Re: [ossec-list] ossec 3.6 configration

2022-07-30 Thread Daniel Cid
What errors are you getting when you try to install? If you can give more details, maybe we will be able to help more. Thanks, On Sat, Jul 30, 2022, 11:16 AM ABHISHEKH LADE wrote: > Dear Member, > Hello my name is Abhishekh. I am new here and want to install the OSSEC > into ubuntu but not

Re: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-24 Thread Daniel Folch
. Regards, Daniel Folch On Thursday, September 24, 2020 at 1:35:12 PM UTC+2, John Gomez wrote: > > Is there any deep dive on active response or a collection of use cases as > to how people are using it? > > Just seems to be such a cool capability of OSSEC that is under utilized. > &g

[ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2020-09-23 Thread Daniel Folch
This will try to test all combinations of lowercase characters, uppercase characters, and numbers with a length between 1 and 5, so it should not be able to find your password before active response triggers. Regards, Daniel Folch On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, conm...@gmail.com

[ossec-list] Windows Server agent not sending notifications to Linux server

2020-08-17 Thread Daniel Gerep
Hi all, I am starting to use OSSEC so I may be doing something wrong here. I have OSSEC installed as a server in my Linux VM and the Agent in my Windows Server 2012 VM. My server has the default configuration plus this: ossec-slack ossec-slack.sh no no

[ossec-list] Re: wazuh languages

2020-05-07 Thread Daniel Folch
of examples of how to do this: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/ https://wazuh.com/blog/aws-sns-integration/ Regards, Daniel Folch On Wednesday, February 12, 2020 at 10:40:03 AM UTC+1, hiwot wrote: > > what are the integrated tools of wazuh > --

[ossec-list] Rootcheck rule for windows - mistake in rule or problem with 64bit system?

2018-04-03 Thread 'Daniel Bode' via ossec-list
k this hives with rootchecks or are all the keys in hkey_local_machine\software and hkey_current_user\software "useless" for this kind of check on 64bit Windows? I have seen that there is a workaround in this post, but I'm not able to implement that. Thanks for your support. Best Regards Daniel

[ossec-list] Auto-ossec not working

2017-11-16 Thread Daniel Saliba
Hi guys, I am trying to use auto-ossec from binary defense for automatic pairing but when running the auto_ossec.exe (for windows) I get the following; Client side: [ *] Connected to auto enrollment server at IP: 10.18.119.14[*] Pulled hostname and IP, encrypted data, and now sending to

[ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-27 Thread Daniel B.
Yes, via ./ossec-control -r On Thursday, January 26, 2017 at 4:41:20 PM UTC-5, Daniel B. wrote: > > > <https://lh3.googleusercontent.com/-PjI5QG1OEt4/WIpsiYbmInI/AP8/XaaQ35illHgeh_zq_oAtMKNU6giFsek7QCLcB/s1600/2017-01-26_1638.png> > > > > full_log: >

[ossec-list] Alerts generated despite level '0' rule being hit

2017-01-26 Thread Daniel B.
full_log: Files hidden inside directory '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'.

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Daniel B.
y, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote: > > Hi Daniel, > > ossec-logtest always shows the name of the parent. > > If you want to ignore that alert, just create a rule in local_rules.xml: > > > > > > > 5104 > Ignore rul

[ossec-list] local_decoder.xml -- can't override (ignore) parent decoder

2017-01-17 Thread Daniel B.
We use weave which periodically causes a network interface to enter promiscuous mode to sniff network traffic. This is expected behavior, and as such, I'm looking to ignore it. For reference, the iptables decoder is set at

Re: [ossec-list] Selecting multiple, discrete weekdays

2016-11-18 Thread Daniel Cid
It should work with spaces or commas: monday, tuesday, friday thanks, On Fri, Nov 18, 2016 at 1:24 PM, wrote: > Is it possible to select multiple, discrete days using the weekday > function? > > I can get the rule to run if I select a single day and it looks like I > should be

