Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread Patrick
The log of apache 2.4.20_1 on FreeBSD is much more complex than the decoder expects, so the standard config can't understand it. I added this instruction to the prematch of the apache-errorlog decoder, and now the decoder can understand the log *^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client

[ossec-list] OSSEC-abnormal-behavior-active-repsonse

2016-05-19 Thread James Siegel
I have a set of subnets that are whitelisted. The server and agents were installed quite some time ago and are on 2.81. The server and the agents have been restarted at various times over the past months as part of update/patching processes. The conf file was not changed during those time

[ossec-list] Re: white list specific ip on active response

2016-05-19 Thread James Siegel
Active response is acting up abnormally in 2.8.1 Active response is enabled. Subnets are whitelisted in ossec.conf on the server. The server and the agents have all been restarted over the past few months during patching cycles. Last week my boss was locked out by active response while

Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread dan (ddp)
On Thu, May 19, 2016 at 9:25 AM, Patrick wrote: > Thanks so much Dan. > The error was simple, but I couldn't see it. Thanks so much. > I edited the decoder and now the action works. What changes did you make to the decoder? They might be able to be put into the

Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread Patrick
Thanks so much Dan. The error was simple, but I couldn't see it. Thanks so much. I edited the decoder and now the action works. On Wednesday, 18 May 2016 15:49:12 UTC-3, dan (ddpbsd) wrote: > On Wed, May 18, 2016 at 2:33 PM, Patrick Müller wrote:

Re: [ossec-list] Re: Repeated offenders?

2016-05-19 Thread Xavier Mertens
Thanks for the tips! I'll test again following your advice... /x On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote: > Hi, > I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response

[ossec-list] Re: Repeated offenders?

2016-05-19 Thread Jesus Linares
Hi, I guess that your command needs an IP, so if your rule *xxx* doesn't have the field *srcip* extracted (by the proper decoder) the active-response will not work. Also, keep in mind that *repeated_offenders* must be in *ossec.conf* of *every agent* (*shared/agent.conf* or

[ossec-list] Re: Windows Defender Decoder ?

2016-05-19 Thread Jesus Linares
Hi Brent, your rules are in OSSEC by default (with other IDs, why?) but you added a few new rules. Could you send a PR to OSSEC or Wazuh with your new rules? Thanks. On Wednesday, May 18, 2016 at 8:38:16 PM UTC+2, Rob B wrote:

[ossec-list] reindexing logs

2016-05-19 Thread Maxim Surdu
Hi dear community, I had a problem with Logstash. After I resolved it I saw that logs are missing in Kibana. How can I resolve the problem and reindex all my logs into Kibana? I would be thankful if someone could help me step by step. I appreciate your help, and a lot of respect for the developers

[ossec-list] Repeated offenders?

2016-05-19 Thread Xavier Mertens
Hi *, I'm trying to implement a new active-response rule for a specific event (1 rule ID). It must be implemented with the tag. Problem: I have multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeated offenders are not applied). Any idea to debug