Re: [ossec-list] OSSEC block vulnerability scanners head user_agent

2017-06-24 Thread dan (ddp)
On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson wrote: > Hello, > > so recently I got spammed by this vulnerability scanner. > The HEAD is always the same, in regards to the $user_agent, Jorgee > > ** Alert 1498324205.1278330: - web,accesslog, > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/l

Re: [ossec-list] Communicating from Agent to Server

2017-06-22 Thread dan (ddp)
On Fri, Jun 16, 2017 at 7:39 PM, Anthony Egbujor wrote: > Thank you, i realized that i did not let the udp 1514 port through the > firewall. It is working, but I now have one final issue. It is doing > everything it is now supposed to, however, the agent is now only triggering > alerts and notifyi

Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari wrote: > Can you please provide the rule i am also having the same issue i need to > block the user after failed attempts. > Please help > What is stopping you from creating a rule? Do you have log samples to help us help you? > On Thursday, April 29

Re: [ossec-list] Re: Logging of informational events on OSSIM

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 3:14 AM, Irshad Rahimbux wrote: > The logs are being pushed to archives.log and not ossec.log > Only ossec stuff should be in the ossec.log. Alerts go in alerts.log and log events go to archives.log (if the logall option is enabled). > On Thursday, June 15, 2017 at 11:06:

Re: [ossec-list] Communicating from Agent to Server

2017-06-14 Thread dan (ddp)
On Tue, Jun 13, 2017 at 4:01 PM, Anthony Egbujor wrote: > Hello. I have an issue. I am able to proct alerts and have it sent to my > email, but I am having trouble getting the server to communicate with the > agent. I already set the agent ip as the allowed Ip in secure in server, set > the client

Re: [ossec-list] How ossec manager reads decoder

2017-06-10 Thread dan (ddp)
On Thu, Jun 8, 2017 at 12:12 PM, Akash Munjal wrote: > Hi, > > How ossec manager reads decoder...? > Can you expand on this question? It doesn't make much sense. > Thanks.. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To u

Re: [ossec-list] Updates rules and signatures

2017-06-10 Thread dan (ddp)
On Thu, Jun 8, 2017 at 2:01 PM, Alexis Lessard wrote: > Do you update the version every time you add new rules? We've managed to > install with yum using atomicorp repo's, so if you could update them > with yum, that'd be much easier. > Atomic may update the rules separately. I don't use the pac

Re: [ossec-list] No Decoder Match Problem

2017-06-10 Thread dan (ddp)
On Fri, Jun 9, 2017 at 11:21 AM, Akash Munjal wrote: > > Hi, > > I create custom decoder, /var/ossec/etc/local_decoder.xml as: > > > myapplication > ^myapplication: > > > > Entry of decoder in manager ossec.conf file as: > > > local_rules.xml > etc/decoder.xml > etc/local_decode

Re: [ossec-list] OSSEC windows agent on non-English Windows

2017-06-07 Thread dan (ddp)
Thanks, I missed that! On Mon, Jun 5, 2017 at 8:00 AM, wrote: > Hi, > Thanks for adding my suggestion, but: > > On page: The Administrators group may not be present on non-English copies > of #1137 is: > - system("echo y|cacls * /T /G Administrators:f "); > + system("echo y|cacls * /T /G \"*S-1-

Re: [ossec-list] Host status = Disconnected

2017-06-07 Thread dan (ddp)
On Wed, Jun 7, 2017 at 12:34 PM, prakash ranjan wrote: > Hi, > > After running "/var/ossec/bin/agent_control -l " there are several > servers/agents status is showing as "Disconnected". > > Process I have followed to fix this:- > > /var/ossec/bin/agent_control -l | grep Disconnected > > output:- I

Re: [ossec-list] Updates rules and signatures

2017-06-07 Thread dan (ddp)
On Wed, Jun 7, 2017 at 4:24 PM, Alexis Lessard wrote: > Hi! > > What is the cleanest and easiest way to updates rules and signatures of > attacks and threats in ossec? I'm looking maybe for a command I could use to > automate it. When I execute bin/manage_agents -V (to obtain version), I get > th

Re: [ossec-list] Active Response location question

2017-06-07 Thread dan (ddp)
On Jun 7, 2017 2:09 PM, "sandaway" wrote: I really need some help. It looks my OSSEC setup, a server and two clients, could not run active response properly. From the active-responses.log, the firewall-drop.sh command runs either on server or clients, depending on the I set as in the following e

Re: [ossec-list] Problem with dovecot decoder

2017-06-06 Thread dan (ddp)
On Jun 6, 2017 1:56 PM, wrote: Hi all, have problem with dovecot decoder Example log: Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session= Default dovecot decoder dovecot ^\w\w\w\w-login: Abort

Re: [ossec-list] Not notify File deletion

2017-06-04 Thread dan (ddp)
On Jun 4, 2017 3:03 PM, "Jur" wrote: I using version 2.8.3.3 on both client,server and deleted file from OSSEC monitoring directory. But not alerting about file deleted. How I solve it? Did syscheck go through a complete check after the file was deleted? -- --- You received this message be

Re: [ossec-list] Disable the ossec-agent for OS updates.

2017-06-02 Thread dan (ddp)
We have a pull request to allow for a whitelist of hashes to be stored in an sqlite database. I think Wazuh already has this feature. (https://github.com/ossec/ossec-hids/pull/1091) You could pre-populate it with the appropriate hashes before an upgrade. On Fri, Jun 2, 2017 at 3:45 AM, wrote: >

Re: [ossec-list] OSSEC windows agent on non-English Windows

2017-06-02 Thread dan (ddp)
I have created pull request #1137. Thanks for researching that! On Fri, Jun 2, 2017 at 9:04 AM, wrote: > Hi, > > I haven't got group "Administrators" on my non-English Windows. > Ossec-agent for Windows is trying to execute command: > echo y|cacls * /T /G Administrators:f > or: > echo y|cacls .

Re: [ossec-list] ossec 2.9.0 - mysql problem

2017-06-02 Thread dan (ddp)
Pull requests #1135 and #1136 created for this. Thanks for the report! On Fri, Jun 2, 2017 at 3:18 PM, dan (ddp) wrote: > On Thu, Jun 1, 2017 at 5:39 AM, wrote: >> Hi, >> I installed OSSEC ver. 2.9.0. Server worked, but I can't compile ossec with >> mysql support.

Re: [ossec-list] ossec 2.9.0 - mysql problem

2017-06-02 Thread dan (ddp)
On Thu, Jun 1, 2017 at 5:39 AM, wrote: > Hi, > I installed OSSEC ver. 2.9.0. Server worked, but I can't compile ossec with > mysql support. > > This command doesn't work: > make TARGET=server DATABASE=mysql install > > I checked few *.c files and found that in src/os_dbd/main.c in line 25 is: > #

Re: [ossec-list] Re: OSSEC Agent not works

2017-05-27 Thread dan (ddp)
On Sat, May 27, 2017 at 5:39 PM, Руслан Аминджанов wrote: > Fully reinstalled system and got a new problem: still agents not connecting > but now even if I send messages to ossec-remoted via netcat there is no > entities in log. Checked via netstat and ossec-remoted is listening. > Turn on debug

Re: [ossec-list] Ossec Windows Agent High Disk I/O Consumption

2017-05-25 Thread dan (ddp)
On Thu, May 25, 2017 at 11:37 AM, LGuerra wrote: > Hi, > > > > I've been noticing heavy disk I/O operations on some of my OSSEC agents. The > average write is around 2 mb/s and 0 mb/s for read operations (which is > weird). > > > > Is anyone experiencing the same thing? Wasn’t supposed to be (at l

Re: [ossec-list] mariadb monitoring?

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 3:50 PM, Pedro Sanchez wrote: > Hi, > > I did not find any MariaDB decoders/rules, it could be interesting to create > them. Feel free to paste here some log samples so we can take a look and > maybe guide you a little bit to create them. > The OSSEC project would also be

Re: [ossec-list] Using OSSEC HIDS to spot rogue software

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 3:47 PM, Pedro Sanchez wrote: > Yes, it does. > Rootcheck works for Linux as well, we have different rootcheck policies: > https://github.com/wazuh/wazuh-ruleset/tree/master/rootchecks > OSSEC has rootcheck as well. > Cheers, > Pedro. > > On Wed, May 17, 2017 at 11:16 AM,

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-19 Thread dan (ddp)
On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog wrote: > Hi Jesus, > > I'm having the same problem, and the triggering of this rule causes so much > noise that it's drowning out other alerts. I have added a rule like you > suggested to my local rules: > > > 510 > /var/lib/docker/volumes/\

Re: [ossec-list] Unable to connect with agent

2017-05-12 Thread dan (ddp)
On Fri, May 12, 2017 at 4:45 AM, Akash Munjal wrote: > Hi dan, > > Thanks for the response. I tried this, but problem remains same. > If you have another method to solve this please share. > I would have to find out what the problem is first. You tried what? What were the results? Without any inf

Re: [ossec-list] TargetUserName is not mapped to an indexed field

2017-05-12 Thread dan (ddp)
On Fri, May 12, 2017 at 4:40 AM, AntonH wrote: > Hello, > > I'm using Wazuh and I don't know how to map TargetUserName to an indexed > field. > Security events are generated but the associated username is not mapped so > there is no way to search for or display the culprit. > > The field marked ye

Re: [ossec-list] Unable to connect with agent

2017-05-11 Thread dan (ddp)
On Thu, May 11, 2017 at 5:18 AM, Akash Munjal wrote: > > Hi All, > > I can not receive alert from this agent(ID:1024). When I check the status it > looks like this. > > Please help me out. > > > /var/ossec/bin/agent_control -i 1024 > > OSSEC HIDS agent_control. Agent information: >Agent ID: 1

Re: [ossec-list] OSSEC Syslog Entries Missing Checksum Data

2017-05-11 Thread dan (ddp)
On Tue, May 9, 2017 at 11:13 AM, wrote: > Hi, > > I've been having an issue where OSSEC is not sending the checksum data in > the syslog alerts. Below is an example of what I am seeing (alerts log). > This doesn't happen all the time but has been becoming more and more of an > issue: > > > 2017 M

Re: [ossec-list] Compress elasticsearch indexes

2017-05-05 Thread dan (ddp)
I think asking the elasticsearch mailing list might provide better results. On Fri, May 5, 2017 at 3:07 PM, RWagner wrote: > Hi Guys! > > My elasticsearch indexes are filling the disk. I would like to compress > these indexes. Is it possible to compress these indexes in a way that I can > restore

Re: [ossec-list] Trouble with configuring OSSEC/UFW for Port Scan detection

2017-05-03 Thread dan (ddp)
On Wed, May 3, 2017 at 4:58 PM, dan (ddp) wrote: > On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi wrote: >> I am attempting to get OSSEC to read my ufw.log for port scan attempts. The >> ufw.log is reading and logging potential port scans. I've created a decoder >> t

Re: [ossec-list] Trouble with configuring OSSEC/UFW for Port Scan detection

2017-05-03 Thread dan (ddp)
On Wed, May 3, 2017 at 12:55 PM, Jason Aleksi wrote: > I am attempting to get OSSEC to read my ufw.log for port scan attempts. The > ufw.log is reading and logging potential port scans. I've created a decoder > to identify the log entries. I've also created a rule in the > local_rules.xml. I'm

Re: [ossec-list] Disable all rules for ossec server

2017-05-03 Thread dan (ddp)
On Tue, May 2, 2017 at 4:37 AM, Huc Manté Miras wrote: > Only its needed to include two rule files: > > > > rules_config.xml > ossec_rules.xml > > Using just those 2 files allows OSSEC to start for me. You can check the ossec.log for more information on why it failed. I'm guessing s

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread dan (ddp)
gh the server doesn't do >> anything with the logs. >> >> > I was wondering if clearing out the syscheck DB would help? >> > >> >> I don't think so, but you can try it. >> >> > Thank you! >> > >> >> On Apr 26, 2

Re: [ossec-list] rootcheck_files, rootcheck_trojans, and system_audit don't appear to fire when using /var/ossec/etc/shared/agent.conf

2017-04-27 Thread dan (ddp)
On Wed, Apr 26, 2017 at 3:31 PM, Phil Porada wrote: > Hi, > > I'm running OSSEC 2.9.0. I'm unable to get the rootcheck to run the > rootcheck_files, rootcheck_trojans, and system_audit on an agent that has > its config pushed out via the server. I'm not sure what I'm doing wrong. > > > server: /v

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread dan (ddp)
server doesn't do anything with the logs. > I was wondering if clearing out the syscheck DB would help? > I don't think so, but you can try it. > Thank you! > >> On Apr 26, 2017, at 3:02 PM, dan (ddp) wrote: >> >>> On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wr

Re: [ossec-list] OSSEC UDP Ports

2017-04-27 Thread dan (ddp)
On Thu, Apr 27, 2017 at 12:08 PM, Anoop Perayil wrote: > Observed that the server initiates a connection to the client when we > restart Syscheck/Rootcheck on an agent like - > ./agent_control -r -u 001 > > a tcpdump on the agent shows - > 15:59:22.034966 IP x.x.x.x.1514 > x.x.x.x.48902: UDP, leng

Re: [ossec-list] i dos'd myself but ossec did not record it

2017-04-26 Thread dan (ddp)
On Wed, Apr 26, 2017 at 3:27 PM, Sargeras wrote: > Greetings, I recently installed ossec (ubuntu VM) and in order to verify its > abilities, I dos'd myself on a kali vm I also installed, but as it seems > ossec did not record it. Anyone can help me out? > What kind of DoS? What logs were produce

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread dan (ddp)
On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote: > We have about 480 agents reporting to the OSSEC server. The remoted server is > running constantly at 100% CPU utilization. Any suggestions on how to > remediate this please? > Is there a lot of traffic between the agents and the server? > -- > > -

Re: [ossec-list] Disable all rules for ossec server

2017-04-26 Thread dan (ddp)
On Wed, Apr 26, 2017 at 5:42 AM, Huc Manté Miras wrote: > I try to remove all includes but not work :( > You provided me with no information to help correct the issue. > On Tuesday, April 25, 2017, 17:41:56 (UTC+2), dan (ddpbsd) wrote: >> >> >> >> On Apr 25, 2017 11:25 AM, "Huc Manté Mira

Re: [ossec-list] Disable all rules for ossec server

2017-04-25 Thread dan (ddp)
On Apr 25, 2017 11:25 AM, "Huc Manté Miras" wrote: Hello, I try to disable all rules to ossec server. This is possible? Have you tried removing the rules from the server's ossec.conf? Thanks!! -- --- You received this message because you are subscribed to the Google Groups "ossec-list"

Re: [ossec-list] Opening port for ossec server/agents

2017-04-25 Thread dan (ddp)
On Apr 25, 2017 11:37 AM, "Martin" wrote: Hello, I'm getting a bit lost with the port opening for ossec. Let's say I have 3 machines running on ubuntu 16.04. I do a fresh install of OSSEC manager on the machine A and a fresh install of ossec agent on both B & C. Now I want to register my machi

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp)
> befuddle ossec? (I get I'll lose the change history.) > You should be able to delete the files. I don't generally use the diff option, so haven't tested this all myself. > > > On 04/20/2017 01:29 PM, dan (ddp) wrote: >> >> On Thu, Apr 20, 2017 at 1:02 PM,

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp)
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS wrote: >> If you need them shrunk, you'll have to clear the databases. > > How? > When resurrecting 2+ year old threads, it might be best to offer more context. To clear a syscheck db: 1. stop the ossec processes on the server 2. /var/ossec/bin/syscheck_co

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) wrote: > On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: >> How would I go about checking if AR is disabled on agents? Checking config >> files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this >> on

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: > How would I go about checking if AR is disabled on agents? Checking config > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this > on Ubuntu > I think it's enabled by default. This is all I have on one of my agents:

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote: > Still no luck. Just to verify, the scripts should be located in > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't > really telling me anything either. > Yep, that's where they go. AR isn't disabled on the agents is it?

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote: > Yes test.sh is on the agent. Execd is also running and yep the alert is > firing. > Try removing the level option and leave just the rules_id. > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: >> >> On Wed, Apr 19, 2017

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote: > Hello, > > I'm pretty new to OSSEC and I'm working to get some active responses > working. I have tried a number of different active responses but cannot seem > to get it to work anywhere (not on the server or agents). I'm now trying a > simple

Re: [ossec-list] Alert suppression sha1sum

2017-04-19 Thread dan (ddp)
On Mon, Apr 17, 2017 at 11:09 AM, Kumar G wrote: > Hi Team, > > In our ossec environment we are getting lots of sha1sum alerts (even though > its not configured) and that are irrelevant to us. Is there any way to > suppress these alerts? > > ** Alert 1491577582.15621: mail - ossec,syscheck, > > 2

Re: [ossec-list] OSSEC Agent not works

2017-04-15 Thread dan (ddp)
On Sat, Apr 15, 2017 at 4:57 AM, Руслан Аминджанов wrote: > Reinstalled on both server and client, enabled debug mode. Still same > situation. > Are there any relevant logs in the server's ossec.log? Are there any relevant logs in the agent's ossec.log? Help me help you. > Friday, April 14, 201

Re: [ossec-list] Variables for monitoring syslog files in subfolders

2017-04-14 Thread dan (ddp)
On Fri, Apr 14, 2017 at 9:28 AM, Paul wrote: > Another tech set up a kiwi syslog server on a Windows machine and I am > trying to monitor those files with ossec. (v2.8.3) > However, the way things are setup, each device has its own folder with the > logs going inside of them. Here is an example: >

Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-14 Thread dan (ddp)
On Thu, Apr 13, 2017 at 9:24 PM, weisst wrote: > windows 2012 r2 error > 问题签名: > 问题事件名称:APPCRASH > 应用程序名:win32ui.exe > 应用程序版本:0.0.0.0 > 应用程序时间戳:58ef28a9 > 故障模块名称:StackHash_bc03 > 故障模块版本:6.3.9600.17415 > 故障模块时间戳:5450559e > 异常代码:c374 > 异常偏移:P

Re: [ossec-list] OSSEC Agent not works

2017-04-14 Thread dan (ddp)
On Fri, Apr 14, 2017 at 4:21 AM, Руслан Аминджанов wrote: > Yes, I done it. > Configure debug mode on the OSSEC server (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`). Then check the server's ossec.log again to see if an error is produced. > -- > > --- > You

Re: [ossec-list] OSSEC Agent not works

2017-04-13 Thread dan (ddp)
On Thu, Apr 13, 2017 at 6:09 PM, Руслан Аминджанов wrote: > Hello! > I installed OSSEC server and client on 2 hosts, however the agent showed as > "Never connected". There is no firewall between these hosts and if I use > netcat to connect to server its log shows that message is not properly > formatted.

Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-13 Thread dan (ddp)
On Thu, Apr 13, 2017 at 5:14 AM, weisst wrote: > Dear all > > I try to compile windows 64bit on Ubuntu 16.10, and I install depend > > sudo apt-get install build-essential -y > sudo apt-get install nsis nsis-common -y > sudo apt-get install mingw-w64 mingw-w64-common mingw-w64-x86-64-dev -y > > i fin

Re: [ossec-list] How soon does an agent disconnect appear

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 4:01 PM, Nikki S wrote: > How long does it take for the agent to appear as 'disconnected'? I read on > another thread that the 'keep alive' needs to fail three times. I could not > find where we set the frequency of the agent check in. > I think it's 10 minutes, and I don

Re: [ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 1:40 PM, Rob Williams wrote: > Essentially, I want to trigger an active response for a rule that I created > that has a severity level of 0. I created this rule because I did not want > to be alerted on the default rule and only wanted to be alerted based on the > output fr

Re: [ossec-list] File deletion ,Integrity checksum and sending mail fails.

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 6:28 AM, wrote: > Hi, > > I do not receive file deletion alert in latest 2.9.0 version, > Also any changes made to the file are not reported before. > I haven't tested this, but I'll give it a shot. > Also maild daemon fails sending the mail. I fixed it by copying the hos

Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil wrote: > I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS. > The issue started after I added in more disk since I ran out of space in / > I really wish SO would partition their system properly. Big /, nothing else is very annoying. Che

Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel wrote: > Perhaps this is way off base, but have you added an agent for localhost ? In > my context of a new install, a ton of issues went away after I added an > agent for the localhost (name=localhost, IP=127.0.0.1). Didn't export the > key or anythin

Re: [ossec-list] OSSEC upgrade from 2.8.3 to 2.9 RC5 DBD error

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Dayne Jordan wrote: > DISREGARD - major faux pas on my part from previous... it's alert not alerts > table (singular). > > Alert table does exist, however the column "level" does not, i will create > it manually. > > MariaDB [ossec]> describe alert; > +-

Re: [ossec-list] Pass active response script to agent

2017-04-07 Thread dan (ddp)
On Fri, Apr 7, 2017 at 7:30 PM, Rob Williams wrote: > Hello, > > I assume this should be pretty simple but I've been troubleshooting an > Active Response I setup with a custom script and rules/decoders. Everything > looks like it should be operating correctly, but I could not get it to work. > After ch

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp) wrote: > On Thu, Apr 6, 2017 at 1:29 PM, Jake B. wrote: >> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is >> there any way to use the agent's name in a rule or decoder? I have my agents >> na

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:29 PM, Jake B. wrote: > Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is > there any way to use the agent's name in a rule or decoder? I have my agents > named after the hostname so I was thinking that could potentially be another > option. Don't s

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams wrote: > Hi, > > I tried to do this, but I'm getting: > > ERROR: Parent decoder name invalid: 'rootcheck' > ERROR: Error adding decoder plugin > > I don't see the rootcheck decoder within decoder.xml as well, any ideas? > It must be one of the built in

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:13 AM, Jake B. wrote: > I'm not sure if this is a problem with the OSSEC configuration or the host > itself, but there are some events where the logs or full message only have > some of the information I need. For example, this will be the full message I > receive (2016

Re: [ossec-list] Redundancy manager (backup)

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:32 AM, Martin wrote: > Hello Victor, > > I tried to run a second manager and I've the same file > /var/ossec/etc/client.keys on it and on the first manager. I've copied the > local_rules, ossec.conf, local_decoder as well. > > And I've specified on the agents to listen on

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams wrote: > I stopped them all (which appeared to work fine) and start again. Here is > the rule and decoder I made for this (I want to alert only once if the same > ID (filepath) has alerted in the past minute): > > > > 510 > > > > This is m

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote: > Yes I have, I've also tried to disable all the relevant changes I've made, > restart, and still have the same issue. > Try stopping the ossec processes, verify that ossec-analysisd has stopped (sometimes it doesn't and causes issues), and star

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote: > Hi all, > > I'm running into an issue where rule 510 is triggering and I'm getting > spammed with alerts but I can't seem to tune it correctly. What's weird is > that I am still getting alerted for rule 510 for this log, but I can't > figure ou

Re: [ossec-list] Ossec 2.90 - Issue alerts for Windows 1002

2017-04-03 Thread dan (ddp)
There was a major issue with the windows decoder in 2.9.0. Grab the decoders from MASTER or 2.9.1 branch and try those On Apr 3, 2017 12:59 PM, "Charles Profitt" wrote: I have checked the agent and server versions and they are 2.9.0. I am getting all my alerts from Windows as rule 1002. I am

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-31 Thread dan (ddp)
>>>> configuration and it worked. But when I disabled IPv6 I got the >>>> same errors you have. >>>> >>>> Please try to enable IPv6 on the running system with: >>>> >>>> sysctl -w net.ipv6.conf.all.disable_ipv6=1 >>>

Re: [ossec-list] cannot get policy auditing to work

2017-03-29 Thread dan (ddp)
On Tue, Mar 28, 2017 at 5:16 PM, Keith Goodlip wrote: > I've been trying to setup policy audit in a lab I've set up to no avail. > > My setup is 2 servers (server, client) using CentOS 7.3 and RPMs from the > atomic repository (selinux, firewalld are disabled) (ipv6 is enabled) > > All server proc

Re: [ossec-list] Re: %AppData% alert on new file creation proper setup

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 4:26 AM, wrote: > Hello Dan, > > Thank you for your feedback. I have changed the frequency to 900 > sec, and inspected the ossec.log. I noted that inside the log file none of > the agent.conf directories were present. Any theories on why the ossec.conf > syscheck

Re: [ossec-list] OSSEC Agents Unable to Connect to Server

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker wrote: > OSSEC agents this morning were working without issue and then began > reporting as Disconnected. Agent logs are returning the following error: > > 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for > permission... > > 2017/03/27

Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 11:25 AM, wrote: > Hi All, > > So I am currently still troubleshooting, but noticed that the syslog-ng > process was listening on 514 TCP, but also had an entry for 514 UDP, which > is the protocol I've set within my ossec.conf. Could this be part of the > issue? My guess

Re: [ossec-list] Can the windows agent report to Wazuh and OSSIM simultaneously?

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 12:52 PM, Joel Fries wrote: > Am I able to setup the OSSEC windows agent to report to both a Wazuh and a > OSSIM server at the same time? > There is no support in the OSSEC agent to report to 2 destinations simultaneously. It is possible that Wazuh has that capability. OSS

Re: [ossec-list] Do I need to create a new decoder for a custom rule?

2017-03-25 Thread dan (ddp)
On Sat, Mar 25, 2017 at 6:32 PM, Justin Redman wrote: > I'm receiving generic level 2 rule 1002 "Unknown problem somewhere in the > system" alerts. It is opendkim reporting "bad signature data" in syslog when > receiving email from some domains. Unfortunately not everyone seems to be > on the ope

Re: [ossec-list] %AppData% alert on new file creation proper setup

2017-03-25 Thread dan (ddp)
On Sat, Mar 25, 2017 at 4:54 AM, wrote: > Hello fellow googlers, > > > The GOAL: > > For every user on my windows OSSEC agent, generate OSSEC alert severity 10 > when new file added to > > C:\Users/*/%AppData%/Local/Temp directory > > Where star was supposed to be the wildcard place holder to ins

Re: [ossec-list] Re: Modify rules

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote: > I went with the first option. Works as expected but now I need to adjust the > number of fails before the ip is blocked.. Where do I do that? > Try using 5720 for the rule to trigger active response. It looks for 8+ instances by default. > >

Re: [ossec-list] Custom decoder & rules not working

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote: > Hello, > > I've those kind of log coming from a custom app >> >> >> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 >> [] [] > > > I'm trying to block an ip with too much authentication failure. > > So I did a custom deco

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote: > Hi dan, I don't have ipv6 enabled in my linux system, so I don't have inet6 in > my ifconfig configurations, only ipv4. > > Can this have caused the problem? > I think having ipv6 support is necessary now. You don't need to have a

Re: [ossec-list] Re: Agentless ssh monitoring fails to connect every time

2017-03-22 Thread dan (ddp)
On Tue, Mar 21, 2017 at 7:11 PM, Marcin Gołębiowski wrote: > Trying to debug with expect I got: > expect -d agentless/ssh_integrity_check_linux u...@server.com > /directory/to/check > expect version 5.45 > argv[0] = expect argv[1] = -d argv[2] = > agentless/ssh_integrity_check_linux argv[3] = u

Re: [ossec-list] Syslog Forward Configuration Resulting in a Failure

2017-03-22 Thread dan (ddp)
On Tue, Mar 21, 2017 at 2:53 PM, Marc Baker wrote: > I am attempting to forward OSSEC logs to a SIEM via syslog. Recommended > configuration in the documentation is: > > > 192.168.4.1 > > > > > The SIEM recognizes json format on port 5500 so I've configured logs to that > formatted and s

Re: [ossec-list] Drop IP on all agents

2017-03-22 Thread dan (ddp)
On Wed, Mar 22, 2017 at 7:05 AM, Martin wrote: > Ok the problem was that I thought that all as stated in > the doc would execute the command everywhere (meaning on all the agents & > the server). > > But "all" means all the agents except the server. Thanks for pointing that out. I could have swor

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-22 Thread dan (ddp)
On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote: > When I install ossec 2.9.0 on RHEL 7.3 (no IPv6 feature and address) I have Is IPv6 totally disabled for your system (support for IPv6 was removed)? > a problem with ossec-remoted and ossec-auth: these services can't bind ports >

Re: [ossec-list] Journald again

2017-03-22 Thread dan (ddp)
On Wed, Mar 22, 2017 at 8:20 AM, Per-Erik Persson wrote: > Is anyone working on this? Not that I'm aware of. > Or is there any way to feed the journald logs to the ossec agent? > Or am I supposed to install rsyslog and forward the logs to the ossec server? > Any way to feed ossec with log events from

Re: [ossec-list] timeout - ossec-agentlessd: ERROR: ssh_generic_diff: ossec

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 6:44 AM, Eduardo Reichert Figueiredo wrote: > Hi Dan, I have success when I run the command below. > > # su ossec -s /bin/bash -c 'cd /var/ossec && expect > agentless/ssh_generic_diff user_ossec@SERVIDOR-01 ls -lah' > Connection to SERVIDOR-01 closed. > INFO: Finished. > >

Re: [ossec-list] Drop IP on all agents

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 7:11 AM, Martin wrote: > Hello, > > Thank you for your answer. > > I modified the Active-Response in the file /var/ossec/etc/ossec.conf to look > like this; > > > > > host-deny > all > 6 > 600 > > > > > > firewall-drop > all >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 11:33 AM, wrote: > Here is the output: > > udp 0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng > So syslog-ng is listening for incoming messages. You'll have to figure out what syslog-ng is doing with the log messages. > This is the only instance... >

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-15 Thread dan (ddp)
On Wed, Mar 15, 2017 at 4:15 PM, Ralph Durkee wrote: > Dan, > > > When I started this I was apparently using some old documentation, > probably the book you wrote several years ago, and the parameter examples > were limited. Also the newer docs show a limited set of > directives, so I'm wonde

Re: [ossec-list] timeout - ossec-agentlessd: ERROR: ssh_generic_diff: ossec

2017-03-15 Thread dan (ddp)
On Mon, Mar 13, 2017 at 9:59 AM, Eduardo Reichert Figueiredo wrote: > Dear all, > I have the ERROR below on my ossec server, and no alerts are generated from > Linux (agentless) in ossec. > I searched for similar errors in these forums but I didn't find a solution. > > Can you help me? > > 2017/03/13 10

Re: [ossec-list] Email alerting triggered for one specific AD user.

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 1:51 PM, BeesZA wrote: > Hi All, > > I am very new to OSSEC and I need some help with a simple issue. I need an > example rule for the following: > > I have a user who has a granular password policy applied to him; this > policy says that this account cannot be locked out

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 3:37 PM, wrote: > Hello, yes: > > root@xx:/var/log# netstat -tuna | grep 514 > tcp 0 0 0.0.0.0:514 0.0.0.0:* > udp 0 0 0.0.0.0:514 0.0.0.0:* > > Adding -p to that could tell you the process using that port. `netstat -ptu

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz wrote: > Hello, > > In order to permit OSSEC to receive your Symantec syslog messages, you need to > enable this in the configuration: > Unless you're using a proper syslog daemon, which may already be listening on that port. > Listen on port 514: >
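
The block Jose Luis refers to (lost in the archive) is a <remote> section with a syslog connection, which makes ossec-remoted itself listen for syslog and hand the messages to the analysis engine. The following is an added example, not the configuration from the thread; the sender address 192.0.2.10 is a placeholder for the Symantec host.

```xml
<!-- ossec.conf on the manager (added example). Kept separate from the
     <connection>secure</connection> block that agents use on 1514. -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- only accept datagrams from the host(s) that should be sending;
         192.0.2.10 is a placeholder for the Symantec management server -->
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
```

Two checks before relying on it. First, as Dan notes, a local syslog-ng or rsyslog may already own udp/514; if netstat -tulnp (or ss -lunp) shows another process on the port, ossec-remoted cannot bind and the block does nothing, so either stop that listener or move OSSEC to a free port and point the sender there. Second, allowed-ips is an address filter on unauthenticated UDP: any host able to spoof that source address can inject log lines, and with active response enabled that means injecting events that trigger blocks, so treat the syslog path as trusted-network only.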

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 5:44 PM, Ralph Durkee wrote: > Yes, I got the production system working against a test attack script. Will > monitor it to do tuning for the real flurries of bogus DNS queries, and will > try the duplicate / twin decoder name to see if that works. An override > option for

Re: [ossec-list] Drop IP on all agents

2017-03-15 Thread dan (ddp)
On Wed, Mar 15, 2017 at 7:25 AM, Martin wrote: > Hello, > > First, I'm sorry if the question has already been asked. > > So what I'm trying to achieve is this: > > If someone fails to log in too many times on one of my agents, I want this IP > to be dropped on all the other agents and the server. > > Sam
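
As the later replies in this thread establish, <location>all</location> runs the response on every agent but not on the manager, so a fleet-wide block plus the server needs two active-response entries. The following is an added example, not Martin's configuration: it binds to rule 5720 (the sshd brute-force rule discussed in the 23 March thread) rather than to a level, and the 600-second timeout is the value Martin used.

```xml
<!-- ossec.conf on the manager (added example). The command definition is
     the stock firewall-drop entry; firewall-drop.sh ships in
     /var/ossec/active-response/bin on each agent. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <!-- the script is given the srcip field decoded from the alert -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- "all" = every agent, but not the manager itself -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- second entry so the manager blocks the address too -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Binding by rules_id is narrower than the <level>6</level> seen elsewhere in this thread: a level threshold fires the block for every alert at or above it, including rules that decode a srcip the operator never intended to block. Because one agent's alert now produces a drop on every host, it is worth adding the management and monitoring addresses to <white_list> in the <global> section so a spoofed or mis-decoded event cannot lock the operators out fleet-wide.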

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread dan (ddp)
On Mar 14, 2017 10:57 AM, wrote: Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working: **Phase 2: Completed decodin

Re: [ossec-list] Ossec - modify message (add tag)

2017-03-13 Thread dan (ddp)
On Mar 13, 2017 11:50 AM, "Martin Dulovič" wrote: Hello, I have this problem, you could say. I need OSSEC to crunch modified logs (syslogs). Our syslog message is as follows. *Example message:* [syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control channel, closing connection;

Re: [ossec-list] Ossec rule to parse two patterns with OR

2017-03-10 Thread dan (ddp)
On Fri, Mar 10, 2017 at 3:37 AM, Ieva wrote: > Hello > Maybe someone can help a newbie write a first OSSEC rule. I tried to read > OSSEC book chapter 4 „Working with rules“ but it didn't help. So I have > Windows event logs and want to write a rule with a regex to drop events > with specific

Re: [ossec-list] ossec-logcollector: socketerr (not available).

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 9:42 AM, "Eduardo Reichert Figueiredo" < eduardo.reich...@hotmail.com> wrote: Dear all, my ossec doesn't list agentless servers with the command "agent_control -l", and in my ossec.log I have the log below. 2017/03/06 11:27:54 ossec-logcollector: socketerr (not available). 2017/03/06 11:30:04
