Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-03 Thread dan (ddp)
On Aug 4, 2011 1:34 AM, "George Ochola" wrote: > > This is the output > /var/ossec/bin/ossec-logtest -t > 2011/08/04 08:29:44 ossec-testrule: INFO: Reading local decoder file. > 2011/08/04 08:29:44 rules_list: Signature ID '18101' not found. Invalid 'if_sid' > > Have you done something to 18101

Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-03 Thread George Ochola
This is the output /var/ossec/bin/ossec-logtest -t 2011/08/04 08:29:44 ossec-testrule: INFO: Reading local decoder file. 2011/08/04 08:29:44 rules_list: Signature ID '18101' not found. Invalid 'if_sid'   From: dan (ddp) To: ossec-list@googlegroups.com Sent: Wed

Re: [ossec-list] OSSEC Population of Agents Table; Monitoring Newly Created Log Files

2011-08-03 Thread Jeremy Lee
Actually, an amendment to my statement on wildcards. "Wildcards won't work IF under Windows. They should work for Linux however" On Wed, Aug 3, 2011 at 6:54 PM, Jeremy Lee wrote: > I can't speak to question 1, but as far as question 2 is concerned > > Wildcards won't work but the date place

Re: [ossec-list] OSSEC Population of Agents Table; Monitoring Newly Created Log Files

2011-08-03 Thread Jeremy Lee
I can't speak to question 1, but as far as question 2 is concerned Wildcards won't work but the date placeholders should. This should work fine, although there may be delays with OSSEC reading the file. Also, the OSSEC log won't log that it's reading a log file that was created *after* the age

Re: [ossec-list] OSSEC Population of Agents Table; Monitoring Newly Created Log Files

2011-08-03 Thread dan (ddp)
On Wed, Aug 3, 2011 at 9:19 PM, Decker Christopher wrote: > OSSECers, > I have two brief questions: > > I have OSSEC configured to write alerts to a DB.  I've noticed that > the agents table is never populated (even though I have multiple agents > communicating with my Manager).  Is this a bug?  I

Re: [ossec-list] Re: Monitoring logins via btmp and wtmp

2011-08-03 Thread Jason 'XenoPhage' Frisvold
On Aug 1, 2011, at 6:55 PM, Alisha Kloc wrote: > Unfortunately, we can't make any changes to the HP-UX system, which > means no cron jobs, no clearing logs, etc. All we're allowed to touch > is OSSEC agent stuff. Within that, I have some flexibility if

Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Jason 'XenoPhage' Frisvold
On Aug 3, 2011, at 10:41 AM, Chris Phillips wrote: > Many Thanks Daniel, > > That is just what I needed to hear/read! > > I can see that we do have prelinking turned ON, but not sure it's a "choice" > rather than an OS default, so we may end up swit

[ossec-list] OSSEC Population of Agents Table; Monitoring Newly Created Log Files

2011-08-03 Thread Decker Christopher
OSSECers, I have two brief questions: I have OSSEC configured to write alerts to a DB. I've noticed that the agents table is never populated (even though I have multiple agents communicating with my Manager). Is this a bug? I did find a April 2010 posting where someone reported the same symp

Re: [ossec-list] Re: Monitoring logins via btmp and wtmp

2011-08-03 Thread Michael Starks
On Tue, 2 Aug 2011 08:08:58 -0700 (PDT), Alisha Kloc wrote: If I could, that's exactly how I'd do it. Unfortunately, like I said, we are not allowed to clear the logs on these systems - they have to remain there locally. We can't do anything except read them. Believe me, I'd love to be able to u

Re: [ossec-list] OSSEC server restart and agent re-connect?

2011-08-03 Thread Jeremy Lee
Hi Daniel, How would I go about changing that keep alive if I wanted to? Thanks, Jeremy On Wed, Aug 3, 2011 at 9:21 AM, Daniel Cid wrote: > Yes, when you restart the manager, he will only be able to communicate > back to the agent after > a keep alive is received from it. Since a keep alive i

Re: [ossec-list] Database logging issue

2011-08-03 Thread dan (ddp)
On Aug 3, 2011 12:33 PM, "ash kumar" wrote: > > Yes. srcip is being populated correctly. In addition the dstip is getting a uniform value of 32767 which tells me there is something odd going on. > That's not what I meant. I meant is the dstip value being inserted into the srcip field? Find a log

Re: [ossec-list] Database logging issue

2011-08-03 Thread ash kumar
Yes. srcip is being populated correctly. In addition the dstip is getting a uniform value of 32767 which tells me there is something odd going on. I have not tried disabling local_decoder and checking as yet though.

Re: [ossec-list] OSSEC server restart and agent re-connect?

2011-08-03 Thread Daniel Cid
Yes, when you restart the manager, he will only be able to communicate back to the agent after a keep alive is received from it. Since a keep alive is sent every 10 min, during this time frame you won't be able to send anything to it... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Wed, Aug

[ossec-list] OSSEC server restart and agent re-connect?

