"..." means Ellipsis.
I think the syntax is valid, because I have received the report daily
for over a month. However, I couldn't receive it sometimes starting
from last week. "No report" means no alert?
On Feb 2, 9:04 PM, "dan (ddp)" wrote:
> On Tue, Jan 31, 2012 at 8:42 PM, Macus wrote:
> > I ha
I was reviewing the windows decoder and noticed "name,
location, user, system_name". I could not find any reference in
the documentation as to what this was for.
I finally found a reference to it in one of the message on this
mailing list, need help on writing rules (http://groups.google.com
On 02.02.2012 10:06, Oliver Mueller wrote:
> If I add the following rule to local_rules.xml and try to test it with
> ossec-logtest, I receive a
> segfault (see below):
>
..
>
> Is there any update planned to ossec soon?
works for me (RHEL 5.7 64bit):
$ /var/ossec/bin/ossec-logtest -V
OSSEC HI
I knew I was missing something simple, overwrite="yes".
I do vaguely remember reading about this option. Yes, it is here:
http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
Dan, your suggestion did not work. It was still preferring the 18152.
Although I took your suggestion and did the follow
it does not work with T either :(
On 2 Feb, 14:07, "dan (ddp)" wrote:
> On Wed, Feb 1, 2012 at 7:59 AM, kumaig wrote:
> > I have tried for a few weeks to decode one magento log with no luck. I
> > have searched more than 2 weeks for a solution for this problem. If
> > anyone can help I appreciate
On Thu, Feb 2, 2012 at 10:34 AM, Jon Bayless wrote:
> Well with that custom decoder it matches the decoder now. I will try it and
> see if it actually catches and blocks the source IPs now.
>
> Is there any way to test whether it is decoding that source IP and will be
> able to use it properly?
Well with that custom decoder it matches the decoder now. I will try it and see
if it actually catches and blocks the source IPs now.
Is there any way to test whether it is decoding that source IP and will be able
to use it properly?
Thanks for all your help.
On Thu, Feb 2, 2012 at 9:42 AM, Kat wrote:
> I always wondered about that - shouldn't anything in "Local..." get
> processed before the built-in?
> I did have a feeling it was order dependent, and I took the route of
> making the rules "decoded_as - windows_date_format" and everything
> works, and
I always wondered about that - shouldn't anything in "Local..." get
processed before the built-in?
I did have a feeling it was order dependent, and I took the route of
making the rules "decoded_as - windows_date_format" and everything
works, and this now confirms my thoughts that local did NOT get
On Thu, Feb 2, 2012 at 9:34 AM, Jon Bayless wrote:
> How can I determine if the IP is properly decoded? With the ossec-logtest
> program?
>
> Here is the output I get from that:
>
> ossec-testrule: Type one log per line.
>
> Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.
How can I determine if the IP is properly decoded? With the ossec-logtest
program?
Here is the output I get from that:
ossec-testrule: Type one log per line.
Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net
auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.
I am using version "OSSEC HIDS v2.6 - Trend Micro Inc." on an Ubuntu 11.10
oneiric.
On 02.02.2012, at 14:19, dan (ddp) wrote:
> On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller wrote:
>> If I add the following rule to local_rules.xml and try to test it with
>> ossec-logtest, I receive a segfault
On Tue, Jan 31, 2012 at 8:42 PM, Macus wrote:
> I have setup a daily report like below for the syscheck. it is
> supposed to have the report delivered to my mailbox? The syscheck is
> scheduled daily at 20:00
>
>
> syscheck
> OSSEC Daily Report: File Integrity Check Result
> ...
> ...
I do
On Wed, Feb 1, 2012 at 2:49 PM, Kat wrote:
> What am I missing - it just keeps firing on the windows-date-format --
> so frustrating, it must be simple, I am just blind today:
>
Either put it before the windows-date-format decoder or make it a
child of that decoder.
> Logentry:
>
> 2012-01-12 15
On Thu, Feb 2, 2012 at 5:03 AM, alsdks wrote:
> Hello list,
>
>
> Some systems, in syslog logging, tend to group the same messages to save
> space and load. For example Solaris
> logs failed ssh logins to syslog but issues an event that says that
> the last message repeated x times, like:
>
> sshd[
On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller wrote:
> If I add the following rule to local_rules.xml and try to test it with
> ossec-logtest, I receive a segfault (see below):
>
>
> overwrite="yes">
>
> 30101 matched_sid>
> user \S+ not found
> Attempt
On Wed, Feb 1, 2012 at 4:21 PM, Peter M Abraham wrote:
> Good day:
>
> Given the following rule
>
>
> 18107
> Logon Type: 10
> Windows RDP Login.
> authentication_success,
>
>
> What could we add so that if the "User Name" is not a specific value
> AND the "Source Network Address"
On Wed, Feb 1, 2012 at 4:56 AM, Marcos Tang wrote:
> Hi OSSEC users and Dan
>
> High-level background of my current setup:
>
> - Several OSSEC servers are running on Solaris
> - OSSEC agents are running on Solaris and reporting to the above OSSEC
> servers
> - Running /opt/ossec/bin/agent_control
On Wed, Feb 1, 2012 at 5:02 PM, alsdks wrote:
> try that 18152 rule again in your local rules with overwrite="yes"
> option , to overwrite the original rule and see how it goes .
>
(WARNING: I do not know if this will work! Try it, see if it works. Or not.)
Combined with the above, you could try
On Wed, Feb 1, 2012 at 11:01 AM, Jon Bayless wrote:
> Here are the alerts I get from ossec, so I know it sees the attacks and the
> level is 10 so it should be taking action. I have the active-response set for
> anything over level 8 I think:
>
Check. ;)
> Rule: 40111 fired (level 10) -> "Mult
On Wed, Feb 1, 2012 at 7:59 AM, kumaig wrote:
> I have tried for a few weeks to decode one magento log with no luck. I
> have searched more than 2 weeks for a solution for this problem. If
> anyone can help I appreciate it.
> the log is :
> 2011-12-28T08:30:59+00:00 CRIT Not valid template file:fron
Hello list,
Some systems, in syslog logging, tend to group the same messages to save
space and load. For example Solaris
logs failed ssh logins to syslog but issues an event that says that
the last message repeated x times, like:
sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
fo
If I add the following rule to local_rules.xml and try to test it with
ossec-logtest, I receive a segfault (see below):
30101
user \S+ not found
Attempt to login using a non-existent
user.
invalid_login,
# ../bin/ossec-logtest
2012/01/