I thought the same thing when I read that article :)
--
Doug Burks, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Tue, Apr 13, 2010 at 4:10 PM, Martin West wrote:
>
> http://blogs.zdnet.com/security/?p=6123&tag=nl.e589
>
> :-(
>
> Martin West
>
>
>
>
Hi Jeremy,
You might want to take a look at the section titled "Tweaking the
subject of mail notification" at the following link:
http://www.ossec.net/wiki/Tweaking_OSSEC
Regards,
--
Doug Burks, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Tue, Apr 27, 2010 at 3:55 PM, Jer
Hi Daniel,
I'd be willing to help out on the documentation project.
Regards,
--
Doug Burks, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Thu, Apr 29, 2010 at 6:34 PM, Daniel Cid wrote:
> Hi Ash,
>
> I am afraid the most current/complete documents we have are the onlin
Hi Ray,
Try something like this:
<!-- rule id and level below are placeholders; the archived post did not preserve the XML tags around these values -->
<rule id="100xxx" level="0">
  <if_sid>1002</if_sid>
  <program_name>^canitd</program_name>
  <match>HandleDictionaryAttacks: Running task|HandleDictionaryAttacks completed</match>
  <description>Ignore canitd HandleDictionaryAttacks messages (placeholder description)</description>
</rule>
Please let us know whether or not that helps.
Thanks,
--
Doug Burks, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Tue, May 4, 2010 at 9:04 AM, Ray
Hi Antony,
This appears to be a RedHat box of some kind (RHEL/CentOS/Fedora).
Check the yum repositories that are configured in /etc/yum.repos.d/
and verify that the host can access them.
Thanks,
--
Doug Burks, GPEN, GCIA, GSEC, CISSP
http://securityonion.blogspot.com
On Thu, Jun 10, 2010 at 1
This morning, McAfee Antivirus began deleting service-stop.exe on our
servers:
The file C:\Program Files\ossec-agent\service-stop.exe contains
Generic Downloader.x!eaf Trojan. The file was successfully deleted.
Is anybody else seeing this?
Here's the VirusTotal report for service-stop.exe from
OSSEC Agent version 2.4.1 (0/42 AV vendors alert):
http://www.virustotal.com/analisis/173034447d2ce6cba0969a82afeac24050b835879bfa0c51bb5243cc184490d2-1279019047
Doug Burks
On Jul 13, 10:20 am, Doug Burks wrote:
> This morning, McAfee An
password entered repeatedly
Please let us know how it goes.
Regards,
--
Doug Burks, GPEN, GCIH, GCIA, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Thu, Sep 23, 2010 at 6:33 AM, ItsMikeE wrote:
> There is a syslog rule (1002) which looks
peatedly
I did a quick test of these rules and they appear to work correctly.
Please let us know how it goes.
Regards,
--
Doug Burks, GPEN, GCIH, GCIA, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Sep 23, 6:58 am, Doug Burks wrote:
>>> -Notice the new daemon, ossec-awardd :)
>>> -The PID is the alpha representation of Daniel's initials (d=4,b=2,c=3)
>>> -The log is fairly well-formatted for parsing and is an RFC-compliant
>>> syslog
>>>
>>> Please join me in thanki
Is this a Linux box? If so, have you considered using the native
IPTables logging? It's easy to configure and OSSEC can read it by
default:
http://www.ossec.net/wiki/Know_How:Iptables_Config
Regards,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=99 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=99 op=6 RESULT tag=97 err=0 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=99 op=7 UNBIND
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=99 fd=64 closed
Thanks,
Doug Burks
Any ideas on this one?
Thanks,
Doug Burks
On Nov 12, 2:29 pm, "dan (ddp)" wrote:
> What happens on the list stays on the list. ;)
>
>
>
> On Thu, Nov 11, 2010 at 9:15 PM, Chris Decker wrote:
> > I'm interested in such a decoder as well, so any effort expen
We *do* have OpenLDAP configured to use syslog. This multi-line mess
is as good as it gets :)
Thanks,
Doug Burks
On Nov 20, 7:05 pm, Michael Starks
wrote:
> On 11/10/2010 02:12 PM, Doug Burks wrote:
>
> > Has anybody used OSSEC to monitor OpenLDAP logs? Specifically, I'd
http://securityonion.blogspot.com/2011/01/security-onion-20110101.html
Please let me know if you have any questions or suggestions.
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
t and
lower the severity level to prevent Active Response
Regards,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Tue, Feb 22, 2011 at 4:02 AM, Steve wrote:
> I've been looking for a way to add domains to the whitelist to
Was there ever any conclusion on this problem? I have an OSSEC 2.5.1 server
with 43 agents. ossec-analysisd is using 99% CPU! Unix agents periodically
disconnect and will eventually reconnect. What can I do to troubleshoot
this further?
