experience with us.
--
Daniel B. Cid
dcid ( at ) ossec.net
, but triggered that issue on the kernel.
If you have an old 2.6 kernel version, my recommendation is to update it or
to add
<ignore>/sys</ignore> to the rootcheck and syscheck sections.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Oct 19, 2009 at 6:11 PM, Dan Denton dden...@remitpro.com wrote
they would all be
reported, which
I believe most people don't want.
This is a very simple change that I can add, but I think that it will be
more confusing
than anything else.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Oct 21, 2009 at 9:34 AM, Michael Starks
ossec-l
Hey,
You can use the hostname option in the rules to filter based on the agent
name, ip
or log file location.
Example:
<hostname>/var/log/messages</hostname>
or
<hostname>agentX|agentY|agentZ</hostname>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
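As an added illustration (not part of the original reply, and not a rule shipped with OSSEC), here is a local_rules.xml fragment that uses the hostname option the way the reply describes. The rule ids 100100 and 100101, the agent names, and the choice of parent rule 5402 (sudo to root in the stock rule set) are assumptions for the example; the two hostname sets are deliberately disjoint so that only one of the two overrides can match a given event:

```xml
<!-- Added example, not from the original thread. Rule ids, agent names
     and the parent rule are chosen for illustration only. -->
<group name="local,">

  <!-- Silence the parent rule on the build hosts only. Level 0 means no
       alert is raised, but the event is still decoded on the manager. -->
  <rule id="100100" level="0">
    <if_sid>5402</if_sid>
    <hostname>buildbox01|buildbox02</hostname>
    <description>sudo to root is routine on the build hosts</description>
  </rule>

  <!-- Raise the same parent rule on the database hosts. The hostname set
       does not overlap with the one above, so the two rules cannot both
       apply to one event. -->
  <rule id="100101" level="10">
    <if_sid>5402</if_sid>
    <hostname>db01|db02</hostname>
    <description>sudo to root on a database host</description>
  </rule>

</group>
```

Because the hostname field also carries the log location, `<hostname>/var/log/secure</hostname>` scopes a rule to one file in the same way. A level 0 override only suppresses the alert; the agent still collects and ships the line, so if the goal is to stop the traffic rather than the alert, filter on the agent side instead.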
On Thu, Oct 15, 2009 at 8:14 PM, xen xfire
Hi Marco,
Yes, this is the right approach. OSSEC v2.2 is compatible with any agent
from version 1.0 and up.
Our goal is to keep the manager backwards compatible, so you can update the
server with new features and keep the agents running an old version.
Thanks,
--
Daniel B. Cid
dcid
\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
</location>
</localfile>
--
</ossec_config>
On Wed, Oct 21, 2009 at 9:21 AM, Daniel Baber daniel.ba...@gmail.comwrote:
Hello all. I have built rpms using the atomicrocketturtle.com spec
(version 3.art, although I also tried the latest 4.art) and upgraded the
server and agents. I am seeing a few
Hello all. I have built rpms using the atomicrocketturtle.com spec (version
3.art, although I also tried the latest 4.art) and upgraded the server and
agents. I am seeing a few errors that concern me in the agent logs (errors
of concern are in bold below):
*2009/10/21 08:41:32 ossec-logcollector:
the whole renaming of those binaries out and remove the init script patch.
How does this even work for you?!?
Thanks,
Dan
On Wed, Oct 21, 2009 at 9:50 AM, Daniel Baber dani...@libentech.com wrote:
Sorry about the repost, but the other one was from an account I rarely use
and I wanted to make sure I see
Sorry about the repost, but the other one was from an account I rarely use
and I wanted to make sure I see any replies in this email account.
Hello all. I have built rpms using the atomicrocketturtle.com spec (version
3.art, although I also tried the latest 4.art) and upgraded the server and
of the event too.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Oct 6, 2009 at 9:51 AM, Noel Mulryan noelmulr...@gmail.com wrote:
Hi,
I have installed OSSEC as part of PCI DSS requirements and I must say it is
an excellent piece of software.
OSSEC is running on a Debian box which
Hi Chad,
If you run netstat do you see the ports 21 and 25 being listed? If
you run netcat can you bind
to those ports?
OSSEC basically tries to bind() to it and if it can't, it means that
the port is in use. We then check
on netstat to see if it is being reported.
Thanks,
--
Daniel B. Cid
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Oct 8, 2009 at 2:53 AM, Gags gagan.bhat...@gmail.com wrote:
Hi
I am trying to compile ossec 2.0 on AIX box but it fails during the
compilation. The error received is as follow. Previously I have
deployed on many AIX boxes but haven't faced
The use_own_name will just update the pointer internally to be used
by the rules,
but the name will not show up on ossec-logtest... I will make sure to fix it.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Sep 29, 2009 at 2:57 PM, ddp ddp...@gmail.com wrote:
Summary: On my setup
by the ossec-syscheckd process.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Sep 18, 2009 at 10:04 PM, HostGIS Support supp...@hostgis.com wrote:
A)
We use Tripwire instead of OSSEC, so I don't really need syscheck
looking for file alterations. How can I turn off the file
...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Sep 21, 2009 at 5:42 PM, Gregor at HostGIS gre...@hostgis.com wrote:
I am curious, as to what the various daemons do. Specifically, I am
wondering whether my specific use case would allow me to slim down
OSSEC's footprint further.
ossec
Hi Dimitris,
Are these events being logged at all? Do you have auditing enabled for
that on Windows? The best
thing to do is to look at the logs itself to see if they are there and
at the ossec.log files for errors...
Besides that, we would need more information to help out.
Thanks,
--
Daniel
and see if it works.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Sep 2, 2009 at 12:49 PM, Alisha Kloc fallintosan...@gmail.com wrote:
Hi,
Thanks for the reply! However, the problem isn't that we're not
receiving an emailed alert from the OSSEC manager; we've got OSSEC
configured
do:
<rule id="abc" level="0">
  <if_group>syscheck</if_group>
  <regex>/var/spool/QF|/var/spool/df</regex>
  <description>Ignoring QF and DF files inside /var/spool</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
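The rule above drops the alert on the manager, but the agent still checksums the queue files and reports every change. As an added example (not from the original reply and not OSSEC's own configuration), the fragments below put the two approaches side by side: an agent-side `<ignore>` in ossec.conf, which stops the files from being scanned at all, and the manager-side level 0 rule. The directory list and the rule id 100200 are assumptions chosen for illustration:

```xml
<!-- Added example, not from the original thread. Paths and rule id are
     illustrative. -->

<!-- 1. ossec.conf on the agent: syscheck never hashes matching paths, so
        no event is produced and nothing is sent to the manager. -->
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/spool</directories>
    <!-- plain form: matches the path prefix -->
    <ignore>/var/spool/QF</ignore>
    <!-- OSSEC simple-regex form: one entry for both queue file kinds -->
    <ignore type="sregex">/var/spool/QF|/var/spool/df</ignore>
  </syscheck>
</ossec_config>

<!-- 2. local_rules.xml on the manager: the agent still scans and reports
        the change, but level 0 drops the alert. -->
<group name="local,syscheck,">
  <rule id="100200" level="0">
    <if_group>syscheck</if_group>
    <regex>/var/spool/QF|/var/spool/df</regex>
    <description>Ignoring QF and DF files inside /var/spool</description>
  </rule>
</group>
```

Prefer the agent-side ignore when the files are known noise on every host that has them; keep the rule-level suppression for cases where the change should still be visible in the archive or to other rules.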
On Thu, Sep 17, 2009 at 2:03 PM, Josh Albright jalbri...@escalate.com
IDS and a few more log formats.
And much more… Check out the changelog to see all changes and contributors.
Download it from: http://www.ossec.net/main/downloads .
Link: http://www.ossec.net/main/ossec-v22-released
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
response?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Aug 18, 2009 at 6:05 PM, xenxfire...@gmail.com wrote:
I am trying to run a custom command on my Windows client. The cmd
file is in the active-response/bin folder with appropriate
permissions.
I am getting this error message
Hi,
You need to compile the binaries on a binary-compatible system or
install gcc on that box.
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Aug 19, 2009 at 12:56 PM, Prof Falkenmattmacw...@gmail.com wrote:
Hi all,
We've got an old legacy system that is due to be upgraded
<match>UnhandledExceptionError| = |</match>
<description>Ignore successful emails</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Aug 19, 2009 at 12:56 PM, Mark
Smithmark.sm...@avcosystems.co.uk wrote:
I'm getting a lot of messages about successful emails when
Hi Alisha,
The rule 11 is the only one left that is not set in the rules file,
but we will be merging that
to the rules in the near future...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Aug 17, 2009 at 2:23 PM, Alisha Klocfallintosan...@gmail.com wrote:
Hi,
My department
<match>Ignore for users C and D</match>
</rule>
Makes sense?
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Aug 19, 2009 at 9:47 AM, Adam Gardneragentgr...@gmail.com wrote:
Ok, but what if you are trying to alert on user lock outs in AD, but
only want to see the service accounts being
Hey,
Sorry for the spam in the list... Message deleted and member banned.
Thanks,
Thanks for the patch. It is included on the following snapshot:
http://ossec.net/files/snapshots/ossec-hids-090805.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 31, 2009 at 11:59 PM, ddpddp...@gmail.com wrote:
On Fri, Jul 31, 2009 at 3:12 PM, Nathan
Grandboisngrandb
as the order to add the keys, they should be:
-Add keys on the manager
-Restart manager
-Import keys into the agents.
-Restart agents.
*btw, I added the command-line options to manage_agents on the latest snapshot:
http://ossec.net/files/snapshots/ossec-hids-090805.tar.gz
Thanks,
--
Daniel B. Cid
see when the server is down (that lock is what
tells you that it stopped processing):
2009/07/31 22:44:31 ossec-agentd: WARN: Server unavailable. Setting lock.
2009/07/31 22:44:52 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: 'a.b.c.d'.
--
Daniel B. Cid
dcid
will not show
it. So, you get a used port
that is indeed hidden from the rest of the system. It works well
everywhere else (including Windows)...
So, you may have an application with this behavior that is causing
these alerts.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Aug 3, 2009
period to daily
and using the local time for file naming and rollover. In the extended
logging properties, configure it to log the Date, Time and all the
extended properties.
After that, it alerts on these attacks by default.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Aug 3, 2009
Hey,
This is expected to take a while. The agent_control -R only restarts
the agent, but does not
push the new configuration there. OSSEC pushes the files slowly and
only when it has
idle cycles to avoid blocking important events...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 31
to events coming from remote agents. For
local log files, the hostname
is always the syslog hostname.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jul 30, 2009 at 2:42 PM, Michael Altfieldmichael...@gmail.com wrote:
I haven't played with srcip, but I know I've gotten the hostname correct
Hi Martin,
If you remove the rids files from both agents and manager and are still
getting this error, you
probably have some keys being reused.
Are all your agents not working or only a few of them?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jul 28, 2009 at 5:47 PM, Martin
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jul 28, 2009 at 10:04 AM, Thomas
Statherthomas.stat...@sit.fraunhofer.de wrote:
Hello
I want to write a local rule which ignores the messages from a certain
system and process. For this i have written:
<rule id="11" level="0">
<if_sid>1002</if_sid>
|agent3
..
</agent_config>
Hope that helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
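As an added example (not part of the original reply or of the OSSEC distribution), here is a complete /var/ossec/etc/shared/agent.conf showing the three scoping forms the truncated snippet above hints at: a block for every agent, a block limited by agent name, and a block limited by operating system. The agent names, the syscheck frequency and the log paths are assumptions for the example:

```xml
<!-- Added example, not from the original thread. Agent names, paths and
     values are illustrative. -->

<!-- No attribute: applies to every agent that receives this file -->
<agent_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</agent_config>

<!-- name attribute: a regex matched against the agent name -->
<agent_config name="agent1|agent2|agent3">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</agent_config>

<!-- os attribute: matched against the agent's reported OS string -->
<agent_config os="Windows">
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</agent_config>
```

The file must be well-formed XML, since the agent merges it with its local ossec.conf at startup; a broken agent.conf is a quick way to take every agent's configuration down at once, so validate it before it is pushed.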
On Wed, Jul 1, 2009 at 5:23 PM, Peter M.
Abrahampeter.abra...@dynamicnet.net wrote:
Greetings:
RE: http://www.ossec.net/main/manual/centralized-config/
1. Does the settings in /var/ossec/etc/shared/agent.conf
configurations) were never
arriving properly on the Windows agents.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jul 30, 2009 at 3:10 PM, Danny Fullertondfuller...@mantor.org wrote:
Hello guys,
I've been trying to deploy a centralized config but ran into some problems.
I followed
new
keys to the agents, making sure each key you create is only used once.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Jul 25, 2009 at 12:02 PM, Clint Alexandercl...@cdalexander.net wrote:
After a clean vanilla installation of v5.1.1 with 23 agents, I'm getting
spammed in the server
Hi Jose,
I have seen a lot of people asking about it or planning on doing it, but
it never got completed. So, go for it
and ask us if you have any issues.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jul 21, 2009 at 12:11 PM, Jose Antonio
Quevedojoseantonio.quev...@gmail.com wrote
Hi Rafael,
If you don't want an alert if the log matches a string, just set the
severity to 0. For example:
<rule id="100456" level="0">
  <if_sid>xyz</if_sid>
  <match>testing this rule</match>
</rule>
It accomplishes the same thing as the negation.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri
checking.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 10, 2009 at 11:16 AM, Michael Altfieldmichael...@gmail.com wrote:
I noticed that OSSEC v2.1 now has support for Real time integrity
checking for Linux systems. However, I'm not really sure what this
is. Is there any
Hey,
I added the ignore option to Rootcheck, so you can specify your NFS
shares in there to
avoid scanning them.
It is available on the latest snapshot:
http://ossec.net/files/snapshots/ossec-hids-090723.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jul 23, 2009 at 6:45 AM
Hi Miles,
Take a look at this document:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
It explains how the pre-decoding works and how it is related to the decoding.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Jul 15, 2009 at 2:23 AM, miles
sakaguchimilessakagu...@yahoo.com
specify anything in the
manual.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 10, 2009 at 11:57 AM, Michael Altfieldmichael...@gmail.com wrote:
Hello,
In regards to the new centralized config feature of OSSEC v2.1, what
should be the permissions to the file: /var/ossec/etc/shared
Hi Thomas,
How did you update OSSEC? If you ran the install.sh command and set
the update option to yes,
it should not have changed any of your keys. So, no, not normal behavior at all.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 10, 2009 at 7:09 PM, Thomas
Statherthomas.stat
Hi Steve,
Can you check the permissions of that file? It should be set properly
during upgrade, but
that might be a reason why.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 17, 2009 at 6:48 PM, l...@torpey.org wrote:
After updating from version 1.6 to 2.1, I am no longer
allow message from members, but spammers are
joining in and
sending...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
Hey,
Can you show what you added to ossec.conf? Note that you need to add
the ignore directly
on the agent's ossec.conf and not on the manager side.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Jul 15, 2009 at 1:57 PM, Justice Londonjlon...@lawinfo.com wrote:
I am trying to get
www-data
*Adding www-data to ossec group and checking after
# usermod -a -G ossec www-data
# grep ossec /etc/group
ossec:x:1001:www-data
*Restarting apache
# apachectl restart
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jul 16, 2009 at 11:18 PM, Bharanidharans.bhar
(within 10/20 minutes).
*btw, I am working to have rootcheck updated to 2.1.1. Thanks for the reminder.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jul 3, 2009 at 11:57 PM, Peter M.
Abrahampeter.abra...@dynamicnet.net wrote:
Greetings:
Re: http://www.ossec.net/main/manual/manual
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jul 16, 2009 at 10:47 AM, Rafael Gomesrafael.go...@ufba.br wrote:
I am applying the audit of windows to log every change in its folders.
How can I get this logs in Ossec server?
Already is there a decoder or rule to do this?
Thanks,
--
Rafael
structure, not the original log.
Take a look at the this document explaining this a bit:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Jul 11, 2009 at 11:26 PM, miles
sakaguchimilessakagu...@yahoo.com wrote:
if predecoding is done why
Hey,
There is no hard limit on OSSEC itself. It all depends on the hardware
you have and
number of events per second being generated.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Jul 13, 2009 at 5:46 AM, prabhupprab...@zohocorp.com wrote:
Hi
How many agents max can be added
are specified.
We will address that later.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
for the suggestion)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
-syscheckd
Inside gdb:
(gdb) set follow-fork-mode child
(gdb) run
When it seg faults:
(gdb) bt
If you can do that (and run with -d -d to enable debug), it would really help.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 30, 2009 at 11:12 AM, louielo...@nchc.org.tw wrote:
It's a me
/ossec-syscheckd -d
Tue Jun 30 23:00:33 CST 2009
gdb: option `-d' requires an argument
Use `gdb --help' for a complete list of options.
segfault happened within ten minutes
--
Louie June 30, 2009 22:58:40
On Tue, Jun 30, 2009 at 11:33:54AM -0300, Daniel Cid wrote
Hi Louie,
The log you sent is good. Means it is working now. I updated 2.1 with
the fix. If you had problems, please
download it again: http://www.ossec.net/main/downloads/
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 30, 2009 at 1:36 PM, louielo...@nchc.org.tw wrote:
Sorry
Download v2.1 again :) We just fixed this issue.
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 30, 2009 at 1:57 PM, Rafael Gomesrafael.go...@ufba.br wrote:
Hi I am geting this error in ossec web:
kernel: ossec-syscheckd[4260]: segfault at 0 ip 0804b2da sp bfa0d000
error 4
Hi Philipp,
You have a point. I could have created a 2.1.1, but in a rush to fix
it, I ended up replacing the package
itself. Next time I will take it into consideration and bump the version.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 30, 2009 at 2:06 PM, Philipp Buckp
Hi Rafael,
Just download the latest version and install again. The script
install.sh will detect that OSSEC is already installed
and handle the update properly.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 30, 2009 at 5:18 PM, Rafael Gomesrafael.go...@ufba.br wrote:
Hi Daniel
:)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 23, 2009 at 2:16 PM, Michael Altfieldmichael...@gmail.com wrote:
Thank you!
At the default settings (syscheck.sleep=2 and
syscheck.sleep_after=15), it took about 50 minutes to complete a
syscheck of about 6500 files. When I changed
(killall ossec-logcollector;
/var/ossec/bin/ossec-logcollector) and
the same for syscheck/rootcheck (only kill ossec-syscheckd).
The only exception is ossec-analysisd: if you kill it, the other
processes will not work
until you start it again.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
Hi,
Can you try with the latest snapshot:
http://ossec.net/files/snapshots/ossec-hids-090626.tar.gz
It was a bug where you couldn't use glob+strftime together.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jun 25, 2009 at 2:03 AM, Kaiphamtungdu...@gmail.com wrote:
Hi all,
I
And recompile it?
$ cd src
$ make clean
$ make all
$ make build
$ cp -pr ../bin/* /var/ossec/bin
If it works, we will have to auto-detect it better.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jun 25, 2009 at 10:51 AM, ddpddp...@gmail.com wrote:
Is the error something like
.* to
ossecu...@10.2.5.78;
set password for ossecu...@10.2.5.78=password('ossecpass');
It might be easier to just switch to 127.0.0.1 and debug from there...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Jun 24, 2009 at 11:25 AM, Derek J.
Morrisdmor...@digitalmorris.com wrote:
In her
Hi Derek,
Did you configure it to use a centralized agent configuration? I have
a fix for it at:
http://ossec.net/files/snapshots/ossec-hids-090624.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, Jun 24, 2009 at 9:33 AM, Derek J.
Morrisdmor...@digitalmorris.com wrote:
I am
limit is set to 1024 (generally -n) to 4096
and restarting ossec:
# ulimit -n 4096
# /var/ossec/bin/ossec-control restart
See if it fixes the issue. And no, ossec shouldn't crash :) I will
check this out too..
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Jun 22, 2009 at 12:21 PM
read
with the one from stat.
And a few more...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jun 19, 2009 at 12:30 PM, Joshua Gimerjgi...@gmail.com wrote:
Pretty interesting, now incorporated into chkrootkit. Does rootcheck
do anything like this currently?
https://blogs.sans.org
Hi Patrick,
That's a very serious accusation from them ;) As far as I know, we
produce a valid syslog output
according to the RFC. Can they explain what is wrong with it?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 2, 2009 at 1:52 PM, patrick.swa...@firstdata.com wrote:
RSA
ossec experiences with the rest of the community, let me know (we
are accepting submissions).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
Stopped,,'
**Phase 2: Completed decoding.
decoder: 'ms-dhcp-ipv6'
id: '11011'
**Phase 3: Completed filtering (rules).
Rule id: '6362'
Level: '7'
Description: 'Stopped.'
**Alert to be generated.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 29
.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, May 28, 2009 at 12:56 PM, jackal...@fastmail.fm wrote:
Hi list,
I'm new to OSSEC and have read quite a bit on it, but one question I
haven't been able to figure out yet is this: after you install OSSEC,
does it automatically perform
Oh,
That would be a problem for sure. We fixed it already on previous
snapshots too. You can try
them out from here:
http://ossec.net/files/snapshots/
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, May 20, 2009 at 9:13 AM, dthfoo dth...@googlemail.com wrote:
Dan,
I've worked out
<if_sid>100302</if_sid>
<description>Ignoring 100302</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 19, 2009 at 5:16 PM, Gregory Rubin grru...@gmail.com wrote:
Neither of those seem to address my problem. The issue is that I'm
trying to have one event suppress
it easier)...
*a start for the script would be to list all the files that are auto-ignored:
for i in $(/var/ossec/bin/syscheck_control -l -s | cut -d , -f 1); do
  echo "Agent: $i"
  /var/ossec/bin/syscheck_control -s -i "$i" | grep ',3' | cut -d , -f 2
done
Hope it helps.
--
Daniel B. Cid
dcid
if //var/opt is already in the database
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 22, 2009 at 3:43 PM, Marcelo de Miranda Barbosa
cel...@gmail.com wrote:
Hello Group,
I have a problem with my configuration , because that I add a new directory
in ossec.conf and the syscheck it does
latest snapshot and let us know
if the problem persists (before you try make sure to clear your iptables
drop list to avoid confusion).
Snapshot: http://ossec.net/files/snapshots/ossec-hids-090514.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
|
(ssh_generic_diff) a...@127.0.0.1-agentless|xx |
enigma-ossec-monitord |zzz |
..
If you are using the web ui, then no, we still need to fix that..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, May 14, 2009 at 8:08 AM, dthfoo dth
an issue in the past, where syscheck would crash the kernel
when trying to access the
/sys directory, but that was a big bad kernel bug that was fixed long
ago. I don't think your
issue is related to that.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 5, 2009 at 2:11 PM, John
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 5, 2009 at 6:02 PM, Derrick Farmer dfar...@vertek.com wrote:
Anyone running agentless systems and having luck with them showing up in
Web-UI? I would just like to know if I should be able to see my agents or
not before I spend
Hey,
You can also use the RPMs from the atomic source:
http://3es.atomicrocketturtle.com/packages/ossec/
They keep it very updated, even regarding the latest snapshots.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
2009/5/6 Sébastien Duquette ekse...@gmail.com:
I tried building an RPM
:/var/www/ossec# chmod 770 tmp/
r...@home:/var/www/ossec# chgrp www-data tmp/
r...@home:/var/www/ossec# apache2ctl restart
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
2009/5/7 yangguyu44944 yangguyu44...@163.com:
Hi ,
Sorry to trouble you guys,but I don't have a better way to solve
Hi Derek,
What command (and arguments) are you using? It seems that it is trying
to allocate
more than what you have available.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 4, 2009 at 4:40 PM, Derek J. Morris
dmor...@digitalmorris.com wrote:
My monthly summary report wont run
Hi,
You need to look at the file /var/ossec/logs/active-response.log to get detailed
information when active responses are added or deleted. For the logall,
you cannot enable it per server, no... Maybe in the future :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 5, 2009 at 7
I don't know if anyone still frequents this mailing list or not.
I am having trouble with OSSEC using the format option.
I run the version command and this is what I get.
OSSEC HIDS v1.6.1 - Third Brigade, Inc.
And the config I have in ossec.conf looks like:
<email_alerts>
://thirdbrigade.com/company.aspx?id=101
Thanks!
--
Daniel B. Cid
dcid ( at ) ossec.net
Hey,
There are a few places to post suggestions and ideas:
-Here (we always monitor the list)
-At our bugzilla: http://www.ossec.net/bugs/
-Or send them directly to features-requ...@ossec.net (yes, we set up an
email just for that).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Apr 17
/description
/rule
But as we already said, trusting the history file is not the best
option, since it can easily be
avoided.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Apr 20, 2009 at 3:14 PM, matthias platzer e...@platzer-statik.at
wrote:
hi,
On Apr 20, 9:57 am, lovewad
To ignore a specific domain:
<white_list>^www.gmail.com$</white_list>
I don't think there is any security issues, but I always try to
disable reverse lookup on the applications
itself (it needs to be done on a per application base).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Apr 20
argument:
cd "C:\Program Files\ossec-agent"
ossec-agent.exe install-service
You can also try to start it directly from there (not using the services):
cd "C:\Program Files\ossec-agent"
ossec-agent.exe start
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sun, Apr 19, 2009 at 3:09 PM, Mike
received
in the following format:
hour--totalalerts--total events--total syscheck--total fw
For example:
7--789--45677--2355--345
8--307--33793--3168--0
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Apr 21, 2009 at 9:31 AM, Roch elro...@gmail.com wrote:
Thanks Matthias
response? It should be inside /var/ossec/alerts/ and the
content of ossec.conf on the manager and
active-response.log from the agent?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Apr 21, 2009 at 9:25 AM, cianop luciano.branc...@feltrinelli.it wrote:
I'm sorry but I have no idea, I
Hi Dave,
You need to provide a user name in the host field. It should be in the
format u...@host. Plus, it should
match what you gave for the register_host.
If you look at our examples, we always use u...@host:
<host>p...@pix.fw.local</host>
That should solve your problem.
Thanks,
--
Daniel B
Hi Jose,
Check your logs. Try restarting OSSEC and looking for ossec-remoted in the logs:
# grep remoted /var/ossec/logs/ossec.log
To see the list of remote managed agents, run:
# /var/ossec/bin/agent_control -l
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
2009/4/14 Jose Luis
what you want.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Apr 14, 2009 at 12:33 PM, Darvin Denmian
darvin.denm...@gmail.com wrote:
Maddler,
your solution is good, but i need to know what ossec rule triggered
the active response .
Thanks for reply!!!
On Tue, Apr 14, 2009
.
We need to move the integrity checking to be more target based for it
to still be useful
(especially on Windows systems). Btw, how are most people here using
Windows integrity checking?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Apr 13, 2009 at 8:45 PM, Michael Starks
ossec-l
on the ossec.conf file. There is a directory tag where
you set these
options. More information at: http://www.ossec.net/main/manual/manual-syscheck/
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Apr 13, 2009 at 3:30 PM, patrick.swa...@firstdata.com wrote:
Hello and Thank You!!
After
is more than welcome.
*You can add on your own to the wiki or just reply in here..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
Hi,
Right now you can't monitor them directly from the database, but if
you can configure
rsyslog to dump those to another log file (or pipe), ossec can
certainly monitor them.
Our plan for the next version is to add direct database monitoring, so
later you can
switch to it.
Thanks,
--
Daniel B