[ossec-list] OSSEC and Postgres Install Error

2016-01-26 Thread Jason Aleksi
OSSEC seems to be ignoring Postgres during the install. This is running on Ubuntu 14.04 LTS. I already have Postgres and postgres-client installed. sudo apt-get -y install postgresql postgresql-client postgresql-contrib I get an error when I run setdb (notice it doesn't say anything about

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Xavier Mertens
I'm collecting firewall logs from many Ubuntu servers (basically the /var/log/ufw.log). In this log, I can see events about TCP, UDP and ICMP traffic (allowed or dropped). But, on my OSSEC server, in my firewall.log, I don't see any event related to the ICMP protocol... /x On Sat, Jan 23, 2016 at

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-26 Thread Daniel Cid
Yes, that would be an issue. Have you tried not sending the output to a file and using the check_diff option on the rule itself? You could do: full_command iptables -S iptables_status 3600 And then write a rule to alert on changes: 530 ossec: output:

Re: [ossec-list] OSSEC and Postgres Install Error

2016-01-26 Thread dan (ddp)
On Jan 26, 2016 7:02 AM, "Jason Aleksi" wrote: > > OSSEC seems to be ignoring Postgres during the install. This is running on Ubuntu 14.04 LTS. > > I already have Postgres and postgres-client installed. > sudo apt-get -y install postgresql postgresql-client

Re: [ossec-list] Log file not triggering alert

2016-01-26 Thread Greg Burns
Thanks for the response. I ran log test with the following output: ossec-testrule: Type one log per line. 2016-01-20T17:49:19 Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete **Phase 1: Completed pre-decoding. full event:

Re: [ossec-list] Windows malware detected

2016-01-26 Thread Derp MhicHurp
I just had this same alert happen on our build server. This system has a copy of svchost.exe in: C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356 So something caused Windows to install a side-by-side copy. The actual exe is the

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Brent Morris
Xavier, I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log - 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510 2016 Jan 26 12:00:57

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Xavier Mertens
Hi Brent, I think that I found the problem! Here is a sample of my ossec-logtest output: **Phase 2: Completed decoding. decoder: 'iptables' action: 'AUDIT' srcip: '92.222.185.1' dstip: '51.254.36.238' proto: 'ICMP' But, while diving into the source code (in

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Brent Morris
Good catch! I think the ASA provides ports just as part of internal processing of the IP translation. Perhaps they're a sequence number or provide some internal function for IOS. They seem completely random. They change to the real port in the logs when using TCP or UDP. Here are the

[ossec-list] syscheck not working with restrict option

2016-01-26 Thread Luke Hansey
If I use: /var/www/vhosts/ syscheck logs no changes to any file. If I use: /var/www/vhosts/ Works fine and logs changes to any file. Am I missing something when using the *restrict* option?