Re: [ossec-list] Re: windows AR not working

2022-06-09 Thread Annie s
Hi, I was able to generate wrong password events after editing the audit policies of windows. log all option is enabled Alert for wrong password is generated in the manager at /var/ossec/logs/alerts/alerts.log Rule:18130 (level 5)-> 'Windows: Logon Failure - Unknown user or bad password.' User:

Re: [ossec-list] Re: windows AR not working

2022-06-05 Thread Annie s
Hi, I enabled execd.debug = 2. In ossec logs *Read 0 lines from active-response\active-response.log, *these logs are seen several times. Also I checked */var/ossec/logs/alerts/alerts.log *file, basic logs for windows are getting generated but logs for wrong password events are not generated. On Mo

Re: [ossec-list] Re: windows AR not working

2022-05-22 Thread Annie s
Hi Manuel, In my use case, CentOS is the manager. I have only one Wazuh agent, i.e. my Windows machine; it is my victim. I have another Windows machine as the attacker. I am trying to RDP to the machine with wrong password attempts. So in that case AR should get generated along with scrip field , but i

[ossec-list] windows AR not working

2022-05-01 Thread Annie s
Hi all, This is my active response configuration on centos server: win_nullroute route-null.cmd srcip yes no win_nullroute all 5 60 I have enabled AR on windows agent, but it is not executed when an event of level>=5 is fired. I am using wazuh 3.1

Re: [ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

2021-02-22 Thread Natassia S
I don't know about stopping it completely but you can slow it substantially by using progressively larger penalty times for repeat offenders. Natassia On Fri, Sep 25, 2020 at 12:41 AM lê danh wrote: > oh i did it and it works great, it can block me before i get my password, > thank you so much

[ossec-list] Level 10 - High amount of POST requests in a small period of time (likely bot)

2020-11-22 Thread Andrew S
We are getting a false alert: Received From: domain->/var/log/nginx/access.log Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)." Src IP: 95.145.175.32 Portion of the log(s): 95.145.175.32 - - [22/Nov/2020:14:20:47 +]

Re: [ossec-list] Re: Unknown Alert

2020-11-21 Thread Andrew S
or loading the rules: 'local_rules.xml'. On Saturday, 21 November 2020 at 13:23:36 UTC Andrew S wrote: > after looking at the error log it says: > > 2020/11/21 13:15:49 ossec-analysisd: Duplicate rule ID:1009 > > 2020/11/21 13:15:49 ossec-testrule(1220): ERROR: Error loading t

Re: [ossec-list] Re: Unknown Alert

2020-11-21 Thread Andrew S
t 13:17:20 UTC Andrew S wrote: > Killing ossec-monitord .. > > Killing ossec-logcollector .. > > Killing ossec-syscheckd .. > > Killing ossec-analysisd .. > > Killing ossec-maild .. > > Killing ossec-execd .. > > OSSEC HIDS v2.8 Stopped > > Star

Re: [ossec-list] Re: Unknown Alert

2020-11-21 Thread Andrew S
Wednesday, 18 November 2020 at 08:39:19 UTC Brian Candler wrote: > And what does the configuration error message say? > > On Tuesday, 17 November 2020 at 17:10:45 UTC Andrew S wrote: > >> Actually I have tried to add the rule you have highlighted: >> >> >>

Re: [ossec-list] Re: Unknown Alert

2020-11-17 Thread Andrew S
t Wozny wrote: > > > > ACK! Sorry! Didn't see you'd already replied, Dan... > > > > What he said. :) > > > > Scott > > > > > > On Mon, Nov 16, 2020, 10:10 dan (ddp) wrote: > >> > >> On Mon, Nov 16, 2020 at 7:27 AM An

Re: [ossec-list] Re: Unknown Alert

2020-11-16 Thread Andrew S
0, 10:10 dan (ddp) wrote: > >> On Mon, Nov 16, 2020 at 7:27 AM Andrew S wrote: >> > >> > Hi Brian, >> > >> > Thank you for the clarification but I don't understand why someone >> would associate our website with dailymail.co.uk ? >>

[ossec-list] Re: Unknown Alert

2020-11-16 Thread Andrew S
rule to catch them, e.g. > > https://github.com/ossec/ossec-rules/blob/master/rules.d/00-crs-syslog_rules.xml#L69-L74 > > On Sunday, 15 November 2020 at 14:11:37 UTC Andrew S wrote: > >> We keep receiving these notifications from OSSEC. Our site has nothing to >> do with daily

[ossec-list] Unknown Alert

2020-11-15 Thread Andrew S
We keep receiving these notifications from OSSEC. Our site has nothing to do with dailymail. Is this worrying or is this a false alert? Received From: server->/var/log/nginx/access.log Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s)

[ossec-list] Re: Anyone knows how to install OSSEC agent in the ubuntu server 20.04?

