Re: [ossec-list] agents not connected to server, IP@ correct, udp connects, what gives

2017-09-27 Thread dan (ddp)
On Tue, Sep 26, 2017 at 12:41 PM, James Stallard wrote: > Help anyone: > OK, I'm at a loss > Running version: > # ./ossec-analysisd -V > OSSEC HIDS v2.8 - Trend Micro Inc. > CentOS release 6.7 (Final) > On AWS > > I've distributed the keys by hand via manage_agents > and

Re: [ossec-list] regex not working

2017-09-27 Thread dan (ddp)
On Mon, Sep 25, 2017 at 4:08 AM, Robert Necela wrote: > Hello, I have a message with character "`". But I can't write a rule with such > character. \. -> For anything not working and I can't find this character in > \p -> ()*+,-.:;<=>?[]!"'#$%&|{} (punctuation characters) > >

Re: [ossec-list] Please answer these two Splunk Questions?

2017-09-27 Thread dan (ddp)
On Sat, Sep 23, 2017 at 4:08 PM, wrote: > Q1) Will the following searches return the same results? SEARCH 1: ssh > error SEARCH 2: ssh AND error. True or False I think splunk's default search is an "OR," but it's been a while (and of course my local install is acting

Re: [ossec-list] How to alert on successful Windows authentication

2017-09-27 Thread dan (ddp)
On Fri, Sep 22, 2017 at 6:22 PM, Kris Springer wrote: > Hi, I've got OSSEC agent v2.9.0 running on some Windows servers and clients > of various versions and receive the default alerts through a Security Onion > server. All is well from the defaults, but I'd like to

Re: [ossec-list] "New file" false positives on version 2.9.1

2017-09-27 Thread dan (ddp)
On Fri, Sep 22, 2017 at 12:11 PM, Leroy Tennison wrote: > Couldn't find anything about this in the archives, I started the agent and > about 10 minutes later got an email with about 100 files listed as being > new. The first 20 were in /usr/share/i18n/locales and I

Re: [ossec-list] Extending the windows decoder

2017-09-27 Thread dan (ddp)
On Fri, Sep 22, 2017 at 3:49 AM, Nico MT wrote: > Hi all, > > I've been trying to create a decoder for the new version of TrendMicro, > which is not supported by OSSEC or by Wazuh yet. The sample event I want to > decode is like this: > > 2017 Sep 20 16:12:10 WinEvtLog:

Re: [ossec-list] agents not connected to server, IP@ correct, udp connects, what gives

2017-09-27 Thread James Stallard
Dan/Jeff - thanks for the quick response! I know this sounds like a rookie problem, but I have run out of debugging tools: In summary: 1) the pb. is with clients from other subnets, 2) I DO have connectivity via udp1514 *bi-directionally* (confirmed by nc) - I don't think any other ports are

Re: [ossec-list] agents not connected to server, IP@ correct, udp connects, what gives

2017-09-27 Thread dan (ddp)
On Wed, Sep 27, 2017 at 10:11 AM, James Stallard wrote: > Dan/Jeff - thanks for the quick response! I know this sounds like a rookie > problem, but I have run out of debugging tools: > > In summary: > 1) the pb. is with clients from other subnets, > 2) I DO have

Re: [ossec-list] "New file" false positives on version 2.9.1

2017-09-27 Thread Leroy Tennison
I should have said that this was a new install, the start of the agent was as a result of completing the installation. On Wednesday, September 27, 2017 at 8:04:28 AM UTC-5, dan (ddpbsd) wrote: > > On Fri, Sep 22, 2017 at 12:11 PM, Leroy Tennison > wrote: > > Couldn't