Re: [ossec-list] ossec service stops immediately after start

2012-08-21 Thread Kholidy
What about the evaluation using specific attacks? Are there any rules available online for some kinds of attacks like DOS or SQL injection? Has anyone evaluated OSSEC against some attacks and got alerts that explain that there is an attack detected? Right now, we get only alerts

Re: [ossec-list] OSSEC and syslog message severity level

2012-08-21 Thread Kholidy
What about the evaluation using specific attacks? Are there any rules available online for some kinds of attacks like DOS or SQL injection? Has anyone evaluated OSSEC against some attacks and got alerts that explain that there is an attack detected? Right now, we get only alerts

[ossec-list] 2.5.1

2012-08-21 Thread Michael Barrett
Anyone know where I can download version 2.5.1 server? Can only find 2.6 on the OSSEC site but need the 2.5.1 version. Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation 270 E. Kilbourn Ave. | Milwaukee,

Re: [ossec-list] 2.5.1

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 10:52 AM, Michael Barrett michael_barr...@mgic.com wrote: Anyone know where I can download version 2.5.1 server? Can only find 2.6 on the OSSEC site but need the 2.5.1 version. Michael Barrett | Information Security Analyst

Re: [ossec-list] OSSEC and syslog message severity level

2012-08-21 Thread dan (ddp)
How is this related to this thread? Why did you post this same message multiple times? On Tue, Aug 21, 2012 at 7:12 AM, Kholidy hisham.doc...@gmail.com wrote: What about the evaluation using specific attacks? Are there any rules available online for some kinds of attacks like DOS or SQL

Re: [ossec-list] Re: which module in metasploit can i use to test ossec attack rules

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 7:03 AM, Kholidy hisham.doc...@gmail.com wrote: What about the evaluation using specific attacks? Are there any rules available online for some kinds of attacks like DOS or SQL injection? Has anyone evaluated OSSEC against some attacks and got alerts that

Re: [ossec-list] ossec service stops immediately after start

2012-08-21 Thread dan (ddp)
How is this related to this thread? Why did you post this same message multiple times? On Tue, Aug 21, 2012 at 7:02 AM, Kholidy hisham.doc...@gmail.com wrote: What about the evaluation using specific attacks? Are there any rules available online for some kinds of attacks like DOS or SQL

Re: [ossec-list] 2.5.1

2012-08-21 Thread Michael Barrett
We are working on 2.6. Here is the issue. I have one Windows 2003 agent that can't talk to the server. No firewalls. Windows ossec.log: 2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392). 2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission... 2012/08/21

Re: [ossec-list] 2.5.1

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 11:05 AM, Michael Barrett michael_barr...@mgic.com wrote: We are working on 2.6. Here is the issue. I have one Windows 2003 agent that can't talk to the server. No firewalls. Windows ossec.log: 2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).

Re: [ossec-list] firewall -- ossec via UDP 514 : WARN: Message from 10.5.4.1 not allowed.

2012-08-21 Thread dan (ddp)
On Fri, Aug 17, 2012 at 5:49 PM, JB jjoob...@gmail.com wrote: The allowed value for remote connection is either 'secure' or 'syslog' according to http://www.ossec.net/doc/syntax/head_ossec_config.remote.html It seems strange that you have both values in your ossec.conf. Try to get rid of the

Re: [ossec-list] Incorrectly formatted message errors.

2012-08-21 Thread dan (ddp)
On Mon, Aug 20, 2012 at 7:38 AM, bw bw.mail.li...@gmail.com wrote: Deleted everything (rm -rf /var/ossec /etc/ossec-init.conf /etc/init.d/ossec), got 7987046f6bb1 from JBCheng's repo, that should be latest at this time, installed it on server with only one agent, the least busy one, no

Re: [ossec-list] 2.5.1

2012-08-21 Thread Michael Barrett
Is this the only agent on this network? Could there be a networking device messing things up in between? Is this the only host having issues? Is the server listening on multiple networks? What does v2.5.1 have to do with this? No, this isn't the only host. The server is only listening on one IP

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-21 Thread Shaka Lewis
I ran the debug and here is the output: 2012/08/20 17:06:18 ossec-rootcheck: INFO: Ending rootcheck scan. 2012/08/20 18:56:28 ossec-logcollector: socketerr (not available). 2012/08/20 18:56:28 ossec-logcollector(1224): ERROR: Error sending message to queue. 2012/08/20 18:56:29 ossec-logcollector:

Re: [ossec-list] 2.5.1

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 11:18 AM, Michael Barrett michael_barr...@mgic.com wrote: Is this the only agent on this network? Could there be a networking device messing things up in between? Is this the only host having issues? Is the server listening on multiple networks? What does v2.5.1 have

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 11:19 AM, Shaka Lewis shaka.le...@gmail.com wrote: I ran the debug and here is the output: 2012/08/20 17:06:18 ossec-rootcheck: INFO: Ending rootcheck scan. 2012/08/20 18:56:28 ossec-logcollector: socketerr (not available). 2012/08/20 18:56:28 ossec-logcollector(1224):

