[ossec-list] To block based on user

2012-08-22 Thread Michael Clark
I've been using OSSEC for a while, but only with the default rules. I've experimented, but just not understanding how to make a custom rule kick in when a loser tries guessing passwords to a non-existent user. Basically, if someone uses dovecot and tries a password for the user root (or admin,

Re: [ossec-list] To block based on user

2012-08-22 Thread dan (ddp)
On Wed, Aug 22, 2012 at 6:18 AM, Michael Clark 6f0e8bfb03a6030e6bc5d69cc24da080.ossec-l...@planetmike.com wrote: I've been using OSSEC for a while, but only with the default rules. I've experimented, but just not understanding how to make a custom rule kick in when a loser tries guessing

Re: [ossec-list] clearing ossec db

2012-08-22 Thread dan (ddp)
On Tue, Aug 21, 2012 at 3:46 PM, Gil Vidals gvid...@gmail.com wrote: Dan, We have active response set to 1 hr, 1 day, 1 week, so assuming the IP is being blocked for one week and the iptables is reset in the middle of the week by the sysadmin, then the IP we thought was being blocked is

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-22 Thread dan (ddp)
On Tue, Aug 21, 2012 at 2:13 PM, Shaka Lewis shaka.le...@gmail.com wrote: The ossec processes running at this point are execd, logcollector, and monitord. AnalysisD crashed and here is the output: Program received signal SIGSEGV, Segmentation fault. [Switching to process 26814]

Re: [ossec-list] Re: ossec-analysisd core dumps on Solaris 10

2012-08-22 Thread dan (ddp)
On Fri, Aug 17, 2012 at 7:56 PM, Jim jim.w.matth...@gmail.com wrote: Dan, Here is the backtrace from GDB, but I am not sure that tells much more than mdb had? It's a tool I'm more familiar with. I don't get much of an opportunity to use niche systems these days. I'd consider tossing the

[ossec-list] Re: To block based on user

2012-08-22 Thread dkoleary
Hey; While not a direct answer, I think I have the direction in which you want to go. I've been reading the online manual (http://www.ossec.net/doc/) which has a section on cdb list lookups from within rules (http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html). Cdb is 'constant
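One way to turn dkoleary's cdb-list suggestion into a working answer to the original question (fire, and block the source, when dovecot reports a failed login for an account such as root or admin that must never log in by mail). This is an added example, not code from the thread or from the OSSEC project. Assumptions, also marked in the comments: the stock dovecot decoder fills the user and srcip fields for the failed-login line, that line contains the text "auth failed", and the rule id 100200, the list path lists/forbidden-users and the 600 second timeout are placeholders.

```xml
<!-- /var/ossec/etc/lists/forbidden-users  (plain text, one key:value per line;
     the key is the account name dovecot reports, the value is free text).
     Compile it into lists/forbidden-users.cdb with:  /var/ossec/bin/ossec-makelists
root:never allowed to log in by IMAP/POP3
admin:never allowed to log in by IMAP/POP3
-->

<!-- ossec.conf: register the list so ossec-analysisd loads it, and drop the
     source address for 600 seconds (placeholder timeout) when rule 100200 fires.
     firewall-drop is a stock OSSEC active-response command that expects srcip. -->
<ossec_config>
  <rules>
    <list>lists/forbidden-users</list>
  </rules>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100200</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- local_rules.xml: the rule itself (id 100200 is a placeholder in the
     100000-119999 range reserved for local rules). -->
<group name="local,dovecot,">
  <rule id="100200" level="10">
    <decoded_as>dovecot</decoded_as>
    <!-- assumption: the dovecot failed-login line contains "auth failed" and the
         stock dovecot decoder extracts user=<...> and rip=... into user and srcip -->
    <match>auth failed</match>
    <!-- match_key: alert when the decoded user is a key in the cdb list -->
    <list field="user" lookup="match_key">lists/forbidden-users</list>
    <description>Dovecot login attempt as an account that must never log in by mail.</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

Before restarting, paste a real dovecot failure line into /var/ossec/bin/ossec-logtest and confirm it decodes with the user and srcip fields and hits rule 100200; if the user field is empty the list lookup can never match and the rule silently does nothing. Because firewall-drop keys on srcip, add your own management addresses to the white_list in the global section of ossec.conf so a typo in your own mail client cannot lock you out.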

Re: [ossec-list] Re: To block based on user

2012-08-22 Thread dan (ddp)
On Wed, Aug 22, 2012 at 9:29 AM, dkoleary dkole...@olearycomputers.com wrote: Hey; While not a direct answer, I think I have the direction in which you want to go. I've been reading the online manual (http://www.ossec.net/doc/) which has a section on cdb list lookups from within rules

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-22 Thread Shaka Lewis
here is all I have from the latest debug: 2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Going into check_rc_dev 2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Starting on check_rc_dev 2012/08/21 17:43:36 ossec-rootcheck: DEBUG: Going into check_rc_sys 2012/08/21 17:43:36 ossec-rootcheck: DEBUG:

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-22 Thread dan (ddp)
Since you don't seem too interested in fixing this, good luck. On Wed, Aug 22, 2012 at 10:19 AM, Shaka Lewis shaka.le...@gmail.com wrote: here is all I have from the latest debug: 2012/08/21 17:43:35 ossec-rootcheck: DEBUG: Going into check_rc_dev 2012/08/21 17:43:35 ossec-rootcheck: DEBUG:

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-22 Thread Shaka Lewis
Not sure what you mean, I have run all the debug commands you requested. On Wed, Aug 22, 2012 at 10:33 AM, dan (ddp) ddp...@gmail.com wrote: Since you don't seem too interested in fixing this, good luck. On Wed, Aug 22, 2012 at 10:19 AM, Shaka Lewis shaka.le...@gmail.com wrote: here is all I

[ossec-list] Matching a port range

2012-08-22 Thread Doc
Drawing a blank here and not finding it in documentation...can we match a port range in a local rule? I'm looking to exclude messages where the destination port is dynamic within a specific range. Thanks, Doc

[ossec-list] Client.keys Permission error

2012-08-22 Thread OSSEC junkie
I am getting permission errors on client.keys: 2012/08/22 08:44:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '3500'. 2012/08/22 08:44:38 ossec-remoted(1410): INFO: Reading authentication keys file. 2012/08/22 08:44:38 ossec-remoted(1103): ERROR: Unable to open file

Re: [ossec-list] Client.keys Permission error

2012-08-22 Thread Daniel Cid
Yes, the ossecr user (or ossec group) needs permission to read it. thanks, On Wed, Aug 22, 2012 at 1:00 PM, OSSEC junkie ossec.jun...@gmail.com wrote: I am getting permission errors on client.keys: 2012/08/22 08:44:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '3500'.

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-22 Thread dan (ddp)
On Wed, Aug 22, 2012 at 11:18 AM, Shaka Lewis shaka.le...@gmail.com wrote: Not sure what you mean, I have run all the debug commands you requested. I'm sorry, gmail isn't showing the gdb info. Or the answer to Did you make any changes before restarting? What log messages are there before the

Re: [ossec-list] Matching a port range

2012-08-22 Thread dan (ddp)
On Wed, Aug 22, 2012 at 11:56 AM, Doc teetime2...@gmail.com wrote: Drawing a blank here and not finding it in documentation...can we match a port range in a local rule? I'm looking to exclude messages where the destination port is dynamic within a specific range. Thanks, Doc Nope.

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-22 Thread dan (ddp)
On Wed, Aug 22, 2012 at 3:05 PM, Shaka Lewis shaka.le...@gmail.com wrote: And what OSSEC processes are running at this point? Did you run analysisd in gdb? Did it crash? Is there a backtrace? I'll throw in some more questions, because I need some more to not be answered. Is this a server or a

[ossec-list] Can this be achieved by rules?

2012-08-22 Thread Kevin Huang
Hi, I am new to ossec, I would like to write a rule that will check for an occurrences when a rule is fired and if it is fired at a certain rate, do something. A scenario, I would like to write a rule that monitors all alerts and if I found more than 5 identical alerts from the same machine,
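The "more than 5 identical alerts from the same machine" case is what OSSEC's composite rules (the frequency and timeframe attributes together with if_matched_sid) are for. The block below is an added example, not code from the thread or from the OSSEC project; the rule ids 100300 and 100301, the match text, the window of 120 seconds and the count are placeholders.

```xml
<!-- local_rules.xml (added example). -->
<group name="local,">
  <!-- Base rule: the single event you want to count. In practice this is
       usually an existing stock rule, in which case you drop this rule and put
       the stock id in if_matched_sid below. Placeholder match text. -->
  <rule id="100300" level="5">
    <match>authentication failure</match>
    <description>Placeholder: one event worth counting.</description>
  </rule>

  <!-- Composite rule: fires once rule 100300 has matched 6 times (i.e. more than
       5) within 120 seconds, all from the same decoded source IP. -->
  <rule id="100301" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100300</if_matched_sid>
    <same_source_ip />
    <description>More than 5 placeholder events from one source within 2 minutes.</description>
  </rule>
</group>
```

same_source_ip only works when the events actually decode a srcip; the rule syntax also offers same_user and same_location if the grouping key should be the account or the reporting agent instead, and if_matched_group instead of if_matched_sid when "identical" means any rule in a group rather than one id. The "do something" part is an active-response block in ossec.conf whose rules_id is 100301. Check the count you get empirically on a test box before relying on the number, and keep the base rule at a level above 0 so its matches are recorded for the composite rule.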

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Joe Gedeon
You need to build a binary install. http://www.ossec.net/doc/manual/installation/installation-binary.html On Wed, Aug 22, 2012 at 4:42 PM, Christopher Werby cwe...@pipsqueak.com wrote: Hi I'm trying to set OSSEC up as local on a VPS hosted by Dreamhost (running the Debian 6.0, Linux kernel

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Christopher Werby
Hi Joe, If I understand properly, I need an identical platform to create the binary. There aren't premade binaries available for me to use. The platform where I got stuck was a brand new just out of the box VPS. I don't have another. And even if I made another, it would presumably stick at

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread dan (ddp)
On Aug 22, 2012 4:46 PM, Christopher Werby cwe...@pipsqueak.com wrote: Hi I'm trying to set OSSEC up as local on a VPS hosted by Dreamhost (running the Debian 6.0, Linux kernel release 3.1.9-vs2.3.2.5). I've done this twice before using older versions of OSSEC without difficulty. When

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Christopher Werby
Hi Dan, Here's the output. Does it help? root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x register_rule.sh + CHF=compiled_rules.h + ls -la register_rule.sh + '[' '!' 0 = 0 ']' + '[' x = x -o x = xhelp -o x = x-h ']' + echo 'register_rule.sh add function_name'

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Ryan Schulze
Can you do that again, but this time as /bin/sh -x register_rule.sh build ? On 8/22/2012 7:10 PM, Christopher Werby wrote: root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x register_rule.sh

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-22 Thread Christopher Werby
Hi Ryan, Sure! root@XXX:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x register_rule.sh build + CHF=compiled_rules.h + ls -la register_rule.sh + '[' '!' 0 = 0 ']' + '[' xbuild = x -o xbuild = xhelp -o xbuild = x-h ']' + '[' xbuild = xlist ']' + '[' xbuild = xsave ']' +