On Mon, Feb 11, 2013 at 12:50 PM, Charles Bailey <[email protected]> wrote:

> I wanted the 'Best' IDS for my Windows Apache server, and after a lot of
> looking around I chose OSSEC. Documentation was pretty sparse, and I'm a

What documentation do you think we're missing?

> Linux newbie, but somehow I managed to install Ubuntu, OSSEC, and the Web
> interface, and I have the client running on my Windows server. I put in a
> number of log files in the config file to monitor, and it seems to be
> working. I've got a number of questions:
>
> 1) How does it block hack attempts? Windows Firewall? Some other mechanism?
>
> 2) This might be the expected result, but when I get a 404, OSSEC shows it
> as a 400 error.

404 falls within the 400 error range. What alert do you see?

> 3) When someone tries to access a page repeatedly that's not on my server,
> OSSEC doesn't block them. Actually, I haven't seen ANY blocks. Do they show
> up in the log?

Blocks show up in the active-response.log file on the agent. How do you have AR (active response) configured? What alerts are you expecting to create blocks?

> 4) Does OSSEC go by a set of rules to detect hack attempts? How would I
> update them? How can I tell if they need updating?

Yes, rules are in /var/ossec/rules. They get updated when you update OSSEC. We don't currently have a disconnected rules download. You can always use custom rules.

> 5) I keep getting minor PHP config errors logged, almost every minute. How
> can I disable those from being logged?

Either fix the PHP or ignore the rules. You can create ignore rules in /var/ossec/rules/local_rules.xml.

> 6) What files should be monitored? I mainly have just the Apache log and
> error files monitored.
>
> Thanks for any help you can offer!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
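The two things the reply points at, an ignore rule in local_rules.xml and an active-response configuration that would actually produce entries in the agent's active-response log, look like the following. This is an added example written for this thread, not code from the reply or from the OSSEC project. Assumptions, marked as such in the comments: rule id 100001 is an arbitrary local id; the parent SID 30101 and the PHP warning text in the match are placeholders to be replaced with what /var/ossec/bin/ossec-logtest reports for one of the noisy lines; 31151 is assumed to be the stock "multiple web server 400 error codes from same source ip" rule in /var/ossec/rules/web_rules.xml (confirm with grep before relying on it; the stock 4xx rule 31101 matching any 4xx status is also why a 404 shows up as a "400 error"); and win_route-null / route-null.cmd is taken from the OSSEC manual's Windows active-response example and should be verified against the scripts shipped in the agent's active-response\bin directory.

```xml
<!-- File 1 of 2: /var/ossec/rules/local_rules.xml on the OSSEC manager.
     Local rule ids must stay in the 100000-119999 range reserved for custom rules. -->
<group name="local,">

  <!-- Drop the recurring, known-benign PHP config warning from the Apache error log.
       ASSUMPTION: 30101 is a placeholder parent SID and the match text is a
       constructed sample. Feed one real noisy line to
       /var/ossec/bin/ossec-logtest, copy the SID it reports into if_sid, and
       tighten match to the exact message so nothing else is silenced. -->
  <rule id="100001" level="0">
    <if_sid>30101</if_sid>
    <match>PHP Warning:  Unknown: Cannot load module</match>
    <description>Ignore known-benign PHP config warning on the Windows web server.</description>
  </rule>

</group>

<!-- File 2 of 2: /var/ossec/etc/ossec.conf on the OSSEC manager.
     Ties a block action to the repeated-4xx alert so that scanning for pages
     that do not exist is answered with a null route on the Windows agent, and
     an entry appears in the agent's active-response log. -->
<ossec_config>

  <!-- ASSUMPTION: command name and executable per the OSSEC manual's Windows
       example; verify route-null.cmd exists under the agent's active-response\bin. -->
  <command>
    <name>win_route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_route-null</command>
    <!-- "local" runs the command on the agent that generated the alert -->
    <location>local</location>
    <!-- ASSUMPTION: 31151 is the stock multiple-400-errors rule; confirm with
         grep -n 'id="31151"' /var/ossec/rules/web_rules.xml -->
    <rules_id>31151</rules_id>
    <!-- seconds before the block is undone; 0 would make it permanent -->
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

Restart the manager after editing either file, then trigger the condition yourself (a dozen requests for a nonexistent page from a test host within the rule's timeframe) and watch the agent's active-response log for the block; if nothing appears, check that the alert itself fires first, because an active response never runs without its alert.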
