Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-10 Thread dan (ddp)
On Feb 10, 2017 8:13 AM, "Chris Snyder" wrote: My only counter argument to your response is that if I do the same tests with a 2.8.3 ossec server all the tests pass with the expected match of a windows log type. So something changed somewhere in the ossec server. Whether

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread dan (ddp)
On Thu, Feb 9, 2017 at 4:09 PM, Chris Snyder wrote: > update on your new code. > > I replaced the following code: > > > windows > ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: > > ^\.+: (\w+)\((\d+)\): (\.+): > (\.+): \.+: (\S+): > status, id,

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread dan (ddp)
On Thu, Feb 9, 2017 at 3:25 PM, Chris Snyder wrote: > Your new windows decoder rules work great! I'm going to throw them at my > hosts right now (better than what I've got at the moment!). > > However, I'm thinking there's a bug somewhere in some pattern matching code >

Re: [ossec-list] Debugging Unprocessed Log Entries

2017-02-09 Thread dan (ddp)
On Thu, Feb 9, 2017 at 9:48 AM, Quintin Beukes wrote: > Hi group, > > Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 > UTC 2017 x86_64 x86_64 x86_64 GNU/Linux > Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC > 2017

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread dan (ddp)
Thanks for pointing this out. It's definitely shown me a(nother) gap in our rules testing setup. I'm guessing a 2.9.1 will be coming in shortly with the changes we made to the windows decoders backported from master. Here are the new decoders if you want to give them a spin: windows

Re: [ossec-list] Re: ossec-active response, how to reference files? [Linux]

2017-02-08 Thread dan (ddp)
On Wed, Feb 8, 2017 at 2:06 PM, Nil wrote: > so i can't interact with the file that triggered the alert? seems kinda > pointless then > Feel free to submit a pull request adding the functionality. > > On Tuesday, 7 February 2017, 18:45:39 (UTC+1), Nil wrote: >> >> Hi,

Re: [ossec-list] Duplicate counts - Difference between global/local and saved global/local

2017-02-08 Thread dan (ddp)
On Mon, Feb 6, 2017 at 1:49 PM, Steve Dimoff wrote: > Hey everyone, > > I've been searching through this group and I couldn't find any reference of > someone explaining the difference between global / local and then saved. > > I'm trying to figure out WHY the duplicate

Re: [ossec-list] Debugging agent connectivity

2017-02-08 Thread dan (ddp)
On Wed, Feb 8, 2017 at 7:36 AM, Quintin Beukes wrote: > Hi group, > > I'm trying to debug why my agents are always showing disconnected. They > would work for a bit, and then randomly stop working. Some agents will > disconnect permanently, some intermittently switch

Re: [ossec-list] ossec-active response, how to reference files? [Linux]

2017-02-08 Thread dan (ddp)
On Tue, Feb 7, 2017 at 12:40 PM, Nil wrote: > Hi, I would like to know how can i reference the file that triggered an > alert in order to use it with the commands > i.e If file X were modified, I would like to do a `cp /full/path/of/X > /some/other/path` > I don't believe

Re: [ossec-list] Decoder with parent and two prematches for avira virus software

2017-02-07 Thread dan (ddp)
On Feb 7, 2017 6:28 AM, "Dominik" wrote: I would like to write a decoder for a logfile with entries of the following kind: 27.01.2017,09:06:17 [INFO] Engine-Version: 8.3.42.156 27.01.2017,09:06:17 [INFO] VDF-Version: 8.12.150.34 27.01.2017,09:06:17 [INFO] APC-Version:

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread dan (ddp)
On Wed, Feb 1, 2017 at 1:12 PM, wrote: > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having > content back to being blank a number of times here without having any > interaction on the server. Has anyone else experienced this? > Did you install OSSEC

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread dan (ddp)
On Wed, Feb 1, 2017 at 12:25 PM, wrote: > Hello All, > > I am currently working on a central ossec.conf file which contains our > Windows and Linux configurations for all clients. Here are a few background > details: > > 1. We currently only have a few Linux deployments

Re: [ossec-list] Monitoring syslog activity/traffic

2017-02-01 Thread dan (ddp)
On Wed, Feb 1, 2017 at 7:14 AM, Tibor Luth wrote: > Nothing at all. That's why I thought to monitor a command output. Primarily > in the mentioned (ossec-server side) appliance. Thanks the reply. (I havent > figured out any solution yet). > Well there should be alerts when an

