On Jul 21, 2012 10:42 AM, "ChristianB" <[email protected]> wrote:
>
> Hello,
>
> I'm very new to OSSEC and consider it as an IDS/logwatcher for an
> Internet FTP-server of mine. I already installed it in a Debian6 virtual
> machine to get to know it. Installation is very straightforward and
> without complications. But there are several points that are still a bit
> blurry to me. Perhaps you can enlighten me.
>
> 1. Is there an option I can set to enable active_response but not
> actually block the attacker? Some kind of file or log with messages like:
> "OSSEC would have added the IP 123.123.123.123 to your iptables/host.deny".
> I would like to see this before enabling it and potentially blocking a
> customer.
>

Create an AR script that just logs that information. `echo $@ >>
/var/log/almost-ar.log`

> 2. Reading the OSSEC log files is available via file and webUI (which is
> buggy, I now know). After reading the archive of this mailing list (last 20
> threads or so) I get the impression that I have to install another tool to
> browse the OSSEC logs. As I plan to install OSSEC to do the log reading for
> me and just give me a summary of what happened, I do not plan to
> investigate another tool that is doing what OSSEC should do in the first
> place (read: what I expect it to do). Is there a preferred way to use
> OSSEC? Some best-practice tips?
>

You don't need to install anything. More/less/most work just fine. If you
want more/fancier, then you have to install something. That's a different
function than what ossec does, so it isn't surprising that ossec doesn't do
it.

> 3. Speaking of the webUI, I find it very disturbing that it is still
> listed at the OSSEC download page (and hosted on ossec.net) and not in the
> least marked as deprecated or not supported. There seem to be several
> patches in the archives but nowhere else.
>

I've been told it's being worked on.

> Last note: the "first steps with OSSEC" page should be updated because some
> links are not working anymore (I would have liked to see a video tutorial
> or some more first-steps documentation).
>

Do you have a video to share? How exciting is a video of command line
activity? I don't think that page is part of the documentation I work on,
but I'll double check. Maybe someone with access will fix it.

> Regards
> Christian
>
> On a side note: I currently use logcheck and logwatch but lack an IDS
> (lots of HTTP and SSH errors due to scanning and brute-force password
> guessing).
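A fleshed-out version of the "log-only" active-response script suggested in the reply above, added here as an example that is not from the thread or from the OSSEC project. It assumes the argument order the stock scripts in OSSEC's active-response/bin use (action, user, source IP, alert id, rule id) and a log path of /var/log/almost-ar.log; treat both as assumptions to check against your own installation.

```shell
#!/bin/sh
# almost-ar.sh: a dry-run OSSEC active-response script (added example, not
# part of the original thread or of OSSEC). It never touches iptables or
# hosts.deny; it only records what a blocking script would have done.
#
# Assumed argument order (same as the stock firewall-drop.sh / host-deny.sh;
# verify against the copies installed on your server):
#   $1 action (add|delete)  $2 user  $3 source IP  $4 alert id  $5 rule id

LOGFILE="${ALMOST_AR_LOG:-/var/log/almost-ar.log}"   # assumed path

# Build the human-readable message for one invocation.
# Usage: format_dry_run_line ACTION USER SRCIP ALERTID RULEID
format_dry_run_line() {
    action="$1"; user="$2"; ip="$3"; alertid="$4"; ruleid="$5"
    detail="(rule ${ruleid:--}, alert ${alertid:--}, user ${user:--})"
    case "$action" in
        add)
            printf 'OSSEC would have added the IP %s to your iptables/hosts.deny %s\n' \
                "$ip" "$detail" ;;
        delete)
            printf 'OSSEC would have removed the IP %s from your iptables/hosts.deny %s\n' \
                "$ip" "$detail" ;;
        *)
            # Anything else means the argument convention differs from the
            # one assumed above, which is worth noticing before going live.
            printf 'OSSEC passed unknown action %s for IP %s %s\n' \
                "$action" "$ip" "$detail" ;;
    esac
}

# Append a timestamped copy of the message to LOGFILE and echo it back.
log_dry_run() {
    line=$(format_dry_run_line "$@")
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line" >> "$LOGFILE"
    printf '%s\n' "$line"
}

# OSSEC always passes arguments when it runs the script; when the file is
# sourced with none (e.g. for testing), nothing is written.
if [ "$#" -gt 0 ]; then
    log_dry_run "$@"
fi
```

To wire it in, copy the script to OSSEC's active-response/bin, reference it from a `<command>` block in ossec.conf with `<expect>srcip</expect>`, and point an `<active-response>` block at that command with the rule level you intend to use for real blocking later; then `tail -f` the log while the scanners keep hitting the box. Because the script only appends to a file, the only side effect to watch is the size of that log.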
