Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread macker
heh heh heh heh no no no no problems problems problems problems here here here here either either either either. -macker -macker -macker -macker On Tue, May 18, 2010 at 5:07 AM, Wim Remes wrote: > yup, yup, yup and yup :-D > > all joking aside. I don't have that problem, problem, problem, prob

[ossec-list] Rules & matching

2010-05-18 Thread Swartz, Patrick H
Hi All, As I continue to understand the proper use of rules, I still have a few questions. Given this list of files/directories that need to be monitored: /opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p /opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p /opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p /opt/Apac

[ossec-list] Re: Reinstall Server

2010-05-18 Thread Rich Rumble
I "reinstalled" (2.3) and set the max agents again (was 1024) to 2048, and clients started connecting again. When we first added over 254 agents we noticed the error and used http://www.ossec.net/wiki/Errors:LargeNumberAgents to up the agents; all was well. Haven't seen the error in the log since, and

Re: [ossec-list] Would you have additional code or info on detecting new files.

2010-05-18 Thread Kovac
I've gotten copied on this mail 10 times already. But not a response. >>> 5/18/2010 8:38 AM >>> I have that also Here is the setting maybe I'm missing something else, I changed the frequency 792 yes /etc,/usr/bin,/usr/sbin /bin,/sbin Christian L. Kovac Sr Netw

Re: [ossec-list] Would you have additional code or info on detecting new files.

2010-05-18 Thread Kovac
Thanks for the reply. Yes, yes (system32 directory being watched by syscheck?). I believe by default it is being watched by syscheck. I do get alerts when I modify a test file in the System32 directory. This is a basic install for testing and evaluation. This is the only issue I can't seem t

Re: [ossec-list] Rule match syntax

2010-05-18 Thread B/K Walker
On Tue, 18 May 2010 09:14:51 -0500 Michael Starks wrote: > > On Tue, 18 May 2010 08:55:47 -0400, B/K Walker > wrote: > > Here's an example, I get smart HDD test syslog events from my NAS > > box: > > > > Received From: fatty->/var/log/messages > > Rule: 1002 fired (level 2) -> "Unknown problem

Re: [ossec-list] Rule match syntax

2010-05-18 Thread B/K Walker
On Tue, 18 May 2010 10:51:36 -0400 "dan (ddp)" wrote: > On Tue, May 18, 2010 at 8:55 AM, B/K Walker wrote: > > I've been struggling with cleaning up the notifications from ossec, > > I've had some success but for whatever reason I can't seem to get a > > grip on it completely. > > > > I've got se

Re: [ossec-list] Rule match syntax

2010-05-18 Thread Michael Starks
On Tue, 18 May 2010 08:55:47 -0400, B/K Walker wrote: > Here's an example, I get smart HDD test syslog events from my NAS box: > > Received From: fatty->/var/log/messages > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." > Portion of the log(s): > > May 18 00:02:06 fatt

[ossec-list] UNSUBSCRIBE

2010-05-18 Thread Support BestFreelance
UNSUBSCRIBE

Re: [ossec-list] Would you have additional code or info on detecting new files.

2010-05-18 Thread dan (ddp)
Have you tested this? Maybe tried creating a file in the system32 directory? Did you set the alert_new_files to yes on the agents (not sure if this is necessary or not, but probably won't hurt)? Is the system32 directory being watched by syscheck? On Tue, May 18, 2010 at 8:38 AM, wrote: > I have

RE: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread Swartz, Patrick H
I get double posts, which I am counting as a blessing, since I'm not getting 4 copies. :-) Patrick Swartz UNIX Planning & Engineering (DSUSSE) First Data 402-777-7337 desk 402-871-8981 cell -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf

Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread Andre Pawlowski
Same here too! Andre Pawlowski --- Right and wrong are not what separate us and our enemies. It's our different standpoints, our perspectives that separate us. Both sides blame one another. There's no good or bad side. Just two sid

Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.

2010-05-18 Thread dan (ddp)
This is how to log to an sql database: http://www.ossec.net/wiki/Know_How:DatabaseOutput But I don't think the problem has anything to do with an sql database. I was thinking syscheck_control -u all: "-u all Updates (clear) the database for all agents." I guess you could manually clear out the s

RE: [ossec-list] analysisd: ERROR: Invalid syscheck message received.

2010-05-18 Thread Adi CHIRU
Hi Dan, If by clearing the syscheck database you mean .../syscheck_update -a and/or .../syscheck_update -u local, I already did that while the ossec daemons were stopped. After restart the same errors appear in the logs. I am using ossec-hids-2.4.1. The above error messages appear in server and agent lo

RE: [ossec-list] No agent available

2010-05-18 Thread BOUTROUILLE PASCAL
Thank you. So I have modified: debiantest:/tmp# grep ossec /etc/passwd ossec:x:1001:1001::/var/ossec:/bin/false ossecm:x:1002:1001::/var/ossec:/bin/false ossecr:x:1003:1001::/var/ossec:/bin/false debiantest:/tmp# debiantest:/tmp# grep ossec /etc/group ossec:x:1001:www-data,ossec and start/stop

Re: [ossec-list] Re: trojan on lucid?

2010-05-18 Thread Charlie
yes, will try it out later today! thanks! On Tue, May 18, 2010 at 7:01 AM, Daniel Cid wrote: > Hi Charlie, > > Thanks! Just fixed on the latest snapshot: > > http://www.ossec.net/files/snapshots/ > > Can you give it a try? > > Thanks, > > -- > Daniel B. Cid > dcid ( at ) ossec.net > > On Fri, Ma

Re: [ossec-list] No agent available

2010-05-18 Thread dan (ddp)
Your mail made it through (although I don't know the answer off hand). On Tue, May 18, 2010 at 9:21 AM, Rich Rumble wrote: > I am having the same issue, the email I sent yesterday doesn't seem to have > been posted (grr google groups)

Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread B/K Walker
On Tue, 18 May 2010 07:28:20 -0400 William Montgomery wrote: > B/K Walker wrote: > > I'm getting 4 (maybe more) copies of every post, each with a > > different return-path and envelope-from headers (some sort of id > > used by google groups). > > > > This is the first googlegroup I've signed up f

Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread B/K Walker
On Tue, 18 May 2010 14:07:17 +0200 Wim Remes wrote: > yup, yup, yup and yup :-D > > all joking aside. I don't have that problem, problem, problem, > problem. > > try to unsubscribe and subscribe again ? Just tried, no luck there. Perhaps email signup is broken, I don't have a google account o

Re: [ossec-list] Rule match syntax

2010-05-18 Thread dan (ddp)
On Tue, May 18, 2010 at 8:55 AM, B/K Walker wrote: > I've been struggling with cleaning up the notifications from ossec, I've had > some success but for whatever reason I can't seem to get a grip on it > completely. > > I've got several rules in local_rules.xml that filter out unimportant stuff

Re: [ossec-list] No agent available

2010-05-18 Thread dan (ddp)
On Tue, May 18, 2010 at 4:44 AM, BOUTROUILLE PASCAL wrote: > > Hello > > I have a problem with the installation of ossec. > > After the installation I have the message « No agent available. » > > I have read the forum but I don't find the solution. Here is the problem : > > > /etc/init.d/ossec start >

Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread Wim Remes
yup, yup, yup and yup :-D all joking aside. I don't have that problem, problem, problem, problem. try to unsubscribe and subscribe again ? On Mon, May 17, 2010 at 11:05 PM, B/K Walker wrote: > I'm getting 4 (maybe more) copies of every post, each with a different > return-path and envelope-fro

Re: [ossec-list] No agent available

2010-05-18 Thread Rich Rumble
I am having the same issue, the email I sent yesterday doesn't seem to have been posted (grr google groups) >I can't figure out why no agent is connecting to my server, new or old. I'd like to back up the keys DB and remake the server, and restore the keys. I do not want to generate 500+ keys by h

[ossec-list] HP-Unix agent pre compiled

2010-05-18 Thread Kovac
I'm testing OSSEC, which it looks like we may use here. Question is: does anyone have a pre-compiled HP-Unix agent I can test on my HP agents? Until we purchase the support it seems we can not test it. Thank You Christian Christian L. Kovac Sr Network Support Analyst Information Technol

RE: [ossec-list] analysisd: ERROR: Invalid syscheck message received.

2010-05-18 Thread Adi CHIRU
Hi Dan, If by clearing the syscheck database you mean ./syscheck_update -a and/or ./syscheck_update -u local, I already did that while the ossec daemons were stopped. After restart the same errors appear in the logs. I am using ossec-hids-2.4.1. The above error messages appear in server and agent logs.

[ossec-list] Rule match syntax

2010-05-18 Thread B/K Walker
I've been struggling with cleaning up the notifications from ossec, I've had some success but for whatever reason I can't seem to get a grip on it completely. I've got several rules in local_rules.xml that filter out unimportant stuff (windows really likes to twiddle registry keys, in particula

Re: [ossec-list] Would you have additional code or info on detecting new files.

2010-05-18 Thread Kovac
I have that also Here is the setting maybe I'm missing something else, I changed the frequency 792 yes /etc,/usr/bin,/usr/sbin /bin,/sbin Christian L. Kovac Sr Network Support Analyst Information Technology & Project Management Metro-North Railroad ko...@mnr.org

Re: [ossec-list] Re: trojan on lucid?

2010-05-18 Thread Daniel Cid
Hi Charlie, Thanks! Just fixed on the latest snapshot: http://www.ossec.net/files/snapshots/ Can you give it a try? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Fri, May 14, 2010 at 3:58 PM, Charlie wrote: > :~$ strings /bin/login | grep -E > 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets

Re: [ossec-list] Would you have additional code or info on detecting new files.

2010-05-18 Thread Daniel Cid
Hi Christian, You also need to set "alert_new_files" to "yes" inside the syscheck config: http://www.ossec.net/wiki/Know_How:Syscheck Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Mon, May 17, 2010 at 2:29 PM, wrote: > I've changed the rules required 554 to level 7 and the rule is as foll

Re: [ossec-list] bug in route-null.cmd for Windows active response

2010-05-18 Thread Daniel Cid
Hi Aaron, Thanks for the patch. Added to the latest snapshot: http://www.ossec.net/files/snapshots/ Can you take a look to make sure it is working correctly? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Wed, May 12, 2010 at 2:40 PM, Aaron Bliss wrote: > Hi all, > I noticed that Windows

Re: [ossec-list] RE: All UNIX/LINUX agents disconnecting

2010-05-18 Thread Daniel Cid
Hi Patrick, Yes, that's basically what Dan explained. Removing the counters would allow for someone inside your network to replay the events into ossec. However, if you are using syslog internally, you will have this problem anyway... So even using this option would not protect you. I disable th
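The replay risk Daniel describes above, shown as an added illustration rather than OSSEC's own code or wire format: a toy agent-to-server event channel where each event carries a per-agent counter under a shared key. The key, agent id, event payloads and the "counter:payload" framing are all constructed for the example. With the counter check on, a captured event re-sent from inside the network is rejected; with it off, the same replay is accepted into analysis, which is the trade-off of disabling the counters. A tampered frame fails the MAC either way. Plain syslog, as the message notes, has neither a MAC nor a counter, so there the replay would be accepted regardless.

```python
"""Counter-based replay protection on an agent->server event channel.

Added illustration, not OSSEC code: each event is framed as
'counter:payload' and authenticated with an HMAC under a shared key.
Toggling check_counters on the server shows why removing the counter
check lets a host inside the network replay captured events.
"""
import hashlib
import hmac

# Constructed shared key for the example; real deployments use a
# per-agent key, not a hard-coded one.
AGENT_KEY = b"constructed-per-agent-shared-secret"


def build_event(counter: int, payload: str, key: bytes = AGENT_KEY) -> tuple[bytes, str]:
    """Agent side: frame the event with its counter and MAC the frame."""
    frame = f"{counter}:{payload}".encode()
    tag = hmac.new(key, frame, hashlib.sha256).hexdigest()
    return frame, tag


class Server:
    """Server side: verifies the MAC and, optionally, enforces counters."""

    def __init__(self, check_counters: bool = True):
        self.check_counters = check_counters
        self.last_counter: dict[str, int] = {}      # agent_id -> highest accepted counter
        self.accepted: list[tuple[str, str]] = []   # (agent_id, payload) passed to analysis

    def receive(self, agent_id: str, frame: bytes, tag: str, key: bytes = AGENT_KEY) -> str:
        # Authenticate first: a forged or modified frame never gets further.
        expected = hmac.new(key, frame, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad mac"
        counter_text, _, payload = frame.decode().partition(":")
        counter = int(counter_text)
        # The counter must strictly increase per agent; a re-sent frame
        # carries an old counter and is dropped when the check is enabled.
        if self.check_counters and counter <= self.last_counter.get(agent_id, 0):
            return "rejected: replay"
        if counter > self.last_counter.get(agent_id, 0):
            self.last_counter[agent_id] = counter
        self.accepted.append((agent_id, payload))
        return "accepted"


def replay_scenario(check_counters: bool) -> dict:
    """Agent sends two events; an attacker who captured the first replays it.

    Returns the server's verdict on the replay, on a tampered frame, and
    how many events reached analysis.
    """
    server = Server(check_counters=check_counters)
    captured = []
    # Constructed event payloads (not real log lines from the thread).
    for counter, payload in enumerate(["sshd: Accepted publickey for ops",
                                       "sshd: session closed"], start=1):
        frame, tag = build_event(counter, payload)
        captured.append((frame, tag))  # the attacker is assumed to see the traffic
        server.receive("agent-001", frame, tag)

    # Attacker on the LAN re-sends the captured first event verbatim.
    replay_result = server.receive("agent-001", *captured[0])

    # Attacker edits the payload but cannot recompute the MAC without the key.
    tampered_frame = captured[0][0].replace(b"ops", b"root")
    tamper_result = server.receive("agent-001", tampered_frame, captured[0][1])

    return {
        "replay": replay_result,
        "tamper": tamper_result,
        "events_seen": len(server.accepted),
    }


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"check_counters={enabled}: {replay_scenario(enabled)}")
```

The counter state must be kept per agent and survive a server restart; if it is reset to zero, every previously captured event becomes replayable until the agent's live counter overtakes the attacker's copies.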

Re: [ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread William Montgomery
B/K Walker wrote: I'm getting 4 (maybe more) copies of every post, each with a different return-path and envelope-from headers (some sort of id used by google groups). This is the first googlegroup I've signed up for, I'm on dozens of other lists and never have seen this kind of behaviour.

[ossec-list] Rule of Spam

2010-05-18 Thread rafael.gomes
Guys, Are there any rules in OSSEC to get SPAM? I am having problems with SPAM and I want to know when it is happening and block it. My MTA is Postfix. Thanks! -- Regards, Rafael Brito Gomes, Security Analyst, LPIC-1 MCSO, DISUP/CPD/UFBA Tel : +55 71 3283 6100

[ossec-list] Am I the only one getting 4 copies of everything to this list?

2010-05-18 Thread B/K Walker
I'm getting 4 (maybe more) copies of every post, each with a different return-path and envelope-from headers (some sort of id used by google groups). This is the first googlegroup I've signed up for, I'm on dozens of other lists and never have seen this kind of behaviour. -- If you write some

[ossec-list] No agent available

2010-05-18 Thread BOUTROUILLE PASCAL
Hello, I have a problem with the installation of ossec. After the installation I have the message < No agent available. > I have read the forum but I don't find the solution. Here is the problem : /etc/init.d/ossec start Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)... 2010/05