Re: [ossec-list] OSSEC on Raspberry Pi 2

2016-02-09 Thread Jan Andrasko 
Hello Shaharyar,

compiling from source works just fine

Jan

On Sun, Feb 7, 2016 at 6:39 PM, Shaharyar Chaudhry 
wrote:

> Hey, I was wondering how you got the ossec agent to work on rpi, is there
> a guide to this? I am trying to get agent on my rpi2 model to work. Any
> help would be great.
>
> Cheers :)
>
>
> On Thursday, October 15, 2015 at 9:50:38 AM UTC-4, Jedi Meister wrote:
>>
>> So,
>>
>> I rebuild the server with the SAME  tar.gz file and restart it.
>>
>> Now i receive the alerts from the clients.
>>
>> ** Alert 1444916936.103875: - syslog,sshd,authentication_failed,
>> 2015 Oct 15 15:48:56 (hal) 78.46.76.44->/var/log/auth.log
>> Rule: 5716 (level 5) -> 'SSHD authentication failed.'
>> Src IP: 80.87.168.98
>> User: itsolutions
>> Oct 15 15:48:55 hal sshd[21772]: Failed password for foobar from
>> 80.87.168.98 port 55976 ssh2
>>
>>
>> VERY Strange. But anyway, it works now.
>>
>> Thanks for the help!!
>>
>> Am Donnerstag, 15. Oktober 2015 15:44:39 UTC+2 schrieb Jedi Meister:
>>>
>>> Sorry,
>>>
>>> You didn't give us much to go on. Did you create a new key for this
>>> agent?
>>> Yes, new keys were generated on the rasperrby for the agents
>>>
>>>
>>> Did you install it?
>>> I used the install.sh method of the installation tar.gz
>>>
>>>
>>> Did you restart the OSSEC processes after adding the key?
>>> Yes, Restart or ossec and restart of the system
>>>
>>> Are you sure there's no firewall on the OSSEC manager blocking the
>>> traffic?
>>> Correct, Iptables is flushed, the firewall before let the ossec
>>> communication pass (as I receive the data with the same rule on the old
>>> system)
>>>
>>> Are there any logs from the manager's ossec.log file that might hint
>>> at the problem?
>>>
>>> No, there is only the no indication. I included the full log:
>>>
>>> 2015/10/15 15:42:17 ossec-testrule: INFO: Reading local decoder file.
>>> 2015/10/15 15:42:18 ossec-testrule: INFO: Started (pid: 5575).
>>> 2015/10/15 15:42:18 ossec-maild: INFO: Started (pid: 5587).
>>> 2015/10/15 15:42:18 ossec-execd: INFO: Started (pid: 5591).
>>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5603).
>>> 2015/10/15 15:42:18 ossec-remoted: INFO: Started (pid: 5605).
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading local decoder file.
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'rules_config.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'pam_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'sshd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'telnetd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'syslog_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'arpwatch_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'symantec-av_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'symantec-ws_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'pix_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'named_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'smbd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vsftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'pure-ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'proftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ms_ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'ftpd_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'hordeimp_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'roundcube_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'wordpress_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'cimserver_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vpopmail_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'vmpop3d_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'courier_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'web_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'web_appsec_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'apache_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'nginx_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'php_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>> 'mysql_rules.xml'
>>> 2015/10/15 15:42:18 ossec-analysisd: INFO: Reading rules file:
>>>

Re: [ossec-list] Does a single machine scenario use an agent?

2014-10-13 Thread Jan Andrasko 
Hello Derek,

just install ossec in local mode, this should be best for you.

Brgds
Jan

On Mon, Oct 13, 2014 at 3:06 PM, de...@scratters.com wrote:

 I'm exploring the use of OSSEC and I've got a question the docs I've read
 aren't yet answering. I think it's going to be quicker to just ask...

 I have a single Linux box which runs in the DMZ. It has a few services,
 with Apache and Squid being the main ones. I want to put OSSEC on it
 primarily in a log monitoring role. The thing that just won't click from
 reading the docs and presentations so far is whether a single machine
 scenario uses an agent or not.

 There appear to be these possibilities:

 * the manager and agent run together and the agent talks to its local
 manager using localhost based communications;
 * the manager sort of runs the agent's processes itself, and hence there
 is no communications between the two pieces;
 * something else. :)

 I know the answer is in there somewhere, but I've been wading though docs
 for 3 hours now and I've probably missed it. Can someone point me at the
 answer?

