Re: [ossec-list] OSSEC Clients connect to server - server doesn't answer / show them in the UI

2014-06-04 Thread dan (ddp)
On Jun 4, 2014 4:36 PM, "Bjoern Schwabe" wrote: > > Dan, > thank you for taking interest in this issue. > > Yes, there is a ossec.log file. > I have restarted the server and several times the client to see what happens to the log file: > http://i.imgur.com/OOEMtyI.png > (Not much) > > Server IP: >

Re: [ossec-list] OSSEC Clients connect to server - server doesn't answer / show them in the UI

2014-06-04 Thread Jb Cheng
I could not see your PNG files either. Judging from the following error, which means that manage_agents.exe could not get the full path to the directory the executable lives in, I suspect you might have a non-working OSSEC Windows agent installation. Where did you get the agent from? T

[ossec-list] Re: I need help with implementing a new OSSEC monitoring process for USB drive insertion

2014-06-04 Thread pmsearle90
Oh and I am using version 2.6 on the client and the server. On Wednesday, June 4, 2014 3:26:42 PM UTC-5, pmsearle90 wrote: > I have worked with OSSEC in the past and taken over in the last three > months our OSSEC infrastructure, so have mercy... > > I am following up after reading this thread

Re: [ossec-list] Re: I need help with implementing a new OSSEC monitoring process for USB drive insertion

2014-06-04 Thread dan (ddp)
On Jun 4, 2014 5:06 PM, "pmsearle90" wrote: > > Thanks for following up Dan. I apologize for not being clear... > > I am not getting the alert log on the server to recognize the insertion or removal. > I am not getting what Daniel said I should see on the server file structure. > what could I do t

[ossec-list] Re: I need help with implementing a new OSSEC monitoring process for USB drive insertion

2014-06-04 Thread pmsearle90
Thanks for following up Dan. I apologize for not being clear... I am not getting the alert log on the server to recognize the insertion or removal. I am not getting what Daniel said I should see on the server file structure. What could I do to further troubleshoot?? However, FYI>> I have just

Re: [ossec-list] I need help with implementing a new OSSEC monitoring process for USB drive insertion

2014-06-04 Thread dan (ddp)
On Wed, Jun 4, 2014 at 4:26 PM, pmsearle90 wrote: > I have worked with OSSEC in the past and taken over in the last three months > our OSSEC infrastructure, so have mercy... > > I am following up after reading this thread and trying to implement USB > thumb drive insertion monitoring : > > > https

Re: [ossec-list] OSSEC Clients connect to server - server doesn't answer / show them in the UI

2014-06-04 Thread dan (ddp)
On Wed, Jun 4, 2014 at 3:53 PM, Bjoern Schwabe wrote: > Dan, > thank you for taking interest in this issue. > > Yes, there is a ossec.log file. > I have restarted the server and several times the client to see what happens > to the log file: > http://i.imgur.com/OOEMtyI.png > (Not much) > > Server

Re: [ossec-list] OSSEC Clients connect to server - server doesn't answer / show them in the UI

2014-06-04 Thread Bjoern Schwabe
Dan, thank you for taking interest in this issue. Yes, there is a ossec.log file. I have restarted the server and several times the client to see what happens to the log file: http://i.imgur.com/OOEMtyI.png (Not much) Server IP: http://imgur.com/Y5FgKRb Here is a server shot from tcpdump fil

[ossec-list] I need help with implementing a new OSSEC monitoring process for USB drive insertion

2014-06-04 Thread pmsearle90
I have worked with OSSEC in the past and taken over in the last three months our OSSEC infrastructure, so have mercy... I am following up after reading this thread and trying to implement USB thumb drive insertion monitoring : https://groups.google.com/d/topic/ossec-list/eL2DTKSXnhI/discussi

[ossec-list] Re: OSSEC 2.8 Released

2014-06-04 Thread Jb Cheng
For a detailed, complete list of changes from 2.7.1 to 2.8, refer to the closed Pull Requests on GitHub (https://github.com/ossec/ossec-hids/pulls?direction=desc&page=1&sort=created&state=closed). Or, you can see a formatted version of the above at https://gist.github.com/jrossi/2ba9471e408e7b4

Re: [ossec-list] Integrity checksum changed for: '/usr/bin/from'

2014-06-04 Thread PAL 18
Looks like it's safe; 30 minutes before the email was sent out, I installed a package. I got thrown off because I thought the crc check was in real time. update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm)$ update-alternatives: using /usr/bin/from.mailutils to provid

[ossec-list] OSSEC 2.8 Released

2014-06-04 Thread Vic Hargrave
OSSEC 2.8 has been released and posted on our download page - http://www.ossec.net/?page_id=19. You can check the release notes to find out what has been updated in this release.

[ossec-list] Re: Won't start after upgrade from 2.7.1 to 2.8

2014-06-04 Thread Jb Cheng
Thanks to Steve for reporting this. Yes, the rule bro-ids.xml was removed in 2.8 since it did not work anyway. Please delete the line in your /var/ossec/etc/ossec.conf to avoid the error message. On Wednesday, June 4, 2014 9:57:04 AM UTC-7, Steven Stern wrote: > > At the end of ./install.sh >

Re: [ossec-list] Integrity checksum changed for: '/usr/bin/from'

2014-06-04 Thread Steven Stern
Check your package updater's logs. On 06/04/2014 07:51 AM, dan (ddp) wrote: > On Wed, Jun 4, 2014 at 4:53 AM, PAL 18 wrote: >> I just got this a few minutes ago and I wasn't logged into the box. Should I >> be worried? Has my server been hacked? >> > > You have to investigate the change. There'

[ossec-list] 1 zombie process after starting 2.8

2014-06-04 Thread Steven Stern
# ps -ef |grep ossec ossecm 17982 1 0 11:55 ?00:00:00 /var/ossec/bin/ossec-maild root 17984 1 0 11:55 ?00:00:00 /var/ossec/bin/ossec-execd ossec17990 1 0 11:55 ?00:00:00 /var/ossec/bin/ossec-analysisd root 17994 1 0 11:55 ?00:00:00 /

[ossec-list] Won't start after upgrade from 2.7.1 to 2.8

2014-06-04 Thread Steven Stern
At the end of ./install.sh OSSEC HIDS v2.7.1 Stopped Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)... ossec-analysisd: Configuration error. Exiting. - Configuration finished properly. service ossec start Starting OSSEC:[FAILED] from ossec.log 2014/

Re: [ossec-list] upgrading to v2.8 changed local to server

2014-06-04 Thread Up
On Wednesday, June 4, 2014 11:40:13 AM UTC-5, Up wrote: > > Thanks Dan. Deleting the entry in ossec.conf took care of that rule. > > > What is the full output of /etc/ossec-init.conf. > DIRECTORY="/var/ossec" > VERSION="v2.8" > DATE="Wed Jun 4 11:06:30 CDT 2014" > TYPE="server" > > Previous

Re: [ossec-list] upgrading to v2.8 changed local to server

2014-06-04 Thread upen
Thanks Dan. Deleting the entry in ossec.conf took care of that rule. > What is the full output of /etc/ossec-init.conf. DIRECTORY="/var/ossec" VERSION="v2.8" DATE="Wed Jun 4 11:06:30 CDT 2014" TYPE="server" Previously, it was: DIRECTORY="/var/ossec" VERSION="v2.7.1" DATE="Mon Feb 17 16:27:23 CST

Re: [ossec-list] upgrading to v2.8 changed local to server

2014-06-04 Thread Jeremy Rossi
* Up [2014-06-04 09:21:22 -0700]: Hello guys, I just tried upgrade of ossec on my linux system(local) from VERSION="v2.7.1"TYPE="local" to latest Latest Stable Release (2.8)server/agent. But it seems there is no local type in it? After running ./install.sh (I chose yes to both questions), my

Re: [ossec-list] upgrading to v2.8 changed local to server

2014-06-04 Thread dan (ddp)
On Wed, Jun 4, 2014 at 12:21 PM, Up wrote: > Hello guys, > > I just tried upgrade of ossec on my linux system(local) from > VERSION="v2.7.1"TYPE="local" to latest Latest Stable Release > (2.8)server/agent. But it seems there is no local type in it? > > After running ./install.sh (I chose yes to b

[ossec-list] upgrading to v2.8 changed local to server

2014-06-04 Thread Up
Hello guys, I just tried upgrade of ossec on my linux system(local) from VERSION="v2.7.1"TYPE="local" to latest Latest Stable Release (2.8)server/agent. But it seems there is no local type in it? After running ./install.sh (I chose yes to both questions), my TYPE="local" got converted to TYPE

[ossec-list] 2.8 released?

2014-06-04 Thread Janelle
Hello. On the website, 2.8 shows as "latest stable" - does this mean it has been released? ~J

Re: [ossec-list] Integrity checksum changed for: '/usr/bin/from'

2014-06-04 Thread dan (ddp)
On Wed, Jun 4, 2014 at 4:53 AM, PAL 18 wrote: > I just got this a few minutes ago and I wasn't logged into the box. Should I > be worried? Has my server been hacked? > You have to investigate the change. There's no way for us to know. > Rule: 550 fired (level 7) -> "Integrity checksum changed."

Re: [ossec-list] OSSEC Clients connect to server - server doesn't answer / show them in the UI

2014-06-04 Thread dan (ddp)
On Tue, Jun 3, 2014 at 9:52 PM, Bjoern Schwabe wrote: > Hey guys, > > I have been having troubles configuring agents and establishing > communication between the OSSEC server I have set up and the agent. > > The configuration: > Server: Debian Wheezy - standard installation from github with option

[ossec-list] Integrity checksum changed for: '/usr/bin/from'

2014-06-04 Thread PAL 18
I just got this a few minutes ago and I wasn't logged into the box. Should I be worried? Has my server been hacked? Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/usr/bin/from' Old md5sum was: '24dc25d90a3eca83ee42f2532f33e174