Re: [ISSForum] AIX Server Sensor Not Working

Hi Zoran,

The syslog is running but not into a file. When I make
necessary changes to the syslog.conf, syslog messages
can show its events in the SP(like SU_login). But this
is not what I want, the events like
login_with_Administrative_privileges events didn't
show up(like someone doing telnet & accessing as
root). The only way I can do it is by using C2 audit.
Doing the C2 audit is really a big hassle as there's
another file to keep track on its size.

I already patched the system according to the article.

Best regards,
Kwan

--- Zoran Hrvoic <zoran4afc@hdinfo.hr> wrote:

> Hello,
>
> AFAIK, you can't run any UNIX ServerSensor without
> syslog.
>
> From the Server Sensor Installation Guide
> (RS_SvrSensor_IG_7.0.pdf):
> "... for UNIX sensors, you must enable syslog
> logging before any syslog
> based
> signatures can work (many non-network based
> signatures rely
> on the syslog)".
>
> You should also check the KB article #2902.
>
> Zoran
>
> ----- Original Message ----- 
> From: "Kwan Chee Kin" <kck3180@yahoo.com>
> To: "Zoran Hrvoic" <zoran4afc@hdinfo.hr>;
> <ISSForum@iss.net>
> Sent: Wednesday, March 16, 2005 3:20 PM
> Subject: Re: [ISSForum] AIX Server Sensor Not
> Working
>
>
> Hi,
> I'm not using any Syslog.
>
> Kwan
>
> --- Zoran Hrvoic <zoran4afc@hdinfo.hr> wrote:
> > I had a similar issue few years ago with AIX OS
> > Sensor.
> > Then the problem was trivial: the syslog daemon
> had
> > been writing to the
> > "/var/log/syslog.log" file, and the sensor
> expected
> > log in
> > "/var/log/syslog".
> > Check what is your syslog output file, and is it
> the
> > same file the sensor is
> > expecting.
> >
> > Zoran
> >
> >
> > ----- Original Message ----- 
> > From: "Kwan Chee Kin" <kck3180@yahoo.com>
> > To: "Andres Riancho" <andresit@fibertel.com.ar>;
> > <issforum@iss.net>
> > Sent: Saturday, March 12, 2005 10:24 AM
> > Subject: Re: [ISSForum] AIX Server Sensor Not
> > Working
> >
> >
> > Hi,
> >
> > Yes, I did try with another policy. It still won't
> > work. I did not install the network monitoring
> > component so I don't think that will work, will
> it?
> > I'm trying to get the auditting part work.
> >
> > Thanks.
> >
> > Best regards,
> > Kwan Chee Kin
> >
> > --- Andres Riancho <andresit@fibertel.com.ar>
> wrote:
> > > Have you tried with another policy ? Maybe you
> > could
> > > try to enable the event
> > > HTTP_GET for testing.
> > >
> > > Cheers ,
> > >
> > > Andres Riancho
> > >
> > > ----- Original Message ----- 
> > > From: "Kwan Chee Kin" <kck3180@yahoo.com>
> > > To: <issforum@iss.net>
> > > Sent: Thursday, March 10, 2005 7:32 AM
> > > Subject: [ISSForum] AIX Server Sensor Not
> Working
> > > > Hi,
> > > > I installed RS Server Sensor 7 on both AIX and
> > > > Windows. I got the Sensors on both platforms
> > > > communicating to the Site Protector 5. I
> applied
> > > the
> > > > default Attack_And_Audit_Policy into the
> > Sensors.
> > > Then
> > > > I tried to test on the audit part of this
> policy
> > > by
> > > > trying a brute force login to the Sensors.
> > > >
> > > > The Windows platform sensors shows me the
> events
> > > like
> > > > I expected but the AIX did not even show
> > anything.
> > > > There is not even an event showing 'root'
> access
> > > to
> > > > the system.
> > > >
> > > > I verified the Sensors is Active. Then I
> > verified
> > > that
> > > > the enforce audit policy is turned on in each
> > AIX
> > > > sensors and the Auditing in OS for the policy
> is
> > > > checked.
> > > >
> > > > What could be the problem? Anyone bump into
> such
> > > > problem before?
> > > > Will AIX sensors show me anything in the
> events
> > > like
> > > > telnet login?
> > > > Anyone knows any diagnostic tool I can check
> > > whether
> > > > the AIX sensor is working or not?
> > > >
> > > > Appreciate any comment.
> > > > Thank you.
> > > >
> > > > Best regards,
> > > > Kwan CK
> > __________________________________________________
> > > > Do You Yahoo!?
> > > > Tired of spam?  Yahoo! Mail has the best spam
> > > protection around
> > > > http://mail.yahoo.com
> _______________________________________________
> > > > ISSForum mailing list
> > > > ISSForum@iss.net
> > > >
> > > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go
> > to
> > >
> https://atla-mm1.iss.net/mailman/listinfo/issforum
> > > > To contact the ISSForum Moderator, send email
> to
> > > mod-issforum@iss.net
> > > > The ISSForum mailing list is hosted and
> managed
> > by
> > > Internet Security
> > > Systems, 6303 Barfield Road, Atlanta, Georgia,
> USA
> > > 30328.
> > > >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> > protection around
> > http://mail.yahoo.com
> > _______________________________________________
> > ISSForum mailing list
> > ISSForum@iss.net
> >
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> > To contact the ISSForum Moderator, send email to
> > mod-issforum@iss.net
> >
> > The ISSForum mailing list is hosted and managed by
> > Internet Security
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA
> > 30328.
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Small Business - Try our new resources site!
> http://smallbusiness.yahoo.com/resources/
=== message truncated ===



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.