Re: [ossec-list] am I doing this wrong


dan (ddp)

Oct 2, 2012, 10:43:00 AM
to ossec...@googlegroups.com
On Tue, Oct 2, 2012 at 10:38 AM, Tom Hangstin <emada...@gmail.com> wrote:
> So I have an OSSEC server up and a few agents out there, but when I scan an
> agent system with Nessus or nmap I don't get any emails or even a blip on the
> server. I'm using 2.7 b1 and OSWUI. Am I doing something wrong?

Maybe; you don't really give us enough information to know. What kinds
of logs are you seeing that should be triggering alerts? Provide
samples and maybe we can help you make that happen.

Tom Hangstin

Oct 2, 2012, 11:00:13 AM
to ossec...@googlegroups.com
Well, the agents are on Windows 7 machines, which I think just monitor the Windows event log, and like I said nothing gets reported to the server. Does OSSEC not detect scans?

dan (ddp)

Oct 2, 2012, 11:06:31 AM
to ossec...@googlegroups.com
On Tue, Oct 2, 2012 at 11:00 AM, Tom Hangstin <emada...@gmail.com> wrote:
> Well, the agents are on Windows 7 machines, which I think just monitor the
> Windows event log, and like I said nothing gets reported to the server. Does
> OSSEC not detect scans?
>

I think you're asking the wrong question. You should be asking yourself
"What logs were created by the scan that should be causing alerts?"
OSSEC looks at the logs created by the system and its applications;
what log entries do you think should have alerted you?

Also, scan is such a generic term. By itself it's basically useless.

Tom Hangstin

Oct 2, 2012, 11:14:58 AM
to ossec...@googlegroups.com
OK, my bad. I assumed a full scan from Nessus would give off some red flags because it's so loud, and I'm switching from Snort "which would alert to things like Nessus scans" to OSSEC. Thanks for helping me see the light.

On Tue, Oct 2, 2012 at 10:07 AM, Kat <uncom...@gmail.com> wrote:
Scanning does not necessarily provide a "blip". Do you have any kind of tool logging scans, or are you doing something beyond an nmap scan, such as brute force login attempts? Something has to create a log entry for OSSEC to see. Based on what you are saying: is there any kind of entry in any of the event logs showing that a scan was happening? OSSEC would see that.

dan (ddp)

Oct 2, 2012, 11:18:22 AM
to ossec...@googlegroups.com
On Tue, Oct 2, 2012 at 11:14 AM, Tom Hangstin <emada...@gmail.com> wrote:
> OK, my bad. I assumed a full scan from Nessus would give off some red flags
> because it's so loud, and I'm switching from Snort "which would alert to things
> like Nessus scans" to OSSEC. Thanks for helping me see the light.
>

You don't have to assume, you have access to your logs. It's entirely
possible there's something there that we should alert on, but don't
(currently).

Also, Snort provides very different capabilities than OSSEC. They're
used for different things, so this isn't surprising at all.
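The point dan and Kat make above, that OSSEC only sees what some log source actually records, as an added example that is not from this thread or from the OSSEC project: if Windows Firewall logging of dropped packets is enabled on the Windows 7 agent, a port scan leaves a burst of DROP lines in pfirewall.log, and a "many distinct ports from one source in a short window" check over those lines is the kind of condition a log-based rule can alert on. The sample log lines below are constructed.

```python
"""Log-based scan detection over Windows Firewall (pfirewall.log) lines.
Added example: the log format is the standard W3C-style header the firewall
writes; the sample lines themselves are constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source probing eight ports in two seconds (a scan),
# one unrelated single DROP, and one ALLOW line that must be ignored.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-10-02 10:35:12 DROP TCP 10.0.0.5 10.0.0.20 44321 22 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:12 DROP TCP 10.0.0.5 10.0.0.20 44322 23 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:12 DROP TCP 10.0.0.5 10.0.0.20 44323 25 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:12 DROP TCP 10.0.0.5 10.0.0.20 44324 80 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:13 DROP TCP 10.0.0.5 10.0.0.20 44325 135 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:13 DROP TCP 10.0.0.5 10.0.0.20 44326 139 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:13 DROP TCP 10.0.0.5 10.0.0.20 44327 445 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:35:13 DROP TCP 10.0.0.5 10.0.0.20 44328 8080 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:36:05 DROP TCP 10.0.0.7 10.0.0.20 50211 3389 60 S 1 0 8192 - - - RECEIVE
2012-10-02 10:36:40 ALLOW TCP 10.0.0.9 10.0.0.20 51000 445 0 - 0 0 0 - - - RECEIVE
"""


def parse_drops(text):
    """Yield (timestamp, src_ip, dst_port) for every DROP line, skipping the
    '#' header lines and anything that is not a drop."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[2] != "DROP":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, f[4], int(f[7])


def scan_sources(text, min_ports=5, window_seconds=60):
    """Return {src_ip: sorted distinct ports} for every source whose DROP
    lines touch at least `min_ports` different destination ports within any
    `window_seconds` window. This mirrors a frequency-over-timeframe rule keyed
    on the source address: the scan is visible only because it was logged."""
    per_source = defaultdict(list)
    for ts, src, port in parse_drops(text):
        per_source[src].append((ts, port))
    hits = {}
    for src, events in per_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```

With firewall logging disabled the same scan produces no lines at all, which is exactly the "no blip" the original poster saw.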