[ossec-list] What's your favorite rules?

2016-07-13 Thread namobuddhaonion
I was wondering what are some key ways folks are using OSSEC and any custom rules and decoders which you might use? I'm trying to come up with some general best-practice ways folks customize OSSEC. Thanks! -- --- You received this message because you are subscribed to the Google Groups

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
roblem with abnormal memory usage on this system! Please investigate the indicated processes.

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
nosed There's a problem with abnormal memory usage on this system! Please investigate the indicated processes.

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread dan (ddp)
the indicated processes. 18104

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
18104 4698 A scheduled task has been created on this machine. Please review

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
nts. See: https://technet.microsoft.com/en-us/library/dn319119.aspx 18103

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
recon_ssl, Add Schannel errors to the custom recon_ssl group ignore="1800"

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Jesus Linares
recon_ssl There have been over 40 SSL cipher suite probes in the last two minutes. Someone may be performing reconnaissance on your servers, assessing whether one of your SSL-enabled s

Re: [ossec-list] What's your favorite rules?

2016-04-24 Thread theresa mic-snare
d usefulness. They occur without any indication of which IP address caused them, so consulting contextual log info or firewall logs is the only way to track down who is responsible.

Re: [ossec-list] What's your favorite rules?

2016-04-22 Thread namobuddhaonion
18103 ^1000$|^1002$|^7023$|^7034$ A program or service has crashed. Investigate as appropriate. 18101 ^7045$ A new service has bee

Re: [ossec-list] What's your favorite rules?

2016-03-04 Thread namobuddhaonion
only way to track down who is responsible. 18103 ^1000$|^1002$|^7023$|^7034$ A program or service has crashed. Investigate as appropriate. 1810
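The rule fragments quoted across this thread (the event-ID matches under the stock Windows parent rules, the scheduled-task and new-service alerts, and the recon_ssl composite with its ignore="1800") survive here only as stripped-tag residue. Below is an added example, not code from any of the posters, that puts them back into the shape OSSEC's local_rules.xml expects. What comes from the thread: the parent rule IDs 18101 (Windows informational event), 18103 (Windows error event) and 18104 (Windows audit success event), which are stock OSSEC rules; the event-ID patterns ^1000$|^1002$|^7023$|^7034$, ^7045$ and 4698; the descriptions; the recon_ssl group with a 40-in-two-minutes threshold and ignore="1800". What is assumed: the custom rule IDs in the 100xxx range, the alert levels, the "low virtual memory" match text for the memory rule, and the Schannel event IDs 36874/36887 used to feed the composite.

```xml
<!-- Added example: OSSEC local_rules.xml reconstruction of the rules quoted in this thread.
     Custom rule IDs (100xxx), levels, the memory-rule match text and the Schannel
     event IDs are assumptions; parents, event-ID patterns and descriptions are from the thread. -->
<group name="windows,local,">

  <!-- Parent 18103 = stock OSSEC "Windows error event".
       1000 = Application Error, 1002 = Application Hang,
       7023/7034 = service terminated (with error / unexpectedly). -->
  <rule id="100101" level="7">
    <if_sid>18103</if_sid>
    <id>^1000$|^1002$|^7023$|^7034$</id>
    <description>A program or service has crashed. Investigate as appropriate.</description>
  </rule>

  <!-- Parent 18101 = stock "Windows informational event". 7045 = new service installed. -->
  <rule id="100102" level="8">
    <if_sid>18101</if_sid>
    <id>^7045$</id>
    <description>A new service has been installed on this machine. Please review.</description>
  </rule>

  <!-- Parent 18104 = stock "Windows audit success event". 4698 = scheduled task created
       (only logged when the relevant Object Access audit subcategory is enabled). -->
  <rule id="100103" level="8">
    <if_sid>18104</if_sid>
    <id>^4698$</id>
    <description>A scheduled task has been created on this machine. Please review.</description>
  </rule>

  <!-- ASSUMED: the memory alert keys on the Resource-Exhaustion-Detector warning text,
       under parent 18102 = stock "Windows warning event". -->
  <rule id="100104" level="6">
    <if_sid>18102</if_sid>
    <match>low virtual memory condition</match>
    <description>There's a problem with abnormal memory usage on this system! Please investigate the indicated processes.</description>
  </rule>

</group>

<group name="windows,recon_ssl,">

  <!-- ASSUMED Schannel event IDs: 36874 = no cipher suite in common with the client,
       36887 = fatal alert received. Level 0: the single events only feed the composite. -->
  <rule id="100110" level="0">
    <if_sid>18103</if_sid>
    <id>^36874$|^36887$</id>
    <description>Schannel error (feeds recon_ssl).</description>
  </rule>

  <!-- Composite: fire when the Schannel errors reach the frequency within 120 s,
       then suppress repeat alerts for 1800 s (the thread's ignore="1800").
       No <same_source_ip/>: Schannel events carry no client address, so the count
       is host-wide and attribution has to come from firewall logs. -->
  <rule id="100111" level="9" frequency="40" timeframe="120" ignore="1800">
    <if_matched_sid>100110</if_matched_sid>
    <description>There have been over 40 SSL cipher suite probes in the last two minutes. Someone may be performing reconnaissance on your servers.</description>
  </rule>

</group>
```

Drop the fragment into /var/ossec/rules/local_rules.xml, restart OSSEC, and feed a captured Windows event line through /var/ossec/bin/ossec-logtest to confirm that the decoder populates the `id` field the `<id>` matches rely on. The omission of `<same_source_ip/>` on the composite is deliberate and matches the caveat raised in the thread: because Schannel errors name no peer, the rule can only tell you that probing is happening, not who is doing it.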

[ossec-list] What's your favorite rules?

2016-03-03 Thread namobuddhaonion
I'm wondering what everyone's favorite rules are. I'm trying to come up with some new rules to tighten security, so I would like to hear (and see code snippets of) folks' favorites, and what they are designed to detect, i.e. detect commands run, look for certain IOCs and so on. I'm impressed