Very strange issue - OSSEC will intermittently fail to generate an alarm
for a specific decoder/rule. All systems are RHEL, iptables is disabled.
OSSEC HIDS v2.6 - Trend Micro Inc.
/etc/init.conf:
DIRECTORY="/var/ossec"
VERSION="v2.6"
DATE="Thu Nov 10 18:57:58 CST 2011"
TYPE="server"
Here is t
y rule? The fact that I need to restart OSSEC when I
make changes to the rule is a bit of a problem due to issue "1" above (unless
it's not causing alerts to be dropped?)
On Friday, June 1, 2012 6:17:57 PM UTC-5, mcrane0 wrote:
>
> Very strange issue - OSSEC will intermitte
All of the links posted result in a 404
On Wednesday, January 18, 2012 7:33:21 AM UTC-6, treydock wrote:
>
> I finally got some time and have uploaded my latest SRPM here,
> http://itscblog.tamu.edu/ossec-2-6-rpms-for-centos/#srpms. I've only
> tested it on CentOS 6.0 - 6.2 as that's all I have
I have an alert set up to email certain distributions when a set of files
are changed on two hosts. It's emailing the wrong people and I have
absolutely no clue why.
It's emailing the two users in the global config, and *only* the distribution
list from the email_alerts section.
*Simply pu
RE: Jumbled mess, sorry, I tried to format it best I could in Rich Text
view.
> Did the 10+ contain a 100300 alert?
>
Strangely enough, no. It was all 100301, among others. It was pretty much
all rules over 10+ (the email threshold at the time) and rules configured
to blast email. I think
Subject says it all. I'd like to know if it's possible to have Syscheck or
the File Integrity monitoring tools record what user made the change as
part of its alerting capabilities.
Thanks!
Can you elaborate on this? It is a UNIX environment, would this tell us
what user made changes to a file in conjunction with file integrity alerts?
On Friday, November 9, 2012 12:13:53 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Nov 9, 2012 at 1:04 PM, mcrane0 >
> wrote:
> > S
I misunderstood, I thought you were talking about policy auditing within
OSSEC relating to the OS. /var/log/secure alerting should suffice in
correlating file changes.
On Friday, November 9, 2012 1:04:53 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Nov 9, 2012 at 1:45 PM, mcrane0 >
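Syscheck itself only records that a file changed, not who changed it, so the correlation the post above describes has to be done outside OSSEC. The following is an added example, not code from the thread or from OSSEC: it pairs rule 550 "Integrity checksum changed" entries from alerts.log with sudo lines from /var/log/secure on the same host that name the changed path inside a time window. The alerts.log layout and the sudo line format are the standard ones; both sample inputs, the host name, the user names and the five-minute window are constructed assumptions.

```python
"""Correlate OSSEC syscheck alerts with sudo entries from /var/log/secure.

Added example for the thread, not part of OSSEC. Assumes the classic
alerts.log layout for rule 550 and the sudo line format RHEL writes to
/var/log/secure. Both inputs below are constructed samples.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt of /var/ossec/logs/alerts/alerts.log (two syscheck alerts).
ALERTS_LOG = """\
** Alert 1352487893.24780: mail  - ossec,syscheck,
2012 Nov 09 13:04:53 (web01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/fstab'
Size changed from '813' to '850'

** Alert 1352488500.24801: mail  - ossec,syscheck,
2012 Nov 09 13:15:00 (web01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

# Constructed excerpt of /var/log/secure on the same host (syslog lines carry no year).
SECURE_LOG = """\
Nov  9 13:04:40 web01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/vi /etc/fstab
Nov  9 13:10:02 web01 sshd[4133]: Accepted publickey for asmith from 192.0.2.50 port 51022 ssh2
Nov  9 13:14:58 web01 sudo:   asmith : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/sed -i s/old/new/ /etc/hosts
"""

ALERT_TIME_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((\S+)\) ")
ALERT_PATH_RE = re.compile(r"^Integrity checksum changed for: '([^']+)'")
SUDO_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) sudo: +(\S+) : .*COMMAND=(.*)$"
)


def parse_alerts(text):
    """Return [(timestamp, host, path)] for each syscheck change alert."""
    results = []
    ts = host = None
    for line in text.splitlines():
        m = ALERT_TIME_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
            host = m.group(2)
            continue
        m = ALERT_PATH_RE.match(line)
        if m and ts is not None:
            results.append((ts, host, m.group(1)))
    return results


def parse_sudo(text, year):
    """Return [(timestamp, host, user, command)] for each sudo line."""
    results = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year; borrow it from the alerts being checked
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        results.append((ts, m.group(2), m.group(3), m.group(4)))
    return results


def correlate(alerts, sudo_entries, window=timedelta(minutes=5)):
    """Map each alert to the sudo commands on the same host that mention the
    changed path and ran within `window` before the alert fired."""
    matches = {}
    for ts, host, path in alerts:
        matches[(ts, host, path)] = [
            (user, cmd)
            for sts, shost, user, cmd in sudo_entries
            if shost == host and path in cmd and ts - window <= sts <= ts
        ]
    return matches


def run(alerts_text=ALERTS_LOG, secure_text=SECURE_LOG):
    """Return {changed_path: [users whose sudo command touched it]}."""
    alerts = parse_alerts(alerts_text)
    year = alerts[0][0].year if alerts else datetime.now().year
    sudo = parse_sudo(secure_text, year)
    return {path: [u for u, _ in hits]
            for (_, _, path), hits in correlate(alerts, sudo).items()}


if __name__ == "__main__":
    for path, users in run().items():
        print(f"{path}: {', '.join(users) or 'no sudo match'}")
```

Two caveats for anyone running this against real logs: the window has to cover the gap between the edit and the alert, which for a scheduled (non-realtime) syscheck scan is up to the configured `frequency`, not seconds; and a sudo line only names a path when it appears on the command line, so an editor opened without arguments, or a script that writes the file, leaves nothing to match. For reliable attribution the kernel audit subsystem (auditd with a `-w /etc -p wa` watch) records the uid with each write.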
Trying to include filesystem integrity alert diffs.
Testing with /etc
I have verified that both ossec.conf on server and
/var/ossec/etc/shared/agent.conf has 'report_changes=yes' for /etc.
/var/ossec/queue/diff/local/etc/fstab folder includes the diff file on the
client.
The alert triggers,
What is your distribution?
On Tuesday, November 13, 2012 1:33:40 PM UTC-6, Jose Sento Se wrote:
>
> Hi, I was trying to install Ossec 2.7rc1 and I got the following message:
>
> 5- Installing the system
>
> - Running the Makefile
>
> ./install.sh: line 88: make: command not found
>
> How can I sol
g level to 2 on
client and see no change in logging. It's very frustrating as a.) the
alert is triggering and, b.) the diff is appearing in
/var/ossec/queue/diff/local/etc/, but it's not being reported with
the alert.
On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
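For reference, this is the syscheck block the posts above (the report_changes=yes setup for /etc, and the later note that the diff sits in queue/diff but never reaches the alert) are talking about, written as it would appear in /var/ossec/etc/shared/agent.conf. It is an added example, not the poster's configuration: the frequency, the ignore entry and the os filter are assumptions.

```xml
<agent_config os="Linux">
  <syscheck>
    <!-- seconds between scans; without realtime a change is only seen at the next scan -->
    <frequency>7200</frequency>
    <!-- report_changes="yes": the agent keeps a copy of each monitored text file under
         /var/ossec/queue/diff/local/<path> and sends a diff with the checksum-change alert -->
    <directories check_all="yes" report_changes="yes">/etc</directories>
    <!-- constantly rewritten files would otherwise alert on every scan -->
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
```

The same `<syscheck>` block, without the `<agent_config>` wrapper, goes inside `<ossec_config>` in the manager's ossec.conf for local monitoring. Only text files get a diff; binary files still alert but carry no change text.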
Also of note: no difference between pre-compiled binaries installed from
custom RPM package and package manually compiled on server.
On Thursday, November 15, 2012 9:36:48 AM UTC-6, mcrane0 wrote:
>
> It's worth noting that this is only occurring in our Linux environment.
> The
post the relevant
> ossec.conf section here?
>
> On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote:
>>
>> It's worth noting that this is only occurring in our Linux environment.
>> The AIX agents are correctly reporting diffs with file integrity
g
/var/log/messages
syslog
/var/log/secure
syslog
/var/log/maillog
On Wednesday, November 28, 2012 9:35:40 AM UTC-6, dan (ddpbsd) wrote:
>
> On Wed, Nov 28, 2012 at 10:01 AM, mcrane0 >
> wrote:
> > ossec.conf on server, relevant portion