n merges the ossec.conf and agent.conf.
>> >> > Thanks all for the help!
>> >> >
>> >> > Eric
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsub
are subscribed to the Google
Groups ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
/securityonion/sguild.log
I'm not sure I understand. That log file should be created
automatically by sguild (not syslog-ng).
What exactly are you trying to do?
and end up in a loop.
-securityonion-web-page-package-adds.html
/os_zlib.c ../external/libz.a -lssl
-lcrypto -o agent-auth
https://launchpadlibrarian.net/186670618/buildlog_ubuntu-precise-amd64.ossec-hids-server_2.8.1-ubuntu10securityonion10_UPLOADING.txt.gz
On Tue, Oct 14, 2014 at 1:37 PM, Doug Burks doug.bu...@gmail.com wrote:
Yes, I'm fairly confident that our
, October 14, 2014 7:35:55 PM UTC+1, Doug Burks wrote:
Yes, just confirmed that our OSSEC package for Security Onion was
compiled with OpenSSL for ossec-authd. Here's the relevant snippet
from the buildlog:
*** Making os_auth ***
make[3]: Entering directory
`/build/buildd/ossec-hids-server-2.8.1
Thanks for releasing OSSEC 2.8.1 in response to CVE-2014-5284!
Will there be a 2.8.2 release with the TMP_FILE fix shown here?
http://www.ossec.net/?p=1135#comment-555
If so, is there an ETA for 2.8.2?
Thanks!
Hi Dan,
Yes, I like that, too.
Any idea when an official decision will be made?
Thanks,
Doug
On Wed, Sep 24, 2014 at 12:58 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Sep 24, 2014 at 12:51 PM, Doug Burks doug.bu...@gmail.com wrote:
Thanks for releasing OSSEC 2.8.1 in response to CVE-2014
to make it a •good• logging daemon.
Do we want to make this a •good• logging daemon tool and spend that time and
effort to build and support this feature set and direction?
My vote would be yes.
--
Doug Burks
http://securityonion.blogspot.com
and I
like the overall interface, but is not open source (and I think I'll
eventually hit the 500 MB/day ceiling), requires Flash to view any graphs
(seems counter-productive given all of the security issues the plugin has!)
and splunkd has crashed quite frequently on me.
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel artien@protopics.nl wrote:
Hello,
As test to replace our application and server monitoring software, I am
checking out OSSEC. I
Hi Holger,
Take a look at the email_maxperhour setting in ossec.conf:
http://www.ossec.net/main/manual/configuration-options
Regards,
On Thu, Nov 17, 2011 at 7:15 AM, Holger
SANS 434: Log Management In-Depth will soon have a dedicated OSSEC section. :)
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Wed, May 25, 2011 at 2:38 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 05/25/2011
to the ossec-analysisd
process shows that it's receiving syscheck info (filenames and hashes)
from some of the local files. (Of course, this doesn't cause the
agents to disconnect since it is a local installation and there are no
agents.)
Thanks,
100.000.017206292801 total
What else would you like to see?
Thanks,
On Thu, May 19, 2011 at 10:06 AM, Doug Burks doug.bu...@gmail.com wrote
Have you looked at the logall option?
http://www.ossec.net/main/manual/configuration-options
Regards,
On Thu, May 5, 2011 at 12:00 PM, Kat uncommon...@gmail.com wrote:
Hi all
Kat,
Is ossec-analysisd using a high percentage of CPU (more than 5%)?
That was what I experienced. Since I upgraded to CentOS (RHEL) 5.6, I
haven't seen the issue again.
Thanks,
have been upgraded to 5.6 and I haven't
seen the issue since.
On Wed, May 4, 2011 at 2:35 PM, dan (ddp) ddp...@gmail.com wrote:
Thanks for the heads up. I think I may have a copy
to have resolved it for me.
Thanks,
On Thu, Apr 21, 2011 at 11:33 AM, jjennings jjenni...@zoominternet.net wrote:
how many agents was the host monitoring? I'm monitoring about 20
I had two servers that were exhibiting this behavior (ossec-analysisd using
99% CPU resulting in agents disconnecting). They were both running CentOS
5.5 and I had verified that rebooting the server didn't help. As soon as
CentOS 5.6 became available, I upgraded and rebooted, and have not
Agreed. Any ideas on how to find out why analysisd is at 99% cpu? :)
Thanks,
Doug Burks
On Mon, Mar 14, 2011 at 3:04 PM, dan (ddp) ddp...@gmail.com wrote:
I'd start by trying to find out why analysisd is at 99% cpu.
On Fri, Mar 11, 2011 at 2:08 PM, Doug Burks doug.bu...@gmail.com wrote
Was there ever any conclusion on this problem? I have an OSSEC 2.5.1 server
with 43 agents. ossec-analysisd is using 99% CPU! Unix agents periodically
disconnect and will eventually reconnect. What can I do to troubleshoot
this further?
Thanks,
Doug Burks
and
lower the severity level to prevent Active Response
Regards,
On Tue, Feb 22, 2011 at 4:02 AM, Steve wardell.st...@gmail.com wrote:
I've been looking for a way to add domains
://securityonion.blogspot.com/2011/01/security-onion-20110101.html
Please let me know if you have any questions or suggestions.
