Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote: > Hello, > > I'm pretty new to OSSEC and I'm working to get some active responses > working. I have tried a number of different active responses but cannot seem > to get it to work anywhere (not on the server or agents).

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
Yes test.sh is on the agent. Execd is also running and yep the alert is firing. On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant > wrote: > > Hello, > > > > I'm pretty new to OSSEC and I'm working to

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote: > Yes test.sh is on the agent. Execd is also running and yep the alert is > firing. > Try removing the level option and leave just the rules_id. > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: >>

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
How would I go about checking if AR is disabled on agents? Checking config files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this on Ubuntu On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: > How would I go about checking if AR is disabled on agents? Checking config > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this > on Ubuntu > I think it's enabled by default. This is all I have

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
Hmm, ok, is this the only active-response config on your agent? I'm not seeing any so that may be my problem. Is it one active-response config for all (like the one you posted below should serve all future ARs)? And what I posted was on the server. I'll give this a try though On Wednesday,

Re: [ossec-list] Alert suppression sha1sum

2017-04-19 Thread dan (ddp)
On Mon, Apr 17, 2017 at 11:09 AM, Kumar G wrote: > Hi Team, > > In our ossec environment we are getting lots of sha1sum alerts (even though > it's not configured) and that are irrelevant to us. Is there any way to > suppress these alerts? > > ** Alert 1491577582.15621: mail -

[ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
Hello, I'm pretty new to OSSEC and I'm working to get some active responses working. I have tried a number of different active responses but cannot seem to get it to work anywhere (not on the server or agents). I'm now trying a simple AR to just log to active-responses.log but it still does

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Rob Williams
Still no luck. Just to verify, the scripts should be located in /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't really telling me anything either. On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote: > Still no luck. Just to verify, the scripts should be located in > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't > really telling me anything either. > Yep, that's where they go. AR isn't

[ossec-list] Ruxcon 2017 Call For Presentations

2017-04-19 Thread cfp
Ruxcon 2017 Call For Presentations Melbourne, Australia, October 21-22 CQ Function Centre http://www.ruxcon.org.au The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2017. This year the conference will take place over the weekend of the 21st and 22nd

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) wrote: > On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: >> How would I go about checking if AR is disabled on agents? Checking config >> files and don't see anything about it. Running v2.8.3 for OSSEC. Also,