Hi all,
I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP comes as a srcip in my log file. For example:
<group name="rbn,">
<rule id="110008" level="14">
<if_sid>100202,100203,100201</if_sid>
<srcip>108.60.159.33</srcip>
<description>Connection from RBN
Hi Chris,
You mention logstash and Splunk, but have you looked at ELSA?
http://code.google.com/p/enterprise-log-search-and-archive/
Regards,
Doug
On Sun, Apr 1, 2012 at 8:45 PM, Decker Christopher ch...@chris-decker.com wrote:
All,
I'm running MySQL + Apache/PHP on a very beefy box but using
Hi all,
I need a rule for Apache to check if a bad user agent like Nikto, Zeus,
WebReaper etc. is crawling a webserver. Additionally I need a file where all
my forbidden user agents are listed. My first thought was to use the list
tag in a rule like this:
<rule id="109005" level="14">
Can you take a look at the file
src/analysisd/compiled_rules/compiled_rules.h to see if your new
function
is there?
Also, did you re-run make and copy the new analysisd binary to /var/ossec/bin?
*Btw, your current function is actually slower than using the match
from OSSEC. It is doing a
hi,
Thanks for the quick answer.
This is the content of my compiled_rules.h:
/* This file is auto generated by ./register_rule.sh. Do not touch it. */
/* Adding the function definitions. */
void *check_id_size(Eventinfo *lf);
void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf);
void
On Mon, Apr 2, 2012 at 9:56 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP comes as a srcip in my log file. For example:
<group name="rbn,">
<rule id="110008" level="14">
/var/ossec/bin/logtest -t
Try troubleshooting the issue.
On Apr 2, 2012 6:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP comes as a srcip in my log file. For example:
<group name="rbn,">
So here is my plan for a global cloud arch (systems very volatile):
- Local install
- Alert via syslog to central server on a dedicated facility
- Local syslog goes to central server
- Central console (Graylog2?) parsing all syslog for custom correlation
Should scale to tens of thousands. We'll see.
Hi: I just ran into this issue over the weekend - did you find a solution?
On 2/14/12 9:54 AM, Swartz, Patrick H patrick.swa...@firstdata.com wrote:
Hi Dan,
Yes we use the -D option. I have reason to believe that we are hitting a
hard-coded limit of 4000 in the addagent/validate.c file. Our
Hi, modifying the src/addagent/validate.c file --
    {
        /* Start searching for a free agent id at 1024 */
        i = 1024;
        snprintf(nid, 6, "%d", i);
        while(IDExist(nid))
        {
            i++;
            snprintf(nid, 6, "%d", i);
            /* Give up once the id space is exhausted */
            if(i >= 9000)
            {
                return(NULL);
            }
        }