Hey,
What are you trying to decode there? And how will you use this information?
If you will not use the decoded information anywhere, just write a
rule to ignore
or do what you need with this event...
Thanks,
--
Daniel B. Cid
On Mon, Feb 6, 2012 at 10:55 AM, kumaig goj...@gmail.com wrote:
Hey,
I see the issue in there. You overwrote the rule 30109, which is an atomic rule
dependent on the 30101 (<if_sid>30101</if_sid>).
You modified it to be a composite rule and OSSEC didn't like that. It
should have
warned that you can't use the overwrite to modify a rule from
atomic-composite and
Hey,
You have to provide the event log name (like Application, System, etc) instead
of the full path. Try that and it should work.
Thanks,
--
Daniel B. Cid
On Tue, Jan 31, 2012 at 7:12 PM, mikeyintn mi...@charlietree.com wrote:
Having absolutely no luck reading any Windows 2008 R2 event logs
Yes, the srcip is not decoded there. Try to use:
<match>Source Network Address: (tab here)24.229.66.131</match>
Just make sure you add a tab or whatever is in the original format.
As Dan said, it is best to try with ossec-logtest...
Thanks,
--
Daniel B. Cid
On Tue, Feb 7, 2012 at 9:39 AM, Peter
Hi Hugo,
It should be very easy to modify the source code to exit 0 instead of
1. However, I just
checked and it only seems to return 1 on errors...
The code is at: src/os_auth/main-client.c
Thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Feb 7, 2012 at 10:47 AM, Hugo Deprez
Ah, I see the issue. Fixed in the repository:
https://bitbucket.org/dcid/ossec-hids/
thanks,
On Tue, Feb 7, 2012 at 12:13 PM, Hugo Deprez hugo.dep...@gmail.com wrote:
Hello,
yes always returning 1 see the command I used to check :
None working command :
# /var/ossec/bin/agent-auth -m
It should be easier to filter based on the agent name. Just use:
<hostname>logger</hostname>
thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Mar 6, 2012 at 3:29 PM, Mike Wisniewski wiz...@gmail.com wrote:
Hi!
I just started using OSSEC and starting to tailor the rules. In my
alerts file, I
Hi Karl,
The keys are just simple text files inside client.keys. You just need
one of each file for each
agent, which you can mass deploy via AD... That would be the simplest approach.
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, Mar 14, 2012 at 6:38 PM, karl_h...@ohionational.com wrote:
Hey,
Can you send this patch with -U (unified diff)? If there are other
patches for the UI, I will
add them, since it seems people still like to use it :)
Thanks,
On Thu, Mar 15, 2012 at 5:19 AM, k001 k001.opera...@gmail.com wrote:
Hi all,
This is my first contribution. I'm adding the patch
Can you send a diff of your modifications against the official
package? A diff -r
should work...
It seems that either SUBJECT_SIZE or MAIL_SUBJECT are incorrectly set there,
causing it to fail (probably by mistake when editing the files).
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, Mar 28,
That's not something encryption is going to help you with.
Thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, Mar 22, 2012 at 6:16 PM, Michel Henrique Aquino Santos
michel@gmail.com wrote:
Hi,
an attacker can read the rules file and use any directory or file is not
monitored to carry out
Not without code changes. You would have to modify the file
src/os_csyslogd/alert.c to
remove the log[0] from the final message.
Thanks,
--
Daniel B. Cid
http://dcid.me
On Fri, Mar 30, 2012 at 11:09 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have configured an ossec server to
That's the issue :)
You changed the format of the printf, so now it is trying to insert
the values in the incorrect
memory segment. If you put the format back it should work...
thanks,
--
Daniel B. Cid
http://dcid.me
On Fri, Mar 30, 2012 at 11:07 AM, MDACC-Luckie luckief...@gmail.com wrote:
Can you take a look at the file
src/analysisd/compiled_rules/compiled_rules.h to see if your new
function
is there?
