Re: [ossec-list] Rootkit Checker High Load Question...

2018-01-15 Thread Anoop Perayil
Came across this -
http://www.ossec.net/files/ossec-hids-2.7-release-note.txt

=== Rootcheck 
== support rootcheck fine-grain configuration control -- yes/no of 
individual checks
   - etc/ossec.conf
 
  
   
yes
yes
yes
yes
yes
yes
yes
yes
 


I'll check if it's supported on v2.9.2 as well.

Thanks,
Anoop

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Any way to disable the netstat components of syscheckd/rootcheck?

2018-01-15 Thread Anoop Perayil
Hello All,

Do we have an option to disable the netstat checks via ossec.conf on 
v2.9.2? 

Thanks,
Anoop



Re: [ossec-list] Rootkit Checker High Load Question...

2018-01-15 Thread Anoop Perayil
Hello All,

Do we have an option to disable the netstat checks via ossec.conf on 
v2.9.2? 

Thanks,
Anoop



[ossec-list] Re: Any way to disable the netstat components of syscheckd/rootcheck?

2018-01-15 Thread Anoop Perayil
Do we have this feature to disable netstat on v2.9.2?

On Thursday, 22 March 2012 10:26:35 UTC+5:30, quanta wrote:
>
> Which block must I add this config to: , or anything else?
>
> Starting OSSEC: 2012/03/22 11:49:29 ossec-config(1230): ERROR: Invalid
> element in the configuration: 'rootkit'.
> 2012/03/22 11:49:29 ossec-config(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> 2012/03/22 11:49:29 ossec-syscheckd(1202): ERROR: Configuration error
> at '/var/ossec/etc/ossec.conf'. Exiting.
>[FAILED]
>
> On Jun 21 2011, 3:05 am, Christopher Moraes 
> wrote:
> >
> > This change adds the following configuration option in ossec.conf.
> > 
> > /dev
> > system
> > processes
> > allports
> > openports
> > interfaces
> > 
> >
> > The following comma separated notation is also supported
> > 
> > /dev, system, processes, allports, openports,
> > interfaces
> > 
> >
> > The values "/dev", "system", etc. must be spelled exactly as above (case is
> > not important).
> >
> > HTH,
> > Chris
>

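The 2.7 release-note excerpt quoted at the top of this page and Chris Moraes' older comma-separated list describe the same mechanism: a per-check switch inside the rootcheck block. As an added example (not OSSEC's code and not from any post here), the script below reads an ossec.conf and reports which rootcheck checks are on. The element names check_dev, check_sys, check_pids, check_ports, check_if, check_files, check_trojans and check_unixaudit are assumed from the 2.7+ syntax, as is the default that an absent element means the check is enabled, and the statement that check_ports is the check that compares against netstat is the editor's reading; verify all three against the release you run (the poster's question was about 2.9.2). The sample config is constructed.

```python
"""Report which rootcheck checks an ossec.conf enables.

Added example; not code from the OSSEC project or from the list posts.
Assumed: the per-check yes/no elements of OSSEC 2.7+ (check_dev, check_sys,
check_pids, check_ports, check_if, check_files, check_trojans,
check_unixaudit) and that a check is enabled when its element is absent.
"""
import sys
import xml.etree.ElementTree as ET

# Element name -> what the check covers. Names are assumed from the 2.7+
# syntax; which check invokes netstat is the editor's reading, not OSSEC docs.
ROOTCHECK_CHECKS = {
    "check_dev": "files hidden under /dev",
    "check_sys": "hidden files and anomalies in the filesystem",
    "check_pids": "hidden processes",
    "check_ports": "hidden/open ports (the check that compares with netstat)",
    "check_if": "interfaces in promiscuous mode",
    "check_files": "rootkit_files signature database",
    "check_trojans": "rootkit_trojans signature database",
    "check_unixaudit": "system_audit policy checks",
}


def parse_ossec_conf(text):
    """ossec.conf, like decoder.xml, may hold several top-level elements,
    which is why xmllint reports 'Extra content at the end of the document'.
    Wrapping the file in a synthetic root makes a strict parser accept it."""
    return ET.fromstring("<root>" + text + "</root>")


def rootcheck_status(text):
    """Return {check_name: enabled} over every <rootcheck> block in text."""
    status = {name: True for name in ROOTCHECK_CHECKS}  # assumed default: on
    for block in parse_ossec_conf(text).iter("rootcheck"):
        for name in ROOTCHECK_CHECKS:
            el = block.find(name)
            if el is not None and el.text:
                # Value is case-insensitive; anything other than "yes" is off.
                status[name] = el.text.strip().lower() == "yes"
    return status


def network_checks_enabled(text):
    """True while a check that inspects ports or interfaces is still on."""
    status = rootcheck_status(text)
    return status["check_ports"] or status["check_if"]


def report(text):
    """Human-readable table of the rootcheck settings."""
    lines = []
    for name, on in rootcheck_status(text).items():
        flag = "yes" if on else "no"
        lines.append(f"{name:16} {flag:3}  {ROOTCHECK_CHECKS[name]}")
    return "\n".join(lines)


# Constructed sample: two <ossec_config> roots, port/interface checks off.
SAMPLE_CONF = """<!-- constructed sample, not a real ossec.conf -->
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <check_ports>no</check_ports>
    <check_if>NO</check_if>
    <frequency>72000</frequency>
  </rootcheck>
</ossec_config>

<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
  </syscheck>
</ossec_config>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(report(text))
```

Run it with the path to an agent's ossec.conf (or the shared agent.conf pushed from the manager, which is where agent-side rootcheck settings usually live) to see the effective switches before restarting rootcheck; the synthetic-root trick is also the reason xmllint alone is a poor validator for OSSEC's config files.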


Re: [ossec-list] OSSEC UDP Ports

2017-04-27 Thread Anoop Perayil
Observed that the server initiates a connection to the client when we 
restart Syscheck/Rootcheck on an agent like -
./agent_control -r -u 001

a tcpdump on the agent shows -
15:59:22.034966 IP x.x.x.x.1514 > x.x.x.x.48902: UDP, length 73



[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Anoop Perayil
Yep, I have an agent on the localhost; actually, now that is the only 
active one. All the rest are disconnected since 
ossec-remoted is not running.

On Tuesday, 11 April 2017 00:04:46 UTC+5:30, Felix Martel wrote:
>
> Perhaps this is way off base, but have you added an agent for localhost ? 
> In my context of a new install, a ton of issues went away after I added an 
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the 
> key or anything. Once I did that, my queue errors went away and my agents 
> started reporting.
>
> If I have one rant regarding OSSEC HIDS, it's the structure and quality of 
> documentation: Sketchy at best... Doing a lot of poking in the dark to 
> solve issues.
>
> On Tuesday, October 11, 2016 at 2:22:03 PM UTC-4, Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading about the error on the list, lots of cases, and I got it 
>> too, but I ran out of ideas.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read that local_rules may have issues; tested with -t and no errors 
>> displayed, also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is also a file under /var/ossec/etc/decoder.xml that seems not good, 
>> is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>



Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Anoop Perayil
I am running OSSEC on a Security Onion build, Ubuntu 14.04.5 LTS.
The issue started after I added more disk, since I had run out of space in /.

On Monday, 10 April 2017 23:52:07 UTC+5:30, Joshua Gimer wrote:
>
> Do you have SELinux running in an enforcing mode? What is the output of 
> sestatus?
>
> Josh
>
> On Wed, Oct 12, 2016 at 8:58 AM, Kernel Panic  > wrote:
>
>> Really don't know, just installed it from the repo and tried to start the 
>> service.
>>
>> Thanks
>> Regards
>>
>> On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>>> Hi guys,
>>> Yes, I've been reading about the error on the list, lots of cases, and I got it 
>>> too, but I ran out of ideas.
>>>
>>> The log:
>>>
>>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
>>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access 
>>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>>
>>> The queue
>>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>>
>>> Also read that local_rules may have issues; tested with -t and no errors 
>>> displayed, also with xmllint
>>>
>>> xmllint local_rules.xml
>>> 
>>> --SNIP-
>>> 
>>> 
>>> 
>>>
>>> There is also a file under /var/ossec/etc/decoder.xml that seems not 
>>> good, is that correct?
>>> xmllint decoder.xml
>>> decoder.xml:52: parser error : Extra content at the end of the document
>>> 
>>> ^
>>>
>>> And found this:
>>>
>>> xmllint  ossec.conf
>>> ossec.conf:74: parser error : Comment not terminated
>>> 
>>>
>>> Line 74, what's missing here?
>>>
>>>  
>>> 
>>> 72000
>>>
>>>
>>>
>>>
>>>
>>> ossec-hids-2.8.3-53.el6.art.x86_64
>>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>>> ossec-wui-0.8-4.el6.art.noarch
>>>
>>> Thanks for your time and support
>>> Regards
>>>
>
>
>
> -- 
> Thanks,
> Joshua Gimer
>
> ---
>
> http://www.linkedin.com/in/jgimer
> http://twitter.com/jgimer
>



[ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-10 Thread Anoop Perayil
I am getting the exact same error -

2017/04/10 18:03:02 ossec-remoted: Unable to open agent file. errno: 13
2017/04/10 18:03:02 ossec-remoted(1103): ERROR: Unable to open file 
'/queue/rids/1024'.

How did you manage to get ossec-remoted back up and running?

On Wednesday, 12 October 2016 20:00:47 UTC+5:30, Kernel Panic wrote:
>
> Hi guys
> The remote service was not starting; now it's up and running, and I have to 
> say that this was pure pain!!
>
> */var/ossec/bin/ossec-remoted -df*
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Starting ...
> 2016/10/12 09:08:05 ossec-remoted: INFO: Started (pid: 21609).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Forking remoted: '0'.
> z77s-tpuppetm01:/var/ossec/etc# 2016/10/12 09:08:05 ossec-remoted: INFO: 
> Started (pid: 21610).
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: Running manager_init
> 2016/10/12 09:08:05 ossec-remoted: INFO: (unix_domain) Maximum send buffer 
> set to: '4194304'.
> 2016/10/12 09:08:05 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '16384'.
> 2016/10/12 09:08:05 ossec-remoted(1410): INFO: Reading authentication keys 
> file.
> 2016/10/12 09:08:05 ossec-remoted: DEBUG: OS_StartCounter.
> 2016/10/12 09:08:05 ossec-remoted: OS_StartCounter: keysize: 1
> 2016/10/12 09:08:05 ossec-remoted: Unable to open agent file. errno: 13
> *2016/10/12 09:08:05 ossec-remoted(1103): ERROR: Unable to open file 
> '/queue/rids/001'.* 
>
> netstat -antuwp | grep ossec
> udp0  0 0.0.0.0:1514
> 0.0.0.0:*   21908/ossec-remoted
>
> Thank you very much!
> Regards
>
>
> On Tuesday, 11 October 2016, 15:22:03 (UTC-3), Kernel Panic wrote:
>>
>> Hi guys,
>> Yes, I've been reading about the error on the list, lots of cases, and I got it 
>> too, but I ran out of ideas.
>>
>> The log:
>>
>> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: 
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>> The queue
>> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>>
>> Also read that local_rules may have issues; tested with -t and no errors 
>> displayed, also with xmllint
>>
>> xmllint local_rules.xml
>> 
>> --SNIP-
>> 
>> 
>> 
>>
>> There is also a file under /var/ossec/etc/decoder.xml that seems not good, 
>> is that correct?
>> xmllint decoder.xml
>> decoder.xml:52: parser error : Extra content at the end of the document
>> 
>> ^
>>
>> And found this:
>>
>> xmllint  ossec.conf
>> ossec.conf:74: parser error : Comment not terminated
>> 
>>
>> Line 74, what's missing here?
>>
>>  
>> 
>> 72000
>>
>>
>>
>>
>>
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-wui-0.8-4.el6.art.noarch
>>
>> Thanks for your time and support
>> Regards
>>

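The three posts above circle two distinct failures: the agent-side daemons logging "Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'", which is what a unix datagram socket returns when the socket file exists but no daemon is bound to it any more, and ossec-remoted dying with "Unable to open agent file. errno: 13" on '/queue/rids/001', where errno 13 is EACCES and the path is relative to the daemon's chroot (/var/ossec on a default install, which is an assumption here). As an added example, not OSSEC code and not from any of the posters, the script below pre-flights both conditions. It judges permissions from the mode bits for a given uid/gid rather than via os.access, so it also tells the truth when run as root; the uid/gid of the user remoted runs as (ossecr on a default install, assumed) is a parameter. The demo layout it builds under a temp directory is constructed.

```python
"""Pre-flight checks for the two failures in this thread (added example).

'Queue ... not accessible: Connection refused' = the unix datagram socket
file exists but no daemon is bound to it. remoted's 'Unable to open file
/queue/rids/...' with errno 13 = EACCES on the rids directory or a counter
file, relative to the chroot (/var/ossec by default, assumed). uid/gid are
those of the user remoted runs as (ossecr by default, assumed).
"""
import errno
import os
import socket
import stat
import tempfile


def _effective_bits(st, uid, gid):
    """rwx bits that apply to a process running as uid/gid (owner, group or
    other class). Ignores root's override on purpose so the answer is the
    same whether or not this script itself runs as root."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid == gid:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def check_rids_dir(path, uid, gid):
    """Findings for the rids directory in which remoted creates and
    rewrites the per-agent message-counter files."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    findings = []
    if (_effective_bits(st, uid, gid) & 0o3) != 0o3:  # needs w+x on the dir
        findings.append(f"{path}: uid {uid} cannot create files here "
                        f"(mode {oct(st.st_mode & 0o777)}, owner "
                        f"{st.st_uid}:{st.st_gid}); remoted would get "
                        f"errno {errno.EACCES} EACCES")
    for name in sorted(os.listdir(path)):
        fp = os.path.join(path, name)
        fst = os.stat(fp)
        if (_effective_bits(fst, uid, gid) & 0o6) != 0o6:  # needs r+w per file
            findings.append(f"{fp}: uid {uid} cannot read/write it (mode "
                            f"{oct(fst.st_mode & 0o777)}, owner "
                            f"{fst.st_uid}:{fst.st_gid})")
    return findings


def check_queue_socket(path):
    """Findings for the queue socket that syscheckd, rootcheck and
    logcollector send their events to."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing; the daemon that creates it never started"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: exists but is not a unix socket"]
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)  # ECONNREFUSED: socket file present, no daemon bound
    except OSError as e:
        return [f"{path}: connect failed: {os.strerror(e.errno)} "
                f"(errno {e.errno})"]
    finally:
        s.close()
    return []


def preflight(base, uid, gid):
    """Run both checks against an install rooted at base."""
    return (check_queue_socket(os.path.join(base, "queue", "ossec", "queue"))
            + check_rids_dir(os.path.join(base, "queue", "rids"), uid, gid))


def build_demo_install():
    """Constructed throw-away layout reproducing both failures: a stale
    socket file and a counter file that only its owner may use."""
    base = tempfile.mkdtemp(prefix="ossec-demo-")
    os.makedirs(os.path.join(base, "queue", "ossec"))
    rids = os.path.join(base, "queue", "rids")
    os.makedirs(rids)
    os.chmod(rids, 0o750)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(os.path.join(base, "queue", "ossec", "queue"))
    s.close()  # the socket file stays behind, exactly like a dead daemon
    counter = os.path.join(rids, "001")
    with open(counter, "w") as fh:
        fh.write("0:0\n")  # constructed content, not a real rids counter
    os.chmod(counter, 0o600)
    return base


def run_demo():
    """Preflight the demo layout as its owner and as an unrelated uid/gid."""
    base = build_demo_install()
    return (preflight(base, os.getuid(), os.getgid()),
            preflight(base, os.getuid() + 1, os.getgid() + 1))


if __name__ == "__main__":
    for who, findings in zip(("as owner", "as other uid"), run_demo()):
        print(who, findings or "no findings")
```

Against a real install, call preflight("/var/ossec", uid, gid) with the uid/gid from pwd.getpwnam on the remoted user; an empty result rules out both the dead-socket and the EACCES explanations, and a finding names the exact file and owner to fix, which is quicker than reading the daemons' debug output.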