I was given responsibility of an OSSEC server with OSSEC 3.2 installed on
Ubuntu 18.04. On startup maild is segfaulting in libc-2.27.so. Is anyone
else seeing this? I can't answer any questions on how the server was
built. Any options besides rebuilding?
--
---
You received this message
Easiest is to write a local rule using the Match directive. Example:
Found TLS version Lower than V1.2
You can use ossec-logtest to verify the results.
Was it helpful?
On Friday, May 4, 2018 at 7:23:08 PM UTC-4, DG wrote:
>
> Hi,
>
> I am a total newb to ossec so I apologize ahead of time. I
Have you looked at the ossec.log on your SO server? It might tell you if
there is an issue. I've had issues with NAT and the server was not
recognizing the IP.
On Friday, April 6, 2018 at 5:42:28 AM UTC-4, quentin mallet wrote:
>
> Greetings everyone,
>
> I have a distributed setup with the
There is a little-documented feature in OSSEC called lists. It allows you to
create a list of IPs for specific rules. I use them a lot.
Here is the link to the OSSEC documentation on lists:
http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-lists.html
Bill
On Tuesday, March 27, 2018 at
If you look in the logs directory on the clients, it will show you the
commands that are run to add and remove IPs.
On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
>
> Hi,
>
> I would like to know for how long OSSEC "stores" the blocked IP so
> that it is considered
By default, 10 minutes. But you can change it.
Add this to the ossec.conf on the client machines. The values are in
seconds and you can adjust them:
600,3600,7200,14400
On Friday, March 23, 2018 at 10:20:54 AM UTC-4, Ricardo Almeida wrote:
>
> Hi,
>
> I would like to know for how long
Hey Chuck,
I have not actually tried to decode any Oracle logs. But have you used
the ossec-logtest utility? I have used it to debug several application
logging issues. You can pipe entire logs into it to see how ossec handles
it. But for me, I start off simple. Start ossec-logtest, then
We monitor a large variety of sites using ossec.
We were asked to monitor a Centos 7.2 site that is using journalctl.
Does Ossec 2.8.1 support log monitoring on a system using journalctl?
If not, will 2.9 or any later version at sometime support it?
We have an OSSEC 2.8.1 server with around 140 Linux clients with agents
installed. We recently added another Linux client/agent. The new agent is
unable to connect. The server reports the message it is getting from the
agent is garbled. I have reinstalled/regenerated keys several times on the
Thank you!! It's in install.sh. I would have never thought to look there.
On Thursday, May 7, 2015 at 3:33:20 PM UTC-4, Bill Price wrote:
I would like to modify the source code so the netstat option is different
in the ossec.conf. We add a couple of greps to filter out some connections
we
Do you have any suggestions on what module would need to be modified?
On Thursday, May 7, 2015 at 3:33:20 PM UTC-4, Bill Price wrote:
I would like to modify the source code so the netstat option is different
in the ossec.conf. We add a couple of greps to filter out some connections
we
Yes
On Thursday, May 7, 2015 at 3:33:20 PM UTC-4, Bill Price wrote:
I would like to modify the source code so the netstat option is different
in the ossec.conf. We add a couple of greps to filter out some connections
we are not interested in. It would be nice if I could modify
install.
Bill Price
What I have done is write specific rules for different source IP addresses
(srcip).
On Monday, March 30, 2015 at 10:38:49 AM UTC-4, pver...@cruiseplanners.com wrote:
Hi all, I'm relatively new to Ossec and I believe I understand the process of
writing custom rules. One of the issues I'm running
It was the active response log files. Someone had recommended we monitor
them to generate emails when active response was triggered. We stopped
monitoring them and email calls to the active response scripts.
Thanks
Bill
On Wednesday, March 4, 2015 at 2:32:51 PM UTC-5, Bill Price wrote:
My
It was Salt that was changing it.
On Friday, February 27, 2015 at 10:26:59 AM UTC-5, Bill Price wrote:
We have an account on one of our servers that uses one of the user accounts
listed in the bad list. I deleted it from the bad list twice before I
realized something was putting it back
on what could be causing this behaviour?
Bill Price
Yes, they are being logged and email notifications are being sent.
On Wednesday, March 4, 2015 at 2:32:51 PM UTC-5, Bill Price wrote:
My project is going through some penetration testing and I am occasionally
observing some unusual behaviour with respect to active-response. Active
Yes, they are being logged and email notifications are being sent. Yes,
the rule ids are the same: 601/603 block, 602/604 unblock. No, there is no
sign of activity on the manager that would explain this behaviour.