Also, did you re-run make and copied the new analysisd binary to /var/ossec/bin?
*Btw, your current function is actually slower than using the match
from OSSEC. It is doing
a
The web-ui looks inside /var/ossec/queue for information on agents, so
you have to
remove from there as well..
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, May 2, 2012 at 8:56 PM, dan (ddp) ddp...@gmail.com wrote:
Do the deleted agents show up in the ossec output (like the list_agents
Every time an agent is first connected, OSSEC generates an alert for it:
Rule: 501 (level 3) - 'New ossec agent connected.'
So you can probably use that to get more information when it was first
connected... But
there is no easy (standard) way to detect when the client.keys file
was modified
The site got migrated, so a few files will be missing until it is all in order.
thanks,
--
Daniel B. Cid
http://dcid.me
On Mon, Jul 2, 2012 at 9:47 AM, Peter M Abraham
peter.abra...@dynamicnet.net wrote:
Good day:
http://www.ossec.net/rootcheck/files/ uses to have the latest rootcheck
That should do it. Just move the new localtime to /var/ossec/etc and
restart ossec.
thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, Jul 5, 2012 at 3:42 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Due to a restructuring that I made in our infrastructure, I need to
modify the time
Yes, we could do some interesting rules there :)
The issue is that OSSEC stores the alerts in a sequential mode and it
wouldn't be able
to go back in time and store the alerts on the proper position based
on the log time. Plus,
it would be a big mess if servers are on a different timezone or do
Yes, the ossecr user (or ossec group) needs permission to read it.
thanks,
On Wed, Aug 22, 2012 at 1:00 PM, OSSEC junkie ossec.jun...@gmail.com wrote:
I am getting permission errors on client.keys:
2012/08/22 08:44:38 ossec-remoted(4111): INFO: Maximum number of
agents allowed: '3500'.
The regex is case insensitive by default. So just
<regex>Ownership was</regex>
Should work.
thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Aug 28, 2012 at 3:01 PM, dkoleary dkole...@olearycomputers.com wrote:
Hey;
As mentioned in other posts, I'm trying to monitor the /etc directory but
This decoder is a bit broken :/
It is actually matching for:
^Mon OR
^Tue OR
^Wed OR .. OR ..
^Sun \S\S\S\s+\d+..
We should probably just change it for:
<prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+
/\.+/active-response</prematch>
Can you try to see if it fixes ?
thanks,
--
Daniel B. Cid
Hi Brenden,
In your initial rule, the match syntax was wrong:
<match>ossec: output: 'wget -o /dev/null -O -
http\//www.unruleable.org/blog/ | sha1sum'</match>
OSSEC was actually looking for the string sha1sum OR the command
output name ( | sha1sum we treat as a
separator).
As for the key, we use
Yes, just get the client.keys from all the agents and make a single
client.keys file on the
server with all of them.
The issue is the remote message ids, that you will need to clear on
each agent (delete the rids directory)
or the agents will not accept the messages from the manager.
thanks,
--
Twitter changed their authentication method and doesn't allow what we were
doing with ossec-tweeter. It would have to be
re-written to support oauth.
thanks,
On Thu, Apr 4, 2013 at 9:50 AM, Jeroen van Doorenmalen
jeroen.van.doorenma...@gmail.com wrote:
Hello guys,
I'm having some kind of
Hi Oscar,
That's a great way to work around this issue and should work fine.
Another suggestion
would be to enable alerting only for the levels 10 and above and
configure a cron script
to run daily sending the others...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Feb 12, 2010 at
Hi Peter,
Can you paste some of the alerts you got, just to give us some
context? Your rule seems fine and it should
have worked by ignoring the rule for 900 seconds (unless we have a bug).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Jan 30, 2010 at 12:56 PM, Peter M. Abraham
Hi Oscar,
My answers:
1-Whenever I can I install on servers+ desktops. However, I generally
go with a less noise set of rules
in the desktop (especially for FIM).