Re: [ossec-list] Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
(ddp) <ddp...@gmail.com> wrote: > On Tue, Aug 2, 2016 at 8:55 AM, Daniel Bray <dbray...@gmail.com> wrote: > > OK, I think that is the issue. With the settings like this: > > > > 1am > > 82800 > > no > > yes > > no > > > &

Re: [ossec-list] Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
, 2016 at 8:47 AM, dan (ddp) <ddp...@gmail.com> wrote: > On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <dbray...@gmail.com> wrote: > > Can someone verify that all the proper settings are in place to allow for > > realtime scans on some directories? We are running

Re: [ossec-list] Re: Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
monitoring: '/root'. On Mon, Aug 1, 2016 at 6:25 PM, Victor Fernandez <vic...@wazuh.com> wrote: > Hi Daniel. > > I had never used before, but I think it works for weekly > scans since OSSEC prints this log (even when setting frequency=84800): > > 2016/08/01 14:27:

[ossec-list] Syscheck not alerting on realtime scans

2016-08-01 Thread Daniel Bray
Can someone verify that all the proper settings are in place to allow for realtime scans on some directories? We are running CentOS 6 servers (manager and agents/clients), and we use the Atomic install method. Here is the latest available Atomic version installed (also noted inotify is

Re: [ossec-list] Re: reportd not sending any email

2016-04-18 Thread Daniel Cid
Try this patch from here: https://bitbucket.org/dcid/ossec-hids/commits/eb98bdae15cec6ccf04190d0badbd3b0de6f84b7 As it may fix the problem. thanks, On Mon, Apr 18, 2016 at 7:16 PM, theresa mic-snare wrote: > will need to take a proper look at what's causing those

Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-16 Thread Daniel Cid
Curious how that was not working. Can you give some details? By default, it will send each line as a separate log message and we have rules to alert if any of the entries are over 95% utilization. Have the original running here on Centos 5,6 and 7 without any issues. thanks, On Fri, Apr 15,

Re: [ossec-list] Disable Email Alerts from a particular source ip

2016-03-01 Thread Daniel Cid
That's correct as long as the srcip is being decoded. You may need two rules just in case: 7 1.2.3.0/24 Ignoring rule any level above 7 from Whitelisted IPs 7 1.2.3.\d+ Ignoring rule any level above 7 from Whitelisted IPs The second one is a bit dangerous as it may open you up to log

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Daniel Cid
This is the kind of thing that is likely better (and more easily) implemented outside of the main ossec managers. Maybe an external tool or cron. I use the following shell script for example (added to cron to run every 10min to restart ossec in case the IP changes): #!/bin/sh mydomain=`cat

Re: [ossec-list] What is the use case for OSSEC hybrid mode

2016-02-25 Thread Daniel Cid
I personally use it mostly on very busy servers to limit the amount of events being sent by the agent to the manager. Say a very busy web server that generates thousands of logs per second. Instead of sending all events centrally, I use the hybrid mode to do the initial analysis locally and only

Re: [ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Daniel Cid
Yes, I use the hybrid mode quite a bit too. It basically automates the process of installing the local + agent without having to do both separately. thanks, On Thu, Feb 18, 2016 at 2:10 PM, Kat wrote: > I use Hybrid modes for 1000s of agents and mixed managers. It allows

Re: [ossec-list] strange in 'full_command' output

2016-02-02 Thread Daniel Cid
Our major limitation is the size of the UDP packet when sending from the agent->manager. We can't reliably split the message into multiple datagrams, so we restrict by size, forcing it to always fit into 1 packet. Moving to TCP would solve this limitation (this is something I am trying to work

Re: [ossec-list] Re: Global Mail limit

2016-01-29 Thread Daniel Cid
I added this limit early on to prevent a flood of emails in case of a config mistake or an attack. Plus, operationally speaking, I doubt any team can realistically handle and investigate more than 10,000+ emails in an hour :) thanks, On Fri, Jan 29, 2016 at 1:16 PM, Eero Volotinen

