[ossec-list] Re: parent usage in local_decoder.xml

2016-05-24 Thread Dave Vehrs
Oh and if I follow the links in your reply you have already shown me the prematch to add! It's days like this that I almost feel like a blind man, the answer was there for me all! It's now all working and I will take the lesson to slow down to read & consider what is said in the replies before

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-24 Thread Dave Vehrs
On Tuesday, May 24, 2016 at 6:04:21 PM UTC-6, Dave Vehrs wrote: > > > Unfortunately I thought it might be an issue that was fixed in an update > so I updated my git copy and installed it. Now I get a whole different set > of errors. > > Starting with decoder.xml not being copied into the insta

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-24 Thread Dave Vehrs
On Monday, May 23, 2016 at 2:22:33 AM UTC-6, Jesus Linares wrote: > > Hi Dave, > > I found the problem. The last decoder > in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I > fixed it here >

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jacob Mcgrath
As far as alert.log ** Alert 1464116536.2709526: mail - syslog,errors, 2016 May 24 19:02:16 (spmedia1) 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ ex160524.log Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' Src IP: 10.18.100.24 User: - 2016-05-24 19:0

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jacob Mcgrath
ossec v2.8 & local_rules included... On Tuesday, May 24, 2016 at 11:39:06 AM UTC-5, Jesus Linares wrote: > > Hi, > > you are right, the problem should be with your rule. Do you have > local_rules.xml included in ossec.conf? What OSSEC version are you > running? > > In my version it is working

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-24 Thread dan (ddp)
On Tue, May 24, 2016 at 12:44 PM, Tahir Hafiz wrote: > Thanks I found the link earlier on. > > I have read through the document but I am not sure how to do the tests > (using Ubuntu 14.04 LTS). > I have downloaded the OSSEC version that we are using (2.8.2): > wget -U ossec http://www.ossec.net/fi

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-24 Thread Tahir Hafiz
Thanks I found the link earlier on. I have read through the document but I am not sure how to do the tests (using Ubuntu 14.04 LTS). I have downloaded the OSSEC version that we are using (2.8.2): wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz I have unpacked the tarball, moved

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jesus Linares
Hi, you are right, the problem should be with your rule. Do you have local_rules.xml included in ossec.conf? What OSSEC version are you running? In my version it is working (Wazuh ): 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PA

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-24 Thread dan (ddp)
On Tue, May 24, 2016 at 11:33 AM, Tahir Hafiz wrote: > Hi Dan, > > Is there any documentation as to how to set-up and run the tests? > Where can I find said documentation? > https://ossec.github.io/docs/development/build/test-rules.html?highlight=runtests > Cheers, > Tahir > > > On Tuesday, 24 M

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jacob Mcgrath
I can run 8-10 failed logins and do get email alerts for them so I believe the decoder is working but the rules are not being applied and the fall back is rule:1002 for some reason OSSEC HIDS Notification. 2016 May 24 15:32:13 Received From: (spmedia1) 10.20.199.157->\inetpub\logs\Log

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-24 Thread Tahir Hafiz
Hi Dan, Is there any documentation as to how to set-up and run the tests? Where can I find said documentation? Cheers, Tahir On Tuesday, 24 May 2016 13:55:58 UTC+1, dan (ddpbsd) wrote: > > On Tue, May 24, 2016 at 5:50 AM, Tahir Hafiz > wrote: > > Dear All, > > > > Is there a test suite avai

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jacob Mcgrath
I can run 8-10 failed logins and do get email alerts for them so I believe the decoder is working but the rules are not being applied and the fall back is rule:1002 for some reason On Tuesday, May 24, 2016 at 10:24:24 AM UTC-5, Jacob Mcgrath wrote: > > Weird I run the logtest and I get this

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jacob Mcgrath
Weird I run the logtest and I get this: 2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process. **Phase 1: Completed pre-decoding. full event

[ossec-list] Re: ossec-syscheckd(1210): ********* /queue' not accessible: 'Connection refused' - Under Debian 6

2016-05-24 Thread venkat swaminathan
Sorry, I imported the key again and started the agent and now everything is fine. root@vir-deb:/opt/ossecData# /opt/ossecData/bin/ossec-control start Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)... Deleting PID file '/opt/ossecData/var/run/ossec-logcollector-6098.pid' not used... Deleting PID

Re: [ossec-list] Re: ossec-syscheckd(1210): ********* /queue' not accessible: 'Connection refused' - Under Debian 6

2016-05-24 Thread dan (ddp)
On Tue, May 24, 2016 at 9:15 AM, venkat swaminathan wrote: > Yes, I did add client in server machine and stored the keydata in > client.keys > Did you import the key on the agent? `/var/ossec/bin/manage_agents` and the "i" option (I think). > However, if analysisd is not required, what is caus

[ossec-list] Re: ossec-syscheckd(1210): ********* /queue' not accessible: 'Connection refused' - Under Debian 6

2016-05-24 Thread venkat swaminathan
Yes, I did add client in server machine and stored the keydata in client.keys However, if analysisd is not required, what is causing the "ossec-syscheckd(1210): ERROR: Queue '/opt/ossecData/queue/ossec/queue' " On Tuesday, 24 May 2016 18:02:53 UTC+5:30, venkat swaminathan wrote: > > Dear

Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-24 Thread dan (ddp)
On Tue, May 24, 2016 at 5:50 AM, Tahir Hafiz wrote: > Dear All, > > Is there a test suite available which can be used to test a fully > functioning OSSEC server/client installation? > I am looking to test the rule sets systematically, I know I can modify a > system file and it will alert etc, but

Re: [ossec-list] Finding out the exact OSSEC server version

2016-05-24 Thread Tahir Hafiz
Thanks Pedro, that works! On Monday, 23 May 2016 17:55:30 UTC+1, Pedro S wrote: > > Hi Tahir, > > The way I do it is reading /etc/ossec-init.conf. > > cat /etc/ossec-init.conf >> > > DIRECTORY="/var/ossec" >> VERSION="v2.9.0" >> DATE="jue may 12 00:43:32 PDT 2016" >> TYPE="server" > > > Best r

Re: [ossec-list] ossec-syscheckd(1210): ********* /queue' not accessible: 'Connection refused' - Under Debian 6

2016-05-24 Thread dan (ddp)
On Tue, May 24, 2016 at 7:43 AM, venkat swaminathan wrote: > Dear All > > Please bear with my simple overview; I request some guidance in addressing this issue. > > In our Linux system, we are trying to incorporate intrusion detection and > file integrity monitoring alerts. For this OSSEC seems to be the best ope

[ossec-list] ossec-syscheckd(1210): ********* /queue' not accessible: 'Connection refused' - Under Debian 6

2016-05-24 Thread venkat swaminathan
Dear All, Please bear with my simple overview; I request some guidance in addressing this issue. In our Linux system, we are trying to incorporate intrusion detection and file integrity monitoring alerts. For this OSSEC seems to be the best open source option available in the market. System Configuration: Ossec i

[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-24 Thread Jesus Linares
Hi Jacob, the rule 16 will be fired when rule 15 fires 8 times (6+2). It seems to work: **Phase 1: Completed pre-decoding. full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2f

[ossec-list] Best ways to test OSSEC in an environment

2016-05-24 Thread Tahir Hafiz
Dear All, Is there a test suite available which can be used to test a fully functioning OSSEC server/client installation? I am looking to test the rule sets systematically, I know I can modify a system file and it will alert etc, but I am looking for a more automated test suite and methods acr