[ossec-list] am i doing this wrong

2012-10-02 Thread Tom Hangstin
So I have an OSSEC server up and a few agents out there, but when I scan an 
agent system with Nessus or nmap I don't get any emails or even a blip on 
the server. I'm using 2.7 b1 and OSWUI. Am I doing something wrong?


Re: [ossec-list] am i doing this wrong

2012-10-02 Thread dan (ddp)
On Tue, Oct 2, 2012 at 10:38 AM, Tom Hangstin  wrote:
> So I have an OSSEC server up and a few agents out there, but when I scan an
> agent system with Nessus or nmap I don't get any emails or even a blip on the
> server. I'm using 2.7 b1 and OSWUI. Am I doing something wrong?

Maybe; you don't really give us enough information to know. What kinds
of logs are you seeing that should be triggering alerts? Provide
samples; maybe we can help you make that happen.


Re: [ossec-list] am i doing this wrong

2012-10-02 Thread Tom Hangstin
Well, the agents are on Windows 7 machines, which I think just monitor the
Windows event log, and like I said nothing gets reported to the server. Does
OSSEC not detect scans?

On Tue, Oct 2, 2012 at 9:43 AM, dan (ddp)  wrote:

> On Tue, Oct 2, 2012 at 10:38 AM, Tom Hangstin 
> wrote:
> > So I have an OSSEC server up and a few agents out there, but when I scan an
> > agent system with Nessus or nmap I don't get any emails or even a blip on
> > the server. I'm using 2.7 b1 and OSWUI. Am I doing something wrong?
>
> Maybe; you don't really give us enough information to know. What kinds
> of logs are you seeing that should be triggering alerts? Provide
> samples; maybe we can help you make that happen.
>


Re: [ossec-list] am i doing this wrong

2012-10-02 Thread dan (ddp)
On Tue, Oct 2, 2012 at 11:00 AM, Tom Hangstin  wrote:
> Well, the agents are on Windows 7 machines, which I think just monitor the
> Windows event log, and like I said nothing gets reported to the server. Does
> OSSEC not detect scans?
>

I think you're asking the wrong question. You should be asking yourself
"What logs were created by the scan that should be causing alerts?"
OSSEC looks at the logs created by the system and its applications;
what log entries do you think should have alerted you?

Also, "scan" is such a generic term. By itself it's basically useless.

>
> On Tue, Oct 2, 2012 at 9:43 AM, dan (ddp)  wrote:
>>
>> On Tue, Oct 2, 2012 at 10:38 AM, Tom Hangstin 
>> wrote:
>> > So I have an OSSEC server up and a few agents out there, but when I scan
>> > an agent system with Nessus or nmap I don't get any emails or even a blip
>> > on the server. I'm using 2.7 b1 and OSWUI. Am I doing something wrong?
>>
>> Maybe; you don't really give us enough information to know. What kinds
>> of logs are you seeing that should be triggering alerts? Provide
>> samples; maybe we can help you make that happen.
>
>


Re: [ossec-list] am i doing this wrong

2012-10-02 Thread Kat
Scanning does not necessarily provide a "blip". Do you have any kind of 
tool logging scans, or are you doing something beyond an nmap scan, such as 
brute-force login attempts? Something has to create a log entry for OSSEC to 
see. Based on what you are saying: is there any kind of entry in any of 
the event logs showing that a scan was happening? OSSEC would see that.


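Kat's point (and dan's "what logs were created by the scan?") is the whole story: a log-based HIDS can only correlate entries that something on the host actually wrote. The following added example is not OSSEC code and not from the list; it is a small Python stand-in for a frequency/timeframe correlation rule, run over constructed Windows Firewall `pfirewall.log` lines (the column layout assumed here follows the `#Fields:` header Windows writes once dropped-packet logging is enabled; the sample entries and addresses are made up). With the log empty, which is what a default Windows 7 agent gives you, there is nothing to alert on; with drop logging turned on, the same nmap sweep becomes a correlatable pattern.

```python
"""Log-based detection of a port sweep: no log entry, no alert.

Added illustration, not OSSEC's own rules or decoders. It mimics the
frequency/timeframe idea of a HIDS correlation rule in plain Python over
constructed pfirewall.log-style lines.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Column names from the "#Fields:" header that Windows Firewall writes
# (assumed layout; used only if a log has no header of its own).
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
                  "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample: what the firewall log looks like with "log dropped
# packets" enabled while 192.0.2.10 sweeps a dozen ports on 192.0.2.55,
# followed by two unrelated drops from 198.51.100.7 on a single port.
SAMPLE_PFIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-10-02 10:30:01 DROP TCP 192.0.2.10 192.0.2.55 44121 21 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:02 DROP TCP 192.0.2.10 192.0.2.55 44122 22 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:03 DROP TCP 192.0.2.10 192.0.2.55 44123 23 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:04 DROP TCP 192.0.2.10 192.0.2.55 44124 25 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:05 DROP TCP 192.0.2.10 192.0.2.55 44125 80 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:06 DROP TCP 192.0.2.10 192.0.2.55 44126 110 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:07 DROP TCP 192.0.2.10 192.0.2.55 44127 135 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:08 DROP TCP 192.0.2.10 192.0.2.55 44128 139 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:09 DROP TCP 192.0.2.10 192.0.2.55 44129 443 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:10 DROP TCP 192.0.2.10 192.0.2.55 44130 445 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:11 DROP TCP 192.0.2.10 192.0.2.55 44131 3389 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:30:12 DROP TCP 192.0.2.10 192.0.2.55 44132 8080 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:31:00 DROP TCP 198.51.100.7 192.0.2.55 50211 445 52 S 1 0 65535 - - - RECEIVE
2012-10-02 10:31:05 DROP TCP 198.51.100.7 192.0.2.55 50212 445 52 S 1 0 65535 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Turn pfirewall.log text into a list of event dicts.

    '#' lines are header/comment lines; a '#Fields:' line names the columns.
    Lines whose column count does not match the header are skipped, not guessed.
    """
    fields = list(DEFAULT_FIELDS)
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        ev = dict(zip(fields, parts))
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def detect_port_sweeps(events, threshold=10, window_seconds=60):
    """Alert when one source IP is dropped on >= threshold distinct destination
    ports within window_seconds (the frequency/timeframe pattern). At most one
    alert per source per window, so a long sweep does not spam."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src-ip -> deque of (timestamp, dst-port)
    last_alert = {}               # src-ip -> timestamp of last alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "DROP" or ev["path"] != "RECEIVE":
            continue
        src = ev["src-ip"]
        q = recent[src]
        q.append((ev["ts"], ev["dst-port"]))
        while q and ev["ts"] - q[0][0] > window:   # expire entries outside the window
            q.popleft()
        distinct_ports = {port for _, port in q}
        prev = last_alert.get(src)
        if len(distinct_ports) >= threshold and (prev is None or ev["ts"] - prev > window):
            last_alert[src] = ev["ts"]
            alerts.append({"src_ip": src, "distinct_ports": len(distinct_ports),
                           "first_seen": q[0][0], "last_seen": ev["ts"]})
    return alerts


def scan_alerts(log_text=SAMPLE_PFIREWALL_LOG):
    """Convenience wrapper: parse a log and run the sweep rule over it."""
    return detect_port_sweeps(parse_pfirewall(log_text))


if __name__ == "__main__":
    print("drop logging off:", scan_alerts(""))        # nothing logged, nothing to alert on
    for alert in scan_alerts():                         # drop logging on: the sweep is visible
        print("port sweep from %(src_ip)s: %(distinct_ports)d ports between "
              "%(first_seen)s and %(last_seen)s" % alert)
```

The `scan_alerts("")` call is the situation from the original question: an agent that only ships the event log, with no firewall logging, hands the server nothing, so no rule can fire regardless of how loud Nessus is. The real fix on the Windows side is to make the host write something (firewall drop logging, audit policy for logon failures), then point the agent's `<localfile>` at it.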

Re: [ossec-list] am i doing this wrong

2012-10-02 Thread Tom Hangstin
OK, my bad. I assumed a full scan from Nessus would give off some red flags
because it's so loud, and I'm switching from Snort (which would alert to
things like Nessus scans) to OSSEC. Thanks for helping me see the light.

On Tue, Oct 2, 2012 at 10:07 AM, Kat  wrote:

> Scanning does not necessarily provide a "blip". Do you have any kind of
> tool logging scans, or are you doing something beyond an nmap scan, such as
> brute-force login attempts? Something has to create a log entry for OSSEC to
> see. Based on what you are saying: is there any kind of entry in any of
> the event logs showing that a scan was happening? OSSEC would see that.


Re: [ossec-list] am i doing this wrong

2012-10-02 Thread dan (ddp)
On Tue, Oct 2, 2012 at 11:14 AM, Tom Hangstin  wrote:
> OK, my bad. I assumed a full scan from Nessus would give off some red flags
> because it's so loud, and I'm switching from Snort (which would alert to things
> like Nessus scans) to OSSEC. Thanks for helping me see the light.
>

You don't have to assume, you have access to your logs. It's entirely
possible there's something there that we should alert on, but don't
(currently).

Also, snort provides very different capabilities than OSSEC. They're
used for different things, so this isn't surprising at all.

>
> On Tue, Oct 2, 2012 at 10:07 AM, Kat  wrote:
>>
>> Scanning does not necessarily provide a "blip". Do you have any kind of
>> tool logging scans, or are you doing something beyond an nmap scan, such as
>> brute-force login attempts? Something has to create a log entry for OSSEC to
>> see. Based on what you are saying: is there any kind of entry in any of
>> the event logs showing that a scan was happening? OSSEC would see that.