[ossec-list] User creation error again

2019-11-25 Thread Rob K
Running Ubuntu 19 I used the package repo to update with apt. chown: invalid user: ‘ossec:ossec’ dpkg: error processing package ossec-hids-server (--configure): installed ossec-hids-server package post-installation script subprocess returned error exit status 1 This happened on two of my

[ossec-list] Re: Problem with active response

2019-04-02 Thread Rob P
? I am totally out of ideas. thanks Rob On Wednesday, 6 March 2019 19:08:59 UTC+1, Rob P wrote: > Hi > > We recently moved all components to v3 or above. Subsequent to this we > have had an issue with active response that we have not been able to > resolve - we use ossec as

[ossec-list] Problem with active response

2019-03-06 Thread Rob P
agent: /var/ossec/etc/internal_options.conf - logcollector.remote_commands=1 Still when we change location to all, active response stops working completely. Any suggestions or help gratefully received. thanks Rob -- --- You received this message because you are subscribed

[ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'. On Solaris 10

2018-08-30 Thread Rob Shinn
On Wednesday, February 26, 2014 at 1:04:14 PM UTC-5, OsO Roñoso wrote: > > root@lenga # ls -las > total 4 >2 drwxrwx--- 2 root root 512 Feb 26 14:31 . >2 dr-xr-x--- 7 root root 512 Feb 25 18:26 .. >0 -rw-r--r-- 1 root root 0 Feb 25 18:34

Re: [ossec-list] Child rule w/ regex not working - can't figure out why

2018-03-06 Thread Rob Williams
Indeed it does!! Thanks for the help, really appreciate it! On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote: > > On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams <tsinfo...@gmail.com > > wrote: > > I am trying to create a child rule to 1002 (which I have

[ossec-list] Child rule w/ regex not working - can't figure out why

2018-03-06 Thread Rob Williams
I am trying to create a child rule to 1002 (which I have silenced) to alert in certain cases. I can get the rule to work if I remove the regex portion; however, I don't want that as a permanent solution. My rule is below, and a sample log entry is below as well. Am I doing something wrong when

[ossec-list] Re: Active responses stopped working

2018-02-07 Thread Rob Kniaz
Ole would you mind sharing your notify-pushbullet script? On Thursday, September 8, 2016 at 3:59:26 PM UTC+1, Ole Jakob Skjelten wrote: > > Hi, > > Having fiddled perhaps a bit too much with the setup of OSSEC, my active > responses on my server stopped working last night, and I'm unable to >

[ossec-list] Re: What is the best way to make ossec ignore alerts caused by new packages (unatended upgrades)?

2018-01-19 Thread Rob Williams
Hi Jesus, Can you elaborate a bit more on what you mean here? I'm also trying to disable syscheck alerts when unattended upgrades run, but I'm not quite sure the best way of doing so. Thanks! On Saturday, October 1, 2016 at 2:01:58 AM UTC-7, Jesus Linares wrote: > > Hi James, > > review the

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Rob Williams
Still no luck. Just to verify, the scripts should be located in /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't really telling me anything either. On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Rob Williams
s for rootcheck. What you want to extract in the > id field is the file, right?. You can do a *match* in the rule for the > file. > > Regards. > > On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote: >> >> Hi Jesus, >> >> Thanks for the rep

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-13 Thread Rob Williams
from the decoder to do so. Any ideas? Thanks! On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote: > > Hi all, > > I'm running into an issue where rule 510 is triggering and I'm getting > spammed with alerts but I can't seem to tune it correctly. What's weird is >

[ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-12 Thread Rob Williams
Essentially, I want to trigger an active response for a rule that I created that has a severity level of 0. I created this rule because I did not want to be alerted on the default rule and only wanted to be alerted based on the output from my active response. My question is if I have the

Re: [ossec-list] Pass active response script to agent

2017-04-09 Thread Rob Williams
Ah ok got it, thanks!! On Friday, April 7, 2017 at 5:00:11 PM UTC-7, dan (ddpbsd) wrote: > > On Fri, Apr 7, 2017 at 7:30 PM, Rob Williams <tsinfo...@gmail.com > > wrote: > > Hello, > > > > I assume this should be pretty simple but I've been troubleshootin

[ossec-list] Re: Pass active response script to agent

2017-04-07 Thread Rob Williams
Also, I've gone ahead and restarted, stopped then started, and more several times. On Friday, April 7, 2017 at 4:30:53 PM UTC-7, Rob Williams wrote: > > Hello, > > I assume this should be pretty simple but I've been troubleshooting an > Active Response I setup with a custom s

[ossec-list] Pass active response script to agent

2017-04-07 Thread Rob Williams
-response/bin/ that I created is not on the agent. How would I go about passing this? This is the first time I've created a custom script and I can't seem to find any documentation on this in particular. Thanks, Rob

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Rob Williams
Hi, I tried to do this, but I'm getting: ERROR: Parent decoder name invalid: 'rootcheck' ERROR: Error adding decoder plugin I don't see the rootcheck decoder within decoder.xml as well, any ideas? Thanks again for the help! On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <tsinfo...@gmail.com > > wrote: > > Yes I have, I've also tried to disable all the relevant changes I've > made, > > restart, and still have the same issue. > >

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Yes I have, I've also tried to disable all the relevant changes I've made, restart, and still have the same issue. On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com > > wrote: > >

[ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Hi all, I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am

[ossec-list] Alert for rule 510 is being generated, but logtest is not showing that any alert should be generated.

2017-04-05 Thread Rob Williams
Hi all, I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Rob B
Nice! Thanks Pedro! I've got it now.. Cheers. On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote: > > Hi Rob, > > *extra_data *is another allowed field used by OSSEC decoders to extract > information from the event, once it is extracted you can match the field >

[ossec-list] Re: Windows Defender Decoder ?

2016-05-17 Thread Rob B
? How is this used properly? Cheers! Rob On Monday, May 16, 2016 at 5:22:08 PM UTC-4, Brent Morris wrote: > > Rob - can you post your OSSEC version of the log? I can check my rules. > These are a culmination of gleaned rules that I updated some time back > with new event

[ossec-list] Re: A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread Rob B
Interesting.. thanks for that blog post. COM+ lol, classic! anyhow, here is a crude one but it works.. ;-) 18100 Regsvr32.exe Suspicious - "Regsvr32" Capable of application whitelisting bypass. On Tuesday, April 26, 2016 at 11:37:07 AM UTC-4, namobud...@gmail.com wrote: > >

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
) wrote: > > On Tue, Apr 26, 2016 at 10:15 AM, Rob B <rba...@netorian.com > > wrote: > > what _rules.xml file is 1002 located? I wish I had some kind of rules > > legend to reference. Thanks. ;-) > > > > [ddp@ix] :; grep '"1002"'

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
NM, found it! ;-) syslog duh. On Tuesday, April 26, 2016 at 10:15:03 AM UTC-4, Rob B wrote: > > what _rules.xml file is 1002 located? I wish I had some kind of rules > legend to reference. Thanks. ;-) > > > > On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, th

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
what _rules.xml file is 1002 located? I wish I had some kind of rules legend to reference. Thanks. ;-) On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, theresa mic-snare wrote: > > Also, I should explain why I first wrote 1002 > I often check for this rule (2 - Unknown problem

[ossec-list] Windows Defender Decoder ?

2016-04-22 Thread Rob B
2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0 AM: 1.1.12603.0, NIS: 2.1.11804.0 Thanks!, Rob

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
dan, quick question for : What is the best way to take care of whitespace and a quote in string example?, such as: ^route-null.cmd" delete Thanks!, Rob On Friday, April 22, 2016 at 12:44:25 PM UTC-4, dan (ddpbsd) wrote: > > On Fri, Apr 22, 2016 at 12:42 PM, Rob B <rba..

