On Mon, Feb 9, 2015 at 3:42 PM, Ricardo Galossi <[email protected]> wrote: > Hi Dan, > I installed ossec as "local". Yeah, the AR configuration is default. The > daemon ossec-execd is running normally and the firewall is enable. I made > testes with both versions of ossec 2.7 and 2.8.1 within the same VPS. > However, only the version 2.7 block the attacker based on the rule ID 31151. > > If you want I can send you the logs of ossec 2.8.1. > > Thank you for your attention. >
Run ossec-logtest, and paste the log message I used in it multiple times. Let's see if 31151 or whatever fires (and see if the output differs from what I saw with post 2.8.1). I'm hoping to have a chance to try active responses tonight. > Em segunda-feira, 9 de fevereiro de 2015 18:23:09 UTC-2, dan (ddpbsd) > escreveu: >> >> On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi <[email protected]> >> wrote: >> > Hi Dan, >> > The logs are in attach. >> > >> >> Ok, it looks like active response is being triggered by rule 31151: >> Mon Feb 9 15:10:03 BRST 2015 >> /var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87 >> 1423501803.36643 31151 >> >> Using ossec-logtest, and pasting the log message in a few times, does >> trigger 31151: >> 172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET >> /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 >> (Nikto/2.1.6) (Evasions:None) (Test:map_codes)" >> >> >> **Phase 1: Completed pre-decoding. >> full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET >> /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 >> (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"' >> hostname: 'arrakis' >> program_name: '(null)' >> log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET >> /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 >> (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"' >> >> **Phase 2: Completed decoding. >> decoder: 'web-accesslog' >> srcip: '172.16.10.87' >> url: '/wordpress/KwJ55hQv.asmx' >> id: '403' >> >> **Phase 3: Completed filtering (rules). >> Rule id: '31151' >> Level: '10' >> Description: 'Multiple web server 400 error codes from same source >> ip.' >> **Alert to be generated. >> >> Since you didn't provide your AR configuration I'll have to assume >> it's the default. Based on that, we get back to earlier questions: >> Is ossec-execd running on the agent? >> Is the firewall enabled on the system? >> >> > Em segunda-feira, 9 de fevereiro de 2015 17:20:05 UTC-2, dan (ddpbsd) >> > escreveu: >> >> >> >> On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <[email protected]> >> >> wrote: >> >> > Hi Dan, >> >> > I see. As soon as I get home I'll send the log files. Do you want >> >> > only >> >> > the >> >> > alert.log or something else? >> >> > >> >> >> >> I'd love to see the apache log messages that work in OSSEC 2.7 but not >> >> in >> >> 2.8. >> >> >> >> > Em segunda-feira, 9 de fevereiro de 2015 17:00:38 UTC-2, dan (ddpbsd) >> >> > escreveu: >> >> >> >> >> >> On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi >> >> >> <[email protected]> >> >> >> wrote: >> >> >> > Hi guys, >> >> >> > I made some tests here with ossec 2.7. When I try to scan the >> >> >> > target, >> >> >> > the >> >> >> > modsec delivery a 403 error page, so, ossec read the apache >> >> >> > access.log >> >> >> > file >> >> >> > and match the rule with ID 31151 from web_rules.xml and block the >> >> >> > attacker's >> >> >> > IP on iptables. Follow the rule below: >> >> >> > >> >> >> > <rule level="10" id="31151" timeframe="90" frequency="12"> >> >> >> > <if_matched_sid>31101</if_matched_sid> >> >> >> > <same_source_ip/> >> >> >> > <description>Multiple web server 400 error codes </description> >> >> >> > <description>from same source ip.