>> > For testing purposes try to deactivate (change to level 0) rule 1002
> and
> >> > check if it is still generating these alerts.
> >> >
> >>
> >> Don't do this. There's no reason to change that to 0. Even for
> >> test
ule 1002 is? You sure you restarted the manager
> right?
>
> Best
>
> On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray <dbra...@gmail.com> wrote:
>
>> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>>
>> I've updated /var/oss
On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
>
> I'm waiting to see if it generates an alert.
>>
>
>
Nope, issue remains. Very confusing.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list"
On Friday, November 13, 2015 at 8:51:45 AM UTC-5, dan (ddpbsd) wrote:
>
> Or are you sure the manager restarted? Most of the time when I've seen
> this behavior on the list analysisd did not actually stop, so it
> didn't pickup the new rules. Running `/var/ossec/bin/ossec-control
> stop`, then
On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote:
>
> Try setting the rule to level 2
>
>
>
Doing that results in:
**Phase 3: Completed filtering (rules).
       Rule id: '17'
       Level: '2'
       Description: 'Ignore MIP Alerts'
**Alert to be generated.
On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp) wrote:
> I was hoping it would help with the production use, but since it was
> working for me I guess that doesn't matter. I'm pretty much stumped at
> the moment.
>
I'm running this on CentOS 6 with
On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote:
>
> Ok, this information is working for me as well. I have tested it on a
> local install and an agent/server install (changing the hostname as
> appropriate).
>
> Is the agent name testserver? Does the hostname of the system
On Friday, November 13, 2015 at 2:30:24 PM UTC-5, Pedro S. wrote:
>
> Okay try this:
>
> Temporarily remove "alert_by_email" from rule 1002 in
> syslog_rules.xml.
> Now add "alert_by_email" in your custom rule.
> Restart OSSEC and generate the alert.
>
> What I'm trying here is to stop OSSEC from
On Monday, November 16, 2015 at 7:47:24 AM UTC-5, Daniel Bray wrote:
>
> OK, I'm a little lost as to what this is trying to prove, but the updated
> settings are in place. I'm waiting for an alert to come through.
>
>
With the updated alert_by_email settings, this has stopped th
I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
I've updated /var/ossec/rules/local_rules.xml with the following rule:
<rule id="17" level="0">
  <!-- Element names are reconstructed: the list archive stripped the XML tags
       and kept only the values. id 17 is the rule ossec-logtest reports for
       "Ignore MIP Alerts" further down the thread; level 0 is assumed, as the
       usual level of an ignore rule; <regex> is assumed from the \.* syntax. -->
  <if_sid>1002</if_sid>
  <hostname>testserver1|testserver2</hostname>
  <program_name>mip</program_name>
  <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
  <description>Ignore MIP Alerts</description>
</rule>
I am trying to ignore rule 18107 and 18149, but only for certain accounts
(including the servers/machines).
Server OS: CentOS 6 (latest patches)
OSSEC: ossec-hids-server-2.8.2-49.el6.art.x86_64
Here is what I have in my /var/ossec/rules/local_rules.xml file.
18107
Account Name:
On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote:
>
> On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote:
>
>>
>> Is this the only rule in your local_rules.xml that isn't working, or are
>> all rules in your local_rules.xml not working?
>>
On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote:
>
> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for
> rule 1002, right there towards the top. Note the options element, which
> contains alert_by_email. That option tells OSSEC to ignore your
>
> the exact alert message when/if you get one. Be very
> careful not to replace white space if you are sanitizing the data. It will
> allow us to corroborate what you are seeing.
>
>
> From: ossec...@googlegroups.com [mailto:
> ossec...@googlegroups.com ] On Behalf Of Daniel Bra
ant that the alert you're looking to have sent via email
> actually be present in the alerts.log file.
>
> Good luck! Keep us up to date.
>
>
> On Monday, November 23, 2015 at 5:03:18 AM (UTC-8), Daniel Bray wrote:
>>
>>
>> On Monday, November 16, 2015 at 8:28:27 AM UTC
On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote:
>
> And strangely enough, this works just fine for me (ignored when fed
> through logger).
>
> Can you update to the latest OSSEC source from github and try that?
>
Updated to latest github update, and issue remains. Logtest
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote:
>
>
> Last idea at the moment:
> Copy archives.log. Open the copy in a text editor. Find an entry you
> want to test against and delete everything else.
> Delete the archives.log header from your chosen entry.
> Run that through
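The one-entry ossec-logtest check dan describes above, written out as a small shell helper so the archives.log header is stripped mechanically instead of by hand. This is an added example, not code from the thread or from OSSEC; it assumes the standard /var/ossec/bin/ossec-logtest path and the archives.log line layout `YYYY Mon DD HH:MM:SS [(agent) ip]->location <original log line>`, and the sample entry is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): feed one archives.log
# entry through ossec-logtest and report which rule fired at what level.

# archives.log stores each event as
#   YYYY Mon DD HH:MM:SS [(agent) ip]->location <original log line>
# ossec-logtest wants only the original log line, so strip that prefix
# (the "delete the archives.log header" step) for both agent and local entries.
strip_archives_header() {
  printf '%s\n' "$1" | sed -E \
    's/^[0-9]{4} [A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} (\([^)]*\) )?[^ ]+->[^ ]+ //'
}

# Pull the rule id and level from the "Phase 3" section of ossec-logtest
# output read on stdin; prints nothing when no rule matched.
logtest_rule_id() { sed -n "s/^.*Rule id: '\([0-9][0-9]*\)'.*$/\1/p" | head -n 1; }
logtest_level()   { sed -n "s/^.*Level: '\([0-9][0-9]*\)'.*$/\1/p" | head -n 1; }

# Run one archives.log entry through the manager's loaded rule set.
# Path assumed: /var/ossec/bin/ossec-logtest. Prints "rule=<id> level=<level>";
# returns 2 when ossec-logtest is not installed on this host.
test_archives_entry() {
  logtest=/var/ossec/bin/ossec-logtest
  line=$(strip_archives_header "$1")
  if [ ! -x "$logtest" ]; then
    echo "ossec-logtest not found; would have tested: $line" >&2
    return 2
  fi
  out=$(printf '%s\n' "$line" | "$logtest" 2>&1)
  rid=$(printf '%s\n' "$out" | logtest_rule_id)
  lvl=$(printf '%s\n' "$out" | logtest_level)
  printf 'rule=%s level=%s\n' "${rid:-none}" "${lvl:-none}"
}

# Constructed sample entry (agent form) of the kind the thread's MIP rule targets.
SAMPLE='2015 Nov 13 10:33:04 (testserver1) 10.0.0.5->/var/log/messages Nov 13 10:33:04 testserver1 mip: HAEngine: INFO heartbeat ok'

test_archives_entry "$SAMPLE" || echo "skipped (status $?)" >&2
```

Compare the id and level this prints with the rule you expect: ossec-logtest loads the rules from disk each time it runs, so if it reports the custom rule at level 0 while the running manager still mails the same line, the two are not evaluating the same rule set, which is the restart problem raised earlier in the thread.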
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote:
>
> Is this the only rule in your local_rules.xml that isn't working, or are
> all rules in your local_rules.xml not working?
>
>
So far, this is the only rule that I just can't seem to stop emailing. I
have other rules, and
On Monday, November 16, 2015 at 8:28:27 AM UTC-5, Daniel Bray wrote:
>
> With the updated alert_by_email settings, this has stopped the email
> alerts. I see it hitting the WebUI as alert level 2, but no emails are
> coming in.
>
Unfortunately, with everything put back
Can someone verify that all the proper settings are in place to allow for
realtime scans on some directories? We are running CentOS 6 servers
(manager and agents/clients), and we use the Atomic install method.
Here is the latest available Atomic version installed (also noted inotify
is
day
>
> I tested that configuration and Syscheck appears to work properly.
>
> Hope it helps.
>
> Best regards.
>
>
> On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote:
>>
>> Can someone verify that all the proper settings are in place to allow
, 2016 at 8:47 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <dbray...@gmail.com> wrote:
> > Can someone verify that all the proper settings are in place to allow for
> > realtime scans on some directories? We are running
(ddp) <ddp...@gmail.com> wrote:
> On Tue, Aug 2, 2016 at 8:55 AM, Daniel Bray <dbray...@gmail.com> wrote:
> > OK, I think that is the issue. With the settings like this:
> >
> > 1am
> > 82800
> > no
> > yes
> > no
> >