Category Archives: ossec

www.ossec.net DNS and Content modified

Posted on June 26, 2012 by danielcid

If you visit ossec.net you will notice a pretty new design and a new home for it. The server was officially moved to a Trend server and is now being managed by Vic Hargrave (ossec@vichargrave.com) and the Trend team. If … Continue reading →

Posted in ossec | Leave a comment

OSSEC rule for the PHP-CGI vulnerability

Posted on May 9, 2012 by danielcid

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those: <rule id=”31110″ level=”6″> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule> It looks for the possibly dangerous … Continue reading →

Posted in ossec, webattacks | Tagged logging, ossec, webattacks | Leave a comment

Database Logging (PostgreSQL and MySQL)

Posted on May 8, 2012 by danielcid

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications). To enable on PostgreSQL (and be compatible with OSSEC): # Adding the timestamp, hostname and database. log_line_prefix … Continue reading →

Posted in log analysis, ossec | Tagged database, log analysis, logging, ossec | Leave a comment

3WoO: Alerting on DNS (IP Address) changes

Posted on October 25, 2011 by danielcid

If you keep your DNS outside and you can’t monitor the zone files directly, a nice way to make sure the integrity of your DNS is intact is by checking remotely that it hasn’t been changed. With OSSEC, you can … Continue reading →

Posted in ossec, v27 | Tagged ossec, v2.7 | 1 Comment

OSSEC v2.6 is out!

Posted on July 19, 2011 by danielcid

OSSEC v2.6 was just released (finally :)) and you can get more details here: http://www.ossec.net/main/ossec-v2-6-released We are very happy to announce the availability of OSSEC version 2.6. This has been a long release cycle, but it is here now with … Continue reading →

Posted in ossec, v2.6 | Tagged ossec, v2.6 | 3 Comments

OSSEC 2.6 beta-1 available

Posted on June 7, 2011 by danielcid

This has been a long release cycle, but OSSEC 2.6 BETA1 is now available. Helping us out testing the beta version is a great way to contribute back to the project and the best way to get started on it. … Continue reading →

Posted in beta, ossec | 7 Comments

Improved reporting for file changes (OSSEC)

Posted on May 26, 2011 by danielcid

One that that always annoyed me on OSSEC was that ossec-reported didn’t list the file changes (from syscheck) and that I couldn’t use the filtering options in there for them. Well, that’s solved now :) On the latest OSSEC snapshot … Continue reading →

Posted in ossec | 2 Comments

Running multiple OSSEC decoders on the same event

Posted on April 5, 2011 by danielcid

If you need to run multiple decoders on the same log to extract additional pieces of information (and at the same time do not affect the original decoder), we have a simple way to do so. Just create multiple child … Continue reading →

Posted in ossec, v2.6 | 2 Comments

Blocking repeated offenders with OSSEC

Posted on February 11, 2011 by danielcid

By default OSSEC has a static timeout on our active response scripts. You specify the action and how long to block the IP Address: <active-response> <command>host-deny</command> <location>local</location> <level>6</level> <timeout>600</timeout> </active-response> Which works well for most of the time. However, if … Continue reading →

Posted in ossec, v2.6 | 4 Comments

Automatically creating and setting up the agent keys

Posted on January 19, 2011 by danielcid

The complain I hear more often about OSSEC is related to how hard it is to setup the authentication keys between the agents and the manager. Each agent share a key-pair with the manager, so if you have a thousand … Continue reading →

Posted in ossec | 15 Comments