</description> >> >> >> > <group>web_scan,recon,</group> >> >> >> > </rule> >> >> >> > >> >> >> > The question is, why doesn't happen the same thing on ossec 2.8.1? >> >> >> > There is some problem if I used the version 2.7? >> >> >> > >> >> >> >> >> >> It's hard to tell without log samples. >> >> >> >> >> >> > Em segunda-feira, 9 de fevereiro de 2015 15:47:31 UTC-2, Ricardo >> >> >> > Galossi >> >> >> > escreveu: >> >> >> >> >> >> >> >> Hi Dan, >> >> >> >> Thank you for your attention. I'm at work now, and I'm not able >> >> >> >> to >> >> >> >> access >> >> >> >> my VPS from here, but tonight when I leave the company I'll send >> >> >> >> you >> >> >> >> the log >> >> >> >> file. >> >> >> >> >> >> >> >> Em segunda-feira, 9 de fevereiro de 2015 15:42:46 UTC-2, dan >> >> >> >> (ddpbsd) >> >> >> >> escreveu: >> >> >> >>> >> >> >> >>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi >> >> >> >>> <[email protected]> wrote: >> >> >> >>> > Hi Rodrigo, >> >> >> >>> > I've seen the file syslog_rules.xml to see the rule with ID >> >> >> >>> > 1002, >> >> >> >>> > I >> >> >> >>> > understood the rule perfectly. As you said I've changed the >> >> >> >>> > field >> >> >> >>> > <match> of >> >> >> >>> > rules with ID 30200 and 30201 for "ModSecurity: Access >> >> >> >>> > denied". >> >> >> >>> > I've >> >> >> >>> > also >> >> >> >>> > changed the level of drop in my ossec.conf to level 2. >> >> >> >>> > Although, >> >> >> >>> > unfortunately it doesn't solve my problem. It's like apache >> >> >> >>> > rules >> >> >> >>> > doesn't >> >> >> >>> > match with any log record, just the rule ID 1002 from >> >> >> >>> > syslog_rules. >> >> >> >>> > >> >> >> >>> >> >> >> >>> Can you provide a log sample? >> >> >> >>> >> >> >> >>> >> >> >> >>> > On the other hand, I made a laboratory with ossec 2.7 and it >> >> >> >>> > works >> >> >> >>> > perfectly. I made a scan with Nikto and ossec blocked >> >> >> >>> > normally. >> >> >> >>> > >> >> >> >>> > Em segunda-feira, 9 de fevereiro de 2015 09:00:41 UTC-2, >> >> >> >>> > Rodrigo >> >> >> >>> > Montoro >> >> >> >>> > (Sp0oKeR) escreveu: >> >> >> >>> >> >> >> >> >>> >> Hi there! >> >> >> >>> >> >> >> >> >>> >> Rule 1002 is triggering because "error" word in the alert >> >> >> >>> >> and >> >> >> >>> >> no >> >> >> >>> >> specific >> >> >> >>> >> decoder for this alert >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> #./ossec-logtest >> >> >> >>> >> >> >> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local >> >> >> >>> >> decoder >> >> >> >>> >> file. >> >> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: >> >> >> >>> >> 28969). >> >> >> >>> >> ossec-testrule: Type one log per line. >> >> >> >>> >> >> >> >> >>> >> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client >> >> >> >>> >> 37.128.148.180] ModSecurity: Access denied with code 403 >> >> >> >>> >> (phase >> >> >> >>> >> 1). >> >> >> >>> >> Match of >> >> >> >>> >> "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. >> >> >> >>> >> [file >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] >> >> >> >>> >> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing >> >> >> >>> >> Content, >> >> >> >>> >> but >> >> >> >>> >> Missing Content-Type header"] [severity "NOTICE"] [ver >> >> >> >>> >> "OWASP_CRS/2.2.9"] >> >> >> >>> >> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] >> >> >> >>> >> [uri >> >> >> >>> >> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"] >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> **Phase 1: Completed pre-decoding. >> >> >> >>> >> full event: '[Mon Feb 09 00:11:26.954264 2015] >> >> >> >>> >> [:error] >> >> >> >>> >> [pid >> >> >> >>> >> 4242] >> >> >> >>> >> [client 37.128.148.180] ModSecurity: Access denied with code >> >> >> >>> >> 403 >> >> >> >>> >> (phase 1). >> >> >> >>> >> Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" >> >> >> >>> >> required. >> >> >> >>> >> [file >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] >> >> >> >>> >> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing >> >> >> >>> >> Content, >> >> >> >>> >> but >> >> >> >>> >> Missing Content-Type header"] [severity "NOTICE"] [ver >> >> >> >>> >> "OWASP_CRS/2.2.9"] >> >> >> >>> >> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] >> >> >> >>> >> [uri >> >> >> >>> >> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]' >> >> >> >>> >> hostname: 'spookerlabs' >> >> >> >>> >> program_name: '(null)' >> >> >> >>> >> log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid >> >> >> >>> >> 4242] >> >> >> >>> >> [client >> >> >> >>> >> 37.128.148.180] ModSecurity: Access denied with code 403 >> >> >> >>> >> (phase >> >> >> >>> >> 1). >> >> >> >>> >> Match of >> >> >> >>> >> "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. >> >> >> >>> >> [file >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] >> >> >> >>> >> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing >> >> >> >>> >> Content, >> >> >> >>> >> but >> >> >> >>> >> Missing Content-Type header"] [severity "NOTICE"] [ver >> >> >> >>> >> "OWASP_CRS/2.2.9"] >> >> >> >>> >> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] >> >> >> >>> >> [uri >> >> >> >>> >> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]' >> >> >> >>> >> >> >> >> >>> >> **Phase 2: Completed decoding. >> >> >> >>> >> No decoder matched. >> >> >> >>> >> >> >> >> >>> >> **Phase 3: Completed filtering (rules). >> >> >> >>> >> Rule id: '1002' >> >> >> >>> >> Level: '2' >> >> >> >>> >> Description: 'Unknown problem somewhere in the >> >> >> >>> >> system.' >> >> >> >>> >> **Alert to be generated. >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> Rule 1002 >> >> >> >>> >> >> >> >> >>> >> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad >> >> >> >>> >> |illegal >> >> >> >>> >> |denied|refused|unauthorized|fatal|failed|Segmentation >> >> >> >>> >> Fault|Corrupted</var> >> >> >> >>> >> >> >> >> >>> >> <rule id="1002" level="2"> >> >> >> >>> >> <match>$BAD_WORDS</match> >> >> >> >>> >> <options>alert_by_email</options> >> >> >> >>> >> <description>Unknown problem somewhere in the >> >> >> >>> >> system.</description> >> >> >> >>> >> </rule> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> Since this rule is level 2 it's not going to trigger an >> >> >> >>> >> active >> >> >> >>> >> response >> >> >> >>> >> since your config said to alert only level 5 or higher. >> >> >> >>> >> >> >> >> >>> >> More info here >> >> >> >>> >> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ >> >> >> >>> >> >> >> >> >>> >> Looking into Modsecurity rules, there are 2 under apache >> >> >> >>> >> rules >> >> >> >>> >> >> >> >> >>> >> <rule id="30200" level="6" noalert="1"> >> >> >> >>> >> <match>^mod_security-message: </match> >> >> >> >>> >> <description>Modsecurity alert.</description> >> >> >> >>> >> </rule> >> >> >> >>> >> >> >> >> >>> >> <rule id="30201" level="6"> >> >> >> >>> >> <if_sid>30200</if_sid> >> >> >> >>> >> <match>^mod_security-message: Access denied </match> >> >> >> >>> >> <description>Modsecurity access denied.</description> >> >> >> >>> >> <group>access_denied,</group> >> >> >> >>> >> </rule> >> >> >> >>> >> >> >> >> >>> >> But I think need to update to ModSecurity: Access denied >> >> >> >>> >> instead >> >> >> >>> >> of >> >> >> >>> >> mod_security-message: Access denied. >> >> >> >>> >> >> >> >> >>> >> Do you have a raw log different from error ? is this a common >> >> >> >>> >> modsec >> >> >> >>> >> error >> >> >> >>> >> log ? Maybe need to create a decoder for that. >> >> >> >>> >> >> >> >> >>> >> Hope it helps. >> >> >> >>> >> >> >> >> >>> >> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi >> >> >> >>> >> <[email protected]> >> >> >> >>> >> wrote: >> >> >> >>> >>> >> >> >> >>> >>> Hello Rodrigo, >> >> >> >>> >>> Thank you so much for answer me. So, some time ago I've had >> >> >> >>> >>> an >> >> >> >>> >>> installation of ossec with the same