[ossec-list] Re: Monitoring defacement on highly dynamic websites with OSSEC

2016-05-25 Thread Tahir Hafiz
Hi Joe, Apologies for the late reply. Basically, there is a file here: /var/ossec/etc/internal_options.conf. It contains these parameters: syscheck.sleep=2 and syscheck.sleep_after=15. By changing those it is possible to decrease the time of any syscheck considerably. I think it is possible to

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jacob Mcgrath
Started the decoder/rules from scratch since the test ossec system at home worked ok... This sees the FTP log attempts + the elevation of "Brute Force" to an active response through route-null.cmd. but the route-null.cmd should be the latest updated release of this script from

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jesus Linares
Hi Jacob, I have no idea what is happening.
ossec.conf: etc/decoder.xml etc/local_decoder.xml
local_decoder.xml: windows-date-format true ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+) srcip,user,action,id
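As an added example, not code from either poster or from OSSEC itself: the decoder Jesus posts above, applied in Python to a few constructed IIS FTP log lines, followed by the per-source failed-login counting that a frequency/timeframe rule performs before an alert like Jacob's "Brute Force" hands the srcip to route-null.cmd. Because OSSEC's os_regex is its own dialect (a bare "." is a literal dot, "\." means any character), the block first translates the posted patterns to Python re syntax. Assumptions: the parent windows-date-format decoder is taken to prematch `^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d `, the field layout of the sample lines is constructed so the posted regex matches rather than copied from a real IIS 8 log, and the threshold of 5 failures within 120 seconds is a chosen value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- OSSEC regex dialect -> Python re -------------------------------------
# os_regex is not PCRE: a bare "." is a literal dot, "\." is "any character",
# "\p" is a punctuation class.  Only the constructs used by the decoders on
# this page (plus the other common classes) are translated here.
_OSSEC_CLASSES = {
    ".": ".",                          # OSSEC "\." = any character
    "p": r"[()*+,\-.:;<=>?\[\]]",      # OSSEC "\p" = punctuation
    "w": r"\w", "d": r"\d", "s": r"\s", "t": r"\t",
    "W": r"\W", "D": r"\D", "S": r"\S",
}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if ch == ".":
            out.append(r"\.")          # literal dot in OSSEC syntax
        elif ch in "^$()+*| ":
            out.append(ch)             # same meaning in both dialects
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)

# --- The decoder from the thread -------------------------------------------
# Prematch of OSSEC's built-in windows-date-format parent decoder (assumed).
PARENT_PREMATCH = re.compile(ossec_to_python(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "))
# Child decoder as posted; prematch and regex apply after the parent match
# (offset="after_parent") and <order> names the capture groups.
PREMATCH = re.compile(ossec_to_python(r"^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC"))
REGEX = re.compile(ossec_to_python(
    r"^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)"))
ORDER = ("srcip", "user", "action", "id")

def decode(line):
    """Decoded fields for one log line, or None when the decoder does not match."""
    parent = PARENT_PREMATCH.match(line)
    if not parent:
        return None
    rest = line[parent.end():]
    if not PREMATCH.match(rest):
        return None
    m = REGEX.match(rest)
    return dict(zip(ORDER, m.groups())) if m else None

# --- Brute-force correlation -----------------------------------------------
FAILED_LOGIN = ("PASS", "530")                      # FTP reply 530 = not logged in
FREQUENCY, TIMEFRAME = 5, timedelta(seconds=120)    # chosen, like a rule's frequency/timeframe

def brute_force_sources(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Source IPs with >= frequency failed logins inside a sliding timeframe."""
    windows = defaultdict(deque)
    flagged = set()
    for line in lines:
        fields = decode(line)
        if fields is None or (fields["action"], fields["id"]) != FAILED_LOGIN:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        window = windows[fields["srcip"]]
        window.append(ts)
        while ts - window[0] > timeframe:
            window.popleft()                        # drop failures older than the timeframe
        if len(window) >= frequency:
            flagged.add(fields["srcip"])            # the srcip an active response would act on
    return flagged

# Constructed sample lines: the field layout is chosen so the posted regex
# matches; it is not copied from a real IIS 8 FTP log.
SAMPLE_LOG = [
    "2016-05-25 10:37:40 203.0.113.7 51234 alice FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 530",
    "2016-05-25 10:37:44 203.0.113.7 51235 alice FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 530",
    "2016-05-25 10:37:49 203.0.113.7 51236 admin FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 530",
    "2016-05-25 10:37:52 198.51.100.5 40021 bob FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 530",
    "2016-05-25 10:37:55 203.0.113.7 51237 admin FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 530",
    "2016-05-25 10:38:01 198.51.100.5 40022 bob FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 230",
    "2016-05-25 10:38:03 203.0.113.7 51238 root FTPSVC WEBSRV01 192.0.2.10 21 0 PASS - 530",
    # same date format but not an FTPSVC line: parent matches, child prematch does not
    "2016-05-25 10:38:10 203.0.113.9 52000 GET /index.html 200 0 0 -",
    # syslog-style line: parent prematch does not match at all
    "May 25 10:38:12 websrv sshd[4123]: Failed password for root from 203.0.113.7 port 40000 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode(line))
    print("brute force from:", sorted(brute_force_sources(SAMPLE_LOG)))
```

Running it decodes the seven FTPSVC lines into srcip/user/action/id, returns None for the two others, and flags 203.0.113.7 after its fifth 530 within the window. Lowering the real rule's frequency or widening its timeframe trades faster blocking against the risk of route-null'ing a legitimate user who mistypes a password a few times.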

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jesus Linares
I guess you know it, but you must restart OSSEC after changing decoder, rules or ossec.conf. On Wednesday, May 25, 2016 at 10:37:49 AM UTC+2, Jesus Linares wrote: > > Hi Jacob, > > I have no idea what is happening. > > ossec.conf: > > etc/decoder.xml > etc/local_decoder.xml > >

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-25 Thread Jesus Linares
Hi Dave, that happens. Maybe I didn't explain it very well. Just add a prematch to the USB decoder in kernel-iptables_apparmor_decoders.xml and use this decoder in your local_decoder file: iptables

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-25 Thread Tahir Hafiz
Thanks but I think this is not quite what I am after as this seems more like a log parser tool. I think what I am looking for is an "automated intruder" tool, like a script that can be run which will cause alerts to happen at the various OSSEC alert levels from 0 to 16. I will see if a

Re: [ossec-list] Re: OSSEC Email-notification: multiple email-addresses/recipients possible?

2016-05-25 Thread Ioan Corneliu SALISTEANU
In this case the email will contain multiple To: headers which will cause problems with AV and AS systems. Right? Friday, 28 September 2007, 03:41:12 UTC+3, Daniel Cid wrote: > > Hi, > > Actually, this format will not work. You need to specify each email > address on its > own "email_to" tag:

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-25 Thread Tahir Hafiz
On Wednesday, 25 May 2016 12:48:01 UTC+1, dan (ddpbsd) wrote: > > On Wed, May 25, 2016 at 4:59 AM, Tahir Hafiz > wrote: > > Thanks but I think this is not quite what I am after as this seems more > like > > a log parser tool. > > I think what I am looking for is an

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-25 Thread dan (ddp)
On Wed, May 25, 2016 at 4:59 AM, Tahir Hafiz wrote: > Thanks but I think this is not quite what I am after as this seems more like > a log parser tool. > I think what I am looking for is an "automated intruder" tool, like a script > that can be run which will cause alerts