at. Perhaps OS updates occurring at unpredictable times
(setting off OSSEC in unpredictable ways) is the issue you may want to
address.
My 2 cents,
Scott
On Mon, Feb 22, 2021 at 12:44 PM 'Mike Lissner' via ossec-list <
ossec-list@googlegroups.com> wrote:
> Thanks Yana. I guess I shoul
ACK! Sorry! Didn't see you'd already replied, Dan...
What he said. :)
Scott
On Mon, Nov 16, 2020, 10:10 dan (ddp) wrote:
> On Mon, Nov 16, 2020 at 7:27 AM Andrew S wrote:
> >
> > Hi Brian,
> >
> > Thank you for the clarification but I don't understand why so
owing it's nothing (if it's a low enough
level of noise) or write a rule for the Daily Mail URL set to level 0 so it
doesn't log anymore. There's little you can do about some commenter on a
Daily Mail article linking to your site so you need to decide how much this
matters to you.
HTH,
Scott
On M
if I can make things more efficient
for the engine without making them a lot LESS efficient for me. :)
Much obliged,
Scott
On Tue, Aug 11, 2020 at 6:01 PM Juan Carlos Tello <
juancarlos.te...@wazuh.com> wrote:
> Hi Scott,
> Indeed all level 0 rules are considered for ma
Just note that this article was written before widespread deployment of
systemd so it may leave some files related to systemd service management
behind if your server uses systemd. But it DOES include the removal of
OSSEC users and groups which I forgot to mention so perhaps consider a
hybrid
to do a manual scrape-out. Inelegant, I know, but I haven't found a
better way. Perhaps some day someone will add an uninstaller to the tarball
installer, but in the meantime, this is what's worked for me.
Best of luck,
Scott
On Mon, Jul 27, 2020, 16:56 Carlos Islas wrote:
> Hello to everyb
srcip alone isn't
sufficient (or, as I said, is this just a bug)?
I'm running version 3.6.0 installed from the source tarball off the
ossec.net website.
Any suggestions or advice would be appreciated.
Thanks,
Scott
--
---
You received this message because you are subscribed to the Google
Cool! Thanks again for the feedback. :)
Scott
On Thu, Jun 18, 2020, 09:03 dan (ddp) wrote:
> On Wed, Jun 17, 2020 at 5:06 PM Scott Wozny wrote:
> >
> > OK, so after a little more digging, I see now why there is no logrotate
> script that comes with the build from sour
regret later?
Thanks,
Scott
On Wed, Jun 17, 2020 at 1:47 PM Scott Wozny wrote:
> Make came on the base OS, so I'm not inclined to remove that. It's mostly
> the compiler I want gone. I'll do a deeper dig into the other dependencies
> to see if I can see some obvious ongoing operationa
) This is a little off-topic, but what is the purpose of firewall.log? I
can't seem to find any reference in the documentation.
Thanks,
Scott
On Wed, Jun 17, 2020 at 1:37 PM Scott Wozny wrote:
> Thanks for the reply, Dan. I'll probably roll my own logrotate script and
> use the on
operational non-devel version which (I believe) should be sufficient to run
the system on an ongoing basis. I'll do some testing and report results
back here.
Thanks,
Scott
On Wed, Jun 17, 2020 at 8:31 AM dan (ddp) wrote:
> On Mon, Jun 15, 2020 at 3:47 PM Scott Wozny wrote:
> >
reporting to a server it all makes more sense now. :)
Scott
On Wed, Jun 17, 2020 at 8:26 AM dan (ddp) wrote:
> On Mon, Jun 15, 2020 at 3:09 PM Scott Wozny wrote:
> >
> > I'm trying to get off the Atomic repo for a variety of reasons, so I
> just did a 3.6.0 agent install from th
Hi Dan,
Very interesting! Feels kind of Rube Goldberg-y but I fully understand the
reasoning and it makes perfect sense in the context of what's trying to be
accomplished here. I very much appreciate the explanation! :)
Thanks,
Scott
On Wed, Jun 17, 2020 at 8:22 AM dan (ddp) wrote
r?
Thanks,
Scott
o how much
of the dependency software do I need to leave and how much can I remove
before making these clones into what I need them to be?
Any suggestions would be appreciated.
Thanks,
Scott
./install.sh?
Any assistance or suggestions would be appreciated.