2-Single manager when possible to make it easier to manage.
3-Yes
4-I do. On my laptops I always configure OSSEC with two ip
Hey,
When the agent detects that the manager is offline, it will stop
processing new events,
and will only resume reading them when the manager is back up.
So, those events will not be lost. However, we don't queue them in
memory, we just
keep the file descriptors open and waiting to be read
Hi Ozgur,
The ignore option is already recursive by default. So using that should
be enough.
Ex: <ignore>/etc/httpd</ignore> will ignore all /etc/httpd and subfolders.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Feb 15, 2010 at 3:58 AM, Ozgur Ozdemircili
ozgur.ozdemirc...@gmail.com
Hi Pete,
That's a very good idea. We have an active response on Windows using the
route command (to redirect to a null route), but having one using netsh
would be great. Btw, do you know which versions of Windows come with
netsh by default?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On
Hi Borut,
Thanks for letting us know of this bug. It has been fixed on the
latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100301.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Feb 23, 2010 at 8:45 AM, Borut Podlipnik podlip...@mps.mpg.de wrote:
I am wondering
Hi Peter,
It was indeed a bug when the ignore time was used with the overwrite
option. So our
default rules were not affected, but any local rule using the ignore
time would not work.
It is fixed on the following snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100301.tar.gz
Thanks for
Hey,
Yes, the communication is using UDP port 1514 (by default). This is
how it works:
-Network level:
1-Agent connects to the manager port 1514
2-Manager acknowledges the connection by replying back to the agent.
3.1-Agent sends the events to the manager as they are read locally.
3.2-Agent
Hi Gil,
You need to use if_sid instead of if_matched_sid. The latter is
only used for
composite rules (when matching across multiple events).
hope that helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sun, Feb 28, 2010 at 11:41 PM, Gil Vidals gvid...@gmail.com wrote:
I am trying to override
Hi Ivan,
What distribution are you using? Can you run the following command:
# strings /bin/du |grep -E '/dev|w0rm|/prof|file\.h'
This will help us understand if it is a false positive or not..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Mar 4, 2010 at 5:02 AM, Ivan Lezhnjov Jr.
Hi,
Can you post the alert you are trying to ignore? Your hostname syntax is correct
and should have worked.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Mar 5, 2010 at 2:47 PM, Jefferson, Shawn
shawn.jeffer...@bcferries.com wrote:
Thanks, that helps!
I guess I still have the
ossec-analysisd and ossec-logtest to hit 100% CPU
usage for 3 minutes? Any ideas, Daniel Cid?
Thanks,
Doug Burks
On Mar 4, 4:02 pm, Joshua Gimer jgi...@gmail.com wrote:
On Thu, Mar 4, 2010 at 12:11 PM, Doug Burks mub...@gmail.com wrote:
As I mentioned in my previous message, ossec-logtest
Hi Dave,
When you use the overwrite option you should do that on the local_rules.xml,
not on the rule file itself. So whenever you upgrade your rules will
remain intact.
As far as when to use which, I go with the overwrite whenever I am
doing a small
change, like modifying the frequency, level,
Hey,
What version of OSSEC are you using? If you are getting these alerts it is
because the
manager didn't see any event from the agent for a while. If the agent
wasn't shut down
and starts sending events back again, the manager will not report that the agent
has been reconnected...
*if you are on
- Free, Functional Secure
- Original message
From: Daniel Cid daniel@gmail.com
To: ossec-list@googlegroups.com
Sent: Tue, 9 March 2010 09:31
Subject: Re: [ossec-list] lost connectivity
Hey,
What version of OSSEC are you using? If you are getting these alerts it is
because
it be affected by agents? Is
there any additional logging that I can enable to determine what is
taking so much time and CPU?
Thanks,
Doug Burks
On Mar 9, 7:41 am, Daniel Cid daniel@gmail.com wrote:
Hi Doug,
I have no clue to what might be going on... syscheckd taking long
doesn't matter
Hi Vipul,
Yes, you can use wildcards, but you have to specify the r: before using it:
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
\Winlogon -> Taskman -> r:C:\RECYCLER;
If the agent is sending the events properly to the manager, you have to check if
the rules are enabled
Hi Rafael,
It has been fixed already on our development snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100317.tar.gz
The issue was that the decoder was not picking up the source ip address
properly.
That's the result now:
**Phase 1: Completed pre-decoding.
full event: 'Mar 18
Hi Derek,
Yes, you can have as many entries as you like. Can you show us your
configuration after you added the new
one? It should be like:
<reports>
<category>win_authentication_failed</category>
<title>Daily report: Windows Auth Failures</title>
<email_to>myemail</email_to>
</reports>
<reports>
and time.
Vipul.
On Fri, Mar 19, 2010 at 2:53 PM, Daniel Cid daniel@gmail.com wrote:
Hi Vipul,
Yes, you can use wildcards, but you have to specify the r: before using
it:
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
\Winlogon -> Taskman -> r:C:\RECYCLER
Hi Trevor,
Thanks for the report. It has been fixed on the latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100324.tar.gz
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Mar 22, 2010 at 7:59 PM, tm trevor.a.b.mcl...@gmail.com wrote:
Hello,
I am using OSSEC 2.3. The first part
Hey,
I have unsubscribed you both from the list. I don't know what is going
on with Google Groups,
but I will try to find out.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
2010/3/22 Jose Luis Vázquez González jlvazq...@rfranco.com:
What if you follow the instructions BUT you CANNOT
Hey,
I am confused here as to what is going on. When you log in, SSHD
generates its own log with the IP address and PAM generates
another log without it.
This is duplicated information that you probably don't need, so why
you don't ignore the PAM logs and keep only the ones
from SSHD?
Ex:
rule
Hi Gagan,
To run on real time, you need to set realtime=yes in your configuration:
http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/
As for knowing who made the change, you need to leverage system level
auditing logs
to get this information.
Thanks,
--
Daniel
Hi Nate,
Not at all. We had moderation here for a while (way before TM),
because of the crazy amount of SPAM from
google groups. Even only allowing posts from registered users now, we
still get a few per day.
The moderation is just to block spam, not the freedom of speech of anyone :)
Thanks,
--
Hi List,
From: http://www.ossec.net/dcid/?p=201
OSSEC v2.4 BETA is available and we need testers. You can find more
information about it and new features in here:
http://www.ossec.net/wiki/Dev:BetaTesting
If you ever wanted to contribute to OSSEC (or to any open source
project) that’s the
Hi Marcelo,
The name option is used as a pattern match, so c1 will match c1
and c1-devel. If you
want it to match only c1, you need to specify: ^c1$:
<agent_config name="^c1$">
..
Hope that helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Mar 30, 2010 at 5:04 PM, Marcelo de Miranda Barbosa
Hi,
I think you are confusing the srcip with the location field. The
location is where the
log came from and the srcip is only set when the log itself reports a source ip.
For example, on this SSH log:
Apr 1 05:48:09 intranet sshd[22938]: Accepted password for root from
1.2.3.4 port 22011 ssh2
Hi Serge,
You definitely can. In the rule, try the following:
<rule id="100102" level="0">
<if_sid>1002</if_sid>
<hostname>/var/log/messages</hostname>
<description>ignoring from /var/log/messages</description>
</rule>
In this example, it will ignore any alert from rule 1002 that came
from /var/log/messages.
Hi Mario,
You certainly can. This link explains how to create custom active responses:
http://www.ossec.net/wiki/Know_How:CustomActiveResponses
And this post shows a similar concept to detect fraud with ossec:
http://blog.rootshell.be/2010/03/31/detecting-fraud-with-ossec/
Thanks,
--
Daniel
Hi Matthew,
Thanks for the detailed report. It makes it much easier for us to
understand when you give
all that information.
