Hi all,
Just a quick question on whether Windows Server 2012 (agent of course) is
now supported (generally known to work) with OSSEC 2.7. I don't at all
mind testing things out, but noticed that at least on this page, 2012
wasn't in the list:
http://www.ossec.net/?page_id=36
Thanks.
Aaron
--
uld there be any issues by continuing to purge
>> /var/ossec/queue/diff and if so, should I clear the syscheck database when
>> doing so? I'm guessing this is a bug? Please advise and thanks.
>>
>> Aaron
>>
>>
>> On Thu, May 2, 2013 at 3:39 PM, Aaron B
On Thu, May 2, 2013 at 3:39 PM, Aaron Bliss wrote:
> Hi all,
> In our environment, on the management server (version 2.7, CentOS 6 64
> bit), OSSEC is installed on a dedicated mount point at /var/ossec (fairly
> new install, has been online since this past December). We have a mix
Hi all,
In our environment, on the management server (version 2.7, CentOS 6 64
bit), OSSEC is installed on a dedicated mount point at /var/ossec (fairly
new install, has been online since this past December). We have a mixture
of Windows and Linux agents (200 or so). The /var/ossec mount point on
Hi all,
Just a quick question when creating rule exceptions (mods to
local_rules.xml). Is it possible to create a rule that will only apply to
a specific agent? I was thinking the syntax might be if_agentid or
something like that, but I didn't see it mentioned in the OSSEC docs.
Please advise and
and agents.
Note that I've only completed server and local ossec installs to
redhat 6, 64 bit based derivatives (i.e. CentOS 6 64 bit). Not sure
if results would vary across other platforms.
Aaron
On Fri, Dec 21, 2012 at 4:31 PM, Aaron Bliss wrote:
> P.S. All agents listed below are al
P.S. All agents listed below are also ossec 2.7.
Aaron
On Fri, Dec 21, 2012 at 4:27 PM, Aaron Bliss wrote:
> Hi all,
> I believe I'm seeing a new bug with ossec 2.7. Note we are a long
> time ossec shop, currently using 2.6 in production for a very long
> time, so
Hi all,
I believe I'm seeing a new bug with ossec 2.7. Note we are a long
time ossec shop, currently using 2.6 in production for a very long
time, so I knew what log files, config files, etc. to check and so
forth.
Environment:
-new management server installed, on a CentOS 6 64 host fully patc
Hi all,
Just following up for others who might be seeing this as well. Adding
the following did work around the issue. Active Response is now
triggered on the ossec server as well as all agents.
Aaron
firewall-drop
server
6
6000
On Fri, Apr 6, 2012 at 1:05 PM, Aaron Bliss
Hi all,
I've set the location option in the active response configuration to
all so that when an active response is initiated, all ossec agents
will run the appropriate script. Everything is working well with this
in that all agents execute the appropriate active response, except
that I noticed th
Hi all,
Is it possible to ignore all events / rules triggered from a specific
IP address? I'm not referring to whitelisting an IP address in the AR
configuration, but rather would like to ignore the alerts / events
generated when running nessus scans from our nessus box against OSSEC
clients. Ple
er to determine if this is a new bug.
Aaron
On Tue, May 3, 2011 at 1:53 PM, dan (ddp) wrote:
> I'll have to try and reproduce this. I don't remember having trouble
> with it in the past, but I haven't tested recently.
>
> On Fri, Apr 29, 2011 at 4:08 PM, Aaron Bliss wrote:
> No idea why this doesn't work for you though.
>
> On Fri, Apr 29, 2011 at 11:56 AM, Aaron Bliss wrote:
>> Hi all,
>> I've enabled the syscheck option to look for new files as documented here:
>>
>> http://www.ossec.net/wiki/Know_How:Syscheck
>>
Hi all,
I've enabled the syscheck option to look for new files as documented here:
http://www.ossec.net/wiki/Know_How:Syscheck
New files are detected and alerted upon on the ossec server, but don't
seem to be on agents. I've verified that the clients are monitoring
the directories that I'm placi
e covered in the default outbound policy
> which is more than likely set to ACCEPT.