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
Very interesting and thanks a lot dan I guess I need to fix my logtest too, it probably would have helped me figure it out. Thanks again!! ;-) Rob On Friday, April 22, 2016 at 12:21:48 PM UTC-4, dan (ddpbsd) wrote: > > On Fri, Apr 22, 2016 at 11:50 AM, Rob B <rba...@net

Re: [ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
Thanks, Rob On Friday, April 22, 2016 at 11:35:10 AM UTC-4, dan (ddpbsd) wrote: > > Can you provide a log sample? > > On Fri, Apr 22, 2016 at 11:30 AM, Rob B <rba...@netorian.com > > wrote: > > Hi Folks, > > > >I have a rule for applocker created as

[ossec-list] Applocker Local Rule Help

2016-04-22 Thread Rob B
le 100046 above does nothing. As additional info, I also have the following rule: 18100 ^8003$|^8004$ Applocker - blocked program. (Could this possibly cause a conflict?) Question: Overall, Could someone shed some light here as to why rule 100046 does not fire? Thanks!!! Rob --

Re: [ossec-list] windows active response logic

2016-04-13 Thread Rob B
for to see the verbose information? ie: debug mode / debug log location?) Off to testing now.. =) Thanks! --Rob On Wednesday, April 13, 2016 at 7:27:53 AM UTC-4, dan (ddpbsd) wrote: > > On Tue, Apr 12, 2016 at 4:52 PM, Rob B <rba...@netorian.com > > wrote: > > Hello Folks, >

[ossec-list] windows active response logic

2016-04-12 Thread Rob B
and where to turn it ON in the agent side .conf file. How can I turn ON all the agents active response from the server? (Currently I only know how to manually update the file at each client.) Any pointers from the Gurus would be greatly appreciated. =) Thanks much Guys!! Rob

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Rob B
frequency and time frame, which would help me, though I am at a loss for the remainder of my needs. Seems an external script may be needed along with a sort of temporary repository. ( I may be over thinking this and mucking it up ) What could you suggest? V/R, Rob B. On Tuesday, March 29

[ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Rob B
^ Start of string, or start of line in multi-line pattern \A Start of string $ End of string, or end of line in multi-line pattern On Monday, March 28, 2016 at 4:20:47 PM UTC-4, Rob B wrote: > > found pipe = logical OR > > > > On Monday, March 28, 2016 at 3:11:30 PM

[ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Rob B
found pipe = logical OR On Monday, March 28, 2016 at 3:11:30 PM UTC-4, Rob B wrote: > > PS. Almost forgot to add : > > What does this mean? ^1000$|^1002$ > > The "^" and the '$' before the pipe really has me perplexed. > > Thx. > > >

[ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Rob B
PS. Almost forgot to add : What does this mean? ^1000$|^1002$ The "^" and the '$' before the pipe really has me perplexed. Thx. On Monday, March 28, 2016 at 3:07:30 PM UTC-4, Rob B wrote: > > Heya Folks, > > I've been looking for the docs that explain

[ossec-list] id "|" or "," ??

2016-03-28 Thread Rob B
Heya Folks, I've been looking for the docs that explain the difference between the use of the "|" and the "," when specifying the id numbers within a rule. I can't find anything that explains the use. Could someone explain to me the differences by way of use? or provide a link that I may

[ossec-list] Wazuh fork and Sysmon

2016-03-08 Thread Rob B
Hey Guys, I have been running the latest OSSEC 2.83 with a Wazuh fork upgrade. I have performed the Wazuh auto update with the .py script. All works well, thanks guys. I have simply noticed recently that I can not make use of my favorite Sysmon based correlations because I am not able to

Re: [ossec-list] Re: Server in subject different than notifications

2011-05-26 Thread Rob Brooks
In my case, No, I have just one ossec server and no forwarders. I guess from what I was reading, I should go back and increase the max emails that can be sent because I'm in a high volume environment. On Wed, May 25, 2011 at 11:44 AM, dan (ddp) ddp...@gmail.com wrote: Do you happen to have