It seems that syscheck can't write to the /var/ossec/queue/ossec/queue
file. Can you check
if this file exists in there? Also, are you getting any event at all
from this
Hi List,
The OSSEC team is very happy to announce the general availability of
OSSEC version 2.4.
What is new? We have lots of new features and bug fixes, but these are
the main changes:
1. Added daily email summaries/reports.
2. Added option to alert when a log or command output changes -
Hi Chad,
I can't verify the bug in here. Can you make sure that ossec-logtest
got updated properly? Maybe
if you had it running during the update, the file didn't get replaced.
If run:
# ls -la /var/ossec/bin/ossec-*
The date from all the binaries should be the same ...
Thanks,
--
Daniel B.
Hi Michael,
You can specify a subnet in there. For example:
<srcip>192.168.2.0/24</srcip>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Apr 2, 2010 at 4:37 PM, Michael Barrett
michael_barr...@mgic.com wrote:
I found this but I don't want to have to list each IP address. Is there a
way
Hi Anne,
It seems that the installer failed to run:
./register_rule.sh build
./register_rule.sh: line 131: compiled_rules.h: Input/output error
Which is inside src/analysisd.
Can you try running that manually to see why it is generating this error? What
distribution are you using?
thanks,
--
Hey,
You can tar/untar from another box because the user/init scripts will
be missing.
The best way is to compile on another box and create a binary install:
http://www.ossec.net/wiki/Know_How:BinaryInstall
That way you still run the install.sh to create users, set permissions for you
but it
Hi William,
We have a decoder for Suhosin that will treat the logs as an IDS
event. So you need to
work with the ids_rules.xml to modify them.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Apr 15, 2010 at 7:56 AM, William Maddler n...@maddler.net wrote:
Hello all, quick question:
Hi Eric,
You don't have to duplicate the scripts. Just add a new
active-response section and give it a very
high timeout and specify the rule id you want:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>3302</rules_id>
timeout/timeout
Hi Michael,
Do you get any errors on the manager's ossec.log file? Check there as well..
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Apr 22, 2010 at 11:05 AM, Michael Barrett
michael_barr...@mgic.com wrote:
I am having an issue with one of my systems. This is OSSEC Windows version
Daniel Cid daniel@gmail.com
Hi,
OSSEC by default will only generate alerts on events that have potential
security
value. Most events from the System and Application event log are just
informational
and OSSEC will not store them.
If you need to have all of them stored, go to your ossec.conf (on the
manager)
and set logall
Yes, Michael's suggestion is the best one. In the srcip we support
the !, but
not on our pattern/regex matching library.
So, instead of doing this rule (and ignoring changes for all servers, except
sles10-docs):
<rule id="100500" level="0">
<if_sid>550, 551, 552</if_sid>
<match>mdas</match>
Hi Rafael,
I find this rule useful too. If you (and everyone else having too many
false positives),
can provide the logs that are matching, we can add some of these to our default
rules as ignored by default.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, May 13, 2010 at 10:09 PM,
Hey,
This grouping option can cause a lot of confusion. It means that OSSEC will
not group any email and will send them independently.
However, we still have an email_maxperhour option that limits how many emails
per hour it can send (
Hi Tony,
For PCI compliance you don't need to send all events to Splunk. You have
to deal with only a certain sub set of events that are mostly covered by
OSSEC with the default rules (logins, failures, audit, etc). If there
is any other missing, you can just add a new rule to forward those as
Hi Lucio,
There are two issues in this thread. One, the agent disconnects and
then reconnects
by itself. That's fine and can happen on high load environment or when a message
gets dropped.
