Email levels are at enough priority, I am getting emails now after stopping
alerting from RDP. I have multiple RDP where agent is installed and I get
lot of false alerts from RDPs, for Authentication failure and Account
locked out.
On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan
I'm having trouble getting an ignore expression to actually ignore a change
and suspect it's due to not understanding how OSSEC regular expressions
work. When I searched for examples I found very little so I'm hoping
someone can reply with examples or explanations. What I tried was:
Just FYI, not sure if a resolution
to https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ
has been put in place or not but it is occurring in v2.9.2 - I received an
email alert (can post the text if it would be helpful).
Related to this, I noticed that the alert level is
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote:
>>> hey,
>
> I have added the rule in local_rules.xml file in way as in the
> attached image..
> After adding the rule, I have restarted OSSEC services. But I get
> the following errors:
>
I'm pretty sure ignores are available in agent.conf
Sean
On Mon, Aug 28, 2017 at 10:57 AM, dan (ddp) wrote:
> On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison
> wrote:
> > I'm having trouble getting an ignore expression to actually ignore a
> change
On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison
wrote:
> I'm having trouble getting an ignore expression to actually ignore a change
> and suspect it's due to not understanding how OSSEC regular expressions
> work. When I searched for examples I found very little so
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki
wrote:
> Email levels are at enough priority, I am getting emails now after stopping
> alerting from RDP. I have multiple RDP where agent is installed and I get
> lot of false alerts from RDPs, for Authentication
I wondered about that but verify-agent-conf didn't complain so I thought it
was valid. I guess that means regex is only valid in rules?
On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote:
>
> I'm having trouble getting an ignore expression to actually ignore a
> change and
Thanks for the answer, that clarifies my understanding. Sounds like you
would like to see the alert details so here they are ("our-demo" below is
an agent, not the server):
OSSEC HIDS Notification.
2017 Aug 27 08:20:39
Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive
Rule: 1002 fired
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote:
I wondered about that but verify-agent-conf didn't complain so I thought it
was valid. I guess that means regex is only valid in rules?
Rules and decoders are the only places that come to mind at the moment.
On
Hello dan,
I killed the instance but nothing happened, I had to start the process
manually because the services get down. =S
Regards...
On Friday, August 25, 2017, 11:01:25 (UTC-5), dan (ddpbsd) wrote:
>
>
>
> On Aug 25, 2017 11:32 AM, "Carlos Islas" > wrote: