Hello, all. We are busily diving into OSSEC; looks like a great
product. We noticed the database output options and, after extensive
searching of this list, found that using database output duplicates the
local alert logging.
Is there any OSSEC advantage to using database output or is it
Hi list.
I need your help. I have had ossec installed on my machine since September,
version 1.6. A few days ago an ossec rule created a block for IP
0.0.0.0, leaving my machine without a connection. Is this an ossec problem? I
reviewed the generated logs and this appears nowhere in the
Hi Peter,
You need to have the system_audit entry for it to work and it has been
added by default since v1.5. However, if you have been upgrading from previous
versions, this entry is not added on updates. I will make sure to document it
better (there are lots of features not well documented in
Hi John,
The database output is especially useful to create reports and to consolidate
all the alerts into one place if you have more than one ossec server.
If you only
have one server and don't care about doing custom reports in there, you
are probably fine without it.
thanks,
--
Daniel B. Cid
Greetings Daniel:
1. If I wanted to test On|1 from
[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = On;
Would the change then be
[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = r:On|1;
Based on your response?
2. In H-Sphere
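The system_audit syntax in the question above can be exercised offline with a small evaluator. This is an added example, not rootcheck's own code: it parses the `$var=path,path;` variable line, the `[name] [any|all] [reference]` entry header and the `f:... -> r:...;` checks exactly as they appear in the post, and runs them against constructed php.ini contents instead of the real filesystem. One assumption is made explicit in the code and in the test: as I read OSSEC's OS_Regex, `|` splits a pattern into independent alternatives with no grouping, so a check written as `On|1` would flag any line containing a `1`; each alternative therefore carries its own `^register_globals = ` anchor in AUDIT_TEXT. The variable paths and file contents are made up.

```python
import re

# Constructed system_audit fragment in rootcheck's file syntax (not the
# shipped file). The first line declares the $php.ini variable.
AUDIT_TEXT = """
$php.ini=/etc/php.ini,/etc/php5/apache2/php.ini;

[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = On|^register_globals = 1;
"""

# Constructed file contents standing in for the real filesystem.
FILES = {
    "/etc/php.ini": "display_errors = Off\nregister_globals = 1\n",
}

VAR_RE = re.compile(r"^(\$[\w.]+)=(.*);$")
HEADER_RE = re.compile(r"^\[(.+?)\]\s*\[(any|all)\]\s*\[(.*?)\]$")
CHECK_RE = re.compile(r"^f:(\S+)\s*->\s*(!?)r:(.*);$")


def parse_audit(text):
    """Return ({variable: [paths]}, [entries]); each entry lists its checks."""
    variables, entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "mode": m.group(2),
                       "ref": m.group(3), "checks": []}
            entries.append(current)
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            # (target, negate, regex); "!r:" inverts the check.
            current["checks"].append((m.group(1), m.group(2) == "!", m.group(3)))
    return variables, entries


def check_matches(files, variables, target, regex, negate=False):
    """True when some line of some file behind `target` matches `regex`.

    Assumption: OS_Regex treats '|' as a top-level split into independent
    patterns, so each alternative is compiled and tried on its own.
    """
    paths = variables.get(target, [target])
    alternatives = [re.compile(alt) for alt in regex.split("|")]
    found = False
    for path in paths:
        content = files.get(path)
        if content is None:
            continue
        for line in content.splitlines():
            if any(alt.search(line) for alt in alternatives):
                found = True
                break
        if found:
            break
    return (not found) if negate else found


def failed_entries(files, audit_text):
    """Names of entries that rootcheck would report, honouring [any]/[all]."""
    variables, entries = parse_audit(audit_text)
    failed = []
    for entry in entries:
        results = [check_matches(files, variables, t, r, n)
                   for t, n, r in entry["checks"]]
        hit = any(results) if entry["mode"] == "any" else all(results)
        if hit:
            failed.append(entry["name"])
    return failed


if __name__ == "__main__":
    print(failed_entries(FILES, AUDIT_TEXT))
```

Running the same evaluator with the unanchored pattern `^register_globals = On|1` against a php.ini that only contains `max_execution_time = 1` still reports a hit, which is the false positive the anchored form avoids.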
We have OSSEC running on a couple of webapp servers and we're seeing FPs
in the OSSEC logs that seem to be flagging the following section of this
sample URI:
+select+fixed+income
My guess is that OSSEC sees this as SQL and alerts on it. We need to be
able to get rid of these FPs since the word
Hi Daniel:
I did some digging, and found some interesting results:
cat /var/ossec/queue/rootcheck\/\(web.dy*
!1233829834!1233849935!1233849935 Starting rootcheck scan.
!1233849942!1233849942 System Audit: File found on /tmp or /dev/shm
with perl php in it. File: /tmp/test.
I have compiled ossec-hids here on my Ubuntu box. It asked for email
notification; I selected yes. I entered my gmail address, and it seemed to
have auto-detected a default gmail smtp server for email reporting. It did not,
however, prompt for a password for smtp sending. I am unsure if a
I have installed ossec-hids and am wondering if it has perhaps a web interface,
or perhaps an optional gtk application, that would allow me to monitor its
function (other than email alerts). I realize it works in the background;
however, I'm not too clear on what would happen if an intrusion
Hey Clayton,
FP's are pretty normal since the ossec web rules are rather generic.
The log line above is firing an alert just because of select+. The
easiest way to deal with this is to add a local rule like this:
<group name="local">
  <rule id="10" level="0">
    <if_sid>31103</if_sid>
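As an added example (not Daniel's code and not OSSEC's rule set), here is the override logic run over a few constructed access-log lines: a simplified stand-in pattern plays the role of the generic SQL-injection rule 31103, and a level-0 child rule keyed on the false-positive phrase takes precedence over it, which is what an `<if_sid>31103</if_sid>` child in local_rules.xml does. The rule id 100010, the level 6 for the parent rule, the pattern itself and the `^`/`$` anchor semantics of `<url>` are assumptions made for the example.

```python
import re

# Constructed access-log lines (not from the original thread).
SAMPLE_LOGS = [
    '10.0.0.5 - - [05/Feb/2009:15:00:01 -0500] "GET /search?q=+select+fixed+income HTTP/1.1" 200 512',
    '10.0.0.6 - - [05/Feb/2009:15:00:02 -0500] "GET /item?id=1+union+select+password+from+users HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Feb/2009:15:00:03 -0500] "GET /search?q=+select+fixed+income+union+select+password HTTP/1.1" 200 512',
    '10.0.0.8 - - [05/Feb/2009:15:00:04 -0500] "GET /about.html HTTP/1.1" 200 512',
]

# Simplified stand-in for the generic web SQL-injection rule (OSSEC 31103):
# a keyword preceded by a separator and followed by "+", "%20" or "(".
# The pattern and the level are assumed; the shipped rule is longer.
PARENT_ID, PARENT_LEVEL = 31103, 6
SQLI_RE = re.compile(r"[+%;'=](?:select|insert|update|delete|drop|union)(?:\+|%20|\()", re.I)

# Local override, the equivalent of this local_rules.xml child (id assumed):
#   <group name="local">
#     <rule id="100010" level="0">
#       <if_sid>31103</if_sid>
#       <url>^/search?q=+select+fixed+income$</url>
#       <description>Known search phrase, not SQL injection.</description>
#     </rule>
#   </group>
LOCAL_RULES = [
    {"id": 100010, "if_sid": PARENT_ID,
     "url": "^/search?q=+select+fixed+income$", "level": 0},
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def extract_url(log_line):
    """Pull the request target out of a combined/common-format log line."""
    m = REQUEST_RE.search(log_line)
    return m.group(1) if m else None


def url_matches(pattern, url):
    """<url> semantics as modelled here: substring match, ^ and $ as anchors."""
    head = pattern.startswith("^")
    tail = pattern.endswith("$")
    body = pattern[1 if head else 0: -1 if tail else None]
    if head and tail:
        return url == body
    if head:
        return url.startswith(body)
    if tail:
        return url.endswith(body)
    return body in url


def evaluate(log_line):
    """Return (rule_id, level) of the rule that ends up firing, or None."""
    url = extract_url(log_line)
    if url is None or not SQLI_RE.search(url):
        return None
    # The parent matched; a child keyed with if_sid overrides it when its
    # own <url> matches, which is how a level-0 local rule silences the FP.
    for child in LOCAL_RULES:
        if child["if_sid"] == PARENT_ID and url_matches(child["url"], url):
            return (child["id"], child["level"])
    return (PARENT_ID, PARENT_LEVEL)


def triage(log_lines):
    """Alerts that would still reach the analyst, i.e. level above 0."""
    kept = []
    for line in log_lines:
        hit = evaluate(line)
        if hit is not None and hit[1] > 0:
            kept.append((line, hit))
    return kept


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_url(line), "->", evaluate(line))
```

The third sample line is why the exception is anchored on the whole query rather than on the bare phrase: a `<url>select+fixed+income</url>` child would also silence a request that carries the phrase plus a real injection, while the anchored form lets it through at the parent's level.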
Yes, OSSEC-HIDS does not support gmail because it requires TLS plus email
authentication. A solution I use is to install an email relay and configure
it to send using gmail. Works like a charm! :)
Marcos Neves
+55 44 3263-8132
+55 44 9918-8488
On Thu, Feb 5, 2009 at 3:00 PM, cnk lists.canuck...@gmail.com wrote:
Hello, all. We plan to make extensive use of OSSEC on a very large
number of VServer guests. These are, in effect, very efficient and
secure chroot guests and thus share the same kernel and, to a degree,
memory and file system.
Since the file systems for all the guests are accessible from the
Hello, all. As you can tell, we are continuing our exploration of
OSSEC :-) We wanted to bind the OSSEC server to a specific address
rather than all addresses. Thus, we changed the server's ossec.conf
file to read:
<remote>
  <connection>secure</connection>
  <local_ip>192.168.223.28</local_ip>