Thanks,
Scott
stack. Does anyone
know if the PHP in the WUI is thread safe or if I should use the prefork
MPM? Does anyone know if anything else is needed, module or configuration
wise?
Any thoughts or suggestions would be appreciated.
Thanks,
Scott
You could have ossec monitor ossec.log like it does with active-
responses.log. You'd just have to write rules for it, or barring that
turn on archives.log
-Scott
On Mon, 2019-03-25 at 08:02 -0400, dan (ddp) wrote:
> On Fri, Mar 22, 2019 at 12:01 PM YoYo wrote:
> > Hi All,
Looks like this has been fixed. (I still get the LSB error mentioned in
another post--or the bug tracker.)
Thanks to whoever fixed it!
I think the apt repository may be out of sync with the actual built
packages...when I try to install a clean version of ossec-hids-server, I
get the following error messages:
Err:1 https://updates.atomicorp.com/channels/atomic/ubuntu xenial/main
amd64 ossec-hids-server amd64 2.9.2-2154xenial
Hope this helps!
-Scott
CTO, Atomicorp
On Sat, 2017-06-10 at 20:19 -0400, dan (ddp) wrote:
> On Thu, Jun 8, 2017 at 2:01 PM, Alexis Lessard
> <alexislessar...@gmail.com> wrote:
> > Do you update the version every time you add new rules? We've
> > managed to
> > install
I know how to redirect to ossec (send syslog to that server) but have you
come up with a decoder and/or rules for Mikrotik routers?
On Monday, September 2, 2013 at 9:00:43 AM UTC-5, list...@gmail.com wrote:
>
> Hi all,
>
> I'm wondering if somebody has already redirected Mikrotik logs to ossec
On Monday, December 13, 2010 at 1:48:25 PM UTC-6, Shawn Jefferson wrote:
On Linux, if you run manage_agents -V you will get the version number
reported.
Yeah, but not the one you think -- it is showing the version of the server,
not the version of any agent.
I'm still hoping there is a way
Sorry, that’s not correct, it writes in 8KB chunks unless you add the
0x8000 switch which forces it to write immediately.
In any event, I tried the Snare Epilog agent and it’s able to forward the
events just fine. I think it’s a bug in the OSSEC agent.
Scott
From: ossec-list
, the DNS log level is set to 0x8000E121 and I've also
tried 0xE121.
Thanks,
Scott
Was there any resolution to this? Looks like it still is an issue in
2.8.1, the current version used by Alienvault
On Saturday, June 7, 2014 4:34:37 PM UTC-5, James MacLean wrote:
Applied diffs to the two files, make clean all and copied ossec-analysisd.
Put back in \$ but still got the
people
possible need. Let us know and submit a github.com/ossec/ossec-docs pull
request to add it for everyone.
On Oct 21, 2014, at 11:19 PM, Scott Closter closte...@gmail.com wrote:
Hi there. We have a series of routers that require keys with a passphrase
for authentication. Just wondering what the best method to use, if any,
that would allow OSSEC agentless monitoring to work in this scenario? I’ve
seen mention, not related to OSSEC specifically, of using various
which is hidden in explorer. So, on 64 bit windows, I believe from Vista
on, the proper syntax for the location is:
<location>%windir%\sysnative\Dhcp\DhcpSrvLog-%a.log</location>
This works just fine for the daily rotation as well.
Scott
On Tuesday, October 23, 2012 2:34:47 PM UTC-5, Brian Sims
PM, Scott Mace sm...@xogrp.com wrote:
I've hashed together a new decoder and rules file for the new Trend Micro
Office Scan logging to Windows Event Logs. i don't quite have all the
result codes in there, but it's a start. Appreciate any comments,
suggestions. I'm using Ossec in AlienVault, so I'll be doing some
correlation as
Hello,
Today I have 3 slave servers and 1 master server.
I receive one email per hour.
But I would like to receive one email per hour and per server.
How can I do that?
Here is an example:
Subject of the email: OSSEC Notification - (serverA) xxx.xxx.xxx.xxx -
Alert level 6
Hello Dan,
Thank you.
Bye
Rodolphe SCOTTO
On Tuesday, September 3, 2013 15:29:06 UTC+2, dan (ddpbsd) wrote:
On Tue, Sep 3, 2013 at 7:46 AM, scott rod mori...@gmail.com wrote:
Hello Dan,
I would like to receive one email per hour per server.
If I turn off email
Hello Michael Starks,
Thank you for responding to me.
