Hi,
I'm saying that AR just doesn't work at all on any agent - it works fine on
the server but for some reason the command is not getting passed to the
machines the agent is running on.
On Fri, Feb 4, 2011 at 8:03 PM, tanishk lakhaani wrote:
> Hi,
> Could not understand the issue that you are faci
I think his point is that one attack 'passing' through is enough. Think
about it - if they can get an attack through that successfully commits a
DROP TABLE statement, you're already in the black. Whether you've dropped
them at that point or not doesn't really matter because they've accomplished
wha
Hi,
Could not understand the issue that you are facing. Do you want to say that when you
run the command to check the AR's functionality, it does not run in
accordance with the configuration in ossec.conf?
Regards
Tanishk
On Sat, Feb 5, 2011 at 5:45 AM, jplee3 wrote:
> I also tried with all and it did no
Yes, the active response works on the basis of this only... When you launch a
scan, a few attacks will actually pass through; only then will the agent forward
the corresponding logs to the OSSEC Server, which will then decide whether to
use Active Response or not. Once the server decides to use active respo
I also tried with all and it did not work.
Something I did notice: on the OSSEC server the "/var/ossec/queue/
alerts/ar" file exists while on the agents I'm trying to get this to
work on, that file does not exist. Is this the cause of the problem?
If so, what would have caused the ar file to go a
What's really strange is that I can get the AR to run perfectly fine
on the OSSEC server (server). AR kicks off the
route-null.sh command on the server and null routes the correct IP.
When I tested this on the local server (in addition to the defined
agent) I couldn't get AR to work at all though.
Hi,
The fix is to find out why it's dying. You should look through your
logs to see if there is any mention of it.
If you're running linux and it segfaults there should be a message in
the logfiles about that.
If it's crashing, you can try running it in gdb.
Not sure if the fork thing is needed,
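As an added example (my own, not code from the thread or from OSSEC itself), a small POSIX shell checklist for the symptom discussed above, meant to be run on the host that is supposed to execute the response, i.e. the agent in jplee3's case, and then again on the server for comparison. It assumes OSSEC's default layout (install prefix /var/ossec, response scripts under active-response/bin/, daemon log at logs/ossec.log) and the route-null.sh script named in the thread; the directory and script name are parameters so the functions can also be pointed at a test tree.

```shell
#!/bin/sh
# Added example (not code from the thread or from OSSEC): a checklist for the
# "AR runs on the server but not on the agent" symptom, run on the host that
# is supposed to execute the response script. Assumptions: OSSEC's default
# layout (prefix /var/ossec, scripts in active-response/bin/, log in
# logs/ossec.log); both the prefix and the script name are parameters.

# The daemon that actually runs AR scripts is ossec-execd. If it is not
# running on this host, no response can fire here, whatever the server sends.
ar_execd_running() {
  pgrep -x ossec-execd >/dev/null 2>&1
}

# $1 = OSSEC dir, $2 = script name as given in <executable> in ossec.conf.
# True when the script exists and is executable.
ar_script_ok() {
  script="$1/active-response/bin/$2"
  [ -f "$script" ] && [ -x "$script" ]
}

# $1 = OSSEC dir. Prints execd ERROR/CRIT lines and any "segfault" mention
# from logs/ossec.log; true when there is nothing to report.
ar_log_clean() {
  log="$1/logs/ossec.log"
  [ -f "$log" ] || { echo "no $log"; return 2; }
  ! grep -E 'ossec-execd.*(ERROR|CRIT)|segfault' "$log"
}

# $1 = OSSEC dir (default /var/ossec), $2 = script (default route-null.sh).
# Returns non-zero if any check fails.
ar_check() {
  dir="${1:-/var/ossec}"
  name="${2:-route-null.sh}"
  rc=0
  if ar_execd_running; then
    echo "ok:   ossec-execd is running"
  else
    echo "FAIL: ossec-execd is not running (AR cannot execute on this host)"; rc=1
  fi
  if ar_script_ok "$dir" "$name"; then
    echo "ok:   $dir/active-response/bin/$name exists and is executable"
  else
    echo "FAIL: $dir/active-response/bin/$name missing or not executable"; rc=1
  fi
  if ar_log_clean "$dir"; then
    echo "ok:   no execd errors in $dir/logs/ossec.log"
  else
    echo "FAIL: see the lines above; if execd keeps dying, run it under gdb"; rc=1
  fi
  return $rc
}

# Stand-alone usage: sh ar_check.sh check [OSSEC_DIR] [SCRIPT]
case "${1:-}" in
  check) shift; ar_check "$@" ;;
esac
```

Run it as `sh ar_check.sh check` on the agent and on the server and compare the two outputs. A missing ossec-execd on the agent, or a response script that is present on the server but not executable on the agent, is exactly the kind of difference that lets the server null-route an address while the agent silently does nothing.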
Hey guys,
I'm not exactly sure what happened but it seems my Active Response
stopped working. I've verified the rule behind the AR gets triggered
and I also manually tested the rule via the agent_control command.
Here are the configs/logs:
ossec.conf:
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
  </command>
Hello Folks,
We are running OSSEC 2.5.1
[root@bobo src]# service ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild: Process 31720 not used by ossec, removing ..
ossec-maild
So are you wanting to forward *all* Apache logs to the syslog server (OSSIM
I'm assuming)? Or are you wanting to forward OSSEC alerts to the syslog
server? BTW: I'm sure you're aware but OSSEC is integrated into OSSIM.
--Jeremy
On Fri, Feb 4, 2011 at 12:30 PM, tanishk lakhaani wrote:
> Jeremy,
On 02/04/2011 12:39 PM, tanishk lakhaani wrote:
> Well, I think that deploying active response can be a good way out to
> prevent SQL Injection based attacks. However, there may be a few issues
> related to it, viz. decoders in ossec are designed to indicate a SQL
> Injection attack even in case SEL
Jeremy,
In case I am using the OSSEC Agent, I think my steps go like this: configuring
mod-security to log its events in the *error_log* file at the server end. Then I
can reconfigure the agent to monitor the logs of the error_log file and send them
to the server, which will parse these logs in accordance with t
I don't know if "/var/log/messages local7.*" is correct
However, the second line is correct.
BUT, I think I was initially incorrect about the 2nd option when advising
it. If the logs are logging to Apache logs, which they should be by default,
then I believe you actually need to set up l
Jeremy,
It's the syslogd daemon that this Open Source uses.
Rgds
Tanishk
On Sat, Feb 5, 2011 at 12:48 AM, dan (ddp) wrote:
> Hi Tanishk,
>
> Which syslog daemon are you using?
>
>
> On Fri, Feb 4, 2011 at 2:07 PM, tanishk lakhaani
> wrote:
> > Hey thanks for replying
> >
> > Well I am trying th
Hi Tanishk,
Which syslog daemon are you using?
On Fri, Feb 4, 2011 at 2:07 PM, tanishk lakhaani wrote:
> Hey thanks for replying
>
> Well, I am trying the second option. Can you please give me some information on how
> to set up log forwarding via syslog
>
> What I tried was (in /etc/syslog.conf):
Jeremy
I am using OSSIM for the same.
Any suggestions ?
Rgds
Tanishk
On Sat, Feb 5, 2011 at 12:26 AM, Jeremy Lee wrote:
> What SIEM are you using? Also, this may be obvious, but make sure the SIEM
> is setup/enabled to receive syslogs from other sources (a lot of SIEMS use
> agents to poll dat
Hey thanks for replying
Well, I am trying the second option. Can you please give me some information on how
to set up log forwarding via syslog?
What I tried was (in /etc/syslog.conf):
/var/log/messages local7.*
local7.* @ServerIP
Am I doing it the right way?
Regards
Tanishk
On Sat, Feb 5, 2011 a
Do you have the OSSEC agent installed on the same box that ModSecurity is
on? And is ModSec logging to the Apache logs? If so, make sure the OSSEC
agent is monitoring the Apache logs and on your OSSEC server be sure to tune
the ModSec rules (should be in the apache_rules.xml) to log/alert as
requir
What SIEM are you using? Also, this may be obvious, but make sure the SIEM
is setup/enabled to receive syslogs from other sources (a lot of SIEMS use
agents to poll data but will also have syslog receive functionality). You'll
probably have to make sure that the server where you're forwarding logs f
Hi all,
I have deployed Mod-Security, but I am unable to forward the logs of
Mod-Security to the OSSEC Server as well as a SIEM.
Can anyone help me fix this?
Regards
Tanishk
Well, I think that deploying active response can be a good way out to
prevent SQL Injection based attacks. However, there may be a few issues
related to it, viz. decoders in ossec are designed to indicate a SQL
Injection attack even in case SELECT/UNION or any other SQL Based command is
used in the R
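To make the decoder concern concrete, here is an added example (my own, not from the thread and not OSSEC's web_rules.xml) that runs two simplified signatures over a constructed Apache access-log sample: a keyword-only pattern that fires on any request containing SELECT, UNION, INSERT or DROP, and a pattern that additionally requires SQL syntax around the keyword. The log lines and both patterns are assumptions made for the illustration, not real traffic or real rules.

```shell
#!/bin/sh
# Added example (not from the thread, and not OSSEC's own web_rules.xml): shows
# why a keyword-only SQL-injection signature fires on ordinary requests that
# happen to contain SELECT or UNION, and how requiring surrounding SQL syntax
# narrows the hits. Both patterns are simplified assumptions for illustration.

# Constructed Apache access-log sample (not real traffic): two benign requests
# that merely contain SQL words, one UNION-based injection, one DROP TABLE.
SAMPLE_LOG='10.0.0.5 - - [04/Feb/2011:12:00:00 +0000] "GET /search?q=select+a+book HTTP/1.1" 200 512
10.0.0.6 - - [04/Feb/2011:12:00:01 +0000] "GET /docs/union-contract.html HTTP/1.1" 200 2048
10.0.0.7 - - [04/Feb/2011:12:00:02 +0000] "GET /item?id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 200 900
10.0.0.8 - - [04/Feb/2011:12:00:03 +0000] "GET /item?id=1;DROP%20TABLE%20users HTTP/1.1" 500 0'

# Keyword-only signature: any SQL verb anywhere in the line.
KEYWORD_RE='select|union|insert|drop'

# Syntax-aware signature: a quote (raw or %27) followed by UNION/SELECT or a
# comment marker, UNION<sep>SELECT, SELECT ... FROM, or DROP<sep>TABLE, where
# <sep> is a URL-encoded space (%20) or a plus sign.
SEP='(%20|\+)'
SYNTAX_RE="(%27|').*(union|select|--)|union${SEP}+select|select.*${SEP}from${SEP}|drop${SEP}+table"

# $1 = pattern; stdin = log. Prints the source IP of every matching line,
# i.e. the addresses an active response such as route-null would act on.
sqli_sources() {
  grep -Ei "$1" | cut -d' ' -f1
}

# $1 = pattern. Number of sample lines the pattern flags.
count_hits() {
  printf '%s\n' "$SAMPLE_LOG" | grep -Eic "$1" || true
}

# Stand-alone usage: sh sqli_compare.sh run
case "${1:-}" in
  run)
    echo "keyword-only hits: $(count_hits "$KEYWORD_RE")"
    echo "syntax-aware hits: $(count_hits "$SYNTAX_RE")"
    printf '%s\n' "$SAMPLE_LOG" | sqli_sources "$SYNTAX_RE" ;;
esac
```

With this sample the keyword-only pattern flags all four lines, including the book search and the union-contract page, and would hand those two client addresses to a null-route response; the syntax-aware pattern flags only the UNION SELECT and DROP TABLE requests. The one-pass-is-enough point made earlier in the thread still applies to the narrower pattern: tightening it buys fewer blocked customers only if it keeps catching every real injection.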
Hi,
Probably this is OK, but don't you think that some changes have to be made on
the SIEM side as well, to accept the syslogs from the OSSEC Server?
Regards
Tanishk
On Thu, Feb 3, 2011 at 3:14 AM, Jefferson, Shawn <
shawn.jeffer...@bcferries.com> wrote:
> Hi,
>
> It depends on what you are trying
Also, can you please explain the 2nd point in some more detail?
Rgds
Tanishk
On Thu, Feb 3, 2011 at 3:14 AM, Jefferson, Shawn <
shawn.jeffer...@bcferries.com> wrote:
> Hi,
>
> It depends on what you are trying to do I guess. Here's how I have it
> setup:
>
> 1. Set the syslog output in the ossec.con
The location of ossec.log depends upon the directory in which you have
configured it to... By default it is /var/ossec, and hence your ossec.log file
resides at /var/log/ossec.log
Rgds
Tanishk
On Thu, Feb 3, 2011 at 10:58 PM, dan (ddp) wrote:
> There's no configuration for where the log exists.
> OS