Re: [ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Eero Volotinen
They are regexp operators: ^ is beginning of line and $ is end of line. Eero. On 28.3.2016 at 10:11 pm, "Rob B" wrote: > PS. Almost forgot to add: > > What does this mean? ^1000$|^1002$ > > The "^" and the '$' before the pipe really has me perplexed. > > Thx. > > >

[ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Rob B
^   Start of string, or start of line in multi-line pattern
\A  Start of string
$   End of string, or end of line in multi-line pattern
On Monday, March 28, 2016 at 4:20:47 PM UTC-4, Rob B wrote: > > found pipe = logical OR > > > > On Monday, March 28, 2016 at 3:11:30 PM UTC-4, Rob B wrote: >> >>

[ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Rob B
found pipe = logical OR On Monday, March 28, 2016 at 3:11:30 PM UTC-4, Rob B wrote: > > PS. Almost forgot to add: > > What does this mean? ^1000$|^1002$ > > The "^" and the '$' before the pipe really has me perplexed. > > Thx. > > > > On Monday, March 28, 2016 at 3:07:30 PM

[ossec-list] Re: id "|" or "," ??

2016-03-28 Thread Rob B
PS. Almost forgot to add: What does this mean? ^1000$|^1002$ The "^" and the '$' before the pipe really has me perplexed. Thx. On Monday, March 28, 2016 at 3:07:30 PM UTC-4, Rob B wrote: > > Heya Folks, > > I've been looking for the docs that explain the difference between

[ossec-list] id "|" or "," ??

2016-03-28 Thread Rob B
Heya Folks, I've been looking for the docs that explain the difference between the use of the '|' and the ',' when specifying the id numbers within a rule. I can't find anything that explains the use. Could someone explain to me the differences by way of use? Or provide a link that I may

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
Yes, I am using. KR, Yurii 2016-03-28 21:11 GMT+03:00 dan (ddp): > On Mon, Mar 28, 2016 at 2:09 PM, Yurii Shatylo > wrote: > > Hi Brent, > > > > I have modified configuration and now it looks: > > > > # Going into enable mode. > > send "enable\r" > >

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 2:09 PM, Yurii Shatylo wrote: > Hi Brent, > > I have modified configuration and now it looks: > > # Going into enable mode. > send "enable\r" > expect { > "*assword:" { > send "$addpass\r" > expect { > "*asswor*"

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
Hi Brent, I have modified configuration and now it looks:
# Going into enable mode.
send "enable\r"
expect {
"*assword:" {
send "$addpass\r"
expect {
"*asswor*" {
send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread Antonio Querubin
That regex looks IPv4 specific. Can you make it allow IPv6 addresses? Sent from my iPad > On Mar 28, 2016, at 05:35, theresa mic-snare wrote: > > Thanks, Dan! > I now almost got it fully working, your advice was really good! > Here's my problem, somehow the OpenBSD

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Brent Morris
When you use a standard SSH client, and go into enable mode. Does it have an uppercase P on password? I vaguely recall an issue with the case sensitivity of that script. send "enable\r" > expect { > "Password:" { > send "$addpass\r" > expect { I believe that should be

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Great, I will just do that :) Thanks for all your help! On Monday, March 28, 2016 at 17:56:09 UTC+2, dan (ddpbsd) wrote: > > On Mon, Mar 28, 2016 at 11:53 AM, theresa mic-snare > wrote: > > Awesome, this worked! > > Sweet. I'll submit a PR to change this. > > > I'm going

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 11:53 AM, theresa mic-snare wrote: > Awesome, this worked! Sweet. I'll submit a PR to change this. > I'm going to work on some more postfix rules and decoders over the next few > days, because I have tons of Level 2 - Rule 1002 alerts that I want

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 10:00 AM, Yurii Shatylo wrote: > I have done it when I added host (ASA). > In my file called .passlist I have the following record: > username@192.168.0.1|password|enablepass > When I start checking I got error only with enable authentication, the

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Awesome, this worked! I'm going to work on some more postfix rules and decoders over the next few days, because I have tons of Level 2 - Rule 1002 alerts that I want gone. Do you think they would be accepted (once they work properly) as a PR on github? On Monday, March 28, 2016 at 17:45:58 UTC+2

