[ossec-list] Re: evil ip block rules -- why only look for traffic in one direction?

2017-07-11 Thread Ian Brown
Sorry -- wrong mailing list. :) On Tuesday, July 11, 2017 at 11:11:09 AM UTC-7, Ian Brown wrote: > > I've noticed there are lots of rules that look for low reputation ip > addresses .. Rules like this one: > > ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
No effect. I tried dstip too, but I don't think either of those tags contain data due to the decoder used? windows ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): status, id, extra_data, user, system_name name,

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
I believe I've figured it out -- I think the decoder isn't matching the full log string and is thus stripping the ip address information. Also after looking at the regex in the decoder, I've discovered that it doesn't even match against the first three example strings provided: Here's an

[ossec-list] What is the best method to augment an existing decoder?

2017-07-03 Thread Ian Brown
There is a decoder that isn't quite handling some log entries the way I need. I want to augment an existing decoder, but apparently I'm not doing this correctly. Here's an example log entry: 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing:

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread Ian Brown
On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown <zestys...@gmail.com> wrote: Dan, It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso). ./ossec-logtest -V OSSEC HIDS v2.8 - Trend Micro Inc. This program is free software; you can redistribute it and/or modify it under the

Re: [ossec-list] ossec-logtest verbosity levels...

2018-03-14 Thread Ian Brown
Dan, Okay, so say I make two rules. 100014 that uses the first match, and 100015 that uses the second. Is there a way to revert back to 18105 if 100014 matches but 100015 doesn't? On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote: > > > I think this combined the matches,

[ossec-list] What are others doing to manage false positives?

2018-03-14 Thread Ian Brown
Say SO is configured to use Suricata with the Emerging Threats ruleset One of the rules is triggered: ET CNC Zeus Tracker Reported CnC Server group 12 for IP address 199.59.242.150. Now, with RC3, I can highlight the destination IP address in Squert and search for it in Kibana. While in

[ossec-list] ossec-logtest verbosity levels...

2018-03-12 Thread Ian Brown
Is it possible to crank up the verbosity of ossec-logtest so that I can see if individual lines in a rule match? I'm stuck on something that's got me flustered. I've got what I think is a simple rule, but damn if I can get it to work: This is the log entry: 2018 Mar 12 13:14:22 WinEvtLog:

[ossec-list] ossec HIDS 2.9.0 missing "Object Type" field for event id 5140

2018-04-16 Thread Ian Brown
I saw a strange log entry today that seemed to have the information put into some of the wrong fields: 2018 Apr 16 12:11:14 (workstation) 1.1.1.2->WinEvtLog 2018 Apr 16 05:11:10 > WinEvtLog: Security: AUDIT_FAILURE(5140): > Microsoft-Windows-Security-Auditing: (no user): no domain: >

Re: [ossec-list] strange error message from ossec-keepalive

2019-04-04 Thread Ian Brown
I know this is an old thread but when I Googled, this was the top result, so I figured it would be okay to continue the discussion here. I just received this today: OSSEC HIDS Notification. > 2019 Apr 04 12:31:45 > > Received From: server->ossec-keepalive > Rule: 1002 fired (level 2) ->

[ossec-list] OSSEC seems to be dropping alerts...

2019-04-08 Thread Ian Brown
I'm trying to figure out why ossec is sometimes not emailing triggered 31122 alerts. Here's a log entry in ossec's alerts log file: ** Alert 1554150564.41683927: mail - web,accesslog,system_error, > 2019 Apr 01 20:29:24 us-web->/log/jetty/2019_04_01.request.log > Rule: 31122 (level 5) -> 'Web

[ossec-list] Re: OSSEC seems to be dropping alerts...

2019-04-08 Thread Ian Brown
Also, I'm aware of the email_maxperhour setting (12 seems low for a default setting?), however, as you can see in the alert info above, the alert was created a week ago and was never delivered. Is there a command to show the ossec email queue, or a file/folder location I can check? Is there a

Re: [ossec-list] OSSEC seems to be dropping alerts...

2019-04-08 Thread Ian Brown
Yeah, it's on a production server so I can't immediately upgrade that. I just did a search for "ossec-maild" under releases and see that this has been touched quite a bit since my version. I'll push to get a newer version installed by next release. Thanks Dan! On Monday, April 8, 2019 at