Mr SCOTTO Rodolphe
Hello
On Tuesday, September 3, 2013 20:26:09 UTC+2, Michael Starks wrote:
On 03.09.2013 06:52, scott rod wrote:
Hello Dan,
I would like to receive one email per hour per server.
If I turn off email grouping I
receive notifications about serverB in the
same email.
I would like to receive one email per server.
One email for serverA notifications and one email for serverB notifications.
Do you understand?
Thanks in advance.
Mr SCOTTO Rodolphe.
On Monday, August 26, 2013 15:32:02 UTC+2, scott rod wrote:
Hello
Hello Dan,
I would like to receive one email per hour per server.
If I turn off email grouping I will receive one email for every
notification.
I will receive too many notifications in that case.
Thanks Dan.
Hello,
Today I have 3 slave servers and 1 master server.
I receive one email per hour.
But I would like to receive one email per hour and per server.
How can I do that?
Thanks in advance.
Hello everybody,
Today I have one master server and 3 slave servers.
I receive one email per hour.
But I would like to receive one email per hour and per slave server.
Thanks in advance
before.
So, either ask for a root shell:
sudo -s
or run a single command with sudo, and let your current directory be what it is
now:
sudo /var/ossec/bin/ossec-control restart
Hope this helps
--
Scott
On Dec 22, 2012, at 6:47 AM, dan (ddp) ddp...@gmail.com wrote:
On Dec 22
You missed something: after 'NOTICE[23927]' there is '[C-013] chan_sip.c:'
which is not in your prematch.
In my Guide to gooder grammer, I had a rule: Proofread your writing to see
if you any words out.
On Dec 11, 2012, at 12:12 AM, Phil Daws wrote:
Hello:
am attempting to write a
On Dec 11, 2012, at 4:16 PM, dan (ddp) wrote:
You could match on the fatal-errors@blahblah as above, but set the
level higher. Then create a child rule matching the Ok: queued bit.
Sure. Thanks a lot for your help, Dan.
Scott
I'm having trouble making a rule to eliminate this false positive, rule
1002 is kicking in:
sendmail[24167]: qBAHj1gY023631: to=fatal-err...@example.com,
delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705,
relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as
:
OSSEC which you highlight is your ossec server?
I think the alert is generated by your server.
On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote:
Am I doing something wrong? Most of my ossec alerts have the server's
hostname instead of the sending system's hostname.
If I
).
On Wednesday, December 5, 2012 8:41:36 PM UTC-6, peng lin wrote:
OSSEC which you highlight is your ossec server?
I think the alert is generated by your server.
On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote:
Am I doing something wrong? Most of my ossec alerts have
Am I doing something wrong? Most of my ossec alerts have the server's
hostname instead of the sending system's hostname.
If I call my server ossec and other servers host1, host2, etc, send
syslog UDP messages to abc, then I may get these messages:
2012 Dec 05 23:02:08 host1-1.2.3.5 Dec 5
On Dec 5, 2012, at 5:56 PM, dan (ddp) wrote:
2012 Dec 05 23:02:08 host1-1.2.3.5 Dec 5 15:02:08 def sbn[92413]: testing
[this one looks right]
2012 Dec 05 23:04:01 ossec-1.2.3.6 sbn: testing [this one does not]
2012 Dec 05 23:05:00 ossec-1.2.3.7 sbn: testing [this one does not]
I have no
FYI - agent.conf extends the settings in ossec.conf.
You should have a minimal set of instructions in ossec.conf, usually the server
and those that will not function in agent.conf, i.e. full_command, etc.
Scott
On Nov 28, 2012, at 9:45 AM, funwithossec h...@donobi.net wrote:
On Wednesday
On Friday, November 23, 2012 7:20:44 AM UTC-6, dan (ddpbsd) wrote:
etc/local_decoder.xml:
<decoder name="zabbix">
  <prematch>^Zabbix Server[\d+]: </prematch>
</decoder>
<decoder name="zabbix-check-failed">
  <parent>zabbix</parent>
  <regex offset="after_parent">Sending list of active checks to
23, 2012 7:20:45 AM UTC-6, dan (ddpbsd) wrote:
On Wed, Nov 21, 2012 at 3:47 PM, Scott Nelson wa6...@gmail.com wrote:
On Nov 21, 2012, at 2:23 PM, dan (ddp) wrote:
Hmm. Okay, please have patience with me, so if I then forget about
hybrid mode, then how do I forward logs
What do you manage these machine with currently? What is the client OS?