Re: [ossec-list] Server in subject different than notifications

2011-05-24 Thread Rob Brooks
even on around 30 servers. --Rob On Tue, May 24, 2011 at 1:46 PM, Pat pat...@yahoo.com wrote: Hi I was wondering if anyone has come across this before. I've looked in previous posts, and I've seen some information about email grouping in internal_options.conf, but I'm not sure if it can

Re: RE: [ossec-list] All UNIX/LINUX agents disconnecting and failing to reconnect

2011-04-23 Thread Rob Brooks
troubleshooting. --Rob On Fri, Apr 22, 2011 at 3:32 AM, Doug Burks doug.bu...@gmail.com wrote: One of my OSSEC servers has about 40 agents and sees about 3 million events/day. Now that the issue seems to have been resolved, it's CPU utilization is quite low just like yours and is what I'm

Re: RE: [ossec-list] All UNIX/LINUX agents disconnecting and failing to reconnect

2011-04-11 Thread Rob Brooks
(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.54'. 2011/04/11 08:56:51 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.54:1514). Kind Regards, Rob On Mon, Apr 11, 2011 at 12:22 PM, dan (ddp) ddp...@gmail.com wrote: It doesn't look like a very busy system. I'm

RE: [ossec-list] All UNIX/LINUX agents disconnecting and failing to reconnect

2011-04-11 Thread Brooks, Rob
on the server to 0 and didn't see a difference. A few minutes ago it dawned on me to check on the agent version of internal_options.conf. I then changed it to 0 as well. Bounced both server and client...no differences. No ideas on this one, tcpdumps aren't very revealing so far. Thx, Rob -Original

[ossec-list] ossec agents

2011-02-10 Thread Rob
I have an ossec installed as master/agent setup. There are about 30 agents running with one master. I recently changed the ossec.conf to monitor changes in directories to real time directories realtime=yes check_all=yes/etc,/usr/bin,/usr/sbin/ directories directories realtime=yes

[ossec-list] Rule 31106

2010-03-19 Thread rob
Hi Guys I need more info around the rule 31106 and what it does. There is nothing on the wiki on ossec.net. I receive the following alert: Rule: 31106 fired (level 12) - A web attack returned code 200 (success). Portion of the log(s): 18/Mar/2010:12:39:43 +0200] GET /URL?mu=74bffe75-

[ossec-list] Re: Scheduled scans with OSSEC

2010-03-03 Thread rob
for example. I am still testing it. On Mar 2, 5:39 pm, dan (ddp) ddp...@gmail.com wrote: On Tue, Mar 2, 2010 at 3:04 AM, rob rjlourenco2...@hotmail.com wrote: Hi I would like to be able to schedule scans with OSSEC rather than use the frequency.  I would like the scans only to run once a week

[ossec-list] Does OSSEC scan after install and how to disable the frequency

2010-03-03 Thread rob
Hi guys I want to know if OSSEC scans initially after installation. I installed it as a local copy and edited the ossec.conf to not scan on start. I also removed the whole frequency line. I only want it to scan with my cron job once a week but it seems to be scanning anyway. Any comments.

RE: [ossec-list] OSSEC 2.3: All agents disconnected

2009-12-18 Thread Rob Butterworth
I'm seeing this problem also. I'm just upgrading some of the offending agents to 2.3 to see if the old agent version against the new server version is causing it... -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of --[ UxBoD ]--

[ossec-list] Warning of successful login after failed logins

2009-11-30 Thread Rob Kooper
. Is there a way to set up a rule that says if failed logins and the successful login then send email? Rob

[ossec-list] Re: Database configuration errors

2009-06-25 Thread Rob Butterworth
on a different host, you have to make sure the mysql server is configured to allow remote connections, which some recent distributions are not. You can use the same test above, with -h hostname/ipaddr in this case. Hope this helps Rob --Original Message-- From: Kelly Egode To: ossec

[ossec-list] Re: Specify LISTEN IP and/or interface on the server?

