[ossec-list] Real time monitoring hidden files or hidden folder
Recently, we are trying to use OSSEC to monitor ~/.ssh/authorized_key in real time. But it seems it only works for the periodic system integrity check, not in real time. I checked the /var/ossec/queue/diff folder; it recorded all the changes under that folder, but since .ssh is a hidden folder, I cannot get real-time file change alerts from the OSSEC manager. Does anyone know how to fix this?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] OSSEC real-time monitoring with hidden files
Recently, we are trying to use OSSEC to monitor the file ~/.ssh/authorized_key in real time, but it seems it can only detect changes through syscheck, not in real time. I checked the /var/ossec/queue/diff folder; it recorded all the changes, but because the .ssh folder is hidden, I cannot get real-time alerts from the OSSEC manager. Does anyone know how to fix this, or has OSSEC ever considered this function before?
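Neither post above shows the syscheck stanza the agent is running, so the following is an added illustration (not from the original threads and not OSSEC's shipped configuration) of what a real-time syscheck entry for a hidden directory looks like in ossec.conf. The path /home/alice/.ssh is a constructed placeholder; the assumption is that OSSEC syscheck takes absolute paths and does not expand "~", and that `realtime="yes"` relies on the agent having been built with inotify support, while `report_changes="yes"` is what populates the queue/diff folder the posters mention:

```xml
<ossec_config>
  <syscheck>
    <!-- Periodic scan interval in seconds; realtime events do not replace this scan. -->
    <frequency>7200</frequency>

    <!-- Absolute path (assumption: "~" is not expanded by syscheck).
         check_all="yes"      : hash, size, owner, group and permission checks
         realtime="yes"       : inotify-driven events between scans (agent must support it)
         report_changes="yes" : keep a copy/diff of the file under /var/ossec/queue/diff -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/home/alice/.ssh</directories>
  </syscheck>
</ossec_config>
```

After editing ossec.conf on the agent, restart it and confirm in /var/ossec/logs/ossec.log that the directory is listed as being monitored in real time; if the log shows only the periodic scan, the hidden directory is not being watched by inotify and the question raised above still applies. Whether OSSEC's realtime watcher handles dot-directories correctly is exactly the open point of these posts; the stanza only shows what is expected to be configured.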
[ossec-list] Modify rules
I am new to ossec and I am trying to figure out what is the best way to change a rule. In the ossec.conf it says this:

    host-deny
    local
    6
    600

I am assuming the level it is referring to is the level set in the rule.xml. So the sshd_rules.xml has this line:

    5700
    ^Failed|^error: PAM: Authentication
    SSHD authentication failed.
    authentication_failed,

When testing failed ssh logins I see the alert in the alert.log for the rule above. How should I go about changing the level to 6 so it will get blocked? I tried editing the sshd_rules.xml but get the read only warning.
[ossec-list] Re: Modify rules
Hi,

You have some options to achieve this:

One of them is to increase the rule level. Changing the value at the original rule would work, but I'd recommend you to create a new rule (at file local_rules.xml), adding attribute 'overwrite="yes"' and changing the rule level:

    5700
    ^Failed|^error: PAM: Authentication
    <description>SSHD authentication failed.
    authentication_failed,

Another option would be enabling Active response for rule 5716 in particular, using option "rules_id" inside the group:

    host-deny
    local
    6
    5711
    600

Hope it helps.

Best regards.

On Monday, March 20, 2017 at 11:56:29 AM UTC-7, The Dude wrote:

> I am new to ossec and I am trying to figure out what is the best way to change a rule. In the ossec.conf it says this:
>
>     host-deny
>     local
>     6
>     600
>
> I am assuming the level it is referring to is the level set in the rule.xml. So the sshd_rules.xml has this line:
>
>     5700
>     ^Failed|^error: PAM: Authentication
>     SSHD authentication failed.
>     authentication_failed,
>
> When testing failed ssh logins I see the alert in the alert.log for the rule above. How should I go about changing the level to 6 so it will get blocked? I tried editing the sshd_rules.xml but get the read only warning.
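The archive has stripped the XML tags from both the question and the reply, so here is an added, fully tagged version of the two approaches the reply describes (an override in local_rules.xml, and an active response bound to a rule id). This is not the reply author's text or OSSEC's shipped configuration; it assumes the stripped fragment in the question is rule 5716 from sshd_rules.xml (the reply names 5716, and the visible "5700" is its if_sid parent), that the host-deny command block shown is the one shipped in the default ossec.conf, and that the default level of 5716 is lower than the 6 the active response triggers on:

```xml
<!-- /var/ossec/rules/local_rules.xml (option 1: raise the level by overriding the rule).
     The id must match the original rule, and overwrite="yes" makes this definition win.
     Rule content is assumed to mirror sshd_rules.xml; only level="6" is the change. -->
<group name="local,syslog,sshd,">
  <rule id="5716" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf (option 2: leave the rule level alone and bind the
     response to the rule id instead of to a level). -->
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <!-- Fires for this rule id regardless of its level; a <level> element would
         instead fire for every rule at or above that level. -->
    <rules_id>5716</rules_id>
    <!-- Seconds before host-deny.sh is called again to remove the deny entry. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two practical points before enabling either option. First, feed a failed-login log line through /var/ossec/bin/ossec-logtest after restarting the manager and check that the reported rule id and level are what you expect; the local_rules.xml override shows up there immediately, so you can verify it without waiting for a real event. Second, both options block a source address after a single failed password, which will also lock out administrators who mistype once; in practice the frequency-based sshd brute-force rule that OSSEC already ships at a higher level is the safer trigger, and the single-failure rule is better left as an alert.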