Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread dan (ddp)
On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote: > We have about 480 agents reporting the OSSEC server. The remoted server is > running constantly at 100% CPU utilization. Any suggestions on how to > re-mediate this please? > Is there a lot of traffic between the agents

Re: [ossec-list] Disable all rules for ossec server

2017-04-25 Thread dan (ddp)
On Apr 25, 2017 11:25 AM, "Huc Manté Miras" wrote: Hello, I am trying to disable all rules on the ossec server. Is this possible? Have you tried removing the rules from the server's ossec.conf? Thanks!!

Re: [ossec-list] Opening port for ossec server/agents

2017-04-25 Thread dan (ddp)
On Apr 25, 2017 11:37 AM, "Martin" wrote: Hello, I'm getting a bit lost with the port opening for ossec. Let's say I have 3 machines running on ubuntu 16.04. I do a fresh install of OSSEC manager on the machine A and a fresh install of ossec agent on both B & C. Now I

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp)
> befuddle ossec? (I get I'll lose the change history.) > You should be able to delete the files. I don't generally use the diff option, so haven't tested this all myself. > > > On 04/20/2017 01:29 PM, dan (ddp) wrote: >> >> On Thu, Apr 20, 2017 at 1:02 PM, Bee esS <bs27...

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp)
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS wrote: >> If you need them shrunk, you'll have to clear the databases. > > How? > When resurrecting 2+ year old threads, it might be best to offer more context. To clear a syscheck db: 1. stop the ossec processes on the server 2.

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant <cspitr@gmail.com> wrote: >> How would I go about checking if AR is disabled on agents? Checking config >> files and don't see anything about it. Run

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: > How would I go about checking if AR is disabled on agents? Checking config > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this > on Ubuntu > I think it's enabled by default. This is all I have

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote: > Still no luck. Just to verify, the scripts should be located in > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't > really telling me anything either. > Yep, that's where they go. AR isn't

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote: > Yes test.sh is on the agent. Execd is also running and yep the alert is > firing. > Try removing the level option and leave just the rules_id. > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: >>

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote: > Hello, > > I'm pretty new to OSSEC and I'm working to get some active responses > working. I have tried a number of different active responses but cannot seem > to get it to work anywhere (not on the server or agents).

Re: [ossec-list] Alert suppression sha1sum

2017-04-19 Thread dan (ddp)
On Mon, Apr 17, 2017 at 11:09 AM, Kumar G wrote: > Hi Team, > > In our ossec environment we are getting lots of sha1sum alerts (even though > its not configured) and that are irrelevant to us. Is there any way to > suppress these alerts? > > ** Alert 1491577582.15621: mail -

Re: [ossec-list] OSSEC Agent not works

2017-04-15 Thread dan (ddp)
On Sat, Apr 15, 2017 at 4:57 AM, Руслан Аминджанов wrote: > Reinstalled on both server and client, enabled debug mode. Still same > situation. > Are there any relevant logs in the server's ossec.log? Are there any relevant logs in the agent's ossec.log? Help me help you.

Re: [ossec-list] Variables for monitoring syslog files in subfolders

2017-04-14 Thread dan (ddp)
On Fri, Apr 14, 2017 at 9:28 AM, Paul wrote: > Another tech set up a kiwi syslog server on a Windows machine and I am > trying to monitor those files with ossec. (v2.8.3) > However, the way things are setup, each device has its own folder with the > logs going inside of

Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-14 Thread dan (ddp)
On Thu, Apr 13, 2017 at 9:24 PM, weisst wrote: > windows 2012 r2 error > 问题签名: > 问题事件名称:APPCRASH > 应用程序名:win32ui.exe > 应用程序版本:0.0.0.0 > 应用程序时间戳:58ef28a9 > 故障模块名称:StackHash_bc03 > 故障模块版本:6.3.9600.17415 > 故障模块时间戳:5450559e > 异常代码:

Re: [ossec-list] OSSEC Agent not works

2017-04-14 Thread dan (ddp)
On Fri, Apr 14, 2017 at 4:21 AM, Руслан Аминджанов wrote: > Yes, I done it. > Configure debug mode on the OSSEC server (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`). Then check the server's ossec.log again to see if an error is

Re: [ossec-list] on ubuntu compile windows 64bit error

2017-04-13 Thread dan (ddp)
On Thu, Apr 13, 2017 at 5:14 AM, weisst wrote: > Dear all > > i try compile windows 64bit on Ubuntu 16.10, and i install depend > > sudo apt-get install build-essential -y > sudo apt-get install nsis nsis-common -y > sudo apt-get install mingw-w64 mingw-w64-common

Re: [ossec-list] How soon does an agent disconnect appear

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 4:01 PM, Nikki S wrote: > How long does it take for the agent to appear as 'disconnected'? I read on > another thread that the 'keep alive' needs to fail three times. I could not > find where we set the frequency of the agent check in. > I think

Re: [ossec-list] Is it possible to trigger an active response on a rule with a severity level of 0?

