Re: [ossec-list] ossec as Sniff detector

2010-04-15 Thread dan (ddp)
It can tell when an agent's interface goes into promisc mode. But if the machine isn't an agent, it won't be able to tell. On Wed, Apr 14, 2010 at 4:06 PM, Saeid Ansaripour sidan...@gmail.com wrote: Does anybody know if ossec can detect sniffers? -- To unsubscribe, reply using remove me as

Re: [ossec-list] ossec

2010-04-15 Thread wu tingyi
Thanks for your help =)) On Wed, Apr 14, 2010 at 6:16 PM, Ozgur Ozdemircili ozgur.ozdemirc...@gmail.com wrote: Hi Wu, Try nmapping. From the client try this: nmap -sU -p 1514 serverip Özgür Özdemircili http://www.acikkod.org Code so clean you could eat off it On Tue, Apr 13, 2010

[ossec-list] Finding logons

2010-04-15 Thread Ozgur Ozdemircili
Hi, I seem to be getting a 5715 message saying user A has logged in to server B. But I do not receive anything when the same user logs out. Is there any way ossec can send me an email/ alert when user logs out stating: - The ip address of the user - Username (of course) - Login / logout times

[ossec-list] Re: Rule for web access_log not working

2010-04-15 Thread Brian
Dennis, <options>no-email-alert</options> causes ossec to fail to start. <options>no_email_alert</options> (within a rule block) has no effect. Email alerts still pile in. -Brian On Apr 14, 2:10 pm, Carter, Dennis A dcar...@co.pinellas.fl.us wrote: Brian, No. The level=0 is used to ignore the rule

Re: [ossec-list] ossec as Sniff detector

2010-04-15 Thread Dave Lowe
ossec can detect an interface entering promiscuous mode, so yes, it can detect a sniffer running on a host which has an ossec agent installed. On Thu, Apr 15, 2010 at 6:06 AM, Saeid Ansaripour sidan...@gmail.com wrote: Does anybody know if ossec can detect sniffers?

Re: [ossec-list] ossecalert log file

2010-04-15 Thread wu tingyi
Thanks for your help =) On Tue, Apr 13, 2010 at 8:36 PM, dan (ddp) ddp...@gmail.com wrote: I think it means the reverse dns isn't correct for that host. On Tue, Apr 13, 2010 at 1:47 AM, wu tingyi wendytin...@gmail.com wrote: Hello all, ** Alert 1271055172.24104: mail - syslog,sshd--what

Re: [ossec-list] Re: Rule for web access_log not working

2010-04-15 Thread dan (ddp)
If rule 24 is your custom rule, it looks like it isn't being applied. Try adding <if_sid>31151</if_sid> to your rule. On Wed, Apr 14, 2010 at 3:17 PM, Brian br...@unwell.org wrote: In the email alert, however, it is being listed as level 10, which is leading me to believe my local rule is just

Re: [ossec-list] Re: ossec

2010-04-15 Thread wu tingyi
Thanks for your help =)) On Tue, Apr 13, 2010 at 8:26 PM, Mike Sievers saturnge...@googlemail.com wrote: what about: netstat -an | grep 1514 ?

[ossec-list] Agent grouping

2010-04-15 Thread Assaf Flatto
Hello, I am trying to set up granular email alerts. I managed to set up emailing for specific users with individual agents, but I am having an issue with the last setting. I want to set up an email alert that will include all agents except for a specific agent and only above a certain

[ossec-list] Ossec 2.4 and Suhosin Hardened PHP

2010-04-15 Thread William Maddler
Hello all, quick question: is there any Suhosin rules file? Tried googling around but didn't find anything. Thank you William

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Joel Merrick
On Thu, Apr 15, 2010 at 12:09 PM, Joel Merrick joel.merr...@gmail.com wrote: On Wed, Apr 14, 2010 at 10:11 PM, uifjlh joel.hueb...@gmail.com wrote: Paul, I seem to have some piece missing myself? ... the search part of Splunk works, and I have OSSEC data there, from my OSSEC clients to

[ossec-list] Finding Logons

2010-04-15 Thread Ozgur Ozdemircili
Hi, I seem to be getting a 5715 message saying user A has logged in to server B. But I do not receive anything when the same user logs out. Is there any way ossec can send me an email/ alert when user logs out stating: - The ip address of the user - Username (of course) - Login / logout time

Re: [ossec-list] ossec as Sniff detector

2010-04-15 Thread Saeid Ansaripour
What if the computer that does the sniffing is not part of my ossec agents? In other words, what happens if somebody tries to sniff my network? On Wed, Apr 14, 2010 at 8:29 PM, dan (ddp) ddp...@gmail.com wrote: It can tell when an agent's interface goes into promisc mode. But if the machine isn't an

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Joel Merrick
Well, it doesn't seem to be displaying anything... OSSEC log directory is being monitored, however sourcetype=ossec produced nothing. Files have been indexed. Any ideas? On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick joel.merr...@gmail.com wrote: I have this working now, I had to manually add

Re: [ossec-list] Finding Logons

2010-04-15 Thread dan (ddp)
Check your ssh logs for some kind of logoff message. I can't remember if there is one, or if all of this information is included. On Thu, Apr 15, 2010 at 6:46 AM, Ozgur Ozdemircili ozgur.ozdemirc...@gmail.com wrote: Hi, I seem to be getting a 5715 message saying user A has logged in to server
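The correlation Ozgur is asking for, as an added example that is not part of this thread and not OSSEC code: OSSEC's rule 5715 fires on the sshd "Accepted ... for USER from IP" line, which carries the source IP, while the logout is a PAM line ("session closed for user USER", matched by OSSEC's pam rules as 5502) that carries the username but no IP. Both lines are logged by the same sshd process, so the PID is the join key. The log lines below are constructed to match stock OpenSSH/PAM syslog output; the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample sshd/PAM log lines (not taken from the thread).
SAMPLE_LOG = """\
Apr 15 09:12:01 serverB sshd[4021]: Accepted password for alice from 10.1.2.3 port 51234 ssh2
Apr 15 09:12:01 serverB sshd[4021]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Apr 15 09:40:17 serverB sshd[4021]: pam_unix(sshd:session): session closed for user alice
Apr 15 10:05:44 serverB sshd[4387]: Failed password for bob from 10.9.8.7 port 40001 ssh2
Apr 15 10:06:02 serverB sshd[4390]: Accepted publickey for bob from 10.9.8.7 port 40002 ssh2
Apr 15 10:06:02 serverB sshd[4390]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# the line OSSEC rule 5715 matches; it is the only one that names the client IP
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# the PAM logout line; it names the user but not the IP
CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")


def parse_ts(ts, year):
    """Syslog timestamps have no year; the caller supplies one (assumed 2010 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def correlate(text, year=2010):
    """Pair each accepted login with its session-closed line via the sshd PID.

    Returns a list of session dicts in login order. 'logout' stays None for
    sessions that are still open at the end of the input.
    """
    open_sessions = {}  # pid -> session dict still awaiting its close line
    sessions = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        when = parse_ts(m.group("ts"), year)

        a = ACCEPT_RE.match(msg)
        if a:
            session = {"host": m.group("host"), "user": a.group("user"),
                       "ip": a.group("ip"), "login": when, "logout": None}
            open_sessions[pid] = session
            sessions.append(session)
            continue

        c = CLOSE_RE.search(msg)
        if c and pid in open_sessions:
            session = open_sessions[pid]
            # Guard against PID reuse: the close must name the same user.
            if session["user"] == c.group("user"):
                session["logout"] = when
                del open_sessions[pid]
    return sessions


def render(sessions):
    """Format sessions as the lines an email alert would carry."""
    out = []
    for s in sessions:
        logout = s["logout"].strftime("%H:%M:%S") if s["logout"] else "still open"
        out.append(f"{s['host']}: {s['user']} from {s['ip']} "
                   f"login {s['login'].strftime('%H:%M:%S')} logout {logout}")
    return out


if __name__ == "__main__":
    for line in render(correlate(SAMPLE_LOG)):
        print(line)
```

Failed logins are ignored on purpose, since they never get a session, and a close line whose user does not match the open session on that PID is dropped rather than mis-attributed. Running this over `/var/log/auth.log` (or secure) with the right year gives the IP, user and both timestamps per session; OSSEC itself only gives you the two halves as separate alerts.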

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Joel Merrick
On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick joel.merr...@gmail.com wrote: Well, it doesn't seem to be displaying anything... OSSEC log directory is being monitored, however sourcetype=ossec produced nothing. Files have been indexed. Any ideas? Seems as though the string parsing is not

[ossec-list] IPS

2010-04-15 Thread Saeid Ansaripour
Is OSSEC doing any kind of IPS at all? It looks like ossec is more like a logging management tool than anything else. How does it prevent the intrusion if, say, malware attacks a system?

Re: [ossec-list] ossec as Sniff detector

2010-04-15 Thread dan (ddp)
If there is no agent on that machine, ossec cannot detect that it is running a sniffer. There have been some techniques for finding sniffers posted on the net, I don't know if any of them are still valid or if there are any tools for using them though. If there are, you might be able to get some
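The check dan and Dave describe, as an added example that is not OSSEC's own rootcheck code: on Linux the promiscuous flag is IFF_PROMISC (0x100) in the interface flags, readable from `/sys/class/net/<iface>/flags` or visible as `PROMISC` in `ip link` output. The sysfs path and the sample `ip -o link` lines below are assumptions for illustration; the sample output is constructed.

```python
import glob
import os
import re

IFF_PROMISC = 0x100  # from linux/if.h; the bit a host-side check tests for

# Constructed `ip -o link show` output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

IP_LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>")


def is_promisc(flags_hex):
    """Decode the hex string sysfs exposes (e.g. '0x1103') and test IFF_PROMISC."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_from_flags(flags_by_iface):
    """Given {iface: hex flags}, return the sorted list of promiscuous interfaces."""
    return sorted(name for name, flags in flags_by_iface.items() if is_promisc(flags))


def parse_ip_link(text):
    """Return interfaces whose `ip link` flag set contains PROMISC."""
    found = []
    for line in text.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def read_sysfs_flags(root="/sys/class/net"):
    """Collect {iface: hex flags} from sysfs; returns {} on non-Linux hosts."""
    out = {}
    for path in glob.glob(os.path.join(root, "*", "flags")):
        name = os.path.basename(os.path.dirname(path))
        try:
            with open(path) as fh:
                out[name] = fh.read()
        except OSError:
            continue  # interface vanished or unreadable; skip it
    return out


if __name__ == "__main__":
    live = promisc_from_flags(read_sysfs_flags())
    print("promiscuous interfaces (live sysfs):", live or "none")
    print("promiscuous interfaces (sample ip link):", parse_ip_link(SAMPLE_IP_LINK))
```

Two caveats a practitioner will want: bridges, VM uplinks, mirror ports and an admin's own tcpdump all set this flag legitimately, so the alert is a starting point, not proof of a sniffer; and, as dan says, none of this sees a sniffer on a host where nothing runs, since the flag is local to the sniffing machine.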

Re: [ossec-list] IPS

2010-04-15 Thread dan (ddp)
It depends on the attack. If there are logs created for the attack (i.e. snort logs, or system logs) then the attack can often be stopped through the use of firewalls or whatnot blocking the source. If a piece of malicious software is downloaded and installed by the user, detecting and stopping the

Re: [ossec-list] IPS

2010-04-15 Thread Andre Pawlowski
It can block the attack. If it detects it in any log it can do any action you want. I've written a script that mirrors the attack back to the attacker ( http://h4des.org/source/blog/mirroring-traffic.sh.txt ). If you want more, you can combine it with snort or any other NIDS. Ossec is a great

Re: [ossec-list] Ossec 2.4 and Suhosin Hardened PHP

2010-04-15 Thread Daniel Cid
Hi William, We have a decoder for Suhosin that will treat the logs as an IDS event. So you need to work with the ids_rules.xml to modify them. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Thu, Apr 15, 2010 at 7:56 AM, William Maddler n...@maddler.net wrote: Hello all, quick question:

RE: [ossec-list] IPS

2010-04-15 Thread Saeid Ansaripour
Thank you Andre. If I'm not mistaken, this script is only good for a Linux machine. I'm trying to get a use out of ossec against the fake anti-virus scanner problem that we have in our company on our Windows machines. We have over 10,000 computers that all run Windows XP, some of them have this rogue

[ossec-list] OSSEC Log Manager??

2010-04-15 Thread James Keegan
According to the Slides (slide #3) on the OSSEC site, OSSEC is NOT a log management tool, it only stores alerts, not every single log, they recommend that you still have a log management and long term storage solution of all logs outside of the OSSEC tool.

[ossec-list] Install issues with ossec-hids-2.4

2010-04-15 Thread Murphy, Matthew
Hello, I am trying to find a solution to a problem I am having with ossec-hids-2.4 on the HP-UX platform. The problem occurs when installing the client/agent software on the hosts I need to monitor. I have it working for AIX, Linux, and Sun but still can't find a solution to the problem on HP-UX. We are

[ossec-list] Excessive number of events

2010-04-15 Thread Michael Barrett
Message: 30 Apr 15 15:37:50 newman ossec:/var/ossec/logs/alerts/alerts.log Rule: 11 (level 8) - 'Excessive number of events (above normal).' I get several of these every day. I asked a question about suppressing them and was told that I shouldn't do it. What does this alert tell me? How would

Re: [ossec-list] OSSEC Log Manager??

2010-04-15 Thread Michael Starks
On Thu, 15 Apr 2010 14:42:05 -0400, James Keegan james.kee...@essent.us wrote: According to the Slides (slide #3) on the OSSEC site, OSSEC is NOT a log management tool, it only stores alerts, not every single log, they recommend that you still have a log management and long term storage

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Paul Southerington
Did Joel's suggestion make any difference for you? If not, what version of Splunk are you running, and is it the free license or enterprise? On Wed, Apr 14, 2010 at 5:11 PM, uifjlh joel.hueb...@gmail.com wrote: Paul, I seem to have some piece missing my self ? ... the search part of

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Paul Southerington
That sounds like Splunk's automatic sourcetype assignment. How do you have the data coming in? (syslog? Direct to a Splunk listening port? Or pointed directly to the OSSEC alerts file on the local machine?) If you look in inputs.conf, or in the Manager within Splunk you should be able to set the