Re: [ossec-list] OSSEC agent on windows laptops that will be out of the network

2017-01-25 Thread Kirk
Has there been any further thought on this issue? I am in the same boat. On Wednesday, September 14, 2016 at 12:43:56 AM UTC-5, Vilius wrote: > > Jesus, > > when question is should I send alert into the void or into archive, there > are cases when archiving is a better option. > > Vilius > > On

RE: [ossec-list] Realtime integrity monitoring

2010-04-19 Thread Kirk Frankovich
What version of Linux are you running? Kernel support for the real time feature wasn't added until 2.6, which means RHEL 4.x doesn't support it. -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Brad Hazledine Sent: Monday, April 19,

[ossec-list] Monitoring Windows Hosts Files Only (no registry)

2009-12-14 Thread Kirk Frankovich
Greetings, I tried to setup a Windows Agent with only files and no registry entries listed in ossec.conf. When I do this, the agent refuses to start. If I put just one registry entry in the config file, it starts. Is this a bug or by design? Thank you, Kirk Frankovich -- Confidentiality

RE: [ossec-list] Possible agent_control bug

2009-12-11 Thread Kirk Frankovich
the agent_control command a few times. Is there any debugging I can turn on to see what is actually happening when I issue the command? Thank you, Kirk -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of ddp...@gmail.com Sent: Thursday

[ossec-list] Possible agent_control bug

2009-12-10 Thread Kirk Frankovich
I filed a report on the uservoice site, but I wanted to post this to the mailing list to see if anyone else has seen this or knows of this. This morning I deployed OSSEC live for the first time. I installed the server and connected two agents. Once everything was up and communicating, I ran

[ossec-list] Agent Control From OSSEC Server

2009-11-17 Thread Kirk Frankovich
initiate a scan. My question is: Is there a delay between issuing the command and the agent actually starting a scan or should this occur immediately? Why would I be seeing such behavior? Thank you. Kirk Frankovich Systems Administrator 847.427.5223 - Direct 847.489.4717 - Cell

[ossec-list] Agent Control From OSSEC Server

2009-11-17 Thread Kirk Frankovich
From: Kirk Frankovich Sent: Tuesday, November 17, 2009 8:58 AM To: 'ossec-list@googlegroups.com' Subject: Agent Control From OSSEC Server Greetings, I have a quick question with regards to controlling an agent from the master server. When I run the following command ./agent_control -r

[ossec-list] Realtime and Agent Restart

2009-11-12 Thread Kirk Frankovich
restart for that matter) before starting realtime monitoring? Thank you very much. Kirk Frankovich Systems Administrator 847.427.5223 - Direct 847.489.4717 - Cell kfrankov...@fortdearborn.com Fort Dearborn Company 1530 Morse Ave Elk Grove Village, IL 60007 -- Confidentiality

[ossec-list] SMS Email Format Customization

2009-11-02 Thread Kirk Frankovich
information in both the subject and body so that I can process it correctly. Could someone please let me know if this is possible and if so, where can I find the config? Thank you very much!

[ossec-list] Realtime and recursive subfolders

2009-07-07 Thread Kirk Frankovich
? This is a fresh install on OSSEC 2.1.1 on CentOS 5.3 32bit. Thank you.

[ossec-list] Re: OSSEC v2.1 released

2009-07-06 Thread Kirk Frankovich
Is there a document on using the real-time integrity checking? I cannot find how to enable it. Thank you very much.

[ossec-list] Re: OSSEC v2.1 released

2009-07-06 Thread Kirk Frankovich
install on OSSEC 2.1.1 on CentOS 5.3 32bit. Thank you. -----Original Message----- From: ossec-list@googlegroups.com

[ossec-list] Re: Newbie Questions

2009-05-07 Thread Kirk Frankovich
Michael, Thank you very much. One more quick question for you. Which global option is that? I am not finding it in the config or in the online guide. I would like to have OSSEC alert anytime it finds a file that has changed. Thank you.

[ossec-list] Re: Newbie Questions

2009-05-06 Thread Kirk Frankovich
I am just curious why there is a separate check for file changed a second time? What happens when it changes again and again? Is there a rule for that? Thank you.

[ossec-list] Re: Composite Rule

2008-07-02 Thread Kirk Larsen
I moved the rule to the local_rules.xml file and have renumbered it appropriately. And I restarted ossec. Here is what I added to the local_rules.xml file: <group name="authentication_failures,"> <rule id="100031" level="10" frequency="1" timeframe="240"> <if_matched_sid>18130</if_matched_sid>

[ossec-list] Composite Rule

2008-06-30 Thread kirk
Forgive me, but I'm new to ossec. I'm trying to construct a composite rule to alert me on 3 or more invalid login attempts via TermServ. I am seeing rule 18130 come through in my WUI, but when I try to create a composite rule, it never is triggered. Here is what I'm placing at the end of

[ossec-list] port to Digital Alpha V4.0G Rev 1530 - aka tru64

2008-02-05 Thread Dr Christopher S Kirk
(first use in this function) make[1]: *** [net] Error 1 make[1]: Leaving directory `/home/usr/local/ossec-hids-1.4/src/os_net' Error Making os_net make: *** [all] Error 1 Error 0x5. Building error. Unable to finish the installation. -- Dr C S Kirk -- http://www.fastmail.fm - Access all