[ossec-list] monitoring tmp for perl and php

2010-09-22 Thread Chris
I am trying to follow this setup to scan tmp for files that have perl or php in them but for the life of me I can't seem to get it to work. Any ideas on what I need to get this to work so that when files are found I am sent emails about them? http://groups.google.com/group/ossec-list/browse

[ossec-list] Manual firewall-drop to all clients

2010-11-02 Thread Chris
Is there a way to use firewall-drop.sh by hand to block an IP on all clients?

[ossec-list] Archives are empty???

2010-11-29 Thread Chris
I am a newbie to OSSEC. I am seeing daily gzipped files in /var/ossec/logs/archives/{Month}, but the gzipped files have no content - it doesn't seem to be gzipping the actual files from /var/ossec/logs/alerts/alerts.log. Is there some place this needs to be configured? Thanks

[ossec-list] Scan for file change only

2010-11-30 Thread Chris
I removed the Registry entries from the ossec.conf on a Windows agent, and it seemed to also disable the folder check as well - I have only one folder being checked. Can I enable just a file check and not a registry check? Thanks

[ossec-list] Windows agent not starting without registry check

2010-12-06 Thread Chris
If I remove the registry check, the agent does not seem to recognize that I want a directory check and does nothing. Is there any way to bypass the registry check?

[ossec-list] Re: Windows agent not starting without registry check

2010-12-06 Thread Chris
That's what I figured...I set one up to monitor the ossec service. Thanks On Dec 6, 4:07 pm, "dan (ddp)" wrote: > On Mon, Dec 6, 2010 at 3:59 PM, Chris wrote: > > If I remove the registry check, the agent does not seem to recognize > > that I want a directory che

[ossec-list] Ignoring Subversion files

2011-01-19 Thread Chris
I need to ignore all added files in a directory under a folder named .svn. I added the rule below to local_rules.xml and restarted the ossec server, but not the agents. It still seems to be emailing alerts. Did I get the syntax incorrect for the tag? ossec 554 *.svn* File added to the

[ossec-list] ossec not alerting to file change

2011-05-20 Thread Chris
I have ossec setup to monitor D:\farm where an ear file is deployed. When the ear file is redeployed (ie new code is pushed), I am not getting an alert or anything in the log. If I bounce the agent, I get an alert that it has been bounced. I am using a shared config and verified the agent.conf is

[ossec-list] Using OSSEC agent to grab multi-line XML log file?

2013-04-29 Thread Chris
n searching and have the OSSEC book by Andrew Hay, but so far I've come up empty on this particular problem. Any help would be appreciated! Thanks! -Chris -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from

Re: [ossec-list] Re: BIG PROBLEM - runaway syscheckd process

2013-11-26 Thread chris
_read+0x51/0x80 [132944.274714] [] ? system_call_fastpath+0x16/0x1b -Chris On Monday, March 30, 2009 7:49:51 PM UTC, John A. Sullivan III wrote: > > Thank you, Daniel. This gives us a usable work around as we can find > other options for rootkit detection. I wonder why the process checking > w

[ossec-list] "level 10 - High amount of POST requests in a small period of time" with ngx_pagespeed

2014-06-29 Thread Chris
Hi list, running OSSEC 2.8 on a debian wheezy server together with NginX 1.6 and the ngx_pagespeed 1.8.31.2 module fires the following OSSEC rule: OSSEC HIDS Notification. 2014 Jun 28 14:45:56

Re: [ossec-list] "level 10 - High amount of POST requests in a small period of time" with ngx_pagespeed

2014-07-13 Thread Chris
Hi, >> to ignore those notifications but i'm not sure if there is a better way >> to avoid such notifications. >> >> Any help/hints/tips are welcome. >> > > Seems reasonable. thanks for your reply. Running this now for some weeks and have not seen any issues with this local rule. -- --- You

[ossec-list] ossec-authd unknown option -v

2014-10-27 Thread Chris
When I try to run ossec-authd with the -v option I get an invalid option error. According to the man page on the website for version 2.8.1 located at https://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html the daemon supports a -v option to pass it a ca cert. The command and error

Re: [ossec-list] ossec-authd unknown option -v

2014-10-27 Thread Chris
(ddpbsd) wrote: > > On Mon, Oct 27, 2014 at 10:11 AM, Chris > > wrote: > > When I try to run ossec-authd with the -v option I get an invalid option > > error. According to the man page on the website for version 2.8.1 > located at > > https://ossec-docs.readthe

[ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
After going through a security audit with my current employer something came up that I cannot figure out how to solve. No one online seems to have run into this. The auditor wants us to log and alert access to the /var/ossec/logs folder. I can do this, but every alert creates a log change thus

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
s, but every alert creates a log > change > > thus creates another alert and log change, etc, etc, etc. Has anyone > ever > > had to do this and could help me? > > > > Did the auditors have any suggestions? > > > -- > > Chris > > > >

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
tes another alert and log change, etc, etc, etc. Has anyone > >> > ever > >> > had to do this and could help me? > >> > > >> > >> Did the auditors have any suggestions? > >> > >> > -- > >> > Chris > >> >

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
Would auditd also send its logs to the OSSEC alert system? On Monday, January 12, 2015 at 10:52:25 AM UTC-6, Chris Decker wrote: > > You could configure *auditd* to monitor for reads/writes to > /var/ossec/logs and included a filter to exclude the OSSEC UID. > > On Mon, Jan 12, 2

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
. No one online seems to > have > >> >> > ran > >> >> > into this. The auditor wants us to log and alert access to the > >> >> > /var/ossec/logs folder. I can do this, but every alert creates a > log > >> >> > change

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
I am looking into auditd and that seems to be the route I want to go. What would the rule be for the folder /var/ossec/logs/ that excludes the OSSEC user? On Monday, January 12, 2015 at 12:43:55 PM UTC-6, Chris Decker wrote: > > Yes - I currently monitor a few log files for 'wr

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
-w /var/ossec/logs/ -F euid!=XXX -p wa -k auditlog So something like that ^^^? On Monday, January 12, 2015 at 1:13:04 PM UTC-6, Chris Decker wrote: > > You'd want to add a filter to the end of the rule. For example: > -F euid!=505 (or whatever the appropriate UID is for your

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread chris
Also there are three ossec users 'ossec', 'ossecm', and 'ossecr'. Which one is the writing done under? On Monday, January 12, 2015 at 1:13:04 PM UTC-6, Chris Decker wrote: > > You'd want to add a filter to the end of the rule. For example: > -F eu

Re: [ossec-list] Logging access to ossec log files

2015-01-15 Thread chris
Thank you for the reply. I know all of this. This is not a PCI audit, but it could impact the business too much to fight. I used auditd to watch the folders. Excluding the OSSEC group and auid=-1. Also added a few more monitoring settings to auditd, like watching sudo and su usage. OSSEC looks

[ossec-list] How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

2015-12-21 Thread Chris
I have successfully configured an OSSEC server running on Ubuntu in AWS. I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC server via this command /var/ossec/bin/agent-auth -m ossec.myprivatedomain.local -p 1515 I am

Re: [ossec-list] How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

2015-12-22 Thread Chris
cloud environment where automation is required. Use of third-party tools such as Chef, Puppet, Ansible, etc. can overcome this limitation, but add additional considerations. Thanks, Chris On Tuesday, December 22, 2015 at 7:04:55 AM UTC-6, dan (ddpbsd) wrote: > > On Mon, Dec 21, 2015 at 4:3

[ossec-list] vm-pop3d: Deal with failed auth messages

2008-07-19 Thread Chris
ing something wrong because ossec continued to not recognise the failed auth log and email me every time it turned up. I'd be very grateful if someone could point me in the right direction. Thanks, Chris

[ossec-list] SSHd attack?

2008-09-11 Thread Chris
this type of attack before and also to remind myself to make a decoder and matching rule in the morning so that Ossec picks this up in the future. Chris

[ossec-list] Re: SSHd attack?

2008-09-16 Thread Chris
coder rule (and sshd rule 5706) probably already exists for you but I changed it a bit. This works fine for me by banning hosts who give me four identification failures in 360 seconds. Chris

[ossec-list] Re: Log the kill command or service stopping?