Do you have a system management platform like Puppet or Group Policy in place?
This question has been asked many times on this board, please search the
archives for great solutions!
Scott
On Nov 27, 2012, at 3:16 AM
Something like this might be a better tool for your needs:
SSA - Security System Analyzer 2.0
http://code.google.com/p/ssa/
You could tie it into OSSEC with the full_command option.
If all you need is to determine the Admin account status, then use a
PowerShell command in full_command.
Scott
A newer resource for SCAP scanning:
http://www.open-scap.org/page/Download
On Nov 27, 2012, at 6:18 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Nov 27, 2012 at 7:02 AM, Michiel van Es vanesmich...@gmail.com
wrote:
Hi,
We want to check for hardening and one of our Windows hardening rules
Remember that in match, the pipe symbol | has special meaning: or
On Nov 23, 2012 1:51 PM, JPZ jp.zurbr...@gmail.com wrote:
Aah, there we go! Thanks a million for quick replies Dan.
For whom ever stumbles on my case facing the same problem, here is the
fixed configuration:
<localfile>
I had problems with installing on OS X 10.5; I ended up adding a #else to
the above and coding my own strnlen function.
On Tuesday, November 20, 2012 12:39:18 PM UTC-6, dan (ddpbsd) wrote:
On Tue, Nov 20, 2012 at 1:16 PM, bujanga buj...@gmail.com wrote:
Yes, 1 is a local admin
On Nov 21, 2012, at 1:50 PM, dan (ddp) wrote:
On Wed, Nov 21, 2012 at 2:44 PM, Scott wa6...@gmail.com wrote:
Hello,
I would like to have my logs from a distant subnet forwarded to a central
ossec server. Some of these logs are UDP 514 syslog format from
appliances.
So, I was thinking
You could craft a Powershell to find the file by name (is that consistent?) and
calculate the MD5 of it.
This can then be run as a command from the agent, defined in its ossec.conf
file:
<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -command ...</command>
On Nov 21, 2012, at 2:23 PM, dan (ddp) wrote:
Hmm. Okay, please have patience with me, so if I then forget about hybrid
mode, then how do I forward logs safely and securely over the internet to my
central ossec server?
I think the point is to have a central repository for the alerts more
On Nov 19, 2012, at 4:58 PM, Michael Starks wrote:
On 16.11.2012 11:44, Scott wrote:
However, I am not receiving all of the remote log entries. In fact, I
only see a very small amount of the entries.
Are you sure you're not seeing everything? OSSEC does not save all logs by
default
On Nov 20, 2012, at 7:53 AM, dan (ddp) wrote:
On Tue, Nov 20, 2012 at 8:46 AM, Scott Nelson wa6...@gmail.com wrote:
On Nov 19, 2012, at 4:58 PM, Michael Starks wrote:
On 16.11.2012 11:44, Scott wrote:
However, I am not receiving all of the remote log entries. In fact, I
only see a very
On Nov 20, 2012, at 9:27 AM, dan (ddpbsd) wrote:
Ok, this has totally confused me. Maybe you should provide your
configurations. I don't know whether you're using syslog or the OSSEC secure
method of transport.
Sorry to confuse you. I inherited this setup, it was originally set up to use
Hi everyone,
Sorry to be on the list so much, but I've hit another block in my
understanding of ossec.
What am I doing wrong here? The decoder seems to work, but the rule does
not match!
etc/local_decoder.xml:
<decoder name="zabbix">
  <prematch>^Zabbix Server[\d+]: </prematch>
</decoder>
<decoder
I should mention this is OSSEC 2.7
On Tuesday, November 20, 2012 4:35:31 PM UTC-6, Scott wrote:
Hi everyone,
Sorry to be on the list so much, but I've hit another block in my
understanding of ossec.
What am I doing wrong here? The decoder seems to work, but the rule does
not match
often.
Any suggestions on how I can diagnose?
Scott
On Friday, November 16, 2012 11:44:13 AM UTC-6, Scott wrote:
Currently, I am having the remote host sending the logs to ossec via
standard syslog UDP port 514 (syslog over tcp is not available on that
server). That seems to work fine
Currently, I am having the remote host sending the logs to ossec via
standard syslog UDP port 514 (syslog over tcp is not available on that
server). That seems to work fine.