Re: [ossec-list] syscheck not working with restrict option

2016-01-29 Thread Daniel Cid
8, 2016 at 4:58:11 PM UTC-8, Daniel Cid wrote: >> >> The issue was in my branch there. Mind getting the latest again? Should >> be working now: >> >> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz >> >> Sorry for the waste of time :/ >&

Re: [ossec-list] syscheck not working with restrict option

2016-01-28 Thread Daniel Cid
The issue was in my branch there. Mind getting the latest again? Should be working now: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz Sorry for the waste of time :/ thanks, On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey wrote: > Thanks for the reply, Santiago.

Re: [ossec-list] Testing integratord

2016-01-28 Thread Daniel Cid
Mind sending the last 20-30 lines of your ossec.log? It can give us an idea to what is going on. thanks, On Thu, Jan 28, 2016 at 1:42 PM, Marcelo <tchello200...@gmail.com> wrote: > Dear Daniel, > > I did the installation of integrator, but I do not understand why my &g

[ossec-list] Testing integratord

2016-01-27 Thread Daniel Cid
I have been working on the integrator daemon (ossec-integratord) to allow OSSEC to easily integrate with external APIs to send alerts & notifications. I have pushed it to my personal fork and I am looking for testers, and people interested to try it out to help flush out any bugs/issues. So far,

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-26 Thread Daniel Cid
Yes, that would be an issue. Have you tried not sending the output to a file and using the check_diff option on the rule itself? You could do: full_command iptables -S iptables_status 3600 And then write a rule to alert on changes: 530 ossec: output:

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-08 Thread Daniel
So basically what you're doing is looking for INFO logs and then matching the log content and not the actual log ID? Interesting. My general rule workflow is this: If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then create alert with LEVEL=y. Types can be referenced in

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote: > > On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > >> >> Is this the only rule in your local_rules.xml that isn't working, or are >> all rules in your local_rules.xml not working? >> &

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > > Is this the only rule in your local_rules.xml that isn't working, or are > all rules in your local_rules.xml not working? > > So far, this is the only rule that I just can't seem to stop emailing. I have other rules, and

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote: > > And strangely enough, this works just fine for me (ignored when fed > through logger). > > Can you update to the latest OSSEC source from github and try that? > Updated to latest github update, and issue remains. Logtest

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote: > > > Last idea at the moment: > Copy archives.log. Open the copy in a text editor. Find an entry you > want to test against and delete everything else. > Delete the archives.log header from your chosen entry. > Run that through

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: > > On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for > rule 1002, right there towards the top. Note the options element, which > contains alert_by_email. That option tells OSSEC to ignore your >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
the exact alert message when/if you get one. Be very > careful not to replace white space if you are sanitizing the data. It will > allow us to corroborate what you are seeing. > > > From: ossec...@googlegroups.com [mailto: > ossec...@googlegroups.com ] On Behalf Of Daniel Bra

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
1 7 then I do not understand why level 2 emails are coming in: Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." On Mon, Nov 23, 2015 at 12:24 PM, Pedro S. <snao...@gmail.com> wrote: > Hi Daniel, sorry for late response. >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-23 Thread Daniel Bray
On Monday, November 16, 2015 at 8:28:27 AM UTC-5, Daniel Bray wrote: > > With the updated alert_by_email settings, this has stopped the email > alerts. I see it hitting the WebUI as alert level 2, but no emails are > coming in. > Unfortunately, with everything put back

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-16 Thread Daniel Bray
On Friday, November 13, 2015 at 2:30:24 PM UTC-5, Pedro S. wrote: > > Okay try this: > > Temporarily remove "alert_by_email" from rule 1002 on > syslog_rules.xml. > Now add "alert_by_email" in your custom rule. > Restart OSSEC and generate the alert. > > What I'm trying here is to stop OSSEC from

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-16 Thread Daniel Bray
On Monday, November 16, 2015 at 7:47:24 AM UTC-5, Daniel Bray wrote: > > OK, I'm a little lost as to what this is trying to prove, but the updated > settings are in place. I'm waiting for an alert to come through. > > With the updated alert_by_email settings, this has stopped th

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
> OSSEC is not loading the rule properly. > > > > > > On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd) > wrote: > >> > >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <sna...@gmail.com> wrote: > >> > Hi Daniel, > >>

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
Yes, all my local rules are under the and yes, I made sure to stop and restart everything. On Thursday, November 12, 2015 at 8:37:35 PM UTC-5, Santiago Bassett wrote: > > Hi Daniel, > > not sure if that matters but is your local rule in the same "syslog,errors,">, as r

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: > > I'm waiting to see if it generates an alert. >> > > Nope, issue remains. Very confusing. -- --- You received this message because you are subscribed to the Google Groups "ossec-list"

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 8:51:45 AM UTC-5, dan (ddpbsd) wrote: > > Or are you sure the manager restarted? Most of the time when I've seen > this behavior on the list analysisd did not actually stop, so it > didn't pickup the new rules. Running `/var/ossec/bin/ossec-control > stop`, then

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote: > > Try setting the rule to level 2 > > > Doing that results in: **Phase 3: Completed filtering (rules). Rule id: '17' Level: '2' Description: 'Ignore MIP Alerts' **Alert to be generated.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp) wrote: > I was hoping it would help with the production use, but since it was > working for me I guess that doesn't matter. I'm pretty much stumped at > the moment. > I'm running this on CentOS 6 with

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote: > > Ok, this information is working for me as well. I have tested it on a > local install and an agent/server install (changing the hostname as > appropriate). > > Is the agent name testserver? Do the hostname of the system

[ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-12 Thread Daniel Bray
I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo) I've updated /var/ossec/rules/local_rules.xml with the following rule: 1002 testserver1|testserver2 mip HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame Ignore MIP Alerts

[ossec-list] Hybrid mode automated install

2015-10-27 Thread Daniel Townend
We are wanting to deploy ossec with active response but also to send logs to OSSIM. I can't see an option for hybrid mode on the automated install config file. Is there any way to automate this installation?

[ossec-list] Ignoring multiple user logon or logoff checks

2015-10-14 Thread Daniel Bray
I am trying to ignore rule 18107 and 18149, but only for certain accounts (including the servers/machines). Server OS: CentOS 6 (latest patches) OSSEC: ossec-hids-server-2.8.2-49.el6.art.x86_64 Here is what I have in my /var/ossec/rules/local_rules.xml file. 18107 Account Name:

[ossec-list] Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker
I'm looking for a way to have OSSEC trigger on Event ID 1100 Service Shutdown in Windows.

Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker
t from your archives.log on > ossec :) > > On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote: >> >> - http://schemas.microsoft.com/win/2004/08/events/event >> <http://schemas.microsoft.com/win/2004/08/events/event>*"> >>

Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker
:25:48 AM UTC-6, dan (ddpbsd) wrote: > > > On Oct 5, 2015 12:23 PM, "Daniel Baker" <msu.d...@gmail.com > > wrote: > > > > > > > > On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote: > >> > >> I'm looking for

[ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker
On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote: > > I'm looking for a way to have OSSEC trigger on Event ID 1100 Service > Shutdown in Windows. > This is what I'm trying to add to the local_rules.xml file: 18104 ^1100$ Windows Service Stopped

[ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Daniel Twardowski
I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured a few domain controllers to send it their logs. When I came in today, the WUI is displaying an error of: Warning: fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: Value too large for defined data type

Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Daniel
wrote: Well, you need to give correct permissions to apache as wui is running under apache uid.. Eero 8.8.2015 8:27 PM Daniel Twardowski noghri...@gmail.com wrote: I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured a few domain controllers

Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-08 Thread Daniel
8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote: Well, you need to give correct permissions to apache as wui is running under apache uid.. Eero 8.8.2015 8:27 PM Daniel Twardowski noghri...@gmail.com wrote: I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I configured

Re: [ossec-list] rootcheck rule at sev 7 (bad word match)?