2020-06-08 Thread Arnau b s
On Sunday, 7 June 2020 17:06:45 UTC+2, Arnau b s wrote: > > Does anyone know how to install the OSSEC agent on Ubuntu Server 20.04? > In the end, we don't use an Ubuntu 18.04 deb package. We use: apt install libz-dev libssl-dev libpcre2-dev libevent-dev build-essenti

[ossec-list] Anyone knows how to install OSSEC agent in the ubuntu server 20.04?

2020-06-07 Thread Arnau b s
Does anyone know how to install the OSSEC agent on Ubuntu Server 20.04? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.

[ossec-list] Regular expressions

2019-12-20 Thread Diego S
Hi all! I was wondering about the best way to represent a digit within a range, and whether it is possible to indicate that a digit is going to be repeated a given number of times. For example, a digit between 0 and 3, I mean 0, 1, 2 or 3; that's the first question. For the second part, for example the

Re: [ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread Natassia S
ec 11, 2019 at 7:29 AM Natassia S wrote: > Correction, I just noticed that you used the -c option and got the same > error as you did. I normally run sha256sum without any flags. > > Natassia > > On Wed, Dec 11, 2019 at 7:27 AM Natassia S wrote: > >> I'm not s

Re: [ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread Natassia S
I'm not sure why you got the error. I ran the sha256sum on the same file on a CentOS 8 box, got the same checksum and no errors. I'm guessing that you already tried downloading a fresh copy? Natassia On Wed, Dec 11, 2019 at 3:14 AM karthik s wrote: > Hello Team, > > When

Re: [ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread Natassia S
Correction, I just noticed that you used the -c option and got the same error as you did. I normally run sha256sum without any flags. Natassia On Wed, Dec 11, 2019 at 7:27 AM Natassia S wrote: > I'm not sure why you got the error. I ran the sha256sum on the same file > on a CentOS

[ossec-list] no properly formatted SHA256 checksum lines found

2019-12-11 Thread karthik s
Hello Team, When I try to run the command below, I'm getting this error. Could someone help me ASAP. ubuntu@ip-x-x-x-x:~$ cat ossec-hids-2.8.3.tar.gz.sha256 SHA256 (ossec-hids-2.8.3.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd ubuntu@ip-x-x-x-x:~$ sha256sum -c ossec-h

Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-02 Thread Natassia S
Yeah, I got rid of the copy that I made. I was able to install 2.8.3 on my new CentOS 8 machine. :) Natassia On Mon, Dec 2, 2019 at 1:27 PM dan (ddp) wrote: > > > On Mon, Dec 2, 2019 at 3:56 PM Natassia S wrote: > >> Everything came out of 3.3.0.tar.gz >> >> I

Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-02 Thread Natassia S
Everything came out of 3.3.0.tar.gz I compared the contents and the same directory for 2.8.3 also has no pcre2 but it has a Makefile. On a whim I put a copy of the 2.8.3 Makefile in the 3.3.0 folder and got the same error. Natassia On Mon, Dec 2, 2019 at 12:33 PM dan (ddp) wrote: > > > On Mon

[ossec-list] SIEM is not displaying my alert

2019-10-21 Thread Diego S
Hi everyone! I'm not getting the alerts generated on the server reflected on the SIEM dashboard. I followed these steps to take data from the logs of an agent. https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm I'm getting the alert

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
ocade-format > ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d > \(\S+\), [\S+], \S+, \S+, (\.+)/\S+/(\.+), > user,second > > Note that / , [ and ] characters are not escaped, and that the criteria > for extracting fields has been optimized. > > Although the issue was with the regul