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 1:40 PM, Rob Williams wrote: > Essentially, I want to trigger an active response for a rule that I created > that has a severity level of 0. I created this rule because I did not want > to be alerted on the default rule and only wanted to be

Re: [ossec-list] File deletion, Integrity checksum and sending mail fails.

2017-04-13 Thread dan (ddp)
On Wed, Apr 12, 2017 at 6:28 AM, wrote: > Hi, > > I do not receive file deletion alerts in the latest 2.9.0 version, > Also any changes made to the file are not reported as before. > I haven't tested this, but I'll give it a shot. > Also the maild daemon fails sending the mail.

Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil wrote: > I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS. > The issue started after I added in more disk since I ran out of space in / > I really wish SO would partition their system properly. Big /, nothing

Re: [ossec-list] Re: Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel wrote: > Perhaps this is way off base, but have you added an agent for localhost ? In > my context of a new install, a ton of issues went away after I added an > agent for the localhost (name=localhost, IP=127.0.0.1). Didn't

Re: [ossec-list] OSSEC upgrade from 2.8.3 to 2.9 RC5 DBD error

2017-04-13 Thread dan (ddp)
On Mon, Apr 10, 2017 at 2:34 PM, Dayne Jordan wrote: > DISREGARD - major faux pas on my part from previous... its' alert not alerts > table.(singular) > > Alert table does exist, however the column "level" does not, i will create > it manually. > > MariaDB [ossec]> describe

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Apr 6, 2017 at 1:29 PM, Jake B. <cspitr@gmail.com> wrote: >> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is >> there any way to use the agent's name in a rule o

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:29 PM, Jake B. wrote: > Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is > there any way to use the agent's name in a rule or decoder? I have my agents > named after the hostname so I was thinking that could potentially be

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams wrote: > Hi, > > I tried to do this, but I'm getting: > > ERROR: Parent decoder name invalid: 'rootcheck' > ERROR: Error adding decoder plugin > > I don't see the rootcheck decoder within decoder.xml as well, any ideas? > It

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:13 AM, Jake B. wrote: > I'm not sure if this is a problem with the OSSEC configuration or the host > itself, but there are some events where the logs or full message only have > some of the information I need. For example, this will be the full

Re: [ossec-list] Redundancy manager (backup)

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:32 AM, Martin wrote: > Hello Victor, > > I tried to run a second manager and I've the same file > /var/ossec/etc/client.keys on it and on the first manager. I've copied the > local_rules, ossec.conf, local_decoder as well. > > And I've specified on

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams wrote: > I stopped them all (which appeared to work fine) and start again. Here is > the rule and decoder I made for this (I want to alert only once if the same > ID (filepath) has alerted in the past minute): > > > > 510

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote: > Yes I have, I've also tried to disable all the relevant changes I've made, > restart, and still have the same issue. > Try stopping the ossec processes, verify that ossec-analysisd has stopped (sometimes it doesn't

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote: > Hi all, > > I'm running into an issue where rule 510 is triggering and I'm getting > spammed with alerts but I can't seem to tune it correctly. What's weird is > that I am still getting alerted for rule 510 for this

Re: [ossec-list] Ossec 2.90 - Issue alerts for Windows 1002

2017-04-03 Thread dan (ddp)
There was a major issue with the windows decoder in 2.9.0. Grab the decoders from MASTER or the 2.9.1 branch and try those. On Apr 3, 2017 12:59 PM, "Charles Profitt" wrote: I have checked the agent and server versions and they are 2.9.0. I am getting all my alerts from

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-31 Thread dan (ddp)
I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your >>>> configuration and it worked. But when I disabled IPv6 I got the >>>> same errors you have. >>>> >>>> Please try to enable IPv6 on the running system with: >>>> >>>

