Re: [ossec-list] OSSEC windows agent on non-English Windows

2017-06-07 Thread dan (ddp)
Thanks, I missed that! On Mon, Jun 5, 2017 at 8:00 AM, wrote: > Hi, > Thanks for adding my suggestion, but: > > On page: The Administrators group may not be present on non-English copies > of #1137 is: > - system("echo y|cacls * /T /G Administrators:f "); > + system("echo

[ossec-list] Updates rules and signatures

2017-06-07 Thread Alexis Lessard
Hi! What is the cleanest and easiest way to update rules and signatures of attacks and threats in ossec? I'm looking maybe for a command I could use to automate it. When I execute bin/manage_agents -V (to obtain version), I get this: OSSEC HIDS v2.8.3 - Trend Micro Inc. According to the

Re: [ossec-list] Active Response location question

2017-06-07 Thread sandaway
Thanks, it worked! On Wednesday, June 7, 2017 at 3:39:34 PM UTC-4, dan (ddpbsd) wrote: > > > > On Jun 7, 2017 2:09 PM, "sandaway" > wrote: > > I really need some help. It looks like my OSSEC setup, a server and two > clients, could not run active response properly. From > the

Re: [ossec-list] Active Response location question

2017-06-07 Thread dan (ddp)
On Jun 7, 2017 2:09 PM, "sandaway" wrote: I really need some help. It looks like my OSSEC setup, a server and two clients, could not run active response properly. From the active-responses.log, the firewall-drop.sh command runs either on server or clients, depending on the I

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread John Kondur
Thanks, that helped a lot and definitely sped it up. We went from several hours to 4 minutes now. This includes our entire webapp. Is there a way to speed up rootcheck? That is the longest part of the scan, which takes 15 minutes now, so the whole process takes approx 20 minutes now. But I

[ossec-list] Active Response location question

2017-06-07 Thread sandaway
I really need some help. It looks like my OSSEC setup, a server and two clients, could not run active response properly. From the active-responses.log, the firewall-drop.sh command runs either on server or clients, depending on the I set as in the following example. firewall-drop

[ossec-list] Host status = Disconnected

2017-06-07 Thread prakash ranjan
Hi, After running "/var/ossec/bin/agent_control -l " there are several servers/agents whose status is showing as "Disconnected". Process I have followed to fix this:- /var/ossec/bin/agent_control -l | grep Disconnected output:- ID: 1042, Name: rungps-nightly.networkfleet.com, IP: any,

Re: [ossec-list] Disconnect issue

2017-06-07 Thread prakash ranjan
Hi Fernando, Thanks for looking into the solution. I guess you mean to say to delete files inside ./ossec/queue/ride in the agent and the corresponding ones from the server. If this is the case, then it didn't work in my case. The solution provided by Jose is able to deal with my problem. Regards Prakash On

Re: [ossec-list] Disconnect issue

2017-06-07 Thread prakash ranjan
Hi Jose, Thanks for sharing the solution. This is working. I haven't seen this issue since the time I implemented it. I'll keep you posted if I come across any issue. Regards Prakash On Tuesday, June 6, 2017 at 3:31:25 PM UTC-7, jose wrote: > > Hi Prakash > > Try set to 0 (now you should have

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread Jesus Linares
Hi John, there is a way to speed up syscheck. By default *syscheck sleeps 2 seconds every 15 files*. This avoids packet loss due to UDP. You can overwrite this configuration in *local_internal_options.conf*: $ nano /var/ossec/etc/local_internal_options.conf syscheck.sleep=1

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread Jose Luis Ruiz
Hi John, You cannot speed up syscheck, but you can always add the option *realtime* for your more important folders; with this option you will have the alerts in "real time" :) https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime Regards

[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread John Kondur
Thanks, I did find it and that did help. I had two more questions, not sure if I should start another thread: I had frequency set on the agents to: 7200. I looked in the ossec.log and it never kicked off, and it has been 15 hours since the last scan finished. I restarted the agent and it kicked off

Re: [ossec-list] Problem with dovecot decoder

2017-06-07 Thread nnonka
Hi, I am using ossec 2.8.3, but in 2.9.0 the dovecot-aborted decoder was fixed, thanks. Regards

Re: [ossec-list] Disconnect issue

2017-06-07 Thread Fernando Morata
Hi, This disables the RIDS counter. I think that a better option is to remove the RID counter in the server and the agent. On Wednesday, June 7, 2017, 0:31:25 (UTC+2), jose wrote: > > Hi Prakash > > Try set to 0 (now you should have 1) the option *remoted.verify_msg_id* > in

Re: [ossec-list] Problem with dovecot decoder

2017-06-07 Thread Jesus Linares
Hi, what fields do you need? Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): *user*=, method=PLAIN, *rip*=1.2.3.4, *lip*=1.2.3.4, session= **Phase 1: Completed pre-decoding. full event: 'Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login