Dear OSSEC users,
Maybe a dumb question but are some of you collecting logs from Juniper SA's
(SSL VPN).
I read a very old thread on the list but grepping for Juniper in my
decoder.xml does not return any line...
I don't want to reinvent the wheel. Any decoder rules to share?
/x
--
My server
Yep, that's the one!
I'll start from this one and build my own. If working ok, I'll share...
/x
On Mon, Jul 30, 2012 at 9:06 PM, JB jjoob...@gmail.com wrote:
You probably found the work in progress in 2009:
https://groups.google.com/forum/?fromgroups#!topic/ossec-list/rQPN6sRJDNM
No decoders
+1 for GraphViz!
Sent from my iPad
On 21 Aug 2012, at 19:55, JB jjoob...@gmail.com wrote:
Interesting!
For example, OSSEC rules may be visualized similar to the program profile
as shown in http://www.graphviz.org/content/profile .
It looks like we just need to convert OSSEC rules into
I have used it since the first release. The first installation was quite funny
and I had to fix a lot of paths in the PHP code.
Then it was better and installation was quite straight forward!
/x
On Thu, Sep 13, 2012 at 2:51 PM, Derek Morris derek.morri...@gmail.com wrote:
First off this is a nice
it for:
<prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
Can you try to see if it fixes ?
thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, Nov 15, 2012 at 10:17 AM, Xavier Mertens xmert...@gmail.com
wrote:
Hello OSSEC'ers!
Is there a working decoder for 'xferlog
Hi *,
I've been using OSSEC with Splunk for a while. There is a nice app called Splunk
for OSSEC.
I recently upgraded an instance to 2.7 and activated the splunk format
option:
<syslog_output>
  <server>127.0.0.1</server>
  <port>10002</port>
  <format>splunk</format>
</syslog_output>
This config breaks
Hi Gerard,
I'm facing the same issue and wrote a patch to search for valid MD5
changes.
More details here:
http://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
Comments are welcome!
/x
On Mon, May 27, 2013 at 10:57 PM, Gerard Petersen gerar...@me.com wrote:
Hi
Hi List,
Is the OSSEC CON material published somewhere?
(from last Thursday)
/x
--
My server is com<script src=http://owned.cn/js.js>pletely secure.
Hi *,
I was implementing new rules with lookups against CDB lists using the
'match_key_value'. The goal is to look up a key AND the associated value
with a regex. Example:
<list field="user" lookup="match_key_value" check_value="^admin">lists/users/list</list>
After a lot of tests and coffee, it was impossible
a ossec_makelist if you update them
frequently)
/x
On Thu, Aug 1, 2013 at 5:56 PM, Michael Starks ossec-l...@michaelstarks.com
wrote:
On 01.08.2013 05:33, Xavier Mertens wrote:
I really needed this feature and wrote a patch to implement it
(attached to this message). It is based on a stock 2.7
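The lookup semantics the thread is about, as an added example that is not OSSEC's own code and not Xavier's patch: a small Python emulation of how a <list> condition resolves against a CDB list, covering match_key, not_match_key and the match_key_value lookup with its check_value regex. The list contents, user names and roles are constructed for the example; OSSEC's own regex dialect is approximated with Python's re, which agrees with it for the anchored patterns used here; treating a field the decoder did not extract as "no match" is an assumption.

```python
"""Emulation (added example, not OSSEC's code) of a <list> rule condition
resolving against a CDB list, including lookup="match_key_value"."""
import re
from typing import Dict, Optional

# Constructed text source of a CDB list, in the key:value format that
# ossec-makelists compiles into <list>.cdb next to the text file.
USERS_LIST = """\
# user:role
alice:admin
bob:admin-readonly
carol:operator
dave:guest
"""


def parse_cdb_source(text: str) -> Dict[str, str]:
    """Load the key:value source of a list. Only the first ':' splits the
    key from its value; blank lines and '#' comments are ignored."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip()] = value.strip()
    return table


def list_lookup(table: Dict[str, str], key: str, lookup: str,
                check_value: Optional[str] = None) -> bool:
    """Apply one <list lookup="..."> condition to a decoded field value.

    match_key        -> the field value is a key in the list
    not_match_key    -> the field value is NOT a key in the list
    match_key_value  -> the field value is a key AND its stored value
                        matches the check_value regex
    """
    if lookup == "match_key":
        return key in table
    if lookup == "not_match_key":
        return key not in table
    if lookup == "match_key_value":
        if check_value is None:
            raise ValueError("match_key_value needs a check_value attribute")
        value = table.get(key)
        # Key absent -> no match; key present -> the regex decides.
        # Assumption: Python re stands in for OSSEC's regex dialect.
        return value is not None and re.search(check_value, value) is not None
    raise ValueError(f"unknown lookup type: {lookup!r}")


def list_condition_fires(event: Dict[str, str], field: str, lookup: str,
                         list_source: str,
                         check_value: Optional[str] = None) -> bool:
    """Evaluate <list field=... lookup=... check_value=...> against one
    decoded event. Assumption: a field the decoder did not extract can
    never satisfy the condition, for any lookup type."""
    field_value = event.get(field)
    if field_value is None:
        return False
    return list_lookup(parse_cdb_source(list_source), field_value, lookup,
                       check_value)


if __name__ == "__main__":
    # Constructed decoded events (what a decoder would have extracted).
    for user in ("alice", "bob", "carol", "eve"):
        hit = list_condition_fires({"user": user}, "user", "match_key_value",
                                   USERS_LIST, "^admin")
        print(f"user={user:<6} match_key_value(^admin) -> {hit}")
```

Note the difference between "^admin" and "^admin$" for bob: the check_value is a regex over the stored value, not an equality test, so anchor both ends when an exact role is meant.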
Hi *,
Q: XenServer OSSEC?
I googled for some references but results were very poor... What's your
point?
It is not recommended to install extra software on a XenServer box.
Anybody installed an OSSEC agent? Are they some decoders/rules?
Thank you for your input!
/x
--
My server is comscript
I'm lagging with my google groups :-(
+1 for a European version of the conference!
/x
On Fri, Oct 25, 2013 at 8:31 AM, rockands...@gmail.com wrote:
wonderful, thanks for your positive feedback Jb Cheng! :)
i'd be most interested, is there any way to spread the news?
i haven't checked
://splunk.com (Splunkbase web site) and grab the *splunk for ossec
app*. good luck!
On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens xmert...@gmail.com wrote:
Hi *,
I'm testing the integration of OSSEC with Splunk. I followed the
configuration as described in the Wiki. It works!
Splunk runs
Hi List,
I introduced OSSEC in a big project where HIDS were required to protect
hosts. Those hosts are part of a SCADA network!
Does anybody have references or experiences with the deployment of OSSEC
agents in a SCADA (or any other industrial environment).
My goal is not to analyze SCADA
= ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens xmert...@gmail.com wrote:
Damn! I found the problem. I had two data-inputs created to receive syslog
messages from the OSSEC
Hi *,
Trend Micro office in Belgium is just at the same level as my company (next
door ;-)
I contacted them about OSSEC (just a question and some feedback). The answer
was:
Did you have a look at Deep Security?
:-(
On Mon, May 3, 2010 at 5:49 PM, Michael Starks ossec-l...@michaelstarks.com
Hi *,
I've been running an OSSEC instance for a while. Installation has been done in
/usr/local/ossec/.
Now, for performance reasons, I'd like to move the whole stuff to another
filesystem. The easy way is to move the ossec/ directory and symlink it.
But, is there a procedure to really reconfigure it
, 2010 at 7:33 AM, Xavier Mertens xmert...@gmail.com
wrote:
Hi *,
For a few days, I configured an OSSEC agent behind a dynamic Internet
connection (ADSL). To achieve this, I specified the whole IP pool (a
/16).
It worked perfectly.
Alas, since the last IP address change, the agent
I find the idea of a list of companies which can provide professional
services a good idea! Also for an OSSEC Certified VAS logo/program...
/x
On Mon, Mar 17, 2014 at 10:24 PM, Jb Cheng jjoob...@gmail.com wrote:
In the long term I hope to see a list of Certified OSSEC Profession
Service
Hi *,
I was just wondering if somebody has already interconnected a Fortinet
firewall with an Active-Response script? (to block offender's IP addresses)
Just to not re-invent the wheel...
This is not directly related to OSSEC but if you've some ideas to share,
ping me off list... Tx!
KR,
/x
--
Only alerts are sent to the syslog output, not logs (if you enabled the
logall feature).
/x
On Wed, May 27, 2015 at 11:20 AM, Martynas Buožis m...@nrdcs.lt wrote:
Hello
I have following configuration in /var/ossec/etc/ossec.conf :
<syslog_output>
  <server>10.10.0.11</server>
</syslog_output>
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later integrated
into the main branch), my goal was not to create geolocalized alerts.
IMHO, to add this feature, it requires a lot of patching because you need
to define a new keyword to be used in alerts like srcip, user, data,
Nice! I'll test this patch!
/x
On Wed, May 27, 2015 at 6:37 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, May 27, 2015 at 12:29 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
Hi Gil,
When I wrote this patch for OSSEC a long time ago
-execd in debug mode
and use -t to test the configuration. Maybe that way you can figure out
what is causing the issue.
On Thu, May 21, 2015 at 8:01 AM, Xavier Mertens xmert...@gmail.com
wrote:
Hi,
I don't often write to the group (I'm following it closely) but today,
I've a question...
I'd
Hi,
I don't often write to the group (I'm following it closely) but today, I've
a question...
I'd like to trigger an Active-Response script on the _server_ for _any_
alert (ex with level 10).
I don't want to deploy the script on all agents.
At the moment, here is my active-response config (for
Issue submitted!
/x
On Wed, Jan 27, 2016 at 5:04 PM, Brent Morris <brent.mor...@gmail.com>
wrote:
> Is this worth submitting as an issue to github?
>
> https://github.com/ossec/ossec-hids/issues
>
>
> On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wr
at 11:45 PM, Santiago Bassett <
santiago.bass...@gmail.com> wrote:
> I am afraid I don't understand the problem or question, maybe if you
> explain it a little bit more we can help better.
>
> Best
>
> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmert...@
18126(any)
>
> In the case of a TCP or UDP connection, you'd see Built outbound TCP
> connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to
> inside:1.2.3.4/11515 (external.ip.addr/11515)
>
>
>
> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8,
Hi *,
Maybe a stupid question but I'm investigating an issue and I've to browse
my history of firewall.log files. Problem: I find only TCP/UDP events and
nothing regarding ICMP packets?
I tested via ossec-logtest and events are correctly parsed...
I never paid attention to this in the past...
OSED ICMP 1.2.3.4:11278
> ->external.addr:11278
>
> I'm not sure what the issue might be.
>
> Also, thank you for the ossec2dshield script!!! I heard about it on the
> Internet Storm Center Stormcast, but it might be worth plugging to the list
> here too :)
>
> On Tuesday, Jan
Hi Jesus,
It worked much better! Kicking out offenders more and more now :-)
My Google-fu was also better yesterday and I found this blog post:
https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
/x
On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <
Hi *,
I'm trying to implement a new active-response rule for a specific event (1
rule ID).
It must be implemented with the tag.
Problem: I've multiple active-response rules matching this event and it
seems that OSSEC picks up the wrong one (repeated offenders are not
applied).
Any idea to debug
Thanks for the tips! I'll test again following your advice...
/x
On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote:
> Hi,
>
> I guess that your command needs an IP, so if your rule *xxx *doesn't have
> the field *srcip *extracted (by the proper decoder) the active-response
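An added example, not OSSEC's code and not any of the participants', that ties together the two active-response questions above: running a response on the server for any alert of a given level, and several <active-response> entries matching the same event while repeated offenders seem ignored. It is a Python emulation of how entries are selected for an alert and how the block timeout escalates. The semantics it encodes are assumptions stated in the code: every matching entry fires independently; an entry whose command expects a srcip is skipped when the decoder extracted none (Jesus's point); <timeout> is in seconds and <repeated_offenders> in minutes, applied in order to the 2nd, 3rd, ... offense and held at the last value. Command names, rule IDs, agent names and addresses are constructed.

```python
"""Added example (not OSSEC's code): emulation of <active-response>
selection and repeated-offender timeout escalation.
Assumptions: every matching entry fires independently; a command whose
<expect> is srcip is skipped when no srcip was decoded; <timeout> is
seconds, <repeated_offenders> is minutes for the 2nd, 3rd, ... offense,
held at the last listed value once the list is exhausted."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Alert:
    rule_id: int
    level: int
    agent: str                    # agent the event came from
    srcip: Optional[str] = None   # only present if the decoder extracted it


@dataclass
class ActiveResponse:
    command: str                  # <command> name from a <command> block
    level: int = 0                # <level>: minimum alert level (0 = any)
    rules_id: Optional[Set[int]] = None   # <rules_id>: restrict to these rules
    location: str = "local"       # <location>: local or server (the two used here)
    timeout: int = 600            # <timeout>: seconds for a first offense
    repeated_offenders: List[int] = field(default_factory=list)  # minutes, <=5
    needs_srcip: bool = True      # the command's <expect>srcip</expect>

    def matches(self, alert: Alert) -> bool:
        if alert.level < self.level:
            return False
        if self.rules_id is not None and alert.rule_id not in self.rules_id:
            return False
        return True


class ExecdEmulator:
    """Keeps the per-command, per-address offense counter that drives the
    escalating timeouts (hypothetical structure, not ossec-execd's)."""

    def __init__(self, responses: List[ActiveResponse]) -> None:
        self.responses = responses
        self.offenses: Dict[Tuple[str, str], int] = {}

    def timeout_for(self, ar: ActiveResponse, srcip: str) -> int:
        prior = self.offenses.get((ar.command, srcip), 0)
        self.offenses[(ar.command, srcip)] = prior + 1
        if prior == 0 or not ar.repeated_offenders:
            return ar.timeout                       # first offense: <timeout>
        idx = min(prior, len(ar.repeated_offenders)) - 1
        return ar.repeated_offenders[idx] * 60      # minutes -> seconds

    def dispatch(self, alert: Alert) -> List[Tuple[str, str, int]]:
        """Return (command, where-it-runs, timeout_seconds) for every
        entry that fires on this alert, in configuration order."""
        fired: List[Tuple[str, str, int]] = []
        for ar in self.responses:
            if not ar.matches(alert):
                continue
            where = "server" if ar.location == "server" else alert.agent
            if not ar.needs_srcip:
                fired.append((ar.command, where, ar.timeout))
                continue
            if alert.srcip is None:
                continue          # nothing to block: skipped, not mis-routed
            fired.append((ar.command, where, self.timeout_for(ar, alert.srcip)))
        return fired


def demo() -> List[List[Tuple[str, str, int]]]:
    """Constructed scenario: a server-side notification for any level-10
    alert, a firewall block with escalating timeouts, and a block bound
    to one custom rule ID."""
    execd = ExecdEmulator([
        ActiveResponse("firewall-drop", level=10, timeout=600,
                       repeated_offenders=[30, 60, 120]),
        ActiveResponse("notify-soc", level=10, location="server",
                       needs_srcip=False),
        ActiveResponse("fw-block-100100", rules_id={100100}, timeout=300),
    ])
    alerts = [
        Alert(5712, 10, "web01", "203.0.113.7"),   # 1st offense from this source
        Alert(5712, 10, "web01", "203.0.113.7"),   # same source again
        Alert(5712, 10, "web01", "203.0.113.7"),   # and again
        Alert(100100, 3, "web01", "203.0.113.7"),  # custom rule, low level
        Alert(5402, 10, "web01"),                  # level 10 but no srcip decoded
    ]
    return [execd.dispatch(a) for a in alerts]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The scenario shows why a level-based entry and a rules_id-based entry do not compete: each is evaluated on its own, and the offense counter is kept per command, so escalation for one entry is invisible to another. It also shows the case from Jesus's reply, where an alert without a decoded srcip simply yields no block for commands that need one.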