Hi Jesus,
It worked much better! Kicking out offenders more and more now :-)
My Google-fu was also better yesterday and I found this blog post:
https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
/x
On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens <
Thanks for the tips! I'll test again following your advice...
/x
On Thu, May 19, 2016 at 9:33 AM, Jesus Linares wrote:
> Hi,
>
> I guess that your command needs an IP, so if your rule *xxx* doesn't have
> the field *srcip* extracted (by the proper decoder) the active-response
Hi *,
I'm trying to implement a new active-response rule for a specific event (1
rule ID).
It must be implemented with the tag.
Problem: I've multiple active-response rules matching this event and it
seems that OSSEC picks up the wrong one (repeated offenders are not
applied).
Any idea to debug
Issue submitted!
/x
On Wed, Jan 27, 2016 at 5:04 PM, Brent Morris <brent.mor...@gmail.com>
wrote:
> Is this worth submitting as an issue to github?
>
> https://github.com/ossec/ossec-hids/issues
>
>
> On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wr
18126(any)
>
> In the case of a TCP or UDP connection, you'd see Built outbound TCP
> connection 60148807 for outside:137.135.12.16/443 (137.135.12.16/443) to
> inside:1.2.3.4/11515 (external.ip.addr/11515)
>
>
>
> On Tuesday, January 26, 2016 at 2:10:25 PM UTC-8,
at 11:45 PM, Santiago Bassett <
santiago.bass...@gmail.com> wrote:
> I am afraid I don't understand the problem or question, maybe if you
> explain it a little bit more we can help better.
>
> Best
>
> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmert...@
OSED ICMP 1.2.3.4:11278
> ->external.addr:11278
>
> I'm not sure what the issue might be.
>
> Also, thank you for the ossec2dshield script!!! I heard about it on the
> Internet Storm Center Stormcast, but it might be worth plugging to the list
> here too :)
>
> On Tuesday, Jan
Hi *,
Maybe a stupid question but I'm investigating an issue and I've to browse
my history of firewall.log files. Problem: I find only TCP/UDP events and
nothing regarding ICMP packets?
I tested via ossec-logtest and events are correctly parsed...
I never paid attention to this in the past...
Only alerts are sent to the syslog output, not logs (if you enabled the
logall feature).
/x
On Wed, May 27, 2015 at 11:20 AM, Martynas Buožis m...@nrdcs.lt wrote:
Hello
I have following configuration in /var/ossec/etc/ossec.conf :
<syslog_output>
  <server>10.10.0.11</server>
</syslog_output>
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later integrated
into the main branch), my goal was not to create geolocalized alerts.
IMHO, to add this feature, it requires a lot of patching because you need
to define a new keyword to be used in alerts like srcip, user, data,
Nice! I'll test this patch!
/x
On Wed, May 27, 2015 at 6:37 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, May 27, 2015 at 12:29 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
Hi Gil,
When I wrote this patch for OSSEC a long time ago
-execd in debug mode
and use -t to test the configuration. Maybe that way you can figure out
what is causing the issue.
On Thu, May 21, 2015 at 8:01 AM, Xavier Mertens xmert...@gmail.com
wrote:
Hi,
I don't often write to the group (I'm following it closely) but today,
I've a question...
I'd
Hi,
I don't often write to the group (I'm following it closely) but today, I've
a question...
I'd like to trigger an Active-Response script on the _server_ for _any_
alert (ex with level 10).
I don't want to deploy the script on all agents.
At the moment, here is my active-response config (for
Hi *,
I was just wondering if somebody has already interconnected a Fortinet
firewall with an Active-Response script? (to block offender's IP addresses)
Just to not re-invent the wheel...
This is not directly related to OSSEC but if you've some ideas to share,
ping me off list... Tx!
KR,
/x
I find the idea of a list of companies which can provide professional
services a good idea! Also for an OSSEC Certified VAS logo/program...
/x
On Mon, Mar 17, 2014 at 10:24 PM, Jb Cheng jjoob...@gmail.com wrote:
In the long term I hope to see a list of Certified OSSEC Profession
Service
I'm lagging with my google groups :-(
+1 for an European version of the conference!
/x
On Fri, Oct 25, 2013 at 8:31 AM, rockands...@gmail.com wrote:
wonderful, thanks for your positive feedback Jb Cheng! :)
i'd be most interested, is there any way to spread the news?
i haven't checked
Hi *,
Q: XenServer OSSEC?
I googled for some references but results were very poor... What's your
point?
It is not recommended to install extra software on a XenServer box.
Anybody installed an OSSEC agent? Are there some decoders/rules?
