The auth/authd source code is included in 2.7, but there is no pre-built
Windows binary that contains the 'auth' client yet.
You can be the first to build/test it on Windows.
On Tuesday, October 2, 2012 7:31:37 AM UTC-7, Michael Barrett wrote:
>
>
> Is there a plan to offer this on the Windows
There was a patch in 2.7-beta that may meet your requirement.
Please invoke 'ossec-authd' with ' -i' argument.
It was designed to write the ossec-auth agent IP address in the server
client.keys files (instead of ANY).
Please test to see if it works for you and report back.
Thanks!
On Tuesday,
Could you compare the information in /var/ossec/queue/agent-info/ with the
reported agent status to see if both are in error?
On Wednesday, October 3, 2012 6:31:25 AM UTC-7, PAL wrote:
>
> After some issue in the network, the ossec client lost connection to the server. A
> message "Agent disconnected" was
Check the timestamps of the files under /var/ossec/queue/agent-info/.
Each active agent should have its corresponding file touched with a new
timestamp periodically.
I believe it's every 10 minutes.
If an agent file's timestamp has not been updated for a long time, it is
declared 'inactive'.
I
Do you already have 1024 entries in the client.keys file?
If yes, it is the hard-coded limit for 'manage_agent'. See
src/validate.c OS_AddNewAgent().
IDs higher than 1024 are reserved for 'ossec-authd' to use.
If you have not reached 1024 entries, do you have a lot of gaps in agent
IDs?
'm
Is this reproducible? Steps to reproduce it will be very helpful.
Are you using the default rootcheck _rcl.txt files (under
/var/ossec/etc/shared/)? Any customization?
On Monday, October 15, 2012 8:26:51 AM UTC-7, PAL wrote:
>
> After update to version 2.7 beta2 my ossec-syscheckd on my servers
Sorry for my ignorance!
What is the purpose of '..' in the URL
'/sample-folder/news/global-report..?page=91'?
Rule 31104 tries to catch directory traversal.
Would it be still effective to remove the final '|..|' from the following
line?
%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|
Thank you, PAL!
This has been fixed
in https://bitbucket.org/jbcheng/ossec-hids/get/tip.tar.gz.
On Friday, October 19, 2012 3:36:51 AM UTC-7, PAL wrote:
>
>
> A patch was made, now syscheckd works fine
>
> > After update to version 2.7 beta2 my ossec-syscheckd on my servers
> crashed with coredump.
Daniel fixed this before the release of 2.7-beta0; he decided not to store
keepalives in archive.log.
On Friday, October 19, 2012 10:30:22 AM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, Oct 19, 2012 at 1:28 PM, Courtney Grimland
> > wrote:
> > I found an old thread from Dec 2010 about a bug where the
I am not aware there is a timer to reset after a file is modified the 3rd
time.
You can look at syscheck database files under /var/ossec/queue/syscheck/
directory.
The first three characters of each line show how many times a file has been
changed.
"+++" means unchanged, while "!!!" means it h
Your compilation flag is correct: -DGEOIP -lGeoIP
Your libGeoIP.a file under /usr/local/lib looks right.
You are on the right track, but I am not sure why your linker did not look
under /usr/local/lib/ for the lib file.
On Thursday, October 25, 2012 2:56:55 PM UTC-7, James Whittington wrote:
First, find out what log entries were created when an USB is plugged into
the remote computer.
Then, make OSSEC monitor the particular log entries.
On Wednesday, October 31, 2012 6:37:02 AM UTC-7, Tho Trinh Truong wrote:
>
> Who can help me? Thanks so much!
Thank you, I integrated your patch to src/Makefile
to https://bitbucket.org/jbcheng/ossec-hids/
On Wednesday, October 31, 2012 8:46:33 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Oct 31, 2012 at 11:26 AM, dan (ddp) >
> wrote:
> > On Wed, Oct 31, 2012 at 11:15 AM, James Whittington
> > > wrote:
Wikipedia says:
"Celerra runs on a real-time operating system called Data Access in Real
Time (DART).
DART OS is a modified UNIX kernel with additional functionality added to
operate as a file server."
a) You can try to pre-compile and install OSSEC Agent on your NAS device.
If the inst
The OSSEC allowed fields are listed at the beginning of the file
etc/decoder.xml. In your case, 'dstport' is correct.
For the extra fields in the raw log which you want to skip (ipproto=
ipdatalen= ...), you need to count them out using something like the
following:
^[\d\d\d\d-\d\d-\d\d \d\d:\d\
This is strange --- AIX works OK, but Linux does not.
I would like to reproduce the issue on Linux. Could you post the relevant
ossec.conf section here?
On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote:
>
> It's worth noting that this is only occurring in our Linux environment.
Following dcid's suggestion on ossec-dev, the strnlen() functions have been
changed to strlen() when it is safe to do so.
You can get the latest source from
https://bitbucket.org/jbcheng/ossec-hids/get/default.tar.gz
>
How many agents were configured on this server?
Were the agents running version 2.6?
Are you using agent-auth?
Does your etc/client.keys show agent IP addresses, or ANY in place of
aaa.bbb.ccc.ddd?
On Tuesday, November 20, 2012 8:09:00 AM UTC-8, Francisco Jelves wrote:
>
> After running OSS
From dcid's patch posted by dan on ossec-dev, change install.sh line 372:
-if [[ "X${USER_AGENT_SERVER_IP}" = "X" && "X${USER_AGENT_SERVER_NAME}"
= "X" ]]; then
+if [ "X${USER_AGENT_SERVER_IP}" = "X" -a "X${USER_AGENT_SERVER_NAME}"
= "X" ]; then
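Review bot: the replacement drops the bash-only `[[ ... && ... ]]` so the test also runs under a plain POSIX /bin/sh, which is the point of the fix; note that the binary `-a` operator of `test` is marked obsolescent in POSIX, so the fully portable spelling is `if [ "X${USER_AGENT_SERVER_IP}" = "X" ] && [ "X${USER_AGENT_SERVER_NAME}" = "X" ]; then`. Either form works on the shells in use here, but the `&&` form avoids the ambiguity `-a` has when an operand starts with `-`.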
On Thursday, November 22, 2012 7:54:19
> > #
>> >
>> > agent.conf, linux:
>> >
>> >
>> >
>> > 86400
>> > yes
>> > 03:00
>> > false
>> >
>> >
>> > /etc,/usr/bin,/usr/s
Read http://www.ossec.net/doc/ for the OSSEC features available.
On Thursday, December 6, 2012 4:43:22 AM UTC-8, Sai wrote:
>
> *Hi All,*
>
> I am new to OSSEC, have deployed the agent and central manager in one of
> the virtual machines.
> I am getting the mails for alert level 3,7.
> Can you p
What operating system did you install OSSEC Hybrid mode on?
On Wednesday, December 5, 2012 2:27:08 AM UTC-8, peng lin wrote:
>
> 1 can't restart windows agent in server
>
> AR should be enabled on all agents for the remote restart feature to work
>
> what is AR ? Is that a file in /var/ossec/e
Do you mean using 'manage_agents -f' to bulk generate client keys?
Which file would you include in the RPM package? Notice that the content
in client.keys file is different from the extracted keys by running
'manage_agents -e '.
If you package the right file in an RPM package and deliver it t
On OSSEC server, you can run reportd by feeding alerts.log to it. For
example,
# cd /var/ossec
# bin/ossec-reportd < logs/alerts/alerts.log
On Wednesday, December 5, 2012 6:39:49 PM UTC-8, peng lin wrote:
>
> I see ossec has a report function.
> If I want to use this function, I should config it in
The 2 came from etc/internal_options.conf
# Remoted compression averages printout.
remoted.comp_average_printout=1
When event count > 1, it will log the message, and reset the event
count to 0. The % means the compression ratio.
This log message is harmless.
What you should
Stop OSSEC, run each ossec daemon separately to see which one causes
Segmentation fault.
In some cases, adding missing configuration in ossec.conf can resolve the
issue.
On Monday, December 17, 2012 1:39:46 PM UTC-8, carrie p wrote:
>
> I’m getting segmentation faults across all of my agents whe
Did you add 0.0.0.0 to the routing table on purpose, or was it added by
some program?
What kind of issue did you have that's related to OSSEC?
On Wednesday, December 19, 2012 9:30:00 AM UTC-8, Truongy wrote:
>
> Has anyone experienced an issue where IP 0.0.0.0 was added to the routing
> table? Any
First step, find log samples for the events you are interested in alerting,
then start working on decoders...
On Tuesday, December 18, 2012 10:03:19 AM UTC-8, OSSEC junkie wrote:
>
> Is there an easy way to just fire an alert off when any event is recorded
> into the event viewer from a certain
Thanks for providing "bash install.sh" as a workaround.
Alternatively, try changing line 372 to:
if [ "X${USER_AGENT_SERVER_IP}" = "X" -a "X${USER_AGENT_SERVER_NAME}" =
"X" ]; then
On Wednesday, December 19, 2012 5:03:07 PM UTC-8, migue...@gmail.com wrote:
>
> Hi,
>
> I'm installing ossec 2.7
The ar.conf file is overwritten every time when ossec-analysisd starts. See
src/analysisd/active-response.c AR_ReadConfig().
OSSEC 2.7 tightened the file permission from 444 to 440 at line 59 of
active-response.c, which was intentional.
59 chmod(DEFAULTARPATH, 0440);
The owner:group of
Take a look at "src/os_maild/maild.c", OS_Run(), after line 387. You may be
able to insert a space or a line after each message by modifying the source
code.
387 /* Receive message from queue */
388 if((msg = OS_RecvMailQ(fileq, p, mail, &msg_sms)) != NULL)
389
Notice the difference where OSSEC thinks the log starts --- the initial IP
address "111.22.111.111 " was stripped in case (a):
>log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200
20 "somereferrer" "somebrowser
>No decoder matched.
The full log was preserved in case
Found the root cause at "analysisd/cleanevent.c".
If you have an IP address which happens to meet the conditional statement,
the first 14 characters of the log will be stripped (and cause "No decoder
matched").
You can modify the following code so there won't be false positives:
489 /* Chec
Try the attached patch which modifies analysisd/cleanevent.c and report
back. Thanks!
On Friday, January 11, 2013 2:04:05 PM UTC-8, Jb Cheng wrote:
>
> Found the root cause at "analysisd/cleanevent.c".
> If you have an IP address which happens to meet the conditional stateme
Which UDP ports were blocked by Windows Firewall?
On Saturday, December 22, 2012 11:51:32 AM UTC-8, Beau wrote:
>
> Hi, I hope this is a simple "yes that's how it's supposed to be" answer.
>
> I have had OSSEC 2.6 running on about 9 PCs for over a year, that
> auto-reboot every night. Every ti
Which versions of OSSEC were running on the server and on agents?
On Monday, January 14, 2013 4:51:38 PM UTC-8, Tony Trummer wrote:
>
> Just to add to the numerous "agent disconnection" issues reported with
> OSSEC.
>
> I have approximately 250 Centos agents that speak to a server and all have
tried it out on or test servers, and then bumped it to our live servers.
> No problems, no side affects. Looks good :-)
>
>
>
> On 1/11/2013 4:18 PM, Jb Cheng wrote:
>
> Try the attached patch which modifies analysisd/cleanevent.c and report
> back. Thanks!
>
> On Fri
On the agent machine in question, what is the content of the
queue/ossec/.agent_info file? This is the agent name.
The agent name is used to match against the regular expression in the
'name' attribute of
On Thursday, January 10, 2013 6:09:56 AM UTC-8, pvradu wrote:
>
> Hi,
>
> I have a sha
BP9906:
Thank you for sharing.
It's good to know 2.7 does not have the same memory issue.
On Tuesday, January 8, 2013 9:11:03 AM UTC-8, BP9906 wrote:
>
> I updated to OSSEC 2.7 and it resolved the issue.
>
> On Sunday, January 6, 2013 7:06:47 AM UTC-8, BP9906 wrote:
>>
>> Hello,
>> I'm running
In system_audit_rcl.txt, the following line was there since 2007 and is
still the same in OSSEC 2.7.
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
Is there one specific folder that you encountered the issue?
On Friday, January 18, 2013 7:37:57 A
The file under queue/syscheck has size 0. This is not normal.
-rw-r--r--. 1 ossec ossec 0 Jan 21 13:26 (rosie) 192.168.56.55->syscheck-registry
A typical Windows agent with syscheck enabled should have many entries in
this file.
What is the size of another syscheck file: (rosie) 192.168.56
Try a decoder with English first, for example, MICROSOFT_
AUTHENTICATION_PACKAGE_V1.
After you get it working, then add new things one at a time.
On Monday, January 21, 2013 10:36:27 PM UTC-8, root wrote:
>
> hi,all
>
> I write a decoder like this
>
>
>
> Security-Auditing-failure
>
Thank you Aaron, for the update.
If all installations set the ownership of ar.conf to root:root, we have a
bug to fix.
Any volunteer to try?
On Wednesday, January 23, 2013 7:10:20 AM UTC-8, ab wrote:
>
> Just thought I would provide an update. My testing has shown that new
> server or local
ake sure it
compiles and works as expected.
On Thursday, January 24, 2013 7:33:16 AM UTC-8, dan (ddpbsd) wrote:
>
> On Wed, Jan 23, 2013 at 10:35 PM, Jb Cheng >
> wrote:
> > Thank you Aaron, for the update.
> > If all installations set the ownership of ar.conf to root:root,
Could you post the content of Config.OS after you run 'make all'?
On Thursday, January 31, 2013 10:43:32 AM UTC-8, brownwrap wrote:
>
> Well, actually it is on a secured net, so I can't give you access.
>
> On Thu, Jan 31, 2013 at 11:39 AM, dan (ddp)
> > wrote:
>
>> On Thu, Jan 31, 2013 at 1:34
:
>
> Hi!
> Of course it is indeed the only reasonable way to solve this issue, but
> please let me know, where to start from.
> Thanx.
> Y.
>
> On Thursday, 20 December 2012 22:58:52 UTC+1, user Jb Cheng
> wrote:
>
>> The 2 came from etc/int
The /etc/localtime file should have been copied during installation by the
script "src/InstallServer.sh".
ls /etc/localtime > /dev/null 2>&1
if [ $? = 0 ]; then
cp -pL /etc/localtime ${DIR}/etc/;
chmod 440 ${DIR}/etc/localtime
chown root:${GROUP} ${DIR}/etc/localt
Thanks to Ryan Schulze's contribution, also Darius Jahandarie, ddpbsd, and
Vic Hargrave.
I started integrating several WUI patches into a BitBucket
repository: https://bitbucket.org/jbcheng/ossec-wui/.
(1) Updated logo, remove paypal button, wider display format, easier to
read events output.
Your SonicWall log
"time="2013-02-07 12:23:05 UTC" contains three words for the time stamp
(extra "UTC" at the end), but the decoder
"time=\S+ \S+" matches two words only.
Try changing it to "time=\S+ \S+ \S+"
On Saturday, February 9, 2013 11:01:07 PM UTC-8, Shaun wrote:
>
> Hello eve
Does the administrator know the agent name?
If yes, "agent_control -l" can list all agent names and their associated
IDs. You can use 'grep' and 'cut' to get the agent ID.
On Wednesday, February 13, 2013 6:13:25 AM UTC-8, TWAD wrote:
>
> Hey There,
>
> I find myself in a situation where all hos
I was able to recreate the issue on Ubuntu.
Using 'gdb', it showed ossec-csyslogd crashed at line 59:
merror("%s: INFO: File queue connected.", ARGV0 );
This is kind of strange because I did not see it happening in CentOS before
the release of 2.7.
Anyway, I have a workaround that you can
Take a look at the contributed PERL script ---
ossec-hids/contrib/ossec2mysql.pl.
It may be able to achieve what you are trying to accomplish.
On Tuesday, February 26, 2013 11:15:50 PM UTC-8, Alejandro wrote:
>
> Hi,
>
> I'm logging information to mysql.
>
> I had a problem one day with databa
In 2.7, rootcheck port check can be turned off through configuration:
no
...
See details in http://www.ossec.net/files/ossec-hids-2.7-release-note.txt.
=== Rootcheck
== support rootcheck fine-grain configuration control -- yes/no of
individual checks
You can uninstall OSSEC by removing all files and directories
under /var/ossec/.
On Wednesday, February 27, 2013 5:55:18 PM UTC-8, SDR wrote:
>
> Hello, I'm trying to reinstall the application. However, I would like to
> uninstall the application first because I keep getting these errors
>
> sh-
The default is 1514 for the OSSEC client to talk to OSSEC
manager.
The should have been populated when you ran install.sh
on the agent, unless there was a problem.
On Wednesday, March 6, 2013 12:07:35 PM UTC-8, kody abney wrote:
>
> Hi Dan, yes I have resolved this issue. I indeed just
rules/rules_config.xml does not have the comma in all the lines starting
with
> Make sure any "firewall," in
> /var/ossec/rules/*_rules.xml actually have the comma.
>
>
'syscheck_control -u ' deletes the syscheck history database file
for this agent on the OSSEC server.
It's a way to reduce unwanted alerts, say, after the agent machine was
patched.
It does not delete anything on the agent machine.
On Tuesday, March 5, 2013 3:50:10 PM UTC-8, dan (ddpbsd) wrote:
>
>
I tested the ignore local rule by modifying "rules/local_rules.xml"
The following works as expected -- no more alerts matching rule id 5715 and
srcIP 10.2.3.4
5715
10.2.3.4
Example of rule that will ignore sshd
failed logins from IP 10.2.3.4.
However, if I remove the line
This is JB Cheng from Trend Micro and I provided OSSEC 2.7 release on
ossec.net web site.
I will add a direct link on the Download page to the development
repository, currently hosted at https://bitbucket.org/jbcheng/ossec-hids.
On Friday, March 8, 2013 5:29:32 AM UTC-8, dan (ddpbsd) wrote
A direct link to the dev repos has been added to ossec.net Download page --
http://www.ossec.net/?page_id=19
On Friday, March 8, 2013 11:34:33 AM UTC-8, Jb Cheng wrote:
>
> This is JB Cheng from Trend Micro and I provided OSSEC 2.7 release on
> ossec.net web site.
>
> I will ad
Check Wikipedia OSSEC entry for a quick summary.
Also this blog:
http://ossec-notebook.blogspot.com/2012/04/so-you-want-to-know-about-ossec.html
On Sunday, March 10, 2013 4:40:19 PM UTC-7, Debbie C wrote:
>
> Can anyone point me in the right direction to learn about the history of
> the OSSEC
Extracted from the book "OSSEC HIDS - Host-Based Intrusion Detection Guide"
by Andrew Hay/Daniel Cid/
page 8-9 comparing HIDS vs. NIDS:
"
An HIDS detects events on a server or workstation and can generate alerts
similar to an
NIDS. An HIDS, however, is able to inspect the full communications stre
One way to do this is to use another syslog client that can read from an
input file and forward the content to your syslog server.
I have done this using syslog4j (https://sites.google.com/site/syslog4j/)
in the past.
Once you have the syslog4j-.jar file downloaded, a command similar
to the
Files under /var/ossec/stats/ show the average number of alerts by the hour
for one day, and average number of alerts by the day for one week, plus
historical total counts.
They give a snapshot of how your system is doing, and can trigger alerts if
suddenly the numbers differ too much from his
How many entries are in your /etc/client.keys file?
What is the largest agent ID in that file?
What is the content of your ossec-hids/src/Config.OS file with the
line MAX_AGENTS after your ran 2.7 install.sh?
Did you restart ossec-remoted between the following two points in time?
2013/03/21
Found a related link:
http://osdir.com/ml/ossec-list/2009-10/msg00041.html (thanks to Daniel
Cid).
It seems to be a bug in gcc that can't compile some AIX headers.
The suggestion was to use the "xlc" compiler instead of gcc.
OSSEC was compiled fine with AIX 5.2 and 5.3.
On Friday, March
T. Case,
Thank you for following up. Good to know it's up and running for you.
2.7 does try to migrate existing 2.6 config files during 'update'
installation. The migration script is very simple; it assumes ossec.conf
file format is not very different from the default.
If you have custom
Yes, I was responsible for not getting the 2.7 package properly signed, due
to my lack of experience using 'gpg' tool on Linux. Still learning this
stuff...
On Wednesday, April 3, 2013 4:22:49 PM UTC-7, iangr...@gmail.com wrote:
>
> Hey, just wanted to let someone know there is no .sig file for
agent_control -L checks the content of the file shared/ar.conf.
What is the content of this file on your OSSEC server?
On Wednesday, April 3, 2013 4:58:40 PM UTC-7, MDG wrote:
>
> Hello,
>
> I am trying to get Active Response working and having a bit of
> difficulty. I have followed the instruc
t;
> Has the ar.conf file been populated on the agent?
>
> >
> > On Wed, Apr 3, 2013 at 10:28 PM, Jb Cheng >
> wrote:
> >>
> >> agent_control -L checks the content of the file shared/ar.conf.
> >> What is the content of this file on your
You may need to modify src/analysisd/cleanevent.c, which skips certain
prefixes with known format.
On Monday, April 1, 2013 6:33:48 AM UTC-7, Андрей Шевченко wrote:
>
> Hi all.
>
> I am using srlog2 to transport logs to the central server and the problem
> is that srlog adds tai64nlocal timestamp
For debugging, check the /var/ossec/queue/diff/ directory for
subdirectories corresponding to the file pathnames that were changed.
Look for last-entry which should be a copy of the file at the time of
running syscheck. Compare this one with the 'real' file and see if they are
different.
On T
Dominique,
Could you try the 2.7.1 Alpha build from http://www.ossec.net/?page_id=19 and
see if the issue is still there?
On Tuesday, April 9, 2013 12:00:23 PM UTC-7, Dominique Derrier wrote:
>
> Hi all,
> On a fresh install I've got:
>
> ./ossec-csyslogd -D /var/ossec -f
> 2013/04/09 14:57:07 oss
OSSEC 2.7.1 Alpha-1 build is available for download at
http://www.ossec.net/?page_id=19
This is mostly a bug fix minor release and we plan to enter Beta within a
week.
Thank you for your help! --JB Cheng
Trend Micro, Inc
The queue/diff//535/ directory is used for rule ID 535 as shown in
etc/rules/ossec-rules.xml.
For Unix-like systems, syscheck daemon uses the output of 'last -n 5' to
detect changes in logged-in users.
Windows systems use a different mechanism for this so you don't see them
under /diff/.
I do
Either use 'July 04' format, or add an extra space after 'July ' and it can
be decoded correctly.
- - -
Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from
192.168.2.10 port 35259 ssh2
On Thursday, May 2, 2013 7:14:19 PM UTC-7, Giovanni P wrote:
>
> Hi all,
>
> I am using "O
works like a charm
> (version 2.7)
>
> Note: Branch is 2.7 stable and csyslogd code was NOT patched!
>
> On Thursday, April 18, 2013 2:28:40 AM UTC+2, Jb Cheng wrote:
>>
>> Dominique,
>>
>> Could you try 2.7.1 Alpha build from http://www.ossec.net/?page_id=19 an
t; application.
>
> On Tuesday, 7 May 2013 08:50:00 UTC+10, Jb Cheng wrote:
>>
>> Either use 'July 04' format, or add an extra space after 'July ' and it
>> can be decoded correctly.
>> - - -
>> Jul 4 09:42:16 enigma sshd[11990]: Accept
You did not miss it.
2.7 release did not come with GPG signature file because I was new to the
OSSEC release process and I did not provide it.
For now, there is only checksum for basic integrity checking of the 2.7
package on ossec.net web site.
On Sunday, May 19, 2013 11:30:23 AM UTC-7, David
I checked http://www.ossec.net/?p=402, it does not say you need the
following line in ossec.conf:
splunk
Perhaps the "Splunk for OSSEC" app accepts the default syslog output format,
which is syslog.
On Tuesday, May 21, 2013 12:58:37 PM UTC-7, Xme wrote:
>
> Hi *,
>
> I'm using OSSEC with Sp
les . fstat-debug.patch is how i debugged this
> issue . csyslogd-crash-fix.patch has the actual fix.
>
> Hope this helps
>
> Sethu
>
>
> On Friday, 17 May 2013 21:19:38 UTC-4, Jb Cheng wrote:
>>
>> csyslogd crashed when trying to read alerts.log file, at the line
Rootkit configuration allows for several types of checking: "f", "r", "p",
"d", which mean FILE, REGISTRY, PROCESS, DIRECTORY.
Pasting your modified rootcheck file may help solve the issue you
encountered.
On Tuesday, June 18, 2013 8:22:51 AM UTC-7, Janelle wrote:
>
> Hello --
>
> I'm new
2.7.1 is still in Alpha.
Beta is expected within a week.
On Tuesday, June 4, 2013 6:22:56 AM UTC-7, carlopmart wrote:
>
> Hi all,
>
> Any idea when it will be released?? In the next days I need to install
> some servers and I would like to know if it will be released soon.
>
> Thanks.
>
How about this patch?
--- a/etc/decoder.xml Thu May 23 14:47:45 2013 -0700
+++ b/etc/decoder.xml Fri Jun 21 14:46:37 2013 -0700
@@ -464,7 +464,7 @@
proftpd
- ^\S+ \(\S+[(\S+)]\)
+ ^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[:::(\S+)]\)
srcip
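Review bot: the added alternative `^\S+ \(\S+[:::(\S+)]\)` keeps the capture group in the same position, so the `srcip` mapping that follows still refers to the bracketed value, but the patch carries no sample proftpd log line showing the `:::`-prefixed bracket form it is meant to match; include one (and one in the original `[(\S+)]` form) so the change can be checked against real output, and confirm that the `\S+` before the bracket cannot also consume the colons and leave an empty or partial `srcip`.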
@@ -728,7 +728,7 @@
courier
- , ip=[(\
1) The GeoLiteCity*.dat files should be placed under ${OSSEC_HOME}/etc, e.g.,
/var/ossec/etc/.
In ossec.conf, it is specified as relative to /var/ossec/.
2) Your error message seems to indicate the GEOIP code was not compiled in.
See http://www.ossec.net/files/ossec-hids-2.7-release-note.t
Friday, June 21, 2013 2:33:00 PM UTC-7, Jb Cheng wrote:
>
> 2.7.1 is still in Alpha.
> Beta is expected within a week.
>
> On Tuesday, June 4, 2013 6:22:56 AM UTC-7, carlopmart wrote:
>>
>> Hi all,
>>
>> Any idea when will be relased?? In the next days
WUI 0.3 had some issues.
We fixed all known issues and made WUI 0.8 Beta (
http://www.ossec.net/?page_id=19 ).
Try it!
On Tuesday, June 25, 2013 4:44:15 PM UTC-7, jingu...@gmail.com wrote:
>
> Gives me Forbidden error:
>
> "You don't have permission to access /main/ on this server". Nothing s
Not sure why you want to do that. It seems redundant to me.
Deep Security provides a superset of what OSSEC provides.
On Wednesday, June 26, 2013 7:17:24 AM UTC-7, Mike wrote:
>
> Anyone know of any issues installing OSSEC on a system with a Deep
> Security agent?
>
> MikeD.
>
You will also need to check ossec.log on the server to see if it received
the agent's message.
Perhaps it is easier to create a VPN tunnel between OSSEC Agents and OSSEC
Server.
On Tuesday, June 25, 2013 1:44:02 PM UTC-7, Erik Karnafel wrote:
>
> Dan,
> I do have udp/1514 port forwarded to my
"os_dbd/main.c" line 257 should write the .pid file
257 if(CreatePID(ARGV0, getpid()) < 0)
The daemon should write a log of the following format in ossec.log when
starting:
"%s: INFO: Started (pid: %d).
If there was an error connecting to DB, the ossec-dbd will not function
properly.
See http://www.ossec.net/doc/manual/output/standard-email-output.html for
the correct config.
10
On Monday, July 22, 2013 5:14:00 AM UTC-7, Macaulay Dias Souza wrote:
>
> Is it possible to limit the level of alerts sent to my email? I want to receive
> alerts only above 6
>
>
> I addict
We are writing a blog and together with the presentation materials will be
posted on ossec.net.
Stay tuned...
On Sunday, July 28, 2013 3:17:10 AM UTC-7, Xme wrote:
>
> Hi List,
>
> Is the OSSEC CON material published somewhere?
> (from last Thursday)
>
> /x
>
> --
> My server is com
2) Does OSSEC syscheck follow symlinks?
In my /etc directory I have a symlink:
lrwxrwxrwx 1 root root 15 Aug 27 2010 rc.sysinit -> rc.d/rc.sysinit*
In OSSEC syscheck DB I see two entries with the same HASH value:
168:+++27476:33261:0:0:1fb34a90a4c6b5ce98a9b21c655a171c:db56fd8d437ea9606
On Monday, July 29, 2013 11:25:19 PM UTC-7, Jb Cheng wrote:
>>
>> We are writing a blog and together with the presentation materials will
>> be posted on ossec.net.
>> Stay tuned...
>>
>> On Sunday, July 28, 2013 3:17:10 AM UTC-7, Xme wrote:
>>>
>>
I think ignore="7200" means after rule 531 is triggered for the first time,
it will not be triggered again for at least 7200 seconds.
This means at most you will get 531 alerts every 2 hours. The first alert
should not be delayed.
On Thursday, August 8, 2013 10:57:11 AM UTC-7, David Blanton
I was able to start OSSEC Agent on Windows Server 2012.
You may need to adjust the ossec.conf file in order to match the Win Server
2012 environment better.
On Monday, August 12, 2013 6:37:05 AM UTC-7, ab wrote:
>
> Hi all,
> Just a quick question on whether Windows Server 2012 (agent of course)
If you provide some sample logs and your custom decoders/rules, someone
might be able to reproduce the problem and help.
On Wednesday, August 21, 2013 6:20:10 AM UTC-7, Zhang Wei wrote:
>
> The OSSEC version is 2.7.1 beta1
>
> *The scenario is like below:*
> 1. I wrote the customized decoder XML
Indeed, the messages file shows:
Sep 24 16:35:58 testsvr kernel: ossec-remoted[21537]: segfault at
0061 rip 0042251f rsp 7fff0cbf5a20 error 4
This is not enough information for me to pin point the crash point in the
source code.
Any help in terms of reproduction steps will
Did you do the step 3 of the GeoIP procedure shown in 2.7-release-note?
- - -
Step 3. Compile OSSEC with GeoIP enabled, modify config
get ossec-hids-2.7.tar.gz
tar xzvf ossec-hids-2.7.tar.gz
cd ossec-hids-2.7
cd src
make setgeoip
cd ..
su
./install.sh
-- mo
Run the following command to see which agent(s) were not "Active". In
particular, look for the entry that says "Never connected".
ossec/bin/agent_control -l
On Thursday, September 26, 2013 10:48:22 AM UTC-7, BP9906 wrote:
>
> 2013/09/26 10:41:38 ossec-remoted(1403): ERROR: Incorrectly format