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
Sorry, my bad Dan, thanks anyway, I have a starting point now. Regards! On Mon., 14 Oct. 2019 at 10:56, dan (ddp) () wrote: > On Mon, Oct 14, 2019 at 9:54 AM Diego S wrote: > > > > Hi! > > > > I tried with an updated version and I'm still getting the same error

Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
I'm using version 2.0. I'm not able to find the syntax error. Thanks! On Fri., 11 Oct. 2019 at 14:51, dan (ddp) () wrote: > On Fri, Oct 11, 2019 at 1:41 PM Diego S wrote: > > > > Thank you very much for your response. > > Let me know if I am wrong. The deco

Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Thank you very much for your response. Let me know if I am wrong. The decoder will be like this: ^\d+\s\w\w\w\w\w, Brocade-format ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+), user,second squid ^\d+ \S+ ^\d+ (\S+) (\w+)/(\d+) \d+ \w

[ossec-list] Custom Decoder

2019-10-11 Thread Diego S
discriminate the one I need from the rest. ^\d+\s\w\w\w\w . And here is where I'm trying to get the underlined red values at the beginning of the text, but I'm not sure: -The type of the log I have to use, or if it is necessary -The "order" value I have to use to take these both r

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-27 Thread Diego S
Javier, would you confirm whether this rule is working on Wazuh V2.0? Because when I tried to pass the rule from my laboratory (V3.9) to the wanted server (V2.0) it is not working. Thanks! On Thu., 19 Sept. 2019 at 15:55, Javier Castro () wrote: > No problem Diego, glad it is working for you. >

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-19 Thread Diego S
Oh man, you saved my day! It works perfectly for my scenario. I'm understanding how it works now. Thanks a lot Javier, and congrats for the product and the community you all have. On Thu., 19 Sept. 2019 at 15:00, Javier Castro () wrote: > Hi Diego, > the correct syntax would be: * restrict

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
Hello Javier! I have another problem. If I want to exclude a group of extensions, how would I do it? Because if I use */var/zimbra/ * this is not working. I guess it is because I'm using an OR comparator, or because of the way I'm using the expression. Any idea? Thanks again! Diego. On Wed., 18 Sept. 2019 at

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
Thanks a lot Javier, that option works perfectly! Regards, Diego On Wed., 18 Sept. 2019 at 11:35, Javier Castro () wrote: > Then you can try with restrict: > > */var/zimbra/* > > The folder you are monitoring will ignore files ending in .msg. You don't > need ignore for that. > Regards, >

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
But I need to force both conditions at the same time. I need to skip all the .msg files from /var/zimbra. If that is the case, is it ok to express */var/zimbra/.msg$ ?* Sorry if I didn't express it well enough. But my question is about how to express the directory before the extension and whether it is correct

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-16 Thread Diego S
Hello Javier! Thanks a lot for your answer, it was really helpful. I have another question if you don't mind. If I want to specify a previous path before the extension to exclude, like "/var/zimbra/.msg$", should I have to do something special? Or just put it like the example? */var/zimbra/.msg$* Tha

[ossec-list] Using rules by escaping certain file extensions.

2019-09-13 Thread Diego S
Hello everyone, First of all, sorry for my English. I'm having a problem when I try to use the "Ignore_type" parameter on syscheck to escape the ".msg" file extension. I'm on Wazuh v3.9.3 (CentOS 7). Agent: Ubuntu 18.04.3 LTS I have a rule set to detect possible credit card numbers in files in a cert

[ossec-list] Re: Detect USB Storage on Linux

2019-07-17 Thread sunitha s
rnel (given that that file is actually monitored on the > client systems), or do I need to 'hack' the decoder as well? > > I tried creating this in local_rules.xml: > > > iptables > kernel > ^usb \S* new > Unknown USB device attached > > > But

[ossec-list] OSSEC Agents are not Connecting to Different Network Segments

2019-07-17 Thread sunitha s
Hi All, I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC. I have installed OSSEC agents in the same network segment; the agents are connected and sending logs to the OSSEC server. I also installed agents in different network segments, all the configuration is done properl

Re: [ossec-list] "ossec-dbd: Database not configured.

2019-07-17 Thread sunitha s
Hi, Yes I enabled the Schema. On Thu, 18 Jul 2019 at 10:19, dan (ddp) wrote: > On Thu, Jul 18, 2019 at 12:43 AM sunitha s > wrote: > > > > Hi All, > >I am Trying to configure Database in OSSEC Server Version 3.1.0, For > that i enable /var/ossec/bin/ossec-co

[ossec-list] "ossec-dbd: Database not configured.

2019-07-17 Thread sunitha s
Hi All, I am trying to configure the database in OSSEC Server version 3.1.0. For that I enabled it with /var/ossec/bin/ossec-control enable database, but it is showing ossec-dbd not running, and when I run grep ossec-dbd /var/ossec/logs/ossec.log it shows the result "ossec-dbd: Database not conf

[ossec-list] Whitelisting vulnerability scanners for specific rules

2019-05-14 Thread Stephen S
I've been following the instructions from the below link to setup a whitelist for our vulnerability scanners. https://geekcabi.net/article/ossec-whitelisting/ So far, I have the following config in /var/ossec/lists/approved_scanner_list ipaddress1:scanner1 ipaddress2:scanner2 In /var/ossec/

[ossec-list] Agent disk space utilization

2019-03-03 Thread nivetha s
Hi all, I have an inquiry regarding disk space utilization. Is there any rule or method to get a disk space utilization alert or information in the OSSEC logs for the agents (e.g. a Windows agent)? As I came across the default rules in OSSEC, only the Ubuntu disk space notification i

[ossec-list] Agent disk space utilization

2019-03-03 Thread nivetha s
Hi all, I have an inquiry regarding disk space utilization. Is there any method or rule to get notified about the agents' disk space utilization (e.g. a Windows agent) in OSSEC? As I came across in OSSEC, only the Ubuntu (OSSEC) disk space can be viewed. So, can any o

Re: [ossec-list] Ossec agent logs to two ossec server's / sensors

2018-07-12 Thread Shaikh S.
Hello, Thank you so much Dan, I'll try this. Best Regards, Shaikh S. > > I've never done it, so this is mostly a guess: > > Create a second OSSEC manager. > Copy the client.keys file from the original manager to the new one. > Turn off the rids functionali

Re: [ossec-list] Ossec agent logs to two ossec server's / sensors

2018-07-09 Thread Shaikh S.
Hello Dan, Thanks for your reply!!! Can you please tell me how I can configure it for failover. Thanks !!! On Friday, July 6, 2018 at 5:41:43 PM UTC+5:30, dan (ddpbsd) wrote: > > On Fri, Jul 6, 2018 at 3:43 AM, Shaikh S. > wrote: > > Hello Folks, > > >

[ossec-list] Ossec agent logs to two ossec server's / sensors

2018-07-06 Thread Shaikh S.
ny help will be grateful. Thanks in advance !!! Regards, Shaikh S.

[ossec-list] Re: Disabling ossec use of netstat

2017-11-10 Thread Brandon S
at block and restart ossec. Assuming that > configuration is only managed on that server (i.e. you don't have Puppet or > some other configuration management tool handling it), that will stop Ossec > from running it. > > --Maarten > > On Thursday, November 9, 201

[ossec-list] Disabling ossec use of netstat

2017-11-09 Thread Brandon S
still see ossec agent running netstat when rootcheck is confirmed disabled. [root@server ~]# ps aux|grep netstat root 2771 0.0 0.0 106076 1292 ?S23:53 0:00 sh -c netstat -tulpen | sort root 2772 22.7 0.0 105400 1068 ?R23:53 0:03 netstat -tulpen root

[ossec-list] Re: Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
DUH! I wasn't running the command as SU! Feel really stupid right now :D On Friday, April 28, 2017 at 3:55:35 PM UTC-4, Nikki S wrote: > > No changes have been made to the configuration file! > > > # ./ossec-control restart > cat: /var/ossec/var/start-script-lock/pid: No

[ossec-list] Re: Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
tmpfs783M 0 783M 0% /run/user/1164 On Friday, April 28, 2017 at 3:55:35 PM UTC-4, Nikki S wrote: > > No changes have been made to the configuration file! > > > # ./ossec-control restart > cat: /var/ossec/var/start-script-lock/pid: No such file or directory

[ossec-list] Re: Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
2017/04/28 15:54:58 ossec-analysisd(1103): ERROR: Unable to open file 'queue/fts/fts-queue'. 2017/04/28 15:54:58 ossec-testrule(1260): ERROR: Error initiating FTS list On Friday, April 28, 2017 at 3:55:35 PM UTC-4, Nikki S wrote: > > No changes have been made to the co

