Is there any way to monitor the ossec server and agent? Like to
capture any strange logs in the ossec.log.
Hello,
I have set up a command to monitor file permissions in Windows (since
by default OSSEC only supports POSIX). The command, for example, is:

  <localfile>
    <log_format>full_command</log_format>
    <command>icacls c:\WINDOWS\system32\*.exe</command>
    <alias>icacls</alias>
  </localfile>

Now the question: is there a limitation on how many lines OSSEC can take
and proces
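With full_command OSSEC only tells you that the icacls output changed; what a practitioner then wants to know is whether the change matters. The following is an added example (mine, not from the thread or from OSSEC) that parses icacls' text layout and flags executables where a broad principal can modify the file. It assumes paths contain no spaces (true for system32\*.exe); the lists of "broad" principals and write-capable rights are this example's own choices, and the icacls listing is constructed.

```python
"""Flag weak ACLs in icacls output (added example; not OSSEC's code).

Assumptions: paths contain no spaces; BROAD_PRINCIPALS and WRITE_RIGHTS
are this example's own lists; SAMPLE_ICACLS is constructed, not captured.
"""
import re

# Inheritance flags icacls prints alongside rights; not permissions themselves.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that allow modifying the file, its ACL or its owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "D"}
# Principals that effectively mean "any local user" (compared case-insensitively).
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Constructed sample in icacls' layout: first ACE on the path line,
# further ACEs indented, summary footer at the end.
SAMPLE_ICACLS = r"""
c:\WINDOWS\system32\calc.exe NT SERVICE\TrustedInstaller:(F)
                             NT AUTHORITY\SYSTEM:(RX)
                             BUILTIN\Administrators:(RX)
                             BUILTIN\Users:(RX)
c:\WINDOWS\system32\helper.exe NT AUTHORITY\SYSTEM:(F)
                               BUILTIN\Administrators:(F)
                               BUILTIN\Users:(F)
                               Everyone:(I)(RX)
c:\WINDOWS\system32\svc.exe NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            NT AUTHORITY\Authenticated Users:(OI)(CI)(WD,AD)

Successfully processed 3 files; Failed processing 0 files
"""

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_ace(text):
    """'BUILTIN\\Users:(OI)(CI)(RX)' -> ('BUILTIN\\Users', {'RX'}), or None."""
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    rights = set()
    for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
        for r in group.split(","):      # specific rights are comma-separated, e.g. (WD,AD)
            r = r.strip()
            if r and r not in INHERIT_FLAGS:
                rights.add(r)
    return m.group("who"), rights


def parse_icacls(output):
    """Return {path: [(principal, rights), ...]} from icacls text output."""
    acl = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():           # continuation ACE for the current path
            ace = parse_ace(line)
            if current is not None and ace is not None:
                acl[current].append(ace)
            continue
        path, _, rest = line.partition(" ")
        ace = parse_ace(rest)
        if ace is None:                 # footer or something we don't understand
            current = None
            continue
        current = path
        acl[current] = [ace]
    return acl


def weak_entries(output):
    """[(path, principal, sorted write rights)] where a broad principal can modify the file."""
    findings = []
    for path, aces in parse_icacls(output).items():
        for who, rights in aces:
            hit = rights & WRITE_RIGHTS
            if who.lower() in BROAD_PRINCIPALS and hit:
                findings.append((path, who, sorted(hit)))
    return findings


if __name__ == "__main__":
    for path, who, rights in weak_entries(SAMPLE_ICACLS):
        print(f"WEAK: {path} grants {','.join(rights)} to {who}")
```

Run it against a saved `icacls c:\WINDOWS\system32\*.exe > acl.txt` listing; the same parser works on the diff OSSEC reports, since changed lines keep the `principal:(rights)` shape.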
Hello Dan,
Interestingly, grepping for 'syscheck_integrity_changed' returns
different files depending on the platform, whether the source has been
compiled or not, etc etc.
Here is what I found in an un-compiled ossec source directory, under
ossec-hids-2.6/src/analysisd/rules.h :
#define ROOTCHECK
Sometimes I see the same host blocked every 600 seconds (the timeout value).
I tried adding the repeated_offenders list to its own block as the
documentation suggested, but then I do not see:
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/12 19:39:15 ossec-
Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
I think the repeated_offenders list should be in its own block.
Example:

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120,1440</repeated_offenders>
  </active-response>

Again, I'm not sure and I don't know how easy this will be for me to test.
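The question in this thread is whether the blocks are actually escalating or whether the host is just re-blocked every 600 seconds. The following is an added example (mine, not code from the thread or from OSSEC) that answers it from /var/ossec/logs/active-responses.log: it pairs each "add" with the following "delete" per IP, reports how long each block lasted and how soon the host was blocked again, and compares the durations with the repeated_offenders schedule. It assumes the log's field layout (date, script, add/delete, user, IP, alert id, rule id), that repeated_offenders values are minutes applied to the second, third, ... block of the same host, and that <timeout> is seconds; the log lines are constructed.

```python
"""Does repeated_offenders escalation show up in active-responses.log?

Added example, not code from this thread or from OSSEC. Assumed log line
layout: "<weekday> <mon> <day> <time> <tz> <year> <script> <add|delete>
<user> <ip> <alert-id> <rule-id>". Assumed semantics: <timeout> is seconds,
<repeated_offenders> entries are minutes for the 2nd, 3rd, ... block of the
same host. SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"   # the first six fields of each line

# Constructed: one host released after 600 s and re-blocked minutes later, twice;
# a second host blocked once by a different script.
SAMPLE_LOG = """\
Mon Dec 12 19:39:15 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1323718755.1234 5712
Mon Dec 12 19:49:15 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1323718755.1234 5712
Mon Dec 12 19:51:02 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1323719462.2001 5712
Mon Dec 12 20:01:02 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1323719462.2001 5712
Mon Dec 12 20:03:40 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1323720220.3100 5712
Mon Dec 12 20:05:00 UTC 2011 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.9 1323720300.4000 5712
"""


def parse_line(line):
    """Return a dict for one active-responses.log line, or None if it doesn't fit."""
    parts = line.split()
    if len(parts) < 12:
        return None
    try:
        ts = datetime.strptime(" ".join(parts[:6]), DATE_FMT)
    except ValueError:
        return None
    return {"ts": ts, "script": parts[6], "action": parts[7],
            "ip": parts[9], "rule": parts[11]}


def block_history(log_text):
    """Per IP: durations of completed blocks (add -> delete, seconds) and
    how many seconds after each release the host was blocked again."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)

    history = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        durations, reblock_after = [], []
        open_block = last_unblock = None
        for r in recs:
            if r["action"] == "add":
                if last_unblock is not None:
                    reblock_after.append(int((r["ts"] - last_unblock).total_seconds()))
                open_block = r["ts"]
            elif r["action"] == "delete" and open_block is not None:
                durations.append(int((r["ts"] - open_block).total_seconds()))
                last_unblock, open_block = r["ts"], None
        history[ip] = {"durations": durations, "reblock_after": reblock_after}
    return history


def escalation_applied(durations, base_timeout, offenders_minutes):
    """True if the 2nd, 3rd, ... blocks lasted at least the repeated_offenders
    schedule, False if any fell back to the base timeout, None if there is
    only one completed block (no evidence either way)."""
    expected = [base_timeout] + [m * 60 for m in offenders_minutes]
    if len(durations) < 2:
        return None
    for i, d in enumerate(durations[1:], start=1):
        if d < expected[min(i, len(expected) - 1)]:
            return False
    return True


if __name__ == "__main__":
    for ip, h in block_history(SAMPLE_LOG).items():
        verdict = escalation_applied(h["durations"], 600, [30, 60, 120, 1440])
        print(ip, h, "escalating" if verdict else "flat" if verdict is False else "n/a")
```

A host whose every completed block lasts the base timeout while it is re-blocked within a couple of minutes of release is exactly the "blocked every 600 seconds" symptom described above.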
On Mon, Dec 12, 2011 at
How much time passes between the blocks?
(I don't know much about repeated_offenders, so just gathering ideas.)
On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren wrote:
> Hi,
> I am trying out the option but it does not seem to be
> triggering.
>
> Here is my active response config:
>
On Mon, Dec 12, 2011 at 10:52 PM, Macus wrote:
> I have added the report_changes option like below. It seems to work a
> little bit. Both abc and def are linked to abc-v123 and def-v123
> respectively. Now, I can see some files were copied from /home/abc to /
> var/ossec/queue/diff/local/home/abc , b
On Tue, Dec 13, 2011 at 5:23 AM, alsdks wrote:
>
> Hello Dan,
>
> hmmm those are binaries and I can't get anything out of them ...
>
They should be c source code files.
> The thing is, while troubleshooting my other issue (Syscheck issue on
> Windows : alerts not generated for registry and execu
On Mon, Dec 12, 2011 at 9:30 PM, Chris Decker wrote:
> As the subject suggests, is there a way to override a particular
> decoder in decoder.xml? I have a few tweaks I want to make and
> obviously want to make sure that future upgrades go smoothly (so I
> want to keep everything in local_decoder.
On Tue, Dec 13, 2011 at 12:35 PM, culley wrote:
> Hi,
>
> I have read the docs correctly, I have configured correctly, but I keep
> getting this message.
>
If you're getting that message, you've done something incorrectly.
I'm not sure I should be offering help on this, since it might seem I
am enc
Hi,
I have read the docs correctly, I have configured correctly, but I keep
getting this message.
I am running OSSEC on CentOS 5.7.
I have added the user apache to the ossec group. I have changed
permission on the tmp folders, I have changed owner/group on the tmp
folders. Basically I have tried e
Hello Dan,
hmmm those are binaries and I can't get anything out of them ...
The thing is, while troubleshooting my other issue (Syscheck issue on
Windows : alerts not generated for registry and executable checks :
default OSSEC.conf) I have noticed the following behavior :
While testing message
+1 for this problem
I am running the latest release of ossec on FreeBSD 8.2
-Original Message-
From: Chris Warren
Sender: ossec-list@googlegroups.com
Date: Mon, 12 Dec 2011 22:08:30
To:
Reply-To: ossec-list@googlegroups.com
Subject: [ossec-list] Repea