Yes, I got the production system working against a test attack script. Will
monitor it to do tuning for the real flurries of bogus DNS queries, and
will try the duplicate / twin decoder name to see if that works. An
override option for the decoder name would be ideal. The other thing that
occu
Nice catch! You know it also happened to me when testing your decoders?
Same thing! That is why I always recommend using ossec-logtest, it's a
wonderful tool :D
I don't think you have a way to not modify *decoders.xml*, there is already
a child decoder matching your event, using "prematch" which
Pedro thanks again for your help.
I think I found the problem, but the work around requires modification of
the decoder.xml
I moved the decoder into the decoder.xml file (I know that's not
recommended), before the named group decoder, and made the decoder not a
child of the named group decod
Hello, yes:
root@xx:/var/log# netstat -tuna | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*
<remote>
  <connection>syslog</connection>
  <allowed-ips>161.182.xxx.xxx</allowed-ips>
  <allowed-ips>161.182.xxx.xxx</allowed-ips>
</remote>
On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
Hi Guys,
I *desperately* need to create a rule that will fire when a specific AD
user has a failed authentication event on my sensors.
What must the rule look like?
Where do I put it? Into msauth_rules or what?
Then I want to make it send me emails by doing the below. For now I don't
want ema
Hi All,
I am very new to OSSEC and I need some help with a simple issue. I need an
example rule for the following:
I have a user who has a granular password policy applied to him, this
policy says that this account cannot be locked out like all the other
domain accounts. But because he is th
Hi, can you verify whether the port is open?
[root@wazuh-manager /]# netstat -tuna | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
The Symantec IP is allowed in ossec.conf, right?
Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com
On March 14, 2017 at 12:44:
It's very strange... I have already enabled syslog over 514 from our
symantec server to the OSSEC server, and I see the logs coming into our
ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
alerts files and do not see the log anywhere on the server... Where shoul
Hello,
In order to permit OSSEC to receive your Symantec syslog messages, you need to
enable this in the configuration:
Listen on port 514:
<remote>
  <connection>syslog</connection>
  <allowed-ips>Symantec AV ip</allowed-ips>
</remote>
Then you need to restart OSSEC:
/var/ossec/bin/ossec-control restart
If after these changes you are still not receiv
On Mar 14, 2017 10:57 AM, wrote:
Hello All,
I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:
**Phase 2: Completed decodin
Hello All,
I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:
**Phase 2: Completed decoding.
decoder: 'Symantec'
**
Hi Ralph,
You are welcome.
Yes, I did, I can confirm I was seeing entries on active-response.log and
the *firewall-dns-query-drop.sh* was triggering.
Let me see if I can keep helping you. By "stand-alone" you mean you only
have an OSSEC Manager running, right?
Just to be sure, at active-respon
Thanks for trying it.
- Permissions on the script are good.
# ll active-response/bin/firewall-dns-query-drop.sh
-rwxr-x--- 1 root ossec 5758 Mar 10 07:58 active-response/bin/firewall-dns-query-drop.sh*
- I removed the 8 tag.
- This is a stand-alone install so I don't think the serve
Hi Ralph,
I have been testing your configuration, everything works great on my
environment (using standard firewall-drop.sh).
Few tips which may help you:
- Active-response block: you are using *rules_id* and *level*, since
your rule will have same level no matter what, maybe you could