[ossec-list] Problem with Windows decoder

2010-08-16 Thread rafael.gomes
Guys, I have a domain controller with the ossec agent. Below are the default rules of ossec: 18105 ^672|^673|^675|^676|^681|^4769 Windows DC Logon Failure. win_authentication_failed, Logon failed put the information in my log files: Rule: 18139 (level 5) -> 'Windows DC Logon Failure.

Re: [ossec-list] Re: Alerting Configuration and Alerting for ModSecurity Events

2010-08-04 Thread rafael.gomes
Guys, Sorry for bringing up this older mail, but I have another question. I need to put it in /var/ossec/rules/local_rules.xml on the ossec server, right? Best regards, Rafael Brito Gomes Security Analyst LPIC-1 MCSO DISUP/CPD/UFBA Tel: +55 71 3283 6100 On 01-10-2009 12:02, McClinton, Rick wrote

Re: [ossec-list] Windows rule exception

2010-05-31 Thread rafael.gomes
7;Server1' **Phase 3: Completed filtering (rules). Rule id: '181510' Level: '0' Description: 'Multiple failed attempts to perform a privileged operation by the same user.' On Fri, May 28, 2010 at 3:26 PM, rafael.gomes wrote: I already

Re: [ossec-list] Windows rule exception

2010-05-28 Thread rafael.gomes
l: '4' Description: 'Failed attempt to perform a privileged operation.' **Alert to be generated. On Thu, May 27, 2010 at 6:17 PM, rafael.gomes wrote: Guys, I have a log that Microsoft told me is not a problem, so I want to create an exception for this (until I solve this

Re: [ossec-list] Windows rule exception

2010-05-28 Thread rafael.gomes
, rafael.gomes wrote: Dan, I created this rule: 18108 user1 Multiple failed attempts to perform a privileged operation by the same user. But when I restarted my service, I got this error: 2010/05/28 13:53:09 ossec-analysisd: Invalid option 'dstuser' for rule '1815

[ossec-list] Windows rule exception

2010-05-27 Thread rafael.gomes
Guys, I have a log that Microsoft told me is not a problem, so I want to create an exception for this (until I solve this problem): Received From: (server1) 10.1.1.1->WinEvtLog Rule: 18151 fired (level 10) -> "Multiple failed attempts to perform a privileged operation by the same user." P

[ossec-list] Rule of Spam

2010-05-18 Thread rafael.gomes
Guys, Are there any rules in OSSEC to catch SPAM? I am having problems with SPAM and I want to know when it is happening and block it. My MTA is Postfix. Thanks! -- Best regards, Rafael Brito Gomes Security Analyst LPIC-1 MCSO DISUP/CPD/UFBA Tel: +55 71 3283 6100

[ossec-list] Problem to send emails

2010-05-11 Thread rafael.gomes
Guys, Sometimes I get emails whose subject names one server but whose body is about another server; has anyone got this error too? Sometimes I get an email with many servers in the body, but the subject is about only one of these servers. My OSSEC version is 2.4, both server and agents -- Best regards

[ossec-list] Question about BAD_WORDS

2010-05-11 Thread rafael.gomes
Guys, What is the purpose of that BAD_WORDS? In my case I always get false positives for this rule (number 1002). IMO we should remove this rule from OSSEC. What do you think? -- Best regards, Rafael Brito Gomes Security Analyst LPIC-1 MCSO DISUP/CPD/UFBA Tel: +55 71 3283 6100

Re: [ossec-list] Problem to add a new client

2010-04-23 Thread rafael.gomes
Yes, I restarted the agent and the server. Best regards, Rafael Brito Gomes Security Analyst LPIC-1 MCSO DISUP/CPD/UFBA Tel: +55 71 3283 6100 On 23-04-2010 02:19, Nerijus Krukauskas wrote: > On 2010-04-22, rafael.gomes wrote: >>

[ossec-list] Problem to add a new client

2010-04-22 Thread rafael.gomes
Guys, I added a new host to the OSSEC environment, but it doesn't work. - From the server I got this log: 2010/04/22 15:47:18 ossec-remoted(1403): ERROR: Incorrectly formated message from '1.2.3.4'. - From the new client I got this log: 2010/04/22 15:52

Re: [ossec-list] Alert fires at level 10 but doesn't active response

2010-03-19 Thread rafael.gomes
act a source IP from the log entry > > You do not need to do any coding here. Just some XML descriptions. > > What alerts is ossec giving you for your rule? > > On Thu, Mar 18, 2010 at 9:05 PM, rafael.gomes <rafael.go...@ufba.br> wrote: > > Hi Guys,

[ossec-list] Alert fires at level 10 but doesn't active response

2010-03-18 Thread rafael.gomes
Hi Guys, I am getting this message in my OSSEC: Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, user=u...@domain.com, ip=[:::18.104.87.110] Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, user=u...@domain.com, ip=[:::18.104.87.110]

[ossec-list] Two match in the same rule

2010-03-17 Thread rafael.gomes
Guys, How can I create a rule with two match parameters? Ex: WinEvtLog: Security: AUDIT_SUCCESS(520): Security: SYSTEM: NT AUTHORITY: SERVER01: The system time was changed. Process ID: 2201 Process Name: C:\Program Files\VMware\VMware Tools
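An added example for this question, written for this page and not taken from the post or from the OSSEC rule set: an OSSEC rule takes a single <match>, so the usual way to require a second pattern is a child rule chained with <if_sid>, which is only evaluated for events that already matched the parent. Rule ids 100010 and 100011 and the levels are assumptions for illustration; 18100 is OSSEC's base rule for WinEvtLog events, and 520 is the event id in the sample line.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not from the
     ossec-list post. Rule ids 100010/100011 and the levels are assumed.
     Target line (from the post):
     WinEvtLog: Security: AUDIT_SUCCESS(520): ... The system time was
     changed. Process ID: 2201 Process Name: C:\Program Files\VMware\VMware Tools -->
<group name="local,windows,">

  <!-- First condition: Windows event id 520 (decoded into the "id" field
       by the windows decoder) whose text says the system time changed.
       18100 is the base "Group of windows rules." -->
  <rule id="100010" level="5">
    <if_sid>18100</if_sid>
    <id>^520$</id>
    <match>The system time was changed</match>
    <description>Windows system time changed.</description>
  </rule>

  <!-- Second condition, checked only on events that matched 100010:
       the process that changed the clock is VMware Tools, so drop the
       alert to level 0. Any other process keeps the level-5 alert. -->
  <rule id="100011" level="0">
    <if_sid>100010</if_sid>
    <match>VMware Tools</match>
    <description>System time changed by VMware Tools (guest clock sync); ignored.</description>
  </rule>

</group>
```

Feed the sample line to /var/ossec/bin/ossec-logtest after restarting: a VMware Tools line should end Phase 3 with Rule id 100011 at Level 0, while the same event from any other process stops at 100010. Local rule ids should stay at 100000 or above, the range OSSEC reserves for user rules.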

[ossec-list] Word "error" in web apps logs

2009-10-08 Thread rafael.gomes
Hi Guys, How can I ignore the word "error" when it appears in a web app log? The GET method is something like this: "GET /20.htm HTTP/1.1" 200 125258 "http://dnserros.oi.com.br/main?ClientLocation"; "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWeb
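An added example that serves both the "Windows rule exception" thread above and this question together with the BAD_WORDS (rule 1002) one: two suppression rules for /var/ossec/rules/local_rules.xml, written for this page rather than taken from the list posts or from OSSEC. The "Invalid option 'dstuser'" error in that thread comes from using a decoder field name as a rule option; the rule option that matches the decoded user is <user>. Rule ids 100001 and 100002, the user name user1 and the choice to key the second exception on the web-accesslog decoder are assumptions; 18151 and 1002 are the rule ids quoted in the posts.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not from the
     ossec-list posts. Rule ids 100001/100002 and "user1" are assumed. -->
<group name="local,">

  <!-- Exception for rule 18151 ("Multiple failed attempts to perform a
       privileged operation by the same user") for one known-benign
       account. <user> is the rule option (sregex, anchored here so
       "user10" is not matched); <dstuser> is a decoder field, not a
       rule option, hence the "Invalid option 'dstuser'" error. -->
  <rule id="100001" level="0">
    <if_sid>18151</if_sid>
    <user>^user1$</user>
    <description>Rule 18151 ignored for user1 (vendor says it is not a problem).</description>
  </rule>

  <!-- Exception for rule 1002 ($BAD_WORDS): it matches "error" in any
       log, including a referer URL in an Apache access log. Apache
       access logs are handled by the web-accesslog decoder, so when
       1002 fires on one of those, lower it to level 0 instead of
       removing 1002 for every other log source. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <decoded_as>web-accesslog</decoded_as>
    <description>BAD_WORDS (1002) suppressed on web access log entries.</description>
  </rule>

</group>
```

After a restart, paste the original alert lines into /var/ossec/bin/ossec-logtest: Phase 3 should now report the local rule id with Level 0, the same output format quoted in the thread above. Keeping the exception narrow (one user, one decoder) preserves 18151 and 1002 everywhere else.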