[ossec-list] Reading Log Files with Funky, "Random" Filenames

2012-04-23 Thread Decker Christopher
All, OSSEC is working beautifully for me but I have two outlier log files that I'm having issues with: A COTS product is writing out logs with a filename of %pid%.log, and new child processes are constantly being created. I've read through the vendor documentation and the filename does not see

Re: [ossec-list] Problems installing under CentOS5

2012-04-23 Thread Christopher Moraes
check that the file libbfd-2.14.90.0.4.s is present in /usr/lib and is readable. On Mon, Apr 23, 2012 at 8:43 AM, dan (ddp) wrote: > On Sat, Apr 21, 2012 at 11:00 AM, carlopmart wrote: > > Hi all, > > > > I am trying to install ossec agent on a CentOS5 (full

Re: [ossec-list] OSSEC can check the directory /dev ?

2012-04-23 Thread Christopher Moraes
I tested it and it works. OSSEC does not throw any errors. However, you will have to make sense of the alerts it generates. On Mon, Apr 23, 2012 at 8:34 AM, dan (ddp) wrote: > I don't see why not. A lot of it might be ignored by default since on > some systems /dev is fairly dynamic. > > 2012/

Re: [ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread C. L. Martinez
Ok, many thanks dan ... On Mon, Apr 23, 2012 at 3:29 PM, dan (ddp) wrote: > You would need to define it in the manager's ossec.conf, just like all > other active responses. Then the script will have to be installed on > the systems you want it to run on. > > On Mon, Apr 23, 2012 at 9:08 AM, C. L.

Re: [ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread dan (ddp)
You would need to define it in the manager's ossec.conf, just like all other active responses. Then the script will have to be installed on the systems you want it to run on. On Mon, Apr 23, 2012 at 9:08 AM, C. L. Martinez wrote: > On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) wrote: >> On Mon, Apr

Re: [ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread C. L. Martinez
On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) wrote: > On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez wrote: >> Because for example for the sample that I have exposed... How can I >> use active response to block access to certain port that has been >> started by a daemon without admin permission??

Re: [ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread dan (ddp)
On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez wrote: > Because for example for the sample that I have exposed... How can I > use active response to block access to certain port that has been > started by a daemon without admin permission?? > Your example doesn't offer any specific port, but ins

Re: [ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread C. L. Martinez
Because, for example, for the sample that I have exposed... How can I use active response to block access to a certain port that has been started by a daemon without admin permission? On Mon, Apr 23, 2012 at 2:44 PM, dan (ddp) wrote: > Why couldn't you use active response for this? > > On Mon, Apr 2

Re: [ossec-list] Suckit rootkit

2012-04-23 Thread dan (ddp)
What version of OSSEC? Does the md5 or sha for /sbin/init match what it should? On Sun, Apr 22, 2012 at 8:41 AM, Mike Sievers wrote: > Hi List, > > on my opensuse 12.1 I found: > Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' > (Suckit rootkit). > I hope this is false posi

Re: [ossec-list] first time user logged in from a new location

2012-04-23 Thread dan (ddp)
On Fri, Apr 20, 2012 at 4:33 PM, mtw wrote: > I am very fond of this rule: > > Rule: 10100 fired (level 7) -> "First time user logged in." > > Could you help me with a new rule that would trigger each time a user logged > in from a new location (IP address)?   I know that the fts-queue file holds

Re: [ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread dan (ddp)
Why couldn't you use active response for this? On Mon, Apr 23, 2012 at 5:19 AM, C. L. Martinez wrote: > Hi all, > >  Is it possible to launch an action or script when an alert rule is > triggered?? Like occurs with active response but using rules. For > example: using netstat sample in OSSEC manu

Re: [ossec-list] on restart analysisd high CPU usage

2012-04-23 Thread dan (ddp)
On Fri, Apr 20, 2012 at 11:36 AM, Valentin Avram wrote: > Hello and thanks for the quick replies. > > On Fri, Apr 20, 2012 at 6:01 PM, Christopher Moraes > wrote: >> >> Yes, that reminds me - >> >> Do you have any "Large" files being scanned with syscheck?  I just ran a >> test of syscheck monito

Re: [ossec-list] Problems installing under CentOS5

2012-04-23 Thread dan (ddp)
On Sat, Apr 21, 2012 at 11:00 AM, carlopmart wrote: > Hi all, > >  I am trying to install ossec agent on a CentOS5 (full updated) and > install.sh returns me this error: > > make[1]: Entering directory `/tmp/x/ossec-hids-2.6/src/os_xml' > gcc -DXML_VAR=\"var\" -g -Wall -I../ -I../headers > -DDEFAU

Re: [ossec-list] rules by server and local_rules.xml

2012-04-23 Thread dan (ddp)
On Mon, Apr 23, 2012 at 4:51 AM, ignasr wrote: > > > On Friday, April 20, 2012 5:34:13 PM UTC+3, dan (ddpbsd) wrote: >> >> >> >> > 2. Main group in local_rules.xml is >> > >> > >> > If I add >> > >> > >> > to the end of the file, I get xml errors and ossec-analysisd doesn't >> > start. >> > Do

Re: [ossec-list] OSSEC can check the directory /dev ?

2012-04-23 Thread dan (ddp)
I don't see why not. A lot of it might be ignored by default since on some systems /dev is fairly dynamic. 2012/4/20 Michel Henrique Aquino Santos : > Hi, the OSSEC can check the directory /dev > > rule: > > ... > /dev > ... > > Thanks! > -- > Att, > > Michel Henrique Aquino Santos > Bacharelado e

[ossec-list] Re: List blocked IPs without using iptables

2012-04-23 Thread Joel Oliveira
Thanks for your input BP9906. It seems to me that OSSEC works this way by design, but I would like it if someone could please explain to me why it isn't so simple to check a list of blocked IPs. In my opinion this would be a feature request asked by a lot of users, but instead I can't find anywhere o

[ossec-list] Executing an action or script when a rule is triggered

2012-04-23 Thread C. L. Martinez
Hi all, Is it possible to launch an action or script when an alert rule is triggered? Like what occurs with active response, but using rules. For example: using the netstat sample in the OSSEC manual: full_command netstat -tan |grep LISTEN|grep -v 127.0.0.1 and rule: 530 ossec: outpu

Re: [ossec-list] rules by server and local_rules.xml

2012-04-23 Thread ignasr
On Friday, April 20, 2012 5:34:13 PM UTC+3, dan (ddpbsd) wrote: > > > > > 2. Main group in local_rules.xml is > > > > > > If I add > > > > > > to the end of the file, I get xml errors and ossec-analysisd doesn't > start. > > Does that mean that all overwritten rules must go to the first grou