Re: [ossec-list] How to alert on successful Windows authentication

2017-09-27 Thread dan (ddp)
On Fri, Sep 22, 2017 at 6:22 PM, Kris Springer wrote: > Hi, I've got OSSEC agent v2.9.0 running on some Windows servers and clients > of various versions and receive the default alerts through a Security Onion > server. All is well from the defaults, but I'd like to

Re: [ossec-list] Please answer these two Splunk Questions?

2017-09-27 Thread dan (ddp)
On Sat, Sep 23, 2017 at 4:08 PM, wrote: > Q1) Is the following searches will return the same results. SEARCH 1: ssh > error SEARCH 2: ssh AND error. True or False I think splunk's default search is an "OR," but it's been a while (and of course my local install is acting

Re: [ossec-list] regex not working

2017-09-27 Thread dan (ddp)
On Mon, Sep 25, 2017 at 4:08 AM, Robert Necela wrote: > Hello, i have message with character "`". But i can't write rule with such > character. \. -> For anything not working and i can't find this character in > \p -> ()*+,-.:;<=>?[]!"'#$%&|{} (punctuation characters) > >

Re: [ossec-list] agents not connected to server, IP@ correct, udp connects, what gives

2017-09-27 Thread dan (ddp)
On Tue, Sep 26, 2017 at 12:41 PM, James Stallard wrote: > Help anyone: > OK, I'm at a loss > Running version: > # ./ossec-analysisd -V > OSSEC HIDS v2.8 - Trend Micro Inc. > CentOS release 6.7 (Final) > On AWS > > I've distributed the keys by hand via manage_agents > and

Re: [ossec-list] image based windows systems

2017-09-15 Thread dan (ddp)
On Fri, Sep 15, 2017 at 3:03 AM, wrote: > Hi, > I have 5 windows server 2008 and they booting the same image. How can I use > OSSEC for them? Installing it one the image makes no sense in my view. I > know there is an option to use remote monitoring with ossec. Where

Re: [ossec-list] How to collect only syscheck and rootcheck logs

2017-09-14 Thread dan (ddp)
On Tue, Sep 12, 2017 at 12:09 AM, vikas wrote: > Hi All, > > I am trying to collect only syscheck and rootcheck logs, and not the > eventlogs in windows or any other log files in unix. I see some /var/log > file locations declared in ossec.conf for linux that I can comment

Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-09-11 Thread dan (ddp)
On Mon, Sep 4, 2017 at 3:57 AM, Tirumala Raja Siriki wrote: > Hi Dan, > > The False positives are as follows, > > Rule 18138: The Account Name is one of our Associate account, and alert got > triggered for this. >

Re: [ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote: I wondered about that but verify-agent-conf didn't complain so I thought it was valid. I guess that means regex is only valid in rules? Rules and decoders are the only places that come to mind at the moment. On

Re: [ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison wrote: > I'm having trouble getting an ignore expression to actually ignore a change > and suspect it's due to not understanding how OSSEC regular expressions > work. When I searched for examples I found very little so

Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki wrote: > Email levels are at enough priority, I am getting emails now after stopping > alerting from RDP. I have multiple RDP where agent is installed and I get > lot of false alerts from RDPs, for Authentication

Re: [ossec-list] Re: Testing OSSEC

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote: >>> hey, > > I have added the rule in local_rules.xml file in way as in the > attached image.. > After adding the rule, i have restarted OSSEC services. But I get > the following errors: >

Re: [ossec-list] Re: ERROR: Unable to Bind port '1514'

2017-08-25 Thread dan (ddp)
On Aug 25, 2017 11:32 AM, "Carlos Islas" wrote: Hi dan, Sorry, I'm a newbie in that kind of commands. How can I kill the instance? I usually use `pkill ossec-remoted` You can also use `ps` to get the pid (or look for the pid in /var/ossec somewhere) and kill it that

Re: [ossec-list] ERROR: Unable to Bind port '1514'

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 6:28 PM, "Carlos Islas" wrote: Hello dan, Yes, it is remoted. Here is the result for netstat root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514 udp 0 0 0.0.0.0:1514 0.0.0.0:* root@vknxsegfim:/var/ossec/logs# Ok, so only 1

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread dan (ddp)
PM UTC+5:30, dan (ddpbsd) wrote: > > On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp) <ddp...@gmail.com> wrote: > > > > > > On Aug 24, 2017 4:40 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote: > > > > Hello, ok > > > I simply want to t

Re: [ossec-list] ERROR: Unable to Bind port '1514'

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 5:20 PM, "Carlos Islas" wrote: Hello, I am having this issue when i execute the command ./ossec-remoted ossec.log: 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350). 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 4:40 AM, "Ritu Soni" wrote: Hello, I simply want to test the rule for DDOS Attack, which is discussed previously: local_rules.xml: attacks|attack|automatic_attack Attacks from same source IP But this is not working.

Re: [ossec-list] Re: Testing OSSEC

2017-08-23 Thread dan (ddp)
On Aug 23, 2017 6:18 AM, "Ritu Soni" wrote: Hello, My work requirement is that OSSEC should generate an alert "Attack Detected", when the request from the same ip address is received by the server for 3 or more times within 300 seconds. I have done changes in

Re: [ossec-list] OSSEC windows agent disabling

2017-08-22 Thread dan (ddp)
On Aug 22, 2017 5:26 PM, wrote: I have about 25 OSSEC clients (v2.9.0) in my environment. For over half of them, the client will show under the ~OSSEC Windows Agent Manager~ "No Information Available". If I try to start the agent, it says "unable to start agent

Re: [ossec-list] Newby question

2017-08-22 Thread dan (ddp)
On Aug 22, 2017 12:52 PM, "Leroy Tennison" wrote: Hopefully final question about this, I notice the default manager's agent.conf has a configuration simply for os="linux" (and windows) as well as one which has no qualifier, I'm assuming those configurations apply to all

Re: [ossec-list] Newby question

2017-08-22 Thread dan (ddp)
On Aug 22, 2017 11:55 AM, "Leroy Tennison" wrote: Thank you for your reply, sadly, that's exactly what I've done (doubled up). I'll go fix that. Correct me if I'm wrong but, from your reply, it appears that I need to examine both the manager's agent.conf as well as

Re: [ossec-list] Is a "percent change" criteria available?

2017-08-21 Thread dan (ddp)
On Aug 21, 2017 4:58 PM, "Leroy Tennison" wrote: I'm hoping to implement a constraint where, if disk space used (on a specific tree such as /home) changes by more than a certain percent then it will trigger an alert. I have a controlled environment (PCI) where delta

Re: [ossec-list] OSSEC Agentless install/configuration

2017-08-18 Thread dan (ddp)
On Fri, Aug 18, 2017 at 1:58 PM, Tray wrote: > Thanks for the response. So is there an account that will ssh into the > target machine? and if so is it using keys instead of a password? > On the OSSEC manager, the ossec account will ssh to the agentless system using

Re: [ossec-list] OSSEC Agentless install/configuration

2017-08-18 Thread dan (ddp)
On Aug 18, 2017 8:35 AM, "Tray" wrote: Hello, I am new to OSSEC however, it will be set up in my environment and I am trying to get an idea of what it takes to set up the agentless ossec. What will be needed for the install/configuration on the target system? An

Re: [ossec-list] client.keys key encryption

2017-08-18 Thread dan (ddp)
On Aug 18, 2017 8:35 AM, "Gabriele Lagana" wrote: Hello, I'm trying to understand if the keys stored in the client.keys file are encrypted or not, and if they are encrypted which is the encryption algorithm used. I hope someone here can help me. I don't think they

Re: [ossec-list] How to use setup-windows, setup-syscheck, etc.

2017-08-16 Thread dan (ddp)
On Mon, Aug 14, 2017 at 11:47 AM, leroy.tennison wrote: > If documentation exists I haven't found it. setup-windows wants a directory > name and, when supplied, "processes" the directory (whatever that means, > lots of messages scroll by but nothing changes in

Re: [ossec-list] Warning during compilations Server

2017-08-16 Thread dan (ddp)
ssec 2.8.3. > Richard > > On Tuesday, July 19, 2016 at 1:14:03 PM UTC-6, Kumar G wrote: >> >> Thanks Dan. >> >> Let me check with the new code and see. >> >> On 19 July 2016 at 23:27, dan (ddp) <ddp...@gmail.com> wrote: >>> >>> On

Re: [ossec-list] Warning during compilations Server

2017-08-14 Thread dan (ddp)
ues compiling on ubuntu > > > > On Tuesday, July 19, 2016 at 1:14:03 PM UTC-6, Kumar G wrote: > >> Thanks Dan. >> >> Let me check with the new code and see. >> >> On 19 July 2016 at 23:27, dan (ddp) <ddp...@gmail.com> wrote: >> >&g

Re: [ossec-list] Warning during compilations Server

2017-08-14 Thread dan (ddp)
piling on ubuntu On Tuesday, July 19, 2016 at 1:14:03 PM UTC-6, Kumar G wrote: > Thanks Dan. > > Let me check with the new code and see. > > On 19 July 2016 at 23:27, dan (ddp) <ddp...@gmail.com> wrote: > >> On Tue, Jul 19, 2016 at 1:32 PM, Kumar Mg <mkg...@gmail.com> w

Re: [ossec-list] Missing EventData - Data fields in archives and alerts

2017-08-11 Thread dan (ddp)
On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth wrote: > Dear Group! > > I've tried to parse MSExchange Management / MSExchange Cmdlet logs from > Windows Event Log from its own log source. I've also enabled the logall option. > Logtest is working. I'm currently getting and parsing the

[ossec-list] OSSEC 2.9.2 release

2017-08-09 Thread dan (ddp)
OSSEC 2.9.2 has been released. This is mostly a bug-fix/rules update release. Thank you to everyone who has contributed time and effort into the project, it is truly appreciated! Get it here: https://github.com/ossec/ossec-hids/releases/tag/2.9.2 Changelog Release Maintainers Dan Parriott

Re: [ossec-list] Agents Disconnected

2017-08-09 Thread dan (ddp)
On Mon, Aug 7, 2017 at 10:49 AM, Carlos Islas wrote: > > Thank you Dan, > > Sorry but I'm still confused, I don't want to do something that makes this > situation worse. Do you have any idea to fix the error? > 2 temporary fixes are to either stop the OSSEC server processes,

Re: [ossec-list] Agents Disconnected

2017-08-04 Thread dan (ddp)
On Fri, Aug 4, 2017 at 11:59 AM, Carlos Islas wrote: > Hi! > > The manager hasn't an agent. The alerts came from the other host. > > root@vknxsegfim:/var/ossec/bin# ./agent_control -lc > > OSSEC HIDS agent_control. List of available agents: >ID: 000, Name: vknxsegfim

Re: [ossec-list] OSSEC create a decoder (31101)

2017-08-04 Thread dan (ddp)
On Fri, Aug 4, 2017 at 2:57 AM, Fredrik Hilmersson wrote: > Hello, > > I would like some help and pointers to create a decoder. So I ran the line > from the access log (see below). What I would like to accomplish is to > match: python-requests/2.2.1 However as you

Re: [ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-08-02 Thread dan (ddp)
On Wed, Aug 2, 2017 at 7:19 AM, Stephen Crow wrote: > can this be changed to use TCP instead of UDP? I have the same issue but I > don't think changing the default buffer size is a good idea > Yes, just add tcp support to agentd and remoted. Wazuh may already have this,

Re: [ossec-list] Server maximum thresholds

2017-08-02 Thread dan (ddp)
On Wed, Aug 2, 2017 at 5:21 AM, LGuerra wrote: > Hi guys, > > I think that my server isn't collecting/analyzing all agent messages. A few > days ago I turned off a huge log source and OSSEC started showing a lot more > events from the other sources. My guess is that lots of

Re: [ossec-list] Huge Size over 2GB - /var/ossec/queue/diff/local

2017-07-23 Thread dan (ddp)
On Jul 23, 2017 8:08 AM, wrote: My /var/ossec/queue/diff/ folder is over 2GB. I don't understand why this happens. It looks like you have the syscheck diff option set. A. Is it ok to just delete this folder? You should be able to prune the contents. B. How could I

Re: [ossec-list] Ossec-slack.sh, curl processes leaks all memory on the server causing it to freeze.

2017-07-22 Thread dan (ddp)
On Sat, Jul 22, 2017 at 5:59 AM, Marcin Gołębiowski wrote: > Good day to you all, > I have a problem with OSSEC/Slack integration. OSSEC version 2.9.0 For an > unknown reason, the ossec-slack script fires hundreds of Curl processes when > sending data from

Re: [ossec-list] Linux processes monitoring through ossec

2017-07-21 Thread dan (ddp)
On Fri, Jul 21, 2017 at 5:27 AM, wrote: > Hi all, > > I am new to ossec. I would like to monitor process through ossec. My plan is > need to get the notification if some one start any new process or stop/kill > any process. > Can some one help me > If there is a way

Re: [ossec-list] Strange rule issue

2017-07-20 Thread dan (ddp)
On Thu, Jul 20, 2017 at 2:53 PM, Bob Boklewski wrote: > I have two issues. > > 1. I cannot get rule 18107 in the msauth_rules.xml file to generate an > alert, unless I put it as a local rule. This prebuilt rule should work. > 2. I am trying to monitor successful

Re: [ossec-list] Monitor Particular Folder On Windows Agent

2017-07-20 Thread dan (ddp)
On Thu, Jul 20, 2017 at 2:04 AM, Akash Munjal wrote: > Hi Dan, > > If i add or delete file in a particular folder on windows agent desktop. > I want to see their addition or deletion log on server/manager side. > If the directory is monitored by OSSEC (as defined with

Re: [ossec-list] compiled 2.9.1 hids doesn't seem to work

2017-07-20 Thread dan (ddp)
On Jul 20, 2017 12:50 PM, "John Wojda" wrote: I'm trying to setup ossec hids for deployment to the macOS environment. I went through the documentation

Re: [ossec-list] Monitor Particular Folder On Windows Agent

2017-07-19 Thread dan (ddp)
On Wed, Jul 19, 2017 at 11:46 AM, Akash Munjal wrote: > Hi All, > > Can I monitor a particular folder on desktop of my windows agent. > > If yes then how it can be done. Also I want to monitor a particular > drive(:C). > Define "monitor." Do you mean syscheck

Re: [ossec-list] Re: RDP Alerts / msauth.xml

2017-07-14 Thread dan (ddp)
On Fri, Mar 3, 2017 at 2:04 PM, Aryn Nakaoka wrote: > How do I get OSSEC to log the IP of failed RDP Logins? > What do you mean "log the IP?" Is the IP address in the log? Does it not get identified by the decoding process? > > > On Monday, October 7, 2013 at 12:24:38 PM

Re: [ossec-list] Restart agents, syscheck and rootcheck from ossec manager

2017-07-14 Thread dan (ddp)
On Mon, Jul 10, 2017 at 4:49 AM, Kazim Koybasi wrote: > Hello, > I am trying to restart all agents and start syscheck and rootcheck but I can > not achieve it with the commands below. I use centralized agent.conf at the manager > and whenever I change the agent.conf file I should

Re: [ossec-list] Disable IPv6 for ossec-remoted

2017-07-14 Thread dan (ddp)
On Sun, Jul 9, 2017 at 8:58 PM, Roman Romanov <558...@gmail.com> wrote: > Hello, how I can disable IPv6 for ossec-remoted. Such construction doesn't > work: > > > secure > 0.0.0.0 > > > > > because I have this netstat's output: > udp6 0 0 0.0.0.0:1514

Re: [ossec-list] OSSEC 2.9.0 don't works with Prelude SIEM

2017-07-09 Thread dan (ddp)
On Jul 9, 2017 7:51 AM, "Roman Romanov" <558...@gmail.com> wrote: Hello, after upgrading from OSSEC 2.8.2 to OSSEC 2.9.0: cd ossec-hids-2.9.0/src make setprelude I have an error: # make setprelude make: *** No rule to make target 'setprelude'. Stop. Then I install OSSEC as Server via

Re: [ossec-list] Re: Rule fired but active-response didn't work

2017-07-08 Thread dan (ddp)
On Mon, Jul 3, 2017 at 10:26 PM, Tunguyen wrote: > I've checked the ossec.conf on server side and agent side, those are all the > same as yours > Here is the agent side: > > 20,40,60 > > > And the server side is same as above, except that i add > like this: >

Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 6:11 AM, Jesus Linares wrote: > I never used it: > http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time > > I think is the time when the event comes to the manager (not the original > time). > Oh, ok. Obviously I have never used

Re: [ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 4:15 AM, Kazim Koybasi wrote: > Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried > with the apache log format and without the logformat setting and the results are the > same. What could be a workaround for that? > Provide a log sample of a

Re: [ossec-list] Throttling of events in OSSEC

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 8:07 AM, chintan shah wrote: > Hi Guys , > > Just wanted to check if anybody has an idea on how to throttle the events in > OSSEC . I have a situation where there are 20 duplicate alerts within a > second and I would want to raise only 1 alert for

Re: [ossec-list] Integration with MS SCCM

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 8:10 AM, Irshad Rahimbux wrote: > I have done all the configuration in ms-sccm.cfg [existing file in plugin > folder]. > That must be an OSSIM thing. Unrelated to OSSEC. > But still don't see anything in alerts.log. > Turn on the logall option,

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
le(1202): ERROR: Configuration error at > '/etc/decoder.xml'. Exiting. > Good to know. You could try taking the windows decoders out of the newer decoder.xml file, but that might be a lot of work for little benefit. > > > On 7/6/2017 6:48 PM, dan (ddp) wrote: >> >> On Th

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
decoders. I think they should be compatible, and you can test them quickly with ossec-logtest without restarting OSSEC. > > > On 7/6/2017 5:47 PM, dan (ddp) wrote: >> >> On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown <zestys...@gmail.com> wrote: >>> >>> D

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-06 Thread dan (ddp)
atch one or more from the following set: 0 > through 9, A through F and x. I guess that's done differently here. :) > > Thanks for helping me understand this better. > Our regex is weird. > > On 7/5/2017 6:45 PM, dan (ddp) wrote: >> >> On Mon, Jul 3, 2017 at 11:28 AM, Ian

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
**Phase 2: Completed decoding. decoder: 'windows' status: 'AUDIT_FAILURE' id: '5152' extra_data: 'Microsoft-Windows-Security-Auditing' dstuser: '(no user)' system_name: 'workstation' srcip: '1.2.3.4' dstip: '5.6.7.8' **Phase 3: Completed filtering (rules

Re: [ossec-list] OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread dan (ddp)
On Jul 6, 2017 4:38 PM, "Kazim Koybasi" wrote: I added the config below to etc/shared/agent.conf in the ossec-server home directory but there are no alerts in the server. What could I need with this configuration? apache /var/log/httpd/site/site_log

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote: > There is a decoder that isn't quite handling some log entries the way I > need. I want to augment an existing decoder, but apparently I'm not doing > this correctly. > Here's an example log entry: > 2017 Jul 03 11:17:37

Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson wrote: > Hello, > > Lets say I have a script which runs once every half an hour. With a latency > difference in about 10-20 seconds. > Would it be possible to match the following: > > 1. Time > 2. Hostname > 3.

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown wrote: > I believe I've figured it out -- I think the decoder isn't matching the full > log string and is thus stripping the ip address information. Also after > looking at the regex in the decoder, I've discovered that it doesn't

Re: [ossec-list] I'm unclear why my rule is not matching...

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown wrote: > I've got this event log in windows: > > 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The > Windows Filtering Platform blocked a packet.

Re: [ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen wrote: > Hi everyone, here is my ossec.conf on the server: > > > > firewall-drop > server,all > 31152 > 600 > 30,60,90,120,150 > > > rule 31152 is: > > > 31103 > > Multiple SQL

Re: [ossec-list] Re: OSSEC rule not firing

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 11:41 AM, Bob Boklewski wrote: > Also, what does the "if_sid" match to? I am trying to understand how to > create custom rules and it seems this "if_sid" is unique and defined > somewhere. I see that rule id and description can be whatever

Re: [ossec-list] OSSEC rule not firing

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 11:27 AM, Bob Boklewski wrote: > In the OSSEC.conf file I have level 3 logging set. I can't seem to get this > rule to fire that is a predefined rule in the msauth_rules.xml file. I can > see in the windows log event id: 4624, but it won't

Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-30 Thread dan (ddp)
On Thu, Jun 29, 2017 at 4:08 AM, Rahul Tiwari wrote: > > > I need to block the user ip after 3 failed login attempts in ossec. I > tried the below in the sshd_rules file > > > 5716 > > Multiple SSHD authentication failures. >

Re: [ossec-list] Integration with MS SCCM

2017-06-30 Thread dan (ddp)
On Thu, Jun 29, 2017 at 1:00 AM, Irshad Rahimbux wrote: > Dear Team, > > I would like to integrate Microsoft SCCM with OSSIM. > > All configuration has been done in ms-sccm.cfg [which was already > available]. > > Logs are coming to /var/log/alienvault/agent.log but

Re: [ossec-list] Solaris 10 install issue - Fatal error in reader: Makefile, line 4

2017-06-30 Thread dan (ddp)
On Thu, Jun 29, 2017 at 8:40 PM, Patrick Tobin wrote: > Not sure if this will help but these are the steps I took to build a binary > installer for Solaris 10 (I did the same for 2.8.3 and it worked as well): > > > > Compile OSSEC on Solaris 10 with OPENSSL Support >

Re: [ossec-list] 2.9.1 Max Agents

2017-06-30 Thread dan (ddp)
On Thu, Jun 29, 2017 at 5:17 PM, Eduardo Nunez wrote: > Trying to change the max agents in version 2.9.1, but the make command used > in previous version does not work. Is the default agent limit the same or > has that been changed? And is it still changeable? > I think the

Re: [ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread dan (ddp)
On Wed, Jun 28, 2017 at 12:21 PM, Guy Or wrote: >> It doesn't work, a real shame... It will only work if you don't have spaces >> in your log line. > > This is really really really annoying lol... all that is needed is to wrap > with ' ' the argument (log line with spaces and

Re: [ossec-list] Passing entire log line to Active Response script - how?

2017-06-25 Thread dan (ddp)
On Jun 25, 2017 1:05 PM, "Guy Or" wrote: Hello, I am writing decoders, rules and scripts that monitor my uwsgi application. Say that I write a decoder for a certain event that appears in the log, and that triggers a rule I wrote for it (using 'decoded_as'). How do I pass

Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-24 Thread dan (ddp)
On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson wrote: > Hello, > > so recently I got spammed by this vulnerability scanner. > The HEAD is always the same, in regards to the $user_agent, Jorgee > > ** Alert 1498324205.1278330: - web,accesslog, > 2017 Jun 24

Re: [ossec-list] Communicating from Agent to Server

2017-06-22 Thread dan (ddp)
On Fri, Jun 16, 2017 at 7:39 PM, Anthony Egbujor wrote: > Thank you, i realized that i did not let the udp 1514 port through the > firewall. It is working, but I now have one final issue. It is doing > everything it is now supposed to, however, the agent is now only triggering

Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari wrote: > Can you please provide the rule i am also having the same issue i need to > block the user after failed attempts. > Please help > What is stopping you from creating a rule? Do you have log samples to help us help you?

Re: [ossec-list] Re: Logging of informational events on OSSIM

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 3:14 AM, Irshad Rahimbux wrote: > The logs are being pushed to archives.log and not ossec.log > Only ossec stuff should be in the ossec.log. Alerts go in alerts.log and log events go to archives.log (if the logall option is enabled). > On

Re: [ossec-list] Communicating from Agent to Server

2017-06-14 Thread dan (ddp)
On Tue, Jun 13, 2017 at 4:01 PM, Anthony Egbujor wrote: > Hello. I have an issue. I am able to proct alerts and have it sent to my > email, but I am having trouble getting the server to communicate with the > agent. I already set the agent ip as the allowed Ip in secure in

Re: [ossec-list] How ossec manager reads decoder

2017-06-10 Thread dan (ddp)
On Thu, Jun 8, 2017 at 12:12 PM, Akash Munjal wrote: > HI, > > How ossec manager reads decoder...? > Can you expand on this question? It doesn't make much sense. > Thanks.. > > -- > > --- > You received this message because you are subscribed to the Google Groups >

Re: [ossec-list] Updates rules and signatures

2017-06-10 Thread dan (ddp)
On Thu, Jun 8, 2017 at 2:01 PM, Alexis Lessard wrote: > Do you update the version every time you add new rules? We've managed to > install it with yum using atomicorp's repos, so if you could update them > with yum, that'd be much easier. > Atomic may update the rules

Re: [ossec-list] No Decoder Match Problem

2017-06-10 Thread dan (ddp)
On Fri, Jun 9, 2017 at 11:21 AM, Akash Munjal wrote: > > Hi, > > I create custom decoder, /var/ossec/etc/local_decoder.xml as: > > > myapplication > ^myapplication: > > > > Entry of decoder in manager ossec.conf file as: > > > local_rules.xml >