Re: [ossec-list] need help with a rule

2017-01-31 Thread dan (ddp)
On Tue, Jan 31, 2017 at 11:15 AM, SternData wrote: > I'm getting hammered by probes for non-existent PHP files. > > Received From: sugaree->/var/log/httpd/xxx.c om_error_log > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." > Portion of the

Re: [ossec-list] Unable to capture file integrity changes more than 3 times with auto_ignore

2017-01-31 Thread dan (ddp)
On Tue, Jan 31, 2017 at 7:06 AM, Abhijit Tikekar wrote: > Hi, > > I am unable to make work on our OSSEC instance for few > directories which are set for Real Time monitoring. OSSEC Agent version is > 2.8.3 and server is currently on 2.8.1. > Start by correcting this

Re: [ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-31 Thread dan (ddp)
On Fri, Jan 27, 2017 at 11:00 AM, Daniel B. wrote: > > Yes, via ./ossec-control -r > root@ossec-test:/var/ossec/etc# /var/ossec/bin/ossec-control -r Usage: /var/ossec/bin/ossec-control {start|stop|restart|status|enable|disable} Try `/var/ossec/bin/ossec-control

Re: [ossec-list] OSSEC 2.8.3 create custom rule

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel wrote: > Hi Guys > > > I am looking to create a new custom ossec rule to capture a specific phrase in > a log. > I have added the required directory to the ossec.conf > monitoring. > > LOG Sample: > > 2016-07-24 11:43:22,707 INFO

Re: [ossec-list] Create rules for custom decoder (netasq/stomshield firewall)

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 10:46 AM, Bertrand Danos wrote: > Hello, > > I still have some problems with my custom rules. > How to generate 3 different alerts depending on the messages. > > > Here are my steps : > > 1) Add log file to monitor > * Edit the file etc/ossec.conf

Re: [ossec-list] how to modify the apache log decoder to accept dash in time

2017-01-31 Thread dan (ddp)
On Sun, Jan 29, 2017 at 2:54 PM, wrote: > My web servers logs are being decoded as 'pure-transfer' instead of as an > apache log due to the time format, which includes a dash '-". If I remove > the dash, then the logs are decoded as apache logs. I believe I have to >

Re: [ossec-list] Monitoring syslog activity/traffic

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 9:14 AM, Tibor Luth wrote: > Hi all! > > I have a few datasources sending remote syslog to an OSSIM appliance running > Rsyslog (udp or tcp/514) and OSSEC server and local agent. First I would > like to generate alerts or see in logs if a datasource

Re: [ossec-list] Alerts generated despite level '0' rule being hit

2017-01-27 Thread dan (ddp)
On Thu, Jan 26, 2017 at 4:41 PM, Daniel B. wrote: > > > > full_log: > > Files hidden inside directory > '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'. > Link count does not match number of files (54,70).

Re: [ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-26 Thread dan (ddp)
On Wed, Jan 25, 2017 at 3:05 PM, Kat wrote: > My bad - I should have explained "bind" a bit more. This is actually part > of the FUSE filesystem (http://bindfs.org) > You will need to install fuse utils and Userspace programs -- example: > > #yum search fuse > > >

Re: [ossec-list] Re: Issues with Multi-server architecture

2017-01-25 Thread dan (ddp)
On Thu, Jan 5, 2017 at 11:07 AM, Lisa Li wrote: > As an update, some incomplete rsyslog related alerts are seen so that makes > me ask if my issue is related to decoders or even rules. These alerts are > generated by server-1 and not its 100 clients. Client alerts are not

Re: [ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-25 Thread dan (ddp)
On Tue, Jan 24, 2017 at 2:12 PM, Kat wrote: > There is a work-around which I have used. > Dan is correct - you can't get to the folder outside of the chroot-ed jail. > You can however, bring the folder in via: > > mount --bind /var/ossec/logs /data/logs/ossec > > The trick

Re: [ossec-list] Generating alerts based on events outside a specific time slot

2017-01-25 Thread dan (ddp)
logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo' > > **Phase 2: Completed decoding. >No decoder matched. > > **Phase 3: Completed filtering (rules). >Rule id: '2501' >Level: '5' >Description: 'User authentication failure.' > **Alert to be g

Re: [ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-22 Thread dan (ddp)
On Jan 22, 2017 4:16 PM, "Kat" wrote: The Wazuh fork is actually newer, but regardless there should never be a conflict from 2.x to 2.x with agent and server. When *With the caveat that this isn't explicitly tested. you say "conflict" - can you be more specific on the

