Hi Jiri,

also you can run the command "/var/ossec/bin/agent_control -lc" to get the connected agents. Keep in mind that in order to know if an agent is connected, disconnected or never connected, OSSEC reads the modification date of the files in /var/ossec/queue/agent-info/*:

- if there is no file for the agent, the status is "never connected"
- if the modification time of the file is less than a defined timeout, the status is "active". If it is greater, then the status is "disconnected". The timeout is 3*NOTIFY_TIME+30; NOTIFY_TIME by default is 600 seconds.

Regarding the rules to detect DDoS attacks, you could create something like this:

local_rules.xml:

    <group name="attack,">
      <!-- composite rule: looks at alerts already tagged with the listed groups -->
      <rule id="200000" level="15" timeframe="300" frequency="3">
        <!-- any alert whose rule belongs to one of these groups counts as a match -->
        <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
        <!-- only matches coming from the same source IP are counted together -->
        <same_source_ip />
        <description>Attacks from same source IP</description>
      </rule>
    </group>

You are saying: if one of these groups (attack, attacks or automatic_attack) has matched in the last 300 seconds more than 5 times (frequency + 2) and the event comes from the same IP, it could be a DDoS attack. You can play with the variables (timeframe and frequency) or create new rules with a specific group and append it to the rule.

Regards.
Jesus Linares.

On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 5, 2016 at 2:12 PM, Jiri <necrosi...@gmail.com> wrote:
> > Hi,
> >
> > I just finished installing ossec on ubuntu as a server and windows agent on another computer. How do I test if my agent is successfully connected to me?
> > Also, can someone help me on creating rules to detect a DDoS attack or any attack on my server?
> >
>
> On the server you can run `/var/ossec/bin/list_agents -c` to see the connected agents.
> Check out the rules that already exist in /var/ossec/rules. They should be useful as a template.
> If you still need help, please ask.
>
> > Thanks,
> > Regards.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
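The agent-status logic described in the reply (no agent-info file means "never connected", a modification time younger than 3*NOTIFY_TIME+30 seconds means "active", anything older means "disconnected") can be replicated outside OSSEC, for example from a monitoring job that wants to alert on agents that silently stopped reporting. The script below is an added example, not OSSEC's own code; the agent-info file names, the fixed clock value and the modification times it writes into a temporary directory are constructed samples, and the `edge-agent` entry sits exactly on the timeout boundary to show that only a strictly smaller age counts as active.

```python
import os
import tempfile
import time

# OSSEC default NOTIFY_TIME in seconds, as stated in the reply above
DEFAULT_NOTIFY_TIME = 600


def agent_timeout(notify_time=DEFAULT_NOTIFY_TIME):
    """Seconds after the last agent-info update before the agent counts as disconnected."""
    return 3 * notify_time + 30


def agent_status(agent_info_dir, agent_file, notify_time=DEFAULT_NOTIFY_TIME, now=None):
    """Derive one agent's status from its file under queue/agent-info.

    agent_file is the file name OSSEC keeps for the agent (the names used in this
    example are constructed samples). now pins the clock so results are reproducible."""
    path = os.path.join(agent_info_dir, agent_file)
    if not os.path.exists(path):
        return "never connected"
    if now is None:
        now = time.time()
    age = now - os.path.getmtime(path)
    # strictly less than the timeout is active; equal or older is disconnected
    if age < agent_timeout(notify_time):
        return "active"
    return "disconnected"


def status_report(agent_info_dir, expected_agents, notify_time=DEFAULT_NOTIFY_TIME, now=None):
    """Map every expected agent file name to its status, so never-connected agents show up too."""
    return {name: agent_status(agent_info_dir, name, notify_time, now) for name in expected_agents}


def build_sample_agent_info(root, now):
    """Write constructed sample agent-info files with chosen modification times."""
    samples = {
        "win-agent-192.0.2.10": now - 60,     # checked in a minute ago
        "lin-agent-192.0.2.11": now - 5000,   # well past the 1830 s default timeout
        "edge-agent-192.0.2.12": now - 1830,  # exactly at the timeout boundary
    }
    for name, mtime in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (mtime, mtime))


def demo(now=1_000_000_000):
    """Build the samples in a temporary directory and return the status report."""
    expected = [
        "win-agent-192.0.2.10",
        "lin-agent-192.0.2.11",
        "edge-agent-192.0.2.12",
        "ghost-agent-192.0.2.13",  # constructed agent that never checked in: no file at all
    ]
    with tempfile.TemporaryDirectory() as root:
        build_sample_agent_info(root, now)
        return status_report(root, expected, now=now)


if __name__ == "__main__":
    for agent, status in demo().items():
        print(f"{agent}: {status}")
```

Pointing `status_report` at the real /var/ossec/queue/agent-info directory (with a list of the agent file names you expect to exist) gives the same answer `agent_control -lc` would, which is useful when the manager is checked by an external monitoring system rather than by hand.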
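To see what rule 200000 from the reply actually correlates, the following added example models its behaviour over a handful of constructed alerts: it counts events whose rule groups intersect attack/attacks/automatic_attack, keeps a per-source-IP window of the last `timeframe` seconds, and fires once `frequency + 2` matches (the threshold the reply states) are inside that window. This is an illustrative model written for this thread, not OSSEC's analysis engine; the sample events, the IP addresses and the choice to clear the per-IP window after each firing are assumptions of the example.

```python
import collections

# groups the reply's rule watches through <if_matched_group>
WATCHED_GROUPS = {"attacks", "attack", "automatic_attack"}

# constructed sample alerts: (seconds since start, groups of the matched rule, source IP)
SAMPLE_EVENTS = [
    (0,    ["attack"],           "203.0.113.5"),
    (30,   ["automatic_attack"], "203.0.113.5"),
    (60,   ["syslog"],           "203.0.113.5"),   # not an attack group: ignored
    (90,   ["attacks"],          "203.0.113.5"),
    (120,  ["attack"],           "198.51.100.7"),  # different source, counted separately
    (150,  ["attack"],           "203.0.113.5"),
    (200,  ["attack"],           "203.0.113.5"),   # fifth match from 203.0.113.5 within 300 s
    (250,  ["attack"],           "198.51.100.7"),
    (600,  ["attack"],           "203.0.113.5"),
    (650,  ["attack"],           "203.0.113.5"),
    (700,  ["attack"],           "203.0.113.5"),
    (750,  ["attack"],           "203.0.113.5"),   # only four matches in this window
    (1200, ["attack"],           "203.0.113.5"),   # the earlier four have aged out
]


def composite_rule_hits(events, watched_groups=WATCHED_GROUPS, timeframe=300, frequency=3):
    """Return (timestamp, source_ip) pairs at which the modelled rule fires.

    events must be in chronological order. The rule fires when frequency + 2
    matching events from one source IP fall inside timeframe seconds; the
    per-IP window is cleared after a firing (a simplification of this model)."""
    threshold = frequency + 2
    recent = collections.defaultdict(collections.deque)
    hits = []
    for ts, groups, srcip in events:
        if not watched_groups.intersection(groups):
            continue  # <if_matched_group> did not match
        window = recent[srcip]  # <same_source_ip />: one window per source
        window.append(ts)
        # drop matches older than the timeframe
        while ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= threshold:
            hits.append((ts, srcip))
            window.clear()
    return hits


if __name__ == "__main__":
    for ts, srcip in composite_rule_hits(SAMPLE_EVENTS):
        print(f"t={ts}s: Attacks from same source IP {srcip}")
```

Lowering `frequency` or raising `timeframe` in the call makes the model fire earlier, which is the "play with the variables" tuning the reply mentions; running it over a day of real alerts (as tuples built from alerts.log) is a cheap way to estimate how noisy a chosen pair of values would be before enabling the rule at level 15.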