I wanted the 'Best' IDS for my Windows Apache server, and after a lot of looking around I chose OSSEC. Documentation was pretty sparse, and I'm a Linux newbie, but somehow I managed to install Ubuntu, OSSEC, and the Web interface, and I have the client running on my Windows server. I put in a number of log files in the config file to monitor, and it seems to be working. I've got a number of questions:
1) How does it block hack attempts? Windows Firewall? Some other mechanism?
2) This might be the expected result, but when I get a 404, OSSEC shows it as a 400 error.
3) When someone tries to access a page repeatedly that's not on my server, OSSEC doesn't block them. Actually, I haven't seen ANY blocks. Do they show up in the log?
4) Does OSSEC go by a set of rules to detect hack attempts? How would I update them? How can I tell if they need updating?
5) I keep getting minor PHP config errors logged, almost every minute. How can I disable those from being logged?
6) What files should be monitored? I mainly have just the Apache log and error files monitored.
Thanks for any help you can offer!
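The following is an added example, not code from the original post and not OSSEC's own code. It models, over a constructed Apache access log, the two observations in questions 2 and 3: a base rule that keys on the first digit of the HTTP status (so a 404 lands in the "400 error code" bucket), and a frequency rule that only fires after enough such hits from one source IP inside a time window. The rule ids 31101 and 31151 and the 12-in-90-seconds threshold are given as I recall them from OSSEC's web_rules.xml and should be checked against the installed file; whether a firing rule then leads to a block depends on the active-response configuration, which this example does not model.

```python
"""Toy model of an OSSEC-style web rule chain (added example, not OSSEC code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log in Apache combined format (not the poster's data):
# 13 probes for missing pages from one client within 24 seconds, then two
# ordinary requests from another client, one of them a 403.
SAMPLE_LOG = "\n".join(
    [
        f'10.0.0.5 - - [10/Oct/2013:13:55:{sec:02d} +0000] '
        f'"GET /admin{n}.php HTTP/1.1" 404 209 "-" "curl/7.30"'
        for n, sec in enumerate(range(10, 36, 2))
    ]
    + [
        '10.0.0.6 - - [10/Oct/2013:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '10.0.0.6 - - [10/Oct/2013:13:55:41 +0000] "GET /secret/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    ]
)

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Assumed values (check web_rules.xml on your install): rule 31151 fires after
# FREQUENCY matches of rule 31101 from the same source ip within TIMEFRAME seconds.
FREQUENCY = 12
TIMEFRAME = 90


def parse_line(line):
    """Decode one combined-format line; returns None for lines that do not match."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["request"],
        "status": m["status"],
    }


def status_class(status):
    # The base rule keys on the first digit only, so 403 and 404 both fall into
    # the "400" bucket; that is why a 404 is reported as a 400 error.
    return status[0] + "00"


def base_rule(event):
    """Return (rule_id, level, description) for a 4xx response, else None."""
    if status_class(event["status"]) == "400":
        return ("31101", 5, "Web server 400 error code.")
    return None


class RepeatedErrorRule:
    """Sliding-window correlation: fire once a source ip triggers the base rule
    FREQUENCY times within TIMEFRAME seconds."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.seen = defaultdict(deque)   # ip -> timestamps of recent base-rule hits

    def feed(self, event):
        if base_rule(event) is None:
            return None
        window = self.seen[event["ip"]]
        window.append(event["ts"])
        while (event["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()   # simplification: count afresh after an alert
            return ("31151", 10,
                    "Multiple web server 400 error codes from same source ip.",
                    event["ip"])
        return None


def analyze(log_text):
    """Run base and correlation rules over a log; returns (per_event, alerts)."""
    rule = RepeatedErrorRule()
    per_event, alerts = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hit = base_rule(ev)
        per_event.append((ev["ip"], ev["status"], hit[0] if hit else None))
        fired = rule.feed(ev)
        if fired:
            alerts.append(fired)
    return per_event, alerts


if __name__ == "__main__":
    events, fired_alerts = analyze(SAMPLE_LOG)
    for ip, status, rule_id in events:
        print(ip, status, "->", rule_id or "no rule")
    for rule_id, level, desc, ip in fired_alerts:
        print(f"ALERT rule {rule_id} level {level}: {desc} src {ip}")
```

With the constructed log, every 404 and the single 403 are reported under the "400 error code" rule, but only the burst of 12 from 10.0.0.5 raises the level-10 repeated-errors alert; a handful of 404s spread over a longer period never reaches the threshold, which is one reason for seeing alerts without any block.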
