Category Archives: ossec DNS and Content modified

If you visit you will notice a pretty new design and a new home for it. The server was officially moved to a Trend server and is now being managed by Vic Hargrave ( and the Trend team. If … Continue reading

Posted in ossec | Leave a comment

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those: <rule id=”31110″ level=”6″> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule>   It looks for the possibly dangerous … Continue reading

Posted in ossec, webattacks | Tagged , , | Leave a comment

Database Logging (PostgreSQL and MySQL)

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications). To enable on PostgreSQL (and be compatible with OSSEC): # Adding the timestamp, hostname and database. log_line_prefix … Continue reading

Posted in log analysis, ossec | Tagged , , , | Leave a comment

3WoO: Alerting on DNS (IP Address) changes

If you keep your DNS outside and you can’t monitor the zone files directly, a nice way to make sure the integrity of your DNS is intact is by checking remotely that it hasn’t been changed. With OSSEC, you can … Continue reading

Posted in ossec, v27 | Tagged , | 1 Comment

OSSEC v2.6 is out!

OSSEC v2.6 was just released (finally :)) and you can get more details here: We are very happy to announce the availability of OSSEC version 2.6. This has been a long release cycle, but it is here now with … Continue reading

Posted in ossec, v2.6 | Tagged , | 3 Comments

OSSEC 2.6 beta-1 available

This has been a long release cycle, but OSSEC 2.6 BETA1 is now available. Helping us out testing the beta version is a great way to contribute back to the project and the best way to get started on it. … Continue reading

Posted in beta, ossec | 7 Comments

Improved reporting for file changes (OSSEC)

One that that always annoyed me on OSSEC was that ossec-reported didn’t list the file changes (from syscheck) and that I couldn’t use the filtering options in there for them. Well, that’s solved now :) On the latest OSSEC snapshot … Continue reading

Posted in ossec | 2 Comments

Running multiple OSSEC decoders on the same event

If you need to run multiple decoders on the same log to extract additional pieces of information (and at the same time do not affect the original decoder), we have a simple way to do so. Just create multiple child … Continue reading

Posted in ossec, v2.6 | 2 Comments

Blocking repeated offenders with OSSEC

By default OSSEC has a static timeout on our active response scripts. You specify the action and how long to block the IP Address: <active-response> <command>host-deny</command> <location>local</location> <level>6</level> <timeout>600</timeout> </active-response> Which works well for most of the time. However, if … Continue reading

Posted in ossec, v2.6 | 4 Comments

Automatically creating and setting up the agent keys

The complain I hear more often about OSSEC is related to how hard it is to setup the authentication keys between the agents and the manager. Each agent share a key-pair with the manager, so if you have a thousand … Continue reading

Posted in ossec | 15 Comments