Re: [ossec-list] OSSEC windows agent on non-English Windows

2017-06-07 Thread dan (ddp)
Thanks, I missed that! On Mon, Jun 5, 2017 at 8:00 AM, wrote: > Hi, > Thanks for adding my suggestion, but: > > On page: The Administrators group may not be present on non-English copies > of #1137 is: > - system("echo y|cacls * /T /G Administrators:f "); > + system("echo

Re: [ossec-list] Active Response location question

2017-06-07 Thread dan (ddp)
On Jun 7, 2017 2:09 PM, "sandaway" wrote: I really need some help. It looks my OSSEC setup, a server and two clients, could not run active response properly. From the active-responses.log, the firewall-drop.sh command runs either on server or clients, depending on the I

Re: [ossec-list] Not notify File deletion

2017-06-04 Thread dan (ddp)
On Jun 4, 2017 3:03 PM, "Jur" wrote: I'm using version 2.8.3.3 on both client and server and deleted a file from an OSSEC monitored directory. But it's not alerting about the deleted file. How do I solve it? Did syscheck go through a complete check after the file was deleted? -- --- You

Re: [ossec-list] Disable the ossec-agent for OS updates.

2017-06-02 Thread dan (ddp)
We have a pull request to allow for a whitelist of hashes to be stored in an sqlite database. I think Wazuh already has this feature. (https://github.com/ossec/ossec-hids/pull/1091) You could pre-populate it with the appropriate hashes before an upgrade. On Fri, Jun 2, 2017 at 3:45 AM,

Re: [ossec-list] OSSEC windows agent on non-English Windows

2017-06-02 Thread dan (ddp)
I have created pull request #1137. Thanks for researching that! On Fri, Jun 2, 2017 at 9:04 AM, wrote: > Hi, > > I haven't got group "Administrators" on my non-English Windows. > Ossec-agent for Windows is trying to execute command: > echo y|cacls * /T /G Administrators:f

Re: [ossec-list] ossec 2.9.0 - mysql problem

2017-06-02 Thread dan (ddp)
Pull requests #1135 and #1136 created for this. Thanks for the report! On Fri, Jun 2, 2017 at 3:18 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Jun 1, 2017 at 5:39 AM, <andrewm0...@gmail.com> wrote: >> Hi, >> I installed OSSEC ver. 2.9.0. Server worked

Re: [ossec-list] ossec 2.9.0 - mysql problem

2017-06-02 Thread dan (ddp)
On Thu, Jun 1, 2017 at 5:39 AM, wrote: > Hi, > I installed OSSEC ver. 2.9.0. Server worked, but I can't compile ossec with > mysql support. > > This command doesn't work: > make TARGET=server DATABASE=mysql install > > I checked few *.c files and found that in

Re: [ossec-list] Re: OSSEC Agent not works

2017-05-27 Thread dan (ddp)
On Sat, May 27, 2017 at 5:39 PM, Руслан Аминджанов wrote: > Fully reinstalled system and got a new problem: still agents not connecting > but now event if I send messages to ossec-remoted via netcat there is no > entities in log. Checked via netstat and ossec-remoted is

Re: [ossec-list] Ossec Windows Agent High Disk I/O Consumption

2017-05-25 Thread dan (ddp)
On Thu, May 25, 2017 at 11:37 AM, LGuerra wrote: > Hi, > > > > I've been noticing heavy disk I/O operations on some of my OSSEC agents. The > average write is around 2 mb/s and 0 mb/s for read operations (which is > weird). > > > > Is anyone experiencing the same thing? Wasn’t

Re: [ossec-list] mariadb monitoring?