2009-03-18 Thread Rob Butterworth
When I used an address range (e.g. 192.168.1.0/24) I ended up with only one agent listed in the WUI - it didn't seem to like that I had multiple agents on the same network using the same address. Rob -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-l

[ossec-list] Re: Watchguard Firebox logs

2009-03-11 Thread rob . butterworth
info: id 0x341e7636 ) pck t_len=48 ttl=128 On Mar 10, 8:35 pm, Daniel Cid daniel@gmail.com wrote: Hi Rob, I don't think anyone did this yet. Can you share some of your logs with us? We can certainly help writing some rules/decoders if we get some samples... Thanks, -- Daniel B. Cid dcid

[ossec-list] Watchguard Firebox logs

2009-03-02 Thread rob . butterworth
already do the hard work ? If not, any pointers to instructions on writing new decoders and rules would be most welcome. If I get anything worth sharing, I'll offer it back to the project or at least post my findings here. Rob

[ossec-list] RE: Using OSSEC HIDS on SUSE

2009-02-04 Thread Rob Molsbee
We have Ossec running (flawlessly) on all of our SLES 9 and 10 servers along with Ossec agents on everything else. Ossec was the only useful tool we had in finding and eliminating a root-kit we were blessed with (thanks to an AXIS 207 camera) back in September 2008. The difference between

[ossec-list] Re: Help on SMF-SAV decoder.

2008-05-15 Thread Rob Skoog
triggering the alert) helpful. I assume by fixing it you want to make the alerts go away. If that is the case the following link should be helpful. http://www.ossec.net/wiki/index.php/Know_How:Email_Alerts_below_7 Rob

[ossec-list] Re: Alert but no active response

2008-05-06 Thread Rob Skoog
a link to the book: http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/159749240X Rob

[ossec-list] Additional windows rules or checks

2008-04-16 Thread Rob Skoog
to all be covered by the defaults. Also by default does OSSEC check itself? (C:\Program Files\ossec-agent) I didn't see the directory listed in the ossec.conf file but was given an alert on it anyways after changing the file. Thanks, Rob Skoog

[ossec-list] Agent email alerts

2008-04-16 Thread Rob Skoog
Logon Type: 3 Logon Process: KerberosAuthentication Package: KerberosWorkstation Name: Logon GUID: scrubbed --END OF NOTIFICATION I'm guessing this is an error? Thanks, Rob

[ossec-list] Mass adding Clients to the ossec server

2008-04-16 Thread Rob Skoog
, is it possible to do that all at once right now? The file: /var/ossec/etc/client-keys looks like just an id, host, ip, key (AES-256 maybe?, looks to be 64 characters of hex). Is this file editable outside of ossec? Thanks, Rob

[ossec-list] Question Regarding File checksum checking

2008-04-03 Thread Rob Skoog
to help you browse all the documentation on your system in one central tool. bash-3.1$ Thanks, Rob Skoog

[ossec-list] ossec support with Fedora 8

2008-03-25 Thread ROB GID
Did anyone install OSSEC1.4 server with web UI 0.3 on Fedora 8 yet? My install is working fine on Fedora 6. I just installed web interface 0.3 today and it works fine too. Thank you Daniel for providing this wonderful product.

[ossec-list] problem with search in ossec wui 0.3

2008-03-25 Thread ROB GID
I just installed web interface 0.3. Looks like everything is working ok. The problem I have is when I try to search for log events for the last 2 days and click Search button it displays alerts found number but not the actual error messages. I get the error Nothing returned(or search expired). I

[ossec-list] Re: OSSEC v1.3 released

2007-08-08 Thread Rob Molsbee
As long as you have Xcode (gcc does the dirty work) you should be fine compiling 1.3 on OSX. We are running 1.3 on Panther with no problems. Xcode 2.4.1 (if I am not mistaken) only runs on Tiger and should already be installed on your two 10.4 machines. robm

[ossec-list] Wierd Windows Agent Error

2007-06-26 Thread Rob
I've done a search and didn't find any answers as to why I'm seeing this over and over on the windows agents. Any ideas? It goes away when I reboot the ossec server and then recycle the agents themselves. Seems like no alerts go through either. Mix and match of Windows 2000 and 2003 agents.

[ossec-list] Moving Ossec

2007-06-04 Thread Rob
Hey all, congrats with the new release. I have a few quick questions. The VM that is running my ossec server install is having issues and probably will need a rebuild. So, can I merely backup the directories that have ossec and then copy them back after the rebuild is done? Or will I need

[ossec-list] Re: Error: unable to send message to server

2007-05-02 Thread Rob
Wow, great work Daniel. Truly awesome work. I do have a question, I've already installed 1.1 and look to upgrade. I couldn't find an upgrade doc anywhere. Do I just run the installer again for the server and agents? On 5/1/07, Daniel Cid [EMAIL PROTECTED] wrote: Hi, Can you try

[ossec-list] Re: Windows syscheck frequency

2007-05-01 Thread Rob
I am having that problem as well. I get events but not on files that I've purposely added to a checked directory. On 5/1/07, Hans Lakhan [EMAIL PROTECTED] wrote: First of all, thank you for such an awesome product. It takes a lot of work to produce what your team has. Your work is greatly

[ossec-list] Re: Ossec Windows Agent and NIC Teaming

2007-04-26 Thread Rob
Thanks for your reply Daniel. We configured a static route from that server and we were able to connect. On 4/25/07, Daniel Cid [EMAIL PROTECTED] wrote: Hi Rob, I don't much about NIC teaming, so that may (or may not) be causing a problem. Can you show us your agent logs? You can also try

[ossec-list] Ossec Windows Agent and NIC Teaming

2007-04-23 Thread Rob
Hey all, Finally got done installing the windows agent on over 30 windows servers. I'm having an issue and wanted to see if anyone else was having the problem. It's an Itanium2 server with NIC teaming enabled and it's having issues connecting to the ossec server. The other servers connect just

[ossec-list] Re: windows agent - syslog

2007-03-26 Thread Rob
Hey Marco, Can you post your agent and server configs? You may want to turn on debugging on the agent to see what it's doing. I can compare them to mine. Thanks, Robert On 3/26/07, Marco Supino [EMAIL PROTECTED] wrote: Hi, I am trying to make the windows agent (1.1) read a syslog type

[ossec-list] Re: Windows Agent Issues

2007-03-14 Thread Rob
? -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Wednesday, February 28, 2007 8:43 PM To: ossec-list@googlegroups.com Cc: Rob Subject: [ossec-list] Re: Windows Agent Issues Hi Rob, OSSEC will only alert you when a file changes, so

[ossec-list] Re: Windows Agent Issues

2007-02-28 Thread Rob
PROTECTED] wrote: Rob, can you give us some details about the Windows client?, I can try to reproduce the error in a vmware environment. Cheers! On 2/27/07, Michael Starks [EMAIL PROTECTED] wrote: Rob wrote: Hello all, Currently I'm running 1.0 of the Windows Client and the server on Fedora 5

[ossec-list] Windows Agent Issues

2007-02-27 Thread Rob
Hello all, Currently I'm running 1.0 of the Windows Client and the server on Fedora 5. I can restart the agent and I get email when it connects. The issue I have is the client will only do a file/folder syscheck when I restart the agent. I'm getting registry notifications, but nothing about the

[ossec-list] Re: Windows Agent Stops Unexpectedly

2006-12-05 Thread Rob
Wow, that fixed it! Thanks for your help! I knew it had to be something easy. Much appreciated. Quick question - What's the minimum frequency time? I was putting 60 seconds. Robert On 12/4/06, Daniel Cid [EMAIL PROTECTED] wrote: Hi Rob, After examing and testing your config, I found