Thanks,
Doug Burks
Agreed. Any ideas on how to find out why analysisd is at 99% cpu? :)
Thanks,
Doug Burks
On Mon, Mar 14, 2011 at 3:04 PM, dan (ddp) wrote:
> I'd start by trying to find out why analysisd is at 99% cpu.
>
> On Fri, Mar 11, 2011 at 2:08 PM, Doug Burks wrote:
>> Was there ev
173679
16 165433
17 116530
18 94434
19 88046
20 105235
21 98339
22 93802
23 104293
24 1124
Most of the alerts are Windows events coming from domain controllers.
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Mon,
I had two servers that were exhibiting this behavior (ossec-analysisd using
99% CPU resulting in agents disconnecting). They were both running CentOS
5.5 and I had verified that rebooting the server didn't help. As soon as
CentOS 5.6 became available, I upgraded and rebooted, and have not seen
r them like it seems to have resolved it for me.
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Thu, Apr 21, 2011 at 11:33 AM, jjennings wrote:
> how many agents was the host monitoring? I'm monitoring about 20
Kat,
Is ossec-analysisd using a high percentage of CPU (more than 5%)?
That was what I experienced. Since I upgraded to CentOS (RHEL) 5.6, I
haven't seen the issue again.
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspo
I experienced the issue with CentOS 5.5, which may be easier to find
than 5.2 or 5.3.
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Wed, May 4, 2011 at 2:19 PM, dan (ddp) wrote:
> I'm trying to find a Ce
rvers have been upgraded to 5.6 and I haven't
seen the issue since.
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Wed, May 4, 2011 at 2:35 PM, dan (ddp) wrote:
> Thanks for the heads up. I think I may have a copy of
Have you looked at the logall option?
http://www.ossec.net/main/manual/configuration-options
Regards,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Thu, May 5, 2011 at 12:00 PM, Kat wrote:
> Hi all..
>
> So I h
My CentOS 5.6 server is now displaying this behavior again. ossec-analysisd
is at 99% CPU usage and causing agents to disconnect. It's been a few weeks
since performing the upgrade to CentOS 5.6 and I haven't seen the issue
until today. Any ideas on how to troubleshoot ossec-analysisd?
Thank
strace to the ossec-analysisd
process shows that it's receiving syscheck info (filenames and hashes)
from some of the local files. (Of course, this doesn't cause the
agents to disconnect since it is a local installation and there are no
agents.)
Thanks,
--
Doug Burks, GSE, CISSP
Presid
------ ----------- ----------- --------- --------- ----------------
100.00    0.017206                292801           total
What else would you like to see?
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Thu, May 19, 2011 at 10:06 AM, Doug Burks wrote:
> I've verif
SANS 434: Log Management In-Depth will soon have a dedicated OSSEC section. :)
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Wed, May 25, 2011 at 2:38 PM, Michael Starks
wrote:
> On 05/25/2011 12:23 PM, Walker, Ba
Hi Holger,
Take a look at the email_maxperhour setting in ossec.conf:
http://www.ossec.net/main/manual/configuration-options
Regards,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
On Thu, Nov 17, 2011 at 7:15 AM, Holger
-ossec-alerts-for-packet.html
Hope that helps!
Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel wrote:
> Hello,
>
> As test to replace our application and serv
Original message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of
> Doug Burks
> Sent: Tuesday, 22 November 2011 14:53
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] server-agent response on and another
> question
://www.ossec.net/doc/faq/ossec.html
Hope that helps!
Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
On Tue, Nov 29, 2011 at 8:47 AM, Dimitris Chontzopoulos
wrote:
> Hey guys,
>
> I was wondering if you guys could he
ally hit the 500 MB/day ceiling), requires Flash to view any graphs
> (seems counter-productive given all of the security issues the plugin has!)
> and splunkd has crashed quite frequently on me.
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
--
Doug Burks
http://securityonion.blogspot.com
--
Doug Burks
http://securityonion.blogspot.com
note that
you can send standard syslog to ELSA and query those logs as well.
http://securityonion.blogspot.com/2013/10/new-video-on-ossec-and-elsa.html
--
Doug Burks
http://securityonion.blogspot.com
--
Doug Burks
http://securityonion.blogspot.com
't store any metadata about
> where the log file was gathered from. Basically it is missing a huge pile of
> features to make it a •good• logging daemon.