[ossec-list] Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
No changes have been made to the configuration file! # ./ossec-control restart cat: /var/ossec/var/start-script-lock/pid: No such file or directory cat: /var/ossec/var/start-script-lock/pid: No such file or directory cat: /var/ossec/var/start-script-lock/pid: No such file or directory cat: /var/ossec

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread Nikki S
n agent > has its log monitoring turned on, even though the server doesn't do > anything with the logs. > > > I was wondering if clearing out the syscheck DB would help? > > > > I don't think so, but you can try it. > > > Thank you! > > &

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread Nikki S
OSSEC HIDS v2.8.3. 8 GB of RAM and 4 CPU cores VM. On Wednesday, April 26, 2017 at 10:23:02 PM UTC-4, Phil Porada wrote: > > What version of OSSEC are you running? What specs does the server node > have? >

[ossec-list] Re: Disable all rules for ossec server

2017-04-26 Thread Nikki S
Yes, you can disable all rules via OSSEC.conf. From the testing I did, the only rules that have to always remain enabled are OSSEC.rules, rules_config and local rules On Tuesday, April 25, 2017 at 11:25:57 AM UTC-4, Huc Manté Miras wrote: > > Hello, > > I try to disable all rules to ossec server

[ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread Nikki S
We have about 480 agents reporting to the OSSEC server. The remoted process is running constantly at 100% CPU utilization. Any suggestions on how to remediate this, please?

Re: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread B. S.
Kewl! Thank you! > Here is my solution if you are using active response and allow remote commands. Ah, but reading it, you also answer local installs! Thank you! So, just deleting files in /var/ossec/queue/diff/local/ won't befuddle ossec? What are the consequences / impact? Loss of change

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread B. S.
> To clear a syscheck db: > 1. stop the ossec processes on the server > 2. /var/ossec/bin/syscheck_control -u AGENT_ID > 3. Start the ossec processes on the server Thank you - "To clear a syscheck db" gave me the context needed to better understand syscheck_control --help. So: > 2. /var/ossec/

[ossec-list] How soon does an agent disconnect appear

2017-04-12 Thread Nikki S
How long does it take for the agent to appear as 'disconnected'? I read on another thread that the 'keep alive' needs to fail three times. I could not find where we set the frequency of the agent check in. Thank you!

Re: [ossec-list] Regular OSSEC vs OSSEC Wazuh

2017-02-01 Thread Pedro S
Hi, Philip, Wazuh still supports CEF format; it integrates all the functionality from OSSEC 2.8.3 and 2.9beta. I am pretty sure you will be able to integrate Wazuh with your current Graylog instance, the same way you can do it with OSSEC. Regarding the ruleset, the last version of the Wazuh rules is

[ossec-list] Re: System Integrity Check questions

2017-01-20 Thread Nikki S
Thank you Dan! On Wednesday, January 18, 2017 at 3:27:57 PM UTC-5, Nikki S wrote: > > Hi, > > I have a couple of questions regarding FIM/System Integrity check. I'm > hoping this would help others as well starting off with OSSEC. > >- When a new agent is instal

[ossec-list] Re: System Integrity Check questions

2017-01-18 Thread Nikki S
Also, to clarify auto_ignore is set to 'no' - no On Wednesday, January 18, 2017 at 3:27:57 PM UTC-5, Nikki S wrote: > > Hi, > > I have a couple of questions regarding FIM/System Integrity check. I'm > hoping this would help others as well starting off with OSSEC.

[ossec-list] System Integrity Check questions

2017-01-18 Thread Nikki S
Hi, I have a couple of questions regarding FIM/System Integrity check. I'm hoping this would help others as well starting off with OSSEC. - When a new agent is installed, does it run the system integrity check automatically? Or does the option need to be enabled? - I have kept the

[ossec-list] OSSEC.conf vs Agent.conf -- System Integrity check

2017-01-16 Thread Nikki S
I read through some of the posts already on the list regarding this topic but I would still like some clarification on this please. I have added all the system integrity options of 'include' and 'ignore' in OSSEC.conf. Do I need to replicate this to agent.conf as well? Thank you!

[ossec-list] Re: OSSEC agent limit modification after server install

2017-01-12 Thread Nikki S
The server was initially installed from the installation package so I guess I need to download the entire package with src and configure it again? On Thursday, January 12, 2017 at 3:22:50 PM UTC-5, Nikki S wrote: > > Is there a command that can be run to change the max agents per m

[ossec-list] Re: OSSEC agent limit modification after server install

2017-01-12 Thread Nikki S
Thank you Chris! On Thursday, January 12, 2017 at 3:22:50 PM UTC-5, Nikki S wrote: > > Is there a command that can be run to change the max agents per manager? > > The OSSEC server has already been installed so I cannot find a way to run > the following: > > *Can an OS

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-07 Thread Natassia S
port=22 dstportname=ssh dstname=FW action=pass > logtype="filter"#015' >hostname: '192.168.10.1' >program_name: '(null)' >log: 'id=firewall time="2016-12-02 14:37:41" fw="FW1" tz=+ > startime="2016-1

Re: [ossec-list] Selecting multiple, discrete weekdays

2016-11-18 Thread Natassia S
Yes that did it, thanks! :) Natassia On Fri, Nov 18, 2016 at 9:42 AM, Daniel Cid wrote: > It should work with spaces or commas: > > monday, tuesday, friday > > thanks, > > On Fri, Nov 18, 2016 at 1:24 PM, wrote: > >> Is it possible to select multiple, discrete days using the weekday >> functio

Re: [ossec-list] Failed md5 for: /etc/shared/merged.mg -- deleting.

2016-10-31 Thread S
I managed to resolve this issue in the end by removing OSSEC on the client and re-installing and then re-adding the key. I've no idea what happened but I'm guessing something got messed up. Thanks again for your support! On Monday, 31 October 2016 09:38:26 UTC, Pedro S wrote: > &

Re: [ossec-list] Failed md5 for: /etc/shared/merged.mg -- deleting.

2016-10-29 Thread S
gt; log message in the manager logs. > > Is there anything else I can try? > > On Wednesday, 26 October 2016 12:23:38 UTC+1, Pedro S wrote: >> >> Hi Sean, >> >> OSSEC compress the whole /var/ossec/etc/shared directory, including the >> agent.conf and push ever

[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts

2016-10-04 Thread Pedro S
Hi Jon, This is an interesting test, I think we can get a lot of useful information from here. In my experience the bottleneck is probably the remoted socket/buffer or the logcollector's speed in reading each log line. For remoted, try to enable debug mode at the agent, internal_options.conf

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-04 Thread Pedro S
ossec-authd is running and listening on the >> sensor? You could use >> >>>> >> >>>> >> >>>> netstat -pna | grep 1515 >> >>> >> >>> >> >>> The expected output will be similar to: >> >>

[ossec-list] Re: Agents not connecting, traffic visible in tcpdump

2016-08-02 Thread Pedro S
al) and remove duplicated entries, the agent will fail to connect if there is more than one entry with the same IP. Hope it helps, best regards, Pedro S. On Tuesday, August 2, 2016 at 2:08:14 PM UTC-7, Cal wrote: > > Hi all, > > Been debugging an issue for a few hours, thought I

[ossec-list] Re: Monitoring windows eventlog kibana

2016-06-17 Thread Pedro S
channel (these are OSSEC lists :D) Best regards, Pedro S. On Friday, June 17, 2016 at 9:19:03 AM UTC-7, sant...@gmail.com wrote: > > Hello. > I installed ossec-wazuh with kibana on a linux server > I want to monitor the windows eventlog from 2 active directory servers. > I have co

[ossec-list] Re: Quickest way to test an updated local_rules.xml

2016-06-02 Thread Pedro S
Hi Tahir, I don't think OSSEC has a tool to do that. The option you have is to remove the previous/old alerts files, remove the alerts.log file and restart OSSEC. Another possibility is to create an intermediate script to search for all the occurrences of the alerts and remove them from every past alerts

[ossec-list] Re: reindexing logs

2016-06-02 Thread Pedro S
Hi Maxim, How are you forwarding the alerts/archives to Kibana? I think you will need the archives JSON output setting, if you are using Wazuh , edit *ossec.conf *and add the following setting: > *yes* > Once you do it, you will find new archives.json events fil

