block should look more like:
  <active-response>
    <command>mailtest</command>
    <location>defined-agent</location>
    <agent_id>349</agent_id>
    <rules_id>5712</rules_id>
  </active-response>
Again, forgive me if you already got past this, but that is the way I
understand the Active Response documentation from the book.
JM
(iptables)
# Last modified: Feb 14, 2006
[trim]
ACTION=$1
USER=$2
IP=$3
[trim]
# Checking for an IP
if [ x${IP} = x ]; then
  echo "$0: <action> <username> <ip>"
  exit 1;
fi
Is it just me, or am I missing something somewhere else?
Thanks.
JM
/ls), your
machine has been compromised and can no longer be trusted.
JM
On 07/14/2010, Bob Sauvage bob.sauv...@gmx.fr wrote:
Hello everybody!
I just have an alert from OSSEC about an integrity check on some bin files.
But when I do an ls -l, the modification date is very old (2009).
When I do
If I remember correctly, it was only for the 3.x version of Splunk,
and hasn't yet been ported to the latest version - though I haven't
checked recently.
JM
On 12/31/2009, Dave S dsty...@comcast.net wrote:
I've also been testing Splunk these past few days. I read on the
OSSEC web site
http
On Tue, Jun 23, 2009 at 05:40, Raghu GS ragh...@gmail.com wrote:
You can configure OSSEC-HIDS to add all the events to database.
On Jun 20, 11:15 pm, JM ubahm...@gmail.com wrote:
I'm looking for some advice on methods used to document local rules or
rule changes in your environment.
Do you
I'm looking for some advice on methods used to document local rules or
rule changes in your environment.
Do you just use a spreadsheet? Or do you check the config files into
an SVN, git, or CVS repository? How do you track authorized changes
(if at all)?
Thanks.
JM
. By including both hashes, it provides
greater assurance that the file has or hasn't changed.
I would consider it current day best practices to include both hashes
for any file verification methods.
JM
,
--
Daniel B. Cid
That would be a great option.
As a workaround, couldn't you add a static host route to the OSSEC
server IP on the client machine?
I don't have the environment to test that theory, but it works in my head! :-)
JM
be configured to *not* use the name when logging with
the command:
no names
It still keeps the names in the config and allows you to see them in
the PDM/ASDM if that's what you use to configure the device. It
simply tells the FW to use the IP when logging.
JM
On 9/30/07, Daniel Cid [EMAIL PROTECTED] wrote:
Hi JM,
I think you are confusing it a bit. The logformat in the localfile
configuration is only used to tell ossec how to read the logs, not
anything else. In fact, the apache, squid, syslog fields act the same
in there (all one entry per