> Thanks again for the fast response.
>
> I tried these rules exactly as I showed them. I have absolutely no idea 
> how to modify them, or why I would need to.
>
> I checked the log on the OSSEC server, and I find this:
>
> 2013/03/14 23:42:05 ossec-analysisd: INFO: Reading rules file: 
> 'web_rules.xml'
> 2013/03/14 23:42:05 rules_list: Signature ID '31100' not found. Invalid 
> 'if_sid'.
> 2013/03/14 23:42:08 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/14 23:42:08 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/14 23:42:08 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' 
> not accessible: 'Connection refused'.
> 2013/03/14 23:42:08 ossec-remoted(1211): ERROR: Unable to access queue: 
> '/queue/ossec/queue'. Giving up..
> 2013/03/14 23:42:12 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/14 23:42:12 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2013/03/14 23:42:14 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/14 23:42:14 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/14 23:42:27 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2013/03/14 23:42:27 ossec-rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
>
>
> On Monday, February 11, 2013 12:50:10 PM UTC-5, Charles Bailey wrote:
>
> I wanted the 'Best' IDS for my Windows Apache server, and after a lot of 
> looking around I chose OSSEC. Documentation was pretty sparse, and I'm a 
> Linux newbie, but somehow I managed to install Ubuntu, OSSEC, and the Web 
> interface, and I have the client running on my Windows server. I put in a 
> number of log files in the config file to monitor, and it seems to be 
> working. I've got a number of questions:
>
> 1) How does it block hack attempts? Windows Firewall? Some other 
> mechanism? 
>
> 2) This might be the expected result, but when I get a 404, OSSEC shows it 
> as a 400 error.
>
> 3) When someone tries to access a page repeatedly that's not on my server, 
> OSSEC doesn't block them. Actually, I haven't seen ANY blocks. Do they show 
> up in the log? 
>
> 4) Does OSSEC go by a set of rules to detect hack attempts? How would I 
> update them? How can I tell if they need updating?
>
> 5) I keep getting minor PHP config errors logged, almost every minute. How 
> can I disable those from being logged? 
>
> 6) What files should be monitored? I mainly have just the Apache log and 
> error files monitored.
>
>
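The rule-loading error and the queue errors in the quoted log are one problem seen from two sides. As an added example that is not part of the thread, the Python checker below runs over constructed copies of those lines (wrapping undone) and ties the two symptoms together; the daemon names and the root-cause wording rest on the assumption that analysisd creates the queue socket only after its rules load cleanly.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread with the
# e-mail line wrapping undone; it is not captured from a live server.
SAMPLE_LOG = """\
2013/03/14 23:42:05 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2013/03/14 23:42:05 rules_list: Signature ID '31100' not found. Invalid 'if_sid'.
2013/03/14 23:42:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/03/14 23:42:08 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/03/14 23:42:08 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2013/03/14 23:42:12 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

RULES_FILE_RE = re.compile(r"Reading rules file: '([^']+)'")
BAD_IF_SID_RE = re.compile(r"Signature ID '(\d+)' not found\. Invalid 'if_sid'")
QUEUE_ERR_RE = re.compile(r"(ossec-[a-z]+)\(\d+\): ERROR: .*queue", re.IGNORECASE)


def diagnose(log_text):
    """Collect dangling if_sid references and the daemons that lost the queue."""
    bad_if_sid = []             # (rules file being read, missing rule id)
    queue_failures = Counter()  # daemon name -> number of queue errors
    current_file = None
    for line in log_text.splitlines():
        if m := RULES_FILE_RE.search(line):
            current_file = m.group(1)
        elif m := BAD_IF_SID_RE.search(line):
            # analysisd refuses to load a rule whose if_sid names an unknown id
            bad_if_sid.append((current_file, int(m.group(1))))
        elif m := QUEUE_ERR_RE.search(line):
            queue_failures[m.group(1)] += 1
    return {"bad_if_sid": bad_if_sid, "queue_failures": dict(queue_failures)}


def verdict(diag):
    """Map the two symptoms to the single root cause they usually share (assumed)."""
    if diag["bad_if_sid"] and diag["queue_failures"]:
        f, sid = diag["bad_if_sid"][0]
        return ("analysisd-not-running",
                f"{f} references rule id {sid}, which does not exist; "
                "analysisd stops at rule load, so its queue socket is never "
                "created and the other daemons get 'Connection refused'.")
    if diag["queue_failures"]:
        return ("queue-unreachable", "analysisd queue missing; check that analysisd is running")
    if diag["bad_if_sid"]:
        return ("bad-rule", "fix the if_sid reference before restarting")
    return ("ok", "no rule or queue errors seen")
```

Fixing the if_sid reference (or removing the rule) and restarting OSSEC clears both classes of error at once.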
