AlienVault OSSIM: Invalid 'if_sid' error - networking

I do not know if the question is considered to be related to programming, but I'll try anyway. I'm new to the Alienvault OSSIM System.
I'm trying to learn how to make my own rules, but unfortunately I am having some difficulty.
I created a simple rule in the rules file "local.rules" inside of the Snort rules folder.
alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)
This rule triggers after an icmp ping from any machine to any machine.
I checked if Snort deals with this rule, and indeed its records appear in the snort log file.
From the searches I've done about this, I realized that after a change in the rules files I must run the script below for the purpose of mapping rules files.
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
Then I created the following OSSIM rule in local_rules.xml file:
<group name="local,syslog,">
<rule id="100020" level="2">
<if_sid>250888</if_sid>
<description>it's a new rule that i write myself!!</description>
</rule>
</group>
After a system reboot I sent some pings to the machine, but the rule did not appear as an occurrence in the alert log. And in the OSSIM system error log this appears:
2014/08/06 11:30:59 rules_list: Signature ID '250888' not found. Invalid 'if_sid'.
Can someone explain to me what I am doing wrong?

I'm not familiar with Alienvault OSSIM System, but from a snort standpoint, this is an invalid sid for a local rule. SIDs for local rules must be >= 1,000,000 as these are reserved for rules included with the Snort distribution (See documentation on this here). Perhaps try changing the sid to 1000000 (or 1250888 if you want to keep the 250888 part).

If you create a rule in Snort you don't need to create a rule in local_rules.xml.
After you change the local.rules of Snort
any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)
and run this command
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
go to web interface > configuration > THREAT INTELLIGENCE > Data source > Data source id 1001.
In the Search input write the sid of your rule (250888) and you will find your rule.
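The two answers make two separate points: the SID sits in the range reserved for distributed rules, and the `if_sid` must name a SID that the sidmap actually contains. The script below is an added example, not part of the question or answers: it parses Snort rule lines for sid/rev/msg the way a sidmap does, flags SIDs below 1,000,000 (the threshold the first answer cites), and checks every `<if_sid>` in a local_rules.xml against the parsed SIDs, which is the check behind the "Signature ID ... not found. Invalid 'if_sid'" message. The rule file and XML are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for distributed rule sets

# Constructed sample standing in for /etc/snort/rules/local.rules
LOCAL_RULES = """\
# ping rule from the question, SID inside the reserved range
alert icmp any any <> any any (msg:"simple ping rule."; icode:0; itype:0; classtype:icmp-event; sid:250888; rev:5;)
alert tcp any any -> any 22 (msg:"local ssh probe"; sid:1000001; rev:1;)
"""

# Constructed sample standing in for local_rules.xml; the last rule names a SID no Snort rule defines
LOCAL_RULES_XML = """\
<group name="local,syslog,">
  <rule id="100020" level="2"><if_sid>250888</if_sid><description>ping</description></rule>
  <rule id="100021" level="2"><if_sid>1000001</if_sid><description>ssh</description></rule>
  <rule id="100022" level="2"><if_sid>1000099</if_sid><description>typo</description></rule>
</group>
"""

# Rule option parser: key:value; where the value may be a quoted string
OPT = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rules(text):
    """Map sid -> {msg, rev} for every rule line, the information a sidmap carries."""
    sidmap = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue
        opts = dict(OPT.findall(line[line.index("(") + 1:line.rindex(")")]))
        if "sid" in opts:
            sidmap[int(opts["sid"])] = {"msg": opts.get("msg", "").strip('"'),
                                        "rev": int(opts.get("rev") or 0)}
    return sidmap

def reserved_sids(sidmap):
    """Local SIDs that collide with the reserved range (the first answer's point)."""
    return sorted(s for s in sidmap if s < LOCAL_SID_MIN)

def invalid_if_sids(xml_text, sidmap):
    """Every <if_sid> that no parsed Snort rule defines; these produce 'Invalid if_sid'."""
    root = ET.fromstring(xml_text)
    return sorted({int(e.text) for e in root.iter("if_sid") if int(e.text) not in sidmap})

if __name__ == "__main__":
    sids = parse_rules(LOCAL_RULES)
    print("reserved-range SIDs:", reserved_sids(sids))
    print("if_sid without a rule:", invalid_if_sids(LOCAL_RULES_XML, sids))
```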

Related

Grakn Error; trying to load schema for "phone calls" example

I am trying to run the example grakn migration "phone_calls" (using python and JSON files).
Before reaching there, I need to load the schema, but I am having trouble with getting the schema loaded, as shown here: https://dev.grakn.ai/docs/examples/phone-calls-schema
System:
-Mac OS 10.15
-grakn-core 1.8.3
-python 3.7.3
The grakn server is started. I checked and the 48555 TCP port is open, so I don't think there is any firewall issue. The schema file is in the same folder (phone_calls) as the JSON data files are, for the next step. I am using a virtual environment. The error is below:
(project1_env) (base) tiffanytoor1#MacBook-Pro-2 onco % grakn server start
Storage is already running
Grakn Core Server is already running
(project1_env) (base) tiffanytoor1#MacBook-Pro-2 onco % grakn console --keyspace phone_calls --file phone_calls/schema.gql
Unable to create connection to Grakn instance at localhost:48555
Cause: io.grpc.StatusRuntimeException
UNKNOWN: Could not reach any contact point, make sure you've provided valid addresses (showing first 1, use getErrors() for more: Node(endPoint=/127.0.0.1:9042, hostId=null, hashCode=5f59fd46): com.datastax.oss.driver.api.core.connection.ConnectionInitException: [JanusGraph Session|control|connecting...] init query OPTIONS: error writing ). Please check server logs for the stack trace.
I would appreciate any help! Thanks!
Never mind -- I found the solution, in case anyone else runs into a similar problem. The server configuration file needs to be edited: point the data directory to your project data files (here: the phone_calls data files) & change the server IP address to your own.

Wildfly 10 Sys-log-handler printing with Byte_order_mark <feff>

I have configured a syslog-handler in WildFly-10 Standalone.xml as below
<syslog-handler name="mysyslog">
<level name="INFO"/>
<hostname value="localhost"/>
<app-name value="myappserver"/>
<facility value="local-use-7"/>
</syslog-handler>
I have added rules in rsyslog.d as
if $programname == 'myappserver' then /tmp/mysyslog.log
When I check the mysyslog file I can see <feff> characters.
These characters are appended by WildFly itself before sending it to rsyslog.
Can you please let me know how to get rid of these from my logs?
I referred to this link https://en.wikipedia.org/wiki/Byte_order_mark and it indicated that these are BOM characters.
That is per the RFC 5424 spec that the BOM is added. A simple workaround is to override the encoding. Unfortunately the standard syslog server management resource doesn't allow for an encoding to be set. There is an issue filed to fix this though.
However you could use a custom-handler to override this and use an encoding like US-ASCII to change the encoding which would remove the BOM. The following CLI commands should create a syslog handler similar to the one you have configured.
/subsystem=logging/pattern-formatter=syslog-pattern:add(pattern="(%t) %s%e")
/subsystem=logging/custom-handler=syslog:add(module=org.jboss.logmanager, class=org.jboss.logmanager.handlers.SyslogHandler, named-formatter=syslog-pattern, level=INFO, properties={hostname=localhost, appName="myappserver", facility="LOCAL_USE_7", encoding="US-ASCII", syslogType=RFC5424})
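To make the answer concrete, here is an added example (not from the question, the answer, or WildFly's own code) of where the U+FEFF comes from: RFC 5424 puts the BOM at the start of a UTF-8 MSG part, and a receiver that stores the body byte for byte keeps it. The builder models the answer's claim, taken here as an assumption, that the handler only prepends the BOM for UTF-8, so US-ASCII suppresses it; the message content is constructed.

```python
import re

BOM = b"\xef\xbb\xbf"  # UTF-8 encoding of U+FEFF
# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [SP MSG]
HEADER = re.compile(rb"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?")

def build_rfc5424(text, encoding="utf-8", pri=190, app="myappserver"):
    """Build a message the way the answer describes the handler behaving (assumption):
    the BOM is prepended only when MSG is UTF-8, so an ASCII encoding suppresses it."""
    header = f"<{pri}>1 2015-01-01T12:00:00.000Z localhost {app} 1234 - - ".encode("ascii")
    body = text.encode(encoding)
    if encoding.lower().replace("-", "").replace("_", "") == "utf8":
        body = BOM + body
    return header + body

def parse_rfc5424(raw):
    """Split the header from MSG, strip a leading BOM and report whether one was present."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    msg = raw[m.end():]
    has_bom = msg.startswith(BOM)
    if has_bom:
        msg = msg[len(BOM):]
    return {"facility": pri // 8, "severity": pri % 8, "appname": m.group(5).decode(),
            "bom": has_bom, "msg": msg.decode("utf-8")}

def naive_msg(raw):
    """What a receiver that never strips the BOM stores: U+FEFF leads the text."""
    return raw[HEADER.match(raw).end():].decode("utf-8")

# Constructed message: facility local7 (23) * 8 + severity info (6) = PRI 190
SAMPLE = build_rfc5424("(main) Server started")
```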

Trouble creating/using snort rules in terminal (OS: VM Mint 17)

I am using snort 2.9.6 and am having trouble getting my rules to run. When I run snort I receive the following error
Initializing rule chains...
ERROR: /etc/snort/rules/(1) Unknown rule type alert
Fatal Error, Quitting..
I have tried copying/using multiple rules from other rules files, etc., so that they would have the correct syntax, yet none of them seem to be working.
Here's an example of a rule I am trying just as a catch all over tcp in order to verify that the rules are being executed
Example: alert tcp any any -> 172.16.136.129 any (msg:"any, any"; sid:1000011;)
Does anyone have any ideas as to what the problem may be?
Thanks for your help

PSFTP open for write: failure

I am uploading a file from a collection of different servers to one data server. I am using psftp and one out of 20+ servers is producing a permissions problem.
Remote working directory is /
psftp> cd Remote_Directory\
Remote directory is now /Remote_Directory/
psftp> put C:\folders\containing\file\FILE.zip
/Remote_Directory/: open for write: failure
psftp> quit
It appears like a permissions issue on the remote directory, however, why am I only getting the issue on one server? The batch is identical on all of the 20+ servers.
The put command expects a file name at the end of the destination location.
Please try the following code
put C:\folders\containing\file\FILE.zip /Remote_Directory/FILE.zip
The path in the error message is the exact path of the remote file that psftp tried to create. See outfname in the code snippet below:
req = fxp_open_send(outfname,
SSH_FXF_WRITE | SSH_FXF_CREAT | SSH_FXF_TRUNC,
&attrs);
...
printf("%s: open for write: %s\n", outfname, fxp_error());
As the path is obviously not correct (lacks file name), it seems that psftp got confused somehow. I believe it's likely due to wrong (back)slash you have used in the cd command.
Try cd Remote_Directory/.
In my case, it's a permission issue on the remote server, i.e. the account you are using to log on doesn't have the write permission for the remote folder.

Rmpi, OpenCPU, and Apparmor: DENIED request for "/"

I have an R package that sends out a job to the OpenMPI cluster I have running by means of the Rmpi package. All works as expected within an R session run from the console. However, when I try to execute the relevant function from my OpenCPU server like this (details changed to protect the innocent):
curl -XPOST http://99.999.999.99/ocpu/library/MyPackage/R/my_cluster_function
I get this error:
R call failed: process died.
(Other, non-cluster calling functions within the package work as expected via OpenCPU). I noticed in /var/log/kern.log a variety of requests being DENIED by apparmor, and I have been able to resolve most of them by adding entries into /etc/apparmor.d/opencpu.d/custom to allow OpenMPI to access the files it needs. However, I cannot resolve these two issues (again, IP address changed) related to "open" requests for location "/":
Oct 26 03:49:58 99.999.999.99 kernel: [142952.551234] type=1400 audit(1414295398.849:957): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:49:58 99.999.999.99 kernel: [142952.556422] type=1400 audit(1414295398.857:958): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Adding this to my apparmor rules did not help:
/* r,
Two questions:
Why is opencpu trying to read from my root level directory (or does this mean something else)?
More urgently, how can I resolve this apparmor issue?
Thanks.
You might need to add both apparmor rules:
/ r,
/* r,
The first rule allows directory listing of / and the second rule allows read access to any file under /.
I don't understand why Rmpi wants to read / or why you were getting a process died error instead of access denied. Are you sure the problem is completely resolved?
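As an added example, not from the question or the answer, the script below parses apparmor="DENIED" audit records like the two in the question out of a kern.log excerpt and derives the minimal rule lines per profile: a directory path yields the pair the answer gives, a file path a single line. The log excerpt is constructed (the question's two lines plus one file denial with a made-up path); `/* r,` is deliberately reported as-is so it can be reviewed before it is granted.

```python
import re

AUDIT = re.compile(
    r'apparmor="(?P<action>\w+)" operation="(?P<op>\w+)" profile="(?P<profile>[^"]+)" '
    r'name="(?P<name>[^"]+)" pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)" '
    r'requested_mask="(?P<req>\w+)" denied_mask="(?P<denied>\w+)"')

# Constructed kern.log excerpt: the question's two lines plus one file denial (path made up)
KERN_LOG = """\
Oct 26 03:49:58 99.999.999.99 kernel: [142952.551234] type=1400 audit(1414295398.849:957): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:49:58 99.999.999.99 kernel: [142952.556422] type=1400 audit(1414295398.857:958): apparmor="DENIED" operation="open" profile="opencpu-main" name="/" pid=22485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Oct 26 03:50:01 99.999.999.99 kernel: [142955.100000] type=1400 audit(1414295401.100:959): apparmor="DENIED" operation="open" profile="opencpu-main" name="/etc/hosts" pid=22486 comm="orted" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

def parse_denials(text):
    """Return the field dict of every apparmor="DENIED" audit record in the text."""
    return [m.groupdict() for m in (AUDIT.search(line) for line in text.splitlines())
            if m and m.group("action") == "DENIED"]

def suggested_rules(denials):
    """Per profile, the minimal rule lines for the denied masks.
    A directory path gets the pair the answer gives: '/ r,' for the directory itself
    (listing) and '/* r,' for entries directly under it (AppArmor '*' does not recurse).
    A file path gets one line. '/* r,' grants read on every top-level path, so it
    should be reviewed before being added to the profile."""
    rules = {}
    for d in denials:
        name, mask = d["name"], d["denied"]
        if name.endswith("/"):
            lines = (f"{name} {mask},", f"{name}* {mask},")
        else:
            lines = (f"{name} {mask},",)
        rules.setdefault(d["profile"], set()).update(lines)
    return {profile: sorted(lines) for profile, lines in rules.items()}

if __name__ == "__main__":
    for profile, lines in suggested_rules(parse_denials(KERN_LOG)).items():
        print(profile, lines)
```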
