Search found 1669 matches

by mikeshinn
Mon Mar 02, 2020 5:53 pm
Forum: Requests
Topic: ClamAV 0.102.2
Replies: 2
Views: 7438

Re: ClamAV 0.102.2

Unfortunately 0.102.x isn't supported on el6/7; it requires a version of the curl API that's not available for those platforms (which is also why EPEL doesn't have updates to 1.102.x either). ClamAV has basically abandoned el6/7 with this choice. ClamAV 1.102.x is going to need to be re-written in those...
by mikeshinn
Tue Nov 12, 2019 5:22 pm
Forum: Atomic Protector (formerly ASL)
Topic: ASL - Logs
Replies: 1
Views: 5147

Re: ASL - Logs

WAF events are logged concurrently to the event data repository with one per event and are stored by default in this location on the system:

/var/asl/data/audit/apache
by mikeshinn
Wed Sep 25, 2019 3:23 pm
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 6351

Re: Long messages being truncated when sent using syslog_out

Ah, OK so that sounds like you're just using the open source builds? If so, then you need to grab the latest source code and build from that; the binary you're using is quite old and it looks like you're using 3.0, whereas the source tree has patches for the upcoming 4.0 release. If you're using the comme...
by mikeshinn
Tue Sep 17, 2019 4:35 pm
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 6351

Re: Long messages being truncated when sent using syslog_out

That's pretty old, I don't think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v
by mikeshinn
Wed Sep 11, 2019 10:35 am
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 6351

Re: Long messages being truncated when sent using syslog_out

Sorry if I wasn't clear, the latest version of AEO has no limit. What version of AEO is the hub using?

Just run this command:

asl -v
by mikeshinn
Fri Sep 06, 2019 8:41 am
Forum: OSSEC
Topic: Local installation version VS Agentless Server installation
Replies: 1
Views: 2851

Re: Local installation version VS Agentless Server installat

They're basically the same thing. You may want to disable some services that are used just with agents, like remoted, but otherwise a standalone instance is an OSSEC server as opposed to an agent.
by mikeshinn
Tue Aug 20, 2019 6:58 pm
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 6351

Re: Long messages being truncated when sent using syslog_out

Yes, the latest version of AEO allows for setting effectively an unlimited limit; just make sure you're using the latest version of AEO.
by mikeshinn
Thu Jul 18, 2019 1:29 pm
Forum: OSSEC
Topic: How to extract IP from Log
Replies: 4
Views: 3712

Re: How to extract IP from Log

What version of OSSEC are you using?
by mikeshinn
Fri Jul 05, 2019 2:59 pm
Forum: OSSEC
Topic: active-responses log filling up drive
Replies: 1
Views: 2799

Re: active-responses log filling up drive

It looks like you've included either /var or /var/ossec in your FIM settings, and configured them further to report the content of changes in those directories (record diffs). Just log into the AEO GUI, click on the "ASL" tab, select "File Integrity", then select "Watch R...
by mikeshinn
Fri Jul 05, 2019 2:54 pm
Forum: OSSEC
Topic: How to extract IP from Log
Replies: 4
Views: 3712

Re: How to extract IP from Log

Yes, you just need to create a decoder for that application/platform's log format, which will then allow you to assign key values for each position/pattern/delimiter in your log file. You'll find decoders in /var/ossec/etc/decoders.d/ For example: May 14 17:49:12 auth openvpn: Sun May 14 17:49:12 2017 2...
by mikeshinn
Fri Jul 05, 2019 2:50 pm
Forum: Atomic Protector (formerly ASL)
Topic: SACK
Replies: 7
Views: 7684

Re: SACK

It's not added into a table; it changes kernel settings.
by mikeshinn
Wed Jun 26, 2019 5:55 pm
Forum: Atomic Protector (formerly ASL)
Topic: SACK
Replies: 7
Views: 7684

Re: SACK

On older systems it was probably set to no; it is set to yes by default. Not sure when the change happened, though, but for some time it's been the default.
by mikeshinn
Thu Jun 20, 2019 4:33 pm
Forum: Atomic Protector (formerly ASL)
Topic: SACK
Replies: 7
Views: 7684

Re: SACK

Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL: FW_MSS_DROP="yes" ASL has always been immune to this kind of attack, for many, many years, if this is enabled. If you're not using ASL, then you want to check to se...
by mikeshinn
Tue Jun 18, 2019 3:57 pm
Forum: Atomic OSSEC
Topic: which agent reported the event?
Replies: 4
Views: 9315

Re: which agent reported the event?

Just a follow-up: the QA build will be released tomorrow into testing.
by mikeshinn
Thu Jun 13, 2019 4:37 pm
Forum: Atomic OSSEC
Topic: which agent reported the event?
Replies: 4
Views: 9315

Re: which agent reported the event?

Doug, I see what's happening. It is a setting, but a bug is causing it to be hidden in the current GUI. We're pushing an update out into QA to enable this column, and it'll be in the testing channel Monday. As soon as it's available I'll post that it's out. You'll be able to install the update from "t...