This is because the ossec-analysisd process runs in a chroot environment, so it
can't reach anything outside the jail (/var/ossec).
In some scenarios, when really necessary, what we do is remount a partition
inside the jail (mount -o bind). I don't recommend this, but it is a
workaround that should wor
Hi Brian,
when running it through ossec-logtest, this is what I get:
**Phase 1: Completed pre-decoding.
full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223]
[client 46.4.84.147] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUE
I'm having an issue extracting the IP out of a successfully triggered
ModSecurity rule.
Details:
I'm using OSSEC-HIDS 2.8.3 on CentOS 7 with Apache 2.4. I have borrowed the
Apache 2.4 rules and decoder (Apache section) from OSSEC 2.9b, which are:
+++
Hi,
I am trying to use a symlink for local_rules.xml. Here is what I did:
cd /var/ossec/rules
cp local_rules.xml /opt/ossec/rules
mv local_rules.xml local_rules.xml.bak
ln -s /opt/ossec/rules/local_rules.xml local_rules.xml
But I couldn't start OSSEC after this change, and when I check the log file
There are a couple of ways to track connected devices.
It depends on where DHCP lives. If it's on a windows computer, add DHCP
logs to your OSSEC configuration.
<localfile>
  <location>%windir%\sysnative\Dhcp\DhcpSrvLog-%a.log</location>
  <log_format>syslog</log_format>
</localfile>
Then inside your DHCP MMC, right click on the IPV4 scope and go to
pr
Thanks again Jesus! Will try and get my test rule working as per your
instruction. In my case I would need to make an exception to rule 31108
given the current result from ossec-logtest (previous example). I would
like to ignore URLs (simple queries) for the most part, but not for a
specific UR
Thanks; at least I know I'm not trying to re-invent the wheel here. I'll
have to dig in deeper in code. At some point the source IP is getting
replaced by "any". I was able to verify that remoted was getting the actual
source IP address (which it should), but I have yet to determine where it
is
Hi,
*OS_Match/sregex* supports simple string matching and the following special
characters: ^, $, |. You are using invalid expressions such as \.+ or \S+. The
*ignore* option is very useful, but in this case I think there is no choice but
to use rules:
syscheck
'/path1/path2
'\.+.extension