Hello:
am attempting to write a local decoder for Asterisk and cannot get the syntax
correct. The log line appears as:
[Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from ''
(NNN.NNN.NNN.NNN:9202) to extension 'N' rejected because extension
not found in context
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org wrote:
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com
wrote:
Hi,
I had the same issue with OSSEC 2.7, even with a fresh server / agent
install; I confirm.
Regards,
Guilhem
Weird, it's
Hi ALL. After upgrading ossec to 2.7 release I try to check auditd logs.
server side ossec.conf changes:
<localfile>
  <log_format>auditd</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
# service ossec restart
Stopping OSSEC:[
Yes -- I did it. Works fine. Just install it normally and select Upgrade
as it will find the previous version.
On Monday, December 10, 2012 9:13:07 PM UTC-8, peng lin wrote:
Can I use 2.7 to replace OSSIM's OSSEC?
Is that what everyone does?
Hi Brenden,
In your initial rule, the match syntax was wrong:
<match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum'</match>
OSSEC was actually looking for the string "sha1sum" OR the command
output name (the "| sha1sum" part is treated as a separator).
As for the key, we use
You missed something: after 'NOTICE[23927]' there is '[C-013] chan_sip.c:'
which is not in your prematch.
In my Guide to gooder grammer, I had a rule: Proofread your writing to see
if you any words out.
On Dec 11, 2012, at 12:12 AM, Phil Daws wrote:
Hello:
am attempting to write a
On Tue, 11 Dec 2012 10:39:19 -0400 Daniel Cid daniel@gmail.com wrote:
Hi Brenden,
In your initial rule, the match syntax was wrong:
<match>ossec: output: 'wget -o /dev/null -O - http\//www.unruleable.org/blog/ | sha1sum'</match>
OSSEC was actually looking for the string sha1sum OR the
Hi did anyone solve this issue in managed environment?
Y.
On Monday, 3 December 2012 09:30:53 UTC+1, user YatZeck
wrote:
Hi OSSec guys!
I've read a little about people's problems with the event count after '2',
but I think no one found a solution. My problem is that the ossec agent is
On Sun, Dec 9, 2012 at 11:10 AM, Guilmxm guilhem.march...@gmail.com wrote:
OK, the error in the log:
2012/12/09 12:47:44 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop14400' provided.
came from the fact that I wanted to increase the default 600-second banish
time to 14400 (4 hours),
On Tue, Dec 11, 2012 at 1:12 AM, Phil Daws ux...@splatnix.net wrote:
Hello:
am attempting to write a local decoder for Asterisk and cannot get the syntax
correct. The log line appears as:
[Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from ''
(NNN.NNN.NNN.NNN:9202) to
On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive, rule 1002
is kicking in:
sendmail[24167]: qBAHj1gY023631: to=fatal-err...@example.com,
delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705,
On Mon, Dec 10, 2012 at 10:12 AM, orfan a.ula...@gmail.com wrote:
I have ossec-hids-server-2.6_2.
<rule id="509" level="0">
  <category>ossec</category>
  <decoded_as>rootcheck</decoded_as>
  <description>Rootcheck event.</description>
  <group>rootcheck,</group>
</rule>
Decoded as rootcheck, but I
On Tue, Dec 11, 2012 at 6:20 AM, Roman K mf.f...@gmail.com wrote:
Hi ALL. After upgrading ossec to 2.7 release I try to check auditd logs.
server side ossec.conf changes:
<localfile>
  <log_format>auditd</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
# service
On Tue, Dec 11, 2012 at 5:03 PM, Scott Nelson wa6...@gmail.com wrote:
On Dec 11, 2012, at 3:55 PM, dan (ddp) wrote:
On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive, rule 1002
is kicking in:
sendmail[24167]:
On Dec 11, 2012, at 4:16 PM, dan (ddp) wrote:
You could match on the fatal-errors@blahblah as above, but set the
level higher. Then create a child rule matching the Ok: queued bit.
Sure. Thanks a lot for your help, Dan.
Scott
I tried to update OSSEC in the current copy (2.7) and give it the (www-data)
permissions as in the original, but when I update, I can't see any logs in
the SIEM dashboard.
On Tuesday, December 11, 2012 10:48:14 PM UTC+8, Kat wrote:
Yes -- I did it. Works fine. Just install it normally and select
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
wrote:
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
guilhem.march...@gmail.com wrote:
Hi,
I had the same issue with Ossec 2.7 even with a
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
wrote:
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
wrote:
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
Hello,
is there any chance to configure OSSEC to make every log append-only?
E.g. automatically set chattr -a for active logs and chattr -i for archived
ones? Because then, if I remove the CAP_LINUX_IMMUTABLE right for root (until
reboot), maybe I could cover more items in PCI scope. Thanks for any