[ossec-list] Re: local_rules question

2014-10-03 Thread grant
5712 This statement means that Rule ID 100041 is reliant on rule 5712 firing first. Does this help? On Thursday, October 2, 2014 8:02:48 PM UTC-4, Mark Moorcroft wrote: > > > Can someone tell me why this works: > > > 5712 > sshd > sshd > xxx.xxx.xxx.xxx > ARC scanner >

Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-06 Thread grant
You are relying on this 31100; however, that doesn't exist in 2.7.1. Where would I find the Apache rules for 2.8 so I can copy that rule in? On Saturday, October 4, 2014 9:30:57 AM UTC-4, Michael Starks wrote: > > On 10/04/2014 05:30 AM, Jan Andrasko wrote: > > Rob, > > > > issue with your rul

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread grant
Assuming agent key and IP are distinct for each server, please put the ossec-control into debug on the server and look for errors such as "not allowed" and so forth. On Monday, October 13, 2014 8:04:41 AM UTC-4, Antonio Querubin wrote: > > On Sun, 12 Oct 2014, David Masters wrote: > > > Ok...her

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread grant
David, you wrote: "The key files I am creating are being created directly from the spreadsheet". You are not creating the keys yourself, are you? When you run manage-agents and add a new agent, a key gets put into client.keys; that key is associated with the hostname of the sending device and

Re: [ossec-list] Capturing Window Event ID's

2014-10-29 Thread grant
I have been following this thread with interest and I have a question. First, there is no reason, on the surface, this should not have worked using rule id = 19000; I tested in my lab on 2.7.1 and it worked. (I know I need to move up and I will this year.) In my setup I tend to start with 7 fo

[ossec-list] Re: Windows Event ID 4625

2014-11-04 Thread grant
So that is rule 18106. I have just recently been playing with this one. The issue isn't OSSEC, it's literally the Windows log (note that the log states (no user)). EVENT: "[INIT]WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: some.server.name.h

[ossec-list] Re: Windows Event ID 4625

2014-11-04 Thread grant
Great article sir, thanks, I am testing that now. Make sure you add the values to local_decoder the way he discusses, not the way he lists them. He also doesn't note that you need override rules for each of those in your local_rules, so be sure to add those. Thanks again for the link! On Tuesday

Re: [ossec-list] Huge event logs create Network Bandwidth issue

2014-11-06 Thread grant
That is an interesting idea, however all the logs are processed server side, not agent side, thus by the time you detect an uptick in events, you have already sent the traffic. In theory you could create a custom rule for # of X event types over a period of time, and if the rule fires, you have

Re: [ossec-list] ossec-logtest works but no alerts in real-tim

2014-11-06 Thread grant
What Dan says is accurate, and a visual representation might be helpful. For this log: 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\ logs\05-11-2014\Error.log Error - The process started successfully This part is from the OSSEC agent: 2014 Nov 05 09:10:02 (w2008) 192.1.1.1-> And th

Re: [ossec-list] OSSEC with OSSIM

2014-11-13 Thread grant
" I send alert level ossec via syslog to rsyslog ossim but not working because OSSIM use custom log with tag AV in front of each log so alert from ossec server not recognize by OSSIM " OSSIM has plugins built to read that default output, you don't need to route OSSEC syslog to OSSIM, you merely

[ossec-list] Re: Convert Multiline Eventlog

2014-11-19 Thread grant
Set a custom Alert variable output. You can do this in the global config on the OSSEC server receiving the logs, once the rules match and you get an ALERT you will have the same output over and over. Make sense? On Tuesday, November 18, 2014 7:55:55 AM UTC-5, DefensiveDepth wrote: > > I have a

[ossec-list] Re: manage_agent fails again

2014-11-26 Thread grant
manage_agent is a server-side function, not a client-side one. On a Windows platform you can manually add your key in 'client.keys' then restart the agent. On Tuesday, November 25, 2014 12:19:07 PM UTC-5, Colin Bruce wrote: > > Is there any way on Windows to install the agent's key without using the

[ossec-list] Re: Rules for MS14-066

2014-11-26 Thread grant
I have not seen a log in the wild that would let me write a rule for this. Any luck on your end? On Thursday, November 20, 2014 5:07:31 AM UTC-5, secuc...@free.fr wrote: > > hi > does someone have a rule for MS14-066 ? > https://technet.microsoft.com/en-us/library/security/ms14-066.aspx > or maybe

[ossec-list] Re: Windows login failure event 4625 not logging

2014-12-09 Thread grant
"When I run ossec-logtest and put the ID 4625 " Do you paste the entire log into the logtest? Can you put your logtest output here? On Monday, December 8, 2014 7:14:15 PM UTC-5, Jarrod Farncomb wrote: > > I'm having an issue getting failed logins to Windows servers to log > correctly to alert