Re: [ossec-list] Re: Profiles and agents

2017-01-20 Thread dan (ddp)
On Fri, Jan 20, 2017 at 8:25 AM, Kat wrote: > I already did. :-) > #1027 > Thanks, I missed it. It's been merged. > On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote: >> >> On Tue, Jan 17, 2017 at 3:06 PM, Kat wrote: >> > The

Re: [ossec-list] Re: Profiles and agents

2017-01-19 Thread dan (ddp)
On Tue, Jan 17, 2017 at 3:06 PM, Kat wrote: > The problem is simple - the install.sh is where this is taken care of, but > no one ever bothered to add the code when they added the variable of > USER_AGENT_CONFIG_PROFILE. > If you submit a pull request I'll bother with it

Re: [ossec-list] Date format in alerts.log (and alerts.json)

2017-01-19 Thread dan (ddp)
On Thu, Jan 19, 2017 at 12:20 PM, Marianne Härdh wrote: > Hello, > > I have a question about changing the date format in alerts.log if possible. > At the moment, I get this as an alert: > > ** Alert 1484784302.1529: - pam,syslog, > 2017 Jan 19 00:05:02

Re: [ossec-list] Generating alerts based on events outside a specific time slot

2017-01-19 Thread dan (ddp)
On Thu, Jan 19, 2017 at 11:18 AM, Bertrand Danos wrote: > Hello, > > Is it possible to generate alerts on events that are outside a specific time > slot? > > By sample, detect each user that connect on a computer outside the (08:00 - > 20:00) timeslot. > >> Jan 19 07:00:00

Re: [ossec-list] System Integrity Check questions

2017-01-19 Thread dan (ddp)
On Wed, Jan 18, 2017 at 3:27 PM, Nikki S wrote: > Hi, > > I have a couple of questions regarding FIM/System Integrity check. I'm > hoping this would help others as well starting off with OSSEC. > > When a new agent is installed does it run the system integrity check >

Re: [ossec-list] local_decoder.xml -- can't override (ignore) parent decoder

2017-01-19 Thread dan (ddp)
On Tue, Jan 17, 2017 at 2:53 PM, Daniel B. wrote: > We use weave which periodically causes a network interface to enter > promiscuous mode to sniff network traffic. This is expected behavior, and as > such, I'm looking to ignore it. > > For reference, the iptables

Re: [ossec-list] OSSEC.conf vs Agent.conf -- System Integrity check

2017-01-16 Thread dan (ddp)
On Jan 16, 2017 3:25 PM, "Nikki S" wrote: I read through some of the posts already on the list regarding this topic but I would still like some clarification on this please. I have added all the system integrity options of 'include' and 'ignore' in OSSEC.conf. Do I

Re: [ossec-list] ossec-analysisd won't start, "could not create directory"

2017-01-13 Thread dan (ddp)
On Jan 13, 2017 2:28 PM, "Joel" wrote: hi all, man, not having a good day. I was starting to run out of space on my / volume as a result of ossec logs piling up. i need to keep the logs, so i added a new drive (to the ossec VMW vm) mounted it and then moved the logs/

Re: [ossec-list] Re: syslog facility when sending to remote syslog server?

2017-01-13 Thread dan (ddp)
On Fri, Jan 13, 2017 at 11:40 AM, Joel wrote: > Thanks Dan > Sorry I didn't have better news. If you want to open an issue on the github (https://github.com/ossec/ossec-hids), we can keep it in mind when we find time to work on features. I think having more options might

Re: [ossec-list] syslog facility when sending to remote syslog server?

2017-01-13 Thread dan (ddp)
On Fri, Jan 13, 2017 at 10:26 AM, Joel wrote: > Hi all, > > I've been using ossec for a while now and I really like it. > > I'm now trying to integrate ossec with a monitoring application. I'd like > to have ossec send Alerts to a remote host via syslog. > > I have it

Re: [ossec-list] Re: ossec logs redirect to local syslog

2017-01-11 Thread dan (ddp)
On Jan 11, 2017 3:10 PM, "Mike" wrote: Hi did anyone figure out how to do this. We just started using OSSEC and I have the same question as Ali? I must be misunderstanding the question, but what happens when you point it at the local syslog listener and setup syslog to log

Re: [ossec-list] Ossec 2.8.3 problems with ossec-maild

2017-01-10 Thread dan (ddp)
On Tue, Jan 10, 2017 at 1:57 AM, Rimvydas wrote: > Hi, > > I noticed one strange thing on one of my Debian 8 boxes. I saw that I'm not > seeing mail notifications from ossec. Everything worked in the past on this > server with this ossec installation. I checked process

Re: [ossec-list] Alert ID not present JSON logs, feature request?

