I can't thank you (not help ...lol obviously I need to go to sleep
hehehehehe)
On Dec 6, 2:37 am, alsdks wrote:
> Dan,
>
> I can't help you enough for your help ...
>
> I went again through each step and got stuck again at the ossec-config
> part. The first time you mentioned it, I must have done so
On Mon, Dec 5, 2011 at 7:37 PM, alsdks wrote:
> Dan,
>
> I can't help you enough for your help ...
>
> I went again through each step and got stuck again at the ossec-config
> part. The first time you mentioned it, I must have done something
> wrong and it did not work.
> I try these settings in two en
Dan,
I can't help you enough for your help ...
I went again through each step and got stuck again at the ossec-config
part. The first time you mentioned it, I must have done something
wrong and it did not work.
I try these settings in two environments, a vm-lab and a live setup,
so I must have mixed
On Mon, Dec 5, 2011 at 8:30 AM, alsdks wrote:
> Hello Dan,
>
>
> As it turns out, it doesn't work for ssh too. The cdb list lookup
> rules/trusted_ips is not working. Major disappointment!
>
> Any ideas why it is not working?
>
>
> What I am trying to achieve is for each successful login (v
Hello Dan,
As it turns out, it doesn't work for ssh too. The cdb list lookup
rules/trusted_ips is not working. Major disappointment!
Any ideas why it is not working?
What I am trying to achieve is for each successful login (via ssh, rdp,
etc.) check the source IP against a list of trusted I
Well, I changed it also as you suggested just to see, but again no
luck...
Whatever change I make to the rules, I have even tried to overwrite
rule 18107 but nothing ...
Two things are what I am looking for: Event ID: 528 and within that
event logon type: 10
Then do the lookup against that cdb l
On Wed, Nov 30, 2011 at 3:23 PM, alsdks wrote:
> Hello Dan,
>
> Yes I run ossec-makelists (it said it did not need to be compiled)
>
> It is like this
> /var/ossec/rules/trusted_ips
>
I don't know if this affects you since you put the full path in there,
but lists should take the chroot into acc
Hello Dan,
Yes I run ossec-makelists (it said it did not need to be compiled)
It is like this
/var/ossec/rules/trusted_ips
The list is not a problem as it works as expected for sshd logins.
In Windows, however, as stated, I get alerted no matter if the IP is or
is not in the list.
Thank you
On