2015-06-17 Thread Daniel X
will probably just ignore the descriptions. Daniel On 17 June 2015 at 23:24, dan (ddp) ddp...@gmail.com wrote: On Wed, Jun 10, 2015 at 2:15 AM, Daniel X dan...@ritualmedia.co.nz wrote: Hi OSSECers, I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app

Re: [ossec-list] rootcheck rule at sev 7 (bad word match)?

2015-06-17 Thread Daniel X
Cool. That's what I was looking for. I think I'm just going to remove my labeling from the sev levels in my dashboards. It might be useful to have a note on that page advising that these labels may not always be true today. Thanks. Daniel On 18 June 2015 at 09:39, dan (ddp) ddp...@gmail.com

[ossec-list] rootcheck rule at sev 7 (bad word match)?

2015-06-10 Thread Daniel X
Hi OSSECers, I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app as a starting point). One of the features I've expanded is the 'top severities list', where I've named the severities according to the Rules Classification documentation (

Re: [ossec-list] Where are file integrity file permissions stored?

2015-06-09 Thread Daniel X
A couple of days ago I needed to parse integrity logs myself and found the above thread useful. Ended up writing up a quick n dirty bash script to do so and thought I'd post it here in case anyone finds it useful. It's certainly not my finest work but I may get around to turning it into something

Re: [ossec-list] Windows Application and System logs

2015-05-20 Thread Daniel Wagner
:* ossec...@googlegroups.com [mailto: ossec...@googlegroups.com] *On Behalf Of *Daniel Wagner *Sent:* Wednesday, May 13, 2015 7:20 PM *To:* ossec...@googlegroups.com *Subject:* [ossec-list] Windows Application and System logs Hello all, I've installed

[ossec-list] Windows Application and System logs

2015-05-13 Thread Daniel Wagner
Hello all, I've installed OSSEC HIDS Agent v2.8 on a few Windows 2008R2 servers and Windows 2003 servers and am receiving the Security logs on my OSSEC server, but not the Application and System logs. My config file is the default from the install which has a localfile entry for all three logs.

[ossec-list] use_fqdn

2015-04-07 Thread Daniel Sanabria
in advance, Daniel

Re: [ossec-list] Re: Bypassing Asterisk rules

2015-03-12 Thread Daniel Calvo Castro
users, you can do it via INVITE, REGISTER and OPTIONS. ossec is only able to detect REGISTER requests, but nothing happens when someone successfully tries to enumerate via INVITE (tried myself). Am I doing something wrong, or does ossec have to be tweaked? Kind Regards, Daniel

Re: [ossec-list] Asterisk rules for Ubuntu

2015-03-09 Thread Daniel Calvo Castro
...@gmail.com wrote: On Feb 10, 2015 7:57 AM, Daniel Calvo Castro daniel.ca...@kernelsecurity.es wrote: Hi again These brackets are for emphasis, sorry for not clarifying this, but it clearly looks like it is a regexp issue, I'm going to deal with it now and I'll post if I'm able to solve

[ossec-list] Bypassing Asterisk rules

2015-03-09 Thread Daniel Calvo Castro
Regards, Daniel

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread Daniel Calvo Castro
on github as suggested? I'll do that in such case Kind Regards 2015-02-10 13:31 GMT+01:00 dan (ddp) ddp...@gmail.com: On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro daniel.ca...@kernelsecurity.es wrote: Just today I've been experiencing the same issues trying to get OSSIM + OSSEC working

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-09 Thread Daniel Calvo Castro
, Daniel [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/ 2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com: On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu wrote: Could be. I don't know if I have to write to the dev mailing list to have it fixed

[ossec-list] Email alerts for certain groups only not working...

