[Ossec-list] [ossecm@xxxxxxxxxxxxxxxx: OSSEC Hids Notification - Alert level 12]
- From: kayvan at sylvan.com (Kayvan A. Sylvan)
- Date: Mon, 8 May 2006 12:31:23 -0700
How about anchoring the regexp like this?
<var name="SYS_USERS">^(apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|shutdown|bin|daemon|postfix|shell|info|guest|psql)$</var>
Best regards,
---Kayvan
On Mon, May 08, 2006 at 02:53:45PM -0300, Daniel Cid wrote:
> Hi Kayvan,
>
> This is a terrible behavior. If you can go to your
> /var/ossec/rules/attack_rules.xml
> and remove the user "bin" from the SYS_USERS variable, it should fix
> the problem.
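
The effect of the anchoring suggested above, as an added example that is not part of the original messages: it checks which ordinary account names each form of the SYS_USERS pattern would flag. Python's `re` is used as a stand-in for OSSEC's own matcher (an assumption, since that matcher may treat grouping differently, which is why a per-name form is included), and the account names are constructed.

```python
import re

# User list copied from the SYS_USERS variable quoted in the message above.
SYS_USERS = ("apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|"
             "shutdown|bin|daemon|postfix|shell|info|guest|psql")
SYSTEM = SYS_USERS.split("|")

PATTERNS = {
    # Original form: any name merely containing a listed word matches.
    "unanchored": SYS_USERS,
    # Anchors without a group bind only to the first and last alternative.
    "edge_anchors_only": "^" + SYS_USERS + "$",
    # The form proposed in the message: one group, anchored as a whole.
    "grouped": "^(" + SYS_USERS + ")$",
    # Equivalent form that does not depend on grouping support.
    "per_name": "|".join("^" + name + "$" for name in SYSTEM),
}

# Constructed, non-system account names that each contain a listed word.
ORDINARY = ["robin", "sabine", "email", "informix", "shellyk",
            "apache2", "mypsql"]


def false_positives(pattern, names=ORDINARY):
    """Ordinary accounts the pattern would wrongly treat as system users."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def missed(pattern, names=SYSTEM):
    """Real system accounts the pattern fails to match."""
    rx = re.compile(pattern)
    return [n for n in names if not rx.search(n)]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label:18} false positives: {false_positives(pattern)}"
              f"  missed: {missed(pattern)}")
```
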
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.