On Fri, Mar 15, 2013 at 2:44 PM, Charles Bailey <[email protected]> wrote:
>
>> Thanks again for the fast response.
>>
>> I tried these rules exactly as I showed them. I have absolutely no idea
>> how to modify them, or why I would need to.
>>

You can modify them with a text editor, they're just plain text.

>> I checked the log on the OSSEC server, and I find this:
>>
>> 2013/03/14 23:42:05 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> 2013/03/14 23:42:05 rules_list: Signature ID '31100' not found. Invalid 'if_sid'.

You do not appear to have a signature with the ID 31100. You have rules that
require 31100, so this being missing is going to stop OSSEC from working.

>> 2013/03/14 23:42:08 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:08 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:08 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:08 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
>> 2013/03/14 23:42:12 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:12 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2013/03/14 23:42:14 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:14 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:27 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 23:42:27 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>>
>>
>> On Monday, February 11, 2013 12:50:10 PM UTC-5, Charles Bailey wrote:
>> I wanted the 'Best' IDS for my Windows Apache server, and after a lot of
>> looking around I chose OSSEC.
>> Documentation was pretty sparse, and I'm a Linux newbie, but somehow I
>> managed to install Ubuntu, OSSEC, and the Web interface, and I have the
>> client running on my Windows server. I put in a number of log files in
>> the config file to monitor, and it seems to be working. I've got a number
>> of questions:
>>
>> 1) How does it block hack attempts? Windows Firewall? Some other mechanism?
>>
>> 2) This might be the expected result, but when I get a 404, OSSEC shows it
>> as a 400 error.
>>
>> 3) When someone tries to access a page repeatedly that's not on my server,
>> OSSEC doesn't block them. Actually, I haven't seen ANY blocks. Do they show
>> up in the log?
>>
>> 4) Does OSSEC go by a set of rules to detect hack attempts? How would I
>> update them? How can I tell if they need updating?
>>
>> 5) I keep getting minor PHP config errors logged, almost every minute. How
>> can I disable those from being logged?
>>
>> 6) What files should be monitored? I mainly have just the Apache log and
>> error files monitored.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
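
An added check for the if_sid error quoted above (example code, not from the thread or the OSSEC project): it walks rule files in load order and reports every <if_sid> that names a rule id not loaded yet, the condition rules_list reports as "Signature ID ... not found. Invalid 'if_sid'". It assumes if_sid must resolve against rules already loaded, so the file order in ossec.conf matters; the two rule files below are constructed samples, not the poster's.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule files (not the poster's). CUSTOM_RULES depends on
# rule 31100 via if_sid; WEB_RULES is where 31100 is defined.
CUSTOM_RULES = """
<group name="web,custom,">
  <rule id="100200" level="6">
    <if_sid>31100</if_sid>
    <id>^404</id>
    <description>Web server 404 error code (custom).</description>
  </rule>
</group>
"""

WEB_RULES = """
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id>^4</id>
    <description>Web server 400 error code.</description>
  </rule>
</group>
"""


def iter_rules(xml_text):
    """Yield (rule_id, [if_sid ids]) for each <rule>. A rule file holds
    several top-level <group> elements, so wrap it in a synthetic root."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for rule in root.iter("rule"):
        parents = []
        for node in rule.findall("if_sid"):  # may read "31100, 31101"
            parents += [int(s) for s in node.text.split(",") if s.strip()]
        yield int(rule.get("id")), parents


def check_if_sid(files):
    """files: [(name, xml_text)] in ossec.conf load order. Returns
    [(file, rule_id, missing_sid)] for each if_sid naming a rule not loaded
    yet, the condition behind "Signature ID ... not found. Invalid 'if_sid'"."""
    loaded, problems = set(), []
    for name, text in files:
        for rule_id, parents in iter_rules(text):
            problems += [(name, rule_id, s) for s in parents if s not in loaded]
            loaded.add(rule_id)
    return problems
```

Loading custom_rules.xml before web_rules.xml reports (custom_rules.xml, 100200, 31100); swapping the two files in the list clears it.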