2017-01-09 Thread dan (ddp)
On Mon, Jan 9, 2017 at 10:01 AM, Adam Tworkowski wrote: > Hi, > > I am collecting OSSEC logs via JSON on several log collection systems (ELK, > Graylog2) and am attempting to accomplish some basic reporting with respects > to determining which host triggered an Active

Re: [ossec-list] ossec-dbd keeps disconnecting

2017-01-09 Thread dan (ddp)
On Thu, Jan 5, 2017 at 6:59 PM, Sean Roe wrote: > Hi all, > > I am having some problems keeping ossec-dbd connected. I am connecting to a > mariadb 10.0.24 database and I am running ossec 2.8.3 > Are there any clues in your mariadb logs? > here is the info from the logs: >

Re: [ossec-list] OSSEC watching SQL

2017-01-08 Thread dan (ddp)
On Jan 8, 2017 8:19 AM, "Mike Hammett" wrote: My current centralized logging environment stores syslog in MySQL. Can OSSEC watch a SQL database instead of a file? Not at this time -- --- You received this message because you are subscribed to the Google Groups

Re: [ossec-list] Re: ossec run away cat and tr process

2016-12-20 Thread dan (ddp)
On Tue, Dec 20, 2016 at 1:41 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Tue, Dec 20, 2016 at 1:40 PM, David Breise <dbre...@eticainc.com> wrote: >> [root@turpentine ossec]# cat /etc/*release >> CentOS release 6.8 (Final) >> LSB_VERSION=base-4.0-amd64:base-4

Re: [ossec-list] Re: Compile issue : undefined reference ?

2016-12-20 Thread dan (ddp)
On Sun, Dec 18, 2016 at 9:36 PM, Mohd Zainal Abidin Mamat wrote: > I'm getting same error using ver 2.8.3 on centos 7. Still seeking solution. > Verify that you have the devel packages installed. I just setup a Centos 7 VM, added the mysql community packages, and installed

Re: [ossec-list] Re: ossec run away cat and tr process

2016-12-20 Thread dan (ddp)
ing else), so I'll try with that first. Thanks for the info! > On Tue, Dec 20, 2016 at 10:31 AM, dan (ddp) <ddp...@gmail.com> wrote: >> >> On Tue, Dec 20, 2016 at 1:19 PM, David Breise <dbre...@eticainc.com> >> wrote: >> > Tested commands manually, no e

Re: [ossec-list] Re: ossec run away cat and tr process

2016-12-20 Thread dan (ddp)
On Tue, Dec 20, 2016 at 1:19 PM, David Breise wrote: > Tested commands manually, no errors returned. This is still a problem for > us. > Which distribution are you using? I'm wondering why mktemp isn't being used (or why it's failing). > On Wednesday, January 21, 2015 at

Re: [ossec-list] OSSEC Config Change alerts

2016-12-18 Thread dan (ddp)
On Dec 18, 2016 8:37 AM, "Nish" wrote: Hi, Are changes made to the *OSSEC.conf *file logged somewhere in the system? Asking because an admin inadvertently changed the notification email address and we stopped getting the alerts for sometime and then corrected it later...I

Re: [ossec-list] Notification by Level

2016-12-17 Thread dan (ddp)
It's email_alert_level, I think. It's in the ossec.conf syntax documentation On Dec 17, 2016 8:19 AM, "Mohd Zainal Abidin Mamat" wrote: > Hi, > > I want to receive email alert from level 10 and upward. How to set in > ossec.conf? > > Thanks. > > -- > > --- > You received

Re: [ossec-list] Check running process

2016-12-16 Thread dan (ddp)
On Wed, Dec 14, 2016 at 7:20 AM, Francesco Raimondi wrote: > Greetings, > > I have some problem trying to detect a process running on the machine. > Specifically, I want to detect the process "tor.exe" by using > win_applications_rcl.txt > Here's my directive: > >