Re: [ossec-list] cannot get policy auditing to work

2017-03-29 Thread dan (ddp)
On Tue, Mar 28, 2017 at 5:16 PM, Keith Goodlip wrote: > I've been trying to set up policy audit in a lab I've set up to no avail. > > My setup is 2 servers (server, client) using CentOS 7.3 and RPMs from the > atomic repository (selinux, firewalld are disabled) (ipv6 is

Re: [ossec-list] Re: %AppData% alert on new file creation proper setup

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 4:26 AM, wrote: > Hello Dan, > > Thank you for your feedback. I have changed the frequency to 900 > sec, and inspected the ossec.log. I noted that inside the log file none of > the agent.conf directories were present. Any theories

Re: [ossec-list] OSSEC Agents Unable to Connect to Server

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker wrote: > OSSEC agents this morning were working without issue and then began > reporting as Disconnected. Agent logs are returning the following error: > > 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 11:25 AM, wrote: > Hi All, > > So I am currently still troubleshooting, but noticed that the syslog-ng > process was listening on 514 TCP, but also had an entry for 514 UDP, which > is the protocol I've set within my ossec.conf. Could this be part

Re: [ossec-list] Can the windows agent report to Wazuh and OSSIM simultaneously?

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 12:52 PM, Joel Fries wrote: > Am I able to set up the OSSEC windows agent to report to both a Wazuh and an > OSSIM server at the same time? > There is no support in the OSSEC agent to report to 2 destinations simultaneously. It is possible that Wazuh has

Re: [ossec-list] Do I need to create a new decoder for a custom rule?

2017-03-25 Thread dan (ddp)
On Sat, Mar 25, 2017 at 6:32 PM, Justin Redman wrote: > I'm receiving generic level 2 rule 1002 "Unknown problem somewhere in the > system" alerts. It is opendkim reporting "bad signature data" in syslog when > receiving email from some domains. Unfortunately not everyone

Re: [ossec-list] %AppData% alert on new file creation proper setup

2017-03-25 Thread dan (ddp)
On Sat, Mar 25, 2017 at 4:54 AM, wrote: > Hello fellow googlers, > > > The GOAL: > > For every user on my windows OSSEC agent, generate OSSEC alert severity 10 > when new file added to > > C:\Users/*/%AppData%/Local/Temp directory > > Where star was supposed to be

Re: [ossec-list] Re: Modify rules

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote: > I went with the first option. Works as expected but now I need to adjust the > number of fails before the ip is blocked.. Where do I do that? > Try using 5720 for the rule to trigger active response. It looks for 8+

Re: [ossec-list] Custom decoder & rules not working

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote: > Hello, > > I've those kind of logs coming from a custom app >> >> >> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 >> [] [] > > > I'm trying to block an ip with too many authentication failures. > >

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo wrote: > Hi dan, I don't have ipv6 enabled in my linux system, so I don't have inet6 in > my ifconfig configuration, only ipv4. > > Could this be the cause of the problem? > I think having ipv6 support is

Re: [ossec-list] Re: Agentless ssh monitoring fails to connect every time

2017-03-22 Thread dan (ddp)
On Tue, Mar 21, 2017 at 7:11 PM, Marcin Gołębiowski wrote: > Trying to debug with expect I got: > expect -d agentless/ssh_integrity_check_linux u...@server.com > /directory/to/check > expect version 5.45 > argv[0] = expect argv[1] = -d argv[2] = >

Re: [ossec-list] Syslog Forward Configuration Resulting in a Failure

2017-03-22 Thread dan (ddp)
On Tue, Mar 21, 2017 at 2:53 PM, Marc Baker wrote: > I am attempting to forward OSSEC logs to a SIEM via syslog. Recommended > configuration in the documentation is: > > > 192.168.4.1 > > > > > The SIEM recognizes json format on port 5500 so I've configured logs

Re: [ossec-list] Drop IP on all agents

2017-03-22 Thread dan (ddp)
On Wed, Mar 22, 2017 at 7:05 AM, Martin wrote: > Ok the problem was that I thought that all as stated in > the doc would execute the command everywhere (meaning on all the agents & > the server). > > But "all" means all the agents except the server. Thanks for pointing that

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-22 Thread dan (ddp)
On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo wrote: > When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I have Is IPv6 totally disabled for your system (support for IPv6 was removed)? > a problem with ossec-remoted and ossec-auth,

