. Using a network range or any is preferable when the IP of the agent may change frequently because of DHCP or a similar service.
* The IP Address of the new agent: 192.168.2.0/24

The last information you will be asked for is the ID you want to assign to the agent. manage_agents will suggest a value for the ID to you. This value is the lowest positive number that is not already assigned to another agent. The ID 000 is assigned to the OSSEC server. To accept the suggestion, simply press ENTER. To choose another value, type it in and press ENTER.
* An ID for the new agent[001]:
Now you have to confirm adding the agent and you are done with this step.
After that manage_agents appends the agent information to /var/ossec/etc/client.keys and goes back to the start screen.

Extracting the key for an agent

After adding an agent, a key for the agent is created that has to be copied to the agent. To get the key, use the E option in the manage_agents start screen. You will be given a list of all agents already added to the server. To extract the key for an agent, simply type in the ID of the respective agent. It is important to note that you have to enter all digits of the ID.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: agent1, IP: 192.168.2.0/24
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5MmQ4NDE4MjYwMjJkN2ZkMzNkYzZiOWE5NWY4MzU5YWRlY2JkY2Rm

** Press ENTER to return to the main menu.
You can now copy that key to agent1 and import it there via the agent version of manage_agents.
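The key string manage_agents prints is the agent's client.keys line ("ID NAME IP KEY") encoded in base64. Before pasting it into the agent it is worth decoding it and checking that what you are about to import is well-formed and carries the ID you expect. The script below is an added example written for this post, not code from OSSEC or Security Onion; its function names are invented, and it uses the key string shown above as its constructed sample. Decoded, that sample carries ID 002 while the listing shows ID 001, so the ID check reports a mismatch when asked about 001, which is exactly the kind of slip the check is there to catch.

```sh
#!/bin/sh
# Added example: decode and sanity-check an OSSEC agent key before importing it.
# Not part of OSSEC or Security Onion; function names are invented for this post.

# Constructed sample: the key string manage_agents printed for agent1 above.
SAMPLE_KEY='MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5MmQ4NDE4MjYwMjJkN2ZkMzNkYzZiOWE5NWY4MzU5YWRlY2JkY2Rm'

# The key string is the agent's client.keys line ("ID NAME IP KEY") in base64; decode it.
ossec_key_decode() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Print one field of the decoded line: 1 = ID, 2 = name, 3 = IP or range, 4 = key material.
ossec_key_field() {
    ossec_key_decode "$2" | awk -v n="$1" '{ print $n }'
}

# Succeed only when the decoded line has the shape manage_agents produces:
# a three-digit ID, a name, an IP address, a CIDR range or "any", and 64 hex characters of key.
ossec_key_check() {
    line=$(ossec_key_decode "$1") || { echo "key is not valid base64" >&2; return 1; }
    set -- $line
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    printf '%s\n' "$1" | grep -Eq '^[0-9]{3}$' \
        || { echo "bad agent ID: $1" >&2; return 1; }
    printf '%s\n' "$3" | grep -Eq '^(any|[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?)$' \
        || { echo "bad IP or range: $3" >&2; return 1; }
    printf '%s\n' "$4" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "key material is not 64 hex characters" >&2; return 1; }
}

# Succeed when the ID carried inside the key equals the ID manage_agents listed for the agent.
ossec_key_id_matches() {
    [ "$(ossec_key_field 1 "$2")" = "$1" ]
}

# Look an agent ID up in a client.keys file (the server's is /var/ossec/etc/client.keys);
# prints the matching line and fails when the ID is absent.
ossec_client_keys_lookup() {
    awk -v id="$1" '$1 == id { print; found = 1 } END { exit !found }' "$2"
}

# Stand-alone run: show what the sample key carries and whether it passes the checks.
echo "decoded: $(ossec_key_decode "$SAMPLE_KEY")"
if ossec_key_check "$SAMPLE_KEY"; then echo "key is well-formed"; fi
if ! ossec_key_id_matches 001 "$SAMPLE_KEY"; then
    echo "ID inside the key ($(ossec_key_field 1 "$SAMPLE_KEY")) differs from the listed ID 001"
fi
```

Run it on the server after extracting a key, or on the agent before importing one; `ossec_client_keys_lookup 001 /var/ossec/etc/client.keys` confirms that the server side of the pairing exists for the ID you are about to hand to the agent.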

Monday, January 28, 2013

Windows Updates problem

General Windows Update Troubleshooting
The following outlines how to stop services pertaining to Windows Update, rename system folders, register related DLL files, and then restart the previously mentioned services. This troubleshooting generally applies to all Windows Update related issues.

Stopping services pertaining to Windows Update
1.     Click Start, click All Programs, click Accessories, right-click Command Prompt, and select Run as Administrator.
2.     If you receive a notification from User Account Control simply click Continue.
3.     At the command prompt, type the following commands, and then press ENTER after each command.
        net stop wuauserv
        net stop bits

        net stop cryptsvc
4.     Please do not close the Command Prompt window.
 
Renaming folders pertaining to Windows Update
1.     At the command prompt, type the following commands, and then press Enter after each command:
        ren %systemroot%\System32\Catroot2 Catroot2.old
        ren %systemroot%\SoftwareDistribution SoftwareDistribution.old
2.     Please do not close the Command Prompt window.

Registering DLLs pertaining to Windows Update
1.     Please copy and paste the following text into a new Notepad document, and save the file as WindowsUpdate.BAT
2.     If saved correctly, the icon will change from a Notepad file to a BAT file, which has two blue cogs as its icon.
            -or-
3.     You can manually type each command at the command prompt:
regsvr32 c:\windows\system32\vbscript.dll /s
regsvr32 c:\windows\system32\mshtml.dll /s
regsvr32 c:\windows\system32\msjava.dll /s
regsvr32 c:\windows\system32\jscript.dll /s
regsvr32 c:\windows\system32\msxml.dll /s
regsvr32 c:\windows\system32\actxprxy.dll /s
regsvr32 c:\windows\system32\shdocvw.dll /s
regsvr32 wuapi.dll /s
regsvr32 wuaueng1.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wucltui.dll /s
regsvr32 wups2.dll /s
regsvr32 wups.dll /s
regsvr32 wuweb.dll /s
regsvr32 Softpub.dll /s
regsvr32 Mssip32.dll /s
regsvr32 Initpki.dll /s
regsvr32 softpub.dll /s
regsvr32 wintrust.dll /s
regsvr32 initpki.dll /s
regsvr32 dssenh.dll /s
regsvr32 rsaenh.dll /s
regsvr32 gpkcsp.dll /s
regsvr32 sccbase.dll /s
regsvr32 slbcsp.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 Urlmon.dll /s
regsvr32 Shdocvw.dll /s
regsvr32 Msjava.dll /s
regsvr32 Actxprxy.dll /s
regsvr32 Oleaut32.dll /s
regsvr32 Mshtml.dll /s
regsvr32 msxml.dll /s
regsvr32 msxml2.dll /s
regsvr32 msxml3.dll /s
regsvr32 Browseui.dll /s
regsvr32 shell32.dll /s
regsvr32 wuapi.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wuaueng1.dll /s
regsvr32 wucltui.dll /s
regsvr32 wups.dll /s
regsvr32 wuweb.dll /s
regsvr32 jscript.dll /s
regsvr32 atl.dll /s
regsvr32 Mssip32.dll /s

Restarting services pertaining to Windows Update
1.     Click Start, click All Programs, click Accessories, right-click Command Prompt, and select Run as Administrator.
2.     If you receive a notification from User Account Control simply click Continue.
3.     At the command prompt, type the following commands, and then press ENTER after each command.
        net start wuauserv
        net start bits

        net start cryptsvc
        exit
4.     Now please check for updates using Windows Update.

Sunday, December 30, 2012

Sguil & Squert password reset


Re-add a user with:
sguild-add-user USERNAME PASSWORD


If you'd rather not put your Sguil password into your bash history, then you can try nsm_server_user-add. It's an interactive wrapper around sguild-add-user.

(You can use "history -c" to clear your history if you have concerns about leaving your password there, or whack the space bar a couple of times before entering the command so it won't go to .bash_history.)
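Keeping the password off the command line is the simplest way to keep it out of .bash_history, and the leading-space trick only works when bash's HISTCONTROL contains ignorespace (or ignoreboth). The script below is an added example written for this post, not part of Security Onion, Sguil or nsm_server_user-add; its function names are invented. It prompts for the password without echoing it, calls sguild-add-user as described above with only the username ever typed at the prompt, and reports whether the current HISTCONTROL setting would honour a leading space. The SGUILD_ADD_USER variable is an assumption added so the function can be exercised without a Sguil server.

```sh
#!/bin/sh
# Added example: reset a Sguil password without the password landing in shell history.
# Not part of Security Onion or Sguil; function names are invented for this post.

# Read one line from stdin without echoing it (POSIX stty rather than bash's read -s);
# when stdin is not a terminal, e.g. in a pipeline, echo control is skipped.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        saved=$(stty -g)
        stty -echo
        trap 'stty "$saved"' EXIT INT TERM
    fi
    IFS= read -r secret
    if [ -t 0 ]; then
        stty "$saved"
        trap - EXIT INT TERM
        printf '\n' >&2
    fi
    printf '%s\n' "$secret"
}

# Re-add a Sguil user: only the username is typed on the command line, so only
# "sguil_reset_password USERNAME" reaches .bash_history. SGUILD_ADD_USER (an assumption
# for this example) lets a test substitute another command for sguild-add-user.
sguil_reset_password() {
    user=$1
    [ -n "$user" ] || { echo "usage: sguil_reset_password USERNAME" >&2; return 2; }
    pass=$(read_secret "New Sguil password for $user: ")
    [ -n "$pass" ] || { echo "empty password, nothing changed" >&2; return 1; }
    "${SGUILD_ADD_USER:-sguild-add-user}" "$user" "$pass"
}

# bash drops a space-prefixed command from history only when HISTCONTROL (a colon-separated
# list) contains ignorespace or ignoreboth; this reports whether the current value does.
history_ignores_space() {
    case ":${HISTCONTROL:-}:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report whether a space-prefixed command would stay out of history.
if history_ignores_space; then
    echo "HISTCONTROL=$HISTCONTROL: a command typed with a leading space is not saved"
else
    echo "HISTCONTROL=${HISTCONTROL:-unset}: leading spaces do not keep commands out of history"
fi
```

Source the file and run `sguil_reset_password USERNAME`. Note that sguild-add-user still receives the password as an argument, so it is briefly visible in the process list while that command runs; what this wrapper changes is only what ends up in the shell history, which is the concern this post is about.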


Wednesday, December 19, 2012

Ubuntu - Clean Up Old Crash Reports


Clean Up Old Crash Reports
If your Ubuntu system always pops up a dialog saying "System program problem detected" each time you log in even though you've already reported the problem, you might need to clean up all old crash reports by entering the command line below in the Terminal.
  1. Press Ctrl-Alt-T to run Terminal.
  2. Copy and paste sudo rm /var/crash/* in the Terminal and press Enter.
Log out and log back in, then check whether the dialog still appears.