phish phreek wrote:
> In the last rules file I emailed to the list, I choose IDs in the 12200
> range since the named rules were in the 12100 range. I've left the ipv4
> rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in
> the 12300 range.
This will be OK for testing, but you'
Any info logged to ossec/logs/active-responses.log?
Aaron
On Mon, May 11, 2009 at 5:11 PM, John Lewis wrote:
> I have an agent installed on an internet facing system, and am trying to get
> active response working for it.
>
> Here’s what I have in the agent’s ossec.conf file, AND the server
I have an agent installed on an internet facing system, and am trying to get
active response working for it.
Here's what I have in the agent's ossec.conf file, AND the server's
ossec.conf:
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <timeout>10</timeout>
  </active-response>
My OSSEC server stopped processing these alerts as of midnight last
night. I noticed that logs timestamps are not changing. I don't know
how the OSSEC agent looks for the logs because I've told the agent to
look at *.log in the c:\windows\system32\dhcp folder. It successfully
processed Wednesday-S
Seeing that Kismet is a HIDS and not NIDS, would it still be
appropriate to use OSSEC to monitor logs for applications such as
kismet?
My idea was to setup several linux boxes with ossec and kismet
running. Then have ossec alert on kismet activity.
The ruleset that I emailed didn't work for Server 2008. It seems that
they've added two new event ids for 2K8 IPv4. IPv6. I've updated my ruleset
file and separated the 2k3/2k8 ipv4 and 2k8 ipv6 rules. I'm not using IPv6
at this time, so I've just created a decoder and tested using what few log
ent
Hi
Peter Robinson wrote:
>
> My rule is copied below with rule 11203 and output from ossec-logtest -f
>
> Logtest shows that my rule is tried but no match occurs against it.
>
...
>
Works OK for me. Have you tried passing it through logtest 'frequency' times
within 'timeframe' second
I put this in based on instructions but can't get the log to be read. Am I
missing anything here?
-Derek Morris
> To those who have been waiting for this. I'm sorry! I got side tracked with
> a bunch of other projects and I forgot to send this to the list. I'm in the
> process of setting up a Wind
Hi
We have gotten a lot of proftpd access attempts recently and I have been
trying to extend one of the in-built rules to block IPs after multiple
non-existent user attempts.
Starting with rule 11203, I simply went for a match against rule id and
frequency 3 against the same source IP.
My ru
Hi All,
I'm looking at implementing OSSEC on our pop server to stop some
recent exploits. How do you block an IP when the mail logs don't show
you the source IP?
** Alert 1242018464.128: -
syslog,access_control,authentication_failed,
2009 May 11 15:07:44 pop1->/var/log/maillog
Rule: 2501 (le