Re: [ossec-list] Journald again

2017-03-22 Thread dan (ddp)
On Wed, Mar 22, 2017 at 8:20 AM, Per-Erik Persson wrote: > Is anyone working in this? Not that I'm aware of. > Or is there any way to feed the journald logs the ossecagent? > Or am I supposed to install rsyslog and forward the logs to the ossec server? > Any way to feed

Re: [ossec-list] timeout - ossec-agentlessd: ERROR: ssh_generic_diff: ossec

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 6:44 AM, Eduardo Reichert Figueiredo wrote: > Hi Dan, I have success when I run this command below. > > # su ossec -s /bin/bash -c 'cd /var/ossec && expect > agentless/ssh_generic_diff user_ossec@SERVIDOR-01 ls -lah' > Connection to SERVIDOR-01

Re: [ossec-list] Drop IP on all agents

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 7:11 AM, Martin wrote: > Hello, > > Thank you for your answer. > > I modified the Active-Response in the file /var/ossec/etc/ossec.conf to look > like this; > > > > > host-deny > all > 6 > 600 > > > > > >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 11:33 AM, wrote: > Here is the output: > > udp0 0 0.0.0.0:514 0.0.0.0:* > 21090/syslog-ng > So syslog-ng is listening for incoming messages. You'll have to figure out what syslog-ng is doing with the log messages. > This

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-15 Thread dan (ddp)
On Wed, Mar 15, 2017 at 4:15 PM, Ralph Durkee wrote: > Dan, > > > When I started this I was apparently using some old documentation, > probably the book you wrote several years ago, and the parameter examples > were limited. Also the newer docs show a limited set of >

Re: [ossec-list] timeout - ossec-agentlessd: ERROR: ssh_generic_diff: ossec

2017-03-15 Thread dan (ddp)
On Mon, Mar 13, 2017 at 9:59 AM, Eduardo Reichert Figueiredo wrote: > Dear all, > I have the ERROR below in my ossec server, and no alerts are generated from > Linux (agentless) in ossec. > I searched for similar errors in these forums but I didn't find a solution. > > Can

Re: [ossec-list] Email alerting triggered for one specific AD user.

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 1:51 PM, BeesZA wrote: > Hi All, > > I am very new to OSSEC and I need some help with a simple issue. I need an > example rule for the following: > > I have a user that has a granular password policy applied to him, this > policy says that this

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 3:37 PM, wrote: > Hello, yes: > > root@xx:/var/log# netstat -tuna | grep 514 > tcp0 0 0.0.0.0:514 0.0.0.0:* > udp0 0 0.0.0.0:514 0.0.0.0:* > > Adding -p to that could tell you the process using

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz wrote: > Hello, > > In order to permit Ossec to receive your Symantec syslog messages, you need to > enable this in the configuration: > Unless you're using a proper syslog daemon, which may already be listening on that port. >

Re: [ossec-list] Re: DNS block active response script not run for named rule

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 5:44 PM, Ralph Durkee wrote: > Yes, I got the production system working against a test attack script. Will > monitor it to do tuning for the real flurries of bogus DNS queries, and will > try the duplicate / twin decoder name to see if that works.

Re: [ossec-list] Drop IP on all agents

2017-03-15 Thread dan (ddp)
On Wed, Mar 15, 2017 at 7:25 AM, Martin wrote: > Hello, > > First, I'm sorry if the question has already been asked. > > So what I'm trying to achieve is this: > > If someone fails to log in too many times on one of my agents, I want this ip > to be dropped on all other agents

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread dan (ddp)
On Mar 14, 2017 10:57 AM, wrote: Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:

Re: [ossec-list] Ossec - modify message (add tag)

2017-03-13 Thread dan (ddp)
On Mar 13, 2017 11:50 AM, "Martin Dulovič" wrote: Hello, I have this problem, you could say. I need Ossec to crunch modified logs (syslogs). Our syslog message is as follows. *Example message:* [syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control

Re: [ossec-list] Ossec rule to parse two patterns with OR

2017-03-10 Thread dan (ddp)
On Fri, Mar 10, 2017 at 3:37 AM, Ieva wrote: > Hello > Maybe someone can help a newbie to write a first OSSEC rule. I tried to read > the OSSEC book chapter 4 "Working with rules" but it didn't help. So I have > Windows event logs and want to write a rule with a regex to drop out

Re: [ossec-list] ossec-logcollector: socketerr (not available).

