Thanks for the replies! As for documentation... What would have helped me immensely would have been a complete, start-to-finish walkthrough installing OSSEC on something common, like Ubuntu, and configuring it with Windows. I modified the config file based on guesses, without a great deal of confidence, and I suspect it's not complete, or done right. I did find some things documented, but it was spread throughout the Internet. I'm assuming this is to encourage purchasing the book, but I wanted to actually see OSSEC before investing in anything. Also, the book is for an older version.
As for the 404 error, someone keeps trying to access files that don't exist. Some are weird, like www.mywebsite.com/best-practices-in-european-countries.html, and some are obvious attempts at finding installed programs with vulnerabilities. After seeing a ton of these, I decided to start looking for an IDS. I'm concerned that, even though I still see these probes for installed programs, OSSEC isn't doing anything, other than reporting a 400 error.

As for Active Response, all I could find was a website that told me how to enable it. No other configuration. How/where would I find out how to configure it?

Although it would be ideal, I wasn't able to fix the PHP errors. They were minor warnings. I looked inside local_rules.xml, and was completely confused. Where can I find documentation on how to configure it to ignore PHP errors?

Thanks again!

On Monday, February 11, 2013 12:50:10 PM UTC-5, Charles Bailey wrote:
>
> I wanted the 'Best' IDS for my Windows Apache server, and after a lot of looking around I chose OSSEC. Documentation was pretty sparse, and I'm a Linux newbie, but somehow I managed to install Ubuntu, OSSEC, and the Web interface, and I have the client running on my Windows server. I put in a number of log files in the config file to monitor, and it seems to be working. I've got a number of questions:
>
> 1) How does it block hack attempts? Windows Firewall? Some other mechanism?
>
> 2) This might be the expected result, but when I get a 404, OSSEC shows it as a 400 error.
>
> 3) When someone tries to access a page repeatedly that's not on my server, OSSEC doesn't block them. Actually, I haven't seen ANY blocks. Do they show up in the log?
>
> 4) Does OSSEC go by a set of rules to detect hack attempts? How would I update them? How can I tell if they need updating?
>
> 5) I keep getting minor PHP config errors logged, almost every minute. How can I disable those from being logged?
>
> 6) What files should be monitored? I mainly have just the Apache log and error files monitored.
>
> Thanks for any help you can offer!

-- 
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
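An added configuration example for the two questions raised above (why a 404 is reported as a "400 error", and why nothing is ever blocked). This is not from the thread or from the OSSEC documentation; it is an editor's illustration of the two files a manager-side admin edits. It assumes the OSSEC 2.x rule set, in which web_rules.xml rule 31101 ("Web server 400 error code.") fires on every 4xx status code (which is why a 404 shows up as a "400" alert) at level 5, below the default active-response threshold of 6, and rule 31151 only escalates to level 10 after ten such hits from one source IP within 120 seconds. Those IDs, the local rule IDs 100001/100002, the probe paths, and the presence of route-null.cmd in the Windows agent's active-response\bin folder are all assumptions to verify against your own install. The same child-rule override pattern (an `<if_sid>` on the rule ID printed in the alert, plus a `<match>` on the message text, at level 0) is how a noisy PHP warning is silenced; it is not shown here because the PHP rule IDs were not confirmed.

```xml
<!-- Added example, not OSSEC's shipped configuration. -->

<!-- 1) /var/ossec/rules/local_rules.xml on the manager (IDs 100000-109999 are
        reserved for local rules). Children of 31101 win over 31101 itself, so a
        level-0 child silences a match and a level-6 child makes a single hit
        cross the active-response threshold. -->
<group name="local,web,">

  <!-- Assumed noisy-but-harmless path: browsers request it on every visit. -->
  <rule id="100001" level="0">
    <if_sid>31101</if_sid>
    <url>^/favicon.ico$</url>
    <description>Ignore 404 for favicon.ico (constructed example path).</description>
  </rule>

  <!-- 404s for admin/installer paths that are not on this server are scanner
       probes; one hit is enough to act on. Paths are assumed for illustration. -->
  <rule id="100002" level="6">
    <if_sid>31101</if_sid>
    <id>^404$</id>
    <url>phpmyadmin|wp-login.php|/admin/</url>
    <description>404 probe for an admin path that does not exist here.</description>
  </rule>

</group>

<!-- 2) /var/ossec/etc/ossec.conf on the manager. The command must be one the
        agent that raised the alert can run: firewall-drop.sh is a Linux script,
        so a Windows agent needs route-null.cmd (assumed present in its
        active-response\bin folder). <location>local</location> runs it on the
        agent whose log produced the alert; the block is lifted after <timeout>
        seconds. -->
<ossec_config>
  <command>
    <name>route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>route-null</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before restarting the manager (/var/ossec/bin/ossec-control restart), paste an Apache access-log line into /var/ossec/bin/ossec-logtest: it prints the decoder, the rule ID that matched and its level, which is both how you confirm the 31101/31151 assumption above and how you find the ID to override for the PHP warnings. Executed blocks are not in alerts.log; they are written to the active-responses.log kept in the manager's logs directory and in the Windows agent's active-response folder, so that is where to look when checking whether anything was ever blocked.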