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-16 Thread dan (ddp)
proto: 'ssh'", 19 proto: 'ssh') = 19 > write(2, "\n", 1 > ) = 1 > write(2, " srcip: '192.168.10.2'", 28 srcip: '192.168.10.2') = 28 > write(2, "\n", 1 > ) = 1 > write(2, &quo

Re: [ossec-list] OSSEC not Connecting to Graylog

2016-12-16 Thread dan (ddp)
On Thu, Dec 15, 2016 at 8:04 AM, Benbrahim Anass wrote: > hi everyone, > > i have an ossec Forwarding Logs to a graylog in format CEF, the port on > graylog is open, ossec telling me it's forwarding logs but when i check w\ > netstat, i dont see any connection If you run

Re: [ossec-list] Re: OSSEC not Connecting to Graylog

2016-12-16 Thread dan (ddp)
On Fri, Dec 16, 2016 at 7:54 AM, Benbrahim Anass wrote: > What a Group, Guys, Responding is so fast. Well DONE!! > Well now I definitely want to help you. > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To

Re: [ossec-list] remoted Dropping Events

2016-12-13 Thread dan (ddp)
On Tue, Dec 13, 2016 at 9:11 AM, Chris Decker wrote: > Victor, > > I'm at the point where my agents all have valid keys, so I'm unsure as to > why I have ~ 750 clients and only ~225 are reported as "active" at any one > time (all of the machines are alive and well, and

Re: [ossec-list] Does Ossec support MariaDB?

2016-12-13 Thread dan (ddp)
On Mon, Dec 12, 2016 at 7:35 PM, wrote: > Hi, > > There hasn't been any action on this topic for over a year but it was never > answered and I'm running into the same issue. What libraries is it looking > for? Is there somewhere that I can look at, possibly edit the list? Why >

Re: [ossec-list] Email Alerts on Google Compute Instances

2016-12-13 Thread dan (ddp)
On Tue, Dec 13, 2016 at 6:37 AM, flippery_fish wrote: > Hi, > > Google Compute Engine does not allow outbound connections on ports 25, 465, > and 587. > > As recommended by GCE, I have setup mailjet on 2525 which works fine for > outbound mail relay. > > Is there a way to

Re: [ossec-list] Is/will journalctl supported

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 11:56 AM, "Bill Price" wrote: We monitor a large variety of sites using ossec. We were asked to monitor a Centos 7.2 site that is using journalctl. Does Ossec 2.8.1 support log monitoring on a system using journalctl? If not, will 2.9 or any later

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 5:51 AM, "Bertrand Danos" wrote: Hello Dan, Thank you very much for your help. I've a problem with the following decoder and sample. Its generates a segfault in ossec-logtest : netasq logtype="filter" ^id=(\S+) time=\.+ fw="(\w+)" \.+

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 9:17 AM, "Chris Decker" wrote: Victor, On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: > > Hi, > > Agents should send a keepalive each 10 minutes (600 seconds) by default, > and this should be enough. But you can go down that time

Re: [ossec-list] remoted Dropping Events

2016-12-08 Thread dan (ddp)
On Dec 8, 2016 4:41 PM, "Chris Decker" wrote: All, I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between *Active* and *Disconnected*.

Re: [ossec-list] Re: important questions on CDB lists

2016-12-07 Thread dan (ddp)
On Wed, Dec 7, 2016 at 12:39 PM, Omar M wrote: > Did anyone find a solution to this problem? > > I've compiled the CDB and created the rules but cannot seem to get the > lookup to work > I'd really need more information than this to help you. -- --- You received

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-07 Thread dan (ddp)
On Wed, Dec 7, 2016 at 5:26 AM, 1kn0 wrote: > Greetings, > > I'm new to OSSEC and I didn't find an answer to my problem on the list. > I've appliance firewalls (netasq and stormshield) on a network. These > firewalls exports their log to the computer where OSSEC is installed.

Re: [ossec-list] Still having problems with OSSEC 2.8 on FreeBSD 10.3

2016-12-03 Thread dan (ddp)
On Dec 3, 2016 4:54 PM, "Eponymous -" wrote: Hi all, I've had many problems getting the OSSEC agent to start up correctly on FreeBSD 10.3 (see: https://groups.google.com/forum/#!topic/ossec-list/VDT4cTObDPQ - "Chroot directory change option.") I figured it would be best to

Re: [ossec-list] Use file with keywords on rules

2016-11-28 Thread dan (ddp)
On Mon, Nov 28, 2016 at 7:47 AM, Julio Cesar wrote: > Hello. I have a file with more than 1000 IP's blacklisted. > Have any way to include a syntax like this on custom ossec rule? > >> >> /etc/blacklist/list.txt >> Black-listed IP address >> > This is an easy use case