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 9:42 AM, "Eduardo Reichert Figueiredo" < eduardo.reich...@hotmail.com> wrote: Dear all, my ossec doesn't list agentless servers with the command "agent_control -l" and in my ossec.log I have the log below. 2017/03/06 11:27:54 ossec-logcollector: socketerr (not available). 2017/03/06 11:30:04

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread dan (ddp)
; >> > >> **Phase 2: Completed decoding. > >>decoder: 'windows' > >>status: 'AUDIT_FAILURE' > >>id: '5152' > >>extra_data: 'Microsoft-Windows-Security-Auditing' > >>dstuser: '(no user)' > >

Re: [ossec-list] Enable only syscheckd for FIM

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 11:16 AM, "Sam Gardner" wrote: Once I turned on "alert_new_files" I started getting alerts - things appear to be working now. Is there any way to completely disable the logcollector daemon? We have another process that does that job so no need to have that bit

Re: [ossec-list] Is OSSEC 2.9.0 officially released?

2017-03-06 Thread dan (ddp)
There were some unreported issues with 2.9, so I'm hoping to roll 2.9.1 real soon now. Going forward, I'm going to work on a better test plan for releases. I've been sloppy and need to improve that. On Mar 6, 2017 9:01 AM, "Kat" wrote: > Hi all, > > It seems to me that

Re: [ossec-list] ossec-remoted not running

2017-03-04 Thread dan (ddp)
On Sat, Mar 4, 2017 at 2:36 PM, Eduardo Reichert Figueiredo wrote: > Hi All, > I killed the process and ran the command "ossec-control start" and the > remoted process stays up. > But my "Windows" agents display "never connected" even though port 1514 stays up > and with

Re: [ossec-list] Enable only syscheckd for FIM

2017-03-04 Thread dan (ddp)
On Fri, Mar 3, 2017 at 5:29 PM, Sam Gardner wrote: > Thanks for the info - I'd like to explore what I can actually do with OSSEC > and do my due diligence before exploring other options. > > I've spun up the following conf file and am running ossec-analysisd and >

Re: [ossec-list] Corresponding user ossec, ossecm don't exist

2017-03-04 Thread dan (ddp)
On Sat, Mar 4, 2017 at 12:21 PM, wrote: > > I am having the problem that within the installation of the OSSEC client the > corresponding user/groups (that OSSEC use within its executable files and > directories) are not created. > I am running the

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-03 Thread dan (ddp)
extra_data: 'Microsoft-Windows-Security-Auditing' >> dstuser: '(no user)' >>system_name: 'WK034.dom.com' >>srcip: '10.20.10.55' >> >> **Phase 3: Completed filtering (rules). >>Rule id: '18105' >>Level: '4' >

Re: [ossec-list] Enable only syscheckd for FIM

2017-03-03 Thread dan (ddp)
be the package for them. Projects like Aide are great at what they do without the fluff. But that kind of decision is very project/requirement specific, so don't consider this a professional opinion. :-) > On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >

Re: [ossec-list] Enable only syscheckd for FIM

2017-03-02 Thread dan (ddp)
On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner wrote: > Hi All - > > I'd like to run only the syscheck subsystem in order to provide FIM. > > I don't see anything in the docs that immediately appears to do what I want > - is there any way to run syscheckd in "standalone" mode or

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread dan (ddp)
' Description: 'Windows audit failure event.' **Alert to be generated. On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfbar...@gmail.com> wrote: >> Thanks. >> But don't work. It only decode srcip field. Attach

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread dan (ddp)
On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote: > Thanks. > But it doesn't work. It only decodes the srcip field. Attaching the output: > > **Phase 1: Completed pre-decoding. >full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: (no user):

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-02 Thread dan (ddp)
On Thu, Mar 2, 2017 at 1:01 AM, InfoSec wrote: > In the Wazuh fork, dynamic decoders are an outstanding idea. It allows > unprecedented visualization capabilities in the security console *without* > having to resort to further parsing tricks at ingestion time. It is all

Re: [ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison wrote: > It would be great to see the decoder entries that go with these rules ... I > know this is an older post but maybe you are still around and can share the > decoder and maybe the plugin as well? > If you can provide log

Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:59 AM, Eduardo Reichert Figueiredo wrote: > Port 1514 is already up, I received UDP packets (validated with tcpdump), ossec > is running (monitord, logcollector, syscheck, analysisd), only remoted is not > running, but remoted is displayed for port

