Hi, I run a minor website http://socct.org, unfortunately the acronym
coincides with https://www.wikileaks.org/wiki/SOCCT_(military). For the
last two days the site is taking a multiple site brute force attacks. Apart
from changing our name, any suggestions? I have added an extension rule to
<alberto.rodrig...@wazuh.com>
wrote:
> Hello Martin
>
> If you are referring to include the archive logs (system log files,
> program log files, etc) you only need to monitor an empty file with Ossec,
> and then add all contents of your file inside this file: i.e. cat
> old_log_fi
Hello,
I'm getting a bit lost with the port opening for ossec.
Let's say I have 3 machines running on ubuntu 16.04. I do a fresh install
of OSSEC manager on the machine A and a fresh install of ossec agent on
both B & C.
Now I want to register my machines B & C using ossec-authd;
I have
Hello,
Thank you for your answers!
This is finally working, what I had to do was to allow the traffic through
1514 with the following ;
*On the agent :*
- sudo iptables -D INPUT -j DROP
- iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
- iptables -A INPUT -p UDP --dport
Hello Victor,
I tried to run a second manager and I've the same file
/var/ossec/etc/client.keys
on it and on the first manager. I've copied the local_rules, ossec.conf,
local_decoder as well.
And I've specified on the agents to listen on him as you told me ;
10.0.0.1 10.0.0.2
My first
Is it possible to deploy them (agents) easily via chef?
Thank you again for your answers!
Best regards.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to
I know it is possible with "Unattended Source Installation" but I'd still
have to add these agents manually on the manager, or is there another way? :)
Hi Victor,
Now that I know it is possible to have a second manager in case the first
one stops running. I'm wondering, is there a proper way to copy the first
manager to duplicate it? Like that, I won't have to configure the second
manager as I did with the first one.
And I was looking as well
Hello everyone,
I was wondering, what happens if the "manager" bugs / shuts down?
It might sound stupid but what behavior will the agents have? Will they
make my server bug, consume too much cpu/ram or try to send messages all
the time etc?
Is there a way to have a second manager as a
Indeed it was evaluated first because the level of the rule 2501 (5) is
higher than my rule.
Thank you for your answer!
Oh ok, thank you, you made it clear for me!
Hello,
I've these kinds of logs coming from a custom app
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
> [] []
I'm trying to block an ip with too many authentication failures.
So I did a custom decoder which is working ;
^\p\d\d\d\d-\d\d-\d\d
OK, the problem was that I thought that "all" as stated
in the doc would execute the command everywhere (meaning on all the agents
& the server).
But "all" means all the agents except the server.
In order to execute the command on all the agents and the server, I had to
duplicate the
Hello,
It is working now, I've reinstalled my set-up. And after having modified the
files, I did: */var/ossec/bin/ossec-control restart* on the server and all
the agents. Before, I was doing this on the server only and
*/var/ossec/bin/agent_control -R* for the agents (but maybe my files were
attempts ..
On Wednesday, March 15, 2017 at 19:01:37 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Mar 15, 2017 at 7:25 AM, Martin <mart...@gmail.com >
> wrote:
> > Hello,
> >
> > First, I'm sorry if the question has already been asked.
> >
> > So what i'm try
Hello,
First, I'm sorry if the question has already been asked.
So what i'm trying to achieve is this ;
If someone fails to log in too many times on one of my agents, I want this ip
to be dropped on all other agents and the server.
Same goes the other way around if someone tries on the server i
Hello,
I have this problem, you could say. I need Ossec to crunch modified logs
(syslogs). Our syslog message is as follows.
*Example message:*
[syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control
channel, closing connection;
*Format:*
[TAG] syslog_timestamp syslog_host
Never mind, I see I need to run version *v2.9.0beta05*.
Thanks!
On Monday, August 15, 2016 at 5:35:20 PM UTC+2, Martin Dulovič wrote:
>
> Thanks for a quick response!
