Hi, I run a minor website http://socct.org; unfortunately the acronym
coincides with https://www.wikileaks.org/wiki/SOCCT_(military). For the
last two days the site has been taking multiple-site brute force attacks. Apart
from changing our name, any suggestions? I have added an extension rule to
http://blogs.zdnet.com/security/?p=6123&tag=nl.e589
:-(
Martin West
--
tkit-checkers isn't used to seeing.
Cheers Leif"
Thanks for a great product.
Martin West
On Fri, 2007-03-02 at 11:55 -0800, Jim Starr wrote:
> I did more looking through the list archives (a search feature would
> be
> nice) and found the posts on this subject. I ran chkrootkit and
>
try
site:http://www.ossec.net/ search_args
--
Regards
Martin West
http://www.obje
ems to be running
OK.
--
Regards Martin West
07809 305 404
http://www.objectgizmos.com
16 SHEARWAY BUSINESS PARK,FOLKESTONE,KENT,CT19 4RH
Company No. 05912944
On Sat, 2007-03-03 at 20:53 -0400, Daniel Cid wrote:
> If you are looking for a way to help the project, here is your chance.
>
There does not seem to be an uninstall function.
I presume you have to delete /var/ossec and the init.d script.
--
Regards Martin West
07809 305 40
-- 1 ossec ossec 0 Mar 26 14:43 /var/ossec/queue/ossec/queue
--
Regards
Martin West
http://www.objectgizmos.com
07879 680 096
K, thanks, it's gone from the current logs now.
On Mon, 2007-03-26 at 22:40 -0400, David Williams wrote:
> up again, I got the queue not accessible error; restarting ossec
> fixed it for me (the stop script removes the socket, I believe).
>
--
Regards Martin West
07809 305
> I have tried searching the htaccess file, but I could find only manuals
> in the /var/www/manual/howto/htaccess.html for the same.
>
> Pankaj P.
>
Martin West
Interesting. I run svn and ossec, but I run an svn server, which might be
an alternative workaround. There is an incentive to use the svn server
as it's quite a bit faster/more efficient than the http interface.
That said, I did have an unexplained hang of the svn server. svn uses
port 3690 by defau
-analysisd: Reading rules file:
'adsl_rules.xml'
Is it just me or is the documentation a bit sparse?
Thanks Martin West
e
> decoded_as looks for a valid decoder name on decoders.xml....
>
--
Regards Martin West
What version of Solaris?
Martin West
http://www.bastille-linux.org/
Just came across this, thought it might be of interest.
regards Martin West
in Solaris 9 and Solaris 10. I've triple-checked
> the permissions on all the files. Still no go.
>
--
Regards Martin West
es this help?
>
Did you do "su" or "su -"? The latter should set the USER name to root.
Regards Martin West
ossec just threw up that some files in /usr/bin had changed and they hadn't
been upgraded by yum.
Some stuff in ncurses and less, so I moved them out to a quarantine folder
and reinstalled the rpms for the affected files.
How can I tell if this is a virus?
Thanks
--
Regards
Martin West
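The syscheck alert only says the files differ from the last scan; whether yum (or something else) changed them is answered by verifying each file against the RPM database, which records the shipped digest, size, mode, owner and mtime of every packaged file. The following is an added example, not part of Martin's message and not OSSEC code: it parses `rpm -V` style output (the sample output is constructed, the column meanings are rpm's documented verify format) and sorts the reported files into content changes, metadata-only changes, config files and missing files, which is the split a practitioner wants before deciding whether to quarantine. The function and constant names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple

# rpm -V prints one line per file that failed a test. The flag field has
# nine columns (eight on older rpm, which has no P): S size, M mode,
# 5 digest, D device major/minor, L readlink path, U user, G group,
# T mtime, P capabilities; '.' means the test passed, '?' means it could
# not be run. An optional one-letter attribute follows (c config, d doc,
# g ghost, l license, r readme), then the path.
_LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)
_MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}

# Constructed sample of what `rpm -V less ncurses` might print on a host
# where some binaries were replaced after the package was installed.
SAMPLE_RPM_V_OUTPUT = """\
S.5....T.    /usr/bin/less
.......T.    /usr/bin/lessecho
S.5....T.    /usr/bin/clear
..5....T.  c /etc/lesskey
missing      /usr/share/doc/less/README
"""


class VerifyResult(NamedTuple):
    path: str
    changed: frozenset   # names of the attributes that differ from the package
    config: bool         # marked 'c': local edits are expected
    missing: bool


def parse_rpm_verify(output: str) -> List[VerifyResult]:
    """Parse rpm -V output into one VerifyResult per reported file."""
    results: List[VerifyResult] = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _MISSING_RE.match(line)
        if m:
            results.append(VerifyResult(m["path"], frozenset(), m["attr"] == "c", True))
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # e.g. dependency warnings; not a per-file entry
        changed = frozenset(FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES)
        results.append(VerifyResult(m["path"], changed, m["attr"] == "c", False))
    return results


def classify(results: List[VerifyResult]) -> Dict[str, List[str]]:
    """Bucket files by what the change implies. A digest/size/symlink
    change on a non-config file means the content is not what the package
    shipped; mode/owner/mtime alone can be explained by local admin work."""
    buckets: Dict[str, List[str]] = {
        "content_changed": [], "metadata_only": [], "missing": [], "config": []}
    for r in results:
        if r.missing:
            buckets["missing"].append(r.path)
        elif r.config:
            buckets["config"].append(r.path)
        elif r.changed & {"digest", "size", "symlink"}:
            buckets["content_changed"].append(r.path)
        else:
            buckets["metadata_only"].append(r.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in classify(parse_rpm_verify(SAMPLE_RPM_V_OUTPUT)).items():
        print(f"{bucket}: {paths}")
```

On a live host the input comes from `rpm -Vf /usr/bin/less` (verify the package owning that path) or `rpm -V less ncurses`; on Debian `debsums -c` gives the equivalent digest comparison. The caveat that matters for a "is this a rootkit?" question: the rpm binary and its database live on the suspect host, so a mismatch is meaningful but a match is not conclusive until the file has been checked with `rpm -Vp` against a package file fetched from a trusted mirror, or its digest compared with one taken on a known-clean machine.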
Somehow my libc6-dev package had become deinstalled - I'm running a cut-down
Debian system (but not that cut down :-) ) - and this was the
result; maybe you might like to add an extra idiot check :-)
Thanks as always for a great tool.
You are about to start the installation process of the OSSE
Thanks as usual for a great product.
--
Regards Martin West
6 thecla2 kernel: ATM dev 0: ADSL line is up (2752 kb/s
down | 448 kb/s up)
--END OF NOTIFICATION
Martin West
adsl_rules.xml
Description: XML document
uth.log being monitored?
>
--
Regards Martin West
I think it must be an oddity in my mail system. The email was sent.
Thanks for the help, sorry for the noise.
On Sun, 2007-11-25 at 11:25 -0400, Daniel Cid wrote:
> Are you sure it is not being caught? I ran your log in here and got an
> alert (using v1.4):
>
--
Regards Martin West
problem 1? I tried restarting ossec but the same error came
up.
This is ossec 1.4 running on debian, kernel 2.6.22-3-686.
Thanks.
--
Regards Martin West
2007/12/17 08:48:31 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2007/12/17 08:48:31 ossec-logcollector(1950):
Thanks.
On Tue, 2007-12-18 at 20:54 -0400, Daniel Cid wrote:
> behavior and fix the problem inside ossec. You
> can try with the following package to see if the problem persists.
>
>
--
Regards Martin West
2:22 ossec-analysisd: Connected to
'/queue/alerts/execq' (exec queue)
Any ideas on this?
This is on
http://www.ossec.net/files/snapshots/ossec-hids-071218.tar.gz
though it was a problem on 1.4
--
Regards Martin West
n pairs and the up event has the
connection speed which I find useful.
Thanks
--
Regards Martin West
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1288007,00.html?track=NL-641&ad=618916&asrc=EM_NLN_2818629&uid=5731537
I drew their very serious omission, no reference to ossec !
:-)
--
Regards
Martin West
ache2/error.log.1:[Fri Jan 25 02:36:42 2008] [error] [client
8.7.22.195] File does not exist: /websites/default/"
gping="&POS=28&CM=WPU&CE=6&CS=AWP&SR=6&sample=0
regards Martin West
Received From: thecla2->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):
Trojaned version of file '/sbin/hdparm' detected. Signature used:
'bash|/dev/ida|/dev/' (Generic).
--END OF NOTIFICATION
--
regards
Martin West
07879 680096
I can send you the binary if that helps
Thanks
On Wed, 2008-04-02 at 06:43 -0400, Daniel Cid wrote:
> grep -E 'bash|/dev/ida|/dev/' /sbin/hdparm
>
--
regards
Martin West
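Rootcheck's trojan check is a string search: each entry in its signature list pairs a file name with a regular expression, and the file is reported as trojaned if the regex matches anywhere in its bytes. A generic alternative such as `/dev/` therefore fires on any utility that legitimately names a device path, which is why `grep -E` is the right first question. The following is an added example, not OSSEC's own rootcheck code and not from either poster: it reimplements that check in Python over a constructed signature list (the hdparm pattern is the one quoted in the alert above; the ls entry is made up) and constructed stand-ins for file contents, and shows the check that separates a false positive from a real replacement, a digest comparison against what the package shipped. All names and data are this example's own.

```python
import hashlib
import re
from typing import Dict, List

# Constructed signature list in the style of rootcheck's rootkit_trojans.txt
# (one entry per line: file!regex!description).
SIGNATURES_TXT = """\
# file   !signature                  !description
hdparm   !bash|/dev/ida|/dev/         !Generic
ls       !bash|^/bin/sh|dev/[^cpu]    !Generic
"""

# Constructed stand-ins for file contents: real binaries are ELF, but the
# check only looks at embedded strings, so short byte strings suffice.
LEGIT_HDPARM = (b"\x7fELF\x01\x01\x01\x00"
                b"usage: hdparm [options] device\n/dev/sda\n")
TROJANED_HDPARM = LEGIT_HDPARM + b"/bin/bash -i >& /dev/ida/backdoor\n"
# Stand-in for the digest the package manager records for the shipped file
# (computed here from the constructed clean content).
KNOWN_GOOD_SHA256 = hashlib.sha256(LEGIT_HDPARM).hexdigest()


def parse_signatures(text: str) -> Dict[str, "re.Pattern[bytes]"]:
    """Turn 'name!regex!description' lines into {basename: compiled regex}."""
    sigs: Dict[str, "re.Pattern[bytes]"] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pattern, _desc = (f.strip() for f in line.split("!", 2))
        sigs[name] = re.compile(pattern.encode())
    return sigs


SIGS = parse_signatures(SIGNATURES_TXT)


def scan_binary(name: str, content: bytes, sigs=SIGS) -> List[bytes]:
    """Equivalent of grep -E '<signature>' <file>: return the distinct byte
    strings that matched, so it is visible *which* alternative fired.
    An empty list means the file would not be reported."""
    pat = sigs.get(name)
    if pat is None:
        return []
    return sorted(set(pat.findall(content)))


def triage(name: str, content: bytes, known_good_sha256: str, sigs=SIGS) -> str:
    """Signature hit plus an intact package digest is a false positive;
    signature hit plus a digest mismatch is worth the quarantine."""
    hits = scan_binary(name, content, sigs)
    if not hits:
        return "no signature match"
    if hashlib.sha256(content).hexdigest() == known_good_sha256:
        return "signature match but digest verified: false positive"
    return "signature match and digest mismatch: investigate"


if __name__ == "__main__":
    for label, blob in (("clean hdparm", LEGIT_HDPARM),
                        ("trojaned hdparm", TROJANED_HDPARM)):
        print(label, scan_binary("hdparm", blob),
              triage("hdparm", blob, KNOWN_GOOD_SHA256))
```

The clean stand-in matches only on `/dev/`, exactly what a disk tool is expected to contain, while the trojaned one also hits `bash` and `/dev/ida`; either way the signature alone is not evidence, and the deciding step on a real host is `rpm -Vf /sbin/hdparm` or `debsums` (or a digest from a clean machine), since the signature check cannot tell a legitimate string from an injected one.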
v/'
>
--
regards
Martin West
07879 680096
egards
Martin West
07879 680096
alerts from ossec, thoughts?
--
regards
Martin West
07879 680096
; What was the size of these URLs? Were they "bad" indeed?
>
--
regards
Martin West
07879 680096
On Thu, 2008-07-10 at 16:43 -0300, Daniel Cid wrote:
> I want to hear
> the feedback anyone may have.
Installed and ran ok on
Linux lenovo2 2.6.24-19-server #1 SMP Wed Jun 18 15:18:00 UTC 2008 i686
GNU/Linux
Looks good, Thanks
--
regards
Martin West
This shared memory I assume and not something to be alarmed at.
Received From: lenovo3->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):
File '/dev/shm/pulse-shm-3257873433' present on /dev. Possible hidden
file.
System is ubuntu d
Sorry, need new glasses, I'm running 1.6
On Tue, 2008-09-09 at 19:06 +0100, Martin West wrote:
> This shared memory I assume and not something to be alarmed at.
>
> Received From: lenovo3->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>
If you run a maven repository you often get multiple 404s. This rule
ignores them ...
31151
maven2
Ignore 404s on the maven repository
--
regards
Martin West
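The rule body in the post above lost its XML markup in the archive; only the id (31151), the URL term (maven2) and the description survive. The following is an added example of the shape such a rule takes in local_rules.xml, not Martin's rule as posted: the parent 31101 is the stock OSSEC "Web server 400 error code" rule, the `<id>^404$</id>` restriction is an assumption added so that other 4xx codes on the same path still alert, and the id 100100 is chosen from the 100000+ range OSSEC reserves for local rules so it cannot collide with a stock rule id.

```xml
<group name="local,web,">
  <!-- Added example: silence plain 404s for any request whose URL contains
       "maven2". Level 0 means the event is matched but never alerted. -->
  <rule id="100100" level="0">
    <if_sid>31101</if_sid>
    <id>^404$</id>
    <url>maven2</url>
    <description>Ignore 404s on the maven repository</description>
  </rule>
</group>
```

Test it with `/var/ossec/bin/ossec-logtest` by pasting one of the 404 lines from the access log: the output should end at rule 100100 with level 0 rather than at 31101 with an alert.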
be possible to include the results of ps -flp on the process
to see what was running.
Thanks
Martin West
skype:amartinwest
On 4 Jun 2009, at 14:55, c...@libero.it wrote:
>
> Hi,
>
> I have recently received the alert "Process 'X' hidden from /proc.
> Possibl
Updated fine on
Ubuntu 2.6.24-24-generic #1 SMP Tue Aug 18 16:22:17 UTC 2009 x86_64
GNU/Linux
Martin West
skype:amartinwest
On 26 Aug 2009, at 19:38, Daniel Cid wrote:
>
> Hi list,
>
> OSSEC v2.2 will be released soon and we need help beta testing it. The
> code is pretty
Thanks, that's a good lead. I'll investigate and if I get anywhere I'll
post the results.
Martin West
skype:amartinwest
On 7 Nov 2009, at 12:46, dan (ddp) wrote:
>
> I basically set up an active response in the server's ossec.conf to fire
> on the file integrity rules.
> The sc
nto diff-checks.
restart ossec
/var/ossec/bin/ossec-control restart
Main script /var/ossec/active-response/bin/diff-alert.sh
#!/bin/bash
# E-mails an alert - showing diff of selected files
#
# Author: Martin West based on Daniel Cids mail-test.sh
# Set to root and use /etc/aliases to redirect
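Martin's diff-alert.sh is cut off after its header in the archive. The following is an added example, not his script and not part of OSSEC, of an active-response program that does what the header describes: it takes the positional arguments OSSEC passes to active-response commands (action, user, source IP, alert id, rule id, and on newer releases agent and filename), looks the alert up in alerts.log by its id, reads the changed path from the "Integrity checksum changed for:" line, diffs the current file against a saved copy, and hands the result to the local MTA addressed to root. The snapshot directory, the sendmail path and the sample alerts.log excerpt are assumptions of this example, and the sample text is constructed.

```python
#!/usr/bin/env python3
"""Active-response script (added example): mail a diff for a syscheck alert."""
import difflib
import re
import subprocess
import sys
from pathlib import Path
from typing import Optional

ALERTS_LOG = Path("/var/ossec/logs/alerts/alerts.log")
# Assumed: clean copies of the watched files, refreshed by the admin after
# each legitimate change, stored under their absolute path minus the leading /.
SNAPSHOT_DIR = Path("/var/ossec/active-response/snapshots")
SENDMAIL = "/usr/sbin/sendmail"   # assumed MTA entry point
MAIL_TO = "root"                  # redirect via /etc/aliases

CHANGED_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")

# Constructed excerpt of alerts.log, in the layout OSSEC writes: one block
# per alert, starting '** Alert <id>:', separated by a blank line.
SAMPLE_ALERTS = (
    "** Alert 1257597961.1234: - ossec,syscheck,\n"
    "2009 Nov 07 12:46:01 lenovo3->syscheck\n"
    "Rule: 550 (level 7) -> 'Integrity checksum changed.'\n"
    "Integrity checksum changed for: '/etc/hosts'\n"
    "\n"
    "** Alert 1257597962.5678: - ossec,rootcheck,\n"
    "Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'\n"
)


def find_alert(log_text: str, alert_id: str) -> str:
    """Return the block whose header is '** Alert <alert_id>:', or ''."""
    header = f"** Alert {alert_id}:"
    block, capturing = [], False
    for line in log_text.splitlines():
        if capturing:
            if not line.strip() or line.startswith("** Alert "):
                break
            block.append(line)
        elif line.startswith(header):
            capturing = True
            block.append(line)
    return "\n".join(block)


def changed_path(alert_block: str) -> Optional[str]:
    m = CHANGED_RE.search(alert_block)
    return m.group(1) if m else None


def build_diff(path: str, snapshot_text: str, current_text: str) -> str:
    return "".join(difflib.unified_diff(
        snapshot_text.splitlines(keepends=True),
        current_text.splitlines(keepends=True),
        fromfile=f"{path} (snapshot)", tofile=f"{path} (current)"))


def compose_mail(alert_block: str, path: str, diff: str) -> str:
    body = diff or "(no textual difference: binary file, or metadata-only change)"
    return (f"To: {MAIL_TO}\nSubject: OSSEC syscheck diff for {path}\n\n"
            f"{alert_block}\n\n{body}")


def main(argv) -> int:
    if len(argv) < 6:
        print("usage: action user srcip alert_id rule_id [agent [filename]]",
              file=sys.stderr)
        return 2
    block = find_alert(ALERTS_LOG.read_text(errors="replace"), argv[4])
    path = changed_path(block)
    if path is None:
        return 0   # not a checksum-change alert: nothing to diff
    snapshot = SNAPSHOT_DIR / path.lstrip("/")
    old = snapshot.read_text(errors="replace") if snapshot.is_file() else ""
    new = Path(path).read_text(errors="replace") if Path(path).is_file() else ""
    mail = compose_mail(block, path, build_diff(path, old, new))
    subprocess.run([SENDMAIL, "-t"], input=mail.encode(), check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in the same way as any active response: a `<command>` in ossec.conf naming the script as its `<executable>` (with an empty `<expect>`, since it needs no srcip or user), and an `<active-response>` with `<location>local</location>` and `<rules_id>550</rules_id>`, 550 being the stock "Integrity checksum changed." rule; it must be executable and owned by root like the other scripts in active-response/bin, since it is run by ossec-execd.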