Hi all,
I have a lot of these messages in the manager log:
ossec-remoted(1310): WARN: Invalid active response (execd) message '1:
(client name'.
The messages repeat for all clients almost every minute.
After some time clients stop sending events to the manager (no new
events in alerts.log). If
- Original Message -
I think your rule says that if you see 25 5720 events within 180
seconds, fire rule 10044.
This wouldn't stop 5720 from firing.
What are you trying to do exactly?
On Mon, Feb 7, 2011 at 6:06 AM, --[ UxBoD ]-- ux...@splatnix.net
wrote:
Require some help
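To make Dan's reading of the rule concrete, here is an added example (not code from the thread or from OSSEC itself): a simplified Python model of a composite rule with frequency/timeframe options, run over a constructed event stream. It shows that 25 parent matches inside 180 seconds raise the composite rule while the parent rule still alerts on every single event. The reset-after-fire behaviour, the event timings and the 10.0.0.x addresses are assumptions; ossec-analysisd's real bookkeeping differs in detail.

```python
"""Simplified model of an OSSEC-style composite rule with frequency/timeframe.

Added example, not code from the list thread or from OSSEC itself: it mimics
the behaviour described in the thread (N parent matches inside T seconds raise
the composite rule, while the parent rule still alerts on every event). The
reset-after-fire behaviour, the event stream and the IP addresses below are
assumptions; ossec-analysisd's real bookkeeping differs in detail.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CompositeRule:
    rule_id: int          # the composite rule, e.g. 10044
    if_matched_sid: int   # parent rule whose alerts are counted, e.g. 5720
    frequency: int        # how many parent alerts are needed
    timeframe: int        # within how many seconds
    same_source_ip: bool = True


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    srcip: str
    rule_id: int   # rule the event already matched in the decoder/rule chain


def correlate(events, composite):
    """Return (parent_alerts, composite_alerts) for an event stream.

    Every event matching the parent rule produces a parent alert, so the
    composite rule never suppresses its parent. A composite alert is raised
    when `frequency` parent alerts sharing the key (source IP, or one global
    key) fall within `timeframe` seconds; the window is then cleared so the
    same events are not counted again (assumed behaviour).
    """
    parent_alerts = []
    composite_alerts = []
    windows = defaultdict(deque)

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.rule_id != composite.if_matched_sid:
            continue
        parent_alerts.append((ev.rule_id, ev.srcip, ev.ts))

        key = ev.srcip if composite.same_source_ip else "*"
        win = windows[key]
        win.append(ev.ts)
        # Drop timestamps that fell out of the sliding timeframe.
        while win and ev.ts - win[0] > composite.timeframe:
            win.popleft()
        if len(win) >= composite.frequency:
            composite_alerts.append((composite.rule_id, ev.srcip, ev.ts))
            win.clear()

    return parent_alerts, composite_alerts


# Rule 10044 as described in the thread: 25 hits of 5720 within 180 seconds.
RULE_10044 = CompositeRule(rule_id=10044, if_matched_sid=5720,
                           frequency=25, timeframe=180)


def sample_events():
    """Constructed sample: 30 hits from 10.0.0.5 in 60 s, 3 from 10.0.0.9."""
    evs = [Event(ts=1000 + 2 * i, srcip="10.0.0.5", rule_id=5720) for i in range(30)]
    evs += [Event(ts=1000 + 20 * i, srcip="10.0.0.9", rule_id=5720) for i in range(3)]
    return evs


def demo():
    """Count parent alerts and list which composite alerts fired."""
    parents, composites = correlate(sample_events(), RULE_10044)
    return len(parents), [(rid, ip) for rid, ip, _ in composites]


if __name__ == "__main__":
    print(demo())  # -> (33, [(10044, '10.0.0.5')])
```

All 33 events still produce a 5720 alert; only the burst from 10.0.0.5 reaches 25 within the window and raises 10044 once. Spreading the same 30 events 10 seconds apart never fills the 180-second window, so the composite stays silent.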
The manager shouldn't be an older version than the clients.
Seeing the complete error would be nice, as would seeing some of the
configurations.
On Tue, Feb 8, 2011 at 7:07 AM, maker007 maker...@runbox.com wrote:
hi all,
I have a lot of these messages in manager log:
ossec-remoted(1310):
No, it's not currently possible.
On Tue, Feb 8, 2011 at 1:25 AM, tayebe t.amiri1...@gmail.com wrote:
Hi all.
I have another question about active response.
I want to execute a script with some arguments, except srcip and user. Is
that possible? What should I do if not?
Thanks in advance.
- Original Message -
Hi Phil,
On Tue, Feb 8, 2011 at 7:23 AM, --[ UxBoD ]-- ux...@splatnix.net
wrote:
Dan,
I think I see what I did wrong and have changed it now to use two
rules:
<rule id="10044" level="0">
<if_sid>5720</if_sid>
<same_source_ip />
<description>Multiple
I can't seem to find in the documentation anywhere about the ability to
email when Active Response executes a block on IP or when it would drop it.
I know you can see the block message in the Active Response log, so is there
a way to email those messages as well? Maybe I'm missing something or
Hi all,
I have the following directive in my ossec.conf:
<email_alerts>
<email_to>m...@mydomain.com</email_to>
<rule_id>300042</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
This, I would assume, should only send the email of the 300042
triggered event. Correct?
If so, it
Hi James,
On Tue, Feb 8, 2011 at 2:07 PM, James Ford james0...@gmail.com wrote:
I can't seem to find in the documentation anywhere about the ability to
email when Active Response executes a block on IP or when it would drop it.
I know you can see the block message in the Active Response log,
On Tue, Feb 8, 2011 at 2:50 PM, jplee3 jpl...@gmail.com wrote:
Hi all,
I have the following directive in my ossec.conf:
<email_alerts>
<email_to>m...@mydomain.com</email_to>
<rule_id>300042</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
This, I would assume, should only
On Tue, Feb 8, 2011 at 2:10 PM, --[ UxBoD ]-- ux...@splatnix.net wrote:
SNIP
Okay have been doing quite a bit of testing with all this; and now I am
checking the *correct* rule to start with am seeing some interesting results.
Here are the two rules defined in local_rules.xml:
rule
Makes sense...just wanted to make sure there wasn't an easier way already
built into ossec that I'd just need to modify the ossec.conf file to
initiate. Thanks for the quick response!
On Tue, Feb 8, 2011 at 11:51 AM, dan (ddp) ddp...@gmail.com wrote:
Hi James,
On Tue, Feb 8, 2011 at 2:07 PM,
What is the directive again for disabling grouping?
On Tue, Feb 8, 2011 at 11:52 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Feb 8, 2011 at 2:50 PM, jplee3 jpl...@gmail.com wrote:
Hi all,
I have the following directive in my ossec.conf:
email_alerts
On Tue, Feb 8, 2011 at 3:05 PM, Jeremy Lee jpl...@gmail.com wrote:
What is the directive again for disabling grouping?
Look in /var/ossec/etc/internal_options.conf.
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1
I'm sure there's a better
On Tue, Feb 8, 2011 at 3:28 PM, --[ UxBoD ]-- ux...@splatnix.net wrote:
Doesn't look like you're missing anything.
Why so Dan ? If the frequency on rule 5551 is 6, and there are 31 events that
trigger rule 5503, then I would have expected rule 5551 to have matched 6
times when in fact it
Is anyone else having issues with getting AR to work when location
is set to defined-agent and the log alerts/analysis is on the OSSEC
server itself?
On Feb 7, 12:00 pm, Jeremy Lee jpl...@gmail.com wrote:
Actually, <location>local</location> does work (in addition to 'server') -
thinking about
I've switched one of my ARs to use defined-agent. I'll let you know
tomorrow if it works.
On Tue, Feb 8, 2011 at 4:24 PM, jplee3 jpl...@gmail.com wrote:
Is anyone else having issues with getting AR to work when location
is set to defined-agent and the log alerts/analysis is on the OSSEC
server
OSSEC HIDS Notification.
2011 Feb 08 19:15:51
Received From: servername-/var/log/messages
Rule: 1002 fired (level 2) - Unknown problem somewhere in the
system.
Portion of the log(s):
Feb 8 19:15:49 servername kernel: program[26416] general protection
ip:3d2007f754 sp:7fff8c54be88 error:0 in
What do you have so far?
echo 'Feb 8 19:15:49 servername kernel: program[26416] general
protection ip:3d2007f754 sp:7fff8c54be88 error:0 in
libc-2.12.so[3d2000+175000]' | /var/ossec/bin/ossec-logtest
On Tue, Feb 8, 2011 at 8:28 PM, upen upendra.gan...@gmail.com wrote:
OSSEC HIDS
On Feb 8, 7:35 pm, dan (ddp) ddp...@gmail.com wrote:
What do you have so far?
Thanks for quick reply.
<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="100040" level="2">
<if_sid>1002</if_sid>
<match>servername kernel: graph</match>
<description>servername kernel: graph</description>
On Tue, Feb 8, 2011 at 8:41 PM, upen upendra.gan...@gmail.com wrote:
On Feb 8, 7:35 pm, dan (ddp) ddp...@gmail.com wrote:
What do you have so far?
Thanks for quick reply.
<!-- Specify here a list of rules to ignore. -->
<!--
The '<!--' above and '-->' below indicate that this is commented out.
Thanks. I am an idiot!
The term graph did not appear in the log message at all.
I don't have access to ossec at the moment, but servername is probably
the hostname of the system the log message came from. If so, it won't
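As an added illustration of Dan's point (not code from the thread or from OSSEC), here is a simplified Python syslog pre-decoder that, like ossec-analysisd, separates timestamp, hostname and program name from the message before rules are evaluated, plus a minimal `<match>` check applied only to the remaining message. It is run over the kernel log line quoted earlier in the thread. The regex, the dict layout and the corrected rule are my assumptions; OSSEC's own pre-decoder and pattern syntax are richer.

```python
"""Why `<match>servername kernel: graph</match>` can never fire.

Added example, not code from the thread or from OSSEC: a simplified syslog
pre-decoder that, like ossec-analysisd, separates the timestamp, hostname
and program name from the message before rule matching, and a minimal
`<match>` check done only against the remaining message. The regex, the
corrected rule and the dict layout are assumptions; OSSEC's own
pre-decoder and pattern syntax are richer.
"""
import re

# Sample line taken from the alert quoted in the thread (the libc path is
# reproduced exactly as it appears there).
SAMPLE_LOG = ("Feb 8 19:15:49 servername kernel: program[26416] general protection "
              "ip:3d2007f754 sp:7fff8c54be88 error:0 in libc-2.12.so[3d2000+175000]")

SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    """Split a BSD-syslog line into the fields that rule options see.

    Returns a dict with timestamp, hostname, program_name and log; a line
    without a recognisable header is returned whole as `log`.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"timestamp": None, "hostname": None, "program_name": None, "log": line}
    return m.groupdict()


def rule_matches(rule, fields):
    """Evaluate a tiny subset of OSSEC rule options.

    `match` is checked only against the message body (`log`), with `|`
    separating alternatives as in OSSEC patterns; `hostname` and
    `program_name` are checked against their own pre-decoded fields.
    `if_sid` is carried along for readability and not evaluated here.
    """
    if "hostname" in rule and rule["hostname"] != fields["hostname"]:
        return False
    if "program_name" in rule and rule["program_name"] != fields["program_name"]:
        return False
    if "match" in rule:
        if not any(alt in fields["log"] for alt in rule["match"].split("|")):
            return False
    return True


# The rule as posted: hostname and program name are not part of `log`, and
# "graph" does not occur in the message at all.
POSTED_RULE = {"id": 100040, "if_sid": 1002, "match": "servername kernel: graph"}

# Assumed correction (mine, not from the thread): put hostname and program
# name into their own options and match on text that is actually present.
CORRECTED_RULE = {"id": 100040, "if_sid": 1002, "hostname": "servername",
                  "program_name": "kernel", "match": "general protection"}


def demo():
    """Return (posted rule matches?, corrected rule matches?) for the sample."""
    fields = predecode(SAMPLE_LOG)
    return rule_matches(POSTED_RULE, fields), rule_matches(CORRECTED_RULE, fields)


if __name__ == "__main__":
    print(predecode(SAMPLE_LOG)["log"])
    print(demo())  # -> (False, True)
```

Running the sample through ossec-logtest as Dan suggests shows the same split: the hostname and program name are reported as separate fields, and `<match>` only ever sees what follows them.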
On Wed, Feb 9, 2011 at 12:00 AM, tayebeh amiri t.amiri1...@gmail.com wrote:
So, what should I do? I want to eject USB on the agent when some specific rule
occurs,
but I can't find a script without arguments. Please help me.
Don't know. Maybe you can add support to OSSEC to pass more than just
srcip