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread dan (ddp)
On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J. wrote: > That is not what I meant. > > If the source IP is decoded and stored in field srcip, I want to be able to > specify _srcip_ (or whatever convention used to tell regex that this is a > variable), and have

Re: [ossec-list] How to check that chained checksums are correct

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 11:10 AM, Dominik wrote: > OSSEC creates checksums and chained checksums of the archives. I need a way > to confirm that the chain is correct. > > zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-28.log.gz | md5sum > creates the entry > Current

Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-02-27 Thread dan (ddp)
On Feb 26, 2017 11:45 AM, "InfoSec" wrote: Is it possible to refer to the content of a decoded field by its field name inside a regex in a rule? Example: after decoding an event, we have two fields among several, field1 and field2. The event contains: ... Field1

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-24 Thread dan (ddp)
Any Windows users want to take a look at this? On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J. wrote: > I am using the eventchannel format. Eventlog provides no useful information > for logs other than the three basics: Application, Security and System. > > If

Re: [ossec-list] ossec-authd failing qualys scans due to weak cipher

2017-02-23 Thread dan (ddp)
On Thu, Feb 23, 2017 at 2:27 PM, dan (ddp) <ddp...@gmail.com> wrote: > On Thu, Feb 23, 2017 at 2:11 PM, <sergio.uriarte.3...@gmail.com> wrote: >> ossec-authd while configured to default to tls 1.2 still responds to lower >> encryption types of sslv3, tls1, and t

Re: [ossec-list] ossec-authd failing qualys scans due to weak cipher

2017-02-23 Thread dan (ddp)
On Thu, Feb 23, 2017 at 2:11 PM, wrote: > ossec-authd while configured to default to tls 1.2 still responds to lower > encryption types of sslv3, tls1, and tls 1.1. Are there any plans to resolve > this issue? > Sure: https://github.com/ossec/ossec-hids/issues/1070

Re: [ossec-list] Debugging Unprocessed Log Entries

2017-02-23 Thread dan (ddp)
On Fri, Feb 10, 2017 at 3:04 AM, Quintin Beukes wrote: > Thanks Dan. Is there a way to get OSSEC to provide more details on the > messages it actually processes? I'd like to gain a better understanding of > this application because it has a lot of seemingly random

Re: [ossec-list] Alert when Multiple if_matched_sid triggered

2017-02-23 Thread dan (ddp)
On Sat, Feb 18, 2017 at 3:51 PM, Samet Sazak wrote: > Hi everyone, > > I want to alert when these two rules are triggered. One rule sid is enough but it > works like "OR". I want to alert only when both "2502" and "18149" are triggered. > Is that possible? > > > 2502 > 18149 > Test Rule 1 >

Re: [ossec-list] OSSEC Agent Causes Memory Leak

2017-02-23 Thread dan (ddp)
On Mon, Feb 20, 2017 at 5:33 AM, Antonis M wrote: > Hello, > > I have installed OSSEC agent on some Windows Servers 2008. OSSEC agent, > through svchost.exe, consumes all the available memory on the system. > Any thoughts would be appreciated! > Can you provide your

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-23 Thread dan (ddp)
On Thu, Feb 23, 2017 at 10:30 AM, InfoSec wrote: > I found how to run the agent in debug mode. It seems like the issue lies > with the agent, and the server is faithfully accepting whatever the agent is > sending across. > Oh sweet, I didn't know it did that. I guess I

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-23 Thread dan (ddp)
On Thu, Feb 23, 2017 at 9:30 AM, InfoSec wrote: > I tend to think that the Windows Agent is the culprit. > > Can the agent be temporarily run in debug mode, so it logs locally the > events that it forwards to the server? > There are no options for that. The best you can

Re: [ossec-list] Alerts forwarded to syslog do not have group information

2017-02-23 Thread dan (ddp)
On Thu, Feb 23, 2017 at 11:58 AM, David G. Pullman wrote: > I'm using OSSEC 2.8.3 and the Wazuh ruleset addon, primarily for the pci_dss > tagging. I have the syslog_output configured to forward to localhost to > capture the alerts in syslog (rsyslog on Ubuntu 16.04). The

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-02-21 Thread dan (ddp)
On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote: > Version 2.8 > > Events: > > WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows > Filtering Platform blocked a packet. Application Information: Process ID: 0

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-21 Thread dan (ddp)
On Mon, Feb 20, 2017 at 6:09 AM, InfoSec wrote: > The event is from a Windows 10 system. > > I have turned on logall. I am having a hard time regenerating event ID 5140, > however I have spotted several other event types where the xml field labels > are NOT logged up by

Re: [ossec-list] Unable to establish mail communication

2017-02-21 Thread dan (ddp)
On Feb 21, 2017 9:05 AM, wrote: Hi, I am unable to receive emails triggered on events to the specified email-id. Could anyone please help me on this. Sure.

