[ossec-list] Re: Can agents have their own white list which adds to the server white list?

2007-12-11 Thread Peter M. Abraham
Hi Daniel: Thank you for your response. Since we use active-response based on sid rather than level, this might be far more work given we have around 30 agents with possibly more in the future. I did open up http://www.ossec.net/bugs/show_bug.cgi?id=141 as an enhancement request for yours and y

[ossec-list] Re: OSSEC predefined allowed registry changes

2007-12-11 Thread Daniel Cid
Hi John, Yes, you can have a pre-defined white list of entries that change often. A simple way is to create a local_rule ignoring these entries (on the server): 550, 551, 552, 553, 554 RegistryEntry1|Entry2|Entry3 Events ignored Also, ossec will by default auto ignore files that

[ossec-list] Re: ossec on openSuSE 10.3

2007-12-11 Thread Daniel Cid
You lost me. Why would you want to log in as the user ossec? They should only be used by the ossec process. If you need to manage ossec, use sudo, su or just login as root. Hope it helps. -- Daniel B. Cid dcid ( at ) osse.net On Dec 8, 2007 12:04 PM, Mex <[EMAIL PROTECTED]> wrote: > > Hello eve

[ossec-list] Re: Can agents have their own white list which adds to the server white list?

2007-12-11 Thread Daniel Cid
Hi Peter, Not really, since the white lists are all global. You can, however, create local rules matching on the agent name and on the desired IP address to ignore them. Example: 5 test1 1.2.3.4 Ignoring ip 1.2.3.4 for agent test1 *If you still want to see the alerts, just put a hig
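The two replies above (ignoring frequently changing registry entries under sids 550-554, and ignoring one IP for one agent because white lists are global) both come down to a level-0 child rule in the server's local_rules.xml. The fragment below is an added example written for this archive page, not the rules posted on the list: the rule ids 100001/100002, the group name and the `if_level` condition (a reading of the bare "5" in the second post) are assumptions; the sids, the placeholder registry entry names, the agent name test1 and the address 1.2.3.4 come from the posts.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC server.
     Added example, not the list posts' own rules.
     Assumptions: rule ids 100001/100002 (the 100000-119999 range is reserved
     for local rules), the group name, and the if_level condition.
     A rule with level="0" is matched but never alerted on, which is how
     OSSEC "ignores" an event; because the first matching rule in the tree
     wins, the suppression must be a child of the rule(s) that would alert. -->
<group name="local,syscheck,">

  <!-- Thread "OSSEC predefined allowed registry changes": silence the
       syscheck alerts (sids 550-554 named in the post) for registry entries
       that legitimately change all the time. Entry names are the post's
       placeholders; use an OSSEC regex that matches the real key paths. -->
  <rule id="100001" level="0">
    <if_sid>550,551,552,553,554</if_sid>
    <match>RegistryEntry1|Entry2|Entry3</match>
    <description>Events ignored: registry entries that change often</description>
  </rule>

  <!-- Thread "Can agents have their own white list": white lists are global,
       so match on the agent name (hostname) together with the source IP and
       drop the alert only for that agent/IP pair. Raising level above 0
       keeps the alert visible while still giving it its own rule id, which
       an active-response configured by sid can then be keyed on. -->
  <rule id="100002" level="0">
    <if_level>5</if_level>        <!-- assumption: the post's bare "5" -->
    <hostname>test1</hostname>
    <srcip>1.2.3.4</srcip>
    <description>Ignoring ip 1.2.3.4 for agent test1</description>
  </rule>

</group>
```

After editing, restart the server (`/var/ossec/bin/ossec-control restart`) and confirm the decision with `/var/ossec/bin/ossec-logtest`: paste a sample event and check that the final rule shown is 100001 or 100002 at level 0 rather than the original syscheck or authentication rule.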

[ossec-list] Re: PIX logs and names

2007-12-11 Thread JM
On Dec 10, 2007 8:51 AM, Aaron Gee-Clough <[EMAIL PROTECTED]> wrote: > > I've seen this as well. In the PIX/ASA config you can assign names to > IPs like > > name 10.0.0.1 testbox > > That will then cause all syslog messages that might use 10.0.0.1 to > instead print testbox. For example

[ossec-list] Re: IPs behind a router

2007-12-11 Thread Peter M. Abraham
Greetings Lyle: Since ossec just sees what is in the logs, the real issue is what is being logged. Is that correct? Or are both IPs -- router and desktop -- in the log file? Thank you.

[ossec-list] IPs behind a router

2007-12-11 Thread Lyle Lasheimok
Hi all, we're just testing Ossec in an office environment, and so far it looks really promising. But we've got an issue with our routers. There are several routers all over the building, and the log files on the servers only show the IP addresses of the routers, not of the computers behind the

[ossec-list] OSSEC converting an backup-image(dd) (of an os-partition) as baseline

2007-12-11 Thread Verlag Neue Stadt
Hello, we intend to install OSSEC on (unfortunately) non-virgin Debian- and Windows-based servers (but there are backup images (dd) of the OS partition, made immediately after installation of the OS, available). Question: Is there a way to "convert" a dd image into an "OSSEC baseline"? Thanks a l