Hi, I've installed OSSEC on a laptop (10.0.0.10) running Windows 7. The client is configured to send logs to a remote appliance (10.0.0.1). There has been a huge transfer (several tens of GB) of data from the client to the server, and the netflow has shown that many files, several hundred MB each, have been sent to the server:
# nfdump -R . |grep 10.0.0.10 |grep 1514 |grep UDP
2013-09-16 08:31:32.283 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 08:37:35.897 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 08:36:37.002 304.999 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 776927 347.3 M 1
2013-09-16 08:44:16.866 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 08:41:42.002 304.999 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 747132 333.7 M 1
2013-09-16 08:46:47.002 305.001 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 787362 352.1 M 1
2013-09-16 08:51:52.003 304.250 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 825777 369.2 M 1
2013-09-16 08:57:38.290 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 08:56:57.236 303.905 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 764367 341.7 M 1
2013-09-16 09:02:02.126 304.872 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 763929 341.4 M 1
2013-09-16 09:07:39.156 0.932 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 2 202 1
2013-09-16 09:12:12.001 304.973 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 721068 322.3 M 1
2013-09-16 09:17:42.008 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:24:22.340 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:22:22.001 304.999 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 740302 330.9 M 1
2013-09-16 09:31:03.403 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:27:27.001 305.000 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 774572 346.3 M 1
2013-09-16 09:32:32.001 304.999 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 731715 327.1 M 1
2013-09-16 09:37:44.404 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:44:25.285 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:42:42.000 305.000 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 762709 340.7 M 1
2013-09-16 09:51:06.272 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:52:52.000 304.561 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 780955 349.1 M 1
2013-09-16 09:57:47.302 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 09:57:57.541 304.370 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 726640 324.7 M 1

Files seem to be backup files:

Alert - "1379331284" --> RID: "554"; RL: "10"; RG: "local,syslog,syscheck,"; RC: "File added to the system."; USER: "None"; SRCIP: "None"; HOSTNAME: "(W7COMPUTER10) 10.0.0.10->syscheck"; LOCATION: "(W7COMPUTER10) 10.0.0.10->syscheck"; EVENT: "[INIT]New file 'C:\Windows/winsxs/Backup/x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6a372375d8b5ccfd.manifest' added to the file system.[END]";
Alert - "1379331284" --> RID: "554"; RL: "10"; RG: "local,syslog,syscheck,"; RC: "File added to the system."; USER: "None"; SRCIP: "None"; HOSTNAME: "(W7COMPUTER10) 10.0.0.10->syscheck"; LOCATION: "(W7COMPUTER10) 10.0.0.10->syscheck"; EVENT: "[INIT]New file 'C:\Windows/winsxs/Backup/x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6a372375d8b5ccfd.manifest' added to the file system.[END]";

Is it possible that copies of files are transmitted by OSSEC to the server? My understanding, as per my configuration, was that only MD5 sums were sent to the server. Thank you very much in advance for your help.
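An added example, not from the original post or from the OSSEC project: it parses nfdump summary lines like the ones quoted above and aggregates each src -> dst direction into total packets, total bytes, mean packet size and mean throughput. Those per-direction numbers are what an analyst checks first when deciding whether a UDP stream to port 1514 looks like a steady stream of small event messages or like bulk file content. The sample records are constructed from the shapes seen in the post, and the 1000-based scaling of nfdump's "M" suffix is an assumption.

```python
import re

# Constructed sample, shaped like the nfdump lines quoted in the post:
# date first seen, duration, proto, src -> dst, packets, bytes, flows.
SAMPLE_FLOWS = """\
2013-09-16 08:31:32.283 0.000 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 1 101 1
2013-09-16 08:36:37.002 304.999 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 776927 347.3 M 1
2013-09-16 08:41:42.002 304.999 UDP 10.0.0.10:51000 -> 10.0.0.1:1514 747132 333.7 M 1
2013-09-16 09:07:39.156 0.932 UDP 10.0.0.1:1514 -> 10.0.0.10:51000 2 202 1
"""

# nfdump abbreviates large counters with a unit letter ("347.3 M"); the
# 1000-based scaling used here is an assumption, not something stated in the post.
UNIT = {None: 1, "K": 1e3, "M": 1e6, "G": 1e9}
COUNTER = r"([\d.]+)(?:\s+([KMG]))?"  # a number with an optional unit letter
LINE = re.compile(
    r"^(\S+ \S+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+"
    + COUNTER + r"\s+" + COUNTER + r"\s+(\d+)$"
)

def scale(value, unit):
    """Turn '347.3' + 'M' into an integer byte or packet count."""
    return round(float(value) * UNIT[unit])

def parse_flows(text):
    """One dict per nfdump record; lines that do not match (headers, totals) are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        start, dur, proto, src, dst, pk, pu, by, bu, _ = m.groups()
        flows.append({"start": start, "duration": float(dur), "proto": proto, "src": src,
                      "dst": dst, "packets": scale(pk, pu), "bytes": scale(by, bu)})
    return flows

def summarize(flows):
    """Per src -> dst direction: totals, mean packet size and mean throughput."""
    out = {}
    for f in flows:
        s = out.setdefault(f"{f['src']} -> {f['dst']}",
                           {"flows": 0, "packets": 0, "bytes": 0, "seconds": 0.0})
        s["flows"] += 1
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["seconds"] += f["duration"]
    for s in out.values():  # mean packet size separates many small datagrams from bulk data
        s["avg_pkt_bytes"] = s["bytes"] / s["packets"] if s["packets"] else 0.0
        s["bytes_per_sec"] = s["bytes"] / s["seconds"] if s["seconds"] else 0.0
    return out
```

Feeding the full nfdump output from the post through `summarize(parse_flows(...))` gives the agent-to-server direction as one line with its mean packet size, which can then be compared against the size of a single syscheck event message rather than eyeballed from the raw flows.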
