Great, that works. This is all giving me a much better idea how this thing
operates...
On Thursday, 10 March 2016 14:58:28 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Mar 10, 2016 at 8:52 AM, Armin M wrote:
> > Ok, but further to that: This ssh "bug" does indeed trigger rule 5301 which
>
On Thu, Mar 10, 2016 at 8:52 AM, Armin M wrote:
> Ok, but further to that: This ssh "bug" does indeed trigger rule 5301 which
> is level 5 and below the active-response level 6 but still a kind of false
> positive. So the question actually remains: How can I whitelist this
> particular message pat
Ok, but further to that: This ssh "bug" does indeed trigger rule 5301 which
is level 5 and below the active-response level 6 but still a kind of false
positive. So the question actually remains: How can I whitelist this
particular message pattern in auth.log?
On Thursday, 10 March 2016 13:28:
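One way to whitelist exactly this line, as an added example that is not from the thread or from OSSEC's shipped rule set: an override rule in local_rules.xml. It covers both the rule 5301 case asked about here and the rule 5716 case named in the original post further down. The rule id 100010, the description text and the group name are my choices; the if_sid list assumes, as the posts say, that 5301 or 5716 is the rule firing on this message.

```xml
<!-- local_rules.xml: silence the pam_systemd "Failed to create session" noise on su.
     Added example, not from the thread or from OSSEC's own rule files.
     100010 is an arbitrary id from the 100000-119999 range OSSEC reserves for
     local rules; 5301 and 5716 are the rule ids named in the posts. -->
<group name="local,syslog,">

  <!-- A child rule with <if_sid> is evaluated only after the parent matched, and
       the child's level then replaces the parent's. Level 0 means the event is
       still decoded and counted but never alerted on, so it cannot reach a
       level-based active response. -->
  <rule id="100010" level="0">
    <if_sid>5301,5716</if_sid>
    <!-- <match> uses OSSEC's simple pattern syntax: only ^, $ and | are special,
         so the parentheses and colons below are matched literally. The pattern is
         the full message rather than just "Failed", so genuine failures that share
         the prefix keep their original level. -->
    <match>pam_systemd(su:session): Failed to create session: No such file or directory</match>
    <description>pam_systemd could not register a session for su; not an authentication failure.</description>
  </rule>

</group>
```

Before restarting, check it with /var/ossec/bin/ossec-logtest: paste a full syslog line (constructed here, with a made-up hostname) such as `Mar 10 14:00:01 host su: pam_systemd(su:session): Failed to create session: No such file or directory` and confirm that the rule reported in phase 3 is 100010 at level 0 rather than 5301 or 5716. Keep the override in local_rules.xml instead of editing the shipped rule files, which are replaced on upgrade.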
>
> Are you sure it was this log message that caused you to be locked out?
> There is no information in that log message that could be used in an
> active response.
>
Right, I just realized that the active-responses.log references the rule it
was triggered from, in my case 40101 and the fact
On Thu, Mar 10, 2016 at 7:12 AM, Armin M wrote:
> Hi,
>
> I just locked myself out of a system and found the reason to be that
> apparently, some ssh versions produce the following message for every su
> command:
>
> pam_systemd(su:session): Failed to create session: No such file or directory
>
A
Hi,
I just locked myself out of a system and found the reason to be that
apparently, some ssh versions produce the following message for every su
command:
pam_systemd(su:session): Failed to create session: No such file or directory
This apparently triggers rule id 5716 which matches ^Failed in
On Mar 10, 2016 5:32 AM, "Johnny InfoSec" wrote:
>
> Greetings,
>
> As a new OSSEC user, I have found some of the alerts difficult to make
> sense of. Is there any documentation (or decoder ring :-)) that helps with
> this?
>
> Trying to make sense of some of the different sections in the below alert:
Greetings,
As a new OSSEC user, I have found some of the alerts difficult to make
sense of. Is there any documentation (or decoder ring :-)) that helps with
this?
Trying to make sense of some of the different sections in the below alert:
OSSEC HIDS Notification.
2016 Mar 08 21:00:02
Recei