configuration, the ossec >> >> >> >>> >>> read >> >> >> >>> >>> the >> >> >> >>> >>> error.log of apache and blocked the attacks on iptables with >> >> >> >>> >>> the >> >> >> >>> >>> active >> >> >> >>> >>> response. I really don't know if something has changed in >> >> >> >>> >>> the >> >> >> >>> >>> last >> >> >> >>> >>> version >> >> >> >>> >>> of ossec, but it does't block any kind of attack (ssh brute >> >> >> >>> >>> force, >> >> >> >>> >>> http >> >> >> >>> >>> attacks, etc). Follow below in attach my ossec.conf and some >> >> >> >>> >>> alerts >> >> >> >>> >>> of >> >> >> >>> >>> alert.conf. My active-responses.log is empty. >> >> >> >>> >>> When I executed the command (cat >> >> >> >>> >>> /var/chroot/var/log/apache2/error.log | >> >> >> >>> >>> /var/ossec/bin/ossec-logtest -a | >> >> >> >>> >>> /var/ossec/bin/ossec-reportd) >> >> >> >>> >>> I >> >> >> >>> >>> received >> >> >> >>> >>> the following message: >> >> >> >>> >>> >> >> >> >>> >>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: >> >> >> >>> >>> 5038). >> >> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local >> >> >> >>> >>> decoder >> >> >> >>> >>> file. >> >> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: >> >> >> >>> >>> 5037). >> >> >> >>> >>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. >> >> >> >>> >>> Creating >> >> >> >>> >>> output... >> >> >> >>> >>> >> >> >> >>> >>> Report completed. == >> >> >> >>> >>> ------------------------------------------------ >> >> >> >>> >>> ->Processed alerts: 3940 >> >> >> >>> >>> ->Post-filtering alerts: 3940 >> >> >> >>> >>> ->First alert: 2015 Feb 09 01:03:00 >> >> >> >>> >>> ->Last alert: 2015 Feb 09 01:03:01 >> >> >> >>> >>> >> >> >> >>> >>> >> >> >> >>> >>> Top entries for 'Level': >> >> >> >>> >>> ------------------------------------------------ >> >> >> >>> >>> Severity 6 >> >> >> >>> >>> |3864 | >> >> >> >>> >>> Severity 13 >> >> >> >>> >>> |76 | >> >> >> >>> >>> >> >> >> >>> >>> >> >> >> >>> >>> Top entries for 'Group': >> >> >> >>> >>> ------------------------------------------------ >> >> >> >>> >>> errors >> >> >> >>> >>> |3940 | >> >> >> >>> >>> syslog >> >> >> >>> >>> |3940 | >> >> >> >>> >>> >> >> >> >>> >>> Top entries for 'Location': >> >> >> >>> >>> ------------------------------------------------ >> >> >> >>> >>> ubuntu->stdin >> >> >> >>> >>> |3940 | >> >> >> >>> >>> >> >> >> >>> >>> >> >> >> >>> >>> Top entries for 'Rule': >> >> >> >>> >>> ------------------------------------------------ >> >> >> >>> >>> 1002 - Unknown problem somewhere in the system. >> >> >> >>> >>> |3864 | >> >> >> >>> >>> 1003 - Non standard syslog message (size too large). >> >> >> >>> >>> |76 | >> >> >> >>> >>> >> >> >> >>> >>> Thank you for your help. >> >> >> >>> >>> >> >> >> >>> >>> >> >> >> >>> >>> Em domingo, 8 de fevereiro de 2015 22:25:22 UTC-2, Rodrigo >> >> >> >>> >>> Montoro >> >> >> >>> >>> (Sp0oKeR) escreveu: >> >> >> >>> >>>> >> >> >> >>> >>>> Hi Ricardo, >> >> >> >>> >>>> >> >> >> >>> >>>> I think modsec isn't apache format, could you share some >> >> >> >>> >>>> alert >> >> >> >>> >>>> samples >> >> >> >>> >>>> from your log file ? >> >> >> >>> >>>> >> >> >> >>> >>>> A good way to test if ossec will work with your log format >> >> >> >>> >>>> is >> >> >> >>> >>>> using >> >> >> >>> >>>> logtest >> >> >> >>> >>>> >> >> >> >>> >>>> >> >> >> >>> >>>> >> >> >> >>> >>>> >> >> >> >>> >>>> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html >> >> >> >>> >>>> >> >> >> >>> >>>> About active-response, how is configured your ossec.conf ? >> >> >> >>> >>>> could >> >> >> >>> >>>> you >> >> >> >>> >>>> share ? Anyway OSSEC won't block any attack, only take some >> >> >> >>> >>>> action >> >> >> >>> >>>> from some >> >> >> >>> >>>> attack. Looking into /var/ossec/log/ you could see under >> >> >> >>> >>>> active-response >> >> >> >>> >>>> log. >> >> >> >>> >>>> >> >> >> >>> >>>> Let