>
> Today I installed the latest version (2.8.3) and alert still look like
> this:
>
>
> <132>
su[12372]: + /dev/pts/3 root:root
On Monday, August 15, 2016 at 4:30:45 PM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Aug 15, 2016 at 8:34 AM, Martin Dulovič
> <martin@gmail.com > wrote:
> > Hi,
> >
> > I need to modify csyslogd in a way that it will send a
Hi,
I need to modify csyslogd in a way that it will send alerts with "decoder
name" or group "rule group name".
Original alert:
Alert Level: 3; Rule: 5715 - SSHD authentication success.; Location: (jul)
192.168.2.0->/var/log/messages; srcip: 192.168.2.190; user: root; Jul 25
13:26:24 slacker
Thanks for a quick response and help!
Hi,
so I am working on a decoder for Sophos UTM. I have written part of the decoder,
it passes ossec-regex but fails ossec-logtest.
Here is the log that I am trying to parse:
May 13 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896]: id="0001" severity="info" sys="SecureWeb" sub="http"
yes
2015-05-08 20:39 GMT+02:00 dan (ddp) ddp...@gmail.com:
On Fri, May 8, 2015 at 2:36 PM, pmartin2b pmarti...@gmail.com wrote:
Hi,
I used this configuration in ossec.conf to receive email from ossec
alerts
<log_alert_level>1</log_alert_level>
On Friday, 20 February 2015 04:59:28 UTC-7, dan (ddpbsd) wrote:
On Thu, Feb 19, 2015 at 10:25 PM, Martin G mgl...@stratusphone.com
wrote:
Hi,
I'm new to Ossec and I have it configured and setup using the 2.8.1
virtual
appliance. Everything is working great except
on?
What am I missing in order to get this working?
Thanks for the help
Martin
Ok, I understand it now. I thought size/permission changes would be a
different rule, not 550.
Thanks!
On Thu, Jan 15, 2015 at 4:27 PM, dan (ddp) ddp...@gmail.com wrote:
On Thu, Jan 15, 2015 at 9:45 AM, Martin Kvocka mkvo...@gmail.com wrote:
Yes, here are two:
** Alert 1421201008.92848
is : '99eb652ad7dd9e2c782c5599d1eaa5e3dc2078fb'
On Thursday, January 15, 2015 at 2:19:26 PM UTC+1, dan (ddpbsd) wrote:
On Thu, Jan 15, 2015 at 4:39 AM, Martin Kvocka mkv...@gmail.com
wrote:
I checked the alerts log and the hashes are not there. There are however
longer entries than these (f.e. registry keys
.
Thanks for your help dan.
On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka mkvo...@gmail.com wrote:
Hi,
I managed to get the samples. In manager syscheck queue I found the
following:
#++0:33206:0:0
seems to be a log file and may change
often - may this be the cause?
Thanks,
MK
On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka mkv...@gmail.com
wrote:
Hi,
we have Ossec server/agents (2.7.0
Hi,
we have Ossec server/agents (2.7.0) for monitoring file integrity. Both
include check_all=yes in their syscheck configurations. The agents work
perfectly and report file changes including their old/current MD5 and SHA1
hashes. However, logs from the Ossec server machine report only file
Hi,
I'll try to simulate this tomorrow in virtual machines, as I don't have the
necessary access to the environment (I only receive the logs from syslog).
I'll post the results.
MK
On Tuesday, January 13, 2015 at 3:40:26 PM UTC+1, Martin Kvocka wrote:
Hi,
we have Ossec server/agents
I am also interested in this topic. If I am understanding it correctly,
each time OSSEC scans a client, it essentially creates a list of metadata
for each matching file (including filesize, modification time, md5sum,
sha1sum, filename, etc). From what I can see, this data is stored in
Okay, thanks for the clarification. Is there a point at which old entries
are then purged from the file (or do they remain in there forever)?
On 28 October 2014 08:47, dan (ddp) ddp...@gmail.com wrote:
On Tue, Oct 28, 2014 at 9:42 AM, Andrew Martin
andrew.s.mar...@gmail.com wrote:
I am also
Thanks all. I've attached a sanitized local_rules.xml file that exhibits
the problem. On my system, if I uncomment the last rule in the file and
restart OSSEC, it throws the errors.
