Dear Dan,
The log message is from the httpd error log. Here is the part of the
log where I noticed it.

[Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/*******/
[Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File does not exist: /var/www/html/images
[Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/******/images/

What should I look for in the ossec.log for syscheckd? What is the
command to turn on debug for syscheckd?


On Wed, Nov 6, 2013 at 11:45 PM, dan (ddp) <[email protected]> wrote:

> On Wed, Nov 6, 2013 at 10:39 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> > Which log sample you prefer to have the apache error log or
>
> Which log message do you want to trigger an alert? That is the
> important one here, right? In your original message you mentioned a
> log message containing "Directory index forbidden by Options
> directive:," but did not include the entire log message. I assume this
> is the log message you want an alert on?
>
> > the ossec log ? Are the rules need tweaking too? How can I be sure the
> > rootkit is running any log to check on it?
> >
>
> Check the ossec.log. If there is no mention of it, try turning on
> debug for syscheckd.
>
> >
> > On Wed, Nov 6, 2013 at 10:58 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Wed, Nov 6, 2013 at 9:54 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> > If I look into my ossec.conf I can see both
> >> > apache_rules.xml and web_appsec_rules.xml and I can see it monitors the
> >> > /var/log/httpd/error_log. What else do I need to check on? Is monitoring
> >> > just fine or must I still create rules? Sorry, I am a newbie to this.
> >> > Besides
> >>
> >> You didn't provide a log sample, so I cannot determine whether the log
> >> will be identified by OSSEC or not.
> >>
> >> > that, when will the rootkit check be done, on a periodic basis or
> >> > launched manually?
> >> >
> >>
> >> It should scan periodically.
> >>
> >> > On Wednesday, November 6, 2013 12:29:02 AM UTC+8, dan (ddpbsd) wrote:
> >> >>
> >> >> On Sun, Nov 3, 2013 at 12:51 PM, frwa onto <[email protected]> wrote:
> >> >> > Dear All,
> >> >> > I am new to ossec. I am still learning how it works, just
> >> >> > wondering can it detect scraper activities, because I have banned
> >> >> > directory traversing but I notice the scraper still manages to get
> >> >> > to some of the directories but got this error: Directory index
> >> >> > forbidden by Options directive:
> >> >> >
> >> >>
> >> >> Are these logs being monitored by OSSEC? You should be able to create
> >> >> a rule looking for the log message.
> >> >>
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups
> >> >> > "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> > send
> >> >> > an
> >> >> > email to [email protected].
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >
>
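
Added example, not part of the original message and not OSSEC's own code: the detection discussed in this thread, run over Apache 2.2 error_log lines in the format quoted above. It flags a client that triggers several "Directory index forbidden by Options directive" errors inside a short window; the threshold, the window, the "example" directory name and the second client address are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Apache 2.2 error_log format quoted in the thread.
# "example" stands in for the redacted directory; 192.0.2.10 is a made-up client.
SAMPLE_LOG = """\
[Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/example/
[Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File does not exist: /var/www/html/images
[Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/example/images/
[Sun Oct 13 12:33:31 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/example/css/
[Sun Oct 13 12:40:02 2013] [error] [client 192.0.2.10] Directory index forbidden by Options directive: /var/www/html/example/
[Sun Oct 13 13:10:00 2013] [error] [client 192.0.2.10] Directory index forbidden by Options directive: /var/www/html/example/js/
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
MARKER = "Directory index forbidden by Options directive:"
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_events(text):
    """Return (timestamp, client_ip, path) for every directory-index denial."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("msg").startswith(MARKER):
            continue  # other error types, or lines in another format
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append((ts, m.group("ip"), m.group("msg")[len(MARKER):].strip()))
    return events


def flag_clients(events, threshold=3, window_seconds=60):
    """Return {ip: [paths]} for clients with >= threshold denials in one window."""
    by_ip = defaultdict(list)
    for ts, ip, path in sorted(events):
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            # Slide the left edge until the span fits inside the window.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [path for _, path in hits[start:end + 1]]
                break
    return flagged
```

Calling flag_clients(parse_events(SAMPLE_LOG)) reports only 103.246.38.196; a single stray denial, or two spread over half an hour, stays below the threshold.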

