Re: [ossec-list] I'd like to ignore these...

2014-08-25 Thread Steven Stern
messages</description> </rule> Replace 11 with the next available ID if 11 is already used by another rule. Hoping this helps. Valere From: Steven Stern [subscribed-li...@sterndata.com] Sent: Friday, August 22, 2014 6:21 PM To: ossec

[ossec-list] I'd like to ignore these...

2014-08-23 Thread Steven Stern
What's the best way to get OSSEC to ignore this particular error in error_log? It's the result of .htaccess rules operating correctly, so I don't really need to get emails about it. I suspect that I need to tell it to not notify me on a rule 1002 if AH01797 is in the text, but I'm not sure how

[ossec-list] Won't start after upgrade from 2.7.1 to 2.8

2014-06-04 Thread Steven Stern
At the end of ./install.sh OSSEC HIDS v2.7.1 Stopped Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)... ossec-analysisd: Configuration error. Exiting. - Configuration finished properly. service ossec start Starting OSSEC:[FAILED] from ossec.log

[ossec-list] 1 zombie process after starting 2.8

2014-06-04 Thread Steven Stern
# ps -ef |grep ossec ossecm 17982 1 0 11:55 ?00:00:00 /var/ossec/bin/ossec-maild root 17984 1 0 11:55 ?00:00:00 /var/ossec/bin/ossec-execd ossec17990 1 0 11:55 ?00:00:00 /var/ossec/bin/ossec-analysisd root 17994 1 0 11:55 ?00:00:00

Re: [ossec-list] Integrity checksum changed for: '/usr/bin/from'

2014-06-04 Thread Steven Stern
Check your package updater's logs. On 06/04/2014 07:51 AM, dan (ddp) wrote: On Wed, Jun 4, 2014 at 4:53 AM, PAL 18 pal...@ftwgamer.com wrote: I just got this a few minutes ago and I wasn't logged into the box. Should I be worried? Has my server been hacked? You have to investigate the

[ossec-list] Reporting network changes

2014-05-15 Thread Steven Stern
I'm getting network change notifications a couple of times per day on one system. It appears it's comparing the current state to some base state where most of the services weren't started. I can't find anything in the logs to indicate that services are being restarted during the day, so this is a

[ossec-list] keepalive message

2012-04-08 Thread Steven Stern
This just arrived as an alert: OSSEC HIDS Notification. 2012 Apr 08 10:40:50 Received From: breadboard-ossec-keepalive Rule: 1002 fired (level 2) - Unknown problem somewhere in the system. Portion of the log(s): --MARK--:

Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 10:49 AM, Dimitri Yioulos wrote: Anyone have any ideas on this? All, Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added the following directives to ossec.conf on the host that I want this to work in: command

Re: [ossec-list] Re: Repeated-offenders still not working

2012-03-12 Thread Steven Stern
On 03/12/2012 11:53 AM, Dimitri Yioulos wrote: On Monday 12 March 2012 12:24:47 pm Steven Stern wrote: On 03/12/2012 10:49 AM, Dimitri Yioulos wrote: Anyone have any ideas on this? All, Back at the end of last year, I asked about using the repeated-offenders feature in OH. I added

Re: [ossec-list] ossec newbie, increasing threshold for failed http login and unblock blocked ip

2012-02-05 Thread Steven Stern
On 02/05/2012 11:56 AM, lucas kauffman wrote: Also if an IP is blocked, how can I unblock it through ossec? Or do I have to do it manually and delete the entries for hosts.deny and iptables? OSSEC will unblock automatically, based on the timeout parameter in ossec.conf or your local

Re: [ossec-list] Web Server Trouble

2012-01-25 Thread Steven Stern
I get a lot of 404 alerts, and I let OSSEC block access when it's multiples from the same IP. Typically, they're looking for phpmyadmin or other common (and probably poorly secured) tools in a number of locations. On 01/24/2012 11:33 PM, Damien Hull wrote: It looks like someone was requesting

Re: [ossec-list] perhaps a dump question but need to ask...

