Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-15 Thread Ryan Schulze
Are you sure it was OSSEC? I just had a look at https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh The only iptables commands it does are the following four, and I can't see how they would flush an entire table/chain. iptables -I INPUT -s ${IP} -j DROP iptables

Re: [ossec-list] Rendering of access rights codes in Windows audit logs

2016-06-15 Thread Kevin Branch
I think it would be ideal for the agent to decode the %% access rights codes and then send the logs along looking like the Windows event viewer would display them. Not only would the stored logs be much easier to meaningfully review, but also building OSSEC rules to fire on specific audit events w

[ossec-list] Re: ossec local logfile ignored

2016-06-15 Thread Jacob Mcgrath
I ended up moving this bash script to the Security Onion server, then with help here wrote basic decoders and rules to trigger alerts. Still going to play with the agent custom log file issue off and on.

On Friday, June 10, 2016 at 11:12:02 AM UTC-5, Jacob Mcgrath wrote:
> Any have an issue like

Re: [ossec-list] Re: ossec local logfile ignored

2016-06-15 Thread dan (ddp)
On Fri, Jun 10, 2016 at 6:26 PM, Jacob Mcgrath wrote:
> The script will write each line as the bash script as the check fails. This log is deleted if first creation is older than 7 days (since the record would remain in Ossec archive).
>
> I thought it may be already accessed by the script as

Re: [ossec-list] Rendering of access rights codes in Windows audit logs

2016-06-15 Thread dan (ddp)
On Mon, Jun 13, 2016 at 6:57 PM, Kevin Branch wrote:
> I've noticed that while the Windows Event Viewer shows fairly human readable information in audit records, like this audit log section:
>
> Access Reasons: READ_CONTROL: Granted by D:(A;ID;0x1200a9;;;BU)
> SYNCHRONIZE: Granted by D:(A;ID;0x1

Re: [ossec-list] logrotate issue

2016-06-15 Thread dan (ddp)
On Mon, Jun 13, 2016 at 7:45 AM, Hugo Deprez wrote:
> Hello,
>
> since I upgraded to the last debian package available in the repository, I'm getting errors from my servers.
>
> /etc/cron.daily/logrotate:
> error: ossec-hids:13 error verifying olddir path /var/ossec/logs/archives/: Aucun fichi

[ossec-list] How to warn and handle on all the thousands of alerts coming in

2016-06-15 Thread Tahir Hafiz
We are tuning our OSSEC server/agent environment. We have multiple environments and use Puppet for configuration management and AWS for our cloud-based systems. We baseline (run OSSEC) at the start of an environment build, and then do a Puppet apply. We seem to have thousands of alerts coming

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-15 Thread Zeal Vora
We had deployed the OSSEC client across all our servers in the evening and the next morning we found that all iptables rules had been flushed. It was for around 50+ machines. The OSSEC clients were running. We then had to stop the OSSEC client for investigation and load the iptables rules again.

On Tuesday, June 14, 2