I will apply the patches for the web UI. Here are some logs:

** Alert 1342061705.23090023: mail - syslog,asterisk,invalid_login,
2012 Jul 11 22:55:05 (HP22) 209.xx.xx.xx->/var/log/messages
Rule: 6212 (level 10) -> 'Login session failed (invalid extension).'
Jul 11 22:54:47 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '"2"<sip:[email protected]>' failed for '69.xx.xx.xx:13567' - No matching peer found

** Alert 1342061731.23091856: mail - syslog,asterisk,invalid_login,
2012 Jul 11 22:55:31 (HP22) 209.217.109.82->/var/log/messages
Rule: 6212 (level 10) -> 'Login session failed (invalid extension).'
Jul 11 22:55:12 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found

Kind Regards,
Cristian

On Wed, Jul 11, 2012 at 10:43 PM, dan (ddp) <[email protected]> wrote:
> Yeah, it looks like you're using the 0.3 version. It's known to be broken.
> There are patches on the list. Use alerts.log.
>
> On Jul 11, 2012 10:39 PM, "cosmaschi cristian" <[email protected]> wrote:
>
>> Dan,
>>
>> Is this the type of alert you are looking for?
>>
>> Looks like it's still messed up..
>>
>> I just "updated" the web UI to make sure I have the latest version and
>> the alerts are looking the same.
>>
>> 2012 Jul 11 22:29:01 Rule Id: 6212<http://www.ossec.net/wiki/index.php/Rule:6212> level: 10
>> Location: (Hp22) 209.217.109.82->/var/log/messages
>> Src IP: 2:28:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found
>> Login session failed (invalid extension). ** Alert 1342060143.22702224: - syslog,proftpd,connection_attempt,
>> 2012 Jul 11 22:29:03 (Hp17) 209.xx.xx.xx->/var/log/messages
>> Rule: 11201 (level 3) -> 'FTP session opened.'
>> Src IP: 127.0.0.1
>> Jul 11 22:28:44 h17 proftpd[3689]: 209.xx.xx.xx (localhost[127.0.0.1]) - FTP session opened.
>>
>> ps. I'm running the latest ossec version on server and agents.
>>
>> Thanks,
>>
>> On Wed, Jul 11, 2012 at 10:25 PM, cosmaschi cristian <[email protected]> wrote:
>>
>>> The Web UI version I'm using is 0.3
>>>
>>> On Wed, Jul 11, 2012 at 9:58 PM, Ivan Zenteno <[email protected]> wrote:
>>>
>>>> Dan,
>>>>
>>>> Ouch, you just killed me...
>>>>
>>>> Maybe Cristian doesn't know the netiquette in mail lists.
>>>>
>>>> Rules
>>>>
>>>> 2012/7/11 dan (ddp) <[email protected]>
>>>>
>>>>> On Jul 11, 2012 9:43 PM, "cosmaschi cristian" <[email protected]> wrote:
>>>>> >
>>>>> > I see that the rules are being processed, but when I check iptables to see if the host was blocked ... nothing...
>>>>> >
>>>>> > It used to work until 2 days ago...
>>>>> >
>>>>>
>>>>> What changed? What is your configuration? How did you check iptables?
>>>>> Anything in the active response log? Why didn't you include that info?
>>>>>
>>>>> > Results:
>>>>> > Total alerts found: 424
>>>>> >
>>>>> > Alert list
>>>>> > 2012 Jul 11 20:56:00 Rule Id: 6212 level: 10
>>>>> > Location: (Hp22) 209.217.109.82->/var/log/messages
>>>>> > Src IP: 0:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found
>>>>> > Login session failed (invalid extension). ** Alert 1342054561.21049945: - syslog,asterisk,
>>>>> >
>>>>>
>>>>> It looks like you're using the broken web ui. Stop that. Either fix it
>>>>> or don't use it, and definitely give me an un-messed up alert.
>>>>>
>>>>> > On Wed, Jul 11, 2012 at 9:33 PM, dan (ddp) <[email protected]> wrote:
>>>>> >>
>>>>> >> On Jul 11, 2012 9:31 PM, "cosmaschi cristian" <[email protected]> wrote:
>>>>> >> >
>>>>> >> > Hello,
>>>>> >> >
>>>>> >> > I'm trying to debug on ossec, following
>>>>> >> > http://www.ossec.net/doc/faq/unexpected.html
>>>>> >> >
>>>>> >> > example: If you have logs similar to the following in /var/ossec/queue/ossec/queue:
>>>>> >> >
>>>>> >> > when I run
>>>>> >> >
>>>>> >> > tail -f /var/ossec/queue/ossec/queue
>>>>> >> >
>>>>> >>
>>>>> >> That page does not tell you to do that. It probably wants you to
>>>>> >> tail the logfile:
>>>>> >> `tail -f /var/ossec/logs/ossec.log`
>>>>> >>
>>>>> >> > I get
>>>>> >> >
>>>>> >> > tail: cannot open `/var/ossec/queue/ossec/queue' for reading: No such device or address
>>>>> >> > tail: no files remaining
