Comments
-
Local installer. I will give that a shot thanks.
-
Sorry this is my first go around with any type of agent issues as well.
-
This has been working much better for us since the upgrade to RC3. I haven't had any time-outs when running searches lately. Fingers crossed.
-
Hmm that's what we have.
-
Do I have to open up a case to submit it as a bug?
-
Thank you. Are the iptables changes perpetual or do they reset after LEM is rebooted? I set this, and for some reason when we do updates on the host and have to power off the VMs and reboot, it will magically show up on our vulnerability list again. We contemplated just editing the server.xml file directly and manually…
-
Just in case anyone else is running LEM via Hyper-V and is looking to do the same thing. Straight from the horse's mouth: Snort included on LEM is capable of sniffing the entire network as long as you're forwarding all the network's traffic to an anonymous (no IP) promiscuous mode NIC in the LEM. This would basically require…
-
Thanks Danielle
-
Sorry I should have been more specific. I was referring to the profiler logs on the actual box the agent is installed on. These can grow fast.
-
Nope, all you need to do is edit the policy and it's good to go.
-
Yes, the promiscuous NIC is the device that should be listed in the .conf file. So for example our physical box has 3 NICs: our management interface, our internal LAN, and our DMZ network. We have two separate conf files, one for eth1 (LAN) and one for eth2 (DMZ). snort.eth1.conf: ipvar HOME_NET LAN ip range/21…
-
No they did not update when I attempted to update via the manage - node screen. (Release 5.7.0rc1) build [rc1]. The remote agent installer worked fine.
-
Our prod system was still on 5.7.0RC. Not sure if that's the reason. I am able to install using the remote agent installer to match the current 6.0.0RC1. Not a big deal, I only have about 10 systems left to update and it's going fairly quickly. Thank you guys for the quick response however. It's appreciated.
-
What about setting up an alias on your connector? Then call your new filter PAM. I know we had some issues where we had to point it to auth.log.1 then back to auth.log and it would start to log correctly again. Not sure if there was an issue with the log rotation that day but it seemed to snap it back into place.
-
Via the customer portal. If I click on LEM I get a drop down for 5.6.0. Not sure what your results are.
-
Monitor -> Filters -> + sign -> new filter. Then under event groups highlight any alert and below that choose tool alias and drag it to your conditions. So it should read Any Alert.ToolAlias = (This is where you want to put the name of your alias in the connector). Name it and save it and you should start to see logs…
-
Oh nice. I will have to take advantage of that. Yes I agree. It's a great tool and has made my life considerably easier. I am interested to see how it continues to evolve in the IDS/IPS realm. We are still utilizing a dedicated box simply because we can change/tweak it how we see fit. You can't do that with a hardened…
-
/usr/local/contego/ContegoSPOP Keep in mind this is done on the agents themselves.
-
That's too bad. I even tested the Beta version of the FIM connector w/o being on a domain and I still experienced no issues. Hopefully it's something they can easily identify and fix.
-
Any other VMs running on the host? We have a dedicated host box for our SW environment. I would imagine it all depends on how much data is flowing into it as well that could cause additional overhead. Sorry to hear you're having issues with it. Ours has been pretty stable since the upgrade to 5.6 with the exception of having…
-
For the most part a total uninstall, including removing all registry entries, and a remote agent install has fixed a majority of them. But we still have 2 or 3 that simply refuse to work. Or if they do, it's about a day and then they drop off again. So no, the issue still persists.
-
You can't currently point a LEM connector to a flat file. I would think attempting to do this with a saved .evtx would fall under the same category. There is a feature request to add this however.
-
ntpconfig
-
PCI. And according to our auditor 3.0 is going to be even stricter. We aren't the only business unit in the company that has a ROC, so luckily we were given a blueprint. From there we could pick and choose what we needed to fit our environment regarding the requirements like FIM, IDS/IPS, SIEM, etc. I agree it would be…
-
Hmm, run across this one? I got my new connector installed but it doesn't want to start. Not sure if you have seen this in creating yours or not. Not sure if it's something in my FastPattern causing this? Weird. A reboot and re-upload of my custom connector and it's working now. Now I just have to tweak the FastFields, etc. Very…
-
So I'm assuming the DefaultReaderConfiguration is where I plug in all the information for the connector itself and the FastToolID is where all the regular expressions go. Or the events from the log file I want to show up in LEM?
-
Hmm this particular application just logs to a flat text file. Is it possible to use LEM to pick that up somehow?
-
I would imagine it's probably overwhelming to try and sift through all that log data for larger corporations. We generally collect around 35-40 million logs a day, which I'm sure is a drop in the bucket compared to most shops. We looked at the SIEM (LEM) almost as an additional IDS tool. Which I believe is actually in one of…
-
Well, if they have to be PCI compliant they will need the SIEM implementation regardless of the costs. It's a requirement. I know in our environment all we have to do is say it's for PCI compliance and purchasing will usually get it done. I would agree that most of this is "DUH" level stuff. I haven't read the article but…
-
We experience the same problem and generally a bounce of the manager service brings everything back up. Annoying to say the least.