    Posts

    • How can I write two separate outputs from one command?

      I am working on creating some custom logging rules for clamav. The default output from a scan is extremely long as it reports every file. The default logging doesn't even include a timestamp 🤦 so I added that to each entry of the log file. What I really want to capture is FOUND for when an infection is found, and I want to capture Mon Dec 9 19:29:53 UTC 2019Scanned files: 45 which tells me the scan was completed and how many files were scanned.

      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/dshield.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-games.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-worm.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-tftp.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-icmp_info.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-policy.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-shellcode.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-info.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-smtp.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-pop3.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-current_events.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-attack_response.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-mobile_malware.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/tor.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-p2p.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-web_server.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-telnet.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-dns.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-scan.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-dos.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-malware.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-ftp.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/botcc.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-rpc.rules: OK
      Mon Dec  9 19:29:53 UTC 2019/tmp/clamav_test/emerging-snmp.rules: OK
      Mon Dec  9 19:29:53 UTC 2019
      Mon Dec  9 19:29:53 UTC 2019----------- SCAN SUMMARY -----------
      Mon Dec  9 19:29:53 UTC 2019Known viruses: 6594198
      Mon Dec  9 19:29:53 UTC 2019Engine version: 0.101.4
      Mon Dec  9 19:29:53 UTC 2019Scanned directories: 1
      Mon Dec  9 19:29:53 UTC 2019Scanned files: 45
      Mon Dec  9 19:29:53 UTC 2019Infected files: 2
      Mon Dec  9 19:29:53 UTC 2019Data scanned: 38.73 MB
      Mon Dec  9 19:29:53 UTC 2019Data read: 15.07 MB (ratio 2.57:1)
      Mon Dec  9 19:29:53 UTC 2019Time: 50.946 sec (0 m 50 s)
      
      

      This will capture any infections and write them here:
      clamscan -r --exclude=/sys | grep "FOUND" | sed "s/^/$(date)/ " >> /var/log/clamav/alerts/infections.log

      This will capture the Scanned files line at the completion of the output:
      clamscan -r --exclude=/sys | grep "Scanned" | sed "s/^/$(date)/ " >> /var/log/clamav/alerts/scans.log

      How the hell can I do that with one command?

      posted in IT Discussion
      IRJ
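      An added example, not code from the post above or from ClamAV: a single POSIX shell pipeline that reads the clamscan output once and writes the two line types to two files. The log paths are passed as arguments (the post used /var/log/clamav/alerts/infections.log and scans.log), and the sample scan output embedded below is constructed from a few lines of the post's run.

```shell
#!/bin/sh
# Added example, not code from the forum post: read the clamscan output once and
# route the two line types the post wants into two separate log files in a single
# pipeline. Paths are arguments; the post used /var/log/clamav/alerts/*.log.

# split_clam_output INFECTIONS_LOG SCANS_LOG
# Reads clamscan output on stdin. "... FOUND" lines go to INFECTIONS_LOG and the
# "Scanned files: N" summary line goes to SCANS_LOG. Everything else is dropped.
split_clam_output() {
    infections_log="$1"
    scans_log="$2"
    # One timestamp per run, like the post's sed "s/^/$(date)/": the shell expands
    # $(date) once before the pipeline starts, which is why every line in the
    # post's log carries the same time. A space separates it from the line here.
    stamp="$(date)"
    while IFS= read -r line; do
        case "$line" in
            *" FOUND")         printf '%s %s\n' "$stamp" "$line" >> "$infections_log" ;;
            "Scanned files:"*) printf '%s %s\n' "$stamp" "$line" >> "$scans_log" ;;
        esac
    done
}

# Constructed sample of clamscan output (a few lines taken from the post's run).
SAMPLE_SCAN_OUTPUT='/tmp/clamav_test/dshield.rules: OK
/tmp/clamav_test/emerging-deleted.rules: Html.Trojan.Blackhole-65 FOUND
/tmp/clamav_test/emerging-icmp_info.rules: OK
/tmp/clamav_test/emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 45
Infected files: 2'

# run_demo: feed the sample through the splitter into a temporary directory and
# print that directory so the two resulting logs can be inspected.
run_demo() {
    dir="$(mktemp -d)"
    printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | split_clam_output "$dir/infections.log" "$dir/scans.log"
    printf '%s\n' "$dir"
}

# Real use (the post's command with both grep|sed stages replaced by the function):
#   clamscan -r --exclude=/sys | split_clam_output /var/log/clamav/alerts/infections.log /var/log/clamav/alerts/scans.log

demo_dir="$(run_demo)"
echo "infections -> $demo_dir/infections.log"
cat "$demo_dir/infections.log"
echo "scans -> $demo_dir/scans.log"
cat "$demo_dir/scans.log"
```

      With bash the same split is often written with `tee` and process substitution, `clamscan ... | tee >(grep FOUND >> a.log) | grep Scanned >> b.log`, but that syntax is bash-only and each branch needs its own timestamp stage; the loop above runs under /bin/sh as well, which matters when the script is called from cron or a timer with a plain sh interpreter.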
    • RE: How can I write two separate outputs from one command?

      @stacksofplates said in How can I write two separate outputs from one command?:

      @IRJ said in How can I write two separate outputs from one command?:

      I ended up moving out of /tmp and the permission issue was fixed. It still failed because I wasn't specifying /bin/bash before the script file. Once I changed that it worked.

      Ah ok. Did you have #!/bin/bash in the script? I've never had it complain about that before?

      Nope lol.

      posted in IT Discussion
      IRJ
    • RE: Wazuh - operational and can add agents - now what

      None of those rules displayed are true correlations like you are looking to do.

      So you need to go to /var/ossec/etc/rules and create a new file called smb_security_correlations.xml

      Note: I like to specify rule ranges and make notes in my custom rule files.

      <!-- ################################### -->
      <!-- # SMB Security Correlations       # -->
      <!-- ################################### -->

      <!-- ################################### -->
      <!-- # Rule numbers 100100 - 100150    # -->
      <!-- ################################### -->

      <group name="smb_security_correlations,">

        <rule id="100100" level="8" frequency="6" timeframe="360">
          <if_sid>13102</if_sid>
          <description>Multiple Failed Attempts on SMB Share</description>
          <group>smb_security_correlations,</group>
        </rule>

      </group>


      This will create a level 8 alert if there are 5 failed attempts within a 90 second time frame.

      posted in IT Discussion
      IRJ
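      An added example, not part of the post above or of Wazuh itself: a small pre-restart sanity check for a custom rules file such as the smb_security_correlations.xml described there. It checks that every `<rule id="...">` lies inside Wazuh's reserved range for local rules (100000-120000) and inside the "Rule numbers A - B" range declared in the file's own header comment (the post's convention), flags duplicate ids, and, if xmllint is installed, checks well-formedness, since the manager will not start on a broken rules file. The rule written out by `write_sample` is the post's rule, embedded as constructed input.

```shell
#!/bin/sh
# Added example, not from the forum post: sanity-check a Wazuh custom rules file
# before restarting the manager. Wazuh reserves ids 100000-120000 for local rules.

CUSTOM_ID_MIN=100000
CUSTOM_ID_MAX=120000

# check_rule_file FILE
# Prints one problem per line; returns 0 only when no problem was found.
check_rule_file() {
    file="$1"
    problems=0
    # Range declared in the header comment, e.g. "Rule numbers 100100 - 100150".
    declared="$(sed -n 's/.*Rule numbers[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*-[[:space:]]*\([0-9]\{1,\}\).*/\1 \2/p' "$file" | head -n 1)"
    if [ -n "$declared" ]; then
        low="${declared% *}"
        high="${declared#* }"
    fi
    # Every <rule ... id="N"> in the file, one id per line.
    ids="$(sed -n 's/.*<rule[^>]*[[:space:]]id="\([0-9]\{1,\}\)".*/\1/p' "$file")"
    if [ -z "$ids" ]; then
        echo "no <rule id=...> elements found"
        return 1
    fi
    for id in $ids; do
        if [ "$id" -lt "$CUSTOM_ID_MIN" ] || [ "$id" -gt "$CUSTOM_ID_MAX" ]; then
            echo "$id: outside Wazuh custom range $CUSTOM_ID_MIN-$CUSTOM_ID_MAX"
            problems=$((problems + 1))
        fi
        if [ -n "$declared" ] && { [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; }; then
            echo "$id: outside declared range $low-$high"
            problems=$((problems + 1))
        fi
    done
    for id in $(printf '%s\n' $ids | sort | uniq -d); do
        echo "$id: duplicate id"
        problems=$((problems + 1))
    done
    if command -v xmllint >/dev/null 2>&1; then
        # A rules file may hold several top-level <group> elements, so wrap it
        # in one root before asking xmllint whether it is well-formed.
        if ! { printf '<wrapper>'; cat "$file"; printf '</wrapper>'; } | xmllint --noout - 2>/dev/null; then
            echo "not well-formed XML"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# write_sample: write the post's rule to a temporary file (constructed sample input)
# and print the file name.
write_sample() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
<!-- ################################### -->
<!-- # Rule numbers 100100 - 100150    # -->
<!-- ################################### -->

<group name="smb_security_correlations,">

<rule id="100100" level="8" frequency="6" timeframe="360">
  <if_sid>13102</if_sid>
  <description>Multiple Failed Attempts on SMB Share</description>
  <group>smb_security_correlations,</group>
</rule>

</group>
EOF
    printf '%s\n' "$f"
}

# Real use:  check_rule_file /var/ossec/etc/rules/smb_security_correlations.xml && systemctl restart wazuh-manager
sample="$(write_sample)"
if check_rule_file "$sample"; then
    echo "$sample: OK"
fi
```

      Running the check against a rule whose id falls outside the declared range prints `100200: outside declared range 100100-100150` and exits nonzero, which is what makes it usable as a gate in front of the manager restart.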
    • RE: Wazuh - operational and can add agents - now what

      @DustinB3403 said in Wazuh - operational and can add agents - now what:

      @IRJ How are rulesets installed?

      They are in your /var/ossec/rules directory. You should not change those rules ever.

      Any new rules, you will need to put in /var/ossec/etc/rules like I explained in previous post.

      posted in IT Discussion
      IRJ
    • RE: Wazuh - operational and can add agents - now what

      @DustinB3403

      This is how you verify rule ID numbers:

      c2826081-0d96-4382-a777-fa5644cf47e9-image.png

      Then you open the rule file:

      bf7fbc92-da9a-4ee0-b147-9baee6dd8646-image.png

      posted in IT Discussion
      IRJ
    • Very Slow Sudo

      I am on an Ubuntu 18.04 system that is very slow when issuing any command via sudo. It can take 30 seconds for the command to complete. Any other command is completed instantaneously.

      The system has very little CPU and memory usage with no resource issues over a very long period of time. If I do sudo su and switch to root, I am able to run commands simultaneously. It is only an issue when running sudo.

      posted in IT Discussion
      IRJ
    • RE: Very Slow Sudo

      @black3dynamite said in Very Slow Sudo:

      @IRJ said in Very Slow Sudo:

      @DustinB3403 said in Very Slow Sudo:

      Maybe this?

      Another option would be update to current and see if the issue persists.

      No effect.

      I already had 127.0.0.1 localhost. I tried 127.0.0.1 systemname and it made no difference.

      Shouldn't it be 127.0.0.1 localhost and 127.0.1.1 systemname?

      As far as I know, all 127.* is the same loopback address.

      posted in IT Discussion
      IRJ
    • RE: Kibana Wazuh Agent isn't showing anything in integrity

      1. FIM logs are transmitted over 1514 UDP just like other logs. So if you are getting other logs, this is not a network or Wazuh agent issue.

      2. Forget Kibana for now... Are these events showing up in /var/ossec/logs/ossec.log?

      posted in IT Discussion
      IRJ
    • RE: Any awesome paid linux desktop software out there?

      @Dashrender said in Any awesome paid linux desktop software out there?:

      wait - you're fishing for anything - just software in general - to waste a budget on? are you in one of those crazy companies that if you don't spend it, next year you get less?

      No I just said in the post above this that I only wanted something that would provide value and productivity. Not just anything lol.

      posted in IT Discussion
      IRJ
    • RE: Grow with Google Certs?

      @flaxking said in Grow with Google Certs?:

      Sure, it would help you get a job on our customer facing helpdesk

      Yeah and that's about it. If you already work in any IT capacity, this won't gain you anything.

      Like @Dashrender said, train for the job you want, not the one you have.

      posted in IT Discussion
      IRJ
    • RE: Rocket.chat December Update Removed the Password Field?

      Bad move by them as a lot of people are using tools like Slack instead of email (especially internally).

      posted in IT Discussion
      IRJ
    • RE: Windows 7 End of Life Countdown

      Non-genuine and unsupported are different in my eyes, but whatever, Microsoft.

      posted in IT Discussion
      IRJ
    • RE: Should SodiumSuite Be Open Source

      @coliver said in Should SodiumSuite Be Open Source:

      @IRJ said in Should SodiumSuite Be Open Source:

      @Obsolesce said in Should SodiumSuite Be Open Source:

      @scottalanmiller said in Should SodiumSuite Be Open Source:

      It's been kicked around but adds a ton of complication to any monetization strategy.

      You can't monetize something that doesn't exist!

      That is true as well. Open Source will dramatically reduce your development costs as you have interested parties actually contributing to the project.

      You could also do the open core model, which a lot of FOSS software does. Have the core functionality, maybe RMM specific stuff, be open source but all the "game changing" things be behind a pay wall.

      Wazuh Cloud is a cool offering. It gives you a 30 day trial on their cloud so you get used to it.

      https://wazuh.com/cloud/

      posted in IT Discussion
      IRJ
    • RE: Should SodiumSuite Be Open Source

      @Dashrender said in Should SodiumSuite Be Open Source:

      @scottalanmiller said in Should SodiumSuite Be Open Source:

      @stacksofplates said in Should SodiumSuite Be Open Source:

      Obviously you can do what you want since it's your software.

      It's our service, that's the key. If we were just making software, this would truly be a totally different discussion. If we were going to release this for others to operate, I'd be the first to champion open sourcing it. But as a pure service with no intent to release as software, it's not open source that you are actually trying to talk me into (I know you are just making points, but you know what I mean) but rather to release the service components as software at all. Once we are doing that, sure, open source makes the most sense.

      So let's reframe the discussion. The actual discussion becomes "should SS be released as software" rather than as a service? It is that that causes all of the concern. Making it available for others to operate when the value is less the software under the hood but the operational system that we are primarily looking to build. That we are making software is kind of an aside, it's all in the pursuit of building a service offering. Few people today talk about AWS software, they talk only about the service. But AWS has software under the hood putting it all together. But we overlook that as it is a pure service. It's not open or closed, because it isn't software at all in that context, just a service.

      That's where we are. The arguments that you are giving are why software should be open, but the issues we are concerned about are not that but that the software exist in the wild at all. So my responses are almost purely about that aspect of it. That's why my adherence to believing in open source for software feels at odds with my position here - because it's releasing as software that I'm stuck thinking about.

      Scott's company in this case is not a software vendor - they are a service provider, just like Starbucks is a place to buy premade coffee/snacks. Even though the company makes its own espresso machines, they don't sell them; Starbucks only sells the coffee made by those machines.

      Makes sense to me.

      Most open source projects are not software vendors. They don't sell the software. Sure, you can sell support if you would like, but you don't even have to do that. You could just sell it as SaaS and be done with it.

      Your company in that case would only sell a service, not software or support. So you could stagger releases and have better features on your SaaS version and have a legitimate open source project without selling software or even software support.

      posted in IT Discussion
      IRJ
    • RE: Anyway I can Learn AD?

      AD is something you have to know if you want to step up to more of a system administration role, but it's something that is fading out. AD will still be around for another 10 years, but adoption will only decrease going forward.

      I would do some AD training on Udemy or YouTube to get some basic knowledge as you do need it. However, I don't think it's the most marketable skill to push you to the next level and make you stick out from the crowd. Nearly all IT people with any experience have some level of AD experience.

      Office 365 / Intune is a better choice for system administrators going forward IMO. It's a skill that fewer people have in comparison to AD, so it will make you a bit more valuable if you can show competency in both. It will eventually replace AD / Exchange in environments.

      Once you master these areas, you can look towards more complex concepts like AWS and Azure.

      posted in IT Discussion
      IRJ
    • RE: Should SodiumSuite Be Open Source

      @Dashrender said in Should SodiumSuite Be Open Source:

      @IRJ said in Should SodiumSuite Be Open Source:

      @Dashrender said in Should SodiumSuite Be Open Source:

      @scottalanmiller said in Should SodiumSuite Be Open Source:

      @stacksofplates said in Should SodiumSuite Be Open Source:

      Obviously you can do what you want since it's your software.

      It's our service, that's the key. If we were just making software, this would truly be a totally different discussion. If we were going to release this for others to operate, I'd be the first to champion open sourcing it. But as a pure service with no intent to release as software, it's not open source that you are actually trying to talk me into (I know you are just making points, but you know what I mean) but rather to release the service components as software at all. Once we are doing that, sure, open source makes the most sense.

      So let's reframe the discussion. The actual discussion becomes "should SS be released as software" rather than as a service? It is that that causes all of the concern. Making it available for others to operate when the value is less the software under the hood but the operational system that we are primarily looking to build. That we are making software is kind of an aside, it's all in the pursuit of building a service offering. Few people today talk about AWS software, they talk only about the service. But AWS has software under the hood putting it all together. But we overlook that as it is a pure service. It's not open or closed, because it isn't software at all in that context, just a service.

      That's where we are. The arguments that you are giving are why software should be open, but the issues we are concerned about are not that but that the software exist in the wild at all. So my responses are almost purely about that aspect of it. That's why my adherence to believing in open source for software feels at odds with my position here - because it's releasing as software that I'm stuck thinking about.

      Scott's company in this case is not a software vendor - they are a service provider, just like Starbucks is a place to buy premade coffee/snacks. Even though the company makes its own espresso machines, they don't sell them; Starbucks only sells the coffee made by those machines.

      Makes sense to me.

      Most open source projects are not software vendors. They don't sell the software. Sure, you can sell support if you would like, but you don't even have to do that. You could just sell it as SaaS and be done with it.

      Your company in that case would only sell a service, not software or support. So you could stagger releases and have better features on your SaaS version and have a legitimate open source project without selling software or even software support.

      Sure you can do that, but that's super risky. As Scott said - some VC could just come along, take your code and stand up their own SaaS and undercut you all day long and never be under the costs of the original development. Of course, the new player could always just be a version or 2 behind because they solely rely on you (Scott's company in this case) releasing new versions... or they could hire in-house and start contributing or fork, etc. But all of those things take a ton of revenue away from the original SaaS creator.

      Scott asked if there is an example of a SaaS out there that is solely based on OS? He couldn't come up with any examples - can you?

      https://wazuh.com/

      Sure, MSPs host their own Wazuh instances and then come to the Wazuh team for support, but hey, some money is better than no money.

      Then you have plenty of customers who solely use the SaaS from Wazuh themselves.

      posted in IT Discussion
      IRJ
    • RE: Anyway I can Learn AD?

      @scottalanmiller said in Anyway I can Learn AD?:

      @IRJ said in Anyway I can Learn AD?:

      AD is something you have to know if you want to step up to more of a system administration role, but it's something that is fading out. AD will still be around for another 10 years, but adoption will only decrease going forward.

      Very true, I agree completely. Definitely a "need to know", but it's had a good 20 year run and isn't the "go to" solution that it once was.

      Definitely not a good path for someone early in their career to focus on. As mentioned, it's a need to know, but not something I would spend a lot of time on if I was early in my career. 90% of the IT market already has this skill, so it doesn't help your marketability at all.

      posted in IT Discussion
      IRJ
    • RE: Anyway I can Learn AD?

      @coliver said in Anyway I can Learn AD?:

      Honestly there really isn't much to AD that you will encounter on a day-to-day basis. A book may be overkill for it. The YouTube videos may be a good place to start but setting up an environment and using it will be the best way to learn.

      100% agree with this. There are better places to focus. I will catch shit for this, but you need to be going and trying to learn Office 365 in and out. If I was in an end user support role, that is the path I would be taking.

      Office 365 is in higher demand than AD for marketability. There may be fewer jobs that reference O365 vs AD, but the pool of qualified candidates for O365 is much smaller. So therefore it is more valuable and in higher demand.

      posted in IT Discussion
      IRJ
    • RE: SAMIT: Do You Really Need Active Directory

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I'm assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.

      AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.

      So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?

      I have 🙂

      I had to implement this with no centrally managed tool. I used Wazuh to create triggers for certain events to go to the SIEM.

      Based just on local logs I can:

      1. Know AV is currently running (systemctl timer that runs a service status check every 4 mins and writes to a log file if there are any issues)
      2. Know when scans were last run by ingesting completed scan logs and creating a low level entry in SIEM
      3. Know when the AV database was updated (also taken from the log file)
      4. Know when any infections are found. It will write to the log file and in my case send a high level alert.

      23aa02bd-9588-49d5-a638-ec724c6761f9-image.png

      The dashboard shows scans every 2 mins. I was running this when testing to see a list of events over time.

      posted in IT Discussion
      IRJ
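      An added example, not code from the post above: the "is AV running" check from item 1, written as a script for a systemd timer to call every 4 minutes. It asks systemd for the unit's state and appends a timestamped line to a log only when the unit is not active, so the log stays empty while things are healthy and any line in it is worth a SIEM rule. The unit name, log path and unit file names are assumptions passed as arguments; on Debian/Ubuntu the ClamAV scanner daemon unit is clamav-daemon.

```shell
#!/bin/sh
# Added example, not from the forum post: log when the AV daemon is not active, for
# a systemd timer to run every 4 minutes. Unit name and log path are arguments.

# av_status_check UNIT LOGFILE
# Returns 0 when UNIT is active; otherwise appends "<date> <unit>: <state>" to LOGFILE
# and returns 1. systemctl is-active prints the state and exits nonzero unless active.
av_status_check() {
    unit="$1"
    logfile="$2"
    state="$(systemctl is-active "$unit" 2>/dev/null)" || true
    if [ "$state" = "active" ]; then
        return 0
    fi
    printf '%s %s: %s\n' "$(date)" "$unit" "${state:-unknown}" >> "$logfile"
    return 1
}

# Assumed unit files that drive this script (shown here, not installed by it):
#
#   /etc/systemd/system/av-watch.service
#     [Unit]
#     Description=Log when the AV daemon is not active
#     [Service]
#     Type=oneshot
#     ExecStart=/usr/local/sbin/av-watch.sh clamav-daemon /var/log/clamav/alerts/status.log
#
#   /etc/systemd/system/av-watch.timer
#     [Unit]
#     Description=Run av-watch.service every 4 minutes
#     [Timer]
#     OnBootSec=2min
#     OnUnitActiveSec=4min
#     [Install]
#     WantedBy=timers.target
#
# Enable with: systemctl enable --now av-watch.timer

# Only act when called with both arguments, so sourcing this file just defines the
# function without touching any log.
if [ $# -eq 2 ]; then
    av_status_check "$1" "$2"
fi
```

      Because the log only ever receives problem lines, the Wazuh side needs nothing more than a localfile entry for it and a rule that alerts on any line; the absence of entries is the healthy state.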
    • RE: SAMIT: Do You Really Need Active Directory

      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      I had to implement this with no centrally managed tool. I used Wazuh to create triggers for certain events to go to the SIEM.

      Many RMM will do this, too.

      As will MeshCentral!

      Those are both central management tools, but non-Windows ones. MC is great for knowing that AV is installed and running at every machine.

      SIEM is nice to use because it's one location of truth to manage.

      posted in IT Discussion
      IRJ