me know if this helps. >> >> >> >>> >>>> >> >> >> >>> >>>> Thanks >> >> >> >>> >>>> >> >> >> >>> >>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi >> >> >> >>> >>>> <[email protected]> >> >> >> >>> >>>> wrote: >> >> >> >>> >>>>> >> >> >> >>> >>>>> Hi there guys, >> >> >> >>> >>>>> I'm facing a problem with ossec, I hope you can help me. >> >> >> >>> >>>>> I've >> >> >> >>> >>>>> configured my ossec to monitoring apache and modsecurity's >> >> >> >>> >>>>> log >> >> >> >>> >>>>> of >> >> >> >>> >>>>> my chroot. >> >> >> >>> >>>>> I put the lines below on ossec.conf: >> >> >> >>> >>>>> >> >> >> >>> >>>>> <localfile> >> >> >> >>> >>>>> <log_format>apache</log_format> >> >> >> >>> >>>>> >> >> >> >>> >>>>> >> >> >> >>> >>>>> >> >> >> >>> >>>>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location> >> >> >> >>> >>>>> </localfile> >> >> >> >>> >>>>> >> >> >> >>> >>>>> <localfile> >> >> >> >>> >>>>> <log_format>apache</log_format> >> >> >> >>> >>>>> <location>/var/chroot/var/log/apache2/error.log</location> >> >> >> >>> >>>>> </localfile> >> >> >> >>> >>>>> >> >> >> >>> >>>>> The problem is that ossec doesn't block any attack. I >> >> >> >>> >>>>> received >> >> >> >>> >>>>> the >> >> >> >>> >>>>> ossec's logs normally, but every log has the same ID, like >> >> >> >>> >>>>> this: >> >> >> >>> >>>>> >> >> >> >>> >>>>> Received From: >> >> >> >>> >>>>> Ubuntu->/var/chroot/var/log/apache2/error.log >> >> >> >>> >>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere >> >> >> >>> >>>>> in >> >> >> >>> >>>>> the >> >> >> >>> >>>>> system." >> >> >> >>> >>>>> Portion of the log(s): >> >> >> >>> >>>>> >> >> >> >>> >>>>> Thank you for your attention. >> >> >> >>> >>>>> >> >> >> >>> >>>>> >> >> >> >>> >>>>> -- >> >> >> >>> >>>>> >> >> >> >>> >>>>> --- >> >> >> >>> >>>>> You received this message because you are subscribed to >> >> >> >>> >>>>> the >> >> >> >>> >>>>> Google >> >> >> >>> >>>>> Groups "ossec-list" group. >> >> >> >>> >>>>> To unsubscribe from this group and stop receiving emails >> >> >> >>> >>>>> from >> >> >> >>> >>>>> it, >> >> >> >>> >>>>> send >> >> >> >>> >>>>> an email to [email protected]. >> >> >> >>> >>>>> For more options, visit >> >> >> >>> >>>>> https://groups.google.com/d/optout. >> >> >> >>> >>>> >> >> >> >>> >>>> >> >> >> >>> >>>> >> >> >> >>> >>>> >> >> >> >>> >>>> -- >> >> >> >>> >>>> Rodrigo Montoro (Sp0oKeR) >> >> >> >>> >>>> http://spookerlabs.blogspot.com >> >> >> >>> >>>> http://www.twitter.com/spookerlabs >> >> >> >>> >>>> http://www.linkedin.com/in/spooker >> >> >> >>> >>> >> >> >> >>> >>> -- >> >> >> >>> >>> >> >> >> >>> >>> --- >> >> >> >>> >>> You received this message because you are subscribed to the >> >> >> >>> >>> Google >> >> >> >>> >>> Groups >> >> >> >>> >>> "ossec-list" group. >> >> >> >>> >>> To unsubscribe from this group and stop receiving emails >> >> >> >>> >>> from >> >> >> >>> >>> it, >> >> >> >>> >>> send an >> >> >> >>> >>> email to [email protected]. >> >> >> >>> >>> For more options, visit https://groups.google.com/d/optout. >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> -- >> >> >> >>> >> Rodrigo Montoro (Sp0oKeR) >> >> >> >>> >> http://spookerlabs.blogspot.com >> >> >> >>> >> http://www.twitter.com/spookerlabs >> >> >> >>> >> http://www.linkedin.com/in/spooker >> >> >> >>> > >> >> >> >>> > -- >> >> >> >>> > >> >> >> >>> > --- >> >> >> >>> > You received this message because you are subscribed to the >> >> >> >>> > Google >> >> >> >>> > Groups >> >> >> >>> > "ossec-list" group. >> >> >> >>> > To unsubscribe from this group and stop receiving emails from >> >> >> >>> > it, >> >> >> >>> > send >> >> >> >>> > an >> >> >> >>> > email to [email protected]. >> >> >> >>> > For more options, visit https://groups.google.com/d/optout. >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/d/optout. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
