I am trying to harden our instances, but I find that after applying
these controls the agent can no longer contact the agent via UDP.
I'm still trying to figure out exactly which bit is to blame. Has anybody
else used the CIS controls on the same instance as OSSEC?
.(agent_name) agent_ip->syscheck.cpt
If I remember correctly, this is a hidden file that OSSEC uses to identify
when it has finished writing the syscheck database into the syscheck file.
The "cpt" file extension stands for completed, meaning that the syscheck scan
has finished.
This is on top
Agree with Daniel. Just want to add another clarification:
When you choose the server profile, it installs the OSSEC manager and agent
components, meaning that you can also monitor your local system. No need to
choose hybrid mode unless you plan to forward data to another OSSEC manager.
On Thu,
On Feb 25, 2016 9:27 PM, "James Stallard" wrote:
>
> All:
>
> 1st time on board, and I know this sounds like a rookie question, but... I
> did have OSSEC running ok in another AWS environment, now with the upgrade to
> 2.7-2.8.2 in a new env, am having problems
>
> I've just
All:
1st time on board, and I know this sounds like a rookie question, but... I
did have OSSEC running ok in another AWS environment, now with the upgrade to
2.7-2.8.2 in a new env, am having problems
I've just installed the 2.8.3 agent & server on CentOS 6.7 (Marketplace
version, hardened).
On Thu, Feb 25, 2016 at 9:37 AM, Barry Kaplan wrote:
> Ok, is this something that would be considered for change? In our
> environment there is no guarantee that nodes will remain on the same IP. For
> this we use consul and dnsmasq to lookup DNS names.
>
Sure, we would
On Tue, Feb 23, 2016 at 11:57 AM, Rui Zhang wrote:
> It is interesting that symlink works for ossec.conf under etc folder, but
> doesn't work for client.keys under etc folder for agent type.
>
It all depends on when the file is read. Perhaps ossec.conf is opened
before the
On Mon, Feb 22, 2016 at 6:09 PM, Abhi wrote:
> Hi,
>
> I am trying to get report_changes working for the /etc directory. After
> enabling it, along with the real-time option, the agent correctly logs all the
> changes immediately under "/var/ossec/queue/diff/local/etc/".
Interesting. We maintain a few compliance standards (not PCI) so I will
look into it for sure.
On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote:
>
> You are welcome! I'll upload it into some website or repository folder.
>
> It is simple but it works, in the future I will
On Thu, Feb 25, 2016 at 1:50 PM, thak wrote:
> I've seen similar topics, so apologies if this has been answered several
> times but I want to make sure I get guidance for the most recent version!
>
> Loving OSSEC so far having set it up in our environment a few days ago.
>
On Thu, Feb 25, 2016 at 1:53 PM, Pedro Sanchez wrote:
> You are welcome! I'll upload it into some website or repository folder.
>
> It is simple but it works, in the future I will extract too the PCI
> compliance requirement of every rule. If you need the rules with PCI
>
I personally use it mostly on very busy servers to limit the number of
events being sent by the agent to the manager.
Say a very busy web server that generates thousands of logs per second.
Instead of sending all events centrally, I use the hybrid mode to do the
initial analysis locally and only
You are welcome! I'll upload it into some website or repository folder.
It is simple but it works, in the future I will extract too the PCI
compliance requirement of every rule. If you need the rules grouped by PCI
requirement, try out the Wazuh Ruleset.
Regards,
Pedro S.
On Thu, Feb 25, 2016
I've seen similar topics, so apologies if this has been answered several
times but I want to make sure I get guidance for the most recent version!
Loving OSSEC so far having set it up in our environment a few days ago.
However, rule 1002 is particularly chatty given our Apache error logs.
Whoa, that's awesome! Thanks sir.
On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>
> Hi thak,
>
> I made a quick Python script that can help you out. It lists all the rules
> on /var/ossec/rules. Output example:
>
> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple
Hi,
I am not able to understand when I should use hybrid mode.
I have one server and 4 agents.
My server also has many applications and a web server which I want to
monitor, along with the web servers and other applications on the agents.
Therefore should I go for
1) hybrid on server and agent on
Well, I guess you can change the apache log format or improve/overwrite the
decoders.
Regards.
Jesus Linares.
On Thursday, February 25, 2016 at 6:18:08 PM UTC+1, James Culver wrote:
>
> Thank you, this is helpful. Now it works with and without GET parameters.
> However, it only works if Apache
Thank you, this is helpful. Now it works with and without GET parameters.
However, it only works if Apache records a hostname and not just "-" in the
hostname position. And Apache doesn't always do that (in fact, in our logs,
it never does it).
On Thursday, February 25, 2016 at 9:42:17 AM
Keep in mind that rule 31108 is for HTTP codes 2xx and 3xx. If you want to
log that request with 4xx or 5xx codes you should add these rules (31101,
31120...).
It's working, but I'm thinking of a better way to do this.
Regards.
Jesus Linares.
On Thursday, February 25, 2016 at 5:36:34 PM
That is because with GET parameters it is not a simple query (rule 31108):
**Phase 1: Completed pre-decoding.
full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500]
"GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200
Text...'
hostname: 'LinMV'
Thanks. I have tested your version of the rule, and it works *so long as*
there aren't GET parameters in the requested URI.
For example, the following request triggers an alert:
1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
Ok, is this something that would be considered for change? In our
environment there is no guarantee that nodes will remain on the same IP.
For this we use consul and dnsmasq to lookup DNS names.
For now I will hard code server_hostname to the DNS of the ossec server. At
least that value
I have added the following rules to local_rules.conf:
31100
requeststringtest.php
request string test 2
alert_by_email
100060
request string test 2
alert_by_email
but OSSEC doesn't care at all. It counts the rules as being enabled, but no
matter how
Hi thak,
I made a quick Python script that can help you out. It lists all the rules
on /var/ossec/rules. Output example:
mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp
rules.
hordeimp_rules.xml
Hi,
I tried, nothing changed.
But after a few hours the client started to work... weird.
And now, three other clients have stopped working, they are in the "Disconnected"
state.
It is strange because the agent's log says: ossec-agentd(4102): INFO:
Connected to the server (192.168.7.212:1514)
No error
Hi team,
Agents are named like '(agent_name) agent_ip->syscheck', right?
Sometimes I come across these files in my syscheck folder:
(agent_name) agent_ip->syscheck-registry
> .(agent_name) agent_ip->syscheck.cpt
What are they exactly? Are they just internal temporary files? Should
Hi Barry,
If I understood correctly, you need to resolve the DNS name to an IP address more
than once; unfortunately it seems like OSSEC won't do it.
At the very first start, OSSEC reads the file ossec.conf, when detecting a
Hi,
I don't know if it is what you need, but Wazuh has a script to update the
ruleset (rules, decoders and rootchecks). Also, this script lets you make a
backup of /var/ossec/etc and /var/ossec/rules, and you can restore from
the script.
Ruleset repository
I have a situation where ossec.conf is set with before
the DNS entry is set. From what I can tell so far the result of the initial
dns lookup is kept forever, requiring the agent to be restarted. Is it the
case that a failed DNS will never be retried?
BTW, I'm pretty sure it's not any caching