Cheers!
On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
I recently installed OSSEC 2.8
Removing the <if_group></if_group> sections did the trick. Thanks!
On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
I recently installed OSSEC 2.8 and have been adding rules to
local_rules.xml with no problems until today.
When I add the following rule:
<rule id="100117"
it is configured on
the agent side but, as I mentioned, I am already doing that.
Am I missing something?
Thanks.
Martin
on the server and all agents.
Am I missing something?
thanks.
Martin
PS. Sorry if this is a duplicate posting, I tried posting through the
web interface and it didn't show up.
Not for me, but apparently it does for others.
On Tuesday, March 12, 2013 11:56:56 AM UTC-4, dan (ddpbsd) wrote:
On Mar 12, 2013 11:40 AM, Martin Gottlieb
mar...@axion-it.net
wrote:
Hello,
I have added the repeated_offenders configuration block to all of my
agents
; adding a firewall rule
to block the X-Forwarded-For IP wouldn't have any effect.
Thanks.
On 23 May 2011 19:52, Martin Gottlieb mar...@axion-it.net
mailto:mar...@axion-it.net wrote:
Are the active responses getting the ELB IP addresses from your
Apache access/error logs? We
had
, you might want to look into mod_rpaf, which
replaces the proxy IP addresses
with the actual client IPs. This solution relies on the proxy servers
(or load-balancers in your case)
adding a header ( X-Forwarded-For ) to the request that gets passed on
to Apache.
Hope this helps.
Martin
On 5
On 5/4/2011 10:26 PM, Michael Starks wrote:
On 05/04/2011 08:32 PM, Martin Gottlieb wrote:
When I ran the command: sed -n 16741p
logs/alerts/2011/May/ossec-alerts-04.log | bin/ossec-logtest
from within /var/ossec, the decoder did not extract the user and srcip
fields. I then ran:
sed -n 16741p
to everyone who offered suggestions, especially Andy who pointed
me to ossec-logtest.
Martin
On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:
Hi
I didn't have that much success with a Regex similar to the one you
wrote, I ended up having to specify everything in a very long-handed
way
-space characters.
Thanks.
Martin
On 4/25/2011 11:43 AM, Martin Gottlieb wrote:
Thanks, my ossec server is a router/firewall, my apologies for
omitting this detail. I was really
just trying to figure out how to get the server to trigger the
script(s) in the first place on the
windows events
original question remains, why is it not able to extract the SrcIP
address using the decoder that I created
and verified using ossec-logtest?
Thanks.
Martin
On 4/27/2011 3:27 PM, Andy Cockroft (andic) wrote:
Hi
This is triggering a level 5 alert -- will that actually do anything
on your system
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb
*Sent:* Thursday, 28 April 2011 7:36 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events
good point, I should not be expecting email alerts on the level 5
rule. But since it's
believe I have found that the issue boils down to
the decoders. I think I
have a fix i place now and will be posting a RESOLVED message once I
have verified this (just waiting
for someone to attack the server).
Thanks again to everyone who offered help on this.
Martin
On 4/25/2011 11:23 AM
: AUDIT_FAILURE\(\d+\): Security\.* Logon Failure: </prematch>
<regex offset="after_prematch">User Name: (\w+) \.* Source Network Address: (\d+.\d+.\d+.\d+)</regex>
<order>user,srcip</order>
</decoder>
Thanks.
Martin
On 4/22/2011 7:28 PM, AndiC wrote:
The problem I found was that the Windows decoder in the server /dev
<match>Logon Failure</match>
<group>authentication_failed,</group>
<description>User authentication failure.</description>
</rule>
I think this should do the trick. Thanks again for your help.
Martin
On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:
Hi
I didn't have that much success with a Regex similar
and another
for SQL Server log-in failures.
I added the null_cmd command mentioned in the docs, but I'd be happy if
it just triggered the firewall drop script.
Am I missing something in the configuration?
thanks.
Martin
on the server side as happens with
Linux agents?
Thanks.
