, 2019 at 8:59 AM Nate >
> wrote:
> >
> > Looking at the syslog packets I see the Cisco ASA only uses local
> facility codes but my Palo Alto uses User facility codes:
> >
> > 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, fl
EDT fw1 : %ASA-4-106023: Deny udp src
outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group
"outside_access_in" [0x0, 0x0]\0x0a
I can't change the ASA to be anything other than local facility.
On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
>
:03 PM Nate >
> wrote:
> >
> > Hi,
> >
> > I've never seen this before but I setup our ASA 5516 to send syslog
> events to our OSSEC server to detect SHUN events.
> >
> > ossec.conf
> >
> >syslog
> >
Hi,
I've never seen this before but I setup our ASA 5516 to send syslog events
to our OSSEC server to detect SHUN events.
*ossec.conf*
syslog
10.10.2.2
514
0
9
*local_rules.xml*
4100
ASA-4-73310\d|ASA-4-40100\d
ASA Shun event
but
Hi,
My ossec-dbd process keeps crashing after a few days and I wanted to know
how I can go about getting more information out as to why it's happening
because the OSSEC logs are sparse (just info entries of the services
starting up each time):
[U@secserv etc]# service ossec status
and once you get a feel for the regex implementation in OSSEC, you'll have
> this done in an afternoon. It looks like you have three levels (INFO,
> WARN, ERROR). Should be easy enough to create alerts on and all the rest...
> On Friday, May 24, 2019 at 7:59:38 AM UTC-7,
Hi Everyone -
Does anyone have a custom decoder for Atlassian products or can point me in
the correct path to properly identify them?
Here is a sample of what I am dealing with:
Bamboo
019-05-23 12:56:11,870 WARN [scheduler_Worker-3] [RemoteAgentManagerImpl]
Remote agent
I just wanted to reply to this thread since it was related to the issues I
ran into upgrading from OSSEC 2.4 to 3.2 (yep, I know) - I did a search for
all files in analogi with SELECT then filtered by "data." and replaced
"data." with "alert." (including that period).
From the analogi root:
Couldn't pass be used to monitor the frequency of files accessed or
rewritten on a share via the logs generated from those operations? It
might not be foolproof, but if the log shows a single account accessing
several files faster than a human might be able to, it could alert, or even
block.
We currently have samba file servers, which of course log access and
whatnot to the samba logs.
I'm curious if I might be able to leverage ossec as a means to detect if a
system is attempting to lock up one of our shares due to a ransomware
infection.
I could picture a rule that either detected
Ah yes, a stupid move on my part. That did the trick! I appreciate the help
and quick responses.
On Wednesday, September 24, 2014 4:47:43 PM UTC-4, dan (ddpbsd) wrote:
On Sep 24, 2014 4:46 PM, Nate G nate@gmail.com wrote:
OSSEC server is running version 2.7.1
when a logon request fails. It is
generated on the computer where access was attempted.
Much appreciated,
Nate
OSSEC server is running version 2.7.1
On Wednesday, September 24, 2014 2:00:32 PM UTC-4, dan (ddpbsd) wrote:
On Wed, Sep 24, 2014 at 11:53 AM, Nate G nate@gmail.com wrote:
Hey!,
I have OSSEC (2.7, 2.8) agents sending Windows logs to an OSSEC server.
All
the windows
that, they are
identical.
I really don't know what's wrong here; this should be working. Everything I've
checked appears to check out.
On Wednesday, August 8, 2012 9:58:30 PM UTC-4, Nate wrote:
The IP is correct
no NAT. The agent is a VM running on a KVM host, getting its network from
a bridge
one of my agents... Unrelated?
Coincidence?
I think ossec has it in for me.
On Thursday, August 9, 2012 8:54:17 AM UTC-4, Nate wrote:
OK, now I'm seeing another error, which still leads me to believe there's
a key problem on the systems.
Checksum mismatch on message from agent ip
I
I've found a number of references to this error message, none of them seem
to be helping me though.
I've recently set up an OSSEC manager with four agents: OSSEC 2.6, Fedora
15 on the manager, and the four agents are all CentOS 6.
I added all of the agents by generating keys, restarting
:
On Wed, Aug 8, 2012 at 2:53 PM, Nate yjn...@gmail.com wrote:
I've found a number of references to this error message, none of them
seem
to be helping me though.
I've recently set up an OSSEC manager with four agents: OSSEC 2.6,
Fedora 15
on the manager, and the four
You don't necessarily need a sub-decoder to do that. You can just write
a subordinate rule that matches on the failure code string in the event.
Decoders are only needed when you want to extract a specific part of the
log and match it up with a specific tag for correlation purposes.
Help
is not triggering. Why?
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Sanders, Nate
Sent: Friday, May 18, 2012 11:21 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Re: OSSEC large scale deployment
You don't necessarily
@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Sanders, Nate
Sent: Friday, May 18, 2012 2:42 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Re: OSSEC large scale deployment
Thinking about it, I tried this in local_rules.xml
rule id=14 level=5
if_sid18105/if_sid
By what method are you doing configuration management, agent deployment, and
are you deployed to windows servers?
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of MDACC-Luckie
Sent: Monday, May 14, 2012 7:37 AM
To: ossec-list
Nate:
We are split 50/50 between Windows and Red Hat. I wrote some crude
scripts to push the installation media along with the preconfigured
ossec.conf files for each O/S out to each of our 600 boxes. Although
there are numerous ways I have seen (on the Linux side especially) to
do an automated
;
* f:%HOMEPATH%\Documents\nates_test.txt;
None of the above produced a match in alerts.log.