[ossec-list] Re: ossec-remoted Process Pegged at 100%

2014-12-17 Thread grant
OSSEC imho) Grant On Tuesday, December 16, 2014 8:00:13 AM UTC-5, Chris Decker wrote: > > Good morning all, > > I have about 2,000 (heavily active) OSSEC agents sending logs to a > Manager. On the Manager side I've noticed that *ossec-remoted* is > hovering around 98% t

Re: [ossec-list] Syslog forwarding doesn't work with custom_alert_output

2015-01-07 Thread grant
I can confirm this to be true; we did extensive testing running a stock 2.7 and 2.8.1 OSSEC install feeding an Alienvault platform, and syslog, when custom alert is configured, did not work. On Wednesday, January 7, 2015 8:04:25 AM UTC-5, dan (ddpbsd) wrote: > > On Tue, Jan 6, 2015 at 10:12 AM

[ossec-list] Re:

2015-01-17 Thread grant
This has worked for me: C:\Windows\System32\cmd.exe Typically I stand up a basic windows syscheck like this: no yes yes c:\windows\system32 c:\windows\syswow64 Hope that helps sir. On Friday, January 16, 2015 at 8:45:08 AM UTC-5, alex petrov wrot

[ossec-list] Re: Fail to config ossec agent on Windows 8

2015-02-05 Thread grant
I have only tested one laptop, using English, installed as Administrator, and it works. That said, I cannot read the logs or access various files even though I am administrator; I have to launch the GUI first. I make all my changes on the OSSEC server and the Agent picks up the config from ther

[ossec-list] Re: Monitoring Windows AD account lockouts etc

2015-02-24 Thread grant
I would be interested in those as well. I have a few generic ones for other events of interest (workstation lock, console logon, network logon) but I am missing some good differentiation in failures and 4625 type events (related to your 4771 ) On Tuesday, February 24, 2015 at 4:09:34 PM UTC-5,

[ossec-list] how to change web UI password?

2011-06-06 Thread Noah Grant
I'm new to using OSSEC...does anyone know how to change the Web UI default password? It's installed as 'ossec' for the username and password but we'd like to change it to something more secure. Thanks! Noah

RE: [ossec-list] how to change web UI password?

2011-06-06 Thread Noah Grant
Thanks Dan, that did it :) Noah Grant Systems Engineer Ext. 3212 -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Monday, June 06, 2011 2:55 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] how to change

Re: [ossec-list] Re: local_rules question

2014-10-03 Thread Grant L
Level=0 makes no alert, as I am sure you are aware. See what your decoder.xml reports about SSHD and SSH: grep ssh /var/ossec/decoder.xml There are tons of paths to start there. Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Fri, Oct 3, 2014 at 2

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
That is kind of how it works for Windows, my company wrote a tool that will deploy them automatically for you. On Oct 13, 2014 12:20 PM, "David Masters" wrote: > The whole purpose of this exercise is to not have to go to each individual > machine to input the key and configuration. We have over

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
Do this for about 5 non-communicating servers at random. On the OSSEC-SERVER run 'tcpdump -i eth0 host port 1514' and see if the connection even makes it to the server. Also, note that OSSEC has to be installed as local admin or domain admin, else UAC kind of kills the application. Gra

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
I guessed at your eth interface; the command is sound, I just don't know what your OS looks like. SO tcpdump -i host and port 1514 -vvv Make sense? Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Mon, Oct 13, 2014 at 8:32 PM, David Masters

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-14 Thread Grant L
miss something > when I typed it in? > > On Monday, October 13, 2014 7:43:23 PM UTC-5, Grant L wrote: >> >> I guessed at your eth interface >> >> the command is sound, I just don't know what your OS looks like >> >> SO >> >> tcpdump -i host

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-14 Thread Grant L
Great point David Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Tue, Oct 14, 2014 at 12:00 PM, Rick McClinton wrote: > David, > > I'm not confident that notepad, wordpad, or notepad++ wouldn't hide the > byte order marker at

Re: [ossec-list] Re: Windows agents not connecting to OSSEC server

2014-10-17 Thread Grant L
/queue/rids# more sender_counter 81:5072:70:4350: Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Fri, Oct 17, 2014 at 2:52 PM, David Masters wrote: > I got most everything to work except at one site. After looking through > everything on th

Re: [ossec-list] Re: Windows Event ID 4625

2014-11-05 Thread Grant L
file I will post with results. All the best Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Tue, Nov 4, 2014 at 10:16 AM, Luke Goldman wrote: > Let me know if you get the decoders to work. Do you have tell ossec to > use the local_decoders.xml?

