I understand that ossec will report on hidden processes which is designed
to detect rootkits etc.
However, is it also possible to white-list trusted processes, and then have
ossec report on new processes which are not on the white-list? I understand
that there are many background tasks and
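One way to do what the post above asks for, as an added example that is not OSSEC code and not from the poster: a script the agent can run through a command localfile, which resolves every process's executable from /proc and prints each one that is not on a whitelist file. The whitelist location, the output line format and the sample process table are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Report running processes whose executable is not on a whitelist.

Added example, not OSSEC's own code: meant to be run by the OSSEC agent as a
<command> localfile so that every printed line reaches the manager as an event
a custom rule can alert on. Whitelist path, output format and the sample
process table are assumptions for illustration.
"""
import os
import sys

# Constructed sample of what a /proc walk yields: pid -> resolved exe path.
SAMPLE_PROCS = {
    1: "/usr/lib/systemd/systemd",
    412: "/usr/sbin/sshd",
    733: "/usr/sbin/rsyslogd",
    901: "/tmp/.x/update",        # constructed: not on the whitelist
    1022: "/usr/sbin/sshd",
}


def load_whitelist(lines):
    """Parse whitelist text: one absolute path per line, '#' starts a comment."""
    allowed = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line:
            allowed.add(line)
    return allowed


def running_processes():
    """Map pid -> executable path by reading /proc (Linux only).
    Kernel threads and processes we may not inspect are skipped."""
    procs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            procs[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
    return procs


def unlisted(procs, allowed):
    """Return sorted (pid, exe) pairs that should be reported.

    A binary that was unlinked from disk while running shows up as
    '<path> (deleted)'; it is reported even if the path is whitelisted,
    because the file it came from can no longer be checked."""
    hits = []
    for pid, exe in procs.items():
        if exe.endswith(" (deleted)") or exe not in allowed:
            hits.append((pid, exe))
    return sorted(hits)


def main(argv):
    # Assumed whitelist location; one path per line.
    wl_path = argv[1] if len(argv) > 1 else "/var/ossec/etc/process-whitelist.txt"
    with open(wl_path) as fh:
        allowed = load_whitelist(fh)
    for pid, exe in unlisted(running_processes(), allowed):
        print(f"unlisted process pid={pid} exe={exe}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a `<localfile>` with `<log_format>command</log_format>` so each printed line becomes its own event, and write a rule under the generic command-output rule (rule 530 in ossec_rules.xml) that matches `unlisted process`. The check is by executable path only, so a whitelisted binary that has been replaced on disk still passes; keep syscheck watching the whitelisted paths to cover that case.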
On 2015-01-13 1:07, BKeep wrote:
Does it make sense to ship all endpoint logs to the central log
repository then use rsyslog to redirect the logs to local files,
graylog2, and OSSEC?
I have deployed OSSEC in several environments over the years. My
preference is to use OSSEC agents for
Thanks,
but I cannot find the file in the whole directory, however I did see it
after compilation.
Can you help me locate what creates ossec.mc? (maybe I can remove it from
there)
On Tue, Jan 13, 2015 at 5:01 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Jan 13, 2015 at 7:58 AM, Yaniv Ron
found it:
echo "<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>" >> $NEWCONFIG
inside install.sh
thanks man!
On Tue, Jan 13, 2015 at 6:17 AM, Yaniv Ron y...@viber.com wrote:
Thanks,
but I cannot find the file in the whole directory, however I did see it
after
:).
btw, change it to python or perl my friend since (I think) that sort piped
to netstat running on a machine with lots of open sockets causes the CPU to
be on 100%.
system calls are much better on these guys (perl/python) than on bash
On Tue, Jan 13, 2015 at 4:23 PM, dan (ddp)
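For the rewrite suggested in the message above, as an added example that is not OSSEC's code: a Python stand-in for the install.sh pipeline `netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort` that reads /proc/net/tcp and /proc/net/tcp6 directly instead of forking four processes. It goes a little beyond the original pipeline by handling IPv6 and also dropping ::1. The sample tables and the output line format are constructed for illustration.

```python
#!/usr/bin/env python3
"""List listening TCP sockets without spawning netstat, grep and sort.

Added example, not OSSEC's own code: a replacement for the install.sh command
'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort' that reads the kernel's
/proc/net/tcp and /proc/net/tcp6 tables (Linux). The output format is an
assumption; any stable, sorted text suits OSSEC's command localfile, which
alerts when the output differs from the previous run.
"""
import socket
import struct

LISTEN = "0A"   # socket state code for LISTEN in /proc/net/tcp*

# Constructed samples in /proc/net/tcp(6) layout (header row + entries) for
# offline use; main() reads the real files.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18500 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18123 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:0016 6400A8C0:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 22010 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19002 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hexaddr):
    """Turn the kernel's hex address into dotted/colon notation.
    IPv4 is one little-endian 32-bit word; IPv6 is four of them."""
    if len(hexaddr) == 8:
        return socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(hexaddr, 16)))
    words = [int(hexaddr[i:i + 8], 16) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, struct.pack("<IIII", *words))


def listening_sockets(text, proto):
    """Parse one /proc/net/tcp* table and return (proto, addr, port) for every
    LISTEN socket, dropping loopback (127.0.0.0/8 and ::1) as the grep -v did."""
    found = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hexaddr, hexport = fields[1].split(":")
        addr = _decode_addr(hexaddr)
        if addr.startswith("127.") or addr == "::1":
            continue
        found.append((proto, addr, int(hexport, 16)))
    return found


def report_lines(tcp4_text, tcp6_text):
    """Sorted, stable lines for OSSEC to compare between runs."""
    rows = listening_sockets(tcp4_text, "tcp") + listening_sockets(tcp6_text, "tcp6")
    return sorted(f"{p} {a}:{port} LISTEN" for p, a, port in rows)


def main():
    texts = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:          # e.g. IPv6 disabled: treat as an empty table
            texts.append("")
    for line in report_lines(*texts):
        print(line)


if __name__ == "__main__":
    main()
```

Whether this is cheaper than netstat on a host with many sockets is something to measure on that host; what it removes for certain is the fork and exec of four processes per run, and it needs nothing outside the standard library. Point the `<command>` at this script instead of the netstat pipeline and the existing "Listened ports status changed" rule logic keeps working on the new output as long as the line format stays stable.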
I understand...hmm I read somewhere that perl and python have a memory
management module that takes care not to choke the system.
however your call man, I appreciate the help today :) ! thanks
On Tue, Jan 13, 2015 at 4:29 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Jan 13, 2015 at 9:26 AM,
grep -nr netstat
etc/rules/ossec_rules.xml:151:    <match>ossec: output: 'netstat -tan</match>
etc/rules/ossec_rules.xml:153:    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
doc/rootcheck.txt:65: bind to the port (it's being used), but netstat does not
On Tue, Jan 13, 2015 at 9:22 AM, Yaniv Ron y...@viber.com wrote:
found it:
echo "<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>" >> $NEWCONFIG
inside install.sh
thanks man!
And that took you less time than it took me to git clone a fresh copy.
On Tue, Jan 13, 2015
On Tue, Jan 13, 2015 at 9:26 AM, Yaniv Ron y...@viber.com wrote:
:).
btw, change it to python or perl my friend since (I think) that sort piped
to netstat running on a machine with lots of open sockets causes the CPU to
be on 100%.
system calls are much better on these guys (perl/python)
On Tue, Jan 13, 2015 at 9:35 AM, Yaniv Ron y...@viber.com wrote:
I understand...hmm I read somewhere that perl and python have a memory
management module that takes care not to choke the system.
however your call man, I appreciate the help today :) ! thanks
It's not my call, I'm just offering
On Tue, Jan 13, 2015 at 9:17 AM, Yaniv Ron y...@viber.com wrote:
Thanks,
but I cannot find the file in the whole directory, however I did see it
after compilation.
Can you help me locate what creates ossec.mc? (maybe I can remove it from
there)
I can look through the scripts for you.
On
Hi,
we have Ossec server/agents (2.7.0) for monitoring file integrity. Both
include check_all=yes in their syscheck configurations. The agents work
perfectly and report file changes including their old/current MD5 and SHA1
hashes. However, logs from the Ossec server machine report only file
Hi,
I am just getting started with designing a logging stack and have some
questions regarding how OSSEC will fit into the overall scheme. Over the
last several weeks, I have been setting up different log stacks and think I
have a viable solution. However, I have some questions about how
Thanks Dan, opened an issue here:
https://github.com/ossec/ossec-hids/issues/495
dan (ddpbsd) wrote on Thursday, January 8, 2015 at 9:38:32 PM UTC+8:
On Wed, Jan 7, 2015 at 9:39 PM, Ming pomi...@gmail.com wrote:
Thanks Dan,
It works! Do you think it will be included in coming update of
Thanks,
but is there a more reasonable way to do it on 1 package and then deploy it?
and if so...how? (I tried compiling an RPM and set n for root check on
/ossec-hids-2.8.1/etc/preloaded-vars.conf but it doesn't work).
# If USER_ENABLE_ROOTCHECK is set to y,
# rootcheck will be enabled. Set to
I was curious is there a restriction for new users to post?
--
---
You received this message because you are subscribed to the Google Groups
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more
Hi All,
I would like to disable the agents from running the command netstat, how
can I do it?
(I tried reading the document on OSSEC site but unfortunately I couldn't
find anything)
--
*Yaniv Ron*
+972-3-7298582
*Security Department | Viber S.a.r.l *| www.viber.com | yron@viber
On Tue, Jan 13, 2015 at 2:16 AM, BKeep bk...@alias454studios.com wrote:
I was curious is there a restriction for new users to post?
No, the list is moderated though. And for some reason some non-spam
messages are marked as spam by google, so I have to accidentally
stumble on them on occasion.
How can I import the agents without this command? (meaning that I do not
want my agents to run it at all)
On Mon, Jan 12, 2015 at 6:42 PM, Ming poming...@gmail.com wrote:
Thanks Dan, opened an issue here:
https://github.com/ossec/ossec-hids/issues/495
dan (ddpbsd) wrote on Thursday, January 8, 2015
On Tue, Jan 13, 2015 at 7:44 AM, Yaniv Ron y...@viber.com wrote:
Hi All,
I would like to disable the agents from running the command netstat, how
can I do it?
(I tried reading the document on OSSEC site but unfortunately I couldn't
find anything)
Remove the appropriate localfile entry in
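One way to do that removal as a step that can be packaged and deployed, as an added example that is not OSSEC's tooling and not from either poster: a Python script, run from a package post-install or configuration-management hook on each agent, that deletes the `<localfile>` block whose `<command>` runs netstat from ossec.conf. It works on the text rather than with an XML parser because ossec.conf is not always a single well-formed XML document. The config path, the sample ossec.conf and the "netstat" match string are assumptions.

```python
#!/usr/bin/env python3
"""Strip <localfile> blocks whose <command> runs netstat from an ossec.conf.

Added example, not OSSEC's own tooling: intended for a package post-install
or config-management step on each agent, since the entry is written by
install.sh rather than controlled by the rootcheck setting in
preloaded-vars.conf. ossec.conf may contain several <ossec_config> roots and
comments, so the file is edited as text instead of being parsed as XML.
The path below and the sample config are assumptions for illustration.
"""
import re
import sys

# Constructed sample of the relevant part of an agent's ossec.conf.
SAMPLE_CONF = """\
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

# One <localfile>...</localfile> block plus the blank lines after it, so the
# file does not accumulate whitespace when the script is run repeatedly.
LOCALFILE_BLOCK = re.compile(
    r"[ \t]*<localfile>.*?</localfile>[ \t]*\n(?:[ \t]*\n)*", re.DOTALL)
COMMAND_TAG = re.compile(r"<command>(.*?)</command>", re.DOTALL)


def strip_command_localfiles(conf_text, needle="netstat"):
    """Return (new_text, removed_count).

    Only blocks with a <command> containing `needle` are dropped; syslog and
    other localfile entries are left exactly as they were."""
    removed = 0

    def _decide(match):
        nonlocal removed
        block = match.group(0)
        cmd = COMMAND_TAG.search(block)
        if cmd and needle in cmd.group(1):
            removed += 1
            return ""
        return block

    return LOCALFILE_BLOCK.sub(_decide, conf_text), removed


def main(argv):
    path = argv[1] if len(argv) > 1 else "/var/ossec/etc/ossec.conf"  # assumed default
    with open(path) as fh:
        original = fh.read()
    new_text, count = strip_command_localfiles(original)
    if count:
        with open(path, "w") as fh:      # file is root-owned; run as root
            fh.write(new_text)
    print(f"removed {count} netstat localfile block(s) from {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script is idempotent, so it is safe in a post-install hook that runs on every upgrade. The agent only re-reads ossec.conf on start, so follow it with `/var/ossec/bin/ossec-control restart` for the change to take effect.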
On Tue, Jan 13, 2015 at 7:58 AM, Yaniv Ron y...@viber.com wrote:
Thanks,
but is there a more reasonable way to do it on 1 package and then deploy it?
and if so...how? (I tried compiling an RPM and set n for root check on
/ossec-hids-2.8.1/etc/preloaded-vars.conf but it doesn't work).
# If
Ahh okay thanks
On Tue, Jan 13, 2015 at 10:11 AM, SoulAuctioneer
awiddersh...@hotmail.com wrote:
It can probably be added. There are a few issues with the proper reporting
of 2012 and 2012R2 but they are pretty minimal. Everything else should work
though.
I've created a pull request to update the
Hi,
I'll try to simulate this tomorrow in virtual machines, as I don't have the
necessary access to the environment (I only receive the logs from syslog).
I'll post the results.
MK
On Tuesday, January 13, 2015 at 3:40:26 PM UTC+1, Martin Kvocka wrote:
Hi,
we have Ossec server/agents
I just investigated this as I've been working on the eventchannel code
quite a bit. The eventchannel stuff will both bookmark the last location so
the agent can pick up again where it left off. Also, if the manager is down
and seen as disconnected by the agent then it will also behave the same
On Mon, 12 Jan 2015, BKeep wrote:
Hi,
I am just getting started with designing a logging stack and have some
questions regarding how OSSEC will fit into the overall scheme. Over the
last several weeks, I have been setting up different log stacks and think I
have a viable solution. However, I
Hello,
I only want to track 4-5 specific registry keys across all agents, ignoring
all other registry keys. How do I clear and stop tracking all the other
keys?
I am aware of the windows_registry tag, but modifying the syscheck
options of the server's ossec.conf file, updating the database for