Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-17 Thread weisst
On Saturday, April 15, 2017 at 3:18:42 AM UTC+8, dan (ddpbsd) wrote: > > On Thu, Apr 13, 2017 at 9:24 PM, weisst > wrote: > > windows 2012 r2 error > > 问题签名: > > 问题事件名称:APPCRASH > > 应用程序名:win32ui.exe > > 应用程序版本:0.0.0.0 > > 应用程序时间戳:58ef28a9 > > 故障模块名称:

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Rob Williams
Hi Jesus, the first rule is what I am trying. You said I can match the file in, but can I do that when the file changes, as it is not one file I want to ignore? Can I use regex syntax in rules? I used it in decoders as I thought I wasn't able to. Thanks! 510 Ignore rule 510 for 600

[ossec-list] Alert suppression sha1sum

2017-04-17 Thread Kumar G
Hi Team, in our OSSEC environment we are getting lots of sha1sum alerts (even though it's not configured) that are irrelevant to us. Is there any way to suppress these alerts? ** Alert 1491577582.15621: mail - ossec,syscheck, 2017 Apr 07 10:06:22 inssys01->syscheck Rule: 550 (level 7) ->

Re: [ossec-list] Re: OSSEC Agent not works

2017-04-17 Thread Руслан Аминджанов
I am reinstalling the system right now, but it looks like this was the issue. Thank you very much! On Monday, April 17, 2017 at 7:01:29 AM UTC+5:45, Victor Fernandez wrote: > > Hi, > > do you have more than one network interface on your manager? I see your > tcpdump log is a bit unusual: >

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-17 Thread Jesus Linares
What rule did you use? Please share here the rule and the alerts that you want to ignore. I'd need the ID from the decoder to do so. There are no XML decoders for rootcheck. What you want to extract in the id field is the file, right? You can do a *match* in the rule for the file. Regards.

Re: [ossec-list] How soon does an agent disconnect appear

2017-04-17 Thread Jesus Linares
Check out *notify_time* and *time-reconnect*: http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.client.html#ossec-conf-client-options On Friday, April 14, 2017 at 12:08:02 AM UTC+2, dan (ddpbsd) wrote: > > On Wed, Apr 12, 2017 at 4:01 PM, Nikki S >

Re: [ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-17 Thread Jesus Linares
Hi Rob, I'm not sure, but you can increase the level to 1 and: set the attribute noalert: or use the option no_log:

Re: [ossec-list] Re: OSSEC Agent not works

2017-04-17 Thread Victor Fernandez
Hi, do you have more than one network interface on your manager? I see your tcpdump log is a bit unusual: 00:58:11.619862 IP 10.2.2.3.43453 > *10.2.2.12*.fujitsu-dtcns: UDP, length 73 00:58:11.620415 IP *10.2.2.13*.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 It seems that the manager is