phish phreek wrote:

> In the last rules file I emailed to the list, I chose IDs in the 12200
> range since the named rules were in the 12100 range. I've left the ipv4
> rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in
> the 12300 range.

This will be OK for testing, but you're probably better off using rule IDs in the user range of 100,000-120,000 so that there aren't any conflicts during an upgrade. When they get accepted into the project, Daniel will assign a unique group of IDs.

> Before I send the updated decoders and rules, I wanted to get a better
> understanding of the rule alert levels and rule groups. I've been
> looking over some of the documentation between the manual and the FAQs.
> I'm not sure that either of them are documented? I've also not been able
> to find valid "log types" to monitor. In my case, I just used syslog and
> it's working but I'm not sure if I should use something else?

OSSEC Rule ID Groupings and Best Practices:
http://ossec.net/wiki/index.php/Know_How:RuleIDGrouping

As to the log type, are the DHCP logs in the event log format? In that case, you may want to try <type>windows</type>.

> Where can I find out the alert level scale? Or, how should I assign
> alert levels to my rules? I've set all my rules to alert level 5 to start.

This should help:
http://ossec.net/wiki/index.php/Know_How:Rules_Severity

In my experience, however, simply use this as a guide. If there is something that warrants a larger or smaller severity then simply use good judgment.

> Are the rule groups predefined or can I use my own? I've used some of
> the groups that I've seen defined in other rules such as
> "service_availability" but I've gone on to define my own such as
> "dhcp_lease_action","dhcp_maintenance","dhcp_dns_maintenance" and
> "dhcp_rogue_server".

You can make up your own groups, but try to use the pre-defined groups where it makes sense. More info here:
http://ossec.net/wiki/index.php/Know_How:Rule_Groups

> Where is a list of valid log types that you define on the agent's
> ossec.conf file when you tell it to monitor a log?

You can use strftime or globbing in the log name definition, otherwise, just feed it a log file and use the decoder as a guide for the log type.

One hint: single line ASCII log files can be defined as syslog even if they aren't properly syslog-formatted. One final tip: use the local_decoder.xml file until this is accepted into the project, because if you don't, you might lose all your work during an upgrade!
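As an added example (not part of the thread or of OSSEC itself), a small Python check that parses a local_rules.xml body and flags rule IDs outside the 100,000-120,000 user range the reply recommends, levels outside OSSEC's 0-15 severity scale, and duplicate IDs; the sample rules, decoder names and group names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# User-assigned rule ID range recommended in the reply (avoids upgrade conflicts)
USER_ID_MIN, USER_ID_MAX = 100000, 120000
LEVEL_MIN, LEVEL_MAX = 0, 15  # OSSEC severity scale (see the Rules_Severity wiki page)

# Constructed sample local_rules.xml: the first rule keeps a test-range id like the
# 12200-series in the thread, the second is fine, the third has an invalid level,
# the fourth reuses an id. Decoder and group names are illustrative only.
SAMPLE_RULES = """<group name="dhcp,">
  <rule id="12200" level="5">
    <decoded_as>dhcp-2k3</decoded_as>
    <description>DHCP lease event (id still in test range).</description>
    <group>dhcp_lease_action,</group>
  </rule>
  <rule id="100100" level="5">
    <decoded_as>dhcp-2k8</decoded_as>
    <match>rogue</match>
    <description>Rogue DHCP server detected.</description>
    <group>dhcp_rogue_server,service_availability,</group>
  </rule>
  <rule id="100101" level="20">
    <if_sid>100100</if_sid>
    <description>Level outside the 0-15 scale.</description>
  </rule>
  <rule id="100100" level="3">
    <description>Duplicate id.</description>
  </rule>
</group>
"""

def lint_rules(xml_text):
    """Return (rule_id, problem) tuples for the rules in xml_text."""
    # Rule files may contain several top-level <group> blocks, so wrap them in one root.
    root = ET.fromstring("<rules>%s</rules>" % xml_text)
    problems, seen = [], set()
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        level = int(rule.get("level", "0"))
        if not USER_ID_MIN <= rid <= USER_ID_MAX:
            problems.append((rid, "id outside user range %d-%d" % (USER_ID_MIN, USER_ID_MAX)))
        if not LEVEL_MIN <= level <= LEVEL_MAX:
            problems.append((rid, "level %d outside %d-%d" % (level, LEVEL_MIN, LEVEL_MAX)))
        if rid in seen:
            problems.append((rid, "duplicate id"))
        seen.add(rid)
    return problems
```

Run it against a rules file before sending it to the list and fix every reported line; a clean result does not mean the rules are correct, only that they will not collide with project-assigned IDs.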
