Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)

73 questions
10
votes
2 answers

OSSEC large scale deployment

We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I am not sure if it does scale. Anyone has deployed…
lisa1987
  • 871
  • 1
  • 9
  • 17
7
votes
1 answer

OSSEC integrity checksum alert - what caused the change?

Recently installed OSSEC on Linux machine to test. Most results are expected, however yesterday I received emails with a number of notifications about Integrity checksum changing on files such as /usr/bin/whoami /usr/bin/md5sum /usr/bin/ls …
Eureka Ikara
  • 309
  • 5
  • 11
6
votes
4 answers

OSSEC disk space usage

A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder. I wanted to try something immediate so I deleted the contents of this…
Sinklar
  • 93
  • 1
  • 6
4
votes
1 answer

Postfix Send only Without a FQDN

I'm using OSSEC and Nagios to build a sort of HID system on our network. Everything is going smoothly so far; however I cannot get OSSEC to send email alerts. What I'm trying to do right now is get postfix to send out emails and then have OSSEC use…
Ryan
  • 143
  • 1
  • 3
4
votes
0 answers

How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

I have successfully configured an OSSEC server running on Ubuntu in AWS. I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC server via this command /var/ossec/bin/agent-auth…
Chris
  • 81
  • 1
  • 6
3
votes
1 answer

Suppress OSSEC email for failed root ssh

I'm running OSSEC as a HIDS on a Ubuntu 12.10 server, and it routinely (3-4x a day) sends me a notification like this: (note the last octet of the IP address has been changed to 'xxx' to protect the guilty) OSSEC HIDS Notification. 2013 Nov 21…
tkrajcar
  • 163
  • 6
3
votes
2 answers

OSSEC: Unblock an IP and increase tresshold

I just set up OSSEC, but I accidentally shut myself out already from my home ip. So does OSSEC have a function to unblock an IP after it is blocked or do I need to do this manually in iptables ? Also does OSSEC provide a way to temporary ban IP's ?…
Lucas Kauffman
  • 16,818
  • 9
  • 57
  • 92
3
votes
1 answer

PID ran away with all our MEM and SWAPPED hard - OSSEC RHEL

Forgive me for the length of this question... it is mostly details... only attempt to follow if you also enjoy reading log files... or drinking coffee. I'll state the questions first: 1) how the heck did a nano process fire off based on what…
Patrick R
  • 2,925
  • 1
  • 18
  • 27
2
votes
1 answer

How can I make the OSSEC server service start automatically on reboot?

I am running CentOS7 with OSSEC 2.9.2. Is there a way to make OSSEC automatically start the server after a reboot? Currently it appears to require that I run the ossec-control start after every reboot.
JadedCore
  • 121
  • 1
  • 6
2
votes
2 answers

OSSEC won't start, Error: queue not accessible

I'm trying to set up OSSEC on a CemtOS 6.5 server. This is to be installed as an agent, not a server or local instance. The package successfully installed and I created the clients.key file, but when I try to start the daemon I receive the error…
Liam
  • 164
  • 2
  • 6
2
votes
2 answers

Using OSSEC HIPS alongside rsyslog, overkill?

I have been tasked to harden our company linux servers. One of the problems that was outlined was the fact that logs are stored on the server which poses two problems: Difficult to aggregate and diagnose problems Not very secure, if a server is…
Rijndael
  • 163
  • 1
  • 4
2
votes
4 answers

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a pretty good job at that. We have looked at…
Dev
  • 21
  • 2
2
votes
1 answer

What is the purpose of filtering egressing traffic (CSF)?

For a while now I am using CSF as main firewall with LFD, and OSSEC as main IDS. (I like OSSEC over the overreacting builtin IDS of CSF). I tested it for small DoS attacks such a slowloris variants and synfloods. Works fine. Apache is running with…
BTZ
  • 23
  • 4
2
votes
1 answer

OSSEC agent behind NAT

I am working on an OSSEC deployment where I will have multiple agents behind 1 public IP. Below is an example of the setup Private Network OSSEC-Agent1 (192.168.1.10) OSSEC-Agent2 (192.168.50.33) OSSEC-Agent3 (10.10.10.1) Those IPs…
Eric
  • 1,373
  • 3
  • 17
  • 33
2
votes
1 answer

Ossec fields to Oracle DB

I would like some recommendations for the following problem. I use Ossec for log analysis. What I want, is after extracting the fields to save them in an Oracle database. For example, if I have this line IP:(\d+.\d+.\d+.\d+)@(\w+): (forcefield…
Nikolaidis Fotis
  • 1,994
  • 11
  • 13
1
2 3 4 5