[ossec-list] Re: syscheck checksums changing on windows agents

2016-02-17 Thread victor
I found that OSSEC opens the files in text mode, and this seems to produce wrong hashes. Files should be opened in binary mode to work properly. I fixed this problem in our repository: https://github.com/wazuh/ossec-wazuh/commit/f52514647f0be8ae01a83c260bdad85d24eb8cd9 And I also sent a

[ossec-list] Re:

2016-02-17 Thread webwzrd
Santiago, Thank you for your insight, I really appreciate it. I see your discovery. I'm new to understanding the regex used, but I'm a quick study. After the parent decoder is matched, shouldn't apache24-errorlog-ip be able to jump ahead to the section starting with [client - not sure how

[ossec-list] Re: Get actual Agent IP

2016-02-17 Thread Victor Fernandez
IP is used in OSSEC for assigning permissions to agents. It would be possible to add information about the IP address in the agent's queue and show it with *agent_control*, or include the IP in the alert generated when an agent connects to the manager. Another solution that won't imply to

Re: [ossec-list] rules files as symlinks

2016-02-17 Thread Rui Zhang
Thank you, Santiago! Other than remounting a partition inside the jail, can we configure the folder for rules files? If we can configure the folder, would this also be inside the same jail too? I am thinking of configuring the rules folder to /opt/ossec/rules, but I guess it will be looking for

[ossec-list] Re:

2016-02-17 Thread webwzrd
Santiago, After testing variations of your log edits, I'm finding that keeping the pid in place and just adding the port produces: **Phase 2: Completed decoding. decoder: 'apache-errorlog' srcip: '46.4.84.147' id: 'ModSecurity' How can I get the decoder to not require the

[ossec-list] Re:

2016-02-17 Thread Jesus Linares
Hi Brian, The decoder that you see in logtest is always the parent: **Phase 2: Completed decoding. decoder: 'apache-errorlog' <- This is the parent decoder. We have 6 decoders for apache: - Parents: - - - - Children: - - - The log matches

Re: [ossec-list] rules files as symlinks

2016-02-17 Thread Santiago Bassett
Yes, if it is inside the jail then that should be ok. Also check that your ossec.conf is configured to look for the rules where you want. As well, symbolic links inside the jail should work. I hope that helps. On Wed, Feb 17, 2016 at 7:49 AM, Rui Zhang wrote: > Thank you,

[ossec-list] Re:

2016-02-17 Thread webwzrd
Jesus, You were spot on! Your analyses and solution worked perfectly. Thank you so much. I had made some additional Ossec rules for ModSecurity and now they're all working. I don't know if you are associated with the development team at github, but this should be shared because it is likely

[ossec-list] Re:

2016-02-17 Thread Jesus Linares
Hi Brian, I'm glad to hear that! I did some changes to extract the port and other fixes. You can see the apache decoders updated here. Also I sent a pull request

[ossec-list] Re:

2016-02-17 Thread webwzrd
Excellent!