[ossec-list] Re: Trying to create an application whitelist for Windows

2015-03-25 Thread Grant Leonard
Josh, some of these are really amazing. Thank you so much for sharing and posting that. All the best, Grant. On Wednesday, March 25, 2015 at 12:43:29 PM UTC-4, DefensiveDepth wrote: I have been doing some work in the area as well, but with Sysmon logs. Feel free to look over what I have

[ossec-list] Re: ossec-agent installation process automatization on windows

2015-05-15 Thread Grant Leonard
It should be enough, sir. Each agent needs its own key, but once the agent has the key and checks in with the server, it will pick up any custom configurations. All the best. On Thursday, May 14, 2015 at 7:02:32 PM UTC-4, Daniil Svetlov wrote: Hi! I'm trying to update the ossec-agent key on Windows

[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread Grant Leonard
Have you run a tcpdump or ngrep on the server to ensure packets are arriving on UDP port 1514? When the agent is initially restarted, it begins a new dialog with the server and you should be able to see that on the wire. On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote: I

[ossec-list] Re: Rules

2015-06-06 Thread Grant Leonard
You can look up the codes here: http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx and https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 ...you have a 2008 server or newer,

Re: [ossec-list] #*#*#*#*#*# in client.keys on server. Is it hosed?

2015-07-02 Thread Grant Leonard
It is certainly what happens when deleting old agents. This is normal, expected behavior. Check your ossec.log to look for errors with remote agents reporting in. On Wednesday, July 1, 2015 at 8:35:14 PM UTC-4, Michael Starks wrote: On 07/01/2015 04:50 PM, Jon Price wrote: I've had ~1000

[ossec-list] Re: OSSEC Agent Install - Windows

2015-05-21 Thread Grant Leonard
I wasn't aware that agent-auth works in Windows; I know some people have written things to make it work. Here is some code you can try: https://github.com/sedarasecurity/ossec-agent-auth/blob/master/build.sh I am sure there are others out there as well; typically we use a mass deploy script

[ossec-list] Re: SIEM system with OSSEC.

2015-08-08 Thread Grant Leonard
Try AlienVault or OSSIM; they both make good use of OSSEC and add additional tools you will need for detecting the spread of malware. On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote: Hello Experts. How can I launch a SIEM for my local network and find the spread point of

Re: [ossec-list] Re: SIEM system with OSSEC.

2015-08-10 Thread Grant Leonard
are wide open, give it a try! https://www.alienvault.com/products/ossim Grant Leonard Castra Consulting, LLC http://castraconsulting.com/#/ 919-949-4002 On Sun, Aug 9, 2015 at 10:46 AM, 'Jason Long' via ossec-list ossec-list@googlegroups.com wrote: Thank you. Grant , Can you give me more

[ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2015-09-03 Thread Grant Leonard
I haven't seen this directory fill up unless it cannot talk to the server, and even in that case it did not take much disk space. What kind of size are you seeing? On Wednesday, August 19, 2015 at 10:51:26 AM UTC-4, Jamey B wrote: > > I'm making a CRON job to remove anything in the queue folder,

[ossec-list] Re: Windows Server 2012 and automated ossec install

2015-09-17 Thread Grant Leonard
It is possible; our company has successfully pulled it off for another larger corporation. On Wednesday, September 16, 2015 at 8:00:46 AM UTC-4, Chris Spangler wrote: > > Does anyone know if ossec will allow for an unattended install under > Windows Server 2012. It seems like I saw some issues

[ossec-list] Re: Hacker or configuration error ?

2015-11-29 Thread Grant Leonard
Do you have a firewall at all? Are any server ports exposed to the world? Is it always /proc that is full? Where is all the space, and how big is your hard drive? Could it be, given you are running a mail server, simply spam/email that has filled up your hard drive? This doesn't seem related

Re: [ossec-list] Re: Windows Event ID 4625

2015-11-20 Thread Grant Leonard
We addressed this using an OSSIM plugin to read a different part of the alert log. Hope that helps, sir. Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Fri, Nov 20, 2015 at 12:28 PM, Joshua Roback <jrob...@gmail.com> wrote: > I have a dec

[ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Grant Leonard
How can we get the ossec agent to read a localfile that overwrites itself? The CIS-CAT benchmarks write a .txt file which we are reading with "syslog" as the local file. However, when the benchmark tests run, ossec does not appear to re-read the log; it's as if it never gets read again. As it

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-27 Thread Grant Leonard
We will take a stab at it this week and see what we can uncover All the best Grant On Friday, February 24, 2017 at 12:32:02 PM UTC-5, dan (ddpbsd) wrote: > > Any Windows users want to take a look at this? > > On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J. >

Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-27 Thread Grant Leonard
hecking the file inode. > > So if the file is replaced (it is first removed and then re-created, or > your benchmark writes on another log file that then is moved onto the > monitored file) OSSEC should detect it and read it again entirely. > > I hope that it help. > &
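The inode check described in the reply above is what decides whether a rewritten benchmark file gets read again. As an added illustration (this is not OSSEC's logcollector code), here is a small Python follower that tracks (device, inode, offset) the way such a check does, and also handles the two cases an inode-only comparison misses: a file truncated and rewritten in place, and a rewrite that leaves the file at least as long as before. The file name, the sample lines and the 64-byte prefix comparison are constructed for this example.

```python
"""Follow a log file the way an inode-aware collector must: start over when the
file is replaced (new inode), truncated (shorter than what was consumed) or
rewritten in place to the same or greater length (leading bytes changed), and
otherwise hand back only the newly appended complete lines."""
import os
import tempfile


class InodeAwareFollower:
    HEAD = 64  # bytes remembered from the start of the file to spot in-place rewrites

    def __init__(self, path):
        self.path = path
        self.ident = None   # (st_dev, st_ino) of the file last read
        self.offset = 0     # bytes already consumed from that file
        self.head = b""     # first bytes of the file as last seen
        self.events = []    # "replaced" / "truncated" / "rewritten", for inspection

    def poll(self):
        """Return the complete new lines since the previous poll."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []       # removed; wait for it to come back
        ident = (st.st_dev, st.st_ino)
        if ident != self.ident:
            # Different inode: removed and re-created, or another file renamed
            # over it. Everything in it is new to us.
            if self.ident is not None:
                self.events.append("replaced")
            self.ident, self.offset, self.head = ident, 0, b""
        elif st.st_size < self.offset:
            # Same inode but shorter: opened with O_TRUNC and rewritten.
            self.events.append("truncated")
            self.offset, self.head = 0, b""
        with open(self.path, "rb") as fh:
            if self.offset and self.head and fh.read(len(self.head)) != self.head:
                # Same inode, not shorter, but different leading bytes: rewritten
                # in place to at least its old length. Size and inode checks
                # alone would report nothing new here.
                self.events.append("rewritten")
                self.offset, self.head = 0, b""
            fh.seek(self.offset)
            data = fh.read()
        if not self.head:
            self.head = data[:self.HEAD]
        complete, sep, _partial = data.rpartition(b"\n")
        if not sep:
            return []       # no complete line yet; keep the partial for next time
        self.offset += len(complete) + 1
        return complete.decode(errors="replace").split("\n")


def demo():
    """Exercise append, in-place rewrite, truncation and replacement on a temp
    file (constructed input) and return what each poll saw plus the events."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "benchmark.txt")
        f = InodeAwareFollower(path)
        with open(path, "w") as fh:
            fh.write("score=1\nscore=2\n")
        seen = [f.poll()]
        with open(path, "a") as fh:                 # plain append
            fh.write("score=3\n")
        seen.append(f.poll())
        with open(path, "w") as fh:                 # same inode, same 24-byte length
            fh.write("alert=a\nalert=b\nalert=c\n")
        seen.append(f.poll())
        with open(path, "w") as fh:                 # same inode, shorter
            fh.write("score=9\n")
        seen.append(f.poll())
        tmp = path + ".new"
        with open(tmp, "w") as fh:
            fh.write("score=4\nscore=5\n")
        os.replace(tmp, path)                       # new inode
        seen.append(f.poll())
        return seen, f.events


if __name__ == "__main__":
    for lines, in demo()[:1]:
        print(lines)
```

Run it once and compare the returned events list with what a tool that only compares inodes would report: the in-place rewrite of equal length is the case that silently loses data, which matches the behaviour described in the thread when a benchmark tool overwrites its report file.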

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-03-08 Thread Grant Leonard
I am in EST and I absolutely agree with you. I think we should spend no more than 30 minutes looking at your discovery, looking at logs in archives.log, then, as you noted, requesting an enhancement to ensure those log values are sent over by the agent. All the best, Grant Leonard Castra

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-03-13 Thread Grant Leonard
with another "open source windows event agent to syslog" utility, the same issue was present. Grant On Wednesday, March 8, 2017 at 2:49:59 PM UTC-5, Grant Leonard wrote: > > I am in EST and I absolutely agree with you. I think we should spend no > more than 30 minutes lookin

[ossec-list] ossec-agent buffer and/or cache configurations

2017-07-19 Thread Grant Leonard
Two specific questions: Is the amount of logs cached/tracked configurable (specifically for Linux agents) when the agent cannot reach the ossec-server? (Yes, I read the discussion from 2010; I am looking for updated thoughts here.) How, specifically, does the agent handle being down/restarted? For

Re: [ossec-list] How to collect only syscheck and rootcheck logs

2017-09-15 Thread Grant Leonard
I turned them OFF this way. I am assuming you can declare just these options with no logging location and you will have the reverse of my config yes no no yes no no HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG

[ossec-list] Re: regex not working

2017-09-26 Thread Grant Leonard
Out of curiosity, can you post the raw message here? I would like to know what kind of log has "`" in it. All the best On Monday, September 25, 2017 at 4:23:30 AM UTC-4, Robert Necela wrote: > > Hello, i have message with character "`". But i can't write rule with such > character. \. -> For

Re: [ossec-list] Format email output from ossec-reportd and category list

2017-11-09 Thread Grant Leonard
for the existing list Thanks! On Thursday, November 9, 2017 at 8:52:08 AM UTC-5, dan (ddpbsd) wrote: > > On Tue, Nov 7, 2017 at 9:58 AM, Grant Leonard > <gr...@castraconsulting.com > wrote: > > > > Good morning > > > > After the /var/ossec/bin/ossec-report

[ossec-list] Format email output from ossec-reportd and category list

2017-11-07 Thread Grant Leonard
Good morning. After /var/ossec/bin/ossec-reportd runs, the tallies are left-aligned, and when emailed the spacing is not kept from stdout to email. Thus stdout looks like this: Top entries for 'Group': pci_dss_10.6.1

[ossec-list] Re: ossec / alienvault - issues getting application logs to AlienVault

2018-02-06 Thread Grant Leonard
You need to make sure the numbers you picked for your new rules exist in a DS group and that you have the correct translation statements in your .cfg.local file for the plugin. Also, to ensure you get a hit with the rule, your level has to be > 0 to be written to alerts.log. You are closing in, sir!

[ossec-list] Looking for an older OSSEC version, 2.9.1 for MAC OS

2019-01-17 Thread Grant Leonard
Does anyone know where I can find this version, if it even exists? All the best, Grant

Re: [ossec-list] Looking for an older OSSEC version, 2.9.1 for MAC OS

2019-01-18 Thread Grant Leonard
Thank you, sir. This is the source code; I was hoping for binaries, as I am not really awesome at making them for Mac from scratch and I don't use that OS. Thoughts? All the best, Grant. On Thursday, January 17, 2019 at 1:58:49 PM UTC-5, dan (ddpbsd) wrote: > > On Thu, Jan 17, 2019 at 1:48 PM

[ossec-list] Re: Monitoring users logging on and off from Active Directory.

2019-05-31 Thread Grant Leonard
You are going to need to grab logs from the desktop as well, as those have the "unlock" and "lock" instances; many times users remain logged in and you get tons of background authentication noise. You can also marry that with Kerberos ticket requests, but that is a whole next level of noise.
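The point made above, that workstation logs carry the lock/unlock activity while domain-controller and network logons are mostly noise, is easiest to see on a small set of events. The following Python is an added example, not code from the thread or from OSSEC: it builds a per-user session timeline from Windows Security events, keeping interactive logons (4624 with LogonType 2, 10 or 11), lock (4800), unlock (4801 or 4624 with LogonType 7) and logoff (4647, or 4634 for an interactive session), and dropping network/service logons, computer accounts and Kerberos ticket requests (4768). The event records, field names, host names and user names are constructed for the example; the event IDs and logon-type values are the standard Windows ones.

```python
"""Reduce Windows Security events to a per-user logon/lock/unlock/logoff
timeline, discarding background authentication noise."""
from datetime import datetime, timedelta

# 4624 LogonType values that mean a person is at a console or RDP session.
INTERACTIVE = {2: "logon", 10: "logon", 11: "logon", 7: "unlock"}

# Constructed sample: one user's day on a workstation, plus typical noise.
SAMPLE_EVENTS = [
    {"ts": "2019-05-31T08:00:00", "EventID": 4768, "Host": "DC01", "User": "alice", "LogonType": None},      # TGT request on the DC
    {"ts": "2019-05-31T08:00:03", "EventID": 4624, "Host": "WS-ALICE", "User": "alice", "LogonType": 2},     # console logon
    {"ts": "2019-05-31T08:00:05", "EventID": 4624, "Host": "FS01", "User": "alice", "LogonType": 3},         # file share access
    {"ts": "2019-05-31T08:01:00", "EventID": 4634, "Host": "FS01", "User": "alice", "LogonType": 3},         # network session ends
    {"ts": "2019-05-31T09:00:00", "EventID": 4624, "Host": "WS-BOB", "User": "SYSTEM", "LogonType": 5},      # service logon
    {"ts": "2019-05-31T09:05:00", "EventID": 4624, "Host": "DC01", "User": "WS-BOB$", "LogonType": 3},       # computer account
    {"ts": "2019-05-31T09:10:00", "EventID": 4624, "Host": "WS-BOB", "User": "bob", "LogonType": 10},        # RDP logon
    {"ts": "2019-05-31T12:00:00", "EventID": 4800, "Host": "WS-ALICE", "User": "alice", "LogonType": None},  # workstation locked
    {"ts": "2019-05-31T12:05:00", "EventID": 4624, "Host": "FS01", "User": "alice", "LogonType": 3},         # mapped drive reconnect while locked
    {"ts": "2019-05-31T13:00:00", "EventID": 4801, "Host": "WS-ALICE", "User": "alice", "LogonType": None},  # unlocked
    {"ts": "2019-05-31T13:00:00", "EventID": 4624, "Host": "WS-ALICE", "User": "alice", "LogonType": 7},     # same unlock, second event
    {"ts": "2019-05-31T17:30:00", "EventID": 4647, "Host": "WS-ALICE", "User": "alice", "LogonType": None},  # user-initiated logoff
]


def classify(ev):
    """Map one event to a session action, or None when it is background noise."""
    user = ev["User"]
    if user.endswith("$") or user.upper() in {"SYSTEM", "ANONYMOUS LOGON"}:
        return None                          # machine and built-in accounts
    eid = ev["EventID"]
    if eid == 4624:
        return INTERACTIVE.get(ev["LogonType"])  # types 3/4/5/8/9 fall out here
    if eid == 4800:
        return "lock"
    if eid == 4801:
        return "unlock"
    if eid == 4647:
        return "logoff"
    if eid == 4634 and ev["LogonType"] in INTERACTIVE:
        return "logoff"
    return None                              # 4768/4769 ticket requests and the rest


def session_timeline(events, collapse=timedelta(seconds=5)):
    """Return {user: [(datetime, action, host), ...]} in time order. A repeat of
    the previous action on the same host within `collapse` (e.g. 4801 followed
    by 4624/type 7 for one unlock) is folded into a single row."""
    timeline = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        action = classify(ev)
        if action is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        rows = timeline.setdefault(ev["User"], [])
        if rows:
            last_ts, last_action, last_host = rows[-1]
            if (last_action, last_host) == (action, ev["Host"]) and ts - last_ts <= collapse:
                continue
        rows.append((ts, action, ev["Host"]))
    return timeline


if __name__ == "__main__":
    for user, rows in session_timeline(SAMPLE_EVENTS).items():
        for ts, action, host in rows:
            print(f"{ts.isoformat()} {user:<8} {action:<7} {host}")
```

Twelve raw events reduce to five rows: alice's logon, lock, unlock and logoff on her workstation, and bob's RDP logon. Everything the domain controller and the file server saw for alice is dropped, which is the noise the reply warns about; the Kerberos events would only add more of it.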