On Wednesday, March 4, 2015 at 2:32:51 PM UTC-5, Bill Price wrote:
My project
It appears that CIDR notation cannot be used in rules for srcip. If this
is true, is there any way to designate blocks of IP addresses for srcip in
rules?
too.
And the ossec server process is restarted so the changed rule is loaded.
Bill Price
I am trying to add some rules for our esxi 5.5 servers. I am seeing some
pre-decoder behaviour I don't understand. In two nearly identical messages
the pre-decoder gives me different results.
For the following message:
2014-12-30T06:39:20.007Z cpu16:747537)World: 14302: VC opID hostd-b7af maps to
Thanks, but I already tried that also.
On Tuesday, December 16, 2014 8:20:08 AM UTC-5, dan (ddpbsd) wrote:
On Mon, Dec 15, 2014 at 4:51 PM, Bill Price billpric...@gmail.com wrote:
Thanks, but still no joy.
On Monday, December 15, 2014 3:18:43 PM UTC-5, Bill Price wrote:
'
program_name: '(null)'
log: 'snmpd[1469]: last message repeated 23 times'
How do you handle a program name of '(null)' in the decoder?
Bill Price
Thanks, but still no joy.
On Monday, December 15, 2014 3:18:43 PM UTC-5, Bill Price wrote:
I'm trying to decode the following message:
Dec 11 06:27:14 snmpd[1469]: last message repeated 23 times.
The pre-coding phase of ossec-logtest reports:
**Phase 1: Completed pre-decoding
I was asked to set up decoders and rules on a client. When I run
ossec-test, I get the following error message:
rules_list: Category '1' not found. Invalid 'category'
All the categories in the rules xml are the standard ones (ids, syslog,
firewall, web-log, squid, ossec or windows).
Any ideas?
I ran ossec-logtest
On Tuesday, December 2, 2014 2:24:06 PM UTC-5, dan (ddpbsd) wrote:
On Tue, Dec 2, 2014 at 2:22 PM, Bill Price billpric...@gmail.com wrote:
I was asked to set up decoders and rules on a client. When I run
ossec-test, I get the following error message
Thank you. I've learned that the -d option supplies similar information.
On Monday, December 1, 2014 1:49:54 PM UTC-5, dan (ddpbsd) wrote:
On Mon, Dec 1, 2014 at 1:45 PM, Bill Price billpric...@gmail.com wrote:
When I run /var/ossec/bin/ossec-logtest -f, I get
# /var
to ossec.conf. I was told that the installation was fresh, but there could be
a chance someone else has changed something.
On Tuesday, December 2, 2014 2:32:42 PM UTC-5, dan (ddpbsd) wrote:
On Tue, Dec 2, 2014 at 2:29 PM, Bill Price billpric...@gmail.com wrote:
I ran ossec-logtest
OSSEC HIDS v2.8 - Trend Micro Inc.
On Tuesday, December 2, 2014 2:32:42 PM UTC-5, dan (ddpbsd) wrote:
On Tue, Dec 2, 2014 at 2:29 PM, Bill Price billpric...@gmail.com wrote:
I ran ossec-logtest
You made no changes to the OSSEC rules or decoders? Very strange, I haven't
No. I get: ossec-testrule(1220): ERROR: Error loading the rules: 'rules_config.xml'
On Tuesday, December 2, 2014 2:49:38 PM UTC-5, dan (ddpbsd) wrote:
On Tue, Dec 2, 2014 at 2:46 PM, Bill Price billpric...@gmail.com wrote:
I initially made changes to local_rules.xml.
I grepped Category in the rules directory and only found the standard
ones. Anywhere else I should search?
On Tuesday, December 2, 2014 3:04:06 PM UTC-5, dan (ddpbsd) wrote:
On Tue, Dec 2, 2014 at 2:49 PM, Bill Price billpric...@gmail.com wrote:
OSSEC HIDS v2.8 - Trend Micro
, Bill Price billpric...@gmail.com wrote:
No. I get: ossec-testrule(1220): ERROR: Error loading the rules: 'rules_config.xml'
Do you have:
<rules>
<include>rules_config.xml</include>
in your ossec.conf?
Or is that file missing from /var/ossec/rules?
On Tuesday
When I run /var/ossec/bin/ossec-logtest -f, I get:
# /var/ossec/bin/ossec-logtest -f
/var/ossec/bin/ossec-logtest: invalid option -- 'f'
OSSEC HIDS v2.8
ossec-testrule: -[Vatfdh] [-U ut_str] [-u user] [-g group] [-c config] [-D dir]
It's a new installation and I am trying to set up some new