What to make of ossec-hosts.* files
fi...@vivaldi.net
Dec 16, 2014, 4:04:23 PM
to Ossec List
Hi,
I see a bunch of files in /var/ossec with names of the form
ossec-hosts.*. What are they and how can I stop the system from creating
them?
Here are a few examples.
ossec-hosts.1i6uugNQB3
ossec-hosts.BFHjPh9dwg
ossec-hosts.i4EvjkDXUh
ossec-hosts.U3thtpzm6b
ossec-hosts.1MeJfr9MGt
TIA,
--
finid
fi...@vivaldi.net
Dec 16, 2014, 4:19:15 PM
to ossec...@googlegroups.com
So those files appear to be temporary files. Shouldn't they be in /tmp,
instead of /var/ossec?
--
finid
Brent Morris
Dec 16, 2014, 4:28:51 PM
to ossec...@googlegroups.com
I think what you're seeing is what is described in CVE-2014-5284 -
http://www.ossec.net/?p=1135
Basically, they were in /tmp, and then a vulnerability was disclosed... so those files were moved from /tmp to /var/ossec in 2.8.1
fi...@vivaldi.net
Dec 16, 2014, 5:19:47 PM
to ossec...@googlegroups.com
Thanks.
Since they are all empty files, nothing should break if they are all
deleted, right?
--
finid
Nadir Boussoukaia
Apr 14, 2017, 6:02:25 PM
to ossec-list
For the record, what I do:
vi active-response/host-deny.sh
At the end, for TMP_FILE, you can replace occurrences of /var/ossec/ by /var/ossec/tmp
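
The pattern this thread discusses (a scratch file kept out of world-writable /tmp and placed in a private directory such as /var/ossec/tmp, then removed after use so ossec-hosts.* files do not pile up), as an added example that is not part of any post above and is not OSSEC's own code. The function names `private_tmpfile` and `with_tmpfile` are hypothetical; the directory and file prefix are supplied by the caller.

```shell
# Added example; function names are hypothetical, not OSSEC's own code.

# private_tmpfile DIR PREFIX: print the path of a new, empty, owner-only file.
private_tmpfile() {
    dir=$1
    prefix=$2

    # Refuse a symlinked directory: its real target could be anywhere.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi

    # Create the directory owner-only (0700) if it does not exist yet.
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi

    # Refuse a group- or world-writable directory, where another local
    # user could plant or swap files (the situation with /tmp).
    loose=$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)
    if [ -n "$loose" ]; then
        echo "refusing: $dir is group- or world-writable" >&2
        return 1
    fi

    # mktemp creates the file atomically with an unpredictable suffix.
    (umask 077 && mktemp "$dir/$prefix.XXXXXXXXXX")
}

# with_tmpfile DIR PREFIX CMD...: run CMD with the temp path appended as its
# last argument, then remove the file whether CMD succeeded or not.
with_tmpfile() {
    dir=$1; prefix=$2; shift 2
    tmp=$(private_tmpfile "$dir" "$prefix") || return 1
    rc=0
    "$@" "$tmp" || rc=$?
    rm -f -- "$tmp"
    return "$rc"
}
```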