[ossec-list] Re: Level 10 - High amount of POST requests in a small period of time (likely bot)

2020-12-24 Thread Yana Zaeva
Hi Andrew, Sorry for the late response. A rule's function is basically to let you know what is happening in your environment, but this rule will not block a normal visitor's IP just because it was triggered. Have you checked if the Active Response module is active? If you have something similar to

[ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread Yana Zaeva
Hi Kyriakos, Sorry for the late response. The default JSON decoder that OSSEC uses (which you can find at the path */var/ossec/ruleset/decoders/0006-json_decoders.xml*) should parse all the information present in a log. For example, using the tool *ossec-logtest*, which you can find in */var/

Re: [ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread Yana Zaeva
customizing already existing rules or decoders and adding new ones can be of use too. Regards, Yana. On Monday, December 28, 2020 at 3:40:04 PM UTC+1 dan (ddpbsd) wrote: > On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva wrote: > > > > Hi Kyriakos, > > > > Sorry for the l

[ossec-list] Re: Using syscheck in production

2021-02-22 Thread Yana Zaeva
Hi Mike, The *syscheck* module can be kind of noisy, especially when you have loads of agents registered. However, you can play with the rules a little bit in order to adapt this module to your necessities and be alerted of the events that are of greater importance for you. You can ignore some

[ossec-list] Re: Issues getting web rules to detect an Nginx log when it's come in via syslog

2021-06-21 Thread Yana Zaeva
Hi Miguel, Could you please paste the output coming from *ossec-logtest* after pasting these logs? Waiting for your reply, Yana. On Monday, June 21, 2021 at 12:29:56 PM UTC+2 migue...@gmail.com wrote: > Hi, > > I am running a system whereby Nginx traffic logs are being sent from a > Docker co

[ossec-list] Re: Issues getting web rules to detect an Nginx log when it's come in via syslog

2021-06-29 Thread Yana Zaeva
Hi, My apologies for the late response. Is your installation a fresh installation? It seems that from version 3.4, you must have the pcre2-10.32 sources installed in *src/external*. You can obtain them by running: cd ossec-hids-*, wget https://ftp.pcre.org/pub/pcre/pcre2-10.32.tar.gz, tar

[ossec-list] Re: Logging Warnings in Windows Logs

2021-12-09 Thread Yana Zaeva
Hi, You can do that using Eventchannel. Eventchannel has been maintained since Windows Vista and can monitor the Application and Services logs along with the basic Windows logs. You can check the following link

[ossec-list] Re: Windows agent auth

2021-12-22 Thread Yana Zaeva
Hi, Sorry for the late response, but if you are still facing this problem we can try to figure it out. Can you see any error or message displayed right after running this executable? You can also check and share the agent's *ossec.log* file for more information. Waiting for your reply, Yana.

[ossec-list] Re: Order of Ossec rule matching engine

2022-02-04 Thread Yana Zaeva
Hi Gopal, Once an alert is triggered, *analysisd* tries to match every existing rule. Once one rule matches (the level of this first matching rule is not relevant), *analysisd* starts looking for this first rule's children. If two or more children match, the rule with the higher level will be se

[ossec-list] Re: Ossec Active Response support windows machine nr linux machine??

2022-02-04 Thread Yana Zaeva
Hi, Sure, it supports both Windows and Linux machines. You can check here the default script for each OS. Also, for further information, I will leave here a lin

[ossec-list] Re: How to configure OSSEC-window & Linux agents

2022-02-04 Thread Yana Zaeva
Hi Pruthvi, You can use Ansible for this. Ansible is an open-source platform designed for automating tasks. It comes with Playbooks, a descriptive language based on YAML, that makes it easy to create and describe automation jobs. Also, Ansible communicates with every host over SSH, making it ver

[ossec-list] Re: CIS Benchmarking

2022-02-04 Thread Yana Zaeva
Hi Charles, You can perform audits using CIS Benchmarks by integrating with CIS-CAT. I will leave here a link with some information about it. Remember that you require a CIS-CAT Pro licence.

[ossec-list] Re: HELP ME DECODE THIS LOG (check Authen)

2022-03-03 Thread Yana Zaeva
Hi, My apologies for the late response. You could start creating decoders following this example: prematch: ^\w+,\w+,\w+. ; parent: ossec_custom, regex: \w+,(\w+),(\w+.\w+.\w+.\w+):(\d+), order: info, srcip, srcport ; parent: ossec_custom, regex: (\w+.\w+.\w+.\w+):(\d+),(\w+), order: dstip, dstport, user. Ossec logtest output: Type one

[ossec-list] Re: About new OSSEC's dynamic decoders

2022-03-10 Thread Yana Zaeva
Hi Kyriakos, It seems that this feature is not available for OSSEC (you can check an older thread about it here). However, as mentioned in the thread, you can use Wazuh to achieve that goal: **Phase 1: Completed pre-decodi