Re: [ossec-list] Re: OSSEC + CIS benchmark tests

2015-05-15 Thread dan (ddp)
On May 15, 2015 5:27 PM, "The O.G." wrote: > > So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system? > It simply means I cannot answer many questions about it. Reading the source is one way to get a better underst

Re: [ossec-list] Re: OSSEC + CIS benchmark tests

2015-05-15 Thread The O.G.
So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system? On Fri, May 15, 2015 at 5:04 AM, dan (ddp) wrote: > On Tue, May 12, 2015 at 6:57 PM, autodidactic > wrote: > > Are there any updates to this feature or docum

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
Syscheck only runs on intervals, and will have some limitations in a 64 bit environment. Please see the issue below. https://github.com/ossec/ossec-hids/issues/301 Another way to accomplish your goal would be to turn on auditing on the Windows computer. This is either done through Group Polic

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Justin Hazard
Hi Brent, I appreciate the response, and it seems like the way forward for the Registry Monitoring portion. I will test it out, and let you know how it works. I understand it is going to generate a lot of stuff, but I am just testing it right now, and need to figure out a few things, and it w

Re: [ossec-list] host specific rules

2015-05-15 Thread Santiago Bassett
Hi Sebastian, not sure what could be the problem here. Did you figure it out? Best On Wed, May 13, 2015 at 7:21 AM, skotthof < sebastian.kotth...@rz.uni-mannheim.de> wrote: > > OK, thank you. > I checked how to use CDBs now, seems this is really what I need. Really > cool! > Nevertheless, now I

[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread Andy Theuninck
Close. Firewall logging on the client side helped. The OSSEC server has two IPs on the same network. It was receiving messages from the agent on one IP but sending the response back on the other IP. The agent's firewall was then dropping the response as unrelated. Specifying a local_ip in the s

[ossec-list] Active response not working

2015-05-15 Thread Bùi Viết Hướng
I have ossec server(CentOS) and ossec agent(win7). -On server- ossec.conf: eject_usb event.cmd srcip yes eject_usb local 120005 30 local_rule.xml: Event_USB Event USB 12 USB Detected USB Storage -O

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
You'll want to test this yourself. But you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to view > config. Then you can just change the configuration file and save it, restart

[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread Grant Leonard
Have you run a tcpdump or ngrep on the server to ensure packets are arriving on UDP port 1514? When the agent is initially restarted it begins a new dialog with the server and you should be able to see that on the wire On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote: > > I h

[ossec-list] Re: ossec-agent installation process automatization on windows

2015-05-15 Thread Grant Leonard
It should be enough sir Each agent needs their own key, but once the agent has the key and checks in with the server, it will pick up any custom configurations All the best On Thursday, May 14, 2015 at 7:02:32 PM UTC-4, Daniil Svetlov wrote: > > Hi! > > I'm trying update ossec-agent key on wind

[ossec-list] Custom Rules for deeper registry monitoring

2015-05-15 Thread Justin Hazard
Hey Everyone, Huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake. What we are looking to do is to write two separate rules that achieve similar results, and more specifically we want to know when any change is

Re: [ossec-list] Re: OSSEC + CIS benchmark tests

2015-05-15 Thread dan (ddp)
On Tue, May 12, 2015 at 6:57 PM, autodidactic wrote: > Are there any updates to this feature or documentation about it? I see very > raw documentation in the sample CIS benchmark policy audit files, but it leaves > me guessing about some of it? I want to write the policy for the newer CIS > benchmarks

Re: [ossec-list] Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread dan (ddp)
On Thu, May 14, 2015 at 5:05 PM, Andy Theuninck wrote: > I have OSSEC 2.8.1 server installed on CentOS 7. I have OSSEC 2.8.1 agent > installed on a separate CentOS 6 box. The agent cannot connect to the server > and I do not understand why. > > When the agent starts, I see this in the logs: > 2015

Re: [ossec-list] Active Response in windows 2008

2015-05-15 Thread dan (ddp)
On Thu, May 14, 2015 at 10:59 AM, HMath wrote: > First , sorry for my English > > I am new to OSSEC > what happened is I was trying some attacks on iis on windows machine and > alerts are generated in ossec server , I have supposed that ossec will > block the attacking ip for 600 seconds, but tha

Re: [ossec-list] Windows Application and System logs

2015-05-15 Thread dan (ddp)
On Wed, May 13, 2015 at 10:20 PM, Daniel Wagner wrote: > Hello all, > > I've installed OSSEC HIDS Agent v2.8 on a few Windows 2008R2 servers and > Windows 2003 servers and am receiving the Security logs on my OSSEC > server, but not the Application and System logs. > > My config file is the defau

[ossec-list] Russian cyrillic

2015-05-15 Thread Павел Копцев
Hello, Just set up a VM with Ossec from the Virtual Appliance template and encountered a problem with monitoring Windows event logs. I set up a security audit for shares under Windows 2008 Server and when Ossec gets the log message I get the following output in Kibana - 2015 Mar 27 12:50:42 W