Hi Denis,
This level "100" alert is a bug that I just fixed at:
http://www.ossec.net/files/snapshots/ossec-hids-071206.tar.gz
Try updating to this version and it should work.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 30, 2007 1:12 PM, Denis Shaposhnikov <[EMAIL PROTECTED]> wrote:

Hi Will,
Can you provide a few more details? A few examples? You meant that instead
of the IP address you can have the hostname in the logs? If that's the case, we
should fix the decoder for that...
Btw, we have PIX information at:
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_exa

Hi Welkson,
Can you try upgrading to ossec v1.4? We fixed that a while back...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Nov 28, 2007 8:07 AM, Welkson Renny de Medeiros
<[EMAIL PROTECTED]> wrote:
>
> Other messages:
>
> snort -i tun0 -A full -c /usr/local/etc/snort/snort.conf
>
[EMA

Hey Mark,
If the IP is not being decoded, you need to use the "match" tag
instead of "srcip". You may also want to use "if_level" to determine
when to check for your rule.
Take a look at the following entry in our FAQ (should help):
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules#Igno

Hi Daniel:
Welcome to the human race, and thank you for letting me know
about having two entries.
I'm testing that now.
Thank you again.

Daniel,
It works perfectly just the way you said. Should I add this to the wiki?
Aaron
Daniel Cid wrote:
> Hi Aaron,
>
> The easiest way is to just get the ossec binaries (from /var/ossec/bin) and
> move them to the ossec package under the bin directory.
>
> After that, set the etc/preloaded-va

Just an FYI as I couldn't find anything about it on the OSSEC wiki for
PIX logs. If you are using names in your PIX/ASA config the decoder
seems to be broken as it is trying to match y.y.y.y but if you are
using names (which is helpful when you have a few thousand rules to
manage) you could have