Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-04 Thread Manuel Camona Perez
Hi again and sorry for the late response. In the last comment I posted, I showed you an example where I used a manager and agent with Wazuh version 4.1.5. In order to replicate your issue, I need to know the Wazuh versions you are using in the implicated manager and agents. I have also seen

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-04 Thread 'Aksha Gandhi | Information Security' via ossec-list
Hi, Thank you for your detailed explanation. I would like to discuss my scenario in detail so we could have a good understanding of our issue. *Case1*: I will be creating a new file (march4.txt) generating rule ID 554 and also editing an existing file (march.txt) generating rule ID 551. This is the

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread Manuel Camona Perez
Hi again, Which Wazuh version are you using? I suppose that you are using *4.1* or a previous version, as from *4.2* active response custom scripts work differently. I have been testing your active response configuration and the scripts are being executed properly, as you said. As you can see in

Re: [ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread 'Aksha Gandhi | Information Security' via ossec-list
Hi, We are using AlienVault Version: OSSIM 5.7.4. For scripts we are referring to: https://github.com/jonschipp/nsm-tools/ The script is getting executed but we are not receiving the FILENAME parameter when RULE ID 554 is getting triggered. Thanks in advance. On Thu, Mar 3, 2022 at 5:45 PM Manuel

[ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-03 Thread Manuel Camona Perez
Hi Aksha, and sorry for the late response. I will try to help you solve this issue. I need some information to test your use case and see what is happening. First of all, could you tell me which Wazuh version you are using? Also, it would be fine if you sent the active response script you are

[ossec-list] Re: Active response not working for rule_id 554 with "filename" as expect

2022-03-01 Thread 'AKSHA GANDHI' via ossec-list
Hi Ossec Team, Can anyone please review this and help. Thanks in advance. Aksha On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote: > Hi, > 1. Active response is getting triggered for both Rule ID 550,554 if > parameter is kept blank. 2. If parameter is given value >

Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2021-02-22 Thread Natassia S
I don't know about stopping it completely, but you can slow it substantially by using progressively larger penalty times for repeat offenders. Natassia On Fri, Sep 25, 2020 at 12:41 AM lê danh wrote: > Oh, I did it and it works great, it can block me before I get my password, > thank you so much

Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-25 Thread lê danh
Oh, I did it and it works great, it can block me before I get my password, thank you so much On Wed, 23 Sep 2020 at 18:21 Daniel Folch < daniel.fo...@wazuh.com> wrote: > Hello, > > First, let us start with the active response configuration of the manager > and agent, the

Re: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-24 Thread Daniel Folch
Original message From: Daniel Folch Date: 9/23/20 7:21 AM (GMT-05:00) To: ossec-list Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

RE: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-24 Thread John Gomez
(GMT-05:00) To: ossec-list Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING Hello, First, let us start with the active response

[ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-23 Thread Daniel Folch
Hello, First, let us start with the active response configuration of the manager and agent, the configuration you shared should be used on the manager side, and for the agent you just need to set it like this: no /var/ossec/etc/wpk_root.pem yes As a side note, the rule 5720

[ossec-list] Re: Active-Response will cause a zombie process

2019-08-02 Thread Pablo Navarro
Hi EXP, Is the process execd still running when the zombie process is detected? In high concurrency environments, the system might drop the return signal of some child processes. In that case, the child sent its signal but execd did not receive it, so the child process gets converted into a

Re: [ossec-list] Re: active-response is not working :(

2018-01-15 Thread dan (ddp)
On Wed, Jan 10, 2018 at 6:15 AM, HairLoss2018 wrote: > OK, I have resolved this issue by re-installing OSSEC and setting > active-response to live during setup. > > I notice that values entered during setup are added to ossec.mc and not > ossec.conf and in ossec.conf it says

[ossec-list] Re: Active Response on Agents - Filename

2017-12-27 Thread ur dad
I just added no to ossec.conf on the agent and it triggered the same active response (I guess I should remove rules_group? it was rule 550, file changed) and was able to see the filename (currently the script just echoes all the parameters it receives) On Wednesday, December 27, 2017 at

[ossec-list] Re: Active response responding to other agent's alerts

2017-11-12 Thread John Gelnaw
On Friday, November 10, 2017 at 3:00:36 PM UTC-5, Josmell Chavarri wrote: > > Hi, can you help me with a problem? > > I have a ossec-wazuh Server with 20 agents connected with active response > for agent id 001. > > > Ossec.conf --- the server > > > > firewall-drop >

Re: [ossec-list] Re: Active response with multiple rules_group

2016-11-01 Thread dan (ddp)
On Mon, Oct 31, 2016 at 2:02 PM, Brad wrote: > Nice find Pedro! That was the problem. I wish the documentation had said > that it was regex based. Lol. At least it's working now. :) Many thanks > I've created a pull request to hopefully fix the documentation:

[ossec-list] Re: Active response with multiple rules_group

2016-10-31 Thread Brad
Nice find Pedro! That was the problem. I wish the documentation had said that it was regex based. Lol. At least it's working now. :) Many thanks On Saturday, October 29, 2016 at 3:53:53 PM UTC-5, Brad wrote: > > Hi all, > > I'm setting up an AR and it works if I only use 1 rules_group or

[ossec-list] Re: Active response command not present

2016-09-26 Thread Jesus Linares
Hi, if it is a Linux agent, restart-ossec.cmd will not work. You must use restart-ossec.sh. Check out the documentation: - http://ossec-docs.readthedocs.io/en/latest/manual/ar/index.html - http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html

[ossec-list] Re: Active response command not present

2016-09-23 Thread F1LT3R
I also see the above on a Linux box (Ubuntu 14). On Tuesday, April 21, 2015 at 10:07:28 AM UTC-4, Bob Jolliffe wrote: > > I am seeing the following in my ossec.log on a linux agent: > > ossec-execd: INFO: Active response command not present: > '/var/ossec/active-response/bin/restart-ossec.cmd'.

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Decoder and rules for active-response are the same in both Wazuh and OSSEC. I meant that rules 601-606 are for a specific sh (check tag *action*), so if you are using a custom sh you will not see the alert. Also, alert 600 is generic (for all active responses) but level is 0. Regards. Jesus

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Barry Kaplan
Seems that wazuh already has a decoder and rules for active-response. (Not sure if these are also in ossec proper) https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/ossec_rules.xml

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread dan (ddp)
On Feb 23, 2016 12:42 AM, "Barry Kaplan" wrote: > > So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules?

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Hi Barry, if you want to see the rules generated by active response you must watch the active response log (as Dan said): syslog /var/ossec/logs/active-responses.log Now, you will see in archives.log (with option yes) the log received: 2016 Feb 23 10:59:06

Re: [ossec-list] Re: active-response alerts?

2016-02-22 Thread Barry Kaplan
So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules? I feel I am missing something in my understanding. -barry

Re: [ossec-list] Re: active-response alerts?

2016-02-22 Thread dan (ddp)
On Feb 22, 2016 6:18 AM, "Barry Kaplan" wrote: > > Hmm, ok. On clients there are entries in active-response.log (eg, firewall-drop.sh). But on the server alerts.log there is no trace of those. If I understand the rules correctly they should be there. I don't see any errors in

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Barry Kaplan
Hmm, ok. On clients there are entries in active-response.log (eg, firewall-drop.sh). But on the server alerts.log there is no trace of those. If I understand the rules correctly they should be there. I don't see any errors in the ossec.log on client or server. What's the best way to debug

[ossec-list] Re: active-response alerts?

2016-02-22 Thread Jesus Linares
Hi Barry, There are decoders and rules

[ossec-list] Re: Active response on windows agent

2015-10-19 Thread Andrea Garbeglio
If possible, I want to know the steps to follow to create a new script on Windows and use it from the manager as an active response. Andrea On Monday, 19 October 2015 09:27:37 UTC+2, Andrea Garbeglio wrote: > Dear all, > > I'm working to configure an active response on a windows

[ossec-list] Re: Active-Response and Fortinet firewall?

2015-05-08 Thread Brent Morris
https://groups.google.com/forum/#!topic/ossec-list/_0fqn9fU8WA I've done something similar in the past with an ASA. I have no experience with a Fortinet firewall, but if you can manage it via SSH, you should be able to crawl into the ASA's example fairly easily. On Monday, May 4, 2015 at

[ossec-list] Re: Active response eject USB

2015-05-07 Thread Bùi Viết Hướng
Yeah, this is my essay. I'll eject the USB when a user plugs it into my agent. On Wednesday, 06 May 2015 at 18:15:41 UTC+7, CraigL wrote: What would you like your agent to do when a user ejects a USB device? On Wednesday, 6 May 2015 11:06:31 UTC+1, Bùi Viết Hướng wrote: I need active

[ossec-list] Re: Active response eject USB

2015-05-07 Thread Bùi Viết Hướng
Hey dan, I have a question: when I plug a USB into the agent, I receive 1 alert. Then I eject the USB and plug it in again, and I won't receive the alert again; is that true or false? On Wednesday, 06 May 2015 at 18:15:41 UTC+7, CraigL wrote: What would you like your agent to do when a user ejects a

[ossec-list] Re: Active response eject USB

2015-05-06 Thread CraigL
What would you like your agent to do when a user ejects a USB device? On Wednesday, 6 May 2015 11:06:31 UTC+1, Bùi Viết Hướng wrote: I need active respond file.sh. Anyone can give me?

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-27 Thread dan (ddp)
On Tue, Jan 27, 2015 at 9:07 AM, Thomas Vidal vidal.tho...@gmail.com wrote: Hi, Well, I hope to find another way to solve my problem, I'm not a programmer! Neither am I, but I muddle through. Learning new things is one of the great joys in life! I will try to install an older version,

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-27 Thread Thomas Vidal
Hi, Well, I hope to find another way to solve my problem, I'm not a programmer! I will try to install an older version, just for a test! Thanks for your help. Best regards Thomas On Thursday, 22 January 2015 17:13:56 UTC+1, dan (ddpbsd) wrote: On Thu, Jan 22, 2015 at 11:01 AM, Thomas

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread dan (ddp)
On Thu, Jan 22, 2015 at 8:44 AM, Thomas Vidal vidal.tho...@gmail.com wrote: Dear OSSEC team, I am using the latest 2.8.1 Ossec version on both the Ossec server and clients on Debian Wheezy. Copying and pasting the event into ossec-logtest gives me good output. When agent.conf is modified, the active response to

[ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread Thomas Vidal
Dear OSSEC team, I am using the latest 2.8.1 Ossec version on both the Ossec server and clients on Debian Wheezy. Copying and pasting the event into ossec-logtest gives me good output. When agent.conf is modified, the active response to restart all clients is working fine. Server and clients are using up to date and

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread Thomas Vidal
*Dear Dan,* Where do you think the bug is? Are you sure ossec-execd is running on the agent? *YES!* Is AR disabled on the agent or manager? *There is no <disable>YES</disable> in either ossec.conf or agent.conf (and normally, following the documentation, AR is enabled by default)* Can

Re: [ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-22 Thread dan (ddp)
On Thu, Jan 22, 2015 at 11:01 AM, Thomas Vidal vidal.tho...@gmail.com wrote: Dear Dan, Where do you think the bug is? Are you sure ossec-execd is running on the agent? YES! Is AR disabled on the agent or manager? There is no <disable>YES</disable> in either ossec.conf or agent.conf (and

[ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-21 Thread Thomas Vidal
Dear Janelle, Thanks for your answer. I checked again this morning and yes, and more than yes: I made changes (just added a comment) in ossec.conf and agent.conf on the server. I waited some minutes and merged.mg was not updated on the server (and of course also not on clients). I restarted the server

[ossec-list] Re: Active response didn't work anymore since 1 month !

2015-01-20 Thread Janelle
I would make sure ar.conf is getting passed back to the agents. At the same time, is merged.mg being updated? That was always the problem I found when AR stopped working. ~J On Tuesday, January 20, 2015 at 1:47:30 AM UTC-8, Thomas Vidal wrote: Dear all, Active response stop working one

[ossec-list] Re: Active response

2014-07-02 Thread Nguyễn Văn Hớn
Thanks Dan. But how do I configure active response on Windows? I want to run a script to restart the computer when I attach a USB on Windows. On Thursday, 03 July 2014 at 01:24:55 UTC+7, Nguyễn Văn Hớn wrote: This is my config for active response in Agent <active-response> <disabled>no</disabled>

Re: [ossec-list] Re: Active response

2014-07-02 Thread dan (ddp)
On Wed, Jul 2, 2014 at 2:59 PM, Nguyễn Văn Hớn honi...@gmail.com wrote: Thanks Dan. But how do I configure active response on Windows? I want to run a script to restart the computer when I attach a USB on Windows. It should work the same way as running active response scripts on any other agent. At 01:24:55

[ossec-list] Re: active response

2014-06-02 Thread Nguyễn Văn Hớn
Hi. I come from Vietnam. And I have a project for OSSEC. Can we talk to each other about OSSEC? On Monday, 02 June 2014 at 09:37:56 UTC+7, Trieu Ngo Duy wrote: Help me with active response. How do I execute this command: REG ADD HKCU \ Software \ Microsoft \ Windows \

Re: [ossec-list] Re: active response

2014-06-02 Thread Trieu Ngo Duy
Hi, then let's speak Vietnamese, it's easier. Do you know much about active response? As in the question above, I want to execute this command: REG ADD HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ DisallowRun to add an entry to the registry on the Windows agent. Can you help me

Re: [ossec-list] Re: active response

2014-06-02 Thread Jeremy Rossi
It's wonderful that you guys are talking about OSSEC. But for the others from around the world that don't understand Vietnamese, could you please use English? Thank you. I have not used active response for editing the registry, but I am sure it could be done in a script. How you do this

Re: [ossec-list] Re: active response

2014-06-02 Thread Trieu Ngo Duy
Thanks everyone for the reply. My purpose is to stem a software agent inside Windows 7. For several weeks I have not been able to figure out how to implement it. Can you help me? 2014-06-02 19:42 GMT+07:00 Jeremy Rossi jer...@jeremyrossi.com: It's wonderful that you guys are talking about OSSEC. But

Re: [ossec-list] Re: Active Response broken in 2.7?

2014-01-30 Thread dan (ddp)
On Fri, Jan 24, 2014 at 12:47 PM, Jeremiah Brock jeremiah.j.br...@gmail.com wrote: Hello Dan, Yes, fresh install of 2.7 server mode. I confirmed this again this morning on another Ubuntu 12.04 system by doing the following: su root cd /root/installs wget

Re: [ossec-list] Re: Active Response broken in 2.7?

2014-01-24 Thread dan (ddp)
On Thu, Jan 23, 2014 at 8:10 PM, Jeremiah Brock jeremiah.j.br...@gmail.com wrote: Hi All, Just a follow up, I was able to get around this strange issue by doing the following: Was this a new install? On the Server: chown root:ossec ar.conf service ossec restart On the Agent:

Re: [ossec-list] Re: Active Response broken in 2.7?

2014-01-24 Thread Jeremiah Brock
Hello Dan, Yes, fresh install of 2.7 server mode. I confirmed this again this morning on another Ubuntu 12.04 system by doing the following: su root cd /root/installs wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz tar -zxvf ossec-hids-2.7.tar.gz cd ossec-hids-2.7 ./install.sh

[ossec-list] Re: Active Response broken in 2.7?

2014-01-23 Thread Jeremiah Brock
Hi All, Just a follow up, I was able to get around this strange issue by doing the following: *On the Server:* chown root:ossec ar.conf service ossec restart *On the Agent:* service ossec restart *The Agent /var/ossec/etc/shared now magically downloaded the proper ar.conf file:*

[ossec-list] Re: active-response to multiple agents

2013-04-15 Thread William Taylor
I _think_ all of the blocks are happening. I'm not 100% sure though. Even when I use all, things are slightly delayed at times. Does the server retry sending if the agent doesn't receive the request? Like I said, I tried updating to the newest code but it was buggy and things weren't working

Re: [ossec-list] Re: active-response to multiple agents

2013-04-15 Thread dan (ddp)
On Mon, Apr 15, 2013 at 1:51 PM, William Taylor zee...@gmail.com wrote: I _think_ all of the blocks are happening. I'm not 100% sure though. Even when I use all things are slightly delayed at times. There's no guarantee that the blocks will happen immediately. I generally don't see much delay,

Re: [ossec-list] Re: active-response to multiple agents

2013-04-15 Thread William Taylor
On Monday, April 15, 2013 11:27:41 AM UTC-7, dan (ddpbsd) wrote: Does the server retry sending if the agent doesn't receive the request? Like I said I tried updating to the newest code but it was buggy and things weren't working correctly. I think syscheck was segfaulting as well.

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-10 Thread C. L. Martinez
Here it is: root@plzfsiem02:/etc/mail# more /etc/rc.conf ## ### Important initial Boot-time options ## rc_conf_files=/etc/rc.conf /etc/rc.conf.local

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-10 Thread dan (ddp)
On Wed, Apr 10, 2013 at 1:51 AM, C. L. Martinez carlopm...@gmail.com wrote: Here it is: I put this rc.conf in place (/etc/rc.conf) on my FreeBSD 9.1 system, deleted all previous remnants of OSSEC, and ran install.sh from a fresh untarring of the latest source. Everything worked as expected.

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-10 Thread C. L. Martinez
Ok, I have installed the -devel branch in this agent and all works as expected ... Really strange ... I will install another FreeBSD host tomorrow and I will see ... On Wed, Apr 10, 2013 at 12:36 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Apr 10, 2013 at 1:51 AM, C. L. Martinez

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread C. L. Martinez
Ok, I have reinstalled the ossec client and same problem ... It is searching for ipfilter ... On Mon, Apr 8, 2013 at 7:18 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 3:17 PM, C. L. Martinez carlopm...@gmail.com wrote: Uhmm ... I do not remember but maybe that can be the problem. I will

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread dan (ddp)
On Tue, Apr 9, 2013 at 2:39 AM, C. L. Martinez carlopm...@gmail.com wrote: Ok, I have reinstalled ossec client and same problem ... It is searching ipfilter ... All right. I'm downloading FreeBSD now. On Mon, Apr 8, 2013 at 7:18 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-09 Thread dan (ddp)
On Tue, Apr 9, 2013 at 8:13 AM, dan (ddp) ddp...@gmail.com wrote: On Tue, Apr 9, 2013 at 2:39 AM, C. L. Martinez carlopm...@gmail.com wrote: Ok, I have reinstalled ossec client and same problem ... It is searching ipfilter ... All right. I'm downloading FreeBSD now. I was unable to

[ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Executing active response manually: root@itafbsd01:/usr/local/ossec-hids/bin# /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 open device: No such file or directory User/kernel version check failed 1:ioctl(add/insert rule): Bad file descriptor open device: No such

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 9:45 AM, C. L. Martinez carlopm...@gmail.com wrote: Executing active response manually: root@itafbsd01:/usr/local/ossec-hids/bin# /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 open device: No such file or directory User/kernel version

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 9:50 AM, C. L. Martinez carlopm...@gmail.com wrote: works: root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable -T add 10.196.0.15 No ALTQ support in kernel ALTQ related functions disabled 1/1 addresses added. root@itafbsd01:/data/logs/plain# pfctl -t ossec_fwtable

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Yep, it is searching ipf ... root@itafbsd01:/data/logs/plain# /bin/sh -x /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 + uname + UNAME=FreeBSD + ECHO=/bin/echo + GREP=/bin/grep + IPTABLES='' + IP4TABLES=/sbin/iptables + IP6TABLES=/sbin/ip6tables + IPFILTER=/sbin/ipf

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez carlopm...@gmail.com wrote: Yep, it is searching ipf ... root@itafbsd01:/data/logs/plain# /bin/sh -x /usr/local/ossec-hids/active-response/bin/firewall-drop.sh add - 10.196.0.15 + uname + UNAME=FreeBSD + ECHO=/bin/echo + GREP=/bin/grep +

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Correct, but for this reason, I ask the question ... On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 10:03 AM, C. L. Martinez carlopm...@gmail.com wrote: Yep, it is searching ipf ... root@itafbsd01:/data/logs/plain# /bin/sh -x

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez carlopm...@gmail.com wrote: Correct, but for this reason, I ask the question ... Does freebsd use ipf anymore? Is it still a knob? On Mon, Apr 8, 2013 at 2:09 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 10:03 AM, C. L.

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
AFAIK, FreeBSD can use three different firewall types: ipf, ipfw and pf ... On Mon, Apr 8, 2013 at 2:16 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 10:12 AM, C. L. Martinez carlopm...@gmail.com wrote: Correct, but for this reason, I ask the question ... Does freebsd use

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez carlopm...@gmail.com wrote: AFAIK, FreeBSD can use three different firewall types: ipf, ipfw and pf ... It looks like FreeBSD with pf enabled should be using pf.sh. Try running the same command you did previously, but with pf.sh instead. If that

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Ok, using the pf.sh script, it works as expected. Can I reconfigure agent.conf to use pf.sh as the active response instead of the firewall-drop.sh script, only for FreeBSD hosts? On Mon, Apr 8, 2013 at 2:25 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 10:19 AM, C. L. Martinez

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:29 AM, C. L. Martinez carlopm...@gmail.com wrote: Ok, using the pf.sh script, it works as expected. Can I reconfigure agent.conf to use pf.sh as the active response instead of the firewall-drop.sh script, only for FreeBSD hosts? I don't think so. I'm pretty sure those are server side

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
I am using FreeBSD 9.1 amd64 .. On Mon, Apr 8, 2013 at 2:34 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 10:29 AM, C. L. Martinez carlopm...@gmail.com wrote: Ok, using pf.sh script, works as expected. Can I reconfigure agent.conf to use pf.sh as active response instead

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 10:36 AM, C. L. Martinez carlopm...@gmail.com wrote: I am using FreeBSD 9.1 amd64 .. Did you have 'pf_enable=YES' in your rc.conf when you installed OSSEC? Not having that set is the only way I can see for the ipf script to be put in place instead of the pf one. On

[ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread C. L. Martinez
Uhmm ... I do not remember but maybe that can be the problem. I will try it tomorrow On Monday, April 8, 2013, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 10:36 AM, C. L. Martinez carlopm...@gmail.com wrote: I am using FreeBSD 9.1 amd64 .. Did you have 'pf_enable=YES' in your rc.conf

Re: [ossec-list] Re: Active response for FreeBSD

2013-04-08 Thread dan (ddp)
On Mon, Apr 8, 2013 at 3:17 PM, C. L. Martinez carlopm...@gmail.com wrote: Uhmm ... I do not remember but maybe that can be the problem. I will try it tomorrow Thanks. I'll be working on the documentation to make this clearer and to provide clear instructions on how to fix these types of issues.

Re: [ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-27 Thread Chris Warren
This is great! I will try it as soon as time permits. - Original Message - From: Iraklis Mathiopoulos mathiopou...@gmail.com To: ossec-list@googlegroups.com Sent: Saturday, January 26, 2013 12:42:22 PM Subject: [ossec-list] Re: Active response to email abuse contact of IP block

[ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-26 Thread Iraklis Mathiopoulos
Hey guys, Any progress on this? Cheers, Iraklis On Monday, June 4, 2012 8:00:59 PM UTC+3, Ryan Schulze wrote: Hi Chris, sorry to dig up this old mail, just wanted to ask if you stumbled across anything interesting since I was also thinking about automatic generation of abuse mails

[ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-26 Thread Iraklis Mathiopoulos
Couldn't find anything so I coded up something. https://github.com/iam1980/ossec-email-abuse I'm testing it in OSSEC ver. 2.7 and it seems to be working. Feel free to make any modifications Cheers On Saturday, January 26, 2013 12:22:55 PM UTC+2, Iraklis Mathiopoulos wrote: Hey guys, Any

[ossec-list] Re: active response not triggered on management server

2012-04-06 Thread Aaron Bliss
Hi all, Just following up for others who might be seeing this as well. Adding the following did work around the issue. Active Response is now triggered on the ossec server as well as all agents. Aaron <active-response> <command>firewall-drop</command> <location>server</location> <level>6</level>

[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread Jon Bayless
How can I determine if the IP is properly decoded? With the ossec-logtest program? Here is the output I get from that: ossec-testrule: Type one log per line. Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de

Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 9:34 AM, Jon Bayless fbjbayl...@gmail.com wrote: How can I determine if the IP is properly decoded? With the ossec-logtest program? Here is the output I get from that: ossec-testrule: Type one log per line. Feb  1 09:02:41 server1 ipop3d[39710]: Login failed

[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread Jon Bayless
Well with that custom decoder it matches the decoder now. I will try it and see if it actually catches and blocks the source IPs now. Is there any way to test whether it is decoding that source IP and will be able to use it properly? Thanks for all your help.

Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 10:34 AM, Jon Bayless fbjbayl...@gmail.com wrote: Well with that custom decoder it matches the decoder now. I will try it and see if it actually catches and blocks the source IPs now. Is there any way to test whether it is decoding that source IP and will be able to

[ossec-list] Re: active-response on Windows - ERROR

2011-12-22 Thread go
One more (maybe crucial) piece of information. My installation (and also system) drive is E, hence the agent is installed under: E:\Program Files\ossec-agent\ On Dec 22, 9:45 pm, Peter Skurczak piotr.skurc...@gmail.com wrote: On the agent, in ossec.conf I've got the following section: (...)

[ossec-list] Re: active-response on Windows - ERROR

2011-12-22 Thread go
I think I resolved it. Sorry for so many emails. So, it goes like this: if everything as far as the connection is all right, one also has to check the ar.conf. In my case I had entries there like: host-deny2147483647 - host-deny.sh - 2147483647 firewall-drop2147483647 - firewall-drop.sh -

[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
A! ... um, No. :-( On Dec 20, 10:14 am, dan (ddp) ddp...@gmail.com wrote: Is <expect>srcip</expect> set in the command definition?

[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
Something to ponder however -- I thought it was in there - instead there was an unmatched </expect> on a line within the command definition - and no error was generated, that is how I missed it. A bug perhaps? On Dec 20, 10:21 am, Kat uncommon...@gmail.com wrote: A! ... um, No. :-( On Dec

Re: [ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread dan (ddp)
It does sound like a bug to me. On Tue, Dec 20, 2011 at 2:02 PM, Kat uncommon...@gmail.com wrote: Something to ponder however -- I thought it was in there - instead there was an unmatched </expect> on a line within the command definition - and no error was generated, that is how I missed it. A
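The exchange above turns on a <command> definition that OSSEC accepted even though its <expect> element was broken (a stray </expect> with no opening tag), so the script ran without the expected srcip argument. The following is an added example, not code from the thread or from the OSSEC project: a small Python check that feeds ossec.conf active-response fragments through a strict XML parser, so an unmatched tag is reported instead of silently accepted, and then verifies that every command used by an <active-response> exists and that the stock IP-blocking scripts are paired with <expect>srcip</expect>. The two config fragments are constructed for the example; the list of script names that need srcip is an assumption based on the standard OSSEC scripts.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not from the thread). It reproduces the
# shape of the mistake described on the list: the <expect> opening tag is
# missing, leaving a stray </expect> inside <command>.
BROKEN_CONF = """
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
"""

# Constructed, well-formed fragment with two deliberate logic problems:
# host-deny expects "user" instead of "srcip", and one <active-response>
# references a command that is never defined.
WELL_FORMED_CONF = """
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>user</expect>
</command>
<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>no-such-command</command>
  <location>local</location>
  <level>6</level>
</active-response>
"""

# Stock scripts that take the offending IP as their argument and therefore
# need <expect>srcip</expect>. Assumption: standard OSSEC script names.
IP_SCRIPTS = {"firewall-drop.sh", "host-deny.sh", "route-null.sh", "ip-customblock.sh"}


def validate_active_response(conf_text):
    """Return a list of human-readable problems found in an ossec.conf fragment."""
    # ossec.conf fragments have no single root element; wrap them so that a
    # strict XML parser (unlike OSSEC's own, per the report above) accepts
    # well-formed input and rejects stray or unmatched tags.
    try:
        root = ET.fromstring("<ossec_config>" + conf_text + "</ossec_config>")
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]

    issues = []
    commands = {}
    for cmd in root.findall("command"):
        name = (cmd.findtext("name") or "").strip()
        executable = (cmd.findtext("executable") or "").strip()
        if not name or not executable:
            issues.append("command without <name> or <executable>")
            continue
        commands[name] = executable
        expect_el = cmd.find("expect")
        if expect_el is None:
            issues.append("command %r has no <expect> element" % name)
            continue
        expect = (expect_el.text or "").strip()
        if executable in IP_SCRIPTS and expect != "srcip":
            issues.append("command %r runs %s but <expect> is %r, not 'srcip'"
                          % (name, executable, expect))

    # Every <active-response> must point at a defined <command>.
    for ar in root.findall("active-response"):
        ref = (ar.findtext("command") or "").strip()
        if ref not in commands:
            issues.append("active-response refers to undefined command %r" % ref)
    return issues


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("well-formed", WELL_FORMED_CONF)):
        print(label + ":")
        for issue in validate_active_response(conf) or ["no issues"]:
            print("  " + issue)
```

Run it against the real /var/ossec/etc/ossec.conf by reading the file and passing the <command> and <active-response> sections to validate_active_response; a "malformed XML" result is exactly the case reported above, where OSSEC itself prints no error and the script silently runs without an IP.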

Re: [ossec-list] Re: active-response question on the ossec server Options

2011-06-20 Thread Jason 'XenoPhage' Frisvold
On Jun 19, 2011, at 6:09 PM, pierz wrote: Yes exactly, regarding the manual, this is the purpose of the <location>all</location> statement. But agents don't block the IP if the attack occurs on the server. That seems to be correct. I haven't tried

Re: [ossec-list] Re: active-response question on the ossec server Options

2011-06-20 Thread Christopher Moraes
What OS are your agents running on? On Sun, Jun 19, 2011 at 6:09 PM, pierz pierz.h...@gmail.com wrote: Yes exactly, regarding the manual, this is the purpose of the <location>all</location> statement. But agents don't block the IP if the attack occurs on the server. On 17 June, 02:09, Jason

[ossec-list] Re: active-response question on the ossec server Options

2011-06-19 Thread pierz
Yes exactly, regarding the manual, this is the purpose of the <location>all</location> statement. But agents don't block the IP if the attack occurs on the server. On 17 June, 02:09, Jason Frisvold xenoph...@godshell.com wrote: On Jun 16, 2011, at 1:59

Re: [ossec-list] Re: active response log monitoring

2011-05-31 Thread Jason Frisvold
On May 23, 2011, at 10:44 AM, Michael Starks wrote: I have added this (with some modifications) to my fork and am about to commit it for consideration into release. Trey and Jason, do I have your permission? I will list the contributors as Jason

Re: [ossec-list] Re: active response log monitoring

2011-05-25 Thread Michael Starks
On 05/24/2011 09:33 PM, treydock wrote: With those active response rules built in, would this be the preferred method for enabling alerts specifically for those rules? (for example in case the alert threshold is above Level 3) <email_alerts> <email_to>u...@example.com</email_to> <rule_id>601,

Re: [ossec-list] Re: active response log monitoring

2011-05-25 Thread Daniel Cid
You can do it now. Filter based on: rule_id, group, event_location. So your example should work. Link: http://www.ossec.net/doc/manual/output/granular-email-output.html Thanks, On Wed, May 25, 2011 at 12:15 PM, Michael Starks ossec-l...@michaelstarks.com wrote: On 05/24/2011 09:33 PM, treydock

Re: [ossec-list] Re: active response log monitoring

2011-05-24 Thread Michael Starks
On 05/23/2011 08:39 PM, treydock wrote: That's fine by me, though use Trey Dockendorf. Thanks! - Trey Support added here: https://bitbucket.org/mstarks01/ossec-hids-mstarks/changeset/67e4be778491 It should set up log monitoring on install, but won't actually work the first time because

[ossec-list] Re: active response log monitoring

2011-05-24 Thread treydock
With those active response rules built in, would this be the preferred method for enabling alerts specifically for those rules? (for example in case the alert threshold is above Level 3) <email_alerts> <email_to>u...@example.com</email_to> <rule_id>601, 602, 603, 604, 605, 606</rule_id>
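The question above is whether a granular <email_alerts> block keyed on the active-response rule ids (601-606) is the right way to get mail for those events, and the reply confirms that rule_id, group and event_location are all usable filters. As an added example (not code from the thread, the linked documentation or OSSEC itself), here is a small Python model of that routing: it parses constructed <email_alerts> blocks and decides which recipients a given alert reaches. The model is simplified: every condition inside one block must hold, blocks are evaluated independently, event_location is treated as a plain substring match, and <level> as a minimum level. The configuration, the mailbox names and the sample alerts are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not from the thread): the active-response
# rule ids discussed on the list go to one mailbox, and syscheck alerts from
# hosts whose location contains "web" go to another.
GRANULAR_CONF = """
<email_alerts>
  <email_to>ar-alerts@example.com</email_to>
  <rule_id>601, 602, 603, 604, 605, 606</rule_id>
</email_alerts>
<email_alerts>
  <email_to>web-team@example.com</email_to>
  <group>syscheck</group>
  <event_location>web</event_location>
</email_alerts>
"""

# Constructed alerts, reduced to the fields the routing decision needs.
ALERTS = [
    {"rule_id": 601, "level": 3, "groups": ["active_response"],
     "location": "ossec-server"},
    {"rule_id": 550, "level": 7, "groups": ["ossec", "syscheck"],
     "location": "(web01) 10.0.0.5->syscheck"},
    {"rule_id": 550, "level": 7, "groups": ["ossec", "syscheck"],
     "location": "(db01) 10.0.0.9->syscheck"},
]


def parse_email_alerts(conf_text):
    """Turn each <email_alerts> block into a recipient plus a list of predicates."""
    root = ET.fromstring("<ossec_config>" + conf_text + "</ossec_config>")
    rules = []
    for block in root.findall("email_alerts"):
        rule = {"email_to": block.findtext("email_to").strip(), "conditions": []}

        ids = block.findtext("rule_id")
        if ids:  # comma-separated list of rule ids; any of them matches
            wanted = {int(x) for x in ids.split(",") if x.strip()}
            rule["conditions"].append(lambda a, w=wanted: a["rule_id"] in w)

        group = block.findtext("group")
        if group:  # the alert's rule must carry this group
            rule["conditions"].append(lambda a, g=group.strip(): g in a["groups"])

        loc = block.findtext("event_location")
        if loc:  # simplified: substring match on the alert location
            rule["conditions"].append(lambda a, l=loc.strip(): l in a["location"])

        level = block.findtext("level")
        if level:  # minimum level for this block
            rule["conditions"].append(lambda a, lv=int(level): a["level"] >= lv)

        rules.append(rule)
    return rules


def recipients(alert, rules):
    """All conditions inside one block must hold; each block is checked on its own."""
    return [r["email_to"] for r in rules
            if all(cond(alert) for cond in r["conditions"])]


if __name__ == "__main__":
    parsed = parse_email_alerts(GRANULAR_CONF)
    for alert in ALERTS:
        print(alert["rule_id"], alert["location"], "->", recipients(alert, parsed))
```

The first alert (rule 601) reaches only the active-response mailbox, the syscheck alert from web01 reaches only the web team, and the one from db01 reaches nobody, which is the behaviour to expect from rule_id and event_location filters before trusting them on a production ossec-maild.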

Re: [ossec-list] Re: active response log monitoring

2011-05-23 Thread Michael Starks
On 05/17/2011 01:59 PM, Jason Frisvold wrote: On May 12, 2011, at 5:41 AM, treydock wrote: I had to accomplish this a few days ago. See my post here, http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/ . I have the exact decoder and

[ossec-list] Re: active response log monitoring

2011-05-23 Thread treydock
That's fine by me, though use Trey Dockendorf. Thanks! - Trey On May 23, 9:44 am, Michael Starks ossec-l...@michaelstarks.com wrote: On 05/17/2011 01:59 PM, Jason Frisvold wrote: On May 12, 2011, at 5:41 AM, treydock wrote: I had to

Re: [ossec-list] Re: active response log monitoring

2011-05-21 Thread Jason Frisvold
On May 18, 2011, at 5:22 AM, treydock wrote: Jason, do you have Splunk working with OSSEC? I am planning to do something very similar to what you described. So far I haven't had much luck getting the OSSEC for Splunk plugin to work in a way that

[ossec-list] Re: active response log monitoring

2011-05-18 Thread treydock
Jason, do you have Splunk working with OSSEC? I am planning to do something very similar to what you described. So far I haven't had much luck getting the OSSEC for Splunk plugin to work in a way that gives me a good overview of my environment. So far the problem I'm having is my Linux
