Hi James,
that sounds like quite a few new rules in that list. I've never had that
many, so can't say what side affects it may have. But after looking at
the SANS document I would suggest shortening it down to one rule that
uses CDB lists and looks like this (based off the rule template from the
document):
<group name="web">
<rule id="100499" level="14">
<if_sid>3100</if_sid>
<list field="srcip" lookup="address_match_key">lists/ip_shunlist</list>
<description>Shun!</description>
</rule>
</group>
Then you just have to populate the ip_shunlist file and add the
following to the ossec.conf in the <rules> section:
<list>lists/ip_shunlist</list>
IMHO easier to maintain (just update the list of IPs), and the list can
be used for multiple rules.
Have a look at the OSSEC documentation for how the IP List should be
formatted:
http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
On 2/18/2013 4:46 PM, James Whittington wrote:
I read a whitepaper by the SANS institute where they gave an example
of taking an emerging threats blacklist and creating a custom ruleset
from it's IPs.
(http://www.sans.org/reading_room/whitepapers/detection/practical-ossec_33699)
I was pretty sure I had all the pieces working and in fact could do a
logtest successfully using the newly created ruleset.
This is OSSEC HIDS v2.7-beta2 by the way.
On an OSSEC restart however analysis had a couple of errors and none
of my remote logs seems to be flowing through anymore?
2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/02/18 16:58:29 ossec-analysisd(1210): ERROR: Queue
'/queue/alerts/ar' not accessible: 'Connection refused'.
2013/02/18 16:58:29 ossec-analysisd(1301): ERROR: Unable to connect to
active response queue.
2013/02/18 16:58:29 ossec-analysisd: INFO: Connected to
'/queue/alerts/execq' (exec queue)
After commenting out the ruleset in the ossec.conf file fixed things
so it seems tied to this new ruleset.
The new rules are a bit larger at 1.7 MB so maybe something is timing out?
Any ideas out there on this?
I like the idea of incorporating a well known blacklist into ossec.
Thanks,
James Whittington
--
---
You received this message because you are subscribed to the Google
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
