[ossec-list] Re: Windows Defender Decoder ?

2016-05-20 Thread Brent Morris
Hi Jesus, Yeah, I think I submitted a pull request into OSSEC some time back on this... If memory serves, the other IDs are because I used the existing MS ID schema for OSSEC. The odd IDs are just because these live in my local_rules.xml in production. Sadly, I haven't had the time to

Re: [ossec-list] OSSEC-abnormal-behavior-active-response

2016-05-20 Thread Antonio Querubin
How are you configuring those whitelisted subnets in the config - as a series of individual addresses? Sent from my iPad > On May 19, 2016, at 06:42, James Siegel wrote: > > I have a set of subnets that are whitelisted. > The server and agents were installed quite

[ossec-list] Re: white list specific ip on active response

2016-05-20 Thread theresa mic-snare
James, please check the active-responses.log on the respective agent/device. And you might want to consider upgrading to a new version, because maybe there was indeed a bug in active response that has been addressed and fixed with a more recent version. Current Stable Version is 2.8.3 but if

[ossec-list] Re: OSSEC-abnormal-behavior-active-response

2016-05-20 Thread theresa mic-snare
Have you checked the active responses log on the respective agent/device? /var/ossec/logs/active-responses.log or on Windows systems C:\Program Files (x86)\ossec-agent\active-response\active-responses.log On Thursday, May 19, 2016 at 18:42:04 UTC+2, James Siegel wrote: > > I have a set of

[ossec-list] Re: reindexing logs

2016-05-20 Thread Jesus Linares
Hi Maxim, what was the problem with logstash? How is your configuration? A typical configuration is Manager + Logstash forwarder and another machine with ELK. So you should debug whether each part is receiving the logs. Quick debug guide: Logstash forwarder: -

Re: [ossec-list] Re: Repeated offenders?

2016-05-20 Thread Xavier Mertens
Hi Jesus, It worked much better! Kicking out offenders more and more now :-) My Google-fu was also better yesterday and I found this blog post: https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html /x On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens