[ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd

2012-03-02 Thread Steve
/bin/ossec-csyslogd Thanks for any suggestions or help! Steve

[ossec-list] whitelist domain names

2011-02-22 Thread Steve
without it resulting in blocking search engines? Steve

[ossec-list] Re: Problems with (re)starting ossec-remoted (Solaris)

2006-10-18 Thread Steve
appreciated. Steve Richard Hopkins wrote: Hi, Sorry to have to report that the new version has exactly the same problems as previous versions (and the same workaround still works). Richard --On 27 September 2006 13:57 +0100 Richard Hopkins [EMAIL PROTECTED] wrote: Hi Daniel

[ossec-list] Re: Problems with (re)starting ossec-remoted (Solaris)

2006-10-19 Thread Steve
. If I've overlooked anything, let me know, and I'll post it. I appreciate your help. Steve Daniel Cid wrote: Hi Steve, Which operating system are you using? I tried to reproduce it on multiple systems (including solaris 10, Fedora, Ubuntu, OpenBSD and Windows) without success. Do you have

[ossec-list] Running a script on alert

2008-07-09 Thread Steve
. Thanks, Steve

[ossec-list] Upgrade to 2.1.1 - now error sending emails

2009-07-20 Thread steve
I just upgraded from 2.0 to 2.1.1, and now OSSEC is unable to send any emails. The log says: 2009/07/20 10:16:19 ossec-logcollector: INFO: Started (pid: 4596). 2009/07/20 10:16:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2009/07/20 10:18:08 ossec-maild(1223): ERROR: Error

[ossec-list] Re: Upgrade to 2.1.1 - now error sending emails

2009-07-20 Thread steve
! On Jul 20, 10:59 am, steve steve.hors...@gmail.com wrote: I just upgraded from 2.0 to 2.1.1, and now OSSEC is unable to send any emails. The log says: 2009/07/20 10:16:19 ossec-logcollector: INFO: Started (pid: 4596). 2009/07/20 10:16:49 ossec-syscheckd: INFO: Starting syscheck database

[ossec-list] help with agent-config name=foo in agent.conf on 2.6 server

2014-08-11 Thread Steve
if I could find an answer, if it's here, I'm missing it. Any help would be greatly appreciated. I just added two agents that I need to write more custom sections for, but I'm not confident I can at this point. Thanks! Steve

[ossec-list] Using OSSEC to capture sudo command output

2017-10-05 Thread steve
am inquiring to see if the answer is still valid. If this is not an option, how have those using OSSEC addressed the need for capturing the commands being issued when running 'sudo' that may be needed for one's auditing? Thanks Steve

Re: [ossec-list] Using OSSEC to capture sudo command output

2017-10-05 Thread steve
question I am asked is "what was the sudo command that OSSEC captured *and* who issued the sudo command?". I want to make sure the logs OSSEC is capturing include these pieces of information that will aid in an audit. Steve On Thursday, October 5, 2017 at 4:01:06 AM UTC

Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd

2012-03-05 Thread Steve Lodin
Thanks Andreas. I've got valgrind running on both binaries and it looks like there might be some interesting leak results. Any suggestions on how to get this fixed? Sorry, relative newbie to OSSEC and I'm not sure how to get this into the bug fix process. Cheers, Steve On Fri, Mar 2, 2012

Re: [ossec-list] two interfaces

2012-03-05 Thread Steve Lodin
it is configured. Steve On Mon, Mar 5, 2012 at 1:29 PM, Michael Barrett michael_barr...@mgic.comwrote: I have a RH 5 box with two interfaces on different subnets The interface that the key is on works fine but the other interface is trying to connect to the ossec server and I get a reject error

[ossec-list] Different Alert Logging Levels for File and Database

2012-03-06 Thread Steve Lodin
there is for syslog_output? Thanks, Steve

Re: [ossec-list] Memory Leak in ossec-csyslogd and ossec-dbd

2012-03-20 Thread Steve Lodin
I've had this patch running for the past two days and all indications are this eliminated the memory leak in read-alert.c that affects ossec-csyslogd. Thanks!! Steve On Sat, Mar 17, 2012 at 10:46 AM, Andreas Piesk a.pi...@gmx.net wrote: On 05.03.2012 19:28, Steve Lodin wrote: I've got

