How is it you do this?
On Friday, 27 April 2012 14:49:09 UTC-4, dan (ddpbsd) wrote:
Use the real gcc instead of Apple's llvm/clang/whatever it is these days.
On Fri, Apr 27, 2012 at 2:18 PM, Gappa gap...@gmail.com wrote:
hi everyone,
I'm trying to install ossec on my
How were you able to recreate the user and group? I am having a new
installation on my personal machine to test run things and I am having the
same issue you did, except I haven't been able to have my agent run at all!
Can't imagine how the user/group were deleted. Any insight would be a great
wrote:
Well, you need to give correct permissions to apache as wui is running
under apache uid..
Eero
On 8.8.2015 at 8:27 PM, Daniel Twardowski noghri...@gmail.com wrote:
I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I
configured a few domain controllers
8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote:
Well, you need to give correct permissions to apache as wui is running
under apache uid..
Eero
On 8.8.2015 at 8:27 PM, Daniel Twardowski noghri...@gmail.com wrote:
I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I
configured
So basically what you're doing is looking for INFO logs and then matching
the log content and not the actual log ID? Interesting. My general rule
workflow is this:
If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then
create alert with LEVEL=y.
Types can be referenced in
Hey,
What are you trying to decode there? And how will you use this information?
If you will not use the decoded information anywhere, just write a
rule to ignore
or do what you need with this event...
Thanks,
--
Daniel B. Cid
On Mon, Feb 6, 2012 at 10:55 AM, kumaig goj...@gmail.com wrote
and
vice-versa.
In your case, you are better putting that rule as dependent (using
<if_matched_sid>30109</if_matched_sid>) then overwriting it.
Thanks,
--
Daniel B. Cid
daniel@gmail.com
On Thu, Feb 2, 2012 at 5:06 AM, Oliver Mueller ogmuel...@gmail.com wrote:
If I add the following rule to local_rules.xml
Hey,
You have to provide the event log name (like Application, System, etc) instead
of the full path. Try that and it should work.
Thanks,
--
Daniel B. Cid
On Tue, Jan 31, 2012 at 7:12 PM, mikeyintn mi...@charlietree.com wrote:
Having absolutely no luck reading any Windows 2008 R2 event logs
Yes, the srcip is not decoded there. Try to use:
<match>Source Network Address: (tab here)24.229.66.131</match>
Just make sure you add a tab or whatever is in the original format.
As Dan said, it is best to try with ossec-logtest...
Thanks,
--
Daniel B. Cid
On Tue, Feb 7, 2012 at 9:39 AM, Peter
Hi Hugo,
It should be very easy to modify the source code to exit 0 instead of
1. However, I just
checked and it only seems to return 1 on errors...
The code is at: src/os_auth/main-client.c
Thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Feb 7, 2012 at 10:47 AM, Hugo Deprez hugo.dep
Ah, I see the issue. Fixed in the repository:
https://bitbucket.org/dcid/ossec-hids/
thanks,
On Tue, Feb 7, 2012 at 12:13 PM, Hugo Deprez hugo.dep...@gmail.com wrote:
Hello,
yes, always returning 1, see the command I used to check:
Non-working command:
# /var/ossec/bin/agent-auth -m
It should be easier to filter based on the agent name. Just use:
<hostname>logger</hostname>
thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Mar 6, 2012 at 3:29 PM, Mike Wisniewski wiz...@gmail.com wrote:
Hi!
I just started using OSSEC and starting to tailor the rules. In my
alerts file, I
Hi Karl,
The keys are just simple text files inside client.keys. You just need
one of each file for each
agent, which you can mass deploy via AD... That would be the simplest approach.
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, Mar 14, 2012 at 6:38 PM, karl_h...@ohionational.com wrote
Hey,
Can you send this patch with -U (unified diff)? If there are other
patches for the UI, I will
add them, since it seems people still like to use it :)
Thanks,
On Thu, Mar 15, 2012 at 5:19 AM, k001 k001.opera...@gmail.com wrote:
Hi all,
This is my first contribution. I'm adding the patch
Can you send a diff of your modifications against the official
package? A diff -r
should work...
It seems that either SUBJECT_SIZE or MAIL_SUBJECT are incorrectly set there,
causing it to fail (probably by mistake when editing the files).
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, Mar 28
That's not something encryption is going to help you with.
Thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, Mar 22, 2012 at 6:16 PM, Michel Henrique Aquino Santos
michel@gmail.com wrote:
Hi,
an attacker can read the rules file and use any directory or file that is not
monitored to carry out
Not without code changes. You would have to modify the file
src/os_csyslogd/alert.c to
remove the log[0] from the final message.
Thanks,
--
Daniel B. Cid
http://dcid.me
On Fri, Mar 30, 2012 at 11:09 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have configured an ossec server
That's the issue :)
You changed the format of the printf, so now it is trying to insert
the values in the incorrect
memory segment. If you put the format back it should work...
thanks,
--
Daniel B. Cid
http://dcid.me
On Fri, Mar 30, 2012 at 11:07 AM, MDACC-Luckie luckief...@gmail.com wrote
+read+regex_compile on every single HTTP event and that can slow
things down. It is
better to pre-compile and keep in memory than having to do it every
time. Besides that, it
is a very good start :)
Thanks,
--
Daniel B. Cid
http://dcid.me
On Mon, Apr 2, 2012 at 7:36 AM, Stephane ewerlin
The web-ui looks inside /var/ossec/queue for information on agents, so
you have to
remove from there as well..
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, May 2, 2012 at 8:56 PM, dan (ddp) ddp...@gmail.com wrote:
Do the deleted agents show up in the ossec output (like the list_agents
(only if you
add that to syscheck).
thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, May 31, 2012 at 2:07 PM, Maahkus mark.v...@gmail.com wrote:
Is there a log file that displays what authenticated user or the date
and time a new agent was added? I need to track a newly added agent to
the user
Hi, I am installing an agent in Windows, i have 2 LAN's connected by 2
firewalls, in one LAN is the OSSEC server and in the other LAN is the
agent, what i want to know is which port the ossec agent uses to
connect to the server?
Thanks
Daniel Flores
Hi, I would like to be part of the group. I have some questions about
ossec manager installation on windows
a rule which allows traffic by port udp 1514 both
ways from server 192.168... to the ossec server 11.10.1.xxx. But still the
agent doesn't run.
I don't know what else to do.
best regards
Regards.
Daniel Flores
2012/6/14 dan (ddp) ddp...@gmail.com
On Thu, Jun 14, 2012 at 1:46 PM, Daniel Flores
Thank you so much ddp.
Daniel Flores
On 14 jun, 14:10, dan (ddp) ddp...@gmail.com wrote:
On Thu, Jun 14, 2012 at 3:01 PM, Daniel Flores
flores.herrera.dan...@gmail.com wrote:
Thanks ddp,
I opened the port but still can't connect them, I have my server in
Ubuntu server 12.04 LTS, it's
The site got migrated, so a few files will be missing until it is all in order.
thanks,
--
Daniel B. Cid
http://dcid.me
On Mon, Jul 2, 2012 at 9:47 AM, Peter M Abraham
peter.abra...@dynamicnet.net wrote:
Good day:
http://www.ossec.net/rootcheck/files/ uses to have the latest rootcheck
That should do it. Just move the new localtime to /var/ossec/etc and
restart ossec.
thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, Jul 5, 2012 at 3:42 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Due to a restructuring that I make in our infrastructure, I need to
modify the time
not have the times in sync...
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, Aug 15, 2012 at 3:51 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Aug 15, 2012 at 2:45 PM, Kat uncommon...@gmail.com wrote:
Is there a way to tell OSSEC to use the timestamp of the actual logfile
entry rather than
Yes, the ossecr user (or ossec group) needs permission to read it.
thanks,
On Wed, Aug 22, 2012 at 1:00 PM, OSSEC junkie ossec.jun...@gmail.com wrote:
I am getting permission errors on client.keys:
2012/08/22 08:44:38 ossec-remoted(4111): INFO: Maximum number of
agents allowed: '3500'.
The regex is case insensitive by default. So just
<regex>Ownership was</regex>
Should work.
thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Aug 28, 2012 at 3:01 PM, dkoleary dkole...@olearycomputers.com wrote:
Hey;
As mentioned in other posts, I'm trying to monitor the /etc directory
#
the first part is my ssh banner, and it logs in with the root user as I'm
expecting, but then it doesn't execute the commands and logs me off.
I don't know why with the ossec user it is not executing the next commands.
Can you help me please???
Daniel Flores
2012/10/24 dan (ddp) ddp...@gmail.com
On Wed, Oct 24, 2012 at 2:44 PM, Daniel Flores
flores.herrera.dan...@gmail.com wrote:
Hi, I am using agentless to monitor one server running Red Hat, but the
problem is that when ossec user executes the ssh_integrity_check_linux I
get
pertinentes.
