Re: [ossec-list] Re: File content changes not reported thru email

2018-05-07 Thread dan (ddp)
On Mon, May 7, 2018 at 1:09 AM, Vibin K Madampath wrote: > Appreciate any help. > > Regards, > Vibin > > On 3 May 2018 at 15:13, Vibin K Madampath wrote: >> >> Hello Team, >> >> OSSEC is not reporting the file content changes thru email even though it >>

Re: [ossec-list] OSSEC and TLS

2018-05-07 Thread dan (ddp)
On Fri, May 4, 2018 at 7:21 PM, DG wrote: > Hi, > > I am a total newb to ossec so I apologize ahead of time. I have been tasked > to see if OSSEC can be leveraged to alert on TLS version used for > connections on a given instance/vm/computer. > > So far I know if I have

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread dan (ddp)
On Mon, May 7, 2018 at 10:13 PM, dan (ddp) wrote: > On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин > wrote: >> Hi guys! >> >> Is there an ability to configure resolving hostname in alert from syslog >> device (not an agent)? >> >> For example can :

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread dan (ddp)
On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин wrote: > Hi guys! > > Is there an ability to configure resolving hostname in alert from syslog > device (not an agent)? > > For example can : > > Received From: ids->10.10.19.1 > > look like > > > Received From:

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Jared Greene
Hello, If it helps, we use labels (Wazuh) on every agent so that we have the host name for every log, even if the host name and ip are not in the logs. We have our own agent that installs the ossec, Nessus and all beats agents and populates the labels automatically for all of our customers.

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Александр Канайкин
Thanks anyway. Still searching for resolution. On Mon, May 7, 2018, 21:36 David Lang wrote: > Sorry, I'm replying to a different mailing list than I thought I was (I > thought > I was replying to a message on the rsyslog mailing list) > > On Mon, 7 May 2018, David Lang wrote: > >

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread David Lang
Sorry, I'm replying to a different mailing list than I thought I was (I thought I was replying to a message on the rsyslog mailing list) On Mon, 7 May 2018, David Lang wrote: please log some message using the template RSYSLOG_DebugFormat so that we can see what variables are in there. There

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread David Lang
please log some message using the template RSYSLOG_DebugFormat so that we can see what variables are in there. There is not a direct way to call name resolution if you have an IP address in the content, but you could use a table lookup. David Lang

[ossec-list] Re: OSSEC and TLS

2018-05-07 Thread DG
Thanks Bill. This makes complete sense. In fact it is something I had tested (searching through log for a match). I was curious if there is a way to have OSSEC perform TLS version checks rather than introducing a script/program that looks for TLS, writes to a log and then have OSSEC parse

[ossec-list] Re: Pivoting in Windows Server

2018-05-07 Thread alberto . rodriguez
Hello. As we discussed here: https://groups.google.com/forum/#!topic/wazuh/vdKsdOQX0QE Sysmon provides the information that you need. Hope it helps. Best regards, Alberto R. On Wednesday, April 25, 2018 at 7:28:01 PM UTC+2, Aj Navarro wrote: > > Hi everybody… > > > > Can the rootchek

[ossec-list] Re: OSSEC and TLS

2018-05-07 Thread Bill Price
Easiest is to write a local rule using the Match directive. Example: Found TLS version Lower than V1.2. You can use ossec-logtest to verify the results. Was it helpful? On Friday, May 4, 2018 at 7:23:08 PM UTC-4, DG wrote: > > Hi, > > I am a total newb to ossec so I apologize ahead of time. I

[ossec-list] Re: Using regex to match specific URL

2018-05-07 Thread venizia03
Indeed the problem is the compiled rule : /* Example 4: Checking if a HTTP request is a simple GET/POST without a query * This avoid that we call the attack rules for no reason. */ void *is_simple_http_request(Eventinfo *lf){ if (!lf->url) {return (NULL);} /* Simple GET /

[ossec-list] Re: [Windows] Problem with eventchannel

2018-05-07 Thread alberto . rodriguez
Hello Richard. You could be able to forward this event channel by XPATH query like this: USB eventchannel \ \ \*\ \ \ But, unfortunately, Ossec doesn't allow escaping some characters. This is fixed in this commit:

[ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Александр Канайкин
Hi guys! Is there an ability to configure resolving hostname in alert from syslog device (not an agent)? For example can : Received From: ids->10.10.19.1 look like Received From: ids->asa123 or Received From: ids->asa123.example.com Thanks in advance.