Re: [ossec-list] ossec email notification not working

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng  wrote:
> Hi, ideally we like ossec to check file integrity in real time, if not, what
> are the other options ossec can offer in that aspect?
>

It will do some things in real time, not all. I think it should be a
fairly simple code change to add new files to the realtime options,
but I've never really looked into it.

> Is there a Syscheck cmd in ossec?
>

# /var/ossec/bin/agent_control -h

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h  This help message.
-l  List available (active or not) agents.
-lc List active agents.
-i  Extracts information from an agent.
-R  Restarts agent.
-r -a   Runs the integrity/rootkit checking on all agents now.
-r -u   Runs the integrity/rootkit checking on one agent now.

-b  Blocks the specified ip address.
-f  Used with -b, specifies which response to run.
-L  List available active responses.
-s  Changes the output to CSV (comma delimited).


> On 5 September 2016 at 17:23, dan (ddp)  wrote:
>>
>> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng  wrote:
>> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the
>> > file,
>> > no alerts fired after adding a file to /home/user_name, which is
>> > monitored
>> > by ossec. what's the possible problems?
>> >
>>
>> A syscheck scan probably hasn't run since the file was added (I don't
>> think it works with realtime).
>> Try running a syscheck scan to see if an alert is created.
>>
>> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng 
>> >> wrote:
>> >> > Using the above cmd, adding a file on a monitored directory, i.e.
>> >> > /home/user_name,
>> >> >
>> >> > nothing is shown on tcpdump,
>> >> >
>> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture
>> >> > size
>> >> > 262144 bytes
>> >> >
>> >> >
>> >>
>> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>> >> So make sure you're listening to the interface the emails should be
>> >> sent
>> >> from.
>> >> Did any alerts fire while you were using tcpdump (check
>> >> /var/ossec/logs/alerts/alerts.log).
>> >> If not, that'll be a problem.
>> >>
>> >> >
>> >> >
>> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng 
>> >> >> wrote:
>> >> >> > Hi, could you give me an example of using tcpdump in this case?
>> >> >> >
>> >> >>
>> >> >> tcpdump -nnXxevvs 0 port 25
>> >> >>
>> >> >> > cheers
>> >> >> >
>> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng 
>> >> >> >> wrote:
>> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any
>> >> >> >> > emails.
>> >> >> >> > The
>> >> >> >> > notification is turn on as
>> >> >> >> >
>> >> >> >>
>> >> >> >> Try using tcpdump (looking for connections to the email server
>> >> >> >> from
>> >> >> >> the OSSEC system)
>> >> >> >>  or check the maillogs on the email server to determine if there
>> >> >> >> is
>> >> >> >> an
>> >> >> >> error when sending.
>> >> >> >>
>> >> >> >> > yes
>> >> >> >> >
>> >> >> >> > in ossec.conf
>> >> >> >> >
>> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng
>> >> >> >> >> 
>> >> >> >> >> wrote:
>> >> >> >> >> > Hi, I installed ossec local on my cloud server, and
>> >> >> >> >> > configure
>> >> >> >> >> > ossec.conf
>> >> >> >> >> > as
>> >> >> >> >> > follows, I tried to detect new additions using
>> >> >> >> >> > yes.
>> >> >> >> >> >
>> >> >> >> >> > 
>> >> >> >> >> >  yes
>> >> >> >> >> >  my_e...@example.com
>> >> >> >> >> >  ns0.bt.net.
>> >> >> >> >> >  my_e...@example.com
>> >> >> >> >> >
>> >> >> >> >> > 
>> >> >> >> >> >  
>> >> >> >> >> >  79200
>> >> >> >> >> >  yes
>> >> >> >> >> >
>> >> >> >> >> >  
>> >> >> >> >> >  > >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin
>> >> >> >> >> >  > >> >> >> >> > check_all="yes">/bin,/sbin
>> >> >> >> >> >  > >> >> >> >> > check_all="yes">/home/user_name
>> >> >> >> >> >  
>> >> >> >> >> >
>> >> >> >> >> > The local_rules.xml is like,
>> >> >> >> >> >
>> >> >> >> >> >  
>> >> >> >> >> >
>> >> >> >> >> > 
>> >> >> >> >> > 
>> >> >> >> >> >   5711
>> >> >> >> >> >   1.1.1.1
>> >> >> >> >> >   Example of rule that will ignore sshd
>> >> >> >> >> > 
>> >> >> >> >> >   failed logins from IP
>> >> >> >> >> > 1.1.1.1.
>> >> >> >> >> > 
>> >> >> >> >> >
>> >> >> >> >> > 
>> >> >> >> >> >   ossec
>> >> >> >> >> >   syscheck_new_entry
>> >> >> >> >> >   File added to the system.
>> >> >> >> >> >   syscheck,
>> >> >> >> >> > 
>> >> >> >> >> > 
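The check dan is pointing at (run a syscheck scan with agent_control, then look in /var/ossec/logs/alerts/alerts.log for an alert on the new file) can be scripted against the alerts file. The script below is an added example for this thread, not code from the posters or from the OSSEC project; it assumes the alerts.log record layout that ossec-analysisd writes, and the sample log it carries is constructed (host name, timestamps and paths are invented).

```python
"""Answer "did syscheck raise an alert for the file I just added, and was it
flagged for mail?" from /var/ossec/logs/alerts/alerts.log.

Added example for this thread; not code from the ossec-list posters or from
the OSSEC project. It assumes the alerts.log record layout written by
ossec-analysisd: a "** Alert <epoch>.<seq>:[ mail ] - <groups>" header, a
"Rule: <id> (level <n>) -> '<description>'" line, and for syscheck a
"New file '<path>' added to the file system." or
"Integrity checksum changed for: '<path>'" line. The sample log below is
constructed; the host name and timestamps are invented.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ALERT_HEADER = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.\d+:\s*(?P<mail>mail)?\s*- (?P<groups>.*)$")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# syscheck body lines that name the file the alert is about
NEW_FILE = re.compile(r"^New file '(?P<path>[^']+)' added to the file system\.$")
CHANGED_FILE = re.compile(r"^Integrity checksum changed for: '(?P<path>[^']+)'$")


@dataclass
class Alert:
    epoch: int            # Unix time from the header
    mail: bool            # True when analysisd flagged the alert for email
    groups: List[str]     # rule groups from the header, e.g. ["ossec", "syscheck"]
    rule_id: int = 0
    level: int = 0
    description: str = ""
    path: Optional[str] = None   # file named by a syscheck alert, if any


def parse_alerts(text: str) -> List[Alert]:
    """Parse alerts.log text into Alert records (one per '** Alert' header)."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ALERT_HEADER.match(line)
        if m:
            current = Alert(epoch=int(m.group("epoch")),
                            mail=m.group("mail") is not None,
                            groups=[g for g in m.group("groups").split(",") if g])
            alerts.append(current)
            continue
        if current is None:
            continue
        m = RULE_LINE.match(line)
        if m:
            current.rule_id = int(m.group("id"))
            current.level = int(m.group("level"))
            current.description = m.group("desc")
            continue
        m = NEW_FILE.match(line) or CHANGED_FILE.match(line)
        if m:
            current.path = m.group("path")
    return alerts


def diagnose(log_text: str, path: str, since_epoch: int = 0) -> str:
    """Classify the state of syscheck alerting for one file.

    'no-alert'         no syscheck alert names the path since since_epoch: the
                       scan has not run yet (agent_control -r -a) or the
                       directory is not monitored; SMTP is not the problem yet
    'alert-not-mailed' an alert fired but analysisd did not flag it for email
    'alert-mailed'     an alert fired and was flagged for email: look at the
                       SMTP side (tcpdump on port 25, the mail server's logs)
    """
    hits = [a for a in parse_alerts(log_text)
            if "syscheck" in a.groups and a.path == path and a.epoch >= since_epoch]
    if not hits:
        return "no-alert"
    return "alert-mailed" if any(a.mail for a in hits) else "alert-not-mailed"


# Constructed sample: one sshd alert, one syscheck "new file" alert that was not
# flagged for mail, and one checksum-change alert that was.
SAMPLE_ALERTS_LOG = """\
** Alert 1473092400.1001: - syslog,sshd,authentication_failed,
2016 Sep 05 17:00:00 cloudbox->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
Sep  5 17:00:00 cloudbox sshd[2100]: Failed password for invalid user test from 203.0.113.9 port 51000 ssh2

** Alert 1473093000.2002: - ossec,syscheck,
2016 Sep 05 17:10:00 cloudbox->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/home/user_name/new_note.txt' added to the file system.

** Alert 1473093600.3003: mail  - ossec,syscheck,
2016 Sep 05 17:20:00 cloudbox->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Size changed from '220' to '245'
"""

if __name__ == "__main__":
    import sys
    # usage: alerts_check.py /var/ossec/logs/alerts/alerts.log /home/user_name/new_note.txt [since_epoch]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        since = int(sys.argv[3]) if len(sys.argv) > 3 else 0
        print(diagnose(text, sys.argv[2], since))
    else:
        print(diagnose(SAMPLE_ALERTS_LOG, "/home/user_name/new_note.txt", 1473092000))
```

The "mail" marker in the header is written only when analysisd decides to email the alert, which it does when the rule's level reaches the `<email_alert_level>` in ossec.conf (7 unless set otherwise) or the rule carries `<options>alert_by_email</options>`. A result of "alert-not-mailed" for the level-5 "File added to the system." rule therefore means the mail step never started, and tcpdump on port 25 has nothing to show; only "alert-mailed" with no SMTP traffic points at the mail path itself.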

Re: [ossec-list] ossec email notification not working

2016-09-05 Thread Daiyue Weng
Hi, ideally we'd like ossec to check file integrity in real time; if not,
what are the other options ossec can offer in that aspect?

Is there a Syscheck cmd in ossec?

On 5 September 2016 at 17:23, dan (ddp)  wrote:

> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng  wrote:
> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the
> file,
> > no alerts fired after adding a file to /home/user_name, which is
> monitored
> > by ossec. what's the possible problems?
> >
>
> A syscheck scan probably hasn't run since the file was added (I don't
> think it works with realtime).
> Try running a syscheck scan to see if an alert is created.
>
> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng 
> wrote:
> >> > Using the above cmd, adding a file on a monitored directory, i.e.
> >> > /home/user_name,
> >> >
> >> > nothing is shown on tcpdump,
> >> >
> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture
> size
> >> > 262144 bytes
> >> >
> >> >
> >>
> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
> >> So make sure you're listening to the interface the emails should be sent
> >> from.
> >> Did any alerts fire while you were using tcpdump (check
> >> /var/ossec/logs/alerts/alerts.log).
> >> If not, that'll be a problem.
> >>
> >> >
> >> >
> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng 
> >> >> wrote:
> >> >> > Hi, could you give me an example of using tcpdump in this case?
> >> >> >
> >> >>
> >> >> tcpdump -nnXxevvs 0 port 25
> >> >>
> >> >> > cheers
> >> >> >
> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng 
> >> >> >> wrote:
> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any
> >> >> >> > emails.
> >> >> >> > The
> >> >> >> > notification is turn on as
> >> >> >> >
> >> >> >>
> >> >> >> Try using tcpdump (looking for connections to the email server
> from
> >> >> >> the OSSEC system)
> >> >> >>  or check the maillogs on the email server to determine if there
> is
> >> >> >> an
> >> >> >> error when sending.
> >> >> >>
> >> >> >> > yes
> >> >> >> >
> >> >> >> > in ossec.conf
> >> >> >> >
> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <
> daiyu...@gmail.com>
> >> >> >> >> wrote:
> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configure
> >> >> >> >> > ossec.conf
> >> >> >> >> > as
> >> >> >> >> > follows, I tried to detect new additions using
> >> >> >> >> > yes.
> >> >> >> >> >
> >> >> >> >> > 
> >> >> >> >> >  yes
> >> >> >> >> >  my_e...@example.com
> >> >> >> >> >  ns0.bt.net.
> >> >> >> >> >  my_e...@example.com
> >> >> >> >> >
> >> >> >> >> > 
> >> >> >> >> >  
> >> >> >> >> >  79200
> >> >> >> >> >  yes
> >> >> >> >> >
> >> >> >> >> >  
> >> >> >> >> >   >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin
> >> >> >> >> >   >> >> >> >> > check_all="yes">/bin,/sbin
> >> >> >> >> >   >> >> >> >> > check_all="yes">/home/user_name
> >> >> >> >> >  
> >> >> >> >> >
> >> >> >> >> > The local_rules.xml is like,
> >> >> >> >> >
> >> >> >> >> >  
> >> >> >> >> >
> >> >> >> >> > 
> >> >> >> >> > 
> >> >> >> >> >   5711
> >> >> >> >> >   1.1.1.1
> >> >> >> >> >   Example of rule that will ignore sshd
> >> >> >> >> > 
> >> >> >> >> >   failed logins from IP
> 1.1.1.1.
> >> >> >> >> > 
> >> >> >> >> >
> >> >> >> >> > 
> >> >> >> >> >   ossec
> >> >> >> >> >   syscheck_new_entry
> >> >> >> >> >   File added to the system.
> >> >> >> >> >   syscheck,
> >> >> >> >> > 
> >> >> >> >> >  
> >> >> >> >> >
> >> >> >> >> > Now, if I added a file in home/user_name, there is no email
> >> >> >> >> > notification
> >> >> >> >> > coming through the SMTP server. I am using smtp.bt.net,
> using
> >> >> >> >> >
> >> >> >> >> > dig -t mx smtp.bt.net
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> > to get the SMTP server. Whats the possible reasons that I am
> >> >> >> >> > not
> >> >> >> >> > getting
> >> >> >> >> > the
> >> >> >> >> > email?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Are you getting emails for other alerts?
> >> >> >> >> Are alerts being triggered for these new files?
> >> >> >> >>
> >> >> >> >> > Many thanks
> >> >> >> >> >

Re: [ossec-list] ossec email notification not working

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng  wrote:
> The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file,
> no alerts fired after adding a file to /home/user_name, which is monitored
> by ossec. what's the possible problems?
>

A syscheck scan probably hasn't run since the file was added (I don't
think it works with realtime).
Try running a syscheck scan to see if an alert is created.

> On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng  wrote:
>> > Using the above cmd, adding a file on a monitored directory, i.e.
>> > /home/user_name,
>> >
>> > nothing is shown on tcpdump,
>> >
>> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size
>> > 262144 bytes
>> >
>> >
>>
>> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>> So make sure you're listening to the interface the emails should be sent
>> from.
>> Did any alerts fire while you were using tcpdump (check
>> /var/ossec/logs/alerts/alerts.log).
>> If not, that'll be a problem.
>>
>> >
>> >
>> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng 
>> >> wrote:
>> >> > Hi, could you give me an example of using tcpdump in this case?
>> >> >
>> >>
>> >> tcpdump -nnXxevvs 0 port 25
>> >>
>> >> > cheers
>> >> >
>> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng 
>> >> >> wrote:
>> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any
>> >> >> > emails.
>> >> >> > The
>> >> >> > notification is turn on as
>> >> >> >
>> >> >>
>> >> >> Try using tcpdump (looking for connections to the email server from
>> >> >> the OSSEC system)
>> >> >>  or check the maillogs on the email server to determine if there is
>> >> >> an
>> >> >> error when sending.
>> >> >>
>> >> >> > yes
>> >> >> >
>> >> >> > in ossec.conf
>> >> >> >
>> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng 
>> >> >> >> wrote:
>> >> >> >> > Hi, I installed ossec local on my cloud server, and configure
>> >> >> >> > ossec.conf
>> >> >> >> > as
>> >> >> >> > follows, I tried to detect new additions using
>> >> >> >> > yes.
>> >> >> >> >
>> >> >> >> > 
>> >> >> >> >  yes
>> >> >> >> >  my_e...@example.com
>> >> >> >> >  ns0.bt.net.
>> >> >> >> >  my_e...@example.com
>> >> >> >> >
>> >> >> >> > 
>> >> >> >> >  
>> >> >> >> >  79200
>> >> >> >> >  yes
>> >> >> >> >
>> >> >> >> >  
>> >> >> >> >  > >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin
>> >> >> >> >  > >> >> >> > check_all="yes">/bin,/sbin
>> >> >> >> >  > >> >> >> > check_all="yes">/home/user_name
>> >> >> >> >  
>> >> >> >> >
>> >> >> >> > The local_rules.xml is like,
>> >> >> >> >
>> >> >> >> >  
>> >> >> >> >
>> >> >> >> > 
>> >> >> >> > 
>> >> >> >> >   5711
>> >> >> >> >   1.1.1.1
>> >> >> >> >   Example of rule that will ignore sshd
>> >> >> >> > 
>> >> >> >> >   failed logins from IP 1.1.1.1.
>> >> >> >> > 
>> >> >> >> >
>> >> >> >> > 
>> >> >> >> >   ossec
>> >> >> >> >   syscheck_new_entry
>> >> >> >> >   File added to the system.
>> >> >> >> >   syscheck,
>> >> >> >> > 
>> >> >> >> >  
>> >> >> >> >
>> >> >> >> > Now, if I added a file in home/user_name, there is no email
>> >> >> >> > notification
>> >> >> >> > coming through the SMTP server. I am using smtp.bt.net, using
>> >> >> >> >
>> >> >> >> > dig -t mx smtp.bt.net
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > to get the SMTP server. Whats the possible reasons that I am
>> >> >> >> > not
>> >> >> >> > getting
>> >> >> >> > the
>> >> >> >> > email?
>> >> >> >> >
>> >> >> >>
>> >> >> >> Are you getting emails for other alerts?
>> >> >> >> Are alerts being triggered for these new files?
>> >> >> >>
>> >> >> >> > Many thanks
>> >> >> >> >

Re: [ossec-list] ossec email notification not working

2016-09-05 Thread Daiyue Weng
The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file, 
no alerts fired after adding a file to /home/user_name, which is monitored 
by ossec. What are the possible problems?

On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>
> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng  > wrote: 
> > Using the above cmd, adding a file on a monitored directory, i.e. 
> > /home/user_name, 
> > 
> > nothing is shown on tcpdump, 
> > 
> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 
> > 262144 bytes 
> > 
> > 
>
> You can use "-i INTERFACE_NAME" to change the interface it listens on. 
> So make sure you're listening to the interface the emails should be sent 
> from. 
> Did any alerts fire while you were using tcpdump (check 
> /var/ossec/logs/alerts/alerts.log). 
> If not, that'll be a problem. 
>
> > 
> > 
> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng  
> wrote: 
> >> > Hi, could you give me an example of using tcpdump in this case? 
> >> > 
> >> 
> >> tcpdump -nnXxevvs 0 port 25 
> >> 
> >> > cheers 
> >> > 
> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng  
> >> >> wrote: 
> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any 
> emails. 
> >> >> > The 
> >> >> > notification is turn on as 
> >> >> > 
> >> >> 
> >> >> Try using tcpdump (looking for connections to the email server from 
> >> >> the OSSEC system) 
> >> >>  or check the maillogs on the email server to determine if there is 
> an 
> >> >> error when sending. 
> >> >> 
> >> >> > yes 
> >> >> > 
> >> >> > in ossec.conf 
> >> >> > 
> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote: 
> >> >> >> 
> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng  
>
> >> >> >> wrote: 
> >> >> >> > Hi, I installed ossec local on my cloud server, and configure 
> >> >> >> > ossec.conf 
> >> >> >> > as 
> >> >> >> > follows, I tried to detect new additions using 
> >> >> >> > yes. 
> >> >> >> > 
> >> >> >> >  
> >> >> >> >  yes 
> >> >> >> >  my_e...@example.com 
> >> >> >> >  ns0.bt.net. 
> >> >> >> >  my_e...@example.com 
> >> >> >> > 
> >> >> >> >  
> >> >> >> >   
> >> >> >> >  79200 
> >> >> >> >  yes 
> >> >> >> > 
> >> >> >> >   
> >> >> >> >   >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin 
> >> >> >> >   >> >> >> > check_all="yes">/bin,/sbin 
> >> >> >> >   >> >> >> > check_all="yes">/home/user_name 
> >> >> >> >   
> >> >> >> > 
> >> >> >> > The local_rules.xml is like, 
> >> >> >> > 
> >> >> >> >   
> >> >> >> > 
> >> >> >> >  
> >> >> >> >  
> >> >> >> >   5711 
> >> >> >> >   1.1.1.1 
> >> >> >> >   Example of rule that will ignore sshd 
> >> >> >> >  
> >> >> >> >   failed logins from IP 1.1.1.1. 
> >> >> >> >  
> >> >> >> > 
> >> >> >> >  
> >> >> >> >   ossec 
> >> >> >> >   syscheck_new_entry 
> >> >> >> >   File added to the system. 
> >> >> >> >   syscheck, 
> >> >> >> >  
> >> >> >> >   
> >> >> >> > 
> >> >> >> > Now, if I added a file in home/user_name, there is no email 
> >> >> >> > notification 
> >> >> >> > coming through the SMTP server. I am using smtp.bt.net, using 
> >> >> >> > 
> >> >> >> > dig -t mx smtp.bt.net 
> >> >> >> > 
> >> >> >> > 
> >> >> >> > to get the SMTP server. Whats the possible reasons that I am 
> not 
> >> >> >> > getting 
> >> >> >> > the 
> >> >> >> > email? 
> >> >> >> > 
> >> >> >> 
> >> >> >> Are you getting emails for other alerts? 
> >> >> >> Are alerts being triggered for these new files? 
> >> >> >> 
> >> >> >> > Many thanks 
> >> >> >> > 

Re: [ossec-list] ossec email notification not working

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng  wrote:
> Using the above cmd, adding a file on a monitored directory, i.e.
> /home/user_name,
>
> nothing is shown on tcpdump,
>
> tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size
> 262144 bytes
>
>

You can use "-i INTERFACE_NAME" to change the interface it listens on.
So make sure you're listening to the interface the emails should be sent from.
Did any alerts fire while you were using tcpdump (check
/var/ossec/logs/alerts/alerts.log).
If not, that'll be a problem.

>
>
> On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng  wrote:
>> > Hi, could you give me an example of using tcpdump in this case?
>> >
>>
>> tcpdump -nnXxevvs 0 port 25
>>
>> > cheers
>> >
>> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng 
>> >> wrote:
>> >> > Hi, since it is a fresh install of ossec, so I didn't get any emails.
>> >> > The
>> >> > notification is turn on as
>> >> >
>> >>
>> >> Try using tcpdump (looking for connections to the email server from
>> >> the OSSEC system)
>> >>  or check the maillogs on the email server to determine if there is an
>> >> error when sending.
>> >>
>> >> > yes
>> >> >
>> >> > in ossec.conf
>> >> >
>> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng 
>> >> >> wrote:
>> >> >> > Hi, I installed ossec local on my cloud server, and configure
>> >> >> > ossec.conf
>> >> >> > as
>> >> >> > follows, I tried to detect new additions using
>> >> >> > yes.
>> >> >> >
>> >> >> > 
>> >> >> >  yes
>> >> >> >  my_e...@example.com
>> >> >> >  ns0.bt.net.
>> >> >> >  my_e...@example.com
>> >> >> >
>> >> >> > 
>> >> >> >  
>> >> >> >  79200
>> >> >> >  yes
>> >> >> >
>> >> >> >  
>> >> >> >  > >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin
>> >> >> >  > >> >> > check_all="yes">/bin,/sbin
>> >> >> >  > >> >> > check_all="yes">/home/user_name
>> >> >> >  
>> >> >> >
>> >> >> > The local_rules.xml is like,
>> >> >> >
>> >> >> >  
>> >> >> >
>> >> >> > 
>> >> >> > 
>> >> >> >   5711
>> >> >> >   1.1.1.1
>> >> >> >   Example of rule that will ignore sshd
>> >> >> > 
>> >> >> >   failed logins from IP 1.1.1.1.
>> >> >> > 
>> >> >> >
>> >> >> > 
>> >> >> >   ossec
>> >> >> >   syscheck_new_entry
>> >> >> >   File added to the system.
>> >> >> >   syscheck,
>> >> >> > 
>> >> >> >  
>> >> >> >
>> >> >> > Now, if I added a file in home/user_name, there is no email
>> >> >> > notification
>> >> >> > coming through the SMTP server. I am using smtp.bt.net, using
>> >> >> >
>> >> >> > dig -t mx smtp.bt.net
>> >> >> >
>> >> >> >
>> >> >> > to get the SMTP server. Whats the possible reasons that I am not
>> >> >> > getting
>> >> >> > the
>> >> >> > email?
>> >> >> >
>> >> >>
>> >> >> Are you getting emails for other alerts?
>> >> >> Are alerts being triggered for these new files?
>> >> >>
>> >> >> > Many thanks
>> >> >> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Multiple agent_id for one active response

2016-09-05 Thread C. L. Martinez
On Mon  5.Sep'16 at  8:59:41 +0200, secucatc...@free.fr wrote:
> hi
> 003,004 doesn't work
> but each section separately is working
> 
> 
> firewall-drop
> defined-agent
> 067
> 864000
> 117154,31510,117159,117162
> 
> 
> 
> firewall-drop
> defined-agent
> 038
> 864000
> 117154,31510,117159,117162
> 
> 
> 
> be careful with that case
> https://github.com/ossec/ossec-hids/issues/701
> 
> if you have a lot of attacks the script can't be fast enough (I have the
> case with a Chinese DNS pointing at one of our servers by mistake)
> cheers
> 
> 
Many thanks. That is what I am doing ... But until today, I didn't see any 
problem, but these servers are not reachable from the Internet...

-- 
Greetings,
C. L. Martinez

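The workaround the quoted post describes (a comma-separated agent list in one active-response block does not fire, one block per agent does) can be applied mechanically to an existing ossec.conf. The script below is an added example for this thread, not code from the posters or from the OSSEC project; it assumes a single-rooted <ossec_config> fragment using the element names ossec.conf uses for active responses (<command>, <location>, <agent_id>, <timeout>, <rules_id>), and the fragment it carries is constructed, with the agent ids and rule ids taken from the post only as sample values.

```python
"""Rewrite OSSEC <active-response> blocks whose <agent_id> lists several
agents ("003,004") into one block per agent, the shape the thread reports
as working.

Added example; not code from the ossec-list posters or from the OSSEC
project. It assumes a single-rooted <ossec_config> fragment with the
element names ossec.conf uses for active responses. The fragment below is
constructed for the example.
"""
import copy
import xml.etree.ElementTree as ET
from typing import List


def split_multi_agent_responses(fragment: str) -> str:
    """Return the fragment with every comma-separated <agent_id> expanded
    into identical blocks that each name exactly one agent."""
    root = ET.fromstring(fragment)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag != "active-response":
                continue
            agent_el = child.find("agent_id")
            if agent_el is None or not agent_el.text:
                continue
            ids = [i.strip() for i in agent_el.text.split(",") if i.strip()]
            if len(ids) < 2:
                continue                      # already one agent per block
            position = list(parent).index(child)
            parent.remove(child)
            for offset, agent in enumerate(ids):
                clone = copy.deepcopy(child)  # same command/location/timeout/rules_id
                clone.find("agent_id").text = agent
                parent.insert(position + offset, clone)
    return ET.tostring(root, encoding="unicode")


def agent_ids(fragment: str) -> List[str]:
    """The <agent_id> text of each <active-response>, in document order."""
    root = ET.fromstring(fragment)
    return [ar.findtext("agent_id", default="") for ar in root.iter("active-response")]


def lint_multi_agent(fragment: str) -> List[str]:
    """Return the <agent_id> values that list more than one agent (the form
    the thread reports as not firing)."""
    return [a for a in agent_ids(fragment) if "," in a]


# Constructed input: the first block uses the form the thread says does not fire.
BROKEN_FRAGMENT = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003,004</agent_id>
    <timeout>864000</timeout>
    <rules_id>117154,31510,117159,117162</rules_id>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>067</agent_id>
    <timeout>864000</timeout>
    <rules_id>117154,31510,117159,117162</rules_id>
  </active-response>
</ossec_config>
"""

if __name__ == "__main__":
    print("multi-agent blocks:", lint_multi_agent(BROKEN_FRAGMENT))
    print(split_multi_agent_responses(BROKEN_FRAGMENT))
```

Run `lint_multi_agent` over the fragment first to see which blocks are affected, then replace the `<active-response>` section of ossec.conf with the output of `split_multi_agent_responses` and restart OSSEC so the new blocks are read.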


Re: [ossec-list] ossec email notification not working

2016-09-05 Thread Daiyue Weng
Using the above cmd, adding a file on a monitored directory, i.e. 
/home/user_name,

nothing is shown on tcpdump,

tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 
262144 bytes




On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>
> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng  > wrote: 
> > Hi, could you give me an example of using tcpdump in this case? 
> > 
>
> tcpdump -nnXxevvs 0 port 25 
>
> > cheers 
> > 
> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng  
> wrote: 
> >> > Hi, since it is a fresh install of ossec, so I didn't get any emails. 
> >> > The 
> >> > notification is turn on as 
> >> > 
> >> 
> >> Try using tcpdump (looking for connections to the email server from 
> >> the OSSEC system) 
> >>  or check the maillogs on the email server to determine if there is an 
> >> error when sending. 
> >> 
> >> > yes 
> >> > 
> >> > in ossec.conf 
> >> > 
> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng  
> >> >> wrote: 
> >> >> > Hi, I installed ossec local on my cloud server, and configure 
> >> >> > ossec.conf 
> >> >> > as 
> >> >> > follows, I tried to detect new additions using 
> >> >> > yes. 
> >> >> > 
> >> >> >  
> >> >> >  yes 
> >> >> >  my_e...@example.com 
> >> >> >  ns0.bt.net. 
> >> >> >  my_e...@example.com 
> >> >> > 
> >> >> >  
> >> >> >   
> >> >> >  79200 
> >> >> >  yes 
> >> >> > 
> >> >> >   
> >> >> >   >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin 
> >> >> >   >> >> > check_all="yes">/bin,/sbin 
> >> >> >   >> >> > check_all="yes">/home/user_name 
> >> >> >   
> >> >> > 
> >> >> > The local_rules.xml is like, 
> >> >> > 
> >> >> >   
> >> >> > 
> >> >> >  
> >> >> >  
> >> >> >   5711 
> >> >> >   1.1.1.1 
> >> >> >   Example of rule that will ignore sshd 
> >> >> >  
> >> >> >   failed logins from IP 1.1.1.1. 
> >> >> >  
> >> >> > 
> >> >> >  
> >> >> >   ossec 
> >> >> >   syscheck_new_entry 
> >> >> >   File added to the system. 
> >> >> >   syscheck, 
> >> >> >  
> >> >> >   
> >> >> > 
> >> >> > Now, if I added a file in home/user_name, there is no email 
> >> >> > notification 
> >> >> > coming through the SMTP server. I am using smtp.bt.net, using 
> >> >> > 
> >> >> > dig -t mx smtp.bt.net 
> >> >> > 
> >> >> > 
> >> >> > to get the SMTP server. Whats the possible reasons that I am not 
> >> >> > getting 
> >> >> > the 
> >> >> > email? 
> >> >> > 
> >> >> 
> >> >> Are you getting emails for other alerts? 
> >> >> Are alerts being triggered for these new files? 
> >> >> 
> >> >> > Many thanks 
> >> >> > 


Re: [ossec-list] ossec email notification not working

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng  wrote:
> Hi, could you give me an example of using tcpdump in this case?
>

tcpdump -nnXxevvs 0 port 25

> cheers
>
> On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng  wrote:
>> > Hi, since it is a fresh install of ossec, so I didn't get any emails.
>> > The
>> > notification is turn on as
>> >
>>
>> Try using tcpdump (looking for connections to the email server from
>> the OSSEC system)
>>  or check the maillogs on the email server to determine if there is an
>> error when sending.
>>
>> > yes
>> >
>> > in ossec.conf
>> >
>> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng 
>> >> wrote:
>> >> > Hi, I installed ossec local on my cloud server, and configure
>> >> > ossec.conf
>> >> > as
>> >> > follows, I tried to detect new additions using
>> >> > yes.
>> >> >
>> >> > 
>> >> >  yes
>> >> >  my_e...@example.com
>> >> >  ns0.bt.net.
>> >> >  my_e...@example.com
>> >> >
>> >> > 
>> >> >  
>> >> >  79200
>> >> >  yes
>> >> >
>> >> >  
>> >> >  > >> > check_all="yes">/etc,/usr/bin,/usr/sbin
>> >> >  > >> > check_all="yes">/bin,/sbin
>> >> >  > >> > check_all="yes">/home/user_name
>> >> >  
>> >> >
>> >> > The local_rules.xml is like,
>> >> >
>> >> >  
>> >> >
>> >> > 
>> >> > 
>> >> >   5711
>> >> >   1.1.1.1
>> >> >   Example of rule that will ignore sshd
>> >> > 
>> >> >   failed logins from IP 1.1.1.1.
>> >> > 
>> >> >
>> >> > 
>> >> >   ossec
>> >> >   syscheck_new_entry
>> >> >   File added to the system.
>> >> >   syscheck,
>> >> > 
>> >> >  
>> >> >
>> >> > Now, if I added a file in home/user_name, there is no email
>> >> > notification
>> >> > coming through the SMTP server. I am using smtp.bt.net, using
>> >> >
>> >> > dig -t mx smtp.bt.net
>> >> >
>> >> >
>> >> > to get the SMTP server. Whats the possible reasons that I am not
>> >> > getting
>> >> > the
>> >> > email?
>> >> >
>> >>
>> >> Are you getting emails for other alerts?
>> >> Are alerts being triggered for these new files?
>> >>
>> >> > Many thanks
>> >> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] ossec email notification not working

2016-09-05 Thread Daiyue Weng
Hi, could you give me an example of using tcpdump in this case?

cheers

On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>
> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng wrote:
> > Hi, since it is a fresh install of ossec, I didn't get any emails. The
> > notification is turned on as
> > 
>
> Try using tcpdump (looking for connections to the email server from
> the OSSEC system) or check the mail logs on the email server to
> determine if there is an error when sending.
>
> > yes 
> > 
> > in ossec.conf 
> > 
> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng wrote:
> >> > Hi, I installed ossec locally on my cloud server, and configured
> >> > ossec.conf as follows. I tried to detect new additions using
> >> > yes.
> >> > 
> >> >  
> >> >  yes 
> >> >  my_e...@example.com 
> >> >  ns0.bt.net. 
> >> >  my_e...@example.com 
> >> > 
> >> >  
> >> >   
> >> >  79200 
> >> >  yes 
> >> > 
> >> >   
> >> >   check_all="yes">/etc,/usr/bin,/usr/sbin
> >> >   check_all="yes">/bin,/sbin
> >> >   check_all="yes">/home/user_name
> >> >   
> >> > 
> >> > The local_rules.xml is like, 
> >> > 
> >> >   
> >> > 
> >> >  
> >> >  
> >> >   5711 
> >> >   1.1.1.1 
> >> >   Example of rule that will ignore sshd
> >> >   failed logins from IP 1.1.1.1.
> >> >  
> >> > 
> >> >  
> >> >   ossec 
> >> >   syscheck_new_entry 
> >> >   File added to the system. 
> >> >   syscheck, 
> >> >  
> >> >   
> >> > 
> >> > Now, if I added a file in home/user_name, there is no email 
> notification 
> >> > coming through the SMTP server. I am using smtp.bt.net, using 
> >> > 
> >> > dig -t mx smtp.bt.net 
> >> > 
> >> > 
> >> > to get the SMTP server. What are the possible reasons that I am not
> >> > getting the email?
> >> > 
> >> 
> >> Are you getting emails for other alerts? 
> >> Are alerts being triggered for these new files? 
> >> 
> >> > Many thanks 
> >> > 


Re: [ossec-list] ossec email notification not working

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng  wrote:
> Hi, since it is a fresh install of ossec, I didn't get any emails. The
> notification is turned on as
>

Try using tcpdump (looking for connections to the email server from
the OSSEC system) or check the mail logs on the email server to
determine if there is an error when sending.

> yes
>
> in ossec.conf
>
> On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng  wrote:
>> > Hi, I installed ossec locally on my cloud server, and configured
>> > ossec.conf as follows. I tried to detect new additions using
>> > yes.
>> >
>> > 
>> >  yes
>> >  my_e...@example.com
>> >  ns0.bt.net.
>> >  my_e...@example.com
>> >
>> > 
>> >  
>> >  79200
>> >  yes
>> >
>> >  
>> >  check_all="yes">/etc,/usr/bin,/usr/sbin
>> >  check_all="yes">/bin,/sbin
>> >  check_all="yes">/home/user_name
>> >  
>> >
>> > The local_rules.xml is like,
>> >
>> >  
>> >
>> > 
>> > 
>> >   5711
>> >   1.1.1.1
>> >   Example of rule that will ignore sshd 
>> >   failed logins from IP 1.1.1.1.
>> > 
>> >
>> > 
>> >   ossec
>> >   syscheck_new_entry
>> >   File added to the system.
>> >   syscheck,
>> > 
>> >  
>> >
>> > Now, if I added a file in home/user_name, there is no email notification
>> > coming through the SMTP server. I am using smtp.bt.net, using
>> >
>> > dig -t mx smtp.bt.net
>> >
>> >
>> > to get the SMTP server. What are the possible reasons that I am not
>> > getting the email?
>> >
>>
>> Are you getting emails for other alerts?
>> Are alerts being triggered for these new files?
>>
>> > Many thanks
>> >


Re: [ossec-list] ossec email notification not working

2016-09-05 Thread Daiyue Weng
Hi, since it is a fresh install of ossec, I didn't get any emails. The
notification is turned on as

yes

in ossec.conf

On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>
> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng wrote:
> > Hi, I installed ossec locally on my cloud server, and configured
> > ossec.conf as follows. I tried to detect new additions using
> > yes.
> > 
> >  
> >  yes 
> >  my_e...@example.com  
> >  ns0.bt.net. 
> >  my_e...@example.com  
> > 
> >  
> >   
> >  79200 
> >  yes 
> > 
> >   
> >   check_all="yes">/etc,/usr/bin,/usr/sbin
> >   check_all="yes">/bin,/sbin
> >   check_all="yes">/home/user_name
> >   
> > 
> > The local_rules.xml is like, 
> > 
> >   
> > 
> >  
> >  
> >   5711 
> >   1.1.1.1 
> >   Example of rule that will ignore sshd  
> >   failed logins from IP 1.1.1.1. 
> >  
> > 
> >  
> >   ossec 
> >   syscheck_new_entry 
> >   File added to the system. 
> >   syscheck, 
> >  
> >   
> > 
> > Now, if I added a file in home/user_name, there is no email notification 
> > coming through the SMTP server. I am using smtp.bt.net, using 
> > 
> > dig -t mx smtp.bt.net 
> > 
> > 
> > to get the SMTP server. What are the possible reasons that I am not
> > getting the email?
> > 
>
> Are you getting emails for other alerts? 
> Are alerts being triggered for these new files? 
>
> > Many thanks 
> > 


Re: [ossec-list] ossec email notification not working

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng  wrote:
> Hi, I installed ossec locally on my cloud server, and configured ossec.conf
> as follows. I tried to detect new additions using
> yes.
>
> 
>  yes
>  my_em...@example.com
>  ns0.bt.net.
>  my_em...@example.com
>
> 
>  
>  79200
>  yes
>
>  
>   check_all="yes">/etc,/usr/bin,/usr/sbin
>   check_all="yes">/bin,/sbin
>   check_all="yes">/home/user_name
>  
>
> The local_rules.xml is like,
>
>  
>
> 
> 
>   5711
>   1.1.1.1
>   Example of rule that will ignore sshd 
>   failed logins from IP 1.1.1.1.
> 
>
> 
>   ossec
>   syscheck_new_entry
>   File added to the system.
>   syscheck,
> 
>  
>
> Now, if I added a file in home/user_name, there is no email notification
> coming through the SMTP server. I am using smtp.bt.net, using
>
> dig -t mx smtp.bt.net
>
>
> to get the SMTP server. What are the possible reasons that I am not getting
> the email?
>

Are you getting emails for other alerts?
Are alerts being triggered for these new files?

> Many thanks
>
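Before chasing the SMTP path, it is worth confirming that syscheck produced an alert at all and that its level met the email threshold. The following Python is an added example, not code from the thread or from OSSEC: it parses text in the layout of /var/ossec/logs/alerts/alerts.log (a constructed sample is embedded; host, times and file names are made up) and reports, per syscheck alert, whether it qualified for email under the default email_alert_level of 7.

```python
import re

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log; the host,
# timestamps and file names are made up and not from the thread.
SAMPLE_ALERTS = """\
** Alert 1473082000.100: - syscheck,
2016 Sep 05 12:30:00 cloudhost->syscheck
Rule: 554 (level 0) -> 'File added to the system.'
New file '/home/user_name/notes.txt' added to the file system.

** Alert 1473082060.200: mail  - syscheck,
2016 Sep 05 12:31:00 cloudhost->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/user_name/report.pdf' added to the file system.

** Alert 1473082120.300: - syslog,sshd,authentication_success,
2016 Sep 05 12:32:00 cloudhost->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Sep  5 12:32:00 cloudhost sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
"""

# "** Alert <id>: mail  - <groups>" when OSSEC queued the alert for email, else "** Alert <id>: - <groups>"
HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): (mail\s+)?- (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Split alerts.log text into dicts; blocks that do not match the layout are skipped."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        h = HEADER.match(lines[0]) if lines else None
        r = RULE.match(lines[2]) if len(lines) > 2 else None
        if not (h and r):
            continue
        alerts.append({"id": h.group(1), "mail_flag": bool(h.group(2)),
                       "groups": [g for g in h.group(3).split(",") if g],
                       "rule": int(r.group(1)), "level": int(r.group(2)),
                       "description": r.group(3)})
    return alerts

def email_triage(text, email_alert_level=7):
    """Per syscheck alert, decide whether it met the email threshold.
    OSSEC mails an alert only when level >= email_alert_level (default 7); rule 554
    ships at level 0, so new files are logged but not mailed until a local rule
    raises the level, which is what the override in local_rules.xml is for."""
    report = {"total": 0, "syscheck": 0, "mailable": [], "below_threshold": []}
    for a in parse_alerts(text):
        report["total"] += 1
        if "syscheck" not in a["groups"]:
            continue
        report["syscheck"] += 1
        if a["level"] >= email_alert_level:
            report["mailable"].append(a["id"])
        else:
            report["below_threshold"].append((a["id"], a["rule"], a["level"]))
    return report
```

If every syscheck alert lands in below_threshold, the problem is the rule level, not the mail server; if none appears at all, no scan has run since the file was added.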


[ossec-list] ossec email notification not working

2016-09-05 Thread Daiyue Weng
Hi, I installed ossec locally on my cloud server, and configured ossec.conf as
follows. I tried to detect new additions using
yes.


 yes
 my_em...@example.com
 ns0.bt.net.
 my_em...@example.com
   

 
 79200
 yes

 
 /etc,/usr/bin,/usr/sbin
 /bin,/sbin
 /home/user_name
 

The local_rules.xml is like,

 



  5711
  1.1.1.1
  Example of rule that will ignore sshd 
  failed logins from IP 1.1.1.1.



  ossec
  syscheck_new_entry
  File added to the system.
  syscheck,

 

Now, if I added a file in home/user_name, there is no email notification 
coming through the SMTP server. I am using smtp.bt.net, using

dig -t mx smtp.bt.net


to get the SMTP server. What are the possible reasons that I am not getting
the email?

Many thanks 



Re: [ossec-list] Different branches?

2016-09-05 Thread dan (ddp)
On Mon, Sep 5, 2016 at 8:47 AM, Kat  wrote:
> Hi all,
>
> Trying to figure out the different branches right now and what has been
> integrated and what has not. Right now there seems to be the main branch,
> then there is Dan's - (is that the main branch too?) and then there is
> Wazuh, and of course Atomic.
>

I believe these are forks, not branches.
* github.com/ossec/ossec-hids MASTER is where the new stuff is
  happening. New releases/testing releases are branched/tagged from here.
* github.com/ddpbsd/ossec-hids MASTER should follow the above fairly
  closely. I try not to add anything to this. Everything I work on gets
  its own branch, and I sometimes prune old branches. PRs I submit are
  usually from a branch (if I submit a PR from my MASTER, it's because I
  done did goof).
* Wazuh's fork is for their version of OSSEC. They submit a number of
  things back to the main code. I don't follow this as well as I
  probably should.
* Atomic's fork I think is for the work Scott does on OSSEC. I'm not
  positive whether it's the Atomic Corp code or just the fork he uses
  for working on the mainline code.
* bitbucket.org/dcid/ossec-hids is Daniel Cid's OSSEC code (it feels
  weird calling it a fork). I believe he adds stuff that Sucuri uses. I
  also don't follow this as well as I should.

If you're working on the main OSSEC project, fork ossec/ossec-hids and
work from there. If you prefer Wazuh's OSSEC, use theirs. The
proliferation of OSSEC-based projects using the name OSSEC can make this
quite confusing. There is cooperation between the projects, but it's
limited by time.

> Can someone summarize the different branches and make my brain stop
> contorting please :-)  I want to get all the best parts of all the
> enhancements from all the teams, but I am not quite sure there is one branch
> that incorporates them all? Then again, I could be completely wrong?
>

AFAIK Wazuh is the only company really pushing their OSSEC fork along
quickly, one of the benefits of having employees who are paid to work
on it. Daniel does dumps every once in a while to his version, but I'm
sure he's time limited as well. Sucuri is looking for a C coder to work
on their OSSEC (and probably other projects), but I don't know if this
will translate to more work on the bitbucket repo.

> Kat
>


[ossec-list] Different branches?

2016-09-05 Thread Kat
Hi all,

Trying to figure out the different branches right now and what has been 
integrated and what has not. Right now there seems to be the main branch, 
then there is Dan's - (is that the main branch too?) and then there is 
Wazuh, and of course Atomic. 

Can someone summarize the different branches and make my brain stop 
contorting please :-)  I want to get all the best parts of all the 
enhancements from all the teams, but I am not quite sure there is one 
branch that incorporates them all? Then again, I could be completely wrong? 

Kat



Re: [ossec-list] Multiple agent_id for one active response

2016-09-05 Thread secucatcher

hi
003,004 doesn't work
but each section separately is working


firewall-drop
defined-agent
067
864000
117154,31510,117159,117162



firewall-drop
defined-agent
038
864000
117154,31510,117159,117162



be careful with that case
https://github.com/ossec/ossec-hids/issues/701

if you have a lot of attacks the script can't be fast enough (I have the
case with a Chinese DNS pointing at one of our servers by error)

cheers



On 2016-09-02 15:40, dan (ddp) wrote:
On Fri, Sep 2, 2016 at 7:54 AM, C. L. Martinez wrote:

On Fri  2.Sep'16 at  7:37:24 -0400, dan (ddp) wrote:
On Fri, Sep 2, 2016 at 7:07 AM, C. L. Martinez wrote:

> Hi all,
>
> Is it possible to assign multiple agent_id for one active response only?
> Example:
>
> 
> firewall-drop
> defined-agent
> 003,004
> 7
> 86400
> 2880,4320,5760
>   
>
> Thanks.
>

Have you tried it? I can't remember for sure, but I feel like you 
can't.




Well, I have inserted these lines in ossec.conf's server manager and
restarted it. There is no error in ossec.log. But, how can I test it? If
it doesn't work, could this config be OK?


  
firewall-drop
defined-agent
003
7
86400
2880,4320,5760
  

  
firewall-drop
defined-agent
004
7
86400
2880,4320,5760
  


I believe having multiple  with the same command,
but different agent_ids, should work. The surest way to find out is to
trigger one of those events and make sure the IP is added to the
blocklist.


--
Greetings,
C. L. Martinez

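The workaround the thread converges on, one active-response block per agent instead of a comma-separated agent_id, can be generated mechanically. The Python below is an added example, not the poster's or OSSEC's code; the element names follow OSSEC's active-response configuration, and the embedded fragment is constructed from the values in the question with the XML tags (stripped on this page) restored.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the values are those from the question, with the
# comma-separated <agent_id> form that the thread reports as not working.
SAMPLE_CONF = """\
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003,004</agent_id>
    <level>7</level>
    <timeout>86400</timeout>
    <rules_id>2880,4320,5760</rules_id>
  </active-response>
</ossec_config>
"""

def split_agent_ids(conf_text):
    """Return (new_xml, n_split): each <active-response> whose <agent_id> lists several
    agents is replaced, in place, by one identical block per agent."""
    root = ET.fromstring(conf_text)
    n_split = 0
    for ar in list(root.findall("active-response")):
        agent_el = ar.find("agent_id")
        if agent_el is None or agent_el.text is None:
            continue
        ids = [i.strip() for i in agent_el.text.split(",") if i.strip()]
        if len(ids) < 2:
            continue  # single agent (or "all"/"local"): nothing to do
        idx = list(root).index(ar)
        root.remove(ar)
        for offset, agent in enumerate(ids):
            clone = copy.deepcopy(ar)          # keeps command, level, timeout, rules_id
            clone.find("agent_id").text = agent
            root.insert(idx + offset, clone)
        n_split += 1
    return ET.tostring(root, encoding="unicode"), n_split

def agent_ids_per_block(conf_text):
    """List the <agent_id> of every <active-response>, in document order."""
    root = ET.fromstring(conf_text)
    return [ar.findtext("agent_id") for ar in root.findall("active-response")]
```

The test in the thread still applies afterwards: trigger one of the rules and confirm the offending IP appears in the agent's block list.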