2008-09-17 Thread Chris
og to /var/log/messages for OSSEC to pick up. But then again if you end up using this method why not just get the cron to email you directly? Like I say not exactly a brilliant solution but just an idea. Chris On Sep 16, 9:15 am, "Yildirim Zaynal" <[EMAIL PROTECTED]> wrote: > Hi,

[ossec-list] Re: SSHd attack?

2008-09-17 Thread Chris
match the location of your auth log. After a few seconds the custom OSSEC rule should pick this up and send you an alert. Chris On Sep 17, 2:47 pm, cnk <[EMAIL PROTECTED]> wrote: > Hey Kevin, > > I don't think it was necessary to modify the decoder since the current > decoder

[ossec-list] OSSEC Upgrade to 3.0.0

2018-08-29 Thread Chris
t the current version number as I will need this for evidence. dpkg -l shows the old version manage_agents -V shows 2.9.0?? Thanks Chris -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop r

Re: [ossec-list] OSSEC Upgrade to 3.0.0

2018-08-30 Thread Chris
Aug 29, 2018 at 6:06 AM Chris > wrote: > > > > Hi, > > > > I have upgraded OSSEC from 2.8.3 to 3.0.0 on my Ubuntu server, using the > install.sh from the expanded tar.gz. From what I can see this was > successful in running the upgrade, but as this was not an upgr

Re: [ossec-list] Re: Comprehensive manual - or - something

2010-05-10 Thread Chris Buechler
On Thu, May 6, 2010 at 7:18 PM, Alessandro Di Giuseppe wrote: > Re: Watch for spam and or defacement > Can't a CAPTCHA be implemented to prevent spambot from posting? > That's not nearly as effective as you might think, speaking from experience with involvement in other popular open source projec

RE: [ossec-list] Re: Do OSSEC agents cache events when offline?

2010-06-14 Thread Chris Kolb
congested. This results in some important alerts being missed, which in my opinion compromises OSSEC's position as a solution for compliance. Chris Kolb Manager of Information Security GDSX, Ltd. Phone: 972-612-7121 Fax: 972-612-7021 Come see us this summer at NBTA in Houston  August 8 -

[ossec-list] Agent/Server Communication Issue with OSSEC 2.5

2010-09-28 Thread Chris Decker
ion, but if any other information is needed please let me know. Thanks, Chris

Re: [ossec-list] Agent/Server Communication Issue with OSSEC 2.5

2010-09-28 Thread Chris Decker
and the agent to see if there is > traffic on port 1514. > > On Tue, Sep 28, 2010 at 12:03 PM, Chris Decker > wrote: > > All, > > > > I just set up an OSSEC 2.5 server/agent installation on my testbed. I'm > > having difficulty getting my agent to successfull

[ossec-list] Binding to Designated Network Interface; "Issue" with syscheck; Nagios question

2010-09-29 Thread Chris Decker
alert and 2 additional alerts related to PAM/login. Is there an easy way to suppress these alerts if they happen all within a second of one another? As always, help is appreciated. Thanks, Chris

Re: [ossec-list] Binding to Designated Network Interface; "Issue" with syscheck; Nagios question

2010-09-29 Thread Chris Decker
of your help. On Wed, Sep 29, 2010 at 12:52 PM, dan (ddp) wrote: > On Wed, Sep 29, 2010 at 12:21 PM, Chris Decker > wrote: > > Ever helpful OSSEC list, > > > > I have three items I'm trying to figure out: > > > > How can I get the OSSEC server process to b

Re: [ossec-list] Binding to Designated Network Interface; "Issue" with syscheck; Nagios question

2010-09-29 Thread Chris Decker
went ahead and modified the PHP for the WUI so it only shows alerts at level 4 or higher, which has helped with the noise. On Wed, Sep 29, 2010 at 2:26 PM, dan (ddp) wrote: > On Wed, Sep 29, 2010 at 2:13 PM, Chris Decker wrote: > > Dan, > > > > Thanks. The "local_i

[ossec-list] Force Push of Agent.conf

2010-09-30 Thread Chris Decker
the OSSEC server, and can't find a good way to troubleshoot. Thanks, Chris

