Re: [ossec-list] Windows OSSEC Agent 2.8.3 – cannot install on Windows server 2012 R2

2015-11-13 Thread Jb Cheng
I downloaded the 2.8.3 Windows agent from http://www.ossec.net/?page_id=19 today, ( https://bintray.com/artifact/download/ossec/ossec-hids/ossec-agent-win32-2.8.3.exe). The EXE file size is 1,146 KB. The SHA256 checksum is: feb135286ed19382cc479b7f035be5296360291900faf01338accad59f910e4a os

[ossec-list] Re: Windows agent binaries

2015-11-11 Thread Jb Cheng
Thank you, Dan, for the correction! On Tuesday, November 10, 2015 at 5:28:00 AM UTC-8, dan (ddpbsd) wrote: > > When uploading the 2.8.3 Windows binary and checksum, I uploaded the > wrong checksum. I have just now re-uploaded the files. My apologies > for the confusion.

[ossec-list] Re: OSSEC: Real time file monitoring not starting

2015-11-11 Thread Jb Cheng
Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file checks for the existence of a header file. Please see if your Ubuntu system has one of the following: # Checking for inotify if [ "X$OS" = "XLinux" ]; then if [ -e /usr/include/sys/inotify.h ]; then

[ossec-list] Re: 2.8.1 release notes link broken

2015-04-13 Thread Jb Cheng
Try http://www.ossec.net/files/ossec-hids-2.8.1-release-note.txt > [1]: http://www.ossec.net/files/ossec-hids-2.8-release-note.txt

Re: [ossec-list] OSSEC Clients connect to server - server doesnt answer / show them in the UI

2014-06-04 Thread Jb Cheng
I could not see your PNG files either. Judging from the following error, which means that manage_agents.exe could not get the full path to the directory the executable lives in, I suspect you might have a non-working OSSEC Windows agent installation. Where did you get the agent from? T

[ossec-list] Re: OSSEC 2.8 Released

2014-06-04 Thread Jb Cheng
For a detailed, complete list of changes from 2.7.1 to 2.8, refer to the closed Pull Requests on GitHub (https://github.com/ossec/ossec-hids/pulls?direction=desc&page=1&sort=created&state=closed). Or, you can see a formatted version of the above at https://gist.github.com/jrossi/2ba9471e408e7b4

[ossec-list] Re: Won't start after upgrade from 2.7.1 to 2.8

2014-06-04 Thread Jb Cheng
Thanks to Steve for reporting this. Yes, the rule bro-ids.xml was removed in 2.8 since it did not work anyway. Please delete the line in your /var/ossec/etc/ossec.conf to avoid the error message. On Wednesday, June 4, 2014 9:57:04 AM UTC-7, Steven Stern wrote: > > At the end of ./install.sh >

[ossec-list] Re: ossec-agent can't access some folders/files on Windows Server 2008 R2

2014-04-25 Thread Jb Cheng
'C:\Windows\System32\drivers\etc' is in the default OSSEC agent configuration file ossec.conf. It works on my Windows Server 2008 R2 when I login as the Administrator. Check your folder permission first. Also, do you get similar errors for any of the other directories in your agent ossec.conf?

[ossec-list] Re: OSSEC 2.8 Beta

2014-04-25 Thread Jb Cheng
The OSSEC 2.8 Beta source, as well as the pre-built Windows Agent, are available on OSSEC web site Download page: http://www.ossec.net/?page_id=19 now.

[ossec-list] OSSEC 2.8 Beta

2014-04-23 Thread Jb Cheng
We are entering OSSEC 2.8 Beta now. The latest fixes have been merged to the 'stable' branch and you can download the source code from the following link: wget https://github.com/ossec/ossec-hids/archive/stable.zip The Windows Agent build will be available soon. From now until 2.8 release,

[ossec-list] Re: OSSEC 2.8 Alpha

2014-04-17 Thread Jb Cheng
OK? I would love to do some > beta testing of the 2.8 branch, but want to make sure we are in a good > place before starting any test. > > Thank you > ~J > > On Monday, April 7, 2014 11:21:53 PM UTC-7, Jb Cheng wrote: >> >> There have been 17 contributors since mo

[ossec-list] Re: OSSEC 2.8 Alpha

2014-04-07 Thread Jb Cheng
There have been 17 contributors since moving to GitHub --- See the complete list on https://github.com/ossec/ossec-hids/graphs/contributors. Also, thanks to all who submitted Pull Requests to BitBucket, and who sent patches to the mailing list in the past. Together you set the future direction of OSS

[ossec-list] Re: OSSEC 2.8 Alpha

2014-04-07 Thread Jb Cheng
Draft release notes can be found at https://gist.github.com/jrossi/a7934a436fef3811f97e On Monday, April 7, 2014 3:57:58 PM UTC-7, Jb Cheng wrote: > > We are in 2.8 Alpha testing phase now. > I have reviewed the GitHub 'master' branch and found the new commits > du

[ossec-list] OSSEC 2.8 Alpha

2014-04-07 Thread Jb Cheng
We are in 2.8 Alpha testing phase now. I have reviewed the GitHub 'master' branch and found the new commits during the past week are good fixes and hence merged them to 'stable' branch. You can download the latest 'stable' source code from the following link for testing: wget https://github.co

Re: [ossec-list] Agent autoenrollment for Windows

2014-04-07 Thread Jb Cheng
Would you test https://github.com/ossec/ossec-hids/pull/181 to see if it works for you? On Monday, April 7, 2014 2:27:11 AM UTC-7, Eretico Bilbao wrote: > > > > Il giorno venerdì 4 aprile 2014 16:03:49 UTC+2, dan (ddpbsd) ha scritto: >> >> On Fri, Apr 4, 2014 at 9:45 AM, Eretico Bilbao >> wrote

Re: [ossec-list] Release process ? and time to cut a release

2014-04-02 Thread Jb Cheng
Problem solved. I need to get the proper libreadline installed. PR #159 has been merged to 'master' On Wednesday, April 2, 2014 5:00:51 PM UTC-7, Jb Cheng wrote: > > After checking out pull #159 by using the following commands: > > git checkout -b awiddersheim-fix_w

Re: [ossec-list] Release process ? and time to cut a release

2014-04-02 Thread Jb Cheng
After checking out pull #159 by using the following commands: git checkout -b awiddersheim-fix_win32_install_uninstall master git pull https://github.com/awiddersheim/ossec-hids.git fix_win32_install_uninstall The compile failed when trying to build LUA as part of Windows agent. I got a lot

Re: [ossec-list] Release process ? and time to cut a release

2014-04-01 Thread Jb Cheng
2014 11:08:44 AM UTC-7, Jb Cheng wrote: > > Let's proceed with 2.8 fork today. I plan to do this at 5 p.m. US Pacific > Time (12:00 midnight GMT). > > On Friday, March 21, 2014 3:47:33 PM UTC-7, Jb Cheng wrote: >> >> Since there is no objection so far, let's pl

Re: [ossec-list] Release process ? and time to cut a release

2014-04-01 Thread Jb Cheng
Let's proceed with 2.8 fork today. I plan to do this at 5 p.m. US Pacific Time (12:00 midnight GMT). On Friday, March 21, 2014 3:47:33 PM UTC-7, Jb Cheng wrote: > > Since there is no objection so far, let's plan to make ossec-hids-2.8 fork > on April 1st, 2014. > > If

Re: [ossec-list] Release process ? and time to cut a release

2014-03-21 Thread Jb Cheng
Since there is no objection so far, let's plan to make ossec-hids-2.8 fork on April 1st, 2014. If anyone has Pull Requests that you really like to be considered for 2.8 release, please do so by March 28th if you can. Be kind and allow time for Maintainers to review.

Re: [ossec-list] Proposal to create ossec-rules repo

2014-03-21 Thread Jb Cheng
Let's say ossec_2.8 will be released with rules_2.8. Two months later, an updated rules_2.8_u1 is available and is applied (we need to decide whether this is done via install.sh, or by simply updating the rule files directly). Four months later, an updated rules_2.8_u2 is available and is applied.

Re: [ossec-list] Release process ? and time to cut a release

2014-03-20 Thread Jb Cheng
On Thursday, March 20, 2014 9:44:11 AM UTC-7, Jeremy Rossi wrote: > > >> # Code management of bug fixes # > >> > >> During alpha, beta, and RC I propose that we make sure that all fixes > go > >> into master then are cherry picked from master to the release repo. >

Re: [ossec-list] Release process ? and time to cut a release

2014-03-20 Thread Jb Cheng
> I can also help to setup travis-ci generation of tarballs, rpms, etc > and have it upload betas automatically. It is wonderful that you can do the above. Thank you very much! > > # Use the Pull Requests Not the Commits > > To create the release notes I would use

Re: [ossec-list] Release process ? and time to cut a release

2014-03-20 Thread Jb Cheng
https://gist.github.com/jrossi/a7934a436fef3811f97e is indeed a complete list of pull requests and their descriptions. It serves well as a detailed relea

[ossec-list] Re: How does OSSEC keep track of what events it has not processed?

2014-03-17 Thread Jb Cheng
Not a direct answer to your question, but you may want to try an alternative approach I used for testing. You can leave the OSSEC agent running, but simply use a separate process to pull IIS logs from Azure and append it line by line to the monitored local file. On Tuesday, March 4, 2014 6:5

[ossec-list] Re: Trend Micro end Commercial Support?

2014-03-17 Thread Jb Cheng
In the long term I hope to see a list of "Certified OSSEC Professional Service" providers that can cover all the various needs of OSSEC Support. That has not happened yet. For now, you can go to http://www.ossec.net/ home page and find the Team Blog section. I know some of the team members bel

[ossec-list] Re: Monitoring changes to a directory

2014-03-17 Thread Jb Cheng
I believe Syscheck checks files only; it does not check directory name or permission changes. On Tuesday, March 4, 2014 7:41:34 AM UTC-8, Abhi T wrote: > > Hi, > > I am using OSSEC to monitor a particular directory for changes. It's > working wonderfully for all the files in that directory(Incl

Re: [ossec-list] ossec-reportd produces zero results despite information in the alert.log

2014-03-17 Thread Jb Cheng
The alert format has been customized by AlienVault so ossec-reportd cannot parse it anymore. You should use AlienVault tools instead. On Monday, March 17, 2014 9:44:43 AM UTC-7, dan (ddpbsd) wrote: > > On Mon, Mar 17, 2014 at 12:36 PM, James Brown > > > wrote: > > I'm using OSSEC HIDS 2.7, it

[ossec-list] Re: Change usernames/group ossec uses?

2014-03-17 Thread Jb Cheng
Most ossec processes have the option '-g -u ' to run as a specific group/user. Perhaps that can meet your needs. On Wednesday, March 5, 2014 11:11:15 AM UTC-8, Anthony Biacco wrote: > > I'm compiling 2.7.1 from source and building an rpm using my own spec file. > I'm creating different username

Re: [ossec-list] Release process ? and time to cut a release

2014-03-17 Thread Jb Cheng
I am going to propose a 2.8 release schedule. Feel free to comment on dates and procedure below: 1) April 1st, 2014 --- From https://github.com/ossec/ossec-hids, fork the repository to ossec-hids-2.8. 2) Start Alpha testing phase for 2 weeks. Only bug fixes will be accepted to the ossec-hi

[ossec-list] Re: [ossec-dev] Seperate Rules and Decoders

2014-03-07 Thread JB Cheng
Some new decoder/rules syntax requires a minimum version of OSSEC source to run. Suggest using a rule version numbering system that takes this into consideration, and embed the version string in the comment of ...rules.xml files. For example, if 2.7.1-r000 is the default rules when OSSEC 2.7.1

[ossec-list] Re: Discrepancies in /etc/shared permissions.

2014-02-20 Thread Jb Cheng
The permission of ar.conf can change when OSSEC Agent started, and may depend on which user started the Agent. You may try starting the agent using '-u ossec -g ossec' arguments to see if it makes a difference. On Thursday, January 2, 2014 3:48:12 PM UTC-8, Paul L wrote: > > Hi, > > I have a se

[ossec-list] Re: Ossec-maild failed to start

2014-02-20 Thread Jb Cheng
If you do not use GEOIP, remove it from src/Config.OS and recompile/reinstall OSSEC. If you do use GEOIP, update "etc/internal_options.conf" to add maild.geoip=1. Refer to documentation on http://ossec-docs.readthedocs.org/en/latest/syntax/head_internal_options.analysisd.html And more informa

[ossec-list] Re: Combing Reportd Summarized Sections

2014-02-20 Thread Jb Cheng
Currently ossec-reportd '-r' flag takes only two arguments so what you are asking is not possible out of the box. Perhaps you can feed the reportd output to another processor to get the desired output. Or, the source code is at src/monitord/report.c and someone can work out a patch to add this

[ossec-list] Re: OSSEC & automount

2014-02-20 Thread Jb Cheng
Just a wild guess, do you have "/home/httpd" in /etc/mtab ? On Thursday, January 23, 2014 6:51:44 AM UTC-8, Maahkus wrote: > > Hello group, > > I have a UNIX systems administrator reporting that OSSEC is trying to > automount to /home/httpd on a certain system (Solaris) every 22 hours. > Within

Re: [ossec-list] OSSEC Windows Agent Directly to Splunk Server

2014-02-20 Thread Jb Cheng
Just echo Michael's comment -- OSSEC Agents send encrypted information to the OSSEC Manager and only the OSSEC Manager knows how to decrypt it. Without the OSSEC Manager in the picture, Splunk would not know how to decrypt it. On Wednesday, February 5, 2014 10:10:31 AM UTC-8, Michael Starks

[ossec-list] Re: help with regex for decoder

2014-02-20 Thread Jb Cheng
At first glance, one thing you need is adding a new fieldname to capture the regex item matched by "...Object Name: (\.*)". status, id, user, system_name On Thursday, February 13, 2014 4:38:14 AM UTC-8, Chris H wrote: > > Hi. I'm having real problems with a regex for a decoder, and h

[ossec-list] Re: Silent uninstall of OSSEC?

2014-02-20 Thread Jb Cheng
Try 'uninstall.exe /S', the standard switch for NSIS silent uninstall. On Thursday, February 20, 2014 5:35:32 AM UTC-8, bpgo...@gmail.com wrote: > > This is for X86 Windows to further clarify. > Thanks > > On Wednesday, February 19, 2014 8:47:55 AM UTC-5, bpgo...@gmail.com wrote: >> >> We are curr

[ossec-list] Re: 2.7.1 - MySQL database connection issues.

2014-01-27 Thread Jb Cheng
This seems to be a MySQL connection issue. You might be able to verify this by increasing the MySQL timeout. On Tuesday, January 14, 2014 10:33:29 PM UTC-8, Lawrence Williams wrote: > > Is there anyway to get more out of the OSSEC log? > > i have set all the debug parameters to Level 2 > in /va

[ossec-list] Re: Date and Timestamps / OSSEC Reporting

2013-11-14 Thread Jb Cheng
I am not aware of such a feature of adding date/time stamps to the ossec-reportd output. The output is basically a statistical summary (counting the number of things), so having time stamps for individual events does not make sense. I mean, where do you show them on the report anyway? Can yo

[ossec-list] Re: release 2.7.1, Windows agents and profiles, and Server 2012

2013-11-14 Thread Jb Cheng
Centralized Windows agent profiles was not planned for 2.7.1. Do you want to work on it? OSSEC agent could be installed and run on Windows 2012 server. You can give it a try and report if anything is broken. I have set up my Windows 7 for building OSSEC Agent, using MinGW, and NSIS. I was

[ossec-list] Re: ossec con in europe?!

2013-10-24 Thread Jb Cheng
At Trend Micro, we continue to gauge the interest for holding an OSSEC CON in Europe. Interested users please reply here. Ideally we would like to co-locate it with one of the other major conferences. Your feedback is important to us for making it happen. On Thursday, October 24, 2013 1:46

[ossec-list] Re: Locate agent: Incorrectly formated message from 'any'.

2013-10-14 Thread Jb Cheng
Run the following command to see which agent(s) were not "Active". In particular, look for the entry that says "Never connected". ossec/bin/agent_control -l On Thursday, September 26, 2013 10:48:22 AM UTC-7, BP9906 wrote: > > 2013/09/26 10:41:38 ossec-remoted(1403): ERROR: Incorrectly format

[ossec-list] Re: Empty "Src Location: " in alert using GeoIP while srcip is found

2013-10-14 Thread Jb Cheng
Did you do the step 3 of the GeoIP procedure shown in 2.7-release-note? - - - Step 3. Compile OSSEC with GeoIP enabled, modify config get ossec-hids-2.7.tar.gz tar xzvf ossec-hids-2.7.tar.gz cd ossec-hids-2.7 cd src make setgeoip cd .. su ./install.sh -- mo

[ossec-list] Re: segfault on Ossec_remoted

2013-10-08 Thread Jb Cheng
Indeed, the messages file shows: Sep 24 16:35:58 testsvr kernel: ossec-remoted[21537]: segfault at 0061 rip 0042251f rsp 7fff0cbf5a20 error 4 This is not enough information for me to pin point the crash point in the source code. Any help in terms of reproduction steps will

[ossec-list] Re: Why the system always reports all matched log entries instead of just report new added one according to the time stamp?

2013-09-02 Thread Jb Cheng
If you provide some sample logs and your custom decoders/rules, someone might be able to reproduce the problem and help. On Wednesday, August 21, 2013 6:20:10 AM UTC-7, Zhang Wei wrote: > > The OSSEC version is 2.7.1 beta1 > > *The scenario is like below:* > 1. I wrote the customized decoder XML

[ossec-list] Re: Rules: ignore="" question:

2013-08-28 Thread Jb Cheng
I think ignore="7200" means after rule 531 is triggered for the first time, it will not be triggered again for at least 7200 seconds. This means at most you will get 531 alerts every 2 hours. The first alert should not be delayed. On Thursday, August 8, 2013 10:57:11 AM UTC-7, David Blanton

[ossec-list] Re: server 2012 support

2013-08-28 Thread Jb Cheng
I was able to start OSSEC Agent on Windows Server 2012. You may need to adjust the ossec.conf file in order to match the Win Server 2012 environment better. On Monday, August 12, 2013 6:37:05 AM UTC-7, ab wrote: > > Hi all, > Just a quick question on whether Windows Server 2012 (agent of course)

[ossec-list] Re: OSSEC CON material?

2013-08-05 Thread Jb Cheng
OSSEC CON 2013 Recap has been posted on ossec.net. See http://www.ossec.net/?p=906 Enjoy! On Wednesday, July 31, 2013 3:27:19 PM UTC-7, perezbox wrote: > > That's Great Jb, when do you think that will be coming out? > > Interested to hear how it went. > > Tony > > O

Re: [ossec-list] Sub folder exclusion and symlinks question

2013-08-02 Thread Jb Cheng
2) Does OSSEC syscheck follow symlinks? In my /etc directory I have a symlink: lrwxrwxrwx 1 root root15 Aug 27 2010 rc.sysinit -> rc.d/rc.sysinit* In OSSEC syscheck DB I see two entries with the same HASH value: 168:+++27476:33261:0:0:1fb34a90a4c6b5ce98a9b21c655a171c:db56fd8d437ea9606

[ossec-list] Re: Limit level of alerts that generate email

2013-07-30 Thread Jb Cheng
See http://www.ossec.net/doc/manual/output/standard-email-output.html for the correct config. 10 On Monday, July 22, 2013 5:14:00 AM UTC-7, Macaulay Dias Souza wrote: > > Is possible can limit the level of alert to my email? I want to receive > alerts only above 6 > > > I addict

[ossec-list] Re: OSSEC CON material?

2013-07-30 Thread Jb Cheng
We are writing a blog and together with the presentation materials will be posted on ossec.net. Stay tuned... On Sunday, July 28, 2013 3:17:10 AM UTC-7, Xme wrote: > > Hi List, > > Is the OSSEC CON material published somewhere? > (from last Thursday) > > /x > > -- > My server is com

[ossec-list] Re: ossec-dbd not shut down with 2.7.1-beta-1

2013-07-02 Thread Jb Cheng
"os_dbd/main.c" line 257 should write the .pid file 257 if(CreatePID(ARGV0, getpid()) < 0) The daemon should write a log of the following format in ossec.log when starting: "%s: INFO: Started (pid: %d). If there was an error connecting to DB, the ossec-dbd will not function properly.

Re: [ossec-list] OSSEC Over Nat

2013-06-28 Thread Jb Cheng
You will also need to check ossec.log on the server to see if it received the agent's message. Perhaps it is easier to create a VPN tunnel between OSSEC Agents and OSSEC Server. On Tuesday, June 25, 2013 1:44:02 PM UTC-7, Erik Karnafel wrote: > > Dan, > I do have udp/1514 port forwarded to my

[ossec-list] Re: OSSEC and DeepSec

2013-06-28 Thread Jb Cheng
Not sure why you want to do that. It seems redundant to me. Deep Security provides a superset of what OSSEC provides. On Wednesday, June 26, 2013 7:17:24 AM UTC-7, Mike wrote: > > Anyone know of any issues installing OSSEC on a system with a Deep > Security agent? > > MikeD.

[ossec-list] Re: OSSEC WUI global search not working

2013-06-28 Thread Jb Cheng
WUI 0.3 had some issues. We fixed all known issues and made WUI 0.8 Beta ( http://www.ossec.net/?page_id=19 ). Try it! On Tuesday, June 25, 2013 4:44:15 PM UTC-7, jingu...@gmail.com wrote: > > Gives me Forbidden error: > > "You don't have permission to access /main/ on this server". Nothing s

[ossec-list] Re: Timeline for 2.7.1

2013-06-25 Thread Jb Cheng
Friday, June 21, 2013 2:33:00 PM UTC-7, Jb Cheng wrote: > > 2.7.1 is still in Alpha. > Beta is expected within a week. > > On Tuesday, June 4, 2013 6:22:56 AM UTC-7, carlopmart wrote: >> >> Hi all, >> >> Any idea when will be relased?? In the next days

[ossec-list] Re: GeoIP Support errors in config

2013-06-24 Thread Jb Cheng
1) The GeoLiteCity*.dat files should be placed under ${OSSEC_HOME}/etc, e.g., /var/ossec/etc/. In ossec.conf, it is specified as relative to /var/ossec/. 2) Your error message seems to indicate the GEOIP code was not compiled in. See http://www.ossec.net/files/ossec-hids-2.7-release-note.t

Re: [ossec-list] change to decode.xml (courier rule)

2013-06-21 Thread Jb Cheng
How about this patch? --- a/etc/decoder.xml Thu May 23 14:47:45 2013 -0700 +++ b/etc/decoder.xml Fri Jun 21 14:46:37 2013 -0700 @@ -464,7 +464,7 @@ proftpd - ^\S+ \(\S+[(\S+)]\) + ^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[:::(\S+)]\) srcip @@ -728,7 +728,7 @@ courier - , ip=[(\
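Review bot: in the proftpd hunk the original pattern is kept unchanged as the first alternative, so existing matches are unaffected; the new second alternative differs only by the literal ':::' before the captured address, so a sample proftpd log line containing that prefix should be added to the description so the srcip capture can be checked against real input. The courier hunk is cut off in this excerpt and cannot be reviewed from it.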

[ossec-list] Re: Timeline for 2.7.1

2013-06-21 Thread Jb Cheng
2.7.1 is still in Alpha. Beta is expected within a week. On Tuesday, June 4, 2013 6:22:56 AM UTC-7, carlopmart wrote: > > Hi all, > > Any idea when will be released?? In the next days I need to install > some servers and I would like to know if it will be released soon. > > Thanks. > --

[ossec-list] Re: rootcheck error

2013-06-21 Thread Jb Cheng
Rootkit configuration allows for several types of checking: "f", "r", "p", "d" , which mean FILE, REGISTRY, PROCESS, DIRECTORY. Pasting your modified rootcheck file may help solving the issue you encountered. On Tuesday, June 18, 2013 8:22:51 AM UTC-7, Janelle wrote: > > Hello -- > > I'm new

[ossec-list] Re: ossec-csyslogd dies on status query

2013-05-23 Thread Jb Cheng
les . fstat-debug.patch is how i debugged this > issue . csyslogd-crash-fix.patch has the actual fix. > > Hope this helps > > Sethu > > > On Friday, 17 May 2013 21:19:38 UTC-4, Jb Cheng wrote: >> >> csyslogd crashed when trying to read alerts.log file, at the line

[ossec-list] Re: "Splunk" format in OSSEC 2.7 ?

2013-05-21 Thread Jb Cheng
I checked http://www.ossec.net/?p=402, it does not say you need the following line in ossec.conf: splunk Perhaps "Splunk for OSSEC" app accepts the default syslog output format, which is syslog. On Tuesday, May 21, 2013 12:58:37 PM UTC-7, Xme wrote: > > Hi *, > > I'm using OSSEC with Sp

[ossec-list] Re: 2.7 signature file?

2013-05-20 Thread Jb Cheng
You did not miss it. 2.7 release did not come with GPG signature file because I was new to the OSSEC release process and I did not provide it. For now, there is only checksum for basic integrity checking of the 2.7 package on ossec.net web site. On Sunday, May 19, 2013 11:30:23 AM UTC-7, David

[ossec-list] Re: Issue with timestamp on rsyslogd format

2013-05-17 Thread Jb Cheng
t; application. > > On Tuesday, 7 May 2013 08:50:00 UTC+10, Jb Cheng wrote: >> >> Either use 'July 04' format, or add an extra space after 'July ' and it >> can be decoded correctly. >> - - - >> Jul 4 09:42:16 enigma sshd[11990]: Accept

[ossec-list] Re: ossec-csyslogd dies on status query

2013-05-17 Thread Jb Cheng
entify the alerts.log file lines when this happened, it may be useful. Also, which XML tag was causing it? On Saturday, May 11, 2013 8:32:55 AM UTC-7, Xme wrote: > > Hi Jb, > > FYI, I'm working on a patch for OSSEC and it makes my csyslogd crashing > too! > It coredumps he

[ossec-list] Re: Issue with timestamp on rsyslogd format

2013-05-06 Thread Jb Cheng
Either use 'July 04' format, or add an extra space after 'July ' and it can be decoded correctly. - - - Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2 On Thursday, May 2, 2013 7:14:19 PM UTC-7, Giovanni P wrote: > > Hi all, > > I am using "O

[ossec-list] Re: question with /var/ossec/queue/diff

2013-05-06 Thread Jb Cheng
The queue/diff//535/ directory is used for rule ID 535 as shown in etc/rules/ossec-rules.xml. For Unix-like systems, syscheck daemon uses the output of 'last -n 5' to detect changes in logged-in users. Windows systems use a different mechanism for this so you don't see them under /diff/. I do

[ossec-list] OSSEC 2.7.1 Alpha test

2013-04-26 Thread Jb Cheng
OSSEC 2.7.1 Alpha-1 build is available for download at http://www.ossec.net/?page_id=19 This is mostly a bug fix minor release and we plan to enter Beta within a week. Thank you for your help! --JB Cheng Trend Micro, Inc

[ossec-list] Re: ossec-csyslogd dies on status query

2013-04-17 Thread Jb Cheng
Dominique, Could you try 2.7.1 Alpha build from http://www.ossec.net/?page_id=19 and see if the issue is still there? On Tuesday, April 9, 2013 12:00:23 PM UTC-7, Dominique Derrier wrote: > > Hi all, > On a fresh Install I've got : > > ./ossec-csyslogd -D /var/ossec -f > 2013/04/09 14:57:07 oss

[ossec-list] Re: HP-UX syscheck not reporting diff of file changes

2013-04-17 Thread Jb Cheng
For debugging, check the /var/ossec/queue/diff/ directory for subdirectories corresponding to the file pathnames that were changed. Look for last-entry which should be a copy of the file at the time of running syscheck. Compare this one with the 'real' file and see if they are different. On T

[ossec-list] Re: Custom predecoder

2013-04-05 Thread Jb Cheng
You may need to modify src/analysisd/cleanevent.c, which skips certain prefixes with known format. On Monday, April 1, 2013 6:33:48 AM UTC-7, Андрей Шевченко wrote: > > Hi all. > > I am using srlog2 to transport logs to the central server and the problem > is that srlog adds tai64nlocal timestamp

Re: [ossec-list] Re: OSSEC Active Response

2013-04-04 Thread Jb Cheng
t; > Has the ar.conf file been populated on the agent? > > > > > On Wed, Apr 3, 2013 at 10:28 PM, Jb Cheng > > wrote: > >> > >> agent_control -L checks the content of the file shared/ar.conf. > >> What is the content of this file on your

[ossec-list] Re: OSSEC Active Response

2013-04-03 Thread Jb Cheng
agent_control -L checks the content of the file shared/ar.conf. What is the content of this file on your OSSEC server? On Wednesday, April 3, 2013 4:58:40 PM UTC-7, MDG wrote: > > Hello, > > I am trying to get Active Response working and having a bit of > difficulty. I have followed the instruc

[ossec-list] Re: No .sig file for Latest Stable Unix/Linux Version 2.7

2013-04-03 Thread Jb Cheng
Yes, I was responsible for not getting the 2.7 package properly signed, due to my lack of experience using 'gpg' tool on Linux. Still learning this stuff... On Wednesday, April 3, 2013 4:22:49 PM UTC-7, iangr...@gmail.com wrote: > > Hey, just wanted to let someone know there is no .sig file for

Re: [ossec-list] Agents are disconnected and the Maximun agent setting keeps reverting back to ‘254’

2013-04-03 Thread Jb Cheng
If you have customized ossec.conf, it is a good idea to back it up and restore it afterwards. On Wednesday, April 3, 2013 12:51:33 PM UTC-7, T. Case wrote: > > Hi Jb > Wanted to follow-up and close loop. We are back up and running. I > backed-up all the ossec config, keys

[ossec-list] Re: aix 6.1 install failure

2013-03-22 Thread Jb Cheng
Found a related link: http://osdir.com/ml/ossec-list/2009-10/msg00041.html (thanks to Daniel Cid). It seems to be a bug in gcc that can't compile some AIX headers. The suggestion was to use the "xlc" compiler instead of gcc. OSSEC compiled fine with AIX 5.2 and 5.3. On Friday, March

[ossec-list] Re: Agents are disconnected and the Maximun agent setting keeps reverting back to ‘254’

2013-03-21 Thread Jb Cheng
How many entries are in your /etc/client.keys file? What is the largest agent ID in that file? What is the content of your ossec-hids/src/Config.OS file with the line MAX_AGENTS after you ran 2.7 install.sh? Did you restart ossec-remoted between the following two points in time? 2013/03/21

[ossec-list] Re: What does it mean "/var/ossec/stats" directory

2013-03-20 Thread Jb Cheng
Files under /var/ossec/stats/ show the average number of alerts by the hour for one day, and average number of alerts by the day for one week, plus historical total counts. They give a snapshot of how your system is doing, and can trigger alerts if suddenly the numbers differ too much from his

[ossec-list] Re: Forwarding Old Syslogs to SPLUNK

2013-03-15 Thread Jb Cheng
One way to do this is to use another syslog client that can read from an input file and forward the content to your syslog server. I have done this using syslog4j (https://sites.google.com/site/syslog4j/) in the past. Once you have the syslog4j-.jar file downloaded, a command similar to the

Re: [ossec-list] Host Intrusion Detection Functionality

2013-03-11 Thread Jb Cheng
Extracted from the book "OSSEC HIDS - Host-Based Intrusion Detection Guide" by Andrew Hay/Daniel Cid/ page 8-9 comparing HIDS vs. NIDS: " An HIDS detects events on a server or workstation and can generate alerts similar to an NIDS. An HIDS, however, is able to inspect the full communications stre

[ossec-list] Re: History of OSSEC project

2013-03-11 Thread Jb Cheng
Check Wikipedia OSSEC entry for a quick summary. Also this blog: http://ossec-notebook.blogspot.com/2012/04/so-you-want-to-know-about-ossec.html On Sunday, March 10, 2013 4:40:19 PM UTC-7, Debbie C wrote: > > Can anyone point me in the right direction to learn about the history of > the OSSEC

Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-11 Thread Jb Cheng
A direct link to the dev repos has been added to ossec.net Download page -- http://www.ossec.net/?page_id=19 On Friday, March 8, 2013 11:34:33 AM UTC-8, Jb Cheng wrote: > > This is JB Cheng from Trend Micro and I provided OSSEC 2.7 release on > ossec.net web site. > > I will ad

Re: [ossec-list] Re: Seeking assistance with agent install.

2013-03-08 Thread Jb Cheng
This is JB Cheng from Trend Micro and I provided OSSEC 2.7 release on ossec.net web site. I will add a direct link on the Download page to the development repository, currently hosted at https://bitbucket.org/jbcheng/ossec-hids. On Friday, March 8, 2013 5:29:32 AM UTC-8, dan (ddpbsd) wrote

Re: [ossec-list] Custom Rules

2013-03-08 Thread Jb Cheng
I tested the ignore local rule by modifying "rules/local_rules.xml" The following works as expected -- no more alerts matching rule id 5715 and srcIP 10.2.3.4 5715 10.2.3.4 Example of rule that will ignore sshd failed logins from IP 10.2.3.4. However, if I remove the line

Re: [ossec-list] syscheck on agent - space? Missing something?

2013-03-07 Thread Jb Cheng
'syscheck_control -u ' deletes the syscheck history database file for this agent on the OSSEC server. It's a way to reduce unwanted alerts, say, after the agent machine was patched. It does not delete anything on the agent machine. On Tuesday, March 5, 2013 3:50:10 PM UTC-8, dan (ddpbsd) wrote: > >

Re: [ossec-list] Re: Alert.log format issue with "mail - firewall" and rule group delimiting.

2013-03-06 Thread Jb Cheng
rules/rules_config.xml does not have the comma in all the lines starting with > Make sure any "firewall," in > /var/ossec/rules/*_rules.xml actually have the comma.

Re: [ossec-list] Seeking assistance with agent install.

2013-03-06 Thread Jb Cheng
The default is 1514 for the OSSEC client to talk to OSSEC manager. The should have been populated when you ran install.sh on the agent, unless there was a problem. On Wednesday, March 6, 2013 12:07:35 PM UTC-8, kody abney wrote: > > Hi Dan, yes I have resolved this issue. I indeed just

[ossec-list] Re: How to uninstall Ossec from 2.7 on mac mountain lion

2013-02-28 Thread Jb Cheng
You can uninstall OSSEC by removing all files and directories under /var/ossec/. On Wednesday, February 27, 2013 5:55:18 PM UTC-8, SDR wrote: > > Hello I'm trying to reinstall the application. However, I would like to > uninstall the application first because I keep getting these errors > > sh-

Re: [ossec-list] disable netstat check OSSEC 2.6

2013-02-27 Thread Jb Cheng
In 2.7, rootcheck port check can be turned off through configuration: no ... See details in http://www.ossec.net/files/ossec-hids-2.7-release-note.txt. === Rootcheck == support rootcheck fine-grain configuration control -- yes/no of individual checks

[ossec-list] Re: alerts.log to database

2013-02-27 Thread Jb Cheng
Take a look at the contributed PERL script --- ossec-hids/contrib/ossec2mysql.pl. It may be able to achieve what you are trying to accomplish. On Tuesday, February 26, 2013 11:15:50 PM UTC-8, Alejandro wrote: > > Hi, > > I'm logging information to mysql. > > I had a problem one day with databa

Re: [ossec-list] ossec-csyslogd dies on status query

2013-02-20 Thread Jb Cheng
I was able to recreate the issue on Ubuntu. Using 'gdb' it showed ossec-csyslogd crashed at line 59: merror("%s: INFO: File queue connected.", ARGV0 ); This is kind of strange because I did not see it happening in CentOS before the release of 2.7. Anyway, I have a workaround that you can

[ossec-list] Re: A standard procedure for manually starting rootcheck and syscheck

2013-02-13 Thread Jb Cheng
Does the administrator know the agent name? If yes, "agent_control -l" can list all agent names and their associated IDs. You can use 'grep' and 'cut' to get the agent ID. On Wednesday, February 13, 2013 6:13:25 AM UTC-8, TWAD wrote: > > Hey There, > > I find myself in a situation where all hos

[ossec-list] Re: sonic wall decoder problem

2013-02-11 Thread Jb Cheng
Your SonicWall log "time="2013-02-07 12:23:05 UTC" contains three words for the time stamp (extra "UTC" at the end), but the decoder "time=\S+ \S+" matches two words only. Try changing it to "time=\S+ \S+ \S+". On Saturday, February 9, 2013 11:01:07 PM UTC-8, Shaun wrote: > > Hello eve

Re: [ossec-list] OSSEC-WUI SrcIP parsing question

2013-02-06 Thread Jb Cheng
Thanks to Ryan Schulze's contribution, also Darius Jahandarie, ddpbsd, and Vic Hargrave. I started integrating several WUI patches into a BitBucket repository: https://bitbucket.org/jbcheng/ossec-wui/. (1) Updated logo, remove paypal button, wider display format, easier to read events output.

[ossec-list] Re: UTC time

2013-02-04 Thread Jb Cheng
The /etc/localtime file should have been copied during installation by the script "src/InstallServer.sh". 214 ls /etc/localtime > /dev/null 2>&1 215 if [ $? = 0 ]; then 216 cp -pL /etc/localtime ${DIR}/etc/; 217 chmod 440 ${DIR}/etc/localtime 218 chown root:${GROUP} ${DIR}/etc/localt

[ossec-list] Re: ossec-agent: INFO: Event count after '20000'

2013-02-01 Thread Jb Cheng
: > > Hi! > Of course it is indeed the only reasonable way to solve this issue, but > please let me know, where to start from. > Thanx. > Y. > > On Thursday, December 20, 2012 22:58:52 UTC+1, user Jb Cheng > wrote: > >> The 2 came from etc/int

Re: [ossec-list] Re: Trying to install on Solaris 10

2013-02-01 Thread Jb Cheng
Could you post the content of Config.OS after you run 'make all'? On Thursday, January 31, 2013 10:43:32 AM UTC-8, brownwrap wrote: > > Well, actually it is on a secured net, so I can't give you access. > > On Thu, Jan 31, 2013 at 11:39 AM, dan (ddp) > > wrote: > >> On Thu, Jan 31, 2013 at 1:34

Re: [ossec-list] Re: file permissions incorrect on ar.conf

2013-01-25 Thread Jb Cheng
Make sure it compiles and works as expected. On Thursday, January 24, 2013 7:33:16 AM UTC-8, dan (ddpbsd) wrote: > > On Wed, Jan 23, 2013 at 10:35 PM, Jb Cheng > > wrote: > > Thank you Aaron, for the update. > > If all installations set the ownership of ar.conf to root:root,

[ossec-list] Re: file permissions incorrect on ar.conf

2013-01-23 Thread Jb Cheng
Thank you Aaron, for the update. If all installations set the ownership of ar.conf to root:root, we have a bug to fix. Any volunteer to try? On Wednesday, January 23, 2013 7:10:20 AM UTC-8, ab wrote: > > Just thought I would provide an update. My testing has shown that new > server or local
