[ossec-list] ossec-agentd Event count after ossec log

2012-01-25 Thread Macus
What's the meaning of the log below in OSSEC agent? 2012/01/26 00:38:15 ossec-agentd: INFO: Event count after '2': 3454420->2988040 (86%)

[ossec-list] Re: Agents cannot connect to server

2012-01-25 Thread BP9906
Could it be because you have multiple source IPs? Try creating a new agent on the server and use the subnet. manage_agents, a, hostname, 192.168.1.0/24, y. Then import the new key generated and see if that helps. That would confirm source IP origination is the problem. Else, use wireshark or tc

[ossec-list] Re: Script assistance

2012-01-25 Thread BP9906
Well, you could start with using a rule for that user first. Then you could change the "2" option you're using to 11, assuming that's your rule ID. Then you can just configure the script to do something, either block the IP, lock the user account, etc. Hope that helps. On Jan 25, 1:38 pm, "

[ossec-list] Script assistance

2012-01-25 Thread Carrie Poole
I'm trying to set an Active Response alert based on a particular user login, and I'm not sure how to write the script. Anyone out there have any ideas? What I need it to do is email an alert when a certain user account logs into any one of the agents. I think I got the command config and a

[ossec-list] Agents cannot connect to server

2012-01-25 Thread Steve Kuntz
I have communication issues between my server and agents. All agents on the server's subnet can connect to the server. I have agents on other subnets which I've tried to configure in different ways and they can't connect to the server. 2012/01/25 15:25:51 ossec-agent: INFO: Trying to connect to se

Re: [ossec-list] Web Server Trouble

2012-01-25 Thread Scott VR
The problem is that the 404 is not for the static file favicon.ico, but for a .php script that is passed favicon.ico as an argument and returns a 404. Either /theme/image.php does not exist, or it is written to return a 404 when passed a non-existent filename as an argument. In any case, I think

Re: [ossec-list] Web Server Trouble

2012-01-25 Thread Damien Hull
I just turned off active response this morning... I may leave it off unless I can fix this problem... On Wed, Jan 25, 2012 at 8:03 AM, sempai wrote: > I alert and block on many but not all web servers for precisely this reason, > but I knew what Active Response did before I turned it on and compla

[ossec-list] Re: syscheck and ignored directories

2012-01-25 Thread BP9906
No, that option does tell syscheckd to ignore that entire folder and subcontents. If you have Windows, I believe it's different. See http://www.ossec.net/main/manual/manual-syscheck#examples On Jan 24, 11:03 am, Julien Vehent wrote: > On Mon 23.Jan'12 at 11:46:17 -0800, BP9906 wrote: > > > Your i

Re: [ossec-list] Web Server Trouble

2012-01-25 Thread sempai
I alert and block on many but not all web servers for precisely this reason, but I knew what Active Response did before I turned it on and complained about it working. There are a lot of vulnerability probes and assessment tools that look specifically for certain urls and generate 404s while

[ossec-list] ossec and email logging

2012-01-25 Thread Nelson, James
I noticed ossec has some basic sendmail rules installed. I was wondering if anyone has gone beyond this basic functionality to create active response to detect and block spam attacks and if so if there is any good repository of info. For example, you can configure sendmail to log the subject of m

Re: [ossec-list] Web Server Trouble

2012-01-25 Thread Steven Stern
I get a lot of 404 alerts, and I let OSSEC block access when it's multiples from the same IP. Typically, they're looking for phpmyadmin or other common (and probably poorly secured) tools in a number of locations. On 01/24/2012 11:33 PM, Damien Hull wrote: > It looks like someone was requesting th

[ossec-list] Re: Able to show old and new value for Windows registry changes?

2012-01-25 Thread banjer
This information is not logged by OSSEC as far as I can tell, so no. I'd like to see this info myself though, so I second this as a dev request. On Dec 16 2011, 12:16 pm, Tom Paine wrote: > When the integrity rules are fired for syscheck registry changes, is it > possible to show the old and new

Re: [ossec-list] Web Server Trouble

2012-01-25 Thread Damien Hull
It looks like someone was requesting the favicon and the server replied with "404"... How does that equal a level 10 alert? Anyway, here's the log info. GET /theme/image.php?theme=moodlebook&image=favicon&rev=282&component=theme HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT