I appreciate all the help. OSSEC has a big learning curve, but I think I'm making progress.
OK, I have another issue. I have Piwik installed, and every time Piwik gets a 'hit', I get a warning in OSSEC. I googled it, and found 3 rules that should help:

  <rule id="31164" level="3">
    <if_sid>31100</if_sid>
    <url>/piwik/index.php?module=CoreHome&action=</url>
    <description>Login attempt</description>
    <group>piwik_login_attempt,</group>
  </rule>

  <rule id="31165" level="8" frequency="5" timeframe="60">
    <if_sid>31100</if_sid>
    <if_matched_group>piwik_login_attempt</if_matched_group>
    <description>to much Login attempts</description>
  </rule>

  <rule id="SOMETHING" level="0">
    <if_sid>31106</if_sid>
    <match>Form%20</match>
    <description>Ignore Form%20</description>
  </rule>

Problem is, when I put any of them in my web_rules.xml, OSSEC's status (from the web interface) turns red, and says 'Inactive'. Of course, it doesn't log anything in this state. Do these rules somehow break OSSEC?
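Added example, not from the post and not part of OSSEC: a small Python checker that runs a rules snippet through a strict XML parser and a few structural checks before the file is loaded, so a typo or an unparseable character shows up on the command line rather than as a silently inactive daemon. The sample rules are constructed from the ones quoted above; the structural checks (a <group> root, integer rule ids, levels 0..16, integer <if_sid> values) are this example's own assumptions about a sane local rules file.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the first rule in the post, quoted as-is.
# Note the bare '&' in the <url>: a strict XML parser rejects it.
BROKEN_RULES = """<group name="web,piwik,">
  <rule id="31164" level="3">
    <if_sid>31100</if_sid>
    <url>/piwik/index.php?module=CoreHome&action=</url>
    <description>Login attempt</description>
    <group>piwik_login_attempt,</group>
  </rule>
</group>
"""

# Same rules with the ampersand written as an XML entity.
FIXED_RULES = BROKEN_RULES.replace("&action=", "&amp;action=")

def validate_rules(xml_text):
    """Return a list of problems found in a rules snippet; [] means clean.

    Checks (assumptions of this example, not OSSEC's own validator):
      * the text parses as XML (stray '&' or an unclosed tag fails here),
      * the root element is <group>,
      * every <rule> has an integer id and a level in 0..16,
      * every <if_sid> / <if_matched_sid> holds comma-separated integers.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return ["not well-formed XML: %s" % err]
    if root.tag != "group":
        problems.append("root element is <%s>, expected <group>" % root.tag)
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        if not rid.isdigit():
            problems.append("rule id %r is not an integer" % rid)
        level = rule.get("level", "")
        if not (level.isdigit() and 0 <= int(level) <= 16):
            problems.append("rule %s: level %r not in 0..16" % (rid, level))
        for dep in rule.findall("if_sid") + rule.findall("if_matched_sid"):
            values = [v.strip() for v in (dep.text or "").split(",") if v.strip()]
            if not values or not all(v.isdigit() for v in values):
                problems.append("rule %s: <%s> must list integer ids" % (rid, dep.tag))
    return problems

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, validate_rules(text) or ["no problems found"])
```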