Re: [ossec-list] Problem with rule 18257

2016-11-21 Thread dan (ddp)
On Mon, Nov 21, 2016 at 8:09 AM, dan (ddp) <ddp...@gmail.com> wrote: > On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch > <ke...@branchnetconsulting.com> wrote: >> Rule 18257 appears to be prone to misfire. I see it tripping for things >> like this: >> >> 2

Re: [ossec-list] Problem with rule 18257

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch wrote: > Rule 18257 appears to be prone to misfire. I see it tripping for things > like this: > > 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no > user): no domain: BNC-O9020: Music.UI

Re: [ossec-list] A few comments on default active-response settings

2016-11-21 Thread dan (ddp)
make more sense. > > Christina > > On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt <w...@transpect.com> wrote: >> >> Hi Dan, >> >> Since I skipped answering this: >> >> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote: >> >&g

Re: [ossec-list] A few comments on default active-response settings

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt <w...@transpect.com> wrote: > Hi Dan, > > Since I skipped answering this: > > On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote: > >> > Except in a context of anon FTP servers (does anyone run those any

Re: [ossec-list] Agent Syscheck Frequency Issue

2016-11-21 Thread dan (ddp)
On Mon, Nov 21, 2016 at 7:34 AM, Yousif Johny wrote: > Hi all, > > I've been having this weird issue with OSSEC. I setup an agent in one > server, and things seem okay at first. > > When I modify a file that is being monitored (/etc/passwd) I'd have to wait > a significant

Re: [ossec-list] Installation error

2016-11-19 Thread dan (ddp)
On Nov 19, 2016 3:40 PM, "Zach Ogden" wrote: > > Hello, > > I am running the Windows Linux Subsystem on Windows 10. I installed ossec on the debian bash system. I ran the ./install.sh file my normal user with sudo in front of the script. Installation was successful. I cannot

Re: [ossec-list] agentless monitoring and cisco ios switches

2016-11-18 Thread dan (ddp)
On Fri, Nov 18, 2016 at 5:23 AM, Kevin COUSIN wrote: > > > On Thursday 17 November 2016 18:15:57 UTC+1, dan (ddpbsd) wrote: >> >> On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN >> wrote: >> > Hi list, >> > >> > I try to use agentless on cisco ios

Re: [ossec-list] agentless monitoring and cisco ios switches

2016-11-17 Thread dan (ddp)
On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN wrote: > Hi list, > > I try to use agentless on cisco ios switches. I add in ossec.conf > > > ssh_pixconfig_diff > 300 > user@switch > periodic_diff > > > I have ossec-agentlessd: INFO: Test passed for

Re: [ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread dan (ddp)
Did you restart the ossec processes after adding the new localfile entry? Try running the logs through ossec-logtest. On Thu, Nov 17, 2016 at 5:39 AM, Arthur Hidalgo wrote: > In the file "/var/log/secure" : > > Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]:

Re: [ossec-list] A few comments on default active-response settings

2016-11-14 Thread dan (ddp)
On Mon, Nov 14, 2016 at 10:51 AM, Whit Blauvelt <w...@transpect.com> wrote: > On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote: >> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" <w...@transpect.com> wrote: >> > >> > With a default agent ins

Re: [ossec-list] Re: email not going out - "getaddrinfo: Name or service not known"

2016-11-14 Thread dan (ddp)
On Mon, Nov 14, 2016 at 10:40 AM, Whit Blauvelt wrote: > On Sat, Nov 12, 2016 at 11:17:19AM -0800, Dave Stoddard wrote: >> If OSSEC is chrooting to /var/ossec, copy your /etc/services and >> /etc/hosts >> files to the /var/ossec/etc directory. Do not use a symlink or

Re: [ossec-list] email not going out - "getaddrinfo: Name or service not known"

2016-11-11 Thread dan (ddp)
On Nov 11, 2016 3:52 PM, "Whit Blauvelt" <w...@transpect.com> wrote: > > On Tue, Nov 08, 2016 at 04:37:04AM -0500, dan (ddp) wrote: > > > Have you tried 127.0.0.1? > > 127.0.0.1 does work. > > So this has something to do with chrooting in the current ver

Re: [ossec-list] Re: email not going out - "getaddrinfo: Name or service not known"

