Hi Daniel:
Thank you for your response.
Since we use active-response based on sid rather than level, this
might be far more work given we have around 30 agents with possibly
more in the future.
I did open up http://www.ossec.net/bugs/show_bug.cgi?id=141 as an
enhancement request for yours and y
Hi John,
Yes, you can have a pre-defined white list of entries that change often.
A simple way is to create a local_rule ignoring these entries (on the server):
550, 551, 552, 553, 554
RegistryEntry1|Entry2|Entry3
Events ignored
Also, ossec will by default auto ignore files that
You lost me. Why would you want to log in as the user ossec? They should
only be used by the ossec process. If you need to manage ossec, use sudo, su
or just login as root.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) osse.net
On Dec 8, 2007 12:04 PM, Mex <[EMAIL PROTECTED]> wrote:
>
> Hello eve
Hi Peter,
Not really, since the white lists are all global. You can, however,
create local rules matching on the agent name and on the desired ip
address to ignore them.
Example:
5
test1
1.2.3.4
Ignoring ip 1.2.3.4 for agent test1
*If you still want to see the alerts, just put a hig
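The two local rules described in this thread (ignoring specific registry entries from the syscheck rules 550-554, and ignoring one source IP for one agent), written out as an added example rather than code from the original messages; the rule ids, the agent name test1, the ip 1.2.3.4 and the entry names are assumed placeholders:

```xml
<!-- Added example: local_rules.xml on the OSSEC server.
     Rule ids 100001/100002 are assumed; the local-rule range starts at 100000.
     level="0" means the event is matched but no alert is raised, and since
     active-response is driven by the matched rule, none fires for it either. -->
<group name="local,syscheck,">

  <!-- Ignore integrity-check events (sids 550-554) for registry entries
       that legitimately change often. Entry names are constructed placeholders. -->
  <rule id="100001" level="0">
    <if_sid>550, 551, 552, 553, 554</if_sid>
    <match>RegistryEntry1|Entry2|Entry3</match>
    <description>Events ignored</description>
  </rule>

  <!-- Ignore events from source ip 1.2.3.4 only when they come from the
       agent named test1; other agents still alert on that ip. -->
  <rule id="100002" level="0">
    <hostname>test1</hostname>
    <srcip>1.2.3.4</srcip>
    <description>Ignoring ip 1.2.3.4 for agent test1</description>
  </rule>

</group>
```

Keep the ignore rules as narrow as the match and hostname fields allow, so that the same entries or ip are still alerted on elsewhere.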
On Dec 10, 2007 8:51 AM, Aaron Gee-Clough <[EMAIL PROTECTED]> wrote:
>
> I've seen this as well. In the PIX/ASA config you can assign names to
> IPs like
>
> name 10.0.0.1 testbox
>
> That will then cause all syslog messages that might use 10.0.0.1 to
> instead print testbox. For example
Greetings Lyle:
Since ossec just sees what is in the logs, then the real issue is what
is being logged. Is that correct?
Or are both IPs -- router and desktop -- in the log file?
Thank you.
Hi all,
we're just testing Ossec in an office environment, and so far it looks really
promising.
But we've got an issue with our routers. There are several routers all over the
building, and the log files on the servers only show the IP addresses of the
routers, not of the computers behind the
Hello,
we intend to install OSSEC on (unfortunately) non-virgin Debian- and
Windows-based servers.
(but there are backup-images(dd) of the os-partition made immediately
after installation of
the os available)
Question:
Is there a way to "convert" a dd-image in a "OSSEC baseline"?
Thanks a l