Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-18 Thread dan (ddp)
On Wed, May 18, 2016 at 2:33 PM, Patrick Müller wrote: > Hi guys. > > > My configuration is Freebsd-10.2 with ossec-hids-local-2.8.3 installed via > ports. > > > I have this custom configuration for an active response which blocks web > attacks. > > > > > ipfw-www > >

[ossec-list] Apache Rules don't Trigger Active Response

2016-05-18 Thread Patrick Müller
Hi guys. My configuration is Freebsd-10.2 with ossec-hids-local-2.8.3 installed via ports. I have this custom configuration for an active response which blocks web attacks. ipfw-www local 43200 30202,31151 This is my test with logtest: Phase 1: Completed

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Rob B
Nice! Thanks Pedro! I've got it now. Cheers. On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote: > > Hi Rob, > > *extra_data* is another allowed field used by OSSEC decoders to extract > information from the event; once it is extracted you can match the field > content in order

Re: [ossec-list] Ossec rules matching order and other

2016-05-18 Thread Jesus Linares
Hi Issam, regarding the rule order, OSSEC checks a rule and its children recursively. Try to launch *ossec-logtest* with the argument *-v*: log: '2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP:

Re: [ossec-list] Ossec rules matching order and other

2016-05-18 Thread dan (ddp)
On Wed, May 18, 2016 at 10:47 AM, Issam Aouad Tabet wrote: > Hey everyone, > > I am wondering if anyone can help me with these two questions: > > 1. I am using ossec-logtest to test my rules in order to match > some Windows logs. Does anyone know in which order

[ossec-list] Ossec rules matching order and other

2016-05-18 Thread Issam Aouad Tabet
Hey everyone, I am wondering if anyone can help me with these two questions: 1. I am using ossec-logtest to test my rules in order to match some Windows logs. Does anyone know in which order the rules are tested? It seems it is not ID number order. 2. Here is the default predefined

Re: [ossec-list] Re: Duplicated counter

2016-05-18 Thread Pedro S
Hi, your configuration is working properly on my environment; what Windows version are you running? An EventChannel Bookmark identifies an event in a channel or log file; bookmarks are created by OSSEC in order

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Pedro S
Hi Rob, *extra_data* is another allowed field used by OSSEC decoders to extract information from the event; once it is extracted you can match the field content in order to create a rule. The content of extra_data depends on the decoder which extracted it; in Windows decoders