Hi Peter,
The easiest way to do this is by using the srcip tag and the list of
rules inside
if_sid. For example, to ignore networks 192.168.0.0/24 and 10.0.0.0/8 on rules
rule1,rule2,rule3 and rule4:
<rule id="xyz" level="0">
  <if_sid>rule1, rule2, rule3, rule4</if_sid>
  <srcip>192.168.0.0/24</srcip>
  <srcip>10.0.0.0/8</srcip>
</rule>
List,
I need to implement OSSEC in approximately 300 servers. What should I consider?
text? MySQL? another? Disk Space?
Experiences?
Thanks
--
Martin Tartarelli
Linux User #476492
--
With that many systems you're going to need lots of disk space and a fast
RAID array if you're going to use MySQL, unless you do database
partitioning with compression. I took a different approach and did
everything in text, disabled the compression in the
internal_options.conf, compiled the lzma tools,
Hi Oliver,
It seems that you configured the white_list on the agent side, but it should be
set on the server's ossec.conf. That's probably why it didn't work.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Sat, Dec 13, 2008 at 2:22 PM, Oliver Jagape
oliver.jag...@concentrix.com wrote:
I
Hi,
A suggestion would be to add an ignore entry in your ossec.conf so it does not read
the webstore directory. That should reduce the load significantly.
For example:
<ignore type="sregex">webstore</ignore>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Dec 11, 2008 at 2:31 PM,
Hi Derek,
Can you give more information to us?
-How much logging do you have enabled?
-Show us your ossec.log file from the agent (will give an idea on the
amount of events)
-Output of agent_control -i this_agent_id (on the manager side)
Also, how high is it and how often?
Thanks,
--
Daniel
Greetings:
Would it be possible in a future version that after running authorized
and approved updates to run an ossec command on the agent (if not the
server) which would, for lack of better words, catch up the agent so
it would not report Integrity checksum changed again messages that
came
Hi Daniel:
Given the following in /var/ossec/rules/local_xml.rules
<rule id="100210" level="12">
  <if_sid>31100</if_sid>
  <match>(Nikto/</match>
  <description>Nikto vulnerability scan</description>
</rule>
And given the above rule id is part of the active response chain, I'm
having trouble