>
> The logs that you show for the alerts look to be based on a windows
> firewall log. Which is the firewall dropping the connection.
>
>
>
> On Fri, Dec 3, 2010 at 00:16, Aaron Bliss wrote:
>
agent to port 1514 on the manager should be allowed.
>>
>> On Thu, Dec 2, 2010 at 11:14 PM, Aaron Bliss wrote:
>>> Hi all
>>> I've noticed that in several Windows clients' firewall logs that the
>>> ossec server is attempting to connect to the client
ndom port to 1514, and the server responds to that
> port.
> Traffic to and from the agent to port 1514 on the manager should be allowed.
>
> On Thu, Dec 2, 2010 at 11:14 PM, Aaron Bliss wrote:
>> Hi all
>> I've noticed that in several Windows clients' firewall l
Hi all
I've noticed that in several Windows clients' firewall logs that the
ossec server is attempting to connect to the client on random UDP
ports. The clients are firewalled which is why I noticed the dropped
packets. The source port is always UDP 1514, so this points to ossec
related traffic (
Hi all,
I believe that I found documentation to answer this. On the master
server, changing location from local to any for each active-response
stanza in ossec.conf will achieve this, correct?
Aaron
On Tue, Nov 30, 2010 at 10:11 AM, Aaron Bliss wrote:
> Hi all,
> We are successfully
Hi all,
We are successfully using Active Responses against both Windows and
Linux based hosts. Currently we are using the boxed null-route and
firewall-drop responses. Is it possible to configure the ossec server
to initiate an active response on all managed agents instead of just
the agent that
I use the default rules (running on a RedHat 5, os and Apache have
been hardened) and average about 5-10 active responses per day. The
only non-standard setting currently used is that I've increased the
the timeout from 10 minutes to 90 minutes for any triggered active
responses. BTW, ossec (acti
Hi all,
I noticed that Windows 2008 clients were not running the built in
route-null.cmd active response script properly. Server 2003 clients
run it without issue. This seems to be because the output of ifconfig
/all changed in server 2008. Modifying the route-null.cmd script by
editing the foll
Hi all,
We currently have a very stable version 2.2 Ossec deployment, with a
mixture of Windows, Linux and Solaris clients. Everything is working
great, but I don't want our environment to get too far out of date.
Are there any things to be concerned about in order to upgrade to 2.4,
other than to
f-list --
>> I'd love to get your feedback.
>>
>> On Mon, Nov 23, 2009 at 11:54 AM, Aaron Bliss wrote:
>> > Hi all. I'm looking for the splunk ossec app. The link below doesn't
>> > seem to be working and browsing the splunk website, I can't
Hi all. I'm looking for the splunk ossec app. The link below doesn't
seem to be working and browsing the splunk website, I can't seem to
find the ossec app. Any ideas where the app is located?
http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC#
Hi all,
I have an apache (RedHat) web server that is not configured to log
its files to the standard location, however the format is the same.
The server is using cronolog to split up the logfiles into several
directories. So I'm looking to monitor any file in
/usr/local/apache/logs/*/*.log ; s
ossec-list+unsubscr...@googlegroups.com worked; I've been subscribed
to this list from 2 mailboxes, but don't need the double mailings.
Thanks for your help.
