Hello,
how important is it to install the OSSEC server on a hardened/trusted
system?
Is there a HowTo available somewhere on preparing/installing a secured
Linux for OSSEC?
Or would you rather recommend to install OSSEC on BSD?
Thanks a lot for your feedback!
John
Hi John
For me it is more important that the OSSEC agents run on a hardened/
trusted system, because they have to be secure and do all the
communication with the bad world ;-) But it is a good idea to secure
the OSSEC server too.
I did an implementation of OSSEC with ubuntu secured by
Hi Frank,
It seems that your configuration is missing the log_format parameter.
It should look like this:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-ng/*/messages</location>
  </localfile>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Jan 12, 2008 9:14 PM, Frank
Hello,
I am amazed by the capabilities of OSSEC and I am wondering if there are
cases where an IDS is still recommended...
Thanks a lot for any feedback!
John
PS:
I'm not an IDS specialist.
Hi Dave,
Our wiki has some examples on how to ignore a specific IP address. The
whitelist is only used for the active response, not for the alerts
themselves.
Link:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules#Ignoring_a_specific_IP
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
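The distinction in Daniel's reply, as an added example (not from the linked wiki page or from the thread): the `<white_list>` entry in ossec.conf only exempts an address from active response, while a level-0 rule in local_rules.xml is what actually suppresses alerts from it. The address 192.168.1.10, rule id 100010 and the choice of `authentication_failed` as the parent group are assumptions for illustration; adjust them to the events you want to ignore.

```xml
<!-- ossec.conf (server side). white_list only affects active response:
     firewall-drop / host-deny will never block this address, but alerts
     for events coming from it are still generated and e-mailed. -->
<ossec_config>
  <global>
    <white_list>192.168.1.10</white_list>   <!-- assumed trusted address -->
  </global>
</ossec_config>

<!-- rules/local_rules.xml. A rule at level 0 that matches is an "ignore":
     the event is dropped and no alert is logged or e-mailed.
     Rule ids from 100000 upwards are reserved for local rules. -->
<group name="local,">
  <!-- Ignore authentication failures from the trusted host only. The
       if_group element restricts the ignore to that class of events;
       remove it (keeping only srcip) to ignore every event from the address. -->
  <rule id="100010" level="0">
    <if_group>authentication_failed</if_group>
    <srcip>192.168.1.10</srcip>
    <description>Ignoring authentication failures from trusted host.</description>
  </rule>
</group>
```

Keep the ignore as narrow as the if_group allows: a bare `<srcip>` level-0 rule silences everything from that host, including rootcheck and integrity alerts that you probably still want.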
Hi
Just one idea: Are all time settings correct (e.g. the time zones)?
Dan
On 13.01.2008 at 04:21, Kunthar wrote:
I am getting alert emails nearly 2 hours late.
Mail functions are okay.
When I check my emails I see I have exactly a 2 hour difference
from when the thing happened.
Any
Thanks, Daniel. Hopefully this can be integrated in the database on the
next version.
Sherwin
-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Cid
Sent: Monday, January 14, 2008 6:25 PM
To: ossec-list@googlegroups.com
Subject:
| Hello,
Hi,
| how important is it to install the OSSEC server on a hardened/trusted
| system?
Because I am damn lazy to read my logs unless I need to debug something that
is not working.
So I prefer to configure Ossec with patterns I am interested in, so that I
Some rules always send emails, but I don't want them to. How can I turn off
email notification for specific rules?
TIA
Dave
I run snort ids on all of my external-facing boxes, and quite often on my
internal servers as well; in addition to running ossec on them, of
course. :) This past year at DefCon I was running ossec + snort on my
laptop, and the snort log entries were pretty essential in detecting the
scr1pt
It depends on why the rule is alerting. Some rules are configured to
always email, regardless of their level, and some rules will email
because their level is at or above your configured email_alert_level.
An example of the first would be rule 502, located in
$OSSEC_DIR/rules/ossec_rules.xml.
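The two e-mail paths described above, and how to silence one rule without editing ossec_rules.xml, as an added example (not from the thread or from the OSSEC rule set itself): copy the rule into rules/local_rules.xml with overwrite="yes" and swap alert_by_email for no_email_alert. The body of rule 502 is written here from memory of ossec_rules.xml and should be checked against the installed file; email_alert_level 7 is an assumed site setting, and the example assumes an OSSEC release that supports the overwrite attribute and the no_email_alert option.

```xml
<!-- ossec.conf: the level threshold. Any rule at this level or above is
     e-mailed; below it, only rules carrying the alert_by_email option are. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>   <!-- assumed site value -->
  </alerts>
</ossec_config>

<!-- rules/local_rules.xml: silence rule 502. At level 3 it would never
     reach the threshold, but ossec_rules.xml gives it alert_by_email.
     overwrite="yes" replaces the stock definition, so the whole rule body
     is repeated with the option changed to no_email_alert. The rule still
     fires and is still written to alerts.log; only the e-mail is dropped. -->
<group name="local,syslog,">
  <rule id="502" level="3" overwrite="yes">
    <if_sid>500</if_sid>
    <options>no_email_alert</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
</group>
```

Do the edit in local_rules.xml rather than in ossec_rules.xml, which is replaced on upgrade; the same overwrite pattern works in reverse (adding alert_by_email) when a low-level rule should always mail.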
I want to audit when a user first logs onto their system for the day
and when they log off for the day. I have looked through my Active
Directory Security logs and notice users with multiple success logs
within seconds of each other then a log off within a minute. Event
IDs of 540 and 538. How
I have the following in my ossec.conf file:
  <ossec_config>
    <global>
      <email_notification>yes</email_notification>
      <email_to>[EMAIL PROTECTED]</email_to>
      <smtp_server>mail.halogensoftware.com</smtp_server>
      <email_from>[EMAIL PROTECTED]</email_from>
    </global>
    <email_alerts>
      <email_to>[EMAIL