On 03/24/2011 02:16 PM, dan (ddp) wrote:
> Oh, and would using "\S+" for the username be easier? Are spaces valid
> characters in Windows usernames?
That was the first thing I tried; I'm not good with regex, let me check
if I can use it.
I think that, at least in Active Directory, it is not allowed.
On 03/24/2011 04:02 PM, Satish Patel wrote:
> Epic! Bro.
>
> What configuration did you do for Samba to generate the audit log? We have
> an older version of Samba :(
I use this basic config:
[data]
comment = Datos
path = /home/samba/data
valid users = %U
read only = No
create mask = 0660
direc
On 03/24/2011 02:28 PM, Gurtaj Singh wrote:
> Whoops, my bad... the pipe isn't on that list either... I guess we gotta add
> it there
Yep, I had a hard day yesterday before I tried \| :), and by the way you
can customize the message in Samba; for more info check the manpage:
http://www.samba.org/samba/doc
On 03/24/2011 02:10 PM, dan (ddp) wrote:
> Awesome work! Should the "unlink" be decoded as an "action" or
> something similar?
> dan
I think so; the third field is for the file operation, so this can be
different for a new file written.
I think the operation is pwrite. For more info about the oper
Epic! Bro.
What configuration did you do for Samba to generate the audit log? We have
an older version of Samba :(
--
Sent from my iPhone
On Mar 24, 2011, at 4:10 PM, "dan (ddp)" wrote:
Awesome work! Should the "unlink" be decoded as an "action" or
something similar?
dan
2011/3/24 Jorge Armando Me
I am new to OSSEC, but I do not see how to tell syscheck to only report
when a log file is modified as opposed to added to. In other words, I
am looking for a way to detect tampering with log files.
Could you provide more details?
Lars
On 3/24/2011 12:54 PM, Gurtaj Singh wrote:
use syscheck
I think it's a good idea.
On Thu, Mar 24, 2011 at 4:29 PM, Jeremy Lee wrote:
> Gah... not sure I'd want to go through the trouble of doing all that at this
> point.
>
> Thanks for the info though!
>
> Here's to hoping a "" directive will be added in the next
> OSSEC release!!! :D
>
>
>
> On Thu,
Gah... not sure I'd want to go through the trouble of doing all that at this
point.
Thanks for the info though!
Here's to hoping a "" directive will be added in the next
OSSEC release!!! :D
On Thu, Mar 24, 2011 at 1:15 PM, dan (ddp) wrote:
> Nope, sorry.
>
> You could setup an AR to add the
Nice suggestion and observation, Dan, but I believe Windows usernames
sometimes do use spaces, so I don't see it working consistently.
Spaces are valid in win usernames.
On Thu, 2011-03-24 at 16:16 -0400, dan (ddp) wrote:
> Oh, and would using "\S+" for the username be easier? Are spaces valid
> chara
Whoops, my bad... the pipe isn't on that list either... I guess we gotta add
it there.
On Thu, 2011-03-24 at 16:10 -0400, dan (ddp) wrote:
> Awesome work! Should the "unlink" be decoded as an "action" or
> something similar?
> dan
>
> 2011/3/24 Jorge Armando Medina :
> > Hi there,
> >
> >
> > I'm worki
Great job, man, I think I will be using this in the future... ALL credits
go to you, man!!!
SWEET!!
Oh, and I believe the pipe sign is on the regex page, but maybe not the
page you are looking for. Check this page out:
http://www.ossec.net/doc/syntax/regex.html
On Thu, 2011-03-24 at 16:10 -0400, dan (dd
Nope, sorry.
You could setup an AR to add the username to a cdb list (and compile
the list, or compile the list every x minutes). Then create a rule to
check that list before alerting.
There would be a bit of setup involved in this. The lists aren't the
easiest thing to modify, so adding or remov
Oh, and would using "\S+" for the username be easier? Are spaces valid
characters in Windows usernames?
2011/3/24 Jorge Armando Medina :
> Hi there,
>
>
> I'm working on a project where I need to send alerts when somebody
> deletes a file from a samba share, Samba includes the module full_audit
> w
Awesome work! Should the "unlink" be decoded as an "action" or
something similar?
dan
2011/3/24 Jorge Armando Medina :
> Hi there,
>
>
> I'm working on a project where I need to send alerts when somebody
> deletes a file from a samba share, Samba includes the module full_audit
> which records some
Use syscheck on those logs;
I suppose that's your best bet.
On Thu, 2011-03-24 at 12:26 -0700, Lars Oberg wrote:
> Hello,
>
> How can I configure ossec to alert me if somebody tampers with a log file?
>
> In other words, I do not want to get alerts anytime something is added
> to the log, but I wa
Hello,
How can I configure ossec to alert me if somebody tampers with a log file?
In other words, I do not want to get alerts any time something is added
to the log, but I want to get alerts if existing contents in the log
file are modified or deleted.
Thanks,
Lars
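The check Lars is asking for (alert on modification or deletion of existing log content, stay quiet on appends) is not what a whole-file checksum gives you. The following is an added example, not code from the thread and not OSSEC's syscheck: it records the size and hash of the file once, and on each check hashes only the baseline-length prefix, so appended lines pass while a rewritten or shortened prefix is flagged. The demo writes a constructed sshd-style log into a temporary directory; the in-memory `baseline` dict stands in for whatever a real agent would persist.

```python
"""Append-only log integrity check (added example, not from the thread or OSSEC).

A plain whole-file hash alerts on every appended line.  Instead, keep the
size and hash of the file as it was at baseline time and verify only that
prefix on each check: an append leaves the prefix intact, tampering does not.
"""
import hashlib
import os
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(path: str) -> dict:
    """Record the current size and content hash of the file as the baseline."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "hash": _sha256(data)}


def check(path: str, baseline: dict) -> str:
    """Compare the file against a baseline.

    Returns one of:
      'unchanged'  - same bytes as at baseline time
      'appended'   - baseline prefix intact, new bytes after it (normal logging)
      'truncated'  - file is shorter than the baseline (lines removed)
      'modified'   - bytes inside the baseline region were rewritten
    Only the baseline-length prefix is read and hashed, so a growing log
    does not get re-read in full on every check.
    """
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])
        more = f.read(1)  # any byte past the baseline means something was appended
    if len(prefix) < baseline["size"]:
        return "truncated"
    if _sha256(prefix) != baseline["hash"]:
        return "modified"
    return "appended" if more else "unchanged"


def demo() -> list:
    """Run the four scenarios on a constructed log and return the verdicts."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")  # constructed sample log, not a real one
        with open(log, "wb") as f:
            f.write(b"Mar 24 12:00:01 host sshd[100]: Accepted publickey for ops\n")
        base = snapshot(log)
        verdicts.append(check(log, base))  # nothing happened yet

        with open(log, "ab") as f:  # normal operation: a line is appended
            f.write(b"Mar 24 12:00:05 host sshd[101]: Failed password for root\n")
        verdicts.append(check(log, base))
        base = snapshot(log)  # accept the append and move the baseline forward

        with open(log, "r+b") as f:  # tampering: rewrite bytes inside the old region
            f.seek(0)
            f.write(b"XXX")
        verdicts.append(check(log, base))

        with open(log, "r+b") as f:  # tampering: cut the file down
            f.truncate(10)
        verdicts.append(check(log, base))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Moving the baseline forward after an accepted append is the part a monitor has to get right: if an attacker can both append and edit between two checks, the edit is caught only if it touches bytes that were already covered by the previous baseline, so the check interval bounds the window.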
On 03/23/2011 10:54 AM, Eric Hansen wrote:
> Yup; 770 with root:ossec, and I used install.sh to install OSSEC. I
> know I also can't install Safe Squid either on Arch Linux (it won't
> generate a full serial key), so I'm wondering if it just might b
Hi there,
I'm working on a project where I need to send alerts when somebody
deletes a file from a samba share, Samba includes the module full_audit
which records something like this:
Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt
Mar 23 13:44:18 fs1 smbd_audit:
jorg
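The thread settles on three points about these lines: the third field is the VFS operation (`unlink`, `pwrite`, ...) and should be decoded as the action, the `|` separator has to be escaped in the decoder regex, and `\S+` is the wrong match for the username because Windows/AD usernames may contain spaces. As an added example (not the poster's decoder and not OSSEC code), the parser below matches the syslog prefix with a regex and then splits the audit payload on the literal `|`, which handles spaces in usernames since a pipe cannot appear in one. The sample log lines are constructed for the example, following the `user|client_ip|operation|result|path` layout of the line quoted above; the alert levels, the set of destructive operations and the user allowlist are the example's own choices.

```python
"""Decode Samba full_audit (smbd_audit) lines and flag destructive operations.

Added example, not the decoder from the thread or OSSEC's own code.  Field
layout follows the quoted log line: user|client_ip|operation|result|path.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog prefix up to the program name; the audit payload is everything after it.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+smbd_audit:\s+(?P<payload>.*)$"
)

# Operations that remove or overwrite data (example's own choice of set).
DESTRUCTIVE_OPS = {"unlink", "rmdir", "rename", "pwrite"}


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str
    srcip: str
    action: str  # third field: the VFS operation (unlink, pwrite, open, ...)
    status: str  # "ok" or "fail"
    path: str


def decode(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None for anything that is not smbd_audit."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    # Split on the literal pipe instead of matching \S+: usernames may contain
    # spaces but never a pipe.  maxsplit=4 keeps any '|' inside the path intact.
    parts = m.group("payload").split("|", 4)
    if len(parts) != 5:
        return None
    user, srcip, action, status, path = parts
    return AuditEvent(m.group("ts"), m.group("host"), user, srcip, action, status, path)


def alert_level(ev: AuditEvent, allowed_users=frozenset()) -> int:
    """OSSEC-style level for the event; 0 means no alert.

    Failed operations are ignored, as are users on the allowlist (the
    role a cdb list would play in a rule); deletions rank above overwrites.
    """
    if ev.status != "ok" or ev.action not in DESTRUCTIVE_OPS:
        return 0
    if ev.user in allowed_users:
        return 0
    return 10 if ev.action in ("unlink", "rmdir") else 5


def scan(lines, allowed_users=frozenset()) -> List[Tuple[str, str, str, int]]:
    """Return (user, action, path, level) for every line that would alert."""
    hits = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        level = alert_level(ev, allowed_users)
        if level:
            hits.append((ev.user, ev.action, ev.path, level))
    return hits


# Constructed sample lines in the format of the one quoted in the post.
SAMPLE_LOG = [
    "Mar 23 13:44:18 fs1 smbd_audit: jperez|192.168.221.50|unlink|ok|dir1/ss.txt",
    "Mar 23 13:44:20 fs1 smbd_audit: Maria Lopez|192.168.221.51|pwrite|ok|dir1/report.docx",
    "Mar 23 13:44:25 fs1 smbd_audit: jperez|192.168.221.50|unlink|fail|dir1/locked.txt",
    "Mar 23 13:44:30 fs1 smbd_audit: backup svc|192.168.221.5|rmdir|ok|old/2010",
    "Mar 23 13:44:31 fs1 smbd_audit: jperez|192.168.221.50|open|ok|dir1/notes.txt",
    "Mar 23 13:44:32 fs1 sshd[2210]: Accepted publickey for jperez from 192.168.221.50",
]


if __name__ == "__main__":
    for user, action, path, level in scan(SAMPLE_LOG, frozenset({"backup svc"})):
        print(f"level {level}: {user} {action} {path}")
```

Running it with `backup svc` on the allowlist reports only jperez's successful `unlink` and Maria Lopez's `pwrite`; the failed unlink, the `open`, the allowlisted rmdir and the unrelated sshd line produce nothing.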
I am new to OSSEC. I made changes to local_rules.xml, which seemed to
work. When I went back and made other changes that should have negated
some of the original ones, they never seemed to take effect. I have a
rule that is showing up in alert.log that was in the original changed
local_rules file,
Hey all,
I was wondering if it's possible to ignore certain MSAuth rules based
on users. I know this is possible with IPs. I'd want to implement this
for account lockouts.
In some cases users get themselves locked out and it creates a flurry
of Alert level 7s - probably because they have their mo
I have not tried it myself. Others have though, including Daniel Cid.
Search the archives.
On Thu, Mar 24, 2011 at 10:28 AM, Tanishk Lakhaani wrote:
> Hi dan,
> I still have a doubt. Have you done the PoC for this?
>
> I doubt it will work. Still, I'll try doing it
>
> Regards
> Tanishk Lakhaan
Hi dan,
I still have a doubt. Have you done the PoC for this?
I doubt it will work. Still, I'll try doing it.
Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel
-Original Message-
From: "dan (ddp)"
Sender: ossec-list@googlegroups.com
Date: Thu, 24 Mar 2011 09:28:04
To:
Reply-T
Has anyone used OSSEC to perform the log capturing and Orion to perform
the syslog analysis? My current environment contains OSSEC, Splunk (free) and
Orion. I know that I could set Splunk to be a forwarder.
Barry Walker
Have you tried to use a load balancer to perform the task, since it has a
virtual IP address and can have multiple addresses behind the virtual address?
Barry Walker
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Hakan Bi
Sent: Thu
On Mar 24, 2011 9:25 AM, "Tanishk Lakhaani" wrote:
>
> But how are we going to generate the same keys on both the servers... the
> server has its own algorithm for generating the keys... though the algorithms
> will be the same on both the servers... but generating the same key is not
> possible, I think.
>
Copy th
Copy the client.keys file from one server to the other.
On Mar 24, 2011 9:25 AM, "Hakan Bi" wrote:
> OK, but how can two different masters use the same agent key? They
> should generate their own agent key?
> Thanks for the reply
>
> 2011/3/23 dan (ddp) :
>> I think they'd have to use the same key
Hi jeff,
Times are consistent because the integrity checksum must have been fixed to run at a
certain time in the ossec.conf file... that's why, when it notices changes, it
notifies the server, and hence the flood.
Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel
-Original Message-
From:
But how are we going to generate the same keys on both the servers... the server
has its own algorithm for generating the keys... though the algorithms will be the same on
both the servers... but generating the same key is not possible, I think.
Also, in my opinion it is not possible to configure the client to s
OK, but how can two different masters use the same agent key? They
should generate their own agent key?
Thanks for the reply
2011/3/23 dan (ddp) :
> I think they'd have to use the same key on both servers.
>
> On Wed, Mar 23, 2011 at 12:42 PM, Gunnar wrote:
>> Hello
>>
>> Is two masters possible