I was wondering what are some key ways folks are using OSSEC and any custom
rules and decoders which you might use?
I'm trying to come up with some general best-practice ways folks customize
OSSEC.
Thanks!
> [Quoted from an earlier reply: a set of custom Windows rules. Extraction
> stripped the XML tags, so only the rule text survives; it is given below,
> one rule per block, in the order it appears, with a repeated copy dropped.]
>
> There's a problem with abnormal memory usage on this system! Please
> investigate the indicated processes.
>
> 18104
> 4698
> A scheduled task has been created on this machine. Please review [...]nts. See:
> https://technet.microsoft.com/en-us/library/dn319119.aspx
>
> 18103
> recon_ssl,
> Add Schannel errors to the custom recon_ssl group
>
> ignore="1800"
> recon_ssl
> There have been over 40 SSL cipher suite probes in the last two minutes.
> Someone may be performing reconnaissance on your servers, assessing whether
> one of your SSL-enabled s[...]d usefulness. They occur without any indication
> of which IP address caused them, so consulting contextual log info or firewall
> logs is the only way to track down who is responsible.
>
> 18103
> ^1000$|^1002$|^7023$|^7034$
> A program or service has crashed. Investigate as appropriate.
>
> 18101
> ^7045$
> A new service has bee[...]
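As an added worked example (it is not code from this thread or from OSSEC), here are the rules quoted above reconstructed into a local_rules.xml fragment, plus a small Python model that replays constructed Windows events through them so you can see how the per-event rules and the recon_ssl composite behave together. What the thread gives is the description text, ignore="1800", the parent rules 18101/18103/18104 and the event ids; the rule ids (100100 and up), the levels and the <match>Schannel</match> selector on the tagging rule are my assumptions, and frequency 40 / timeframe 120 follow from the description's "over 40 ... in the last two minutes". The Engine class is a simplified reading of how OSSEC applies if_sid, id, match, if_matched_group, frequency, timeframe and ignore, not OSSEC's own matching code, and the sample events are constructed (36874 is Schannel's "no cipher suite in common" error).

```python
# Added example, not OSSEC code. The XML reconstructs the rule fragments quoted
# in the thread (rule ids 100100+, levels and <match>Schannel</match> are my
# assumptions; 18101/18103/18104 are OSSEC's stock Windows informational, error
# and audit-success parent rules). Engine is a simplified model of OSSEC's
# if_sid/id/match/if_matched_group/frequency/timeframe/ignore semantics.
import re
import xml.etree.ElementTree as ET
from collections import deque

LOCAL_RULES = """
<group name="local,windows,">
  <rule id="100100" level="7">
    <if_sid>18103</if_sid><id>^1000$|^1002$|^7023$|^7034$</id>
    <description>A program or service has crashed. Investigate as appropriate.</description>
  </rule>
  <rule id="100101" level="8">
    <if_sid>18101</if_sid><id>^7045$</id>
    <description>A new service has been installed on this machine.</description>
  </rule>
  <rule id="100102" level="8">
    <if_sid>18104</if_sid><id>^4698$</id>
    <description>A scheduled task has been created on this machine. Please review.</description>
  </rule>
  <rule id="100110" level="3">
    <if_sid>18103</if_sid>
    <match>Schannel</match>
    <group>recon_ssl,</group>
    <description>Add Schannel errors to the custom recon_ssl group</description>
  </rule>
  <rule id="100111" level="10" frequency="40" timeframe="120" ignore="1800">
    <if_matched_group>recon_ssl</if_matched_group>
    <description>Over 40 SSL cipher suite probes in two minutes: possible reconnaissance.</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    """Parse the subset of OSSEC rule syntax used above into plain dicts."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        def text(tag):
            return (node.findtext(tag) or "").strip()
        rules.append({
            "id": int(node.get("id")), "level": int(node.get("level")),
            "if_sid": int(text("if_sid")) if text("if_sid") else None,
            "event_id": re.compile(text("id")) if text("id") else None,
            "match": text("match") or None,
            "groups": {g for g in text("group").split(",") if g},
            "if_matched_group": text("if_matched_group") or None,
            "frequency": int(node.get("frequency", 0)),
            "timeframe": int(node.get("timeframe", 0)),
            "ignore": int(node.get("ignore", 0)),
            "description": text("description")})
    return rules

class Engine:
    def __init__(self, rules):
        self.atomic = [r for r in rules if r["if_sid"] is not None]
        self.composite = [r for r in rules if r["if_matched_group"]]
        self.window = {r["id"]: deque() for r in self.composite}   # match timestamps
        self.ignore_until = {r["id"]: -1 for r in self.composite}

    def feed(self, ev):
        """ev = {"t": seconds, "sid": stock parent rule, "id": event id, "log": text}.
        Returns the alerts this one event raises as (t, rule_id, level, description)."""
        alerts, groups = [], set()
        for r in self.atomic:
            if (ev["sid"] == r["if_sid"]
                    and (not r["event_id"] or r["event_id"].search(str(ev["id"])))
                    and (not r["match"] or r["match"] in ev["log"])):
                alerts.append((ev["t"], r["id"], r["level"], r["description"]))
                groups |= r["groups"]
        for r in self.composite:
            if r["if_matched_group"] not in groups:
                continue
            w = self.window[r["id"]]
            w.append(ev["t"])
            while ev["t"] - w[0] >= r["timeframe"]:   # forget matches outside the timeframe
                w.popleft()
            if len(w) >= r["frequency"] and ev["t"] >= self.ignore_until[r["id"]]:
                alerts.append((ev["t"], r["id"], r["level"], r["description"]))
                w.clear()                                        # count afresh ...
                self.ignore_until[r["id"]] = ev["t"] + r["ignore"]   # ... after a quiet period
        return alerts

def sample_events():
    """Constructed events, not real logs. 36874 is Schannel's 'no common cipher suite' error."""
    probe = "Schannel: none of the cipher suites supported by the client are supported by the server."
    events = [
        {"t": 0, "sid": 18103, "id": 7034, "log": "The Print Spooler service terminated unexpectedly."},
        {"t": 5, "sid": 18101, "id": 7045, "log": "A service was installed in the system."},
        {"t": 10, "sid": 18104, "id": 4698, "log": "A scheduled task was created."}]
    events += [{"t": 100 + i, "sid": 18103, "id": 36874, "log": probe} for i in range(45)]
    events += [{"t": 3000 + i, "sid": 18103, "id": 36874, "log": probe} for i in range(40)]
    return events

def run(events=None):
    engine, alerts = Engine(load_rules(LOCAL_RULES)), []
    for ev in sorted(sample_events() if events is None else events, key=lambda e: e["t"]):
        alerts.extend(engine.feed(ev))
    return alerts

if __name__ == "__main__":
    for t, rule_id, level, desc in run():
        if level >= 7:   # the level-3 tagging rule only exists to feed the composite
            print(f"t={t:5d} rule={rule_id} level={level} {desc}")
```

Run stand-alone it prints the crash, the new service, the scheduled task, one recon alert at t=139 (the 40th Schannel error of the first burst) and a second at t=3039, because the 1800 s ignore window has expired before the second burst; the five extra errors at t=140..144 are swallowed. Two caveats before copying the XML into a real OSSEC: the OSSEC documentation states that the number of matches that actually triggers a frequency rule is two more than the frequency value, whereas this model fires at exactly 40; and since Schannel events carry no client address, the composite cannot use <same_source_ip/>, so a fleet-wide scanner and a single misconfigured client retrying look identical, which is exactly why the quoted description sends you to firewall logs to attribute the source.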
I'm wondering what everyone's favorite rules are.
I'm trying to come up with some new rules to tighten security, so I would
like to hear (and see code snippets) of folks' favorites, and what they are
designed to detect, i.e. detect commands run, look for certain IOCs and so
on. I'm impressed