Thanks for the info. I'll give your idea a try. Still wish I could get
the disable-account feature working. Would like to see it in action even
if I shouldn't use it.
On Sep 19, 2011, at 12:31 PM, Joe Gedeon wrote:
> There is another option which will help secure your Linux builds.
> Normal users s
There is another option which will help secure your Linux builds.
Normal users should not be able to run such commands as su or sudo.
Move those to another group, change the permissions, and only add the
users that should be allowed to use those commands to the group that
you created for that. Hav
Well I haven't seen any documentation on disable-account. I was hoping to
find an example. As far as I can tell no one is using this.
Can anyone share an active-response configuration for the disable-account
command?
The disable-account command is in the default configuration. It's missing an
act
On Sep 19, 2011 1:13 PM, "Damien Hull" wrote:
>
> It means I've tried several rules and nothing seems to work. I'm surprised
nobody seems to know how this option works.
>
I know how it works. You're just making very little sense. I ask for
configurations and you give bits and pieces. You're makin
It means I've tried several rules and nothing seems to work. I'm surprised
nobody seems to know how this option works.
Does anyone use anything other than the default configuration?
Sent from my iPhone
On Sep 19, 2011, at 9:05 AM, "dan (ddp)" wrote:
On Sep 19, 2011 12:56 PM, "Damien Hull" wr
On Sep 19, 2011 12:56 PM, "Damien Hull" wrote:
>
> I had a rule in my config for level 6. I also tried to add a rules_id. No
luck.
>
You had a rule? What does this mean?
> I'm not trying to disable the root account. I'm trying to disable the
> account of the attacker. Let's say the user "Mickey"
I had a rule in my config for level 6. I also tried to add a rules_id. No luck.
I'm not trying to disable the root account. I'm trying to disable the
account of the attacker. Let's say the user "Mickey" tries to su to
root. If that user types the correct password they will get in. If
they type the
On Mon, Sep 19, 2011 at 9:59 AM, dan (ddp) wrote:
>
> I'm not sure what the asterisks will match, and I think there may be more in
> the logline after user_system (but we weren't given that info). Hopefully
> later I'll find a computer to find something that definitely works.
They should match a
Disabling root seems like a nice path to a DoS. You'd probably do
better to use a rule to block the offending IP rather than killing
root's account. (Hint from hard personal experience: Exclude your own
IP from the rule.)
On 09/19/2011 10:56 AM, dan (ddp) wrote:
>
> On Sep 19, 2011 11:53 AM, "
On Sep 19, 2011 11:56 AM, "Joshua Gimer" wrote:
>
> On Mon, Sep 19, 2011 at 9:17 AM, dan (ddp) wrote:
> >
> > On Sep 19, 2011 11:16 AM, "Joshua Gimer" wrote:
> >>
> >> On Mon, Sep 19, 2011 at 7:57 AM, Lennon, Padraig
> >> wrote:
> >> > Trying to match the following:
> >> >
> >> > 20110916 17035
On Mon, Sep 19, 2011 at 9:17 AM, dan (ddp) wrote:
>
> On Sep 19, 2011 11:16 AM, "Joshua Gimer" wrote:
>>
>> On Mon, Sep 19, 2011 at 7:57 AM, Lennon, Padraig
>> wrote:
>> > Trying to match the following:
>> >
>> > 20110916 170353 : user_system rest of details….
>> >
>>
>> How about (minus the quo
On Sep 19, 2011 11:53 AM, "Damien Hull" wrote:
>
> Here's my configuration for disable-account. It doesn't work. I'm not sure
I understand how it works. I was hoping a user would get kicked off the
system after too many failed login attempts. I tried to "su" to root and
type in the wrong password.
Here's my configuration for disable-account. It doesn't work. I'm not sure I
understand how it works. I was hoping a user would get kicked off the system
after too many failed login attempts. I tried to "su" to root and type in
the wrong password. I get an email from OSSEC but that's it. The user i
On Sep 19, 2011 11:16 AM, "Joshua Gimer" wrote:
>
> On Mon, Sep 19, 2011 at 7:57 AM, Lennon, Padraig
> wrote:
> > Trying to match the following:
> >
> > 20110916 170353 : user_system rest of details….
> >
>
> How about (minus the quotes):
>
> "^\d{8} +\d{6} *: *user_system.*$"
That's not valid os
On Mon, Sep 19, 2011 at 7:57 AM, Lennon, Padraig
wrote:
> Trying to match the following:
>
> 20110916 170353 : user_system rest of details….
>
How about (minus the quotes):
"^\d{8} +\d{6} *: *user_system.*$"
--
Thanks,
Joshua Gimer
---
http://www.linkedin.com/in/jgime
Trying to match the following:
20110916 170353 : user_system rest of details
I have tried to create a local decoder to no avail:
^\d\d\d\d\d\d\d\d \d\d\d\d\d : user_system
^\d\d\d\d\d\d\d\d \d\d\d\d\d \p user_system
I have been consulting http://www.ossec.net/wiki/Know_How:Rege
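The thread's sample line has an eight-digit date and a six-digit time, and OSSEC's own regex dialect has no `{n}` repetition operator (its classes are `\d`, `\w`, `\s`, `\p`, `\.` and their negations, plus `+`, `*`, `^`, `$`, `|` and groups). The following is an added example, not code from the thread or from OSSEC: a small translator from that dialect to Python's `re` (a simplification I wrote for illustration, not OSSEC's matcher) that checks the posted patterns against the constructed sample line.

```python
import re

# Constructed sample line, copied from the thread's example (not a real capture).
SAMPLE_LINE = "20110916 170353 : user_system rest of details"

# Subset of OSSEC's OS_Regex character classes mapped onto Python re syntax.
# Assumption: this translation is a simplification written for illustration,
# not OSSEC's own matcher. OSSEC has no {n} repetition operator.
_CLASSES = {
    r"\d": "[0-9]",
    r"\D": "[^0-9]",
    r"\w": r"[A-Za-z0-9@_\-]",
    r"\W": r"[^A-Za-z0-9@_\-]",
    r"\s": " ",
    r"\S": "[^ ]",
    r"\t": "\t",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    r"\.": ".",  # in OSSEC "\." means "any character"
}
_OPERATORS = set("^$+*|()")


def ossec_to_python(pattern):
    """Translate an OSSEC-style regex into Python re syntax.

    Raises ValueError for {n} quantifiers, which OSSEC does not support.
    """
    out = []
    i = 0
    while i < len(pattern):
        token = pattern[i:i + 2]
        if token in _CLASSES:
            out.append(_CLASSES[token])
            i += 2
        elif pattern[i] in "{}":
            raise ValueError("{n} quantifiers are not valid OSSEC regex syntax")
        elif pattern[i] in _OPERATORS:
            out.append(pattern[i])
            i += 1
        else:
            # Any other character (including a bare '.') is a literal in OSSEC.
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def ossec_match(pattern, line):
    """Return True if the OSSEC-style pattern matches the log line."""
    return re.search(ossec_to_python(pattern), line) is not None


if __name__ == "__main__":
    for pat in (r"^\d+ \d+ : user_system",
                r"^\d\d\d\d\d\d\d\d \d\d\d\d\d : user_system",
                r"^\d\d\d\d\d\d\d\d \d\d\d\d\d\d \p user_system"):
        print(f"{pat!r:55} -> {ossec_match(pat, SAMPLE_LINE)}")
```

The five-`\d` time pattern from the thread fails only because the sample's time field is six digits long; `^\d+ \d+ : user_system` avoids counting digits at all.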
I tried, and logstash web gui didn’t seem to work as well – i.e. it kept
crashing with out of memory errors. Plus I think it had to make a second copy
of all the logs. . . Maybe I’m confused though.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
Fr
Heya,
I'm currently writing my thesis about a related security subject, and one of
the questions which is popping up here is the use of OSSEC to handle
SIM/SEM, and general intrusion detection and what not.
The thing is, and I can't seem to answer the question for sure, I wonder
whether a sol
Hi List,
After upgrading to 2.6 the mysql schema is not working. Are there
update files to update the mysql schema without deleting old data?
--
Eero