 --

 ---
 You received this message because you are subscribed to the Google Groups
 ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-07 Thread Jan Andrasko 
Michael,

if you remove if_sid, will it match anything? I am trying now to play
with it a bit and it doesn't match. I created vulnerable cgi script. All
40x attempts are matched by 31101.

**Phase 1: Completed pre-decoding.
   full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
   hostname: 'Ossec1'
   program_name: '(null)'
   log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '111.111.111.111'
   url: '/cgi-bin/test.cgi'
   id: '404'

**Rule debugging:
Trying rule: 4 - Generic template for all web rules.
   *Rule 4 matched.
   *Trying child rules.
Trying rule: 31100 - Access log messages grouped.
   *Rule 31100 matched.
   *Trying child rules.
Trying rule: 31108 - Ignored URLs (simple queries).
Trying rule: 31115 - URL too long. Higher than allowed on most
browsers. Possible attack.
Trying rule: 31103 - SQL injection attempt.
Trying rule: 31104 - Common web attack.
Trying rule: 31105 - XSS (Cross Site Scripting) attempt.
Trying rule: 31110 - PHP CGI-bin vulnerability attempt.
Trying rule: 31109 - MSSQL Injection attempt (/ur.php, urchin.js)
Trying rule: 31164 - SQL injection attempt.
Trying rule: 31165 - SQL injection attempt.
Trying rule: 31501 - WordPress Comment Spam (coming from a fake search
engine UA).
Trying rule: 31502 - TimThumb vulnerability exploit attempt.
Trying rule: 31503 - osCommerce login.php bypass attempt.
Trying rule: 31504 - osCommerce file manager login.php bypass attempt.
Trying rule: 31505 - TimThumb backdoor access attempt.
Trying rule: 31506 - Cart.php directory transversal attempt.
Trying rule: 31507 - MSSQL Injection attempt (ur.php, urchin.js).
Trying rule: 31508 - Blacklisted user agent (known malicious user
agent).
Trying rule: 31511 - Blacklisted user agent (wget).
Trying rule: 31512 - Uploadify vulnerability exploit attempt.
Trying rule: 31513 - BBS delete.php exploit attempt.
Trying rule: 31514 - Simple shell.php command execution.
Trying rule: 31515 - PHPMyAdmin scans (looking for setup.php).
Trying rule: 31516 - Suspicious URL access.
Trying rule: 31550 - Anomaly URL query (attempting to pass null
termination).
Trying rule: 31101 - Web server 400 error code.
   *Rule 31101 matched.
   *Trying child rules.
Trying rule: 31102 - Ignored extensions on 400 error codes.
Trying rule: 31140 - Ignoring google/msn/yahoo bots.
Trying rule: 31141 - Ignored 499's on nginx.
Trying rule: 31151 - Multiple web server 400 error codes from same
source ip.

**Phase 3: Completed filtering (rules).
   Rule id: '31101'
   Level: '5'
   Description: 'Web server 400 error code.'
**Alert to be generated.


There is even bigger issue. When status code is 200, rule 31108 matches and
attack is ignored

**Phase 1: Completed pre-decoding.
   full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
   hostname: 'Ossec1'
   program_name: '(null)'
   log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '111.111.111.111'
   url: '/cgi-bin/test.cgi'
   id: '200'

**Rule debugging:
Trying rule: 4 - Generic template for all web rules.
   *Rule 4 matched.
   *Trying child rules.
Trying rule: 31100 - Access log messages grouped.
   *Rule 31100 matched.
   *Trying child rules.
Trying rule: 31108 - Ignored URLs (simple queries).
   *Rule 31108 matched.
   *Trying child rules.
Trying rule: 31509 - CMS (WordPress or Joomla) login attempt.

**Phase 3: Completed filtering (rules).
   Rule id: '31108'
   Level: '0'
   Description: 'Ignored URLs (simple queries).'


Jan

On Mon, Oct 6, 2014 at 5:52 PM, Michael Starks ossec-l...@michaelstarks.com
 wrote:

 On 2014-10-04 5:30, Jan Andrasko wrote:

 Hello Michael,

  Thanks for sharing this. Any specific reason for the '.+' after the

 '()'?

 You are right, '.*' is better. Thanks for pointing this out.

  Also, the ':' before ';' is not part of the exploit, so you may want

 to remove that.

 You are right again, there can be anything before ';'.


 I think there is a bug in either the OSSEC code or documentation, as I was
 getting some false-positives for this. The issue seems to be with the ()
 characters, which, in my experience, need

Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-04 Thread Jan Andrasko 
Hello Michael,

 Thanks for sharing this. Any specific reason for the '\.+' after the '()'?

