[ossec-list] Can OSSEC do all that tripwire does in terms of FIM?

2016-06-09 Thread Brett Myers
Hello Group, We are trying to make a decision on a FIM product, and would like to go with OSSEC for obvious reasons. What I do not know is what we would miss compared to tripwire. We currently don't have a lot of resources to manage the solution, and we are looking at 200 nodes initially with

Re: [ossec-list] OSSEC Send Log Size

2016-06-09 Thread Victor Fernandez
Hi Abdulvehhab. It makes sense, it falls into an infinite recursion. But it's a bit difficult to store some messages and send them to the server since the protocol consists of one datagram per message. Even if the agent stores some messages and sends all of them at a time, the firewall would det

Re: [ossec-list] Ransomware.

2016-06-09 Thread Nate
Couldn't pass be used to monitor the frequency of files accessed or rewritten on a share via the logs generated from those operations? It might not be foolproof, but if the log shows a single account accessing several files faster than a human might be able to, it could alert, or even block. Maybe

Re: [ossec-list] OSSEC Send Log Size

2016-06-09 Thread Abdulvehhab Agin
Hi, Unfortunately Windows audit (EventLog configuration) has no specific configuration. If auditing of Windows firewall events is enabled, all firewall events (Chrome, Internet Explorer, ping, etc.) are logged. (So we *cannot exclude OSSEC firewall events*.) If audit of windows

[ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread Tahir Hafiz
Dear All, I currently have a few rules which are very similar; how can I have multiple matches with the same rule: 510 Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Ignore /tmp not being on its own partition rootcheck, 510

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread dan (ddp)
On Thu, Jun 9, 2016 at 10:22 AM, Tahir Hafiz wrote: > Dear All, > > I currently have a few rules which are very similar, how can I have multiple > matches with the same rule: > > > > 510 > Robust partition scheme - /tmp is not on its own partition. > File: /etc/fstab. > Ignore /

Re: [ossec-list] OSSEC Send Log Size

2016-06-09 Thread Victor Fernandez
Hi. In normal operation, OSSEC connects once, on startup, and closes the socket on exiting. But, because of the behavior of UDP, there isn't an actual "connection"; instead, every datagram is independent of the rest. Maybe this is the reason why the firewall considers every delivery as a conn

[ossec-list] Re: Downsides to disabling agent replay protection

2016-06-09 Thread Kevin Branch
So does the replay protection feature of OSSEC only serve to protect from malicious replays of OSSEC messages, or does it serve other purposes, too? Kevin On Tuesday, June 7, 2016 at 6:55:34 PM UTC-4, Kevin Branch wrote: > > I see that at times it is recommended to set remoted.verify_msg_id to

Re: [ossec-list] Re: Downsides to disabling agent replay protection

2016-06-09 Thread dan (ddp)
On Thu, Jun 9, 2016 at 11:34 AM, Kevin Branch wrote: > So does the replay protection feature of OSSEC only serve to protect from > malicious replays of OSSEC messages or does it serve other purposes, too? > > Kevin > To the best of my knowledge, that's the purpose. dcid would obviously know more

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread Tahir Hafiz
Thanks for that Dan - very useful. What about output from the following stanza to be whitelisted, what should be used here in the local_rules.xml, is the group to be whitelisted called syslog,access_control or authentication_failed?: FAILED LOGIN |authentication failure| Authenti

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread dan (ddp)
On Thu, Jun 9, 2016 at 12:11 PM, Tahir Hafiz wrote: > Thanks for that Dan - very useful. > > What about output from the following stanza to be whitelisted, what > should be used here in the local_rules.xml, is the group to be > whitelisted called syslog,access_control or authentication_failed??:

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread Tahir Hafiz
Thanks, something like this with logtest I take it: cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-logtest -a | grep -A 3 -B 3 "level 5" On Thursday, 9 June 2016 17:30:19 UTC+1, dan (ddpbsd) wrote: > > On Thu, Jun 9, 2016 at 12:11 PM, Tahir Hafiz > wrote: > > Thanks for that

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread dan (ddp)
On Thu, Jun 9, 2016 at 12:36 PM, Tahir Hafiz wrote: > Thanks something like this, with the logtest I take it: > cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-logtest -a | > grep -A 3 -B 3 "level 5" > I don't think that will give you the results you are looking for. ossec-logtest ta

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread Tahir Hafiz
How can I get at the logs that have been pushed to the IDS box instead of having to copy the logs to the IDS box from each individual system? On Thursday, 9 June 2016 17:38:35 UTC+1, dan (ddpbsd) wrote: > > On Thu, Jun 9, 2016 at 12:36 PM, Tahir Hafiz > wrote: > > Thanks something like this,

[ossec-list] At what Level to alert to Nagios

2016-06-09 Thread Tahir Hafiz
We have a way of triggering alerts to Nagios depending on the level of alert in the alerts file. Generally, at what level is considered worthy of a trigger to Nagios for most people?

Re: [ossec-list] How to have multiple matches in one rule in local_rules.xml

2016-06-09 Thread dan (ddp)
On Thu, Jun 9, 2016 at 12:51 PM, Tahir Hafiz wrote: > How can I get at the logs that have been pushed to the IDS box instead of > having to copy the logs to the IDS box from each individual system? > If you have the logall option turned on, you can strip the headers from the log messages in /var/

[ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-09 Thread Jacob Mcgrath
Weird issue, anyone have insights? :) My local log output: ServPing Domain A down 06092016 08:48:01 ServPing Game A down 06092016 08:48:01 Decoders & rules: servping (\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d) id,dstip,action,extra_data servping-all Ping

Re: [ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-09 Thread dan (ddp)
On Thu, Jun 9, 2016 at 12:58 PM, Jacob Mcgrath wrote: > Weird issue, anyone have insights? :) > > My local log output: > ServPing Domain A down 06092016 08:48:01 > > ServPing Game A down 06092016 08:48:01 > > Decoders & rules: > > servping > (\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d > \d

[ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-09 Thread Jacob Mcgrath
I think I am going to reinstall my Security Onion; I had off-the-wall issues with other things as well. Will try on my test server when I get home. Might have a semi-borked install. On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote: > > Was wondering on the best route/opti