Martin
On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:
Hey Martin,
All these default active response scripts are written for a specific event.
Read these scripts to understand these scripts.
For the event of your interest -- multiple logon
.
Martin
On 4/22/2011 4:24 PM, dan (ddp) wrote:
Hi Tanishk,
The active response scripts should exist on the systems (agents and
servers) they need to be run on.
On Fri, Apr 22, 2011 at 4:17 PM, Tanishk Lakhaani tanishk2...@gmail.com wrote:
Hey Martin,
See, the active response related scripts
Thanks! I'll give that a try. Sorry if I wasn't entirely clear about this.
Martin
On 4/22/2011 5:12 PM, dan (ddp) wrote:
Hi Martin,
On Fri, Apr 22, 2011 at 5:08 PM, Martin Gottlieb mar...@axion-it.net wrote:
Shouldn't this block from the config on the OSSEC server:
<active-response>
http://blogs.zdnet.com/security/?p=6123tag=nl.e589
:-(
Martin West
--
To unsubscribe, reply using remove me as the subject.
List,
Is it possible to set a time to run the rootcheck process, like syscheck?
something like...
<syscheck>
  <scan_time>1:00</scan_time>
</syscheck>
...but with rootcheck
Thanks
--
Martin Tartarelli
Linux User #476492
--
--
To unsubscribe, reply using remove me as the subject.
restart ossec
/var/ossec/bin/ossec-control restart
Main script /var/ossec/active-response/bin/diff-alert.sh
#!/bin/bash
# E-mails an alert - showing diff of selected files
#
# Author: Martin West, based on Daniel Cid's mail-test.sh
# Set to root and use /etc/aliases to redirect root as needed
Thanks, that's a good lead, I'll investigate and if I get anywhere I'll
post the results
Martin West
skype:amartinwest
On 7 Nov 2009, at 12:46, dan (ddp) wrote:
I basically set up an active response in the server's ossec.conf to fire
on the file integrity rules.
The script would figure out
Updated fine on
Ubuntu 2.6.24-24-generic #1 SMP Tue Aug 18 16:22:17 UTC 2009 x86_64
GNU/Linux
Martin West
skype:amartinwest
On 26 Aug 2009, at 19:38, Daniel Cid wrote:
Hi list,
OSSEC v2.2 will be released soon and we need help beta testing it. The
code is pretty stable already
ddp,
2009/7/28 ddp ddp...@gmail.com:
What operating systems/architectures? Did you restart the ossec server
processes after adding the agents?
Linux and Windows OS
Yes, I restarted the server processes
On Fri, Jul 24, 2009 at 10:41 AM, Martin
Tartarelli martin.tartare...@gmail.com wrote
formate
message from'172. Xxx.
2009/07/24 11:51:53 ossec-remote (1407): ERROR: Duplicated counter for 'SRV1.
I tested removing the counters in /var/ossec/queue/rids/ on both sides
but still the same.
Suggestions will be appreciated.
Thank you
--
Martin Tartarelli
Linux User #476492
--
for Windows XP or
Windows 2003. I can see a Windows agent but I haven't seen a server.
Is there a way to install the OSSEC server on a Windows system?
Thanks Regards,
Manoj Bavikati.
--
Martin Tomasek
List,
The MD5 hashes generated by OSSEC are not the same as those from any other
application that generates MD5 hashes on Windows (for example the Windows
API).
Does anyone know why?
Thanks
--
Martin
Luciano Mannucci wrote:
On Tue, 16 Jun 2009 16:20:47 +0200
Martin Tomasek toma...@ufe.cz wrote:
You can disable a particular rule. Look for the reported rule number and place it
in the rule_id attribute here:
<rule id="REPORTED RULE ID HERE" level="0" overwrite="yes">
  <description>Your description
  description here</description>
</rule>
and add the rule you created to your local rules.
Cheers to everybody,
luciano.
--
Martin Tomasek
the results of ps -flp on the process
to see what was running.
Thanks
Martin West
skype:amartinwest
On 4 Jun 2009, at 14:55, c...@libero.it wrote:
Hi,
I have recently received the alert Process 'X' hidden from /proc.
