On Wed, Nov 6, 2013 at 10:39 AM, frwa onto <frwao...@gmail.com> wrote:
> Dear Dan,
> Which log sample you prefer to have the apache error log or

Which log message do you want to trigger an alert? That is the important one here, right? In your original message you mentioned a log message containing "Directory index forbidden by Options directive:," but did not include the entire log message. I assume this is the log message you want an alert on?

> the ossec log ? Are the rules need tweaking too? How can I be sure the
> rootkit is running any log to check on it?
>

Check the ossec.log. If there is no mention of it, try turning on debug for syscheckd.

>
> On Wed, Nov 6, 2013 at 10:58 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Wed, Nov 6, 2013 at 9:54 AM, frwa onto <frwao...@gmail.com> wrote:
>> > Dear Dan,
>> > If I look into my ossec.conf I can see this both these
>> > apache_rules.xml and web_appsec_rules.xml and I can see it monitors the
>> > /var/log/httpd/error_log. What else do I need to check on ? Is monitoring
>> > just fine or must I still create rules sorry I am newbie into this.
>> > Besides
>>
>> You didn't provide a log sample, so I cannot determine whether the log
>> will be identified by OSSEC or not.
>>
>> > that when will the rootkit check will be done on a period basic or launch
>> > manually ?
>> >
>>
>> It should scan periodically.
>>
>> > On Wednesday, November 6, 2013 12:29:02 AM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Sun, Nov 3, 2013 at 12:51 PM, frwa onto <frwa...@gmail.com> wrote:
>> >> > Dear All,
>> >> > I am new to ossec. I am still learning how it works just
>> >> > wondering can it detect scraper activities because I have banned directory
>> >> > traversing but I notice yet the scraper manage to get to some of the
>> >> > directories but got this error Directory index forbidden by Options
>> >> > directive:
>> >> >
>> >>
>> >> Are these logs being monitored by OSSEC? You should be able to create
>> >> a rule looking for the log message.
>> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an
>> >> > email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
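Added example, not part of the thread and not OSSEC's own rule logic: a stand-alone sketch of the detection the thread is after, flagging clients that are refused directory listings on many distinct directories in a short time. It assumes Apache 2.2-style error_log lines; the sample log lines, the threshold `min_dirs` and the `window` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2-style error_log line carrying the message quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"Directory index forbidden by Options directive: (?P<path>\S+)"
)

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
[Wed Nov 06 10:12:01 2013] [error] [client 203.0.113.7] Directory index forbidden by Options directive: /var/www/html/images/
[Wed Nov 06 10:12:03 2013] [error] [client 203.0.113.7] Directory index forbidden by Options directive: /var/www/html/css/
[Wed Nov 06 10:12:04 2013] [error] [client 198.51.100.20] File does not exist: /var/www/html/favicon.ico
[Wed Nov 06 10:12:06 2013] [error] [client 203.0.113.7] Directory index forbidden by Options directive: /var/www/html/js/
[Wed Nov 06 10:12:09 2013] [error] [client 203.0.113.7] Directory index forbidden by Options directive: /var/www/html/uploads/
[Wed Nov 06 10:40:00 2013] [error] [client 198.51.100.20] Directory index forbidden by Options directive: /var/www/html/images/
[Wed Nov 06 11:55:00 2013] [error] [client 198.51.100.20] Directory index forbidden by Options directive: /var/www/html/css/
"""

def parse(lines):
    """Yield (timestamp, client_ip, path) for each matching log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["path"]

def find_scrapers(lines, min_dirs=4, window=timedelta(seconds=60)):
    """Return {ip: sorted distinct dirs} for clients refused on at least
    min_dirs distinct directories inside one sliding time window."""
    events = defaultdict(list)
    for ts, ip, path in parse(lines):
        events[ip].append((ts, path))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            dirs = {p for t, p in hits[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                flagged[ip] = sorted(dirs)
                break
    return flagged

if __name__ == "__main__":
    for ip, dirs in find_scrapers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(dirs)} forbidden directory listings: {dirs}")
```

Counting distinct directories per client, rather than raw hits, keeps a single visitor who reloads one forbidden URL from being flagged.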