Thanks for the help.
It still isn't working on my end, so I think I have a misunderstanding I
need to work through.
Appreciate the help
-b
On Tuesday, September 20, 2016 at 1:44:54 PM UTC-4, dan (ddpbsd) wrote:
On Tue, Sep 20, 2016 at 1:04 PM, wrote:
> I misspoke in the original email. I was attempting to fire 100506 based on
> 100504.
>
> A side question: My openvpn install does not log to syslog and does not
> contain the program name. I was forced to name all decoders the same in
> order to get th
On Tue, Sep 20, 2016 at 1:26 PM, wrote:
> Also in my original logs it does show SRCIP as being set and identical
> across those entries.
>
Which doesn't matter if there is no decoder to decode the IP address.
>
> On Tuesday, September 20, 2016 at 1:04:01 PM UTC-4, bar...@bossanova.com
> wrote:
Also in my original logs it does show SRCIP as being set and identical
across those entries.
On Tuesday, September 20, 2016 at 1:04:01 PM UTC-4, bar...@bossanova.com
wrote:
I misspoke in the original email. I was attempting to fire 100506 based on
100504.
A side question: My openvpn install does not log to syslog and does not
contain the program name. I was forced to name all decoders the same in
order to get the rule to match. Is there a more elegant way to handl
I didn't post the entire ruleset or my decoders
Rule 100500 exists. I have a decoder that also extracts the src IP.
I have attached the complete rules and decoders
On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) wrote:
On Tue, Sep 20, 2016 at 11:58 AM, wrote:
> Question: I have a custom decoder/rule which I believe should lead to an
> active response
>
>
> My alert logs show:
>
> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "b