It'd also help to see the commands you sent to the ASA for syslogging.
sh run log
or sh run | inc log
On Friday, February 6, 2015 at 8:34:12 AM UTC-8, dan (ddpbsd) wrote:
On Fri, Feb 6, 2015 at 11:28 AM, Network Infrastructure
panhat...@gmail.com wrote:
I the folder:
Hi Rodrigo,
I've seen the file syslog_rules.xml to see the rule with ID 1002, I
understood the rule perfectly. As you said I've changed the field match
of rules with ID 30200 and 30201 for ModSecurity: Access denied. I've
also changed the level of drop in my ossec.conf to level 2. Although,
Could be.
I don’t know if I have to write to the dev mailing list to have it fixed in the
next release.
I’m running my modified version on 3 asterisk instances and I’m very happy with
the results.
Regards,
Simon Gillet
On Feb 9, 2015, at 14:08, dan (ddp) ddp...@gmail.com wrote:
On Sun,
On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi
chacalito2...@gmail.com wrote:
Hi Rodrigo,
I've seen the file syslog_rules.xml to see the rule with ID 1002, I
understood the rule perfectly. As you said I've changed the field match of
rules with ID 30200 and 30201 for ModSecurity: Access
Hi Dan,
Thank you for your attention. I'm at work now, and I'm not able to access
my VPS from here, but tonight when I leave the company I'll send you the
log file.
On Monday, February 9, 2015 at 15:42:46 UTC-2, dan (ddpbsd) wrote:
On Mon, Feb 9, 2015 at 12:39 PM, Ricardo
On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi chacalito2...@gmail.com wrote:
Hi guys,
I made some tests here with ossec 2.7. When I try to scan the target,
modsec delivers a 403 error page, so ossec reads the apache access.log file
and matches the rule with ID 31151 from web_rules.xml and
Hi guys,
I made some tests here with ossec 2.7. When I try to scan the target,
modsec delivers a 403 error page, so ossec reads the apache access.log file
and matches the rule with ID 31151 from web_rules.xml and blocks the
attacker's IP on iptables. The rule is below:
rule level=10
On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi chacalito2...@gmail.com wrote:
Hi Dan,
The logs are in attach.
Ok, it looks like active response is being triggered by rule 31151:
Mon Feb 9 15:10:03 BRST 2015
/var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87
1423501803.36643 31151
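What Dan's active-responses.log line shows is the tail of a chain: Apache logs a 403, the base web rule classifies it as a 4xx, the composite rule 31151 counts 4xx hits from the same source IP inside a time window, and the level-10 alert clears the default active-response threshold (level 6 in a stock ossec.conf), so host-deny.sh is run with the source IP. The following Python emulation of that correlation, written for this page and not taken from OSSEC's sources, replays it over constructed access-log lines. The frequency (12) and timeframe (90 s) are assumptions matching what web_rules.xml uses for 31151, and firing on exactly the N-th event is an assumption of the emulation; tune them to your rule file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log prefix (assumed format; enough to pull srcip, time, status).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_access_line(line):
    """Return {'ip', 'ts', 'status'} for one Apache access-log line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts.timestamp(), "status": int(m.group("status"))}


class SameSourceIpRule:
    """Emulates an OSSEC composite rule (if_matched_sid + same_source_ip +
    frequency/timeframe): fires once `frequency` base-rule matches from one
    source IP fall inside `timeframe` seconds, then resets that IP's window.
    Firing at exactly the N-th event is an assumption of this emulation."""

    def __init__(self, rule_id, level, frequency, timeframe, base_match):
        self.rule_id = rule_id
        self.level = level
        self.frequency = frequency
        self.timeframe = timeframe
        self.base_match = base_match
        self.windows = defaultdict(deque)   # srcip -> timestamps of recent matches

    def feed(self, event):
        if event is None or not self.base_match(event):
            return None
        win = self.windows[event["ip"]]
        win.append(event["ts"])
        while win and event["ts"] - win[0] > self.timeframe:   # expire old hits
            win.popleft()
        if len(win) >= self.frequency:
            win.clear()
            return {"rule": self.rule_id, "level": self.level, "srcip": event["ip"]}
        return None


def is_4xx(event):
    """Base rule: any 4xx response (the web_rules.xml 400-class rule)."""
    return 400 <= event["status"] < 500


def active_responses(lines, ar_level=6, frequency=12, timeframe=90):
    """Run log lines through the correlation and return the (rule, srcip)
    pairs that would reach active response at the given level threshold."""
    rule = SameSourceIpRule(31151, 10, frequency, timeframe, is_4xx)
    fired = []
    for line in lines:
        alert = rule.feed(parse_access_line(line))
        if alert and alert["level"] >= ar_level:
            fired.append((alert["rule"], alert["srcip"]))
    return fired


# Constructed sample: a scanner tripping ModSecurity gets 13 x 403 within
# 13 seconds; a legitimate client gets a 200 in the same window.
SAMPLE = [
    f'172.16.10.87 - - [09/Feb/2015:15:09:{s:02d} -0200] "GET /?id=1%27%20OR%201=1 HTTP/1.1" 403 199'
    for s in range(30, 43)
] + [
    '10.0.0.5 - - [09/Feb/2015:15:09:35 -0200] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for rule_id, ip in active_responses(SAMPLE):
        print(f"host-deny.sh add - {ip}  (rule {rule_id})")
```

With the sample above the 12th 403 from 172.16.10.87 fires once and the window resets, so the 13th request does not fire again; the 200 from 10.0.0.5 never enters the window. If 2.8.1 is not blocking where 2.7 did, the first thing to check with ossec-logtest is whether the 403 lines still decode with a srcip and still hit the 4xx base rule, because without that the composite rule never counts them.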
Hi Dan,
I installed ossec as local. Yeah, the AR configuration is the default. The
daemon ossec-execd is running normally and the firewall is enabled. I made
tests with both versions of ossec, 2.7 and 2.8.1, within the same VPS.
However, only version 2.7 blocks the attacker based on the rule ID
Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
working with an Asterisk box. I've followed this link [1], and when trying to
enumerate users I'm able to correlate and fire mails correctly with OSSIM,
but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
post-actions
Hi,
I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have
the following local_rules.xml defined to exercise syslog monitoring:
$ sudo more /var/ossec/rules/local_rules.xml
<group name="ossectester,local">
  <rule id="10" level="5">
    <match>OSSEC-TESTER-RULE</match>
  </rule>
</group>
Hey there,
Do you have the expect command installed?
Did you look into /var/ossec/logs/ossec.log to see if there are any errors?
Thanks
On Mon, Feb 9, 2015 at 7:26 AM, Glen Leeder glen.lee...@gmail.com wrote:
Hi,
I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I
have the following
Help please. Why, when I use the check_diff I have created, is there only
one file 'last-entry' in the directory /var/ossec/queue/diff/tes /700086/
instead of multiple files with changes?
--
---
You received this message because you are subscribed to the Google Groups
ossec-list group.
To unsubscribe
Yes, the list of installed programs.
I need files to be created from the changes in the command output,
for example: state.1413465006
On Monday, February 9, 2015 at 16:53:37 UTC+3, user dan (ddpbsd) wrote:
On Mon, Feb 9, 2015 at 8:13 AM, alex petrov allrea...@gmail.com wrote:
rule
Hi there!
Rule 1002 is triggering because of the word "error" in the alert and there is
no specific decoder for this alert:
# ./ossec-logtest
2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
ossec-testrule: Type one log per
Thanks Dan,
I've changed my rsyslog format to IP addresses instead of hosts and all is
good.
Do you know whether the white_list directive requires that
<expect>srcip</expect> is specified, or will it work without that?
Glen
On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
<rule id="700086" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'for /f tokens=3*</match>
  <check_diff />
  <description>new soft install</description>
</rule>

<localfile>
  <log_format>full_command</log_format>
  <frequency>10</frequency>
  <command>for /f tokens=3* %a in ('reg query
On Mon, Feb 9, 2015 at 8:13 AM, alex petrov allreadypa...@gmail.com wrote:
<rule id="700086" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'for /f tokens=3*</match>
  <check_diff />
  <description>new soft install</description>
</rule>

<localfile>
  <log_format>full_command</log_format>
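The rule above relies on <check_diff /> to turn a full_command output into an alert only when the output changes, and the queue/diff/<rule_id>/ directory is where the comparison state lives. To make that bookkeeping concrete, here is a small Python emulation written for this page (it is not OSSEC's own code): last-entry holds the most recent output, nothing is written on the first run or when the output is identical, and on a change the previous text is kept as state.<epoch> while the new text becomes last-entry and a unified diff is returned for the alert body. The directory layout and the state.<epoch> naming are assumed to mirror OSSEC's; the reg query output lines are constructed.

```python
import difflib
import os
import tempfile


def check_diff(diff_dir, rule_id, output, now):
    """Emulates the <check_diff/> comparison for one rule (not OSSEC's code).

    Compares `output` against <diff_dir>/<rule_id>/last-entry:
      - first run: store last-entry, return None (nothing to compare yet)
      - unchanged:  return None (no alert)
      - changed:    keep the previous text as state.<now>, write the new
                    last-entry, return a unified diff for the alert body
    `now` is the epoch time used in the state file name (assumed naming).
    """
    rule_dir = os.path.join(diff_dir, str(rule_id))
    os.makedirs(rule_dir, exist_ok=True)
    last_entry = os.path.join(rule_dir, "last-entry")

    if not os.path.exists(last_entry):
        with open(last_entry, "w") as fh:
            fh.write(output)
        return None

    with open(last_entry) as fh:
        previous = fh.read()
    if previous == output:
        return None

    state_file = os.path.join(rule_dir, f"state.{now}")
    os.replace(last_entry, state_file)          # previous output is preserved
    with open(last_entry, "w") as fh:
        fh.write(output)
    return "".join(difflib.unified_diff(
        previous.splitlines(keepends=True), output.splitlines(keepends=True),
        fromfile=os.path.basename(state_file), tofile="last-entry"))


def state_files(diff_dir, rule_id):
    """Sorted names of the files currently kept for the rule."""
    return sorted(os.listdir(os.path.join(diff_dir, str(rule_id))))


# Constructed stand-in for the installed-program list the rule feeds through
# full_command: three runs, the third one with a new entry.
RUN_1 = "7-Zip 9.20\nMozilla Firefox 35.0\nNotepad++ 6.7\n"
RUN_2 = RUN_1
RUN_3 = RUN_1 + "Totally Legit Updater 1.0\n"


def demo(diff_dir=None):
    """Feed the three runs; return [(diff_or_None, files_after_run), ...]."""
    if diff_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    trace = []
    for i, out in enumerate((RUN_1, RUN_2, RUN_3), start=1):
        diff = check_diff(diff_dir, 700086, out, now=1423501800 + i)
        trace.append((diff, state_files(diff_dir, 700086)))
    return trace


if __name__ == "__main__":
    for diff, files in demo():
        print("alert" if diff else "no alert", files)
        if diff:
            print(diff)
```

After the three runs the directory holds exactly last-entry and one state.<epoch> file: a state file appears only when the output actually differs from the stored copy, so a directory that never gains one means the compared text has not changed between runs (or the same text is being fed each time), not that the comparison is broken.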
On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu wrote:
Could be.
I don't know if I have to write to the dev mailing list to have it fixed in
the next release.
I'm running my modified version on 3 asterisk instances and I'm very happy
with the results.
Your best option
Great blog post. Just saw it the other day from twitter I think. Let me
know how your testing goes. Best way we can get things like this fixed is
to have good testing.
I've set OSSEC up to use the MySQL database to store everything; all looks
fine, except that the vast majority of records in the user field (in the
data table) are null. These are for operations/alerts which I would think
certainly would be able to record the user; i.e. apt-get install shows all
On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu wrote:
Hello,
I think the Asterisk rules could be wrong. Or at least for Ubuntu.
OSSEC always failed blocking brute force attempt on Asterisk.
A standard log entry for a brute force attempt looks like:
Dec 17 22:37:25 new
Hello,
I think the Asterisk rules could be wrong. Or at least for Ubuntu.
OSSEC always failed blocking brute force attempt on Asterisk.
A standard log entry for a brute force attempt looks like:
Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
handle_request_register:
On Mon, Feb 9, 2015 at 6:07 AM, alex petrov allreadypa...@gmail.com wrote:
Help please. Why, when I use the check_diff I have created, is there only
one file 'last-entry' in the directory /var/ossec/queue/diff/tes /700086/
instead of multiple files with changes?
Are all of these files text files?
Has a
On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder glen.lee...@gmail.com wrote:
Hi,
I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have
the following local_rules.xml defined to exercise syslog monitoring:
$ sudo more /var/ossec/rules/local_rules.xml
group
On Sun, Feb 8, 2015 at 6:11 PM, Ricardo Galossi chacalito2...@gmail.com wrote:
Hi there guys,
I'm facing a problem with ossec, I hope you can help me. I've configured my
ossec to monitor the apache and modsecurity logs of my chroot. I put the
lines below in ossec.conf:
localfile
On Mon, Feb 9, 2015 at 7:25 AM, King Helix kinghel...@gmail.com wrote:
I've set OSSEC up to use the MySQL database to store everything; all looks
fine, except that the vast majority of records in the user field (in the
data table) are null. These are for operations/alerts which I would think
In case anyone is interested, my testing showed <expect>srcip</expect> is
required for white_list to work and prevent active responses being called
if a particular host is responsible.
I have been able to massage ossec.conf to operate as required for my
scenario by defining two commands (1 that
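Glen's finding is easy to miss when reviewing a config: the <white_list> entries live under <global>, but they only exempt a host when the command bound to the active response declares <expect>srcip</expect>, because without a srcip there is nothing for the whitelist to compare against. The check below, written for this page (it is not part of OSSEC), parses an ossec.conf excerpt with the standard library and reports every <active-response> whose <command> definition does not expect srcip. The excerpt itself is constructed: the command names, executables and rule id 100100 are illustrative, and the rule id is taken from the local range rather than the id 10 used above.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (not Glen's file): one command declares
# <expect>srcip</expect>, the other does not; both are bound to the same rule.
SAMPLE_CONF = """<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.10</white_list>
  </global>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>notify-admin</name>
    <executable>notify.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>notify-admin</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>
"""


def parse_conf(text):
    """Parse one <ossec_config> block (the file may contain several; feed each)."""
    return ET.fromstring(text)


def command_expects(root):
    """Map command name -> set of <expect> fields (empty set when none)."""
    table = {}
    for cmd in root.iter("command"):
        # <command> inside <active-response> is a reference, not a definition.
        if cmd.find("name") is None:
            continue
        expect = cmd.findtext("expect") or ""
        table[cmd.findtext("name")] = {f.strip() for f in expect.split(",") if f.strip()}
    return table


def lint_active_responses(root):
    """Return findings for active responses the <white_list> cannot exempt:
    their command is undefined or does not <expect>srcip</expect>."""
    whitelist = [w.text.strip() for w in root.iter("white_list") if w.text]
    expects = command_expects(root)
    findings = []
    for ar in root.iter("active-response"):
        name = ar.findtext("command")
        trigger = ar.findtext("rules_id") or ar.findtext("level") or "?"
        fields = expects.get(name)
        if fields is None:
            findings.append(f"{name}: referenced by an active-response but never defined")
        elif "srcip" not in fields:
            findings.append(f"{name} (trigger {trigger}): no <expect>srcip</expect>, "
                            f"so white_list {whitelist} will not apply")
    return findings


if __name__ == "__main__":
    for finding in lint_active_responses(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the sample it flags only notify-admin; host-deny passes because its definition expects srcip. A real ossec.conf often has more than one <ossec_config> root, which ElementTree will not parse as a single document, so split the file on those boundaries and lint each block.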
Hi Dan,
I see. As soon as I get home I'll send the log files. Do you want only the
alert.log or something else?
On Monday, February 9, 2015 at 17:00:38 UTC-2, dan (ddpbsd) wrote:
On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi chacal...@gmail.com wrote:
Hi guys,
On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi chacalito2...@gmail.com wrote:
Hi Dan,
I see. As soon as I get home I'll send the log files. Do you want only the
alert.log or something else?
I'd love to see the apache log messages that work in OSSEC 2.7 but not in 2.8.
Em segunda-feira, 9