Re: [ossec-list] AnaLogi - OSSEC WUI

2012-05-15 Thread Steve Lodin
I was able to get code using: https://github.com/ECSC/analogi/zipball/master Looking forward to trying it out. We have approx 1MM events per hour and haven't found a good interface. Steve On Tue, May 15, 2012 at 11:29 AM, Scott Klauminzer sklaumin...@gmail.comwrote: Andy, It looks like

[ossec-list] Ignore Rules/Stop Email Alerts

2012-05-25 Thread Steve W
Hi There, My name is Steve W. Currently I have OSSEC 2.6 running on our web email server, as a local instance. I have my settings to only receive email alerts with a level/score of 7 or higher. Ever since the installation, I have been getting many of the following alerts to my email, and some

[ossec-list] Re: Ignore Rules/Stop Email Alerts

2012-05-26 Thread Steve W
, or are there things I should/need to change? Again, I appreciate your response, and thank you in advance for any input or advice you might be able to give me. Thanks buddy. Steve W On May 25, 8:14 am, dan (ddp) ddp...@gmail.com wrote: On Fri, May 25, 2012 at 4:14 AM, Steve W steve3

[ossec-list] Domain GPO Change - Windows Event Help

2012-05-26 Thread Steve Lodin
I'm headed into the OSSEC alert data. Each day has about 8 GB of uncompressed alerts. Can anyone identify the Windows event ID that corresponds to changing a domain GPO? Any other hints on how I can find this? Thanks, Steve

Re: [ossec-list] Re: dumb OSSEC database question

2012-06-26 Thread Steve Lodin
Perhaps you missed a step. This is a partial document I did earlier in the year when enabling DB support on CentOS... Steve -- Cell: +1-317-840-9088 LinkedIn: http://www.linkedin.com/in/stevelodin Twitter: http://twitter.com/stevelodin Updating OSSEC to include MySQL capability Backup Local

[ossec-list] Re: Ignore Rules/Stop Email Alerts

2012-06-27 Thread Steve W
contact info, I'd appreciate it. My email address is st...@typhoontech.net Thanks Steve On Friday, May 25, 2012 3:14:51 AM UTC-5, Steve W wrote: Hi There, My name is Steve W. Currently I have OSSEC 2.6 running on our web email server, as a local instance. I have my settings

Re: [ossec-list] Cannot have centralized agent config working

2012-07-31 Thread Steve Kieu
restart, how long exactly I don't know. -- Steve Kieu

Re: [ossec-list] Cannot have centralized agent config working

2012-07-31 Thread Steve Kieu
? It can sometimes take a while. Also, check the permissions. Try creating the file (or copying it over) and making sure the permissions are correct so it can be overwritten. -- Steve Kieu

Re: [ossec-list] Cannot have centralized agent config working

2012-07-31 Thread Steve Kieu
sure the permissions are correct so it can be overwritten. -- Steve Kieu -- Steve Kieu

Re: [ossec-list] Cannot have centralized agent config working

2012-07-31 Thread Steve Kieu
and the test server is minimum, it is a LXC container using openvz minimum template root file system - after that install gcc to compile and that is it. ~K On Tuesday, July 31, 2012 4:40:02 AM UTC-7, dan (ddpbsd) wrote: On Tue, Jul 31, 2012 at 7:31 AM, Steve Kieu wrote: I did

Re: [ossec-list] Cannot have centralized agent config working

2012-08-01 Thread Steve Kieu
that merge file for the config, as I still do not see in the log that it monitors these entries yet (in the merged.mg file) -- Steve Kieu

Re: [ossec-list] Cannot have centralized agent config working

2012-08-01 Thread Steve Kieu
? -- Steve Kieu -- Steve Kieu

[ossec-list] OSSEC and OSSIM

2011-08-18 Thread Brenton, Steve
of an access denied on the server or successful login. Thanks in advance for the help, -Steve

[ossec-list] hostname based rules

2011-09-27 Thread Steve Young
. Just want to get some expert's opinion on this. What is the reason behind this overwrite of hostname? Am I going to break something else by commenting out this section of the code? BTW, I'm using OSSEC v2.6. Thanks! Steve

[ossec-list] Re: hostname based rules

2011-09-28 Thread Steve Young
To answer my own question, I found a patch in version 2.5.1 that fixed this exact same problem. For some reason the version 2.6 is still not fixed. So yes, my fix should work fine. Thanks! Steve

[ossec-list] OSSEC v2.6 Bug

2011-09-28 Thread Steve Young
Hi, The way OS_AddListRule() is implemented (in lists_list.c) and used (in rules.c), each rule can have at most 2 lists. It will throw away all but the last two lists. I apologize if this is already fixed. I haven't tried to look for available patches. Steve

[ossec-list] How to say srcip not same as hostname in a rule?

2011-09-29 Thread Steve Young
Hi, I would like to say suppress this rule if srcip is the same as hostname. This does NOT work: <rule id="10" level="5"> <if_sid>1234</if_sid> <srcip>!hostname</srcip> <description>ignore if srcip is the same as hostname</description> </rule> What's the correct way to do this? Thanks! Steve

[ossec-list] Re: OSSEC v2.6 Bug

2011-10-01 Thread Steve Young
. In OS_DBSearchKeyAddressValue(), as I pasted below, the free(tmpkey); should be outside of the while loop, and the tmpkey[strlen(tmpkey) - 1] = '\0'; should be outside of the outer- most if statement. Steve +while(strlen(tmpkey) 0) +{ +if(tmpkey[strlen(tmpkey) - 1

Re: [ossec-list] OSSEC Invalid command name 'win_nullroute600'

2011-12-25 Thread Steve West
be the same. P. On Sun, Dec 25, 2011 at 4:59 PM, Steve West stevewes...@gmail.com wrote: Version: OSSEC 2.6 OS: Windows 2003 SP2 Can't seem to get the active response to work on the windows side. We are running the latest version of ossec 2.6

Re: [ossec-list] OSSEC Invalid command name 'win_nullroute600'

2011-12-26 Thread Steve West
. On Sun, Dec 25, 2011 at 7:52 PM, Steve West stevewes...@gmail.com wrote: On 12/25/2011 3:28 PM, dan (ddp) wrote: Now I see where you get the win_nullroute600: # ./agent_control -L OSSEC HIDS agent_control. Available active responses

[ossec-list] Agents cannot connect to server

2012-01-25 Thread Steve Kuntz
I have communication issues between my server and agents. All agents on the servers subnet can connect to the server. I have agents on other subnets which I've tried to configure in different ways and they can't connect to the server 2012/01/25 15:25:51 ossec-agent: INFO: Trying to connect to

[ossec-list] Re: Agents cannot connect to server

2012-01-26 Thread Steve Kuntz
generated and see if that helps. That would confirm source IP origination is the problem. Else, use wireshark or tcpdump on agent and server to look for 1514 packets sent/received. On Jan 25, 12:35 pm, Steve Kuntz stephen.ku...@gmail.com wrote: I have communication issues between my

[ossec-list] Re: Agents cannot connect to server

2012-01-27 Thread Steve Kuntz
Tried this also. Didn't work. My agents are Windows 2008. I don't believe this has anything to do with it as the Windows boxes on the same subnet as the server are getting responses back from the server. On Jan 26, 1:57 pm, Kat uncommon...@gmail.com wrote: I keep seeing these from more than one

[ossec-list] OSSEC support for ...

2007-03-04 Thread Steve West
Hi folks, I've added log samples for H-Sphere IIS at the wiki: http://www.ossec.net/wiki/index.php/Log_Samples_IIS_H-Sphere thx, SW

[ossec-list] Re: OSSEC Version 1.2 available

2007-05-16 Thread Steve West
Hi Daniel, Thanks for another outstanding release...hopefully I can install it later tonight on a few servers. I just have a quick question...I'm reading through the release notes and I'm wondering if the following is missing the opening tag for do_not_delay or is there none: email_alerts

[ossec-list] Re: Fine tune syslog_rules.xml Rule 1002

2007-06-15 Thread Steve West
Daniel Cid wrote: Hi Steve, This is easy to do with ossec. Just create a local rule to exclude these messages (include the following at /var/ossec/rules/local_rules.xml ): <group name="local"> <rule id="100101" level="0"> <if_sid>1002</if_sid> <match>connect_error: getsockopt|Ignoring mirror

[ossec-list] Is ossec reading my IIS logs?

2007-06-15 Thread Steve West
Hi, How do I test if ossec is actually reading the IIS logs I setup in ossec.conf? I don't see any entries in the ossec.log stating anything about iis logs and I'm wondering if there is a way I can test to make sure ossec is actually reading the logs. Also, can ossec take active response on

[ossec-list] Re: Fine tune syslog_rules.xml Rule 1002

2007-06-15 Thread Steve West
Hi, I thought I'd reply back to my own question just in case anyone else might be in a position like me and need to find an answer in the future... ;-) I used this wiki to ignore certain rules from firing: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules thx, SW Steve West wrote

[ossec-list] Re: Is ossec reading my IIS logs?

