Re: [ossec-list] A few comments on default active-response settings

2016-11-18 Thread Christina Plummer
My 2 cents: 1) I got tripped up by the fact that the default alert level to trigger an active response is 6, while the default alert level to trigger an email is 7. There were a number of times when communication between 2 internal hosts on my network suddenly stopped working, then mysteriously
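As an added illustration of the mismatch described above (this is example configuration, not from the original post or the OSSEC project), the two thresholds live in different parts of ossec.conf and are easy to set independently. The fragment below raises the active-response trigger level to match the e-mail level so that every block is announced, and whitelists an internal range so that server-to-server traffic is never dropped. The rule IDs, the 192.0.2.0/24 range and the firewall-drop command name are assumptions chosen for the example:

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- Hosts that must never be blocked by active response (example range). -->
    <white_list>192.0.2.0/24</white_list>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- Default is 7: alerts below this level are logged but not mailed. -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <!-- Default is 6, one level below the e-mail threshold, so a block can
         happen without any notification. Raising it to 7 keeps the two in step. -->
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After changing either value, check /var/ossec/logs/active-responses.log against the alerts that were mailed for the same period; any block that appears in the first file without a matching e-mail means the two thresholds have drifted apart again.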

Re: [ossec-list] Selecting multiple, discrete weekdays

2016-11-18 Thread Natassia S
Yes that did it, thanks! :) Natassia On Fri, Nov 18, 2016 at 9:42 AM, Daniel Cid wrote: > It should work with spaces or commas: > > monday, tuesday, friday > > thanks, > > On Fri, Nov 18, 2016 at 1:24 PM, wrote: > >> Is it possible to select multiple,

Re: [ossec-list] Selecting multiple, discrete weekdays

2016-11-18 Thread Daniel Cid
It should work with spaces or commas: monday, tuesday, friday thanks, On Fri, Nov 18, 2016 at 1:24 PM, wrote: > Is it possible to select multiple, discrete days using the weekday > function? > > I can get the rule to run if I select a single day and it looks like I > should be
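To show the syntax from the reply above in context, here is an added example rule (not from the original thread or the OSSEC rule set) that fires on a successful SSH login only on the days listed, using the comma-and-space form that was confirmed to work. It assumes rule 5715 (sshd authentication success) as the parent and goes in local_rules.xml; the rule ID 100100 and the chosen days are arbitrary:

```xml
<group name="local,">
  <!-- <weekday> accepts a list of day names separated by commas and/or spaces,
       or the keywords "weekdays" / "weekends". The rule matches only when the
       parent rule fires on one of the listed days. -->
  <rule id="100100" level="10">
    <if_sid>5715</if_sid>
    <weekday>sunday, monday, wednesday</weekday>
    <description>SSH login succeeded on a day this host is not expected to be used.</description>
  </rule>
</group>
```

Test it with /var/ossec/bin/ossec-logtest on a sample sshd "Accepted" line: on a listed day the output should show rule 100100 firing instead of 5715, and on any other day 5715 alone.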

[ossec-list] Selecting multiple, discrete weekdays

2016-11-18 Thread stelmn
Is it possible to select multiple, discrete days using the weekday function? I can get the rule to run if I select a single day and it looks like I should be able to specify weekends or weekdays. What I would like to do is to specify certain days, in this case Sunday, Monday, Wednesday and

[ossec-list] Problem with rule 18257

2016-11-18 Thread Kevin Branch
Rule 18257 appears to be prone to misfire. I see it tripping for things like this: 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no user): no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully completed

Re: [ossec-list] A few comments on default active-response settings

2016-11-18 Thread Whit Blauvelt
Hi Dan, Since I skipped answering this: On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote: > > Except in a context of anon FTP servers (does anyone run those any more?) > > blocking IPs because they connect using valid logins "too often" is a > > dangerous default. "First, do no harm."

Re: [ossec-list] SELinux policy for ossec

2016-11-18 Thread 'cgzones' via ossec-list
I started one a while ago, but I don't know if it's still working and how well remote connections and active response are supported. Also I am unaware of where the rpm package installs OSSEC. Feel free to take a look. 2016-11-17 22:27 GMT+01:00 Christina Plummer : > >> Is there a

Re: [ossec-list] agentless monitoring and cisco ios switches

2016-11-18 Thread dan (ddp)
On Fri, Nov 18, 2016 at 5:23 AM, Kevin COUSIN wrote: > > > On Thursday, 17 November 2016 18:15:57 UTC+1, dan (ddpbsd) wrote: >> >> On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN >> wrote: >> > Hi list, >> > >> > I try to use agentless on cisco ios

Re: [ossec-list] agentless monitoring and cisco ios switches

2016-11-18 Thread Kevin COUSIN
On Thursday, 17 November 2016 18:15:57 UTC+1, dan (ddpbsd) wrote: > > On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN > wrote: > > Hi list, > > > > I am trying to use agentless on cisco ios switches. I added in ossec.conf > > > > > > ssh_pixconfig_diff > > 300