Essentially, I want to trigger an active response for a rule that I created
that has a severity level of 0. I created this rule because I did not want
to be alerted on the default rule and only wanted to be alerted based on
the output from my active response. My question is if I have the
Hi,
I tried to do this, but I'm getting:
ERROR: Parent decoder name invalid: 'rootcheck'
ERROR: Error adding decoder plugin
I don't see the rootcheck decoder within decoder.xml as well, any ideas?
Thanks again for the help!
On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
Yes I have, I've also tried to disable all the relevant changes I've made,
restart, and still have the same issue.
On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com
> > wrote:
> >
Hi all,
I'm running into an issue where rule 510 is triggering and I'm getting
spammed with alerts but I can't seem to tune it correctly. What's weird is
that I am still getting alerted for rule 510 for this log, but I can't
figure out how to get that to show in logtest. Basically, I am
On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <tsinfo...@gmail.com
> > wrote:
> > Yes I have, I've also tried to disable all the relevant changes I've
> made,
> > restart, and still have the same issue.
> >
Ah ok got it, thanks!!
On Friday, April 7, 2017 at 5:00:11 PM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, Apr 7, 2017 at 7:30 PM, Rob Williams <tsinfo...@gmail.com
> > wrote:
> > Hello,
> >
> > I assume this should be pretty simple but I've been troubleshooting an
from the
decoder to do so. Any ideas? Thanks!
On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting
> spammed with alerts but I can't seem to tune it correctly. What's weird is
>
s for rootcheck. What you want to extract in the
> id field is the file, right? You can do a *match* in the rule for the
> file.
>
> Regards.
>
> On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>>
>> Hi Jesus,
>>
>> Thanks for the rep
Still no luck. Just to verify, the scripts should be located in
/var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
really telling me anything either.
On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant
Hello,
I assume this should be pretty simple but I've been troubleshooting an
Active Response I setup with a custom script and rules/decoders. Everything
looks like it should be operating correctly, but I could not get it to work.
After checking an agent, I'm realizing the custom script in
Also, I've gone ahead and restarted, stopped then started, and more, several
times.
On Friday, April 7, 2017 at 4:30:53 PM UTC-7, Rob Williams wrote:
>
> Hello,
>
> I assume this should be pretty simple but I've been troubleshooting an
> Active Response I setup with a custom s
Hi Jesus,
Can you elaborate a bit more on what you mean here? I'm also trying to
disable syscheck alerts when unattended upgrades run, but I'm not quite
sure the best way of doing so.
Thanks!
On Saturday, October 1, 2016 at 2:01:58 AM UTC-7, Jesus Linares wrote:
>
> Hi James,
>
> review the
Indeed it does!! Thanks for the help, really appreciate it!
On Tuesday, March 6, 2018 at 3:55:11 PM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Mar 6, 2018 at 6:52 PM, Rob Williams <tsinfo...@gmail.com
> > wrote:
> > I am trying to create a child rule to 1002 (which I have
I am trying to create a child rule to 1002 (which I have silenced) to alert
in certain cases. I can get the rule to work if I remove the regex portion;
however, I don't want that as a permanent solution. My rule is below, and a
sample log entry is below as well. Am I doing something wrong when
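An added example, written by the editor and not taken from any post in this thread, that puts the three pieces discussed above into working OSSEC configuration: a child rule under a silenced parent using if_sid and an OSSEC-syntax regex (the rule-1002 question), a plain match on the file path for rootcheck events under rule 510 (Jesus's suggestion), and the ossec.conf binding that runs a script from /var/ossec/active-response/bin/ for that child rule. Every rule id, the script name, the rootcheck path and the sample log line are assumptions made up for illustration. Two caveats a practitioner will want: OSSEC's regex tag uses OSSEC's own syntax, not PCRE (\w \d \s \S \p and \., the repeaters + and *, anchors ^ and $, alternation |, escapes like \( and \); there is no ?, no {n} and no [a-z] class), so a PCRE-style pattern matches nothing while the same rule works once the regex is removed; and a level-0 rule is dropped by analysisd before alerting and active response are considered, so the rule that is meant to trigger a response must have a non-zero level (silence the noisy parent at level 0 and give the child the level you want, bound by rules_id).

```xml
<!-- Added example; not a rule or config posted in this thread. Ids, names,
     paths and the sample log line are assumptions for illustration only. -->

<!-- ===== /var/ossec/rules/local_rules.xml ===== -->
<group name="local,syslog,">

  <!-- Constructed sample log line the first rule is written against:
       Apr  5 12:44:01 web01 backup[1234]: job failed for /srv/data with exit code 2
       The syslog decoder strips the header, so the regex is applied to the
       text after "backup[1234]: " and program_name is "backup". -->

  <!-- Child of stock rule 1002, assumed already silenced at level 0 as in the
       post above. A level-0 parent is still usable from if_sid; only its own
       alert is dropped. The pattern uses OSSEC regex syntax only: \S+ for the
       path, \d+ for the exit code. No ?, {n} or [a-z] classes exist here. -->
  <rule id="100100" level="7">
    <if_sid>1002</if_sid>
    <program_name>backup</program_name>
    <regex>job failed for /\S+ with exit code \d+</regex>
    <description>Backup job failed (re-raised from silenced rule 1002).</description>
  </rule>

  <!-- Child of rule 510 (rootcheck anomaly). The rootcheck message carries
       the file path in its text, so a substring match on the path is enough
       to silence one known file. The path is hypothetical. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <match>/opt/myapp/bin/helper</match>
    <description>Ignore rootcheck anomaly for the known helper binary.</description>
  </rule>

</group>

<!-- ===== /var/ossec/etc/ossec.conf (inside the ossec_config element) ===== -->
<!-- The executable is resolved relative to /var/ossec/active-response/bin/
     on whichever host runs it (location local = the host that generated the
     event); it has to be present there and executable. rules_id ties the
     response to the level-7 child rule; a level-0 rule never reaches this
     stage, so binding a response to one does nothing. -->
<command>
  <name>notify-backup</name>
  <executable>notify-backup.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>notify-backup</command>
  <location>local</location>
  <rules_id>100100</rules_id>
</active-response>
```

To check the first rule without waiting for a real event, paste the constructed log line into /var/ossec/bin/ossec-logtest and confirm the output shows rule 100100 rather than 1002; if it still shows 1002 (or nothing), the regex is the first thing to simplify, since a pattern that is valid PCRE but not valid OSSEC syntax fails silently.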