Re: [ossec-list] Binding to Designated Network Interface; "Issue" with syscheck; Nagios question

2010-09-30 Thread Chris Decker
IGNED MESSAGE- > Hash: SHA1 > > On Sep 29, 2010, at 12:21 PM, Chris Decker wrote: > > * We use Nagios to periodically log-in to our servers (using SSH) > to retrieve status information on processes. Every time this happens I get > the successful SSH connection alert

[ossec-list] report_changes Option Crashes remoted

2010-10-04 Thread Chris Decker
b environment at work I can reproduce the same issue using RedHat 5.5 both ways. I do not have IRC access during the day, but am typically on during the night and could help troubleshoot with anyone willing to work with me. Any help would be appreciated. Thanks, Chris

[ossec-list] Re: report_changes Option Crashes remoted

2010-10-05 Thread Chris Decker
r the /etc or C:program files directory, but not an individual file like /etc/file.txt.". I knew this already, but tried my configuration with realtime disabled and still experience this issue. On Mon, Oct 4, 2010 at 9:22 PM, Chris Decker wrote: > All, > > I've been experien

Re: [ossec-list] Re: report_changes Option Crashes remoted

2010-10-06 Thread Chris Decker
uld walk me through using the debugger at night perhaps we could get some clues on the issue. If you have any suggestions I'll give them a shot..I'm out of ideas! Thanks, Chris On Wed, Oct 6, 2010 at 10:10 AM, Michael Starks < ossec-l...@michaelstarks.com> wrote: > >

Re: [ossec-list] Re: report_changes Option Crashes remoted

2010-10-06 Thread Chris Decker
0x00403a94 in OS_ReadMSG (m_queue=6) at analysisd.c:1122 #3 0x00402f2c in main (argc=1, argv=0x7fffe7b8) at analysisd.c:527 Does that tell you anything useful? On Wed, Oct 6, 2010 at 1:11 PM, Daniel Cid wrote: > Hi Chris, > > Can you run analysisd under gdb? I am u

Re: [ossec-list] OSSEC and OpenLDAP logs

2010-11-11 Thread Chris Decker
I'm interested in such a decoder as well, so any effort expended to help Doug would also help me and countless others I'm sure. On Wed, Nov 10, 2010 at 3:55 PM, dan (ddp) wrote: > On Wed, Nov 10, 2010 at 3:12 PM, Doug Burks wrote: > > Has anybody used OSSEC to monitor OpenLDAP logs? Specifical

[ossec-list] Preventing rule 18152 from firing if failed login attempt is from a certain server

2011-01-05 Thread Chris Tweed
, Chris

[ossec-list] Re: Preventing rule 18152 from firing if failed login attempt is from a certain server

2011-01-06 Thread Chris Tweed
dy spots a fatal flaw in what I've done :^) 10 SERVER-NAME 18152 Ignoring SERVER-NAME On 5 January 2011 09:37, Chris Tweed wrote: > This is my first posting to this list having rolled OSSEC HIDS out to an > estate of around 800 Windows based machines towards the end of l

Re: [ossec-list] Re: Preventing rule 18152 from firing if failed login attempt is from a certain server

2011-01-07 Thread Chris Tweed
ginal rule. Nothing yesterday afternoon but I've come into work this morning to discover a whole bundle of those alerts from over night. Thank you very much for your help! Chris On 6 January 2011 16:49, loyd. darby wrote: > please have a look at this: > http

[ossec-list] Change the location of /var/ossec/logs/ossec.log

2011-02-03 Thread Chris Everest
I don't see an obvious way to change the default location of the ossec.log. Can I change this to /var/log/ossec.log? Otherwise, I'll just symlink for convenience. Thanks

[ossec-list] Notification alert email subject misleading

2011-07-26 Thread Chris Phillips
Hi All, I have set up a central "server" and several "agent" OSSEC hosts and OSSEC-WUI and I can see them in the UI, but I have a question relating to alerts. Previously I had the agents configured as "local" OSSEC hosts and the alerts from them were obviously from each individual host, but now

