Greetings:
We currently are testing OSSEC 1.3 on 25 servers, including 3 Windows 2003 servers.
Two of the Windows 2003 servers are running regular 32-bit Windows 2003 Server; the third one is running 64-bit and is also using the Storage Server edition.
All three are to the latest Microsoft
After fighting to suppress Windows flak without voiding the entire rule, I'm giving up.
Are there any resources available FOR HIRE that can help me fine-tune the OSSEC ruleset in a Windows environment?
---
Phillip
Hi Dave,
Thank you so much for all of your help!
Just for clarification, our vpopmail logs do NOT have the http:// stuff which I'm seeing being added in your reply.
It seems that the OSSEC decoder might need a new rule or an update to catch pop3 brute-force attacks where the attacker doesn't
Hi Steve,
Thanks for the suggestion. I committed your improved decoder to CVS already and it will be included in the next version. As for having custom decoders, I am thinking of creating a new local_decoders.xml, because right now all entries in decoders.xml are overwritten during upgrade.