[ossec-list] Disabling the "display agents on master" when removing an agent in manage_agents.

2012-08-16 Thread Steven B.
Is there a way in the code to disable the "display of agents" when you remove an agent in manage_agents? When you have 2 or 15 agents it's fine, but when you have more than will fit on the screen it's not needed. Steven

[ossec-list] Re: ossec-analysisd core dumps on Solaris 10

2012-08-16 Thread Jim
Hello, Any further thoughts on fixing this core dump problem? Thanks, --JIM On Monday, August 13, 2012 7:41:39 PM UTC-4, Jim wrote: > > Here are the logs from the ossec.log, which was running in debug. Which > reports until you can see analysisd core dumps. IPs and hostnames have > been ch

Re: [ossec-list] Incorrectly formated message errors.

2012-08-16 Thread Steven B.
I would need to see some config files. Are you using agent.conf in the shared folder on the master (with active response enabled in the ossec.conf file)? Can you post the ossec.conf and the agent.conf from the agent? I assume that the ossec.conf files are the same on each of your agents. On Tu

Re: [ossec-list] Netscreen Firewall Logs

2012-08-16 Thread oorhan
hi Dan, Thank you for your reply. The original netscreen log message has a timestamp. The log is taken from another syslog server. " Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (po

Re: [ossec-list] Incorrectly formated message errors.

2012-08-16 Thread bw
On 08/16/2012 08:48, Steven B. wrote: I would need to see some config files. Are you using agent.conf in the shared folder on the master (with active response enabled in the ossec.conf file)? Can you post the ossec.conf and the agent.conf from the agent? I assume that the ossec.conf files are th

Re: [ossec-list] Disabling the "display agents on master" when removing an agent in manage_agents.

2012-08-16 Thread dan (ddp)
On Thu, Aug 16, 2012 at 2:06 AM, Steven B. wrote: > Is there a way in the code to disable the "display of agents" when you > remove an agent in manage_agents? > When you have 2 or 15 agents it's fine, but when you have more than will fit > on the screen it's not needed. > > Steven Are you talking a

Re: [ossec-list] Netscreen Firewall Logs

2012-08-16 Thread dan (ddp)
On Thu, Aug 16, 2012 at 6:48 AM, oorhan wrote: > hi Dan, > > Thank you for your reply. > > The original netscreen log message has timestamp. Log is taken from another > syslog server. > According to your alert.log entry the log message does not have a timestamp. An example of an alert.log entry

Re: [ossec-list] Re: ossec-analysisd core dumps on Solaris 10

2012-08-16 Thread dan (ddp)
On Thu, Aug 16, 2012 at 1:12 AM, Jim wrote: > Hello, > > Any further thoughts on fixing this core dump problem? > > Thanks, > > > --JIM > Is there any chance you can run it in gdb?

gdb /var/ossec/bin/ossec-analysisd
set follow-fork-mode child
run
*CRASH*
bt

There are probably other things you

Re: [ossec-list] Incorrectly formated message errors.

2012-08-16 Thread dan (ddp)
On Tue, Aug 14, 2012 at 6:17 AM, bw wrote: > On 08/09/2012 16:39, dan (ddp) wrote: >> >> On Thu, Aug 9, 2012 at 9:13 AM, Nate wrote: >>> >>> OK, gave the add.remove key thing one last shot. >>> >>> Stopped ossec on both the master and the agent. >>> deleted client.keys on the agent. >>> used mana

Re: [ossec-list] Re: ossec fails to compile after recent updates from https://bitbucket.org/dcid/ossec-hids

2012-08-16 Thread Peter M Abraham
Hi Dan and JB: Thank you!!!

[ossec-list] Re: which module in metasploit can i use to test ossec attack rules

2012-08-16 Thread JB
You can try attacking sendmail, Apache server, ftp daemon, etc. and see if OSSEC rules trigger the alerts. On Tuesday, August 14, 2012 12:18:10 AM UTC-7, mohamed khalaf wrote: > > which module in metasploit can i use to test ossec attack rules > > if no which attack library can i use to test o

Re: [ossec-list] active response not triggering; how to debug?

2012-08-16 Thread JB
The 2.6 OSSEC decoder looks for the IP address inside [ ], for example, (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) Your log seems to have a different format. Did you see other log lines from proftpd that show the IP address in [ ]? On Wednesday, August 15, 2012 6:33:04 AM UTC-7, dan (
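The bracket-keyed extraction JB describes, modelled in Python as an added example (this is not OSSEC's decoder.xml; the regexes only approximate the "(host[ip])" shape the post quotes, and the proftpd and sshd log lines are constructed for the demonstration). A line in the quoted format yields a srcip; a line that carries the same address any other way yields nothing, which is what leaves an active response whose command expects srcip with no address to act on.

```python
"""Source-address extraction in the shape the post describes for the
OSSEC 2.6 proftpd decoder: the client must appear as "(host[ip])".
Added example, not OSSEC's decoder.xml; the regexes approximate that
shape and every log line below is constructed for the demonstration."""
import re

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The "(client-host[client-ip])" pair the decoder keys on.  Approximation of
# the OSSEC regex, not a copy of it.
BRACKET_IP = re.compile(
    r"\((?P<srchost>[^\s\[\]()]+)\[(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


def decode_proftpd(line):
    """Return {'srchost': ..., 'srcip': ...} for a proftpd line whose client
    is written as (host[ip]); None for other programs or other shapes."""
    header = SYSLOG_HEADER.match(line)
    if header is None or header.group("program") != "proftpd":
        return None
    hit = BRACKET_IP.search(header.group("msg"))
    return None if hit is None else hit.groupdict()


def srcips(lines):
    """srcip per line, or None when no address was decoded.  A None here is
    what leaves a response that expects srcip with nothing to act on."""
    out = []
    for line in lines:
        fields = decode_proftpd(line)
        out.append(None if fields is None else fields["srcip"])
    return out


# Constructed sample lines: the first has the bracketed form the post quotes,
# the second carries the same address in a different format, the third is a
# different program altogether.
SAMPLE_LINES = [
    "Aug 15 06:30:04 ftp1 proftpd[2137]: ftp1 (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) - "
    "USER nobody: no such user found from pD9EE35B1.dip.t-dialin.net [217.238.53.177] to 10.0.0.5:21",
    "Aug 15 06:30:09 ftp1 proftpd[2137]: USER nobody: no such user found from 217.238.53.177 to 10.0.0.5:21",
    "Aug 15 06:30:12 ftp1 sshd[2201]: Failed password for nobody from 217.238.53.177 port 40112 ssh2",
]

if __name__ == "__main__":
    for line, ip in zip(SAMPLE_LINES, srcips(SAMPLE_LINES)):
        print(f"{ip!s:>16}  {line[:60]}")
```

Running it prints the decoded address only for the first line; the practical check when a response does not fire is to run the real log through `ossec-logtest` and confirm that `srcip` actually appears in the decoded fields.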

[ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
I have the following in ossec.conf: . . . syslog 10.5.4.1 514 secure . . . And yet when 10.5.4.1 sends a message to the OSSEC server I get this: WARN: Message from 10.5.4.1 not allowed. Am I missing something? And yes... I've restarted the server.

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Tony Perez, PMP
Hi Adriel You have the same port set on both the Agent and Server? Which server does this ossec.conf belong to? Thanks Tony Adriel Desautels August 16, 2012 6:25 PM I have the following in ossec.conf: . . . syslog 10.5.4.1 514 secure . . . And yet when

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
So, the server (10.5.4.1) is a pfsense firewall. It is sending all of its syslog data to the OSSEC server on UDP 514. Every time the OSSEC server receives a syslog message it generates the error "2012/08/16 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed." So, yes pfsense

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Tony Perez, PMP
Hi Adriel Gotcha, sorry didn't phrase the question right, but you answered it right. Have you been able to turn on debug mode to see if you can see anything there? Anything that would help understand the failed comm attempts? Thanks Adriel Desautels August 16

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
Yes I have and no additional information whatsoever. My syntax is correct, correct? The IP address of the OSSEC server is 10.5.4.9 so it's on the same host... Why would OSSEC ignore the directives in the config and not allow 10.5.4.1? I am CONFUSED!!! syslog 10.5.4.1

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
And, it is listening too...

[root@bos-ossec01][/opt/ossec/queue] % lsof -i | grep 514
ossec-rem 10942 ossecr 4u IPv4 19815488 0t0 UDP *:1514
[root@bos-ossec01][/opt/ossec/queue] % lsof -i | grep syslog
ossec-rem 10941 ossecr 4u IPv4 19815490 0t0 UDP *:syslog

... /me pulls hai

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
Something I should mention... It is installed in a custom path. /opt/ossec instead of /var/ossec Could that be part of the issue? On 8/16/12 9:51 PM, Tony Perez, PMP wrote: > Hi Adriel > > Gotcha, sorry didn't phrase the question right, but you answered it right. > > Have you been able to turn

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
So, I just reinstalled my ossec server... Issue still not resolved. This is version OSSEC HIDS v2.6. Help? On 8/16/12 9:51 PM, Tony Perez, PMP wrote: > Hi Adriel > > Gotcha, sorry didn't phrase the question right, but you answered it right. > > Have you been able to turn on debug mode to see i

Re: [ossec-list] firewall --> ossec via UDP 514 : "WARN: Message from 10.5.4.1 not allowed."

2012-08-16 Thread Adriel Desautels
One last thing...

% /var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.6 Stopped
Starting OSSEC HIDS v2.6 (by Trend M
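The check behind the "ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed." line this thread keeps hitting, modelled in Python as an added example rather than OSSEC's own code. The ossec.conf fragments are constructed (the thread's config is only visible as the flattened "syslog 10.5.4.1 514 secure"), only plain addresses and CIDR blocks are accepted in allowed-ips/denied-ips, and the evaluation order (denied-ips first, then allowed-ips, default deny, consulted for syslog listeners only, with the lists collected from every <remote> block) is this example's reading of the 2.6 syslog path, so confirm it against your own build before relying on it. It does not explain Adriel's case, which the thread leaves unresolved; it shows which sources a given config admits and the warning the rejected ones produce.

```python
"""Model of the check behind ossec-remoted's "(1213): WARN: Message from X
not allowed." line quoted in this thread.  Added example, not OSSEC's code:
the ossec.conf fragments are constructed, only plain IPs and CIDR blocks are
accepted in allowed-ips/denied-ips, and the order (denied-ips first, then
allowed-ips, default deny, applied to syslog listeners only, lists collected
from every <remote> block) is this example's reading of the 2.6 syslog path."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server config: one syslog listener restricted to the firewall,
# one 'secure' agent listener (agents are admitted by client.keys, not by
# allowed-ips, so that block carries none).
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>10.5.4.1</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>"""


def parse_remote_config(conf_text):
    """Return (listeners, allowed, denied) gathered from the <remote> blocks."""
    root = ET.fromstring(conf_text)
    listeners, allowed, denied = [], [], []
    for block in root.findall("remote"):
        listeners.append({
            "connection": (block.findtext("connection") or "secure").strip(),
            "port": int(block.findtext("port") or 1514),
        })
        for tag, dest in (("allowed-ips", allowed), ("denied-ips", denied)):
            for node in block.findall(tag):
                # strict=False lets "10.5.4.1" and "10.5.4.0/24" both parse.
                dest.append(ipaddress.ip_network(node.text.strip(), strict=False))
    return listeners, allowed, denied


def syslog_source_allowed(conf_text, src_ip):
    """(accepted, reason) for a syslog datagram arriving from src_ip."""
    listeners, allowed, denied = parse_remote_config(conf_text)
    if not any(l["connection"] == "syslog" for l in listeners):
        return False, "no syslog <remote> block"
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in denied):
        return False, "matched denied-ips"
    if any(ip in net for net in allowed):
        return True, "matched allowed-ips"
    return False, "not in allowed-ips"


def remoted_warning(src_ip, ts="2012/08/16 21:41:03"):
    """The log line a rejected source produces, in the format the thread quotes."""
    return f"{ts} ossec-remoted(1213): WARN: Message from {src_ip} not allowed."


def triage(conf_text, sources):
    """Map each source IP to (accepted, reason, warning-or-None)."""
    result = {}
    for src in sources:
        ok, why = syslog_source_allowed(conf_text, src)
        result[src] = (ok, why, None if ok else remoted_warning(src))
    return result


if __name__ == "__main__":
    for src, (ok, why, warn) in triage(OSSEC_CONF, ["10.5.4.1", "10.5.4.9", "192.0.2.7"]).items():
        print(f"{src:>12}: {'accept' if ok else 'reject'} ({why})" + (f"\n    {warn}" if warn else ""))
```

Two things worth checking on a real server that this model makes explicit: the allowed-ips entry must sit in the config remoted actually reads (a custom install prefix such as /opt/ossec changes which ossec.conf that is), and a denied-ips entry beats an allowed-ips entry for the same address, so a broad deny silently wins over a narrow allow.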