Re: [ossec-list] Re: sending email notification to Secure SMTP server

2010-10-18 Thread dan (ddp)
On Sun, Oct 17, 2010 at 11:53 PM, pavan nutalapati wrote: > the secure destination mail server listens on port 465, this port is > default for the secure communication, i think the underlying protocol > uses that port. > so first, in the code i  changed the port no from 25 to 465, but no > luck, t

Re: [ossec-list] Re: Problem to run active response and

2010-10-18 Thread dan (ddp)
> Best regards. > I've switched my AR over to the rules_group setup. So hopefully I'll be able to test it later. > On 17 oct, 20:34, "dan (ddp)" wrote: >> On Sun, Oct 17, 2010 at 1:19 PM, tux3132 wrote: >> > Hi >>

Re: [ossec-list] Checking Open Ports

2010-10-18 Thread dan (ddp)
On Mon, Oct 18, 2010 at 11:55 AM, Jefferson, Shawn wrote: > Hi, > > What's the "logall" option?  My listening ports are changing on the client(s). > > What's the mechanism for getting output of commands from the client to the > server?  I am getting syscheck and rootcheck messages, but apparently

Re: [ossec-list] Re: email alerts coming in fours

2010-10-18 Thread dan (ddp)
On Mon, Oct 18, 2010 at 1:19 PM, benfellows wrote: > Just figured this out. It dawned on me that I had seen the maild > daemon running multiples in the past when I was starting and > restarting the server. Sure enough I had four mailds running. I killed > three of them, and now watching to see if

Re: [ossec-list] Checking Open Ports

2010-10-18 Thread dan (ddp)
On Mon, Oct 18, 2010 at 2:11 PM, Jefferson, Shawn wrote: > Hi, > > Ok!  Getting closer to figuring this out.  The full_command data is getting > from the client to the server (and being logged in the archives.log file > after using the global.logall option.)  It looks like the message is NOT >

Re: [ossec-list] 2WoO Day 2: Abusing OSSEC

2010-10-18 Thread dan (ddp)
And here's a roundup of day 2: http://ddpbsd.blogspot.com/2010/10/second-week-of-ossec-roundup-day-2.html On Mon, Oct 18, 2010 at 10:43 AM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 10/18/2010 08:33 AM, Michael Starks wrote: >> http://www.immutable

Re: [ossec-list] 2WoO Day 3: Abusing OSSEC – the Countermeasures

2010-10-19 Thread dan (ddp)
On Tue, Oct 19, 2010 at 8:25 AM, Michael Starks wrote: > http://www.immutablesecurity.com/index.php/2010/10/19/2woo-day-3-abusing-ossec-the-countermeasures/ > > -- > Michael Starks > [I] Immutable Security > http://www.immutablesecurity.com > Decoders 101: http://ddpbsd.blogspot.com/2010/10/ossec

Re: [ossec-list] problem with agent.conf

2010-10-19 Thread dan (ddp)
On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers wrote: > Hi list > > I am using ossec with agents. But the don't use the: > /var/ossec/etc/shared/agent.conf file > > I really have no idea and no error log. > What can be happend? > What tests are possible? > agent_controls says: > > ID: 005, Name: n0

Re: [ossec-list] problem with agent.conf

2010-10-19 Thread dan (ddp)
file is not ignored >     /lib    <<<<<< this works >   >   > > maybe the syntax is simply wrong? > > Mike > It looks right to me. You could try the following: ^/etc/ppp/chap-secrets But I don't think that will add anything. Which version of OSSEC are you usin

Re: [ossec-list] Monitor ssl access to an apache server

2010-10-19 Thread dan (ddp)
On Tue, Oct 19, 2010 at 9:10 PM, Vitor Correia wrote: > Hello everyone, > > I have as apache server with an ssl-only site with restrictions on who > can browse it by means of digital certificates. Meaning that ir order > to browse the secure site one would need to have a x509 certificate > issued

Re: [ossec-list] problem with agent.conf

2010-10-20 Thread dan (ddp)
og/messages'. > 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/warn'. > 2010/10/19 15:28:24 ossec-logcollector: INFO: Started (pid: 24510). > > but no /boot > > Mike > > 2010/10/19 dan (ddp) >> >> On T

Re: [ossec-list] 2WoO Day 3: Abusing OSSEC – the Countermeasures

2010-10-20 Thread dan (ddp)
And the day 3 roundup: http://ddpbsd.blogspot.com/2010/10/second-annual-week-of-ossec-roundup-day.html On Tue, Oct 19, 2010 at 9:44 AM, dan (ddp) wrote: > On Tue, Oct 19, 2010 at 8:25 AM, Michael Starks > wrote: >> http://www.immutablesecurity.com/index.php/2010/10/19/2woo-day-3-a

Re: [ossec-list] Error "ossec-syscheckd: socket busy" on HP-UX

2010-10-20 Thread dan (ddp)
Which version are you using on the hpux box? There's a snapshot that is suspected to fix some hpux issues: http://www.ossec.net/dcid/?p=204 On Wed, Oct 20, 2010 at 8:40 AM, marco wrote: > Hi list, > I'm pretty new here (just subscribed). I've installed ossec yesterday > and trying to use it to mo

Re: [ossec-list] 2WoO Kickoff: the week ahead

2010-10-20 Thread dan (ddp)
I'm kicking off my Work in Progress OSSEC rules. http://ddpbsd.blogspot.com/2010/10/work-in-progress-ossec-rules.html

Re: [ossec-list] false positive ?

2010-10-21 Thread dan (ddp)
OSSEC tries to bind to the port and checks the output of netstat and compares the results. If they don't match up it reports it. This could be a sign that a process had bound to a port when it checked the first part, and the process was dead when it tried the second check. It could also mean that
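
The check dan describes above (a bind() probe compared against what netstat reports) and the race he mentions (a listener that exits between the two looks), written out as an added example. This is not OSSEC's rootcheck code; it is a small Python re-implementation. The netstat sample is constructed, the `netstat -an` column layout it parses is assumed, and the second probe after the listing is the caveat handling: a port that was busy at the first probe but free at the second is treated as a transient and not reported.

```python
"""Hidden-listener check: bind() probe versus the listeners the system reports.

Added example (not OSSEC code). A port that refuses bind() is in use; if the
system's own listing does not show it, something may be hiding the socket.
Re-probing after the listing filters out processes that exited in between.
"""
import socket
import subprocess
from typing import Callable, Iterable, Optional, Set

# Constructed `netstat -an`-style output for the offline demonstration.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::1514                 :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""


def parse_listening_ports(netstat_output: str) -> Set[int]:
    """Ports the system admits to: TCP sockets in LISTEN, every bound UDP socket."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto, local = parts[0], parts[3]
        state = parts[5] if len(parts) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # connected sockets are not listeners
        ports.add(int(local.rsplit(":", 1)[1]))  # works for 0.0.0.0:22 and :::1514
    return ports


def port_in_use(port: int, proto: str = "tcp") -> Optional[bool]:
    """bind() probe. True = refused (in use), False = free, None = inconclusive.

    Binding a port below 1024 without privilege fails with EACCES, which says
    nothing about whether the port is in use, so that case is reported as None.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
        except PermissionError:
            return None
        except OSError:
            return True
    return False


def find_hidden_ports(ports: Iterable[int],
                      list_ports: Callable[[], Set[int]],
                      probe: Callable[[int], Optional[bool]]) -> Set[int]:
    """Ports that refuse bind() twice (before and after listing) yet are not listed."""
    candidates = {p for p in ports if probe(p)}      # first probe
    reported = list_ports()                            # what the system claims
    hidden: Set[int] = set()
    for p in candidates - reported:
        if probe(p):                                   # still busy: not a dead process
            hidden.add(p)
    return hidden


def system_listening_ports() -> Set[int]:
    """Live listing via `netstat -an` (assumes a netstat with the layout above)."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return parse_listening_ports(out)


if __name__ == "__main__":
    # Probe a small range against the live system; low ports need root.
    suspicious = find_hidden_ports(range(1024, 1100), system_listening_ports, port_in_use)
    print("hidden listeners:", sorted(suspicious) or "none")
```

Run as root to cover privileged ports; unprivileged, every port below 1024 comes back inconclusive and is skipped rather than reported.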

Re: [ossec-list] problem with agent.conf

2010-10-21 Thread dan (ddp)
>   /var/log/mail.warn >   /var/log/mail.err >   /etc/ppp/chap-secrets >   > > > well, I will look how to update. > Should I start withe the server or the agents? > > Mike > > 2010/10/20 dan (ddp) >> >> Please post your entire agent.conf >> Yo

Re: [ossec-list] sometimes --> ossec-agentd: INFO: Trying to connect to server

2010-10-21 Thread dan (ddp)
On Thu, Oct 21, 2010 at 7:42 AM, Mike Sievers wrote: > Hi list, > > the server was already connected and there is no firewall. > I still can't connect agent and server, but why? > > 2010/10/21 13:36:39 ossec-agentd: INFO: Trying to connect to server > (192.168.2.11:1514). > 2010/10/21 13:37:00 oss

Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-21 Thread dan (ddp)
On Thu, Oct 21, 2010 at 9:16 AM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 10/20/2010 07:15 PM, Michael Starks wrote: >> I agree completely. But just so you are aware, OSSEC integrates nicely >> with Splunk for a non-free solution. > > Non-free if y

Re: [ossec-list] Monitoring ssl certificate accesses

2010-10-21 Thread dan (ddp)
This is a bit rough. I've tested it to make sure it doesn't hurt anything else, but my tests aren't exhaustive. Also, it's tough with only 1 log sample to make sure I've got everything. And last but not least, I didn't look at the other web decoders to make sure the items I placed in match up to w

Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-21 Thread dan (ddp)
I'll try to do this tomorrow. I don't think it's too difficult to do. On Thu, Oct 21, 2010 at 1:56 PM, Jefferson, Shawn wrote: > Nice!  Could you post what is required?  I haven't played with AR at all yet. > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-l...@google

Re: [ossec-list] I may have missed this resent subject

2010-10-21 Thread dan (ddp)
On Thu, Oct 21, 2010 at 2:01 PM, wrote: > Anyone: After upgrading my management Servers to 2.5.1  I'm getting, after I > restart the agents > >   2010/10/21 13:56:04 ossec-testrule: INFO: Reading local decoder file. > > Any information on this would be great. > Thank You Christian This is normal

Re: [ossec-list] Day 4: What bugs you: problems, challenges and room for improvement.

2010-10-21 Thread dan (ddp)
On Thu, Oct 21, 2010 at 2:08 PM, Michael Starks wrote: > > On Thu, 21 Oct 2010 17:31:30 +, "ddp...@gmail.com" > wrote: >> This isn't restart-free, but I setup an active response to restart > agents >> when agent.conf has changed. > > When ddpbsd mentioned this to me in IRC, I set this up for

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
g the level high enough to be emailed (I think it's 7 and up by default) could do it. > > Thanks for your help. > > > Vitor Correia > > > On Oct 21, 3:09 pm, "dan (ddp)" wrote: >> This is a bit rough. I've tested it to make sure it doesn't hur

Re: [ossec-list] Re: 2WoO Day 6: Time to dream: what does the future of OSSEC look like?

2010-10-22 Thread dan (ddp)
On Fri, Oct 22, 2010 at 12:08 PM, Jefferson, Shawn wrote: >>- OSSEC (or OSSEC Pro) is has a correlation engine to use an IP >>address reputation service to calculate and return the risk of an IP >>address detected by OSSEC. (OSSEC Pro could include the use of Trend >>Micro's service, for example,

Re: [ossec-list] Two Questions

2010-10-22 Thread dan (ddp)
e- > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On > Behalf Of dan (ddp) > Sent: Saturday, October 16, 2010 11:02 AM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Two Questions > > On Sat, Oct 16, 2010 at 1:52 PM, dan (ddp) wrote: >>

Re: [ossec-list] Problem with custom decoder

2010-10-22 Thread dan (ddp)
On Fri, Oct 22, 2010 at 12:49 PM, Chow, Dennis wrote: > Hello, > > I'm trying to write a custom decoder for an appliance. I'm running on an > older OSSEC 2.1.x  server. When using the ossec-logtest tool, the test never > completes phase1 or phase2 properly. Please advise if this is something I'm >

Re: [ossec-list] web app to view ossec alerts (via uploading alerts.log)

2010-10-22 Thread dan (ddp)
It looked pretty neat to me. I wouldn't mind playing around with it. On Thu, Oct 21, 2010 at 6:25 PM, Tate Hansen wrote: > Hi: We spun up a ruby on rails web app (backed by mongodb=speed) that allows > us to do daily alert reviews quickly ­ for us that means being able to view > all the alerts in

Re: [ossec-list] Problem with custom decoder

2010-10-22 Thread dan (ddp)
3aff9121     > 0001-0001-0001-0001-5780    5780: Tunneling: Teamviewer Remote > Access       5780    tcp     100.100.100.1    5938    100.100.100.2    4068   >  1       3       3       SOMEHOSTNAME   67447548        1287723528058' > **Phase 2: Completed decoding. >  

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
leted decoding. >       No decoder matched. > > > Vitor Correia > > On Oct 22, 5:02 pm, "dan (ddp)" wrote: >> On Fri, Oct 22, 2010 at 11:35 AM, vcorreia wrote: >> > Hello, >> >> > It looks excelent :) >> >> > I only posted one li

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
Windows NT 6.1; en-US; rv: > 1.9.2.11) Gecko/20101012 Firefox/3.6.11"' >       hostname: 'www' >       program_name: '(null)' >       log: '"Vitor Correia" "PT" 89.155.91.201 - - [22/Oct/ > 2010:19:32:15 +0100] "GET /colle

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
Add it to the end of /var/ossec/etc/decoder.xml and try again. It should complain that there is a duplicate decoder. If not, for some reason it's not reading your local_decoder.xml. If it does and the log isn't matching, something's wrong with the decoder. On Fri, Oct 22, 2010 at 4:12 PM, vcorreia

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-22 Thread dan (ddp)
Here's the output for ossec-logtest for me: # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf 2010/10/22 23:04:34 ossec-testrule: INFO: Reading local decoder file. 2010/10/22 23:04:34 ossec-testrule: INFO: Started (pid: 10010). ossec-testrule: Type one log per line. "Vitor Correia" "PT" 89.155

Re: [ossec-list] Re: Monitoring ssl certificate accesses

2010-10-23 Thread dan (ddp)
l be around your blog trying to learn how to > write these decoders for myself :) > > Vitor > > On Oct 23, 4:08 am, "dan (ddp)" wrote: >> Here's the output for ossec-logtest for me: >> # /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf >> 2010/10/22

Re: [ossec-list] Email alerting options

2010-10-23 Thread dan (ddp)
On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee wrote: > So even if I setup the to specifically trigger when when a > certain rule is hit, if that rule isn't over level 7, it won't fire? Because > doesn't also have a flag? It seems > should be independent of standard level...? > What option are

Re: [ossec-list] 2WoO Day 7: Supporting New Applications the Right Way

2010-10-23 Thread dan (ddp)
Rules 101 (Part 1): http://ddpbsd.blogspot.com/2010/10/ossec-rules-101.html Roundup for day 7: http://ddpbsd.blogspot.com/2010/10/second-annual-week-of-ossec-roundup-day_23.html And a big thanks to mstarks for organizing this whole thing! And everyone who contributed. It was a lot of fun to see al

Re: [ossec-list] Day 7: Making it happen: who, what, when and how?

2010-10-23 Thread dan (ddp)
On Sat, Oct 23, 2010 at 5:16 PM, Michael Starks wrote: > On 10/23/2010 09:12 AM, Michael Starks wrote: >> >> On this day, we'll try to take some of what we have learned and develop >> a plan of action. We'll take the combined community intelligence and see >> if we can make it real. Feel free to j

Re: [ossec-list] Email alerting options

2010-10-23 Thread dan (ddp)
mail_alerts.html > From local rules.xml: >   >     100040 >     010105011000 >     Arming alarm >    > > TIA! > > > On Sat, Oct 23, 2010 at 1:46 PM, dan (ddp) wrote: >> >> On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee wrote: >> > So even if I setup the to

Re: [ossec-list] Email alerting options

2010-10-23 Thread dan (ddp)
...@y.z >123, 124 > > > > > Was that a mistake in the older doc? > > BTW: is there a way to get OSSEC to log/email alerts in a specific time > window (i.e. between 8am-5pm) ? > > Thanks! > On Sat, Oct 23, 2010 at 8:18 PM, dan (ddp) wrote:

Re: [ossec-list] Email alerting options

2010-10-24 Thread dan (ddp)
On Sat, Oct 23, 2010 at 11:27 PM, Jeremy Lee wrote: > It shows it is here: > http://www.ossec.net/wiki/Know_How:GranularEmail > > example: > > >b...@y.z >123, 124 > > > > > Was that a mistake in the older doc? > > BTW: is there a way to get OSSEC to log/email alerts in a specif

Re: [ossec-list] analysisd

2010-10-25 Thread dan (ddp)
On Mon, Oct 25, 2010 at 12:43 AM, x509v3 wrote: > I just upgraded a test infrastructure from 2.4 to 2.5.1.  I upgraded > the server first, then my one test agent. > > The startup of both the server and agent looked good, but at soon as I > run syscheck_update, my ossec.log start filling up with th

Re: [ossec-list] Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' - on agent

2010-10-25 Thread dan (ddp)
On Mon, Oct 25, 2010 at 6:56 AM, ItsMikeE wrote: > I created an RPM package to install OSSEC agent 2.4.1 on RHEL 5, using > files created with a standard installation from an OSSEC agent. > > Updated the original agent to 2.5.1, and then packaged up those files > again. > > When I start the agent

Re: [ossec-list] Virtual public IP blocked

2010-10-25 Thread dan (ddp)
It can block internal IPs. If you don't want the IP blocked, add it to the white list. On Mon, Oct 25, 2010 at 10:25 AM, seekuel wrote: > Dear group, > > We have a dedicated server that is configured to have a multiple public IPs > configured to eth1. What happens is that in /etc/hosts.deny the p

Re: [ossec-list] Custom rule for printing ips and ports

2010-10-25 Thread dan (ddp)
On Mon, Oct 25, 2010 at 4:05 PM, Chow, Dennis wrote: > Hello, > > > > I wrote a successful decoder and some rules that have matches and > descriptions. But I want to also be able to print out the srcip, srcport, > dstip, dstport, and extra_data information that was originally pulled from > the dec

Re: [ossec-list] Email alerting options

2010-10-25 Thread dan (ddp)
the option to have a rule fire at a specific time >> just "" within the rule ID itself? >> >> http://www.mail-archive.com/ossec-list@googlegroups.com/msg07544.html >> >> >> >> >> On Sun, Oct 24, 2010 at 1:09 PM, dan (ddp) wrote: >>> >

Re: [ossec-list] Email alerting options

2010-10-25 Thread dan (ddp)
; another update if there are no alerts on the weekend! > Please let us know. I'll make a note to try and check the source tomorrow. > On Mon, Oct 25, 2010 at 1:41 PM, dan (ddp) wrote: >> >> On Mon, Oct 25, 2010 at 4:31 PM, Jeremy Lee wrote: >> > Nevermind, I think

Re: [ossec-list] I can not suppress some messages

2010-10-26 Thread dan (ddp)
There is no srcip decoded in the log message (and no IP at all). Remove that line and it should work. On Tue, Oct 26, 2010 at 9:25 AM, Mike Sievers wrote: > Hi List, > > for example: (server1=agent) > > OSSEC HIDS Notification. > 2010 Oct 26 15:06:00 > > Received From: (server1) 192.168.224.49->/

Re: [ossec-list] ossec-agentd: ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.

2010-10-26 Thread dan (ddp)
On Tue, Oct 26, 2010 at 9:15 AM, Mike Sievers wrote: > Hi, > > the ossec.log said: > ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: > 'Queue not found'. > > After a reboot of the machine. The folder is empty: > > ls -a > /var/ossec/queue/alerts > (nofile) > > ??? > > Mike >

Re: [ossec-list] ossec-syscheckd(1210) : ERROR: Queue

2010-10-26 Thread dan (ddp)
On Tue, Oct 26, 2010 at 12:12 PM, NewRules wrote: > Hi, > > I've spent more than 15 hours trying to solve this problem. I browsed > each page on the internet (twice). But I could'nt find the solution to > my problem. > I enabled debugging. > I used truss (strace for AIX). > The only thing I didn't

Re: [ossec-list] Handling directory traversal false positives

2010-10-26 Thread dan (ddp)
On Thu, Oct 21, 2010 at 8:15 PM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > I find myself struggling with how to handle directory traversal false > positives.  The following happily triggers rule 31104 and active response > blocks the IP. > > 204.41.5

Re: [ossec-list] Handling directory traversal false positives

2010-10-26 Thread dan (ddp)
On Tue, Oct 26, 2010 at 3:45 PM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 10/26/2010 02:29 PM, dan (ddp) wrote: >> The only thing I can think of is to watch the logs and implement >> ignore rules for the legit

Re: [ossec-list] ossec-agentd: ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.

2010-10-27 Thread dan (ddp)
On Wed, Oct 27, 2010 at 7:34 AM, Mike Sievers wrote: > yes, active response is enabled > the process is still running > > ??? > Is there anything else in the log? Are ALL of the ossec processes running? Try running agentd in debug mode. > 2010/10/26 dan (ddp) >> >>

Re: [ossec-list] I can not suppress some messages

2010-10-27 Thread dan (ddp)
On Wed, Oct 27, 2010 at 7:39 AM, Mike Sievers wrote: > Hi Dan, > > ok, I did it and now I am waiting. > How do I select specific nodes? > > Mike > server1? > > > 2010/10/26 dan (ddp) >> >> There is no srcip decoded in the log message (and no IP at al

Re: [ossec-list] Ossec 2.5.1 and Shorewall logs not working together

2010-10-27 Thread dan (ddp)
On Wed, Oct 27, 2010 at 12:19 PM, Rich Houston wrote: > Hi all, > > I have recently upgraded a firewall I manage from CentOS 4.x to Ubuntu > 10.04 based system, I have installed the latest from repos Shorewall > and the latest Ossec 2.5.1. > > Under the old system drops and redirects were logged a

Re: [ossec-list] cannot access alerts/execq

2010-10-27 Thread dan (ddp)
What's the worst that will happen if you try it? You're using an ancient version, in a strange configuration. I'm not sure how many people will be able to test something like this and get back to you. Give it a shot. If it breaks, you should know how to fix it. ;) On Tue, Oct 26, 2010 at 8:41 PM,

Re: [ossec-list] CDB Lookups

2010-10-27 Thread dan (ddp)
On Wed, Oct 27, 2010 at 9:22 AM, Brooks Garrett wrote: > Is anyone currently using the address_match_key_value CDB lookup? I am > trying to use the following: > >   >    110100 >     check_value="^sslvpn">lists/bcexclusions >    Host in SSLVPN subnet is bypassing WebProxy >   > > In the list, I ha

Re: [ossec-list] Active Response not activating

2010-10-27 Thread dan (ddp)
On Wed, Oct 27, 2010 at 1:44 PM, Steven Stern wrote: > In /var/ossec/etc/osse.conf, I have > > >   firewall-drop >   firewall-drop.sh >   srcip >   yes > > > >   firewall-drop >   local >   31151 >   8 > > > My logs show multiple 31151 alerts. For example: > ossec-alerts-23.log:Rule: 31151 (le

Re: [ossec-list] Bug report for OSSEC 2.5.1 ("ftpd-mac-failure" decoder in decoder.xml)

2010-10-28 Thread dan (ddp)
What type of system did your syslog message come from? What others did you test? Looks like an okay change to me. On Thu, Oct 28, 2010 at 1:22 PM, blacklight wrote: > Hello Folks, > > We noticed that rule 11109 failed to trigger the active response that > we had specified. We traced the failure

Re: [ossec-list] Agent Classification

2010-10-28 Thread dan (ddp)
I think the most common way I've seen something like this done is by using multiple OSSEC managers. On Thu, Oct 28, 2010 at 10:06 AM, ItsMikeE wrote: > As I add more agents to ossec, I am beginning to see a need for > classifying agents into groups. > > For example, it is more important to know a

Re: [ossec-list] Re: Two questions

2010-10-28 Thread dan (ddp)
The OSSEC processes all restarted properly? Did the binaries actually change? On Thu, Oct 28, 2010 at 12:45 PM, reg wrote: > My second question has to do with this article. > > http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/ > > I made the changes that are supposed to chan

Re: [ossec-list] sometimes --> ossec-agentd: INFO: Trying to connect to server

2010-10-28 Thread dan (ddp)
I don't understand the question. Are you trying to re-use an ID? On Thu, Oct 28, 2010 at 2:38 AM, Mike Sievers wrote: > ... I now created a new id/key and it works. > Is it also possible to remove an ID instead only an agent? > > 2010/10/21 dan (ddp) >> >> On Thu,

Re: [ossec-list] Re: Ossec 2.5.1 and Shorewall logs not working together

2010-10-28 Thread dan (ddp)
It's possible. ;) I'll try to sneak it into my tree and bug dcid about it again. Thanks for the report BTW. On Thu, Oct 28, 2010 at 5:43 PM, Rich Houston wrote: > Perfect that worked great. Any way we could get that into the next > update? > > Thanks for your help!! > > Rich > > Rich Houston wr

Re: [ossec-list] ossec web ui no longer working

2010-10-28 Thread dan (ddp)
Are you using SELinux? Is apache still running as the same user/group? On Thu, Oct 28, 2010 at 5:50 PM, Justin Redman wrote: > I recently applied some updates to the server ossec is residing on (rhel 5) > then restarted the system, and now the web ui is complaining about > permissions “Unable to

Re: [ossec-list] OSSEC on a syslog server

2010-10-28 Thread dan (ddp)
On Thu, Oct 28, 2010 at 7:26 PM, Hac Phan wrote: > Hi, > > I want to have OSSEC on my syslog server. However, when it monitors that > server's log files (e.g. /var/log/messages), OSSEC inadvertently captures the > errors from other servers. This results in a duplicate alert because OSSEC > caught

Re: [ossec-list] sometimes --> ossec-agentd: INFO: Trying to connect to server

2010-10-29 Thread dan (ddp)
ine at file client.keys? > > 2010/10/28 dan (ddp) >> >> I don't understand the question. Are you trying to re-use an ID? >> >> On Thu, Oct 28, 2010 at 2:38 AM, Mike Sievers >> wrote: >> > ... I now created a new id/key and it works. >> > Is it als

Re: [ossec-list] Agent_control Syscheck/rootcheck last ended.

2010-10-29 Thread dan (ddp)
I have a couple of agents showing this behavior. I'm not sure if the manager missed the message from the agent, or what. On Thu, Oct 28, 2010 at 2:53 PM, Jeremy Lee wrote: > Anybody else seeing this? > > On Wed, Oct 27, 2010 at 11:10 AM, jplee3 wrote: >> >> Hey all, >> >> I seem to be having iss

Re: [ossec-list] Question about active response's failure to be triggered

2010-10-29 Thread dan (ddp)
I've never seen this problem. In fact I've never had to clear out the rids files. Can you provide a bit more information about the hosts showing this problem? On Thu, Oct 28, 2010 at 1:31 PM, blacklight wrote: > Hello Folks, > > Once in a while, the active response does not kick in. Then I have t

Re: [ossec-list] Re: Question about active response's failure to be triggered

2010-10-29 Thread dan (ddp)
> occurs, the agent involved is nevertheless recognized by agent_control > as active. I hope the description helps. > > On Oct 29, 10:47 am, "dan (ddp)" wrote: >> I've never seen this problem. In fact I've never had to clear out the >> rids files. >>

Re: [ossec-list] How to import a Key using windows

2010-10-29 Thread dan (ddp)
There's a gui front end on the Windows side. It should be in the Start menu ("Start -> programs -> ossec" I think). If you're wondering how to get the key in the first place, you have to use the "/var/ossec/bin/manage_agents" program on the manager to create the agent identity. You can then export

Re: [ossec-list] How to import a Key using windows

2010-10-29 Thread dan (ddp)
The manager doesn't need a key. It will run, and you get the key for the agents from the manager. On Fri, Oct 29, 2010 at 8:31 PM, Ben Morgan wrote: > I understand once i start ossec. But the trouble is it won't run without the > key. And i can't get the key unless i run it, right? > > > > > >> D

Re: [ossec-list] Why are unregistered systems alarming?

2010-11-01 Thread dan (ddp)
If the log messages are making it into a log file monitored by OSSEC, it will alert on it. On Mon, Nov 1, 2010 at 10:18 AM, Michael Larsen wrote: > My OSSEC server is also my syslog server. I recently enabled remote logging > to it on several systems, but didn't install/register the OSSEC agent o

Re: [ossec-list] Re: Bug report for OSSEC 2.5.1 ("ftpd-mac-failure" decoder in decoder.xml)

2010-11-01 Thread dan (ddp)
I'm scouring google for samples. I'll have something by the end of the week that should handle more cases than the current and proposed solutions... On Sun, Oct 31, 2010 at 10:55 PM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Oct 28, 2010, at 3:08 P

Re: [ossec-list] ossec-agent(1402): ERROR \ossec-agent(1750): ERROR \ ossec-agent: Received exit signal

2010-11-01 Thread dan (ddp)
On Mon, Nov 1, 2010 at 3:11 PM, Ballard, Tim wrote: > > Here’s what I’m getting > > > > 2010/11/01 09:11:35 ossec-agent(1402): ERROR: Authentication key file > 'client.keys' not found. > > Have you added a key to the agent? > > 2010/11/01 09:11:35 ossec-agent(1750): ERROR: No remote connection

Re: [ossec-list] Re: Scanlogd support

2010-11-01 Thread dan (ddp)
Completely untested: portsentry portsentry attackalert: Connect from ost: (\S)/\S+ to \S+ port: (\d+)$ srcip, dstport portsentry is already blocked. Ignoring$ Host: (\S+) is srcip On Mon, Nov 1, 2010 at 6:42 PM, Js Opdebeeck wrote: > Hello Doug > > Thanks for your note

Re: [ossec-list] Re: Scanlogd support

2010-11-02 Thread dan (ddp)
Host: (\S+) is srcip On Tue, Nov 2, 2010 at 3:35 PM, Js Opdebeeck wrote: > Dan > > I close this post and open a new one called Portsentry .. > > Thanks for your help, I'll try this. > > On Nov 2, 12:07 am, "dan (ddp)" wrote: >> Completely untested:

Re: [ossec-list] Ossec and Portsentry

2010-11-02 Thread dan (ddp)
On Tue, Nov 2, 2010 at 3:44 PM, Js Opdebeeck wrote: > This post to continue the previous one - > http://groups.google.com/group/ossec-list/browse_thread/thread/fd9503ef5f9055cc/92abe89dfb932698 > "Scanlogd Support". > > > Goal is to Detect port Scan with PortSentry, but I don't have > sufficient ba

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-02 Thread dan (ddp)
On Tue, Nov 2, 2010 at 4:13 PM, Tim Eberhard wrote: > [My apologies for posting this to ossec-dev. I typed in the wrong > google group. This was intended for ossec-list] > > All, > > I've been trying to write some rules for my lab OSSEC box and test > them before we roll OSSEC out to production. I

Re: [ossec-list] Manual firewall-drop to all clients

2010-11-02 Thread dan (ddp)
Not through OSSEC by default. That's best handled by your configuration management process. However, if you want to do something like this it shouldn't be too hard to do. "echo 'host: 192.168.1.1' | logger -t blockscript" Then setup a decoder like the following (all of this is untested so do you
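
Both the logger-based block dan sketches above and the portsentry decoder he posts in the "Scanlogd support" thread come down to the same step: a decoder that pulls a srcip (and for portsentry a dstport) out of a syslog line, which a rule then hands to an active response. The following is an added example and not OSSEC's code: a small Python re-implementation of that decode step plus the response decision, written to be run over constructed log lines. The portsentry message wording, the `blockscript` decoder regex and the `response_for` mapping are my assumptions; OSSEC's own regex dialect, its `<prematch>`/`<order>` handling and the real rules engine are not reproduced. The one check worth copying into any such setup is the last one: the decoded srcip is validated as an IP address before it is handed to anything like firewall-drop.sh, because the active-response script runs as root and the "IP" came straight from a log line.

```python
"""Decoder + response step for portsentry and a logger-fed blockscript tag.

Added example (not OSSEC code). Sample log lines are constructed; the regexes
mirror the shape of the decoders sketched in the thread and are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Syslog line as an agent forwards it: "Nov  2 23:59:01 host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Decoder table keyed by program_name: (regex, field order), after the spirit of
# OSSEC's <program_name>/<regex>/<order>. Patterns are assumptions.
DECODERS: Dict[str, List[Tuple[Pattern[str], List[str]]]] = {
    "portsentry": [
        (re.compile(r"attackalert: Connect from host: (\S+)/\S+ to \S+ port: (\d+)$"),
         ["srcip", "dstport"]),
        (re.compile(r"attackalert: Host: (\S+) is already blocked\. Ignoring$"),
         ["srcip"]),
    ],
    # Fed by: echo 'host: 192.168.1.1' | logger -t blockscript
    "blockscript": [
        (re.compile(r"^host: (\S+)$"), ["srcip"]),
    ],
}


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return decoded fields (srcip, dstport, decoder, hostname) or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog = m.group("prog")
    for regex, order in DECODERS.get(prog, []):
        hit = regex.search(m.group("msg"))
        if hit:
            fields = dict(zip(order, hit.groups()))
            fields["decoder"] = prog
            fields["hostname"] = m.group("host")
            return fields
    return None


def response_for(event: Optional[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Decide the active response; refuse anything whose srcip is not an IP."""
    if not event:
        return None
    try:
        ipaddress.ip_address(event.get("srcip", ""))
    except ValueError:
        return None  # never pass an unvalidated log-derived string to a root script
    if event["decoder"] == "blockscript":
        # Manual block requested on the manager: push to every agent.
        return {"command": "firewall-drop", "location": "all", "srcip": event["srcip"]}
    if event["decoder"] == "portsentry" and "dstport" in event:
        # Scan hit: block where it was seen.
        return {"command": "firewall-drop", "location": "local", "srcip": event["srcip"]}
    return None  # "already blocked" notices need no new response


if __name__ == "__main__":
    # Constructed sample lines, including one crafted value that must be rejected.
    for line in [
        "Nov  2 23:59:01 gw portsentry[1234]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 143",
        "Nov  2 23:59:02 gw portsentry[1234]: attackalert: Host: 203.0.113.7 is already blocked. Ignoring",
        "Nov  3 08:15:00 mgr blockscript: host: 192.168.1.1",
        "Nov  3 08:15:01 mgr blockscript: host: evil$(id)",
    ]:
        ev = decode(line)
        print(ev, "->", response_for(ev))
```

Running it prints the decoded fields and the planned response for each line; the crafted `evil$(id)` value decodes (the regex is as permissive as the thread's) but produces no response.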

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-03 Thread dan (ddp)
this I'll do my best to spoon feed myself :) > > Thanks again for your help, > -Tim Eberhard > > > On Tue, Nov 2, 2010 at 7:57 PM, Tim Eberhard wrote: >> That's how it sits today. I'll remove them and see if that helps things at >> all. >> >&

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-03 Thread dan (ddp)
g ... > r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t -c > /var/ossec/etc/ossec.conf > 2010/11/03 09:30:10 ossec-logcollector: DEBUG: Starting ... > > > > On Wed, Nov 3, 2010 at 10:07 AM, dan (ddp) wrote: >> Try running logcollector in debug mode.

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-03 Thread dan (ddp)
ck > database (pre-scan completed). > 2010/11/03 10:01:39 ossec-syscheckd: INFO: Ending syscheck scan > (forwarding database). > 2010/11/03 10:01:59 ossec-syscheckd: INFO: Starting real time file monitoring. > 2010/11/03 10:01:59 ossec-rootcheck: INFO: Starting rootcheck scan.

Re: [ossec-list] Agent.conf wildcards or regex?

2010-11-03 Thread dan (ddp)
I don't think so, but it would be REALLY easy to test. ;) On Wed, Nov 3, 2010 at 1:49 PM, jplee3 wrote: > Hi all, > > Was wondering if I could use the * wildcard in in > agent.conf > > For example > > > Is this possible?

Re: [ossec-list] Agent.conf wildcards or regex?

2010-11-03 Thread dan (ddp)
tire agent.conf gets copied to all agents. > On Wed, Nov 3, 2010 at 11:15 AM, dan (ddp) wrote: >> >> I don't think so, but it would be REALLY easy to test. ;) >> >> On Wed, Nov 3, 2010 at 1:49 PM, jplee3 wrote: >> > Hi all, >> > >> > Was wondering if I could use the * wildcard in in >> > agent.conf >> > >> > For example >> > >> > >> > Is this possible? > >

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-03 Thread dan (ddp)
openssh/ssh-keysign > /usr/bin/at > /usr/bin/gpasswd > /usr/bin/passwd > /usr/bin/sudoedit > /usr/bin/sudo > /usr/bin/chsh > /usr/bin/chage > /usr/bin/crontab > /usr/bin/newgrp > /usr/lib/vmware-tools/sbin64/vmware-hgfsmounter > /bin/ping > /bin/su > /bin/mount

Re: [ossec-list] Email notifications max length?

2010-11-04 Thread dan (ddp)
src/os_maild ? On Thu, Nov 4, 2010 at 1:59 PM, Jefferson, Shawn wrote: > I noticed that some notifications emails, especially those that contain the > output of a command are cut off.  Is there somewhere a max length of email > alert is defined that I can change? > > -- > Shawn >

Re: [ossec-list] active response

2010-11-04 Thread dan (ddp)
On Thu, Nov 4, 2010 at 12:57 PM, Chad Robertson wrote: > I have a problem getting active response to work between systems.  I will > paste the tcpdumps from both the server and the client when triggering a AR > rule. > > > > 08:32:58.458874 IP (tos 0x0, ttl 63, id 17222, offset 0, flags [DF], prot

Re: [ossec-list] Email notifications max length?

2010-11-04 Thread dan (ddp)
On Thu, Nov 4, 2010 at 2:38 PM, Jefferson, Shawn wrote: > oh, too bad it's not in internal.conf. :( > You can fix that (if there's a limit, I don't know if there is). > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.co

Re: [ossec-list] RE: active response

2010-11-04 Thread dan (ddp)
On Thu, Nov 4, 2010 at 3:07 PM, Chad Robertson wrote: >  No.  That the problem.  The server doesn't send the client any network > traffic to tell it that it should run host-deny.sh. > How is the AR configured? > -Original Message----- > From: dan (ddp) [mailto:ddp.

Re: [ossec-list] Re: active response

2010-11-04 Thread dan (ddp)
On Thu, Nov 4, 2010 at 3:28 PM, Chad Robertson wrote: > On the server: > > ossec.conf > >   >     host-deny >     local >     100055 >     600 >   > > local_rules.xml > >   >     ssh-invalid_user >     none >     SSHD invalid username detected. >   > > local_decoder.xml > > >   Failed \S+ for

Re: [ossec-list] Re: active response

2010-11-04 Thread dan (ddp)
On Thu, Nov 4, 2010 at 5:16 PM, Chad Robertson wrote: > In the beginning there is no AR log on the agent.  After testing the host.sh > script as root the log showed up.  I chown and chgrp the log to ossec. > > By default there was nothing in the ossec.conf file about AR. > > I added this to the ag

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-05 Thread dan (ddp)
ossec.conf & local_rules.xml. I've scrubbed it a bit :) > > Thanks again for all your help > > > > On Wed, Nov 3, 2010 at 2:48 PM, dan (ddp) wrote: >> I'll have to play with this tomorrow when I have access to my OSSEC setup. >> >> Could you perhaps

Re: [ossec-list] Windows Logon Failure Logging

2010-11-05 Thread dan (ddp)
On Fri, Nov 5, 2010 at 9:46 AM, ANiMOSiTY wrote: > Hey guys, > > We've recently deployed OSSEC to monitor Microsoft Active Directory on > 3 Windows Server 2003 boxes. > > I'm getting a lot of 'Windows DC Logon Failure' and 'Multiple Windows > Logon Failures' alerts. > > We run a shared platform, a

Re: [ossec-list] Authorization key required

2010-11-08 Thread dan (ddp)
You need to have a management server setup. You will get the key from the management server. On Sun, Nov 7, 2010 at 8:01 AM, I.M.Sultan wrote: > >  I'm a home user willing to secure my pc against intrusions & hacking; for > this purpose I downloaded " OSSEC HIDS v2.5.1 " but am not able to use it a

Re: [ossec-list] Problem adding custom rules using full commands

2010-11-08 Thread dan (ddp)
. On Wed, Nov 3, 2010 at 3:55 PM, Tim Eberhard wrote: > Sure thing. > > Attached is the ossec.conf & local_rules.xml. I've scrubbed it a bit :) > > Thanks again for all your help > > > > On Wed, Nov 3, 2010 at 2:48 PM, dan (ddp) wrote: >> I'll h

Re: [ossec-list] Duplicates email alerts

2010-11-08 Thread dan (ddp)
You could try restarting ossec-emaild. Check /var/ossec/logs/alerts/alerts.log to see if the alerts were replicated as well. Check your maillog, there might be a clue in there. On Mon, Nov 8, 2010 at 3:42 AM, Bob Sauvage wrote: > Hello *, > > This weekend I received many duplicates email alerts.

Re: [ossec-list] Re: Agent.conf and syscheck scheduling

2010-11-08 Thread dan (ddp)
nux and MachineA configs. > On Sep 28, 10:20 am, "dan (ddp)" wrote: >> On Tue, Sep 28, 2010 at 1:31 PM, Jeremy Lee wrote: >> > That makes sense. I guess what I'd really want to see the option to >> > push/update just a single 'config' file

Re: [ossec-list] New Installation of OSSEC Server 2.5.1

2010-11-09 Thread dan (ddp)
On Tue, Nov 9, 2010 at 11:33 AM, Winpy wrote: > I have replaced my original server and installed the new 2.5.1 > software. > I have updated all of my Agents to the new version also. > > One of the problems that I have always had is that I receive emails > for all alert levels even though the defau

Re: [ossec-list] Moving OSSEC installation?

2010-11-09 Thread dan (ddp)
Your plan is to run the install.sh to re-install, right? I think that'd be about the only way it would work. But I think it should work. Make sure to pay attention to ownership and permissions with the files you copy over. On Tue, Nov 9, 2010 at 1:02 PM, jplee3 wrote: > Hey guys, > > Would I be

Re: [ossec-list] How is guaranteed integrity of Ossec itself?

2010-11-10 Thread dan (ddp)
On Wed, Nov 10, 2010 at 3:57 AM, Jakub Moravek wrote: > Hi everybody, >   I was discussing some security issues with my colleagues. And we > found an interesting issue. How is the integrity of Ossec itself guaranteed? > Can Ossec somehow discover that an attacker has replaced Ossec with a > modified appli

Re: [ossec-list] OSSEC and OpenLDAP logs

2010-11-10 Thread dan (ddp)
On Wed, Nov 10, 2010 at 3:12 PM, Doug Burks wrote: > Has anybody used OSSEC to monitor OpenLDAP logs?  Specifically, I'd > like to monitor for auth failures (err=49 in the sanitized log sample > below).  As you can see, one LDAP connection (conn=99) creates > multiple log entries.  Further com

Re: [ossec-list] Server-agent setup

2010-11-11 Thread dan (ddp)
On Thu, Nov 11, 2010 at 8:57 AM, seekuel wrote: > Hi group, > I successfully configured a server-agent setup. Clients can send alerts and > can access the server with no issue. One thing I notice is the server itself > is not sending an alert email. > May I know where to check this? I also added a