> Do we want to make this a •good• logging daemon tool and spend that time and
> effort to build and support this feat
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Thanks for releasing OSSEC 2.8.1 in response to CVE-2014-5284!
Will there be a 2.8.2 release with the TMP_FILE fix shown here?
http://www.ossec.net/?p=1135#comment-555
If so, is there an ETA for 2.8.2?
Thanks!
--
Doug Burks
Hi Dan,
Yes, I like that, too.
Any idea when an official decision will be made?
Thanks,
Doug
On Wed, Sep 24, 2014 at 12:58 PM, dan (ddp) wrote:
> On Wed, Sep 24, 2014 at 12:51 PM, Doug Burks wrote:
>> Thanks for releasing OSSEC 2.8.1 in response to CVE-2014-5284!
>>
>>
_crypto/os_crypto.a ../os_zlib/os_zlib.c ../external/libz.a -lssl
-lcrypto -o agent-auth
https://launchpadlibrarian.net/186670618/buildlog_ubuntu-precise-amd64.ossec-hids-server_2.8.1-ubuntu10securityonion10_UPLOADING.txt.gz
On Tue, Oct 14, 2014 at 1:37 PM, Doug Burks wrote:
> Yes, I'm f
>
>
>
> On Tuesday, October 14, 2014 7:35:55 PM UTC+1, Doug Burks wrote:
>>
>> Yes, just confirmed that our OSSEC package for Security Onion was
>> compiled with OpenSSL for ossec-authd. Here's the relevant snippet
>> from the buildlog:
>>
>> *** Ma
w-securityonion-web-page-package-adds.html
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
e URL and just stick
>>> with the match and regex elements.
>>>
on/sguild.log
I'm not sure I understand. That log file should be created
automatically by sguild (not syslog-ng).
What exactly are you trying to do?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
rt
with OSSEC itself and end up in a loop.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Is there something obviously wrong with my rule that would prevent
it from matching the above log snippet?
Thanks,
Doug Burks
23 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/03/04 13:59:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/03/04 13:59:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2010/03/04 13:59:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2010/03/04 13:59:24 ossec-logcollector: INFO: Started (pid: 28466).
2010/03/04 13:59:55 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2010/03/04 14:02:41 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2010/03/04 14:03:34 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2010/03/04 14:03:34 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2010/03/04 14:04:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
Is this normal?
Thanks,
Doug Burks
tural decoding and then make your new rule a child to
the final decoded event (18101 Windows Informational Event). Lesson
learned! Thanks for your help in resolving this issue!
Thanks,
Doug Burks
On Mar 4, 12:16 pm, "dan (ddp)" wrote:
> On Thu, Mar 4, 2010 at 10:14 AM, Doug Bur
ther
OSSEC installs is instantaneous with no excessive CPU usage.
What would cause ossec-analysisd and ossec-logtest to hit 100% CPU
usage for 3 minutes? Any ideas, Daniel Cid?
Thanks,
Doug Burks
On Mar 4, 4:02 pm, Joshua Gimer wrote:
> On Thu, Mar 4, 2010 at 12:11 PM, Doug Burks wr
st
is exhibiting the same behavior; would it be affected by agents? Is
there any additional logging that I can enable to determine what is
taking so much time and CPU?
Thanks,
Doug Burks
On Mar 9, 7:41 am, Daniel Cid wrote:
> Hi Doug,
>
> I have no clue to what might be going on... syschec
You only have to restart the server, not the clients.
The group tag is used for reporting and you can put whatever you want
in there.
Here's how I ignored Snort startup messages in my local_rules.xml:
<!-- rule id and level below are placeholders; the archived post did not preserve the XML tags around these values -->
<rule id="100xxx" level="0">
  <if_sid>1002</if_sid>
  <program_name>^snort</program_name>
  <match>Check for Bounce Attacks: YES alert: YES</match>
  <description>Ignore Snort startup messages (placeholder description)</description>
</rule>
I chose to err on the s
The decoder puts "snort" in program_name. Perhaps doesn't
apply to program_name. What happens if you use the program_name line
from my rule and NO match line?
Doug
On Mar 10, 1:54 pm, "Jefferson, Shawn"
wrote:
> Ok, thanks! Do you see any problems with the rule that I do have though? I
> wo
CPU usage. Daniel is going to work on
improving the code that reads the fts-queue file.
Regards,
Doug Burks
http://securityonion.blogspot.com/
On Tue, Mar 9, 2010 at 2:41 PM, Doug Burks wrote:
> Hi Daniel,
>
> Thanks for your response. We're running OSSEC 2.3 on CentOS 5.4.
> N
>> >> > Thanks all for the help!
>> >> >
>> >> > Eric
>> >> >