Hi all,
I was wondering if the "no" directive under
Active Response is supposed to be a global setting or if it's supposed
to be local to each individual AR.
The reason is because I set a couple ARs to yes
to try to prevent them from loading since we don't currently have the
scripts for them (the
Hi there,
Precisely, in the last week, as part of my work at AlienVault, I have rewritten
the ossec plugin that is used in ossim.
The aim is to format adequately the fields that you can get in every ossec rule,
so at correlation time I can write more interesting directives and response
actions ba
On Wed, Sep 7, 2011 at 4:19 AM, Waqas wrote:
> Yes. OSSEC id 7085 with the sid 18130 can be used to detect the failed
> Windows logins.
>
If OSSEC does the right thing, this seems like an OSSIM issue.
It looks like there is some OSSIM/OSSEC dev work going on at the moment.
> On Sep 5, 11:35 pm,
On Wed, Sep 7, 2011 at 4:27 AM, PJG wrote:
> Folks
>
> I'm sure I've posted something about this in the past, but couldn't
> find it so I'll go again.
>
> We are continually having to restart the OSSEC Service on server as all
> agents are going offline.
>
> The only errors appearing in the logs are:
>
So how are those rules coming?
On Thu, Sep 8, 2011 at 12:05 AM, Eero Volotinen wrote:
>> Dumb question in return: If the network is down, how is it going to
>> notify you?
>
> It will notify when link comes back?
>
>>
>> You probably want one or more external boxes monitoring connectivity and
>>
> Dumb question in return: If the network is down, how is it going to
> notify you?
It will notify when link comes back?
>
> You probably want one or more external boxes monitoring connectivity and
> let them send messages. Nagios?
This is used for audit purposes.
--
Eero