Search results

= About ASL = ...utions, ASL is designed for beginners and experts alike. You just install ASL and it does the work for you.

[[ASL]] includes a special secure kernel, that will proactively protect your syst ...the [https://www.atomicorp.com/wiki/index.php/ASL_3.2_Virtualization_Notes ASL 3 Virtualization Notes] for special information about using the kernel with

...lve and release an update within a few hours of you report. Real time and ASL customers can expect to see the update the same day they report this issue. === '''False Positives/Negatives with Atomic Secured Linux (ASL)''' ===

=== Do I need a real time rules subscription if I am using ASL? === No. ASL includes the Real Time Rules.

...an it change this behavior in apache. Disabling this rule will only cause ASL to not report the event, it wont change apache behavior nor will disabling ...on from a client, and Apache has determined the method used is Invalid. [[ASL]] does not cause this, this is simply a reporting rule, and disabling this

ASL is reporting that a client has made multiple successful FTP login attempts '''ASL will not shun on this event, so there is no effect on the end user.''' We

...ese events are not triggered, caused, configured or managed by by ASL, and ASL does not cause the blocking action or alert. The Third Party IDS is the ca ASL will shun on this event by default.

''(Available in ASL and the real time rules only)'' ... a search engine, as well as valid search engines. You must have either [[ASL]] installed, or apache configured with "HostnameLookups Double" and a very

The ASL firewall will log a lot of information about a firewall event. A typical l These rules do not block anything, they just log allowed traffic or special events.

ASL, Atomic Protector and Atomic WAF support unattended installations. That me ASL and Atomic WAF contain a number of new features that are set up on Installa

...g [[ASL]], then this is already setup for you and you can simply use the [[ASL]] gui to view the event. This article will focus on the audit log event de = Viewing events =

= ASL Rule Manager = The ASL rule manager centrally controls all of ASLs event correlation, analysis and

... lead to the compromise of that application and in some cases the system. ASL itself is immune to this, however other log monitoring applications may not ..., or they could be serious problems or event attacks on the systems. When ASL detects a syslog message that is greater than 1025 characters (1024 being t

...as the minimum level to send emails. '''1002's are always emailed because ASL does not know what they are, they may be important and the system is seekin ...tional analysis on the event and if the log entry contains words that lead ASL to believe this is an error or a potentially malicious event, it will alert

...f reverse lookup errors. The application performs the reverse lookup (not ASL), and reports that the reverse lookups mapping has failed. ...o you you based on its internal understanding of those messages, and other events that may (or may not) be occurring on the system.

...tortix : TTY=unknown ; PWD=/var/asl/www ; USER=root ; COMMAND=/var/asl/bin/asl --validate_gui '''Known ASL use of sudo'''

ASL has two different ways you can configure the firewall on your system: The ASL stateful packet inspection firewall works much like other firewalls. It in

The ASL WAF has two non-exclusive modes operation: ... it native WAF protection capabilities. This installation will occur when ASL is installed.

ASL is configured to a secure set of defaults upon installation. Most users do ...sl/config file is not supported. Please change these settings through the ASL web console.

ASL includes a powerful Host Based Intrusion Detection System (HIDS). This HID Step 1) Log into the ASL GUI

...ments to install ASL, for ASL to function properly and recommendations for ASL to perform optimally. ...our web browser. Please see the following FAQ for a list of browsers that ASL is currently supported:

PCI DSS Requirements ASL addresses ASL enforces key based (two factor) authentication

... a '''third party''' Intrusion Detection system (IDS) has been detected by ASL, and the third party IDS has generated an alert and/or blocked some action. ...ese events are not triggered, caused, configured or managed by by ASL, and ASL does not cause the blocking action or alert. The Third Party IDS is the ca

This rule is triggered when ASL has detected that your web server has forbidden access to a file or directo '''This event is not triggered, caused, configured or managed by ASL.'''

|data3 = Multiple Firewall drop events from same source. ...Therefore, if you are getting these alerts, this means you have configured ASL to block this port. See the Tuning guidance section below for instructions

...anaged by by ASL, and ASL does not cause the blocking action or alert.''' ASL simply reports that this error has occurred, and when Apache logs this erro ...n DOS attacks that generate these errors with Apache, ASL will track these events but will not shun them. Please see [[HIDS_30221]] for information about sh

... a '''third party''' Intrusion Detection system (IDS) has been detected by ASL, and the third party IDS has generated multiple alerts and/or blocked some ...ese events are not triggered, caused, configured or managed by by ASL, and ASL does not cause the blocking action or alert. The Third Party IDS is the ca

...anaged by by ASL, and ASL does not cause the blocking action or alert.''' ASL simply reports that this error has occurred, and when Apache logs this erro ...n DOS attacks that generate these errors with Apache, ASL will track these events but will shun them.

...to access a non-existent file, or files, '''multiple times via Apache'''. ASL does not cause this event, nor does it control this, it simply reports when ...eturning a non-existent file error. Disabling this rule will simply cause ASL to no longer report when this occurs.