==
Last login: Wed Oct 24 14:02:06 2012 from 11.10.1.114
[root@sgasrv7l ~]#
ERROR: Timeout while connecting to host: root@10.10.1.210 .
Daniel Flores
This decoder is a bit broken :/
It is actually matching for:
^Mon OR
^Tue OR
^Wed OR .. OR ..
^Sun \S\S\S\s+\d+..
We should probably just change it for:
<prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
Can you try to see if it fixes ?
thanks,
--
Daniel B. Cid
Hi,
I'm trying to customize the behavior of the rule 35051
(squid_rules.xml) in order to not have it fired if someone tries to access
facebook website.
This rule keeps annoying me, because the Facebook like button is
EVERYWHERE and my proxy server blocks it.
I wrote this piece of
Rule: 35051 fired (level 10) - Multiple attempts to access forbidden file or
directory from same source ip.
Portion of the log(s):
About the upgrade, I'm doing it right now.
On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena
req
the rule id as the storage key, so you would
need a different rule for each
one of those sites.
thanks,
--
Daniel B. Cid
http://dcid.me
On Fri, Dec 7, 2012 at 2:47 PM, Brenden Walker bren...@unruleable.org wrote:
On Fri, 7 Dec 2012 13:18:33 -0500 dan (ddp) ddp...@gmail.com wrote:
On Fri, Dec 7
,
--
Daniel B. Cid
http://dcid.me
On Thu, Feb 14, 2013 at 2:13 PM, Kat uncommon...@gmail.com wrote:
Well - it happened - I lost a server (hardware raid failure and corrupted
drives).
So here is the question - all the agents have keys, but I lost the other end
- is there ANY way to rebuild a server
Twitter changed their authentication method and doesn't allow what we were
doing with ossec-tweeter. It would have to be
re-written to support oauth.
thanks,
On Thu, Apr 4, 2013 at 9:50 AM, Jeroen van Doorenmalen
jeroen.van.doorenma...@gmail.com wrote:
Hello guys,
I'm having some kind of
I'm trying to set up ossec agents on windows server 03/08/12. Would anybody
have an example custom ossec.conf agent file they could share? I know that
newer windows servers do not have all the files that are originally listed
in the default ossec.conf, so I was wondering what others have
I know that they are not there, but I keep them in the config for older
servers that will still have those files/paths. The errors are not my
problem, I'm just looking for what other people's ossec.conf on their agent
look like. I'm trying to get a perspective on other files that they may be
Hi Oscar,
That's a great way to work around this issue and should work fine.
Another suggestion
would be to enable alerting only for the levels 10 and above and
configure a cron script
to run daily sending the others...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Feb 12, 2010 at 8
Hi Peter,
Can you paste some of the alerts you got, just to give us some
context? Your rule seems fine and it should
have worked by ignoring the rule for 900 seconds (unless we have a bug).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Jan 30, 2010 at 12:56 PM, Peter M. Abraham
addresses
for the manager:
<server-ip>10.1.1.1</server-ip>
<server-ip>external-ip</server-ip>
So that it will work when inside or outside the network. Also, I
generally set the IP of the client
itself as any.
hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Feb 11, 2010 at 8:40 AM, oscar
again. If the manager goes
offline for a while (or the agent is rebooted), you lose everything in
the middle...
Using TCP wouldn't help on those situations anyway..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Feb 17, 2010 at 1:33 PM, roger cummi...@gonzaga.edu wrote:
+1
Hi Ozgur,
The ignore option is already recursive by default. So using that should
be enough.
Ex: <ignore>/etc/httpd</ignore> will ignore all /etc/httpd and subfolders.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Feb 15, 2010 at 3:58 AM, Ozgur Ozdemircili
ozgur.ozdemirc...@gmail.com
Hi Pete,
That's a very good idea. We have an active response on Windows using the
route command (to redirect to a null route), but having one using netsh
would be great. Btw, do you know which versions of Windows come with
netsh by default?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed
Hi Borut,
Thanks for letting us know of this bug. It has been fixed on the
latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100301.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Feb 23, 2010 at 8:45 AM, Borut Podlipnik podlip...@mps.mpg.de wrote:
I am wondering
for the report.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Feb 25, 2010 at 8:23 PM, Peter M. Abraham
peter.abra...@dynamicnet.net wrote:
Greetings Daniel:
Head out to dinner, come back, and close to 400 alerts where the
ignore is being ignored.