2011-08-03 Thread jplee3
Hi all, I've been noticing that after I restart the OSSEC server, the Agents don't seem to re-connect right away. Is this expected behavior? We are constantly making changes to rules, etc on the server which in turn also affect active response. I noticed this when I restarted the server and then t

Re: [ossec-list] Analyse full log files after install

2011-08-03 Thread dan (ddp)
"ossec-logtest -a" will give you the same output. It doesn't really run it through the system though (no active response or anything). On Wed, Aug 3, 2011 at 6:50 AM, sAmUrAi wrote: > Can I run a process to analyse the full log files after an install or > can we only have analysis on and after th

Re: [ossec-list] Database logging issue

2011-08-03 Thread dan (ddp)
For the alerts that should include a dstip, is the srcip field being populated instead? On Tue, Aug 2, 2011 at 1:04 PM, ash kumar wrote: > I set up logging to mysql for version 2.6. I created the schema using the > mysql.schema file included in the src/ directory of the distribution. > All fields

Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-03 Thread dan (ddp)
/var/ossec/bin/ossec-logtest -t Also, it'd still be great if you checked the ossec.log file for log messages that may be relevant before the ones you posted in the original message. On Tue, Aug 2, 2011 at 1:44 AM, George Ochola wrote: > This is a server install > > __

Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-03 Thread dan (ddp)
Also, I'm still curious if you changed anything. Has this ever worked? etc. On Tue, Aug 2, 2011 at 1:44 AM, George Ochola wrote: > This is a server install > > > From: dan (ddp) > To: ossec-list@googlegroups.com > Sent: Tuesday, August 2, 2011 12:25 AM > Subject:

RE: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Chris Phillips
Many Thanks Daniel, That is just what I needed to hear/read! I can see that we do have prelinking turned ON, but not sure it's a "choice" rather than an OS default, so we may end up switching it OFF as I doubt we see any benefits from it. Cheers, -- ChrisP Chris Phillips Service Designer, int

Re: [ossec-list] OSSEC + OSSIM + Distributed Env.

2011-08-03 Thread Daniel Cid
Hi Joshua, Depending on the VPN link and the type / amount of the logs, it might be better to install the manager (or standalone) option on each location (option #2) and only send the alerts to the centralized manager. I do it often when monitoring httpd (or proxy) logs that can generate thousand

Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-03 Thread George Ochola
This is the output I am getting after starting OSSEC Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)... OSSEC analysisd: Testing rules failed. Configuration error. Exiting. Started ossec-maild... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-remoted.

RE: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Chris Phillips
It's CentOS5 and it definitely didn't update on its own (quite closely controlled and only has access to our in-house repos). There was an identical host (on another hostname/IP of course) created at the same time as the one, which did not throw the same alerts. I can't see anything dodgy going

Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Daniel Cid
Probably because of prelinking... More details here: http://www.ossec.net/wiki/Know_How:Check_Sums Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Wed, Aug 3, 2011 at 9:11 AM, Chris Phillips wrote: > Hi All, > > Recently, I received about 400+ "Alert Level 7" notifications, for a single > s

Re: [ossec-list] Active-response and agent_control

2011-08-03 Thread Daniel Cid
Not currently. The best way would be to do an active response script to just clear an IP address. The issue is that the manager only sends to the agent the active response script and the IP (or user name), not the action. So it is always treated as a block. But a removal script would be a good ide

Re: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Frank Stefan Sundberg Solli
Hi. This amount of Checksum Changes has never happened to me, on any of my CPanel or Debian/Ubuntu/FreeBSD servers. What kind of distribution do you run? Maybe you/the system auto updated itself to a new version. On Wed, Aug 3, 2011 at 2:11 PM, Chris Phillips wrote: > Hi All, > > Recently, I r

[ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Chris Phillips
Hi All, Recently, I received about 400+ "Alert Level 7" notifications, for a single server, all related to "Integrity checksum changed" events. I am really worried about this, but I can see no reason why it has happened. The situation has not re-occurred and has not happened on any of the other

[ossec-list] Re: issue with a log file on windows 2008 (symantec)

2011-08-03 Thread Blauch Armand
Hello, I've changed "strategy": the SEP 11 management console can log to an external syslog server. So I receive on my syslog server this kind of security log when I run a port scan with nmap: Aug 3 04:10:59 sep11srvtest sep11srvtest: testdev,"Somebody is scanning your computer. Your computer's

[ossec-list] Analyse full log files after install

2011-08-03 Thread sAmUrAi
Can I run a process to analyse the full log files after an install or can we only have analysis on and after the install date?

Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-03 Thread Tigran Petrosyan
Kill all the OSSEC processes, remove the "/var/ossec/queue/ossec/queue" file and then run "/var/ossec/bin/ossec-control start". On Mon, Aug 1, 2011 at 4:15 PM, George Ochola wrote: > Hi All > I have just installed OSSEC 2.6 on my AIX 5.3 machine which was previously > running 2.5.1 , but on installing