2011-12-27 Thread Steven Stern
Be sure to whitelist your own IP address! On 12/27/2011 09:57 AM, Peter Skurczak wrote: Hello there, I was having similar problem. I wanted to find the way how to block an ip permanently. I ended up with increasing the ban time for not 600 but 60 seconds and I think that is

[ossec-list] Trojan false positive and portreserve

2011-12-27 Thread Steven Stern
I just disabled cups on my server (no printer, no need to print) and OSSEC reported Port '631'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat A quick check of netstat shows $ sudo netstat -anp |grep 631 udp0 0 0.0.0.0:631 0.0.0.0:*

Re: [ossec-list] disable-account

2011-09-19 Thread Steven Stern
Disabling root seems like a nice path to a DoS. You'd probably do better to use a rule to block the offending IP rather than killing root's account. (Hint from hard personal experience: Exclude your own IP from the rule.) On 09/19/2011 10:56 AM, dan (ddp) wrote: On Sep 19, 2011 11:53 AM,

Re: [ossec-list] stupid question on ossec configuration

2011-09-07 Thread Steven Stern
On 09/07/2011 09:10 AM, Eero Volotinen wrote: Hi List, I want an alert from ossec when a linux interface (ethernet) link goes down. How to do this? -- Eero Dumb question in return: If the network is down, how is it going to notify you? You probably want one or more external boxes monitoring

Re: [ossec-list] OSSEC-Keepalive message -- what does this mean?

2011-06-17 Thread Steven Stern
to be ignored so they don't fire alerts... On Fri, Jun 17, 2011 at 3:52 PM, Steven Stern subscribed-li...@sterndata.com wrote: What does this mean? Where do I look for an error? Received From: ip-10-x-ossec-keepalive Rule: 1002 fired (level 2) - Unknown problem somewhere in the system. Portion

Re: [ossec-list] stupid (?) rule question

2011-06-05 Thread Steven Stern
On 06/05/2011 07:02 AM, Rainer wrote: Hi, I want to block a certain WWW bot called verticalpigeon; it is known to scan for Joomla! installations. You can also trigger it through the website manually. But the nice thing is, it says who it is: 66.103.61.161 - - [05/Jun/2011:09:44:59 +0200] GET

[ossec-list] Timeout value units

2011-03-27 Thread Steven Stern
I just want to confirm: In an active response rule, is the timeout value the number of seconds? I had someone whacking my website today looking for mysql access and the rule triggered three times (on the same IP address) in two minutes. The first trigger should have locked out his IP for 360 --

Re: [ossec-list] OSSEC for Sql injection attack

2011-02-04 Thread Steven Stern
Response turned out to be fantastic to prevent SQL Injection based attacks. Regards Tanishk On Fri, Feb 4, 2011 at 12:12 AM, Steven Stern subscribed-li...@sterndata.com mailto:subscribed-li...@sterndata.com wrote: On 02/03/2011 12:00 PM, satish patel wrote: How efficient OSSEC

Re: [ossec-list] OSSEC for Sql injection attack

2011-02-03 Thread Steven Stern
On 02/03/2011 12:00 PM, satish patel wrote: How efficient is OSSEC at stopping SQL injection? If not, then I have to move on to mod_security. Is anybody out there who is using ossec for sql injection? Thanks, S It's very good at detecting SQL injection, but your code shouldn't (smile) be

[ossec-list] Active Response not activating

2010-10-27 Thread Steven Stern
OSSEC 2.5.1, Fedora 13. In /var/ossec/etc/ossec.conf, I have
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31151</rules_id>

Re: [ossec-list] Re: Active Response not activating

2010-10-27 Thread Steven Stern
It shows in the email alert I get from OSSEC. The snippet below was grabbed from OSSEC's logs. On Wed, Oct 27, 2010 at 1:38 PM, Jeremy Lee jpl...@gmail.com wrote: Does the source IP even show when that rule is tripped? On Wed, Oct 27, 2010 at 11:30 AM, Steven Stern subscribed-li