[ossec-list] Re: ossec server reporting itself as 0.0.0.0 and more

2006-09-13 Thread Meir Michanie
On 9/13/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote: Isn't it better that the dst ip is always the agent (if agent-server) or the machine (if local installation) and the src ip the ip that tries to connect, or 127.0.0.1 if it is something local? I believe that using this way is better to organize inform

[ossec-list] Re: new rules for vpopmail

2006-09-13 Thread Daniel Cid
To execute the active response, ossec needs to know the ip address to block. Did you write a decoder for vpopmail? If you look at /var/ossec/etc/decoder.xm you will see all the ones we currently have. Basically, the decoder extracts the IPs, usernames and other data from the logs. The rules do th

[ossec-list] new rules for vpopmail

2006-09-13 Thread Ceg Ryan
Hi all, I am writing new vpopmail rules to block vpopmail pop3 brute-force attacks. I find logs in alert/2006/Sep/ at level 10 by my new rules. But I could not see the active-response. I did set it to trigger the active-response at level 10 in ossec.conf. What is the problem here?
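The two posts above (the vpopmail question and Daniel's reply that active response needs a decoder to supply the IP) describe the usual chain: decoder extracts srcip, a rule fires on a single failure, a frequency rule escalates repeated failures to the level that active response watches. The fragments below are an added example, not code from this thread or from the OSSEC project. The vpopmail log line is a constructed sample (check it against your own mail log before relying on the regex), and the rule ids 100100-100102 are arbitrary picks from the range reserved for local rules.

```xml
<!-- Added example, not from the ossec-list thread or the OSSEC project.
     Assumes vpopmail logs a POP3 failure through syslog like this
     (constructed sample line, verify against your own mail log):

     Sep 13 10:02:11 mx vpopmail[4121]: vchkpw-pop3: password fail (pass: 'xx') bob@example.com:203.0.113.9
-->

<!-- decoder.xml: parent decoder keyed on the syslog program name -->
<decoder name="vpopmail">
  <program_name>^vpopmail</program_name>
</decoder>

<!-- child decoder: runs only for vpopmail lines that start with the
     failure text, and pulls user and srcip out of "user@domain:ip".
     Without the srcip field there is nothing for active response to block. -->
<decoder name="vpopmail-fail">
  <parent>vpopmail</parent>
  <prematch>^vchkpw-pop3: password fail </prematch>
  <regex offset="after_prematch">(\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml: ids 100100-100102 are assumed, from the 100000+
     range OSSEC reserves for local rules -->
<group name="vpopmail,">
  <rule id="100100" level="0">
    <decoded_as>vpopmail</decoded_as>
    <description>vpopmail messages grouped.</description>
  </rule>

  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>password fail</match>
    <description>vpopmail: POP3 authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- escalates to level 10 once 100101 has matched repeatedly from one
       srcip inside the timeframe; this is the alert an active-response
       block with <level>10</level> reacts to -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>vpopmail: repeated POP3 failures from same source (brute force).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Note that `<same_source_ip />` only works because the child decoder fills `srcip`; a rule that reaches level 10 on a line whose decoder extracted no IP still produces the alert file entry, but the response command receives nothing to block, which is the symptom described in the question.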

[ossec-list] Re: sendmail rules

2006-09-13 Thread Joachim Vorrath
Hi Daniel, those are logfile entries from my mailer! p548CE135.dip.t-dialin.net = @home, mailer = datacenter. Sep 11 18:17:54 www sendmail[27878]: k8BGHr6s027878: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=p548CE135.dip.t-dialin.net [84.140.225.53], reject=550 5.0.0 <[EMAIL PROTECTED]>.

[ossec-list] Re: Help shutting down an alert

2006-09-13 Thread Joel Gray
Daniel, Thank you, that was indeed the issue! On another note, I learned in correcting this that the rules are processed in the order that they are listed in the ossec.conf file. The result was that originally I added the local_rules.xml as my first one this time around and that caused ossec to

[ossec-list] Re: Help shutting down an alert

2006-09-13 Thread Daniel Cid
Do you have the local_rules.xml configured to be included in /var/ossec/etc/ossec.conf? The update probably removed it from there (yes, this is something we need to fix)... Let us know if it fixes it or not. -- Daniel B. Cid dcid ( at ) ossec.net On 9/13/06, Joel Gray <[EMAIL PROTECTED]> wrote:

[ossec-list] Re: Error accessing file /etc/shared/rootkit_files.txt

2006-09-13 Thread Daniel Cid
Hi Amauri, This is a known bug. The latest snapshot fixes it: http://www.ossec.net/files/snapshots/ossec-hids-060912.tar.gz *btw, the directory is correct. Since ossec chroots to /var/ossec, the root directory becomes /var/ossec for every log message. Hope it helps, -- Daniel B. Cid dcid ( a

[ossec-list] Re: IIS W3C Logs

2006-09-13 Thread Daniel Cid
Hi Matt, We added support for IIS W3C extended logs some weeks ago. If you try the latest snapshot it should work. You can get them at: http://www.ossec.net/files/snapshots/ Let us know of any problem.. -- Daniel B. Cid dcid ( at ) ossec.net On 9/13/06, Matthew Martz <[EMAIL PROTECTED]> wrot

[ossec-list] Re: Use of "levels" in rules and active-response

2006-09-13 Thread Daniel Cid
Hi Forrest, Inside a rule, the "level" specifies the severity of the rule. For example, a rule with severity "2" is not very security relevant, but a rule with severity "15" may indicate a severe problem. However, in the active-response, the "level" indicates the lowest level at which to execute the respons

[ossec-list] Re: Active Response White List

2006-09-13 Thread Daniel Cid
Hi Leonardo, Check out this section in the wiki FAQ (I just added to answer your question, since I know more users will want to know about it): http://www.ossec.net/wiki/index.php/Know_How:White_list Hope it helps, -- Daniel B. Cid dcid ( at ) ossec.net On 9/13/06, Leonardo Goldim <[EMAIL PR
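Daniel's two replies above (rule level as severity versus active-response level as a threshold, and the white list for addresses that must never be blocked) together with the earlier exchange about local_rules.xml having to be included in ossec.conf describe settings that all live in one file. The ossec.conf fragment below is an added example, not configuration from this thread or shipped by the OSSEC project; the include list is shortened, and 192.0.2.10 and 192.168.0.0/16 are placeholder addresses.

```xml
<!-- Added example, not from the ossec-list thread or the OSSEC project.
     Shortened ossec.conf; addresses in <white_list> are placeholders. -->
<ossec_config>
  <global>
    <!-- hosts that active response must never block, whatever the level -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
    <white_list>192.168.0.0/16</white_list>
  </global>

  <rules>
    <!-- rules load in the order listed; keep local_rules.xml last so it
         can override the stock rules, and re-add it if an upgrade drops it -->
    <include>rules_config.xml</include>
    <include>syslog_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <!-- the command declares which decoded field it needs; if the decoder
       did not extract srcip there is nothing to pass and no block happens -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- <level> here is a threshold, not a severity: every alert whose rule
       level is 10 or higher triggers this response, so a level 10 rule and
       a level 16 rule both fire it, unless the srcip is white-listed -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The practical check after editing: restart ossec, trigger the rule from a test host that is not white-listed, and confirm the block in /var/ossec/logs/active-responses.log; then repeat from a white-listed address and confirm the alert still appears while no block is logged.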

[ossec-list] Re: ossec server reporting itself as 0.0.0.0 and more

2006-09-13 Thread Leonardo Goldim
Isn't it better that the dst ip is always the agent (if agent-server) or the machine (if local installation) and the src ip the ip that tries to connect, or 127.0.0.1 if it is something local? I believe that using this way is better to organize information at BASE, right? --

[ossec-list] Active Response White List

2006-09-13 Thread Leonardo Goldim
Hello everyone, how can I make a white list so that active response doesn't block some IPs? Thanks -- Leonardo Goldim - Auditoria Intranetworks [EMAIL PROTECTED] Intranetworks Rua Marquês do Pombal 1710/805 Porto Alegre - RS - 90540-000 +55 51 3325-570

[ossec-list] Use of "levels" in rules and active-response

2006-09-13 Thread Forrest Aldrich
What is the difference between using <level> in the <rule> and <active-response> areas? If I set a <rule> at level="16", then my expectation would be that the same value would apply to the active-response - or I wonder why I have that option in <active-response> to begin with. Or is this just finer granularity in specifying a different priority f

[ossec-list] IIS W3C Logs

2006-09-13 Thread Matthew Martz
I am looking for support to monitor IIS W3C Logs. I am not sending a sample because there appears to be one on your wiki. Thanks! -- - Matt Martz - [EMAIL PROTECTED] Network Engineer Swift Systems, Inc. - Your True Technology Partner www.Swift

[ossec-list] Re: Multiple agents configuration

2006-09-13 Thread Leonardo Goldim
I think that an agent sending alerts to multiple ossec servers, and this server sending email to group A or group B according to the source agent, is a good and very useful idea ... Is this feature on the TODO list? Thanks -- Leonardo Goldim - Auditoria

[ossec-list] Re: "Integrity checksum of file 'XXX' has changed again (third time). Ignoring it."

2006-09-13 Thread Forrest Aldrich
Might be useful to have a Changes file or something that lists the new features added. Or are you doing this online somewhere? I'd like to learn how to use auto_ignore and alert_new_files. Daniel Cid wrote: Hi Roald, This is only available in the latest snapshot. http://www.ossec.net/f

[ossec-list] Re: ossec server reporting itself as 0.0.0.0 and more

2006-09-13 Thread Meir Michanie
Well, well, well. I configured remote servers to send syslog straight to ossec and then I got a similar log entry as you reported. I corrected ossec2mysql in order to parse the log entry. ** Alert 1158059536.19220030: nomail 2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32 Rule: 5109 (level 4) ->

[ossec-list] Help shutting down an alert

2006-09-13 Thread Joel Gray
Hi all, I'm getting an alert on an internal server that, at one point, I had been able to ignore. Recently I moved the logs that apache (win32 version) uses to a different drive for space considerations and since doing so have begun getting the alert again. The reason I wish to ignore the alert

[ossec-list] Error accessing file /etc/shared/rootkit_files.txt

2006-09-13 Thread Amauri Tiago Marx
Hello all, (sorry for my English) After upgrading ossec to version 9.1a, I see in logs: 2006/09/13 11:25:00 /etc/shared/rootkit_files.txt: Error accessing file '(null)' 2006/09/13 11:25:00 /etc/shared/rootkit_trojans.txt: Error accessing file '(null)' 2006/09/13 11:37:22 /etc/shared/rootkit_

[ossec-list] Re: sendmail rules

2006-09-13 Thread Daniel Cid
Hi Joachim, Can you show a few log samples to us? If your smtp server is reporting it as spam and denying the e-mail, ossec will attempt to block the IP if it repeats too often. Btw, why are you denying e-mail from yahoo? :) Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 9/12/06, Joachim V

[ossec-list] Re: ossec server reporting itself as 0.0.0.0 and more

2006-09-13 Thread Meir Michanie
The dst is taken from the '->' line. The src is taken from the 'src ip' line; if the alert has src ip none then I substitute that with 0.0.0.0. The destination IP value should be parsed in the future by ossec-hids. In the meantime dst IP is parsed as I described before. If the alert host (the dst ip) is not an I

[ossec-list] ossec server reporting itself as 0.0.0.0 and more

2006-09-13 Thread Vitor Correia
Hello everyone, this question is specific to ossecgui. Does anyone know in which situations or under what conditions an ossec server will/can report itself as being 0.0.0.0, or report itself as being the agent's ip? This is happening especially with ssh connections from machine1 to ossec serve