Re: [ossec-list] OSSEC WUI
Check the file permissions, and also your apache error.log

On Fri, May 4, 2012 at 2:50 AM, Solayris solay...@gmail.com wrote:
> Hello,
>
> I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location.
>
> When I try to access index.php from a web browser the 403 Forbidden error comes up:
>
> You don't have permission to access /index.php on this server.
>
> Is there more information on this WUI available other than the README file?
>
> Thank you,
> Solayris

--
MVH/With regards
Frank
--
Name: Frank Stefan Sundberg Solli
E-mail: frankste...@gmail.com
Web: http://0x41.me
GPG: 684119F4
[ossec-list] Re: Sample about generating a weekly report
On Mon, Apr 30, 2012 at 1:06 PM, carlopmart carlopm...@gmail.com wrote:
> Hi all,
>
> Does somebody have a sample script to generate a weekly report?
>
> Thanks.

Please, any sample to launch a weekly report from cron??
[ossec-list] Re: OSSEC WUI
Try to set chcon (SELinux Context) for your wui installation. For example:

# cd /var/www
# restorecon *

and try again. Other way, check your configuration (Allow from localhost, deny from all? :))

On Friday, 4 May 2012 02:50:33 UTC+2, Solayris wrote:
> Hello,
>
> I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location.
>
> When I try to access index.php from a web browser the 403 Forbidden error comes up:
>
> You don't have permission to access /index.php on this server.
>
> Is there more information on this WUI available other than the README file?
>
> Thank you,
> Solayris
Re: [ossec-list] OSSEC WUI
I believe the assumption is that the user who wants the ossec-wui will be able to set file permissions correctly and read their web server error log.

What did you see when you looked at the server error log?
What permissions did you set on that directory and the files therein?

On 3 May 2012, at 19:50, Solayris wrote:
> Hello,
>
> I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location.
>
> When I try to access index.php from a web browser the 403 Forbidden error comes up:
>
> You don't have permission to access /index.php on this server.
>
> Is there more information on this WUI available other than the README file?
>
> Thank you,
> Solayris
Re: [ossec-list] Re: Sample about generating a weekly report
On Fri, May 4, 2012 at 3:04 AM, C. L. Martinez carlopm...@gmail.com wrote:
> On Mon, Apr 30, 2012 at 1:06 PM, carlopmart carlopm...@gmail.com wrote:
>> Hi all,
>>
>> Does somebody have a sample script to generate a weekly report?
>>
>> Thanks.
>
> Please, any sample to launch a weekly report from cron??

This seems like it belongs on a scripting for newbies list. Completely untested and intentionally incomplete:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/var/ossec/bin:.
# Prefer GNU date; on BSD-like systems it is usually installed as gdate.
date >/dev/null 2>&1 && DATE=date
gdate >/dev/null 2>&1 && DATE=gdate
TEMPFILE=$(mktemp -p /var/tmp tmplog.XXXXXX) || exit 1
MAILFILE=$(mktemp -p /var/tmp tmpmail.XXXXXX) || exit 1
# Collect the rotated alert logs of the previous seven days; year, month and
# day all come from the same shifted date so month boundaries are handled.
for i in 7 6 5 4 3 2 1; do
    DAY="$i day ago"
    zcat /var/ossec/logs/alerts/$($DATE --date="$DAY" +%Y)/$($DATE --date="$DAY" +%b)/ossec-alerts-$($DATE --date="$DAY" +%d).log.gz >> $TEMPFILE
done
cat $TEMPFILE | /var/ossec/bin/ossec-reportd -OPTIONS > $MAILFILE || exit 1
mail -s "Weekly report" USER@STUFF < $MAILFILE
Re: [ossec-list] Comma in registry hive names
On Thu, May 3, 2012 at 3:50 PM, Michael Kleinpaste michael.kleinpa...@sharperlending.com wrote:
> Gave that a try and no dice. \\ and // didn't have an effect. Grrr.

Did you try a single backslash? I have no idea if it'll work, I don't know if I've ever seen a comma in a registry entry.

> On Tuesday, May 1, 2012 4:22:47 PM UTC-7, Scott VR wrote:
>> I'd try escaping the comma with a backslash. (or perhaps a double backslash?)
>>
>> --
>> ScottVR
>>
>> On May 1, 2012, at 5:45 PM, Michael mkleinpa...@gmail.com wrote:
>>> So, I'm getting OSSEC running for the company I work for. So far so good up to the point of monitoring the registry. All the basic ones are fine, but we have some entries where our developers are using commas in the registry entry names. Basically the registry entry looks like this:
>>>
>>> HKEY_LOCAL_MACHINE\Software\Our Software, Inc\product
>>> HKEY_LOCAL_MACHINE\Software\Wow6432Node\Our Software, Inc\product
>>>
>>> What I would expect to see is this:
>>>
>>> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Ours Software, Inc\product'.
>>> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Ours Software, Inc\product'.
>>>
>>> The problem is, when I add that hive to the ossec.conf the logs show this:
>>>
>>> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Ours Software'.
>>> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry: 'Inc \product'.
>>> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Ours Software'.
>>>
>>> Notice the 2nd Inc\product' is missing too. I tried quotes around the whole hive, which results in this (again with the 2nd Inc... missing):
>>>
>>> 2012/05/01 15:24:12 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Our Software'.
>>> 2012/05/01 15:24:12 ossec-agent: INFO: Monitoring registry entry: 'Inc \Product'.
>>> 2012/05/01 15:24:12 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Our Software'.
>>>
>>> Any ideas on how to get OSSEC to view these completely?
Re: [ossec-list] Re: Ossec 2.6 Compile errors on Mac Os 10.7.3
Yes, you need an MTA to send mail. It doesn't have to be on your OSSEC server, but ossec-maild doesn't support auth, so it's often easier.

On Wed, May 2, 2012 at 6:08 PM, Gappa gapp...@gmail.com wrote:
> anyone?
Re: [ossec-list] OSSEC WUI
Sounds like a permissions issue. chown the directory for your webserver user. Not sure what it is on CentOS - apache or www-data

On May 3, 2012 10:49 PM, Solayris solay...@gmail.com wrote:
> Hello,
>
> I have Apache 2.2 with PHP and ossec-wui installed on a CentOS system. ossec-wui is in the /var/www/htdocs/ directory. The DocumentRoot is set to /var/www/htdocs and a link is created for index.php in this location.
>
> When I try to access index.php from a web browser the 403 Forbidden error comes up:
>
> You don't have permission to access /index.php on this server.
>
> Is there more information on this WUI available other than the README file?
>
> Thank you,
> Solayris
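The replies in this WUI thread all point at the same diagnosis for a 403: the web server's unprivileged user cannot traverse the directory or read the file. The script below is an added example, not code from the thread or from the ossec-wui project: it walks every directory component of a path and reports the first one that is not searchable by "other" users, then checks that the file itself is world-readable (the web server user is in the "other" class unless the files are owned by or grouped with it, as the chown suggestion above would arrange). The SELinux context check suggested in the thread (restorecon) is a separate, second step that this script does not cover. The use of ls -ldL to read the mode bits (so that a symlinked index.php is checked through the link) is the author's own choice here.

```shell
#!/bin/sh
# Added example (not from the thread): find the path component that makes
# Apache's unprivileged user fail with "403 Forbidden".

# other_bits PATH -> the three "other" permission characters, e.g. "r-x".
# -L follows symlinks so a linked index.php is judged by its target.
other_bits() {
    ls -ldL "$1" 2>/dev/null | cut -c8-10
}

# check_web_path PATH
# Returns 0 when every directory above PATH grants search (x, or t for a
# sticky world-searchable dir such as /tmp) to others and PATH is o+r.
# Prints the first offending component and returns 1 otherwise.
check_web_path() {
    target=$1
    dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        case $(other_bits "$dir") in
            ??[xt]) ;;
            *) echo "directory not searchable by others: $dir"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    case $(other_bits "$target") in
        r??) return 0 ;;
        *) echo "file not readable by others: $target"; return 1 ;;
    esac
}

# Stand-alone use: ./check_web_path.sh /var/www/htdocs/index.php
if [ $# -gt 0 ]; then
    check_web_path "$1"
fi
```

Run it against the DocumentRoot path that Apache reports in error.log; when it prints nothing and exits 0, the remaining suspects are the SELinux context and the Allow/Deny directives mentioned in the thread.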
Re: [ossec-list] Re: Sample about generating a weekly report
On Fri, May 4, 2012 at 2:35 PM, dan (ddp) ddp...@gmail.com wrote:
> On Fri, May 4, 2012 at 3:04 AM, C. L. Martinez carlopm...@gmail.com wrote:
>> On Mon, Apr 30, 2012 at 1:06 PM, carlopmart carlopm...@gmail.com wrote:
>>> Hi all,
>>>
>>> Does somebody have a sample script to generate a weekly report?
>>>
>>> Thanks.
>>
>> Please, any sample to launch a weekly report from cron??
>
> This seems like it belongs on a scripting for newbies list. Completely untested and intentionally incomplete:
>
> #!/bin/sh
> PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/var/ossec/bin:.
> date >/dev/null 2>&1 && DATE=date
> gdate >/dev/null 2>&1 && DATE=gdate
> TEMPFILE=$(mktemp -p /var/tmp tmplog.XXXXXX) || exit 1
> MAILFILE=$(mktemp -p /var/tmp tmpmail.XXXXXX) || exit 1
> for i in 7 6 5 4 3 2 1; do
>     DAY="$i day ago"
>     zcat /var/ossec/logs/alerts/$($DATE --date="$DAY" +%Y)/$($DATE --date="$DAY" +%b)/ossec-alerts-$($DATE --date="$DAY" +%d).log.gz >> $TEMPFILE
> done
> cat $TEMPFILE | /var/ossec/bin/ossec-reportd -OPTIONS > $MAILFILE || exit 1
> mail -s "Weekly report" USER@STUFF < $MAILFILE

Thanks dan.
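The one trap in a script like the one dan sketched in this thread (both messages above) is deriving the year and month from today while the day comes from "N days ago": on the first days of a month that points at files that do not exist. The script below is an added example, not dan's script and not part of OSSEC: it computes the whole path of each rotated alert log from one shifted date, so month and year boundaries are handled, and keeps the path logic in functions that can be checked without a running OSSEC. It assumes GNU date (the -d option) and the default OSSEC layout /var/ossec/logs/alerts/YYYY/Mon/ossec-alerts-DD.log.gz; ossec-reportd is driven the way the thread does it, reading alerts on stdin, with stderr merged into the mail so nothing the report daemon prints is lost.

```shell
#!/bin/sh
# Added example (not the thread's script): weekly OSSEC alert report from cron.
# Assumptions: GNU date with -d, the default OSSEC alert-log layout, and a
# working local MTA for mail(1).

ALERT_ROOT=${ALERT_ROOT:-/var/ossec/logs/alerts}

# alert_log_path REF_DATE DAYS_AGO -> path of the rotated alert log for that
# day. Year, month and day all come from the same shifted date.
alert_log_path() {
    LC_ALL=C date -d "$1 $2 days ago" "+$ALERT_ROOT/%Y/%b/ossec-alerts-%d.log.gz"
}

# alert_logs_last_week REF_DATE -> the seven paths before REF_DATE, oldest first
alert_logs_last_week() {
    for i in 7 6 5 4 3 2 1; do
        alert_log_path "$1" "$i"
    done
}

# weekly_report REF_DATE RECIPIENT
# A missing day's file is reported on stderr but does not abort the report;
# a week with a rotated-away day is still worth mailing.
weekly_report() {
    tmp=$(mktemp) || return 1
    for f in $(alert_logs_last_week "$1"); do
        if [ -f "$f" ]; then
            zcat "$f" >> "$tmp"
        else
            echo "missing alert log: $f" >&2
        fi
    done
    /var/ossec/bin/ossec-reportd < "$tmp" 2>&1 | mail -s "OSSEC weekly report" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Cron entry for every Monday at 06:00 (adjust path and recipient):
#   0 6 * * 1 /usr/local/sbin/ossec-weekly-report.sh --run soc@example.invalid
if [ "${1:-}" = "--run" ]; then
    weekly_report "$(date +%F)" "${2:?recipient required}"
fi
```

The path functions are the part worth testing: a reference date of 2012-05-04 must yield April files for the older days of the week, and 2012-01-01 must reach back into December of the previous year.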
[ossec-list] Decoding CEF log formats
Hi all,

I am trying to write a new decoder to process CEF log formats, but I have a problem escaping '|'. For example:

<regex offset="after_prematch">^\d\|\d+\|</regex>

doesn't work ... How can I escape the '|' special character??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com