On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> Hello,
>
> I'm pretty new to OSSEC and I'm working to get some active responses
> working. I have tried a number of different active responses but cannot seem
> to get it to work anywhere (not on the server or agents).
Yes test.sh is on the agent. Execd is also running and yep the alert is
firing.
On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> > Hello,
> >
> > I'm pretty new to OSSEC and I'm working to
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
> Yes test.sh is on the agent. Execd is also running and yep the alert is
> firing.
>
Try removing the level option and leave just the rules_id.
> On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>>
How would I go about checking if AR is disabled on agents? Checking config
files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
is on Ubuntu
On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
> How would I go about checking if AR is disabled on agents? Checking config
> files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
> is on Ubuntu
>
I think it's enabled by default. This is all I have
Hmm, ok, is this the only active-response config on your agent? I'm not
seeing any so that may be my problem. Is it one active-response config for
all (like the one you posted below should serve all future ARs)? And what I
posted was on the server. I'll give this a try though
On Wednesday,
On Mon, Apr 17, 2017 at 11:09 AM, Kumar G wrote:
> Hi Team,
>
> In our ossec environment we are getting lots of sha1sum alerts (even though
> it's not configured) and that are irrelevant to us. Is there any way to
> suppress these alerts?
>
> ** Alert 1491577582.15621: mail -
Hello,
I'm pretty new to OSSEC and I'm working to get some active responses
working. I have tried a number of different active responses but cannot
seem to get it to work anywhere (not on the server or agents). I'm now
trying a simple AR to just log to active-responses.log but it still does
Still no luck. Just to verify, the scripts should be located in
/var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
really telling me anything either.
On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
> Still no luck. Just to verify, the scripts should be located in
> /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
> really telling me anything either.
>
Yep, that's where they go.
AR isn't
Ruxcon 2017 Call For Presentations
Melbourne, Australia, October 21-22
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For
Presentations for Ruxcon 2017.
This year the conference will take place over the weekend of the 21st and 22nd
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) wrote:
> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
>> How would I go about checking if AR is disabled on agents? Checking config
>> files and don't see anything about it. Running v2.8.3 for OSSEC. Also,