Hello
I have a problem with the installation of ossec.
After the installation I have the message No agent available.
I have read the forum but I don't find the solution. Here is the problem:
/etc/init.d/ossec start
Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
I'm getting 4 (maybe more) copies of every post, each with a different
return-path and envelope-from headers (some sort of id used by google groups).
This is the first googlegroup I've signed up for, I'm on dozens of other lists
and never have seen this kind of behaviour.
--
If you write
Guys,
Are there any rules in OSSEC to get SPAM?
I am having a problem with SPAM and I wanna know when it is happening and
block it.
My MTA is Postfix.
Thanks!
--
Regards,
Rafael Brito Gomes
Security Analyst
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel : +55 71 3283 6100
B/K Walker wrote:
I'm getting 4 (maybe more) copies of every post, each with a different
return-path and envelope-from headers (some sort of id used by google groups).
This is the first googlegroup I've signed up for, I'm on dozens of other lists
and never have seen this kind of behaviour.
Hi Patrick,
Yes, that's basically what Dan explained. Removing the counters would allow for
someone inside your network to replay the events into ossec.
However, if you are using syslog internally, you will have this
problem anyway... So
even using this option would not protect you.
I disable
Hi Aaron,
Thanks for the patch. Added to the latest snapshot:
http://www.ossec.net/files/snapshots/
Can you take a look to make sure it is working correctly?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, May 12, 2010 at 2:40 PM, Aaron Bliss aaron.bl...@gmail.com wrote:
Hi all,
I
Hi Christian,
You also need to set alert_new_files to yes inside the syscheck config:
http://www.ossec.net/wiki/Know_How:Syscheck
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 17, 2010 at 2:29 PM, ko...@mnr.org wrote:
I've changed the rules required 554 to level 7 and the rule
Hi Charlie,
Thanks! Just fixed on the latest snapshot:
http://www.ossec.net/files/snapshots/
Can you give it a try?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 14, 2010 at 3:58 PM, Charlie cmee...@gmail.com wrote:
:~$ strings /bin/login | grep -E
I have that also. Here is the setting, maybe I'm missing something else, I
changed the frequency
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>792</frequency>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all
I've been struggling with cleaning up the notifications from ossec, I've had
some success but for whatever reason I can't seem to get a grip on it
completely.
I've got several rules in local_rules.xml that filter out unimportant stuff
(windows really likes to twiddle registry keys, in
I'm testing the OSSEC which it looks like we may use here. Question is: does
anyone have a pre-compiled HP-Unix agent I can test on my HP agents? Until we
purchase the support it seems we can not test it. Thank You Christian
Christian L. Kovac
Sr Network Support Analyst
Information
I am having the same issue, the email I sent yesterday doesn't seem to have
been posted (grr google groups)
I can't figure out why no agent is connecting to my server, new or old. I'd
like to back up the keys DB and remake the server, and restore the keys. I
do not want to generate 500+ keys by
On Tue, May 18, 2010 at 4:44 AM, BOUTROUILLE PASCAL
pboutroui...@ca-cf.fr wrote:
Hello
I have a problem with the installation of ossec.
After the installation I have the message « No agent available. »
I have read the forum but I don't find the solution. Here is the problem:
On Tue, May 18, 2010 at 8:55 AM, B/K Walker b...@diablops.com wrote:
I've been struggling with cleaning up the notifications from ossec, I've had
some success but for whatever reason I can't seem to get a grip on it
completely.
I've got several rules in local_rules.xml that filter out
On Tue, 18 May 2010 14:07:17 +0200 Wim Remes wre...@gmail.com wrote:
yup, yup, yup and yup :-D
all joking aside. I don't have that problem, problem, problem,
problem.
try to unsubscribe and subscribe again ?
Just tried, no luck there. Perhaps email signup is broken, I don't have a
On Tue, 18 May 2010 07:28:20 -0400 William Montgomery will...@opinicus.com
wrote:
B/K Walker wrote:
I'm getting 4 (maybe more) copies of every post, each with a
different return-path and envelope-from headers (some sort of id
used by google groups).
This is the first googlegroup I've
Your mail made it through (although I don't know the answer off hand).
On Tue, May 18, 2010 at 9:21 AM, Rich Rumble richrum...@gmail.com wrote:
I am having the same issue, the email I sent yesterday doesn't seem to have
been posted (grr google groups)
Thank you
So i have modified:
debiantest:/tmp# grep ossec /etc/passwd
ossec:x:1001:1001::/var/ossec:/bin/false
ossecm:x:1002:1001::/var/ossec:/bin/false
ossecr:x:1003:1001::/var/ossec:/bin/false
debiantest:/tmp#
debiantest:/tmp# grep ossec /etc/group
ossec:x:1001:www-data,ossec
and start/stop
yes, will try it out later today!
thanks!
On Tue, May 18, 2010 at 7:01 AM, Daniel Cid daniel@gmail.com wrote:
Hi Charlie,
Thanks! Just fixed on the latest snapshot:
http://www.ossec.net/files/snapshots/
Can you give it a try?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On
Hi Dan,
If by clearing the syscheck database you mean:
.../syscheck_update -a
and/or
.../syscheck_update -u local
I already did that while ossec daemons were stopped.
After restart the same errors appear in logs.
I am using ossec-hids-2.4.1.
The above error messages appear in server and agent
This is how to log to an sql database:
http://www.ossec.net/wiki/Know_How:DatabaseOutput
But I don't think the problem has anything to do with an sql database.
I was thinking syscheck_control -u all:
-u all Updates (clear) the database for all agents.
I guess you could manually clear out the
Same here too!
Andre Pawlowski
---
Right and wrong are not what separate us and our enemies.
It's our different standpoints, our perspectives that
separate us. Both sides blame one another. There's no
good or bad side. Just two
Have you tested this? Maybe tried creating a file in the system32 directory?
Did you set the alert_new_files to yes on the agents (not sure if this
is necessary or not, but probably won't hurt)?
Is the system32 directory being watched by syscheck?
On Tue, May 18, 2010 at 8:38 AM, ko...@mnr.org
UNSUBSCRIBE
On Tue, 18 May 2010 08:55:47 -0400, B/K Walker b...@diablops.com wrote:
Here's an example, I get smart HDD test syslog events from my NAS box:
Received From: fatty-/var/log/messages
Rule: 1002 fired (level 2) - Unknown problem somewhere in the system.
Portion of the log(s):
May 18
On Tue, 18 May 2010 10:51:36 -0400 dan (ddp) ddp...@gmail.com wrote:
On Tue, May 18, 2010 at 8:55 AM, B/K Walker b...@diablops.com wrote:
I've been struggling with cleaning up the notifications from ossec,
I've had some success but for whatever reason I can't seem to get a
grip on it
On Tue, 18 May 2010 09:14:51 -0500 Michael Starks
ossec-l...@michaelstarks.com wrote:
On Tue, 18 May 2010 08:55:47 -0400, B/K Walker b...@diablops.com
wrote:
Here's an example, I get smart HDD test syslog events from my NAS
box:
Received From: fatty-/var/log/messages
Rule: 1002
Thanks for the reply. Yes, yes (system32 directory being watched by syscheck?),
I believe by default it is being watched by syscheck. I do get alerts
when I modify a test file in the System32 directory. This is a basic install for
testing and evaluation. This is the only issue I can't seem
I've gotten copied on this mail 10 times already. But not a response.
ko...@mnr.org 5/18/2010 8:38 AM
I have that also. Here is the setting, maybe I'm missing something else, I
changed the frequency
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
I reinstalled (2.3) and set the max agents again (was 1024) to 2048,
clients started connecting again, when we first added over 254 agents we
noticed the error and used
http://www.ossec.net/wiki/Errors:LargeNumberAgents to up the agents, all was
well. Haven't seen the error in the log since, and
Hi All,
As I continue to understand the proper use of rules, I still have a few
questions.
Given this list of files/directories that need to be monitored:
/opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p
/opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p
heh heh heh heh
no no no no problems problems problems problems here here here here either
either either either.
-macker -macker -macker -macker
On Tue, May 18, 2010 at 5:07 AM, Wim Remes wre...@gmail.com wrote:
yup, yup, yup and yup :-D
all joking aside. I don't have that problem, problem,