Re: [ossec-list] Re: Repeated offenders?

2016-05-20 Thread Xavier Mertens
Hi Jesus, It worked much better! Kicking out offenders more and more now :-) My Google-fu was also better yesterday and I found this blog post: https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html /x On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <

Re: [ossec-list] Re: Repeated offenders?

2016-05-19 Thread Xavier Mertens
Thanks for the tips! I'll test again following your advice... /x On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote: > Hi, > > I guess that your command needs an IP, so if your rule *xxx* doesn't have > the field *srcip* extracted (by the proper decoder) the active-response

[ossec-list] Repeated offenders?

2016-05-19 Thread Xavier Mertens
Hi *, I'm trying to implement a new active-response rule for a specific event (1 rule ID). It must be implemented with the tag. Problem: I've multiple active-response rules matching this event and it seems that OSSEC picks up the wrong one (repeated offenders are not applied). Any idea to debug
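For readers landing on this thread from a search: the configuration below is an added illustration, not Xavier's or Jesus's own config. It assumes the tag stripped from the post above is OSSEC's <repeated_offenders> option, that the custom rule has ID 100500 (made-up), and that the response uses the stock firewall-drop command. The point Jesus makes in his reply is reflected in the comments: firewall-drop expects a srcip, so the rule must be fed by a decoder that actually extracts one, otherwise ossec-execd has nothing to pass and the response never runs, whatever the repeated-offender settings say.

```xml
<!-- ossec.conf excerpt (added example). -->
<ossec_config>
  <!-- On the manager: which alert fires the response and where it runs.
       Binding to one rules_id avoids the "several active-responses match
       the same event" ambiguity described in the thread. -->
  <active-response>
    <command>firewall-drop</command>   <!-- stock OSSEC command; it <expect>s srcip,
                                            so rule 100500's decoder must extract srcip -->
    <location>local</location>         <!-- run on the agent that raised the alert -->
    <rules_id>100500</rules_id>        <!-- assumed custom rule ID -->
    <timeout>600</timeout>             <!-- seconds before the first block is undone -->

    <!-- Escalating timeouts, in minutes, for the 2nd, 3rd and 4th hit from the
         same srcip.  Assumption: per the OSSEC docs as I know them this option
         is read from the ossec.conf of the host that executes the response
         (the agent, for location=local), so putting it only in the manager's
         config looks exactly like "repeated offenders are ignored". -->
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
```

To check which response actually fires for the event, run ossec-logtest on the offending log line and confirm the decoder output contains a srcip field; if it does not, no srcip-expecting command will ever be executed for that rule.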

Re: [ossec-list] firewall.log and ICMP?

2016-01-28 Thread Xavier Mertens
Issue submitted! /x On Wed, Jan 27, 2016 at 5:04 PM, Brent Morris <brent.mor...@gmail.com> wrote: > Is this worth submitting as an issue to github? > > https://github.com/ossec/ossec-hids/issues > > > On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wr

Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Xavier Mertens
18126(any) > > In the case of a TCP or UDP connection, you'd see Built outbound TCP > connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to > inside:1.2.3.4/11515 (external.ip.addr/11515) > > > > On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8,

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Xavier Mertens
at 11:45 PM, Santiago Bassett < santiago.bass...@gmail.com> wrote: > I am afraid I don't understand the problem or question, maybe if you > explain it a little bit more we can help better. > > Best > > On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmert...@

Re: [ossec-list] firewall.log and ICMP?

2016-01-26 Thread Xavier Mertens
OSED ICMP 1.2.3.4:11278 > ->external.addr:11278 > > I'm not sure what the issue might be. > > Also, thank you for the ossec2dshield script!!! I heard about it on the > Internet Storm Center Stormcast, but it might be worth plugging to the list > here too :) > > On Tuesday, Jan

[ossec-list] firewall.log and ICMP?

2016-01-21 Thread Xavier Mertens
Hi *, Maybe a stupid question but I'm investigating an issue and I have to browse my history of firewall.log files. Problem: I find only TCP/UDP events and nothing regarding ICMP packets? I tested via ossec-logstest and events are correctly parsed... I never paid attention to this in the past...

Re: [ossec-list] Syslog output issue

2015-05-27 Thread Xavier Mertens
Only alerts are sent to the syslog output, not logs (if you enabled the logall feature). /x On Wed, May 27, 2015 at 11:20 AM, Martynas Buožis m...@nrdcs.lt wrote: Hello I have following configuration in /var/ossec/etc/ossec.conf : <syslog_output> <server>10.10.0.11</server> </syslog_output>

Re: [ossec-list] rule based geoip block

2015-05-27 Thread Xavier Mertens
Hi Gil, When I wrote this patch for OSSEC a long time ago (it was later integrated into the main branch), my goal was not to create geolocalized alerts. IMHO, to add this feature, it requires a lot of patching because you need to define a new keyword to be used in alerts like srcip, user, data,

Re: [ossec-list] rule based geoip block

2015-05-27 Thread Xavier Mertens
Nice! I'll test this patch! /x On Wed, May 27, 2015 at 6:37 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, May 27, 2015 at 12:29 PM, Michael Starks ossec-l...@michaelstarks.com wrote: On 05/27/2015 07:19 AM, Xavier Mertens wrote: Hi Gil, When I wrote this patch for OSSEC a long time ago

Re: [ossec-list] Active-Response on server for remote alerts?

2015-05-26 Thread Xavier Mertens
-execd in debug mode and use -t to test the configuration. Maybe that way you can figure out what is causing the issue. On Thu, May 21, 2015 at 8:01 AM, Xavier Mertens xmert...@gmail.com wrote: Hi, I don't often write to the group (I'm following it closely) but today, I've a question... I'd

[ossec-list] Active-Response on server for remote alerts?

2015-05-21 Thread Xavier Mertens
Hi, I don't often write to the group (I'm following it closely) but today, I have a question... I'd like to trigger an Active-Response script on the _server_ for _any_ alert (e.g. with level 10). I don't want to deploy the script on all agents. At the moment, here is my active-response config (for
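An added configuration example for the setup asked about here (it is not Xavier's config, which is cut off above): run one script on the manager for every alert of level 10 or above raised by any agent, without deploying anything on the agents. The command name notify-soc and script name notify-soc.sh are assumed; the script must exist under /var/ossec/active-response/bin/ on the manager. The empty <expect></expect> is the same form OSSEC's stock restart-ossec command uses for a response that needs no srcip or user.

```xml
<!-- ossec.conf excerpt on the manager (added example). -->
<ossec_config>
  <command>
    <name>notify-soc</name>                  <!-- assumed name -->
    <executable>notify-soc.sh</executable>   <!-- assumed script, in active-response/bin/ -->
    <expect></expect>                        <!-- no srcip/user required: fires for any alert -->
    <timeout_allowed>no</timeout_allowed>    <!-- nothing to undo, so no "delete" call later -->
  </command>

  <active-response>
    <command>notify-soc</command>
    <location>server</location>   <!-- execute on the manager, whichever agent alerted -->
    <level>10</level>             <!-- level 10 and above; no rules_id/rules_group filter -->
  </active-response>
</ossec_config>
```

The script is invoked with the same positional arguments the stock scripts read (action, user, srcip, alert ID, rule ID), so with no <expect> the srcip and user slots carry placeholder values rather than real data; read the alert ID and rule ID instead. As suggested later in this thread, start ossec-execd in debug mode (-d) and test the configuration with -t to see why a response is not being dispatched.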

[ossec-list] Active-Response and Fortinet firewall?

2015-05-04 Thread Xavier Mertens
Hi *, I was just wondering if somebody has already interconnected a Fortinet firewall with an Active-Response script? (to block offenders' IP addresses) Just to not re-invent the wheel... This is not directly related to OSSEC but if you've some ideas to share, ping me off list... Tx! KR, /x --

Re: [ossec-list] Re: Trend Micro end Commercial Support?

2014-03-17 Thread Xavier Mertens
I find the idea of a list of companies which can provide professional services a good idea! Also for an OSSEC Certified VAS logo/program... /x On Mon, Mar 17, 2014 at 10:24 PM, Jb Cheng jjoob...@gmail.com wrote: In the long term I hope to see a list of Certified OSSEC Profession Service

Re: [ossec-list] Re: ossec con in europe?!

2013-11-18 Thread Xavier Mertens
I'm lagging with my google groups :-( +1 for a European version of the conference! /x On Fri, Oct 25, 2013 at 8:31 AM, rockands...@gmail.com wrote: wonderful, thanks for your positive feedback Jb Cheng! :) i'd be most interested, is there any way to spread the news? i haven't checked

[ossec-list] OSSEC XenServer?

2013-08-28 Thread Xavier Mertens
Hi *, Q: XenServer OSSEC? I googled for some references but results were very poor... What's your point? It is not recommended to install extra software on a XenServer box. Anybody installed an OSSEC agent? Are there some decoders/rules? Thank you for your input! /x -- My server is com<script src=http://owned.cn/js.js>pletely secure.

Re: [ossec-list] CDB lookups key + value

2013-08-02 Thread Xavier Mertens
an ossec_makelist if you update them frequently) /x On Thu, Aug 1, 2013 at 5:56 PM, Michael Starks ossec-l...@michaelstarks.com wrote: On 01.08.2013 05:33, Xavier Mertens wrote: I really needed this feature and wrote a patch to implement it (attached to this message). It is based on a stock 2.7

[ossec-list] CDB lookups key + value

2013-08-01 Thread Xavier Mertens
Hi *, I was implementing new rules with lookups against CDB lists using the 'match_key_value'. The goal is to look up a key AND the associated value with a regex. Example: <list field="user" lookup="match_key_value" check_value="^admin">lists/users/list</list> After lots of tests and coffee, it was impossible
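To make the intended semantics of the lookup concrete, here is an added Python model of what the rule above asks for; it is not OSSEC's code nor Xavier's patch. It loads a constructed CDB source list (the key:value text file you feed to ossec-makelists; the logins and roles are made up), then contrasts a plain match_key lookup with match_key_value, where the decoded field is the key and check_value is a regex tested against the stored value. Python's re stands in for OSSEC's own OS_Regex engine, whose syntax differs in details.

```python
import re

# Constructed sample of a CDB list *source* file: one "key:value" per line.
# Here key = login, value = role.  Made-up data for the example.
SAMPLE_LIST = """\
# users list
root:admin
alice:admin-readonly
bob:operator
carol:admin
"""


def load_list(text):
    """Parse key:value lines into a dict keyed the way the CDB file is keyed.

    Everything before the first ':' is the key, the remainder the value
    (empty when no ':' is present); blank lines and '#' comments are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        entries[key.strip()] = value.strip() if sep else ""
    return entries


def match_key(entries, key):
    """lookup="match_key": fires when the key exists, whatever its value."""
    return key in entries


def match_key_value(entries, key, check_value):
    """lookup="match_key_value" with check_value="<regex>": fires only when the
    key exists AND its stored value matches the regex."""
    value = entries.get(key)
    if value is None:
        return False
    return re.search(check_value, value) is not None


def evaluate(entries, decoded_user, check_value="^admin"):
    """Model of <list field="user" lookup="match_key_value" check_value="^admin">:
    the decoded 'user' field is the key, check_value the value regex."""
    return match_key_value(entries, decoded_user, check_value)


if __name__ == "__main__":
    users = load_list(SAMPLE_LIST)
    for login in ("root", "alice", "bob", "dave"):
        print(f"{login:6s} match_key={match_key(users, login)!s:5s} "
              f"match_key_value(^admin)={evaluate(users, login)}")
```

Note that alice matches ^admin because her value is admin-readonly; if the intent is "exactly the admin role", anchor both ends (^admin$), which is the kind of detail a lookup that is silently never matching, as described in the thread, will not tell you about.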

[ossec-list] OSSEC CON material?

2013-07-28 Thread Xavier Mertens
Hi List, Is the OSSEC CON material published somewhere? (from last Thursday) /x -- My server is com<script src=http://owned.cn/js.js>pletely secure.

Re: [ossec-list] What's a good way to update syscheck after an apt-get upgrade?

2013-05-29 Thread Xavier Mertens
Hi Gerard, I'm facing the same issue and wrote a patch to search for valid MD5 changes. More details here: http://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/ Comments are welcome! /x On Mon, May 27, 2013 at 10:57 PM, Gerard Petersen gerar...@me.com wrote: Hi
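The idea in Xavier's reply, checking whether a changed file's new MD5 is a "valid" one, can be approximated on Debian/Ubuntu by comparing the digest syscheck reports with the per-package digest files dpkg writes under /var/lib/dpkg/info/<package>.md5sums. The script below is an added example, not the patch from the blog post: it indexes constructed md5sums contents (digests computed from made-up bytes), parses constructed copies of the syscheck "Integrity checksum changed" alert text, and tells an expected package update apart from a foreign digest or an unpackaged path.

```python
import hashlib
import re
from pathlib import Path

# Constructed stand-in for /var/lib/dpkg/info/<package>.md5sums
# ("<md5>  <path relative to />" per line).  Digests are made up / computed
# from made-up bytes so the example runs offline.
UPGRADED_SSHD = hashlib.md5(b"constructed sshd binary after apt-get upgrade").hexdigest()
SAMPLE_MD5SUMS = {
    "openssh-server": (
        f"{UPGRADED_SSHD}  usr/sbin/sshd\n"
        "0f343b0931126a20f133d67c2b018a3b  usr/share/man/man8/sshd.8.gz\n"
    ),
    "sudo": "8ddd8be4b179a529afa5f2ffae4b9858  usr/bin/sudo\n",
}

# Constructed copies of the syscheck alert body for a modified file.
SAMPLE_ALERTS = [
    "Integrity checksum changed for: '/usr/sbin/sshd'\n"
    "Old md5sum was: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'\n"
    f"New md5sum is : '{UPGRADED_SSHD}'\n",
    "Integrity checksum changed for: '/usr/bin/sudo'\n"
    "Old md5sum was: '8ddd8be4b179a529afa5f2ffae4b9858'\n"
    "New md5sum is : 'deadbeefdeadbeefdeadbeefdeadbeef'\n",
    "Integrity checksum changed for: '/etc/cron.d/backdoor'\n"
    "Old md5sum was: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'\n"
    "New md5sum is : 'cccccccccccccccccccccccccccccccc'\n",
]

ALERT_RE = re.compile(
    r"Integrity checksum changed for: '(?P<path>[^']+)'.*?"
    r"New md5sum is : '(?P<md5>[0-9a-fA-F]{32})'",
    re.S,
)


def build_index(md5sums_by_package):
    """Map absolute path -> (md5, package) from dpkg md5sums text."""
    index = {}
    for pkg, text in md5sums_by_package.items():
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            digest, _, relpath = line.partition("  ")
            index["/" + relpath.strip()] = (digest.lower(), pkg)
    return index


def load_dpkg_index(info_dir="/var/lib/dpkg/info"):
    """Read the real md5sums files on a Debian host (not exercised by the test)."""
    files = {p.stem: p.read_text(errors="replace")
             for p in Path(info_dir).glob("*.md5sums")}
    return build_index(files)


def classify(alert_text, index):
    """Verdict for one syscheck alert:
    'package-update' : new digest is what the installed package ships, i.e.
                       the change is explained by an apt-get upgrade;
    'unexpected'     : file belongs to a package but the digest is foreign;
    'unpackaged'     : dpkg knows nothing about this path (conffiles under
                       /etc are not listed in md5sums either);
    'unparsed'       : not a checksum-changed alert."""
    m = ALERT_RE.search(alert_text)
    if not m:
        return "unparsed"
    path, new_md5 = m.group("path"), m.group("md5").lower()
    known = index.get(path)
    if known is None:
        return "unpackaged"
    return "package-update" if known[0] == new_md5 else "unexpected"


if __name__ == "__main__":
    idx = build_index(SAMPLE_MD5SUMS)
    for alert in SAMPLE_ALERTS:
        print(classify(alert, idx), "<-", alert.splitlines()[0])
```

Two caveats before using this to suppress alerts: it trusts /var/lib/dpkg/info, which a root-level intruder can rewrite alongside the binary, so it lowers noise rather than proving a change benign; and MD5 is the weakest digest syscheck records, so compare the sha1sum line as well where your version emits it.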

[ossec-list] Splunk format in OSSEC 2.7 ?

2013-05-21 Thread Xavier Mertens
Hi *, I've been using OSSEC with Splunk for a while. There is a nice app called Splunk for OSSEC. I recently upgraded an instance to 2.7 and activated the splunk format option: <syslog_output> <server>127.0.0.1</server> <port>10002</port> <format>splunk</format> </syslog_output> This config breaks

Re: [ossec-list] xferlog decoder

2012-11-16 Thread Xavier Mertens
it for: <prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch> Can you try to see if it fixes? thanks, -- Daniel B. Cid http://dcid.me On Thu, Nov 15, 2012 at 10:17 AM, Xavier Mertens xmert...@gmail.com wrote: Hello OSSEC'ers! Is there a working decoder for 'xferlog

Re: [ossec-list] Analogi UI for Ossec

2012-09-14 Thread Xavier Mertens
I have used it since the first release. The first installation was quite funny and I had to fix a lot of paths in the PHP code. Then it was better and installation was quite straightforward! /x On Thu, Sep 13, 2012 at 2:51 PM, Derek Morris derek.morri...@gmail.com wrote: First off this is a nice

Re: [ossec-list] Visualizing the Ruleset

2012-08-21 Thread Xavier Mertens
+1 for GraphViz! Sent from my iPad On 21 Aug 2012, at 19:55, JB jjoob...@gmail.com wrote: Interesting! For example, OSSEC rules may be visualized similar to the program profile as shown in http://www.graphviz.org/content/profile . It looks like we just need to convert OSSEC rules into

Re: [ossec-list] Re: Support for Juniper SA

2012-07-31 Thread Xavier Mertens
Yep, that's the one! I'll start from this one and build my own. If working ok, I'll share... /x On Mon, Jul 30, 2012 at 9:06 PM, JB jjoob...@gmail.com wrote: You probably found the work in progress in 2009: https://groups.google.com/forum/?fromgroups#!topic/ossec-list/rQPN6sRJDNM No decoders

[ossec-list] Support for Juniper SA

2012-07-30 Thread Xavier Mertens
Dear OSSEC users, Maybe a dumb question but are some of you collecting logs from Juniper SA's (SSP VPN). I read a very old thread on the list but grepping for Juniper in my decoder.xml does not return any line... I don't want to reinvent the wheel. Any decoder rules to share? /x -- My server

Re: [ossec-list] IP-less agent?

2010-09-15 Thread Xavier Mertens
, 2010 at 7:33 AM, Xavier Mertens xmert...@gmail.com wrote: Hi *, For a few days, I configured an OSSEC agent behind a dynamic Internet connection (ADSL). To achieve this, I specified the whole IP pool (a /16). It worked perfectly. Alas, since the last IP address change, the agent

[ossec-list] Moving OSSEC to another location?

2010-06-25 Thread Xavier Mertens
Hi *, I've been running an OSSEC instance for a while. Installation has been done in /usr/local/ossec/. Now, for performance reasons, I'd like to move the whole stuff to another filesystem. The easy way is to move the ossec/ directory and symlink it. But, is there a procedure to really reconfigure it

Re: [ossec-list] Commercial Support

2010-05-04 Thread Xavier Mertens
Hi *, Trend Micro office in Belgium is just at the same level as my company (next door ;-) I contacted them about OSSEC (just a question and some feedback). The answer was: Did you have a look at Deep Security? :-( On Mon, May 3, 2010 at 5:49 PM, Michael Starks ossec-l...@michaelstarks.com

Re: [ossec-list] OSSEC Splunk integration

2010-04-23 Thread Xavier Mertens
= ossec-syslog-hostoverride1,ossec-syslog-hostoverride2 On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens xmert...@gmail.com wrote: Damn! I found the problem. I had two data-inputs created to receive syslog messages from the OSSEC

[ossec-list] OSSEC in SCADA environments?

2010-04-22 Thread Xavier Mertens
Hi List, I introduced OSSEC in a big project where HIDS were required to protect hosts. Those hosts are part of a SCADA network! Does anybody have references or experiences with the deployment of OSSEC agents in a SCADA (or any other industrial environment). My goal is not to analyze SCADA

Re: [ossec-list] OSSEC Splunk integration

2010-04-07 Thread Xavier Mertens
://splunk.com (Splunkbase web site) and grab the *splunk for ossec app*. good luck! On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens xmert...@gmail.com wrote: Hi *, I'm testing the integration of OSSEC with Splunk. I followed the configuration as described in the Wiki. It works! Splunk runs