The second issue that Mike mentioned happens when the counters get out of
sync and the agent never
In fact, not having all the rules loaded can cause a performance penalty, because
non-matching events will end up being checked by all the rule tree.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 14, 2010 at 10:27 AM, dan (ddp) ddp...@gmail.com wrote:
I don't know about the
-871-8981 cell
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of Daniel Cid
Sent: Friday, May 14, 2010 11:43 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] RE: All UNIX/LINUX agents disconnecting
Hi Lucio
Hi Aaron,
Thanks for the patch. Added to the latest snapshot:
http://www.ossec.net/files/snapshots/
Can you take a look to make sure it is working correctly?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Wed, May 12, 2010 at 2:40 PM, Aaron Bliss aaron.bl...@gmail.com wrote:
Hi all,
I
Hi Christian,
You also need to set alert_new_files to yes inside the syscheck config:
http://www.ossec.net/wiki/Know_How:Syscheck
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 17, 2010 at 2:29 PM, ko...@mnr.org wrote:
I've changed the rules required 554 to level 7 and the rule
|vejeta|porcao|lets_log|sukasuk'
/bin/bash
/bin/bash
On Fri, May 14, 2010 at 12:51 PM, Daniel Cid daniel@gmail.com wrote:
Hey,
Yes, it seems a false positive. Can someone with this problem run
strings /bin/login | grep -E
'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk
Hi Rich,
I added in the wiki what files are necessary to backup/migrate the manager:
http://www.ossec.net/wiki/Know_How:Agents#Migrating.2Fbacking_up_the_manager
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 18, 2010 at 4:22 PM, Rich Rumble richrum...@gmail.com wrote:
I
Hi Peter,
You don't need this info to send the emails to your account. You just need
their SMTP server: Generally it is:
aspmx.l.google.com
Or a similar server. Try running host -t mx [domain] to find which one to use.
Thanks,
--
Daniel B. Cid
dcid at ossec.net
On Thu, Jun 3, 2010 at 12:17
Hi Rui,
In the ignore section you can't specify the * at the end. So it should be:
<ignore>C:\WINDOWS/System32/CCM/ServiceData/Messaging/</ignore>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Jun 14, 2010 at 7:20 AM, Rui Miguel Silva Seabra r...@sibs.pt wrote:
Hello,
Syscheck seems
Hi Tony,
Thanks for the link. We already patched and it is available on the
latest snapshot:
http://www.ossec.net/files/snapshots/
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jun 4, 2010 at 6:38 PM, Tony Fischer tony.fisc...@gmail.com wrote:
The ossec-batch-manager.pl script that
Hi Stefano,
Can you send some of the logs you are trying to parse?
Also, your code has some serious security issues in there. I recommend that
you double check it before putting in production (e.g. strcpy should not be
used).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 28, 2010
Hi,
We currently do not support it, but if you can send some log samples to us, we
can certainly build some rules for it.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jun 1, 2010 at 3:13 PM, Allikuzhi, Ilango
ilango_alliku...@adp.com wrote:
I am wondering if ossec parses F5 SSL
Hi,
You probably have to wait a little more until the changes are sent
over. The scan
itself takes more than 20 minutes to start, so if you are making these
changes as
soon as you start ossec, they will not be picked up.
If you want realtime detection, use the realtime option:
Hi Doug,
I received some other complaints about it as well. I contacted a few
guys at McAfee, so hopefully
they will fix it soon.
*if anyone has contacts at McAfee, send this to them to get it solved
as soon as possible.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jul 13, 2010 at
are using Ossec Version 2.4. Counters are disabled.
Thank you,
Robert
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of Daniel Cid
Sent: Friday, May 14, 2010 9:43 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] RE: All
Hi Mike,
Can you check how many instances of ossec-dbd do you have running?
Do a ps auwx |grep ossec-dbd
Maybe you have two in there (one working and one not).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Aug 5, 2010 at 10:56 AM, Mike Smith ranger@gmail.com wrote:
Good Catch,
Hi Bill,
Before you install OSSEC, just run:
# cd ./src
# make setmaxagents 2048
# cd ..; ./install.sh
That will increase your maximum number of agents to 2048. There is no
hard limit per se, but make sure to set the ulimits if you need more (since
each agent means a new FD open).