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 11:42 AM, theresa mic-snare wrote: > Sorry, it's this one > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not > found. Name service error for

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Sorry, it's this one 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again On Monday, March 28, 2016 at 17:39:32

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare wrote: > Thanks, Dan! > I now almost got it fully working, your advice was really good! > Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the > postfix... maybe I'd need to rearrange the order in

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread theresa mic-snare
Thanks, Dan! I now almost got it fully working, your advice was really good! Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the postfix... maybe I'd need to rearrange the order in the ossec.conf to load the postfix decoders last, because it also triggers this smtpd

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare wrote: > hmm, well I have this decoder in my ossec decoder set, > /var/ossec/etc/ossec_decoders/postfix_decoders.xml > > ^warning: > ^(\S+): hostname (\s+) verification > failed > srcip > > > don't remember if I

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
I have done it when I added host (ASA). In my file called .passlist I have the following record: username@192.168.0.1|password|enablepass When I start checking I got error only with enable authentication, the first authentication is OK. Also I tried to put enable

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread dan (ddp)
On Mon, Mar 28, 2016 at 8:07 AM, Yurii Shatylo wrote: > I have read ossec-docs but nothing found about how to set user credentials > for enable mode. If you know, please send me the doc. > Thank you in advance. >

Re: [ossec-list] new postfix rule doesn't fire....

2016-03-28 Thread dan (ddp)
On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare wrote: > Hi, > > i'm trying to write my first rules, by extending the existing postfix rules. > > here's what i'm trying to test: > > 3300 > RBL lookup error: > Host or domain name not found. Name service > error >

Re: [ossec-list] Level list

2016-03-28 Thread dan (ddp)
On Sun, Mar 27, 2016 at 11:01 AM, Tuan Anh wrote: > Hi all, > I have one problem on the level listed in groups. For example, the response > groups, alert mail groups. > Thanks! > This doesn't make any sense to me, but I just started my second cup of coffee for the day.

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
I have read ossec-docs but nothing found about how to set user credentials for enable mode. If you know, please send me the doc. Thank you in advance. KR, Yurii 2016-03-28 14:32 GMT+03:00 Eero Volotinen: > Please read docs and scripts used for this functionality. You

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Eero Volotinen
Please read docs and scripts used for this functionality. You need to supply enable password too. On 28.3.2016 at 2:15 pm, "Yurii Shatylo" wrote: > Did you mean I need to add second line to .psslist with same > credentials for ENABLE mode? > > KR, Yurii > > 2016-03-28

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
Did you mean I need to add second line to .psslist with same credentials for ENABLE mode? KR, Yurii 2016-03-28 14:10 GMT+03:00 Eero Volotinen: > you need to supply both passwords to register_host.sh > > -- > Eero > > 2016-03-28 14:04 GMT+03:00 Yurii Shatylo

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Eero Volotinen
You need to supply both passwords to register_host.sh -- Eero 2016-03-28 14:04 GMT+03:00 Yurii Shatylo: > Hello, > > Cisco settings are set up correctly because I manually logon to ASA without > any issues and run the command "show ran conf". > Do you know which line has to be

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
Hello, Cisco settings are set up correctly because I manually logon to ASA without any issues and run the command "show ran conf". Do you know which line has to be configured in the script? In password list I have registered login and password by "register_host.sh" and I successfully authenticate (without

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Eero Volotinen
You need to configure correct enable password in cisco and script too. (or to password list) -- Eero 2016-03-28 13:46 GMT+03:00 Yurii Shatylo: > Dear Colleagues, > > Some time ago I setup Cisco ASA agentless monitoring. After Brent’s > clarification I found out that I

Re: [ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-28 Thread Yurii Shatylo
Dear Colleagues, Some time ago I set up Cisco ASA agentless monitoring. After Brent’s clarification I found out that I had missed some settings, which I successfully set up. When the settings were implemented I tried to check by “./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1” command but

[ossec-list] Filter Windows Event Log at client

2016-03-28 Thread Duẩn Phạm
Hi, I have installed the new version of OSSEC v2.8.3. I have a windows ossec client. I would like to filter Windows event logs (Applications/Security/System/Application and Services Log) based on the event ids at ossec client (in order to reduce the logs forwarded to OSSEC manager). Ex: