[ossec-list] SQL Server 2008 logon

2010-07-15 Thread Branimir Pačar
Hi, I've created a new rule for monitoring logon actions on SQL Server 2008. OS is Windows Server 2008. I'm using OSSEC server/agent 2.3. Here is rule: 18104 ^33205 MS SQL Server 2008 Logon Success. authentication_success, Problem occurs when log is process

[ossec-list] ossec-logtest error

2011-03-21 Thread Branimir Pačar
Hi all, I have fresh installation of ossec server 2.5.1 on AIX server. I didn't modify anything yet in decoder or rules, but when I try to run ossec-logtest I get following error: 2011/03/21 12:03:36 ossec-analysisd(1226): ERROR: Error reading XML file 'etc/decoder.xml': XML ERR: Element

RE: [ossec-list] ossec-logtest error

2011-03-23 Thread Branimir Pačar
Subject: Re: [ossec-list] ossec-logtest error > > Try: > > ^20\d\d\d\d\d\d\p;\p > ^\d+\p;\p\S+\p;\p(\d+)\p; > id > > > > 2011/3/21 Branimir Pačar : > > Hi all, > > > > > > > > I have fresh installation of ossec server 2.5.1 on AI

[ossec-list] WIn server 2008

2011-04-04 Thread Branimir Pačar
Hi, I had some problems with alerting on Win server 2008 R2. I was constantly getting alerts that windows station is shutting down. Since that wasn't the case, I've investigated it a little and found that problem was in rule 18117 and matching of id 513. Since 2008 has events that begin with 513

RE: [ossec-list] ossec-logtest is performing differently from running ossec

2011-04-04 Thread Branimir Pačar
> -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On > Behalf Of joshua.gruber > Sent: Friday, April 01, 2011 6:14 AM > To: ossec-list > Subject: [ossec-list] ossec-logtest is performing differently from running > ossec > > Okay, per microsoft, w

[ossec-list] Source ip for network segment

2011-06-07 Thread Branimir Pačar
Hi all, Is it possible to define whole network segment in rule as source ip? Currently I know for tag but I would like to define i.e. 192.168.1.0/28 and trigger rule for all those addresses without need to define each address in that segment using . Regards, Branimir

RE: [ossec-list] Emails Notification Alert Levels

2010-02-12 Thread Branimir Pačar
> -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On > Behalf Of dan (ddp) > Sent: Tuesday, February 02, 2010 4:39 PM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Emails Notification Alert Levels > > On Mon, Feb 1, 2010 at 10:16

RE: [ossec-list] Local Rules Syntax

2010-03-09 Thread Branimir Pačar
Maybe you could write your rule like this: ... snort01 snort02 ... I'm not sure if it is going to work, but it doesn't hurt to try. Best regards, Branimir From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf O

RE: [ossec-list] Issues with upgrade to 2.3

2010-03-12 Thread Branimir Pačar
Hi, When I try to start OSSEC with your rules, in first rule error occurs because of second backslash in match tag: \system32\ If I remove it, OSSEC reports no errors. In second rule there may be error with level option and quotation marks. Try to write it like this level