on the IIS logs.
James Whittington
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Wednesday, December 24, 2014 12:23
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: anyone know the status of the issue
ed URLs (simple queries)) triggers first even though I
would guess the lower rule number 31103 would be evaluated first.
- in my web_rules.xml file Rule 31108 is listed before Rule 31103 so logically
the positioning of the rules seems out of order (thus my questioning how rules
were evaluated
Ja
simple fix and not too far reaching into the core logic of how
alerts are decoded..
On Tuesday, December 23, 2014 2:24:39 PM UTC-8, James Whittington wrote:
>>What does ossec-logtest respond with on the sample below?
>>2014-12-12 21:00:55 W3SVC1 IIS8-5Server 1.2
BS(CHECKSUM(NewId()))%257%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''abortion%20pill%20prescription%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2BREPLACE(case%
out there in case anything new had happened
with it.
James Whittington
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Michael Starks
Sent: Saturday, December 13, 2014 11:50
To: ossec-list@googlegroups.com
Subject: Re: [ossec-li
eventchannel support so I
keep meaning to check that out.
I will have to check out dotDefender however…
James Whittington
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Nathaniel Bentzinger
Sent: Friday, December 12, 2014 16:45
To: ossec-list
-hids/pull/434
James Whittington
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more
est/manual/installation/installation-windows.html ) it is blank so you would need to give more guidance on how
to configure the OSSEC agent.
James Whittington
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Wednesday, Septembe
agent_control to restart the remote agent works and that
activity is picked up by my process monitor.
I am not quite sure where to go from here?
Any ideas out there?
James Whittington
-Original Message-----
From: James Whittington [mailto:james.whittington@gmail.com]
Sent: Friday, August 0
actually passed into
the AR script, WHOOPS guess I should have read the docs on creating customized
AR scripts
So I am going to alter my custom script to accept the expected arguments and
then see if things work.
James Whittington
-Original Message-
From: ossec-list@googlegroups.com
;m not sure where it came from
I tested my custom script which is perl based and expects an ip address as
input and it ran fine.
If UAC is causing the issue with AR script running then I wouldn't have
expected the restart-ossec.cmd to run.
James Whittington
-Original Message-
Fr
Okay thanks, I didn't see them in my inbox for this list but maybe that was
because there are no responses to them.
I forgot if google groups broadcast to all members or everyone but the
poster of the comment.
Anyway sorry to pester you with multiple emails.
James Whittington
-Ori
tions.
You would think a google group would not block an email from google gmail?
Anyhow we'll see if this message shows up or not.
James Whittington
er a restart
of the agent from the OSSEC server and that event does appear in a client
side active response log so it appears some communication is occurring.
Any ideas on how to troubleshoot why AR doesn't appear to be triggering?
Thanks,
James Whittington
ocal_decoder.xml
etc/decoder.xml
However I am pretty sure on our production instance we don't specifically
define local_decoder.xml so I think OSSEC must discover it if it's in the
"./ossec/etc" folder
Thanks again for the help.
James Whittington
On Wed, Jul 30, 2014 at 10:55 AM, dan
cents.
On Wed, Jul 30, 2014 at 11:40 AM, dan (ddp) wrote:
> On Wed, Jul 30, 2014 at 11:31 AM, James Whittington
> wrote:
> > Dan, thanks for taking a quick look at the log line.
> > I'll try to modify the iis6 decoder and see what happens then.
> > I have an OSSEC te
ilize OSSEC that they would share if there were a place for them to do so.
James Whittington
On Wed, Jul 30, 2014 at 11:00 AM, dan (ddp) wrote:
> On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) wrote:
> > On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
> > wrote:
> >>
k registration activity to a web service and trigger a
custom AR script if multiple registration attempts occur from the same
source ip.
If anyone would like to share their IIS decoders I would be most
appreciative; I don't know why OSSEC doesn't have a user contributed
exchange of decode
you may want to try an alternative
approach I used for testing.
You can leave the OSSEC agent running, but simply use a separate process to
pull IIS logs from Azure and append it line by line to the monitored local
file.
On Tuesday, March 4, 2014 6:58:16 AM UTC-8, James Whittington wrote:
How
applications we have
in the cloud.
Thanks,
James Whittington
asn't sure how OSSEC would react to that event either?
Thanks.
James Whittington
t viewer) I do see a reference to Channel
Microsoft-Windows-TaskScheduler/Operational .
So maybe I am asking if OSSEC can read Event Channels in Windows and if so
what would the syntax of that look like?
James Whittington
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@
t signal.
Can the OSSEC Windows Agent handle eventlogs listed under Applications and
Service Logs Area of the Windows Event Viewer?
If so would the log_format be eventlog ?
Thanks,
James Whittington
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Beh
bout using the agent.conf option to push config
files out to the remote agents it would seem allowing the use of an external
file for local customizations would make a lot of sense.
James Whittington
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf O
ct it into the correct place in the OSSEC config file.
James Whittington
james.whitting...@vc3.com
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Devon J. Greene
Sent: Monday, August 26, 2013 11:35 PM
To: ossec-list@googlegroup
the main config file.
I am hoping I just missed this option as it sounds like something that could
be in the agent.conf file and pushed out to multiple servers.
James Whittington
Host Intrusion
Detection was needed I would be looking toward a Windows based HID; I'm pretty
sure McAfee makes one.
James Whittington
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of René Kåbis
Sent: Wednesday, March 20, 2013 3:18 PM
To: ossec-list
run ossec-makelists to rebuild the lists, does
that require a manual restart of ossec-analysisd?
Thanks,
James Whittington
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Tuesday, February 19, 2013 9:55 AM
To: ossec-l
[enabled by
default]
ar cru alerts.a mail.o log.o exec.o getloglocation.o
ranlib alerts.a
If I have time I may just try building on another server to see if I can
reproduce the condition or hopefully just get the binaries (with geoip
support) built.
James Whittington
ere? Anyone else working with ossec beta + geoip + Ubuntu out
there??
James Whittington
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Jb Cheng
Sent: Monday, October 29, 2012 7:30 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: Having Issues
-rwxr-xr-x 1 root root 71255 Oct 22 13:14 libGeoIPUpdate.so.0.0.0
Has anyone else had or worked around these issues ? I would really like to
get the geoip stuff working..
Thanks..
James Whittington
Thanks to everyone for the advice on testing eventlog rules.
Unfortunately my ossec server is in the EC2 Amazon Cloud right now and they are
having major issues in the Northeast US datacenter :<(..
Thank goodness my production stuff is elsewhere :<)..
James Whittington
-Original M
event
in windows?
Thanks,
James Whittington
will go ahead and make the jump to the
beta.
I have some linux based systems but much of my web services stuff is windows
2008, 2008 r2 and now Windows 2012.
So if I am going to spend time tuning I guess I should start from the latest
code.
James Whittington
-Original Message-
From: ossec
pe 10|Type: 10|Logon Type: 10
Remote access login failure.
authentication_failed,
18107
Type 10|Type: 10|Logon Type: 10
Remote access login success.
authentication_success,
James Whittington
From: ossec-list@googlegroups.com [mailto:ossec-l
P's in
the local_rules.xml file on the OSSEC server?
Currently OSSEC is generating a good bit of noise but I am also now blocking
attacks I previously didn't know about so I am determined to tune it as I
learn how to better use it.
James Whittington