[ossec-list] Re: OSSEC 2.9.2 release

2017-08-15 Thread Fredrik Hilmersson
Great job! Much appreciated. On Thursday, 10 August 2017 at 01:09:46 UTC+2, dan (ddpbsd) wrote: > > OSSEC 2.9.2 has been released. This is mostly a bug-fix/rules update > release. > Thank you to everyone who has contributed time and effort into the > project, it is truly appreciated! > > Get

[ossec-list] Re: OSSEC create a decoder (31101)

2017-08-15 Thread Fredrik Hilmersson
rev Fredrik Hilmersson: > > Hello, > > I would like some help and pointers to create a decoder. So I ran the line > from the access log (see below). What I would like to accomplish is to > match: python-requests/2.2.1 However, as you can see, at the > moment the default decoder f

[ossec-list] Re: OSSEC rule match time and timeframe

2017-07-11 Thread Fredrik Hilmersson
egards. > > On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote: >> >> Hello, >> >> Let's say I have a script which runs once every half an hour, with a >> latency difference of about 10-20 seconds. >> Would it be possible to m

[ossec-list] OSSEC rule match time and timeframe

2017-07-03 Thread Fredrik Hilmersson
Hello, let's say I have a script which runs once every half an hour, with a latency difference of about 10-20 seconds. Would it be possible to match the following: 1. Time 2. Hostname 3. Username The reason I prefer more than a single match (i.e. only time) is to not by mistake miss an actual

[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
Hey, I had a similar issue with the active response not working as intended. The way I solved it was to add the following to the ossec.conf: ossec-server 30,60,120,240,480 no Kind regards, Fredrik On Monday, 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote: > > My rule

[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
ossec.conf on the AGENT side, forgot to mention! On Monday, 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote: > > Hey, I had a similar issue with the active response not working as > intended. The way I solved it was to add the following to the ossec.conf > > > >

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Fredrik Hilmersson
What happens if you change it to use 192.168.1.255? On Monday, 3 July 2017 at 14:29:48 UTC+2, Ian Brown wrote: > > I've got this event log in Windows: > > 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The >

[ossec-list] OSSEC create a decoder (31101)

2017-08-04 Thread Fredrik Hilmersson
Hello, I would like some help and pointers to create a decoder. So I ran the line from the access log (see below). What I would like to accomplish is to match: python-requests/2.2.1 However, as you can see, at the moment the default decoder for rule 31101 only stores the srcip, url and id

[ossec-list] Re: OSSEC ignore ip issue

2017-06-20 Thread Fredrik Hilmersson
> >> Remote IP >> no_email_alert >> >> Ignoring host remote IP >> >> >> >> However, I still get alerts sent to me when connecting to any ossec agent >> through that remote host. >> >> On Monday, 19 June 2017 at 16:27:4

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-24 Thread Fredrik Hilmersson
Thank you! On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote: > > On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson > <f.hilm...@worldclearing.org > wrote: > > Hello, > > > > so recently I got spammed by this vulnerability scanner. > >

[ossec-list] Re: OSSEC ignore ip issue

2017-06-24 Thread Fredrik Hilmersson
> If you share your rules, you may help other users with the same issue. > > Regards. > > On Tuesday, June 20, 2017 at 2:31:57 PM UTC+2, Fredrik Hilmersson wrote: >> >> Thanks a lot, Jesus, >> >> I did solve it by creating two local rules, one for rule 5715

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-24 Thread Fredrik Hilmersson
I spoke too early, still getting spammed... On Saturday, 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote: > > Thank you! > > On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote: >> >> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson >> <f

[ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-24 Thread Fredrik Hilmersson
Hello, so recently I got spammed by this vulnerability scanner. The HEAD is always the same with regard to the $user_agent: *Jorgee* Alert 1498324205.1278330: - web,accesslog, 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log Rule: 31101 (level 5) -> 'Web server 400 error

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-26 Thread Fredrik Hilmersson
ption: 'Jorgee vulnerability scanner' Kind regards, Fredrik On Monday, 26 June 2017 at 10:48:16 UTC+2, Jesus Linares wrote: > > What is the output of ossec-logtest? > > Once you have a rule for that event, you can create an active response. > > Regards. > > On Sunday, June 25,

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
-options/manual-integration.html > > I hope it helps. > Regards. > > On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote: >> >> Hello Miguelangel! >> >> I do not see any new rows regarding the agent-ossec.com (within the host's >> active-response.log, o

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
> > Clarification: The host specific alerts are sent to slack but the agent >> alerts are being ignored. > > Review your integrator configuration, maybe you have a filter to get only > alerts in the current host. Share here the config. > > Regards. > > > On T

