Re: [ossec-list] AR command executing when it should not be

2015-06-30 Thread secucatcher
I see it like a feature, and it works like a cluster of information. We discovered it in a very bad case! When an IP is triggering an alert, all the servers block this IP. It protects the datacenter more, but it could really go wrong, and the second problem is if you put a lot of servers/rules

RE: [ossec-list] archives.log and logstash

2015-06-30 Thread Martynas Buožis
Hello, thanks a mil. I will check that. Martynas From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Daniil Svetlov Sent: Tuesday, June 30, 2015 12:07 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] archives.log and logstash Hello, Martynas! I have

[ossec-list] renaming agent on server.

2015-06-30 Thread Abhi
Hi Everyone, We have a large deployment of OSSEC and use agent-auth to auto-deploy agents. At times, there are some old entries for the same agent (Disconnected state) and although we try our best to clear those out before a re-deployment, some get left behind. Due to this, the agent re-connect

[ossec-list] OSSEC File Addition Alerting does not work

2015-06-30 Thread parth12617
Hey, I have set up an OSSEC Server on a Kali Linux OS and an OSSEC agent on a Windows 7 OS. My Windows Agent Config regarding Syscheck looks like the following: 43200 yes no no HKEY_LOCAL_MACHINE\Software\Classes HKEY_LOCAL_MACHINE\Software\Policies HKEY_LOCAL_MACHI

[ossec-list] Re: OSSEC root login detect configuration

2015-06-30 Thread Brent Morris
Best way to do this is to check out what logs are being generated when you login as root. On my system, I see the following: Jun 30 08:42:26 ossec sshd[26600]: pam_unix(sshd:session): session opened for user root by (uid=0) I usually just paste the actual log into ossec-logtest to see what rul

Re: [ossec-list] AR command executing when it should not be

2015-06-30 Thread Jeff Blaine
On Tuesday, June 30, 2015 at 5:27:58 AM UTC-4, secuc...@free.fr wrote: > > i see it like a feature, and it works like a cluster of information. > We discover it on in very bad case! > It's a feature and a design flaw, IMO. The feature part is as you described. The design flaw is that Active Re

RE: [ossec-list] AR command executing when it should not be

2015-06-30 Thread LostInTheTubez
Could you add a custom rule to achieve what you’re looking for? Something like: 550,554 hostnameexample|hostnameexample2 550 or 554 event that occurred on hostnameexample or hostnameexample2 …Then trigger your active response off of 10