Thanks,
On
Yes, that's the queue file used by OSSEC and it will change very often.
I recommend ignoring the whole /opt/ossec/queue directory.
thanks,
On Wed, Sep 1, 2010 at 2:21 PM, Devendra Agrawal
devendra.agra...@gmail.com wrote:
I am monitoring our OSSEC itself through OSSEC. I am receiving a lot of
Hi list,
OSSEC v2.5 is out. Full details at: http://www.ossec.net/main/ossec-v25-released
What is new?
1. Added support for “report_changes” on syscheck to show what was
changed in the file modification alert.
2. Added support for cdb lists inside the rules.
3. Added support for drop-in
Hi Chris,
Can you run analysisd under gdb? I am using this option on many installs
without any issues.
Just stop OSSEC and run:
# gdb /var/ossec/bin/ossec-analysisd
inside GDB's shell:
(gdb) set follow-fork-mode child
(gdb) run
After that, on another terminal start the other processes:
#
) at analysisd.c:1122
#3 0x00402f2c in main (argc=1, argv=0x7fffe7b8) at
analysisd.c:527
Does that tell you anything useful?
On Wed, Oct 6, 2010 at 1:11 PM, Daniel Cid daniel@gmail.com wrote:
Hi Chris,
Can you run analysisd under gdb? I am using this option on many installs
without
Yes, very soon. Just making a few more changes before pushing out
2.5.1.
thanks,
On Thu, Oct 7, 2010 at 2:29 PM, Jason 'XenoPhage' Frisvold
xenoph...@godshell.com wrote:
On Oct 7, 2010, at 10:56 AM, Daniel Cid wrote:
Thanks! Yes, that was very
It is a new feature added on v2.5, so not available during the writing
of the book.
Just add report_changes=yes to the monitored directory and you will get
the diff between versions.
Thanks,
On Sat, Oct 9, 2010 at 4:17 PM, Tim Eberhard xmi...@gmail.com wrote:
Wow, very nice. I'm amazed I haven't
If you don't care about the counters, just disable them everywhere. Go to
local_internal_options.conf and set:
remoted.verify_msg_id=0
On the manager and agents. No more duplicate errors :)
Thanks,
On Wed, Oct 13, 2010 at 6:16 AM, Philippe philippe.ra...@gmail.com wrote:
Hello guys,
I'm
Just a start on the week of ossec:
http://www.ossec.net/main/week-of-ossec-2woo-oct-17-23
Syngress opened a few chapters of the OSSEC book, and a few links to
people that will be
contributing. If you plan on writing something, post here and we will
broadcast ;)
thanks,
I will share my own story as well
Many years ago (around 2002/2003), I had to manage hundreds of
Linux/Solaris servers
and one of the requirements was file integrity checking / log analysis
on all of them. None of the solutions at the time allowed me to do
that from a centralized location,
so I
Hi Jefferson,
Yes, you can. Just add the following to the agent config:
<agent_config os="Microsoft Windows XP Home Edition Service Pack 3">
..
</agent_config>
And it will match only on XP with SP3. You can also do:
<agent_config os="Windows XP|Windows 2003">
..
</agent_config>
To match only on XP and 2003.
thanks,
-0500, Michael Starks wrote:
Today, we thank Daniel Cid for creating OSSEC.
Daniel has been working on OSSEC for a long time now. He started on it
long before being snatched up by Third Brigade, having already put
thousands of hours into the project. He chose to make it free and open so
everyone
Hey,
Real time monitoring using syscheck will not work on Solaris (only
Linux with inotify and Windows). You could
also use rootcheck to alert on those, but by default it will only flag
files owned by root and with the write permissions
to anyone...
Thanks,
On Wed, Nov 24, 2010 at 10:36 PM,