2014-04-09 Thread Daniel Kertby
</group> <email_to>system_admin@domain</email_to> </email_alerts> Assistance on how to get the local,syslog group alerts emailed to system_admin@domain would be appreciated, since I can't get it to work. Regards, Daniel

[ossec-list] Re: Decoders and rules for Juniper SA2500 and Juniper SSG-320M

2014-04-07 Thread Daniel Kertby
<rule id="100080" level="12"> <decoded_as>sa2500</decoded_as> <description>Alert from the SA2500 Secure Gateway</description> </rule> Suggestions on how to improve the work above are appreciated, but remember - I'm a newbie at writing this stuff.. Regards, Daniel On Thursday, April 3, 2014 10:13:39 PM

[ossec-list] Decoders and rules for Juniper SA2500 and Juniper SSG-320M

2014-04-03 Thread Daniel Kertby
Hi people, Does anyone have decoders and rules for the SA2500 and the SSG-320M and would like to share their work? Anything is more than nothing for me, thanks! :) Regards, Daniel

Re: [ossec-list] Netscreen Firewall Logs

2014-04-02 Thread Daniel Kertby
in the system.' **Alert to be generated. --- On Wednesday, April 2, 2014 1:57:53 PM UTC+2, dan (ddpbsd) wrote: On Apr 2, 2014 7:54 AM, Daniel Kertby ker

Re: [ossec-list] Netscreen Firewall Logs

2014-04-02 Thread Daniel Kertby
Hi again, sorry for a delayed reply. I had accidentally installed 2.6 but upgraded to 2.7.1. Still got the same issue though... I'm home but would appreciate feedback on how to continue troubleshooting the issue... /Daniel On Wed, Apr 2, 2014 at 3:01 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Apr 2

Re: [ossec-list] Error 1203

2013-07-29 Thread Daniel
How were you able to recreate the user and group? I am having a new installation on my personal machine to test run things and I am having the same issue you did, except I haven't been able to have my agent run at all! Can't imagine how the user/group were deleted. Any insight would be a great

[ossec-list] Re: Ossec agent ossec.conf issue

2013-07-05 Thread Daniel Jochims
I know that they are not there, but I keep them in the config for older servers that will still have those files/paths. The errors are not my problem, I'm just looking for what other people's ossec.conf on their agent looks like. I'm trying to get a perspective on other files that they may be

[ossec-list] Ossec agent ossec.conf issue

2013-07-03 Thread Daniel Jochims
I'm trying to set up ossec agents on windows server 03/08/12. Would anybody have an example custom ossec.conf agent file they could share? I know that newer windows servers do not have all the files that are originally listed in the default ossec.conf, so I was wondering what others have

Re: [ossec-list] White-list for certain agent using Agent.conf Twitter to Ossec

2013-04-04 Thread Daniel Cid
Twitter changed their authentication method and doesn't allow what we were doing with ossec-tweeter. It would have to be re-written to support oauth. thanks, On Thu, Apr 4, 2013 at 9:50 AM, Jeroen van Doorenmalen jeroen.van.doorenma...@gmail.com wrote: Hello guys, I'm having some kind of

Re: [ossec-list] Ossec 2.6 Compile errors on Mac Os 10.7.3

2013-03-19 Thread Daniel
How is it you do this? On Friday, 27 April 2012 14:49:09 UTC-4, dan (ddpbsd) wrote: Use the real gcc instead of Apple's llvm/clang/whatever it is these days. On Fri, Apr 27, 2012 at 2:18 PM, Gappa gap...@gmail.com wrote: hi everyone, I'm trying to install ossec on my

Re: [ossec-list] recover SERVER keys?

