[ossec-list] Error in destination mail with agent created with IP address = any

2010-12-14 Thread tux3132
Hello, I have created on the server multiple entries for agents with the IP address fixed to any because the agents are behind a firewall and they are seen by the server with its public IP. All is working fine except when the agent fires too many rules. Server side the rule is affected to the wrong

[ossec-list] Re: false positive ?

2010-10-21 Thread tux3132
of the netstat command to make sure it hasn't changed. On Tue, Oct 19, 2010 at 10:36 AM, tux3132 tux3...@gmail.com wrote: Hi, I have this level 7 alert fired by rule #510: Port '40848'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat. No other alerts of this level since one

[ossec-list] false positive ?

2010-10-19 Thread tux3132
Hi, I have this level 7 alert fired by rule #510: Port '40848'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat. No other alerts of this level since one month ... Is this a false positive? (I hope ...) Best regards.

[ossec-list] Re: Problem to run active response and rules_groups

2010-10-18 Thread tux3132
, tux3132 tux3...@gmail.com wrote: Hi, I have the following configuration for active response configured as following: <command> <name>firewall_drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> <active-response>

[ossec-list] Problem to run active response and rules_groups

2010-10-17 Thread tux3132
Hi, I have the following configuration for active response configured as following: <command> <name>firewall_drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> <active-response> <command>firewall_drop</command>

[ossec-list] Re: Duplicate active response

2010-10-15 Thread tux3132
No one has ever encountered this problem? On 10 oct, 15:48, tux3132 tux3...@gmail.com wrote: I have installed OSSEC 2.5 on Debian Lenny and all is working fine. I have created a command: <command> <name>firewall_drop</name> <executable>firewall-drop.sh</executable> <expect>srcip

[ossec-list] Re: Multiples agents behind a firewall. Only the first one connected to server

2010-10-15 Thread tux3132
to be unique (or a CIDR range, and /32 is too small of a range). On Fri, Oct 15, 2010 at 4:35 AM, tux3132 tux3...@gmail.com wrote: I have installed one agent on a (linux) host on a private network behind a firewall connected to the net with a static public IP address. This agent contact

[ossec-list] Re: Duplicate active response

2010-10-15 Thread tux3132
<agent_id>#agent</agent_id> Thank you for your help. Best regards. On 15 oct, 15:56, dan (ddp) ddp...@gmail.com wrote: On Sun, Oct 10, 2010 at 9:48 AM, tux3132 tux3...@gmail.com wrote: I have installed OSSEC 2.5 on Debian Lenny and all is working fine. I have created a command

[ossec-list] Duplicate active response

2010-10-10 Thread tux3132
I have installed OSSEC 2.5 on Debian Lenny and all is working fine. I have created a command: <command> <name>firewall_drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> and two active-response, one for each agent