[ossec-list] Problems joining the mailing list using the advertised link

2011-07-26 Thread Chris Phillips
On the website (http://www.ossec.net/main/ossecteam) there is a "Join Mailing List" link, which opens an email (mailto:) but I received the following bounce message upon making my submission to that list. I eventually joined successfully, via: http://groups.google.com/group/ossec-list -- ChrisP

RE: [ossec-list] Notification alert email subject misleading

2011-07-26 Thread Chris Phillips
Perfect, thanks! I haven't found an option to tweak max emails per hour, but I'm hoping to tune out "noise" so the number of emails should be minimal. Cheers, -- ChrisP Chris Phillips Service Designer, intY Ltd. +44 (0)1454 640 532 -Original Message- From: ossec-l

RE: [ossec-list] Notification alert email subject misleading

2011-07-27 Thread Chris Phillips
http://www.ossec.net/doc/syntax/head_ossec_config.reports.html#element-email_maxperhour It goes in the global section. On Tue, Jul 26, 2011 at 7:22 PM, Chris Phillips wrote: > Perfect, thanks! > > I haven't found an option to tweak max emails per hour, but I'm hoping to > t

[ossec-list] something quite odd (UNKNOWN) in active-responses.log

2011-07-27 Thread Chris Phillips
Hi All, I have just seen something quite odd in my active-responses.log: - Wed Jul 27 15:31:44 BST 2011 /var/ossec/active-response/bin/host-deny.sh add - UNKNOWN 1311777104.54981959 5706 Wed Jul 27 15:31:44 BST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.549819

RE: [ossec-list] something quite odd (UNKNOWN) in active-responses.log

2011-07-27 Thread Chris Phillips
Thanks, I'll ignore it, as it doesn't seem to go completely wrong when it tries to auto-respond. -- ChrisP Chris Phillips Service Designer, intY Ltd. +44 (0)1454 640 532 -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf O

RE: [ossec-list] Web interface - HOW TO ??

2011-07-27 Thread Chris Phillips
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of SystemAli Sent: 27 July 2011 17:29 To: ossec-list@googlegroups.com Subject: [ossec-list] Web interface - HOW TO ?? Hello All : I want to install and configure the GUI for OSSEC, But since i am a little novice i

RE: RE: [ossec-list] Web interface - HOW TO ??

2011-07-27 Thread Chris Phillips
-- ChrisP Chris Phillips - Service Designer, intY Ltd. -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: 27 July 2011 19:10 To: ossec-list@googlegroups.com Subject: Re: RE: [ossec-list] Web interface - HOW TO ?? And the form

[ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Chris Phillips
ppened on any of the other servers we have OSSEC installed on. Can anyone please explain what could cause this? I am hoping it's some sort of obscure but OK OSSEC anomaly! Cheers, -- ChrisP (slightly panicky) -Original Message- From: OSSEC HIDS Sent: 28 July 2011 08:46 To: Chri

RE: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Chris Phillips
anything dodgy going on on the system, so I'll continue to monitor closely... -- ChrisP Chris Phillips Service Designer, intY Ltd. +44 (0)1454 640 532 From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Frank Stefan Sundberg Solli Sent: 03 August 2011

RE: [ossec-list] Several hundred alerts for "Integrity checksum changed"

2011-08-03 Thread Chris Phillips
Many Thanks Daniel, That is just what I needed to hear/read! I can see that we do have prelinking turned ON, but not sure it's a "choice" rather than an OS default, so we may end up switching it OFF as I doubt we see any benefits from it. Cheers, -- ChrisP Chris Phillips S

[ossec-list] Local rule change on server takes ages to disseminate to agents

2011-08-18 Thread Chris Phillips
en restart with /var/ossec/bin/ossec-control restart. It seems to take a very long time for that change to propagate & take effect on the "agents". Do I need to do something to manually make the updates apply across the board, or can I alter some setting to make the updates a bit

RE: [ossec-list] Local rule change on server takes ages to disseminate to agents

2011-08-19 Thread Chris Phillips
ould be working. On Thu, Aug 18, 2011 at 8:52 AM, Chris Phillips wrote: > Hi All, > > When I see an alert which I do not want to be notified of (such as assorted > things triggering rule 1002), on the central "server" instance, I edit > /var/ossec/rules/local_rules.xml a

