On Fri, Sep 22, 2017 at 6:22 PM, Kris Springer
wrote:
> Hi, I've got OSSEC agent v2.9.0 running on some Windows servers and clients
> of various versions and receive the default alerts through a Security Onion
> server. All is well from the defaults, but I'd like to
On Sat, Sep 23, 2017 at 4:08 PM, wrote:
> Q1) Will the following searches return the same results? SEARCH 1: ssh
> error SEARCH 2: ssh AND error. True or False
I think splunk's default search is an "OR," but it's been a while (and
of course my local install is acting
On Mon, Sep 25, 2017 at 4:08 AM, Robert Necela wrote:
> Hello, I have a message with the character "`", but I can't write a rule with such
> a character. \. -> For anything not working, and I can't find this character in
> \p -> ()*+,-.:;<=>?[]!"'#$%&|{} (punctuation characters)
>
>
On Tue, Sep 26, 2017 at 12:41 PM, James Stallard
wrote:
> Help anyone:
> OK, I'm at a loss
> Running version:
> # ./ossec-analysisd -V
> OSSEC HIDS v2.8 - Trend Micro Inc.
> CentOS release 6.7 (Final)
> On AWS
>
> I've distributed the keys by hand via manage_agents
> and
On Fri, Sep 15, 2017 at 3:03 AM, wrote:
> Hi,
> I have 5 Windows Server 2008 machines and they boot the same image. How can I use
> OSSEC for them? Installing it on the image makes no sense in my view. I
> know there is an option to use remote monitoring with OSSEC. Where
On Tue, Sep 12, 2017 at 12:09 AM, vikas wrote:
> Hi All,
>
> I am trying to collect only syscheck and rootcheck logs, and not the
> eventlogs in windows or any other log files in unix. I see some /var/log
> file locations declared in ossec.conf for linux that I can comment
On Mon, Sep 4, 2017 at 3:57 AM, Tirumala Raja Siriki
wrote:
> Hi Dan,
>
> The false positives are as follows,
>
> Rule 18138: The Account Name is one of our Associate account, and alert got
> triggered for this.
>
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote:
I wondered about that but verify-agent-conf didn't complain so I thought it
was valid. I guess that means regex is only valid in rules?
Rules and decoders are the only places that come to mind at the moment.
On
On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison
wrote:
> I'm having trouble getting an ignore expression to actually ignore a change
> and suspect it's due to not understanding how OSSEC regular expressions
> work. When I searched for examples I found very little so
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki
wrote:
> Email levels are at enough priority; I am getting emails now after stopping
> alerting from RDP. I have multiple RDP hosts where the agent is installed and I get
> a lot of false alerts from RDPs, for Authentication
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote:
>>> hey,
>
> I have added the rule in local_rules.xml file in way as in the
> attached image..
> After adding the rule, i have restarted OSSEC services. But I get
> the following errors:
>
On Aug 25, 2017 11:32 AM, "Carlos Islas" wrote:
Hi dan,
Sorry, I'm a newbie with that kind of command. How can I kill the instance?
I usually use `pkill ossec-remoted`
You can also use `ps` to get the pid (or look for the pid in /var/ossec
somewhere) and kill it that
On Aug 24, 2017 6:28 PM, "Carlos Islas" wrote:
Hello dan,
Yes, it is remoted. Here is the result for netstat:
root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*
root@vknxsegfim:/var/ossec/logs#
Ok, so only 1
PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >
> >
> > On Aug 24, 2017 4:40 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
> >
> > Hello, ok
>
> > I simply want to t
On Aug 24, 2017 5:20 PM, "Carlos Islas" wrote:
Hello,
I am having this issue when I execute the command ./ossec-remoted
ossec.log:
2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port
On Aug 24, 2017 4:40 AM, "Ritu Soni" wrote:
Hello,
I simply want to test the rule for a DDoS attack, which was discussed
previously:
local_rules.xml:
attacks|attack|automatic_attack
Attacks from same source IP
But this is not working.
On Aug 23, 2017 6:18 AM, "Ritu Soni" wrote:
Hello,
My work requirement is that OSSEC should generate an alert "Attack
Detected" when a request from the same IP address is received by the server
3 or more times within 300 seconds.
I have done changes in
On Aug 22, 2017 5:26 PM, wrote:
I have about 25 OSSEC clients (v2.9.0) in my environment. For over half of
them, the client will show under the ~OSSEC Windows Agent Manager~ "No
Information Available". If I try to start the agent, it says "unable to
start agent
On Aug 22, 2017 12:52 PM, "Leroy Tennison" wrote:
Hopefully a final question about this: I notice the default manager's
agent.conf has a configuration simply for os="linux" (and windows) as well
as one which has no qualifier. I'm assuming those configurations apply to
all
On Aug 22, 2017 11:55 AM, "Leroy Tennison" wrote:
Thank you for your reply, sadly, that's exactly what I've done (doubled
up). I'll go fix that. Correct me if I'm wrong but, from your reply, it
appears that I need to examine both the manager's agent.conf as well as
On Aug 21, 2017 4:58 PM, "Leroy Tennison" wrote:
I'm hoping to implement a constraint where, if disk space used (on a
specific tree such as /home) changes by more than a certain percent then it
will trigger an alert. I have a controlled environment (PCI) where delta
On Fri, Aug 18, 2017 at 1:58 PM, Tray wrote:
> Thanks for the response. So is there an account that will ssh into the
> target machine? and if so is it using keys instead of a password?
>
On the OSSEC manager, the ossec account will ssh to the agentless
system using
On Aug 18, 2017 8:35 AM, "Tray" wrote:
Hello,
I am new to OSSEC however, it will be set up in my environment and I am
trying to get an idea of what it takes to set up the agentless ossec. What
will be needed for the install/configuration on the target system?
An
On Aug 18, 2017 8:35 AM, "Gabriele Lagana"
wrote:
Hello,
I'm trying to understand if the keys stored in the client.keys file are
encrypted or not, and if they are encrypted which is the encryption
algorithm used.
I hope someone here can help me.
I don't think they
On Mon, Aug 14, 2017 at 11:47 AM, leroy.tennison
wrote:
> If documentation exists I haven't found it. setup-windows wants a directory
> name and, when supplied, "processes" the directory (whatever that means,
> lots of messages scroll by but nothing changes in
ssec 2.8.3.
> Richard
>
> On Tuesday, July 19, 2016 at 1:14:03 PM UTC-6, Kumar G wrote:
>>
>> Thanks Dan.
>>
>> Let me check with the new code and see.
>>
>> On 19 July 2016 at 23:27, dan (ddp) <ddp...@gmail.com> wrote:
>>>
>>> On
ues compiling on ubuntu
>
>
>
> On Tuesday, July 19, 2016 at 1:14:03 PM UTC-6, Kumar G wrote:
>
>> Thanks Dan.
>>
>> Let me check with the new code and see.
>>
>> On 19 July 2016 at 23:27, dan (ddp) <ddp...@gmail.com> wrote:
>>
>&g
piling on ubuntu
On Tuesday, July 19, 2016 at 1:14:03 PM UTC-6, Kumar G wrote:
> Thanks Dan.
>
> Let me check with the new code and see.
>
> On 19 July 2016 at 23:27, dan (ddp) <ddp...@gmail.com> wrote:
>
>> On Tue, Jul 19, 2016 at 1:32 PM, Kumar Mg <mkg...@gmail.com> w
On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth wrote:
> Dear Group!
>
> I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> the Windows Event Log from its own log source. I've also enabled the logall option.
> Logtest is working. I'm currently getting and parsing the
OSSEC 2.9.2 has been released. This is mostly a bug-fix/rules update release.
Thank you to everyone who has contributed time and effort into the
project, it is truly appreciated!
Get it here: https://github.com/ossec/ossec-hids/releases/tag/2.9.2
Changelog
Release Maintainers
Dan Parriott
On Mon, Aug 7, 2017 at 10:49 AM, Carlos Islas wrote:
>
> Thank you Dan,
>
> Sorry, but I'm still confused. I don't want to do something that makes this
> situation worse. Do you have any idea how to fix the error?
>
2 temporary fixes are to either stop the OSSEC server processes,
On Fri, Aug 4, 2017 at 11:59 AM, Carlos Islas wrote:
> Hi!
>
> The manager doesn't have an agent. The alerts came from the other host.
>
> root@vknxsegfim:/var/ossec/bin# ./agent_control -lc
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: vknxsegfim
On Fri, Aug 4, 2017 at 2:57 AM, Fredrik Hilmersson
wrote:
> Hello,
>
> I would like some help and pointers to create a decoder. So I ran the line
> from the access log (see below). What I would like to accomplish is to
> match: python-requests/2.2.1 However as you
On Wed, Aug 2, 2017 at 7:19 AM, Stephen Crow wrote:
> Can this be changed to use TCP instead of UDP? I have the same issue but I
> don't think changing the default buffer size is a good idea
>
Yes, just add tcp support to agentd and remoted.
Wazuh may already have this,
On Wed, Aug 2, 2017 at 5:21 AM, LGuerra wrote:
> Hi guys,
>
> I think that my server isn't collecting/analyzing all agent messages. A few
> days ago I turned off a huge log source and OSSEC started showing a lot more
> events from the other sources. My guess is that lots of
On Jul 23, 2017 8:08 AM, wrote:
My /var/ossec/queue/diff/ folder is over 2GB. I don't understand why this
happens.
It looks like you have the syscheck diff option set.
A. Is it ok to just delete this folder?
You should be able to prune the contents.
B. How could I
On Sat, Jul 22, 2017 at 5:59 AM, Marcin Gołębiowski
wrote:
> Good day to you all,
> I have a problem with OSSEC/Slack integration. OSSEC version 2.9.0 For an
> unknown reason, the ossec-slack script fires hundreds of Curl processes when
> sending data from
On Fri, Jul 21, 2017 at 5:27 AM, wrote:
> Hi all,
>
> I am new to OSSEC. I would like to monitor processes through OSSEC. My plan is
> to get a notification if someone starts any new process or stops/kills
> any process.
> Can someone help me
>
If there is a way
On Thu, Jul 20, 2017 at 2:53 PM, Bob Boklewski
wrote:
> I have two issues.
>
> 1. I cannot get rule 18107 in the msauth_rules.xml file to generate an
> alert, unless I put it as a local rule. This prebuilt rule should work.
> 2. I am trying to monitor successful
On Thu, Jul 20, 2017 at 2:04 AM, Akash Munjal wrote:
> Hi Dan,
>
> If I add or delete a file in a particular folder on the Windows agent desktop,
> I want to see their addition or deletion log on server/manager side.
>
If the directory is monitored by OSSEC (as defined with
On Jul 20, 2017 12:50 PM, "John Wojda" wrote:
I'm trying to setup ossec hids for deployment to the macOS environment.
I went through the documentation
On Wed, Jul 19, 2017 at 11:46 AM, Akash Munjal wrote:
> Hi All,
>
> Can I monitor a particular folder on the desktop of my Windows agent?
>
> If yes, then how can it be done? Also I want to monitor a particular
> drive (C:).
>
Define "monitor." Do you mean syscheck
On Fri, Mar 3, 2017 at 2:04 PM, Aryn Nakaoka wrote:
> How do I get OSSEC to log the IP of failed RDP Logins?
>
What do you mean "log the IP?" Is the IP address in the log?
Does it not get identified by the decoding process?
>
>
> On Monday, October 7, 2013 at 12:24:38 PM
On Mon, Jul 10, 2017 at 4:49 AM, Kazim Koybasi wrote:
> Hello,
> I am trying to restart all agents and start syscheck and rootcheck, but I
> cannot achieve it with the commands below. I use a centralized agent.conf at the manager,
> and whenever I change the agent.conf file I should
On Sun, Jul 9, 2017 at 8:58 PM, Roman Romanov <558...@gmail.com> wrote:
> Hello, how can I disable IPv6 for ossec-remoted? Such a construction doesn't
> work:
>
>
> secure
> 0.0.0.0
>
>
>
>
> because I have this netstat's output:
> udp6 0 0 0.0.0.0:1514
On Jul 9, 2017 7:51 AM, "Roman Romanov" <558...@gmail.com> wrote:
Hello,
after upgrading from OSSEC 2.8.2 to OSSEC 2.9.0:
cd ossec-hids-2.9.0/src
make setprelude
I have an error:
# make setprelude
make: *** No rule to make target 'setprelude'. Stop.
Then I install OSSEC as Server via
On Mon, Jul 3, 2017 at 10:26 PM, Tunguyen wrote:
> I've checked the ossec.conf on server side and agent side, those are all the
> same as yours
> Here is the agent side:
>
> 20,40,60
>
>
> And the server side is the same as above, except that I add
> like this:
>
On Fri, Jul 7, 2017 at 6:11 AM, Jesus Linares wrote:
> I never used it:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
>
> I think it is the time when the event comes to the manager (not the original
> time).
>
Oh, ok. Obviously I have never used
On Fri, Jul 7, 2017 at 4:15 AM, Kazim Koybasi wrote:
> Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried
> with the apache log format and without logformat settings and the results are the
> same. What could be a workaround for that?
>
Provide a log sample of a
On Fri, Jul 7, 2017 at 8:07 AM, chintan shah wrote:
> Hi Guys,
>
> Just wanted to check if anybody has an idea on how to throttle the events in
> OSSEC. I have a situation where there are 20 duplicate alerts within a
> second and I would want to raise only 1 alert for
On Fri, Jul 7, 2017 at 8:10 AM, Irshad Rahimbux
wrote:
> I have done all the configuration in ms-sccm.cfg [existing file in the plugin
> folder].
>
That must be an OSSIM thing. Unrelated to OSSEC.
> But I still don't see anything in alerts.log.
>
Turn on the logall option,
le(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
>
Good to know.
You could try taking the windows decoders out of the newer decoder.xml
file, but that might be a lot of work for little benefit.
>
>
> On 7/6/2017 6:48 PM, dan (ddp) wrote:
>>
>> On Th
decoders.
I think they should be compatible, and you can test them quickly with
ossec-logtest without restarting OSSEC.
>
>
> On 7/6/2017 5:47 PM, dan (ddp) wrote:
>>
>> On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zestys...@gmail.com> wrote:
>>>
>>> D
atch one or more from the following set: 0
> through 9, A through F and x. I guess that's done differently here. :)
>
> Thanks for helping me understand this better.
>
Our regex is weird.
>
> On 7/5/2017 6:45 PM, dan (ddp) wrote:
>>
>> On Mon, Jul 3, 2017 at 11:28 AM, Ian
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '5152'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'workstation'
srcip: '1.2.3.4'
dstip: '5.6.7.8'
**Phase 3: Completed filtering (rules
On Jul 6, 2017 4:38 PM, "Kazim Koybasi" wrote:
I added the config below to etc/shared/agent.conf in the ossec-server home
directory, but there are no alerts on the server. What could I need with this
configuration?
apache
/var/log/httpd/site/site_log
On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote:
> There is a decoder that isn't quite handling some log entries the way I
> need. I want to augment an existing decoder, but apparently I'm not doing
> this correctly.
> Here's an example log entry:
> 2017 Jul 03 11:17:37
On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson
wrote:
> Hello,
>
> Lets say I have a script which runs once every half an hour. With a latency
> difference in about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3.
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown wrote:
> I believe I've figured it out -- I think the decoder isn't matching the full
> log string and is thus stripping the ip address information. Also after
> looking at the regex in the decoder, I've discovered that it doesn't
On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown wrote:
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
> Windows Filtering Platform blocked a packet.
On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen wrote:
> Hi everyone, here is my ossec.conf on the server:
>
>
>
> firewall-drop
> server,all
> 31152
> 600
> 30,60,90,120,150
>
>
> rule 31152 is:
>
>
> 31103
>
> Multiple SQL
On Wed, Jul 5, 2017 at 11:41 AM, Bob Boklewski
wrote:
> Also, what does the "if_sid" match to? I am trying to understand how to
> create custom rules and it seems this "if_sid" is unique and defined
> somewhere. I see that the rule id and description can be whatever
On Wed, Jul 5, 2017 at 11:27 AM, Bob Boklewski
wrote:
> In the OSSEC.conf file I have level 3 logging set. I can't seem to get this
> rule to fire that is a predefined rule in the msauth_rules.xml file. I can
> see in the windows log event id: 4624, but it won't
On Thu, Jun 29, 2017 at 4:08 AM, Rahul Tiwari wrote:
>
> I need to block the user IP after 3 failed login attempts in OSSEC. I
> tried the below in the sshd_rules file
>
>
> 5716
>
> Multiple SSHD authentication failures.
>
On Thu, Jun 29, 2017 at 1:00 AM, Irshad Rahimbux
wrote:
> Dear Team,
>
> I would like to integrate Microsoft SCCM with OSSIM.
>
> All configuration has been done in ms-sccm.cfg [which was already
> available].
>
> Logs are coming to /var/log/alienvault/agent.log but
On Thu, Jun 29, 2017 at 8:40 PM, Patrick Tobin
wrote:
> Not sure if this will help but these are the steps I took to build a binary
> installer for Solaris 10 (I did the same for 2.8.3 and it worked as well):
>
>
>
> Compile OSSEC on Solaris 10 with OPENSSL Support
>
On Thu, Jun 29, 2017 at 5:17 PM, Eduardo Nunez wrote:
> Trying to change the max agents in version 2.9.1, but the make command used
> in previous version does not work. Is the default agent limit the same or
> has that been changed? And is it still changeable?
>
I think the
On Wed, Jun 28, 2017 at 12:21 PM, Guy Or wrote:
>> It doesn't work, a real shame... It will only work if you don't have spaces
>> in your log line.
>
> This is really really really annoying lol... all that is needed is to wrap
> the argument (log line with spaces and
On Jun 25, 2017 1:05 PM, "Guy Or" wrote:
Hello,
I am writing decoders, rules and scripts that monitor my uwsgi application.
Say that I write a decoder for a certain event that appears in the log, and
that triggers a rule I wrote for it (using 'decoded_as').
How do I pass
On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson
wrote:
> Hello,
>
> so recently I got spammed by this vulnerability scanner.
> The HEAD is always the same, in regards to the $user_agent, Jorgee
>
> ** Alert 1498324205.1278330: - web,accesslog,
> 2017 Jun 24
On Fri, Jun 16, 2017 at 7:39 PM, Anthony Egbujor wrote:
> Thank you, I realized that I did not let the UDP 1514 port through the
> firewall. It is working, but I now have one final issue. It is doing
> everything it is now supposed to; however, the agent is now only triggering
On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari wrote:
> Can you please provide the rule? I am also having the same issue; I need to
> block the user after failed attempts.
> Please help
>
What is stopping you from creating a rule?
Do you have log samples to help us help you?
On Thu, Jun 15, 2017 at 3:14 AM, Irshad Rahimbux
wrote:
> The logs are being pushed to archives.log and not ossec.log
>
Only ossec stuff should be in the ossec.log. Alerts go in alerts.log
and log events go to archives.log (if the logall option is enabled).
> On
On Tue, Jun 13, 2017 at 4:01 PM, Anthony Egbujor wrote:
> Hello. I have an issue. I am able to proct alerts and have them sent to my
> email, but I am having trouble getting the server to communicate with the
> agent. I already set the agent IP as the allowed IP in secure in
On Thu, Jun 8, 2017 at 12:12 PM, Akash Munjal wrote:
> HI,
>
> How does the OSSEC manager read decoders?
>
Can you expand on this question? It doesn't make much sense.
> Thanks..
>
On Thu, Jun 8, 2017 at 2:01 PM, Alexis Lessard
wrote:
> Do you update the version every time you add new rules? We've managed to
> install with yum using the atomicorp repos, so if you could update them
> with yum, that'd be much easier.
>
Atomic may update the rules
On Fri, Jun 9, 2017 at 11:21 AM, Akash Munjal wrote:
>
> Hi,
>
> I created a custom decoder, /var/ossec/etc/local_decoder.xml, as:
>
>
> myapplication
> ^myapplication:
>
>
>
> Entry of decoder in manager ossec.conf file as:
>
>
> local_rules.xml
>
Thanks, I missed that!
On Mon, Jun 5, 2017 at 8:00 AM, wrote:
> Hi,
> Thanks for adding my suggestion, but:
>
> On page: The Administrators group may not be present on non-English copies
> of #1137 is:
> - system("echo y|cacls * /T /G Administrators:f ");
> + system("echo
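Review bot: the replacement `+ system("echo` line is cut off in this message, so the new command cannot be reviewed here; the removed line `- system("echo y|cacls * /T /G Administrators:f ");` hardcodes the English group name "Administrators", which the report says is absent on non-English Windows, so the fix should avoid depending on a localized group name and the full replacement line is needed to confirm it does.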
On Jun 7, 2017 2:09 PM, "sandaway" wrote:
I really need some help. It looks my OSSEC setup, a server and two clients,
could not run active response properly. From the active-responses.log, the
firewall-drop.sh command runs either on server or clients, depending on the
I
On Jun 4, 2017 3:03 PM, "Jur" wrote:
I'm using version 2.8.3.3 on both client and server and deleted a file from an OSSEC
monitored directory, but it is not alerting about the deleted file. How do I solve it?
Did syscheck go through a complete check after the file was deleted?
We have a pull request to allow for a whitelist of hashes to be stored
in an sqlite database. I think Wazuh already has this feature.
(https://github.com/ossec/ossec-hids/pull/1091)
You could pre-populate it with the appropriate hashes before an upgrade.
On Fri, Jun 2, 2017 at 3:45 AM,
I have created pull request #1137. Thanks for researching that!
On Fri, Jun 2, 2017 at 9:04 AM, wrote:
> Hi,
>
> I haven't got group "Administrators" on my non-English Windows.
> Ossec-agent for Windows is trying to execute command:
> echo y|cacls * /T /G Administrators:f
Pull requests #1135 and #1136 created for this. Thanks for the report!
On Fri, Jun 2, 2017 at 3:18 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Jun 1, 2017 at 5:39 AM, <andrewm0...@gmail.com> wrote:
>> Hi,
>> I installed OSSEC ver. 2.9.0. Server worked
On Thu, Jun 1, 2017 at 5:39 AM, wrote:
> Hi,
> I installed OSSEC ver. 2.9.0. Server worked, but I can't compile ossec with
> mysql support.
>
> This command doesn't work:
> make TARGET=server DATABASE=mysql install
>
> I checked few *.c files and found that in
On Sat, May 27, 2017 at 5:39 PM, Руслан Аминджанов
wrote:
> Fully reinstalled the system and got a new problem: agents are still not connecting,
> but now even if I send messages to ossec-remoted via netcat there are no
> entries in the log. Checked via netstat and ossec-remoted is
On Thu, May 25, 2017 at 11:37 AM, LGuerra wrote:
> Hi,
>
>
>
> I've been noticing heavy disk I/O operations on some of my OSSEC agents. The
> average write is around 2 mb/s and 0 mb/s for read operations (which is
> weird).
>
>
>
> Is anyone experiencing the same thing? Wasn’t
On Thu, May 18, 2017 at 3:50 PM, Pedro Sanchez wrote:
> Hi,
>
> I did not find any MariaDB decoders/rules, it could be interesting to create
> them. Feel free to paste here some log samples so we can take a look and
> maybe guide you a little bit to create them.
>
The OSSEC
On Thu, May 18, 2017 at 3:47 PM, Pedro Sanchez wrote:
> Yes, it does.
> Rootcheck works for Linux as well, we have different rootcheck policies:
> https://github.com/wazuh/wazuh-ruleset/tree/master/rootchecks
>
OSSEC has rootcheck as well.
> Cheers,
> Pedro.
>
> On Wed, May 17,
On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog wrote:
> Hi Jesus,
>
> I'm having the same problem, and the triggering of this rule causes so much
> noise that it's drowning out other alerts. I have added a rule like you
> suggested to my local rules:
>
>
> 510
>
On Fri, May 12, 2017 at 4:45 AM, Akash Munjal wrote:
> Hi dan,
>
> Thanks for the response. I tried this, but the problem remains the same.
> If you have another method to solve this, please share.
>
I would have to find out what the problem is first.
You tried what?
What were
On Fri, May 12, 2017 at 4:40 AM, AntonH wrote:
> Hello,
>
> I'm using Wazuh and I don't know how to map TargetUserName to an indexed
> field.
> Security events are generated but the associated username is not mapped so
> there is no way to search for or display the
On Thu, May 11, 2017 at 5:18 AM, Akash Munjal wrote:
>
> Hi All,
>
> I cannot receive alerts from this agent (ID: 1024). When I check the status it
> looks like this.
>
> Please help me out.
>
>
> /var/ossec/bin/agent_control -i 1024
>
> OSSEC HIDS agent_control. Agent
On Tue, May 9, 2017 at 11:13 AM, wrote:
> Hi,
>
> I've been having an issue where OSSEC is not sending the checksum data in
> the syslog alerts. Below is an example of what I am seeing (alerts log).
> This doesn't happen all the time but has been becoming more and more of an
>
On Wed, May 3, 2017 at 4:58 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi <jason.ale...@gmail.com> wrote:
>> I am attempting to get OSSEC to read my ufw.log for port scan attempts. The
>> ufw.log is reading and logging potentia
On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi wrote:
> I am attempting to get OSSEC to read my ufw.log for port scan attempts. The
> ufw.log is reading and logging potential port scans. I've created a decoder
> to identify the log entries. I've also created a rule in
On Tue, May 2, 2017 at 4:37 AM, Huc Manté Miras wrote:
> It is only necessary to include two rule files:
>
>
>
> rules_config.xml
> ossec_rules.xml
>
>
Using just those 2 files allows OSSEC to start for me.
You can check the ossec.log for more information on why it
nt
>> has its log monitoring turned on, even though the server doesn't do
>> anything with the logs.
>>
>> > I was wondering if clearing out the syscheck DB would help?
>> >
>>
>> I don't think so, but you can try it.
>>
>> > Thank
On Wed, Apr 26, 2017 at 3:31 PM, Phil Porada wrote:
> Hi,
>
> I'm running OSSEC 2.9.0. I'm unable to get rootcheck to run the
> rootcheck_files, rootcheck_trojans, and system_audit on an agent that has
> its config pushed out via the server. I'm not sure what I'm doing
ed on, even though the server doesn't do
anything with the logs.
> I was wondering if clearing out the syscheck DB would help?
>
I don't think so, but you can try it.
> Thank you!
>
>> On Apr 26, 2017, at 3:02 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>>&
On Thu, Apr 27, 2017 at 12:08 PM, Anoop Perayil wrote:
> Observed that the server initiates a connection to the client when we
> restart Syscheck/Rootcheck on an agent like -
> ./agent_control -r -u 001
>
> a tcpdump on the agent shows -
> 15:59:22.034966 IP x.x.x.x.1514 >