Re: [ossec-list] Re: Overriding composite rule (18152)

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 5:02 PM, alsdks als...@gmail.com wrote: try that 18152 rule again in your local rules with overwrite=yes option , to overwrite the original rule and see how it goes . (WARNING: I do not know if this will work! Try it, see if it works. Or not.) Combined with the above,

Re: [ossec-list] Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 11:01 AM, Jon Bayless fbjbayl...@gmail.com wrote: Here are the alerts I get from ossec, so I know it sees the attacks and the level is 10 so it should be taking action. I have the active-response set for anything over level 8 I think: Check. ;) Rule: 40111 fired

Re: [ossec-list] Decoding log

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 7:59 AM, kumaig goj...@gmail.com wrote: I have tried for a few weeks to decode one magento log with no luck. I have searched more than 2 weeks for a solution for this problem. If anyone can help, I appreciate it. The log is: 2011-12-28T08:30:59+00:00 CRIT Not valid

Re: [ossec-list] day of decoder problems

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 2:49 PM, Kat uncommon...@gmail.com wrote: What am I missing - it just keeps firing on the windows-date-format -- so frustrating, it must be simple, I am just blind today: Either put it before the windows-date-format decoder or make it a child of that decoder. Logentry:

Re: [ossec-list] Multiple Failed login thresholds (rule 5720).(SSHD,TELNET,etc)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 5:03 AM, alsdks als...@gmail.com wrote: Hello list, Some systems , in syslog logging , tend to group same messages to save space and load. For example Solaris logs failed ssh logins to syslog but issues an event that says that the last message repeated x times, like :

Re: [ossec-list] Segfaults with overwrite

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller ogmuel...@gmail.com wrote: If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below): <group name="apache,"> <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes"> <!--

Re: [ossec-list] Question - Crafting a rule to send a separate email to a paging device

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 4:21 PM, Peter M Abraham peter.abra...@dynamicnet.net wrote: Good day: Given the following rule <rule id="18" level="11"> <if_sid>18107</if_sid> <match>Logon Type: 10</match> <description>Windows RDP Login.</description> <group>authentication_success,</group> </rule>

Re: [ossec-list] OSSEC server No Daily Reports

2012-02-02 Thread dan (ddp)
On Tue, Jan 31, 2012 at 8:42 PM, Macus macu...@gmail.com wrote: I have setup a daily report like below for the syscheck. It is supposed to have the report delivered to my mailbox? The syscheck is scheduled daily at 20:00 <reports> <category>syscheck</category> <title>OSSEC Daily Report: File

Re: [ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 4:56 AM, Marcos Tang marcostang2...@yahoo.com wrote: Hi OSSEC users and Dan High-level background of my current setup: - Several OSSEC servers are running on Solaris - OSSEC agents are running on Solaris and reporting to the above OSSEC servers - Running

Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 9:34 AM, Jon Bayless fbjbayl...@gmail.com wrote: How can i determine if the IP is properly decoded? With the ossec-logtest program? Here is the output I get from that: ossec-testrule: Type one log per line. Feb  1 09:02:41 server1 ipop3d[39710]: Login failed

Re: [ossec-list] Re: day of decoder problems

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 9:42 AM, Kat uncommon...@gmail.com wrote: I always wondered about that - shouldn't anything in Local... get processed before the built-in? I did have a feeling it was order dependent, and I took the route of making the rules decoded_as - windows_date_format and

Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 10:34 AM, Jon Bayless fbjbayl...@gmail.com wrote: Well with that custom decoder it matches the decoder now. I will try it and see if it actually catches and blocks the source IPs now. Is there any way to test whether it is decoding that source IP and will be able to

Re: [ossec-list] Issue modifying the severity for changes to specific files or directories

2012-02-06 Thread dan (ddp)
On Fri, Feb 3, 2012 at 9:19 AM, alsdks als...@gmail.com wrote: Hello again, I followed the steps to configure a rule that will generate a higher severity alert for specific files and noticed that it works for the first change detected but not for the second and beyond .For example the rule

Re: [ossec-list] Segfaults with overwrite

2012-02-06 Thread dan (ddp)
On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller ogmuel...@gmail.com wrote: I definitely get a segfault though and I clear out my local rules. There was nothing in there except this group with one rule. Is it an Ubuntu problem then? I don't remember having any issues with Ubuntu, but that VM

Re: [ossec-list] Re: Multiple Failed login thresholds (rule 5720).(SSHD,TELNET,etc)

2012-02-06 Thread dan (ddp)
, but I can never remember for sure (and I can't test at the moment). Thank you BR On Feb 2, 3:21 pm, dan (ddp) ddp...@gmail.com wrote: On Thu, Feb 2, 2012 at 5:03 AM, alsdks als...@gmail.com wrote: Hello list, Some systems , in syslog logging , tend to group same messages to save space

Re: [ossec-list] fts or first-time cache in decoder syntax

2012-02-06 Thread dan (ddp)
On Thu, Feb 2, 2012 at 3:53 PM, tao_zhyn taoz...@gmail.com wrote: I was reviewing the windows decoder and noticed <fts>name, location, user, system_name</fts>. I could not find any reference in the documentation as to what this was for. I finally found a reference to it in one of the

Re: [ossec-list] Ossec agent errors on Windows (1107 - 1124)

2012-02-06 Thread dan (ddp)
On Fri, Feb 3, 2012 at 8:04 AM, alsdks als...@gmail.com wrote: Hello list, Windows Ossec agent, default ossec.conf configuration, spits out a lot of errors. I believe others have noticed it as well but I could not find a related post. I was wondering if someone knew what they mean and how

Re: [ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged

2012-02-06 Thread dan (ddp)
On Fri, Feb 3, 2012 at 1:15 AM, Marcos Tang marcos.t...@gmail.com wrote: Hi Dan, Refer to my previous email, I have the following findings. * Output from the OSSEC server * [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f

Re: [ossec-list] Re: Decoding log

2012-02-06 Thread dan (ddp)
On Thu, Feb 2, 2012 at 11:11 AM, kumaig goj...@gmail.com wrote: it does not work with T either :( Have you tried feeding it through ossec-logtest? The date may be getting decoded out. On 2 Feb, 14:07, dan (ddp) ddp...@gmail.com wrote: On Wed, Feb 1, 2012 at 7:59 AM, kumaig goj...@gmail.com

Re: [ossec-list] Re: OSSEC server No Daily Reports

2012-02-06 Thread dan (ddp)
. No report mean no alert? Possibly. Run it manually and check. Also check for report temporary files (.reportSOMETHING or something like that, somewhere in /var/ossec, I can't remember specifics and can't check at the moment). On Feb 2, 9:04 PM, dan (ddp) ddp...@gmail.com wrote: On Tue, Jan 31, 2012

Re: [ossec-list] Re: Overriding composite rule (18152)

2012-02-06 Thread dan (ddp)
are using windows 2003 and windows 7.    -- See: http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/    -- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD On Feb 2, 6:18 am, dan (ddp) ddp...@gmail.com wrote: On Wed, Feb 1

Re: [ossec-list] ossec newbie, increasing threshold for failed http login and unblock blocked ip

2012-02-06 Thread dan (ddp)
On Sun, Feb 5, 2012 at 12:56 PM, lucas kauffman lucas.kauff...@gmail.com wrote: Hello, I'm quite new to OSSEC, and there are two things I can't find out: How do I increase the frequency of the rule when someone is blocked because of a 400 error (failed to login through htaccess in Apache2).

Re: [ossec-list] Re: auto_ignore mechanism

2012-02-06 Thread dan (ddp)
'2': 3374167-3023424 (89%) 2012/01/30 20:03:17 ossec-syscheckd: INFO: Starting syscheck scan. 2012/01/30 22:38:21 ossec-syscheckd: INFO: Ending syscheck scan. On Jan 30, 11:39 PM, dan (ddp) ddp...@gmail.com wrote: On Mon, Jan 30, 2012 at 5:02 AM, Macus macu...@gmail.com wrote: in the OSSEC

Re: [ossec-list] Re: Decoding log

2012-02-06 Thread dan (ddp)
</order> </decoder> But with this log format no luck. 2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/ default/template/exacttarget/top_sub.phtml no luck... Thanks dan for quick response. On Feb 6, 12:39 pm, dan (ddp) ddp...@gmail.com wrote: On Thu, Feb 2, 2012 at 11:11 AM

Re: [ossec-list] Syscheck ignore rule not applied

2012-02-06 Thread dan (ddp)
On Mon, Feb 6, 2012 at 12:48 PM, Julien Vehent juli...@aweber.com wrote: I'm using report_changes on a lot of directories, and to avoid having large diff queues, I ignore a bunch of files I don't care about. I'm having issues with the regex on an ignore rule. The files are in /tmp as follow:  

Re: [ossec-list] Re: OSSEC server No Daily Reports

2012-02-07 Thread dan (ddp)
them to be more effectively. On Feb 6, 3:46 am, dan (ddp) ddp...@gmail.com wrote: On Thu, Feb 2, 2012 at 8:53 PM, Macus macu...@gmail.com wrote: ... means Ellipsis. I think the syntax is valid, because I have received the report daily for over a month. However, I couldn't receive

Re: [ossec-list] Re: Issue modifying the severity for changes to specific files or directories

2012-02-07 Thread dan (ddp)
changed</description> </rule> Thank you On Feb 6, 1:57 pm, dan (ddp) ddp...@gmail.com wrote: On Fri, Feb 3, 2012 at 9:19 AM, alsdks als...@gmail.com wrote: Hello again, I followed the steps to configure a rule that will generate a higher severity alert for specific files and noticed

Re: [ossec-list] Log file monitoring

2012-02-07 Thread dan (ddp)
On Tue, Feb 7, 2012 at 5:40 AM, alsdks als...@gmail.com wrote: Hello list, I have a question about OSSEC log file monitoring. I have configured OSSEC to monitor a log file which I populate with the output of a script. I have also created accompanying decoder and alert rules. How does the

Re: [ossec-list] Re: Question - Crafting a rule to send a separate email to a paging device

2012-02-07 Thread dan (ddp)
On Tue, Feb 7, 2012 at 8:39 AM, Peter M Abraham peter.abra...@dynamicnet.net wrote: Hi Dan: Thank you for your time and input. The ignore is not working; I get paged on all RDP logins. Here is the Windows event log. ** Alert 1328621405.259824: mail  - windows,authentication_success, 2012

Re: [ossec-list] OSSEC Email Notification from /var/log/message

2012-02-08 Thread dan (ddp)
It'll be tough to help if you XXX all the logs. Create a rule to ignore messages you don't want to see. In this case <if_sid>1002</if_sid> and <match>XXX</match> On Feb 8, 2012 10:37 AM, culley yel...@gmail.com wrote: So I have Nagios as well OSSEC on the same system and because OSSEC is set to check

Re: [ossec-list] OSSEC Email Notification from /var/log/message

2012-02-08 Thread dan (ddp)
Sent from my iPhone 4 On 8 Feb 2012, at 15:40, dan (ddp) ddp...@gmail.com wrote: It'll be tough to help if you XXX all the logs. Create a rule to ignore messages you don't want to see. In this case <if_sid>1002</if_sid> and <match>XXX</match> On Feb 8, 2012 10:37 AM, culley yel...@gmail.com wrote

[ossec-list] full_command examples

2012-02-08 Thread dan (ddp)
Does anyone have any interesting full_command examples they want to share? I'd love to include a few in the documentation. So if you have anything new and unique let's see it! I'm especially looking for Windows examples. I don't really have anything applicable to Windows except a basic netstat.

Re: [ossec-list] Syscheck agent.conf multiple start times

2012-02-10 Thread dan (ddp)
On Thu, Feb 9, 2012 at 3:04 PM, BP9906 crazi...@gmail.com wrote: Is it possible to have multiple start times for Syscheck? I tried <scan_time>05:00,11:00,18:00</scan_time> but the ossec agent complains about it. I'm going to try <scan_time>05:00</scan_time> <scan_time>11:00</scan_time>

Re: [ossec-list] backward compatible?

2012-02-14 Thread dan (ddp)
It will generally work, as long as the manager is a higher version. You should test it with your configurations before putting it in place. On Tue, Feb 14, 2012 at 6:06 AM, Christian Gebler cgeb...@tcsgmbh.de wrote: Hello, I want to upgrade my OSSEC Server from version 2.5 to 2.6.! There are

Re: [ossec-list] ossec not decoding as expected on a vmware/esx logfile

2012-02-14 Thread dan (ddp)
On Mon, Feb 13, 2012 at 3:25 PM, sem...@hellyeah.com wrote: I have an ESX server sending syslog to a central log server that has an OSSEC agent running. I configured the agent to read that file: <localfile> <log_format>syslog</log_format>

Re: [ossec-list] report_changes - odd results

2012-02-14 Thread dan (ddp)
I don't know of a specific way to debug this, but I guess you could start by looking at the state files in the queue directory. Match up the time/dates with the diff-less alerts. On Mon, Feb 13, 2012 at 9:05 AM, Kat uncommon...@gmail.com wrote: Hi all.. Here is an odd one. I have a folder with

Re: [ossec-list] agent-auth not working - internal error

2012-02-14 Thread dan (ddp)
How are you running ossec-authd? Do you need the -D /opt/ossec flag for agent-auth? Is there already an n1dpmmgr2 agent? Maybe check permissions on the client.keys file. On Fri, Feb 10, 2012 at 11:32 AM, Swartz, Patrick H patrick.swa...@firstdata.com wrote:   Hi All   I ran across an issue

Re: [ossec-list] Re: Syscheck agent.conf multiple start times

2012-02-14 Thread dan (ddp)
time for me should be sufficient, but others might not like a whole hour. On Feb 10, 5:34 am, dan (ddp) ddp...@gmail.com wrote: On Thu, Feb 9, 2012 at 3:04 PM, BP9906 crazi...@gmail.com wrote: Is it possible to have multiple start times for Syscheck? I tried <scan_time>05:00,11:00,18:00

Re: [ossec-list] ossec not decoding as expected on a vmware/esx logfile

2012-02-14 Thread dan (ddp)
Use the parent decoder's name. On Feb 14, 2012 4:38 PM, sem...@hellyeah.com wrote: On Tue, Feb 14, 2012 at 10:08:18AM -0500, dan (ddp) wrote: Shouldn't this match the 'esxi-state-transition' decoder as well? It looks like it does. status and action are both decoded, so unless that's

Re: [ossec-list] Getting CDB lists to work

2012-02-15 Thread dan (ddp)
On Wed, Feb 15, 2012 at 12:39 AM, Bob Zscharnagk bob.zscharn...@gmail.com wrote: Andy, I'm not Andy, I hope it's ok that I'm replying. If not, consider contacting Andy privately. I hope you don't mind if I ask a question regarding getting CDB list lookups to work as you seem to have it set

Re: [ossec-list] ossec not decoding as expected on a vmware/esx logfile

2012-02-15 Thread dan (ddp)
On Wed, Feb 15, 2012 at 10:29 AM, sem...@hellyeah.com wrote: On Tue, Feb 14, 2012 at 04:47:40PM -0500, dan (ddp) wrote:    Use the parent decoder's name. Oh.  My troubles are over, dude:        **Phase 3: Completed filtering (rules).                Rule id: '100090'                Level

[ossec-list] Re: How to change/add drive for monitoring on windows agent - ossec.conf

2012-02-21 Thread dan (ddp)
Crap, sent this privately instead of to the list. On Tue, Feb 21, 2012 at 4:57 PM, Love Vish lov3v...@gmail.com wrote: Hi All, I want to change/add drive for monitoring on window agent -ossec.conf. For example - by default we have below directory for monitoring !-- Default files to be

Re: [ossec-list] Re: OSSEC 2.6 Compile on OSX Lion (10.7.x)

2012-02-21 Thread dan (ddp)
Have you tried using gcc? Hopefully apple will fix llvm soon... On Tue, Feb 21, 2012 at 4:34 PM, Patrick smkym...@gmail.com wrote: It's been a while since this thread was started but has anyone been able to compile OSSEC on Lion?  The one server I have running Lion is our web server and I feel

Re: [ossec-list] OSSEC install scripts not adding users on Lion (Mac OS X 10.7)

2012-02-24 Thread dan (ddp)
Thanks for the report. I've changed it in my testing tree. On Thu, Feb 23, 2012 at 1:33 PM, Patrick smkym...@gmail.com wrote: There is a very minor issue with both the InstallServer.sh and InstallAgent.sh scripts in the src directory.  Neither have had the grep expression updated to include

Re: [ossec-list] Enhancement: check decoders/rules config before restarting

2012-02-24 Thread dan (ddp)
Do any other daemons do this? On Thu, Feb 23, 2012 at 6:07 AM, Florian Crouzat gen...@floriancrouzat.net wrote: Hi list, I think ossec could benefit from checking its decoder and rules consistency before stopping the daemon and failing to start when doing /etc/init.d/ossec-hids restart (using

[ossec-list] Re: How to change/add drive for monitoring on windows agent - ossec.conf

2012-02-24 Thread dan (ddp)
On Wed, Feb 22, 2012 at 3:33 AM, Love Vish lov3v...@gmail.com wrote: Hi Dan, I am sorry I wasn't aware that this topic has to be private, But I really appreciate your revert. <!-- My defined drive to be monitored. --> <alert_new_files>yes</alert_new_files> <directories check_all="yes">F:\download

Re: [ossec-list] ossec-remoted rejecting any IP address entry in client.keys file

2012-02-24 Thread dan (ddp)
On Fri, Feb 17, 2012 at 5:59 PM, Ross Oliver roli...@box.com wrote: Greetings, I am having difficulty using  the agent self-registration process using ossec-authd and agent-auth utilities. I am using OSSEC 2.6 on CentOS 5. When an agent registers, ossec-authd adds a new entry to the

Re: [ossec-list] Solaris8 compile issue

2012-02-24 Thread dan (ddp)
On Thu, Feb 16, 2012 at 6:09 PM, Swartz, Patrick H patrick.swa...@firstdata.com wrote: My apologies for posting w/o a subject line... Patrick Swartz -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Swartz, Patrick H Sent:

Re: [ossec-list] Push the keys script - Errors

2012-02-24 Thread dan (ddp)
On Thu, Feb 16, 2012 at 1:51 PM, AlexD alex.demit...@gmail.com wrote: Hi, I have made a script to grab the keys from the HIDS server and push it out to the client to automate the installation process. Here is the script: #!/bin/bash usage(){    echo Usage: $0 hostname    exit 1 } [[ $#

Re: [ossec-list] Integrity checksum changed

2012-02-24 Thread dan (ddp)
On Tue, Feb 14, 2012 at 8:54 PM, Macus macu...@gmail.com wrote: I am using OSSEC 2.6 server + agents on Centos 5.3 64bits. I have a issue about the Integrity checksum changed alert delayed over 1 day. For example, I modified a file in a machine last Fri, but the OSSEC server alert me the

Re: [ossec-list] agent-auth not working - internal error

2012-02-24 Thread dan (ddp)
@googlegroups.com] On Behalf Of dan (ddp) Sent: Tuesday, February 14, 2012 9:18 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] agent-auth not working - internal error How are you running ossec-authd? Do you need the -D /opt/ossec flag for agent-auth? Is there already an n1dpmmgr2

Re: [ossec-list] Logging checksum change details to Syslog

2012-02-24 Thread dan (ddp)
Nope, not at the moment. On Fri, Feb 24, 2012 at 9:24 AM, Weezel mcwee...@gmail.com wrote: I have a log collection/correlation engine running on a centralized rsyslog server.  I have configured ossec to log to a local rsyslog forwarder in the syslog_output stanza of the server's ossec.conf and

Re: [ossec-list] Did the WUI ever get fixed?

2012-02-29 Thread dan (ddp)
http://www.amazon.com/PHP-5-Dummies-Janet-Valade/dp/0764541668/ref=sr_1_3?ie=UTF8qid=1330513166sr=8-3 Alternatively, how much is this worth to you? On Tue, Feb 28, 2012 at 4:05 AM, PJG slt...@hotmail.co.uk wrote: All, I saw a post back to last year about the WUI not displaying logs

Re: [ossec-list] Can anyone explain the syntax of the file /opt/ossec/queue/syscheck?

2012-02-29 Thread dan (ddp)
On Wed, Feb 29, 2012 at 12:55 AM, Marcos Tang marcos.t...@gmail.com wrote: Hi, I find my OSSEC server keeps reporting a file is changed. I checked that file's checksum and timestamp and nothing has changed, as far as I can tell. When I try to see what is going on inside the file

Re: [ossec-list] Whitelist per agent?!

2012-02-29 Thread dan (ddp)
It's a global setting. You can work around this in the active response script. On Tue, Feb 28, 2012 at 9:03 AM, Jakov Sosic jakov.so...@gmail.com wrote: Hi I'm using server-client setup, with activeresponse. But I would like to whitelist some IP's only on some agents. Is that possible? I've

Re: [ossec-list] strange error

2012-02-29 Thread dan (ddp)
On Tue, Feb 28, 2012 at 8:47 AM, jjj092353 jjj092...@gmail.com wrote: I have ossec running on about 20 linux boxes and only one of the boxes (they're all Centos 5.4 or higher) throws this error. I sometimes get this error every 10 minutes. How do I change the parameter to stop the errors or

Re: [ossec-list] Agentless Monitoring on a website that is on 1 and 1 with limited shell account

2012-02-29 Thread dan (ddp)
On Sat, Feb 25, 2012 at 8:54 PM, Joe Corea joecorea1...@gmail.com wrote: I have been trying to get the agentless monitoring with our shell account that 1 and 1. They allow a stripped down shell access. I have done all the steps in the user guide and got ssh to work correctly using the

Re: [ossec-list] Re: Did the WUI ever get fixed?

2012-03-01 Thread dan (ddp)
On Thu, Mar 1, 2012 at 5:54 AM, PJG slt...@hotmail.co.uk wrote: It's open source if you consume less than 500MB of logs per day, and I believe per instance. No it isn't. It doesn't cost anything up to 500MB of logs per day (with reduced functionality). Hence if you deploy directly onto your

Re: [ossec-list] Re: CheckPoint Firewall-1 decoder and rules

2012-03-01 Thread dan (ddp)
It must be nice to have people do your work for you. On Thu, Mar 1, 2012 at 3:06 AM, C. L. Martinez carlopm...@gmail.com wrote: On Wed, Feb 29, 2012 at 4:52 PM, Viktor Gazdag woodsp...@gmail.com wrote: Hi! I made quickly this decoder and after that, you can see the ossec-logtest output! The

Re: [ossec-list] OSSEC Space Requirements?

2012-03-01 Thread dan (ddp)
On Thu, Mar 1, 2012 at 9:36 AM, Megerman, Joshua joshua.meger...@iwco.com wrote: (I originally sent this to ossec-l...@ossec.net, but that appears to be the wrong address since I don’t see it posting to this list.  Apologies if this ends up being a duplicate post.) I’ve been asked to set up

Re: [ossec-list] OSSEC Space Requirements?

2012-03-01 Thread dan (ddp)
On Thu, Mar 1, 2012 at 12:15 PM, Megerman, Joshua joshua.meger...@iwco.com wrote: From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Most of the data OSSEC stores is stored in plain text. Excellent - that's much easier to maintain periodically

Re: [ossec-list] Reporting all actions that comes from firewall logs

2012-03-05 Thread dan (ddp)
On Mon, Mar 5, 2012 at 4:26 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all, I am trying to report all actions made by some CheckPoint Firewalls. After adjusting my decoder, I am trying to write some rules to match all logged firewall actions like: Drop, Accept, Session Auth, etc...

Re: [ossec-list] Reporting all actions that comes from firewall logs

2012-03-05 Thread dan (ddp)
I should probably mention that I think the -a flag for ossec-logtest will give you OSSEC alert log output. Redirect that to a file or possibly to ossec-reportd, and you should probably get what you're after. On Mon, Mar 5, 2012 at 5:48 AM, dan (ddp) ddp...@gmail.com wrote: On Mon, Mar 5, 2012

Re: [ossec-list] Reporting all actions that comes from firewall logs

2012-03-05 Thread dan (ddp)
On Mon, Mar 5, 2012 at 6:09 AM, C. L. Martinez carlopm...@gmail.com wrote: On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) ddp...@gmail.com wrote: I should probably mention that I think the -a flag for ossec-logtest will give you OSSEC alert log output. Redirect that to a file or possibly to ossec

Re: [ossec-list] Using more than one option under decoded_as param

2012-03-06 Thread dan (ddp)
I don't know, you should try it. But if you have the if_sid defined, the decoded_as might not matter as much. Try testing without the decoded_as option also. On Tue, Mar 6, 2012 at 4:58 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all,  Is it possible to add more than one option in

Re: [ossec-list] convert local linux to server install

2012-03-06 Thread dan (ddp)
The ossec-control script is different for the server version. You'll need to install that at a minimum. You may also need to install other ossec-* binaries. It might be easier to re-install the server version over the local version. Run install.sh and when it asks if you want to upgrade say no.

Re: [ossec-list] convert local linux to server install

2012-03-06 Thread dan (ddp)
On Tue, Mar 6, 2012 at 6:48 AM, dan (ddp) ddp...@gmail.com wrote: The ossec-control script is different for the server version. You'll need to install that at a minimum. You may also need to install other ossec-* binaries. It might be easier to re-install the server version over the local

Re: [ossec-list] syscheck update

2012-03-06 Thread dan (ddp)
On Mon, Mar 5, 2012 at 7:01 PM, Stephane Rossan sros...@netflix.com wrote: Hello, I would like to update the internal syscheck database, used in my OSSEC local deployment. What is the best way? Run a syscheck scan? I use the same system image everywhere, and would like to get a new syscheck

Re: [ossec-list] Ossec Windows rules 18111

2012-03-06 Thread dan (ddp)
Out of curiosity, can you provide a log message? On Mon, Mar 5, 2012 at 11:20 AM, Hugo Deprez hugo.dep...@gmail.com wrote: Dear community, I do have a mail each time a user connects to a windows server. I get an alert with regards to : Rule: 18111 fired (level 8) - User account changed.

Re: [ossec-list] two interfaces

2012-03-06 Thread dan (ddp)
I may be way off base here, but shouldn't the system's routing take care of this? On Mon, Mar 5, 2012 at 1:29 PM, Michael Barrett michael_barr...@mgic.com wrote: I have a RH 5 box with two interfaces on different subnets The interface that the key is on works fine but the other interface is

Re: [ossec-list]

2012-03-06 Thread dan (ddp)
What else did you change? I don't think anything in the configuration snippet you posted should affect this. On Mon, Mar 5, 2012 at 4:33 PM, Swartz, Patrick H patrick.swa...@firstdata.com wrote:   Hi All, I need a second set of eyes.  For some reason I can't seem to get Ossec to generate

Re: [ossec-list] WARN: Problem receiving message from

2012-03-06 Thread dan (ddp)
On Tue, Mar 6, 2012 at 1:59 PM, Scott Mace scottym...@gmail.com wrote: I've seen this issue raised before, but never answered.  There is a firewall between the agent and server, but proper access lists are in place.  I used netcat to verify communication is working fine both ways, for udp port

Re: [ossec-list] WARN: Problem receiving message from

2012-03-06 Thread dan (ddp)
, if anyone has been able to get 2.6 working correctly and fully integrated in Ossim/AlienVault, I'm all ears! Scott On Tue, Mar 6, 2012 at 1:16 PM, dan (ddp) ddp...@gmail.com wrote: On Tue, Mar 6, 2012 at 1:59 PM, Scott Mace scottym...@gmail.com wrote: I've seen this issue raised before, but never

Re: [ossec-list] how to monitor /home/*/.ssh/authorized_keys file?

2012-03-08 Thread dan (ddp)
Syscheck /home/*/.ssh, and write a rule to ignore everything in that dir, then write a rule to alert on the authorized_keys file. On Mar 8, 2012 12:07 PM, Michael Zoet michael.z...@zoet.de wrote: Hi to all, I am new to the list and I am using OSSEC for a few weeks in a 70 server environment
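One way to implement the "ignore the directory, then re-alert on the one file" pattern Dan describes, as an added example that is not part of the original post and is not OSSEC's own ruleset. It assumes /home is already in the agent's syscheck <directories> list, that syscheck events reach the manager as rules 550 (checksum changed), 553 (deleted) and 554 (new file), and that IDs 100100 and 100101 are free in local_rules.xml. The level-0 parent silences every syscheck alert whose path contains /.ssh/; its child is only evaluated when the parent matched, narrows to authorized_keys and sets a high level again. In OSSEC the deepest matching rule is the one that fires, so the child's level wins over the parent's level 0.

```xml
<!-- Added example for local_rules.xml; not from the original post or the
     OSSEC project. Assumptions: /home is monitored by syscheck, syscheck
     alerts arrive as rules 550/553/554, ids 100100 and 100101 are unused. -->
<group name="local,syscheck,">

  <!-- Parent: any syscheck alert whose message contains "/.ssh/".
       Level 0 means "do not alert, do not e-mail".
       <match> is a plain substring test, not a regex. -->
  <rule id="100100" level="0">
    <if_sid>550,553,554</if_sid>
    <match>/.ssh/</match>
    <description>Ignore changes under ~/.ssh (authorized_keys handled by child rule).</description>
  </rule>

  <!-- Child: reached only when 100100 matched. Narrows to authorized_keys
       (substring, so authorized_keys2 is covered as well) and restores a
       level high enough to alert and mail. -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <match>/.ssh/authorized_keys</match>
    <description>SSH authorized_keys added, changed or removed.</description>
    <group>syscheck,</group>
  </rule>

</group>
```

To check it on a test agent after restarting the manager: touch a file such as ~/.ssh/known_hosts for a test user and confirm nothing appears in alerts.log after the next scan, then append a line to ~/.ssh/authorized_keys and confirm a rule 100101 alert (its message contains the full path, e.g. Integrity checksum changed for: '/home/alice/.ssh/authorized_keys') is raised.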

Re: [ossec-list] filter windows events

2012-03-08 Thread dan (ddp)
Yep, just write rules to ignore what you don't want to see. On Mar 8, 2012 12:07 PM, Michael Barrett michael_barr...@mgic.com wrote: Is there a way to configure the ossec agent to ignore specific windows events? I have an application that is mis-behaving and its creating ossec alerts for

Re: [ossec-list] Patch to os_lib_alerts.php, function ereg_replace is deprecated on PHP 5.3.0

2012-03-15 Thread dan (ddp)
I have a bitbucket with some of the offered patches so far. I haven't had time to do much else though (including actually testing the changes). https://bitbucket.org/ddpbsd/ossec-wui On Thu, Mar 15, 2012 at 9:40 AM, Daniel Cid daniel@gmail.com wrote: Hey, Can you send this patch with -U

Re: [ossec-list] Exporting Encryption Keys

2012-03-15 Thread dan (ddp)
The exported key is encoded (base64?), the client.keys entries are raw. If you look at the keys file on a configured agent it will look more like the client.keys entries than the exported version. On Thu, Mar 15, 2012 at 9:55 AM, karl_h...@ohionational.com wrote: If I open the client.keys files

Re: [ossec-list] Turn off rule?

2012-03-15 Thread dan (ddp)
You can generally create rules to ignore logs you don't care about. In the case of 18154, you should look at the collected log messages and create rules to ignore the individual ones you don't want to see. If you keep them from firing 18103 alerts, then 18154 won't be triggered. On Thu, Mar 15,
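The ignore-rule pattern Dan describes here and in the /var/log/message (Nagios) thread above, as an added example that is not from either post and not from the OSSEC project. The two strings inside <match> and the IDs 100300 and 100301 are made up for the example; replace the strings with a fixed substring taken from the real log line you want to drop. The first rule hangs under 1002 (the syslog "bad words" catch-all), the second under 18103; an event that stops at a level-0 child is no longer an 18103 alert, so the composite rule 18154, which counts 18103 alerts, does not advance.

```xml
<!-- Added example for local_rules.xml; not from the original posts or the
     OSSEC project. The <match> strings and ids 100300/100301 are invented. -->
<group name="local,">

  <!-- Child of 1002 ("Unknown problem somewhere in the system"). Only lines
       that already reached 1002 AND contain this substring are silenced;
       everything else 1002 catches still alerts as before. -->
  <rule id="100300" level="0">
    <if_sid>1002</if_sid>
    <match>nagios_check_example: warning: no reply from</match>
    <description>Ignore known-noisy output from the local monitoring job.</description>
  </rule>

  <!-- Child of 18103 ("Windows error event"). Because the final rule for the
       event is now 100301 rather than 18103, the event is not counted by
       18154 (multiple 18103 alerts in a timeframe). -->
  <rule id="100301" level="0">
    <if_sid>18103</if_sid>
    <match>NoisyApp.exe</match>
    <description>Ignore recurring NoisyApp error events (known, harmless).</description>
  </rule>

</group>
```

Verify before restarting: paste the offending line (for Windows, the whole WinEvtLog: line as the agent sends it) into /var/ossec/bin/ossec-logtest and check that Phase 3 ends at rule 100300 or 100301 with Level: '0'; if it still ends at 1002 or 18103, the substring in <match> is not present in the decoded log exactly as written.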

Re: [ossec-list] Problem with a rule, alert is not triggered

2012-03-16 Thread dan (ddp)
On Thu, Mar 15, 2012 at 6:58 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all, I have configured this decoder: <decoder name="custom-decoder"> <prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch> </decoder> <decoder name="custom-decoder-action"> <parent>custom-decoder</parent> <type>firewall</type>

Re: [ossec-list] Custom decoder to pull source IP for rule 18152

2012-03-16 Thread dan (ddp)
On Fri, Mar 16, 2012 at 7:22 AM, Frank Devlin fdevlin2...@yahoo.com wrote: I have been receiving alerts from a Windows 2008 server for rule 18152 (multiple logon failures) and I was wondering why the server was not using active response to blackhole the source IP. I found a few responses on

Re: [ossec-list] syslog output to multiple syslog servers

2012-03-16 Thread dan (ddp)
It's hack-ish, but I run multiple copies of ossec-csyslogd. You can point to an alternate config file with -c. On Mon, Mar 12, 2012 at 1:24 PM, Swartz, Patrick H patrick.swa...@firstdata.com wrote:   Hi All, When using the syslog output, is it possible to send the output to two different

Re: [ossec-list] Custom decoder to pull source IP for rule 18152

2012-03-16 Thread dan (ddp)
<decoder name="windows"> <type>windows</type> <parent>windows</parent> <regex>Security: (\S+)\((\d+)\): (\S+): (\.+): \.+: (\S+): </regex> <order>status, id, extra_data, user, system_name</order> <fts>name, location, user, system_name</fts> </decoder> <decoder name="windows"> <type>windows</type>

Re: [ossec-list] Problem with a rule, alert is not triggered

2012-03-16 Thread dan (ddp)
On Fri, Mar 16, 2012 at 9:58 AM, C. L. Martinez carlopm...@gmail.com wrote: On Fri, Mar 16, 2012 at 1:43 PM, dan (ddp) ddp...@gmail.com wrote: On Thu, Mar 15, 2012 at 6:58 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all, I have configured this decoder: <decoder name="custom-decoder">

Re: [ossec-list] Turn off rule?

2012-03-16 Thread dan (ddp)
On Fri, Mar 16, 2012 at 10:40 AM, Michael Barrett michael_barr...@mgic.com wrote: I tried the rule change below and got an error when I tried to start ossec. -bash-3.2# /etc/init.d/ossec-hids start Starting ossec-hids: 2012/03/16 09:37:46 ossec-testrule: INFO: Reading local decoder file.

Re: [ossec-list] Turn off rule?

2012-03-16 Thread dan (ddp)
My comments show up in my copy and the web copy. On Fri, Mar 16, 2012 at 11:36 AM, Michael Barrett michael_barr...@mgic.com wrote: Dan Did you mean to reply with no comment? Michael Barrett | Information Security Analyst - Lead | Mortgage

Re: [ossec-list] Matching two conditions in a rule or group of rules

2012-03-16 Thread dan (ddp)
On Fri, Mar 16, 2012 at 11:35 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all,  Is it possible to generate an alert when two or one or more conditions are matched in a rule and/or group of rules?? For example, using my previous rule: group name=custfw,  rule id=100200

Re: [ossec-list] Turn off rule?

2012-03-16 Thread dan (ddp)
On Fri, Mar 16, 2012 at 3:37 PM, Michael Barrett michael_barr...@mgic.com wrote: I think your reply got corrupted in my email server?  Was it here where the red box is? That wasn't a corruption, it was pointing out the error in the log messages you posted. It was meant as a hint. I also

Re: [ossec-list] Turn off rule?

2012-03-16 Thread dan (ddp)
information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message. From: dan (ddp) ddp...@gmail.com To: ossec-list@googlegroups.com Date: 03/16/2012 11:32 AM Subject: Re

Re: [ossec-list] Re: Problem with a rule, alert is not triggered

2012-03-17 Thread dan (ddp)
Your last message said everything was working as expected. Is this a glitch in the Matrix or is it still not working? On Mar 17, 2012 7:40 AM, C. L. Martinez carlopm...@gmail.com wrote: Please, any help? On Thursday, March 15, 2012, C. L. Martinez carlopm...@gmail.com wrote: Hi all, I

Re: [ossec-list] not get email alerts

2012-03-21 Thread dan (ddp)
On Mar 21, 2012 6:43 AM, jagruti sangani jugni1sm...@gmail.com wrote: hello all I have installed the ossec as per steps given in the document. But now I got the error in ossec.log like ossec-maild(1223): ERROR: Error Sending email to 192.168.1.23 (smtp server). I have given my email_to as

Re: [ossec-list] not get email alerts

2012-03-21 Thread dan (ddp)
-profileopenbsd-firewall,openbsd-test/config-profile /client On Wed, Mar 21, 2012 at 4:16 PM, dan (ddp) ddp...@gmail.com wrote: On Mar 21, 2012 6:43 AM, jagruti sangani jugni1sm...@gmail.com wrote: hello all I have installed the ossec as per steps given in the document. But now I got the error

Re: [ossec-list] TCP Transport

2012-03-21 Thread dan (ddp)
It's been considered. Playing with tcp is on at least one TODO list. On Tue, Mar 20, 2012 at 9:52 PM, Jeroen C. van Gelderen s...@thegreek.com wrote: Hi, I was wondering if TCP transport (or UDP with ACKs and buffering) has been considered instead of the current UDP-based communication

Re: [ossec-list] How to Set up a Sonicwall in OSSEC

2012-03-21 Thread dan (ddp)
On Tue, Mar 20, 2012 at 5:44 PM, Michael Scott ms.thenetwor...@gmail.com wrote: Greetings! I'm having some difficulty trying to set up a Sonicwall to be monitored by OSSEC. Here's what I've done so far: 1. Set the Sonicwall to send syslog messages to the OSSEC server on port 514. 2.

Re: [ossec-list] Source to use?

2012-03-21 Thread dan (ddp)
I generally use the development code. On Mon, Mar 19, 2012 at 8:07 PM, Phil Cox p...@rightscale.com wrote: All, Which source do most use: http://www.ossec.net OR https://bitbucket.org/dcid/ossec-hids Or is the latter just a mirror? Thanks, Phil

Re: [ossec-list] Full output through syslog to GELF interface

2012-03-21 Thread dan (ddp)
2012/3/20 Félix Barbeira fbarbe...@gmail.com: I have a ossec server with several agents. I forward the alerts over level 7 to a logstash instance listening on the port 1515 in another server: syslog_output   serverx.x.x.x/server   level7/level   port1515/port  /syslog_output In this

Re: [ossec-list] How to Set up a Sonicwall in OSSEC

2012-03-21 Thread dan (ddp)
of the agents are listed in the whitelist section, so I added the sonicwall's IP address there as well. I'm going to leave it running with logall set and I'll see if I get any messages. Any other suggestions? Thanks, Mike Scott On Wed, Mar 21, 2012 at 6:47 AM, dan (ddp) ddp...@gmail.com wrote

Re: [ossec-list] Issues with not being able to start OSSEC-REMOTED

2012-03-22 Thread dan (ddp)
On Wed, Mar 21, 2012 at 3:39 PM, MDACC-Luckie luckief...@gmail.com wrote: We have had a very successful deployment of OSSEC so I got really gung- ho and decided to add the final handful of servers and generate keys for them.  I generated keys for about 60 extra servers consecutively. Since

Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread dan (ddp)
Neither are encrypted in OSSEC. On Thu, Mar 22, 2012 at 4:22 PM, Michel Henrique Aquino Santos michel@gmail.com wrote: Hello, I'm doing a paper on university study (Federal University of Lavras - UFLA - www.ufla.br), comparing four tools for checking integrity of files (Tripwire, OSSEC,

Re: [ossec-list] Manager doesn't see agent

2012-03-27 Thread dan (ddp)
Are you sure that isn't how one way agents always show up? I have no idea, I don't like that option. Was the manager updated recently (maybe the one way comms setting has to be set on the manager and someone forgot to set it)? You can try: Turn off the firewall on the manager. Run the manager's

Re: [ossec-list] Problems with ossec-maild

2012-03-27 Thread dan (ddp)
What's your mail configuration in the manager's ossec.conf? I wish ossec was compiled with -ggdb by default. It might make the gdb information a bit easier to follow. On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie luckief...@gmail.com wrote: I increased the number of agents my installation was