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 3:50 PM, Pedro Sanchez wrote: > Hi, > > I did not find any MariaDB decoders/rules, it could be interesting to create > them. Feel free to paste here some log samples so we can take a look and > maybe guide you a little bit to create them. > The OSSEC

Re: [ossec-list] Using OSSEC HIDS to spot rogue software

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 3:47 PM, Pedro Sanchez wrote: > Yes, it does. > Rootcheck works for Linux as well, we have different rootcheck policies: > https://github.com/wazuh/wazuh-ruleset/tree/master/rootchecks > OSSEC has rootcheck as well. > Cheers, > Pedro. > > On Wed, May 17,

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog wrote: > Hi Jesus, > > I'm having the same problem, and the triggering of this rule causes so much > noise that it's drowning out other alerts. I have added a rule like you > suggested to my local rules: > > > 510 >

Re: [ossec-list] Unable to connect with agent

2017-05-12 Thread dan (ddp)
On Fri, May 12, 2017 at 4:45 AM, Akash Munjal wrote: > Hi dan, > > Thanks for the response. I tried this, but the problem remains the same. > If you have another method to solve this please share. > I would have to find out what the problem is first. You tried what? What were

Re: [ossec-list] TargetUserName is not mapped to an indexed field

2017-05-12 Thread dan (ddp)
On Fri, May 12, 2017 at 4:40 AM, AntonH wrote: > Hello, > > I'm using Wazuh and I don't know how to map TargetUserName to an indexed > field. > Security events are generated but the associated username is not mapped so > there is no way to search for or display the

Re: [ossec-list] Unable to connect with agent

2017-05-11 Thread dan (ddp)
On Thu, May 11, 2017 at 5:18 AM, Akash Munjal wrote: > > Hi All, > > I can not receive alerts from this agent (ID:1024). When I check the status it > looks like this. > > Please help me out. > > > /var/ossec/bin/agent_control -i 1024 > > OSSEC HIDS agent_control. Agent

Re: [ossec-list] OSSEC Syslog Entries Missing Checksum Data

2017-05-11 Thread dan (ddp)
On Tue, May 9, 2017 at 11:13 AM, wrote: > Hi, > > I've been having an issue where OSSEC is not sending the checksum data in > the syslog alerts. Below is an example of what I am seeing (alerts log). > This doesn't happen all the time but has been becoming more and more of an >

Re: [ossec-list] Trouble with configuring OSSEC/UFW for Port Scan detection

2017-05-03 Thread dan (ddp)
On Wed, May 3, 2017 at 4:58 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi <jason.ale...@gmail.com> wrote: >> I am attempting to get OSSEC to read my ufw.log for port scan attempts. The >> ufw.log is reading and logging potentia

Re: [ossec-list] Trouble with configuring OSSEC/UFW for Port Scan detection

2017-05-03 Thread dan (ddp)
On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi wrote: > I am attempting to get OSSEC to read my ufw.log for port scan attempts. The > ufw.log is reading and logging potential port scans. I've created a decoder > to identify the log entries. I've also created a rule in

Re: [ossec-list] Disable all rules for ossec server

2017-05-03 Thread dan (ddp)
On Tue, May 2, 2017 at 4:37 AM, Huc Manté Miras wrote: > It's only needed to include two rule files: > > > > rules_config.xml > ossec_rules.xml > > Using just those 2 files allows OSSEC to start for me. You can check the ossec.log for more information on why it

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread dan (ddp)
nt >> has its log monitoring turned on, even though the server doesn't do >> anything with the logs. >> >> > I was wondering if clearing out the syscheck DB would help? >> > >> >> I don't think so, but you can try it. >> >> > Thank

Re: [ossec-list] rootcheck_files, rootcheck_trojans, and system_audit don't appear to fire when using /var/ossec/etc/shared/agent.conf

2017-04-27 Thread dan (ddp)
On Wed, Apr 26, 2017 at 3:31 PM, Phil Porada wrote: > Hi, > > I'm running OSSEC 2.9.0. I'm unable to get the rootcheck to run the > rootcheck_files, rootcheck_trojans,a and system_audit on an agent that has > its config pushed out via the server. I'm not sure what I'm doing

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread dan (ddp)
ed on, even though the server doesn't do anything with the logs. > I was wondering if clearing out the syscheck DB would help? > I don't think so, but you can try it. > Thank you! > >> On Apr 26, 2017, at 3:02 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >>&

Re: [ossec-list] OSSEC UDP Ports

2017-04-27 Thread dan (ddp)
On Thu, Apr 27, 2017 at 12:08 PM, Anoop Perayil wrote: > Observed that the server initiates a connection to the client when we > restart Syscheck/Rootcheck on an agent like - > ./agent_control -r -u 001 > > a tcpdump on the agent shows - > 15:59:22.034966 IP x.x.x.x.1514 >