Possible kernel level rootkit.
I have run rootkitcheck again, rootkit hunter
matthias,
2009/4/15 matthias platzer e...@platzer-statik.at:
On Apr 15, 6:57 pm, Martin Tartarelli martin.tartare...@gmail.com
wrote:
Fatal error: Maximum execution time of 90 seconds exceeded in
/var/www/htdocs/ossec-wui-0.3/lib/os_lib_alerts.php on line 123
Can I modify the time
When I execute a custom search in OSSEC WUI, the application gives me an error:
Fatal error: Maximum execution time of 90 seconds exceeded in
/var/www/htdocs/ossec-wui-0.3/lib/os_lib_alerts.php on line 123
Can I modify the time exceeded?
--
Martin Tartarelli
Linux User #476492
http
Any ideas?
-- Forwarded message --
From: Martin Tartarelli martin.tartare...@gmail.com
Date: 2009/3/31
Subject: Alert search options in scheduled job
To: ossec-list@googlegroups.com
List,
Can I put searches of the ossec-wui in a scheduled job?
...Or can I perform detailed
List,
Can I put searches of the ossec-wui in a scheduled job?
...Or can I perform detailed searches of ossec-wui from the command line?
Thanks
--
Martin Tartarelli
Linux User #476492
--
Matthias,
2009/3/23 matthias platzer e...@platzer-statik.at:
On Mar 20, 3:27 pm, Martin Tartarelli martin.tartare...@gmail.com
wrote:
Now I have another question: How can I export reports with ossec?
Because using # ossec-reportd .xx... reportfile.txt is not
working; the file
matthias/Daniel,
2009/3/16 matthias platzer e...@platzer-statik.at:
On Mar 16, 7:06 pm, Martin Tartarelli martin.tartare...@gmail.com
wrote:
What version of ossec are you using? It comes by default on v2.0.
I have v1.6.1. In that version, can I use these features?
No, it is a new
Hi list,
How do I install ossec-reportd? Because I don't have this file [1] on my server.
[1] http://www.ossec.net/main/manual/manual-reporting-tool/
Thanks
Cheers,
--
Martin Tartarelli
Linux User #476492
--
Nice!
Thanks
2009/2/24 Reggie Griffin regoma...@gmail.com:
Aurora,
That is exactly what I was thinking. Good to know it's possible.
-Reggie
Aurora Mazzone wrote:
Hi Martin, Reggie,
Reggie Griffin ha scritto:
It's not possible from what I know. The hostname is picked up when
Reggie,
2009/2/20 Reggie Griffin regoma...@gmail.com:
Martin,
I use the <hostname></hostname> parameter to accomplish this within my
local_rules.xml file.
Default location is /var/ossec/rules/local_rules.xml.
Here is an example:
<rule id="100019" level="0">
  <if_sid>30112</if_sid>
Reggie,
2009/2/23 Reggie Griffin regoma...@gmail.com:
Martin,
I see. In that case, it would be nice to insert a variable in the
<hostname></hostname> tag. Then
you could define groups of systems into one nice entry.
=) Interesting... How can I do that?
-Reggie
Martin Tartarelli wrote
Any idea?
-- Forwarded message --
From: Martin Tartarelli martin.tartare...@gmail.com
Date: 2009/2/13
Subject: OSSEC with one or more Instance
To: ossec-list@googlegroups.com
List, I need your help...
OSSEC has the ability to discriminate critical alerts using the Alert
one discriminate xml (with rules) for different servers? Can I do
that? (maybe with more instances on the ossec server)
Thanks
--
Martin Tartarelli
Linux User #476492
--
, srcip or hostname, etc.
Josh
On Fri, Feb 6, 2009 at 2:36 PM, Martin Tartarelli
martin.tartare...@gmail.com wrote:
List, I have a little question.
I would like to ignore this type of event (one or more matches) when the Server
is SRV1 (or other) and the Domain is DOMAIN1. Is that possible?