Re: [ossec-list] Syslog forwarding doesn't work with custom_alert_output

2015-01-07 Thread Grant L
Great point. We do see the custom alert in alerts.log Should we put in a request or just modify csyslogd ourselves? Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Wed, Jan 7, 2015 at 8:58 AM, dan (ddp) wrote: > On Wed, Jan 7, 2015 at 8:18 AM

[ossec-list] Re: Trying to create a application whitelist for Windows

2015-03-25 Thread Grant Leonard
Josh, some of these are really amazing. Thank you so much for sharing and posting that. All the best Grant On Wednesday, March 25, 2015 at 12:43:29 PM UTC-4, DefensiveDepth wrote: > > I have been doing some work in the area as well, but with Sysmon logs. > Feel free to look over wh

[ossec-list] Re: ossec-agent installation process automatization on windows

2015-05-15 Thread Grant Leonard
It should be enough, sir. Each agent needs its own key, but once the agent has the key and checks in with the server, it will pick up any custom configurations. All the best On Thursday, May 14, 2015 at 7:02:32 PM UTC-4, Daniil Svetlov wrote: > > Hi! > > I'm trying update ossec-agent key on wind

[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread Grant Leonard
Have you run a tcpdump or ngrep on the server to ensure packets are arriving on UDP port 1514? When the agent is initially restarted it begins a new dialog with the server and you should be able to see that on the wire. On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote: > > I h

[ossec-list] Re: OSSEC Agent Install - Windows

2015-05-21 Thread Grant Leonard
I wasn't aware that agent-auth works in Windows; I know some people have written things to make it work. Here is some code you can try: https://github.com/sedarasecurity/ossec-agent-auth/blob/master/build.sh I am sure there are others out there as well; typically we use a mass deploy script dependin

[ossec-list] Re: Rules

2015-06-06 Thread Grant Leonard
You can look up the codes here http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx https://technet.microsoft.com/en-us/library/dd941635%28v=ws.10%29.aspx https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 ...you have a 2008 server or newer,

Re: [ossec-list] #*#*#*#*#*# in client.keys on server. Is it hosed?

2015-07-02 Thread Grant Leonard
It is certainly what happens when deleting old agents. This is normal expected behavior. Check your ossec.log to look for errors with remote agents reporting in. On Wednesday, July 1, 2015 at 8:35:14 PM UTC-4, Michael Starks wrote: > > On 07/01/2015 04:50 PM, Jon Price wrote: > > I've had ~1000 ag

[ossec-list] Re: Information Request about Technical Expert on OSSEC installation near Venezuela

2015-07-02 Thread Grant Leonard
If the work can occur remotely, there are some really great companies that can help. I know of an awesome Spanish-speaking company that can help you out. Feel free to email me directly sir. All the best On Wednesday, July 1, 2015 at 5:28:04 PM UTC-4, Javier A. Nieto Salcedo wrote: > > Hi OSSEC

[ossec-list] Re: SEIM system with OSSEC.

2015-08-08 Thread Grant Leonard
Try Alienvault or OSSIM, they both make good use of OSSEC and add additional tools you will need for detecting the spread of malware On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote: > > Hello Experts. > How can I launch a SEIM for my local network and find the spread point of > m

Re: [ossec-list] Re: SEIM system with OSSEC.

2015-08-10 Thread Grant Leonard
are wide open, give it a try! https://www.alienvault.com/products/ossim Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Sun, Aug 9, 2015 at 10:46 AM, 'Jason Long' via ossec-list < ossec-list@googlegroups.com> wrote: > Thank you.

[ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2015-09-03 Thread Grant Leonard
I haven't seen this directory fill up unless it cannot talk to the server, and even in that case it did not take much disk space. What kind of size are you seeing? On Wednesday, August 19, 2015 at 10:51:26 AM UTC-4, Jamey B wrote: > > I'm making a CRON job to remove anything in the queue folder, w

[ossec-list] Re: Windows Server 2012 and automated ossec install

2015-09-17 Thread Grant Leonard
It is possible, our company has successfully pulled it off for another larger corporation On Wednesday, September 16, 2015 at 8:00:46 AM UTC-4, Chris Spangler wrote: > > Does anyone know if ossec will allow for an unattended install under > Windows Server 2012. It seems like I saw some issues i

Re: [ossec-list] Re: Windows Event ID 4625

2015-11-20 Thread Grant Leonard
We addressed this using an OSSIM plugin to read a different part of the alert log. Hope that helps sir. Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Fri, Nov 20, 2015 at 12:28 PM, Joshua Roback wrote: > I have a decoder that grabs the appropriat

[ossec-list] Re: Hacker or configuration error ?