But I wish to use an ossec agent to send the log information. I have set
that up on the host, and ossec reports the
(wearing brown paper sack over head)
never mind -- wasn't logging all files.
Sorry for the noise.
Hello.
I've been asked to make ossec alert when an unknown log message is
received. That is, one that doesn't match a decoder and/or a rule. As we
receive the alerts, we will identify them and create decoders/rules as
needed until we have identified everything. What we don't want is for
have read the manual and studied all of the config entries -- but I'm
not sure where to look now.
Can someone help me get this going again?
Thanks,
Scott
: DEBUG: OS_StartCounter completed.
Make sure the host doesn't have a firewall blocking the traffic.
Nope:
# ipfw list
33300 deny log icmp from any to me in icmptypes 8
65535 allow ip from any to any
Thanks for your suggestions; got any others?
Scott
I have discovered my problem:
There are *two* firewalls to worry about on Mac OS X. I disabled one
(ipfw) but the other (afw) was still enabled. Disabling the second fixed
the problem. I'm not sure how it was working before!?!
'syscheck_control -u agent_id' to clear
the agent syscheck database.
bin/syscheck_control
-u id Updates (clear) the database for the agent.
On Friday, October 19, 2012 2:32:49 PM UTC-7, Scott wrote:
Hi Dan,
Thanks for the reply. My global set up is fine and I am getting many
I want notification to continue no matter how many times a file changes,
not just 3 times.
On Wednesday, October 24, 2012 11:08:09 AM UTC-7, dan (ddpbsd) wrote:
On Wed, Oct 24, 2012 at 2:01 PM, Scott kazm...@gmail.com wrote:
If there is no timer does this mean once a file has
though at the time was the missing /bin in
ossec-command when checking rules on start using ossec-logtest. (present in
original ossec 2.6)
I added a symlink in /var/ossec/ for /var/ossec/bin/ossec-logtest and have not
run into issues with hanging since.
Hope this helps.
Scott
On Oct 23, 2012
If I remember right my issue was solved by fixing permissions.
Scott
On Oct 22, 2012, at 11:36 PM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Oct 23, 2012 at 5:54 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem with one of my ossec servers. After
: followed by the log source. (i.e.
Application:, Security: etc.)
Hope this helps.
Scott.
What is the best way to test rules on Windows Event Logs?
With syslog or weblog related stuff I know I can take a line from the log
and feed it to ossec-logtest.
However with Windows Event Logs what
?
On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
I am trying to monitor one specific file on one server for any changes and
to send email notification to several individuals when that file changes,
no matter how often it changes, and including a diff of the changes. I am
using
I am trying to monitor one specific file on one server for any changes and
to send email notification to several individuals when that file changes,
no matter how often it changes, and including a diff of the changes. I am
using a centralized configuration to manage ossec agents. The client
Is it possible you have set setmaxagents to 1024 on make?
Scott
On Oct 5, 2012, at 10:00 AM, Michael Barrett michael_barr...@mgic.com wrote:
It seems to be messed up. The agent ID used to default to the next number,
now it seems to be stuck on 1025
On Sep 25, 2012 1:43 PM, Scott Klauminzer sklaumin...@gmail.com wrote:
This may help in building rules to monitor. Also the Event IDs change based
on OS Version (Vista+)
http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx
Events 560, 562, 563, 564, 567, and each of those
Did you verify that all ossec services stopped before restarting?
I had this issue previously, and one of the services was hanging and not
allowing the restart to function.
run: ps -eaf | grep ossec
On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:
Here is a screen capture of what I'm
@googlegroups.com] On
Behalf Of Scott Klauminzer
Sent: Thursday, July 26, 2012 2:26 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server?
All agents inactive, what gives?
Did you verify that all ossec services stopped before restarting?
I had
Dan,
I too am unable to make use of the ideas here:
http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/
Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine
agent.conf I get the following in my log on agent restart.
2012/06/21 09:42:43 ossec-agent: Remote
<category>syscheck</category>
<title>Daily report: File changes</title>
<email_to>m...@example.com</email_to>
</reports>
I just want both reports to my email at daily
thanks.
br,
--
Eero
Scott
Nate,
Have you run a sample log entry through ossec-logtest
What is the result? If it fires rule 14, have you restarted ossec since
emailing the rule?
Scott
On May 18, 2012, at 12:42 PM, Sanders, Nate nsand...@bioware.com wrote:
Thinking about it, I tried this in local_rules.xml
Andy,
It looks like the AnaLogi_v1.0.1.zip is not available.