2007-06-15 Thread Steve West
/discover.xml - 80 - xxx.xxx.xxx.198 HTTP/1.1 Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6017;+Pro) - - autodiscover.somedomain.com 404 0 3 1830 243 375 thx, SW McClinton, Rick wrote: Steve, My windows installation (ossec 1.1) displays the following in the ossec.log: 2006/10

[ossec-list] Whitelisting specific syslog message

2007-06-21 Thread Steve Johnson
the keyword from rule 1002 or even less ignore the rule completely, but I was wondering if there was a way to whitelist certain specific syslog messages? I could not find the information in the wiki, so I hope I didn't just overlook it :-) Thanks, Steve Johnson

[ossec-list] Re: Whitelisting specific syslog message

2007-06-26 Thread Steve Johnson
of the SSHd. Thanks again, Steve Johnson Daniel Cid wrote: Hi Steve, A lot of people have problems finding stuff on our wiki, but we plan to keep improving it (and any help is welcome). As Michael said, you can send the log entries to the list so we can help you out or you use the following

[ossec-list] Re: Whitelisting specific syslog message

2007-07-10 Thread Steve Johnson
Thanks a lot for the reply. Worked great. Sorry for my late reply, I was away for a few weeks. Daniel Cid wrote: Hi Steve, A simple way to ignore these logs is with the following rule: <rule id="100101" level="0"> <if_sid>1002</if_sid> <program_name>^sshd</program_name> <match>error

[ossec-list] Re: OSSEC and phpmyadmin

2007-07-29 Thread Steve West
Hi, We have a similar issue w/ phpmyadmin false positives but in my case the URLs don't have 'phpmyadmin' as we have phpmyadmin setup under the root directory of a virtualhost (ie https://mysql.domain.com). So, does anyone know how to best write a rule that would ONLY ignore rule #31103 for

[ossec-list] Re: POP3 brute force rule not firing

2007-08-14 Thread Steve West
attacks I never get and I'm at a loss as to why. :-( Has anyone else ever seen something similar to this? Might OSSEC not be reading the log file fully, or be skipping parts of the log entirely? thx, SW Dave Lowe wrote: Hi Steve, Can you please check to make sure that the maillog file

[ossec-list] Re: POP3 brute force rule not firing

2007-08-15 Thread Steve West
<order>user, srcip</order> </decoder> And lastly, how can I add custom decoder rules that would survive OSSEC updates? thx, SW Dave Lowe wrote: Hi Steve Sorry, I was wrong. I can't get the brute force rule (RuleID 9952) to fire. I have tried and tried again. No luck. I threw 20-30 of the rule 9902 which

[ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?

2007-08-28 Thread Steve West
Peter M. Abraham wrote: Greetings: The server in question is CentOS 4, and rkhunter and chkrootkit do not report any issues. Thank you. Have you tried to do a nmap scan of the system from another workstation? nmap should show you what open ports and then you can try to identify if

[ossec-list] Re: ossec-.13 agent stopping by itself on CentOS 5 64-bit

2007-10-20 Thread Steve West
Hi Peter, I have ossec running on a few CentOS 5 64-bit servers as agent and as server with no problems. All my CentOS boxes are bare minimum installs so not sure if you have something that might be impacting ossec. SW Peter M. Abraham wrote: Hi Daniel: I followed

[ossec-list] Can't get OSSEC to fire active response for custom proftpd rule

2007-10-24 Thread Steve West
Hi, I'm trying to create a new proftpd rule in /var/ossec/rules/local_rules.xml but for some reason ossec is not performing the active response. Here is my rule: <!-- Proftpd Rules --> <group name="proftpd"> <rule id="1101" level="10" frequency="20" timeframe="60"

[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule

2007-10-24 Thread Steve West
Michael Starks wrote: Try 21 or 22 invalid logins in 60 seconds. -Mike Hi Mike, Thanks for the suggestion! I tried over 25 invalid logins and still ossec active response doesn't fire. Not really sure why but I think it might be related to my rule or the underlying proftpd group rule