[ossec-list] Including multiple groups in a single daily report

2011-10-11 Thread Chris Kolb
using pipe and comma delimiters, but those did not work. Any tips? Chris Kolb Manager of Information Security GDSX, Ltd. Phone: 972-612-7121 Fax: 972-612-7021 Confidentiality Notice:  This e-mail contains information that is confidential.  It is intended for the exclusive use of the individual or e

RE: [ossec-list] Including multiple groups in a single daily report

2011-10-13 Thread Chris Kolb
t-filtering alerts: 22 ->First alert: 2011 Oct 11 17:35:37 ->Last alert: 2011 Oct 11 23:00:44 It seems that it's performing an AND operation on all the -f strings, rather than an OR operation. Chris -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-lis

[ossec-list] CDB Comparisons

2011-12-09 Thread Chris Decker
I want to generate an alert. As I mentioned, I've read the OSSEC documentation but still can't figure things out. I've also read the past OSSEC User Group postings. Can someone post a brief example of a setup that does something similar to what I need so I have a model for implementi

[ossec-list] Override Decoder from decoder.xml

2011-12-12 Thread Chris Decker
As the subject suggests, is there a way to override a particular decoder in decoder.xml? I have a few tweaks I want to make and obviously want to make sure that future upgrades go smoothly (so I want to keep everything in local_decoder.xml). (Thanks in advance, Dan, for the response ;)) Sent f

Re: [ossec-list] Multiple alerts for one rule

2011-12-12 Thread Chris Decker
Dan, Thanks, that's what I thought based on the key/value references in the documentation. Sent from my iPhone On Dec 12, 2011, at 3:08 PM, "dan (ddp)" wrote: > On Sat, Dec 10, 2011 at 12:01 AM, vmpc vmpc wrote: >> Whenever my rule triggers, I get three alerts sent to the OSSEC server. I am >

[ossec-list] Repeated Offenders not triggering

2011-12-12 Thread Chris Warren
being unblocked after 600 seconds each time. Thanks for any help offered. Chris

Re: [ossec-list] Repeated Offenders not triggering

2011-12-13 Thread Chris Warren
ers list should be in its own block. Example: firewall-drop all 7 600 30,60,120,1440 Again, I'm not sure and I don't know how easy this will be for me to test. On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren wrote: > Hi, > I'm trying out the option but

Re: [ossec-list] Repeated Offenders not triggering

2011-12-16 Thread Chris Warren
7;t see anything in the log on start either. Is this feature confirmed as working? Just doesn't seem to have many docs for it, would be a nice feature to use. Jake Sent using BlackBerry® from Orange -Original Message- From: Chris Warren Sender: ossec-list@googlegroups.com Date: Tue

Re: [ossec-list] Repeated Offenders not triggering

2011-12-16 Thread Chris Warren
read through the source. Any of the developers know much about this? -Original Message- From: Chris Warren Sender: ossec-list@googlegroups.com Date: Fri, 16 Dec 2011 14:41:38 To: Reply-To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Repeated Offenders not triggering Could be t

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-17 Thread Chris Warren
have been nice, but it's fine for now. For more details on this see my post on this solution here: http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html Regards Jake On Dec 17, 4:57 am, Chris Warren wrote: > Good find!  Thank you! > > Unfort

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-20 Thread Chris Warren
, it will go to repeated_offenders :) Thanks again, Jake, for the testing you did with this, and thanks Dan for updating the docs :) - Original Message ----- From: "Chris Warren" To: ossec-list@googlegroups.com Sent: Saturday, December 17, 2011 10:37:41 AM Subject: Re: [ossec-list] Re: Repeated

[ossec-list] Active response to email abuse contact of IP block owner?