On Thu, Aug 27, 2009 at 2:20 PM, Trey Valenta wrote:
>
> On Aug 27, 2009, at 6:52 AM, Aaron Bliss wrote:
>
>>
This page lists the mail address of
ossec-list-unsubscr...@googlegroups.com however the mailbox doesn't seem
to exist, as I'm getting bounce back messages when attempting to
unsubscribe:
http://www.ossec.net/main/support/#ossec-list
Normally applications that require a database and have the MySQL database
running locally don't connect via IP address, but rather via socket (as you
did when you made the connection with your root user). Everything looks
good, but try making the connection to your database from your server's cli
I have a few questions about auto_ignore. We have been running ossec
version 2 for a few months now and I believe that auto_ignore is
enabled by default? If so, I can disable by adding the following
inside the configuration part of the ossec.conf file on the
ossec server, correct:
no
Is there
I would also go with Apache. Also, you can do things to help to
mitigate against potential vulnerabilities, such as limiting access to
the webserver by IP address, or using ssh port forwarding which would
eliminate the need to have the webserver accessible from anywhere
other than localhost...the
Any info logged to ossec/logs/active-responses.log?
Aaron
On Mon, May 11, 2009 at 5:11 PM, John Lewis wrote:
> I have an agent installed on an internet facing system, and am trying to get
> active response working for it.
>
>
>
> Here’s what I have in the agent’s ossec.conf file, AND the server
Hi all I have a few questions on white listing and active response;
Even though I've white listed our network (using CIDR format, on our
server, not the agents) I noticed that some hosts on our network were
getting blacklisted. Today I was able to catch one while the black
listing happened and t
--
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Mon, Mar 16, 2009 at 10:37 AM, Aaron Bliss
> wrote:
> > Hi all,
> > We are running ossec 2.0. Most (all) of our linux clients report daily
> of
> > /etc/prelink.cache checksum changes. According to this Re
Hi all,
We are running ossec 2.0. Most (all) of our linux clients report daily of
/etc/prelink.cache checksum changes. According to this RedHat post
http://www.redhat.com/archives/fedora-list/2007-October/msg04408.html this
is expected behavior. I know how to modify the local rules file on the
o
Hi all. I'm running ossec 2.0 on RedHat 5 ES (32 bit). I have a Windows
2003 server client that is reporting a failure of "Windows Audit: Microsoft
Firewall disabled." I've verified that the firewall is in fact running (by
way of group policy, checking for the lock icon on the network interface
Arie,
Do you have selinux enabled?
Aaron
On Tue, Feb 17, 2009 at 7:38 AM, Arjen van Drie wrote:
> Hi,
>
> I am trying to get ossec running on CentOS release 5.2, kernel
> 2.6.18-92.1.10.el5xen, a xen guest. I get in my logs
>
> 2009/02/17 12:15:23 ossec-analysisd(1210): ERROR: Queue '/queue/ale
Hi all,
I'm not sure if I'm running the tool properly, however here is what I'm
doing:
./rootcheck_control -l | grep bantest
ID: 069, Name: bantest, IP: 137.21.6.50, Active
./rootcheck_control -q -i 069
Policy and auditing events for agent 'bantest (069) - 137.21.8.3':
It doesn't seem to matter
8, 2008 at 4:55 PM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
> Daniel,
> That was it. Server and client were upgraded from earlier releases. CIS
> auditing now working. Thanks for your help.
>
> Aaron
>
>
> On Tue, Oct 28, 2008 at 3:18 PM, Daniel Cid <[EMAIL PROTECTED
Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sat, Oct 25, 2008 at 10:30 AM, Aaron Bliss <[EMAIL PROTECTED]>
> wrote:
> > Hi all,
> > I'm running version 1.6.1. I'm looking for documentation on how to
> enable
> > CIS benchmark auditing on the s
Hi all,
I'm running version 1.6.1. I'm looking for documentation on how to enable
CIS benchmark auditing on the server and clients. I came across this link in
the wiki, but I didn't see any documentation on configuring/enabling the
auditing policy or rules. Thanks.