2013-02-14 Thread Daniel Cid
, -- Daniel B. Cid http://dcid.me On Thu, Feb 14, 2013 at 2:13 PM, Kat uncommon...@gmail.com wrote: Well - it happened - I lost a server (hardware raid failure and corrupted drives). So here is the question - all the agents have keys, but I lost the other end - is there ANY way to rebuild a server

Re: [ossec-list] Monitoring command output check_diff is getting mixed up.

2012-12-11 Thread Daniel Cid
the rule id as the storage key, so you would need a different rule for each one of those sites. thanks, -- Daniel B. Cid http://dcid.me On Fri, Dec 7, 2012 at 2:47 PM, Brenden Walker bren...@unruleable.org wrote: On Fri, 7 Dec 2012 13:18:33 -0500 dan (ddp) ddp...@gmail.com wrote: On Fri, Dec 7

Re: [ossec-list] Problem with rule 35051

2012-12-04 Thread Daniel Requena
Rule: 35051 fired (level 10) - Multiple attempts to access forbidden file or directory from same source ip. Portion of the log(s): About the upgrade, I'm doing it right now. On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote: On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena req

[ossec-list] Problem with rule 35051

2012-12-03 Thread Daniel Requena
Hi, I'm trying to customize the behavior of the rule 35051 (squid_rules.xml) in order to not have it fired if someone tries to access facebook website. This rule keeps annoying me, because Facebook like button is EVERYWHERE and my proxy server blocks it. I wrote this piece of

Re: [ossec-list] xferlog decoder

2012-11-15 Thread Daniel Cid
This decoder is a bit broken :/ It is actually matching for: ^Mon OR ^Tue OR ^Wed OR .. OR .. ^Sun \S\S\S\s+\d+.. We should probably just change it to: <prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response/</prematch> Can you try it and see if it fixes the issue? thanks, -- Daniel B. Cid

[ossec-list] ERROR: Timeout while connecting to host:

2012-10-24 Thread Daniel Flores
# the first part is my ssh banner, and it logs in with the root user as I'm expecting, but then it doesn't execute commands and logs me off. I don't know why with the ossec user it is not executing the next commands. Can you help me please??? Daniel Flores

Re: [ossec-list] ERROR: Timeout while connecting to host:

2012-10-24 Thread Daniel Flores
2012/10/24 dan (ddp) ddp...@gmail.com On Wed, Oct 24, 2012 at 2:44 PM, Daniel Flores flores.herrera.dan...@gmail.com wrote: Hi, I am using agentless to monitor one server running Red Hat, but the problem is that when ossec user executes the ssh_integrity_check_linux I get

Re: [ossec-list] ERROR: Timeout while connecting to host:

2012-10-24 Thread Daniel Flores
pertinentes. == Last login: Wed Oct 24 14:02:06 2012 from 11.10.1.114 [root@sgasrv7l ~]# ERROR: Timeout while connecting to host: root@10.10.1.210 . Daniel Flores

Re: [ossec-list] case insensitive regex?

2012-08-28 Thread Daniel Cid
The regex is case insensitive by default. So just <regex>Ownership was</regex> should work. thanks, -- Daniel B. Cid http://dcid.me On Tue, Aug 28, 2012 at 3:01 PM, dkoleary dkole...@olearycomputers.com wrote: Hey; As mentioned in other posts, I'm trying to monitor the /etc directory

Re: [ossec-list] Client.keys Permission error

2012-08-22 Thread Daniel Cid
Yes, the ossecr user (or ossec group) needs permission to read it. thanks, On Wed, Aug 22, 2012 at 1:00 PM, OSSEC junkie ossec.jun...@gmail.com wrote: I am getting permission errors on client.keys: 2012/08/22 08:44:38 ossec-remoted(4111): INFO: Maximum number of agents allowed: '3500'.