Thanks,
We *do* have OpenLDAP configured to use syslog. This multi-line mess
is as good as it gets :)
Thanks,
Doug Burks
On Nov 20, 7:05 pm, Michael Starks ossec-l...@michaelstarks.com
wrote:
On 11/10/2010 02:12 PM, Doug Burks wrote:
Has anybody used OSSEC to monitor OpenLDAP logs? Specifically
Any ideas on this one?
Thanks,
Doug Burks
On Nov 12, 2:29 pm, dan (ddp) ddp...@gmail.com wrote:
What happens on the list stays on the list. ;)
On Thu, Nov 11, 2010 at 9:15 PM, Chris Decker deckmo...@gmail.com wrote:
I'm interested in such a decoder as well, so any effort expended to help
ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=99 op=6 RESULT
tag=97 err=0 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=99 op=7 UNBIND
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=99 fd=64 closed
Thanks,
Doug Burks
Is this a Linux box? If so, have you considered using the native
IPTables logging? It's easy to configure and OSSEC can read it by
default:
http://www.ossec.net/wiki/Know_How:Iptables_Config
Regards,
for providing this free software as a
service to the community.
Hear! Hear! Add our voices of thanks to the chorus! Thank you, Daniel -
John
This morning, McAfee Antivirus began deleting service-stop.exe on our
servers:
The file C:\Program Files\ossec-agent\service-stop.exe contains
Generic Downloader.x!eaf Trojan. The file was successfully deleted.
Is anybody else seeing this?
the VirusTotal report for service-stop.exe from
OSSEC Agent version 2.4.1 (0/42 AV vendors alert):
http://www.virustotal.com/analisis/173034447d2ce6cba0969a82afeac24050b835879bfa0c51bb5243cc184490d2-1279019047
Doug Burks
On Jul 13, 10:20 am, Doug Burks doug.bu...@gmail.com wrote:
This morning, McAfee
Hi Antony,
This appears to be a RedHat box of some kind (RHEL/CentOS/Fedora).
Check the yum repositories that are configured in /etc/yum.repos.d/
and verify that the host can access them.
Thanks,
--
Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Thu, Jun 10, 2010 at 1
Hi Ray,
Try something like this:
<rule id="101002" level="0">
  <if_sid>1002</if_sid>
  <program_name>^canitd</program_name>
  <match>HandleDictionaryAttacks: Running task HandleDictionaryAttacks completed</match>
</rule>
Please let us know whether or not that helps.
Thanks,
--
Doug Burks, GCIA, GSEC
Hi Jeremy,
You might want to take a look at the section titled Tweaking the
subject of mail notification at the following link:
http://www.ossec.net/wiki/Tweaking_OSSEC
Regards,
--
Doug Burks, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Tue, Apr 27, 2010 at 3:55 PM, Jeremy Bowers
I thought the same thing when I read that article :)
On Tue, Apr 13, 2010 at 4:10 PM, Martin West mar...@objectgizmos.com wrote:
http://blogs.zdnet.com/security/?p=6123tag=nl.e589
:-(
Martin West
CPU usage. Daniel is going to work on
improving the code that reads the fts-queue file.
Regards,
Doug Burks
http://securityonion.blogspot.com/
On Tue, Mar 9, 2010 at 2:41 PM, Doug Burks mub...@gmail.com wrote:
Hi Daniel,
Thanks for your response. We're running OSSEC 2.3 on CentOS 5.4
You only have to restart the server, not the clients.
The group tag is used for reporting and you can put whatever you want
in there.
Here's how I ignored Snort startup messages in my local_rules.xml:
<rule id="101007" level="2">
  <if_sid>1002</if_sid>
  <program_name>^snort</program_name>
The decoder puts snort in program_name. Perhaps match doesn't
apply to program_name. What happens if you use the program_name line
from my rule and NO match line?
Doug
On Mar 10, 1:54 pm, Jefferson, Shawn shawn.jeffer...@bcferries.com
wrote:
Ok, thanks! Do you see any problems with the rule
is exhibiting the same behavior; would it be affected by agents? Is
there any additional logging that I can enable to determine what is
taking so much time and CPU?
Thanks,
Doug Burks
On Mar 9, 7:41 am, Daniel Cid daniel@gmail.com wrote:
Hi Doug,
I have no clue to what might be going on... syscheckd
installs is instantaneous with no excessive CPU usage.
What would cause ossec-analysisd and ossec-logtest to hit 100% CPU
usage for 3 minutes? Any ideas, Daniel Cid?
Thanks,
Doug Burks
On Mar 4, 4:02 pm, Joshua Gimer jgi...@gmail.com wrote:
On Thu, Mar 4, 2010 at 12:11 PM, Doug Burks mub
the rule to local_rules.xml, is it necessary to
restart both the server and the agent? Or just one or the other?
3. Is there something obviously wrong with my rule that would prevent
it from matching the above log snippet?
Thanks,
Doug Burks
).
Is this normal?
Thanks,
Doug Burks
decoding and then make your new rule a child to
the final decoded event (18101 Windows Informational Event). Lesson
learned! Thanks for your help in resolving this issue!
Thanks,
Doug Burks
On Mar 4, 12:16 pm, dan (ddp) ddp...@gmail.com wrote:
On Thu, Mar 4, 2010 at 10:14 AM, Doug Burks mub