On 05/04/2011 08:32 PM, Martin Gottlieb wrote:
When I ran the command: sed -n 16741p logs/alerts/2011/May/ossec-alerts-04.log | bin/ossec-logtest
from within /var/ossec, the decoder did not extract the user and srcip fields. I then ran:
sed -n 16741p logs/alerts/2011/May/ossec-alerts-04.log |
On 5/4/2011 10:26 PM, Michael Starks wrote:
a random thought
Andy
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Martin Gottlieb
Sent: Thursday, 28 April 2011 1:23 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Active Response on Windows events
Well, I thought I was making progress, but now I'm not so sure. My MSSQL decoder has triggered a couple of active responses
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Martin Gottlieb
Sent: Thursday, 28 April 2011 7:36 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Active Response on Windows events
Good point, I should not be expecting email alerts on the level 5 rule. But since it's not recording the SrcIP value, it never triggers the level 10 rule, which I did also
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Martin Gottlieb
Sent: Thursday, 28 April 2011 8:13 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Active Response on Windows events
Thanks, that does work. The problem is that when a real intruder is triggering my level 5 rule (100245), it is not recording
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Martin Gottlieb
Sent: Sunday, 24 April 2011 3:16 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Active Response on Windows events
Awesome, thanks! The events I'm seeing generally take 2 forms:
SQL Server Events:
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: WINSERVER: Login failed for user 'admin'. [CLIENT: 203.81.30.248]
And general Windows Events:
WinEvtLog: Security:
time
The problem I found was that the Windows decoder in the server /dev/ossec/etc/decoder.xml does not extract the srcip, so you have nothing to work with to block.
Now this is what I replaced mine with:

  <decoder name="windows">
    <type>windows</type>
    <prematch>^WinEvtLog: </prematch>
    <regex>
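Added example, not code from the thread or from OSSEC itself: a Python stand-in for the decoder and rule behaviour Andy and Martin are discussing, showing why a header-only Windows decoder leaves nothing for a same-source-IP rule or an active response to act on. The sample line is constructed from the MSSQL event quoted earlier in the thread; the two regexes, the function names and the frequency threshold are my assumptions, not the contents of the real decoder.xml or the list member's replacement decoder.

```python
import re
from collections import defaultdict

# Constructed sample, built from the MSSQL audit failure quoted in the thread.
SAMPLE = ("WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): "
          "no domain: WINSERVER: Login failed for user 'admin'. [CLIENT: 203.81.30.248]")

# Parent-level parse (assumed shape of a header-only "windows" decoder): the fixed
# header fields up to the system name, then the free-text message is left alone.
WIN_HEADER = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): (?P<source>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<system>[^:]+): (?P<msg>.*)$")

# Child-level parse of the MSSQL message text: the quoted user name and client IP.
MSSQL_LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\]")

def decode_header_only(line):
    """Header fields only: 'user' is the literal '(no user)' and srcip is never set."""
    m = WIN_HEADER.match(line)
    if not m:
        return None
    return {"id": m["id"], "status": m["status"], "user": m["user"], "system_name": m["system"]}

def decode_with_client_ip(line):
    """Header fields plus user and srcip pulled from the MSSQL message text."""
    fields = decode_header_only(line)
    if fields is not None:
        body = MSSQL_LOGIN_FAILED.search(line)
        if body:
            fields["user"], fields["srcip"] = body["user"], body["srcip"]
    return fields

def highest_level(lines, decoder, frequency=3):
    """Mimic a level 5 per-event rule plus a level 10 frequency rule that needs
    `frequency` events from the same srcip. With no srcip decoded there is no key
    to group on, so the level 10 rule (and any response keyed on it) never fires."""
    per_ip = defaultdict(int)
    level = 0
    for line in lines:
        f = decoder(line)
        if f is None or f["id"] != "18456":
            continue
        level = max(level, 5)
        ip = f.get("srcip")
        if ip is None:
            continue
        per_ip[ip] += 1
        if per_ip[ip] >= frequency:
            level = 10
    return level
```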