Re: [ossec-list] Simplest question ever (?) - timestamp

2012-08-15 Thread Daniel Cid
not have the times in sync... thanks, -- Daniel B. Cid http://dcid.me On Wed, Aug 15, 2012 at 3:51 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Aug 15, 2012 at 2:45 PM, Kat uncommon...@gmail.com wrote: Is there a way to tell OSSEC to use the timestamp of the actual logfile entry rather than

Re: [ossec-list] Changing timezone in all OSSEC components

2012-07-05 Thread Daniel Cid
That should do it. Just move the new localtime to /var/ossec/etc and restart ossec. thanks, -- Daniel B. Cid http://dcid.me On Thu, Jul 5, 2012 at 3:42 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all, Due to a restructuring that I make in our infrastructure, I need to modify the time

Re: [ossec-list] What happened to ossec rootcheck ?

2012-07-02 Thread Daniel Cid
The site got migrated, so a few files will be missing until it is all in order. thanks, -- Daniel B. Cid http://dcid.me On Mon, Jul 2, 2012 at 9:47 AM, Peter M Abraham peter.abra...@dynamicnet.net wrote: Good day: http://www.ossec.net/rootcheck/files/ uses to have the latest rootcheck

[ossec-list] Ossec agent installation

2012-06-14 Thread Daniel Flores
Hi, I am installing an agent on Windows. I have 2 LANs connected by 2 firewalls; the OSSEC server is in one LAN and the agent is in the other. What I want to know is which port the ossec agent uses to connect to the server? Thanks Daniel Flores

[ossec-list] Subscribe ossec-list

2012-06-14 Thread Daniel Flores
Hi, I would like to be part of the group. I have some questions about ossec manager installation on Windows

Re: [ossec-list] Ossec agent installation

2012-06-14 Thread Daniel Flores
a rule which allows traffic on port udp 1514 both ways from server 192.168... to the ossec server 11.10.1.xxx. But still the agent doesn't run. I don't know what else to do. best regards Regards. Daniel Flores 2012/6/14 dan (ddp) ddp...@gmail.com On Thu, Jun 14, 2012 at 1:46 PM, Daniel Flores

[ossec-list] Re: Ossec agent installation

2012-06-14 Thread Daniel Flores
Thank you so much ddp. Daniel Flores On 14 jun, 14:10, dan (ddp) ddp...@gmail.com wrote: On Thu, Jun 14, 2012 at 3:01 PM, Daniel Flores flores.herrera.dan...@gmail.com wrote: Thanks ddp, I opened the port but still can't connect them. I have my server on Ubuntu server 12.04 LTS, it's

Re: [ossec-list] OSSEC agents

2012-06-05 Thread Daniel Cid
(only if you add that to syscheck). thanks, -- Daniel B. Cid http://dcid.me On Thu, May 31, 2012 at 2:07 PM, Maahkus mark.v...@gmail.com wrote: Is there a log file that displays what authenticated user or the date and time a new agent was added? I need to track a newly added agent to the user

Re: [ossec-list] OSSEC Doesn't Forget !

2012-05-02 Thread Daniel Cid
The web-ui looks inside /var/ossec/queue for information on agents, so you have to remove from there as well.. thanks, -- Daniel B. Cid http://dcid.me On Wed, May 2, 2012 at 8:56 PM, dan (ddp) ddp...@gmail.com wrote: Do the deleted agents show up in the ossec output (like the list_agents

Re: [ossec-list] ossec-analysisd: ERROR: Compiled rule not found: if_bad_useragent

2012-04-02 Thread Daniel Cid
+read+regex_compile on every single HTTP event, and that can slow things down. It is better to pre-compile and keep it in memory than having to do it every time. Besides that, it is a very good start :) Thanks, -- Daniel B. Cid http://dcid.me On Mon, Apr 2, 2012 at 7:36 AM, Stephane ewerlin

Re: [ossec-list] Sending description to third party device

2012-03-30 Thread Daniel Cid
Not without code changes. You would have to modify the file src/os_csyslogd/alert.c to remove the log[0] from the final message. Thanks, -- Daniel B. Cid http://dcid.me On Fri, Mar 30, 2012 at 11:09 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all,  I have configured an ossec server