You are right, '\.*' is better. Thanks for pointing this out.

 Also, the ':' before ';' is not part of the exploit, so you may want to
remove that.

You are right again, there can be anything before ';'.


Rob,

issue with your rule was that this string is not part of url. It is usually
in place of user agent, which is not decoded by Ossec. Therefore you need
to regex whole log message.

Brgds
Jan

On Sat, Oct 4, 2014 at 12:48 AM, Michael Starks 
ossec-l...@michaelstarks.com wrote:

 On 2014-10-03 9:12, Jan Andrasko wrote:

  rule id=120003 level=13
 if_sid31100/if_sid
 regex()\.+{\.+:;};/regex
 descriptionShellshock Attempt/description
 groupattack,/group
   /rule


 Thanks for sharing this. Any specific reason for the '\.+' after the '()'?
 I'm not sure you'll always see something there. Also, the ':' before ';' is
 not part of the exploit, so you may want to remove that. I am testing this
 version:

 rule id=100085 level=13
   if_sid31100/if_sid
   regex()\.*{\.*;};/regex
   descriptionShellshock Exploit Attempt/description
   groupattack,/group
 /rule

 As it were, this is a very unique string so I bet something like this
 would even work without too many false-positives:

 rule id=100085 level=13
   if_sid31100/if_sid
   regex()\.*{/regex
   descriptionShellshock Exploit Attempt/description
   groupattack,/group
 /rule

 This version should account for some URL encoding:

 rule id=100085 level=13
   if_sid31100/if_sid
   regex()\.*{|%28%29+%7B|%28%29%7B/regex
   descriptionShellshock Exploit Attempt/description
   groupattack,/group
 /rule


 --

 --- You received this message because you are subscribed to the Google
 Groups ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-03 Thread Jan Andrasko 
Hello Rob,

this works for us:

rule id=120003 level=13
if_sid31100/if_sid
regex()\.+{\.+:;};/regex
descriptionShellshock Attempt/description
groupattack,/group
  /rule


Brgds

Jan




On Thu, Oct 2, 2014 at 3:08 PM, Robert Moerman rjmfphotogra...@gmail.com
wrote:

 Hello,

 I've been trying to write a rule to detect CGI-based shellshock attacks
 via the apache log parser, but I find the signature doesn't fire (even when
 I see the string in the apache logs):


 *Detect () { :; }; in url string*

 rule id=12 level=13
 if_sid31100/if_sid
 url() { :; };/url
 descriptionShellshock Attempt/description
 groupattack,/group
   /rule

 *Detect () { :; }; transposed in url string*

 rule id=13 level=13
 if_sid31100/if_sid
 url()%20%7B%20:;%20%7D;/url
 descriptionShellshock Attempt/description
 groupattack,/group
   /rule

 Has anyone done this successfully?


 Thanks - Rob

 --

 ---
 You received this message because you are subscribed to the Google Groups
 ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] rule test succeeds but fails to alert

2014-09-03 Thread Jan Andrasko 
velvin, can you try to run ossec-logtest more verbose with command
ossec-logtest -v  and paste the results here? I had similar issues with
ossec-logtest giving different results than ossec-analysisd in the past.

Jan




On Fri, Aug 29, 2014 at 8:44 PM, dan (ddp) ddp...@gmail.com wrote:

 On Fri, Aug 29, 2014 at 12:16 PM, velvin vel...@gmail.com wrote:
  Regardless of the rule ID it triggers, the issue I'm seeing is that while
  manually testing the rule using the ossec-logtest tells me alert to be
  generated but in actual testing (causing the event ID from a host with
  agent running) no alerts or log entry is generated (except rule ID
 1002). I
  know the workstation is sending the correct log since I see rule ID 1002
  generate the alert but the windows msauth rules are not hit. I am stuck
  here
 

 Make sure the OSSEC processes restart after you make changes.
 Other than that, I cannot reproduce this issue, so I have no clue.

  --
 
  ---
  You received this message because you are subscribed to the Google Groups
  ossec-list group.
  To unsubscribe from this group and stop receiving emails from it, send an
  email to ossec-list+unsubscr...@googlegroups.com.
  For more options, visit https://groups.google.com/d/optout.

 --

 ---
 You received this message because you are subscribed to the Google Groups
 ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: wget download forbidden

2014-09-03 Thread Jan Andrasko 
Hello Joe,

for me too, however all howtos and installation manuals don't contain
information that you have to use -U option in wget. Could be misleading for
newbies.

Jan


On Wed, Aug 27, 2014 at 1:12 AM, Joe Evango joe.eva...@gmail.com wrote:

 Hello,

 This works for me:

 wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.tar.gz


 On Tuesday, July 29, 2014 6:30:38 AM UTC-7, Jan Andrasko wrote:

 Hi guys,

 today, when trying to download ossec from your website, I was constatnly
 getting 403 error:

 wget http://www.ossec.net/files/ossec-hids-2.8.tar.gz
 --2014-07-29 15:16:21--  http://www.ossec.net/files/ossec-hids-2.8.tar.gz
 Resolving www.ossec.net (www.ossec.net)... 150.70.191.237
 Connecting to www.ossec.net (www.ossec.net)|150.70.191.237|:80...
 connected.
 HTTP request sent, awaiting response... 403 Forbidden
 2014-07-29 15:16:21 ERROR 403: Forbidden.

 After spoofing Mozilla Firefox user agent, file was downloaded correctly.
 Is there any special reason for blocking wget downloads?

 Thanks
 Jan

  --

 ---
 You received this message because you are subscribed to the Google Groups
 ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] wget download forbidden

2014-07-29 Thread Jan Andrasko 
Hi guys,

today, when trying to download ossec from your website, I was constatnly
getting 403 error:

wget http://www.ossec.net/files/ossec-hids-2.8.tar.gz
--2014-07-29 15:16:21--  http://www.ossec.net/files/ossec-hids-2.8.tar.gz
Resolving www.ossec.net (www.ossec.net)... 150.70.191.237
Connecting to www.ossec.net (www.ossec.net)|150.70.191.237|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-07-29 15:16:21 ERROR 403: Forbidden.

After spoofing Mozilla Firefox user agent, file was downloaded correctly.
Is there any special reason for blocking wget downloads?

Thanks
Jan

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Setting email

2014-04-16 Thread Jan Andrasko 
Hello Evan,

rule 1002 matches every log which contains these words:

var name=BAD_WORDScore_dumped|failure|error|attack|bad |illegal
|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted/var

and is by default configured to aler by email

  rule id=1002 level=2
match$BAD_WORDS/match
options*alert_by_email*/options
descriptionUnknown problem somewhere in the system./description
  /rule

You can create new local rule to override this for either only iptables or
all events with ID 1002

Jan



On Fri, Apr 11, 2014 at 4:23 PM, Evan evster...@gmail.com wrote:

 All of them are like this one:

 OSSEC HIDS Notification.
 2014 Apr 11 00:48:55

 Received From: my_host_name-/var/log/syslog
 Rule: 1002 fired (level 2) - Unknown problem somewhere in the system.
 Portion of the log(s):

 Apr 11 00:48:47 my_host_name kernel: iptables denied: IN=eth0 OUT=
 MAC=ff:3c:91:70:34:ec:84:38:af:0d:97:c1:09:11 SRC=xx.xx.xx.xx
 DST=xx.xx.xx.xx LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=57740 PROTO=UDP SPT=455
 DPT=123 LEN=56

 (I replaced both IPs with x's)


 On Thursday, April 10, 2014 9:16:13 PM UTC-5, nicolaszin wrote:

 Which alerts is it?

 does the alert has a “alert_by_email” by any chance?




 On Thu, Apr 10, 2014 at 9:03 PM, Evan evst...@gmail.com wrote:

 Today I installed OSSEC on my server and I have these settings:

   global
 email_notificationyes/email_notification
 email_tomy-email...@gmail.com/email_to

 smtp_serverlocalhost/smtp_server
 email_fromossecm@scaver/email_from
   /global

   email_alerts
 email_tomy-email...@gmail.com/email_to

 level7/level
   /email_alerts

 Near the end of the file I have these lines as well:

   alerts
 log_alert_level1/log_alert_level
 email_alert_level8/email_alert_level
   /alerts

 But with these settings I get an email from OSSEC every 5 seconds and
 it's a Level 2 alert.  What do I need to configure so that I only get an
 email for level 7 and above?

 Thanks,
 Evan

 --

 ---
 You received this message because you are subscribed to the Google
 Groups ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send
 an email to ossec-list+...@googlegroups.com.

 For more options, visit https://groups.google.com/d/optout.


  --

 ---
 You received this message because you are subscribed to the Google Groups
 ossec-list group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ossec-list+unsubscr...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.