Re: [ossec-list] 2.5.1

2012-08-21 Thread dan (ddp)
I've temporarily made a copy I had stashed somewhere available at: http://devio.us/~ddp/ossec/ossec-hids-2.5.1.tar.gz On Tue, Aug 21, 2012 at 11:18 AM, Michael Barrett michael_barr...@mgic.com wrote: Is this the only agent on this network? Could there be a networking device messing things up

Re: [ossec-list] 2.5.1

2012-08-21 Thread Michael Barrett
Unfortunately, with 500 machines to roll out and a lot of other work to do, I can't do everything at once. Will a 2.6 agent be able to talk to a 2.5.1 server? Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance

Re: [ossec-list] 2.5.1

2012-08-21 Thread Michael Barrett
So if re-installing doesn't work, any ideas of what I can try? Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 |

Re: [ossec-list] 2.5.1

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 12:36 PM, Michael Barrett michael_barr...@mgic.com wrote: So if re-installing doesn't work, any ideas of what I can try? Could there be a networking device messing things up in between? Is this the only system having

Re: [ossec-list] 2.5.1

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 12:35 PM, Michael Barrett michael_barr...@mgic.com wrote: Unfortunately, with 500 machines to roll out and a lot of other work to do, I can't do everything at once. Will a 2.6 agent be able to talk to a 2.5.1 server? Maybe,

[ossec-list] clearing ossec db

2012-08-21 Thread Gil Vidals
How can I clear the ossec db for the active responses? I'm not using MySQL for ossec. I have installed whatever the default db is. I don't need to clear the syschecks; instead I want to clear the active responses. Is there a way to do this? -- Gil Vidals CONFIDENTIALITY NOTICE: The

Re: [ossec-list] clearing ossec db

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 1:37 PM, Gil Vidals gvid...@gmail.com wrote: How can I clear the ossec db for the active responses? I'm not using MySQL for ossec. I have installed whatever the default db is. I don't need to clear the syschecks; instead I want to clear the active responses. Is there

Re: [ossec-list] Visualizing the Ruleset

2012-08-21 Thread JB
Interesting! For example, OSSEC rules may be visualized similarly to the program profile shown at http://www.graphviz.org/content/profile . It looks like we just need to convert OSSEC rules into this format: http://www.graphviz.org/Gallery/directed/profile.gv.txt . On Monday, August 20,

Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan

2012-08-21 Thread Shaka Lewis
The ossec processes running at this point are execd, logcollector, and monitord. analysisd crashed and here is the output: Program received signal SIGSEGV, Segmentation fault. [Switching to process 26814] 0x in ?? () Missing separate debuginfos, use: debuginfo-install

Re: [ossec-list] clearing ossec db

2012-08-21 Thread Gil Vidals
Dan, can you tell me specifically what file to clear AND will this resolve the following condition: 1) active response drops an IP as planned 2) sysadmin restarts the firewall (which clears all the IP drop rules) 3) ossec believes the drop is still in place, but it isn't! Gil Vidals On Tue,

Re: [ossec-list] clearing ossec db

2012-08-21 Thread dan (ddp)
On Tue, Aug 21, 2012 at 2:50 PM, Gil Vidals gvid...@gmail.com wrote: Dan, can you tell me specifically what file to clear AND will this resolve the following condition: 1) active response drops an IP as planned 2) sysadmin restarts the firewall (which clears all the IP drop rules) 3) ossec

Re: [ossec-list] clearing ossec db

2012-08-21 Thread Gil Vidals
Dan, we have active response set to 1 hr, 1 day, 1 week, so assuming the IP is being blocked for one week and iptables is reset in the middle of the week by the sysadmin, then the IP we thought was being blocked is actually not being blocked. Here is a clearer explanation: Monday - block

Re: [ossec-list] Visualizing the Ruleset

2012-08-21 Thread Xavier Mertens
+1 for GraphViz! Sent from my iPad On 21 Aug 2012, at 19:55, JB jjoob...@gmail.com wrote: Interesting! For example, OSSEC rules may be visualized similarly to the program profile shown at http://www.graphviz.org/content/profile . It looks like we just need to convert OSSEC rules into

Re: [ossec-list] Re: ossec-analysisd core dumps on Solaris 10

2012-08-21 Thread Jim
Any hope of getting to the bottom of this? Let me know if more info would help. --JIM On Friday, August 17, 2012 7:56:44 PM UTC-4, Jim wrote: Dan, here is the backtrace from GDB, but I am not sure that tells much more than mdb had. Program terminated with signal 11, Segmentation

Re: [ossec-list] clearing ossec db

2012-08-21 Thread Jason Frisvold
On Aug 21, 2012, at 3:46 PM, Gil Vidals wrote: Dan, we have active response set to 1 hr, 1 day, 1 week, so assuming the IP is being blocked for one week and iptables is reset in the middle of the week by the sysadmin, then the IP we thought was being blocked is actually not being