Search found 1685 matches

by mikeshinn
Tue Jun 16, 2020 4:10 pm
Forum: OSSEC
Topic: ossec-remoted not binding to ipv4?
Replies: 13
Views: 75793

Re: ossec-remoted not binding to ipv4?

The 4.0 RPMs are available here:

https://updates.atomicorp.com/channels/ossec-hub-repo/

And the 4.2.x RPMs are available here:

https://updates.atomicorp.com/channels/awp-hub-repo/
by mikeshinn
Mon Jun 08, 2020 5:03 pm
Forum: OSSEC
Topic: ossec-remoted not binding to ipv4?
Replies: 13
Views: 75793

Re: ossec-remoted not binding to ipv4?

OK, I see what's going on, your system is using the old 3.x open source branch, there's a bug in the branch for remoted. You'll want to upgrade to the 4.x branch.
by mikeshinn
Wed Jun 03, 2020 3:46 pm
Forum: OSSEC
Topic: ossec-remoted not binding to ipv4?
Replies: 13
Views: 75793

Re: ossec-remoted not binding to ipv4?

I have the version which was installed using the instructions from my initial post. How do I find from the command-line what version is installed?

Just query the operating system software management system, for example:

rpm -qa ossec*

For example:

[mshinn@threat ~]$ rpm -qa ossec*
ossec-hids-4.2.2-...
by mikeshinn
Mon Jun 01, 2020 5:22 pm
Forum: Firewall Help and Discussion
Topic: PCI Scanner Whitelist IP Range
Replies: 1
Views: 8535

Re: PCI Scanner Whitelist IP Range

You can whitelist a CIDR or IP by running this command as root:

asl -w 1.2.3.0/24

And on v6:

awp -w 1.2.3.0/24
by mikeshinn
Mon Jun 01, 2020 5:20 pm
Forum: OSSEC
Topic: ossec-remoted not binding to ipv4?
Replies: 13
Views: 75793

Re: ossec-remoted not binding to ipv4?

Are you using the open source OSSEC only? And if so, what version? Understood, however, shouldn't the service run on both protocols, or at least be binding to IPv4 in the first instance as still the standard? I'm not sure I understand, remoted will run on both protocols at the same time. It will not...
by mikeshinn
Thu May 28, 2020 3:56 pm
Forum: OSSEC
Topic: ossec-remoted not binding to ipv4?
Replies: 13
Views: 75793

Re: ossec-remoted not binding to ipv4?

Does ossec-remoted not bind to IPv4 by default?

It runs on IPv4 too, for example:

[root@host ~]# netstat -anupl | grep ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 11174/ossec-remoted
[root@host ~]#

However, if an IPv4 interface wasn't plumbed when the service was started, then you would only see it...
by mikeshinn
Wed May 27, 2020 5:10 pm
Forum: OSSEC
Topic: ossec-remoted not binding to ipv4?
Replies: 13
Views: 75793

Re: ossec-remoted not binding to ipv4?

Assuming the agent is trying to connect to the remoted service running on an IPv4 IP, no it doesn't look like you have ossec-remoted running on an IPv4 address. Is the hub system plumbed with an IPv4 address? Alternatively you can use IPv6. If so, what happens if you restart the ossec-hids service? P...
by mikeshinn
Fri May 15, 2020 2:40 pm
Forum: Atomicorp Modsecurity Rules Support
Topic: Support CentOS 8?
Replies: 9
Views: 22439

Re: Support CentOS 8?

I'm not sure if Plesk makes the rules available in some other way, but if they provided you with a username and password you can just log into our rules archive with those credentials and download the rules.
by mikeshinn
Thu May 14, 2020 5:14 pm
Forum: Atomicorp Modsecurity Rules Support
Topic: Support CentOS 8?
Replies: 9
Views: 22439

Re: Support CentOS 8?

You can however install the rules on your server outside of Plesk, just follow this process:

https://wiki.atomicorp.com/wiki/index.p ... stallation
by mikeshinn
Mon May 04, 2020 12:41 pm
Forum: Atomicorp Modsecurity Rules Support
Topic: Support CentOS 8?
Replies: 9
Views: 22439

Re: Support CentOS 8?

We can't speak for Plesk, they may have their own process for installing and configuring modsecurity, but modsecurity rules are not platform dependent. Simply load the rules into modsecurity on whatever platform you are using and they'll work.
by mikeshinn
Mon May 04, 2020 12:39 pm
Forum: Atomicorp Free Modsecurity Rules
Topic: BUG: ModSecurity kills posting in this forum?!
Replies: 3
Views: 10430

Re: BUG: ModSecurity kills posting in this forum?!

Certainly, the supported rules provide a lot more information and support is provided for any issues the same day the issue is reported, updates for false positives for example are provided the same day they are reported, our goal is to provide any update within an hour.
by mikeshinn
Sat May 02, 2020 4:38 pm
Forum: Atomicorp Free Modsecurity Rules
Topic: BUG: ModSecurity kills posting in this forum?!
Replies: 3
Views: 10430

Re: BUG: ModSecurity kills posting in this forum?!

It looks like you're using the unsupported free rules, is that correct?
by mikeshinn
Sat May 02, 2020 4:37 pm
Forum: Atomicorp Modsecurity Rules Support
Topic: Support CentOS 8?
Replies: 9
Views: 22439

Re: Support CentOS 8?

The rules are supported on any platform that supports modsecurity, that includes CentOS 8.
by mikeshinn
Wed Apr 01, 2020 6:22 pm
Forum: OSSEC
Topic: ossec-Maild High CPU Utilization
Replies: 1
Views: 7485

Re: ossec-Maild High CPU Utilization

Can you put ossec-maild into debug mode and share what's happening when it's using an unusually high amount of CPU?
by mikeshinn
Wed Mar 11, 2020 5:43 pm
Forum: Atomic Protector (formerly ASL)
Topic: error duing asl -s scan
Replies: 5
Views: 20415

Re: error duing asl -s scan

That means these options are disabled in ASL/AWP:

Advanced Malware Removal Ruleset: off [MODERATE] https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_98_ADV_REDACTOR
Just In Time Patches: off [HIGH] https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_99_JITP
Basic Malware Removal Ruleset:...