2015-11-29 Thread Grant Leonard
Do you have a firewall at all? Are any server ports exposed to the world? Is it always /proc that is full? Where is all the space and how big is your hard drive? Could it be, given you are running a mail server, simply spam/email that has filled up your hard drive? This doesn't seem related to

[ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Grant Leonard
How can we get the ossec agent to read a localfile that overwrites itself? The CIS CAT benchmarks write a .txt file which we are reading with "syslog" as the local file. However, when the benchmark tests run, ossec does not appear to re-read the log; it's as if it never gets read again. As it t

Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-27 Thread Grant Leonard
Thanks, we will check into that today and see what we find. It appears it merely overwrites versus replacing though. All the best Grant On Friday, February 24, 2017 at 9:50:12 PM UTC-5, Victor Fernandez wrote: > > Hi Grant, > > how is that file overwritten? I mean, is it trun

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-27 Thread Grant Leonard
We will take a stab at it this week and see what we can uncover. All the best Grant On Friday, February 24, 2017 at 12:32:02 PM UTC-5, dan (ddpbsd) wrote: > > Any Windows users want to take a look at this? > > On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J. > > wrot

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-03-08 Thread Grant Leonard
I am in EST and I absolutely agree with you. I think we should spend no more than 30 minutes looking at your discovery, looking at logs in archives.log, then, as you noted, requesting an enhancement to ensure those log values are sent over by the agent. All the best Grant Leonard Castra

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-03-13 Thread Grant Leonard
with another "open source windows event agent to syslog" utility, the same issue was present. Grant On Wednesday, March 8, 2017 at 2:49:59 PM UTC-5, Grant Leonard wrote: > > I am in EST and I absolutely agree with you. I think we should spend no > more than 30 minutes lookin

[ossec-list] ossec-agent buffer and/or cache configurations

2017-07-19 Thread Grant Leonard
Two specific questions: Is the amount of logs cached/tracked configurable (specifically for linux agents) when the agent cannot reach the ossec-server? (Yes, I read the discussion from 2010; looking for updated thoughts here.) How, specifically, does the agent handle being down/restarted? For

Re: [ossec-list] How to collect only syscheck and rootcheck logs

2017-09-15 Thread Grant Leonard
HKEY_CURRENT_USER HKEY_CLASSES_ROOT Grant On Thursday, September 14, 2017 at 9:38:48 AM UTC-4, dan (ddpbsd) wrote: > > On Tue, Sep 12, 2017 at 12:09 AM, vikas > > wrote: > > Hi All, > > > > I am trying to collect only syscheck and rootcheck logs,

[ossec-list] Re: regex not working

2017-09-26 Thread Grant Leonard
Out of curiosity, can you post the raw message here? I would like to know what kind of log has "`" in it. All the best On Monday, September 25, 2017 at 4:23:30 AM UTC-4, Robert Necela wrote: > > Hello, i have message with character "`". But i can't write rule with such > character. \. -> For an

[ossec-list] Format email output from ossec-reportd and category list

2017-11-07 Thread Grant Leonard
Good morning. After the /var/ossec/bin/ossec-reportd runs, the tallies are left aligned, and when emailed the spacing is not kept from stdout to email. Thus stdout looks like this: Top entries for 'Group': pci_dss_10.6.1

Re: [ossec-list] Format email output from ossec-reportd and category list

2017-11-09 Thread Grant Leonard
the existing list Thanks! On Thursday, November 9, 2017 at 8:52:08 AM UTC-5, dan (ddpbsd) wrote: > > On Tue, Nov 7, 2017 at 9:58 AM, Grant Leonard > > wrote: > > > > Good morning > > > > After the /var/ossec/bin/ossec-reportd runs, the tallies are left

[ossec-list] Re: ossec / alienvault - issues getting application logs to AlienVault

2018-02-06 Thread Grant Leonard
sir! Note that this is for OSSEC and not Alienvault. I happen to run both and know what you are doing, though this group might not be the best place for Alienvault related questions of OSSEC All the best Grant On Monday, February 5, 2018 at 6:07:21 PM UTC-5, Sam Wallace wrote: > > Curr

[ossec-list] Looking for an older OSSEC version, 2.9.1 for MAC OS

2019-01-17 Thread Grant Leonard
Does anyone know where I can find this version, if it even exists? All the best Grant

Re: [ossec-list] Looking for an older OSSEC version, 2.9.1 for MAC OS

2019-01-18 Thread Grant Leonard
Thank you sir, this is the source code; I was hoping for binaries as I am not really awesome at making them for Mac from scratch, I don't use that OS. Thoughts? All the best Grant On Thursday, January 17, 2019 at 1:58:49 PM UTC-5, dan (ddpbsd) wrote: > > On Thu, Jan 17, 2019 at 1:

[ossec-list] Re: Monitoring Users logging on and off from Active Directory.

2019-05-31 Thread Grant Leonard
olicies and matching specific desktop events with Domain logon/logoff, as you can then filter out the connection to shared drives and such. All the best Grant On Friday, May 31, 2019 at 4:21:05 AM UTC-4, Kyriakos Stavridis wrote: > > Hello everyone. > > I am trying to use OSSEC to m