OSSEC HIDS Notification.
2010 Feb 25 18:57:01
and decrypts the message using the symmetric key.
4- If the rids count is repeated, it drops the message (injection
attack or network problem).
I hope that helps to summarize how it works...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Feb 26, 2010 at 2:01 PM, Wim Remes wre...@gmail.com wrote
Hi Gil,
You need to use if_sid instead of if_matched_sid. The latter is
only used for
composite rules (when matching across multiple events).
hope that helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sun, Feb 28, 2010 at 11:41 PM, Gil Vidals gvid...@gmail.com wrote:
I am trying to override
Hi Ivan,
What distribution are you using? Can you run the following command:
# strings /bin/du |grep -E '/dev|w0rm|/prof|file\.h'
This will help us understand if it is a false positive or not..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 4, 2010 at 5:02 AM, Ivan Lezhnjov Jr
Hi,
Can you post the alert you are trying to ignore? Your hostname syntax is correct
and should have worked.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Mar 5, 2010 at 2:47 PM, Jefferson, Shawn
shawn.jeffer...@bcferries.com wrote:
Thanks, that helps!
I guess I still have
this
problem before...
What version are you using? Which OS? How many agents pointing to that box?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Mar 5, 2010 at 10:53 AM, Doug Burks mub...@gmail.com wrote:
Yes, I saw that the log file showed a 3-minute gap between syscheckd
starting
, etc. But that's only a
personal preference,
since both work well...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Mar 8, 2010 at 8:33 AM, Dave S dsty...@comcast.net wrote:
I get that when future upgrades will include new ossec_rules.xml
files.
My question is, if we want to change
are on version 2.2 on Windows, we fixed some relevant bugs
related to that (
losing the connection and not reconnecting).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Mar 8, 2010 at 5:30 PM, Rich Rumble richrum...@gmail.com wrote:
I have the same issue, no fix in sight, as I can't track down
or not.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Mar 10, 2010 at 5:18 PM, Dimitri trichotec...@yahoo.es wrote:
Hello.
I run OSSEC version 2.1.
Is possible upgrade only the agent but not ossec server?
Regards.
Dimitri.-
http://deoxyt2.livejournal.com
http://anabalon.clan.su
OpenBSD
I just fixed the code and it is available on the latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100311.tar.gz
If anyone is having the same problems, please try this version to see if
it goes away.
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 11, 2010 at 7:35 AM
for that event. Try enabling log_all to see if you get all
the alerts.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 18, 2010 at 5:57 PM, Vipul_Gupta vipulgup...@gmail.com wrote:
Hey All,
I have two questions.
1) Is it possible to use wildcards in win_malware_rcl.txt file?
I
'
srcip: ':::18.104.87.110'
**Phase 3: Completed filtering (rules).
Rule id: '3902'
Level: '5'
Description: 'Courier (imap/pop3) authentication failed.'
**Alert to be generated.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 18, 2010 at 5:05 PM
<category>syscheck</category>
<title>Daily report: Syscheck</title>
<email_to>myemail</email_to>
</reports>
With each entry per report section.
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Mar 22, 2010 at 1:16 PM, Derek J. Morris
dmor...@digitalmorris.com wrote:
I have added this to my ossec.conf
<reports>
Hey,
Did you add that to the malware_rct.txt on the manager or on the
agent? If you added on the manager, you have
to wait until the manager pushes the file to the agent.
Also, you can try to debug it by running the ossec-rootcheck directly.
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
Hi Trevor,
Thanks for the report. It has been fixed on the latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100324.tar.gz
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Mar 22, 2010 at 7:59 PM, tm trevor.a.b.mcl...@gmail.com wrote:
Hello,
I am using OSSEC 2.3. The first part
Hey,
I have unsubscribed you both from the list. I don't know what is going
on with Google Groups,
but I will try to find out.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
2010/3/22 Jose Luis Vázquez González jlvazq...@rfranco.com:
What if you follow the instructions BUT you CANNOT
=12345 level=0
<if_sid>5501</if_sid>
<program_name>sshd</program_name>
<description>Using only sshd logs</description>
</rule>
Would that do what you want or did I completely miss what you are
trying to do?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Mar 24, 2010 at 9:37 AM, dan (ddp) ddp
Hi Gagan,
To run on real time, you need to set realtime=yes in your configuration:
http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/
As for knowing who made the change, you need to leverage system level
auditing logs
to get this information.