...uilt in that will alert you if file changes have occurred on your system. ASL does not use rkhunter for this. To access the ASL file intergrity manager, follow this process

... a '''third party''' Intrusion Detection system (IDS) has been detected by ASL, and the third party IDS has generated an alert and/or blocked some action. ...ese events are not triggered, caused, configured or managed by by ASL, and ASL does not cause the blocking action or alert. The Third Party IDS is the ca

|data3 = Multiple IDS events from same source ip. ... a '''third party''' Intrusion Detection system (IDS) has been detected by ASL, and the third party IDS has generated multiple alerts and/or blocked some

|data3 = Multiple IDS events from same source ip (ignoring now this srcip and id). ... a '''third party''' Intrusion Detection system (IDS) has been detected by ASL, and the third party IDS has generated multiple alerts and/or blocked some

This rule is triggered when ASL detects that an Internal server error, a 500 error, has occurred in Apache. ... and ASL does not cause either the alert or the internal error in apache. ASL is just reporting that apache is reporting a 500 error has occured.'''

...occurs. If you wish to shun these events, just set Active Response in the ASL rule manager for rule 331030 to "yes".

...tomicorp Modsecurity Rules. These docs are for users that do not have [[ASL]]. ...e ASL, [https://www.atomicorp.com/amember/cart/index/index?c=1 upgrade to ASL today!]'''

Note: ASL does not cause this event to occur, it simply reports when another applicat ...user and has failed to do add this user. This event is not caused by ASL, ASL simply reports when this event occurs.

Note: ASL Lite is End of Life and is no longer maintained. Please use [[ASL]] or [https://www.atomicorp.com/wiki/index.php/Downloading_Rules#Just_a_dow

=== ASL web console === ==== Where is the ASL Web GUI? ====

...ate and these commands many not work. This type of error is not caused by ASL. ... completely removed. If this occurs, you will need to manually remove the ASL database. To do that, log into mysql as your administrative user (root for

<big>'''ASL Troubleshooting'''</big> Please see the [[ASL FAQ]] page.

...atically and dynamically whitelist the real google webcrawler from all WAF events:

...eans an application is trying to do something dangerous on your system and ASL is protecting you from this action. Please read this article for additiona ...rotection to allow them to compromise the system. In other words, on a non-ASL system the attacker can just disable your stack protection.

...them to be "rewritten" while running. Specifically, this protection in the ASL kernel guarantees that this can not occur, by enforcing that memory pages w Please see this article if you see this event for any '''paxtest''' events:

...atically and dynamically whitelist the real google webcrawler from all WAF events:

...atically and dynamically whitelist the real google webcrawler from all WAF events:

...atically and dynamically whitelist the real google webcrawler from all WAF events:

...re WAF system. This is the only supported method for disabling the WAF in ASL. Uninstalling mod_security and the use of third party methods to remove mo Enable/Disable Tortix WAF proxy (ASL users only). The tortix waf module, this module can process local or remote

'''ASL does not cause this event to occur. ASL simply reports when it occurs.''' ...hese blocks, and only configuring Exim will change this behavior of Exim. ASL does not manage or configure Exim. Please contact your mail server vendor

ASL has detected a known brute force attacker that is attempting to brute force If you wish to prevent ASL from shunning on these events, simply set Active Response for the rule to off. This will of course allow

|data3 = Rapid SMTP password incorrect events from the same IP source. ASL has detected multiple failed SMTP login attempts from a single IP within a

ASL has detected multiple failed SMTP login attempts from a single IP within a If you wish to prevent ASL from shunning on these events, simply set Active Response for the rule to off.

|data3 = Slow SMTP password incorrect events from the same IP source. ASL has detected multiple failed SMTP login attempts from a single IP within a

...iple events indicative of an attacker, on multiple other systems running [[ASL]].

== ASL Web Windows == ==== ASL ====

IP Reports are accessed by clicking an IP address found anywhere else within ASL Web.<br/> Clicking the 'View all activity from this IP' link will open an Events Search window listing the full event history for the address.<br/>

'''This rule is not caused by ASL.''' ...03 error. ASL does not cause this to occur, and has no control over these events, it merely reports it.

=== Atomic Secured Linux ([[ASL]]) === To enable the TI in ASL just enable this setting:

... an application may be trying to do something dangerous on your system and ASL is protecting you from this action. Please read this article for additiona ...aries will be deterred. When a child of a forking daemon is stopped by the ASL kernel because it has violated the kernel protection model or crashed due t

|data3 = Multiple access forbidden file or directory events from the same IP. This rule is triggered when ASL has detected that your web server has forbidden access to a file or directo

'''This event does not block anything and is not caused by ASL.''' '''ASL merely reports when this occurs.''' If your pop or imap server is denying

ASL does not cause this occur. It merely reports when it occurs. Disabling th ...o you you based on its internal understanding of those messages, and other events that may (or may not) be occurring on the system.

Include windows\*asl*.conf ...s are designed to work with advanced security management systems such as [[ASL]] and may not work completely without an advanced management system.

'''ASL does not cause these events.''' ...simply reports from your database server has experienced multiple errors. ASL does not cause this event, and disabling this rule will not fix the error w

...th alternate credentials. This logon type does not seem to show up in any events. If you want to track ...n a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration t

...th alternate credentials. This logon type does not seem to show up in any events. If you want to track ...n a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration t

... to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur. ANONYMOUS LOGONs are routine events on Windows networks.

...omatically and dynamically whitelist the real bing webcrawler from all WAF events:

...matically and dynamically whitelist the real Baidu webcrawler from all WAF events:

''(Available in ASL and the real time rules only)'' ... a search engine, as well as valid search engines. You must have either [[ASL]] installed, or apache configured with "HostnameLookups Double" and a very