Re: [ossec-list] OSSEC WUI

2010-02-09 Thread dan (ddp)
Nope. WUI does not utilize the database support. On Mon, Feb 8, 2010 at 4:12 PM, Ron wrote: > New installation with latest versions of OSSEC and WUI on CentOS. > Sorry for the basic question - Does the search on WUI require OSSEC to > be compiled with database support? Thanks

Re: [ossec-list] Block

2010-02-09 Thread oscar schneider
Hi, yes it does if you activated "Active Response" capabilities during installation, I think the default setting for that is "yes". Your ossec.conf should contain an active response section that looks like this (excerpt): host-deny host-deny.sh srcip yes host-

[ossec-list] Re: Seeking help with two Windows FTP rules

2010-02-09 Thread Peter M. Abraham
Greetings: From time to time I get bombarded with several hundred "FTP brute force (multiple failed logins)" rule 11510 and "Multiple connection attempts from same source" 11511 alerts. I've been trying to rewrite the rule so I don't get notifications of the same attacker several hundred times

[ossec-list] New Install on HPUX 11iv2 (11iv23 IA64)

2010-02-09 Thread Smith, Al
Hello All, I did a new Server Installation (2.3) on HP-UX 11iv2 (11.23 IA64) using GCC 4.4. The compile went ok and installed ok but I have a few problems: 1 - I added a HP-UX agent and imported its key and restarted but the agent will not contact the server 2 - Port 1514/UDP is not being ope

[ossec-list] OSSEC WUI

2010-02-09 Thread Ron
New installation with latest versions of OSSEC and WUI on CentOS. Sorry for the basic question - Does the search on WUI require OSSEC to be compiled with database support? Thanks

Re: [ossec-list] Re: Decoder problems

2010-02-09 Thread oscar schneider
I used a snapshot from 01/29/2010: $: cat /etc/ossec-init.conf DIRECTORY="/var/ossec" VERSION="2.4-SNP-100129" DATE="Thu Feb 4 14:29:08 CET 2010" TYPE="local" Maybe your problem is some character encoding or some non-ASCII characters that accidentally went into your decoder. Try rewriting it.

Re: [ossec-list] what does this mean?

2010-02-09 Thread oscar schneider
On my installation rule 11 alerts always look like this: 2010 Feb 07 11:25:11 Rule Id: 11 level: 4 Location: (hostname) host_ip->/var/log/logfile Excessive number of events (above normal). So there I can see which agent and which logfile is responsible

[ossec-list] New Install on HPUX 11iv2 (11iv23 IA64)

2010-02-09 Thread al.sm...@timet.com
Hello All, I did a new Server Installation (2.3) on HP-UX 11iv2 (11.23 IA64) using GCC 4.4. The compile went ok and installed ok but I have a few problems: 1 - I added a HP-UX agent and imported its key and restarted but the agent will not contact the server 2 - Port 1514/UDP is not being opene

[ossec-list] Block

2010-02-09 Thread john lee
Hi, Does ossec trigger any actions from log files? I am using the default settings in ossec.conf. But we had an instance where rule: 31115 fired and put that IP address on apache block list. We disable ossec agent and the user are fine. Received From: (server) x.x.x.x->/var/log/apache2/acc