Take a look at this -
http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/
On Wed, Apr 27, 2011 at 1:57 PM, Maahkus wrote:
> Hi group - OSSEC is used in our environment mainly for File Integrity
> Monitoring. We've installed OSSEC locally on each server
Hi group - OSSEC is used in our environment mainly for File Integrity
Monitoring. We've installed OSSEC locally on each server and the logs
are sent to a centralized logging solution.
Is there a way that OSSEC can alert when a file is moved or copied in/
from a particular directory? Currently we a
Sorry Martin, got to go out now, but one last suggestion
Are you running the web-gui? If so, can you see the level 5 alerts as
they arise? And again can you determine if those alerts are logging the
IP?
Andy
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
On Be
Thanks, that does work. The problem is that when a real intruder is
triggering my level 5 rule (100245),
it is not recording the source IP, so it has no way of ever triggering
the level 10 rule. That is what I am
trying to figure out, why the decoder is not working properly "live"
when it wo
Hi
You should be able to run ossec-logtest repeatedly (i.e. at least 6 times)
with the same data, and you should see what it does in triggering the
level 10 rule.
Andy
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
On Behalf Of Martin Gottlieb
Sent: Thursday, 28
Good point, I should not be expecting email alerts on the level 5 rule.
But since it's not recording the SrcIP
value, it never triggers the level 10 rule, which I did also create:
Logon Failure
authentication_failed,
User authentication failure.
100245
Windows brute force trying to get ac
Hi
This is triggering a level 5 alert - will that actually do anything on
your system? Or do you have another rule for multiple occurrences?
Certainly for mine, I have a level 10 alert for multiple occurrences
(more than 3) which then activates the response on the windows agent
Just a r
SOLVED!!!
I have created three rules and use option in place of srcip.
Thanks, the ossec-logtest tool helped me to pinpoint the issue. :)
Still, your advice is accepted.
-S
On Wed, Apr 27, 2011 at 11:05 AM, satish patel wrote:
> Hello,
>
> Here is my question we have a security scanner running ever
Hello,
Here is my question: we have a security scanner running every day; now I
want to ignore it, but the issue is its IPv6 address. I don't know how to
ignore IPv6; I tried, but OSSEC is not accepting it.
I tried the following rules, but they don't work:
5712
no_email_alert
10
Well, I thought I was making progress, but now I'm not so sure. My
MSSQL decoder has triggered a couple
of active responses, so I believe it is working properly. But, I am not
getting any alerts on windows logon
failures (I did previously), much less an active response.
I found the following