2011-12-21 Thread Chris Warren
didn't come up with anything. Chris

Re: [ossec-list] 2.6 ossec debian package & 2.7 ossec puppet module

2012-01-02 Thread Chris Warren
Wow! I was actually just coming to write in and see if a deb repo with deb builds would be a useful way to contribute. I have just worked on a project that required puppet, and I found myself writing a lot of "execs" to get agents registered etc. (the new agent-authd was a HUGE help, btw). I

Re: [ossec-list] ossec 2.6 repeated offenders not working

2012-01-02 Thread Chris Warren
Rainer, also try putting the block in its own section (i.e. not part of the actual active responses). So take it out of both, and put it once in its own block. A few of us have had trouble with this feature. It does work...always just been a question of which config to put it in and how to

[ossec-list] Log All Alerts To alerts.log, Select Alert Levels to MySQL Database?

2012-01-04 Thread Chris Decker
ill want to be able to generate metrics using the flat-file. Thanks, Chris -- Sent from my HP TouchPad

[ossec-list] Error on install - cannot stat `ossec-dbd'

2012-06-22 Thread Chris Billson
instructions, I think it finishes correctly. ossec-hids-2.6/src$ sudo make setdb Error: PostgreSQL client libraries not installed. Info: Compiled with MySQL support. During make os_auth: make[1]: Entering directory `/home/chris/ossec-hids-2.6/src/os_dbd' cp -pr ossec-dbd ../../b

Re: [ossec-list] Error on install - cannot stat `ossec-dbd'

2012-06-22 Thread Chris Billson
now works.. Cheers Chris On Friday, June 22, 2012 1:03:18 PM UTC+1, dan (ddpbsd) wrote: > > On Fri, Jun 22, 2012 at 5:27 AM, Chris Billson <> wrote: > > Server is Ubuntu 12.04, I installed LAMP during setup, post setup I > > installed gcc, build essentials (boo

[ossec-list] Overriding variables

2012-07-18 Thread Chris Sedlmayr
Hi, Is it possible to override variables? For example, the BAD_WORDS variable defined in syslog_rules, would it be possible to override this in local_rules? But have the override then used in the original syslog_rules rules. Thanks.

[ossec-list] file integrity checking

2012-08-01 Thread Chris Billson
Does anyone know if it is possible to run more than one configuration of this, ie I'd like to scan hourly a couple of small directories for changes, and scan the rest of the windows components once a day.. Thanks Chris

[ossec-list] syslog and pfsense - logs not getting stored

2012-10-20 Thread Chris H
Hi. I've just deployed OSSEC for testing on a VM, and I'm looking to use it for log retention, as well as alerting. I've enabled syslog and logall, and successfully got it alerting and logging from apache logs sent by syslog. But I'm having issues with pfsense. I've enabled syslog in pfsense

Re: [ossec-list] syslog and pfsense - logs not getting stored

2012-10-24 Thread Chris H
l 405015003 ecr 0,nop,wscale 5], length 0 Thanks On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote: > > On Sat, Oct 20, 2012 at 6:46 AM, Chris H > > wrote: > > Hi. > > > > I've just deployed OSSEC for testing on a VM, and I'm looking to us

[ossec-list] email alerts - alert levels

2012-10-24 Thread Chris H
Hi, I'm trying to configure email alerts. I want to use granular alerting, so that specific alerts (i.e. Cisco) go to specific teams. I only want specific alert groups generating emails, not everything. I've enabled the global alerts, and tested that it works globally by adding 9. This wor

[ossec-list] Re: email alerts - alert levels

2012-10-24 Thread Chris H
to elaborate, ultimately what I am trying to do is send all emails from cisco above level 9 to one address, and all emails in general above level 12 to another address. Thanks On Wednesday, October 24, 2012 11:09:58 AM UTC+1, Chris H wrote: > > Hi, > > I'm trying to configure

Re: [ossec-list] syslog and pfsense - logs not getting stored

2012-10-24 Thread Chris H
I've also tried putting the IP ranges in allowed-ips, in the form 192.168.0.0/16, with the same effect. It is definitely listening, as I've sent apache logs to it via syslog. Thanks On Wednesday, October 24, 2012 1:42:48 PM UTC+1, dan (ddpbsd) wrote: > > On Wed, Oct 24, 2012 a