Received
: NTLM
Workstation Name: W2K1
It's like this...
<group name="local">
  <rule id="100101" level="0">
    <if_sid>18152</if_sid>
    <match>SRV1</match>
    <match>DOMAIN1</match>
    <description>Events ignored</description>
  </rule>
</group>
Thanks
--
Martin Tartarelli
Linux User #476492
--
Martin
On Jan 8, 10:30 am, McClinton, Rick rmcclin...@tmaresources.com
wrote:
Sorry Martin, I'm not sure what you're running into there.
I have this working in my production system: (1.6.1)
<global>
  <email_notification>yes</email_notification>
  <email_to>m...@email</email_to>
in
the global section.
Cheers
/Martin
file on the ram disk halved the cpu load.
Cheers
On Dec 23 2008, 6:15 am, Daniel Cid daniel@gmail.com wrote:
Hi Martin,
Which version of ossec are you using? We added support for pipes in
v1.6...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sun, Dec 21, 2008 at 10:57 PM, Martin
?
Cheers
/Martin
List, I have a little question...
Can I read directory permissions with rootcheck policies?
Thanks
--
Martin Tartarelli
Linux User #476492
--
no result.
Can someone please assist me or forward me additional documentation?
Thanks,
Rachel Martin
Computer Support Analyst, IT
World Book, Inc.
233 North Michigan Ave., Suite 2000
Chicago, Illinois 60601
Phone: (312) 819-8996
Email: rmar...@worldbook.com
This message (including any
Is it possible to combine them, such as
<location>/var/log/*/logfile-%U.log</location>
Cheers
Martin
List,
I need to implement OSSEC in approximately 300 servers. What should I consider?
text? MySQL? another? Disk Space?
Experiences?
Thanks
--
Martin Tartarelli
Linux User #476492
--
Nice! I needed that...
Thanks
2008/11/19 Daniel Cid [EMAIL PROTECTED]:
Hi Martin,
It seems that you want some kind of reporting, instead of rule. Have
you tried the ossec_report tool in
the contrib directory? For example, if you want to get a list of all
the user names that failed login
Can I do a statistical rule with OSSEC?
For example,
I would like to identify and summarize failed logins:
- user1 10 login fails
- User2 7 login fails
- User3 4 login fails
Thanks
--
Martin Tartarelli
Linux User #476492
--
Can OSSEC review logs from old files?
Example:
I have files in /var/log/history/file.log and I want to correlate
events (only once).
Is it possible?
Thanks
--
Martin Tartarelli
Linux User #476492
http://owasp.org/index.php/Argentina
http://tartamar.blogspot.com
--
desktop 8.04 updated
ossec is 1.5 but I see there is a 1.6 - will install shortly
Thanks Martin
Sorry, need new glasses, I'm running 1.6
On Tue, 2008-09-09 at 19:06 +0100, Martin West wrote:
This is shared memory, I assume, and not something to be alarmed at.
Received From: lenovo3-rootcheck
Rule: 510 fired (level 7) - Host-based anomaly detection event
(rootcheck).
Portion of the log(s
of these URLs? Were they bad indeed?
--
regards
Martin West
07879 680096
Martin West
07879 680096
I try to do. Thanks
Martin
2008/4/9, Paco Avila [EMAIL PROTECTED]:
On Tue, 08-04-2008 at 17:35 -0400, Derek J. Morris wrote:
me too
Hi list, I have a very strange problem with ossec. I receive a large quantity of
mails informing that the agent disconnected. Reviewing the equipment and network
performance, I did not encounter problems.
Does anyone know what could be happening?
Cheers,
Martin
Received From: thecla2-rootcheck
Rule: 510 fired (level 7) - Host-based anomaly detection event
(rootcheck).
Portion of the log(s):
Trojaned version of file '/sbin/hdparm' detected. Signature used:
'bash|/dev/ida|/dev/' (Generic).
--END OF NOTIFICATION
--
regards
Martin West
07879 680096
: /websites/default/
gping=&POS=28&CM=WPU&CE=6&CS=AWP&SR=6&sample=0
regards Martin West