Re: [ossec-list] Re: Duplicated counter

2016-05-18 Thread Pedro S
ing again OSSEC; if it does not work, try to grant permissions to the group "Administrators". Best regards, Pedro S. On Monday, May 16, 2016 at 2:07:57 PM UTC+2, Abdulvehhab Agin wrote: > > Hi Pedro, > > > My ossec.conf and internal_options.conf is attached. > > > I s

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Pedro S
tps://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L350>could be for example: Win source, Parent Image, Protocol, Signature, Start function... Best regards, Pedro S. On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote: > > Thanks Brent

Re: [ossec-list] Re: Duplicated counter

2016-05-13 Thread Pedro S
Just to be sure, the variable I was talking about is: # Verify msg id (set to 0 to disable it) > remoted.verify_msg_id=1 At /var/ossec/etc/internal_options.conf Best regards, Pedro S. On Friday, May 13, 2016 at 3:53:20 PM UTC+2, Pedro S wrote: > > Hi, > > I don't think

Re: [ossec-list] ossec category/group - syslog remote

2016-05-13 Thread Pedro S
; *"groups": [ "pam", "syslog", "authentication_success" > ],* > "level": 3, > "sidid": 5501 > }, > "timestamp": "2016 May 13 04:30:22" > } Kibana example: <https://lh3.goog

[ossec-list] Re: Duplicated counter

2016-05-12 Thread Pedro S
open file etc/internal_options.conf (Manager & Agent) and set verify_msg_id=0. Regards, Pedro S. On Wednesday, May 11, 2016 at 10:33:00 PM UTC+2, Abdulvehhab Agin wrote: > > Hi, > > > > Sometimes ossec server says *"ERROR: Duplicated counter for"* errors. &

[ossec-list] Re: Prerequisites Installation OSSEC

2016-04-26 Thread Pedro S
platform, Redhat/Debian. Maybe someone can bring us some light here, but those would be the requirements in my opinion! Best regards, Pedro S. On Tuesday, April 26, 2016 at 1:08:15 AM UTC+2, Adiel Navarro wrote: > > > > What are the hardware prerequisites to install OSSEC? >

[ossec-list] Re: UTF-8/16 support

2016-04-19 Thread Pedro S
Didn't hear about that before. According to the error, maybe it is because of the UTF-8/16 like you said; we can find it in logcollector read_multiline log or at syslog collector <

[ossec-list] Re: netstat part of syscheck not seeing all ports on initial read

2016-04-15 Thread Pedro S
Previous output: ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort': tcp0 0 *0.0.0.0: * 0.0.0.0:* LISTEN tcp6 0 0 ::1:25 :::*LISTEN tcp6 0 0 :::22 :::*

Re: [ossec-list] RootCheck disabling

2016-04-15 Thread Pedro S
I have reproduced your configuration in my lab; rootcheck is not starting again. Could you re-verify that the agent.conf file is right on your agent? On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote: > > 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101). > 2016/04/14

[ossec-list] Re: Windows Agent Compilation

2016-04-15 Thread Pedro S
nstall gcc-c++ gcc scons mingw32-gcc mingw64-gcc zlib-devel bzip2 unzip Debian: $ apt-get install gcc-mingw-w64 $ apt-get install nsis $ apt-get install make Regards, Pedro S. On Thursday, April 14, 2016 at 3:06:16 PM UTC+2, Kumar Mg wrote: > > Thank you Victor. > > > We trie

[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later

2016-04-15 Thread Pedro S
l time does not work if syscheck scan is running, I mean, if the scan is running realtime option won't work until syscheck finishes the scan. Regards, Pedro S. On Thursday, April 14, 2016 at 8:51:20 PM UTC+2, thak wrote: > > So after some investigating it seems what's ACTUALLY ha

[ossec-list] Re: netstat part of syscheck not seeing all ports on initial read

2016-04-15 Thread Pedro S
ed ports status (netstat) changed (new port opened or closed). pci_dss_10.2.7,pci_dss_10.6.1, Regards, Pedro S. On Thursday, April 14, 2016 at 10:38:59 PM UTC+2, Noway2 wrote: > > I have been using Ossec on a couple of my servers for several years now. > I recently updated one

[ossec-list] Re: Disk usage monitor not working in RHEL5

2016-04-15 Thread Pedro S
Thanks! nice work-around. On Friday, April 15, 2016 at 11:15:30 AM UTC+2, Robert Micallef wrote: > > For anyone who encounters this issue where disk usage alerts are not > working on Redhat 5, the issue is that in RHEL5 'df -h' output is > multiline. > > You can easily fix it by modifying the o

[ossec-list] Re: When new ossec build is planning ?