2016-11-11 Thread dan (ddp)
On Nov 11, 2016 3:54 PM, "Whit Blauvelt" wrote: > > On Wed, Nov 09, 2016 at 10:19:21AM -0800, Dave Stoddard wrote: > > If you are getting that message with getaddrinfo, it is likely you do not have > > an /etc/services file on your system, or smtp is not defined in the /etc/ >

Re: [ossec-list] A few comments on default active-response settings

2016-11-11 Thread dan (ddp)
On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote: > > With a default agent installation of 2.9rc3 with active response included, I > was surprised by a few things: > > 1. Too frequent connections, even successful ones with valid logins, to an >ftp or sftp server are

Re: [ossec-list] invalid option for 2.8.3 ossec-authd -k -v -x but documentation says they are there. Attached screenshot. Am I doing something wrong?

2016-11-11 Thread dan (ddp)
On Fri, Nov 11, 2016 at 1:16 PM, 'James Vernon' via ossec-list <ossec-list@googlegroups.com> wrote: > > > On Friday, 11 November 2016 17:39:18 UTC, dan (ddpbsd) wrote: >> >> On Fri, Nov 11, 2016 at 12:37 PM, dan (ddp) <ddp...@gmail.com> wrote: >> > On Fr

Re: [ossec-list] invalid option for 2.8.3 ossec-authd -k -v -x but documentation says they are there. Attached screenshot. Am I doing something wrong?

2016-11-11 Thread dan (ddp)
On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon' via ossec-list wrote: > > http://imgur.com/a/efxLo > > If you follow that screenshot, you can see what I mean. These options were > added in 2.8.1, and I have 2.8.3 yet they are invalid. Am I missing something >

Re: [ossec-list] invalid option for 2.8.3 ossec-authd -k -v -x but documentation says they are there. Attached screenshot. Am I doing something wrong?

2016-11-11 Thread dan (ddp)
On Fri, Nov 11, 2016 at 12:37 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon' via ossec-list > <ossec-list@googlegroups.com> wrote: >> >> http://imgur.com/a/efxLo >> >> If you follow that screenshot, you can see

Re: [ossec-list] Integrity Checking Issue on Windows Server 2012 R2 with OSSEC 2.8.3

2016-11-11 Thread dan (ddp)
On Fri, Nov 11, 2016 at 10:41 AM, Keith wrote: > I have a new OSSEC install on a 2012r2 box and have set up on directory I > need to monitor in realtime for any changes or modifications to this one > specific folder. It does not appear to be working so any suggestions on >

Re: [ossec-list] Re: email not going out - "getaddrinfo: Name or service not known"

2016-11-09 Thread dan (ddp)
On Wed, Nov 9, 2016 at 1:19 PM, Dave Stoddard wrote: > If you are getting that message with getaddrinfo, it is likely you do not > have an /etc/services file on your system, or smtp is not defined in the > /etc/services file. Alternatively, it could be referring to localhost -

Re: [ossec-list] rebuilt endpoint

2016-11-08 Thread dan (ddp)
On Nov 8, 2016 9:53 AM, "Derek Day" wrote: > > If i have a system that has an ossec agent running, and the system needs to be rebuilt or replaced, using same name and addresses space etc, just a pc refresh. do i need to generate a new ID and client.keys on the server side or

Re: [ossec-list] OSSEC Agent to server communication issue

2016-11-08 Thread dan (ddp)
On Tue, Nov 8, 2016 at 9:13 AM, Kumar G wrote: > Don't know if this falls under same issue. We are getting same error messages > on one of the ossec server A, no new agents addition via manage_agents or > ossec_authd were changing the status from "Never connected" to Active

Re: [ossec-list] email not going out - "getaddrinfo: Name or service not known"

2016-11-08 Thread dan (ddp)
On Nov 8, 2016 4:35 AM, "Whit Blauvelt" wrote: > > Hi, > > There have been multiple past discussions of email problems. Yet none seem > to cover this exactly. Here's what's logging, repeatedly: > > 2016/11/04 18:33:53 getaddrinfo: Name or service not known > 2016/11/04

Re: [ossec-list] getting error: ossec-remoted(1213): WARN: Message from 10.8.6.20 not allowed.