Re: [ossec-list] email alerts - alert levels

2012-10-24 Thread Chris H
, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote: > > On Wed, Oct 24, 2012 at 6:09 AM, Chris H > > wrote: > > Hi, > > > > I'm trying to configure email alerts. I want to use granular alerting, > so > > that specific alerts (i.e. Cisco)

Re: [ossec-list] syslog and pfsense - logs not getting stored

2012-10-24 Thread Chris H
works, testing with netcat shows results coming through and going in to the archive log: echo "`date`" | nc -uvvv log-01 514 Thanks. On Wednesday, October 24, 2012 2:18:23 PM UTC+1, dan (ddpbsd) wrote: > > On Wed, Oct 24, 2012 at 9:08 AM, Chris H > > wrote: > > I'

Re: [ossec-list] email alerts - alert levels

2012-10-24 Thread Chris H
Many thanks Ryan, that sounds like it will achieve exactly what I'm after. Chris On Wednesday, October 24, 2012 2:40:57 PM UTC+1, Ryan Schulze wrote: > > Hi Chris, > > the email notification works like this: emails always get sent to the > global , and any granular emai

[ossec-list] msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
Hi, I'm passing log files from Domain Controllers via the OSSEC agent, and trying to refine the decoders for logon events. As standard, the event logs the User as SYSTEM, as this is what raises the event. The event logs contain the User Name and Client IP. I've added a new decoder to local_

[ossec-list] Re: msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 11:13:24 AM UTC, Chris H wrote: > > Hi, > > I'm passing log files from Domain Controllers via the OSSEC agent, and > trying to refine the decoders for logon events. As standard, the event > logs the User as SYSTEM, as this is what raises the

Re: [ossec-list] Re: msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: > > On Tue, Nov 6, 2012 at 8:17 AM, Chris H > > wrote: > > OK, in further digging, it doesn't work. It seemed to work under > > ossec-logtest, but no alerts were firing in the real world. > &g

Re: [ossec-list] msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote: > > On Tue, Nov 6, 2012 at 6:13 AM, Chris H > > wrote: > > Hi, > > > > I'm passing log files from Domain Controllers via the OSSEC agent, and > > trying to refine the decoders for logo

Re: [ossec-list] Re: msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 4:58:24 PM UTC, dan (ddpbsd) wrote: > > On Tue, Nov 6, 2012 at 11:19 AM, Chris H > > wrote: > > > > > > On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: > >> > >> On Tue, Nov 6, 2012 at 8:17 AM, Ch

Re: [ossec-list] msauth logs - extract "real" user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 4:58:14 PM UTC, dan (ddpbsd) wrote: > > On Tue, Nov 6, 2012 at 11:39 AM, Chris H > > wrote: > > > > > > On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote: > >> > >> On Tue, Nov 6, 2012 at 6:13 AM,

[ossec-list] csf firewall

2013-01-14 Thread Chris Warren
Hi all, Has anyone set up a decoder for csf firewall logs? They are pretty similar to the shorewall logs, but with a few differences. I'm not great with regexes and whatnot, so I haven't been able to decode the "action". Any help appreciated. Chris

Re: [ossec-list] csf firewall

2013-01-15 Thread Chris Warren
9:54:30 AM Subject: Re: [ossec-list] csf firewall On Mon, Jan 14, 2013 at 4:22 PM, Chris Warren wrote: > Hi all, > Has anyone set up a decoder for csf firewall logs? They are pretty similar > to the shorewall logs, but with a few differences. I'm not great with the >

Re: [ossec-list] Re: Active response to email abuse contact of IP block owner?

2013-01-27 Thread Chris Warren
, Any progress on this? Cheers, Iraklis On Monday, June 4, 2012 8:00:59 PM UTC+3, Ryan Schulze wrote: Hi Chris, sorry to dig up this old mail, just wanted to ask if you stumbled across anything interesting since I was also thinking about automatic generation of abuse mails with

[ossec-list] Email alerts grouping

2013-03-04 Thread Chris H
> 6 > > > > network@... > syslog,cisco_ios > 10 > > > > > chris@... > 11 > > > > If a change is made to the Domain Admin group, this triggers a level 12 alert. Howeve