Only when I specify an exact path (\Users\nsanders\Documents\nates_test.txt) do
I get a match
* logs/alerts/alerts.log:279618:Windows Malware: Nate TEST. File:
C:\Users\nsanders\Documents
have
taken much log activity in that time to make OSSEC miss the tampering.
Is there any way to decrease this delay?
-Original Message-
From: Nate Woodward
Sent: Monday, March 28, 2011 2:31 PM
To: ossec-list
Subject: RE: [ossec-list] Deletion of log data
Yeah, I found that info
Have you tested whether this rule works? I can't get it to function
correctly.
-Original Message-
From: Lars Oberg [mailto:larsoberg...@gmail.com]
Sent: Friday, March 25, 2011 8:12 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Alerts on log file modified, but
not
On 3/28/2011 7:16 AM, Nate Woodward wrote:
Have you tested whether this rule works? I can't get it to function
correctly.
-Original Message-
From: Lars Oberg [mailto:larsoberg...@gmail.com]
Sent: Friday, March 25, 2011 8:12 PM
To: ossec-list@googlegroups.com
Subject: Re
of log data
vim typically saves the file to a new inode. In this instance
OSSEC generally detects that the log file was rotated, and
may re-check all of the log messages in the log file.
On Fri, Mar 4, 2011 at 11:08 AM, Nate Woodward
nate.woodw...@the-connection.com wrote:
Hi,
I'm
Dan,
-Original Message-
From: dan (ddp) [mailto:ddp...@gmail.com]
Sent: Monday, March 07, 2011 10:35 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Decoder/Rules Problem
Hi Nate,
On Mon, Mar 7, 2011 at 10:49 AM, Nate Woodward
nate.woodw...@the-connection.com
: Nate Woodward nate.woodw...@the-connection.com
Sender: ossec-list@googlegroups.com
Date: Fri, 4 Mar 2011 10:08:51
To: ossec-listossec-list@googlegroups.com
Reply-To: ossec-list@googlegroups.com
Subject: [ossec-list] Deletion of log data
Hi,
I'm trying to get OSSEC to detect data
it was the
/etc/group file)...syscheck fired a lvl 7 alert like 2 min
later...it detected a modified file...haven't tried a reduced
logfile yet.
Also, can you tell me what log file you used?
I tried both maillog and messages.
On Mon, 2011-03-07 at 13:31 -0600, Nate Woodward wrote
Maybe something like...
<rule id="100201" level="2">
  <if_sid>503</if_sid>
  <regex>Agent started: '\S+-10.1.1.\d+'</regex>
  <options>no_email_alert</options>
  <description>No email alerts when workstations start up.</description>
</rule>
_
From: Lars Oberg [mailto:larsoberg...@gmail.com]
Sent:
include the rules above, or do those rules only trigger when
syscheck is run (at which time the log would have grown bigger than what
it was before, despite my deletions)?
How can I ensure log file integrity?
-Nate
Hello,
Quick question: Can you specify multiple system_audit files in the
rootcheck section of ossec.conf/agent.conf, or is only one allowed?
I'd like to use the method described at
http://www.ossec.net/wiki/Know_How:GranularEmail to send Windows-related
messages to one group of people and linux-related messages to another
group. I see that there's a 'windows' group already, so that I can just
put this in ossec.conf:
email_alerts
Dan,
-Original Message-
From: dan (ddp) [mailto:ddp...@gmail.com]
Sent: Wednesday, March 02, 2011 2:11 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Linux group?
Hi Nate,
On Wed, Mar 2, 2011 at 12:45 PM, Nate Woodward
nate.woodw...@the-connection.com wrote
Looks to me like your original rule (with id_sid=5402) is only matching
when the user executes sudo from the /opt/splunk/etc/apps/ossec/bin
directory. Maybe try removing the match part?
-Original Message-
From: satish patel [mailto:satish...@gmail.com]
Sent: Wednesday, March 02,
PM, Nate Woodward
nate.woodw...@the-connection.com wrote:
Looks to me like your original rule (with id_sid=5402) is only
matching when the user executes sudo from the
/opt/splunk/etc/apps/ossec/bin directory. Maybe try
removing the match part?
-Original Message-
From
is, and uses lsof to report any 'hidden' ports.
This should more or less be the same as what OSSEC does.
regards,
-Nate
-Original Message-
From: Sebel, Gary M. [mailto:se...@nytimes.com]
Sent: Wednesday, February 16, 2011 2:15 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec
Hi,
I just started using OSSEC a few days ago, and Google isn't helping me
on this. I'm trying to exclude a list of files from OSSEC's syschecks,
and I'm running into problems with both the regex engine and variables.
The documentation at http://www.ossec.net/wiki/Know_How:Regex_Readme
says
Hi Dan,
-Original Message-
From: dan (ddp) [mailto:ddp...@gmail.com]
Sent: Wednesday, February 02, 2011 4:37 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Protecting OSSEC variables
Hi Nate,
On Wed, Feb 2, 2011 at 5:22 PM, Nate Woodward
nate.woodw
dcid - why is there moderation on this list? Is this something TM imposed on
you?
Nate Schmoll
m...@nateschmoll.com
253-987-NATE
On Mar 25, 2010, at 11:16 AM, Iñaki R. wrote:
Hi,
OSSEC maintains an internal database with the number of events per agent,
and if an agent exceeds that number
will show up in an rpm -qa, and VMware will see them in a vm-support package.
They may refuse to provide support to you.
Nate Schmoll
UNIX Group, Concur
n...@concur.com
(253) 987-NATE
On Nov 18, 2009, at 11:04 AM, Robertson, James wrote:
You need to install gcc, autoconf and automake to build