Re: [ossec-list] Windows override Audit Events. Decoder

2017-02-17 Thread dan (ddp)
On Fri, Feb 17, 2017 at 6:04 AM, Casimiro wrote: > I'm trying to override the windows decoder to extract more fields (in > local_decoder.xml), like source ip, destination ip, source port, > > This is my local decoder for windows > > >windows >AUDIT_FAILURE(51512) >

Re: [ossec-list] Suppressing notification {Scanned}

2017-02-17 Thread dan (ddp)
unnecessary emails/day from my inbox wouldn't make a dent! Thanks for reporting back, I'll submit a PR. > Thanks a lot for the help! > > Best regards > Göran Lundberg > > "dan (ddp)" <ddp...@gmail.com> skrev: (15 februari 2017 22:17:23 CET) >> >> On Wed,

Re: [ossec-list] Agent with ip of network

2017-02-16 Thread dan (ddp)
On Thu, Feb 16, 2017 at 11:57 AM, Eduardo Reichert Figueiredo wrote: > Hi all, > I tested ossec with agents (windows) set to ip 10.10.10.0/24, and every > computer within the network responds with its logs (file integrity, event viewer). > But, when I have an integrity alert

Re: [ossec-list] Suppressing notification {Scanned}

2017-02-15 Thread dan (ddp)
er. > > Can anyone add this upstream to the mailscanner_rules.xml? If it is > confirmed to work that is. > Test it out and let me know. If it works as intended I'll try to put it in. > -- > Best regards, > Göran Lundberg > > > 2017-02-15 21:05 skrev dan (ddp): >> >> On T

Re: [ossec-list] windows_registry monitoring in OSSEC

2017-02-15 Thread dan (ddp)
On Tue, Feb 14, 2017 at 8:10 AM, amir zargaran wrote: > > Dear All > I want to monitor the > "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" path in > Ossec. > I also added the mentioned path to the C:\Program_File(x86)\ossec-agent\ossec.conf > file in the syscheck

Re: [ossec-list] ossec-remoted will not stay running

2017-02-15 Thread dan (ddp)
On Tue, Feb 14, 2017 at 6:24 PM, aiborin wrote: > I am running v2.8.3-53. > > Please explain what you mean by "what is my remote config?" > - I checked ossec.conf and only see a setting related to running remote > connections secure (default port 1514). > So, this?

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-15 Thread dan (ddp)
On Wed, Feb 15, 2017 at 3:20 AM, InfoSec wrote: > The events are sanitized. > > XML in Windows Event Viewer: > - http://schemas.microsoft.com/win/2004/08/events/event;> > - >Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> > 5140 > 1 > 0 > 12808 > 0 >

Re: [ossec-list] Suppressing notification {Scanned}

2017-02-15 Thread dan (ddp)
On Tue, Feb 14, 2017 at 7:11 PM, wrote: > Hi! I'm trying to remove these notifications from mailscanner. > > > OSSEC HIDS Notification. > 2017 Feb 14 06:29:41 > > Received From: hostname->/var/log/syslog > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the

Re: [ossec-list] OSSEC parse rfc3164 / BSD format log files

2017-02-15 Thread dan (ddp)
On Wed, Feb 15, 2017 at 1:03 PM, Ralph Durkee wrote: > I'm surprised I'm not finding a quick answer to this one in my searches, so > hopefully this will be quick. > OSSEC is not parsing log files with a priority prefix, in the rfc3164 / BSD > format. The prematch fails.

Re: [ossec-list] ossec-remoted will not stay running

2017-02-13 Thread dan (ddp)
On Feb 13, 2017 11:48 AM, "aiborin" wrote: I am running an OSSEC server in each of my two data centers. In one data center, the server will stop the ossec-remoted service multiple times a week. There is nothing in /var/ossec/logs/ossec.log to indicate why. I get the
