Re: [ossec-list] Problem with rule 18257

2016-11-21 Thread Jesus Linares
Hi all, nice catch, Dan! Unfortunately, rule 18257 is still triggering. The log is related to a "Database update" and rule 18257 is for logins. So, I think we should add a rule to ignore this kind of log. Regards. On
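An added example of the kind of override rule proposed above, written for this page and not taken from the thread or from the OSSEC project's rule set. It assumes rule 18257 exists as the thread describes it (a Windows login rule) and that the misfiring events carry the literal "ESENT" source seen in Kevin's quoted event line; the local rule ID 100257 is an arbitrary choice from the range OSSEC reserves for local rules, and the file is local_rules.xml so the stock rule set is left untouched.

```xml
<!-- Example override for local_rules.xml (added here; assumptions noted inline).
     A child rule at level 0 matching the same event silences the parent
     alert without editing msauth/windows rule files that upgrades overwrite. -->
<group name="local,windows,">
  <rule id="100257" level="0">
    <!-- Assumption: 18257 is the login rule discussed in this thread. -->
    <if_sid>18257</if_sid>
    <!-- Assumption: the misfiring Application-log events name ESENT as
         their source, as in the quoted "INFORMATION(302): ESENT:" line. -->
    <match>ESENT</match>
    <description>Ignore ESENT Application-log events that match login rule 18257</description>
  </rule>
</group>
```

Restart ossec-analysisd (or the whole manager) after adding the rule, then replay the offending event through ossec-logtest to confirm it now terminates at 100257 with level 0 rather than at 18257.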

Re: [ossec-list] Agent Syscheck Frequency Issue

2016-11-21 Thread Jesus Linares
Hi Yousif, as Dan said, the minimum is around 300 seconds. Do not set a lower value. It is possible to improve the syscheck performance by changing these options in local_internal_options.conf: syscheck.sleep=2 // change to 1 or 0 syscheck.sleep_after=15 // change to a greater value By

Re: [ossec-list] Problem with rule 18257

2016-11-21 Thread dan (ddp)
On Mon, Nov 21, 2016 at 8:09 AM, dan (ddp) wrote: > On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch > wrote: >> Rule 18257 appears to be prone to misfire. I see it tripping for things >> like this: >> >> 2016 Nov 18 10:37:26 WinEvtLog:

Re: [ossec-list] Problem with rule 18257

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch wrote: > Rule 18257 appears to be prone to misfire. I see it tripping for things > like this: > > 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no > user): no domain: BNC-O9020: Music.UI

Re: [ossec-list] A few comments on default active-response settings

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 6:00 PM, Christina Plummer wrote: > My 2 cents: > > 1) I got tripped up by the fact that the default alert level to trigger an > active response is 6, while the default alert level to trigger an email is > 7. There were a number of times when

Re: [ossec-list] A few comments on default active-response settings

2016-11-21 Thread dan (ddp)
On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt wrote: > Hi Dan, > > Since I skipped answering this: > > On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote: > >> > Except in a context of anon FTP servers (does anyone run those any more?) >> > blocking IPs because they

Re: [ossec-list] Agent Syscheck Frequency Issue

2016-11-21 Thread dan (ddp)
On Mon, Nov 21, 2016 at 7:34 AM, Yousif Johny wrote: > Hi all, > > I've been having this weird issue with OSSEC. I set up an agent on one > server, and things seem okay at first. > > When I modify a file that is being monitored (/etc/passwd) I'd have to wait > a significant

[ossec-list] Agent Syscheck Frequency Issue

2016-11-21 Thread Yousif Johny
Hi all, I've been having this weird issue with OSSEC. I set up an agent on one server, and things seem okay at first. When I modify a file that is being monitored (/etc/passwd) I'd have to wait a significant time for it to trigger an alert (unless I manually run syscheckd). So I went to