[ossec-list] Re: Is ossec reading my IIS logs?

2007-06-16 Thread Daniel Cid
Hi Steve, Did you restart the agent after adding the iis logs? Can you show us your agent ossec.log? Something must be in there. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 6/15/07, Steve West [EMAIL PROTECTED] wrote: Hi Rick, Yes, all options under Logging Properties have been

[ossec-list] Re: OSSEC Server Crashing on Solaris 9

2007-06-14 Thread Daniel Cid
can't find out what is going on with it, it would be nice to re-compile ossec with debug enabled to see what is going on... Thanks for the report, -- Daniel B. Cid dcid ( at ) ossec.net On 6/10/07, Erik Delfgaauw [EMAIL PROTECTED] wrote: Hi folks, OSSEC Server is crashing after some time

[ossec-list] Re: Fine tune syslog_rules.xml Rule 1002

2007-06-14 Thread Daniel Cid
/match descriptionEvents ignored./description /rule /group What does it mean? Every time the rule 1002 is matched, the above will be checked and if matched, ignore (see level = 0). For more info: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules Hope it helps. -- Daniel B. Cid dcid

[ossec-list] Re: File anomalies

2007-06-07 Thread Daniel Cid
/Know_How:Ignore_Rules hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 6/7/07, Clayton Dillard [EMAIL PROTECTED] wrote: Can someone provide some insight into why this alert is being fired? I get a lot of these alerts every day. Anomaly detected in file '/usr/local/apache2/htdocs/janeway

[ossec-list] Remote log injection paper

2007-06-06 Thread Daniel Cid
://denyhosts.sourceforge.net/ http://www.aczoom.com/cms/blockhosts http://www.fail2ban.org Link to the article: http://www.ossec.net/en/attacking-loganalysis.html Available patches: http://www.ossec.net/en/attacking-loganalysis.html#patches Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: regex question

2007-06-04 Thread Daniel Cid
-dcid.pdf hope it helps. -- Daniel B. Cid, dcid ( at ) ossec.net http://www.ossec.net On 6/3/07, David Williams [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Tim, I tried a similar regex without luck but then saw another way to do the same thing. You may want

[ossec-list] Re: OpenBSD 3.8, OSSEC 1.2 Problem

2007-05-31 Thread Daniel Cid
and re-issuing a new agent id. Re-import the keys into the server and see if it works now. *To calculate the msg id, do: (global_id -1) * + local_id. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 5/30/07, Michael Starks [EMAIL PROTECTED] wrote: Daniel Cid wrote: Hi Michael

[ossec-list] Re: alert fires at level 10 but doesn't do active response

2007-05-30 Thread Daniel Cid
already support horde imp, but I am looking to add support for more (like open webmail, round cube, uebimiau, etc). If you have logs for any of those, please send them to us. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/30/07, Peter Robinson [EMAIL PROTECTED] wrote: Hi I have had about

[ossec-list] Re: OpenBSD 3.8, OSSEC 1.2 Problem

2007-05-29 Thread Daniel Cid
Hi Michael, Can you show us what is in the server log file? Was the agent able to connect to the server afterwards, or is it still unavailable? What architecture are you running OpenBSD 3.8 on? If it is i386 it would not be an endianness issue... Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: How to replace hostname with IP in alerts?

2007-05-29 Thread Daniel Cid
on sshd: http://www.ossec.net/wiki/index.php/Sshd Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 5/26/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: When I get alerts I want to get the IP address in place of hostname. How to configure the ossec.conf for the same. Regards, DM

[ossec-list] Re: Ossec using 890k handles in windows

2007-05-26 Thread Daniel Cid
long to reply to you. I was without access to my windows development system for the last two weeks and unable to take a look at this issue. If you can try this version and let us know how it goes, it would be great. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/16/07, Luke Bradeen [EMAIL

[ossec-list] Re: Disable rootcheck / OSSEC inside openvz VPS

2007-05-26 Thread Daniel Cid
-070525.tar.gz Upgrade your ossec install to this one and the problem should go away (just choose upgrade option when you run ./install.sh). Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/22/07, Blaine Aldridge [EMAIL PROTECTED] wrote: ossec-execd was not running and refuses to start when

[ossec-list] Re: breakin?

2007-05-24 Thread Daniel Cid
-May/000129.html *Btw, I would suggest disabling it. The performance gain is very small compared to the security costs (not knowing exactly which files changed). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 5/23/07, Martin West [EMAIL PROTECTED] wrote: ossec just threw up some files

[ossec-list] Re: Behavior of MS Windows Agent

2007-05-24 Thread Daniel Cid
... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/23/07, Vazquez, Ed [EMAIL PROTECTED] wrote: Here's an odd one for you. Three different systems. One running Win2K3 Server on a quad Xeon, one running WinXP Pro x64 on a dual Athlon, one running Win2K3 Server x64 on a Core2 Duo. On all

[ossec-list] Re: Problem about no_log option in rule files

2007-05-22 Thread Daniel Cid
Hi Worawit, The no_log option means do not log (in archives or alerts log) at all. The reason we do that with firewall logs is because they are already logged (in a normalized way) at /var/ossec/logs/firewall/firewall.log Hope it helps to clarify. -- Daniel B. Cid dcid ( at ) ossec.net On 5

[ossec-list] Re: Disable rootcheck / OSSEC inside openvz VPS

2007-05-22 Thread Daniel Cid
. If it starts fine, just restart ossec and see if the problem persists... If that doesn't help, let us know and we will look deep into that :) Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/20/07, Blaine Aldridge [EMAIL PROTECTED] wrote: Hey all, I'm running OSSEC on an openvz-based VPS

[ossec-list] Re: Integrity Checking Not Working

2007-05-22 Thread Daniel Cid
and restarted apache? -Do you have any file at /var/ossec/queue/syscheck ? Can you show what is in there to us? -Are there any errors in the apache error log? At the ossec log (both server and agent side)? With that information we can start troubleshooting :) thanks, -- Daniel B. Cid dcid

[ossec-list] Re: My rule detects and alerts but doesn't block

2007-05-17 Thread Daniel Cid
regex offset=after_prematch^ (\d+.\d+.\d+.\d+)/regex ordersrcip/order /decoder I tried it here and it seemed to work. hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 5/15/07, Peter Robinson [EMAIL PROTECTED] wrote: Hi I've been trying to write a rule to detect and then block hosts

[ossec-list] Re: How to disable IP's trying brute force? Error Alert 10

2007-05-17 Thread Daniel Cid
Hi Thorne, You are right, ossec will by default block the ip address for only a limited period of time. Check at /var/ossec/logs/active-response.log for a list of IP addresses that were blocked. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 5/16/07, Thorne Lawler [EMAIL PROTECTED

[ossec-list] OSSEC Version 1.2 available

2007-05-15 Thread Daniel Cid
) = 831b03059f279132a4b26f2debd443fff294cb5a MD5 (ossec-agent-win32-1.2.exe) = e9bede4e84b1445ad67a1739564fafad SHA1 (ossec-agent-win32-1.2.exe) = 84f443f2df268096775c56c6d8cab3de0cff59dd We want to thank everyone who contributed or just sent some comments or nice words to us! We really appreciate the feedback! -- Daniel B. Cid

[ossec-list] Re: Firewall active response

2007-05-11 Thread Daniel Cid
. -- Daniel B. Cid dcid ( at ) ossec.net On 5/9/07, Dimitri Yioulos [EMAIL PROTECTED] wrote: Hi, folks. Even though I've been using O-H for a while now, I still think I have this screwed up: I want to use the firewall active response. However, it doesn't seem to be working. My firewall

[ossec-list] Re: IIS 6 log decoder issue

2007-05-04 Thread Daniel Cid
for urls (actually all of them on ossec) are case insensitive already. So SeLect, SELECT or select will all be treated the same way. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/4/07, Worawit Wang [EMAIL PROTECTED] wrote: Hi all, I've just found a bug in decoder.xml, named web-accesslog-iis6

[ossec-list] Re: [ossec-dev] Possible rootkit false positive for Debian? - Advice

2007-05-02 Thread Daniel Cid
Hi Tommy, You don't need to worry about this alert because it is a false positive. The following signature was removed already from ossec... Upgrade to our latest snapshot if you want to try it out: http://www.ossec.net/files/snapshots/ Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/2

[ossec-list] Re: SSH Brute Force Attacks and Alerting

2007-05-02 Thread Daniel Cid
/if_matched_sid descriptionSSHD brute force trying to get access to /description descriptionthe system./description optionsno_email_alert/options groupauthentication_failures,/group /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 5/2/07, Ben Ruset [EMAIL PROTECTED] wrote: Well

[ossec-list] Re: Error: unable to send message to server

2007-05-01 Thread Daniel Cid
... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/1/07, List Subscriptions [EMAIL PROTECTED] wrote: Daniel, After several days this issue still exists. I have been monitoring the interface statistics and I'm not even close to saturating the link. Any ideas? On 4/27/07, List Subscriptions

[ossec-list] Re: Log format question

2007-05-01 Thread Daniel Cid
Hi John, Posting your log samples in the wiki is the best way to share them with us. You can probably create an entry for that Linux distribution at: http://www.ossec.net/wiki/index.php/Log_Samples Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 5/1/07, John Lewis [EMAIL PROTECTED] wrote

[ossec-list] Re: Log format question

2007-04-30 Thread Daniel Cid
(from sshd, etc), I can make sure to test them too. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/27/07, John Lewis [EMAIL PROTECTED] wrote: I'm running several servers using the smeserver linux distro (http://wiki.contribs.org/Main_Page) based on centos. I've noticed many

[ossec-list] Re: Client Key Management

2007-04-30 Thread Daniel Cid
. -Wolfsheim, 'Blind' *I am glad to see you guys from the NIH using ossec :) I worked at the NIH/NHLBI department a few years ago ... Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Windows Firewall and OSSEC

2007-04-28 Thread Daniel Cid
* 0/1/0 (79) Hope it helps, -- Daniel B. Cid dcid ( at ) ossec.net On 4/27/07, Michael Starks [EMAIL PROTECTED] wrote: List Subscriptions wrote: The windows firewall is a one-way firewall that only blocks incoming traffic. Since the agent is using UDP to forward to the server no exception

[ossec-list] Re: Error: unable to send message to server

2007-04-25 Thread Daniel Cid
to check your network (not the server itself), to see if you don't have any connectivity issues (I have servers monitoring a much larger number of agents and never had these errors). Btw, does the problem still persist or is it gone? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 4/25/07, List

[ossec-list] Re: IIS log fields

2007-04-23 Thread Daniel Cid
Yes, it should work. The examples on the manual are for IIS 5 and the order you have is for IIS 6. If you can take a couple of screenshots from the IIS 6 setup, I will post on the site. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 4/23/07, List Subscriptions [EMAIL PROTECTED] wrote:

[ossec-list] Re: Clarification of agents behind NAT's

2007-04-23 Thread Daniel Cid
know which IP is being used, just try to connect to the server from the agent and run tcpdump on the server side to see ... Hope that helps clarify... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 4/23/07, John Lewis [EMAIL PROTECTED] wrote: Could I get some help clarifying how to set up

[ossec-list] Re: another local_rules.xml question

2007-04-20 Thread Daniel Cid
However, if you can't re-configure IIS for any reason, try removing the spaces from your local rule (your log does not have spaces before pageerror) and restarting ossec. from: match pageerror.aspx /match to: matchpageerror.aspx /match Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4

[ossec-list] Re: IIS rule to alert on blank cs-host

2007-04-20 Thread Daniel Cid
-host. A simple way to do it is with the following regex (just create a local rule using that): regexHTTP/1.0 \d+.\d+.\d+.\d+ \S+/regex Basically it looks for the http version followed by a cs-host that is composed of an IP address. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/19/07

[ossec-list] Re: Waiting for server reply (not started)

2007-04-19 Thread Daniel Cid
the manage_agents tool again and making sure the authentication keys match. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/19/07, Tim [EMAIL PROTECTED] wrote: On Apr 19, 1:58 pm, Jeremy Melanson [EMAIL PROTECTED] wrote: You probably need to reload the OSSEC Server. After you add the host

[ossec-list] Re: Mod Security 2.1.x

2007-04-14 Thread Daniel Cid
Hi Sioban, I had blocked all editing on the wiki for reasons of vandalism ( http://www.ossec.net/dcid/?p=70 ), but it should be open now. I already committed your changes to CVS and it will be included on the next release. Thanks for the help! -- Daniel B. Cid dcid ( at ) ossec.net On 4/13

[ossec-list] Re: timestamp for modified files

2007-04-14 Thread Daniel Cid
to track valid file changes. Thanks. -- Daniel B. Cid dcid ( at ) ossec.net On 4/13/07, Chad Rober [EMAIL PROTECTED] wrote: I've noticed the time a notification is sent regarding file with a different checksum can be greatly different from the actual time the file changed. I'll assume this is due

[ossec-list] Re: adsl rule

2007-04-08 Thread Daniel Cid
to: rule id=101000 level=0 noalert=1 program_namekernel/program_name descriptionGrouping for the adsl rules./description /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/7/07, Martin West [EMAIL PROTECTED] wrote: I wrote a rule group name=local,syslog, rule id

[ossec-list] Re: SVN v. OSSEC

2007-04-08 Thread Daniel Cid
/url descriptionIgnored 404 error codes for url svn/trunk/description /rule You can also use the srcip or username tags to refine it even further ... *Some information regarding local rules: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules Hope it helps. -- Daniel B. Cid dcid

[ossec-list] Re: IIS logging question

2007-04-06 Thread Daniel Cid
://www.ossec.net/img/w3c-log.jpg http://www.ossec.net/img/w3c-opt1.jpg http://www.ossec.net/img/w3c-opt2.jpg As soon as you fix it, ossec will parse them properly (as web logs). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/6/07, Chad Rober [EMAIL PROTECTED] wrote: I recently setup

[ossec-list] Re: Possible kernel level rootkit and wui0.2

2007-04-05 Thread Daniel Cid
Hi Sebastian, Did you restart apache after adding www-data to the ossec group? Apache will only use the additional group after it... Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/5/07, Sebastian Esch [EMAIL PROTECTED] wrote: ok. I checked the permissions and the group ossec

[ossec-list] Re: ossec-wui v0.2

2007-04-05 Thread Daniel Cid
the problem, check if SELinux is enabled and blocking the access... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 4/2/07, Chris Rimondi [EMAIL PROTECTED] wrote: I have tried to install ossec-wui v.0.2 on a CentOS box. I am getting the No Agent Available on the main page. I have OSSEC v1.1 running

[ossec-list] Re: HP-UX process lock / Incorrectly formatted message question

2007-04-03 Thread Daniel Cid
version). Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 4/3/07, Nick Baronian [EMAIL PROTECTED] wrote: Hello, I have an agent on a HP-UX 11i box that is generating some odd things in the logs and I was hoping someone might be able to help me figure out what might be wrong. After install I

[ossec-list] Re: ossec and splunk

2007-04-02 Thread Daniel Cid
to receive remote messages and configure ossec and splunk to read from the files directly. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 4/2/07, List Subscriptions [EMAIL PROTECTED] wrote: I'm running both ossec and splunk and want both to have access to syslog sources but it seems

[ossec-list] Re: Pushing Policies

2007-03-31 Thread Daniel Cid
/ossec/etc/shared ). Regarding the log analysis signature updates, we generally release them with each new release (+- every 2 months), and you only need to update them on the server. However, we are working on some form of dynamic update for them ... Hope it helps. -- Daniel B. Cid dcid

[ossec-list] Re: Cisco Routers

2007-03-28 Thread Daniel Cid
Hi Nuno, We currently do not have any *rules for Cisco IOS routers. If you have logs to share with us, we can add support for it very easily (anyone else with additional logs to share would be even better). *we have rules for the IDS module for IOS, but nothing else... Thanks, -- Daniel B

[ossec-list] Re: expire rules

2007-03-28 Thread Daniel Cid
with an issue on a Wednesday, you can set the weekday to it and prepend XXX to the description so you can easily grep for rules with the XXX to fix them later... Just some workarounds that may help. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 3/28/07, Nicolas Arias [EMAIL PROTECTED] wrote: Hello

[ossec-list] Finding ADS on NTFS (yes, rootkit detection on windows coming to OSSEC)

2007-03-25 Thread Daniel Cid
This tool will be the basis for the ossec NTFS ADS detection on ossec ... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Invalid Hostname when using syslog-ng?

2007-03-22 Thread Daniel Cid
Btw, did anyone else have this problem? I am wondering if I should make this the default behavior on ossec Any other syslog-ng user here? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 3/21/07, Matthew Hilty [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi OSSEC

[ossec-list] Re: Ignore list

2007-03-18 Thread Daniel Cid
database for a specific system. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 3/18/07, Marco Supino [EMAIL PROTECTED] wrote: Hi, When adding ignore to ossec, should it be on the agent or on the server ? Also, what does syscheck_update do ? Marco.

[ossec-list] Re: Moving server

2007-03-17 Thread Daniel Cid
. *It shouldn't affect rids or anything related to the agents. It is all stored under /var/ossec. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 3/17/07, Michael Starks [EMAIL PROTECTED] wrote: Michael Starks wrote: I would do a fresh install so that it creates the startup scripts, users

[ossec-list] Re: how to send mail alert using a different program than ossec-maild?

2007-03-16 Thread Daniel Cid
, but that will be in a future version (1.2 and above).. *Btw, the current ossec-maild works fine with gmail SMTP (I used it all the time), since you are not required to use TLS for it. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 3/15/07, Thanh Han The [EMAIL PROTECTED] wrote: Hi list

[ossec-list] OSSEC Version 1.1 is available.

2007-03-10 Thread Daniel Cid
-agent-win32-1.1.exe) = 2401fa249de7d0bafb07259c5838674e9b7785bd We want to thank everyone who contributed or just sent some comments or nice words to us! We really appreciate the feedback! -- Daniel B. Cid (in name of the OSSEC team). dcid ( at ) ossec.net

[ossec-list] Re: OSSEC 1.1 BETA2 available

2007-03-05 Thread Daniel Cid
There is no uninstall function for Unix (for Windows there is). You need to delete /var/ossec, /etc/ossec-init.conf and remove the ossec users... Thanks for testing the beta! Daniel On 3/4/07, Martin West [EMAIL PROTECTED] wrote: On Sat, 2007-03-03 at 20:53 -0400, Daniel Cid wrote: If you

[ossec-list] Re: ossec as syslog?

2007-03-03 Thread Daniel Cid
to the ossec server, you can configure ossec to use any of the three methods above or keep using syslog-ng and configure the ossec server to read the log files directly... Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/28/07, Nicolas Arias [EMAIL PROTECTED] wrote: Hello list!, how are you

[ossec-list] Re: Separate email_to addresses per agent?

2007-02-25 Thread Daniel Cid
on weekends if it's a big problem, and if I'm likely sleeping, it had better be a real big problem! :) We will keep this in mind for the next version... One feature at a time :) Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Overriding Frequency Rules

2007-02-24 Thread Daniel Cid
if_matched_sid18106/if_matched_sid descriptionMultiple Windows Logon Failures./description groupauthentication_failures,/group /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/20/07, Michael Starks [EMAIL PROTECTED] wrote: I am having a problem ignoring or otherwise

[ossec-list] Re: Quick Active Response Question

2007-02-24 Thread Daniel Cid
Hi Kurt, The all option means all connected agents, but not the server. However, on 1.0 there was a bug that it was also firing on the server (it is fixed on the latest beta). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/22/07, Kurt [EMAIL PROTECTED] wrote: I wanted to know

[ossec-list] Re: Separate email_to addresses per agent?

2007-02-24 Thread Daniel Cid
want to set email_maxperhour in the global config to a very high value ()... http://www.ossec.net/en/manual.html#global_options Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/18/07, Warren Petrofsky [EMAIL PROTECTED] wrote: We are installing ossec agents on a ton

[ossec-list] Re: Problems faced with OSSEC.

2007-02-21 Thread Daniel Cid
for these queries. Any help would be highly appreciated. Thanks, Pankaj P. I hope it helps. If you can send your config (and your client.keys file) and the ossec.log we can see what is going on (please, use the gz format)... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Still getting those smbd alerts I am trying to ignore

2007-02-17 Thread Daniel Cid
smbd denied connection from/description /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/17/07, Kayvan A. Sylvan [EMAIL PROTECTED] wrote: On Sat, Feb 17, 2007 at 05:23:36PM -0500, Michael Starks wrote: Kayvan A. Sylvan wrote: My local_rules.xml contains these snippets

[ossec-list] Re: No client configured. Exiting.

2007-02-17 Thread Daniel Cid
Hi OlRoy, By default the server does everything that the agent does, so there is no need to install both. If you want ossec in just one box, choose the local install. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/17/07, OlRoy OlRoy [EMAIL PROTECTED] wrote: Hey Daniel, I've

[ossec-list] Re: Hmmm... More on ignoring certain alerts

2007-02-16 Thread Daniel Cid
://www.ossec.net/wiki/index.php/FAQ Thanks, -- Daniel B. Cid dcid ( at ) ossec.net Feb 16 09:52:21 server smbd[14947]: Denied connection from (0.0.0.0) On 2/16/07, Kayvan A. Sylvan [EMAIL PROTECTED] wrote: On Fri, Feb 16, 2007 at 01:30:13PM -0500, Mark Haney wrote: Kayvan A. Sylvan wrote

[ossec-list] Re: No client configured. Exiting.

2007-02-16 Thread Daniel Cid
have the client config in your agent: http://www.ossec.net/en/manual.html#client_options Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/16/07, OlRoy OlRoy [EMAIL PROTECTED] wrote: I'm using OSSEC v1.0 running on OpenBSD 4.0, and am following this tutorial for OSSEC v.9 on FreeBSD 6.1

[ossec-list] Re: How to modify the rules with a local_rules.xml?

2007-02-14 Thread Daniel Cid
/description /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/14/07, Kayvan A. Sylvan [EMAIL PROTECTED] wrote: I thought I had an answer for this before, but I can't find it. I have an alert that fires off all the time: OSSEC HIDS Notification. 2007 Feb 14 16:15:03

[ossec-list] Re: Decoder patch of OSSEC v1.0 for snort log decoding

2007-02-10 Thread Daniel Cid
to be: Feb 10 16:58:32 hostname snort[3769]: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 - 10.4.10.231 162 Just curious if other people might be affected by this issue. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 2/2/07, John Li

[ossec-list] Re: Question

2007-02-10 Thread Daniel Cid
level=0 if_sid18106/if_sid id^675/id matchFailure Code:0x19/match /rule Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/9/07, Nicolas Arias [EMAIL PROTECTED] wrote: This is the line that is filling my mailbox with rule 8152 fired (level 10) - Multiple Windows Logon Failures: Feb
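
The two rule mechanisms that recur in the replies above, a level-0 child rule keyed on if_sid that silences a parent (the "Question" and "Fine tune syslog_rules.xml Rule 1002" threads) and a composite if_matched_sid frequency rule (the "SSH Brute Force Attacks and Alerting" and "Overriding Frequency Rules" threads), modelled as a small Python evaluator run over constructed sshd lines. This is an added example, not OSSEC's own code: the rule ids 100010-100012, the decoder, the sample log lines and the evaluation order are assumptions for illustration, and it uses Python's `re` rather than OSSEC's own regex dialect (documented under Know_How:Regex_Readme on the wiki).

```python
"""Added example (not OSSEC code): toy model of OSSEC-style rule evaluation.
A level-0 <if_sid> child silences its parent and keeps the event out of a
composite <if_matched_sid> frequency count. Ids, decoder and logs are assumed."""
import re
from collections import defaultdict, deque

# Assumed sshd decoder in the spirit of OSSEC's <regex>/<order> pair. Python `re`
# syntax is used here; OSSEC has its own dialect (Regex_Readme on the wiki).
DECODER = {
    "program_name": "sshd",
    "regex": re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"),
    "order": ("dstuser", "srcip"),
}

# Hypothetical local rules (ids in the 100000+ local range, not OSSEC's own ids).
RULES = [
    {"id": 100010, "level": 5, "decoded_as": "sshd", "match": "Failed password",
     "description": "sshd: authentication failed"},
    {"id": 100011, "level": 0, "if_sid": 100010, "srcip": "10.0.0.5",
     "description": "ignore failures from the internal scanner"},
    {"id": 100012, "level": 10, "if_matched_sid": 100010, "frequency": 6,
     "timeframe": 120, "same_source_ip": True,
     "description": "sshd brute force: 6 failures in 120s from one source"},
]

SYSLOG_RE = re.compile(r"^(\S+)\[\d+\]: (.*)$")


def decode(line):
    """Split 'prog[pid]: message', run the decoder and return the event fields."""
    m = SYSLOG_RE.match(line)
    if not m or m.group(1) != DECODER["program_name"]:
        return None
    event = {"decoded_as": DECODER["program_name"], "full_log": line}
    r = DECODER["regex"].search(m.group(2))
    if r:
        event.update(zip(DECODER["order"], r.groups()))
    return event


def _matches(rule, event):
    """The subset of OSSEC rule conditions this toy supports: decoded_as, match, srcip."""
    return (event.get("decoded_as") == rule.get("decoded_as", event.get("decoded_as"))
            and rule.get("match", "") in event["full_log"]
            and event.get("srcip") == rule.get("srcip", event.get("srcip")))


class Engine:
    def __init__(self, rules):
        self.top, self.children, self.composites = [], defaultdict(list), defaultdict(list)
        for r in rules:
            if "if_sid" in r:
                self.children[r["if_sid"]].append(r)
            elif "if_matched_sid" in r:
                self.composites[r["if_matched_sid"]].append(r)
            else:
                self.top.append(r)
        self.history = defaultdict(deque)   # alerted events per base sid: (ts, srcip)

    def process(self, ts, line):
        """Return (sid, level, description) for the alert this line raises, or None."""
        event = decode(line)
        if event is None:
            return None
        for base in self.top:
            if not _matches(base, event):
                continue
            # the first matching child rule refines (here: silences) the parent
            fired = next((c for c in self.children[base["id"]] if _matches(c, event)), base)
            if fired["level"] == 0:
                return None     # ignored: no alert, and not counted by composite rules
            hist = self.history[base["id"]]
            hist.append((ts, event.get("srcip")))
            for comp in self.composites[base["id"]]:
                window = [h for h in hist if ts - h[0] <= comp["timeframe"]
                          and (not comp.get("same_source_ip") or h[1] == event.get("srcip"))]
                if len(window) >= comp["frequency"]:
                    for h in window:            # consume the burst so it alerts once
                        hist.remove(h)
                    return (comp["id"], comp["level"], comp["description"])
            return (fired["id"], fired["level"], fired["description"])
        return None


# Constructed sample input (not real captures): (seconds, syslog line sans timestamp/host)
SAMPLE_LOGS = [
    (0, "sshd[2001]: Failed password for root from 203.0.113.9 port 40001 ssh2"),
    (5, "sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2"),
    (9, "sshd[2003]: Failed password for root from 10.0.0.5 port 33000 ssh2"),
    (20, "sshd[2004]: Failed password for root from 203.0.113.9 port 40003 ssh2"),
    (40, "sshd[2005]: Failed password for root from 203.0.113.9 port 40004 ssh2"),
    (60, "sshd[2006]: Failed password for root from 203.0.113.9 port 40005 ssh2"),
    (80, "sshd[2007]: Accepted password for alice from 192.0.2.7 port 50000 ssh2"),
    (100, "sshd[2008]: Failed password for root from 203.0.113.9 port 40006 ssh2"),
    (110, "sshd[2009]: Failed password for root from 203.0.113.9 port 40007 ssh2"),
]


def run(logs=SAMPLE_LOGS):
    """Feed the lines through a fresh engine; returns [(ts, alert_or_None), ...]."""
    engine = Engine(RULES)
    return [(ts, engine.process(ts, line)) for ts, line in logs]
```

Calling `run()` on the sample shows the scanner's failure at t=9 producing no alert at all, the sixth failure from 203.0.113.9 at t=100 escalating to the composite level-10 rule, and the base level-5 alert resuming afterwards. The point worth keeping in mind when writing a level-0 ignore rule is the second effect: the ignored event is also dropped from the frequency count, so an over-broad ignore rule silently weakens the brute-force rule built on top of the same parent.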

[ossec-list] Re: regex problem in OSSEC?

2007-02-08 Thread Daniel Cid
tag, but with a slower algorithm (for regex matching)... Can you give us more information? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 2/8/07, Mark Haney [EMAIL PROTECTED] wrote: I've encountered what I think is a problem in OSSEC with regular expressions. I have a rule that looks like

[ossec-list] Re: regexp syntax?

2007-02-04 Thread Daniel Cid
support: http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 2/2/07, Sergey Zhumatiy [EMAIL PROTECTED] wrote: Hello! Where can I find full syntax for ossec regexps? It seems to be not fully compatible with POSIX and not fully

[ossec-list] List down (testing)...

2007-01-31 Thread Daniel Cid
Looks like googlegroups is having problems and all messages are being dropped... Testing if it is now working...

[ossec-list] Re: List down (testing)...

2007-01-31 Thread Daniel Cid
-list , please re-send. Thanks and sorry for any problem.. -- Daniel B. Cid dcid ( at ) ossec.net On 1/31/07, Daniel Cid [EMAIL PROTECTED] wrote: Looks like googlegroups is having problems and all messages are being dropped... Testing if it is now working...

[ossec-list] Re: Stuck Agent?

2007-01-30 Thread Daniel Cid
Hi Tommy, A complete uninstall is not required. Just remove the agent name from the /var/ossec/queue/agent-info/ directory. Manage_agents was supposed to remove it, but for some reason it is not (I will fix it in the code later). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/30

[ossec-list] Re: Log host?

2007-01-29 Thread Daniel Cid
that ossec is meant to be a log analysis engine, so you will not have as many options regarding how to archive your logs. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/29/07, John J. Culkin [EMAIL PROTECTED] wrote: Can OSSEC act as a centralized log host for linux machines? Or should I

[ossec-list] Re: RootCheck and Oracle - Disable RootCheck on specific interface?

2007-01-29 Thread Daniel Cid
, Daniel B. Cid dcid ( at ) ossec.net On 1/29/07, Jeremy Melanson [EMAIL PROTECTED] wrote: Hello all. I have several machines in a high-capacity Oracle database environment that I have running with OSSEC. The machines have a separate, dedicated network for that Oracle uses for heartbeat

[ossec-list] OSSEC Logo/Mascot contest

2007-01-28 Thread Daniel Cid
and/or mascot for the ossec project. This logo (or mascot) will be the official symbol of the ossec project and our new face. If you are interested, check the following link: http://www.ossec.net/wiki/index.php/CContest Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Agent issue

2007-01-25 Thread Daniel Cid
). -Make sure your agent firewall allows UDP 1514 outbound connections to the server (using proper stateful filtering to allow replies back). -Do the proper port forwarding/natting in the external firewall to the ossec server. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/25/07

[ossec-list] Re: Specifying log format for Lotus Domino Web logs

2007-01-24 Thread Daniel Cid
one has a specific function to read them... **log_format is only used by logcollector (telling it how to read the file), and does not change the way the message is analyzed. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/24/07, Black CryptoKnight [EMAIL PROTECTED] wrote: What

[ossec-list] Re: agent troubles

2007-01-24 Thread Daniel Cid
information (like your ossec config, parts of the log, etc) ... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/24/07, Magnus Egilsson [EMAIL PROTECTED] wrote: Hi Has anyone experienced not being able to add more than 5 agents to the server? After restart I can see number six added

[ossec-list] Re: active response

2007-01-23 Thread Daniel Cid
after 60 failed attempts). You can keep the old rule and it is only going to show up after the 6 failed login attempts, but only reporting the last log received... I have a fix ready for that if you are interested. thanks, norm Hope it clarifies a bit.. -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: WebUI problems

2007-01-19 Thread Daniel Cid
apache to chroot to /var instead of /var/www (lot of work). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/19/07, Blot Nicolas [EMAIL PROTECTED] wrote: Hi all, I just discovered OSSEC and its WebUi but I'm having troubles with webui. I run Ossec server and webui on an OpenBSD 4.0

[ossec-list] Re: Local rules ignore problem

2007-01-19 Thread Daniel Cid
: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 253 to 252|Unable to connect to shock.cloudmark.com|^MDLOG,\w+,drop,Bad html: Image cidN/regex Hope it helps.. -- Daniel B. Cid dcid ( at ) ossec.net On 1/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi. I was using

[ossec-list] Re: Windows Agent Syscheck Frequency

2007-01-18 Thread Daniel Cid
changed in the code, if you want. I just don't think it is a good idea (at least for most cases)... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/18/07, Rob [EMAIL PROTECTED] wrote: Hey all, Read the docs and saw the default frequency for syscheck to run is 7200 seconds

[ossec-list] Re: support for custom ids log

2007-01-18 Thread Daniel Cid
,id,system_name/fts /decoder It is basically going to create an FTS entry whenever it sees for the first time an IDS id + system name combination. You can leverage that to add source ips, protocols, usernames, etc... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/17/07, shawn reed [EMAIL

[ossec-list] Re: Question about the UDP communication protocol

2007-01-17 Thread Daniel Cid
it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/16/07, cfactor [EMAIL PROTECTED] wrote: Hello All. I only just found out about OSSEC today through the ISC diary. From what I've read, it all seems very cool. Before I start playing around with it, I have a question about the communication

[ossec-list] Re: updated log support

2007-01-17 Thread Daniel Cid
interesting entry missing, please let us know. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/15/07, Dennis Borkhus-Veto [EMAIL PROTECTED] wrote: Could you tell me what format I should list for the routing and remote access logs? Sincerely Dennis Borkhus-Veto Systems Administrator MEE

[ossec-list] Re: OSSEC Version 1.0 is available

2007-01-17 Thread Daniel Cid
all the data, etc). Is that what you meant? I initially got the impression that you wanted the agents to be able to forward messages to more than one server (HA style), but the bug says it differently... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/15/07, Leonardo Goldim [EMAIL PROTECTED

[ossec-list] OSSEC Version 1.0 is available

2007-01-14 Thread Daniel Cid
(ossec-agent-win32-1.0.exe) = 9dd53252ebfb31dd00f8d67c98f6d2a65115d368 Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Feature Request - Solution for using OSSEC and NAT

2007-01-10 Thread Daniel Cid
: 192.168.2.0/24 (always using the whole network as the ip) Since the ossec server is going to see them as if they were coming from the nat server (192.168.2.x ip), it should work. Make sure to use one separate key for each agent... Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: OSSEC on IPCop

2007-01-07 Thread Daniel Cid
the preloaded-vars.conf file properly (for the binary install): USER_BINARYINSTALL=y USER_DIR=/var/log/ossec *This work is only necessary on binary installs. For everyone else, just using the install.sh script should be fine. Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 1/7/07, Michael

[ossec-list] Re: OSSEC on IPCop

2007-01-04 Thread Daniel Cid
glibc/gcc major version and share the same architecture (i386 or amd64, etc)... Hope it helps... -- Daniel B. Cid dcid ( at ) ossec.net On 1/3/07, Michael Starks [EMAIL PROTECTED] wrote: Black CryptoKnight wrote: I think when the smoothwall and IPCop guys are doing their mods, many do

[ossec-list] Re: Web UI problem

2007-01-04 Thread Daniel Cid
Hi John, Do you have OSSEC 0.9-3 (or higher snapshot) installed? We added the group information on 0.9-3 and the web ui requires that. Can you check that for us? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/3/07, John Mothershead [EMAIL PROTECTED] wrote: Greetings, I have the exact

[ossec-list] Ossec web ui (beta 2) available.

2007-01-02 Thread Daniel Cid
/ossec-wui-0.1-BETA2.tar.gz Installation instructions: http://www.ossec.net/dcid/?p=26 Let us know of any problems. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Rule 14

2007-01-02 Thread Daniel Cid
, can you show us what is causing these alerts? Maybe there is a false positive on rootcheck that we need to fix. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 1/2/07, jalal [EMAIL PROTECTED] wrote: So, ossec is setup and ticking along nicely. The only fly in the ointment is emails I get about

[ossec-list] Registry monitoring on ossec (input request)

2007-01-02 Thread Daniel Cid
comments... *btw, next version (1.0) is coming soon... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Problem trying out ossec

2006-12-20 Thread Daniel Cid
Hi Tim, Can you show us your ossec config and your ossec log*? It looks like that you have a configuration error and ossec is not handling it very well. *The files we need are: /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 12/19

[ossec-list] Re: ossec.conf for many, many logs

2006-12-20 Thread Daniel Cid
*: http://www.ossec.net/files/snapshots/ossec-hids-061221.tar.gz *Always make sure to check for new versions at http://www.ossec.net/files/snapshots/ before downloading. *Snapshots are not official releases, but somewhat stable (tested in a few systems). Thanks, -- Daniel B. Cid dcid

[ossec-list] Re: Web UI problem

2006-12-06 Thread Daniel Cid
Hi Kurt, Can you try restarting your webserver? Sometimes it will only use the new group information after you restart it. In addition to that, do you see anything in the apache error logs? *I need to test it with PHP 5 to make sure it works... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net

[ossec-list] Re: Trouble with E-mail Alerts

2006-12-04 Thread Daniel Cid
it is not required to match the source ip address (or real hostname of the system). *The SMTP session is very simple and it follows the RFC correctly. Since it is failing on the helo command, I am guessing on an access control issue on the mail server. Thanks, -- Daniel B. Cid dcid

[ossec-list] Re: Windows Agent Stops Unexpectedly

2006-12-04 Thread Daniel Cid
/log_format /localfile /ossec_config Let me know if this fixes your problem. If not, we will need to keep digging. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 11/29/06, Rob [EMAIL PROTECTED] wrote: Here's the agent config and log. I've checked to make sure nothing was running. I ran

[ossec-list] no mail servers

2006-12-01 Thread Daniel Guido
I'm using OSSEC on a closed network with no mail servers on it. I've only ever gotten OSSEC reports by e-mail, how do you read the reports locally? -- Dan Guido
