What IP did you specify with that option? I would assume setting 0.0.0.0
would allow OSSEC to listen on any IP address. You are restarting the
server after you make these changes, right?
On Mon, Mar 16, 2009 at 3:40 PM, Mark C wrote:
>
> Oh, I tried the option specified here:
> http://www.oss
I just ran into the opposite problem today. I had just reinstalled several
'local' OSSEC installs as 'agents' and when I did this, the whitelists had
to be added to the server's ossec.conf, as adding them to the agent's
ossec.conf did nothing. This is really a question for another thread, but
is t
Hello,
I have a test environment consisting of three hosts with OSSEC (agent)
installed (Linux, XP Professional and a Mac) and one host with OSSEC
(server) installed (Linux). The three hosts are configured to send
their events to the server.
This environment has a completely stock environment,
Oh, I tried the option specified here:
http://www.ossec.net/main/manual/configuration-options/#remote_options
syslog
xxx.xxx.xxx.xxx
And it did not work even after restarting.
On Mar 16, 2:54 pm, Mark C wrote:
> Hi all,
>
> I've just installed OSSEC 2 on an Ubuntu 6.06 server 3
hi,
OSSEC can monitor messages from mod_security, which go to the Apache
error_log by default, like
[Mon Sep 29 09:40:39 2008] [error] [client x.x.x.x] ModSecurity:
Warning. Pattern match "(?:b(?:(?:s(?:erver.(?:(?:(?:htm|ur)
lencod|execut)e|createobject|mappath)|cripting.filesystemobject
Hi,
Does OSSEC have a bundled rule (or rules) that covers clamd log entries as
found here http://www.ossec.net/wiki/index.php/ClamAV ? I'm just not
finding anything in the OSSEC 2.0 rules. If not, does anyone know of any
user-contributed rules that cover clamd?
Thanks,
Mike
Hi all,
I've just installed OSSEC 2 on an Ubuntu 6.06 server 32-bit system.
It's part of a simple cluster where there's a floating IP, eth0:0. I
setup 2 agents, and during the initial setup gave them the floating
IP. Here's what both saw in the logs:
2009/03/16 14:42:11 ossec-agentd(4101): WARN
On Mar 16, 7:06 pm, Martin Tartarelli wrote:
> > What version of ossec are you using? It comes by default on v2.0.
>
> I have v.1.6.1. In that version can I use these features?
No, it is a new feature since v2.0.
> Can I install v2.0 in OSSEC Server with Agent 1.6.1 in the rest of the LAN?
I have been clearing Windows App, Sec and System logs all day today and not one
alert. I have it set for 8 and email on 8's. I am running V2.0 on server and
Windows clients. Where can I look to see what's wrong?
-Derek
Daniel -
These machines are agents. As far as I can tell, they're all running:
[r...@yamaguchi ~]# ps -ef|grep ossec
root 4594 1 0 Mar15 ?00:00:00 /var/ossec/bin/ossec-execd
ossec 4598 1 0 Mar15 ?00:00:00 /var/ossec/bin/ossec-agentd
root 4602 1 0 Mar
Excellent thanks. So far everything is working great!
Ben
On Mon, 2009-03-16 at 14:49 -0300, Daniel Cid wrote:
> Hi Ben,
>
> The 32-bit version will work with Windows 64-bit systems, including
> Vista, 2008, 2003, XP and 2000.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On
Daniel,
2009/3/16 Daniel Cid :
>
> Hi Martin,
>
> What version of ossec are you using? It comes by default on v2.0.
>
I have v.1.6.1. In that version can I use these features?
Can I install v2.0 in OSSEC Server with Agent 1.6.1 in the rest of the LAN?
> Thanks,
>
Thanks
> --
> Daniel B. C
Hi Ed,
The log analysis part of OSSEC is very lightweight, so it should
support a good load of logs well. A while back I did some tests with an
old box and it was able to handle more than 600 events per second on a
PIII system:
http://www.ossec.net/dcid/?p=69
So, depending on the number of eve
Hi Macie,
Is there a reason why you need it? The manage_agents tool doesn't
allow you to duplicate ids (even after deleting) because internally it
still uses it to link to old events, message ids, etc.
If you re-use the id, the manager may treat the new agent as if it was
the old one and may
caus
Hi Martin,
What version of ossec are you using? It comes by default on v2.0.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Mar 13, 2009 at 2:06 PM, Martin Tartarelli wrote:
>
> Hi list,
> How to install ossec-reportd? because I don't have this file [1] on my server.
>
> [1] http://ww
Hi Ben,
The 32-bit version will work with Windows 64-bit systems, including
Vista, 2008, 2003, XP and 2000.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Mar 13, 2009 at 12:46 PM, benw wrote:
>
> Hi there,
>
> I am eager to try the new 2.0 version of OSSEC but I only see on the
> down
Hi Tim,
Yes, this is a typo in the wiki. The variables are local to a specific
file and can not be shared with the others. The easiest way is to just
create a local rule for it:
1002
Local rule to reduce the severity of 1002
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Mar 13,
Hi Tim,
Were these systems installed as agents or "local" types? Generally you
get this "locked" warning when analysisd (or ossec-agentd on the agent)
can not be accessed. Can you see if they are running and maybe try
restarting it all?
If that still doesn't work, please share your config, versi
Hi Aaron,
This rule should work well without affecting other alerts. However, it
will only ignore the 3rd change (see rule 552 for the 2nd and rule 551
for the first). Because of that, I would change the if_sid to if_group:
syscheck
'/etc/prelink.cache'
expected file change
You ca
Hi Andy,
You can look at the syscheck database and check for any file with that
hash, but you can't set up syscheck to look directly for them.
For example, if I am looking for the hash of /bin/ls:
# md5 /bin/ls
MD5 (/bin/ls) = 0c10c7ad7fc0954fe9555b4b97189a7e
# grep -r 0c10c7ad7fc0954fe9555b4b9
Is it possible with Syscheck to scan for a certain hash value on a file in
Windows and alert if found?
If so, can someone give me pointers??
Thanks,
-Andy
Hi all,
We are running ossec 2.0. Most (all) of our linux clients report daily of
/etc/prelink.cache checksum changes. According to this RedHat post
http://www.redhat.com/archives/fedora-list/2007-October/msg04408.html this
is expected behavior. I know how to modify the local rules file on the
o
Hello,
I need to use OSSEC for an intrusion detection research project along
with Snort, based on DARPA 1999 dataset. I would like to feed DARPA
network traffic to snort and then run OSSEC on Solaris BSM log data and
Windows NT audit data. (They are here
http://www.ll.mit.edu/mission/communi