Regarding unblocking an IP that has become blocked
In your active responses log /var/ossec/logs/active-responses.log
You will see entries similar to the below:
/var/ossec/active-response/bin/firewall-drop.sh add - 123.123.123.123
1328136255.31737 31151
On Fri, Feb 3, 2012 at 9:19 AM, alsdks als...@gmail.com wrote:
Hello again,
I followed the steps to configure a rule that will generate a higher
severity alert for specific files and noticed that it works for the
first change detected but not for the second and beyond. For example
the rule
On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller ogmuel...@gmail.com wrote:
I definitely get a segfault though and I clear out my local rules. There was
nothing in there except this group with one rule.
Is it an Ubuntu problem then?
I don't remember having any issues with Ubuntu, but that VM
On Fri, Feb 3, 2012 at 6:50 AM, alsdks als...@gmail.com wrote:
Hi Dan,
I do not know if that is possible but turning off message repeated
messages would probably affect other logging as well.
Now as for overwriting the rule, 5720 is a generic rule that
addresses many platforms... For IBM
On Thu, Feb 2, 2012 at 3:53 PM, tao_zhyn taoz...@gmail.com wrote:
I was reviewing the windows decoder and noticed ftsname,
location, user, system_name/fts. I could not find any reference in
the documentation as to what this was for.
I finally found a reference to it in one of the
On Fri, Feb 3, 2012 at 8:04 AM, alsdks als...@gmail.com wrote:
Hello list,
Windows OSSEC agent, default ossec.conf configuration, spits out a
lot of errors. I believe others have noticed it as well but I could
not find a related post. I was wondering if someone knew what they
mean and how
On Fri, Feb 3, 2012 at 1:15 AM, Marcos Tang marcos.t...@gmail.com wrote:
Hi Dan,
Refer to my previous email, I have the following findings.
Output from the OSSEC server
[root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f
On Thu, Feb 2, 2012 at 11:11 AM, kumaig goj...@gmail.com wrote:
it does not work with T either :(
Have you tried feeding it through ossec-logtest? The date may be
getting decoded out.
On Feb 2, 14:07, dan (ddp) ddp...@gmail.com wrote:
On Wed, Feb 1, 2012 at 7:59 AM, kumaig goj...@gmail.com
On Thu, Feb 2, 2012 at 8:53 PM, Macus macu...@gmail.com wrote:
... means Ellipsis.
I think the syntax is valid, because I have received the report daily
for over a month. However, I couldn't receive it sometimes starting
I missed that in your original mail, my apologies.
from last week. No
On Thu, Feb 2, 2012 at 10:57 AM, tao_zhyn taoz...@gmail.com wrote:
I knew I was missing something simple, overwrite=yes.
I do vaguely remember reading about this option. Yes, it is here:
http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
Dan, your suggestion did not work. it was still
On Sun, Feb 5, 2012 at 12:56 PM, lucas kauffman
lucas.kauff...@gmail.com wrote:
Hello,
I'm quite new to OSSEC, and there are two things I can't find out:
How do I increase the frequency of the rule when someone is blocked because
of a 400 error (failed to login through htaccess in Apache2).
On Mon, Jan 30, 2012 at 11:13 PM, Macus macu...@gmail.com wrote:
I have disabled the auto_ignore function like below.
<syscheck>
<scan_time>20:00</scan_time>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
Did you set this on the manager? I think it's a manager only option.
Yes I have. The only solution that I found that worked for me is to change
the log format like this..
2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/
default/template/exacttarget/top_sub.phtml
and with this decoder everything works well...
<decoder name="magentoCRIT">
On Mon, Feb 6, 2012 at 9:55 AM, kumaig goj...@gmail.com wrote:
Yes I have. The only solution that I found that worked for me is to change
Well ok then. I'll try to remember to run it through ossec-logtest
when I get some free time. My thought was that perhaps it is being
decoded as something else, or
Hey,
What are you trying to decode there? And how will you use this information?
If you will not use the decoded information anywhere, just write a
rule to ignore
or do what you need with this event...
Thanks,
--
Daniel B. Cid
On Mon, Feb 6, 2012 at 10:55 AM, kumaig goj...@gmail.com wrote:
Hey,
I see the issue in there. You overwrote the rule 30109, which is an atomic rule
dependent on the 30101 (<if_sid>30101</if_sid>).
You modified it to be a composite rule and OSSEC didn't like that. It
should have
warned that you can't use the overwrite to modify a rule from
atomic-composite and
Hey,
You have to provide the event log name (like Application, System, etc) instead
of the full path. Try that and it should work.
Thanks,
--
Daniel B. Cid
On Tue, Jan 31, 2012 at 7:12 PM, mikeyintn mi...@charlietree.com wrote:
Having absolutely no luck reading any Windows 2008 R2 event logs
Hey guys,
I was checking an ignore rule this morning and following syscheckd
activity with strace, and I noticed that syscheck was looking into
/proc.
So I went back to my configuration and confirmed that /proc is not
included in the list of directories to check
<!-- Directories to check
Hi!
Try with this:
\d+-\d+-\d+\w\d+:\d+:\d+\+\d+:\d+ CRIT Not valid template file\:
Best regards
woodspeed
On Feb 6, 2012 at 16:26, Daniel Cid daniel@gmail.com wrote:
Hey,
What are you trying to decode there? And how will you use this information?
If you will not use the decoded
I found that my reports in ossec server 2.5.1 don't run because of a
race condition where log rollover happens before the reports generate,
so there's no file and thus no results. The ossec.log file will show
that.
I found that by creating a cronjob that runs a daily report shell
script runs all my
On Mon, Feb 6, 2012 at 12:48 PM, Julien Vehent juli...@aweber.com wrote:
I'm using report_changes on a lot of directories, and to avoid having
large diff queues, I ignore a bunch of files I don't care about.
I'm having issues with the regex on an ignore rule. The files are in
/tmp as follows: