Atomicorp

So this error: 2 9901 ASLCommon::cmd_exec ERROR: '(1) /usr/sbin/apachectl -t 2>&1 >/dev/null -- httpd: Syntax error on line 1 of /etc/httpd/conf/httpd.conf: Syntax error on line 3 of /etc/httpd/conf.d/00_mod_security.conf: Cannot load modules/mod_security2.so into server: /etc/httpd/modules/mod_...

Unfortunately 0.102.x isnt supported on el6/7 it requires a version of the curl api thats not available for those platforms (which is also why epel doesnt have updates to 1.102.x either). clamav has basically abandoned el6/7 with this choice. clamav 1.102.x is going to need to be re-written in those...

WAF events are logged concurrently to the event data repository with one per event and are stored by default in this location on the system:

/var/asl/data/audit/apache

Ah, OK si that sounds like youre just using the open source builds? If so, then you need to grab the latest source code and build from that the binary your using is quite old and it looks like youre using 3.0, whereas the source tree has patches for the upcoming 4.0 release. If youre using the comme...

Thats pretty old, I dont think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v

Sorry if I wasnt clear, the latest version of AEO has no limit. What version of AEO is the hub using?

Just run this command:

asl -v

They basically the same thing. You may want to disable some services that are used just with agents, like remoted but otherwise a standalone instance is an ossec server as opposed to an agent.

Yes the latest version of AEO allows for setting effectively an unlimited limit, just make sure youre using the latest version of AEO.

What version of OSSEC are you using?

It looks like youre included either /var or /var/ossec in your FIM settings, and configured them further to report the content of changes in those directories (record diffs). Just log into the AEO GUI, and Click on the "ASL" tab, select "File Integrity", then select "Watch R...

Yes, you just need to create a decoder for that application/platforms log format, which will then allow you assign key values for each position/pattern/delimiter in your log file. You'll find decoders in /var/ossec/etc/decoders.d/ For example: May 14 17:49:12 auth openvpn: Sun May 14 17:49:12 2017 2...

Its not added into a table, it changes kernel settings.

On older systems it was probably set to no, it is set to yes by default not sure when the change happened though but for sometime its been the default.

Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL: FW_MSS_DROP="yes" ASL has always been immune to this kind of attack, for many many years if this is enabled. If youre not using ASL, then you want to check to se...

Just a followup, the QA build will be released tomorrow into testing.