Re: [ossec-list] How to purge/remove/delete data older than a specific date from within the database

2011-02-22 Thread Dimitris Chontzopoulos
Hey Tanishk, I'm OK with the log files, it's the database I'm trying to remove older events from. Dimitris -Original Message- From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Tue Feb 22 02:26:23 2011 Subject: Re: [ossec-list] How to purge/remove/delete data

[ossec-list] whitelist domain names

2011-02-22 Thread Steve
I've been looking for a way to add domains to the whitelist to prevent active-response. I can see similar questions have been asked but I can not find any with an answer. The issue is active-response taking action against a web crawler (Google, etc) if they attempt to crawl many pages that no

RE: [ossec-list] OSSEC and Cloud Systems

2011-02-22 Thread jeff jennings
me too - works just fine! Jeff -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Monday, February 21, 2011 8:44 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] OSSEC and Cloud Systems I use OSSEC on my

RE: [ossec-list] How to purge/remove/delete data older than a specific date from within the database

2011-02-22 Thread Dimitris Chontzopoulos
Hey Dan, It seems to me that data regarding events are stored/referenced in multiple tables. This stops me from just deleting data from a single table as it could affect the rest of the data inside the other tables and end up with an out-of-sync database. Unless I'm horribly mistaken that is.

Re: [ossec-list] whitelist domain names

2011-02-22 Thread Doug Burks
One possible solution for this would be to whitelist the crawler's User Agent by doing the following: -determine the User Agent that the bot is sending with the request -determine which rule(s) are triggering the Active Response -write new child rule(s) that match the User Agent of the bot and
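A worked version of Doug's procedure, added here as an example and not taken from the thread: a local child rule that matches the crawler's User-Agent under the rule that fires the Active Response. The parent rule id 31151 (OSSEC's web_rules.xml rule for multiple 400 errors from one source) and the Googlebot string are assumptions for illustration; substitute the rule id and User-Agent you found in the first two steps.

```xml
<!-- /var/ossec/rules/local_rules.xml: added example, not from the thread.
     Assumes the Active Response is fired by rule 31151 ("Multiple web server
     400 error codes from same source ip" in web_rules.xml); replace it with
     the rule id you actually see in alerts.log. The User-Agent substring is
     an assumed value; take the real one from your access log. -->
<group name="local,web,">
  <!-- Local rules live in the 100000-119999 range. Level 0 means no alert
       is raised for this event, so no Active Response is triggered. -->
  <rule id="100100" level="0">
    <if_sid>31151</if_sid>
    <!-- <match> is a substring test on the whole log line, which for an
         access-log entry includes the User-Agent field. -->
    <match>Googlebot/</match>
    <description>Ignore 400-error floods from a whitelisted crawler</description>
  </rule>
</group>
```

Two caveats: the User-Agent is chosen by the client, so anyone can send "Googlebot/" to dodge the Active Response, which is why a `<match>` on a header is a convenience rather than a security control; if you can pin the crawler to known source addresses, `<srcip>` in the same rule, or the `<white_list>` entries under `<global>` in ossec.conf (which take IP addresses, not domain names, hence Steve's original problem), are the stronger options.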

Re: [ossec-list] Alert level 10 Still combining alerts

2011-02-22 Thread Kovac
Yes Dan, worked great thanks again! dan (ddp) ddp...@gmail.com 2/21/2011 8:53 PM Did this help? On Fri, Feb 18, 2011 at 2:27 PM, ko...@mnr.org wrote: Ok, I understand, I haven't changed the maxperhour. I will do that Thank You !

Re: [ossec-list] OSSEC and Cloud Systems

2011-02-22 Thread dan (ddp)
On Tue, Feb 22, 2011 at 5:32 AM, carlopmart carlopm...@gmail.com wrote: On 02/22/2011 02:44 AM, dan (ddp) wrote: I use OSSEC on my systems running on esxi. It works just fine for me. Uhmmm, under ESXi?? or ESX?? How did you install it?? Compiling on another host and transferring binaries to

[ossec-list]

2011-02-22 Thread Ruta Jn
Hi, I need help. How to use the Splunk *nix app to monitor multiple UNIX/LINUX servers? Regards, John

[ossec-list] centralized management

2011-02-22 Thread Joel Brooks
Hi guys, I'm just getting started with ossec. So far, it seems like a great tool! I need to deploy this in a centralized management configuration. I'm reading through the docs and experimenting in a lab. One thing I'm not clear on is what gets configured on the agents vs. what gets

Re: [ossec-list] centralized management

2011-02-22 Thread dan (ddp)
Hi Joel, On Tue, Feb 22, 2011 at 10:58 AM, Joel Brooks jbro...@oddelement.com wrote: Hi guys, I'm just getting started with ossec.  So far, it seems like a great tool! I need to deploy this in a centralized management configuration.  I'm reading through the docs and experimenting in a lab.

[ossec-list] Copying OSSEC installation?

2011-02-22 Thread jplee3
Hey all, One of the sysengs here was complaining about how having GCC on a publicly accessible server is insecure, etc. I partly agree, except couldn't we just install GCC, then install OSSEC, then remove GCC? Anyway, that's beside the point... I wanted to ask, if it is possible, how one would

Re: [ossec-list] Copying OSSEC installation?

2011-02-22 Thread dan (ddp)
I'm going to try not to be too snarky with my response (not directed at you, but at the installing gcc is insecure! mentality). Emphasis on try. ;) On Tue, Feb 22, 2011 at 1:49 PM, jplee3 jpl...@gmail.com wrote: Hey all, One of the syseng's here was complaining about how having GCC on a

Re: [ossec-list] Copying OSSEC installation?

2011-02-22 Thread Jeremy Lee
That's what I thought :) I stopped chatting with him after several more exchanges and am just going to have another engineer install it. He must be in a bad mood today :P On Tue, Feb 22, 2011 at 11:08 AM, dan (ddp) ddp...@gmail.com wrote: I'm going to try not to be too snarky with my response

RE: [ossec-list] Copying OSSEC installation?

2011-02-22 Thread Castle, Shane
Dan sez: I haven't tried the binary install methods, but I don't remember seeing many issues with it. I have, when I wanted to install an agent on a hardened Linux from a vendor, and when I wanted to install on some of our self-hardened systems. What I learned is that if the target is x64 then

Re: [ossec-list] Copying OSSEC installation?

2011-02-22 Thread Jeremy Lee
As luck would have it, the same engineer was assigned to the ticket I opened! :D *sigh* Guess I'll be trying the binary-install method. On Tue, Feb 22, 2011 at 11:34 AM, Jeremy Lee jpl...@gmail.com wrote: That's what I thought :) I stopped chatting with him after several more exchanges and

[ossec-list] Re: Copying OSSEC installation?

2011-02-22 Thread Joel Brooks
Hey, there's an entry in the FAQ about this... http://www.ossec.net/wiki/Know_How:BinaryInstall J On Feb 22, 2:38 pm, Jeremy Lee jpl...@gmail.com wrote: As luck would have it, the same engineer was assigned to the ticket I opened! :D *sigh* Guess I'll be trying the binary-install method.

Re: [ossec-list] Re: Copying OSSEC installation?

2011-02-22 Thread Jeremy Lee
Thanks guys. Got it. The binary install worked perfectly. So hopefully I won't hear any more whining in the near future On Tue, Feb 22, 2011 at 12:01 PM, Joel Brooks jbro...@oddelement.comwrote: Hey, there's an entry in the FAQ about this...

Re: [ossec-list] Re: Copying OSSEC installation?

2011-02-22 Thread dan (ddp)
They'll just whine about something else. ;) On Tue, Feb 22, 2011 at 3:24 PM, Jeremy Lee jpl...@gmail.com wrote: Thanks guys. Got it. The binary install worked perfectly. So hopefully I won't hear any more whining in the near future On Tue, Feb 22, 2011 at 12:01 PM, Joel Brooks

Re: [ossec-list] Re: Copying OSSEC installation?

2011-02-22 Thread Jeremy Lee
Exactly... like why OSSEC needs to be installed and if we can uninstall it :) On Tue, Feb 22, 2011 at 12:34 PM, dan (ddp) ddp...@gmail.com wrote: They'll just whine about something else. ;) On Tue, Feb 22, 2011 at 3:24 PM, Jeremy Lee jpl...@gmail.com wrote: Thanks guys. Got it. The binary

RE: [ossec-list] Re: Copying OSSEC installation?

2011-02-22 Thread jeff jennings
:) -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Tuesday, February 22, 2011 3:35 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Re: Copying OSSEC installation? They'll just whine about something else.

[ossec-list] Question about agent.conf settings

2011-02-22 Thread Dj
I am trying to use the agent.conf on the server to push out client specific rules for each of my hosts. I am specifically looking at configuring specific realtime integrity checking for directories. I have configured the agent.conf file as: agent_config name=system1 localfile syscheck

Re: [ossec-list] Question about agent.conf settings

2011-02-22 Thread dan (ddp)
Hi Dj, On Tue, Feb 22, 2011 at 4:11 PM, Dj secur...@dejno.net wrote: I am trying to use the agent.conf on the server to push out client specific rules for each of my hosts.  I am specifically looking at configuring specific realtime integrity checking for directories.  I have configured the

[ossec-list] Re: Question about agent.conf settings

2011-02-22 Thread Dj
/facepalm Thanks for the quick response. For some reason I was (mis)thinking the localfile was a tag related to the agent's local system, but I should have known better... I will give that a try and it will most likely resolve the issue. On Feb 22, 4:22 pm, dan (ddp) ddp...@gmail.com
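For reference, the shape of a per-agent realtime syscheck entry in the manager's shared agent.conf, added here as an example rather than quoted from Dj's or Dan's messages. The agent name system1 is the one from Dj's post; the directory list and frequency are assumed values.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager: added example.
     <syscheck> sits directly under <agent_config>. <localfile> is the
     element for collecting a log file, not a wrapper for settings that
     apply to the agent's local system, which is what went wrong above.
     Directories and frequency are assumed values for illustration. -->
<agent_config name="system1">
  <syscheck>
    <!-- Full scan interval in seconds; realtime events arrive in between. -->
    <frequency>7200</frequency>
    <!-- realtime="yes" needs inotify support compiled into the agent. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>
```

The `name` attribute targets one agent; `os` and `profile` attributes select groups of agents instead. The file is pushed to agents by the manager and takes effect after the agent has received it and been restarted, so a missing change is usually a stale copy on the agent rather than a syntax problem.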

[ossec-list] Frequency and Timeframe

2011-02-22 Thread jplee3
Has anybody done much testing with the frequency and timeframe parameters in various rulesets? I'm trying to get it to work with SSH logins and am having issues. This is in reference to alerts 5712 and 5720 specifically. The SSH server I'm testing this on is pretty busy - I noticed that the

[ossec-list] Active Response... yet again

2011-02-22 Thread jplee3
Okay, so I was able to get 5720 to fire consistently. But now I'm having issues with AR working (again). This time the server is getting the alerts from the OSSEC agent (as normal) and it is in fact firing 5720: ** Alert 1298415206.1338076638: mail - syslog,sshd,authentication_failures, 2011 Feb

[ossec-list] Re: Frequency and Timeframe

2011-02-22 Thread jplee3
Never mind, I don't know what happened. There must have been a small typo somewhere. I was trying to get this working with Active Response and nothing would work. I at least got 5720 to trigger first and then ended up re-writing the AR in ossec.conf and testing with another rule to make sure AR

[ossec-list] ossec server behind nat?

2011-02-22 Thread Joel Brooks
Hi gang, I'm wondering if there are any tricks to getting ossec working when the server is behind a NAT. Here's the case: I have some linode servers that I'd like to monitor with ossec. The ossec server is in the office behind a NATting firewall. The ossec agent on the linode boxes is configured