Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Eduardo Reichert Figueiredo
Hi, I will try to enable this feature in my RHEL; after testing I will notify you. Thanks. On Thursday, March 23, 2017 at 15:37:50 UTC-3, Victor Fernandez wrote: > > Hi Eduardo, > > I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your > configuration and it worked. But when I dis

Re: [ossec-list] Custom decoder & rule not working

2017-03-23 Thread Victor Fernandez
Hi Martin, the problem is that this log also matches rule 2501 (from syslog), which has level 5. Since your rule 100201 has level 1, OSSEC discards it in favor of rule 2501. So if you increase the level to 6 it should work: app.ERROR Multiple login attempts bepark.eu/fr/connexion 100201 Multip
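The fix Victor describes, written out as an added example (this is not the configuration Martin or Victor posted): a local decoder for the app.ERROR line quoted in Martin's post, rule 100201 at level 6, and a composite rule that counts failures per source IP so an active response can be attached to it. The decoder names, rule ids 100200 and 100202, and the 8-failures-in-120-seconds threshold are assumptions made for the example.

```xml
<!-- Added example: /var/ossec/etc/local_decoder.xml
     Decodes a constructed sample line of the form shown in the thread:
     [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
     Decoder names are assumptions for this example. -->
<decoder name="bepark-app">
  <prematch>^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p app.ERROR: </prematch>
</decoder>

<decoder name="bepark-app-authfail">
  <parent>bepark-app</parent>
  <!-- Capture the client address so same_source_ip can group on it. -->
  <regex offset="after_prematch">^Authentication failure for IP: (\S+)</regex>
  <order>srcip</order>
</decoder>

<!-- Added example: /var/ossec/etc/rules/local_rules.xml
     Rule ids 100200 and 100202 are assumptions; 100201 is the id from the thread. -->
<group name="bepark,">
  <rule id="100200" level="0">
    <decoded_as>bepark-app</decoded_as>
    <description>bepark application messages grouped.</description>
  </rule>

  <!-- Level 6 outranks the generic syslog rule 2501 (level 5) that also
       matches "authentication failure", so this rule is the one reported. -->
  <rule id="100201" level="6">
    <if_sid>100200</if_sid>
    <match>Authentication failure for IP</match>
    <description>bepark: authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Composite rule. OSSEC fires a frequency rule on frequency + 2 events,
       so frequency="6" means 8 failures from one source IP inside 120 seconds.
       Point the active response at this id, not at 100201. -->
  <rule id="100202" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>bepark: multiple authentication failures from the same IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

After restarting OSSEC, paste the sample line into /var/ossec/bin/ossec-logtest to confirm that the decoder yields srcip=172.17.0.1 and that rule 100201, not 2501, is the one that fires; the block itself then needs an active-response entry in ossec.conf whose rules_id is 100202.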

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Victor Fernandez
Hi Eduardo, I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your configuration and it worked. But when I disabled IPv6 I got the same errors you have. Please try to enable IPv6 on the running system with: sysctl -w net.ipv6.conf.all.disable_ipv6=1 sysctl -w net.ipv6.conf.default.

Re: [ossec-list] Re: Modify rules

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote: > I went with the first option. Works as expected but now I need to adjust the > number of fails before the IP is blocked. Where do I do that? > Try using 5720 for the rule to trigger active response. It looks for 8+ instances by default. > >
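Adjusting the threshold dan refers to, as an added example (not code from the thread or from the OSSEC distribution): rule 5720 redefined in local_rules.xml with overwrite="yes" and a lower frequency, plus the active-response entry in ossec.conf that references it. The chosen frequency, the 600-second timeout and the use of the stock firewall-drop command are assumptions made for the example.

```xml
<!-- Added example: /var/ossec/etc/rules/local_rules.xml
     Redefine stock rule 5720 (multiple sshd authentication failures) here
     instead of editing sshd_rules.xml, so the change survives an upgrade. -->
<group name="syslog,sshd,">
  <!-- OSSEC fires a frequency rule on frequency + 2 events: the stock
       frequency="6" is the "8+ instances" dan mentions; frequency="3" here
       blocks after 5 failures from one IP inside a 120-second window. -->
  <rule id="5720" level="10" frequency="3" timeframe="120" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- Added example: /var/ossec/etc/ossec.conf
     Bind the block to rule 5720; firewall-drop is one of the stock
     active-response commands and the timeout (seconds) is an assumption. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Restart OSSEC after both edits and watch /var/ossec/logs/active-responses.log while replaying failed logins; a wrong frequency shows up there as a block that arrives too early or never.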

Re: [ossec-list] Custom decoder & rules not working

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote: > Hello, > > I have this kind of log coming from a custom app >> >> >> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 >> [] [] > > > I'm trying to block an IP with too many authentication failures. > > So I did a custom deco

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote: > Hi dan, I don't have IPv6 enabled in my Linux system, so I don't have inet6 in > my ifconfig configuration, only IPv4. > > Can this have caused the problem? > I think having IPv6 support is necessary now. You don't need to have a

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Eduardo Reichert Figueiredo
Hi dan, I don't have IPv6 enabled in my Linux system, so I don't have inet6 in my ifconfig configuration, only IPv4. Can this have caused the problem? On Wednesday, March 22, 2017 at 20:30:08 UTC-3, dan (ddpbsd) wrote: > > On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo > >

[ossec-list] Custom decoder & rules not working

2017-03-23 Thread Martin
Hello, I have this kind of log coming from a custom app > > [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 > [] [] I'm trying to block an IP with too many authentication failures. So I did a custom decoder which is working: ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p

[ossec-list] Custom decoder & rule not working

2017-03-23 Thread Martin
Hello, I have this kind of log coming from a custom app > > [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 > [] [] I'm trying to block an IP with too many authentication failures. So I did a custom decoder which is working: ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p

[ossec-list] Re: Modify rules

2017-03-23 Thread The Dude
I went with the first option. Works as expected but now I need to adjust the number of fails before the IP is blocked. Where do I do that? On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote: > > I am new to ossec and I am trying to figure out what is the best way to > change a rul

[ossec-list] Re: Real time monitoring hidden files or hidden folder

2017-03-23 Thread Kat
I actually monitor /home/*.ssh,/root/.ssh and have AR set up so that if a new directory appears in /home, it restarts the agent so it adds it to the wildcard. On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com wrote: > > Recently, we are trying to use OSSEC to monitor ~/.ssh/

Re: [ossec-list] Re: syscheckd causing soft lockups

2017-03-23 Thread John Gelnaw
Upgrading has not solved the problem. Still appears to be some form of port / bind issue based on the backtrace. To obfuscate things, this was my ossec master (wazuh docker image), so it was running in a docker container, on a virtual machine under VMWare. Nothing complicated there, right? I