Comments
-
Very cool thank you. My boss will sleep better at night.
-
Is there any additional overhead on the SQL server after setting up AppInsight?
-
Agreed.
-
What about unable to deploy agent - SafeCall failed, check fault information. 2014/07/11 12:42:02:515 PID: 13464 TID: 11156 [WARN] ewException caught: Error [1L], [CertificateData::QueryRegistry() - is not implemeted for Orion Agent], File: ClientCertificateCache.cpp, Line: 473 2014/07/11 12:42:02:530 PID: 13464 TID: 11596…
-
In case anyone runs into a similar issue with this. Tripwire's documentation shows that instead of using syslog their default facility is user.log. However, even after adjusting our connector, still no go. I finally went through the list of facilities, testing, viewing, capturing. Finally hit the sweet spot. The Tripwire box,…
-
Yeah that is the route I'm leaning towards right now. I've edited the time when the alert should check for now. Will test for a week and see how it goes. Thanks.
-
Right you were about the registered port. There was a properties file with the info in it. It definitely looks to be talking fine. 393.325556000192.168.1.167192.168.1.14TCP66shell > 55389 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=128 Transmission Control Protocol, Src Port: shell (514), Dst Port: 55389…
-
Did you specify the subnets you want to sniff traffic on in your snort.conf file? Or in our case we have two separate subnets and use the following: -S HOME_NET=[your subnet/whatever] -i eth1
-
Can you post what you have for this? We are having a similar issue. Where our custom AppPools are recycling in the wee hours of the morning and we are getting SAM alerts for them. I would like to suppress these as much as possible. Thanks
-
cmc> appliance cmc::acm# checklogs Available log files: [1]: Syslog Log (83M) [2]: SNMP Trap Log (2.9M) [3]: Snort Alert Log (Empty) [4]: Auth Log (12K) [5]: Daemon Log (3.5M) [6]: User Log (4.0K) [7]: Solr Log (Empty) [8]: Database Log (4.0K) [9]: Manager Configuration Log (12K) [10]: Kernel Log (Empty) [11]: Migration…
-
FYI support was kind enough to send me the new revision #5 for the iisftp connector and revision #6 for the globalscape connector. However I still wasn't seeing the path/filename in nDepth. A closer look at the .xml file revealed the issue. We need cs-uri-stem which reveals the path/filename. This is verified in the…
-
Doesn't look like its connecting. You should see something like the following: (Fri May 02 13:41:42 CDT 2014) II:NOTICE [NioComNetworkParent v24745] {ComModuleSpop:20} Install request completed (favorably); Can you telnet to your LEM device on port 37890 from that specific machine?
-
Thanks curtisi I set it to ServiceWarning.ToolAlias = Windows Application and will wait and see.
-
Nope. Only the reader starting and stopping. I turned on debug ntp packet and I'm getting ntp debug info in the local3 logs. But still nothing in the Monitor/nDepth. I rebooted the VM and still nada. Edit: Weird, they just started coming through. Maybe NTP wasn't fully synced. Thanks @curtisi
-
Yes we are on 6. I will have to try it on the new version. I don't believe I have used the command on 6.0 yet. Thanks
-
Thanks Triumph. That seems to have done it for us. Select Server Name (s-computername) in your log field config
-
I noticed you are $Revision: #11 $. We are on 3? I was under the impression we had the latest connectors but I will have to re-download and deploy. If not I will try your config edit. Thanks.
-
What are the recommended Audit Policy settings for Windows when implementing logging for the PCI DSS or other security standard? Here is what I found and what I have set based on this: Category/Subcategory Setting System Security System Extension No Auditing System Integrity Success and Failure IPsec Driver No Auditing…
-
OK will do. Thanks
-
I think it may be done via the cleanagentconfig command on the LEM box itself. But I haven't run it since I opted to just manually edit the .conf files on the agent machines instead.
-
-K ascii would be the correct flag if you wanted them in plain text. From your command I don't see you logging it in binary however.
-
Well it would seem Tripwire uses TCP 514 instead of UDP. According to the LEM port guide it listens on both TCP/UDP for syslog connections. Which explains why I can telnet to TCP port 514. In our case a scan reveals it appears 514 is being used by the default rlogin/shell service. Blah. Hopefully I can get the root…
-
Anything in the spoplog?
-
It would be nice to be able to use LEM as the IDS/IPS. But yes, I don't feel it fits those requirements yet. What we do currently is send our log data to LEM and then use LEM to send us the appropriate triggers.
-
Would be nice. I'm afraid I will most likely have to use a 3rd party utility to send the log file via Syslog to LEM and then parse it.
-
When you say 90 days online, you are referring to being able to query results via nDepth for up to 90 days, correct? As someone also in the PCI realm, I would be interested in some of the industry standard best practices that others are leveraging with LEM. We currently do a monthly archiveconfig, and weekly backupconfigs…
-
Interesting. In addition to our reports/saved nDepth searches, I'm on the web portal all day every day. Maybe I'm paranoid, but I like to see what's going on in real time. The web portal definitely seems snappier than the console for sure.
-
So the Tripwire connector works fine for our monitored node. This connector is set up to log to local4. It's firing off a log to LEM action when one of our rules is changed/edited etc. This side works. We also would like to audit the changes on the Tripwire box itself, i.e. log-ins, rule and policy changes, etc. I can see…
-
That's what I need to happen though. The group of systems receive the same message. So even if I receive the message only twice on one server and three times on another server, I want the rule to fire. Thanks for the explanation; it is starting to sink in a bit more.
-
Yep I just synced it with our NTP server. Still getting the log data via checklogs but still nothing in the filter yet.