Refer to this thread about a similar discussion:
http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b
Below is a snip from the thread above which shows you the sequence
numbers.
Here I have enabled service sequence-numbers on the router. From the
log file, you can
Because I can't get Ossec to properly work with Cisco IOS logs I've
opted to use local_rules.xml and place my rules in there.
<rule id="12" level="5">
<match>%SYS-5-CONFIG_I</match>
<description>Configuration change detected.</description>
</rule>
<rule id="13" level="7">
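As an added illustration (my own code, not from the thread or the OSSEC project), the following Python checker applies the poster's rule 12 to constructed Cisco IOS syslog lines logged with `service sequence-numbers` enabled; the sequence-gap tracking is an assumption of mine about why the sequence numbers are useful, not something the thread states.

```python
import re

# Constructed sample: Cisco IOS syslog as received by a collector, with the
# router's "service sequence-numbers" counter in front of the IOS timestamp.
SAMPLE_LOG = """\
Jan 12 10:01:02 10.0.0.1 000041: *Jan 12 10:01:01.233: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
Jan 12 10:01:05 10.0.0.1 000042: *Jan 12 10:01:04.900: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Jan 12 10:01:09 10.0.0.1 000045: *Jan 12 10:01:08.120: %SYS-5-CONFIG_I: Configured from 10.0.0.77 by snmp
"""

# Mirror of the poster's local_rules.xml rule 12. An OSSEC <match> is a
# plain substring search, so a Python "in" test reproduces it here.
RULES = [
    {"id": 12, "level": 5, "match": "%SYS-5-CONFIG_I",
     "description": "Configuration change detected."},
]

# IOS line shape: "<6-digit seq>: [*]<timestamp>: %FACILITY-SEV-MNEMONIC: text"
# (the leading "*" means the router clock is not NTP-synchronised).
IOS_RE = re.compile(
    r"(?P<seq>\d{6}): \*?(?P<ts>[^:]+:\d\d:\d\d(?:\.\d+)?): "
    r"(?P<msg>%[A-Z0-9_]+-\d-[A-Z0-9_]+: .*)$"
)


def analyse(log_text):
    """Return (alerts, gaps).

    alerts: (rule id, level, router sequence number, description) per hit.
    gaps:   (last seen seq, current seq) whenever the counter skips, which
            points at lost messages (UDP drops, buffer overwrite) rather
            than a quiet router; worth its own alert in a real deployment.
    """
    alerts, gaps = [], []
    last_seq = None
    for line in log_text.splitlines():
        m = IOS_RE.search(line)
        if not m:
            continue
        seq = int(m.group("seq"))
        if last_seq is not None and seq != last_seq + 1:
            gaps.append((last_seq, seq))
        last_seq = seq
        for rule in RULES:
            if rule["match"] in m.group("msg"):
                alerts.append((rule["id"], rule["level"], seq, rule["description"]))
    return alerts, gaps


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```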
Greetings:
I was investigating Apache segmentation faults on one of the servers
monitored by ossec 1.3, and found that right before the segmentation
fault was a hack attempt against shtml.dll (a FrontPage component).
I created the following rule in /var/ossec/rules/local_rules.xml
group
Greetings:
I created a small number of sonicwall rules in /var/ossec/rules/
local_rules.xml
When I restarted ossec, it told me there was no sonicwall decoder.
When I commented out the decoder section for sonicwall in /var/ossec/
etc/decoder.xml I was told there is an error in the sonicwall
Hi all,
I am running into the same issue. I tried various combinations,
including setting the type to var_log_t, httpd_log_t and others and
changing the user to system (basically setting the enforcement as the
httpd logs), but all to no avail.
Has anyone had any luck with it? For the time being
I am launching two instances of snort with the following commands:
/usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D
/usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D
I have this in my ossec.conf file with ossec running in agent mode on
my snort sensor:
localfile
Hi,
Has anybody got any ideas of what this is: IMAP Fetch Overflow Attempt
[**] [1:3070:1] IMAP fetch overflow attempt [**][Classification: Misc
Attack] [Priority: 2] ???.???.???.???:48104 - ???.???.???.???:143
It triggers every time I try and collect email using Thunderbird on my
PC.
Props to Syndrowm for guiding me in figuring this out. Thanks Evan!
#
This will change the SELinux permissions on the /var/ossec directory
to match those of the web directory. You can get more restrictive, but
I'm unsure exactly which directories the web server would need access
to in the