Re: [ossec-list] Re: OSSEC e-book download
I'm investigating this problem with Syngress (publisher) but I'm hoping a person in our OSSEC group experienced the same problem and knows where to get an electronic copy of the book to complement the hard copy I use to troubleshoot/manage my OSSEC HIDS deployment. When I attain a legitimate copy of the free e-Book from the publisher (or whomever the publisher designated to distribute e-Books to those who've purchased a hard copy), I will post a link here. I've read that you have to enter a unique code found in the book to acquire your soft copy, so there are no copyright infringements in getting an e-Book as an owner of a hard copy. This is just an offer that comes with the OSSEC HIDS book as stated on the cover. Thanks.
Re: [ossec-list] Re: OSSEC e-book download
Hello. I recently purchased a hard copy of the OSSEC HIDS Host-Based Intrusion Detection Guide for around $50 and was directed to http://www.syngress.com/solutions to download my free e-book of the material. At this web page (http://www.syngress.com/solutions) the publisher says this service was having problems and is no longer available. Where can I get a copy of my Free e-Book now? Respectfully, A.D.

On Friday, August 22, 2008 3:33:55 PM UTC-4, Jeannine Bos wrote:

Thank you. I really appreciate that. I'll be interested to hear their response. Jeannine

Andrew Hay wrote:

Hey All, I've escalated this to our publisher (Syngress/Elsevier) to figure out what is going on.

On Fri, Aug 22, 2008 at 12:47 PM, Jeannine Bos jeannine@doit.wisc.edu wrote:

Yeah, I had similar success with that. Syngress has yet to respond to my emails concerning the free e-book. I would be happy to buy it, just not at $31.50 a chapter. Thank you for the suggestion. Jeannine

Jon Wright wrote:

The hardcopy I have suggests that you can get a free download of the ebook when you purchase it, but I was unable to get the serial number check to succeed. Email to the support address returned no results. Check inside the front cover to see if yours has this information. Maybe you'll have better luck than I did. Jon

On Fri, Aug 22, 2008 at 09:50:55AM -0500, Jeannine Bos wrote:

Does anyone know where I can purchase an e-book copy of the OSSEC HIDS Host-Based Intrusion Detection Guide? The e-book used to be available from Syngress but they seem to have moved their book sales to ElsevierDirect.com. That site claims to have the e-book format but according to their customer support it is at a cost of $31.50 per article. Their customer support staff suggested that it wouldn't be cost effective to purchase it and I should consider just purchasing the hardcopy. I actually have a copy of the book but e-books are so much easier to search. However, I want to make sure I am purchasing it from an official source. Thank you for any help. Jeannine

--
Andrew Hay
Security+, CCSE Plus, RHCE, GSEC, GCIA, GCIH, CISSP
blog: http://www.andrewhay.ca
email: andrewsm...@gmail.com
twitter/skype: andrewsmhay
profile: http://www.linkedin.com/in/andrewhay
Author: OSSEC Host-Based Intrusion Detection Guide http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/159749240X
Author: Nokia Firewall, VPN, and IPSO Configuration Guide http://www.amazon.com/Nokia-Firewall-IPSO-Configuration-Guide/dp/1597492868
Author: Nagios 3 Enterprise Network Monitoring http://www.amazon.com/Nagios-Enterprise-Network-Monitoring-Including/dp/1597492671
[ossec-list] Deciding the Level to Set Log Alerts
I would like to determine the level to set Log Alerts in my OSSEC installation. How was each event assigned a severity level? How have you all decided the level to set your log alerts? I am concerned about logging too many events but missing legitimate security events. Your opinions will help. Thank you.
Re: [ossec-list] Can OSSEC enforce Windows Group Policy?
Thank you for this information, Dan and Michael.

On Thursday, May 17, 2012 9:06:26 PM UTC-4, Michael Starks wrote:

On 05/17/2012 11:04 AM, A-Dubbs wrote:

Can OSSEC enforce Windows Group Policy settings from being changed in Windows Server 2008 R2? I made changes to Windows basic audit policy and upon reboot, the settings are back to what they were before I modified them. OSSEC is installed on this system and I'd like to know if OSSEC HIDS can prevent Windows Group Policy settings from being altered.

Sorry, no.
[ossec-list] Can OSSEC enforce Windows Group Policy?
Can OSSEC enforce Windows Group Policy settings from being changed in Windows Server 2008 R2? I made changes to Windows basic audit policy and upon reboot, the settings are back to what they were before I modified them. OSSEC is installed on this system and I'd like to know if OSSEC HIDS can prevent Windows Group Policy settings from being altered.
[ossec-list] Re: Can OSSEC enforce Windows Group Policy?
By default do you mean default settings, or that OSSEC will not perform this function the way it comes programmed?

On May 17, 12:28 pm, dan (ddp) ddp...@gmail.com wrote:

Not out of the box. You might be able to set something up, but by default there is nothing in OSSEC that will do this.

On Thu, May 17, 2012 at 12:04 PM, A-Dubbs arlendelcasti...@gmail.com wrote:

Can OSSEC enforce Windows Group Policy settings from being changed in Windows Server 2008 R2? I made changes to Windows basic audit policy and upon reboot, the settings are back to what they were before I modified them. OSSEC is installed on this system and I'd like to know if OSSEC HIDS can prevent Windows Group Policy settings from being altered.
[ossec-list] Re: msauth_rules.xml file, is this for Microsoft Windows rules?
In which file would I create the level 0 rules you prescribe, which wouldn't trigger alerts and wouldn't log anything in alerts.log? In Dan (ddp)'s first reply in this thread, he advised me (I'm brand new to OSSEC but really trying here!!!) not to modify the msauth_rules.xml file. I pretty much understand why after he explained why I shouldn't, but I don't see any other place but the msauth_rules.xml file to lower the level on some of these low-to-mid level alerts in the file so they won't trigger alerts in the alerts.log file. For example, when a Windows workstation's system account logs onto the domain controller (WINDOWS_LOGIN_SUCCESS), or a user logs on (AUDIT_SUCCESS), I don't think I should see OSSEC triggering an alert on my system.

On May 3, 8:09 am, Florian Crouzat gen...@floriancrouzat.net wrote:

On 02/05/2012 20:10, A-Dubbs wrote:

Will it at least significantly reduce the amount of alerts in the alerts.log file? I just want to verify I am modifying the correct settings for reducing alerts.

It will, yes, except for ... exceptions ;) If you don't have enough disk space to store the alerts.log history, you can just delete the files. Basically, you are storing them twice already: /var/ossec/logs/archives vs. /var/ossec/logs/alerts. You want to store raw received logs (archives). Alerts logs are just decoded archives and at least five times bigger (multi-line for a single raw log line). In case you need to understand how a certain received log line has been treated, you still can re-decode it from archives.log using ossec-logtest, but certainly, you never will. Finally, to reduce the alerts.log file, if you are using OSSEC just to centralize and store certain logs, create as many level 0 rules as possible for these logs; they still will be stored, but never decoded: they won't trigger alerts and won't be logged in alerts.log. Hope it helps.

--
Cheers,
Florian Crouzat
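The level 0 rules Florian describes go in /var/ossec/rules/local_rules.xml, the file Dan pointed at earlier in the thread. The fragment below is an added example, not code from the thread or from the OSSEC project. It assumes that stock rule 18107 is the "Windows Logon Success" rule and 18105 the "Windows audit success event" rule in msauth_rules.xml (verify the IDs against your own copy), it uses custom IDs from the 100000-119999 range reserved for local rules, and "Administrator" is a constructed sample account name.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread or
     the OSSEC project). Child rules override the stock rules by rule ID, so
     msauth_rules.xml stays untouched and survives an upgrade. -->
<group name="local,windows,">

  <!-- Assumption: stock rule 18107 is "Windows Logon Success".
       A matching level 0 child rule wins over its parent, so nothing is
       written to alerts.log and no email is sent. The raw event still lands
       in archives.log when logall is enabled in ossec.conf. -->
  <rule id="100001" level="0">
    <if_sid>18107</if_sid>
    <description>Windows logon success from ordinary accounts: expected noise.</description>
  </rule>

  <!-- Do not lose the events that matter: re-raise the level for a
       privileged account. user is matched against the user field the
       windows decoder extracts; "Administrator" is a constructed sample.
       alert_by_email forces an email even below email_alert_level. -->
  <rule id="100002" level="8">
    <if_sid>100001</if_sid>
    <user>Administrator</user>
    <options>alert_by_email</options>
    <description>Windows logon success for a privileged account.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Same idea for the broad audit-success parent (assumption: stock rule
       18105 is "Windows audit success event"). local_rules.xml is loaded
       after the stock rules, so this catches only audit-success events that
       no stock child rule such as 18107 already claimed. -->
  <rule id="100003" level="0">
    <if_sid>18105</if_sid>
    <description>Generic Windows audit-success event: stored, not alerted.</description>
  </rule>

</group>
```

Before restarting, paste a WinEvtLog line from archives.log into /var/ossec/bin/ossec-logtest and confirm that it now reports rule 100001 (or 100002 for the privileged account) rather than the stock rule; then apply with /var/ossec/bin/ossec-control restart.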
[ossec-list] Re: msauth_rules.xml file, is this for Microsoft Windows rules?
Will increasing the log alert level from 1 to 7 in the /var/ossec/etc/ossec.conf file reduce the number of level 7 alerts to zero?

On Apr 30, 2:56 pm, dan (ddp) ddp...@gmail.com wrote:

Modifying the default rules directly isn't encouraged. Your changes will be overwritten on an upgrade. You should add custom rules to /var/ossec/rules/local_rules.xml. You can create custom rules to look for new things the default rules don't cover, or to ignore rules that are already in place.

On Mon, Apr 30, 2012 at 2:42 PM, A-Dubbs arlendelcasti...@gmail.com wrote:

I'm looking for the rules file for adjusting what gets logged for Microsoft Windows systems. Is msauth_rules.xml the correct file?
[ossec-list] Re: msauth_rules.xml file, is this for Microsoft Windows rules?
Will it at least significantly reduce the amount of alerts in the alerts.log file? I just want to verify I am modifying the correct settings for reducing alerts.

On May 2, 1:38 pm, dan (ddp) ddp...@gmail.com wrote:

Probably not. Some rules, like 1002, always send email.

On May 2, 2012 1:37 PM, A-Dubbs arlendelcasti...@gmail.com wrote:

Will increasing the log alert level from 1 to 7 in the /var/ossec/etc/ossec.conf file reduce the number of level 7 alerts to zero?

On Apr 30, 2:56 pm, dan (ddp) ddp...@gmail.com wrote:

Modifying the default rules directly isn't encouraged. Your changes will be overwritten on an upgrade. You should add custom rules to /var/ossec/rules/local_rules.xml. You can create custom rules to look for new things the default rules don't cover, or to ignore rules that are already in place.

On Mon, Apr 30, 2012 at 2:42 PM, A-Dubbs arlendelcasti...@gmail.com wrote:

I'm looking for the rules file for adjusting what gets logged for Microsoft Windows systems. Is msauth_rules.xml the correct file?
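The two thresholds this exchange turns on live in the alerts section of ossec.conf, and they gate output rather than rule matching, which is why raising the log level does not make level 7 events disappear. The fragment below is an added example, not configuration from the thread or from the OSSEC project; the email addresses and SMTP host are placeholders.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment; added example, not from the thread
     or the OSSEC project). Addresses and host below are placeholders. -->
<ossec_config>
  <alerts>
    <!-- Minimum rule level written to /var/ossec/logs/alerts/alerts.log.
         Raising this from 1 to 7 stops levels 1 to 6 from being written
         there, but every rule still fires, so level 7 alerts are unchanged:
         the rule that matched decides the level, this setting only filters. -->
    <log_alert_level>7</log_alert_level>

    <!-- Minimum rule level that triggers an email. Rules carrying
         options alert_by_email, such as stock rule 1002 mentioned by Dan,
         email regardless of this threshold. -->
    <email_alert_level>10</email_alert_level>
  </alerts>

  <global>
    <!-- Keep every raw received line in /var/ossec/logs/archives so that
         events silenced by level 0 rules are still retained and can be
         re-decoded later with ossec-logtest. -->
    <logall>yes</logall>

    <email_notification>yes</email_notification>
    <email_to>ossec-admin@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>
```

To silence a specific noisy rule rather than a whole severity band, the right place is a level 0 child rule in /var/ossec/rules/local_rules.xml, as Dan describes; the thresholds above are blunt instruments that hide everything below the chosen level, including the legitimate events among them.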
[ossec-list] Where the OSSEC configurations are...
Just learning OSSEC here, using the documentation on ossec.net to troubleshoot some problems. I am receiving excessive HIDS notifications in a log for a Windows machine (an agent) in my OSSEC environment. When looking at the security log, it seems that too many events are being added to the queue, mostly system activity, in the security log of the Windows machine. Which files should I look at to start adjusting the configuration for what I want to ignore and what I would like to include in the alerts.log file? I looked at ossec.conf and now I just don't see a file where I can modify alerts going into the alerts.log file. Thank you.
[ossec-list] msauth_rules.xml file, is this for Microsoft Windows rules?
I'm looking for the rules file for adjusting what gets logged for Microsoft Windows systems. Is msauth_rules.xml the correct file?