Jose Neira
Thursday, November 12, 2015
Saturday, February 1, 2014
Saturday, January 4, 2014
Wednesday, February 6, 2013
Add OSSEC agents to Security Onion
The OSSEC agent configuration process is documented on the OSSEC site.
Run the following on the Security Onion server:
sudo /var/ossec/bin/manage_agents
** You may need to open port 1514 (UDP, the port agents use to reach the server) in the firewall using ufw.
After that, you see the start screen:
****************************************
* OSSEC HIDS v2.5-SNP-100809 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:
Adding an agent
To add an agent, type A at the start screen:
Choose your action: A,E,L,R or Q: a
You are then asked to provide a name for the agent to be added. This can for example be the hostname. In this example the agent name will be agent1.
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: agent1
After that you have to specify the IP address for the agent. This can either be a single IP address (e.g. 192.168.1.25), a range of IPs (e.g. 192.168.2.0/24), or any. Using a network range or any is preferable when the IP of the agent may change frequently because of DHCP or a similar service. Note that with a range or any the server no longer ties the key to a single source address, so the shared key alone authenticates the agent.
* The IP Address of the new agent: 192.168.2.0/24
The last information you will be asked for is the ID you want to assign to the agent. manage_agents will suggest a value for the ID to you. This value is the lowest positive number that is not already assigned to another agent. The ID 000 is assigned to the OSSEC server. To accept the suggestion, simply press ENTER. To choose another value, type it in and press ENTER.
* An ID for the new agent[001]:
After that manage_agents appends the agent information to /var/ossec/etc/client.keys and goes back to the start screen.
Extracting the key for an agent
After adding an agent, a key for the agent is created that has to be copied to the agent. The key is the shared secret that authenticates the agent, so transfer it over a secure channel (for example ssh) rather than email or chat. To get the key, use the E option in the manage_agents start screen. You will be given a list of all agents already added to the server. To extract the key for an agent, simply type in the ID of the respective agent. It is important to note that you have to enter all digits of the ID.
Choose your action: A,E,L,R or Q: e
Available agents:
ID: 001, Name: agent1, IP: 192.168.2.0/24
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5MmQ4NDE4MjYwMjJkN2ZkMzNkYzZiOWE5NWY4MzU5YWRlY2JkY2Rm
** Press ENTER to return to the main menu.
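Before pasting an extracted key into an agent it is worth checking that it decodes to the agent you just added. The blob manage_agents prints is base64 of the client.keys line "ID NAME IP KEY"; the small checker below is an added example, not part of the original post or of OSSEC, and uses the key string from the transcript above as its input.

```python
import base64
import ipaddress
import re

# The key string printed by manage_agents in the transcript above
# (the documentation example, not a key from a real deployment).
EXTRACTED_KEY = (
    "MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5"
    "MmQ4NDE4MjYwMjJkN2ZkMzNkYzZiOWE5NWY4MzU5YWRlY2JkY2Rm"
)

def make_agent_key(agent_id, name, ip, key):
    """Build the blob manage_agents prints: base64 of the client.keys line."""
    return base64.b64encode(f"{agent_id} {name} {ip} {key}".encode()).decode()

def parse_agent_key(b64_key):
    """Decode an extracted key into its four fields, rejecting malformed input."""
    try:
        raw = base64.b64decode(b64_key.strip(), validate=True).decode("ascii")
    except ValueError as exc:          # binascii.Error and UnicodeDecodeError
        raise ValueError(f"not a base64 agent key: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 'ID NAME IP KEY', got {len(parts)} fields")
    agent_id, name, addr, key = parts
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"bad agent id {agent_id!r}")
    if not name:
        raise ValueError("empty agent name")
    if addr != "any":
        ipaddress.ip_network(addr, strict=False)   # raises ValueError on junk
    if not re.fullmatch(r"[0-9a-f]{64}", key):
        raise ValueError("key is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": addr, "key": key}

def key_matches(b64_key, expected_id, expected_name):
    """True only if the key decodes cleanly and names the agent just added."""
    try:
        fields = parse_agent_key(b64_key)
    except ValueError:
        return False
    return fields["id"] == expected_id and fields["name"] == expected_name

if __name__ == "__main__":
    print(parse_agent_key(EXTRACTED_KEY))
    print(key_matches(EXTRACTED_KEY, "001", "agent1"))
```

The key shown in the transcript decodes to ID 002, not the 001 the prompt suggested, so key_matches(EXTRACTED_KEY, "001", "agent1") returns False; the ID embedded in the key is the one the agent will register with.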
Monday, January 28, 2013
Windows Updates problem
General Windows Update Troubleshooting
The following outlines how to stop services pertaining to Windows Update, rename system folders, register related DLL files, and then restart the previously mentioned services. This troubleshooting generally applies to all Windows Update related issues.
Stopping services pertaining to Windows Update
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and select Run as Administrator.
2. If you receive a notification from User Account Control simply click Continue.
3. At the command prompt, type the following commands, and then press ENTER after each command:
net stop wuauserv
net stop bits
net stop cryptsvc
4. Please do not close the Command Prompt window.
Renaming folders pertaining to Windows Update
1. At the command prompt, type the following commands, and then press Enter after each command:
ren %systemroot%\System32\Catroot2 Catroot2.old
ren %systemroot%\SoftwareDistribution SoftwareDistribution.old
2. Please do not close the Command Prompt window.
Registering DLLs pertaining to Windows Update
1. Please copy and paste the following text into a new Notepad document, and save the file as WindowsUpdate.BAT
2. If saved correctly the icon will change from a Notepad file to a BAT file, which has two blue cogs as its icon.
-or-
3. You can manually type each command at the command prompt:
regsvr32 c:\windows\system32\vbscript.dll /s
regsvr32 c:\windows\system32\mshtml.dll /s
regsvr32 c:\windows\system32\msjava.dll /s
regsvr32 c:\windows\system32\jscript.dll /s
regsvr32 c:\windows\system32\msxml.dll /s
regsvr32 c:\windows\system32\actxprxy.dll /s
regsvr32 c:\windows\system32\shdocvw.dll /s
regsvr32 wuapi.dll /s
regsvr32 wuaueng1.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wucltui.dll /s
regsvr32 wups2.dll /s
regsvr32 wups.dll /s
regsvr32 wuweb.dll /s
regsvr32 Softpub.dll /s
regsvr32 Mssip32.dll /s
regsvr32 Initpki.dll /s
regsvr32 softpub.dll /s
regsvr32 wintrust.dll /s
regsvr32 initpki.dll /s
regsvr32 dssenh.dll /s
regsvr32 rsaenh.dll /s
regsvr32 gpkcsp.dll /s
regsvr32 sccbase.dll /s
regsvr32 slbcsp.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 Urlmon.dll /s
regsvr32 Shdocvw.dll /s
regsvr32 Msjava.dll /s
regsvr32 Actxprxy.dll /s
regsvr32 Oleaut32.dll /s
regsvr32 Mshtml.dll /s
regsvr32 msxml.dll /s
regsvr32 msxml2.dll /s
regsvr32 msxml3.dll /s
regsvr32 Browseui.dll /s
regsvr32 shell32.dll /s
regsvr32 wuapi.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wuaueng1.dll /s
regsvr32 wucltui.dll /s
regsvr32 wups.dll /s
regsvr32 wuweb.dll /s
regsvr32 jscript.dll /s
regsvr32 atl.dll /s
regsvr32 Mssip32.dll /s
Restarting services pertaining to Windows Update
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and select Run as Administrator.
2. If you receive a notification from User Account Control simply click Continue.
3. At the command prompt, type the following commands, and then press ENTER after each command:
net start wuauserv
net start bits
net start cryptsvc
exit
4. Now please check for updates using Windows Update.
Sunday, December 30, 2012
Sguil & Squert password reset
Re-add a user with:
sguild-add-user USERNAME PASSWORD
If you'd rather not put your Sguil password into your bash history, then you can try nsm_server_user-add. It's an interactive wrapper around sguild-add-user.
(You can use "history -c" to clear your history if you have concerns about leaving your password there, or type a space before the command so it is not written to .bash_history; the latter only works when HISTCONTROL includes ignorespace or ignoreboth.)
Wednesday, December 19, 2012
Ubuntu - Clean Up Old Crash Reports
Clean Up Old Crash Reports
If your Ubuntu system always pops up a dialog saying "System program problem detected" each time you log in even though you've already reported the problem, you might need to clean up all old crash reports by entering the command line below in the Terminal.
- Press Ctrl-Alt-T to run Terminal.
- Copy and paste sudo rm /var/crash/* in the Terminal and press Enter.