[ossec-list] Email alerting options

2010-10-22 Thread jplee3
I have a couple questions: 1) Is there a way to suppress the body of the OSSEC log so that it doesn't necessarily appear in the email? I'm setting up alerting via SMS but the long log messages cause the SMS to get cut off. 2) Do the "" levels in the ossec.conf affect whether emails go out if usi

[ossec-list] Windows Automated Installation - Mass Deployment via Active Directory - Part 1

2010-10-22 Thread PhilS
Deploying Ossec HIDS via Active Directory - Part 1 In my first blog series I'm going to go over one way to deploy Ossec HIDS to Windows PCs in a network via Active Directory software deployment. In its current form, Ossec HIDS is fairly easy to deploy to larger Linux environments but it's not ne

[ossec-list] Windows Automated Installation - Mass Deployment via Active Directory - Part 2

2010-10-22 Thread PhilS
Deploying Ossec HIDS via Active Directory Part 2 - Automating the Windows Agent Configuration In the first part of this series we went over getting a large number of agents to the Ossec Server from an easy-to-set-up list of machines via script and getting the client.keys file ready. Then we went ah

[ossec-list] Windows Automated Installation - Mass Deployment via Active Directory Introduction

2010-10-22 Thread PhilS
Hello Group-- Here is my contribution to 2WoO. I have taken some ideas and methods from around the internet and in the Ossec-list and combined it with some of my own methodology and coding and created a working deployment package OssecHIDS for Windows Agents in larger groups. This was designed t

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
Here's the output for ossec-logtest for me: # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf 2010/10/22 23:04:34 ossec-testrule: INFO: Reading local decoder file. 2010/10/22 23:04:34 ossec-testrule: INFO: Started (pid: 10010). ossec-testrule: Type one log per line. "Vitor Correia" "PT" 89.155

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
Add it to the end of /var/ossec/etc/decoder.xml and try again. It should complain that there is a duplicate decoder. If not, for some reason it's not reading your local_decoder.xml. If it does and the log isn't matching, something's wrong with the decoder. On Fri, Oct 22, 2010 at 4:12 PM, vcorreia

[ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread vcorreia
I've been browsing your blog all afternoon, trying to come up with something. The httpd program line idea came from your blog, but yields no result. On Oct 22, 9:09 pm, vcorreia wrote: > It comes up with the same result with or without that line. > > On Oct 22, 8:39 pm, "dan (ddp)" wrote: > > >

[ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread vcorreia
It comes up with the same result with or without that line. On Oct 22, 8:39 pm, "dan (ddp)" wrote: > Your decoder includes "^httpd", but the > output from logtest has a null program_name: > > >       program_name: '(null)' > > Remove that line and it may work (I can't test at the moment). > > On

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
Your decoder includes "^httpd", but the output from logtest has a null program_name: > program_name: '(null)' Remove that line and it may work (I can't test at the moment). On Fri, Oct 22, 2010 at 3:29 PM, vcorreia wrote: > No luck. > > I've created the following local_decoder.xml file in

[ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread vcorreia
No luck. I've created the following local_decoder.xml file in /var/ossec/etc: ^httpd ^"\.+" "\S+" \S+ - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \S+] ^"(\.+)" "(\S+)" (\S+) - - [\d+/\S+/\d\d\d\d:\d\d:\d\d:\d\d \p\d+] "(\S+) (\.+) HTTP/\d.\d" (\d+) \d+ "\.+" "(\.+) srcuser,id,srcip,action,url,st

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
It worked fine for me. Make sure the decoder pasted nicely. It doesn't look very nice in gmail to me, and weird newlines might mess with things. On Fri, Oct 22, 2010 at 2:44 PM, vcorreia wrote: > I did what you said, but on logtest I keep getting this error: > > **Phase 2: Completed decoding. >  

Re: [ossec-list] Problem with custom decoder

2010-10-22 Thread dan (ddp)
On Fri, Oct 22, 2010 at 2:34 PM, Chow, Dennis wrote: > Same problem, and I have no clue why. Phase 1 keeps trying to decode the > first IP address into the actual 'hostname' before I can even attempt to > decode. > Quoting myself: > The message looks like a syslog message, so the timestamp and

[ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread vcorreia
I did what you said, but on logtest I keep getting this error: **Phase 2: Completed decoding. No decoder matched. Vitor Correia On Oct 22, 5:02 pm, "dan (ddp)" wrote: > On Fri, Oct 22, 2010 at 11:35 AM, vcorreia wrote: > > Hello, > > > It looks excellent :) > > > I only posted one line

RE: [ossec-list] Problem with custom decoder

2010-10-22 Thread Chow, Dennis
Same problem, and I have no clue why. Phase 1 keeps trying to decode the first IP address into the actual 'hostname' before I can even attempt to decode. ^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\s192.168.1.2 2010/10/22 13:33:21 ossec-testrule: INFO: Started (pid: 1069). ossec-testrule: Type one log per