2016-04-07 Thread Pedro S
/proftpd_rules.xml: 11200 unable to open incoming connection Couldn't open the incoming connection. Check log message for reason. Regards, Pedro S. On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote: > > Hello! > I very interested in this commit for s

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Pedro S
Jesus is totally right. The timeout he is talking about is:* 3*NOTIFY_TIME+30*, *NOTIFY_TIME* by default is 600 seconds. Check the last modification date on every agent-info/* file and wait until that time is more than 30'30''. Best regards, Pedro S. On Thursday, Apr

[ossec-list] Re: new files does not creating alert at all

2016-04-07 Thread Pedro S
Hi, That decoder is hardcoded <https://github.com/wazuh/ossec-wazuh/blob/5441889d963ce6d8ee3fae0e9f273e701b6c89eb/src/analysisd/rules.h#L231>into OSSEC code, so you won't find any decoder called like that. Best regards, Pedro S. On Monday, April 4, 2016 at 8:06:58 PM UT

[ossec-list] Re: How are the best test to ossec rules

2016-04-07 Thread Pedro S
Testing OSSEC installation or OSSEC Rules? I am with Dan, define "test" hehe, what do you want exactly. On Tuesday, April 5, 2016 at 4:58:46 PM UTC+2, tchello2008br wrote: > > Hi all > I want to test my installation , what is the best method ? > > Tks >

Re: [ossec-list] Emails are not going

2016-03-30 Thread Pedro S
You can set up any SMTP server on OSSEC and it will use it to send the emails, BUT OSSEC is not able to use SMTP authentication. Amazon SES works with TLS authentication so.. I don't think OSSEC out of the box can use Amazon SES. Instead of that you can probably configure an Amazon SES SMTP account i

Re: [ossec-list] How to ignore log ?

2016-03-29 Thread Pedro S
Did you run ossec-logtest to verify that your log triggers the rule just created? Try to run it and paste the log, if the rule 81 is not being fired something went wrong with the rule creation. On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote: > > Hi Dan, > > Thanks for the d

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
a previous match of 4000 or 4001. I don't know any other approach to solve this. Maybe we can use active response to execute a script which stores the info and at some point triggers an alert. I hope someone can bring us some light here. Regards, Pedro S. On Tuesday, March 29, 2016 at 4

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
last one will work, and the following one WON'T work: > 18105 > ^529$,^530$,^531$,^532$,^533$ > Windows Logon Failure. > win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, > Regards, Pedro S. On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B

[ossec-list] Re: Change ossec.conf globaly

2016-03-08 Thread Pedro S
I can't imagine a way to change ossec.conf on every agent if you are not using some deployment software (like Puppet). One solution for further installations is to change default ossec.conf file in order to include your EventID exception. Regards, Pedro S. On Monday, March 7, 2016 at 3:

[ossec-list] Re: Help needed with Ossec implementation

2016-03-03 Thread Pedro S
ite => true } } If everything goes well, you should see on Kibana every log collected by your OSSEC agents. Be careful, the archives option collects *everything*, so archives.json/log and the elasticsearch indexes will be huge if you have a large deployment. Regards, Pedro S. On Thursday, March 3, 2

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Pedro S
ot; and product" fields on the same decoder: FULL DECODER Checkpoint (\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+)\.*resource: (\.*);\.*product: (\.*); action,srcip,dstip,url,extra_data Or in a better way, separate the extraction in two different decoders, so we

[ossec-list] Re: help me phase pre-decode

2016-02-29 Thread Pedro S
azuh/blob/master/src/analysisd/cleanevent.c#L77> Regards, Pedro S. On Sunday, February 28, 2016 at 2:43:09 PM UTC+1, luan vo wrote: > > Hello everyone , I began to learn OSSEC . Can tell me *pre - decod*e > stage can tweak it? thank for all >
