[ossec-list] Re: Problem with a cisco 837 router

2007-08-31 Thread [EMAIL PROTECTED]
Refer to this thread about a similar discussion: http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b Below is a snip from the thread above which shows you the sequence numbers. Here I have enabled service sequence-numbers on the router. From the log file, you can

[ossec-list] Re: Cisco IOS question

2007-08-31 Thread [EMAIL PROTECTED]
Because I can't get Ossec to properly work with Cisco IOS logs I've opted to use local_rules.xml and place my rules in there. `<rule id="12" level="5"> <match>%SYS-5-CONFIG_I</match> <description>Configuration change detected.</description> </rule> <rule id="13" level="7"`

[ossec-list] First custom rule - please check my syntax

2007-08-31 Thread Peter M. Abraham
Greetings: I was investigating Apache segmentation faults on one of the servers monitored by ossec 1.3, and found that right before the segmentation fault was a hack attempt against shtml.dll (a FrontPage component). I created the following rule in /var/ossec/rules/local_rules.xml group

[ossec-list] Re: Ossec failed after server reboot

2007-08-31 Thread Peter M. Abraham
Greetings: I created a small number of sonicwall rules in /var/ossec/rules/local_rules.xml When I restarted ossec, it told me there was no sonicwall decoder. When I commented out the decoder section for sonicwall in /var/ossec/etc/decoder.xml I was told there is an error in the sonicwall

[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

2007-08-31 Thread Joel Gray
Hi all, I am running into the same issue. I tried various combinations including setting the type to var_log_t, httpd_log_t and others and changing the user to system (basically setting the enforcement as the httpd logs) but all to no avail. Has anyone had any luck with it? For the time being

[ossec-list] Snort Full Issue

2007-08-31 Thread Zachary Roetemeyer
I am launching two instances of snort with the following commands: /usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D /usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D I have this in my ossec.conf file with ossec running in agent mode on my snort sensor: localfile

[ossec-list] IMAP fetch overflow

2007-08-31 Thread Jonathan Hipkiss
Hi, Has anybody got any ideas of what this is: IMAP Fetch Overflow Attempt [**] [1:3070:1] IMAP fetch overflow attempt [**][Classification: Misc Attack] [Priority: 2] ???.???.???.???:48104 - ???.???.???.???:143 It triggers every time I try and collect email using Thunderbird on my pc

[ossec-list] Re: OSSEC Web Interface--Unable to access ossec directory

2007-08-31 Thread MdMonk
Props to Syndrowm for guiding me in figuring this out. Thanks Evan! # This will change the selinux permissions on the /var/ossec directory, to match those of the web directory. You can get more restrictive but I'm unsure exactly which directories the web server would need access to in the