2016-11-04 Thread dan (ddp)
have to. You might need to generate new keys, but I'm not positive about that (you might be able to modify client.keys and restart the OSSEC processes on the OSSEC server). Or, if you use routing, nothing should have to change beyond that. > On Fri, Nov 4, 2016 at 9:06 AM, dan (ddp) <

Re: [ossec-list] OSSEC Signature Update Frequency

2016-11-04 Thread dan (ddp)
On Fri, Nov 4, 2016 at 6:25 AM, Jesus Linares wrote: > Hi Matthew, > > Of course, you can do the "same" procedure from OSSEC-HIDS but Wazuh is > doing a great effort to centralize, test and maintain decoders and rules > submitted by Open Source contributors and create new ones. >

Re: [ossec-list] getting error: ossec-remoted(1213): WARN: Message from 10.8.6.20 not allowed.

2016-11-04 Thread dan (ddp)
On Fri, Nov 4, 2016 at 8:43 AM, Stephen LuShing wrote: > I was able to install an osec agent to a solaris 10 server and everything > seems to be working. The only issue is I am getting this error and I think > is because the network interface has a primary and a 2 virtual

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 12:50 PM, Jit Tank <jitt...@gmail.com> wrote: > Dan - thanks for your time ... which version of ESXi are you testing > against? > 5.5 > On Thu, Nov 3, 2016 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >> On Thu, Nov 3, 2016 at 1

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 12:44 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) <ddp...@gmail.com> wrote: >> On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote: >>> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) &

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote: >> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote: >>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank

Re: [ossec-list] ossec-authd TLS1.2 only

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 12:18 PM, john homer alvero wrote: > Hello, > > Is there a way for ossec-authd to establish TLS1.2 only? The reason I'm > asking is that our vulnerability scanner is flagging the ossec-authd port > 1515 as insecure because of support for RC4 and other

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote: >> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jitt...@gmail.com> wrote: >>> Can anyone confirm the ssh_integrit

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jitt...@gmail.com> wrote: >> Can anyone confirm the ssh_integrity_check_linux agentless script works on >> the ESXi 4.x, 5.x and 6.x platforms? >> >

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote: > Can anyone confirm the ssh_integrity_check_linux agentless script works on > the ESXi 4.x, 5.x and 6.x platforms? > If you have an ESXi box, you can. > > > On Thursday, November 3, 2016 at 12:45:45 PM UTC, dan (ddpbsd) wrote:

Re: [ossec-list] File Integrity Monitoring for ESXi 4.x, 5.x and 6.x

2016-11-03 Thread dan (ddp)
On Thu, Nov 3, 2016 at 5:50 AM, Jit Tank wrote: > I note that OSSEC agent only supports VMWare ESX 3.0,3.5. > > Is it possible to perform file integrity checks on VMware vSphere ESXi 4.x, > 5.x and 6.x? > > If possible, how is this completed? By agentless monitoring or by

Re: [ossec-list] Chroot directory change option

2016-11-03 Thread dan (ddp)
/local/ossec-hids/queue/rids to >> > be >> > owned by the ossec user. >> > >> > I've no idea how this installer managed to mess this up. >> > >> > Just for reference, what should the permissions for the processes and >> > chroot di

Re: [ossec-list] OSSEC Signature Update Frequency

2016-11-02 Thread dan (ddp)
On Wed, Nov 2, 2016 at 12:00 PM, Matthew Casperson wrote: > I've been trying to track down where it details how often signatures are > updated for OSSEC. Are new signatures part of each version? E.g. if I am > on 2.8.2 and want to have the most up to date signatures

Re: [ossec-list] Chroot directory change option

2016-11-01 Thread dan (ddp)
t; The users for the processes look correct, but I don't know the permissions off hand. I'll try to look them up later. > Thanks! > > > On Tuesday, November 1, 2016 at 6:03:31 PM UTC, dan (ddpbsd) wrote: >> >> On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <ddp...@gmail

Re: [ossec-list] Chroot directory change option

2016-11-01 Thread dan (ddp)
On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - <the.e...@gmail.com> wrote: >>>> To a process chrooted to /usr/local/ossec-hids, /var/run and >>>> /usr/local/ossec-hids/var/run are the same

Re: [ossec-list] Chroot directory change option

2016-11-01 Thread dan (ddp)
On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - wrote: >>> To a process chrooted to /usr/local/ossec-hids, /var/run and >>> /usr/local/ossec-hids/var/run are the same thing. The process' root >>> directory (/) is now /usr/local/ossec-hids. So /usr/local/ossec-hids/var/run >>>