Thank you for your input!
/x
a ossec_makelist if you update them
frequently)
/x
On Thu, Aug 1, 2013 at 5:56 PM, Michael Starks ossec-l...@michaelstarks.com
wrote:
On 01.08.2013 05:33, Xavier Mertens wrote:
I really needed this feature and wrote a patch to implement it
(attached to this message). It is based on a stock 2.7
Hi *,
I was implementing new rules with lookups against CDB lists using the
'match_key_value'. The goal is to look up a key AND the associated value
with a regex. Example:
<list field="user" lookup="match_key_value" check_value="^admin">lists/users/list</list>
After a lot of tests and coffee, it was impossible
Hi List,
Is the OSSEC CON material published somewhere?
(from last Thursday)
/x
Hi Gerard,
I'm facing the same issue and wrote a patch to search for valid MD5
changes.
More details here:
http://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
Comments are welcome!
/x
On Mon, May 27, 2013 at 10:57 PM, Gerard Petersen gerar...@me.com wrote:
Hi
Hi *,
I'm using OSSEC with Splunk for a while. There is a nice app called Splunk
for OSSEC.
I recently upgraded an instance to 2.7 and activated the splunk format
option:
<syslog_output>
  <server>127.0.0.1</server>
  <port>10002</port>
  <format>splunk</format>
</syslog_output>
This config breaks
it for:
<prematch>^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+/\.+/active-response</prematch>
Can you try to see if it fixes ?
thanks,
--
Daniel B. Cid
http://dcid.me
On Thu, Nov 15, 2012 at 10:17 AM, Xavier Mertens xmert...@gmail.com
wrote:
Hello OSSEC'ers!
Is there a working decoder for 'xferlog
I used it since the first release. The first installation was quite funny
and I had to fix a lot of paths in the PHP code.
Then it was better and installation was quite straight forward!
/x
On Thu, Sep 13, 2012 at 2:51 PM, Derek Morris derek.morri...@gmail.com wrote:
First off this is a nice
+1 for GraphViz!
Sent from my iPad
On 21 Aug 2012, at 19:55, JB jjoob...@gmail.com wrote:
Interesting!
For example, OSSEC rules may be visualized similar to the program profile
as shown in http://www.graphviz.org/content/profile .
It looks like we just need to convert OSSEC rules into
Yep, that's the one!
I'll start from this one and build my own. If working ok, I'll share...
/x
On Mon, Jul 30, 2012 at 9:06 PM, JB jjoob...@gmail.com wrote:
You probably found the work in progress in 2009:
https://groups.google.com/forum/?fromgroups#!topic/ossec-list/rQPN6sRJDNM
No decoders
Dear OSSEC users,
Maybe a dumb question but are some of you collecting logs from Juniper SA's
(SSP VPN).
I read a very old thread on the list but grepping for Juniper in my
decoder.xml does not return any line...
I don't want to reinvent the wheel. Any decoder rules to share?
/x
, 2010 at 7:33 AM, Xavier Mertens xmert...@gmail.com
wrote:
Hi *,
For a few days, I configured an OSSEC agent behind a dynamic Internet
connection (ADSL). To achieve this, I specified the whole IP pool (a
/16).
It worked perfectly.
Alas, since the last IP address change, the agent
Hi *,
I'm running an OSSEC instance for a while. Installation has been done in
/usr/local/ossec/.
Now, for performance reasons, I'd like to move the whole stuff to another
filesystem. The easy way is to move the ossec/ directory and symlink it.
But, is there a procedure to really reconfigure it
Hi *,
Trend Micro office in Belgium is just at the same level as my company (next
door ;-)
I contacted them about OSSEC (just a question and some feedback). The answer
was:
Did you have a look at Deep Security?
:-(
On Mon, May 3, 2010 at 5:49 PM, Michael Starks ossec-l...@michaelstarks.com
= ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens xmert...@gmail.com wrote:
Damn! I found the problem. I had two data-inputs created to receive syslog
messages from the OSSEC
Hi List,
I introduced OSSEC in a big project where HIDS were required to protect
hosts. Those hosts are part of a SCADA network!
Does anybody have references or experiences with the deployment of OSSEC
agents in a SCADA (or any other industrial) environment?
My goal is not to analyze SCADA
://splunk.com (Splunkbase web site) and grab the *splunk for ossec
app*. good luck!
On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens xmert...@gmail.com wrote:
Hi *,
I'm testing the integration of OSSEC with Splunk. I followed the
configuration as described in the Wiki. It works!
Splunk runs
33 matches