Re: [ossec-list] web app to view ossec alerts (via uploading alerts.log)

2010-10-22 Thread dan (ddp)
It looked pretty neat to me. I wouldn't mind playing around with it. On Thu, Oct 21, 2010 at 6:25 PM, Tate Hansen wrote: > Hi: We spun up a ruby on rails web app (backed by mongodb=speed) that allows > us to do daily alert reviews quickly; for us that means being able to view > all the alerts in

Re: [ossec-list] Problem with custom decoder

2010-10-22 Thread dan (ddp)
On Fri, Oct 22, 2010 at 12:49 PM, Chow, Dennis wrote: > Hello, > > I'm trying to write a custom decoder for an appliance. I'm running on an > older OSSEC 2.1.x  server. When using the ossec-logtest tool, the test never > completes phase1 or phase2 properly. Please advise if this is something I'm >

Re: [ossec-list] Two Questions

2010-10-22 Thread dan (ddp)
I'd have to double-check, but I don't remember seeing any alerts for the registry events I've set up to ignore. I think the sregex type might be best: ^HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions On Fri, Oct 22, 2010 at 1:09 PM, Jefferson, Shawn wrote: >

RE: [ossec-list] Two Questions

2010-10-22 Thread Jefferson, Shawn
Any further news on this? Did you find a regex that would work for ignoring this registry entry (which changes frequently): HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-l...@goog

Re: [ossec-list] Re: 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread Rich Rumble
> With sample logs (*wink wink nudge nudge*) we can support websense, > bluecoat, etc. I think most of them will do syslog. If anyone wants to > send me the hardware, let me know. :P While not hardware, I've managed to reverse a few AV logs. Symantec SEP 11.x should be an 80-90% complete "Rosetta sto

[ossec-list] Problem with custom decoder

2010-10-22 Thread Chow, Dennis
Hello, I'm trying to write a custom decoder for an appliance. I'm running on an older OSSEC 2.1.x server. When using the ossec-logtest tool, the test never completes phase1 or phase2 properly. Please advise if this is something I'm doing incorrectly when the pre-decoder is processing the log.

Re: [ossec-list] Re: 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread dan (ddp)
On Fri, Oct 22, 2010 at 12:08 PM, Jefferson, Shawn wrote: >>- OSSEC (or OSSEC Pro) has a correlation engine to use an IP >>address reputation service to calculate and return the risk of an IP >>address detected by OSSEC. (OSSEC Pro could include the use of Trend >>Micro's service, for example,

RE: [ossec-list] Re: 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread Jefferson, Shawn
>- OSSEC (or OSSEC Pro) has a correlation engine to use an IP >address reputation service to calculate and return the risk of an IP >address detected by OSSEC. (OSSEC Pro could include the use of Trend >Micro's service, for example, and the open source version could simply >have an API or framew

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
On Fri, Oct 22, 2010 at 11:35 AM, vcorreia wrote: > Hello, > > It looks excellent :) > > I only posted one line of log because all the other lines are the > same, only changing the time, ip and the first field which is the > common name of the certificate. The second field 'PT' is always the > same

[ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread vcorreia
Hello, It looks excellent :) I only posted one line of log because all the other lines are the same, only changing the time, ip and the first field which is the common name of the certificate. The second field 'PT' is always the same, I set it up that way in order to have a way for ossec to catch

[ossec-list] Re: 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread x509v3
off the top of my head: - OSSEC is built into Amazon EC2 instances out of the box, with useful decoders and rules. by default each instance is pre-wired as an agent and pre-wired to talk to your server instance. Perhaps using user-data as key exchange or config bootstrapping method. - OSSEC (or OSS

Re: [ossec-list] 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread cristian paul peñaranda rojas
OSSEC introduces a FLOSS AI Core which is capable of detecting security behaviors automatically. OSSEC Alerts can be browsed by a semantic Web UI.

Re: [ossec-list] 2WoO Day 6: Running Multiple Instances on One Box

2010-10-22 Thread Jason 'XenoPhage' Frisvold
On 10/22/2010 08:26 AM, Michael Starks wrote: > http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/ Day 6 - Layin' Down The Law - http://blog.godshell.com/blog/archives/277-WoO-Day-6-Layin-Down-The-L

[ossec-list] 2WoO Day 6: Running Multiple Instances on One Box

2010-10-22 Thread Michael Starks
http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/ -- Michael Starks [I] Immutable Security http://www.immutablesecurity.com

[ossec-list] 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread Michael Starks
This is the big perspective on the future of OSSEC. Think BIG! It doesn't matter if no HIDs has ever done it before. It doesn't even matter if you think it can't be done. Let's dream. -- Michael Starks [I] Immutable Security http://www.immutablesecurity.com