Thanks,
--
Daniel
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 25, 2010 at 8:36 PM, Nate Schmoll m...@nateschmoll.com wrote:
dcid - why is there moderation on this list? Is this something TM imposed on
you?
Nate Schmoll
m...@nateschmoll.com
253-987-NATE
To unsubscribe from this group, send email
/Dev:BetaTesting
We appreciate any feedback.
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
Hi Marcelo,
The name option is used as a pattern match, so c1 will match c1
and c1-devel. If you
want it to match only c1, you need to specify: ^c1$:
<agent_config name="^c1$">
..
Hope that helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Mar 30, 2010 at 5:04 PM, Marcelo de Miranda Barbosa
The location of the log is intranet, while the source ip is 1.2.3.4.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Mar 29, 2010 at 11:39 AM, Davide D'Amico
davide.dam...@gmail.com wrote:
Thanks for your answers.
I haven't an agent on remote hosts, I'm collecting logs
. Note that
the hostname tag matches the agent name, agent ip and log file.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 25, 2010 at 6:26 PM, Serge Dubrouski serge...@gmail.com wrote:
Hello -
Is it possible to create a custom decoder that will match particular
logfile name? I'm
Hi Mario,
You certainly can. This link explains how to create custom active responses:
http://www.ossec.net/wiki/Know_How:CustomActiveResponses
And this post shows a similar concept to detect fraud with ossec:
http://blog.rootshell.be/2010/03/31/detecting-fraud-with-ossec/
Thanks,
--
Daniel B
this agent? If you are, it
means that logcollector is able to write to this file.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Mar 30, 2010 at 2:51 AM, Murphy, Matthew
matthew.murph...@t-mobile.com wrote:
I am having major problems getting ossec-hids-2.3 agent installs working on
our HP/UX
:
http://www.ossec.net/announcements/v2.4-2010-04-01.txt
Download the new version from http://www.ossec.net/main/downloads
Official announcement: http://www.ossec.net/main/ossec-v24-released
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
--
To unsubscribe, reply using remove me
Hi Chad,
I can't verify the bug in here. Can you make sure that ossec-logtest
got updated properly? Maybe
if you had it running during the update, the file didn't get replaced.
If you run:
# ls -la /var/ossec/bin/ossec-*
The date from all the binaries should be the same ...
Thanks,
--
Daniel B
Hi Michael,
You can specify a subnet in there. For example:
<srcip>192.168.2.0/24</srcip>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Apr 2, 2010 at 4:37 PM, Michael Barrett
michael_barr...@mgic.com wrote:
I found this but I don't want to have to list each IP address. Is there a
way
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Apr 7, 2010 at 12:21 PM, Anne abeste...@gmail.com wrote:
I tried to run the 2.4 upgrade on my server, and got the following
errors:
---
starting the upgrade:
- You already have OSSEC installed. Do you want to update it? (y/n):
y
- Do you want
but it will use the binary compiled from the other system.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Apr 7, 2010 at 4:21 AM, Res5 res...@gmail.com wrote:
Hi all, I need a little bit help from you guys!
I have a major problem installing and running Ossec on VmWare Esx
server 4.0
Hi William,
We have a decoder for Suhosin that will treat the logs as an IDS
event. So you need to
work with the ids_rules.xml to modify them.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Apr 15, 2010 at 7:56 AM, William Maddler n...@maddler.net wrote:
Hello all, quick question
-response
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Apr 23, 2010 at 5:45 PM, Eric Biondi e...@biondi.com wrote:
I would like to treat one Rule violation different from the rest. I'll
duplicate the scripts for firewall drop under a different name and add
commands in ossec.conf
Hi Michael,
Do you get any errors on the manager's ossec.log file? Check there as well..
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Apr 22, 2010 at 11:05 AM, Michael Barrett
michael_barr...@mgic.com wrote:
I am having an issue with one of my systems. This is OSSEC Windows version
the traffic coming in?
-Do you have other agents in there? Are they working?
*Alessandro: thanks for the report. I will fix it :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Apr 27, 2010 at 5:54 PM, Michael Barrett
michael_barr...@mgic.com wrote:
OK thanks for that tip
I modified the short
to yes. Everything will be then logged at the
archives.log
*You also mentioned Cisco logs. What kind of Cisco logs are those?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, May 8, 2010 at 1:06 PM, Muraleedaran Kanapathy
muralee.kanapa...@inet.net.sa wrote:
Dear Sirs
We
</if_sid>
<hostname>sles10-docs</hostname>
<description>Changes to sles-docs</description>
</rule>
It requires one extra rule, but works.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, May 13, 2010 at 9:44 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
Swartz, Patrick H wrote:
I
Hi Rafael,
I find this rule useful too. If you (and everyone else having too many
false positives),
can provide the logs that are matching, we can add some of these to our default
rules as ignored by default.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, May 13, 2010 at 10:09 PM
</email_maxperhour>
*A request: If you ever get an answer that solves your problem (from everyone
in the list), please try to take some time to add that to our wiki
FAQ. I started with
the email issues here: http://www.ossec.net/wiki/Know_How:Email
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 14
as
well.
You could use the logall option to archive every event in case you ever need
to go back and look at everything.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, May 13, 2010 at 3:12 PM, Tony Z azimzo...@gmail.com wrote:
After briefly checking in IRC I found that OSSEC does not output
reconnects. For this problem, you have to either clean
the rids directory on the manager or disable the counters. To disable it, set
verify_msg_id to 0 on the internal_options.conf file:
# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
In fact, not having all the rules loaded can cause performance penalty, because
non-matching events will end up being checked by all the rule tree.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 14, 2010 at 10:27 AM, dan (ddp) ddp...@gmail.com wrote:
I don't know about the active
this many times on internal networks because it makes it easy to manage
and use with multiple servers (they don't have to be in sync anymore).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 17, 2010 at 11:25 AM, dan (ddp) ddp...@gmail.com wrote:
Not Daniel, but... The counters help
Hi Aaron,
Thanks for the patch. Added to the latest snapshot:
http://www.ossec.net/files/snapshots/
Can you take a look to make sure it is working correctly?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, May 12, 2010 at 2:40 PM, Aaron Bliss aaron.bl...@gmail.com wrote:
Hi all,
I
Hi Christian,
You also need to set alert_new_files to yes inside the syscheck config:
http://www.ossec.net/wiki/Know_How:Syscheck
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 17, 2010 at 2:29 PM, ko...@mnr.org wrote:
I've changed the rules required 554 to level 7 and the rule
Hi Charlie,
Thanks! Just fixed on the latest snapshot:
http://www.ossec.net/files/snapshots/
Can you give it a try?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 14, 2010 at 3:58 PM, Charlie cmee...@gmail.com wrote:
:~$ strings /bin/login | grep -E
'bash|elite|SucKIT|xlogin
Hi Rich,
I added in the wiki what files are necessary to backup/migrate the manager:
http://www.ossec.net/wiki/Know_How:Agents#Migrating.2Fbacking_up_the_manager
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 18, 2010 at 4:22 PM, Rich Rumble richrum...@gmail.com wrote:
I
Hi Peter,
You don't need this info to send the emails to your account. You just need
their SMTP server. Generally it is:
aspmx.l.google.com
Or a similar server. Try running host -t mx [domain] to find which one to use.
Thanks,
--
Daniel B. Cid
dcid at ossec.net
On Thu, Jun 3, 2010 at 12:17 PM
Hi Rui,
In the ignore section you can't specify the * at the end. So it should be:
<ignore>C:\WINDOWS/System32/CCM/ServiceData/Messaging/</ignore>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Jun 14, 2010 at 7:20 AM, Rui Miguel Silva Seabra r...@sibs.pt wrote:
Hello,
Syscheck seems
Hi Tony,
Thanks for the link. We already patched and it is available on the
latest snapshot:
http://www.ossec.net/files/snapshots/
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jun 4, 2010 at 6:38 PM, Tony Fischer tony.fisc...@gmail.com wrote:
The ossec-batch-manager.pl script
Hi Stefano,
Can you send some of the logs you are trying to parse?
Also, your code has some serious security issues in there. I recommend that
you double check it before putting in production (e.g. strcpy should not be
used).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 28, 2010
Hi,
We currently do not support it, but if you can send some log samples to us, we
can certainly build some rules for it.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 1, 2010 at 3:13 PM, Allikuzhi, Ilango
ilango_alliku...@adp.com wrote:
I am wondering if ossec parses F5 SSL
://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Jul 12, 2010 at 7:32 AM, ItsMikeE goo...@ernstoff.net wrote:
I have done a server installation on RHEL5. There are no agents yet.
I am carrying out some basic testing