[ossec-list] Re: ossec 1.6.1 is there a way to white list by rule id?

2008-12-16 Thread Daniel Cid
Hi Peter, The easiest way to do this is by using the srcip tag and the list of rules inside if_sid. For example, to ignore networks 192.168.0.0/24 and 10.0.0.0/8 on rules rule1, rule2, rule3 and rule4: <rule id="xyz" level="0"> <if_sid>rule1, rule2, rule3, rule4</if_sid> <srcip>192.168.0.0/24</srcip>

[ossec-list] OSSEC and Dimensioning solution

2008-12-16 Thread Martin Tartarelli
List, I need to implement OSSEC in approximately 300 servers. What should I consider? text? MySQL? another? Disk Space? Experiences? Thanks -- Martin Tartarelli Linux User #476492 --

[ossec-list] Re: OSSEC and Dimensioning solution

2008-12-16 Thread simpsonlang
With that many systems you're going to need lots of disk space and a fast RAID array if you're going to do MySQL, unless you do database partitioning with compression. I took a different approach and did everything text, disabled the compression in the internal_options.conf, compiled the lzma tools,

[ossec-list] Re: white list specific ip on active response

2008-12-16 Thread Daniel Cid
Hi Oliver, It seems that you configured the white_list on the agent side, but it should be set on the server's ossec.conf. That's probably why it didn't work. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Sat, Dec 13, 2008 at 2:22 PM, Oliver Jagape oliver.jag...@concentrix.com wrote: I

[ossec-list] Re: OSSEC 1.6.1 syscheck method

2008-12-16 Thread Daniel Cid
Hi, A suggestion would be to add an ignore entry in your ossec.conf so that it does not read the webstore directory. That should reduce the load significantly. For example: <ignore type="sregex">webstore</ignore> Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Thu, Dec 11, 2008 at 2:31 PM,

[ossec-list] Re: High CPU Usage on Windows 2008

2008-12-16 Thread Daniel Cid
Hi Derek, Can you give more information to us? -How much logging do you have enabled? -Show us your ossec.log file from the agent (will give an idea on the amount of events) -Output of agent_control -i this_agent_id (on the manager side) Also, how high is it and how often? Thanks, -- Daniel

[ossec-list] Suggestion for Integrity checksum changed again

2008-12-16 Thread Peter M. Abraham
Greetings: Would it be possible in a future version that after running authorized and approved updates to run an ossec command on the agent (if not the server) which would, for lack of better words, catch up the agent so it would not report "Integrity checksum changed again" messages that came

[ossec-list] Re: ossec 1.6.1 is there a way to white list by rule id?

2008-12-16 Thread Peter M. Abraham
Hi Daniel: Given the following in /var/ossec/rules/local_xml.rules <rule id="100210" level="12"> <if_sid>31100</if_sid> <match>(Nikto/</match> <description>Nikto vulnerability scan</description> </rule> And given the above rule id is part of the active response chain, I'm having trouble
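Putting Daniel's if_sid + srcip pattern (first message) together with Peter's Nikto rule (message above), here is a complete local_rules.xml fragment as an added example; it is not code from the thread or from the OSSEC project. The child rule id 100211, the group name and the description text are assumptions; the two netblocks are the ones from Daniel's reply. Because the child matches at level 0, the event produces no alert, and therefore nothing for the active-response chain to act on, for hosts in those networks only.

```xml
<!-- Added example (not from the thread): a level-0 child rule that silences
     rule 100210 (the Nikto rule posted above) for two trusted networks,
     using the if_sid + srcip pattern from Daniel's reply.
     Rule id 100211 and the group name are assumptions; pick a free id
     in your own local_rules.xml. -->
<group name="local,syslog,">

  <!-- The Nikto rule as posted: level 12 alert when a web access-log
       event (parent rule 31100) contains the Nikto user-agent string. -->
  <rule id="100210" level="12">
    <if_sid>31100</if_sid>
    <match>(Nikto/</match>
    <description>Nikto vulnerability scan</description>
  </rule>

  <!-- Whitelist: when 100210 matches and the source IP falls in one of
       these netblocks, this child fires instead at level 0, so no alert is
       written and no active response is triggered for that event.
       One netblock per srcip element; list more rule ids in if_sid
       (comma separated) to whitelist the same networks for them too. -->
  <rule id="100211" level="0">
    <if_sid>100210</if_sid>
    <srcip>192.168.0.0/24</srcip>
    <srcip>10.0.0.0/8</srcip>
    <description>Nikto scan from an authorized scanner network, ignored</description>
  </rule>

</group>
```

To check the result on the manager, feed a sample access-log line containing "(Nikto/" from an address inside 192.168.0.0/24 to /var/ossec/bin/ossec-logtest on stdin: it should report rule 100211 at level 0, while the same line from an outside address should report 100210 at level 12. If the goal is to keep the alert but only exempt the scanner host from blocking, the other reply in this digest points to the global white_list setting, which must be configured in the server's ossec.conf rather than on the agent.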