[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule

2007-10-25 Thread Steve West
Daniel Cid wrote: Hi Steve, Are the alerts being generated based on your rule? No. I don't see anything in /var/ossec/logs/alerts/alerts.log regarding my attempts. I have ossec monitoring my proftpd logs /var/log/proftpd/current but maybe my log file format is not compatible w/ ossec. Here

[ossec-list] Xferlog

2007-11-20 Thread Steve McMaster
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I saw an entry in the wiki containing example xferlog entries, but I haven't seen any rules to watch for them. Is there an existing rule to have OSSEC alert when a file is uploading via ProFTPD, which uses xferlog for this? Thanks. - -- Steve

[ossec-list] OSSEC missing POP3 Brute Force Attack

2007-12-20 Thread Steve West
Hi, Does the latest OSSEC have rules to catch the following brute force attacks? Just got hit w/ over 20,000 requests overnight by this Korean hacker/spammer: Dec 19 02:55:31 mail vpopmail[28761]: vchkpw-pop3: vpopmail user not found webadmin@:61.33.87.88 Dec 19 02:10:20 mail vpopmail[24587]:

[ossec-list] Re: How do I turn off the emails for certain rules

2008-01-14 Thread Steve McMaster
It depends on why the rule is alerting. Some rules are configured to always email, regardless of their level, and some rules will email because their level is at or above your configured email_alert_level. An example of the first would be rule 502, located in $OSSEC_DIR/rules/ossec_rules.xml.

[ossec-list] Re: granular e-mail options

2008-01-15 Thread Steve McMaster
Rules 5715, 5501 and 5402 are all level 3 alerts. Your ossec.conf says to only email on alerts that are level 8 and higher. To fix this, add the following to your local_rules.xml in $OSSEC_DIR/rules <rule id="105402" level="8"> <if_sid>5402</if_sid> </rule> <rule id="105501" level="8"

[ossec-list] Re: How do I turn off the emails for certain rules

2008-01-16 Thread Steve McMaster
. From: Steve McMaster [mailto:[EMAIL PROTECTED]] To: ossec-list@googlegroups.com Sent: Tue, 15 Jan 2008 12:46:16 + Subject: [ossec-list] Re: How do I turn off the emails for certain

[ossec-list] Binary Installation

2008-01-21 Thread Steve McMaster
I'm trying to do a binary installation of OSSEC. I have the binaries from a similar system (same operating system and architecture) in the bin/ directory in the OSSEC package. I edited etc/preloaded-vars.conf and set USER_BINARYINSTALL to y. When I run ./install.sh, however, I get the following:

[ossec-list] Re: Active Response not working on some rules

2008-01-31 Thread Steve West
=yesamp;amp%3Bamp%3Bprintable=yesamp;amp%3Bprintable=yesamp;printable=yes - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Let me know if I should still open up a bug report? thx, SW Daniel Cid wrote: Hi Steve, I think it may be related to the size

[ossec-list] Re: Second try: Help with logging from win client to server please.

2008-01-31 Thread Steve McMaster
Your server doesn't seem to be running. Can you run # ps ax | grep ossec on your server? Philippe Bechamp wrote: Anyone have a few minutes? I tried here and the IRC channel and no one responds L.. I would much appreciate the help. Philippe.

[ossec-list] Re: Second try: Help with logging from win client to server please.

2008-02-01 Thread Steve McMaster
would check is the permissions on /var/ossec and its assorted subdirectories. I have read, write and execute for owner and group, and have everything owned by the ossec user and the ossec group. Try that on for size, and let us know how it works out. Philippe Bechamp wrote: Hi Steve, Thank you

[ossec-list] log_format for modsecurity_audit.log

2009-03-15 Thread Steve West
Hi, Can OSSEC monitor the modsecurity audit log? What should the log_format option be for modsecurity_audit.log? I tried using <log_format>syslog</log_format> but that didn't work. thx, SW

[ossec-list] Re: Active Response and Rule 31115

2009-03-21 Thread Steve West
Hi, I just upgraded to 2.0 and I still see this bug has not yet been addressed (Bug ID 184). :-( OSSEC does send an e-mail warning out but no active-response takes place. Here is the e-mail I get from ossec and the apache log entry if that helps: OSSEC HIDS Notification. 2009 Mar 21 16:13:43

[ossec-list] Active Response Rules

2009-09-16 Thread Steve Wieczorek
syntax? I would appreciate any help you can give me. I saw your post, and thought hopefully you could help me. Thank You Steve

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
. *Steve MacDougall* | *Sr. Systems/Network Administrator* BluePay Canada o: 647.258.3704 m: 289.924.1806 e: smacdoug...@bluepay.ca w: www.bluepay.ca

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
. On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote: Hi Steve, do you use DHCP or fixed IP addresses in your environment? Do your servers have one or more than one IP? When you added the agents, did you use fixed IPs for each one? Is tcpdump output showing the same IP you

[ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
I have OSSEC running as part of an Alienvault installation, with about 20 agents configured. Recently I've observed that most of the agents will show as disconnected. After a few hours all of them except for one or two will show active again. Then within a short period of time, most of them

[ossec-list] Different checks for nested directories

2015-05-19 Thread Steve MacDougall
There are cases where I'd like to perform different checks on the parent directory than on the nested directories. For example, 'check all' on /var. but check only ownership and permissions on /var/lib/postgresql. Since OSSEC has recursive checking enabled by default, it seems that if I entered

Re: [ossec-list] How to install/configure agent on OSSEC server?

2015-05-19 Thread Steve MacDougall
Select the 'hybrid' installation. Steve MacDougall Sr. Systems/Network Administrator o: 647.258.3704 m: 289.924.1806 e: smacdoug...@bluepay.ca w: www.bluepay.ca On May 19, 2015, at 6:41 PM, Ryan Wendel ryan.wen...@gmail.com wrote: I'm working through how to use OSSEC and am

[ossec-list] Precedence of syschecks

2015-06-11 Thread Steve MacDougall
at the top level? *Steve MacDougall* | *Sr. Systems/Network Administrator* BluePay Canada o: 647.258.3704 m: 289.924.1806 e: smacdoug...@bluepay.ca w: www.bluepay.ca

Re: [ossec-list] Is there any GUI mode for OSSEC?

2015-07-30 Thread Steve MacDougall
There is a WUI you can download from here: http://www.ossec.net/?page_id=19 Is this what you were looking for? *Steve MacDougall* | *Sr. Systems/Network Administrator* BluePay Canada o: 647.258.3704 m: 289.924.1806 e: smacdoug...@bluepay.ca w: www.bluepay.ca

[ossec-list] Duplicate counter - Difference between global/local and saved global/local

2017-02-06 Thread Steve Dimoff
Hey everyone, I've been searching through this group and I couldn't find any reference of someone explaining the difference between global / local and then saved. I'm trying to figure out WHY the duplicate error is happening, I know how to fix it... just trying to understand it more. Here is

[ossec-list] Duplicate counts - Difference between global/local and saved global/local

2017-02-06 Thread Steve Dimoff
Hey everyone, I've been searching through this group and I couldn't find any reference of someone explaining the difference between global / local and then saved. I'm trying to figure out WHY the duplicate error is happening, I know how to fix it... just trying to understand it more. Here is

[ossec-list] OSSEC Add-on and Splunk 7.x.x

2019-01-16 Thread steve sauer
Is anybody using the OSSEC *Add-on* in Splunk 7.x.x? It seems rather limited in what it parses compared to the older OSSEC app that is no longer available. I want to extend it to capture and parse OSSEC events from my Web server. These events are actually being captured now but not

[ossec-list] Re: OSSEC Add-on and Splunk 7.x.x

2019-01-16 Thread steve sauer
Not sure what changed overnight but now seeing all alerts from OSSEC servers and agents. Let the data analysis begin! On Wednesday, January 16, 2019 at 8:12:14 AM UTC-7, steve sauer wrote: > > Is anybody using the OSSEC *Add-on* in Splunk 7.x.x? It seems rather > limite

[ossec-list] Re: Active-responses.log

2009-07-20 Thread Steve' Mailing List
to see if I can see why these are working. In theory, it will indicate why the others are not. I will let the list know what I find. Steve - Original Message - From: Daniel Cid daniel@gmail.com To: ossec-list@googlegroups.com Sent: Sunday, July 19, 2009 10:49 PM Subject: [ossec-list] Re

[ossec-list] Re: Active-responses.log

2009-07-20 Thread Steve' Mailing List
activation. I changed the config file to server so that the firewall-drop applied at the gateway (which is better) and the active-response is sending to the log on the server (which is where I thought it would be). Thanks for listening and I hope that I help someone else, Steve - Original Message