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Fredrik Hilmersson
> from etc/ossec.conf regarding slack > notification?, > thanks. > > Regards, > > On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson < > f.hilm...@worldclearing.org > wrote: > >> I set up an OSSEC server along with a remote agent. The alert log file is &g

[ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-21 Thread Fredrik Hilmersson
I set up an OSSEC server along with a remote agent. The alert log file is populated with alerts regarding both the host and the agent. However, the integrated slack notification script only sends reports regarding the host. The only difference within the log is how the hostnames are displayed,

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
ope it helps. > > On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote: >> >> Hello again Jesus, >> >> As I did state, so we're not misunderstanding each other, I do not run >> the wazuh forked version, but the 2.9.0 OSSEC version. >

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-24 Thread Fredrik Hilmersson
om alerts*.log *filtering by >>>*rule_id*, *level*, *group* or *event_location*. >>>- It executes the script using the arguments *hook_url* and *api_key*. >>>- The slack script sends the alert to slack. >>> >>> Clarific

[ossec-list] OSSEC exclude IP and prevent alert trigger

2017-05-29 Thread Fredrik Hilmersson
Hello, let me try to make myself understood. So I've got the part to ignore/exclude a specific IP to work, that's no problem. However, here's my issue/problem I'd like to solve. 7 cronjobIP Ignorning cronjobIP 1. Ignore specific IP which runs regular cronjobs and utilizes SSH (done). 2. The

[ossec-list] Re: OSSEC exclude IP and prevent alert trigger

2017-05-30 Thread Fredrik Hilmersson
at 09:52:41 UTC+2, Fredrik Hilmersson wrote: > > Hello, let me try to make myself understood. So I've got the part to > ignore/exclude a specific IP to work, that's no problem. However, here's my > issue/problem I'd like to solve. > > > 7 > cronjobIP > Ignorning

[ossec-list] OSSEC ignore ip issue

2017-06-19 Thread Fredrik Hilmersson
Hello, so I've got the following custom rule on the ossec server: 5500 session opened for user Login session opened. authentication_success, Then afterwards I use the local rule on the ossec server to avoid alert spam from a specific IP: 2 MYIP Ignoring ip

[ossec-list] Re: OSSEC 2.9.2 Slack integration integrity check alert no hostname

2017-09-11 Thread Fredrik Hilmersson
Update: I'm aware that the ossec,syscheck alert does state the hostname; however, when performing multiple updates/upgrades on several agents, it's rather hard to keep track of which alert belongs to which ossec/syscheck. On Monday, 11 September 2017 at 13:56:41 UTC+2, Fredrik Hilmersson wrote

[ossec-list] OSSEC 2.9.2 Slack integration integrity check alert no hostname

2017-09-11 Thread Fredrik Hilmersson
Hello, I'm wondering if it would be possible to do a small update to the ossec-slack integration to report which host the integrity check reports from. Today an alert message looks like: Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).' Integrity checksum

[ossec-list] Source Leak Scan Increase(?)

2018-09-07 Thread Fredrik Hilmersson
Hello, I noticed recently that my cloud servers have got increased requests for a long range of php files from the same source IP. In case I'm not the only one, I started to collect the page requests into a list. However, I've seen that some of the requests get caught, for instance by PSAD, and matching

Re: [ossec-list] PSAD rule include error

2018-08-31 Thread Fredrik Hilmersson
Hello Dan, well that solved it! I added the rule at the top of the list, adding it where you suggested (in your conf), and no issues. Thanks for the response as always! On Thursday, 30 August 2018 at 13:19:17 UTC+2, dan (ddpbsd) wrote: > > On Thu, Aug 30, 2018 at 4:11 AM Fredrik Hilm

[ossec-list] PSAD rule include error

2018-08-30 Thread Fredrik Hilmersson
Hello, the ruleset psad_rules.xml which is included in the 3.0.0 version is not by default included in the ossec.conf file. When I add the include: psad_rules.xml within the I get the following error: ossec-testrule: INFO: Reading local decoder file. rules_list: Category '1' not found.

[ossec-list] Re: Source Leak Scan Increase(?)

2018-09-25 Thread Fredrik Hilmersson
"Mozilla/5.0" IP - - [24/Sep/2018:14:10:36 +0200] "GET /log.php HTTP/1.1" 404 162 "-" "Mozilla/5.0" IP - - [24/Sep/2018:14:10:36 +0200] "GET /hell.php HTTP/1.1" 404 162 "-" "Mozilla/5.0" IP - - [24/Sep/2018:14:10:37 +0200] "GET /pmd_