Re: [ossec-list] Matching a port range

2012-08-23 Thread Doc
Ha...that's what I was afraid of, Dan. Michael, thanks for the link. I'm not really a programmer, but I might be able to muddle through that. If not, I can find someone here easy enough to help. I'll check it out. On Thursday, August 23, 2012 10:22:21 AM UTC-5, Michael Starks wrote: > > On 2

Re: [ossec-list] Can this be achieved by rules?

2012-08-23 Thread Michael Starks
On 23.08.2012 15:13, Kevin Huang wrote: Thanks for your answer, but I would like to silence the corresponding rule, say, if 4386 is fired and then can I silence 4334 for 40 minutes, as long as rule 4386 is fired? Hmmm, the only thing I can think of is a custom script based on an active respo

Re: [ossec-list] Can this be achieved by rules?

2012-08-23 Thread Kevin Huang
On 8/23/12 10:49 AM, Michael Starks wrote: > > 4334 > Multiple AAA (VPN) authentication > failures. > authentication_failures, > Thanks for your answer, but I would like to silence the corresponding rule, say, if 4386 is fired and then can I silence 4334 for 40 minutes, as long as r

Re: [ossec-list] how to tell if syscheck is actively running?

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 3:33 PM, dkoleary wrote: > Hi; > > It now appears that quite a bit of my initial problems have been caused by > my own impatience. As others have noted, when running syscheck initially, > it creates the database of files w/check sums, permissions etc. That, > apparently, tak

[ossec-list] how to tell if syscheck is actively running?

2012-08-23 Thread dkoleary
Hi; It now appears that quite a bit of my initial problems have been caused by my own impatience. As others have noted, when running syscheck initially, it creates the database of files w/check sums, permissions etc. That, apparently, takes *A LONG* time lol. For testing, I have the syscheck fr

Re: [ossec-list] syscheck: monitor directories and some files w/different parameters?

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 12:52 PM, dkoleary wrote: > Hi; > > I'm not overly interested in getting alerted every time someone changes > their password so, I'd like to monitor the shadow file for owner, group and > permissions only while keeping everything else in /etc monitored for > everything. > >

[ossec-list] syscheck: monitor directories and some files w/different parameters?

2012-08-23 Thread dkoleary
Hi; I'm not overly interested in getting alerted every time someone changes their password so, I'd like to monitor the shadow file for owner, group and permissions only while keeping everything else in /etc monitored for everything. Would the following lines in syscheck do that or is this so

[ossec-list] Re: Server/agents?

2012-08-23 Thread dkoleary
Hey; Never mind; I got it. Finally found the agent_control -l command which showed me that there was an agent 000 for localhost. agent_control -r -u 000 says it's running syscheck locally. Still not getting the alerts that I think I should be, but that's a different problem. Thanks anyway.

Re: [ossec-list] Server/agents?

2012-08-23 Thread Tony Perez, PMP
Hi Doug Not 100%, but pretty sure that if your environment is only 1 server with 1 install then there is no need to run the agent, as there is no agent. You simply run it on the server. Thanks dkoleary August 23, 2012 9:26 AM Hi; My ossec environmen

Re: [ossec-list] Server/agents?

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 12:26 PM, dkoleary wrote: > Hi; > > My ossec environment, currently, consists of only one ossec server. That'll > expand reasonably soon; however, at the moment, just got the one server. > Since I only had the one server, when I started, I did not run the > manage_agents c

Re: [ossec-list] No agent available

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 12:25 PM, Tony Trummer wrote: > > I'm trying to configure a new OSSEC installation on Centos 5.8 64bit using a > previous 2.3 installation as a guide. As far as I can tell I've gotten it What year is that installation guide from? > all configured the same, but all of the

[ossec-list] Server/agents?

2012-08-23 Thread dkoleary
Hi; My ossec environment, currently, consists of only one ossec server. That'll expand reasonably soon; however, at the moment, just got the one server. Since I only had the one server, when I started, I did not run the manage_agents command. After some changes to the ossec config file, I ra

[ossec-list] No agent available

2012-08-23 Thread Tony Trummer
I'm trying to configure a new OSSEC installation on Centos 5.8 64bit using a previous 2.3 installation as a guide. As far as I can tell I've gotten it all configured the same, but all of the list_agents commands (-a, -n, -c) show "No agent available". I can see the following in the agent logs, whic

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 11:52 AM, Christopher Werby wrote: > Hi Dan, > > Here's the "Error 127" that I get when I execute `make plugins`. I also show > the PATH on my system and the permissions on compiled_rules/ (775). > >> root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# echo $PATH >

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-23 Thread Christopher Werby
Hi Dan, Here's the "Error 127" that I get when I execute `make plugins`. I also show the PATH on my system and the permissions on compiled_rules/ (775). > root@xxx:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# echo $PATH > /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin > root@

Re: [ossec-list] directories to monitor?

2012-08-23 Thread Kevin Wilcox
On Thu, Aug 23, 2012 at 11:12 AM, dkoleary wrote: > Has anyone modified the defaults in any significant way and have any > feedback on the quantity/quality of the resulting alerts? Yes. We monitor 20-30 Linux and Unix (BSD) servers and none are using the default directory configuration. My reas

Re: [ossec-list] Matching a port range

2012-08-23 Thread Michael Starks
On 22.08.2012 10:56, Doc wrote: Drawing a blank here and not finding it in documentation...can we match a port range in a local rule? I'm looking to exclude messages where the destination port is dynamic within a specific range. Thanks, Doc As Dan noted, you can't do this with normal rules. Bu

[ossec-list] directories to monitor?

2012-08-23 Thread dkoleary
Hi; I have a client who's looking to install ossec, primarily for the integrity checking. I'm setting up the directories now and pondering the directories that get monitored. By default, it's the bin directories. I'm thinking of changing those as listed below and was hoping for some feedback

Re: [ossec-list] Can this be achieved by rules?

2012-08-23 Thread Michael Starks
On 22.08.2012 17:05, Kevin Huang wrote: Hi, I am new to ossec, I would like to write a rule that will check for an occurrences when a rule is fired and if it is fired at a certain rate, do something. A scenario, I would like to write a rule that monitors all alerts and if I found more than

Re: [ossec-list] Re: ossec-analysisd core dumps on Solaris 10

2012-08-23 Thread dan (ddp)
Looks like Daniel Cid might have fixed this: https://bitbucket.org/dcid/ossec-hids/changeset/8cc93c407d69 On Wed, Aug 22, 2012 at 7:54 AM, dan (ddp) wrote: > On Fri, Aug 17, 2012 at 7:56 PM, Jim wrote: >> Dan, >> >> Here is the backtrace from GDB, but I am not sure that tells much more than >> m

Re: [ossec-list] analysisd register_rule.sh script permission error halts install

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 12:05 AM, Christopher Werby wrote: > Hi Ryan, > > Sure! > >> root@XXX:/tmp/ossec-hids-2.6/src/analysisd/compiled_rules# /bin/sh -x >> register_rule.sh build >> + CHF=compiled_rules.h >> + ls -la register_rule.sh >> + '[' '!' 0 = 0 ']' >> + '[' xbuild = x -o xbuild = xhelp

Re: [ossec-list] Can this be achieved by rules?

2012-08-23 Thread dan (ddp)
On Wed, Aug 22, 2012 at 6:05 PM, Kevin Huang wrote: > Hi, > > I am new to ossec, I would like to write a rule that will check for an > occurrences when a rule is fired and if it is fired at a certain rate, > do something. > > A scenario, I would like to write a rule that monitors all alerts and if

Re: [ossec-list] What is the mistake in it?

2012-08-23 Thread dan (ddp)
On Thu, Aug 23, 2012 at 7:36 AM, ant's wrote: > Hi all: > > I'm seeing these errors in my log file : > > 2012/08/23 11:23:06 ossec-agentd: INFO: Using IPv4 for: 5x.x.x.x.x . > 2012/08/23 11:23:27 ossec-agentd(4101): WARN: Waiting for server reply (not > started). Tried: '5x.x.x.x. > > I'm sure thi

[ossec-list] What is the mistake in it?

2012-08-23 Thread ant's
Hi all: I'm seeing these errors in my log file : 2012/08/23 11:23:06 ossec-agentd: INFO: Using IPv4 for: 5x.x.x.x.x . 2012/08/23 11:23:27 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '5x.x.x.x. I'm sure this of some firewall issues. I have configured firewall this wa