On Mon, Mar 11, 2013 at 2:16 PM, TWAD <[email protected]> wrote:
> Thank you Dan,
> The first issue is solved. I was not monitoring the list (blacklist) so it
> would not fire an alert. I am now monitoring and it does fire.
>
> The second issue: I misunderstood the key to represent the second field. My
> list is now correct but it does not fire. So here is my reasoning (and
> perhaps demonstrated lack of understanding of OSSEC). Even though I have the
> blacklist configured correctly, the OSSEC agent will not detect an
> "offending" IP unless said IP shows up in a log/file on the system right?
> In other words, OSSEC will need to be reading from a file that is being fed
> from utilities such as tcpdump, snort, or wireshark... right? aka It does
> not have the capability to do port detection on its own.
>

Correct. OSSEC reads logs and creates alerts based on the logs. If you are not feeding it logs, it will not do much.

> Thank you again
>
> On Thursday, March 7, 2013 9:28:29 PM UTC-6, dan (ddpbsd) wrote:
>>
>> There are 2 separate issues that you seem to be munging together.
>> Let's try to keep them separated a bit.
>>
>> On Thu, Mar 7, 2013 at 10:54 AM, TWAD <[email protected]> wrote:
>> > I did not get a 550... and perhaps 550 may not have been the right
>> > choice.
>>
>> You need to find out what rule is firing. When I set this up for
>> myself, 550 was the one I had used in my rule:
>> <rule id="510011" level="10">
>>   <if_sid>550</if_sid>
>>   <match>/var/ossec/lists/blocked.txt</match>
>>   <description>blocked.txt has been modified</description>
>> </rule>
>>
>> And then my active response uses this rule:
>> <active-response>
>>   <command>makelists</command>
>>   <location>server</location>
>>   <rules_id>510011</rules_id>
>> </active-response>
>>
>> So find out why you aren't getting an alert for the file changing. Are
>> you monitoring the file's location in syscheck? Is the file in the
>> syscheck database? How often does syscheck run?
>>
>> > In fact, I do a grep for 192.168.1.10 (an IP in the blacklist) in
>> > audit.log, messages, alert.log, and secure etc, and it does not show
>> > up, even though it is an active agent. Here is the log after
>> > immediate start-up
>> >
>>
>> I'm totally confused by this. You were saying you were not getting an
>> alert based on your CDB list, right?
>>
>> Your rule:
>> <rule id="101004" level="10">
>>   <if_sid>101003</if_sid>
>>   <list field="srcip" lookup="address_match_key">lists/blacklist.txt.cdb</list>
>>   <description>DNS query on a potentially malicious domain.</description>
>> </rule>
>>
>> Your list:
>> IP1: 192.168.1.8
>> IP2: 10.10.1.200
>>
>> Your rule is matching on the key, the first field (eg: IP1, IP2).
>> You have expressed interest in the value (192.168.1.8), so I believe your
>> rule is useless as written.
>> You also need to make sure the decoder matched in 101003 decodes the
>> srcip correctly. You can use ossec-logtest to determine if this is the
>> case.
>>
>> >
>> > On Thursday, March 7, 2013 12:35:21 AM UTC-6, dan (ddpbsd) wrote:
>> >>
>> >> On Mar 6, 2013 11:31 PM, "TWAD" <[email protected]> wrote:
>> >> >
>> >> > Hey Dan, I took your advice and created a CDB with over 10k IPs and
>> >> > then I added one of my local IPs to test for an alert. However, the
>> >> > alert does not fire when one of my local hosts tries to connect or
>> >> > when I change the blacklists file. I am running tcpdump and I can
>> >> > see the host trying to connect, but nothing in the alert.log. The
>> >> > active response log is still at 0 as well. What am I doing wrong?
>> >> >
>> >>
>> >> Please provide a log sample.
>> >>
>> >> > Blacklist format for CDB:
>> >> > IP1: 192.168.1.8
>> >> > IP2: 10.10.1.200
>> >> > etc
>> >> >
>> >> > In ossec.conf I have
>> >> > <rules>
>> >> >   ...
>> >> >   <list>lists/blacklist.txt</list>
>> >> >   <include>local_rules.xml</include>
>> >> > </rules>
>> >> >
>> >> > I added this to execute ossec-makelist when the blacklist changes. I
>> >> > do not believe it worked because I ran it manually and it showed an
>> >> > update was needed
>> >> >
>> >> > <command>
>> >> >   <name>makelists</name>
>> >> >   <executable>makelists.sh</executable>
>> >> >   <expect></expect>
>> >> > </command>
>> >> >
>> >> > <active-response>
>> >> >   <disabled>no</disabled>
>> >> >   <command>makelists</command>
>> >> >   <location>server</location>
>> >> >   <rules_id>105001</rules_id>
>> >> > </active-response>
>> >> >
>> >> > Here is my blacklist file with the new CDB created from Makelists
>> >> >
>> >> > [root@RHEL6-4 lists]# ls -la
>> >> > total 712
>> >> > drwxr-xr-x. 2 ossec ossec 4096 Mar 6 22:03 .
>> >> > dr-xr-x---. 15 root ossec 4096 Mar 6 16:49 ..
>> >> > -rw-r--r--. 1 ossec ossec 239574 Mar 6 22:03 blacklist.txt
>> >> > -rw-r--r--. 1 ossec ossec 478742 Mar 6 17:09 blacklist.txt.cdb
>> >> >
>> >> > My local_rules.xml addition for the alert
>> >> >
>> >> > <rule id="101003" level="0" noalert="1">
>> >> >   <decoded_as>unbound</decoded_as>
>> >> >   <description>Grouping for unbound.</description>
>> >> > </rule>
>> >> >
>> >> > <rule id="101004" level="10">
>> >> >   <if_sid>101003</if_sid>
>> >> >   <list field="srcip" lookup="address_match_key">lists/blacklist.txt.cdb</list>
>> >> >   <description>DNS query on a potentially malicious domain.</description>
>> >> > </rule>
>> >> >
>> >> > <rule id="101005" level="10">
>> >> >   <if_sid>550</if_sid>
>> >> >
>> >>
>> >> Did you get a 550 with the path you defined below?
>> >>
>> >> >   <match>/var/ossec/lists/blacklist.txt</match>
>> >> >   <description>blacklist.txt has been modified</description>
>> >> > </rule>
>> >> >
>> >> > On Tuesday, March 5, 2013 5:45:10 PM UTC-6, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Mar 4, 2013 at 4:45 PM, TWAD <[email protected]> wrote:
>> >> >> > Hey everybody,
>> >> >> > I have a task that I'm struggling with; could you help?
>> >> >> >
>> >> >> > Task: I need to have a blacklist capability on all of my agents
>> >> >> > (to alert, not block)
>> >> >> >
>> >> >>
>> >> >> Alerts are only created by the server, not the agents.
>> >> >>
>> >> >> > Issue 1: The blacklist contains over 700 IPs (currently) so
>> >> >> > creating a rule for each would (to me) seem taxing on the agent
>> >> >> > and server
>> >> >> >
>> >> >>
>> >> >> Using a cdb seems like a decent option. I had a cdb of over 100k
>> >> >> domains at one point.
>> >> >>
>> >> >> > Issue 2: The white list will contain over 200 IPs or 10
>> >> >> > domains/subnets
>> >> >> >
>> >> >> > Questions:
>> >> >> >
>> >> >> > Should I use a white list instead of the blacklist?
>> >> >> > Has anybody on this list done this?
>> >> >> > What is the most practical method?
>> >> >> >
>> >> >> > Research:
>> >> >> >
>> >> >> > I found an excellent example written by Anthony Kasza
>> >> >> > (anthonykasza.webs.com/docs/honeyports.pdf) but none of my
>> >> >> > agents will be running nc.
>> >> >> > I looked on this list and other great resources but do not have
>> >> >> > a good answer
>> >> >> >
>> >> >> > Thank you in advance for your time!
>> >> >> >
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the
>> >> >> > Google Groups "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from
>> >> >> > it, send an email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
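
The key/value mix-up discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: a small Python check that flags list entries whose IP sits in the value instead of the key and produces the swapped form. The function names and the exact-match lookup model are assumptions for illustration, and only IPv4 addresses are handled.

```python
import ipaddress

# Constructed sample in the format posted in the thread: label first, IP second.
THREAD_LIST = "IP1: 192.168.1.8\nIP2: 10.10.1.200\n"


def is_ipv4(text):
    """True if text is a single dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_entries(text):
    """Split 'key:value' lines on the first colon; blank lines are skipped."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        key, _, value = raw.partition(":")
        entries.append((number, key.strip(), value.strip()))
    return entries


def lint(text):
    """Return (line_number, problem, suggested_line) for each entry whose
    key is not an IPv4 address, so a srcip lookup by key cannot hit it."""
    findings = []
    for number, key, value in parse_entries(text):
        if is_ipv4(key):
            continue
        if is_ipv4(value):
            findings.append(
                (number, "IP is in the value, not the key", f"{value}:{key}"))
        else:
            findings.append((number, "no IPv4 address in key or value", None))
    return findings


def corrected(text):
    """Rewrite the list with swapped entries fixed; other entries are kept,
    with whitespace around the colon stripped."""
    fixes = {n: line for n, _, line in lint(text) if line}
    lines = [fixes.get(n, f"{k}:{v}") for n, k, v in parse_entries(text)]
    return "".join(line + "\n" for line in lines)


def key_lookup(srcip, text):
    """Simplified model of a lookup by key (assumption): exact match on the
    first field only; subnet-style keys are not modelled."""
    return any(key == srcip for _, key, _ in parse_entries(text))


if __name__ == "__main__":
    for number, problem, fix in lint(THREAD_LIST):
        print(f"line {number}: {problem}; suggested: {fix}")
    print(corrected(THREAD_LIST), end="")
```

After the source file is corrected, the .cdb has to be rebuilt (the makelists step in the thread) before the rule can match.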