AnaLogi_v1.0.1.zip returns a file not found.
Scott
On May 15, 2012, at 7:38 AM, techsupp...@ecsc.co.uk wrote:
Hi James,
Many thanks for letting me know...
https://github.com/ECSC/analogi/downloads
Not sure how I've got
On May 9, 2012, at 6:16 AM, secatoor secat...@gmail.com wrote:
Is there something specific I have to tell OSSEC to make it stop
logging into log files and log into mysql database ?
Did you set database_output and appropriate credential, etc parameters in
ossec.conf?
See
On May 9, 2012, at 11:35 AM, Scott VR scot...@s0cialpath.net wrote:
On May 9, 2012, at 6:16 AM, secatoor secat...@gmail.com wrote:
Is there something specific I have to tell OSSEC to make it stop
logging into log files and log into mysql database ?
Did you set
I'd try escaping the comma with a backslash. (or perhaps a double backslash?)
--
ScottVR
On May 1, 2012, at 5:45 PM, Michael mkleinpa...@gmail.com wrote:
So, I'm getting OSSEC running for the company I work for. So far so
good up to the point of monitoring the registry. All the basic ones
to the stop command.
I'm assuming that this will fix my alert issues, as the rules were likely never
recycled.
Thank you for the helpful reminder.
Scott
On Apr 20, 2012, at 8:05 AM, Christopher Moraes wrote:
Scott,
Can you try this -
1. Shutdown ossec
2. Wait for a minute
3. Check
Yes, Only 1 entry is returned:
grep "rule id=\"1002\"" /var/ossec/rules/*.xml
/var/ossec/rules/syslog_rules.xml: <rule id="1002" level="2">
Scott
On Apr 18, 2012, at 1:08 PM, Christopher Moraes wrote:
Since you mentioned this -
On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer sklaumin...@gmail.com
of the registry changes that aren't
much of a concern, but haven't gotten around to it. Not to mention routine
computer account password changes. I would be really interested in what you
come up with.
Thanks,
Mike Scott
On Wed, Apr 4, 2012 at 8:18 AM, Walden H. Leverich
wald
Thanks Kat! I was thinking of firewalls between the OSSEC server and the
sonicwall, it wasn't until after Dan emailed that I figured I better double
check the firewall on the OSSEC server itself. Next time I'll have to check
that a little earlier :-)
Mike Scott
On Thu, Mar 22, 2012 at 7:29 AM
messages.
Any other suggestions?
Thanks,
Mike Scott
On Wed, Mar 21, 2012 at 6:47 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Mar 20, 2012 at 5:44 PM, Michael Scott
ms.thenetwor...@gmail.com wrote:
Greetings!
I'm having some difficulty trying to set up a Sonicwall to be monitored
Thanks again for the help and reply Dan.
Just for fun, I disabled the firewall, and it started working. I ended up
removing the exception, applying changes, and then recreating it and
applying changes. After that, it ended up working.
Sorry for the false alarm, and thanks!
- Mike Scott
On Wed
,
Mike Scott
using short hostname) and
IP address in full CIDR format: xxx.xxx.xxx.xxx/32 (originally without /32)
Once that was done, re-import the key into the agent box, and restart
server and agent processes. Worked fine after that.
Scott
for that to happen, and I don't want to roll out an older
agent, just to have to upgrade later.
Now, if anyone has been able to get 2.6 working correctly and fully
integrated in Ossim/AlienVault, I'm all ears!
Scott
On Tue, Mar 6, 2012 at 1:16 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Mar 6, 2012 at 1:59
Kind of off-topic (ossec-wise I mean) but by any chance are you using the Cisco
Embedded Syslog Manager and perhaps are having an issue with munging of the
escaped double colon Tcl variables from that?
See
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html#wp1053047
for
On Jan 26, 2012, at 9:26 AM, Steve Kuntz stephen.ku...@gmail.com wrote:
I'm reluctant to install wireshark on the agent at this point.
It may be your quickest path to a resolution, though. That or a span/mirror
port on the switch.
Check the routing table on the server to see how traffic is
The problem is that the 404 is not for the static file favicon.ico, but for a
.php script that is passed favicon.ico as an argument and returns a 404. Either
/theme/image.php does not exist, or it is written to return a 404 when passed a
non-existent filename as an argument. In any case, I