[ossec-list] I understand hybrid mode, but how to create a key to give to hybrid?

2012-12-04 Thread peng lin
Hybrid can create a key for an agent; how does the server create a key for the hybrid? And how will the hybrid import the key?

Re: [ossec-list] Can't restart Windows agent in server?

2012-12-04 Thread peng lin
I did it, and it works. Changed active response disable from yes to no. On Wednesday, December 5, 2012 10:35:33 AM UTC+8, peng lin wrote: > Oh? In Linux, I needn't enable active response. > In Windows I must enable it, so that the server can restart > the Windows agent? > On Tuesday, December 4, 2012 9

[ossec-list] VERY THANKS TO Dan

2012-12-04 Thread peng lin
VERY THANKS TO Dan. I looked at this group; a lot of questions were answered by you, and you solved lots of my questions. Thank you for such a spirit of sharing. My English is not good, so just: THANK YOU

Re: [ossec-list] Can't restart Windows agent in server?

2012-12-04 Thread peng lin
Oh? In Linux, I needn't enable active response. In Windows I must enable it, so that the server can restart the Windows agent? On Tuesday, December 4, 2012 9:48:33 PM UTC+8, dan (ddpbsd) wrote: > On Tue, Dec 4, 2012 at 1:08 AM, peng lin > > wrote: > > Can't restart Windows agent in server? > >

Re: [ossec-list] Where is hybrid mode?

2012-12-04 Thread peng lin
On Tuesday, December 4, 2012 9:48:07 PM UTC+8, dan (ddpbsd) wrote: > > On Mon, Dec 3, 2012 at 9:37 PM, peng lin > > wrote: > > how to install with hybrid mode ? > > is that use this ? to layer Deploy? > > server > >| > >

Re: [ossec-list] correlate 2 lines in ossec

2012-12-04 Thread Christopher Decker
Nicolas, Over on the ossec-dev list there was a patch created by Brad Lhotsky that does what you want, since it appears both of the lines you want to combine share an ID of 19378(?). Anyways, I believe his patch only supports alert generation based on multiple events (aka "composite" rules whe

Re: [ossec-list] Re: report_changes=yes not reporting diffs in alerts

2012-12-04 Thread Mathew Crane
To add to the confusion, this just started working for me after a restart of the agent and server (this is not the first time a restart was attempted). I'll keep digging to see if the issue presents itself again. On Tue, Dec 4, 2012 at 1:05 PM, Jb Cheng wrote: > I tried the following confi

[ossec-list] Re: /var/ossec/queue/ossec/queus not accessible error, while editing local_Rules.xml file

2012-12-04 Thread Frank
You can also turn ON debugging. It may tell you exactly what you did wrong. ossec/etc/internal_options.conf Change these to 2. # Windows debug (used by the windows agent) windows.debug=0 # Syscheck (local, server and unix agent) syscheck.debug=0 # Remoted (server debug) remoted.debug=0 # Analysi

Re: [ossec-list] Re: report_changes=yes not reporting diffs in alerts

2012-12-04 Thread Jb Cheng
I tried the following config on Linux CentOS 2.6.18. /etc Added a comment line to a dummy file /etc/hosts.jb; the diff showed up under queue/diff/local/etc/hosts.jb but did not show in alerts.log. TODO: Who can trace the source code to debug this issue? On Wednesday, November 28, 2012 8

[ossec-list] correlate 2 lines in ossec

2012-12-04 Thread Nicolas Zin
Hi, in my (mail)log I want to join information present (seldom) in my maillog on 2 lines. Example: Dec 2 08:03:44 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed Dec 2 08:03:45 ns15 sm-

Re: [ossec-list] Problem with rule 35051

2012-12-04 Thread Daniel Requena
Thank you! I'm pretty sure I already tried the 35005 "interception" approach, but I'll try again. Just for the record, is it possible to "match" multiple sites on a single rule, like this? Or even using a regex? 35005 facebook.com|facebook.com:443| static.facebook.

Re: [ossec-list] Decoder children aren't processed

2012-12-04 Thread dan (ddp)
On Tue, Dec 4, 2012 at 10:46 AM, Jeroen D wrote: > I was working all day with regular expressions to get a new child decoder of > bro-ids working. Nothing seemed to work, so I tried one of the tested and > tried decoders to check if the children are processed at all. > It turns out, they aren't... >

[ossec-list] Decoder children aren't processed

2012-12-04 Thread Jeroen D
I was working all day with regular expressions to get a new child decoder of bro-ids working. Nothing seemed to work, so I tried one of the tested and tried decoders to check if the children are processed at all. It turns out, they aren't... I'm using version 2.7. As you can see in the output belo

Re: [ossec-list] syscheck startup question

2012-12-04 Thread dan (ddp)
On Mon, Dec 3, 2012 at 2:00 PM, Mike Hubbard wrote: > Yes, I experimented with that and found that you could either initialize the > database right off the bat, or wait the frequency duration before > initializing it, but not a don't initialize it. So, modify the ossec-control script to not sta

Re: [ossec-list] Problem with rule 35051

2012-12-04 Thread dan (ddp)
On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena wrote: > Hi > > Just extracted from squid access.log > > 1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT > s-static.ak.facebook.com:443 - NONE/- text/html > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT > s-static.ak.fac

Re: [ossec-list] Can't restart Windows agent in server?

2012-12-04 Thread dan (ddp)
On Tue, Dec 4, 2012 at 1:08 AM, peng lin wrote: > Can't restart Windows agent in server? > I think restarting all Linux clients from the server is OK, but can't restart it in > Windows. (I can't see any information about restart in Windows /ossec/logs.) > What happened? Is active response enabled on the

Re: [ossec-list] Where is hybrid mode?

2012-12-04 Thread dan (ddp)
On Mon, Dec 3, 2012 at 9:37 PM, peng lin wrote: > how to install with hybrid mode ? > is that use this ? to layer Deploy? > server >| >| > --- hybridhybrid > | |

Re: [ossec-list] Problem with rule 35051

2012-12-04 Thread Daniel Requena
Hi. Just extracted from squid access.log: 1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html 1354623033.297 1 10.0.0.202

[ossec-list] Can't restart Windows agent in server?

2012-12-04 Thread peng lin
Can't restart Windows agent in server? I think restarting all Linux clients from the server is OK, but can't restart it in Windows. (I can't see any information about restart in Windows /ossec/logs.) What happened?