processes?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 12, 2007 5:27 AM, Tomas Olsson [EMAIL PROTECTED] wrote:
Tomas Olsson wrote:
Hi,
I am running OSSEC 1.4 storing the alerts on MySQL but it seems not to
be robust enough for use on my PowerBook. I started running OSSEC
common NTFS ADS entries.</description>
</rule>
I will make sure to add that to the default list of valid ADS for the
next version...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 4, 2007 1:20 PM, Chris Buechler [EMAIL PROTECTED] wrote:
On 11/3/07, Dennis Borkhus-Veto [EMAIL PROTECTED
Hi Peter,
These are false positives for sure. I will make sure to fix it for the
next version.
Thanks for letting us know.
*if you can, please open a bug about it at: http://www.ossec.net/bugs/
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 3, 2007 11:09 AM, Peter M. Abraham [EMAIL PROTECTED
<description>Windows Audit event test.</description>
<group>rootcheck,</group>
</rule>
If you can show us a sample of the alerts you are getting, we can help
you write a real rule for it...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 2, 2007 9:08 AM, Dennis Borkhus-Veto [EMAIL PROTECTED
be something like:
SELECT FROM_UNIXTIME(timestamp) time, rule_id,location.name location,
INET_NTOA(src_ip) srcip, full_log FROM alert,location, data WHERE
location.id = alert.location_id AND data.id = alert.id AND
data.server_id = alert.server_id AND rule_id = 550;
Hope it helps.
--
Daniel B. Cid
dcid
the agent IP (when running
the manage_agents tool) to be a network instead of a unique address.
(like 192.168.2.0/24):
http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs
That should fix the problem (you will need to re-import the new key in
the agent too).
Hope it helps.
--
Daniel B. Cid
helpful..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/31/07, carlopmart [EMAIL PROTECTED] wrote:
Hi all,
Is cp firewall-1 log format supported? If not, is there some option to record
alerts via ossec-agent to ossec-server?
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
/main/manual/#remote_options
As for OSSEC analyzing the dst ip of the incoming packet and using
that for the reply,
I will take a look into implementing that (for v1.5)...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/25/07, Timothy Meader [EMAIL PROTECTED] wrote:
David, thanks
of logs (plus their location) of your
proftpd, it will help us when adding support for it.
*for the time being, you can probably change the proftpd config to log
directly to syslog...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/25/07, Steve West [EMAIL PROTECTED] wrote:
Daniel Cid
Hi again
It worked!!
Thanks for your help.
En/na Michael Starks ha escrit:
Daniel Rubio wrote:
In the last days I've been having problems contacting with some ossec
agents, I changed some directory permissions, but after, I recovered
from backup, reinstalled, upgraded, re
-logcollector: Started (pid: 4314).
2007/10/24 12:36:49 ossec-logcollector: Process locked. Waiting for
permission...
Actually, the server is a nightly 1.4 release
--
Daniel Rubio Rodríguez
OASI (Organisme Autònom Per la Societat de la
Hi Marco,
It is in the changelog of the version 1.3:
http://www.ossec.net/announcements/v1.3-2007-08-08.txt
-Fixed file descriptor leak on the Windows agent while reading
the Windows registry.
(Reported by Luke Bradeen lbradeen at suresource.com)
Thanks,
--
Daniel B. Cid
dcid
.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/24/07, Steve West [EMAIL PROTECTED] wrote:
Michael Starks wrote:
Try 21 or 22 invalid logins in 60 seconds.
-Mike
Hi Mike,
Thanks for the suggestion! I tried over 25 invalid logins and still ossec
active response doesn't fire
Hi Nerijus,
Can you refresh my memory regarding which pthread issues? We
definitely want that
fixed for the next version. Anyone else using AIX in here to try out
the new version?
Link for v1.4 beta:
http://www.ossec.net/files/snapshots/ossec-hids-071023.tar.gz
Thanks,
--
Daniel B. Cid
dcid
-hids-1.4
$ cd src; make setdb; cd ..
$ ./install.sh
http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/17/07, adjete wilson [EMAIL PROTECTED] wrote:
I installed 1.4 beta and I'm still getting the error. ossec will only run if
I
if we can change anything to avoid it (maybe by looking at the
proc filesystem or
something like that)...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/17/07, David Williams [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Adding an absurd amount of verbose
that the agent is going down?
It is funny that I saw this already on another Windows 2003 system,
but could not reproduce it anywhere else...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/18/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
Greetings:
The steps listed on
http://www.ossec.net
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/12/07, John Hinton [EMAIL PROTECTED] wrote:
I have set up a server/agents system. These are on CentOS systems so it
would be equivalent to RedHat EL servers.
I'm wondering what needs to be done upon the edit of a rule.
Does the server need
, if that doesn't work, try our beta for the v1.4 to see if the
problem persists...
http://www.ossec.net/files/snapshots/ossec-hids-071016.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/16/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
Greetings:
2007/10/16 09:02:44 ossec-agentd: Started (pid
Hi Nerijus (and Carlos),
I made some changes to the pre-decoders within ossec to support the
syslog format
from AIX. If you can try it out from:
http://www.ossec.net/files/snapshots/ossec-hids-071011.tar.gz
It should properly parse all these messages.
Thanks,
--
Daniel B. Cid
dcid
on the server side, we don't need
to share them...
I have some plans to improve that in the future, but currently it is
not possible.
Btw, what kind of configuration are you interested in changing on all agents?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/8/07, carlopmart [EMAIL PROTECTED] wrote
Hi Andy,
The easiest way is to uninstall OSSEC and reinstall it as an agent. To
uninstall, just do:
# rm -rf /var/ossec/
# rm /etc/ossec-init.conf
And re-run the install.sh...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/8/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi
after the
syslog header.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/19/07, Dan [EMAIL PROTECTED] wrote:
Hi
Thanks for your help.
I was able to make my own rules. But with some of them I have a
problem :-(
I have an application which reports to syslog and I need to match some
Hi Wilson,
OSSEC can definitely monitor your logs and generate alerts in real
time. That's what it
was written for :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/10/07, Wilson Lai [EMAIL PROTECTED] wrote:
Dear ALL,
I have now installed the Syslog-NG server
]: Accepted
password for USER from 172.29.14.41 port 55839 ssh2
Is this something special to your AIX config? Can you change it to the
standard format?
Any other AIX user in here with more information on this?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/9/07, Carlos Eduardo Pedroza
Hi John,
You need to add this configuration to the ossec server, not the agent
(same to the auto_ignore option).
*Also, the alert will only come by the next time syscheck runs (which
is by default every
12 hours).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/9/07, PKTan [EMAIL
Hi Chad,
I would suggest ignoring this directory on the ossec server. Just add
an additional line
to the syscheck ignore:
<ignore>C:\WINDOWS/system32/inetsrv/History</ignore>
It should solve it. For the next version, I will make sure it comes
ignored by default...
Thanks,
--
Daniel B. Cid
dcid
it is possible to do on Windows, but on
Linux, BSDs (and similar), it would require kernel hacking... Anyone
interested in taking
such a task? :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
/index.php/Community_manual:BugReport
*the logs from one of those agents and the server should be enough.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/28/07, Jon Whittington [EMAIL PROTECTED] wrote:
Hello,
I am getting the following error logged on the ossec server:
ossec-remoted
:
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_PIX
*btw, you can keep the additional timestamp in there, but not the
extra hostname.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/28/07, ubahmapk [EMAIL PROTECTED] wrote:
This is a question
src; make
setprelude; cd ..;
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/25/07, Tomas Olsson [EMAIL PROTECTED] wrote:
Hi,
Has anybody done any work on converting OSSEC alerts into IDMEF
(http://www.rfc-editor.org/rfc/rfc4765.txt)?
/Tomas
):
<rule id="100101" level="0">
<if_sid>31101</if_sid>
<url>url1_to_ignore|url2_to_ignore</url>
<description>Ignoring false positives...</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Although it's good to enable
Hi,
Actually, this format will not work. You need to specify each email
address on its
own email_to tag:
<email_to>[EMAIL PROTECTED]</email_to>
<email_to>[EMAIL PROTECTED]</email_to>
<email_to>xxx</email_to>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/27/07, [EMAIL PROTECTED] [EMAIL
Hi Tim,
They will continue forever :) Basically, we don't queue the logs in
memory, but we just
store the location (pointer) of the last log that was read (and for
integrity checking, the last file checked). When the server is back,
we continue where we left...
Thanks,
--
Daniel B. Cid
dcid
of the alerts.log changes
and re open it...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/19/07, Dan [EMAIL PROTECTED] wrote:
Hi list
How is the logrotation of ossec built?
I use an external tool to check the alerts.log, and with the
logrotation it could happen that I lose
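The two messages above describe the same mechanism from two sides: the agent keeps no in-memory queue, only the position of the last line it read, and a reader of alerts.log has to notice when the file is rotated and reopen it. The following is an added example written for this archive, not OSSEC's own code: a resumable reader that persists the byte offset and inode in a small state file (the file names and the JSON state format are assumptions), skips a partially written last line, and starts from byte 0 when the inode changes or the file shrinks. The demo writes constructed alert lines to a temporary directory and simulates a logrotate-style rename.

```python
"""
Resumable log reader: persists only the byte offset (and inode) of the
last complete line consumed, so a consumer that stops while the server is
down, or while alerts.log is rotated, resumes where it left off without
queueing lines in memory.

Added illustration for this list archive, not OSSEC's own code. The state
file name and its JSON layout are assumptions.
"""
import json
import os
import tempfile


def read_new_lines(log_path, state_path):
    """Return complete new lines since the last call and persist the position.

    Rotation is detected when the inode changes or the file is shorter than
    the saved offset; reading then restarts from byte 0 of the new file.
    """
    state = {"inode": None, "offset": 0}
    if os.path.exists(state_path):
        with open(state_path) as fh:
            state = json.load(fh)

    st = os.stat(log_path)
    if st.st_ino != state["inode"] or st.st_size < state["offset"]:
        # Rotated (new inode) or truncated: start over on the new file.
        state = {"inode": st.st_ino, "offset": 0}

    lines = []
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        while True:
            line = fh.readline()
            if not line:
                break
            if not line.endswith(b"\n"):
                # Partial line still being written: leave it for next time.
                break
            lines.append(line.decode("utf-8", "replace").rstrip("\n"))
            state["offset"] = fh.tell()

    with open(state_path, "w") as fh:
        json.dump(state, fh)
    return lines


def demo():
    """Constructed sample: write alerts, read, append, rotate, read again."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "alerts.log")
    state = os.path.join(d, "alerts.offset")

    with open(log, "w") as fh:
        fh.write("** Alert 1 **\n** Alert 2 **\n")
    first = read_new_lines(log, state)   # both lines

    with open(log, "a") as fh:
        fh.write("** Alert 3 **\n** Alert 4 (no newline")
    second = read_new_lines(log, state)  # only Alert 3; partial line waits

    # Simulate logrotate: move the old file aside, create a fresh alerts.log.
    os.rename(log, log + ".1")
    with open(log, "w") as fh:
        fh.write("** Alert 5 **\n")
    third = read_new_lines(log, state)   # new inode, so reading restarts at 0

    return first, second, third
```

The partial "Alert 4" line is deliberately not returned on the second call; a line is only consumed once its newline is on disk, which is what keeps the persisted offset consistent with what was handed to the consumer.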
with the granular e-mail
options... So, if in
the granular option you choose to email everything above level 1, only
the ones above email_alert_level will in fact
be e-mailed. Does it make sense?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED
Hi Daniel,
Regarding how to write the rules, the following documents can help:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/18/07, Peter M. Abraham [EMAIL PROTECTED] wrote
this shtml.exe, just create a local
rule looking for it:
..
<if_sid>30115</if_sid>
<match>/shtml.exe/</match>
..
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/18/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
Greetings:
Apache error_log entry:
[Tue Sep 18 19:04:59 2007] [error] [client
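The ignore rule a few messages up (a level-0 child hanging off rule 31101 with a `|`-separated list) and the shtml.exe rule here (a child of 30115 that matches a substring) rely on the same chaining: a rule with if_sid is only tried after its parent fired, the child's verdict replaces the parent's, and level 0 silences the event. The following is an added example for this archive, not OSSEC code and not its real rule set: a minimal model of that evaluation with constructed rules and constructed Apache error_log lines. The rule ids, levels and the use of `<match>` for the ignore (the thread's rule uses `<url>`) are illustrative; the ordering model (children tried in definition order, first match wins) is simplified.

```python
"""
Minimal model of OSSEC rule chaining: a child rule (if_sid) is only tried
after its parent fired, a matching child replaces the parent's verdict, and
a level-0 match means "ignore". <match> is a plain substring test where '|'
separates alternatives, which is why one ignore rule can list several URLs.

Added example for this list archive; rules, ids and log lines are
constructed, and the evaluation order is simplified.
"""

# Constructed rule table: a parent that fires on any Apache error, a child
# that raises the level for shtml.exe probes, and a level-0 child that
# ignores known-benign URLs. Ids are illustrative, not OSSEC's.
RULES = [
    {"id": 30115, "level": 5, "match": "[error]",
     "description": "Apache error"},
    {"id": 100100, "level": 10, "if_sid": 30115, "match": "/shtml.exe/",
     "description": "shtml.exe probe"},
    {"id": 100101, "level": 0, "if_sid": 30115,
     "match": "/favicon.ico|/robots.txt",
     "description": "Ignoring false positives..."},
]


def ossec_match(pattern, text):
    """OSSEC-style <match>: plain substring, '|' means OR."""
    return any(alt in text for alt in pattern.split("|"))


def evaluate(log, rules=RULES):
    """Return the final (rule id, level) for a log line, or None if nothing fires."""
    by_parent = {}
    for r in rules:
        by_parent.setdefault(r.get("if_sid"), []).append(r)

    def descend(parent_id):
        # Try the children of parent_id in definition order; the first one
        # that matches wins, and its own children are tried recursively.
        for r in by_parent.get(parent_id, []):
            if ossec_match(r["match"], log):
                child = descend(r["id"])
                return child if child else r
        return None

    hit = descend(None)
    if hit is None:
        return None
    return hit["id"], hit["level"]


# Constructed Apache error_log samples (not taken from the thread).
SAMPLES = [
    "[Tue Sep 18 19:04:59 2007] [error] [client 10.0.0.5] File does not exist: /var/www/cgi-bin/shtml.exe/",
    "[Tue Sep 18 19:05:01 2007] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico",
    "[Tue Sep 18 19:05:02 2007] [error] [client 10.0.0.5] File does not exist: /var/www/secret",
    "[Tue Sep 18 19:05:03 2007] [notice] Apache/2.2 configured -- resuming normal operations",
]


def classify(samples=SAMPLES):
    """Map each line to 'alert <id>/<level>', 'ignored', or 'no match'."""
    out = []
    for line in samples:
        res = evaluate(line)
        if res is None:
            out.append("no match")
        elif res[1] == 0:
            out.append("ignored")
        else:
            out.append("alert %d/%d" % res)
    return out
```

The third sample shows why the parent matters: nothing more specific matches, so the generic level-5 parent is what gets reported, and a local rule that should catch a new probe must hang off that parent with if_sid rather than stand alone.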
Hi Paco (and anyone else with the problem),
Can you send a copy of one or two ossec e-mails to us? They must
include the original
headers and the time it was supposed to show. Without that it is going
to be hard to find
out what is going on.
Thanks,
--
Daniel B. Cid
On 9/18/07, Paco Avila
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/17/07, Valerio Daelli [EMAIL PROTECTED] wrote:
Hi
we use ossec-hids 1.3 on FreeBSD and we would like to monitor
the logs of BIND.
If we use a log_format of 'named' the server cannot even start.
If we use a log_format of syslog for the log file
be:
<rule id="12" level="0">
<if_sid>4313</if_sid>
<id>^4-419002</id>
<regex>from inside:xxx.xxx.xxx.xxx</regex>
<description>Rule that will ignore Duplicate</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/14/07, mcamacho75 [EMAIL PROTECTED] wrote:
I appreciate
:
Received From: (xx) 192.168.2.0-/var/log/messages
Everything after the from: is what the hostname matches...
**ok, before someone complains, I know hostname is not the best name for this
option, but this is what we have now. Patches are welcome :)
Hope it helps.
--
Daniel B. Cid
dcid
Hi Eric,
You shouldn't be too worried about it, since it is just a scanner or
something like that. If you
do a netcat (or telnet) to your ssh server you will get the same
error. I will reduce the
severity of this one...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/12/07, Eric Yeoh [EMAIL
the installation scripts, but just make sure
they work on all the operating systems we currently support (Linux,
*BSD, Solaris, AIX, etc) and have at
least all the current functionality (+ being easy to use :)).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/6/07, Slava Semushin [EMAIL PROTECTED
Hi Reggie,
My suggestion would be:
-Copy the whole /var/ossec and /etc/ossec-init.conf to the new system.
-Reinstall ossec (running the install.sh and choose the upgrade option).
It should do it..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/5/07, Reggie Griffin [EMAIL PROTECTED
Hi Daniel.
You can execute anything you want in there (from perl, to .sh, java,
etc). It just needs
to have the executable flag set and accept the proper arguments (add,
delete, etc).
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/3/07, Dan [EMAIL PROTECTED] wrote:
Hi Ossec List
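The reply above says an active-response script can be anything executable that accepts the add/delete arguments. What it does not say, and what a practitioner wants before the alert's source address reaches a firewall command, is to validate that argument. The following is an added example for this archive, not an OSSEC script: a Python skeleton that parses the action and source IP, refuses malformed or protected addresses, and builds the command as an argv list so the value from the alert can never become extra shell syntax. The argument order (action, user, srcip, alert id, rule id) is an assumption taken from the layout of the stock firewall-drop scripts; check it against the scripts shipped with your install.

```python
#!/usr/bin/env python3
"""
Skeleton for an OSSEC active-response script with input validation.

Added example for this list archive, not OSSEC's own code. Assumed argument
order, modeled on the stock firewall-drop scripts (verify locally):
    <script> add|delete <user> <srcip> [<alert_id> <rule_id>]
"""
import ipaddress
import subprocess
import sys

# Addresses this script must never block, whatever the alert says
# (constructed list; adjust to your environment).
NEVER_BLOCK = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.2.0/24"),
]


def build_command(action, srcip):
    """Return the argv list to execute, or raise ValueError on bad input.

    The address is parsed rather than interpolated into a shell string, so a
    hostile value carried in the alert cannot inject shell syntax.
    """
    if action not in ("add", "delete"):
        raise ValueError("unknown action %r" % action)
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        raise ValueError("not an IP address: %r" % srcip)
    if ip.version != 4:
        raise ValueError("IPv6 not handled by this example")
    if any(ip in net for net in NEVER_BLOCK):
        raise ValueError("%s is on the never-block list" % ip)
    flag = "-I" if action == "add" else "-D"
    return ["iptables", flag, "INPUT", "-s", str(ip), "-j", "DROP"]


def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: %s add|delete user srcip [alert_id rule_id]\n"
                         % argv[0])
        return 2
    try:
        cmd = build_command(argv[1], argv[3])
    except ValueError as e:
        sys.stderr.write("refusing: %s\n" % e)
        return 1
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the server calls the same script with `delete` when the block times out, the `-D` branch has to mirror the `-I` rule exactly, otherwise the timeout never actually unblocks the address.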
/ossec-hids-070902.tar.gz
Btw, nice local rules :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Refer to this thread about a similar discussion:
http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b
Below
Hi Peter,
Your rule looks good to me. If you can show us the log that you want
to match, it
may be easier to improve it a bit more. The only change I would do is
to use an id
above 100,000 since these are reserved for local rules.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/31
it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/22/07, Stephen Williamson [EMAIL PROTECTED] wrote:
Will I did as you suggested
<active_response>
<disabled>yes</disabled>
</active_response>
but it stops in error on the change. See below.
Steve
OSSEC HIDS v1.3 Stopped
Starting
) and we will help you to set it up (docs not ready yet).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/23/07, Thorne Lawler [EMAIL PROTECTED] wrote:
Dan,
Please let me know if you find any, that would be very handy. What would
be even better would be some kind of ossec plugin
Yes, it supports logs from PIX, ASA and FWSM. Most of them are the same and our
decoders handle all cases...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/28/07, Patrick Roelke [EMAIL PROTECTED] wrote:
I can't recall if the PIX logs are the same as the ASA but it should
log
03:20:11 ADT 2007
*Anyone willing to come up with some perl/shell script to show up the last scans
for all agents? Might be useful
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/27/07, Andrew Storms [EMAIL PROTECTED] wrote:
Thanks. Its not a matter of rootcheck doing its
*Linux is the only OS that reports this incorrectly (even Windows does
this right :/)...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/27/07, David Williams [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In my previous life, we had several busy servers
Hi Daniel,
Are you sure ossec did this? First, it doesn't run on kernel mode, so
even if it crashed, it
would not crash the whole system. It also doesn't use a lot of memory,
so I can't see it
being responsible for that...
Can you show us more information? If you are still getting alerts from
this? Or can tell me what can
I seek to correct the issue. By chance I have 2 dhcp servers the other one took
the control when my master one died.
--
Daniel Paquet
Technicien Informatique
Service des Résidences
514-343-6111 #1665
Hi Peter,
They should happen almost at the same time, with the active response before
the e-mail (most of the time). Basically, as soon as the alert is
fired, it is sent to the os-remoted (on the server), which forwards to
the correct agent.
Hope it helps.
--
Daniel B. Cid
dcid
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/21/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hello,
I rebooted the server and found ossec failed. I tried to start it
service ossec start
Starting OSSEC: 2007/08/21 00:56:01 ossec-syscheckd(1210): Queue
'/var/ossec/queue/ossec/queue
for the majority of users. If
in your environment you can live with the risk of being blocked for a
few days, just increase it :)
Anyway, I really liked your idea of a dynamic timeouts and I will add
it to our todo list.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/21/07, Thorne
Hi Stephen,
It is actually a bug in ossec. You need to set it to: (note the
underline instead of a dash)
<active_response>
<disabled>yes</disabled>
</active_response>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/21/07, Stephen Williamson [EMAIL PROTECTED] wrote:
I have some agents
privately to avoid having to
remove ip addresses, etc.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/18/07, Jeff Schroeder [EMAIL PROTECTED] wrote:
On Aug 17, 8:18 pm, Peter M. Abraham [EMAIL PROTECTED]
wrote:
Does anyone have any rules they have, and are willing to share in
terms
, so if that is different, let us know.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/20/07, Tom Bicer [EMAIL PROTECTED] wrote:
I've been trying to get ossec work with netscreen logs. I'm unable to figure
out why only device name ns5gt works.
Replacing that name with any other valid
). If the entry is not there, please send to us your
ossec.conf and some more
information to understand/reproduce the issue.
http://www.ossec.net/wiki/index.php/Community_manual:BugReport
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/17/07, Peter M. Abraham [EMAIL PROTECTED] wrote:
Greetings
.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/15/07, Steve West [EMAIL PROTECTED] wrote:
Hi Dave,
Thank you so much for all of your help!
Just for clarification, our vpopmail logs do NOT have the http:// stuff
which I'm seeing being added in your reply.
It seems that the OSSEC decoder
of A, the problem is with grep. On Solaris we
try to use the one
at /usr/xpg4/bin/grep , do you have it? You might need to install it,
because we use the
binaries at /usr/xpg4/bin to compile ossec... Anyone else using
Solaris that can give some
help?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/13
here:
http://www.ossec.net/ossec-list/2007-March/msg00079.html
example (to overwrite rule 1002):
<rule id="1002" level="10" overwrite="yes">
..
</rule>
or:
<rule id="1002" level="8" overwrite="yes">
<match>Segmentation|XYZ</match>
<description>Rule 1002 overwritten.</description>
</rule>
Hope it helps.
--
Daniel B. Cid
that the 100100 is going to be checked first, followed
by the 100102 and
100103...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/9/07, Josh Drummond [EMAIL PROTECTED] wrote:
At 06:10 PM 8/8/2007, Daniel Cid wrote:
Hi Josh,
Reply inline...
On 8/8/07, Josh Drummond [EMAIL PROTECTED
Hi Jonas,
Yes, you can use wildcards in the log files. Wiki entry about it:
http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/8/07, Jonas [EMAIL PROTECTED] wrote:
It would be possible use wildcards to indicate the log
Download:
http://www.ossec.net/main/downloads
Special thanks to Michael Starks, Brian Wang, Serge Dubrouski, Logan
O'Sullivan Bruns and Dave Lowe for the contributions and Dennis
Borkhus-Veto, John Ives and Liliane Cid for beta testing this release.
Thanks!
--
Daniel B. Cid
dcid
Hi Robert,
Did you restart the server after adding the
<alert_new_files>yes</alert_new_files>
entry? Also, take a look at this post that explains a bit more about
the alert_new_files
option:
http://www.ossec.net/ossec-list/2007-May/msg5.html
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/2/07, David Williams [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Daniel,
I was just writing to say I've not seen that problem in a while --
but I just checked the logs and it's back. I upgraded the server
(or gziped) copy of your /var/ossec/queue/syscheck?
I want to see what is wrong in there...
Btw, is anyone else seeing those? If yes, please send me a copy of the above
directory to debug...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/31/07, David Williams [EMAIL PROTECTED] wrote:
-BEGIN
/local_rules.xml and it should
solve your problem.
Regarding the white list, it should have worked too, but you would
still get the alerts,
but not the active response. If you can show us your ossec config and
active response
log, we can try to see what is going on..
Thanks,
--
Daniel B. Cid
dcid
, repackage ossec and
install it on any system that does not
have a compiler...
If that's not the issue, let me know.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
The compile error only happens with the BINARY_INSTALL=X ; I solved
it like
this change, all first time alerts from host termserv1
will have only a
severity of 3, without the alert_by_email option...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/07, Will Froning [EMAIL PROTECTED] wrote:
Hello Daniel,
On 7/26/07, Daniel Cid [EMAIL PROTECTED] wrote
://www.ossec.net/wiki/index.php/Know_How:WindowsPolicy
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
or lsof) nothing will
be shown. However, if you try to use the port, you will get an error
saying that it is already in use.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/07, Ken A [EMAIL PROTECTED] wrote:
Clayton Dillard wrote:
I've received several alerts from one host where
://www.ossec.net/wiki/index.php/Errors:AgentCommunication
*You can also change the port 1514, by specifying the port tag.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/07, Reggie Griffin [EMAIL PROTECTED] wrote:
Daniel,
Thanks, that was very helpful. Anyway to hardcode
-July/msg00035.html
If that's not it, let me know and we can try to figure out what is happening...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/25/07, Will Froning [EMAIL PROTECTED] wrote:
Hello All,
On 7/25/07, Will Froning [EMAIL PROTECTED] wrote:
Hello All,
Here's a me too
know if the problem persists (we fixed a lot of issues on
this version).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/23/07, Chris Tankersley [EMAIL PROTECTED] wrote:
We were having problems with ossec just stopping on OpenBSD 4.1-stable,
so we set up a cron to stop, then start the ossec
</hostname>
<description>Events ignored</description>
</rule>
</group>
Hope it helps.
*http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/24/07, Clayton Dillard [EMAIL PROTECTED] wrote:
I'm a bit fuzzed on the relationship between the server and agents
<options>alert_by_email</options>
<description>Login to secure server.</description>
</rule>
After that, you can create your granular config:
<email_alerts>
<email_to>[EMAIL PROTECTED]</email_to>
<rule_id>100200</rule_id>
<do_not_delay />
</email_alerts>
hope it helps...
--
Daniel B. Cid
dcid ( at ) ossec.net
(generally /etc/init.d/ossec and all the
references on /etc/rc.X)
-Remove all the ossec users
-Remove /etc/ossec-init.conf
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/21/07, Barbaros Usekes [EMAIL PROTECTED] wrote:
Hello,
I installed ossec on my server yesterday, to try it, and now I
Hi Jose,
Can you show us a few samples of your proftpd logs? Also, look at the
ossec alerts log
and the active responses log to make sure that it really didn't block
the attack. By
default it will unblock the ip after 10 minutes...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/17/07
)
We would need to change some of the decoders to support this format...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/16/07, Fletch Hasues [EMAIL PROTECTED] wrote:
Greetings,
I am trying to configure a host to prevent access via firewall drop by
using the rules that I see firing
the other location, so reinstalling makes it easier
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/13/07, Zach Patrick [EMAIL PROTECTED] wrote:
Hi List,
Ossec is located at /var/ossec, and the logs are currently being stored at
/var/ossec/logs. The /var/ partition on our ossec server
Hi Paco,
Joking aside, the agent will detect that the server is down (after a
few minutes without
the keep alive messages) and stop reading/sending events until it is
back up (it will
detect when the server is back again).
Hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/13/07, Paco
have suggestions
and would like to help building the applications profiles and default
audit settings,
let me know.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
is happening.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/29/07, Tim Boyer [EMAIL PROTECTED] wrote:
Yup. Just tried it again, just to be sure - no luck.
Hi Tim,
Did you restart the server after adding the new agents? And after that start
the new agents?
E.
2007/6/29, Tim Boyer
is that the server sends new rules out to
the agents.
You only need to restart the server. The agent does no log parsing...
Any help would be much appreciated.
-GP
hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
Hi Rob,
That's expected if the agent can't connect to the server, otherwise
you have some
weird error. Can you provide us with your whole ossec.log from the
agent? Also, if
you can show us the ossec.conf (of the agent), it can help too.
*which ossec version are you using?
Thanks,
--
Daniel B
we hard-coded
a validator looking for Security, Application or System... I
will see if I can fix it
for the next snapshot. Is there any more event log sources that we may need to
add?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/26/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hello
Hi Erik,
Sorry for taking long to reply to you, but it looks like your
problem should be
fixed in the following snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-070625.tar.gz
Thanks to Logan Bruns in the dev-list for the patch...
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/18
/Know_How:Ignore_Rules
http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
Also, my presentation at AusCERT/Confidence can be of help too:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/21/07, Steve Johnson [EMAIL
Hi Erik,
Did you restart Apache after making the group changes? This is the only thing
I can think of... OSSEC WUI only requires PHP 4 or above with Posix support...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/19/07, Erik Delfgaauw [EMAIL PROTECTED] wrote:
Hi Brad,
Wish
be good to go.
*btw, I don't think that these rules are very likely to generate false
positives, especially
on Unix systems (where people don't use spaces for file names). It is
matching on the
%20from%20, which is commonly used on SQL injections...
hope it helps.
--
Daniel B. Cid
dcid
Hi Serge,
My bad, I was testing with my own cvs copy. It should work now:
//www.ossec.net/files/snapshots/ossec-hids-070619.tar.gz
Thanks for testing...
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/18/07, Serge Dubrouski [EMAIL PROTECTED] wrote:
It does not compile:
gcc -g -Wall -I../ -I
Hi Clayton,
Can you give us the following information:
http://www.ossec.net/wiki/index.php/Community_manual:BugReport
Without that it is very hard to troubleshoot what is going on...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/17/07, Clayton Dillard [EMAIL PROTECTED] wrote:
I've
files work with the ASA
please let me know – I would be more than happy to help.
Yes, please (see above) :)
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
are not being parsed, but also the program
name (e.g sshd),
which are causing your ossec install to miss a lot of stuff (some of
our rules/decoders
are based on the program name)...
Hope it helps..
--
Daniel B. Cid
dcid ( at ) ossec.net
can blame sourceforge for it being broken. I used to use the
compile farm to test ossec on most operating systems, but since they
disabled it, I have no way of testing it.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/14/07, Serge Dubrouski [EMAIL PROTECTED] wrote:
Some additional info