Aaron
http://www.ossec.net/wi
Hi all,
I'm running ossec 1.6 with ~75 agents. I would like to know what needs to
be backed up on the ossec server to ensure that if I had to recover the box,
that I would be able to get the server up and running again without having
to visit each client. I'm not too concerned about losing histo
Hi everyone,
I'm looking for upgrade instructions for upgrading from version 1.4 to
1.5. Should I stop the ossec daemons before upgrading? Also, is there
any problem with having an older agent (1.4) talk to a newer server
(1.5)? Thanks for your help.
Aaron
local
5701
Aaron Bliss wrote:
Hi everyone,
I've been using ossec for a few months now and everything is working
great (a truly excellent, robust application set). I've deployed the
redhat agents with active response disabled, but I would like to start
testing this now that
Hi everyone,
I've been using ossec for a few months now and everything is working
great (a truly excellent, robust application set). I've deployed the
redhat agents with active response disabled, but I would like to start
testing this now that mostly everything is working. My goal is to
hav
Hi everyone,
I've been using ossec for a few months now and everything is working
great (a truly excellent, robust application set). I've deployed the
redhat agents with active response disabled, but I would like to start
testing this now that mostly everything is working. My goal is to
hav
; Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Dec 5, 2007 11:00 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
>
>> Hi everyone,
>> I have several boxes of similar hardware and os. I've compiled the
>> agent on one of the boxes without issues (solaris 10 sparc
Hi everyone,
I have several boxes of similar hardware and os. I've compiled the
agent on one of the boxes without issues (solaris 10 sparc). Can I
simply just recursively copy the /var/ossec directory to the other
boxes? I've added the ossec user and group and fixed all necessary
ownersh
Hi everyone,
I'm just trying to figure out how to monitor the built in windows
firewall logs with ossec. I've have the windows policies configured,
logging, etc, but I'm not sure what the log_format directive should be
set to. Thanks for your help.
Aaron
Hi everyone, is it possible to configure the ossec
server to ignore successful Logon Type: 3 events? Thanks for your help.
2007 Nov 27 10:26:24 Rule Id: 18107
level: 3
Location: (test1) 137.21.8.90->WinEvtLog
Windows Logon Success.WinEvtLog:
Security: AUDIT_SUCCESS(540): Security: IT Suppor
--
Aaron Bliss
Systems Administrator
SUNY Brockport
(585) 395-2417
Answered my own question again:
mysql-devel and postgresql-devel.
Aaron
Aaron Bliss wrote:
> When attempting to set build option of setdb (from the wiki
> http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput), I get
> the following error:
> # make setdb
> Error: D
When attempting to set build option of setdb (from the wiki
http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput), I get the
following error:
# make setdb
Error: DB libraries not installed.
Any ideas of what package I'm missing? Thanks.
Aaron
ving the syslogs from the remote host? Thanks.
syslog
192.168.8.3
Aaron Bliss wrote:
> I figured this out. Thanks.
>
> Aaron
>
> Aaron Bliss wrote:
>> Hi everyone,
>> I'm pretty sure that ossec can do this. Before deploying agents to
>> oth
I figured this out. Thanks.
Aaron
Aaron Bliss wrote:
> Hi everyone,
> I'm pretty sure that ossec can do this. Before deploying agents to
> other machines, I would first like to get ossec to accept syslogs
> from remote machines and just analyze those messages. Duri
It looks like I'm receiving events from the remote syslog host, I just
didn't realize that I need to configure e-mail alerts for the remote
host as well. So again, all looks good so far. Thanks.
Aaron
Aaron Bliss wrote:
> I added the IP of the remote machine that I want to a
Hi everyone,
I'm pretty sure that ossec can do this. Before deploying agents to
other machines, I would first like to get ossec to accept syslogs from
remote machines and just analyze those messages. During the setup of
the ossec server, I chose the option to have it accept syslog messages,
Hi everyone,
I looked at list of supported operating systems
(http://ossec.net/wiki/index.php/Supported_Systems) and was wondering if
solaris 10 sparc is supported to run as a hid? Our ossec server would
most likely be a redhat box if Solaris 10 sparc will work. Thanks for
your help.