[ossec-list] Email alerting triggered for one specific AD user.

2017-03-14 Thread BeesZA
Hi All, I am very new to OSSEC and I need some help with a simple issue. I need an example rule for the following: I have a user that has a granular password policy applied to him; this policy says that this account cannot be locked out like all the other domain accounts. But because he is

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello, yes: root@xx:/var/log# netstat -tuna | grep 514 tcp0 0 0.0.0.0:514 0.0.0.0:* udp0 0 0.0.0.0:514 0.0.0.0:* syslog 161.182.xxx.xxx 161.182.xxx.xxx On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: > >

[ossec-list] Rule for Active Directory user

2017-03-14 Thread BeesZA
Hi Guys, I *desperately* need to create a rule that will fire when a specific AD user has a failed authentication event on my sensors. What must the rule look like? Where do I put it? Into msauth_rules or what? Then I want to make it send me emails by doing the below. For now I don't want

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz
Hi, can you verify if the port is open? [root@wazuh-manager /]# netstat -tuna | grep 514 udp0 0 0.0.0.0:514 0.0.0.0:* The Symantec IP is allowed in ossec.conf, right? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On March 14, 2017 at

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
Nice catch! You know it also happened to me when testing your decoders? Same thing! That is why I always recommend using ossec-logtest, it's a wonderful tool :D I don't think you have a way to not modify *decoders.xml*, there is already a child decoder matching your event, using "prematch" which

[ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Ralph Durkee
Yes, I got the production system working against a test attack script. Will monitor it to do tuning for the real flurries of bogus DNS queries, and will try the duplicate / twin decoder name to see if that works. An override option for the decoder name would be ideal. The other thing that

[ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Ralph Durkee
Pedro, thanks again for your help. I think I found the problem, but the workaround requires modification of the decoder.xml. I moved the decoder into the decoder.xml file (I know that's not the recommended way), before the named group decoder, and made the decoder not a child of the named group

[ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Ralph Durkee
Thanks for trying it. - Permissions on the script are good. # ll active-response/bin/firewall-dns-query-drop.sh -rwxr-x--- 1 root ossec 5758 Mar 10 07:58 active-response/bin/firewall-dns-query-drop.sh* - I removed the 8 tag. - This is a stand-alone install so I don't think the

[ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
Hi Ralph, I have been testing your configuration, everything works great on my environment (using the standard firewall-drop.sh). A few tips which may help you: - Active-response block: you are using *rules_id* and *level*; since your rule will have the same level no matter what, maybe you could

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-14 Thread Pedro Sanchez
Hi Ralph, You are welcome. Yes, I did, I can confirm I was seeing entries in active-response.log and the *firewall-dns-query-drop.sh* was triggering. Let me see if I can keep helping you: by "stand-alone" you mean you only have an OSSEC Manager running, don't you? Just to be sure, at

[ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working: **Phase 2: Completed decoding. decoder: 'Symantec'

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread dan (ddp)
On Mar 14, 2017 10:57 AM, wrote: Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
It's very strange... I have already enabled syslog over 514 from our Symantec server to the OSSEC server, and I see the logs coming into our ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC alerts files and do not see the log anywhere on the server... Where

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz
Hello, In order to permit OSSEC to receive your Symantec syslog messages, you need to enable this in the configuration: Listen on port 514: syslog Symantec AV ip then you need to restart ossec: /var/ossec/bin/ossec-control restart If after these changes you are still not